================================================================== BUG: KASAN: slab-use-after-free in __put_prev_set_next_dl_server kernel/sched/sched.h:2482 [inline] BUG: KASAN: slab-use-after-free in put_prev_set_next_task kernel/sched/sched.h:2492 [inline] BUG: KASAN: slab-use-after-free in pick_next_task kernel/sched/core.c:6342 [inline] BUG: KASAN: slab-use-after-free in __schedule+0x4ed8/0x5de0 kernel/sched/core.c:6739 Write of size 8 at addr ffff8880229202a8 by task dhcpcd-run-hook/6569 CPU: 2 UID: 0 PID: 6569 Comm: dhcpcd-run-hook Not tainted 6.16.0-rc6-syzkaller-00002-g155a3c003e55 #0 PREEMPT(full) Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Call Trace: __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:378 [inline] print_report+0xcd/0x610 mm/kasan/report.c:480 kasan_report+0xe0/0x110 mm/kasan/report.c:593 __put_prev_set_next_dl_server kernel/sched/sched.h:2482 [inline] put_prev_set_next_task kernel/sched/sched.h:2492 [inline] pick_next_task kernel/sched/core.c:6342 [inline] __schedule+0x4ed8/0x5de0 kernel/sched/core.c:6739 preempt_schedule_irq+0x51/0x90 kernel/sched/core.c:7109 irqentry_exit+0x36/0x90 kernel/entry/common.c:307 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702 RIP: 0010:__unwind_start+0x476/0x7f0 arch/x86/kernel/unwind_orc.c:755 Code: 49 89 c4 49 01 ed 49 01 ec eb 2a 4c 89 f7 e8 f1 da ff ff 4c 89 f0 48 c1 e8 03 0f b6 04 28 84 c0 74 08 3c 03 0f 8e 14 02 00 00 <41> 8b 06 85 c0 0f 84 56 fe ff ff 41 80 7d 00 00 0f 85 24 02 00 00 RSP: 0018:ffffc900034477a8 EFLAGS: 00000246 RAX: 0000000000000000 RBX: ffffc90003447888 RCX: ffffc900034476fc RDX: 0000000000000000 RSI: ffffffff8de0d975 RDI: ffff888031b48444 RBP: dffffc0000000000 R08: 0000000000000001 R09: 0000000000000000 R10: 0000000000000000 R11: 00000000000061e5 R12: fffff52000688f01 R13: fffff52000688f00 R14: ffffc900034477f8 R15: ffffc90003447800 unwind_start arch/x86/include/asm/unwind.h:64 [inline] arch_stack_walk+0x73/0x100 arch/x86/kernel/stacktrace.c:24 stack_trace_save+0x8e/0xc0 kernel/stacktrace.c:122 kasan_save_stack+0x33/0x60 mm/kasan/common.c:47 kasan_save_track+0x14/0x30 mm/kasan/common.c:68 poison_kmalloc_redzone mm/kasan/common.c:377 [inline] __kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:394 kmalloc_noprof include/linux/slab.h:905 [inline] slab_free_hook mm/slub.c:2333 [inline] slab_free mm/slub.c:4643 [inline] kmem_cache_free+0x142/0x4d0 mm/slub.c:4745 exit_mmap+0x511/0xb90 mm/mmap.c:1309 __mmput+0x12a/0x410 kernel/fork.c:1121 mmput+0x62/0x70 kernel/fork.c:1144 exit_mm kernel/exit.c:581 [inline] do_exit+0x7c4/0x2bd0 kernel/exit.c:952 do_group_exit+0xd3/0x2a0 kernel/exit.c:1105 __do_sys_exit_group kernel/exit.c:1116 [inline] __se_sys_exit_group kernel/exit.c:1114 [inline] __x64_sys_exit_group+0x3e/0x50 kernel/exit.c:1114 x64_sys_call+0x1530/0x1730 arch/x86/include/generated/asm/syscalls_64.h:232 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xcd/0x4c0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7fb6310386c5 Code: Unable to access opcode bytes at 0x7fb63103869b. RSP: 002b:00007ffe09c795b8 EFLAGS: 00000202 ORIG_RAX: 00000000000000e7 RAX: ffffffffffffffda RBX: 00007ffe09c79804 RCX: 00007fb6310386c5 RDX: 00000000000000e7 RSI: ffffffffffffff88 RDI: 0000000000000000 RBP: 0000000000000003 R08: 00007ffe09c796b0 R09: 0000000000000002 R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000000000 R13: 00007ffe09c798f0 R14: 00007fb631248000 R15: 0000561732749d98 Allocated by task 6561: kasan_save_stack+0x33/0x60 mm/kasan/common.c:47 kasan_save_track+0x14/0x30 mm/kasan/common.c:68 unpoison_slab_object mm/kasan/common.c:319 [inline] __kasan_slab_alloc+0x89/0x90 mm/kasan/common.c:345 kasan_slab_alloc include/linux/kasan.h:250 [inline] slab_post_alloc_hook mm/slub.c:4148 [inline] slab_alloc_node mm/slub.c:4197 [inline] kmem_cache_alloc_node_noprof+0x1d5/0x3b0 mm/slub.c:4249 alloc_task_struct_node kernel/fork.c:183 [inline] dup_task_struct kernel/fork.c:869 [inline] copy_process+0x4b6/0x7650 kernel/fork.c:1999 kernel_clone+0xfc/0x960 kernel/fork.c:2599 __do_sys_clone3+0x212/0x290 kernel/fork.c:2903 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xcd/0x4c0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f Freed by task 6568: kasan_save_stack+0x33/0x60 mm/kasan/common.c:47 kasan_save_track+0x14/0x30 mm/kasan/common.c:68 kasan_save_free_info+0x3b/0x60 mm/kasan/generic.c:576 poison_slab_object mm/kasan/common.c:247 [inline] __kasan_slab_free+0x51/0x70 mm/kasan/common.c:264 kasan_slab_free include/linux/kasan.h:233 [inline] slab_free_hook mm/slub.c:2381 [inline] slab_free mm/slub.c:4643 [inline] kmem_cache_free+0x2d1/0x4d0 mm/slub.c:4745 put_task_struct include/linux/sched/task.h:145 [inline] put_task_struct include/linux/sched/task.h:132 [inline] delayed_put_task_struct+0x115/0x2e0 kernel/exit.c:230 rcu_do_batch kernel/rcu/tree.c:2576 [inline] rcu_core+0x79c/0x14e0 kernel/rcu/tree.c:2832 handle_softirqs+0x219/0x8e0 kernel/softirq.c:579 __do_softirq kernel/softirq.c:613 [inline] invoke_softirq kernel/softirq.c:453 [inline] __irq_exit_rcu+0x109/0x170 kernel/softirq.c:680 irq_exit_rcu+0x9/0x30 kernel/softirq.c:696 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1050 [inline] sysvec_apic_timer_interrupt+0xa4/0xc0 arch/x86/kernel/apic/apic.c:1050 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702 Last potentially related work creation: kasan_save_stack+0x33/0x60 mm/kasan/common.c:47 kasan_record_aux_stack+0xa7/0xc0 mm/kasan/generic.c:548 __call_rcu_common.constprop.0+0xa5/0xa10 kernel/rcu/tree.c:3094 put_task_struct_rcu_user kernel/exit.c:236 [inline] put_task_struct_rcu_user+0x75/0xc0 kernel/exit.c:233 context_switch kernel/sched/core.c:5400 [inline] __schedule+0x1172/0x5de0 kernel/sched/core.c:6786 schedule_idle+0x5c/0x90 kernel/sched/core.c:6905 do_idle+0x2b6/0x510 kernel/sched/idle.c:353 cpu_startup_entry+0x4f/0x60 kernel/sched/idle.c:423 start_secondary+0x21d/0x2b0 arch/x86/kernel/smpboot.c:315 common_startup_64+0x13e/0x148 Second to last potentially related work creation: kasan_save_stack+0x33/0x60 mm/kasan/common.c:47 kasan_record_aux_stack+0xa7/0xc0 mm/kasan/generic.c:548 task_work_add+0x258/0x360 kernel/task_work.c:65 sched_tick+0x2a9/0x940 kernel/sched/core.c:5681 update_process_times+0x19c/0x2d0 kernel/time/timer.c:2478 tick_sched_handle kernel/time/tick-sched.c:276 [inline] tick_nohz_handler+0x37e/0x540 kernel/time/tick-sched.c:297 __run_hrtimer kernel/time/hrtimer.c:1761 [inline] __hrtimer_run_queues+0x5ea/0xad0 kernel/time/hrtimer.c:1825 hrtimer_interrupt+0x397/0x8e0 kernel/time/hrtimer.c:1887 local_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1039 [inline] __sysvec_apic_timer_interrupt+0x10b/0x3f0 arch/x86/kernel/apic/apic.c:1056 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1050 [inline] sysvec_apic_timer_interrupt+0x9f/0xc0 arch/x86/kernel/apic/apic.c:1050 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702 The buggy address belongs to the object at ffff888022920000 which belongs to the cache task_struct of size 9024 The buggy address is located 680 bytes inside of freed 9024-byte region [ffff888022920000, ffff888022922340) The buggy address belongs to the physical page: page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x22920 head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 memcg:ffff88802b040701 anon flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff) page_type: f5(slab) raw: 00fff00000000040 ffff88801cef0140 0000000000000000 dead000000000001 raw: 0000000000000000 0000000000030003 00000000f5000000 ffff88802b040701 head: 00fff00000000040 ffff88801cef0140 0000000000000000 dead000000000001 head: 0000000000000000 0000000000030003 00000000f5000000 ffff88802b040701 head: 00fff00000000003 ffffea00008a4801 00000000ffffffff 00000000ffffffff head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008 page dumped because: kasan: bad access detected page_owner tracks the page as allocated page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 46, tgid 46 (kworker/u32:2), ts 4698788921, free_ts 0 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x1c0/0x230 mm/page_alloc.c:1704 prep_new_page mm/page_alloc.c:1712 [inline] get_page_from_freelist+0x1321/0x3890 mm/page_alloc.c:3669 __alloc_frozen_pages_noprof+0x261/0x23f0 mm/page_alloc.c:4959 alloc_pages_mpol+0x1fb/0x550 mm/mempolicy.c:2419 alloc_slab_page mm/slub.c:2451 [inline] allocate_slab mm/slub.c:2619 [inline] new_slab+0x23b/0x330 mm/slub.c:2673 ___slab_alloc+0xd9c/0x1940 mm/slub.c:3859 __slab_alloc.constprop.0+0x56/0xb0 mm/slub.c:3949 __slab_alloc_node mm/slub.c:4024 [inline] slab_alloc_node mm/slub.c:4185 [inline] kmem_cache_alloc_node_noprof+0xf5/0x3b0 mm/slub.c:4249 alloc_task_struct_node kernel/fork.c:183 [inline] dup_task_struct kernel/fork.c:869 [inline] copy_process+0x4b6/0x7650 kernel/fork.c:1999 kernel_clone+0xfc/0x960 kernel/fork.c:2599 user_mode_thread+0xc7/0x110 kernel/fork.c:2677 call_usermodehelper_exec_work kernel/umh.c:171 [inline] call_usermodehelper_exec_work+0xcb/0x170 kernel/umh.c:157 process_one_work+0x9cf/0x1b70 kernel/workqueue.c:3238 process_scheduled_works kernel/workqueue.c:3321 [inline] worker_thread+0x6c8/0xf10 kernel/workqueue.c:3402 kthread+0x3c5/0x780 kernel/kthread.c:464 ret_from_fork+0x5d7/0x6f0 arch/x86/kernel/process.c:148 page_owner free stack trace missing Memory state around the buggy address: ffff888022920180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff888022920200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff888022920280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff888022920300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff888022920380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ================================================================== ---------------- Code disassembly (best guess): 0: 49 89 c4 mov %rax,%r12 3: 49 01 ed add %rbp,%r13 6: 49 01 ec add %rbp,%r12 9: eb 2a jmp 0x35 b: 4c 89 f7 mov %r14,%rdi e: e8 f1 da ff ff call 0xffffdb04 13: 4c 89 f0 mov %r14,%rax 16: 48 c1 e8 03 shr $0x3,%rax 1a: 0f b6 04 28 movzbl (%rax,%rbp,1),%eax 1e: 84 c0 test %al,%al 20: 74 08 je 0x2a 22: 3c 03 cmp $0x3,%al 24: 0f 8e 14 02 00 00 jle 0x23e * 2a: 41 8b 06 mov (%r14),%eax <-- trapping instruction 2d: 85 c0 test %eax,%eax 2f: 0f 84 56 fe ff ff je 0xfffffe8b 35: 41 80 7d 00 00 cmpb $0x0,0x0(%r13) 3a: 0f 85 24 02 00 00 jne 0x264