==================================================================
BUG: KASAN: slab-use-after-free in instrument_atomic_read_write include/linux/instrumented.h:96 [inline]
BUG: KASAN: slab-use-after-free in atomic_try_cmpxchg_acquire include/linux/atomic/atomic-instrumented.h:1300 [inline]
BUG: KASAN: slab-use-after-free in queued_spin_lock include/asm-generic/qspinlock.h:111 [inline]
BUG: KASAN: slab-use-after-free in do_raw_spin_lock include/linux/spinlock.h:187 [inline]
BUG: KASAN: slab-use-after-free in __raw_spin_lock_bh include/linux/spinlock_api_smp.h:127 [inline]
BUG: KASAN: slab-use-after-free in _raw_spin_lock_bh+0x97/0x1b0 kernel/locking/spinlock.c:178
Write of size 4 at addr ffff888101bede08 by task kworker/1:2/50

CPU: 1 PID: 50 Comm: kworker/1:2 Tainted: G W 6.9.0-rc2-syzkaller-00080-gc85af715cac0 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
Workqueue: vsock-loopback vsock_loopback_work
Call Trace:
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x184/0x200 lib/dump_stack.c:114
 print_address_description mm/kasan/report.c:377 [inline]
 print_report+0x163/0x550 mm/kasan/report.c:488
 kasan_report+0x15f/0x190 mm/kasan/report.c:601
 kasan_check_range+0x238/0x2b0 mm/kasan/generic.c:189
 __kasan_check_write+0x14/0x20 mm/kasan/shadow.c:37
 instrument_atomic_read_write include/linux/instrumented.h:96 [inline]
 atomic_try_cmpxchg_acquire include/linux/atomic/atomic-instrumented.h:1300 [inline]
 queued_spin_lock include/asm-generic/qspinlock.h:111 [inline]
 do_raw_spin_lock include/linux/spinlock.h:187 [inline]
 __raw_spin_lock_bh include/linux/spinlock_api_smp.h:127 [inline]
 _raw_spin_lock_bh+0x97/0x1b0 kernel/locking/spinlock.c:178
 spin_lock_bh include/linux/spinlock.h:356 [inline]
 virtio_transport_space_update net/vmw_vsock/virtio_transport_common.c:1451 [inline]
 virtio_transport_recv_pkt+0xfc8/0x2a10 net/vmw_vsock/virtio_transport_common.c:1594
 vsock_loopback_work+0x39a/0x4b0 net/vmw_vsock/vsock_loopback.c:127
 process_one_work kernel/workqueue.c:3254 [inline]
 process_scheduled_works+0x77d/0x1000 kernel/workqueue.c:3335
 worker_thread+0x969/0xe00 kernel/workqueue.c:3416
 kthread+0x2e3/0x380 kernel/kthread.c:388
 ret_from_fork+0x51/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:243

Allocated by task 399:
 kasan_save_stack mm/kasan/common.c:47 [inline]
 kasan_save_track+0x3b/0x70 mm/kasan/common.c:68
 kasan_save_alloc_info+0x38/0x50 mm/kasan/generic.c:565
 poison_kmalloc_redzone mm/kasan/common.c:370 [inline]
 __kasan_kmalloc+0x99/0xb0 mm/kasan/common.c:387
 kasan_kmalloc include/linux/kasan.h:211 [inline]
 kmalloc_trace+0x18c/0x360 mm/slub.c:3997
 kmalloc include/linux/slab.h:628 [inline]
 kzalloc include/linux/slab.h:749 [inline]
 virtio_transport_do_socket_init+0x56/0x350 net/vmw_vsock/virtio_transport_common.c:878
 vsock_assign_transport+0x497/0x5e0 net/vmw_vsock/af_vsock.c:507
 vsock_connect+0x5cb/0xe30 net/vmw_vsock/af_vsock.c:1393
 __sys_connect_file net/socket.c:2048 [inline]
 __sys_connect+0x2d6/0x300 net/socket.c:2065
 __do_sys_connect net/socket.c:2075 [inline]
 __se_sys_connect net/socket.c:2072 [inline]
 __x64_sys_connect+0x7a/0x90 net/socket.c:2072
 do_syscall_64+0x5e/0x130
 entry_SYSCALL_64_after_hwframe+0x71/0x79

Freed by task 399:
 kasan_save_stack mm/kasan/common.c:47 [inline]
 kasan_save_track+0x3b/0x70 mm/kasan/common.c:68
 kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:579
 poison_slab_object+0xfd/0x140 mm/kasan/common.c:240
 __kasan_slab_free+0x37/0x60 mm/kasan/common.c:256
 kasan_slab_free include/linux/kasan.h:184 [inline]
 slab_free_hook mm/slub.c:2106 [inline]
 slab_free mm/slub.c:4280 [inline]
 kfree+0xe8/0x280 mm/slub.c:4390
 virtio_transport_destruct+0x3b/0x50 net/vmw_vsock/virtio_transport_common.c:1089
 vsock_deassign_transport net/vmw_vsock/af_vsock.c:422 [inline]
 vsock_assign_transport+0x33f/0x5e0 net/vmw_vsock/af_vsock.c:490
 vsock_connect+0x5cb/0xe30 net/vmw_vsock/af_vsock.c:1393
 __sys_connect_file net/socket.c:2048 [inline]
 __sys_connect+0x2d6/0x300 net/socket.c:2065
 __do_sys_connect net/socket.c:2075 [inline]
 __se_sys_connect net/socket.c:2072 [inline]
 __x64_sys_connect+0x7a/0x90 net/socket.c:2072
 do_syscall_64+0x5e/0x130
 entry_SYSCALL_64_after_hwframe+0x71/0x79

The buggy address belongs to the object at ffff888101bede00
 which belongs to the cache kmalloc-96 of size 96
The buggy address is located 8 bytes inside of
 freed 96-byte region [ffff888101bede00, ffff888101bede60)

The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x101bed
anon flags: 0x4000000000000800(slab|zone=1)
page_type: 0xffffffff()
raw: 4000000000000800 ffff888100041780 0000000000000000 dead000000000001
raw: 0000000000000000 0000000000200020 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY), pid 1, tgid 1 (swapper/0), ts 3829147723, free_ts 0
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x217/0x220 mm/page_alloc.c:1534
 prep_new_page mm/page_alloc.c:1541 [inline]
 get_page_from_freelist+0x3587/0x3650 mm/page_alloc.c:3317
 __alloc_pages+0x3ad/0x800 mm/page_alloc.c:4575
 __alloc_pages_node include/linux/gfp.h:238 [inline]
 alloc_pages_node include/linux/gfp.h:261 [inline]
 alloc_slab_page mm/slub.c:2175 [inline]
 allocate_slab mm/slub.c:2338 [inline]
 new_slab+0xe8/0x4b0 mm/slub.c:2391
 ___slab_alloc+0x76f/0xc40 mm/slub.c:3525
 __slab_alloc mm/slub.c:3610 [inline]
 __slab_alloc_node mm/slub.c:3663 [inline]
 slab_alloc_node mm/slub.c:3835 [inline]
 kmalloc_trace+0x217/0x360 mm/slub.c:3992
 kmalloc include/linux/slab.h:628 [inline]
 kzalloc include/linux/slab.h:749 [inline]
 class_dir_create_and_add drivers/base/core.c:3239 [inline]
 get_device_parent+0x264/0x3b0 drivers/base/core.c:3299
 device_add+0x313/0xb40 drivers/base/core.c:3629
 usb_add_gadget+0x349/0x670 drivers/usb/gadget/udc/core.c:1412
 usb_add_gadget_udc_release drivers/usb/gadget/udc/core.c:1467 [inline]
 usb_add_gadget_udc+0x11a/0x150 drivers/usb/gadget/udc/core.c:1514
 dummy_udc_probe+0x6e3/0x7f0 drivers/usb/gadget/udc/dummy_hcd.c:1095
 platform_probe+0x163/0x1f0 drivers/base/platform.c:1404
 really_probe+0x2b8/0x820 drivers/base/dd.c:656
 __driver_probe_device+0x19d/0x310 drivers/base/dd.c:798
 driver_probe_device+0x54/0x3e0 drivers/base/dd.c:828
 __device_attach_driver+0x2e6/0x490 drivers/base/dd.c:956
page_owner free stack trace missing

Memory state around the buggy address:
 ffff888101bedd00: 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc
 ffff888101bedd80: 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc
>ffff888101bede00: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
                      ^
 ffff888101bede80: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
 ffff888101bedf00: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc
==================================================================