==================================================================
BUG: KASAN: use-after-free in virtqueue_add+0x2ee1/0x3730 drivers/virtio/virtio_ring.c:1704
Read of size 1 at addr ffff8881dcea5538 by task syslogd/144

CPU: 1 PID: 144 Comm: syslogd Not tainted 5.4.274-syzkaller-04911-g6f97bd951d82 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1d8/0x241 lib/dump_stack.c:118
 print_address_description+0x8c/0x600 mm/kasan/report.c:384
 __kasan_report+0xf3/0x120 mm/kasan/report.c:516
 kasan_report+0x30/0x60 mm/kasan/common.c:653
 virtqueue_add+0x2ee1/0x3730 drivers/virtio/virtio_ring.c:1704
 virtqueue_add_sgs+0xf8/0x110 drivers/virtio/virtio_ring.c:1740
 __virtscsi_add_cmd drivers/scsi/virtio_scsi.c:447 [inline]
 virtscsi_add_cmd+0x589/0x6d0 drivers/scsi/virtio_scsi.c:481
 virtscsi_queuecommand+0x35f/0x5a0 drivers/scsi/virtio_scsi.c:578
 scsi_dispatch_cmd drivers/scsi/scsi_lib.c:1568 [inline]
 scsi_queue_rq+0x1b41/0x2860 drivers/scsi/scsi_lib.c:1699
 blk_mq_dispatch_rq_list+0x8f4/0x16f0 block/blk-mq.c:1320
 blk_mq_do_dispatch_sched+0x389/0x480 block/blk-mq-sched.c:132
 __blk_mq_sched_dispatch_requests+0x3d8/0x4d0 block/blk-mq-sched.c:235
 blk_mq_sched_dispatch_requests+0xec/0x160 block/blk-mq-sched.c:266
 __blk_mq_run_hw_queue+0x15f/0x270 block/blk-mq.c:1451
 __blk_mq_delay_run_hw_queue+0x12b/0x5b0 block/blk-mq.c:1519
 blk_mq_run_hw_queue+0x1d1/0x320 block/blk-mq.c:1556
 blk_mq_sched_insert_requests+0x22b/0x380 block/blk-mq-sched.c:522
 blk_mq_flush_plug_list+0x8b4/0xb00 block/blk-mq.c:1824
 blk_flush_plug_list+0x47e/0x4d0 block/blk-core.c:1790
 blk_finish_plug+0x59/0x80 block/blk-core.c:1807
 read_pages+0x39d/0x400 mm/readahead.c:142
 __do_page_cache_readahead+0x448/0x4f0 mm/readahead.c:212
 ra_submit mm/internal.h:62 [inline]
 do_sync_mmap_readahead mm/filemap.c:2580 [inline]
 filemap_fault+0xb5d/0x16b0 mm/filemap.c:2666
 ext4_filemap_fault+0x7b/0x90 fs/ext4/inode.c:6510
 __do_fault mm/memory.c:3259 [inline]
 do_read_fault mm/memory.c:3668 [inline]
 do_fault mm/memory.c:3797 [inline]
 handle_pte_fault mm/memory.c:4028 [inline]
 __handle_mm_fault mm/memory.c:4152 [inline]
 handle_mm_fault+0x344b/0x4990 mm/memory.c:4189
 do_user_addr_fault arch/x86/mm/fault.c:1469 [inline]
 __do_page_fault+0x509/0xbb0 arch/x86/mm/fault.c:1530
 page_fault+0x2f/0x40 arch/x86/entry/entry_64.S:1206
RIP: 0033:0x7f6c8a1dab68
Code: Bad RIP value.
RSP: 002b:00007fff74529728 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 0000000000000002 RCX: 00007f6c8a1dab6a
RDX: 00000000000000ff RSI: 000055f5e4e9e300 RDI: 0000000000000000
RBP: 000055f5e4e9e2c0 R08: 0000000000000001 R09: 0000000000000000
R10: 00007f6c8a3793a3 R11: 0000000000000246 R12: 000055f5e4e9e342
R13: 000055f5e4e9e300 R14: 0000000000000000 R15: 00007f6c8a3b7a80

Allocated by task 512:
 save_stack mm/kasan/common.c:70 [inline]
 set_track mm/kasan/common.c:78 [inline]
 __kasan_kmalloc+0x171/0x210 mm/kasan/common.c:529
 kmalloc include/linux/slab.h:556 [inline]
 __vring_new_virtqueue+0x13c/0xd50 drivers/virtio/virtio_ring.c:2071
 vring_create_virtqueue_split drivers/virtio/virtio_ring.c:894 [inline]
 vring_create_virtqueue+0x11a3/0x1d20 drivers/virtio/virtio_ring.c:2152
 setup_vq+0x153/0x350 drivers/virtio/virtio_pci_legacy.c:137
 vp_setup_vq+0xbc/0x330 drivers/virtio/virtio_pci_common.c:189
 vp_find_vqs_msix+0x8a3/0xc70 drivers/virtio/virtio_pci_common.c:322
 vp_find_vqs+0x4f/0x470 drivers/virtio/virtio_pci_common.c:399
 virtio_find_vqs include/linux/virtio_config.h:198 [inline]
 virtscsi_init+0x490/0xb70 drivers/scsi/virtio_scsi.c:807
 virtscsi_restore+0x4f/0x190 drivers/scsi/virtio_scsi.c:941
 virtio_device_restore+0x39d/0x5a0 drivers/virtio/virtio.c:433
 dpm_run_callback+0x30/0x390 drivers/base/power/main.c:487
 device_resume+0x551/0x620 drivers/base/power/main.c:1029
 async_resume+0x23/0x170 drivers/base/power/main.c:1049
 async_run_entry_fn+0xed/0x3f0 kernel/async.c:123
 process_one_work+0x765/0xd20 kernel/workqueue.c:2290
 worker_thread+0xaef/0x1470 kernel/workqueue.c:2436
 kthread+0x2da/0x360 kernel/kthread.c:288
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:354

Freed by task 511:
 save_stack mm/kasan/common.c:70 [inline]
 set_track mm/kasan/common.c:78 [inline]
 kasan_set_free_info mm/kasan/common.c:345 [inline]
 __kasan_slab_free+0x1b5/0x270 mm/kasan/common.c:487
 slab_free_hook mm/slub.c:1455 [inline]
 slab_free_freelist_hook mm/slub.c:1494 [inline]
 slab_free mm/slub.c:3080 [inline]
 kfree+0x123/0x370 mm/slub.c:4071
 vp_del_vq drivers/virtio/virtio_pci_common.c:221 [inline]
 vp_del_vqs+0x35a/0x890 drivers/virtio/virtio_pci_common.c:243
 virtscsi_remove_vqs drivers/scsi/virtio_scsi.c:772 [inline]
 virtscsi_freeze+0x8d/0xa0 drivers/scsi/virtio_scsi.c:931
 virtio_device_freeze+0x138/0x300 drivers/virtio/virtio.c:390
 virtio_pci_freeze+0x39/0x70 drivers/virtio/virtio_pci_common.c:465
 pci_pm_suspend+0x2a5/0x930 drivers/pci/pci-driver.c:794
 dpm_run_callback+0x30/0x390 drivers/base/power/main.c:487
 __device_suspend+0xa18/0xff0 drivers/base/power/main.c:1816
 async_suspend+0x25/0x230 drivers/base/power/main.c:1848
 async_run_entry_fn+0xed/0x3f0 kernel/async.c:123
 process_one_work+0x765/0xd20 kernel/workqueue.c:2290
 worker_thread+0xaef/0x1470 kernel/workqueue.c:2436
 kthread+0x2da/0x360 kernel/kthread.c:288
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:354

The buggy address belongs to the object at ffff8881dcea5500
 which belongs to the cache kmalloc-192 of size 192
The buggy address is located 56 bytes inside of
 192-byte region [ffff8881dcea5500, ffff8881dcea55c0)
The buggy address belongs to the page:
page:ffffea000773a940 refcount:1 mapcount:0 mapping:ffff8881f5c02a00 index:0x0
flags: 0x8000000000000200(slab)
raw: 8000000000000200 0000000000000000 0000000f00000001 ffff8881f5c02a00
raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12a20(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY)
 set_page_owner include/linux/page_owner.h:31 [inline]
 post_alloc_hook mm/page_alloc.c:2165 [inline]
 prep_new_page+0x18f/0x370 mm/page_alloc.c:2171
 get_page_from_freelist+0x2d13/0x2d90 mm/page_alloc.c:3794
 __alloc_pages_nodemask+0x393/0x840 mm/page_alloc.c:4893
 alloc_slab_page+0x39/0x3c0 mm/slub.c:343
 allocate_slab mm/slub.c:1683 [inline]
 new_slab+0x97/0x440 mm/slub.c:1749
 new_slab_objects mm/slub.c:2505 [inline]
 ___slab_alloc+0x2fe/0x490 mm/slub.c:2667
 __slab_alloc+0x62/0xa0 mm/slub.c:2707
 slab_alloc_node mm/slub.c:2792 [inline]
 slab_alloc mm/slub.c:2837 [inline]
 kmem_cache_alloc_trace+0x12d/0x260 mm/slub.c:2854
 kmalloc include/linux/slab.h:556 [inline]
 kzalloc include/linux/slab.h:690 [inline]
 mca_alloc net/ipv6/mcast.c:856 [inline]
 __ipv6_dev_mc_inc+0x39a/0x940 net/ipv6/mcast.c:914
 addrconf_join_solict net/ipv6/addrconf.c:2174 [inline]
 addrconf_dad_begin net/ipv6/addrconf.c:4013 [inline]
 addrconf_dad_work+0x462/0x16f0 net/ipv6/addrconf.c:4140
 process_one_work+0x765/0xd20 kernel/workqueue.c:2290
 worker_thread+0xaef/0x1470 kernel/workqueue.c:2436
 kthread+0x2da/0x360 kernel/kthread.c:288
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:354
page_owner free stack trace missing

Memory state around the buggy address:
 ffff8881dcea5400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8881dcea5480: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
>ffff8881dcea5500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                        ^
 ffff8881dcea5580: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
 ffff8881dcea5600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
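Triage note, added here and not part of the syzkaller report: the facts that matter in a slab use-after-free report like this one are the access site once KASAN's own frames are skipped, the allocating and freeing call sites once the allocator's frames are skipped, and whether the reported offset and the shadow byte under the caret agree with the address arithmetic. The parser below pulls those out and cross-checks them. The REPORT string is an excerpt of the report above with the long stacks trimmed to a few frames; the frame-skipping heuristic (treat anything under mm/kasan/, mm/slub.c and include/linux/slab.h as instrumentation) and the shadow-byte table (0xfb = KASAN_KMALLOC_FREE, 0xfc = KASAN_KMALLOC_REDZONE, as defined in mm/kasan/kasan.h for this kernel generation) are the added part.

```python
"""Extract and cross-check the key facts of a KASAN slab use-after-free report.

Added example. REPORT is an excerpt of the syzkaller report on this page
(stacks trimmed); the parsing logic and the consistency checks are new.
"""
import re

REPORT = """\
BUG: KASAN: use-after-free in virtqueue_add+0x2ee1/0x3730 drivers/virtio/virtio_ring.c:1704
Read of size 1 at addr ffff8881dcea5538 by task syslogd/144
Call Trace:
 kasan_report+0x30/0x60 mm/kasan/common.c:653
 virtqueue_add+0x2ee1/0x3730 drivers/virtio/virtio_ring.c:1704
 virtscsi_add_cmd+0x589/0x6d0 drivers/scsi/virtio_scsi.c:481

Allocated by task 512:
 __kasan_kmalloc+0x171/0x210 mm/kasan/common.c:529
 kmalloc include/linux/slab.h:556 [inline]
 __vring_new_virtqueue+0x13c/0xd50 drivers/virtio/virtio_ring.c:2071
 virtscsi_restore+0x4f/0x190 drivers/scsi/virtio_scsi.c:941

Freed by task 511:
 __kasan_slab_free+0x1b5/0x270 mm/kasan/common.c:487
 kfree+0x123/0x370 mm/slub.c:4071
 vp_del_vqs+0x35a/0x890 drivers/virtio/virtio_pci_common.c:243
 virtscsi_freeze+0x8d/0xa0 drivers/scsi/virtio_scsi.c:931

The buggy address belongs to the object at ffff8881dcea5500
 which belongs to the cache kmalloc-192 of size 192
The buggy address is located 56 bytes inside of
 192-byte region [ffff8881dcea5500, ffff8881dcea55c0)

Memory state around the buggy address:
>ffff8881dcea5500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
"""

# Shadow byte values for slab objects (mm/kasan/kasan.h); one shadow byte covers 8 bytes.
KASAN_SHADOW = {0xfb: "KASAN_KMALLOC_FREE", 0xfc: "KASAN_KMALLOC_REDZONE"}
# Frames from these paths are allocator/KASAN plumbing, not the subsystem under test.
INSTRUMENTATION = ("mm/kasan/", "mm/slub.c", "include/linux/slab.h")
FRAME_RE = re.compile(r"^ (\S+?)(?:\+0x[0-9a-f]+/0x[0-9a-f]+)? (\S+:\d+)( \[inline\])?$")


def frames(report, header):
    """Return [(function, file:line)] for the stack printed under `header`."""
    out, active = [], False
    for line in report.splitlines():
        if line.startswith(header):
            active = True
            continue
        if active:
            m = FRAME_RE.match(line)
            if not m:
                break  # blank line or next section ends the stack
            out.append((m.group(1), m.group(2)))
    return out


def first_subsystem_frame(stack):
    """First frame outside KASAN/allocator code: the place a reviewer looks at."""
    for func, loc in stack:
        if not loc.startswith(INSTRUMENTATION):
            return func
    return None


def parse_kasan(report):
    bug, top = re.search(r"^BUG: KASAN: (\S+) in (\S+?)(?:\+\S+)? \S+$", report, re.M).groups()
    kind, size, addr, comm, pid = re.search(
        r"^(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (\S+)/(\d+)$", report, re.M).groups()
    obj, cache, objsize = re.search(
        r"object at ([0-9a-f]+)\s+which belongs to the cache (\S+) of size (\d+)", report).groups()
    claimed = int(re.search(r"located (\d+) bytes inside of", report).group(1))
    alloc_task = int(re.search(r"^Allocated by task (\d+):$", report, re.M).group(1))
    free_task = int(re.search(r"^Freed by task (\d+):$", report, re.M).group(1))

    # Recompute the offset from the addresses instead of trusting the prose line.
    offset = int(addr, 16) - int(obj, 16)

    # The '>' row is the 128-byte shadow window containing the access; index its granule.
    row_base, row_bytes = re.search(r"^>([0-9a-f]+): (.*)$", report, re.M).groups()
    granule = (int(addr, 16) - int(row_base, 16)) // 8
    shadow = int(row_bytes.split()[granule], 16)

    return {
        "bug": bug, "access": kind, "size": int(size), "addr": int(addr, 16),
        "comm": comm, "pid": int(pid), "top_frame": top,
        "access_site": first_subsystem_frame(frames(report, "Call Trace:")),
        "cache": cache, "object_size": int(objsize),
        "offset": offset, "claimed_offset": claimed, "offset_consistent": offset == claimed,
        "in_object": 0 <= offset < int(objsize),
        "alloc_task": alloc_task,
        "alloc_site": first_subsystem_frame(frames(report, "Allocated by task")),
        "free_task": free_task,
        "free_site": first_subsystem_frame(frames(report, "Freed by task")),
        "shadow": KASAN_SHADOW.get(shadow, hex(shadow)),
    }


if __name__ == "__main__":
    r = parse_kasan(REPORT)
    print(f"{r['bug']}: {r['access']} of {r['size']} byte(s) in {r['access_site']} "
          f"at +{r['offset']} of a {r['cache']} object; shadow={r['shadow']}; "
          f"allocated by {r['alloc_site']} (task {r['alloc_task']}), "
          f"freed by {r['free_site']} (task {r['free_task']})")
```

For this report the checks agree: 0xffff8881dcea5538 minus 0xffff8881dcea5500 is 56, the granule under the caret is 0xfb (freed object), the allocation came from __vring_new_virtqueue on the restore path and the free from vp_del_vqs on the freeze path, while the faulting read is in virtqueue_add on a different task. The skip list is a heuristic: on other kernels the frames worth treating as plumbing differ, so adjust INSTRUMENTATION before trusting the sites it picks.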