vxcan0: j1939_tp_rxtimer: 0x0000000095c8d76e: abort rx timeout. Force session deactivation
==================================================================
BUG: KASAN: use-after-free in __run_hrtimer kernel/time/hrtimer.c:1521 [inline]
BUG: KASAN: use-after-free in __hrtimer_run_queues+0xa65/0xb80 kernel/time/hrtimer.c:1583
Read of size 1 at addr ffff888093430573 by task syz-executor.0/7255

CPU: 0 PID: 7255 Comm: syz-executor.0 Not tainted 5.6.0-rc4-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x128/0x182 lib/dump_stack.c:118
 print_address_description.constprop.8.cold.10+0x9/0x317 mm/kasan/report.c:374
 __kasan_report.cold.11+0x1c/0x34 mm/kasan/report.c:506
 kasan_report+0xe/0x20 mm/kasan/common.c:641
 __run_hrtimer kernel/time/hrtimer.c:1521 [inline]
 __hrtimer_run_queues+0xa65/0xb80 kernel/time/hrtimer.c:1583
 hrtimer_run_softirq+0x167/0x250 kernel/time/hrtimer.c:1600
 __do_softirq+0x26e/0xa0c kernel/softirq.c:292
 invoke_softirq kernel/softirq.c:373 [inline]
 irq_exit+0x191/0x1d0 kernel/softirq.c:413
 exiting_irq arch/x86/include/asm/apic.h:546 [inline]
 smp_apic_timer_interrupt+0x1a1/0x5f0 arch/x86/kernel/apic/apic.c:1146
 apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:829
RIP: 0010:arch_local_irq_restore arch/x86/include/asm/paravirt.h:752 [inline]
RIP: 0010:console_unlock+0x8bb/0xbd0 kernel/printk/printk.c:2481
Code: 18 1f b4 88 48 89 f8 48 c1 e8 03 42 80 3c 30 00 0f 85 b7 02 00 00 48 83 3d 79 eb 60 07 00 0f 84 0e 01 00 00 48 8b 7d c8 57 9d <0f> 1f 44 00 00 e9 9c f8 ff ff 49 8d 7f 08 48 89 f8 48 c1 e8 03 42
RSP: 0018:ffffc900019bec30 EFLAGS: 00000282 ORIG_RAX: ffffffffffffff13
RAX: 1ffffffff11683e3 RBX: 0000000000000200 RCX: 0000000000000006
RDX: 0000000000000000 RSI: 0000000000000008 RDI: 0000000000000282
RBP: ffffc900019beca8 R08: 0000000000000001 R09: fffffbfff165e795
R10: fffffbfff165e794 R11: ffffffff8b2f3ca7 R12: 0000000000000000
R13: ffffffff89316710 R14: dffffc0000000000 R15: 0000000000000000
 vprintk_emit+0x19c/0x560 kernel/printk/printk.c:1996
 printk+0x9a/0xc0 kernel/printk/printk.c:2056
 batadv_check_known_mac_addr.cold.22+0x13/0x28 net/batman-adv/hard-interface.c:516
 batadv_hard_if_event+0x207/0x1320 net/batman-adv/hard-interface.c:1062
 notifier_call_chain+0x86/0x150 kernel/notifier.c:83
 call_netdevice_notifiers_extack net/core/dev.c:1960 [inline]
 call_netdevice_notifiers net/core/dev.c:1974 [inline]
 dev_set_mac_address+0x279/0x3d0 net/core/dev.c:8404
 do_setlink+0x5a5/0x2c30 net/core/rtnetlink.c:2551
 __rtnl_newlink+0x9cb/0x1250 net/core/rtnetlink.c:3252
 rtnl_newlink+0x5c/0x80 net/core/rtnetlink.c:3377
 rtnetlink_rcv_msg+0x346/0x8c0 net/core/rtnetlink.c:5436
 netlink_rcv_skb+0x119/0x340 net/netlink/af_netlink.c:2478
 netlink_unicast_kernel net/netlink/af_netlink.c:1303 [inline]
 netlink_unicast+0x434/0x630 net/netlink/af_netlink.c:1329
 netlink_sendmsg+0x714/0xc60 net/netlink/af_netlink.c:1918
 sock_sendmsg_nosec net/socket.c:652 [inline]
 sock_sendmsg+0xac/0xe0 net/socket.c:672
 __sys_sendto+0x1d9/0x2b0 net/socket.c:1998
 __do_compat_sys_socketcall net/compat.c:771 [inline]
 __se_compat_sys_socketcall net/compat.c:719 [inline]
 __ia32_compat_sys_socketcall+0x401/0x550 net/compat.c:719
 do_syscall_32_irqs_on arch/x86/entry/common.c:337 [inline]
 do_fast_syscall_32+0x231/0xb27 arch/x86/entry/common.c:408
 entry_SYSENTER_compat+0x70/0x7f arch/x86/entry/entry_64_compat.S:139

Allocated by task 8504:
 save_stack+0x19/0x80 mm/kasan/common.c:72
 set_track mm/kasan/common.c:80 [inline]
 __kasan_kmalloc.constprop.17+0xc1/0xd0 mm/kasan/common.c:515
 kmem_cache_alloc_trace+0x156/0x780 mm/slab.c:3551
 kmalloc include/linux/slab.h:555 [inline]
 kzalloc include/linux/slab.h:669 [inline]
 j1939_session_new+0x65/0x3b0 net/can/j1939/transport.c:1418
 j1939_tp_send+0x1a7/0x650 net/can/j1939/transport.c:1877
 j1939_sk_send_loop net/can/j1939/socket.c:1037 [inline]
 j1939_sk_sendmsg+0x97c/0x1150 net/can/j1939/socket.c:1160
 sock_sendmsg_nosec net/socket.c:652 [inline]
 sock_sendmsg+0xac/0xe0 net/socket.c:672
 ____sys_sendmsg+0x554/0x760 net/socket.c:2343
 ___sys_sendmsg+0xe4/0x160 net/socket.c:2397
 __sys_sendmsg+0xce/0x170 net/socket.c:2430
 do_syscall_32_irqs_on arch/x86/entry/common.c:337 [inline]
 do_fast_syscall_32+0x231/0xb27 arch/x86/entry/common.c:408
 entry_SYSENTER_compat+0x70/0x7f arch/x86/entry/entry_64_compat.S:139

Freed by task 7255:
 save_stack+0x19/0x80 mm/kasan/common.c:72
 set_track mm/kasan/common.c:80 [inline]
 kasan_set_free_info mm/kasan/common.c:337 [inline]
 __kasan_slab_free+0xf7/0x140 mm/kasan/common.c:476
 __cache_free mm/slab.c:3426 [inline]
 kfree+0x107/0x2b0 mm/slab.c:3757
 j1939_tp_rxtimer+0x249/0x254 net/can/j1939/transport.c:1194
 __run_hrtimer kernel/time/hrtimer.c:1519 [inline]
 __hrtimer_run_queues+0x31e/0xb80 kernel/time/hrtimer.c:1583
 hrtimer_run_softirq+0x167/0x250 kernel/time/hrtimer.c:1600
 __do_softirq+0x26e/0xa0c kernel/softirq.c:292

The buggy address belongs to the object at ffff888093430400
 which belongs to the cache kmalloc-512 of size 512
The buggy address is located 371 bytes inside of
 512-byte region [ffff888093430400, ffff888093430600)
The buggy address belongs to the page:
page:ffffea00024d0c00 refcount:1 mapcount:0 mapping:ffff8880aa400a80 index:0x0
flags: 0xfffe0000000200(slab)
raw: 00fffe0000000200 ffffea0002a6e608 ffffea0002a40b48 ffff8880aa400a80
raw: 0000000000000000 ffff888093430000 0000000100000004 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff888093430400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff888093430480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff888093430500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                                             ^
 ffff888093430580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff888093430600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================