==================================================================
BUG: KASAN: slab-out-of-bounds in nsproxy_free+0x57c/0x5a0
Read of size 8 at addr ffff88800c333af0 by task syz-executor.2/4453
CPU: 0 UID: 0 PID: 4453 Comm: syz-executor.2 Not tainted 6.18.0-rc5-next-20251113 #1 PREEMPT(voluntary)
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
Call Trace:
dump_stack_lvl+0xca/0x120
print_report+0xcb/0x610
kasan_report+0xca/0x100
nsproxy_free+0x57c/0x5a0
create_new_namespaces+0x585/0x750
copy_namespaces+0x45c/0x580
copy_process+0x26e4/0x72a0
kernel_clone+0xea/0x7f0
__do_sys_clone3+0x1f5/0x280
do_syscall_64+0xbf/0x430
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f0106b9ab19
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f01040ce188 EFLAGS: 00000246 ORIG_RAX: 00000000000001b3
RAX: ffffffffffffffda RBX: 00007f0106cae0e0 RCX: 00007f0106b9ab19
RDX: 0000000000000000 RSI: 0000000000000058 RDI: 0000000020005880
RBP: 00007f0106bf4f6d R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007fff42c45cef R14: 00007f01040ce300 R15: 0000000000022000
Allocated by task 4453:
kasan_save_stack+0x24/0x50
kasan_save_track+0x14/0x30
__kasan_slab_alloc+0x59/0x70
kmem_cache_alloc_noprof+0x213/0x690
create_new_namespaces+0x30/0x750
copy_namespaces+0x45c/0x580
copy_process+0x26e4/0x72a0
kernel_clone+0xea/0x7f0
__do_sys_clone3+0x1f5/0x280
do_syscall_64+0xbf/0x430
entry_SYSCALL_64_after_hwframe+0x77/0x7f
The buggy address belongs to the object at ffff88800c333a90
which belongs to the cache nsproxy of size 72
The buggy address is located 24 bytes to the right of
allocated 72-byte region [ffff88800c333a90, ffff88800c333ad8)
The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff88800c333410 pfn:0xc333
memcg:ffff88800efa0c01
flags: 0x100000000000000(node=0|zone=1)
page_type: f5(slab)
raw: 0100000000000000 ffff88800944cdc0 dead000000000122 0000000000000000
raw: ffff88800c333410 0000000080270020 00000000f5000000 ffff88800efa0c01
page dumped because: kasan: bad access detected
Memory state around the buggy address:
 ffff88800c333980: 00 00 00 00 fc fc fc fc 00 00 00 00 00 00 00 00
 ffff88800c333a00: 00 fc fc fc fc 00 00 00 00 00 00 00 00 00 fc fc
>ffff88800c333a80: fc fc 00 00 00 00 00 00 00 00 00 fc fc fc fc fc
                                                             ^
 ffff88800c333b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff88800c333b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
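Added example, not part of the kernel output on this page: a Python decoder that turns the slab-out-of-bounds report above into numbers and cross-checks them, so the "Read of size 8", the object bounds and the "Memory state" rows can be reconciled mechanically rather than by eye. The REPORT string is the report above with the stack traces and page dump trimmed; the 8-byte granule, the 16-byte row width and the shadow-byte meanings are the generic-KASAN conventions from mm/kasan/kasan.h (only a subset of the poison values is listed), and the field regexes assume the 6.x report wording.

```python
import re

# Constructed input: the slab-out-of-bounds report above, reduced to the lines
# this decoder reads (stack traces and the page dump were dropped).
REPORT = """\
BUG: KASAN: slab-out-of-bounds in nsproxy_free+0x57c/0x5a0
Read of size 8 at addr ffff88800c333af0 by task syz-executor.2/4453
The buggy address belongs to the object at ffff88800c333a90
which belongs to the cache nsproxy of size 72
The buggy address is located 24 bytes to the right of
allocated 72-byte region [ffff88800c333a90, ffff88800c333ad8)
Memory state around the buggy address:
ffff88800c333980: 00 00 00 00 fc fc fc fc 00 00 00 00 00 00 00 00
ffff88800c333a00: 00 fc fc fc fc 00 00 00 00 00 00 00 00 00 fc fc
>ffff88800c333a80: fc fc 00 00 00 00 00 00 00 00 00 fc fc fc fc fc
ffff88800c333b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
"""

GRANULE = 8          # bytes of kernel memory covered by one shadow byte (generic KASAN)
BYTES_PER_ROW = 16   # shadow bytes printed per "Memory state" row

# Subset of the shadow encodings in mm/kasan/kasan.h; other values are reported raw.
SHADOW_POISON = {
    0xfc: "slab redzone",
    0xfb: "freed slab object",
    0xfe: "page redzone (large kmalloc)",
    0xff: "freed page",
}

def shadow_meaning(b):
    """Human-readable meaning of one shadow byte."""
    if b == 0:
        return "granule fully accessible"
    if 1 <= b < GRANULE:
        return f"first {b} bytes of granule accessible"
    return SHADOW_POISON.get(b, f"unknown poison 0x{b:02x}")

def parse_report(text):
    """Pull the fields a triager needs out of a generic-KASAN slab report."""
    bug = re.search(r"BUG: KASAN: (\S+) in (\S+)", text)
    acc = re.search(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+)", text)
    obj = re.search(r"belongs to the object at ([0-9a-f]+)", text)
    cache = re.search(r"belongs to the cache (\S+) of size (\d+)", text)
    region = re.search(r"region \[([0-9a-f]+), ([0-9a-f]+)\)", text)
    rows = {}
    # ">" marks the row containing the bad address; the rows are 16 shadow bytes each.
    for m in re.finditer(r"^>?\s*([0-9a-f]{16}):((?:\s+[0-9a-f]{2}){16})\s*$", text, re.M):
        rows[int(m.group(1), 16)] = [int(b, 16) for b in m.group(2).split()]
    return {
        "bug": bug.group(1), "func": bug.group(2),
        "kind": acc.group(1), "size": int(acc.group(2)), "addr": int(acc.group(3), 16),
        "object": int(obj.group(1), 16),
        "cache": cache.group(1), "object_size": int(cache.group(2)),
        "region": (int(region.group(1), 16), int(region.group(2), 16)),
        "rows": rows,
    }

def shadow_byte(rows, addr):
    """Shadow byte covering addr, taken from the dumped rows (None if not dumped)."""
    for base, bytes_ in rows.items():
        if base <= addr < base + BYTES_PER_ROW * GRANULE:
            return bytes_[(addr - base) // GRANULE]
    return None

def locate(r):
    """Where the access starts relative to the allocated region: (side, distance)."""
    start, end = r["region"]
    if r["addr"] < start:
        return "left", start - r["addr"]
    if r["addr"] >= end:
        return "right", r["addr"] - end
    return "inside", r["addr"] - start

def triage(text):
    """Parse the report and attach the derived facts used for triage."""
    r = parse_report(text)
    side, dist = locate(r)
    sb = shadow_byte(r["rows"], r["addr"])
    r.update({
        "side": side, "distance": dist,
        "offset_in_object": r["addr"] - r["object"],          # field offset the code used
        "region_len_ok": r["region"][1] - r["region"][0] == r["object_size"],
        "shadow": sb, "shadow_meaning": shadow_meaning(sb),
    })
    return r

if __name__ == "__main__":
    r = triage(REPORT)
    print(f'{r["kind"]} of {r["size"]} at {r["addr"]:#x}: {r["distance"]} bytes to the '
          f'{r["side"]} of the {r["object_size"]}-byte {r["cache"]} object at {r["object"]:#x} '
          f'(offset {r["offset_in_object"]}); shadow {r["shadow"]:#04x} = {r["shadow_meaning"]}')
```

For this report the decoder agrees with the kernel's own summary: the 8-byte read starts at offset 96 from an object whose cache size is 72, i.e. 24 bytes past the end and three granules into the slab redzone (shadow 0xfc), not a partial overrun of the last field.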
Oops: general protection fault, probably for non-canonical address 0xdffffc000000002e: 0000 [#1] SMP KASAN NOPTI
KASAN: null-ptr-deref in range [0x0000000000000170-0x0000000000000177]
CPU: 0 UID: 0 PID: 4453 Comm: syz-executor.2 Tainted: G B 6.18.0-rc5-next-20251113 #1 PREEMPT(voluntary)
Tainted: [B]=BAD_PAGE
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
RIP: 0010:nsproxy_free+0x28a/0x5a0
Code: 02 00 00 4c 8b 65 28 4d 85 e4 74 43 e8 4f 47 30 00 49 8d bc 24 78 01 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 f7 02 00 00 49 8b 9c 24 78 01 00 00 bf 08 00 00
RSP: 0018:ffff88801dd6f9f8 EFLAGS: 00010217
RAX: dffffc0000000000 RBX: 0000000000000001 RCX: ffffc90005417000
RDX: 000000000000002e RSI: ffffffff8144cb61 RDI: 0000000000000174
RBP: ffff88800c333a90 R08: 0000000000000000 R09: 0000000000000000
R10: ffffffff8664e957 R11: ffff88801f3fec80 R12: fffffffffffffffc
R13: ffff88800d690c1c R14: ffff88801fa5b0c0 R15: ffff88804a3a8878
FS: 00007f01040ce700(0000) GS:ffff8880e5394000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020000240 CR3: 000000000d15d000 CR4: 0000000000350ef0
Call Trace:
create_new_namespaces+0x585/0x750
copy_namespaces+0x45c/0x580
copy_process+0x26e4/0x72a0
kernel_clone+0xea/0x7f0
__do_sys_clone3+0x1f5/0x280
do_syscall_64+0xbf/0x430
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f0106b9ab19
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f01040ce188 EFLAGS: 00000246 ORIG_RAX: 00000000000001b3
RAX: ffffffffffffffda RBX: 00007f0106cae0e0 RCX: 00007f0106b9ab19
RDX: 0000000000000000 RSI: 0000000000000058 RDI: 0000000020005880
RBP: 00007f0106bf4f6d R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007fff42c45cef R14: 00007f01040ce300 R15: 0000000000022000
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:nsproxy_free+0x28a/0x5a0
Code: 02 00 00 4c 8b 65 28 4d 85 e4 74 43 e8 4f 47 30 00 49 8d bc 24 78 01 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 f7 02 00 00 49 8b 9c 24 78 01 00 00 bf 08 00 00
RSP: 0018:ffff88801dd6f9f8 EFLAGS: 00010217
RAX: dffffc0000000000 RBX: 0000000000000001 RCX: ffffc90005417000
RDX: 000000000000002e RSI: ffffffff8144cb61 RDI: 0000000000000174
RBP: ffff88800c333a90 R08: 0000000000000000 R09: 0000000000000000
R10: ffffffff8664e957 R11: ffff88801f3fec80 R12: fffffffffffffffc
R13: ffff88800d690c1c R14: ffff88801fa5b0c0 R15: ffff88804a3a8878
FS: 00007f01040ce700(0000) GS:ffff8880e5394000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020000240 CR3: 000000000d15d000 CR4: 0000000000350ef0
----------------
Code disassembly (best guess):
0: 02 00 add (%rax),%al
2: 00 4c 8b 65 add %cl,0x65(%rbx,%rcx,4)
6: 28 4d 85 sub %cl,-0x7b(%rbp)
9: e4 74 in $0x74,%al
b: 43 e8 4f 47 30 00 rex.XB callq 0x304760
11: 49 8d bc 24 78 01 00 lea 0x178(%r12),%rdi
18: 00
19: 48 b8 00 00 00 00 00 movabs $0xdffffc0000000000,%rax
20: fc ff df
23: 48 89 fa mov %rdi,%rdx
26: 48 c1 ea 03 shr $0x3,%rdx
* 2a: 80 3c 02 00 cmpb $0x0,(%rdx,%rax,1) <-- trapping instruction
2e: 0f 85 f7 02 00 00 jne 0x32b
34: 49 8b 9c 24 78 01 00 mov 0x178(%r12),%rbx
3b: 00
3c: bf .byte 0xbf
3d: 08 00 or %al,(%rax)
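Added example, again not from the kernel or syzkaller output above: the arithmetic behind the second report, showing why a load through a tiny pointer surfaces as a general protection fault on a non-canonical 0xdffffc... address, and how the kernel maps that fault back into the "KASAN: null-ptr-deref in range" line. The inputs are the register values in the dump (RAX, RDI, RDX, R12) and the lea/shr/cmpb sequence in the disassembly; KASAN_SHADOW_OFFSET, the granule shift, PAGE_SIZE and TASK_SIZE_MAX are the x86_64 defaults, and decode_non_canonical() mirrors the classification in kasan_non_canonical_hook() (mm/kasan/report.c) with only its lower-bound check.

```python
MASK64 = (1 << 64) - 1
KASAN_SHADOW_OFFSET = 0xdffffc0000000000   # x86_64 CONFIG_KASAN_SHADOW_OFFSET; the RAX value above
KASAN_SHADOW_SCALE_SHIFT = 3               # one shadow byte per 8 bytes of memory
KASAN_GRANULE_SIZE = 1 << KASAN_SHADOW_SCALE_SHIFT
PAGE_SIZE = 4096
TASK_SIZE_MAX = (1 << 47) - PAGE_SIZE      # x86_64, 4-level paging
MAX_ERRNO = 4095                           # range used by the kernel's IS_ERR()

def effective_address(base, disp):
    """lea disp(%base),%reg: a 64-bit add that wraps."""
    return (base + disp) & MASK64

def shadow_address(addr):
    """Shadow byte for addr, exactly as the inlined check computes it:
    (addr >> 3) + KASAN_SHADOW_OFFSET, i.e. the shr $3 / cmpb (%rdx,%rax,1) pair."""
    return ((addr >> KASAN_SHADOW_SCALE_SHIFT) + KASAN_SHADOW_OFFSET) & MASK64

def is_canonical(addr):
    """x86_64 with 48-bit virtual addresses: bits 63..47 must all be equal."""
    top = addr >> 47
    return top == 0 or top == (1 << 17) - 1

def decode_non_canonical(fault_addr):
    """Mirror of kasan_non_canonical_hook(): map a faulting shadow address back to
    the original access and classify it the way the 'KASAN: ... in range' line does."""
    if fault_addr < KASAN_SHADOW_OFFSET:
        return None                        # not a shadow address, nothing to decode
    orig = ((fault_addr - KASAN_SHADOW_OFFSET) << KASAN_SHADOW_SCALE_SHIFT) & MASK64
    if orig < PAGE_SIZE:
        kind = "null-ptr-deref"
    elif orig < TASK_SIZE_MAX:
        kind = "user-memory-access"
    else:
        kind = "wild-memory-access"
    return kind, orig, orig + KASAN_GRANULE_SIZE - 1

def to_signed64(v):
    return v - (1 << 64) if v & (1 << 63) else v

def is_err_value(v):
    """Same test as IS_ERR(): the value lies in [-MAX_ERRNO, -1] viewed as unsigned."""
    return v >= (-MAX_ERRNO) & MASK64

def walk_trapping_sequence(r12, disp=0x178):
    """Replay the three instructions before the trap with the dumped R12 value."""
    rdi = effective_address(r12, disp)              # lea 0x178(%r12),%rdi
    rdx = rdi >> KASAN_SHADOW_SCALE_SHIFT           # mov %rdi,%rdx ; shr $0x3,%rdx
    probe = (rdx + KASAN_SHADOW_OFFSET) & MASK64    # cmpb $0x0,(%rdx,%rax,1) with %rax = offset
    return {
        "rdi": rdi, "rdx": rdx, "probe": probe,
        "canonical": is_canonical(probe),           # False -> #GP instead of a page fault
        "decoded": decode_non_canonical(probe),     # what the KASAN hook prints for it
        "r12_signed": to_signed64(r12),
        "r12_is_err": is_err_value(r12),
    }

if __name__ == "__main__":
    w = walk_trapping_sequence(0xfffffffffffffffc)  # R12 from the register dump
    print(f'rdi={w["rdi"]:#x} rdx={w["rdx"]:#x} shadow probe={w["probe"]:#x} '
          f'canonical={w["canonical"]} -> {w["decoded"]}; r12 as signed = {w["r12_signed"]}')
```

Replaying the dump reproduces every number the kernel printed: R12 + 0x178 wraps to 0x174 (RDI), 0x174 >> 3 is 0x2e (RDX), and adding the shadow offset in RAX gives 0xdffffc000000002e, the non-canonical address in the Oops line. Because bits 63..47 of that value are not uniform the CPU raises #GP rather than a page fault, and the hook shifts the offset back to 0x170 and widens it to one granule, which is the [0x170-0x177] range reported. The R12 value itself is -4 as a signed 64-bit integer, a value IS_ERR() would accept; the dump records that fact but not how the field came to hold it.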