Out of memory (oom_kill_allocating_task): Killed process 13166 (syz-executor.2) total-vm:93808kB, anon-rss:384kB, file-rss:34640kB, shmem-rss:0kB, UID:0 pgtables:136kB oom_score_adj:1000
------------[ cut here ]------------
kernfs_put: syz4/memory.events: released with incorrect active_ref 0
WARNING: CPU: 0 PID: 10708 at fs/kernfs/dir.c:531 kernfs_put.part.0+0x433/0x540
Modules linked in:
CPU: 0 PID: 10708 Comm: kworker/0:1 Not tainted 5.19.0-rc4-next-20220701 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014
Workqueue: events kernfs_notify_workfn
RIP: 0010:kernfs_put.part.0+0x433/0x540
Code: 03 80 3c 18 00 0f 85 ea 00 00 00 4d 8b 7d 38 e8 53 42 a7 ff 48 8b 14 24 44 89 f1 4c 89 fe 48 c7 c7 a0 58 72 84 e8 97 1c 6c 02 <0f> 0b e9 b9 fc ff ff 48 89 ef e8 8e b6 d9 ff e9 c1 fd ff ff e8 84
RSP: 0018:ffff88804264fbd8 EFLAGS: 00010286
RAX: 0000000000000000 RBX: dffffc0000000000 RCX: 0000000000000000
RDX: ffff88800cc01ac0 RSI: ffffffff812b6848 RDI: ffffed10084c9f6d
RBP: ffff888044082eb8 R08: 0000000000000005 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000001 R12: ffff888044082e80
R13: ffff88804467e658 R14: 0000000000000000 R15: ffff88800dc41988
FS: 0000000000000000(0000) GS:ffff88806ce00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000001b2dd20000 CR3: 00000000093b6000 CR4: 0000000000350ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff4ff0 DR7: 0000000000000400
Call Trace:
kernfs_put+0x42/0x50
kernfs_notify_workfn+0x417/0x560
process_one_work+0xa0f/0x1690
worker_thread+0x637/0x1250
kthread+0x2ed/0x3a0
ret_from_fork+0x22/0x30
irq event stamp: 2236789
hardirqs last enabled at (2236801): [] asm_sysvec_apic_timer_interrupt+0x1b/0x20
hardirqs last disabled at (2236810): [] console_emit_next_record.constprop.0+0x667/0x800
softirqs last enabled at (2235502): [] srcu_invoke_callbacks+0x1e5/0x3a0
softirqs last disabled at (2235492): [] srcu_invoke_callbacks+0x1b5/0x3a0
---[ end trace 0000000000000000 ]---
------------[ cut here ]------------
WARNING: CPU: 1 PID: 13200 at fs/kernfs/dir.c:504 kernfs_get.part.0+0x69/0x80
Modules linked in:
CPU: 1 PID: 13200 Comm: syz-executor.5 Not tainted 5.19.0-rc4-next-20220701 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014
RIP: 0010:kernfs_get.part.0+0x69/0x80
Code: 31 ff 89 ee e8 a8 43 a7 ff 85 ed 74 18 e8 cf 46 a7 ff be 04 00 00 00 48 89 df e8 52 be d9 ff f0 ff 03 5b 5d c3 e8 b7 46 a7 ff <0f> 0b eb df 48 89 df e8 fb ba d9 ff eb c6 66 0f 1f 84 00 00 00 00
RSP: 0018:ffff8880467a7630 EFLAGS: 00010093
RAX: 0000000000000000 RBX: ffff888044082e80 RCX: 0000000000000000
RDX: ffff888008205040 RSI: ffffffff819d2579 RDI: 0000000000000005
RBP: 0000000000000000 R08: 0000000000000005 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000001 R12: 0000000000000001
R13: 1ffffffff0a01e40 R14: ffff888044082e80 R15: ffff888045484490
FS: 0000555557097400(0000) GS:ffff88806cf00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fa455481de0 CR3: 0000000018496000 CR4: 0000000000350ee0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff4ff0 DR7: 0000000000000400
Call Trace:
kernfs_get+0x1b/0x30
kernfs_notify+0x180/0x350
cgroup_file_notify+0xf5/0x1a0
shrink_node+0x75f/0x1d10
do_try_to_free_pages+0x3c7/0x1670
try_to_free_pages+0x290/0x7a0
__alloc_pages_slowpath.constprop.0+0x842/0x1fa0
__alloc_pages+0x421/0x4f0
vma_alloc_folio+0xde/0x510
__handle_mm_fault+0xfec/0x34f0
handle_mm_fault+0x2e6/0xa10
do_user_addr_fault+0x536/0x1300
exc_page_fault+0x98/0x1a0
asm_exc_page_fault+0x27/0x30
RIP: 0033:0x7f8627bfc07f
Code: ff ff 4d 89 cd 48 85 c0 74 19 8b 95 44 ff ff ff 48 29 c6 48 01 c7 e8 b0 fb 04 00 85 c0 0f 85 0b 03 00 00 48 8b 85 48 ff ff ff <41> c7 45 18 01 00 00 00 4c 89 ef 49 89 85 90 06 00 00 48 8b 85 50
RSP: 002b:00007ffcfb202b10 EFLAGS: 00010246
RAX: 00007f862515f000 RBX: 0000000000021000 RCX: 00007f8627c4bc27
RDX: 0000000000000003 RSI: 0000000000020000 RDI: 00007f8625160000
RBP: 00007ffcfb202be0 R08: 00000000ffffffff R09: 00007f862517f700
R10: 0000000000020022 R11: 0000000000000206 R12: 00007ffcfb202cf0
R13: 00007f862517f700 R14: 0000000000000000 R15: 0000000000022000
irq event stamp: 12396
hardirqs last enabled at (12395): [] _raw_spin_unlock_irqrestore+0x28/0x50
hardirqs last disabled at (12396): [] _raw_spin_lock_irqsave+0x4e/0x50
softirqs last enabled at (12182): [] __irq_exit_rcu+0x113/0x170
softirqs last disabled at (12153): [] __irq_exit_rcu+0x113/0x170
---[ end trace 0000000000000000 ]---
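The two warnings above are the kernel's own consistency checks on a kernfs_node's reference count. fs/kernfs/dir.c:504 is the WARN_ON(!atomic_read(&kn->count)) at the top of kernfs_get(), and dir.c:531 is the WARN_ONCE in kernfs_put() that fires when the last reference is dropped on a node whose active count is not KN_DEACTIVATED_BIAS, i.e. a node that was never removed (here syz4/memory.events, still at active_ref 0). The <0f> 0b at both kernel RIPs is ud2, the trap WARN is built on, so neither is a hardware fault. Both hit the same node: R12 on CPU 0 and RBX/R14 on CPU 1 are ffff888044082e80, the kworker running kernfs_notify_workfn() dropped the count to zero and freed it, and syz-executor.5, calling kernfs_notify() from cgroup_file_notify() inside reclaim, then did kernfs_get() on the freed object. The notify path keeps these balanced by taking one reference when a node is first put on the notify list and dropping exactly one when the work function takes it off. The user-space model below is an added example, not kernel code: the field names count and active follow struct kernfs_node, but kn_get, kn_put, kn_remove, notify_enqueue, notify_dequeue and the scenario_* functions are hypothetical names. It reproduces the three relevant situations: the balanced life cycle, removal while a notification is pending (why the enqueue reference exists), and one unmatched put in the worker, which yields the log's sequence of a "released with incorrect active_ref" warning followed by a get on count 0 of freed memory. The log does not identify which change broke the pairing, and the model does not claim to.

```c
/* kn_refmodel.c: added user-space model, not kernel code. Field names count and
 * active follow the kernel's struct kernfs_node; kn_get/kn_put/kn_remove,
 * notify_enqueue/notify_dequeue and the scenario_* functions are hypothetical. */
#include <limits.h>
#include <stdio.h>

#define KN_DEACTIVATED_BIAS INT_MIN     /* the kernel's marker for a removed (deactivated) node */

struct kn {
    int count;          /* references; the object is freed when this drops to 0 */
    int active;         /* active refs; KN_DEACTIVATED_BIAS once kernfs_remove() ran */
    int freed;          /* stands in for kmem_cache_free(kernfs_node_cache, kn) */
    int queued;         /* stands in for attr.notify_next: already on the notify list */
    const char *name;
};

enum { WARN_GET_ON_ZERO = 1, WARN_PUT_ON_LIVE = 2, WARN_UAF = 4 };

/* kernfs_get(): WARN_ON(!count), then count++. Done on freed memory it is the KASAN write. */
int kn_get(struct kn *kn)
{
    int w = kn->freed ? WARN_UAF : 0;
    if (kn->count == 0)
        w |= WARN_GET_ON_ZERO;
    kn->count++;
    return w;
}

/* kernfs_put(): the last reference may only go on a deactivated node (dir.c:531 check). */
int kn_put(struct kn *kn)
{
    int w = kn->freed ? WARN_UAF : 0;
    if (--kn->count != 0)
        return w;
    if (kn->active != KN_DEACTIVATED_BIAS) {
        fprintf(stderr, "kn_put: %s: released with incorrect active_ref %d\n", kn->name, kn->active);
        w |= WARN_PUT_ON_LIVE;
    }
    kn->freed = 1;
    return w;
}

/* kernfs_remove(): deactivate, then drop the reference creation gave the node. */
int kn_remove(struct kn *kn)
{
    kn->active = KN_DEACTIVATED_BIAS;
    return kn_put(kn);
}

/* kernfs_notify(): one reference when the node is first queued; later notifies coalesce. */
int notify_enqueue(struct kn *kn)
{
    if (kn->queued)
        return 0;
    kn->queued = 1;
    return kn_get(kn);
}

/* kernfs_notify_workfn(): one dequeue consumes exactly the reference the enqueue took. */
int notify_dequeue(struct kn *kn)
{
    kn->queued = 0;
    return kn_put(kn);
}

/* Balanced: notify twice (coalesced), drain, remove. Expected result: 0. */
int scenario_balanced(void)
{
    struct kn kn = { .count = 1, .name = "memory.events" };
    int w = notify_enqueue(&kn);        /* count 2 */
    w |= notify_enqueue(&kn);           /* already queued: no extra reference */
    w |= notify_dequeue(&kn);           /* count 1 */
    w |= kn_remove(&kn);                /* deactivated, count 0, freed cleanly */
    return w;
}

/* Why the enqueue reference exists: removal while a notify is pending must not free the node. */
int scenario_remove_while_queued(void)
{
    struct kn kn = { .count = 1, .name = "memory.events" };
    int w = notify_enqueue(&kn);        /* count 2 */
    w |= kn_remove(&kn);                /* count 1, still allocated for the worker */
    w |= notify_dequeue(&kn);           /* count 0 with active == BIAS: no warning */
    return w;
}

/* The worker drops one reference the notifier never took. This is the order the log
 * shows: the dir.c:531 warning and the free, then kernfs_get() on count 0 of freed memory. */
int scenario_unbalanced(void)
{
    struct kn kn = { .count = 1, .name = "memory.events" };
    int w = notify_enqueue(&kn);        /* count 2 */
    w |= notify_dequeue(&kn);           /* count 1 */
    w |= notify_dequeue(&kn);           /* unmatched put: count 0 while active == 0, freed */
    w |= notify_enqueue(&kn);           /* next notify: WARN_GET_ON_ZERO | WARN_UAF */
    return w;
}

int main(void)
{
    printf("balanced: %d, remove while queued: %d, unbalanced: %d\n",
           scenario_balanced(), scenario_remove_while_queued(), scenario_unbalanced());
    return 0;
}
```

The returned bit masks are the model's stand-in for the warnings and the KASAN report; a real refcount_t would additionally saturate instead of wrapping, but the kernfs count is a plain atomic_t, which is why the WARN_ON in kernfs_get() is the only thing between a zero count and the increment.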
==================================================================
BUG: KASAN: use-after-free in kernfs_get.part.0+0x5e/0x80
Write of size 4 at addr ffff888044082e80 by task syz-executor.5/13200
CPU: 1 PID: 13200 Comm: syz-executor.5 Tainted: G W 5.19.0-rc4-next-20220701 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014
Call Trace:
dump_stack_lvl+0x8b/0xb3
print_report.cold+0x5e/0x5e1
kasan_report+0xb1/0x1b0
kasan_check_range+0x35/0x1b0
kernfs_get.part.0+0x5e/0x80
kernfs_get+0x1b/0x30
kernfs_notify+0x180/0x350
cgroup_file_notify+0xf5/0x1a0
shrink_node+0x75f/0x1d10
do_try_to_free_pages+0x3c7/0x1670
try_to_free_pages+0x290/0x7a0
__alloc_pages_slowpath.constprop.0+0x842/0x1fa0
__alloc_pages+0x421/0x4f0
vma_alloc_folio+0xde/0x510
__handle_mm_fault+0xfec/0x34f0
handle_mm_fault+0x2e6/0xa10
do_user_addr_fault+0x536/0x1300
exc_page_fault+0x98/0x1a0
asm_exc_page_fault+0x27/0x30
RIP: 0033:0x7f8627bfc07f
Code: ff ff 4d 89 cd 48 85 c0 74 19 8b 95 44 ff ff ff 48 29 c6 48 01 c7 e8 b0 fb 04 00 85 c0 0f 85 0b 03 00 00 48 8b 85 48 ff ff ff <41> c7 45 18 01 00 00 00 4c 89 ef 49 89 85 90 06 00 00 48 8b 85 50
RSP: 002b:00007ffcfb202b10 EFLAGS: 00010246
RAX: 00007f862515f000 RBX: 0000000000021000 RCX: 00007f8627c4bc27
RDX: 0000000000000003 RSI: 0000000000020000 RDI: 00007f8625160000
RBP: 00007ffcfb202be0 R08: 00000000ffffffff R09: 00007f862517f700
R10: 0000000000020022 R11: 0000000000000206 R12: 00007ffcfb202cf0
R13: 00007f862517f700 R14: 0000000000000000 R15: 0000000000022000
Allocated by task 890:
kasan_save_stack+0x1e/0x40
__kasan_slab_alloc+0x66/0x80
kmem_cache_alloc+0x1b1/0x490
__kernfs_new_node+0xd4/0x8b0
kernfs_new_node+0x93/0x120
__kernfs_create_file+0x51/0x350
cgroup_addrm_files+0x3e2/0x9d0
css_populate_dir+0x19b/0x450
cgroup_apply_control_enable+0x3ae/0xa40
cgroup_mkdir+0x824/0x11f0
kernfs_iop_mkdir+0x149/0x1d0
vfs_mkdir+0x417/0x6a0
do_mkdirat+0x17b/0x2e0
__x64_sys_mkdir+0xf2/0x140
do_syscall_64+0x3b/0x90
entry_SYSCALL_64_after_hwframe+0x46/0xb0
Freed by task 10708:
kasan_save_stack+0x1e/0x40
kasan_set_track+0x21/0x30
kasan_set_free_info+0x20/0x30
__kasan_slab_free+0x108/0x190
kmem_cache_free+0xfb/0x600
kernfs_put.part.0+0x2c7/0x540
kernfs_put+0x42/0x50
kernfs_notify_workfn+0x417/0x560
process_one_work+0xa0f/0x1690
worker_thread+0x637/0x1250
kthread+0x2ed/0x3a0
ret_from_fork+0x22/0x30
The buggy address belongs to the object at ffff888044082e80
which belongs to the cache kernfs_node_cache of size 168
The buggy address is located 0 bytes inside of
168-byte region [ffff888044082e80, ffff888044082f28)
The buggy address belongs to the physical page:
page:00000000ce793f7b refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x44082
flags: 0x100000000000200(slab|node=0|zone=1)
raw: 0100000000000200 0000000000000000 dead000000000122 ffff8880080718c0
raw: 0000000000000000 0000000000110011 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff888044082d80: fc fc fc 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff888044082e00: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
>ffff888044082e80: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff888044082f00: fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc
ffff888044082f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
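Reading the shadow block by hand: generic KASAN on x86_64 keeps one shadow byte per 8-byte granule at (addr >> 3) + 0xdffffc0000000000 (that offset is what RBX holds in the CPU 0 register dump above, and RDI there is a shadow address), and the report prints 16 granules per line. 00 means the granule is addressable, 01..07 that only that many leading bytes are, fa and fb mark a freed slab object (fa is the first granule, where the free track is stored), fc is slab redzone. Read that way, the lines above give exactly the extent the report states: 21 non-redzone granules from ffff888044082e80 up to ffff888044082f28, 168 bytes, the size of a kernfs_node_cache object, and the 4-byte write at offset 0 lands on fa, hence use-after-free. The program below is an added example, not kernel code and not part of the report; it embeds the five shadow lines copied from the report, the function names are its own, and it assumes 8-byte granules and the 5.19 poison values.

```c
/* kasan_triage.c: added example, not kernel code and not part of the report.
 * Decodes the "Memory state around the buggy address" block of a generic-KASAN
 * report. Assumes x86_64 generic KASAN: 8-byte granules, shadow offset
 * 0xdffffc0000000000 and the 5.19 poison values (fa/fb freed, fc redzone). */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define KASAN_SHADOW_OFFSET 0xdffffc0000000000ULL
#define GRANULE             8ULL
#define LINE_BYTES          (16 * GRANULE)      /* the report prints 16 granules per line */
#define SLAB_REDZONE        0xfc

/* The five shadow lines copied verbatim from the report above ('>' marks the hit line). */
static const char *const memory_state[] = {
    "ffff888044082d80: fc fc fc 00 00 00 00 00 00 00 00 00 00 00 00 00",
    "ffff888044082e00: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc",
    ">ffff888044082e80: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb",
    "ffff888044082f00: fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc",
    "ffff888044082f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc",
};
#define N_LINES (sizeof memory_state / sizeof memory_state[0])

/* Shadow byte address KASAN checks for a kernel address. */
uint64_t kasan_shadow_addr(uint64_t addr)
{
    return (addr >> 3) + KASAN_SHADOW_OFFSET;
}

/* Shadow byte of the granule containing addr, from the dumped lines; -1 if not covered. */
int shadow_byte(uint64_t addr)
{
    for (size_t i = 0; i < N_LINES; i++) {
        const char *s = memory_state[i] + (memory_state[i][0] == '>');
        uint64_t base = strtoull(s, NULL, 16);
        if (addr < base || addr >= base + LINE_BYTES)
            continue;
        const char *p = strchr(s, ':');
        char *end;
        unsigned long v = 0;
        for (unsigned g = 0; p && g <= (addr - base) / GRANULE; g++, p = end) {
            v = strtoul(p + 1, &end, 16);
            if (end == p + 1)
                return -1;                      /* malformed line */
        }
        return p ? (int)v : -1;
    }
    return -1;
}

/* Verdict for a size-byte access at addr, judged granule by granule as KASAN does. */
const char *classify_access(uint64_t addr, size_t size)
{
    uint64_t last = addr + size - 1;
    for (uint64_t g = addr & ~(GRANULE - 1); g <= last; g += GRANULE) {
        int b = shadow_byte(g);
        if (b < 0)
            return "unknown: outside the dumped shadow";
        if (b == 0)
            continue;
        if (b < (int)GRANULE) {                 /* partial granule: bytes [g, g+b) are valid */
            uint64_t hi = last < g + GRANULE - 1 ? last : g + GRANULE - 1;
            if (hi - g < (uint64_t)b)
                continue;
            return "slab-out-of-bounds";
        }
        if (b == 0xfa || b == 0xfb) return "use-after-free";
        if (b == SLAB_REDZONE || b == 0xfe) return "slab-out-of-bounds";
        return "access to poisoned memory";
    }
    return "valid";
}

/* Extent of the slab object around addr (the run of non-redzone granules); returns its size, 0 on failure. */
uint64_t object_bounds(uint64_t addr, uint64_t *start, uint64_t *end)
{
    uint64_t s = addr & ~(GRANULE - 1), e = s + GRANULE;
    int b = shadow_byte(s);
    if (b < 0 || b == SLAB_REDZONE)
        return 0;
    while ((b = shadow_byte(s - GRANULE)) >= 0 && b != SLAB_REDZONE)
        s -= GRANULE;
    while ((b = shadow_byte(e)) >= 0 && b != SLAB_REDZONE)
        e += GRANULE;
    b = shadow_byte(e - GRANULE);               /* a partial last granule shortens the object */
    if (b > 0 && b < (int)GRANULE)
        e = e - GRANULE + (uint64_t)b;
    if (start) *start = s;
    if (end) *end = e;
    return e - s;
}

int main(void)
{
    uint64_t addr = 0xffff888044082e80ULL, s, e;   /* "Write of size 4 at addr ..." above */
    printf("shadow byte %02x at %#llx: %s\n", shadow_byte(addr),
           (unsigned long long)kasan_shadow_addr(addr), classify_access(addr, 4));
    if (object_bounds(addr, &s, &e))
        printf("object [%#llx, %#llx), %llu bytes\n", (unsigned long long)s,
               (unsigned long long)e, (unsigned long long)(e - s));
    return 0;
}
```

The object extent is recovered purely from the shadow, so disagreement between it and the "belongs to the object at ... of size" lines is itself a signal worth chasing (a wrong cache or a partially poisoned object); here they agree.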
syz-executor.6 invoked oom-killer: gfp_mask=0x2dc2(GFP_KERNEL|__GFP_HIGHMEM|__GFP_NOWARN|__GFP_ZERO), order=0, oom_score_adj=1000
CPU: 0 PID: 13224 Comm: syz-executor.6 Tainted: G B W 5.19.0-rc4-next-20220701 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014
Call Trace:
dump_stack_lvl+0x8b/0xb3
dump_header+0x10b/0x7e4
oom_kill_process.cold+0x10/0x15
out_of_memory+0x11e7/0x14b0
__alloc_pages_slowpath.constprop.0+0x194b/0x1fa0
__alloc_pages+0x421/0x4f0
alloc_pages+0x1a0/0x2f0
__vmalloc_node_range+0x8d9/0x1400
__vmalloc_node+0xa8/0xf0
xt_counters_alloc+0x4c/0x70
__do_replace+0x9a/0x850
do_ipt_set_ctl+0x880/0xae0
nf_setsockopt+0x8b/0xf0
ip_setsockopt+0xe20/0x35b0
raw_setsockopt+0x274/0x2c0
__sys_setsockopt+0x180/0x2a0
__x64_sys_setsockopt+0xba/0x150
do_syscall_64+0x3b/0x90
entry_SYSCALL_64_after_hwframe+0x46/0xb0
RIP: 0033:0x7f5182ffeb19
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f5180532188 EFLAGS: 00000246 ORIG_RAX: 0000000000000036
RAX: ffffffffffffffda RBX: 00007f51831120e0 RCX: 00007f5182ffeb19
RDX: 0000000000000040 RSI: 0000000000000000 RDI: 0000000000000004
RBP: 00007f5183058f6d R08: 000000000000000c R09: 0000000000000000
R10: 0000000020000080 R11: 0000000000000246 R12: 0000000000000000
R13: 00007fff369682af R14: 00007f5180532300 R15: 0000000000022000
Mem-Info:
active_anon:11511 inactive_anon:48467 isolated_anon:0
active_file:104 inactive_file:171 isolated_file:0
unevictable:7 dirty:36 writeback:0
slab_reclaimable:7661 slab_unreclaimable:60363
mapped:69846 shmem:104 pagetables:1359 bounce:0
kernel_misc_reclaimable:0
free:3855 free_pcp:230 free_cma:0
Node 0 active_anon:46044kB inactive_anon:193868kB active_file:332kB inactive_file:768kB unevictable:28kB isolated(anon):0kB isolated(file):60kB mapped:279384kB dirty:144kB writeback:0kB shmem:416kB writeback_tmp:0kB kernel_stack:4800kB pagetables:5436kB all_unreclaimable? no
Node 0 DMA free:6500kB boost:0kB min:44kB low:56kB high:68kB reserved_highatomic:0KB active_anon:0kB inactive_anon:0kB active_file:0kB inactive_file:0kB unevictable:0kB writepending:0kB present:15992kB managed:15360kB mlocked:0kB bounce:0kB free_pcp:0kB local_pcp:0kB free_cma:0kB
lowmem_reserve[]: 0 1615 1615 1615
Node 0 DMA32 free:8920kB boost:0kB min:5120kB low:6772kB high:8424kB reserved_highatomic:0KB active_anon:46044kB inactive_anon:193752kB active_file:908kB inactive_file:772kB unevictable:28kB writepending:564kB present:2080640kB managed:1658292kB mlocked:28kB bounce:0kB free_pcp:952kB local_pcp:0kB free_cma:0kB
lowmem_reserve[]: 0 0 0 0
Node 0 DMA: 0*4kB 0*8kB 0*16kB 1*32kB (U) 1*64kB (U) 0*128kB 1*256kB (U) 0*512kB 0*1024kB 1*2048kB (M) 1*4096kB (M) = 6496kB
Node 0 DMA32: 537*4kB (UME) 299*8kB (UME) 114*16kB (UME) 52*32kB (UME) 6*64kB (UM) 0*128kB 0*256kB 0*512kB 0*1024kB 0*2048kB 0*4096kB = 8412kB
Node 0 hugepages_total=0 hugepages_free=0 hugepages_surp=0 hugepages_size=2048kB
385 total pagecache pages
0 pages in swap cache
Free swap = 0kB
Total swap = 0kB
524158 pages RAM
0 pages HighMem/MovableOnly
105745 pages reserved
Unreclaimable slab info:
Name Used Total
pid_4 7KB 7KB
pid_3 3KB 3KB
pid_2 48KB 48KB
IEEE-802.15.4-MAC 31KB 31KB
IEEE-802.15.4-RAW 63KB 63KB
p9_req_t 8KB 8KB
fib6_nodes 24KB 24KB
ip6_dst_cache 37KB 37KB
PINGv6 63KB 63KB
RAWv6 126KB 126KB
UDPLITEv6 62KB 62KB
UDPv6 62KB 62KB
TCPv6 62KB 62KB
scsi_sense_cache 8KB 8KB
virtio_scsi_cmd 16KB 16KB
bio-120 7KB 7KB
sgpool-128 178KB 297KB
sgpool-64 63KB 63KB
sgpool-32 141KB 204KB
sgpool-16 90KB 90KB
sgpool-8 82KB 82KB
io_kiocb 3KB 3KB
mqueue_inode_cache 60KB 60KB
nfs_commit_data 15KB 15KB
nfs_write_data 47KB 47KB
jbd2_inode 11KB 11KB
ext4_system_zone 3KB 3KB
ext4_io_end_vec 7KB 7KB
ext4_bio_post_read_ctx 15KB 15KB
kioctx 31KB 31KB
aio_kiocb 7KB 7KB
dnotify_mark 7KB 7KB
dnotify_struct 7KB 7KB
dio 15KB 15KB
fasync_cache 7KB 7KB
pid_namespace 7KB 7KB
rpc_buffers 31KB 31KB
rpc_tasks 3KB 3KB
UNIX-STREAM 206KB 320KB
UNIX 224KB 224KB
ip4-frags 15KB 15KB
tcp_bind_bucket 8KB 8KB
inet_peer_cache 8KB 8KB
xfrm_state 32KB 32KB
ip_fib_trie 8KB 8KB
ip_fib_alias 11KB 11KB
ip_dst_cache 8KB 8KB
RAW 93KB 93KB
UDP 154KB 220KB
request_sock_TCP 15KB 15KB
TCP 58KB 58KB
hugetlbfs_inode_cache 31KB 31KB
bio-248 11KB 11KB
ep_head 8KB 8KB
eventpoll_pwq 15KB 15KB
eventpoll_epi 35KB 35KB
inotify_inode_mark 23KB 23KB
request_queue 63KB 63KB
blkdev_ioc 8KB 8KB
bio-184 36KB 36KB
biovec-max 599KB 599KB
biovec-64 317KB 393KB
biovec-16 52KB 52KB
uid_cache 7KB 7KB
dmaengine-unmap-2 4KB 4KB
audit_buffer 7KB 7KB
skbuff_fclone_cache 75KB 75KB
skbuff_head_cache 1473KB 1747KB
file_lock_cache 35KB 59KB
file_lock_ctx 7KB 7KB
fsnotify_mark_connector 12KB 12KB
taskstats 63KB 63KB
proc_dir_entry 350KB 375KB
pde_opener 7KB 7KB
seq_file 45KB 45KB
sigqueue 35KB 35KB
shmem_inode_cache 1348KB 1361KB
kernfs_iattrs_cache 254KB 254KB
kernfs_node_cache 5262KB 5303KB
mnt_cache 181KB 181KB
filp 1215KB 1215KB
names_cache 7837KB 7837KB
net_namespace 63KB 63KB
hashtab_node 274KB 274KB
ebitmap_node 1149KB 1149KB
avtab_node 4976KB 4976KB
avc_node 35KB 35KB
lsm_inode_cache 2673KB 2980KB
lsm_file_cache 64KB 112KB
key_jar 31KB 31KB
uts_namespace 15KB 15KB
nsproxy 7KB 7KB
vm_area_struct 882KB 949KB
mm_struct 194KB 252KB
fs_cache 39KB 40KB
files_cache 143KB 143KB
signal_cache 312KB 364KB
sighand_cache 330KB 330KB
task_struct 1551KB 1578KB
cred_jar 77KB 132KB
anon_vma_chain 221KB 232KB
anon_vma 224KB 224KB
pid 48KB 60KB
Acpi-Operand 91KB 158KB
Acpi-ParseExt 31KB 31KB
Acpi-Parse 27KB 43KB
Acpi-State 55KB 70KB
Acpi-Namespace 28KB 28KB
numa_policy 7KB 7KB
perf_event 190KB 190KB
trace_event_file 175KB 175KB
ftrace_event_field 308KB 308KB
pool_workqueue 40KB 40KB
maple_node 1340KB 1376KB
task_group 16KB 16KB
vmap_area 47KB 47KB
page->ptl 203KB 208KB
kmemleak_scan_area 20KB 31KB
kmemleak_object 137437KB 147637KB
kmalloc-cg-8k 96KB 96KB
kmalloc-cg-4k 2016KB 2176KB
kmalloc-cg-2k 1840KB 1888KB
kmalloc-cg-1k 480KB 480KB
kmalloc-cg-512 304KB 304KB
kmalloc-cg-256 48KB 48KB
kmalloc-cg-192 40KB 40KB
kmalloc-cg-128 40KB 40KB
kmalloc-cg-96 38KB 40KB
kmalloc-cg-64 24KB 24KB
kmalloc-cg-32 36KB 76KB
kmalloc-cg-16 8KB 8KB
kmalloc-cg-8 15KB 15KB
kmalloc-8k 5440KB 5440KB
kmalloc-4k 3072KB 3136KB
kmalloc-2k 3064KB 3168KB
kmalloc-1k 10242KB 10848KB
kmalloc-512 5989KB 6896KB
kmalloc-256 977KB 1048KB
kmalloc-192 465KB 504KB
kmalloc-128 256KB 280KB
kmalloc-96 536KB 652KB
kmalloc-64 1570KB 1700KB
kmalloc-32 459KB 516KB
kmalloc-16 325KB 328KB
kmalloc-8 263KB 270KB
kmem_cache_node 51KB 51KB
kmem_cache 82KB 82KB
oom-kill:constraint=CONSTRAINT_NONE,nodemask=(null),cpuset=syz6,mems_allowed=0,global_oom,task_memcg=/syz6,task=syz-executor.6,pid=13224,uid=0
Out of memory (oom_kill_allocating_task): Killed process 13211 (syz-executor.6) total-vm:93808kB, anon-rss:384kB, file-rss:34032kB, shmem-rss:0kB, UID:0 pgtables:140kB oom_score_adj:1000
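Two things in the OOM dump matter for triage. The kill policy is oom_kill_allocating_task, so the process that happened to be allocating (syz-executor.6, in xt_counters_alloc from an iptables table replace via setsockopt) was killed rather than the largest consumer. And the unreclaimable slab total, 60363 pages, is dominated by kmemleak_object at 147637 KB: that cache is the kmemleak tracker's metadata for every live allocation, i.e. overhead of this KASAN plus kmemleak debug build, not memory held by the code under test. The dump's own figures fix the page size: 524158 pages RAM against 2096632 kB present (2080640 + 15992) is 4 KiB per page. The program below is an added example, not part of the log; it parses and ranks a subset of the "Unreclaimable slab info" rows copied from above and relates the largest cache to slab_unreclaimable from Mem-Info. Its function names and the 4 KiB page constant are the example's own.

```c
/* oom_slab_rank.c: added example, not part of the log. Ranks the OOM killer's
 * "Unreclaimable slab info" table and relates the largest cache to the
 * slab_unreclaimable figure from Mem-Info. Function names are the example's own. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PAGE_KB 4UL   /* 4 KiB pages, as the dump's 524158 pages RAM vs 2096632 kB present shows */

struct slab { char name[64]; unsigned long used_kb, total_kb; };

/* A subset of the rows copied from the table above, in the log's own "Name Used Total" layout. */
static const char *const slab_lines[] = {
    "kmalloc-1k 10242KB 10848KB",
    "kernfs_node_cache 5262KB 5303KB",
    "kmemleak_object 137437KB 147637KB",
    "names_cache 7837KB 7837KB",
    "avtab_node 4976KB 4976KB",
    "kmalloc-512 5989KB 6896KB",
    "kmalloc-8k 5440KB 5440KB",
    "kmalloc-4k 3072KB 3136KB",
    "lsm_inode_cache 2673KB 2980KB",
    "skbuff_head_cache 1473KB 1747KB",
};
#define N_SLAB_LINES (sizeof slab_lines / sizeof slab_lines[0])

/* Copied from the Mem-Info block above; the counts are in pages. */
static const char meminfo_line[] = "slab_reclaimable:7661 slab_unreclaimable:60363";

/* Parses one "Name UsedKB TotalKB" row; returns 0 on success. */
int parse_slab_line(const char *line, struct slab *out)
{
    return sscanf(line, "%63s %luKB %luKB", out->name, &out->used_kb, &out->total_kb) == 3 ? 0 : -1;
}

static int by_total_desc(const void *a, const void *b)
{
    const struct slab *x = a, *y = b;
    return (y->total_kb > x->total_kb) - (y->total_kb < x->total_kb);
}

/* Fills out[] sorted by Total descending; returns the number of rows parsed. */
size_t rank_slabs(struct slab *out, size_t max)
{
    size_t n = 0;
    for (size_t i = 0; i < N_SLAB_LINES && n < max; i++)
        if (parse_slab_line(slab_lines[i], &out[n]) == 0)
            n++;
    qsort(out, n, sizeof *out, by_total_desc);
    return n;
}

/* slab_unreclaimable from Mem-Info, converted from pages to KB; 0 if the field is absent. */
unsigned long unreclaimable_kb(const char *meminfo)
{
    const char *p = strstr(meminfo, "slab_unreclaimable:");
    unsigned long pages;
    if (!p || sscanf(p, "slab_unreclaimable:%lu", &pages) != 1)
        return 0;
    return pages * PAGE_KB;
}

/* Name of the largest unreclaimable cache in the embedded rows. */
const char *top_unreclaimable(void)
{
    static struct slab ranked[N_SLAB_LINES];
    return rank_slabs(ranked, N_SLAB_LINES) ? ranked[0].name : "";
}

/* Fraction of slab_unreclaimable held by the largest cache. */
double top_share(void)
{
    struct slab ranked[N_SLAB_LINES];
    unsigned long total = unreclaimable_kb(meminfo_line);
    if (!rank_slabs(ranked, N_SLAB_LINES) || !total)
        return 0.0;
    return (double)ranked[0].total_kb / (double)total;
}

int main(void)
{
    struct slab ranked[N_SLAB_LINES];
    size_t n = rank_slabs(ranked, N_SLAB_LINES);
    printf("slab_unreclaimable: %lu KB\n", unreclaimable_kb(meminfo_line));
    for (size_t i = 0; i < n && i < 5; i++)
        printf("%-20s used %8lu KB total %8lu KB\n", ranked[i].name, ranked[i].used_kb, ranked[i].total_kb);
    printf("largest cache %s holds %.1f%% of unreclaimable slab\n", ranked[0].name, 100.0 * top_share());
    return 0;
}
```

Run against the full table the same way, the ranking tells you whether an OOM under a fuzzer is a real leak (a cache tied to the code under test growing between dumps) or the instrumentation tax; with kmemleak_object at about 61% of unreclaimable slab on a 1.6 GB guest, this one is the latter.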