==================================================================
BUG: KASAN: use-after-free in io_rsrc_node_ref_zero+0x5a/0x2cd
Read of size 8 at addr ffff888047ea4300 by task syz-executor.2/33061
CPU: 1 PID: 33061 Comm: syz-executor.2 Not tainted 5.17.0-rc4-next-20220217 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014
Call Trace:
dump_stack_lvl+0x8b/0xb3
print_address_description.constprop.0+0x1f/0x190
kasan_report.cold+0x7f/0x11b
io_rsrc_node_ref_zero+0x5a/0x2cd
percpu_ref_put_many.constprop.0+0x235/0x270
rcu_core+0x7e5/0x1ff0
__do_softirq+0x270/0x8c7
__irq_exit_rcu+0x113/0x170
irq_exit_rcu+0x5/0x20
sysvec_apic_timer_interrupt+0x8e/0xc0
asm_sysvec_apic_timer_interrupt+0x12/0x20
RIP: 0010:__sanitizer_cov_trace_pc+0x7/0x60
Code: 31 00 be 03 00 00 00 5d e9 76 2b bd 00 66 0f 1f 44 00 00 48 8b be b0 01 00 00 e8 b4 ff ff ff 31 c0 c3 90 65 8b 05 99 2a bf 7e <89> c1 48 8b 34 24 81 e1 00 01 00 00 65 48 8b 14 25 40 6f 02 00 a9
RSP: 0018:ffff88802bb9f6d8 EFLAGS: 00000202
RAX: 0000000080000001 RBX: ffffea0000f9f7c0 RCX: 0000000000000001
RDX: 0000000000000000 RSI: ffff888045569ac0 RDI: 0000000000000003
RBP: 0000000000000001 R08: 0000000000000000 R09: 0000000000000000
R10: ffffffff8170feca R11: 0000000000000000 R12: ffffea0000f9f7c8
R13: 0000000000000000 R14: 0000000000000001 R15: dffffc0000000000
PageHuge+0x98/0x230
page_remove_rmap+0x1e2/0x490
unmap_page_range+0xd3e/0x2380
unmap_single_vma+0x198/0x310
unmap_vmas+0x16b/0x2f0
exit_mmap+0x192/0x460
mmput+0xc8/0x380
do_exit+0xa05/0x2810
do_group_exit+0xd2/0x2f0
get_signal+0x494/0x26e0
arch_do_signal_or_restart+0x2b0/0x1720
exit_to_user_mode_prepare+0x143/0x1c0
syscall_exit_to_user_mode+0x19/0x50
do_syscall_64+0x48/0x90
entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x7fd41d6a4b19
Code: Unable to access opcode bytes at RIP 0x7fd41d6a4aef.
RSP: 002b:00007fd41abf9218 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
RAX: 0000000000000001 RBX: 00007fd41d7b8028 RCX: 00007fd41d6a4b19
RDX: 00000000000f4240 RSI: 0000000000000081 RDI: 00007fd41d7b802c
RBP: 00007fd41d7b8020 R08: 000000000000000e R09: 0000000000000000
R10: 0000000000000005 R11: 0000000000000246 R12: 00007fd41d7b802c
R13: 00007ffe0554754f R14: 00007fd41abf9300 R15: 0000000000022000
Allocated by task 33062:
kasan_save_stack+0x1e/0x40
__kasan_kmalloc+0x81/0xa0
io_rsrc_data_alloc+0x3e/0x3c3
io_sqe_files_register.cold+0x1e/0x67c
__do_sys_io_uring_register+0xc61/0x1100
do_syscall_64+0x3b/0x90
entry_SYSCALL_64_after_hwframe+0x44/0xae
Freed by task 33062:
kasan_save_stack+0x1e/0x40
kasan_set_track+0x21/0x30
kasan_set_free_info+0x20/0x30
__kasan_slab_free+0x108/0x170
kfree+0xcf/0x410
__io_sqe_files_unregister+0xce/0x186
__do_sys_io_uring_register.cold+0x90/0xf8c
do_syscall_64+0x3b/0x90
entry_SYSCALL_64_after_hwframe+0x44/0xae
Last potentially related work creation:
kasan_save_stack+0x1e/0x40
__kasan_record_aux_stack+0x97/0xa0
insert_work+0x44/0x290
__queue_work+0x61f/0x10a0
queue_work_on+0xae/0xc0
call_usermodehelper_exec+0x329/0x490
__request_module+0x414/0xa10
dev_load+0x1ea/0x200
dev_ioctl+0x496/0xfd0
sock_do_ioctl+0x160/0x230
sock_ioctl+0x41c/0x670
__x64_sys_ioctl+0x196/0x210
do_syscall_64+0x3b/0x90
entry_SYSCALL_64_after_hwframe+0x44/0xae
The buggy address belongs to the object at ffff888047ea4300
which belongs to the cache kmalloc-192 of size 192
The buggy address is located 0 bytes inside of
192-byte region [ffff888047ea4300, ffff888047ea43c0)
The buggy address belongs to the page:
page:0000000046f91c22 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x47ea4
flags: 0x100000000000200(slab|node=0|zone=1)
raw: 0100000000000200 ffffea00003ec380 dead000000000007 ffff888007841a00
raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff888047ea4200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff888047ea4280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
>ffff888047ea4300: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff888047ea4380: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
ffff888047ea4400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
----------------
Code disassembly (best guess):
0: 31 00 xor %eax,(%rax)
2: be 03 00 00 00 mov $0x3,%esi
7: 5d pop %rbp
8: e9 76 2b bd 00 jmpq 0xbd2b83
d: 66 0f 1f 44 00 00 nopw 0x0(%rax,%rax,1)
13: 48 8b be b0 01 00 00 mov 0x1b0(%rsi),%rdi
1a: e8 b4 ff ff ff callq 0xffffffd3
1f: 31 c0 xor %eax,%eax
21: c3 retq
22: 90 nop
23: 65 8b 05 99 2a bf 7e mov %gs:0x7ebf2a99(%rip),%eax # 0x7ebf2ac3
* 2a: 89 c1 mov %eax,%ecx <-- trapping instruction
2c: 48 8b 34 24 mov (%rsp),%rsi
30: 81 e1 00 01 00 00 and $0x100,%ecx
36: 65 48 8b 14 25 40 6f mov %gs:0x26f40,%rdx
3d: 02 00
3f: a9 .byte 0xa9
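What the dump above records, read in triage order: a `kmalloc-192` object allocated in `io_rsrc_data_alloc` (under `io_sqe_files_register`) by pid 33062, freed by the same pid in `__io_sqe_files_unregister` via `kfree`, and then read 8 bytes in at offset 0 by a different task (pid 33061) from `io_rsrc_node_ref_zero`, reached through `percpu_ref_put_many` in an RCU softirq rather than from a syscall. The shadow byte at the address is `fa`, a freed slab object with its free-track metadata at the start, which is why the "Freed by" stack is available. The helper below, an added example that is not part of this report or of the kernel, pulls those fields out of a generic-KASAN report automatically so the same reading can be applied to a batch of syzkaller reports. The `_NOISE` prefix list used to skip KASAN and allocator frames and the `SHADOW` table (generic KASAN, 5.x kernels) are this example's assumptions; the sample input is an excerpt of the report above.

```python
"""Triage helper for generic-KASAN reports like the one above (added example, not
part of the report or of the kernel): pulls out the access, the object's cache and
offset, the allocating/freeing call sites past KASAN and allocator frames, and the
shadow byte at the faulting address."""
import re
from dataclasses import dataclass, field

# KASAN/allocator frames to skip when looking for the owning call site (heuristic).
_NOISE = ("kasan_", "__kasan_", "kfree", "kmalloc", "__kmalloc", "kmem_cache_")
# Generic-KASAN shadow values for slab memory (mm/kasan/kasan.h, 5.x kernels).
SHADOW = {0x00: "accessible", 0xfa: "freed, free-track metadata at object start",
          0xfb: "freed slab object", 0xfc: "kmalloc redzone"}

_BUG = re.compile(r"^BUG: KASAN: (?P<kind>[\w-]+) in (?P<func>[\w.]+)")
_ACCESS = re.compile(r"^(?P<op>Read|Write) of size (?P<size>\d+) at addr "
                     r"(?P<addr>[0-9a-f]+) by task (?P<task>\S+)/(?P<pid>\d+)")
_SECTION = re.compile(r"^(?P<name>Allocated|Freed) by task (?P<pid>\d+):")
_FRAME = re.compile(r"^(?P<sym>[\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+$")
_CACHE = re.compile(r"^which belongs to the cache (?P<cache>\S+) of size (?P<size>\d+)")
_OFFSET = re.compile(r"^The buggy address is located (?P<off>\d+) bytes inside of")
_SHADOW = re.compile(r"^>(?P<base>[0-9a-f]+): (?P<bytes>(?:[0-9a-f]{2} ?)+)$")


@dataclass
class KasanReport:
    kind: str = ""
    func: str = ""
    op: str = ""
    size: int = 0
    addr: int = 0
    task: str = ""
    pid: int = 0
    cache: str = ""
    obj_size: int = 0
    offset: int = -1
    shadow: str = ""
    stacks: dict = field(default_factory=dict)  # "Allocated"/"Freed" -> (pid, frames)

    def site(self, which: str) -> str:
        """First frame of the Allocated/Freed stack outside the _NOISE list."""
        frames = self.stacks.get(which, (0, []))[1]
        return next((f for f in frames if not f.startswith(_NOISE)), "")

    def cross_context(self) -> bool:
        """Faulting task differs from the freeing task: a lifetime/race bug,
        not a sequential free-then-use in one call chain."""
        free_pid = self.stacks.get("Freed", (0, []))[0]
        return bool(free_pid) and free_pid != self.pid


def parse_kasan(text: str) -> KasanReport:
    r, section = KasanReport(), None
    for line in (ln.strip() for ln in text.splitlines()):
        if m := _BUG.match(line):
            r.kind, r.func = m["kind"], m["func"]
        elif m := _ACCESS.match(line):
            r.op, r.size, r.addr = m["op"], int(m["size"]), int(m["addr"], 16)
            r.task, r.pid = m["task"], int(m["pid"])
        elif m := _SECTION.match(line):
            section = m["name"]
            r.stacks[section] = (int(m["pid"]), [])
        elif section and (m := _FRAME.match(line)):
            r.stacks[section][1].append(m["sym"])
        elif m := _CACHE.match(line):
            r.cache, r.obj_size = m["cache"], int(m["size"])
        elif m := _OFFSET.match(line):
            r.offset = int(m["off"])
        elif m := _SHADOW.match(line):
            vals = [int(b, 16) for b in m["bytes"].split()]
            idx = (r.addr - int(m["base"], 16)) // 8  # one shadow byte per 8 bytes
            if 0 <= idx < len(vals):
                r.shadow = SHADOW.get(vals[idx], f"0x{vals[idx]:02x}")
        else:
            section = None  # any other line ends a stack section
    return r


# Excerpt of the report above, used as sample input.
SAMPLE = """\
BUG: KASAN: use-after-free in io_rsrc_node_ref_zero+0x5a/0x2cd
Read of size 8 at addr ffff888047ea4300 by task syz-executor.2/33061
Allocated by task 33062:
kasan_save_stack+0x1e/0x40
__kasan_kmalloc+0x81/0xa0
io_rsrc_data_alloc+0x3e/0x3c3
io_sqe_files_register.cold+0x1e/0x67c
Freed by task 33062:
kasan_save_stack+0x1e/0x40
__kasan_slab_free+0x108/0x170
kfree+0xcf/0x410
__io_sqe_files_unregister+0xce/0x186
which belongs to the cache kmalloc-192 of size 192
The buggy address is located 0 bytes inside of
>ffff888047ea4300: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
"""

if __name__ == "__main__":
    rep = parse_kasan(SAMPLE)
    print(rep.site("Allocated"), rep.site("Freed"), rep.shadow, rep.cross_context())
```

The `cross_context()` check is the one worth acting on first: when the freeing pid and the faulting pid differ, as here (33062 frees, 33061 faults from an RCU callback), the bug is an ordering or lifetime problem between the release path and whatever still holds a reference, not a plain double-path free in one syscall, and the fix has to make the owner wait for (or detach from) the deferred reference drop before freeing the data it points at.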