loop3: detected capacity change from 0 to 264192 ================================================================== BUG: KASAN: use-after-free in __lock_acquire+0x42c9/0x5e80 Read of size 8 at addr ffff888041f34018 by task syz-executor/12808 CPU: 1 PID: 12808 Comm: syz-executor Not tainted 6.1.0-rc1-next-20221020 #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014 Call Trace: dump_stack_lvl+0x8b/0xc3 print_report+0x175/0x478 kasan_report+0xbb/0x1d0 __lock_acquire+0x42c9/0x5e80 lock_acquire+0x1a2/0x540 _raw_spin_lock_irq+0x32/0x60 kmemleak_scan+0x21d/0x16e0 kmemleak_write+0x570/0x690 full_proxy_write+0x11d/0x1a0 vfs_write+0x2cb/0xda0 ksys_write+0x127/0x260 do_syscall_64+0x3b/0xa0 entry_SYSCALL_64_after_hwframe+0x72/0xdc RIP: 0033:0x7fc4273925c3 Code: 16 00 00 00 eb ae 90 b8 6e 00 00 00 eb a6 e8 44 ef 04 00 0f 1f 40 00 64 8b 04 25 18 00 00 00 85 c0 75 14 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 55 c3 0f 1f 40 00 48 83 ec 28 48 89 54 24 18 RSP: 002b:00007ffdf49683b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 RAX: ffffffffffffffda RBX: 00007ffdf49689f8 RCX: 00007fc4273925c3 RDX: 0000000000000004 RSI: 00007fc427448ed9 RDI: 0000000000000003 RBP: 0000000000000002 R08: 0000000000000c14 R09: 00007ffdf496b080 R10: 00007ffdf496b090 R11: 0000000000000246 R12: 00000000fffffff6 R13: 00007ffdf4969ef1 R14: 0000000000000000 R15: 00000000002f301f Allocated by task 12809: kasan_save_stack+0x1e/0x50 kasan_set_track+0x21/0x40 __kasan_slab_alloc+0x58/0x80 kmem_cache_alloc+0x1a9/0x3f0 __create_object+0x3d/0xc20 kmem_cache_alloc+0x235/0x3f0 __alloc_file+0x21/0x250 alloc_empty_file+0x6d/0x180 path_openat+0xd4/0x27c0 do_filp_open+0x1b6/0x420 do_sys_openat2+0x171/0x4d0 __x64_sys_openat+0x13f/0x200 do_syscall_64+0x3b/0xa0 entry_SYSCALL_64_after_hwframe+0x72/0xdc Freed by task 13: kasan_save_stack+0x1e/0x50 kasan_set_track+0x21/0x40 kasan_save_free_info+0x2a/0x60 __kasan_slab_free+0x106/0x1a0 kmem_cache_free+0xf7/0x620 rcu_core+0x7e2/0x2090 __do_softirq+0x1c3/0x8f5 Last potentially related work creation: kasan_save_stack+0x1e/0x50 __kasan_record_aux_stack+0x95/0xc0 __call_rcu_common.constprop.0+0x6a/0xa50 kmem_cache_free+0xbd/0x620 rcu_core+0x7e2/0x2090 __do_softirq+0x1c3/0x8f5 Second to last potentially related work creation: kasan_save_stack+0x1e/0x50 __kasan_record_aux_stack+0x95/0xc0 __call_rcu_common.constprop.0+0x6a/0xa50 kmem_cache_free+0xbd/0x620 putname+0xfe/0x150 do_sys_openat2+0x157/0x4d0 __x64_sys_openat+0x13f/0x200 do_syscall_64+0x3b/0xa0 entry_SYSCALL_64_after_hwframe+0x72/0xdc The buggy address belongs to the object at ffff888041f34000 which belongs to the cache kmemleak_object of size 368 The buggy address is located 24 bytes inside of 368-byte region [ffff888041f34000, ffff888041f34170) The buggy address belongs to the physical page: page:00000000f218fb2c refcount:1 mapcount:0 mapping:0000000000000000 index:0xdead000000000100 pfn:0x41f34 head:00000000f218fb2c order:1 compound_mapcount:0 compound_pincount:0 flags: 0x100000000010200(slab|head|node=0|zone=1) raw: 0100000000010200 ffff88800804f780 dead000000120012 0000000000000000 raw: dead000000000100 dead000000000122 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff888041f33f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff888041f33f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff888041f34000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff888041f34080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff888041f34100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc ==================================================================