9pnet_fd: Insufficient options for proto=fd ================================================================== BUG: KASAN: use-after-free in __lock_acquire+0x42c9/0x5e70 Read of size 8 at addr ffff888044ed8418 by task syz-executor.7/6749 CPU: 1 PID: 6749 Comm: syz-executor.7 Not tainted 6.2.0-rc1-next-20221226 #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014 Call Trace: dump_stack_lvl+0x8f/0xb7 print_report+0x175/0x478 kasan_report+0xc0/0x100 __lock_acquire+0x42c9/0x5e70 lock_acquire.part.0+0x11e/0x340 _raw_spin_lock_irqsave+0x3d/0x60 put_pmu_ctx+0xad/0x2f0 _free_event+0x2dc/0x1210 free_event+0x58/0xc0 __do_sys_perf_event_open+0x671/0x2920 do_syscall_64+0x3f/0x90 entry_SYSCALL_64_after_hwframe+0x72/0xdc RIP: 0033:0x7f113dbd3b19 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f113b149188 EFLAGS: 00000246 ORIG_RAX: 000000000000012a RAX: ffffffffffffffda RBX: 00007f113dce6f60 RCX: 00007f113dbd3b19 RDX: 0000000000000000 RSI: 00000000000000d5 RDI: 0000000020000080 RBP: 00007f113dc2df6d R08: 0000000000000000 R09: 0000000000000000 R10: ffffffffffffffff R11: 0000000000000246 R12: 0000000000000000 R13: 00007ffd175a204f R14: 00007f113b149300 R15: 0000000000022000 Allocated by task 6749: kasan_save_stack+0x22/0x50 kasan_set_track+0x25/0x30 __kasan_kmalloc+0x82/0x90 find_get_context+0xcc/0x800 __do_sys_perf_event_open+0x967/0x2920 do_syscall_64+0x3f/0x90 entry_SYSCALL_64_after_hwframe+0x72/0xdc Freed by task 6772: kasan_save_stack+0x22/0x50 kasan_set_track+0x25/0x30 kasan_save_free_info+0x2e/0x50 __kasan_slab_free+0x10a/0x190 __kmem_cache_free+0xcf/0x410 rcu_core+0x7be/0x19c0 __do_softirq+0x1c7/0x8f9 Last potentially related work creation: kasan_save_stack+0x22/0x50 __kasan_record_aux_stack+0x95/0xb0 __call_rcu_common.constprop.0+0x6a/0x9f0 put_ctx+0x116/0x1e0 perf_event_exit_task+0x4d6/0x6b0 do_exit+0xabd/0x2760 do_group_exit+0xd4/0x2a0 __x64_sys_exit_group+0x3e/0x50 do_syscall_64+0x3f/0x90 entry_SYSCALL_64_after_hwframe+0x72/0xdc The buggy address belongs to the object at ffff888044ed8400 which belongs to the cache kmalloc-512 of size 512 The buggy address is located 24 bytes inside of 512-byte region [ffff888044ed8400, ffff888044ed8600) The buggy address belongs to the physical page: page:000000009cde0e4c refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x44ed8 head:000000009cde0e4c order:2 compound_mapcount:0 subpages_mapcount:0 compound_pincount:0 anon flags: 0x100000000010200(slab|head|node=0|zone=1) raw: 0100000000010200 ffff888008441c80 0000000000000000 dead000000000001 raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff888044ed8300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff888044ed8380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff888044ed8400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff888044ed8480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff888044ed8500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ==================================================================