audit: type=1326 audit(1674585823.327:14): auid=0 uid=0 gid=0 ses=4 subj=system_u:system_r:kernel_t:s0 pid=7714 comm="syz-executor.7" exe="/syz-executor.7" sig=31 arch=c000003e syscall=202 compat=0 ip=0x7f95f4505b19 code=0x0
general protection fault, probably for non-canonical address 0xdffffc0000000008: 0000 [#1] PREEMPT SMP KASAN NOPTI
KASAN: null-ptr-deref in range [0x0000000000000040-0x0000000000000047]
CPU: 1 PID: 7720 Comm: syz-executor.2 Not tainted 6.2.0-rc5-next-20230124 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
RIP: 0010:pause_prepare_data+0x5e/0x410
Code: 03 0f b6 04 02 84 c0 74 08 3c 03 0f 8e 0e 03 00 00 48 8d 7d 40 44 8b 63 10 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 21 03 00 00 48 8b 45 40 4c 89 ea 48 c1 ea 03 48
RSP: 0018:ffff88803e6ef270 EFLAGS: 00010212
RAX: dffffc0000000000 RBX: ffff888016a86d00 RCX: ffffc90006a08000
RDX: 0000000000000008 RSI: ffffffff83702020 RDI: 0000000000000040
RBP: 0000000000000000 R08: 0000000000000000 R09: ffffffff85d11e17
R10: fffffbfff0ba23c2 R11: 0000000000000001 R12: 0000000000000000
R13: ffff88801caf3880 R14: ffffffff83702000 R15: ffff88803d470580
FS: 00007f1670ea6700(0000) GS:ffff88806cf00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000001b2c122000 CR3: 000000003edfe000 CR4: 0000000000350ee0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000600
Call Trace:
ethnl_default_dumpit+0x43d/0xdf0
netlink_dump+0x585/0x1070
__netlink_dump_start+0x652/0x910
genl_family_rcv_msg_dumpit+0x2bf/0x310
genl_rcv_msg+0x419/0x7e0
netlink_rcv_skb+0x15d/0x450
genl_rcv+0x28/0x40
netlink_unicast+0x552/0x800
netlink_sendmsg+0x923/0xe20
sock_sendmsg+0x1b6/0x200
____sys_sendmsg+0x74e/0x980
___sys_sendmsg+0x110/0x1b0
__sys_sendmsg+0xf7/0x1d0
do_syscall_64+0x3f/0x90
entry_SYSCALL_64_after_hwframe+0x72/0xdc
RIP: 0033:0x7f1673930b19
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f1670ea6188 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00007f1673a43f60 RCX: 00007f1673930b19
RDX: 0000000000000000 RSI: 0000000020000e80 RDI: 0000000000000003
RBP: 00007f167398af6d R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007ffe4139b99f R14: 00007f1670ea6300 R15: 0000000000022000
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:pause_prepare_data+0x5e/0x410
Code: 03 0f b6 04 02 84 c0 74 08 3c 03 0f 8e 0e 03 00 00 48 8d 7d 40 44 8b 63 10 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 21 03 00 00 48 8b 45 40 4c 89 ea 48 c1 ea 03 48
RSP: 0018:ffff88803e6ef270 EFLAGS: 00010212
RAX: dffffc0000000000 RBX: ffff888016a86d00 RCX: ffffc90006a08000
RDX: 0000000000000008 RSI: ffffffff83702020 RDI: 0000000000000040
RBP: 0000000000000000 R08: 0000000000000000 R09: ffffffff85d11e17
R10: fffffbfff0ba23c2 R11: 0000000000000001 R12: 0000000000000000
R13: ffff88801caf3880 R14: ffffffff83702000 R15: ffff88803d470580
FS: 00007f1670ea6700(0000) GS:ffff88806cf00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000001b2c122000 CR3: 000000003edfe000 CR4: 0000000000350ee0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000600
syz-executor.1 uses obsolete (PF_INET,SOCK_PACKET)
audit: type=1326 audit(1674585823.546:15): auid=0 uid=0 gid=0 ses=4 subj=system_u:system_r:kernel_t:s0 pid=7721 comm="syz-executor.6" exe="/syz-executor.6" sig=31 arch=c000003e syscall=202 compat=0 ip=0x7f0b754dbb19 code=0x0
==================================================================
BUG: KASAN: use-after-free in __mutex_lock+0x1462/0x14c0
Read of size 4 at addr ffff88803f4b0034 by task syz-executor.2/7744
CPU: 0 PID: 7744 Comm: syz-executor.2 Tainted: G D 6.2.0-rc5-next-20230124 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
Call Trace:
dump_stack_lvl+0x8f/0xb7
print_report+0x175/0x478
kasan_report+0xc0/0x100
__mutex_lock+0x1462/0x14c0
ethnl_default_dumpit+0xb6/0xdf0
netlink_dump+0x585/0x1070
__netlink_dump_start+0x652/0x910
genl_family_rcv_msg_dumpit+0x2bf/0x310
genl_rcv_msg+0x419/0x7e0
netlink_rcv_skb+0x15d/0x450
genl_rcv+0x28/0x40
netlink_unicast+0x552/0x800
netlink_sendmsg+0x923/0xe20
sock_sendmsg+0x1b6/0x200
____sys_sendmsg+0x74e/0x980
___sys_sendmsg+0x110/0x1b0
__sys_sendmsg+0xf7/0x1d0
do_syscall_64+0x3f/0x90
entry_SYSCALL_64_after_hwframe+0x72/0xdc
RIP: 0033:0x7f1673930b19
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f1670e64188 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00007f1673a440e0 RCX: 00007f1673930b19
RDX: 0000000000000000 RSI: 0000000020000e80 RDI: 0000000000000003
RBP: 00007f167398af6d R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007ffe4139b99f R14: 00007f1670e64300 R15: 0000000000022000
Allocated by task 7712:
kasan_save_stack+0x22/0x50
kasan_set_track+0x25/0x30
__kasan_slab_alloc+0x59/0x70
kmem_cache_alloc_node+0x187/0x310
copy_process+0x3ac/0x7390
kernel_clone+0xeb/0x8c0
__do_sys_clone+0xba/0x100
do_syscall_64+0x3f/0x90
entry_SYSCALL_64_after_hwframe+0x72/0xdc
Freed by task 7732:
kasan_save_stack+0x22/0x50
kasan_set_track+0x25/0x30
kasan_save_free_info+0x2e/0x50
__kasan_slab_free+0x10a/0x190
kmem_cache_free+0xff/0x510
delayed_put_task_struct+0x1c9/0x310
rcu_core+0x802/0x1c00
__do_softirq+0x274/0x8ff
Last potentially related work creation:
kasan_save_stack+0x22/0x50
__kasan_record_aux_stack+0x95/0xb0
__call_rcu_common.constprop.0+0x6a/0xa00
put_task_struct_rcu_user+0x83/0xd0
__schedule+0xbb8/0x2b20
preempt_schedule_common+0x45/0xb0
__cond_resched+0x1b/0x30
unmap_page_range+0x11b3/0x2d90
unmap_single_vma+0x190/0x2a0
unmap_vmas+0x225/0x370
exit_mmap+0x158/0x6a0
mmput+0xd5/0x390
do_exit+0x9c8/0x2780
do_group_exit+0xd4/0x2a0
get_signal+0x2255/0x2390
arch_do_signal_or_restart+0x79/0x5a0
exit_to_user_mode_prepare+0xf5/0x190
syscall_exit_to_user_mode+0x1d/0x50
do_syscall_64+0x4c/0x90
entry_SYSCALL_64_after_hwframe+0x72/0xdc
Second to last potentially related work creation:
kasan_save_stack+0x22/0x50
__kasan_record_aux_stack+0x95/0xb0
__call_rcu_common.constprop.0+0x6a/0xa00
put_task_struct_rcu_user+0x83/0xd0
__schedule+0xbb8/0x2b20
schedule+0xde/0x1b0
futex_wait_queue+0xf9/0x1f0
futex_wait+0x292/0x690
do_futex+0x303/0x380
__x64_sys_futex+0x1ca/0x4d0
do_syscall_64+0x3f/0x90
entry_SYSCALL_64_after_hwframe+0x72/0xdc
The buggy address belongs to the object at ffff88803f4b0000
which belongs to the cache task_struct of size 6592
The buggy address is located 52 bytes inside of
6592-byte region [ffff88803f4b0000, ffff88803f4b19c0)
The buggy address belongs to the physical page:
page:00000000ca4c1f42 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x3f4b0
head:00000000ca4c1f42 order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0
memcg:ffff88800dc534c1
flags: 0x100000000010200(slab|head|node=0|zone=1)
raw: 0100000000010200 ffff88800876e640 dead000000000100 dead000000000122
raw: 0000000000000000 0000000000040004 00000001ffffffff ffff88800dc534c1
page dumped because: kasan: bad access detected
Memory state around the buggy address:
 ffff88803f4aff00: fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc
 ffff88803f4aff80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff88803f4b0000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                     ^
 ffff88803f4b0080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88803f4b0100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
----------------
Code disassembly (best guess):
0: 03 0f add (%rdi),%ecx
2: b6 04 mov $0x4,%dh
4: 02 84 c0 74 08 3c 03 add 0x33c0874(%rax,%rax,8),%al
b: 0f 8e 0e 03 00 00 jle 0x31f
11: 48 8d 7d 40 lea 0x40(%rbp),%rdi
15: 44 8b 63 10 mov 0x10(%rbx),%r12d
19: 48 b8 00 00 00 00 00 movabs $0xdffffc0000000000,%rax
20: fc ff df
23: 48 89 fa mov %rdi,%rdx
26: 48 c1 ea 03 shr $0x3,%rdx
* 2a: 80 3c 02 00 cmpb $0x0,(%rdx,%rax,1) <-- trapping instruction
2e: 0f 85 21 03 00 00 jne 0x355
34: 48 8b 45 40 mov 0x40(%rbp),%rax
38: 4c 89 ea mov %r13,%rdx
3b: 48 c1 ea 03 shr $0x3,%rdx
3f: 48 rex.W
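Added worked example (not part of the syzkaller log above, and not kernel code): a small Python decoder for the two KASAN findings in this log. The first report is a general protection fault on the non-canonical address 0xdffffc0000000008. That address is a KASAN shadow address: the trapping instruction `cmpb $0x0,(%rdx,%rax,1)` is the inlined shadow check, with %rax = 0xdffffc0000000000 (KASAN_SHADOW_OFFSET on x86-64) and %rdx = %rdi >> 3, and %rdi = 0x40 came from `lea 0x40(%rbp),%rdi` with %rbp = 0, i.e. a field at offset 0x40 of a NULL pointer. Inverting the shadow mapping recovers the range [0x40-0x47] the kernel itself printed. The second report is a use-after-free on a task_struct; reading the shadow byte under the caret in the "Memory state" block gives 0xfb (KASAN_SLAB_FREE), which is why KASAN classifies it as use-after-free. The shadow offset, scale and shadow byte encodings are the values from arch/x86/Kconfig and mm/kasan/kasan.h for generic KASAN; the TASK_SIZE_MAX constant is an assumption used only for the user-memory bucket and does not affect this log. The sample strings are excerpts copied from the log above.

```python
import re

# Generic KASAN on x86-64: shadow = (addr >> 3) + KASAN_SHADOW_OFFSET
# (CONFIG_KASAN_SHADOW_OFFSET=0xdffffc0000000000 in arch/x86/Kconfig).
KASAN_SHADOW_OFFSET = 0xDFFFFC0000000000
KASAN_SHADOW_SCALE_SHIFT = 3
PAGE_SIZE = 4096
TASK_SIZE_MAX = 0x00007FFFFFFFF000  # assumption: x86-64 with 4-level paging

# Shadow byte encodings from mm/kasan/kasan.h (generic mode).
SHADOW_MEANING = {
    0x00: "accessible",
    0xFA: "KASAN_SLAB_FREETRACK (first granule of a freed slab object)",
    0xFB: "KASAN_SLAB_FREE (freed slab object)",
    0xFC: "KASAN_SLAB_REDZONE (redzone between slab objects)",
    0xFE: "KASAN_PAGE_REDZONE",
    0xFF: "KASAN_PAGE_FREE",
}

# Constructed input: the GPF banner copied from the log above.
GPF_LINE = ("general protection fault, probably for non-canonical address "
            "0xdffffc0000000008: 0000 [#1] PREEMPT SMP KASAN NOPTI")

# Constructed input: the relevant lines of the KASAN report copied from the log above.
KASAN_REPORT = """\
BUG: KASAN: use-after-free in __mutex_lock+0x1462/0x14c0
Read of size 4 at addr ffff88803f4b0034 by task syz-executor.2/7744
The buggy address belongs to the object at ffff88803f4b0000
 which belongs to the cache task_struct of size 6592
The buggy address is located 52 bytes inside of
 6592-byte region [ffff88803f4b0000, ffff88803f4b19c0)
Memory state around the buggy address:
 ffff88803f4aff00: fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc
 ffff88803f4aff80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff88803f4b0000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                     ^
 ffff88803f4b0080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
"""


def addr_to_shadow(addr):
    """Address of the shadow byte that guards the 8-byte granule containing addr."""
    return (addr >> KASAN_SHADOW_SCALE_SHIFT) + KASAN_SHADOW_OFFSET


def shadow_to_addr(shadow):
    """Inverse mapping: the 8-byte granule a shadow byte describes, as (lo, hi)."""
    lo = (shadow - KASAN_SHADOW_OFFSET) << KASAN_SHADOW_SCALE_SHIFT
    return lo, lo + (1 << KASAN_SHADOW_SCALE_SHIFT) - 1


def classify_gp_fault(line):
    """Mirror what kasan_non_canonical_hook() does: if the faulting address is in the
    shadow region, recover the access that was being checked and bucket it."""
    m = re.search(r"non-canonical address 0x([0-9a-f]+)", line)
    if not m:
        return None
    shadow = int(m.group(1), 16)
    if shadow < KASAN_SHADOW_OFFSET:
        return None  # not a shadow address, so this GPF is not an inlined KASAN check
    lo, hi = shadow_to_addr(shadow)
    if hi < PAGE_SIZE:
        kind = "null-ptr-deref"
    elif hi < TASK_SIZE_MAX:
        kind = "probably user-memory-access"
    else:
        kind = "maybe wild-memory-access"
    return {"shadow": shadow, "range": (lo, hi), "kind": kind}


def shadow_byte_for(report, addr):
    """Look addr up in the 'Memory state around the buggy address' rows. Each printed
    row is 16 shadow bytes, i.e. 128 bytes of memory starting at the row's address."""
    row_re = re.compile(r"^[ >]?([0-9a-f]{16}): ((?:[0-9a-f]{2} ?){16})$", re.M)
    span = 16 << KASAN_SHADOW_SCALE_SHIFT
    for m in row_re.finditer(report):
        row = int(m.group(1), 16)
        if row <= addr < row + span:
            cells = [int(b, 16) for b in m.group(2).split()]
            return cells[(addr - row) >> KASAN_SHADOW_SCALE_SHIFT]
    return None


def summarize_kasan(report):
    """Pull the facts a triager wants out of a KASAN report and cross-check them."""
    bug = re.search(r"BUG: KASAN: (\S+) in (\S+)", report)
    acc = re.search(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+)", report)
    obj = re.search(r"belongs to the object at ([0-9a-f]+)", report)
    cache = re.search(r"cache (\S+) of size (\d+)", report)
    stated = re.search(r"located (\d+) bytes inside", report)
    addr = int(acc.group(3), 16)
    base = int(obj.group(1), 16)
    sb = shadow_byte_for(report, addr)
    return {
        "bug": bug.group(1), "where": bug.group(2),
        "access": acc.group(1).lower(), "size": int(acc.group(2)), "addr": addr,
        "cache": cache.group(1), "object_size": int(cache.group(2)),
        "offset": addr - base, "stated_offset": int(stated.group(1)),
        "shadow_byte": sb, "meaning": SHADOW_MEANING.get(sb, "unknown"),
    }


if __name__ == "__main__":
    g = classify_gp_fault(GPF_LINE)
    print("GPF: shadow %#x guards [%#x-%#x] -> %s" % (g["shadow"], *g["range"], g["kind"]))
    s = summarize_kasan(KASAN_REPORT)
    print("%s in %s: %s of %d bytes at %#x, %s+%d (obj %d bytes), shadow %#x = %s" % (
        s["bug"], s["where"], s["access"], s["size"], s["addr"], s["cache"],
        s["offset"], s["object_size"], s["shadow_byte"], s["meaning"]))
```

The shadow-byte lookup is the part worth keeping around: when a report's "BUG: KASAN:" header says one thing and the shadow under the caret says another (0xfc redzone versus 0xfb freed, for instance), the header is the summary and the shadow is the ground truth, so the decoder reads the shadow rather than trusting the header.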