general protection fault, probably for non-canonical address 0xdffffc0000000008: 0000 [#1] PREEMPT SMP KASAN NOPTI
KASAN: null-ptr-deref in range [0x0000000000000040-0x0000000000000047]
CPU: 1 PID: 8635 Comm: syz-executor.7 Not tainted 6.2.0-rc5-next-20230124 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
RIP: 0010:pause_prepare_data+0x5e/0x410
Code: 03 0f b6 04 02 84 c0 74 08 3c 03 0f 8e 0e 03 00 00 48 8d 7d 40 44 8b 63 10 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 21 03 00 00 48 8b 45 40 4c 89 ea 48 c1 ea 03 48
RSP: 0018:ffff8880488b7270 EFLAGS: 00010212
RAX: dffffc0000000000 RBX: ffff88800e0d5500 RCX: ffffc9000780b000
RDX: 0000000000000008 RSI: ffffffff83702020 RDI: 0000000000000040
RBP: 0000000000000000 R08: 0000000000000000 R09: ffffffff85d11e17
R10: fffffbfff0ba23c2 R11: 0000000000000001 R12: 0000000000000000
R13: ffff88801f3ee180 R14: ffffffff83702000 R15: ffff88804249a580
FS: 00007fa8e3331700(0000) GS:ffff88806cf00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f52d220d3a4 CR3: 000000001f392000 CR4: 0000000000350ee0
Call Trace:
ethnl_default_dumpit+0x43d/0xdf0
netlink_dump+0x585/0x1070
__netlink_dump_start+0x652/0x910
genl_family_rcv_msg_dumpit+0x2bf/0x310
genl_rcv_msg+0x419/0x7e0
netlink_rcv_skb+0x15d/0x450
genl_rcv+0x28/0x40
netlink_unicast+0x552/0x800
netlink_sendmsg+0x923/0xe20
sock_sendmsg+0x1b6/0x200
____sys_sendmsg+0x74e/0x980
___sys_sendmsg+0x110/0x1b0
__sys_sendmsg+0xf7/0x1d0
do_syscall_64+0x3f/0x90
entry_SYSCALL_64_after_hwframe+0x72/0xdc
RIP: 0033:0x7fa8e5dbbb19
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fa8e3331188 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00007fa8e5ecef60 RCX: 00007fa8e5dbbb19
RDX: 0000000000000000 RSI: 0000000020000e80 RDI: 0000000000000003
RBP: 00007fa8e5e15f6d R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007ffda2a9756f R14: 00007fa8e3331300 R15: 0000000000022000
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:pause_prepare_data+0x5e/0x410
Code: 03 0f b6 04 02 84 c0 74 08 3c 03 0f 8e 0e 03 00 00 48 8d 7d 40 44 8b 63 10 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 21 03 00 00 48 8b 45 40 4c 89 ea 48 c1 ea 03 48
RSP: 0018:ffff8880488b7270 EFLAGS: 00010212
RAX: dffffc0000000000 RBX: ffff88800e0d5500 RCX: ffffc9000780b000
RDX: 0000000000000008 RSI: ffffffff83702020 RDI: 0000000000000040
RBP: 0000000000000000 R08: 0000000000000000 R09: ffffffff85d11e17
R10: fffffbfff0ba23c2 R11: 0000000000000001 R12: 0000000000000000
R13: ffff88801f3ee180 R14: ffffffff83702000 R15: ffff88804249a580
FS: 00007fa8e3331700(0000) GS:ffff88806cf00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f52d220d3a4 CR3: 000000001f392000 CR4: 0000000000350ee0
==================================================================
BUG: KASAN: use-after-free in __mutex_lock+0x1462/0x14c0
Read of size 4 at addr ffff88800ddc9af4 by task syz-executor.7/8643
CPU: 0 PID: 8643 Comm: syz-executor.7 Tainted: G D 6.2.0-rc5-next-20230124 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
Call Trace:
dump_stack_lvl+0x8f/0xb7
print_report+0x175/0x478
kasan_report+0xc0/0x100
__mutex_lock+0x1462/0x14c0
ethnl_default_dumpit+0xb6/0xdf0
netlink_dump+0x585/0x1070
__netlink_dump_start+0x652/0x910
genl_family_rcv_msg_dumpit+0x2bf/0x310
genl_rcv_msg+0x419/0x7e0
netlink_rcv_skb+0x15d/0x450
genl_rcv+0x28/0x40
netlink_unicast+0x552/0x800
netlink_sendmsg+0x923/0xe20
sock_sendmsg+0x1b6/0x200
____sys_sendmsg+0x74e/0x980
___sys_sendmsg+0x110/0x1b0
__sys_sendmsg+0xf7/0x1d0
do_syscall_64+0x3f/0x90
entry_SYSCALL_64_after_hwframe+0x72/0xdc
RIP: 0033:0x7fa8e5dbbb19
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fa8e32ef188 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00007fa8e5ecf0e0 RCX: 00007fa8e5dbbb19
RDX: 0000000000000000 RSI: 0000000020000e80 RDI: 0000000000000003
RBP: 00007fa8e5e15f6d R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007ffda2a9756f R14: 00007fa8e32ef300 R15: 0000000000022000
Allocated by task 8634:
kasan_save_stack+0x22/0x50
kasan_set_track+0x25/0x30
__kasan_slab_alloc+0x59/0x70
kmem_cache_alloc_node+0x187/0x310
copy_process+0x3ac/0x7390
kernel_clone+0xeb/0x8c0
__do_sys_clone+0xba/0x100
do_syscall_64+0x3f/0x90
entry_SYSCALL_64_after_hwframe+0x72/0xdc
Freed by task 86:
kasan_save_stack+0x22/0x50
kasan_set_track+0x25/0x30
kasan_save_free_info+0x2e/0x50
__kasan_slab_free+0x10a/0x190
kmem_cache_free+0xff/0x510
delayed_put_task_struct+0x1c9/0x310
rcu_core+0x802/0x1c00
__do_softirq+0x274/0x8ff
Last potentially related work creation:
kasan_save_stack+0x22/0x50
__kasan_record_aux_stack+0x95/0xb0
__call_rcu_common.constprop.0+0x6a/0xa00
put_task_struct_rcu_user+0x83/0xd0
__schedule+0xbb8/0x2b20
preempt_schedule_common+0x45/0xb0
__cond_resched+0x1b/0x30
__mutex_lock+0xa3/0x14c0
device_add+0x125a/0x1e50
device_create_groups_vargs+0x207/0x280
device_create+0xe0/0x120
vc_allocate+0x5b6/0x830
con_install+0x97/0x5d0
tty_init_dev.part.0+0xa0/0x5e0
tty_open+0xbe7/0x13b0
chrdev_open+0x26c/0x6e0
do_dentry_open+0x6ca/0x12b0
path_openat+0x18ad/0x2750
do_filp_open+0x1ba/0x410
do_sys_openat2+0x171/0x4c0
__x64_sys_openat+0x143/0x200
do_syscall_64+0x3f/0x90
entry_SYSCALL_64_after_hwframe+0x72/0xdc
Second to last potentially related work creation:
kasan_save_stack+0x22/0x50
__kasan_record_aux_stack+0x95/0xb0
__call_rcu_common.constprop.0+0x6a/0xa00
put_task_struct_rcu_user+0x83/0xd0
wait_consider_task+0x2f59/0x3c40
do_wait+0x777/0xc90
kernel_wait4+0x150/0x260
__do_sys_wait4+0x143/0x150
do_syscall_64+0x3f/0x90
entry_SYSCALL_64_after_hwframe+0x72/0xdc
The buggy address belongs to the object at ffff88800ddc9ac0
which belongs to the cache task_struct of size 6592
The buggy address is located 52 bytes inside of
6592-byte region [ffff88800ddc9ac0, ffff88800ddcb480)
The buggy address belongs to the physical page:
page:000000001deccaad refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0xddc8
head:000000001deccaad order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0
memcg:ffff888013f3ab81
anon flags: 0x100000000010200(slab|head|node=0|zone=1)
raw: 0100000000010200 ffff88800876e640 0000000000000000 dead000000000001
raw: 0000000000000000 0000000000040004 00000001ffffffff ffff888013f3ab81
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff88800ddc9980: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
ffff88800ddc9a00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff88800ddc9a80: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
                                                             ^
ffff88800ddc9b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88800ddc9b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
----------------
Code disassembly (best guess):
   0:  03 0f                   add    (%rdi),%ecx
   2:  b6 04                   mov    $0x4,%dh
   4:  02 84 c0 74 08 3c 03    add    0x33c0874(%rax,%rax,8),%al
   b:  0f 8e 0e 03 00 00       jle    0x31f
  11:  48 8d 7d 40             lea    0x40(%rbp),%rdi
  15:  44 8b 63 10             mov    0x10(%rbx),%r12d
  19:  48 b8 00 00 00 00 00    movabs $0xdffffc0000000000,%rax
  20:  fc ff df
  23:  48 89 fa                mov    %rdi,%rdx
  26:  48 c1 ea 03             shr    $0x3,%rdx
* 2a:  80 3c 02 00             cmpb   $0x0,(%rdx,%rax,1)    <-- trapping instruction
  2e:  0f 85 21 03 00 00       jne    0x355
  34:  48 8b 45 40             mov    0x40(%rbp),%rax
  38:  4c 89 ea                mov    %r13,%rdx
  3b:  48 c1 ea 03             shr    $0x3,%rdx
  3f:  48                      rex.W