------------[ cut here ]------------
kernfs_put: syz2/memory.events.local: released with incorrect active_ref 0
------------[ cut here ]------------
WARNING: CPU: 1 PID: 20 at fs/kernfs/dir.c:531 kernfs_put.part.0+0x433/0x540
WARNING: CPU: 0 PID: 8110 at fs/kernfs/dir.c:504 kernfs_get.part.0+0x69/0x80
Modules linked in:
Modules linked in:
CPU: 0 PID: 8110 Comm: syz-executor.1 Not tainted 5.19.0-rc4-next-20220704 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014
RIP: 0010:kernfs_get.part.0+0x69/0x80
Code: 31 ff 89 ee e8 c8 0c a7 ff 85 ed 74 18 e8 ef 0f a7 ff be 04 00 00 00 48 89 df e8 d2 ba d9 ff f0 ff 03 5b 5d c3 e8 d7 0f a7 ff <0f> 0b eb df 48 89 df e8 7b b7 d9 ff eb c6 66 0f 1f 84 00 00 00 00
CPU: 1 PID: 20 Comm: kworker/1:0 Not tainted 5.19.0-rc4-next-20220704 #1
RSP: 0018:ffff88806ce09c80 EFLAGS: 00010046
RAX: 0000000000000000 RBX: ffff8880096b00e8 RCX: 0000000000000100
RDX: ffff8880454d9ac0 RSI: ffffffff819de5c9 RDI: 0000000000000005
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014
RBP: 0000000000000000 R08: 0000000000000005 R09: 0000000000000000
Workqueue: events kernfs_notify_workfn
R10: 0000000000000000 R11: 0000000000000001 R12: 0000000000000001
R13: 1ffffffff0a01e40 R14: ffff8880096b00e8 R15: ffff888015fb04f0
FS: 00007f6bfc6a3700(0000) GS:ffff88806ce00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
RIP: 0010:kernfs_put.part.0+0x433/0x540
CR2: 0000000020002009 CR3: 000000000f116000 CR4: 0000000000350ef0
Call Trace:
kernfs_get+0x1b/0x30
Code: 03 80 3c 18 00 0f 85 ea 00 00 00 4d 8b 7d 38 e8 73 0b a7 ff 48 8b 14 24 44 89 f1 4c 89 fe 48 c7 c7 e0 58 72 84 e8 93 9c 6c 02 <0f> 0b e9 b9 fc ff ff 48 89 ef e8 0e b3 d9 ff e9 c1 fd ff ff e8 04
kernfs_notify+0x180/0x350
cgroup_file_notify+0xf5/0x1a0
RSP: 0018:ffff8880082c7bd8 EFLAGS: 00010286
call_timer_fn+0x17d/0x5f0
RAX: 0000000000000000 RBX: dffffc0000000000 RCX: 0000000000000000
RDX: ffff8880082b8000 RSI: ffffffff812bd348 RDI: ffffed1001058f6d
RBP: ffff8880096b0120 R08: 0000000000000005 R09: 0000000000000000
__run_timers.part.0+0x65e/0xa50
R10: 0000000080000000 R11: 0000000000000001 R12: ffff8880096b00e8
R13: ffff8880423f2740 R14: 0000000000000000 R15: ffff888015567820
FS: 0000000000000000(0000) GS:ffff88806cf00000(0000) knlGS:0000000000000000
run_timer_softirq+0xae/0x1a0
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
__do_softirq+0x1c8/0x8cc
__irq_exit_rcu+0x113/0x170
CR2: 0000001b2d826000 CR3: 00000000209a4000 CR4: 0000000000350ee0
irq_exit_rcu+0x5/0x20
sysvec_apic_timer_interrupt+0x8e/0xc0
Call Trace:
asm_sysvec_apic_timer_interrupt+0x1b/0x20
RIP: 0010:_raw_spin_unlock_irqrestore+0x2e/0x50
kernfs_put+0x42/0x50
Code: 48 83 c7 18 53 48 89 f3 48 8b 74 24 10 e8 7a 70 0d fd 48 89 ef e8 e2 f1 0d fd 80 e7 02 74 06 e8 b8 c4 2f fd fb bf 01 00 00 00 bd 93 03 fd 65 8b 05 36 70 e6 7b 85 c0 74 03 5b 5d c3 0f 1f 44
RSP: 0018:ffff888044ba7ac8 EFLAGS: 00000202
RAX: 00000000000009f7 RBX: 0000000000000216 RCX: ffffffff8128d13f
kernfs_notify_workfn+0x417/0x560
RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000001
RBP: ffffffff852342c0 R08: 0000000000000001 R09: ffffffff86a5e84f
R10: fffffbfff0d4bd09 R11: 0000000000000001 R12: 000000000007735a
R13: ffff888043c58000 R14: ffff888043c58000 R15: dffffc0000000000
process_one_work+0xa0f/0x1690
try_charge_memcg+0x440/0x1440
mem_cgroup_charge_skmem+0x7c/0x1b0
worker_thread+0x637/0x1250
sock_setsockopt+0x2080/0x34a0
kthread+0x2ed/0x3a0
ret_from_fork+0x22/0x30
__sys_setsockopt+0x258/0x2a0
irq event stamp: 232239
hardirqs last enabled at (232249): [] asm_sysvec_apic_timer_interrupt+0x1b/0x20
hardirqs last disabled at (232258): [] sysvec_apic_timer_interrupt+0xb/0xc0
__x64_sys_setsockopt+0xba/0x150
softirqs last enabled at (228362): [] __irq_exit_rcu+0x113/0x170
do_syscall_64+0x3b/0x90
softirqs last disabled at (228337): [] __irq_exit_rcu+0x113/0x170
entry_SYSCALL_64_after_hwframe+0x46/0xb0
RIP: 0033:0x7f6bff14eb19
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
---[ end trace 0000000000000000 ]---
RSP: 002b:00007f6bfc6a3188 EFLAGS: 00000246 ORIG_RAX: 0000000000000036
RAX: ffffffffffffffda RBX: 00007f6bff262020 RCX: 00007f6bff14eb19
RDX: 0000000000000049 RSI: 0000000000000001 RDI: 0000000000000007
RBP: 00007f6bff1a8f6d R08: 0000000000000010 R09: 0000000000000000
R10: 0000000020000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007ffe079ccfef R14: 00007f6bfc6a3300 R15: 0000000000022000
irq event stamp: 2561
hardirqs last enabled at (2560): [] _raw_spin_unlock_irq+0x1f/0x40
hardirqs last disabled at (2561): [] _raw_spin_lock_irqsave+0x4e/0x50
softirqs last enabled at (2358): [] __irq_exit_rcu+0x113/0x170
softirqs last disabled at (2553): [] __irq_exit_rcu+0x113/0x170
---[ end trace 0000000000000000 ]---
==================================================================
BUG: KASAN: use-after-free in kernfs_get.part.0+0x5e/0x80
Write of size 4 at addr ffff8880096b00e8 by task syz-executor.1/8110
CPU: 0 PID: 8110 Comm: syz-executor.1 Tainted: G W 5.19.0-rc4-next-20220704 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014
Call Trace:
dump_stack_lvl+0x8b/0xb3
print_report.cold+0x5e/0x5e1
kasan_report+0xb1/0x1b0
kasan_check_range+0x35/0x1b0
kernfs_get.part.0+0x5e/0x80
kernfs_get+0x1b/0x30
kernfs_notify+0x180/0x350
cgroup_file_notify+0xf5/0x1a0
call_timer_fn+0x17d/0x5f0
__run_timers.part.0+0x65e/0xa50
run_timer_softirq+0xae/0x1a0
__do_softirq+0x1c8/0x8cc
__irq_exit_rcu+0x113/0x170
irq_exit_rcu+0x5/0x20
sysvec_apic_timer_interrupt+0x8e/0xc0
asm_sysvec_apic_timer_interrupt+0x1b/0x20
RIP: 0010:_raw_spin_unlock_irqrestore+0x2e/0x50
Code: 48 83 c7 18 53 48 89 f3 48 8b 74 24 10 e8 7a 70 0d fd 48 89 ef e8 e2 f1 0d fd 80 e7 02 74 06 e8 b8 c4 2f fd fb bf 01 00 00 00 bd 93 03 fd 65 8b 05 36 70 e6 7b 85 c0 74 03 5b 5d c3 0f 1f 44
RSP: 0018:ffff888044ba7ac8 EFLAGS: 00000202
RAX: 00000000000009f7 RBX: 0000000000000216 RCX: ffffffff8128d13f
RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000001
RBP: ffffffff852342c0 R08: 0000000000000001 R09: ffffffff86a5e84f
R10: fffffbfff0d4bd09 R11: 0000000000000001 R12: 000000000007735a
R13: ffff888043c58000 R14: ffff888043c58000 R15: dffffc0000000000
try_charge_memcg+0x440/0x1440
mem_cgroup_charge_skmem+0x7c/0x1b0
sock_setsockopt+0x2080/0x34a0
__sys_setsockopt+0x258/0x2a0
__x64_sys_setsockopt+0xba/0x150
do_syscall_64+0x3b/0x90
entry_SYSCALL_64_after_hwframe+0x46/0xb0
RIP: 0033:0x7f6bff14eb19
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f6bfc6a3188 EFLAGS: 00000246 ORIG_RAX: 0000000000000036
RAX: ffffffffffffffda RBX: 00007f6bff262020 RCX: 00007f6bff14eb19
RDX: 0000000000000049 RSI: 0000000000000001 RDI: 0000000000000007
RBP: 00007f6bff1a8f6d R08: 0000000000000010 R09: 0000000000000000
R10: 0000000020000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007ffe079ccfef R14: 00007f6bfc6a3300 R15: 0000000000022000
Allocated by task 294:
kasan_save_stack+0x1e/0x40
__kasan_slab_alloc+0x66/0x80
kmem_cache_alloc+0x1b1/0x490
__kernfs_new_node+0xd4/0x8b0
kernfs_new_node+0x93/0x120
__kernfs_create_file+0x51/0x350
cgroup_addrm_files+0x3e2/0x9d0
css_populate_dir+0x19b/0x450
cgroup_apply_control_enable+0x3ae/0xa40
cgroup_mkdir+0x824/0x11f0
kernfs_iop_mkdir+0x149/0x1d0
vfs_mkdir+0x417/0x6a0
do_mkdirat+0x17b/0x2e0
__x64_sys_mkdir+0xf2/0x140
do_syscall_64+0x3b/0x90
entry_SYSCALL_64_after_hwframe+0x46/0xb0
Freed by task 20:
kasan_save_stack+0x1e/0x40
kasan_set_track+0x21/0x30
kasan_set_free_info+0x20/0x30
__kasan_slab_free+0x108/0x190
kmem_cache_free+0xfb/0x600
kernfs_put.part.0+0x2c7/0x540
kernfs_put+0x42/0x50
kernfs_notify_workfn+0x417/0x560
process_one_work+0xa0f/0x1690
worker_thread+0x637/0x1250
kthread+0x2ed/0x3a0
ret_from_fork+0x22/0x30
The buggy address belongs to the object at ffff8880096b00e8
which belongs to the cache kernfs_node_cache of size 168
The buggy address is located 0 bytes inside of
168-byte region [ffff8880096b00e8, ffff8880096b0190)
The buggy address belongs to the physical page:
page:0000000071ab5a42 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x96b0
flags: 0x100000000000200(slab|node=0|zone=1)
raw: 0100000000000200 0000000000000000 dead000000000122 ffff8880080358c0
raw: 0000000000000000 0000000000110011 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff8880096aff80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff8880096b0000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8880096b0080: fb fb fb fb fb fc fc fc fc fc fc fc fc fa fb fb
^
ffff8880096b0100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8880096b0180: fb fb fc fc fc fc fc fc fc fc 00 00 00 00 00 00
==================================================================
netlink: 2552 bytes leftover after parsing attributes in process `syz-executor.2'.
netlink: 2552 bytes leftover after parsing attributes in process `syz-executor.1'.
netlink: 2552 bytes leftover after parsing attributes in process `syz-executor.2'.
netlink: 2552 bytes leftover after parsing attributes in process `syz-executor.1'.
netlink: 2552 bytes leftover after parsing attributes in process `syz-executor.0'.
BUG: kernel NULL pointer dereference, address: 0000000000000018
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 453ed067 P4D 453ed067 PUD 44338067 PMD 0
Oops: 0000 [#1] PREEMPT SMP KASAN NOPTI
CPU: 0 PID: 8140 Comm: syz-executor.7 Tainted: G B W 5.19.0-rc4-next-20220704 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014
RIP: 0010:qlist_free_all+0xd3/0x190
Code: 03 05 a1 82 7b 03 48 8b 48 08 48 89 c2 f6 c1 01 0f 85 b6 00 00 00 0f 1f 44 00 00 48 8b 02 f6 c4 02 b8 00 00 00 00 48 0f 44 d0 <4c> 8b 72 18 e9 50 ff ff ff 49 83 7e 48 00 0f 85 68 ff ff ff 41 f7
RSP: 0018:ffff8880442aeeb8 EFLAGS: 00010246
RAX: 0000000000000000 RBX: ffff888043b1dc50 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffffea000025ac00 RDI: 0000000040000000
RBP: 0000000000000000 R08: ffff888043b1dc50 R09: 000000008011000f
R10: ffffea000025ac00 R11: 0000000000000000 R12: dffffc0000000000
R13: ffff8880442aeef8 R14: 0000000000000000 R15: ffff8880096b0000
FS: 00007f46c43a1700(0000) GS:ffff88806ce00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000018 CR3: 0000000043a6c000 CR4: 0000000000350ef0
Call Trace:
kasan_quarantine_reduce+0x180/0x200
__kasan_slab_alloc+0x78/0x80
kmem_cache_alloc_node+0x1bf/0x4a0
__alloc_skb+0x20c/0x340
alloc_skb_with_frags+0x92/0x620
sock_alloc_send_pskb+0x7ca/0x950
__ip_append_data+0x1662/0x35d0
ip_make_skb+0x226/0x2a0
udp_sendmsg+0x1907/0x20f0
udpv6_sendmsg+0x1709/0x2940
inet6_sendmsg+0xfd/0x140
sock_sendmsg+0xee/0x190
____sys_sendmsg+0x337/0x870
___sys_sendmsg+0xf3/0x170
__sys_sendmmsg+0x195/0x470
__x64_sys_sendmmsg+0x99/0x100
do_syscall_64+0x3b/0x90
entry_SYSCALL_64_after_hwframe+0x46/0xb0
RIP: 0033:0x7f46c6e2bb19
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f46c43a1188 EFLAGS: 00000246 ORIG_RAX: 0000000000000133
RAX: ffffffffffffffda RBX: 00007f46c6f3ef60 RCX: 00007f46c6e2bb19
RDX: 0000000004000101 RSI: 0000000020002880 RDI: 0000000000000006
RBP: 00007f46c6e85f6d R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007ffe160d3aaf R14: 00007f46c43a1300 R15: 0000000000022000
Modules linked in:
CR2: 0000000000000018
---[ end trace 0000000000000000 ]---
RIP: 0010:qlist_free_all+0xd3/0x190
Code: 03 05 a1 82 7b 03 48 8b 48 08 48 89 c2 f6 c1 01 0f 85 b6 00 00 00 0f 1f 44 00 00 48 8b 02 f6 c4 02 b8 00 00 00 00 48 0f 44 d0 <4c> 8b 72 18 e9 50 ff ff ff 49 83 7e 48 00 0f 85 68 ff ff ff 41 f7
RSP: 0018:ffff8880442aeeb8 EFLAGS: 00010246
RAX: 0000000000000000 RBX: ffff888043b1dc50 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffffea000025ac00 RDI: 0000000040000000
RBP: 0000000000000000 R08: ffff888043b1dc50 R09: 000000008011000f
R10: ffffea000025ac00 R11: 0000000000000000 R12: dffffc0000000000
R13: ffff8880442aeef8 R14: 0000000000000000 R15: ffff8880096b0000
FS: 00007f46c43a1700(0000) GS:ffff88806ce00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000018 CR3: 0000000043a6c000 CR4: 0000000000350ef0
netlink: 2552 bytes leftover after parsing attributes in process `syz-executor.1'.
netlink: 2552 bytes leftover after parsing attributes in process `syz-executor.0'.
netlink: 2552 bytes leftover after parsing attributes in process `syz-executor.6'.
BUG: kernel NULL pointer dereference, address: 0000000000000018
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 1bfee067 P4D 1bfee067 PUD 453ef067 PMD 0
Oops: 0000 [#2] PREEMPT SMP KASAN NOPTI
CPU: 1 PID: 8178 Comm: syz-executor.4 Tainted: G B D W 5.19.0-rc4-next-20220704 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014
RIP: 0010:qlist_free_all+0xd3/0x190
Code: 03 05 a1 82 7b 03 48 8b 48 08 48 89 c2 f6 c1 01 0f 85 b6 00 00 00 0f 1f 44 00 00 48 8b 02 f6 c4 02 b8 00 00 00 00 48 0f 44 d0 <4c> 8b 72 18 e9 50 ff ff ff 49 83 7e 48 00 0f 85 68 ff ff ff 41 f7
RSP: 0018:ffff888018136e18 EFLAGS: 00010246
RAX: 0000000000000000 RBX: ffff8880407d4a45 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000001 RDI: ffffffff81770c31
RBP: 0000000000000000 R08: ffff8880407d4a45 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000001 R12: dffffc0000000000
R13: ffff888018136e58 R14: 0000000000000000 R15: ffff888042e6bbc8
FS: 00007f4b172a1700(0000) GS:ffff88806cf00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000018 CR3: 0000000042e40000 CR4: 0000000000350ee0
Call Trace:
kasan_quarantine_reduce+0x180/0x200
__kasan_slab_alloc+0x78/0x80
kmem_cache_alloc+0x1b1/0x490
__create_object.isra.0+0x3d/0xc10
kmem_cache_alloc_node+0x255/0x4a0
__alloc_skb+0x20c/0x340
alloc_skb_with_frags+0x92/0x620
sock_alloc_send_pskb+0x7ca/0x950
__ip_append_data+0x1662/0x35d0
ip_make_skb+0x226/0x2a0
udp_sendmsg+0x1907/0x20f0
udpv6_sendmsg+0x1709/0x2940
inet6_sendmsg+0xfd/0x140
sock_sendmsg+0xee/0x190
____sys_sendmsg+0x337/0x870
___sys_sendmsg+0xf3/0x170
__sys_sendmmsg+0x195/0x470
__x64_sys_sendmmsg+0x99/0x100
do_syscall_64+0x3b/0x90
entry_SYSCALL_64_after_hwframe+0x46/0xb0
RIP: 0033:0x7f4b19d2bb19
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f4b172a1188 EFLAGS: 00000246 ORIG_RAX: 0000000000000133
RAX: ffffffffffffffda RBX: 00007f4b19e3ef60 RCX: 00007f4b19d2bb19
RDX: 0000000004000101 RSI: 0000000020002880 RDI: 0000000000000006
RBP: 00007f4b19d85f6d R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007ffe8f11f5ef R14: 00007f4b172a1300 R15: 0000000000022000
Modules linked in:
CR2: 0000000000000018
---[ end trace 0000000000000000 ]---
RIP: 0010:qlist_free_all+0xd3/0x190
Code: 03 05 a1 82 7b 03 48 8b 48 08 48 89 c2 f6 c1 01 0f 85 b6 00 00 00 0f 1f 44 00 00 48 8b 02 f6 c4 02 b8 00 00 00 00 48 0f 44 d0 <4c> 8b 72 18 e9 50 ff ff ff 49 83 7e 48 00 0f 85 68 ff ff ff 41 f7
RSP: 0018:ffff8880442aeeb8 EFLAGS: 00010246
RAX: 0000000000000000 RBX: ffff888043b1dc50 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffffea000025ac00 RDI: 0000000040000000
RBP: 0000000000000000 R08: ffff888043b1dc50 R09: 000000008011000f
R10: ffffea000025ac00 R11: 0000000000000000 R12: dffffc0000000000
R13: ffff8880442aeef8 R14: 0000000000000000 R15: ffff8880096b0000
FS: 00007f4b172a1700(0000) GS:ffff88806cf00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000018 CR3: 0000000042e40000 CR4: 0000000000350ee0
netlink: 2552 bytes leftover after parsing attributes in process `syz-executor.6'.
netlink: 2552 bytes leftover after parsing attributes in process `syz-executor.1'.
netlink: 2552 bytes leftover after parsing attributes in process `syz-executor.0'.
netlink: 2552 bytes leftover after parsing attributes in process `syz-executor.6'.
netlink: 2552 bytes leftover after parsing attributes in process `syz-executor.1'.
netlink: 2552 bytes leftover after parsing attributes in process `syz-executor.0'.
netlink: 2552 bytes leftover after parsing attributes in process `syz-executor.1'.
netlink: 2552 bytes leftover after parsing attributes in process `syz-executor.0'.
netlink: 2552 bytes leftover after parsing attributes in process `syz-executor.0'.
netlink: 2552 bytes leftover after parsing attributes in process `syz-executor.1'.
general protection fault, probably for non-canonical address 0x200221d8be3ffc8: 0000 [#3] PREEMPT SMP KASAN NOPTI
CPU: 1 PID: 299 Comm: syz-executor.6 Tainted: G B D W 5.19.0-rc4-next-20220704 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014
RIP: 0010:qlist_free_all+0xaf/0x190
Code: 80 4c 01 c2 0f 82 f0 00 00 00 48 c7 c0 00 00 00 80 48 2b 05 c3 82 7b 03 48 01 d0 48 c1 e8 0c 48 c1 e0 06 48 03 05 a1 82 7b 03 <48> 8b 48 08 48 89 c2 f6 c1 01 0f 85 b6 00 00 00 0f 1f 44 00 00 48
RSP: 0018:ffff888017d87df8 EFLAGS: 00010207
RAX: 0200221d8be3ffc0 RBX: 800d8fe2f8ffff88 RCX: 1ffffffff0b1d55d
RDX: 800d8fe378ffff88 RSI: 0000000000000001 RDI: ffffffff81770c31
RBP: 0000000000000000 R08: 800d8fe2f8ffff88 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000001 R12: dffffc0000000000
R13: ffff888017d87e38 R14: 0000000000000000 R15: ffff88800d12d2fd
FS: 0000555555612400(0000) GS:ffff88806cf00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055555561bc58 CR3: 000000000e8d0000 CR4: 0000000000350ee0
Call Trace:
kasan_quarantine_reduce+0x180/0x200
__kasan_slab_alloc+0x78/0x80
kmem_cache_alloc+0x1b1/0x490
getname_flags.part.0+0x50/0x4f0
__x64_sys_unlink+0xb1/0x110
do_syscall_64+0x3b/0x90
entry_SYSCALL_64_after_hwframe+0x46/0xb0
RIP: 0033:0x7ff2a4b53457
Code: 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 b8 57 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fff9c841bd8 EFLAGS: 00000206 ORIG_RAX: 0000000000000057
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007ff2a4b53457
RDX: 00007fff9c841c10 RSI: 00007fff9c841c10 RDI: 00007fff9c841ca0
RBP: 00007fff9c841ca0 R08: 0000000000000001 R09: 00007fff9c841a70
R10: 0000555555613cbb R11: 0000000000000206 R12: 00007ff2a4bad105
R13: 00007fff9c842d60 R14: 0000555555613c20 R15: 00007fff9c842da0
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:qlist_free_all+0xd3/0x190
Code: 03 05 a1 82 7b 03 48 8b 48 08 48 89 c2 f6 c1 01 0f 85 b6 00 00 00 0f 1f 44 00 00 48 8b 02 f6 c4 02 b8 00 00 00 00 48 0f 44 d0 <4c> 8b 72 18 e9 50 ff ff ff 49 83 7e 48 00 0f 85 68 ff ff ff 41 f7
RSP: 0018:ffff8880442aeeb8 EFLAGS: 00010246
RAX: 0000000000000000 RBX: ffff888043b1dc50 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffffea000025ac00 RDI: 0000000040000000
RBP: 0000000000000000 R08: ffff888043b1dc50 R09: 000000008011000f
R10: ffffea000025ac00 R11: 0000000000000000 R12: dffffc0000000000
R13: ffff8880442aeef8 R14: 0000000000000000 R15: ffff8880096b0000
FS: 0000555555612400(0000) GS:ffff88806cf00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055555561bc58 CR3: 000000000e8d0000 CR4: 0000000000350ee0
------------[ cut here ]------------
WARNING: CPU: 1 PID: 1 at mm/kasan/shadow.c:134 kasan_unpoison+0x42/0x50
Modules linked in:
CPU: 1 PID: 1 Comm: systemd Tainted: G B D W 5.19.0-rc4-next-20220704 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014
RIP: 0010:kasan_unpoison+0x42/0x50
Code: 89 fb 48 83 c6 01 e8 7d fe ff ff 48 89 e8 83 e0 07 74 14 48 ba 00 00 00 00 00 fc ff df 48 01 eb 48 c1 eb 03 88 04 13 5b 5d c3 <0f> 0b c3 66 66 2e 0f 1f 84 00 00 00 00 00 41 57 48 89 f8 41 56 48
RSP: 0018:ffff8880081b7970 EFLAGS: 00010206
RAX: 0000000003113600 RBX: 0000000000000001 RCX: 0000000000000001
RDX: 0000000000000001 RSI: 00000000000000a8 RDI: ffff88800d12d2fd
RBP: ffff8880080358c0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000001 R12: ffff88800d12d2fd
R13: 0000000000000dc0 R14: 0000000000000dc0 R15: 0000000000000dc0
FS: 00007f049e8b7900(0000) GS:ffff88806cf00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00005559bd10aae0 CR3: 000000000fac4000 CR4: 0000000000350ee0
Call Trace:
__kasan_slab_alloc+0x2c/0x80
kmem_cache_alloc+0x1b1/0x490
__kernfs_new_node+0xd4/0x8b0
kernfs_new_node+0x93/0x120
__kernfs_create_file+0x51/0x350
cgroup_addrm_files+0x3e2/0x9d0
css_populate_dir+0x300/0x450
cgroup_mkdir+0x38b/0x11f0
kernfs_iop_mkdir+0x149/0x1d0
vfs_mkdir+0x417/0x6a0
do_mkdirat+0x17b/0x2e0
__x64_sys_mkdir+0xf2/0x140
do_syscall_64+0x3b/0x90
entry_SYSCALL_64_after_hwframe+0x46/0xb0
RIP: 0033:0x7f049f084b07
Code: 1f 40 00 48 8b 05 89 f3 0c 00 64 c7 00 5f 00 00 00 b8 ff ff ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 b8 53 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 59 f3 0c 00 f7 d8 64 89 01 48
RSP: 002b:00007ffca3243fb8 EFLAGS: 00000206 ORIG_RAX: 0000000000000053
RAX: ffffffffffffffda RBX: 00005559bd197bc0 RCX: 00007f049f084b07
RDX: 00007ffca3243e50 RSI: 00000000000001ed RDI: 00005559bd1d6cb0
RBP: 00007f049f475351 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000206 R12: 0000000000000000
R13: 00005559bd197bc0 R14: 0000000000000000 R15: 00005559bd13e760
irq event stamp: 7271044
hardirqs last enabled at (7271043): [] _raw_write_unlock_irq+0x1f/0x40
hardirqs last disabled at (7271044): [] __schedule+0x11d9/0x24a0
softirqs last enabled at (7270682): [] __irq_exit_rcu+0x113/0x170
softirqs last disabled at (7270673): [] __irq_exit_rcu+0x113/0x170
---[ end trace 0000000000000000 ]---
kmemleak: Cannot insert 0xffff88800d12d2fd into the object search tree (overlaps existing)
CPU: 1 PID: 1 Comm: systemd Tainted: G B D W 5.19.0-rc4-next-20220704 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014
Call Trace:
dump_stack_lvl+0x8b/0xb3
__create_object.isra.0.cold+0x44/0x6a
kmem_cache_alloc+0x247/0x490
__kernfs_new_node+0xd4/0x8b0
kernfs_new_node+0x93/0x120
__kernfs_create_file+0x51/0x350
cgroup_addrm_files+0x3e2/0x9d0
css_populate_dir+0x300/0x450
cgroup_mkdir+0x38b/0x11f0
kernfs_iop_mkdir+0x149/0x1d0
vfs_mkdir+0x417/0x6a0
do_mkdirat+0x17b/0x2e0
__x64_sys_mkdir+0xf2/0x140
do_syscall_64+0x3b/0x90
entry_SYSCALL_64_after_hwframe+0x46/0xb0
RIP: 0033:0x7f049f084b07
Code: 1f 40 00 48 8b 05 89 f3 0c 00 64 c7 00 5f 00 00 00 b8 ff ff ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 b8 53 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 59 f3 0c 00 f7 d8 64 89 01 48
RSP: 002b:00007ffca3243fb8 EFLAGS: 00000206 ORIG_RAX: 0000000000000053
RAX: ffffffffffffffda RBX: 00005559bd197bc0 RCX: 00007f049f084b07
RDX: 00007ffca3243e50 RSI: 00000000000001ed RDI: 00005559bd1d6cb0
RBP: 00007f049f475351 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000206 R12: 0000000000000000
R13: 00005559bd197bc0 R14: 0000000000000000 R15: 00005559bd13e760
kmemleak: Kernel memory leak detector disabled
kmemleak: Object 0xffff88800d12d3a0 (size 168):
kmemleak: comm "systemd", pid 1, jiffies 4294687806
kmemleak: min_count = 1
kmemleak: count = 1
kmemleak: flags = 0x1
kmemleak: checksum = 0
kmemleak: backtrace:
__kernfs_new_node+0xd4/0x8b0
kernfs_new_node+0x93/0x120
__kernfs_create_file+0x51/0x350
cgroup_addrm_files+0x3e2/0x9d0
css_populate_dir+0x300/0x450
cgroup_mkdir+0x38b/0x11f0
kernfs_iop_mkdir+0x149/0x1d0
vfs_mkdir+0x417/0x6a0
do_mkdirat+0x17b/0x2e0
__x64_sys_mkdir+0xf2/0x140
do_syscall_64+0x3b/0x90
entry_SYSCALL_64_after_hwframe+0x46/0xb0
BUG: unable to handle page fault for address: ffffff88800df1a9
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 5029067 P4D 5029067 PUD 0
Oops: 0000 [#4] PREEMPT SMP KASAN NOPTI
CPU: 1 PID: 1 Comm: systemd Tainted: G B D W 5.19.0-rc4-next-20220704 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014
RIP: 0010:kernfs_link_sibling+0x1ac/0x470
Code: 17 48 85 d2 74 79 48 89 d3 e8 d0 f4 a6 ff 48 8d 7b 20 48 89 f8 48 c1 e8 03 42 0f b6 04 20 84 c0 74 08 3c 03 0f 8e 05 02 00 00 <44> 8b 7b 20 89 ef 44 89 fe e8 f6 f0 a6 ff 44 39 fd 72 a1 e8 9c f4
RSP: 0018:ffff8880081b7a28 EFLAGS: 00010246
RAX: 0000000000000000 RBX: ffffff88800df189 RCX: 0000000000000000
RDX: ffff8880081a8000 RSI: ffffffff819e00d0 RDI: ffffff88800df1a9
RBP: 000000002532d118 R08: 0000000000000004 R09: 000000002532d118
R10: 0000000019ef7ffd R11: 0000000000000001 R12: dffffc0000000000
R13: ffff88800df183a0 R14: 0000000000000000 R15: ffff88800d12d345
FS: 00007f049e8b7900(0000) GS:ffff88806cf00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffff88800df1a9 CR3: 000000000fac4000 CR4: 0000000000350ee0
Call Trace:
kernfs_add_one+0x27a/0x550
__kernfs_create_file+0x29c/0x350
cgroup_addrm_files+0x3e2/0x9d0
css_populate_dir+0x19b/0x450
cgroup_apply_control_enable+0x3ae/0xa40
cgroup_mkdir+0x824/0x11f0
kernfs_iop_mkdir+0x149/0x1d0
vfs_mkdir+0x417/0x6a0
do_mkdirat+0x17b/0x2e0
__x64_sys_mkdir+0xf2/0x140
do_syscall_64+0x3b/0x90
entry_SYSCALL_64_after_hwframe+0x46/0xb0
RIP: 0033:0x7f049f084b07
Code: 1f 40 00 48 8b 05 89 f3 0c 00 64 c7 00 5f 00 00 00 b8 ff ff ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 b8 53 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 59 f3 0c 00 f7 d8 64 89 01 48
RSP: 002b:00007ffca3243fb8 EFLAGS: 00000206 ORIG_RAX: 0000000000000053
RAX: ffffffffffffffda RBX: 00005559bd197bc0 RCX: 00007f049f084b07
RDX: 00007ffca3243e50 RSI: 00000000000001ed RDI: 00005559bd1d6cb0
RBP: 00007f049f475351 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000206 R12: 0000000000000000
R13: 00005559bd197bc0 R14: 0000000000000000 R15: 00005559bd13e760
Modules linked in:
CR2: ffffff88800df1a9
---[ end trace 0000000000000000 ]---
RIP: 0010:qlist_free_all+0xd3/0x190
Code: 03 05 a1 82 7b 03 48 8b 48 08 48 89 c2 f6 c1 01 0f 85 b6 00 00 00 0f 1f 44 00 00 48 8b 02 f6 c4 02 b8 00 00 00 00 48 0f 44 d0 <4c> 8b 72 18 e9 50 ff ff ff 49 83 7e 48 00 0f 85 68 ff ff ff 41 f7
RSP: 0018:ffff8880442aeeb8 EFLAGS: 00010246
RAX: 0000000000000000 RBX: ffff888043b1dc50 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffffea000025ac00 RDI: 0000000040000000
RBP: 0000000000000000 R08: ffff888043b1dc50 R09: 000000008011000f
R10: ffffea000025ac00 R11: 0000000000000000 R12: dffffc0000000000
R13: ffff8880442aeef8 R14: 0000000000000000 R15: ffff8880096b0000
FS: 00007f049e8b7900(0000) GS:ffff88806cf00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffff88800df1a9 CR3: 000000000fac4000 CR4: 0000000000350ee0
kmemleak: Automatic memory scanning thread ended
----------------
Code disassembly (best guess):
0: 48 83 c7 18 add $0x18,%rdi
4: 53 push %rbx
5: 48 89 f3 mov %rsi,%rbx
8: 48 8b 74 24 10 mov 0x10(%rsp),%rsi
d: e8 7a 70 0d fd callq 0xfd0d708c
12: 48 89 ef mov %rbp,%rdi
15: e8 e2 f1 0d fd callq 0xfd0df1fc
1a: 80 e7 02 and $0x2,%bh
1d: 74 06 je 0x25
1f: e8 b8 c4 2f fd callq 0xfd2fc4dc
24: fb sti
25: bf 01 00 00 00 mov $0x1,%edi
* 2a: e8 bd 93 03 fd callq 0xfd0393ec <-- trapping instruction
2f: 65 8b 05 36 70 e6 7b mov %gs:0x7be67036(%rip),%eax # 0x7be6706c
36: 85 c0 test %eax,%eax
38: 74 03 je 0x3d
3a: 5b pop %rbx
3b: 5d pop %rbp
3c: c3 retq
3d: 0f .byte 0xf
3e: 1f (bad)
3f: 44 rex.R