================================================================== BUG: KASAN: use-after-free in __lock_acquire+0x42c9/0x5e70 Read of size 8 at addr ffff88800eb7b608 by task syz-executor/10115 CPU: 0 PID: 10115 Comm: syz-executor Not tainted 6.0.0-rc1-next-20220819 #1 BUG: sleeping function called from invalid context at kernel/locking/rwsem.c:1521 in_atomic(): 1, irqs_disabled(): 1, non_block: 0, pid: 10115, name: syz-executor preempt_count: 2, expected: 0 RCU nest depth: 1, expected: 0 3 locks held by syz-executor/10115: #0: ffff888008830438 (sb_writers#13){.+.+}-{0:0}, at: ksys_write+0x127/0x250 #1: ffffffff854cac88 (scan_mutex){+.+.}-{3:3}, at: kmemleak_write+0xd8/0x680 #2: ffffffff85405460 (rcu_read_lock){....}-{1:2}, at: kmemleak_scan+0x178/0x16f0 irq event stamp: 660420 hardirqs last enabled at (660419): [] call_rcu+0x589/0xa30 hardirqs last disabled at (660420): [] _raw_spin_lock_irq+0x41/0x50 softirqs last enabled at (576562): [] __irq_exit_rcu+0x11b/0x180 softirqs last disabled at (576557): [] __irq_exit_rcu+0x11b/0x180 Preemption disabled at: [<0000000000000000>] 0x0 CPU: 0 PID: 10115 Comm: syz-executor Not tainted 6.0.0-rc1-next-20220819 #1 syz-executor[10115] cmdline: /syz-executor leak do_seccomp Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014 Call Trace: dump_stack_lvl+0x8b/0xb3 __might_resched.cold+0x222/0x26b down_read_killable+0x75/0x490 __access_remote_vm+0xac/0x6f0 get_mm_cmdline.part.0+0x214/0x600 get_task_cmdline_kernel+0x1e9/0x230 dump_stack_print_cmdline.part.0+0x82/0x150 dump_stack_print_info+0x185/0x190 dump_stack_lvl+0x7f/0xb3 print_report.cold+0x5e/0x5e5 kasan_report+0xb1/0x1c0 __lock_acquire+0x42c9/0x5e70 lock_acquire+0x1a2/0x530 _raw_spin_lock_irq+0x32/0x50 kmemleak_scan+0x21d/0x16f0 kmemleak_write+0x570/0x680 full_proxy_write+0x11d/0x190 vfs_write+0x2cb/0xd90 ksys_write+0x127/0x250 do_syscall_64+0x3b/0x90 entry_SYSCALL_64_after_hwframe+0x63/0xcd RIP: 0033:0x7f861556f5c3 Code: 16 00 00 00 eb ae 90 b8 6e 00 00 00 eb a6 e8 44 ef 04 00 0f 1f 40 00 64 8b 04 25 18 00 00 00 85 c0 75 14 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 55 c3 0f 1f 40 00 48 83 ec 28 48 89 54 24 18 RSP: 002b:00007ffca21d7c18 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 RAX: ffffffffffffffda RBX: 00007ffca21d8258 RCX: 00007f861556f5c3 RDX: 0000000000000004 RSI: 00007f8615625ed9 RDI: 0000000000000003 RBP: 0000000000000003 R08: 00000000000004ea R09: 00007ffca21e8080 R10: 00007ffca21e8090 R11: 0000000000000246 R12: 00007f8615571b10 R13: 00007ffca21d9ee6 R14: 0000000000000000 R15: 000000000013327f syz-executor[10115] cmdline: /syz-executor leak do_seccomp Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014 Call Trace: dump_stack_lvl+0x8b/0xb3 print_report.cold+0x5e/0x5e5 kasan_report+0xb1/0x1c0 __lock_acquire+0x42c9/0x5e70 lock_acquire+0x1a2/0x530 _raw_spin_lock_irq+0x32/0x50 kmemleak_scan+0x21d/0x16f0 kmemleak_write+0x570/0x680 full_proxy_write+0x11d/0x190 vfs_write+0x2cb/0xd90 ksys_write+0x127/0x250 do_syscall_64+0x3b/0x90 entry_SYSCALL_64_after_hwframe+0x63/0xcd RIP: 0033:0x7f861556f5c3 Code: 16 00 00 00 eb ae 90 b8 6e 00 00 00 eb a6 e8 44 ef 04 00 0f 1f 40 00 64 8b 04 25 18 00 00 00 85 c0 75 14 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 55 c3 0f 1f 40 00 48 83 ec 28 48 89 54 24 18 RSP: 002b:00007ffca21d7c18 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 RAX: ffffffffffffffda RBX: 00007ffca21d8258 RCX: 00007f861556f5c3 RDX: 0000000000000004 RSI: 00007f8615625ed9 RDI: 0000000000000003 RBP: 0000000000000003 R08: 00000000000004ea R09: 00007ffca21e8080 R10: 00007ffca21e8090 R11: 0000000000000246 R12: 00007f8615571b10 R13: 00007ffca21d9ee6 R14: 0000000000000000 R15: 000000000013327f Allocated by task 10116: kasan_save_stack+0x1e/0x40 __kasan_slab_alloc+0x66/0x80 kmem_cache_alloc+0x1b1/0x4a0 __create_object.isra.0+0x3d/0xc10 kmem_cache_alloc+0x24b/0x4a0 __alloc_file+0x21/0x240 alloc_empty_file+0x6d/0x170 path_openat+0xd4/0x2800 do_filp_open+0x1b6/0x410 do_sys_openat2+0x171/0x4c0 __x64_sys_openat+0x13f/0x1f0 do_syscall_64+0x3b/0x90 entry_SYSCALL_64_after_hwframe+0x63/0xcd Freed by task 19: kasan_save_stack+0x1e/0x40 kasan_set_track+0x21/0x30 kasan_set_free_info+0x20/0x40 __kasan_slab_free+0x108/0x190 kmem_cache_free+0xfb/0x610 rcu_core+0x7e2/0x2080 __do_softirq+0x1c8/0x8d0 Last potentially related work creation: kasan_save_stack+0x1e/0x40 __kasan_record_aux_stack+0x97/0xb0 call_rcu+0x6a/0xa30 kmem_cache_free+0xc1/0x610 rcu_core+0x7e2/0x2080 __do_softirq+0x1c8/0x8d0 Second to last potentially related work creation: kasan_save_stack+0x1e/0x40 __kasan_record_aux_stack+0x97/0xb0 call_rcu+0x6a/0xa30 kmem_cache_free+0xc1/0x610 i_callback+0x42/0x70 rcu_core+0x7e2/0x2080 __do_softirq+0x1c8/0x8d0 The buggy address belongs to the object at ffff88800eb7b5f0 which belongs to the cache kmemleak_object of size 368 The buggy address is located 24 bytes inside of 368-byte region [ffff88800eb7b5f0, ffff88800eb7b760) The buggy address belongs to the physical page: page:00000000de3f0783 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0xeb7a head:00000000de3f0783 order:1 compound_mapcount:0 compound_pincount:0 flags: 0x100000000010200(slab|head|node=0|zone=1) raw: 0100000000010200 0000000000000000 dead000000000001 ffff888007c4f780 raw: 0000000000000000 0000000000120012 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff88800eb7b500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff88800eb7b580: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fa fb >ffff88800eb7b600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff88800eb7b680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff88800eb7b700: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc ==================================================================