Out of memory (oom_kill_allocating_task): Killed process 263 (syz-fuzzer) total-vm:1168280kB, anon-rss:308764kB, file-rss:0kB, shmem-rss:0kB, UID:0 pgtables:816kB oom_score_adj:0
------------[ cut here ]------------
kernfs_put: syz7/memory.events.local: released with incorrect active_ref 0
WARNING: CPU: 1 PID: 20 at fs/kernfs/dir.c:531 kernfs_put.part.0+0x433/0x540
Modules linked in:
CPU: 1 PID: 20 Comm: kworker/1:0 Not tainted 5.19.0-rc4-next-20220630 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014
Workqueue: events kernfs_notify_workfn
RIP: 0010:kernfs_put.part.0+0x433/0x540
Code: 03 80 3c 18 00 0f 85 ea 00 00 00 4d 8b 7d 38 e8 73 0a a7 ff 48 8b 14 24 44 89 f1 4c 89 fe 48 c7 c7 20 58 72 84 e8 7e 40 6c 02 <0f> 0b e9 b9 fc ff ff 48 89 ef e8 fe bb d9 ff e9 c1 fd ff ff e8 f4
RSP: 0018:ffff8880082c7bd8 EFLAGS: 00010286
RAX: 0000000000000000 RBX: dffffc0000000000 RCX: 0000000000000000
RDX: ffff8880082b8000 RSI: ffffffff812b68e8 RDI: ffffed1001058f6d
RBP: ffff8880189ca778 R08: 0000000000000005 R09: 0000000000000000
R10: 0000000080000000 R11: 0000000000000001 R12: ffff8880189ca740
R13: ffff8880189add98 R14: 0000000000000000 R15: ffff888014dd4c80
FS: 0000000000000000(0000) GS:ffff88806cf00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000000044b08e CR3: 0000000018aa2000 CR4: 0000000000350ee0
Call Trace:
kernfs_put+0x42/0x50
kernfs_notify_workfn+0x417/0x560
process_one_work+0xa17/0x1690
worker_thread+0x637/0x1250
kthread+0x2f2/0x3b0
ret_from_fork+0x22/0x30
irq event stamp: 77091
hardirqs last enabled at (77103): [] __up_console_sem+0x78/0x80
hardirqs last disabled at (77114): [] __up_console_sem+0x5d/0x80
softirqs last enabled at (76402): [] __irq_exit_rcu+0x113/0x170
softirqs last disabled at (76393): [] __irq_exit_rcu+0x113/0x170
---[ end trace 0000000000000000 ]---
==================================================================
BUG: KASAN: use-after-free in llist_del_first+0x89/0xa0
Read of size 8 at addr ffff8880189ca7c0 by task kworker/1:0/20
CPU: 1 PID: 20 Comm: kworker/1:0 Tainted: G W 5.19.0-rc4-next-20220630 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014
Workqueue: events kernfs_notify_workfn
Call Trace:
dump_stack_lvl+0x8b/0xb3
print_report.cold+0x5e/0x5e1
kasan_report+0xbe/0x1c0
llist_del_first+0x89/0xa0
kernfs_notify_workfn+0x78/0x560
process_one_work+0xa17/0x1690
worker_thread+0x637/0x1250
kthread+0x2f2/0x3b0
ret_from_fork+0x22/0x30
Allocated by task 296:
kasan_save_stack+0x1e/0x40
__kasan_slab_alloc+0x66/0x80
kmem_cache_alloc+0x1b1/0x490
__kernfs_new_node+0xd4/0x8b0
kernfs_new_node+0x93/0x120
__kernfs_create_file+0x51/0x350
cgroup_addrm_files+0x3e2/0x9d0
css_populate_dir+0x19b/0x450
cgroup_apply_control_enable+0x3ae/0xa40
cgroup_mkdir+0x824/0x11f0
kernfs_iop_mkdir+0x149/0x1d0
vfs_mkdir+0x417/0x6a0
do_mkdirat+0x17b/0x2e0
__x64_sys_mkdir+0xf2/0x140
do_syscall_64+0x3b/0x90
entry_SYSCALL_64_after_hwframe+0x46/0xb0
Freed by task 20:
kasan_save_stack+0x1e/0x40
kasan_set_track+0x21/0x30
kasan_set_free_info+0x20/0x30
____kasan_slab_free+0x14b/0x1a0
kmem_cache_free+0xfb/0x600
kernfs_put.part.0+0x2c7/0x540
kernfs_put+0x42/0x50
kernfs_notify_workfn+0x417/0x560
process_one_work+0xa17/0x1690
worker_thread+0x637/0x1250
kthread+0x2f2/0x3b0
ret_from_fork+0x22/0x30
The buggy address belongs to the object at ffff8880189ca740
which belongs to the cache kernfs_node_cache of size 168
The buggy address is located 128 bytes inside of
168-byte region [ffff8880189ca740, ffff8880189ca7e8)
The buggy address belongs to the physical page:
page:000000000d72090d refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x189ca
flags: 0x100000000000200(slab|node=0|zone=1)
raw: 0100000000000200 0000000000000000 dead000000000122 ffff8880080718c0
raw: 0000000000000000 0000000000110011 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
 ffff8880189ca680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8880189ca700: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
>ffff8880189ca780: fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc
                                           ^
 ffff8880189ca800: fc fc fc fc fc 00 00 00 00 00 00 00 00 00 00 00
 ffff8880189ca880: 00 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc
==================================================================
syz-executor.1 invoked oom-killer: gfp_mask=0x140cca(GFP_HIGHUSER_MOVABLE|__GFP_COMP), order=0, oom_score_adj=0
CPU: 1 PID: 293 Comm: syz-executor.1 Tainted: G B W 5.19.0-rc4-next-20220630 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014
Call Trace:
dump_stack_lvl+0x8b/0xb3
dump_header+0x10b/0x7e4
oom_kill_process.cold+0x10/0x15
out_of_memory+0x11e7/0x14b0
__alloc_pages_slowpath.constprop.0+0x194b/0x1fa0
__alloc_pages+0x421/0x4f0
alloc_pages+0x1a0/0x2f0
__filemap_get_folio+0x5ea/0xdb0
filemap_fault+0x1534/0x2270
__do_fault+0x10d/0x5a0
__handle_mm_fault+0x138f/0x35a0
handle_mm_fault+0x2e6/0xa10
do_user_addr_fault+0x536/0x1300
exc_page_fault+0x98/0x1a0
asm_exc_page_fault+0x27/0x30
RIP: 0033:0x7f4a8cbea7e0
Code: Unable to access opcode bytes at RIP 0x7f4a8cbea7b6.
RSP: 002b:00007ffc6f0c94d8 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 0000000000000024 RCX: 0000000000000006
RDX: 000000000000086d RSI: 0000000000000024 RDI: 00007f4a8cca8053
RBP: 00007ffc6f0c953c R08: 00000000000000c7 R09: 00007ffc6f154080
R10: 00007ffc6f154090 R11: 000000000005be26 R12: 0000000000000064
R13: 0000000000030272 R14: 0000000000000006 R15: 00007ffc6f0c95a0
Mem-Info:
active_anon:346 inactive_anon:85830 isolated_anon:0
active_file:24 inactive_file:2 isolated_file:0
unevictable:0 dirty:0 writeback:0
slab_reclaimable:8839 slab_unreclaimable:58792
mapped:69638 shmem:112 pagetables:904 bounce:0
kernel_misc_reclaimable:0
free:3172 free_pcp:51 free_cma:0
Node 0 active_anon:1384kB inactive_anon:343320kB active_file:96kB inactive_file:8kB unevictable:0kB isolated(anon):0kB isolated(file):0kB mapped:278552kB dirty:0kB writeback:0kB shmem:448kB writeback_tmp:0kB kernel_stack:3872kB pagetables:3616kB all_unreclaimable? no
Node 0 DMA free:6484kB boost:0kB min:44kB low:56kB high:68kB reserved_highatomic:0KB active_anon:0kB inactive_anon:0kB active_file:0kB inactive_file:0kB unevictable:0kB writepending:0kB present:15992kB managed:15360kB mlocked:0kB bounce:0kB free_pcp:0kB local_pcp:0kB free_cma:0kB
lowmem_reserve[]: 0 1615 1615 1615
Node 0 DMA32 free:6204kB boost:0kB min:5120kB low:6772kB high:8424kB reserved_highatomic:2048KB active_anon:1384kB inactive_anon:343320kB active_file:708kB inactive_file:0kB unevictable:0kB writepending:0kB present:2080640kB managed:1658296kB mlocked:0kB bounce:0kB free_pcp:204kB local_pcp:192kB free_cma:0kB
lowmem_reserve[]: 0 0 0 0
Node 0 DMA: 1*4kB (U) 0*8kB 1*16kB (U) 0*32kB 1*64kB (U) 0*128kB 1*256kB (U) 0*512kB 0*1024kB 1*2048kB (M) 1*4096kB (M) = 6484kB
Node 0 DMA32: 655*4kB (UME) 171*8kB (UM) 70*16kB (UME) 27*32kB (UMH) 10*64kB (UH) 0*128kB 0*256kB 0*512kB 0*1024kB 0*2048kB 0*4096kB = 6612kB
Node 0 hugepages_total=0 hugepages_free=0 hugepages_surp=0 hugepages_size=2048kB
178 total pagecache pages
0 pages in swap cache
Free swap = 0kB
Total swap = 0kB
524158 pages RAM
0 pages HighMem/MovableOnly
105744 pages reserved
oom-kill:constraint=CONSTRAINT_NONE,nodemask=(null),cpuset=syz1,mems_allowed=0,global_oom,task_memcg=/syz1,task=syz-executor.1,pid=293,uid=0
Out of memory (oom_kill_allocating_task): Killed process 293 (syz-executor.1) total-vm:93280kB, anon-rss:384kB, file-rss:34628kB, shmem-rss:0kB, UID:0 pgtables:124kB oom_score_adj:0
rs:main Q:Reg invoked oom-killer: gfp_mask=0x141cca(GFP_HIGHUSER_MOVABLE|__GFP_COMP|__GFP_WRITE), order=0, oom_score_adj=0
CPU: 1 PID: 189 Comm: rs:main Q:Reg Tainted: G B W 5.19.0-rc4-next-20220630 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014
Call Trace:
dump_stack_lvl+0x8b/0xb3
dump_header+0x10b/0x7e4
oom_kill_process.cold+0x10/0x15
out_of_memory+0x11e7/0x14b0
__alloc_pages_slowpath.constprop.0+0x194b/0x1fa0
__alloc_pages+0x421/0x4f0
alloc_pages+0x1a0/0x2f0
__filemap_get_folio+0x5ea/0xdb0
pagecache_get_page+0x2e/0x220
ext4_da_write_begin+0x324/0x9a0
generic_perform_write+0x248/0x560
ext4_buffered_write_iter+0x164/0x330
ext4_file_write_iter+0x3dc/0x1800
new_sync_write+0x31b/0x4e0
vfs_write+0x7b9/0xac0
ksys_write+0x127/0x250
do_syscall_64+0x3b/0x90
entry_SYSCALL_64_after_hwframe+0x46/0xb0
RIP: 0033:0x7f16ae41afef
Code: 89 54 24 18 48 89 74 24 10 89 7c 24 08 e8 29 fd ff ff 48 8b 54 24 18 48 8b 74 24 10 41 89 c0 8b 7c 24 08 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 31 44 89 c7 48 89 44 24 08 e8 5c fd ff ff 48
RSP: 002b:00007f16ad5d6860 EFLAGS: 00000293 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 00007f16a40293f0 RCX: 00007f16ae41afef
RDX: 0000000000000b13 RSI: 00007f16a40296b0 RDI: 000000000000000a
RBP: 0000000000000b13 R08: 0000000000000000 R09: 00007f16a4029ba0
R10: 0000000000000000 R11: 0000000000000293 R12: 00007f16a40296b0
R13: 0000000000000000 R14: 00000000000000be R15: 00007f16a40293f0
Mem-Info:
active_anon:346 inactive_anon:85368 isolated_anon:0
active_file:471 inactive_file:461 isolated_file:45
unevictable:0 dirty:0 writeback:0
slab_reclaimable:8839 slab_unreclaimable:58460
mapped:35681 shmem:112 pagetables:715 bounce:0
kernel_misc_reclaimable:0
free:2527 free_pcp:32 free_cma:0
Node 0 active_anon:1384kB inactive_anon:341472kB active_file:1884kB inactive_file:1760kB unevictable:0kB isolated(anon):0kB isolated(file):180kB mapped:142640kB dirty:0kB writeback:0kB shmem:448kB writeback_tmp:0kB kernel_stack:3680kB pagetables:2860kB all_unreclaimable? no
Node 0 DMA free:6484kB boost:0kB min:44kB low:56kB high:68kB reserved_highatomic:0KB active_anon:0kB inactive_anon:0kB active_file:0kB inactive_file:0kB unevictable:0kB writepending:0kB present:15992kB managed:15360kB mlocked:0kB bounce:0kB free_pcp:0kB local_pcp:0kB free_cma:0kB
lowmem_reserve[]: 0 1615 1615 1615
Node 0 DMA32 free:3624kB boost:2048kB min:7168kB low:8820kB high:10472kB reserved_highatomic:2048KB active_anon:1384kB inactive_anon:341808kB active_file:2288kB inactive_file:2304kB unevictable:0kB writepending:0kB present:2080640kB managed:1658296kB mlocked:0kB bounce:0kB free_pcp:704kB local_pcp:0kB free_cma:0kB
lowmem_reserve[]: 0 0 0 0
Node 0 DMA: 1*4kB (U) 0*8kB 1*16kB (U) 0*32kB 1*64kB (U) 0*128kB 1*256kB (U) 0*512kB 0*1024kB 1*2048kB (M) 1*4096kB (M) = 6484kB
Node 0 DMA32: 488*4kB (UME) 102*8kB (UME) 36*16kB (UME) 41*32kB (UMEH) 11*64kB (UMH) 0*128kB 0*256kB 0*512kB 0*1024kB 0*2048kB 0*4096kB = 5360kB
Node 0 hugepages_total=0 hugepages_free=0 hugepages_surp=0 hugepages_size=2048kB
766 total pagecache pages
0 pages in swap cache
Free swap = 0kB
Total swap = 0kB
524158 pages RAM
0 pages HighMem/MovableOnly
105744 pages reserved
oom-kill:constraint=CONSTRAINT_NONE,nodemask=(null),cpuset=/,mems_allowed=0,global_oom,task_memcg=/system.slice/rsyslog.service,task=rs:main Q:Reg,pid=189,uid=0
Out of memory (oom_kill_allocating_task): Killed process 184 (rsyslogd) total-vm:220876kB, anon-rss:968kB, file-rss:0kB, shmem-rss:0kB, UID:0 pgtables:76kB oom_score_adj:0
syz-executor.1: page allocation failure: order:0, mode:0xcc0(GFP_KERNEL), nodemask=(null),cpuset=syz1,mems_allowed=0
CPU: 1 PID: 4228 Comm: syz-executor.1 Tainted: G B W 5.19.0-rc4-next-20220630 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014
Call Trace:
dump_stack_lvl+0x8b/0xb3
warn_alloc.cold+0x95/0x18a
__alloc_pages_slowpath.constprop.0+0x1ad9/0x1fa0
__alloc_pages+0x421/0x4f0
alloc_pages+0x1a0/0x2f0
relay_open_buf.part.0+0x2a4/0xc00
relay_open+0x4ec/0x970
do_blk_trace_setup+0x4bc/0xb60
__blk_trace_setup+0xca/0x180
blk_trace_setup+0x43/0x60
sg_ioctl+0x6a8/0x2820
__x64_sys_ioctl+0x196/0x210
do_syscall_64+0x3b/0x90
entry_SYSCALL_64_after_hwframe+0x46/0xb0
RIP: 0033:0x7f4a8cc4db19
Code: Unable to access opcode bytes at RIP 0x7f4a8cc4daef.
RSP: 002b:00007f4a8a1c3188 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007f4a8cd60f60 RCX: 00007f4a8cc4db19
RDX: 0000000020000680 RSI: 00000000c0481273 RDI: 0000000000000003
RBP: 00007f4a8cca7f6d R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007ffc6f0c928f R14: 00007f4a8a1c3300 R15: 0000000000022000
Mem-Info:
active_anon:346 inactive_anon:85368 isolated_anon:0
active_file:42 inactive_file:15 isolated_file:14
unevictable:0 dirty:0 writeback:0
slab_reclaimable:8839 slab_unreclaimable:58317
mapped:34841 shmem:112 pagetables:694 bounce:0
kernel_misc_reclaimable:0
free:2850 free_pcp:65 free_cma:0
Node 0 active_anon:1384kB inactive_anon:341472kB active_file:168kB inactive_file:60kB unevictable:0kB isolated(anon):0kB isolated(file):56kB mapped:139364kB dirty:0kB writeback:0kB shmem:448kB writeback_tmp:0kB kernel_stack:3584kB pagetables:2776kB all_unreclaimable? no
Node 0 DMA free:6484kB boost:0kB min:44kB low:56kB high:68kB reserved_highatomic:0KB active_anon:0kB inactive_anon:0kB active_file:0kB inactive_file:0kB unevictable:0kB writepending:0kB present:15992kB managed:15360kB mlocked:0kB bounce:0kB free_pcp:0kB local_pcp:0kB free_cma:0kB
lowmem_reserve[]: 0 1615 1615 1615
Node 0 DMA32 free:4916kB boost:0kB min:5120kB low:6772kB high:8424kB reserved_highatomic:2048KB active_anon:1384kB inactive_anon:341808kB active_file:744kB inactive_file:772kB unevictable:0kB writepending:0kB present:2080640kB managed:1658296kB mlocked:0kB bounce:0kB free_pcp:0kB local_pcp:0kB free_cma:0kB
lowmem_reserve[]: 0 0 0 0
Node 0 DMA: 1*4kB (U) 0*8kB 1*16kB (U) 0*32kB 1*64kB (U) 0*128kB 1*256kB (U) 0*512kB 0*1024kB 1*2048kB (M) 1*4096kB (M) = 6484kB
Node 0 DMA32: 603*4kB (UME) 135*8kB (UM) 55*16kB (UME) 26*32kB (UMH) 2*64kB (H) 0*128kB 0*256kB 0*512kB 0*1024kB 0*2048kB 0*4096kB = 5332kB
Node 0 hugepages_total=0 hugepages_free=0 hugepages_surp=0 hugepages_size=2048kB
199 total pagecache pages
0 pages in swap cache
Free swap = 0kB
Total swap = 0kB
524158 pages RAM
0 pages HighMem/MovableOnly
105744 pages reserved