R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000002
R13: 00007ffd3540e8ef R14: 00007f7beeffd300 R15: 0000000000022000
==================================================================
BUG: KASAN: use-after-free in sco_sock_timeout+0x64/0x230
Write of size 4 at addr ffff888041a7e080 by task kworker/0:1/5738
CPU: 0 PID: 5738 Comm: kworker/0:1 Not tainted 5.17.0-next-20220322 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014
Workqueue: events sco_sock_timeout
Call Trace:
dump_stack_lvl+0x8b/0xb3
print_report.cold+0x5e/0x5db
kasan_report+0xbe/0x1c0
kasan_check_range+0xf9/0x1e0
sco_sock_timeout+0x64/0x230
process_one_work+0xa1c/0x16a0
worker_thread+0x637/0x1250
kthread+0x2f0/0x3a0
ret_from_fork+0x22/0x30
Allocated by task 127:
kasan_save_stack+0x1e/0x40
__kasan_kmalloc+0x81/0xa0
sk_prot_alloc+0x154/0x2e0
sk_alloc+0x30/0x350
__netlink_create+0x63/0x2c0
netlink_create+0x3b2/0x5e0
__sock_create+0x345/0x750
__sys_socket+0xef/0x200
__x64_sys_socket+0x6f/0xb0
do_syscall_64+0x3b/0x90
entry_SYSCALL_64_after_hwframe+0x44/0xae
Last potentially related work creation:
kasan_save_stack+0x1e/0x40
__kasan_record_aux_stack+0x97/0xa0
call_rcu+0x6a/0xa20
netlink_release+0xf06/0x1db0
__sock_release+0xd2/0x290
sock_close+0x18/0x20
__fput+0x281/0x9e0
task_work_run+0xe2/0x1a0
do_exit+0xaf7/0x27e0
do_group_exit+0xd2/0x2f0
__x64_sys_exit_group+0x3a/0x50
do_syscall_64+0x3b/0x90
entry_SYSCALL_64_after_hwframe+0x44/0xae
Second to last potentially related work creation:
kasan_save_stack+0x1e/0x40
__kasan_record_aux_stack+0x97/0xa0
call_rcu+0x6a/0xa20
netlink_release+0xf06/0x1db0
__sock_release+0xd2/0x290
sock_close+0x18/0x20
__fput+0x281/0x9e0
task_work_run+0xe2/0x1a0
exit_to_user_mode_prepare+0x194/0x1a0
syscall_exit_to_user_mode+0x19/0x50
do_syscall_64+0x48/0x90
entry_SYSCALL_64_after_hwframe+0x44/0xae
The buggy address belongs to the object at ffff888041a7e000
which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 128 bytes inside of
2048-byte region [ffff888041a7e000, ffff888041a7e800)
The buggy address belongs to the physical page:
page:00000000db25783c refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff888041a7e000 pfn:0x41a78
head:00000000db25783c order:3 compound_mapcount:0 compound_pincount:0
flags: 0x100000000010200(slab|head|node=0|zone=1)
raw: 0100000000010200 ffffea000060a608 ffffea00005ef608 ffff888007842000
raw: ffff888041a7e000 0000000000080004 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff888041a7df80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff888041a7e000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff888041a7e080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                   ^
ffff888041a7e100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff888041a7e180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
------------[ cut here ]------------
refcount_t: addition on 0; use-after-free.
WARNING: CPU: 0 PID: 5738 at lib/refcount.c:25 refcount_warn_saturate+0x178/0x1f0
Modules linked in:
CPU: 0 PID: 5738 Comm: kworker/0:1 Tainted: G B 5.17.0-next-20220322 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014
Workqueue: events sco_sock_timeout
RIP: 0010:refcount_warn_saturate+0x178/0x1f0
Code: 03 31 ff 89 de e8 88 99 42 ff 84 db 0f 85 2e ff ff ff e8 1b 95 42 ff 48 c7 c7 60 eb 7c 84 c6 05 15 b4 89 03 01 e8 e2 aa fb 01 <0f> 0b e9 0f ff ff ff e8 fc 94 42 ff 0f b6 1d ff b3 89 03 31 ff 89
RSP: 0018:ffff888041497ce0 EFLAGS: 00010286
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: ffff88800daf9ac0 RSI: ffffffff812b2a28 RDI: ffffed1008292f8e
RBP: ffff888041a7e080 R08: 0000000000000000 R09: 0000000000000000
R10: ffffffff812ac68c R11: 0000000000000000 R12: ffff88800b53ec08
R13: ffff888041a7e080 R14: ffff88806ce37600 R15: ffff888042c53900
FS: 0000000000000000(0000) GS:ffff88806ce00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007ffe62665080 CR3: 0000000042326000 CR4: 0000000000350ef0
Call Trace:
sco_sock_timeout+0x1ca/0x230
process_one_work+0xa1c/0x16a0
worker_thread+0x637/0x1250
kthread+0x2f0/0x3a0
ret_from_fork+0x22/0x30
irq event stamp: 134613
hardirqs last enabled at (134613): [] asm_sysvec_apic_timer_interrupt+0x12/0x20
hardirqs last disabled at (134612): [] __do_softirq+0x6b6/0x8c7
softirqs last enabled at (132600): [] __irq_exit_rcu+0x113/0x170
softirqs last disabled at (132571): [] __irq_exit_rcu+0x113/0x170
---[ end trace 0000000000000000 ]---
------------[ cut here ]------------
refcount_t: underflow; use-after-free.
WARNING: CPU: 0 PID: 5738 at lib/refcount.c:28 refcount_warn_saturate+0x103/0x1f0
Modules linked in:
CPU: 0 PID: 5738 Comm: kworker/0:1 Tainted: G B W 5.17.0-next-20220322 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014
Workqueue: events sco_sock_timeout
RIP: 0010:refcount_warn_saturate+0x103/0x1f0
Code: 1d a9 b4 89 03 31 ff 89 de e8 f9 99 42 ff 84 db 75 a3 e8 90 95 42 ff 48 c7 c7 c0 eb 7c 84 c6 05 89 b4 89 03 01 e8 57 ab fb 01 <0f> 0b eb 87 e8 74 95 42 ff 0f b6 1d 72 b4 89 03 31 ff 89 de e8 c4
RSP: 0018:ffff888041497ce0 EFLAGS: 00010286
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: ffff88800daf9ac0 RSI: ffffffff812b2a28 RDI: ffffed1008292f8e
RBP: ffff888041a7e080 R08: 0000000000000000 R09: 0000000000000000
R10: ffffffff812ac68c R11: 0000000000000000 R12: ffff88800b53ec08
R13: ffff888041a7e080 R14: ffff88806ce37600 R15: ffff888042c53900
FS: 0000000000000000(0000) GS:ffff88806ce00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fa963771c60 CR3: 000000000e6e8000 CR4: 0000000000350ef0
Call Trace:
sco_sock_timeout+0x1e1/0x230
process_one_work+0xa1c/0x16a0
worker_thread+0x637/0x1250
kthread+0x2f0/0x3a0
ret_from_fork+0x22/0x30
irq event stamp: 134613
hardirqs last enabled at (134613): [] asm_sysvec_apic_timer_interrupt+0x12/0x20
hardirqs last disabled at (134612): [] __do_softirq+0x6b6/0x8c7
softirqs last enabled at (132600): [] __irq_exit_rcu+0x113/0x170
softirqs last disabled at (132571): [] __irq_exit_rcu+0x113/0x170
---[ end trace 0000000000000000 ]---
loop4: detected capacity change from 0 to 4096
FAULT_INJECTION: forcing a failure.
name fail_page_alloc, interval 1, probability 0, space 0, times 0
CPU: 1 PID: 6218 Comm: syz-executor.7 Tainted: G B W 5.17.0-next-20220322 #1
loop2: detected capacity change from 0 to 4096
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014
Call Trace:
dump_stack_lvl+0x8b/0xb3
should_fail.cold+0x5/0xa
prepare_alloc_pages+0x17b/0x500
__alloc_pages+0x131/0x4e0
alloc_pages_vma+0xde/0x500
__handle_mm_fault+0xfb3/0x3570
handle_mm_fault+0x2e6/0xa20
do_user_addr_fault+0x54a/0x12a0
exc_page_fault+0xa2/0x1a0
asm_exc_page_fault+0x1e/0x30
RIP: 0010:copy_user_generic_string+0x2c/0x40
Code: cb 83 fa 08 72 27 89 f9 83 e1 07 74 15 83 e9 08 f7 d9 29 ca 8a 06 88 07 48 ff c6 48 ff c7 ff c9 75 f2 89 d1 c1 e9 03 83 e2 07 48 a5 89 d1 f3 a4 31 c0 0f 01 ca c3 8d 0c ca 89 ca eb 20 0f 01
RSP: 0018:ffff88801044fa00 EFLAGS: 00050246
RAX: 0000000000000001 RBX: 0000000000001000 RCX: 0000000000000200
RDX: 0000000000000000 RSI: ffff88801cdd6000 RDI: 000000002000b000
RBP: 000000002000b000 R08: 0000000000000000 R09: ffff88801cdd6fff
R10: ffffed10039badff R11: 0000000000000001 R12: ffff88801cdd6000
R13: 00007fffffffe000 R14: ffff88801044fd68 R15: dffffc0000000000
copyout.part.0+0xd1/0x100
copy_page_to_iter+0x462/0x1190
filemap_read+0x580/0xbb0
generic_file_read_iter+0x3cf/0x540
ext4_file_read_iter+0x184/0x400
new_sync_read+0x42f/0x6f0
vfs_read+0x499/0x5e0
ksys_read+0x12d/0x250
do_syscall_64+0x3b/0x90
entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x7fcd1d651b19
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fcd1abc7188 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
RAX: ffffffffffffffda RBX: 00007fcd1d764f60 RCX: 00007fcd1d651b19
RDX: 00000000fffffdef RSI: 0000000020000000 RDI: 0000000000000003
RBP: 00007fcd1abc71d0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000002
R13: 00007fff7c0c406f R14: 00007fcd1abc7300 R15: 0000000000022000
EXT4-fs error (device loop4): __ext4_fill_super:5310: inode #2: comm syz-executor.4: iget: bad i_size value: -4294963200
EXT4-fs (loop4): get root inode failed
EXT4-fs (loop4): mount failed
loop0: detected capacity change from 0 to 4096
EXT4-fs error (device loop0): __ext4_fill_super:5310: inode #2: comm syz-executor.0: iget: bad extra_isize 65535 (inode size 1024)
EXT4-fs (loop0): get root inode failed
EXT4-fs (loop0): mount failed
EXT4-fs error (device loop2): __ext4_fill_super:5310: inode #2: comm syz-executor.2: iget: bad extra_isize 65535 (inode size 1024)
EXT4-fs (loop2): get root inode failed
EXT4-fs (loop2): mount failed
I/O error, dev loop2, sector 3968 op 0x0:(READ) flags 0x80700 phys_seg 1 prio class 0
----------------
Code disassembly (best guess):
0: cb lret
1: 83 fa 08 cmp $0x8,%edx
4: 72 27 jb 0x2d
6: 89 f9 mov %edi,%ecx
8: 83 e1 07 and $0x7,%ecx
b: 74 15 je 0x22
d: 83 e9 08 sub $0x8,%ecx
10: f7 d9 neg %ecx
12: 29 ca sub %ecx,%edx
14: 8a 06 mov (%rsi),%al
16: 88 07 mov %al,(%rdi)
18: 48 ff c6 inc %rsi
1b: 48 ff c7 inc %rdi
1e: ff c9 dec %ecx
20: 75 f2 jne 0x14
22: 89 d1 mov %edx,%ecx
24: c1 e9 03 shr $0x3,%ecx
27: 83 e2 07 and $0x7,%edx
* 2a: f3 48 a5 rep movsq %ds:(%rsi),%es:(%rdi) <-- trapping instruction
2d: 89 d1 mov %edx,%ecx
2f: f3 a4 rep movsb %ds:(%rsi),%es:(%rdi)
31: 31 c0 xor %eax,%eax
33: 0f 01 ca clac
36: c3 retq
37: 8d 0c ca lea (%rdx,%rcx,8),%ecx
3a: 89 ca mov %ecx,%edx
3c: eb 20 jmp 0x5e
3e: 0f .byte 0xf
3f: 01 .byte 0x1