==================================================================
BUG: KASAN: use-after-free in sco_sock_timeout+0x64/0x230
Write of size 4 at addr ffff88800ff91080 by task kworker/1:2/51
CPU: 1 PID: 51 Comm: kworker/1:2 Not tainted 5.17.0-next-20220329 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014
Workqueue: events sco_sock_timeout
Call Trace:
dump_stack_lvl+0x8b/0xb3
print_report.cold+0x5e/0x5db
kasan_report+0xbe/0x1c0
kasan_check_range+0xf9/0x1e0
sco_sock_timeout+0x64/0x230
process_one_work+0xa1c/0x16a0
worker_thread+0x637/0x1250
kthread+0x2f2/0x3b0
ret_from_fork+0x22/0x30
Allocated by task 9483:
kasan_save_stack+0x1e/0x40
__kasan_kmalloc+0x81/0xa0
sk_prot_alloc+0x154/0x2e0
sk_alloc+0x34/0x750
sco_sock_alloc.constprop.0+0x31/0x330
sco_sock_create+0xc6/0x150
bt_sock_create+0x159/0x2b0
__sock_create+0x345/0x750
__sys_socket+0xef/0x200
__x64_sys_socket+0x6f/0xb0
do_syscall_64+0x3b/0x90
entry_SYSCALL_64_after_hwframe+0x44/0xae
Last potentially related work creation:
kasan_save_stack+0x1e/0x40
__kasan_record_aux_stack+0x97/0xa0
kvfree_call_rcu+0x2c/0x7a0
drop_sysctl_table+0x3c0/0x4e0
unregister_sysctl_table+0xc0/0x190
addrconf_sysctl_unregister+0xee/0x1c0
addrconf_ifdown.isra.0+0x10fd/0x15e0
addrconf_notify+0x159/0x2370
raw_notifier_call_chain+0xb3/0x110
call_netdevice_notifiers_info+0xb5/0x130
unregister_netdevice_many+0x819/0x14b0
unregister_netdevice_queue+0x1fd/0x2b0
__tun_detach+0xfad/0x1240
tun_chr_close+0xc4/0x180
__fput+0x272/0x9d0
task_work_run+0xe2/0x1a0
exit_to_user_mode_prepare+0x199/0x1a0
syscall_exit_to_user_mode+0x19/0x50
do_syscall_64+0x48/0x90
entry_SYSCALL_64_after_hwframe+0x44/0xae
Second to last potentially related work creation:
kasan_save_stack+0x1e/0x40
__kasan_record_aux_stack+0x97/0xa0
call_rcu+0x6a/0xa20
netlink_release+0xf06/0x1db0
__sock_release+0xd2/0x290
sock_close+0x18/0x20
__fput+0x272/0x9d0
task_work_run+0xe2/0x1a0
do_exit+0xaf7/0x27e0
do_group_exit+0xd2/0x2f0
__x64_sys_exit_group+0x3a/0x50
do_syscall_64+0x3b/0x90
entry_SYSCALL_64_after_hwframe+0x44/0xae
The buggy address belongs to the object at ffff88800ff91000
which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 128 bytes inside of
2048-byte region [ffff88800ff91000, ffff88800ff91800)
The buggy address belongs to the physical page:
page:00000000179bb237 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88800ff91000 pfn:0xff90
head:00000000179bb237 order:3 compound_mapcount:0 compound_pincount:0
flags: 0x100000000010200(slab|head|node=0|zone=1)
raw: 0100000000010200 ffffea000106ce08 ffffea0001087808 ffff888007842000
raw: ffff88800ff91000 0000000000080007 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff88800ff90f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff88800ff91000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff88800ff91080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff88800ff91100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88800ff91180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
------------[ cut here ]------------
refcount_t: addition on 0; use-after-free.
WARNING: CPU: 1 PID: 51 at lib/refcount.c:25 refcount_warn_saturate+0x178/0x1f0
Modules linked in:
CPU: 1 PID: 51 Comm: kworker/1:2 Tainted: G B 5.17.0-next-20220329 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014
Workqueue: events sco_sock_timeout
RIP: 0010:refcount_warn_saturate+0x178/0x1f0
Code: 03 31 ff 89 de e8 68 19 3d ff 84 db 0f 85 2e ff ff ff e8 fb 14 3d ff 48 c7 c7 20 4e 7d 84 c6 05 30 c2 84 03 01 e8 62 33 fc 01 <0f> 0b e9 0f ff ff ff e8 dc 14 3d ff 0f b6 1d 1a c2 84 03 31 ff 89
RSP: 0018:ffff88800f60fce0 EFLAGS: 00010286
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: ffff888008b1d040 RSI: ffffffff812b33d8 RDI: ffffed1001ec1f8e
RBP: ffff88800ff91080 R08: 0000000000000000 R09: 0000000000000000
R10: ffffffff812ad04c R11: 0000000000000000 R12: ffff88804352e608
R13: ffff88800ff91080 R14: ffff88806cf37600 R15: ffff888008845e00
FS: 0000000000000000(0000) GS:ffff88806cf00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000056504cfe3648 CR3: 0000000042d18000 CR4: 0000000000350ee0
Call Trace:
sco_sock_timeout+0x1ca/0x230
process_one_work+0xa1c/0x16a0
worker_thread+0x637/0x1250
kthread+0x2f2/0x3b0
ret_from_fork+0x22/0x30
irq event stamp: 931101
hardirqs last enabled at (931101): [] asm_sysvec_apic_timer_interrupt+0x12/0x20
hardirqs last disabled at (931100): [] __do_softirq+0x6b6/0x8c7
softirqs last enabled at (930046): [] process_one_work+0xa1c/0x16a0
softirqs last disabled at (930042): [] neigh_managed_work+0x35/0x250
---[ end trace 0000000000000000 ]---
------------[ cut here ]------------
refcount_t: underflow; use-after-free.
WARNING: CPU: 1 PID: 51 at lib/refcount.c:28 refcount_warn_saturate+0x103/0x1f0
Modules linked in:
CPU: 1 PID: 51 Comm: kworker/1:2 Tainted: G B W 5.17.0-next-20220329 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014
Workqueue: events sco_sock_timeout
RIP: 0010:refcount_warn_saturate+0x103/0x1f0
Code: 1d c4 c2 84 03 31 ff 89 de e8 d9 19 3d ff 84 db 75 a3 e8 70 15 3d ff 48 c7 c7 80 4e 7d 84 c6 05 a4 c2 84 03 01 e8 d7 33 fc 01 <0f> 0b eb 87 e8 54 15 3d ff 0f b6 1d 8d c2 84 03 31 ff 89 de e8 a4
RSP: 0018:ffff88800f60fce0 EFLAGS: 00010286
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: ffff888008b1d040 RSI: ffffffff812b33d8 RDI: ffffed1001ec1f8e
RBP: ffff88800ff91080 R08: 0000000000000000 R09: 0000000000000000
R10: ffffffff812ad04c R11: 0000000000000000 R12: ffff88804352e608
R13: ffff88800ff91080 R14: ffff88806cf37600 R15: ffff888008845e00
FS: 0000000000000000(0000) GS:ffff88806cf00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000056504cfe3648 CR3: 0000000042d18000 CR4: 0000000000350ee0
Call Trace:
sco_sock_timeout+0x1e1/0x230
process_one_work+0xa1c/0x16a0
worker_thread+0x637/0x1250
kthread+0x2f2/0x3b0
ret_from_fork+0x22/0x30
irq event stamp: 931101
hardirqs last enabled at (931101): [] asm_sysvec_apic_timer_interrupt+0x12/0x20
hardirqs last disabled at (931100): [] __do_softirq+0x6b6/0x8c7
softirqs last enabled at (930046): [] process_one_work+0xa1c/0x16a0
softirqs last disabled at (930042): [] neigh_managed_work+0x35/0x250
---[ end trace 0000000000000000 ]---