================================================================== BUG: KASAN: slab-use-after-free in __mutex_lock_common kernel/locking/mutex.c:593 [inline] BUG: KASAN: slab-use-after-free in __mutex_lock+0x148e/0x1b90 kernel/locking/mutex.c:776 Read of size 8 at addr ffff88802776c6f8 by task kworker/1:0/29 CPU: 1 UID: 0 PID: 29 Comm: kworker/1:0 Tainted: G L syzkaller #0 PREEMPT(full) Tainted: [L]=SOFTLOCKUP Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 Workqueue: events_freezable_pwr_efficient thermal_zone_device_check Call Trace: __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x100/0x190 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:378 [inline] print_report+0x156/0x4c9 mm/kasan/report.c:482 kasan_report+0xdf/0x1a0 mm/kasan/report.c:595 __mutex_lock_common kernel/locking/mutex.c:593 [inline] __mutex_lock+0x148e/0x1b90 kernel/locking/mutex.c:776 class_thermal_zone_constructor drivers/thermal/thermal_core.h:158 [inline] thermal_zone_device_update drivers/thermal/thermal_core.c:704 [inline] thermal_zone_device_check+0x2e/0xb0 drivers/thermal/thermal_core.c:1396 process_one_work+0x9c2/0x1840 kernel/workqueue.c:3275 process_scheduled_works kernel/workqueue.c:3358 [inline] worker_thread+0x5da/0xe40 kernel/workqueue.c:3439 kthread+0x370/0x450 kernel/kthread.c:467 ret_from_fork+0x754/0xd80 arch/x86/kernel/process.c:158 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245 Allocated by task 838: kasan_save_stack+0x30/0x50 mm/kasan/common.c:57 kasan_save_track+0x14/0x30 mm/kasan/common.c:78 poison_kmalloc_redzone mm/kasan/common.c:398 [inline] __kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:415 kasan_kmalloc include/linux/kasan.h:263 [inline] __do_kmalloc_node mm/slub.c:5177 [inline] __kmalloc_noprof+0x301/0x850 mm/slub.c:5189 kmalloc_noprof include/linux/slab.h:966 [inline] kzalloc_noprof include/linux/slab.h:1204 [inline] thermal_zone_device_register_with_trips+0x170/0x1340 drivers/thermal/thermal_core.c:1545 thermal_tripless_zone_device_register+0x34/0x50 drivers/thermal/thermal_core.c:1659 psy_register_thermal drivers/power/supply/power_supply_core.c:1534 [inline] __power_supply_register.part.0+0xb84/0x1380 drivers/power/supply/power_supply_core.c:1640 __power_supply_register drivers/power/supply/power_supply_core.c:1577 [inline] power_supply_register+0xce/0x110 drivers/power/supply/power_supply_core.c:1704 thunderstrike_psy_create drivers/hid/hid-nvidia-shield.c:841 [inline] thunderstrike_create drivers/hid/hid-nvidia-shield.c:897 [inline] shield_probe+0x9b4/0xf40 drivers/hid/hid-nvidia-shield.c:1058 __hid_device_probe drivers/hid/hid-core.c:2775 [inline] hid_device_probe+0x50e/0x800 drivers/hid/hid-core.c:2812 call_driver_probe drivers/base/dd.c:583 [inline] really_probe+0x241/0xa60 drivers/base/dd.c:661 __driver_probe_device+0x1de/0x400 drivers/base/dd.c:803 driver_probe_device+0x4c/0x1b0 drivers/base/dd.c:833 __device_attach_driver+0x1ff/0x3e0 drivers/base/dd.c:961 bus_for_each_drv+0x159/0x1e0 drivers/base/bus.c:500 __device_attach+0x1e4/0x4d0 drivers/base/dd.c:1033 device_initial_probe+0xaf/0xd0 drivers/base/dd.c:1088 bus_probe_device+0x64/0x160 drivers/base/bus.c:574 device_add+0x11d9/0x1950 drivers/base/core.c:3689 hid_add_device+0x2bf/0x440 drivers/hid/hid-core.c:2951 usbhid_probe+0xd57/0x1350 drivers/hid/usbhid/hid-core.c:1450 usb_probe_interface+0x303/0x8f0 drivers/usb/core/driver.c:396 call_driver_probe drivers/base/dd.c:583 [inline] really_probe+0x241/0xa60 drivers/base/dd.c:661 __driver_probe_device+0x1de/0x400 drivers/base/dd.c:803 driver_probe_device+0x4c/0x1b0 drivers/base/dd.c:833 __device_attach_driver+0x1ff/0x3e0 drivers/base/dd.c:961 bus_for_each_drv+0x159/0x1e0 drivers/base/bus.c:500 __device_attach+0x1e4/0x4d0 drivers/base/dd.c:1033 device_initial_probe+0xaf/0xd0 drivers/base/dd.c:1088 bus_probe_device+0x64/0x160 drivers/base/bus.c:574 device_add+0x11d9/0x1950 drivers/base/core.c:3689 usb_set_configuration+0xd97/0x1c60 drivers/usb/core/message.c:2210 usb_generic_driver_probe+0xa1/0xe0 drivers/usb/core/generic.c:250 usb_probe_device+0xef/0x400 drivers/usb/core/driver.c:291 call_driver_probe drivers/base/dd.c:583 [inline] really_probe+0x241/0xa60 drivers/base/dd.c:661 __driver_probe_device+0x1de/0x400 drivers/base/dd.c:803 driver_probe_device+0x4c/0x1b0 drivers/base/dd.c:833 __device_attach_driver+0x1ff/0x3e0 drivers/base/dd.c:961 bus_for_each_drv+0x159/0x1e0 drivers/base/bus.c:500 __device_attach+0x1e4/0x4d0 drivers/base/dd.c:1033 device_initial_probe+0xaf/0xd0 drivers/base/dd.c:1088 bus_probe_device+0x64/0x160 drivers/base/bus.c:574 device_add+0x11d9/0x1950 drivers/base/core.c:3689 usb_new_device.cold+0x685/0x115c drivers/usb/core/hub.c:2695 hub_port_connect drivers/usb/core/hub.c:5567 [inline] hub_port_connect_change drivers/usb/core/hub.c:5707 [inline] port_event drivers/usb/core/hub.c:5871 [inline] hub_event+0x314d/0x4af0 drivers/usb/core/hub.c:5953 process_one_work+0x9c2/0x1840 kernel/workqueue.c:3275 process_scheduled_works kernel/workqueue.c:3358 [inline] worker_thread+0x5da/0xe40 kernel/workqueue.c:3439 kthread+0x370/0x450 kernel/kthread.c:467 ret_from_fork+0x754/0xd80 arch/x86/kernel/process.c:158 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245 Freed by task 5992: kasan_save_stack+0x30/0x50 mm/kasan/common.c:57 kasan_save_track+0x14/0x30 mm/kasan/common.c:78 kasan_save_free_info+0x3b/0x70 mm/kasan/generic.c:584 poison_slab_object mm/kasan/common.c:253 [inline] __kasan_slab_free+0x5f/0x80 mm/kasan/common.c:285 kasan_slab_free include/linux/kasan.h:235 [inline] slab_free_hook mm/slub.c:2670 [inline] slab_free mm/slub.c:6082 [inline] kfree+0x1aa/0x670 mm/slub.c:6399 thermal_zone_device_unregister drivers/thermal/thermal_core.c:1739 [inline] thermal_zone_device_unregister+0x3c3/0x4e0 drivers/thermal/thermal_core.c:1713 psy_unregister_thermal drivers/power/supply/power_supply_core.c:1551 [inline] power_supply_unregister+0x10a/0x150 drivers/power/supply/power_supply_core.c:1767 thunderstrike_destroy drivers/hid/hid-nvidia-shield.c:927 [inline] shield_remove+0x75/0x130 drivers/hid/hid-nvidia-shield.c:1104 hid_device_remove+0xd1/0x270 drivers/hid/hid-core.c:2831 device_remove+0xcb/0x180 drivers/base/dd.c:571 __device_release_driver drivers/base/dd.c:1284 [inline] device_release_driver_internal+0x42e/0x600 drivers/base/dd.c:1307 bus_remove_device+0x22f/0x440 drivers/base/bus.c:616 device_del+0x376/0x9b0 drivers/base/core.c:3878 hid_remove_device drivers/hid/hid-core.c:3008 [inline] hid_destroy_device+0x19c/0x240 drivers/hid/hid-core.c:3030 usbhid_disconnect+0xa0/0xe0 drivers/hid/usbhid/hid-core.c:1477 usb_unbind_interface+0x1dd/0x9e0 drivers/usb/core/driver.c:458 device_remove drivers/base/dd.c:573 [inline] device_remove+0x12a/0x180 drivers/base/dd.c:565 __device_release_driver drivers/base/dd.c:1284 [inline] device_release_driver_internal+0x42e/0x600 drivers/base/dd.c:1307 bus_remove_device+0x22f/0x440 drivers/base/bus.c:616 device_del+0x376/0x9b0 drivers/base/core.c:3878 usb_disable_device+0x367/0x810 drivers/usb/core/message.c:1418 usb_disconnect+0x2e2/0x9a0 drivers/usb/core/hub.c:2345 hub_port_connect drivers/usb/core/hub.c:5407 [inline] hub_port_connect_change drivers/usb/core/hub.c:5707 [inline] port_event drivers/usb/core/hub.c:5871 [inline] hub_event+0x1d0c/0x4af0 drivers/usb/core/hub.c:5953 process_one_work+0x9c2/0x1840 kernel/workqueue.c:3275 process_scheduled_works kernel/workqueue.c:3358 [inline] worker_thread+0x5da/0xe40 kernel/workqueue.c:3439 kthread+0x370/0x450 kernel/kthread.c:467 ret_from_fork+0x754/0xd80 arch/x86/kernel/process.c:158 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245 Last potentially related work creation: kasan_save_stack+0x30/0x50 mm/kasan/common.c:57 kasan_record_aux_stack+0xa7/0xc0 mm/kasan/generic.c:556 insert_work+0x36/0x230 kernel/workqueue.c:2199 __queue_work+0x96f/0x10f0 kernel/workqueue.c:2354 __queue_delayed_work+0x365/0x470 kernel/workqueue.c:2522 mod_delayed_work_on+0x195/0x1c0 kernel/workqueue.c:2610 mod_delayed_work include/linux/workqueue.h:699 [inline] thermal_zone_pm_complete drivers/thermal/thermal_core.c:1843 [inline] thermal_pm_notify_complete drivers/thermal/thermal_core.c:1855 [inline] thermal_pm_notify+0x389/0x510 drivers/thermal/thermal_core.c:1870 notifier_call_chain+0x99/0x3b0 kernel/notifier.c:85 blocking_notifier_call_chain kernel/notifier.c:380 [inline] blocking_notifier_call_chain+0x69/0xa0 kernel/notifier.c:368 snapshot_release+0x176/0x1f0 kernel/power/user.c:125 __fput+0x3ff/0xb40 fs/file_table.c:469 task_work_run+0x150/0x240 kernel/task_work.c:233 exit_task_work include/linux/task_work.h:40 [inline] do_exit+0x829/0x2a30 kernel/exit.c:971 do_group_exit+0xd5/0x2a0 kernel/exit.c:1112 get_signal+0x1ec7/0x21e0 kernel/signal.c:3034 arch_do_signal_or_restart+0x91/0x7a0 arch/x86/kernel/signal.c:337 __exit_to_user_mode_loop kernel/entry/common.c:64 [inline] exit_to_user_mode_loop+0x86/0x4a0 kernel/entry/common.c:98 __exit_to_user_mode_prepare include/linux/irq-entry-common.h:226 [inline] syscall_exit_to_user_mode_prepare include/linux/irq-entry-common.h:256 [inline] syscall_exit_to_user_mode include/linux/entry-common.h:325 [inline] do_syscall_64+0x67c/0xf80 arch/x86/entry/syscall_64.c:100 entry_SYSCALL_64_after_hwframe+0x77/0x7f Second to last potentially related work creation: kasan_save_stack+0x30/0x50 mm/kasan/common.c:57 kasan_record_aux_stack+0xa7/0xc0 mm/kasan/generic.c:556 insert_work+0x36/0x230 kernel/workqueue.c:2199 __queue_work+0x96f/0x10f0 kernel/workqueue.c:2354 call_timer_fn+0x19a/0x590 kernel/time/timer.c:1748 expire_timers kernel/time/timer.c:1794 [inline] __run_timers+0x570/0xac0 kernel/time/timer.c:2373 __run_timer_base kernel/time/timer.c:2385 [inline] __run_timer_base kernel/time/timer.c:2377 [inline] run_timer_base+0x114/0x190 kernel/time/timer.c:2394 run_timer_softirq+0x1a/0x50 kernel/time/timer.c:2404 handle_softirqs+0x1ea/0x910 kernel/softirq.c:622 __do_softirq kernel/softirq.c:656 [inline] invoke_softirq kernel/softirq.c:496 [inline] __irq_exit_rcu+0xef/0x150 kernel/softirq.c:723 irq_exit_rcu+0x9/0x30 kernel/softirq.c:739 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1056 [inline] sysvec_apic_timer_interrupt+0xa3/0xc0 arch/x86/kernel/apic/apic.c:1056 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:697 The buggy address belongs to the object at ffff88802776c000 which belongs to the cache kmalloc-2k of size 2048 The buggy address is located 1784 bytes inside of freed 2048-byte region [ffff88802776c000, ffff88802776c800) The buggy address belongs to the physical page: page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x27768 head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff) page_type: f5(slab) raw: 00fff00000000040 ffff88801b842f00 dead000000000100 dead000000000122 raw: 0000000000000000 0000000000080008 00000000f5000000 0000000000000000 head: 00fff00000000040 ffff88801b842f00 dead000000000100 dead000000000122 head: 0000000000000000 0000000000080008 00000000f5000000 0000000000000000 head: 00fff00000000003 ffffea00009dda01 00000000ffffffff 00000000ffffffff head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008 page dumped because: kasan: bad access detected page_owner tracks the page as allocated page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5958, tgid 5958 (kworker/0:3), ts 63440606017, free_ts 63439126923 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x153/0x170 mm/page_alloc.c:1883 prep_new_page mm/page_alloc.c:1891 [inline] get_page_from_freelist+0x111d/0x3140 mm/page_alloc.c:3956 __alloc_frozen_pages_noprof+0x27d/0x2ae0 mm/page_alloc.c:5244 alloc_slab_page mm/slub.c:3238 [inline] allocate_slab mm/slub.c:3411 [inline] new_slab+0xa6/0x6e0 mm/slub.c:3469 refill_objects+0x26b/0x400 mm/slub.c:7091 refill_sheaf mm/slub.c:2787 [inline] alloc_full_sheaf mm/slub.c:2808 [inline] __pcs_replace_empty_main+0x19f/0x600 mm/slub.c:4546 alloc_from_pcs mm/slub.c:4639 [inline] slab_alloc_node mm/slub.c:4773 [inline] __do_kmalloc_node mm/slub.c:5176 [inline] __kmalloc_node_track_caller_noprof+0x694/0x850 mm/slub.c:5285 kmalloc_reserve+0xe8/0x350 net/core/skbuff.c:635 __alloc_skb+0x185/0x710 net/core/skbuff.c:713 alloc_skb include/linux/skbuff.h:1383 [inline] mld_newpack.isra.0+0x18e/0xa20 net/ipv6/mcast.c:1775 add_grhead+0x299/0x340 net/ipv6/mcast.c:1886 add_grec+0x1380/0x1920 net/ipv6/mcast.c:2025 mld_send_cr net/ipv6/mcast.c:2148 [inline] mld_ifc_work+0x3c5/0xc10 net/ipv6/mcast.c:2693 process_one_work+0x9c2/0x1840 kernel/workqueue.c:3275 process_scheduled_works kernel/workqueue.c:3358 [inline] worker_thread+0x5da/0xe40 kernel/workqueue.c:3439 kthread+0x370/0x450 kernel/kthread.c:467 page last free pid 5923 tgid 5923 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1432 [inline] __free_frozen_pages+0x7bb/0x1090 mm/page_alloc.c:2972 qlink_free mm/kasan/quarantine.c:163 [inline] qlist_free_all+0x47/0xe0 mm/kasan/quarantine.c:179 kasan_quarantine_reduce+0x1a0/0x1f0 mm/kasan/quarantine.c:286 __kasan_slab_alloc+0x69/0x90 mm/kasan/common.c:350 kasan_slab_alloc include/linux/kasan.h:253 [inline] slab_post_alloc_hook mm/slub.c:4459 [inline] slab_alloc_node mm/slub.c:4788 [inline] __do_kmalloc_node mm/slub.c:5176 [inline] __kmalloc_noprof+0x2b9/0x850 mm/slub.c:5189 kmalloc_noprof include/linux/slab.h:966 [inline] kzalloc_noprof include/linux/slab.h:1204 [inline] fib_create_info+0x5bf/0x4640 net/ipv4/fib_semantics.c:1402 fib_table_insert+0x169/0x1c70 net/ipv4/fib_trie.c:1212 fib_magic+0x4d4/0x5c0 net/ipv4/fib_frontend.c:1134 fib_add_ifaddr+0x4ba/0x560 net/ipv4/fib_frontend.c:1178 fib_netdev_event+0x3d6/0x710 net/ipv4/fib_frontend.c:1516 notifier_call_chain+0x99/0x3b0 kernel/notifier.c:85 call_netdevice_notifiers_info+0xbe/0x110 net/core/dev.c:2242 call_netdevice_notifiers_extack net/core/dev.c:2280 [inline] call_netdevice_notifiers net/core/dev.c:2294 [inline] __dev_notify_flags+0x12c/0x2e0 net/core/dev.c:9785 netif_change_flags+0x108/0x160 net/core/dev.c:9814 do_setlink.isra.0+0x1abb/0x3e50 net/core/rtnetlink.c:3158 rtnl_changelink net/core/rtnetlink.c:3776 [inline] __rtnl_newlink net/core/rtnetlink.c:3935 [inline] rtnl_newlink+0x11bd/0x2380 net/core/rtnetlink.c:4072 Memory state around the buggy address: ffff88802776c580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff88802776c600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff88802776c680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff88802776c700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff88802776c780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ==================================================================