==================================================================
BUG: KASAN: use-after-free in __lock_acquire+0x74/0x1ff0 kernel/locking/lockdep.c:4882
Read of size 8 at addr ffff888016c1e368 by task syz-executor.0/4621
CPU: 1 PID: 4621 Comm: syz-executor.0 Not tainted 5.15.157-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
Call Trace:
<IRQ>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x1e3/0x2d0 lib/dump_stack.c:106
print_address_description+0x63/0x3b0 mm/kasan/report.c:248
__kasan_report mm/kasan/report.c:434 [inline]
kasan_report+0x16b/0x1c0 mm/kasan/report.c:451
__lock_acquire+0x74/0x1ff0 kernel/locking/lockdep.c:4882
lock_acquire+0x1db/0x4f0 kernel/locking/lockdep.c:5623
__raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
_raw_spin_lock_irqsave+0xd1/0x120 kernel/locking/spinlock.c:162
try_to_wake_up+0xae/0x1300 kernel/sched/core.c:4030
call_timer_fn+0x16d/0x560 kernel/time/timer.c:1451
expire_timers kernel/time/timer.c:1496 [inline]
__run_timers+0x67c/0x890 kernel/time/timer.c:1767
run_timer_softirq+0x63/0xf0 kernel/time/timer.c:1780
__do_softirq+0x3b3/0x93a kernel/softirq.c:558
invoke_softirq kernel/softirq.c:432 [inline]
__irq_exit_rcu+0x155/0x240 kernel/softirq.c:637
irq_exit_rcu+0x5/0x20 kernel/softirq.c:649
sysvec_apic_timer_interrupt+0x91/0xb0 arch/x86/kernel/apic/apic.c:1096
</IRQ>
<TASK>
asm_sysvec_apic_timer_interrupt+0x16/0x20 arch/x86/include/asm/idtentry.h:638
RIP: 0010:__vlan_group_get_device net/8021q/vlan.h:59 [inline]
RIP: 0010:vlan_device_event+0x376/0x1dd0 net/8021q/vlan.c:462
Code: 87 52 05 00 00 4c 89 6c 24 10 ff 24 c5 d8 53 90 8b 45 31 f6 49 bc 00 00 00 00 00 fc ff df 44 89 f0 c1 e8 0c 44 89 f1 c1 e9 09 <83> e1 07 48 c1 e0 06 48 03 44 24 18 48 8d 5c c8 20 48 89 d8 48 c1
RSP: 0018:ffffc900037f6960 EFLAGS: 00000206
RAX: 0000000000000001 RBX: ffff888076cd1080 RCX: 000000000000000c
RDX: 0000000000000000 RSI: ffffffff8dbbe4c0 RDI: 0000000000000001
RBP: ffffc900037f6a68 R08: 0000000000000007 R09: ffffffff8970eb73
R10: 000000000000000f R11: ffff888078831dc0 R12: dffffc0000000000
R13: ffff888072250000 R14: 00000000000018a9 R15: 0000000000000001
notifier_call_chain kernel/notifier.c:83 [inline]
raw_notifier_call_chain+0xd0/0x170 kernel/notifier.c:391
__dev_notify_flags+0x304/0x610
dev_change_flags+0xe7/0x190 net/core/dev.c:8889
do_setlink+0xcd1/0x3ae0 net/core/rtnetlink.c:2741
__rtnl_newlink net/core/rtnetlink.c:3429 [inline]
rtnl_newlink+0x17a4/0x2070 net/core/rtnetlink.c:3549
rtnetlink_rcv_msg+0x993/0xee0 net/core/rtnetlink.c:5629
netlink_rcv_skb+0x1cf/0x410 net/netlink/af_netlink.c:2505
netlink_unicast_kernel net/netlink/af_netlink.c:1330 [inline]
netlink_unicast+0x7b6/0x980 net/netlink/af_netlink.c:1356
netlink_sendmsg+0xa30/0xd60 net/netlink/af_netlink.c:1924
sock_sendmsg_nosec net/socket.c:704 [inline]
__sock_sendmsg net/socket.c:716 [inline]
__sys_sendto+0x564/0x720 net/socket.c:2058
__do_sys_sendto net/socket.c:2070 [inline]
__se_sys_sendto net/socket.c:2066 [inline]
__x64_sys_sendto+0xda/0xf0 net/socket.c:2066
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3b/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x66/0xd0
RIP: 0033:0x7f8c610f4b9c
Code: 1a 51 02 00 44 8b 4c 24 2c 4c 8b 44 24 20 89 c5 44 8b 54 24 28 48 8b 54 24 18 b8 2c 00 00 00 48 8b 74 24 10 8b 7c 24 08 0f 05 <48> 3d 00 f0 ff ff 77 34 89 ef 48 89 44 24 08 e8 60 51 02 00 48 8b
RSP: 002b:00007ffe0b74ede0 EFLAGS: 00000293 ORIG_RAX: 000000000000002c
RAX: ffffffffffffffda RBX: 00007f8c61d49620 RCX: 00007f8c610f4b9c
RDX: 000000000000002c RSI: 00007f8c61d49670 RDI: 0000000000000003
RBP: 0000000000000000 R08: 00007ffe0b74ee34 R09: 000000000000000c
R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000003
R13: 0000000000000000 R14: 00007f8c61d49670 R15: 0000000000000000
</TASK>
Allocated by task 2:
kasan_save_stack mm/kasan/common.c:38 [inline]
kasan_set_track mm/kasan/common.c:46 [inline]
set_alloc_info mm/kasan/common.c:434 [inline]
__kasan_slab_alloc+0x8e/0xc0 mm/kasan/common.c:467
kasan_slab_alloc include/linux/kasan.h:254 [inline]
slab_post_alloc_hook+0x53/0x380 mm/slab.h:519
slab_alloc_node mm/slub.c:3220 [inline]
kmem_cache_alloc_node+0x121/0x2c0 mm/slub.c:3256
alloc_task_struct_node kernel/fork.c:171 [inline]
dup_task_struct+0x57/0xb60 kernel/fork.c:894
copy_process+0x5eb/0x3ef0 kernel/fork.c:2038
kernel_clone+0x210/0x960 kernel/fork.c:2604
kernel_thread+0x168/0x1e0 kernel/fork.c:2656
create_kthread kernel/kthread.c:357 [inline]
kthreadd+0x57a/0x740 kernel/kthread.c:701
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:300
Freed by task 4563:
kasan_save_stack mm/kasan/common.c:38 [inline]
kasan_set_track+0x4b/0x80 mm/kasan/common.c:46
kasan_set_free_info+0x1f/0x40 mm/kasan/generic.c:360
____kasan_slab_free+0xd8/0x120 mm/kasan/common.c:366
kasan_slab_free include/linux/kasan.h:230 [inline]
slab_free_hook mm/slub.c:1705 [inline]
slab_free_freelist_hook+0xdd/0x160 mm/slub.c:1731
slab_free mm/slub.c:3499 [inline]
kmem_cache_free+0x91/0x1f0 mm/slub.c:3515
rcu_do_batch kernel/rcu/tree.c:2523 [inline]
rcu_core+0xa15/0x1650 kernel/rcu/tree.c:2763
__do_softirq+0x3b3/0x93a kernel/softirq.c:558
Last potentially related work creation:
kasan_save_stack+0x36/0x60 mm/kasan/common.c:38
kasan_record_aux_stack+0xba/0x100 mm/kasan/generic.c:348
__call_rcu kernel/rcu/tree.c:3007 [inline]
call_rcu+0x1c4/0xa70 kernel/rcu/tree.c:3087
context_switch kernel/sched/core.c:5033 [inline]
__schedule+0x12cc/0x45b0 kernel/sched/core.c:6376
schedule+0x11b/0x1f0 kernel/sched/core.c:6459
freezable_schedule include/linux/freezer.h:172 [inline]
do_nanosleep+0x1bc/0x7b0 kernel/time/hrtimer.c:2045
hrtimer_nanosleep+0x24d/0x490 kernel/time/hrtimer.c:2098
__do_sys_clock_nanosleep kernel/time/posix-timers.c:1313 [inline]
__se_sys_clock_nanosleep+0x323/0x3b0 kernel/time/posix-timers.c:1290
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3b/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x66/0xd0
Second to last potentially related work creation:
kasan_save_stack+0x36/0x60 mm/kasan/common.c:38
kasan_record_aux_stack+0xba/0x100 mm/kasan/generic.c:348
__call_rcu kernel/rcu/tree.c:3007 [inline]
call_rcu+0x1c4/0xa70 kernel/rcu/tree.c:3087
context_switch kernel/sched/core.c:5033 [inline]
__schedule+0x12cc/0x45b0 kernel/sched/core.c:6376
preempt_schedule_common+0x83/0xd0 kernel/sched/core.c:6552
preempt_schedule+0xd9/0xe0 kernel/sched/core.c:6577
preempt_schedule_thunk+0x16/0x18 arch/x86/entry/thunk_64.S:34
try_to_wake_up+0x8a8/0x1300 kernel/sched/core.c:4152
kthread_stop+0x16c/0x580 kernel/kthread.c:663
destroy_workqueue+0xf2/0xae0 kernel/workqueue.c:4451
xfs_destroy_mount_workqueues+0xd3/0x100 fs/xfs/xfs_super.c:576
xfs_fs_put_super+0x22c/0x2b0 fs/xfs/xfs_super.c:1103
generic_shutdown_super+0x136/0x2c0 fs/super.c:475
kill_block_super+0x7a/0xe0 fs/super.c:1414
deactivate_locked_super+0xa0/0x110 fs/super.c:335
cleanup_mnt+0x44e/0x500 fs/namespace.c:1143
task_work_run+0x129/0x1a0 kernel/task_work.c:164
tracehook_notify_resume include/linux/tracehook.h:189 [inline]
exit_to_user_mode_loop+0x106/0x130 kernel/entry/common.c:181
exit_to_user_mode_prepare+0xb1/0x140 kernel/entry/common.c:214
__syscall_exit_to_user_mode_work kernel/entry/common.c:296 [inline]
syscall_exit_to_user_mode+0x5d/0x240 kernel/entry/common.c:307
do_syscall_64+0x47/0xb0 arch/x86/entry/common.c:86
entry_SYSCALL_64_after_hwframe+0x66/0xd0
The buggy address belongs to the object at ffff888016c1d940
which belongs to the cache task_struct of size 7360
The buggy address is located 2600 bytes inside of
7360-byte region [ffff888016c1d940, ffff888016c1f600)
The buggy address belongs to the page:
page:ffffea00005b0600 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x16c18
head:ffffea00005b0600 order:3 compound_mapcount:0 compound_pincount:0
memcg:ffff88801f303001
flags: 0xfff80000010200(slab|head|node=0|zone=1|lastcpupid=0xfff)
raw: 00fff80000010200 dead000000000100 dead000000000122 ffff888011deb3c0
raw: 0000000000000000 0000000000040004 00000001ffffffff ffff88801f303001
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 2, ts 3376008114, free_ts 0
prep_new_page mm/page_alloc.c:2426 [inline]
get_page_from_freelist+0x322a/0x33c0 mm/page_alloc.c:4159
__alloc_pages+0x272/0x700 mm/page_alloc.c:5423
alloc_slab_page mm/slub.c:1775 [inline]
allocate_slab mm/slub.c:1912 [inline]
new_slab+0xbb/0x4b0 mm/slub.c:1975
___slab_alloc+0x6f6/0xe10 mm/slub.c:3008
__slab_alloc mm/slub.c:3095 [inline]
slab_alloc_node mm/slub.c:3186 [inline]
kmem_cache_alloc_node+0x1ba/0x2c0 mm/slub.c:3256
alloc_task_struct_node kernel/fork.c:171 [inline]
dup_task_struct+0x57/0xb60 kernel/fork.c:894
copy_process+0x5eb/0x3ef0 kernel/fork.c:2038
kernel_clone+0x210/0x960 kernel/fork.c:2604
kernel_thread+0x168/0x1e0 kernel/fork.c:2656
create_kthread kernel/kthread.c:357 [inline]
kthreadd+0x57a/0x740 kernel/kthread.c:701
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:300
page_owner free stack trace missing
Memory state around the buggy address:
ffff888016c1e200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff888016c1e280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff888016c1e300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff888016c1e380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff888016c1e400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
----------------
Code disassembly (best guess):
0: 87 52 05 xchg %edx,0x5(%rdx)
3: 00 00 add %al,(%rax)
5: 4c 89 6c 24 10 mov %r13,0x10(%rsp)
a: ff 24 c5 d8 53 90 8b jmp *-0x746fac28(,%rax,8)
11: 45 31 f6 xor %r14d,%r14d
14: 49 bc 00 00 00 00 00 movabs $0xdffffc0000000000,%r12
1b: fc ff df
1e: 44 89 f0 mov %r14d,%eax
21: c1 e8 0c shr $0xc,%eax
24: 44 89 f1 mov %r14d,%ecx
27: c1 e9 09 shr $0x9,%ecx
* 2a: 83 e1 07 and $0x7,%ecx <-- trapping instruction
2d: 48 c1 e0 06 shl $0x6,%rax
31: 48 03 44 24 18 add 0x18(%rsp),%rax
36: 48 8d 5c c8 20 lea 0x20(%rax,%rcx,8),%rbx
3b: 48 89 d8 mov %rbx,%rax
3e: 48 rex.W
3f: c1 .byte 0xc1