==================================================================
BUG: KASAN: slab-use-after-free in tcf_action_destroy+0x50/0x1d0 net/sched/act_api.c:1121
Read of size 8 at addr ffff0000de8e0800 by task kworker/u4:20/8308
CPU: 0 PID: 8308 Comm: kworker/u4:20 Not tainted 6.3.0-rc4-syzkaller-g59caa87f9dfb #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/02/2023
Workqueue: tc_filter_workqueue fl_destroy_filter_work
Call trace:
dump_backtrace+0x1b8/0x1e4 arch/arm64/kernel/stacktrace.c:158
show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:165
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xd0/0x124 lib/dump_stack.c:106
print_address_description mm/kasan/report.c:319 [inline]
print_report+0x174/0x514 mm/kasan/report.c:430
kasan_report+0xd4/0x130 mm/kasan/report.c:536
__asan_report_load8_noabort+0x2c/0x38 mm/kasan/report_generic.c:381
tcf_action_destroy+0x50/0x1d0 net/sched/act_api.c:1121
tcf_exts_destroy+0xc0/0x130 net/sched/cls_api.c:3248
__fl_destroy_filter+0x24/0x114 net/sched/cls_flower.c:418
fl_destroy_filter_work+0x20/0x30 net/sched/cls_flower.c:428
process_one_work+0x788/0x12d4 kernel/workqueue.c:2390
worker_thread+0x8e0/0xfe8 kernel/workqueue.c:2537
kthread+0x24c/0x2d4 kernel/kthread.c:376
ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:870
Allocated by task 14754:
kasan_save_stack mm/kasan/common.c:45 [inline]
kasan_set_track+0x4c/0x7c mm/kasan/common.c:52
kasan_save_alloc_info+0x24/0x30 mm/kasan/generic.c:510
____kasan_kmalloc mm/kasan/common.c:374 [inline]
__kasan_kmalloc+0xac/0xc4 mm/kasan/common.c:383
kasan_kmalloc include/linux/kasan.h:196 [inline]
kmalloc_trace+0x7c/0x94 mm/slab_common.c:1066
kmalloc include/linux/slab.h:580 [inline]
kmalloc_array include/linux/slab.h:635 [inline]
kcalloc include/linux/slab.h:667 [inline]
tcf_exts_init_ex+0xdc/0x574 net/sched/cls_api.c:3218
fl_change+0x4ec/0x17f8 net/sched/cls_flower.c:2237
tc_new_tfilter+0xe38/0x1614 net/sched/cls_api.c:2310
rtnetlink_rcv_msg+0x780/0xdb8 net/core/rtnetlink.c:6165
netlink_rcv_skb+0x214/0x3c4 net/netlink/af_netlink.c:2574
rtnetlink_rcv+0x28/0x38 net/core/rtnetlink.c:6192
netlink_unicast_kernel net/netlink/af_netlink.c:1339 [inline]
netlink_unicast+0x660/0x8d4 net/netlink/af_netlink.c:1365
netlink_sendmsg+0x834/0xb18 net/netlink/af_netlink.c:1942
sock_sendmsg_nosec net/socket.c:724 [inline]
sock_sendmsg net/socket.c:747 [inline]
____sys_sendmsg+0x568/0x81c net/socket.c:2501
___sys_sendmsg net/socket.c:2555 [inline]
__sys_sendmsg+0x26c/0x33c net/socket.c:2584
__do_sys_sendmsg net/socket.c:2593 [inline]
__se_sys_sendmsg net/socket.c:2591 [inline]
__arm64_sys_sendmsg+0x80/0x94 net/socket.c:2591
__invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
invoke_syscall+0x98/0x2c0 arch/arm64/kernel/syscall.c:52
el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:142
do_el0_svc+0x64/0x198 arch/arm64/kernel/syscall.c:193
el0_svc+0x58/0x168 arch/arm64/kernel/entry-common.c:637
el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655
el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:591
Freed by task 14754:
kasan_save_stack mm/kasan/common.c:45 [inline]
kasan_set_track+0x4c/0x7c mm/kasan/common.c:52
kasan_save_free_info+0x38/0x5c mm/kasan/generic.c:521
____kasan_slab_free+0x144/0x1c0 mm/kasan/common.c:236
__kasan_slab_free+0x18/0x28 mm/kasan/common.c:244
kasan_slab_free include/linux/kasan.h:162 [inline]
slab_free_hook mm/slub.c:1781 [inline]
slab_free_freelist_hook mm/slub.c:1807 [inline]
slab_free mm/slub.c:3787 [inline]
__kmem_cache_free+0x2c0/0x4b4 mm/slub.c:3800
kfree+0xc4/0x1a8 mm/slab_common.c:1019
tcf_exts_destroy net/sched/cls_api.c:3249 [inline]
tcf_exts_init_ex+0x3d8/0x574 net/sched/cls_api.c:3237
fl_change+0x4ec/0x17f8 net/sched/cls_flower.c:2237
tc_new_tfilter+0xe38/0x1614 net/sched/cls_api.c:2310
rtnetlink_rcv_msg+0x780/0xdb8 net/core/rtnetlink.c:6165
netlink_rcv_skb+0x214/0x3c4 net/netlink/af_netlink.c:2574
rtnetlink_rcv+0x28/0x38 net/core/rtnetlink.c:6192
netlink_unicast_kernel net/netlink/af_netlink.c:1339 [inline]
netlink_unicast+0x660/0x8d4 net/netlink/af_netlink.c:1365
netlink_sendmsg+0x834/0xb18 net/netlink/af_netlink.c:1942
sock_sendmsg_nosec net/socket.c:724 [inline]
sock_sendmsg net/socket.c:747 [inline]
____sys_sendmsg+0x568/0x81c net/socket.c:2501
___sys_sendmsg net/socket.c:2555 [inline]
__sys_sendmsg+0x26c/0x33c net/socket.c:2584
__do_sys_sendmsg net/socket.c:2593 [inline]
__se_sys_sendmsg net/socket.c:2591 [inline]
__arm64_sys_sendmsg+0x80/0x94 net/socket.c:2591
__invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
invoke_syscall+0x98/0x2c0 arch/arm64/kernel/syscall.c:52
el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:142
do_el0_svc+0x64/0x198 arch/arm64/kernel/syscall.c:193
el0_svc+0x58/0x168 arch/arm64/kernel/entry-common.c:637
el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:655
el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:591
The buggy address belongs to the object at ffff0000de8e0800
which belongs to the cache kmalloc-256 of size 256
The buggy address is located 0 bytes inside of
freed 256-byte region [ffff0000de8e0800, ffff0000de8e0900)
The buggy address belongs to the physical page:
page:000000003b1c945e refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x11e8e0
head:000000003b1c945e order:1 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0x5ffc00000010200(slab|head|node=0|zone=2|lastcpupid=0x7ff)
raw: 05ffc00000010200 ffff0000c0002480 dead000000000122 0000000000000000
raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff0000de8e0700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff0000de8e0780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff0000de8e0800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff0000de8e0880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff0000de8e0900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
------------[ cut here ]------------
refcount_t: underflow; use-after-free.
WARNING: CPU: 0 PID: 8308 at lib/refcount.c:87 refcount_dec_not_one+0x214/0x23c lib/refcount.c:87
Modules linked in:
CPU: 0 PID: 8308 Comm: kworker/u4:20 Tainted: G B 6.3.0-rc4-syzkaller-g59caa87f9dfb #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/02/2023
Workqueue: tc_filter_workqueue fl_destroy_filter_work
pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : refcount_dec_not_one+0x214/0x23c lib/refcount.c:87
lr : refcount_dec_not_one+0x214/0x23c lib/refcount.c:87
sp : ffff800022257960
x29: ffff8000222579c0 x28: ffff0000c0082000 x27: 00000000ffffffff
x26: 0000000000000000 x25: 00000000c0000000 x24: 1ffff0000444af30
x23: 1ffff0000444af2c x22: dfff800000000000 x21: ffff800016478d40
x20: ffff8000187c1000 x19: 0000000000000001 x18: 1fffe00036851db6
x17: ffff800015c7d000 x16: ffff800012323354 x15: 0000000000000000
x14: 0000000040000000 x13: 0000000000000002 x12: 0000000000000001
x11: ff808000080517c4 x10: 0000000040000000 x9 : e0a19da83d024400
x8 : e0a19da83d024400 x7 : 1fffe00036851db7 x6 : ffff800008285cb4
x5 : 0000000000000000 x4 : 0000000000000001 x3 : 0000000000000000
x2 : ffff8000222574a0 x1 : 0000000000000000 x0 : ffff800008285d54
Call trace:
refcount_dec_not_one+0x214/0x23c lib/refcount.c:87
refcount_dec_and_mutex_lock+0x28/0x158 lib/refcount.c:115
__tcf_action_put+0x4c/0x158 net/sched/act_api.c:377
__tcf_idr_release net/sched/act_api.c:413 [inline]
tcf_action_destroy+0xe4/0x1d0 net/sched/act_api.c:1125
tcf_exts_destroy+0xc0/0x130 net/sched/cls_api.c:3248
__fl_destroy_filter+0x24/0x114 net/sched/cls_flower.c:418
fl_destroy_filter_work+0x20/0x30 net/sched/cls_flower.c:428
process_one_work+0x788/0x12d4 kernel/workqueue.c:2390
worker_thread+0x8e0/0xfe8 kernel/workqueue.c:2537
kthread+0x24c/0x2d4 kernel/kthread.c:376
ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:870
irq event stamp: 3531765
hardirqs last enabled at (3531765): [<ffff800008285d54>] raw_spin_rq_unlock_irq kernel/sched/sched.h:1378 [inline]
hardirqs last enabled at (3531765): [<ffff800008285d54>] finish_lock_switch+0xbc/0x1e4 kernel/sched/core.c:5065
hardirqs last disabled at (3531764): [<ffff8000123f30d4>] __schedule+0x2a4/0x1e38 kernel/sched/core.c:6524
softirqs last enabled at (3531394): [<ffff80001209b7d8>] spin_unlock_bh include/linux/spinlock.h:395 [inline]
softirqs last enabled at (3531394): [<ffff80001209b7d8>] batadv_nc_purge_paths+0x2f4/0x378 net/batman-adv/network-coding.c:471
softirqs last disabled at (3531392): [<ffff80001209b5b4>] spin_lock_bh include/linux/spinlock.h:355 [inline]
softirqs last disabled at (3531392): [<ffff80001209b5b4>] batadv_nc_purge_paths+0xd0/0x378 net/batman-adv/network-coding.c:442
---[ end trace 0000000000000000 ]---
Unable to handle kernel paging request at virtual address e0fce0a240000734
KASAN: maybe wild-memory-access in range [0x07eb0512000039a0-0x07eb0512000039a7]
Mem abort info:
ESR = 0x0000000096000004
EC = 0x25: DABT (current EL), IL = 32 bits
SET = 0, FnV = 0
EA = 0, S1PTW = 0
FSC = 0x04: level 0 translation fault
Data abort info:
ISV = 0, ISS = 0x00000004
CM = 0, WnR = 0
[e0fce0a240000734] address between user and kernel address ranges
Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP
Modules linked in:
CPU: 0 PID: 8308 Comm: kworker/u4:20 Tainted: G B W 6.3.0-rc4-syzkaller-g59caa87f9dfb #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/02/2023
Workqueue: tc_filter_workqueue fl_destroy_filter_work
pstate: 00400005 (nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : tcf_action_destroy+0x7c/0x1d0 net/sched/act_api.c:1124
lr : tcf_action_destroy+0x74/0x1d0 net/sched/act_api.c:1123
sp : ffff800022257a80
x29: ffff800022257a80 x28: ffff0000c0082000 x27: ffff0000ec6b9e18
x26: ffff0000c8556000 x25: 0000000000000001 x24: dfff800000000000
x23: 0000000000000000 x22: 07eb0512000039a2 x21: ffff0000de8e0808
x20: ffff0000de8e0800 x19: 0000000000000001 x18: 1fffe00036851db6
x17: ffff800015c7d000 x16: ffff8000085023f4 x15: 0000000000000000
x14: 0000000040000000 x13: 0000000000000002 x12: ffff60001b49b104
x11: ff80800010799370 x10: 0000000000000000 x9 : ffff800019f46650
x8 : 00fd60a240000734 x7 : 1fffe00036851db7 x6 : ffff800008285cb4
x5 : 0000000000000000 x4 : 0000000000000001 x3 : ffff800010799280
x2 : 0000000000000001 x1 : 0000000000000008 x0 : 0000000000000000
Call trace:
tcf_action_destroy+0x7c/0x1d0 net/sched/act_api.c:1123
tcf_exts_destroy+0xc0/0x130 net/sched/cls_api.c:3248
__fl_destroy_filter+0x24/0x114 net/sched/cls_flower.c:418
fl_destroy_filter_work+0x20/0x30 net/sched/cls_flower.c:428
process_one_work+0x788/0x12d4 kernel/workqueue.c:2390
worker_thread+0x8e0/0xfe8 kernel/workqueue.c:2537
kthread+0x24c/0x2d4 kernel/kthread.c:376
ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:870
Code: aa1503e0 960756f9 d343fec8 f8397a9f (38786908)
---[ end trace 0000000000000000 ]---
----------------
Code disassembly (best guess):
0: aa1503e0 mov x0, x21
4: 960756f9 bl 0xfffffffff81d5be8
8: d343fec8 lsr x8, x22, #3
c: f8397a9f str xzr, [x20, x25, lsl #3]
* 10: 38786908 ldrb w8, [x8, x24] <-- trapping instruction