================================================================== BUG: KASAN: slab-use-after-free in __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline] BUG: KASAN: slab-use-after-free in _raw_spin_lock_irqsave+0x3a/0x60 kernel/locking/spinlock.c:162 Read of size 1 at addr ffff888025b8b818 by task syz.3.4/6047 CPU: 0 UID: 0 PID: 6047 Comm: syz.3.4 Not tainted 6.16.0-syzkaller #0 PREEMPT(full) Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Call Trace: __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:378 [inline] print_report+0xcd/0x630 mm/kasan/report.c:482 kasan_report+0xe0/0x110 mm/kasan/report.c:595 __kasan_check_byte+0x36/0x50 mm/kasan/common.c:557 kasan_check_byte include/linux/kasan.h:399 [inline] lock_acquire kernel/locking/lockdep.c:5845 [inline] lock_acquire+0xfc/0x350 kernel/locking/lockdep.c:5828 __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline] _raw_spin_lock_irqsave+0x3a/0x60 kernel/locking/spinlock.c:162 p9_tag_remove net/9p/client.c:397 [inline] p9_req_put net/9p/client.c:405 [inline] p9_req_put+0xaf/0x250 net/9p/client.c:402 req_done+0x1dc/0x2e0 net/9p/trans_virtio.c:147 vring_interrupt drivers/virtio/virtio_ring.c:2715 [inline] vring_interrupt+0x31b/0x400 drivers/virtio/virtio_ring.c:2690 __handle_irq_event_percpu+0x229/0x7d0 kernel/irq/handle.c:158 handle_irq_event_percpu kernel/irq/handle.c:193 [inline] handle_irq_event+0xab/0x1e0 kernel/irq/handle.c:210 handle_edge_irq+0x28e/0xab0 kernel/irq/chip.c:797 generic_handle_irq_desc include/linux/irqdesc.h:173 [inline] handle_irq arch/x86/kernel/irq.c:254 [inline] call_irq_handler arch/x86/kernel/irq.c:266 [inline] __common_interrupt+0xdf/0x250 arch/x86/kernel/irq.c:292 common_interrupt+0x61/0xe0 arch/x86/kernel/irq.c:285 asm_common_interrupt+0x26/0x40 arch/x86/include/asm/idtentry.h:693 RIP: 0023:0xf70d7ae0 Code: 70 f8 8b 58 fc 89 54 24 10 8b 11 8b 44 24 1c 8b 6c 24 2c 8d b4 26 00 00 00 00 8b 4c 24 10 39 54 24 0c 19 f9 73 2d 89 44 24 10 <89> 74 24 14 8d 74 26 00 8b 45 08 8b 4d 0c 83 c5 08 89 ce 39 d0 19 RSP: 002b:00000000ffc00f80 EFLAGS: 00000297 RAX: 00000000f6689190 RBX: 00000000ffffffff RCX: 00000000ffffffff RDX: 0000000089584b1a RSI: 0000000089584b1a RDI: 00000000ffffffff RBP: 00000000f6680728 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000000 R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 Allocated by task 6063: kasan_save_stack+0x33/0x60 mm/kasan/common.c:47 kasan_save_track+0x14/0x30 mm/kasan/common.c:68 poison_kmalloc_redzone mm/kasan/common.c:377 [inline] __kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:394 kmalloc_noprof include/linux/slab.h:905 [inline] p9_client_create+0xc7/0x11c0 net/9p/client.c:985 v9fs_session_init+0x1f7/0x1a80 fs/9p/v9fs.c:410 v9fs_mount+0xc5/0xa30 fs/9p/vfs_super.c:122 legacy_get_tree+0x109/0x220 fs/fs_context.c:666 vfs_get_tree+0x8e/0x340 fs/super.c:1804 do_new_mount fs/namespace.c:3902 [inline] path_mount+0x1414/0x2020 fs/namespace.c:4226 do_mount fs/namespace.c:4239 [inline] __do_sys_mount fs/namespace.c:4450 [inline] __se_sys_mount fs/namespace.c:4427 [inline] __ia32_sys_mount+0x28b/0x310 fs/namespace.c:4427 do_syscall_32_irqs_on arch/x86/entry/syscall_32.c:83 [inline] __do_fast_syscall_32+0x7c/0x3a0 arch/x86/entry/syscall_32.c:306 do_fast_syscall_32+0x32/0x80 arch/x86/entry/syscall_32.c:331 entry_SYSENTER_compat_after_hwframe+0x84/0x8e Freed by task 6063: kasan_save_stack+0x33/0x60 mm/kasan/common.c:47 kasan_save_track+0x14/0x30 mm/kasan/common.c:68 kasan_save_free_info+0x3b/0x60 mm/kasan/generic.c:576 poison_slab_object mm/kasan/common.c:247 [inline] __kasan_slab_free+0x51/0x70 mm/kasan/common.c:264 kasan_slab_free include/linux/kasan.h:233 [inline] slab_free_hook mm/slub.c:2381 [inline] slab_free mm/slub.c:4643 [inline] kfree+0x2b4/0x4d0 mm/slub.c:4842 p9_client_create+0xa28/0x11c0 net/9p/client.c:1064 v9fs_session_init+0x1f7/0x1a80 fs/9p/v9fs.c:410 v9fs_mount+0xc5/0xa30 fs/9p/vfs_super.c:122 legacy_get_tree+0x109/0x220 fs/fs_context.c:666 vfs_get_tree+0x8e/0x340 fs/super.c:1804 do_new_mount fs/namespace.c:3902 [inline] path_mount+0x1414/0x2020 fs/namespace.c:4226 do_mount fs/namespace.c:4239 [inline] __do_sys_mount fs/namespace.c:4450 [inline] __se_sys_mount fs/namespace.c:4427 [inline] __ia32_sys_mount+0x28b/0x310 fs/namespace.c:4427 do_syscall_32_irqs_on arch/x86/entry/syscall_32.c:83 [inline] __do_fast_syscall_32+0x7c/0x3a0 arch/x86/entry/syscall_32.c:306 do_fast_syscall_32+0x32/0x80 arch/x86/entry/syscall_32.c:331 entry_SYSENTER_compat_after_hwframe+0x84/0x8e The buggy address belongs to the object at ffff888025b8b800 which belongs to the cache kmalloc-512 of size 512 The buggy address is located 24 bytes inside of freed 512-byte region [ffff888025b8b800, ffff888025b8ba00) The buggy address belongs to the physical page: page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x25b88 head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 anon flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff) page_type: f5(slab) raw: 00fff00000000040 ffff88801b842c80 0000000000000000 dead000000000001 raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 head: 00fff00000000040 ffff88801b842c80 0000000000000000 dead000000000001 head: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 head: 00fff00000000002 ffffea000096e201 00000000ffffffff 00000000ffffffff head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004 page dumped because: kasan: bad access detected page_owner tracks the page as allocated page last allocated via order 2, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5959, tgid 5959 (syz-executor), ts 54525347447, free_ts 52517698467 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x1c0/0x230 mm/page_alloc.c:1704 prep_new_page mm/page_alloc.c:1712 [inline] get_page_from_freelist+0x1321/0x3890 mm/page_alloc.c:3669 __alloc_frozen_pages_noprof+0x261/0x23f0 mm/page_alloc.c:4959 alloc_pages_mpol+0x1fb/0x550 mm/mempolicy.c:2419 alloc_slab_page mm/slub.c:2451 [inline] allocate_slab mm/slub.c:2619 [inline] new_slab+0x23b/0x330 mm/slub.c:2673 ___slab_alloc+0xd9c/0x1940 mm/slub.c:3859 __slab_alloc.constprop.0+0x56/0xb0 mm/slub.c:3949 __slab_alloc_node mm/slub.c:4024 [inline] slab_alloc_node mm/slub.c:4185 [inline] __do_kmalloc_node mm/slub.c:4327 [inline] __kmalloc_noprof+0x2f2/0x510 mm/slub.c:4340 kmalloc_noprof include/linux/slab.h:909 [inline] kzalloc_noprof include/linux/slab.h:1039 [inline] fib6_info_alloc+0x40/0x160 net/ipv6/ip6_fib.c:155 ip6_route_info_create+0x14c/0x870 net/ipv6/route.c:3811 ip6_route_add.part.0+0x22/0x1d0 net/ipv6/route.c:3940 ip6_route_add+0x45/0x60 net/ipv6/route.c:3937 addrconf_add_mroute+0x1dd/0x350 net/ipv6/addrconf.c:2551 addrconf_add_dev+0x14e/0x1c0 net/ipv6/addrconf.c:2569 addrconf_dev_config net/ipv6/addrconf.c:3477 [inline] addrconf_init_auto_addrs+0x3e8/0x880 net/ipv6/addrconf.c:3566 addrconf_notify+0x6e2/0x19e0 net/ipv6/addrconf.c:3739 page last free pid 5968 tgid 5968 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1248 [inline] __free_frozen_pages+0x7fe/0x1180 mm/page_alloc.c:2706 qlink_free mm/kasan/quarantine.c:163 [inline] qlist_free_all+0x4d/0x120 mm/kasan/quarantine.c:179 kasan_quarantine_reduce+0x195/0x1e0 mm/kasan/quarantine.c:286 __kasan_slab_alloc+0x69/0x90 mm/kasan/common.c:329 kasan_slab_alloc include/linux/kasan.h:250 [inline] slab_post_alloc_hook mm/slub.c:4148 [inline] slab_alloc_node mm/slub.c:4197 [inline] __kmalloc_cache_noprof+0x1f1/0x3e0 mm/slub.c:4354 kmalloc_noprof include/linux/slab.h:905 [inline] kzalloc_noprof include/linux/slab.h:1039 [inline] kobject_uevent_env+0x265/0x1870 lib/kobject_uevent.c:540 __kobject_del+0x168/0x1f0 lib/kobject.c:601 kobject_cleanup lib/kobject.c:680 [inline] kobject_release lib/kobject.c:720 [inline] kref_put include/linux/kref.h:65 [inline] kobject_put+0x327/0x5a0 lib/kobject.c:737 netdev_queue_update_kobjects+0x4e5/0x720 net/core/net-sysfs.c:2052 netif_set_real_num_tx_queues+0x170/0x8e0 net/core/dev.c:3185 veth_init_queues+0xe1/0x190 drivers/net/veth.c:1793 veth_newlink+0x49c/0xa00 drivers/net/veth.c:1896 rtnl_newlink_create net/core/rtnetlink.c:3823 [inline] __rtnl_newlink net/core/rtnetlink.c:3940 [inline] rtnl_newlink+0xc45/0x2000 net/core/rtnetlink.c:4055 rtnetlink_rcv_msg+0x95b/0xe90 net/core/rtnetlink.c:6944 netlink_rcv_skb+0x158/0x420 net/netlink/af_netlink.c:2552 netlink_unicast_kernel net/netlink/af_netlink.c:1320 [inline] netlink_unicast+0x58a/0x850 net/netlink/af_netlink.c:1346 Memory state around the buggy address: ffff888025b8b700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff888025b8b780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff888025b8b800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff888025b8b880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff888025b8b900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ================================================================== ---------------- Code disassembly (best guess): 0: 70 f8 jo 0xfffffffa 2: 8b 58 fc mov -0x4(%rax),%ebx 5: 89 54 24 10 mov %edx,0x10(%rsp) 9: 8b 11 mov (%rcx),%edx b: 8b 44 24 1c mov 0x1c(%rsp),%eax f: 8b 6c 24 2c mov 0x2c(%rsp),%ebp 13: 8d b4 26 00 00 00 00 lea 0x0(%rsi,%riz,1),%esi 1a: 8b 4c 24 10 mov 0x10(%rsp),%ecx 1e: 39 54 24 0c cmp %edx,0xc(%rsp) 22: 19 f9 sbb %edi,%ecx 24: 73 2d jae 0x53 26: 89 44 24 10 mov %eax,0x10(%rsp) * 2a: 89 74 24 14 mov %esi,0x14(%rsp) <-- trapping instruction 2e: 8d 74 26 00 lea 0x0(%rsi,%riz,1),%esi 32: 8b 45 08 mov 0x8(%rbp),%eax 35: 8b 4d 0c mov 0xc(%rbp),%ecx 38: 83 c5 08 add $0x8,%ebp 3b: 89 ce mov %ecx,%esi 3d: 39 d0 cmp %edx,%eax 3f: 19 .byte 0x19