================================================================== BUG: KASAN: use-after-free in instrument_atomic_write include/linux/instrumented.h:82 [inline] BUG: KASAN: use-after-free in clear_bit include/asm-generic/bitops/instrumented-atomic.h:41 [inline] BUG: KASAN: use-after-free in mm_drop_cid kernel/sched/sched.h:3746 [inline] BUG: KASAN: use-after-free in mm_cid_schedout kernel/sched/sched.h:3927 [inline] BUG: KASAN: use-after-free in mm_cid_switch_to kernel/sched/sched.h:3934 [inline] BUG: KASAN: use-after-free in context_switch kernel/sched/core.c:5249 [inline] BUG: KASAN: use-after-free in __schedule+0x3ca9/0x5fa0 kernel/sched/core.c:6867 Write of size 8 at addr ffff888057b517d0 by task syz.0.13404/6438 CPU: 1 UID: 0 PID: 6438 Comm: syz.0.13404 Tainted: G L syzkaller #0 PREEMPT(full) Tainted: [L]=SOFTLOCKUP Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 Call Trace: __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x100/0x190 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:378 [inline] print_report+0x156/0x4c9 mm/kasan/report.c:482 kasan_report+0xdf/0x1a0 mm/kasan/report.c:595 check_region_inline mm/kasan/generic.c:186 [inline] kasan_check_range+0x10f/0x1e0 mm/kasan/generic.c:200 instrument_atomic_write include/linux/instrumented.h:82 [inline] clear_bit include/asm-generic/bitops/instrumented-atomic.h:41 [inline] mm_drop_cid kernel/sched/sched.h:3746 [inline] mm_cid_schedout kernel/sched/sched.h:3927 [inline] mm_cid_switch_to kernel/sched/sched.h:3934 [inline] context_switch kernel/sched/core.c:5249 [inline] __schedule+0x3ca9/0x5fa0 kernel/sched/core.c:6867 preempt_schedule_irq+0x50/0x90 kernel/sched/core.c:7194 irqentry_exit+0x17b/0x670 kernel/entry/common.c:216 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:697 RIP: 0010:page_slab mm/slab.h:144 [inline] RIP: 0010:kfree+0x82/0x690 mm/slub.c:6879 Code: 00 00 48 83 fb 10 0f 86 15 02 00 00 48 89 df e8 54 34 54 ff 48 c1 e8 0c 48 89 c7 48 c1 e7 06 48 03 3d 12 44 8a 0b 48 8b 47 08 01 4c 8d 60 ff 4c 0f 44 e7 41 80 7c 24 33 f5 41 0f 95 c5 4d 85 RSP: 0000:ffffc90028167ab0 EFLAGS: 00000282 RAX: ffffea0000493c01 RBX: ffff8880124f2c00 RCX: ffffc9002b603000 RDX: 0000000000080000 RSI: ffffffff81b80678 RDI: ffffea0000493c80 RBP: ffffc90028167b10 R08: 0000000000000007 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000000 R12: ffff8880124f2c00 R13: ffffc90028167b30 R14: ffff888026959000 R15: ffff8880124f2cf0 create_worker_cont+0x35e/0x420 io_uring/io-wq.c:868 task_work_run+0x150/0x240 kernel/task_work.c:233 get_signal+0x1bd/0x21e0 kernel/signal.c:2807 arch_do_signal_or_restart+0x91/0x770 arch/x86/kernel/signal.c:337 __exit_to_user_mode_loop kernel/entry/common.c:41 [inline] exit_to_user_mode_loop+0x86/0x4b0 kernel/entry/common.c:75 __exit_to_user_mode_prepare include/linux/irq-entry-common.h:226 [inline] syscall_exit_to_user_mode_prepare include/linux/irq-entry-common.h:256 [inline] syscall_exit_to_user_mode_work include/linux/entry-common.h:159 [inline] syscall_exit_to_user_mode include/linux/entry-common.h:194 [inline] __do_fast_syscall_32+0x4b6/0x660 arch/x86/entry/syscall_32.c:310 do_fast_syscall_32+0x32/0x70 arch/x86/entry/syscall_32.c:332 entry_SYSENTER_compat_after_hwframe+0x84/0x8e RIP: 0023:0xf743d579 Code: b8 01 10 06 03 74 b4 01 10 07 03 74 b0 01 10 08 03 74 d8 01 00 00 00 00 00 00 00 00 00 00 00 00 00 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 2e 8d b4 26 00 00 00 00 8d b4 26 00 00 00 RSP: 002b:00000000f542450c EFLAGS: 00000292 ORIG_RAX: 00000000000001aa RAX: 0000000000000800 RBX: 0000000000000009 RCX: 0000000000003516 RDX: 000000000000addf RSI: 0000000000000002 RDI: 0000000000000000 RBP: 000000000001517f R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000292 R12: 0000000000000000 R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 The buggy address belongs to the physical page: page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x884 pfn:0x57b51 flags: 0x4fff00000000000(node=1|zone=1|lastcpupid=0x7ff) raw: 04fff00000000000 dead000000000100 dead000000000122 0000000000000000 raw: 0000000000000884 0000000000000000 00000000ffffffff 0000000000000000 page dumped because: kasan: bad access detected page_owner tracks the page as freed page last allocated via order 0, migratetype Unmovable, gfp_mask 0x100cc0(GFP_USER), pid 4777, tgid 4773 (syz.1.13398), ts 2971348718518, free_ts 2971348724457 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x1e1/0x250 mm/page_alloc.c:1884 prep_new_page mm/page_alloc.c:1892 [inline] get_page_from_freelist+0xe3d/0x2e10 mm/page_alloc.c:3945 __alloc_frozen_pages_noprof+0x26c/0x2410 mm/page_alloc.c:5240 __alloc_pages_noprof mm/page_alloc.c:5274 [inline] alloc_pages_bulk_noprof+0x777/0x1500 mm/page_alloc.c:5194 ___alloc_pages_bulk mm/kasan/shadow.c:345 [inline] __kasan_populate_vmalloc_do mm/kasan/shadow.c:370 [inline] __kasan_populate_vmalloc+0xf0/0x210 mm/kasan/shadow.c:424 kasan_populate_vmalloc include/linux/kasan.h:580 [inline] alloc_vmap_area+0x935/0x2a00 mm/vmalloc.c:2124 __get_vm_area_node+0x1ca/0x330 mm/vmalloc.c:3219 __vmalloc_node_range_noprof+0x213/0x1530 mm/vmalloc.c:4011 __vmalloc_node_noprof+0xad/0xf0 mm/vmalloc.c:4111 alloc_thread_stack_node kernel/fork.c:354 [inline] dup_task_struct kernel/fork.c:923 [inline] copy_process+0x5ec/0x7890 kernel/fork.c:2052 create_io_thread+0xc2/0x110 kernel/fork.c:2599 create_io_worker+0x1cd/0x5b0 io_uring/io-wq.c:911 io_wq_create_worker io_uring/io-wq.c:339 [inline] io_wq_enqueue+0x4d8/0x970 io_uring/io-wq.c:1035 io_queue_iowq+0x234/0x4f0 io_uring/io_uring.c:492 io_queue_sqe_fallback+0x16a/0x220 io_uring/io_uring.c:2070 io_submit_sqe io_uring/io_uring.c:2316 [inline] io_submit_sqes+0x1584/0x21c0 io_uring/io_uring.c:2435 page last free pid 4777 tgid 4773 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1433 [inline] __free_frozen_pages+0x822/0x1130 mm/page_alloc.c:2973 ___free_pages_bulk mm/kasan/shadow.c:333 [inline] __kasan_populate_vmalloc_do mm/kasan/shadow.c:385 [inline] __kasan_populate_vmalloc+0x164/0x210 mm/kasan/shadow.c:424 kasan_populate_vmalloc include/linux/kasan.h:580 [inline] alloc_vmap_area+0x935/0x2a00 mm/vmalloc.c:2124 __get_vm_area_node+0x1ca/0x330 mm/vmalloc.c:3219 __vmalloc_node_range_noprof+0x213/0x1530 mm/vmalloc.c:4011 __vmalloc_node_noprof+0xad/0xf0 mm/vmalloc.c:4111 alloc_thread_stack_node kernel/fork.c:354 [inline] dup_task_struct kernel/fork.c:923 [inline] copy_process+0x5ec/0x7890 kernel/fork.c:2052 create_io_thread+0xc2/0x110 kernel/fork.c:2599 create_io_worker+0x1cd/0x5b0 io_uring/io-wq.c:911 io_wq_create_worker io_uring/io-wq.c:339 [inline] io_wq_enqueue+0x4d8/0x970 io_uring/io-wq.c:1035 io_queue_iowq+0x234/0x4f0 io_uring/io_uring.c:492 io_queue_sqe_fallback+0x16a/0x220 io_uring/io_uring.c:2070 io_submit_sqe io_uring/io_uring.c:2316 [inline] io_submit_sqes+0x1584/0x21c0 io_uring/io_uring.c:2435 __do_sys_io_uring_enter+0x6b4/0x15b0 io_uring/io_uring.c:3285 do_syscall_32_irqs_on arch/x86/entry/syscall_32.c:83 [inline] __do_fast_syscall_32+0xde/0x660 arch/x86/entry/syscall_32.c:307 do_fast_syscall_32+0x32/0x70 arch/x86/entry/syscall_32.c:332 Memory state around the buggy address: ffff888057b51680: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ffff888057b51700: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff >ffff888057b51780: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ^ ffff888057b51800: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ffff888057b51880: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ================================================================== ---------------- Code disassembly (best guess): 0: 00 00 add %al,(%rax) 2: 48 83 fb 10 cmp $0x10,%rbx 6: 0f 86 15 02 00 00 jbe 0x221 c: 48 89 df mov %rbx,%rdi f: e8 54 34 54 ff call 0xff543468 14: 48 c1 e8 0c shr $0xc,%rax 18: 48 89 c7 mov %rax,%rdi 1b: 48 c1 e7 06 shl $0x6,%rdi 1f: 48 03 3d 12 44 8a 0b add 0xb8a4412(%rip),%rdi # 0xb8a4438 26: 48 8b 47 08 mov 0x8(%rdi),%rax * 2a: a8 01 test $0x1,%al <-- trapping instruction 2c: 4c 8d 60 ff lea -0x1(%rax),%r12 30: 4c 0f 44 e7 cmove %rdi,%r12 34: 41 80 7c 24 33 f5 cmpb $0xf5,0x33(%r12) 3a: 41 0f 95 c5 setne %r13b 3e: 4d rex.WRB 3f: 85 .byte 0x85