================================================================== BUG: KASAN: use-after-free in user_mode arch/x86/include/asm/ptrace.h:131 [inline] BUG: KASAN: use-after-free in trace_page_fault_entries arch/x86/mm/fault.c:1516 [inline] BUG: KASAN: use-after-free in do_page_fault+0x6d/0x320 arch/x86/mm/fault.c:1528 Read of size 8 at addr ffff8881ecc2ff60 by task syz-executor174/434 CPU: 0 PID: 434 Comm: syz-executor174 Not tainted 5.4.292-syzkaller-00021-gcd8e74fa0fa3 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025 Call Trace: The buggy address belongs to the page: page:ffffea0007b30bc0 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 flags: 0x8000000000000000() raw: 8000000000000000 ffffea0007b34808 ffffea0007b30b88 0000000000000000 raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000 page dumped because: kasan: bad access detected page_owner tracks the page as freed page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC) set_page_owner include/linux/page_owner.h:31 [inline] post_alloc_hook mm/page_alloc.c:2165 [inline] prep_new_page+0x35e/0x370 mm/page_alloc.c:2171 get_page_from_freelist+0x1296/0x1310 mm/page_alloc.c:3794 __alloc_pages_nodemask+0x202/0x4b0 mm/page_alloc.c:4894 alloc_slab_page+0x3c/0x3b0 mm/slub.c:343 allocate_slab mm/slub.c:1683 [inline] new_slab+0x93/0x420 mm/slub.c:1749 new_slab_objects mm/slub.c:2505 [inline] ___slab_alloc+0x29e/0x420 mm/slub.c:2667 __slab_alloc+0x63/0xa0 mm/slub.c:2707 slab_alloc_node mm/slub.c:2792 [inline] slab_alloc mm/slub.c:2837 [inline] kmem_cache_alloc+0x12c/0x270 mm/slub.c:2842 getname_flags+0xb9/0x500 fs/namei.c:141 user_path_at_empty+0x2f/0x50 fs/namei.c:2703 user_path_at include/linux/namei.h:49 [inline] vfs_statx+0x116/0x200 fs/stat.c:187 vfs_fstatat include/linux/fs.h:3389 [inline] __do_sys_newfstatat fs/stat.c:367 [inline] __se_sys_newfstatat+0xcc/0x350 fs/stat.c:361 __x64_sys_newfstatat+0x9b/0xb0 fs/stat.c:361 do_syscall_64+0xcf/0x170 arch/x86/entry/common.c:290 entry_SYSCALL_64_after_hwframe+0x5c/0xc1 page last free stack trace: reset_page_owner include/linux/page_owner.h:24 [inline] free_pages_prepare mm/page_alloc.c:1176 [inline] __free_pages_ok+0x7e4/0x910 mm/page_alloc.c:1438 free_the_page mm/page_alloc.c:4956 [inline] __free_pages+0x8c/0x110 mm/page_alloc.c:4962 __free_slab+0x218/0x2d0 mm/slub.c:1774 free_slab mm/slub.c:1789 [inline] discard_slab mm/slub.c:1795 [inline] unfreeze_partials+0x165/0x1a0 mm/slub.c:2288 put_cpu_partial+0xc1/0x180 mm/slub.c:2324 __slab_free+0x2be/0x380 mm/slub.c:2971 do_slab_free mm/slub.c:3068 [inline] ___cache_free+0xbb/0xd0 mm/slub.c:3087 qlink_free+0x23/0x30 mm/kasan/quarantine.c:148 qlist_free_all+0x5f/0xb0 mm/kasan/quarantine.c:167 quarantine_reduce+0x1a8/0x200 mm/kasan/quarantine.c:260 __kasan_kmalloc+0x42/0x200 mm/kasan/common.c:507 kasan_slab_alloc+0x12/0x20 mm/kasan/common.c:537 slab_post_alloc_hook mm/slab.h:584 [inline] slab_alloc_node mm/slub.c:2829 [inline] slab_alloc mm/slub.c:2837 [inline] __kmalloc+0x106/0x2f0 mm/slub.c:3909 kmalloc_array include/linux/slab.h:618 [inline] realloc_stack_state kernel/bpf/verifier.c:595 [inline] realloc_func_state+0x305/0x5b0 kernel/bpf/verifier.c:611 check_stack_write+0xda/0x1b10 kernel/bpf/verifier.c:1926 check_mem_access+0x9b4/0x1c30 kernel/bpf/verifier.c:2920 Memory state around the buggy address: ffff8881ecc2fe00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ffff8881ecc2fe80: ff ff ff ff ff ff ff ff 00 00 00 00 00 00 00 00 >ffff8881ecc2ff00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ^ ffff8881ecc2ff80: ff ff ff ff ff ff ff ff f1 f1 f1 f1 00 f2 f2 f2 ffff8881ecc30000: 04 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00 ================================================================== PANIC: double fault, error_code: 0x0 CPU: 0 PID: 434 Comm: syz-executor174 Tainted: G B 5.4.292-syzkaller-00021-gcd8e74fa0fa3 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025 RIP: 0010:perf_trace_x86_exceptions+0x18/0x360 arch/x86/include/asm/trace/exceptions.h:14 Code: 98 31 00 e9 9b fe ff ff e8 c5 22 f9 02 0f 1f 44 00 00 55 48 89 e5 41 57 41 56 41 55 41 54 53 48 83 e4 e0 48 81 ec c0 00 00 00 <48> 89 4c 24 30 48 89 54 24 28 48 89 74 24 20 49 89 fd 65 48 8b 04 RSP: 0018:ffff8881ebbebf80 EFLAGS: 00010082 RAX: ffff8881ee267090 RBX: ffffe8ffffc152b8 RCX: 0000000000000000 RDX: ffff8881ebbec0d8 RSI: ffffe8ffffc152b8 RDI: ffffffff85cb57a0 RBP: ffff8881ebbec080 R08: dffffc0000000000 R09: fffffbfff0c576a6 R10: fffffbfff0c576a6 R11: 1ffffffff0c576a5 R12: ffff8881ee267090 R13: dffffc0000000000 R14: 0000000000000000 R15: ffff8881ebbec0d8 FS: 0000000000000000(0000) GS:ffff8881f6e00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: ffff8881ebbebf78 CR3: 00000001f5c2a000 CR4: 00000000003406b0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: ---------------- Code disassembly (best guess): 0: 98 cwtl 1: 31 00 xor %eax,(%rax) 3: e9 9b fe ff ff jmp 0xfffffea3 8: e8 c5 22 f9 02 call 0x2f922d2 d: 0f 1f 44 00 00 nopl 0x0(%rax,%rax,1) 12: 55 push %rbp 13: 48 89 e5 mov %rsp,%rbp 16: 41 57 push %r15 18: 41 56 push %r14 1a: 41 55 push %r13 1c: 41 54 push %r12 1e: 53 push %rbx 1f: 48 83 e4 e0 and $0xffffffffffffffe0,%rsp 23: 48 81 ec c0 00 00 00 sub $0xc0,%rsp * 2a: 48 89 4c 24 30 mov %rcx,0x30(%rsp) <-- trapping instruction 2f: 48 89 54 24 28 mov %rdx,0x28(%rsp) 34: 48 89 74 24 20 mov %rsi,0x20(%rsp) 39: 49 89 fd mov %rdi,%r13 3c: 65 gs 3d: 48 rex.W 3e: 8b .byte 0x8b 3f: 04 .byte 0x4