==================================================================
BUG: KASAN: use-after-free in user_mode arch/x86/include/asm/ptrace.h:131 [inline]
BUG: KASAN: use-after-free in trace_page_fault_entries arch/x86/mm/fault.c:1516 [inline]
BUG: KASAN: use-after-free in do_page_fault+0x66/0x330 arch/x86/mm/fault.c:1528
Read of size 8 at addr ffff8881e4e47f40 by task syz.3.227/1273

CPU: 1 PID: 1273 Comm: syz.3.227 Not tainted 5.4.290-syzkaller-00017-g6b07fcd94a6a #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
Call Trace:

The buggy address belongs to the page:
page:ffffea00079391c0 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0
flags: 0x8000000000000000()
raw: 8000000000000000 0000000000000000 ffffea00079391c8 0000000000000000
raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as freed
page last allocated via order 3, migratetype Unmovable, gfp_mask 0x500dc0(GFP_USER|__GFP_ZERO|__GFP_ACCOUNT)
 set_page_owner include/linux/page_owner.h:31 [inline]
 post_alloc_hook mm/page_alloc.c:2165 [inline]
 prep_new_page+0x18f/0x370 mm/page_alloc.c:2171
 get_page_from_freelist+0x2d13/0x2d90 mm/page_alloc.c:3794
 __alloc_pages_nodemask+0x393/0x840 mm/page_alloc.c:4893
 __alloc_pages include/linux/gfp.h:503 [inline]
 __alloc_pages_node include/linux/gfp.h:516 [inline]
 alloc_pages_node include/linux/gfp.h:530 [inline]
 alloc_thread_stack_node kernel/fork.c:259 [inline]
 dup_task_struct+0x85/0x600 kernel/fork.c:886
 copy_process+0x56d/0x3230 kernel/fork.c:1889
 _do_fork+0x197/0x900 kernel/fork.c:2399
 __do_sys_clone3 kernel/fork.c:2688 [inline]
 __se_sys_clone3 kernel/fork.c:2675 [inline]
 __x64_sys_clone3+0x2da/0x300 kernel/fork.c:2675
 do_syscall_64+0xca/0x1c0 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x5c/0xc1
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1176 [inline]
 __free_pages_ok+0x847/0x950 mm/page_alloc.c:1438
 free_the_page mm/page_alloc.c:4955 [inline]
 __free_pages+0x91/0x140 mm/page_alloc.c:4961
 free_thread_stack kernel/fork.c:299 [inline]
 release_task_stack kernel/fork.c:439 [inline]
 put_task_stack+0x212/0x260 kernel/fork.c:450
 finish_task_switch+0x24a/0x590 kernel/sched/core.c:3479
 context_switch kernel/sched/core.c:3611 [inline]
 __schedule+0xb0d/0x1320 kernel/sched/core.c:4307
 preempt_schedule_irq+0xc7/0x140 kernel/sched/core.c:4558
 restore_regs_and_return_to_kernel+0x0/0x26
 stack_trace_consume_entry+0x13/0x240 kernel/stacktrace.c:83
 arch_stack_walk+0x105/0x140 arch/x86/kernel/stacktrace.c:27
 stack_trace_save+0x118/0x1c0 kernel/stacktrace.c:123
 save_stack mm/kasan/common.c:70 [inline]
 set_track mm/kasan/common.c:78 [inline]
 __kasan_kmalloc+0x171/0x210 mm/kasan/common.c:529
 slab_post_alloc_hook mm/slab.h:584 [inline]
 slab_alloc_node mm/slub.c:2829 [inline]
 slab_alloc mm/slub.c:2837 [inline]
 kmem_cache_alloc+0xd9/0x250 mm/slub.c:2842
 kmem_cache_zalloc include/linux/slab.h:680 [inline]
 __kernfs_new_node+0xdb/0x6e0 fs/kernfs/dir.c:639
 kernfs_new_node+0x130/0x230 fs/kernfs/dir.c:717
 __kernfs_create_file+0x45/0x260 fs/kernfs/file.c:1001
 sysfs_add_file_mode_ns+0x292/0x340 fs/sysfs/file.c:306

Memory state around the buggy address:
 ffff8881e4e47e00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff8881e4e47e80: ff ff ff ff ff ff ff ff 00 00 00 00 00 00 00 00
>ffff8881e4e47f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                                           ^
 ffff8881e4e47f80: ff ff ff ff f1 f1 f1 f1 00 f2 f2 f2 04 f3 f3 f3
 ffff8881e4e48000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
PANIC: double fault, error_code: 0x0
CPU: 1 PID: 1273 Comm: syz.3.227 Tainted: G    B   5.4.290-syzkaller-00017-g6b07fcd94a6a #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
RIP: 0010:check_memory_region+0x3/0x280 mm/kasan/generic.c:190
Code: 5c 41 5d 41 5e 41 5f 5d c3 48 c7 c7 bb 82 5a 85 eb 0a 48 c7 c7 f3 82 5a 85 4c 89 fe e8 6c 8f c1 02 31 db eb d7 90 90 55 41 57 <41> 56 53 b0 01 48 85 f6 0f 84 8e 01 00 00 48 89 fd 48 c1 ed 2f 81
RSP: 0018:ffff8881e3f4c000 EFLAGS: 00010046
RAX: 0000000000000000 RBX: ffff8881e3f4c058 RCX: ffffffff813027c1
RDX: 0000000000000000 RSI: 0000000000000008 RDI: ffffffff864c4d28
RBP: 0000000000000001 R08: ffffffff81302698 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: ffff8881e3f4c0e0
R13: dffffc0000000000 R14: ffffe8ffffb00608 R15: 0000000000000000
FS:  0000000000000000(0000) GS:ffff8881f6f00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffff8881e3f4bff8 CR3: 00000001f5c2a000 CR4: 00000000003406a0
DR0: 0000400000000300 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000600
Call Trace:
 <#DF>
----------------
Code disassembly (best guess):
   0:  5c                    pop    %rsp
   1:  41 5d                 pop    %r13
   3:  41 5e                 pop    %r14
   5:  41 5f                 pop    %r15
   7:  5d                    pop    %rbp
   8:  c3                    ret
   9:  48 c7 c7 bb 82 5a 85  mov    $0xffffffff855a82bb,%rdi
  10:  eb 0a                 jmp    0x1c
  12:  48 c7 c7 f3 82 5a 85  mov    $0xffffffff855a82f3,%rdi
  19:  4c 89 fe              mov    %r15,%rsi
  1c:  e8 6c 8f c1 02        call   0x2c18f8d
  21:  31 db                 xor    %ebx,%ebx
  23:  eb d7                 jmp    0xfffffffc
  25:  90                    nop
  26:  90                    nop
  27:  55                    push   %rbp
  28:  41 57                 push   %r15
* 2a:  41 56                 push   %r14            <-- trapping instruction
  2c:  53                    push   %rbx
  2d:  b0 01                 mov    $0x1,%al
  2f:  48 85 f6              test   %rsi,%rsi
  32:  0f 84 8e 01 00 00     je     0x1c6
  38:  48 89 fd              mov    %rdi,%rbp
  3b:  48 c1 ed 2f           shr    $0x2f,%rbp
  3f:  81                    .byte 0x81
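The "Memory state around the buggy address" block is the part of a KASAN report that tells you what the sanitizer actually knew about the faulting granule, and it is worth decoding mechanically rather than by eye. The following is an added example, not part of the syzbot report above and not kernel code: it parses the access line and the shadow dump, maps each shadow byte back to the poison values defined in mm/kasan/kasan.h for generic KASAN on a 5.4-era kernel (0xff = KASAN_FREE_PAGE, 0xf1/0xf2/0xf3 = stack redzones, 0x00 = fully accessible, 0x01..0x07 = partially accessible granule), and computes the shadow address with the x86-64 mapping (shadow = (addr >> 3) + 0xdffffc0000000000; that offset is the same constant that appears as R13 in the register dump). The sample input is copied from the report above; the `KASAN_*` names and the helper functions are the example's own.

```python
"""Decode the shadow-memory block of a generic-KASAN report (added example).

Assumptions (not taken from the report itself): x86-64 shadow mapping with
KASAN_SHADOW_SCALE_SHIFT = 3 and KASAN_SHADOW_OFFSET = 0xdffffc0000000000, and
the generic-KASAN poison encoding from mm/kasan/kasan.h in the 5.4 kernel.
"""
import re

KASAN_SHADOW_SCALE_SHIFT = 3
KASAN_SHADOW_OFFSET_X86_64 = 0xdffffc0000000000
GRANULE = 1 << KASAN_SHADOW_SCALE_SHIFT      # 8 bytes of memory per shadow byte
ROW_BYTES = GRANULE * 16                     # one dump row covers 128 bytes

# Poison values for generic KASAN (mm/kasan/kasan.h, v5.4).
SHADOW_MEANING = {
    0xFF: "freed page (KASAN_FREE_PAGE)",
    0xFE: "page redzone (KASAN_PAGE_REDZONE)",
    0xFC: "kmalloc redzone (KASAN_KMALLOC_REDZONE)",
    0xFB: "freed kmalloc object (KASAN_KMALLOC_FREE)",
    0xFA: "global redzone (KASAN_GLOBAL_REDZONE)",
    0xF1: "stack left redzone (KASAN_STACK_LEFT)",
    0xF2: "stack mid redzone (KASAN_STACK_MID)",
    0xF3: "stack right redzone (KASAN_STACK_RIGHT)",
    0xF4: "stack partial redzone (KASAN_STACK_PARTIAL)",
    0xCA: "alloca left redzone (KASAN_ALLOCA_LEFT)",
    0xCB: "alloca right redzone (KASAN_ALLOCA_RIGHT)",
}

# Sample input: the access line and shadow dump copied from the report above.
REPORT = """\
Read of size 8 at addr ffff8881e4e47f40 by task syz.3.227/1273
Memory state around the buggy address:
 ffff8881e4e47e00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff8881e4e47e80: ff ff ff ff ff ff ff ff 00 00 00 00 00 00 00 00
>ffff8881e4e47f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                                           ^
 ffff8881e4e47f80: ff ff ff ff f1 f1 f1 f1 00 f2 f2 f2 04 f3 f3 f3
 ffff8881e4e48000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
"""

_ACCESS_RE = re.compile(r"^(Read|Write) of size (\d+) at addr ([0-9a-f]{16})", re.M)
_ROW_RE = re.compile(r"^\s*>?\s*([0-9a-f]{16}):((?:\s+[0-9a-f]{2}){16})\s*$")


def shadow_addr(addr):
    """Memory address -> address of its shadow byte (x86-64 generic KASAN)."""
    return (addr >> KASAN_SHADOW_SCALE_SHIFT) + KASAN_SHADOW_OFFSET_X86_64


def describe_shadow(byte):
    """Human-readable meaning of one shadow byte."""
    if byte == 0:
        return "all 8 bytes accessible"
    if 1 <= byte < GRANULE:
        return f"first {byte} byte(s) of the granule accessible"
    return SHADOW_MEANING.get(byte, f"unknown poison 0x{byte:02x}")


def parse_memory_state(report):
    """Return {row_base_address: [16 shadow bytes]} for the dump rows."""
    rows = {}
    in_block = False
    for line in report.splitlines():
        if line.startswith("Memory state around the buggy address"):
            in_block = True
            continue
        if not in_block:
            continue
        if line.startswith("="):          # end-of-report separator
            break
        m = _ROW_RE.match(line)           # the '^' marker line does not match
        if m:
            rows[int(m.group(1), 16)] = [int(b, 16) for b in m.group(2).split()]
    return rows


def shadow_byte_for(rows, addr):
    """Shadow byte covering `addr`, taken from the parsed dump rows."""
    base = addr & ~(ROW_BYTES - 1)
    return rows[base][(addr - base) // GRANULE]


def run_lengths(shadow_row):
    """Run-length encode one row as [(count, meaning), ...] to expose layout."""
    runs = []
    for b in shadow_row:
        d = describe_shadow(b)
        if runs and runs[-1][1] == d:
            runs[-1] = (runs[-1][0] + 1, d)
        else:
            runs.append((1, d))
    return runs


def analyze(report):
    """Decode every granule touched by the reported access."""
    m = _ACCESS_RE.search(report)
    if not m:
        raise ValueError("no 'Read/Write of size N at addr' line found")
    kind, size, addr = m.group(1), int(m.group(2)), int(m.group(3), 16)
    rows = parse_memory_state(report)
    first = addr & ~(GRANULE - 1)
    last = (addr + size - 1) & ~(GRANULE - 1)   # access may straddle granules
    shadow = [shadow_byte_for(rows, g) for g in range(first, last + 1, GRANULE)]
    return {
        "kind": kind, "size": size, "addr": addr,
        "shadow_addr": shadow_addr(addr),
        "shadow_bytes": shadow,
        "meaning": [describe_shadow(b) for b in shadow],
    }


if __name__ == "__main__":
    r = analyze(REPORT)
    print(f"{r['kind']} of {r['size']} at {r['addr']:#x}, shadow byte at "
          f"{r['shadow_addr']:#x} = {r['shadow_bytes'][0]:#04x}: {r['meaning'][0]}")
    for n, d in run_lengths(parse_memory_state(REPORT)[0xffff8881e4e47f80]):
        print(f"  {n:2d} x {d}")
```

Run on the report above, the faulting granule decodes to KASAN_FREE_PAGE, which is exactly what the "page_owner tracks the page as freed" line and the free stack through put_task_stack say: the 8-byte read in do_page_fault landed in a thread-stack page that had already been returned to the page allocator. The row below it (ffff8881e4e47f80) run-length encodes into freed-page granules followed by a left redzone, an 8-byte accessible slot, a mid redzone, a 4-byte partial slot and a right redzone, i.e. a live stack frame immediately adjacent to the freed page.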