==================================================================
BUG: KASAN: use-after-free in user_mode arch/x86/include/asm/ptrace.h:131 [inline]
BUG: KASAN: use-after-free in trace_page_fault_entries arch/x86/mm/fault.c:1516 [inline]
BUG: KASAN: use-after-free in do_page_fault+0x6d/0x320 arch/x86/mm/fault.c:1528
Read of size 8 at addr ffff8881eeafff40 by task syz.2.192/940

CPU: 1 PID: 940 Comm: syz.2.192 Not tainted 5.4.292-syzkaller-00021-gcd8e74fa0fa3 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
Call Trace:

The buggy address belongs to the page:
page:ffffea0007babfc0 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0
flags: 0x8000000000000000()
raw: 8000000000000000 0000000000000000 ffffea0007babfc8 0000000000000000
raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as freed
page last allocated via order 3, migratetype Unmovable, gfp_mask 0x500dc0(GFP_USER|__GFP_ZERO|__GFP_ACCOUNT)
 set_page_owner include/linux/page_owner.h:31 [inline]
 post_alloc_hook mm/page_alloc.c:2165 [inline]
 prep_new_page+0x35e/0x370 mm/page_alloc.c:2171
 get_page_from_freelist+0x1296/0x1310 mm/page_alloc.c:3794
 __alloc_pages_nodemask+0x202/0x4b0 mm/page_alloc.c:4894
 __alloc_pages include/linux/gfp.h:503 [inline]
 __alloc_pages_node include/linux/gfp.h:516 [inline]
 alloc_pages_node include/linux/gfp.h:530 [inline]
 alloc_thread_stack_node kernel/fork.c:259 [inline]
 dup_task_struct+0x91/0x640 kernel/fork.c:886
 copy_process+0x503/0x2cf0 kernel/fork.c:1889
 _do_fork+0x190/0x860 kernel/fork.c:2399
 __do_sys_clone kernel/fork.c:2557 [inline]
 __se_sys_clone kernel/fork.c:2538 [inline]
 __x64_sys_clone+0x12e/0x160 kernel/fork.c:2538
 do_syscall_64+0xcf/0x170 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x5c/0xc1
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1176 [inline]
 __free_pages_ok+0x7e4/0x910 mm/page_alloc.c:1438
 free_the_page mm/page_alloc.c:4956 [inline]
 __free_pages+0x8c/0x110 mm/page_alloc.c:4962
 free_thread_stack kernel/fork.c:299 [inline]
 release_task_stack kernel/fork.c:439 [inline]
 put_task_stack+0x21b/0x260 kernel/fork.c:450
 finish_task_switch+0x245/0x590 kernel/sched/core.c:3481
 context_switch kernel/sched/core.c:3613 [inline]
 __schedule+0xa57/0x12a0 kernel/sched/core.c:4309
 schedule+0x12d/0x1c0 kernel/sched/core.c:4377
 schedule_timeout+0xa9/0x340 kernel/time/timer.c:1915
 do_wait_for_common kernel/sched/completion.c:83 [inline]
 __wait_for_common kernel/sched/completion.c:104 [inline]
 wait_for_common+0x2a3/0x490 kernel/sched/completion.c:115
 wait_for_completion+0x18/0x20 kernel/sched/completion.c:136
 rcu_barrier+0x2d5/0x360 kernel/rcu/tree.c:2957
 wg_destruct+0x218/0x2e0 drivers/net/wireguard/device.c:245
 netdev_run_todo+0xa45/0xc70 net/core/dev.c:9477
 rtnl_unlock+0xe/0x10 net/core/rtnetlink.c:112
 default_device_exit_batch+0x52f/0x590 net/core/dev.c:10277
 ops_exit_list net/core/net_namespace.c:187 [inline]
 cleanup_net+0x5fd/0xb40 net/core/net_namespace.c:612
 process_one_work+0x73b/0xcc0 kernel/workqueue.c:2290

Memory state around the buggy address:
 ffff8881eeaffe00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff8881eeaffe80: ff ff ff ff 00 00 00 00 00 00 00 00 ff ff ff ff
>ffff8881eeafff00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                                           ^
 ffff8881eeafff80: ff ff ff ff f1 f1 f1 f1 00 f2 f2 f2 04 f3 f3 f3
 ffff8881eeb00000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================