================================================================== BUG: KASAN: slab-use-after-free in rht_key_hashfn include/linux/rhashtable.h:159 [inline] BUG: KASAN: slab-use-after-free in rht_head_hashfn include/linux/rhashtable.h:174 [inline] BUG: KASAN: slab-use-after-free in __rhashtable_remove_fast_one include/linux/rhashtable.h:1053 [inline] BUG: KASAN: slab-use-after-free in __rhashtable_remove_fast include/linux/rhashtable.h:1139 [inline] BUG: KASAN: slab-use-after-free in rhashtable_remove_fast include/linux/rhashtable.h:1168 [inline] BUG: KASAN: slab-use-after-free in xfs_buf_rele_cached fs/xfs/xfs_buf.c:923 [inline] BUG: KASAN: slab-use-after-free in xfs_buf_rele+0x914/0xf80 fs/xfs/xfs_buf.c:948 Read of size 4 at addr ffff8880435e0408 by task kswapd0/79 CPU: 0 UID: 0 PID: 79 Comm: kswapd0 Not tainted syzkaller #0 PREEMPT(full) Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Call Trace: dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:378 [inline] print_report+0xca/0x240 mm/kasan/report.c:482 kasan_report+0x118/0x150 mm/kasan/report.c:595 rht_key_hashfn include/linux/rhashtable.h:159 [inline] rht_head_hashfn include/linux/rhashtable.h:174 [inline] __rhashtable_remove_fast_one include/linux/rhashtable.h:1053 [inline] __rhashtable_remove_fast include/linux/rhashtable.h:1139 [inline] rhashtable_remove_fast include/linux/rhashtable.h:1168 [inline] xfs_buf_rele_cached fs/xfs/xfs_buf.c:923 [inline] xfs_buf_rele+0x914/0xf80 fs/xfs/xfs_buf.c:948 xfs_buftarg_shrink_scan+0x23e/0x2d0 fs/xfs/xfs_buf.c:1650 do_shrink_slab+0x6df/0x10d0 mm/shrinker.c:437 shrink_slab+0xd74/0x10d0 mm/shrinker.c:664 shrink_one+0x2d9/0x720 mm/vmscan.c:4921 shrink_many mm/vmscan.c:4982 [inline] lru_gen_shrink_node mm/vmscan.c:5060 [inline] shrink_node+0x2f7d/0x35b0 mm/vmscan.c:6047 kswapd_shrink_node mm/vmscan.c:6901 [inline] balance_pgdat mm/vmscan.c:7084 [inline] kswapd+0x145a/0x2820 mm/vmscan.c:7354 kthread+0x711/0x8a0 kernel/kthread.c:463 ret_from_fork+0x510/0xa50 arch/x86/kernel/process.c:158 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246 Allocated by task 5342: kasan_save_stack mm/kasan/common.c:57 [inline] kasan_save_track+0x3e/0x80 mm/kasan/common.c:78 poison_kmalloc_redzone mm/kasan/common.c:398 [inline] __kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:415 kasan_kmalloc include/linux/kasan.h:263 [inline] __do_kmalloc_node mm/slub.c:5657 [inline] __kvmalloc_node_noprof+0x5d5/0x920 mm/slub.c:7136 bucket_table_alloc lib/rhashtable.c:186 [inline] rhashtable_init_noprof+0x52e/0xa70 lib/rhashtable.c:1075 xfs_perag_alloc fs/xfs/libxfs/xfs_ag.c:238 [inline] xfs_initialize_perag+0x27d/0x630 fs/xfs/libxfs/xfs_ag.c:279 xfs_mountfs+0xae0/0x22c0 fs/xfs/xfs_mount.c:995 xfs_fs_fill_super+0x11f1/0x1640 fs/xfs/xfs_super.c:1960 get_tree_bdev_flags+0x40e/0x4d0 fs/super.c:1691 vfs_get_tree+0x92/0x2a0 fs/super.c:1751 fc_mount fs/namespace.c:1199 [inline] do_new_mount_fc fs/namespace.c:3636 [inline] do_new_mount+0x302/0xa10 fs/namespace.c:3712 do_mount fs/namespace.c:4035 [inline] __do_sys_mount fs/namespace.c:4224 [inline] __se_sys_mount+0x313/0x410 fs/namespace.c:4201 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xec/0xf80 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f Freed by task 5342: kasan_save_stack mm/kasan/common.c:57 [inline] kasan_save_track+0x3e/0x80 mm/kasan/common.c:78 kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:584 poison_slab_object mm/kasan/common.c:253 [inline] __kasan_slab_free+0x5c/0x80 mm/kasan/common.c:285 kasan_slab_free include/linux/kasan.h:235 [inline] slab_free_hook mm/slub.c:2540 [inline] slab_free mm/slub.c:6670 [inline] kfree+0x1c0/0x660 mm/slub.c:6878 rhashtable_free_and_destroy+0x7e8/0x940 lib/rhashtable.c:1173 xfs_group_free+0x163/0x370 fs/xfs/libxfs/xfs_group.c:171 xfs_free_perag_range+0x36/0x60 fs/xfs/libxfs/xfs_ag.c:133 xfs_mountfs+0x13c8/0x22c0 fs/xfs/xfs_mount.c:1275 xfs_fs_fill_super+0x11f1/0x1640 fs/xfs/xfs_super.c:1960 get_tree_bdev_flags+0x40e/0x4d0 fs/super.c:1691 vfs_get_tree+0x92/0x2a0 fs/super.c:1751 fc_mount fs/namespace.c:1199 [inline] do_new_mount_fc fs/namespace.c:3636 [inline] do_new_mount+0x302/0xa10 fs/namespace.c:3712 do_mount fs/namespace.c:4035 [inline] __do_sys_mount fs/namespace.c:4224 [inline] __se_sys_mount+0x313/0x410 fs/namespace.c:4201 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xec/0xf80 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f The buggy address belongs to the object at ffff8880435e0400 which belongs to the cache kmalloc-512 of size 512 The buggy address is located 8 bytes inside of freed 512-byte region [ffff8880435e0400, ffff8880435e0600) The buggy address belongs to the physical page: page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x435e0 head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 ksm flags: 0x4fff00000000040(head|node=1|zone=1|lastcpupid=0x7ff) page_type: f5(slab) raw: 04fff00000000040 ffff88801a441c80 ffffea000102a400 dead000000000003 raw: 0000000000000000 0000000000080008 00000000f5000000 0000000000000000 head: 04fff00000000040 ffff88801a441c80 ffffea000102a400 dead000000000003 head: 0000000000000000 0000000000080008 00000000f5000000 0000000000000000 head: 04fff00000000001 ffffea00010d7801 00000000ffffffff 00000000ffffffff head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002 page dumped because: kasan: bad access detected page_owner tracks the page as allocated page last allocated via order 1, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 1, tgid 1 (swapper/0), ts 29674368191, free_ts 0 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x234/0x290 mm/page_alloc.c:1857 prep_new_page mm/page_alloc.c:1865 [inline] get_page_from_freelist+0x24e0/0x2580 mm/page_alloc.c:3915 __alloc_frozen_pages_noprof+0x181/0x370 mm/page_alloc.c:5210 alloc_pages_mpol+0x232/0x4a0 mm/mempolicy.c:2486 alloc_slab_page mm/slub.c:3075 [inline] allocate_slab+0x86/0x3b0 mm/slub.c:3248 new_slab mm/slub.c:3302 [inline] ___slab_alloc+0xe53/0x1820 mm/slub.c:4656 __slab_alloc+0x65/0x100 mm/slub.c:4779 __slab_alloc_node mm/slub.c:4855 [inline] slab_alloc_node mm/slub.c:5251 [inline] __do_kmalloc_node mm/slub.c:5656 [inline] __kmalloc_noprof+0x47d/0x800 mm/slub.c:5669 mpihelp_mul_karatsuba_case+0xd6/0xf60 lib/crypto/mpi/mpih-mul.c:331 mpi_powm+0x14a4/0x23c0 lib/crypto/mpi/mpi-pow.c:223 _rsa_enc crypto/rsa.c:62 [inline] rsa_enc+0x300/0x440 crypto/rsa.c:141 crypto_akcipher_encrypt include/crypto/akcipher.h:279 [inline] rsassa_pkcs1_verify+0x4ed/0xb00 crypto/rsassa-pkcs1.c:255 crypto_sig_verify include/crypto/sig.h:221 [inline] public_key_verify_signature+0x678/0x8f0 crypto/asymmetric_keys/public_key.c:428 x509_check_for_self_signed+0x327/0x430 crypto/asymmetric_keys/x509_public_key.c:125 x509_cert_parse+0x63d/0x7b0 crypto/asymmetric_keys/x509_cert_parser.c:129 x509_key_preparse+0x64/0x780 crypto/asymmetric_keys/x509_public_key.c:157 page_owner free stack trace missing Memory state around the buggy address: ffff8880435e0300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff8880435e0380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff8880435e0400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff8880435e0480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8880435e0500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ==================================================================