==================================================================
BUG: KASAN: use-after-free in user_mode arch/x86/include/asm/ptrace.h:131 [inline]
BUG: KASAN: use-after-free in trace_page_fault_entries arch/x86/mm/fault.c:1541 [inline]
BUG: KASAN: use-after-free in do_page_fault+0x66/0x330 arch/x86/mm/fault.c:1553
Read of size 8 at addr ffff8881e171fe60 by task syz-executor.3/11579
CPU: 1 PID: 11579 Comm: syz-executor.3 Tainted: G W 5.4.268-syzkaller-00012-g51cf29fc2bfc #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
Call Trace:
The buggy address belongs to the page:
page:ffffea000785c7c0 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0
flags: 0x8000000000000000()
raw: 8000000000000000 0000000000000000 dead000000000122 0000000000000000
raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as freed
page last allocated via order 3, migratetype Unmovable, gfp_mask 0x1d20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_HARDWALL)
set_page_owner include/linux/page_owner.h:31 [inline]
post_alloc_hook mm/page_alloc.c:2165 [inline]
prep_new_page+0x18f/0x370 mm/page_alloc.c:2171
get_page_from_freelist+0x2d13/0x2d90 mm/page_alloc.c:3794
__alloc_pages_nodemask+0x393/0x840 mm/page_alloc.c:4891
alloc_slab_page+0x39/0x3c0 mm/slub.c:343
allocate_slab mm/slub.c:1683 [inline]
new_slab+0x97/0x440 mm/slub.c:1749
new_slab_objects mm/slub.c:2505 [inline]
___slab_alloc+0x2fe/0x490 mm/slub.c:2667
__slab_alloc+0x62/0xa0 mm/slub.c:2707
slab_alloc_node mm/slub.c:2792 [inline]
slab_alloc mm/slub.c:2837 [inline]
kmem_cache_alloc+0x109/0x250 mm/slub.c:2842
getname_flags+0xb8/0x4e0 fs/namei.c:141
getname fs/namei.c:212 [inline]
__do_sys_unlink fs/namei.c:4211 [inline]
__se_sys_unlink fs/namei.c:4209 [inline]
__x64_sys_unlink+0x38/0x50 fs/namei.c:4209
do_syscall_64+0xca/0x1c0 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x5c/0xc1
page last free stack trace:
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1176 [inline]
__free_pages_ok+0x847/0x950 mm/page_alloc.c:1438
free_the_page mm/page_alloc.c:4953 [inline]
__free_pages+0x91/0x140 mm/page_alloc.c:4959
__free_slab+0x221/0x2e0 mm/slub.c:1774
free_slab mm/slub.c:1789 [inline]
discard_slab mm/slub.c:1795 [inline]
unfreeze_partials+0x14e/0x180 mm/slub.c:2288
put_cpu_partial+0x44/0x180 mm/slub.c:2324
__slab_free+0x297/0x360 mm/slub.c:2971
qlist_free_all+0x43/0xb0 mm/kasan/quarantine.c:167
quarantine_reduce+0x1d9/0x210 mm/kasan/quarantine.c:260
__kasan_kmalloc+0x41/0x210 mm/kasan/common.c:507
slab_post_alloc_hook mm/slab.h:584 [inline]
slab_alloc_node mm/slub.c:2829 [inline]
slab_alloc mm/slub.c:2837 [inline]
__kmalloc+0x105/0x2e0 mm/slub.c:3909
kmalloc_array include/linux/slab.h:618 [inline]
kcalloc include/linux/slab.h:629 [inline]
ext4_find_extent+0x33e/0xda0 fs/ext4/extents.c:941
ext4_swap_extents+0x3cc/0x2240 fs/ext4/extents.c:5864
move_extent_per_page+0x1467/0x2110 fs/ext4/move_extent.c:360
ext4_move_extents+0xe41/0x1470 fs/ext4/move_extent.c:673
ext4_ioctl+0x30fa/0x3ff0 fs/ext4/ioctl.c:997
do_vfs_ioctl+0x742/0x1720 fs/ioctl.c:47
Memory state around the buggy address:
ffff8881e171fd00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff8881e171fd80: ff ff ff ff ff ff ff ff ff ff ff ff 00 00 00 00
>ffff8881e171fe00: 00 00 00 00 ff ff ff ff ff ff ff ff ff ff ff ff
^
ffff8881e171fe80: ff ff ff ff ff ff ff ff f1 f1 f1 f1 00 f2 f2 f2
ffff8881e171ff00: 04 f3 f3 f3 ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================
PANIC: double fault, error_code: 0x0
CPU: 1 PID: 11579 Comm: syz-executor.3 Tainted: G B W 5.4.268-syzkaller-00012-g51cf29fc2bfc #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
RIP: 0010:perf_trace_x86_exceptions+0x18/0x410 arch/x86/mm/../include/asm/trace/./exceptions.h:14
Code: 5e cd 0a 00 66 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 55 48 89 e5 41 57 41 56 41 55 41 54 53 48 83 e4 e0 48 81 ec c0 00 00 00 <48> 89 4c 24 30 48 89 54 24 28 48 89 74 24 18 48 89 7c 24 08 65 48
RSP: 0018:ffff8881e15f2f80 EFLAGS: 00010082
RAX: 1ffff1103dc2a953 RBX: ffff8881e15f30b8 RCX: 0000000000000000
RDX: ffff8881e15f30b8 RSI: ffffe8ffffb00490 RDI: ffffffff85eb6a20
RBP: ffff8881e15f3068 R08: ffffffff8130385e R09: fffffbfff0c96d1e
R10: 0000000000000000 R11: dffffc0000000001 R12: ffff8881ee154a90
R13: dffffc0000000000 R14: ffffe8ffffb00490 R15: 0000000000000000
FS: 00007fb24f2d66c0(0000) GS:ffff8881f6f00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffff8881e15f2f78 CR3: 00000001f5c2a000 CR4: 00000000003406a0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000600
Call Trace:
<#DF>
</#DF>
----------------
Code disassembly (best guess):
0: 5e pop %rsi
1: cd 0a int $0xa
3: 00 66 66 add %ah,0x66(%rsi)
6: 2e 0f 1f 84 00 00 00 cs nopl 0x0(%rax,%rax,1)
d: 00 00
f: 0f 1f 00 nopl (%rax)
12: 55 push %rbp
13: 48 89 e5 mov %rsp,%rbp
16: 41 57 push %r15
18: 41 56 push %r14
1a: 41 55 push %r13
1c: 41 54 push %r12
1e: 53 push %rbx
1f: 48 83 e4 e0 and $0xffffffffffffffe0,%rsp
23: 48 81 ec c0 00 00 00 sub $0xc0,%rsp
* 2a: 48 89 4c 24 30 mov %rcx,0x30(%rsp) <-- trapping instruction
2f: 48 89 54 24 28 mov %rdx,0x28(%rsp)
34: 48 89 74 24 18 mov %rsi,0x18(%rsp)
39: 48 89 7c 24 08 mov %rdi,0x8(%rsp)
3e: 65 gs
3f: 48 rex.W