Good day, dear maintainers,

We found a bug using a modified kernel configuration file used by syzbot.
We enhanced the coverage of the configuration file using our tool, klocalizer.

Kernel Branch: 6.3.0-next-20230426
Kernel Config: https://drive.google.com/file/d/1hdxgrCVVhxsp3XFWi046VSKx14Y-QCR7/view?usp=sharing
Reproducer: https://drive.google.com/file/d/1Pm-DN-CF7AeFnocccO1lg8Qa5JIkeCaA/view?usp=sharing

Thank you!

Best regards,
Sanan Hasanov

==================================================================
BUG: KASAN: slab-use-after-free in sco_sock_timeout+0x6e/0x240
Write of size 4 at addr ffff88801df87080 by task kworker/4:8/14653

CPU: 4 PID: 14653 Comm: kworker/4:8 Not tainted 6.3.0-next-20230426 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
Workqueue: events sco_sock_timeout
Call Trace:
 <TASK>
 dump_stack_lvl+0x17f/0x260
 print_report+0xc5/0x5e0
 kasan_report+0xd7/0x110
 kasan_check_range+0x153/0x1a0
 __kasan_check_write+0x18/0x20
 sco_sock_timeout+0x6e/0x240
 process_one_work+0x9f0/0x16c0
 worker_thread+0x68e/0x10f0
 kthread+0x356/0x460
 ret_from_fork+0x1f/0x30
 </TASK>

Allocated by task 10149:
 kasan_save_stack+0x2a/0x50
 kasan_set_track+0x29/0x40
 kasan_save_alloc_info+0x1f/0x30
 __kasan_kmalloc+0x84/0x90
 __kmalloc+0x61/0x190
 sk_prot_alloc+0x163/0x2b0
 sk_alloc+0x3d/0x7c0
 sco_sock_alloc.constprop.0+0x37/0x330
 sco_sock_create+0xd5/0x160
 bt_sock_create+0x16d/0x2d0
 __sock_create+0x354/0x7e0
 __sys_socket+0x152/0x270
 __x64_sys_socket+0x76/0xb0
 do_syscall_64+0x39/0x80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd

Last potentially related work creation:
 kasan_save_stack+0x2a/0x50
 __kasan_record_aux_stack+0x66/0x70
 kasan_record_aux_stack_noalloc+0xf/0x20
 __call_rcu_common.constprop.0+0x9e/0x820
 call_rcu+0xd/0x10
 netlink_release+0xcd0/0x1e90
 __sock_release+0xce/0x290
 sock_close+0x22/0x30
 __fput+0x279/0xa40
 ____fput+0x1a/0x20
 task_work_run+0x196/0x2b0
 do_exit+0xbf6/0x2d00
 do_group_exit+0xe0/0x2c0
 get_signal+0x2562/0x2610
 arch_do_signal_or_restart+0x84/0x600
 exit_to_user_mode_prepare+0x130/0x1f0
 syscall_exit_to_user_mode+0x1f/0x50
 do_syscall_64+0x46/0x80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd

Second to last potentially related work creation:
 kasan_save_stack+0x2a/0x50
 __kasan_record_aux_stack+0x66/0x70
 kasan_record_aux_stack_noalloc+0xf/0x20
 __call_rcu_common.constprop.0+0x9e/0x820
 call_rcu+0xd/0x10
 netlink_release+0xcd0/0x1e90
 __sock_release+0xce/0x290
 sock_close+0x22/0x30
 __fput+0x279/0xa40
 ____fput+0x1a/0x20
 task_work_run+0x196/0x2b0
 exit_to_user_mode_prepare+0x1e3/0x1f0
 syscall_exit_to_user_mode+0x1f/0x50
 do_syscall_64+0x46/0x80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd

The buggy address belongs to the object at ffff88801df87000
 which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 128 bytes inside of
 freed 2048-byte region [ffff88801df87000, ffff88801df87800)

The buggy address belongs to the physical page:
page:00000000f6d79403 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1df87
flags: 0xfffe0000000200(slab|node=0|zone=1|lastcpupid=0x3fff)
page_type: 0x1()
raw: 00fffe0000000200 ffff888100040800 ffffea000127c210 ffffea00045ad310
raw: 0000000000000000 ffff88801df87000 0000000100000001 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff88801df86f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff88801df87000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff88801df87080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                   ^
 ffff88801df87100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88801df87180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
------------[ cut here ]------------
refcount_t: addition on 0; use-after-free.
WARNING: CPU: 4 PID: 14653 at lib/refcount.c:25 refcount_warn_saturate+0x185/0x200
Modules linked in:
CPU: 4 PID: 14653 Comm: kworker/4:8 Tainted: G    B              6.3.0-next-20230426 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
Workqueue: events sco_sock_timeout
RIP: 0010:refcount_warn_saturate+0x185/0x200
Code: 07 31 ff 89 de e8 6b 98 92 fd 84 db 0f 85 2b ff ff ff e8 9e 9c 92 fd 48 c7 c7 40 73 7b 89 c6 05 b6 95 eb 07 01 e8 4b 1c 5b fd <0f> 0b e9 0c ff ff ff e8 7f 9c 92 fd 0f b6 1d a0 95 eb 07 31 ff 89
RSP: 0018:ffffc90009e97cb8 EFLAGS: 00010292
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: ffff8880465de1c0 RSI: ffffffff814f0e8b RDI: ffffffff814f0e7e
RBP: ffffc90009e97cc8 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000000 R11: 00000000000c2550 R12: ffff88801df87080
R13: ffff888044fddc08 R14: ffff88801df87080 R15: ffff88811a43d100
FS:  0000000000000000(0000) GS:ffff88811a400000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 000000000ab45000 CR4: 0000000000350ee0
Call Trace:
 <TASK>
 sco_sock_timeout+0x1e1/0x240
 process_one_work+0x9f0/0x16c0
 worker_thread+0x68e/0x10f0
 kthread+0x356/0x460
 ret_from_fork+0x1f/0x30
 </TASK>
irq event stamp: 821585
hardirqs last  enabled at (821585): [<ffffffff88f8f95e>] irqentry_exit+0x3e/0x90
hardirqs last disabled at (821584): [<ffffffff88f8e534>] sysvec_apic_timer_interrupt+0x14/0xc0
softirqs last  enabled at (821420): [<ffffffff8554fefd>] wg_packet_tx_worker+0x33d/0x780
softirqs last disabled at (821416): [<ffffffff8554fdf5>] wg_packet_tx_worker+0x235/0x780
---[ end trace 0000000000000000 ]---
------------[ cut here ]------------
refcount_t: underflow; use-after-free.
WARNING: CPU: 4 PID: 14653 at lib/refcount.c:28 refcount_warn_saturate+0x110/0x200
Modules linked in:
CPU: 4 PID: 14653 Comm: kworker/4:8 Tainted: G    B   W          6.3.0-next-20230426 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
Workqueue: events sco_sock_timeout
RIP: 0010:refcount_warn_saturate+0x110/0x200
Code: 1d 4a 96 eb 07 31 ff 89 de e8 dc 98 92 fd 84 db 75 a0 e8 13 9d 92 fd 48 c7 c7 a0 73 7b 89 c6 05 2a 96 eb 07 01 e8 c0 1c 5b fd <0f> 0b eb 84 e8 f7 9c 92 fd 0f b6 1d 13 96 eb 07 31 ff 89 de e8 a7
RSP: 0018:ffffc90009e97cb8 EFLAGS: 00010292
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: ffff8880465de1c0 RSI: ffffffff814f0e8b RDI: ffffffff814f0e7e
RBP: ffffc90009e97cc8 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000000 R11: 00000000000c2e38 R12: ffff88801df87080
R13: ffff888044fddc08 R14: ffff88801df87080 R15: ffff88811a43d100
FS:  0000000000000000(0000) GS:ffff88811a400000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 000000000ab45000 CR4: 0000000000350ee0
Call Trace:
 <TASK>
 sco_sock_timeout+0x1f8/0x240
 process_one_work+0x9f0/0x16c0
 worker_thread+0x68e/0x10f0
 kthread+0x356/0x460
 ret_from_fork+0x1f/0x30
 </TASK>
irq event stamp: 821585
hardirqs last  enabled at (821585): [<ffffffff88f8f95e>] irqentry_exit+0x3e/0x90
hardirqs last disabled at (821584): [<ffffffff88f8e534>] sysvec_apic_timer_interrupt+0x14/0xc0
softirqs last  enabled at (821420): [<ffffffff8554fefd>] wg_packet_tx_worker+0x33d/0x780
softirqs last disabled at (821416): [<ffffffff8554fdf5>] wg_packet_tx_worker+0x235/0x780
---[ end trace 0000000000000000 ]---