[ 194.388853][ T126] ==================================================================
[ 194.389143][ T126] BUG: KASAN: slab-use-after-free in ovl_path_real+0x1c2/0x210
[ 194.389409][ T126] Read of size 8 at addr ffff888001926720 by task systemd-udevd/126
[ 194.389659][ T126]
[ 194.389756][ T126] CPU: 0 UID: 0 PID: 126 Comm: systemd-udevd Not tainted 6.16.0-rc2-virtme #1 PREEMPT(full)
[ 194.389760][ T126] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
[ 194.389762][ T126] Call Trace:
[ 194.389764][ T126]
[ 194.389766][ T126]  dump_stack_lvl+0x82/0xd0
[ 194.389774][ T126]  print_address_description.constprop.0+0x2c/0x400
[ 194.389780][ T126]  ? ovl_path_real+0x1c2/0x210
[ 194.389783][ T126]  print_report+0xb4/0x270
[ 194.389786][ T126]  ? ovl_path_real+0x1c2/0x210
[ 194.389789][ T126]  ? kasan_addr_to_slab+0x25/0x80
[ 194.389793][ T126]  ? ovl_path_real+0x1c2/0x210
[ 194.389796][ T126]  kasan_report+0xca/0x100
[ 194.389800][ T126]  ? ovl_path_real+0x1c2/0x210
[ 194.389805][ T126]  ovl_path_real+0x1c2/0x210
[ 194.389808][ T126]  ovl_getattr+0x10d/0xd60
[ 194.389812][ T126]  ? __debug_check_no_obj_freed+0x252/0x520
[ 194.389818][ T126]  ? __pfx_ovl_getattr+0x10/0x10
[ 194.389823][ T126]  ? lockdep_hardirqs_on+0x7c/0x110
[ 194.389829][ T126]  ? _raw_spin_unlock_irqrestore+0x46/0x80
[ 194.389834][ T126]  ? __debug_check_no_obj_freed+0x252/0x520
[ 194.389836][ T126]  ? find_held_lock+0x2b/0x80
[ 194.389844][ T126]  ? __pfx___debug_check_no_obj_freed+0x10/0x10
[ 194.389849][ T126]  ? trace_rcu_segcb_stats+0x106/0x220
[ 194.389856][ T126]  ? rcu_is_watching+0x12/0xc0
[ 194.389859][ T126]  ? kasan_quarantine_put+0x10d/0x230
[ 194.389864][ T126]  ? lockdep_hardirqs_on+0x7c/0x110
[ 194.389868][ T126]  vfs_getattr_nosec+0x258/0x3e0
[ 194.389874][ T126]  vfs_fstat+0x3f/0x80
[ 194.389878][ T126]  __do_sys_newfstat+0x6a/0xc0
[ 194.389882][ T126]  ? __pfx___do_sys_newfstat+0x10/0x10
[ 194.389891][ T126]  ? rcu_is_watching+0x12/0xc0
[ 194.389894][ T126]  ? do_syscall_64+0x85/0x380
[ 194.389899][ T126]  do_syscall_64+0xc1/0x380
[ 194.389902][ T126]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 194.389906][ T126] RIP: 0033:0x7f0dcd77a0bb
[ 194.389909][ T126] Code: 0f 1e fa 48 89 f2 31 c9 48 89 fe bf 9c ff ff ff e9 5a 00 00 00 66 2e 0f 1f 84 00 00 00 00 00 f3 0f 1e fa b8 05 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 05 c3 0f 1f 40 00 48 8b 15 11 ad 0b 00 f7 d8
[ 194.389912][ T126] RSP: 002b:00007ffe04fcc518 EFLAGS: 00000202 ORIG_RAX: 0000000000000005
[ 194.389916][ T126] RAX: ffffffffffffffda RBX: 000000000000000d RCX: 00007f0dcd77a0bb
[ 194.389918][ T126] RDX: 0000000000000000 RSI: 00007ffe04fcc630 RDI: 000000000000000d
[ 194.389920][ T126] RBP: 00007ffe04fcc700 R08: 0000000000000003 R09: 0000000000000020
[ 194.389921][ T126] R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000000003
[ 194.389923][ T126] R13: 0000000000000000 R14: 000000000000000b R15: 000055995a1b6170
[ 194.389929][ T126]
[ 194.389931][ T126]
[ 194.398446][ T126] Allocated by task 88:
[ 194.398580][ T126]  kasan_save_stack+0x24/0x50
[ 194.398769][ T126]  kasan_save_track+0x14/0x30
[ 194.398938][ T126]  __kasan_kmalloc+0x7f/0x90
[ 194.399120][ T126]  __kmalloc_noprof+0x1d4/0x470
[ 194.399294][ T126]  ovl_fill_super+0x24c/0x1ba0
[ 194.399471][ T126]  get_tree_nodev+0xb0/0x140
[ 194.399640][ T126]  vfs_get_tree+0x8d/0x2b0
[ 194.399818][ T126]  do_new_mount+0x277/0x620
[ 194.399996][ T126]  path_mount+0x277/0x15e0
[ 194.400168][ T126]  __x64_sys_mount+0x20a/0x270
[ 194.400344][ T126]  do_syscall_64+0xc1/0x380
[ 194.400514][ T126]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 194.400737][ T126]
[ 194.400825][ T126] Freed by task 938:
[ 194.400952][ T126]  kasan_save_stack+0x24/0x50
[ 194.401139][ T126]  kasan_save_track+0x14/0x30
[ 194.401315][ T126]  kasan_save_free_info+0x3b/0x60
[ 194.401489][ T126]  __kasan_slab_free+0x38/0x50
[ 194.401662][ T126]  kfree+0x144/0x320
[ 194.401792][ T126]  krealloc_noprof+0xd4/0x320
[ 194.401961][ T126]  emit_its_trampoline+0xa5/0x300
[ 194.402135][ T126]  apply_retpolines+0xcf/0x550
[ 194.402307][ T126]  module_finalize+0x3d5/0x9d0
[ 194.402479][ T126]  load_module+0x139a/0x2660
[ 194.402653][ T126]  init_module_from_file+0xe9/0x150
[ 194.402823][ T126]  idempotent_init_module+0x335/0x620
[ 194.403015][ T126]  __x64_sys_finit_module+0xca/0x150
[ 194.403187][ T126]  do_syscall_64+0xc1/0x380
[ 194.403359][ T126]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 194.403573][ T126]
[ 194.403661][ T126] The buggy address belongs to the object at ffff888001926720
[ 194.403661][ T126]  which belongs to the cache kmalloc-96 of size 96
[ 194.404075][ T126] The buggy address is located 0 bytes inside of
[ 194.404075][ T126]  freed 96-byte region [ffff888001926720, ffff888001926780)
[ 194.404487][ T126]
[ 194.404574][ T126] The buggy address belongs to the physical page:
[ 194.404784][ T126] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1926
[ 194.405096][ T126] flags: 0x80000000000000(node=0|zone=1)
[ 194.405280][ T126] page_type: f5(slab)
[ 194.405423][ T126] raw: 0080000000000000 ffff888001042340 ffffea0000150390 ffffea0000228350
[ 194.405732][ T126] raw: 0000000000000000 0000000000100010 00000000f5000000 0000000000000000
[ 194.406037][ T126] page dumped because: kasan: bad access detected
[ 194.406246][ T126]
[ 194.406331][ T126] Memory state around the buggy address:
[ 194.406500][ T126]  ffff888001926600: fc fc fc fc 00 00 00 00 00 00 00 00 00 fc fc fc
[ 194.406746][ T126]  ffff888001926680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 194.407000][ T126] >ffff888001926700: fc fc fc fc fa fb fb fb fb fb fb fb fb fb fb fb
[ 194.407259][ T126]                                ^
[ 194.407426][ T126]  ffff888001926780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 194.407684][ T126]  ffff888001926800: fc fc fc fc 00 00 00 00 00 00 00 00 00 00 00 fc
[ 194.407940][ T126] ==================================================================
[ 194.408206][ T126] Disabling lock debugging due to kernel taint
[ 194.504496][ T939] netconsole: network logging started