TITLE: WARNING in inval_wq_set CORRUPTED: false () SUPPRESSED: false MAINTAINERS (TO): [linux-fsdevel@vger.kernel.org miklos@szeredi.hu] MAINTAINERS (CC): [linux-kernel@vger.kernel.org] On node 0, zone DMA32: 32 pages in unavailable ranges setup_percpu: NR_CPUS:64 nr_cpumask_bits:1 nr_cpu_ids:1 nr_node_ids:1 percpu: Embedded 66 pages/cpu s233240 r8192 d28904 u2097152 Kernel command line: root=/dev/sda console=ttyS0 root=/dev/root rootfstype=9p rootflags=trans=virtio,version=9p2000.L,cache=loose init=/home/neck392/kernel-lab/syzkaller-workdir-fuse/instance-0/init.sh console=ttyS0 nokaslr panic=1 oops=panic kasan_multi_shot=1 nmi_watchdog=0 fuse.inval_wq=5 fuse.enable_uring=1 ------------[ cut here ]------------ WARNING: kernel/workqueue.c:2549 at __queue_delayed_work+0x2e7/0x3c0, CPU#0: swapper/0 Modules linked in: CPU: 0 UID: 0 PID: 0 Comm: swapper Not tainted 7.1.0-rc6 #1 PREEMPT(undef) Hardware name: QEMU Ubuntu 24.04 PC v2 (i440FX + PIIX, arch_caps fix, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 RIP: 0010:__queue_delayed_work+0x2e7/0x3c0 Code: 89 e7 e8 9c e9 ff ff 5b 5d 41 5c 41 5d 41 5e 41 5f e9 cd 02 2e 00 e8 c8 02 2e 00 90 0f 0b 90 e9 e7 fe ff ff e8 ba 02 2e 00 90 <0f> 0b 90 e9 5d fd ff ff e8 ac 02 2e 00 90 0f 0b 90 e9 80 fd ff ff RSP: 0000:ffffffff86807cc0 EFLAGS: 00010093 ORIG_RAX: 0000000000000000 RAX: 0000000000000000 RBX: ffffffff88eff8a0 RCX: ffffffff81490656 RDX: ffffffff86816f80 RSI: 0000000000000000 RDI: ffffffff88eff8d8 RBP: 0000000000001388 R08: 0000000000000001 R09: fffffbfff11dff14 R10: ffffffff88eff8a7 R11: 0000000000000001 R12: 0000000000000040 R13: 0000000000000000 R14: ffffffff88eff8c0 R15: 0000000000000005 FS: 0000000000000000(0000) GS:ffff8880acde2000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: ffff888008f4d000 CR3: 000000000688a000 CR4: 00000000000000b0 Call Trace: queue_delayed_work_on+0x8a/0x90 inval_wq_set+0x1c3/0x210 parse_args+0x50c/0x840 start_kernel+0xeb/0x450 x86_64_start_reservations+0x18/0x30 x86_64_start_kernel+0x111/0x120 common_startup_64+0x13e/0x148 ---[ end trace 0000000000000000 ]--- ------------[ cut here ]------------ WARNING: kernel/workqueue.c:2551 at __queue_delayed_work+0x303/0x3c0, CPU#0: swapper/0 Modules linked in: CPU: 0 UID: 0 PID: 0 Comm: swapper Tainted: G W 7.1.0-rc6 #1 PREEMPT(undef) Tainted: [W]=WARN Hardware name: QEMU Ubuntu 24.04 PC v2 (i440FX + PIIX, arch_caps fix, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 RIP: 0010:__queue_delayed_work+0x303/0x3c0 Code: 0f 0b 90 e9 e7 fe ff ff e8 ba 02 2e 00 90 0f 0b 90 e9 5d fd ff ff e8 ac 02 2e 00 90 0f 0b 90 e9 80 fd ff ff e8 9e 02 2e 00 90 <0f> 0b 90 e9 a3 fd ff ff e8 90 02 2e 00 bf 03 00 00 00 e8 c6 a3 0e RSP: 0000:ffffffff86807cc0 EFLAGS: 00010093 ORIG_RAX: 0000000000000000 RAX: 0000000000000000 RBX: ffffffff88eff8a0 RCX: ffffffff81490672 RDX: ffffffff86816f80 RSI: 0000000000000000 RDI: ffffffff88eff8c8 RBP: 0000000000001388 R08: 0000000000000001 R09: fffffbfff11dff14 R10: ffffffff88eff8a7 R11: 0000000000000001 R12: 0000000000000040 R13: 0000000000000000 R14: ffffffff88eff8c0 R15: ffffffff88eff8a8 FS: 0000000000000000(0000) GS:ffff8880acde2000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: ffff888008f4d000 CR3: 000000000688a000 CR4: 00000000000000b0 Call Trace: queue_delayed_work_on+0x8a/0x90 inval_wq_set+0x1c3/0x210 parse_args+0x50c/0x840 start_kernel+0xeb/0x450 x86_64_start_reservations+0x18/0x30 x86_64_start_kernel+0x111/0x120 common_startup_64+0x13e/0x148 ---[ end trace 0000000000000000 ]--- Unknown kernel command line parameters "nokaslr nmi_watchdog=0", will be passed to user space. printk: log buffer data + meta data: 262144 + 917504 = 1179648 bytes Dentry cache hash table entries: 131072 (order: 8, 1048576 bytes, linear) Inode-cache hash table entries: 65536 (order: 7, 524288 bytes, linear) Fallback order for Node 0: 0 Built 1 zonelists, mobility grouping on. Total pages: 262014 Policy zone: DMA32 mem auto-init: stack:all(zero), heap alloc:off, heap free:off stackdepot: allocating hash table via alloc_large_system_hash stackdepot hash table entries: 1048576 (order: 12, 16777216 bytes, linear) stackdepot: allocating space for 8192 stack pools via memblock SLUB: HWalign=64, Order=0-3, MinObjects=0, CPUs=1, Nodes=1 Kernel/User page tables isolation: enabled Dynamic Preempt: lazy rcu: Preemptible hierarchical RCU implementation. rcu: RCU event tracing is enabled. rcu: RCU restricting CPUs from NR_CPUS=64 to nr_cpu_ids=1. Trampoline variant of Tasks RCU enabled. Tracing variant of Tasks RCU enabled. rcu: RCU calculated value of scheduler-enlistment delay is 100 jiffies. rcu: Adjusting geometry for rcu_fanout_leaf=16, nr_cpu_ids=1 RCU Tasks: Setting shift to 0 and lim to 1 rcu_task_cb_adjust=1 rcu_task_cpu_ids=1. NR_IRQS: 4352, nr_irqs: 256, preallocated irqs: 16 rcu: srcu_init: Setting srcu_struct sizes based on contention. Console: colour VGA+ 80x25 printk: legacy console [ttyS0] enabled ACPI: Core revision 20251212 clocksource: hpet: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 19112604467 ns APIC: Switch to symmetric I/O mode setup x2apic enabled APIC: Switched APIC routing to: physical x2apic ..TIMER: vector=0x30 apic1=0 pin1=2 apic2=-1 pin2=-1 clocksource: tsc-early: mask: 0xffffffffffffffff max_cycles: 0x2b2c8d6afc8, max_idle_ns: 440795331172 ns Calibrating delay loop (skipped) preset value.. 5990.39 BogoMIPS (lpj=2995198) Last level iTLB entries: 4KB 0, 2MB 0, 4MB 0 Last level dTLB entries: 4KB 0, 2MB 0, 4MB 0, 1GB 0 mitigations: Enabled attack vectors: user_kernel, user_user, SMT mitigations: auto Speculative Store Bypass: Vulnerable Spectre V2 : Mitigation: Retpolines ITS: Mitigation: Aligned branch/return thunks MDS: Vulnerable: Clear CPU buffers attempted, no microcode Spectre V1 : Mitigation: usercopy/swapgs barriers and __user pointer sanitization Spectre V2 : Spectre v2 / SpectreRSB: Filling RSB on context switch and VMEXIT active return thunk: its_return_thunk x86/fpu: x87 FPU will use FXSAVE pid_max: default: 32768 minimum: 301 SELinux: Initializing. Mount-cache hash table entries: 2048 (order: 2, 16384 bytes, linear) Mountpoint-cache hash table entries: 2048 (order: 2, 16384 bytes, linear) VFS: Finished mounting rootfs on nullfs smpboot: CPU0: Intel QEMU Virtual CPU version 2.5+ (family: 0xf, model: 0x6b, stepping: 0x1) Performance Events: unsupported Netburst CPU model 107 no PMU driver, software events only. signal: max sigframe size: 1440 rcu: Hierarchical SRCU implementation. rcu: Max phase no-delay instances is 400. smp: Bringing up secondary CPUs ... smp: Brought up 1 node, 1 CPU smpboot: Total of 1 processors activated (5990.39 BogoMIPS) Memory: 729872K/1048056K available (72949K kernel code, 16656K rwdata, 15568K rodata, 11404K init, 904K bss, 313228K reserved, 0K cma-reserved) devtmpfs: initialized clocksource: jiffies: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 1911260446275000 ns posixtimers hash table entries: 512 (order: 1, 8192 bytes, linear) futex hash table entries: 256 (16384 bytes on 1 NUMA nodes, total 16 KiB, linear). PM: RTC time: 06:15:56, date: 2026-06-01 NET: Registered PF_NETLINK/PF_ROUTE protocol family audit: initializing netlink subsys (disabled) audit: type=2000 audit(1780294556.553:1): state=initialized audit_enabled=0 res=1 thermal_sys: Registered thermal governor 'step_wise' cpuidle: using governor menu Freeing SMP alternatives memory: 68K PCI: Using configuration type 1 for base access kprobes: kprobe jump-optimization is enabled. All kprobes are optimized if possible. HugeTLB: registered 2.00 MiB page size, pre-allocated 0 pages HugeTLB: 28 KiB vmemmap can be freed for a 2.00 MiB page raid6: sse2x4 gen() 11548 MB/s raid6: sse2x2 gen() 7908 MB/s raid6: sse2x1 gen() 7028 MB/s raid6: using algorithm sse2x4 gen() 11548 MB/s raid6: .... xor() 3224 MB/s, rmw enabled raid6: using intx1 recovery algorithm ACPI: Added _OSI(Module Device) ACPI: Added _OSI(Processor Device) ACPI: Added _OSI(Processor Aggregator Device) ACPI: 1 ACPI AML tables successfully acquired and loaded ACPI: \_SB_: platform _OSC: OS support mask [002a7eee] ACPI: Interpreter enabled ACPI: PM: (supports S0 S3 S4 S5) ACPI: Using IOAPIC for interrupt routing PCI: Using host bridge windows from ACPI; if necessary, use "pci=nocrs" and report a bug PCI: Using E820 reservations for host bridge windows ACPI: Enabled 2 GPEs in block 00 to 0F ACPI: PCI Root Bridge [PCI0] (domain 0000 [bus 00-ff]) acpi PNP0A03:00: _OSC: OS supports [ASPM ClockPM Segments MSI HPX-Type3] acpi PNP0A03:00: _OSC: not requesting OS control; OS requires [ExtendedConfig ASPM ClockPM MSI] acpi PNP0A03:00: _OSC: platform retains control of PCIe features (AE_ERROR) acpi PNP0A03:00: fail to add MMCONFIG information, can't access extended configuration space under this bridge PCI host bridge to bus 0000:00 pci_bus 0000:00: root bus resource [io 0x0000-0x0cf7 window] pci_bus 0000:00: root bus resource [io 0x0d00-0xffff window] pci_bus 0000:00: root bus resource [mem 0x000a0000-0x000bffff window] pci_bus 0000:00: root bus resource [mem 0x40000000-0xfebfffff window] pci_bus 0000:00: root bus resource [mem 0x100000000-0x17fffffff window] pci_bus 0000:00: root bus resource [bus 00-ff] pci 0000:00:00.0: [8086:1237] type 00 class 0x060000 conventional PCI endpoint pci 0000:00:01.0: [8086:7000] type 00 class 0x060100 conventional PCI endpoint pci 0000:00:01.1: [8086:7010] type 00 class 0x010180 conventional PCI endpoint pci 0000:00:01.1: BAR 4 [io 0xc0a0-0xc0af] pci 0000:00:01.1: BAR 0 [io 0x01f0-0x01f7]: legacy IDE quirk pci 0000:00:01.1: BAR 1 [io 0x03f6]: legacy IDE quirk pci 0000:00:01.1: BAR 2 [io 0x0170-0x0177]: legacy IDE quirk pci 0000:00:01.1: BAR 3 [io 0x0376]: legacy IDE quirk pci 0000:00:01.3: [8086:7113] type 00 class 0x068000 conventional PCI endpoint pci 0000:00:01.3: quirk: [io 0x0600-0x063f] claimed by PIIX4 ACPI pci 0000:00:01.3: quirk: [io 0x0700-0x070f] claimed by PIIX4 SMB pci 0000:00:02.0: [1234:1111] type 00 class 0x030000 conventional PCI endpoint pci 0000:00:02.0: BAR 0 [mem 0xfd000000-0xfdffffff pref] pci 0000:00:02.0: BAR 2 [mem 0xfebb0000-0xfebb0fff] pci 0000:00:02.0: ROM [mem 0xfeba0000-0xfebaffff pref] pci 0000:00:02.0: Video device with shadowed ROM at [mem 0x000c0000-0x000dffff] pci 0000:00:03.0: [1af4:1005] type 00 class 0x00ff00 conventional PCI endpoint pci 0000:00:03.0: BAR 0 [io 0xc080-0xc09f] pci 0000:00:03.0: BAR 1 [mem 0xfebb1000-0xfebb1fff] pci 0000:00:03.0: BAR 4 [mem 0xfe000000-0xfe003fff 64bit pref] pci 0000:00:04.0: [8086:100e] type 00 class 0x020000 conventional PCI endpoint pci 0000:00:04.0: BAR 0 [mem 0xfeb80000-0xfeb9ffff] pci 0000:00:04.0: BAR 1 [io 0xc000-0xc03f] pci 0000:00:04.0: ROM [mem 0xfeb00000-0xfeb7ffff pref] pci 0000:00:05.0: [1af4:1009] type 00 class 0x000200 conventional PCI endpoint pci 0000:00:05.0: BAR 0 [io 0xc040-0xc07f] pci 0000:00:05.0: BAR 1 [mem 0xfebb2000-0xfebb2fff] pci 0000:00:05.0: BAR 4 [mem 0xfe004000-0xfe007fff 64bit pref] ACPI: PCI: Interrupt link LNKA configured for IRQ 10 ACPI: PCI: Interrupt link LNKB configured for IRQ 10 ACPI: PCI: Interrupt link LNKC configured for IRQ 11 ACPI: PCI: Interrupt link LNKD configured for IRQ 11 ACPI: PCI: Interrupt link LNKS configured for IRQ 9 iommu: Default domain type: Translated iommu: DMA domain TLB invalidation policy: lazy mode SCSI subsystem initialized ACPI: bus type USB registered usbcore: registered new interface driver usbfs usbcore: registered new interface driver hub usbcore: registered new device driver usb pps_core: LinuxPPS API ver. 1 registered pps_core: Software ver. 5.3.6 - Copyright 2005-2007 Rodolfo Giometti PTP clock support registered Advanced Linux Sound Architecture Driver Initialized. NetLabel: Initializing NetLabel: domain hash size = 128 NetLabel: protocols = UNLABELED CIPSOv4 CALIPSO NetLabel: unlabeled traffic allowed by default PCI: Using ACPI for IRQ routing e820: register RAM buffer resource [mem 0x0009fc00-0x0009ffff] e820: register RAM buffer resource [mem 0x3ffe0000-0x3fffffff] pci 0000:00:02.0: vgaarb: setting as boot VGA device pci 0000:00:02.0: vgaarb: bridge control possible pci 0000:00:02.0: vgaarb: VGA device added: decodes=io+mem,owns=io+mem,locks=none vgaarb: loaded hpet: 3 channels of 0 reserved for per-cpu timers hpet0: at MMIO 0xfed00000, IRQs 2, 8, 0 hpet0: 3 comparators, 64-bit 100.000000 MHz counter clocksource: Switched to clocksource kvm-clock VFS: Disk quotas dquot_6.6.0 VFS: Dquot-cache hash table entries: 512 (order 0, 4096 bytes) pnp: PnP ACPI init pnp: PnP ACPI: found 5 devices clocksource: acpi_pm: mask: 0xffffff max_cycles: 0xffffff, max_idle_ns: 2085701024 ns NET: Registered PF_INET protocol family IP idents hash table entries: 16384 (order: 5, 131072 bytes, linear) tcp_listen_portaddr_hash hash table entries: 512 (order: 1, 8192 bytes, linear) Table-perturb hash table entries: 65536 (order: 6, 262144 bytes, linear) TCP established hash table entries: 8192 (order: 4, 65536 bytes, linear) TCP bind hash table entries: 8192 (order: 6, 262144 bytes, linear) TCP: Hash tables configured (established 8192 bind 8192) UDP hash table entries: 512 (order: 3, 32768 bytes, linear) NET: Registered PF_UNIX/PF_LOCAL protocol family RPC: Registered named UNIX socket transport module. RPC: Registered udp transport module. RPC: Registered tcp transport module. RPC: Registered tcp-with-tls transport module. RPC: Registered tcp NFSv4.1 backchannel transport module. pci_bus 0000:00: resource 4 [io 0x0000-0x0cf7 window] pci_bus 0000:00: resource 5 [io 0x0d00-0xffff window] pci_bus 0000:00: resource 6 [mem 0x000a0000-0x000bffff window] pci_bus 0000:00: resource 7 [mem 0x40000000-0xfebfffff window] pci_bus 0000:00: resource 8 [mem 0x100000000-0x17fffffff window] pci 0000:00:01.0: PIIX3: Enabling Passive Release pci 0000:00:00.0: Limiting direct PCI/PCI transfers PCI: CLS 0 bytes, default 64 clocksource: tsc: mask: 0xffffffffffffffff max_cycles: 0x2b2c8d6afc8, max_idle_ns: 440795331172 ns Initialise system trusted keyrings workingset: timestamp_bits=56 (anon: 52) max_order=18 bucket_order=0 (anon: 0) squashfs: version 4.0 (2009/01/31) Phillip Lougher NFS: Registering the id_resolver key type Key type id_resolver registered Key type id_legacy registered nfs4filelayout_init: NFSv4 File Layout Driver Registering... nfs4flexfilelayout_init: NFSv4 Flexfile Layout Driver Registering... fuse: init (API version 7.45) JFS: nTxBlock = 5741, nTxLock = 45931 SGI XFS with security attributes, scrub, repair, no debug enabled 9p: Installing v9fs 9p2000 file system support NILFS version 2 loaded Key type asymmetric registered Asymmetric key parser 'x509' registered Block layer SCSI generic (bsg) driver version 0.4 loaded (major 251) io scheduler mq-deadline registered io scheduler kyber registered xor: measuring software checksum speed prefetch64-sse : 19896 MB/sec sse : 20525 MB/sec xor: using function: sse (20525 MB/sec) input: Power Button as /devices/platform/LNXPWRBN:00/input/input0 ACPI: button: Power Button [PWRF] kwatchdog (49) used greatest stack depth: 30424 bytes left ACPI: \_SB_.LNKC: Enabled at IRQ 11 ACPI: \_SB_.LNKA: Enabled at IRQ 10 Serial: 8250/16550 driver, 4 ports, IRQ sharing enabled 00:04: ttyS0 at I/O 0x3f8 (irq = 4, base_baud = 115200) is a 16550A Non-volatile memory driver v1.3 ACPI: bus type drm_connector registered loop: module loaded scsi host0: ata_piix scsi host1: ata_piix ata1: PATA max MWDMA2 cmd 0x1f0 ctl 0x3f6 bmdma 0xc0a0 irq 14 lpm-pol 0 ata2: PATA max MWDMA2 cmd 0x170 ctl 0x376 bmdma 0xc0a8 irq 15 lpm-pol 0 e100: Intel(R) PRO/100 Network Driver e100: Copyright(c) 1999-2006 Intel Corporation e1000: Intel(R) PRO/1000 Network Driver e1000: Copyright (c) 1999-2006 Intel Corporation. ata2: found unknown device (class 0) ata2.00: ATAPI: QEMU DVD-ROM, 2.5+, max UDMA/100 scsi 1:0:0:0: CD-ROM QEMU QEMU DVD-ROM 2.5+ PQ: 0 ANSI: 5 sr 1:0:0:0: [sr0] scsi3-mmc drive: 4x/4x cd/rw xa/form2 tray cdrom: Uniform CD-ROM driver Revision: 3.20 sr 1:0:0:0: Attached scsi generic sg0 type 5 ACPI: \_SB_.LNKD: Enabled at IRQ 11 e1000 0000:00:04.0 eth0: (PCI:33MHz:32-bit) 52:54:00:12:34:56 e1000 0000:00:04.0 eth0: Intel(R) PRO/1000 Network Connection e1000e: Intel(R) PRO/1000 Network Driver e1000e: Copyright(c) 1999 - 2015 Intel Corporation. sky2: driver version 1.30 usbcore: registered new interface driver usblp usbcore: registered new interface driver usb-storage i8042: PNP: PS/2 Controller [PNP0303:KBD,PNP0f13:MOU] at 0x60,0x64 irq 1,12 serio: i8042 KBD port at 0x60,0x64 irq 1 serio: i8042 AUX port at 0x60,0x64 irq 12 rtc_cmos PNP0B00:00: RTC can wake from S4 input: AT Translated Set 2 keyboard as /devices/platform/i8042/serio0/input/input1 rtc_cmos PNP0B00:00: registered as rtc0 rtc_cmos PNP0B00:00: alarms up to one day, y3k, 242 bytes nvram, hpet irqs device-mapper: ioctl: 4.50.0-ioctl (2025-04-28) initialised: dm-devel@lists.linux.dev intel_pstate: CPU model not supported hid: raw HID events driver (C) Jiri Kosina usbcore: registered new interface driver usbhid usbhid: USB HID core driver Initializing XFRM netlink socket NET: Registered PF_INET6 protocol family Segment Routing with IPv6 In-situ OAM (IOAM) with IPv6 NET: Registered PF_PACKET protocol family 9pnet: Installing 9P2000 support Key type dns_resolver registered IPI shorthand broadcast: enabled sched_clock: Marking stable (6156013197, 314166715)->(6558734503, -88554591) registered taskstats version 1 Loading compiled-in X.509 certificates Demotion targets for Node 0: null Btrfs loaded, zoned=no, fsverity=no PM: Magic number: 14:427:265 netconsole: network logging started cfg80211: Loading compiled-in X.509 certificates for regulatory database kworker/u4:3 (58) used greatest stack depth: 29088 bytes left Loaded X.509 cert 'sforshee: 00b28ddf47aef9cea7' Loaded X.509 cert 'wens: 61c038651aabdcf94bd0ac7ff06c7248db18c600' ALSA device list: faux_driver regulatory: Direct firmware load for regulatory.db failed with error -2 No soundcards found. cfg80211: failed to load regulatory.db input: ImExPS/2 Generic Explorer Mouse as /devices/platform/i8042/serio1/input/input3 md: Waiting for all devices to be available before autodetect md: If you don't use raid, use raid=noautodetect md: Autodetecting RAID arrays. md: autorun ... md: ... autorun DONE. VFS: Mounted root (9p filesystem) readonly on device 0:20. devtmpfs: mounted VFS: Pivoted into new rootfs Freeing unused kernel image (initmem) memory: 11404K Write protecting the kernel read-only data: 90112k Freeing unused kernel image (text/rodata gap) memory: 776K Freeing unused kernel image (rodata/data gap) memory: 816K x86/mm: Checked W+X mappings: passed, no W+X pages found. x86/mm: Checking user space page tables x86/mm: Checked W+X mappings: passed, no W+X pages found. Run /home/neck392/kernel-lab/syzkaller-workdir-fuse/instance-0/init.sh as init process mount (61) used greatest stack depth: 25672 bytes left ip (79) used greatest stack depth: 24416 bytes left e1000: eth0 NIC Link is Up 1000 Mbps Full Duplex, Flow Control: RX random: crng init done ------------[ cut here ]------------ WARNING: fs/fuse/dev_uring.c:865 at fuse_uring_cmd+0x1411/0x2840, CPU#0: repro_minimal_u/154 Modules linked in: CPU: 0 UID: 1000 PID: 154 Comm: repro_minimal_u Tainted: G W 7.1.0-rc6 #1 PREEMPT(lazy) Tainted: [W]=WARN Hardware name: QEMU Ubuntu 24.04 PC v2 (i440FX + PIIX, arch_caps fix, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 RIP: 0010:fuse_uring_cmd+0x1411/0x2840 Code: c7 00 40 d7 86 e8 1f 2a 29 03 85 c0 0f 85 74 07 00 00 e8 42 f5 32 ff 44 89 e3 e9 cf f3 ff ff 4c 89 4c 24 20 e8 30 f5 32 ff 90 <0f> 0b 90 48 c7 c6 00 c8 9f 85 48 c7 c7 80 3e d7 86 e8 e9 29 29 03 RSP: 0018:ffffc90000a7fab0 EFLAGS: 00010293 RAX: 0000000000000000 RBX: ffff888009ed5180 RCX: ffffffff824413e0 RDX: ffff88800ca9d000 RSI: 1ffff110013ed186 RDI: ffff888009ecc6e8 RBP: ffffc90000a7fc18 R08: 0000000000000001 R09: ffff888009f68c30 R10: 0000000000000003 R11: 0000000000000000 R12: ffff888009f68c00 R13: 0000000080000111 R14: ffff88800c0c7b00 R15: ffff888009ecc658 FS: 00007fb20603c6c0(0000) GS:ffff8880acde2000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fb20603beb8 CR3: 000000000dc18000 CR4: 00000000000006f0 Call Trace: io_uring_cmd+0x291/0x5d0 __io_issue_sqe+0xbd/0x6f0 io_issue_sqe+0x82/0x1140 io_submit_sqes+0x94e/0x2030 __do_sys_io_uring_enter+0x87b/0x1490 do_syscall_64+0x102/0x5a0 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7fb20618a28d Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 5b bb 0d 00 f7 d8 64 89 01 48 RSP: 002b:00007fb20603bdb8 EFLAGS: 00000246 ORIG_RAX: 00000000000001aa RAX: ffffffffffffffda RBX: 0000558c96020038 RCX: 00007fb20618a28d RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000005 RBP: 0000558c96020030 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000558c9602003c R13: fffffffffffffeb8 R14: 000000000000006e R15: 0000558c9601fc80 ---[ end trace 0000000000000000 ]--- fuse: qid=0 commit_id 4 state 3 fuse: FUSE_IO_URING_COMMIT_AND_FETCH failed err=-5 ================================================================== BUG: KASAN: slab-use-after-free in fuse_uring_copy_to_ring+0x20b/0x230 Read of size 8 at addr ffff888009ecc698 by task repro_minimal_u/153 CPU: 0 UID: 1000 PID: 153 Comm: repro_minimal_u Tainted: G W 7.1.0-rc6 #1 PREEMPT(lazy) Tainted: [W]=WARN Hardware name: QEMU Ubuntu 24.04 PC v2 (i440FX + PIIX, arch_caps fix, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 Call Trace: dump_stack_lvl+0x7b/0xa0 print_report+0xce/0x5f0 kasan_report+0xce/0x100 fuse_uring_copy_to_ring+0x20b/0x230 fuse_uring_send_in_task+0x153/0x4c0 io_handle_tw_list+0x2fe/0x3a0 tctx_task_work_run+0x59/0x230 tctx_task_work+0x7a/0xd0 task_work_run+0x13f/0x210 get_signal+0x1bb/0x1ea0 arch_do_signal_or_restart+0x8f/0x6f0 exit_to_user_mode_loop+0x6e/0x4b0 do_syscall_64+0x482/0x5a0 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7fb20618a28d Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 5b bb 0d 00 f7 d8 64 89 01 48 RSP: 002b:00007fb20605edc8 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 RAX: fffffffffffffffb RBX: 0000558c96020028 RCX: 00007fb20618a28d RDX: 0000000000050480 RSI: 0000200000000040 RDI: ffffffffffffff9c RBP: 0000558c96020020 R08: 00007fb20605fcdc R09: 0000558c96020028 R10: 0000000000000028 R11: 0000000000000246 R12: 0000558c9602002c R13: fffffffffffffeb8 R14: 0000000000000000 R15: 0000558c9601fc80 Allocated by task 153 on cpu 0 at 28.466485s: kasan_save_stack+0x33/0x60 kasan_save_track+0x17/0x60 __kasan_slab_alloc+0x6e/0x70 kmem_cache_alloc_noprof+0xfd/0x380 fuse_request_alloc+0x22/0x200 fuse_get_req+0x295/0x8c0 __fuse_simple_request+0x9d/0xd40 fuse_send_open+0x1cc/0x270 fuse_file_open+0x2e4/0x810 fuse_do_open+0x50/0xc0 fuse_dir_open+0x10d/0x260 do_dentry_open+0x5cc/0x1340 vfs_open+0x79/0x390 path_openat+0x22f6/0x3bc0 do_file_open+0x219/0x470 do_sys_openat2+0xed/0x1b0 __x64_sys_openat+0x131/0x1e0 do_syscall_64+0x102/0x5a0 entry_SYSCALL_64_after_hwframe+0x77/0x7f Freed by task 153 on cpu 0 at 28.574662s: kasan_save_stack+0x33/0x60 kasan_save_track+0x17/0x60 kasan_save_free_info+0x3b/0x60 __kasan_slab_free+0x43/0x70 kmem_cache_free+0xba/0x3b0 fuse_put_request+0x190/0x2a0 __fuse_simple_request+0x4d0/0xd40 fuse_send_open+0x1cc/0x270 fuse_file_open+0x2e4/0x810 fuse_do_open+0x50/0xc0 fuse_dir_open+0x10d/0x260 do_dentry_open+0x5cc/0x1340 vfs_open+0x79/0x390 path_openat+0x22f6/0x3bc0 do_file_open+0x219/0x470 do_sys_openat2+0xed/0x1b0 __x64_sys_openat+0x131/0x1e0 do_syscall_64+0x102/0x5a0 entry_SYSCALL_64_after_hwframe+0x77/0x7f The buggy address belongs to the object at ffff888009ecc658 which belongs to the cache fuse_request of size 168 The buggy address is located 64 bytes inside of freed 168-byte region [ffff888009ecc658, ffff888009ecc700) The buggy address belongs to the physical page: page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff888009ecc828 pfn:0x9ecc flags: 0x100000000000200(workingset|node=0|zone=1) page_type: f5(slab) raw: 0100000000000200 ffff88800a48c8c0 ffff88800a486990 ffff88800a486990 raw: ffff888009ecc828 0000000000110009 00000000f5000000 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff888009ecc580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff888009ecc600: fc fc fc fc fc fc fc fc fc fc fc fa fb fb fb fb >ffff888009ecc680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff888009ecc700: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb ffff888009ecc780: fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc ================================================================== ================================================================== BUG: KASAN: slab-use-after-free in fuse_uring_args_to_ring.isra.0+0x4ad/0x530 Read of size 8 at addr ffff888009ecc678 by task repro_minimal_u/153 CPU: 0 UID: 1000 PID: 153 Comm: repro_minimal_u Tainted: G B W 7.1.0-rc6 #1 PREEMPT(lazy) Tainted: [B]=BAD_PAGE, [W]=WARN Hardware name: QEMU Ubuntu 24.04 PC v2 (i440FX + PIIX, arch_caps fix, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 Call Trace: dump_stack_lvl+0x7b/0xa0 print_report+0xce/0x5f0 kasan_report+0xce/0x100 fuse_uring_args_to_ring.isra.0+0x4ad/0x530 fuse_uring_copy_to_ring+0xf0/0x230 fuse_uring_send_in_task+0x153/0x4c0 io_handle_tw_list+0x2fe/0x3a0 tctx_task_work_run+0x59/0x230 tctx_task_work+0x7a/0xd0 task_work_run+0x13f/0x210 get_signal+0x1bb/0x1ea0 arch_do_signal_or_restart+0x8f/0x6f0 exit_to_user_mode_loop+0x6e/0x4b0 do_syscall_64+0x482/0x5a0 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7fb20618a28d Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 5b bb 0d 00 f7 d8 64 89 01 48 RSP: 002b:00007fb20605edc8 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 RAX: fffffffffffffffb RBX: 0000558c96020028 RCX: 00007fb20618a28d RDX: 0000000000050480 RSI: 0000200000000040 RDI: ffffffffffffff9c RBP: 0000558c96020020 R08: 00007fb20605fcdc R09: 0000558c96020028 R10: 0000000000000028 R11: 0000000000000246 R12: 0000558c9602002c R13: fffffffffffffeb8 R14: 0000000000000000 R15: 0000558c9601fc80 Allocated by task 153 on cpu 0 at 28.466485s: kasan_save_stack+0x33/0x60 kasan_save_track+0x17/0x60 __kasan_slab_alloc+0x6e/0x70 kmem_cache_alloc_noprof+0xfd/0x380 fuse_request_alloc+0x22/0x200 fuse_get_req+0x295/0x8c0 __fuse_simple_request+0x9d/0xd40 fuse_send_open+0x1cc/0x270 fuse_file_open+0x2e4/0x810 fuse_do_open+0x50/0xc0 fuse_dir_open+0x10d/0x260 do_dentry_open+0x5cc/0x1340 vfs_open+0x79/0x390 path_openat+0x22f6/0x3bc0 do_file_open+0x219/0x470 do_sys_openat2+0xed/0x1b0 __x64_sys_openat+0x131/0x1e0 do_syscall_64+0x102/0x5a0 entry_SYSCALL_64_after_hwframe+0x77/0x7f Freed by task 153 on cpu 0 at 28.574662s: kasan_save_stack+0x33/0x60 kasan_save_track+0x17/0x60 kasan_save_free_info+0x3b/0x60 __kasan_slab_free+0x43/0x70 kmem_cache_free+0xba/0x3b0 fuse_put_request+0x190/0x2a0 __fuse_simple_request+0x4d0/0xd40 fuse_send_open+0x1cc/0x270 fuse_file_open+0x2e4/0x810 fuse_do_open+0x50/0xc0 fuse_dir_open+0x10d/0x260 do_dentry_open+0x5cc/0x1340 vfs_open+0x79/0x390 path_openat+0x22f6/0x3bc0 do_file_open+0x219/0x470 do_sys_openat2+0xed/0x1b0 __x64_sys_openat+0x131/0x1e0 do_syscall_64+0x102/0x5a0 entry_SYSCALL_64_after_hwframe+0x77/0x7f The buggy address belongs to the object at ffff888009ecc658 which belongs to the cache fuse_request of size 168 The buggy address is located 32 bytes inside of freed 168-byte region [ffff888009ecc658, ffff888009ecc700) The buggy address belongs to the physical page: page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff888009ecc828 pfn:0x9ecc flags: 0x100000000000200(workingset|node=0|zone=1) page_type: f5(slab) raw: 0100000000000200 ffff88800a48c8c0 ffff88800a486990 ffff88800a486990 raw: ffff888009ecc828 0000000000110009 00000000f5000000 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff888009ecc500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff888009ecc580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff888009ecc600: fc fc fc fc fc fc fc fc fc fc fc fa fb fb fb fb ^ ffff888009ecc680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff888009ecc700: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb ================================================================== ================================================================== BUG: KASAN: slab-use-after-free in fuse_uring_args_to_ring.isra.0+0x4a3/0x530 Read of size 8 at addr ffff888009ecc698 by task repro_minimal_u/153 CPU: 0 UID: 1000 PID: 153 Comm: repro_minimal_u Tainted: G B W 7.1.0-rc6 #1 PREEMPT(lazy) Tainted: [B]=BAD_PAGE, [W]=WARN Hardware name: QEMU Ubuntu 24.04 PC v2 (i440FX + PIIX, arch_caps fix, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 Call Trace: dump_stack_lvl+0x7b/0xa0 print_report+0xce/0x5f0 kasan_report+0xce/0x100 fuse_uring_args_to_ring.isra.0+0x4a3/0x530 fuse_uring_copy_to_ring+0xf0/0x230 fuse_uring_send_in_task+0x153/0x4c0 io_handle_tw_list+0x2fe/0x3a0 tctx_task_work_run+0x59/0x230 tctx_task_work+0x7a/0xd0 task_work_run+0x13f/0x210 get_signal+0x1bb/0x1ea0 arch_do_signal_or_restart+0x8f/0x6f0 exit_to_user_mode_loop+0x6e/0x4b0 do_syscall_64+0x482/0x5a0 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7fb20618a28d Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 5b bb 0d 00 f7 d8 64 89 01 48 RSP: 002b:00007fb20605edc8 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 RAX: fffffffffffffffb RBX: 0000558c96020028 RCX: 00007fb20618a28d RDX: 0000000000050480 RSI: 0000200000000040 RDI: ffffffffffffff9c RBP: 0000558c96020020 R08: 00007fb20605fcdc R09: 0000558c96020028 R10: 0000000000000028 R11: 0000000000000246 R12: 0000558c9602002c R13: fffffffffffffeb8 R14: 0000000000000000 R15: 0000558c9601fc80 Allocated by task 153 on cpu 0 at 28.466485s: kasan_save_stack+0x33/0x60 kasan_save_track+0x17/0x60 __kasan_slab_alloc+0x6e/0x70 kmem_cache_alloc_noprof+0xfd/0x380 fuse_request_alloc+0x22/0x200 fuse_get_req+0x295/0x8c0 __fuse_simple_request+0x9d/0xd40 fuse_send_open+0x1cc/0x270 fuse_file_open+0x2e4/0x810 fuse_do_open+0x50/0xc0 fuse_dir_open+0x10d/0x260 do_dentry_open+0x5cc/0x1340 vfs_open+0x79/0x390 path_openat+0x22f6/0x3bc0 do_file_open+0x219/0x470 do_sys_openat2+0xed/0x1b0 __x64_sys_openat+0x131/0x1e0 do_syscall_64+0x102/0x5a0 entry_SYSCALL_64_after_hwframe+0x77/0x7f Freed by task 153 on cpu 0 at 28.574662s: kasan_save_stack+0x33/0x60 kasan_save_track+0x17/0x60 kasan_save_free_info+0x3b/0x60 __kasan_slab_free+0x43/0x70 kmem_cache_free+0xba/0x3b0 fuse_put_request+0x190/0x2a0 __fuse_simple_request+0x4d0/0xd40 fuse_send_open+0x1cc/0x270 fuse_file_open+0x2e4/0x810 fuse_do_open+0x50/0xc0 fuse_dir_open+0x10d/0x260 do_dentry_open+0x5cc/0x1340 vfs_open+0x79/0x390 path_openat+0x22f6/0x3bc0 do_file_open+0x219/0x470 do_sys_openat2+0xed/0x1b0 __x64_sys_openat+0x131/0x1e0 do_syscall_64+0x102/0x5a0 entry_SYSCALL_64_after_hwframe+0x77/0x7f The buggy address belongs to the object at ffff888009ecc658 which belongs to the cache fuse_request of size 168 The buggy address is located 64 bytes inside of freed 168-byte region [ffff888009ecc658, ffff888009ecc700) The buggy address belongs to the physical page: page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff888009ecc828 pfn:0x9ecc flags: 0x100000000000200(workingset|node=0|zone=1) page_type: f5(slab) raw: 0100000000000200 ffff88800a48c8c0 ffff88800a486990 ffff88800a486990 raw: ffff888009ecc828 0000000000110009 00000000f5000000 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff888009ecc580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff888009ecc600: fc fc fc fc fc fc fc fc fc fc fc fa fb fb fb fb >ffff888009ecc680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff888009ecc700: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb ffff888009ecc780: fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc ================================================================== ================================================================== BUG: KASAN: slab-use-after-free in _copy_to_user+0x4e/0x80 Read of size 40 at addr ffff888009ecc690 by task repro_minimal_u/153 CPU: 0 UID: 1000 PID: 153 Comm: repro_minimal_u Tainted: G B W 7.1.0-rc6 #1 PREEMPT(lazy) Tainted: [B]=BAD_PAGE, [W]=WARN Hardware name: QEMU Ubuntu 24.04 PC v2 (i440FX + PIIX, arch_caps fix, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 Call Trace: dump_stack_lvl+0x7b/0xa0 print_report+0xce/0x5f0 kasan_report+0xce/0x100 kasan_check_range+0x105/0x1b0 _copy_to_user+0x4e/0x80 fuse_uring_copy_to_ring+0x12c/0x230 fuse_uring_send_in_task+0x153/0x4c0 io_handle_tw_list+0x2fe/0x3a0 tctx_task_work_run+0x59/0x230 tctx_task_work+0x7a/0xd0 task_work_run+0x13f/0x210 get_signal+0x1bb/0x1ea0 arch_do_signal_or_restart+0x8f/0x6f0 exit_to_user_mode_loop+0x6e/0x4b0 do_syscall_64+0x482/0x5a0 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7fb20618a28d Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 5b bb 0d 00 f7 d8 64 89 01 48 RSP: 002b:00007fb20605edc8 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 RAX: fffffffffffffffb RBX: 0000558c96020028 RCX: 00007fb20618a28d RDX: 0000000000050480 RSI: 0000200000000040 RDI: ffffffffffffff9c RBP: 0000558c96020020 R08: 00007fb20605fcdc R09: 0000558c96020028 R10: 0000000000000028 R11: 0000000000000246 R12: 0000558c9602002c R13: fffffffffffffeb8 R14: 0000000000000000 R15: 0000558c9601fc80 Allocated by task 153 on cpu 0 at 28.466485s: kasan_save_stack+0x33/0x60 kasan_save_track+0x17/0x60 __kasan_slab_alloc+0x6e/0x70 kmem_cache_alloc_noprof+0xfd/0x380 fuse_request_alloc+0x22/0x200 fuse_get_req+0x295/0x8c0 __fuse_simple_request+0x9d/0xd40 fuse_send_open+0x1cc/0x270 fuse_file_open+0x2e4/0x810 fuse_do_open+0x50/0xc0 fuse_dir_open+0x10d/0x260 do_dentry_open+0x5cc/0x1340 vfs_open+0x79/0x390 path_openat+0x22f6/0x3bc0 do_file_open+0x219/0x470 do_sys_openat2+0xed/0x1b0 __x64_sys_openat+0x131/0x1e0 do_syscall_64+0x102/0x5a0 entry_SYSCALL_64_after_hwframe+0x77/0x7f Freed by task 153 on cpu 0 at 28.574662s: kasan_save_stack+0x33/0x60 kasan_save_track+0x17/0x60 kasan_save_free_info+0x3b/0x60 __kasan_slab_free+0x43/0x70 kmem_cache_free+0xba/0x3b0 fuse_put_request+0x190/0x2a0 __fuse_simple_request+0x4d0/0xd40 fuse_send_open+0x1cc/0x270 fuse_file_open+0x2e4/0x810 fuse_do_open+0x50/0xc0 fuse_dir_open+0x10d/0x260 do_dentry_open+0x5cc/0x1340 vfs_open+0x79/0x390 path_openat+0x22f6/0x3bc0 do_file_open+0x219/0x470 do_sys_openat2+0xed/0x1b0 __x64_sys_openat+0x131/0x1e0 do_syscall_64+0x102/0x5a0 entry_SYSCALL_64_after_hwframe+0x77/0x7f The buggy address belongs to the object at ffff888009ecc658 which belongs to the cache fuse_request of size 168 The buggy address is located 56 bytes inside of freed 168-byte region [ffff888009ecc658, ffff888009ecc700) The buggy address belongs to the physical page: page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff888009ecc828 pfn:0x9ecc flags: 0x100000000000200(workingset|node=0|zone=1) page_type: f5(slab) raw: 0100000000000200 ffff88800a48c8c0 ffff88800a486990 ffff88800a486990 raw: ffff888009ecc828 0000000000110009 00000000f5000000 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff888009ecc580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff888009ecc600: fc fc fc fc fc fc fc fc fc fc fc fa fb fb fb fb >ffff888009ecc680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff888009ecc700: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb ffff888009ecc780: fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc ================================================================== ================================================================== BUG: KASAN: slab-use-after-free in fuse_uring_send_in_task+0x171/0x4c0 Write of size 8 at addr ffff888009ecc688 by task repro_minimal_u/153 CPU: 0 UID: 1000 PID: 153 Comm: repro_minimal_u Tainted: G B W 7.1.0-rc6 #1 PREEMPT(lazy) Tainted: [B]=BAD_PAGE, [W]=WARN Hardware name: QEMU Ubuntu 24.04 PC v2 (i440FX + PIIX, arch_caps fix, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 Call Trace: dump_stack_lvl+0x7b/0xa0 print_report+0xce/0x5f0 kasan_report+0xce/0x100 kasan_check_range+0x105/0x1b0 fuse_uring_send_in_task+0x171/0x4c0 io_handle_tw_list+0x2fe/0x3a0 tctx_task_work_run+0x59/0x230 tctx_task_work+0x7a/0xd0 task_work_run+0x13f/0x210 get_signal+0x1bb/0x1ea0 arch_do_signal_or_restart+0x8f/0x6f0 exit_to_user_mode_loop+0x6e/0x4b0 do_syscall_64+0x482/0x5a0 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7fb20618a28d Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 5b bb 0d 00 f7 d8 64 89 01 48 RSP: 002b:00007fb20605edc8 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 RAX: fffffffffffffffb RBX: 0000558c96020028 RCX: 00007fb20618a28d RDX: 0000000000050480 RSI: 0000200000000040 RDI: ffffffffffffff9c RBP: 0000558c96020020 R08: 00007fb20605fcdc R09: 0000558c96020028 R10: 0000000000000028 R11: 0000000000000246 R12: 0000558c9602002c R13: fffffffffffffeb8 R14: 0000000000000000 R15: 0000558c9601fc80 Allocated by task 153 on cpu 0 at 28.466485s: kasan_save_stack+0x33/0x60 kasan_save_track+0x17/0x60 __kasan_slab_alloc+0x6e/0x70 kmem_cache_alloc_noprof+0xfd/0x380 fuse_request_alloc+0x22/0x200 fuse_get_req+0x295/0x8c0 __fuse_simple_request+0x9d/0xd40 fuse_send_open+0x1cc/0x270 fuse_file_open+0x2e4/0x810 fuse_do_open+0x50/0xc0 fuse_dir_open+0x10d/0x260 do_dentry_open+0x5cc/0x1340 vfs_open+0x79/0x390 path_openat+0x22f6/0x3bc0 do_file_open+0x219/0x470 do_sys_openat2+0xed/0x1b0 __x64_sys_openat+0x131/0x1e0 do_syscall_64+0x102/0x5a0 entry_SYSCALL_64_after_hwframe+0x77/0x7f Freed by task 153 on cpu 0 at 28.574662s: kasan_save_stack+0x33/0x60 kasan_save_track+0x17/0x60 kasan_save_free_info+0x3b/0x60 __kasan_slab_free+0x43/0x70 kmem_cache_free+0xba/0x3b0 fuse_put_request+0x190/0x2a0 __fuse_simple_request+0x4d0/0xd40 fuse_send_open+0x1cc/0x270 fuse_file_open+0x2e4/0x810 fuse_do_open+0x50/0xc0 fuse_dir_open+0x10d/0x260 do_dentry_open+0x5cc/0x1340 vfs_open+0x79/0x390 path_openat+0x22f6/0x3bc0 do_file_open+0x219/0x470 do_sys_openat2+0xed/0x1b0 __x64_sys_openat+0x131/0x1e0 do_syscall_64+0x102/0x5a0 entry_SYSCALL_64_after_hwframe+0x77/0x7f The buggy address belongs to the object at ffff888009ecc658 which belongs to the cache fuse_request of size 168 The buggy address is located 48 bytes inside of freed 168-byte region [ffff888009ecc658, ffff888009ecc700) The buggy address belongs to the physical page: page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff888009ecc828 pfn:0x9ecc flags: 0x100000000000200(workingset|node=0|zone=1) page_type: f5(slab) raw: 0100000000000200 ffff88800a48c8c0 ffff88800a486990 ffff88800a486990 raw: ffff888009ecc828 0000000000110009 00000000f5000000 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff888009ecc580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff888009ecc600: fc fc fc fc fc fc fc fc fc fc fc fa fb fb fb fb >ffff888009ecc680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff888009ecc700: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb ffff888009ecc780: fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc ================================================================== ================================================================== BUG: KASAN: slab-use-after-free in fuse_uring_stop_list_entries+0x786/0x990 Read of size 8 at addr ffff888009ecc658 by task repro_minimal_u/152 CPU: 0 UID: 1000 PID: 152 Comm: repro_minimal_u Tainted: G B W 7.1.0-rc6 #1 PREEMPT(lazy) Tainted: [B]=BAD_PAGE, [W]=WARN Hardware name: QEMU Ubuntu 24.04 PC v2 (i440FX + PIIX, arch_caps fix, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 Call Trace: dump_stack_lvl+0x7b/0xa0 print_report+0xce/0x5f0 kasan_report+0xce/0x100 fuse_uring_stop_list_entries+0x786/0x990 fuse_uring_teardown_all_queues+0xb0/0x120 fuse_uring_stop_queues+0x1f/0x230 fuse_abort_conn+0xac7/0xd40 fuse_dev_release+0x3a3/0x4d0 __fput+0x38c/0xa70 fput_close_sync+0xfa/0x1f0 __x64_sys_close+0x87/0xf0 do_syscall_64+0x102/0x5a0 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7fb20617974c Code: 0f 05 48 3d 00 f0 ff ff 77 3c c3 0f 1f 00 55 48 89 e5 48 83 ec 10 89 7d fc e8 10 1e f8 ff 8b 7d fc 89 c2 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 2c 89 d7 89 45 fc e8 72 1e f8 ff 8b 45 fc c9 RSP: 002b:0000558c9601fe50 EFLAGS: 00000293 ORIG_RAX: 0000000000000003 RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fb20617974c RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003 RBP: 0000558c9601fe60 R08: 0000000000000000 R09: 00007fb206277000 R10: 0000000000000000 R11: 0000000000000293 R12: 0000558c95f04a10 R13: 0000000000006e2b R14: 0000000000006e5d R15: 0000558c9601feb0 Allocated by task 153 on cpu 0 at 28.466485s: kasan_save_stack+0x33/0x60 kasan_save_track+0x17/0x60 __kasan_slab_alloc+0x6e/0x70 kmem_cache_alloc_noprof+0xfd/0x380 fuse_request_alloc+0x22/0x200 fuse_get_req+0x295/0x8c0 __fuse_simple_request+0x9d/0xd40 fuse_send_open+0x1cc/0x270 fuse_file_open+0x2e4/0x810 fuse_do_open+0x50/0xc0 fuse_dir_open+0x10d/0x260 do_dentry_open+0x5cc/0x1340 vfs_open+0x79/0x390 path_openat+0x22f6/0x3bc0 do_file_open+0x219/0x470 do_sys_openat2+0xed/0x1b0 __x64_sys_openat+0x131/0x1e0 do_syscall_64+0x102/0x5a0 entry_SYSCALL_64_after_hwframe+0x77/0x7f Freed by task 153 on cpu 0 at 28.574662s: kasan_save_stack+0x33/0x60 kasan_save_track+0x17/0x60 kasan_save_free_info+0x3b/0x60 __kasan_slab_free+0x43/0x70 kmem_cache_free+0xba/0x3b0 fuse_put_request+0x190/0x2a0 __fuse_simple_request+0x4d0/0xd40 fuse_send_open+0x1cc/0x270 fuse_file_open+0x2e4/0x810 fuse_do_open+0x50/0xc0 fuse_dir_open+0x10d/0x260 do_dentry_open+0x5cc/0x1340 vfs_open+0x79/0x390 path_openat+0x22f6/0x3bc0 do_file_open+0x219/0x470 do_sys_openat2+0xed/0x1b0 __x64_sys_openat+0x131/0x1e0 do_syscall_64+0x102/0x5a0 entry_SYSCALL_64_after_hwframe+0x77/0x7f The buggy address belongs to the object at ffff888009ecc658 which belongs to the cache fuse_request of size 168 The buggy address is located 0 bytes inside of freed 168-byte region [ffff888009ecc658, ffff888009ecc700) The buggy address belongs to the physical page: page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff888009ecc828 pfn:0x9ecc flags: 0x100000000000200(workingset|node=0|zone=1) page_type: f5(slab) raw: 0100000000000200 ffff88800a48c8c0 ffff88800a486990 ffff88800a486990 raw: ffff888009ecc828 0000000000110009 00000000f5000000 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff888009ecc500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff888009ecc580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff888009ecc600: fc fc fc fc fc fc fc fc fc fc fc fa fb fb fb fb ^ ffff888009ecc680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff888009ecc700: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb ================================================================== ================================================================== BUG: KASAN: slab-use-after-free in fuse_uring_stop_list_entries+0x7e1/0x990 Read of size 8 at addr ffff888009ecc660 by task repro_minimal_u/152 CPU: 0 UID: 1000 PID: 152 Comm: repro_minimal_u Tainted: G B W 7.1.0-rc6 #1 PREEMPT(lazy) Tainted: [B]=BAD_PAGE, [W]=WARN Hardware name: QEMU Ubuntu 24.04 PC v2 (i440FX + PIIX, arch_caps fix, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 Call Trace: dump_stack_lvl+0x7b/0xa0 print_report+0xce/0x5f0 kasan_report+0xce/0x100 fuse_uring_stop_list_entries+0x7e1/0x990 fuse_uring_teardown_all_queues+0xb0/0x120 fuse_uring_stop_queues+0x1f/0x230 fuse_abort_conn+0xac7/0xd40 fuse_dev_release+0x3a3/0x4d0 __fput+0x38c/0xa70 fput_close_sync+0xfa/0x1f0 __x64_sys_close+0x87/0xf0 do_syscall_64+0x102/0x5a0 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7fb20617974c Code: 0f 05 48 3d 00 f0 ff ff 77 3c c3 0f 1f 00 55 48 89 e5 48 83 ec 10 89 7d fc e8 10 1e f8 ff 8b 7d fc 89 c2 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 2c 89 d7 89 45 fc e8 72 1e f8 ff 8b 45 fc c9 RSP: 002b:0000558c9601fe50 EFLAGS: 00000293 ORIG_RAX: 0000000000000003 RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fb20617974c RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003 RBP: 0000558c9601fe60 R08: 0000000000000000 R09: 00007fb206277000 R10: 0000000000000000 R11: 0000000000000293 R12: 0000558c95f04a10 R13: 0000000000006e2b R14: 0000000000006e5d R15: 0000558c9601feb0 Allocated by task 153 on cpu 0 at 28.466485s: kasan_save_stack+0x33/0x60 kasan_save_track+0x17/0x60 __kasan_slab_alloc+0x6e/0x70 kmem_cache_alloc_noprof+0xfd/0x380 fuse_request_alloc+0x22/0x200 fuse_get_req+0x295/0x8c0 __fuse_simple_request+0x9d/0xd40 fuse_send_open+0x1cc/0x270 fuse_file_open+0x2e4/0x810 fuse_do_open+0x50/0xc0 fuse_dir_open+0x10d/0x260 do_dentry_open+0x5cc/0x1340 vfs_open+0x79/0x390 path_openat+0x22f6/0x3bc0 do_file_open+0x219/0x470 do_sys_openat2+0xed/0x1b0 __x64_sys_openat+0x131/0x1e0 do_syscall_64+0x102/0x5a0 entry_SYSCALL_64_after_hwframe+0x77/0x7f Freed by task 153 on cpu 0 at 28.574662s: kasan_save_stack+0x33/0x60 kasan_save_track+0x17/0x60 kasan_save_free_info+0x3b/0x60 __kasan_slab_free+0x43/0x70 kmem_cache_free+0xba/0x3b0 fuse_put_request+0x190/0x2a0 __fuse_simple_request+0x4d0/0xd40 fuse_send_open+0x1cc/0x270 fuse_file_open+0x2e4/0x810 fuse_do_open+0x50/0xc0 fuse_dir_open+0x10d/0x260 do_dentry_open+0x5cc/0x1340 vfs_open+0x79/0x390 path_openat+0x22f6/0x3bc0 do_file_open+0x219/0x470 do_sys_openat2+0xed/0x1b0 __x64_sys_openat+0x131/0x1e0 do_syscall_64+0x102/0x5a0 entry_SYSCALL_64_after_hwframe+0x77/0x7f The buggy address belongs to the object at ffff888009ecc658 which belongs to the cache fuse_request of size 168 The buggy address is located 8 bytes inside of freed 168-byte region [ffff888009ecc658, ffff888009ecc700) The buggy address belongs to the physical page: page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff888009ecc828 pfn:0x9ecc flags: 0x100000000000200(workingset|node=0|zone=1) page_type: f5(slab) raw: 0100000000000200 ffff88800a48c8c0 ffff88800a486990 ffff88800a486990 raw: ffff888009ecc828 0000000000110009 00000000f5000000 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff888009ecc500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff888009ecc580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff888009ecc600: fc fc fc fc fc fc fc fc fc fc fc fa fb fb fb fb ^ ffff888009ecc680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff888009ecc700: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb ================================================================== ================================================================== BUG: KASAN: slab-use-after-free in fuse_uring_stop_list_entries+0x7c8/0x990 Write of size 8 at addr ffff88800c0c7908 by task repro_minimal_u/152 CPU: 0 UID: 1000 PID: 152 Comm: repro_minimal_u Tainted: G B W 7.1.0-rc6 #1 PREEMPT(lazy) Tainted: [B]=BAD_PAGE, [W]=WARN Hardware name: QEMU Ubuntu 24.04 PC v2 (i440FX + PIIX, arch_caps fix, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 Call Trace: dump_stack_lvl+0x7b/0xa0 print_report+0xce/0x5f0 kasan_report+0xce/0x100 fuse_uring_stop_list_entries+0x7c8/0x990 fuse_uring_teardown_all_queues+0xb0/0x120 fuse_uring_stop_queues+0x1f/0x230 fuse_abort_conn+0xac7/0xd40 fuse_dev_release+0x3a3/0x4d0 __fput+0x38c/0xa70 fput_close_sync+0xfa/0x1f0 __x64_sys_close+0x87/0xf0 do_syscall_64+0x102/0x5a0 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7fb20617974c Code: 0f 05 48 3d 00 f0 ff ff 77 3c c3 0f 1f 00 55 48 89 e5 48 83 ec 10 89 7d fc e8 10 1e f8 ff 8b 7d fc 89 c2 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 2c 89 d7 89 45 fc e8 72 1e f8 ff 8b 45 fc c9 RSP: 002b:0000558c9601fe50 EFLAGS: 00000293 ORIG_RAX: 0000000000000003 RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fb20617974c RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003 RBP: 0000558c9601fe60 R08: 0000000000000000 R09: 00007fb206277000 R10: 0000000000000000 R11: 0000000000000293 R12: 0000558c95f04a10 R13: 0000000000006e2b R14: 0000000000006e5d R15: 0000558c9601feb0 Allocated by task 153 on cpu 0 at 28.466479s: kasan_save_stack+0x33/0x60 kasan_save_track+0x17/0x60 __kasan_kmalloc+0x8f/0xa0 fuse_file_alloc+0xba/0x2c0 fuse_file_open+0x22d/0x810 fuse_do_open+0x50/0xc0 fuse_dir_open+0x10d/0x260 do_dentry_open+0x5cc/0x1340 vfs_open+0x79/0x390 path_openat+0x22f6/0x3bc0 do_file_open+0x219/0x470 do_sys_openat2+0xed/0x1b0 __x64_sys_openat+0x131/0x1e0 do_syscall_64+0x102/0x5a0 entry_SYSCALL_64_after_hwframe+0x77/0x7f Freed by task 153 on cpu 0 at 28.574668s: kasan_save_stack+0x33/0x60 kasan_save_track+0x17/0x60 kasan_save_free_info+0x3b/0x60 __kasan_slab_free+0x43/0x70 kfree+0x133/0x3a0 fuse_file_open+0x524/0x810 fuse_do_open+0x50/0xc0 fuse_dir_open+0x10d/0x260 do_dentry_open+0x5cc/0x1340 vfs_open+0x79/0x390 path_openat+0x22f6/0x3bc0 do_file_open+0x219/0x470 do_sys_openat2+0xed/0x1b0 __x64_sys_openat+0x131/0x1e0 do_syscall_64+0x102/0x5a0 entry_SYSCALL_64_after_hwframe+0x77/0x7f The buggy address belongs to the object at ffff88800c0c7900 which belongs to the cache kmalloc-192 of size 192 The buggy address is located 8 bytes inside of freed 192-byte region [ffff88800c0c7900, ffff88800c0c79c0) The buggy address belongs to the physical page: page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0xc0c7 flags: 0x100000000000000(node=0|zone=1) page_type: f5(slab) raw: 0100000000000000 ffff8880090413c0 dead000000000100 dead000000000122 raw: 0000000000000000 0000000000100010 00000000f5000000 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff88800c0c7800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff88800c0c7880: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc >ffff88800c0c7900: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff88800c0c7980: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc ffff88800c0c7a00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ================================================================== Oops: general protection fault, probably for non-canonical address 0xe03a7c15c0000013: 0000 [#1] SMP KASAN PTI KASAN: maybe wild-memory-access in range [0x01d400ae00000098-0x01d400ae0000009f] CPU: 0 UID: 1000 PID: 152 Comm: repro_minimal_u Tainted: G B W 7.1.0-rc6 #1 PREEMPT(lazy) Tainted: [B]=BAD_PAGE, [W]=WARN Hardware name: QEMU Ubuntu 24.04 PC v2 (i440FX + PIIX, arch_caps fix, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 RIP: 0010:fuse_uring_stop_list_entries+0x332/0x990 Code: 85 ca 04 00 00 48 8d 7e 08 49 8b 4d 08 49 89 f8 49 c1 e8 03 41 80 3c 28 00 0f 85 92 04 00 00 48 89 cf 48 89 4e 08 48 c1 ef 03 <80> 3c 2f 00 0f 85 5c 04 00 00 48 89 31 4c 89 e9 48 c1 e9 03 80 3c RSP: 0018:ffffc90000a5fb08 EFLAGS: 00010202 RAX: 0000000000000001 RBX: ffff888009f68c00 RCX: 01d400ae00000099 RDX: ffff888009e95000 RSI: ffff88800c0c7900 RDI: 003a8015c0000013 RBP: dffffc0000000000 R08: 0000000000000001 R09: fffffbfff11d1438 R10: ffffffff88e8a1c7 R11: 0000000000000001 R12: ffff88800c0c7b00 R13: ffff888009ecc658 R14: ffff888009f68c20 R15: ffffc90000a5fb50 FS: 00007fb206060800(0000) GS:ffff8880acde2000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fb20615ca10 CR3: 000000000dc18000 CR4: 00000000000006f0 Call Trace: fuse_uring_teardown_all_queues+0xb0/0x120 fuse_uring_stop_queues+0x1f/0x230 fuse_abort_conn+0xac7/0xd40 fuse_dev_release+0x3a3/0x4d0 __fput+0x38c/0xa70 fput_close_sync+0xfa/0x1f0 __x64_sys_close+0x87/0xf0 do_syscall_64+0x102/0x5a0 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7fb20617974c Code: 0f 05 48 3d 00 f0 ff ff 77 3c c3 0f 1f 00 55 48 89 e5 48 83 ec 10 89 7d fc e8 10 1e f8 ff 8b 7d fc 89 c2 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 2c 89 d7 89 45 fc e8 72 1e f8 ff 8b 45 fc c9 RSP: 002b:0000558c9601fe50 EFLAGS: 00000293 ORIG_RAX: 0000000000000003 RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fb20617974c RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003 RBP: 0000558c9601fe60 R08: 0000000000000000 R09: 00007fb206277000 R10: 0000000000000000 R11: 0000000000000293 R12: 0000558c95f04a10 R13: 0000000000006e2b R14: 0000000000006e5d R15: 0000558c9601feb0 Modules linked in: ---[ end trace 0000000000000000 ]--- RIP: 0010:fuse_uring_stop_list_entries+0x332/0x990 Code: 85 ca 04 00 00 48 8d 7e 08 49 8b 4d 08 49 89 f8 49 c1 e8 03 41 80 3c 28 00 0f 85 92 04 00 00 48 89 cf 48 89 4e 08 48 c1 ef 03 <80> 3c 2f 00 0f 85 5c 04 00 00 48 89 31 4c 89 e9 48 c1 e9 03 80 3c RSP: 0018:ffffc90000a5fb08 EFLAGS: 00010202 RAX: 0000000000000001 RBX: ffff888009f68c00 RCX: 01d400ae00000099 RDX: ffff888009e95000 RSI: ffff88800c0c7900 RDI: 003a8015c0000013 RBP: dffffc0000000000 R08: 0000000000000001 R09: fffffbfff11d1438 R10: ffffffff88e8a1c7 R11: 0000000000000001 R12: ffff88800c0c7b00 R13: ffff888009ecc658 R14: ffff888009f68c20 R15: ffffc90000a5fb50 FS: 00007fb206060800(0000) GS:ffff8880acde2000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fb20615ca10 CR3: 000000000dc18000 CR4: 00000000000006f0 ---------------- Code disassembly (best guess): 0: 85 ca test %ecx,%edx 2: 04 00 add $0x0,%al 4: 00 48 8d add %cl,-0x73(%rax) 7: 7e 08 jle 0x11 9: 49 8b 4d 08 mov 0x8(%r13),%rcx d: 49 89 f8 mov %rdi,%r8 10: 49 c1 e8 03 shr $0x3,%r8 14: 41 80 3c 28 00 cmpb $0x0,(%r8,%rbp,1) 19: 0f 85 92 04 00 00 jne 0x4b1 1f: 48 89 cf mov %rcx,%rdi 22: 48 89 4e 08 mov %rcx,0x8(%rsi) 26: 48 c1 ef 03 shr $0x3,%rdi * 2a: 80 3c 2f 00 cmpb $0x0,(%rdi,%rbp,1) <-- trapping instruction 2e: 0f 85 5c 04 00 00 jne 0x490 34: 48 89 31 mov %rsi,(%rcx) 37: 4c 89 e9 mov %r13,%rcx 3a: 48 c1 e9 03 shr $0x3,%rcx 3e: 80 .byte 0x80 3f: 3c .byte 0x3c TITLE: WARNING in inval_wq_set CORRUPTED: false () SUPPRESSED: false MAINTAINERS (TO): [linux-fsdevel@vger.kernel.org miklos@szeredi.hu] MAINTAINERS (CC): [linux-kernel@vger.kernel.org] x86_64_start_kernel+0x111/0x120 common_startup_64+0x13e/0x148 ---[ end trace 0000000000000000 ]--- ------------[ cut here ]------------ WARNING: kernel/workqueue.c:2551 at __queue_delayed_work+0x303/0x3c0, CPU#0: swapper/0 Modules linked in: CPU: 0 UID: 0 PID: 0 Comm: swapper Tainted: G W 7.1.0-rc6 #1 PREEMPT(undef) Tainted: [W]=WARN Hardware name: QEMU Ubuntu 24.04 PC v2 (i440FX + PIIX, arch_caps fix, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 RIP: 0010:__queue_delayed_work+0x303/0x3c0 Code: 0f 0b 90 e9 e7 fe ff ff e8 ba 02 2e 00 90 0f 0b 90 e9 5d fd ff ff e8 ac 02 2e 00 90 0f 0b 90 e9 80 fd ff ff e8 9e 02 2e 00 90 <0f> 0b 90 e9 a3 fd ff ff e8 90 02 2e 00 bf 03 00 00 00 e8 c6 a3 0e RSP: 0000:ffffffff86807cc0 EFLAGS: 00010093 ORIG_RAX: 0000000000000000 RAX: 0000000000000000 RBX: ffffffff88eff8a0 RCX: ffffffff81490672 RDX: ffffffff86816f80 RSI: 0000000000000000 RDI: ffffffff88eff8c8 RBP: 0000000000001388 R08: 0000000000000001 R09: fffffbfff11dff14 R10: ffffffff88eff8a7 R11: 0000000000000001 R12: 0000000000000040 R13: 0000000000000000 R14: ffffffff88eff8c0 R15: ffffffff88eff8a8 FS: 0000000000000000(0000) GS:ffff8880acde2000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: ffff888008f4d000 CR3: 000000000688a000 CR4: 00000000000000b0 Call Trace: queue_delayed_work_on+0x8a/0x90 inval_wq_set+0x1c3/0x210 parse_args+0x50c/0x840 start_kernel+0xeb/0x450 x86_64_start_reservations+0x18/0x30 x86_64_start_kernel+0x111/0x120 common_startup_64+0x13e/0x148 ---[ end trace 0000000000000000 ]--- Unknown kernel command line parameters "nokaslr nmi_watchdog=0", will be passed to user space. printk: log buffer data + meta data: 262144 + 917504 = 1179648 bytes Dentry cache hash table entries: 131072 (order: 8, 1048576 bytes, linear) Inode-cache hash table entries: 65536 (order: 7, 524288 bytes, linear) Fallback order for Node 0: 0 Built 1 zonelists, mobility grouping on. Total pages: 262014 Policy zone: DMA32 mem auto-init: stack:all(zero), heap alloc:off, heap free:off stackdepot: allocating hash table via alloc_large_system_hash stackdepot hash table entries: 1048576 (order: 12, 16777216 bytes, linear) stackdepot: allocating space for 8192 stack pools via memblock SLUB: HWalign=64, Order=0-3, MinObjects=0, CPUs=1, Nodes=1 Kernel/User page tables isolation: enabled Dynamic Preempt: lazy rcu: Preemptible hierarchical RCU implementation. rcu: RCU event tracing is enabled. rcu: RCU restricting CPUs from NR_CPUS=64 to nr_cpu_ids=1. Trampoline variant of Tasks RCU enabled. Tracing variant of Tasks RCU enabled. rcu: RCU calculated value of scheduler-enlistment delay is 100 jiffies. rcu: Adjusting geometry for rcu_fanout_leaf=16, nr_cpu_ids=1 RCU Tasks: Setting shift to 0 and lim to 1 rcu_task_cb_adjust=1 rcu_task_cpu_ids=1. NR_IRQS: 4352, nr_irqs: 256, preallocated irqs: 16 rcu: srcu_init: Setting srcu_struct sizes based on contention. Console: colour VGA+ 80x25 printk: legacy console [ttyS0] enabled ACPI: Core revision 20251212 clocksource: hpet: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 19112604467 ns APIC: Switch to symmetric I/O mode setup x2apic enabled APIC: Switched APIC routing to: physical x2apic ..TIMER: vector=0x30 apic1=0 pin1=2 apic2=-1 pin2=-1 clocksource: tsc-early: mask: 0xffffffffffffffff max_cycles: 0x2b2c8d6afc8, max_idle_ns: 440795331172 ns Calibrating delay loop (skipped) preset value.. 5990.39 BogoMIPS (lpj=2995198) Last level iTLB entries: 4KB 0, 2MB 0, 4MB 0 Last level dTLB entries: 4KB 0, 2MB 0, 4MB 0, 1GB 0 mitigations: Enabled attack vectors: user_kernel, user_user, SMT mitigations: auto Speculative Store Bypass: Vulnerable Spectre V2 : Mitigation: Retpolines ITS: Mitigation: Aligned branch/return thunks MDS: Vulnerable: Clear CPU buffers attempted, no microcode Spectre V1 : Mitigation: usercopy/swapgs barriers and __user pointer sanitization Spectre V2 : Spectre v2 / SpectreRSB: Filling RSB on context switch and VMEXIT active return thunk: its_return_thunk x86/fpu: x87 FPU will use FXSAVE pid_max: default: 32768 minimum: 301 SELinux: Initializing. Mount-cache hash table entries: 2048 (order: 2, 16384 bytes, linear) Mountpoint-cache hash table entries: 2048 (order: 2, 16384 bytes, linear) VFS: Finished mounting rootfs on nullfs smpboot: CPU0: Intel QEMU Virtual CPU version 2.5+ (family: 0xf, model: 0x6b, stepping: 0x1) Performance Events: unsupported Netburst CPU model 107 no PMU driver, software events only. signal: max sigframe size: 1440 rcu: Hierarchical SRCU implementation. rcu: Max phase no-delay instances is 400. smp: Bringing up secondary CPUs ... smp: Brought up 1 node, 1 CPU smpboot: Total of 1 processors activated (5990.39 BogoMIPS) Memory: 729872K/1048056K available (72949K kernel code, 16656K rwdata, 15568K rodata, 11404K init, 904K bss, 313228K reserved, 0K cma-reserved) devtmpfs: initialized clocksource: jiffies: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 1911260446275000 ns posixtimers hash table entries: 512 (order: 1, 8192 bytes, linear) futex hash table entries: 256 (16384 bytes on 1 NUMA nodes, total 16 KiB, linear). PM: RTC time: 06:15:56, date: 2026-06-01 NET: Registered PF_NETLINK/PF_ROUTE protocol family audit: initializing netlink subsys (disabled) audit: type=2000 audit(1780294556.553:1): state=initialized audit_enabled=0 res=1 thermal_sys: Registered thermal governor 'step_wise' cpuidle: using governor menu Freeing SMP alternatives memory: 68K PCI: Using configuration type 1 for base access kprobes: kprobe jump-optimization is enabled. All kprobes are optimized if possible. HugeTLB: registered 2.00 MiB page size, pre-allocated 0 pages HugeTLB: 28 KiB vmemmap can be freed for a 2.00 MiB page raid6: sse2x4 gen() 11548 MB/s raid6: sse2x2 gen() 7908 MB/s raid6: sse2x1 gen() 7028 MB/s raid6: using algorithm sse2x4 gen() 11548 MB/s raid6: .... xor() 3224 MB/s, rmw enabled raid6: using intx1 recovery algorithm ACPI: Added _OSI(Module Device) ACPI: Added _OSI(Processor Device) ACPI: Added _OSI(Processor Aggregator Device) ACPI: 1 ACPI AML tables successfully acquired and loaded ACPI: \_SB_: platform _OSC: OS support mask [002a7eee] ACPI: Interpreter enabled ACPI: PM: (supports S0 S3 S4 S5) ACPI: Using IOAPIC for interrupt routing PCI: Using host bridge windows from ACPI; if necessary, use "pci=nocrs" and report a bug PCI: Using E820 reservations for host bridge windows ACPI: Enabled 2 GPEs in block 00 to 0F ACPI: PCI Root Bridge [PCI0] (domain 0000 [bus 00-ff]) acpi PNP0A03:00: _OSC: OS supports [ASPM ClockPM Segments MSI HPX-Type3] acpi PNP0A03:00: _OSC: not requesting OS control; OS requires [ExtendedConfig ASPM ClockPM MSI] acpi PNP0A03:00: _OSC: platform retains control of PCIe features (AE_ERROR) acpi PNP0A03:00: fail to add MMCONFIG information, can't access extended configuration space under this bridge PCI host bridge to bus 0000:00 pci_bus 0000:00: root bus resource [io 0x0000-0x0cf7 window] pci_bus 0000:00: root bus resource [io 0x0d00-0xffff window] pci_bus 0000:00: root bus resource [mem 0x000a0000-0x000bffff window] pci_bus 0000:00: root bus resource [mem 0x40000000-0xfebfffff window] pci_bus 0000:00: root bus resource [mem 0x100000000-0x17fffffff window] pci_bus 0000:00: root bus resource [bus 00-ff] pci 0000:00:00.0: [8086:1237] type 00 class 0x060000 conventional PCI endpoint pci 0000:00:01.0: [8086:7000] type 00 class 0x060100 conventional PCI endpoint pci 0000:00:01.1: [8086:7010] type 00 class 0x010180 conventional PCI endpoint pci 0000:00:01.1: BAR 4 [io 0xc0a0-0xc0af] pci 0000:00:01.1: BAR 0 [io 0x01f0-0x01f7]: legacy IDE quirk pci 0000:00:01.1: BAR 1 [io 0x03f6]: legacy IDE quirk pci 0000:00:01.1: BAR 2 [io 0x0170-0x0177]: legacy IDE quirk pci 0000:00:01.1: BAR 3 [io 0x0376]: legacy IDE quirk pci 0000:00:01.3: [8086:7113] type 00 class 0x068000 conventional PCI endpoint pci 0000:00:01.3: quirk: [io 0x0600-0x063f] claimed by PIIX4 ACPI pci 0000:00:01.3: quirk: [io 0x0700-0x070f] claimed by PIIX4 SMB pci 0000:00:02.0: [1234:1111] type 00 class 0x030000 conventional PCI endpoint pci 0000:00:02.0: BAR 0 [mem 0xfd000000-0xfdffffff pref] pci 0000:00:02.0: BAR 2 [mem 0xfebb0000-0xfebb0fff] pci 0000:00:02.0: ROM [mem 0xfeba0000-0xfebaffff pref] pci 0000:00:02.0: Video device with shadowed ROM at [mem 0x000c0000-0x000dffff] pci 0000:00:03.0: [1af4:1005] type 00 class 0x00ff00 conventional PCI endpoint pci 0000:00:03.0: BAR 0 [io 0xc080-0xc09f] pci 0000:00:03.0: BAR 1 [mem 0xfebb1000-0xfebb1fff] pci 0000:00:03.0: BAR 4 [mem 0xfe000000-0xfe003fff 64bit pref] pci 0000:00:04.0: [8086:100e] type 00 class 0x020000 conventional PCI endpoint pci 0000:00:04.0: BAR 0 [mem 0xfeb80000-0xfeb9ffff] pci 0000:00:04.0: BAR 1 [io 0xc000-0xc03f] pci 0000:00:04.0: ROM [mem 0xfeb00000-0xfeb7ffff pref] pci 0000:00:05.0: [1af4:1009] type 00 class 0x000200 conventional PCI endpoint pci 0000:00:05.0: BAR 0 [io 0xc040-0xc07f] pci 0000:00:05.0: BAR 1 [mem 0xfebb2000-0xfebb2fff] pci 0000:00:05.0: BAR 4 [mem 0xfe004000-0xfe007fff 64bit pref] ACPI: PCI: Interrupt link LNKA configured for IRQ 10 ACPI: PCI: Interrupt link LNKB configured for IRQ 10 ACPI: PCI: Interrupt link LNKC configured for IRQ 11 ACPI: PCI: Interrupt link LNKD configured for IRQ 11 ACPI: PCI: Interrupt link LNKS configured for IRQ 9 iommu: Default domain type: Translated iommu: DMA domain TLB invalidation policy: lazy mode SCSI subsystem initialized ACPI: bus type USB registered usbcore: registered new interface driver usbfs usbcore: registered new interface driver hub usbcore: registered new device driver usb pps_core: LinuxPPS API ver. 1 registered pps_core: Software ver. 5.3.6 - Copyright 2005-2007 Rodolfo Giometti PTP clock support registered Advanced Linux Sound Architecture Driver Initialized. NetLabel: Initializing NetLabel: domain hash size = 128 NetLabel: protocols = UNLABELED CIPSOv4 CALIPSO NetLabel: unlabeled traffic allowed by default PCI: Using ACPI for IRQ routing e820: register RAM buffer resource [mem 0x0009fc00-0x0009ffff] e820: register RAM buffer resource [mem 0x3ffe0000-0x3fffffff] pci 0000:00:02.0: vgaarb: setting as boot VGA device pci 0000:00:02.0: vgaarb: bridge control possible pci 0000:00:02.0: vgaarb: VGA device added: decodes=io+mem,owns=io+mem,locks=none vgaarb: loaded hpet: 3 channels of 0 reserved for per-cpu timers hpet0: at MMIO 0xfed00000, IRQs 2, 8, 0 hpet0: 3 comparators, 64-bit 100.000000 MHz counter clocksource: Switched to clocksource kvm-clock VFS: Disk quotas dquot_6.6.0 VFS: Dquot-cache hash table entries: 512 (order 0, 4096 bytes) pnp: PnP ACPI init pnp: PnP ACPI: found 5 devices clocksource: acpi_pm: mask: 0xffffff max_cycles: 0xffffff, max_idle_ns: 2085701024 ns NET: Registered PF_INET protocol family IP idents hash table entries: 16384 (order: 5, 131072 bytes, linear) tcp_listen_portaddr_hash hash table entries: 512 (order: 1, 8192 bytes, linear) Table-perturb hash table entries: 65536 (order: 6, 262144 bytes, linear) TCP established hash table entries: 8192 (order: 4, 65536 bytes, linear) TCP bind hash table entries: 8192 (order: 6, 262144 bytes, linear) TCP: Hash tables configured (established 8192 bind 8192) UDP hash table entries: 512 (order: 3, 32768 bytes, linear) NET: Registered PF_UNIX/PF_LOCAL protocol family RPC: Registered named UNIX socket transport module. RPC: Registered udp transport module. RPC: Registered tcp transport module. RPC: Registered tcp-with-tls transport module. RPC: Registered tcp NFSv4.1 backchannel transport module. pci_bus 0000:00: resource 4 [io 0x0000-0x0cf7 window] pci_bus 0000:00: resource 5 [io 0x0d00-0xffff window] pci_bus 0000:00: resource 6 [mem 0x000a0000-0x000bffff window] pci_bus 0000:00: resource 7 [mem 0x40000000-0xfebfffff window] pci_bus 0000:00: resource 8 [mem 0x100000000-0x17fffffff window] pci 0000:00:01.0: PIIX3: Enabling Passive Release pci 0000:00:00.0: Limiting direct PCI/PCI transfers PCI: CLS 0 bytes, default 64 clocksource: tsc: mask: 0xffffffffffffffff max_cycles: 0x2b2c8d6afc8, max_idle_ns: 440795331172 ns Initialise system trusted keyrings workingset: timestamp_bits=56 (anon: 52) max_order=18 bucket_order=0 (anon: 0) squashfs: version 4.0 (2009/01/31) Phillip Lougher NFS: Registering the id_resolver key type Key type id_resolver registered Key type id_legacy registered nfs4filelayout_init: NFSv4 File Layout Driver Registering... nfs4flexfilelayout_init: NFSv4 Flexfile Layout Driver Registering... fuse: init (API version 7.45) JFS: nTxBlock = 5741, nTxLock = 45931 SGI XFS with security attributes, scrub, repair, no debug enabled 9p: Installing v9fs 9p2000 file system support NILFS version 2 loaded Key type asymmetric registered Asymmetric key parser 'x509' registered Block layer SCSI generic (bsg) driver version 0.4 loaded (major 251) io scheduler mq-deadline registered io scheduler kyber registered xor: measuring software checksum speed prefetch64-sse : 19896 MB/sec sse : 20525 MB/sec xor: using function: sse (20525 MB/sec) input: Power Button as /devices/platform/LNXPWRBN:00/input/input0 ACPI: button: Power Button [PWRF] kwatchdog (49) used greatest stack depth: 30424 bytes left ACPI: \_SB_.LNKC: Enabled at IRQ 11 ACPI: \_SB_.LNKA: Enabled at IRQ 10 Serial: 8250/16550 driver, 4 ports, IRQ sharing enabled 00:04: ttyS0 at I/O 0x3f8 (irq = 4, base_baud = 115200) is a 16550A Non-volatile memory driver v1.3 ACPI: bus type drm_connector registered loop: module loaded scsi host0: ata_piix scsi host1: ata_piix ata1: PATA max MWDMA2 cmd 0x1f0 ctl 0x3f6 bmdma 0xc0a0 irq 14 lpm-pol 0 ata2: PATA max MWDMA2 cmd 0x170 ctl 0x376 bmdma 0xc0a8 irq 15 lpm-pol 0 e100: Intel(R) PRO/100 Network Driver e100: Copyright(c) 1999-2006 Intel Corporation e1000: Intel(R) PRO/1000 Network Driver e1000: Copyright (c) 1999-2006 Intel Corporation. ata2: found unknown device (class 0) ata2.00: ATAPI: QEMU DVD-ROM, 2.5+, max UDMA/100 scsi 1:0:0:0: CD-ROM QEMU QEMU DVD-ROM 2.5+ PQ: 0 ANSI: 5 sr 1:0:0:0: [sr0] scsi3-mmc drive: 4x/4x cd/rw xa/form2 tray cdrom: Uniform CD-ROM driver Revision: 3.20 sr 1:0:0:0: Attached scsi generic sg0 type 5 ACPI: \_SB_.LNKD: Enabled at IRQ 11 e1000 0000:00:04.0 eth0: (PCI:33MHz:32-bit) 52:54:00:12:34:56 e1000 0000:00:04.0 eth0: Intel(R) PRO/1000 Network Connection e1000e: Intel(R) PRO/1000 Network Driver e1000e: Copyright(c) 1999 - 2015 Intel Corporation. sky2: driver version 1.30 usbcore: registered new interface driver usblp usbcore: registered new interface driver usb-storage i8042: PNP: PS/2 Controller [PNP0303:KBD,PNP0f13:MOU] at 0x60,0x64 irq 1,12 serio: i8042 KBD port at 0x60,0x64 irq 1 serio: i8042 AUX port at 0x60,0x64 irq 12 rtc_cmos PNP0B00:00: RTC can wake from S4 input: AT Translated Set 2 keyboard as /devices/platform/i8042/serio0/input/input1 rtc_cmos PNP0B00:00: registered as rtc0 rtc_cmos PNP0B00:00: alarms up to one day, y3k, 242 bytes nvram, hpet irqs device-mapper: ioctl: 4.50.0-ioctl (2025-04-28) initialised: dm-devel@lists.linux.dev intel_pstate: CPU model not supported hid: raw HID events driver (C) Jiri Kosina usbcore: registered new interface driver usbhid usbhid: USB HID core driver Initializing XFRM netlink socket NET: Registered PF_INET6 protocol family Segment Routing with IPv6 In-situ OAM (IOAM) with IPv6 NET: Registered PF_PACKET protocol family 9pnet: Installing 9P2000 support Key type dns_resolver registered IPI shorthand broadcast: enabled sched_clock: Marking stable (6156013197, 314166715)->(6558734503, -88554591) registered taskstats version 1 Loading compiled-in X.509 certificates Demotion targets for Node 0: null Btrfs loaded, zoned=no, fsverity=no PM: Magic number: 14:427:265 netconsole: network logging started cfg80211: Loading compiled-in X.509 certificates for regulatory database kworker/u4:3 (58) used greatest stack depth: 29088 bytes left Loaded X.509 cert 'sforshee: 00b28ddf47aef9cea7' Loaded X.509 cert 'wens: 61c038651aabdcf94bd0ac7ff06c7248db18c600' ALSA device list: faux_driver regulatory: Direct firmware load for regulatory.db failed with error -2 No soundcards found. cfg80211: failed to load regulatory.db input: ImExPS/2 Generic Explorer Mouse as /devices/platform/i8042/serio1/input/input3 md: Waiting for all devices to be available before autodetect md: If you don't use raid, use raid=noautodetect md: Autodetecting RAID arrays. md: autorun ... md: ... autorun DONE. VFS: Mounted root (9p filesystem) readonly on device 0:20. devtmpfs: mounted VFS: Pivoted into new rootfs Freeing unused kernel image (initmem) memory: 11404K Write protecting the kernel read-only data: 90112k Freeing unused kernel image (text/rodata gap) memory: 776K Freeing unused kernel image (rodata/data gap) memory: 816K x86/mm: Checked W+X mappings: passed, no W+X pages found. x86/mm: Checking user space page tables x86/mm: Checked W+X mappings: passed, no W+X pages found. Run /home/neck392/kernel-lab/syzkaller-workdir-fuse/instance-0/init.sh as init process mount (61) used greatest stack depth: 25672 bytes left ip (79) used greatest stack depth: 24416 bytes left e1000: eth0 NIC Link is Up 1000 Mbps Full Duplex, Flow Control: RX random: crng init done ------------[ cut here ]------------ WARNING: fs/fuse/dev_uring.c:865 at fuse_uring_cmd+0x1411/0x2840, CPU#0: repro_minimal_u/154 Modules linked in: CPU: 0 UID: 1000 PID: 154 Comm: repro_minimal_u Tainted: G W 7.1.0-rc6 #1 PREEMPT(lazy) Tainted: [W]=WARN Hardware name: QEMU Ubuntu 24.04 PC v2 (i440FX + PIIX, arch_caps fix, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 RIP: 0010:fuse_uring_cmd+0x1411/0x2840 Code: c7 00 40 d7 86 e8 1f 2a 29 03 85 c0 0f 85 74 07 00 00 e8 42 f5 32 ff 44 89 e3 e9 cf f3 ff ff 4c 89 4c 24 20 e8 30 f5 32 ff 90 <0f> 0b 90 48 c7 c6 00 c8 9f 85 48 c7 c7 80 3e d7 86 e8 e9 29 29 03 RSP: 0018:ffffc90000a7fab0 EFLAGS: 00010293 RAX: 0000000000000000 RBX: ffff888009ed5180 RCX: ffffffff824413e0 RDX: ffff88800ca9d000 RSI: 1ffff110013ed186 RDI: ffff888009ecc6e8 RBP: ffffc90000a7fc18 R08: 0000000000000001 R09: ffff888009f68c30 R10: 0000000000000003 R11: 0000000000000000 R12: ffff888009f68c00 R13: 0000000080000111 R14: ffff88800c0c7b00 R15: ffff888009ecc658 FS: 00007fb20603c6c0(0000) GS:ffff8880acde2000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fb20603beb8 CR3: 000000000dc18000 CR4: 00000000000006f0 Call Trace: io_uring_cmd+0x291/0x5d0 __io_issue_sqe+0xbd/0x6f0 io_issue_sqe+0x82/0x1140 io_submit_sqes+0x94e/0x2030 __do_sys_io_uring_enter+0x87b/0x1490 do_syscall_64+0x102/0x5a0 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7fb20618a28d Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 5b bb 0d 00 f7 d8 64 89 01 48 RSP: 002b:00007fb20603bdb8 EFLAGS: 00000246 ORIG_RAX: 00000000000001aa RAX: ffffffffffffffda RBX: 0000558c96020038 RCX: 00007fb20618a28d RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000005 RBP: 0000558c96020030 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000558c9602003c R13: fffffffffffffeb8 R14: 000000000000006e R15: 0000558c9601fc80 ---[ end trace 0000000000000000 ]--- fuse: qid=0 commit_id 4 state 3 fuse: FUSE_IO_URING_COMMIT_AND_FETCH failed err=-5 ================================================================== BUG: KASAN: slab-use-after-free in fuse_uring_copy_to_ring+0x20b/0x230 Read of size 8 at addr ffff888009ecc698 by task repro_minimal_u/153 CPU: 0 UID: 1000 PID: 153 Comm: repro_minimal_u Tainted: G W 7.1.0-rc6 #1 PREEMPT(lazy) Tainted: [W]=WARN Hardware name: QEMU Ubuntu 24.04 PC v2 (i440FX + PIIX, arch_caps fix, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 Call Trace: dump_stack_lvl+0x7b/0xa0 print_report+0xce/0x5f0 kasan_report+0xce/0x100 fuse_uring_copy_to_ring+0x20b/0x230 fuse_uring_send_in_task+0x153/0x4c0 io_handle_tw_list+0x2fe/0x3a0 tctx_task_work_run+0x59/0x230 tctx_task_work+0x7a/0xd0 task_work_run+0x13f/0x210 get_signal+0x1bb/0x1ea0 arch_do_signal_or_restart+0x8f/0x6f0 exit_to_user_mode_loop+0x6e/0x4b0 do_syscall_64+0x482/0x5a0 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7fb20618a28d Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 5b bb 0d 00 f7 d8 64 89 01 48 RSP: 002b:00007fb20605edc8 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 RAX: fffffffffffffffb RBX: 0000558c96020028 RCX: 00007fb20618a28d RDX: 0000000000050480 RSI: 0000200000000040 RDI: ffffffffffffff9c RBP: 0000558c96020020 R08: 00007fb20605fcdc R09: 0000558c96020028 R10: 0000000000000028 R11: 0000000000000246 R12: 0000558c9602002c R13: fffffffffffffeb8 R14: 0000000000000000 R15: 0000558c9601fc80 Allocated by task 153 on cpu 0 at 28.466485s: kasan_save_stack+0x33/0x60 kasan_save_track+0x17/0x60 __kasan_slab_alloc+0x6e/0x70 kmem_cache_alloc_noprof+0xfd/0x380 fuse_request_alloc+0x22/0x200 fuse_get_req+0x295/0x8c0 __fuse_simple_request+0x9d/0xd40 fuse_send_open+0x1cc/0x270 fuse_file_open+0x2e4/0x810 fuse_do_open+0x50/0xc0 fuse_dir_open+0x10d/0x260 do_dentry_open+0x5cc/0x1340 vfs_open+0x79/0x390 path_openat+0x22f6/0x3bc0 do_file_open+0x219/0x470 do_sys_openat2+0xed/0x1b0 __x64_sys_openat+0x131/0x1e0 do_syscall_64+0x102/0x5a0 entry_SYSCALL_64_after_hwframe+0x77/0x7f Freed by task 153 on cpu 0 at 28.574662s: kasan_save_stack+0x33/0x60 kasan_save_track+0x17/0x60 kasan_save_free_info+0x3b/0x60 __kasan_slab_free+0x43/0x70 kmem_cache_free+0xba/0x3b0 fuse_put_request+0x190/0x2a0 __fuse_simple_request+0x4d0/0xd40 fuse_send_open+0x1cc/0x270 fuse_file_open+0x2e4/0x810 fuse_do_open+0x50/0xc0 fuse_dir_open+0x10d/0x260 do_dentry_open+0x5cc/0x1340 vfs_open+0x79/0x390 path_openat+0x22f6/0x3bc0 do_file_open+0x219/0x470 do_sys_openat2+0xed/0x1b0 __x64_sys_openat+0x131/0x1e0 do_syscall_64+0x102/0x5a0 entry_SYSCALL_64_after_hwframe+0x77/0x7f The buggy address belongs to the object at ffff888009ecc658 which belongs to the cache fuse_request of size 168 The buggy address is located 64 bytes inside of freed 168-byte region [ffff888009ecc658, ffff888009ecc700) The buggy address belongs to the physical page: page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff888009ecc828 pfn:0x9ecc flags: 0x100000000000200(workingset|node=0|zone=1) page_type: f5(slab) raw: 0100000000000200 ffff88800a48c8c0 ffff88800a486990 ffff88800a486990 raw: ffff888009ecc828 0000000000110009 00000000f5000000 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff888009ecc580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff888009ecc600: fc fc fc fc fc fc fc fc fc fc fc fa fb fb fb fb >ffff888009ecc680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff888009ecc700: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb ffff888009ecc780: fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc ================================================================== ================================================================== BUG: KASAN: slab-use-after-free in fuse_uring_args_to_ring.isra.0+0x4ad/0x530 Read of size 8 at addr ffff888009ecc678 by task repro_minimal_u/153 CPU: 0 UID: 1000 PID: 153 Comm: repro_minimal_u Tainted: G B W 7.1.0-rc6 #1 PREEMPT(lazy) Tainted: [B]=BAD_PAGE, [W]=WARN Hardware name: QEMU Ubuntu 24.04 PC v2 (i440FX + PIIX, arch_caps fix, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 Call Trace: dump_stack_lvl+0x7b/0xa0 print_report+0xce/0x5f0 kasan_report+0xce/0x100 fuse_uring_args_to_ring.isra.0+0x4ad/0x530 fuse_uring_copy_to_ring+0xf0/0x230 fuse_uring_send_in_task+0x153/0x4c0 io_handle_tw_list+0x2fe/0x3a0 tctx_task_work_run+0x59/0x230 tctx_task_work+0x7a/0xd0 task_work_run+0x13f/0x210 get_signal+0x1bb/0x1ea0 arch_do_signal_or_restart+0x8f/0x6f0 exit_to_user_mode_loop+0x6e/0x4b0 do_syscall_64+0x482/0x5a0 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7fb20618a28d Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 5b bb 0d 00 f7 d8 64 89 01 48 RSP: 002b:00007fb20605edc8 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 RAX: fffffffffffffffb RBX: 0000558c96020028 RCX: 00007fb20618a28d RDX: 0000000000050480 RSI: 0000200000000040 RDI: ffffffffffffff9c RBP: 0000558c96020020 R08: 00007fb20605fcdc R09: 0000558c96020028 R10: 0000000000000028 R11: 0000000000000246 R12: 0000558c9602002c R13: fffffffffffffeb8 R14: 0000000000000000 R15: 0000558c9601fc80 Allocated by task 153 on cpu 0 at 28.466485s: kasan_save_stack+0x33/0x60 kasan_save_track+0x17/0x60 __kasan_slab_alloc+0x6e/0x70 kmem_cache_alloc_noprof+0xfd/0x380 fuse_request_alloc+0x22/0x200 fuse_get_req+0x295/0x8c0 __fuse_simple_request+0x9d/0xd40 fuse_send_open+0x1cc/0x270 fuse_file_open+0x2e4/0x810 fuse_do_open+0x50/0xc0 fuse_dir_open+0x10d/0x260 do_dentry_open+0x5cc/0x1340 vfs_open+0x79/0x390 path_openat+0x22f6/0x3bc0 do_file_open+0x219/0x470 do_sys_openat2+0xed/0x1b0 __x64_sys_openat+0x131/0x1e0 do_syscall_64+0x102/0x5a0 entry_SYSCALL_64_after_hwframe+0x77/0x7f Freed by task 153 on cpu 0 at 28.574662s: kasan_save_stack+0x33/0x60 kasan_save_track+0x17/0x60 kasan_save_free_info+0x3b/0x60 __kasan_slab_free+0x43/0x70 kmem_cache_free+0xba/0x3b0 fuse_put_request+0x190/0x2a0 __fuse_simple_request+0x4d0/0xd40 fuse_send_open+0x1cc/0x270 fuse_file_open+0x2e4/0x810 fuse_do_open+0x50/0xc0 fuse_dir_open+0x10d/0x260 do_dentry_open+0x5cc/0x1340 vfs_open+0x79/0x390 path_openat+0x22f6/0x3bc0 do_file_open+0x219/0x470 do_sys_openat2+0xed/0x1b0 __x64_sys_openat+0x131/0x1e0 do_syscall_64+0x102/0x5a0 entry_SYSCALL_64_after_hwframe+0x77/0x7f The buggy address belongs to the object at ffff888009ecc658 which belongs to the cache fuse_request of size 168 The buggy address is located 32 bytes inside of freed 168-byte region [ffff888009ecc658, ffff888009ecc700) The buggy address belongs to the physical page: page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff888009ecc828 pfn:0x9ecc flags: 0x100000000000200(workingset|node=0|zone=1) page_type: f5(slab) raw: 0100000000000200 ffff88800a48c8c0 ffff88800a486990 ffff88800a486990 raw: ffff888009ecc828 0000000000110009 00000000f5000000 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff888009ecc500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff888009ecc580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff888009ecc600: fc fc fc fc fc fc fc fc fc fc fc fa fb fb fb fb ^ ffff888009ecc680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff888009ecc700: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb ================================================================== ================================================================== BUG: KASAN: slab-use-after-free in fuse_uring_args_to_ring.isra.0+0x4a3/0x530 Read of size 8 at addr ffff888009ecc698 by task repro_minimal_u/153 CPU: 0 UID: 1000 PID: 153 Comm: repro_minimal_u Tainted: G B W 7.1.0-rc6 #1 PREEMPT(lazy) Tainted: [B]=BAD_PAGE, [W]=WARN Hardware name: QEMU Ubuntu 24.04 PC v2 (i440FX + PIIX, arch_caps fix, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 Call Trace: dump_stack_lvl+0x7b/0xa0 print_report+0xce/0x5f0 kasan_report+0xce/0x100 fuse_uring_args_to_ring.isra.0+0x4a3/0x530 fuse_uring_copy_to_ring+0xf0/0x230 fuse_uring_send_in_task+0x153/0x4c0 io_handle_tw_list+0x2fe/0x3a0 tctx_task_work_run+0x59/0x230 tctx_task_work+0x7a/0xd0 task_work_run+0x13f/0x210 get_signal+0x1bb/0x1ea0 arch_do_signal_or_restart+0x8f/0x6f0 exit_to_user_mode_loop+0x6e/0x4b0 do_syscall_64+0x482/0x5a0 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7fb20618a28d Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 5b bb 0d 00 f7 d8 64 89 01 48 RSP: 002b:00007fb20605edc8 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 RAX: fffffffffffffffb RBX: 0000558c96020028 RCX: 00007fb20618a28d RDX: 0000000000050480 RSI: 0000200000000040 RDI: ffffffffffffff9c RBP: 0000558c96020020 R08: 00007fb20605fcdc R09: 0000558c96020028 R10: 0000000000000028 R11: 0000000000000246 R12: 0000558c9602002c R13: fffffffffffffeb8 R14: 0000000000000000 R15: 0000558c9601fc80 Allocated by task 153 on cpu 0 at 28.466485s: kasan_save_stack+0x33/0x60 kasan_save_track+0x17/0x60 __kasan_slab_alloc+0x6e/0x70 kmem_cache_alloc_noprof+0xfd/0x380 fuse_request_alloc+0x22/0x200 fuse_get_req+0x295/0x8c0 __fuse_simple_request+0x9d/0xd40 fuse_send_open+0x1cc/0x270 fuse_file_open+0x2e4/0x810 fuse_do_open+0x50/0xc0 fuse_dir_open+0x10d/0x260 do_dentry_open+0x5cc/0x1340 vfs_open+0x79/0x390 path_openat+0x22f6/0x3bc0 do_file_open+0x219/0x470 do_sys_openat2+0xed/0x1b0 __x64_sys_openat+0x131/0x1e0 do_syscall_64+0x102/0x5a0 entry_SYSCALL_64_after_hwframe+0x77/0x7f Freed by task 153 on cpu 0 at 28.574662s: kasan_save_stack+0x33/0x60 kasan_save_track+0x17/0x60 kasan_save_free_info+0x3b/0x60 __kasan_slab_free+0x43/0x70 kmem_cache_free+0xba/0x3b0 fuse_put_request+0x190/0x2a0 __fuse_simple_request+0x4d0/0xd40 fuse_send_open+0x1cc/0x270 fuse_file_open+0x2e4/0x810 fuse_do_open+0x50/0xc0 fuse_dir_open+0x10d/0x260 do_dentry_open+0x5cc/0x1340 vfs_open+0x79/0x390 path_openat+0x22f6/0x3bc0 do_file_open+0x219/0x470 do_sys_openat2+0xed/0x1b0 __x64_sys_openat+0x131/0x1e0 do_syscall_64+0x102/0x5a0 entry_SYSCALL_64_after_hwframe+0x77/0x7f The buggy address belongs to the object at ffff888009ecc658 which belongs to the cache fuse_request of size 168 The buggy address is located 64 bytes inside of freed 168-byte region [ffff888009ecc658, ffff888009ecc700) The buggy address belongs to the physical page: page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff888009ecc828 pfn:0x9ecc flags: 0x100000000000200(workingset|node=0|zone=1) page_type: f5(slab) raw: 0100000000000200 ffff88800a48c8c0 ffff88800a486990 ffff88800a486990 raw: ffff888009ecc828 0000000000110009 00000000f5000000 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff888009ecc580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff888009ecc600: fc fc fc fc fc fc fc fc fc fc fc fa fb fb fb fb >ffff888009ecc680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff888009ecc700: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb ffff888009ecc780: fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc ================================================================== ================================================================== BUG: KASAN: slab-use-after-free in _copy_to_user+0x4e/0x80 Read of size 40 at addr ffff888009ecc690 by task repro_minimal_u/153 CPU: 0 UID: 1000 PID: 153 Comm: repro_minimal_u Tainted: G B W 7.1.0-rc6 #1 PREEMPT(lazy) Tainted: [B]=BAD_PAGE, [W]=WARN Hardware name: QEMU Ubuntu 24.04 PC v2 (i440FX + PIIX, arch_caps fix, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 Call Trace: dump_stack_lvl+0x7b/0xa0 print_report+0xce/0x5f0 kasan_report+0xce/0x100 kasan_check_range+0x105/0x1b0 _copy_to_user+0x4e/0x80 fuse_uring_copy_to_ring+0x12c/0x230 fuse_uring_send_in_task+0x153/0x4c0 io_handle_tw_list+0x2fe/0x3a0 tctx_task_work_run+0x59/0x230 tctx_task_work+0x7a/0xd0 task_work_run+0x13f/0x210 get_signal+0x1bb/0x1ea0 arch_do_signal_or_restart+0x8f/0x6f0 exit_to_user_mode_loop+0x6e/0x4b0 do_syscall_64+0x482/0x5a0 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7fb20618a28d Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 5b bb 0d 00 f7 d8 64 89 01 48 RSP: 002b:00007fb20605edc8 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 RAX: fffffffffffffffb RBX: 0000558c96020028 RCX: 00007fb20618a28d RDX: 0000000000050480 RSI: 0000200000000040 RDI: ffffffffffffff9c RBP: 0000558c96020020 R08: 00007fb20605fcdc R09: 0000558c96020028 R10: 0000000000000028 R11: 0000000000000246 R12: 0000558c9602002c R13: fffffffffffffeb8 R14: 0000000000000000 R15: 0000558c9601fc80 Allocated by task 153 on cpu 0 at 28.466485s: kasan_save_stack+0x33/0x60 kasan_save_track+0x17/0x60 __kasan_slab_alloc+0x6e/0x70 kmem_cache_alloc_noprof+0xfd/0x380 fuse_request_alloc+0x22/0x200 fuse_get_req+0x295/0x8c0 __fuse_simple_request+0x9d/0xd40 fuse_send_open+0x1cc/0x270 fuse_file_open+0x2e4/0x810 fuse_do_open+0x50/0xc0 fuse_dir_open+0x10d/0x260 do_dentry_open+0x5cc/0x1340 vfs_open+0x79/0x390 path_openat+0x22f6/0x3bc0 do_file_open+0x219/0x470 do_sys_openat2+0xed/0x1b0 __x64_sys_openat+0x131/0x1e0 do_syscall_64+0x102/0x5a0 entry_SYSCALL_64_after_hwframe+0x77/0x7f Freed by task 153 on cpu 0 at 28.574662s: kasan_save_stack+0x33/0x60 kasan_save_track+0x17/0x60 kasan_save_free_info+0x3b/0x60 __kasan_slab_free+0x43/0x70 kmem_cache_free+0xba/0x3b0 fuse_put_request+0x190/0x2a0 __fuse_simple_request+0x4d0/0xd40 fuse_send_open+0x1cc/0x270 fuse_file_open+0x2e4/0x810 fuse_do_open+0x50/0xc0 fuse_dir_open+0x10d/0x260 do_dentry_open+0x5cc/0x1340 vfs_open+0x79/0x390 path_openat+0x22f6/0x3bc0 do_file_open+0x219/0x470 do_sys_openat2+0xed/0x1b0 __x64_sys_openat+0x131/0x1e0 do_syscall_64+0x102/0x5a0 entry_SYSCALL_64_after_hwframe+0x77/0x7f The buggy address belongs to the object at ffff888009ecc658 which belongs to the cache fuse_request of size 168 The buggy address is located 56 bytes inside of freed 168-byte region [ffff888009ecc658, ffff888009ecc700) The buggy address belongs to the physical page: page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff888009ecc828 pfn:0x9ecc flags: 0x100000000000200(workingset|node=0|zone=1) page_type: f5(slab) raw: 0100000000000200 ffff88800a48c8c0 ffff88800a486990 ffff88800a486990 raw: ffff888009ecc828 0000000000110009 00000000f5000000 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff888009ecc580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff888009ecc600: fc fc fc fc fc fc fc fc fc fc fc fa fb fb fb fb >ffff888009ecc680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff888009ecc700: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb ffff888009ecc780: fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc ================================================================== ================================================================== BUG: KASAN: slab-use-after-free in fuse_uring_send_in_task+0x171/0x4c0 Write of size 8 at addr ffff888009ecc688 by task repro_minimal_u/153 CPU: 0 UID: 1000 PID: 153 Comm: repro_minimal_u Tainted: G B W 7.1.0-rc6 #1 PREEMPT(lazy) Tainted: [B]=BAD_PAGE, [W]=WARN Hardware name: QEMU Ubuntu 24.04 PC v2 (i440FX + PIIX, arch_caps fix, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 Call Trace: dump_stack_lvl+0x7b/0xa0 print_report+0xce/0x5f0 kasan_report+0xce/0x100 kasan_check_range+0x105/0x1b0 fuse_uring_send_in_task+0x171/0x4c0 io_handle_tw_list+0x2fe/0x3a0 tctx_task_work_run+0x59/0x230 tctx_task_work+0x7a/0xd0 task_work_run+0x13f/0x210 get_signal+0x1bb/0x1ea0 arch_do_signal_or_restart+0x8f/0x6f0 exit_to_user_mode_loop+0x6e/0x4b0 do_syscall_64+0x482/0x5a0 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7fb20618a28d Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 5b bb 0d 00 f7 d8 64 89 01 48 RSP: 002b:00007fb20605edc8 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 RAX: fffffffffffffffb RBX: 0000558c96020028 RCX: 00007fb20618a28d RDX: 0000000000050480 RSI: 0000200000000040 RDI: ffffffffffffff9c RBP: 0000558c96020020 R08: 00007fb20605fcdc R09: 0000558c96020028 R10: 0000000000000028 R11: 0000000000000246 R12: 0000558c9602002c R13: fffffffffffffeb8 R14: 0000000000000000 R15: 0000558c9601fc80 Allocated by task 153 on cpu 0 at 28.466485s: kasan_save_stack+0x33/0x60 kasan_save_track+0x17/0x60 __kasan_slab_alloc+0x6e/0x70 kmem_cache_alloc_noprof+0xfd/0x380 fuse_request_alloc+0x22/0x200 fuse_get_req+0x295/0x8c0 __fuse_simple_request+0x9d/0xd40 fuse_send_open+0x1cc/0x270 fuse_file_open+0x2e4/0x810 fuse_do_open+0x50/0xc0 fuse_dir_open+0x10d/0x260 do_dentry_open+0x5cc/0x1340 vfs_open+0x79/0x390 path_openat+0x22f6/0x3bc0 do_file_open+0x219/0x470 do_sys_openat2+0xed/0x1b0 __x64_sys_openat+0x131/0x1e0 do_syscall_64+0x102/0x5a0 entry_SYSCALL_64_after_hwframe+0x77/0x7f Freed by task 153 on cpu 0 at 28.574662s: kasan_save_stack+0x33/0x60 kasan_save_track+0x17/0x60 kasan_save_free_info+0x3b/0x60 __kasan_slab_free+0x43/0x70 kmem_cache_free+0xba/0x3b0 fuse_put_request+0x190/0x2a0 __fuse_simple_request+0x4d0/0xd40 fuse_send_open+0x1cc/0x270 fuse_file_open+0x2e4/0x810 fuse_do_open+0x50/0xc0 fuse_dir_open+0x10d/0x260 do_dentry_open+0x5cc/0x1340 vfs_open+0x79/0x390 path_openat+0x22f6/0x3bc0 do_file_open+0x219/0x470 do_sys_openat2+0xed/0x1b0 __x64_sys_openat+0x131/0x1e0 do_syscall_64+0x102/0x5a0 entry_SYSCALL_64_after_hwframe+0x77/0x7f The buggy address belongs to the object at ffff888009ecc658 which belongs to the cache fuse_request of size 168 The buggy address is located 48 bytes inside of freed 168-byte region [ffff888009ecc658, ffff888009ecc700) The buggy address belongs to the physical page: page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff888009ecc828 pfn:0x9ecc flags: 0x100000000000200(workingset|node=0|zone=1) page_type: f5(slab) raw: 0100000000000200 ffff88800a48c8c0 ffff88800a486990 ffff88800a486990 raw: ffff888009ecc828 0000000000110009 00000000f5000000 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff888009ecc580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff888009ecc600: fc fc fc fc fc fc fc fc fc fc fc fa fb fb fb fb >ffff888009ecc680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff888009ecc700: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb ffff888009ecc780: fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc ================================================================== ================================================================== BUG: KASAN: slab-use-after-free in fuse_uring_stop_list_entries+0x786/0x990 Read of size 8 at addr ffff888009ecc658 by task repro_minimal_u/152 CPU: 0 UID: 1000 PID: 152 Comm: repro_minimal_u Tainted: G B W 7.1.0-rc6 #1 PREEMPT(lazy) Tainted: [B]=BAD_PAGE, [W]=WARN Hardware name: QEMU Ubuntu 24.04 PC v2 (i440FX + PIIX, arch_caps fix, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 Call Trace: dump_stack_lvl+0x7b/0xa0 print_report+0xce/0x5f0 kasan_report+0xce/0x100 fuse_uring_stop_list_entries+0x786/0x990 fuse_uring_teardown_all_queues+0xb0/0x120 fuse_uring_stop_queues+0x1f/0x230 fuse_abort_conn+0xac7/0xd40 fuse_dev_release+0x3a3/0x4d0 __fput+0x38c/0xa70 fput_close_sync+0xfa/0x1f0 __x64_sys_close+0x87/0xf0 do_syscall_64+0x102/0x5a0 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7fb20617974c Code: 0f 05 48 3d 00 f0 ff ff 77 3c c3 0f 1f 00 55 48 89 e5 48 83 ec 10 89 7d fc e8 10 1e f8 ff 8b 7d fc 89 c2 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 2c 89 d7 89 45 fc e8 72 1e f8 ff 8b 45 fc c9 RSP: 002b:0000558c9601fe50 EFLAGS: 00000293 ORIG_RAX: 0000000000000003 RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fb20617974c RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003 RBP: 0000558c9601fe60 R08: 0000000000000000 R09: 00007fb206277000 R10: 0000000000000000 R11: 0000000000000293 R12: 0000558c95f04a10 R13: 0000000000006e2b R14: 0000000000006e5d R15: 0000558c9601feb0 Allocated by task 153 on cpu 0 at 28.466485s: kasan_save_stack+0x33/0x60 kasan_save_track+0x17/0x60 __kasan_slab_alloc+0x6e/0x70 kmem_cache_alloc_noprof+0xfd/0x380 fuse_request_alloc+0x22/0x200 fuse_get_req+0x295/0x8c0 __fuse_simple_request+0x9d/0xd40 fuse_send_open+0x1cc/0x270 fuse_file_open+0x2e4/0x810 fuse_do_open+0x50/0xc0 fuse_dir_open+0x10d/0x260 do_dentry_open+0x5cc/0x1340 vfs_open+0x79/0x390 path_openat+0x22f6/0x3bc0 do_file_open+0x219/0x470 do_sys_openat2+0xed/0x1b0 __x64_sys_openat+0x131/0x1e0 do_syscall_64+0x102/0x5a0 entry_SYSCALL_64_after_hwframe+0x77/0x7f Freed by task 153 on cpu 0 at 28.574662s: kasan_save_stack+0x33/0x60 kasan_save_track+0x17/0x60 kasan_save_free_info+0x3b/0x60 __kasan_slab_free+0x43/0x70 kmem_cache_free+0xba/0x3b0 fuse_put_request+0x190/0x2a0 __fuse_simple_request+0x4d0/0xd40 fuse_send_open+0x1cc/0x270 fuse_file_open+0x2e4/0x810 fuse_do_open+0x50/0xc0 fuse_dir_open+0x10d/0x260 do_dentry_open+0x5cc/0x1340 vfs_open+0x79/0x390 path_openat+0x22f6/0x3bc0 do_file_open+0x219/0x470 do_sys_openat2+0xed/0x1b0 __x64_sys_openat+0x131/0x1e0 do_syscall_64+0x102/0x5a0 entry_SYSCALL_64_after_hwframe+0x77/0x7f The buggy address belongs to the object at ffff888009ecc658 which belongs to the cache fuse_request of size 168 The buggy address is located 0 bytes inside of freed 168-byte region [ffff888009ecc658, ffff888009ecc700) The buggy address belongs to the physical page: page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff888009ecc828 pfn:0x9ecc flags: 0x100000000000200(workingset|node=0|zone=1) page_type: f5(slab) raw: 0100000000000200 ffff88800a48c8c0 ffff88800a486990 ffff88800a486990 raw: ffff888009ecc828 0000000000110009 00000000f5000000 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff888009ecc500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff888009ecc580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff888009ecc600: fc fc fc fc fc fc fc fc fc fc fc fa fb fb fb fb ^ ffff888009ecc680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff888009ecc700: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb ================================================================== ================================================================== BUG: KASAN: slab-use-after-free in fuse_uring_stop_list_entries+0x7e1/0x990 Read of size 8 at addr ffff888009ecc660 by task repro_minimal_u/152 CPU: 0 UID: 1000 PID: 152 Comm: repro_minimal_u Tainted: G B W 7.1.0-rc6 #1 PREEMPT(lazy) Tainted: [B]=BAD_PAGE, [W]=WARN Hardware name: QEMU Ubuntu 24.04 PC v2 (i440FX + PIIX, arch_caps fix, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 Call Trace: dump_stack_lvl+0x7b/0xa0 print_report+0xce/0x5f0 kasan_report+0xce/0x100 fuse_uring_stop_list_entries+0x7e1/0x990 fuse_uring_teardown_all_queues+0xb0/0x120 fuse_uring_stop_queues+0x1f/0x230 fuse_abort_conn+0xac7/0xd40 fuse_dev_release+0x3a3/0x4d0 __fput+0x38c/0xa70 fput_close_sync+0xfa/0x1f0 __x64_sys_close+0x87/0xf0 do_syscall_64+0x102/0x5a0 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7fb20617974c Code: 0f 05 48 3d 00 f0 ff ff 77 3c c3 0f 1f 00 55 48 89 e5 48 83 ec 10 89 7d fc e8 10 1e f8 ff 8b 7d fc 89 c2 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 2c 89 d7 89 45 fc e8 72 1e f8 ff 8b 45 fc c9 RSP: 002b:0000558c9601fe50 EFLAGS: 00000293 ORIG_RAX: 0000000000000003 RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fb20617974c RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003 RBP: 0000558c9601fe60 R08: 0000000000000000 R09: 00007fb206277000 R10: 0000000000000000 R11: 0000000000000293 R12: 0000558c95f04a10 R13: 0000000000006e2b R14: 0000000000006e5d R15: 0000558c9601feb0 Allocated by task 153 on cpu 0 at 28.466485s: kasan_save_stack+0x33/0x60 kasan_save_track+0x17/0x60 __kasan_slab_alloc+0x6e/0x70 kmem_cache_alloc_noprof+0xfd/0x380 fuse_request_alloc+0x22/0x200 fuse_get_req+0x295/0x8c0 __fuse_simple_request+0x9d/0xd40 fuse_send_open+0x1cc/0x270 fuse_file_open+0x2e4/0x810 fuse_do_open+0x50/0xc0 fuse_dir_open+0x10d/0x260 do_dentry_open+0x5cc/0x1340 vfs_open+0x79/0x390 path_openat+0x22f6/0x3bc0 do_file_open+0x219/0x470 do_sys_openat2+0xed/0x1b0 __x64_sys_openat+0x131/0x1e0 do_syscall_64+0x102/0x5a0 entry_SYSCALL_64_after_hwframe+0x77/0x7f Freed by task 153 on cpu 0 at 28.574662s: kasan_save_stack+0x33/0x60 kasan_save_track+0x17/0x60 kasan_save_free_info+0x3b/0x60 __kasan_slab_free+0x43/0x70 kmem_cache_free+0xba/0x3b0 fuse_put_request+0x190/0x2a0 __fuse_simple_request+0x4d0/0xd40 fuse_send_open+0x1cc/0x270 fuse_file_open+0x2e4/0x810 fuse_do_open+0x50/0xc0 fuse_dir_open+0x10d/0x260 do_dentry_open+0x5cc/0x1340 vfs_open+0x79/0x390 path_openat+0x22f6/0x3bc0 do_file_open+0x219/0x470 do_sys_openat2+0xed/0x1b0 __x64_sys_openat+0x131/0x1e0 do_syscall_64+0x102/0x5a0 entry_SYSCALL_64_after_hwframe+0x77/0x7f The buggy address belongs to the object at ffff888009ecc658 which belongs to the cache fuse_request of size 168 The buggy address is located 8 bytes inside of freed 168-byte region [ffff888009ecc658, ffff888009ecc700) The buggy address belongs to the physical page: page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff888009ecc828 pfn:0x9ecc flags: 0x100000000000200(workingset|node=0|zone=1) page_type: f5(slab) raw: 0100000000000200 ffff88800a48c8c0 ffff88800a486990 ffff88800a486990 raw: ffff888009ecc828 0000000000110009 00000000f5000000 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff888009ecc500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff888009ecc580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff888009ecc600: fc fc fc fc fc fc fc fc fc fc fc fa fb fb fb fb ^ ffff888009ecc680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff888009ecc700: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb ================================================================== ================================================================== BUG: KASAN: slab-use-after-free in fuse_uring_stop_list_entries+0x7c8/0x990 Write of size 8 at addr ffff88800c0c7908 by task repro_minimal_u/152 CPU: 0 UID: 1000 PID: 152 Comm: repro_minimal_u Tainted: G B W 7.1.0-rc6 #1 PREEMPT(lazy) Tainted: [B]=BAD_PAGE, [W]=WARN Hardware name: QEMU Ubuntu 24.04 PC v2 (i440FX + PIIX, arch_caps fix, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 Call Trace: dump_stack_lvl+0x7b/0xa0 print_report+0xce/0x5f0 kasan_report+0xce/0x100 fuse_uring_stop_list_entries+0x7c8/0x990 fuse_uring_teardown_all_queues+0xb0/0x120 fuse_uring_stop_queues+0x1f/0x230 fuse_abort_conn+0xac7/0xd40 fuse_dev_release+0x3a3/0x4d0 __fput+0x38c/0xa70 fput_close_sync+0xfa/0x1f0 __x64_sys_close+0x87/0xf0 do_syscall_64+0x102/0x5a0 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7fb20617974c Code: 0f 05 48 3d 00 f0 ff ff 77 3c c3 0f 1f 00 55 48 89 e5 48 83 ec 10 89 7d fc e8 10 1e f8 ff 8b 7d fc 89 c2 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 2c 89 d7 89 45 fc e8 72 1e f8 ff 8b 45 fc c9 RSP: 002b:0000558c9601fe50 EFLAGS: 00000293 ORIG_RAX: 0000000000000003 RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fb20617974c RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003 RBP: 0000558c9601fe60 R08: 0000000000000000 R09: 00007fb206277000 R10: 0000000000000000 R11: 0000000000000293 R12: 0000558c95f04a10 R13: 0000000000006e2b R14: 0000000000006e5d R15: 0000558c9601feb0 Allocated by task 153 on cpu 0 at 28.466479s: kasan_save_stack+0x33/0x60 kasan_save_track+0x17/0x60 __kasan_kmalloc+0x8f/0xa0 fuse_file_alloc+0xba/0x2c0 fuse_file_open+0x22d/0x810 fuse_do_open+0x50/0xc0 fuse_dir_open+0x10d/0x260 do_dentry_open+0x5cc/0x1340 vfs_open+0x79/0x390 path_openat+0x22f6/0x3bc0 do_file_open+0x219/0x470 do_sys_openat2+0xed/0x1b0 __x64_sys_openat+0x131/0x1e0 do_syscall_64+0x102/0x5a0 entry_SYSCALL_64_after_hwframe+0x77/0x7f Freed by task 153 on cpu 0 at 28.574668s: kasan_save_stack+0x33/0x60 kasan_save_track+0x17/0x60 kasan_save_free_info+0x3b/0x60 __kasan_slab_free+0x43/0x70 kfree+0x133/0x3a0 fuse_file_open+0x524/0x810 fuse_do_open+0x50/0xc0 fuse_dir_open+0x10d/0x260 do_dentry_open+0x5cc/0x1340 vfs_open+0x79/0x390 path_openat+0x22f6/0x3bc0 do_file_open+0x219/0x470 do_sys_openat2+0xed/0x1b0 __x64_sys_openat+0x131/0x1e0 do_syscall_64+0x102/0x5a0 entry_SYSCALL_64_after_hwframe+0x77/0x7f The buggy address belongs to the object at ffff88800c0c7900 which belongs to the cache kmalloc-192 of size 192 The buggy address is located 8 bytes inside of freed 192-byte region [ffff88800c0c7900, ffff88800c0c79c0) The buggy address belongs to the physical page: page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0xc0c7 flags: 0x100000000000000(node=0|zone=1) page_type: f5(slab) raw: 0100000000000000 ffff8880090413c0 dead000000000100 dead000000000122 raw: 0000000000000000 0000000000100010 00000000f5000000 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff88800c0c7800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff88800c0c7880: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc >ffff88800c0c7900: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff88800c0c7980: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc ffff88800c0c7a00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ================================================================== Oops: general protection fault, probably for non-canonical address 0xe03a7c15c0000013: 0000 [#1] SMP KASAN PTI KASAN: maybe wild-memory-access in range [0x01d400ae00000098-0x01d400ae0000009f] CPU: 0 UID: 1000 PID: 152 Comm: repro_minimal_u Tainted: G B W 7.1.0-rc6 #1 PREEMPT(lazy) Tainted: [B]=BAD_PAGE, [W]=WARN Hardware name: QEMU Ubuntu 24.04 PC v2 (i440FX + PIIX, arch_caps fix, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 RIP: 0010:fuse_uring_stop_list_entries+0x332/0x990 Code: 85 ca 04 00 00 48 8d 7e 08 49 8b 4d 08 49 89 f8 49 c1 e8 03 41 80 3c 28 00 0f 85 92 04 00 00 48 89 cf 48 89 4e 08 48 c1 ef 03 <80> 3c 2f 00 0f 85 5c 04 00 00 48 89 31 4c 89 e9 48 c1 e9 03 80 3c RSP: 0018:ffffc90000a5fb08 EFLAGS: 00010202 RAX: 0000000000000001 RBX: ffff888009f68c00 RCX: 01d400ae00000099 RDX: ffff888009e95000 RSI: ffff88800c0c7900 RDI: 003a8015c0000013 RBP: dffffc0000000000 R08: 0000000000000001 R09: fffffbfff11d1438 R10: ffffffff88e8a1c7 R11: 0000000000000001 R12: ffff88800c0c7b00 R13: ffff888009ecc658 R14: ffff888009f68c20 R15: ffffc90000a5fb50 FS: 00007fb206060800(0000) GS:ffff8880acde2000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fb20615ca10 CR3: 000000000dc18000 CR4: 00000000000006f0 Call Trace: fuse_uring_teardown_all_queues+0xb0/0x120 fuse_uring_stop_queues+0x1f/0x230 fuse_abort_conn+0xac7/0xd40 fuse_dev_release+0x3a3/0x4d0 __fput+0x38c/0xa70 fput_close_sync+0xfa/0x1f0 __x64_sys_close+0x87/0xf0 do_syscall_64+0x102/0x5a0 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7fb20617974c Code: 0f 05 48 3d 00 f0 ff ff 77 3c c3 0f 1f 00 55 48 89 e5 48 83 ec 10 89 7d fc e8 10 1e f8 ff 8b 7d fc 89 c2 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 2c 89 d7 89 45 fc e8 72 1e f8 ff 8b 45 fc c9 RSP: 002b:0000558c9601fe50 EFLAGS: 00000293 ORIG_RAX: 0000000000000003 RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fb20617974c RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003 RBP: 0000558c9601fe60 R08: 0000000000000000 R09: 00007fb206277000 R10: 0000000000000000 R11: 0000000000000293 R12: 0000558c95f04a10 R13: 0000000000006e2b R14: 0000000000006e5d R15: 0000558c9601feb0 Modules linked in: ---[ end trace 0000000000000000 ]--- RIP: 0010:fuse_uring_stop_list_entries+0x332/0x990 Code: 85 ca 04 00 00 48 8d 7e 08 49 8b 4d 08 49 89 f8 49 c1 e8 03 41 80 3c 28 00 0f 85 92 04 00 00 48 89 cf 48 89 4e 08 48 c1 ef 03 <80> 3c 2f 00 0f 85 5c 04 00 00 48 89 31 4c 89 e9 48 c1 e9 03 80 3c RSP: 0018:ffffc90000a5fb08 EFLAGS: 00010202 RAX: 0000000000000001 RBX: ffff888009f68c00 RCX: 01d400ae00000099 RDX: ffff888009e95000 RSI: ffff88800c0c7900 RDI: 003a8015c0000013 RBP: dffffc0000000000 R08: 0000000000000001 R09: fffffbfff11d1438 R10: ffffffff88e8a1c7 R11: 0000000000000001 R12: ffff88800c0c7b00 R13: ffff888009ecc658 R14: ffff888009f68c20 R15: ffffc90000a5fb50 FS: 00007fb206060800(0000) GS:ffff8880acde2000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fb20615ca10 CR3: 000000000dc18000 CR4: 00000000000006f0 ---------------- Code disassembly (best guess): 0: 85 ca test %ecx,%edx 2: 04 00 add $0x0,%al 4: 00 48 8d add %cl,-0x73(%rax) 7: 7e 08 jle 0x11 9: 49 8b 4d 08 mov 0x8(%r13),%rcx d: 49 89 f8 mov %rdi,%r8 10: 49 c1 e8 03 shr $0x3,%r8 14: 41 80 3c 28 00 cmpb $0x0,(%r8,%rbp,1) 19: 0f 85 92 04 00 00 jne 0x4b1 1f: 48 89 cf mov %rcx,%rdi 22: 48 89 4e 08 mov %rcx,0x8(%rsi) 26: 48 c1 ef 03 shr $0x3,%rdi * 2a: 80 3c 2f 00 cmpb $0x0,(%rdi,%rbp,1) <-- trapping instruction 2e: 0f 85 5c 04 00 00 jne 0x490 34: 48 89 31 mov %rsi,(%rcx) 37: 4c 89 e9 mov %r13,%rcx 3a: 48 c1 e9 03 shr $0x3,%rcx 3e: 80 .byte 0x80 3f: 3c .byte 0x3c TITLE: WARNING in fuse_uring_cmd CORRUPTED: false () SUPPRESSED: false MAINTAINERS (TO): [linux-fsdevel@vger.kernel.org miklos@szeredi.hu] MAINTAINERS (CC): [linux-kernel@vger.kernel.org] mount (61) used greatest stack depth: 25672 bytes left ip (79) used greatest stack depth: 24416 bytes left e1000: eth0 NIC Link is Up 1000 Mbps Full Duplex, Flow Control: RX random: crng init done ------------[ cut here ]------------ WARNING: fs/fuse/dev_uring.c:865 at fuse_uring_cmd+0x1411/0x2840, CPU#0: repro_minimal_u/154 Modules linked in: CPU: 0 UID: 1000 PID: 154 Comm: repro_minimal_u Tainted: G W 7.1.0-rc6 #1 PREEMPT(lazy) Tainted: [W]=WARN Hardware name: QEMU Ubuntu 24.04 PC v2 (i440FX + PIIX, arch_caps fix, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 RIP: 0010:fuse_uring_cmd+0x1411/0x2840 Code: c7 00 40 d7 86 e8 1f 2a 29 03 85 c0 0f 85 74 07 00 00 e8 42 f5 32 ff 44 89 e3 e9 cf f3 ff ff 4c 89 4c 24 20 e8 30 f5 32 ff 90 <0f> 0b 90 48 c7 c6 00 c8 9f 85 48 c7 c7 80 3e d7 86 e8 e9 29 29 03 RSP: 0018:ffffc90000a7fab0 EFLAGS: 00010293 RAX: 0000000000000000 RBX: ffff888009ed5180 RCX: ffffffff824413e0 RDX: ffff88800ca9d000 RSI: 1ffff110013ed186 RDI: ffff888009ecc6e8 RBP: ffffc90000a7fc18 R08: 0000000000000001 R09: ffff888009f68c30 R10: 0000000000000003 R11: 0000000000000000 R12: ffff888009f68c00 R13: 0000000080000111 R14: ffff88800c0c7b00 R15: ffff888009ecc658 FS: 00007fb20603c6c0(0000) GS:ffff8880acde2000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fb20603beb8 CR3: 000000000dc18000 CR4: 00000000000006f0 Call Trace: io_uring_cmd+0x291/0x5d0 __io_issue_sqe+0xbd/0x6f0 io_issue_sqe+0x82/0x1140 io_submit_sqes+0x94e/0x2030 __do_sys_io_uring_enter+0x87b/0x1490 do_syscall_64+0x102/0x5a0 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7fb20618a28d Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 5b bb 0d 00 f7 d8 64 89 01 48 RSP: 002b:00007fb20603bdb8 EFLAGS: 00000246 ORIG_RAX: 00000000000001aa RAX: ffffffffffffffda RBX: 0000558c96020038 RCX: 00007fb20618a28d RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000005 RBP: 0000558c96020030 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000558c9602003c R13: fffffffffffffeb8 R14: 000000000000006e R15: 0000558c9601fc80 ---[ end trace 0000000000000000 ]--- fuse: qid=0 commit_id 4 state 3 fuse: FUSE_IO_URING_COMMIT_AND_FETCH failed err=-5 ================================================================== BUG: KASAN: slab-use-after-free in fuse_uring_copy_to_ring+0x20b/0x230 Read of size 8 at addr ffff888009ecc698 by task repro_minimal_u/153 CPU: 0 UID: 1000 PID: 153 Comm: repro_minimal_u Tainted: G W 7.1.0-rc6 #1 PREEMPT(lazy) Tainted: [W]=WARN Hardware name: QEMU Ubuntu 24.04 PC v2 (i440FX + PIIX, arch_caps fix, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 Call Trace: dump_stack_lvl+0x7b/0xa0 print_report+0xce/0x5f0 kasan_report+0xce/0x100 fuse_uring_copy_to_ring+0x20b/0x230 fuse_uring_send_in_task+0x153/0x4c0 io_handle_tw_list+0x2fe/0x3a0 tctx_task_work_run+0x59/0x230 tctx_task_work+0x7a/0xd0 task_work_run+0x13f/0x210 get_signal+0x1bb/0x1ea0 arch_do_signal_or_restart+0x8f/0x6f0 exit_to_user_mode_loop+0x6e/0x4b0 do_syscall_64+0x482/0x5a0 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7fb20618a28d Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 5b bb 0d 00 f7 d8 64 89 01 48 RSP: 002b:00007fb20605edc8 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 RAX: fffffffffffffffb RBX: 0000558c96020028 RCX: 00007fb20618a28d RDX: 0000000000050480 RSI: 0000200000000040 RDI: ffffffffffffff9c RBP: 0000558c96020020 R08: 00007fb20605fcdc R09: 0000558c96020028 R10: 0000000000000028 R11: 0000000000000246 R12: 0000558c9602002c R13: fffffffffffffeb8 R14: 0000000000000000 R15: 0000558c9601fc80 Allocated by task 153 on cpu 0 at 28.466485s: kasan_save_stack+0x33/0x60 kasan_save_track+0x17/0x60 __kasan_slab_alloc+0x6e/0x70 kmem_cache_alloc_noprof+0xfd/0x380 fuse_request_alloc+0x22/0x200 fuse_get_req+0x295/0x8c0 __fuse_simple_request+0x9d/0xd40 fuse_send_open+0x1cc/0x270 fuse_file_open+0x2e4/0x810 fuse_do_open+0x50/0xc0 fuse_dir_open+0x10d/0x260 do_dentry_open+0x5cc/0x1340 vfs_open+0x79/0x390 path_openat+0x22f6/0x3bc0 do_file_open+0x219/0x470 do_sys_openat2+0xed/0x1b0 __x64_sys_openat+0x131/0x1e0 do_syscall_64+0x102/0x5a0 entry_SYSCALL_64_after_hwframe+0x77/0x7f Freed by task 153 on cpu 0 at 28.574662s: kasan_save_stack+0x33/0x60 kasan_save_track+0x17/0x60 kasan_save_free_info+0x3b/0x60 __kasan_slab_free+0x43/0x70 kmem_cache_free+0xba/0x3b0 fuse_put_request+0x190/0x2a0 __fuse_simple_request+0x4d0/0xd40 fuse_send_open+0x1cc/0x270 fuse_file_open+0x2e4/0x810 fuse_do_open+0x50/0xc0 fuse_dir_open+0x10d/0x260 do_dentry_open+0x5cc/0x1340 vfs_open+0x79/0x390 path_openat+0x22f6/0x3bc0 do_file_open+0x219/0x470 do_sys_openat2+0xed/0x1b0 __x64_sys_openat+0x131/0x1e0 do_syscall_64+0x102/0x5a0 entry_SYSCALL_64_after_hwframe+0x77/0x7f The buggy address belongs to the object at ffff888009ecc658 which belongs to the cache fuse_request of size 168 The buggy address is located 64 bytes inside of freed 168-byte region [ffff888009ecc658, ffff888009ecc700) The buggy address belongs to the physical page: page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff888009ecc828 pfn:0x9ecc flags: 0x100000000000200(workingset|node=0|zone=1) page_type: f5(slab) raw: 0100000000000200 ffff88800a48c8c0 ffff88800a486990 ffff88800a486990 raw: ffff888009ecc828 0000000000110009 00000000f5000000 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff888009ecc580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff888009ecc600: fc fc fc fc fc fc fc fc fc fc fc fa fb fb fb fb >ffff888009ecc680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff888009ecc700: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb ffff888009ecc780: fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc ================================================================== ================================================================== BUG: KASAN: slab-use-after-free in fuse_uring_args_to_ring.isra.0+0x4ad/0x530 Read of size 8 at addr ffff888009ecc678 by task repro_minimal_u/153 CPU: 0 UID: 1000 PID: 153 Comm: repro_minimal_u Tainted: G B W 7.1.0-rc6 #1 PREEMPT(lazy) Tainted: [B]=BAD_PAGE, [W]=WARN Hardware name: QEMU Ubuntu 24.04 PC v2 (i440FX + PIIX, arch_caps fix, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 Call Trace: dump_stack_lvl+0x7b/0xa0 print_report+0xce/0x5f0 kasan_report+0xce/0x100 fuse_uring_args_to_ring.isra.0+0x4ad/0x530 fuse_uring_copy_to_ring+0xf0/0x230 fuse_uring_send_in_task+0x153/0x4c0 io_handle_tw_list+0x2fe/0x3a0 tctx_task_work_run+0x59/0x230 tctx_task_work+0x7a/0xd0 task_work_run+0x13f/0x210 get_signal+0x1bb/0x1ea0 arch_do_signal_or_restart+0x8f/0x6f0 exit_to_user_mode_loop+0x6e/0x4b0 do_syscall_64+0x482/0x5a0 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7fb20618a28d Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 5b bb 0d 00 f7 d8 64 89 01 48 RSP: 002b:00007fb20605edc8 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 RAX: fffffffffffffffb RBX: 0000558c96020028 RCX: 00007fb20618a28d RDX: 0000000000050480 RSI: 0000200000000040 RDI: ffffffffffffff9c RBP: 0000558c96020020 R08: 00007fb20605fcdc R09: 0000558c96020028 R10: 0000000000000028 R11: 0000000000000246 R12: 0000558c9602002c R13: fffffffffffffeb8 R14: 0000000000000000 R15: 0000558c9601fc80 Allocated by task 153 on cpu 0 at 28.466485s: kasan_save_stack+0x33/0x60 kasan_save_track+0x17/0x60 __kasan_slab_alloc+0x6e/0x70 kmem_cache_alloc_noprof+0xfd/0x380 fuse_request_alloc+0x22/0x200 fuse_get_req+0x295/0x8c0 __fuse_simple_request+0x9d/0xd40 fuse_send_open+0x1cc/0x270 fuse_file_open+0x2e4/0x810 fuse_do_open+0x50/0xc0 fuse_dir_open+0x10d/0x260 do_dentry_open+0x5cc/0x1340 vfs_open+0x79/0x390 path_openat+0x22f6/0x3bc0 do_file_open+0x219/0x470 do_sys_openat2+0xed/0x1b0 __x64_sys_openat+0x131/0x1e0 do_syscall_64+0x102/0x5a0 entry_SYSCALL_64_after_hwframe+0x77/0x7f Freed by task 153 on cpu 0 at 28.574662s: kasan_save_stack+0x33/0x60 kasan_save_track+0x17/0x60 kasan_save_free_info+0x3b/0x60 __kasan_slab_free+0x43/0x70 kmem_cache_free+0xba/0x3b0 fuse_put_request+0x190/0x2a0 __fuse_simple_request+0x4d0/0xd40 fuse_send_open+0x1cc/0x270 fuse_file_open+0x2e4/0x810 fuse_do_open+0x50/0xc0 fuse_dir_open+0x10d/0x260 do_dentry_open+0x5cc/0x1340 vfs_open+0x79/0x390 path_openat+0x22f6/0x3bc0 do_file_open+0x219/0x470 do_sys_openat2+0xed/0x1b0 __x64_sys_openat+0x131/0x1e0 do_syscall_64+0x102/0x5a0 entry_SYSCALL_64_after_hwframe+0x77/0x7f The buggy address belongs to the object at ffff888009ecc658 which belongs to the cache fuse_request of size 168 The buggy address is located 32 bytes inside of freed 168-byte region [ffff888009ecc658, ffff888009ecc700) The buggy address belongs to the physical page: page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff888009ecc828 pfn:0x9ecc flags: 0x100000000000200(workingset|node=0|zone=1) page_type: f5(slab) raw: 0100000000000200 ffff88800a48c8c0 ffff88800a486990 ffff88800a486990 raw: ffff888009ecc828 0000000000110009 00000000f5000000 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff888009ecc500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff888009ecc580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff888009ecc600: fc fc fc fc fc fc fc fc fc fc fc fa fb fb fb fb ^ ffff888009ecc680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff888009ecc700: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb ================================================================== ================================================================== BUG: KASAN: slab-use-after-free in fuse_uring_args_to_ring.isra.0+0x4a3/0x530 Read of size 8 at addr ffff888009ecc698 by task repro_minimal_u/153 CPU: 0 UID: 1000 PID: 153 Comm: repro_minimal_u Tainted: G B W 7.1.0-rc6 #1 PREEMPT(lazy) Tainted: [B]=BAD_PAGE, [W]=WARN Hardware name: QEMU Ubuntu 24.04 PC v2 (i440FX + PIIX, arch_caps fix, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 Call Trace: dump_stack_lvl+0x7b/0xa0 print_report+0xce/0x5f0 kasan_report+0xce/0x100 fuse_uring_args_to_ring.isra.0+0x4a3/0x530 fuse_uring_copy_to_ring+0xf0/0x230 fuse_uring_send_in_task+0x153/0x4c0 io_handle_tw_list+0x2fe/0x3a0 tctx_task_work_run+0x59/0x230 tctx_task_work+0x7a/0xd0 task_work_run+0x13f/0x210 get_signal+0x1bb/0x1ea0 arch_do_signal_or_restart+0x8f/0x6f0 exit_to_user_mode_loop+0x6e/0x4b0 do_syscall_64+0x482/0x5a0 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7fb20618a28d Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 5b bb 0d 00 f7 d8 64 89 01 48 RSP: 002b:00007fb20605edc8 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 RAX: fffffffffffffffb RBX: 0000558c96020028 RCX: 00007fb20618a28d RDX: 0000000000050480 RSI: 0000200000000040 RDI: ffffffffffffff9c RBP: 0000558c96020020 R08: 00007fb20605fcdc R09: 0000558c96020028 R10: 0000000000000028 R11: 0000000000000246 R12: 0000558c9602002c R13: fffffffffffffeb8 R14: 0000000000000000 R15: 0000558c9601fc80 Allocated by task 153 on cpu 0 at 28.466485s: kasan_save_stack+0x33/0x60 kasan_save_track+0x17/0x60 __kasan_slab_alloc+0x6e/0x70 kmem_cache_alloc_noprof+0xfd/0x380 fuse_request_alloc+0x22/0x200 fuse_get_req+0x295/0x8c0 __fuse_simple_request+0x9d/0xd40 fuse_send_open+0x1cc/0x270 fuse_file_open+0x2e4/0x810 fuse_do_open+0x50/0xc0 fuse_dir_open+0x10d/0x260 do_dentry_open+0x5cc/0x1340 vfs_open+0x79/0x390 path_openat+0x22f6/0x3bc0 do_file_open+0x219/0x470 do_sys_openat2+0xed/0x1b0 __x64_sys_openat+0x131/0x1e0 do_syscall_64+0x102/0x5a0 entry_SYSCALL_64_after_hwframe+0x77/0x7f Freed by task 153 on cpu 0 at 28.574662s: kasan_save_stack+0x33/0x60 kasan_save_track+0x17/0x60 kasan_save_free_info+0x3b/0x60 __kasan_slab_free+0x43/0x70 kmem_cache_free+0xba/0x3b0 fuse_put_request+0x190/0x2a0 __fuse_simple_request+0x4d0/0xd40 fuse_send_open+0x1cc/0x270 fuse_file_open+0x2e4/0x810 fuse_do_open+0x50/0xc0 fuse_dir_open+0x10d/0x260 do_dentry_open+0x5cc/0x1340 vfs_open+0x79/0x390 path_openat+0x22f6/0x3bc0 do_file_open+0x219/0x470 do_sys_openat2+0xed/0x1b0 __x64_sys_openat+0x131/0x1e0 do_syscall_64+0x102/0x5a0 entry_SYSCALL_64_after_hwframe+0x77/0x7f The buggy address belongs to the object at ffff888009ecc658 which belongs to the cache fuse_request of size 168 The buggy address is located 64 bytes inside of freed 168-byte region [ffff888009ecc658, ffff888009ecc700) The buggy address belongs to the physical page: page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff888009ecc828 pfn:0x9ecc flags: 0x100000000000200(workingset|node=0|zone=1) page_type: f5(slab) raw: 0100000000000200 ffff88800a48c8c0 ffff88800a486990 ffff88800a486990 raw: ffff888009ecc828 0000000000110009 00000000f5000000 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff888009ecc580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff888009ecc600: fc fc fc fc fc fc fc fc fc fc fc fa fb fb fb fb >ffff888009ecc680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff888009ecc700: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb ffff888009ecc780: fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc ================================================================== ================================================================== BUG: KASAN: slab-use-after-free in _copy_to_user+0x4e/0x80 Read of size 40 at addr ffff888009ecc690 by task repro_minimal_u/153 CPU: 0 UID: 1000 PID: 153 Comm: repro_minimal_u Tainted: G B W 7.1.0-rc6 #1 PREEMPT(lazy) Tainted: [B]=BAD_PAGE, [W]=WARN Hardware name: QEMU Ubuntu 24.04 PC v2 (i440FX + PIIX, arch_caps fix, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 Call Trace: dump_stack_lvl+0x7b/0xa0 print_report+0xce/0x5f0 kasan_report+0xce/0x100 kasan_check_range+0x105/0x1b0 _copy_to_user+0x4e/0x80 fuse_uring_copy_to_ring+0x12c/0x230 fuse_uring_send_in_task+0x153/0x4c0 io_handle_tw_list+0x2fe/0x3a0 tctx_task_work_run+0x59/0x230 tctx_task_work+0x7a/0xd0 task_work_run+0x13f/0x210 get_signal+0x1bb/0x1ea0 arch_do_signal_or_restart+0x8f/0x6f0 exit_to_user_mode_loop+0x6e/0x4b0 do_syscall_64+0x482/0x5a0 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7fb20618a28d Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 5b bb 0d 00 f7 d8 64 89 01 48 RSP: 002b:00007fb20605edc8 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 RAX: fffffffffffffffb RBX: 0000558c96020028 RCX: 00007fb20618a28d RDX: 0000000000050480 RSI: 0000200000000040 RDI: ffffffffffffff9c RBP: 0000558c96020020 R08: 00007fb20605fcdc R09: 0000558c96020028 R10: 0000000000000028 R11: 0000000000000246 R12: 0000558c9602002c R13: fffffffffffffeb8 R14: 0000000000000000 R15: 0000558c9601fc80 Allocated by task 153 on cpu 0 at 28.466485s: kasan_save_stack+0x33/0x60 kasan_save_track+0x17/0x60 __kasan_slab_alloc+0x6e/0x70 kmem_cache_alloc_noprof+0xfd/0x380 fuse_request_alloc+0x22/0x200 fuse_get_req+0x295/0x8c0 __fuse_simple_request+0x9d/0xd40 fuse_send_open+0x1cc/0x270 fuse_file_open+0x2e4/0x810 fuse_do_open+0x50/0xc0 fuse_dir_open+0x10d/0x260 do_dentry_open+0x5cc/0x1340 vfs_open+0x79/0x390 path_openat+0x22f6/0x3bc0 do_file_open+0x219/0x470 do_sys_openat2+0xed/0x1b0 __x64_sys_openat+0x131/0x1e0 do_syscall_64+0x102/0x5a0 entry_SYSCALL_64_after_hwframe+0x77/0x7f Freed by task 153 on cpu 0 at 28.574662s: kasan_save_stack+0x33/0x60 kasan_save_track+0x17/0x60 kasan_save_free_info+0x3b/0x60 __kasan_slab_free+0x43/0x70 kmem_cache_free+0xba/0x3b0 fuse_put_request+0x190/0x2a0 __fuse_simple_request+0x4d0/0xd40 fuse_send_open+0x1cc/0x270 fuse_file_open+0x2e4/0x810 fuse_do_open+0x50/0xc0 fuse_dir_open+0x10d/0x260 do_dentry_open+0x5cc/0x1340 vfs_open+0x79/0x390 path_openat+0x22f6/0x3bc0 do_file_open+0x219/0x470 do_sys_openat2+0xed/0x1b0 __x64_sys_openat+0x131/0x1e0 do_syscall_64+0x102/0x5a0 entry_SYSCALL_64_after_hwframe+0x77/0x7f The buggy address belongs to the object at ffff888009ecc658 which belongs to the cache fuse_request of size 168 The buggy address is located 56 bytes inside of freed 168-byte region [ffff888009ecc658, ffff888009ecc700) The buggy address belongs to the physical page: page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff888009ecc828 pfn:0x9ecc flags: 0x100000000000200(workingset|node=0|zone=1) page_type: f5(slab) raw: 0100000000000200 ffff88800a48c8c0 ffff88800a486990 ffff88800a486990 raw: ffff888009ecc828 0000000000110009 00000000f5000000 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff888009ecc580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff888009ecc600: fc fc fc fc fc fc fc fc fc fc fc fa fb fb fb fb >ffff888009ecc680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff888009ecc700: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb ffff888009ecc780: fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc ================================================================== ================================================================== BUG: KASAN: slab-use-after-free in fuse_uring_send_in_task+0x171/0x4c0 Write of size 8 at addr ffff888009ecc688 by task repro_minimal_u/153 CPU: 0 UID: 1000 PID: 153 Comm: repro_minimal_u Tainted: G B W 7.1.0-rc6 #1 PREEMPT(lazy) Tainted: [B]=BAD_PAGE, [W]=WARN Hardware name: QEMU Ubuntu 24.04 PC v2 (i440FX + PIIX, arch_caps fix, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 Call Trace: dump_stack_lvl+0x7b/0xa0 print_report+0xce/0x5f0 kasan_report+0xce/0x100 kasan_check_range+0x105/0x1b0 fuse_uring_send_in_task+0x171/0x4c0 io_handle_tw_list+0x2fe/0x3a0 tctx_task_work_run+0x59/0x230 tctx_task_work+0x7a/0xd0 task_work_run+0x13f/0x210 get_signal+0x1bb/0x1ea0 arch_do_signal_or_restart+0x8f/0x6f0 exit_to_user_mode_loop+0x6e/0x4b0 do_syscall_64+0x482/0x5a0 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7fb20618a28d Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 5b bb 0d 00 f7 d8 64 89 01 48 RSP: 002b:00007fb20605edc8 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 RAX: fffffffffffffffb RBX: 0000558c96020028 RCX: 00007fb20618a28d RDX: 0000000000050480 RSI: 0000200000000040 RDI: ffffffffffffff9c RBP: 0000558c96020020 R08: 00007fb20605fcdc R09: 0000558c96020028 R10: 0000000000000028 R11: 0000000000000246 R12: 0000558c9602002c R13: fffffffffffffeb8 R14: 0000000000000000 R15: 0000558c9601fc80 Allocated by task 153 on cpu 0 at 28.466485s: kasan_save_stack+0x33/0x60 kasan_save_track+0x17/0x60 __kasan_slab_alloc+0x6e/0x70 kmem_cache_alloc_noprof+0xfd/0x380 fuse_request_alloc+0x22/0x200 fuse_get_req+0x295/0x8c0 __fuse_simple_request+0x9d/0xd40 fuse_send_open+0x1cc/0x270 fuse_file_open+0x2e4/0x810 fuse_do_open+0x50/0xc0 fuse_dir_open+0x10d/0x260 do_dentry_open+0x5cc/0x1340 vfs_open+0x79/0x390 path_openat+0x22f6/0x3bc0 do_file_open+0x219/0x470 do_sys_openat2+0xed/0x1b0 __x64_sys_openat+0x131/0x1e0 do_syscall_64+0x102/0x5a0 entry_SYSCALL_64_after_hwframe+0x77/0x7f Freed by task 153 on cpu 0 at 28.574662s: kasan_save_stack+0x33/0x60 kasan_save_track+0x17/0x60 kasan_save_free_info+0x3b/0x60 __kasan_slab_free+0x43/0x70 kmem_cache_free+0xba/0x3b0 fuse_put_request+0x190/0x2a0 __fuse_simple_request+0x4d0/0xd40 fuse_send_open+0x1cc/0x270 fuse_file_open+0x2e4/0x810 fuse_do_open+0x50/0xc0 fuse_dir_open+0x10d/0x260 do_dentry_open+0x5cc/0x1340 vfs_open+0x79/0x390 path_openat+0x22f6/0x3bc0 do_file_open+0x219/0x470 do_sys_openat2+0xed/0x1b0 __x64_sys_openat+0x131/0x1e0 do_syscall_64+0x102/0x5a0 entry_SYSCALL_64_after_hwframe+0x77/0x7f The buggy address belongs to the object at ffff888009ecc658 which belongs to the cache fuse_request of size 168 The buggy address is located 48 bytes inside of freed 168-byte region [ffff888009ecc658, ffff888009ecc700) The buggy address belongs to the physical page: page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff888009ecc828 pfn:0x9ecc flags: 0x100000000000200(workingset|node=0|zone=1) page_type: f5(slab) raw: 0100000000000200 ffff88800a48c8c0 ffff88800a486990 ffff88800a486990 raw: ffff888009ecc828 0000000000110009 00000000f5000000 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff888009ecc580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff888009ecc600: fc fc fc fc fc fc fc fc fc fc fc fa fb fb fb fb >ffff888009ecc680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff888009ecc700: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb ffff888009ecc780: fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc ================================================================== ================================================================== BUG: KASAN: slab-use-after-free in fuse_uring_stop_list_entries+0x786/0x990 Read of size 8 at addr ffff888009ecc658 by task repro_minimal_u/152 CPU: 0 UID: 1000 PID: 152 Comm: repro_minimal_u Tainted: G B W 7.1.0-rc6 #1 PREEMPT(lazy) Tainted: [B]=BAD_PAGE, [W]=WARN Hardware name: QEMU Ubuntu 24.04 PC v2 (i440FX + PIIX, arch_caps fix, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 Call Trace: dump_stack_lvl+0x7b/0xa0 print_report+0xce/0x5f0 kasan_report+0xce/0x100 fuse_uring_stop_list_entries+0x786/0x990 fuse_uring_teardown_all_queues+0xb0/0x120 fuse_uring_stop_queues+0x1f/0x230 fuse_abort_conn+0xac7/0xd40 fuse_dev_release+0x3a3/0x4d0 __fput+0x38c/0xa70 fput_close_sync+0xfa/0x1f0 __x64_sys_close+0x87/0xf0 do_syscall_64+0x102/0x5a0 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7fb20617974c Code: 0f 05 48 3d 00 f0 ff ff 77 3c c3 0f 1f 00 55 48 89 e5 48 83 ec 10 89 7d fc e8 10 1e f8 ff 8b 7d fc 89 c2 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 2c 89 d7 89 45 fc e8 72 1e f8 ff 8b 45 fc c9 RSP: 002b:0000558c9601fe50 EFLAGS: 00000293 ORIG_RAX: 0000000000000003 RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fb20617974c RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003 RBP: 0000558c9601fe60 R08: 0000000000000000 R09: 00007fb206277000 R10: 0000000000000000 R11: 0000000000000293 R12: 0000558c95f04a10 R13: 0000000000006e2b R14: 0000000000006e5d R15: 0000558c9601feb0 Allocated by task 153 on cpu 0 at 28.466485s: kasan_save_stack+0x33/0x60 kasan_save_track+0x17/0x60 __kasan_slab_alloc+0x6e/0x70 kmem_cache_alloc_noprof+0xfd/0x380 fuse_request_alloc+0x22/0x200 fuse_get_req+0x295/0x8c0 __fuse_simple_request+0x9d/0xd40 fuse_send_open+0x1cc/0x270 fuse_file_open+0x2e4/0x810 fuse_do_open+0x50/0xc0 fuse_dir_open+0x10d/0x260 do_dentry_open+0x5cc/0x1340 vfs_open+0x79/0x390 path_openat+0x22f6/0x3bc0 do_file_open+0x219/0x470 do_sys_openat2+0xed/0x1b0 __x64_sys_openat+0x131/0x1e0 do_syscall_64+0x102/0x5a0 entry_SYSCALL_64_after_hwframe+0x77/0x7f Freed by task 153 on cpu 0 at 28.574662s: kasan_save_stack+0x33/0x60 kasan_save_track+0x17/0x60 kasan_save_free_info+0x3b/0x60 __kasan_slab_free+0x43/0x70 kmem_cache_free+0xba/0x3b0 fuse_put_request+0x190/0x2a0 __fuse_simple_request+0x4d0/0xd40 fuse_send_open+0x1cc/0x270 fuse_file_open+0x2e4/0x810 fuse_do_open+0x50/0xc0 fuse_dir_open+0x10d/0x260 do_dentry_open+0x5cc/0x1340 vfs_open+0x79/0x390 path_openat+0x22f6/0x3bc0 do_file_open+0x219/0x470 do_sys_openat2+0xed/0x1b0 __x64_sys_openat+0x131/0x1e0 do_syscall_64+0x102/0x5a0 entry_SYSCALL_64_after_hwframe+0x77/0x7f The buggy address belongs to the object at ffff888009ecc658 which belongs to the cache fuse_request of size 168 The buggy address is located 0 bytes inside of freed 168-byte region [ffff888009ecc658, ffff888009ecc700) The buggy address belongs to the physical page: page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff888009ecc828 pfn:0x9ecc flags: 0x100000000000200(workingset|node=0|zone=1) page_type: f5(slab) raw: 0100000000000200 ffff88800a48c8c0 ffff88800a486990 ffff88800a486990 raw: ffff888009ecc828 0000000000110009 00000000f5000000 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff888009ecc500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff888009ecc580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff888009ecc600: fc fc fc fc fc fc fc fc fc fc fc fa fb fb fb fb ^ ffff888009ecc680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff888009ecc700: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb ================================================================== ================================================================== BUG: KASAN: slab-use-after-free in fuse_uring_stop_list_entries+0x7e1/0x990 Read of size 8 at addr ffff888009ecc660 by task repro_minimal_u/152 CPU: 0 UID: 1000 PID: 152 Comm: repro_minimal_u Tainted: G B W 7.1.0-rc6 #1 PREEMPT(lazy) Tainted: [B]=BAD_PAGE, [W]=WARN Hardware name: QEMU Ubuntu 24.04 PC v2 (i440FX + PIIX, arch_caps fix, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 Call Trace: dump_stack_lvl+0x7b/0xa0 print_report+0xce/0x5f0 kasan_report+0xce/0x100 fuse_uring_stop_list_entries+0x7e1/0x990 fuse_uring_teardown_all_queues+0xb0/0x120 fuse_uring_stop_queues+0x1f/0x230 fuse_abort_conn+0xac7/0xd40 fuse_dev_release+0x3a3/0x4d0 __fput+0x38c/0xa70 fput_close_sync+0xfa/0x1f0 __x64_sys_close+0x87/0xf0 do_syscall_64+0x102/0x5a0 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7fb20617974c Code: 0f 05 48 3d 00 f0 ff ff 77 3c c3 0f 1f 00 55 48 89 e5 48 83 ec 10 89 7d fc e8 10 1e f8 ff 8b 7d fc 89 c2 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 2c 89 d7 89 45 fc e8 72 1e f8 ff 8b 45 fc c9 RSP: 002b:0000558c9601fe50 EFLAGS: 00000293 ORIG_RAX: 0000000000000003 RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fb20617974c RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003 RBP: 0000558c9601fe60 R08: 0000000000000000 R09: 00007fb206277000 R10: 0000000000000000 R11: 0000000000000293 R12: 0000558c95f04a10 R13: 0000000000006e2b R14: 0000000000006e5d R15: 0000558c9601feb0 Allocated by task 153 on cpu 0 at 28.466485s: kasan_save_stack+0x33/0x60 kasan_save_track+0x17/0x60 __kasan_slab_alloc+0x6e/0x70 kmem_cache_alloc_noprof+0xfd/0x380 fuse_request_alloc+0x22/0x200 fuse_get_req+0x295/0x8c0 __fuse_simple_request+0x9d/0xd40 fuse_send_open+0x1cc/0x270 fuse_file_open+0x2e4/0x810 fuse_do_open+0x50/0xc0 fuse_dir_open+0x10d/0x260 do_dentry_open+0x5cc/0x1340 vfs_open+0x79/0x390 path_openat+0x22f6/0x3bc0 do_file_open+0x219/0x470 do_sys_openat2+0xed/0x1b0 __x64_sys_openat+0x131/0x1e0 do_syscall_64+0x102/0x5a0 entry_SYSCALL_64_after_hwframe+0x77/0x7f Freed by task 153 on cpu 0 at 28.574662s: kasan_save_stack+0x33/0x60 kasan_save_track+0x17/0x60 kasan_save_free_info+0x3b/0x60 __kasan_slab_free+0x43/0x70 kmem_cache_free+0xba/0x3b0 fuse_put_request+0x190/0x2a0 __fuse_simple_request+0x4d0/0xd40 fuse_send_open+0x1cc/0x270 fuse_file_open+0x2e4/0x810 fuse_do_open+0x50/0xc0 fuse_dir_open+0x10d/0x260 do_dentry_open+0x5cc/0x1340 vfs_open+0x79/0x390 path_openat+0x22f6/0x3bc0 do_file_open+0x219/0x470 do_sys_openat2+0xed/0x1b0 __x64_sys_openat+0x131/0x1e0 do_syscall_64+0x102/0x5a0 entry_SYSCALL_64_after_hwframe+0x77/0x7f The buggy address belongs to the object at ffff888009ecc658 which belongs to the cache fuse_request of size 168 The buggy address is located 8 bytes inside of freed 168-byte region [ffff888009ecc658, ffff888009ecc700) The buggy address belongs to the physical page: page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff888009ecc828 pfn:0x9ecc flags: 0x100000000000200(workingset|node=0|zone=1) page_type: f5(slab) raw: 0100000000000200 ffff88800a48c8c0 ffff88800a486990 ffff88800a486990 raw: ffff888009ecc828 0000000000110009 00000000f5000000 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff888009ecc500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff888009ecc580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff888009ecc600: fc fc fc fc fc fc fc fc fc fc fc fa fb fb fb fb ^ ffff888009ecc680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff888009ecc700: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb ================================================================== ================================================================== BUG: KASAN: slab-use-after-free in fuse_uring_stop_list_entries+0x7c8/0x990 Write of size 8 at addr ffff88800c0c7908 by task repro_minimal_u/152 CPU: 0 UID: 1000 PID: 152 Comm: repro_minimal_u Tainted: G B W 7.1.0-rc6 #1 PREEMPT(lazy) Tainted: [B]=BAD_PAGE, [W]=WARN Hardware name: QEMU Ubuntu 24.04 PC v2 (i440FX + PIIX, arch_caps fix, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 Call Trace: dump_stack_lvl+0x7b/0xa0 print_report+0xce/0x5f0 kasan_report+0xce/0x100 fuse_uring_stop_list_entries+0x7c8/0x990 fuse_uring_teardown_all_queues+0xb0/0x120 fuse_uring_stop_queues+0x1f/0x230 fuse_abort_conn+0xac7/0xd40 fuse_dev_release+0x3a3/0x4d0 __fput+0x38c/0xa70 fput_close_sync+0xfa/0x1f0 __x64_sys_close+0x87/0xf0 do_syscall_64+0x102/0x5a0 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7fb20617974c Code: 0f 05 48 3d 00 f0 ff ff 77 3c c3 0f 1f 00 55 48 89 e5 48 83 ec 10 89 7d fc e8 10 1e f8 ff 8b 7d fc 89 c2 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 2c 89 d7 89 45 fc e8 72 1e f8 ff 8b 45 fc c9 RSP: 002b:0000558c9601fe50 EFLAGS: 00000293 ORIG_RAX: 0000000000000003 RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fb20617974c RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003 RBP: 0000558c9601fe60 R08: 0000000000000000 R09: 00007fb206277000 R10: 0000000000000000 R11: 0000000000000293 R12: 0000558c95f04a10 R13: 0000000000006e2b R14: 0000000000006e5d R15: 0000558c9601feb0 Allocated by task 153 on cpu 0 at 28.466479s: kasan_save_stack+0x33/0x60 kasan_save_track+0x17/0x60 __kasan_kmalloc+0x8f/0xa0 fuse_file_alloc+0xba/0x2c0 fuse_file_open+0x22d/0x810 fuse_do_open+0x50/0xc0 fuse_dir_open+0x10d/0x260 do_dentry_open+0x5cc/0x1340 vfs_open+0x79/0x390 path_openat+0x22f6/0x3bc0 do_file_open+0x219/0x470 do_sys_openat2+0xed/0x1b0 __x64_sys_openat+0x131/0x1e0 do_syscall_64+0x102/0x5a0 entry_SYSCALL_64_after_hwframe+0x77/0x7f Freed by task 153 on cpu 0 at 28.574668s: kasan_save_stack+0x33/0x60 kasan_save_track+0x17/0x60 kasan_save_free_info+0x3b/0x60 __kasan_slab_free+0x43/0x70 kfree+0x133/0x3a0 fuse_file_open+0x524/0x810 fuse_do_open+0x50/0xc0 fuse_dir_open+0x10d/0x260 do_dentry_open+0x5cc/0x1340 vfs_open+0x79/0x390 path_openat+0x22f6/0x3bc0 do_file_open+0x219/0x470 do_sys_openat2+0xed/0x1b0 __x64_sys_openat+0x131/0x1e0 do_syscall_64+0x102/0x5a0 entry_SYSCALL_64_after_hwframe+0x77/0x7f The buggy address belongs to the object at ffff88800c0c7900 which belongs to the cache kmalloc-192 of size 192 The buggy address is located 8 bytes inside of freed 192-byte region [ffff88800c0c7900, ffff88800c0c79c0) The buggy address belongs to the physical page: page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0xc0c7 flags: 0x100000000000000(node=0|zone=1) page_type: f5(slab) raw: 0100000000000000 ffff8880090413c0 dead000000000100 dead000000000122 raw: 0000000000000000 0000000000100010 00000000f5000000 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff88800c0c7800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff88800c0c7880: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc >ffff88800c0c7900: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff88800c0c7980: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc ffff88800c0c7a00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ================================================================== Oops: general protection fault, probably for non-canonical address 0xe03a7c15c0000013: 0000 [#1] SMP KASAN PTI KASAN: maybe wild-memory-access in range [0x01d400ae00000098-0x01d400ae0000009f] CPU: 0 UID: 1000 PID: 152 Comm: repro_minimal_u Tainted: G B W 7.1.0-rc6 #1 PREEMPT(lazy) Tainted: [B]=BAD_PAGE, [W]=WARN Hardware name: QEMU Ubuntu 24.04 PC v2 (i440FX + PIIX, arch_caps fix, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 RIP: 0010:fuse_uring_stop_list_entries+0x332/0x990 Code: 85 ca 04 00 00 48 8d 7e 08 49 8b 4d 08 49 89 f8 49 c1 e8 03 41 80 3c 28 00 0f 85 92 04 00 00 48 89 cf 48 89 4e 08 48 c1 ef 03 <80> 3c 2f 00 0f 85 5c 04 00 00 48 89 31 4c 89 e9 48 c1 e9 03 80 3c RSP: 0018:ffffc90000a5fb08 EFLAGS: 00010202 RAX: 0000000000000001 RBX: ffff888009f68c00 RCX: 01d400ae00000099 RDX: ffff888009e95000 RSI: ffff88800c0c7900 RDI: 003a8015c0000013 RBP: dffffc0000000000 R08: 0000000000000001 R09: fffffbfff11d1438 R10: ffffffff88e8a1c7 R11: 0000000000000001 R12: ffff88800c0c7b00 R13: ffff888009ecc658 R14: ffff888009f68c20 R15: ffffc90000a5fb50 FS: 00007fb206060800(0000) GS:ffff8880acde2000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fb20615ca10 CR3: 000000000dc18000 CR4: 00000000000006f0 Call Trace: fuse_uring_teardown_all_queues+0xb0/0x120 fuse_uring_stop_queues+0x1f/0x230 fuse_abort_conn+0xac7/0xd40 fuse_dev_release+0x3a3/0x4d0 __fput+0x38c/0xa70 fput_close_sync+0xfa/0x1f0 __x64_sys_close+0x87/0xf0 do_syscall_64+0x102/0x5a0 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7fb20617974c Code: 0f 05 48 3d 00 f0 ff ff 77 3c c3 0f 1f 00 55 48 89 e5 48 83 ec 10 89 7d fc e8 10 1e f8 ff 8b 7d fc 89 c2 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 2c 89 d7 89 45 fc e8 72 1e f8 ff 8b 45 fc c9 RSP: 002b:0000558c9601fe50 EFLAGS: 00000293 ORIG_RAX: 0000000000000003 RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fb20617974c RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003 RBP: 0000558c9601fe60 R08: 0000000000000000 R09: 00007fb206277000 R10: 0000000000000000 R11: 0000000000000293 R12: 0000558c95f04a10 R13: 0000000000006e2b R14: 0000000000006e5d R15: 0000558c9601feb0 Modules linked in: ---[ end trace 0000000000000000 ]--- RIP: 0010:fuse_uring_stop_list_entries+0x332/0x990 Code: 85 ca 04 00 00 48 8d 7e 08 49 8b 4d 08 49 89 f8 49 c1 e8 03 41 80 3c 28 00 0f 85 92 04 00 00 48 89 cf 48 89 4e 08 48 c1 ef 03 <80> 3c 2f 00 0f 85 5c 04 00 00 48 89 31 4c 89 e9 48 c1 e9 03 80 3c RSP: 0018:ffffc90000a5fb08 EFLAGS: 00010202 RAX: 0000000000000001 RBX: ffff888009f68c00 RCX: 01d400ae00000099 RDX: ffff888009e95000 RSI: ffff88800c0c7900 RDI: 003a8015c0000013 RBP: dffffc0000000000 R08: 0000000000000001 R09: fffffbfff11d1438 R10: ffffffff88e8a1c7 R11: 0000000000000001 R12: ffff88800c0c7b00 R13: ffff888009ecc658 R14: ffff888009f68c20 R15: ffffc90000a5fb50 FS: 00007fb206060800(0000) GS:ffff8880acde2000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fb20615ca10 CR3: 000000000dc18000 CR4: 00000000000006f0 ---------------- Code disassembly (best guess): 0: 85 ca test %ecx,%edx 2: 04 00 add $0x0,%al 4: 00 48 8d add %cl,-0x73(%rax) 7: 7e 08 jle 0x11 9: 49 8b 4d 08 mov 0x8(%r13),%rcx d: 49 89 f8 mov %rdi,%r8 10: 49 c1 e8 03 shr $0x3,%r8 14: 41 80 3c 28 00 cmpb $0x0,(%r8,%rbp,1) 19: 0f 85 92 04 00 00 jne 0x4b1 1f: 48 89 cf mov %rcx,%rdi 22: 48 89 4e 08 mov %rcx,0x8(%rsi) 26: 48 c1 ef 03 shr $0x3,%rdi * 2a: 80 3c 2f 00 cmpb $0x0,(%rdi,%rbp,1) <-- trapping instruction 2e: 0f 85 5c 04 00 00 jne 0x490 34: 48 89 31 mov %rsi,(%rcx) 37: 4c 89 e9 mov %r13,%rcx 3a: 48 c1 e9 03 shr $0x3,%rcx 3e: 80 .byte 0x80 3f: 3c .byte 0x3c TITLE: KASAN: slab-use-after-free Read in fuse_uring_copy_to_ring CORRUPTED: false () SUPPRESSED: false MAINTAINERS (TO): [] MAINTAINERS (CC): [] ---[ end trace 0000000000000000 ]--- fuse: qid=0 commit_id 4 state 3 fuse: FUSE_IO_URING_COMMIT_AND_FETCH failed err=-5 ================================================================== BUG: KASAN: slab-use-after-free in fuse_uring_copy_to_ring+0x20b/0x230 Read of size 8 at addr ffff888009ecc698 by task repro_minimal_u/153 CPU: 0 UID: 1000 PID: 153 Comm: repro_minimal_u Tainted: G W 7.1.0-rc6 #1 PREEMPT(lazy) Tainted: [W]=WARN Hardware name: QEMU Ubuntu 24.04 PC v2 (i440FX + PIIX, arch_caps fix, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 Call Trace: dump_stack_lvl+0x7b/0xa0 print_report+0xce/0x5f0 kasan_report+0xce/0x100 fuse_uring_copy_to_ring+0x20b/0x230 fuse_uring_send_in_task+0x153/0x4c0 io_handle_tw_list+0x2fe/0x3a0 tctx_task_work_run+0x59/0x230 tctx_task_work+0x7a/0xd0 task_work_run+0x13f/0x210 get_signal+0x1bb/0x1ea0 arch_do_signal_or_restart+0x8f/0x6f0 exit_to_user_mode_loop+0x6e/0x4b0 do_syscall_64+0x482/0x5a0 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7fb20618a28d Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 5b bb 0d 00 f7 d8 64 89 01 48 RSP: 002b:00007fb20605edc8 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 RAX: fffffffffffffffb RBX: 0000558c96020028 RCX: 00007fb20618a28d RDX: 0000000000050480 RSI: 0000200000000040 RDI: ffffffffffffff9c RBP: 0000558c96020020 R08: 00007fb20605fcdc R09: 0000558c96020028 R10: 0000000000000028 R11: 0000000000000246 R12: 0000558c9602002c R13: fffffffffffffeb8 R14: 0000000000000000 R15: 0000558c9601fc80 Allocated by task 153 on cpu 0 at 28.466485s: kasan_save_stack+0x33/0x60 kasan_save_track+0x17/0x60 __kasan_slab_alloc+0x6e/0x70 kmem_cache_alloc_noprof+0xfd/0x380 fuse_request_alloc+0x22/0x200 fuse_get_req+0x295/0x8c0 __fuse_simple_request+0x9d/0xd40 fuse_send_open+0x1cc/0x270 fuse_file_open+0x2e4/0x810 fuse_do_open+0x50/0xc0 fuse_dir_open+0x10d/0x260 do_dentry_open+0x5cc/0x1340 vfs_open+0x79/0x390 path_openat+0x22f6/0x3bc0 do_file_open+0x219/0x470 do_sys_openat2+0xed/0x1b0 __x64_sys_openat+0x131/0x1e0 do_syscall_64+0x102/0x5a0 entry_SYSCALL_64_after_hwframe+0x77/0x7f Freed by task 153 on cpu 0 at 28.574662s: kasan_save_stack+0x33/0x60 kasan_save_track+0x17/0x60 kasan_save_free_info+0x3b/0x60 __kasan_slab_free+0x43/0x70 kmem_cache_free+0xba/0x3b0 fuse_put_request+0x190/0x2a0 __fuse_simple_request+0x4d0/0xd40 fuse_send_open+0x1cc/0x270 fuse_file_open+0x2e4/0x810 fuse_do_open+0x50/0xc0 fuse_dir_open+0x10d/0x260 do_dentry_open+0x5cc/0x1340 vfs_open+0x79/0x390 path_openat+0x22f6/0x3bc0 do_file_open+0x219/0x470 do_sys_openat2+0xed/0x1b0 __x64_sys_openat+0x131/0x1e0 do_syscall_64+0x102/0x5a0 entry_SYSCALL_64_after_hwframe+0x77/0x7f The buggy address belongs to the object at ffff888009ecc658 which belongs to the cache fuse_request of size 168 The buggy address is located 64 bytes inside of freed 168-byte region [ffff888009ecc658, ffff888009ecc700) The buggy address belongs to the physical page: page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff888009ecc828 pfn:0x9ecc flags: 0x100000000000200(workingset|node=0|zone=1) page_type: f5(slab) raw: 0100000000000200 ffff88800a48c8c0 ffff88800a486990 ffff88800a486990 raw: ffff888009ecc828 0000000000110009 00000000f5000000 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff888009ecc580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff888009ecc600: fc fc fc fc fc fc fc fc fc fc fc fa fb fb fb fb >ffff888009ecc680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff888009ecc700: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb ffff888009ecc780: fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc ================================================================== ================================================================== BUG: KASAN: slab-use-after-free in fuse_uring_args_to_ring.isra.0+0x4ad/0x530 Read of size 8 at addr ffff888009ecc678 by task repro_minimal_u/153 CPU: 0 UID: 1000 PID: 153 Comm: repro_minimal_u Tainted: G B W 7.1.0-rc6 #1 PREEMPT(lazy) Tainted: [B]=BAD_PAGE, [W]=WARN Hardware name: QEMU Ubuntu 24.04 PC v2 (i440FX + PIIX, arch_caps fix, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 Call Trace: dump_stack_lvl+0x7b/0xa0 print_report+0xce/0x5f0 kasan_report+0xce/0x100 fuse_uring_args_to_ring.isra.0+0x4ad/0x530 fuse_uring_copy_to_ring+0xf0/0x230 fuse_uring_send_in_task+0x153/0x4c0 io_handle_tw_list+0x2fe/0x3a0 tctx_task_work_run+0x59/0x230 tctx_task_work+0x7a/0xd0 task_work_run+0x13f/0x210 get_signal+0x1bb/0x1ea0 arch_do_signal_or_restart+0x8f/0x6f0 exit_to_user_mode_loop+0x6e/0x4b0 do_syscall_64+0x482/0x5a0 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7fb20618a28d Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 5b bb 0d 00 f7 d8 64 89 01 48 RSP: 002b:00007fb20605edc8 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 RAX: fffffffffffffffb RBX: 0000558c96020028 RCX: 00007fb20618a28d RDX: 0000000000050480 RSI: 0000200000000040 RDI: ffffffffffffff9c RBP: 0000558c96020020 R08: 00007fb20605fcdc R09: 0000558c96020028 R10: 0000000000000028 R11: 0000000000000246 R12: 0000558c9602002c R13: fffffffffffffeb8 R14: 0000000000000000 R15: 0000558c9601fc80 Allocated by task 153 on cpu 0 at 28.466485s: kasan_save_stack+0x33/0x60 kasan_save_track+0x17/0x60 __kasan_slab_alloc+0x6e/0x70 kmem_cache_alloc_noprof+0xfd/0x380 fuse_request_alloc+0x22/0x200 fuse_get_req+0x295/0x8c0 __fuse_simple_request+0x9d/0xd40 fuse_send_open+0x1cc/0x270 fuse_file_open+0x2e4/0x810 fuse_do_open+0x50/0xc0 fuse_dir_open+0x10d/0x260 do_dentry_open+0x5cc/0x1340 vfs_open+0x79/0x390 path_openat+0x22f6/0x3bc0 do_file_open+0x219/0x470 do_sys_openat2+0xed/0x1b0 __x64_sys_openat+0x131/0x1e0 do_syscall_64+0x102/0x5a0 entry_SYSCALL_64_after_hwframe+0x77/0x7f Freed by task 153 on cpu 0 at 28.574662s: kasan_save_stack+0x33/0x60 kasan_save_track+0x17/0x60 kasan_save_free_info+0x3b/0x60 __kasan_slab_free+0x43/0x70 kmem_cache_free+0xba/0x3b0 fuse_put_request+0x190/0x2a0 __fuse_simple_request+0x4d0/0xd40 fuse_send_open+0x1cc/0x270 fuse_file_open+0x2e4/0x810 fuse_do_open+0x50/0xc0 fuse_dir_open+0x10d/0x260 do_dentry_open+0x5cc/0x1340 vfs_open+0x79/0x390 path_openat+0x22f6/0x3bc0 do_file_open+0x219/0x470 do_sys_openat2+0xed/0x1b0 __x64_sys_openat+0x131/0x1e0 do_syscall_64+0x102/0x5a0 entry_SYSCALL_64_after_hwframe+0x77/0x7f The buggy address belongs to the object at ffff888009ecc658 which belongs to the cache fuse_request of size 168 The buggy address is located 32 bytes inside of freed 168-byte region [ffff888009ecc658, ffff888009ecc700) The buggy address belongs to the physical page: page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff888009ecc828 pfn:0x9ecc flags: 0x100000000000200(workingset|node=0|zone=1) page_type: f5(slab) raw: 0100000000000200 ffff88800a48c8c0 ffff88800a486990 ffff88800a486990 raw: ffff888009ecc828 0000000000110009 00000000f5000000 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff888009ecc500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff888009ecc580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff888009ecc600: fc fc fc fc fc fc fc fc fc fc fc fa fb fb fb fb ^ ffff888009ecc680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff888009ecc700: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb ================================================================== ================================================================== BUG: KASAN: slab-use-after-free in fuse_uring_args_to_ring.isra.0+0x4a3/0x530 Read of size 8 at addr ffff888009ecc698 by task repro_minimal_u/153 CPU: 0 UID: 1000 PID: 153 Comm: repro_minimal_u Tainted: G B W 7.1.0-rc6 #1 PREEMPT(lazy) Tainted: [B]=BAD_PAGE, [W]=WARN Hardware name: QEMU Ubuntu 24.04 PC v2 (i440FX + PIIX, arch_caps fix, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 Call Trace: dump_stack_lvl+0x7b/0xa0 print_report+0xce/0x5f0 kasan_report+0xce/0x100 fuse_uring_args_to_ring.isra.0+0x4a3/0x530 fuse_uring_copy_to_ring+0xf0/0x230 fuse_uring_send_in_task+0x153/0x4c0 io_handle_tw_list+0x2fe/0x3a0 tctx_task_work_run+0x59/0x230 tctx_task_work+0x7a/0xd0 task_work_run+0x13f/0x210 get_signal+0x1bb/0x1ea0 arch_do_signal_or_restart+0x8f/0x6f0 exit_to_user_mode_loop+0x6e/0x4b0 do_syscall_64+0x482/0x5a0 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7fb20618a28d Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 5b bb 0d 00 f7 d8 64 89 01 48 RSP: 002b:00007fb20605edc8 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 RAX: fffffffffffffffb RBX: 0000558c96020028 RCX: 00007fb20618a28d RDX: 0000000000050480 RSI: 0000200000000040 RDI: ffffffffffffff9c RBP: 0000558c96020020 R08: 00007fb20605fcdc R09: 0000558c96020028 R10: 0000000000000028 R11: 0000000000000246 R12: 0000558c9602002c R13: fffffffffffffeb8 R14: 0000000000000000 R15: 0000558c9601fc80 Allocated by task 153 on cpu 0 at 28.466485s: kasan_save_stack+0x33/0x60 kasan_save_track+0x17/0x60 __kasan_slab_alloc+0x6e/0x70 kmem_cache_alloc_noprof+0xfd/0x380 fuse_request_alloc+0x22/0x200 fuse_get_req+0x295/0x8c0 __fuse_simple_request+0x9d/0xd40 fuse_send_open+0x1cc/0x270 fuse_file_open+0x2e4/0x810 fuse_do_open+0x50/0xc0 fuse_dir_open+0x10d/0x260 do_dentry_open+0x5cc/0x1340 vfs_open+0x79/0x390 path_openat+0x22f6/0x3bc0 do_file_open+0x219/0x470 do_sys_openat2+0xed/0x1b0 __x64_sys_openat+0x131/0x1e0 do_syscall_64+0x102/0x5a0 entry_SYSCALL_64_after_hwframe+0x77/0x7f Freed by task 153 on cpu 0 at 28.574662s: kasan_save_stack+0x33/0x60 kasan_save_track+0x17/0x60 kasan_save_free_info+0x3b/0x60 __kasan_slab_free+0x43/0x70 kmem_cache_free+0xba/0x3b0 fuse_put_request+0x190/0x2a0 __fuse_simple_request+0x4d0/0xd40 fuse_send_open+0x1cc/0x270 fuse_file_open+0x2e4/0x810 fuse_do_open+0x50/0xc0 fuse_dir_open+0x10d/0x260 do_dentry_open+0x5cc/0x1340 vfs_open+0x79/0x390 path_openat+0x22f6/0x3bc0 do_file_open+0x219/0x470 do_sys_openat2+0xed/0x1b0 __x64_sys_openat+0x131/0x1e0 do_syscall_64+0x102/0x5a0 entry_SYSCALL_64_after_hwframe+0x77/0x7f The buggy address belongs to the object at ffff888009ecc658 which belongs to the cache fuse_request of size 168 The buggy address is located 64 bytes inside of freed 168-byte region [ffff888009ecc658, ffff888009ecc700) The buggy address belongs to the physical page: page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff888009ecc828 pfn:0x9ecc flags: 0x100000000000200(workingset|node=0|zone=1) page_type: f5(slab) raw: 0100000000000200 ffff88800a48c8c0 ffff88800a486990 ffff88800a486990 raw: ffff888009ecc828 0000000000110009 00000000f5000000 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff888009ecc580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff888009ecc600: fc fc fc fc fc fc fc fc fc fc fc fa fb fb fb fb >ffff888009ecc680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff888009ecc700: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb ffff888009ecc780: fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc ================================================================== ================================================================== BUG: KASAN: slab-use-after-free in _copy_to_user+0x4e/0x80 Read of size 40 at addr ffff888009ecc690 by task repro_minimal_u/153 CPU: 0 UID: 1000 PID: 153 Comm: repro_minimal_u Tainted: G B W 7.1.0-rc6 #1 PREEMPT(lazy) Tainted: [B]=BAD_PAGE, [W]=WARN Hardware name: QEMU Ubuntu 24.04 PC v2 (i440FX + PIIX, arch_caps fix, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 Call Trace: dump_stack_lvl+0x7b/0xa0 print_report+0xce/0x5f0 kasan_report+0xce/0x100 kasan_check_range+0x105/0x1b0 _copy_to_user+0x4e/0x80 fuse_uring_copy_to_ring+0x12c/0x230 fuse_uring_send_in_task+0x153/0x4c0 io_handle_tw_list+0x2fe/0x3a0 tctx_task_work_run+0x59/0x230 tctx_task_work+0x7a/0xd0 task_work_run+0x13f/0x210 get_signal+0x1bb/0x1ea0 arch_do_signal_or_restart+0x8f/0x6f0 exit_to_user_mode_loop+0x6e/0x4b0 do_syscall_64+0x482/0x5a0 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7fb20618a28d Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 5b bb 0d 00 f7 d8 64 89 01 48 RSP: 002b:00007fb20605edc8 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 RAX: fffffffffffffffb RBX: 0000558c96020028 RCX: 00007fb20618a28d RDX: 0000000000050480 RSI: 0000200000000040 RDI: ffffffffffffff9c RBP: 0000558c96020020 R08: 00007fb20605fcdc R09: 0000558c96020028 R10: 0000000000000028 R11: 0000000000000246 R12: 0000558c9602002c R13: fffffffffffffeb8 R14: 0000000000000000 R15: 0000558c9601fc80 Allocated by task 153 on cpu 0 at 28.466485s: kasan_save_stack+0x33/0x60 kasan_save_track+0x17/0x60 __kasan_slab_alloc+0x6e/0x70 kmem_cache_alloc_noprof+0xfd/0x380 fuse_request_alloc+0x22/0x200 fuse_get_req+0x295/0x8c0 __fuse_simple_request+0x9d/0xd40 fuse_send_open+0x1cc/0x270 fuse_file_open+0x2e4/0x810 fuse_do_open+0x50/0xc0 fuse_dir_open+0x10d/0x260 do_dentry_open+0x5cc/0x1340 vfs_open+0x79/0x390 path_openat+0x22f6/0x3bc0 do_file_open+0x219/0x470 do_sys_openat2+0xed/0x1b0 __x64_sys_openat+0x131/0x1e0 do_syscall_64+0x102/0x5a0 entry_SYSCALL_64_after_hwframe+0x77/0x7f Freed by task 153 on cpu 0 at 28.574662s: kasan_save_stack+0x33/0x60 kasan_save_track+0x17/0x60 kasan_save_free_info+0x3b/0x60 __kasan_slab_free+0x43/0x70 kmem_cache_free+0xba/0x3b0 fuse_put_request+0x190/0x2a0 __fuse_simple_request+0x4d0/0xd40 fuse_send_open+0x1cc/0x270 fuse_file_open+0x2e4/0x810 fuse_do_open+0x50/0xc0 fuse_dir_open+0x10d/0x260 do_dentry_open+0x5cc/0x1340 vfs_open+0x79/0x390 path_openat+0x22f6/0x3bc0 do_file_open+0x219/0x470 do_sys_openat2+0xed/0x1b0 __x64_sys_openat+0x131/0x1e0 do_syscall_64+0x102/0x5a0 entry_SYSCALL_64_after_hwframe+0x77/0x7f The buggy address belongs to the object at ffff888009ecc658 which belongs to the cache fuse_request of size 168 The buggy address is located 56 bytes inside of freed 168-byte region [ffff888009ecc658, ffff888009ecc700) The buggy address belongs to the physical page: page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff888009ecc828 pfn:0x9ecc flags: 0x100000000000200(workingset|node=0|zone=1) page_type: f5(slab) raw: 0100000000000200 ffff88800a48c8c0 ffff88800a486990 ffff88800a486990 raw: ffff888009ecc828 0000000000110009 00000000f5000000 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff888009ecc580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff888009ecc600: fc fc fc fc fc fc fc fc fc fc fc fa fb fb fb fb >ffff888009ecc680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff888009ecc700: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb ffff888009ecc780: fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc ================================================================== ================================================================== BUG: KASAN: slab-use-after-free in fuse_uring_send_in_task+0x171/0x4c0 Write of size 8 at addr ffff888009ecc688 by task repro_minimal_u/153 CPU: 0 UID: 1000 PID: 153 Comm: repro_minimal_u Tainted: G B W 7.1.0-rc6 #1 PREEMPT(lazy) Tainted: [B]=BAD_PAGE, [W]=WARN Hardware name: QEMU Ubuntu 24.04 PC v2 (i440FX + PIIX, arch_caps fix, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 Call Trace: dump_stack_lvl+0x7b/0xa0 print_report+0xce/0x5f0 kasan_report+0xce/0x100 kasan_check_range+0x105/0x1b0 fuse_uring_send_in_task+0x171/0x4c0 io_handle_tw_list+0x2fe/0x3a0 tctx_task_work_run+0x59/0x230 tctx_task_work+0x7a/0xd0 task_work_run+0x13f/0x210 get_signal+0x1bb/0x1ea0 arch_do_signal_or_restart+0x8f/0x6f0 exit_to_user_mode_loop+0x6e/0x4b0 do_syscall_64+0x482/0x5a0 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7fb20618a28d Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 5b bb 0d 00 f7 d8 64 89 01 48 RSP: 002b:00007fb20605edc8 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 RAX: fffffffffffffffb RBX: 0000558c96020028 RCX: 00007fb20618a28d RDX: 0000000000050480 RSI: 0000200000000040 RDI: ffffffffffffff9c RBP: 0000558c96020020 R08: 00007fb20605fcdc R09: 0000558c96020028 R10: 0000000000000028 R11: 0000000000000246 R12: 0000558c9602002c R13: fffffffffffffeb8 R14: 0000000000000000 R15: 0000558c9601fc80 Allocated by task 153 on cpu 0 at 28.466485s: kasan_save_stack+0x33/0x60 kasan_save_track+0x17/0x60 __kasan_slab_alloc+0x6e/0x70 kmem_cache_alloc_noprof+0xfd/0x380 fuse_request_alloc+0x22/0x200 fuse_get_req+0x295/0x8c0 __fuse_simple_request+0x9d/0xd40 fuse_send_open+0x1cc/0x270 fuse_file_open+0x2e4/0x810 fuse_do_open+0x50/0xc0 fuse_dir_open+0x10d/0x260 do_dentry_open+0x5cc/0x1340 vfs_open+0x79/0x390 path_openat+0x22f6/0x3bc0 do_file_open+0x219/0x470 do_sys_openat2+0xed/0x1b0 __x64_sys_openat+0x131/0x1e0 do_syscall_64+0x102/0x5a0 entry_SYSCALL_64_after_hwframe+0x77/0x7f Freed by task 153 on cpu 0 at 28.574662s: kasan_save_stack+0x33/0x60 kasan_save_track+0x17/0x60 kasan_save_free_info+0x3b/0x60 __kasan_slab_free+0x43/0x70 kmem_cache_free+0xba/0x3b0 fuse_put_request+0x190/0x2a0 __fuse_simple_request+0x4d0/0xd40 fuse_send_open+0x1cc/0x270 fuse_file_open+0x2e4/0x810 fuse_do_open+0x50/0xc0 fuse_dir_open+0x10d/0x260 do_dentry_open+0x5cc/0x1340 vfs_open+0x79/0x390 path_openat+0x22f6/0x3bc0 do_file_open+0x219/0x470 do_sys_openat2+0xed/0x1b0 __x64_sys_openat+0x131/0x1e0 do_syscall_64+0x102/0x5a0 entry_SYSCALL_64_after_hwframe+0x77/0x7f The buggy address belongs to the object at ffff888009ecc658 which belongs to the cache fuse_request of size 168 The buggy address is located 48 bytes inside of freed 168-byte region [ffff888009ecc658, ffff888009ecc700) The buggy address belongs to the physical page: page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff888009ecc828 pfn:0x9ecc flags: 0x100000000000200(workingset|node=0|zone=1) page_type: f5(slab) raw: 0100000000000200 ffff88800a48c8c0 ffff88800a486990 ffff88800a486990 raw: ffff888009ecc828 0000000000110009 00000000f5000000 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff888009ecc580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff888009ecc600: fc fc fc fc fc fc fc fc fc fc fc fa fb fb fb fb >ffff888009ecc680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff888009ecc700: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb ffff888009ecc780: fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc ================================================================== ================================================================== BUG: KASAN: slab-use-after-free in fuse_uring_stop_list_entries+0x786/0x990 Read of size 8 at addr ffff888009ecc658 by task repro_minimal_u/152 CPU: 0 UID: 1000 PID: 152 Comm: repro_minimal_u Tainted: G B W 7.1.0-rc6 #1 PREEMPT(lazy) Tainted: [B]=BAD_PAGE, [W]=WARN Hardware name: QEMU Ubuntu 24.04 PC v2 (i440FX + PIIX, arch_caps fix, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 Call Trace: dump_stack_lvl+0x7b/0xa0 print_report+0xce/0x5f0 kasan_report+0xce/0x100 fuse_uring_stop_list_entries+0x786/0x990 fuse_uring_teardown_all_queues+0xb0/0x120 fuse_uring_stop_queues+0x1f/0x230 fuse_abort_conn+0xac7/0xd40 fuse_dev_release+0x3a3/0x4d0 __fput+0x38c/0xa70 fput_close_sync+0xfa/0x1f0 __x64_sys_close+0x87/0xf0 do_syscall_64+0x102/0x5a0 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7fb20617974c Code: 0f 05 48 3d 00 f0 ff ff 77 3c c3 0f 1f 00 55 48 89 e5 48 83 ec 10 89 7d fc e8 10 1e f8 ff 8b 7d fc 89 c2 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 2c 89 d7 89 45 fc e8 72 1e f8 ff 8b 45 fc c9 RSP: 002b:0000558c9601fe50 EFLAGS: 00000293 ORIG_RAX: 0000000000000003 RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fb20617974c RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003 RBP: 0000558c9601fe60 R08: 0000000000000000 R09: 00007fb206277000 R10: 0000000000000000 R11: 0000000000000293 R12: 0000558c95f04a10 R13: 0000000000006e2b R14: 0000000000006e5d R15: 0000558c9601feb0 Allocated by task 153 on cpu 0 at 28.466485s: kasan_save_stack+0x33/0x60 kasan_save_track+0x17/0x60 __kasan_slab_alloc+0x6e/0x70 kmem_cache_alloc_noprof+0xfd/0x380 fuse_request_alloc+0x22/0x200 fuse_get_req+0x295/0x8c0 __fuse_simple_request+0x9d/0xd40 fuse_send_open+0x1cc/0x270 fuse_file_open+0x2e4/0x810 fuse_do_open+0x50/0xc0 fuse_dir_open+0x10d/0x260 do_dentry_open+0x5cc/0x1340 vfs_open+0x79/0x390 path_openat+0x22f6/0x3bc0 do_file_open+0x219/0x470 do_sys_openat2+0xed/0x1b0 __x64_sys_openat+0x131/0x1e0 do_syscall_64+0x102/0x5a0 entry_SYSCALL_64_after_hwframe+0x77/0x7f Freed by task 153 on cpu 0 at 28.574662s: kasan_save_stack+0x33/0x60 kasan_save_track+0x17/0x60 kasan_save_free_info+0x3b/0x60 __kasan_slab_free+0x43/0x70 kmem_cache_free+0xba/0x3b0 fuse_put_request+0x190/0x2a0 __fuse_simple_request+0x4d0/0xd40 fuse_send_open+0x1cc/0x270 fuse_file_open+0x2e4/0x810 fuse_do_open+0x50/0xc0 fuse_dir_open+0x10d/0x260 do_dentry_open+0x5cc/0x1340 vfs_open+0x79/0x390 path_openat+0x22f6/0x3bc0 do_file_open+0x219/0x470 do_sys_openat2+0xed/0x1b0 __x64_sys_openat+0x131/0x1e0 do_syscall_64+0x102/0x5a0 entry_SYSCALL_64_after_hwframe+0x77/0x7f The buggy address belongs to the object at ffff888009ecc658 which belongs to the cache fuse_request of size 168 The buggy address is located 0 bytes inside of freed 168-byte region [ffff888009ecc658, ffff888009ecc700) The buggy address belongs to the physical page: page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff888009ecc828 pfn:0x9ecc flags: 0x100000000000200(workingset|node=0|zone=1) page_type: f5(slab) raw: 0100000000000200 ffff88800a48c8c0 ffff88800a486990 ffff88800a486990 raw: ffff888009ecc828 0000000000110009 00000000f5000000 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff888009ecc500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff888009ecc580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff888009ecc600: fc fc fc fc fc fc fc fc fc fc fc fa fb fb fb fb ^ ffff888009ecc680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff888009ecc700: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb ================================================================== ================================================================== BUG: KASAN: slab-use-after-free in fuse_uring_stop_list_entries+0x7e1/0x990 Read of size 8 at addr ffff888009ecc660 by task repro_minimal_u/152 CPU: 0 UID: 1000 PID: 152 Comm: repro_minimal_u Tainted: G B W 7.1.0-rc6 #1 PREEMPT(lazy) Tainted: [B]=BAD_PAGE, [W]=WARN Hardware name: QEMU Ubuntu 24.04 PC v2 (i440FX + PIIX, arch_caps fix, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 Call Trace: dump_stack_lvl+0x7b/0xa0 print_report+0xce/0x5f0 kasan_report+0xce/0x100 fuse_uring_stop_list_entries+0x7e1/0x990 fuse_uring_teardown_all_queues+0xb0/0x120 fuse_uring_stop_queues+0x1f/0x230 fuse_abort_conn+0xac7/0xd40 fuse_dev_release+0x3a3/0x4d0 __fput+0x38c/0xa70 fput_close_sync+0xfa/0x1f0 __x64_sys_close+0x87/0xf0 do_syscall_64+0x102/0x5a0 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7fb20617974c Code: 0f 05 48 3d 00 f0 ff ff 77 3c c3 0f 1f 00 55 48 89 e5 48 83 ec 10 89 7d fc e8 10 1e f8 ff 8b 7d fc 89 c2 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 2c 89 d7 89 45 fc e8 72 1e f8 ff 8b 45 fc c9 RSP: 002b:0000558c9601fe50 EFLAGS: 00000293 ORIG_RAX: 0000000000000003 RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fb20617974c RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003 RBP: 0000558c9601fe60 R08: 0000000000000000 R09: 00007fb206277000 R10: 0000000000000000 R11: 0000000000000293 R12: 0000558c95f04a10 R13: 0000000000006e2b R14: 0000000000006e5d R15: 0000558c9601feb0 Allocated by task 153 on cpu 0 at 28.466485s: kasan_save_stack+0x33/0x60 kasan_save_track+0x17/0x60 __kasan_slab_alloc+0x6e/0x70 kmem_cache_alloc_noprof+0xfd/0x380 fuse_request_alloc+0x22/0x200 fuse_get_req+0x295/0x8c0 __fuse_simple_request+0x9d/0xd40 fuse_send_open+0x1cc/0x270 fuse_file_open+0x2e4/0x810 fuse_do_open+0x50/0xc0 fuse_dir_open+0x10d/0x260 do_dentry_open+0x5cc/0x1340 vfs_open+0x79/0x390 path_openat+0x22f6/0x3bc0 do_file_open+0x219/0x470 do_sys_openat2+0xed/0x1b0 __x64_sys_openat+0x131/0x1e0 do_syscall_64+0x102/0x5a0 entry_SYSCALL_64_after_hwframe+0x77/0x7f Freed by task 153 on cpu 0 at 28.574662s: kasan_save_stack+0x33/0x60 kasan_save_track+0x17/0x60 kasan_save_free_info+0x3b/0x60 __kasan_slab_free+0x43/0x70 kmem_cache_free+0xba/0x3b0 fuse_put_request+0x190/0x2a0 __fuse_simple_request+0x4d0/0xd40 fuse_send_open+0x1cc/0x270 fuse_file_open+0x2e4/0x810 fuse_do_open+0x50/0xc0 fuse_dir_open+0x10d/0x260 do_dentry_open+0x5cc/0x1340 vfs_open+0x79/0x390 path_openat+0x22f6/0x3bc0 do_file_open+0x219/0x470 do_sys_openat2+0xed/0x1b0 __x64_sys_openat+0x131/0x1e0 do_syscall_64+0x102/0x5a0 entry_SYSCALL_64_after_hwframe+0x77/0x7f The buggy address belongs to the object at ffff888009ecc658 which belongs to the cache fuse_request of size 168 The buggy address is located 8 bytes inside of freed 168-byte region [ffff888009ecc658, ffff888009ecc700) The buggy address belongs to the physical page: page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff888009ecc828 pfn:0x9ecc flags: 0x100000000000200(workingset|node=0|zone=1) page_type: f5(slab) raw: 0100000000000200 ffff88800a48c8c0 ffff88800a486990 ffff88800a486990 raw: ffff888009ecc828 0000000000110009 00000000f5000000 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff888009ecc500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff888009ecc580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff888009ecc600: fc fc fc fc fc fc fc fc fc fc fc fa fb fb fb fb ^ ffff888009ecc680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff888009ecc700: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb ================================================================== ================================================================== BUG: KASAN: slab-use-after-free in fuse_uring_stop_list_entries+0x7c8/0x990 Write of size 8 at addr ffff88800c0c7908 by task repro_minimal_u/152 CPU: 0 UID: 1000 PID: 152 Comm: repro_minimal_u Tainted: G B W 7.1.0-rc6 #1 PREEMPT(lazy) Tainted: [B]=BAD_PAGE, [W]=WARN Hardware name: QEMU Ubuntu 24.04 PC v2 (i440FX + PIIX, arch_caps fix, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 Call Trace: dump_stack_lvl+0x7b/0xa0 print_report+0xce/0x5f0 kasan_report+0xce/0x100 fuse_uring_stop_list_entries+0x7c8/0x990 fuse_uring_teardown_all_queues+0xb0/0x120 fuse_uring_stop_queues+0x1f/0x230 fuse_abort_conn+0xac7/0xd40 fuse_dev_release+0x3a3/0x4d0 __fput+0x38c/0xa70 fput_close_sync+0xfa/0x1f0 __x64_sys_close+0x87/0xf0 do_syscall_64+0x102/0x5a0 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7fb20617974c Code: 0f 05 48 3d 00 f0 ff ff 77 3c c3 0f 1f 00 55 48 89 e5 48 83 ec 10 89 7d fc e8 10 1e f8 ff 8b 7d fc 89 c2 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 2c 89 d7 89 45 fc e8 72 1e f8 ff 8b 45 fc c9 RSP: 002b:0000558c9601fe50 EFLAGS: 00000293 ORIG_RAX: 0000000000000003 RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fb20617974c RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003 RBP: 0000558c9601fe60 R08: 0000000000000000 R09: 00007fb206277000 R10: 0000000000000000 R11: 0000000000000293 R12: 0000558c95f04a10 R13: 0000000000006e2b R14: 0000000000006e5d R15: 0000558c9601feb0 Allocated by task 153 on cpu 0 at 28.466479s: kasan_save_stack+0x33/0x60 kasan_save_track+0x17/0x60 __kasan_kmalloc+0x8f/0xa0 fuse_file_alloc+0xba/0x2c0 fuse_file_open+0x22d/0x810 fuse_do_open+0x50/0xc0 fuse_dir_open+0x10d/0x260 do_dentry_open+0x5cc/0x1340 vfs_open+0x79/0x390 path_openat+0x22f6/0x3bc0 do_file_open+0x219/0x470 do_sys_openat2+0xed/0x1b0 __x64_sys_openat+0x131/0x1e0 do_syscall_64+0x102/0x5a0 entry_SYSCALL_64_after_hwframe+0x77/0x7f Freed by task 153 on cpu 0 at 28.574668s: kasan_save_stack+0x33/0x60 kasan_save_track+0x17/0x60 kasan_save_free_info+0x3b/0x60 __kasan_slab_free+0x43/0x70 kfree+0x133/0x3a0 fuse_file_open+0x524/0x810 fuse_do_open+0x50/0xc0 fuse_dir_open+0x10d/0x260 do_dentry_open+0x5cc/0x1340 vfs_open+0x79/0x390 path_openat+0x22f6/0x3bc0 do_file_open+0x219/0x470 do_sys_openat2+0xed/0x1b0 __x64_sys_openat+0x131/0x1e0 do_syscall_64+0x102/0x5a0 entry_SYSCALL_64_after_hwframe+0x77/0x7f The buggy address belongs to the object at ffff88800c0c7900 which belongs to the cache kmalloc-192 of size 192 The buggy address is located 8 bytes inside of freed 192-byte region [ffff88800c0c7900, ffff88800c0c79c0) The buggy address belongs to the physical page: page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0xc0c7 flags: 0x100000000000000(node=0|zone=1) page_type: f5(slab) raw: 0100000000000000 ffff8880090413c0 dead000000000100 dead000000000122 raw: 0000000000000000 0000000000100010 00000000f5000000 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff88800c0c7800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff88800c0c7880: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc >ffff88800c0c7900: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff88800c0c7980: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc ffff88800c0c7a00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ================================================================== Oops: general protection fault, probably for non-canonical address 0xe03a7c15c0000013: 0000 [#1] SMP KASAN PTI KASAN: maybe wild-memory-access in range [0x01d400ae00000098-0x01d400ae0000009f] CPU: 0 UID: 1000 PID: 152 Comm: repro_minimal_u Tainted: G B W 7.1.0-rc6 #1 PREEMPT(lazy) Tainted: [B]=BAD_PAGE, [W]=WARN Hardware name: QEMU Ubuntu 24.04 PC v2 (i440FX + PIIX, arch_caps fix, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 RIP: 0010:fuse_uring_stop_list_entries+0x332/0x990 Code: 85 ca 04 00 00 48 8d 7e 08 49 8b 4d 08 49 89 f8 49 c1 e8 03 41 80 3c 28 00 0f 85 92 04 00 00 48 89 cf 48 89 4e 08 48 c1 ef 03 <80> 3c 2f 00 0f 85 5c 04 00 00 48 89 31 4c 89 e9 48 c1 e9 03 80 3c RSP: 0018:ffffc90000a5fb08 EFLAGS: 00010202 RAX: 0000000000000001 RBX: ffff888009f68c00 RCX: 01d400ae00000099 RDX: ffff888009e95000 RSI: ffff88800c0c7900 RDI: 003a8015c0000013 RBP: dffffc0000000000 R08: 0000000000000001 R09: fffffbfff11d1438 R10: ffffffff88e8a1c7 R11: 0000000000000001 R12: ffff88800c0c7b00 R13: ffff888009ecc658 R14: ffff888009f68c20 R15: ffffc90000a5fb50 FS: 00007fb206060800(0000) GS:ffff8880acde2000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fb20615ca10 CR3: 000000000dc18000 CR4: 00000000000006f0 Call Trace: fuse_uring_teardown_all_queues+0xb0/0x120 fuse_uring_stop_queues+0x1f/0x230 fuse_abort_conn+0xac7/0xd40 fuse_dev_release+0x3a3/0x4d0 __fput+0x38c/0xa70 fput_close_sync+0xfa/0x1f0 __x64_sys_close+0x87/0xf0 do_syscall_64+0x102/0x5a0 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7fb20617974c Code: 0f 05 48 3d 00 f0 ff ff 77 3c c3 0f 1f 00 55 48 89 e5 48 83 ec 10 89 7d fc e8 10 1e f8 ff 8b 7d fc 89 c2 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 2c 89 d7 89 45 fc e8 72 1e f8 ff 8b 45 fc c9 RSP: 002b:0000558c9601fe50 EFLAGS: 00000293 ORIG_RAX: 0000000000000003 RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fb20617974c RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003 RBP: 0000558c9601fe60 R08: 0000000000000000 R09: 00007fb206277000 R10: 0000000000000000 R11: 0000000000000293 R12: 0000558c95f04a10 R13: 0000000000006e2b R14: 0000000000006e5d R15: 0000558c9601feb0 Modules linked in: ---[ end trace 0000000000000000 ]--- RIP: 0010:fuse_uring_stop_list_entries+0x332/0x990 Code: 85 ca 04 00 00 48 8d 7e 08 49 8b 4d 08 49 89 f8 49 c1 e8 03 41 80 3c 28 00 0f 85 92 04 00 00 48 89 cf 48 89 4e 08 48 c1 ef 03 <80> 3c 2f 00 0f 85 5c 04 00 00 48 89 31 4c 89 e9 48 c1 e9 03 80 3c RSP: 0018:ffffc90000a5fb08 EFLAGS: 00010202 RAX: 0000000000000001 RBX: ffff888009f68c00 RCX: 01d400ae00000099 RDX: ffff888009e95000 RSI: ffff88800c0c7900 RDI: 003a8015c0000013 RBP: dffffc0000000000 R08: 0000000000000001 R09: fffffbfff11d1438 R10: ffffffff88e8a1c7 R11: 0000000000000001 R12: ffff88800c0c7b00 R13: ffff888009ecc658 R14: ffff888009f68c20 R15: ffffc90000a5fb50 FS: 00007fb206060800(0000) GS:ffff8880acde2000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fb20615ca10 CR3: 000000000dc18000 CR4: 00000000000006f0 ---------------- Code disassembly (best guess): 0: 85 ca test %ecx,%edx 2: 04 00 add $0x0,%al 4: 00 48 8d add %cl,-0x73(%rax) 7: 7e 08 jle 0x11 9: 49 8b 4d 08 mov 0x8(%r13),%rcx d: 49 89 f8 mov %rdi,%r8 10: 49 c1 e8 03 shr $0x3,%r8 14: 41 80 3c 28 00 cmpb $0x0,(%r8,%rbp,1) 19: 0f 85 92 04 00 00 jne 0x4b1 1f: 48 89 cf mov %rcx,%rdi 22: 48 89 4e 08 mov %rcx,0x8(%rsi) 26: 48 c1 ef 03 shr $0x3,%rdi * 2a: 80 3c 2f 00 cmpb $0x0,(%rdi,%rbp,1) <-- trapping instruction 2e: 0f 85 5c 04 00 00 jne 0x490 34: 48 89 31 mov %rsi,(%rcx) 37: 4c 89 e9 mov %r13,%rcx 3a: 48 c1 e9 03 shr $0x3,%rcx 3e: 80 .byte 0x80 3f: 3c .byte 0x3c TITLE: KASAN: slab-use-after-free Read in fuse_uring_args_to_ring CORRUPTED: false () SUPPRESSED: false MAINTAINERS (TO): [] MAINTAINERS (CC): [] ffff888009ecc700: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb ffff888009ecc780: fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc ================================================================== Disabling lock debugging due to kernel taint ================================================================== BUG: KASAN: slab-use-after-free in fuse_uring_args_to_ring.isra.0+0x4ad/0x530 Read of size 8 at addr ffff888009ecc678 by task repro_minimal_u/153 CPU: 0 UID: 1000 PID: 153 Comm: repro_minimal_u Tainted: G B W 7.1.0-rc6 #1 PREEMPT(lazy) Tainted: [B]=BAD_PAGE, [W]=WARN Hardware name: QEMU Ubuntu 24.04 PC v2 (i440FX + PIIX, arch_caps fix, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 Call Trace: dump_stack_lvl+0x7b/0xa0 print_report+0xce/0x5f0 kasan_report+0xce/0x100 fuse_uring_args_to_ring.isra.0+0x4ad/0x530 fuse_uring_copy_to_ring+0xf0/0x230 fuse_uring_send_in_task+0x153/0x4c0 io_handle_tw_list+0x2fe/0x3a0 tctx_task_work_run+0x59/0x230 tctx_task_work+0x7a/0xd0 task_work_run+0x13f/0x210 get_signal+0x1bb/0x1ea0 arch_do_signal_or_restart+0x8f/0x6f0 exit_to_user_mode_loop+0x6e/0x4b0 do_syscall_64+0x482/0x5a0 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7fb20618a28d Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 5b bb 0d 00 f7 d8 64 89 01 48 RSP: 002b:00007fb20605edc8 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 RAX: fffffffffffffffb RBX: 0000558c96020028 RCX: 00007fb20618a28d RDX: 0000000000050480 RSI: 0000200000000040 RDI: ffffffffffffff9c RBP: 0000558c96020020 R08: 00007fb20605fcdc R09: 0000558c96020028 R10: 0000000000000028 R11: 0000000000000246 R12: 0000558c9602002c R13: fffffffffffffeb8 R14: 0000000000000000 R15: 0000558c9601fc80 Allocated by task 153 on cpu 0 at 28.466485s: kasan_save_stack+0x33/0x60 kasan_save_track+0x17/0x60 __kasan_slab_alloc+0x6e/0x70 kmem_cache_alloc_noprof+0xfd/0x380 fuse_request_alloc+0x22/0x200 fuse_get_req+0x295/0x8c0 __fuse_simple_request+0x9d/0xd40 fuse_send_open+0x1cc/0x270 fuse_file_open+0x2e4/0x810 fuse_do_open+0x50/0xc0 fuse_dir_open+0x10d/0x260 do_dentry_open+0x5cc/0x1340 vfs_open+0x79/0x390 path_openat+0x22f6/0x3bc0 do_file_open+0x219/0x470 do_sys_openat2+0xed/0x1b0 __x64_sys_openat+0x131/0x1e0 do_syscall_64+0x102/0x5a0 entry_SYSCALL_64_after_hwframe+0x77/0x7f Freed by task 153 on cpu 0 at 28.574662s: kasan_save_stack+0x33/0x60 kasan_save_track+0x17/0x60 kasan_save_free_info+0x3b/0x60 __kasan_slab_free+0x43/0x70 kmem_cache_free+0xba/0x3b0 fuse_put_request+0x190/0x2a0 __fuse_simple_request+0x4d0/0xd40 fuse_send_open+0x1cc/0x270 fuse_file_open+0x2e4/0x810 fuse_do_open+0x50/0xc0 fuse_dir_open+0x10d/0x260 do_dentry_open+0x5cc/0x1340 vfs_open+0x79/0x390 path_openat+0x22f6/0x3bc0 do_file_open+0x219/0x470 do_sys_openat2+0xed/0x1b0 __x64_sys_openat+0x131/0x1e0 do_syscall_64+0x102/0x5a0 entry_SYSCALL_64_after_hwframe+0x77/0x7f The buggy address belongs to the object at ffff888009ecc658 which belongs to the cache fuse_request of size 168 The buggy address is located 32 bytes inside of freed 168-byte region [ffff888009ecc658, ffff888009ecc700) The buggy address belongs to the physical page: page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff888009ecc828 pfn:0x9ecc flags: 0x100000000000200(workingset|node=0|zone=1) page_type: f5(slab) raw: 0100000000000200 ffff88800a48c8c0 ffff88800a486990 ffff88800a486990 raw: ffff888009ecc828 0000000000110009 00000000f5000000 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff888009ecc500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff888009ecc580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff888009ecc600: fc fc fc fc fc fc fc fc fc fc fc fa fb fb fb fb ^ ffff888009ecc680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff888009ecc700: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb ================================================================== ================================================================== BUG: KASAN: slab-use-after-free in fuse_uring_args_to_ring.isra.0+0x4a3/0x530 Read of size 8 at addr ffff888009ecc698 by task repro_minimal_u/153 CPU: 0 UID: 1000 PID: 153 Comm: repro_minimal_u Tainted: G B W 7.1.0-rc6 #1 PREEMPT(lazy) Tainted: [B]=BAD_PAGE, [W]=WARN Hardware name: QEMU Ubuntu 24.04 PC v2 (i440FX + PIIX, arch_caps fix, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 Call Trace: dump_stack_lvl+0x7b/0xa0 print_report+0xce/0x5f0 kasan_report+0xce/0x100 fuse_uring_args_to_ring.isra.0+0x4a3/0x530 fuse_uring_copy_to_ring+0xf0/0x230 fuse_uring_send_in_task+0x153/0x4c0 io_handle_tw_list+0x2fe/0x3a0 tctx_task_work_run+0x59/0x230 tctx_task_work+0x7a/0xd0 task_work_run+0x13f/0x210 get_signal+0x1bb/0x1ea0 arch_do_signal_or_restart+0x8f/0x6f0 exit_to_user_mode_loop+0x6e/0x4b0 do_syscall_64+0x482/0x5a0 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7fb20618a28d Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 5b bb 0d 00 f7 d8 64 89 01 48 RSP: 002b:00007fb20605edc8 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 RAX: fffffffffffffffb RBX: 0000558c96020028 RCX: 00007fb20618a28d RDX: 0000000000050480 RSI: 0000200000000040 RDI: ffffffffffffff9c RBP: 0000558c96020020 R08: 00007fb20605fcdc R09: 0000558c96020028 R10: 0000000000000028 R11: 0000000000000246 R12: 0000558c9602002c R13: fffffffffffffeb8 R14: 0000000000000000 R15: 0000558c9601fc80 Allocated by task 153 on cpu 0 at 28.466485s: kasan_save_stack+0x33/0x60 kasan_save_track+0x17/0x60 __kasan_slab_alloc+0x6e/0x70 kmem_cache_alloc_noprof+0xfd/0x380 fuse_request_alloc+0x22/0x200 fuse_get_req+0x295/0x8c0 __fuse_simple_request+0x9d/0xd40 fuse_send_open+0x1cc/0x270 fuse_file_open+0x2e4/0x810 fuse_do_open+0x50/0xc0 fuse_dir_open+0x10d/0x260 do_dentry_open+0x5cc/0x1340 vfs_open+0x79/0x390 path_openat+0x22f6/0x3bc0 do_file_open+0x219/0x470 do_sys_openat2+0xed/0x1b0 __x64_sys_openat+0x131/0x1e0 do_syscall_64+0x102/0x5a0 entry_SYSCALL_64_after_hwframe+0x77/0x7f Freed by task 153 on cpu 0 at 28.574662s: kasan_save_stack+0x33/0x60 kasan_save_track+0x17/0x60 kasan_save_free_info+0x3b/0x60 __kasan_slab_free+0x43/0x70 kmem_cache_free+0xba/0x3b0 fuse_put_request+0x190/0x2a0 __fuse_simple_request+0x4d0/0xd40 fuse_send_open+0x1cc/0x270 fuse_file_open+0x2e4/0x810 fuse_do_open+0x50/0xc0 fuse_dir_open+0x10d/0x260 do_dentry_open+0x5cc/0x1340 vfs_open+0x79/0x390 path_openat+0x22f6/0x3bc0 do_file_open+0x219/0x470 do_sys_openat2+0xed/0x1b0 __x64_sys_openat+0x131/0x1e0 do_syscall_64+0x102/0x5a0 entry_SYSCALL_64_after_hwframe+0x77/0x7f The buggy address belongs to the object at ffff888009ecc658 which belongs to the cache fuse_request of size 168 The buggy address is located 64 bytes inside of freed 168-byte region [ffff888009ecc658, ffff888009ecc700) The buggy address belongs to the physical page: page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff888009ecc828 pfn:0x9ecc flags: 0x100000000000200(workingset|node=0|zone=1) page_type: f5(slab) raw: 0100000000000200 ffff88800a48c8c0 ffff88800a486990 ffff88800a486990 raw: ffff888009ecc828 0000000000110009 00000000f5000000 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff888009ecc580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff888009ecc600: fc fc fc fc fc fc fc fc fc fc fc fa fb fb fb fb >ffff888009ecc680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff888009ecc700: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb ffff888009ecc780: fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc ================================================================== ================================================================== BUG: KASAN: slab-use-after-free in _copy_to_user+0x4e/0x80 Read of size 40 at addr ffff888009ecc690 by task repro_minimal_u/153 CPU: 0 UID: 1000 PID: 153 Comm: repro_minimal_u Tainted: G B W 7.1.0-rc6 #1 PREEMPT(lazy) Tainted: [B]=BAD_PAGE, [W]=WARN Hardware name: QEMU Ubuntu 24.04 PC v2 (i440FX + PIIX, arch_caps fix, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 Call Trace: dump_stack_lvl+0x7b/0xa0 print_report+0xce/0x5f0 kasan_report+0xce/0x100 kasan_check_range+0x105/0x1b0 _copy_to_user+0x4e/0x80 fuse_uring_copy_to_ring+0x12c/0x230 fuse_uring_send_in_task+0x153/0x4c0 io_handle_tw_list+0x2fe/0x3a0 tctx_task_work_run+0x59/0x230 tctx_task_work+0x7a/0xd0 task_work_run+0x13f/0x210 get_signal+0x1bb/0x1ea0 arch_do_signal_or_restart+0x8f/0x6f0 exit_to_user_mode_loop+0x6e/0x4b0 do_syscall_64+0x482/0x5a0 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7fb20618a28d Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 5b bb 0d 00 f7 d8 64 89 01 48 RSP: 002b:00007fb20605edc8 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 RAX: fffffffffffffffb RBX: 0000558c96020028 RCX: 00007fb20618a28d RDX: 0000000000050480 RSI: 0000200000000040 RDI: ffffffffffffff9c RBP: 0000558c96020020 R08: 00007fb20605fcdc R09: 0000558c96020028 R10: 0000000000000028 R11: 0000000000000246 R12: 0000558c9602002c R13: fffffffffffffeb8 R14: 0000000000000000 R15: 0000558c9601fc80 Allocated by task 153 on cpu 0 at 28.466485s: kasan_save_stack+0x33/0x60 kasan_save_track+0x17/0x60 __kasan_slab_alloc+0x6e/0x70 kmem_cache_alloc_noprof+0xfd/0x380 fuse_request_alloc+0x22/0x200 fuse_get_req+0x295/0x8c0 __fuse_simple_request+0x9d/0xd40 fuse_send_open+0x1cc/0x270 fuse_file_open+0x2e4/0x810 fuse_do_open+0x50/0xc0 fuse_dir_open+0x10d/0x260 do_dentry_open+0x5cc/0x1340 vfs_open+0x79/0x390 path_openat+0x22f6/0x3bc0 do_file_open+0x219/0x470 do_sys_openat2+0xed/0x1b0 __x64_sys_openat+0x131/0x1e0 do_syscall_64+0x102/0x5a0 entry_SYSCALL_64_after_hwframe+0x77/0x7f Freed by task 153 on cpu 0 at 28.574662s: kasan_save_stack+0x33/0x60 kasan_save_track+0x17/0x60 kasan_save_free_info+0x3b/0x60 __kasan_slab_free+0x43/0x70 kmem_cache_free+0xba/0x3b0 fuse_put_request+0x190/0x2a0 __fuse_simple_request+0x4d0/0xd40 fuse_send_open+0x1cc/0x270 fuse_file_open+0x2e4/0x810 fuse_do_open+0x50/0xc0 fuse_dir_open+0x10d/0x260 do_dentry_open+0x5cc/0x1340 vfs_open+0x79/0x390 path_openat+0x22f6/0x3bc0 do_file_open+0x219/0x470 do_sys_openat2+0xed/0x1b0 __x64_sys_openat+0x131/0x1e0 do_syscall_64+0x102/0x5a0 entry_SYSCALL_64_after_hwframe+0x77/0x7f The buggy address belongs to the object at ffff888009ecc658 which belongs to the cache fuse_request of size 168 The buggy address is located 56 bytes inside of freed 168-byte region [ffff888009ecc658, ffff888009ecc700) The buggy address belongs to the physical page: page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff888009ecc828 pfn:0x9ecc flags: 0x100000000000200(workingset|node=0|zone=1) page_type: f5(slab) raw: 0100000000000200 ffff88800a48c8c0 ffff88800a486990 ffff88800a486990 raw: ffff888009ecc828 0000000000110009 00000000f5000000 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff888009ecc580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff888009ecc600: fc fc fc fc fc fc fc fc fc fc fc fa fb fb fb fb >ffff888009ecc680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff888009ecc700: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb ffff888009ecc780: fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc ================================================================== ================================================================== BUG: KASAN: slab-use-after-free in fuse_uring_send_in_task+0x171/0x4c0 Write of size 8 at addr ffff888009ecc688 by task repro_minimal_u/153 CPU: 0 UID: 1000 PID: 153 Comm: repro_minimal_u Tainted: G B W 7.1.0-rc6 #1 PREEMPT(lazy) Tainted: [B]=BAD_PAGE, [W]=WARN Hardware name: QEMU Ubuntu 24.04 PC v2 (i440FX + PIIX, arch_caps fix, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 Call Trace: dump_stack_lvl+0x7b/0xa0 print_report+0xce/0x5f0 kasan_report+0xce/0x100 kasan_check_range+0x105/0x1b0 fuse_uring_send_in_task+0x171/0x4c0 io_handle_tw_list+0x2fe/0x3a0 tctx_task_work_run+0x59/0x230 tctx_task_work+0x7a/0xd0 task_work_run+0x13f/0x210 get_signal+0x1bb/0x1ea0 arch_do_signal_or_restart+0x8f/0x6f0 exit_to_user_mode_loop+0x6e/0x4b0 do_syscall_64+0x482/0x5a0 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7fb20618a28d Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 5b bb 0d 00 f7 d8 64 89 01 48 RSP: 002b:00007fb20605edc8 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 RAX: fffffffffffffffb RBX: 0000558c96020028 RCX: 00007fb20618a28d RDX: 0000000000050480 RSI: 0000200000000040 RDI: ffffffffffffff9c RBP: 0000558c96020020 R08: 00007fb20605fcdc R09: 0000558c96020028 R10: 0000000000000028 R11: 0000000000000246 R12: 0000558c9602002c R13: fffffffffffffeb8 R14: 0000000000000000 R15: 0000558c9601fc80 Allocated by task 153 on cpu 0 at 28.466485s: kasan_save_stack+0x33/0x60 kasan_save_track+0x17/0x60 __kasan_slab_alloc+0x6e/0x70 kmem_cache_alloc_noprof+0xfd/0x380 fuse_request_alloc+0x22/0x200 fuse_get_req+0x295/0x8c0 __fuse_simple_request+0x9d/0xd40 fuse_send_open+0x1cc/0x270 fuse_file_open+0x2e4/0x810 fuse_do_open+0x50/0xc0 fuse_dir_open+0x10d/0x260 do_dentry_open+0x5cc/0x1340 vfs_open+0x79/0x390 path_openat+0x22f6/0x3bc0 do_file_open+0x219/0x470 do_sys_openat2+0xed/0x1b0 __x64_sys_openat+0x131/0x1e0 do_syscall_64+0x102/0x5a0 entry_SYSCALL_64_after_hwframe+0x77/0x7f Freed by task 153 on cpu 0 at 28.574662s: kasan_save_stack+0x33/0x60 kasan_save_track+0x17/0x60 kasan_save_free_info+0x3b/0x60 __kasan_slab_free+0x43/0x70 kmem_cache_free+0xba/0x3b0 fuse_put_request+0x190/0x2a0 __fuse_simple_request+0x4d0/0xd40 fuse_send_open+0x1cc/0x270 fuse_file_open+0x2e4/0x810 fuse_do_open+0x50/0xc0 fuse_dir_open+0x10d/0x260 do_dentry_open+0x5cc/0x1340 vfs_open+0x79/0x390 path_openat+0x22f6/0x3bc0 do_file_open+0x219/0x470 do_sys_openat2+0xed/0x1b0 __x64_sys_openat+0x131/0x1e0 do_syscall_64+0x102/0x5a0 entry_SYSCALL_64_after_hwframe+0x77/0x7f The buggy address belongs to the object at ffff888009ecc658 which belongs to the cache fuse_request of size 168 The buggy address is located 48 bytes inside of freed 168-byte region [ffff888009ecc658, ffff888009ecc700) The buggy address belongs to the physical page: page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff888009ecc828 pfn:0x9ecc flags: 0x100000000000200(workingset|node=0|zone=1) page_type: f5(slab) raw: 0100000000000200 ffff88800a48c8c0 ffff88800a486990 ffff88800a486990 raw: ffff888009ecc828 0000000000110009 00000000f5000000 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff888009ecc580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff888009ecc600: fc fc fc fc fc fc fc fc fc fc fc fa fb fb fb fb >ffff888009ecc680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff888009ecc700: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb ffff888009ecc780: fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc ================================================================== ================================================================== BUG: KASAN: slab-use-after-free in fuse_uring_stop_list_entries+0x786/0x990 Read of size 8 at addr ffff888009ecc658 by task repro_minimal_u/152 CPU: 0 UID: 1000 PID: 152 Comm: repro_minimal_u Tainted: G B W 7.1.0-rc6 #1 PREEMPT(lazy) Tainted: [B]=BAD_PAGE, [W]=WARN Hardware name: QEMU Ubuntu 24.04 PC v2 (i440FX + PIIX, arch_caps fix, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 Call Trace: dump_stack_lvl+0x7b/0xa0 print_report+0xce/0x5f0 kasan_report+0xce/0x100 fuse_uring_stop_list_entries+0x786/0x990 fuse_uring_teardown_all_queues+0xb0/0x120 fuse_uring_stop_queues+0x1f/0x230 fuse_abort_conn+0xac7/0xd40 fuse_dev_release+0x3a3/0x4d0 __fput+0x38c/0xa70 fput_close_sync+0xfa/0x1f0 __x64_sys_close+0x87/0xf0 do_syscall_64+0x102/0x5a0 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7fb20617974c Code: 0f 05 48 3d 00 f0 ff ff 77 3c c3 0f 1f 00 55 48 89 e5 48 83 ec 10 89 7d fc e8 10 1e f8 ff 8b 7d fc 89 c2 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 2c 89 d7 89 45 fc e8 72 1e f8 ff 8b 45 fc c9 RSP: 002b:0000558c9601fe50 EFLAGS: 00000293 ORIG_RAX: 0000000000000003 RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fb20617974c RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003 RBP: 0000558c9601fe60 R08: 0000000000000000 R09: 00007fb206277000 R10: 0000000000000000 R11: 0000000000000293 R12: 0000558c95f04a10 R13: 0000000000006e2b R14: 0000000000006e5d R15: 0000558c9601feb0 Allocated by task 153 on cpu 0 at 28.466485s: kasan_save_stack+0x33/0x60 kasan_save_track+0x17/0x60 __kasan_slab_alloc+0x6e/0x70 kmem_cache_alloc_noprof+0xfd/0x380 fuse_request_alloc+0x22/0x200 fuse_get_req+0x295/0x8c0 __fuse_simple_request+0x9d/0xd40 fuse_send_open+0x1cc/0x270 fuse_file_open+0x2e4/0x810 fuse_do_open+0x50/0xc0 fuse_dir_open+0x10d/0x260 do_dentry_open+0x5cc/0x1340 vfs_open+0x79/0x390 path_openat+0x22f6/0x3bc0 do_file_open+0x219/0x470 do_sys_openat2+0xed/0x1b0 __x64_sys_openat+0x131/0x1e0 do_syscall_64+0x102/0x5a0 entry_SYSCALL_64_after_hwframe+0x77/0x7f Freed by task 153 on cpu 0 at 28.574662s: kasan_save_stack+0x33/0x60 kasan_save_track+0x17/0x60 kasan_save_free_info+0x3b/0x60 __kasan_slab_free+0x43/0x70 kmem_cache_free+0xba/0x3b0 fuse_put_request+0x190/0x2a0 __fuse_simple_request+0x4d0/0xd40 fuse_send_open+0x1cc/0x270 fuse_file_open+0x2e4/0x810 fuse_do_open+0x50/0xc0 fuse_dir_open+0x10d/0x260 do_dentry_open+0x5cc/0x1340 vfs_open+0x79/0x390 path_openat+0x22f6/0x3bc0 do_file_open+0x219/0x470 do_sys_openat2+0xed/0x1b0 __x64_sys_openat+0x131/0x1e0 do_syscall_64+0x102/0x5a0 entry_SYSCALL_64_after_hwframe+0x77/0x7f The buggy address belongs to the object at ffff888009ecc658 which belongs to the cache fuse_request of size 168 The buggy address is located 0 bytes inside of freed 168-byte region [ffff888009ecc658, ffff888009ecc700) The buggy address belongs to the physical page: page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff888009ecc828 pfn:0x9ecc flags: 0x100000000000200(workingset|node=0|zone=1) page_type: f5(slab) raw: 0100000000000200 ffff88800a48c8c0 ffff88800a486990 ffff88800a486990 raw: ffff888009ecc828 0000000000110009 00000000f5000000 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff888009ecc500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff888009ecc580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff888009ecc600: fc fc fc fc fc fc fc fc fc fc fc fa fb fb fb fb ^ ffff888009ecc680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff888009ecc700: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb ================================================================== ================================================================== BUG: KASAN: slab-use-after-free in fuse_uring_stop_list_entries+0x7e1/0x990 Read of size 8 at addr ffff888009ecc660 by task repro_minimal_u/152 CPU: 0 UID: 1000 PID: 152 Comm: repro_minimal_u Tainted: G B W 7.1.0-rc6 #1 PREEMPT(lazy) Tainted: [B]=BAD_PAGE, [W]=WARN Hardware name: QEMU Ubuntu 24.04 PC v2 (i440FX + PIIX, arch_caps fix, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 Call Trace: dump_stack_lvl+0x7b/0xa0 print_report+0xce/0x5f0 kasan_report+0xce/0x100 fuse_uring_stop_list_entries+0x7e1/0x990 fuse_uring_teardown_all_queues+0xb0/0x120 fuse_uring_stop_queues+0x1f/0x230 fuse_abort_conn+0xac7/0xd40 fuse_dev_release+0x3a3/0x4d0 __fput+0x38c/0xa70 fput_close_sync+0xfa/0x1f0 __x64_sys_close+0x87/0xf0 do_syscall_64+0x102/0x5a0 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7fb20617974c Code: 0f 05 48 3d 00 f0 ff ff 77 3c c3 0f 1f 00 55 48 89 e5 48 83 ec 10 89 7d fc e8 10 1e f8 ff 8b 7d fc 89 c2 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 2c 89 d7 89 45 fc e8 72 1e f8 ff 8b 45 fc c9 RSP: 002b:0000558c9601fe50 EFLAGS: 00000293 ORIG_RAX: 0000000000000003 RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fb20617974c RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003 RBP: 0000558c9601fe60 R08: 0000000000000000 R09: 00007fb206277000 R10: 0000000000000000 R11: 0000000000000293 R12: 0000558c95f04a10 R13: 0000000000006e2b R14: 0000000000006e5d R15: 0000558c9601feb0 Allocated by task 153 on cpu 0 at 28.466485s: kasan_save_stack+0x33/0x60 kasan_save_track+0x17/0x60 __kasan_slab_alloc+0x6e/0x70 kmem_cache_alloc_noprof+0xfd/0x380 fuse_request_alloc+0x22/0x200 fuse_get_req+0x295/0x8c0 __fuse_simple_request+0x9d/0xd40 fuse_send_open+0x1cc/0x270 fuse_file_open+0x2e4/0x810 fuse_do_open+0x50/0xc0 fuse_dir_open+0x10d/0x260 do_dentry_open+0x5cc/0x1340 vfs_open+0x79/0x390 path_openat+0x22f6/0x3bc0 do_file_open+0x219/0x470 do_sys_openat2+0xed/0x1b0 __x64_sys_openat+0x131/0x1e0 do_syscall_64+0x102/0x5a0 entry_SYSCALL_64_after_hwframe+0x77/0x7f Freed by task 153 on cpu 0 at 28.574662s: kasan_save_stack+0x33/0x60 kasan_save_track+0x17/0x60 kasan_save_free_info+0x3b/0x60 __kasan_slab_free+0x43/0x70 kmem_cache_free+0xba/0x3b0 fuse_put_request+0x190/0x2a0 __fuse_simple_request+0x4d0/0xd40 fuse_send_open+0x1cc/0x270 fuse_file_open+0x2e4/0x810 fuse_do_open+0x50/0xc0 fuse_dir_open+0x10d/0x260 do_dentry_open+0x5cc/0x1340 vfs_open+0x79/0x390 path_openat+0x22f6/0x3bc0 do_file_open+0x219/0x470 do_sys_openat2+0xed/0x1b0 __x64_sys_openat+0x131/0x1e0 do_syscall_64+0x102/0x5a0 entry_SYSCALL_64_after_hwframe+0x77/0x7f The buggy address belongs to the object at ffff888009ecc658 which belongs to the cache fuse_request of size 168 The buggy address is located 8 bytes inside of freed 168-byte region [ffff888009ecc658, ffff888009ecc700) The buggy address belongs to the physical page: page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff888009ecc828 pfn:0x9ecc flags: 0x100000000000200(workingset|node=0|zone=1) page_type: f5(slab) raw: 0100000000000200 ffff88800a48c8c0 ffff88800a486990 ffff88800a486990 raw: ffff888009ecc828 0000000000110009 00000000f5000000 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff888009ecc500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff888009ecc580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff888009ecc600: fc fc fc fc fc fc fc fc fc fc fc fa fb fb fb fb ^ ffff888009ecc680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff888009ecc700: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb ================================================================== ================================================================== BUG: KASAN: slab-use-after-free in fuse_uring_stop_list_entries+0x7c8/0x990 Write of size 8 at addr ffff88800c0c7908 by task repro_minimal_u/152 CPU: 0 UID: 1000 PID: 152 Comm: repro_minimal_u Tainted: G B W 7.1.0-rc6 #1 PREEMPT(lazy) Tainted: [B]=BAD_PAGE, [W]=WARN Hardware name: QEMU Ubuntu 24.04 PC v2 (i440FX + PIIX, arch_caps fix, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 Call Trace: dump_stack_lvl+0x7b/0xa0 print_report+0xce/0x5f0 kasan_report+0xce/0x100 fuse_uring_stop_list_entries+0x7c8/0x990 fuse_uring_teardown_all_queues+0xb0/0x120 fuse_uring_stop_queues+0x1f/0x230 fuse_abort_conn+0xac7/0xd40 fuse_dev_release+0x3a3/0x4d0 __fput+0x38c/0xa70 fput_close_sync+0xfa/0x1f0 __x64_sys_close+0x87/0xf0 do_syscall_64+0x102/0x5a0 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7fb20617974c Code: 0f 05 48 3d 00 f0 ff ff 77 3c c3 0f 1f 00 55 48 89 e5 48 83 ec 10 89 7d fc e8 10 1e f8 ff 8b 7d fc 89 c2 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 2c 89 d7 89 45 fc e8 72 1e f8 ff 8b 45 fc c9 RSP: 002b:0000558c9601fe50 EFLAGS: 00000293 ORIG_RAX: 0000000000000003 RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fb20617974c RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003 RBP: 0000558c9601fe60 R08: 0000000000000000 R09: 00007fb206277000 R10: 0000000000000000 R11: 0000000000000293 R12: 0000558c95f04a10 R13: 0000000000006e2b R14: 0000000000006e5d R15: 0000558c9601feb0 Allocated by task 153 on cpu 0 at 28.466479s: kasan_save_stack+0x33/0x60 kasan_save_track+0x17/0x60 __kasan_kmalloc+0x8f/0xa0 fuse_file_alloc+0xba/0x2c0 fuse_file_open+0x22d/0x810 fuse_do_open+0x50/0xc0 fuse_dir_open+0x10d/0x260 do_dentry_open+0x5cc/0x1340 vfs_open+0x79/0x390 path_openat+0x22f6/0x3bc0 do_file_open+0x219/0x470 do_sys_openat2+0xed/0x1b0 __x64_sys_openat+0x131/0x1e0 do_syscall_64+0x102/0x5a0 entry_SYSCALL_64_after_hwframe+0x77/0x7f Freed by task 153 on cpu 0 at 28.574668s: kasan_save_stack+0x33/0x60 kasan_save_track+0x17/0x60 kasan_save_free_info+0x3b/0x60 __kasan_slab_free+0x43/0x70 kfree+0x133/0x3a0 fuse_file_open+0x524/0x810 fuse_do_open+0x50/0xc0 fuse_dir_open+0x10d/0x260 do_dentry_open+0x5cc/0x1340 vfs_open+0x79/0x390 path_openat+0x22f6/0x3bc0 do_file_open+0x219/0x470 do_sys_openat2+0xed/0x1b0 __x64_sys_openat+0x131/0x1e0 do_syscall_64+0x102/0x5a0 entry_SYSCALL_64_after_hwframe+0x77/0x7f The buggy address belongs to the object at ffff88800c0c7900 which belongs to the cache kmalloc-192 of size 192 The buggy address is located 8 bytes inside of freed 192-byte region [ffff88800c0c7900, ffff88800c0c79c0) The buggy address belongs to the physical page: page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0xc0c7 flags: 0x100000000000000(node=0|zone=1) page_type: f5(slab) raw: 0100000000000000 ffff8880090413c0 dead000000000100 dead000000000122 raw: 0000000000000000 0000000000100010 00000000f5000000 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff88800c0c7800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff88800c0c7880: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc >ffff88800c0c7900: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff88800c0c7980: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc ffff88800c0c7a00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ================================================================== Oops: general protection fault, probably for non-canonical address 0xe03a7c15c0000013: 0000 [#1] SMP KASAN PTI KASAN: maybe wild-memory-access in range [0x01d400ae00000098-0x01d400ae0000009f] CPU: 0 UID: 1000 PID: 152 Comm: repro_minimal_u Tainted: G B W 7.1.0-rc6 #1 PREEMPT(lazy) Tainted: [B]=BAD_PAGE, [W]=WARN Hardware name: QEMU Ubuntu 24.04 PC v2 (i440FX + PIIX, arch_caps fix, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 RIP: 0010:fuse_uring_stop_list_entries+0x332/0x990 Code: 85 ca 04 00 00 48 8d 7e 08 49 8b 4d 08 49 89 f8 49 c1 e8 03 41 80 3c 28 00 0f 85 92 04 00 00 48 89 cf 48 89 4e 08 48 c1 ef 03 <80> 3c 2f 00 0f 85 5c 04 00 00 48 89 31 4c 89 e9 48 c1 e9 03 80 3c RSP: 0018:ffffc90000a5fb08 EFLAGS: 00010202 RAX: 0000000000000001 RBX: ffff888009f68c00 RCX: 01d400ae00000099 RDX: ffff888009e95000 RSI: ffff88800c0c7900 RDI: 003a8015c0000013 RBP: dffffc0000000000 R08: 0000000000000001 R09: fffffbfff11d1438 R10: ffffffff88e8a1c7 R11: 0000000000000001 R12: ffff88800c0c7b00 R13: ffff888009ecc658 R14: ffff888009f68c20 R15: ffffc90000a5fb50 FS: 00007fb206060800(0000) GS:ffff8880acde2000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fb20615ca10 CR3: 000000000dc18000 CR4: 00000000000006f0 Call Trace: fuse_uring_teardown_all_queues+0xb0/0x120 fuse_uring_stop_queues+0x1f/0x230 fuse_abort_conn+0xac7/0xd40 fuse_dev_release+0x3a3/0x4d0 __fput+0x38c/0xa70 fput_close_sync+0xfa/0x1f0 __x64_sys_close+0x87/0xf0 do_syscall_64+0x102/0x5a0 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7fb20617974c Code: 0f 05 48 3d 00 f0 ff ff 77 3c c3 0f 1f 00 55 48 89 e5 48 83 ec 10 89 7d fc e8 10 1e f8 ff 8b 7d fc 89 c2 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 2c 89 d7 89 45 fc e8 72 1e f8 ff 8b 45 fc c9 RSP: 002b:0000558c9601fe50 EFLAGS: 00000293 ORIG_RAX: 0000000000000003 RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fb20617974c RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003 RBP: 0000558c9601fe60 R08: 0000000000000000 R09: 00007fb206277000 R10: 0000000000000000 R11: 0000000000000293 R12: 0000558c95f04a10 R13: 0000000000006e2b R14: 0000000000006e5d R15: 0000558c9601feb0 Modules linked in: ---[ end trace 0000000000000000 ]--- RIP: 0010:fuse_uring_stop_list_entries+0x332/0x990 Code: 85 ca 04 00 00 48 8d 7e 08 49 8b 4d 08 49 89 f8 49 c1 e8 03 41 80 3c 28 00 0f 85 92 04 00 00 48 89 cf 48 89 4e 08 48 c1 ef 03 <80> 3c 2f 00 0f 85 5c 04 00 00 48 89 31 4c 89 e9 48 c1 e9 03 80 3c RSP: 0018:ffffc90000a5fb08 EFLAGS: 00010202 RAX: 0000000000000001 RBX: ffff888009f68c00 RCX: 01d400ae00000099 RDX: ffff888009e95000 RSI: ffff88800c0c7900 RDI: 003a8015c0000013 RBP: dffffc0000000000 R08: 0000000000000001 R09: fffffbfff11d1438 R10: ffffffff88e8a1c7 R11: 0000000000000001 R12: ffff88800c0c7b00 R13: ffff888009ecc658 R14: ffff888009f68c20 R15: ffffc90000a5fb50 FS: 00007fb206060800(0000) GS:ffff8880acde2000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fb20615ca10 CR3: 000000000dc18000 CR4: 00000000000006f0 ---------------- Code disassembly (best guess): 0: 85 ca test %ecx,%edx 2: 04 00 add $0x0,%al 4: 00 48 8d add %cl,-0x73(%rax) 7: 7e 08 jle 0x11 9: 49 8b 4d 08 mov 0x8(%r13),%rcx d: 49 89 f8 mov %rdi,%r8 10: 49 c1 e8 03 shr $0x3,%r8 14: 41 80 3c 28 00 cmpb $0x0,(%r8,%rbp,1) 19: 0f 85 92 04 00 00 jne 0x4b1 1f: 48 89 cf mov %rcx,%rdi 22: 48 89 4e 08 mov %rcx,0x8(%rsi) 26: 48 c1 ef 03 shr $0x3,%rdi * 2a: 80 3c 2f 00 cmpb $0x0,(%rdi,%rbp,1) <-- trapping instruction 2e: 0f 85 5c 04 00 00 jne 0x490 34: 48 89 31 mov %rsi,(%rcx) 37: 4c 89 e9 mov %r13,%rcx 3a: 48 c1 e9 03 shr $0x3,%rcx 3e: 80 .byte 0x80 3f: 3c .byte 0x3c TITLE: KASAN: slab-use-after-free Read in fuse_uring_args_to_ring CORRUPTED: false () SUPPRESSED: false MAINTAINERS (TO): [] MAINTAINERS (CC): [] ^ ffff888009ecc680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff888009ecc700: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb ================================================================== ================================================================== BUG: KASAN: slab-use-after-free in fuse_uring_args_to_ring.isra.0+0x4a3/0x530 Read of size 8 at addr ffff888009ecc698 by task repro_minimal_u/153 CPU: 0 UID: 1000 PID: 153 Comm: repro_minimal_u Tainted: G B W 7.1.0-rc6 #1 PREEMPT(lazy) Tainted: [B]=BAD_PAGE, [W]=WARN Hardware name: QEMU Ubuntu 24.04 PC v2 (i440FX + PIIX, arch_caps fix, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 Call Trace: dump_stack_lvl+0x7b/0xa0 print_report+0xce/0x5f0 kasan_report+0xce/0x100 fuse_uring_args_to_ring.isra.0+0x4a3/0x530 fuse_uring_copy_to_ring+0xf0/0x230 fuse_uring_send_in_task+0x153/0x4c0 io_handle_tw_list+0x2fe/0x3a0 tctx_task_work_run+0x59/0x230 tctx_task_work+0x7a/0xd0 task_work_run+0x13f/0x210 get_signal+0x1bb/0x1ea0 arch_do_signal_or_restart+0x8f/0x6f0 exit_to_user_mode_loop+0x6e/0x4b0 do_syscall_64+0x482/0x5a0 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7fb20618a28d Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 5b bb 0d 00 f7 d8 64 89 01 48 RSP: 002b:00007fb20605edc8 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 RAX: fffffffffffffffb RBX: 0000558c96020028 RCX: 00007fb20618a28d RDX: 0000000000050480 RSI: 0000200000000040 RDI: ffffffffffffff9c RBP: 0000558c96020020 R08: 00007fb20605fcdc R09: 0000558c96020028 R10: 0000000000000028 R11: 0000000000000246 R12: 0000558c9602002c R13: fffffffffffffeb8 R14: 0000000000000000 R15: 0000558c9601fc80 Allocated by task 153 on cpu 0 at 28.466485s: kasan_save_stack+0x33/0x60 kasan_save_track+0x17/0x60 __kasan_slab_alloc+0x6e/0x70 kmem_cache_alloc_noprof+0xfd/0x380 fuse_request_alloc+0x22/0x200 fuse_get_req+0x295/0x8c0 __fuse_simple_request+0x9d/0xd40 fuse_send_open+0x1cc/0x270 fuse_file_open+0x2e4/0x810 fuse_do_open+0x50/0xc0 fuse_dir_open+0x10d/0x260 do_dentry_open+0x5cc/0x1340 vfs_open+0x79/0x390 path_openat+0x22f6/0x3bc0 do_file_open+0x219/0x470 do_sys_openat2+0xed/0x1b0 __x64_sys_openat+0x131/0x1e0 do_syscall_64+0x102/0x5a0 entry_SYSCALL_64_after_hwframe+0x77/0x7f Freed by task 153 on cpu 0 at 28.574662s: kasan_save_stack+0x33/0x60 kasan_save_track+0x17/0x60 kasan_save_free_info+0x3b/0x60 __kasan_slab_free+0x43/0x70 kmem_cache_free+0xba/0x3b0 fuse_put_request+0x190/0x2a0 __fuse_simple_request+0x4d0/0xd40 fuse_send_open+0x1cc/0x270 fuse_file_open+0x2e4/0x810 fuse_do_open+0x50/0xc0 fuse_dir_open+0x10d/0x260 do_dentry_open+0x5cc/0x1340 vfs_open+0x79/0x390 path_openat+0x22f6/0x3bc0 do_file_open+0x219/0x470 do_sys_openat2+0xed/0x1b0 __x64_sys_openat+0x131/0x1e0 do_syscall_64+0x102/0x5a0 entry_SYSCALL_64_after_hwframe+0x77/0x7f The buggy address belongs to the object at ffff888009ecc658 which belongs to the cache fuse_request of size 168 The buggy address is located 64 bytes inside of freed 168-byte region [ffff888009ecc658, ffff888009ecc700) The buggy address belongs to the physical page: page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff888009ecc828 pfn:0x9ecc flags: 0x100000000000200(workingset|node=0|zone=1) page_type: f5(slab) raw: 0100000000000200 ffff88800a48c8c0 ffff88800a486990 ffff88800a486990 raw: ffff888009ecc828 0000000000110009 00000000f5000000 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff888009ecc580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff888009ecc600: fc fc fc fc fc fc fc fc fc fc fc fa fb fb fb fb >ffff888009ecc680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff888009ecc700: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb ffff888009ecc780: fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc ================================================================== ================================================================== BUG: KASAN: slab-use-after-free in _copy_to_user+0x4e/0x80 Read of size 40 at addr ffff888009ecc690 by task repro_minimal_u/153 CPU: 0 UID: 1000 PID: 153 Comm: repro_minimal_u Tainted: G B W 7.1.0-rc6 #1 PREEMPT(lazy) Tainted: [B]=BAD_PAGE, [W]=WARN Hardware name: QEMU Ubuntu 24.04 PC v2 (i440FX + PIIX, arch_caps fix, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 Call Trace: dump_stack_lvl+0x7b/0xa0 print_report+0xce/0x5f0 kasan_report+0xce/0x100 kasan_check_range+0x105/0x1b0 _copy_to_user+0x4e/0x80 fuse_uring_copy_to_ring+0x12c/0x230 fuse_uring_send_in_task+0x153/0x4c0 io_handle_tw_list+0x2fe/0x3a0 tctx_task_work_run+0x59/0x230 tctx_task_work+0x7a/0xd0 task_work_run+0x13f/0x210 get_signal+0x1bb/0x1ea0 arch_do_signal_or_restart+0x8f/0x6f0 exit_to_user_mode_loop+0x6e/0x4b0 do_syscall_64+0x482/0x5a0 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7fb20618a28d Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 5b bb 0d 00 f7 d8 64 89 01 48 RSP: 002b:00007fb20605edc8 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 RAX: fffffffffffffffb RBX: 0000558c96020028 RCX: 00007fb20618a28d RDX: 0000000000050480 RSI: 0000200000000040 RDI: ffffffffffffff9c RBP: 0000558c96020020 R08: 00007fb20605fcdc R09: 0000558c96020028 R10: 0000000000000028 R11: 0000000000000246 R12: 0000558c9602002c R13: fffffffffffffeb8 R14: 0000000000000000 R15: 0000558c9601fc80 Allocated by task 153 on cpu 0 at 28.466485s: kasan_save_stack+0x33/0x60 kasan_save_track+0x17/0x60 __kasan_slab_alloc+0x6e/0x70 kmem_cache_alloc_noprof+0xfd/0x380 fuse_request_alloc+0x22/0x200 fuse_get_req+0x295/0x8c0 __fuse_simple_request+0x9d/0xd40 fuse_send_open+0x1cc/0x270 fuse_file_open+0x2e4/0x810 fuse_do_open+0x50/0xc0 fuse_dir_open+0x10d/0x260 do_dentry_open+0x5cc/0x1340 vfs_open+0x79/0x390 path_openat+0x22f6/0x3bc0 do_file_open+0x219/0x470 do_sys_openat2+0xed/0x1b0 __x64_sys_openat+0x131/0x1e0 do_syscall_64+0x102/0x5a0 entry_SYSCALL_64_after_hwframe+0x77/0x7f Freed by task 153 on cpu 0 at 28.574662s: kasan_save_stack+0x33/0x60 kasan_save_track+0x17/0x60 kasan_save_free_info+0x3b/0x60 __kasan_slab_free+0x43/0x70 kmem_cache_free+0xba/0x3b0 fuse_put_request+0x190/0x2a0 __fuse_simple_request+0x4d0/0xd40 fuse_send_open+0x1cc/0x270 fuse_file_open+0x2e4/0x810 fuse_do_open+0x50/0xc0 fuse_dir_open+0x10d/0x260 do_dentry_open+0x5cc/0x1340 vfs_open+0x79/0x390 path_openat+0x22f6/0x3bc0 do_file_open+0x219/0x470 do_sys_openat2+0xed/0x1b0 __x64_sys_openat+0x131/0x1e0 do_syscall_64+0x102/0x5a0 entry_SYSCALL_64_after_hwframe+0x77/0x7f The buggy address belongs to the object at ffff888009ecc658 which belongs to the cache fuse_request of size 168 The buggy address is located 56 bytes inside of freed 168-byte region [ffff888009ecc658, ffff888009ecc700) The buggy address belongs to the physical page: page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff888009ecc828 pfn:0x9ecc flags: 0x100000000000200(workingset|node=0|zone=1) page_type: f5(slab) raw: 0100000000000200 ffff88800a48c8c0 ffff88800a486990 ffff88800a486990 raw: ffff888009ecc828 0000000000110009 00000000f5000000 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff888009ecc580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff888009ecc600: fc fc fc fc fc fc fc fc fc fc fc fa fb fb fb fb >ffff888009ecc680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff888009ecc700: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb ffff888009ecc780: fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc ================================================================== ================================================================== BUG: KASAN: slab-use-after-free in fuse_uring_send_in_task+0x171/0x4c0 Write of size 8 at addr ffff888009ecc688 by task repro_minimal_u/153 CPU: 0 UID: 1000 PID: 153 Comm: repro_minimal_u Tainted: G B W 7.1.0-rc6 #1 PREEMPT(lazy) Tainted: [B]=BAD_PAGE, [W]=WARN Hardware name: QEMU Ubuntu 24.04 PC v2 (i440FX + PIIX, arch_caps fix, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 Call Trace: dump_stack_lvl+0x7b/0xa0 print_report+0xce/0x5f0 kasan_report+0xce/0x100 kasan_check_range+0x105/0x1b0 fuse_uring_send_in_task+0x171/0x4c0 io_handle_tw_list+0x2fe/0x3a0 tctx_task_work_run+0x59/0x230 tctx_task_work+0x7a/0xd0 task_work_run+0x13f/0x210 get_signal+0x1bb/0x1ea0 arch_do_signal_or_restart+0x8f/0x6f0 exit_to_user_mode_loop+0x6e/0x4b0 do_syscall_64+0x482/0x5a0 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7fb20618a28d Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 5b bb 0d 00 f7 d8 64 89 01 48 RSP: 002b:00007fb20605edc8 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 RAX: fffffffffffffffb RBX: 0000558c96020028 RCX: 00007fb20618a28d RDX: 0000000000050480 RSI: 0000200000000040 RDI: ffffffffffffff9c RBP: 0000558c96020020 R08: 00007fb20605fcdc R09: 0000558c96020028 R10: 0000000000000028 R11: 0000000000000246 R12: 0000558c9602002c R13: fffffffffffffeb8 R14: 0000000000000000 R15: 0000558c9601fc80 Allocated by task 153 on cpu 0 at 28.466485s: kasan_save_stack+0x33/0x60 kasan_save_track+0x17/0x60 __kasan_slab_alloc+0x6e/0x70 kmem_cache_alloc_noprof+0xfd/0x380 fuse_request_alloc+0x22/0x200 fuse_get_req+0x295/0x8c0 __fuse_simple_request+0x9d/0xd40 fuse_send_open+0x1cc/0x270 fuse_file_open+0x2e4/0x810 fuse_do_open+0x50/0xc0 fuse_dir_open+0x10d/0x260 do_dentry_open+0x5cc/0x1340 vfs_open+0x79/0x390 path_openat+0x22f6/0x3bc0 do_file_open+0x219/0x470 do_sys_openat2+0xed/0x1b0 __x64_sys_openat+0x131/0x1e0 do_syscall_64+0x102/0x5a0 entry_SYSCALL_64_after_hwframe+0x77/0x7f Freed by task 153 on cpu 0 at 28.574662s: kasan_save_stack+0x33/0x60 kasan_save_track+0x17/0x60 kasan_save_free_info+0x3b/0x60 __kasan_slab_free+0x43/0x70 kmem_cache_free+0xba/0x3b0 fuse_put_request+0x190/0x2a0 __fuse_simple_request+0x4d0/0xd40 fuse_send_open+0x1cc/0x270 fuse_file_open+0x2e4/0x810 fuse_do_open+0x50/0xc0 fuse_dir_open+0x10d/0x260 do_dentry_open+0x5cc/0x1340 vfs_open+0x79/0x390 path_openat+0x22f6/0x3bc0 do_file_open+0x219/0x470 do_sys_openat2+0xed/0x1b0 __x64_sys_openat+0x131/0x1e0 do_syscall_64+0x102/0x5a0 entry_SYSCALL_64_after_hwframe+0x77/0x7f The buggy address belongs to the object at ffff888009ecc658 which belongs to the cache fuse_request of size 168 The buggy address is located 48 bytes inside of freed 168-byte region [ffff888009ecc658, ffff888009ecc700) The buggy address belongs to the physical page: page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff888009ecc828 pfn:0x9ecc flags: 0x100000000000200(workingset|node=0|zone=1) page_type: f5(slab) raw: 0100000000000200 ffff88800a48c8c0 ffff88800a486990 ffff88800a486990 raw: ffff888009ecc828 0000000000110009 00000000f5000000 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff888009ecc580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff888009ecc600: fc fc fc fc fc fc fc fc fc fc fc fa fb fb fb fb >ffff888009ecc680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff888009ecc700: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb ffff888009ecc780: fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc ================================================================== ================================================================== BUG: KASAN: slab-use-after-free in fuse_uring_stop_list_entries+0x786/0x990 Read of size 8 at addr ffff888009ecc658 by task repro_minimal_u/152 CPU: 0 UID: 1000 PID: 152 Comm: repro_minimal_u Tainted: G B W 7.1.0-rc6 #1 PREEMPT(lazy) Tainted: [B]=BAD_PAGE, [W]=WARN Hardware name: QEMU Ubuntu 24.04 PC v2 (i440FX + PIIX, arch_caps fix, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 Call Trace: dump_stack_lvl+0x7b/0xa0 print_report+0xce/0x5f0 kasan_report+0xce/0x100 fuse_uring_stop_list_entries+0x786/0x990 fuse_uring_teardown_all_queues+0xb0/0x120 fuse_uring_stop_queues+0x1f/0x230 fuse_abort_conn+0xac7/0xd40 fuse_dev_release+0x3a3/0x4d0 __fput+0x38c/0xa70 fput_close_sync+0xfa/0x1f0 __x64_sys_close+0x87/0xf0 do_syscall_64+0x102/0x5a0 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7fb20617974c Code: 0f 05 48 3d 00 f0 ff ff 77 3c c3 0f 1f 00 55 48 89 e5 48 83 ec 10 89 7d fc e8 10 1e f8 ff 8b 7d fc 89 c2 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 2c 89 d7 89 45 fc e8 72 1e f8 ff 8b 45 fc c9 RSP: 002b:0000558c9601fe50 EFLAGS: 00000293 ORIG_RAX: 0000000000000003 RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fb20617974c RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003 RBP: 0000558c9601fe60 R08: 0000000000000000 R09: 00007fb206277000 R10: 0000000000000000 R11: 0000000000000293 R12: 0000558c95f04a10 R13: 0000000000006e2b R14: 0000000000006e5d R15: 0000558c9601feb0 Allocated by task 153 on cpu 0 at 28.466485s: kasan_save_stack+0x33/0x60 kasan_save_track+0x17/0x60 __kasan_slab_alloc+0x6e/0x70 kmem_cache_alloc_noprof+0xfd/0x380 fuse_request_alloc+0x22/0x200 fuse_get_req+0x295/0x8c0 __fuse_simple_request+0x9d/0xd40 fuse_send_open+0x1cc/0x270 fuse_file_open+0x2e4/0x810 fuse_do_open+0x50/0xc0 fuse_dir_open+0x10d/0x260 do_dentry_open+0x5cc/0x1340 vfs_open+0x79/0x390 path_openat+0x22f6/0x3bc0 do_file_open+0x219/0x470 do_sys_openat2+0xed/0x1b0 __x64_sys_openat+0x131/0x1e0 do_syscall_64+0x102/0x5a0 entry_SYSCALL_64_after_hwframe+0x77/0x7f Freed by task 153 on cpu 0 at 28.574662s: kasan_save_stack+0x33/0x60 kasan_save_track+0x17/0x60 kasan_save_free_info+0x3b/0x60 __kasan_slab_free+0x43/0x70 kmem_cache_free+0xba/0x3b0 fuse_put_request+0x190/0x2a0 __fuse_simple_request+0x4d0/0xd40 fuse_send_open+0x1cc/0x270 fuse_file_open+0x2e4/0x810 fuse_do_open+0x50/0xc0 fuse_dir_open+0x10d/0x260 do_dentry_open+0x5cc/0x1340 vfs_open+0x79/0x390 path_openat+0x22f6/0x3bc0 do_file_open+0x219/0x470 do_sys_openat2+0xed/0x1b0 __x64_sys_openat+0x131/0x1e0 do_syscall_64+0x102/0x5a0 entry_SYSCALL_64_after_hwframe+0x77/0x7f The buggy address belongs to the object at ffff888009ecc658 which belongs to the cache fuse_request of size 168 The buggy address is located 0 bytes inside of freed 168-byte region [ffff888009ecc658, ffff888009ecc700) The buggy address belongs to the physical page: page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff888009ecc828 pfn:0x9ecc flags: 0x100000000000200(workingset|node=0|zone=1) page_type: f5(slab) raw: 0100000000000200 ffff88800a48c8c0 ffff88800a486990 ffff88800a486990 raw: ffff888009ecc828 0000000000110009 00000000f5000000 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff888009ecc500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff888009ecc580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff888009ecc600: fc fc fc fc fc fc fc fc fc fc fc fa fb fb fb fb ^ ffff888009ecc680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff888009ecc700: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb ================================================================== ================================================================== BUG: KASAN: slab-use-after-free in fuse_uring_stop_list_entries+0x7e1/0x990 Read of size 8 at addr ffff888009ecc660 by task repro_minimal_u/152 CPU: 0 UID: 1000 PID: 152 Comm: repro_minimal_u Tainted: G B W 7.1.0-rc6 #1 PREEMPT(lazy) Tainted: [B]=BAD_PAGE, [W]=WARN Hardware name: QEMU Ubuntu 24.04 PC v2 (i440FX + PIIX, arch_caps fix, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 Call Trace: dump_stack_lvl+0x7b/0xa0 print_report+0xce/0x5f0 kasan_report+0xce/0x100 fuse_uring_stop_list_entries+0x7e1/0x990 fuse_uring_teardown_all_queues+0xb0/0x120 fuse_uring_stop_queues+0x1f/0x230 fuse_abort_conn+0xac7/0xd40 fuse_dev_release+0x3a3/0x4d0 __fput+0x38c/0xa70 fput_close_sync+0xfa/0x1f0 __x64_sys_close+0x87/0xf0 do_syscall_64+0x102/0x5a0 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7fb20617974c Code: 0f 05 48 3d 00 f0 ff ff 77 3c c3 0f 1f 00 55 48 89 e5 48 83 ec 10 89 7d fc e8 10 1e f8 ff 8b 7d fc 89 c2 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 2c 89 d7 89 45 fc e8 72 1e f8 ff 8b 45 fc c9 RSP: 002b:0000558c9601fe50 EFLAGS: 00000293 ORIG_RAX: 0000000000000003 RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fb20617974c RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003 RBP: 0000558c9601fe60 R08: 0000000000000000 R09: 00007fb206277000 R10: 0000000000000000 R11: 0000000000000293 R12: 0000558c95f04a10 R13: 0000000000006e2b R14: 0000000000006e5d R15: 0000558c9601feb0 Allocated by task 153 on cpu 0 at 28.466485s: kasan_save_stack+0x33/0x60 kasan_save_track+0x17/0x60 __kasan_slab_alloc+0x6e/0x70 kmem_cache_alloc_noprof+0xfd/0x380 fuse_request_alloc+0x22/0x200 fuse_get_req+0x295/0x8c0 __fuse_simple_request+0x9d/0xd40 fuse_send_open+0x1cc/0x270 fuse_file_open+0x2e4/0x810 fuse_do_open+0x50/0xc0 fuse_dir_open+0x10d/0x260 do_dentry_open+0x5cc/0x1340 vfs_open+0x79/0x390 path_openat+0x22f6/0x3bc0 do_file_open+0x219/0x470 do_sys_openat2+0xed/0x1b0 __x64_sys_openat+0x131/0x1e0 do_syscall_64+0x102/0x5a0 entry_SYSCALL_64_after_hwframe+0x77/0x7f Freed by task 153 on cpu 0 at 28.574662s: kasan_save_stack+0x33/0x60 kasan_save_track+0x17/0x60 kasan_save_free_info+0x3b/0x60 __kasan_slab_free+0x43/0x70 kmem_cache_free+0xba/0x3b0 fuse_put_request+0x190/0x2a0 __fuse_simple_request+0x4d0/0xd40 fuse_send_open+0x1cc/0x270 fuse_file_open+0x2e4/0x810 fuse_do_open+0x50/0xc0 fuse_dir_open+0x10d/0x260 do_dentry_open+0x5cc/0x1340 vfs_open+0x79/0x390 path_openat+0x22f6/0x3bc0 do_file_open+0x219/0x470 do_sys_openat2+0xed/0x1b0 __x64_sys_openat+0x131/0x1e0 do_syscall_64+0x102/0x5a0 entry_SYSCALL_64_after_hwframe+0x77/0x7f The buggy address belongs to the object at ffff888009ecc658 which belongs to the cache fuse_request of size 168 The buggy address is located 8 bytes inside of freed 168-byte region [ffff888009ecc658, ffff888009ecc700) The buggy address belongs to the physical page: page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff888009ecc828 pfn:0x9ecc flags: 0x100000000000200(workingset|node=0|zone=1) page_type: f5(slab) raw: 0100000000000200 ffff88800a48c8c0 ffff88800a486990 ffff88800a486990 raw: ffff888009ecc828 0000000000110009 00000000f5000000 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff888009ecc500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff888009ecc580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff888009ecc600: fc fc fc fc fc fc fc fc fc fc fc fa fb fb fb fb ^ ffff888009ecc680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff888009ecc700: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb ================================================================== ================================================================== BUG: KASAN: slab-use-after-free in fuse_uring_stop_list_entries+0x7c8/0x990 Write of size 8 at addr ffff88800c0c7908 by task repro_minimal_u/152 CPU: 0 UID: 1000 PID: 152 Comm: repro_minimal_u Tainted: G B W 7.1.0-rc6 #1 PREEMPT(lazy) Tainted: [B]=BAD_PAGE, [W]=WARN Hardware name: QEMU Ubuntu 24.04 PC v2 (i440FX + PIIX, arch_caps fix, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 Call Trace: dump_stack_lvl+0x7b/0xa0 print_report+0xce/0x5f0 kasan_report+0xce/0x100 fuse_uring_stop_list_entries+0x7c8/0x990 fuse_uring_teardown_all_queues+0xb0/0x120 fuse_uring_stop_queues+0x1f/0x230 fuse_abort_conn+0xac7/0xd40 fuse_dev_release+0x3a3/0x4d0 __fput+0x38c/0xa70 fput_close_sync+0xfa/0x1f0 __x64_sys_close+0x87/0xf0 do_syscall_64+0x102/0x5a0 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7fb20617974c Code: 0f 05 48 3d 00 f0 ff ff 77 3c c3 0f 1f 00 55 48 89 e5 48 83 ec 10 89 7d fc e8 10 1e f8 ff 8b 7d fc 89 c2 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 2c 89 d7 89 45 fc e8 72 1e f8 ff 8b 45 fc c9 RSP: 002b:0000558c9601fe50 EFLAGS: 00000293 ORIG_RAX: 0000000000000003 RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fb20617974c RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003 RBP: 0000558c9601fe60 R08: 0000000000000000 R09: 00007fb206277000 R10: 0000000000000000 R11: 0000000000000293 R12: 0000558c95f04a10 R13: 0000000000006e2b R14: 0000000000006e5d R15: 0000558c9601feb0 Allocated by task 153 on cpu 0 at 28.466479s: kasan_save_stack+0x33/0x60 kasan_save_track+0x17/0x60 __kasan_kmalloc+0x8f/0xa0 fuse_file_alloc+0xba/0x2c0 fuse_file_open+0x22d/0x810 fuse_do_open+0x50/0xc0 fuse_dir_open+0x10d/0x260 do_dentry_open+0x5cc/0x1340 vfs_open+0x79/0x390 path_openat+0x22f6/0x3bc0 do_file_open+0x219/0x470 do_sys_openat2+0xed/0x1b0 __x64_sys_openat+0x131/0x1e0 do_syscall_64+0x102/0x5a0 entry_SYSCALL_64_after_hwframe+0x77/0x7f Freed by task 153 on cpu 0 at 28.574668s: kasan_save_stack+0x33/0x60 kasan_save_track+0x17/0x60 kasan_save_free_info+0x3b/0x60 __kasan_slab_free+0x43/0x70 kfree+0x133/0x3a0 fuse_file_open+0x524/0x810 fuse_do_open+0x50/0xc0 fuse_dir_open+0x10d/0x260 do_dentry_open+0x5cc/0x1340 vfs_open+0x79/0x390 path_openat+0x22f6/0x3bc0 do_file_open+0x219/0x470 do_sys_openat2+0xed/0x1b0 __x64_sys_openat+0x131/0x1e0 do_syscall_64+0x102/0x5a0 entry_SYSCALL_64_after_hwframe+0x77/0x7f The buggy address belongs to the object at ffff88800c0c7900 which belongs to the cache kmalloc-192 of size 192 The buggy address is located 8 bytes inside of freed 192-byte region [ffff88800c0c7900, ffff88800c0c79c0) The buggy address belongs to the physical page: page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0xc0c7 flags: 0x100000000000000(node=0|zone=1) page_type: f5(slab) raw: 0100000000000000 ffff8880090413c0 dead000000000100 dead000000000122 raw: 0000000000000000 0000000000100010 00000000f5000000 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff88800c0c7800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff88800c0c7880: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc >ffff88800c0c7900: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff88800c0c7980: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc ffff88800c0c7a00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ================================================================== Oops: general protection fault, probably for non-canonical address 0xe03a7c15c0000013: 0000 [#1] SMP KASAN PTI KASAN: maybe wild-memory-access in range [0x01d400ae00000098-0x01d400ae0000009f] CPU: 0 UID: 1000 PID: 152 Comm: repro_minimal_u Tainted: G B W 7.1.0-rc6 #1 PREEMPT(lazy) Tainted: [B]=BAD_PAGE, [W]=WARN Hardware name: QEMU Ubuntu 24.04 PC v2 (i440FX + PIIX, arch_caps fix, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 RIP: 0010:fuse_uring_stop_list_entries+0x332/0x990 Code: 85 ca 04 00 00 48 8d 7e 08 49 8b 4d 08 49 89 f8 49 c1 e8 03 41 80 3c 28 00 0f 85 92 04 00 00 48 89 cf 48 89 4e 08 48 c1 ef 03 <80> 3c 2f 00 0f 85 5c 04 00 00 48 89 31 4c 89 e9 48 c1 e9 03 80 3c RSP: 0018:ffffc90000a5fb08 EFLAGS: 00010202 RAX: 0000000000000001 RBX: ffff888009f68c00 RCX: 01d400ae00000099 RDX: ffff888009e95000 RSI: ffff88800c0c7900 RDI: 003a8015c0000013 RBP: dffffc0000000000 R08: 0000000000000001 R09: fffffbfff11d1438 R10: ffffffff88e8a1c7 R11: 0000000000000001 R12: ffff88800c0c7b00 R13: ffff888009ecc658 R14: ffff888009f68c20 R15: ffffc90000a5fb50 FS: 00007fb206060800(0000) GS:ffff8880acde2000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fb20615ca10 CR3: 000000000dc18000 CR4: 00000000000006f0 Call Trace: fuse_uring_teardown_all_queues+0xb0/0x120 fuse_uring_stop_queues+0x1f/0x230 fuse_abort_conn+0xac7/0xd40 fuse_dev_release+0x3a3/0x4d0 __fput+0x38c/0xa70 fput_close_sync+0xfa/0x1f0 __x64_sys_close+0x87/0xf0 do_syscall_64+0x102/0x5a0 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7fb20617974c Code: 0f 05 48 3d 00 f0 ff ff 77 3c c3 0f 1f 00 55 48 89 e5 48 83 ec 10 89 7d fc e8 10 1e f8 ff 8b 7d fc 89 c2 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 2c 89 d7 89 45 fc e8 72 1e f8 ff 8b 45 fc c9 RSP: 002b:0000558c9601fe50 EFLAGS: 00000293 ORIG_RAX: 0000000000000003 RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fb20617974c RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003 RBP: 0000558c9601fe60 R08: 0000000000000000 R09: 00007fb206277000 R10: 0000000000000000 R11: 0000000000000293 R12: 0000558c95f04a10 R13: 0000000000006e2b R14: 0000000000006e5d R15: 0000558c9601feb0 Modules linked in: ---[ end trace 0000000000000000 ]--- RIP: 0010:fuse_uring_stop_list_entries+0x332/0x990 Code: 85 ca 04 00 00 48 8d 7e 08 49 8b 4d 08 49 89 f8 49 c1 e8 03 41 80 3c 28 00 0f 85 92 04 00 00 48 89 cf 48 89 4e 08 48 c1 ef 03 <80> 3c 2f 00 0f 85 5c 04 00 00 48 89 31 4c 89 e9 48 c1 e9 03 80 3c RSP: 0018:ffffc90000a5fb08 EFLAGS: 00010202 RAX: 0000000000000001 RBX: ffff888009f68c00 RCX: 01d400ae00000099 RDX: ffff888009e95000 RSI: ffff88800c0c7900 RDI: 003a8015c0000013 RBP: dffffc0000000000 R08: 0000000000000001 R09: fffffbfff11d1438 R10: ffffffff88e8a1c7 R11: 0000000000000001 R12: ffff88800c0c7b00 R13: ffff888009ecc658 R14: ffff888009f68c20 R15: ffffc90000a5fb50 FS: 00007fb206060800(0000) GS:ffff8880acde2000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fb20615ca10 CR3: 000000000dc18000 CR4: 00000000000006f0 ---------------- Code disassembly (best guess): 0: 85 ca test %ecx,%edx 2: 04 00 add $0x0,%al 4: 00 48 8d add %cl,-0x73(%rax) 7: 7e 08 jle 0x11 9: 49 8b 4d 08 mov 0x8(%r13),%rcx d: 49 89 f8 mov %rdi,%r8 10: 49 c1 e8 03 shr $0x3,%r8 14: 41 80 3c 28 00 cmpb $0x0,(%r8,%rbp,1) 19: 0f 85 92 04 00 00 jne 0x4b1 1f: 48 89 cf mov %rcx,%rdi 22: 48 89 4e 08 mov %rcx,0x8(%rsi) 26: 48 c1 ef 03 shr $0x3,%rdi * 2a: 80 3c 2f 00 cmpb $0x0,(%rdi,%rbp,1) <-- trapping instruction 2e: 0f 85 5c 04 00 00 jne 0x490 34: 48 89 31 mov %rsi,(%rcx) 37: 4c 89 e9 mov %r13,%rcx 3a: 48 c1 e9 03 shr $0x3,%rcx 3e: 80 .byte 0x80 3f: 3c .byte 0x3c TITLE: KASAN: slab-use-after-free Read in fuse_uring_copy_to_ring CORRUPTED: false () SUPPRESSED: false MAINTAINERS (TO): [] MAINTAINERS (CC): [] ^ ffff888009ecc700: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb ffff888009ecc780: fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc ================================================================== ================================================================== BUG: KASAN: slab-use-after-free in _copy_to_user+0x4e/0x80 Read of size 40 at addr ffff888009ecc690 by task repro_minimal_u/153 CPU: 0 UID: 1000 PID: 153 Comm: repro_minimal_u Tainted: G B W 7.1.0-rc6 #1 PREEMPT(lazy) Tainted: [B]=BAD_PAGE, [W]=WARN Hardware name: QEMU Ubuntu 24.04 PC v2 (i440FX + PIIX, arch_caps fix, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 Call Trace: dump_stack_lvl+0x7b/0xa0 print_report+0xce/0x5f0 kasan_report+0xce/0x100 kasan_check_range+0x105/0x1b0 _copy_to_user+0x4e/0x80 fuse_uring_copy_to_ring+0x12c/0x230 fuse_uring_send_in_task+0x153/0x4c0 io_handle_tw_list+0x2fe/0x3a0 tctx_task_work_run+0x59/0x230 tctx_task_work+0x7a/0xd0 task_work_run+0x13f/0x210 get_signal+0x1bb/0x1ea0 arch_do_signal_or_restart+0x8f/0x6f0 exit_to_user_mode_loop+0x6e/0x4b0 do_syscall_64+0x482/0x5a0 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7fb20618a28d Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 5b bb 0d 00 f7 d8 64 89 01 48 RSP: 002b:00007fb20605edc8 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 RAX: fffffffffffffffb RBX: 0000558c96020028 RCX: 00007fb20618a28d RDX: 0000000000050480 RSI: 0000200000000040 RDI: ffffffffffffff9c RBP: 0000558c96020020 R08: 00007fb20605fcdc R09: 0000558c96020028 R10: 0000000000000028 R11: 0000000000000246 R12: 0000558c9602002c R13: fffffffffffffeb8 R14: 0000000000000000 R15: 0000558c9601fc80 Allocated by task 153 on cpu 0 at 28.466485s: kasan_save_stack+0x33/0x60 kasan_save_track+0x17/0x60 __kasan_slab_alloc+0x6e/0x70 kmem_cache_alloc_noprof+0xfd/0x380 fuse_request_alloc+0x22/0x200 fuse_get_req+0x295/0x8c0 __fuse_simple_request+0x9d/0xd40 fuse_send_open+0x1cc/0x270 fuse_file_open+0x2e4/0x810 fuse_do_open+0x50/0xc0 fuse_dir_open+0x10d/0x260 do_dentry_open+0x5cc/0x1340 vfs_open+0x79/0x390 path_openat+0x22f6/0x3bc0 do_file_open+0x219/0x470 do_sys_openat2+0xed/0x1b0 __x64_sys_openat+0x131/0x1e0 do_syscall_64+0x102/0x5a0 entry_SYSCALL_64_after_hwframe+0x77/0x7f Freed by task 153 on cpu 0 at 28.574662s: kasan_save_stack+0x33/0x60 kasan_save_track+0x17/0x60 kasan_save_free_info+0x3b/0x60 __kasan_slab_free+0x43/0x70 kmem_cache_free+0xba/0x3b0 fuse_put_request+0x190/0x2a0 __fuse_simple_request+0x4d0/0xd40 fuse_send_open+0x1cc/0x270 fuse_file_open+0x2e4/0x810 fuse_do_open+0x50/0xc0 fuse_dir_open+0x10d/0x260 do_dentry_open+0x5cc/0x1340 vfs_open+0x79/0x390 path_openat+0x22f6/0x3bc0 do_file_open+0x219/0x470 do_sys_openat2+0xed/0x1b0 __x64_sys_openat+0x131/0x1e0 do_syscall_64+0x102/0x5a0 entry_SYSCALL_64_after_hwframe+0x77/0x7f The buggy address belongs to the object at ffff888009ecc658 which belongs to the cache fuse_request of size 168 The buggy address is located 56 bytes inside of freed 168-byte region [ffff888009ecc658, ffff888009ecc700) The buggy address belongs to the physical page: page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff888009ecc828 pfn:0x9ecc flags: 0x100000000000200(workingset|node=0|zone=1) page_type: f5(slab) raw: 0100000000000200 ffff88800a48c8c0 ffff88800a486990 ffff88800a486990 raw: ffff888009ecc828 0000000000110009 00000000f5000000 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff888009ecc580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff888009ecc600: fc fc fc fc fc fc fc fc fc fc fc fa fb fb fb fb >ffff888009ecc680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff888009ecc700: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb ffff888009ecc780: fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc ================================================================== ================================================================== BUG: KASAN: slab-use-after-free in fuse_uring_send_in_task+0x171/0x4c0 Write of size 8 at addr ffff888009ecc688 by task repro_minimal_u/153 CPU: 0 UID: 1000 PID: 153 Comm: repro_minimal_u Tainted: G B W 7.1.0-rc6 #1 PREEMPT(lazy) Tainted: [B]=BAD_PAGE, [W]=WARN Hardware name: QEMU Ubuntu 24.04 PC v2 (i440FX + PIIX, arch_caps fix, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 Call Trace: dump_stack_lvl+0x7b/0xa0 print_report+0xce/0x5f0 kasan_report+0xce/0x100 kasan_check_range+0x105/0x1b0 fuse_uring_send_in_task+0x171/0x4c0 io_handle_tw_list+0x2fe/0x3a0 tctx_task_work_run+0x59/0x230 tctx_task_work+0x7a/0xd0 task_work_run+0x13f/0x210 get_signal+0x1bb/0x1ea0 arch_do_signal_or_restart+0x8f/0x6f0 exit_to_user_mode_loop+0x6e/0x4b0 do_syscall_64+0x482/0x5a0 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7fb20618a28d Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 5b bb 0d 00 f7 d8 64 89 01 48 RSP: 002b:00007fb20605edc8 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 RAX: fffffffffffffffb RBX: 0000558c96020028 RCX: 00007fb20618a28d RDX: 0000000000050480 RSI: 0000200000000040 RDI: ffffffffffffff9c RBP: 0000558c96020020 R08: 00007fb20605fcdc R09: 0000558c96020028 R10: 0000000000000028 R11: 0000000000000246 R12: 0000558c9602002c R13: fffffffffffffeb8 R14: 0000000000000000 R15: 0000558c9601fc80 Allocated by task 153 on cpu 0 at 28.466485s: kasan_save_stack+0x33/0x60 kasan_save_track+0x17/0x60 __kasan_slab_alloc+0x6e/0x70 kmem_cache_alloc_noprof+0xfd/0x380 fuse_request_alloc+0x22/0x200 fuse_get_req+0x295/0x8c0 __fuse_simple_request+0x9d/0xd40 fuse_send_open+0x1cc/0x270 fuse_file_open+0x2e4/0x810 fuse_do_open+0x50/0xc0 fuse_dir_open+0x10d/0x260 do_dentry_open+0x5cc/0x1340 vfs_open+0x79/0x390 path_openat+0x22f6/0x3bc0 do_file_open+0x219/0x470 do_sys_openat2+0xed/0x1b0 __x64_sys_openat+0x131/0x1e0 do_syscall_64+0x102/0x5a0 entry_SYSCALL_64_after_hwframe+0x77/0x7f Freed by task 153 on cpu 0 at 28.574662s: kasan_save_stack+0x33/0x60 kasan_save_track+0x17/0x60 kasan_save_free_info+0x3b/0x60 __kasan_slab_free+0x43/0x70 kmem_cache_free+0xba/0x3b0 fuse_put_request+0x190/0x2a0 __fuse_simple_request+0x4d0/0xd40 fuse_send_open+0x1cc/0x270 fuse_file_open+0x2e4/0x810 fuse_do_open+0x50/0xc0 fuse_dir_open+0x10d/0x260 do_dentry_open+0x5cc/0x1340 vfs_open+0x79/0x390 path_openat+0x22f6/0x3bc0 do_file_open+0x219/0x470 do_sys_openat2+0xed/0x1b0 __x64_sys_openat+0x131/0x1e0 do_syscall_64+0x102/0x5a0 entry_SYSCALL_64_after_hwframe+0x77/0x7f The buggy address belongs to the object at ffff888009ecc658 which belongs to the cache fuse_request of size 168 The buggy address is located 48 bytes inside of freed 168-byte region [ffff888009ecc658, ffff888009ecc700) The buggy address belongs to the physical page: page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff888009ecc828 pfn:0x9ecc flags: 0x100000000000200(workingset|node=0|zone=1) page_type: f5(slab) raw: 0100000000000200 ffff88800a48c8c0 ffff88800a486990 ffff88800a486990 raw: ffff888009ecc828 0000000000110009 00000000f5000000 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff888009ecc580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff888009ecc600: fc fc fc fc fc fc fc fc fc fc fc fa fb fb fb fb >ffff888009ecc680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff888009ecc700: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb ffff888009ecc780: fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc ================================================================== ================================================================== BUG: KASAN: slab-use-after-free in fuse_uring_stop_list_entries+0x786/0x990 Read of size 8 at addr ffff888009ecc658 by task repro_minimal_u/152 CPU: 0 UID: 1000 PID: 152 Comm: repro_minimal_u Tainted: G B W 7.1.0-rc6 #1 PREEMPT(lazy) Tainted: [B]=BAD_PAGE, [W]=WARN Hardware name: QEMU Ubuntu 24.04 PC v2 (i440FX + PIIX, arch_caps fix, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 Call Trace: dump_stack_lvl+0x7b/0xa0 print_report+0xce/0x5f0 kasan_report+0xce/0x100 fuse_uring_stop_list_entries+0x786/0x990 fuse_uring_teardown_all_queues+0xb0/0x120 fuse_uring_stop_queues+0x1f/0x230 fuse_abort_conn+0xac7/0xd40 fuse_dev_release+0x3a3/0x4d0 __fput+0x38c/0xa70 fput_close_sync+0xfa/0x1f0 __x64_sys_close+0x87/0xf0 do_syscall_64+0x102/0x5a0 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7fb20617974c Code: 0f 05 48 3d 00 f0 ff ff 77 3c c3 0f 1f 00 55 48 89 e5 48 83 ec 10 89 7d fc e8 10 1e f8 ff 8b 7d fc 89 c2 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 2c 89 d7 89 45 fc e8 72 1e f8 ff 8b 45 fc c9 RSP: 002b:0000558c9601fe50 EFLAGS: 00000293 ORIG_RAX: 0000000000000003 RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fb20617974c RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003 RBP: 0000558c9601fe60 R08: 0000000000000000 R09: 00007fb206277000 R10: 0000000000000000 R11: 0000000000000293 R12: 0000558c95f04a10 R13: 0000000000006e2b R14: 0000000000006e5d R15: 0000558c9601feb0 Allocated by task 153 on cpu 0 at 28.466485s: kasan_save_stack+0x33/0x60 kasan_save_track+0x17/0x60 __kasan_slab_alloc+0x6e/0x70 kmem_cache_alloc_noprof+0xfd/0x380 fuse_request_alloc+0x22/0x200 fuse_get_req+0x295/0x8c0 __fuse_simple_request+0x9d/0xd40 fuse_send_open+0x1cc/0x270 fuse_file_open+0x2e4/0x810 fuse_do_open+0x50/0xc0 fuse_dir_open+0x10d/0x260 do_dentry_open+0x5cc/0x1340 vfs_open+0x79/0x390 path_openat+0x22f6/0x3bc0 do_file_open+0x219/0x470 do_sys_openat2+0xed/0x1b0 __x64_sys_openat+0x131/0x1e0 do_syscall_64+0x102/0x5a0 entry_SYSCALL_64_after_hwframe+0x77/0x7f Freed by task 153 on cpu 0 at 28.574662s: kasan_save_stack+0x33/0x60 kasan_save_track+0x17/0x60 kasan_save_free_info+0x3b/0x60 __kasan_slab_free+0x43/0x70 kmem_cache_free+0xba/0x3b0 fuse_put_request+0x190/0x2a0 __fuse_simple_request+0x4d0/0xd40 fuse_send_open+0x1cc/0x270 fuse_file_open+0x2e4/0x810 fuse_do_open+0x50/0xc0 fuse_dir_open+0x10d/0x260 do_dentry_open+0x5cc/0x1340 vfs_open+0x79/0x390 path_openat+0x22f6/0x3bc0 do_file_open+0x219/0x470 do_sys_openat2+0xed/0x1b0 __x64_sys_openat+0x131/0x1e0 do_syscall_64+0x102/0x5a0 entry_SYSCALL_64_after_hwframe+0x77/0x7f The buggy address belongs to the object at ffff888009ecc658 which belongs to the cache fuse_request of size 168 The buggy address is located 0 bytes inside of freed 168-byte region [ffff888009ecc658, ffff888009ecc700) The buggy address belongs to the physical page: page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff888009ecc828 pfn:0x9ecc flags: 0x100000000000200(workingset|node=0|zone=1) page_type: f5(slab) raw: 0100000000000200 ffff88800a48c8c0 ffff88800a486990 ffff88800a486990 raw: ffff888009ecc828 0000000000110009 00000000f5000000 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff888009ecc500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff888009ecc580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff888009ecc600: fc fc fc fc fc fc fc fc fc fc fc fa fb fb fb fb ^ ffff888009ecc680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff888009ecc700: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb ================================================================== ================================================================== BUG: KASAN: slab-use-after-free in fuse_uring_stop_list_entries+0x7e1/0x990 Read of size 8 at addr ffff888009ecc660 by task repro_minimal_u/152 CPU: 0 UID: 1000 PID: 152 Comm: repro_minimal_u Tainted: G B W 7.1.0-rc6 #1 PREEMPT(lazy) Tainted: [B]=BAD_PAGE, [W]=WARN Hardware name: QEMU Ubuntu 24.04 PC v2 (i440FX + PIIX, arch_caps fix, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 Call Trace: dump_stack_lvl+0x7b/0xa0 print_report+0xce/0x5f0 kasan_report+0xce/0x100 fuse_uring_stop_list_entries+0x7e1/0x990 fuse_uring_teardown_all_queues+0xb0/0x120 fuse_uring_stop_queues+0x1f/0x230 fuse_abort_conn+0xac7/0xd40 fuse_dev_release+0x3a3/0x4d0 __fput+0x38c/0xa70 fput_close_sync+0xfa/0x1f0 __x64_sys_close+0x87/0xf0 do_syscall_64+0x102/0x5a0 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7fb20617974c Code: 0f 05 48 3d 00 f0 ff ff 77 3c c3 0f 1f 00 55 48 89 e5 48 83 ec 10 89 7d fc e8 10 1e f8 ff 8b 7d fc 89 c2 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 2c 89 d7 89 45 fc e8 72 1e f8 ff 8b 45 fc c9 RSP: 002b:0000558c9601fe50 EFLAGS: 00000293 ORIG_RAX: 0000000000000003 RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fb20617974c RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003 RBP: 0000558c9601fe60 R08: 0000000000000000 R09: 00007fb206277000 R10: 0000000000000000 R11: 0000000000000293 R12: 0000558c95f04a10 R13: 0000000000006e2b R14: 0000000000006e5d R15: 0000558c9601feb0 Allocated by task 153 on cpu 0 at 28.466485s: kasan_save_stack+0x33/0x60 kasan_save_track+0x17/0x60 __kasan_slab_alloc+0x6e/0x70 kmem_cache_alloc_noprof+0xfd/0x380 fuse_request_alloc+0x22/0x200 fuse_get_req+0x295/0x8c0 __fuse_simple_request+0x9d/0xd40 fuse_send_open+0x1cc/0x270 fuse_file_open+0x2e4/0x810 fuse_do_open+0x50/0xc0 fuse_dir_open+0x10d/0x260 do_dentry_open+0x5cc/0x1340 vfs_open+0x79/0x390 path_openat+0x22f6/0x3bc0 do_file_open+0x219/0x470 do_sys_openat2+0xed/0x1b0 __x64_sys_openat+0x131/0x1e0 do_syscall_64+0x102/0x5a0 entry_SYSCALL_64_after_hwframe+0x77/0x7f Freed by task 153 on cpu 0 at 28.574662s: kasan_save_stack+0x33/0x60 kasan_save_track+0x17/0x60 kasan_save_free_info+0x3b/0x60 __kasan_slab_free+0x43/0x70 kmem_cache_free+0xba/0x3b0 fuse_put_request+0x190/0x2a0 __fuse_simple_request+0x4d0/0xd40 fuse_send_open+0x1cc/0x270 fuse_file_open+0x2e4/0x810 fuse_do_open+0x50/0xc0 fuse_dir_open+0x10d/0x260 do_dentry_open+0x5cc/0x1340 vfs_open+0x79/0x390 path_openat+0x22f6/0x3bc0 do_file_open+0x219/0x470 do_sys_openat2+0xed/0x1b0 __x64_sys_openat+0x131/0x1e0 do_syscall_64+0x102/0x5a0 entry_SYSCALL_64_after_hwframe+0x77/0x7f The buggy address belongs to the object at ffff888009ecc658 which belongs to the cache fuse_request of size 168 The buggy address is located 8 bytes inside of freed 168-byte region [ffff888009ecc658, ffff888009ecc700) The buggy address belongs to the physical page: page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff888009ecc828 pfn:0x9ecc flags: 0x100000000000200(workingset|node=0|zone=1) page_type: f5(slab) raw: 0100000000000200 ffff88800a48c8c0 ffff88800a486990 ffff88800a486990 raw: ffff888009ecc828 0000000000110009 00000000f5000000 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff888009ecc500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff888009ecc580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff888009ecc600: fc fc fc fc fc fc fc fc fc fc fc fa fb fb fb fb ^ ffff888009ecc680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff888009ecc700: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb ================================================================== ================================================================== BUG: KASAN: slab-use-after-free in fuse_uring_stop_list_entries+0x7c8/0x990 Write of size 8 at addr ffff88800c0c7908 by task repro_minimal_u/152 CPU: 0 UID: 1000 PID: 152 Comm: repro_minimal_u Tainted: G B W 7.1.0-rc6 #1 PREEMPT(lazy) Tainted: [B]=BAD_PAGE, [W]=WARN Hardware name: QEMU Ubuntu 24.04 PC v2 (i440FX + PIIX, arch_caps fix, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 Call Trace: dump_stack_lvl+0x7b/0xa0 print_report+0xce/0x5f0 kasan_report+0xce/0x100 fuse_uring_stop_list_entries+0x7c8/0x990 fuse_uring_teardown_all_queues+0xb0/0x120 fuse_uring_stop_queues+0x1f/0x230 fuse_abort_conn+0xac7/0xd40 fuse_dev_release+0x3a3/0x4d0 __fput+0x38c/0xa70 fput_close_sync+0xfa/0x1f0 __x64_sys_close+0x87/0xf0 do_syscall_64+0x102/0x5a0 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7fb20617974c Code: 0f 05 48 3d 00 f0 ff ff 77 3c c3 0f 1f 00 55 48 89 e5 48 83 ec 10 89 7d fc e8 10 1e f8 ff 8b 7d fc 89 c2 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 2c 89 d7 89 45 fc e8 72 1e f8 ff 8b 45 fc c9 RSP: 002b:0000558c9601fe50 EFLAGS: 00000293 ORIG_RAX: 0000000000000003 RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fb20617974c RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003 RBP: 0000558c9601fe60 R08: 0000000000000000 R09: 00007fb206277000 R10: 0000000000000000 R11: 0000000000000293 R12: 0000558c95f04a10 R13: 0000000000006e2b R14: 0000000000006e5d R15: 0000558c9601feb0 Allocated by task 153 on cpu 0 at 28.466479s: kasan_save_stack+0x33/0x60 kasan_save_track+0x17/0x60 __kasan_kmalloc+0x8f/0xa0 fuse_file_alloc+0xba/0x2c0 fuse_file_open+0x22d/0x810 fuse_do_open+0x50/0xc0 fuse_dir_open+0x10d/0x260 do_dentry_open+0x5cc/0x1340 vfs_open+0x79/0x390 path_openat+0x22f6/0x3bc0 do_file_open+0x219/0x470 do_sys_openat2+0xed/0x1b0 __x64_sys_openat+0x131/0x1e0 do_syscall_64+0x102/0x5a0 entry_SYSCALL_64_after_hwframe+0x77/0x7f Freed by task 153 on cpu 0 at 28.574668s: kasan_save_stack+0x33/0x60 kasan_save_track+0x17/0x60 kasan_save_free_info+0x3b/0x60 __kasan_slab_free+0x43/0x70 kfree+0x133/0x3a0 fuse_file_open+0x524/0x810 fuse_do_open+0x50/0xc0 fuse_dir_open+0x10d/0x260 do_dentry_open+0x5cc/0x1340 vfs_open+0x79/0x390 path_openat+0x22f6/0x3bc0 do_file_open+0x219/0x470 do_sys_openat2+0xed/0x1b0 __x64_sys_openat+0x131/0x1e0 do_syscall_64+0x102/0x5a0 entry_SYSCALL_64_after_hwframe+0x77/0x7f The buggy address belongs to the object at ffff88800c0c7900 which belongs to the cache kmalloc-192 of size 192 The buggy address is located 8 bytes inside of freed 192-byte region [ffff88800c0c7900, ffff88800c0c79c0) The buggy address belongs to the physical page: page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0xc0c7 flags: 0x100000000000000(node=0|zone=1) page_type: f5(slab) raw: 0100000000000000 ffff8880090413c0 dead000000000100 dead000000000122 raw: 0000000000000000 0000000000100010 00000000f5000000 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff88800c0c7800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff88800c0c7880: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc >ffff88800c0c7900: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff88800c0c7980: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc ffff88800c0c7a00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ================================================================== Oops: general protection fault, probably for non-canonical address 0xe03a7c15c0000013: 0000 [#1] SMP KASAN PTI KASAN: maybe wild-memory-access in range [0x01d400ae00000098-0x01d400ae0000009f] CPU: 0 UID: 1000 PID: 152 Comm: repro_minimal_u Tainted: G B W 7.1.0-rc6 #1 PREEMPT(lazy) Tainted: [B]=BAD_PAGE, [W]=WARN Hardware name: QEMU Ubuntu 24.04 PC v2 (i440FX + PIIX, arch_caps fix, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 RIP: 0010:fuse_uring_stop_list_entries+0x332/0x990 Code: 85 ca 04 00 00 48 8d 7e 08 49 8b 4d 08 49 89 f8 49 c1 e8 03 41 80 3c 28 00 0f 85 92 04 00 00 48 89 cf 48 89 4e 08 48 c1 ef 03 <80> 3c 2f 00 0f 85 5c 04 00 00 48 89 31 4c 89 e9 48 c1 e9 03 80 3c RSP: 0018:ffffc90000a5fb08 EFLAGS: 00010202 RAX: 0000000000000001 RBX: ffff888009f68c00 RCX: 01d400ae00000099 RDX: ffff888009e95000 RSI: ffff88800c0c7900 RDI: 003a8015c0000013 RBP: dffffc0000000000 R08: 0000000000000001 R09: fffffbfff11d1438 R10: ffffffff88e8a1c7 R11: 0000000000000001 R12: ffff88800c0c7b00 R13: ffff888009ecc658 R14: ffff888009f68c20 R15: ffffc90000a5fb50 FS: 00007fb206060800(0000) GS:ffff8880acde2000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fb20615ca10 CR3: 000000000dc18000 CR4: 00000000000006f0 Call Trace: fuse_uring_teardown_all_queues+0xb0/0x120 fuse_uring_stop_queues+0x1f/0x230 fuse_abort_conn+0xac7/0xd40 fuse_dev_release+0x3a3/0x4d0 __fput+0x38c/0xa70 fput_close_sync+0xfa/0x1f0 __x64_sys_close+0x87/0xf0 do_syscall_64+0x102/0x5a0 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7fb20617974c Code: 0f 05 48 3d 00 f0 ff ff 77 3c c3 0f 1f 00 55 48 89 e5 48 83 ec 10 89 7d fc e8 10 1e f8 ff 8b 7d fc 89 c2 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 2c 89 d7 89 45 fc e8 72 1e f8 ff 8b 45 fc c9 RSP: 002b:0000558c9601fe50 EFLAGS: 00000293 ORIG_RAX: 0000000000000003 RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fb20617974c RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003 RBP: 0000558c9601fe60 R08: 0000000000000000 R09: 00007fb206277000 R10: 0000000000000000 R11: 0000000000000293 R12: 0000558c95f04a10 R13: 0000000000006e2b R14: 0000000000006e5d R15: 0000558c9601feb0 Modules linked in: ---[ end trace 0000000000000000 ]--- RIP: 0010:fuse_uring_stop_list_entries+0x332/0x990 Code: 85 ca 04 00 00 48 8d 7e 08 49 8b 4d 08 49 89 f8 49 c1 e8 03 41 80 3c 28 00 0f 85 92 04 00 00 48 89 cf 48 89 4e 08 48 c1 ef 03 <80> 3c 2f 00 0f 85 5c 04 00 00 48 89 31 4c 89 e9 48 c1 e9 03 80 3c RSP: 0018:ffffc90000a5fb08 EFLAGS: 00010202 RAX: 0000000000000001 RBX: ffff888009f68c00 RCX: 01d400ae00000099 RDX: ffff888009e95000 RSI: ffff88800c0c7900 RDI: 003a8015c0000013 RBP: dffffc0000000000 R08: 0000000000000001 R09: fffffbfff11d1438 R10: ffffffff88e8a1c7 R11: 0000000000000001 R12: ffff88800c0c7b00 R13: ffff888009ecc658 R14: ffff888009f68c20 R15: ffffc90000a5fb50 FS: 00007fb206060800(0000) GS:ffff8880acde2000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fb20615ca10 CR3: 000000000dc18000 CR4: 00000000000006f0 ---------------- Code disassembly (best guess): 0: 85 ca test %ecx,%edx 2: 04 00 add $0x0,%al 4: 00 48 8d add %cl,-0x73(%rax) 7: 7e 08 jle 0x11 9: 49 8b 4d 08 mov 0x8(%r13),%rcx d: 49 89 f8 mov %rdi,%r8 10: 49 c1 e8 03 shr $0x3,%r8 14: 41 80 3c 28 00 cmpb $0x0,(%r8,%rbp,1) 19: 0f 85 92 04 00 00 jne 0x4b1 1f: 48 89 cf mov %rcx,%rdi 22: 48 89 4e 08 mov %rcx,0x8(%rsi) 26: 48 c1 ef 03 shr $0x3,%rdi * 2a: 80 3c 2f 00 cmpb $0x0,(%rdi,%rbp,1) <-- trapping instruction 2e: 0f 85 5c 04 00 00 jne 0x490 34: 48 89 31 mov %rsi,(%rcx) 37: 4c 89 e9 mov %r13,%rcx 3a: 48 c1 e9 03 shr $0x3,%rcx 3e: 80 .byte 0x80 3f: 3c .byte 0x3c TITLE: KASAN: slab-use-after-free Write in fuse_uring_send_in_task CORRUPTED: false () SUPPRESSED: false MAINTAINERS (TO): [] MAINTAINERS (CC): [] ^ ffff888009ecc700: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb ffff888009ecc780: fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc ================================================================== ================================================================== BUG: KASAN: slab-use-after-free in fuse_uring_send_in_task+0x171/0x4c0 Write of size 8 at addr ffff888009ecc688 by task repro_minimal_u/153 CPU: 0 UID: 1000 PID: 153 Comm: repro_minimal_u Tainted: G B W 7.1.0-rc6 #1 PREEMPT(lazy) Tainted: [B]=BAD_PAGE, [W]=WARN Hardware name: QEMU Ubuntu 24.04 PC v2 (i440FX + PIIX, arch_caps fix, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 Call Trace: dump_stack_lvl+0x7b/0xa0 print_report+0xce/0x5f0 kasan_report+0xce/0x100 kasan_check_range+0x105/0x1b0 fuse_uring_send_in_task+0x171/0x4c0 io_handle_tw_list+0x2fe/0x3a0 tctx_task_work_run+0x59/0x230 tctx_task_work+0x7a/0xd0 task_work_run+0x13f/0x210 get_signal+0x1bb/0x1ea0 arch_do_signal_or_restart+0x8f/0x6f0 exit_to_user_mode_loop+0x6e/0x4b0 do_syscall_64+0x482/0x5a0 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7fb20618a28d Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 5b bb 0d 00 f7 d8 64 89 01 48 RSP: 002b:00007fb20605edc8 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 RAX: fffffffffffffffb RBX: 0000558c96020028 RCX: 00007fb20618a28d RDX: 0000000000050480 RSI: 0000200000000040 RDI: ffffffffffffff9c RBP: 0000558c96020020 R08: 00007fb20605fcdc R09: 0000558c96020028 R10: 0000000000000028 R11: 0000000000000246 R12: 0000558c9602002c R13: fffffffffffffeb8 R14: 0000000000000000 R15: 0000558c9601fc80 Allocated by task 153 on cpu 0 at 28.466485s: kasan_save_stack+0x33/0x60 kasan_save_track+0x17/0x60 __kasan_slab_alloc+0x6e/0x70 kmem_cache_alloc_noprof+0xfd/0x380 fuse_request_alloc+0x22/0x200 fuse_get_req+0x295/0x8c0 __fuse_simple_request+0x9d/0xd40 fuse_send_open+0x1cc/0x270 fuse_file_open+0x2e4/0x810 fuse_do_open+0x50/0xc0 fuse_dir_open+0x10d/0x260 do_dentry_open+0x5cc/0x1340 vfs_open+0x79/0x390 path_openat+0x22f6/0x3bc0 do_file_open+0x219/0x470 do_sys_openat2+0xed/0x1b0 __x64_sys_openat+0x131/0x1e0 do_syscall_64+0x102/0x5a0 entry_SYSCALL_64_after_hwframe+0x77/0x7f Freed by task 153 on cpu 0 at 28.574662s: kasan_save_stack+0x33/0x60 kasan_save_track+0x17/0x60 kasan_save_free_info+0x3b/0x60 __kasan_slab_free+0x43/0x70 kmem_cache_free+0xba/0x3b0 fuse_put_request+0x190/0x2a0 __fuse_simple_request+0x4d0/0xd40 fuse_send_open+0x1cc/0x270 fuse_file_open+0x2e4/0x810 fuse_do_open+0x50/0xc0 fuse_dir_open+0x10d/0x260 do_dentry_open+0x5cc/0x1340 vfs_open+0x79/0x390 path_openat+0x22f6/0x3bc0 do_file_open+0x219/0x470 do_sys_openat2+0xed/0x1b0 __x64_sys_openat+0x131/0x1e0 do_syscall_64+0x102/0x5a0 entry_SYSCALL_64_after_hwframe+0x77/0x7f The buggy address belongs to the object at ffff888009ecc658 which belongs to the cache fuse_request of size 168 The buggy address is located 48 bytes inside of freed 168-byte region [ffff888009ecc658, ffff888009ecc700) The buggy address belongs to the physical page: page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff888009ecc828 pfn:0x9ecc flags: 0x100000000000200(workingset|node=0|zone=1) page_type: f5(slab) raw: 0100000000000200 ffff88800a48c8c0 ffff88800a486990 ffff88800a486990 raw: ffff888009ecc828 0000000000110009 00000000f5000000 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff888009ecc580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff888009ecc600: fc fc fc fc fc fc fc fc fc fc fc fa fb fb fb fb >ffff888009ecc680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff888009ecc700: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb ffff888009ecc780: fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc ================================================================== ================================================================== BUG: KASAN: slab-use-after-free in fuse_uring_stop_list_entries+0x786/0x990 Read of size 8 at addr ffff888009ecc658 by task repro_minimal_u/152 CPU: 0 UID: 1000 PID: 152 Comm: repro_minimal_u Tainted: G B W 7.1.0-rc6 #1 PREEMPT(lazy) Tainted: [B]=BAD_PAGE, [W]=WARN Hardware name: QEMU Ubuntu 24.04 PC v2 (i440FX + PIIX, arch_caps fix, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 Call Trace: dump_stack_lvl+0x7b/0xa0 print_report+0xce/0x5f0 kasan_report+0xce/0x100 fuse_uring_stop_list_entries+0x786/0x990 fuse_uring_teardown_all_queues+0xb0/0x120 fuse_uring_stop_queues+0x1f/0x230 fuse_abort_conn+0xac7/0xd40 fuse_dev_release+0x3a3/0x4d0 __fput+0x38c/0xa70 fput_close_sync+0xfa/0x1f0 __x64_sys_close+0x87/0xf0 do_syscall_64+0x102/0x5a0 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7fb20617974c Code: 0f 05 48 3d 00 f0 ff ff 77 3c c3 0f 1f 00 55 48 89 e5 48 83 ec 10 89 7d fc e8 10 1e f8 ff 8b 7d fc 89 c2 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 2c 89 d7 89 45 fc e8 72 1e f8 ff 8b 45 fc c9 RSP: 002b:0000558c9601fe50 EFLAGS: 00000293 ORIG_RAX: 0000000000000003 RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fb20617974c RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003 RBP: 0000558c9601fe60 R08: 0000000000000000 R09: 00007fb206277000 R10: 0000000000000000 R11: 0000000000000293 R12: 0000558c95f04a10 R13: 0000000000006e2b R14: 0000000000006e5d R15: 0000558c9601feb0 Allocated by task 153 on cpu 0 at 28.466485s: kasan_save_stack+0x33/0x60 kasan_save_track+0x17/0x60 __kasan_slab_alloc+0x6e/0x70 kmem_cache_alloc_noprof+0xfd/0x380 fuse_request_alloc+0x22/0x200 fuse_get_req+0x295/0x8c0 __fuse_simple_request+0x9d/0xd40 fuse_send_open+0x1cc/0x270 fuse_file_open+0x2e4/0x810 fuse_do_open+0x50/0xc0 fuse_dir_open+0x10d/0x260 do_dentry_open+0x5cc/0x1340 vfs_open+0x79/0x390 path_openat+0x22f6/0x3bc0 do_file_open+0x219/0x470 do_sys_openat2+0xed/0x1b0 __x64_sys_openat+0x131/0x1e0 do_syscall_64+0x102/0x5a0 entry_SYSCALL_64_after_hwframe+0x77/0x7f Freed by task 153 on cpu 0 at 28.574662s: kasan_save_stack+0x33/0x60 kasan_save_track+0x17/0x60 kasan_save_free_info+0x3b/0x60 __kasan_slab_free+0x43/0x70 kmem_cache_free+0xba/0x3b0 fuse_put_request+0x190/0x2a0 __fuse_simple_request+0x4d0/0xd40 fuse_send_open+0x1cc/0x270 fuse_file_open+0x2e4/0x810 fuse_do_open+0x50/0xc0 fuse_dir_open+0x10d/0x260 do_dentry_open+0x5cc/0x1340 vfs_open+0x79/0x390 path_openat+0x22f6/0x3bc0 do_file_open+0x219/0x470 do_sys_openat2+0xed/0x1b0 __x64_sys_openat+0x131/0x1e0 do_syscall_64+0x102/0x5a0 entry_SYSCALL_64_after_hwframe+0x77/0x7f The buggy address belongs to the object at ffff888009ecc658 which belongs to the cache fuse_request of size 168 The buggy address is located 0 bytes inside of freed 168-byte region [ffff888009ecc658, ffff888009ecc700) The buggy address belongs to the physical page: page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff888009ecc828 pfn:0x9ecc flags: 0x100000000000200(workingset|node=0|zone=1) page_type: f5(slab) raw: 0100000000000200 ffff88800a48c8c0 ffff88800a486990 ffff88800a486990 raw: ffff888009ecc828 0000000000110009 00000000f5000000 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff888009ecc500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff888009ecc580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff888009ecc600: fc fc fc fc fc fc fc fc fc fc fc fa fb fb fb fb ^ ffff888009ecc680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff888009ecc700: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb ================================================================== ================================================================== BUG: KASAN: slab-use-after-free in fuse_uring_stop_list_entries+0x7e1/0x990 Read of size 8 at addr ffff888009ecc660 by task repro_minimal_u/152 CPU: 0 UID: 1000 PID: 152 Comm: repro_minimal_u Tainted: G B W 7.1.0-rc6 #1 PREEMPT(lazy) Tainted: [B]=BAD_PAGE, [W]=WARN Hardware name: QEMU Ubuntu 24.04 PC v2 (i440FX + PIIX, arch_caps fix, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 Call Trace: dump_stack_lvl+0x7b/0xa0 print_report+0xce/0x5f0 kasan_report+0xce/0x100 fuse_uring_stop_list_entries+0x7e1/0x990 fuse_uring_teardown_all_queues+0xb0/0x120 fuse_uring_stop_queues+0x1f/0x230 fuse_abort_conn+0xac7/0xd40 fuse_dev_release+0x3a3/0x4d0 __fput+0x38c/0xa70 fput_close_sync+0xfa/0x1f0 __x64_sys_close+0x87/0xf0 do_syscall_64+0x102/0x5a0 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7fb20617974c Code: 0f 05 48 3d 00 f0 ff ff 77 3c c3 0f 1f 00 55 48 89 e5 48 83 ec 10 89 7d fc e8 10 1e f8 ff 8b 7d fc 89 c2 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 2c 89 d7 89 45 fc e8 72 1e f8 ff 8b 45 fc c9 RSP: 002b:0000558c9601fe50 EFLAGS: 00000293 ORIG_RAX: 0000000000000003 RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fb20617974c RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003 RBP: 0000558c9601fe60 R08: 0000000000000000 R09: 00007fb206277000 R10: 0000000000000000 R11: 0000000000000293 R12: 0000558c95f04a10 R13: 0000000000006e2b R14: 0000000000006e5d R15: 0000558c9601feb0 Allocated by task 153 on cpu 0 at 28.466485s: kasan_save_stack+0x33/0x60 kasan_save_track+0x17/0x60 __kasan_slab_alloc+0x6e/0x70 kmem_cache_alloc_noprof+0xfd/0x380 fuse_request_alloc+0x22/0x200 fuse_get_req+0x295/0x8c0 __fuse_simple_request+0x9d/0xd40 fuse_send_open+0x1cc/0x270 fuse_file_open+0x2e4/0x810 fuse_do_open+0x50/0xc0 fuse_dir_open+0x10d/0x260 do_dentry_open+0x5cc/0x1340 vfs_open+0x79/0x390 path_openat+0x22f6/0x3bc0 do_file_open+0x219/0x470 do_sys_openat2+0xed/0x1b0 __x64_sys_openat+0x131/0x1e0 do_syscall_64+0x102/0x5a0 entry_SYSCALL_64_after_hwframe+0x77/0x7f Freed by task 153 on cpu 0 at 28.574662s: kasan_save_stack+0x33/0x60 kasan_save_track+0x17/0x60 kasan_save_free_info+0x3b/0x60 __kasan_slab_free+0x43/0x70 kmem_cache_free+0xba/0x3b0 fuse_put_request+0x190/0x2a0 __fuse_simple_request+0x4d0/0xd40 fuse_send_open+0x1cc/0x270 fuse_file_open+0x2e4/0x810 fuse_do_open+0x50/0xc0 fuse_dir_open+0x10d/0x260 do_dentry_open+0x5cc/0x1340 vfs_open+0x79/0x390 path_openat+0x22f6/0x3bc0 do_file_open+0x219/0x470 do_sys_openat2+0xed/0x1b0 __x64_sys_openat+0x131/0x1e0 do_syscall_64+0x102/0x5a0 entry_SYSCALL_64_after_hwframe+0x77/0x7f The buggy address belongs to the object at ffff888009ecc658 which belongs to the cache fuse_request of size 168 The buggy address is located 8 bytes inside of freed 168-byte region [ffff888009ecc658, ffff888009ecc700) The buggy address belongs to the physical page: page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff888009ecc828 pfn:0x9ecc flags: 0x100000000000200(workingset|node=0|zone=1) page_type: f5(slab) raw: 0100000000000200 ffff88800a48c8c0 ffff88800a486990 ffff88800a486990 raw: ffff888009ecc828 0000000000110009 00000000f5000000 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff888009ecc500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff888009ecc580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff888009ecc600: fc fc fc fc fc fc fc fc fc fc fc fa fb fb fb fb ^ ffff888009ecc680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff888009ecc700: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb ================================================================== ================================================================== BUG: KASAN: slab-use-after-free in fuse_uring_stop_list_entries+0x7c8/0x990 Write of size 8 at addr ffff88800c0c7908 by task repro_minimal_u/152 CPU: 0 UID: 1000 PID: 152 Comm: repro_minimal_u Tainted: G B W 7.1.0-rc6 #1 PREEMPT(lazy) Tainted: [B]=BAD_PAGE, [W]=WARN Hardware name: QEMU Ubuntu 24.04 PC v2 (i440FX + PIIX, arch_caps fix, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 Call Trace: dump_stack_lvl+0x7b/0xa0 print_report+0xce/0x5f0 kasan_report+0xce/0x100 fuse_uring_stop_list_entries+0x7c8/0x990 fuse_uring_teardown_all_queues+0xb0/0x120 fuse_uring_stop_queues+0x1f/0x230 fuse_abort_conn+0xac7/0xd40 fuse_dev_release+0x3a3/0x4d0 __fput+0x38c/0xa70 fput_close_sync+0xfa/0x1f0 __x64_sys_close+0x87/0xf0 do_syscall_64+0x102/0x5a0 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7fb20617974c Code: 0f 05 48 3d 00 f0 ff ff 77 3c c3 0f 1f 00 55 48 89 e5 48 83 ec 10 89 7d fc e8 10 1e f8 ff 8b 7d fc 89 c2 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 2c 89 d7 89 45 fc e8 72 1e f8 ff 8b 45 fc c9 RSP: 002b:0000558c9601fe50 EFLAGS: 00000293 ORIG_RAX: 0000000000000003 RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fb20617974c RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003 RBP: 0000558c9601fe60 R08: 0000000000000000 R09: 00007fb206277000 R10: 0000000000000000 R11: 0000000000000293 R12: 0000558c95f04a10 R13: 0000000000006e2b R14: 0000000000006e5d R15: 0000558c9601feb0 Allocated by task 153 on cpu 0 at 28.466479s: kasan_save_stack+0x33/0x60 kasan_save_track+0x17/0x60 __kasan_kmalloc+0x8f/0xa0 fuse_file_alloc+0xba/0x2c0 fuse_file_open+0x22d/0x810 fuse_do_open+0x50/0xc0 fuse_dir_open+0x10d/0x260 do_dentry_open+0x5cc/0x1340 vfs_open+0x79/0x390 path_openat+0x22f6/0x3bc0 do_file_open+0x219/0x470 do_sys_openat2+0xed/0x1b0 __x64_sys_openat+0x131/0x1e0 do_syscall_64+0x102/0x5a0 entry_SYSCALL_64_after_hwframe+0x77/0x7f Freed by task 153 on cpu 0 at 28.574668s: kasan_save_stack+0x33/0x60 kasan_save_track+0x17/0x60 kasan_save_free_info+0x3b/0x60 __kasan_slab_free+0x43/0x70 kfree+0x133/0x3a0 fuse_file_open+0x524/0x810 fuse_do_open+0x50/0xc0 fuse_dir_open+0x10d/0x260 do_dentry_open+0x5cc/0x1340 vfs_open+0x79/0x390 path_openat+0x22f6/0x3bc0 do_file_open+0x219/0x470 do_sys_openat2+0xed/0x1b0 __x64_sys_openat+0x131/0x1e0 do_syscall_64+0x102/0x5a0 entry_SYSCALL_64_after_hwframe+0x77/0x7f The buggy address belongs to the object at ffff88800c0c7900 which belongs to the cache kmalloc-192 of size 192 The buggy address is located 8 bytes inside of freed 192-byte region [ffff88800c0c7900, ffff88800c0c79c0) The buggy address belongs to the physical page: page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0xc0c7 flags: 0x100000000000000(node=0|zone=1) page_type: f5(slab) raw: 0100000000000000 ffff8880090413c0 dead000000000100 dead000000000122 raw: 0000000000000000 0000000000100010 00000000f5000000 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff88800c0c7800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff88800c0c7880: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc >ffff88800c0c7900: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff88800c0c7980: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc ffff88800c0c7a00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ================================================================== Oops: general protection fault, probably for non-canonical address 0xe03a7c15c0000013: 0000 [#1] SMP KASAN PTI KASAN: maybe wild-memory-access in range [0x01d400ae00000098-0x01d400ae0000009f] CPU: 0 UID: 1000 PID: 152 Comm: repro_minimal_u Tainted: G B W 7.1.0-rc6 #1 PREEMPT(lazy) Tainted: [B]=BAD_PAGE, [W]=WARN Hardware name: QEMU Ubuntu 24.04 PC v2 (i440FX + PIIX, arch_caps fix, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 RIP: 0010:fuse_uring_stop_list_entries+0x332/0x990 Code: 85 ca 04 00 00 48 8d 7e 08 49 8b 4d 08 49 89 f8 49 c1 e8 03 41 80 3c 28 00 0f 85 92 04 00 00 48 89 cf 48 89 4e 08 48 c1 ef 03 <80> 3c 2f 00 0f 85 5c 04 00 00 48 89 31 4c 89 e9 48 c1 e9 03 80 3c RSP: 0018:ffffc90000a5fb08 EFLAGS: 00010202 RAX: 0000000000000001 RBX: ffff888009f68c00 RCX: 01d400ae00000099 RDX: ffff888009e95000 RSI: ffff88800c0c7900 RDI: 003a8015c0000013 RBP: dffffc0000000000 R08: 0000000000000001 R09: fffffbfff11d1438 R10: ffffffff88e8a1c7 R11: 0000000000000001 R12: ffff88800c0c7b00 R13: ffff888009ecc658 R14: ffff888009f68c20 R15: ffffc90000a5fb50 FS: 00007fb206060800(0000) GS:ffff8880acde2000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fb20615ca10 CR3: 000000000dc18000 CR4: 00000000000006f0 Call Trace: fuse_uring_teardown_all_queues+0xb0/0x120 fuse_uring_stop_queues+0x1f/0x230 fuse_abort_conn+0xac7/0xd40 fuse_dev_release+0x3a3/0x4d0 __fput+0x38c/0xa70 fput_close_sync+0xfa/0x1f0 __x64_sys_close+0x87/0xf0 do_syscall_64+0x102/0x5a0 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7fb20617974c Code: 0f 05 48 3d 00 f0 ff ff 77 3c c3 0f 1f 00 55 48 89 e5 48 83 ec 10 89 7d fc e8 10 1e f8 ff 8b 7d fc 89 c2 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 2c 89 d7 89 45 fc e8 72 1e f8 ff 8b 45 fc c9 RSP: 002b:0000558c9601fe50 EFLAGS: 00000293 ORIG_RAX: 0000000000000003 RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fb20617974c RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003 RBP: 0000558c9601fe60 R08: 0000000000000000 R09: 00007fb206277000 R10: 0000000000000000 R11: 0000000000000293 R12: 0000558c95f04a10 R13: 0000000000006e2b R14: 0000000000006e5d R15: 0000558c9601feb0 Modules linked in: ---[ end trace 0000000000000000 ]--- RIP: 0010:fuse_uring_stop_list_entries+0x332/0x990 Code: 85 ca 04 00 00 48 8d 7e 08 49 8b 4d 08 49 89 f8 49 c1 e8 03 41 80 3c 28 00 0f 85 92 04 00 00 48 89 cf 48 89 4e 08 48 c1 ef 03 <80> 3c 2f 00 0f 85 5c 04 00 00 48 89 31 4c 89 e9 48 c1 e9 03 80 3c RSP: 0018:ffffc90000a5fb08 EFLAGS: 00010202 RAX: 0000000000000001 RBX: ffff888009f68c00 RCX: 01d400ae00000099 RDX: ffff888009e95000 RSI: ffff88800c0c7900 RDI: 003a8015c0000013 RBP: dffffc0000000000 R08: 0000000000000001 R09: fffffbfff11d1438 R10: ffffffff88e8a1c7 R11: 0000000000000001 R12: ffff88800c0c7b00 R13: ffff888009ecc658 R14: ffff888009f68c20 R15: ffffc90000a5fb50 FS: 00007fb206060800(0000) GS:ffff8880acde2000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fb20615ca10 CR3: 000000000dc18000 CR4: 00000000000006f0 ---------------- Code disassembly (best guess): 0: 85 ca test %ecx,%edx 2: 04 00 add $0x0,%al 4: 00 48 8d add %cl,-0x73(%rax) 7: 7e 08 jle 0x11 9: 49 8b 4d 08 mov 0x8(%r13),%rcx d: 49 89 f8 mov %rdi,%r8 10: 49 c1 e8 03 shr $0x3,%r8 14: 41 80 3c 28 00 cmpb $0x0,(%r8,%rbp,1) 19: 0f 85 92 04 00 00 jne 0x4b1 1f: 48 89 cf mov %rcx,%rdi 22: 48 89 4e 08 mov %rcx,0x8(%rsi) 26: 48 c1 ef 03 shr $0x3,%rdi * 2a: 80 3c 2f 00 cmpb $0x0,(%rdi,%rbp,1) <-- trapping instruction 2e: 0f 85 5c 04 00 00 jne 0x490 34: 48 89 31 mov %rsi,(%rcx) 37: 4c 89 e9 mov %r13,%rcx 3a: 48 c1 e9 03 shr $0x3,%rcx 3e: 80 .byte 0x80 3f: 3c .byte 0x3c TITLE: KASAN: slab-use-after-free Read in fuse_uring_stop_list_entries CORRUPTED: false () SUPPRESSED: false MAINTAINERS (TO): [] MAINTAINERS (CC): [] ^ ffff888009ecc700: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb ffff888009ecc780: fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc ================================================================== ================================================================== BUG: KASAN: slab-use-after-free in fuse_uring_stop_list_entries+0x786/0x990 Read of size 8 at addr ffff888009ecc658 by task repro_minimal_u/152 CPU: 0 UID: 1000 PID: 152 Comm: repro_minimal_u Tainted: G B W 7.1.0-rc6 #1 PREEMPT(lazy) Tainted: [B]=BAD_PAGE, [W]=WARN Hardware name: QEMU Ubuntu 24.04 PC v2 (i440FX + PIIX, arch_caps fix, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 Call Trace: dump_stack_lvl+0x7b/0xa0 print_report+0xce/0x5f0 kasan_report+0xce/0x100 fuse_uring_stop_list_entries+0x786/0x990 fuse_uring_teardown_all_queues+0xb0/0x120 fuse_uring_stop_queues+0x1f/0x230 fuse_abort_conn+0xac7/0xd40 fuse_dev_release+0x3a3/0x4d0 __fput+0x38c/0xa70 fput_close_sync+0xfa/0x1f0 __x64_sys_close+0x87/0xf0 do_syscall_64+0x102/0x5a0 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7fb20617974c Code: 0f 05 48 3d 00 f0 ff ff 77 3c c3 0f 1f 00 55 48 89 e5 48 83 ec 10 89 7d fc e8 10 1e f8 ff 8b 7d fc 89 c2 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 2c 89 d7 89 45 fc e8 72 1e f8 ff 8b 45 fc c9 RSP: 002b:0000558c9601fe50 EFLAGS: 00000293 ORIG_RAX: 0000000000000003 RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fb20617974c RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003 RBP: 0000558c9601fe60 R08: 0000000000000000 R09: 00007fb206277000 R10: 0000000000000000 R11: 0000000000000293 R12: 0000558c95f04a10 R13: 0000000000006e2b R14: 0000000000006e5d R15: 0000558c9601feb0 Allocated by task 153 on cpu 0 at 28.466485s: kasan_save_stack+0x33/0x60 kasan_save_track+0x17/0x60 __kasan_slab_alloc+0x6e/0x70 kmem_cache_alloc_noprof+0xfd/0x380 fuse_request_alloc+0x22/0x200 fuse_get_req+0x295/0x8c0 __fuse_simple_request+0x9d/0xd40 fuse_send_open+0x1cc/0x270 fuse_file_open+0x2e4/0x810 fuse_do_open+0x50/0xc0 fuse_dir_open+0x10d/0x260 do_dentry_open+0x5cc/0x1340 vfs_open+0x79/0x390 path_openat+0x22f6/0x3bc0 do_file_open+0x219/0x470 do_sys_openat2+0xed/0x1b0 __x64_sys_openat+0x131/0x1e0 do_syscall_64+0x102/0x5a0 entry_SYSCALL_64_after_hwframe+0x77/0x7f Freed by task 153 on cpu 0 at 28.574662s: kasan_save_stack+0x33/0x60 kasan_save_track+0x17/0x60 kasan_save_free_info+0x3b/0x60 __kasan_slab_free+0x43/0x70 kmem_cache_free+0xba/0x3b0 fuse_put_request+0x190/0x2a0 __fuse_simple_request+0x4d0/0xd40 fuse_send_open+0x1cc/0x270 fuse_file_open+0x2e4/0x810 fuse_do_open+0x50/0xc0 fuse_dir_open+0x10d/0x260 do_dentry_open+0x5cc/0x1340 vfs_open+0x79/0x390 path_openat+0x22f6/0x3bc0 do_file_open+0x219/0x470 do_sys_openat2+0xed/0x1b0 __x64_sys_openat+0x131/0x1e0 do_syscall_64+0x102/0x5a0 entry_SYSCALL_64_after_hwframe+0x77/0x7f The buggy address belongs to the object at ffff888009ecc658 which belongs to the cache fuse_request of size 168 The buggy address is located 0 bytes inside of freed 168-byte region [ffff888009ecc658, ffff888009ecc700) The buggy address belongs to the physical page: page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff888009ecc828 pfn:0x9ecc flags: 0x100000000000200(workingset|node=0|zone=1) page_type: f5(slab) raw: 0100000000000200 ffff88800a48c8c0 ffff88800a486990 ffff88800a486990 raw: ffff888009ecc828 0000000000110009 00000000f5000000 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff888009ecc500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff888009ecc580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff888009ecc600: fc fc fc fc fc fc fc fc fc fc fc fa fb fb fb fb ^ ffff888009ecc680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff888009ecc700: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb ================================================================== ================================================================== BUG: KASAN: slab-use-after-free in fuse_uring_stop_list_entries+0x7e1/0x990 Read of size 8 at addr ffff888009ecc660 by task repro_minimal_u/152 CPU: 0 UID: 1000 PID: 152 Comm: repro_minimal_u Tainted: G B W 7.1.0-rc6 #1 PREEMPT(lazy) Tainted: [B]=BAD_PAGE, [W]=WARN Hardware name: QEMU Ubuntu 24.04 PC v2 (i440FX + PIIX, arch_caps fix, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 Call Trace: dump_stack_lvl+0x7b/0xa0 print_report+0xce/0x5f0 kasan_report+0xce/0x100 fuse_uring_stop_list_entries+0x7e1/0x990 fuse_uring_teardown_all_queues+0xb0/0x120 fuse_uring_stop_queues+0x1f/0x230 fuse_abort_conn+0xac7/0xd40 fuse_dev_release+0x3a3/0x4d0 __fput+0x38c/0xa70 fput_close_sync+0xfa/0x1f0 __x64_sys_close+0x87/0xf0 do_syscall_64+0x102/0x5a0 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7fb20617974c Code: 0f 05 48 3d 00 f0 ff ff 77 3c c3 0f 1f 00 55 48 89 e5 48 83 ec 10 89 7d fc e8 10 1e f8 ff 8b 7d fc 89 c2 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 2c 89 d7 89 45 fc e8 72 1e f8 ff 8b 45 fc c9 RSP: 002b:0000558c9601fe50 EFLAGS: 00000293 ORIG_RAX: 0000000000000003 RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fb20617974c RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003 RBP: 0000558c9601fe60 R08: 0000000000000000 R09: 00007fb206277000 R10: 0000000000000000 R11: 0000000000000293 R12: 0000558c95f04a10 R13: 0000000000006e2b R14: 0000000000006e5d R15: 0000558c9601feb0 Allocated by task 153 on cpu 0 at 28.466485s: kasan_save_stack+0x33/0x60 kasan_save_track+0x17/0x60 __kasan_slab_alloc+0x6e/0x70 kmem_cache_alloc_noprof+0xfd/0x380 fuse_request_alloc+0x22/0x200 fuse_get_req+0x295/0x8c0 __fuse_simple_request+0x9d/0xd40 fuse_send_open+0x1cc/0x270 fuse_file_open+0x2e4/0x810 fuse_do_open+0x50/0xc0 fuse_dir_open+0x10d/0x260 do_dentry_open+0x5cc/0x1340 vfs_open+0x79/0x390 path_openat+0x22f6/0x3bc0 do_file_open+0x219/0x470 do_sys_openat2+0xed/0x1b0 __x64_sys_openat+0x131/0x1e0 do_syscall_64+0x102/0x5a0 entry_SYSCALL_64_after_hwframe+0x77/0x7f Freed by task 153 on cpu 0 at 28.574662s: kasan_save_stack+0x33/0x60 kasan_save_track+0x17/0x60 kasan_save_free_info+0x3b/0x60 __kasan_slab_free+0x43/0x70 kmem_cache_free+0xba/0x3b0 fuse_put_request+0x190/0x2a0 __fuse_simple_request+0x4d0/0xd40 fuse_send_open+0x1cc/0x270 fuse_file_open+0x2e4/0x810 fuse_do_open+0x50/0xc0 fuse_dir_open+0x10d/0x260 do_dentry_open+0x5cc/0x1340 vfs_open+0x79/0x390 path_openat+0x22f6/0x3bc0 do_file_open+0x219/0x470 do_sys_openat2+0xed/0x1b0 __x64_sys_openat+0x131/0x1e0 do_syscall_64+0x102/0x5a0 entry_SYSCALL_64_after_hwframe+0x77/0x7f The buggy address belongs to the object at ffff888009ecc658 which belongs to the cache fuse_request of size 168 The buggy address is located 8 bytes inside of freed 168-byte region [ffff888009ecc658, ffff888009ecc700) The buggy address belongs to the physical page: page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff888009ecc828 pfn:0x9ecc flags: 0x100000000000200(workingset|node=0|zone=1) page_type: f5(slab) raw: 0100000000000200 ffff88800a48c8c0 ffff88800a486990 ffff88800a486990 raw: ffff888009ecc828 0000000000110009 00000000f5000000 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff888009ecc500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff888009ecc580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff888009ecc600: fc fc fc fc fc fc fc fc fc fc fc fa fb fb fb fb ^ ffff888009ecc680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff888009ecc700: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb ================================================================== ================================================================== BUG: KASAN: slab-use-after-free in fuse_uring_stop_list_entries+0x7c8/0x990 Write of size 8 at addr ffff88800c0c7908 by task repro_minimal_u/152 CPU: 0 UID: 1000 PID: 152 Comm: repro_minimal_u Tainted: G B W 7.1.0-rc6 #1 PREEMPT(lazy) Tainted: [B]=BAD_PAGE, [W]=WARN Hardware name: QEMU Ubuntu 24.04 PC v2 (i440FX + PIIX, arch_caps fix, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 Call Trace: dump_stack_lvl+0x7b/0xa0 print_report+0xce/0x5f0 kasan_report+0xce/0x100 fuse_uring_stop_list_entries+0x7c8/0x990 fuse_uring_teardown_all_queues+0xb0/0x120 fuse_uring_stop_queues+0x1f/0x230 fuse_abort_conn+0xac7/0xd40 fuse_dev_release+0x3a3/0x4d0 __fput+0x38c/0xa70 fput_close_sync+0xfa/0x1f0 __x64_sys_close+0x87/0xf0 do_syscall_64+0x102/0x5a0 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7fb20617974c Code: 0f 05 48 3d 00 f0 ff ff 77 3c c3 0f 1f 00 55 48 89 e5 48 83 ec 10 89 7d fc e8 10 1e f8 ff 8b 7d fc 89 c2 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 2c 89 d7 89 45 fc e8 72 1e f8 ff 8b 45 fc c9 RSP: 002b:0000558c9601fe50 EFLAGS: 00000293 ORIG_RAX: 0000000000000003 RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fb20617974c RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003 RBP: 0000558c9601fe60 R08: 0000000000000000 R09: 00007fb206277000 R10: 0000000000000000 R11: 0000000000000293 R12: 0000558c95f04a10 R13: 0000000000006e2b R14: 0000000000006e5d R15: 0000558c9601feb0 Allocated by task 153 on cpu 0 at 28.466479s: kasan_save_stack+0x33/0x60 kasan_save_track+0x17/0x60 __kasan_kmalloc+0x8f/0xa0 fuse_file_alloc+0xba/0x2c0 fuse_file_open+0x22d/0x810 fuse_do_open+0x50/0xc0 fuse_dir_open+0x10d/0x260 do_dentry_open+0x5cc/0x1340 vfs_open+0x79/0x390 path_openat+0x22f6/0x3bc0 do_file_open+0x219/0x470 do_sys_openat2+0xed/0x1b0 __x64_sys_openat+0x131/0x1e0 do_syscall_64+0x102/0x5a0 entry_SYSCALL_64_after_hwframe+0x77/0x7f Freed by task 153 on cpu 0 at 28.574668s: kasan_save_stack+0x33/0x60 kasan_save_track+0x17/0x60 kasan_save_free_info+0x3b/0x60 __kasan_slab_free+0x43/0x70 kfree+0x133/0x3a0 fuse_file_open+0x524/0x810 fuse_do_open+0x50/0xc0 fuse_dir_open+0x10d/0x260 do_dentry_open+0x5cc/0x1340 vfs_open+0x79/0x390 path_openat+0x22f6/0x3bc0 do_file_open+0x219/0x470 do_sys_openat2+0xed/0x1b0 __x64_sys_openat+0x131/0x1e0 do_syscall_64+0x102/0x5a0 entry_SYSCALL_64_after_hwframe+0x77/0x7f The buggy address belongs to the object at ffff88800c0c7900 which belongs to the cache kmalloc-192 of size 192 The buggy address is located 8 bytes inside of freed 192-byte region [ffff88800c0c7900, ffff88800c0c79c0) The buggy address belongs to the physical page: page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0xc0c7 flags: 0x100000000000000(node=0|zone=1) page_type: f5(slab) raw: 0100000000000000 ffff8880090413c0 dead000000000100 dead000000000122 raw: 0000000000000000 0000000000100010 00000000f5000000 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff88800c0c7800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff88800c0c7880: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc >ffff88800c0c7900: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff88800c0c7980: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc ffff88800c0c7a00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ================================================================== Oops: general protection fault, probably for non-canonical address 0xe03a7c15c0000013: 0000 [#1] SMP KASAN PTI KASAN: maybe wild-memory-access in range [0x01d400ae00000098-0x01d400ae0000009f] CPU: 0 UID: 1000 PID: 152 Comm: repro_minimal_u Tainted: G B W 7.1.0-rc6 #1 PREEMPT(lazy) Tainted: [B]=BAD_PAGE, [W]=WARN Hardware name: QEMU Ubuntu 24.04 PC v2 (i440FX + PIIX, arch_caps fix, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 RIP: 0010:fuse_uring_stop_list_entries+0x332/0x990 Code: 85 ca 04 00 00 48 8d 7e 08 49 8b 4d 08 49 89 f8 49 c1 e8 03 41 80 3c 28 00 0f 85 92 04 00 00 48 89 cf 48 89 4e 08 48 c1 ef 03 <80> 3c 2f 00 0f 85 5c 04 00 00 48 89 31 4c 89 e9 48 c1 e9 03 80 3c RSP: 0018:ffffc90000a5fb08 EFLAGS: 00010202 RAX: 0000000000000001 RBX: ffff888009f68c00 RCX: 01d400ae00000099 RDX: ffff888009e95000 RSI: ffff88800c0c7900 RDI: 003a8015c0000013 RBP: dffffc0000000000 R08: 0000000000000001 R09: fffffbfff11d1438 R10: ffffffff88e8a1c7 R11: 0000000000000001 R12: ffff88800c0c7b00 R13: ffff888009ecc658 R14: ffff888009f68c20 R15: ffffc90000a5fb50 FS: 00007fb206060800(0000) GS:ffff8880acde2000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fb20615ca10 CR3: 000000000dc18000 CR4: 00000000000006f0 Call Trace: fuse_uring_teardown_all_queues+0xb0/0x120 fuse_uring_stop_queues+0x1f/0x230 fuse_abort_conn+0xac7/0xd40 fuse_dev_release+0x3a3/0x4d0 __fput+0x38c/0xa70 fput_close_sync+0xfa/0x1f0 __x64_sys_close+0x87/0xf0 do_syscall_64+0x102/0x5a0 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7fb20617974c Code: 0f 05 48 3d 00 f0 ff ff 77 3c c3 0f 1f 00 55 48 89 e5 48 83 ec 10 89 7d fc e8 10 1e f8 ff 8b 7d fc 89 c2 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 2c 89 d7 89 45 fc e8 72 1e f8 ff 8b 45 fc c9 RSP: 002b:0000558c9601fe50 EFLAGS: 00000293 ORIG_RAX: 0000000000000003 RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fb20617974c RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003 RBP: 0000558c9601fe60 R08: 0000000000000000 R09: 00007fb206277000 R10: 0000000000000000 R11: 0000000000000293 R12: 0000558c95f04a10 R13: 0000000000006e2b R14: 0000000000006e5d R15: 0000558c9601feb0 Modules linked in: ---[ end trace 0000000000000000 ]--- RIP: 0010:fuse_uring_stop_list_entries+0x332/0x990 Code: 85 ca 04 00 00 48 8d 7e 08 49 8b 4d 08 49 89 f8 49 c1 e8 03 41 80 3c 28 00 0f 85 92 04 00 00 48 89 cf 48 89 4e 08 48 c1 ef 03 <80> 3c 2f 00 0f 85 5c 04 00 00 48 89 31 4c 89 e9 48 c1 e9 03 80 3c RSP: 0018:ffffc90000a5fb08 EFLAGS: 00010202 RAX: 0000000000000001 RBX: ffff888009f68c00 RCX: 01d400ae00000099 RDX: ffff888009e95000 RSI: ffff88800c0c7900 RDI: 003a8015c0000013 RBP: dffffc0000000000 R08: 0000000000000001 R09: fffffbfff11d1438 R10: ffffffff88e8a1c7 R11: 0000000000000001 R12: ffff88800c0c7b00 R13: ffff888009ecc658 R14: ffff888009f68c20 R15: ffffc90000a5fb50 FS: 00007fb206060800(0000) GS:ffff8880acde2000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fb20615ca10 CR3: 000000000dc18000 CR4: 00000000000006f0 ---------------- Code disassembly (best guess): 0: 85 ca test %ecx,%edx 2: 04 00 add $0x0,%al 4: 00 48 8d add %cl,-0x73(%rax) 7: 7e 08 jle 0x11 9: 49 8b 4d 08 mov 0x8(%r13),%rcx d: 49 89 f8 mov %rdi,%r8 10: 49 c1 e8 03 shr $0x3,%r8 14: 41 80 3c 28 00 cmpb $0x0,(%r8,%rbp,1) 19: 0f 85 92 04 00 00 jne 0x4b1 1f: 48 89 cf mov %rcx,%rdi 22: 48 89 4e 08 mov %rcx,0x8(%rsi) 26: 48 c1 ef 03 shr $0x3,%rdi * 2a: 80 3c 2f 00 cmpb $0x0,(%rdi,%rbp,1) <-- trapping instruction 2e: 0f 85 5c 04 00 00 jne 0x490 34: 48 89 31 mov %rsi,(%rcx) 37: 4c 89 e9 mov %r13,%rcx 3a: 48 c1 e9 03 shr $0x3,%rcx 3e: 80 .byte 0x80 3f: 3c .byte 0x3c TITLE: KASAN: slab-use-after-free Read in fuse_uring_stop_list_entries CORRUPTED: false () SUPPRESSED: false MAINTAINERS (TO): [] MAINTAINERS (CC): [] ^ ffff888009ecc680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff888009ecc700: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb ================================================================== ================================================================== BUG: KASAN: slab-use-after-free in fuse_uring_stop_list_entries+0x7e1/0x990 Read of size 8 at addr ffff888009ecc660 by task repro_minimal_u/152 CPU: 0 UID: 1000 PID: 152 Comm: repro_minimal_u Tainted: G B W 7.1.0-rc6 #1 PREEMPT(lazy) Tainted: [B]=BAD_PAGE, [W]=WARN Hardware name: QEMU Ubuntu 24.04 PC v2 (i440FX + PIIX, arch_caps fix, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 Call Trace: dump_stack_lvl+0x7b/0xa0 print_report+0xce/0x5f0 kasan_report+0xce/0x100 fuse_uring_stop_list_entries+0x7e1/0x990 fuse_uring_teardown_all_queues+0xb0/0x120 fuse_uring_stop_queues+0x1f/0x230 fuse_abort_conn+0xac7/0xd40 fuse_dev_release+0x3a3/0x4d0 __fput+0x38c/0xa70 fput_close_sync+0xfa/0x1f0 __x64_sys_close+0x87/0xf0 do_syscall_64+0x102/0x5a0 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7fb20617974c Code: 0f 05 48 3d 00 f0 ff ff 77 3c c3 0f 1f 00 55 48 89 e5 48 83 ec 10 89 7d fc e8 10 1e f8 ff 8b 7d fc 89 c2 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 2c 89 d7 89 45 fc e8 72 1e f8 ff 8b 45 fc c9 RSP: 002b:0000558c9601fe50 EFLAGS: 00000293 ORIG_RAX: 0000000000000003 RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fb20617974c RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003 RBP: 0000558c9601fe60 R08: 0000000000000000 R09: 00007fb206277000 R10: 0000000000000000 R11: 0000000000000293 R12: 0000558c95f04a10 R13: 0000000000006e2b R14: 0000000000006e5d R15: 0000558c9601feb0 Allocated by task 153 on cpu 0 at 28.466485s: kasan_save_stack+0x33/0x60 kasan_save_track+0x17/0x60 __kasan_slab_alloc+0x6e/0x70 kmem_cache_alloc_noprof+0xfd/0x380 fuse_request_alloc+0x22/0x200 fuse_get_req+0x295/0x8c0 __fuse_simple_request+0x9d/0xd40 fuse_send_open+0x1cc/0x270 fuse_file_open+0x2e4/0x810 fuse_do_open+0x50/0xc0 fuse_dir_open+0x10d/0x260 do_dentry_open+0x5cc/0x1340 vfs_open+0x79/0x390 path_openat+0x22f6/0x3bc0 do_file_open+0x219/0x470 do_sys_openat2+0xed/0x1b0 __x64_sys_openat+0x131/0x1e0 do_syscall_64+0x102/0x5a0 entry_SYSCALL_64_after_hwframe+0x77/0x7f Freed by task 153 on cpu 0 at 28.574662s: kasan_save_stack+0x33/0x60 kasan_save_track+0x17/0x60 kasan_save_free_info+0x3b/0x60 __kasan_slab_free+0x43/0x70 kmem_cache_free+0xba/0x3b0 fuse_put_request+0x190/0x2a0 __fuse_simple_request+0x4d0/0xd40 fuse_send_open+0x1cc/0x270 fuse_file_open+0x2e4/0x810 fuse_do_open+0x50/0xc0 fuse_dir_open+0x10d/0x260 do_dentry_open+0x5cc/0x1340 vfs_open+0x79/0x390 path_openat+0x22f6/0x3bc0 do_file_open+0x219/0x470 do_sys_openat2+0xed/0x1b0 __x64_sys_openat+0x131/0x1e0 do_syscall_64+0x102/0x5a0 entry_SYSCALL_64_after_hwframe+0x77/0x7f The buggy address belongs to the object at ffff888009ecc658 which belongs to the cache fuse_request of size 168 The buggy address is located 8 bytes inside of freed 168-byte region [ffff888009ecc658, ffff888009ecc700) The buggy address belongs to the physical page: page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff888009ecc828 pfn:0x9ecc flags: 0x100000000000200(workingset|node=0|zone=1) page_type: f5(slab) raw: 0100000000000200 ffff88800a48c8c0 ffff88800a486990 ffff88800a486990 raw: ffff888009ecc828 0000000000110009 00000000f5000000 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff888009ecc500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff888009ecc580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff888009ecc600: fc fc fc fc fc fc fc fc fc fc fc fa fb fb fb fb ^ ffff888009ecc680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff888009ecc700: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb ================================================================== ================================================================== BUG: KASAN: slab-use-after-free in fuse_uring_stop_list_entries+0x7c8/0x990 Write of size 8 at addr ffff88800c0c7908 by task repro_minimal_u/152 CPU: 0 UID: 1000 PID: 152 Comm: repro_minimal_u Tainted: G B W 7.1.0-rc6 #1 PREEMPT(lazy) Tainted: [B]=BAD_PAGE, [W]=WARN Hardware name: QEMU Ubuntu 24.04 PC v2 (i440FX + PIIX, arch_caps fix, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 Call Trace: dump_stack_lvl+0x7b/0xa0 print_report+0xce/0x5f0 kasan_report+0xce/0x100 fuse_uring_stop_list_entries+0x7c8/0x990 fuse_uring_teardown_all_queues+0xb0/0x120 fuse_uring_stop_queues+0x1f/0x230 fuse_abort_conn+0xac7/0xd40 fuse_dev_release+0x3a3/0x4d0 __fput+0x38c/0xa70 fput_close_sync+0xfa/0x1f0 __x64_sys_close+0x87/0xf0 do_syscall_64+0x102/0x5a0 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7fb20617974c Code: 0f 05 48 3d 00 f0 ff ff 77 3c c3 0f 1f 00 55 48 89 e5 48 83 ec 10 89 7d fc e8 10 1e f8 ff 8b 7d fc 89 c2 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 2c 89 d7 89 45 fc e8 72 1e f8 ff 8b 45 fc c9 RSP: 002b:0000558c9601fe50 EFLAGS: 00000293 ORIG_RAX: 0000000000000003 RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fb20617974c RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003 RBP: 0000558c9601fe60 R08: 0000000000000000 R09: 00007fb206277000 R10: 0000000000000000 R11: 0000000000000293 R12: 0000558c95f04a10 R13: 0000000000006e2b R14: 0000000000006e5d R15: 0000558c9601feb0 Allocated by task 153 on cpu 0 at 28.466479s: kasan_save_stack+0x33/0x60 kasan_save_track+0x17/0x60 __kasan_kmalloc+0x8f/0xa0 fuse_file_alloc+0xba/0x2c0 fuse_file_open+0x22d/0x810 fuse_do_open+0x50/0xc0 fuse_dir_open+0x10d/0x260 do_dentry_open+0x5cc/0x1340 vfs_open+0x79/0x390 path_openat+0x22f6/0x3bc0 do_file_open+0x219/0x470 do_sys_openat2+0xed/0x1b0 __x64_sys_openat+0x131/0x1e0 do_syscall_64+0x102/0x5a0 entry_SYSCALL_64_after_hwframe+0x77/0x7f Freed by task 153 on cpu 0 at 28.574668s: kasan_save_stack+0x33/0x60 kasan_save_track+0x17/0x60 kasan_save_free_info+0x3b/0x60 __kasan_slab_free+0x43/0x70 kfree+0x133/0x3a0 fuse_file_open+0x524/0x810 fuse_do_open+0x50/0xc0 fuse_dir_open+0x10d/0x260 do_dentry_open+0x5cc/0x1340 vfs_open+0x79/0x390 path_openat+0x22f6/0x3bc0 do_file_open+0x219/0x470 do_sys_openat2+0xed/0x1b0 __x64_sys_openat+0x131/0x1e0 do_syscall_64+0x102/0x5a0 entry_SYSCALL_64_after_hwframe+0x77/0x7f The buggy address belongs to the object at ffff88800c0c7900 which belongs to the cache kmalloc-192 of size 192 The buggy address is located 8 bytes inside of freed 192-byte region [ffff88800c0c7900, ffff88800c0c79c0) The buggy address belongs to the physical page: page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0xc0c7 flags: 0x100000000000000(node=0|zone=1) page_type: f5(slab) raw: 0100000000000000 ffff8880090413c0 dead000000000100 dead000000000122 raw: 0000000000000000 0000000000100010 00000000f5000000 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff88800c0c7800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff88800c0c7880: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc >ffff88800c0c7900: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff88800c0c7980: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc ffff88800c0c7a00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ================================================================== Oops: general protection fault, probably for non-canonical address 0xe03a7c15c0000013: 0000 [#1] SMP KASAN PTI KASAN: maybe wild-memory-access in range [0x01d400ae00000098-0x01d400ae0000009f] CPU: 0 UID: 1000 PID: 152 Comm: repro_minimal_u Tainted: G B W 7.1.0-rc6 #1 PREEMPT(lazy) Tainted: [B]=BAD_PAGE, [W]=WARN Hardware name: QEMU Ubuntu 24.04 PC v2 (i440FX + PIIX, arch_caps fix, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 RIP: 0010:fuse_uring_stop_list_entries+0x332/0x990 Code: 85 ca 04 00 00 48 8d 7e 08 49 8b 4d 08 49 89 f8 49 c1 e8 03 41 80 3c 28 00 0f 85 92 04 00 00 48 89 cf 48 89 4e 08 48 c1 ef 03 <80> 3c 2f 00 0f 85 5c 04 00 00 48 89 31 4c 89 e9 48 c1 e9 03 80 3c RSP: 0018:ffffc90000a5fb08 EFLAGS: 00010202 RAX: 0000000000000001 RBX: ffff888009f68c00 RCX: 01d400ae00000099 RDX: ffff888009e95000 RSI: ffff88800c0c7900 RDI: 003a8015c0000013 RBP: dffffc0000000000 R08: 0000000000000001 R09: fffffbfff11d1438 R10: ffffffff88e8a1c7 R11: 0000000000000001 R12: ffff88800c0c7b00 R13: ffff888009ecc658 R14: ffff888009f68c20 R15: ffffc90000a5fb50 FS: 00007fb206060800(0000) GS:ffff8880acde2000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fb20615ca10 CR3: 000000000dc18000 CR4: 00000000000006f0 Call Trace: fuse_uring_teardown_all_queues+0xb0/0x120 fuse_uring_stop_queues+0x1f/0x230 fuse_abort_conn+0xac7/0xd40 fuse_dev_release+0x3a3/0x4d0 __fput+0x38c/0xa70 fput_close_sync+0xfa/0x1f0 __x64_sys_close+0x87/0xf0 do_syscall_64+0x102/0x5a0 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7fb20617974c Code: 0f 05 48 3d 00 f0 ff ff 77 3c c3 0f 1f 00 55 48 89 e5 48 83 ec 10 89 7d fc e8 10 1e f8 ff 8b 7d fc 89 c2 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 2c 89 d7 89 45 fc e8 72 1e f8 ff 8b 45 fc c9 RSP: 002b:0000558c9601fe50 EFLAGS: 00000293 ORIG_RAX: 0000000000000003 RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fb20617974c RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003 RBP: 0000558c9601fe60 R08: 0000000000000000 R09: 00007fb206277000 R10: 0000000000000000 R11: 0000000000000293 R12: 0000558c95f04a10 R13: 0000000000006e2b R14: 0000000000006e5d R15: 0000558c9601feb0 Modules linked in: ---[ end trace 0000000000000000 ]--- RIP: 0010:fuse_uring_stop_list_entries+0x332/0x990 Code: 85 ca 04 00 00 48 8d 7e 08 49 8b 4d 08 49 89 f8 49 c1 e8 03 41 80 3c 28 00 0f 85 92 04 00 00 48 89 cf 48 89 4e 08 48 c1 ef 03 <80> 3c 2f 00 0f 85 5c 04 00 00 48 89 31 4c 89 e9 48 c1 e9 03 80 3c RSP: 0018:ffffc90000a5fb08 EFLAGS: 00010202 RAX: 0000000000000001 RBX: ffff888009f68c00 RCX: 01d400ae00000099 RDX: ffff888009e95000 RSI: ffff88800c0c7900 RDI: 003a8015c0000013 RBP: dffffc0000000000 R08: 0000000000000001 R09: fffffbfff11d1438 R10: ffffffff88e8a1c7 R11: 0000000000000001 R12: ffff88800c0c7b00 R13: ffff888009ecc658 R14: ffff888009f68c20 R15: ffffc90000a5fb50 FS: 00007fb206060800(0000) GS:ffff8880acde2000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fb20615ca10 CR3: 000000000dc18000 CR4: 00000000000006f0 ---------------- Code disassembly (best guess): 0: 85 ca test %ecx,%edx 2: 04 00 add $0x0,%al 4: 00 48 8d add %cl,-0x73(%rax) 7: 7e 08 jle 0x11 9: 49 8b 4d 08 mov 0x8(%r13),%rcx d: 49 89 f8 mov %rdi,%r8 10: 49 c1 e8 03 shr $0x3,%r8 14: 41 80 3c 28 00 cmpb $0x0,(%r8,%rbp,1) 19: 0f 85 92 04 00 00 jne 0x4b1 1f: 48 89 cf mov %rcx,%rdi 22: 48 89 4e 08 mov %rcx,0x8(%rsi) 26: 48 c1 ef 03 shr $0x3,%rdi * 2a: 80 3c 2f 00 cmpb $0x0,(%rdi,%rbp,1) <-- trapping instruction 2e: 0f 85 5c 04 00 00 jne 0x490 34: 48 89 31 mov %rsi,(%rcx) 37: 4c 89 e9 mov %r13,%rcx 3a: 48 c1 e9 03 shr $0x3,%rcx 3e: 80 .byte 0x80 3f: 3c .byte 0x3c TITLE: KASAN: slab-use-after-free Write in fuse_uring_stop_list_entries CORRUPTED: false () SUPPRESSED: false MAINTAINERS (TO): [] MAINTAINERS (CC): [] ^ ffff888009ecc680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff888009ecc700: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb ================================================================== ================================================================== BUG: KASAN: slab-use-after-free in fuse_uring_stop_list_entries+0x7c8/0x990 Write of size 8 at addr ffff88800c0c7908 by task repro_minimal_u/152 CPU: 0 UID: 1000 PID: 152 Comm: repro_minimal_u Tainted: G B W 7.1.0-rc6 #1 PREEMPT(lazy) Tainted: [B]=BAD_PAGE, [W]=WARN Hardware name: QEMU Ubuntu 24.04 PC v2 (i440FX + PIIX, arch_caps fix, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 Call Trace: dump_stack_lvl+0x7b/0xa0 print_report+0xce/0x5f0 kasan_report+0xce/0x100 fuse_uring_stop_list_entries+0x7c8/0x990 fuse_uring_teardown_all_queues+0xb0/0x120 fuse_uring_stop_queues+0x1f/0x230 fuse_abort_conn+0xac7/0xd40 fuse_dev_release+0x3a3/0x4d0 __fput+0x38c/0xa70 fput_close_sync+0xfa/0x1f0 __x64_sys_close+0x87/0xf0 do_syscall_64+0x102/0x5a0 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7fb20617974c Code: 0f 05 48 3d 00 f0 ff ff 77 3c c3 0f 1f 00 55 48 89 e5 48 83 ec 10 89 7d fc e8 10 1e f8 ff 8b 7d fc 89 c2 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 2c 89 d7 89 45 fc e8 72 1e f8 ff 8b 45 fc c9 RSP: 002b:0000558c9601fe50 EFLAGS: 00000293 ORIG_RAX: 0000000000000003 RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fb20617974c RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003 RBP: 0000558c9601fe60 R08: 0000000000000000 R09: 00007fb206277000 R10: 0000000000000000 R11: 0000000000000293 R12: 0000558c95f04a10 R13: 0000000000006e2b R14: 0000000000006e5d R15: 0000558c9601feb0 Allocated by task 153 on cpu 0 at 28.466479s: kasan_save_stack+0x33/0x60 kasan_save_track+0x17/0x60 __kasan_kmalloc+0x8f/0xa0 fuse_file_alloc+0xba/0x2c0 fuse_file_open+0x22d/0x810 fuse_do_open+0x50/0xc0 fuse_dir_open+0x10d/0x260 do_dentry_open+0x5cc/0x1340 vfs_open+0x79/0x390 path_openat+0x22f6/0x3bc0 do_file_open+0x219/0x470 do_sys_openat2+0xed/0x1b0 __x64_sys_openat+0x131/0x1e0 do_syscall_64+0x102/0x5a0 entry_SYSCALL_64_after_hwframe+0x77/0x7f Freed by task 153 on cpu 0 at 28.574668s: kasan_save_stack+0x33/0x60 kasan_save_track+0x17/0x60 kasan_save_free_info+0x3b/0x60 __kasan_slab_free+0x43/0x70 kfree+0x133/0x3a0 fuse_file_open+0x524/0x810 fuse_do_open+0x50/0xc0 fuse_dir_open+0x10d/0x260 do_dentry_open+0x5cc/0x1340 vfs_open+0x79/0x390 path_openat+0x22f6/0x3bc0 do_file_open+0x219/0x470 do_sys_openat2+0xed/0x1b0 __x64_sys_openat+0x131/0x1e0 do_syscall_64+0x102/0x5a0 entry_SYSCALL_64_after_hwframe+0x77/0x7f The buggy address belongs to the object at ffff88800c0c7900 which belongs to the cache kmalloc-192 of size 192 The buggy address is located 8 bytes inside of freed 192-byte region [ffff88800c0c7900, ffff88800c0c79c0) The buggy address belongs to the physical page: page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0xc0c7 flags: 0x100000000000000(node=0|zone=1) page_type: f5(slab) raw: 0100000000000000 ffff8880090413c0 dead000000000100 dead000000000122 raw: 0000000000000000 0000000000100010 00000000f5000000 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff88800c0c7800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff88800c0c7880: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc >ffff88800c0c7900: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff88800c0c7980: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc ffff88800c0c7a00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ================================================================== Oops: general protection fault, probably for non-canonical address 0xe03a7c15c0000013: 0000 [#1] SMP KASAN PTI KASAN: maybe wild-memory-access in range [0x01d400ae00000098-0x01d400ae0000009f] CPU: 0 UID: 1000 PID: 152 Comm: repro_minimal_u Tainted: G B W 7.1.0-rc6 #1 PREEMPT(lazy) Tainted: [B]=BAD_PAGE, [W]=WARN Hardware name: QEMU Ubuntu 24.04 PC v2 (i440FX + PIIX, arch_caps fix, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 RIP: 0010:fuse_uring_stop_list_entries+0x332/0x990 Code: 85 ca 04 00 00 48 8d 7e 08 49 8b 4d 08 49 89 f8 49 c1 e8 03 41 80 3c 28 00 0f 85 92 04 00 00 48 89 cf 48 89 4e 08 48 c1 ef 03 <80> 3c 2f 00 0f 85 5c 04 00 00 48 89 31 4c 89 e9 48 c1 e9 03 80 3c RSP: 0018:ffffc90000a5fb08 EFLAGS: 00010202 RAX: 0000000000000001 RBX: ffff888009f68c00 RCX: 01d400ae00000099 RDX: ffff888009e95000 RSI: ffff88800c0c7900 RDI: 003a8015c0000013 RBP: dffffc0000000000 R08: 0000000000000001 R09: fffffbfff11d1438 R10: ffffffff88e8a1c7 R11: 0000000000000001 R12: ffff88800c0c7b00 R13: ffff888009ecc658 R14: ffff888009f68c20 R15: ffffc90000a5fb50 FS: 00007fb206060800(0000) GS:ffff8880acde2000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fb20615ca10 CR3: 000000000dc18000 CR4: 00000000000006f0 Call Trace: fuse_uring_teardown_all_queues+0xb0/0x120 fuse_uring_stop_queues+0x1f/0x230 fuse_abort_conn+0xac7/0xd40 fuse_dev_release+0x3a3/0x4d0 __fput+0x38c/0xa70 fput_close_sync+0xfa/0x1f0 __x64_sys_close+0x87/0xf0 do_syscall_64+0x102/0x5a0 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7fb20617974c Code: 0f 05 48 3d 00 f0 ff ff 77 3c c3 0f 1f 00 55 48 89 e5 48 83 ec 10 89 7d fc e8 10 1e f8 ff 8b 7d fc 89 c2 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 2c 89 d7 89 45 fc e8 72 1e f8 ff 8b 45 fc c9 RSP: 002b:0000558c9601fe50 EFLAGS: 00000293 ORIG_RAX: 0000000000000003 RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fb20617974c RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003 RBP: 0000558c9601fe60 R08: 0000000000000000 R09: 00007fb206277000 R10: 0000000000000000 R11: 0000000000000293 R12: 0000558c95f04a10 R13: 0000000000006e2b R14: 0000000000006e5d R15: 0000558c9601feb0 Modules linked in: ---[ end trace 0000000000000000 ]--- RIP: 0010:fuse_uring_stop_list_entries+0x332/0x990 Code: 85 ca 04 00 00 48 8d 7e 08 49 8b 4d 08 49 89 f8 49 c1 e8 03 41 80 3c 28 00 0f 85 92 04 00 00 48 89 cf 48 89 4e 08 48 c1 ef 03 <80> 3c 2f 00 0f 85 5c 04 00 00 48 89 31 4c 89 e9 48 c1 e9 03 80 3c RSP: 0018:ffffc90000a5fb08 EFLAGS: 00010202 RAX: 0000000000000001 RBX: ffff888009f68c00 RCX: 01d400ae00000099 RDX: ffff888009e95000 RSI: ffff88800c0c7900 RDI: 003a8015c0000013 RBP: dffffc0000000000 R08: 0000000000000001 R09: fffffbfff11d1438 R10: ffffffff88e8a1c7 R11: 0000000000000001 R12: ffff88800c0c7b00 R13: ffff888009ecc658 R14: ffff888009f68c20 R15: ffffc90000a5fb50 FS: 00007fb206060800(0000) GS:ffff8880acde2000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fb20615ca10 CR3: 000000000dc18000 CR4: 00000000000006f0 ---------------- Code disassembly (best guess): 0: 85 ca test %ecx,%edx 2: 04 00 add $0x0,%al 4: 00 48 8d add %cl,-0x73(%rax) 7: 7e 08 jle 0x11 9: 49 8b 4d 08 mov 0x8(%r13),%rcx d: 49 89 f8 mov %rdi,%r8 10: 49 c1 e8 03 shr $0x3,%r8 14: 41 80 3c 28 00 cmpb $0x0,(%r8,%rbp,1) 19: 0f 85 92 04 00 00 jne 0x4b1 1f: 48 89 cf mov %rcx,%rdi 22: 48 89 4e 08 mov %rcx,0x8(%rsi) 26: 48 c1 ef 03 shr $0x3,%rdi * 2a: 80 3c 2f 00 cmpb $0x0,(%rdi,%rbp,1) <-- trapping instruction 2e: 0f 85 5c 04 00 00 jne 0x490 34: 48 89 31 mov %rsi,(%rcx) 37: 4c 89 e9 mov %r13,%rcx 3a: 48 c1 e9 03 shr $0x3,%rcx 3e: 80 .byte 0x80 3f: 3c .byte 0x3c TITLE: general protection fault in fuse_uring_stop_list_entries CORRUPTED: false () SUPPRESSED: false MAINTAINERS (TO): [] MAINTAINERS (CC): [] >ffff88800c0c7900: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff88800c0c7980: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc ffff88800c0c7a00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ================================================================== Oops: general protection fault, probably for non-canonical address 0xe03a7c15c0000013: 0000 [#1] SMP KASAN PTI KASAN: maybe wild-memory-access in range [0x01d400ae00000098-0x01d400ae0000009f] CPU: 0 UID: 1000 PID: 152 Comm: repro_minimal_u Tainted: G B W 7.1.0-rc6 #1 PREEMPT(lazy) Tainted: [B]=BAD_PAGE, [W]=WARN Hardware name: QEMU Ubuntu 24.04 PC v2 (i440FX + PIIX, arch_caps fix, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 RIP: 0010:fuse_uring_stop_list_entries+0x332/0x990 Code: 85 ca 04 00 00 48 8d 7e 08 49 8b 4d 08 49 89 f8 49 c1 e8 03 41 80 3c 28 00 0f 85 92 04 00 00 48 89 cf 48 89 4e 08 48 c1 ef 03 <80> 3c 2f 00 0f 85 5c 04 00 00 48 89 31 4c 89 e9 48 c1 e9 03 80 3c RSP: 0018:ffffc90000a5fb08 EFLAGS: 00010202 RAX: 0000000000000001 RBX: ffff888009f68c00 RCX: 01d400ae00000099 RDX: ffff888009e95000 RSI: ffff88800c0c7900 RDI: 003a8015c0000013 RBP: dffffc0000000000 R08: 0000000000000001 R09: fffffbfff11d1438 R10: ffffffff88e8a1c7 R11: 0000000000000001 R12: ffff88800c0c7b00 R13: ffff888009ecc658 R14: ffff888009f68c20 R15: ffffc90000a5fb50 FS: 00007fb206060800(0000) GS:ffff8880acde2000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fb20615ca10 CR3: 000000000dc18000 CR4: 00000000000006f0 Call Trace: fuse_uring_teardown_all_queues+0xb0/0x120 fuse_uring_stop_queues+0x1f/0x230 fuse_abort_conn+0xac7/0xd40 fuse_dev_release+0x3a3/0x4d0 __fput+0x38c/0xa70 fput_close_sync+0xfa/0x1f0 __x64_sys_close+0x87/0xf0 do_syscall_64+0x102/0x5a0 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7fb20617974c Code: 0f 05 48 3d 00 f0 ff ff 77 3c c3 0f 1f 00 55 48 89 e5 48 83 ec 10 89 7d fc e8 10 1e f8 ff 8b 7d fc 89 c2 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 2c 89 d7 89 45 fc e8 72 1e f8 ff 8b 45 fc c9 RSP: 002b:0000558c9601fe50 EFLAGS: 00000293 ORIG_RAX: 0000000000000003 RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fb20617974c RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003 RBP: 0000558c9601fe60 R08: 0000000000000000 R09: 00007fb206277000 R10: 0000000000000000 R11: 0000000000000293 R12: 0000558c95f04a10 R13: 0000000000006e2b R14: 0000000000006e5d R15: 0000558c9601feb0 Modules linked in: ---[ end trace 0000000000000000 ]--- RIP: 0010:fuse_uring_stop_list_entries+0x332/0x990 Code: 85 ca 04 00 00 48 8d 7e 08 49 8b 4d 08 49 89 f8 49 c1 e8 03 41 80 3c 28 00 0f 85 92 04 00 00 48 89 cf 48 89 4e 08 48 c1 ef 03 <80> 3c 2f 00 0f 85 5c 04 00 00 48 89 31 4c 89 e9 48 c1 e9 03 80 3c RSP: 0018:ffffc90000a5fb08 EFLAGS: 00010202 RAX: 0000000000000001 RBX: ffff888009f68c00 RCX: 01d400ae00000099 RDX: ffff888009e95000 RSI: ffff88800c0c7900 RDI: 003a8015c0000013 RBP: dffffc0000000000 R08: 0000000000000001 R09: fffffbfff11d1438 R10: ffffffff88e8a1c7 R11: 0000000000000001 R12: ffff88800c0c7b00 R13: ffff888009ecc658 R14: ffff888009f68c20 R15: ffffc90000a5fb50 FS: 00007fb206060800(0000) GS:ffff8880acde2000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fb20615ca10 CR3: 000000000dc18000 CR4: 00000000000006f0 ---------------- Code disassembly (best guess): 0: 85 ca test %ecx,%edx 2: 04 00 add $0x0,%al 4: 00 48 8d add %cl,-0x73(%rax) 7: 7e 08 jle 0x11 9: 49 8b 4d 08 mov 0x8(%r13),%rcx d: 49 89 f8 mov %rdi,%r8 10: 49 c1 e8 03 shr $0x3,%r8 14: 41 80 3c 28 00 cmpb $0x0,(%r8,%rbp,1) 19: 0f 85 92 04 00 00 jne 0x4b1 1f: 48 89 cf mov %rcx,%rdi 22: 48 89 4e 08 mov %rcx,0x8(%rsi) 26: 48 c1 ef 03 shr $0x3,%rdi * 2a: 80 3c 2f 00 cmpb $0x0,(%rdi,%rbp,1) <-- trapping instruction 2e: 0f 85 5c 04 00 00 jne 0x490 34: 48 89 31 mov %rsi,(%rcx) 37: 4c 89 e9 mov %r13,%rcx 3a: 48 c1 e9 03 shr $0x3,%rcx 3e: 80 .byte 0x80 3f: 3c .byte 0x3c TITLE: kernel panic: Fatal exception CORRUPTED: true (report format is marked as corrupted) SUPPRESSED: false MAINTAINERS (TO): [] MAINTAINERS (CC): [] R10: ffffffff88e8a1c7 R11: 0000000000000001 R12: ffff88800c0c7b00 R13: ffff888009ecc658 R14: ffff888009f68c20 R15: ffffc90000a5fb50 FS: 00007fb206060800(0000) GS:ffff8880acde2000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fb20615ca10 CR3: 000000000dc18000 CR4: 00000000000006f0 Kernel panic - not syncing: Fatal exception Kernel Offset: disabled Rebooting in 1 seconds..