Re: tracing: user events UAF crash report
From: Mathias Krause
Date: Thu Jul 25 2024 - 17:33:17 EST
On 25.07.24 23:14, Steven Rostedt wrote:
> On Thu, 25 Jul 2024 22:41:23 +0200
> Mathias Krause <minipli@xxxxxxxxxxxxxx> wrote:
>
>>> diff --git a/kernel/trace/trace_events.c b/kernel/trace/trace_events.c
>>> index 6ef29eba90ce..5fbfa1c885de 100644
>>> --- a/kernel/trace/trace_events.c
>>> +++ b/kernel/trace/trace_events.c
>>> @@ -1627,12 +1627,14 @@ static int f_show(struct seq_file *m, void *v)
>>>
>>> static void *f_start(struct seq_file *m, loff_t *pos)
>>> {
>>> + struct trace_event_file *file;
>>> void *p = (void *)FORMAT_HEADER;
>>> loff_t l = 0;
>>>
>>> /* ->stop() is called even if ->start() fails */
>>> mutex_lock(&event_mutex);
>>> - if (!event_file_data(m->private))
>>> + file = event_file_data(m->private);
>>> + if (!file || (file->flags & EVENT_FILE_FL_FREED))
>>> return ERR_PTR(-ENODEV);
>>>
>>> while (l < *pos && p)
>>>
>>>
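Review bot: the new `file->flags & EVENT_FILE_FL_FREED` test in f_start() reads a member of the very object whose lifetime is in question, and the report further down (KASAN slab-use-after-free at trace_events.c:1637, which is exactly this line) shows the trace_event_file can already be freed by the time f_start() runs, so the check itself becomes the use-after-free. Taking event_mutex only orders f_start() against the code that sets the flag; it does nothing to keep the struct allocated if the free has already happened before the lock is taken. The open format file needs something that keeps the trace_event_file alive until ->release() (for example a reference taken in ->open() and dropped in ->release()), or f_start() has to confirm under event_mutex that the pointer is still valid without dereferencing it, e.g. by looking it up on the list it belongs to.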
>>
>> Nope, still the same splats.
>
> Can you reshow the splats. Because I'm now confused.
Sure, see attached serial.log.
That was for a single run of
tools/testing/selftests/user_events/ftrace_test with the read loop of
/sys/kernel/tracing/events/user_events/__test_event/format in a
different shell.
>
> destroy_user_event() which is under event_mutex calls
> user_event_set_call_visible() with false, that will then call:
>
> trace_remove_event_call() -> probe_remove_event_call() ->
> __trace_remove_event_call() -> event_remove() ->
> remove_event_from_tracers()
>
> Where remove_event_from_tracers() loops over all the instances and will set
> each of the file pointers flags associated to the event: EVENT_FILE_FL_FREED
>
> Then it returns back to destroy_user_event() that would free the event.
>
> The f_start() that was in your crash, with the new patch, should take the
> event_mutex before referencing the event that was freed. And with that flag
> being set, it should exit out.
Looking at the very first report:
[ 76.306946] BUG: KASAN: slab-use-after-free in f_start+0x36e/0x3d0
That's what faddr2line gives me:
f_start+0x36e/0x3d0:
f_start at kernel/trace/trace_events.c:1637 (discriminator 1)
Which is:
1635 mutex_lock(&event_mutex);
1636 file = event_file_data(m->private);
1637 if (!file || (file->flags & EVENT_FILE_FL_FREED))
1638 return ERR_PTR(-ENODEV);
Apparently, 'file' was free'd now and reading the 'flags' member
triggers KASAN.
Second report is:
[ 76.367688] BUG: KASAN: slab-use-after-free in f_start+0x2e4/0x3d0
which faddr2line says is:
f_start+0x2e4/0x3d0:
trace_get_fields at include/linux/trace_events.h:482
(inlined by) f_next at kernel/trace/trace_events.c:1545
(inlined by) f_start at kernel/trace/trace_events.c:1641
480 trace_get_fields(struct trace_event_call *event_call)
481 {
482 if (!event_call->class->get_fields)
483 return &event_call->class->fields;
The one we ran into first.
So still something doesn't match up with how lifetimes of objects are
managed.
>
> Did you remove all the other patches before applying this one?
Sure. That's what I have on top of v6.10:
minipli@nuc:~/src/linux (tracefs)$ git diff v6.10 > ~/6.10-tracefs_dbg.diff
Please ignore the WARN()s. They're left-overs from earlier debug
attempts of mine.
Thanks,
Mathias
[ 3.163672] systemd[1]: systemd 247.3-7+deb11u5 running in system mode. (+PAM +AUDIT +SELINUX +IMA +APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ +LZ4 +ZSTD +SECCOMP +BLKID +ELFUTILS +KMOD +IDN2 -IDN +PCRE2 default-hierarchy=unified)
[ 3.169206] systemd[1]: Detected virtualization kvm.
[ 3.170078] systemd[1]: Detected architecture x86-64.
[ 3.174098] systemd[1]: Set hostname to <deb11-amd64>.
[ 3.272838] systemd[1]: Queued start job for default target Graphical Interface.
[ 3.275085] systemd[1]: Created slice system-getty.slice.
[ 3.276420] systemd[1]: Created slice system-modprobe.slice.
[ 3.277628] systemd[1]: Created slice system-serial\x2dgetty.slice.
[ 3.278826] systemd[1]: Created slice User and Session Slice.
[ 3.279959] systemd[1]: Started Dispatch Password Requests to Console Directory Watch.
[ 3.281018] systemd[1]: Started Forward Password Requests to Wall Directory Watch.
[ 3.281971] systemd[1]: Condition check resulted in Arbitrary Executable File Formats File System Automount Point being skipped.
[ 3.282868] systemd[1]: Reached target Local Encrypted Volumes.
[ 3.283649] systemd[1]: Reached target Paths.
[ 3.284289] systemd[1]: Reached target Remote File Systems.
[ 3.284999] systemd[1]: Reached target Slices.
[ 3.286149] systemd[1]: Listening on Syslog Socket.
[ 3.286872] systemd[1]: Listening on fsck to fsckd communication Socket.
[ 3.287716] systemd[1]: Listening on initctl Compatibility Named Pipe.
[ 3.288558] systemd[1]: Listening on Journal Audit Socket.
[ 3.289341] systemd[1]: Listening on Journal Socket (/dev/log).
[ 3.290136] systemd[1]: Listening on Journal Socket.
[ 3.291218] systemd[1]: Listening on udev Control Socket.
[ 3.291958] systemd[1]: Listening on udev Kernel Socket.
[ 3.294098] systemd[1]: Mounting Huge Pages File System...
[ 3.296274] systemd[1]: Mounting POSIX Message Queue File System...
[ 3.298691] systemd[1]: Mounting Kernel Debug File System...
[ 3.300747] systemd[1]: Mounting Kernel Trace File System...
[ 3.301749] systemd[1]: Condition check resulted in Create list of static device nodes for the current kernel being skipped.
[ 3.304381] systemd[1]: Starting Load Kernel Module configfs...
[ 3.307334] systemd[1]: Starting Load Kernel Module drm...
[ 3.309753] systemd[1]: Starting Load Kernel Module fuse...
[ 3.311119] systemd[1]: Condition check resulted in Set Up Additional Binary Formats being skipped.
[ 3.313441] systemd[1]: Starting File System Check on Root Device...
[ 3.317495] systemd[1]: Starting Journal Service...
[ 3.320347] systemd[1]: Starting Load Kernel Modules...
[ 3.323639] systemd[1]: Starting Coldplug All udev Devices...
[ 3.326234] systemd[1]: Mounted Huge Pages File System.
[ 3.327322] systemd[1]: Mounted POSIX Message Queue File System.
[ 3.328304] systemd[1]: Mounted Kernel Debug File System.
[ 3.329962] systemd[1]: Mounted Kernel Trace File System.
[ 3.331447] systemd[1]: modprobe@configfs.service: Succeeded.
[ 3.332655] systemd[1]: Finished Load Kernel Module configfs.
[ 3.334251] systemd[1]: modprobe@drm.service: Succeeded.
[ 3.335371] systemd[1]: Finished Load Kernel Module drm.
[ 3.336701] systemd[1]: modprobe@fuse.service: Succeeded.
[ 3.337942] systemd[1]: Finished Load Kernel Module fuse.
[ 3.339785] systemd[1]: Finished Load Kernel Modules.
[ 3.341547] systemd[1]: Condition check resulted in FUSE Control File System being skipped.
[ 3.342380] systemd[1]: Condition check resulted in Kernel Configuration File System being skipped.
[ 3.344894] systemd[1]: Started File System Check Daemon to report status.
[ 3.348909] systemd[1]: Starting Apply Kernel Variables...
[ 3.355924] systemd[1]: Finished File System Check on Root Device.
[ 3.359096] systemd[1]: Starting Remount Root and Kernel File Systems...
[ 3.360505] systemd[1]: Started Journal Service.
[ 3.388746] EXT4-fs (vda): re-mounted 5255db7c-90ed-48a0-bf5e-4bdaecca5594 r/w. Quota mode: disabled.
[ 3.404765] systemd-journald[226]: Received client request to flush runtime journal.
[ 3.405917] Adding 655356k swap on /swapfile. Priority:-2 extents:6 across:860156k
[ 3.505148] virtio_net virtio0 enp0s3: renamed from eth0
Debian GNU/Linux 11 deb11-amd64 ttyS0
[ 76.304034] ==================================================================
[ 76.306946] BUG: KASAN: slab-use-after-free in f_start+0x36e/0x3d0
[ 76.308724] Read of size 8 at addr ffff8880044988a8 by task cat/4361
[ 76.310122]
[ 76.310543] CPU: 3 PID: 4361 Comm: cat Tainted: G D N 6.10.0-vanilla+ #34
[ 76.311927] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
[ 76.313437] Call Trace:
[ 76.313845] <TASK>
[ 76.314163] dump_stack_lvl+0x66/0xa0
[ 76.314650] print_report+0xd0/0x630
[ 76.315070] ? f_start+0x36e/0x3d0
[ 76.315450] ? __virt_addr_valid+0x208/0x3f0
[ 76.315927] ? f_start+0x36e/0x3d0
[ 76.316336] kasan_report+0xd8/0x110
[ 76.316759] ? f_start+0x36e/0x3d0
[ 76.317161] f_start+0x36e/0x3d0
[ 76.317545] seq_read_iter+0x268/0x11e0
[ 76.317990] ? lock_release+0x453/0x600
[ 76.318410] seq_read+0x261/0x350
[ 76.318835] ? file_tty_write.isra.0+0x4f9/0x8b0
[ 76.319341] ? __pfx_seq_read+0x10/0x10
[ 76.319775] ? trace_irq_enable.constprop.0+0xce/0x110
[ 76.320346] vfs_read+0x171/0x9e0
[ 76.320744] ? lock_acquire+0x408/0x4b0
[ 76.321187] ? __pfx_vfs_read+0x10/0x10
[ 76.321628] ? do_raw_spin_lock+0x119/0x240
[ 76.322130] ? __pfx_task_mm_cid_work+0x10/0x10
[ 76.322667] ? __pfx_do_raw_spin_lock+0x10/0x10
[ 76.323203] ksys_read+0xdd/0x1a0
[ 76.323629] ? __pfx_ksys_read+0x10/0x10
[ 76.324080] ? trace_irq_enable.constprop.0+0xce/0x110
[ 76.324665] do_syscall_64+0x66/0x130
[ 76.325121] entry_SYSCALL_64_after_hwframe+0x71/0x79
[ 76.325693] RIP: 0033:0x7f9b5d95140e
[ 76.326146] Code: c0 e9 b6 fe ff ff 50 48 8d 3d 2e 08 0b 00 e8 69 01 02 00 66 0f 1f 84 00 00 00 00 00 64 8b 04 25 18 00 00 00 85 c0 75 14 0f 05 <48> 3d 00 f0 ff ff 77 5a c3 66 0f 1f 84 00 00 00 00 00 48 83 ec 28
[ 76.328019] RSP: 002b:00007ffd50ab1618 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
[ 76.329045] RAX: ffffffffffffffda RBX: 0000000000020000 RCX: 00007f9b5d95140e
[ 76.329820] RDX: 0000000000020000 RSI: 00007f9b5d845000 RDI: 0000000000000003
[ 76.330545] RBP: 00007f9b5d845000 R08: 00007f9b5d844010 R09: 0000000000000000
[ 76.331291] R10: fffffffffffffbc5 R11: 0000000000000246 R12: 0000000000000000
[ 76.332052] R13: 0000000000000003 R14: 0000000000020000 R15: 0000000000020000
[ 76.332782] </TASK>
[ 76.333064]
[ 76.333304] Allocated by task 4363:
[ 76.333744] kasan_save_stack+0x20/0x40
[ 76.334215] kasan_save_track+0x14/0x30
[ 76.334686] __kasan_kmalloc+0x8f/0xa0
[ 76.335154] user_event_parse_cmd+0x55e/0x25a0
[ 76.335682] user_events_ioctl+0xa52/0x17f0
[ 76.336184] __x64_sys_ioctl+0x133/0x190
[ 76.336634] do_syscall_64+0x66/0x130
[ 76.337063] entry_SYSCALL_64_after_hwframe+0x71/0x79
[ 76.337643]
[ 76.337877] Freed by task 341:
[ 76.338251] kasan_save_stack+0x20/0x40
[ 76.338697] kasan_save_track+0x14/0x30
[ 76.339177] kasan_save_free_info+0x3b/0x60
[ 76.339628] poison_slab_object+0x10a/0x170
[ 76.340109] __kasan_slab_free+0x14/0x30
[ 76.340568] kfree+0xe0/0x2f0
[ 76.340951] destroy_user_event+0x305/0x450
[ 76.341426] delayed_destroy_user_event+0x5c/0xe0
[ 76.341949] process_one_work+0x81c/0x1970
[ 76.342382] worker_thread+0x608/0x1160
[ 76.342798] kthread+0x2be/0x3b0
[ 76.343150] ret_from_fork+0x2c/0x70
[ 76.343572] ret_from_fork_asm+0x1a/0x30
[ 76.343998]
[ 76.344246] Last potentially related work creation:
[ 76.344747] kasan_save_stack+0x20/0x40
[ 76.345162] __kasan_record_aux_stack+0x8e/0xa0
[ 76.345672] insert_work+0x20/0x1b0
[ 76.346093] __queue_work+0x67a/0xc60
[ 76.346524] queue_work_on+0x63/0x90
[ 76.346926] user_event_put+0x1f9/0x390
[ 76.347345] user_events_release+0x124/0x200
[ 76.347828] __fput+0x361/0xa60
[ 76.348191] __x64_sys_close+0x77/0xd0
[ 76.348610] do_syscall_64+0x66/0x130
[ 76.349033] entry_SYSCALL_64_after_hwframe+0x71/0x79
[ 76.349545]
[ 76.349780] The buggy address belongs to the object at ffff888004498800
[ 76.349780] which belongs to the cache kmalloc-cg-512 of size 512
[ 76.351007] The buggy address is located 168 bytes inside of
[ 76.351007] freed 512-byte region [ffff888004498800, ffff888004498a00)
[ 76.352185]
[ 76.352436] The buggy address belongs to the physical page:
[ 76.353049] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x4498
[ 76.353867] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 76.354677] memcg:ffff888003f75301
[ 76.355090] flags: 0x40(head|zone=0)
[ 76.355484] page_type: 0xffffefff(slab)
[ 76.355925] raw: 0000000000000040 ffff88800014cdc0 dead000000000100 dead000000000122
[ 76.356684] raw: 0000000000000000 0000000080100010 00000001ffffefff ffff888003f75301
[ 76.357498] head: 0000000000000040 ffff88800014cdc0 dead000000000100 dead000000000122
[ 76.358259] head: 0000000000000000 0000000080100010 00000001ffffefff ffff888003f75301
[ 76.359183] head: 0000000000000002 ffffea0000112601 ffffffffffffffff 0000000000000000
[ 76.359945] head: ffff888000000004 0000000000000000 00000000ffffffff 0000000000000000
[ 76.360707] page dumped because: kasan: bad access detected
[ 76.361264]
[ 76.361521] Memory state around the buggy address:
[ 76.362051] ffff888004498780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 76.362755] ffff888004498800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 76.363529] >ffff888004498880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 76.364263] ^
[ 76.364773] ffff888004498900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 76.365536] ffff888004498980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 76.366246] ==================================================================
[ 76.367021] ==================================================================
[ 76.367688] BUG: KASAN: slab-use-after-free in f_start+0x2e4/0x3d0
[ 76.368210] Read of size 8 at addr ffff888004498870 by task cat/4361
[ 76.368751]
[ 76.368961] CPU: 3 PID: 4361 Comm: cat Tainted: G B D N 6.10.0-vanilla+ #34
[ 76.369628] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
[ 76.370527] Call Trace:
[ 76.370794] <TASK>
[ 76.371043] dump_stack_lvl+0x66/0xa0
[ 76.371436] print_report+0xd0/0x630
[ 76.371824] ? f_start+0x2e4/0x3d0
[ 76.372237] ? __virt_addr_valid+0x208/0x3f0
[ 76.372678] ? f_start+0x2e4/0x3d0
[ 76.373073] kasan_report+0xd8/0x110
[ 76.373465] ? f_start+0x2e4/0x3d0
[ 76.373878] f_start+0x2e4/0x3d0
[ 76.374245] seq_read_iter+0x268/0x11e0
[ 76.374666] ? lock_release+0x453/0x600
[ 76.375073] seq_read+0x261/0x350
[ 76.375467] ? file_tty_write.isra.0+0x4f9/0x8b0
[ 76.375967] ? __pfx_seq_read+0x10/0x10
[ 76.376378] ? trace_irq_enable.constprop.0+0xce/0x110
[ 76.376928] vfs_read+0x171/0x9e0
[ 76.377328] ? lock_acquire+0x408/0x4b0
[ 76.377770] ? __pfx_vfs_read+0x10/0x10
[ 76.378191] ? do_raw_spin_lock+0x119/0x240
[ 76.378670] ? __pfx_task_mm_cid_work+0x10/0x10
[ 76.379144] ? __pfx_do_raw_spin_lock+0x10/0x10
[ 76.379624] ksys_read+0xdd/0x1a0
[ 76.379999] ? __pfx_ksys_read+0x10/0x10
[ 76.380415] ? trace_irq_enable.constprop.0+0xce/0x110
[ 76.380962] do_syscall_64+0x66/0x130
[ 76.381345] entry_SYSCALL_64_after_hwframe+0x71/0x79
[ 76.381854] RIP: 0033:0x7f9b5d95140e
[ 76.382244] Code: c0 e9 b6 fe ff ff 50 48 8d 3d 2e 08 0b 00 e8 69 01 02 00 66 0f 1f 84 00 00 00 00 00 64 8b 04 25 18 00 00 00 85 c0 75 14 0f 05 <48> 3d 00 f0 ff ff 77 5a c3 66 0f 1f 84 00 00 00 00 00 48 83 ec 28
[ 76.383788] RSP: 002b:00007ffd50ab1618 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
[ 76.384527] RAX: ffffffffffffffda RBX: 0000000000020000 RCX: 00007f9b5d95140e
[ 76.385247] RDX: 0000000000020000 RSI: 00007f9b5d845000 RDI: 0000000000000003
[ 76.385923] RBP: 00007f9b5d845000 R08: 00007f9b5d844010 R09: 0000000000000000
[ 76.386593] R10: fffffffffffffbc5 R11: 0000000000000246 R12: 0000000000000000
[ 76.387277] R13: 0000000000000003 R14: 0000000000020000 R15: 0000000000020000
[ 76.387949] </TASK>
[ 76.388262]
[ 76.388513] Allocated by task 4363:
[ 76.389074] kasan_save_stack+0x20/0x40
[ 76.389489] kasan_save_track+0x14/0x30
[ 76.389900] __kasan_kmalloc+0x8f/0xa0
[ 76.390325] user_event_parse_cmd+0x55e/0x25a0
[ 76.390741] user_events_ioctl+0xa52/0x17f0
[ 76.391153] __x64_sys_ioctl+0x133/0x190
[ 76.391571] do_syscall_64+0x66/0x130
[ 76.391963] entry_SYSCALL_64_after_hwframe+0x71/0x79
[ 76.392473]
[ 76.392699] Freed by task 341:
[ 76.393085] kasan_save_stack+0x20/0x40
[ 76.393533] kasan_save_track+0x14/0x30
[ 76.393945] kasan_save_free_info+0x3b/0x60
[ 76.394387] poison_slab_object+0x10a/0x170
[ 76.394857] __kasan_slab_free+0x14/0x30
[ 76.395288] kfree+0xe0/0x2f0
[ 76.395648] destroy_user_event+0x305/0x450
[ 76.396033] delayed_destroy_user_event+0x5c/0xe0
[ 76.396454] process_one_work+0x81c/0x1970
[ 76.396840] worker_thread+0x608/0x1160
[ 76.397202] kthread+0x2be/0x3b0
[ 76.397524] ret_from_fork+0x2c/0x70
[ 76.397874] ret_from_fork_asm+0x1a/0x30
[ 76.402063]
[ 76.402271] Last potentially related work creation:
[ 76.402698] kasan_save_stack+0x20/0x40
[ 76.403064] __kasan_record_aux_stack+0x8e/0xa0
[ 76.403481] insert_work+0x20/0x1b0
[ 76.403825] __queue_work+0x67a/0xc60
[ 76.404175] queue_work_on+0x63/0x90
[ 76.404520] user_event_put+0x1f9/0x390
[ 76.404892] user_events_release+0x124/0x200
[ 76.405288] __fput+0x361/0xa60
[ 76.405604] __x64_sys_close+0x77/0xd0
[ 76.405965] do_syscall_64+0x66/0x130
[ 76.406319] entry_SYSCALL_64_after_hwframe+0x71/0x79
[ 76.406819]
[ 76.407069] The buggy address belongs to the object at ffff888004498800
[ 76.407069] which belongs to the cache kmalloc-cg-512 of size 512
[ 76.408209] The buggy address is located 112 bytes inside of
[ 76.408209] freed 512-byte region [ffff888004498800, ffff888004498a00)
[ 76.409302]
[ 76.409531] The buggy address belongs to the physical page:
[ 76.410082] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x4498
[ 76.410888] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 76.411676] memcg:ffff888003f75301
[ 76.412048] flags: 0x40(head|zone=0)
[ 76.412440] page_type: 0xffffefff(slab)
[ 76.412860] raw: 0000000000000040 ffff88800014cdc0 dead000000000100 dead000000000122
[ 76.413671] raw: 0000000000000000 0000000080100010 00000001ffffefff ffff888003f75301
[ 76.414472] head: 0000000000000040 ffff88800014cdc0 dead000000000100 dead000000000122
[ 76.415214] head: 0000000000000000 0000000080100010 00000001ffffefff ffff888003f75301
[ 76.415962] head: 0000000000000002 ffffea0000112601 ffffffffffffffff 0000000000000000
[ 76.416715] head: ffff888000000004 0000000000000000 00000000ffffffff 0000000000000000
[ 76.417538] page dumped because: kasan: bad access detected
[ 76.418122]
[ 76.418351] Memory state around the buggy address:
[ 76.419059] ffff888004498700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 76.419820] ffff888004498780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 76.420593] >ffff888004498800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 76.421353] ^
[ 76.422015] ffff888004498880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 76.422781] ffff888004498900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 76.423545] ==================================================================
[ 76.424274] ==================================================================
[ 76.424987] BUG: KASAN: slab-use-after-free in f_start+0x2cb/0x3d0
[ 76.425579] Read of size 8 at addr ffff888004498908 by task cat/4361
[ 76.426221]
[ 76.426475] CPU: 3 PID: 4361 Comm: cat Tainted: G B D N 6.10.0-vanilla+ #34
[ 76.427249] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
[ 76.428362] Call Trace:
[ 76.428664] <TASK>
[ 76.428967] dump_stack_lvl+0x66/0xa0
[ 76.429376] print_report+0xd0/0x630
[ 76.429798] ? f_start+0x2cb/0x3d0
[ 76.430176] ? __virt_addr_valid+0x208/0x3f0
[ 76.430665] ? f_start+0x2cb/0x3d0
[ 76.431078] kasan_report+0xd8/0x110
[ 76.431506] ? f_start+0x2cb/0x3d0
[ 76.431920] f_start+0x2cb/0x3d0
[ 76.432284] seq_read_iter+0x268/0x11e0
[ 76.432699] ? lock_release+0x453/0x600
[ 76.433119] seq_read+0x261/0x350
[ 76.433492] ? file_tty_write.isra.0+0x4f9/0x8b0
[ 76.433978] ? __pfx_seq_read+0x10/0x10
[ 76.434424] ? trace_irq_enable.constprop.0+0xce/0x110
[ 76.434984] vfs_read+0x171/0x9e0
[ 76.435394] ? lock_acquire+0x408/0x4b0
[ 76.435812] ? __pfx_vfs_read+0x10/0x10
[ 76.436259] ? do_raw_spin_lock+0x119/0x240
[ 76.436741] ? __pfx_task_mm_cid_work+0x10/0x10
[ 76.437254] ? __pfx_do_raw_spin_lock+0x10/0x10
[ 76.437762] ksys_read+0xdd/0x1a0
[ 76.438163] ? __pfx_ksys_read+0x10/0x10
[ 76.438620] ? trace_irq_enable.constprop.0+0xce/0x110
[ 76.439174] do_syscall_64+0x66/0x130
[ 76.439598] entry_SYSCALL_64_after_hwframe+0x71/0x79
[ 76.440099] RIP: 0033:0x7f9b5d95140e
[ 76.440525] Code: c0 e9 b6 fe ff ff 50 48 8d 3d 2e 08 0b 00 e8 69 01 02 00 66 0f 1f 84 00 00 00 00 00 64 8b 04 25 18 00 00 00 85 c0 75 14 0f 05 <48> 3d 00 f0 ff ff 77 5a c3 66 0f 1f 84 00 00 00 00 00 48 83 ec 28
[ 76.442267] RSP: 002b:00007ffd50ab1618 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
[ 76.443058] RAX: ffffffffffffffda RBX: 0000000000020000 RCX: 00007f9b5d95140e
[ 76.443726] RDX: 0000000000020000 RSI: 00007f9b5d845000 RDI: 0000000000000003
[ 76.444407] RBP: 00007f9b5d845000 R08: 00007f9b5d844010 R09: 0000000000000000
[ 76.445133] R10: fffffffffffffbc5 R11: 0000000000000246 R12: 0000000000000000
[ 76.445861] R13: 0000000000000003 R14: 0000000000020000 R15: 0000000000020000
[ 76.446590] </TASK>
[ 76.446873]
[ 76.447123] Allocated by task 4363:
[ 76.447540] kasan_save_stack+0x20/0x40
[ 76.447956] kasan_save_track+0x14/0x30
[ 76.448399] __kasan_kmalloc+0x8f/0xa0
[ 76.449012] user_event_parse_cmd+0x55e/0x25a0
[ 76.449471] user_events_ioctl+0xa52/0x17f0
[ 76.449948] __x64_sys_ioctl+0x133/0x190
[ 76.450406] do_syscall_64+0x66/0x130
[ 76.450841] entry_SYSCALL_64_after_hwframe+0x71/0x79
[ 76.451363]
[ 76.451615] Freed by task 341:
[ 76.451970] kasan_save_stack+0x20/0x40
[ 76.452416] kasan_save_track+0x14/0x30
[ 76.452870] kasan_save_free_info+0x3b/0x60
[ 76.453349] poison_slab_object+0x10a/0x170
[ 76.453825] __kasan_slab_free+0x14/0x30
[ 76.454273] kfree+0xe0/0x2f0
[ 76.454619] destroy_user_event+0x305/0x450
[ 76.455094] delayed_destroy_user_event+0x5c/0xe0
[ 76.455611] process_one_work+0x81c/0x1970
[ 76.456050] worker_thread+0x608/0x1160
[ 76.456466] kthread+0x2be/0x3b0
[ 76.456834] ret_from_fork+0x2c/0x70
[ 76.457255] ret_from_fork_asm+0x1a/0x30
[ 76.457709]
[ 76.457937] Last potentially related work creation:
[ 76.458430] kasan_save_stack+0x20/0x40
[ 76.458845] __kasan_record_aux_stack+0x8e/0xa0
[ 76.459350] insert_work+0x20/0x1b0
[ 76.459771] __queue_work+0x67a/0xc60
[ 76.460172] queue_work_on+0x63/0x90
[ 76.460596] user_event_put+0x1f9/0x390
[ 76.461042] user_events_release+0x124/0x200
[ 76.461524] __fput+0x361/0xa60
[ 76.461884] __x64_sys_close+0x77/0xd0
[ 76.462292] do_syscall_64+0x66/0x130
[ 76.462721] entry_SYSCALL_64_after_hwframe+0x71/0x79
[ 76.463230]
[ 76.463482] The buggy address belongs to the object at ffff888004498800
[ 76.463482] which belongs to the cache kmalloc-cg-512 of size 512
[ 76.464701] The buggy address is located 264 bytes inside of
[ 76.464701] freed 512-byte region [ffff888004498800, ffff888004498a00)
[ 76.465896]
[ 76.466143] The buggy address belongs to the physical page:
[ 76.466694] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x4498
[ 76.467502] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 76.468309] memcg:ffff888003f75301
[ 76.468684] flags: 0x40(head|zone=0)
[ 76.469080] page_type: 0xffffefff(slab)
[ 76.469496] raw: 0000000000000040 ffff88800014cdc0 dead000000000100 dead000000000122
[ 76.470244] raw: 0000000000000000 0000000080100010 00000001ffffefff ffff888003f75301
[ 76.471003] head: 0000000000000040 ffff88800014cdc0 dead000000000100 dead000000000122
[ 76.471806] head: 0000000000000000 0000000080100010 00000001ffffefff ffff888003f75301
[ 76.472572] head: 0000000000000002 ffffea0000112601 ffffffffffffffff 0000000000000000
[ 76.473333] head: ffff888000000004 0000000000000000 00000000ffffffff 0000000000000000
[ 76.474148] page dumped because: kasan: bad access detected
[ 76.474695]
[ 76.474920] Memory state around the buggy address:
[ 76.475399] ffff888004498800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 76.476096] ffff888004498880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 76.476851] >ffff888004498900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 76.477611] ^
[ 76.478029] ffff888004498980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 76.478944] ffff888004498a00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 76.483263] ==================================================================
[ 76.483991] ==================================================================
[ 76.484763] BUG: KASAN: slab-use-after-free in user_event_get_fields+0x38/0x40
[ 76.485519] Read of size 8 at addr ffff8880044988b8 by task cat/4361
[ 76.486135]
[ 76.486360] CPU: 3 PID: 4361 Comm: cat Tainted: G B D N 6.10.0-vanilla+ #34
[ 76.487165] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
[ 76.488183] Call Trace:
[ 76.488474] <TASK>
[ 76.488754] dump_stack_lvl+0x66/0xa0
[ 76.489158] print_report+0xd0/0x630
[ 76.489507] ? user_event_get_fields+0x38/0x40
[ 76.489985] ? __virt_addr_valid+0x208/0x3f0
[ 76.490417] ? user_event_get_fields+0x38/0x40
[ 76.490919] kasan_report+0xd8/0x110
[ 76.491315] ? user_event_get_fields+0x38/0x40
[ 76.491806] user_event_get_fields+0x38/0x40
[ 76.492284] f_start+0x175/0x3d0
[ 76.492655] seq_read_iter+0x268/0x11e0
[ 76.493061] ? lock_release+0x453/0x600
[ 76.493505] seq_read+0x261/0x350
[ 76.493878] ? file_tty_write.isra.0+0x4f9/0x8b0
[ 76.494392] ? __pfx_seq_read+0x10/0x10
[ 76.494837] ? trace_irq_enable.constprop.0+0xce/0x110
[ 76.495351] vfs_read+0x171/0x9e0
[ 76.495730] ? lock_acquire+0x408/0x4b0
[ 76.496148] ? __pfx_vfs_read+0x10/0x10
[ 76.496597] ? do_raw_spin_lock+0x119/0x240
[ 76.497041] ? __pfx_task_mm_cid_work+0x10/0x10
[ 76.497542] ? __pfx_do_raw_spin_lock+0x10/0x10
[ 76.498011] ksys_read+0xdd/0x1a0
[ 76.498381] ? __pfx_ksys_read+0x10/0x10
[ 76.498802] ? trace_irq_enable.constprop.0+0xce/0x110
[ 76.499324] do_syscall_64+0x66/0x130
[ 76.499725] entry_SYSCALL_64_after_hwframe+0x71/0x79
[ 76.500274] RIP: 0033:0x7f9b5d95140e
[ 76.500698] Code: c0 e9 b6 fe ff ff 50 48 8d 3d 2e 08 0b 00 e8 69 01 02 00 66 0f 1f 84 00 00 00 00 00 64 8b 04 25 18 00 00 00 85 c0 75 14 0f 05 <48> 3d 00 f0 ff ff 77 5a c3 66 0f 1f 84 00 00 00 00 00 48 83 ec 28
[ 76.502358] RSP: 002b:00007ffd50ab1618 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
[ 76.503108] RAX: ffffffffffffffda RBX: 0000000000020000 RCX: 00007f9b5d95140e
[ 76.503832] RDX: 0000000000020000 RSI: 00007f9b5d845000 RDI: 0000000000000003
[ 76.504548] RBP: 00007f9b5d845000 R08: 00007f9b5d844010 R09: 0000000000000000
[ 76.505259] R10: fffffffffffffbc5 R11: 0000000000000246 R12: 0000000000000000
[ 76.505935] R13: 0000000000000003 R14: 0000000000020000 R15: 0000000000020000
[ 76.506623] </TASK>
[ 76.506934]
[ 76.507159] Allocated by task 4363:
[ 76.507541] kasan_save_stack+0x20/0x40
[ 76.507954] kasan_save_track+0x14/0x30
[ 76.508401] __kasan_kmalloc+0x8f/0xa0
[ 76.509038] user_event_parse_cmd+0x55e/0x25a0
[ 76.509536] user_events_ioctl+0xa52/0x17f0
[ 76.509978] __x64_sys_ioctl+0x133/0x190
[ 76.510402] do_syscall_64+0x66/0x130
[ 76.510832] entry_SYSCALL_64_after_hwframe+0x71/0x79
[ 76.511342]
[ 76.511565] Freed by task 341:
[ 76.511911] kasan_save_stack+0x20/0x40
[ 76.512353] kasan_save_track+0x14/0x30
[ 76.512765] kasan_save_free_info+0x3b/0x60
[ 76.513193] poison_slab_object+0x10a/0x170
[ 76.513600] __kasan_slab_free+0x14/0x30
[ 76.513972] kfree+0xe0/0x2f0
[ 76.514285] destroy_user_event+0x305/0x450
[ 76.514684] delayed_destroy_user_event+0x5c/0xe0
[ 76.515113] process_one_work+0x81c/0x1970
[ 76.515501] worker_thread+0x608/0x1160
[ 76.515871] kthread+0x2be/0x3b0
[ 76.516200] ret_from_fork+0x2c/0x70
[ 76.516549] ret_from_fork_asm+0x1a/0x30
[ 76.516930]
[ 76.517140] Last potentially related work creation:
[ 76.517572] kasan_save_stack+0x20/0x40
[ 76.517941] __kasan_record_aux_stack+0x8e/0xa0
[ 76.518360] insert_work+0x20/0x1b0
[ 76.518704] __queue_work+0x67a/0xc60
[ 76.519062] queue_work_on+0x63/0x90
[ 76.519414] user_event_put+0x1f9/0x390
[ 76.519781] user_events_release+0x124/0x200
[ 76.520175] __fput+0x361/0xa60
[ 76.520500] __x64_sys_close+0x77/0xd0
[ 76.520864] do_syscall_64+0x66/0x130
[ 76.521219] entry_SYSCALL_64_after_hwframe+0x71/0x79
[ 76.521672]
[ 76.521883] The buggy address belongs to the object at ffff888004498800
[ 76.521883] which belongs to the cache kmalloc-cg-512 of size 512
[ 76.522881] The buggy address is located 184 bytes inside of
[ 76.522881] freed 512-byte region [ffff888004498800, ffff888004498a00)
[ 76.523840]
[ 76.524050] The buggy address belongs to the physical page:
[ 76.524544] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x4498
[ 76.525213] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 76.525876] memcg:ffff888003f75301
[ 76.526217] flags: 0x40(head|zone=0)
[ 76.526568] page_type: 0xffffefff(slab)
[ 76.526937] raw: 0000000000000040 ffff88800014cdc0 dead000000000100 dead000000000122
[ 76.527594] raw: 0000000000000000 0000000080100010 00000001ffffefff ffff888003f75301
[ 76.528253] head: 0000000000000040 ffff88800014cdc0 dead000000000100 dead000000000122
[ 76.528923] head: 0000000000000000 0000000080100010 00000001ffffefff ffff888003f75301
[ 76.529583] head: 0000000000000002 ffffea0000112601 ffffffffffffffff 0000000000000000
[ 76.530251] head: ffff888000000004 0000000000000000 00000000ffffffff 0000000000000000
[ 76.530921] page dumped because: kasan: bad access detected
[ 76.531406]
[ 76.531621] Memory state around the buggy address:
[ 76.532052] ffff888004498780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 76.532677] ffff888004498800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 76.533306] >ffff888004498880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 76.533929] ^
[ 76.534373] ffff888004498900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 76.534999] ffff888004498980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 76.535619] ==================================================================
[ 76.536267] ==================================================================
[ 76.536912] BUG: KASAN: slab-use-after-free in f_start+0x2e4/0x3d0
[ 76.537441] Read of size 8 at addr ffff888004498870 by task cat/4361
[ 76.537981]
[ 76.538191] CPU: 3 PID: 4361 Comm: cat Tainted: G B D N 6.10.0-vanilla+ #34
[ 76.539128] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
[ 76.540060] Call Trace:
[ 76.540335] <TASK>
[ 76.540587] dump_stack_lvl+0x66/0xa0
[ 76.540953] print_report+0xd0/0x630
[ 76.541302] ? f_start+0x2e4/0x3d0
[ 76.541647] ? __virt_addr_valid+0x208/0x3f0
[ 76.542045] ? f_start+0x2e4/0x3d0
[ 76.542386] kasan_report+0xd8/0x110
[ 76.542740] ? f_start+0x2e4/0x3d0
[ 76.543084] f_start+0x2e4/0x3d0
[ 76.543412] seq_read_iter+0x268/0x11e0
[ 76.543782] ? lock_release+0x453/0x600
[ 76.544154] seq_read+0x261/0x350
[ 76.544489] ? file_tty_write.isra.0+0x4f9/0x8b0
[ 76.544918] ? __pfx_seq_read+0x10/0x10
[ 76.545289] ? trace_irq_enable.constprop.0+0xce/0x110
[ 76.545750] vfs_read+0x171/0x9e0
[ 76.546088] ? lock_acquire+0x408/0x4b0
[ 76.546460] ? __pfx_vfs_read+0x10/0x10
[ 76.546832] ? do_raw_spin_lock+0x119/0x240
[ 76.547227] ? __pfx_task_mm_cid_work+0x10/0x10
[ 76.547644] ? __pfx_do_raw_spin_lock+0x10/0x10
[ 76.548059] ksys_read+0xdd/0x1a0
[ 76.548394] ? __pfx_ksys_read+0x10/0x10
[ 76.548773] ? trace_irq_enable.constprop.0+0xce/0x110
[ 76.549234] do_syscall_64+0x66/0x130
[ 76.549595] entry_SYSCALL_64_after_hwframe+0x71/0x79
[ 76.550055] RIP: 0033:0x7f9b5d95140e
[ 76.550407] Code: c0 e9 b6 fe ff ff 50 48 8d 3d 2e 08 0b 00 e8 69 01 02 00 66 0f 1f 84 00 00 00 00 00 64 8b 04 25 18 00 00 00 85 c0 75 14 0f 05 <48> 3d 00 f0 ff ff 77 5a c3 66 0f 1f 84 00 00 00 00 00 48 83 ec 28
[ 76.551836] RSP: 002b:00007ffd50ab1618 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
[ 76.552486] RAX: ffffffffffffffda RBX: 0000000000020000 RCX: 00007f9b5d95140e
[ 76.553083] RDX: 0000000000020000 RSI: 00007f9b5d845000 RDI: 0000000000000003
[ 76.553673] RBP: 00007f9b5d845000 R08: 00007f9b5d844010 R09: 0000000000000000
[ 76.554262] R10: fffffffffffffbc5 R11: 0000000000000246 R12: 0000000000000000
[ 76.554854] R13: 0000000000000003 R14: 0000000000020000 R15: 0000000000020000
[ 76.559263] </TASK>
[ 76.559521]
[ 76.559729] Allocated by task 4363:
[ 76.560075] kasan_save_stack+0x20/0x40
[ 76.560442] kasan_save_track+0x14/0x30
[ 76.560811] __kasan_kmalloc+0x8f/0xa0
[ 76.561175] user_event_parse_cmd+0x55e/0x25a0
[ 76.561587] user_events_ioctl+0xa52/0x17f0
[ 76.561978] __x64_sys_ioctl+0x133/0x190
[ 76.562350] do_syscall_64+0x66/0x130
[ 76.562710] entry_SYSCALL_64_after_hwframe+0x71/0x79
[ 76.563162]
[ 76.563367] Freed by task 341:
[ 76.563683] kasan_save_stack+0x20/0x40
[ 76.564048] kasan_save_track+0x14/0x30
[ 76.564416] kasan_save_free_info+0x3b/0x60
[ 76.564812] poison_slab_object+0x10a/0x170
[ 76.565204] __kasan_slab_free+0x14/0x30
[ 76.565578] kfree+0xe0/0x2f0
[ 76.565888] destroy_user_event+0x305/0x450
[ 76.566281] delayed_destroy_user_event+0x5c/0xe0
[ 76.566711] process_one_work+0x81c/0x1970
[ 76.567096] worker_thread+0x608/0x1160
[ 76.567462] kthread+0x2be/0x3b0
[ 76.567792] ret_from_fork+0x2c/0x70
[ 76.568147] ret_from_fork_asm+0x1a/0x30
[ 76.568518]
[ 76.568730] Last potentially related work creation:
[ 76.569408] kasan_save_stack+0x20/0x40
[ 76.569788] __kasan_record_aux_stack+0x8e/0xa0
[ 76.570209] insert_work+0x20/0x1b0
[ 76.570556] __queue_work+0x67a/0xc60
[ 76.570920] queue_work_on+0x63/0x90
[ 76.571270] user_event_put+0x1f9/0x390
[ 76.571640] user_events_release+0x124/0x200
[ 76.572038] __fput+0x361/0xa60
[ 76.572358] __x64_sys_close+0x77/0xd0
[ 76.572724] do_syscall_64+0x66/0x130
[ 76.573091] entry_SYSCALL_64_after_hwframe+0x71/0x79
[ 76.573538]
[ 76.573751] The buggy address belongs to the object at ffff888004498800
[ 76.573751] which belongs to the cache kmalloc-cg-512 of size 512
[ 76.574753] The buggy address is located 112 bytes inside of
[ 76.574753] freed 512-byte region [ffff888004498800, ffff888004498a00)
[ 76.575713]
[ 76.575920] The buggy address belongs to the physical page:
[ 76.576407] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x4498
[ 76.577077] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 76.577731] memcg:ffff888003f75301
[ 76.578067] flags: 0x40(head|zone=0)
[ 76.578417] page_type: 0xffffefff(slab)
[ 76.578787] raw: 0000000000000040 ffff88800014cdc0 dead000000000100 dead000000000122
[ 76.579446] raw: 0000000000000000 0000000080100010 00000001ffffefff ffff888003f75301
[ 76.580106] head: 0000000000000040 ffff88800014cdc0 dead000000000100 dead000000000122
[ 76.580771] head: 0000000000000000 0000000080100010 00000001ffffefff ffff888003f75301
[ 76.581439] head: 0000000000000002 ffffea0000112601 ffffffffffffffff 0000000000000000
[ 76.582101] head: ffff888000000004 0000000000000000 00000000ffffffff 0000000000000000
[ 76.582766] page dumped because: kasan: bad access detected
[ 76.583248]
[ 76.583457] Memory state around the buggy address:
[ 76.583889] ffff888004498700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 76.584508] ffff888004498780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 76.585137] >ffff888004498800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 76.585758] ^
[ 76.586333] ffff888004498880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 76.586964] ffff888004498900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 76.587585] ==================================================================
[ 76.588224] ==================================================================
[ 76.588861] BUG: KASAN: slab-use-after-free in f_start+0x2cb/0x3d0
[ 76.589382] Read of size 8 at addr ffff888004498908 by task cat/4361
[ 76.589915]
[ 76.590128] CPU: 3 PID: 4361 Comm: cat Tainted: G B D N 6.10.0-vanilla+ #34
[ 76.590809] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
[ 76.591724] Call Trace:
[ 76.592000] <TASK>
[ 76.592248] dump_stack_lvl+0x66/0xa0
[ 76.592601] print_report+0xd0/0x630
[ 76.592953] ? f_start+0x2cb/0x3d0
[ 76.593292] ? __virt_addr_valid+0x208/0x3f0
[ 76.593692] ? f_start+0x2cb/0x3d0
[ 76.594032] kasan_report+0xd8/0x110
[ 76.594382] ? f_start+0x2cb/0x3d0
[ 76.594722] f_start+0x2cb/0x3d0
[ 76.595056] seq_read_iter+0x268/0x11e0
[ 76.595428] ? lock_release+0x453/0x600
[ 76.595793] seq_read+0x261/0x350
[ 76.596127] ? file_tty_write.isra.0+0x4f9/0x8b0
[ 76.596550] ? __pfx_seq_read+0x10/0x10
[ 76.596917] ? trace_irq_enable.constprop.0+0xce/0x110
[ 76.597375] vfs_read+0x171/0x9e0
[ 76.597711] ? lock_acquire+0x408/0x4b0
[ 76.598080] ? __pfx_vfs_read+0x10/0x10
[ 76.598446] ? do_raw_spin_lock+0x119/0x240
[ 76.599092] ? __pfx_task_mm_cid_work+0x10/0x10
[ 76.599529] ? __pfx_do_raw_spin_lock+0x10/0x10
[ 76.599944] ksys_read+0xdd/0x1a0
[ 76.600274] ? __pfx_ksys_read+0x10/0x10
[ 76.600648] ? trace_irq_enable.constprop.0+0xce/0x110
[ 76.601116] do_syscall_64+0x66/0x130
[ 76.601471] entry_SYSCALL_64_after_hwframe+0x71/0x79
[ 76.601926] RIP: 0033:0x7f9b5d95140e
[ 76.602284] Code: c0 e9 b6 fe ff ff 50 48 8d 3d 2e 08 0b 00 e8 69 01 02 00 66 0f 1f 84 00 00 00 00 00 64 8b 04 25 18 00 00 00 85 c0 75 14 0f 05 <48> 3d 00 f0 ff ff 77 5a c3 66 0f 1f 84 00 00 00 00 00 48 83 ec 28
[ 76.603708] RSP: 002b:00007ffd50ab1618 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
[ 76.604356] RAX: ffffffffffffffda RBX: 0000000000020000 RCX: 00007f9b5d95140e
[ 76.604953] RDX: 0000000000020000 RSI: 00007f9b5d845000 RDI: 0000000000000003
[ 76.605544] RBP: 00007f9b5d845000 R08: 00007f9b5d844010 R09: 0000000000000000
[ 76.606135] R10: fffffffffffffbc5 R11: 0000000000000246 R12: 0000000000000000
[ 76.606727] R13: 0000000000000003 R14: 0000000000020000 R15: 0000000000020000
[ 76.607319] </TASK>
[ 76.607574]
[ 76.607782] Allocated by task 4363:
[ 76.608127] kasan_save_stack+0x20/0x40
[ 76.608495] kasan_save_track+0x14/0x30
[ 76.608863] __kasan_kmalloc+0x8f/0xa0
[ 76.609228] user_event_parse_cmd+0x55e/0x25a0
[ 76.609641] user_events_ioctl+0xa52/0x17f0
[ 76.610031] __x64_sys_ioctl+0x133/0x190
[ 76.610407] do_syscall_64+0x66/0x130
[ 76.610763] entry_SYSCALL_64_after_hwframe+0x71/0x79
[ 76.611211]
[ 76.611420] Freed by task 341:
[ 76.611737] kasan_save_stack+0x20/0x40
[ 76.612105] kasan_save_track+0x14/0x30
[ 76.612472] kasan_save_free_info+0x3b/0x60
[ 76.612872] poison_slab_object+0x10a/0x170
[ 76.613263] __kasan_slab_free+0x14/0x30
[ 76.613635] kfree+0xe0/0x2f0
[ 76.613946] destroy_user_event+0x305/0x450
[ 76.614339] delayed_destroy_user_event+0x5c/0xe0
[ 76.614766] process_one_work+0x81c/0x1970
[ 76.615150] worker_thread+0x608/0x1160
[ 76.615518] kthread+0x2be/0x3b0
[ 76.615848] ret_from_fork+0x2c/0x70
[ 76.616199] ret_from_fork_asm+0x1a/0x30
[ 76.616576]
[ 76.616794] Last potentially related work creation:
[ 76.617233] kasan_save_stack+0x20/0x40
[ 76.617599] __kasan_record_aux_stack+0x8e/0xa0
[ 76.618017] insert_work+0x20/0x1b0
[ 76.618366] __queue_work+0x67a/0xc60
[ 76.618720] queue_work_on+0x63/0x90
[ 76.619073] user_event_put+0x1f9/0x390
[ 76.619440] user_events_release+0x124/0x200
[ 76.619836] __fput+0x361/0xa60
[ 76.620159] __x64_sys_close+0x77/0xd0
[ 76.620520] do_syscall_64+0x66/0x130
[ 76.620878] entry_SYSCALL_64_after_hwframe+0x71/0x79
[ 76.621330]
[ 76.621539] The buggy address belongs to the object at ffff888004498800
[ 76.621539] which belongs to the cache kmalloc-cg-512 of size 512
[ 76.622533] The buggy address is located 264 bytes inside of
[ 76.622533] freed 512-byte region [ffff888004498800, ffff888004498a00)
[ 76.623483]
[ 76.623691] The buggy address belongs to the physical page:
[ 76.624177] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x4498
[ 76.624844] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 76.625498] memcg:ffff888003f75301
[ 76.625834] flags: 0x40(head|zone=0)
[ 76.630239] page_type: 0xffffefff(slab)
[ 76.630608] raw: 0000000000000040 ffff88800014cdc0 dead000000000100 dead000000000122
[ 76.631275] raw: 0000000000000000 0000000080100010 00000001ffffefff ffff888003f75301
[ 76.631929] head: 0000000000000040 ffff88800014cdc0 dead000000000100 dead000000000122
[ 76.632596] head: 0000000000000000 0000000080100010 00000001ffffefff ffff888003f75301
[ 76.633266] head: 0000000000000002 ffffea0000112601 ffffffffffffffff 0000000000000000
[ 76.633933] head: ffff888000000004 0000000000000000 00000000ffffffff 0000000000000000
[ 76.634596] page dumped because: kasan: bad access detected
[ 76.635086]
[ 76.635295] Memory state around the buggy address:
[ 76.635724] ffff888004498800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 76.636349] ffff888004498880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 76.636974] >ffff888004498900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 76.637595] ^
[ 76.637936] ffff888004498980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 76.638563] ffff888004498a00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 76.639186] ==================================================================
[ 76.639824] ==================================================================
[ 76.640455] BUG: KASAN: slab-use-after-free in user_event_get_fields+0x38/0x40
[ 76.641084] Read of size 8 at addr ffff8880044988b8 by task cat/4361
[ 76.641623]
[ 76.641835] CPU: 3 PID: 4361 Comm: cat Tainted: G B D N 6.10.0-vanilla+ #34
[ 76.642504] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
[ 76.643419] Call Trace:
[ 76.643691] <TASK>
[ 76.643939] dump_stack_lvl+0x66/0xa0
[ 76.644295] print_report+0xd0/0x630
[ 76.644645] ? user_event_get_fields+0x38/0x40
[ 76.645058] ? __virt_addr_valid+0x208/0x3f0
[ 76.645456] ? user_event_get_fields+0x38/0x40
[ 76.645867] kasan_report+0xd8/0x110
[ 76.646218] ? user_event_get_fields+0x38/0x40
[ 76.646626] user_event_get_fields+0x38/0x40
[ 76.647027] f_start+0x175/0x3d0
[ 76.647362] seq_read_iter+0x268/0x11e0
[ 76.647731] ? lock_release+0x453/0x600
[ 76.648103] seq_read+0x261/0x350
[ 76.648439] ? file_tty_write.isra.0+0x4f9/0x8b0
[ 76.648865] ? __pfx_seq_read+0x10/0x10
[ 76.649229] ? trace_irq_enable.constprop.0+0xce/0x110
[ 76.649691] vfs_read+0x171/0x9e0
[ 76.650025] ? lock_acquire+0x408/0x4b0
[ 76.650392] ? __pfx_vfs_read+0x10/0x10
[ 76.650758] ? do_raw_spin_lock+0x119/0x240
[ 76.651153] ? __pfx_task_mm_cid_work+0x10/0x10
[ 76.651566] ? __pfx_do_raw_spin_lock+0x10/0x10
[ 76.651986] ksys_read+0xdd/0x1a0
[ 76.652316] ? __pfx_ksys_read+0x10/0x10
[ 76.652691] ? trace_irq_enable.constprop.0+0xce/0x110
[ 76.653153] do_syscall_64+0x66/0x130
[ 76.653510] entry_SYSCALL_64_after_hwframe+0x71/0x79
[ 76.653961] RIP: 0033:0x7f9b5d95140e
[ 76.654313] Code: c0 e9 b6 fe ff ff 50 48 8d 3d 2e 08 0b 00 e8 69 01 02 00 66 0f 1f 84 00 00 00 00 00 64 8b 04 25 18 00 00 00 85 c0 75 14 0f 05 <48> 3d 00 f0 ff ff 77 5a c3 66 0f 1f 84 00 00 00 00 00 48 83 ec 28
[ 76.655735] RSP: 002b:00007ffd50ab1618 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
[ 76.656378] RAX: ffffffffffffffda RBX: 0000000000020000 RCX: 00007f9b5d95140e
[ 76.656974] RDX: 0000000000020000 RSI: 00007f9b5d845000 RDI: 0000000000000003
[ 76.657563] RBP: 00007f9b5d845000 R08: 00007f9b5d844010 R09: 0000000000000000
[ 76.658154] R10: fffffffffffffbc5 R11: 0000000000000246 R12: 0000000000000000
[ 76.658746] R13: 0000000000000003 R14: 0000000000020000 R15: 0000000000020000
[ 76.659594] </TASK>
[ 76.659851]
[ 76.660064] Allocated by task 4363:
[ 76.660407] kasan_save_stack+0x20/0x40
[ 76.660783] kasan_save_track+0x14/0x30
[ 76.661156] __kasan_kmalloc+0x8f/0xa0
[ 76.661519] user_event_parse_cmd+0x55e/0x25a0
[ 76.661930] user_events_ioctl+0xa52/0x17f0
[ 76.662325] __x64_sys_ioctl+0x133/0x190
[ 76.662701] do_syscall_64+0x66/0x130
[ 76.663056] entry_SYSCALL_64_after_hwframe+0x71/0x79
[ 76.663506]
[ 76.663717] Freed by task 341:
[ 76.664030] kasan_save_stack+0x20/0x40
[ 76.664394] kasan_save_track+0x14/0x30
[ 76.664773] kasan_save_free_info+0x3b/0x60
[ 76.665168] poison_slab_object+0x10a/0x170
[ 76.665557] __kasan_slab_free+0x14/0x30
[ 76.665929] kfree+0xe0/0x2f0
[ 76.666242] destroy_user_event+0x305/0x450
[ 76.666632] delayed_destroy_user_event+0x5c/0xe0
[ 76.667072] process_one_work+0x81c/0x1970
[ 76.667459] worker_thread+0x608/0x1160
[ 76.667827] kthread+0x2be/0x3b0
[ 76.668157] ret_from_fork+0x2c/0x70
[ 76.668507] ret_from_fork_asm+0x1a/0x30
[ 76.668885]
[ 76.669093] Last potentially related work creation:
[ 76.669530] kasan_save_stack+0x20/0x40
[ 76.669899] __kasan_record_aux_stack+0x8e/0xa0
[ 76.670319] insert_work+0x20/0x1b0
[ 76.670661] __queue_work+0x67a/0xc60
[ 76.671020] queue_work_on+0x63/0x90
[ 76.671373] user_event_put+0x1f9/0x390
[ 76.671742] user_events_release+0x124/0x200
[ 76.672139] __fput+0x361/0xa60
[ 76.672458] __x64_sys_close+0x77/0xd0
[ 76.672824] do_syscall_64+0x66/0x130
[ 76.673185] entry_SYSCALL_64_after_hwframe+0x71/0x79
[ 76.673637]
[ 76.673848] The buggy address belongs to the object at ffff888004498800
[ 76.673848] which belongs to the cache kmalloc-cg-512 of size 512
[ 76.674835] The buggy address is located 184 bytes inside of
[ 76.674835] freed 512-byte region [ffff888004498800, ffff888004498a00)
[ 76.675795]
[ 76.676007] The buggy address belongs to the physical page:
[ 76.676490] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x4498
[ 76.677154] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 76.677812] memcg:ffff888003f75301
[ 76.678150] flags: 0x40(head|zone=0)
[ 76.678502] page_type: 0xffffefff(slab)
[ 76.678868] raw: 0000000000000040 ffff88800014cdc0 dead000000000100 dead000000000122
[ 76.679521] raw: 0000000000000000 0000000080100010 00000001ffffefff ffff888003f75301
[ 76.680182] head: 0000000000000040 ffff88800014cdc0 dead000000000100 dead000000000122
[ 76.680844] head: 0000000000000000 0000000080100010 00000001ffffefff ffff888003f75301
[ 76.681509] head: 0000000000000002 ffffea0000112601 ffffffffffffffff 0000000000000000
[ 76.682178] head: ffff888000000004 0000000000000000 00000000ffffffff 0000000000000000
[ 76.682842] page dumped because: kasan: bad access detected
[ 76.683323]
[ 76.683535] Memory state around the buggy address:
[ 76.683965] ffff888004498780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 76.684588] ffff888004498800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 76.685213] >ffff888004498880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 76.685835] ^
[ 76.686285] ffff888004498900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 76.686909] ffff888004498980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 76.687531] ==================================================================
[ 76.688181] ==================================================================
[ 76.689048] BUG: KASAN: slab-use-after-free in f_start+0x2e4/0x3d0
[ 76.689590] Read of size 8 at addr ffff888004498870 by task cat/4361
[ 76.690131]
[ 76.690343] CPU: 3 PID: 4361 Comm: cat Tainted: G B D N 6.10.0-vanilla+ #34
[ 76.691022] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
[ 76.691927] Call Trace:
[ 76.692200] <TASK>
[ 76.692453] dump_stack_lvl+0x66/0xa0
[ 76.692817] print_report+0xd0/0x630
[ 76.693163] ? f_start+0x2e4/0x3d0
[ 76.693507] ? __virt_addr_valid+0x208/0x3f0
[ 76.693905] ? f_start+0x2e4/0x3d0
[ 76.694245] kasan_report+0xd8/0x110
[ 76.694597] ? f_start+0x2e4/0x3d0
[ 76.694941] f_start+0x2e4/0x3d0
[ 76.695267] seq_read_iter+0x268/0x11e0
[ 76.695635] ? lock_release+0x453/0x600
[ 76.699823] seq_read+0x261/0x350
[ 76.700154] ? file_tty_write.isra.0+0x4f9/0x8b0
[ 76.700578] ? __pfx_seq_read+0x10/0x10
[ 76.700952] ? trace_irq_enable.constprop.0+0xce/0x110
[ 76.701409] vfs_read+0x171/0x9e0
[ 76.701740] ? lock_acquire+0x408/0x4b0
[ 76.702109] ? __pfx_vfs_read+0x10/0x10
[ 76.702476] ? do_raw_spin_lock+0x119/0x240
[ 76.702871] ? __pfx_task_mm_cid_work+0x10/0x10
[ 76.703283] ? __pfx_do_raw_spin_lock+0x10/0x10
[ 76.703704] ksys_read+0xdd/0x1a0
[ 76.704037] ? __pfx_ksys_read+0x10/0x10
[ 76.704411] ? trace_irq_enable.constprop.0+0xce/0x110
[ 76.704871] do_syscall_64+0x66/0x130
[ 76.705235] entry_SYSCALL_64_after_hwframe+0x71/0x79
[ 76.705686] RIP: 0033:0x7f9b5d95140e
[ 76.706034] Code: c0 e9 b6 fe ff ff 50 48 8d 3d 2e 08 0b 00 e8 69 01 02 00 66 0f 1f 84 00 00 00 00 00 64 8b 04 25 18 00 00 00 85 c0 75 14 0f 05 <48> 3d 00 f0 ff ff 77 5a c3 66 0f 1f 84 00 00 00 00 00 48 83 ec 28
[ 76.707474] RSP: 002b:00007ffd50ab1618 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
[ 76.708126] RAX: ffffffffffffffda RBX: 0000000000020000 RCX: 00007f9b5d95140e
[ 76.708721] RDX: 0000000000020000 RSI: 00007f9b5d845000 RDI: 0000000000000003
[ 76.709322] RBP: 00007f9b5d845000 R08: 00007f9b5d844010 R09: 0000000000000000
[ 76.709921] R10: fffffffffffffbc5 R11: 0000000000000246 R12: 0000000000000000
[ 76.710513] R13: 0000000000000003 R14: 0000000000020000 R15: 0000000000020000
[ 76.711112] </TASK>
[ 76.711374]
[ 76.711584] Allocated by task 4363:
[ 76.711928] kasan_save_stack+0x20/0x40
[ 76.712296] kasan_save_track+0x14/0x30
[ 76.712659] __kasan_kmalloc+0x8f/0xa0
[ 76.713027] user_event_parse_cmd+0x55e/0x25a0
[ 76.713439] user_events_ioctl+0xa52/0x17f0
[ 76.713829] __x64_sys_ioctl+0x133/0x190
[ 76.714202] do_syscall_64+0x66/0x130
[ 76.714558] entry_SYSCALL_64_after_hwframe+0x71/0x79
[ 76.715009]
[ 76.715216] Freed by task 341:
[ 76.715534] kasan_save_stack+0x20/0x40
[ 76.715900] kasan_save_track+0x14/0x30
[ 76.716272] kasan_save_free_info+0x3b/0x60
[ 76.716667] poison_slab_object+0x10a/0x170
[ 76.717060] __kasan_slab_free+0x14/0x30
[ 76.717432] kfree+0xe0/0x2f0
[ 76.717742] destroy_user_event+0x305/0x450
[ 76.718135] delayed_destroy_user_event+0x5c/0xe0
[ 76.718568] process_one_work+0x81c/0x1970
[ 76.719177] worker_thread+0x608/0x1160
[ 76.719558] kthread+0x2be/0x3b0
[ 76.719887] ret_from_fork+0x2c/0x70
[ 76.720242] ret_from_fork_asm+0x1a/0x30
[ 76.720615]
[ 76.720836] Last potentially related work creation:
[ 76.721269] kasan_save_stack+0x20/0x40
[ 76.721634] __kasan_record_aux_stack+0x8e/0xa0
[ 76.722050] insert_work+0x20/0x1b0
[ 76.722396] __queue_work+0x67a/0xc60
[ 76.722761] queue_work_on+0x63/0x90
[ 76.723110] user_event_put+0x1f9/0x390
[ 76.723478] user_events_release+0x124/0x200
[ 76.723875] __fput+0x361/0xa60
[ 76.724194] __x64_sys_close+0x77/0xd0
[ 76.724558] do_syscall_64+0x66/0x130
[ 76.724919] entry_SYSCALL_64_after_hwframe+0x71/0x79
[ 76.725368]
[ 76.725575] The buggy address belongs to the object at ffff888004498800
[ 76.725575] which belongs to the cache kmalloc-cg-512 of size 512
[ 76.726579] The buggy address is located 112 bytes inside of
[ 76.726579] freed 512-byte region [ffff888004498800, ffff888004498a00)
[ 76.727537]
[ 76.727744] The buggy address belongs to the physical page:
[ 76.728231] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x4498
[ 76.728904] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 76.729555] memcg:ffff888003f75301
[ 76.729892] flags: 0x40(head|zone=0)
[ 76.730242] page_type: 0xffffefff(slab)
[ 76.730615] raw: 0000000000000040 ffff88800014cdc0 dead000000000100 dead000000000122
[ 76.731272] raw: 0000000000000000 0000000080100010 00000001ffffefff ffff888003f75301
[ 76.731932] head: 0000000000000040 ffff88800014cdc0 dead000000000100 dead000000000122
[ 76.732591] head: 0000000000000000 0000000080100010 00000001ffffefff ffff888003f75301
[ 76.733270] head: 0000000000000002 ffffea0000112601 ffffffffffffffff 0000000000000000
[ 76.733929] head: ffff888000000004 0000000000000000 00000000ffffffff 0000000000000000
[ 76.734595] page dumped because: kasan: bad access detected
[ 76.735079]
[ 76.735289] Memory state around the buggy address:
[ 76.735725] ffff888004498700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 76.736343] ffff888004498780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 76.736971] >ffff888004498800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 76.737592] ^
[ 76.738166] ffff888004498880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 76.738792] ffff888004498900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 76.739422] ==================================================================
[ 76.740061] ==================================================================
[ 76.740694] BUG: KASAN: slab-use-after-free in f_start+0x2cb/0x3d0
[ 76.741224] Read of size 8 at addr ffff888004498908 by task cat/4361
[ 76.741764]
[ 76.741974] CPU: 3 PID: 4361 Comm: cat Tainted: G B D N 6.10.0-vanilla+ #34
[ 76.742650] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
[ 76.743573] Call Trace:
[ 76.743850] <TASK>
[ 76.744102] dump_stack_lvl+0x66/0xa0
[ 76.744462] print_report+0xd0/0x630
[ 76.744822] ? f_start+0x2cb/0x3d0
[ 76.745160] ? __virt_addr_valid+0x208/0x3f0
[ 76.745559] ? f_start+0x2cb/0x3d0
[ 76.745898] kasan_report+0xd8/0x110
[ 76.746246] ? f_start+0x2cb/0x3d0
[ 76.746584] f_start+0x2cb/0x3d0
[ 76.746916] seq_read_iter+0x268/0x11e0
[ 76.747282] ? lock_release+0x453/0x600
[ 76.747644] seq_read+0x261/0x350
[ 76.747980] ? file_tty_write.isra.0+0x4f9/0x8b0
[ 76.748399] ? __pfx_seq_read+0x10/0x10
[ 76.748771] ? trace_irq_enable.constprop.0+0xce/0x110
[ 76.749384] vfs_read+0x171/0x9e0
[ 76.749719] ? lock_acquire+0x408/0x4b0
[ 76.750089] ? __pfx_vfs_read+0x10/0x10
[ 76.750454] ? do_raw_spin_lock+0x119/0x240
[ 76.750845] ? __pfx_task_mm_cid_work+0x10/0x10
[ 76.751259] ? __pfx_do_raw_spin_lock+0x10/0x10
[ 76.751672] ksys_read+0xdd/0x1a0
[ 76.752002] ? __pfx_ksys_read+0x10/0x10
[ 76.752375] ? trace_irq_enable.constprop.0+0xce/0x110
[ 76.752843] do_syscall_64+0x66/0x130
[ 76.753205] entry_SYSCALL_64_after_hwframe+0x71/0x79
[ 76.753649] RIP: 0033:0x7f9b5d95140e
[ 76.754004] Code: c0 e9 b6 fe ff ff 50 48 8d 3d 2e 08 0b 00 e8 69 01 02 00 66 0f 1f 84 00 00 00 00 00 64 8b 04 25 18 00 00 00 85 c0 75 14 0f 05 <48> 3d 00 f0 ff ff 77 5a c3 66 0f 1f 84 00 00 00 00 00 48 83 ec 28
[ 76.755433] RSP: 002b:00007ffd50ab1618 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
[ 76.756074] RAX: ffffffffffffffda RBX: 0000000000020000 RCX: 00007f9b5d95140e
[ 76.756666] RDX: 0000000000020000 RSI: 00007f9b5d845000 RDI: 0000000000000003
[ 76.757258] RBP: 00007f9b5d845000 R08: 00007f9b5d844010 R09: 0000000000000000
[ 76.757850] R10: fffffffffffffbc5 R11: 0000000000000246 R12: 0000000000000000
[ 76.758437] R13: 0000000000000003 R14: 0000000000020000 R15: 0000000000020000
[ 76.759032] </TASK>
[ 76.759286]
[ 76.759497] Allocated by task 4363:
[ 76.759841] kasan_save_stack+0x20/0x40
[ 76.760207] kasan_save_track+0x14/0x30
[ 76.760571] __kasan_kmalloc+0x8f/0xa0
[ 76.760936] user_event_parse_cmd+0x55e/0x25a0
[ 76.761343] user_events_ioctl+0xa52/0x17f0
[ 76.761732] __x64_sys_ioctl+0x133/0x190
[ 76.762107] do_syscall_64+0x66/0x130
[ 76.762468] entry_SYSCALL_64_after_hwframe+0x71/0x79
[ 76.762918]
[ 76.763129] Freed by task 341:
[ 76.763444] kasan_save_stack+0x20/0x40
[ 76.763810] kasan_save_track+0x14/0x30
[ 76.764174] kasan_save_free_info+0x3b/0x60
[ 76.764560] poison_slab_object+0x10a/0x170
[ 76.764958] __kasan_slab_free+0x14/0x30
[ 76.765329] kfree+0xe0/0x2f0
[ 76.765640] destroy_user_event+0x305/0x450
[ 76.766030] delayed_destroy_user_event+0x5c/0xe0
[ 76.766456] process_one_work+0x81c/0x1970
[ 76.766839] worker_thread+0x608/0x1160
[ 76.767208] kthread+0x2be/0x3b0
[ 76.767538] ret_from_fork+0x2c/0x70
[ 76.767885] ret_from_fork_asm+0x1a/0x30
[ 76.771545]
[ 76.771751] Last potentially related work creation:
[ 76.772180] kasan_save_stack+0x20/0x40
[ 76.772545] __kasan_record_aux_stack+0x8e/0xa0
[ 76.772965] insert_work+0x20/0x1b0
[ 76.773306] __queue_work+0x67a/0xc60
[ 76.773665] queue_work_on+0x63/0x90
[ 76.774010] user_event_put+0x1f9/0x390
[ 76.774371] user_events_release+0x124/0x200
[ 76.774766] __fput+0x361/0xa60
[ 76.775088] __x64_sys_close+0x77/0xd0
[ 76.775449] do_syscall_64+0x66/0x130
[ 76.775800] entry_SYSCALL_64_after_hwframe+0x71/0x79
[ 76.776248]
[ 76.776461] The buggy address belongs to the object at ffff888004498800
[ 76.776461] which belongs to the cache kmalloc-cg-512 of size 512
[ 76.777456] The buggy address is located 264 bytes inside of
[ 76.777456] freed 512-byte region [ffff888004498800, ffff888004498a00)
[ 76.778409]
[ 76.778620] The buggy address belongs to the physical page:
[ 76.779272] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x4498
[ 76.779933] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 76.780577] memcg:ffff888003f75301
[ 76.780921] flags: 0x40(head|zone=0)
[ 76.781271] page_type: 0xffffefff(slab)
[ 76.781635] raw: 0000000000000040 ffff88800014cdc0 dead000000000100 dead000000000122
[ 76.782296] raw: 0000000000000000 0000000080100010 00000001ffffefff ffff888003f75301
[ 76.782948] head: 0000000000000040 ffff88800014cdc0 dead000000000100 dead000000000122
[ 76.783607] head: 0000000000000000 0000000080100010 00000001ffffefff ffff888003f75301
[ 76.784264] head: 0000000000000002 ffffea0000112601 ffffffffffffffff 0000000000000000
[ 76.784929] head: ffff888000000004 0000000000000000 00000000ffffffff 0000000000000000
[ 76.785587] page dumped because: kasan: bad access detected
[ 76.786070]
[ 76.786282] Memory state around the buggy address:
[ 76.786712] ffff888004498800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 76.787332] ffff888004498880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 76.787953] >ffff888004498900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 76.788574] ^
[ 76.788919] ffff888004498980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 76.789535] ffff888004498a00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 76.790152] ==================================================================
[ 76.790790] ==================================================================
[ 76.791412] BUG: KASAN: slab-use-after-free in user_event_get_fields+0x38/0x40
[ 76.792037] Read of size 8 at addr ffff8880044988b8 by task cat/4361
[ 76.792575]
[ 76.792791] CPU: 3 PID: 4361 Comm: cat Tainted: G B D N 6.10.0-vanilla+ #34
[ 76.793464] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
[ 76.794366] Call Trace:
[ 76.794637] <TASK>
[ 76.794882] dump_stack_lvl+0x66/0xa0
[ 76.795237] print_report+0xd0/0x630
[ 76.795589] ? user_event_get_fields+0x38/0x40
[ 76.796001] ? __virt_addr_valid+0x208/0x3f0
[ 76.796401] ? user_event_get_fields+0x38/0x40
[ 76.796820] kasan_report+0xd8/0x110
[ 76.797175] ? user_event_get_fields+0x38/0x40
[ 76.797585] user_event_get_fields+0x38/0x40
[ 76.797986] f_start+0x175/0x3d0
[ 76.798320] seq_read_iter+0x268/0x11e0
[ 76.798686] ? lock_release+0x453/0x600
[ 76.799057] seq_read+0x261/0x350
[ 76.799391] ? file_tty_write.isra.0+0x4f9/0x8b0
[ 76.799808] ? __pfx_seq_read+0x10/0x10
[ 76.800176] ? trace_irq_enable.constprop.0+0xce/0x110
[ 76.800631] vfs_read+0x171/0x9e0
[ 76.800968] ? lock_acquire+0x408/0x4b0
[ 76.801331] ? __pfx_vfs_read+0x10/0x10
[ 76.801695] ? do_raw_spin_lock+0x119/0x240
[ 76.802087] ? __pfx_task_mm_cid_work+0x10/0x10
[ 76.802498] ? __pfx_do_raw_spin_lock+0x10/0x10
[ 76.802914] ksys_read+0xdd/0x1a0
[ 76.803248] ? __pfx_ksys_read+0x10/0x10
[ 76.803621] ? trace_irq_enable.constprop.0+0xce/0x110
[ 76.804076] do_syscall_64+0x66/0x130
[ 76.804428] entry_SYSCALL_64_after_hwframe+0x71/0x79
[ 76.804883] RIP: 0033:0x7f9b5d95140e
[ 76.805234] Code: c0 e9 b6 fe ff ff 50 48 8d 3d 2e 08 0b 00 e8 69 01 02 00 66 0f 1f 84 00 00 00 00 00 64 8b 04 25 18 00 00 00 85 c0 75 14 0f 05 <48> 3d 00 f0 ff ff 77 5a c3 66 0f 1f 84 00 00 00 00 00 48 83 ec 28
[ 76.806649] RSP: 002b:00007ffd50ab1618 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
[ 76.807294] RAX: ffffffffffffffda RBX: 0000000000020000 RCX: 00007f9b5d95140e
[ 76.807885] RDX: 0000000000020000 RSI: 00007f9b5d845000 RDI: 0000000000000003
[ 76.808473] RBP: 00007f9b5d845000 R08: 00007f9b5d844010 R09: 0000000000000000
[ 76.809250] R10: fffffffffffffbc5 R11: 0000000000000246 R12: 0000000000000000
[ 76.809840] R13: 0000000000000003 R14: 0000000000020000 R15: 0000000000020000
[ 76.810428] </TASK>
[ 76.810680]
[ 76.810891] Allocated by task 4363:
[ 76.811230] kasan_save_stack+0x20/0x40
[ 76.811595] kasan_save_track+0x14/0x30
[ 76.811961] __kasan_kmalloc+0x8f/0xa0
[ 76.812321] user_event_parse_cmd+0x55e/0x25a0
[ 76.812725] user_events_ioctl+0xa52/0x17f0
[ 76.813123] __x64_sys_ioctl+0x133/0x190
[ 76.813496] do_syscall_64+0x66/0x130
[ 76.813849] entry_SYSCALL_64_after_hwframe+0x71/0x79
[ 76.814301]
[ 76.814511] Freed by task 341:
[ 76.814824] kasan_save_stack+0x20/0x40
[ 76.815193] kasan_save_track+0x14/0x30
[ 76.815561] kasan_save_free_info+0x3b/0x60
[ 76.815953] poison_slab_object+0x10a/0x170
[ 76.816341] __kasan_slab_free+0x14/0x30
[ 76.816714] kfree+0xe0/0x2f0
[ 76.817030] destroy_user_event+0x305/0x450
[ 76.817421] delayed_destroy_user_event+0x5c/0xe0
[ 76.817848] process_one_work+0x81c/0x1970
[ 76.818236] worker_thread+0x608/0x1160
[ 76.818604] kthread+0x2be/0x3b0
[ 76.818929] ret_from_fork+0x2c/0x70
[ 76.819279] ret_from_fork_asm+0x1a/0x30
[ 76.819651]
[ 76.819859] Last potentially related work creation:
[ 76.820292] kasan_save_stack+0x20/0x40
[ 76.820656] __kasan_record_aux_stack+0x8e/0xa0
[ 76.821074] insert_work+0x20/0x1b0
[ 76.821418] __queue_work+0x67a/0xc60
[ 76.821771] queue_work_on+0x63/0x90
[ 76.822121] user_event_put+0x1f9/0x390
[ 76.822492] user_events_release+0x124/0x200
[ 76.822889] __fput+0x361/0xa60
[ 76.823213] __x64_sys_close+0x77/0xd0
[ 76.823570] do_syscall_64+0x66/0x130
[ 76.823925] entry_SYSCALL_64_after_hwframe+0x71/0x79
[ 76.824375]
[ 76.824583] The buggy address belongs to the object at ffff888004498800
[ 76.824583] which belongs to the cache kmalloc-cg-512 of size 512
[ 76.825572] The buggy address is located 184 bytes inside of
[ 76.825572] freed 512-byte region [ffff888004498800, ffff888004498a00)
[ 76.826529]
[ 76.826741] The buggy address belongs to the physical page:
[ 76.827220] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x4498
[ 76.827877] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 76.828529] memcg:ffff888003f75301
[ 76.828878] flags: 0x40(head|zone=0)
[ 76.829230] page_type: 0xffffefff(slab)
[ 76.829595] raw: 0000000000000040 ffff88800014cdc0 dead000000000100 dead000000000122
[ 76.830251] raw: 0000000000000000 0000000080100010 00000001ffffefff ffff888003f75301
[ 76.830914] head: 0000000000000040 ffff88800014cdc0 dead000000000100 dead000000000122
[ 76.831580] head: 0000000000000000 0000000080100010 00000001ffffefff ffff888003f75301
[ 76.832242] head: 0000000000000002 ffffea0000112601 ffffffffffffffff 0000000000000000
[ 76.832916] head: ffff888000000004 0000000000000000 00000000ffffffff 0000000000000000
[ 76.833579] page dumped because: kasan: bad access detected
[ 76.834064]
[ 76.834274] Memory state around the buggy address:
[ 76.834702] ffff888004498780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 76.835322] ffff888004498800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 76.835942] >ffff888004498880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 76.836565] ^
[ 76.837014] ffff888004498900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 76.841610] ffff888004498980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 76.842230] ==================================================================
[ 76.842864] ==================================================================
[ 76.843516] BUG: KASAN: slab-use-after-free in f_start+0x2e4/0x3d0
[ 76.844044] Read of size 8 at addr ffff888004498870 by task cat/4361
[ 76.844582]
[ 76.844793] CPU: 3 PID: 4361 Comm: cat Tainted: G B D N 6.10.0-vanilla+ #34
[ 76.845474] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
[ 76.846383] Call Trace:
[ 76.846657] <TASK>
[ 76.846906] dump_stack_lvl+0x66/0xa0
[ 76.847261] print_report+0xd0/0x630
[ 76.847611] ? f_start+0x2e4/0x3d0
[ 76.847950] ? __virt_addr_valid+0x208/0x3f0
[ 76.848346] ? f_start+0x2e4/0x3d0
[ 76.848689] kasan_report+0xd8/0x110
[ 76.849043] ? f_start+0x2e4/0x3d0
[ 76.849380] f_start+0x2e4/0x3d0
[ 76.849712] seq_read_iter+0x268/0x11e0
[ 76.850080] ? lock_release+0x453/0x600
[ 76.850450] seq_read+0x261/0x350
[ 76.850784] ? file_tty_write.isra.0+0x4f9/0x8b0
[ 76.851207] ? __pfx_seq_read+0x10/0x10
[ 76.851575] ? trace_irq_enable.constprop.0+0xce/0x110
[ 76.852036] vfs_read+0x171/0x9e0
[ 76.852368] ? lock_acquire+0x408/0x4b0
[ 76.852741] ? __pfx_vfs_read+0x10/0x10
[ 76.853110] ? do_raw_spin_lock+0x119/0x240
[ 76.853501] ? __pfx_task_mm_cid_work+0x10/0x10
[ 76.853921] ? __pfx_do_raw_spin_lock+0x10/0x10
[ 76.854341] ksys_read+0xdd/0x1a0
[ 76.854670] ? __pfx_ksys_read+0x10/0x10
[ 76.855044] ? trace_irq_enable.constprop.0+0xce/0x110
[ 76.855504] do_syscall_64+0x66/0x130
[ 76.855861] entry_SYSCALL_64_after_hwframe+0x71/0x79
[ 76.856311] RIP: 0033:0x7f9b5d95140e
[ 76.856657] Code: c0 e9 b6 fe ff ff 50 48 8d 3d 2e 08 0b 00 e8 69 01 02 00 66 0f 1f 84 00 00 00 00 00 64 8b 04 25 18 00 00 00 85 c0 75 14 0f 05 <48> 3d 00 f0 ff ff 77 5a c3 66 0f 1f 84 00 00 00 00 00 48 83 ec 28
[ 76.858096] RSP: 002b:00007ffd50ab1618 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
[ 76.858740] RAX: ffffffffffffffda RBX: 0000000000020000 RCX: 00007f9b5d95140e
[ 76.859332] RDX: 0000000000020000 RSI: 00007f9b5d845000 RDI: 0000000000000003
[ 76.859923] RBP: 00007f9b5d845000 R08: 00007f9b5d844010 R09: 0000000000000000
[ 76.860515] R10: fffffffffffffbc5 R11: 0000000000000246 R12: 0000000000000000
[ 76.861112] R13: 0000000000000003 R14: 0000000000020000 R15: 0000000000020000
[ 76.861704] </TASK>
[ 76.861960]
[ 76.862165] Allocated by task 4363:
[ 76.862513] kasan_save_stack+0x20/0x40
[ 76.862883] kasan_save_track+0x14/0x30
[ 76.863246] __kasan_kmalloc+0x8f/0xa0
[ 76.863608] user_event_parse_cmd+0x55e/0x25a0
[ 76.864020] user_events_ioctl+0xa52/0x17f0
[ 76.864410] __x64_sys_ioctl+0x133/0x190
[ 76.864788] do_syscall_64+0x66/0x130
[ 76.865145] entry_SYSCALL_64_after_hwframe+0x71/0x79
[ 76.865594]
[ 76.865803] Freed by task 341:
[ 76.866120] kasan_save_stack+0x20/0x40
[ 76.866489] kasan_save_track+0x14/0x30
[ 76.866855] kasan_save_free_info+0x3b/0x60
[ 76.867246] poison_slab_object+0x10a/0x170
[ 76.867637] __kasan_slab_free+0x14/0x30
[ 76.868011] kfree+0xe0/0x2f0
[ 76.868322] destroy_user_event+0x305/0x450
[ 76.868714] delayed_destroy_user_event+0x5c/0xe0
[ 76.869318] process_one_work+0x81c/0x1970
[ 76.869709] worker_thread+0x608/0x1160
[ 76.870074] kthread+0x2be/0x3b0
[ 76.870404] ret_from_fork+0x2c/0x70
[ 76.870756] ret_from_fork_asm+0x1a/0x30
[ 76.871131]
[ 76.871343] Last potentially related work creation:
[ 76.871781] kasan_save_stack+0x20/0x40
[ 76.872146] __kasan_record_aux_stack+0x8e/0xa0
[ 76.872564] insert_work+0x20/0x1b0
[ 76.872917] __queue_work+0x67a/0xc60
[ 76.873274] queue_work_on+0x63/0x90
[ 76.873622] user_event_put+0x1f9/0x390
[ 76.873997] user_events_release+0x124/0x200
[ 76.874397] __fput+0x361/0xa60
[ 76.874717] __x64_sys_close+0x77/0xd0
[ 76.875080] do_syscall_64+0x66/0x130
[ 76.875439] entry_SYSCALL_64_after_hwframe+0x71/0x79
[ 76.875892]
[ 76.876100] The buggy address belongs to the object at ffff888004498800
[ 76.876100] which belongs to the cache kmalloc-cg-512 of size 512
[ 76.877105] The buggy address is located 112 bytes inside of
[ 76.877105] freed 512-byte region [ffff888004498800, ffff888004498a00)
[ 76.878060]
[ 76.878268] The buggy address belongs to the physical page:
[ 76.878755] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x4498
[ 76.879421] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 76.880079] memcg:ffff888003f75301
[ 76.880414] flags: 0x40(head|zone=0)
[ 76.880767] page_type: 0xffffefff(slab)
[ 76.881138] raw: 0000000000000040 ffff88800014cdc0 dead000000000100 dead000000000122
[ 76.881796] raw: 0000000000000000 0000000080100010 00000001ffffefff ffff888003f75301
[ 76.882455] head: 0000000000000040 ffff88800014cdc0 dead000000000100 dead000000000122
[ 76.883112] head: 0000000000000000 0000000080100010 00000001ffffefff ffff888003f75301
[ 76.883777] head: 0000000000000002 ffffea0000112601 ffffffffffffffff 0000000000000000
[ 76.884436] head: ffff888000000004 0000000000000000 00000000ffffffff 0000000000000000
[ 76.885104] page dumped because: kasan: bad access detected
[ 76.885583]
[ 76.885793] Memory state around the buggy address:
[ 76.886226] ffff888004498700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 76.886851] ffff888004498780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 76.887471] >ffff888004498800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 76.888092] ^
[ 76.888667] ffff888004498880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 76.889296] ffff888004498900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 76.889920] ==================================================================
[ 76.890561] ==================================================================
[ 76.891216] BUG: KASAN: slab-use-after-free in f_start+0x2cb/0x3d0
[ 76.891740] Read of size 8 at addr ffff888004498908 by task cat/4361
[ 76.892276]
[ 76.892488] CPU: 3 PID: 4361 Comm: cat Tainted: G B D N 6.10.0-vanilla+ #34
[ 76.893168] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
[ 76.894078] Call Trace:
[ 76.894352] <TASK>
[ 76.894599] dump_stack_lvl+0x66/0xa0
[ 76.894956] print_report+0xd0/0x630
[ 76.895306] ? f_start+0x2cb/0x3d0
[ 76.895641] ? __virt_addr_valid+0x208/0x3f0
[ 76.896044] ? f_start+0x2cb/0x3d0
[ 76.896381] kasan_report+0xd8/0x110
[ 76.896737] ? f_start+0x2cb/0x3d0
[ 76.897076] f_start+0x2cb/0x3d0
[ 76.897402] seq_read_iter+0x268/0x11e0
[ 76.897769] ? lock_release+0x453/0x600
[ 76.898138] seq_read+0x261/0x350
[ 76.898473] ? file_tty_write.isra.0+0x4f9/0x8b0
[ 76.899108] ? __pfx_seq_read+0x10/0x10
[ 76.899484] ? trace_irq_enable.constprop.0+0xce/0x110
[ 76.899944] vfs_read+0x171/0x9e0
[ 76.900282] ? lock_acquire+0x408/0x4b0
[ 76.900652] ? __pfx_vfs_read+0x10/0x10
[ 76.901022] ? do_raw_spin_lock+0x119/0x240
[ 76.901414] ? __pfx_task_mm_cid_work+0x10/0x10
[ 76.901831] ? __pfx_do_raw_spin_lock+0x10/0x10
[ 76.902246] ksys_read+0xdd/0x1a0
[ 76.902578] ? __pfx_ksys_read+0x10/0x10
[ 76.902957] ? trace_irq_enable.constprop.0+0xce/0x110
[ 76.903411] do_syscall_64+0x66/0x130
[ 76.903766] entry_SYSCALL_64_after_hwframe+0x71/0x79
[ 76.904209] RIP: 0033:0x7f9b5d95140e
[ 76.904566] Code: c0 e9 b6 fe ff ff 50 48 8d 3d 2e 08 0b 00 e8 69 01 02 00 66 0f 1f 84 00 00 00 00 00 64 8b 04 25 18 00 00 00 85 c0 75 14 0f 05 <48> 3d 00 f0 ff ff 77 5a c3 66 0f 1f 84 00 00 00 00 00 48 83 ec 28
[ 76.905997] RSP: 002b:00007ffd50ab1618 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
[ 76.906638] RAX: ffffffffffffffda RBX: 0000000000020000 RCX: 00007f9b5d95140e
[ 76.907233] RDX: 0000000000020000 RSI: 00007f9b5d845000 RDI: 0000000000000003
[ 76.907823] RBP: 00007f9b5d845000 R08: 00007f9b5d844010 R09: 0000000000000000
[ 76.908410] R10: fffffffffffffbc5 R11: 0000000000000246 R12: 0000000000000000
[ 76.908997] R13: 0000000000000003 R14: 0000000000020000 R15: 0000000000020000
[ 76.913376] </TASK>
[ 76.913621]
[ 76.913829] Allocated by task 4363:
[ 76.914160] kasan_save_stack+0x20/0x40
[ 76.914533] kasan_save_track+0x14/0x30
[ 76.914889] __kasan_kmalloc+0x8f/0xa0
[ 76.915244] user_event_parse_cmd+0x55e/0x25a0
[ 76.915650] user_events_ioctl+0xa52/0x17f0
[ 76.916041] __x64_sys_ioctl+0x133/0x190
[ 76.916408] do_syscall_64+0x66/0x130
[ 76.916765] entry_SYSCALL_64_after_hwframe+0x71/0x79
[ 76.917215]
[ 76.917427] Freed by task 341:
[ 76.917738] kasan_save_stack+0x20/0x40
[ 76.918104] kasan_save_track+0x14/0x30
[ 76.918472] kasan_save_free_info+0x3b/0x60
[ 76.918858] poison_slab_object+0x10a/0x170
[ 76.919246] __kasan_slab_free+0x14/0x30
[ 76.919616] kfree+0xe0/0x2f0
[ 76.919928] destroy_user_event+0x305/0x450
[ 76.920313] delayed_destroy_user_event+0x5c/0xe0
[ 76.920744] process_one_work+0x81c/0x1970
[ 76.921130] worker_thread+0x608/0x1160
[ 76.921493] kthread+0x2be/0x3b0
[ 76.921815] ret_from_fork+0x2c/0x70
[ 76.922170] ret_from_fork_asm+0x1a/0x30
[ 76.922545]
[ 76.922754] Last potentially related work creation:
[ 76.923198] kasan_save_stack+0x20/0x40
[ 76.923565] __kasan_record_aux_stack+0x8e/0xa0
[ 76.923977] insert_work+0x20/0x1b0
[ 76.924320] __queue_work+0x67a/0xc60
[ 76.924678] queue_work_on+0x63/0x90
[ 76.925031] user_event_put+0x1f9/0x390
[ 76.925396] user_events_release+0x124/0x200
[ 76.925793] __fput+0x361/0xa60
[ 76.926116] __x64_sys_close+0x77/0xd0
[ 76.926476] do_syscall_64+0x66/0x130
[ 76.926833] entry_SYSCALL_64_after_hwframe+0x71/0x79
[ 76.927282]
[ 76.927490] The buggy address belongs to the object at ffff888004498800
[ 76.927490] which belongs to the cache kmalloc-cg-512 of size 512
[ 76.928484] The buggy address is located 264 bytes inside of
[ 76.928484] freed 512-byte region [ffff888004498800, ffff888004498a00)
[ 76.929572]
[ 76.929784] The buggy address belongs to the physical page:
[ 76.930267] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x4498
[ 76.930928] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 76.931576] memcg:ffff888003f75301
[ 76.931916] flags: 0x40(head|zone=0)
[ 76.932266] page_type: 0xffffefff(slab)
[ 76.932632] raw: 0000000000000040 ffff88800014cdc0 dead000000000100 dead000000000122
[ 76.933302] raw: 0000000000000000 0000000080100010 00000001ffffefff ffff888003f75301
[ 76.933958] head: 0000000000000040 ffff88800014cdc0 dead000000000100 dead000000000122
[ 76.934619] head: 0000000000000000 0000000080100010 00000001ffffefff ffff888003f75301
[ 76.935280] head: 0000000000000002 ffffea0000112601 ffffffffffffffff 0000000000000000
[ 76.935945] head: ffff888000000004 0000000000000000 00000000ffffffff 0000000000000000
[ 76.936601] page dumped because: kasan: bad access detected
[ 76.937082]
[ 76.937293] Memory state around the buggy address:
[ 76.937721] ffff888004498800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 76.938344] ffff888004498880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 76.938964] >ffff888004498900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 76.939582] ^
[ 76.939924] ffff888004498980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 76.940555] ffff888004498a00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 76.941177] ==================================================================
[ 76.941823] ==================================================================
[ 76.942447] BUG: KASAN: slab-use-after-free in user_event_get_fields+0x38/0x40
[ 76.943071] Read of size 8 at addr ffff8880044988b8 by task cat/4361
[ 76.943610]
[ 76.943822] CPU: 3 PID: 4361 Comm: cat Tainted: G B D N 6.10.0-vanilla+ #34
[ 76.944488] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
[ 76.945394] Call Trace:
[ 76.945664] <TASK>
[ 76.945912] dump_stack_lvl+0x66/0xa0
[ 76.946266] print_report+0xd0/0x630
[ 76.946619] ? user_event_get_fields+0x38/0x40
[ 76.947029] ? __virt_addr_valid+0x208/0x3f0
[ 76.947436] ? user_event_get_fields+0x38/0x40
[ 76.947850] kasan_report+0xd8/0x110
[ 76.948201] ? user_event_get_fields+0x38/0x40
[ 76.948610] user_event_get_fields+0x38/0x40
[ 76.949016] f_start+0x175/0x3d0
[ 76.949346] seq_read_iter+0x268/0x11e0
[ 76.949712] ? lock_release+0x453/0x600
[ 76.950081] seq_read+0x261/0x350
[ 76.950417] ? file_tty_write.isra.0+0x4f9/0x8b0
[ 76.950837] ? __pfx_seq_read+0x10/0x10
[ 76.951203] ? trace_irq_enable.constprop.0+0xce/0x110
[ 76.951663] vfs_read+0x171/0x9e0
[ 76.952000] ? lock_acquire+0x408/0x4b0
[ 76.952366] ? __pfx_vfs_read+0x10/0x10
[ 76.952739] ? do_raw_spin_lock+0x119/0x240
[ 76.953136] ? __pfx_task_mm_cid_work+0x10/0x10
[ 76.953551] ? __pfx_do_raw_spin_lock+0x10/0x10
[ 76.953969] ksys_read+0xdd/0x1a0
[ 76.954302] ? __pfx_ksys_read+0x10/0x10
[ 76.954675] ? trace_irq_enable.constprop.0+0xce/0x110
[ 76.955129] do_syscall_64+0x66/0x130
[ 76.955485] entry_SYSCALL_64_after_hwframe+0x71/0x79
[ 76.955938] RIP: 0033:0x7f9b5d95140e
[ 76.956290] Code: c0 e9 b6 fe ff ff 50 48 8d 3d 2e 08 0b 00 e8 69 01 02 00 66 0f 1f 84 00 00 00 00 00 64 8b 04 25 18 00 00 00 85 c0 75 14 0f 05 <48> 3d 00 f0 ff ff 77 5a c3 66 0f 1f 84 00 00 00 00 00 48 83 ec 28
[ 76.957711] RSP: 002b:00007ffd50ab1618 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
[ 76.958356] RAX: ffffffffffffffda RBX: 0000000000020000 RCX: 00007f9b5d95140e
[ 76.959211] RDX: 0000000000020000 RSI: 00007f9b5d845000 RDI: 0000000000000003
[ 76.959810] RBP: 00007f9b5d845000 R08: 00007f9b5d844010 R09: 0000000000000000
[ 76.960398] R10: fffffffffffffbc5 R11: 0000000000000246 R12: 0000000000000000
[ 76.960994] R13: 0000000000000003 R14: 0000000000020000 R15: 0000000000020000
[ 76.961598] </TASK>
[ 76.961851]
[ 76.962064] Allocated by task 4363:
[ 76.962410] kasan_save_stack+0x20/0x40
[ 76.962779] kasan_save_track+0x14/0x30
[ 76.963154] __kasan_kmalloc+0x8f/0xa0
[ 76.963517] user_event_parse_cmd+0x55e/0x25a0
[ 76.963924] user_events_ioctl+0xa52/0x17f0
[ 76.964316] __x64_sys_ioctl+0x133/0x190
[ 76.964691] do_syscall_64+0x66/0x130
[ 76.965053] entry_SYSCALL_64_after_hwframe+0x71/0x79
[ 76.965506]
[ 76.965719] Freed by task 341:
[ 76.966036] kasan_save_stack+0x20/0x40
[ 76.966409] kasan_save_track+0x14/0x30
[ 76.966780] kasan_save_free_info+0x3b/0x60
[ 76.967170] poison_slab_object+0x10a/0x170
[ 76.967556] __kasan_slab_free+0x14/0x30
[ 76.967935] kfree+0xe0/0x2f0
[ 76.968251] destroy_user_event+0x305/0x450
[ 76.968643] delayed_destroy_user_event+0x5c/0xe0
[ 76.969071] process_one_work+0x81c/0x1970
[ 76.969459] worker_thread+0x608/0x1160
[ 76.969833] kthread+0x2be/0x3b0
[ 76.970160] ret_from_fork+0x2c/0x70
[ 76.970514] ret_from_fork_asm+0x1a/0x30
[ 76.970889]
[ 76.971100] Last potentially related work creation:
[ 76.971541] kasan_save_stack+0x20/0x40
[ 76.971910] __kasan_record_aux_stack+0x8e/0xa0
[ 76.972332] insert_work+0x20/0x1b0
[ 76.972676] __queue_work+0x67a/0xc60
[ 76.973038] queue_work_on+0x63/0x90
[ 76.973390] user_event_put+0x1f9/0x390
[ 76.973758] user_events_release+0x124/0x200
[ 76.974157] __fput+0x361/0xa60
[ 76.974480] __x64_sys_close+0x77/0xd0
[ 76.974839] do_syscall_64+0x66/0x130
[ 76.975194] entry_SYSCALL_64_after_hwframe+0x71/0x79
[ 76.975655]
[ 76.975870] The buggy address belongs to the object at ffff888004498800
[ 76.975870] which belongs to the cache kmalloc-cg-512 of size 512
[ 76.976871] The buggy address is located 184 bytes inside of
[ 76.976871] freed 512-byte region [ffff888004498800, ffff888004498a00)
[ 76.977837]
[ 76.978046] The buggy address belongs to the physical page:
[ 76.978539] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x4498
[ 76.979204] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 76.983681] memcg:ffff888003f75301
[ 76.984030] flags: 0x40(head|zone=0)
[ 76.984382] page_type: 0xffffefff(slab)
[ 76.984756] raw: 0000000000000040 ffff88800014cdc0 dead000000000100 dead000000000122
[ 76.985416] raw: 0000000000000000 0000000080100010 00000001ffffefff ffff888003f75301
[ 76.986075] head: 0000000000000040 ffff88800014cdc0 dead000000000100 dead000000000122
[ 76.986746] head: 0000000000000000 0000000080100010 00000001ffffefff ffff888003f75301
[ 76.987412] head: 0000000000000002 ffffea0000112601 ffffffffffffffff 0000000000000000
[ 76.988077] head: ffff888000000004 0000000000000000 00000000ffffffff 0000000000000000
[ 76.988750] page dumped because: kasan: bad access detected
[ 76.989462]
[ 76.989676] Memory state around the buggy address:
[ 76.990115] ffff888004498780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 76.990742] ffff888004498800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 76.991362] >ffff888004498880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 76.991985] ^
[ 76.992440] ffff888004498900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 76.993072] ffff888004498980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 76.993700] ==================================================================
[ 77.169935] ==================================================================
[ 77.170564] BUG: KASAN: slab-use-after-free in f_start+0x2e4/0x3d0
[ 77.171098] Read of size 8 at addr ffff888004498870 by task cat/4361
[ 77.171647]
[ 77.171861] CPU: 3 PID: 4361 Comm: cat Tainted: G B D N 6.10.0-vanilla+ #34
[ 77.172545] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
[ 77.173471] Call Trace:
[ 77.173750] <TASK>
[ 77.174000] dump_stack_lvl+0x66/0xa0
[ 77.174361] print_report+0xd0/0x630
[ 77.174717] ? f_start+0x2e4/0x3d0
[ 77.175055] ? __virt_addr_valid+0x208/0x3f0
[ 77.175459] ? f_start+0x2e4/0x3d0
[ 77.175800] kasan_report+0xd8/0x110
[ 77.176153] ? f_start+0x2e4/0x3d0
[ 77.176498] f_start+0x2e4/0x3d0
[ 77.176836] seq_read_iter+0x268/0x11e0
[ 77.177207] ? lock_release+0x453/0x600
[ 77.177574] seq_read+0x261/0x350
[ 77.177918] ? file_tty_write.isra.0+0x4f9/0x8b0
[ 77.178351] ? __pfx_seq_read+0x10/0x10
[ 77.178719] ? trace_irq_enable.constprop.0+0xce/0x110
[ 77.179184] vfs_read+0x171/0x9e0
[ 77.179525] ? lock_acquire+0x408/0x4b0
[ 77.179895] ? __pfx_vfs_read+0x10/0x10
[ 77.180266] ? do_raw_spin_lock+0x119/0x240
[ 77.180661] ? __pfx_task_mm_cid_work+0x10/0x10
[ 77.181086] ? __pfx_do_raw_spin_lock+0x10/0x10
[ 77.181503] ksys_read+0xdd/0x1a0
[ 77.181837] ? __pfx_ksys_read+0x10/0x10
[ 77.182216] ? trace_irq_enable.constprop.0+0xce/0x110
[ 77.182676] do_syscall_64+0x66/0x130
[ 77.183034] entry_SYSCALL_64_after_hwframe+0x71/0x79
[ 77.188928] </TASK>
[ 77.189185]
[ 77.189396] Allocated by task 4363:
[ 77.189745] kasan_save_stack+0x20/0x40
[ 77.190119] kasan_save_track+0x14/0x30
[ 77.190490] __kasan_kmalloc+0x8f/0xa0
[ 77.190856] user_event_parse_cmd+0x55e/0x25a0
[ 77.191268] user_events_ioctl+0xa52/0x17f0
[ 77.191658] __x64_sys_ioctl+0x133/0x190
[ 77.192039] do_syscall_64+0x66/0x130
[ 77.192401] entry_SYSCALL_64_after_hwframe+0x71/0x79
[ 77.192860]
[ 77.193067] Freed by task 341:
[ 77.193386] kasan_save_stack+0x20/0x40
[ 77.193754] kasan_save_track+0x14/0x30
[ 77.194124] kasan_save_free_info+0x3b/0x60
[ 77.194519] poison_slab_object+0x10a/0x170
[ 77.194916] __kasan_slab_free+0x14/0x30
[ 77.195290] kfree+0xe0/0x2f0
[ 77.195607] destroy_user_event+0x305/0x450
[ 77.196000] delayed_destroy_user_event+0x5c/0xe0
[ 77.196433] process_one_work+0x81c/0x1970
[ 77.196826] worker_thread+0x608/0x1160
[ 77.197196] kthread+0x2be/0x3b0
[ 77.197525] ret_from_fork+0x2c/0x70
[ 77.197878] ret_from_fork_asm+0x1a/0x30
[ 77.198256]
[ 77.198468] Last potentially related work creation:
[ 77.199117] kasan_save_stack+0x20/0x40
[ 77.199490] __kasan_record_aux_stack+0x8e/0xa0
[ 77.199910] insert_work+0x20/0x1b0
[ 77.200257] __queue_work+0x67a/0xc60
[ 77.200614] queue_work_on+0x63/0x90
[ 77.200974] user_event_put+0x1f9/0x390
[ 77.201347] user_events_release+0x124/0x200
[ 77.201749] __fput+0x361/0xa60
[ 77.202071] __x64_sys_close+0x77/0xd0
[ 77.202437] do_syscall_64+0x66/0x130
[ 77.202796] entry_SYSCALL_64_after_hwframe+0x71/0x79
[ 77.203252]
[ 77.203462] The buggy address belongs to the object at ffff888004498800
[ 77.203462] which belongs to the cache kmalloc-cg-512 of size 512
[ 77.204463] The buggy address is located 112 bytes inside of
[ 77.204463] freed 512-byte region [ffff888004498800, ffff888004498a00)
[ 77.205433]
[ 77.205645] The buggy address belongs to the physical page:
[ 77.206135] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x4498
[ 77.206806] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 77.207463] memcg:ffff888003f75301
[ 77.207805] flags: 0x40(head|zone=0)
[ 77.208158] page_type: 0xffffefff(slab)
[ 77.212543] page dumped because: kasan: bad access detected
[ 77.213074]
[ 77.213284] Memory state around the buggy address:
[ 77.213717] ffff888004498700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 77.214345] ffff888004498780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 77.214976] >ffff888004498800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 77.215601] ^
[ 77.216176] ffff888004498880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 77.220640] ffff888004498900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 77.221269] ==================================================================
[ 77.221913] ==================================================================
[ 77.222542] BUG: KASAN: slab-use-after-free in f_start+0x2cb/0x3d0
[ 77.223077] Read of size 8 at addr ffff888004498908 by task cat/4361
[ 77.223620]
[ 77.223831] CPU: 3 PID: 4361 Comm: cat Tainted: G B D N 6.10.0-vanilla+ #34
[ 77.224520] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
[ 77.225446] Call Trace:
[ 77.225719] <TASK>
[ 77.225973] dump_stack_lvl+0x66/0xa0
[ 77.226337] print_report+0xd0/0x630
[ 77.226688] ? f_start+0x2cb/0x3d0
[ 77.227034] ? __virt_addr_valid+0x208/0x3f0
[ 77.227433] ? f_start+0x2cb/0x3d0
[ 77.227777] kasan_report+0xd8/0x110
[ 77.228134] ? f_start+0x2cb/0x3d0
[ 77.228476] f_start+0x2cb/0x3d0
[ 77.228975] seq_read_iter+0x268/0x11e0
[ 77.229349] ? lock_release+0x453/0x600
[ 77.229722] seq_read+0x261/0x350
[ 77.230057] ? file_tty_write.isra.0+0x4f9/0x8b0
[ 77.230479] ? __pfx_seq_read+0x10/0x10
[ 77.230850] ? trace_irq_enable.constprop.0+0xce/0x110
[ 77.231312] vfs_read+0x171/0x9e0
[ 77.231647] ? lock_acquire+0x408/0x4b0
[ 77.232018] ? __pfx_vfs_read+0x10/0x10
[ 77.232392] ? do_raw_spin_lock+0x119/0x240
[ 77.232792] ? __pfx_task_mm_cid_work+0x10/0x10
[ 77.233211] ? __pfx_do_raw_spin_lock+0x10/0x10
[ 77.233631] ksys_read+0xdd/0x1a0
[ 77.233970] ? __pfx_ksys_read+0x10/0x10
[ 77.234346] ? trace_irq_enable.constprop.0+0xce/0x110
[ 77.234807] do_syscall_64+0x66/0x130
[ 77.235169] entry_SYSCALL_64_after_hwframe+0x71/0x79
[ 77.241053] </TASK>
[ 77.241313]
[ 77.241521] Allocated by task 4363:
[ 77.241865] kasan_save_stack+0x20/0x40
[ 77.242237] kasan_save_track+0x14/0x30
[ 77.242605] __kasan_kmalloc+0x8f/0xa0
[ 77.242973] user_event_parse_cmd+0x55e/0x25a0
[ 77.243389] user_events_ioctl+0xa52/0x17f0
[ 77.243784] __x64_sys_ioctl+0x133/0x190
[ 77.244160] do_syscall_64+0x66/0x130
[ 77.244517] entry_SYSCALL_64_after_hwframe+0x71/0x79
[ 77.244981]
[ 77.245192] Freed by task 341:
[ 77.245507] kasan_save_stack+0x20/0x40
[ 77.245880] kasan_save_track+0x14/0x30
[ 77.246255] kasan_save_free_info+0x3b/0x60
[ 77.246647] poison_slab_object+0x10a/0x170
[ 77.247046] __kasan_slab_free+0x14/0x30
[ 77.247423] kfree+0xe0/0x2f0
[ 77.247735] destroy_user_event+0x305/0x450
[ 77.248124] delayed_destroy_user_event+0x5c/0xe0
[ 77.248560] process_one_work+0x81c/0x1970
[ 77.248958] worker_thread+0x608/0x1160
[ 77.249328] kthread+0x2be/0x3b0
[ 77.249659] ret_from_fork+0x2c/0x70
[ 77.250015] ret_from_fork_asm+0x1a/0x30
[ 77.250391]
[ 77.250601] Last potentially related work creation:
[ 77.251045] kasan_save_stack+0x20/0x40
[ 77.251413] __kasan_record_aux_stack+0x8e/0xa0
[ 77.251830] insert_work+0x20/0x1b0
[ 77.252179] __queue_work+0x67a/0xc60
[ 77.252539] queue_work_on+0x63/0x90
[ 77.252895] user_event_put+0x1f9/0x390
[ 77.253267] user_events_release+0x124/0x200
[ 77.253668] __fput+0x361/0xa60
[ 77.253989] __x64_sys_close+0x77/0xd0
[ 77.254351] do_syscall_64+0x66/0x130
[ 77.254712] entry_SYSCALL_64_after_hwframe+0x71/0x79
[ 77.255167]
[ 77.255376] The buggy address belongs to the object at ffff888004498800
[ 77.255376] which belongs to the cache kmalloc-cg-512 of size 512
[ 77.256382] The buggy address is located 264 bytes inside of
[ 77.256382] freed 512-byte region [ffff888004498800, ffff888004498a00)
[ 77.257358]
[ 77.257566] The buggy address belongs to the physical page:
[ 77.258055] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x4498
[ 77.258729] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 77.259456] memcg:ffff888003f75301
[ 77.259798] flags: 0x40(head|zone=0)
[ 77.260149] page_type: 0xffffefff(slab)
[ 77.264538] page dumped because: kasan: bad access detected
[ 77.265032]
[ 77.265240] Memory state around the buggy address:
[ 77.265676] ffff888004498800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 77.266303] ffff888004498880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 77.266932] >ffff888004498900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 77.267556] ^
[ 77.267903] ffff888004498980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 77.268532] ffff888004498a00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 77.269160] ==================================================================
[ 77.269801] ==================================================================
[ 77.270437] BUG: KASAN: slab-use-after-free in user_event_get_fields+0x38/0x40
[ 77.271064] Read of size 8 at addr ffff8880044988b8 by task cat/4361
[ 77.271605]
[ 77.271816] CPU: 3 PID: 4361 Comm: cat Tainted: G B D N 6.10.0-vanilla+ #34
[ 77.272492] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
[ 77.273419] Call Trace:
[ 77.273694] <TASK>
[ 77.273948] dump_stack_lvl+0x66/0xa0
[ 77.274309] print_report+0xd0/0x630
[ 77.274660] ? user_event_get_fields+0x38/0x40
[ 77.275077] ? __virt_addr_valid+0x208/0x3f0
[ 77.275481] ? user_event_get_fields+0x38/0x40
[ 77.275893] kasan_report+0xd8/0x110
[ 77.276248] ? user_event_get_fields+0x38/0x40
[ 77.276665] user_event_get_fields+0x38/0x40
[ 77.277071] f_start+0x175/0x3d0
[ 77.277401] seq_read_iter+0x268/0x11e0
[ 77.277773] ? lock_release+0x453/0x600
[ 77.278144] seq_read+0x261/0x350
[ 77.278480] ? file_tty_write.isra.0+0x4f9/0x8b0
[ 77.278904] ? __pfx_seq_read+0x10/0x10
[ 77.279277] ? trace_irq_enable.constprop.0+0xce/0x110
[ 77.279741] vfs_read+0x171/0x9e0
[ 77.280076] ? lock_acquire+0x408/0x4b0
[ 77.280447] ? __pfx_vfs_read+0x10/0x10
[ 77.280824] ? do_raw_spin_lock+0x119/0x240
[ 77.281219] ? __pfx_task_mm_cid_work+0x10/0x10
[ 77.281635] ? __pfx_do_raw_spin_lock+0x10/0x10
[ 77.282057] ksys_read+0xdd/0x1a0
[ 77.282393] ? __pfx_ksys_read+0x10/0x10
[ 77.282766] ? trace_irq_enable.constprop.0+0xce/0x110
[ 77.283224] do_syscall_64+0x66/0x130
[ 77.283582] entry_SYSCALL_64_after_hwframe+0x71/0x79
[ 77.293599] </TASK>
[ 77.293857]
[ 77.294069] Allocated by task 4363:
[ 77.294418] kasan_save_stack+0x20/0x40
[ 77.294786] kasan_save_track+0x14/0x30
[ 77.295156] __kasan_kmalloc+0x8f/0xa0
[ 77.295523] user_event_parse_cmd+0x55e/0x25a0
[ 77.295939] user_events_ioctl+0xa52/0x17f0
[ 77.296330] __x64_sys_ioctl+0x133/0x190
[ 77.296703] do_syscall_64+0x66/0x130
[ 77.297072] entry_SYSCALL_64_after_hwframe+0x71/0x79
[ 77.297530]
[ 77.297739] Freed by task 341:
[ 77.298059] kasan_save_stack+0x20/0x40
[ 77.298429] kasan_save_track+0x14/0x30
[ 77.298797] kasan_save_free_info+0x3b/0x60
[ 77.299195] poison_slab_object+0x10a/0x170
[ 77.299589] __kasan_slab_free+0x14/0x30
[ 77.299965] kfree+0xe0/0x2f0
[ 77.300279] destroy_user_event+0x305/0x450
[ 77.300674] delayed_destroy_user_event+0x5c/0xe0
[ 77.301113] process_one_work+0x81c/0x1970
[ 77.301500] worker_thread+0x608/0x1160
[ 77.301868] kthread+0x2be/0x3b0
[ 77.302201] ret_from_fork+0x2c/0x70
[ 77.302555] ret_from_fork_asm+0x1a/0x30
[ 77.302934]
[ 77.303145] Last potentially related work creation:
[ 77.303584] kasan_save_stack+0x20/0x40
[ 77.303952] __kasan_record_aux_stack+0x8e/0xa0
[ 77.304373] insert_work+0x20/0x1b0
[ 77.304725] __queue_work+0x67a/0xc60
[ 77.305086] queue_work_on+0x63/0x90
[ 77.305437] user_event_put+0x1f9/0x390
[ 77.305813] user_events_release+0x124/0x200
[ 77.306216] __fput+0x361/0xa60
[ 77.306542] __x64_sys_close+0x77/0xd0
[ 77.306912] do_syscall_64+0x66/0x130
[ 77.307275] entry_SYSCALL_64_after_hwframe+0x71/0x79
[ 77.307729]
[ 77.307937] The buggy address belongs to the object at ffff888004498800
[ 77.307937] which belongs to the cache kmalloc-cg-512 of size 512
[ 77.308945] The buggy address is located 184 bytes inside of
[ 77.308945] freed 512-byte region [ffff888004498800, ffff888004498a00)
[ 77.309905]
[ 77.310113] The buggy address belongs to the physical page:
[ 77.310602] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x4498
[ 77.311271] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 77.311925] memcg:ffff888003f75301
[ 77.312263] flags: 0x40(head|zone=0)
[ 77.312615] page_type: 0xffffefff(slab)
[ 77.317009] page dumped because: kasan: bad access detected
[ 77.317496]
[ 77.317704] Memory state around the buggy address:
[ 77.318143] ffff888004498780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 77.318771] ffff888004498800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 77.319590] >ffff888004498880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 77.320217] ^
[ 77.320674] ffff888004498900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 77.321304] ffff888004498980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 77.321932] ==================================================================
[ 77.322577] ==================================================================
[ 77.323215] BUG: KASAN: slab-use-after-free in f_start+0x2f8/0x3d0
[ 77.323743] Read of size 8 at addr ffff888004498958 by task cat/4361
[ 77.324281]
[ 77.324498] CPU: 3 PID: 4361 Comm: cat Tainted: G B D N 6.10.0-vanilla+ #34
[ 77.325182] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
[ 77.326108] Call Trace:
[ 77.326383] <TASK>
[ 77.326634] dump_stack_lvl+0x66/0xa0
[ 77.326996] print_report+0xd0/0x630
[ 77.327354] ? f_start+0x2f8/0x3d0
[ 77.327695] ? __virt_addr_valid+0x208/0x3f0
[ 77.328098] ? f_start+0x2f8/0x3d0
[ 77.328442] kasan_report+0xd8/0x110
[ 77.328801] ? f_start+0x2f8/0x3d0
[ 77.329147] f_start+0x2f8/0x3d0
[ 77.329481] seq_read_iter+0x268/0x11e0
[ 77.329851] ? lock_release+0x453/0x600
[ 77.330222] seq_read+0x261/0x350
[ 77.330560] ? file_tty_write.isra.0+0x4f9/0x8b0
[ 77.330988] ? __pfx_seq_read+0x10/0x10
[ 77.331355] ? trace_irq_enable.constprop.0+0xce/0x110
[ 77.331820] vfs_read+0x171/0x9e0
[ 77.332157] ? lock_acquire+0x408/0x4b0
[ 77.332530] ? __pfx_vfs_read+0x10/0x10
[ 77.332907] ? do_raw_spin_lock+0x119/0x240
[ 77.333306] ? __pfx_task_mm_cid_work+0x10/0x10
[ 77.333725] ? __pfx_do_raw_spin_lock+0x10/0x10
[ 77.334144] ksys_read+0xdd/0x1a0
[ 77.334477] ? __pfx_ksys_read+0x10/0x10
[ 77.334855] ? trace_irq_enable.constprop.0+0xce/0x110
[ 77.335319] do_syscall_64+0x66/0x130
[ 77.335677] entry_SYSCALL_64_after_hwframe+0x71/0x79
[ 77.341582] </TASK>
[ 77.341837]
[ 77.342048] Allocated by task 4363:
[ 77.342394] kasan_save_stack+0x20/0x40
[ 77.342763] kasan_save_track+0x14/0x30
[ 77.343138] __kasan_kmalloc+0x8f/0xa0
[ 77.343503] user_event_parse_cmd+0x55e/0x25a0
[ 77.343916] user_events_ioctl+0xa52/0x17f0
[ 77.344308] __x64_sys_ioctl+0x133/0x190
[ 77.344689] do_syscall_64+0x66/0x130
[ 77.345058] entry_SYSCALL_64_after_hwframe+0x71/0x79
[ 77.345511]
[ 77.345721] Freed by task 341:
[ 77.346039] kasan_save_stack+0x20/0x40
[ 77.346406] kasan_save_track+0x14/0x30
[ 77.346779] kasan_save_free_info+0x3b/0x60
[ 77.347173] poison_slab_object+0x10a/0x170
[ 77.347566] __kasan_slab_free+0x14/0x30
[ 77.347944] kfree+0xe0/0x2f0
[ 77.348259] destroy_user_event+0x305/0x450
[ 77.348655] delayed_destroy_user_event+0x5c/0xe0
[ 77.349341] process_one_work+0x81c/0x1970
[ 77.349735] worker_thread+0x608/0x1160
[ 77.350108] kthread+0x2be/0x3b0
[ 77.350441] ret_from_fork+0x2c/0x70
[ 77.350797] ret_from_fork_asm+0x1a/0x30
[ 77.351176]
[ 77.351391] Last potentially related work creation:
[ 77.351832] kasan_save_stack+0x20/0x40
[ 77.352211] __kasan_record_aux_stack+0x8e/0xa0
[ 77.352636] insert_work+0x20/0x1b0
[ 77.352990] __queue_work+0x67a/0xc60
[ 77.353350] queue_work_on+0x63/0x90
[ 77.353706] user_event_put+0x1f9/0x390
[ 77.354081] user_events_release+0x124/0x200
[ 77.354482] __fput+0x361/0xa60
[ 77.354809] __x64_sys_close+0x77/0xd0
[ 77.355175] do_syscall_64+0x66/0x130
[ 77.355534] entry_SYSCALL_64_after_hwframe+0x71/0x79
[ 77.355990]
[ 77.356204] The buggy address belongs to the object at ffff888004498800
[ 77.356204] which belongs to the cache kmalloc-cg-512 of size 512
[ 77.357253] The buggy address is located 344 bytes inside of
[ 77.357253] freed 512-byte region [ffff888004498800, ffff888004498a00)
[ 77.358222]
[ 77.358435] The buggy address belongs to the physical page:
[ 77.358921] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x4498
[ 77.359588] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 77.364077] memcg:ffff888003f75301
[ 77.364422] flags: 0x40(head|zone=0)
[ 77.364784] page_type: 0xffffefff(slab)
[ 77.369174] page dumped because: kasan: bad access detected
[ 77.369667]
[ 77.369874] Memory state around the buggy address:
[ 77.370312] ffff888004498800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 77.370944] ffff888004498880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 77.371568] >ffff888004498900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 77.372196] ^
[ 77.372717] ffff888004498980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 77.373352] ffff888004498a00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 77.373978] ==================================================================
[ 77.474492] ==================================================================
[ 77.475144] BUG: KASAN: slab-use-after-free in user_event_get_fields+0x38/0x40
[ 77.475765] Read of size 8 at addr ffff8880044988b8 by task cat/4361
[ 77.476301]
[ 77.476514] CPU: 1 PID: 4361 Comm: cat Tainted: G B D N 6.10.0-vanilla+ #34
[ 77.477198] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
[ 77.478108] Call Trace:
[ 77.478380] <TASK>
[ 77.478631] dump_stack_lvl+0x66/0xa0
[ 77.478990] print_report+0xd0/0x630
[ 77.479344] ? user_event_get_fields+0x38/0x40
[ 77.479753] ? __virt_addr_valid+0x208/0x3f0
[ 77.480149] ? user_event_get_fields+0x38/0x40
[ 77.480558] kasan_report+0xd8/0x110
[ 77.480915] ? user_event_get_fields+0x38/0x40
[ 77.481322] user_event_get_fields+0x38/0x40
[ 77.481719] f_start+0x175/0x3d0
[ 77.482048] seq_read_iter+0x268/0x11e0
[ 77.482418] ? lock_release+0x453/0x600
[ 77.482788] seq_read+0x261/0x350
[ 77.483130] ? file_tty_write.isra.0+0x4f9/0x8b0
[ 77.483554] ? __pfx_seq_read+0x10/0x10
[ 77.483922] ? trace_irq_enable.constprop.0+0xce/0x110
[ 77.484378] vfs_read+0x171/0x9e0
[ 77.484713] ? lock_acquire+0x408/0x4b0
[ 77.485088] ? __pfx_vfs_read+0x10/0x10
[ 77.485453] ? do_raw_spin_lock+0x119/0x240
[ 77.485847] ? __pfx_task_mm_cid_work+0x10/0x10
[ 77.486266] ? __pfx_do_raw_spin_lock+0x10/0x10
[ 77.486681] ksys_read+0xdd/0x1a0
[ 77.487017] ? __pfx_ksys_read+0x10/0x10
[ 77.487392] ? trace_irq_enable.constprop.0+0xce/0x110
[ 77.487849] do_syscall_64+0x66/0x130
[ 77.488204] entry_SYSCALL_64_after_hwframe+0x71/0x79
[ 77.488655] RIP: 0033:0x7f9b5d95140e
[ 77.489010] Code: c0 e9 b6 fe ff ff 50 48 8d 3d 2e 08 0b 00 e8 69 01 02 00 66 0f 1f 84 00 00 00 00 00 64 8b 04 25 18 00 00 00 85 c0 75 14 0f 05 <48> 3d 00 f0 ff ff 77 5a c3 66 0f 1f 84 00 00 00 00 00 48 83 ec 28
[ 77.490438] RSP: 002b:00007ffd50ab1618 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
[ 77.491085] RAX: ffffffffffffffda RBX: 0000000000020000 RCX: 00007f9b5d95140e
[ 77.491678] RDX: 0000000000020000 RSI: 00007f9b5d845000 RDI: 0000000000000003
[ 77.492271] RBP: 00007f9b5d845000 R08: 00007f9b5d844010 R09: 0000000000000000
[ 77.492867] R10: fffffffffffffbc5 R11: 0000000000000246 R12: 0000000000000000
[ 77.493461] R13: 0000000000000003 R14: 0000000000020000 R15: 0000000000020000
[ 77.494056] </TASK>
[ 77.494309]
[ 77.494522] Allocated by task 4363:
[ 77.494869] kasan_save_stack+0x20/0x40
[ 77.495239] kasan_save_track+0x14/0x30
[ 77.495607] __kasan_kmalloc+0x8f/0xa0
[ 77.495972] user_event_parse_cmd+0x55e/0x25a0
[ 77.496378] user_events_ioctl+0xa52/0x17f0
[ 77.496772] __x64_sys_ioctl+0x133/0x190
[ 77.497147] do_syscall_64+0x66/0x130
[ 77.497503] entry_SYSCALL_64_after_hwframe+0x71/0x79
[ 77.497954]
[ 77.498160] Freed by task 341:
[ 77.498478] kasan_save_stack+0x20/0x40
[ 77.499043] kasan_save_track+0x14/0x30
[ 77.499412] kasan_save_free_info+0x3b/0x60
[ 77.499801] poison_slab_object+0x10a/0x170
[ 77.500189] __kasan_slab_free+0x14/0x30
[ 77.500561] kfree+0xe0/0x2f0
[ 77.500881] destroy_user_event+0x305/0x450
[ 77.501272] delayed_destroy_user_event+0x5c/0xe0
[ 77.501695] process_one_work+0x81c/0x1970
[ 77.502080] worker_thread+0x608/0x1160
[ 77.502448] kthread+0x2be/0x3b0
[ 77.506625] ret_from_fork+0x2c/0x70
[ 77.506981] ret_from_fork_asm+0x1a/0x30
[ 77.507354]
[ 77.507565] Last potentially related work creation:
[ 77.508002] kasan_save_stack+0x20/0x40
[ 77.508372] __kasan_record_aux_stack+0x8e/0xa0
[ 77.508786] insert_work+0x20/0x1b0
[ 77.509131] __queue_work+0x67a/0xc60
[ 77.509489] queue_work_on+0x63/0x90
[ 77.509836] user_event_put+0x1f9/0x390
[ 77.510203] user_events_release+0x124/0x200
[ 77.510606] __fput+0x361/0xa60
[ 77.510931] __x64_sys_close+0x77/0xd0
[ 77.511292] do_syscall_64+0x66/0x130
[ 77.511650] entry_SYSCALL_64_after_hwframe+0x71/0x79
[ 77.512101]
[ 77.512309] The buggy address belongs to the object at ffff888004498800
[ 77.512309] which belongs to the cache kmalloc-cg-512 of size 512
[ 77.513314] The buggy address is located 184 bytes inside of
[ 77.513314] freed 512-byte region [ffff888004498800, ffff888004498a00)
[ 77.514281]
[ 77.514490] The buggy address belongs to the physical page:
[ 77.514974] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x4498
[ 77.515641] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 77.516288] memcg:ffff888003f75301
[ 77.516625] flags: 0x40(head|zone=0)
[ 77.516980] page_type: 0xffffefff(slab)
[ 77.517345] raw: 0000000000000040 ffff88800014cdc0 dead000000000100 dead000000000122
[ 77.518007] raw: 0000000000000000 0000000080100010 00000001ffffefff ffff888003f75301
[ 77.518663] head: 0000000000000040 ffff88800014cdc0 dead000000000100 dead000000000122
[ 77.519329] head: 0000000000000000 0000000080100010 00000001ffffefff ffff888003f75301
[ 77.519991] head: 0000000000000002 ffffea0000112601 ffffffffffffffff 0000000000000000
[ 77.520655] head: ffff888000000004 0000000000000000 00000000ffffffff 0000000000000000
[ 77.521320] page dumped because: kasan: bad access detected
[ 77.521807]
[ 77.522014] Memory state around the buggy address:
[ 77.522444] ffff888004498780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 77.523074] ffff888004498800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 77.523694] >ffff888004498880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 77.524318] ^
[ 77.524770] ffff888004498900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 77.525391] ffff888004498980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 77.526009] ==================================================================
[ 77.739011] ==================================================================
[ 77.739796] BUG: KASAN: slab-use-after-free in f_start+0x36e/0x3d0
[ 77.740445] Read of size 8 at addr ffff88800473eca8 by task cat/4434
[ 77.741149]
[ 77.741415] CPU: 2 PID: 4434 Comm: cat Tainted: G B D N 6.10.0-vanilla+ #34
[ 77.742323] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
[ 77.743516] Call Trace:
[ 77.743867] <TASK>
[ 77.744185] dump_stack_lvl+0x66/0xa0
[ 77.744644] print_report+0xd0/0x630
[ 77.745106] ? f_start+0x36e/0x3d0
[ 77.745544] ? __virt_addr_valid+0x208/0x3f0
[ 77.746066] ? f_start+0x36e/0x3d0
[ 77.746502] kasan_report+0xd8/0x110
[ 77.746958] ? f_start+0x36e/0x3d0
[ 77.747373] f_start+0x36e/0x3d0
[ 77.747795] seq_read_iter+0x268/0x11e0
[ 77.748278] ? lock_release+0x453/0x600
[ 77.748759] seq_read+0x261/0x350
[ 77.749174] ? file_tty_write.isra.0+0x4f9/0x8b0
[ 77.749723] ? __pfx_seq_read+0x10/0x10
[ 77.750202] ? trace_irq_enable.constprop.0+0xce/0x110
[ 77.750800] vfs_read+0x171/0x9e0
[ 77.751229] ? lock_acquire+0x408/0x4b0
[ 77.751708] ? __pfx_vfs_read+0x10/0x10
[ 77.752187] ? lock_release+0x453/0x600
[ 77.752662] ? __pfx___up_read+0x10/0x10
[ 77.753153] ksys_read+0xdd/0x1a0
[ 77.753585] ? __pfx_ksys_read+0x10/0x10
[ 77.754068] ? trace_irq_enable.constprop.0+0xce/0x110
[ 77.754662] do_syscall_64+0x66/0x130
[ 77.755126] entry_SYSCALL_64_after_hwframe+0x71/0x79
[ 77.755715] RIP: 0033:0x7fa23454940e
[ 77.756169] Code: c0 e9 b6 fe ff ff 50 48 8d 3d 2e 08 0b 00 e8 69 01 02 00 66 0f 1f 84 00 00 00 00 00 64 8b 04 25 18 00 00 00 85 c0 75 14 0f 05 <48> 3d 00 f0 ff ff 77 5a c3 66 0f 1f 84 00 00 00 00 00 48 83 ec 28
[ 77.758092] RSP: 002b:00007fff3bf6c2d8 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
[ 77.758959] RAX: ffffffffffffffda RBX: 0000000000020000 RCX: 00007fa23454940e
[ 77.759740] RDX: 0000000000020000 RSI: 00007fa23443d000 RDI: 0000000000000003
[ 77.760520] RBP: 00007fa23443d000 R08: 00007fa23443c010 R09: 0000000000000000
[ 77.761303] R10: fffffffffffffbc5 R11: 0000000000000246 R12: 0000000000000000
[ 77.762080] R13: 0000000000000003 R14: 0000000000020000 R15: 0000000000020000
[ 77.762870] </TASK>
[ 77.763198]
[ 77.763461] Allocated by task 4436:
[ 77.763910] kasan_save_stack+0x20/0x40
[ 77.764394] kasan_save_track+0x14/0x30
[ 77.764874] __kasan_kmalloc+0x8f/0xa0
[ 77.765326] user_event_parse_cmd+0x55e/0x25a0
[ 77.765826] user_events_ioctl+0xa52/0x17f0
[ 77.766331] __x64_sys_ioctl+0x133/0x190
[ 77.766810] do_syscall_64+0x66/0x130
[ 77.767267] entry_SYSCALL_64_after_hwframe+0x71/0x79
[ 77.767847]
[ 77.768111] Freed by task 50:
[ 77.768507] kasan_save_stack+0x20/0x40
[ 77.769209] kasan_save_track+0x14/0x30
[ 77.769635] kasan_save_free_info+0x3b/0x60
[ 77.770101] poison_slab_object+0x10a/0x170
[ 77.770564] __kasan_slab_free+0x14/0x30
[ 77.770987] kfree+0xe0/0x2f0
[ 77.771334] destroy_user_event+0x305/0x450
[ 77.771778] delayed_destroy_user_event+0x5c/0xe0
[ 77.772251] process_one_work+0x81c/0x1970
[ 77.772636] worker_thread+0x608/0x1160
[ 77.773058] kthread+0x2be/0x3b0
[ 77.773434] ret_from_fork+0x2c/0x70
[ 77.773789] ret_from_fork_asm+0x1a/0x30
[ 77.774243]
[ 77.774493] Last potentially related work creation:
[ 77.774995] kasan_save_stack+0x20/0x40
[ 77.775432] __kasan_record_aux_stack+0x8e/0xa0
[ 77.775875] insert_work+0x20/0x1b0
[ 77.776268] __queue_work+0x67a/0xc60
[ 77.776698] queue_work_on+0x63/0x90
[ 77.777093] user_event_put+0x1f9/0x390
[ 77.777541] user_events_ioctl+0x11ed/0x17f0
[ 77.777975] __x64_sys_ioctl+0x133/0x190
[ 77.778345] do_syscall_64+0x66/0x130
[ 77.778693] entry_SYSCALL_64_after_hwframe+0x71/0x79
[ 77.779136]
[ 77.779344] The buggy address belongs to the object at ffff88800473ec00
[ 77.779344] which belongs to the cache kmalloc-cg-512 of size 512
[ 77.780320] The buggy address is located 168 bytes inside of
[ 77.780320] freed 512-byte region [ffff88800473ec00, ffff88800473ee00)
[ 77.781287]
[ 77.781496] The buggy address belongs to the physical page:
[ 77.781974] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88800473d800 pfn:0x473c
[ 77.782718] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 77.783365] memcg:ffff88800102a301
[ 77.783701] flags: 0x40(head|zone=0)
[ 77.784052] page_type: 0xffffefff(slab)
[ 77.784420] raw: 0000000000000040 ffff88800014cdc0 ffffea00000e9300 dead000000000002
[ 77.785078] raw: ffff88800473d800 000000008010000f 00000001ffffefff ffff88800102a301
[ 77.785823] head: 0000000000000040 ffff88800014cdc0 ffffea00000e9300 dead000000000002
[ 77.786612] head: ffff88800473d800 000000008010000f 00000001ffffefff ffff88800102a301
[ 77.787411] head: 0000000000000002 ffffea000011cf01 ffffffffffffffff 0000000000000000
[ 77.788156] head: ffff888000000004 0000000000000000 00000000ffffffff 0000000000000000
[ 77.788914] page dumped because: kasan: bad access detected
[ 77.789454]
[ 77.789680] Memory state around the buggy address:
[ 77.790171] ffff88800473eb80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 77.790870] ffff88800473ec00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 77.791573] >ffff88800473ec80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 77.792201] ^
[ 77.792658] ffff88800473ed00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 77.793342] ffff88800473ed80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 77.797858] ==================================================================
[ 77.798675] ==================================================================
[ 77.799536] BUG: KASAN: slab-use-after-free in f_start+0x2e4/0x3d0
[ 77.800118] Read of size 8 at addr ffff88800473ec70 by task cat/4434
[ 77.800694]
[ 77.800951] CPU: 2 PID: 4434 Comm: cat Tainted: G B D N 6.10.0-vanilla+ #34
[ 77.801692] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
[ 77.802700] Call Trace:
[ 77.803007] <TASK>
[ 77.803254] dump_stack_lvl+0x66/0xa0
[ 77.803609] print_report+0xd0/0x630
[ 77.804007] ? f_start+0x2e4/0x3d0
[ 77.804361] ? __virt_addr_valid+0x208/0x3f0
[ 77.804760] ? f_start+0x2e4/0x3d0
[ 77.805127] kasan_report+0xd8/0x110
[ 77.805541] ? f_start+0x2e4/0x3d0
[ 77.805877] f_start+0x2e4/0x3d0
[ 77.806240] seq_read_iter+0x268/0x11e0
[ 77.806665] ? lock_release+0x453/0x600
[ 77.807084] seq_read+0x261/0x350
[ 77.807455] ? file_tty_write.isra.0+0x4f9/0x8b0
[ 77.807968] ? __pfx_seq_read+0x10/0x10
[ 77.808385] ? trace_irq_enable.constprop.0+0xce/0x110
[ 77.808858] vfs_read+0x171/0x9e0
[ 77.809235] ? lock_acquire+0x408/0x4b0
[ 77.809680] ? __pfx_vfs_read+0x10/0x10
[ 77.810123] ? lock_release+0x453/0x600
[ 77.810526] ? __pfx___up_read+0x10/0x10
[ 77.810940] ksys_read+0xdd/0x1a0
[ 77.811305] ? __pfx_ksys_read+0x10/0x10
[ 77.811671] ? trace_irq_enable.constprop.0+0xce/0x110
[ 77.812121] do_syscall_64+0x66/0x130
[ 77.812500] entry_SYSCALL_64_after_hwframe+0x71/0x79
[ 77.813013] RIP: 0033:0x7fa23454940e
[ 77.813363] Code: c0 e9 b6 fe ff ff 50 48 8d 3d 2e 08 0b 00 e8 69 01 02 00 66 0f 1f 84 00 00 00 00 00 64 8b 04 25 18 00 00 00 85 c0 75 14 0f 05 <48> 3d 00 f0 ff ff 77 5a c3 66 0f 1f 84 00 00 00 00 00 48 83 ec 28
[ 77.815024] RSP: 002b:00007fff3bf6c2d8 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
[ 77.815707] RAX: ffffffffffffffda RBX: 0000000000020000 RCX: 00007fa23454940e
[ 77.816342] RDX: 0000000000020000 RSI: 00007fa23443d000 RDI: 0000000000000003
[ 77.816967] RBP: 00007fa23443d000 R08: 00007fa23443c010 R09: 0000000000000000
[ 77.817599] R10: fffffffffffffbc5 R11: 0000000000000246 R12: 0000000000000000
[ 77.818209] R13: 0000000000000003 R14: 0000000000020000 R15: 0000000000020000
[ 77.818817] </TASK>
[ 77.819073]
[ 77.819279] Allocated by task 4436:
[ 77.819645] kasan_save_stack+0x20/0x40
[ 77.820031] kasan_save_track+0x14/0x30
[ 77.820440] __kasan_kmalloc+0x8f/0xa0
[ 77.820851] user_event_parse_cmd+0x55e/0x25a0
[ 77.821318] user_events_ioctl+0xa52/0x17f0
[ 77.821704] __x64_sys_ioctl+0x133/0x190
[ 77.822089] do_syscall_64+0x66/0x130
[ 77.822438] entry_SYSCALL_64_after_hwframe+0x71/0x79
[ 77.822887]
[ 77.823095] Freed by task 50:
[ 77.823417] kasan_save_stack+0x20/0x40
[ 77.823821] kasan_save_track+0x14/0x30
[ 77.824218] kasan_save_free_info+0x3b/0x60
[ 77.824643] poison_slab_object+0x10a/0x170
[ 77.825033] __kasan_slab_free+0x14/0x30
[ 77.825436] kfree+0xe0/0x2f0
[ 77.825815] destroy_user_event+0x305/0x450
[ 77.826285] delayed_destroy_user_event+0x5c/0xe0
[ 77.826727] process_one_work+0x81c/0x1970
[ 77.827136] worker_thread+0x608/0x1160
[ 77.827549] kthread+0x2be/0x3b0
[ 77.827898] ret_from_fork+0x2c/0x70
[ 77.828270] ret_from_fork_asm+0x1a/0x30
[ 77.828697]
[ 77.829080] Last potentially related work creation:
[ 77.829533] kasan_save_stack+0x20/0x40
[ 77.829932] __kasan_record_aux_stack+0x8e/0xa0
[ 77.830351] insert_work+0x20/0x1b0
[ 77.830705] __queue_work+0x67a/0xc60
[ 77.831103] queue_work_on+0x63/0x90
[ 77.831447] user_event_put+0x1f9/0x390
[ 77.831818] user_events_ioctl+0x11ed/0x17f0
[ 77.832213] __x64_sys_ioctl+0x133/0x190
[ 77.832612] do_syscall_64+0x66/0x130
[ 77.833031] entry_SYSCALL_64_after_hwframe+0x71/0x79
[ 77.833485]
[ 77.833741] The buggy address belongs to the object at ffff88800473ec00
[ 77.833741] which belongs to the cache kmalloc-cg-512 of size 512
[ 77.834766] The buggy address is located 112 bytes inside of
[ 77.834766] freed 512-byte region [ffff88800473ec00, ffff88800473ee00)
[ 77.835771]
[ 77.836023] The buggy address belongs to the physical page:
[ 77.836545] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88800473d800 pfn:0x473c
[ 77.837376] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 77.838015] memcg:ffff88800102a301
[ 77.838345] flags: 0x40(head|zone=0)
[ 77.838691] page_type: 0xffffefff(slab)
[ 77.839052] raw: 0000000000000040 ffff88800014cdc0 ffffea00000e9300 dead000000000002
[ 77.839692] raw: ffff88800473d800 000000008010000f 00000001ffffefff ffff88800102a301
[ 77.840344] head: 0000000000000040 ffff88800014cdc0 ffffea00000e9300 dead000000000002
[ 77.840999] head: ffff88800473d800 000000008010000f 00000001ffffefff ffff88800102a301
[ 77.841651] head: 0000000000000002 ffffea000011cf01 ffffffffffffffff 0000000000000000
[ 77.842308] head: ffff888000000004 0000000000000000 00000000ffffffff 0000000000000000
[ 77.842956] page dumped because: kasan: bad access detected
[ 77.843432]
[ 77.843639] Memory state around the buggy address:
[ 77.844062] ffff88800473eb00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 77.844671] ffff88800473eb80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 77.845284] >ffff88800473ec00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 77.845894] ^
[ 77.846451] ffff88800473ec80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 77.847062] ffff88800473ed00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 77.847751] ==================================================================
[ 77.848384] ==================================================================
[ 77.849071] BUG: KASAN: slab-use-after-free in f_start+0x2cb/0x3d0
[ 77.849674] Read of size 8 at addr ffff88800473ed08 by task cat/4434
[ 77.850268]
[ 77.850481] CPU: 2 PID: 4434 Comm: cat Tainted: G B D N 6.10.0-vanilla+ #34
[ 77.851215] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
[ 77.852306] Call Trace:
[ 77.852591] <TASK>
[ 77.852855] dump_stack_lvl+0x66/0xa0
[ 77.853255] print_report+0xd0/0x630
[ 77.853646] ? f_start+0x2cb/0x3d0
[ 77.854048] ? __virt_addr_valid+0x208/0x3f0
[ 77.854495] ? f_start+0x2cb/0x3d0
[ 77.854875] kasan_report+0xd8/0x110
[ 77.855265] ? f_start+0x2cb/0x3d0
[ 77.855674] f_start+0x2cb/0x3d0
[ 77.856024] seq_read_iter+0x268/0x11e0
[ 77.856437] ? lock_release+0x453/0x600
[ 77.856873] seq_read+0x261/0x350
[ 77.857248] ? file_tty_write.isra.0+0x4f9/0x8b0
[ 77.857724] ? __pfx_seq_read+0x10/0x10
[ 77.858138] ? trace_irq_enable.constprop.0+0xce/0x110
[ 77.858703] vfs_read+0x171/0x9e0
[ 77.859265] ? lock_acquire+0x408/0x4b0
[ 77.859679] ? __pfx_vfs_read+0x10/0x10
[ 77.860098] ? lock_release+0x453/0x600
[ 77.860521] ? __pfx___up_read+0x10/0x10
[ 77.860960] ksys_read+0xdd/0x1a0
[ 77.861361] ? __pfx_ksys_read+0x10/0x10
[ 77.861787] ? trace_irq_enable.constprop.0+0xce/0x110
[ 77.862264] do_syscall_64+0x66/0x130
[ 77.862701] entry_SYSCALL_64_after_hwframe+0x71/0x79
[ 77.863169] RIP: 0033:0x7fa23454940e
[ 77.863552] Code: c0 e9 b6 fe ff ff 50 48 8d 3d 2e 08 0b 00 e8 69 01 02 00 66 0f 1f 84 00 00 00 00 00 64 8b 04 25 18 00 00 00 85 c0 75 14 0f 05 <48> 3d 00 f0 ff ff 77 5a c3 66 0f 1f 84 00 00 00 00 00 48 83 ec 28
[ 77.865213] RSP: 002b:00007fff3bf6c2d8 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
[ 77.866001] RAX: ffffffffffffffda RBX: 0000000000020000 RCX: 00007fa23454940e
[ 77.866674] RDX: 0000000000020000 RSI: 00007fa23443d000 RDI: 0000000000000003
[ 77.867342] RBP: 00007fa23443d000 R08: 00007fa23443c010 R09: 0000000000000000
[ 77.868019] R10: fffffffffffffbc5 R11: 0000000000000246 R12: 0000000000000000
[ 77.868735] R13: 0000000000000003 R14: 0000000000020000 R15: 0000000000020000
[ 77.869417] </TASK>
[ 77.869696]
[ 77.869920] Allocated by task 4436:
[ 77.870305] kasan_save_stack+0x20/0x40
[ 77.870743] kasan_save_track+0x14/0x30
[ 77.875118] __kasan_kmalloc+0x8f/0xa0
[ 77.875526] user_event_parse_cmd+0x55e/0x25a0
[ 77.876021] user_events_ioctl+0xa52/0x17f0
[ 77.876502] __x64_sys_ioctl+0x133/0x190
[ 77.876956] do_syscall_64+0x66/0x130
[ 77.877353] entry_SYSCALL_64_after_hwframe+0x71/0x79
[ 77.877867]
[ 77.878093] Freed by task 50:
[ 77.878442] kasan_save_stack+0x20/0x40
[ 77.878889] kasan_save_track+0x14/0x30
[ 77.879304] kasan_save_free_info+0x3b/0x60
[ 77.879779] poison_slab_object+0x10a/0x170
[ 77.880259] __kasan_slab_free+0x14/0x30
[ 77.880681] kfree+0xe0/0x2f0
[ 77.881063] destroy_user_event+0x305/0x450
[ 77.881496] delayed_destroy_user_event+0x5c/0xe0
[ 77.881987] process_one_work+0x81c/0x1970
[ 77.882457] worker_thread+0x608/0x1160
[ 77.882877] kthread+0x2be/0x3b0
[ 77.883245] ret_from_fork+0x2c/0x70
[ 77.883642] ret_from_fork_asm+0x1a/0x30
[ 77.884063]
[ 77.884312] Last potentially related work creation:
[ 77.884808] kasan_save_stack+0x20/0x40
[ 77.885251] __kasan_record_aux_stack+0x8e/0xa0
[ 77.885761] insert_work+0x20/0x1b0
[ 77.886181] __queue_work+0x67a/0xc60
[ 77.886617] queue_work_on+0x63/0x90
[ 77.887010] user_event_put+0x1f9/0x390
[ 77.887454] user_events_ioctl+0x11ed/0x17f0
[ 77.887908] __x64_sys_ioctl+0x133/0x190
[ 77.888364] do_syscall_64+0x66/0x130
[ 77.888981] entry_SYSCALL_64_after_hwframe+0x71/0x79
[ 77.889491]
[ 77.889704] The buggy address belongs to the object at ffff88800473ec00
[ 77.889704] which belongs to the cache kmalloc-cg-512 of size 512
[ 77.890810] The buggy address is located 264 bytes inside of
[ 77.890810] freed 512-byte region [ffff88800473ec00, ffff88800473ee00)
[ 77.891990]
[ 77.892242] The buggy address belongs to the physical page:
[ 77.892824] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88800473d800 pfn:0x473c
[ 77.893735] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 77.894526] memcg:ffff88800102a301
[ 77.894935] flags: 0x40(head|zone=0)
[ 77.895325] page_type: 0xffffefff(slab)
[ 77.895739] raw: 0000000000000040 ffff88800014cdc0 ffffea00000e9300 dead000000000002
[ 77.896484] raw: ffff88800473d800 000000008010000f 00000001ffffefff ffff88800102a301
[ 77.897247] head: 0000000000000040 ffff88800014cdc0 ffffea00000e9300 dead000000000002
[ 77.897993] head: ffff88800473d800 000000008010000f 00000001ffffefff ffff88800102a301
[ 77.898793] head: 0000000000000002 ffffea000011cf01 ffffffffffffffff 0000000000000000
[ 77.899601] head: ffff888000000004 0000000000000000 00000000ffffffff 0000000000000000
[ 77.900418] page dumped because: kasan: bad access detected
[ 77.900979]
[ 77.901231] Memory state around the buggy address:
[ 77.901718] ffff88800473ec00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 77.902426] ffff88800473ec80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 77.903195] >ffff88800473ed00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 77.903914] ^
[ 77.904300] ffff88800473ed80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 77.905025] ffff88800473ee00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 77.905751] ==================================================================
[ 77.906527] ==================================================================
[ 77.907246] BUG: KASAN: slab-use-after-free in user_event_get_fields+0x38/0x40
[ 77.908017] Read of size 8 at addr ffff88800473ecb8 by task cat/4434
[ 77.908670]
[ 77.908928] CPU: 2 PID: 4434 Comm: cat Tainted: G B D N 6.10.0-vanilla+ #34
[ 77.909707] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
[ 77.910814] Call Trace:
[ 77.911149] <TASK>
[ 77.911453] dump_stack_lvl+0x66/0xa0
[ 77.911883] print_report+0xd0/0x630
[ 77.912281] ? user_event_get_fields+0x38/0x40
[ 77.912750] ? __virt_addr_valid+0x208/0x3f0
[ 77.913234] ? user_event_get_fields+0x38/0x40
[ 77.913693] kasan_report+0xd8/0x110
[ 77.914096] ? user_event_get_fields+0x38/0x40
[ 77.914595] user_event_get_fields+0x38/0x40
[ 77.915084] f_start+0x175/0x3d0
[ 77.915479] seq_read_iter+0x268/0x11e0
[ 77.915901] ? lock_release+0x453/0x600
[ 77.916347] seq_read+0x261/0x350
[ 77.916756] ? file_tty_write.isra.0+0x4f9/0x8b0
[ 77.917233] ? __pfx_seq_read+0x10/0x10
[ 77.917684] ? trace_irq_enable.constprop.0+0xce/0x110
[ 77.918209] vfs_read+0x171/0x9e0
[ 77.918588] ? lock_acquire+0x408/0x4b0
[ 77.919156] ? __pfx_vfs_read+0x10/0x10
[ 77.919562] ? lock_release+0x453/0x600
[ 77.919986] ? __pfx___up_read+0x10/0x10
[ 77.920447] ksys_read+0xdd/0x1a0
[ 77.920857] ? __pfx_ksys_read+0x10/0x10
[ 77.921314] ? trace_irq_enable.constprop.0+0xce/0x110
[ 77.921838] do_syscall_64+0x66/0x130
[ 77.922232] entry_SYSCALL_64_after_hwframe+0x71/0x79
[ 77.922772] RIP: 0033:0x7fa23454940e
[ 77.923164] Code: c0 e9 b6 fe ff ff 50 48 8d 3d 2e 08 0b 00 e8 69 01 02 00 66 0f 1f 84 00 00 00 00 00 64 8b 04 25 18 00 00 00 85 c0 75 14 0f 05 <48> 3d 00 f0 ff ff 77 5a c3 66 0f 1f 84 00 00 00 00 00 48 83 ec 28
[ 77.924825] RSP: 002b:00007fff3bf6c2d8 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
[ 77.925567] RAX: ffffffffffffffda RBX: 0000000000020000 RCX: 00007fa23454940e
[ 77.926299] RDX: 0000000000020000 RSI: 00007fa23443d000 RDI: 0000000000000003
[ 77.927018] RBP: 00007fa23443d000 R08: 00007fa23443c010 R09: 0000000000000000
[ 77.927749] R10: fffffffffffffbc5 R11: 0000000000000246 R12: 0000000000000000
[ 77.928429] R13: 0000000000000003 R14: 0000000000020000 R15: 0000000000020000
[ 77.929180] </TASK>
[ 77.929487]
[ 77.929724] Allocated by task 4436:
[ 77.930136] kasan_save_stack+0x20/0x40
[ 77.930604] kasan_save_track+0x14/0x30
[ 77.931075] __kasan_kmalloc+0x8f/0xa0
[ 77.931537] user_event_parse_cmd+0x55e/0x25a0
[ 77.932064] user_events_ioctl+0xa52/0x17f0
[ 77.932532] __x64_sys_ioctl+0x133/0x190
[ 77.933025] do_syscall_64+0x66/0x130
[ 77.933486] entry_SYSCALL_64_after_hwframe+0x71/0x79
[ 77.934063]
[ 77.934325] Freed by task 50:
[ 77.934724] kasan_save_stack+0x20/0x40
[ 77.935181] kasan_save_track+0x14/0x30
[ 77.935615] kasan_save_free_info+0x3b/0x60
[ 77.936079] poison_slab_object+0x10a/0x170
[ 77.936542] __kasan_slab_free+0x14/0x30
[ 77.936969] kfree+0xe0/0x2f0
[ 77.937280] destroy_user_event+0x305/0x450
[ 77.937673] delayed_destroy_user_event+0x5c/0xe0
[ 77.938105] process_one_work+0x81c/0x1970
[ 77.938490] worker_thread+0x608/0x1160
[ 77.938861] kthread+0x2be/0x3b0
[ 77.939194] ret_from_fork+0x2c/0x70
[ 77.939546] ret_from_fork_asm+0x1a/0x30
[ 77.939920]
[ 77.940133] Last potentially related work creation:
[ 77.940572] kasan_save_stack+0x20/0x40
[ 77.940958] __kasan_record_aux_stack+0x8e/0xa0
[ 77.941380] insert_work+0x20/0x1b0
[ 77.941730] __queue_work+0x67a/0xc60
[ 77.942086] queue_work_on+0x63/0x90
[ 77.942436] user_event_put+0x1f9/0x390
[ 77.942810] user_events_ioctl+0x11ed/0x17f0
[ 77.943212] __x64_sys_ioctl+0x133/0x190
[ 77.943590] do_syscall_64+0x66/0x130
[ 77.943950] entry_SYSCALL_64_after_hwframe+0x71/0x79
[ 77.944404]
[ 77.944612] The buggy address belongs to the object at ffff88800473ec00
[ 77.944612] which belongs to the cache kmalloc-cg-512 of size 512
[ 77.945624] The buggy address is located 184 bytes inside of
[ 77.945624] freed 512-byte region [ffff88800473ec00, ffff88800473ee00)
[ 77.946605]
[ 77.946818] The buggy address belongs to the physical page:
[ 77.947304] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88800473d800 pfn:0x473c
[ 77.948064] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 77.948718] memcg:ffff88800102a301
[ 77.949212] flags: 0x40(head|zone=0)
[ 77.949565] page_type: 0xffffefff(slab)
[ 77.949936] raw: 0000000000000040 ffff88800014cdc0 ffffea00000e9300 dead000000000002
[ 77.950641] raw: ffff88800473d800 000000008010000f 00000001ffffefff ffff88800102a301
[ 77.951300] head: 0000000000000040 ffff88800014cdc0 ffffea00000e9300 dead000000000002
[ 77.955807] head: ffff88800473d800 000000008010000f 00000001ffffefff ffff88800102a301
[ 77.956479] head: 0000000000000002 ffffea000011cf01 ffffffffffffffff 0000000000000000
[ 77.957146] head: ffff888000000004 0000000000000000 00000000ffffffff 0000000000000000
[ 77.957816] page dumped because: kasan: bad access detected
[ 77.958300]
[ 77.958508] Memory state around the buggy address:
[ 77.958949] ffff88800473eb80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 77.959577] ffff88800473ec00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 77.960224] >ffff88800473ec80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 77.960854] ^
[ 77.961311] ffff88800473ed00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 77.961938] ffff88800473ed80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 77.962568] ==================================================================
[ 77.963225] ==================================================================
[ 77.963857] BUG: KASAN: slab-use-after-free in f_start+0x2e4/0x3d0
[ 77.964386] Read of size 8 at addr ffff88800473ec70 by task cat/4434
[ 77.964937]
[ 77.965152] CPU: 2 PID: 4434 Comm: cat Tainted: G B D N 6.10.0-vanilla+ #34
[ 77.965831] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
[ 77.966754] Call Trace:
[ 77.967028] <TASK>
[ 77.967276] dump_stack_lvl+0x66/0xa0
[ 77.967637] print_report+0xd0/0x630
[ 77.967989] ? f_start+0x2e4/0x3d0
[ 77.968327] ? __virt_addr_valid+0x208/0x3f0
[ 77.968732] ? f_start+0x2e4/0x3d0
[ 77.969086] kasan_report+0xd8/0x110
[ 77.969437] ? f_start+0x2e4/0x3d0
[ 77.969777] f_start+0x2e4/0x3d0
[ 77.970111] seq_read_iter+0x268/0x11e0
[ 77.970483] ? lock_release+0x453/0x600
[ 77.970852] seq_read+0x261/0x350
[ 77.971191] ? file_tty_write.isra.0+0x4f9/0x8b0
[ 77.971622] ? __pfx_seq_read+0x10/0x10
[ 77.971993] ? trace_irq_enable.constprop.0+0xce/0x110
[ 77.972453] vfs_read+0x171/0x9e0
[ 77.972792] ? lock_acquire+0x408/0x4b0
[ 77.973170] ? __pfx_vfs_read+0x10/0x10
[ 77.973558] ? lock_release+0x453/0x600
[ 77.973932] ? __pfx___up_read+0x10/0x10
[ 77.974310] ksys_read+0xdd/0x1a0
[ 77.974644] ? __pfx_ksys_read+0x10/0x10
[ 77.975023] ? trace_irq_enable.constprop.0+0xce/0x110
[ 77.975484] do_syscall_64+0x66/0x130
[ 77.975845] entry_SYSCALL_64_after_hwframe+0x71/0x79
[ 77.976300] RIP: 0033:0x7fa23454940e
[ 77.976652] Code: c0 e9 b6 fe ff ff 50 48 8d 3d 2e 08 0b 00 e8 69 01 02 00 66 0f 1f 84 00 00 00 00 00 64 8b 04 25 18 00 00 00 85 c0 75 14 0f 05 <48> 3d 00 f0 ff ff 77 5a c3 66 0f 1f 84 00 00 00 00 00 48 83 ec 28
[ 77.978101] RSP: 002b:00007fff3bf6c2d8 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
[ 77.978753] RAX: ffffffffffffffda RBX: 0000000000020000 RCX: 00007fa23454940e
[ 77.979538] RDX: 0000000000020000 RSI: 00007fa23443d000 RDI: 0000000000000003
[ 77.980137] RBP: 00007fa23443d000 R08: 00007fa23443c010 R09: 0000000000000000
[ 77.980748] R10: fffffffffffffbc5 R11: 0000000000000246 R12: 0000000000000000
[ 77.981346] R13: 0000000000000003 R14: 0000000000020000 R15: 0000000000020000
[ 77.981944] </TASK>
[ 77.982203]
[ 77.982412] Allocated by task 4436:
[ 77.982761] kasan_save_stack+0x20/0x40
[ 77.983132] kasan_save_track+0x14/0x30
[ 77.983504] __kasan_kmalloc+0x8f/0xa0
[ 77.983869] user_event_parse_cmd+0x55e/0x25a0
[ 77.984283] user_events_ioctl+0xa52/0x17f0
[ 77.984674] __x64_sys_ioctl+0x133/0x190
[ 77.985054] do_syscall_64+0x66/0x130
[ 77.985421] entry_SYSCALL_64_after_hwframe+0x71/0x79
[ 77.985879]
[ 77.986089] Freed by task 50:
[ 77.986399] kasan_save_stack+0x20/0x40
[ 77.986769] kasan_save_track+0x14/0x30
[ 77.987139] kasan_save_free_info+0x3b/0x60
[ 77.987535] poison_slab_object+0x10a/0x170
[ 77.987929] __kasan_slab_free+0x14/0x30
[ 77.988305] kfree+0xe0/0x2f0
[ 77.988614] destroy_user_event+0x305/0x450
[ 77.989016] delayed_destroy_user_event+0x5c/0xe0
[ 77.989448] process_one_work+0x81c/0x1970
[ 77.989835] worker_thread+0x608/0x1160
[ 77.990214] kthread+0x2be/0x3b0
[ 77.990546] ret_from_fork+0x2c/0x70
[ 77.990901] ret_from_fork_asm+0x1a/0x30
[ 77.991279]
[ 77.991493] Last potentially related work creation:
[ 77.991938] kasan_save_stack+0x20/0x40
[ 77.992311] __kasan_record_aux_stack+0x8e/0xa0
[ 77.992734] insert_work+0x20/0x1b0
[ 77.993086] __queue_work+0x67a/0xc60
[ 77.993444] queue_work_on+0x63/0x90
[ 77.993802] user_event_put+0x1f9/0x390
[ 77.994176] user_events_ioctl+0x11ed/0x17f0
[ 77.994574] __x64_sys_ioctl+0x133/0x190
[ 77.994971] do_syscall_64+0x66/0x130
[ 77.995408] entry_SYSCALL_64_after_hwframe+0x71/0x79
[ 77.995990]
[ 77.996247] The buggy address belongs to the object at ffff88800473ec00
[ 77.996247] which belongs to the cache kmalloc-cg-512 of size 512
[ 77.997540] The buggy address is located 112 bytes inside of
[ 77.997540] freed 512-byte region [ffff88800473ec00, ffff88800473ee00)
[ 77.998787]
[ 77.999047] The buggy address belongs to the physical page:
[ 77.999662] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88800473d800 pfn:0x473c
[ 78.000629] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 78.001471] memcg:ffff88800102a301
[ 78.001901] flags: 0x40(head|zone=0)
[ 78.002347] page_type: 0xffffefff(slab)
[ 78.002815] raw: 0000000000000040 ffff88800014cdc0 ffffea00000e9300 dead000000000002
[ 78.003692] raw: ffff88800473d800 000000008010000f 00000001ffffefff ffff88800102a301
[ 78.004468] head: 0000000000000040 ffff88800014cdc0 ffffea00000e9300 dead000000000002
[ 78.005133] head: ffff88800473d800 000000008010000f 00000001ffffefff ffff88800102a301
[ 78.005800] head: 0000000000000002 ffffea000011cf01 ffffffffffffffff 0000000000000000
[ 78.006468] head: ffff888000000004 0000000000000000 00000000ffffffff 0000000000000000
[ 78.007233] page dumped because: kasan: bad access detected
[ 78.007853]
[ 78.008111] Memory state around the buggy address:
[ 78.008658] ffff88800473eb00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 78.009586] ffff88800473eb80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 78.010367] >ffff88800473ec00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 78.011150] ^
[ 78.011859] ffff88800473ec80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 78.012642] ffff88800473ed00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 78.013426] ==================================================================
[ 78.014353] ==================================================================
[ 78.015141] BUG: KASAN: slab-use-after-free in f_start+0x2cb/0x3d0
[ 78.015798] Read of size 8 at addr ffff88800473ed08 by task cat/4434
[ 78.016465]
[ 78.016716] CPU: 2 PID: 4434 Comm: cat Tainted: G B D N 6.10.0-vanilla+ #34
[ 78.017572] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
[ 78.018713] Call Trace:
[ 78.019044] <TASK>
[ 78.019348] dump_stack_lvl+0x66/0xa0
[ 78.019788] print_report+0xd0/0x630
[ 78.020216] ? f_start+0x2cb/0x3d0
[ 78.020612] ? __virt_addr_valid+0x208/0x3f0
[ 78.021109] ? f_start+0x2cb/0x3d0
[ 78.021527] kasan_report+0xd8/0x110
[ 78.021966] ? f_start+0x2cb/0x3d0
[ 78.022386] f_start+0x2cb/0x3d0
[ 78.022789] seq_read_iter+0x268/0x11e0
[ 78.023249] ? lock_release+0x453/0x600
[ 78.023705] seq_read+0x261/0x350
[ 78.024087] ? file_tty_write.isra.0+0x4f9/0x8b0
[ 78.024611] ? __pfx_seq_read+0x10/0x10
[ 78.025071] ? trace_irq_enable.constprop.0+0xce/0x110
[ 78.025619] vfs_read+0x171/0x9e0
[ 78.026027] ? lock_acquire+0x408/0x4b0
[ 78.026482] ? __pfx_vfs_read+0x10/0x10
[ 78.026969] ? lock_release+0x453/0x600
[ 78.027363] ? __pfx___up_read+0x10/0x10
[ 78.027734] ksys_read+0xdd/0x1a0
[ 78.031921] ? __pfx_ksys_read+0x10/0x10
[ 78.032320] ? trace_irq_enable.constprop.0+0xce/0x110
[ 78.032884] do_syscall_64+0x66/0x130
[ 78.033290] entry_SYSCALL_64_after_hwframe+0x71/0x79
[ 78.033796] RIP: 0033:0x7fa23454940e
[ 78.034209] Code: c0 e9 b6 fe ff ff 50 48 8d 3d 2e 08 0b 00 e8 69 01 02 00 66 0f 1f 84 00 00 00 00 00 64 8b 04 25 18 00 00 00 85 c0 75 14 0f 05 <48> 3d 00 f0 ff ff 77 5a c3 66 0f 1f 84 00 00 00 00 00 48 83 ec 28
[ 78.035866] RSP: 002b:00007fff3bf6c2d8 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
[ 78.036642] RAX: ffffffffffffffda RBX: 0000000000020000 RCX: 00007fa23454940e
[ 78.037338] RDX: 0000000000020000 RSI: 00007fa23443d000 RDI: 0000000000000003
[ 78.038024] RBP: 00007fa23443d000 R08: 00007fa23443c010 R09: 0000000000000000
[ 78.038761] R10: fffffffffffffbc5 R11: 0000000000000246 R12: 0000000000000000
[ 78.039708] R13: 0000000000000003 R14: 0000000000020000 R15: 0000000000020000
[ 78.040397] </TASK>
[ 78.040711]
[ 78.040961] Allocated by task 4436:
[ 78.041384] kasan_save_stack+0x20/0x40
[ 78.041794] kasan_save_track+0x14/0x30
[ 78.042218] __kasan_kmalloc+0x8f/0xa0
[ 78.042648] user_event_parse_cmd+0x55e/0x25a0
[ 78.043116] user_events_ioctl+0xa52/0x17f0
[ 78.043561] __x64_sys_ioctl+0x133/0x190
[ 78.044008] do_syscall_64+0x66/0x130
[ 78.044400] entry_SYSCALL_64_after_hwframe+0x71/0x79
[ 78.044919]
[ 78.045148] Freed by task 50:
[ 78.045522] kasan_save_stack+0x20/0x40
[ 78.045921] kasan_save_track+0x14/0x30
[ 78.046337] kasan_save_free_info+0x3b/0x60
[ 78.046810] poison_slab_object+0x10a/0x170
[ 78.047288] __kasan_slab_free+0x14/0x30
[ 78.047736] kfree+0xe0/0x2f0
[ 78.048077] destroy_user_event+0x305/0x450
[ 78.048517] delayed_destroy_user_event+0x5c/0xe0
[ 78.049044] process_one_work+0x81c/0x1970
[ 78.049505] worker_thread+0x608/0x1160
[ 78.049931] kthread+0x2be/0x3b0
[ 78.050328] ret_from_fork+0x2c/0x70
[ 78.050756] ret_from_fork_asm+0x1a/0x30
[ 78.051182]
[ 78.051431] Last potentially related work creation:
[ 78.051929] kasan_save_stack+0x20/0x40
[ 78.052370] __kasan_record_aux_stack+0x8e/0xa0
[ 78.052851] insert_work+0x20/0x1b0
[ 78.053243] __queue_work+0x67a/0xc60
[ 78.053638] queue_work_on+0x63/0x90
[ 78.054024] user_event_put+0x1f9/0x390
[ 78.054435] user_events_ioctl+0x11ed/0x17f0
[ 78.054913] __x64_sys_ioctl+0x133/0x190
[ 78.055363] do_syscall_64+0x66/0x130
[ 78.055755] entry_SYSCALL_64_after_hwframe+0x71/0x79
[ 78.056264]
[ 78.056516] The buggy address belongs to the object at ffff88800473ec00
[ 78.056516] which belongs to the cache kmalloc-cg-512 of size 512
[ 78.057669] The buggy address is located 264 bytes inside of
[ 78.057669] freed 512-byte region [ffff88800473ec00, ffff88800473ee00)
[ 78.058783]
[ 78.059037] The buggy address belongs to the physical page:
[ 78.059612] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88800473d800 pfn:0x473c
[ 78.060523] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 78.061314] memcg:ffff88800102a301
[ 78.061697] flags: 0x40(head|zone=0)
[ 78.062123] page_type: 0xffffefff(slab)
[ 78.062528] raw: 0000000000000040 ffff88800014cdc0 ffffea00000e9300 dead000000000002
[ 78.063333] raw: ffff88800473d800 000000008010000f 00000001ffffefff ffff88800102a301
[ 78.064085] head: 0000000000000040 ffff88800014cdc0 ffffea00000e9300 dead000000000002
[ 78.064867] head: ffff88800473d800 000000008010000f 00000001ffffefff ffff88800102a301
[ 78.065628] head: 0000000000000002 ffffea000011cf01 ffffffffffffffff 0000000000000000
[ 78.066378] head: ffff888000000004 0000000000000000 00000000ffffffff 0000000000000000
[ 78.067118] page dumped because: kasan: bad access detected
[ 78.067710]
[ 78.067930] Memory state around the buggy address:
[ 78.068421] ffff88800473ec00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 78.069328] ffff88800473ec80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 78.070036] >ffff88800473ed00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 78.070728] ^
[ 78.071115] ffff88800473ed80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 78.071811] ffff88800473ee00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 78.072552] ==================================================================
[ 78.073331] ==================================================================
[ 78.074073] BUG: KASAN: slab-use-after-free in user_event_get_fields+0x38/0x40
[ 78.074796] Read of size 8 at addr ffff88800473ecb8 by task cat/4434
[ 78.075445]
[ 78.075672] CPU: 2 PID: 4434 Comm: cat Tainted: G B D N 6.10.0-vanilla+ #34
[ 78.076432] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
[ 78.077485] Call Trace:
[ 78.077781] <TASK>
[ 78.078083] dump_stack_lvl+0x66/0xa0
[ 78.078520] print_report+0xd0/0x630
[ 78.078944] ? user_event_get_fields+0x38/0x40
[ 78.079442] ? __virt_addr_valid+0x208/0x3f0
[ 78.079884] ? user_event_get_fields+0x38/0x40
[ 78.080341] kasan_report+0xd8/0x110
[ 78.080733] ? user_event_get_fields+0x38/0x40
[ 78.081192] user_event_get_fields+0x38/0x40
[ 78.081668] f_start+0x175/0x3d0
[ 78.082036] seq_read_iter+0x268/0x11e0
[ 78.082442] ? lock_release+0x453/0x600
[ 78.082863] seq_read+0x261/0x350
[ 78.083236] ? file_tty_write.isra.0+0x4f9/0x8b0
[ 78.083691] ? __pfx_seq_read+0x10/0x10
[ 78.084098] ? trace_irq_enable.constprop.0+0xce/0x110
[ 78.084661] vfs_read+0x171/0x9e0
[ 78.085064] ? lock_acquire+0x408/0x4b0
[ 78.085475] ? __pfx_vfs_read+0x10/0x10
[ 78.085887] ? lock_release+0x453/0x600
[ 78.086305] ? __pfx___up_read+0x10/0x10
[ 78.086760] ksys_read+0xdd/0x1a0
[ 78.087126] ? __pfx_ksys_read+0x10/0x10
[ 78.087547] ? trace_irq_enable.constprop.0+0xce/0x110
[ 78.088106] do_syscall_64+0x66/0x130
[ 78.088498] entry_SYSCALL_64_after_hwframe+0x71/0x79
[ 78.089045] RIP: 0033:0x7fa23454940e
[ 78.089431] Code: c0 e9 b6 fe ff ff 50 48 8d 3d 2e 08 0b 00 e8 69 01 02 00 66 0f 1f 84 00 00 00 00 00 64 8b 04 25 18 00 00 00 85 c0 75 14 0f 05 <48> 3d 00 f0 ff ff 77 5a c3 66 0f 1f 84 00 00 00 00 00 48 83 ec 28
[ 78.091092] RSP: 002b:00007fff3bf6c2d8 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
[ 78.091856] RAX: ffffffffffffffda RBX: 0000000000020000 RCX: 00007fa23454940e
[ 78.092570] RDX: 0000000000020000 RSI: 00007fa23443d000 RDI: 0000000000000003
[ 78.093250] RBP: 00007fa23443d000 R08: 00007fa23443c010 R09: 0000000000000000
[ 78.093922] R10: fffffffffffffbc5 R11: 0000000000000246 R12: 0000000000000000
[ 78.094630] R13: 0000000000000003 R14: 0000000000020000 R15: 0000000000020000
[ 78.095300] </TASK>
[ 78.095575]
[ 78.095827] Allocated by task 4436:
[ 78.096244] kasan_save_stack+0x20/0x40
[ 78.096686] kasan_save_track+0x14/0x30
[ 78.097124] __kasan_kmalloc+0x8f/0xa0
[ 78.097500] user_event_parse_cmd+0x55e/0x25a0
[ 78.097911] user_events_ioctl+0xa52/0x17f0
[ 78.098303] __x64_sys_ioctl+0x133/0x190
[ 78.098680] do_syscall_64+0x66/0x130
[ 78.099192] entry_SYSCALL_64_after_hwframe+0x71/0x79
[ 78.099644]
[ 78.099855] Freed by task 50:
[ 78.100168] kasan_save_stack+0x20/0x40
[ 78.100536] kasan_save_track+0x14/0x30
[ 78.100918] kasan_save_free_info+0x3b/0x60
[ 78.101313] poison_slab_object+0x10a/0x170
[ 78.101704] __kasan_slab_free+0x14/0x30
[ 78.102081] kfree+0xe0/0x2f0
[ 78.102396] destroy_user_event+0x305/0x450
[ 78.102793] delayed_destroy_user_event+0x5c/0xe0
[ 78.103220] process_one_work+0x81c/0x1970
[ 78.103606] worker_thread+0x608/0x1160
[ 78.103977] kthread+0x2be/0x3b0
[ 78.104307] ret_from_fork+0x2c/0x70
[ 78.104658] ret_from_fork_asm+0x1a/0x30
[ 78.105039]
[ 78.105251] Last potentially related work creation:
[ 78.105692] kasan_save_stack+0x20/0x40
[ 78.106062] __kasan_record_aux_stack+0x8e/0xa0
[ 78.106486] insert_work+0x20/0x1b0
[ 78.106834] __queue_work+0x67a/0xc60
[ 78.107190] queue_work_on+0x63/0x90
[ 78.107548] user_event_put+0x1f9/0x390
[ 78.107917] user_events_ioctl+0x11ed/0x17f0
[ 78.108322] __x64_sys_ioctl+0x133/0x190
[ 78.108703] do_syscall_64+0x66/0x130
[ 78.112915] entry_SYSCALL_64_after_hwframe+0x71/0x79
[ 78.113391]
[ 78.113615] The buggy address belongs to the object at ffff88800473ec00
[ 78.113615] which belongs to the cache kmalloc-cg-512 of size 512
[ 78.114612] The buggy address is located 184 bytes inside of
[ 78.114612] freed 512-byte region [ffff88800473ec00, ffff88800473ee00)
[ 78.115580]
[ 78.115791] The buggy address belongs to the physical page:
[ 78.116279] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88800473d800 pfn:0x473c
[ 78.117038] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 78.117691] memcg:ffff88800102a301
[ 78.118029] flags: 0x40(head|zone=0)
[ 78.118385] page_type: 0xffffefff(slab)
[ 78.118759] raw: 0000000000000040 ffff88800014cdc0 ffffea00000e9300 dead000000000002
[ 78.119420] raw: ffff88800473d800 000000008010000f 00000001ffffefff ffff88800102a301
[ 78.120085] head: 0000000000000040 ffff88800014cdc0 ffffea00000e9300 dead000000000002
[ 78.120751] head: ffff88800473d800 000000008010000f 00000001ffffefff ffff88800102a301
[ 78.121422] head: 0000000000000002 ffffea000011cf01 ffffffffffffffff 0000000000000000
[ 78.122090] head: ffff888000000004 0000000000000000 00000000ffffffff 0000000000000000
[ 78.122778] page dumped because: kasan: bad access detected
[ 78.123261]
[ 78.123472] Memory state around the buggy address:
[ 78.123907] ffff88800473eb80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 78.124530] ffff88800473ec00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 78.125172] >ffff88800473ec80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 78.125803] ^
[ 78.126258] ffff88800473ed00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 78.126887] ffff88800473ed80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 78.127518] ==================================================================
[ 78.128178] ==================================================================
[ 78.129013] BUG: KASAN: slab-use-after-free in f_start+0x2e4/0x3d0
[ 78.129556] Read of size 8 at addr ffff88800473ec70 by task cat/4434
[ 78.130100]
[ 78.130313] CPU: 2 PID: 4434 Comm: cat Tainted: G B D N 6.10.0-vanilla+ #34
[ 78.130996] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
[ 78.131916] Call Trace:
[ 78.132192] <TASK>
[ 78.132445] dump_stack_lvl+0x66/0xa0
[ 78.132814] print_report+0xd0/0x630
[ 78.133165] ? f_start+0x2e4/0x3d0
[ 78.133509] ? __virt_addr_valid+0x208/0x3f0
[ 78.133914] ? f_start+0x2e4/0x3d0
[ 78.134265] kasan_report+0xd8/0x110
[ 78.134621] ? f_start+0x2e4/0x3d0
[ 78.135011] f_start+0x2e4/0x3d0
[ 78.135402] seq_read_iter+0x268/0x11e0
[ 78.135875] ? lock_release+0x453/0x600
[ 78.136322] seq_read+0x261/0x350
[ 78.136713] ? file_tty_write.isra.0+0x4f9/0x8b0
[ 78.137137] ? __pfx_seq_read+0x10/0x10
[ 78.137504] ? trace_irq_enable.constprop.0+0xce/0x110
[ 78.137961] vfs_read+0x171/0x9e0
[ 78.138294] ? lock_acquire+0x408/0x4b0
[ 78.138656] ? __pfx_vfs_read+0x10/0x10
[ 78.139025] ? lock_release+0x453/0x600
[ 78.139398] ? __pfx___up_read+0x10/0x10
[ 78.139771] ksys_read+0xdd/0x1a0
[ 78.140104] ? __pfx_ksys_read+0x10/0x10
[ 78.140478] ? trace_irq_enable.constprop.0+0xce/0x110
[ 78.140942] do_syscall_64+0x66/0x130
[ 78.141298] entry_SYSCALL_64_after_hwframe+0x71/0x79
[ 78.141747] RIP: 0033:0x7fa23454940e
[ 78.142107] Code: c0 e9 b6 fe ff ff 50 48 8d 3d 2e 08 0b 00 e8 69 01 02 00 66 0f 1f 84 00 00 00 00 00 64 8b 04 25 18 00 00 00 85 c0 75 14 0f 05 <48> 3d 00 f0 ff ff 77 5a c3 66 0f 1f 84 00 00 00 00 00 48 83 ec 28
[ 78.143530] RSP: 002b:00007fff3bf6c2d8 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
[ 78.144178] RAX: ffffffffffffffda RBX: 0000000000020000 RCX: 00007fa23454940e
[ 78.144773] RDX: 0000000000020000 RSI: 00007fa23443d000 RDI: 0000000000000003
[ 78.145369] RBP: 00007fa23443d000 R08: 00007fa23443c010 R09: 0000000000000000
[ 78.145959] R10: fffffffffffffbc5 R11: 0000000000000246 R12: 0000000000000000
[ 78.146546] R13: 0000000000000003 R14: 0000000000020000 R15: 0000000000020000
[ 78.147145] </TASK>
[ 78.147398]
[ 78.147611] Allocated by task 4436:
[ 78.147955] kasan_save_stack+0x20/0x40
[ 78.148322] kasan_save_track+0x14/0x30
[ 78.148695] __kasan_kmalloc+0x8f/0xa0
[ 78.149064] user_event_parse_cmd+0x55e/0x25a0
[ 78.149475] user_events_ioctl+0xa52/0x17f0
[ 78.149866] __x64_sys_ioctl+0x133/0x190
[ 78.150246] do_syscall_64+0x66/0x130
[ 78.150606] entry_SYSCALL_64_after_hwframe+0x71/0x79
[ 78.151056]
[ 78.151266] Freed by task 50:
[ 78.151575] kasan_save_stack+0x20/0x40
[ 78.151946] kasan_save_track+0x14/0x30
[ 78.152315] kasan_save_free_info+0x3b/0x60
[ 78.152711] poison_slab_object+0x10a/0x170
[ 78.153105] __kasan_slab_free+0x14/0x30
[ 78.153481] kfree+0xe0/0x2f0
[ 78.153795] destroy_user_event+0x305/0x450
[ 78.154191] delayed_destroy_user_event+0x5c/0xe0
[ 78.154620] process_one_work+0x81c/0x1970
[ 78.155008] worker_thread+0x608/0x1160
[ 78.155376] kthread+0x2be/0x3b0
[ 78.155700] ret_from_fork+0x2c/0x70
[ 78.156052] ret_from_fork_asm+0x1a/0x30
[ 78.156427]
[ 78.156638] Last potentially related work creation:
[ 78.157082] kasan_save_stack+0x20/0x40
[ 78.157457] __kasan_record_aux_stack+0x8e/0xa0
[ 78.157876] insert_work+0x20/0x1b0
[ 78.158224] __queue_work+0x67a/0xc60
[ 78.158579] queue_work_on+0x63/0x90
[ 78.159106] user_event_put+0x1f9/0x390
[ 78.159495] user_events_ioctl+0x11ed/0x17f0
[ 78.159893] __x64_sys_ioctl+0x133/0x190
[ 78.160270] do_syscall_64+0x66/0x130
[ 78.160633] entry_SYSCALL_64_after_hwframe+0x71/0x79
[ 78.161090]
[ 78.161302] The buggy address belongs to the object at ffff88800473ec00
[ 78.161302] which belongs to the cache kmalloc-cg-512 of size 512
[ 78.162307] The buggy address is located 112 bytes inside of
[ 78.162307] freed 512-byte region [ffff88800473ec00, ffff88800473ee00)
[ 78.163284]
[ 78.163494] The buggy address belongs to the physical page:
[ 78.163981] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88800473d800 pfn:0x473c
[ 78.164751] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 78.165408] memcg:ffff88800102a301
[ 78.165749] flags: 0x40(head|zone=0)
[ 78.166098] page_type: 0xffffefff(slab)
[ 78.166477] raw: 0000000000000040 ffff88800014cdc0 ffffea00000e9300 dead000000000002
[ 78.167143] raw: ffff88800473d800 000000008010000f 00000001ffffefff ffff88800102a301
[ 78.167808] head: 0000000000000040 ffff88800014cdc0 ffffea00000e9300 dead000000000002
[ 78.168478] head: ffff88800473d800 000000008010000f 00000001ffffefff ffff88800102a301
[ 78.169145] head: 0000000000000002 ffffea000011cf01 ffffffffffffffff 0000000000000000
[ 78.169805] head: ffff888000000004 0000000000000000 00000000ffffffff 0000000000000000
[ 78.170469] page dumped because: kasan: bad access detected
[ 78.170953]
[ 78.171161] Memory state around the buggy address:
[ 78.171595] ffff88800473eb00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 78.172223] ffff88800473eb80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 78.172852] >ffff88800473ec00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 78.173472] ^
[ 78.174054] ffff88800473ec80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 78.174681] ffff88800473ed00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 78.175302] ==================================================================
[ 78.175958] ==================================================================
[ 78.176587] BUG: KASAN: slab-use-after-free in f_start+0x2cb/0x3d0
[ 78.177121] Read of size 8 at addr ffff88800473ed08 by task cat/4434
[ 78.177662]
[ 78.177874] CPU: 2 PID: 4434 Comm: cat Tainted: G B D N 6.10.0-vanilla+ #34
[ 78.178557] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
[ 78.179472] Call Trace:
[ 78.179745] <TASK>
[ 78.183854] dump_stack_lvl+0x66/0xa0
[ 78.184216] print_report+0xd0/0x630
[ 78.184566] ? f_start+0x2cb/0x3d0
[ 78.184910] ? __virt_addr_valid+0x208/0x3f0
[ 78.185312] ? f_start+0x2cb/0x3d0
[ 78.185654] kasan_report+0xd8/0x110
[ 78.186008] ? f_start+0x2cb/0x3d0
[ 78.186356] f_start+0x2cb/0x3d0
[ 78.186689] seq_read_iter+0x268/0x11e0
[ 78.187065] ? lock_release+0x453/0x600
[ 78.187440] seq_read+0x261/0x350
[ 78.187779] ? file_tty_write.isra.0+0x4f9/0x8b0
[ 78.188208] ? __pfx_seq_read+0x10/0x10
[ 78.188577] ? trace_irq_enable.constprop.0+0xce/0x110
[ 78.189266] vfs_read+0x171/0x9e0
[ 78.189617] ? lock_acquire+0x408/0x4b0
[ 78.189989] ? __pfx_vfs_read+0x10/0x10
[ 78.190358] ? lock_release+0x453/0x600
[ 78.190730] ? __pfx___up_read+0x10/0x10
[ 78.191107] ksys_read+0xdd/0x1a0
[ 78.191441] ? __pfx_ksys_read+0x10/0x10
[ 78.191817] ? trace_irq_enable.constprop.0+0xce/0x110
[ 78.192281] do_syscall_64+0x66/0x130
[ 78.192642] entry_SYSCALL_64_after_hwframe+0x71/0x79
[ 78.193102] RIP: 0033:0x7fa23454940e
[ 78.193456] Code: c0 e9 b6 fe ff ff 50 48 8d 3d 2e 08 0b 00 e8 69 01 02 00 66 0f 1f 84 00 00 00 00 00 64 8b 04 25 18 00 00 00 85 c0 75 14 0f 05 <48> 3d 00 f0 ff ff 77 5a c3 66 0f 1f 84 00 00 00 00 00 48 83 ec 28
[ 78.194893] RSP: 002b:00007fff3bf6c2d8 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
[ 78.195547] RAX: ffffffffffffffda RBX: 0000000000020000 RCX: 00007fa23454940e
[ 78.196144] RDX: 0000000000020000 RSI: 00007fa23443d000 RDI: 0000000000000003
[ 78.196749] RBP: 00007fa23443d000 R08: 00007fa23443c010 R09: 0000000000000000
[ 78.197349] R10: fffffffffffffbc5 R11: 0000000000000246 R12: 0000000000000000
[ 78.197940] R13: 0000000000000003 R14: 0000000000020000 R15: 0000000000020000
[ 78.198534] </TASK>
[ 78.198792]
[ 78.199006] Allocated by task 4436:
[ 78.199355] kasan_save_stack+0x20/0x40
[ 78.199723] kasan_save_track+0x14/0x30
[ 78.200099] __kasan_kmalloc+0x8f/0xa0
[ 78.200468] user_event_parse_cmd+0x55e/0x25a0
[ 78.200885] user_events_ioctl+0xa52/0x17f0
[ 78.201277] __x64_sys_ioctl+0x133/0x190
[ 78.201658] do_syscall_64+0x66/0x130
[ 78.202020] entry_SYSCALL_64_after_hwframe+0x71/0x79
[ 78.202466]
[ 78.202667] Freed by task 50:
[ 78.202965] kasan_save_stack+0x20/0x40
[ 78.203316] kasan_save_track+0x14/0x30
[ 78.203673] kasan_save_free_info+0x3b/0x60
[ 78.204046] poison_slab_object+0x10a/0x170
[ 78.204420] __kasan_slab_free+0x14/0x30
[ 78.204782] kfree+0xe0/0x2f0
[ 78.205090] destroy_user_event+0x305/0x450
[ 78.205467] delayed_destroy_user_event+0x5c/0xe0
[ 78.205878] process_one_work+0x81c/0x1970
[ 78.206242] worker_thread+0x608/0x1160
[ 78.206599] kthread+0x2be/0x3b0
[ 78.206916] ret_from_fork+0x2c/0x70
[ 78.207248] ret_from_fork_asm+0x1a/0x30
[ 78.207604]
[ 78.207806] Last potentially related work creation:
[ 78.208225] kasan_save_stack+0x20/0x40
[ 78.208579] __kasan_record_aux_stack+0x8e/0xa0
[ 78.208992] insert_work+0x20/0x1b0
[ 78.209320] __queue_work+0x67a/0xc60
[ 78.209659] queue_work_on+0x63/0x90
[ 78.209995] user_event_put+0x1f9/0x390
[ 78.210344] user_events_ioctl+0x11ed/0x17f0
[ 78.210725] __x64_sys_ioctl+0x133/0x190
[ 78.211082] do_syscall_64+0x66/0x130
[ 78.211425] entry_SYSCALL_64_after_hwframe+0x71/0x79
[ 78.211853]
[ 78.212051] The buggy address belongs to the object at ffff88800473ec00
[ 78.212051] which belongs to the cache kmalloc-cg-512 of size 512
[ 78.213019] The buggy address is located 264 bytes inside of
[ 78.213019] freed 512-byte region [ffff88800473ec00, ffff88800473ee00)
[ 78.213935]
[ 78.214133] The buggy address belongs to the physical page:
[ 78.214597] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88800473d800 pfn:0x473c
[ 78.215323] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 78.215944] memcg:ffff88800102a301
[ 78.216270] flags: 0x40(head|zone=0)
[ 78.216601] page_type: 0xffffefff(slab)
[ 78.216970] raw: 0000000000000040 ffff88800014cdc0 ffffea00000e9300 dead000000000002
[ 78.217606] raw: ffff88800473d800 000000008010000f 00000001ffffefff ffff88800102a301
[ 78.218234] head: 0000000000000040 ffff88800014cdc0 ffffea00000e9300 dead000000000002
[ 78.219075] head: ffff88800473d800 000000008010000f 00000001ffffefff ffff88800102a301
[ 78.219723] head: 0000000000000002 ffffea000011cf01 ffffffffffffffff 0000000000000000
[ 78.220358] head: ffff888000000004 0000000000000000 00000000ffffffff 0000000000000000
[ 78.221014] page dumped because: kasan: bad access detected
[ 78.221496]
[ 78.221706] Memory state around the buggy address:
[ 78.222139] ffff88800473ec00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 78.222763] ffff88800473ec80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 78.223384] >ffff88800473ed00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 78.224004] ^
[ 78.224350] ffff88800473ed80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 78.224973] ffff88800473ee00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 78.225568] ==================================================================
[ 78.226194] ==================================================================
[ 78.226828] BUG: KASAN: slab-use-after-free in user_event_get_fields+0x38/0x40
[ 78.227473] Read of size 8 at addr ffff88800473ecb8 by task cat/4434
[ 78.228021]
[ 78.228232] CPU: 2 PID: 4434 Comm: cat Tainted: G B D N 6.10.0-vanilla+ #34
[ 78.228917] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
[ 78.229833] Call Trace:
[ 78.230105] <TASK>
[ 78.230365] dump_stack_lvl+0x66/0xa0
[ 78.230730] print_report+0xd0/0x630
[ 78.231080] ? user_event_get_fields+0x38/0x40
[ 78.231475] ? __virt_addr_valid+0x208/0x3f0
[ 78.231855] ? user_event_get_fields+0x38/0x40
[ 78.232254] kasan_report+0xd8/0x110
[ 78.232588] ? user_event_get_fields+0x38/0x40
[ 78.233013] user_event_get_fields+0x38/0x40
[ 78.233393] f_start+0x175/0x3d0
[ 78.233712] seq_read_iter+0x268/0x11e0
[ 78.234071] ? lock_release+0x453/0x600
[ 78.234425] seq_read+0x261/0x350
[ 78.234745] ? file_tty_write.isra.0+0x4f9/0x8b0
[ 78.235164] ? __pfx_seq_read+0x10/0x10
[ 78.235519] ? trace_irq_enable.constprop.0+0xce/0x110
[ 78.235965] vfs_read+0x171/0x9e0
[ 78.236284] ? lock_acquire+0x408/0x4b0
[ 78.236636] ? __pfx_vfs_read+0x10/0x10
[ 78.237014] ? lock_release+0x453/0x600
[ 78.237381] ? __pfx___up_read+0x10/0x10
[ 78.237747] ksys_read+0xdd/0x1a0
[ 78.238067] ? __pfx_ksys_read+0x10/0x10
[ 78.238431] ? trace_irq_enable.constprop.0+0xce/0x110
[ 78.238876] do_syscall_64+0x66/0x130
[ 78.239232] entry_SYSCALL_64_after_hwframe+0x71/0x79
[ 78.239665] RIP: 0033:0x7fa23454940e
[ 78.240006] Code: c0 e9 b6 fe ff ff 50 48 8d 3d 2e 08 0b 00 e8 69 01 02 00 66 0f 1f 84 00 00 00 00 00 64 8b 04 25 18 00 00 00 85 c0 75 14 0f 05 <48> 3d 00 f0 ff ff 77 5a c3 66 0f 1f 84 00 00 00 00 00 48 83 ec 28
[ 78.241427] RSP: 002b:00007fff3bf6c2d8 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
[ 78.242080] RAX: ffffffffffffffda RBX: 0000000000020000 RCX: 00007fa23454940e
[ 78.242675] RDX: 0000000000020000 RSI: 00007fa23443d000 RDI: 0000000000000003
[ 78.243271] RBP: 00007fa23443d000 R08: 00007fa23443c010 R09: 0000000000000000
[ 78.243867] R10: fffffffffffffbc5 R11: 0000000000000246 R12: 0000000000000000
[ 78.244464] R13: 0000000000000003 R14: 0000000000020000 R15: 0000000000020000
[ 78.245061] </TASK>
[ 78.245318]
[ 78.245528] Allocated by task 4436:
[ 78.245875] kasan_save_stack+0x20/0x40
[ 78.246252] kasan_save_track+0x14/0x30
[ 78.246628] __kasan_kmalloc+0x8f/0xa0
[ 78.246994] user_event_parse_cmd+0x55e/0x25a0
[ 78.247404] user_events_ioctl+0xa52/0x17f0
[ 78.247801] __x64_sys_ioctl+0x133/0x190
[ 78.248180] do_syscall_64+0x66/0x130
[ 78.248544] entry_SYSCALL_64_after_hwframe+0x71/0x79
[ 78.249266]
[ 78.249492] Freed by task 50:
[ 78.249802] kasan_save_stack+0x20/0x40
[ 78.250174] kasan_save_track+0x14/0x30
[ 78.250551] kasan_save_free_info+0x3b/0x60
[ 78.250946] poison_slab_object+0x10a/0x170
[ 78.255191] __kasan_slab_free+0x14/0x30
[ 78.255572] kfree+0xe0/0x2f0
[ 78.255885] destroy_user_event+0x305/0x450
[ 78.256285] delayed_destroy_user_event+0x5c/0xe0
[ 78.256715] process_one_work+0x81c/0x1970
[ 78.257109] worker_thread+0x608/0x1160
[ 78.257480] kthread+0x2be/0x3b0
[ 78.257811] ret_from_fork+0x2c/0x70
[ 78.258169] ret_from_fork_asm+0x1a/0x30
[ 78.258544]
[ 78.258761] Last potentially related work creation:
[ 78.259201] kasan_save_stack+0x20/0x40
[ 78.259571] __kasan_record_aux_stack+0x8e/0xa0
[ 78.259995] insert_work+0x20/0x1b0
[ 78.260344] __queue_work+0x67a/0xc60
[ 78.260702] queue_work_on+0x63/0x90
[ 78.261058] user_event_put+0x1f9/0x390
[ 78.261428] user_events_ioctl+0x11ed/0x17f0
[ 78.261833] __x64_sys_ioctl+0x133/0x190
[ 78.262207] do_syscall_64+0x66/0x130
[ 78.262566] entry_SYSCALL_64_after_hwframe+0x71/0x79
[ 78.263068]
[ 78.263279] The buggy address belongs to the object at ffff88800473ec00
[ 78.263279] which belongs to the cache kmalloc-cg-512 of size 512
[ 78.264288] The buggy address is located 184 bytes inside of
[ 78.264288] freed 512-byte region [ffff88800473ec00, ffff88800473ee00)
[ 78.265262]
[ 78.265474] The buggy address belongs to the physical page:
[ 78.265960] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88800473d800 pfn:0x473c
[ 78.266724] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 78.267383] memcg:ffff88800102a301
[ 78.267723] flags: 0x40(head|zone=0)
[ 78.268078] page_type: 0xffffefff(slab)
[ 78.268445] raw: 0000000000000040 ffff88800014cdc0 ffffea00000e9300 dead000000000002
[ 78.269154] raw: ffff88800473d800 000000008010000f 00000001ffffefff ffff88800102a301
[ 78.269900] head: 0000000000000040 ffff88800014cdc0 ffffea00000e9300 dead000000000002
[ 78.270574] head: ffff88800473d800 000000008010000f 00000001ffffefff ffff88800102a301
[ 78.271246] head: 0000000000000002 ffffea000011cf01 ffffffffffffffff 0000000000000000
[ 78.271918] head: ffff888000000004 0000000000000000 00000000ffffffff 0000000000000000
[ 78.272581] page dumped because: kasan: bad access detected
[ 78.273076]
[ 78.273287] Memory state around the buggy address:
[ 78.273727] ffff88800473eb80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 78.274358] ffff88800473ec00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 78.274981] >ffff88800473ec80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 78.275609] ^
[ 78.276060] ffff88800473ed00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 78.276688] ffff88800473ed80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 78.277314] ==================================================================
[ 78.277962] ==================================================================
[ 78.278589] BUG: KASAN: slab-use-after-free in f_start+0x2e4/0x3d0
[ 78.279375] Read of size 8 at addr ffff88800473ec70 by task cat/4434
[ 78.279928]
[ 78.280139] CPU: 2 PID: 4434 Comm: cat Tainted: G B D N 6.10.0-vanilla+ #34
[ 78.280833] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
[ 78.281752] Call Trace:
[ 78.282025] <TASK>
[ 78.282284] dump_stack_lvl+0x66/0xa0
[ 78.282641] print_report+0xd0/0x630
[ 78.282993] ? f_start+0x2e4/0x3d0
[ 78.283338] ? __virt_addr_valid+0x208/0x3f0
[ 78.283741] ? f_start+0x2e4/0x3d0
[ 78.284084] kasan_report+0xd8/0x110
[ 78.284440] ? f_start+0x2e4/0x3d0
[ 78.284790] f_start+0x2e4/0x3d0
[ 78.285120] seq_read_iter+0x268/0x11e0
[ 78.285492] ? lock_release+0x453/0x600
[ 78.285866] seq_read+0x261/0x350
[ 78.286205] ? file_tty_write.isra.0+0x4f9/0x8b0
[ 78.286630] ? __pfx_seq_read+0x10/0x10
[ 78.287005] ? trace_irq_enable.constprop.0+0xce/0x110
[ 78.287468] vfs_read+0x171/0x9e0
[ 78.287802] ? lock_acquire+0x408/0x4b0
[ 78.288173] ? __pfx_vfs_read+0x10/0x10
[ 78.288545] ? lock_release+0x453/0x600
[ 78.288918] ? __pfx___up_read+0x10/0x10
[ 78.289294] ksys_read+0xdd/0x1a0
[ 78.289638] ? __pfx_ksys_read+0x10/0x10
[ 78.290017] ? trace_irq_enable.constprop.0+0xce/0x110
[ 78.290480] do_syscall_64+0x66/0x130
[ 78.290841] entry_SYSCALL_64_after_hwframe+0x71/0x79
[ 78.291303] RIP: 0033:0x7fa23454940e
[ 78.291658] Code: c0 e9 b6 fe ff ff 50 48 8d 3d 2e 08 0b 00 e8 69 01 02 00 66 0f 1f 84 00 00 00 00 00 64 8b 04 25 18 00 00 00 85 c0 75 14 0f 05 <48> 3d 00 f0 ff ff 77 5a c3 66 0f 1f 84 00 00 00 00 00 48 83 ec 28
[ 78.293095] RSP: 002b:00007fff3bf6c2d8 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
[ 78.293756] RAX: ffffffffffffffda RBX: 0000000000020000 RCX: 00007fa23454940e
[ 78.294350] RDX: 0000000000020000 RSI: 00007fa23443d000 RDI: 0000000000000003
[ 78.294945] RBP: 00007fa23443d000 R08: 00007fa23443c010 R09: 0000000000000000
[ 78.295537] R10: fffffffffffffbc5 R11: 0000000000000246 R12: 0000000000000000
[ 78.296133] R13: 0000000000000003 R14: 0000000000020000 R15: 0000000000020000
[ 78.296741] </TASK>
[ 78.297001]
[ 78.297213] Allocated by task 4436:
[ 78.297557] kasan_save_stack+0x20/0x40
[ 78.297931] kasan_save_track+0x14/0x30
[ 78.298304] __kasan_kmalloc+0x8f/0xa0
[ 78.298671] user_event_parse_cmd+0x55e/0x25a0
[ 78.299085] user_events_ioctl+0xa52/0x17f0
[ 78.299482] __x64_sys_ioctl+0x133/0x190
[ 78.299865] do_syscall_64+0x66/0x130
[ 78.300223] entry_SYSCALL_64_after_hwframe+0x71/0x79
[ 78.300679]
[ 78.300897] Freed by task 50:
[ 78.301211] kasan_save_stack+0x20/0x40
[ 78.301584] kasan_save_track+0x14/0x30
[ 78.301956] kasan_save_free_info+0x3b/0x60
[ 78.302349] poison_slab_object+0x10a/0x170
[ 78.302747] __kasan_slab_free+0x14/0x30
[ 78.303123] kfree+0xe0/0x2f0
[ 78.303422] destroy_user_event+0x305/0x450
[ 78.303795] delayed_destroy_user_event+0x5c/0xe0
[ 78.304208] process_one_work+0x81c/0x1970
[ 78.304576] worker_thread+0x608/0x1160
[ 78.304950] kthread+0x2be/0x3b0
[ 78.305270] ret_from_fork+0x2c/0x70
[ 78.305614] ret_from_fork_asm+0x1a/0x30
[ 78.305975]
[ 78.306177] Last potentially related work creation:
[ 78.306597] kasan_save_stack+0x20/0x40
[ 78.306950] __kasan_record_aux_stack+0x8e/0xa0
[ 78.307351] insert_work+0x20/0x1b0
[ 78.307681] __queue_work+0x67a/0xc60
[ 78.308024] queue_work_on+0x63/0x90
[ 78.308362] user_event_put+0x1f9/0x390
[ 78.308712] user_events_ioctl+0x11ed/0x17f0
[ 78.309299] __x64_sys_ioctl+0x133/0x190
[ 78.309662] do_syscall_64+0x66/0x130
[ 78.310008] entry_SYSCALL_64_after_hwframe+0x71/0x79
[ 78.310437]
[ 78.310639] The buggy address belongs to the object at ffff88800473ec00
[ 78.310639] which belongs to the cache kmalloc-cg-512 of size 512
[ 78.311601] The buggy address is located 112 bytes inside of
[ 78.311601] freed 512-byte region [ffff88800473ec00, ffff88800473ee00)
[ 78.312539]
[ 78.312747] The buggy address belongs to the physical page:
[ 78.313222] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88800473d800 pfn:0x473c
[ 78.313943] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 78.314570] memcg:ffff88800102a301
[ 78.314893] flags: 0x40(head|zone=0)
[ 78.315228] page_type: 0xffffefff(slab)
[ 78.315582] raw: 0000000000000040 ffff88800014cdc0 ffffea00000e9300 dead000000000002
[ 78.316211] raw: ffff88800473d800 000000008010000f 00000001ffffefff ffff88800102a301
[ 78.316855] head: 0000000000000040 ffff88800014cdc0 ffffea00000e9300 dead000000000002
[ 78.317492] head: ffff88800473d800 000000008010000f 00000001ffffefff ffff88800102a301
[ 78.318138] head: 0000000000000002 ffffea000011cf01 ffffffffffffffff 0000000000000000
[ 78.318771] head: ffff888000000004 0000000000000000 00000000ffffffff 0000000000000000
[ 78.319413] page dumped because: kasan: bad access detected
[ 78.319877]
[ 78.320078] Memory state around the buggy address:
[ 78.320494] ffff88800473eb00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 78.321102] ffff88800473eb80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 78.325365] >ffff88800473ec00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 78.325964] ^
[ 78.326513] ffff88800473ec80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 78.327107] ffff88800473ed00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 78.327706] ==================================================================
[ 78.328322] ==================================================================
[ 78.329070] BUG: KASAN: slab-use-after-free in f_start+0x2cb/0x3d0
[ 78.329609] Read of size 8 at addr ffff88800473ed08 by task cat/4434
[ 78.330154]
[ 78.330365] CPU: 2 PID: 4434 Comm: cat Tainted: G B D N 6.10.0-vanilla+ #34
[ 78.331053] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
[ 78.331968] Call Trace:
[ 78.332245] <TASK>
[ 78.332500] dump_stack_lvl+0x66/0xa0
[ 78.332863] print_report+0xd0/0x630
[ 78.333215] ? f_start+0x2cb/0x3d0
[ 78.333564] ? __virt_addr_valid+0x208/0x3f0
[ 78.333966] ? f_start+0x2cb/0x3d0
[ 78.334306] kasan_report+0xd8/0x110
[ 78.334661] ? f_start+0x2cb/0x3d0
[ 78.335006] f_start+0x2cb/0x3d0
[ 78.335337] seq_read_iter+0x268/0x11e0
[ 78.335714] ? lock_release+0x453/0x600
[ 78.336084] seq_read+0x261/0x350
[ 78.336419] ? file_tty_write.isra.0+0x4f9/0x8b0
[ 78.336848] ? __pfx_seq_read+0x10/0x10
[ 78.337224] ? trace_irq_enable.constprop.0+0xce/0x110
[ 78.337691] vfs_read+0x171/0x9e0
[ 78.338031] ? lock_acquire+0x408/0x4b0
[ 78.338407] ? __pfx_vfs_read+0x10/0x10
[ 78.338940] ? lock_release+0x453/0x600
[ 78.339311] ? __pfx___up_read+0x10/0x10
[ 78.339689] ksys_read+0xdd/0x1a0
[ 78.340027] ? __pfx_ksys_read+0x10/0x10
[ 78.340408] ? trace_irq_enable.constprop.0+0xce/0x110
[ 78.340871] do_syscall_64+0x66/0x130
[ 78.341230] entry_SYSCALL_64_after_hwframe+0x71/0x79
[ 78.341689] RIP: 0033:0x7fa23454940e
[ 78.342046] Code: c0 e9 b6 fe ff ff 50 48 8d 3d 2e 08 0b 00 e8 69 01 02 00 66 0f 1f 84 00 00 00 00 00 64 8b 04 25 18 00 00 00 85 c0 75 14 0f 05 <48> 3d 00 f0 ff ff 77 5a c3 66 0f 1f 84 00 00 00 00 00 48 83 ec 28
[ 78.343484] RSP: 002b:00007fff3bf6c2d8 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
[ 78.344144] RAX: ffffffffffffffda RBX: 0000000000020000 RCX: 00007fa23454940e
[ 78.344740] RDX: 0000000000020000 RSI: 00007fa23443d000 RDI: 0000000000000003
[ 78.345335] RBP: 00007fa23443d000 R08: 00007fa23443c010 R09: 0000000000000000
[ 78.345933] R10: fffffffffffffbc5 R11: 0000000000000246 R12: 0000000000000000
[ 78.346529] R13: 0000000000000003 R14: 0000000000020000 R15: 0000000000020000
[ 78.347133] </TASK>
[ 78.347390]
[ 78.347602] Allocated by task 4436:
[ 78.347947] kasan_save_stack+0x20/0x40
[ 78.348324] kasan_save_track+0x14/0x30
[ 78.348699] __kasan_kmalloc+0x8f/0xa0
[ 78.349064] user_event_parse_cmd+0x55e/0x25a0
[ 78.349472] user_events_ioctl+0xa52/0x17f0
[ 78.349869] __x64_sys_ioctl+0x133/0x190
[ 78.350247] do_syscall_64+0x66/0x130
[ 78.350604] entry_SYSCALL_64_after_hwframe+0x71/0x79
[ 78.351056]
[ 78.351268] Freed by task 50:
[ 78.351580] kasan_save_stack+0x20/0x40
[ 78.351951] kasan_save_track+0x14/0x30
[ 78.352322] kasan_save_free_info+0x3b/0x60
[ 78.352714] poison_slab_object+0x10a/0x170
[ 78.353112] __kasan_slab_free+0x14/0x30
[ 78.353491] kfree+0xe0/0x2f0
[ 78.353807] destroy_user_event+0x305/0x450
[ 78.354200] delayed_destroy_user_event+0x5c/0xe0
[ 78.354630] process_one_work+0x81c/0x1970
[ 78.355020] worker_thread+0x608/0x1160
[ 78.355390] kthread+0x2be/0x3b0
[ 78.355718] ret_from_fork+0x2c/0x70
[ 78.356076] ret_from_fork_asm+0x1a/0x30
[ 78.356455]
[ 78.356666] Last potentially related work creation:
[ 78.357111] kasan_save_stack+0x20/0x40
[ 78.357484] __kasan_record_aux_stack+0x8e/0xa0
[ 78.357902] insert_work+0x20/0x1b0
[ 78.358251] __queue_work+0x67a/0xc60
[ 78.358612] queue_work_on+0x63/0x90
[ 78.358968] user_event_put+0x1f9/0x390
[ 78.359338] user_events_ioctl+0x11ed/0x17f0
[ 78.359741] __x64_sys_ioctl+0x133/0x190
[ 78.360122] do_syscall_64+0x66/0x130
[ 78.360479] entry_SYSCALL_64_after_hwframe+0x71/0x79
[ 78.360938]
[ 78.361148] The buggy address belongs to the object at ffff88800473ec00
[ 78.361148] which belongs to the cache kmalloc-cg-512 of size 512
[ 78.362155] The buggy address is located 264 bytes inside of
[ 78.362155] freed 512-byte region [ffff88800473ec00, ffff88800473ee00)
[ 78.363119]
[ 78.363328] The buggy address belongs to the physical page:
[ 78.363816] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88800473d800 pfn:0x473c
[ 78.364573] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 78.365234] memcg:ffff88800102a301
[ 78.365572] flags: 0x40(head|zone=0)
[ 78.365935] page_type: 0xffffefff(slab)
[ 78.366309] raw: 0000000000000040 ffff88800014cdc0 ffffea00000e9300 dead000000000002
[ 78.366970] raw: ffff88800473d800 000000008010000f 00000001ffffefff ffff88800102a301
[ 78.367639] head: 0000000000000040 ffff88800014cdc0 ffffea00000e9300 dead000000000002
[ 78.368305] head: ffff88800473d800 000000008010000f 00000001ffffefff ffff88800102a301
[ 78.369168] head: 0000000000000002 ffffea000011cf01 ffffffffffffffff 0000000000000000
[ 78.369839] head: ffff888000000004 0000000000000000 00000000ffffffff 0000000000000000
[ 78.370510] page dumped because: kasan: bad access detected
[ 78.370996]
[ 78.371209] Memory state around the buggy address:
[ 78.371646] ffff88800473ec00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 78.372277] ffff88800473ec80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 78.372914] >ffff88800473ed00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 78.373538] ^
[ 78.373890] ffff88800473ed80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 78.374517] ffff88800473ee00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 78.375150] ==================================================================
[ 78.375801] ==================================================================
[ 78.376429] BUG: KASAN: slab-use-after-free in user_event_get_fields+0x38/0x40
[ 78.377060] Read of size 8 at addr ffff88800473ecb8 by task cat/4434
[ 78.377600]
[ 78.377809] CPU: 2 PID: 4434 Comm: cat Tainted: G B D N 6.10.0-vanilla+ #34
[ 78.378496] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
[ 78.379417] Call Trace:
[ 78.379693] <TASK>
[ 78.379945] dump_stack_lvl+0x66/0xa0
[ 78.380302] print_report+0xd0/0x630
[ 78.380656] ? user_event_get_fields+0x38/0x40
[ 78.381074] ? __virt_addr_valid+0x208/0x3f0
[ 78.381475] ? user_event_get_fields+0x38/0x40
[ 78.381892] kasan_report+0xd8/0x110
[ 78.382247] ? user_event_get_fields+0x38/0x40
[ 78.382664] user_event_get_fields+0x38/0x40
[ 78.383063] f_start+0x175/0x3d0
[ 78.383395] seq_read_iter+0x268/0x11e0
[ 78.383771] ? lock_release+0x453/0x600
[ 78.384144] seq_read+0x261/0x350
[ 78.384484] ? file_tty_write.isra.0+0x4f9/0x8b0
[ 78.384916] ? __pfx_seq_read+0x10/0x10
[ 78.385291] ? trace_irq_enable.constprop.0+0xce/0x110
[ 78.385753] vfs_read+0x171/0x9e0
[ 78.386088] ? lock_acquire+0x408/0x4b0
[ 78.386464] ? __pfx_vfs_read+0x10/0x10
[ 78.386834] ? lock_release+0x453/0x600
[ 78.387205] ? __pfx___up_read+0x10/0x10
[ 78.387584] ksys_read+0xdd/0x1a0
[ 78.387920] ? __pfx_ksys_read+0x10/0x10
[ 78.388295] ? trace_irq_enable.constprop.0+0xce/0x110
[ 78.388763] do_syscall_64+0x66/0x130
[ 78.389123] entry_SYSCALL_64_after_hwframe+0x71/0x79
[ 78.389578] RIP: 0033:0x7fa23454940e
[ 78.389928] Code: c0 e9 b6 fe ff ff 50 48 8d 3d 2e 08 0b 00 e8 69 01 02 00 66 0f 1f 84 00 00 00 00 00 64 8b 04 25 18 00 00 00 85 c0 75 14 0f 05 <48> 3d 00 f0 ff ff 77 5a c3 66 0f 1f 84 00 00 00 00 00 48 83 ec 28
[ 78.391367] RSP: 002b:00007fff3bf6c2d8 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
[ 78.392020] RAX: ffffffffffffffda RBX: 0000000000020000 RCX: 00007fa23454940e
[ 78.392617] RDX: 0000000000020000 RSI: 00007fa23443d000 RDI: 0000000000000003
[ 78.397058] RBP: 00007fa23443d000 R08: 00007fa23443c010 R09: 0000000000000000
[ 78.397663] R10: fffffffffffffbc5 R11: 0000000000000246 R12: 0000000000000000
[ 78.398262] R13: 0000000000000003 R14: 0000000000020000 R15: 0000000000020000
[ 78.399113] </TASK>
[ 78.399375]
[ 78.399582] Allocated by task 4436:
[ 78.399927] kasan_save_stack+0x20/0x40
[ 78.400292] kasan_save_track+0x14/0x30
[ 78.400657] __kasan_kmalloc+0x8f/0xa0
[ 78.401030] user_event_parse_cmd+0x55e/0x25a0
[ 78.401437] user_events_ioctl+0xa52/0x17f0
[ 78.401825] __x64_sys_ioctl+0x133/0x190
[ 78.402198] do_syscall_64+0x66/0x130
[ 78.402558] entry_SYSCALL_64_after_hwframe+0x71/0x79
[ 78.403008]
[ 78.403213] Freed by task 50:
[ 78.403522] kasan_save_stack+0x20/0x40
[ 78.403886] kasan_save_track+0x14/0x30
[ 78.404248] kasan_save_free_info+0x3b/0x60
[ 78.404638] poison_slab_object+0x10a/0x170
[ 78.405032] __kasan_slab_free+0x14/0x30
[ 78.405401] kfree+0xe0/0x2f0
[ 78.405710] destroy_user_event+0x305/0x450
[ 78.406100] delayed_destroy_user_event+0x5c/0xe0
[ 78.406523] process_one_work+0x81c/0x1970
[ 78.406904] worker_thread+0x608/0x1160
[ 78.407270] kthread+0x2be/0x3b0
[ 78.407599] ret_from_fork+0x2c/0x70
[ 78.407947] ret_from_fork_asm+0x1a/0x30
[ 78.408318]
[ 78.408529] Last potentially related work creation:
[ 78.408968] kasan_save_stack+0x20/0x40
[ 78.409332] __kasan_record_aux_stack+0x8e/0xa0
[ 78.409748] insert_work+0x20/0x1b0
[ 78.410092] __queue_work+0x67a/0xc60
[ 78.410445] queue_work_on+0x63/0x90
[ 78.410793] user_event_put+0x1f9/0x390
[ 78.411160] user_events_ioctl+0x11ed/0x17f0
[ 78.411556] __x64_sys_ioctl+0x133/0x190
[ 78.411927] do_syscall_64+0x66/0x130
[ 78.412283] entry_SYSCALL_64_after_hwframe+0x71/0x79
[ 78.412733]
[ 78.412948] The buggy address belongs to the object at ffff88800473ec00
[ 78.412948] which belongs to the cache kmalloc-cg-512 of size 512
[ 78.413944] The buggy address is located 184 bytes inside of
[ 78.413944] freed 512-byte region [ffff88800473ec00, ffff88800473ee00)
[ 78.414900]
[ 78.415106] The buggy address belongs to the physical page:
[ 78.415588] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88800473d800 pfn:0x473c
[ 78.416340] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 78.416998] memcg:ffff88800102a301
[ 78.417336] flags: 0x40(head|zone=0)
[ 78.417682] page_type: 0xffffefff(slab)
[ 78.418048] raw: 0000000000000040 ffff88800014cdc0 ffffea00000e9300 dead000000000002
[ 78.418707] raw: ffff88800473d800 000000008010000f 00000001ffffefff ffff88800102a301
[ 78.419363] head: 0000000000000040 ffff88800014cdc0 ffffea00000e9300 dead000000000002
[ 78.420039] head: ffff88800473d800 000000008010000f 00000001ffffefff ffff88800102a301
[ 78.420697] head: 0000000000000002 ffffea000011cf01 ffffffffffffffff 0000000000000000
[ 78.421363] head: ffff888000000004 0000000000000000 00000000ffffffff 0000000000000000
[ 78.422022] page dumped because: kasan: bad access detected
[ 78.422505]
[ 78.422711] Memory state around the buggy address:
[ 78.423140] ffff88800473eb80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 78.423758] ffff88800473ec00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 78.424373] >ffff88800473ec80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 78.424995] ^
[ 78.425443] ffff88800473ed00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 78.426063] ffff88800473ed80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 78.426680] ==================================================================
[ 78.427360] ==================================================================
[ 78.427982] BUG: KASAN: slab-use-after-free in f_start+0x2e4/0x3d0
[ 78.428506] Read of size 8 at addr ffff88800473ec70 by task cat/4434
[ 78.429201]
[ 78.429408] CPU: 2 PID: 4434 Comm: cat Tainted: G B D N 6.10.0-vanilla+ #34
[ 78.430086] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
[ 78.431028] Call Trace:
[ 78.431300] <TASK>
[ 78.431549] dump_stack_lvl+0x66/0xa0
[ 78.431903] print_report+0xd0/0x630
[ 78.432252] ? f_start+0x2e4/0x3d0
[ 78.432590] ? __virt_addr_valid+0x208/0x3f0
[ 78.432989] ? f_start+0x2e4/0x3d0
[ 78.433325] kasan_report+0xd8/0x110
[ 78.433674] ? f_start+0x2e4/0x3d0
[ 78.434010] f_start+0x2e4/0x3d0
[ 78.434334] seq_read_iter+0x268/0x11e0
[ 78.434703] ? lock_release+0x453/0x600
[ 78.435068] seq_read+0x261/0x350
[ 78.435400] ? file_tty_write.isra.0+0x4f9/0x8b0
[ 78.435820] ? __pfx_seq_read+0x10/0x10
[ 78.436186] ? trace_irq_enable.constprop.0+0xce/0x110
[ 78.436641] vfs_read+0x171/0x9e0
[ 78.436981] ? lock_acquire+0x408/0x4b0
[ 78.437347] ? __pfx_vfs_read+0x10/0x10
[ 78.437710] ? lock_release+0x453/0x600
[ 78.438073] ? __pfx___up_read+0x10/0x10
[ 78.438446] ksys_read+0xdd/0x1a0
[ 78.438779] ? __pfx_ksys_read+0x10/0x10
[ 78.439148] ? trace_irq_enable.constprop.0+0xce/0x110
[ 78.439601] do_syscall_64+0x66/0x130
[ 78.439956] entry_SYSCALL_64_after_hwframe+0x71/0x79
[ 78.440406] RIP: 0033:0x7fa23454940e
[ 78.440757] Code: c0 e9 b6 fe ff ff 50 48 8d 3d 2e 08 0b 00 e8 69 01 02 00 66 0f 1f 84 00 00 00 00 00 64 8b 04 25 18 00 00 00 85 c0 75 14 0f 05 <48> 3d 00 f0 ff ff 77 5a c3 66 0f 1f 84 00 00 00 00 00 48 83 ec 28
[ 78.442175] RSP: 002b:00007fff3bf6c2d8 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
[ 78.442817] RAX: ffffffffffffffda RBX: 0000000000020000 RCX: 00007fa23454940e
[ 78.443402] RDX: 0000000000020000 RSI: 00007fa23443d000 RDI: 0000000000000003
[ 78.443987] RBP: 00007fa23443d000 R08: 00007fa23443c010 R09: 0000000000000000
[ 78.444571] R10: fffffffffffffbc5 R11: 0000000000000246 R12: 0000000000000000
[ 78.445163] R13: 0000000000000003 R14: 0000000000020000 R15: 0000000000020000
[ 78.445751] </TASK>
[ 78.446005]
[ 78.446212] Allocated by task 4436:
[ 78.446554] kasan_save_stack+0x20/0x40
[ 78.446919] kasan_save_track+0x14/0x30
[ 78.447283] __kasan_kmalloc+0x8f/0xa0
[ 78.447640] user_event_parse_cmd+0x55e/0x25a0
[ 78.448048] user_events_ioctl+0xa52/0x17f0
[ 78.448437] __x64_sys_ioctl+0x133/0x190
[ 78.448811] do_syscall_64+0x66/0x130
[ 78.449162] entry_SYSCALL_64_after_hwframe+0x71/0x79
[ 78.449610]
[ 78.449818] Freed by task 50:
[ 78.450124] kasan_save_stack+0x20/0x40
[ 78.450492] kasan_save_track+0x14/0x30
[ 78.450855] kasan_save_free_info+0x3b/0x60
[ 78.451239] poison_slab_object+0x10a/0x170
[ 78.451628] __kasan_slab_free+0x14/0x30
[ 78.452000] kfree+0xe0/0x2f0
[ 78.452306] destroy_user_event+0x305/0x450
[ 78.452691] delayed_destroy_user_event+0x5c/0xe0
[ 78.453121] process_one_work+0x81c/0x1970
[ 78.453503] worker_thread+0x608/0x1160
[ 78.453864] kthread+0x2be/0x3b0
[ 78.454189] ret_from_fork+0x2c/0x70
[ 78.454538] ret_from_fork_asm+0x1a/0x30
[ 78.454905]
[ 78.455111] Last potentially related work creation:
[ 78.455547] kasan_save_stack+0x20/0x40
[ 78.455911] __kasan_record_aux_stack+0x8e/0xa0
[ 78.456324] insert_work+0x20/0x1b0
[ 78.456669] __queue_work+0x67a/0xc60
[ 78.457030] queue_work_on+0x63/0x90
[ 78.457376] user_event_put+0x1f9/0x390
[ 78.457743] user_events_ioctl+0x11ed/0x17f0
[ 78.458140] __x64_sys_ioctl+0x133/0x190
[ 78.458511] do_syscall_64+0x66/0x130
[ 78.459060] entry_SYSCALL_64_after_hwframe+0x71/0x79
[ 78.459509]
[ 78.459718] The buggy address belongs to the object at ffff88800473ec00
[ 78.459718] which belongs to the cache kmalloc-cg-512 of size 512
[ 78.460703] The buggy address is located 112 bytes inside of
[ 78.460703] freed 512-byte region [ffff88800473ec00, ffff88800473ee00)
[ 78.461663]
[ 78.461872] The buggy address belongs to the physical page:
[ 78.462350] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88800473d800 pfn:0x473c
[ 78.463091] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 78.463740] memcg:ffff88800102a301
[ 78.464073] flags: 0x40(head|zone=0)
[ 78.468269] page_type: 0xffffefff(slab)
[ 78.468633] raw: 0000000000000040 ffff88800014cdc0 ffffea00000e9300 dead000000000002
[ 78.469296] raw: ffff88800473d800 000000008010000f 00000001ffffefff ffff88800102a301
[ 78.469946] head: 0000000000000040 ffff88800014cdc0 ffffea00000e9300 dead000000000002
[ 78.470609] head: ffff88800473d800 000000008010000f 00000001ffffefff ffff88800102a301
[ 78.471267] head: 0000000000000002 ffffea000011cf01 ffffffffffffffff 0000000000000000
[ 78.471931] head: ffff888000000004 0000000000000000 00000000ffffffff 0000000000000000
[ 78.472590] page dumped because: kasan: bad access detected
[ 78.473074]
[ 78.473280] Memory state around the buggy address:
[ 78.473709] ffff88800473eb00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 78.474327] ffff88800473eb80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 78.474945] >ffff88800473ec00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 78.475563] ^
[ 78.476131] ffff88800473ec80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 78.476753] ffff88800473ed00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 78.477371] ==================================================================
[ 78.478004] ==================================================================
[ 78.478636] BUG: KASAN: slab-use-after-free in f_start+0x2cb/0x3d0
[ 78.479160] Read of size 8 at addr ffff88800473ed08 by task cat/4434
[ 78.479692]
[ 78.479897] CPU: 2 PID: 4434 Comm: cat Tainted: G B D N 6.10.0-vanilla+ #34
[ 78.480573] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
[ 78.481481] Call Trace:
[ 78.481752] <TASK>
[ 78.482001] dump_stack_lvl+0x66/0xa0
[ 78.482353] print_report+0xd0/0x630
[ 78.482702] ? f_start+0x2cb/0x3d0
[ 78.483040] ? __virt_addr_valid+0x208/0x3f0
[ 78.483433] ? f_start+0x2cb/0x3d0
[ 78.483768] kasan_report+0xd8/0x110
[ 78.484116] ? f_start+0x2cb/0x3d0
[ 78.484452] f_start+0x2cb/0x3d0
[ 78.484786] seq_read_iter+0x268/0x11e0
[ 78.485154] ? lock_release+0x453/0x600
[ 78.485520] seq_read+0x261/0x350
[ 78.485849] ? file_tty_write.isra.0+0x4f9/0x8b0
[ 78.486268] ? __pfx_seq_read+0x10/0x10
[ 78.486635] ? trace_irq_enable.constprop.0+0xce/0x110
[ 78.487089] vfs_read+0x171/0x9e0
[ 78.487420] ? lock_acquire+0x408/0x4b0
[ 78.487787] ? __pfx_vfs_read+0x10/0x10
[ 78.488154] ? lock_release+0x453/0x600
[ 78.488519] ? __pfx___up_read+0x10/0x10
[ 78.489043] ksys_read+0xdd/0x1a0
[ 78.489375] ? __pfx_ksys_read+0x10/0x10
[ 78.489743] ? trace_irq_enable.constprop.0+0xce/0x110
[ 78.490195] do_syscall_64+0x66/0x130
[ 78.490552] entry_SYSCALL_64_after_hwframe+0x71/0x79
[ 78.491001] RIP: 0033:0x7fa23454940e
[ 78.491347] Code: c0 e9 b6 fe ff ff 50 48 8d 3d 2e 08 0b 00 e8 69 01 02 00 66 0f 1f 84 00 00 00 00 00 64 8b 04 25 18 00 00 00 85 c0 75 14 0f 05 <48> 3d 00 f0 ff ff 77 5a c3 66 0f 1f 84 00 00 00 00 00 48 83 ec 28
[ 78.492773] RSP: 002b:00007fff3bf6c2d8 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
[ 78.493416] RAX: ffffffffffffffda RBX: 0000000000020000 RCX: 00007fa23454940e
[ 78.494001] RDX: 0000000000020000 RSI: 00007fa23443d000 RDI: 0000000000000003
[ 78.494587] RBP: 00007fa23443d000 R08: 00007fa23443c010 R09: 0000000000000000
[ 78.495169] R10: fffffffffffffbc5 R11: 0000000000000246 R12: 0000000000000000
[ 78.495754] R13: 0000000000000003 R14: 0000000000020000 R15: 0000000000020000
[ 78.496343] </TASK>
[ 78.496598]
[ 78.496811] Allocated by task 4436:
[ 78.497149] kasan_save_stack+0x20/0x40
[ 78.497514] kasan_save_track+0x14/0x30
[ 78.497880] __kasan_kmalloc+0x8f/0xa0
[ 78.498237] user_event_parse_cmd+0x55e/0x25a0
[ 78.498643] user_events_ioctl+0xa52/0x17f0
[ 78.499030] __x64_sys_ioctl+0x133/0x190
[ 78.499398] do_syscall_64+0x66/0x130
[ 78.499748] entry_SYSCALL_64_after_hwframe+0x71/0x79
[ 78.500193]
[ 78.500401] Freed by task 50:
[ 78.500704] kasan_save_stack+0x20/0x40
[ 78.501075] kasan_save_track+0x14/0x30
[ 78.501441] kasan_save_free_info+0x3b/0x60
[ 78.501823] poison_slab_object+0x10a/0x170
[ 78.502209] __kasan_slab_free+0x14/0x30
[ 78.502578] kfree+0xe0/0x2f0
[ 78.502884] destroy_user_event+0x305/0x450
[ 78.503271] delayed_destroy_user_event+0x5c/0xe0
[ 78.503695] process_one_work+0x81c/0x1970
[ 78.504078] worker_thread+0x608/0x1160
[ 78.504438] kthread+0x2be/0x3b0
[ 78.504766] ret_from_fork+0x2c/0x70
[ 78.505116] ret_from_fork_asm+0x1a/0x30
[ 78.505487]
[ 78.505695] Last potentially related work creation:
[ 78.506133] kasan_save_stack+0x20/0x40
[ 78.506496] __kasan_record_aux_stack+0x8e/0xa0
[ 78.506907] insert_work+0x20/0x1b0
[ 78.507250] __queue_work+0x67a/0xc60
[ 78.507603] queue_work_on+0x63/0x90
[ 78.507947] user_event_put+0x1f9/0x390
[ 78.508310] user_events_ioctl+0x11ed/0x17f0
[ 78.508707] __x64_sys_ioctl+0x133/0x190
[ 78.509083] do_syscall_64+0x66/0x130
[ 78.509436] entry_SYSCALL_64_after_hwframe+0x71/0x79
[ 78.509885]
[ 78.510095] The buggy address belongs to the object at ffff88800473ec00
[ 78.510095] which belongs to the cache kmalloc-cg-512 of size 512
[ 78.511081] The buggy address is located 264 bytes inside of
[ 78.511081] freed 512-byte region [ffff88800473ec00, ffff88800473ee00)
[ 78.512033]
[ 78.512242] The buggy address belongs to the physical page:
[ 78.512721] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88800473d800 pfn:0x473c
[ 78.513470] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 78.514116] memcg:ffff88800102a301
[ 78.514449] flags: 0x40(head|zone=0)
[ 78.514797] page_type: 0xffffefff(slab)
[ 78.515161] raw: 0000000000000040 ffff88800014cdc0 ffffea00000e9300 dead000000000002
[ 78.515812] raw: ffff88800473d800 000000008010000f 00000001ffffefff ffff88800102a301
[ 78.516468] head: 0000000000000040 ffff88800014cdc0 ffffea00000e9300 dead000000000002
[ 78.517129] head: ffff88800473d800 000000008010000f 00000001ffffefff ffff88800102a301
[ 78.517792] head: 0000000000000002 ffffea000011cf01 ffffffffffffffff 0000000000000000
[ 78.518449] head: ffff888000000004 0000000000000000 00000000ffffffff 0000000000000000
[ 78.519255] page dumped because: kasan: bad access detected
[ 78.519737]
[ 78.519945] Memory state around the buggy address:
[ 78.520372] ffff88800473ec00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 78.520991] ffff88800473ec80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 78.521610] >ffff88800473ed00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 78.522227] ^
[ 78.522566] ffff88800473ed80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 78.523185] ffff88800473ee00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 78.523800] ==================================================================
[ 78.524435] ==================================================================
[ 78.525058] BUG: KASAN: slab-use-after-free in user_event_get_fields+0x38/0x40
[ 78.525686] Read of size 8 at addr ffff88800473ecb8 by task cat/4434
[ 78.526219]
[ 78.526427] CPU: 2 PID: 4434 Comm: cat Tainted: G B D N 6.10.0-vanilla+ #34
[ 78.527100] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
[ 78.527999] Call Trace:
[ 78.528271] <TASK>
[ 78.528518] dump_stack_lvl+0x66/0xa0
[ 78.528878] print_report+0xd0/0x630
[ 78.529228] ? user_event_get_fields+0x38/0x40
[ 78.529631] ? __virt_addr_valid+0x208/0x3f0
[ 78.530025] ? user_event_get_fields+0x38/0x40
[ 78.530434] kasan_report+0xd8/0x110
[ 78.530783] ? user_event_get_fields+0x38/0x40
[ 78.531189] user_event_get_fields+0x38/0x40
[ 78.531582] f_start+0x175/0x3d0
[ 78.531910] seq_read_iter+0x268/0x11e0
[ 78.532278] ? lock_release+0x453/0x600
[ 78.532642] seq_read+0x261/0x350
[ 78.532979] ? file_tty_write.isra.0+0x4f9/0x8b0
[ 78.537236] ? __pfx_seq_read+0x10/0x10
[ 78.537604] ? trace_irq_enable.constprop.0+0xce/0x110
[ 78.538059] vfs_read+0x171/0x9e0
[ 78.538388] ? lock_acquire+0x408/0x4b0
[ 78.538752] ? __pfx_vfs_read+0x10/0x10
[ 78.539117] ? lock_release+0x453/0x600
[ 78.539486] ? __pfx___up_read+0x10/0x10
[ 78.539856] ksys_read+0xdd/0x1a0
[ 78.540187] ? __pfx_ksys_read+0x10/0x10
[ 78.540560] ? trace_irq_enable.constprop.0+0xce/0x110
[ 78.541018] do_syscall_64+0x66/0x130
[ 78.541371] entry_SYSCALL_64_after_hwframe+0x71/0x79
[ 78.541820] RIP: 0033:0x7fa23454940e
[ 78.542168] Code: c0 e9 b6 fe ff ff 50 48 8d 3d 2e 08 0b 00 e8 69 01 02 00 66 0f 1f 84 00 00 00 00 00 64 8b 04 25 18 00 00 00 85 c0 75 14 0f 05 <48> 3d 00 f0 ff ff 77 5a c3 66 0f 1f 84 00 00 00 00 00 48 83 ec 28
[ 78.543589] RSP: 002b:00007fff3bf6c2d8 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
[ 78.544231] RAX: ffffffffffffffda RBX: 0000000000020000 RCX: 00007fa23454940e
[ 78.544824] RDX: 0000000000020000 RSI: 00007fa23443d000 RDI: 0000000000000003
[ 78.545412] RBP: 00007fa23443d000 R08: 00007fa23443c010 R09: 0000000000000000
[ 78.545997] R10: fffffffffffffbc5 R11: 0000000000000246 R12: 0000000000000000
[ 78.546583] R13: 0000000000000003 R14: 0000000000020000 R15: 0000000000020000
[ 78.547169] </TASK>
[ 78.547421]
[ 78.547630] Allocated by task 4436:
[ 78.547971] kasan_save_stack+0x20/0x40
[ 78.548335] kasan_save_track+0x14/0x30
[ 78.548703] __kasan_kmalloc+0x8f/0xa0
[ 78.549191] user_event_parse_cmd+0x55e/0x25a0
[ 78.549596] user_events_ioctl+0xa52/0x17f0
[ 78.549986] __x64_sys_ioctl+0x133/0x190
[ 78.550359] do_syscall_64+0x66/0x130
[ 78.550712] entry_SYSCALL_64_after_hwframe+0x71/0x79
[ 78.551160]
[ 78.551368] Freed by task 50:
[ 78.551678] kasan_save_stack+0x20/0x40
[ 78.552041] kasan_save_track+0x14/0x30
[ 78.552407] kasan_save_free_info+0x3b/0x60
[ 78.552801] poison_slab_object+0x10a/0x170
[ 78.553187] __kasan_slab_free+0x14/0x30
[ 78.553556] kfree+0xe0/0x2f0
[ 78.553865] destroy_user_event+0x305/0x450
[ 78.554251] delayed_destroy_user_event+0x5c/0xe0
[ 78.554673] process_one_work+0x81c/0x1970
[ 78.555057] worker_thread+0x608/0x1160
[ 78.555425] kthread+0x2be/0x3b0
[ 78.555750] ret_from_fork+0x2c/0x70
[ 78.556095] ret_from_fork_asm+0x1a/0x30
[ 78.556468]
[ 78.556675] Last potentially related work creation:
[ 78.557113] kasan_save_stack+0x20/0x40
[ 78.557478] __kasan_record_aux_stack+0x8e/0xa0
[ 78.557893] insert_work+0x20/0x1b0
[ 78.558234] __queue_work+0x67a/0xc60
[ 78.558586] queue_work_on+0x63/0x90
[ 78.558935] user_event_put+0x1f9/0x390
[ 78.559299] user_events_ioctl+0x11ed/0x17f0
[ 78.559691] __x64_sys_ioctl+0x133/0x190
[ 78.560063] do_syscall_64+0x66/0x130
[ 78.560418] entry_SYSCALL_64_after_hwframe+0x71/0x79
[ 78.560871]
[ 78.561076] The buggy address belongs to the object at ffff88800473ec00
[ 78.561076] which belongs to the cache kmalloc-cg-512 of size 512
[ 78.562068] The buggy address is located 184 bytes inside of
[ 78.562068] freed 512-byte region [ffff88800473ec00, ffff88800473ee00)
[ 78.563019]
[ 78.563225] The buggy address belongs to the physical page:
[ 78.563707] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88800473d800 pfn:0x473c
[ 78.564454] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 78.565104] memcg:ffff88800102a301
[ 78.565440] flags: 0x40(head|zone=0)
[ 78.565786] page_type: 0xffffefff(slab)
[ 78.566152] raw: 0000000000000040 ffff88800014cdc0 ffffea00000e9300 dead000000000002
[ 78.566808] raw: ffff88800473d800 000000008010000f 00000001ffffefff ffff88800102a301
[ 78.567458] head: 0000000000000040 ffff88800014cdc0 ffffea00000e9300 dead000000000002
[ 78.568118] head: ffff88800473d800 000000008010000f 00000001ffffefff ffff88800102a301
[ 78.568788] head: 0000000000000002 ffffea000011cf01 ffffffffffffffff 0000000000000000
[ 78.569444] head: ffff888000000004 0000000000000000 00000000ffffffff 0000000000000000
[ 78.570110] page dumped because: kasan: bad access detected
[ 78.570591]
[ 78.570798] Memory state around the buggy address:
[ 78.571227] ffff88800473eb80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 78.571849] ffff88800473ec00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 78.572471] >ffff88800473ec80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 78.573092] ^
[ 78.573541] ffff88800473ed00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 78.574159] ffff88800473ed80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 78.574776] ==================================================================
[ 78.575407] ==================================================================
[ 78.576030] BUG: KASAN: slab-use-after-free in f_start+0x2e4/0x3d0
[ 78.576554] Read of size 8 at addr ffff88800473ec70 by task cat/4434
[ 78.577096]
[ 78.577306] CPU: 2 PID: 4434 Comm: cat Tainted: G B D N 6.10.0-vanilla+ #34
[ 78.577978] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
[ 78.579050] Call Trace:
[ 78.579322] <TASK>
[ 78.579569] dump_stack_lvl+0x66/0xa0
[ 78.579925] print_report+0xd0/0x630
[ 78.580276] ? f_start+0x2e4/0x3d0
[ 78.580612] ? __virt_addr_valid+0x208/0x3f0
[ 78.581014] ? f_start+0x2e4/0x3d0
[ 78.581353] kasan_report+0xd8/0x110
[ 78.581700] ? f_start+0x2e4/0x3d0
[ 78.582036] f_start+0x2e4/0x3d0
[ 78.582363] seq_read_iter+0x268/0x11e0
[ 78.582728] ? lock_release+0x453/0x600
[ 78.583092] seq_read+0x261/0x350
[ 78.583424] ? file_tty_write.isra.0+0x4f9/0x8b0
[ 78.583843] ? __pfx_seq_read+0x10/0x10
[ 78.584208] ? trace_irq_enable.constprop.0+0xce/0x110
[ 78.584663] vfs_read+0x171/0x9e0
[ 78.585002] ? lock_acquire+0x408/0x4b0
[ 78.585370] ? __pfx_vfs_read+0x10/0x10
[ 78.585736] ? lock_release+0x453/0x600
[ 78.586104] ? __pfx___up_read+0x10/0x10
[ 78.586477] ksys_read+0xdd/0x1a0
[ 78.586807] ? __pfx_ksys_read+0x10/0x10
[ 78.587176] ? trace_irq_enable.constprop.0+0xce/0x110
[ 78.587631] do_syscall_64+0x66/0x130
[ 78.587986] entry_SYSCALL_64_after_hwframe+0x71/0x79
[ 78.588433] RIP: 0033:0x7fa23454940e
[ 78.588783] Code: c0 e9 b6 fe ff ff 50 48 8d 3d 2e 08 0b 00 e8 69 01 02 00 66 0f 1f 84 00 00 00 00 00 64 8b 04 25 18 00 00 00 85 c0 75 14 0f 05 <48> 3d 00 f0 ff ff 77 5a c3 66 0f 1f 84 00 00 00 00 00 48 83 ec 28
[ 78.590208] RSP: 002b:00007fff3bf6c2d8 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
[ 78.590849] RAX: ffffffffffffffda RBX: 0000000000020000 RCX: 00007fa23454940e
[ 78.591438] RDX: 0000000000020000 RSI: 00007fa23443d000 RDI: 0000000000000003
[ 78.592026] RBP: 00007fa23443d000 R08: 00007fa23443c010 R09: 0000000000000000
[ 78.592614] R10: fffffffffffffbc5 R11: 0000000000000246 R12: 0000000000000000
[ 78.593207] R13: 0000000000000003 R14: 0000000000020000 R15: 0000000000020000
[ 78.593796] </TASK>
[ 78.594050]
[ 78.594257] Allocated by task 4436:
[ 78.594599] kasan_save_stack+0x20/0x40
[ 78.594962] kasan_save_track+0x14/0x30
[ 78.595324] __kasan_kmalloc+0x8f/0xa0
[ 78.595684] user_event_parse_cmd+0x55e/0x25a0
[ 78.596092] user_events_ioctl+0xa52/0x17f0
[ 78.596479] __x64_sys_ioctl+0x133/0x190
[ 78.596854] do_syscall_64+0x66/0x130
[ 78.597208] entry_SYSCALL_64_after_hwframe+0x71/0x79
[ 78.597654]
[ 78.597860] Freed by task 50:
[ 78.598169] kasan_save_stack+0x20/0x40
[ 78.598532] kasan_save_track+0x14/0x30
[ 78.598896] kasan_save_free_info+0x3b/0x60
[ 78.599285] poison_slab_object+0x10a/0x170
[ 78.599673] __kasan_slab_free+0x14/0x30
[ 78.600041] kfree+0xe0/0x2f0
[ 78.600349] destroy_user_event+0x305/0x450
[ 78.600742] delayed_destroy_user_event+0x5c/0xe0
[ 78.601169] process_one_work+0x81c/0x1970
[ 78.601550] worker_thread+0x608/0x1160
[ 78.601913] kthread+0x2be/0x3b0
[ 78.602238] ret_from_fork+0x2c/0x70
[ 78.602584] ret_from_fork_asm+0x1a/0x30
[ 78.602952]
[ 78.603162] Last potentially related work creation:
[ 78.603594] kasan_save_stack+0x20/0x40
[ 78.603958] __kasan_record_aux_stack+0x8e/0xa0
[ 78.604372] insert_work+0x20/0x1b0
[ 78.608561] __queue_work+0x67a/0xc60
[ 78.609073] queue_work_on+0x63/0x90
[ 78.609423] user_event_put+0x1f9/0x390
[ 78.609786] user_events_ioctl+0x11ed/0x17f0
[ 78.610181] __x64_sys_ioctl+0x133/0x190
[ 78.610554] do_syscall_64+0x66/0x130
[ 78.610909] entry_SYSCALL_64_after_hwframe+0x71/0x79
[ 78.611356]
[ 78.611563] The buggy address belongs to the object at ffff88800473ec00
[ 78.611563] which belongs to the cache kmalloc-cg-512 of size 512
[ 78.612553] The buggy address is located 112 bytes inside of
[ 78.612553] freed 512-byte region [ffff88800473ec00, ffff88800473ee00)
[ 78.613511]
[ 78.613716] The buggy address belongs to the physical page:
[ 78.614199] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88800473d800 pfn:0x473c
[ 78.614943] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 78.615587] memcg:ffff88800102a301
[ 78.615921] flags: 0x40(head|zone=0)
[ 78.616267] page_type: 0xffffefff(slab)
[ 78.616633] raw: 0000000000000040 ffff88800014cdc0 ffffea00000e9300 dead000000000002
[ 78.617294] raw: ffff88800473d800 000000008010000f 00000001ffffefff ffff88800102a301
[ 78.617946] head: 0000000000000040 ffff88800014cdc0 ffffea00000e9300 dead000000000002
[ 78.618603] head: ffff88800473d800 000000008010000f 00000001ffffefff ffff88800102a301
[ 78.619272] head: 0000000000000002 ffffea000011cf01 ffffffffffffffff 0000000000000000
[ 78.619929] head: ffff888000000004 0000000000000000 00000000ffffffff 0000000000000000
[ 78.620591] page dumped because: kasan: bad access detected
[ 78.621078]
[ 78.621286] Memory state around the buggy address:
[ 78.621717] ffff88800473eb00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 78.622334] ffff88800473eb80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 78.622953] >ffff88800473ec00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 78.623571] ^
[ 78.624143] ffff88800473ec80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 78.624766] ffff88800473ed00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 78.625384] ==================================================================
[ 78.626017] ==================================================================
[ 78.626639] BUG: KASAN: slab-use-after-free in f_start+0x2cb/0x3d0
[ 78.627165] Read of size 8 at addr ffff88800473ed08 by task cat/4434
[ 78.627697]
[ 78.627905] CPU: 2 PID: 4434 Comm: cat Tainted: G B D N 6.10.0-vanilla+ #34
[ 78.628579] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
[ 78.629490] Call Trace:
[ 78.629762] <TASK>
[ 78.630010] dump_stack_lvl+0x66/0xa0
[ 78.630366] print_report+0xd0/0x630
[ 78.630716] ? f_start+0x2cb/0x3d0
[ 78.631052] ? __virt_addr_valid+0x208/0x3f0
[ 78.631446] ? f_start+0x2cb/0x3d0
[ 78.631784] kasan_report+0xd8/0x110
[ 78.632131] ? f_start+0x2cb/0x3d0
[ 78.632468] f_start+0x2cb/0x3d0
[ 78.632801] seq_read_iter+0x268/0x11e0
[ 78.633170] ? lock_release+0x453/0x600
[ 78.633535] seq_read+0x261/0x350
[ 78.633868] ? file_tty_write.isra.0+0x4f9/0x8b0
[ 78.634287] ? __pfx_seq_read+0x10/0x10
[ 78.634651] ? trace_irq_enable.constprop.0+0xce/0x110
[ 78.635104] vfs_read+0x171/0x9e0
[ 78.635437] ? lock_acquire+0x408/0x4b0
[ 78.635802] ? __pfx_vfs_read+0x10/0x10
[ 78.636166] ? lock_release+0x453/0x600
[ 78.636530] ? __pfx___up_read+0x10/0x10
[ 78.636908] ksys_read+0xdd/0x1a0
[ 78.637239] ? __pfx_ksys_read+0x10/0x10
[ 78.637610] ? trace_irq_enable.constprop.0+0xce/0x110
[ 78.638067] do_syscall_64+0x66/0x130
[ 78.638423] entry_SYSCALL_64_after_hwframe+0x71/0x79
[ 78.639009] RIP: 0033:0x7fa23454940e
[ 78.639356] Code: c0 e9 b6 fe ff ff 50 48 8d 3d 2e 08 0b 00 e8 69 01 02 00 66 0f 1f 84 00 00 00 00 00 64 8b 04 25 18 00 00 00 85 c0 75 14 0f 05 <48> 3d 00 f0 ff ff 77 5a c3 66 0f 1f 84 00 00 00 00 00 48 83 ec 28
[ 78.640789] RSP: 002b:00007fff3bf6c2d8 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
[ 78.641433] RAX: ffffffffffffffda RBX: 0000000000020000 RCX: 00007fa23454940e
[ 78.642022] RDX: 0000000000020000 RSI: 00007fa23443d000 RDI: 0000000000000003
[ 78.642610] RBP: 00007fa23443d000 R08: 00007fa23443c010 R09: 0000000000000000
[ 78.643200] R10: fffffffffffffbc5 R11: 0000000000000246 R12: 0000000000000000
[ 78.643790] R13: 0000000000000003 R14: 0000000000020000 R15: 0000000000020000
[ 78.644381] </TASK>
[ 78.644636]
[ 78.644845] Allocated by task 4436:
[ 78.645187] kasan_save_stack+0x20/0x40
[ 78.645551] kasan_save_track+0x14/0x30
[ 78.645913] __kasan_kmalloc+0x8f/0xa0
[ 78.646275] user_event_parse_cmd+0x55e/0x25a0
[ 78.646684] user_events_ioctl+0xa52/0x17f0
[ 78.647071] __x64_sys_ioctl+0x133/0x190
[ 78.647442] do_syscall_64+0x66/0x130
[ 78.647797] entry_SYSCALL_64_after_hwframe+0x71/0x79
[ 78.648247]
[ 78.648453] Freed by task 50:
[ 78.648767] kasan_save_stack+0x20/0x40
[ 78.649134] kasan_save_track+0x14/0x30
[ 78.649498] kasan_save_free_info+0x3b/0x60
[ 78.649889] poison_slab_object+0x10a/0x170
[ 78.650279] __kasan_slab_free+0x14/0x30
[ 78.650648] kfree+0xe0/0x2f0
[ 78.650960] destroy_user_event+0x305/0x450
[ 78.651349] delayed_destroy_user_event+0x5c/0xe0
[ 78.651774] process_one_work+0x81c/0x1970
[ 78.652156] worker_thread+0x608/0x1160
[ 78.652520] kthread+0x2be/0x3b0
[ 78.652852] ret_from_fork+0x2c/0x70
[ 78.653199] ret_from_fork_asm+0x1a/0x30
[ 78.653567]
[ 78.653777] Last potentially related work creation:
[ 78.654211] kasan_save_stack+0x20/0x40
[ 78.654574] __kasan_record_aux_stack+0x8e/0xa0
[ 78.654988] insert_work+0x20/0x1b0
[ 78.655333] __queue_work+0x67a/0xc60
[ 78.655686] queue_work_on+0x63/0x90
[ 78.656032] user_event_put+0x1f9/0x390
[ 78.656400] user_events_ioctl+0x11ed/0x17f0
[ 78.656804] __x64_sys_ioctl+0x133/0x190
[ 78.657174] do_syscall_64+0x66/0x130
[ 78.657529] entry_SYSCALL_64_after_hwframe+0x71/0x79
[ 78.657980]
[ 78.658185] The buggy address belongs to the object at ffff88800473ec00
[ 78.658185] which belongs to the cache kmalloc-cg-512 of size 512
[ 78.659179] The buggy address is located 264 bytes inside of
[ 78.659179] freed 512-byte region [ffff88800473ec00, ffff88800473ee00)
[ 78.660137]
[ 78.660346] The buggy address belongs to the physical page:
[ 78.660831] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88800473d800 pfn:0x473c
[ 78.661584] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 78.662230] memcg:ffff88800102a301
[ 78.662567] flags: 0x40(head|zone=0)
[ 78.662917] page_type: 0xffffefff(slab)
[ 78.663281] raw: 0000000000000040 ffff88800014cdc0 ffffea00000e9300 dead000000000002
[ 78.663936] raw: ffff88800473d800 000000008010000f 00000001ffffefff ffff88800102a301
[ 78.664587] head: 0000000000000040 ffff88800014cdc0 ffffea00000e9300 dead000000000002
[ 78.665261] head: ffff88800473d800 000000008010000f 00000001ffffefff ffff88800102a301
[ 78.665919] head: 0000000000000002 ffffea000011cf01 ffffffffffffffff 0000000000000000
[ 78.666583] head: ffff888000000004 0000000000000000 00000000ffffffff 0000000000000000
[ 78.667240] page dumped because: kasan: bad access detected
[ 78.667723]
[ 78.667932] Memory state around the buggy address:
[ 78.668362] ffff88800473ec00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 78.669168] ffff88800473ec80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 78.669783] >ffff88800473ed00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 78.670401] ^
[ 78.670741] ffff88800473ed80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 78.671364] ffff88800473ee00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 78.671980] ==================================================================
[ 78.672616] ==================================================================
[ 78.673245] BUG: KASAN: slab-use-after-free in user_event_get_fields+0x38/0x40
[ 78.673865] Read of size 8 at addr ffff88800473ecb8 by task cat/4434
[ 78.678247]
[ 78.678454] CPU: 2 PID: 4434 Comm: cat Tainted: G B D N 6.10.0-vanilla+ #34
[ 78.679127] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
[ 78.680028] Call Trace:
[ 78.680297] <TASK>
[ 78.680547] dump_stack_lvl+0x66/0xa0
[ 78.680903] print_report+0xd0/0x630
[ 78.681251] ? user_event_get_fields+0x38/0x40
[ 78.681661] ? __virt_addr_valid+0x208/0x3f0
[ 78.682056] ? user_event_get_fields+0x38/0x40
[ 78.682461] kasan_report+0xd8/0x110
[ 78.682811] ? user_event_get_fields+0x38/0x40
[ 78.683218] user_event_get_fields+0x38/0x40
[ 78.683611] f_start+0x175/0x3d0
[ 78.683934] seq_read_iter+0x268/0x11e0
[ 78.684302] ? lock_release+0x453/0x600
[ 78.684668] seq_read+0x261/0x350
[ 78.685002] ? file_tty_write.isra.0+0x4f9/0x8b0
[ 78.685422] ? __pfx_seq_read+0x10/0x10
[ 78.685788] ? trace_irq_enable.constprop.0+0xce/0x110
[ 78.686241] vfs_read+0x171/0x9e0
[ 78.686569] ? lock_acquire+0x408/0x4b0
[ 78.686937] ? __pfx_vfs_read+0x10/0x10
[ 78.687305] ? lock_release+0x453/0x600
[ 78.687669] ? __pfx___up_read+0x10/0x10
[ 78.688037] ksys_read+0xdd/0x1a0
[ 78.688370] ? __pfx_ksys_read+0x10/0x10
[ 78.688742] ? trace_irq_enable.constprop.0+0xce/0x110
[ 78.689195] do_syscall_64+0x66/0x130
[ 78.689550] entry_SYSCALL_64_after_hwframe+0x71/0x79
[ 78.690000] RIP: 0033:0x7fa23454940e
[ 78.690345] Code: c0 e9 b6 fe ff ff 50 48 8d 3d 2e 08 0b 00 e8 69 01 02 00 66 0f 1f 84 00 00 00 00 00 64 8b 04 25 18 00 00 00 85 c0 75 14 0f 05 <48> 3d 00 f0 ff ff 77 5a c3 66 0f 1f 84 00 00 00 00 00 48 83 ec 28
[ 78.691763] RSP: 002b:00007fff3bf6c2d8 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
[ 78.692404] RAX: ffffffffffffffda RBX: 0000000000020000 RCX: 00007fa23454940e
[ 78.692994] RDX: 0000000000020000 RSI: 00007fa23443d000 RDI: 0000000000000003
[ 78.693577] RBP: 00007fa23443d000 R08: 00007fa23443c010 R09: 0000000000000000
[ 78.694163] R10: fffffffffffffbc5 R11: 0000000000000246 R12: 0000000000000000
[ 78.694747] R13: 0000000000000003 R14: 0000000000020000 R15: 0000000000020000
[ 78.695334] </TASK>
[ 78.695588]
[ 78.695797] Allocated by task 4436:
[ 78.696137] kasan_save_stack+0x20/0x40
[ 78.696502] kasan_save_track+0x14/0x30
[ 78.696874] __kasan_kmalloc+0x8f/0xa0
[ 78.697231] user_event_parse_cmd+0x55e/0x25a0
[ 78.697640] user_events_ioctl+0xa52/0x17f0
[ 78.698029] __x64_sys_ioctl+0x133/0x190
[ 78.698398] do_syscall_64+0x66/0x130
[ 78.698751] entry_SYSCALL_64_after_hwframe+0x71/0x79
[ 78.699358]
[ 78.699566] Freed by task 50:
[ 78.699872] kasan_save_stack+0x20/0x40
[ 78.700238] kasan_save_track+0x14/0x30
[ 78.700605] kasan_save_free_info+0x3b/0x60
[ 78.700997] poison_slab_object+0x10a/0x170
[ 78.701384] __kasan_slab_free+0x14/0x30
[ 78.701758] kfree+0xe0/0x2f0
[ 78.702066] destroy_user_event+0x305/0x450
[ 78.702454] delayed_destroy_user_event+0x5c/0xe0
[ 78.702880] process_one_work+0x81c/0x1970
[ 78.703263] worker_thread+0x608/0x1160
[ 78.703627] kthread+0x2be/0x3b0
[ 78.703952] ret_from_fork+0x2c/0x70
[ 78.704302] ret_from_fork_asm+0x1a/0x30
[ 78.704675]
[ 78.704888] Last potentially related work creation:
[ 78.705324] kasan_save_stack+0x20/0x40
[ 78.705691] __kasan_record_aux_stack+0x8e/0xa0
[ 78.706101] insert_work+0x20/0x1b0
[ 78.706444] __queue_work+0x67a/0xc60
[ 78.706798] queue_work_on+0x63/0x90
[ 78.707143] user_event_put+0x1f9/0x390
[ 78.707506] user_events_ioctl+0x11ed/0x17f0
[ 78.707903] __x64_sys_ioctl+0x133/0x190
[ 78.708276] do_syscall_64+0x66/0x130
[ 78.708629] entry_SYSCALL_64_after_hwframe+0x71/0x79
[ 78.709080]
[ 78.709290] The buggy address belongs to the object at ffff88800473ec00
[ 78.709290] which belongs to the cache kmalloc-cg-512 of size 512
[ 78.710280] The buggy address is located 184 bytes inside of
[ 78.710280] freed 512-byte region [ffff88800473ec00, ffff88800473ee00)
[ 78.711238]
[ 78.711449] The buggy address belongs to the physical page:
[ 78.711928] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88800473d800 pfn:0x473c
[ 78.712675] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 78.713330] memcg:ffff88800102a301
[ 78.713665] flags: 0x40(head|zone=0)
[ 78.714014] page_type: 0xffffefff(slab)
[ 78.714382] raw: 0000000000000040 ffff88800014cdc0 ffffea00000e9300 dead000000000002
[ 78.715033] raw: ffff88800473d800 000000008010000f 00000001ffffefff ffff88800102a301
[ 78.715689] head: 0000000000000040 ffff88800014cdc0 ffffea00000e9300 dead000000000002
[ 78.716346] head: ffff88800473d800 000000008010000f 00000001ffffefff ffff88800102a301
[ 78.717015] head: 0000000000000002 ffffea000011cf01 ffffffffffffffff 0000000000000000
[ 78.717673] head: ffff888000000004 0000000000000000 00000000ffffffff 0000000000000000
[ 78.718342] page dumped because: kasan: bad access detected
[ 78.718822]
[ 78.719031] Memory state around the buggy address:
[ 78.719458] ffff88800473eb80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 78.720074] ffff88800473ec00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 78.720693] >ffff88800473ec80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 78.721317] ^
[ 78.721762] ffff88800473ed00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 78.722378] ffff88800473ed80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 78.722995] ==================================================================
[ 78.723628] ==================================================================
[ 78.724251] BUG: KASAN: slab-use-after-free in f_start+0x2f8/0x3d0
[ 78.724784] Read of size 8 at addr ffff88800473ed58 by task cat/4434
[ 78.725323]
[ 78.725533] CPU: 2 PID: 4434 Comm: cat Tainted: G B D N 6.10.0-vanilla+ #34
[ 78.726203] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
[ 78.727118] Call Trace:
[ 78.727389] <TASK>
[ 78.727635] dump_stack_lvl+0x66/0xa0
[ 78.727990] print_report+0xd0/0x630
[ 78.728338] ? f_start+0x2f8/0x3d0
[ 78.728674] ? __virt_addr_valid+0x208/0x3f0
[ 78.729215] ? f_start+0x2f8/0x3d0
[ 78.729550] kasan_report+0xd8/0x110
[ 78.729897] ? f_start+0x2f8/0x3d0
[ 78.730238] f_start+0x2f8/0x3d0
[ 78.730566] seq_read_iter+0x268/0x11e0
[ 78.730931] ? lock_release+0x453/0x600
[ 78.731298] seq_read+0x261/0x350
[ 78.731631] ? file_tty_write.isra.0+0x4f9/0x8b0
[ 78.732049] ? __pfx_seq_read+0x10/0x10
[ 78.732413] ? trace_irq_enable.constprop.0+0xce/0x110
[ 78.732876] vfs_read+0x171/0x9e0
[ 78.733208] ? lock_acquire+0x408/0x4b0
[ 78.733572] ? __pfx_vfs_read+0x10/0x10
[ 78.733940] ? lock_release+0x453/0x600
[ 78.734308] ? __pfx___up_read+0x10/0x10
[ 78.734679] ksys_read+0xdd/0x1a0
[ 78.735009] ? __pfx_ksys_read+0x10/0x10
[ 78.735382] ? trace_irq_enable.constprop.0+0xce/0x110
[ 78.735837] do_syscall_64+0x66/0x130
[ 78.736190] entry_SYSCALL_64_after_hwframe+0x71/0x79
[ 78.736637] RIP: 0033:0x7fa23454940e
[ 78.736993] Code: c0 e9 b6 fe ff ff 50 48 8d 3d 2e 08 0b 00 e8 69 01 02 00 66 0f 1f 84 00 00 00 00 00 64 8b 04 25 18 00 00 00 85 c0 75 14 0f 05 <48> 3d 00 f0 ff ff 77 5a c3 66 0f 1f 84 00 00 00 00 00 48 83 ec 28
[ 78.738415] RSP: 002b:00007fff3bf6c2d8 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
[ 78.739058] RAX: ffffffffffffffda RBX: 0000000000020000 RCX: 00007fa23454940e
[ 78.739646] RDX: 0000000000020000 RSI: 00007fa23443d000 RDI: 0000000000000003
[ 78.740235] RBP: 00007fa23443d000 R08: 00007fa23443c010 R09: 0000000000000000
[ 78.740832] R10: fffffffffffffbc5 R11: 0000000000000246 R12: 0000000000000000
[ 78.741418] R13: 0000000000000003 R14: 0000000000020000 R15: 0000000000020000
[ 78.742007] </TASK>
[ 78.742259]
[ 78.742468] Allocated by task 4436:
[ 78.742807] kasan_save_stack+0x20/0x40
[ 78.743171] kasan_save_track+0x14/0x30
[ 78.743537] __kasan_kmalloc+0x8f/0xa0
[ 78.743899] user_event_parse_cmd+0x55e/0x25a0
[ 78.744303] user_events_ioctl+0xa52/0x17f0
[ 78.744689] __x64_sys_ioctl+0x133/0x190
[ 78.745066] do_syscall_64+0x66/0x130
[ 78.745421] entry_SYSCALL_64_after_hwframe+0x71/0x79
[ 78.749712]
[ 78.749922] Freed by task 50:
[ 78.750225] kasan_save_stack+0x20/0x40
[ 78.750591] kasan_save_track+0x14/0x30
[ 78.750958] kasan_save_free_info+0x3b/0x60
[ 78.751342] poison_slab_object+0x10a/0x170
[ 78.751729] __kasan_slab_free+0x14/0x30
[ 78.752100] kfree+0xe0/0x2f0
[ 78.752406] destroy_user_event+0x305/0x450
[ 78.752797] delayed_destroy_user_event+0x5c/0xe0
[ 78.753223] process_one_work+0x81c/0x1970
[ 78.753606] worker_thread+0x608/0x1160
[ 78.753969] kthread+0x2be/0x3b0
[ 78.754292] ret_from_fork+0x2c/0x70
[ 78.754642] ret_from_fork_asm+0x1a/0x30
[ 78.755011]
[ 78.755216] Last potentially related work creation:
[ 78.755652] kasan_save_stack+0x20/0x40
[ 78.756019] __kasan_record_aux_stack+0x8e/0xa0
[ 78.756431] insert_work+0x20/0x1b0
[ 78.756779] __queue_work+0x67a/0xc60
[ 78.757135] queue_work_on+0x63/0x90
[ 78.757481] user_event_put+0x1f9/0x390
[ 78.757843] user_events_ioctl+0x11ed/0x17f0
[ 78.758240] __x64_sys_ioctl+0x133/0x190
[ 78.758612] do_syscall_64+0x66/0x130
[ 78.759108] entry_SYSCALL_64_after_hwframe+0x71/0x79
[ 78.759558]
[ 78.759767] The buggy address belongs to the object at ffff88800473ec00
[ 78.759767] which belongs to the cache kmalloc-cg-512 of size 512
[ 78.760758] The buggy address is located 344 bytes inside of
[ 78.760758] freed 512-byte region [ffff88800473ec00, ffff88800473ee00)
[ 78.761711]
[ 78.761919] The buggy address belongs to the physical page:
[ 78.762397] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88800473d800 pfn:0x473c
[ 78.763147] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 78.763796] memcg:ffff88800102a301
[ 78.764129] flags: 0x40(head|zone=0)
[ 78.764478] page_type: 0xffffefff(slab)
[ 78.764846] raw: 0000000000000040 ffff88800014cdc0 ffffea00000e9300 dead000000000002
[ 78.765499] raw: ffff88800473d800 000000008010000f 00000001ffffefff ffff88800102a301
[ 78.766158] head: 0000000000000040 ffff88800014cdc0 ffffea00000e9300 dead000000000002
[ 78.766815] head: ffff88800473d800 000000008010000f 00000001ffffefff ffff88800102a301
[ 78.767479] head: 0000000000000002 ffffea000011cf01 ffffffffffffffff 0000000000000000
[ 78.768133] head: ffff888000000004 0000000000000000 00000000ffffffff 0000000000000000
[ 78.768798] page dumped because: kasan: bad access detected
[ 78.769279]
[ 78.769487] Memory state around the buggy address:
[ 78.769914] ffff88800473ec00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 78.770531] ffff88800473ec80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 78.771149] >ffff88800473ed00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 78.771767] ^
[ 78.772281] ffff88800473ed80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 78.772901] ffff88800473ee00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 78.773521] ==================================================================
[ 78.774151] ==================================================================
[ 78.774781] BUG: KASAN: slab-use-after-free in f_start+0x2e4/0x3d0
[ 78.775310] Read of size 8 at addr ffff88800473ec70 by task cat/4434
[ 78.775845]
[ 78.776054] CPU: 2 PID: 4434 Comm: cat Tainted: G B D N 6.10.0-vanilla+ #34
[ 78.776721] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
[ 78.777637] Call Trace:
[ 78.777907] <TASK>
[ 78.778153] dump_stack_lvl+0x66/0xa0
[ 78.778510] print_report+0xd0/0x630
[ 78.778860] ? f_start+0x2e4/0x3d0
[ 78.779196] ? __virt_addr_valid+0x208/0x3f0
[ 78.779594] ? f_start+0x2e4/0x3d0
[ 78.779931] kasan_report+0xd8/0x110
[ 78.780279] ? f_start+0x2e4/0x3d0
[ 78.780618] f_start+0x2e4/0x3d0
[ 78.780950] seq_read_iter+0x268/0x11e0
[ 78.781316] ? lock_release+0x453/0x600
[ 78.781684] seq_read+0x261/0x350
[ 78.782017] ? file_tty_write.isra.0+0x4f9/0x8b0
[ 78.782434] ? __pfx_seq_read+0x10/0x10
[ 78.782798] ? trace_irq_enable.constprop.0+0xce/0x110
[ 78.783255] vfs_read+0x171/0x9e0
[ 78.783588] ? lock_acquire+0x408/0x4b0
[ 78.783953] ? __pfx_vfs_read+0x10/0x10
[ 78.784317] ? lock_release+0x453/0x600
[ 78.784684] ? __pfx___up_read+0x10/0x10
[ 78.785057] ksys_read+0xdd/0x1a0
[ 78.785387] ? __pfx_ksys_read+0x10/0x10
[ 78.785761] ? trace_irq_enable.constprop.0+0xce/0x110
[ 78.786218] do_syscall_64+0x66/0x130
[ 78.786571] entry_SYSCALL_64_after_hwframe+0x71/0x79
[ 78.787019] RIP: 0033:0x7fa23454940e
[ 78.787368] Code: c0 e9 b6 fe ff ff 50 48 8d 3d 2e 08 0b 00 e8 69 01 02 00 66 0f 1f 84 00 00 00 00 00 64 8b 04 25 18 00 00 00 85 c0 75 14 0f 05 <48> 3d 00 f0 ff ff 77 5a c3 66 0f 1f 84 00 00 00 00 00 48 83 ec 28
[ 78.788939] RSP: 002b:00007fff3bf6c2d8 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
[ 78.789580] RAX: ffffffffffffffda RBX: 0000000000020000 RCX: 00007fa23454940e
[ 78.790169] RDX: 0000000000020000 RSI: 00007fa23443d000 RDI: 0000000000000003
[ 78.790757] RBP: 00007fa23443d000 R08: 00007fa23443c010 R09: 0000000000000000
[ 78.791347] R10: fffffffffffffbc5 R11: 0000000000000246 R12: 0000000000000000
[ 78.791934] R13: 0000000000000003 R14: 0000000000020000 R15: 0000000000020000
[ 78.792521] </TASK>
[ 78.792778]
[ 78.792987] Allocated by task 4436:
[ 78.793331] kasan_save_stack+0x20/0x40
[ 78.793694] kasan_save_track+0x14/0x30
[ 78.794060] __kasan_kmalloc+0x8f/0xa0
[ 78.794420] user_event_parse_cmd+0x55e/0x25a0
[ 78.794824] user_events_ioctl+0xa52/0x17f0
[ 78.795210] __x64_sys_ioctl+0x133/0x190
[ 78.795583] do_syscall_64+0x66/0x130
[ 78.795939] entry_SYSCALL_64_after_hwframe+0x71/0x79
[ 78.796384]
[ 78.796590] Freed by task 50:
[ 78.796902] kasan_save_stack+0x20/0x40
[ 78.797266] kasan_save_track+0x14/0x30
[ 78.797631] kasan_save_free_info+0x3b/0x60
[ 78.798020] poison_slab_object+0x10a/0x170
[ 78.798405] __kasan_slab_free+0x14/0x30
[ 78.798774] kfree+0xe0/0x2f0
[ 78.799084] destroy_user_event+0x305/0x450
[ 78.799473] delayed_destroy_user_event+0x5c/0xe0
[ 78.799896] process_one_work+0x81c/0x1970
[ 78.800277] worker_thread+0x608/0x1160
[ 78.800643] kthread+0x2be/0x3b0
[ 78.800976] ret_from_fork+0x2c/0x70
[ 78.801322] ret_from_fork_asm+0x1a/0x30
[ 78.801693]
[ 78.801903] Last potentially related work creation:
[ 78.802335] kasan_save_stack+0x20/0x40
[ 78.802704] __kasan_record_aux_stack+0x8e/0xa0
[ 78.803118] insert_work+0x20/0x1b0
[ 78.803460] __queue_work+0x67a/0xc60
[ 78.803812] queue_work_on+0x63/0x90
[ 78.804161] user_event_put+0x1f9/0x390
[ 78.804527] user_events_ioctl+0x11ed/0x17f0
[ 78.804926] __x64_sys_ioctl+0x133/0x190
[ 78.805298] do_syscall_64+0x66/0x130
[ 78.805653] entry_SYSCALL_64_after_hwframe+0x71/0x79
[ 78.806100]
[ 78.806307] The buggy address belongs to the object at ffff88800473ec00
[ 78.806307] which belongs to the cache kmalloc-cg-512 of size 512
[ 78.807300] The buggy address is located 112 bytes inside of
[ 78.807300] freed 512-byte region [ffff88800473ec00, ffff88800473ee00)
[ 78.808253]
[ 78.808459] The buggy address belongs to the physical page:
[ 78.808947] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88800473d800 pfn:0x473c
[ 78.809699] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 78.810344] memcg:ffff88800102a301
[ 78.810681] flags: 0x40(head|zone=0)
[ 78.811027] page_type: 0xffffefff(slab)
[ 78.811390] raw: 0000000000000040 ffff88800014cdc0 ffffea00000e9300 dead000000000002
[ 78.812046] raw: ffff88800473d800 000000008010000f 00000001ffffefff ffff88800102a301
[ 78.812700] head: 0000000000000040 ffff88800014cdc0 ffffea00000e9300 dead000000000002
[ 78.813368] head: ffff88800473d800 000000008010000f 00000001ffffefff ffff88800102a301
[ 78.814026] head: 0000000000000002 ffffea000011cf01 ffffffffffffffff 0000000000000000
[ 78.814685] head: ffff888000000004 0000000000000000 00000000ffffffff 0000000000000000
[ 78.815350] page dumped because: kasan: bad access detected
[ 78.819845]
[ 78.820054] Memory state around the buggy address:
[ 78.820482] ffff88800473eb00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 78.821104] ffff88800473eb80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 78.821724] >ffff88800473ec00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 78.822339] ^
[ 78.822905] ffff88800473ec80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 78.823522] ffff88800473ed00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 78.824141] ==================================================================
[ 78.824784] ==================================================================
[ 78.825410] BUG: KASAN: slab-use-after-free in f_start+0x2cb/0x3d0
[ 78.825934] Read of size 8 at addr ffff88800473ed08 by task cat/4434
[ 78.826470]
[ 78.826680] CPU: 2 PID: 4434 Comm: cat Tainted: G B D N 6.10.0-vanilla+ #34
[ 78.827349] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
[ 78.828261] Call Trace:
[ 78.828529] <TASK>
[ 78.828783] dump_stack_lvl+0x66/0xa0
[ 78.829139] print_report+0xd0/0x630
[ 78.829487] ? f_start+0x2cb/0x3d0
[ 78.829822] ? __virt_addr_valid+0x208/0x3f0
[ 78.830218] ? f_start+0x2cb/0x3d0
[ 78.830558] kasan_report+0xd8/0x110
[ 78.830904] ? f_start+0x2cb/0x3d0
[ 78.831244] f_start+0x2cb/0x3d0
[ 78.831573] seq_read_iter+0x268/0x11e0
[ 78.831940] ? lock_release+0x453/0x600
[ 78.832307] seq_read+0x261/0x350
[ 78.832640] ? file_tty_write.isra.0+0x4f9/0x8b0
[ 78.833070] ? __pfx_seq_read+0x10/0x10
[ 78.833435] ? trace_irq_enable.constprop.0+0xce/0x110
[ 78.833891] vfs_read+0x171/0x9e0
[ 78.834224] ? lock_acquire+0x408/0x4b0
[ 78.834587] ? __pfx_vfs_read+0x10/0x10
[ 78.834952] ? lock_release+0x453/0x600
[ 78.835318] ? __pfx___up_read+0x10/0x10
[ 78.835688] ksys_read+0xdd/0x1a0
[ 78.836019] ? __pfx_ksys_read+0x10/0x10
[ 78.836391] ? trace_irq_enable.constprop.0+0xce/0x110
[ 78.836852] do_syscall_64+0x66/0x130
[ 78.837206] entry_SYSCALL_64_after_hwframe+0x71/0x79
[ 78.837651] RIP: 0033:0x7fa23454940e
[ 78.838000] Code: c0 e9 b6 fe ff ff 50 48 8d 3d 2e 08 0b 00 e8 69 01 02 00 66 0f 1f 84 00 00 00 00 00 64 8b 04 25 18 00 00 00 85 c0 75 14 0f 05 <48> 3d 00 f0 ff ff 77 5a c3 66 0f 1f 84 00 00 00 00 00 48 83 ec 28
[ 78.839424] RSP: 002b:00007fff3bf6c2d8 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
[ 78.840064] RAX: ffffffffffffffda RBX: 0000000000020000 RCX: 00007fa23454940e
[ 78.840653] RDX: 0000000000020000 RSI: 00007fa23443d000 RDI: 0000000000000003
[ 78.841247] RBP: 00007fa23443d000 R08: 00007fa23443c010 R09: 0000000000000000
[ 78.841834] R10: fffffffffffffbc5 R11: 0000000000000246 R12: 0000000000000000
[ 78.842423] R13: 0000000000000003 R14: 0000000000020000 R15: 0000000000020000
[ 78.843011] </TASK>
[ 78.843262]
[ 78.843468] Allocated by task 4436:
[ 78.843811] kasan_save_stack+0x20/0x40
[ 78.844175] kasan_save_track+0x14/0x30
[ 78.844542] __kasan_kmalloc+0x8f/0xa0
[ 78.844906] user_event_parse_cmd+0x55e/0x25a0
[ 78.845313] user_events_ioctl+0xa52/0x17f0
[ 78.845698] __x64_sys_ioctl+0x133/0x190
[ 78.846070] do_syscall_64+0x66/0x130
[ 78.846427] entry_SYSCALL_64_after_hwframe+0x71/0x79
[ 78.846875]
[ 78.847080] Freed by task 50:
[ 78.847389] kasan_save_stack+0x20/0x40
[ 78.847753] kasan_save_track+0x14/0x30
[ 78.848118] kasan_save_free_info+0x3b/0x60
[ 78.848507] poison_slab_object+0x10a/0x170
[ 78.849068] __kasan_slab_free+0x14/0x30
[ 78.849438] kfree+0xe0/0x2f0
[ 78.849750] destroy_user_event+0x305/0x450
[ 78.850139] delayed_destroy_user_event+0x5c/0xe0
[ 78.850562] process_one_work+0x81c/0x1970
[ 78.850940] worker_thread+0x608/0x1160
[ 78.851306] kthread+0x2be/0x3b0
[ 78.851633] ret_from_fork+0x2c/0x70
[ 78.851982] ret_from_fork_asm+0x1a/0x30
[ 78.852353]
[ 78.852562] Last potentially related work creation:
[ 78.853000] kasan_save_stack+0x20/0x40
[ 78.853368] __kasan_record_aux_stack+0x8e/0xa0
[ 78.853782] insert_work+0x20/0x1b0
[ 78.854123] __queue_work+0x67a/0xc60
[ 78.854476] queue_work_on+0x63/0x90
[ 78.854826] user_event_put+0x1f9/0x390
[ 78.855190] user_events_ioctl+0x11ed/0x17f0
[ 78.855584] __x64_sys_ioctl+0x133/0x190
[ 78.855951] do_syscall_64+0x66/0x130
[ 78.856304] entry_SYSCALL_64_after_hwframe+0x71/0x79
[ 78.856754]
[ 78.856961] The buggy address belongs to the object at ffff88800473ec00
[ 78.856961] which belongs to the cache kmalloc-cg-512 of size 512
[ 78.857953] The buggy address is located 264 bytes inside of
[ 78.857953] freed 512-byte region [ffff88800473ec00, ffff88800473ee00)
[ 78.858907]
[ 78.859114] The buggy address belongs to the physical page:
[ 78.859597] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88800473d800 pfn:0x473c
[ 78.860349] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 78.861001] memcg:ffff88800102a301
[ 78.861339] flags: 0x40(head|zone=0)
[ 78.861683] page_type: 0xffffefff(slab)
[ 78.862047] raw: 0000000000000040 ffff88800014cdc0 ffffea00000e9300 dead000000000002
[ 78.862704] raw: ffff88800473d800 000000008010000f 00000001ffffefff ffff88800102a301
[ 78.863357] head: 0000000000000040 ffff88800014cdc0 ffffea00000e9300 dead000000000002
[ 78.864019] head: ffff88800473d800 000000008010000f 00000001ffffefff ffff88800102a301
[ 78.864675] head: 0000000000000002 ffffea000011cf01 ffffffffffffffff 0000000000000000
[ 78.865349] head: ffff888000000004 0000000000000000 00000000ffffffff 0000000000000000
[ 78.866008] page dumped because: kasan: bad access detected
[ 78.866486]
[ 78.866692] Memory state around the buggy address:
[ 78.867122] ffff88800473ec00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 78.867742] ffff88800473ec80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 78.868359] >ffff88800473ed00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 78.868980] ^
[ 78.869322] ffff88800473ed80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 78.869941] ffff88800473ee00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 78.870559] ==================================================================
[ 78.871188] ==================================================================
[ 78.871810] BUG: KASAN: slab-use-after-free in user_event_get_fields+0x38/0x40
[ 78.872429] Read of size 8 at addr ffff88800473ecb8 by task cat/4434
[ 78.872973]
[ 78.873183] CPU: 2 PID: 4434 Comm: cat Tainted: G B D N 6.10.0-vanilla+ #34
[ 78.873853] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
[ 78.874760] Call Trace:
[ 78.875029] <TASK>
[ 78.875278] dump_stack_lvl+0x66/0xa0
[ 78.875629] print_report+0xd0/0x630
[ 78.875978] ? user_event_get_fields+0x38/0x40
[ 78.876385] ? __virt_addr_valid+0x208/0x3f0
[ 78.876788] ? user_event_get_fields+0x38/0x40
[ 78.877194] kasan_report+0xd8/0x110
[ 78.877540] ? user_event_get_fields+0x38/0x40
[ 78.877948] user_event_get_fields+0x38/0x40
[ 78.878345] f_start+0x175/0x3d0
[ 78.878672] seq_read_iter+0x268/0x11e0
[ 78.879256] ? lock_release+0x453/0x600
[ 78.879632] seq_read+0x261/0x350
[ 78.879963] ? file_tty_write.isra.0+0x4f9/0x8b0
[ 78.880381] ? __pfx_seq_read+0x10/0x10
[ 78.880760] ? trace_irq_enable.constprop.0+0xce/0x110
[ 78.881218] vfs_read+0x171/0x9e0
[ 78.881549] ? lock_acquire+0x408/0x4b0
[ 78.881913] ? __pfx_vfs_read+0x10/0x10
[ 78.882281] ? lock_release+0x453/0x600
[ 78.882647] ? __pfx___up_read+0x10/0x10
[ 78.883017] ksys_read+0xdd/0x1a0
[ 78.883351] ? __pfx_ksys_read+0x10/0x10
[ 78.883725] ? trace_irq_enable.constprop.0+0xce/0x110
[ 78.884178] do_syscall_64+0x66/0x130
[ 78.884532] entry_SYSCALL_64_after_hwframe+0x71/0x79
[ 78.884988] RIP: 0033:0x7fa23454940e
[ 78.885338] Code: c0 e9 b6 fe ff ff 50 48 8d 3d 2e 08 0b 00 e8 69 01 02 00 66 0f 1f 84 00 00 00 00 00 64 8b 04 25 18 00 00 00 85 c0 75 14 0f 05 <48> 3d 00 f0 ff ff 77 5a c3 66 0f 1f 84 00 00 00 00 00 48 83 ec 28
[ 78.890605] RSP: 002b:00007fff3bf6c2d8 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
[ 78.891252] RAX: ffffffffffffffda RBX: 0000000000020000 RCX: 00007fa23454940e
[ 78.891838] RDX: 0000000000020000 RSI: 00007fa23443d000 RDI: 0000000000000003
[ 78.892426] RBP: 00007fa23443d000 R08: 00007fa23443c010 R09: 0000000000000000
[ 78.893021] R10: fffffffffffffbc5 R11: 0000000000000246 R12: 0000000000000000
[ 78.893609] R13: 0000000000000003 R14: 0000000000020000 R15: 0000000000020000
[ 78.894199] </TASK>
[ 78.894455]
[ 78.894662] Allocated by task 4436:
[ 78.895006] kasan_save_stack+0x20/0x40
[ 78.895375] kasan_save_track+0x14/0x30
[ 78.895739] __kasan_kmalloc+0x8f/0xa0
[ 78.896100] user_event_parse_cmd+0x55e/0x25a0
[ 78.896510] user_events_ioctl+0xa52/0x17f0
[ 78.896901] __x64_sys_ioctl+0x133/0x190
[ 78.897271] do_syscall_64+0x66/0x130
[ 78.897626] entry_SYSCALL_64_after_hwframe+0x71/0x79
[ 78.898076]
[ 78.898282] Freed by task 50:
[ 78.898589] kasan_save_stack+0x20/0x40
[ 78.898955] kasan_save_track+0x14/0x30
[ 78.899320] kasan_save_free_info+0x3b/0x60
[ 78.899706] poison_slab_object+0x10a/0x170
[ 78.900095] __kasan_slab_free+0x14/0x30
[ 78.900468] kfree+0xe0/0x2f0
[ 78.900779] destroy_user_event+0x305/0x450
[ 78.901169] delayed_destroy_user_event+0x5c/0xe0
[ 78.901594] process_one_work+0x81c/0x1970
[ 78.901973] worker_thread+0x608/0x1160
[ 78.902336] kthread+0x2be/0x3b0
[ 78.902662] ret_from_fork+0x2c/0x70
[ 78.903011] ret_from_fork_asm+0x1a/0x30
[ 78.903379]
[ 78.903588] Last potentially related work creation:
[ 78.904020] kasan_save_stack+0x20/0x40
[ 78.904382] __kasan_record_aux_stack+0x8e/0xa0
[ 78.904801] insert_work+0x20/0x1b0
[ 78.905146] __queue_work+0x67a/0xc60
[ 78.905498] queue_work_on+0x63/0x90
[ 78.905844] user_event_put+0x1f9/0x390
[ 78.906210] user_events_ioctl+0x11ed/0x17f0
[ 78.906607] __x64_sys_ioctl+0x133/0x190
[ 78.906975] do_syscall_64+0x66/0x130
[ 78.907329] entry_SYSCALL_64_after_hwframe+0x71/0x79
[ 78.907777]
[ 78.907987] The buggy address belongs to the object at ffff88800473ec00
[ 78.907987] which belongs to the cache kmalloc-cg-512 of size 512
[ 78.909232] The buggy address is located 184 bytes inside of
[ 78.909232] freed 512-byte region [ffff88800473ec00, ffff88800473ee00)
[ 78.910205]
[ 78.910415] The buggy address belongs to the physical page:
[ 78.910897] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88800473d800 pfn:0x473c
[ 78.911649] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 78.912297] memcg:ffff88800102a301
[ 78.912634] flags: 0x40(head|zone=0)
[ 78.912995] page_type: 0xffffefff(slab)
[ 78.913359] raw: 0000000000000040 ffff88800014cdc0 ffffea00000e9300 dead000000000002
[ 78.914009] raw: ffff88800473d800 000000008010000f 00000001ffffefff ffff88800102a301
[ 78.914662] head: 0000000000000040 ffff88800014cdc0 ffffea00000e9300 dead000000000002
[ 78.915326] head: ffff88800473d800 000000008010000f 00000001ffffefff ffff88800102a301
[ 78.915984] head: 0000000000000002 ffffea000011cf01 ffffffffffffffff 0000000000000000
[ 78.916647] head: ffff888000000004 0000000000000000 00000000ffffffff 0000000000000000
[ 78.917311] page dumped because: kasan: bad access detected
[ 78.917792]
[ 78.918001] Memory state around the buggy address:
[ 78.918430] ffff88800473eb80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 78.919052] ffff88800473ec00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 78.919668] >ffff88800473ec80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 78.920289] ^
[ 78.920734] ffff88800473ed00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 78.921358] ffff88800473ed80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 78.921973] ==================================================================
[ 78.924611] ==================================================================
[ 78.925274] BUG: KASAN: slab-use-after-free in f_start+0x36e/0x3d0
[ 78.925814] Read of size 8 at addr ffff888001bd4ca8 by task cat/4437
[ 78.926358]
[ 78.926570] CPU: 0 PID: 4437 Comm: cat Tainted: G B D N 6.10.0-vanilla+ #34
[ 78.927255] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
[ 78.928173] Call Trace:
[ 78.928447] <TASK>
[ 78.928703] dump_stack_lvl+0x66/0xa0
[ 78.929065] print_report+0xd0/0x630
[ 78.929417] ? f_start+0x36e/0x3d0
[ 78.929761] ? __virt_addr_valid+0x208/0x3f0
[ 78.930164] ? f_start+0x36e/0x3d0
[ 78.930508] kasan_report+0xd8/0x110
[ 78.930864] ? f_start+0x36e/0x3d0
[ 78.931210] f_start+0x36e/0x3d0
[ 78.931544] seq_read_iter+0x268/0x11e0
[ 78.931921] ? lock_release+0x453/0x600
[ 78.932295] seq_read+0x261/0x350
[ 78.932632] ? file_tty_write.isra.0+0x4f9/0x8b0
[ 78.933066] ? __pfx_seq_read+0x10/0x10
[ 78.933439] ? trace_irq_enable.constprop.0+0xce/0x110
[ 78.933899] vfs_read+0x171/0x9e0
[ 78.934234] ? lock_acquire+0x408/0x4b0
[ 78.934606] ? __pfx_vfs_read+0x10/0x10
[ 78.934979] ? lock_release+0x453/0x600
[ 78.935330] ? __pfx___up_read+0x10/0x10
[ 78.935685] ksys_read+0xdd/0x1a0
[ 78.936011] ? __pfx_ksys_read+0x10/0x10
[ 78.936369] ? trace_irq_enable.constprop.0+0xce/0x110
[ 78.936815] do_syscall_64+0x66/0x130
[ 78.937173] entry_SYSCALL_64_after_hwframe+0x71/0x79
[ 78.937630] RIP: 0033:0x7fac6e8fb40e
[ 78.937985] Code: c0 e9 b6 fe ff ff 50 48 8d 3d 2e 08 0b 00 e8 69 01 02 00 66 0f 1f 84 00 00 00 00 00 64 8b 04 25 18 00 00 00 85 c0 75 14 0f 05 <48> 3d 00 f0 ff ff 77 5a c3 66 0f 1f 84 00 00 00 00 00 48 83 ec 28
[ 78.939553] RSP: 002b:00007ffe7b02f3a8 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
[ 78.940180] RAX: ffffffffffffffda RBX: 0000000000020000 RCX: 00007fac6e8fb40e
[ 78.940750] RDX: 0000000000020000 RSI: 00007fac6e7ef000 RDI: 0000000000000003
[ 78.941337] RBP: 00007fac6e7ef000 R08: 00007fac6e7ee010 R09: 0000000000000000
[ 78.941901] R10: fffffffffffffbc5 R11: 0000000000000246 R12: 0000000000000000
[ 78.942465] R13: 0000000000000003 R14: 0000000000020000 R15: 0000000000020000
[ 78.943048] </TASK>
[ 78.943289]
[ 78.943661] Allocated by task 4436:
[ 78.944029] kasan_save_stack+0x20/0x40
[ 78.944494] kasan_save_track+0x14/0x30
[ 78.944884] __kasan_kmalloc+0x8f/0xa0
[ 78.945623] user_event_parse_cmd+0x55e/0x25a0
[ 78.946323] user_events_ioctl+0xa52/0x17f0
[ 78.946707] __x64_sys_ioctl+0x133/0x190
[ 78.947076] do_syscall_64+0x66/0x130
[ 78.947422] entry_SYSCALL_64_after_hwframe+0x71/0x79
[ 78.947861]
[ 78.948065] Freed by task 49:
[ 78.948363] kasan_save_stack+0x20/0x40
[ 78.949498] kasan_save_track+0x14/0x30
[ 78.949957] kasan_save_free_info+0x3b/0x60
[ 78.950391] poison_slab_object+0x10a/0x170
[ 78.950877] __kasan_slab_free+0x14/0x30
[ 78.951256] kfree+0xe0/0x2f0
[ 78.951569] destroy_user_event+0x305/0x450
[ 78.951961] delayed_destroy_user_event+0x5c/0xe0
[ 78.952392] process_one_work+0x81c/0x1970
[ 78.952787] worker_thread+0x608/0x1160
[ 78.953153] kthread+0x2be/0x3b0
[ 78.953478] ret_from_fork+0x2c/0x70
[ 78.953830] ret_from_fork_asm+0x1a/0x30
[ 78.954206]
[ 78.954414] Last potentially related work creation:
[ 78.954851] kasan_save_stack+0x20/0x40
[ 78.955221] __kasan_record_aux_stack+0x8e/0xa0
[ 78.955637] insert_work+0x20/0x1b0
[ 78.955980] __queue_work+0x67a/0xc60
[ 78.956340] queue_work_on+0x63/0x90
[ 78.956690] user_event_put+0x1f9/0x390
[ 78.957115] user_events_ioctl+0x11ed/0x17f0
[ 78.957516] __x64_sys_ioctl+0x133/0x190
[ 78.957893] do_syscall_64+0x66/0x130
[ 78.958252] entry_SYSCALL_64_after_hwframe+0x71/0x79
[ 78.958708]
[ 78.958920] The buggy address belongs to the object at ffff888001bd4c00
[ 78.958920] which belongs to the cache kmalloc-cg-512 of size 512
[ 78.959913] The buggy address is located 168 bytes inside of
[ 78.959913] freed 512-byte region [ffff888001bd4c00, ffff888001bd4e00)
[ 78.960879]
[ 78.961088] The buggy address belongs to the physical page:
[ 78.965403] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1bd4
[ 78.966070] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 78.966717] memcg:ffff888004b9e101
[ 78.967056] anon flags: 0x40(head|zone=0)
[ 78.967436] page_type: 0xffffefff(slab)
[ 78.967804] raw: 0000000000000040 ffff88800014cdc0 0000000000000000 dead000000000001
[ 78.968471] raw: 0000000000000000 0000000080100010 00000001ffffefff ffff888004b9e101
[ 78.969286] head: 0000000000000040 ffff88800014cdc0 0000000000000000 dead000000000001
[ 78.969918] head: 0000000000000000 0000000080100010 00000001ffffefff ffff888004b9e101
[ 78.970544] head: 0000000000000002 ffffea000006f501 ffffffffffffffff 0000000000000000
[ 78.971184] head: ffff888000000004 0000000000000000 00000000ffffffff 0000000000000000
[ 78.971813] page dumped because: kasan: bad access detected
[ 78.972273]
[ 78.972472] Memory state around the buggy address:
[ 78.972891] ffff888001bd4b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 78.973484] ffff888001bd4c00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 78.974076] >ffff888001bd4c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 78.974670] ^
[ 78.975070] ffff888001bd4d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 78.975662] ffff888001bd4d80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 78.976252] ==================================================================
[ 78.976932] ==================================================================
[ 78.977551] BUG: KASAN: slab-use-after-free in f_start+0x2e4/0x3d0
[ 78.978041] Read of size 8 at addr ffff888001bd4c70 by task cat/4437
[ 78.978540]
[ 78.978731] CPU: 2 PID: 4437 Comm: cat Tainted: G B D N 6.10.0-vanilla+ #34
[ 78.979376] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
[ 78.980217] Call Trace:
[ 78.980470] <TASK>
[ 78.980700] dump_stack_lvl+0x66/0xa0
[ 78.981044] print_report+0xd0/0x630
[ 78.981369] ? f_start+0x2e4/0x3d0
[ 78.981684] ? __virt_addr_valid+0x208/0x3f0
[ 78.982051] ? f_start+0x2e4/0x3d0
[ 78.982361] kasan_report+0xd8/0x110
[ 78.982686] ? f_start+0x2e4/0x3d0
[ 78.983009] f_start+0x2e4/0x3d0
[ 78.983314] seq_read_iter+0x268/0x11e0
[ 78.983657] ? lock_release+0x453/0x600
[ 78.983996] seq_read+0x261/0x350
[ 78.984305] ? file_tty_write.isra.0+0x4f9/0x8b0
[ 78.984697] ? __pfx_seq_read+0x10/0x10
[ 78.985051] ? trace_irq_enable.constprop.0+0xce/0x110
[ 78.985474] vfs_read+0x171/0x9e0
[ 78.985781] ? lock_acquire+0x408/0x4b0
[ 78.986122] ? __pfx_vfs_read+0x10/0x10
[ 78.986465] ? lock_release+0x453/0x600
[ 78.986804] ? __pfx___up_read+0x10/0x10
[ 78.987162] ksys_read+0xdd/0x1a0
[ 78.987471] ? __pfx_ksys_read+0x10/0x10
[ 78.987820] ? trace_irq_enable.constprop.0+0xce/0x110
[ 78.988241] do_syscall_64+0x66/0x130
[ 78.988573] entry_SYSCALL_64_after_hwframe+0x71/0x79
[ 78.989013] RIP: 0033:0x7fac6e8fb40e
[ 78.989336] Code: c0 e9 b6 fe ff ff 50 48 8d 3d 2e 08 0b 00 e8 69 01 02 00 66 0f 1f 84 00 00 00 00 00 64 8b 04 25 18 00 00 00 85 c0 75 14 0f 05 <48> 3d 00 f0 ff ff 77 5a c3 66 0f 1f 84 00 00 00 00 00 48 83 ec 28
[ 78.990661] RSP: 002b:00007ffe7b02f3a8 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
[ 78.991274] RAX: ffffffffffffffda RBX: 0000000000020000 RCX: 00007fac6e8fb40e
[ 78.991820] RDX: 0000000000020000 RSI: 00007fac6e7ef000 RDI: 0000000000000003
[ 78.992365] RBP: 00007fac6e7ef000 R08: 00007fac6e7ee010 R09: 0000000000000000
[ 78.992926] R10: fffffffffffffbc5 R11: 0000000000000246 R12: 0000000000000000
[ 78.993470] R13: 0000000000000003 R14: 0000000000020000 R15: 0000000000020000
[ 78.994018] </TASK>
[ 78.994255]
[ 78.994448] Allocated by task 4436:
[ 78.994765] kasan_save_stack+0x20/0x40
[ 78.995117] kasan_save_track+0x14/0x30
[ 78.995455] __kasan_kmalloc+0x8f/0xa0
[ 78.995787] user_event_parse_cmd+0x55e/0x25a0
[ 78.996167] user_events_ioctl+0xa52/0x17f0
[ 78.996529] __x64_sys_ioctl+0x133/0x190
[ 78.996932] do_syscall_64+0x66/0x130
[ 78.997282] entry_SYSCALL_64_after_hwframe+0x71/0x79
[ 78.997713]
[ 78.997916] Freed by task 49:
[ 78.998207] kasan_save_stack+0x20/0x40
[ 78.998560] kasan_save_track+0x14/0x30
[ 78.999089] kasan_save_free_info+0x3b/0x60
[ 78.999458] poison_slab_object+0x10a/0x170
[ 78.999835] __kasan_slab_free+0x14/0x30
[ 79.000198] kfree+0xe0/0x2f0
[ 79.000493] destroy_user_event+0x305/0x450
[ 79.000880] delayed_destroy_user_event+0x5c/0xe0
[ 79.001305] process_one_work+0x81c/0x1970
[ 79.001695] worker_thread+0x608/0x1160
[ 79.002070] kthread+0x2be/0x3b0
[ 79.002400] ret_from_fork+0x2c/0x70
[ 79.002760] ret_from_fork_asm+0x1a/0x30
[ 79.003135]
[ 79.003344] Last potentially related work creation:
[ 79.003787] kasan_save_stack+0x20/0x40
[ 79.004157] __kasan_record_aux_stack+0x8e/0xa0
[ 79.004576] insert_work+0x20/0x1b0
[ 79.004934] __queue_work+0x67a/0xc60
[ 79.005295] queue_work_on+0x63/0x90
[ 79.005646] user_event_put+0x1f9/0x390
[ 79.006021] user_events_ioctl+0x11ed/0x17f0
[ 79.006425] __x64_sys_ioctl+0x133/0x190
[ 79.006805] do_syscall_64+0x66/0x130
[ 79.007164] entry_SYSCALL_64_after_hwframe+0x71/0x79
[ 79.007621]
[ 79.007833] The buggy address belongs to the object at ffff888001bd4c00
[ 79.007833] which belongs to the cache kmalloc-cg-512 of size 512
[ 79.008837] The buggy address is located 112 bytes inside of
[ 79.008837] freed 512-byte region [ffff888001bd4c00, ffff888001bd4e00)
[ 79.009802]
[ 79.010015] The buggy address belongs to the physical page:
[ 79.010507] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1bd4
[ 79.011176] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 79.011836] memcg:ffff888004b9e101
[ 79.012175] anon flags: 0x40(head|zone=0)
[ 79.012559] page_type: 0xffffefff(slab)
[ 79.012937] raw: 0000000000000040 ffff88800014cdc0 0000000000000000 dead000000000001
[ 79.013598] raw: 0000000000000000 0000000080100010 00000001ffffefff ffff888004b9e101
[ 79.014265] head: 0000000000000040 ffff88800014cdc0 0000000000000000 dead000000000001
[ 79.014936] head: 0000000000000000 0000000080100010 00000001ffffefff ffff888004b9e101
[ 79.015609] head: 0000000000000002 ffffea000006f501 ffffffffffffffff 0000000000000000
[ 79.016277] head: ffff888000000004 0000000000000000 00000000ffffffff 0000000000000000
[ 79.016946] page dumped because: kasan: bad access detected
[ 79.017437]
[ 79.017653] Memory state around the buggy address:
[ 79.018087] ffff888001bd4b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 79.018714] ffff888001bd4b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 79.019350] >ffff888001bd4c00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 79.019978] ^
[ 79.020552] ffff888001bd4c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 79.021224] ffff888001bd4d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 79.021853] ==================================================================
[ 79.022497] ==================================================================
[ 79.023127] BUG: KASAN: slab-use-after-free in f_start+0x2cb/0x3d0
[ 79.023650] Read of size 8 at addr ffff888001bd4d08 by task cat/4437
[ 79.024192]
[ 79.024403] CPU: 2 PID: 4437 Comm: cat Tainted: G B D N 6.10.0-vanilla+ #34
[ 79.025085] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
[ 79.026008] Call Trace:
[ 79.026281] <TASK>
[ 79.026529] dump_stack_lvl+0x66/0xa0
[ 79.026893] print_report+0xd0/0x630
[ 79.027246] ? f_start+0x2cb/0x3d0
[ 79.027587] ? __virt_addr_valid+0x208/0x3f0
[ 79.027989] ? f_start+0x2cb/0x3d0
[ 79.028334] kasan_report+0xd8/0x110
[ 79.028690] ? f_start+0x2cb/0x3d0
[ 79.029219] f_start+0x2cb/0x3d0
[ 79.033405] seq_read_iter+0x268/0x11e0
[ 79.033780] ? lock_release+0x453/0x600
[ 79.034149] seq_read+0x261/0x350
[ 79.034483] ? file_tty_write.isra.0+0x4f9/0x8b0
[ 79.034907] ? __pfx_seq_read+0x10/0x10
[ 79.035282] ? trace_irq_enable.constprop.0+0xce/0x110
[ 79.035745] vfs_read+0x171/0x9e0
[ 79.036082] ? lock_acquire+0x408/0x4b0
[ 79.036452] ? __pfx_vfs_read+0x10/0x10
[ 79.036833] ? lock_release+0x453/0x600
[ 79.037207] ? __pfx___up_read+0x10/0x10
[ 79.037586] ksys_read+0xdd/0x1a0
[ 79.037922] ? __pfx_ksys_read+0x10/0x10
[ 79.038282] ? trace_irq_enable.constprop.0+0xce/0x110
[ 79.038718] do_syscall_64+0x66/0x130
[ 79.039074] entry_SYSCALL_64_after_hwframe+0x71/0x79
[ 79.039510] RIP: 0033:0x7fac6e8fb40e
[ 79.039844] Code: c0 e9 b6 fe ff ff 50 48 8d 3d 2e 08 0b 00 e8 69 01 02 00 66 0f 1f 84 00 00 00 00 00 64 8b 04 25 18 00 00 00 85 c0 75 14 0f 05 <48> 3d 00 f0 ff ff 77 5a c3 66 0f 1f 84 00 00 00 00 00 48 83 ec 28
[ 79.041215] RSP: 002b:00007ffe7b02f3a8 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
[ 79.041835] RAX: ffffffffffffffda RBX: 0000000000020000 RCX: 00007fac6e8fb40e
[ 79.042394] RDX: 0000000000020000 RSI: 00007fac6e7ef000 RDI: 0000000000000003
[ 79.042964] RBP: 00007fac6e7ef000 R08: 00007fac6e7ee010 R09: 0000000000000000
[ 79.043536] R10: fffffffffffffbc5 R11: 0000000000000246 R12: 0000000000000000
[ 79.044108] R13: 0000000000000003 R14: 0000000000020000 R15: 0000000000020000
[ 79.044675] </TASK>
[ 79.044935]
[ 79.045139] Allocated by task 4436:
[ 79.045465] kasan_save_stack+0x20/0x40
[ 79.045817] kasan_save_track+0x14/0x30
[ 79.046168] __kasan_kmalloc+0x8f/0xa0
[ 79.046515] user_event_parse_cmd+0x55e/0x25a0
[ 79.046915] user_events_ioctl+0xa52/0x17f0
[ 79.047299] __x64_sys_ioctl+0x133/0x190
[ 79.047656] do_syscall_64+0x66/0x130
[ 79.047997] entry_SYSCALL_64_after_hwframe+0x71/0x79
[ 79.048429]
[ 79.048634] Freed by task 49:
[ 79.048942] kasan_save_stack+0x20/0x40
[ 79.049294] kasan_save_track+0x14/0x30
[ 79.049648] kasan_save_free_info+0x3b/0x60
[ 79.050021] poison_slab_object+0x10a/0x170
[ 79.050395] __kasan_slab_free+0x14/0x30
[ 79.050745] kfree+0xe0/0x2f0
[ 79.051016] destroy_user_event+0x305/0x450
[ 79.051337] delayed_destroy_user_event+0x5c/0xe0
[ 79.051689] process_one_work+0x81c/0x1970
[ 79.052011] worker_thread+0x608/0x1160
[ 79.052314] kthread+0x2be/0x3b0
[ 79.052585] ret_from_fork+0x2c/0x70
[ 79.052910] ret_from_fork_asm+0x1a/0x30
[ 79.053219]
[ 79.053389] Last potentially related work creation:
[ 79.053750] kasan_save_stack+0x20/0x40
[ 79.054054] __kasan_record_aux_stack+0x8e/0xa0
[ 79.054400] insert_work+0x20/0x1b0
[ 79.054685] __queue_work+0x67a/0xc60
[ 79.055003] queue_work_on+0x63/0x90
[ 79.055308] user_event_put+0x1f9/0x390
[ 79.055610] user_events_ioctl+0x11ed/0x17f0
[ 79.055938] __x64_sys_ioctl+0x133/0x190
[ 79.056249] do_syscall_64+0x66/0x130
[ 79.056541] entry_SYSCALL_64_after_hwframe+0x71/0x79
[ 79.056957]
[ 79.057163] The buggy address belongs to the object at ffff888001bd4c00
[ 79.057163] which belongs to the cache kmalloc-cg-512 of size 512
[ 79.058148] The buggy address is located 264 bytes inside of
[ 79.058148] freed 512-byte region [ffff888001bd4c00, ffff888001bd4e00)
[ 79.059344]
[ 79.059566] The buggy address belongs to the physical page:
[ 79.060055] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1bd4
[ 79.060724] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 79.061363] memcg:ffff888004b9e101
[ 79.061686] anon flags: 0x40(head|zone=0)
[ 79.062056] page_type: 0xffffefff(slab)
[ 79.062411] raw: 0000000000000040 ffff88800014cdc0 0000000000000000 dead000000000001
[ 79.063048] raw: 0000000000000000 0000000080100010 00000001ffffefff ffff888004b9e101
[ 79.063686] head: 0000000000000040 ffff88800014cdc0 0000000000000000 dead000000000001
[ 79.064321] head: 0000000000000000 0000000080100010 00000001ffffefff ffff888004b9e101
[ 79.064985] head: 0000000000000002 ffffea000006f501 ffffffffffffffff 0000000000000000
[ 79.065652] head: ffff888000000004 0000000000000000 00000000ffffffff 0000000000000000
[ 79.066319] page dumped because: kasan: bad access detected
[ 79.066813]
[ 79.067023] Memory state around the buggy address:
[ 79.067436] ffff888001bd4c00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 79.068032] ffff888001bd4c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 79.068631] >ffff888001bd4d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 79.069242] ^
[ 79.069570] ffff888001bd4d80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 79.070165] ffff888001bd4e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 79.070758] ==================================================================
[ 79.071576] ==================================================================
[ 79.072197] BUG: KASAN: slab-use-after-free in user_event_get_fields+0x38/0x40
[ 79.072832] Read of size 8 at addr ffff888001bd4cb8 by task cat/4437
[ 79.073378]
[ 79.073585] CPU: 2 PID: 4437 Comm: cat Tainted: G B D N 6.10.0-vanilla+ #34
[ 79.074238] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
[ 79.075128] Call Trace:
[ 79.075397] <TASK>
[ 79.075637] dump_stack_lvl+0x66/0xa0
[ 79.075986] print_report+0xd0/0x630
[ 79.076325] ? user_event_get_fields+0x38/0x40
[ 79.076717] ? __virt_addr_valid+0x208/0x3f0
[ 79.077113] ? user_event_get_fields+0x38/0x40
[ 79.077508] kasan_report+0xd8/0x110
[ 79.077849] ? user_event_get_fields+0x38/0x40
[ 79.078245] user_event_get_fields+0x38/0x40
[ 79.078632] f_start+0x175/0x3d0
[ 79.078955] seq_read_iter+0x268/0x11e0
[ 79.079315] ? lock_release+0x453/0x600
[ 79.079669] seq_read+0x261/0x350
[ 79.079990] ? file_tty_write.isra.0+0x4f9/0x8b0
[ 79.080400] ? __pfx_seq_read+0x10/0x10
[ 79.080754] ? trace_irq_enable.constprop.0+0xce/0x110
[ 79.081204] vfs_read+0x171/0x9e0
[ 79.081527] ? lock_acquire+0x408/0x4b0
[ 79.081883] ? __pfx_vfs_read+0x10/0x10
[ 79.082237] ? lock_release+0x453/0x600
[ 79.082595] ? __pfx___up_read+0x10/0x10
[ 79.082967] ksys_read+0xdd/0x1a0
[ 79.083290] ? __pfx_ksys_read+0x10/0x10
[ 79.083648] ? trace_irq_enable.constprop.0+0xce/0x110
[ 79.084093] do_syscall_64+0x66/0x130
[ 79.084439] entry_SYSCALL_64_after_hwframe+0x71/0x79
[ 79.084898] RIP: 0033:0x7fac6e8fb40e
[ 79.085233] Code: c0 e9 b6 fe ff ff 50 48 8d 3d 2e 08 0b 00 e8 69 01 02 00 66 0f 1f 84 00 00 00 00 00 64 8b 04 25 18 00 00 00 85 c0 75 14 0f 05 <48> 3d 00 f0 ff ff 77 5a c3 66 0f 1f 84 00 00 00 00 00 48 83 ec 28
[ 79.086619] RSP: 002b:00007ffe7b02f3a8 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
[ 79.087248] RAX: ffffffffffffffda RBX: 0000000000020000 RCX: 00007fac6e8fb40e
[ 79.087825] RDX: 0000000000020000 RSI: 00007fac6e7ef000 RDI: 0000000000000003
[ 79.088399] RBP: 00007fac6e7ef000 R08: 00007fac6e7ee010 R09: 0000000000000000
[ 79.089197] R10: fffffffffffffbc5 R11: 0000000000000246 R12: 0000000000000000
[ 79.089782] R13: 0000000000000003 R14: 0000000000020000 R15: 0000000000020000
[ 79.090358] </TASK>
[ 79.090604]
[ 79.090806] Allocated by task 4436:
[ 79.091147] kasan_save_stack+0x20/0x40
[ 79.091499] kasan_save_track+0x14/0x30
[ 79.091854] __kasan_kmalloc+0x8f/0xa0
[ 79.092204] user_event_parse_cmd+0x55e/0x25a0
[ 79.092603] user_events_ioctl+0xa52/0x17f0
[ 79.092996] __x64_sys_ioctl+0x133/0x190
[ 79.093353] do_syscall_64+0x66/0x130
[ 79.093698] entry_SYSCALL_64_after_hwframe+0x71/0x79
[ 79.094133]
[ 79.094333] Freed by task 49:
[ 79.094636] kasan_save_stack+0x20/0x40
[ 79.095008] kasan_save_track+0x14/0x30
[ 79.095360] kasan_save_free_info+0x3b/0x60
[ 79.095734] poison_slab_object+0x10a/0x170
[ 79.096108] __kasan_slab_free+0x14/0x30
[ 79.096464] kfree+0xe0/0x2f0
[ 79.096768] destroy_user_event+0x305/0x450
[ 79.097151] delayed_destroy_user_event+0x5c/0xe0
[ 79.097560] process_one_work+0x81c/0x1970
[ 79.097929] worker_thread+0x608/0x1160
[ 79.098282] kthread+0x2be/0x3b0
[ 79.098595] ret_from_fork+0x2c/0x70
[ 79.102584] ret_from_fork_asm+0x1a/0x30
[ 79.102946]
[ 79.103149] Last potentially related work creation:
[ 79.103569] kasan_save_stack+0x20/0x40
[ 79.103922] __kasan_record_aux_stack+0x8e/0xa0
[ 79.104320] insert_work+0x20/0x1b0
[ 79.104651] __queue_work+0x67a/0xc60
[ 79.105009] queue_work_on+0x63/0x90
[ 79.105345] user_event_put+0x1f9/0x390
[ 79.105695] user_events_ioctl+0x11ed/0x17f0
[ 79.106074] __x64_sys_ioctl+0x133/0x190
[ 79.106435] do_syscall_64+0x66/0x130
[ 79.106781] entry_SYSCALL_64_after_hwframe+0x71/0x79
[ 79.107227]
[ 79.107428] The buggy address belongs to the object at ffff888001bd4c00
[ 79.107428] which belongs to the cache kmalloc-cg-512 of size 512
[ 79.108386] The buggy address is located 184 bytes inside of
[ 79.108386] freed 512-byte region [ffff888001bd4c00, ffff888001bd4e00)
[ 79.109321]
[ 79.109520] The buggy address belongs to the physical page:
[ 79.109986] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1bd4
[ 79.110622] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 79.111260] memcg:ffff888004b9e101
[ 79.111587] anon flags: 0x40(head|zone=0)
[ 79.111949] page_type: 0xffffefff(slab)
[ 79.112304] raw: 0000000000000040 ffff88800014cdc0 0000000000000000 dead000000000001
[ 79.112957] raw: 0000000000000000 0000000080100010 00000001ffffefff ffff888004b9e101
[ 79.113612] head: 0000000000000040 ffff88800014cdc0 0000000000000000 dead000000000001
[ 79.114281] head: 0000000000000000 0000000080100010 00000001ffffefff ffff888004b9e101
[ 79.114951] head: 0000000000000002 ffffea000006f501 ffffffffffffffff 0000000000000000
[ 79.115619] head: ffff888000000004 0000000000000000 00000000ffffffff 0000000000000000
[ 79.116293] page dumped because: kasan: bad access detected
[ 79.116787]
[ 79.116996] Memory state around the buggy address:
[ 79.117436] ffff888001bd4b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 79.118063] ffff888001bd4c00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 79.118697] >ffff888001bd4c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 79.119476] ^
[ 79.119935] ffff888001bd4d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 79.120560] ffff888001bd4d80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 79.121208] ==================================================================
[ 79.121853] ==================================================================
[ 79.122495] BUG: KASAN: slab-use-after-free in f_start+0x2e4/0x3d0
[ 79.123031] Read of size 8 at addr ffff888001bd4c70 by task cat/4437
[ 79.123578]
[ 79.123792] CPU: 2 PID: 4437 Comm: cat Tainted: G B D N 6.10.0-vanilla+ #34
[ 79.124478] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
[ 79.125415] Call Trace:
[ 79.125692] <TASK>
[ 79.125945] dump_stack_lvl+0x66/0xa0
[ 79.126314] print_report+0xd0/0x630
[ 79.126672] ? f_start+0x2e4/0x3d0
[ 79.127019] ? __virt_addr_valid+0x208/0x3f0
[ 79.127428] ? f_start+0x2e4/0x3d0
[ 79.127774] kasan_report+0xd8/0x110
[ 79.128132] ? f_start+0x2e4/0x3d0
[ 79.128478] f_start+0x2e4/0x3d0
[ 79.128824] seq_read_iter+0x268/0x11e0
[ 79.129196] ? lock_release+0x453/0x600
[ 79.129569] seq_read+0x261/0x350
[ 79.129908] ? file_tty_write.isra.0+0x4f9/0x8b0
[ 79.130336] ? __pfx_seq_read+0x10/0x10
[ 79.130707] ? trace_irq_enable.constprop.0+0xce/0x110
[ 79.131173] vfs_read+0x171/0x9e0
[ 79.131520] ? lock_acquire+0x408/0x4b0
[ 79.131895] ? __pfx_vfs_read+0x10/0x10
[ 79.132265] ? lock_release+0x453/0x600
[ 79.132638] ? __pfx___up_read+0x10/0x10
[ 79.133023] ksys_read+0xdd/0x1a0
[ 79.133359] ? __pfx_ksys_read+0x10/0x10
[ 79.133743] ? trace_irq_enable.constprop.0+0xce/0x110
[ 79.134211] do_syscall_64+0x66/0x130
[ 79.134570] entry_SYSCALL_64_after_hwframe+0x71/0x79
[ 79.135025] RIP: 0033:0x7fac6e8fb40e
[ 79.135380] Code: c0 e9 b6 fe ff ff 50 48 8d 3d 2e 08 0b 00 e8 69 01 02 00 66 0f 1f 84 00 00 00 00 00 64 8b 04 25 18 00 00 00 85 c0 75 14 0f 05 <48> 3d 00 f0 ff ff 77 5a c3 66 0f 1f 84 00 00 00 00 00 48 83 ec 28
[ 79.136838] RSP: 002b:00007ffe7b02f3a8 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
[ 79.137493] RAX: ffffffffffffffda RBX: 0000000000020000 RCX: 00007fac6e8fb40e
[ 79.138093] RDX: 0000000000020000 RSI: 00007fac6e7ef000 RDI: 0000000000000003
[ 79.138696] RBP: 00007fac6e7ef000 R08: 00007fac6e7ee010 R09: 0000000000000000
[ 79.139300] R10: fffffffffffffbc5 R11: 0000000000000246 R12: 0000000000000000
[ 79.139904] R13: 0000000000000003 R14: 0000000000020000 R15: 0000000000020000
[ 79.140504] </TASK>
[ 79.140768]
[ 79.140977] Allocated by task 4436:
[ 79.141329] kasan_save_stack+0x20/0x40
[ 79.141701] kasan_save_track+0x14/0x30
[ 79.142077] __kasan_kmalloc+0x8f/0xa0
[ 79.142449] user_event_parse_cmd+0x55e/0x25a0
[ 79.142863] user_events_ioctl+0xa52/0x17f0
[ 79.143257] __x64_sys_ioctl+0x133/0x190
[ 79.143640] do_syscall_64+0x66/0x130
[ 79.144002] entry_SYSCALL_64_after_hwframe+0x71/0x79
[ 79.144458]
[ 79.144667] Freed by task 49:
[ 79.144985] kasan_save_stack+0x20/0x40
[ 79.145355] kasan_save_track+0x14/0x30
[ 79.145726] kasan_save_free_info+0x3b/0x60
[ 79.146123] poison_slab_object+0x10a/0x170
[ 79.146518] __kasan_slab_free+0x14/0x30
[ 79.146895] kfree+0xe0/0x2f0
[ 79.147211] destroy_user_event+0x305/0x450
[ 79.147606] delayed_destroy_user_event+0x5c/0xe0
[ 79.148040] process_one_work+0x81c/0x1970
[ 79.148431] worker_thread+0x608/0x1160
[ 79.148987] kthread+0x2be/0x3b0
[ 79.149334] ret_from_fork+0x2c/0x70
[ 79.149688] ret_from_fork_asm+0x1a/0x30
[ 79.150071]
[ 79.150285] Last potentially related work creation:
[ 79.150728] kasan_save_stack+0x20/0x40
[ 79.151099] __kasan_record_aux_stack+0x8e/0xa0
[ 79.151523] insert_work+0x20/0x1b0
[ 79.151878] __queue_work+0x67a/0xc60
[ 79.152240] queue_work_on+0x63/0x90
[ 79.152594] user_event_put+0x1f9/0x390
[ 79.152981] user_events_ioctl+0x11ed/0x17f0
[ 79.153383] __x64_sys_ioctl+0x133/0x190
[ 79.153764] do_syscall_64+0x66/0x130
[ 79.154129] entry_SYSCALL_64_after_hwframe+0x71/0x79
[ 79.154583]
[ 79.154791] The buggy address belongs to the object at ffff888001bd4c00
[ 79.154791] which belongs to the cache kmalloc-cg-512 of size 512
[ 79.155804] The buggy address is located 112 bytes inside of
[ 79.155804] freed 512-byte region [ffff888001bd4c00, ffff888001bd4e00)
[ 79.156783]
[ 79.156992] The buggy address belongs to the physical page:
[ 79.157481] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1bd4
[ 79.158156] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 79.158811] memcg:ffff888004b9e101
[ 79.159158] anon flags: 0x40(head|zone=0)
[ 79.159542] page_type: 0xffffefff(slab)
[ 79.159904] raw: 0000000000000040 ffff88800014cdc0 0000000000000000 dead000000000001
[ 79.160541] raw: 0000000000000000 0000000080100010 00000001ffffefff ffff888004b9e101
[ 79.161187] head: 0000000000000040 ffff88800014cdc0 0000000000000000 dead000000000001
[ 79.161829] head: 0000000000000000 0000000080100010 00000001ffffefff ffff888004b9e101
[ 79.162467] head: 0000000000000002 ffffea000006f501 ffffffffffffffff 0000000000000000
[ 79.163125] head: ffff888000000004 0000000000000000 00000000ffffffff 0000000000000000
[ 79.163760] page dumped because: kasan: bad access detected
[ 79.164226]
[ 79.164424] Memory state around the buggy address:
[ 79.164853] ffff888001bd4b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 79.165455] ffff888001bd4b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 79.166052] >ffff888001bd4c00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 79.166646] ^
[ 79.167210] ffff888001bd4c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 79.167809] ffff888001bd4d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 79.168405] ==================================================================
[ 79.172677] ==================================================================
[ 79.173309] BUG: KASAN: slab-use-after-free in f_start+0x2cb/0x3d0
[ 79.173841] Read of size 8 at addr ffff888001bd4d08 by task cat/4437
[ 79.174392]
[ 79.174608] CPU: 2 PID: 4437 Comm: cat Tainted: G B D N 6.10.0-vanilla+ #34
[ 79.175288] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
[ 79.176214] Call Trace:
[ 79.176494] <TASK>
[ 79.176752] dump_stack_lvl+0x66/0xa0
[ 79.177116] print_report+0xd0/0x630
[ 79.177472] ? f_start+0x2cb/0x3d0
[ 79.177815] ? __virt_addr_valid+0x208/0x3f0
[ 79.178225] ? f_start+0x2cb/0x3d0
[ 79.178571] kasan_report+0xd8/0x110
[ 79.179179] ? f_start+0x2cb/0x3d0
[ 79.179541] f_start+0x2cb/0x3d0
[ 79.179874] seq_read_iter+0x268/0x11e0
[ 79.180247] ? lock_release+0x453/0x600
[ 79.180618] seq_read+0x261/0x350
[ 79.180970] ? file_tty_write.isra.0+0x4f9/0x8b0
[ 79.181395] ? __pfx_seq_read+0x10/0x10
[ 79.181768] ? trace_irq_enable.constprop.0+0xce/0x110
[ 79.182234] vfs_read+0x171/0x9e0
[ 79.182574] ? lock_acquire+0x408/0x4b0
[ 79.182946] ? __pfx_vfs_read+0x10/0x10
[ 79.183323] ? lock_release+0x453/0x600
[ 79.183706] ? __pfx___up_read+0x10/0x10
[ 79.184088] ksys_read+0xdd/0x1a0
[ 79.184424] ? __pfx_ksys_read+0x10/0x10
[ 79.184808] ? trace_irq_enable.constprop.0+0xce/0x110
[ 79.185272] do_syscall_64+0x66/0x130
[ 79.185632] entry_SYSCALL_64_after_hwframe+0x71/0x79
[ 79.186093] RIP: 0033:0x7fac6e8fb40e
[ 79.186448] Code: c0 e9 b6 fe ff ff 50 48 8d 3d 2e 08 0b 00 e8 69 01 02 00 66 0f 1f 84 00 00 00 00 00 64 8b 04 25 18 00 00 00 85 c0 75 14 0f 05 <48> 3d 00 f0 ff ff 77 5a c3 66 0f 1f 84 00 00 00 00 00 48 83 ec 28
[ 79.187883] RSP: 002b:00007ffe7b02f3a8 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
[ 79.188533] RAX: ffffffffffffffda RBX: 0000000000020000 RCX: 00007fac6e8fb40e
[ 79.189134] RDX: 0000000000020000 RSI: 00007fac6e7ef000 RDI: 0000000000000003
[ 79.189728] RBP: 00007fac6e7ef000 R08: 00007fac6e7ee010 R09: 0000000000000000
[ 79.190324] R10: fffffffffffffbc5 R11: 0000000000000246 R12: 0000000000000000
[ 79.190923] R13: 0000000000000003 R14: 0000000000020000 R15: 0000000000020000
[ 79.191522] </TASK>
[ 79.191780]
[ 79.191988] Allocated by task 4436:
[ 79.192346] kasan_save_stack+0x20/0x40
[ 79.192717] kasan_save_track+0x14/0x30
[ 79.193087] __kasan_kmalloc+0x8f/0xa0
[ 79.193454] user_event_parse_cmd+0x55e/0x25a0
[ 79.193867] user_events_ioctl+0xa52/0x17f0
[ 79.194258] __x64_sys_ioctl+0x133/0x190
[ 79.194634] do_syscall_64+0x66/0x130
[ 79.194996] entry_SYSCALL_64_after_hwframe+0x71/0x79
[ 79.195450]
[ 79.195658] Freed by task 49:
[ 79.195971] kasan_save_stack+0x20/0x40
[ 79.196343] kasan_save_track+0x14/0x30
[ 79.196723] kasan_save_free_info+0x3b/0x60
[ 79.197123] poison_slab_object+0x10a/0x170
[ 79.197522] __kasan_slab_free+0x14/0x30
[ 79.197895] kfree+0xe0/0x2f0
[ 79.198210] destroy_user_event+0x305/0x450
[ 79.198609] delayed_destroy_user_event+0x5c/0xe0
[ 79.199043] process_one_work+0x81c/0x1970
[ 79.199426] worker_thread+0x608/0x1160
[ 79.199799] kthread+0x2be/0x3b0
[ 79.200125] ret_from_fork+0x2c/0x70
[ 79.200475] ret_from_fork_asm+0x1a/0x30
[ 79.200857]
[ 79.201067] Last potentially related work creation:
[ 79.201503] kasan_save_stack+0x20/0x40
[ 79.201871] __kasan_record_aux_stack+0x8e/0xa0
[ 79.202293] insert_work+0x20/0x1b0
[ 79.202647] __queue_work+0x67a/0xc60
[ 79.203002] queue_work_on+0x63/0x90
[ 79.203359] user_event_put+0x1f9/0x390
[ 79.203730] user_events_ioctl+0x11ed/0x17f0
[ 79.204128] __x64_sys_ioctl+0x133/0x190
[ 79.204501] do_syscall_64+0x66/0x130
[ 79.204868] entry_SYSCALL_64_after_hwframe+0x71/0x79
[ 79.205319]
[ 79.205525] The buggy address belongs to the object at ffff888001bd4c00
[ 79.205525] which belongs to the cache kmalloc-cg-512 of size 512
[ 79.206522] The buggy address is located 264 bytes inside of
[ 79.206522] freed 512-byte region [ffff888001bd4c00, ffff888001bd4e00)
[ 79.207485]
[ 79.207695] The buggy address belongs to the physical page:
[ 79.208183] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1bd4
[ 79.209098] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 79.209763] memcg:ffff888004b9e101
[ 79.210108] anon flags: 0x40(head|zone=0)
[ 79.210488] page_type: 0xffffefff(slab)
[ 79.210857] raw: 0000000000000040 ffff88800014cdc0 0000000000000000 dead000000000001
[ 79.211516] raw: 0000000000000000 0000000080100010 00000001ffffefff ffff888004b9e101
[ 79.212179] head: 0000000000000040 ffff88800014cdc0 0000000000000000 dead000000000001
[ 79.212856] head: 0000000000000000 0000000080100010 00000001ffffefff ffff888004b9e101
[ 79.213521] head: 0000000000000002 ffffea000006f501 ffffffffffffffff 0000000000000000
[ 79.214191] head: ffff888000000004 0000000000000000 00000000ffffffff 0000000000000000
[ 79.214860] page dumped because: kasan: bad access detected
[ 79.215347]
[ 79.215554] Memory state around the buggy address:
[ 79.215990] ffff888001bd4c00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 79.216617] ffff888001bd4c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 79.217257] >ffff888001bd4d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 79.217880] ^
[ 79.218224] ffff888001bd4d80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 79.218841] ffff888001bd4e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 79.219448] ==================================================================
[ 79.220072] ==================================================================
[ 79.220700] BUG: KASAN: slab-use-after-free in user_event_get_fields+0x38/0x40
[ 79.221305] Read of size 8 at addr ffff888001bd4cb8 by task cat/4437
[ 79.221824]
[ 79.222027] CPU: 2 PID: 4437 Comm: cat Tainted: G B D N 6.10.0-vanilla+ #34
[ 79.222673] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
[ 79.223556] Call Trace:
[ 79.223812] <TASK>
[ 79.224018] dump_stack_lvl+0x66/0xa0
[ 79.224314] print_report+0xd0/0x630
[ 79.224606] ? user_event_get_fields+0x38/0x40
[ 79.224987] ? __virt_addr_valid+0x208/0x3f0
[ 79.225324] ? user_event_get_fields+0x38/0x40
[ 79.225659] kasan_report+0xd8/0x110
[ 79.225948] ? user_event_get_fields+0x38/0x40
[ 79.226288] user_event_get_fields+0x38/0x40
[ 79.226618] f_start+0x175/0x3d0
[ 79.226894] seq_read_iter+0x268/0x11e0
[ 79.227225] ? lock_release+0x453/0x600
[ 79.227533] seq_read+0x261/0x350
[ 79.227810] ? file_tty_write.isra.0+0x4f9/0x8b0
[ 79.228167] ? __pfx_seq_read+0x10/0x10
[ 79.228472] ? trace_irq_enable.constprop.0+0xce/0x110
[ 79.228880] vfs_read+0x171/0x9e0
[ 79.229164] ? lock_acquire+0x408/0x4b0
[ 79.229467] ? __pfx_vfs_read+0x10/0x10
[ 79.229772] ? lock_release+0x453/0x600
[ 79.230072] ? __pfx___up_read+0x10/0x10
[ 79.230387] ksys_read+0xdd/0x1a0
[ 79.230668] ? __pfx_ksys_read+0x10/0x10
[ 79.230999] ? trace_irq_enable.constprop.0+0xce/0x110
[ 79.231390] do_syscall_64+0x66/0x130
[ 79.231690] entry_SYSCALL_64_after_hwframe+0x71/0x79
[ 79.232066] RIP: 0033:0x7fac6e8fb40e
[ 79.232355] Code: c0 e9 b6 fe ff ff 50 48 8d 3d 2e 08 0b 00 e8 69 01 02 00 66 0f 1f 84 00 00 00 00 00 64 8b 04 25 18 00 00 00 85 c0 75 14 0f 05 <48> 3d 00 f0 ff ff 77 5a c3 66 0f 1f 84 00 00 00 00 00 48 83 ec 28
[ 79.233595] RSP: 002b:00007ffe7b02f3a8 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
[ 79.234138] RAX: ffffffffffffffda RBX: 0000000000020000 RCX: 00007fac6e8fb40e
[ 79.234630] RDX: 0000000000020000 RSI: 00007fac6e7ef000 RDI: 0000000000000003
[ 79.235165] RBP: 00007fac6e7ef000 R08: 00007fac6e7ee010 R09: 0000000000000000
[ 79.235662] R10: fffffffffffffbc5 R11: 0000000000000246 R12: 0000000000000000
[ 79.236154] R13: 0000000000000003 R14: 0000000000020000 R15: 0000000000020000
[ 79.236645] </TASK>
[ 79.236892]
[ 79.237073] Allocated by task 4436:
[ 79.237363] kasan_save_stack+0x20/0x40
[ 79.237671] kasan_save_track+0x14/0x30
[ 79.241368] __kasan_kmalloc+0x8f/0xa0
[ 79.241678] user_event_parse_cmd+0x55e/0x25a0
[ 79.242025] user_events_ioctl+0xa52/0x17f0
[ 79.242349] __x64_sys_ioctl+0x133/0x190
[ 79.242664] do_syscall_64+0x66/0x130
[ 79.242984] entry_SYSCALL_64_after_hwframe+0x71/0x79
[ 79.243380]
[ 79.243554] Freed by task 49:
[ 79.243818] kasan_save_stack+0x20/0x40
[ 79.244127] kasan_save_track+0x14/0x30
[ 79.244437] kasan_save_free_info+0x3b/0x60
[ 79.244772] poison_slab_object+0x10a/0x170
[ 79.245131] __kasan_slab_free+0x14/0x30
[ 79.245446] kfree+0xe0/0x2f0
[ 79.245705] destroy_user_event+0x305/0x450
[ 79.246035] delayed_destroy_user_event+0x5c/0xe0
[ 79.246399] process_one_work+0x81c/0x1970
[ 79.246722] worker_thread+0x608/0x1160
[ 79.247059] kthread+0x2be/0x3b0
[ 79.247332] ret_from_fork+0x2c/0x70
[ 79.247628] ret_from_fork_asm+0x1a/0x30
[ 79.247937]
[ 79.248113] Last potentially related work creation:
[ 79.248478] kasan_save_stack+0x20/0x40
[ 79.248800] __kasan_record_aux_stack+0x8e/0xa0
[ 79.249174] insert_work+0x20/0x1b0
[ 79.249466] __queue_work+0x67a/0xc60
[ 79.249767] queue_work_on+0x63/0x90
[ 79.250063] user_event_put+0x1f9/0x390
[ 79.250370] user_events_ioctl+0x11ed/0x17f0
[ 79.250704] __x64_sys_ioctl+0x133/0x190
[ 79.251055] do_syscall_64+0x66/0x130
[ 79.251354] entry_SYSCALL_64_after_hwframe+0x71/0x79
[ 79.251735]
[ 79.251913] The buggy address belongs to the object at ffff888001bd4c00
[ 79.251913] which belongs to the cache kmalloc-cg-512 of size 512
[ 79.252762] The buggy address is located 184 bytes inside of
[ 79.252762] freed 512-byte region [ffff888001bd4c00, ffff888001bd4e00)
[ 79.253617]
[ 79.253792] The buggy address belongs to the physical page:
[ 79.254200] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1bd4
[ 79.254756] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 79.255338] memcg:ffff888004b9e101
[ 79.255630] anon flags: 0x40(head|zone=0)
[ 79.255950] page_type: 0xffffefff(slab)
[ 79.256258] raw: 0000000000000040 ffff88800014cdc0 0000000000000000 dead000000000001
[ 79.256829] raw: 0000000000000000 0000000080100010 00000001ffffefff ffff888004b9e101
[ 79.257461] head: 0000000000000040 ffff88800014cdc0 0000000000000000 dead000000000001
[ 79.258142] head: 0000000000000000 0000000080100010 00000001ffffefff ffff888004b9e101
[ 79.258809] head: 0000000000000002 ffffea000006f501 ffffffffffffffff 0000000000000000
[ 79.259482] head: ffff888000000004 0000000000000000 00000000ffffffff 0000000000000000
[ 79.260150] page dumped because: kasan: bad access detected
[ 79.260644]
[ 79.260859] Memory state around the buggy address:
[ 79.261294] ffff888001bd4b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 79.261926] ffff888001bd4c00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 79.262553] >ffff888001bd4c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 79.263188] ^
[ 79.263639] ffff888001bd4d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 79.264271] ffff888001bd4d80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 79.264901] ==================================================================
[ 79.265555] ==================================================================
[ 79.266179] BUG: KASAN: slab-use-after-free in f_start+0x2e4/0x3d0
[ 79.266711] Read of size 8 at addr ffff888001bd4c70 by task cat/4437
[ 79.267261]
[ 79.267470] CPU: 2 PID: 4437 Comm: cat Tainted: G B D N 6.10.0-vanilla+ #34
[ 79.268156] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
[ 79.269252] Call Trace:
[ 79.269529] <TASK>
[ 79.269781] dump_stack_lvl+0x66/0xa0
[ 79.270141] print_report+0xd0/0x630
[ 79.270494] ? f_start+0x2e4/0x3d0
[ 79.270841] ? __virt_addr_valid+0x208/0x3f0
[ 79.271242] ? f_start+0x2e4/0x3d0
[ 79.271584] kasan_report+0xd8/0x110
[ 79.271943] ? f_start+0x2e4/0x3d0
[ 79.272288] f_start+0x2e4/0x3d0
[ 79.272623] seq_read_iter+0x268/0x11e0
[ 79.273004] ? lock_release+0x453/0x600
[ 79.273377] seq_read+0x261/0x350
[ 79.273714] ? file_tty_write.isra.0+0x4f9/0x8b0
[ 79.274141] ? __pfx_seq_read+0x10/0x10
[ 79.274515] ? trace_irq_enable.constprop.0+0xce/0x110
[ 79.274977] vfs_read+0x171/0x9e0
[ 79.275316] ? lock_acquire+0x408/0x4b0
[ 79.275689] ? __pfx_vfs_read+0x10/0x10
[ 79.276064] ? lock_release+0x453/0x600
[ 79.276440] ? __pfx___up_read+0x10/0x10
[ 79.276823] ksys_read+0xdd/0x1a0
[ 79.277162] ? __pfx_ksys_read+0x10/0x10
[ 79.277541] ? trace_irq_enable.constprop.0+0xce/0x110
[ 79.278003] do_syscall_64+0x66/0x130
[ 79.278365] entry_SYSCALL_64_after_hwframe+0x71/0x79
[ 79.278824] RIP: 0033:0x7fac6e8fb40e
[ 79.279180] Code: c0 e9 b6 fe ff ff 50 48 8d 3d 2e 08 0b 00 e8 69 01 02 00 66 0f 1f 84 00 00 00 00 00 64 8b 04 25 18 00 00 00 85 c0 75 14 0f 05 <48> 3d 00 f0 ff ff 77 5a c3 66 0f 1f 84 00 00 00 00 00 48 83 ec 28
[ 79.280622] RSP: 002b:00007ffe7b02f3a8 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
[ 79.281284] RAX: ffffffffffffffda RBX: 0000000000020000 RCX: 00007fac6e8fb40e
[ 79.281880] RDX: 0000000000020000 RSI: 00007fac6e7ef000 RDI: 0000000000000003
[ 79.282480] RBP: 00007fac6e7ef000 R08: 00007fac6e7ee010 R09: 0000000000000000
[ 79.283083] R10: fffffffffffffbc5 R11: 0000000000000246 R12: 0000000000000000
[ 79.283680] R13: 0000000000000003 R14: 0000000000020000 R15: 0000000000020000
[ 79.284277] </TASK>
[ 79.284535]
[ 79.284750] Allocated by task 4436:
[ 79.285097] kasan_save_stack+0x20/0x40
[ 79.285471] kasan_save_track+0x14/0x30
[ 79.285844] __kasan_kmalloc+0x8f/0xa0
[ 79.286208] user_event_parse_cmd+0x55e/0x25a0
[ 79.286621] user_events_ioctl+0xa52/0x17f0
[ 79.287019] __x64_sys_ioctl+0x133/0x190
[ 79.287399] do_syscall_64+0x66/0x130
[ 79.287757] entry_SYSCALL_64_after_hwframe+0x71/0x79
[ 79.288223]
[ 79.288435] Freed by task 49:
[ 79.288751] kasan_save_stack+0x20/0x40
[ 79.289126] kasan_save_track+0x14/0x30
[ 79.289498] kasan_save_free_info+0x3b/0x60
[ 79.289892] poison_slab_object+0x10a/0x170
[ 79.290285] __kasan_slab_free+0x14/0x30
[ 79.290665] kfree+0xe0/0x2f0
[ 79.290981] destroy_user_event+0x305/0x450
[ 79.291376] delayed_destroy_user_event+0x5c/0xe0
[ 79.291808] process_one_work+0x81c/0x1970
[ 79.292200] worker_thread+0x608/0x1160
[ 79.292571] kthread+0x2be/0x3b0
[ 79.292908] ret_from_fork+0x2c/0x70
[ 79.293264] ret_from_fork_asm+0x1a/0x30
[ 79.293645]
[ 79.293853] Last potentially related work creation:
[ 79.294301] kasan_save_stack+0x20/0x40
[ 79.294674] __kasan_record_aux_stack+0x8e/0xa0
[ 79.295096] insert_work+0x20/0x1b0
[ 79.295443] __queue_work+0x67a/0xc60
[ 79.295804] queue_work_on+0x63/0x90
[ 79.296147] user_event_put+0x1f9/0x390
[ 79.296498] user_events_ioctl+0x11ed/0x17f0
[ 79.296920] __x64_sys_ioctl+0x133/0x190
[ 79.297291] do_syscall_64+0x66/0x130
[ 79.297635] entry_SYSCALL_64_after_hwframe+0x71/0x79
[ 79.298067]
[ 79.298271] The buggy address belongs to the object at ffff888001bd4c00
[ 79.298271] which belongs to the cache kmalloc-cg-512 of size 512
[ 79.299393] The buggy address is located 112 bytes inside of
[ 79.299393] freed 512-byte region [ffff888001bd4c00, ffff888001bd4e00)
[ 79.300313]
[ 79.300517] The buggy address belongs to the physical page:
[ 79.300997] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1bd4
[ 79.301633] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 79.302262] memcg:ffff888004b9e101
[ 79.302583] anon flags: 0x40(head|zone=0)
[ 79.302955] page_type: 0xffffefff(slab)
[ 79.303315] raw: 0000000000000040 ffff88800014cdc0 0000000000000000 dead000000000001
[ 79.303946] raw: 0000000000000000 0000000080100010 00000001ffffefff ffff888004b9e101
[ 79.304582] head: 0000000000000040 ffff88800014cdc0 0000000000000000 dead000000000001
[ 79.305229] head: 0000000000000000 0000000080100010 00000001ffffefff ffff888004b9e101
[ 79.309529] head: 0000000000000002 ffffea000006f501 ffffffffffffffff 0000000000000000
[ 79.310170] head: ffff888000000004 0000000000000000 00000000ffffffff 0000000000000000
[ 79.310806] page dumped because: kasan: bad access detected
[ 79.311286]
[ 79.311483] Memory state around the buggy address:
[ 79.311899] ffff888001bd4b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 79.312500] ffff888001bd4b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 79.313115] >ffff888001bd4c00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 79.313714] ^
[ 79.314261] ffff888001bd4c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 79.314858] ffff888001bd4d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 79.315465] ==================================================================
[ 79.316149] ==================================================================
[ 79.316789] BUG: KASAN: slab-use-after-free in f_start+0x2cb/0x3d0
[ 79.317327] Read of size 8 at addr ffff888001bd4d08 by task cat/4437
[ 79.317841]
[ 79.318043] CPU: 2 PID: 4437 Comm: cat Tainted: G B D N 6.10.0-vanilla+ #34
[ 79.318695] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
[ 79.319578] Call Trace:
[ 79.319839] <TASK>
[ 79.320078] dump_stack_lvl+0x66/0xa0
[ 79.320423] print_report+0xd0/0x630
[ 79.320764] ? f_start+0x2cb/0x3d0
[ 79.321102] ? __virt_addr_valid+0x208/0x3f0
[ 79.321484] ? f_start+0x2cb/0x3d0
[ 79.321807] kasan_report+0xd8/0x110
[ 79.322148] ? f_start+0x2cb/0x3d0
[ 79.322479] f_start+0x2cb/0x3d0
[ 79.322791] seq_read_iter+0x268/0x11e0
[ 79.323159] ? lock_release+0x453/0x600
[ 79.323516] seq_read+0x261/0x350
[ 79.323838] ? file_tty_write.isra.0+0x4f9/0x8b0
[ 79.324245] ? __pfx_seq_read+0x10/0x10
[ 79.324602] ? trace_irq_enable.constprop.0+0xce/0x110
[ 79.325060] vfs_read+0x171/0x9e0
[ 79.325379] ? lock_acquire+0x408/0x4b0
[ 79.325742] ? __pfx_vfs_read+0x10/0x10
[ 79.326099] ? lock_release+0x453/0x600
[ 79.326451] ? __pfx___up_read+0x10/0x10
[ 79.326809] ksys_read+0xdd/0x1a0
[ 79.327143] ? __pfx_ksys_read+0x10/0x10
[ 79.327503] ? trace_irq_enable.constprop.0+0xce/0x110
[ 79.327946] do_syscall_64+0x66/0x130
[ 79.328287] entry_SYSCALL_64_after_hwframe+0x71/0x79
[ 79.328722] RIP: 0033:0x7fac6e8fb40e
[ 79.329168] Code: c0 e9 b6 fe ff ff 50 48 8d 3d 2e 08 0b 00 e8 69 01 02 00 66 0f 1f 84 00 00 00 00 00 64 8b 04 25 18 00 00 00 85 c0 75 14 0f 05 <48> 3d 00 f0 ff ff 77 5a c3 66 0f 1f 84 00 00 00 00 00 48 83 ec 28
[ 79.330542] RSP: 002b:00007ffe7b02f3a8 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
[ 79.331173] RAX: ffffffffffffffda RBX: 0000000000020000 RCX: 00007fac6e8fb40e
[ 79.331740] RDX: 0000000000020000 RSI: 00007fac6e7ef000 RDI: 0000000000000003
[ 79.332307] RBP: 00007fac6e7ef000 R08: 00007fac6e7ee010 R09: 0000000000000000
[ 79.332891] R10: fffffffffffffbc5 R11: 0000000000000246 R12: 0000000000000000
[ 79.333462] R13: 0000000000000003 R14: 0000000000020000 R15: 0000000000020000
[ 79.334032] </TASK>
[ 79.334276]
[ 79.334477] Allocated by task 4436:
[ 79.334810] kasan_save_stack+0x20/0x40
[ 79.335182] kasan_save_track+0x14/0x30
[ 79.335542] __kasan_kmalloc+0x8f/0xa0
[ 79.335888] user_event_parse_cmd+0x55e/0x25a0
[ 79.336281] user_events_ioctl+0xa52/0x17f0
[ 79.336661] __x64_sys_ioctl+0x133/0x190
[ 79.337037] do_syscall_64+0x66/0x130
[ 79.337403] entry_SYSCALL_64_after_hwframe+0x71/0x79
[ 79.337862]
[ 79.338074] Freed by task 49:
[ 79.338384] kasan_save_stack+0x20/0x40
[ 79.338760] kasan_save_track+0x14/0x30
[ 79.339133] kasan_save_free_info+0x3b/0x60
[ 79.339524] poison_slab_object+0x10a/0x170
[ 79.339918] __kasan_slab_free+0x14/0x30
[ 79.340300] kfree+0xe0/0x2f0
[ 79.340619] destroy_user_event+0x305/0x450
[ 79.341016] delayed_destroy_user_event+0x5c/0xe0
[ 79.341448] process_one_work+0x81c/0x1970
[ 79.341842] worker_thread+0x608/0x1160
[ 79.342213] kthread+0x2be/0x3b0
[ 79.342542] ret_from_fork+0x2c/0x70
[ 79.342898] ret_from_fork_asm+0x1a/0x30
[ 79.343277]
[ 79.343485] Last potentially related work creation:
[ 79.343930] kasan_save_stack+0x20/0x40
[ 79.344306] __kasan_record_aux_stack+0x8e/0xa0
[ 79.344725] insert_work+0x20/0x1b0
[ 79.345076] __queue_work+0x67a/0xc60
[ 79.345444] queue_work_on+0x63/0x90
[ 79.345802] user_event_put+0x1f9/0x390
[ 79.346174] user_events_ioctl+0x11ed/0x17f0
[ 79.346585] __x64_sys_ioctl+0x133/0x190
[ 79.346967] do_syscall_64+0x66/0x130
[ 79.347324] entry_SYSCALL_64_after_hwframe+0x71/0x79
[ 79.347787]
[ 79.347999] The buggy address belongs to the object at ffff888001bd4c00
[ 79.347999] which belongs to the cache kmalloc-cg-512 of size 512
[ 79.349004] The buggy address is located 264 bytes inside of
[ 79.349004] freed 512-byte region [ffff888001bd4c00, ffff888001bd4e00)
[ 79.349971]
[ 79.350185] The buggy address belongs to the physical page:
[ 79.350673] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1bd4
[ 79.351343] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 79.352003] memcg:ffff888004b9e101
[ 79.352346] anon flags: 0x40(head|zone=0)
[ 79.352731] page_type: 0xffffefff(slab)
[ 79.353107] raw: 0000000000000040 ffff88800014cdc0 0000000000000000 dead000000000001
[ 79.353770] raw: 0000000000000000 0000000080100010 00000001ffffefff ffff888004b9e101
[ 79.354438] head: 0000000000000040 ffff88800014cdc0 0000000000000000 dead000000000001
[ 79.355107] head: 0000000000000000 0000000080100010 00000001ffffefff ffff888004b9e101
[ 79.355777] head: 0000000000000002 ffffea000006f501 ffffffffffffffff 0000000000000000
[ 79.356447] head: ffff888000000004 0000000000000000 00000000ffffffff 0000000000000000
[ 79.357124] page dumped because: kasan: bad access detected
[ 79.357611]
[ 79.357822] Memory state around the buggy address:
[ 79.358261] ffff888001bd4c00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 79.359125] ffff888001bd4c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 79.359776] >ffff888001bd4d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 79.360403] ^
[ 79.360764] ffff888001bd4d80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 79.361402] ffff888001bd4e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 79.362031] ==================================================================
[ 79.362682] ==================================================================
[ 79.363310] BUG: KASAN: slab-use-after-free in user_event_get_fields+0x38/0x40
[ 79.363941] Read of size 8 at addr ffff888001bd4cb8 by task cat/4437
[ 79.364482]
[ 79.364693] CPU: 2 PID: 4437 Comm: cat Tainted: G B D N 6.10.0-vanilla+ #34
[ 79.365382] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
[ 79.366294] Call Trace:
[ 79.366569] <TASK>
[ 79.366822] dump_stack_lvl+0x66/0xa0
[ 79.367181] print_report+0xd0/0x630
[ 79.367535] ? user_event_get_fields+0x38/0x40
[ 79.367946] ? __virt_addr_valid+0x208/0x3f0
[ 79.368351] ? user_event_get_fields+0x38/0x40
[ 79.368770] kasan_report+0xd8/0x110
[ 79.369128] ? user_event_get_fields+0x38/0x40
[ 79.369536] user_event_get_fields+0x38/0x40
[ 79.369935] f_start+0x175/0x3d0
[ 79.370269] seq_read_iter+0x268/0x11e0
[ 79.370640] ? lock_release+0x453/0x600
[ 79.371008] seq_read+0x261/0x350
[ 79.371341] ? file_tty_write.isra.0+0x4f9/0x8b0
[ 79.371769] ? __pfx_seq_read+0x10/0x10
[ 79.372143] ? trace_irq_enable.constprop.0+0xce/0x110
[ 79.372606] vfs_read+0x171/0x9e0
[ 79.372948] ? lock_acquire+0x408/0x4b0
[ 79.373321] ? __pfx_vfs_read+0x10/0x10
[ 79.373692] ? lock_release+0x453/0x600
[ 79.374061] ? __pfx___up_read+0x10/0x10
[ 79.374440] ksys_read+0xdd/0x1a0
[ 79.378620] ? __pfx_ksys_read+0x10/0x10
[ 79.379000] ? trace_irq_enable.constprop.0+0xce/0x110
[ 79.379466] do_syscall_64+0x66/0x130
[ 79.379827] entry_SYSCALL_64_after_hwframe+0x71/0x79
[ 79.380282] RIP: 0033:0x7fac6e8fb40e
[ 79.380638] Code: c0 e9 b6 fe ff ff 50 48 8d 3d 2e 08 0b 00 e8 69 01 02 00 66 0f 1f 84 00 00 00 00 00 64 8b 04 25 18 00 00 00 85 c0 75 14 0f 05 <48> 3d 00 f0 ff ff 77 5a c3 66 0f 1f 84 00 00 00 00 00 48 83 ec 28
[ 79.382084] RSP: 002b:00007ffe7b02f3a8 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
[ 79.382740] RAX: ffffffffffffffda RBX: 0000000000020000 RCX: 00007fac6e8fb40e
[ 79.383345] RDX: 0000000000020000 RSI: 00007fac6e7ef000 RDI: 0000000000000003
[ 79.383950] RBP: 00007fac6e7ef000 R08: 00007fac6e7ee010 R09: 0000000000000000
[ 79.384547] R10: fffffffffffffbc5 R11: 0000000000000246 R12: 0000000000000000
[ 79.385149] R13: 0000000000000003 R14: 0000000000020000 R15: 0000000000020000
[ 79.385750] </TASK>
[ 79.386004]
[ 79.386216] Allocated by task 4436:
[ 79.386574] kasan_save_stack+0x20/0x40
[ 79.386946] kasan_save_track+0x14/0x30
[ 79.387320] __kasan_kmalloc+0x8f/0xa0
[ 79.387690] user_event_parse_cmd+0x55e/0x25a0
[ 79.388105] user_events_ioctl+0xa52/0x17f0
[ 79.388500] __x64_sys_ioctl+0x133/0x190
[ 79.389125] do_syscall_64+0x66/0x130
[ 79.389500] entry_SYSCALL_64_after_hwframe+0x71/0x79
[ 79.389956]
[ 79.390167] Freed by task 49:
[ 79.390484] kasan_save_stack+0x20/0x40
[ 79.390857] kasan_save_track+0x14/0x30
[ 79.391232] kasan_save_free_info+0x3b/0x60
[ 79.391628] poison_slab_object+0x10a/0x170
[ 79.392020] __kasan_slab_free+0x14/0x30
[ 79.392398] kfree+0xe0/0x2f0
[ 79.392712] destroy_user_event+0x305/0x450
[ 79.393118] delayed_destroy_user_event+0x5c/0xe0
[ 79.393557] process_one_work+0x81c/0x1970
[ 79.393942] worker_thread+0x608/0x1160
[ 79.394315] kthread+0x2be/0x3b0
[ 79.394650] ret_from_fork+0x2c/0x70
[ 79.395005] ret_from_fork_asm+0x1a/0x30
[ 79.395387]
[ 79.395599] Last potentially related work creation:
[ 79.396040] kasan_save_stack+0x20/0x40
[ 79.396415] __kasan_record_aux_stack+0x8e/0xa0
[ 79.396844] insert_work+0x20/0x1b0
[ 79.397192] __queue_work+0x67a/0xc60
[ 79.397550] queue_work_on+0x63/0x90
[ 79.397906] user_event_put+0x1f9/0x390
[ 79.398279] user_events_ioctl+0x11ed/0x17f0
[ 79.398684] __x64_sys_ioctl+0x133/0x190
[ 79.399063] do_syscall_64+0x66/0x130
[ 79.399428] entry_SYSCALL_64_after_hwframe+0x71/0x79
[ 79.399883]
[ 79.400093] The buggy address belongs to the object at ffff888001bd4c00
[ 79.400093] which belongs to the cache kmalloc-cg-512 of size 512
[ 79.401115] The buggy address is located 184 bytes inside of
[ 79.401115] freed 512-byte region [ffff888001bd4c00, ffff888001bd4e00)
[ 79.402085]
[ 79.402298] The buggy address belongs to the physical page:
[ 79.402789] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1bd4
[ 79.403469] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 79.404125] memcg:ffff888004b9e101
[ 79.404468] anon flags: 0x40(head|zone=0)
[ 79.404856] page_type: 0xffffefff(slab)
[ 79.405231] raw: 0000000000000040 ffff88800014cdc0 0000000000000000 dead000000000001
[ 79.405902] raw: 0000000000000000 0000000080100010 00000001ffffefff ffff888004b9e101
[ 79.406567] head: 0000000000000040 ffff88800014cdc0 0000000000000000 dead000000000001
[ 79.407240] head: 0000000000000000 0000000080100010 00000001ffffefff ffff888004b9e101
[ 79.407913] head: 0000000000000002 ffffea000006f501 ffffffffffffffff 0000000000000000
[ 79.408582] head: ffff888000000004 0000000000000000 00000000ffffffff 0000000000000000
[ 79.409263] page dumped because: kasan: bad access detected
[ 79.409751]
[ 79.409961] Memory state around the buggy address:
[ 79.410399] ffff888001bd4b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 79.411039] ffff888001bd4c00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 79.411673] >ffff888001bd4c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 79.412302] ^
[ 79.412764] ffff888001bd4d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 79.413392] ffff888001bd4d80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 79.414021] ==================================================================
[ 79.414676] ==================================================================
[ 79.415310] BUG: KASAN: slab-use-after-free in f_start+0x2e4/0x3d0
[ 79.415842] Read of size 8 at addr ffff888001bd4c70 by task cat/4437
[ 79.416391]
[ 79.416608] CPU: 2 PID: 4437 Comm: cat Tainted: G B D N 6.10.0-vanilla+ #34
[ 79.417555] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
[ 79.418527] Call Trace:
[ 79.419122] <TASK>
[ 79.419396] dump_stack_lvl+0x66/0xa0
[ 79.419764] print_report+0xd0/0x630
[ 79.420124] ? f_start+0x2e4/0x3d0
[ 79.420468] ? __virt_addr_valid+0x208/0x3f0
[ 79.420885] ? f_start+0x2e4/0x3d0
[ 79.421232] kasan_report+0xd8/0x110
[ 79.421588] ? f_start+0x2e4/0x3d0
[ 79.421932] f_start+0x2e4/0x3d0
[ 79.422266] seq_read_iter+0x268/0x11e0
[ 79.422639] ? lock_release+0x453/0x600
[ 79.423030] seq_read+0x261/0x350
[ 79.423374] ? file_tty_write.isra.0+0x4f9/0x8b0
[ 79.423810] ? __pfx_seq_read+0x10/0x10
[ 79.424183] ? trace_irq_enable.constprop.0+0xce/0x110
[ 79.424644] vfs_read+0x171/0x9e0
[ 79.424996] ? lock_acquire+0x408/0x4b0
[ 79.425373] ? __pfx_vfs_read+0x10/0x10
[ 79.425746] ? lock_release+0x453/0x600
[ 79.426123] ? __pfx___up_read+0x10/0x10
[ 79.426503] ksys_read+0xdd/0x1a0
[ 79.426840] ? __pfx_ksys_read+0x10/0x10
[ 79.427232] ? trace_irq_enable.constprop.0+0xce/0x110
[ 79.427704] do_syscall_64+0x66/0x130
[ 79.428074] entry_SYSCALL_64_after_hwframe+0x71/0x79
[ 79.428536] RIP: 0033:0x7fac6e8fb40e
[ 79.428899] Code: c0 e9 b6 fe ff ff 50 48 8d 3d 2e 08 0b 00 e8 69 01 02 00 66 0f 1f 84 00 00 00 00 00 64 8b 04 25 18 00 00 00 85 c0 75 14 0f 05 <48> 3d 00 f0 ff ff 77 5a c3 66 0f 1f 84 00 00 00 00 00 48 83 ec 28
[ 79.430354] RSP: 002b:00007ffe7b02f3a8 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
[ 79.431008] RAX: ffffffffffffffda RBX: 0000000000020000 RCX: 00007fac6e8fb40e
[ 79.431609] RDX: 0000000000020000 RSI: 00007fac6e7ef000 RDI: 0000000000000003
[ 79.432208] RBP: 00007fac6e7ef000 R08: 00007fac6e7ee010 R09: 0000000000000000
[ 79.432811] R10: fffffffffffffbc5 R11: 0000000000000246 R12: 0000000000000000
[ 79.433411] R13: 0000000000000003 R14: 0000000000020000 R15: 0000000000020000
[ 79.434011] </TASK>
[ 79.434273]
[ 79.434483] Allocated by task 4436:
[ 79.434834] kasan_save_stack+0x20/0x40
[ 79.435207] kasan_save_track+0x14/0x30
[ 79.435575] __kasan_kmalloc+0x8f/0xa0
[ 79.435939] user_event_parse_cmd+0x55e/0x25a0
[ 79.436355] user_events_ioctl+0xa52/0x17f0
[ 79.436751] __x64_sys_ioctl+0x133/0x190
[ 79.437132] do_syscall_64+0x66/0x130
[ 79.437496] entry_SYSCALL_64_after_hwframe+0x71/0x79
[ 79.437955]
[ 79.438165] Freed by task 49:
[ 79.438483] kasan_save_stack+0x20/0x40
[ 79.438860] kasan_save_track+0x14/0x30
[ 79.439228] kasan_save_free_info+0x3b/0x60
[ 79.439624] poison_slab_object+0x10a/0x170
[ 79.440021] __kasan_slab_free+0x14/0x30
[ 79.440398] kfree+0xe0/0x2f0
[ 79.440710] destroy_user_event+0x305/0x450
[ 79.441121] delayed_destroy_user_event+0x5c/0xe0
[ 79.441554] process_one_work+0x81c/0x1970
[ 79.441951] worker_thread+0x608/0x1160
[ 79.442331] kthread+0x2be/0x3b0
[ 79.442669] ret_from_fork+0x2c/0x70
[ 79.443028] ret_from_fork_asm+0x1a/0x30
[ 79.443404]
[ 79.443621] Last potentially related work creation:
[ 79.444069] kasan_save_stack+0x20/0x40
[ 79.444448] __kasan_record_aux_stack+0x8e/0xa0
[ 79.444876] insert_work+0x20/0x1b0
[ 79.445227] __queue_work+0x67a/0xc60
[ 79.445586] queue_work_on+0x63/0x90
[ 79.445937] user_event_put+0x1f9/0x390
[ 79.446307] user_events_ioctl+0x11ed/0x17f0
[ 79.446706] __x64_sys_ioctl+0x133/0x190
[ 79.447083] do_syscall_64+0x66/0x130
[ 79.447447] entry_SYSCALL_64_after_hwframe+0x71/0x79
[ 79.447906]
[ 79.452265] The buggy address belongs to the object at ffff888001bd4c00
[ 79.452265] which belongs to the cache kmalloc-cg-512 of size 512
[ 79.453302] The buggy address is located 112 bytes inside of
[ 79.453302] freed 512-byte region [ffff888001bd4c00, ffff888001bd4e00)
[ 79.454274]
[ 79.454485] The buggy address belongs to the physical page:
[ 79.454994] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1bd4
[ 79.455664] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 79.456335] memcg:ffff888004b9e101
[ 79.456678] anon flags: 0x40(head|zone=0)
[ 79.457075] page_type: 0xffffefff(slab)
[ 79.457453] raw: 0000000000000040 ffff88800014cdc0 0000000000000000 dead000000000001
[ 79.458120] raw: 0000000000000000 0000000080100010 00000001ffffefff ffff888004b9e101
[ 79.458797] head: 0000000000000040 ffff88800014cdc0 0000000000000000 dead000000000001
[ 79.459473] head: 0000000000000000 0000000080100010 00000001ffffefff ffff888004b9e101
[ 79.460155] head: 0000000000000002 ffffea000006f501 ffffffffffffffff 0000000000000000
[ 79.460835] head: ffff888000000004 0000000000000000 00000000ffffffff 0000000000000000
[ 79.461511] page dumped because: kasan: bad access detected
[ 79.462001]
[ 79.462211] Memory state around the buggy address:
[ 79.462650] ffff888001bd4b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 79.463283] ffff888001bd4b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 79.463915] >ffff888001bd4c00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 79.464550] ^
[ 79.465137] ffff888001bd4c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 79.465767] ffff888001bd4d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 79.466393] ==================================================================
[ 79.467082] ==================================================================
[ 79.467728] BUG: KASAN: slab-use-after-free in f_start+0x2cb/0x3d0
[ 79.468267] Read of size 8 at addr ffff888001bd4d08 by task cat/4437
[ 79.468820]
[ 79.469041] CPU: 2 PID: 4437 Comm: cat Tainted: G B D N 6.10.0-vanilla+ #34
[ 79.469726] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
[ 79.470650] Call Trace:
[ 79.470929] <TASK>
[ 79.471183] dump_stack_lvl+0x66/0xa0
[ 79.471546] print_report+0xd0/0x630
[ 79.471903] ? f_start+0x2cb/0x3d0
[ 79.472237] ? __virt_addr_valid+0x208/0x3f0
[ 79.472622] ? f_start+0x2cb/0x3d0
[ 79.472967] kasan_report+0xd8/0x110
[ 79.473303] ? f_start+0x2cb/0x3d0
[ 79.473633] f_start+0x2cb/0x3d0
[ 79.473955] seq_read_iter+0x268/0x11e0
[ 79.474312] ? lock_release+0x453/0x600
[ 79.474673] seq_read+0x261/0x350
[ 79.475020] ? file_tty_write.isra.0+0x4f9/0x8b0
[ 79.475431] ? __pfx_seq_read+0x10/0x10
[ 79.475786] ? trace_irq_enable.constprop.0+0xce/0x110
[ 79.476223] vfs_read+0x171/0x9e0
[ 79.476551] ? lock_acquire+0x408/0x4b0
[ 79.476927] ? __pfx_vfs_read+0x10/0x10
[ 79.477282] ? lock_release+0x453/0x600
[ 79.477643] ? __pfx___up_read+0x10/0x10
[ 79.478012] ksys_read+0xdd/0x1a0
[ 79.478335] ? __pfx_ksys_read+0x10/0x10
[ 79.478697] ? trace_irq_enable.constprop.0+0xce/0x110
[ 79.479379] do_syscall_64+0x66/0x130
[ 79.479734] entry_SYSCALL_64_after_hwframe+0x71/0x79
[ 79.480173] RIP: 0033:0x7fac6e8fb40e
[ 79.480511] Code: c0 e9 b6 fe ff ff 50 48 8d 3d 2e 08 0b 00 e8 69 01 02 00 66 0f 1f 84 00 00 00 00 00 64 8b 04 25 18 00 00 00 85 c0 75 14 0f 05 <48> 3d 00 f0 ff ff 77 5a c3 66 0f 1f 84 00 00 00 00 00 48 83 ec 28
[ 79.481927] RSP: 002b:00007ffe7b02f3a8 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
[ 79.482554] RAX: ffffffffffffffda RBX: 0000000000020000 RCX: 00007fac6e8fb40e
[ 79.483139] RDX: 0000000000020000 RSI: 00007fac6e7ef000 RDI: 0000000000000003
[ 79.483709] RBP: 00007fac6e7ef000 R08: 00007fac6e7ee010 R09: 0000000000000000
[ 79.484289] R10: fffffffffffffbc5 R11: 0000000000000246 R12: 0000000000000000
[ 79.484891] R13: 0000000000000003 R14: 0000000000020000 R15: 0000000000020000
[ 79.485469] </TASK>
[ 79.485716]
[ 79.485917] Allocated by task 4436:
[ 79.486252] kasan_save_stack+0x20/0x40
[ 79.486608] kasan_save_track+0x14/0x30
[ 79.486969] __kasan_kmalloc+0x8f/0xa0
[ 79.487326] user_event_parse_cmd+0x55e/0x25a0
[ 79.487724] user_events_ioctl+0xa52/0x17f0
[ 79.488099] __x64_sys_ioctl+0x133/0x190
[ 79.488463] do_syscall_64+0x66/0x130
[ 79.488829] entry_SYSCALL_64_after_hwframe+0x71/0x79
[ 79.489268]
[ 79.489473] Freed by task 49:
[ 79.489772] kasan_save_stack+0x20/0x40
[ 79.490129] kasan_save_track+0x14/0x30
[ 79.490484] kasan_save_free_info+0x3b/0x60
[ 79.490862] poison_slab_object+0x10a/0x170
[ 79.491261] __kasan_slab_free+0x14/0x30
[ 79.491618] kfree+0xe0/0x2f0
[ 79.491917] destroy_user_event+0x305/0x450
[ 79.492293] delayed_destroy_user_event+0x5c/0xe0
[ 79.492711] process_one_work+0x81c/0x1970
[ 79.493095] worker_thread+0x608/0x1160
[ 79.493449] kthread+0x2be/0x3b0
[ 79.493768] ret_from_fork+0x2c/0x70
[ 79.494109] ret_from_fork_asm+0x1a/0x30
[ 79.494467]
[ 79.494674] Last potentially related work creation:
[ 79.495107] kasan_save_stack+0x20/0x40
[ 79.495459] __kasan_record_aux_stack+0x8e/0xa0
[ 79.495861] insert_work+0x20/0x1b0
[ 79.496194] __queue_work+0x67a/0xc60
[ 79.496536] queue_work_on+0x63/0x90
[ 79.496904] user_event_put+0x1f9/0x390
[ 79.497261] user_events_ioctl+0x11ed/0x17f0
[ 79.497642] __x64_sys_ioctl+0x133/0x190
[ 79.498004] do_syscall_64+0x66/0x130
[ 79.498354] entry_SYSCALL_64_after_hwframe+0x71/0x79
[ 79.498792]
[ 79.499015] The buggy address belongs to the object at ffff888001bd4c00
[ 79.499015] which belongs to the cache kmalloc-cg-512 of size 512
[ 79.499981] The buggy address is located 264 bytes inside of
[ 79.499981] freed 512-byte region [ffff888001bd4c00, ffff888001bd4e00)
[ 79.500921]
[ 79.501123] The buggy address belongs to the physical page:
[ 79.501584] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1bd4
[ 79.502232] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 79.502864] memcg:ffff888004b9e101
[ 79.503204] anon flags: 0x40(head|zone=0)
[ 79.503568] page_type: 0xffffefff(slab)
[ 79.503923] raw: 0000000000000040 ffff88800014cdc0 0000000000000000 dead000000000001
[ 79.504561] raw: 0000000000000000 0000000080100010 00000001ffffefff ffff888004b9e101
[ 79.505225] head: 0000000000000040 ffff88800014cdc0 0000000000000000 dead000000000001
[ 79.505865] head: 0000000000000000 0000000080100010 00000001ffffefff ffff888004b9e101
[ 79.506505] head: 0000000000000002 ffffea000006f501 ffffffffffffffff 0000000000000000
[ 79.507160] head: ffff888000000004 0000000000000000 00000000ffffffff 0000000000000000
[ 79.507793] page dumped because: kasan: bad access detected
[ 79.508264]
[ 79.508463] Memory state around the buggy address:
[ 79.509159] ffff888001bd4c00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 79.509773] ffff888001bd4c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 79.510372] >ffff888001bd4d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 79.510980] ^
[ 79.511314] ffff888001bd4d80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 79.511917] ffff888001bd4e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 79.512515] ==================================================================
[ 79.513221] ==================================================================
[ 79.513836] BUG: KASAN: slab-use-after-free in user_event_get_fields+0x38/0x40
[ 79.514433] Read of size 8 at addr ffff888001bd4cb8 by task cat/4437
[ 79.514957]
[ 79.515165] CPU: 2 PID: 4437 Comm: cat Tainted: G B D N 6.10.0-vanilla+ #34
[ 79.515812] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
[ 79.516693] Call Trace:
[ 79.516958] <TASK>
[ 79.517198] dump_stack_lvl+0x66/0xa0
[ 79.521218] print_report+0xd0/0x630
[ 79.521559] ? user_event_get_fields+0x38/0x40
[ 79.521956] ? __virt_addr_valid+0x208/0x3f0
[ 79.522340] ? user_event_get_fields+0x38/0x40
[ 79.522734] kasan_report+0xd8/0x110
[ 79.523075] ? user_event_get_fields+0x38/0x40
[ 79.523473] user_event_get_fields+0x38/0x40
[ 79.523856] f_start+0x175/0x3d0
[ 79.524175] seq_read_iter+0x268/0x11e0
[ 79.524534] ? lock_release+0x453/0x600
[ 79.524889] seq_read+0x261/0x350
[ 79.525211] ? file_tty_write.isra.0+0x4f9/0x8b0
[ 79.525620] ? __pfx_seq_read+0x10/0x10
[ 79.525977] ? trace_irq_enable.constprop.0+0xce/0x110
[ 79.526419] vfs_read+0x171/0x9e0
[ 79.526739] ? lock_acquire+0x408/0x4b0
[ 79.527102] ? __pfx_vfs_read+0x10/0x10
[ 79.527459] ? lock_release+0x453/0x600
[ 79.527813] ? __pfx___up_read+0x10/0x10
[ 79.528176] ksys_read+0xdd/0x1a0
[ 79.528501] ? __pfx_ksys_read+0x10/0x10
[ 79.528861] ? trace_irq_enable.constprop.0+0xce/0x110
[ 79.529301] do_syscall_64+0x66/0x130
[ 79.529647] entry_SYSCALL_64_after_hwframe+0x71/0x79
[ 79.530083] RIP: 0033:0x7fac6e8fb40e
[ 79.530420] Code: c0 e9 b6 fe ff ff 50 48 8d 3d 2e 08 0b 00 e8 69 01 02 00 66 0f 1f 84 00 00 00 00 00 64 8b 04 25 18 00 00 00 85 c0 75 14 0f 05 <48> 3d 00 f0 ff ff 77 5a c3 66 0f 1f 84 00 00 00 00 00 48 83 ec 28
[ 79.531796] RSP: 002b:00007ffe7b02f3a8 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
[ 79.532428] RAX: ffffffffffffffda RBX: 0000000000020000 RCX: 00007fac6e8fb40e
[ 79.533000] RDX: 0000000000020000 RSI: 00007fac6e7ef000 RDI: 0000000000000003
[ 79.533569] RBP: 00007fac6e7ef000 R08: 00007fac6e7ee010 R09: 0000000000000000
[ 79.534140] R10: fffffffffffffbc5 R11: 0000000000000246 R12: 0000000000000000
[ 79.534709] R13: 0000000000000003 R14: 0000000000020000 R15: 0000000000020000
[ 79.535282] </TASK>
[ 79.535531]
[ 79.535730] Allocated by task 4436:
[ 79.536059] kasan_save_stack+0x20/0x40
[ 79.536414] kasan_save_track+0x14/0x30
[ 79.536783] __kasan_kmalloc+0x8f/0xa0
[ 79.537136] user_event_parse_cmd+0x55e/0x25a0
[ 79.537536] user_events_ioctl+0xa52/0x17f0
[ 79.537915] __x64_sys_ioctl+0x133/0x190
[ 79.538273] do_syscall_64+0x66/0x130
[ 79.538613] entry_SYSCALL_64_after_hwframe+0x71/0x79
[ 79.539330]
[ 79.539541] Freed by task 49:
[ 79.539837] kasan_save_stack+0x20/0x40
[ 79.540196] kasan_save_track+0x14/0x30
[ 79.540548] kasan_save_free_info+0x3b/0x60
[ 79.540945] poison_slab_object+0x10a/0x170
[ 79.541322] __kasan_slab_free+0x14/0x30
[ 79.541684] kfree+0xe0/0x2f0
[ 79.541983] destroy_user_event+0x305/0x450
[ 79.542356] delayed_destroy_user_event+0x5c/0xe0
[ 79.542768] process_one_work+0x81c/0x1970
[ 79.543153] worker_thread+0x608/0x1160
[ 79.543507] kthread+0x2be/0x3b0
[ 79.543819] ret_from_fork+0x2c/0x70
[ 79.544158] ret_from_fork_asm+0x1a/0x30
[ 79.544515]
[ 79.544714] Last potentially related work creation:
[ 79.545155] kasan_save_stack+0x20/0x40
[ 79.545505] __kasan_record_aux_stack+0x8e/0xa0
[ 79.545905] insert_work+0x20/0x1b0
[ 79.546240] __queue_work+0x67a/0xc60
[ 79.546580] queue_work_on+0x63/0x90
[ 79.546920] user_event_put+0x1f9/0x390
[ 79.547281] user_events_ioctl+0x11ed/0x17f0
[ 79.547665] __x64_sys_ioctl+0x133/0x190
[ 79.548025] do_syscall_64+0x66/0x130
[ 79.548367] entry_SYSCALL_64_after_hwframe+0x71/0x79
[ 79.548813]
[ 79.549025] The buggy address belongs to the object at ffff888001bd4c00
[ 79.549025] which belongs to the cache kmalloc-cg-512 of size 512
[ 79.549985] The buggy address is located 184 bytes inside of
[ 79.549985] freed 512-byte region [ffff888001bd4c00, ffff888001bd4e00)
[ 79.550909]
[ 79.551120] The buggy address belongs to the physical page:
[ 79.551584] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1bd4
[ 79.552219] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 79.552861] memcg:ffff888004b9e101
[ 79.553202] anon flags: 0x40(head|zone=0)
[ 79.553588] page_type: 0xffffefff(slab)
[ 79.553958] raw: 0000000000000040 ffff88800014cdc0 0000000000000000 dead000000000001
[ 79.554625] raw: 0000000000000000 0000000080100010 00000001ffffefff ffff888004b9e101
[ 79.555296] head: 0000000000000040 ffff88800014cdc0 0000000000000000 dead000000000001
[ 79.555963] head: 0000000000000000 0000000080100010 00000001ffffefff ffff888004b9e101
[ 79.556635] head: 0000000000000002 ffffea000006f501 ffffffffffffffff 0000000000000000
[ 79.557307] head: ffff888000000004 0000000000000000 00000000ffffffff 0000000000000000
[ 79.557975] page dumped because: kasan: bad access detected
[ 79.558467]
[ 79.558679] Memory state around the buggy address:
[ 79.559115] ffff888001bd4b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 79.559749] ffff888001bd4c00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 79.560379] >ffff888001bd4c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 79.561014] ^
[ 79.561468] ffff888001bd4d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 79.562094] ffff888001bd4d80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 79.562724] ==================================================================
[ 79.563387] ==================================================================
[ 79.564019] BUG: KASAN: slab-use-after-free in f_start+0x2e4/0x3d0
[ 79.564554] Read of size 8 at addr ffff888001bd4c70 by task cat/4437
[ 79.565102]
[ 79.565314] CPU: 2 PID: 4437 Comm: cat Tainted: G B D N 6.10.0-vanilla+ #34
[ 79.566087] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
[ 79.567186] Call Trace:
[ 79.567464] <TASK>
[ 79.567718] dump_stack_lvl+0x66/0xa0
[ 79.568078] print_report+0xd0/0x630
[ 79.568436] ? f_start+0x2e4/0x3d0
[ 79.569123] ? __virt_addr_valid+0x208/0x3f0
[ 79.569550] ? f_start+0x2e4/0x3d0
[ 79.569896] kasan_report+0xd8/0x110
[ 79.570252] ? f_start+0x2e4/0x3d0
[ 79.570597] f_start+0x2e4/0x3d0
[ 79.570928] seq_read_iter+0x268/0x11e0
[ 79.571303] ? lock_release+0x453/0x600
[ 79.571680] seq_read+0x261/0x350
[ 79.572015] ? file_tty_write.isra.0+0x4f9/0x8b0
[ 79.572443] ? __pfx_seq_read+0x10/0x10
[ 79.572825] ? trace_irq_enable.constprop.0+0xce/0x110
[ 79.573290] vfs_read+0x171/0x9e0
[ 79.573627] ? lock_acquire+0x408/0x4b0
[ 79.573996] ? __pfx_vfs_read+0x10/0x10
[ 79.574377] ? lock_release+0x453/0x600
[ 79.574749] ? __pfx___up_read+0x10/0x10
[ 79.575127] ksys_read+0xdd/0x1a0
[ 79.575468] ? __pfx_ksys_read+0x10/0x10
[ 79.575849] ? trace_irq_enable.constprop.0+0xce/0x110
[ 79.576309] do_syscall_64+0x66/0x130
[ 79.576672] entry_SYSCALL_64_after_hwframe+0x71/0x79
[ 79.577143] RIP: 0033:0x7fac6e8fb40e
[ 79.577509] Code: c0 e9 b6 fe ff ff 50 48 8d 3d 2e 08 0b 00 e8 69 01 02 00 66 0f 1f 84 00 00 00 00 00 64 8b 04 25 18 00 00 00 85 c0 75 14 0f 05 <48> 3d 00 f0 ff ff 77 5a c3 66 0f 1f 84 00 00 00 00 00 48 83 ec 28
[ 79.578957] RSP: 002b:00007ffe7b02f3a8 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
[ 79.579611] RAX: ffffffffffffffda RBX: 0000000000020000 RCX: 00007fac6e8fb40e
[ 79.580208] RDX: 0000000000020000 RSI: 00007fac6e7ef000 RDI: 0000000000000003
[ 79.580805] RBP: 00007fac6e7ef000 R08: 00007fac6e7ee010 R09: 0000000000000000
[ 79.581399] R10: fffffffffffffbc5 R11: 0000000000000246 R12: 0000000000000000
[ 79.581997] R13: 0000000000000003 R14: 0000000000020000 R15: 0000000000020000
[ 79.582588] </TASK>
[ 79.582843]
[ 79.583055] Allocated by task 4436:
[ 79.583404] kasan_save_stack+0x20/0x40
[ 79.583776] kasan_save_track+0x14/0x30
[ 79.584151] __kasan_kmalloc+0x8f/0xa0
[ 79.584514] user_event_parse_cmd+0x55e/0x25a0
[ 79.584936] user_events_ioctl+0xa52/0x17f0
[ 79.585336] __x64_sys_ioctl+0x133/0x190
[ 79.585714] do_syscall_64+0x66/0x130
[ 79.586069] entry_SYSCALL_64_after_hwframe+0x71/0x79
[ 79.586524]
[ 79.586738] Freed by task 49:
[ 79.587051] kasan_save_stack+0x20/0x40
[ 79.587421] kasan_save_track+0x14/0x30
[ 79.587797] kasan_save_free_info+0x3b/0x60
[ 79.588197] poison_slab_object+0x10a/0x170
[ 79.588591] __kasan_slab_free+0x14/0x30
[ 79.588976] kfree+0xe0/0x2f0
[ 79.593142] destroy_user_event+0x305/0x450
[ 79.593572] delayed_destroy_user_event+0x5c/0xe0
[ 79.594014] process_one_work+0x81c/0x1970
[ 79.594413] worker_thread+0x608/0x1160
[ 79.594783] kthread+0x2be/0x3b0
[ 79.595111] ret_from_fork+0x2c/0x70
[ 79.595466] ret_from_fork_asm+0x1a/0x30
[ 79.595841]
[ 79.596052] Last potentially related work creation:
[ 79.596499] kasan_save_stack+0x20/0x40
[ 79.596873] __kasan_record_aux_stack+0x8e/0xa0
[ 79.597290] insert_work+0x20/0x1b0
[ 79.597639] __queue_work+0x67a/0xc60
[ 79.598007] queue_work_on+0x63/0x90
[ 79.598364] user_event_put+0x1f9/0x390
[ 79.598742] user_events_ioctl+0x11ed/0x17f0
[ 79.599403] __x64_sys_ioctl+0x133/0x190
[ 79.599783] do_syscall_64+0x66/0x130
[ 79.600146] entry_SYSCALL_64_after_hwframe+0x71/0x79
[ 79.600610]
[ 79.600842] The buggy address belongs to the object at ffff888001bd4c00
[ 79.600842] which belongs to the cache kmalloc-cg-512 of size 512
[ 79.601866] The buggy address is located 112 bytes inside of
[ 79.601866] freed 512-byte region [ffff888001bd4c00, ffff888001bd4e00)
[ 79.602855]
[ 79.603073] The buggy address belongs to the physical page:
[ 79.603569] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1bd4
[ 79.604249] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 79.604916] memcg:ffff888004b9e101
[ 79.605266] anon flags: 0x40(head|zone=0)
[ 79.605652] page_type: 0xffffefff(slab)
[ 79.606023] raw: 0000000000000040 ffff88800014cdc0 0000000000000000 dead000000000001
[ 79.606692] raw: 0000000000000000 0000000080100010 00000001ffffefff ffff888004b9e101
[ 79.607364] head: 0000000000000040 ffff88800014cdc0 0000000000000000 dead000000000001
[ 79.608037] head: 0000000000000000 0000000080100010 00000001ffffefff ffff888004b9e101
[ 79.608712] head: 0000000000000002 ffffea000006f501 ffffffffffffffff 0000000000000000
[ 79.609393] head: ffff888000000004 0000000000000000 00000000ffffffff 0000000000000000
[ 79.610061] page dumped because: kasan: bad access detected
[ 79.610549]
[ 79.610761] Memory state around the buggy address:
[ 79.611199] ffff888001bd4b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 79.611836] ffff888001bd4b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 79.612432] >ffff888001bd4c00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 79.613050] ^
[ 79.613603] ffff888001bd4c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 79.614201] ffff888001bd4d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 79.614801] ==================================================================
[ 79.763532] ==================================================================
[ 79.764172] BUG: KASAN: slab-use-after-free in f_start+0x2cb/0x3d0
[ 79.764707] Read of size 8 at addr ffff888001bd4d08 by task cat/4437
[ 79.765263]
[ 79.765474] CPU: 2 PID: 4437 Comm: cat Tainted: G B D N 6.10.0-vanilla+ #34
[ 79.766165] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
[ 79.767089] Call Trace:
[ 79.767371] <TASK>
[ 79.767623] dump_stack_lvl+0x66/0xa0
[ 79.767988] print_report+0xd0/0x630
[ 79.768343] ? f_start+0x2cb/0x3d0
[ 79.768688] ? __virt_addr_valid+0x208/0x3f0
[ 79.769097] ? f_start+0x2cb/0x3d0
[ 79.769446] kasan_report+0xd8/0x110
[ 79.769812] ? f_start+0x2cb/0x3d0
[ 79.770165] f_start+0x2cb/0x3d0
[ 79.770505] seq_read_iter+0x268/0x11e0
[ 79.770884] ? lock_release+0x453/0x600
[ 79.771259] seq_read+0x261/0x350
[ 79.771599] ? file_tty_write.isra.0+0x4f9/0x8b0
[ 79.772041] ? __pfx_seq_read+0x10/0x10
[ 79.772417] ? trace_irq_enable.constprop.0+0xce/0x110
[ 79.772889] vfs_read+0x171/0x9e0
[ 79.773233] ? lock_acquire+0x408/0x4b0
[ 79.773610] ? __pfx_vfs_read+0x10/0x10
[ 79.773984] ? lock_release+0x453/0x600
[ 79.774358] ? __pfx___up_read+0x10/0x10
[ 79.774755] ksys_read+0xdd/0x1a0
[ 79.775136] ? __pfx_ksys_read+0x10/0x10
[ 79.775539] ? trace_irq_enable.constprop.0+0xce/0x110
[ 79.776011] do_syscall_64+0x66/0x130
[ 79.776377] entry_SYSCALL_64_after_hwframe+0x71/0x79
[ 79.776840] RIP: 0033:0x7fac6e8fb40e
[ 79.777193] Code: c0 e9 b6 fe ff ff 50 48 8d 3d 2e 08 0b 00 e8 69 01 02 00 66 0f 1f 84 00 00 00 00 00 64 8b 04 25 18 00 00 00 85 c0 75 14 0f 05 <48> 3d 00 f0 ff ff 77 5a c3 66 0f 1f 84 00 00 00 00 00 48 83 ec 28
[ 79.778648] RSP: 002b:00007ffe7b02f3a8 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
[ 79.779572] RAX: ffffffffffffffda RBX: 0000000000020000 RCX: 00007fac6e8fb40e
[ 79.780178] RDX: 0000000000020000 RSI: 00007fac6e7ef000 RDI: 0000000000000003
[ 79.780788] RBP: 00007fac6e7ef000 R08: 00007fac6e7ee010 R09: 0000000000000000
[ 79.781381] R10: fffffffffffffbc5 R11: 0000000000000246 R12: 0000000000000000
[ 79.781956] R13: 0000000000000003 R14: 0000000000020000 R15: 0000000000020000
[ 79.782529] </TASK>
[ 79.782775]
[ 79.782974] Allocated by task 4436:
[ 79.783310] kasan_save_stack+0x20/0x40
[ 79.783668] kasan_save_track+0x14/0x30
[ 79.784021] __kasan_kmalloc+0x8f/0xa0
[ 79.784366] user_event_parse_cmd+0x55e/0x25a0
[ 79.784789] user_events_ioctl+0xa52/0x17f0
[ 79.785185] __x64_sys_ioctl+0x133/0x190
[ 79.785571] do_syscall_64+0x66/0x130
[ 79.785941] entry_SYSCALL_64_after_hwframe+0x71/0x79
[ 79.786404]
[ 79.786614] Freed by task 49:
[ 79.786931] kasan_save_stack+0x20/0x40
[ 79.787312] kasan_save_track+0x14/0x30
[ 79.787686] kasan_save_free_info+0x3b/0x60
[ 79.788085] poison_slab_object+0x10a/0x170
[ 79.788483] __kasan_slab_free+0x14/0x30
[ 79.788874] kfree+0xe0/0x2f0
[ 79.789195] destroy_user_event+0x305/0x450
[ 79.789595] delayed_destroy_user_event+0x5c/0xe0
[ 79.790034] process_one_work+0x81c/0x1970
[ 79.790422] worker_thread+0x608/0x1160
[ 79.790791] kthread+0x2be/0x3b0
[ 79.791129] ret_from_fork+0x2c/0x70
[ 79.791485] ret_from_fork_asm+0x1a/0x30
[ 79.791850]
[ 79.792051] Last potentially related work creation:
[ 79.792474] kasan_save_stack+0x20/0x40
[ 79.792853] __kasan_record_aux_stack+0x8e/0xa0
[ 79.793256] insert_work+0x20/0x1b0
[ 79.793589] __queue_work+0x67a/0xc60
[ 79.793933] queue_work_on+0x63/0x90
[ 79.794268] user_event_put+0x1f9/0x390
[ 79.794625] user_events_ioctl+0x11ed/0x17f0
[ 79.795008] __x64_sys_ioctl+0x133/0x190
[ 79.795366] do_syscall_64+0x66/0x130
[ 79.795707] entry_SYSCALL_64_after_hwframe+0x71/0x79
[ 79.796143]
[ 79.796344] The buggy address belongs to the object at ffff888001bd4c00
[ 79.796344] which belongs to the cache kmalloc-cg-512 of size 512
[ 79.797323] The buggy address is located 264 bytes inside of
[ 79.797323] freed 512-byte region [ffff888001bd4c00, ffff888001bd4e00)
[ 79.798244]
[ 79.798448] The buggy address belongs to the physical page:
[ 79.798912] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1bd4
[ 79.799551] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 79.800174] memcg:ffff888004b9e101
[ 79.800499] anon flags: 0x40(head|zone=0)
[ 79.800887] page_type: 0xffffefff(slab)
[ 79.801260] raw: 0000000000000040 ffff88800014cdc0 0000000000000000 dead000000000001
[ 79.805796] raw: 0000000000000000 0000000080100010 00000001ffffefff ffff888004b9e101
[ 79.806457] head: 0000000000000040 ffff88800014cdc0 0000000000000000 dead000000000001
[ 79.807130] head: 0000000000000000 0000000080100010 00000001ffffefff ffff888004b9e101
[ 79.807802] head: 0000000000000002 ffffea000006f501 ffffffffffffffff 0000000000000000
[ 79.808470] head: ffff888000000004 0000000000000000 00000000ffffffff 0000000000000000
[ 79.809510] page dumped because: kasan: bad access detected
[ 79.810002]
[ 79.810201] Memory state around the buggy address:
[ 79.810619] ffff888001bd4c00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 79.811220] ffff888001bd4c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 79.811817] >ffff888001bd4d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 79.812414] ^
[ 79.812756] ffff888001bd4d80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 79.813355] ffff888001bd4e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 79.813955] ==================================================================
[ 79.814611] ==================================================================
[ 79.815240] BUG: KASAN: slab-use-after-free in user_event_get_fields+0x38/0x40
[ 79.815841] Read of size 8 at addr ffff888001bd4cb8 by task cat/4437
[ 79.816362]
[ 79.816563] CPU: 2 PID: 4437 Comm: cat Tainted: G B D N 6.10.0-vanilla+ #34
[ 79.817231] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
[ 79.818104] Call Trace:
[ 79.818365] <TASK>
[ 79.818618] dump_stack_lvl+0x66/0xa0
[ 79.818978] print_report+0xd0/0x630
[ 79.819336] ? user_event_get_fields+0x38/0x40
[ 79.819754] ? __virt_addr_valid+0x208/0x3f0
[ 79.820161] ? user_event_get_fields+0x38/0x40
[ 79.820578] kasan_report+0xd8/0x110
[ 79.820940] ? user_event_get_fields+0x38/0x40
[ 79.821362] user_event_get_fields+0x38/0x40
[ 79.821768] f_start+0x175/0x3d0
[ 79.822105] seq_read_iter+0x268/0x11e0
[ 79.822486] ? lock_release+0x453/0x600
[ 79.822863] seq_read+0x261/0x350
[ 79.823203] ? file_tty_write.isra.0+0x4f9/0x8b0
[ 79.823630] ? __pfx_seq_read+0x10/0x10
[ 79.824011] ? trace_irq_enable.constprop.0+0xce/0x110
[ 79.824473] vfs_read+0x171/0x9e0
[ 79.824818] ? lock_acquire+0x408/0x4b0
[ 79.825196] ? __pfx_vfs_read+0x10/0x10
[ 79.825573] ? lock_release+0x453/0x600
[ 79.825934] ? __pfx___up_read+0x10/0x10
[ 79.826292] ksys_read+0xdd/0x1a0
[ 79.826612] ? __pfx_ksys_read+0x10/0x10
[ 79.826976] ? trace_irq_enable.constprop.0+0xce/0x110
[ 79.827419] do_syscall_64+0x66/0x130
[ 79.827763] entry_SYSCALL_64_after_hwframe+0x71/0x79
[ 79.828199] RIP: 0033:0x7fac6e8fb40e
[ 79.828540] Code: c0 e9 b6 fe ff ff 50 48 8d 3d 2e 08 0b 00 e8 69 01 02 00 66 0f 1f 84 00 00 00 00 00 64 8b 04 25 18 00 00 00 85 c0 75 14 0f 05 <48> 3d 00 f0 ff ff 77 5a c3 66 0f 1f 84 00 00 00 00 00 48 83 ec 28
[ 79.829912] RSP: 002b:00007ffe7b02f3a8 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
[ 79.830535] RAX: ffffffffffffffda RBX: 0000000000020000 RCX: 00007fac6e8fb40e
[ 79.831104] RDX: 0000000000020000 RSI: 00007fac6e7ef000 RDI: 0000000000000003
[ 79.831677] RBP: 00007fac6e7ef000 R08: 00007fac6e7ee010 R09: 0000000000000000
[ 79.832245] R10: fffffffffffffbc5 R11: 0000000000000246 R12: 0000000000000000
[ 79.832822] R13: 0000000000000003 R14: 0000000000020000 R15: 0000000000020000
[ 79.833406] </TASK>
[ 79.833655]
[ 79.833858] Allocated by task 4436:
[ 79.834191] kasan_save_stack+0x20/0x40
[ 79.834548] kasan_save_track+0x14/0x30
[ 79.834903] __kasan_kmalloc+0x8f/0xa0
[ 79.835251] user_event_parse_cmd+0x55e/0x25a0
[ 79.835645] user_events_ioctl+0xa52/0x17f0
[ 79.836045] __x64_sys_ioctl+0x133/0x190
[ 79.836428] do_syscall_64+0x66/0x130
[ 79.836800] entry_SYSCALL_64_after_hwframe+0x71/0x79
[ 79.837273]
[ 79.837488] Freed by task 49:
[ 79.837806] kasan_save_stack+0x20/0x40
[ 79.838184] kasan_save_track+0x14/0x30
[ 79.838564] kasan_save_free_info+0x3b/0x60
[ 79.839213] poison_slab_object+0x10a/0x170
[ 79.839626] __kasan_slab_free+0x14/0x30
[ 79.840006] kfree+0xe0/0x2f0
[ 79.840326] destroy_user_event+0x305/0x450
[ 79.840722] delayed_destroy_user_event+0x5c/0xe0
[ 79.841168] process_one_work+0x81c/0x1970
[ 79.841568] worker_thread+0x608/0x1160
[ 79.841936] kthread+0x2be/0x3b0
[ 79.842263] ret_from_fork+0x2c/0x70
[ 79.842601] ret_from_fork_asm+0x1a/0x30
[ 79.842968]
[ 79.843170] Last potentially related work creation:
[ 79.843592] kasan_save_stack+0x20/0x40
[ 79.843949] __kasan_record_aux_stack+0x8e/0xa0
[ 79.844350] insert_work+0x20/0x1b0
[ 79.844682] __queue_work+0x67a/0xc60
[ 79.845030] queue_work_on+0x63/0x90
[ 79.845369] user_event_put+0x1f9/0x390
[ 79.845721] user_events_ioctl+0x11ed/0x17f0
[ 79.846103] __x64_sys_ioctl+0x133/0x190
[ 79.846467] do_syscall_64+0x66/0x130
[ 79.846808] entry_SYSCALL_64_after_hwframe+0x71/0x79
[ 79.847241]
[ 79.847441] The buggy address belongs to the object at ffff888001bd4c00
[ 79.847441] which belongs to the cache kmalloc-cg-512 of size 512
[ 79.848398] The buggy address is located 184 bytes inside of
[ 79.848398] freed 512-byte region [ffff888001bd4c00, ffff888001bd4e00)
[ 79.849330]
[ 79.849535] The buggy address belongs to the physical page:
[ 79.850000] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1bd4
[ 79.850641] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 79.851272] memcg:ffff888004b9e101
[ 79.851596] anon flags: 0x40(head|zone=0)
[ 79.851961] page_type: 0xffffefff(slab)
[ 79.852334] raw: 0000000000000040 ffff88800014cdc0 0000000000000000 dead000000000001
[ 79.853003] raw: 0000000000000000 0000000080100010 00000001ffffefff ffff888004b9e101
[ 79.853677] head: 0000000000000040 ffff88800014cdc0 0000000000000000 dead000000000001
[ 79.854355] head: 0000000000000000 0000000080100010 00000001ffffefff ffff888004b9e101
[ 79.855040] head: 0000000000000002 ffffea000006f501 ffffffffffffffff 0000000000000000
[ 79.855720] head: ffff888000000004 0000000000000000 00000000ffffffff 0000000000000000
[ 79.856397] page dumped because: kasan: bad access detected
[ 79.856892]
[ 79.857109] Memory state around the buggy address:
[ 79.857547] ffff888001bd4b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 79.858176] ffff888001bd4c00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 79.858809] >ffff888001bd4c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 79.859416] ^
[ 79.859842] ffff888001bd4d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 79.860441] ffff888001bd4d80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 79.861043] ==================================================================
[ 79.861721] ==================================================================
[ 79.862335] BUG: KASAN: slab-use-after-free in f_start+0x2f8/0x3d0
[ 79.862847] Read of size 8 at addr ffff888001bd4d58 by task cat/4437
[ 79.863366]
[ 79.863568] CPU: 2 PID: 4437 Comm: cat Tainted: G B D N 6.10.0-vanilla+ #34
[ 79.864217] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
[ 79.865116] Call Trace:
[ 79.865392] <TASK>
[ 79.865642] dump_stack_lvl+0x66/0xa0
[ 79.866012] print_report+0xd0/0x630
[ 79.866372] ? f_start+0x2f8/0x3d0
[ 79.866719] ? __virt_addr_valid+0x208/0x3f0
[ 79.867126] ? f_start+0x2f8/0x3d0
[ 79.867471] kasan_report+0xd8/0x110
[ 79.867826] ? f_start+0x2f8/0x3d0
[ 79.868173] f_start+0x2f8/0x3d0
[ 79.868511] seq_read_iter+0x268/0x11e0
[ 79.869069] ? lock_release+0x453/0x600
[ 79.869442] seq_read+0x261/0x350
[ 79.869780] ? file_tty_write.isra.0+0x4f9/0x8b0
[ 79.870215] ? __pfx_seq_read+0x10/0x10
[ 79.870594] ? trace_irq_enable.constprop.0+0xce/0x110
[ 79.874930] vfs_read+0x171/0x9e0
[ 79.875275] ? lock_acquire+0x408/0x4b0
[ 79.875675] ? __pfx_vfs_read+0x10/0x10
[ 79.876125] ? lock_release+0x453/0x600
[ 79.876495] ? __pfx___up_read+0x10/0x10
[ 79.876877] ksys_read+0xdd/0x1a0
[ 79.877200] ? __pfx_ksys_read+0x10/0x10
[ 79.877558] ? trace_irq_enable.constprop.0+0xce/0x110
[ 79.878000] do_syscall_64+0x66/0x130
[ 79.878346] entry_SYSCALL_64_after_hwframe+0x71/0x79
[ 79.878784] RIP: 0033:0x7fac6e8fb40e
[ 79.879120] Code: c0 e9 b6 fe ff ff 50 48 8d 3d 2e 08 0b 00 e8 69 01 02 00 66 0f 1f 84 00 00 00 00 00 64 8b 04 25 18 00 00 00 85 c0 75 14 0f 05 <48> 3d 00 f0 ff ff 77 5a c3 66 0f 1f 84 00 00 00 00 00 48 83 ec 28
[ 79.880489] RSP: 002b:00007ffe7b02f3a8 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
[ 79.881128] RAX: ffffffffffffffda RBX: 0000000000020000 RCX: 00007fac6e8fb40e
[ 79.881698] RDX: 0000000000020000 RSI: 00007fac6e7ef000 RDI: 0000000000000003
[ 79.882264] RBP: 00007fac6e7ef000 R08: 00007fac6e7ee010 R09: 0000000000000000
[ 79.882837] R10: fffffffffffffbc5 R11: 0000000000000246 R12: 0000000000000000
[ 79.883405] R13: 0000000000000003 R14: 0000000000020000 R15: 0000000000020000
[ 79.883975] </TASK>
[ 79.884223]
[ 79.884424] Allocated by task 4436:
[ 79.884758] kasan_save_stack+0x20/0x40
[ 79.885132] kasan_save_track+0x14/0x30
[ 79.885506] __kasan_kmalloc+0x8f/0xa0
[ 79.885876] user_event_parse_cmd+0x55e/0x25a0
[ 79.886300] user_events_ioctl+0xa52/0x17f0
[ 79.886699] __x64_sys_ioctl+0x133/0x190
[ 79.887078] do_syscall_64+0x66/0x130
[ 79.887439] entry_SYSCALL_64_after_hwframe+0x71/0x79
[ 79.887901]
[ 79.888115] Freed by task 49:
[ 79.888430] kasan_save_stack+0x20/0x40
[ 79.888813] kasan_save_track+0x14/0x30
[ 79.889188] kasan_save_free_info+0x3b/0x60
[ 79.889584] poison_slab_object+0x10a/0x170
[ 79.889979] __kasan_slab_free+0x14/0x30
[ 79.890360] kfree+0xe0/0x2f0
[ 79.890676] destroy_user_event+0x305/0x450
[ 79.891071] delayed_destroy_user_event+0x5c/0xe0
[ 79.891505] process_one_work+0x81c/0x1970
[ 79.891897] worker_thread+0x608/0x1160
[ 79.892271] kthread+0x2be/0x3b0
[ 79.892584] ret_from_fork+0x2c/0x70
[ 79.892930] ret_from_fork_asm+0x1a/0x30
[ 79.893290]
[ 79.893491] Last potentially related work creation:
[ 79.893915] kasan_save_stack+0x20/0x40
[ 79.894268] __kasan_record_aux_stack+0x8e/0xa0
[ 79.894665] insert_work+0x20/0x1b0
[ 79.894996] __queue_work+0x67a/0xc60
[ 79.895344] queue_work_on+0x63/0x90
[ 79.895679] user_event_put+0x1f9/0x390
[ 79.896034] user_events_ioctl+0x11ed/0x17f0
[ 79.896418] __x64_sys_ioctl+0x133/0x190
[ 79.896782] do_syscall_64+0x66/0x130
[ 79.897122] entry_SYSCALL_64_after_hwframe+0x71/0x79
[ 79.897556]
[ 79.897756] The buggy address belongs to the object at ffff888001bd4c00
[ 79.897756] which belongs to the cache kmalloc-cg-512 of size 512
[ 79.898709] The buggy address is located 344 bytes inside of
[ 79.898709] freed 512-byte region [ffff888001bd4c00, ffff888001bd4e00)
[ 79.899830]
[ 79.900034] The buggy address belongs to the physical page:
[ 79.900498] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1bd4
[ 79.901149] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 79.901776] memcg:ffff888004b9e101
[ 79.902102] anon flags: 0x40(head|zone=0)
[ 79.902483] page_type: 0xffffefff(slab)
[ 79.902859] raw: 0000000000000040 ffff88800014cdc0 0000000000000000 dead000000000001
[ 79.903530] raw: 0000000000000000 0000000080100010 00000001ffffefff ffff888004b9e101
[ 79.904200] head: 0000000000000040 ffff88800014cdc0 0000000000000000 dead000000000001
[ 79.904881] head: 0000000000000000 0000000080100010 00000001ffffefff ffff888004b9e101
[ 79.905559] head: 0000000000000002 ffffea000006f501 ffffffffffffffff 0000000000000000
[ 79.906231] head: ffff888000000004 0000000000000000 00000000ffffffff 0000000000000000
[ 79.906909] page dumped because: kasan: bad access detected
[ 79.907402]
[ 79.907619] Memory state around the buggy address:
[ 79.908058] ffff888001bd4c00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 79.908691] ffff888001bd4c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 79.909323] >ffff888001bd4d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 79.909930] ^
[ 79.910429] ffff888001bd4d80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 79.911027] ffff888001bd4e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 79.911628] ==================================================================
[ 79.912279] ==================================================================
[ 79.912920] BUG: KASAN: slab-use-after-free in f_start+0x2e4/0x3d0
[ 79.913473] Read of size 8 at addr ffff888001bd4c70 by task cat/4437
[ 79.914022]
[ 79.914237] CPU: 2 PID: 4437 Comm: cat Tainted: G B D N 6.10.0-vanilla+ #34
[ 79.914922] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
[ 79.915843] Call Trace:
[ 79.916116] <TASK>
[ 79.916375] dump_stack_lvl+0x66/0xa0
[ 79.916743] print_report+0xd0/0x630
[ 79.917097] ? f_start+0x2e4/0x3d0
[ 79.917441] ? __virt_addr_valid+0x208/0x3f0
[ 79.917847] ? f_start+0x2e4/0x3d0
[ 79.918192] kasan_report+0xd8/0x110
[ 79.918546] ? f_start+0x2e4/0x3d0
[ 79.918893] f_start+0x2e4/0x3d0
[ 79.919229] seq_read_iter+0x268/0x11e0
[ 79.919602] ? lock_release+0x453/0x600
[ 79.919985] seq_read+0x261/0x350
[ 79.920335] ? file_tty_write.isra.0+0x4f9/0x8b0
[ 79.920779] ? __pfx_seq_read+0x10/0x10
[ 79.921152] ? trace_irq_enable.constprop.0+0xce/0x110
[ 79.921624] vfs_read+0x171/0x9e0
[ 79.921968] ? lock_acquire+0x408/0x4b0
[ 79.922346] ? __pfx_vfs_read+0x10/0x10
[ 79.922725] ? lock_release+0x453/0x600
[ 79.923102] ? __pfx___up_read+0x10/0x10
[ 79.923483] ksys_read+0xdd/0x1a0
[ 79.923823] ? __pfx_ksys_read+0x10/0x10
[ 79.924206] ? trace_irq_enable.constprop.0+0xce/0x110
[ 79.924676] do_syscall_64+0x66/0x130
[ 79.925055] entry_SYSCALL_64_after_hwframe+0x71/0x79
[ 79.925523] RIP: 0033:0x7fac6e8fb40e
[ 79.925881] Code: c0 e9 b6 fe ff ff 50 48 8d 3d 2e 08 0b 00 e8 69 01 02 00 66 0f 1f 84 00 00 00 00 00 64 8b 04 25 18 00 00 00 85 c0 75 14 0f 05 <48> 3d 00 f0 ff ff 77 5a c3 66 0f 1f 84 00 00 00 00 00 48 83 ec 28
[ 79.927336] RSP: 002b:00007ffe7b02f3a8 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
[ 79.927993] RAX: ffffffffffffffda RBX: 0000000000020000 RCX: 00007fac6e8fb40e
[ 79.928595] RDX: 0000000000020000 RSI: 00007fac6e7ef000 RDI: 0000000000000003
[ 79.929536] RBP: 00007fac6e7ef000 R08: 00007fac6e7ee010 R09: 0000000000000000
[ 79.930153] R10: fffffffffffffbc5 R11: 0000000000000246 R12: 0000000000000000
[ 79.930747] R13: 0000000000000003 R14: 0000000000020000 R15: 0000000000020000
[ 79.931343] </TASK>
[ 79.931601]
[ 79.931813] Allocated by task 4436:
[ 79.932161] kasan_save_stack+0x20/0x40
[ 79.932532] kasan_save_track+0x14/0x30
[ 79.932912] __kasan_kmalloc+0x8f/0xa0
[ 79.933279] user_event_parse_cmd+0x55e/0x25a0
[ 79.933695] user_events_ioctl+0xa52/0x17f0
[ 79.934088] __x64_sys_ioctl+0x133/0x190
[ 79.934468] do_syscall_64+0x66/0x130
[ 79.934828] entry_SYSCALL_64_after_hwframe+0x71/0x79
[ 79.935286]
[ 79.935498] Freed by task 49:
[ 79.935816] kasan_save_stack+0x20/0x40
[ 79.936186] kasan_save_track+0x14/0x30
[ 79.936559] kasan_save_free_info+0x3b/0x60
[ 79.936960] poison_slab_object+0x10a/0x170
[ 79.937354] __kasan_slab_free+0x14/0x30
[ 79.937730] kfree+0xe0/0x2f0
[ 79.938046] destroy_user_event+0x305/0x450
[ 79.938446] delayed_destroy_user_event+0x5c/0xe0
[ 79.938877] process_one_work+0x81c/0x1970
[ 79.939266] worker_thread+0x608/0x1160
[ 79.939638] kthread+0x2be/0x3b0
[ 79.939973] ret_from_fork+0x2c/0x70
[ 79.940334] ret_from_fork_asm+0x1a/0x30
[ 79.940717]
[ 79.940932] Last potentially related work creation:
[ 79.941375] kasan_save_stack+0x20/0x40
[ 79.941750] __kasan_record_aux_stack+0x8e/0xa0
[ 79.942171] insert_work+0x20/0x1b0
[ 79.942518] __queue_work+0x67a/0xc60
[ 79.942876] queue_work_on+0x63/0x90
[ 79.947065] user_event_put+0x1f9/0x390
[ 79.947443] user_events_ioctl+0x11ed/0x17f0
[ 79.947845] __x64_sys_ioctl+0x133/0x190
[ 79.948226] do_syscall_64+0x66/0x130
[ 79.948584] entry_SYSCALL_64_after_hwframe+0x71/0x79
[ 79.949049]
[ 79.949262] The buggy address belongs to the object at ffff888001bd4c00
[ 79.949262] which belongs to the cache kmalloc-cg-512 of size 512
[ 79.950277] The buggy address is located 112 bytes inside of
[ 79.950277] freed 512-byte region [ffff888001bd4c00, ffff888001bd4e00)
[ 79.951251]
[ 79.951463] The buggy address belongs to the physical page:
[ 79.951960] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1bd4
[ 79.952628] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 79.953296] memcg:ffff888004b9e101
[ 79.953636] anon flags: 0x40(head|zone=0)
[ 79.954021] page_type: 0xffffefff(slab)
[ 79.954396] raw: 0000000000000040 ffff88800014cdc0 0000000000000000 dead000000000001
[ 79.955062] raw: 0000000000000000 0000000080100010 00000001ffffefff ffff888004b9e101
[ 79.955732] head: 0000000000000040 ffff88800014cdc0 0000000000000000 dead000000000001
[ 79.956403] head: 0000000000000000 0000000080100010 00000001ffffefff ffff888004b9e101
[ 79.957081] head: 0000000000000002 ffffea000006f501 ffffffffffffffff 0000000000000000
[ 79.957757] head: ffff888000000004 0000000000000000 00000000ffffffff 0000000000000000
[ 79.958423] page dumped because: kasan: bad access detected
[ 79.959115]
[ 79.959329] Memory state around the buggy address:
[ 79.959768] ffff888001bd4b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 79.960394] ffff888001bd4b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 79.961030] >ffff888001bd4c00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 79.961663] ^
[ 79.962245] ffff888001bd4c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 79.962873] ffff888001bd4d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 79.963504] ==================================================================
[ 79.964183] ==================================================================
[ 79.964822] BUG: KASAN: slab-use-after-free in f_start+0x2cb/0x3d0
[ 79.965353] Read of size 8 at addr ffff888001bd4d08 by task cat/4437
[ 79.965900]
[ 79.966115] CPU: 2 PID: 4437 Comm: cat Tainted: G B D N 6.10.0-vanilla+ #34
[ 79.966796] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
[ 79.967720] Call Trace:
[ 79.967997] <TASK>
[ 79.968247] dump_stack_lvl+0x66/0xa0
[ 79.968613] print_report+0xd0/0x630
[ 79.968972] ? f_start+0x2cb/0x3d0
[ 79.969316] ? __virt_addr_valid+0x208/0x3f0
[ 79.969723] ? f_start+0x2cb/0x3d0
[ 79.970066] kasan_report+0xd8/0x110
[ 79.970419] ? f_start+0x2cb/0x3d0
[ 79.970766] f_start+0x2cb/0x3d0
[ 79.971100] seq_read_iter+0x268/0x11e0
[ 79.971471] ? lock_release+0x453/0x600
[ 79.971847] seq_read+0x261/0x350
[ 79.972189] ? file_tty_write.isra.0+0x4f9/0x8b0
[ 79.972614] ? __pfx_seq_read+0x10/0x10
[ 79.972991] ? trace_irq_enable.constprop.0+0xce/0x110
[ 79.973458] vfs_read+0x171/0x9e0
[ 79.973797] ? lock_acquire+0x408/0x4b0
[ 79.974172] ? __pfx_vfs_read+0x10/0x10
[ 79.974547] ? lock_release+0x453/0x600
[ 79.974923] ? __pfx___up_read+0x10/0x10
[ 79.975301] ksys_read+0xdd/0x1a0
[ 79.975639] ? __pfx_ksys_read+0x10/0x10
[ 79.976020] ? trace_irq_enable.constprop.0+0xce/0x110
[ 79.976485] do_syscall_64+0x66/0x130
[ 79.976846] entry_SYSCALL_64_after_hwframe+0x71/0x79
[ 79.977310] RIP: 0033:0x7fac6e8fb40e
[ 79.977669] Code: c0 e9 b6 fe ff ff 50 48 8d 3d 2e 08 0b 00 e8 69 01 02 00 66 0f 1f 84 00 00 00 00 00 64 8b 04 25 18 00 00 00 85 c0 75 14 0f 05 <48> 3d 00 f0 ff ff 77 5a c3 66 0f 1f 84 00 00 00 00 00 48 83 ec 28
[ 79.979114] RSP: 002b:00007ffe7b02f3a8 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
[ 79.979772] RAX: ffffffffffffffda RBX: 0000000000020000 RCX: 00007fac6e8fb40e
[ 79.980381] RDX: 0000000000020000 RSI: 00007fac6e7ef000 RDI: 0000000000000003
[ 79.980990] RBP: 00007fac6e7ef000 R08: 00007fac6e7ee010 R09: 0000000000000000
[ 79.981588] R10: fffffffffffffbc5 R11: 0000000000000246 R12: 0000000000000000
[ 79.982191] R13: 0000000000000003 R14: 0000000000020000 R15: 0000000000020000
[ 79.982792] </TASK>
[ 79.983053]
[ 79.983266] Allocated by task 4436:
[ 79.983613] kasan_save_stack+0x20/0x40
[ 79.983990] kasan_save_track+0x14/0x30
[ 79.984362] __kasan_kmalloc+0x8f/0xa0
[ 79.984729] user_event_parse_cmd+0x55e/0x25a0
[ 79.985155] user_events_ioctl+0xa52/0x17f0
[ 79.985548] __x64_sys_ioctl+0x133/0x190
[ 79.985930] do_syscall_64+0x66/0x130
[ 79.986293] entry_SYSCALL_64_after_hwframe+0x71/0x79
[ 79.986747]
[ 79.986959] Freed by task 49:
[ 79.987276] kasan_save_stack+0x20/0x40
[ 79.987647] kasan_save_track+0x14/0x30
[ 79.988020] kasan_save_free_info+0x3b/0x60
[ 79.988419] poison_slab_object+0x10a/0x170
[ 79.989022] __kasan_slab_free+0x14/0x30
[ 79.989409] kfree+0xe0/0x2f0
[ 79.989732] destroy_user_event+0x305/0x450
[ 79.990130] delayed_destroy_user_event+0x5c/0xe0
[ 79.990562] process_one_work+0x81c/0x1970
[ 79.990953] worker_thread+0x608/0x1160
[ 79.991329] kthread+0x2be/0x3b0
[ 79.991661] ret_from_fork+0x2c/0x70
[ 79.992015] ret_from_fork_asm+0x1a/0x30
[ 79.992394]
[ 79.992606] Last potentially related work creation:
[ 79.993059] kasan_save_stack+0x20/0x40
[ 79.993439] __kasan_record_aux_stack+0x8e/0xa0
[ 79.993859] insert_work+0x20/0x1b0
[ 79.994206] __queue_work+0x67a/0xc60
[ 79.994567] queue_work_on+0x63/0x90
[ 79.994920] user_event_put+0x1f9/0x390
[ 79.995289] user_events_ioctl+0x11ed/0x17f0
[ 79.995695] __x64_sys_ioctl+0x133/0x190
[ 79.996076] do_syscall_64+0x66/0x130
[ 79.996437] entry_SYSCALL_64_after_hwframe+0x71/0x79
[ 79.996896]
[ 79.997109] The buggy address belongs to the object at ffff888001bd4c00
[ 79.997109] which belongs to the cache kmalloc-cg-512 of size 512
[ 79.998122] The buggy address is located 264 bytes inside of
[ 79.998122] freed 512-byte region [ffff888001bd4c00, ffff888001bd4e00)
[ 79.999094]
[ 79.999309] The buggy address belongs to the physical page:
[ 79.999801] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1bd4
[ 80.000475] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 80.001143] memcg:ffff888004b9e101
[ 80.001486] anon flags: 0x40(head|zone=0)
[ 80.001871] page_type: 0xffffefff(slab)
[ 80.002226] raw: 0000000000000040 ffff88800014cdc0 0000000000000000 dead000000000001
[ 80.002861] raw: 0000000000000000 0000000080100010 00000001ffffefff ffff888004b9e101
[ 80.003490] head: 0000000000000040 ffff88800014cdc0 0000000000000000 dead000000000001
[ 80.004129] head: 0000000000000000 0000000080100010 00000001ffffefff ffff888004b9e101
[ 80.004774] head: 0000000000000002 ffffea000006f501 ffffffffffffffff 0000000000000000
[ 80.005417] head: ffff888000000004 0000000000000000 00000000ffffffff 0000000000000000
[ 80.006063] page dumped because: kasan: bad access detected
[ 80.006528]
[ 80.006727] Memory state around the buggy address:
[ 80.007148] ffff888001bd4c00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 80.007754] ffff888001bd4c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 80.008353] >ffff888001bd4d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 80.008961] ^
[ 80.009295] ffff888001bd4d80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 80.009893] ffff888001bd4e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 80.010494] ==================================================================
[ 80.011109] ==================================================================
[ 80.011732] BUG: KASAN: slab-use-after-free in user_event_get_fields+0x38/0x40
[ 80.012332] Read of size 8 at addr ffff888001bd4cb8 by task cat/4437
[ 80.012864]
[ 80.013069] CPU: 2 PID: 4437 Comm: cat Tainted: G B D N 6.10.0-vanilla+ #34
[ 80.017381] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014
[ 80.018258] Call Trace:
[ 80.018521] <TASK>
[ 80.018761] dump_stack_lvl+0x66/0xa0
[ 80.019312] print_report+0xd0/0x630
[ 80.019656] ? user_event_get_fields+0x38/0x40
[ 80.020050] ? __virt_addr_valid+0x208/0x3f0
[ 80.020433] ? user_event_get_fields+0x38/0x40
[ 80.020838] kasan_report+0xd8/0x110
[ 80.021178] ? user_event_get_fields+0x38/0x40
[ 80.021577] user_event_get_fields+0x38/0x40
[ 80.021959] f_start+0x175/0x3d0
[ 80.022278] seq_read_iter+0x268/0x11e0
[ 80.022632] ? lock_release+0x453/0x600
[ 80.022993] seq_read+0x261/0x350
[ 80.023314] ? file_tty_write.isra.0+0x4f9/0x8b0
[ 80.023721] ? __pfx_seq_read+0x10/0x10
[ 80.024075] ? trace_irq_enable.constprop.0+0xce/0x110
[ 80.024516] vfs_read+0x171/0x9e0
[ 80.024843] ? lock_acquire+0x408/0x4b0
[ 80.025196] ? __pfx_vfs_read+0x10/0x10
[ 80.025549] ? lock_release+0x453/0x600
[ 80.025906] ? __pfx___up_read+0x10/0x10
[ 80.026270] ksys_read+0xdd/0x1a0
[ 80.026589] ? __pfx_ksys_read+0x10/0x10
[ 80.026949] ? trace_irq_enable.constprop.0+0xce/0x110
[ 80.027391] do_syscall_64+0x66/0x130
[ 80.027736] entry_SYSCALL_64_after_hwframe+0x71/0x79
[ 80.028174] RIP: 0033:0x7fac6e8fb40e
[ 80.028510] Code: c0 e9 b6 fe ff ff 50 48 8d 3d 2e 08 0b 00 e8 69 01 02 00 66 0f 1f 84 00 00 00 00 00 64 8b 04 25 18 00 00 00 85 c0 75 14 0f 05 <48> 3d 00 f0 ff ff 77 5a c3 66 0f 1f 84 00 00 00 00 00 48 83 ec 28
[ 80.029885] RSP: 002b:00007ffe7b02f3a8 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
[ 80.030509] RAX: ffffffffffffffda RBX: 0000000000020000 RCX: 00007fac6e8fb40e
[ 80.031081] RDX: 0000000000020000 RSI: 00007fac6e7ef000 RDI: 0000000000000003
[ 80.031654] RBP: 00007fac6e7ef000 R08: 00007fac6e7ee010 R09: 0000000000000000
[ 80.032225] R10: fffffffffffffbc5 R11: 0000000000000246 R12: 0000000000000000
[ 80.032802] R13: 0000000000000003 R14: 0000000000020000 R15: 0000000000020000
[ 80.033376] </TASK>
[ 80.033623]
[ 80.033823] Allocated by task 4436:
[ 80.034156] kasan_save_stack+0x20/0x40
[ 80.034510] kasan_save_track+0x14/0x30
[ 80.034863] __kasan_kmalloc+0x8f/0xa0
[ 80.035212] user_event_parse_cmd+0x55e/0x25a0
[ 80.035616] user_events_ioctl+0xa52/0x17f0
[ 80.035990] __x64_sys_ioctl+0x133/0x190
[ 80.036347] do_syscall_64+0x66/0x130
[ 80.036690] entry_SYSCALL_64_after_hwframe+0x71/0x79
[ 80.037123]
[ 80.037325] Freed by task 49:
[ 80.037625] kasan_save_stack+0x20/0x40
[ 80.037977] kasan_save_track+0x14/0x30
[ 80.038330] kasan_save_free_info+0x3b/0x60
[ 80.038704] poison_slab_object+0x10a/0x170
[ 80.039080] __kasan_slab_free+0x14/0x30
[ 80.039440] kfree+0xe0/0x2f0
[ 80.039738] destroy_user_event+0x305/0x450
[ 80.040116] delayed_destroy_user_event+0x5c/0xe0
[ 80.040531] process_one_work+0x81c/0x1970
[ 80.040900] worker_thread+0x608/0x1160
[ 80.041251] kthread+0x2be/0x3b0
[ 80.041570] ret_from_fork+0x2c/0x70
[ 80.041908] ret_from_fork_asm+0x1a/0x30
[ 80.042264]
[ 80.042466] Last potentially related work creation:
[ 80.042884] kasan_save_stack+0x20/0x40
[ 80.043236] __kasan_record_aux_stack+0x8e/0xa0
[ 80.043639] insert_work+0x20/0x1b0
[ 80.043976] __queue_work+0x67a/0xc60
[ 80.044318] queue_work_on+0x63/0x90
[ 80.044653] user_event_put+0x1f9/0x390
[ 80.045012] user_events_ioctl+0x11ed/0x17f0
[ 80.045391] __x64_sys_ioctl+0x133/0x190
[ 80.045750] do_syscall_64+0x66/0x130
[ 80.046096] entry_SYSCALL_64_after_hwframe+0x71/0x79
[ 80.046533]
[ 80.046732] The buggy address belongs to the object at ffff888001bd4c00
[ 80.046732] which belongs to the cache kmalloc-cg-512 of size 512
[ 80.047689] The buggy address is located 184 bytes inside of
[ 80.047689] freed 512-byte region [ffff888001bd4c00, ffff888001bd4e00)
[ 80.048623]
[ 80.048962] The buggy address belongs to the physical page:
[ 80.049426] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1bd4
[ 80.050068] head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 80.050689] memcg:ffff888004b9e101
[ 80.051014] anon flags: 0x40(head|zone=0)
[ 80.051377] page_type: 0xffffefff(slab)
[ 80.051730] raw: 0000000000000040 ffff88800014cdc0 0000000000000000 dead000000000001
[ 80.052364] raw: 0000000000000000 0000000080100010 00000001ffffefff ffff888004b9e101
[ 80.052996] head: 0000000000000040 ffff88800014cdc0 0000000000000000 dead000000000001
[ 80.053638] head: 0000000000000000 0000000080100010 00000001ffffefff ffff888004b9e101
[ 80.054275] head: 0000000000000002 ffffea000006f501 ffffffffffffffff 0000000000000000
[ 80.054915] head: ffff888000000004 0000000000000000 00000000ffffffff 0000000000000000
[ 80.055552] page dumped because: kasan: bad access detected
[ 80.056021]
[ 80.056221] Memory state around the buggy address:
[ 80.056639] ffff888001bd4b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 80.057243] ffff888001bd4c00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 80.057842] >ffff888001bd4c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 80.058438] ^
[ 80.058869] ffff888001bd4d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 80.059471] ffff888001bd4d80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 80.060068] ==================================================================
diff --git a/fs/tracefs/event_inode.c b/fs/tracefs/event_inode.c
index 5d88c184f0fc..6a698b524338 100644
--- a/fs/tracefs/event_inode.c
+++ b/fs/tracefs/event_inode.c
@@ -112,7 +112,7 @@ static void release_ei(struct kref *ref)
entry->release(entry->name, ei->data);
}
- call_rcu(&ei->rcu, free_ei_rcu);
+ call_srcu(&eventfs_srcu, &ei->rcu, free_ei_rcu);
}
static inline void put_ei(struct eventfs_inode *ei)
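Review bot: the only change here is deferring free_ei_rcu from call_rcu() to call_srcu(&eventfs_srcu, ...), but nothing in the hunk shows the reader side it is meant to pair with, so a reviewer cannot tell which srcu_read_lock(&eventfs_srcu) critical section is now keeping the eventfs_inode alive. Please name that lookup path in the patch description, and confirm that free_ei_rcu only tears down ei itself: an SRCU grace period can be much longer than a plain RCU one, so anything reachable from ei stays pinned for that much longer.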
@@ -334,6 +334,7 @@ static struct inode *eventfs_get_inode(struct dentry *dentry, struct eventfs_att
ti = get_tracefs(inode);
ti->private = ei;
+ WARN(ti->flags, "ti-flags = %lx\n", ti->flags);
ti->flags |= TRACEFS_EVENT_INODE;
/* Find the top dentry that holds the "events" directory */
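Review bot: `WARN(ti->flags, "ti-flags = %lx\n", ti->flags);` placed just before `ti->flags |= TRACEFS_EVENT_INODE;` fires whenever the inode already carries any flag, not only in the stale-flags case being hunted, and a plain WARN will flood the log if the condition recurs. If this is a debugging aid it should be dropped before merging; if it is meant to stay, make it WARN_ONCE() and add a comment stating why a freshly obtained tracefs inode is expected to have no flags set at this point.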
@@ -736,7 +737,7 @@ struct eventfs_inode *eventfs_create_dir(const char *name, struct eventfs_inode
/* Was the parent freed? */
if (list_empty(&ei->list)) {
cleanup_ei(ei);
- ei = NULL;
+ ei = ERR_PTR(-EBUSY);
}
return ei;
}
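Review bot: replacing `ei = NULL;` with `ei = ERR_PTR(-EBUSY);` on the "Was the parent freed?" path changes the contract of eventfs_create_dir(): any caller that tests the result with `if (!ei)` now sees a non-NULL pointer and will dereference an error value. Every caller needs to be converted to IS_ERR() (or IS_ERR_OR_NULL() if NULL is still possible on other paths) in the same patch, and the function's return documentation updated. -EBUSY is also an odd code for "parent already gone"; -ENOENT or -ENODEV would read more naturally.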
@@ -802,6 +803,7 @@ struct eventfs_inode *eventfs_create_events_dir(const char *name, struct dentry
INIT_LIST_HEAD(&ei->list);
ti = get_tracefs(inode);
+ WARN(ti->flags, "ti-flags = %lx\n", ti->flags);
ti->flags |= TRACEFS_EVENT_INODE;
ti->private = ei;
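Review bot: this WARN duplicates the one added in eventfs_get_inode(), right after the same `ti = get_tracefs(inode);` call. If the intent is to catch a tracefs_inode being reused with stale flags, the check belongs in get_tracefs() (or a small helper called from both sites) rather than being copied at each caller, and again as WARN_ONCE() so a recurring hit cannot flood the console.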
diff --git a/kernel/trace/trace_events.c b/kernel/trace/trace_events.c
index 6ef29eba90ce..5fbfa1c885de 100644
--- a/kernel/trace/trace_events.c
+++ b/kernel/trace/trace_events.c
@@ -1627,12 +1627,14 @@ static int f_show(struct seq_file *m, void *v)
static void *f_start(struct seq_file *m, loff_t *pos)
{
+ struct trace_event_file *file;
void *p = (void *)FORMAT_HEADER;
loff_t l = 0;
/* ->stop() is called even if ->start() fails */
mutex_lock(&event_mutex);
- if (!event_file_data(m->private))
+ file = event_file_data(m->private);
+ if (!file || (file->flags & EVENT_FILE_FL_FREED))
return ERR_PTR(-ENODEV);
while (l < *pos && p)
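Review bot: the new `file->flags & EVENT_FILE_FL_FREED` test only protects the trace_event_file, yet the KASAN report above says the freed object was allocated in user_event_parse_cmd() and freed by destroy_user_event() via kfree() (a kmalloc-cg-512 object, accessed 184 bytes in), i.e. the user_event itself rather than the file. If f_start() reaches that object through the event after this check (for instance when the `while (l < *pos && p)` loop below advances through the event's data), the flag test does not close the window in which the user_event is freed while the file pointer is still valid, which would be consistent with the splats persisting. The check itself is correctly done under event_mutex; please also confirm that EVENT_FILE_FL_FREED is set under the same mutex before the kfree() in destroy_user_event() can run.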