netlink: 13 bytes leftover after parsing attributes in process `syz-executor3'. ================================================================== BUG: KASAN: use-after-free in __read_once_size include/linux/compiler.h:276 [inline] BUG: KASAN: use-after-free in atomic64_read arch/x86/include/asm/atomic64_64.h:21 [inline] BUG: KASAN: use-after-free in atomic64_add_unless arch/x86/include/asm/atomic64_64.h:201 [inline] BUG: KASAN: use-after-free in get_mm_exe_file+0x398/0x3d0 kernel/fork.c:988 Read of size 8 at addr ffff8801ce7982f0 by task syz-executor4/3100 CPU: 1 PID: 3100 Comm: syz-executor4 Not tainted 4.13.0-rc5-next-20170816+ #4 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:16 [inline] dump_stack+0x194/0x257 lib/dump_stack.c:52 print_address_description+0x73/0x250 mm/kasan/report.c:252 kasan_report_error mm/kasan/report.c:351 [inline] kasan_report+0x24e/0x340 mm/kasan/report.c:409 __asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:430 __read_once_size include/linux/compiler.h:276 [inline] atomic64_read arch/x86/include/asm/atomic64_64.h:21 [inline] atomic64_add_unless arch/x86/include/asm/atomic64_64.h:201 [inline] get_mm_exe_file+0x398/0x3d0 kernel/fork.c:988 dup_mmap kernel/fork.c:614 [inline] dup_mm kernel/fork.c:1177 [inline] copy_mm+0x44b/0x1247 kernel/fork.c:1231 copy_process.part.36+0x1ea3/0x4af0 kernel/fork.c:1733 copy_process kernel/fork.c:1546 [inline] _do_fork+0x1ef/0xfb0 kernel/fork.c:2025 SYSC_clone kernel/fork.c:2135 [inline] SyS_clone+0x37/0x50 kernel/fork.c:2129 do_syscall_64+0x26c/0x8c0 arch/x86/entry/common.c:287 entry_SYSCALL64_slow_path+0x25/0x25 RIP: 0033:0x44fa9a RSP: 002b:0000000000a6f9c0 EFLAGS: 00000246 ORIG_RAX: 0000000000000038 RAX: ffffffffffffffda RBX: 0000000000a6f9c0 RCX: 000000000044fa9a RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000001200011 RBP: 0000000000a6fa00 R08: 0000000000000001 R09: 0000000000d06940 R10: 0000000000d06c10 R11: 0000000000000246 R12: 0000000000000001 R13: 0000000000000000 R14: 0000000000000000 R15: 00000000000004e0 Allocated by task 3073: save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59 save_stack+0x43/0xd0 mm/kasan/kasan.c:447 set_track mm/kasan/kasan.c:459 [inline] kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:551 kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:489 kmem_cache_alloc+0x12e/0x760 mm/slab.c:3561 kmem_cache_zalloc include/linux/slab.h:656 [inline] get_empty_filp+0xfb/0x4f0 fs/file_table.c:123 path_openat+0xed/0x3520 fs/namei.c:3505 do_filp_open+0x25b/0x3b0 fs/namei.c:3563 do_open_execat+0x1b9/0x5c0 fs/exec.c:849 do_execveat_common.isra.33+0x8fe/0x22e0 fs/exec.c:1754 do_execve fs/exec.c:1860 [inline] SYSC_execve fs/exec.c:1941 [inline] SyS_execve+0x39/0x50 fs/exec.c:1936 do_syscall_64+0x26c/0x8c0 arch/x86/entry/common.c:287 return_from_SYSCALL_64+0x0/0x7a Freed by task 12903: save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59 save_stack+0x43/0xd0 mm/kasan/kasan.c:447 set_track mm/kasan/kasan.c:459 [inline] kasan_slab_free+0x71/0xc0 mm/kasan/kasan.c:524 __cache_free mm/slab.c:3503 [inline] kmem_cache_free+0x77/0x280 mm/slab.c:3763 file_free_rcu+0x5c/0x70 fs/file_table.c:50 __rcu_reclaim kernel/rcu/rcu.h:195 [inline] rcu_do_batch kernel/rcu/tree.c:2666 [inline] invoke_rcu_callbacks kernel/rcu/tree.c:2920 [inline] __rcu_process_callbacks kernel/rcu/tree.c:2887 [inline] rcu_process_callbacks+0xd3e/0x17b0 kernel/rcu/tree.c:2904 __do_softirq+0x2f5/0xba3 kernel/softirq.c:284 The buggy address belongs to the object at ffff8801ce798280 which belongs to the cache filp of size 456 The buggy address is located 112 bytes inside of 456-byte region [ffff8801ce798280, ffff8801ce798448) The buggy address belongs to the page: page:ffffea000739e600 count:1 mapcount:0 mapping:ffff8801ce798000 index:0xffff8801ce798a00 flags: 0x200000000000100(slab) raw: 0200000000000100 ffff8801ce798000 ffff8801ce798a00 0000000100000005 raw: ffffea000713fd20 ffffea00073d44a0 ffff8801dae3d300 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff8801ce798180: 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc ffff8801ce798200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff8801ce798280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff8801ce798300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8801ce798380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ==================================================================