================================================================== BUG: KASAN: use-after-free in madvise_willneed mm/madvise.c:297 [inline] BUG: KASAN: use-after-free in madvise_vma mm/madvise.c:954 [inline] BUG: KASAN: use-after-free in do_madvise.part.0+0x1771/0x1890 mm/madvise.c:1175 Read of size 8 at addr ffff888092c7d148 by task syz-executor.0/7104 CPU: 0 PID: 7104 Comm: syz-executor.0 Not tainted 5.9.0-rc1-next-20200821-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x18f/0x20d lib/dump_stack.c:118 print_address_description.constprop.0.cold+0xae/0x497 mm/kasan/report.c:383 __kasan_report mm/kasan/report.c:513 [inline] kasan_report.cold+0x1f/0x37 mm/kasan/report.c:530 madvise_willneed mm/madvise.c:297 [inline] madvise_vma mm/madvise.c:954 [inline] do_madvise.part.0+0x1771/0x1890 mm/madvise.c:1175 do_madvise mm/madvise.c:1202 [inline] __do_sys_madvise mm/madvise.c:1202 [inline] __se_sys_madvise mm/madvise.c:1200 [inline] __x64_sys_madvise+0x117/0x150 mm/madvise.c:1200 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46 entry_SYSCALL_64_after_hwframe+0x44/0xa9 RIP: 0033:0x45d4d9 Code: 5d b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 2b b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 RSP: 002b:00007f634719ac78 EFLAGS: 00000246 ORIG_RAX: 000000000000001c RAX: ffffffffffffffda RBX: 0000000000020800 RCX: 000000000045d4d9 RDX: 0000000000000003 RSI: 0000000000600003 RDI: 0000000020000000 RBP: 000000000118d020 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 000000000118cfec R13: 00007ffdd1f531cf R14: 00007f634719b9c0 R15: 000000000118cfec Allocated by task 7100: kasan_save_stack+0x1b/0x40 mm/kasan/common.c:48 kasan_set_track mm/kasan/common.c:56 [inline] __kasan_kmalloc.constprop.0+0xbf/0xd0 mm/kasan/common.c:461 slab_post_alloc_hook mm/slab.h:517 [inline] slab_alloc mm/slab.c:3312 [inline] kmem_cache_alloc+0x138/0x3a0 mm/slab.c:3482 vm_area_alloc+0x1c/0x110 kernel/fork.c:347 mmap_region+0x9a4/0x1760 mm/mmap.c:1778 do_mmap+0xcf9/0x11d0 mm/mmap.c:1584 vm_mmap_pgoff+0x195/0x200 mm/util.c:507 ksys_mmap_pgoff+0x43a/0x560 mm/mmap.c:1635 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46 entry_SYSCALL_64_after_hwframe+0x44/0xa9 Freed by task 7100: kasan_save_stack+0x1b/0x40 mm/kasan/common.c:48 kasan_set_track+0x1c/0x30 mm/kasan/common.c:56 kasan_set_free_info+0x1b/0x30 mm/kasan/generic.c:355 __kasan_slab_free+0xd8/0x120 mm/kasan/common.c:422 __cache_free mm/slab.c:3418 [inline] kmem_cache_free.part.0+0x67/0x1f0 mm/slab.c:3693 remove_vma+0x132/0x170 mm/mmap.c:184 remove_vma_list mm/mmap.c:2663 [inline] __do_munmap+0x743/0x1170 mm/mmap.c:2919 do_munmap mm/mmap.c:2927 [inline] munmap_vma_range mm/mmap.c:600 [inline] mmap_region+0x85a/0x1760 mm/mmap.c:1753 do_mmap+0xcf9/0x11d0 mm/mmap.c:1584 vm_mmap_pgoff+0x195/0x200 mm/util.c:507 ksys_mmap_pgoff+0x43a/0x560 mm/mmap.c:1635 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46 entry_SYSCALL_64_after_hwframe+0x44/0xa9 The buggy address belongs to the object at ffff888092c7d148 which belongs to the cache vm_area_struct of size 200 The buggy address is located 0 bytes inside of 200-byte region [ffff888092c7d148, ffff888092c7d210) The buggy address belongs to the page: page:00000000e55343e1 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x92c7d flags: 0xfffe0000000200(slab) raw: 00fffe0000000200 ffffea00029f9748 ffffea0002a37488 ffff8880aa06f500 raw: 0000000000000000 ffff888092c7d040 000000010000000f 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff888092c7d000: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00 ffff888092c7d080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 >ffff888092c7d100: 00 fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb ^ ffff888092c7d180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff888092c7d200: fb fb fc fc fc fc fc fc fc fc fa fb fb fb fb fb ==================================================================