================================================================== BUG: KASAN: use-after-free in bpf_tree_comp kernel/bpf/core.c:437 [inline] BUG: KASAN: use-after-free in __lt_find include/linux/rbtree_latch.h:115 [inline] BUG: KASAN: use-after-free in latch_tree_find include/linux/rbtree_latch.h:208 [inline] BUG: KASAN: use-after-free in bpf_prog_kallsyms_find kernel/bpf/core.c:511 [inline] BUG: KASAN: use-after-free in bpf_prog_kallsyms_find+0x264/0x2c0 kernel/bpf/core.c:504 Read of size 8 at addr ffff888096040600 by task syz-executor117/7804 CPU: 0 PID: 7804 Comm: syz-executor117 Not tainted 4.19.79 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x172/0x1f0 lib/dump_stack.c:113 print_address_description.cold+0x7c/0x20d mm/kasan/report.c:256 kasan_report_error mm/kasan/report.c:354 [inline] kasan_report mm/kasan/report.c:412 [inline] kasan_report.cold+0x8c/0x2ba mm/kasan/report.c:396 __asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:433 bpf_tree_comp kernel/bpf/core.c:437 [inline] __lt_find include/linux/rbtree_latch.h:115 [inline] latch_tree_find include/linux/rbtree_latch.h:208 [inline] bpf_prog_kallsyms_find kernel/bpf/core.c:511 [inline] bpf_prog_kallsyms_find+0x264/0x2c0 kernel/bpf/core.c:504 is_bpf_text_address+0x78/0x170 kernel/bpf/core.c:546 kernel_text_address+0x73/0xf0 kernel/extable.c:152 __kernel_text_address+0xd/0x40 kernel/extable.c:107 unwind_get_return_address arch/x86/kernel/unwind_frame.c:18 [inline] unwind_get_return_address+0x61/0xa0 arch/x86/kernel/unwind_frame.c:13 __save_stack_trace+0x99/0x100 arch/x86/kernel/stacktrace.c:45 save_stack_trace+0x1a/0x20 arch/x86/kernel/stacktrace.c:60 save_stack+0x45/0xd0 mm/kasan/kasan.c:448 set_track mm/kasan/kasan.c:460 [inline] kasan_kmalloc mm/kasan/kasan.c:553 [inline] kasan_kmalloc+0xce/0xf0 mm/kasan/kasan.c:531 kasan_slab_alloc+0xf/0x20 mm/kasan/kasan.c:490 slab_post_alloc_hook mm/slab.h:445 [inline] slab_alloc mm/slab.c:3397 [inline] kmem_cache_alloc+0x11b/0x700 mm/slab.c:3557 anon_vma_chain_alloc mm/rmap.c:129 [inline] __anon_vma_prepare+0x62/0x3c0 mm/rmap.c:183 anon_vma_prepare include/linux/rmap.h:153 [inline] do_huge_pmd_anonymous_page+0xeff/0x14e0 mm/huge_memory.c:676 create_huge_pmd mm/memory.c:3932 [inline] __handle_mm_fault+0x2c80/0x3f80 mm/memory.c:4136 handle_mm_fault+0x1b5/0x690 mm/memory.c:4202 __do_page_fault+0x62a/0xe90 arch/x86/mm/fault.c:1390 do_page_fault+0x71/0x57d arch/x86/mm/fault.c:1465 page_fault+0x1e/0x30 arch/x86/entry/entry_64.S:1204 RIP: 0033:0x400d4b Code: 8b 03 85 c0 74 e1 44 8b 4d 04 c7 45 08 00 00 00 00 45 85 c9 0f 85 54 02 00 00 31 c0 ba 04 00 00 00 31 c9 31 f6 31 ff 45 31 c0 <66> 89 04 25 02 00 00 20 66 89 14 25 0a 00 00 20 31 c0 66 89 0c 25 RSP: 002b:00007f5903552dc0 EFLAGS: 00010246 RAX: 0000000000000000 RBX: 00000000006dbc28 RCX: 0000000000000000 RDX: 0000000000000004 RSI: 0000000000000000 RDI: 0000000000000000 RBP: 00000000006dbc20 R08: 0000000000000000 R09: 0000000000000000 R10: 00007f59035539d0 R11: 0000000000000202 R12: 00000000006dbc2c R13: 00007ffc282b32bf R14: 00007f59035539c0 R15: 000000000000002d Allocated by task 7798: save_stack+0x45/0xd0 mm/kasan/kasan.c:448 set_track mm/kasan/kasan.c:460 [inline] kasan_kmalloc mm/kasan/kasan.c:553 [inline] kasan_kmalloc+0xce/0xf0 mm/kasan/kasan.c:531 kmem_cache_alloc_trace+0x152/0x760 mm/slab.c:3625 kmalloc include/linux/slab.h:515 [inline] kzalloc include/linux/slab.h:709 [inline] bpf_prog_alloc+0x216/0x2a0 kernel/bpf/core.c:90 jit_subprogs kernel/bpf/verifier.c:5814 [inline] fixup_call_args kernel/bpf/verifier.c:5933 [inline] bpf_check+0x3e7f/0x6259 kernel/bpf/verifier.c:6340 bpf_prog_load+0xdcf/0x13f0 kernel/bpf/syscall.c:1445 __do_sys_bpf kernel/bpf/syscall.c:2411 [inline] __se_sys_bpf kernel/bpf/syscall.c:2373 [inline] __x64_sys_bpf+0x32b/0x4c0 kernel/bpf/syscall.c:2373 do_syscall_64+0xfd/0x620 arch/x86/entry/common.c:293 entry_SYSCALL_64_after_hwframe+0x49/0xbe Freed by task 3224: save_stack+0x45/0xd0 mm/kasan/kasan.c:448 set_track mm/kasan/kasan.c:460 [inline] __kasan_slab_free+0x102/0x150 mm/kasan/kasan.c:521 kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:528 __cache_free mm/slab.c:3503 [inline] kfree+0xcf/0x220 mm/slab.c:3822 bpf_jit_free+0xa5/0x300 bpf_prog_free_deferred+0x1a6/0x420 kernel/bpf/core.c:1809 process_one_work+0x989/0x1750 kernel/workqueue.c:2153 worker_thread+0x98/0xe40 kernel/workqueue.c:2296 kthread+0x354/0x420 kernel/kthread.c:246 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415 The buggy address belongs to the object at ffff888096040580 which belongs to the cache kmalloc-256 of size 256 The buggy address is located 128 bytes inside of 256-byte region [ffff888096040580, ffff888096040680) The buggy address belongs to the page: page:ffffea0002581000 count:1 mapcount:0 mapping:ffff88812c3f07c0 index:0x0 flags: 0x1fffc0000000100(slab) raw: 01fffc0000000100 ffffea0002653308 ffffea0002878888 ffff88812c3f07c0 raw: 0000000000000000 ffff888096040080 000000010000000c 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff888096040500: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc ffff888096040580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff888096040600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff888096040680: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00 ffff888096040700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ==================================================================