==================================================================
BUG: KASAN: use-after-free in _vm_unmap_aliases mm/vmalloc.c:1728 [inline]
BUG: KASAN: use-after-free in _vm_unmap_aliases+0x446/0x480 mm/vmalloc.c:1711
Read of size 8 at addr ffff888090c8ac60 by task syz-executor.3/8915

CPU: 0 PID: 8915 Comm: syz-executor.3 Not tainted 5.7.0-rc1-next-20200415-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x188/0x20d lib/dump_stack.c:118
 print_address_description.constprop.0.cold+0xd3/0x315 mm/kasan/report.c:382
 __kasan_report.cold+0x35/0x4d mm/kasan/report.c:511
 kasan_report+0x33/0x50 mm/kasan/common.c:625
 _vm_unmap_aliases mm/vmalloc.c:1728 [inline]
 _vm_unmap_aliases+0x446/0x480 mm/vmalloc.c:1711
 change_page_attr_set_clr+0x1fb/0x7f0 arch/x86/mm/pat/set_memory.c:1723
 change_page_attr_clear arch/x86/mm/pat/set_memory.c:1780 [inline]
 set_memory_ro+0x78/0xa0 arch/x86/mm/pat/set_memory.c:1926
 bpf_jit_binary_lock_ro include/linux/filter.h:817 [inline]
 bpf_int_jit_compile+0xdbc/0x115e arch/x86/net/bpf_jit_comp.c:1917
 bpf_prog_select_runtime+0x4b6/0x860 kernel/bpf/core.c:1807
 bpf_prog_load+0xdc2/0x15f0 kernel/bpf/syscall.c:2117
 __do_sys_bpf+0x724/0x42b0 kernel/bpf/syscall.c:3701
 do_syscall_64+0xf6/0x7d0 arch/x86/entry/common.c:295
 entry_SYSCALL_64_after_hwframe+0x49/0xb3
RIP: 0033:0x45c889
Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f77c39a2c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000141
RAX: ffffffffffffffda RBX: 00007f77c39a36d4 RCX: 000000000045c889
RDX: 0000000000000048 RSI: 00000000200017c0 RDI: 0000000000000005
RBP: 000000000076bf00 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
R13: 000000000000006a R14: 00000000004c3101 R15: 000000000076bf0c

Allocated by task 3828:
 save_stack+0x1b/0x40 mm/kasan/common.c:49
 set_track mm/kasan/common.c:57 [inline]
 __kasan_kmalloc mm/kasan/common.c:495 [inline]
 __kasan_kmalloc.constprop.0+0xbf/0xd0 mm/kasan/common.c:468
 slab_post_alloc_hook mm/slab.h:586 [inline]
 slab_alloc_node mm/slab.c:3263 [inline]
 kmem_cache_alloc_node+0x13c/0x760 mm/slab.c:3575
 alloc_vmap_area+0x13e/0x1e20 mm/vmalloc.c:1116
 new_vmap_block mm/vmalloc.c:1514 [inline]
 vb_alloc mm/vmalloc.c:1662 [inline]
 vm_map_ram+0x556/0xc50 mm/vmalloc.c:1828
 ion_heap_clear_pages+0x26/0x70 drivers/staging/android/ion/ion_heap.c:102
 ion_heap_sglist_zero+0x219/0x240 drivers/staging/android/ion/ion_heap.c:130
 ion_system_heap_free+0x1e1/0x240 drivers/staging/android/ion/ion_system_heap.c:163
 ion_buffer_destroy+0x14d/0x2b0 drivers/staging/android/ion/ion.c:93
 ion_heap_deferred_free+0x269/0x590 drivers/staging/android/ion/ion_heap.c:239
 kthread+0x388/0x470 kernel/kthread.c:268
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352

Freed by task 8920:
 save_stack+0x1b/0x40 mm/kasan/common.c:49
 set_track mm/kasan/common.c:57 [inline]
 kasan_set_free_info mm/kasan/common.c:317 [inline]
 __kasan_slab_free+0xf7/0x140 mm/kasan/common.c:456
 __cache_free mm/slab.c:3426 [inline]
 kmem_cache_free+0x7f/0x320 mm/slab.c:3694
 merge_or_add_vmap_area mm/vmalloc.c:760 [inline]
 __purge_vmap_area_lazy+0x102e/0x1f60 mm/vmalloc.c:1325
 _vm_unmap_aliases mm/vmalloc.c:1746 [inline]
 _vm_unmap_aliases+0x393/0x480 mm/vmalloc.c:1711
 change_page_attr_set_clr+0x1fb/0x7f0 arch/x86/mm/pat/set_memory.c:1723
 change_page_attr_clear arch/x86/mm/pat/set_memory.c:1780 [inline]
 set_memory_ro+0x78/0xa0 arch/x86/mm/pat/set_memory.c:1926
 bpf_jit_binary_lock_ro include/linux/filter.h:817 [inline]
 bpf_int_jit_compile+0xdbc/0x115e arch/x86/net/bpf_jit_comp.c:1917
 bpf_prog_select_runtime+0x4b6/0x860 kernel/bpf/core.c:1807
 bpf_migrate_filter net/core/filter.c:1275 [inline]
 bpf_prepare_filter net/core/filter.c:1323 [inline]
 bpf_prepare_filter+0x8b1/0xc30 net/core/filter.c:1289
 __get_filter+0x20a/0x2c0 net/core/filter.c:1492
 sk_attach_filter+0x19/0xa0 net/core/filter.c:1507
 sock_setsockopt+0x1eac/0x21b0 net/core/sock.c:999
 __sys_setsockopt+0x418/0x480 net/socket.c:2128
 __do_sys_setsockopt net/socket.c:2148 [inline]
 __se_sys_setsockopt net/socket.c:2145 [inline]
 __x64_sys_setsockopt+0xba/0x150 net/socket.c:2145
 do_syscall_64+0xf6/0x7d0 arch/x86/entry/common.c:295
 entry_SYSCALL_64_after_hwframe+0x49/0xb3

The buggy address belongs to the object at ffff888090c8ac60
 which belongs to the cache vmap_area of size 64
The buggy address is located 0 bytes inside of
 64-byte region [ffff888090c8ac60, ffff888090c8aca0)
The buggy address belongs to the page:
page:ffffea0002432280 refcount:1 mapcount:0 mapping:00000000be341f87 index:0x0
flags: 0xfffe0000000200(slab)
raw: 00fffe0000000200 ffffea0002907488 ffffea0002789d48 ffff8880aa012e00
raw: 0000000000000000 ffff888090c8a000 000000010000002a 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff888090c8ab00: 00 00 00 00 fc fc fc fc 00 00 00 00 00 00 00 00
 ffff888090c8ab80: fc fc fc fc 00 00 00 00 00 00 00 00 fc fc fc fc
>ffff888090c8ac00: 00 00 00 00 00 00 00 00 fc fc fc fc fb fb fb fb
                                                       ^
 ffff888090c8ac80: fb fb fb fb fc fc fc fc 00 00 00 00 00 00 00 00
 ffff888090c8ad00: fc fc fc fc 00 00 00 00 00 00 00 00 fc fc fc fc
==================================================================