IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready 8021q: adding VLAN 0 to HW filter on device team0 BUG: MAX_LOCK_DEPTH too low! turning off the locking correctness validator. depth: 48 max: 48! 48 locks held by syz-executor0/5089: #0: (____ptrval____) (rcu_read_lock_bh){....}, at: __dev_queue_xmit+0x328/0x3910 net/core/dev.c:3503 #1: (____ptrval____) (&(&sch->seqlock)->rlock){+...}, at: spin_trylock include/linux/spinlock.h:320 [inline] #1: (____ptrval____) (&(&sch->seqlock)->rlock){+...}, at: qdisc_run_begin include/net/sch_generic.h:124 [inline] #1: (____ptrval____) (&(&sch->seqlock)->rlock){+...}, at: qdisc_run include/net/pkt_sched.h:117 [inline] #1: (____ptrval____) (&(&sch->seqlock)->rlock){+...}, at: __dev_xmit_skb net/core/dev.c:3229 [inline] #1: (____ptrval____) (&(&sch->seqlock)->rlock){+...}, at: __dev_queue_xmit+0x13a3/0x3910 net/core/dev.c:3537 #2: (____ptrval____) (dev->qdisc_running_key ?: &qdisc_running_key){+...}, at: dev_queue_xmit+0x17/0x20 net/core/dev.c:3602 #3: (____ptrval____) (rcu_read_lock){....}, at: __skb_pull include/linux/skbuff.h:2080 [inline] #3: (____ptrval____) (rcu_read_lock){....}, at: skb_mac_gso_segment+0x229/0x740 net/core/dev.c:2787 #4: (____ptrval____) (rcu_read_lock){....}, at: __skb_pull include/linux/skbuff.h:2080 [inline] #4: (____ptrval____) (rcu_read_lock){....}, at: skb_mac_gso_segment+0x229/0x740 net/core/dev.c:2787 #5: (____ptrval____) (rcu_read_lock){....}, at: __skb_pull include/linux/skbuff.h:2080 [inline] #5: (____ptrval____) (rcu_read_lock){....}, at: skb_mac_gso_segment+0x229/0x740 net/core/dev.c:2787 #6: (____ptrval____) (rcu_read_lock){....}, at: __skb_pull include/linux/skbuff.h:2080 [inline] #6: (____ptrval____) (rcu_read_lock){....}, at: skb_mac_gso_segment+0x229/0x740 net/core/dev.c:2787 #7: (____ptrval____) (rcu_read_lock){....}, at: __skb_pull include/linux/skbuff.h:2080 [inline] #7: (____ptrval____) (rcu_read_lock){....}, at: skb_mac_gso_segment+0x229/0x740 net/core/dev.c:2787 #8: (____ptrval____) (rcu_read_lock){....}, at: __skb_pull include/linux/skbuff.h:2080 [inline] #8: (____ptrval____) (rcu_read_lock){....}, at: skb_mac_gso_segment+0x229/0x740 net/core/dev.c:2787 #9: (____ptrval____) (rcu_read_lock){....}, at: __skb_pull include/linux/skbuff.h:2080 [inline] #9: (____ptrval____) (rcu_read_lock){....}, at: skb_mac_gso_segment+0x229/0x740 net/core/dev.c:2787 #10: (____ptrval____) (rcu_read_lock){....}, at: __skb_pull include/linux/skbuff.h:2080 [inline] #10: (____ptrval____) (rcu_read_lock){....}, at: skb_mac_gso_segment+0x229/0x740 net/core/dev.c:2787 #11: (____ptrval____) (rcu_read_lock){....}, at: __skb_pull include/linux/skbuff.h:2080 [inline] #11: (____ptrval____) (rcu_read_lock){....}, at: skb_mac_gso_segment+0x229/0x740 net/core/dev.c:2787 #12: (____ptrval____) (rcu_read_lock){....}, at: __skb_pull include/linux/skbuff.h:2080 [inline] #12: (____ptrval____) (rcu_read_lock){....}, at: skb_mac_gso_segment+0x229/0x740 net/core/dev.c:2787 #13: (____ptrval____) (rcu_read_lock){....}, at: __skb_pull include/linux/skbuff.h:2080 [inline] #13: (____ptrval____) (rcu_read_lock){....}, at: skb_mac_gso_segment+0x229/0x740 net/core/dev.c:2787 #14: (____ptrval____) (rcu_read_lock){....}, at: __skb_pull include/linux/skbuff.h:2080 [inline] #14: (____ptrval____) (rcu_read_lock){....}, at: skb_mac_gso_segment+0x229/0x740 net/core/dev.c:2787 #15: (____ptrval____) (rcu_read_lock){....}, at: __skb_pull include/linux/skbuff.h:2080 [inline] #15: (____ptrval____) (rcu_read_lock){....}, at: skb_mac_gso_segment+0x229/0x740 net/core/dev.c:2787 #16: (____ptrval____) (rcu_read_lock){....}, at: __skb_pull include/linux/skbuff.h:2080 [inline] #16: (____ptrval____) (rcu_read_lock){....}, at: skb_mac_gso_segment+0x229/0x740 net/core/dev.c:2787 #17: (____ptrval____) (rcu_read_lock){....}, at: __skb_pull include/linux/skbuff.h:2080 [inline] #17: (____ptrval____) (rcu_read_lock){....}, at: skb_mac_gso_segment+0x229/0x740 net/core/dev.c:2787 #18: (____ptrval____) (rcu_read_lock){....}, at: __skb_pull include/linux/skbuff.h:2080 [inline] #18: (____ptrval____) (rcu_read_lock){....}, at: skb_mac_gso_segment+0x229/0x740 net/core/dev.c:2787 #19: (____ptrval____) (rcu_read_lock){....}, at: __skb_pull include/linux/skbuff.h:2080 [inline] #19: (____ptrval____) (rcu_read_lock){....}, at: skb_mac_gso_segment+0x229/0x740 net/core/dev.c:2787 #20: (____ptrval____) (rcu_read_lock){....}, at: __skb_pull include/linux/skbuff.h:2080 [inline] #20: (____ptrval____) (rcu_read_lock){....}, at: skb_mac_gso_segment+0x229/0x740 net/core/dev.c:2787 #21: (____ptrval____) (rcu_read_lock){....}, at: __skb_pull include/linux/skbuff.h:2080 [inline] #21: (____ptrval____) (rcu_read_lock){....}, at: skb_mac_gso_segment+0x229/0x740 net/core/dev.c:2787 #22: (____ptrval____) (rcu_read_lock){....}, at: __skb_pull include/linux/skbuff.h:2080 [inline] #22: (____ptrval____) (rcu_read_lock){....}, at: skb_mac_gso_segment+0x229/0x740 net/core/dev.c:2787 #23: (____ptrval____) (rcu_read_lock){....}, at: __skb_pull include/linux/skbuff.h:2080 [inline] #23: (____ptrval____) (rcu_read_lock){....}, at: skb_mac_gso_segment+0x229/0x740 net/core/dev.c:2787 #24: (____ptrval____) (rcu_read_lock){....}, at: __skb_pull include/linux/skbuff.h:2080 [inline] #24: (____ptrval____) (rcu_read_lock){....}, at: skb_mac_gso_segment+0x229/0x740 net/core/dev.c:2787 #25: (____ptrval____) (rcu_read_lock){....}, at: __skb_pull include/linux/skbuff.h:2080 [inline] #25: (____ptrval____) (rcu_read_lock){....}, at: skb_mac_gso_segment+0x229/0x740 net/core/dev.c:2787 #26: (____ptrval____) (rcu_read_lock){....}, at: __skb_pull include/linux/skbuff.h:2080 [inline] #26: (____ptrval____) (rcu_read_lock){....}, at: skb_mac_gso_segment+0x229/0x740 net/core/dev.c:2787 #27: (____ptrval____) (rcu_read_lock){....}, at: __skb_pull include/linux/skbuff.h:2080 [inline] #27: (____ptrval____) (rcu_read_lock){....}, at: skb_mac_gso_segment+0x229/0x740 net/core/dev.c:2787 #28: (____ptrval____) (rcu_read_lock){....}, at: __skb_pull include/linux/skbuff.h:2080 [inline] #28: (____ptrval____) (rcu_read_lock){....}, at: skb_mac_gso_segment+0x229/0x740 net/core/dev.c:2787 #29: (____ptrval____) (rcu_read_lock){....}, at: __skb_pull include/linux/skbuff.h:2080 [inline] #29: (____ptrval____) (rcu_read_lock){....}, at: skb_mac_gso_segment+0x229/0x740 net/core/dev.c:2787 #30: (____ptrval____) (rcu_read_lock){....}, at: __skb_pull include/linux/skbuff.h:2080 [inline] #30: (____ptrval____) (rcu_read_lock){....}, at: skb_mac_gso_segment+0x229/0x740 net/core/dev.c:2787 #31: (____ptrval____) (rcu_read_lock){....}, at: __skb_pull include/linux/skbuff.h:2080 [inline] #31: (____ptrval____) (rcu_read_lock){....}, at: skb_mac_gso_segment+0x229/0x740 net/core/dev.c:2787 #32: (____ptrval____) (rcu_read_lock){....}, at: __skb_pull include/linux/skbuff.h:2080 [inline] #32: (____ptrval____) (rcu_read_lock){....}, at: skb_mac_gso_segment+0x229/0x740 net/core/dev.c:2787 #33: (____ptrval____) (rcu_read_lock){....}, at: __skb_pull include/linux/skbuff.h:2080 [inline] #33: (____ptrval____) (rcu_read_lock){....}, at: skb_mac_gso_segment+0x229/0x740 net/core/dev.c:2787 #34: (____ptrval____) (rcu_read_lock){....}, at: __skb_pull include/linux/skbuff.h:2080 [inline] #34: (____ptrval____) (rcu_read_lock){....}, at: skb_mac_gso_segment+0x229/0x740 net/core/dev.c:2787 #35: (____ptrval____) (rcu_read_lock){....}, at: __skb_pull include/linux/skbuff.h:2080 [inline] #35: (____ptrval____) (rcu_read_lock){....}, at: skb_mac_gso_segment+0x229/0x740 net/core/dev.c:2787 #36: (____ptrval____) (rcu_read_lock){....}, at: __skb_pull include/linux/skbuff.h:2080 [inline] #36: (____ptrval____) (rcu_read_lock){....}, at: skb_mac_gso_segment+0x229/0x740 net/core/dev.c:2787 #37: (____ptrval____) (rcu_read_lock){....}, at: __skb_pull include/linux/skbuff.h:2080 [inline] #37: (____ptrval____) (rcu_read_lock){....}, at: skb_mac_gso_segment+0x229/0x740 net/core/dev.c:2787 #38: (____ptrval____) (rcu_read_lock){....}, at: __skb_pull include/linux/skbuff.h:2080 [inline] #38: (____ptrval____) (rcu_read_lock){....}, at: skb_mac_gso_segment+0x229/0x740 net/core/dev.c:2787 #39: (____ptrval____) (rcu_read_lock){....}, at: __skb_pull include/linux/skbuff.h:2080 [inline] #39: (____ptrval____) (rcu_read_lock){....}, at: skb_mac_gso_segment+0x229/0x740 net/core/dev.c:2787 #40: (____ptrval____) (rcu_read_lock){....}, at: __skb_pull include/linux/skbuff.h:2080 [inline] #40: (____ptrval____) (rcu_read_lock){....}, at: skb_mac_gso_segment+0x229/0x740 net/core/dev.c:2787 #41: (____ptrval____) (rcu_read_lock){....}, at: __skb_pull include/linux/skbuff.h:2080 [inline] #41: (____ptrval____) (rcu_read_lock){....}, at: skb_mac_gso_segment+0x229/0x740 net/core/dev.c:2787 #42: (____ptrval____) (rcu_read_lock){....}, at: __skb_pull include/linux/skbuff.h:2080 [inline] #42: (____ptrval____) (rcu_read_lock){....}, at: skb_mac_gso_segment+0x229/0x740 net/core/dev.c:2787 #43: (____ptrval____) (rcu_read_lock){....}, at: __skb_pull include/linux/skbuff.h:2080 [inline] #43: (____ptrval____) (rcu_read_lock){....}, at: skb_mac_gso_segment+0x229/0x740 net/core/dev.c:2787 #44: (____ptrval____) (rcu_read_lock){....}, at: __skb_pull include/linux/skbuff.h:2080 [inline] #44: (____ptrval____) (rcu_read_lock){....}, at: skb_mac_gso_segment+0x229/0x740 net/core/dev.c:2787 #45: (____ptrval____) (rcu_read_lock){....}, at: __skb_pull include/linux/skbuff.h:2080 [inline] #45: (____ptrval____) (rcu_read_lock){....}, at: skb_mac_gso_segment+0x229/0x740 net/core/dev.c:2787 #46: (____ptrval____) (rcu_read_lock){....}, at: __skb_pull include/linux/skbuff.h:2080 [inline] #46: (____ptrval____) (rcu_read_lock){....}, at: skb_mac_gso_segment+0x229/0x740 net/core/dev.c:2787 #47: (____ptrval____) (rcu_read_lock){....}, at: __skb_pull include/linux/skbuff.h:2080 [inline] #47: (____ptrval____) (rcu_read_lock){....}, at: skb_mac_gso_segment+0x229/0x740 net/core/dev.c:2787 INFO: lockdep is turned off. CPU: 1 PID: 5089 Comm: syz-executor0 Not tainted 4.18.0-rc4+ #46 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x1c9/0x2b4 lib/dump_stack.c:113 __lock_acquire+0x175d/0x5020 kernel/locking/lockdep.c:3453 lock_acquire+0x1e4/0x540 kernel/locking/lockdep.c:3924 rcu_lock_acquire include/linux/rcupdate.h:245 [inline] rcu_read_lock include/linux/rcupdate.h:631 [inline] skb_mac_gso_segment+0x263/0x740 net/core/dev.c:2789 nsh_gso_segment+0x470/0xb40 net/nsh/nsh.c:111 skb_mac_gso_segment+0x3b5/0x740 net/core/dev.c:2792 nsh_gso_segment+0x470/0xb40 net/nsh/nsh.c:111 skb_mac_gso_segment+0x3b5/0x740 net/core/dev.c:2792 nsh_gso_segment+0x470/0xb40 net/nsh/nsh.c:111 skb_mac_gso_segment+0x3b5/0x740 net/core/dev.c:2792 nsh_gso_segment+0x470/0xb40 net/nsh/nsh.c:111 skb_mac_gso_segment+0x3b5/0x740 net/core/dev.c:2792 nsh_gso_segment+0x470/0xb40 net/nsh/nsh.c:111 skb_mac_gso_segment+0x3b5/0x740 net/core/dev.c:2792 nsh_gso_segment+0x470/0xb40 net/nsh/nsh.c:111 skb_mac_gso_segment+0x3b5/0x740 net/core/dev.c:2792 nsh_gso_segment+0x470/0xb40 net/nsh/nsh.c:111 skb_mac_gso_segment+0x3b5/0x740 net/core/dev.c:2792 nsh_gso_segment+0x470/0xb40 net/nsh/nsh.c:111 skb_mac_gso_segment+0x3b5/0x740 net/core/dev.c:2792 nsh_gso_segment+0x470/0xb40 net/nsh/nsh.c:111 skb_mac_gso_segment+0x3b5/0x740 net/core/dev.c:2792 nsh_gso_segment+0x470/0xb40 net/nsh/nsh.c:111 skb_mac_gso_segment+0x3b5/0x740 net/core/dev.c:2792 nsh_gso_segment+0x470/0xb40 net/nsh/nsh.c:111 skb_mac_gso_segment+0x3b5/0x740 net/core/dev.c:2792 nsh_gso_segment+0x470/0xb40 net/nsh/nsh.c:111 skb_mac_gso_segment+0x3b5/0x740 net/core/dev.c:2792 nsh_gso_segment+0x470/0xb40 net/nsh/nsh.c:111 skb_mac_gso_segment+0x3b5/0x740 net/core/dev.c:2792 nsh_gso_segment+0x470/0xb40 net/nsh/nsh.c:111 skb_mac_gso_segment+0x3b5/0x740 net/core/dev.c:2792 nsh_gso_segment+0x470/0xb40 net/nsh/nsh.c:111 skb_mac_gso_segment+0x3b5/0x740 net/core/dev.c:2792 nsh_gso_segment+0x470/0xb40 net/nsh/nsh.c:111 skb_mac_gso_segment+0x3b5/0x740 net/core/dev.c:2792 nsh_gso_segment+0x470/0xb40 net/nsh/nsh.c:111 skb_mac_gso_segment+0x3b5/0x740 net/core/dev.c:2792 nsh_gso_segment+0x470/0xb40 net/nsh/nsh.c:111 skb_mac_gso_segment+0x3b5/0x740 net/core/dev.c:2792 nsh_gso_segment+0x470/0xb40 net/nsh/nsh.c:111 skb_mac_gso_segment+0x3b5/0x740 net/core/dev.c:2792 nsh_gso_segment+0x470/0xb40 net/nsh/nsh.c:111 skb_mac_gso_segment+0x3b5/0x740 net/core/dev.c:2792 nsh_gso_segment+0x470/0xb40 net/nsh/nsh.c:111 skb_mac_gso_segment+0x3b5/0x740 net/core/dev.c:2792 nsh_gso_segment+0x470/0xb40 net/nsh/nsh.c:111 skb_mac_gso_segment+0x3b5/0x740 net/core/dev.c:2792 nsh_gso_segment+0x470/0xb40 net/nsh/nsh.c:111 skb_mac_gso_segment+0x3b5/0x740 net/core/dev.c:2792 nsh_gso_segment+0x470/0xb40 net/nsh/nsh.c:111 skb_mac_gso_segment+0x3b5/0x740 net/core/dev.c:2792 nsh_gso_segment+0x470/0xb40 net/nsh/nsh.c:111 skb_mac_gso_segment+0x3b5/0x740 net/core/dev.c:2792 nsh_gso_segment+0x470/0xb40 net/nsh/nsh.c:111 skb_mac_gso_segment+0x3b5/0x740 net/core/dev.c:2792 nsh_gso_segment+0x470/0xb40 net/nsh/nsh.c:111 skb_mac_gso_segment+0x3b5/0x740 net/core/dev.c:2792 nsh_gso_segment+0x470/0xb40 net/nsh/nsh.c:111 skb_mac_gso_segment+0x3b5/0x740 net/core/dev.c:2792 nsh_gso_segment+0x470/0xb40 net/nsh/nsh.c:111 skb_mac_gso_segment+0x3b5/0x740 net/core/dev.c:2792 nsh_gso_segment+0x470/0xb40 net/nsh/nsh.c:111 skb_mac_gso_segment+0x3b5/0x740 net/core/dev.c:2792 nsh_gso_segment+0x470/0xb40 net/nsh/nsh.c:111 skb_mac_gso_segment+0x3b5/0x740 net/core/dev.c:2792 nsh_gso_segment+0x470/0xb40 net/nsh/nsh.c:111 skb_mac_gso_segment+0x3b5/0x740 net/core/dev.c:2792 nsh_gso_segment+0x470/0xb40 net/nsh/nsh.c:111 skb_mac_gso_segment+0x3b5/0x740 net/core/dev.c:2792 nsh_gso_segment+0x470/0xb40 net/nsh/nsh.c:111 skb_mac_gso_segment+0x3b5/0x740 net/core/dev.c:2792 nsh_gso_segment+0x470/0xb40 net/nsh/nsh.c:111 skb_mac_gso_segment+0x3b5/0x740 net/core/dev.c:2792 nsh_gso_segment+0x470/0xb40 net/nsh/nsh.c:111 skb_mac_gso_segment+0x3b5/0x740 net/core/dev.c:2792 nsh_gso_segment+0x470/0xb40 net/nsh/nsh.c:111 skb_mac_gso_segment+0x3b5/0x740 net/core/dev.c:2792 nsh_gso_segment+0x470/0xb40 net/nsh/nsh.c:111 skb_mac_gso_segment+0x3b5/0x740 net/core/dev.c:2792 nsh_gso_segment+0x470/0xb40 net/nsh/nsh.c:111 skb_mac_gso_segment+0x3b5/0x740 net/core/dev.c:2792 nsh_gso_segment+0x470/0xb40 net/nsh/nsh.c:111 skb_mac_gso_segment+0x3b5/0x740 net/core/dev.c:2792 nsh_gso_segment+0x470/0xb40 net/nsh/nsh.c:111 skb_mac_gso_segment+0x3b5/0x740 net/core/dev.c:2792 nsh_gso_segment+0x470/0xb40 net/nsh/nsh.c:111 skb_mac_gso_segment+0x3b5/0x740 net/core/dev.c:2792 nsh_gso_segment+0x470/0xb40 net/nsh/nsh.c:111 skb_mac_gso_segment+0x3b5/0x740 net/core/dev.c:2792 nsh_gso_segment+0x470/0xb40 net/nsh/nsh.c:111 skb_mac_gso_segment+0x3b5/0x740 net/core/dev.c:2792 __skb_gso_segment+0x3c3/0x880 net/core/dev.c:2865 skb_gso_segment include/linux/netdevice.h:4099 [inline] validate_xmit_skb+0x640/0xf30 net/core/dev.c:3104 validate_xmit_skb_list+0xbf/0x120 net/core/dev.c:3154 sch_direct_xmit+0x30e/0x1140 net/sched/sch_generic.c:312 qdisc_restart net/sched/sch_generic.c:390 [inline] __qdisc_run+0x619/0x19f0 net/sched/sch_generic.c:398 qdisc_run include/net/pkt_sched.h:118 [inline] __dev_xmit_skb net/core/dev.c:3229 [inline] __dev_queue_xmit+0x1419/0x3910 net/core/dev.c:3537 dev_queue_xmit+0x17/0x20 net/core/dev.c:3602 packet_snd net/packet/af_packet.c:2919 [inline] packet_sendmsg+0x428e/0x6130 net/packet/af_packet.c:2944 sock_sendmsg_nosec net/socket.c:641 [inline] sock_sendmsg+0xd5/0x120 net/socket.c:651 ___sys_sendmsg+0x7fd/0x930 net/socket.c:2125 __sys_sendmsg+0x11d/0x290 net/socket.c:2163 __compat_sys_sendmsg net/compat.c:756 [inline] __do_compat_sys_sendmsg net/compat.c:763 [inline] __se_compat_sys_sendmsg net/compat.c:760 [inline] __ia32_compat_sys_sendmsg+0x7a/0xb0 net/compat.c:760 do_syscall_32_irqs_on arch/x86/entry/common.c:326 [inline] do_fast_syscall_32+0x34d/0xfb2 arch/x86/entry/common.c:397 entry_SYSENTER_compat+0x70/0x7f arch/x86/entry/entry_64_compat.S:139 RIP: 0023:0xf7fedcb9 Code: 55 08 8b 88 64 cd ff ff 8b 98 68 cd ff ff 89 c8 85 d2 74 02 89 0a 5b 5d c3 8b 04 24 c3 8b 1c 24 c3 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 eb 0d 90 90 90 90 90 90 90 90 90 90 90 90 RSP: 002b:00000000f7fe90ac EFLAGS: 00000282 ORIG_RAX: 0000000000000172 RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 0000000020000480 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000 R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 ================================================================== BUG: KASAN: stack-out-of-bounds in __debug_check_no_obj_freed lib/debugobjects.c:775 [inline] BUG: KASAN: stack-out-of-bounds in debug_check_no_obj_freed+0x467/0x595 lib/debugobjects.c:815 Read of size 8 at addr ffff8801d69dba80 by task rs:main Q:Reg/4460 CPU: 0 PID: 4460 Comm: rs:main Q:Reg Not tainted 4.18.0-rc4+ #46 kasan: CONFIG_KASAN_INLINE enabled Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 kasan: GPF could be caused by NULL-ptr deref or user memory access Call Trace: general protection fault: 0000 [#1] SMP KASAN __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x1c9/0x2b4 lib/dump_stack.c:113 CPU: 1 PID: 5089 Comm: syz-executor0 Not tainted 4.18.0-rc4+ #46 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 RIP: 0010:cpuacct_account_field+0x17b/0x3b0 kernel/sched/cpuacct.c:366 Code: 0f 84 print_address_description+0x6c/0x20b mm/kasan/report.c:256 81 00 kasan_report_error mm/kasan/report.c:354 [inline] kasan_report.cold.7+0x242/0x2fe mm/kasan/report.c:412 00 00 __asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:433 4c 63 __debug_check_no_obj_freed lib/debugobjects.c:775 [inline] debug_check_no_obj_freed+0x467/0x595 lib/debugobjects.c:815 ad 74 ff ff ff 48 b8 00 free_pages_prepare mm/page_alloc.c:1027 [inline] free_pcp_prepare mm/page_alloc.c:1041 [inline] free_unref_page_prepare mm/page_alloc.c:2732 [inline] free_unref_page_list+0x3c1/0x1200 mm/page_alloc.c:2801 00 00 00 00 fc ff df 49 c1 e5 03 49 8d bc 24 38 01 00 release_pages+0x7cf/0x14e0 mm/swap.c:792 00 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 af 01 00 00 49 8b 9c 24 38 01 00 00 65 48 03 1d RSP: 0018:ffff8801daf078e8 EFLAGS: 00010806 free_pages_and_swap_cache+0x391/0x510 mm/swap_state.c:319 RAX: dffffc0000000000 RBX: dffffc0000000000 RCX: 0000000000000000 RDX: 1bffff8000000027 RSI: 0000000000000000 RDI: dffffc0000000138 tlb_flush_mmu_free+0xc3/0x160 mm/memory.c:259 RBP: ffff8801daf07978 R08: 0000000000000000 R09: 0000000000000001 tlb_flush_mmu mm/memory.c:268 [inline] arch_tlb_finish_mmu+0xad/0x170 mm/memory.c:283 R10: ffff8801daf07950 R11: ffffffff88fa1263 R12: dffffc0000000000 tlb_finish_mmu+0x140/0x1f0 mm/memory.c:433 R13: 0000000000000020 R14: 1ffff1003b5e0f1e R15: 00000000000f4240 FS: 0000000000000000(0000) GS:ffff8801daf00000(0063) knlGS:00000000f7fe9b40 CS: 0010 DS: 002b ES: 002b CR0: 0000000080050033 unmap_region+0x3ea/0x570 mm/mmap.c:2573 CR2: 00007ffeb557dd98 CR3: 00000001bc314000 CR4: 00000000001406e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: do_munmap+0x617/0xf90 mm/mmap.c:2785 cgroup_account_cputime_field include/linux/cgroup.h:739 [inline] task_group_account_field kernel/sched/cputime.c:108 [inline] account_system_index_time+0x1dc/0x5c0 kernel/sched/cputime.c:171 __do_sys_brk mm/mmap.c:237 [inline] __se_sys_brk mm/mmap.c:191 [inline] __x64_sys_brk+0x5a0/0x7a0 mm/mmap.c:191 do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290 account_system_time+0x7f/0xb0 kernel/sched/cputime.c:199 account_process_tick+0x76/0x240 kernel/sched/cputime.c:498 update_process_times+0x21/0x70 kernel/time/timer.c:1634 entry_SYSCALL_64_after_hwframe+0x49/0xbe tick_sched_handle+0x9f/0x180 kernel/time/tick-sched.c:164 RIP: 0033:0x7f375ef1920a tick_sched_timer+0x45/0x130 kernel/time/tick-sched.c:1274 Code: __run_hrtimer kernel/time/hrtimer.c:1398 [inline] __hrtimer_run_queues+0x3eb/0x10c0 kernel/time/hrtimer.c:1460 03 01 00 00 00 0f 1f 00 b8 ff ff ff ff hrtimer_interrupt+0x2f3/0x750 kernel/time/hrtimer.c:1518 48 local_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1025 [inline] smp_apic_timer_interrupt+0x165/0x730 arch/x86/kernel/apic/apic.c:1050 8b 1c 24 48 8b 6c apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:863 24 08 Modules linked in: 4c 8b 64 24 Dumping ftrace buffer: (ftrace buffer empty) 10 ---[ end trace 0de547695d3fb3f7 ]--- 48 RIP: 0010:cpuacct_account_field+0x17b/0x3b0 kernel/sched/cpuacct.c:366 83 Code: c4 0f 18 84 c3 81 48 00 89 00 fa 00 b8 4c 0c 63 00 ad 00 74 00 ff 0f ff 05 ff <48> 48 3d b8 00 00 f0 00 ff 00 ff 00 77 00 33 fc 48 ff 8b df 0d 49 57 c1 fc e5 2a 03 00 48 49 89 8d bc 01 24 31 38 c9 01 48 00 39 00 48 RSP: 002b:00007f375db8ab88 EFLAGS: 00000206 89 ORIG_RAX: 000000000000000c fa RAX: ffffffffffffffda RBX: 0000000000eda000 RCX: 00007f375ef1920a 48 RDX: 0000000000eb9000 RSI: 00007f375f1cae40 RDI: 0000000000eb9000 c1 ea RBP: fffffffffffdf000 R08: 0000000000e82b80 R09: 000000000000116c 03 R10: 0000000000000000 R11: 0000000000000206 R12: 00007f375f1cbef0 <80> R13: 0000000000eda000 R14: 0000000000021000 R15: 0000000000e72a10 3c 02 Allocated by task 3104: 00 save_stack+0x43/0xd0 mm/kasan/kasan.c:448 0f 85 set_track mm/kasan/kasan.c:460 [inline] kasan_kmalloc+0xc4/0xe0 mm/kasan/kasan.c:553 af kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:490 01 00 kmem_cache_alloc+0x12e/0x760 mm/slab.c:3554 00 kmem_cache_zalloc include/linux/slab.h:697 [inline] fill_pool lib/debugobjects.c:134 [inline] __debug_object_init+0xbe1/0x12e0 lib/debugobjects.c:377 49 debug_object_init lib/debugobjects.c:429 [inline] debug_object_activate+0x32e/0x690 lib/debugobjects.c:510 8b debug_rcu_head_queue kernel/rcu/rcu.h:135 [inline] __call_rcu.constprop.67+0xc8/0xc00 kernel/rcu/tree.c:2906 9c call_rcu_sched+0x12/0x20 kernel/rcu/tree.c:2985 24 dentry_free+0xcb/0x170 fs/dcache.c:349 38 __dentry_kill+0x527/0x7a0 fs/dcache.c:582 01 shrink_dentry_list+0x322/0x7c0 fs/dcache.c:1081 00 shrink_dcache_sb+0x229/0x350 fs/dcache.c:1216 00 do_remount_sb+0x2cc/0x7b0 fs/super.c:869 65 do_remount fs/namespace.c:2339 [inline] do_mount+0x149b/0x30e0 fs/namespace.c:2839 48 ksys_mount+0x12d/0x140 fs/namespace.c:3064 03 __do_sys_mount fs/namespace.c:3078 [inline] __se_sys_mount fs/namespace.c:3075 [inline] __x64_sys_mount+0xbe/0x150 fs/namespace.c:3075 1d do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290 entry_SYSCALL_64_after_hwframe+0x49/0xbe RSP: 0018:ffff8801daf078e8 EFLAGS: 00010806 Freed by task 0: RAX: dffffc0000000000 RBX: dffffc0000000000 RCX: 0000000000000000 (stack is not available) RDX: 1bffff8000000027 RSI: 0000000000000000 RDI: dffffc0000000138 RBP: ffff8801daf07978 R08: 0000000000000000 R09: 0000000000000001 The buggy address belongs to the object at ffff8801d69dba80 which belongs to the cache debug_objects_cache of size 40 R10: ffff8801daf07950 R11: ffffffff88fa1263 R12: dffffc0000000000 The buggy address is located 0 bytes inside of 40-byte region [ffff8801d69dba80, ffff8801d69dbaa8) R13: 0000000000000020 R14: 1ffff1003b5e0f1e R15: 00000000000f4240 The buggy address belongs to the page: FS: 0000000000000000(0000) GS:ffff8801daf00000(0063) knlGS:00000000f7fe9b40 page:ffffea00075a76c0 count:1 mapcount:0 mapping:ffff8801da810dc0 index:0xffff8801d69dbfb9 CS: 0010 DS: 002b ES: 002b CR0: 0000000080050033 CR2: 00007ffeb557dd98 CR3: 00000001bc314000 CR4: 00000000001406e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 flags: 0x2fffc0000000100(slab) DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400