==================================================================
BUG: KASAN: stack-out-of-bounds in __read_once_size include/linux/compiler.h:188 [inline]
BUG: KASAN: stack-out-of-bounds in wait_consider_task+0x1d02/0x39b0 kernel/exit.c:1342
Read of size 4 at addr ffff880197f2876c by task syz-executor6/4454

CPU: 1 PID: 4454 Comm: syz-executor6 Not tainted 4.18.0-rc3+ #48
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1c9/0x2b4 lib/dump_stack.c:113
 print_address_description+0x6c/0x20b mm/kasan/report.c:256
 kasan_report_error mm/kasan/report.c:354 [inline]
 kasan_report.cold.7+0x242/0x2fe mm/kasan/report.c:412
 __asan_report_load4_noabort+0x14/0x20 mm/kasan/report.c:432
 __read_once_size include/linux/compiler.h:188 [inline]
 wait_consider_task+0x1d02/0x39b0 kernel/exit.c:1342
 do_wait_thread kernel/exit.c:1451 [inline]
 do_wait+0x477/0xb80 kernel/exit.c:1522
 kernel_wait4+0x247/0x3f0 kernel/exit.c:1665
 __do_sys_wait4+0x137/0x150 kernel/exit.c:1677
 __se_sys_wait4 kernel/exit.c:1673 [inline]
 __x64_sys_wait4+0x97/0xf0 kernel/exit.c:1673
 do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x40feaa
Code: 0f 83 1a 17 00 00 c3 66 0f 1f 84 00 00 00 00 00 8b 05 ee 60 63 00 85 c0 75 36 45 31 d2 48 63 d2 48 63 ff b8 3d 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 06 c3 0f 1f 44 00 00 48 c7 c2 d4 ff ff ff f7
RSP: 002b:00007ffc1c928278 EFLAGS: 00000246 ORIG_RAX: 000000000000003d
RAX: ffffffffffffffda RBX: 000000000005adfb RCX: 000000000040feaa
RDX: 0000000040000001 RSI: 00007ffc1c928294 RDI: ffffffffffffffff
RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000001c0c940
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000002
R13: 0000000000000b2f R14: 00007ffc1c928920 R15: 000000000005adf5

Allocated by task 4454:
 save_stack+0x43/0xd0 mm/kasan/kasan.c:448
 set_track mm/kasan/kasan.c:460 [inline]
 kasan_kmalloc+0xc4/0xe0 mm/kasan/kasan.c:553
 kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:490
 kmem_cache_alloc_node+0x144/0x780 mm/slab.c:3644
 alloc_task_struct_node kernel/fork.c:157 [inline]
 dup_task_struct kernel/fork.c:779 [inline]
 copy_process.part.40+0x16b5/0x7220 kernel/fork.c:1641
 copy_process kernel/fork.c:1616 [inline]
 _do_fork+0x291/0x12a0 kernel/fork.c:2099
 __do_sys_clone kernel/fork.c:2206 [inline]
 __se_sys_clone kernel/fork.c:2200 [inline]
 __x64_sys_clone+0xbf/0x150 kernel/fork.c:2200
 do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 1472:
 save_stack+0x43/0xd0 mm/kasan/kasan.c:448
 set_track mm/kasan/kasan.c:460 [inline]
 __kasan_slab_free+0x11a/0x170 mm/kasan/kasan.c:521
 kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:528
 __cache_free mm/slab.c:3498 [inline]
 kmem_cache_free+0x86/0x2d0 mm/slab.c:3756
 free_task_struct kernel/fork.c:162 [inline]
 free_task+0x16e/0x1f0 kernel/fork.c:390
 __put_task_struct+0x2e6/0x620 kernel/fork.c:666
 put_task_struct include/linux/sched/task.h:96 [inline]
 delayed_put_task_struct+0x37f/0x490 kernel/exit.c:180
 __rcu_reclaim kernel/rcu/rcu.h:178 [inline]
 rcu_do_batch kernel/rcu/tree.c:2558 [inline]
 invoke_rcu_callbacks kernel/rcu/tree.c:2818 [inline]
 __rcu_process_callbacks kernel/rcu/tree.c:2785 [inline]
 rcu_process_callbacks+0xed5/0x1850 kernel/rcu/tree.c:2802
 __do_softirq+0x2e8/0xb17 kernel/softirq.c:288

The buggy address belongs to the object at ffff880197f28340
 which belongs to the cache task_struct(17:syz6) of size 5952
The buggy address is located 1068 bytes inside of
 5952-byte region [ffff880197f28340, ffff880197f29a80)
The buggy address belongs to the page:
page:ffffea00065fca00 count:1 mapcount:0 mapping:ffff8801ccf60180 index:0x0 compound_mapcount: 0
flags: 0x2fffc0000008100(slab|head)
raw: 02fffc0000008100 ffffea000668d708 ffffea00066ddc88 ffff8801ccf60180
raw: 0000000000000000 ffff880197f28340 0000000100000001 ffff8801a8cdeb80
page dumped because: kasan: bad access detected
page->mem_cgroup:ffff8801a8cdeb80

Memory state around the buggy address:
 ffff880197f28600: f2 f2 00 f2 f2 f2 f2 f2 f2 f2 f8 f2 f2 f2 f2 f2
 ffff880197f28680: f2 f2 00 f2 f2 f2 00 00 00 00 00 00 00 00 00 00
>ffff880197f28700: 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00
                                                          ^
 ffff880197f28780: f2 f2 f2 f2 f2 f2 f2 00 f2 f2 f2 f2 f2 f2 f2 00
 ffff880197f28800: f2 f2 f2 f2 f2 f2 f2 f8 f2 f2 f2 f2 f2 f2 f2 00
==================================================================
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] SMP KASAN
CPU: 1 PID: 4454 Comm: syz-executor6 Tainted: G    B             4.18.0-rc3+ #48
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:__read_once_size include/linux/compiler.h:188 [inline]
RIP: 0010:wait_consider_task+0xeb/0x39b0 kernel/exit.c:1342
Code: 65 48 8b 04 25 28 00 00 00 48 89 45 d0 31 c0 e8 bb d6 33 00 49 8d b4 24 2c 04 00 00 48 89 f0 48 89 b5 e0 fd ff ff 48 c1 e8 03 <0f> b6 14 18 48 89 f0 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85 f6
RSP: 0018:ffff88019f1cf788 EFLAGS: 00010207
RAX: 00000000192ff563 RBX: dffffc0000000000 RCX: ffffffff8148774f
RDX: 0000000000000000 RSI: 00000000c97fab1c RDI: ffff88019f1cfc28
RBP: ffff88019f1cfa20 R08: ffff8801c97fa700 R09: fffffbfff1205390
R10: fffffbfff1205390 R11: ffffffff89029c83 R12: 00000000c97fa6f0
R13: ffff88019f1cfc28 R14: 00000000c97fa6f0 R15: ffff88019f1cfc28
FS:  0000000001c0c940(0000) GS:ffff8801daf00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fb9c2121000 CR3: 000000019f183000 CR4: 00000000001406e0
DR0: 0000000020000080 DR1: 0000000020000080 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000600
Call Trace:
 do_wait_thread kernel/exit.c:1451 [inline]
 do_wait+0x477/0xb80 kernel/exit.c:1522
 kernel_wait4+0x247/0x3f0 kernel/exit.c:1665
 __do_sys_wait4+0x137/0x150 kernel/exit.c:1677
 __se_sys_wait4 kernel/exit.c:1673 [inline]
 __x64_sys_wait4+0x97/0xf0 kernel/exit.c:1673
 do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x40feaa
Code: 0f 83 1a 17 00 00 c3 66 0f 1f 84 00 00 00 00 00 8b 05 ee 60 63 00 85 c0 75 36 45 31 d2 48 63 d2 48 63 ff b8 3d 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 06 c3 0f 1f 44 00 00 48 c7 c2 d4 ff ff ff f7
RSP: 002b:00007ffc1c928278 EFLAGS: 00000246 ORIG_RAX: 000000000000003d
RAX: ffffffffffffffda RBX: 000000000005adfb RCX: 000000000040feaa
RDX: 0000000040000001 RSI: 00007ffc1c928294 RDI: ffffffffffffffff
RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000001c0c940
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000002
R13: 0000000000000b2f R14: 00007ffc1c928920 R15: 000000000005adf5
Modules linked in:

------------[ cut here ]------------
refcount_t: underflow; use-after-free.
WARNING: CPU: 0 PID: 2956 at lib/refcount.c:187 refcount_sub_and_test+0x2e7/0x350 lib/refcount.c:187
Kernel panic - not syncing: panic_on_warn set ...

CPU: 0 PID: 2956 Comm: syz-executor1 Not tainted 4.18.0-rc3+ #48
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1c9/0x2b4 lib/dump_stack.c:113
 panic+0x238/0x4e7 kernel/panic.c:184
 __warn.cold.8+0x163/0x1ba kernel/panic.c:536
 report_bug+0x252/0x2d0 lib/bug.c:186
 fixup_bug arch/x86/kernel/traps.c:178 [inline]
 do_error_trap+0x1fc/0x4d0 arch/x86/kernel/traps.c:296
 do_invalid_op+0x1b/0x20 arch/x86/kernel/traps.c:316
 invalid_op+0x14/0x20 arch/x86/entry/entry_64.S:992
RIP: 0010:refcount_sub_and_test+0x2e7/0x350 lib/refcount.c:187
Code: 89 de e8 ec c0 1c fe 84 db 74 07 31 db e9 46 ff ff ff e8 0c c0 1c fe 48 c7 c7 a0 41 1a 88 c6 05 cd 82 3a 06 01 e8 d9 e2 e7 fd <0f> 0b 31 db e9 25 ff ff ff 48 8b bd 28 ff ff ff 89 85 34 ff ff ff
RSP: 0018:ffff8801dae07228 EFLAGS: 00010282
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 0000000000000100 RSI: ffffffff81631851 RDI: ffff8801dae06f00
RBP: ffff8801dae07310 R08: ffff8801a85dc1c0 R09: fffffbfff11f11e4
R10: fffffbfff11f11e4 R11: ffffffff88f88f23 R12: 00000000fffffb01
R13: ffff8801dae072e8 R14: 00000000000004ff R15: ffff8801dae07468
 tcp_wfree+0x104/0x770 net/ipv4/tcp_output.c:924
 skb_release_head_state+0x15f/0x2e0 net/core/skbuff.c:612
 skb_release_all+0x15/0x60 net/core/skbuff.c:625
 __kfree_skb net/core/skbuff.c:641 [inline]
 kfree_skb+0x19d/0x580 net/core/skbuff.c:659
 ndisc_error_report+0xde/0x1c0 net/ipv6/ndisc.c:696
 neigh_invalidate+0x246/0x550 net/core/neighbour.c:894
 neigh_timer_handler+0xb0d/0xdf0 net/core/neighbour.c:980
 call_timer_fn+0x242/0x970 kernel/time/timer.c:1326
 expire_timers kernel/time/timer.c:1363 [inline]
 __run_timers+0x7a6/0xc70 kernel/time/timer.c:1666
 run_timer_softirq+0x4c/0x70 kernel/time/timer.c:1692
 __do_softirq+0x2e8/0xb17 kernel/softirq.c:288
 invoke_softirq kernel/softirq.c:368 [inline]
 irq_exit+0x1d1/0x200 kernel/softirq.c:408
 exiting_irq arch/x86/include/asm/apic.h:527 [inline]
 smp_apic_timer_interrupt+0x186/0x730 arch/x86/kernel/apic/apic.c:1052
 apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:863
Dumping ftrace buffer:
---------------------------------
syz-exec-17556 1...2 160403509us : 0: }D
syz-exec-17556 1...2 160403515us : 0: }D
syz-exec-17556 1...2 160403518us : 0: }D
syz-exec-17556 1...2 160403521us : 0: }D
syz-exec-17556 1...2 160403524us : 0: }D
syz-exec-17556 1...2 160403526us : 0: }D
syz-exec-17556 1...2 160403529us : 0: }D
syz-exec-17556 1...2 160403531us : 0: }D
syz-exec-17556 1...2 160403533us : 0: }D
syz-exec-17556 1...2 160403536us : 0: }D
syz-exec-17556 1...2 160403539us : 0: }D
syz-exec-17556 1...2 160403541us : 0: }D
syz-exec-17556 1...2 160403543us : 0: }D
syz-exec-17556 1...2 160403546us : 0: }D
syz-exec-17556 1...2 160403548us : 0: }D
syz-exec-17556 1...2 160403550us : 0: }D
syz-exec-17556 1...2 160403553us : 0: }D
syz-exec-17556 1...2 160403555us : 0: }D
syz-exec-17556 1...2 160403557us : 0: }D
syz-exec-17556 1...2 160403559us : 0: }D
syz-exec-17556 1...2 160403562us : 0: }D
syz-exec-17556 1...2 160403564us : 0: }D
syz-exec-17556 1...2 160403567us : 0: }D
syz-exec-17556 1...2 160403569us : 0: }D
syz-exec-17556 1...2 160403572us : 0: }D
syz-exec-17556 1...2 160403574us : 0: }D
syz-exec-17556 1...2 160403576us : 0: }D
syz-exec-17556 1...2 160403579us : 0: }D
syz-exec-17556 1...2 160403582us : 0: }D
syz-exec-17556 1...2 160403584us : 0: }D
syz-exec-17556 1...2 160403587us : 0: }D
syz-exec-17556 1...2 160403590us : 0: }D
syz-exec-17556 1...2 160403592us : 0: }D
syz-exec-17556 1...2 160403595us : 0: }D
syz-exec-17556 1...2 160403598us : 0: }D
syz-exec-17556 1...2 160403600us : 0: }D
syz-exec-17556 1...2 160403603us : 0: }D
syz-exec-17556 1...2 160403605us : 0: }D
syz-exec-17556 1...2 160403608us : 0: }D
syz-exec-17556 1...2 160403611us : 0: }D
syz-exec-17556 1...2 160403613us : 0: }D
syz-exec-17556 1...2 160403616us : 0: }D
syz-exec-17556 1...2 160403619us : 0: }D
syz-exec-17556 1...2 160403622us : 0: }D
syz-exec-17556 1...2 160403624us : 0: }D
syz-exec-17556 1...2 160403627us : 0: }D
syz-exec-17556 1...2 160403629us : 0: }D
syz-exec-17556 1...2 160403631us : 0: }D
syz-exec-17556 1...2 160403634us : 0: }D
syz-exec-17556 1...2 160403636us : 0: }D
syz-exec-17556 1...2 160403639us : 0: }D
syz-exec-17556 1...2 160403642us : 0: }D
syz-exec-17556 1...2 160403644us : 0: }D
syz-exec-17556 1...2 160403647us : 0: }D
syz-exec-17556 1...2 160403650us : 0: }D
syz-exec-17556 1...2 160403652us : 0: }D
syz-exec-17556 1...2 160403655us : 0: }D
syz-exec-17556 1...2 160403657us : 0: }D
syz-exec-17556 1...2 160403660us : 0: }D
syz-exec-17556 1...2 160403662us : 0: }D
syz-exec-17556 1...2 160403665us : 0: }D
syz-exec-17556 1...2 160403668us : 0: }D
syz-exec-17556 1...2 160403670us : 0: }D
syz-exec-17556 1...2 160403673us : 0: }D
syz-exec-17556 1...2 160403676us : 0: }D
syz-exec-17556 1...2 160403679us : 0: }D
syz-exec-17556 1...2 160403681us : 0: }D
syz-exec-17556 1...2 160403684us : 0: }D
syz-exec-17556 1...2 160403686us : 0: }D
syz-exec-17556 1...2 160403688us : 0: }D
syz-exec-17556 1...2 160403690us : 0: }D
syz-exec-17556 1...2 160403693us : 0: }D
syz-exec-17556 1...2 160403695us : 0: }D
syz-exec-17556 1...2 160403697us : 0: }D
syz-exec-17556 1...2 160403699us : 0: }D
syz-exec-17556 1...2 160403702us : 0: }D
syz-exec-17556 1...2 160403704us : 0: }D
syz-exec-17556 1...2 160403707us : 0: }D
syz-exec-17556 1...2 160403709us : 0: }D
syz-exec-17556 1...2 160403712us : 0: }D
syz-exec-17556 1...2 160403714us : 0: }D
syz-exec-17556 1...2 160403717us : 0: }D
syz-exec-17556 1...2 160403719us : 0: }D
syz-exec-17556 1...2 160403722us : 0: }D
syz-exec-17556 1...2 160403724us : 0: }D
syz-exec-17556 1...2 160403727us : 0: }D
syz-exec-17556 1...2 160403730us : 0: }D
syz-exec-17556 1...2 160403732us : 0: }D
syz-exec-17556 1...2 160403735us : 0: }D
syz-exec-17556 1...2 160403737us : 0: }D
syz-exec-17556 1...2 160403739us : 0: }D
syz-exec-17556 1...2 160403742us : 0: }D
syz-exec-17556 1...2 160403744us : 0: }D
syz-exec-17556 1...2 160403746us : 0: }D
syz-exec-17556 1...2 160403749us : 0: }D
syz-exec-17556 1...2 160403751us : 0: }D
syz-exec-17556 1...2 160403754us : 0: }D
syz-exec-17556 1...2 160403756us : 0: }D
syz-exec-17556 1...2 160403758us : 0: }D
syz-exec-17556 1...2 160403761us : 0: }D
syz-exec-17556 1...2 160403763us : 0: }D
syz-exec-17556 1...2 160403765us : 0: }D
syz-exec-17556 1...2 160403768us : 0: }D
syz-exec-17556 1...2 160403770us : 0: }D
syz-exec-17556 1...2 160403772us : 0: }D
syz-exec-17556 1...2 160403775us : 0: }D
syz-exec-17556 1...2 160403777us : 0: }D
syz-exec-17556 1...2 160403780us : 0: }D
syz-exec-17556 1...2 160403782us : 0: }D
syz-exec-17556 1...2 160403784us : 0: }D
syz-exec-17556 1...2 160403787us : 0: }D
syz-exec-17556 1...2 160403790us : 0: }D
syz-exec-17556 1...2 160403792us : 0: }D
syz-exec-17556 1...2 160403795us : 0: }D
syz-exec-17556 1...2 160403797us : 0: }D
syz-exec-17556 1...2 160403800us : 0: }D
syz-exec-17556 1...2 160403803us : 0: }D
syz-exec-17556 1...2 160403805us : 0: }D
syz-exec-17556 1...2 160403807us : 0: }D
syz-exec-17556 1...2 160403810us : 0: }D
syz-exec-17556 1...2 160403812us : 0: }D
syz-exec-17556 1...2 160403815us : 0: }D
syz-exec-17556 1...2 160403817us : 0: }D
syz-exec-17556 1...2 160403820us : 0: }D
syz-exec-17556 1...2 160403823us : 0: }D
syz-exec-17556 1...2 160403825us : 0: }D
syz-exec-17556 1...2 160403828us : 0: }D
syz-exec-17556 1...2 160403830us : 0: }D
syz-exec-17556 1...2 160403833us : 0: }D
syz-exec-17556 1...2 160403835us : 0: }D
syz-exec-17556 1...2 160403838us : 0: }D
syz-exec-17556 1...2 160403841us : 0: }D
syz-exec-17556 1...2 160403843us : 0: }D
syz-exec-17556 1...2 160403845us : 0: }D
syz-exec-17556 1...2 160403848us : 0: }D
syz-exec-17556 1...2 160403850us : 0: }D
syz-exec-17556 1...2 160403853us : 0: }D
syz-exec-17556 1...2 160403856us : 0: }D
syz-exec-17556 1...2 160403858us : 0: }D
syz-exec-17556 1...2 160403861us : 0: }D
syz-exec-17556 1...2 160403864us : 0: }D
syz-exec-17556 1...2 160403866us : 0: }D
syz-exec-17556 1...2 160403869us : 0: }D
syz-exec-17556 1...2 160403871us : 0: }D
syz-exec-17556 1...2 160403873us : 0: }D
syz-exec-17556 1...2 160403876us : 0: }D
syz-exec-17556 1...2 160403878us : 0: }D
syz-exec-17556 1...2 160403881us : 0: }D
syz-exec-17556 1...2 160403883us : 0: }D
syz-exec-17556 1...2 160403886us : 0: }D
syz-exec-17556 1...2 160403888us : 0: }D
syz-exec-17556 1...2 160403890us : 0: }D
syz-exec-17556 1...2 160403893us : 0: }D
syz-exec-17556 1...2 160403895us : 0: }D
syz-exec-17556 1...2 160403897us : 0: }D
syz-exec-17556 1...2 160403899us : 0: }D
syz-exec-17556 1...2 160403902us : 0: }D
syz-exec-17556 1...2 160403905us : 0: }D
syz-exec-17556 1...2 160403907us : 0: }D
syz-exec-17556 1...2 160403910us : 0: }D
syz-exec-17556 1...2 160403912us : 0: }D
syz-exec-17556 1...2 160403914us : 0: }D
syz-exec-17556 1...2 160403916us : 0: }D
syz-exec-17556 1...2 160403919us : 0: }D
syz-exec-17556 1...2 160403921us : 0: }D
syz-exec-17556 1...2 160403924us : 0: }D
syz-exec-17556 1...2 160403950us : 0: }D
syz-exec-17556 1...2 160403953us : 0: }D
syz-exec-17556 1...2 160403955us : 0: }D
syz-exec-17556 1...2 160403960us : 0: }D
syz-exec-17556 1...2 160403963us : 0: }D
syz-exec-17556 1...2 160403965us : 0: }D
syz-exec-17556 1...2 160403968us : 0: }D
syz-exec-17556 1...2 160403971us : 0: }D
syz-exec-17556 1...2 160403973us : 0: }D
syz-exec-17556 1...2 160403976us : 0: }D
syz-exec-17556 1...2 160403978us : 0: }D
syz-exec-17556 1...2 160403981us : 0: }D
syz-exec-17556 1...2 160403983us : 0: }D
syz-exec-17556 1...2 160403986us : 0: }D
syz-exec-17556 1...2 160403988us : 0: }D
syz-exec-17556 1...2 160403991us : 0: }D