================================================================== BUG: KASAN: use-after-free in deliver_ptype_list_skb net/core/dev.c:1871 [inline] BUG: KASAN: use-after-free in __netif_receive_skb_core+0x2be3/0x33d0 net/core/dev.c:4406 Read of size 2 at addr ffff8801c8576b80 by task syzkaller379800/2988 CPU: 0 PID: 2988 Comm: syzkaller379800 Not tainted 4.13.0-mm1+ #7 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:16 [inline] dump_stack+0x194/0x257 lib/dump_stack.c:52 print_address_description+0x73/0x250 mm/kasan/report.c:252 kasan_report_error mm/kasan/report.c:351 [inline] kasan_report+0x24e/0x340 mm/kasan/report.c:409 __asan_report_load2_noabort+0x14/0x20 mm/kasan/report.c:428 deliver_ptype_list_skb net/core/dev.c:1871 [inline] __netif_receive_skb_core+0x2be3/0x33d0 net/core/dev.c:4406 __netif_receive_skb+0x2c/0x1b0 net/core/dev.c:4461 netif_receive_skb_internal+0x10b/0x670 net/core/dev.c:4534 napi_skb_finish net/core/dev.c:4895 [inline] napi_gro_receive+0x3d0/0x500 net/core/dev.c:4926 receive_buf+0xcc5/0x51f0 drivers/net/virtio_net.c:841 virtnet_receive drivers/net/virtio_net.c:1087 [inline] virtnet_poll+0x304/0xad0 drivers/net/virtio_net.c:1168 napi_poll net/core/dev.c:5537 [inline] net_rx_action+0x792/0x1910 net/core/dev.c:5603 __do_softirq+0x2bb/0xbd0 kernel/softirq.c:284 invoke_softirq kernel/softirq.c:364 [inline] irq_exit+0x1d3/0x210 kernel/softirq.c:405 exiting_irq arch/x86/include/asm/apic.h:638 [inline] do_IRQ+0xf6/0x190 arch/x86/kernel/irq.c:253 common_interrupt+0x9d/0x9d arch/x86/entry/entry_64.S:598 RIP: 0010:lock_release+0x6d9/0xd70 kernel/locking/lockdep.c:4025 RSP: 0018:ffff8801d75066c0 EFLAGS: 00000296 ORIG_RAX: ffffffffffffff6e RAX: 0000000000000000 RBX: fffffffffffffffc RCX: 0000000000000000 RDX: 1ffffffff0b592fd RSI: 0000000000000004 RDI: ffffed003aea0cd8 RBP: ffff8801d75066e8 R08: 0000000000000000 R09: 1ffff1003aea0cb8 R10: ffff8801cead6200 R11: 0000000000000003 R12: ffff8801d75065c0 R13: ffff8801cead6200 R14: de2a526b9dff2449 R15: 0000000000000003 rcu_lock_release include/linux/rcupdate.h:249 [inline] rcu_read_unlock include/linux/rcupdate.h:686 [inline] __is_insn_slot_addr+0x225/0x330 kernel/kprobes.c:301 is_kprobe_insn_slot include/linux/kprobes.h:317 [inline] __kernel_text_address+0xa2/0xe0 kernel/extable.c:111 unwind_get_return_address+0x61/0xa0 arch/x86/kernel/unwind_frame.c:18 __save_stack_trace+0x7e/0xd0 arch/x86/kernel/stacktrace.c:45 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59 save_stack+0x43/0xd0 mm/kasan/kasan.c:447 set_track mm/kasan/kasan.c:459 [inline] kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:551 kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:489 slab_post_alloc_hook mm/slab.h:444 [inline] slab_alloc mm/slab.c:3397 [inline] kmem_cache_alloc+0x11b/0x760 mm/slab.c:3559 ptlock_alloc+0x24/0x70 mm/memory.c:4659 ptlock_init include/linux/mm.h:1729 [inline] pgtable_page_ctor include/linux/mm.h:1763 [inline] pte_alloc_one+0x59/0x100 arch/x86/mm/pgtable.c:31 __pte_alloc+0x2a/0x300 mm/memory.c:647 copy_pte_range mm/memory.c:1072 [inline] copy_pmd_range mm/memory.c:1148 [inline] copy_pud_range mm/memory.c:1182 [inline] copy_p4d_range mm/memory.c:1204 [inline] copy_page_range+0x18ba/0x27b0 mm/memory.c:1266 dup_mmap kernel/fork.c:711 [inline] dup_mm kernel/fork.c:1179 [inline] copy_mm+0xd68/0x1310 kernel/fork.c:1233 copy_process.part.36+0x1eae/0x4af0 kernel/fork.c:1735