================================================================== BUG: KASAN: use-after-free in __read_once_size include/linux/compiler.h:276 [inline] BUG: KASAN: use-after-free in dev_map_notification+0x4ef/0x5e0 kernel/bpf/devmap.c:406 Read of size 8 at addr ffff8801c5709d88 by task kworker/u4:2/27 CPU: 1 PID: 27 Comm: kworker/u4:2 Not tainted 4.13.0-rc4-next-20170811 #1 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Workqueue: netns cleanup_net Call Trace: __dump_stack lib/dump_stack.c:16 [inline] dump_stack+0x194/0x257 lib/dump_stack.c:52 print_address_description+0x7f/0x260 mm/kasan/report.c:252 kasan_report_error mm/kasan/report.c:351 [inline] kasan_report+0x24e/0x340 mm/kasan/report.c:409 __asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:430 __read_once_size include/linux/compiler.h:276 [inline] dev_map_notification+0x4ef/0x5e0 kernel/bpf/devmap.c:406 notifier_call_chain+0x136/0x2c0 kernel/notifier.c:93 __raw_notifier_call_chain kernel/notifier.c:394 [inline] raw_notifier_call_chain+0x2d/0x40 kernel/notifier.c:401 call_netdevice_notifiers_info+0x51/0x90 net/core/dev.c:1671 call_netdevice_notifiers net/core/dev.c:1687 [inline] rollback_registered_many+0x91c/0xe80 net/core/dev.c:7140 unregister_netdevice_many.part.108+0x87/0x420 net/core/dev.c:8189 unregister_netdevice_many+0xbb/0x100 net/core/dev.c:8188 sit_exit_net+0x470/0x690 net/ipv6/sit.c:1857 ops_exit_list.isra.6+0xae/0x150 net/core/net_namespace.c:142 cleanup_net+0x5c7/0xb50 net/core/net_namespace.c:483 process_one_work+0xbf3/0x1bc0 kernel/workqueue.c:2098 worker_thread+0x223/0x1860 kernel/workqueue.c:2233 kthread+0x35e/0x430 kernel/kthread.c:231 ret_from_fork+0x2a/0x40 arch/x86/entry/entry_64.S:431 Allocated by task 9926: save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59 save_stack+0x43/0xd0 mm/kasan/kasan.c:447 set_track mm/kasan/kasan.c:459 [inline] kasan_kmalloc+0xaa/0xd0 mm/kasan/kasan.c:551 __do_kmalloc mm/slab.c:3725 [inline] __kmalloc+0x120/0x710 mm/slab.c:3734 kmalloc include/linux/slab.h:498 [inline] bpf_map_area_alloc+0x2a/0x70 kernel/bpf/syscall.c:118 dev_map_alloc+0x62c/0xa30 kernel/bpf/devmap.c:127 find_and_alloc_map kernel/bpf/syscall.c:100 [inline] map_create kernel/bpf/syscall.c:324 [inline] SYSC_bpf kernel/bpf/syscall.c:1422 [inline] SyS_bpf+0xe1b/0x46a0 kernel/bpf/syscall.c:1403 entry_SYSCALL_64_fastpath+0x1f/0xbe Freed by task 3: save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59 save_stack+0x43/0xd0 mm/kasan/kasan.c:447 set_track mm/kasan/kasan.c:459 [inline] kasan_slab_free+0x6e/0xc0 mm/kasan/kasan.c:524 __cache_free mm/slab.c:3503 [inline] kfree+0xd3/0x260 mm/slab.c:3820 kvfree+0x36/0x60 mm/util.c:416 bpf_map_area_free+0x15/0x20 kernel/bpf/syscall.c:128 dev_map_free+0x452/0x5a0 kernel/bpf/devmap.c:191 bpf_map_free_deferred+0xac/0xd0 kernel/bpf/syscall.c:208 process_one_work+0xbf3/0x1bc0 kernel/workqueue.c:2098 worker_thread+0x223/0x1860 kernel/workqueue.c:2233 kthread+0x35e/0x430 kernel/kthread.c:231 ret_from_fork+0x2a/0x40 arch/x86/entry/entry_64.S:431 The buggy address belongs to the object at ffff8801c5708480 which belongs to the cache kmalloc-8192 of size 8192 The buggy address is located 6408 bytes inside of 8192-byte region [ffff8801c5708480, ffff8801c570a480) The buggy address belongs to the page: page:ffffea00063309c0 count:1 mapcount:0 mapping:ffff8801c5708480 index:0x0 compound_mapcount: 0 flags: 0x200000000008100(slab|head) raw: 0200000000008100 ffff8801c5708480 0000000000000000 0000000100000001 raw: ffffea0006341680 ffffea000630afe0 ffff8801dbc00a00 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff8801c5709c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8801c5709d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff8801c5709d80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff8801c5709e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8801c5709e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ==================================================================