------------[ cut here ]------------
kernel BUG at mm/slab.c:4421!
invalid opcode: 0000 [#1] SMP KASAN
CPU: 0 PID: 5034 Comm: syz-executor7 Not tainted 4.18.0-rc3+ #58
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:__check_heap_object+0xa7/0xb5 mm/slab.c:4446
Code: 48 c7 c7 e0 8b c0 88 e8 87 7a 08 00 5d c3 41 8b 91 04 01 00 00 48 29 c7 48 39 d7 77 be 48 01 d0 48 29 c8 48 39 f0 72 b3 5d c3 <0f> 0b 48 c7 c7 e0 8b c0 88 e8 6d 81 08 00 44 89 e1 4c 8d 45 c4 48 
RSP: 0018:ffff8801953bfa10 EFLAGS: 00010246
RAX: 0000000000000001 RBX: 1ffff10032a77f49 RCX: 000000000000000b
RDX: ffff880191fff740 RSI: 0000000000000433 RDI: ffff880191fffffc
RBP: ffff8801953bfa10 R08: ffff8801ce882180 R09: ffff8801b89f9340
R10: 0000000000000855 R11: 0000000000000001 R12: ffff880191fffffc
R13: 0000000000000433 R14: 0000000000000001 R15: ffffea000647ffc0
FS:  00007f74d8a28700(0000) GS:ffff8801dae00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f74d8a27db8 CR3: 000000019d89b000 CR4: 00000000001406f0
DR0: 00000000200001c0 DR1: 0000000020000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000600
Call Trace:
 check_heap_object mm/usercopy.c:236 [inline]
 __check_object_size+0x4db/0x5f2 mm/usercopy.c:259
 check_object_size include/linux/thread_info.h:119 [inline]
 check_copy_size include/linux/thread_info.h:150 [inline]
 copy_to_user include/linux/uaccess.h:154 [inline]
 bpf_test_finish.isra.7+0xd9/0x1f0 net/bpf/test_run.c:59
 bpf_prog_test_run_skb+0x7d7/0xa30 net/bpf/test_run.c:144
 bpf_prog_test_run+0x130/0x1a0 kernel/bpf/syscall.c:1686
 __do_sys_bpf kernel/bpf/syscall.c:2323 [inline]
 __se_sys_bpf kernel/bpf/syscall.c:2267 [inline]
 __x64_sys_bpf+0x3d8/0x510 kernel/bpf/syscall.c:2267
 do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x455ab9
Code: 1d ba fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 eb b9 fb ff c3 66 2e 0f 1f 84 00 00 00 00 
RSP: 002b:00007f74d8a27c68 EFLAGS: 00000246 ORIG_RAX: 0000000000000141
RAX: ffffffffffffffda RBX: 00007f74d8a286d4 RCX: 0000000000455ab9
RDX: 0000000000000028 RSI: 0000000020000080 RDI: 000000000000000a
RBP: 000000000072bff0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
R13: 00000000004bb71f R14: 00000000004c8b00 R15: 0000000000000002
Modules linked in:
Dumping ftrace buffer:
---------------------------------
syz-exec-1658    0...2 283595072us : 0: }D
syz-exec-1658    0...2 283595079us : 0: }D
syz-exec-1658    0...2 283595082us : 0: }D
syz-exec-1658    0...2 283595084us : 0: }D
syz-exec-1658    0...2 283595087us : 0: }D
syz-exec-1658    0...2 283595089us : 0: }D
syz-exec-1658    0...2 283595092us : 0: }D
syz-exec-1658    0...2 283595095us : 0: }D
syz-exec-1658    0...2 283595097us : 0: }D
syz-exec-1658    0...2 283595100us : 0: }D
syz-exec-1658    0...2 283595102us : 0: }D
syz-exec-1658    0...2 283595105us : 0: }D
syz-exec-1658    0...2 283595107us : 0: }D
syz-exec-1658    0...2 283595110us : 0: }D
syz-exec-1658    0...2 283595113us : 0: }D
syz-exec-1658    0...2 283595115us : 0: }D
syz-exec-1658    0...2 283595118us : 0: }D
syz-exec-1658    0...2 283595120us : 0: }D
syz-exec-1658    0...2 283595123us : 0: }D
syz-exec-1658    0...2 283595125us : 0: }D
syz-exec-1658    0...2 283595128us : 0: }D
syz-exec-1658    0...2 283595131us : 0: }D
syz-exec-1658    0...2 283595133us : 0: }D
syz-exec-1658    0...2 283595135us : 0: }D
syz-exec-1658    0...2 283595138us : 0: }D
syz-exec-1658    0...2 283595140us : 0: }D
syz-exec-1658    0...2 283595143us : 0: }D
syz-exec-1658    0...2 283595145us : 0: }D
syz-exec-1658    0...2 283595148us : 0: }D
syz-exec-1658    0...2 283595150us : 0: }D
syz-exec-1658    0...2 283595152us : 0: }D
syz-exec-1658    0...2 283595154us : 0: }D
syz-exec-1658    0...2 283595157us : 0: }D
syz-exec-1658    0...2 283595159us : 0: }D
syz-exec-1658    0...2 283595162us : 0: }D
syz-exec-1658    0...2 283595164us : 0: }D
syz-exec-1658    0...2 283595167us : 0: }D
syz-exec-1658    0...2 283595169us : 0: }D
syz-exec-1658    0...2 283595172us : 0: }D
syz-exec-1658    0...2 283595174us : 0: }D
syz-exec-1658    0...2 283595177us : 0: }D
syz-exec-1658    0...2 283595179us : 0: }D
syz-exec-1658    0...2 283595181us : 0: }D
syz-exec-1658    0...2 283595183us : 0: }D
syz-exec-1658    0...2 283595185us : 0: }D
syz-exec-1658    0...2 283595188us : 0: }D
syz-exec-1658    0...2 283595190us : 0: }D
syz-exec-1658    0...2 283595193us : 0: }D
syz-exec-1658    0...2 283595195us : 0: }D
syz-exec-1658    0...2 283595198us : 0: }D
syz-exec-1658    0...2 283595201us : 0: }D
syz-exec-1658    0...2 283595203us : 0: }D
syz-exec-1658    0...2 283595206us : 0: }D
syz-exec-1658    0...2 283595208us : 0: }D
syz-exec-1658    0...2 283595210us : 0: }D
syz-exec-1658    0...2 283595212us : 0: }D
syz-exec-1658    0...2 283595214us : 0: }D
syz-exec-1658    0...2 283595216us : 0: }D
syz-exec-1658    0...2 283595219us : 0: }D
syz-exec-1658    0...2 283595221us : 0: }D
syz-exec-1658    0...2 283595224us : 0: }D
syz-exec-1658    0...2 283595226us : 0: }D
syz-exec-1658    0...2 283595228us : 0: }D
syz-exec-1658    0...2 283595231us : 0: }D
syz-exec-1658    0...2 283595234us : 0: }D
syz-exec-1658    0...2 283595236us : 0: }D
syz-exec-1658    0...2 283595239us : 0: }D
syz-exec-1658    0...2 283595241us : 0: }D
syz-exec-1658    0...2 283595244us : 0: }D
syz-exec-1658    0...2 283595246us : 0: }D
syz-exec-1658    0...2 283595249us : 0: }D
syz-exec-1658    0...2 283595251us : 0: }D
syz-exec-1658    0...2 283595254us : 0: }D
syz-exec-1658    0...2 283595257us : 0: }D
syz-exec-1658    0...2 283595259us : 0: }D
syz-exec-1658    0...2 283595262us : 0: }D
syz-exec-1658    0...2 283595264us : 0: }D
syz-exec-1658    0...2 283595267us : 0: }D
syz-exec-1658    0...2 283595269us : 0: }D
syz-exec-1658    0...2 283595272us : 0: }D
syz-exec-1658    0...2 283595275us : 0: }D
syz-exec-1658    0...2 283595277us : 0: }D
syz-exec-1658    0...2 283595280us : 0: }D
syz-exec-1658    0...2 283595282us : 0: }D
syz-exec-1658    0...2 283595285us : 0: }D
syz-exec-1658    0...2 283595287us : 0: }D
syz-exec-1658    0...2 283595290us : 0: }D
syz-exec-1658    0...2 283595292us : 0: }D
syz-exec-1658    0...2 283595295us : 0: }D
syz-exec-1658    0...2 283595297us : 0: }D
syz-exec-1658    0...2 283595300us : 0: }D
syz-exec-1658    0...2 283595303us : 0: }D
syz-exec-1658    0...2 283595305us : 0: }D
syz-exec-1658    0...2 283595308us : 0: }D
syz-exec-1658    0...2 283595310us : 0: }D
syz-exec-1658    0...2 283595313us : 0: }D
syz-exec-1658    0...2 283595315us : 0: }D
syz-exec-1658    0...2 283595318us : 0: }D
syz-exec-1658    0...2 283595320us : 0: }D
syz-exec-1658    0...2 283595323us : 0: }D
syz-exec-1658    0.N.2 283595326us : 0: }D
syz-exec-1658    0...2 283596188us : 0: }D
syz-exec-1658    0...2 283596191us : 0: }D
syz-exec-1658    0...2 283596193us : 0: }D
syz-exec-1658    0...2 283596196us : 0: }D
syz-exec-1658    0...2 283596199us : 0: }D
syz-exec-1658    0...2 283596201us : 0: }D
syz-exec-1658    0...2 283596203us : 0: }D
syz-exec-1658    0...2 283596206us : 0: }D
syz-exec-1658    0...2 283596209us : 0: }D
syz-exec-1658    0...2 283596211us : 0: }D
syz-exec-1658    0...2 283596214us : 0: }D
syz-exec-1658    0...2 283596216us : 0: }D
syz-exec-1658    0...2 283596220us : 0: }D
syz-exec-1658    0...2 283596222us : 0: }D
syz-exec-1658    0...2 283596225us : 0: }D
syz-exec-1658    0...2 283596228us : 0: }D
syz-exec-1658    0...2 283596231us : 0: }D
syz-exec-1658    0...2 283596233us : 0: }D
syz-exec-1658    0...2 283596236us : 0: }D
syz-exec-1658    0...2 283596239us : 0: }D
syz-exec-1658    0...2 283596242us : 0: }D
syz-exec-1658    0...2 283596245us : 0: }D
syz-exec-1658    0...2 283596247us : 0: }D
==================================================================
syz-exec-1658    0...2 283596251us : 0: }D
BUG: KASAN: use-after-free in _copy_to_user+0xe9/0x110 lib/usercopy.c:27
syz-exec-1658    0...2 283596253us : 0: }D
Read of size 1075 at addr ffff8801907ffffc by task syz-executor7/4985
syz-exec-1658    0...2 283596255us : 0: }D

CPU: 1 PID: 4985 Comm: syz-executor7 Not tainted 4.18.0-rc3+ #58
syz-exec-1658    0...2 283596258us : 0: }D
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
syz-exec-1658    0...2 283596262us : 0: }D
Call Trace:
syz-exec-1658    0...2 283596264us : 0: }D
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1c9/0x2b4 lib/dump_stack.c:113
syz-exec-1658    0...2 283596266us : 0: }D
syz-exec-1658    0...2 283596270us : 0: }D
syz-exec-1658    0...2 283596272us : 0: }D
syz-exec-1658    0...2 283596275us : 0: }D
syz-exec-1658    0...2 283596278us : 0: }D
 print_address_description+0x6c/0x20b mm/kasan/report.c:256
syz-exec-1658    0...2 283596281us : 0: }D
syz-exec-1658    0...2 283596284us : 0: }D
 kasan_report_error mm/kasan/report.c:354 [inline]
 kasan_report.cold.7+0x242/0x2fe mm/kasan/report.c:412
syz-exec-1658    0...2 283596286us : 0: }D
 check_memory_region_inline mm/kasan/kasan.c:260 [inline]
 check_memory_region+0x13e/0x1b0 mm/kasan/kasan.c:267
syz-exec-1658    0...2 283596289us : 0: }D
 kasan_check_read+0x11/0x20 mm/kasan/kasan.c:272
syz-exec-1658    0...2 283596292us : 0: }D
 _copy_to_user+0xe9/0x110 lib/usercopy.c:27
syz-exec-1658    0...2 283596295us : 0: }D
 copy_to_user include/linux/uaccess.h:155 [inline]
 bpf_test_finish.isra.7+0xee/0x1f0 net/bpf/test_run.c:59
syz-exec-1658    0...2 283596297us : 0: }D
syz-exec-1658    0...2 283596301us : 0: }D
syz-exec-1658    0...2 283596303us : 0: }D
syz-exec-1658    0...2 283596306us : 0: }D
 bpf_prog_test_run_skb+0x7d7/0xa30 net/bpf/test_run.c:144
syz-exec-1658    0...2 283596308us : 0: }D
syz-exec-1658    0...2 283596311us : 0: }D
syz-exec-1658    0...2 283596314us : 0: }D
syz-exec-1658    0...2 283596316us : 0: }D
syz-exec-1658    0...2 283596319us : 0: }D
syz-exec-1658    0...2 283596323us : 0: }D
 bpf_prog_test_run+0x130/0x1a0 kernel/bpf/syscall.c:1686
syz-exec-1658    0...2 283596325us : 0: }D
 __do_sys_bpf kernel/bpf/syscall.c:2323 [inline]
 __se_sys_bpf kernel/bpf/syscall.c:2267 [inline]
 __x64_sys_bpf+0x3d8/0x510 kernel/bpf/syscall.c:2267
syz-exec-1658    0...2 283596345us : 0: }D
syz-exec-1658    0...2 283596349us : 0: }D
syz-exec-1658    0...2 283596352us : 0: }D
syz-exec-1658    0...2 283596354us : 0: }D
 do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
syz-exec-1658    0...2 283596357us : 0: }D
syz-exec-1658    0...2 283596360us : 0: }D
syz-exec-1658    0...2 283596363us : 0: }D
syz-exec-1658    0...2 283596365us : 0: }D
syz-exec-1658    0...2 283596368us : 0: }D
syz-exec-1658    0...2 283596371us : 0: }D
syz-exec-1658    0...2 283596374us : 0: }D
syz-exec-1658    0...2 283596376us : 0: }D
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
syz-exec-1658    0...2 283596379us : 0: }D
RIP: 0033:0x455ab9
syz-exec-1658    0...2 283596382us : 0: }D
Code: 
syz-exec-1658    0...2 283596385us : 0: }D
1d 
syz-exec-1658    0...2 283596387us : 0: }D
ba 
syz-exec-1658    0...2 283596390us : 0: }D
fb 
syz-exec-1658    0...2 283596394us : 0: }D
ff 
syz-exec-1658    0...2 283596397us : 0: }D
c3 66 
syz-exec-1658    0...2 283596399us : 0: }D
2e 
syz-exec-1658    0...2 283596402us : 0: }D
0f 
syz-exec-1658    0...2 283596405us : 0: }D
1f 84 
syz-exec-1658    0...2 283596407us : 0: }D
00 00 
syz-exec-1658    0...2 283596410us : 0: }D
00 
syz-exec-1658    0...2 283596413us : 0: }D
00 
syz-exec-1658    0...2 283596416us : 0: }D
00 
syz-exec-1658    0...2 283596418us : 0: }D
66 
syz-exec-1658    0...2 283596422us : 0: }D
90 
syz-exec-1658    0...2 283596424us : 0: }D
48 89 
syz-exec-1658    0...2 283596427us : 0: }D
f8 
syz-exec-1658    0...2 283596429us : 0: }D
48 
syz-exec-1658    0...2 283596433us : 0: }D
89 
syz-exec-1658    0...2 283596435us : 0: }D
f7 
syz-exec-1658    0...2 283596438us : 0: }D
48 
syz-exec-1658    0...2 283596441us : 0: }D
89 d6 
syz-exec-1658    0...2 283596444us : 0: }D
48 
syz-exec-1658    0...2 283596446us : 0: }D
89 
syz-exec-1658    0...2 283596449us : 0: }D
ca 4d 
syz-exec-1658    0...2 283596452us : 0: }D
89 c2 
syz-exec-1658    0...2 283596455us : 0: }D
4d 
syz-exec-1658    0...2 283596457us : 0: }D
89 
syz-exec-1658    0...2 283596460us : 0: }D
c8 
syz-exec-1658    0...2 283596463us : 0: }D
4c 8b 
syz-exec-1658    0...2 283596466us : 0: }D
4c 
syz-exec-1658    0...2 283596469us : 0: }D
24 
syz-exec-1658    0...2 283596472us : 0: }D
08 0f 
syz-exec-1658    0...2 283596475us : 0: }D
05 
syz-exec-1658    0...2 283596477us : 0: }D
<48> 
syz-exec-1658    0...2 283596480us : 0: }D
3d 
syz-exec-1658    0...2 283596483us : 0: }D
01 
syz-exec-1658    0...2 283596486us : 0: }D
f0 ff 
syz-exec-1658    0...2 283596488us : 0: }D
ff 0f 
syz-exec-1658    0...2 283596491us : 0: }D
83 
syz-exec-1658    0...2 283596494us : 0: }D
eb 
syz-exec-1658    0...2 283596497us : 0: }D
b9 
syz-exec-1658    0...2 283596499us : 0: }D
fb ff 
syz-exec-1658    0...2 283596502us : 0: }D
c3 66 
syz-exec-1658    0...2 283596505us : 0: }D
2e 
syz-exec-1658    0...2 283596508us : 0: }D
0f 
syz-exec-1658    0...2 283596510us : 0: }D
1f 
syz-exec-1658    0...2 283596513us : 0: }D
84 
syz-exec-1658    0...2 283596516us : 0: }D
00 
syz-exec-1658    0...2 283596518us : 0: }D
00 
syz-exec-1658    0...2 283596521us : 0: }D
00 00 
syz-exec-1658    0...2 283596524us : 0: }D
syz-exec-1658    0...2 283596527us : 0: }D
RSP: 002b:00007f74d8a69c68 EFLAGS: 00000246
syz-exec-1658    0...2 283596529us : 0: }D
 ORIG_RAX: 0000000000000141
syz-exec-1658    0...2 283596532us : 0: }D
RAX: ffffffffffffffda RBX: 00007f74d8a6a6d4 RCX: 0000000000455ab9
syz-exec-1658    0...2 283596535us : 0: }D
RDX: 0000000000000028 RSI: 0000000020000080 RDI: 000000000000000a
syz-exec-1658    0...2 283596538us : 0: }D
RBP: 000000000072bea0 R08: 0000000000000000 R09: 0000000000000000
syz-exec-1658    0...2 283596540us : 0: }D
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
syz-exec-1658    0...2 283596543us : 0: }D
R13: 00000000004bb71f R14: 00000000004c8b00 R15: 0000000000000000
syz-exec-1658    0...2 283596546us : 0: }D

syz-exec-1658    0...2 283596549us : 0: }D
The buggy address belongs to the page:
syz-exec-1658    0...2 283596551us : 0: }D
page:ffffea000641ffc0 count:0 mapcount:0 mapping:0000000000000000 index:0x0
syz-exec-1658    0...2 283596554us : 0: }D
syz-exec-1658    0...2 283596557us : 0: }D
flags: 0x2fffc0000000000()
syz-exec-1658    0...2 283596559us : 0: }D
raw: 02fffc0000000000 0000000000000000 ffffea000641ffc8 0000000000000000
syz-exec-1658    0...2 283596562us : 0: }D
raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
syz-exec-1658    0...2 283596565us : 0: }D
page dumped because: kasan: bad access detected
syz-exec-1658    0...2 283596567us : 0: }D

syz-exec-1658    0...2 283596570us : 0: }D
Memory state around the buggy address:
syz-exec-1658    0...2 283596572us : 0: }D
 ffff8801907ffe80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
syz-exec-1658    0...2 283596575us : 0: }D
 ffff8801907fff00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
syz-exec-1658    0...2 283596577us : 0: }D
>ffff8801907fff80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
syz-exec-1658    0...2 283596580us : 0: }D
                                                                ^
syz-exec-1658    0...2 283596583us : 0: }D
 ffff880190800000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
syz-exec-1658    0...2 283596585us : 0: }D
 ffff880190800080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
syz-exec-1658    0...2 283596588us : 0: }D
==================================================================
syz-exec-1658    0...2 283596590us : 0: }D