Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x1c4/0x2b4 lib/dump_stack.c:113 dump_header+0x27b/0xf72 mm/oom_kill.c:441 ================================================================== BUG: KASAN: use-after-free in vhci_hub_control+0x1b6d/0x1be0 drivers/usb/usbip/vhci_hcd.c:441 Read of size 4 at addr ffff8801ce136e9c by task syz-executor2/25885 out_of_memory.cold.30+0xf/0x184 mm/oom_kill.c:1109 mem_cgroup_out_of_memory+0x15e/0x210 mm/memcontrol.c:1386 mem_cgroup_oom mm/memcontrol.c:1701 [inline] try_charge+0xc43/0x1690 mm/memcontrol.c:2260 mem_cgroup_try_charge+0x5ea/0xe10 mm/memcontrol.c:5912 mem_cgroup_try_charge_delay+0x1d/0xa0 mm/memcontrol.c:5927 wp_page_copy+0x46c/0x14f0 mm/memory.c:2514 do_wp_page+0x774/0x1390 mm/memory.c:2793 handle_pte_fault mm/memory.c:3999 [inline] __handle_mm_fault+0x2c60/0x53e0 mm/memory.c:4107 handle_mm_fault+0x54f/0xc70 mm/memory.c:4144 __do_page_fault+0x67d/0xed0 arch/x86/mm/fault.c:1395 do_page_fault+0xf2/0x7e0 arch/x86/mm/fault.c:1470 page_fault+0x1e/0x30 arch/x86/entry/entry_64.S:1161 RIP: 0023:0x8052253 Code: 68 3d 12 08 74 21 c7 43 04 70 3d 12 08 a1 6c 3d 12 08 89 08 8b 15 70 3d 12 08 89 42 04 a1 68 3d 12 08 a3 70 3d 12 08 8d 45 60 34 00 46 08 8b 4d 64 8b 55 60 89 4a 04 8b 4d 64 89 11 c7 05 34 RSP: 002b:000000000845fd60 EFLAGS: 00010246 RAX: 0000000008eb9960 RBX: 0000000008123d68 RCX: 0000000008123d70 RDX: 00000000080520d0 RSI: 000000000845fd80 RDI: 0000000000000000 RBP: 0000000008eb9900 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000216 R12: 0000000000000000 R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 CPU: 1 PID: 25885 Comm: syz-executor2 Not tainted 4.19.0-rc6+ #175 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x1c4/0x2b4 lib/dump_stack.c:113 Memory limit reached of cgroup print_address_description.cold.8+0x9/0x1ff mm/kasan/report.c:256 /syz4 kasan_report_error mm/kasan/report.c:354 [inline] kasan_report.cold.9+0x242/0x309 mm/kasan/report.c:412 __asan_report_load4_noabort+0x14/0x20 mm/kasan/report.c:432 memory: usage 204800kB, limit 204800kB, failcnt 1823 vhci_hub_control+0x1b6d/0x1be0 drivers/usb/usbip/vhci_hcd.c:441 memory+swap: usage 0kB, limit 9007199254740988kB, failcnt 0 kmem: usage 0kB, limit 9007199254740988kB, failcnt 0 Memory cgroup stats for rh_call_control drivers/usb/core/hcd.c:679 [inline] rh_urb_enqueue drivers/usb/core/hcd.c:838 [inline] usb_hcd_submit_urb+0x17bb/0x20a0 drivers/usb/core/hcd.c:1651 /syz4 : cache:152KB rss:48KB rss_huge:0KB shmem:0KB usb_submit_urb+0x893/0x14e0 drivers/usb/core/urb.c:570 mapped_file:0KB usb_start_wait_urb+0x13d/0x370 drivers/usb/core/message.c:57 dirty:132KB usb_internal_control_msg drivers/usb/core/message.c:101 [inline] usb_control_msg+0x332/0x4e0 drivers/usb/core/message.c:152 writeback:132KB proc_control+0x99b/0xef0 drivers/usb/core/devio.c:1106 swap:0KB usbdev_do_ioctl+0x1eb8/0x3b50 drivers/usb/core/devio.c:2412 inactive_anon:0KB active_anon:80KB inactive_file:0KB active_file:0KB unevictable:0KB Out of memory and no killable processes... syz-executor4 invoked oom-killer: gfp_mask=0x6000c0(GFP_KERNEL), nodemask=(null), order=0, oom_score_adj=-1000 syz-executor4 cpuset= syz4 mems_allowed=0 usbdev_compat_ioctl+0x24/0x30 drivers/usb/core/devio.c:2580 __do_compat_sys_ioctl fs/compat_ioctl.c:1419 [inline] __se_compat_sys_ioctl fs/compat_ioctl.c:1365 [inline] __ia32_compat_sys_ioctl+0x20e/0x630 fs/compat_ioctl.c:1365 do_syscall_32_irqs_on arch/x86/entry/common.c:326 [inline] do_fast_syscall_32+0x34d/0xfb2 arch/x86/entry/common.c:397 entry_SYSENTER_compat+0x70/0x7f arch/x86/entry/entry_64_compat.S:139 RIP: 0023:0xf7ff0ca9 Code: 85 d2 74 02 89 0a 5b 5d c3 8b 04 24 c3 8b 0c 24 c3 8b 1c 24 c3 90 90 90 90 90 90 90 90 90 90 90 90 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 eb 0d 90 90 90 90 90 90 90 90 90 90 90 90 RSP: 002b:00000000f5fec0cc EFLAGS: 00000296 ORIG_RAX: 0000000000000036 RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 00000000c0185500 RDX: 0000000020000100 RSI: 0000000000000000 RDI: 0000000000000000 RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000 R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 Allocated by task 25515: save_stack+0x43/0xd0 mm/kasan/kasan.c:448 set_track mm/kasan/kasan.c:460 [inline] kasan_kmalloc+0xc7/0xe0 mm/kasan/kasan.c:553 kmem_cache_alloc_trace+0x152/0x750 mm/slab.c:3620 kmalloc include/linux/slab.h:513 [inline] perf_event_mmap_event kernel/events/core.c:7255 [inline] perf_event_mmap+0x77b/0x1350 kernel/events/core.c:7453 mprotect_fixup+0x6d1/0xc60 mm/mprotect.c:445 do_mprotect_pkey+0x5d2/0xa60 mm/mprotect.c:555 __do_sys_mprotect mm/mprotect.c:580 [inline] __se_sys_mprotect mm/mprotect.c:577 [inline] __x64_sys_mprotect+0x78/0xb0 mm/mprotect.c:577 do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290 entry_SYSCALL_64_after_hwframe+0x49/0xbe Freed by task 25515: save_stack+0x43/0xd0 mm/kasan/kasan.c:448 set_track mm/kasan/kasan.c:460 [inline] __kasan_slab_free+0x102/0x150 mm/kasan/kasan.c:521 kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:528 __cache_free mm/slab.c:3498 [inline] kfree+0xcf/0x230 mm/slab.c:3813 perf_event_mmap_event kernel/events/core.c:7335 [inline] perf_event_mmap+0xd4f/0x1350 kernel/events/core.c:7453 mprotect_fixup+0x6d1/0xc60 mm/mprotect.c:445 do_mprotect_pkey+0x5d2/0xa60 mm/mprotect.c:555 __do_sys_mprotect mm/mprotect.c:580 [inline] __se_sys_mprotect mm/mprotect.c:577 [inline] __x64_sys_mprotect+0x78/0xb0 mm/mprotect.c:577 do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290 entry_SYSCALL_64_after_hwframe+0x49/0xbe The buggy address belongs to the object at ffff8801ce136740 which belongs to the cache kmalloc-4096 of size 4096 The buggy address is located 1884 bytes inside of 4096-byte region [ffff8801ce136740, ffff8801ce137740) The buggy address belongs to the page: page:ffffea0007384d80 count:1 mapcount:0 mapping:ffff8801da800dc0 index:0x0 compound_mapcount: 0 flags: 0x2fffc0000008100(slab|head) raw: 02fffc0000008100 ffffea00070b0788 ffffea00063ba608 ffff8801da800dc0 raw: 0000000000000000 ffff8801ce136740 0000000100000001 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff8801ce136d80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8801ce136e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff8801ce136e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff8801ce136f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8801ce136f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ==================================================================