l2tp_core: tunl 4: sockfd_lookup(fd=7) returned -9 l2tp_core: tunl 4: sockfd_lookup(fd=8) returned -9 l2tp_core: tunl 4: sockfd_lookup(fd=7) returned -9 l2tp_core: tunl 4: sockfd_lookup(fd=7) returned -9 ================================================================== BUG: KASAN: use-after-free in __lock_acquire+0x387e/0x4b50 kernel/locking/lockdep.c:3092 Read of size 8 at addr ffff8801d14333a0 by task syz-executor0/4439 CPU: 0 PID: 4439 Comm: syz-executor0 Not tainted 4.4.125-g38f41ec #21 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 0000000000000000 c193559adff24fb8 ffff8801d151f620 ffffffff81d067bd ffffea0007450c00 ffff8801d14333a0 0000000000000000 ffff8801d14333a0 0000000000000000 ffff8801d151f658 ffffffff814fea83 ffff8801d14333a0 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xc1/0x124 lib/dump_stack.c:51 [] print_address_description+0x73/0x260 mm/kasan/report.c:252 [] kasan_report_error mm/kasan/report.c:351 [inline] [] kasan_report+0x285/0x370 mm/kasan/report.c:408 [] __asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:429 [] __lock_acquire+0x387e/0x4b50 kernel/locking/lockdep.c:3092 [] lock_acquire+0x15e/0x460 kernel/locking/lockdep.c:3592 [] __raw_spin_lock_bh include/linux/spinlock_api_smp.h:137 [inline] [] _raw_spin_lock_bh+0x3a/0x50 kernel/locking/spinlock.c:175 [] spin_lock_bh include/linux/spinlock.h:307 [inline] [] lock_sock_nested+0x43/0x120 net/core/sock.c:2451 [] lock_sock include/net/sock.h:1493 [inline] [] pppol2tp_release+0x50/0x310 net/l2tp/l2tp_ppp.c:493 [] sock_release+0x8d/0x1e0 net/socket.c:586 [] sock_close+0x16/0x20 net/socket.c:1037 [] __fput+0x233/0x6d0 fs/file_table.c:208 [] ____fput+0x15/0x20 fs/file_table.c:244 [] task_work_run+0x104/0x180 kernel/task_work.c:115 [] exit_task_work include/linux/task_work.h:21 [inline] [] do_exit+0x82a/0x2a10 kernel/exit.c:759 [] do_group_exit+0x108/0x320 kernel/exit.c:889 [] get_signal+0x4f2/0x1550 kernel/signal.c:2317 [] do_signal+0x8b/0x1d40 arch/x86/kernel/signal.c:712 [] exit_to_usermode_loop+0x11a/0x160 arch/x86/entry/common.c:248 [] prepare_exit_to_usermode arch/x86/entry/common.c:283 [inline] [] syscall_return_slowpath arch/x86/entry/common.c:348 [inline] [] do_syscall_32_irqs_on arch/x86/entry/common.c:398 [inline] [] do_fast_syscall_32+0x614/0x8a0 arch/x86/entry/common.c:459 [] sysenter_flags_fixed+0xd/0x17 Allocated by task 4439: [] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:63 [] save_stack+0x43/0xd0 mm/kasan/kasan.c:512 [] set_track mm/kasan/kasan.c:524 [inline] [] kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:616 [] __kmalloc+0x124/0x320 mm/slub.c:3613 [] kmalloc include/linux/slab.h:481 [inline] [] sk_prot_alloc+0x18c/0x310 net/core/sock.c:1354 [] sk_alloc+0x3a/0x3a0 net/core/sock.c:1419 [] pppol2tp_create+0x33/0x1f0 net/l2tp/l2tp_ppp.c:551 [] pppox_create+0xf1/0x200 drivers/net/ppp/pppox.c:121 [] __sock_create+0x3ac/0x640 net/socket.c:1177 [] sock_create net/socket.c:1217 [inline] [] SYSC_socket net/socket.c:1247 [inline] [] SyS_socket+0xf0/0x1b0 net/socket.c:1227 [] do_syscall_32_irqs_on arch/x86/entry/common.c:392 [inline] [] do_fast_syscall_32+0x321/0x8a0 arch/x86/entry/common.c:459 [] sysenter_flags_fixed+0xd/0x17 Freed by task 4439: [] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:63 [] save_stack+0x43/0xd0 mm/kasan/kasan.c:512 [] set_track mm/kasan/kasan.c:524 [inline] [] kasan_slab_free+0x72/0xc0 mm/kasan/kasan.c:589 [] slab_free_hook mm/slub.c:1383 [inline] [] slab_free_freelist_hook mm/slub.c:1405 [inline] [] slab_free mm/slub.c:2859 [inline] [] kfree+0xfc/0x300 mm/slub.c:3749 [] sk_prot_free net/core/sock.c:1391 [inline] [] sk_destruct+0x3f7/0x4c0 net/core/sock.c:1472 [] __sk_free+0x57/0x230 net/core/sock.c:1480 [] sk_free+0x30/0x40 net/core/sock.c:1491 [] sock_put include/net/sock.h:1639 [inline] [] pppol2tp_session_sock_put+0x5f/0x70 net/l2tp/l2tp_ppp.c:286 [] l2tp_tunnel_closeall+0x254/0x3b0 net/l2tp/l2tp_core.c:1277 [] l2tp_udp_encap_destroy+0x8b/0xf0 net/l2tp/l2tp_core.c:1300 [] udpv6_destroy_sock+0xb1/0xd0 net/ipv6/udp.c:1421 [] sk_common_release+0x6b/0x300 net/core/sock.c:2680 [] udp_lib_close+0x15/0x20 include/net/udp.h:190 [] inet_release+0xfa/0x1d0 net/ipv4/af_inet.c:435 [] inet6_release+0x50/0x70 net/ipv6/af_inet6.c:424 [] sock_release+0x8d/0x1e0 net/socket.c:586 [] sock_close+0x16/0x20 net/socket.c:1037 [] __fput+0x233/0x6d0 fs/file_table.c:208 [] ____fput+0x15/0x20 fs/file_table.c:244 [] task_work_run+0x104/0x180 kernel/task_work.c:115 [] tracehook_notify_resume include/linux/tracehook.h:191 [inline] [] exit_to_usermode_loop+0x13d/0x160 arch/x86/entry/common.c:252 [] prepare_exit_to_usermode arch/x86/entry/common.c:283 [inline] [] syscall_return_slowpath arch/x86/entry/common.c:348 [inline] [] do_syscall_32_irqs_on arch/x86/entry/common.c:398 [inline] [] do_fast_syscall_32+0x614/0x8a0 arch/x86/entry/common.c:459 [] sysenter_flags_fixed+0xd/0x17 The buggy address belongs to the object at ffff8801d1433300 which belongs to the cache kmalloc-2048 of size 2048 The buggy address is located 160 bytes inside of 2048-byte region [ffff8801d1433300, ffff8801d1433b00) The buggy address belongs to the page: kasan: CONFIG_KASAN_INLINE enabled kasan: GPF could be caused by NULL-ptr deref or user memory accessgeneral protection fault: 0000 [#1] PREEMPT SMP KASAN Dumping ftrace buffer: (ftrace buffer empty) Modules linked in: CPU: 1 PID: 3778 Comm: syz-executor0 Not tainted 4.4.125-g38f41ec #21 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 task: ffff8800ac9ee000 task.stack: ffff8800abc80000 RIP: 0010:[] [] __debug_check_no_obj_freed lib/debugobjects.c:689 [inline] RIP: 0010:[] [] debug_check_no_obj_freed+0x1a8/0x9b0 lib/debugobjects.c:726 RSP: 0000:ffff8800abc873c0 EFLAGS: 00010007 RAX: 0000000000000092 RBX: ffff8801d4a10000 RCX: 0000000000000003 RDX: 09ebe8eaa84be9aa RSI: ffff8800abc87450 RDI: ffffffff838a91b8 RBP: ffff8800abc874b8 R08: 1ffffffff0715237 R09: ffffffff850d1060 R10: dead000000000200 R11: 1ffff10015790e3e R12: 0000292965676170 R13: ffff8801d4a08000 R14: 4f5f4755425f4d56 R15: dffffc0000000000 FS: 0000000000000000(0000) GS:ffff8801db300000(0063) knlGS:0000000008c9e900 CS: 0010 DS: 002b ES: 002b CR0: 0000000080050033 CR2: 00000000ffab7ffc CR3: 00000000af350000 CR4: 0000000000160670 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Stack: ffff8800ac9ee000 ffff8800abc87450 0000000000000003 0000000000000092 1ffff10015790e86 ffffffff857a1340 ffff8801d4a10000 ffff8801d4a10000 dead000000000200 4f5f4755425f4d56 000000000003b900 fffffbfff0af4268 Call Trace: [] free_pages_prepare+0x4a9/0xb30 mm/page_alloc.c:1049 [] __free_pages_ok+0x1c/0xbd0 mm/page_alloc.c:1064 [] __free_pages+0x56/0x90 mm/page_alloc.c:3369 [] __free_kmem_pages+0x9/0x10 mm/page_alloc.c:3521 [] __free_slab+0xc3/0x1e0 mm/slub.c:1580 [] free_slab mm/slub.c:1615 [inline] [] discard_slab+0x2b/0x40 mm/slub.c:1621 [] unfreeze_partials.isra.69+0x12c/0x170 mm/slub.c:2115 [] put_cpu_partial+0xe7/0x1a0 mm/slub.c:2153 [] __slab_free+0x17c/0x2b0 mm/slub.c:2755 [] do_slab_free mm/slub.c:2851 [inline] [] ___cache_free+0xaa/0xc0 mm/slub.c:2872 [] qlink_free mm/kasan/quarantine.c:147 [inline] [] qlist_free_all+0x43/0xc0 mm/kasan/quarantine.c:166 [] quarantine_reduce+0x18f/0x1d0 mm/kasan/quarantine.c:259 [] kasan_kmalloc+0xca/0xe0 mm/kasan/kasan.c:601 [] kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:554 [] slab_post_alloc_hook mm/slub.c:1349 [inline] [] slab_alloc_node mm/slub.c:2615 [inline] [] slab_alloc mm/slub.c:2623 [inline] [] __kmalloc_track_caller+0xda/0x2c0 mm/slub.c:4153 [] kmemdup+0x24/0x50 mm/util.c:115 [] selinux_cred_prepare+0x43/0xa0 security/selinux/hooks.c:3581 [] security_prepare_creds+0x7d/0xb0 security/security.c:870 [] prepare_creds+0x226/0x310 kernel/cred.c:277 [] do_coredump+0x2e1/0x2980 fs/coredump.c:547 [] get_signal+0x5c2/0x1550 kernel/signal.c:2311 [] do_signal+0x8b/0x1d40 arch/x86/kernel/signal.c:712 [] exit_to_usermode_loop+0x11a/0x160 arch/x86/entry/common.c:248 [] prepare_exit_to_usermode+0xe3/0x100 arch/x86/entry/common.c:283 [] retint_user+0x8/0x3c Code: 48 c7 c6 40 5a 76 85 4c 8b 34 0e 4d 85 f6 0f 84 c5 03 00 00 49 ba 00 02 00 00 00 00 ad de 31 c9 48 8d 75 98 4c 89 f2 48 c1 ea 03 <42> 80 3c 3a 00 0f 85 f0 03 00 00 49 8d 7e 18 83 c1 01 49 8b 16 RIP [] __debug_check_no_obj_freed lib/debugobjects.c:689 [inline] RIP [] debug_check_no_obj_freed+0x1a8/0x9b0 lib/debugobjects.c:726 RSP ---[ end trace 7fe78f1ed8cdd9c5 ]---