================================================================== BUG: KASAN: use-after-free in copyin+0x84/0xb0 lib/iov_iter.c:150 Write of size 63 at addr ffff8881cb488140 by task syz-executor.0/13190 CPU: 0 PID: 13190 Comm: syz-executor.0 Tainted: G W 5.4.24-syzkaller-00181-g3334f0da669e #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x1b0/0x228 lib/dump_stack.c:118 print_address_description+0x96/0x5d0 mm/kasan/report.c:374 __kasan_report+0x14b/0x1c0 mm/kasan/report.c:506 kasan_report+0x26/0x50 mm/kasan/common.c:634 check_memory_region_inline mm/kasan/generic.c:182 [inline] check_memory_region+0x2c6/0x300 mm/kasan/generic.c:192 __kasan_check_write+0x14/0x20 mm/kasan/common.c:98 copyin+0x84/0xb0 lib/iov_iter.c:150 copy_page_from_iter_iovec lib/iov_iter.c:295 [inline] copy_page_from_iter+0x397/0x670 lib/iov_iter.c:921 tun_build_skb drivers/net/tun.c:1681 [inline] tun_get_user+0x721/0x3d10 drivers/net/tun.c:1818 tun_chr_write_iter+0x134/0x1c0 drivers/net/tun.c:2026 do_iter_readv_writev+0x5fa/0x890 include/linux/fs.h:1919 do_iter_write+0x180/0x590 fs/read_write.c:973 vfs_writev fs/read_write.c:1018 [inline] do_writev+0x2cd/0x560 fs/read_write.c:1061 __do_sys_writev fs/read_write.c:1134 [inline] __se_sys_writev fs/read_write.c:1131 [inline] __x64_sys_writev+0x7d/0x90 fs/read_write.c:1131 do_syscall_64+0xc0/0x100 arch/x86/entry/common.c:290 entry_SYSCALL_64_after_hwframe+0x44/0xa9 RIP: 0033:0x45c361 Code: 75 14 b8 14 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 e4 b7 fb ff c3 48 83 ec 08 e8 fa 2c 00 00 48 89 04 24 b8 14 00 00 00 0f 05 <48> 8b 3c 24 48 89 c2 e8 43 2d 00 00 48 89 d0 48 83 c4 08 48 3d 01 RSP: 002b:00007fb441526bc0 EFLAGS: 00000293 ORIG_RAX: 0000000000000014 RAX: ffffffffffffffda RBX: 000000000000003f RCX: 000000000045c361 RDX: 0000000000000001 RSI: 00007fb441526bf0 RDI: 00000000000000f0 RBP: 0000000020002b00 R08: 0000000000000000 R09: 0000000000000000 R10: ffffffffffffffff R11: 0000000000000293 R12: 00000000ffffffff R13: 0000000000000bad R14: 00000000004cd993 R15: 000000000076bf2c Allocated by task 293: save_stack mm/kasan/common.c:69 [inline] set_track mm/kasan/common.c:77 [inline] __kasan_kmalloc+0x117/0x1b0 mm/kasan/common.c:510 kasan_slab_alloc+0xe/0x10 mm/kasan/common.c:518 slab_post_alloc_hook mm/slab.h:584 [inline] slab_alloc_node mm/slub.c:2758 [inline] slab_alloc mm/slub.c:2766 [inline] kmem_cache_alloc+0x120/0x2b0 mm/slub.c:2771 getname_flags+0xba/0x640 fs/namei.c:141 user_path_at_empty+0x2d/0x50 fs/namei.c:2699 do_readlinkat+0x10c/0x3d0 fs/stat.c:399 __do_sys_readlink fs/stat.c:432 [inline] __se_sys_readlink fs/stat.c:429 [inline] __x64_sys_readlink+0x7f/0x90 fs/stat.c:429 do_syscall_64+0xc0/0x100 arch/x86/entry/common.c:290 entry_SYSCALL_64_after_hwframe+0x44/0xa9 Freed by task 293: save_stack mm/kasan/common.c:69 [inline] set_track mm/kasan/common.c:77 [inline] kasan_set_free_info mm/kasan/common.c:332 [inline] __kasan_slab_free+0x168/0x220 mm/kasan/common.c:471 kasan_slab_free+0xe/0x10 mm/kasan/common.c:480 slab_free_hook mm/slub.c:1424 [inline] slab_free_freelist_hook mm/slub.c:1457 [inline] slab_free mm/slub.c:3004 [inline] kmem_cache_free+0x181/0x7a0 mm/slub.c:3020 putname fs/namei.c:262 [inline] filename_lookup+0x4e6/0x6c0 fs/namei.c:2442 user_path_at_empty+0x40/0x50 fs/namei.c:2699 do_readlinkat+0x10c/0x3d0 fs/stat.c:399 __do_sys_readlink fs/stat.c:432 [inline] __se_sys_readlink fs/stat.c:429 [inline] __x64_sys_readlink+0x7f/0x90 fs/stat.c:429 do_syscall_64+0xc0/0x100 arch/x86/entry/common.c:290 entry_SYSCALL_64_after_hwframe+0x44/0xa9 The buggy address belongs to the object at ffff8881cb488000 which belongs to the cache names_cache of size 4096 The buggy address is located 320 bytes inside of 4096-byte region [ffff8881cb488000, ffff8881cb489000) The buggy address belongs to the page: page:ffffea00072d2200 refcount:1 mapcount:0 mapping:ffff8881da8e4000 index:0x0 compound_mapcount: 0 flags: 0x8000000000010200(slab|head) raw: 8000000000010200 dead000000000100 dead000000000122 ffff8881da8e4000 raw: 0000000000000000 0000000000070007 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff8881cb488000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8881cb488080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff8881cb488100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff8881cb488180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8881cb488200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ================================================================== BUG: Bad page state in process syz-executor.0 pfn:1cb488 page:ffffea00072d2200 refcount:0 mapcount:0 mapping:ffff8881da8e4000 index:0x0 compound_mapcount: 0 flags: 0x8000000000010200(slab|head) raw: 8000000000010200 dead000000000100 dead000000000122 ffff8881da8e4000 raw: 0000000000000000 0000000000070007 00000000ffffffff 0000000000000000 page dumped because: PAGE_FLAGS_CHECK_AT_FREE flag(s) set bad because of flags: 0x200(slab) Modules linked in: CPU: 0 PID: 13190 Comm: syz-executor.0 Tainted: G B W 5.4.24-syzkaller-00181-g3334f0da669e #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x1b0/0x228 lib/dump_stack.c:118 bad_page+0x262/0x290 mm/page_alloc.c:661 free_pages_check_bad mm/page_alloc.c:1062 [inline] free_pages_check mm/page_alloc.c:1071 [inline] free_pages_prepare mm/page_alloc.c:1169 [inline] __free_pages_ok+0x759/0xd80 mm/page_alloc.c:1432 free_compound_page+0x67/0x90 mm/page_alloc.c:686 __put_compound_page mm/swap.c:97 [inline] __put_page+0xf7/0x120 mm/swap.c:113 put_page include/linux/mm.h:1050 [inline] tun_build_skb drivers/net/tun.c:1734 [inline] tun_get_user+0x29ee/0x3d10 drivers/net/tun.c:1818 tun_chr_write_iter+0x134/0x1c0 drivers/net/tun.c:2026 do_iter_readv_writev+0x5fa/0x890 include/linux/fs.h:1919 do_iter_write+0x180/0x590 fs/read_write.c:973 vfs_writev fs/read_write.c:1018 [inline] do_writev+0x2cd/0x560 fs/read_write.c:1061 __do_sys_writev fs/read_write.c:1134 [inline] __se_sys_writev fs/read_write.c:1131 [inline] __x64_sys_writev+0x7d/0x90 fs/read_write.c:1131 do_syscall_64+0xc0/0x100 arch/x86/entry/common.c:290 entry_SYSCALL_64_after_hwframe+0x44/0xa9 RIP: 0033:0x45c361 Code: 75 14 b8 14 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 e4 b7 fb ff c3 48 83 ec 08 e8 fa 2c 00 00 48 89 04 24 b8 14 00 00 00 0f 05 <48> 8b 3c 24 48 89 c2 e8 43 2d 00 00 48 89 d0 48 83 c4 08 48 3d 01 RSP: 002b:00007fb441526bc0 EFLAGS: 00000293 ORIG_RAX: 0000000000000014 RAX: ffffffffffffffda RBX: 000000000000003f RCX: 000000000045c361 RDX: 0000000000000001 RSI: 00007fb441526bf0 RDI: 00000000000000f0 RBP: 0000000020002b00 R08: 0000000000000000 R09: 0000000000000000 R10: ffffffffffffffff R11: 0000000000000293 R12: 00000000ffffffff R13: 0000000000000bad R14: 00000000004cd993 R15: 000000000076bf2c