================================================================== BUG: KASAN: use-after-free in __read_once_size include/linux/compiler.h:276 [inline] BUG: KASAN: use-after-free in dev_map_notification+0x4ef/0x5e0 kernel/bpf/devmap.c:406 Read of size 8 at addr ffff8800688b31a8 by task kworker/u8:0/5 CPU: 1 PID: 5 Comm: kworker/u8:0 Not tainted 4.13.0-rc5-next-20170815+ #3 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011 Workqueue: netns cleanup_net Call Trace: __dump_stack lib/dump_stack.c:16 [inline] dump_stack+0x194/0x257 lib/dump_stack.c:52 print_address_description+0x73/0x250 mm/kasan/report.c:252 kasan_report_error mm/kasan/report.c:351 [inline] kasan_report+0x24e/0x340 mm/kasan/report.c:409 __asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:430 __read_once_size include/linux/compiler.h:276 [inline] dev_map_notification+0x4ef/0x5e0 kernel/bpf/devmap.c:406 notifier_call_chain+0x136/0x2c0 kernel/notifier.c:93 __raw_notifier_call_chain kernel/notifier.c:394 [inline] raw_notifier_call_chain+0x2d/0x40 kernel/notifier.c:401 call_netdevice_notifiers_info+0x51/0x90 net/core/dev.c:1671 call_netdevice_notifiers net/core/dev.c:1687 [inline] rollback_registered_many+0x91c/0xe80 net/core/dev.c:7141 unregister_netdevice_many.part.107+0x87/0x420 net/core/dev.c:8190 unregister_netdevice_many+0xbb/0x100 net/core/dev.c:8189 sit_exit_net+0x470/0x690 net/ipv6/sit.c:1857 ops_exit_list.isra.6+0xae/0x150 net/core/net_namespace.c:142 cleanup_net+0x5c7/0xb50 net/core/net_namespace.c:483 process_one_work+0xbf3/0x1bc0 kernel/workqueue.c:2098 worker_thread+0x223/0x1860 kernel/workqueue.c:2233 kthread+0x35e/0x430 kernel/kthread.c:231 ret_from_fork+0x2a/0x40 arch/x86/entry/entry_64.S:431 Allocated by task 5265: save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59 save_stack+0x43/0xd0 mm/kasan/kasan.c:447 set_track mm/kasan/kasan.c:459 [inline] kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:551 __do_kmalloc mm/slab.c:3725 [inline] __kmalloc+0x162/0x760 mm/slab.c:3734 kmalloc include/linux/slab.h:498 [inline] bpf_map_area_alloc+0x2a/0x70 kernel/bpf/syscall.c:118 dev_map_alloc+0x62c/0xa30 kernel/bpf/devmap.c:127 find_and_alloc_map kernel/bpf/syscall.c:100 [inline] map_create kernel/bpf/syscall.c:324 [inline] SYSC_bpf kernel/bpf/syscall.c:1422 [inline] SyS_bpf+0xe1b/0x46a0 kernel/bpf/syscall.c:1403 entry_SYSCALL_64_fastpath+0x1f/0xbe Freed by task 3491: save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59 save_stack+0x43/0xd0 mm/kasan/kasan.c:447 set_track mm/kasan/kasan.c:459 [inline] kasan_slab_free+0x71/0xc0 mm/kasan/kasan.c:524 __cache_free mm/slab.c:3503 [inline] kfree+0xca/0x250 mm/slab.c:3820 kvfree+0x36/0x60 mm/util.c:416 bpf_map_area_free+0x15/0x20 kernel/bpf/syscall.c:128 dev_map_free+0x452/0x5a0 kernel/bpf/devmap.c:191 bpf_map_free_deferred+0xac/0xd0 kernel/bpf/syscall.c:208 process_one_work+0xbf3/0x1bc0 kernel/workqueue.c:2098 worker_thread+0x223/0x1860 kernel/workqueue.c:2233 kthread+0x35e/0x430 kernel/kthread.c:231 ret_from_fork+0x2a/0x40 arch/x86/entry/entry_64.S:431 The buggy address belongs to the object at ffff8800688b1a40 which belongs to the cache kmalloc-8192 of size 8192 The buggy address is located 5992 bytes inside of 8192-byte region [ffff8800688b1a40, ffff8800688b3a40) The buggy address belongs to the page: page:ffffea0001a22c00 count:1 mapcount:0 mapping:ffff8800688b1a40 index:0x0 compound_mapcount: 0 flags: 0x500000000008100(slab|head) raw: 0500000000008100 ffff8800688b1a40 0000000000000000 0000000100000001 raw: ffffea00015d0c20 ffffea0001a4d320 ffff88003e802080 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff8800688b3080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8800688b3100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff8800688b3180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff8800688b3200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8800688b3280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ==================================================================