==================================================================
BUG: KASAN: use-after-free in __list_add_valid+0x8f/0xac lib/list_debug.c:26
Read of size 8 at addr ffff8881ba0ee2b0 by task modprobe/12049

CPU: 1 PID: 12049 Comm: modprobe Not tainted 4.20.0-rc6-next-20181210+ #164
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x244/0x39d lib/dump_stack.c:113
 print_address_description.cold.4+0x9/0x1ff mm/kasan/report.c:187
 kasan_report.cold.5+0x1b/0x39 mm/kasan/report.c:317
 __asan_report_load8_noabort+0x14/0x20 mm/kasan/generic_report.c:135
 __list_add_valid+0x8f/0xac lib/list_debug.c:26
 __list_add include/linux/list.h:60 [inline]
 list_add_tail include/linux/list.h:93 [inline]
 neigh_alloc net/core/neighbour.c:395 [inline]
 ___neigh_create+0x14b7/0x2600 net/core/neighbour.c:553
 __neigh_create+0x30/0x40 net/core/neighbour.c:640
 ip6_finish_output2+0xa64/0x2940 net/ipv6/ip6_output.c:117
 ip6_finish_output+0x58c/0xc60 net/ipv6/ip6_output.c:154
 NF_HOOK_COND include/linux/netfilter.h:278 [inline]
 ip6_output+0x232/0x9d0 net/ipv6/ip6_output.c:171
 dst_output include/net/dst.h:444 [inline]
 NF_HOOK include/linux/netfilter.h:289 [inline]
 ndisc_send_skb+0x1005/0x1560 net/ipv6/ndisc.c:491
 ndisc_send_rs+0x134/0x6e0 net/ipv6/ndisc.c:685
 addrconf_rs_timer+0x314/0x690 net/ipv6/addrconf.c:3840
 call_timer_fn+0x272/0x920 kernel/time/timer.c:1325
 expire_timers kernel/time/timer.c:1362 [inline]
 __run_timers+0x7e5/0xc70 kernel/time/timer.c:1681
 run_timer_softirq+0x52/0xb0 kernel/time/timer.c:1694
 __do_softirq+0x308/0xb7e kernel/softirq.c:292
 invoke_softirq kernel/softirq.c:373 [inline]
 irq_exit+0x17f/0x1c0 kernel/softirq.c:413
 exiting_irq arch/x86/include/asm/apic.h:536 [inline]
 smp_apic_timer_interrupt+0x1cb/0x760 arch/x86/kernel/apic/apic.c:1061
 apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:807
RIP: 0010:lock_is_held_type+0x197/0x210 kernel/locking/lockdep.c:3887
Code: 00 00 48 89 fa 48 c1 ea 03 80 3c 02 00 75 63 48 83 3d 2c 2c 11 08 00 74 30 48 89 df 57 9d 0f 1f 44 00 00 48 83 c4 08 44 89 e8 <5b> 41 5c 41 5d 5d c3 48 83 c4 08 41 bd 01 00 00 00 5b 44 89 e8 41
RSP: 0018:ffff88817f4df4e8 EFLAGS: 00000286 ORIG_RAX: ffffffffffffff13
RAX: 0000000000000000 RBX: 0000000000000282 RCX: 0000000000000000
RDX: 1ffffffff12e4816 RSI: 00000000ffffffff RDI: 0000000000000282
RBP: ffff88817f4df500 R08: ffffffff81dbdbe1 R09: ffffed102fe9bf58
R10: ffff88817f4df9a0 R11: 0000000000000003 R12: ffff8881cb844200
R13: 0000000000000000 R14: ffffffff884b34e0 R15: 000000000000038c
 lock_is_held include/linux/lockdep.h:339 [inline]
 ___might_sleep+0x2bc/0x340 kernel/sched/core.c:6113
 __might_sleep+0x95/0x190 kernel/sched/core.c:6101
 __mutex_lock_common kernel/locking/mutex.c:908 [inline]
 __mutex_lock+0x138/0x16f0 kernel/locking/mutex.c:1072
 mutex_lock_nested+0x16/0x20 kernel/locking/mutex.c:1087
 seq_read+0x71/0x1150 fs/seq_file.c:161
 proc_reg_read+0x2a3/0x3d0 fs/proc/inode.c:227
 __vfs_read+0x117/0xa80 fs/read_write.c:416
 vfs_read+0x17f/0x3e0 fs/read_write.c:452
 ksys_read+0x101/0x260 fs/read_write.c:578
 __do_sys_read fs/read_write.c:588 [inline]
 __se_sys_read fs/read_write.c:586 [inline]
 __x64_sys_read+0x73/0xb0 fs/read_write.c:586
 do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x7f4b68bb8310
Code: 73 01 c3 48 8b 0d 28 4b 2b 00 31 d2 48 29 c2 64 89 11 48 83 c8 ff eb ea 90 90 83 3d e5 a2 2b 00 00 75 10 b8 00 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 31 c3 48 83 ec 08 e8 6e 8a 01 00 48 89 04 24
RSP: 002b:00007ffd6376f098 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
RAX: ffffffffffffffda RBX: 0000000000000fff RCX: 00007f4b68bb8310
RDX: 0000000000000fff RSI: 00007ffd6376f2e0 RDI: 0000000000000000
RBP: 0000000000000000 R08: 00007f4b692a0700 R09: 00007ffd6376f1b8
R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffd6376f2e0
R13: 0000000000000000 R14: 00007ffd6376f2e0 R15: 00007ffd6376f2e0

Allocated by task 11581:
 save_stack+0x43/0xd0 mm/kasan/common.c:73
 set_track mm/kasan/common.c:85 [inline]
 kasan_kmalloc+0xcb/0xd0 mm/kasan/common.c:482
 __do_kmalloc mm/slab.c:3709 [inline]
 __kmalloc+0x15d/0x760 mm/slab.c:3718
 kmalloc include/linux/slab.h:550 [inline]
 kzalloc include/linux/slab.h:740 [inline]
 neigh_alloc net/core/neighbour.c:375 [inline]
 ___neigh_create+0x13fc/0x2600 net/core/neighbour.c:553
 __neigh_create+0x30/0x40 net/core/neighbour.c:640
 ip6_finish_output2+0xa64/0x2940 net/ipv6/ip6_output.c:117
 ip6_finish_output+0x58c/0xc60 net/ipv6/ip6_output.c:154
 NF_HOOK_COND include/linux/netfilter.h:278 [inline]
 ip6_output+0x232/0x9d0 net/ipv6/ip6_output.c:171
 dst_output include/net/dst.h:444 [inline]
 NF_HOOK include/linux/netfilter.h:289 [inline]
 ip6_xmit+0xf1c/0x24d0 net/ipv6/ip6_output.c:275
 inet6_csk_xmit+0x378/0x630 net/ipv6/inet6_connection_sock.c:139
 __tcp_transmit_skb+0x1bb7/0x3bb0 net/ipv4/tcp_output.c:1160
 tcp_transmit_skb net/ipv4/tcp_output.c:1176 [inline]
 __tcp_retransmit_skb+0x7bd/0x2dc0 net/ipv4/tcp_output.c:2940
 tcp_retransmit_skb+0x2e/0x240 net/ipv4/tcp_output.c:2959
 tcp_retransmit_timer+0xca3/0x33d0 net/ipv4/tcp_timer.c:514
 tcp_write_timer_handler+0x2e6/0x950 net/ipv4/tcp_timer.c:600
 tcp_write_timer+0x111/0x1d0 net/ipv4/tcp_timer.c:620
 call_timer_fn+0x272/0x920 kernel/time/timer.c:1325
 expire_timers kernel/time/timer.c:1362 [inline]
 __run_timers+0x7e5/0xc70 kernel/time/timer.c:1681
 run_timer_softirq+0x52/0xb0 kernel/time/timer.c:1694
 __do_softirq+0x308/0xb7e kernel/softirq.c:292

Freed by task 11585:
 save_stack+0x43/0xd0 mm/kasan/common.c:73
 set_track mm/kasan/common.c:85 [inline]
 __kasan_slab_free+0x102/0x150 mm/kasan/common.c:444
 kasan_slab_free+0xe/0x10 mm/kasan/common.c:452
 __cache_free mm/slab.c:3485 [inline]
 kfree+0xcf/0x230 mm/slab.c:3804
 __rcu_reclaim kernel/rcu/rcu.h:233 [inline]
 rcu_do_batch kernel/rcu/tree.c:2452 [inline]
 invoke_rcu_callbacks kernel/rcu/tree.c:2773 [inline]
 rcu_process_callbacks+0xd91/0x15f0 kernel/rcu/tree.c:2754
 __do_softirq+0x308/0xb7e kernel/softirq.c:292

The buggy address belongs to the object at ffff8881ba0ee040
 which belongs to the cache kmalloc-1k of size 1024
The buggy address is located 624 bytes inside of
 1024-byte region [ffff8881ba0ee040, ffff8881ba0ee440)
The buggy address belongs to the page:
page:ffffea0006e83b80 count:1 mapcount:0 mapping:ffff8881da800ac0 index:0x0 compound_mapcount: 0
flags: 0x2fffc0000010200(slab|head)
raw: 02fffc0000010200 ffffea0006e99a88 ffffea0007657c08 ffff8881da800ac0
raw: 0000000000000000 ffff8881ba0ee040 0000000100000007 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8881ba0ee180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8881ba0ee200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8881ba0ee280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                     ^
 ffff8881ba0ee300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8881ba0ee380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================