hid-generic 0000:0000:0000.0013: unknown main item tag 0x0 hid-generic 0000:0000:0000.0013: unknown main item tag 0x0 hid-generic 0000:0000:0000.0013: unknown main item tag 0x0 hid-generic 0000:0000:0000.0013: unknown main item tag 0x0 ================================================================== BUG: KASAN: use-after-free in __write_once_size include/linux/compiler.h:247 [inline] BUG: KASAN: use-after-free in __hlist_del include/linux/list.h:632 [inline] BUG: KASAN: use-after-free in hlist_del_rcu include/linux/rculist.h:340 [inline] BUG: KASAN: use-after-free in nf_nat_cleanup_conntrack+0x1ca/0x1e0 net/netfilter/nf_nat_core.c:691 Write of size 8 at addr ffff8801c1b760f8 by task kworker/0:0/4 CPU: 0 PID: 4 Comm: kworker/0:0 Not tainted 4.4.174+ #17 Workqueue: events uhid_device_add_worker 0000000000000000 dc1a975669efef1d ffff8801db607a10 ffffffff81aad1a1 0000000000000001 ffffea000706dd80 ffff8801c1b760f8 0000000000000008 ffffffff82361100 ffff8801db607a48 ffffffff81490120 0000000000000001 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xc1/0x120 lib/dump_stack.c:51 [] print_address_description+0x6f/0x21b mm/kasan/report.c:252 [] kasan_report_error mm/kasan/report.c:351 [inline] [] kasan_report mm/kasan/report.c:408 [inline] [] kasan_report.cold+0x8c/0x2be mm/kasan/report.c:393 [] __asan_report_store8_noabort+0x17/0x20 mm/kasan/report.c:434 [] __write_once_size include/linux/compiler.h:247 [inline] [] __hlist_del include/linux/list.h:632 [inline] [] hlist_del_rcu include/linux/rculist.h:340 [inline] [] nf_nat_cleanup_conntrack+0x1ca/0x1e0 net/netfilter/nf_nat_core.c:691 [] __nf_ct_ext_destroy+0x140/0x2a0 net/netfilter/nf_conntrack_extend.c:40 [] nf_ct_ext_destroy include/net/netfilter/nf_conntrack_extend.h:80 [inline] [] nf_conntrack_free+0x77/0x120 net/netfilter/nf_conntrack_core.c:904 [] destroy_conntrack+0x270/0x380 net/netfilter/nf_conntrack_core.c:365 [] nf_conntrack_destroy+0x99/0x1a0 net/netfilter/core.c:389 [] nf_conntrack_put include/linux/skbuff.h:3377 [inline] [] skb_release_head_state+0x15a/0x210 net/core/skbuff.c:649 [] skb_release_all+0x16/0x60 net/core/skbuff.c:659 [] __kfree_skb net/core/skbuff.c:675 [inline] [] kfree_skb+0xf7/0x400 net/core/skbuff.c:696 [] inet_frag_rbtree_purge+0xaa/0xf0 net/ipv4/ip_fragment.c:761 [] inet_frag_destroy+0x21f/0x2c0 net/ipv4/inet_fragment.c:156 [] inet_frag_put include/net/inet_frag.h:124 [inline] [] ipq_put+0x34/0x40 net/ipv4/ip_fragment.c:164 [] ip_expire+0x14d/0x880 net/ipv4/ip_fragment.c:265 [] call_timer_fn+0x18d/0x850 kernel/time/timer.c:1185 [] __run_timers kernel/time/timer.c:1261 [inline] [] run_timer_softirq+0x51f/0xb70 kernel/time/timer.c:1444 [] __do_softirq+0x226/0xa3f kernel/softirq.c:273 [] invoke_softirq kernel/softirq.c:350 [inline] [] irq_exit+0x10a/0x150 kernel/softirq.c:391 [] exiting_irq arch/x86/include/asm/apic.h:652 [inline] [] smp_apic_timer_interrupt+0x7e/0xb0 arch/x86/kernel/apic/apic.c:926 [] apic_timer_interrupt+0x9d/0xb0 arch/x86/entry/entry_64.S:768 [] ? console_unlock kernel/printk/printk.c:2337 [inline] [] ? console_unlock+0x656/0xa10 kernel/printk/printk.c:2242 [] vprintk_emit+0x3b2/0x820 kernel/printk/printk.c:1837 [] dev_vprintk_emit+0x222/0x670 drivers/base/core.c:2205 [] dev_printk_emit+0xbb/0xf0 drivers/base/core.c:2216 [] __dev_printk+0x107/0x270 drivers/base/core.c:2228 [] dev_err+0xd8/0x110 drivers/base/core.c:2271 [] hid_parser_main+0x593/0x9a0 drivers/hid/hid-core.c:555 [] hid_open_report+0x34a/0x6a0 drivers/hid/hid-core.c:1010 [] hid_device_probe+0x255/0x4c0 drivers/hid/hid-core.c:2183 [] really_probe drivers/base/dd.c:310 [inline] [] driver_probe_device+0x205/0x680 drivers/base/dd.c:423 [] __device_attach_driver+0x1e2/0x240 drivers/base/dd.c:508 [] bus_for_each_drv+0x16f/0x200 drivers/base/bus.c:467 [] __device_attach+0x21d/0x320 drivers/base/dd.c:565 [] device_initial_probe+0x1b/0x20 drivers/base/dd.c:612 [] bus_probe_device+0x1e7/0x290 drivers/base/bus.c:561 [] device_add+0xa44/0x1490 drivers/base/core.c:1142 [] hid_add_device drivers/hid/hid-core.c:2656 [inline] [] hid_add_device+0x33b/0x990 drivers/hid/hid-core.c:2607 [] uhid_device_add_worker+0x3f/0x150 drivers/hid/uhid.c:68 [] process_one_work+0x825/0x1720 kernel/workqueue.c:2064 [] worker_thread+0x4e4/0xf50 kernel/workqueue.c:2196 [] kthread+0x273/0x310 kernel/kthread.c:211 [] ret_from_fork+0x55/0x80 arch/x86/entry/entry_64.S:537 The buggy address belongs to the page: page:ffffea000706dd80 count:0 mapcount:0 mapping: (null) index:0x0 flags: 0x4000000000000000() page dumped because: kasan: bad access detected Memory state around the buggy address: ffff8801c1b75f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ffff8801c1b76000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff >ffff8801c1b76080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ^ ffff8801c1b76100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ffff8801c1b76180: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ==================================================================