BUG: sleeping function called from invalid context at ./include/linux/uaccess.h:71
in_atomic(): 1, irqs_disabled(): 0, pid: 6503, name: syz-executor5
2 locks held by syz-executor5/6503:
 #0:  (&vcpu->mutex){+.+.}, at: [] vcpu_load+0x1c/0x70 arch/x86/kvm/../../../virt/kvm/kvm_main.c:154
 #1:  (&kvm->srcu){....}, at: [] vcpu_enter_guest arch/x86/kvm/x86.c:7021 [inline]
 #1:  (&kvm->srcu){....}, at: [] vcpu_run arch/x86/kvm/x86.c:7100 [inline]
 #1:  (&kvm->srcu){....}, at: [] kvm_arch_vcpu_ioctl_run+0x1bdd/0x5a30 arch/x86/kvm/x86.c:7261
CPU: 2 PID: 6503 Comm: syz-executor5 Not tainted 4.13.0-next-20170914+ #4
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:16 [inline]
 dump_stack+0x194/0x257 lib/dump_stack.c:52
 ___might_sleep+0x2b2/0x470 kernel/sched/core.c:6015
 __might_sleep+0x95/0x190 kernel/sched/core.c:5968
 __might_fault+0xab/0x1d0 mm/memory.c:4499
 __copy_from_user include/linux/uaccess.h:71 [inline]
 paging32_walk_addr_generic+0x427/0x1d80 arch/x86/kvm/paging_tmpl.h:369
 paging32_walk_addr arch/x86/kvm/paging_tmpl.h:475 [inline]
 paging32_gva_to_gpa+0xa5/0x230 arch/x86/kvm/paging_tmpl.h:913
 kvm_read_guest_virt_helper+0xd8/0x140 arch/x86/kvm/x86.c:4436
 kvm_read_guest_virt_system+0x3c/0x50 arch/x86/kvm/x86.c:4503
 segmented_read_std+0x10c/0x180 arch/x86/kvm/emulate.c:822
 em_fxrstor+0x27b/0x410 arch/x86/kvm/emulate.c:4025
 x86_emulate_insn+0x55d/0x3cf0 arch/x86/kvm/emulate.c:5483
 x86_emulate_instruction+0x411/0x1ca0 arch/x86/kvm/x86.c:5735
 kvm_mmu_page_fault+0x1b0/0x2f0 arch/x86/kvm/mmu.c:4956
 handle_ept_violation+0x194/0x540 arch/x86/kvm/vmx.c:6502
 vmx_handle_exit+0x24b/0x1a60 arch/x86/kvm/vmx.c:8823
 vcpu_enter_guest arch/x86/kvm/x86.c:7038 [inline]
 vcpu_run arch/x86/kvm/x86.c:7100 [inline]
 kvm_arch_vcpu_ioctl_run+0x1d36/0x5a30 arch/x86/kvm/x86.c:7261
 kvm_vcpu_ioctl+0x64c/0x1010 arch/x86/kvm/../../../virt/kvm/kvm_main.c:2550
 vfs_ioctl fs/ioctl.c:45 [inline]
 do_vfs_ioctl+0x1b1/0x1530 fs/ioctl.c:685
 SYSC_ioctl fs/ioctl.c:700 [inline]
 SyS_ioctl+0x8f/0xc0 fs/ioctl.c:691
 entry_SYSCALL_64_fastpath+0x1f/0xbe
RIP: 0033:0x447299
RSP: 002b:00007f541bfb6c08 EFLAGS: 00000296 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 0000000000000019 RCX: 0000000000447299
RDX: 0000000000000000 RSI: 000000000000ae80 RDI: 0000000000000019
RBP: 0000000000000082 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000296 R12: 000000000000001a
R13: 0000000000005790 R14: 00000000006e8850 R15: 0000000000000019
skbuff: bad partial csum: csum=53081/14726 len=2273
Bearer <> rejected, not supported in standalone mode
Bearer <> rejected, not supported in standalone mode
kvm: MONITOR instruction emulated as NOP!
audit: type=1326 audit(1505367645.985:3066): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=kernel pid=6695 comm="syz-executor6" exe="/syz-executor6" sig=31 arch=c000003e syscall=202 compat=0 ip=0x447299 code=0xffff0000
audit: type=1326 audit(1505367645.987:3067): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=kernel pid=6690 comm="syz-executor5" exe="/syz-executor5" sig=31 arch=c000003e syscall=202 compat=0 ip=0x447299 code=0xffff0000
audit: type=1326 audit(1505367646.054:3068): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=kernel pid=6695 comm="syz-executor6" exe="/syz-executor6" sig=31 arch=c000003e syscall=202 compat=0 ip=0x447299 code=0xffff0000
audit: type=1326 audit(1505367646.085:3069): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=kernel pid=6690 comm="syz-executor5" exe="/syz-executor5" sig=31 arch=c000003e syscall=202 compat=0 ip=0x447299 code=0xffff0000
device lo entered promiscuous mode
RDS: rds_bind could not find a transport for 172.20.7.187, load rds_tcp or rds_rdma?
RDS: rds_bind could not find a transport for 172.20.7.187, load rds_tcp or rds_rdma?
device gre0 entered promiscuous mode
sock: sock_set_timeout: `syz-executor7' (pid 6971) tries to set negative timeout
sock: sock_set_timeout: `syz-executor7' (pid 6996) tries to set negative timeout
RDS: rds_bind could not find a transport for 255.255.255.255, load rds_tcp or rds_rdma?
RDS: rds_bind could not find a transport for 255.255.255.255, load rds_tcp or rds_rdma?
sock: sock_set_timeout: `syz-executor0' (pid 7088) tries to set negative timeout
sock: sock_set_timeout: `syz-executor0' (pid 7084) tries to set negative timeout
nla_parse: 33 callbacks suppressed
netlink: 1 bytes leftover after parsing attributes in process `syz-executor1'.
netlink: 1 bytes leftover after parsing attributes in process `syz-executor1'.
audit: type=1326 audit(1505367647.461:3070): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=kernel pid=7371 comm="syz-executor6" exe="/syz-executor6" sig=9 arch=c000003e syscall=202 compat=0 ip=0x447299 code=0x0
audit: type=1326 audit(1505367647.546:3071): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=kernel pid=7371 comm="syz-executor6" exe="/syz-executor6" sig=9 arch=c000003e syscall=202 compat=0 ip=0x447299 code=0x0
netlink: 1 bytes leftover after parsing attributes in process `syz-executor0'.
netlink: 1 bytes leftover after parsing attributes in process `syz-executor0'.
netlink: 1 bytes leftover after parsing attributes in process `syz-executor4'.
device gre0 entered promiscuous mode
netlink: 1 bytes leftover after parsing attributes in process `syz-executor4'.
sg_write: data in/out 327773/19 bytes for SCSI command 0x4e-- guessing data in;
   program syz-executor2 not setting count and/or reply_len properly
sg_write: data in/out 327773/19 bytes for SCSI command 0x4e-- guessing data in;
   program syz-executor2 not setting count and/or reply_len properly
loop_reread_partitions: partition scan of loop0 (-\t@r9hxGQ:[il L*@R-Tr-x) failed (rc=-13)
kvm [7931]: vcpu0, guest rIP: 0xfff0 disabled perfctr wrmsr: 0x186 data 0x8
TCP: tcp_parse_options: Illegal window scaling value 32 > 14 received
netlink: 13 bytes leftover after parsing attributes in process `syz-executor3'.
TCP: tcp_parse_options: Illegal window scaling value 32 > 14 received
kvm [7931]: vcpu0, guest rIP: 0xfff0 disabled perfctr wrmsr: 0x186 data 0x8
QAT: Invalid ioctl
QAT: Invalid ioctl
netlink: 13 bytes leftover after parsing attributes in process `syz-executor3'.
sctp: [Deprecated]: syz-executor1 (pid 8026) Use of struct sctp_assoc_value in delayed_ack socket option.
Use struct sctp_sack_info instead
sctp: [Deprecated]: syz-executor1 (pid 8028) Use of struct sctp_assoc_value in delayed_ack socket option.
Use struct sctp_sack_info instead
netlink: 8 bytes leftover after parsing attributes in process `syz-executor3'.
sg_write: data in/out 169/54 bytes for SCSI command 0x0-- guessing data in;
   program syz-executor1 not setting count and/or reply_len properly
netlink: 5 bytes leftover after parsing attributes in process `syz-executor5'.
sg_write: data in/out 169/54 bytes for SCSI command 0x0-- guessing data in;
   program syz-executor1 not setting count and/or reply_len properly
device lo entered promiscuous mode
device lo left promiscuous mode
device  entered promiscuous mode
device  left promiscuous mode
device lo entered promiscuous mode
device lo left promiscuous mode
sctp: [Deprecated]: syz-executor4 (pid 8297) Use of struct sctp_assoc_value in delayed_ack socket option.
Use struct sctp_sack_info instead
SELinux: unrecognized netlink message: protocol=6 nlmsg_type=8 sclass=netlink_xfrm_socket pig=8321 comm=syz-executor6
sctp: [Deprecated]: syz-executor4 (pid 8312) Use of struct sctp_assoc_value in delayed_ack socket option.
Use struct sctp_sack_info instead
SELinux: unrecognized netlink message: protocol=6 nlmsg_type=0 sclass=netlink_xfrm_socket pig=8334 comm=syz-executor6
device lo entered promiscuous mode
device lo left promiscuous mode
audit: type=1326 audit(1505367650.899:3072): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=kernel pid=8410 comm="syz-executor4" exe="/syz-executor4" sig=31 arch=c000003e syscall=202 compat=0 ip=0x447299 code=0xffff0000
audit: type=1326 audit(1505367650.986:3073): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=kernel pid=8410 comm="syz-executor4" exe="/syz-executor4" sig=31 arch=c000003e syscall=202 compat=0 ip=0x447299 code=0xffff0000
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=8499 comm=syz-executor6
audit: type=1326 audit(1505367651.165:3074): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=kernel pid=8524 comm="syz-executor0" exe="/syz-executor0" sig=31 arch=c000003e syscall=202 compat=0 ip=0x447299 code=0xffff0000
audit: type=1326 audit(1505367651.247:3075): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=kernel pid=8524 comm="syz-executor0" exe="/syz-executor0" sig=31 arch=c000003e syscall=202 compat=0 ip=0x447299 code=0xffff0000
*** Guest State ***
CR0: actual=0x0000000000000031, shadow=0x0000000060000011, gh_mask=fffffffffffffff7
CR4: actual=0x0000000000002050, shadow=0x0000000000000020, gh_mask=ffffffffffffe871
CR3 = 0x00000000fffbc000
RSP = 0x0000000000000000  RIP = 0x0000000000000000
RFLAGS=0x00041090         DR7 = 0x0000000000000400
Sysenter RSP=0000000000000f80 CS:RIP=0030:0000000000002810
CS:   sel=0x0043, attr=0x040fb, limit=0x000fffff, base=0x0000000000000000
DS:   sel=0x004b, attr=0x040f3, limit=0x000fffff, base=0x0000000000000000
SS:   sel=0x004b, attr=0x040f3, limit=0x000fffff, base=0x0000000000000000
ES:   sel=0x004b, attr=0x040f3, limit=0x000fffff, base=0x0000000000000000
FS:   sel=0x004b, attr=0x040f3, limit=0x000fffff, base=0x0000000000000000
GS:   sel=0x004b, attr=0x040f3, limit=0x000fffff, base=0x0000000000000000
GDTR:                           limit=0x000007ff, base=0x0000000000001000
LDTR: sel=0x0008, attr=0x04082, limit=0x000007ff, base=0x0000000000001800
IDTR:                           limit=0x000001ff, base=0x0000000000003800
TR:   sel=0x0000, attr=0x0008b, limit=0x0000ffff, base=0x0000000000000000
EFER =     0x0000000000000001  PAT = 0x0007040600070406
DebugCtl = 0x0000000000000000  DebugExceptions = 0x0000000000000000
BndCfgS = 0x0000000000000000
Interruptibility = 00000000  ActivityState = 00000000
*** Host State ***
RIP = 0xffffffff811b8bff  RSP = 0xffff88005987f4c8
CS=0010 SS=0018 DS=0000 ES=0000 FS=0000 GS=0000 TR=0040
FSBase=00007f3559472700 GSBase=ffff88003ec00000 TRBase=ffff88003ec23100
GDTBase=ffffffffff577000 IDTBase=ffffffffff57b000
CR0=0000000080050033 CR3=000000001a24d000 CR4=00000000000026f0
Sysenter RSP=0000000000000000 CS:RIP=0010:ffffffff84d45b40
EFER = 0x0000000000000d01  PAT = 0x0007040600070406
*** Control State ***
PinBased=0000003f CPUBased=b699edfa SecondaryExec=000000e2
EntryControls=0001d1ff ExitControls=00afefff
ExceptionBitmap=00060042 PFECmask=00000000 PFECmatch=00000000
VMEntry: intr_info=00000306 errcode=00000000 ilen=00000000
VMExit: intr_info=00000000 errcode=00000000 ilen=00000002
        reason=80000021 qualification=0000000000000000
IDTVectoring: info=00000000 errcode=00000000
TSC Offset = 0xffffffdb9822c082
EPT pointer = 0x0000000039fa501e
Virtual processor ID = 0x0001
*** Guest State ***
CR0: actual=0x0000000000000031, shadow=0x0000000060000011, gh_mask=fffffffffffffff7
CR4: actual=0x0000000000002050, shadow=0x0000000000000020, gh_mask=ffffffffffffe871
CR3 = 0x00000000fffbc000
RSP = 0x0000000000000000  RIP = 0x0000000000000000
RFLAGS=0x00041090         DR7 = 0x0000000000000400
Sysenter RSP=0000000000000f80 CS:RIP=0030:0000000000002810
CS:   sel=0x0043, attr=0x040fb, limit=0x000fffff, base=0x0000000000000000
DS:   sel=0x004b, attr=0x040f3, limit=0x000fffff, base=0x0000000000000000
SS:   sel=0x004b, attr=0x040f3, limit=0x000fffff, base=0x0000000000000000
ES:   sel=0x004b, attr=0x040f3, limit=0x000fffff, base=0x0000000000000000
FS:   sel=0x004b, attr=0x040f3, limit=0x000fffff, base=0x0000000000000000
GS:   sel=0x004b, attr=0x040f3, limit=0x000fffff, base=0x0000000000000000
device lo left promiscuous mode
GDTR:                           limit=0x000007ff, base=0x0000000000001000
LDTR: sel=0x0008, attr=0x04082, limit=0x000007ff, base=0x0000000000001800
IDTR:                           limit=0x000001ff, base=0x0000000000003800
TR:   sel=0x0000, attr=0x0008b, limit=0x0000ffff, base=0x0000000000000000
EFER =     0x0000000000000001  PAT = 0x0007040600070406
DebugCtl = 0x0000000000000000  DebugExceptions = 0x0000000000000000
BndCfgS = 0x0000000000000000
Interruptibility = 00000000  ActivityState = 00000000
*** Host State ***
RIP = 0xffffffff811b8bff  RSP = 0xffff8800578274c8
CS=0010 SS=0018 DS=0000 ES=0000 FS=0000 GS=0000 TR=0040
FSBase=00007f355940d700 GSBase=ffff88006df00000 TRBase=ffff88006df23100
GDTBase=ffffffffff574000 IDTBase=ffffffffff57b000
CR0=0000000080050033 CR3=000000001a24d000 CR4=00000000000026e0
Sysenter RSP=0000000000000000 CS:RIP=0010:ffffffff84d45b40
EFER = 0x0000000000000d01  PAT = 0x0007040600070406
*** Control State ***
PinBased=0000003f CPUBased=b699edfa SecondaryExec=000000e2
EntryControls=0001d1ff ExitControls=00afefff
ExceptionBitmap=00060042 PFECmask=00000000 PFECmatch=00000000
VMEntry: intr_info=00000306 errcode=00000000 ilen=00000000
VMExit: intr_info=00000000 errcode=00000000 ilen=00000000
        reason=80000021 qualification=0000000000000000
IDTVectoring: info=00000000 errcode=00000000
TSC Offset = 0xffffffdb8d60312e
EPT pointer = 0x000000005b26901e
Virtual processor ID = 0x009c
Can not set IPV6_FL_F_REFLECT if flowlabel_consistency sysctl is enable
Can not set IPV6_FL_F_REFLECT if flowlabel_consistency sysctl is enable
audit: type=1326 audit(1505367651.683:3076): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=kernel pid=8729 comm=FA34 exe="/syz-executor6" sig=0 arch=c000003e syscall=202 compat=0 ip=0x447299 code=0x50000
audit: type=1326 audit(1505367651.683:3077): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=kernel pid=8729 comm=FA34 exe="/syz-executor6" sig=0 arch=c000003e syscall=202 compat=0 ip=0x447299 code=0x50000
audit: type=1326 audit(1505367651.683:3078): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=kernel pid=8729 comm=FA34 exe="/syz-executor6" sig=0 arch=c000003e syscall=202 compat=0 ip=0x447299 code=0x50000
audit: type=1326 audit(1505367651.683:3079): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=kernel pid=8729 comm=FA34 exe="/syz-executor6" sig=0 arch=c000003e syscall=202 compat=0 ip=0x447299 code=0x50000
sctp: [Deprecated]: syz-executor3 (pid 8779) Use of struct sctp_assoc_value in delayed_ack socket option.
Use struct sctp_sack_info instead
sctp: [Deprecated]: syz-executor3 (pid 8779) Use of struct sctp_assoc_value in delayed_ack socket option.
Use struct sctp_sack_info instead
device lo entered promiscuous mode
device lo left promiscuous mode
device lo entered promiscuous mode
device lo left promiscuous mode
QAT: Invalid ioctl
kvm [8904]: vcpu0, guest rIP: 0x9135 Hyper-V unhandled rdmsr: 0x4000008f
kvm [8904]: vcpu0, guest rIP: 0x9135 Hyper-V unhandled rdmsr: 0x4000008e
kvm [8904]: vcpu0, guest rIP: 0x9135 Hyper-V unhandled rdmsr: 0x4000008d
kvm [8904]: vcpu0, guest rIP: 0x9135 Hyper-V unhandled rdmsr: 0x4000008c
kvm [8904]: vcpu0, guest rIP: 0x9135 Hyper-V unhandled rdmsr: 0x4000008b
kvm [8904]: vcpu0, guest rIP: 0x9135 Hyper-V unhandled rdmsr: 0x4000008a
kvm [8904]: vcpu0, guest rIP: 0x9135 Hyper-V unhandled rdmsr: 0x40000089
kvm [8904]: vcpu0, guest rIP: 0x9135 Hyper-V unhandled rdmsr: 0x40000088
kvm [8904]: vcpu0, guest rIP: 0x9135 Hyper-V unhandled rdmsr: 0x40000087
kvm [8904]: vcpu0, guest rIP: 0x9135 Hyper-V unhandled rdmsr: 0x40000086
kvm_hv_set_msr: 1 callbacks suppressed
kvm [8904]: vcpu0, guest rIP: 0x9112 Hyper-V uhandled wrmsr: 0x40000023 data 0x66c900003b9a1047
kvm [8904]: vcpu0, guest rIP: 0x9112 Hyper-V uhandled wrmsr: 0x40000022 data 0x66c90000cb211047
kvm [8904]: vcpu0, guest rIP: 0x9112 Hyper-V uhandled wrmsr: 0x40000020 data 0x66c90000000c1047
kvm [8904]: vcpu0, guest rIP: 0x9112 Hyper-V uhandled wrmsr: 0x40000023 data 0x66c900003b9a1047
kvm [8904]: vcpu0, guest rIP: 0x9112 Hyper-V uhandled wrmsr: 0x40000022 data 0x66c90000cb211047
kvm [8904]: vcpu0, guest rIP: 0x9112 Hyper-V uhandled wrmsr: 0x40000020 data 0x66c90000000d1047
QAT: Invalid ioctl
sctp: [Deprecated]: syz-executor2 (pid 9019) Use of int in maxseg socket option.
Use struct sctp_assoc_value instead
sctp: [Deprecated]: syz-executor2 (pid 9019) Use of int in maxseg socket option.
Use struct sctp_assoc_value instead
kauditd_printk_skb: 4542 callbacks suppressed
audit: type=1326 audit(1505367652.725:7622): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=kernel pid=9096 comm="syz-executor5" exe="/syz-executor5" sig=31 arch=c000003e syscall=202 compat=0 ip=0x447299 code=0xffff0000
sctp: [Deprecated]: syz-executor1 (pid 9105) Use of int in maxseg socket option.
Use struct sctp_assoc_value instead
sctp: [Deprecated]: syz-executor1 (pid 9105) Use of int in maxseg socket option.
Use struct sctp_assoc_value instead
audit: type=1326 audit(1505367652.769:7623): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=kernel pid=9096 comm="syz-executor5" exe="/syz-executor5" sig=31 arch=c000003e syscall=202 compat=0 ip=0x447299 code=0xffff0000
audit: type=1326 audit(1505367652.829:7624): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=kernel pid=9096 comm="syz-executor5" exe="/syz-executor5" sig=31 arch=c000003e syscall=202 compat=0 ip=0x447299 code=0xffff0000
SELinux: unrecognized netlink message: protocol=9 nlmsg_type=3 sclass=netlink_audit_socket pig=9234 comm=syz-executor2
SELinux: unrecognized netlink message: protocol=9 nlmsg_type=3 sclass=netlink_audit_socket pig=9241 comm=syz-executor2
nla_parse: 14 callbacks suppressed
netlink: 1 bytes leftover after parsing attributes in process `syz-executor5'.
netlink: 1 bytes leftover after parsing attributes in process `syz-executor5'.
SELinux: unrecognized netlink message: protocol=9 nlmsg_type=37422 sclass=netlink_audit_socket pig=9275 comm=syz-executor5
SELinux: unrecognized netlink message: protocol=9 nlmsg_type=37422 sclass=netlink_audit_socket pig=9305 comm=syz-executor5
netlink: 1 bytes leftover after parsing attributes in process `syz-executor5'.
IPv6: Can't replace route, no match found
audit: type=1326 audit(1505367653.464:7625): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=kernel pid=9333 comm="syz-executor2" exe="/syz-executor2" sig=31 arch=c000003e syscall=202 compat=0 ip=0x447299 code=0xffff0000
==================================================================
BUG: KASAN: slab-out-of-bounds in __collect_expired_timers include/linux/list.h:729 [inline]
BUG: KASAN: slab-out-of-bounds in collect_expired_timers kernel/time/timer.c:1569 [inline]
BUG: KASAN: slab-out-of-bounds in __run_timers+0xa2e/0xb90 kernel/time/timer.c:1616
Write of size 8 at addr ffff88005b653808 by task swapper/3/0

CPU: 3 PID: 0 Comm: swapper/3 Tainted: G        W       4.13.0-next-20170914+ #4
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:16 [inline]
 dump_stack+0x194/0x257 lib/dump_stack.c:52
 print_address_description+0x73/0x250 mm/kasan/report.c:252
 kasan_report_error mm/kasan/report.c:351 [inline]
 kasan_report+0x24e/0x340 mm/kasan/report.c:409
 __asan_report_store8_noabort+0x17/0x20 mm/kasan/report.c:435
 __collect_expired_timers include/linux/list.h:729 [inline]
 collect_expired_timers kernel/time/timer.c:1569 [inline]
 __run_timers+0xa2e/0xb90 kernel/time/timer.c:1616
 run_timer_softirq+0x4c/0xb0 kernel/time/timer.c:1646
 __do_softirq+0x2bb/0xbd0 kernel/softirq.c:284
 invoke_softirq kernel/softirq.c:364 [inline]
 irq_exit+0x1d3/0x210 kernel/softirq.c:405
 exiting_irq arch/x86/include/asm/apic.h:638 [inline]
 smp_apic_timer_interrupt+0x177/0x710 arch/x86/kernel/apic/apic.c:1048
 apic_timer_interrupt+0x9d/0xb0 arch/x86/entry/entry_64.S:577
RIP: 0010:native_safe_halt+0x6/0x10 arch/x86/include/asm/irqflags.h:53
RSP: 0018:ffff88006dadfdb0 EFLAGS: 00000286 ORIG_RAX: ffffffffffffff10
RAX: dffffc0000000000 RBX: 1ffff1000db5bfb9 RCX: 0000000000000000
RDX: 1ffffffff0b59300 RSI: 0000000000000001 RDI: ffffffff85ac9800
RBP: ffff88006dadfdb0 R08: ffffffff8161a569 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: ffffffff85ac97f0
R13: ffff88006dadfe68 R14: 0000000000000000 R15: ffff88006dad4080
 arch_safe_halt arch/x86/include/asm/paravirt.h:93 [inline]
 default_idle+0xbf/0x460 arch/x86/kernel/process.c:341
 arch_cpu_idle+0xa/0x10 arch/x86/kernel/process.c:332
 default_idle_call+0x36/0x90 kernel/sched/idle.c:98
 cpuidle_idle_call kernel/sched/idle.c:156 [inline]
 do_idle+0x256/0x3b0 kernel/sched/idle.c:246
 cpu_startup_entry+0x18/0x20 kernel/sched/idle.c:351
 start_secondary+0x2ea/0x3f0 arch/x86/kernel/smpboot.c:277
 secondary_startup_64+0xa5/0xa5 arch/x86/kernel/head_64.S:235

Allocated by task 9254:
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59
 save_stack+0x43/0xd0 mm/kasan/kasan.c:447
 set_track mm/kasan/kasan.c:459 [inline]
 kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:551
 kmem_cache_alloc_trace+0x136/0x750 mm/slab.c:3627
 kmalloc include/linux/slab.h:493 [inline]
 kzalloc include/linux/slab.h:666 [inline]
 tipc_nametbl_init+0x241/0x5e0 net/tipc/name_table.c:810
 tipc_init_net+0x347/0x570 net/tipc/core.c:69
 ops_init+0x10a/0x570 net/core/net_namespace.c:118
 setup_net+0x319/0x720 net/core/net_namespace.c:294
 copy_net_ns+0x27c/0x580 net/core/net_namespace.c:418
 create_new_namespaces+0x425/0x880 kernel/nsproxy.c:107
 copy_namespaces+0x340/0x400 kernel/nsproxy.c:165
 copy_process.part.36+0x22fd/0x4af0 kernel/fork.c:1738
 copy_process kernel/fork.c:1548 [inline]
 _do_fork+0x1ef/0xfe0 kernel/fork.c:2027
 SYSC_clone kernel/fork.c:2137 [inline]
 SyS_clone+0x37/0x50 kernel/fork.c:2131
 do_syscall_64+0x26c/0x8c0 arch/x86/entry/common.c:287
 return_from_SYSCALL_64+0x0/0x7a

Freed by task 8388:
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59
 save_stack+0x43/0xd0 mm/kasan/kasan.c:447
 set_track mm/kasan/kasan.c:459 [inline]
 kasan_slab_free+0x71/0xc0 mm/kasan/kasan.c:524
 __cache_free mm/slab.c:3503 [inline]
 kfree+0xca/0x250 mm/slab.c:3820
 kvfree+0x36/0x60 mm/util.c:416
 netdev_freemem net/core/dev.c:7970 [inline]
 free_netdev+0x2cf/0x360 net/core/dev.c:8132
 tun_set_iff drivers/net/tun.c:2105 [inline]
 __tun_chr_ioctl+0x2cf6/0x3d20 drivers/net/tun.c:2276
 tun_chr_ioctl+0x2a/0x40 drivers/net/tun.c:2521
 vfs_ioctl fs/ioctl.c:45 [inline]
 do_vfs_ioctl+0x1b1/0x1530 fs/ioctl.c:685
 SYSC_ioctl fs/ioctl.c:700 [inline]
 SyS_ioctl+0x8f/0xc0 fs/ioctl.c:691
 entry_SYSCALL_64_fastpath+0x1f/0xbe

The buggy address belongs to the object at ffff88005b650400
 which belongs to the cache kmalloc-16384 of size 16384
The buggy address is located 13320 bytes inside of
 16384-byte region [ffff88005b650400, ffff88005b654400)
The buggy address belongs to the page:
page:ffffea00016d9400 count:1 mapcount:0 mapping:ffff88005b650400 index:0x0 compound_mapcount: 0
flags: 0x500000000008100(slab|head)
raw: 0500000000008100 ffff88005b650400 0000000000000000 0000000100000001
raw: ffffea00016c8e20 ffffea000165f220 ffff88003e802200 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff88005b653700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff88005b653780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff88005b653800: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                                  ^
 ffff88005b653880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff88005b653900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================