==================================================================
BUG: KASAN: use-after-free in __read_once_size include/linux/compiler.h:194 [inline]
BUG: KASAN: use-after-free in list_empty include/linux/list.h:254 [inline]
BUG: KASAN: use-after-free in waitqueue_active include/linux/wait.h:126 [inline]
BUG: KASAN: use-after-free in wq_has_sleeper include/linux/wait.h:147 [inline]
BUG: KASAN: use-after-free in skwq_has_sleeper include/net/sock.h:2086 [inline]
BUG: KASAN: use-after-free in sock_def_write_space+0x452/0x480 net/core/sock.c:2788
Read of size 8 at addr ffff888098db79f8 by task syz-executor.2/7872

CPU: 0 PID: 7872 Comm: syz-executor.2 Not tainted 5.2.0-rc3+ #1
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x113/0x167 lib/dump_stack.c:113
 print_address_description.cold.5+0x9/0x1ff mm/kasan/report.c:188
 __kasan_report.cold.6+0x1b/0x39 mm/kasan/report.c:317
 kasan_report+0x12/0x20 mm/kasan/common.c:614
 __asan_report_load8_noabort+0x14/0x20 mm/kasan/generic_report.c:132
 __read_once_size include/linux/compiler.h:194 [inline]
 list_empty include/linux/list.h:254 [inline]
 waitqueue_active include/linux/wait.h:126 [inline]
 wq_has_sleeper include/linux/wait.h:147 [inline]
 skwq_has_sleeper include/net/sock.h:2086 [inline]
 sock_def_write_space+0x452/0x480 net/core/sock.c:2788
 sock_wfree+0xf3/0x120 net/core/sock.c:1946
 skb_release_head_state+0x9f/0x1a0 net/core/skbuff.c:650
 skb_release_all+0xd/0x50 net/core/skbuff.c:661
 _kfree_skb_defer net/core/skbuff.c:772 [inline]
 napi_consume_skb+0x10d/0x400 net/core/skbuff.c:817
 free_old_xmit_skbs+0xbc/0x1f0 drivers/net/virtio_net.c:1366
 virtnet_poll_tx+0x1e5/0x360 drivers/net/virtio_net.c:1493
 napi_poll net/core/dev.c:6329 [inline]
 net_rx_action+0x470/0xe20 net/core/dev.c:6395
 __do_softirq+0x260/0x958 kernel/softirq.c:293
 invoke_softirq kernel/softirq.c:374 [inline]
 irq_exit+0x17f/0x1c0 kernel/softirq.c:414
 exiting_irq arch/x86/include/asm/apic.h:536 [inline]
 do_IRQ+0x10b/0x1c0 arch/x86/kernel/irq.c:259
 common_interrupt+0xf/0xf arch/x86/entry/entry_64.S:583
RIP: 0010:get_current arch/x86/include/asm/current.h:15 [inline]
RIP: 0010:do_syscall_64+0x51/0x530 arch/x86/entry/common.c:289
Code: 00 00 00 00 fc ff df 48 c1 ea 03 80 3c 02 00 0f 85 3a 04 00 00 48 83 3d ec 8e 31 07 00 0f 84 78 03 00 00 fb 66 0f 1f 44 00 00 <65> 4c 8b 34 25 c0 fd 01 00 48 b8 00 00 00 00 00 fc ff df 4c 89 f2
RSP: 0018:ffff888089847f20 EFLAGS: 00000282 ORIG_RAX: ffffffffffffffd6
RAX: dffffc0000000000 RBX: 000000000000003d RCX: 0000000000000000
RDX: 1ffffffff10643e0 RSI: 0000000000000006 RDI: ffff888091d0ae3c
RBP: ffff888089847f48 R08: 0000000000000006 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: ffff888089847f58
R13: ffffffff88321f00 R14: 0000000000000000 R15: 0000000000000000
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x4137ba
Code: 0f 83 6a 18 00 00 c3 66 0f 1f 84 00 00 00 00 00 8b 05 de 2a 66 00 85 c0 75 36 45 31 d2 48 63 d2 48 63 ff b8 3d 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 06 c3 0f 1f 44 00 00 48 c7 c2 d4 ff ff ff f7
RSP: 002b:00007fff088087e8 EFLAGS: 00000246 ORIG_RAX: 000000000000003d
RAX: ffffffffffffffda RBX: 000000000005da8c RCX: 00000000004137ba
RDX: 0000000040000001 RSI: 00007fff08808820 RDI: ffffffffffffffff
RBP: 0000000000001345 R08: 0000000000000001 R09: 0000555556872940
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000006
R13: 00007fff08808820 R14: 000000000005d9fa R15: 00007fff08808830

Allocated by task 13138:
 save_stack+0x21/0x90 mm/kasan/common.c:71
 set_track mm/kasan/common.c:79 [inline]
 __kasan_kmalloc.constprop.8+0xc7/0xd0 mm/kasan/common.c:489
 kasan_kmalloc+0x9/0x10 mm/kasan/common.c:503
 kmem_cache_alloc_trace+0x154/0x740 mm/slab.c:3555
 kmalloc include/linux/slab.h:547 [inline]
 sock_alloc_inode+0x5c/0x230 net/socket.c:249
 alloc_inode+0x5c/0x1a0 fs/inode.c:227
 new_inode_pseudo+0xc/0xd0 fs/inode.c:916
 sock_alloc+0x3c/0x270 net/socket.c:569
 __sock_create+0x7a/0x540 net/socket.c:1388
 sock_create net/socket.c:1475 [inline]
 __sys_socket+0xd7/0x1c0 net/socket.c:1517
 __do_sys_socket net/socket.c:1526 [inline]
 __se_sys_socket net/socket.c:1524 [inline]
 __x64_sys_socket+0x6e/0xb0 net/socket.c:1524
 do_syscall_64+0xd0/0x530 arch/x86/entry/common.c:301
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 9:
 save_stack+0x21/0x90 mm/kasan/common.c:71
 set_track mm/kasan/common.c:79 [inline]
 __kasan_slab_free+0x102/0x150 mm/kasan/common.c:451
 kasan_slab_free+0xe/0x10 mm/kasan/common.c:459
 __cache_free mm/slab.c:3432 [inline]
 kfree+0xcf/0x220 mm/slab.c:3755
 __rcu_reclaim kernel/rcu/rcu.h:215 [inline]
 rcu_do_batch kernel/rcu/tree.c:2092 [inline]
 invoke_rcu_callbacks kernel/rcu/tree.c:2310 [inline]
 rcu_core+0xc8e/0x1430 kernel/rcu/tree.c:2291
 __do_softirq+0x260/0x958 kernel/softirq.c:293

The buggy address belongs to the object at ffff888098db79c0
 which belongs to the cache kmalloc-128 of size 128
The buggy address is located 56 bytes inside of
 128-byte region [ffff888098db79c0, ffff888098db7a40)
The buggy address belongs to the page:
page:ffffea0002636dc0 refcount:1 mapcount:0 mapping:ffff8880aa400640 index:0xffff888098db76c0
flags: 0x1fffc0000000200(slab)
raw: 01fffc0000000200 ffffea00027b9508 ffffea00024b5408 ffff8880aa400640
raw: ffff888098db76c0 ffff888098db7000 0000000100000011 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff888098db7880: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
 ffff888098db7900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff888098db7980: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
                                                                ^
 ffff888098db7a00: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
 ffff888098db7a80: 00 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc
==================================================================
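Triage helper, added here as an example and not part of the report or of any kernel tooling: it parses the access line, the object line and the "Memory state" dump of a generic-KASAN report and cross-checks them, so a reader can confirm that the faulting address really lies inside the freed kmalloc-128 object and that the shadow byte covering it is the "freed" marker rather than a redzone. The embedded excerpt is copied from the report above; the shadow-byte meanings (0xfb freed slab object, 0xfc kmalloc redzone, 0x00 accessible, 0x01-0x07 partially accessible, 8 bytes of memory per shadow byte) are the generic KASAN encodings from mm/kasan/kasan.h and are assumed to apply to this 5.2 kernel.

```python
import re

# Excerpt copied from the KASAN report above (not constructed); only the
# lines the parser needs are kept.
REPORT = """\
BUG: KASAN: use-after-free in sock_def_write_space+0x452/0x480 net/core/sock.c:2788
Read of size 8 at addr ffff888098db79f8 by task syz-executor.2/7872
The buggy address belongs to the object at ffff888098db79c0
 which belongs to the cache kmalloc-128 of size 128
The buggy address is located 56 bytes inside of
 128-byte region [ffff888098db79c0, ffff888098db7a40)
Memory state around the buggy address:
 ffff888098db7880: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
 ffff888098db7900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff888098db7980: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
 ffff888098db7a00: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
 ffff888098db7a80: 00 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc
"""

GRANULE = 8                 # generic KASAN: one shadow byte covers 8 bytes
ROW_BYTES = 16 * GRANULE    # one "Memory state" row shows 16 shadow bytes

# Shadow byte encodings as defined in mm/kasan/kasan.h (generic KASAN).
SHADOW_MEANING = {
    0x00: "accessible",
    0xf1: "stack left redzone",
    0xf2: "stack mid redzone",
    0xf3: "stack right redzone",
    0xf4: "stack partial redzone",
    0xfa: "global redzone",
    0xfb: "freed slab object",
    0xfc: "kmalloc redzone",
    0xfe: "page redzone",
    0xff: "freed page",
}


def shadow_meaning(byte):
    """Human-readable meaning of one shadow byte."""
    if 1 <= byte <= 7:
        return "partially accessible (first %d bytes)" % byte
    return SHADOW_MEANING.get(byte, "unknown 0x%02x" % byte)


def parse_report(text):
    """Extract the access, the owning object and the shadow rows."""
    info = {"shadow": {}}
    m = re.search(r"^BUG: KASAN: (\S+) in (\S+)", text, re.M)
    info["kind"], info["site"] = m.group(1), m.group(2)
    m = re.search(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+)", text)
    info["op"], info["size"], info["addr"] = m.group(1), int(m.group(2)), int(m.group(3), 16)
    m = re.search(r"object at ([0-9a-f]+)\s*which belongs to the cache (\S+) of size (\d+)", text)
    info["obj"], info["cache"], info["obj_size"] = int(m.group(1), 16), m.group(2), int(m.group(3))
    m = re.search(r"located (\d+) bytes (inside|to the right|to the left) of", text)
    info["reported_offset"] = int(m.group(1))
    for line in text.splitlines():
        m = re.match(r"^[> ]([0-9a-f]{16}): ((?:[0-9a-f]{2} ?){16})$", line)
        if m:
            info["shadow"][int(m.group(1), 16)] = [int(b, 16) for b in m.group(2).split()]
    return info


def shadow_for(info, addr):
    """Shadow byte covering addr, or None if that row was not dumped."""
    row = addr & ~(ROW_BYTES - 1)
    row_bytes = info["shadow"].get(row)
    if row_bytes is None:
        return None
    return row_bytes[(addr - row) // GRANULE]


def triage(info):
    """Cross-check the access against object bounds and the shadow dump."""
    off = info["addr"] - info["obj"]
    first = info["addr"] & ~(GRANULE - 1)
    last = (info["addr"] + info["size"] - 1) & ~(GRANULE - 1)
    covered = [shadow_for(info, a) for a in range(first, last + 1, GRANULE)]
    return {
        "offset": off,
        "inside_object": 0 <= off < info["obj_size"],
        "offset_matches_report": off == info["reported_offset"],
        "spans_granule_boundary": first != last,
        "shadow": covered,
        "states": [shadow_meaning(b) for b in covered],
    }


if __name__ == "__main__":
    info = parse_report(REPORT)
    print("%s %s of %d bytes in %s" % (info["kind"], info["op"], info["size"], info["site"]))
    for k, v in triage(info).items():
        print("%-24s %s" % (k, v))
```

The check that matters for a use-after-free report is that every shadow byte covering the access is the freed marker and the offset lands inside the object the "Allocated by" stack describes; a redzone or partially-accessible byte instead would point at an out-of-bounds access and a different root cause.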