==================================================================
BUG: KASAN: use-after-free in __read_once_size include/linux/compiler.h:243 [inline] at addr ffff8801ca8ea338
BUG: KASAN: use-after-free in atomic_read arch/x86/include/asm/atomic.h:26 [inline] at addr ffff8801ca8ea338
BUG: KASAN: use-after-free in static_key_count include/linux/jump_label.h:174 [inline] at addr ffff8801ca8ea338
BUG: KASAN: use-after-free in static_key_false include/linux/jump_label.h:184 [inline] at addr ffff8801ca8ea338
BUG: KASAN: use-after-free in perf_sw_event include/linux/perf_event.h:1039 [inline] at addr ffff8801ca8ea338
BUG: KASAN: use-after-free in __do_page_fault+0xc80/0xd70 arch/x86/mm/fault.c:1438 at addr ffff8801ca8ea338
Read of size 8 by task syz-executor6/14888
CPU: 0 PID: 14888 Comm: syz-executor6 Not tainted 4.9.64-gfbb7468 #94
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801d0e4fd88 ffffffff81d90429 ffff8801da155140 ffff8801ca8ea2e8
 ffff8801ca8ea3a0 ffffed003951d467 ffff8801ca8ea338 ffff8801d0e4fdb0
 ffffffff8153a3ac ffffed003951d467 ffff8801da155140 0000000000000000
Call Trace:
 __dump_stack lib/dump_stack.c:15 [inline]
 dump_stack+0xc1/0x128 lib/dump_stack.c:51
 kasan_object_err+0x1c/0x70 mm/kasan/report.c:160
 print_address_description mm/kasan/report.c:198 [inline]
 kasan_report_error mm/kasan/report.c:287 [inline]
 kasan_report.part.1+0x21c/0x500 mm/kasan/report.c:309
 kasan_report mm/kasan/report.c:330 [inline]
 __asan_report_load8_noabort+0x29/0x30 mm/kasan/report.c:330
 __read_once_size include/linux/compiler.h:243 [inline]
 atomic_read arch/x86/include/asm/atomic.h:26 [inline]
 static_key_count include/linux/jump_label.h:174 [inline]
 static_key_false include/linux/jump_label.h:184 [inline]
 perf_sw_event include/linux/perf_event.h:1039 [inline]
 __do_page_fault+0xc80/0xd70 arch/x86/mm/fault.c:1438
 do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1460
 page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1012
Object at ffff8801ca8ea2e8, in cache vm_area_struct size: 184
Allocated:
PID = 14888
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:495
 set_track mm/kasan/kasan.c:507 [inline]
 kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598
 kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:537
 slab_post_alloc_hook mm/slab.h:417 [inline]
 slab_alloc_node mm/slub.c:2715 [inline]
 slab_alloc mm/slub.c:2723 [inline]
 kmem_cache_alloc+0xba/0x290 mm/slub.c:2728
 kmem_cache_zalloc include/linux/slab.h:626 [inline]
 mmap_region+0x587/0xfd0 mm/mmap.c:1662
 do_mmap+0x57b/0xbe0 mm/mmap.c:1473
 do_mmap_pgoff include/linux/mm.h:2018 [inline]
 vm_mmap_pgoff+0x16b/0x1b0 mm/util.c:305
 SYSC_mmap_pgoff mm/mmap.c:1523 [inline]
 SyS_mmap_pgoff+0xd0/0x560 mm/mmap.c:1481
 SYSC_mmap arch/x86/kernel/sys_x86_64.c:95 [inline]
 SyS_mmap+0x16/0x20 arch/x86/kernel/sys_x86_64.c:86
 entry_SYSCALL_64_fastpath+0x23/0xc6
Freed:
PID = 14902
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:495
 set_track mm/kasan/kasan.c:507 [inline]
 kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:571
 slab_free_hook mm/slub.c:1355 [inline]
 slab_free_freelist_hook mm/slub.c:1377 [inline]
 slab_free mm/slub.c:2958 [inline]
 kmem_cache_free+0xb2/0x2e0 mm/slub.c:2980
 remove_vma+0x11d/0x160 mm/mmap.c:175
 remove_vma_list mm/mmap.c:2482 [inline]
 do_munmap+0x7ff/0xeb0 mm/mmap.c:2705
 mmap_region+0x14d/0xfd0 mm/mmap.c:1635
 do_mmap+0x57b/0xbe0 mm/mmap.c:1473
 do_mmap_pgoff include/linux/mm.h:2018 [inline]
 vm_mmap_pgoff+0x16b/0x1b0 mm/util.c:305
 SYSC_mmap_pgoff mm/mmap.c:1523 [inline]
 SyS_mmap_pgoff+0xd0/0x560 mm/mmap.c:1481
 SYSC_mmap arch/x86/kernel/sys_x86_64.c:95 [inline]
 SyS_mmap+0x16/0x20 arch/x86/kernel/sys_x86_64.c:86
 entry_SYSCALL_64_fastpath+0x23/0xc6
Memory state around the buggy address:
 ffff8801ca8ea200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8801ca8ea280: fb fb fb fb fb fc fc fc fc fc fc fc fc fb fb fb
>ffff8801ca8ea300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                        ^
 ffff8801ca8ea380: fb fb fb fb fc fc fc fc fc fc fc fc fb fb fb fb
 ffff8801ca8ea400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
netlink: 17 bytes leftover after parsing attributes in process `syz-executor2'.
CPU: 1 PID: 14880 Comm: syz-executor4 Tainted: G B 4.9.64-gfbb7468 #94
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801d153fae0 ffffffff81d90429 ffff8801d153fdc0 0000000000000000
 ffff8801ad87c890 ffff8801d153fcb0 ffff8801ad87c780 ffff8801d153fcd8
 ffffffff8165e3c7 0000000000006e92 ffff8801c80f08f0 ffff8801c80f08a0
Call Trace:
 __dump_stack lib/dump_stack.c:15 [inline]
 dump_stack+0xc1/0x128 lib/dump_stack.c:51
 handle_userfault+0xa37/0x1300 fs/userfaultfd.c:323
 do_anonymous_page mm/memory.c:2747 [inline]
 handle_pte_fault mm/memory.c:3488 [inline]
 __handle_mm_fault mm/memory.c:3577 [inline]
 handle_mm_fault+0x1fd1/0x2530 mm/memory.c:3614
 __do_page_fault+0x5b7/0xd70 arch/x86/mm/fault.c:1396
 do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1460
 page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1012
pktgen: kernel_thread() failed for cpu 0
pktgen: Cannot create thread for cpu 0 (-4)
pktgen: kernel_thread() failed for cpu 1
pktgen: Cannot create thread for cpu 1 (-4)
pktgen: Initialization failed for all threads
binder: 14968:14969 ioctl c0106426 20435ff0 returned -22
binder: 14968:14969 ioctl c0106426 20435ff0 returned -22
PF_BRIDGE: RTM_NEWNEIGH with unknown ifindex
IPVS: Creating netns size=2536 id=32
PF_BRIDGE: RTM_NEWNEIGH with unknown ifindex
pktgen: kernel_thread() failed for cpu 0
pktgen: Cannot create thread for cpu 0 (-4)
pktgen: kernel_thread() failed for cpu 1
pktgen: Cannot create thread for cpu 1 (-4)
pktgen: Initialization failed for all threads
IPVS: Creating netns size=2536 id=33
device gre0 entered promiscuous mode
pktgen: kernel_thread() failed for cpu 0
pktgen: Cannot create thread for cpu 0 (-4)
pktgen: kernel_thread() failed for cpu 1
pktgen: Cannot create thread for cpu 1 (-4)
pktgen: Initialization failed for all threads
device gre0 entered promiscuous mode
device gre0 entered promiscuous mode
nla_parse: 3 callbacks suppressed
netlink: 3 bytes leftover after parsing attributes in process `syz-executor5'.
binder: 15248:15251 ioctl 40082404 204b1ff8 returned -22
binder: 15248:15251 ioctl 8914 20c01000 returned -22
binder: 15248:15262 ioctl 40082404 204b1ff8 returned -22
IPVS: Creating netns size=2536 id=34
binder: 15248:15262 ioctl 8914 20c01000 returned -22
netlink: 3 bytes leftover after parsing attributes in process `syz-executor5'.
netlink: 5 bytes leftover after parsing attributes in process `syz-executor4'.
netlink: 5 bytes leftover after parsing attributes in process `syz-executor4'.
pktgen: kernel_thread() failed for cpu 0
pktgen: Cannot create thread for cpu 0 (-4)
pktgen: kernel_thread() failed for cpu 1
pktgen: Cannot create thread for cpu 1 (-4)
pktgen: Initialization failed for all threads
device lo entered promiscuous mode
device lo left promiscuous mode
device lo entered promiscuous mode
keychord: keycode 25638 out of range
device gre0 entered promiscuous mode
qtaguid: iface_stat: create(lo): no inet dev
netlink: 216 bytes leftover after parsing attributes in process `syz-executor4'.
keychord: Insufficient bytes present for keycount 26
keychord: keycode 25638 out of range
keychord: Insufficient bytes present for keycount 26
netlink: 216 bytes leftover after parsing attributes in process `syz-executor4'.
qtaguid: iface_stat: create6(lo): no inet dev
device gre0 entered promiscuous mode
netlink: 11 bytes leftover after parsing attributes in process `syz-executor7'.
netlink: 11 bytes leftover after parsing attributes in process `syz-executor7'.
device gre0 entered promiscuous mode
netlink: 9 bytes leftover after parsing attributes in process `syz-executor0'.
A link change request failed with some changes committed already. Interface lo may have been left with an inconsistent configuration, please check.
netlink: 9 bytes leftover after parsing attributes in process `syz-executor0'.
A link change request failed with some changes committed already. Interface lo may have been left with an inconsistent configuration, please check.
device gre0 entered promiscuous mode
device gre0 entered promiscuous mode
binder: 15710:15712 ioctl 8927 204dcfd8 returned -22
binder: 15710:15712 ioctl 4028641b 209affd8 returned -22
binder: 15710:15712 ioctl 8927 204dcfd8 returned -22
binder: 15710:15724 ioctl 4028641b 209affd8 returned -22
binder: 15752:15753 ioctl 8927 20b09fd8 returned -22
binder: 15752:15753 ioctl 4028641b 209affd8 returned -22
binder: 15752:15753 ioctl 89e0 208dd000 returned -22
binder: 15752:15777 ioctl 8927 20b09fd8 returned -22
binder: 15752:15777 ioctl 89e0 208dd000 returned -22
binder: 15752:15753 ioctl 4028641b 209affd8 returned -22
sock: process `syz-executor1' is using obsolete getsockopt SO_BSDCOMPAT
IPVS: Creating netns size=2536 id=35
pktgen: kernel_thread() failed for cpu 0
pktgen: Cannot create thread for cpu 0 (-4)
pktgen: kernel_thread() failed for cpu 1
pktgen: Cannot create thread for cpu 1 (-4)
pktgen: Initialization failed for all threads
pktgen: kernel_thread() failed for cpu 0
pktgen: Cannot create thread for cpu 0 (-4)
pktgen: kernel_thread() failed for cpu 1
pktgen: Cannot create thread for cpu 1 (-4)
pktgen: Initialization failed for all threads
FAULT_FLAG_ALLOW_RETRY missing 30
CPU: 0 PID: 15923 Comm: syz-executor4 Tainted: G B 4.9.64-gfbb7468 #94
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801aa08f9a0 ffffffff81d90429 ffff8801aa08fc80 0000000000000000
 ffff8801ad87c290 ffff8801aa08fb70 ffff8801ad87c180 ffff8801aa08fb98
 ffffffff8165e3c7 0000000000000282 ffff8801aa08faf0 00000001c86d8067
Call Trace:
 __dump_stack lib/dump_stack.c:15 [inline]
 dump_stack+0xc1/0x128 lib/dump_stack.c:51
 handle_userfault+0xa37/0x1300 fs/userfaultfd.c:323
 do_anonymous_page mm/memory.c:2747 [inline]
 handle_pte_fault mm/memory.c:3488 [inline]
 __handle_mm_fault mm/memory.c:3577 [inline]
 handle_mm_fault+0x1fd1/0x2530 mm/memory.c:3614
 __do_page_fault+0x5b7/0xd70 arch/x86/mm/fault.c:1396
 do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1460
 page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1012
 SYSC_sigaltstack kernel/signal.c:3170 [inline]
 SyS_sigaltstack+0x6c/0x90 kernel/signal.c:3168
 entry_SYSCALL_64_fastpath+0x23/0xc6
IPv6: ADDRCONF(NETDEV_CHANGE): lo: link becomes ready
pktgen: kernel_thread() failed for cpu 0
pktgen: Cannot create thread for cpu 0 (-4)
pktgen: kernel_thread() failed for cpu 1
pktgen: Cannot create thread for cpu 1 (-4)
pktgen: Initialization failed for all threads
A link change request failed with some changes committed already. Interface lo may have been left with an inconsistent configuration, please check.
A link change request failed with some changes committed already. Interface lo may have been left with an inconsistent configuration, please check.
Can not set IPV6_FL_F_REFLECT if flowlabel_consistency sysctl is enable
Can not set IPV6_FL_F_REFLECT if flowlabel_consistency sysctl is enable
keychord: keycode 16224 out of range
keychord: keycode 16224 out of range
device gre0 entered promiscuous mode
binder: 16117:16119 ioctl 40045201 20000000 returned -22
binder: 16117:16119 ioctl 80045200 20000ffc returned -22
binder: 16117:16119 ioctl 40045201 20000000 returned -22
device gre0 entered promiscuous mode
binder: 16117:16119 ioctl 80045200 20000ffc returned -22
TCP: request_sock_TCP: Possible SYN flooding on port 20013. Sending cookies. Check SNMP counters.
binder: 16212:16213 ioctl c0086420 20739ff8 returned -22
binder: 16212:16213 ioctl 40086425 203c4000 returned -22
9pnet_virtio: no channels available for device H¨H¨H¨H¨H¨H¨H¨H¨[...]
9pnet_virtio: no channels available for device H¨H¨H¨H¨H¨H¨H¨H¨[...]
device lo entered promiscuous mode
nla_parse: 10 callbacks suppressed
netlink: 2 bytes leftover after parsing attributes in process `syz-executor0'.
IPv6: RTM_NEWROUTE with no NLM_F_CREATE or NLM_F_REPLACE
IPv6: NLM_F_CREATE should be set when creating new route
IPv6: NLM_F_CREATE should be set when creating new route
netlink: 2 bytes leftover after parsing attributes in process `syz-executor0'.
IPv6: RTM_NEWROUTE with no NLM_F_CREATE or NLM_F_REPLACE
keychord: invalid keycode count 0
keychord: invalid keycode count 0
9pnet_virtio: no channels available for device ./file0
9pnet_virtio: no channels available for device ./file0
binder: 16536:16539 ioctl 5603 20e9affa returned -22
binder: 16536:16539 ioctl c0bc5310 20612000 returned -22
binder: 16536:16539 ioctl 4b69 20fb7f68 returned -22
binder: 16536:16561 ioctl 5603 20e9affa returned -22
binder: 16536:16561 ioctl c0bc5310 20612000 returned -22
binder: 16536:16578 ioctl 4b69 20fb7f68 returned -22
device gre0 entered promiscuous mode
device gre0 entered promiscuous mode
sg_write: data in/out 9969/38 bytes for SCSI command 0x0-- guessing data in; program syz-executor4 not setting count and/or reply_len properly
IPVS: Creating netns size=2536 id=36
pktgen: kernel_thread() failed for cpu 0
pktgen: Cannot create thread for cpu 0 (-4)
pktgen: kernel_thread() failed for cpu 1
pktgen: Cannot create thread for cpu 1 (-4)
pktgen: Initialization failed for all threads
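The KASAN report at the top of this log prints everything needed to check it mechanically: the faulting address, the object base and cache, the object size, and the shadow rows. The Python below is an added triage helper for reading such a report; it is not part of the syzkaller output and not kernel tooling. REPORT is an excerpt of the report above (only the lines the parser consumes), and the shadow-byte meanings it decodes are those of the 4.9-era mm/kasan/kasan.h (0xfb freed slab object, 0xfc slab redzone, 0x00 accessible, 1..7 partially accessible).

```python
"""Shadow-dump triage for a KASAN slab report (added example, not kernel code).

Given a report in the 4.9-era format, locate the access inside the slab
object and confirm from the shadow rows that the whole object is freed,
which distinguishes a use-after-free from an out-of-bounds hit on a redzone.
"""
import re

SHADOW_SCALE = 8  # one shadow byte describes 8 bytes of kernel memory

# Excerpt of the report at the top of this log (only the lines parsed here).
REPORT = """\
BUG: KASAN: use-after-free in __do_page_fault+0xc80/0xd70 arch/x86/mm/fault.c:1438 at addr ffff8801ca8ea338
Read of size 8 by task syz-executor6/14888
Object at ffff8801ca8ea2e8, in cache vm_area_struct size: 184
Memory state around the buggy address:
 ffff8801ca8ea200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8801ca8ea280: fb fb fb fb fb fc fc fc fc fc fc fc fc fb fb fb
>ffff8801ca8ea300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                        ^
 ffff8801ca8ea380: fb fb fb fb fc fc fc fc fc fc fc fc fb fb fb fb
 ffff8801ca8ea400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
"""

# Shadow values as defined in mm/kasan/kasan.h of the 4.9 kernel.
SHADOW_MEANING = {
    0x00: "fully accessible",
    0xfa: "global redzone",
    0xfb: "freed slab object (KASAN_KMALLOC_FREE)",
    0xfc: "slab redzone (KASAN_KMALLOC_REDZONE)",
    0xfe: "page redzone",
    0xff: "freed page",
}


def describe_shadow(value):
    """Human-readable meaning of one shadow byte."""
    if 1 <= value <= 7:
        return "partially accessible (first %d bytes valid)" % value
    return SHADOW_MEANING.get(value, "unknown shadow value 0x%02x" % value)


def parse_report(text):
    """Extract the access, the object and the shadow rows from a KASAN report."""
    bug = re.search(r"BUG: KASAN: ([\w-]+) in (\S+).* at addr ([0-9a-f]+)", text)
    acc = re.search(r"(Read|Write) of size (\d+) by task (\S+)", text)
    obj = re.search(r"Object at ([0-9a-f]+), in cache (\S+) size: (\d+)", text)
    if not (bug and acc and obj):
        raise ValueError("not a KASAN slab report in the expected format")
    rows = {}
    for line in text.splitlines():
        # A shadow row: optional '>' marker, 16-digit base, then 16 shadow bytes.
        m = re.match(r"^[ >]([0-9a-f]{16}): ((?:[0-9a-f]{2} ?){16})$", line)
        if m:
            rows[int(m.group(1), 16)] = [int(b, 16) for b in m.group(2).split()]
    return {
        "kind": bug.group(1), "func": bug.group(2), "addr": int(bug.group(3), 16),
        "op": acc.group(1), "size": int(acc.group(2)), "task": acc.group(3),
        "object": int(obj.group(1), 16), "cache": obj.group(2),
        "object_size": int(obj.group(3)), "rows": rows,
    }


def shadow_for(rows, addr):
    """Shadow byte covering addr, looked up in the dumped rows."""
    for base, vals in rows.items():
        if base <= addr < base + len(vals) * SHADOW_SCALE:
            return vals[(addr - base) // SHADOW_SCALE]
    raise KeyError("0x%x is outside the dumped shadow window" % addr)


def triage(text):
    """Offset of the access inside the object plus shadow state of the object."""
    r = parse_report(text)
    offset = r["addr"] - r["object"]
    within = 0 <= offset and offset + r["size"] <= r["object_size"]
    value = shadow_for(r["rows"], r["addr"])
    # Every 8-byte granule of the object must read 0xfb for a genuine UAF; a
    # 0xfc somewhere would mean the object range overlaps a redzone instead.
    granules = [shadow_for(r["rows"], a)
                for a in range(r["object"], r["object"] + r["object_size"], SHADOW_SCALE)]
    return {
        "kind": r["kind"], "cache": r["cache"], "task": r["task"],
        "offset_in_object": offset,
        "access_within_object": within,
        "shadow_value": value,
        "shadow_meaning": describe_shadow(value),
        "whole_object_freed": all(v == 0xfb for v in granules),
    }


if __name__ == "__main__":
    for key, val in triage(REPORT).items():
        shown = hex(val) if isinstance(val, int) and not isinstance(val, bool) else val
        print("%-22s %s" % (key, shown))
```

For this report the helper resolves the read to offset 0x50 of the 184-byte vm_area_struct, finds 0xfb at the faulting address, and finds all 23 granules of the object marked freed, so the read lands inside a wholly freed object rather than on a neighbouring redzone; the Freed: stack above (remove_vma via do_munmap from mmap_region, PID 14902) identifies the thread that released it while PID 14888 was still in the fault handler.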