==================================================================
BUG: KASAN: use-after-free in __read_once_size include/linux/compiler.h:243 [inline] at addr ffff8801cd4a6810
BUG: KASAN: use-after-free in atomic_read arch/x86/include/asm/atomic.h:26 [inline] at addr ffff8801cd4a6810
BUG: KASAN: use-after-free in static_key_count include/linux/jump_label.h:174 [inline] at addr ffff8801cd4a6810
BUG: KASAN: use-after-free in static_key_false include/linux/jump_label.h:184 [inline] at addr ffff8801cd4a6810
BUG: KASAN: use-after-free in perf_sw_event include/linux/perf_event.h:1039 [inline] at addr ffff8801cd4a6810
BUG: KASAN: use-after-free in __do_page_fault+0xc80/0xd70 arch/x86/mm/fault.c:1438 at addr ffff8801cd4a6810
Read of size 8 by task syz-executor0/16813
CPU: 0 PID: 16813 Comm: syz-executor0 Not tainted 4.9.64-gfbb7468 #94
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801d9a9fd88 ffffffff81d90429 ffff8801da155140 ffff8801cd4a67c0
 ffff8801cd4a6878 ffffed0039a94d02 ffff8801cd4a6810 ffff8801d9a9fdb0
 ffffffff8153a3ac ffffed0039a94d02 ffff8801da155140 0000000000000000
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [] kasan_object_err+0x1c/0x70 mm/kasan/report.c:160
 [] print_address_description mm/kasan/report.c:198 [inline]
 [] kasan_report_error mm/kasan/report.c:287 [inline]
 [] kasan_report.part.1+0x21c/0x500 mm/kasan/report.c:309
 [] kasan_report mm/kasan/report.c:330 [inline]
 [] __asan_report_load8_noabort+0x29/0x30 mm/kasan/report.c:330
 [] __read_once_size include/linux/compiler.h:243 [inline]
 [] atomic_read arch/x86/include/asm/atomic.h:26 [inline]
 [] static_key_count include/linux/jump_label.h:174 [inline]
 [] static_key_false include/linux/jump_label.h:184 [inline]
 [] perf_sw_event include/linux/perf_event.h:1039 [inline]
 [] __do_page_fault+0xc80/0xd70 arch/x86/mm/fault.c:1438
 [] do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1460
 [] page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1012
Object at ffff8801cd4a67c0, in cache vm_area_struct size: 184
Allocated:
PID = 16813
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:495
 set_track mm/kasan/kasan.c:507 [inline]
 kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598
 kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:537
 slab_post_alloc_hook mm/slab.h:417 [inline]
 slab_alloc_node mm/slub.c:2715 [inline]
 slab_alloc mm/slub.c:2723 [inline]
 kmem_cache_alloc+0xba/0x290 mm/slub.c:2728
 kmem_cache_zalloc include/linux/slab.h:626 [inline]
 mmap_region+0x587/0xfd0 mm/mmap.c:1662
 do_mmap+0x57b/0xbe0 mm/mmap.c:1473
 do_mmap_pgoff include/linux/mm.h:2018 [inline]
 vm_mmap_pgoff+0x16b/0x1b0 mm/util.c:305
 SYSC_mmap_pgoff mm/mmap.c:1523 [inline]
 SyS_mmap_pgoff+0xd0/0x560 mm/mmap.c:1481
 SYSC_mmap arch/x86/kernel/sys_x86_64.c:95 [inline]
 SyS_mmap+0x16/0x20 arch/x86/kernel/sys_x86_64.c:86
 entry_SYSCALL_64_fastpath+0x23/0xc6
Freed:
PID = 16825
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:495
 set_track mm/kasan/kasan.c:507 [inline]
 kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:571
 slab_free_hook mm/slub.c:1355 [inline]
 slab_free_freelist_hook mm/slub.c:1377 [inline]
 slab_free mm/slub.c:2958 [inline]
 kmem_cache_free+0xb2/0x2e0 mm/slub.c:2980
 remove_vma+0x11d/0x160 mm/mmap.c:175
 remove_vma_list mm/mmap.c:2482 [inline]
 do_munmap+0x7ff/0xeb0 mm/mmap.c:2705
 mmap_region+0x14d/0xfd0 mm/mmap.c:1635
 do_mmap+0x57b/0xbe0 mm/mmap.c:1473
 do_mmap_pgoff include/linux/mm.h:2018 [inline]
 vm_mmap_pgoff+0x16b/0x1b0 mm/util.c:305
 SYSC_mmap_pgoff mm/mmap.c:1523 [inline]
 SyS_mmap_pgoff+0xd0/0x560 mm/mmap.c:1481
 SYSC_mmap arch/x86/kernel/sys_x86_64.c:95 [inline]
 SyS_mmap+0x16/0x20 arch/x86/kernel/sys_x86_64.c:86
 entry_SYSCALL_64_fastpath+0x23/0xc6
Memory state around the buggy address:
 ffff8801cd4a6700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8801cd4a6780: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
>ffff8801cd4a6800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc
sock: sock_set_timeout: `syz-executor7' (pid 16884) tries to set negative timeout
                         ^
 ffff8801cd4a6880: fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb fb
 ffff8801cd4a6900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc
==================================================================
nla_parse: 10 callbacks suppressed
netlink: 5 bytes leftover after parsing attributes in process `syz-executor2'.
sock: sock_set_timeout: `syz-executor7' (pid 16884) tries to set negative timeout
netlink: 5 bytes leftover after parsing attributes in process `syz-executor2'.
device gre0 entered promiscuous mode
device lo entered promiscuous mode
netlink: 1 bytes leftover after parsing attributes in process `syz-executor1'.
device lo left promiscuous mode
device lo entered promiscuous mode
device lo left promiscuous mode
sg_write: data in/out 262364/161 bytes for SCSI command 0xff-- guessing data in; program syz-executor5 not setting count and/or reply_len properly
binder: 17098:17102 ioctl c0106426 20435ff0 returned -22
device gre0 entered promiscuous mode
binder: 17114:17116 ioctl c0bc5310 20ac1000 returned -22
device gre0 entered promiscuous mode
binder: 17098:17113 ioctl c0106426 20435ff0 returned -22
binder: 17114:17116 ioctl c0bc5310 20ac1000 returned -22
device lo entered promiscuous mode
device lo left promiscuous mode
netlink: 2 bytes leftover after parsing attributes in process `syz-executor0'.
IPv6: RTM_NEWROUTE with no NLM_F_CREATE or NLM_F_REPLACE
IPv6: NLM_F_CREATE should be set when creating new route
IPv6: NLM_F_CREATE should be set when creating new route
device lo entered promiscuous mode
device lo left promiscuous mode
netlink: 2 bytes leftover after parsing attributes in process `syz-executor0'.