IPVS: Creating netns size=2536 id=12
==================================================================
BUG: KASAN: use-after-free in __read_once_size include/linux/compiler.h:243 [inline] at addr ffff8801aacd4240
BUG: KASAN: use-after-free in atomic_read arch/x86/include/asm/atomic.h:26 [inline] at addr ffff8801aacd4240
BUG: KASAN: use-after-free in static_key_count include/linux/jump_label.h:174 [inline] at addr ffff8801aacd4240
BUG: KASAN: use-after-free in static_key_false include/linux/jump_label.h:184 [inline] at addr ffff8801aacd4240
BUG: KASAN: use-after-free in perf_sw_event include/linux/perf_event.h:1039 [inline] at addr ffff8801aacd4240
BUG: KASAN: use-after-free in __do_page_fault+0xc80/0xd70 arch/x86/mm/fault.c:1438 at addr ffff8801aacd4240
Read of size 8 by task syz-executor4/4592
CPU: 1 PID: 4592 Comm: syz-executor4 Not tainted 4.9.64-gfbb7468 #94
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801aaf3fd88 ffffffff81d90429 ffff8801da155140 ffff8801aacd41f0
 ffff8801aacd42a8 ffffed003559a848 ffff8801aacd4240 ffff8801aaf3fdb0
 ffffffff8153a3ac ffffed003559a848 ffff8801da155140 0000000000000000
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [] kasan_object_err+0x1c/0x70 mm/kasan/report.c:160
 [] print_address_description mm/kasan/report.c:198 [inline]
 [] kasan_report_error mm/kasan/report.c:287 [inline]
 [] kasan_report.part.1+0x21c/0x500 mm/kasan/report.c:309
 [] kasan_report mm/kasan/report.c:330 [inline]
 [] __asan_report_load8_noabort+0x29/0x30 mm/kasan/report.c:330
 [] __read_once_size include/linux/compiler.h:243 [inline]
 [] atomic_read arch/x86/include/asm/atomic.h:26 [inline]
 [] static_key_count include/linux/jump_label.h:174 [inline]
 [] static_key_false include/linux/jump_label.h:184 [inline]
 [] perf_sw_event include/linux/perf_event.h:1039 [inline]
 [] __do_page_fault+0xc80/0xd70 arch/x86/mm/fault.c:1438
 [] do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1460
 [] page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1012
Object at ffff8801aacd41f0, in cache vm_area_struct size: 184
Allocated:
PID = 4592
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:495
 set_track mm/kasan/kasan.c:507 [inline]
 kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598
 kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:537
 slab_post_alloc_hook mm/slab.h:417 [inline]
 slab_alloc_node mm/slub.c:2715 [inline]
 slab_alloc mm/slub.c:2723 [inline]
 kmem_cache_alloc+0xba/0x290 mm/slub.c:2728
 kmem_cache_zalloc include/linux/slab.h:626 [inline]
 mmap_region+0x587/0xfd0 mm/mmap.c:1662
 do_mmap+0x57b/0xbe0 mm/mmap.c:1473
 do_mmap_pgoff include/linux/mm.h:2018 [inline]
 vm_mmap_pgoff+0x16b/0x1b0 mm/util.c:305
 SYSC_mmap_pgoff mm/mmap.c:1523 [inline]
 SyS_mmap_pgoff+0xd0/0x560 mm/mmap.c:1481
 SYSC_mmap arch/x86/kernel/sys_x86_64.c:95 [inline]
 SyS_mmap+0x16/0x20 arch/x86/kernel/sys_x86_64.c:86
 entry_SYSCALL_64_fastpath+0x23/0xc6
Freed:
PID = 4610
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:495
 set_track mm/kasan/kasan.c:507 [inline]
 kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:571
 slab_free_hook mm/slub.c:1355 [inline]
 slab_free_freelist_hook mm/slub.c:1377 [inline]
 slab_free mm/slub.c:2958 [inline]
 kmem_cache_free+0xb2/0x2e0 mm/slub.c:2980
 remove_vma+0x11d/0x160 mm/mmap.c:175
 remove_vma_list mm/mmap.c:2482 [inline]
 do_munmap+0x7ff/0xeb0 mm/mmap.c:2705
 mmap_region+0x14d/0xfd0 mm/mmap.c:1635
 do_mmap+0x57b/0xbe0 mm/mmap.c:1473
 do_mmap_pgoff include/linux/mm.h:2018 [inline]
 vm_mmap_pgoff+0x16b/0x1b0 mm/util.c:305
 SYSC_mmap_pgoff mm/mmap.c:1523 [inline]
 SyS_mmap_pgoff+0xd0/0x560 mm/mmap.c:1481
 SYSC_mmap arch/x86/kernel/sys_x86_64.c:95 [inline]
 SyS_mmap+0x16/0x20 arch/x86/kernel/sys_x86_64.c:86
 entry_SYSCALL_64_fastpath+0x23/0xc6
Memory state around the buggy address:
 ffff8801aacd4100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8801aacd4180: fb fb fb fb fb fb fc fc fc fc fc fc fc fc fb fb
>ffff8801aacd4200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                           ^
 ffff8801aacd4280: fb fb fb fb fb fc fc fc fc fc fc fc fc fb fb fb
 ffff8801aacd4300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
device gre0 entered promiscuous mode
netlink: 2 bytes leftover after parsing attributes in process `syz-executor6'.
netlink: 2 bytes leftover after parsing attributes in process `syz-executor6'.
pktgen: kernel_thread() failed for cpu 0
pktgen: Cannot create thread for cpu 0 (-4)
pktgen: kernel_thread() failed for cpu 1
pktgen: Cannot create thread for cpu 1 (-4)
pktgen: Initialization failed for all threads
pktgen: kernel_thread() failed for cpu 0
pktgen: Cannot create thread for cpu 0 (-4)
pktgen: kernel_thread() failed for cpu 1
pktgen: Cannot create thread for cpu 1 (-4)
pktgen: Initialization failed for all threads
device gre0 entered promiscuous mode
device gre0 entered promiscuous mode
netlink: 2 bytes leftover after parsing attributes in process `syz-executor4'.
binder: 4849:4850 ioctl 5609 208daffa returned -22
netlink: 2 bytes leftover after parsing attributes in process `syz-executor4'.
binder: 4849:4850 ioctl 5609 208daffa returned -22
netlink: 8 bytes leftover after parsing attributes in process `syz-executor5'.
tty_warn_deprecated_flags: 'syz-executor3' is using deprecated serial flags (with no effect): 00008000
tty_warn_deprecated_flags: 'syz-executor3' is using deprecated serial flags (with no effect): 00008000
device gre0 entered promiscuous mode
binder: 5159:5160 ioctl 5609 208daffa returned -22
binder: 5159:5168 ioctl 5609 208daffa returned -22
device gre0 entered promiscuous mode
binder: 5361:5366 ioctl 5417 20343000 returned -22
binder: 5361:5377 ioctl 5417 20343000 returned -22
nla_parse: 6 callbacks suppressed
netlink: 18 bytes leftover after parsing attributes in process `syz-executor7'.
netlink: 18 bytes leftover after parsing attributes in process `syz-executor7'.
netlink: 2 bytes leftover after parsing attributes in process `syz-executor2'.
binder: 5406:5407 ioctl 5609 208daffa returned -22
netlink: 2 bytes leftover after parsing attributes in process `syz-executor4'.
binder: 5411:5416 ioctl 5609 208daffa returned -22
netlink: 2 bytes leftover after parsing attributes in process `syz-executor4'.
binder: 5411:5416 ioctl 5609 208daffa returned -22
netlink: 2 bytes leftover after parsing attributes in process `syz-executor2'.
binder: 5406:5437 ioctl 5609 208daffa returned -22
IPVS: length: 24 != 8
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=5549 comm=syz-executor1
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=5549 comm=syz-executor1
device gre0 entered promiscuous mode
qtaguid: iface_stat: iface_check_stats_reset_and_adjust(lo): iface reset its stats unexpectedly
tmpfs: No value for mount option 'K"WOSdYl'
tmpfs: No value for mount option 'K"WOSdYl'
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=770 sclass=netlink_route_socket pig=5726 comm=syz-executor3
Option '޾'' to dns_resolver key: bad/missing value
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=770 sclass=netlink_route_socket pig=5730 comm=syz-executor3
Option '޾'' to dns_resolver key: bad/missing value
netlink: 13 bytes leftover after parsing attributes in process `syz-executor3'.
binder: 5800:5804 ioctl 80404525 20001000 returned -22
binder: 5800:5811 ioctl 80404525 20001000 returned -22
netlink: 13 bytes leftover after parsing attributes in process `syz-executor3'.
binder: 5818:5821 ioctl 4028641b 209affd8 returned -22
binder: 5818:5821 ioctl 89e0 20038000 returned -22
binder: 5818:5831 ioctl 4028641b 209affd8 returned -22
binder: 5818:5821 ioctl 89e0 20038000 returned -22
loop_reread_partitions: partition scan of loop0 (-\t@r9hxGQ:[il L*@R-Tr-x) failed (rc=-13)
FAULT_FLAG_ALLOW_RETRY missing 30
CPU: 0 PID: 5889 Comm: syz-executor2 Tainted: G B 4.9.64-gfbb7468 #94
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801d995f8e0 ffffffff81d90429 ffff8801d995fbc0 0000000000000000
 ffff8801ca2e0b90 ffff8801d995fab0 ffff8801ca2e0a80 ffff8801d995fad8
 ffffffff8165e3c7 ffff8801db221d40 ffff8801d995fa30 00000001d8dab067
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [] handle_userfault+0xa37/0x1300 fs/userfaultfd.c:323
 [] do_anonymous_page mm/memory.c:2747 [inline]
 [] handle_pte_fault mm/memory.c:3488 [inline]
 [] __handle_mm_fault mm/memory.c:3577 [inline]
 [] handle_mm_fault+0x1fd1/0x2530 mm/memory.c:3614
 [] __do_page_fault+0x5b7/0xd70 arch/x86/mm/fault.c:1396
 [] do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1460
 [] page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1012
 [] strndup_user+0x28/0xb0 mm/util.c:160
 [] SYSC_request_key security/keys/keyctl.c:186 [inline]
 [] SyS_request_key+0xd6/0x2d0 security/keys/keyctl.c:158
 [] entry_SYSCALL_64_fastpath+0x23/0xc6
netlink: 1 bytes leftover after parsing attributes in process `syz-executor2'.
netlink: 2 bytes leftover after parsing attributes in process `syz-executor1'.
sg_write: data in/out 262364/161 bytes for SCSI command 0xff-- guessing data in; program syz-executor4 not setting count and/or reply_len properly
device lo entered promiscuous mode
device lo left promiscuous mode
binder: 5954:5956 ioctl c0106426 20435ff0 returned -22
binder: 5954:5962 ioctl c0106426 20435ff0 returned -22
9pnet_virtio: no channels available for device ./file0
device lo entered promiscuous mode
9pnet_virtio: no channels available for device ./file0
device lo left promiscuous mode
device gre0 entered promiscuous mode
device gre0 left promiscuous mode
device lo entered promiscuous mode
device gre0 entered promiscuous mode
device lo left promiscuous mode
IPVS: Creating netns size=2536 id=13
device gre0 entered promiscuous mode
device gre0 left promiscuous mode
FAULT_FLAG_ALLOW_RETRY missing 30
CPU: 1 PID: 6059 Comm: syz-executor4 Tainted: G B 4.9.64-gfbb7468 #94
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801cc3af960 ffffffff81d90429 ffff8801cc3afc40 0000000000000000
 ffff8801a5685010 ffff8801cc3afb30 ffff8801a5684f00 ffff8801cc3afb58
 ffffffff8165e3c7 dffffc0000000000 ffff8801cc3afab0
[ 45.646876] device lo entered promiscuous mode
 00000001c63e5067
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [] handle_userfault+0xa37/0x1300 fs/userfaultfd.c:323
 [] do_anonymous_page mm/memory.c:2747 [inline]
 [] handle_pte_fault mm/memory.c:3488 [inline]
 [] __handle_mm_fault mm/memory.c:3577 [inline]
 [] handle_mm_fault+0x1fd1/0x2530 mm/memory.c:3614
 [] __do_page_fault+0x5b7/0xd70 arch/x86/mm/fault.c:1396
 [] do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1460
 [] page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1012
 [] entry_SYSCALL_64_fastpath+0x23/0xc6
device lo left promiscuous mode
pktgen: kernel_thread() failed for cpu 0
pktgen: Cannot create thread for cpu 0 (-4)
pktgen: kernel_thread() failed for cpu 1
pktgen: Cannot create thread for cpu 1 (-4)
pktgen: Initialization failed for all threads
device gre0 entered promiscuous mode
tmpfs: No value for mount option 'K"WOSdYl'
9pnet_virtio: no channels available for device ./file0
9pnet_virtio: no channels available for device ./file0
device gre0 entered promiscuous mode
9pnet_virtio: no channels available for device HHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHH
9pnet_virtio: no channels available for device H
PF_BRIDGE: RTM_SETLINK with unknown ifindex
PF_BRIDGE: RTM_SETLINK with unknown ifindex
device gre0 entered promiscuous mode
binder: 6342:6345 ioctl 8927 20c56fd8 returned -22
binder: 6342:6345 ioctl 80605414 200006c8 returned -22
binder: 6342:6353 ioctl 541b 20000000 returned -22
binder: 6342:6345 ioctl 8927 20c56fd8 returned -22
binder: 6342:6353 ioctl 800454d3 20001000 returned -22
device gre0 entered promiscuous mode
binder: 6564:6570 ioctl c0086420 20739ff8 returned -22
binder: 6564:6570 ioctl 40086425 203c4000 returned -22
IPVS: Creating netns size=2536 id=14
device gre0 entered promiscuous mode
device lo entered promiscuous mode
IPVS: Creating netns size=2536 id=15
device lo left promiscuous mode
device lo entered promiscuous mode
device lo left promiscuous mode
pktgen: kernel_thread() failed for cpu 0
pktgen: Cannot create thread for cpu 0 (-4)
pktgen: kernel_thread() failed for cpu 1
pktgen: Cannot create thread for cpu 1 (-4)
pktgen: Initialization failed for all threads
IPVS: Creating netns size=2536 id=16
binder: 6774:6778 ioctl c0286404 20c0dfd8 returned -22
PF_BRIDGE: RTM_SETLINK with unknown ifindex
PF_BRIDGE: RTM_SETLINK with unknown ifindex
nla_parse: 8 callbacks suppressed
netlink: 11 bytes leftover after parsing attributes in process `syz-executor6'.
binder: 6859:6868 ioctl 8905 20a31ffc returned -22
netlink: 1 bytes leftover after parsing attributes in process `syz-executor2'.
netlink: 11 bytes leftover after parsing attributes in process `syz-executor6'.
netlink: 1 bytes leftover after parsing attributes in process `syz-executor2'.
binder: 6859:6868 ioctl 8915 205d7000 returned -22
binder: 6859:6868 ioctl 8905 20a31ffc returned -22
netlink: 8 bytes leftover after parsing attributes in process `syz-executor2'.
binder: 6859:6868 ioctl 8915 205d7000 returned -22
netlink: 8 bytes leftover after parsing attributes in process `syz-executor2'.
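The KASAN report at the top of this log is the one actionable item in it; everything after the closing "====" line is fuzzer noise (binder ioctls returning -EINVAL, netlink attribute leftovers, pktgen thread failures, userfaultfd FAULT_FLAG_ALLOW_RETRY warnings). The helper below is an added example, not part of the log and not a syzkaller or kernel tool: it parses a 4.9-era KASAN slab report into the fields a triager checks first (bug class, access size and the outermost non-inlined frame it was charged to, the object's cache and bounds, the offset of the access inside the object, the allocating and freeing PIDs with the first non-allocator frame of each stack, and a decode of the shadow bytes around the address). The shadow-byte table is the encoding of that kernel's mm/kasan/kasan.h (0xfb freed slab object, 0xfc slab redzone, 0x00 addressable); the SAMPLE string is constructed from the report above with most frames omitted.

```python
import re

# Shadow-byte encoding of the 4.9-era KASAN/SLUB build (mm/kasan/kasan.h).
SHADOW = {0x00: "addressable", 0xfa: "global redzone", 0xfb: "freed slab object",
          0xfc: "slab redzone", 0xfe: "page redzone", 0xff: "freed page"}
# Frames that belong to allocator/KASAN plumbing rather than to the bug's caller.
INTERNAL = ("save_stack", "set_track", "kasan_", "slab_", "kmem_cache_")

BUG_RE = re.compile(r"BUG: KASAN: (\S+) in (\S+) .*?\bat addr ([0-9a-f]+)")
ACCESS_RE = re.compile(r"(Read|Write) of size (\d+) by task (\S+)/(\d+)")
OBJECT_RE = re.compile(r"Object at ([0-9a-f]+), in cache (\S+) size: (\d+)")
SHADOW_RE = re.compile(r"^[ >]([0-9a-f]{16}): ((?:[0-9a-f]{2} ?){1,16})$")


class KasanReport:
    def __init__(self):
        self.bug = self.top_frame = self.access = self.task = self.cache = ""
        self.size = self.pid = self.addr = self.object_start = self.object_size = 0
        self.alloc_pid = self.free_pid = 0
        self.alloc_stack, self.free_stack, self.shadow = [], [], {}

    @property
    def offset(self):
        """Byte offset of the faulting access inside the slab object."""
        return self.addr - self.object_start

    def shadow_state(self, addr):
        """Decode the shadow byte covering addr (one shadow byte per 8-byte granule)."""
        for base, cells in self.shadow.items():
            if base <= addr < base + 8 * len(cells):
                return SHADOW.get(cells[(addr - base) // 8], "unknown")
        return None


def parse_kasan_report(text):
    """Pull the triage-relevant fields out of one KASAN report."""
    r, section = KasanReport(), None
    for raw in text.splitlines():
        line = raw.strip()
        if m := BUG_RE.search(line):
            r.bug, r.addr = m[1], int(m[3], 16)
            if "[inline]" not in line:   # the last non-inline BUG line is the real caller
                r.top_frame = m[2].split("+")[0]
        elif m := ACCESS_RE.search(line):
            r.access, r.size, r.task, r.pid = m[1], int(m[2]), m[3], int(m[4])
        elif m := OBJECT_RE.search(line):
            r.object_start, r.cache, r.object_size = int(m[1], 16), m[2], int(m[3])
        elif line in ("Allocated:", "Freed:"):
            section = line[:-1].lower()
        elif line.startswith("Memory state"):
            section = "shadow"
        elif line.startswith("=="):
            section = None
        elif section in ("allocated", "freed") and line.startswith("PID = "):
            setattr(r, "alloc_pid" if section == "allocated" else "free_pid", int(line[6:]))
        elif section in ("allocated", "freed") and line:
            (r.alloc_stack if section == "allocated" else r.free_stack).append(line)
        elif section == "shadow" and (m := SHADOW_RE.match(raw.rstrip())):
            r.shadow[int(m[1], 16)] = [int(b, 16) for b in m[2].split()]
    return r


def first_caller(stack):
    """First frame outside the allocator/KASAN plumbing, symbol name only."""
    for frame in stack:
        sym = frame.split()[0].split("+")[0]
        if not sym.startswith(INTERNAL):
            return sym
    return ""


def summarize(r):
    who = ("the same task that freed it" if r.free_pid == r.pid
           else "a different task from the one that freed it (lifetime race)")
    return "\n".join([
        f"{r.bug}: {r.access.lower()} of {r.size} bytes in {r.top_frame}() by {r.task}/{r.pid}",
        f"object: {r.cache} ({r.object_size} bytes) at {r.object_start:#x}, access at +{r.offset:#x}",
        f"shadow at access: {r.shadow_state(r.addr)}; just past object end: "
        f"{r.shadow_state(r.object_start + r.object_size)}",
        f"allocated in {first_caller(r.alloc_stack)}() by PID {r.alloc_pid}, "
        f"freed in {first_caller(r.free_stack)}() by PID {r.free_pid}",
        f"accessed by {who}",
    ])


# Constructed sample: the report above with most frames omitted.
SAMPLE = """\
==================================================================
BUG: KASAN: use-after-free in perf_sw_event include/linux/perf_event.h:1039 [inline] at addr ffff8801aacd4240
BUG: KASAN: use-after-free in __do_page_fault+0xc80/0xd70 arch/x86/mm/fault.c:1438 at addr ffff8801aacd4240
Read of size 8 by task syz-executor4/4592
Object at ffff8801aacd41f0, in cache vm_area_struct size: 184
Allocated:
PID = 4592
 kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598
 kmem_cache_alloc+0xba/0x290 mm/slub.c:2728
 mmap_region+0x587/0xfd0 mm/mmap.c:1662
Freed:
PID = 4610
 kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:571
 kmem_cache_free+0xb2/0x2e0 mm/slub.c:2980
 remove_vma+0x11d/0x160 mm/mmap.c:175
 do_munmap+0x7ff/0xeb0 mm/mmap.c:2705
Memory state around the buggy address:
 ffff8801aacd4180: fb fb fb fb fb fb fc fc fc fc fc fc fc fc fb fb
>ffff8801aacd4200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                           ^
 ffff8801aacd4280: fb fb fb fb fb fc fc fc fc fc fc fc fc fb fb fb
==================================================================
"""

if __name__ == "__main__":
    print(summarize(parse_kasan_report(SAMPLE)))
```

On this report the helper confirms what has to be read out of the raw text by hand: an 8-byte read at +0x50 into a 184-byte vm_area_struct whose shadow byte is 0xfb (freed) while the byte just past the object end is 0xfc (redzone), so the object bounds reported by KASAN are consistent with the shadow dump; the VMA was allocated in mmap_region() by PID 4592 and freed in remove_vma() by PID 4610 through do_munmap() called from mmap_region(), which is the path a new mapping takes when it overlaps an existing VMA. Access and free came from different PIDs, which is what makes this a cross-thread VMA lifetime race rather than a simple double use in one syscall.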