==================================================================
BUG: KASAN: use-after-free in __read_once_size include/linux/compiler.h:243 [inline] at addr ffff8801c9170148
BUG: KASAN: use-after-free in atomic_read arch/x86/include/asm/atomic.h:26 [inline] at addr ffff8801c9170148
BUG: KASAN: use-after-free in static_key_count include/linux/jump_label.h:174 [inline] at addr ffff8801c9170148
BUG: KASAN: use-after-free in static_key_false include/linux/jump_label.h:184 [inline] at addr ffff8801c9170148
BUG: KASAN: use-after-free in perf_sw_event include/linux/perf_event.h:1039 [inline] at addr ffff8801c9170148
BUG: KASAN: use-after-free in __do_page_fault+0xc80/0xd70 arch/x86/mm/fault.c:1438 at addr ffff8801c9170148
Read of size 8 by task syz-executor5/8355
CPU: 1 PID: 8355 Comm: syz-executor5 Not tainted 4.9.64-gfbb7468 #94
binder: 8347:8359 ioctl 4b68 20e80000 returned -22
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
binder: 8347:8359 ioctl 4b64 201f4000 returned -22
 ffff8801d804fd88 ffffffff81d90429 ffff8801da155140 ffff8801c91700f8
 ffff8801c91701b0 ffffed003922e029 ffff8801c9170148 ffff8801d804fdb0
 ffffffff8153a3ac ffffed003922e029 ffff8801da155140 0000000000000000
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [] kasan_object_err+0x1c/0x70 mm/kasan/report.c:160
 [] print_address_description mm/kasan/report.c:198 [inline]
 [] kasan_report_error mm/kasan/report.c:287 [inline]
 [] kasan_report.part.1+0x21c/0x500 mm/kasan/report.c:309
 [] kasan_report mm/kasan/report.c:330 [inline]
 [] __asan_report_load8_noabort+0x29/0x30 mm/kasan/report.c:330
 [] __read_once_size include/linux/compiler.h:243 [inline]
 [] atomic_read arch/x86/include/asm/atomic.h:26 [inline]
 [] static_key_count include/linux/jump_label.h:174 [inline]
 [] static_key_false include/linux/jump_label.h:184 [inline]
 [] perf_sw_event include/linux/perf_event.h:1039 [inline]
 [] __do_page_fault+0xc80/0xd70 arch/x86/mm/fault.c:1438
 [] do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1460
 [] page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1012
Object at ffff8801c91700f8, in cache vm_area_struct size: 184
Allocated:
PID = 8355
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:495
 set_track mm/kasan/kasan.c:507 [inline]
 kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598
 kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:537
 slab_post_alloc_hook mm/slab.h:417 [inline]
 slab_alloc_node mm/slub.c:2715 [inline]
 slab_alloc mm/slub.c:2723 [inline]
 kmem_cache_alloc+0xba/0x290 mm/slub.c:2728
 kmem_cache_zalloc include/linux/slab.h:626 [inline]
 mmap_region+0x587/0xfd0 mm/mmap.c:1662
 do_mmap+0x57b/0xbe0 mm/mmap.c:1473
 do_mmap_pgoff include/linux/mm.h:2018 [inline]
 vm_mmap_pgoff+0x16b/0x1b0 mm/util.c:305
 SYSC_mmap_pgoff mm/mmap.c:1523 [inline]
 SyS_mmap_pgoff+0xd0/0x560 mm/mmap.c:1481
 SYSC_mmap arch/x86/kernel/sys_x86_64.c:95 [inline]
 SyS_mmap+0x16/0x20 arch/x86/kernel/sys_x86_64.c:86
 entry_SYSCALL_64_fastpath+0x23/0xc6
Freed:
PID = 8368
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:495
 set_track mm/kasan/kasan.c:507 [inline]
 kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:571
 slab_free_hook mm/slub.c:1355 [inline]
 slab_free_freelist_hook mm/slub.c:1377 [inline]
 slab_free mm/slub.c:2958 [inline]
 kmem_cache_free+0xb2/0x2e0 mm/slub.c:2980
 remove_vma+0x11d/0x160 mm/mmap.c:175
 remove_vma_list mm/mmap.c:2482 [inline]
 do_munmap+0x7ff/0xeb0 mm/mmap.c:2705
 mmap_region+0x14d/0xfd0 mm/mmap.c:1635
 do_mmap+0x57b/0xbe0 mm/mmap.c:1473
 do_mmap_pgoff include/linux/mm.h:2018 [inline]
 vm_mmap_pgoff+0x16b/0x1b0 mm/util.c:305
 SYSC_mmap_pgoff mm/mmap.c:1523 [inline]
 SyS_mmap_pgoff+0xd0/0x560 mm/mmap.c:1481
 SYSC_mmap arch/x86/kernel/sys_x86_64.c:95 [inline]
 SyS_mmap+0x16/0x20 arch/x86/kernel/sys_x86_64.c:86
 entry_SYSCALL_64_fastpath+0x23/0xc6
Memory state around the buggy address:
 ffff8801c9170000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8801c9170080: fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc fb
>ffff8801c9170100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                              ^
 ffff8801c9170180: fb fb fb fb fb fb fc fc fc fc fc fc fc fc fb fb
 ffff8801c9170200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
IPVS: Creating netns size=2536 id=16
pktgen: kernel_thread() failed for cpu 0
pktgen: Cannot create thread for cpu 0 (-4)
pktgen: kernel_thread() failed for cpu 1
pktgen: Cannot create thread for cpu 1 (-4)
pktgen: Initialization failed for all threads
device lo entered promiscuous mode
device lo left promiscuous mode
device lo entered promiscuous mode
IPVS: Creating netns size=2536 id=17
device lo left promiscuous mode
device lo entered promiscuous mode
device lo left promiscuous mode
device gre0 entered promiscuous mode
device lo entered promiscuous mode
device lo left promiscuous mode
pktgen: kernel_thread() failed for cpu 0
pktgen: Cannot create thread for cpu 0 (-4)
pktgen: kernel_thread() failed for cpu 1
pktgen: Cannot create thread for cpu 1 (-4)
pktgen: Initialization failed for all threads
device lo entered promiscuous mode
device lo left promiscuous mode
netlink: 18 bytes leftover after parsing attributes in process `syz-executor1'.
device lo entered promiscuous mode
device lo left promiscuous mode
skbuff: bad partial csum: csum=53081/14726 len=2273
netlink: 18 bytes leftover after parsing attributes in process `syz-executor1'.
IPVS: Creating netns size=2536 id=18
keychord: unsupported version 48
skbuff: bad partial csum: csum=53081/14726 len=2273
keychord: unsupported version 48
binder: 8714:8720 ioctl 8927 204dcfd8 returned -22
binder: 8714:8720 ioctl 4028641b 209affd8 returned -22
binder: 8714:8720 ioctl 89e0 208dd000 returned -22
binder: 8714:8720 ioctl 8927 204dcfd8 returned -22
binder: 8714:8737 ioctl 4028641b 209affd8 returned -22
binder: 8714:8720 ioctl 89e0 208dd000 returned -22
netlink: 13 bytes leftover after parsing attributes in process `syz-executor3'.
netlink: 13 bytes leftover after parsing attributes in process `syz-executor3'.
pktgen: kernel_thread() failed for cpu 0
pktgen: Cannot create thread for cpu 0 (-4)
pktgen: kernel_thread() failed for cpu 1
pktgen: Cannot create thread for cpu 1 (-4)
pktgen: Initialization failed for all threads
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=8811 comm=syz-executor0
device gre0 entered promiscuous mode
qtaguid: iface_stat: iface_check_stats_reset_and_adjust(gre0): iface reset its stats unexpectedly
IPVS: Creating netns size=2536 id=19
netlink: 6 bytes leftover after parsing attributes in process `syz-executor0'.
netlink: 6 bytes leftover after parsing attributes in process `syz-executor0'.
netlink: 3 bytes leftover after parsing attributes in process `syz-executor0'.
netlink: 3 bytes leftover after parsing attributes in process `syz-executor0'.
device gre0 entered promiscuous mode
netlink: 18 bytes leftover after parsing attributes in process `syz-executor2'.
netlink: 18 bytes leftover after parsing attributes in process `syz-executor2'.
netlink: 11 bytes leftover after parsing attributes in process `syz-executor7'.
IPVS: Creating netns size=2536 id=20
IPVS: Creating netns size=2536 id=21
netlink: 6 bytes leftover after parsing attributes in process `syz-executor1'.
netlink: 11 bytes leftover after parsing attributes in process `syz-executor7'.
SELinux: unrecognized netlink message: protocol=6 nlmsg_type=0 sclass=netlink_xfrm_socket pig=9147 comm=syz-executor5
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=9147 comm=syz-executor5
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=9147 comm=syz-executor5
SELinux: unrecognized netlink message: protocol=6 nlmsg_type=0 sclass=netlink_xfrm_socket pig=9147 comm=syz-executor5
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=202 sclass=netlink_route_socket pig=9164 comm=syz-executor5
netlink: 1 bytes leftover after parsing attributes in process `syz-executor0'.
netlink: 1 bytes leftover after parsing attributes in process `syz-executor0'.
netlink: 6 bytes leftover after parsing attributes in process `syz-executor1'.
SELinux: unrecognized netlink message: protocol=6 nlmsg_type=0 sclass=netlink_xfrm_socket pig=9147 comm=syz-executor5
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=9164 comm=syz-executor5
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=9164 comm=syz-executor5
SELinux: unrecognized netlink message: protocol=6 nlmsg_type=0 sclass=netlink_xfrm_socket pig=9164 comm=syz-executor5
device gre0 entered promiscuous mode
pktgen: kernel_thread() failed for cpu 0
pktgen: Cannot create thread for cpu 0 (-4)
pktgen: kernel_thread() failed for cpu 1
pktgen: Cannot create thread for cpu 1 (-4)
pktgen: Initialization failed for all threads
pktgen: kernel_thread() failed for cpu 0
pktgen: Cannot create thread for cpu 0 (-4)
pktgen: kernel_thread() failed for cpu 1
pktgen: Cannot create thread for cpu 1 (-4)
pktgen: Initialization failed for all threads
netlink: 16 bytes leftover after parsing attributes in process `syz-executor3'.
netlink: 16 bytes leftover after parsing attributes in process `syz-executor3'.
device gre0 entered promiscuous mode
sock: sock_set_timeout: `syz-executor7' (pid 9437) tries to set negative timeout
IPVS: Creating netns size=2536 id=22
device gre0 entered promiscuous mode
binder: 9455:9456 ioctl 4b44 2004dff8 returned -22
binder: 9455:9456 ioctl 4b44 2004dff8 returned -22
binder: 9478:9482 ioctl c0286404 209bffd8 returned -22
binder: 9478:9482 ioctl 4c05 2063b000 returned -22
binder: 9478:9489 ioctl c0286404 209bffd8 returned -22
sock: sock_set_timeout: `syz-executor7' (pid 9397) tries to set negative timeout
binder: 9478:9489 ioctl 4c05 2063b000 returned -22
pktgen: kernel_thread() failed for cpu 0
pktgen: Cannot create thread for cpu 0 (-4)
pktgen: kernel_thread() failed for cpu 1
pktgen: Cannot create thread for cpu 1 (-4)
pktgen: Initialization failed for all threads
device gre0 entered promiscuous mode
binder: 9676:9678 ioctl 540f 2091c000 returned -22
sg_write: data in/out 65498/34 bytes for SCSI command 0xfe-- guessing data in; program syz-executor3 not setting count and/or reply_len properly
binder: 9676:9697 ioctl 540f 2091c000 returned -22
binder: 9737:9739 ioctl 40bc5311 203c8000 returned -22
binder: binder_mmap: 9767 207fd000-20801000 bad vm_flags failed -1
binder: 9767:9770 ioctl 8917 20227fe0 returned -22
binder: binder_mmap: 9767 207fd000-20801000 bad vm_flags failed -1
binder: 9767:9780 ioctl 8917 20227fe0 returned -22
A link change request failed with some changes committed already. Interface lo may have been left with an inconsistent configuration, please check.
A link change request failed with some changes committed already. Interface lo may have been left with an inconsistent configuration, please check.
nla_parse: 18 callbacks suppressed
netlink: 1 bytes leftover after parsing attributes in process `syz-executor3'.
netlink: 1 bytes leftover after parsing attributes in process `syz-executor3'.
device gre0 entered promiscuous mode
IPVS: Creating netns size=2536 id=23
binder: 10151:10154 ioctl 8040451b 20ba8000 returned -22
device lo entered promiscuous mode
device lo left promiscuous mode
binder: 10168:10170 ioctl 541c 20647000 returned -22
binder: 10168:10170 ioctl 8955 20a1e000 returned -22
binder: 10151:10161 ioctl 8040451b 20ba8000 returned -22
device lo entered promiscuous mode
device lo left promiscuous mode
binder: 10168:10181 ioctl 541c 20647000 returned -22
device lo entered promiscuous mode
syz-executor2: vmalloc: allocation failure: 17179869168 bytes, mode:0x24000c2(GFP_KERNEL|__GFP_HIGHMEM)
CPU: 1 PID: 10198 Comm: syz-executor2 Tainted: G    B   4.9.64-gfbb7468 #94
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801d6e7f880 ffffffff81d90429 1ffff1003adcff13 ffff8801c9f1b000
 ffffffff83ab7d80
binder: 10168:10189 ioctl 8955 20a1e000 returned -22
 0000000000000001 0000000000400000 ffff8801d6e7f990
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [] warn_alloc+0x212/0x240 mm/page_alloc.c:3054
 [] __vmalloc_node_range+0x3f5/0x5f0 mm/vmalloc.c:1722
 [] __vmalloc_node mm/vmalloc.c:1744 [inline]
 [] __vmalloc_node_flags mm/vmalloc.c:1758 [inline]
 [] vmalloc+0x5b/0x70 mm/vmalloc.c:1773
 [] xt_alloc_entry_offsets+0x41/0x60 net/netfilter/x_tables.c:722
 [] translate_table+0x21a/0x1e30 net/ipv4/netfilter/ip_tables.c:700
 [] do_replace net/ipv4/netfilter/ip_tables.c:1151 [inline]
 [] do_ipt_set_ctl+0x2be/0x470 net/ipv4/netfilter/ip_tables.c:1687
 [] nf_sockopt net/netfilter/nf_sockopt.c:105 [inline]
 [] nf_setsockopt+0x67/0xc0 net/netfilter/nf_sockopt.c:114
 [] ip_setsockopt+0xa1/0xb0 net/ipv4/ip_sockglue.c:1243
 [] tcp_setsockopt+0x82/0xd0 net/ipv4/tcp.c:2736
 [] sock_common_setsockopt+0x95/0xd0 net/core/sock.c:2706
 [] SYSC_setsockopt net/socket.c:1771 [inline]
 [] SyS_setsockopt+0x160/0x250 net/socket.c:1750
 [] entry_SYSCALL_64_fastpath+0x23/0xc6
Mem-Info:
active_anon:86664 inactive_anon:39 isolated_anon:0
 active_file:3593 inactive_file:6527 isolated_file:0
 unevictable:0 dirty:26 writeback:0 unstable:0
 slab_reclaimable:4784 slab_unreclaimable:12292
 mapped:22732 shmem:48 pagetables:828 bounce:0
 free:1494341 free_pcp:303 free_cma:0
Node 0 active_anon:346656kB inactive_anon:156kB active_file:14372kB inactive_file:26108kB unevictable:0kB isolated(anon):0kB isolated(file):0kB mapped:90928kB dirty:104kB writeback:0kB shmem:192kB shmem_thp: 0kB shmem_pmdmapped: 0kB anon_thp: 18432kB writeback_tmp:0kB unstable:0kB pages_scanned:0 all_unreclaimable? no