================================================================== BUG: KASAN: use-after-free in iov_iter_revert+0x976/0x9d0 lib/iov_iter.c:890 Read of size 4 at addr ffff88002d8cf388 by task loop6/11359 CPU: 3 PID: 11359 Comm: loop6 Not tainted 4.13.0-rc7-next-20170901+ #13 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:16 [inline] dump_stack+0x194/0x257 lib/dump_stack.c:52 print_address_description+0x73/0x250 mm/kasan/report.c:252 kasan_report_error mm/kasan/report.c:351 [inline] kasan_report+0x24e/0x340 mm/kasan/report.c:409 __asan_report_load4_noabort+0x14/0x20 mm/kasan/report.c:429 iov_iter_revert+0x976/0x9d0 lib/iov_iter.c:890 generic_file_read_iter+0x1883/0x26c0 mm/filemap.c:2197 syz-executor1: vmalloc: allocation failure: 4833356120 bytes, mode:0x14080c0(GFP_KERNEL|__GFP_ZERO), nodemask=(null) syz-executor1 cpuset=/ mems_allowed=0-1 blkdev_read_iter+0x105/0x170 fs/block_dev.c:1918 call_read_iter include/linux/fs.h:1738 [inline] lo_rw_aio+0x9e9/0xc20 drivers/block/loop.c:501 do_req_filebacked drivers/block/loop.c:539 [inline] loop_handle_cmd drivers/block/loop.c:1658 [inline] loop_queue_work+0x1f91/0x3900 drivers/block/loop.c:1672 kthread_worker_fn+0x340/0x9b0 kernel/kthread.c:635 loop_kthread_worker_fn+0x51/0x60 drivers/block/loop.c:793 kthread+0x39c/0x470 kernel/kthread.c:231 ret_from_fork+0x2a/0x40 arch/x86/entry/entry_64.S:431 Allocated by task 20917: save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59 save_stack+0x43/0xd0 mm/kasan/kasan.c:447 set_track mm/kasan/kasan.c:459 [inline] kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:551 kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:489 kmem_cache_alloc+0x12e/0x760 mm/slab.c:3561 mempool_alloc_slab+0x44/0x60 mm/mempool.c:449 mempool_alloc+0x16a/0x4b0 mm/mempool.c:329 CPU: 0 PID: 20966 Comm: syz-executor1 Not tainted 4.13.0-rc7-next-20170901+ #13 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:16 [inline] dump_stack+0x194/0x257 lib/dump_stack.c:52 warn_alloc+0x1c2/0x2f0 mm/page_alloc.c:3257 __vmalloc_node_range+0x599/0x730 mm/vmalloc.c:1781 __vmalloc_node mm/vmalloc.c:1810 [inline] __vmalloc_node_flags_caller+0x50/0x60 mm/vmalloc.c:1832 kvmalloc_node+0x82/0xd0 mm/util.c:406 kvmalloc include/linux/mm.h:529 [inline] kvmalloc_array include/linux/mm.h:545 [inline] xt_alloc_entry_offsets+0x21/0x30 net/netfilter/x_tables.c:774 translate_table+0x235/0x1610 net/ipv4/netfilter/ip_tables.c:692 do_replace net/ipv4/netfilter/ip_tables.c:1135 [inline] do_ipt_set_ctl+0x34b/0x5c0 net/ipv4/netfilter/ip_tables.c:1669 nf_sockopt net/netfilter/nf_sockopt.c:105 [inline] nf_setsockopt+0x67/0xc0 net/netfilter/nf_sockopt.c:114 ip_setsockopt+0xa1/0xb0 net/ipv4/ip_sockglue.c:1251 tcp_setsockopt+0x82/0xd0 net/ipv4/tcp.c:2801 sock_common_setsockopt+0x95/0xd0 net/core/sock.c:2960 SYSC_setsockopt net/socket.c:1852 [inline] SyS_setsockopt+0x189/0x360 net/socket.c:1831 entry_SYSCALL_64_fastpath+0x1f/0xbe RIP: 0033:0x447299 RSP: 002b:00007f4377d02c08 EFLAGS: 00000292 ORIG_RAX: 0000000000000036 RAX: ffffffffffffffda RBX: 0000000000000018 RCX: 0000000000447299 RDX: 0000000000000040 RSI: 0000000000000000 RDI: 0000000000000018 RBP: 0000000000000082 R08: 0000000000000056 R09: 0000000000000000 R10: 0000000020006000 R11: 0000000000000292 R12: 00000000ffffffff R13: 0000000000005020 R14: 00000000006e70e0 R15: 0000000000000001 bio_alloc_bioset+0x3c7/0x750 block/bio.c:486 bio_alloc include/linux/bio.h:417 [inline] submit_bh_wbc+0x104/0x680 fs/buffer.c:3110 submit_bh fs/buffer.c:3142 [inline] block_read_full_page+0x6cf/0x950 fs/buffer.c:2355 blkdev_readpage+0x1c/0x20 fs/block_dev.c:583 do_generic_file_read mm/filemap.c:2082 [inline] generic_file_read_iter+0x1286/0x26c0 mm/filemap.c:2213 blkdev_read_iter+0x105/0x170 fs/block_dev.c:1918 call_read_iter include/linux/fs.h:1738 [inline] new_sync_read fs/read_write.c:400 [inline] __vfs_read+0x6ad/0xa00 fs/read_write.c:412 vfs_read+0x124/0x360 fs/read_write.c:433 SYSC_read fs/read_write.c:549 [inline] SyS_read+0xef/0x220 fs/read_write.c:542 entry_SYSCALL_64_fastpath+0x1f/0xbe Freed by task 10: save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59 save_stack+0x43/0xd0 mm/kasan/kasan.c:447 set_track mm/kasan/kasan.c:459 [inline] kasan_slab_free+0x71/0xc0 mm/kasan/kasan.c:524 __cache_free mm/slab.c:3503 [inline] kmem_cache_free+0x77/0x280 mm/slab.c:3763 mempool_free_slab+0x1d/0x30 mm/mempool.c:456 mempool_free+0xd4/0x1d0 mm/mempool.c:438 bio_free+0x11c/0x190 block/bio.c:265 bio_put+0x14f/0x180 block/bio.c:558 end_bio_bh_io_sync+0xcd/0x110 fs/buffer.c:3038 bio_endio+0x2f8/0x8d0 block/bio.c:1843 req_bio_endio block/blk-core.c:204 [inline] blk_update_request+0x2a6/0xe20 block/blk-core.c:2738 blk_mq_end_request+0x54/0x120 block/blk-mq.c:509 lo_complete_rq+0xbe/0x1f0 drivers/block/loop.c:460 __blk_mq_complete_request_remote+0x58/0x70 block/blk-mq.c:519 flush_smp_call_function_queue+0x2d6/0x450 kernel/smp.c:247 generic_smp_call_function_single_interrupt+0x13/0x30 kernel/smp.c:192 smp_call_function_single_interrupt+0x10f/0x650 arch/x86/kernel/smp.c:295 The buggy address belongs to the object at ffff88002d8cf300 which belongs to the cache bio-0 of size 192 The buggy address is located 136 bytes inside of 192-byte region [ffff88002d8cf300, ffff88002d8cf3c0) The buggy address belongs to the page: page:ffffea0000b633c0 count:1 mapcount:0 mapping:ffff88002d8cf000 index:0x0 flags: 0x100000000000100(slab) raw: 0100000000000100 ffff88002d8cf000 0000000000000000 0000000100000010 raw: ffffea0000b9f620 ffffea0000b52260 ffff88006cf816c0 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff88002d8cf280: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc ffff88002d8cf300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff88002d8cf380: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc ^ ffff88002d8cf400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff88002d8cf480: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc ==================================================================