binder: 14338:14343 ioctl 80404519 20f74000 returned -22 device lo left promiscuous mode ================================================================== BUG: KASAN: use-after-free in __read_once_size include/linux/compiler.h:243 [inline] at addr ffff8801da09b148 BUG: KASAN: use-after-free in atomic_read arch/x86/include/asm/atomic.h:26 [inline] at addr ffff8801da09b148 BUG: KASAN: use-after-free in static_key_count include/linux/jump_label.h:174 [inline] at addr ffff8801da09b148 BUG: KASAN: use-after-free in static_key_false include/linux/jump_label.h:184 [inline] at addr ffff8801da09b148 BUG: KASAN: use-after-free in perf_sw_event include/linux/perf_event.h:1039 [inline] at addr ffff8801da09b148 BUG: KASAN: use-after-free in __do_page_fault+0xc80/0xd70 arch/x86/mm/fault.c:1438 at addr ffff8801da09b148 Read of size 8 by task syz-executor2/14345 CPU: 1 PID: 14345 Comm: syz-executor2 Not tainted 4.9.64-gfbb7468 #94 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 ffff8801aa607d88 ffffffff81d90429 ffff8801da155140 ffff8801da09b0f8 ffff8801da09b1b0 ffffed003b413629 ffff8801da09b148 ffff8801aa607db0 ffffffff8153a3ac ffffed003b413629 ffff8801da155140 0000000000000000 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xc1/0x128 lib/dump_stack.c:51 [] kasan_object_err+0x1c/0x70 mm/kasan/report.c:160 [] print_address_description mm/kasan/report.c:198 [inline] [] kasan_report_error mm/kasan/report.c:287 [inline] [] kasan_report.part.1+0x21c/0x500 mm/kasan/report.c:309 [] kasan_report mm/kasan/report.c:330 [inline] [] __asan_report_load8_noabort+0x29/0x30 mm/kasan/report.c:330 [] __read_once_size include/linux/compiler.h:243 [inline] [] atomic_read arch/x86/include/asm/atomic.h:26 [inline] [] static_key_count include/linux/jump_label.h:174 [inline] [] static_key_false include/linux/jump_label.h:184 [inline] [] perf_sw_event include/linux/perf_event.h:1039 [inline] [] __do_page_fault+0xc80/0xd70 arch/x86/mm/fault.c:1438 [] do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1460 [] page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1012 Object at ffff8801da09b0f8, in cache vm_area_struct size: 184 Allocated: PID = 14345 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 save_stack+0x43/0xd0 mm/kasan/kasan.c:495 set_track mm/kasan/kasan.c:507 [inline] kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598 kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:537 slab_post_alloc_hook mm/slab.h:417 [inline] slab_alloc_node mm/slub.c:2715 [inline] slab_alloc mm/slub.c:2723 [inline] kmem_cache_alloc+0xba/0x290 mm/slub.c:2728 kmem_cache_zalloc include/linux/slab.h:626 [inline] mmap_region+0x587/0xfd0 mm/mmap.c:1662 do_mmap+0x57b/0xbe0 mm/mmap.c:1473 do_mmap_pgoff include/linux/mm.h:2018 [inline] vm_mmap_pgoff+0x16b/0x1b0 mm/util.c:305 SYSC_mmap_pgoff mm/mmap.c:1523 [inline] SyS_mmap_pgoff+0xd0/0x560 mm/mmap.c:1481 SYSC_mmap arch/x86/kernel/sys_x86_64.c:95 [inline] SyS_mmap+0x16/0x20 arch/x86/kernel/sys_x86_64.c:86 entry_SYSCALL_64_fastpath+0x23/0xc6 Freed: PID = 14356 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 save_stack+0x43/0xd0 mm/kasan/kasan.c:495 set_track mm/kasan/kasan.c:507 [inline] kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:571 slab_free_hook mm/slub.c:1355 [inline] slab_free_freelist_hook mm/slub.c:1377 [inline] slab_free mm/slub.c:2958 [inline] kmem_cache_free+0xb2/0x2e0 mm/slub.c:2980 remove_vma+0x11d/0x160 mm/mmap.c:175 remove_vma_list mm/mmap.c:2482 [inline] do_munmap+0x7ff/0xeb0 mm/mmap.c:2705 mmap_region+0x14d/0xfd0 mm/mmap.c:1635 do_mmap+0x57b/0xbe0 mm/mmap.c:1473 do_mmap_pgoff include/linux/mm.h:2018 [inline] vm_mmap_pgoff+0x16b/0x1b0 mm/util.c:305 SYSC_mmap_pgoff mm/mmap.c:1523 [inline] SyS_mmap_pgoff+0xd0/0x560 mm/mmap.c:1481 SYSC_mmap arch/x86/kernel/sys_x86_64.c:95 [inline] SyS_mmap+0x16/0x20 arch/x86/kernel/sys_x86_64.c:86 entry_SYSCALL_64_fastpath+0x23/0xc6 Memory state around the buggy address: ffff8801da09b000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8801da09b080: fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc fb >ffff8801da09b100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff8801da09b180: fb fb fb fb fb fb fc fc fc fc fc fc fc fc fb fb ffff8801da09b200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ================================================================== netlink: 2 bytes leftover after parsing attributes in process `syz-executor6'. IPv6: RTM_NEWROUTE with no NLM_F_CREATE or NLM_F_REPLACE IPv6: NLM_F_CREATE should be set when creating new route IPv6: NLM_F_CREATE should be set when creating new route device lo entered promiscuous mode IPv6: ADDRCONF(NETDEV_CHANGE): lo: link becomes ready device lo left promiscuous mode netlink: 1 bytes leftover after parsing attributes in process `syz-executor5'. IPVS: Creating netns size=2536 id=32 netlink: 2 bytes leftover after parsing attributes in process `syz-executor6'. IPv6: RTM_NEWROUTE with no NLM_F_CREATE or NLM_F_REPLACE IPv6: NLM_F_CREATE should be set when creating new route IPv6: NLM_F_CREATE should be set when creating new route netlink: 1 bytes leftover after parsing attributes in process `syz-executor5'. binder: 14427:14436 ioctl c058534b 20000000 returned -22 netlink: 5 bytes leftover after parsing attributes in process `syz-executor3'. ?: renamed from tunl0 netlink: 5 bytes leftover after parsing attributes in process `syz-executor3'. binder: 14427:14436 ioctl c058534b 20000000 returned -22 pktgen: kernel_thread() failed for cpu 0 pktgen: Cannot create thread for cpu 0 (-4) pktgen: kernel_thread() failed for cpu 1 pktgen: Cannot create thread for cpu 1 (-4) pktgen: Initialization failed for all threads SELinux: unrecognized netlink message: protocol=4 nlmsg_type=50 sclass=netlink_tcpdiag_socket pig=14584 comm=syz-executor0 SELinux: unrecognized netlink message: protocol=4 nlmsg_type=50 sclass=netlink_tcpdiag_socket pig=14603 comm=syz-executor0 binder: 14636:14638 ioctl 540f 207a4000 returned -22 binder: 14636:14638 ioctl 540c 0 returned -22 binder: 14636:14650 ioctl 540f 207a4000 returned -22 binder: 14636:14638 ioctl 540c 0 returned -22 tmpfs: No value for mount option '‹¶K"WöËO¢©S£d€Yl®' device gre0 entered promiscuous mode binder: 14768:14772 ioctl 5609 20fa5ffa returned -22 binder: 14768:14772 ioctl 5609 20fa5ffa returned -22 IPVS: Creating netns size=2536 id=33 device lo entered promiscuous mode device lo left promiscuous mode 9pnet_virtio: no channels available for device H¨ IPVS: Creating netns size=2536 id=34 device lo entered promiscuous mode device lo left promiscuous mode 9pnet_virtio: no channels available for device H¨ device lo entered promiscuous mode IPv6: ADDRCONF(NETDEV_CHANGE): lo: link becomes ready device lo left promiscuous mode device lo entered promiscuous mode IPv6: ADDRCONF(NETDEV_CHANGE): lo: link becomes ready device lo left promiscuous mode IPVS: Creating netns size=2536 id=35 binder: 15218:15219 ioctl 541c 20647000 returned -22 binder: 15218:15219 ioctl 8955 20a1e000 returned -22 binder: 15236:15244 ioctl c01064b5 2058cff4 returned -22 binder: 15218:15254 ioctl 541c 20647000 returned -22 binder: 15236:15244 ioctl c01064b5 2058cff4 returned -22 binder: 15218:15235 ioctl 8955 20a1e000 returned -22 SELinux: unrecognized netlink message: protocol=0 nlmsg_type=45845 sclass=netlink_route_socket pig=15295 comm=syz-executor7 SELinux: unrecognized netlink message: protocol=0 nlmsg_type=45845 sclass=netlink_route_socket pig=15295 comm=syz-executor7 device gre0 entered promiscuous mode nla_parse: 65 callbacks suppressed netlink: 2 bytes leftover after parsing attributes in process `syz-executor3'. netlink: 2 bytes leftover after parsing attributes in process `syz-executor3'. netlink: 2 bytes leftover after parsing attributes in process `syz-executor3'. binder: 15503:15504 ioctl 40bc5311 20798f44 returned -22 device gre0 entered promiscuous mode binder: 15503:15504 ioctl 40bc5311 20798f44 returned -22 netlink: 2 bytes leftover after parsing attributes in process `syz-executor0'. netlink: 2 bytes leftover after parsing attributes in process `syz-executor3'. netlink: 2 bytes leftover after parsing attributes in process `syz-executor3'. netlink: 2 bytes leftover after parsing attributes in process `syz-executor0'. netlink: 2 bytes leftover after parsing attributes in process `syz-executor3'. netlink: 2 bytes leftover after parsing attributes in process `syz-executor3'. netlink: 2 bytes leftover after parsing attributes in process `syz-executor3'. Option '9˜ŸT§' to dns_resolver key: bad/missing value Option '9˜ŸT§' to dns_resolver key: bad/missing value SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=15727 comm=syz-executor5 SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=15751 comm=syz-executor5 SELinux: unrecognized netlink message: protocol=0 nlmsg_type=163 sclass=netlink_route_socket pig=15929 comm=syz-executor3 SELinux: unrecognized netlink message: protocol=0 nlmsg_type=163 sclass=netlink_route_socket pig=15939 comm=syz-executor3 PF_BRIDGE: RTM_NEWNEIGH with unknown ifindex PF_BRIDGE: RTM_NEWNEIGH with unknown ifindex IPVS: Creating netns size=2536 id=36 pktgen: kernel_thread() failed for cpu 0 pktgen: Cannot create thread for cpu 0 (-4) pktgen: kernel_thread() failed for cpu 1 pktgen: Cannot create thread for cpu 1 (-4) pktgen: Initialization failed for all threads device lo entered promiscuous mode device gre0 entered promiscuous mode device gre0 left promiscuous mode device lo left promiscuous mode device gre0 entered promiscuous mode device gre0 left promiscuous mode device lo entered promiscuous mode device lo left promiscuous mode pktgen: kernel_thread() failed for cpu 0 pktgen: Cannot create thread for cpu 0 (-4) pktgen: kernel_thread() failed for cpu 1 pktgen: Cannot create thread for cpu 1 (-4) pktgen: Initialization failed for all threads binder: 16341:16342 ioctl 4b45 20306000 returned -22 device gre0 entered promiscuous mode binder: 16341:16342 ioctl 4b45 20306000 returned -22 device gre0 entered promiscuous mode device gre0 entered promiscuous mode device gre0 entered promiscuous mode IPVS: Creating netns size=2536 id=37 device lo entered promiscuous mode pktgen: kernel_thread() failed for cpu 0 pktgen: Cannot create thread for cpu 0 (-4) pktgen: kernel_thread() failed for cpu 1 pktgen: Cannot create thread for cpu 1 (-4) pktgen: Initialization failed for all threads device gre0 entered promiscuous mode nla_parse: 74 callbacks suppressed netlink: 2 bytes leftover after parsing attributes in process `syz-executor3'. netlink: 2 bytes leftover after parsing attributes in process `syz-executor3'. netlink: 2 bytes leftover after parsing attributes in process `syz-executor3'. netlink: 1 bytes leftover after parsing attributes in process `syz-executor7'. netlink: 1 bytes leftover after parsing attributes in process `syz-executor7'. netlink: 2 bytes leftover after parsing attributes in process `syz-executor3'. syz-executor1: vmalloc: allocation failure: 17179869168 bytes, mode:0x24000c2(GFP_KERNEL|__GFP_HIGHMEM) CPU: 1 PID: 17091 Comm: syz-executor1 Tainted: G B 4.9.64-gfbb7468 #94 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 ffff8801d931f880 ffffffff81d90429 1ffff1003b263f13 ffff8801d9310000 ffffffff83ab7d80 0000000000000001 0000000000400000 ffff8801d931f990 ffffffff8144ead2 024000c2942cddba 0000000041b58ab3 ffffffff8419115d Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xc1/0x128 lib/dump_stack.c:51 [] warn_alloc+0x212/0x240 mm/page_alloc.c:3054 [] __vmalloc_node_range+0x3f5/0x5f0 mm/vmalloc.c:1722 [] __vmalloc_node mm/vmalloc.c:1744 [inline] [] __vmalloc_node_flags mm/vmalloc.c:1758 [inline] [] vmalloc+0x5b/0x70 mm/vmalloc.c:1773 [] xt_alloc_entry_offsets+0x41/0x60 net/netfilter/x_tables.c:722 [] translate_table+0x21a/0x1e30 net/ipv4/netfilter/ip_tables.c:700 [] do_replace net/ipv4/netfilter/ip_tables.c:1151 [inline] [] do_ipt_set_ctl+0x2be/0x470 net/ipv4/netfilter/ip_tables.c:1687 [] nf_sockopt net/netfilter/nf_sockopt.c:105 [inline] [] nf_setsockopt+0x67/0xc0 net/netfilter/nf_sockopt.c:114 [] ip_setsockopt+0xa1/0xb0 net/ipv4/ip_sockglue.c:1243 [] tcp_setsockopt+0x82/0xd0 net/ipv4/tcp.c:2736 [] sock_common_setsockopt+0x95/0xd0 net/core/sock.c:2706 [] SYSC_setsockopt net/socket.c:1771 [inline] [] SyS_setsockopt+0x160/0x250 net/socket.c:1750 [] entry_SYSCALL_64_fastpath+0x23/0xc6 Mem-Info: active_anon:84318 inactive_anon:35 isolated_anon:0 active_file:3794 inactive_file:6642 isolated_file:0 unevictable:0 dirty:83 writeback:0 unstable:0 slab_reclaimable:6674 slab_unreclaimable:55414 mapped:22840 shmem:77 pagetables:773 bounce:0 free:1451731 free_pcp:394 free_cma:0 Node 0 active_anon:337272kB inactive_anon:140kB active_file:15176kB inactive_file:26568kB unevictable:0kB isolated(anon):0kB isolated(file):0kB mapped:91360kB dirty:332kB writeback:0kB shmem:308kB shmem_thp: 0kB shmem_pmdmapped: 0kB anon_thp: 0kB writeback_tmp:0kB unstable:0kB pages_scanned:0 all_unreclaimable? no DMA free:15908kB min:160kB low:200kB high:240kB active_anon:0kB inactive_anon:0kB active_file:0kB inactive_file:0kB unevictable:0kB writepending:0kB present:15992kB managed:15908kB mlocked:0kB slab_reclaimable:0kB slab_unreclaimable:0kB kernel_stack:0kB pagetables:0kB bounce:0kB free_pcp:0kB local_pcp:0kB free_cma:0kB DMA32 free:2981144kB min:30600kB low:38248kB high:45896kB active_anon:0kB inactive_anon:0kB active_file:0kB inactive_file:0kB unevictable:0kB writepending:0kB present:3129332kB managed:2981844kB mlocked:0kB slab_reclaimable:0kB slab_unreclaimable:0kB kernel_stack:0kB pagetables:0kB bounce:0kB free_pcp:700kB local_pcp:652kB free_cma:0kB Normal free:2809872kB min:36816kB low:46020kB high:55224kB active_anon:337272kB inactive_anon:140kB active_file:15176kB inactive_file:26568kB unevictable:0kB writepending:332kB present:4718592kB managed:3585220kB mlocked:0kB slab_reclaimable:26696kB slab_unreclaimable:221656kB kernel_stack:5984kB pagetables:3092kB bounce:0kB free_pcp:876kB local_pcp:184kB free_cma:0kB DMA: 1*4kB (U) 0*8kB 0*16kB 1*32kB (U) 2*64kB (U) 1*128kB (U) 1*256kB (U) 0*512kB 1*1024kB (U) 1*2048kB (M) 3*4096kB (M) = 15908kB Node 0 hugepages_total=0 hugepages_free=0 hugepages_surp=0 hugepages_size=2048kB 10512 total pagecache pages 0 pages in swap cache Swap cache stats: add 0, delete 0, find 0/0 Free swap = 0kB Total swap = 0kB 1965979 pages RAM 0 pages HighMem/MovableOnly 320236 pages reserved syz-executor1: vmalloc: allocation failure: 17179869168 bytes, mode:0x24000c2(GFP_KERNEL|__GFP_HIGHMEM) CPU: 1 PID: 17091 Comm: syz-executor1 Tainted: G B 4.9.64-gfbb7468 #94 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 ffff8801d931f880 ffffffff81d90429 1ffff1003b263f13 ffff8801d9310000 ffffffff83ab7d80 0000000000000001 0000000000400000 ffff8801d931f990 ffffffff8144ead2 024000c2942cddba 0000000041b58ab3 ffffffff8419115d Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xc1/0x128 lib/dump_stack.c:51 [] warn_alloc+0x212/0x240 mm/page_alloc.c:3054 [] __vmalloc_node_range+0x3f5/0x5f0 mm/vmalloc.c:1722 [] __vmalloc_node mm/vmalloc.c:1744 [inline] [] __vmalloc_node_flags mm/vmalloc.c:1758 [inline] [] vmalloc+0x5b/0x70 mm/vmalloc.c:1773 [] xt_alloc_entry_offsets+0x41/0x60 net/netfilter/x_tables.c:722 [] translate_table+0x21a/0x1e30 net/ipv4/netfilter/ip_tables.c:700 [] do_replace net/ipv4/netfilter/ip_tables.c:1151 [inline] [] do_ipt_set_ctl+0x2be/0x470 net/ipv4/netfilter/ip_tables.c:1687