==================================================================
BUG: KASAN: use-after-free in __read_once_size include/linux/compiler.h:243 [inline] at addr ffff8801d125ebf0
BUG: KASAN: use-after-free in atomic_read arch/x86/include/asm/atomic.h:26 [inline] at addr ffff8801d125ebf0
BUG: KASAN: use-after-free in static_key_count include/linux/jump_label.h:174 [inline] at addr ffff8801d125ebf0
BUG: KASAN: use-after-free in static_key_false include/linux/jump_label.h:184 [inline] at addr ffff8801d125ebf0
BUG: KASAN: use-after-free in perf_sw_event include/linux/perf_event.h:1039 [inline] at addr ffff8801d125ebf0
BUG: KASAN: use-after-free in __do_page_fault+0xc80/0xd70 arch/x86/mm/fault.c:1438 at addr ffff8801d125ebf0
Read of size 8 by task syz-executor4/6572
CPU: 1 PID: 6572 Comm: syz-executor4 Not tainted 4.9.64-gfbb7468 #94
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801d69afd88 ffffffff81d90429 ffff8801da155140 ffff8801d125eba0
 ffff8801d125ec58 ffffed003a24bd7e ffff8801d125ebf0 ffff8801d69afdb0
 ffffffff8153a3ac ffffed003a24bd7e ffff8801da155140 0000000000000000
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [] kasan_object_err+0x1c/0x70 mm/kasan/report.c:160
 [] print_address_description mm/kasan/report.c:198 [inline]
 [] kasan_report_error mm/kasan/report.c:287 [inline]
 [] kasan_report.part.1+0x21c/0x500 mm/kasan/report.c:309
 [] kasan_report mm/kasan/report.c:330 [inline]
 [] __asan_report_load8_noabort+0x29/0x30 mm/kasan/report.c:330
 [] __read_once_size include/linux/compiler.h:243 [inline]
 [] atomic_read arch/x86/include/asm/atomic.h:26 [inline]
 [] static_key_count include/linux/jump_label.h:174 [inline]
 [] static_key_false include/linux/jump_label.h:184 [inline]
 [] perf_sw_event include/linux/perf_event.h:1039 [inline]
 [] __do_page_fault+0xc80/0xd70 arch/x86/mm/fault.c:1438
 [] do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1460
 [] page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1012
Object at ffff8801d125eba0, in cache vm_area_struct size: 184
Allocated:
PID = 6572
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:495
 set_track mm/kasan/kasan.c:507 [inline]
 kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598
 kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:537
 slab_post_alloc_hook mm/slab.h:417 [inline]
 slab_alloc_node mm/slub.c:2715 [inline]
 slab_alloc mm/slub.c:2723 [inline]
 kmem_cache_alloc+0xba/0x290 mm/slub.c:2728
 kmem_cache_zalloc include/linux/slab.h:626 [inline]
 mmap_region+0x587/0xfd0 mm/mmap.c:1662
 do_mmap+0x57b/0xbe0 mm/mmap.c:1473
 do_mmap_pgoff include/linux/mm.h:2018 [inline]
 vm_mmap_pgoff+0x16b/0x1b0 mm/util.c:305
 SYSC_mmap_pgoff mm/mmap.c:1523 [inline]
 SyS_mmap_pgoff+0xd0/0x560 mm/mmap.c:1481
 SYSC_mmap arch/x86/kernel/sys_x86_64.c:95 [inline]
 SyS_mmap+0x16/0x20 arch/x86/kernel/sys_x86_64.c:86
 entry_SYSCALL_64_fastpath+0x23/0xc6
Freed:
PID = 6584
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:495
 set_track mm/kasan/kasan.c:507 [inline]
 kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:571
 slab_free_hook mm/slub.c:1355 [inline]
 slab_free_freelist_hook mm/slub.c:1377 [inline]
 slab_free mm/slub.c:2958 [inline]
 kmem_cache_free+0xb2/0x2e0 mm/slub.c:2980
 remove_vma+0x11d/0x160 mm/mmap.c:175
 remove_vma_list mm/mmap.c:2482 [inline]
 do_munmap+0x7ff/0xeb0 mm/mmap.c:2705
 mmap_region+0x14d/0xfd0 mm/mmap.c:1635
 do_mmap+0x57b/0xbe0 mm/mmap.c:1473
 do_mmap_pgoff include/linux/mm.h:2018 [inline]
 vm_mmap_pgoff+0x16b/0x1b0 mm/util.c:305
 SYSC_mmap_pgoff mm/mmap.c:1523 [inline]
 SyS_mmap_pgoff+0xd0/0x560 mm/mmap.c:1481
 SYSC_mmap arch/x86/kernel/sys_x86_64.c:95 [inline]
 SyS_mmap+0x16/0x20 arch/x86/kernel/sys_x86_64.c:86
 entry_SYSCALL_64_fastpath+0x23/0xc6
Memory state around the buggy address:
 ffff8801d125ea80: fc fc fc fc fc fb fb fb fb fb fb fb fb fb fb fb
 ffff8801d125eb00: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
>ffff8801d125eb80: fc fc fc fc fb fb fb fb fb fb fb fb fb fb fb fb
                                                             ^
 ffff8801d125ec00: fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc fc
 ffff8801d125ec80: fc fc fc fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
binder: 6620:6624 ioctl 8905 20ef6000 returned -22
binder: 6620:6624 ioctl c0206434 20630fe0 returned -22
binder: 6620:6635 ioctl 8905 20ef6000 returned -22
binder: 6620:6635 ioctl c0206434 20630fe0 returned -22
netlink: 3 bytes leftover after parsing attributes in process `syz-executor1'.
netlink: 3 bytes leftover after parsing attributes in process `syz-executor1'.
netlink: 3 bytes leftover after parsing attributes in process `syz-executor1'.
netlink: 3 bytes leftover after parsing attributes in process `syz-executor1'.
binder: 6680:6682 ioctl 8915 20004000 returned -22
binder: 6680:6708 ioctl 8915 20004000 returned -22
binder: 6705:6710 ioctl 8927 204dcfd8 returned -22
binder: 6705:6710 ioctl 8922 20594fd8 returned -22
binder: 6705:6715 ioctl 8927 204dcfd8 returned -22
binder: 6705:6710 ioctl 8922 20594fd8 returned -22
device gre0 entered promiscuous mode
netlink: 3 bytes leftover after parsing attributes in process `syz-executor4'.
netlink: 3 bytes leftover after parsing attributes in process `syz-executor4'.
device gre0 entered promiscuous mode
device eql entered promiscuous mode
skbuff: bad partial csum: csum=65534/0 len=32
device gre0 entered promiscuous mode
device gre0 entered promiscuous mode
device lo entered promiscuous mode
netlink: 3 bytes leftover after parsing attributes in process `syz-executor2'.
netlink: 3 bytes leftover after parsing attributes in process `syz-executor2'.
IPVS: Creating netns size=2536 id=16
device gre0 entered promiscuous mode
pktgen: kernel_thread() failed for cpu 0
pktgen: Cannot create thread for cpu 0 (-4)
pktgen: kernel_thread() failed for cpu 1
pktgen: Cannot create thread for cpu 1 (-4)
pktgen: Initialization failed for all threads
loop_reread_partitions: partition scan of loop0 (2°]€fI¸Òæ¶Ì”B±!S,›ùDÏ') failed (rc=-13)
ALSA: seq fatal error: cannot create timer (-19)
ALSA: seq fatal error: cannot create timer (-19)
keychord: invalid keycode count 0
binder: 7255:7259 ioctl 8915 20004000 returned -22
loop_reread_partitions: partition scan of loop0 () failed (rc=-13)
keychord: invalid keycode count 0
binder: 7255:7259 ioctl 8915 20004000 returned -22
keychord: Insufficient bytes present for keycount 42
keychord: Insufficient bytes present for keycount 42
selinux_nlmsg_perm: 263 callbacks suppressed
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=65535 sclass=netlink_route_socket pig=7626 comm=syz-executor4
IPv6: RTM_NEWROUTE with no NLM_F_CREATE or NLM_F_REPLACE
IPv6: NLM_F_CREATE should be set when creating new route
IPv6: NLM_F_CREATE should be set when creating new route
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=65535 sclass=netlink_route_socket pig=7665 comm=syz-executor4
IPv6: RTM_NEWROUTE with no NLM_F_CREATE or NLM_F_REPLACE
PF_BRIDGE: RTM_SETLINK with unknown ifindex
device lo left promiscuous mode
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=7777 comm=syz-executor4
PF_BRIDGE: RTM_SETLINK with unknown ifindex
IPv6: RTM_NEWROUTE with no NLM_F_CREATE or NLM_F_REPLACE
IPv6: NLM_F_CREATE should be set when creating new route
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=7777 comm=syz-executor4
IPv6: NLM_F_CREATE should be set when creating new route
nla_parse: 27 callbacks suppressed
netlink: 2 bytes leftover after parsing attributes in process `syz-executor2'.
IPv6: RTM_NEWROUTE with no NLM_F_CREATE or NLM_F_REPLACE
netlink: 2 bytes leftover after parsing attributes in process `syz-executor4'.
binder: 7823:7831 ioctl 5609 208daffa returned -22
netlink: 2 bytes leftover after parsing attributes in process `syz-executor4'.
binder: 7823:7837 ioctl 5609 208daffa returned -22
IPVS: Creating netns size=2536 id=17
binder: 7910:7915 ioctl 541c 20647000 returned -22
binder: 7910:7915 ioctl 8955 20a1e000 returned -22
binder: 7910:7915 ioctl 541c 20647000 returned -22
device gre0 entered promiscuous mode
binder: 7910:7933 ioctl 8955 20a1e000 returned -22
netlink: 3 bytes leftover after parsing attributes in process `syz-executor0'.
9pnet_virtio: no channels available for device ./file0
9pnet_virtio: no channels available for device ./file0
netlink: 3 bytes leftover after parsing attributes in process `syz-executor0'.
binder: 8007:8012 ioctl 4b45 20306000 returned -22
binder: 8007:8012 ioctl 4b45 20306000 returned -22
pktgen: kernel_thread() failed for cpu 0
pktgen: Cannot create thread for cpu 0 (-4)
pktgen: kernel_thread() failed for cpu 1
pktgen: Cannot create thread for cpu 1 (-4)
pktgen: Initialization failed for all threads
pktgen: kernel_thread() failed for cpu 0
pktgen: Cannot create thread for cpu 0 (-4)
pktgen: kernel_thread() failed for cpu 1
pktgen: Cannot create thread for cpu 1 (-4)
pktgen: Initialization failed for all threads
netlink: 6 bytes leftover after parsing attributes in process `syz-executor5'.
netlink: 6 bytes leftover after parsing attributes in process `syz-executor5'.
netlink: 3 bytes leftover after parsing attributes in process `syz-executor0'.
device gre0 entered promiscuous mode
netlink: 3 bytes leftover after parsing attributes in process `syz-executor0'.
binder: 8208:8216 ioctl 541c 20dd8ff4 returned -22
binder: 8208:8216 ioctl 54a3 0 returned -22
binder_alloc: binder_alloc_mmap_handler: 8208 20000000-20400000 already mapped failed -16
binder: 8208:8216 ioctl 541c 20dd8ff4 returned -22
netlink: 3 bytes leftover after parsing attributes in process `syz-executor0'.
binder: 8208:8216 ioctl 54a3 0 returned -22
IPVS: Creating netns size=2536 id=18
program syz-executor3 is using a deprecated SCSI ioctl, please convert it to SG_IO
sock: sock_set_timeout: `syz-executor7' (pid 8324) tries to set negative timeout
sd 0:0:1:0: ioctl_internal_command: ILLEGAL REQUEST asc=0x20 ascq=0x0
program syz-executor3 is using a deprecated SCSI ioctl, please convert it to SG_IO
sock: sock_set_timeout: `syz-executor7' (pid 8324) tries to set negative timeout
sd 0:0:1:0: ioctl_internal_command: ILLEGAL REQUEST asc=0x20 ascq=0x0
device lo entered promiscuous mode
pktgen: kernel_thread() failed for cpu 0
pktgen: Cannot create thread for cpu 0 (-4)
pktgen: kernel_thread() failed for cpu 1
pktgen: Cannot create thread for cpu 1 (-4)
pktgen: Initialization failed for all threads
binder: 8478:8479 ioctl 541c 20ed7fd8 returned -22
binder: 8478:8479 ioctl 80404519 2013af92 returned -22
binder: 8478:8479 ioctl 541c 20ed7fd8 returned -22
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=8472 comm=syz-executor2
binder: 8478:8479 ioctl 80404519 2013af92 returned -22
sock: process `syz-executor3' is using obsolete setsockopt SO_BSDCOMPAT
binder: 8621:8622 ioctl 8903 20af0ffc returned -22
binder: 8621:8627 ioctl 540a 0 returned -22
binder: 8801:8803 ioctl 5608 0 returned -22
binder: 8801:8808 ioctl 5608 0 returned -22
device lo left promiscuous mode
IPv6: RTM_NEWROUTE with no NLM_F_CREATE or NLM_F_REPLACE
IPv6: NLM_F_CREATE should be set when creating new route
IPv6: NLM_F_CREATE should be set when creating new route
IPv6: RTM_NEWROUTE with no NLM_F_CREATE or NLM_F_REPLACE
sg_write: data in/out 822404280/197 bytes for SCSI command 0x12-- guessing data in;
   program syz-executor5 not setting count and/or reply_len properly
ALSA: seq fatal error: cannot create timer (-19)
A link change request failed with some changes committed already. Interface lo may have been left with an inconsistent configuration, please check.
A link change request failed with some changes committed already. Interface lo may have been left with an inconsistent configuration, please check.
ALSA: seq fatal error: cannot create timer (-19)
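The KASAN report at the top of this log says three things that are worth cross-checking before trusting the symbolized frames: the faulting read is at ffff8801d125ebf0, the object is a 184-byte vm_area_struct at ffff8801d125eba0 (allocated in mmap_region by PID 6572, freed through do_munmap inside another mmap_region by PID 6584), and the shadow byte under the caret is fb. The program below is an added example, not part of the syzbot log and not kernel code: it parses the "Memory state around the buggy address" rows copied from the report, decodes the shadow byte for the faulting address using the poison values from mm/kasan/kasan.h (fb freed slab object, fc kmalloc redzone, fa global redzone), computes the read's offset inside the freed object, and measures the run of freed granules from the object start to confirm it matches the printed object size. It assumes the generic KASAN layout of one shadow byte per 8-byte granule; the helper names are its own. Running it shows the read lands 0x50 bytes into a freed vm_area_struct, which is a field access on a freed VMA rather than the static key the inlined perf_sw_event frames suggest, a reminder that inline-frame attribution in these reports deserves a second look.

```c
/* Decoder for the "Memory state around the buggy address" block of a
 * KASAN report.  Added example; not part of the syzbot log above.
 * Assumes generic KASAN: one shadow byte per 8-byte granule, poison
 * values as in mm/kasan/kasan.h (0xfb freed slab object, 0xfc kmalloc
 * redzone, 0xfa global redzone, 0xfe page redzone, 0xff freed page). */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SHADOW_SCALE 8   /* bytes of memory per shadow byte */
#define ROW_BYTES   16   /* shadow bytes per dump row (128 bytes of memory) */
#define MAX_ROWS    16

struct shadow_row { uint64_t base; int val[ROW_BYTES]; };
struct shadow_map { struct shadow_row row[MAX_ROWS]; int nrows; };

/* Rows and addresses copied verbatim from the report above. */
static const char KASAN_DUMP[] =
    " ffff8801d125ea80: fc fc fc fc fc fb fb fb fb fb fb fb fb fb fb fb\n"
    " ffff8801d125eb00: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc\n"
    ">ffff8801d125eb80: fc fc fc fc fb fb fb fb fb fb fb fb fb fb fb fb\n"
    "                                                             ^\n"
    " ffff8801d125ec00: fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc fc\n"
    " ffff8801d125ec80: fc fc fc fb fb fb fb fb fb fb fb fb fb fb fb fb\n";
#define ACCESS_ADDR 0xffff8801d125ebf0ULL  /* "Read of size 8 ... at addr" */
#define OBJECT_ADDR 0xffff8801d125eba0ULL  /* "Object at ..., in cache vm_area_struct" */
#define OBJECT_SIZE 184ULL                 /* "size: 184" */

/* Meaning of a shadow byte; values 1..7 mean only the first N bytes of
 * the granule are addressable. */
const char *shadow_meaning(int b)
{
    if (b == 0x00) return "addressable";
    if (b >= 0x01 && b <= 0x07) return "partially addressable";
    switch (b) {
    case 0xfb: return "freed kmalloc/slab object (use-after-free)";
    case 0xfc: return "kmalloc redzone (heap out-of-bounds)";
    case 0xfa: return "global redzone";
    case 0xfe: return "page redzone";
    case 0xff: return "freed page";
    case 0xf1: case 0xf2: case 0xf3: case 0xf4: return "stack redzone";
    default:   return "unknown poison";
    }
}

/* Parse rows "[>]<addr>: xx xx ... xx" (16 bytes each); the caret line
 * and anything else is skipped.  Returns the number of rows parsed. */
int parse_shadow_rows(const char *dump, struct shadow_map *m)
{
    char buf[2048];
    strncpy(buf, dump, sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';
    m->nrows = 0;
    for (char *line = strtok(buf, "\n"); line && m->nrows < MAX_ROWS;
         line = strtok(NULL, "\n")) {
        while (*line == ' ' || *line == '>') line++;
        char *end;
        uint64_t base = strtoull(line, &end, 16);
        if (end == line || *end != ':') continue;   /* not a shadow row */
        struct shadow_row *r = &m->row[m->nrows];
        r->base = base;
        char *p = end + 1;
        int i;
        for (i = 0; i < ROW_BYTES; i++) {
            r->val[i] = (int)strtoul(p, &end, 16);
            if (end == p) break;
            p = end;
        }
        if (i == ROW_BYTES) m->nrows++;
    }
    return m->nrows;
}

/* Shadow byte covering addr, or -1 if the dump does not cover it. */
int shadow_byte_at(const struct shadow_map *m, uint64_t addr)
{
    for (int i = 0; i < m->nrows; i++) {
        uint64_t lo = m->row[i].base, hi = lo + ROW_BYTES * SHADOW_SCALE;
        if (addr >= lo && addr < hi)
            return m->row[i].val[(addr - lo) / SHADOW_SCALE];
    }
    return -1;
}

/* Byte offset of addr inside [obj, obj+size), or -1 if outside. */
int64_t offset_in_object(uint64_t addr, uint64_t obj, uint64_t size)
{
    return (addr >= obj && addr < obj + size) ? (int64_t)(addr - obj) : -1;
}

/* Length of the contiguous 0xfb run starting at obj; for a freed slab
 * object this should equal the object size the report prints. */
uint64_t freed_run_bytes(const struct shadow_map *m, uint64_t obj)
{
    uint64_t n = 0;
    while (shadow_byte_at(m, obj + n) == 0xfb) n += SHADOW_SCALE;
    return n;
}

/* Parse the embedded dump once and hand back the map. */
const struct shadow_map *report_map(void)
{
    static struct shadow_map m;
    static int parsed;
    if (!parsed) { parse_shadow_rows(KASAN_DUMP, &m); parsed = 1; }
    return &m;
}

int main(void)
{
    const struct shadow_map *m = report_map();
    int sb = shadow_byte_at(m, ACCESS_ADDR);
    printf("shadow byte 0x%02x: %s\n", sb, shadow_meaning(sb));
    printf("read at offset 0x%llx of the %llu-byte object; freed run %llu bytes\n",
           (unsigned long long)offset_in_object(ACCESS_ADDR, OBJECT_ADDR, OBJECT_SIZE),
           (unsigned long long)OBJECT_SIZE,
           (unsigned long long)freed_run_bytes(m, OBJECT_ADDR));
    return 0;
}
```

The same decoder applies to any KASAN report of this vintage: paste the memory-state rows, the "at addr" value and the "Object at ... size:" line, and it tells you whether the access hit a freed object, a redzone, or a stack/global guard, and where inside the object the access landed, which is what you need before opening the struct definition to see which field was touched.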