==================================================================
BUG: KASAN: use-after-free in __read_once_size include/linux/compiler.h:243 [inline] at addr ffff8801ca3c8050
BUG: KASAN: use-after-free in atomic_read arch/x86/include/asm/atomic.h:26 [inline] at addr ffff8801ca3c8050
BUG: KASAN: use-after-free in static_key_count include/linux/jump_label.h:174 [inline] at addr ffff8801ca3c8050
BUG: KASAN: use-after-free in static_key_false include/linux/jump_label.h:184 [inline] at addr ffff8801ca3c8050
BUG: KASAN: use-after-free in perf_sw_event include/linux/perf_event.h:1039 [inline] at addr ffff8801ca3c8050
BUG: KASAN: use-after-free in __do_page_fault+0xc80/0xd70 arch/x86/mm/fault.c:1438 at addr ffff8801ca3c8050
Read of size 8 by task syz-executor1/10948
CPU: 0 PID: 10948 Comm: syz-executor1 Not tainted 4.9.64-gfbb7468 #94
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801c91a7d88 ffffffff81d90429 ffff8801da155140 ffff8801ca3c8000
 ffff8801ca3c80b8 ffffed003947900a ffff8801ca3c8050 ffff8801c91a7db0
 ffffffff8153a3ac ffffed003947900a ffff8801da155140 0000000000000000
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [] kasan_object_err+0x1c/0x70 mm/kasan/report.c:160
 [] print_address_description mm/kasan/report.c:198 [inline]
 [] kasan_report_error mm/kasan/report.c:287 [inline]
 [] kasan_report.part.1+0x21c/0x500 mm/kasan/report.c:309
 [] kasan_report mm/kasan/report.c:330 [inline]
 [] __asan_report_load8_noabort+0x29/0x30 mm/kasan/report.c:330
 [] __read_once_size include/linux/compiler.h:243 [inline]
 [] atomic_read arch/x86/include/asm/atomic.h:26 [inline]
 [] static_key_count include/linux/jump_label.h:174 [inline]
 [] static_key_false include/linux/jump_label.h:184 [inline]
 [] perf_sw_event include/linux/perf_event.h:1039 [inline]
 [] __do_page_fault+0xc80/0xd70 arch/x86/mm/fault.c:1438
 [] do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1460
 [] page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1012
Object at ffff8801ca3c8000, in cache vm_area_struct size: 184
Allocated:
PID = 10939
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:495
 set_track mm/kasan/kasan.c:507 [inline]
 kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598
 kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:537
 slab_post_alloc_hook mm/slab.h:417 [inline]
 slab_alloc_node mm/slub.c:2715 [inline]
 slab_alloc mm/slub.c:2723 [inline]
 kmem_cache_alloc+0xba/0x290 mm/slub.c:2728
 kmem_cache_zalloc include/linux/slab.h:626 [inline]
 mmap_region+0x587/0xfd0 mm/mmap.c:1662
 do_mmap+0x57b/0xbe0 mm/mmap.c:1473
 do_mmap_pgoff include/linux/mm.h:2018 [inline]
 vm_mmap_pgoff+0x16b/0x1b0 mm/util.c:305
 SYSC_mmap_pgoff mm/mmap.c:1523 [inline]
 SyS_mmap_pgoff+0xd0/0x560 mm/mmap.c:1481
 SYSC_mmap arch/x86/kernel/sys_x86_64.c:95 [inline]
 SyS_mmap+0x16/0x20 arch/x86/kernel/sys_x86_64.c:86
device gre0 entered promiscuous mode
 entry_SYSCALL_64_fastpath+0x23/0xc6
Freed:
PID = 10957
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
binder: 10994:10995 ioctl 641e 0 returned -22
 save_stack+0x43/0xd0 mm/kasan/kasan.c:495
 set_track mm/kasan/kasan.c:507 [inline]
 kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:571
 slab_free_hook mm/slub.c:1355 [inline]
 slab_free_freelist_hook mm/slub.c:1377 [inline]
 slab_free mm/slub.c:2958 [inline]
 kmem_cache_free+0xb2/0x2e0 mm/slub.c:2980
 remove_vma+0x11d/0x160 mm/mmap.c:175
binder: 10994:10999 ioctl 641e 0 returned -22
 remove_vma_list mm/mmap.c:2482 [inline]
 do_munmap+0x7ff/0xeb0 mm/mmap.c:2705
 mmap_region+0x14d/0xfd0 mm/mmap.c:1635
 do_mmap+0x57b/0xbe0 mm/mmap.c:1473
 do_mmap_pgoff include/linux/mm.h:2018 [inline]
 vm_mmap_pgoff+0x16b/0x1b0 mm/util.c:305
 SYSC_mmap_pgoff mm/mmap.c:1523 [inline]
 SyS_mmap_pgoff+0xd0/0x560 mm/mmap.c:1481
 SYSC_mmap arch/x86/kernel/sys_x86_64.c:95 [inline]
 SyS_mmap+0x16/0x20 arch/x86/kernel/sys_x86_64.c:86
 entry_SYSCALL_64_fastpath+0x23/0xc6
Memory state around the buggy address:
 ffff8801ca3c7f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff8801ca3c7f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff8801ca3c8000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                   ^
 ffff8801ca3c8080: fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc fb
 ffff8801ca3c8100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
device gre0 left promiscuous mode
device gre0 entered promiscuous mode
device gre0 entered promiscuous mode
device gre0 left promiscuous mode
device gre0 entered promiscuous mode
device gre0 left promiscuous mode
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=11100 comm=syz-executor5
keychord: invalid keycode count 0
keychord: invalid keycode count 0
device gre0 entered promiscuous mode
binder: 11235:11239 ioctl c0286404 209bffd8 returned -22
device gre0 entered promiscuous mode
binder: 11235:11239 ioctl 4c05 2063b000 returned -22
binder: 11235:11249 ioctl c0286404 209bffd8 returned -22
binder: 11235:11249 ioctl 4c05 2063b000 returned -22
binder: 11251:11262 ioctl 5609 208daffa returned -22
device gre0 entered promiscuous mode
binder: 11251:11254 ioctl 5609 208daffa returned -22
device gre0 entered promiscuous mode
device gre0 entered promiscuous mode
SELinux: unrecognized netlink message: protocol=6 nlmsg_type=2 sclass=netlink_xfrm_socket pig=11387 comm=syz-executor3
SELinux: unrecognized netlink message: protocol=6 nlmsg_type=2 sclass=netlink_xfrm_socket pig=11417 comm=syz-executor3
FAULT_FLAG_ALLOW_RETRY missing 30
CPU: 0 PID: 11403 Comm: syz-executor1 Tainted: G B 4.9.64-gfbb7468 #94
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801a9a4f930 ffffffff81d90429 ffff8801a9a4fc10 0000000000000000
 ffff8801d03f0b90 ffff8801a9a4fb00 ffff8801d03f0a80 ffff8801a9a4fb28
 ffffffff8165e3c7 ffff8801a9a4fac8 ffff8801a9a4fa80 00000001cad42067
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [] handle_userfault+0xa37/0x1300 fs/userfaultfd.c:323
 [] do_anonymous_page mm/memory.c:2747 [inline]
 [] handle_pte_fault mm/memory.c:3488 [inline]
 [] __handle_mm_fault mm/memory.c:3577 [inline]
 [] handle_mm_fault+0x1fd1/0x2530 mm/memory.c:3614
 [] __do_page_fault+0x5b7/0xd70 arch/x86/mm/fault.c:1396
 [] do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1460
 [] page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1012
 [] entry_SYSCALL_64_fastpath+0x23/0xc6
FAULT_FLAG_ALLOW_RETRY missing 30
CPU: 0 PID: 11390 Comm: syz-executor1 Tainted: G B 4.9.64-gfbb7468 #94
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801a77af8e0 ffffffff81d90429 ffff8801a77afbc0 0000000000000000
 ffff8801d03f0b90 ffff8801a77afab0 ffff8801d03f0a80 ffff8801a77afad8
 ffffffff8165e3c7 ffff8801db321d40 ffff8801a77afa30 00000001cad42067
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [] handle_userfault+0xa37/0x1300 fs/userfaultfd.c:323
 [] do_anonymous_page mm/memory.c:2747 [inline]
 [] handle_pte_fault mm/memory.c:3488 [inline]
 [] __handle_mm_fault mm/memory.c:3577 [inline]
 [] handle_mm_fault+0x1fd1/0x2530 mm/memory.c:3614
 [] __do_page_fault+0x5b7/0xd70 arch/x86/mm/fault.c:1396
 [] do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1460
 [] page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1012
 [] SyS_rt_tgsigqueueinfo+0x2c/0x40 kernel/signal.c:3008
 [] entry_SYSCALL_64_fastpath+0x23/0xc6
device gre0 entered promiscuous mode
device gre0 entered promiscuous mode
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=11579 comm=syz-executor5
IPVS: Creating netns size=2536 id=23
SELinux: unrecognized netlink message: protocol=6 nlmsg_type=63 sclass=netlink_xfrm_socket pig=11626 comm=syz-executor5
SELinux: unrecognized netlink message: protocol=6 nlmsg_type=63 sclass=netlink_xfrm_socket pig=11626 comm=syz-executor5
pktgen: kernel_thread() failed for cpu 0
pktgen: Cannot create thread for cpu 0 (-4)
pktgen: kernel_thread() failed for cpu 1
pktgen: Cannot create thread for cpu 1 (-4)
pktgen: Initialization failed for all threads
tmpfs: No value for mount option 'K"WOSdYl'
nla_parse: 11 callbacks suppressed
netlink: 9 bytes leftover after parsing attributes in process `syz-executor2'.
A link change request failed with some changes committed already. Interface lo may have been left with an inconsistent configuration, please check.
blk_update_request: I/O error, dev loop5, sector 0
netlink: 9 bytes leftover after parsing attributes in process `syz-executor2'.
A link change request failed with some changes committed already. Interface lo may have been left with an inconsistent configuration, please check.
device lo entered promiscuous mode
device lo left promiscuous mode
device lo entered promiscuous mode
device lo left promiscuous mode
keychord: Insufficient bytes present for keycount 42
keychord: Insufficient bytes present for keycount 42
device gre0 entered promiscuous mode
device lo entered promiscuous mode
device lo left promiscuous mode
device lo entered promiscuous mode
device lo left promiscuous mode
device lo entered promiscuous mode
device lo left promiscuous mode
device lo entered promiscuous mode
device lo left promiscuous mode
netlink: 2 bytes leftover after parsing attributes in process `syz-executor6'.
binder: 12041:12047 ioctl 4040534e 20000000 returned -22
tmpfs: No value for mount option '9,3'
binder: 12041:12056 ioctl 4040534e 20000000 returned -22
netlink: 2 bytes leftover after parsing attributes in process `syz-executor6'.
tmpfs: No value for mount option '9,3'
tc_ctl_action: received NO action attribs
tc_ctl_action: received NO action attribs
netlink: 8 bytes leftover after parsing attributes in process `syz-executor2'.
netlink: 8 bytes leftover after parsing attributes in process `syz-executor2'.
tmpfs: No value for mount option 'K"WOSdYl'
tmpfs: No value for mount option 'K"WOSdYl'
9pnet_virtio: no channels available for device ./file0
9pnet_virtio: no channels available for device ./file0
netlink: 5 bytes leftover after parsing attributes in process `syz-executor7'.
9pnet_virtio: no channels available for device ./file0
9pnet_virtio: no channels available for device ./file0
netlink: 5 bytes leftover after parsing attributes in process `syz-executor7'.
device gre0 entered promiscuous mode
netlink: 5 bytes leftover after parsing attributes in process `syz-executor3'.
netlink: 5 bytes leftover after parsing attributes in process `syz-executor7'.
IPv6: Can't replace route, no match found
IPv6: Can't replace route, no match found
binder: binder_mmap: 12490 207fd000-20801000 bad vm_flags failed -1
binder: 12490:12491 ioctl 8917 20227fe0 returned -22
binder: 12490:12491 ioctl 541c 205b0000 returned -22
binder: binder_mmap: 12490 207fd000-20801000 bad vm_flags failed -1
binder: 12490:12504 ioctl 8917 20227fe0 returned -22
device gre0 entered promiscuous mode
binder: 12646:12652 ioctl 40082406 204bfff4 returned -22
binder: 12646:12652 ioctl c00c642d 20191000 returned -22
binder: 12646:12652 ioctl c010640b 207d3000 returned -22
binder: 12646:12652 ioctl c008640a 20b8b000 returned -22
binder: 12646:12652 ioctl 8940 20000fe8 returned -22
binder: 12646:12728 ioctl 40082406 204bfff4 returned -22
binder: 12646:12728 ioctl c00c642d 20191000 returned -22
binder: 12646:12725 ioctl c010640b 207d3000 returned -22
binder: 12646:12728 ioctl c008640a 20b8b000 returned -22
binder: 12646:12743 ioctl 8940 20000fe8 returned -22
device gre0 entered promiscuous mode
9pnet_virtio: no channels available for device ./file0/file0
9pnet_virtio: no channels available for device ./file0/file0
device lo entered promiscuous mode
device lo left promiscuous mode
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=770 sclass=netlink_route_socket pig=13288 comm=syz-executor0
IPVS: Creating netns size=2536 id=24
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=770 sclass=netlink_route_socket pig=13328 comm=syz-executor0
device gre0 entered promiscuous mode
SELinux: unrecognized netlink message: protocol=6 nlmsg_type=0 sclass=netlink_xfrm_socket pig=13387 comm=syz-executor4
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=13387 comm=syz-executor4
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=13387 comm=syz-executor4
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=202 sclass=netlink_route_socket pig=13387 comm=syz-executor4
SELinux: unrecognized netlink message: protocol=6 nlmsg_type=0 sclass=netlink_xfrm_socket pig=13387 comm=syz-executor4
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=13410 comm=syz-executor4
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=13410 comm=syz-executor4
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=202 sclass=netlink_route_socket pig=13407 comm=syz-executor4
pktgen: kernel_thread() failed for cpu 0
pktgen: Cannot create thread for cpu 0 (-4)
pktgen: kernel_thread() failed for cpu 1
pktgen: Cannot create thread for cpu 1 (-4)
pktgen: Initialization failed for all threads
binder: 13617:13623 ioctl 540f 2091c000 returned -22
binder: 13617:13623 ioctl 540f 2091c000 returned -22
nla_parse: 12 callbacks suppressed
netlink: 1 bytes leftover after parsing attributes in process `syz-executor6'.
IPv6: NLM_F_REPLACE set, but no existing node found!
netlink: 1 bytes leftover after parsing attributes in process `syz-executor6'.
IPv6: NLM_F_REPLACE set, but no existing node found!
netlink: 2 bytes leftover after parsing attributes in process `syz-executor5'.
IPv6: RTM_NEWROUTE with no NLM_F_CREATE or NLM_F_REPLACE
IPv6: NLM_F_CREATE should be set when creating new route
IPv6: NLM_F_CREATE should be set when creating new route
netlink: 2 bytes leftover after parsing attributes in process `syz-executor5'.
IPv6: RTM_NEWROUTE with no NLM_F_CREATE or NLM_F_REPLACE
IPVS: Creating netns size=2536 id=25
netlink: 1 bytes leftover after parsing attributes in process `syz-executor0'.
netlink: 1 bytes leftover after parsing attributes in process `syz-executor0'.
netlink: 5 bytes leftover after parsing attributes in process `syz-executor1'.