================================================================== BUG: KASAN: use-after-free in inet_shutdown+0x2e9/0x370 net/ipv4/af_inet.c:809 Read of size 4 at addr ffff8801cbc38440 by task syz-executor0/6631 CPU: 0 PID: 6631 Comm: syz-executor0 Not tainted 4.4.141-gb1bad9e #69 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 0000000000000000 6d36339904d0783e ffff8801d8fcfbc0 ffffffff81e0e16d ffffea00072f0e00 ffff8801cbc38440 0000000000000000 ffff8801cbc38440 ffff8800b07562d8 ffff8801d8fcfbf8 ffffffff81515a76 ffff8801cbc38440 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xc1/0x124 lib/dump_stack.c:51 [] print_address_description+0x6c/0x216 mm/kasan/report.c:252 [] kasan_report_error mm/kasan/report.c:351 [inline] [] kasan_report.cold.7+0x175/0x2f7 mm/kasan/report.c:408 [] __asan_report_load4_noabort+0x14/0x20 mm/kasan/report.c:428 [] inet_shutdown+0x2e9/0x370 net/ipv4/af_inet.c:809 [] pppol2tp_session_close+0xa0/0xe0 net/l2tp/l2tp_ppp.c:458 [] l2tp_tunnel_closeall+0x205/0x350 net/l2tp/l2tp_core.c:1274 [] l2tp_udp_encap_destroy+0x8b/0xf0 net/l2tp/l2tp_core.c:1300 [] udp_destroy_sock+0x118/0x1a0 net/ipv4/udp.c:2056 [] sk_common_release+0x6d/0x300 net/core/sock.c:2680 [] udp_lib_close+0x15/0x20 include/net/udp.h:190 [] inet_release+0xff/0x1d0 net/ipv4/af_inet.c:435 [] sock_release+0x96/0x1c0 net/socket.c:586 [] sock_close+0x16/0x20 net/socket.c:1037 [] __fput+0x235/0x6f0 fs/file_table.c:208 [] ____fput+0x15/0x20 fs/file_table.c:244 [] task_work_run+0x10f/0x190 kernel/task_work.c:115 [] tracehook_notify_resume include/linux/tracehook.h:191 [inline] [] exit_to_usermode_loop+0x13d/0x160 arch/x86/entry/common.c:253 [] prepare_exit_to_usermode arch/x86/entry/common.c:284 [inline] [] syscall_return_slowpath+0x1b5/0x1f0 arch/x86/entry/common.c:349 [] int_ret_from_sys_call+0x25/0xa3 Allocated by task 6631: [] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:63 [] save_stack+0x43/0xd0 mm/kasan/kasan.c:512 [] set_track mm/kasan/kasan.c:524 [inline] [] kasan_kmalloc+0xc7/0xe0 mm/kasan/kasan.c:616 [] kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:554 [] slab_post_alloc_hook mm/slub.c:1349 [inline] [] slab_alloc_node mm/slub.c:2615 [inline] [] slab_alloc mm/slub.c:2623 [inline] [] kmem_cache_alloc+0xbe/0x2a0 mm/slub.c:2628 [] sock_alloc_inode+0x1d/0x260 net/socket.c:250 [] alloc_inode+0x63/0x180 fs/inode.c:198 [] new_inode_pseudo+0x17/0xe0 fs/inode.c:878 [] sock_alloc+0x41/0x280 net/socket.c:555 [] __sock_create+0x8d/0x5f0 net/socket.c:1141 [] sock_create net/socket.c:1217 [inline] [] SYSC_socket net/socket.c:1247 [inline] [] SyS_socket+0xf0/0x1b0 net/socket.c:1227 [] entry_SYSCALL_64_fastpath+0x22/0x9e Freed by task 6669: [] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:63 [] save_stack+0x43/0xd0 mm/kasan/kasan.c:512 [] set_track mm/kasan/kasan.c:524 [inline] [] kasan_slab_free+0x72/0xc0 mm/kasan/kasan.c:589 [] slab_free_hook mm/slub.c:1383 [inline] [] slab_free_freelist_hook mm/slub.c:1405 [inline] [] slab_free mm/slub.c:2859 [inline] [] kmem_cache_free+0xbe/0x340 mm/slub.c:2881 [] sock_destroy_inode+0x56/0x70 net/socket.c:280 [] destroy_inode+0xc2/0x120 fs/inode.c:255 [] evict+0x322/0x4f0 fs/inode.c:559 [] iput_final fs/inode.c:1477 [inline] [] iput+0x391/0x980 fs/inode.c:1504 [] dentry_iput fs/dcache.c:372 [inline] [] __dentry_kill+0x492/0x5f0 fs/dcache.c:559 [] dentry_kill fs/dcache.c:603 [inline] [] dput.part.26+0x587/0x760 fs/dcache.c:818 [] dput+0x1f/0x30 fs/dcache.c:782 [] __fput+0x401/0x6f0 fs/file_table.c:226 [] ____fput+0x15/0x20 fs/file_table.c:244 [] task_work_run+0x10f/0x190 kernel/task_work.c:115 [] tracehook_notify_resume include/linux/tracehook.h:191 [inline] [] exit_to_usermode_loop+0x13d/0x160 arch/x86/entry/common.c:253 [] prepare_exit_to_usermode arch/x86/entry/common.c:284 [inline] [] syscall_return_slowpath+0x1b5/0x1f0 arch/x86/entry/common.c:349 [] int_ret_from_sys_call+0x25/0xa3 The buggy address belongs to the object at ffff8801cbc38440 which belongs to the cache sock_inode_cache of size 936 The buggy address is located 0 bytes inside of 936-byte region [ffff8801cbc38440, ffff8801cbc387e8) The buggy address belongs to the page: kasan: CONFIG_KASAN_INLINE enabled kasan: GPF could be caused by NULL-ptr deref or user memory accessgeneral protection fault: 0000 [#1] PREEMPT SMP KASAN Dumping ftrace buffer: (ftrace buffer empty) Modules linked in: CPU: 1 PID: 0 Comm: swapper/1 Not tainted 4.4.141-gb1bad9e #69 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 task: ffff8801d9a41800 task.stack: ffff8801d9a50000 RIP: 0010:[] [] rb_set_parent_color include/linux/rbtree_augmented.h:117 [inline] RIP: 0010:[] [] ____rb_erase_color lib/rbtree.c:345 [inline] RIP: 0010:[] [] rb_erase+0x721/0x1cb0 lib/rbtree.c:429 RSP: 0018:ffff8801db307cf8 EFLAGS: 00010086 RAX: 5028454741505f4e RBX: dffffc0000000000 RCX: ffff8801d8e7fe08 RDX: ffffed003b6632e2 RSI: ffff8801db319710 RDI: 0a0508a8e82a0be9 RBP: ffff8801db307d40 R08: ffffffff8533dfd0 R09: 0000000000000001 R10: 0000000000000000 R11: ffff8801d9a41800 R12: ffff8801d8e7fdf8 R13: ffff8801d8e7fdf9 R14: ffffffff83aaa228 R15: ffffffff83aaa220 FS: 0000000000000000(0000) GS:SeaBIOS (version 1.8.2-20171012_061934-google) Initializing cgroup subsys cpuset Initializing cgroup subsys cpu Initializing cgroup subsys cpuacct Initializing cgroup subsys schedtune Linux version 4.4.141-gb1bad9e (syzkaller@ci) (gcc version 8.0.1 20180413 (experimental) (GCC) ) #69 SMP PREEMPT Tue Jul 17 10:56:53 UTC 2018 Command line: BOOT_IMAGE=/vmlinuz root=/dev/sda1 console=ttyS0 earlyprintk=serial vsyscall=native rodata=n ftrace_dump_on_oops=orig_cpu oops=panic panic_on_warn=1 nmi_watchdog=panic panic=86400 workqueue.watchdog_thresh=140 nopti KERNEL supported cpus: Intel GenuineIntel AMD AuthenticAMD Centaur CentaurHauls x86/fpu: xstate_offset[2]: 576, xstate_sizes[2]: 256 x86/fpu: Supporting XSAVE feature 0x01: 'x87 floating point registers' x86/fpu: Supporting XSAVE feature 0x02: 'SSE registers' x86/fpu: Supporting XSAVE feature 0x04: 'AVX registers' x86/fpu: Enabled xstate features 0x7, context size is 832 bytes, using 'standard' format. e820: BIOS-provided physical RAM map: BIOS-e820: [mem 0x0000000000000000-0x000000000009fbff] usable BIOS-e820: [mem 0x000000000009fc00-0x000000000009ffff] reserved BIOS-e820: [mem 0x00000000000f0000-0x00000000000fffff] reserved BIOS-e820: [mem 0x0000000000100000-0x00000000bfff2fff] usable BIOS-e820: [mem 0x00000000bfff3000-0x00000000bfffffff] reserved BIOS-e820: [mem 0x00000000fffbc000-0x00000000ffffffff] reserved BIOS-e820: [mem 0x0000000100000000-0x000000021fffffff] usable bootconsole [earlyser0] enabled NX (Execute Disable) protection: active SMBIOS 2.4 present. Hypervisor detected: KVM Kernel/User page tables isolation: disabled e820: last_pfn = 0x220000 max_arch_pfn = 0x400000000 x86/PAT: Configuration [0-7]: WB WC UC- UC WB WC UC- WT e820: last_pfn = 0xbfff3 max_arch_pfn = 0x400000000 found SMP MP-table at [mem 0x000f2310-0x000f231f] mapped at [ffff8800000f2310] Scanning 1 areas for low memory corruption Using GB pages for direct mapping ACPI: Early table checksum verification disabled ACPI: RSDP 0x00000000000F22D0 000014 (v00 Google) ACPI: RSDT 0x00000000BFFF3430 000038 (v01 Google GOOGRSDT 00000001 GOOG 00000001) ACPI: FACP 0x00000000BFFFCF60 0000F4 (v02 Google GOOGFACP 00000001 GOOG 00000001) ACPI: DSDT 0x00000000BFFF3470 0017B2 (v01 Google GOOGDSDT 00000001 GOOG 00000001) ACPI: FACS 0x00000000BFFFCF00 000040 ACPI: FACS 0x00000000BFFFCF00 000040 ACPI: SSDT 0x00000000BFFF65F0 00690D (v01 Google GOOGSSDT 00000001 GOOG 00000001) ACPI: APIC 0x00000000BFFF5D10 000076 (v01 Google GOOGAPIC 00000001 GOOG 00000001) ACPI: WAET 0x00000000BFFF5CE0 000028 (v01 Google GOOGWAET 00000001 GOOG 00000001) ACPI: SRAT 0x00000000BFFF4C30 0000C8 (v01 Google GOOGSRAT 00000001 GOOG 00000001) kvm-clock: Using msrs 4b564d01 and 4b564d00 kvm-clock: cpu 0, msr 2:1fffd001, primary cpu clock kvm-clock: using sched offset of 2089772335 cycles clocksource: kvm-clock: mask: 0xffffffffffffffff max_cycles: 0x1cd42e4dffb, max_idle_ns: 881590591483 ns Zone ranges: DMA [mem 0x0000000000001000-0x0000000000ffffff] DMA32 [mem 0x0000000001000000-0x00000000ffffffff] Normal [mem 0x0000000100000000-0x000000021fffffff] Movable zone start for each node Early memory node ranges node 0: [mem 0x0000000000001000-0x000000000009efff] node 0: [mem 0x0000000000100000-0x00000000bfff2fff] node 0: [mem 0x0000000100000000-0x000000021fffffff] Initmem setup node 0 [mem 0x0000000000001000-0x000000021fffffff] kasan: KernelAddressSanitizer initialized ACPI: PM-Timer IO Port: 0xb008 ACPI: LAPIC_NMI (acpi_id[0xff] dfl dfl lint[0x1]) IOAPIC[0]: apic_id 0, version 17, address 0xfec00000, GSI 0-23 ACPI: INT_SRC_OVR (bus 0 bus_irq 5 global_irq 5 high level) ACPI: INT_SRC_OVR (bus 0 bus_irq 9 global_irq 9 high level) ACPI: INT_SRC_OVR (bus 0 bus_irq 10 global_irq 10 high level) ACPI: INT_SRC_OVR (bus 0 bus_irq 11 global_irq 11 high level) Using ACPI (MADT) for SMP configuration information smpboot: Allowing 2 CPUs, 0 hotplug CPUs PM: Registered nosave memory: [mem 0x00000000-0x00000fff] PM: Registered nosave memory: [mem 0x0009f000-0x0009ffff] PM: Registered nosave memory: [mem 0x000a0000-0x000effff] PM: Registered nosave memory: [mem 0x000f0000-0x000fffff] PM: Registered nosave memory: [mem 0xbfff3000-0xbfffffff] PM: Registered nosave memory: [mem 0xc0000000-0xfffbbfff] PM: Registered nosave memory: [mem 0xfffbc000-0xffffffff] e820: [mem 0xc0000000-0xfffbbfff] available for PCI devices Booting paravirtualized kernel on KVM clocksource: refined-jiffies: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 19112604462750000 ns setup_percpu: NR_CPUS:64 nr_cpumask_bits:64 nr_cpu_ids:2 nr_node_ids:1 PERCPU: Embedded 42 pages/cpu @ffff8801db200000 s134024 r8192 d29816 u1048576 Built 1 zonelists in Zone order, mobility grouping on. Total pages: 1935227 Kernel command line: BOOT_IMAGE=/vmlinuz root=/dev/sda1 console=ttyS0 earlyprintk=serial vsyscall=native rodata=n ftrace_dump_on_oops=orig_cpu oops=panic panic_on_warn=1 nmi_watchdog=panic panic=86400 workqueue.watchdog_thresh=140 nopti PID hash table entries: 4096 (order: 3, 32768 bytes) Dentry cache hash table entries: 1048576 (order: 11, 8388608 bytes) Inode-cache hash table entries: 524288 (order: 10, 4194304 bytes) Memory: 6579092K/7863876K available (41762K kernel code, 6303K rwdata, 9052K rodata, 1864K init, 23696K bss, 1284784K reserved, 0K cma-reserved) SLUB: HWalign=64, Order=0-3, MinObjects=0, CPUs=2, Nodes=1 Running RCU self tests Preemptible hierarchical RCU implementation. RCU lockdep checking is enabled. Build-time adjustment of leaf fanout to 64. RCU restricting CPUs from NR_CPUS=64 to nr_cpu_ids=2. RCU: Adjusting geometry for rcu_fanout_leaf=64, nr_cpu_ids=2 NR_IRQS:4352 nr_irqs:440 16 console [ttyS0] enabled console [ttyS0] enabled bootconsole [earlyser0] disabled bootconsole [earlyser0] disabled Lock dependency validator: Copyright (c) 2006 Red Hat, Inc., Ingo Molnar ... MAX_LOCKDEP_SUBCLASSES: 8 ... MAX_LOCK_DEPTH: 48 ... MAX_LOCKDEP_KEYS: 8191 ... CLASSHASH_SIZE: 4096 ... MAX_LOCKDEP_ENTRIES: 32768 ... MAX_LOCKDEP_CHAINS: 65536 ... CHAINHASH_SIZE: 32768 memory used by lock dependency info: 8159 kB per task-struct memory footprint: 1920 bytes tsc: Detected 2300.000 MHz processor Calibrating delay loop (skipped) preset value.. 4600.00 BogoMIPS (lpj=23000000) pid_max: default: 32768 minimum: 301 ACPI: Core revision 20150930 ACPI: 2 ACPI AML tables successfully acquired and loaded Security Framework initialized SELinux: Initializing. AppArmor: AppArmor disabled by boot time parameter Mount-cache hash table entries: 16384 (order: 5, 131072 bytes) Mountpoint-cache hash table entries: 16384 (order: 5, 131072 bytes) Initializing cgroup subsys io Initializing cgroup subsys freezer Initializing cgroup subsys hugetlb Initializing cgroup subsys debug CPU: Physical Processor ID: 0 mce: CPU supports 32 MCE banks Last level iTLB entries: 4KB 1024, 2MB 1024, 4MB 1024 Last level dTLB entries: 4KB 1024, 2MB 1024, 4MB 1024, 1GB 4 Spectre V2 : Mitigation: Full generic retpoline Freeing SMP alternatives memory: 48K ..TIMER: vector=0x30 apic1=0 pin1=0 apic2=-1 pin2=-1 smpboot: CPU0: Intel(R) Xeon(R) CPU @ 2.30GHz (family: 0x6, model: 0x3f, stepping: 0x0) Performance Events: unsupported p6 CPU model 63 no PMU driver, software events only. x86: Booting SMP configuration: .... node #0, CPUs: #1 kvm-clock: cpu 1, msr 2:1fffd041, secondary cpu clock x86: Booted up 1 node, 2 CPUs smpboot: Total of 2 processors activated (9200.00 BogoMIPS) devtmpfs: initialized clocksource: jiffies: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 19112604462750000 ns futex hash table entries: 512 (order: 4, 65536 bytes) xor: automatically using best checksumming function: kworker/u4:0 (21) used greatest stack depth: 27920 bytes left avx : 23490.400 MB/sec RTC time: 4:16:03, date: 07/18/18 NET: Registered protocol family 16 schedtune: init normalization constants... schedtune: no energy model data schedtune: disabled! cpuidle: using governor ladder cpuidle: using governor menu ACPI: bus type PCI registered acpiphp: ACPI Hot Plug PCI Controller Driver version: 0.5 PCI: Using configuration type 1 for base access kworker/u4:0 (48) used greatest stack depth: 27424 bytes left raid6: sse2x1 gen() 4528 MB/s raid6: sse2x1 xor() 2520 MB/s raid6: sse2x2 gen() 7040 MB/s raid6: sse2x2 xor() 4032 MB/s raid6: sse2x4 gen() 8730 MB/s raid6: sse2x4 xor() 5274 MB/s raid6: avx2x1 gen() 9384 MB/s raid6: avx2x2 gen() 14664 MB/s raid6: avx2x4 gen() 19315 MB/s raid6: using algorithm avx2x4 gen() 19315 MB/s raid6: using avx2x2 recovery algorithm ACPI: Added _OSI(Module Device) ACPI: Added _OSI(Processor Device) ACPI: Added _OSI(3.0 _SCP Extensions) ACPI: Added _OSI(Processor Aggregator Device) ACPI: Executed 2 blocks of module-level executable AML code ACPI: Interpreter enabled ACPI: (supports S0 S3 S4 S5) ACPI: Using IOAPIC for interrupt routing PCI: Using host bridge windows from ACPI; if necessary, use "pci=nocrs" and report a bug