device gre0 entered promiscuous mode
==================================================================
BUG: KASAN: use-after-free in __read_once_size include/linux/compiler.h:243 [inline] at addr ffff8801ab280ce8
BUG: KASAN: use-after-free in atomic_read arch/x86/include/asm/atomic.h:26 [inline] at addr ffff8801ab280ce8
BUG: KASAN: use-after-free in static_key_count include/linux/jump_label.h:174 [inline] at addr ffff8801ab280ce8
BUG: KASAN: use-after-free in static_key_false include/linux/jump_label.h:184 [inline] at addr ffff8801ab280ce8
BUG: KASAN: use-after-free in perf_sw_event include/linux/perf_event.h:1039 [inline] at addr ffff8801ab280ce8
BUG: KASAN: use-after-free in __do_page_fault+0xc80/0xd70 arch/x86/mm/fault.c:1438 at addr ffff8801ab280ce8
Read of size 8 by task syz-executor0/3666
CPU: 0 PID: 3666 Comm: syz-executor0 Not tainted 4.9.61-g904c79c #86
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801cc80fd88 ffffffff81d91589 ffff8801da155140 ffff8801ab280c98
 ffff8801ab280d50 ffffed003565019d ffff8801ab280ce8 ffff8801cc80fdb0
 ffffffff8153c1bc ffffed003565019d ffff8801da155140 0000000000000000
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [] kasan_object_err+0x1c/0x70 mm/kasan/report.c:160
 [] print_address_description mm/kasan/report.c:198 [inline]
 [] kasan_report_error mm/kasan/report.c:287 [inline]
 [] kasan_report.part.1+0x21c/0x500 mm/kasan/report.c:309
 [] kasan_report mm/kasan/report.c:330 [inline]
 [] __asan_report_load8_noabort+0x29/0x30 mm/kasan/report.c:330
 [] __read_once_size include/linux/compiler.h:243 [inline]
 [] atomic_read arch/x86/include/asm/atomic.h:26 [inline]
 [] static_key_count include/linux/jump_label.h:174 [inline]
 [] static_key_false include/linux/jump_label.h:184 [inline]
 [] perf_sw_event include/linux/perf_event.h:1039 [inline]
 [] __do_page_fault+0xc80/0xd70 arch/x86/mm/fault.c:1438
 [] do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1460
 [] page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1012
Object at ffff8801ab280c98, in cache vm_area_struct size: 184
Allocated:
PID = 3666
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:495
 set_track mm/kasan/kasan.c:507 [inline]
 kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598
 kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:537
 slab_post_alloc_hook mm/slab.h:417 [inline]
 slab_alloc_node mm/slub.c:2715 [inline]
 slab_alloc mm/slub.c:2723 [inline]
 kmem_cache_alloc+0xba/0x290 mm/slub.c:2728
 kmem_cache_zalloc include/linux/slab.h:626 [inline]
 mmap_region+0x587/0xfd0 mm/mmap.c:1662
 do_mmap+0x57b/0xbe0 mm/mmap.c:1473
 do_mmap_pgoff include/linux/mm.h:2014 [inline]
 vm_mmap_pgoff+0x16b/0x1b0 mm/util.c:305
 SYSC_mmap_pgoff mm/mmap.c:1523 [inline]
 SyS_mmap_pgoff+0xd0/0x560 mm/mmap.c:1481
 SYSC_mmap arch/x86/kernel/sys_x86_64.c:95 [inline]
 SyS_mmap+0x16/0x20 arch/x86/kernel/sys_x86_64.c:86
 entry_SYSCALL_64_fastpath+0x23/0xc6
Freed:
PID = 3675
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:495
 set_track mm/kasan/kasan.c:507 [inline]
 kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:571
 slab_free_hook mm/slub.c:1355 [inline]
 slab_free_freelist_hook mm/slub.c:1377 [inline]
 slab_free mm/slub.c:2958 [inline]
 kmem_cache_free+0xb2/0x2e0 mm/slub.c:2980
 remove_vma+0x11d/0x160 mm/mmap.c:175
 remove_vma_list mm/mmap.c:2482 [inline]
 do_munmap+0x7ff/0xeb0 mm/mmap.c:2705
 mmap_region+0x14d/0xfd0 mm/mmap.c:1635
 do_mmap+0x57b/0xbe0 mm/mmap.c:1473
 do_mmap_pgoff include/linux/mm.h:2014 [inline]
 vm_mmap_pgoff+0x16b/0x1b0 mm/util.c:305
 SYSC_mmap_pgoff mm/mmap.c:1523 [inline]
 SyS_mmap_pgoff+0xd0/0x560 mm/mmap.c:1481
 SYSC_mmap arch/x86/kernel/sys_x86_64.c:95 [inline]
 SyS_mmap+0x16/0x20 arch/x86/kernel/sys_x86_64.c:86
 entry_SYSCALL_64_fastpath+0x23/0xc6
Memory state around the buggy address:
 ffff8801ab280b80: fc fc fc fc fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8801ab280c00: fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc fc
>ffff8801ab280c80: fc fc fc fb fb fb fb fb fb fb fb fb fb fb fb fb
                                                          ^
 ffff8801ab280d00: fb fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc
 ffff8801ab280d80: fc fc fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=3693 comm=syz-executor3
netlink: 6 bytes leftover after parsing attributes in process `syz-executor0'.
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=3693 comm=syz-executor3
syz-executor6 uses obsolete (PF_INET,SOCK_PACKET)
device lo entered promiscuous mode
device lo left promiscuous mode
netlink: 2 bytes leftover after parsing attributes in process `syz-executor6'.
IPv6: RTM_NEWROUTE with no NLM_F_CREATE or NLM_F_REPLACE
IPv6: NLM_F_CREATE should be set when creating new route
IPv6: NLM_F_CREATE should be set when creating new route
device lo entered promiscuous mode
device lo left promiscuous mode
netlink: 2 bytes leftover after parsing attributes in process `syz-executor6'.
IPv6: RTM_NEWROUTE with no NLM_F_CREATE or NLM_F_REPLACE
IPv6: NLM_F_CREATE should be set when creating new route
IPv6: NLM_F_CREATE should be set when creating new route
capability: warning: `syz-executor5' uses 32-bit capabilities (legacy support in use)
SELinux: unrecognized netlink message: protocol=9 nlmsg_type=9 sclass=netlink_audit_socket pig=3901 comm=syz-executor5
SELinux: unrecognized netlink message: protocol=9 nlmsg_type=0 sclass=netlink_audit_socket pig=3901 comm=syz-executor5
SELinux: unrecognized netlink message: protocol=9 nlmsg_type=0 sclass=netlink_audit_socket pig=3901 comm=syz-executor5
SELinux: unrecognized netlink message: protocol=9 nlmsg_type=0 sclass=netlink_audit_socket pig=3901 comm=syz-executor5
SELinux: unrecognized netlink message: protocol=9 nlmsg_type=9 sclass=netlink_audit_socket pig=3925 comm=syz-executor5
SELinux: unrecognized netlink message: protocol=9 nlmsg_type=0 sclass=netlink_audit_socket pig=3925 comm=syz-executor5
SELinux: unrecognized netlink message: protocol=9 nlmsg_type=0 sclass=netlink_audit_socket pig=3925 comm=syz-executor5
SELinux: unrecognized netlink message: protocol=9 nlmsg_type=0 sclass=netlink_audit_socket pig=3925 comm=syz-executor5
binder: 4056:4060 ioctl 5609 208daffa returned -22
9pnet_virtio: no channels available for device
tty_warn_deprecated_flags: 'syz-executor0' is using deprecated serial flags (with no effect): 00008000
tc_dump_action: action bad kind
binder: 4056:4081 ioctl 408c5333 205c5000 returned -22
device gre0 entered promiscuous mode
tc_dump_action: action bad kind
binder: 4056:4081 ioctl 5609 208daffa returned -22
tty_warn_deprecated_flags: 'syz-executor0' is using deprecated serial flags (with no effect): 00008000
binder: 4056:4109 ioctl 408c5333 205c5000 returned -22
binder: 4118:4119 ioctl 5609 208daffa returned -22
netlink: 5 bytes leftover after parsing attributes in process `syz-executor0'.
binder: 4118:4132 ioctl 408c5333 205c5000 returned -22
binder: 4118:4132 ioctl 5609 208daffa returned -22
netlink: 5 bytes leftover after parsing attributes in process `syz-executor0'.
binder: 4118:4151 ioctl 408c5333 205c5000 returned -22
device gre0 entered promiscuous mode
binder: 4201:4204 ioctl 8904 2021a000 returned -22
binder: 4201:4204 ioctl 4c82 0 returned -22
binder: 4201:4204 ioctl 4c81 ffffffffffffffff returned -22
binder: 4201:4204 ioctl c0a85322 20c6a000 returned -22
binder: 4201:4204 ioctl 4c82 0 returned -22
binder: 4201:4204 ioctl 541c 20496000 returned -22
binder: 4201:4207 ioctl 4c81 ffffffffffffffff returned -22
binder: 4201:4207 ioctl 4c82 0 returned -22
binder: 4201:4204 ioctl 541c 20496000 returned -22
binder: 4255:4256 ioctl c0286405 20795000 returned -22
binder: 4255:4256 ioctl c0286405 20795000 returned -22
netlink: 5 bytes leftover after parsing attributes in process `syz-executor0'.
device gre0 entered promiscuous mode
netlink: 3 bytes leftover after parsing attributes in process `syz-executor0'.
binder: 4281:4283 ioctl c0286405 20795000 returned -22
device lo entered promiscuous mode
netlink: 5 bytes leftover after parsing attributes in process `syz-executor0'.
binder: 4281:4294 ioctl c0286405 20795000 returned -22
device lo left promiscuous mode
device gre0 entered promiscuous mode
netlink: 3 bytes leftover after parsing attributes in process `syz-executor0'.
device lo entered promiscuous mode
device lo left promiscuous mode
IPVS: Creating netns size=2536 id=9
IPVS: Creating netns size=2536 id=10
device lo entered promiscuous mode
device lo left promiscuous mode
netlink: 1 bytes leftover after parsing attributes in process `syz-executor7'.
Option 'Þ¾š„'' to dns_resolver key: bad/missing value
device lo entered promiscuous mode
device lo left promiscuous mode
device gre0 entered promiscuous mode
binder: 4461:4466 ioctl 40082404 20000ff8 returned -22
binder: 4461:4466 ioctl 4b48 20000000 returned -22
Option 'Þ¾š„'' to dns_resolver key: bad/missing value
binder: 4461:4475 ioctl 40082404 20000ff8 returned -22
binder: 4461:4466 ioctl 4b48 20000000 returned -22
pktgen: kernel_thread() failed for cpu 0
pktgen: Cannot create thread for cpu 0 (-4)
pktgen: kernel_thread() failed for cpu 1
pktgen: Cannot create thread for cpu 1 (-4)
pktgen: Initialization failed for all threads
pktgen: kernel_thread() failed for cpu 0
pktgen: Cannot create thread for cpu 0 (-4)
pktgen: kernel_thread() failed for cpu 1
pktgen: Cannot create thread for cpu 1 (-4)
pktgen: Initialization failed for all threads
device lo entered promiscuous mode
device lo left promiscuous mode
device gre0 entered promiscuous mode
device lo entered promiscuous mode
device lo left promiscuous mode
device gre0 entered promiscuous mode
random: crng init done
device gre0 entered promiscuous mode
IPVS: Creating netns size=2536 id=11
IPVS: Creating netns size=2536 id=12
Tx-ring is not supported.
nla_parse: 23 callbacks suppressed
netlink: 13 bytes leftover after parsing attributes in process `syz-executor5'.
pktgen: kernel_thread() failed for cpu 0
pktgen: Cannot create thread for cpu 0 (-4)
pktgen: kernel_thread() failed for cpu 1
pktgen: Cannot create thread for cpu 1 (-4)
pktgen: Initialization failed for all threads
pktgen: kernel_thread() failed for cpu 0
pktgen: Cannot create thread for cpu 0 (-4)
pktgen: kernel_thread() failed for cpu 1
pktgen: Cannot create thread for cpu 1 (-4)
pktgen: Initialization failed for all threads
selinux_nlmsg_perm: 144 callbacks suppressed
SELinux: unrecognized netlink message: protocol=9 nlmsg_type=0 sclass=netlink_audit_socket pig=5249 comm=syz-executor7
SELinux: unrecognized netlink message: protocol=9 nlmsg_type=11771 sclass=netlink_audit_socket pig=5263 comm=syz-executor7
device gre0 entered promiscuous mode
pktgen: kernel_thread() failed for cpu 0
pktgen: Cannot create thread for cpu 0 (-4)
pktgen: kernel_thread() failed for cpu 1
pktgen: Cannot create thread for cpu 1 (-4)
pktgen: Initialization failed for all threads
pktgen: kernel_thread() failed for cpu 0
pktgen: Cannot create thread for cpu 0 (-4)
pktgen: kernel_thread() failed for cpu 1
pktgen: Cannot create thread for cpu 1 (-4)
pktgen: Initialization failed for all threads
netlink: 11 bytes leftover after parsing attributes in process `syz-executor0'.
netlink: 11 bytes leftover after parsing attributes in process `syz-executor0'.
binder: 5404:5409 ioctl c08c5335 209dcf74 returned -22
binder: 5404:5409 ioctl 80084502 2099ffaa returned -22
binder: 5404:5418 ioctl c08c5335 209dcf74 returned -22
binder: 5404:5409 ioctl 80084502 2099ffaa returned -22
netlink: 5 bytes leftover after parsing attributes in process `syz-executor1'.
netlink: 5 bytes leftover after parsing attributes in process `syz-executor7'.
device gre0 entered promiscuous mode
netlink: 5 bytes leftover after parsing attributes in process `syz-executor1'.
netlink: 11 bytes leftover after parsing attributes in process `syz-executor6'.
netlink: 11 bytes leftover after parsing attributes in process `syz-executor6'.
netlink: 5 bytes leftover after parsing attributes in process `syz-executor7'.
netlink: 9 bytes leftover after parsing attributes in process `syz-executor0'.
binder: 5552:5553 ioctl 8927 204dcfd8 returned -22
A link change request failed with some changes committed already. Interface lo may have been left with an inconsistent configuration, please check.
binder: 5552:5553 ioctl 4028641b 209affd8 returned -22
A link change request failed with some changes committed already. Interface lo may have been left with an inconsistent configuration, please check.
binder: 5552:5556 ioctl 8927 204dcfd8 returned -22
binder: 5552:5556 ioctl 4028641b 209affd8 returned -22
9pnet_virtio: no channels available for device
device gre0 entered promiscuous mode
FAULT_FLAG_ALLOW_RETRY missing 30
CPU: 1 PID: 5584 Comm: syz-executor2 Tainted: G B 4.9.61-g904c79c #86
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801cecc79a0 ffffffff81d91589 ffff8801cecc7c80 0000000000000000
 ffff8801c4df2290 ffff8801cecc7b70 ffff8801c4df2180 ffff8801cecc7b98
 ffffffff8165fe47 ffff8801a7a78000 ffff8801cecc7af0 00000001c8fbf067
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [] handle_userfault+0xa37/0x1300 fs/userfaultfd.c:323
 [] do_anonymous_page mm/memory.c:2747 [inline]
 [] handle_pte_fault mm/memory.c:3488 [inline]
 [] __handle_mm_fault mm/memory.c:3577 [inline]
 [] handle_mm_fault+0x1fd1/0x2530 mm/memory.c:3614
 [] __do_page_fault+0x5b7/0xd70 arch/x86/mm/fault.c:1396
 [] do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1460
 [] page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1012
 [] SYSC_sigaltstack kernel/signal.c:3170 [inline]
 [] SyS_sigaltstack+0x6c/0x90 kernel/signal.c:3168
 [] entry_SYSCALL_64_fastpath+0x23/0xc6
9pnet_virtio: no channels available for device H¨
capability: warning: `syz-executor1' uses deprecated v2 capabilities in a way that may be insecure
binder: 5789:5791 ioctl 541c 20dd8ff4 returned -22
binder: 5789:5791 ioctl 54a3 0 returned -22
binder_alloc: binder_alloc_mmap_handler: 5789 20000000-20400000 already mapped failed -16
binder: 5789:5791 ioctl 541c 20dd8ff4 returned -22
binder: 5789:5800 ioctl 54a3 0 returned -22
IPVS: Creating netns size=2536 id=13
device lo entered promiscuous mode
sd 0:0:1:0: [sg0] tag#981 FAILED Result: hostbyte=DID_ABORT driverbyte=DRIVER_OK
sd 0:0:1:0: [sg0] tag#981 CDB: opcode=0xff (vendor)
sd 0:0:1:0: [sg0] tag#981 CDB[00]: ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00
sd 0:0:1:0: [sg0] tag#981 CDB[10]: 00 00 00 00 10 27 00 00 00 00 00 00 00 00 00 00
sd 0:0:1:0: [sg0] tag#981 CDB[20]: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
sd 0:0:1:0: [sg0] tag#981 CDB[30]: 00 00 00 00 00 00 00 00 00 00 00 00
sd 0:0:1:0: [sg0] tag#981 FAILED Result: hostbyte=DID_ABORT driverbyte=DRIVER_OK
sd 0:0:1:0: [sg0] tag#981 CDB: opcode=0xff (vendor)
sd 0:0:1:0: [sg0] tag#981 CDB[00]: ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00
sd 0:0:1:0: [sg0] tag#981 CDB[10]: 00 00 00 00 10 27 00 00 00 00 00 00 00 00 00 00
sd 0:0:1:0: [sg0] tag#981 CDB[20]: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
sd 0:0:1:0: [sg0] tag#981 CDB[30]: 00 00 00 00 00 00 00 00 00 00 00 00
pktgen: kernel_thread() failed for cpu 0
pktgen: Cannot create thread for cpu 0 (-4)
pktgen: kernel_thread() failed for cpu 1
pktgen: Cannot create thread for cpu 1 (-4)
pktgen: Initialization failed for all threads
device gre0 entered promiscuous mode
device gre0 left promiscuous mode
device gre0 entered promiscuous mode
device gre0 left promiscuous mode
binder_alloc: binder_alloc_mmap_handler: 6057 20000000-20400000 already mapped failed -16
device gre0 entered promiscuous mode
sg_write: data in/out 65500/34 bytes for SCSI command 0xfe-- guessing data in; program syz-executor0 not setting count and/or reply_len properly
binder: 6211:6213 ioctl 5425 3f returned -22
binder: 6211:6213 ioctl 5402 20b98fec returned -22