==================================================================
BUG: KASAN: use-after-free in __read_once_size include/linux/compiler.h:243 [inline] at addr ffff8801da11b430
BUG: KASAN: use-after-free in atomic_read arch/x86/include/asm/atomic.h:26 [inline] at addr ffff8801da11b430
BUG: KASAN: use-after-free in static_key_count include/linux/jump_label.h:174 [inline] at addr ffff8801da11b430
BUG: KASAN: use-after-free in static_key_false include/linux/jump_label.h:184 [inline] at addr ffff8801da11b430
BUG: KASAN: use-after-free in perf_sw_event include/linux/perf_event.h:1039 [inline] at addr ffff8801da11b430
BUG: KASAN: use-after-free in __do_page_fault+0xc80/0xd70 arch/x86/mm/fault.c:1438 at addr ffff8801da11b430
Read of size 8 by task syz-executor7/15829
CPU: 0 PID: 15829 Comm: syz-executor7 Not tainted 4.9.61-ga93e312 #85
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801c8147d88 ffffffff81d91589 ffff8801da155140 ffff8801da11b3e0
 ffff8801da11b498 ffffed003b423686 ffff8801da11b430 ffff8801c8147db0
 ffffffff8153c1bc ffffed003b423686 ffff8801da155140 0000000000000000
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [] kasan_object_err+0x1c/0x70 mm/kasan/report.c:160
 [] print_address_description mm/kasan/report.c:198 [inline]
 [] kasan_report_error mm/kasan/report.c:287 [inline]
 [] kasan_report.part.1+0x21c/0x500 mm/kasan/report.c:309
 [] kasan_report mm/kasan/report.c:330 [inline]
 [] __asan_report_load8_noabort+0x29/0x30 mm/kasan/report.c:330
 [] __read_once_size include/linux/compiler.h:243 [inline]
 [] atomic_read arch/x86/include/asm/atomic.h:26 [inline]
 [] static_key_count include/linux/jump_label.h:174 [inline]
 [] static_key_false include/linux/jump_label.h:184 [inline]
 [] perf_sw_event include/linux/perf_event.h:1039 [inline]
 [] __do_page_fault+0xc80/0xd70 arch/x86/mm/fault.c:1438
 [] do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1460
 [] page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1012
Object at ffff8801da11b3e0, in cache vm_area_struct size: 184
Allocated:
PID = 15829
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:495
 set_track mm/kasan/kasan.c:507 [inline]
 kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598
 kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:537
 slab_post_alloc_hook mm/slab.h:417 [inline]
 slab_alloc_node mm/slub.c:2715 [inline]
 slab_alloc mm/slub.c:2723 [inline]
 kmem_cache_alloc+0xba/0x290 mm/slub.c:2728
 kmem_cache_zalloc include/linux/slab.h:626 [inline]
 mmap_region+0x587/0xfd0 mm/mmap.c:1662
 do_mmap+0x57b/0xbe0 mm/mmap.c:1473
 do_mmap_pgoff include/linux/mm.h:2014 [inline]
 vm_mmap_pgoff+0x16b/0x1b0 mm/util.c:305
 SYSC_mmap_pgoff mm/mmap.c:1523 [inline]
 SyS_mmap_pgoff+0xd0/0x560 mm/mmap.c:1481
 SYSC_mmap arch/x86/kernel/sys_x86_64.c:95 [inline]
 SyS_mmap+0x16/0x20 arch/x86/kernel/sys_x86_64.c:86
 entry_SYSCALL_64_fastpath+0x23/0xc6
Freed:
PID = 15856
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:495
 set_track mm/kasan/kasan.c:507 [inline]
 kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:571
 slab_free_hook mm/slub.c:1355 [inline]
 slab_free_freelist_hook mm/slub.c:1377 [inline]
 slab_free mm/slub.c:2958 [inline]
 kmem_cache_free+0xb2/0x2e0 mm/slub.c:2980
 remove_vma+0x11d/0x160 mm/mmap.c:175
 remove_vma_list mm/mmap.c:2482 [inline]
 do_munmap+0x7ff/0xeb0 mm/mmap.c:2705
 mmap_region+0x14d/0xfd0 mm/mmap.c:1635
 do_mmap+0x57b/0xbe0 mm/mmap.c:1473
 do_mmap_pgoff include/linux/mm.h:2014 [inline]
 vm_mmap_pgoff+0x16b/0x1b0 mm/util.c:305
 SYSC_mmap_pgoff mm/mmap.c:1523 [inline]
 SyS_mmap_pgoff+0xd0/0x560 mm/mmap.c:1481
 SYSC_mmap arch/x86/kernel/sys_x86_64.c:95 [inline]
 SyS_mmap+0x16/0x20 arch/x86/kernel/sys_x86_64.c:86
 entry_SYSCALL_64_fastpath+0x23/0xc6
Memory state around the buggy address:
 ffff8801da11b300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8801da11b380: fb fb fb fb fc fc fc fc fc fc fc fc fb fb fb fb
>ffff8801da11b400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                     ^
 ffff8801da11b480: fb fb fb fc fc fc fc fc fc fc fc fb fb fb fb fb
 ffff8801da11b500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
==================================================================
BUG: KASAN: use-after-free in __read_once_size include/linux/compiler.h:243 [inline] at addr ffff8801acd7a620
BUG: KASAN: use-after-free in atomic_read arch/x86/include/asm/atomic.h:26 [inline] at addr ffff8801acd7a620
BUG: KASAN: use-after-free in static_key_count include/linux/jump_label.h:174 [inline] at addr ffff8801acd7a620
BUG: KASAN: use-after-free in static_key_false include/linux/jump_label.h:184 [inline] at addr ffff8801acd7a620
BUG: KASAN: use-after-free in perf_sw_event include/linux/perf_event.h:1039 [inline] at addr ffff8801acd7a620
BUG: KASAN: use-after-free in __do_page_fault+0xc80/0xd70 arch/x86/mm/fault.c:1438 at addr ffff8801acd7a620
Read of size 8 by task syz-executor7/15927
CPU: 1 PID: 15927 Comm: syz-executor7 Tainted: G    B   4.9.61-ga93e312 #85
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801c6ac7d88 ffffffff81d91589 ffff8801da155140 ffff8801acd7a5d0
 ffff8801acd7a688 ffffed00359af4c4 ffff8801acd7a620 ffff8801c6ac7db0
 ffffffff8153c1bc ffffed00359af4c4 ffff8801da155140 0000000000000000
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [] kasan_object_err+0x1c/0x70 mm/kasan/report.c:160
 [] print_address_description mm/kasan/report.c:198 [inline]
 [] kasan_report_error mm/kasan/report.c:287 [inline]
 [] kasan_report.part.1+0x21c/0x500 mm/kasan/report.c:309
 [] kasan_report mm/kasan/report.c:330 [inline]
 [] __asan_report_load8_noabort+0x29/0x30 mm/kasan/report.c:330
 [] __read_once_size include/linux/compiler.h:243 [inline]
 [] atomic_read arch/x86/include/asm/atomic.h:26 [inline]
 [] static_key_count include/linux/jump_label.h:174 [inline]
 [] static_key_false include/linux/jump_label.h:184 [inline]
 [] perf_sw_event include/linux/perf_event.h:1039 [inline]
 [] __do_page_fault+0xc80/0xd70 arch/x86/mm/fault.c:1438
 [] do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1460
 [] page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1012
Object at ffff8801acd7a5d0, in cache vm_area_struct size: 184
Allocated:
PID = 15927
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:495
 set_track mm/kasan/kasan.c:507 [inline]
 kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598
 kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:537
 slab_post_alloc_hook mm/slab.h:417 [inline]
 slab_alloc_node mm/slub.c:2715 [inline]
 slab_alloc mm/slub.c:2723 [inline]
 kmem_cache_alloc+0xba/0x290 mm/slub.c:2728
 kmem_cache_zalloc include/linux/slab.h:626 [inline]
 mmap_region+0x587/0xfd0 mm/mmap.c:1662
 do_mmap+0x57b/0xbe0 mm/mmap.c:1473
 do_mmap_pgoff include/linux/mm.h:2014 [inline]
 vm_mmap_pgoff+0x16b/0x1b0 mm/util.c:305
 SYSC_mmap_pgoff mm/mmap.c:1523 [inline]
 SyS_mmap_pgoff+0xd0/0x560 mm/mmap.c:1481
 SYSC_mmap arch/x86/kernel/sys_x86_64.c:95 [inline]
 SyS_mmap+0x16/0x20 arch/x86/kernel/sys_x86_64.c:86
 entry_SYSCALL_64_fastpath+0x23/0xc6
Freed:
PID = 15942
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:495
 set_track mm/kasan/kasan.c:507 [inline]
 kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:571
 slab_free_hook mm/slub.c:1355 [inline]
 slab_free_freelist_hook mm/slub.c:1377 [inline]
 slab_free mm/slub.c:2958 [inline]
 kmem_cache_free+0xb2/0x2e0 mm/slub.c:2980
 remove_vma+0x11d/0x160 mm/mmap.c:175
 remove_vma_list mm/mmap.c:2482 [inline]
 do_munmap+0x7ff/0xeb0 mm/mmap.c:2705
 mmap_region+0x14d/0xfd0 mm/mmap.c:1635
 do_mmap+0x57b/0xbe0 mm/mmap.c:1473
 do_mmap_pgoff include/linux/mm.h:2014 [inline]
 vm_mmap_pgoff+0x16b/0x1b0 mm/util.c:305
 SYSC_mmap_pgoff mm/mmap.c:1523 [inline]
 SyS_mmap_pgoff+0xd0/0x560 mm/mmap.c:1481
 SYSC_mmap arch/x86/kernel/sys_x86_64.c:95 [inline]
 SyS_mmap+0x16/0x20 arch/x86/kernel/sys_x86_64.c:86
 entry_SYSCALL_64_fastpath+0x23/0xc6
Memory state around the buggy address:
 ffff8801acd7a500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8801acd7a580: fb fb fc fc fc fc fc fc fc fc fb fb fb fb fb fb
>ffff8801acd7a600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                               ^
 ffff8801acd7a680: fb fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb
 ffff8801acd7a700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
cgroup: cgroup2: unknown option ""
cgroup: cgroup2: unknown option ""
nla_parse: 20 callbacks suppressed
netlink: 6 bytes leftover after parsing attributes in process `syz-executor3'.
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=16280 comm=syz-executor3
netlink: 8 bytes leftover after parsing attributes in process `syz-executor2'.
netlink: 8 bytes leftover after parsing attributes in process `syz-executor2'.
qtaguid: iface_stat: create6(lo): no inet dev
netlink: 2 bytes leftover after parsing attributes in process `syz-executor3'.
binder: 16410:16412 ioctl 5609 208daffa returned -22
netlink: 2 bytes leftover after parsing attributes in process `syz-executor3'.
binder: 16410:16454 ioctl 5609 208daffa returned -22
device gre0 entered promiscuous mode
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=16483 comm=syz-executor7
netlink: 3 bytes leftover after parsing attributes in process `syz-executor4'.
netlink: 5 bytes leftover after parsing attributes in process `syz-executor4'.
netlink: 3 bytes leftover after parsing attributes in process `syz-executor4'.
netlink: 3 bytes leftover after parsing attributes in process `syz-executor4'.
netlink: 5 bytes leftover after parsing attributes in process `syz-executor4'.
sock: sock_set_timeout: `syz-executor5' (pid 16661) tries to set negative timeout
sock: sock_set_timeout: `syz-executor5' (pid 16672) tries to set negative timeout
device gre0 entered promiscuous mode
device gre0 entered promiscuous mode
device lo entered promiscuous mode
device gre0 entered promiscuous mode
device gre0 entered promiscuous mode
SELinux: unrecognized netlink message: protocol=9 nlmsg_type=9 sclass=netlink_audit_socket pig=16974 comm=syz-executor2
SELinux: unrecognized netlink message: protocol=9 nlmsg_type=0 sclass=netlink_audit_socket pig=16974 comm=syz-executor2
SELinux: unrecognized netlink message: protocol=9 nlmsg_type=0 sclass=netlink_audit_socket pig=16974 comm=syz-executor2
SELinux: unrecognized netlink message: protocol=9 nlmsg_type=0 sclass=netlink_audit_socket pig=16974 comm=syz-executor2
device gre0 entered promiscuous mode
IPVS: Creating netns size=2536 id=28
SELinux: unrecognized netlink message: protocol=9 nlmsg_type=0 sclass=netlink_audit_socket pig=16974 comm=syz-executor2
SELinux: unrecognized netlink message: protocol=9 nlmsg_type=0 sclass=netlink_audit_socket pig=16974 comm=syz-executor2
SELinux: unrecognized netlink message: protocol=9 nlmsg_type=0 sclass=netlink_audit_socket pig=16974 comm=syz-executor2
SELinux: unrecognized netlink message: protocol=9 nlmsg_type=0 sclass=netlink_audit_socket pig=16974 comm=syz-executor2
SELinux: unrecognized netlink message: protocol=9 nlmsg_type=0 sclass=netlink_audit_socket pig=16974 comm=syz-executor2
IPVS: Creating netns size=2536 id=29
SELinux: unrecognized netlink message: protocol=9 nlmsg_type=0 sclass=netlink_audit_socket pig=16974 comm=syz-executor2
device gre0 entered promiscuous mode
device gre0 left promiscuous mode
keychord: invalid keycode count 0
device gre0 entered promiscuous mode
device gre0 left promiscuous mode
device gre0 entered promiscuous mode
device gre0 entered promiscuous mode
PF_BRIDGE: RTM_SETLINK with unknown ifindex
device gre0 entered promiscuous mode
PF_BRIDGE: RTM_SETLINK with unknown ifindex
IPVS: Creating netns size=2536 id=30
IPVS: Creating netns size=2536 id=31
binder: 17456:17463 ioctl 80082407 20400ff8 returned -22
TCP: request_sock_TCP: Possible SYN flooding on port 20010. Sending cookies.  Check SNMP counters.
binder: 17456:17488 ioctl 80605414 2011e000 returned -22
binder: 17456:17463 ioctl 80082407 20400ff8 returned -22
binder: 17456:17511 ioctl 80605414 2011e000 returned -22
device gre0 entered promiscuous mode
PF_BRIDGE: RTM_NEWNEIGH with unknown ifindex
PF_BRIDGE: RTM_NEWNEIGH with unknown ifindex
PF_BRIDGE: RTM_NEWNEIGH with unknown ifindex
PF_BRIDGE: RTM_NEWNEIGH with unknown ifindex
binder: 17749:17757 ioctl c0206416 20d30fe0 returned -22
binder: 17749:17765 ioctl c0206416 20d30fe0 returned -22
pktgen: kernel_thread() failed for cpu 0
pktgen: Cannot create thread for cpu 0 (-4)
pktgen: kernel_thread() failed for cpu 1
pktgen: Cannot create thread for cpu 1 (-4)
pktgen: Initialization failed for all threads
pktgen: kernel_thread() failed for cpu 0
pktgen: Cannot create thread for cpu 0 (-4)
pktgen: kernel_thread() failed for cpu 1
pktgen: Cannot create thread for cpu 1 (-4)
pktgen: Initialization failed for all threads
device gre0 entered promiscuous mode
device gre0 left promiscuous mode
nla_parse: 10 callbacks suppressed
netlink: 11 bytes leftover after parsing attributes in process `syz-executor2'.
device gre0 entered promiscuous mode
device gre0 left promiscuous mode
netlink: 11 bytes leftover after parsing attributes in process `syz-executor2'.
device gre0 left promiscuous mode
IPv6: ADDRCONF(NETDEV_CHANGE): gre0: link becomes ready
IPVS: Creating netns size=2536 id=32
sd 0:0:1:0: [sg0] tag#50 FAILED Result: hostbyte=DID_ABORT driverbyte=DRIVER_OK
sd 0:0:1:0: [sg0] tag#50 CDB: Test Unit Ready
sd 0:0:1:0: [sg0] tag#50 CDB[00]: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
sd 0:0:1:0: [sg0] tag#50 CDB[10]: 00 00 00 00 10 27 00 00 00 00 00 00 00 00 00 00
sd 0:0:1:0: [sg0] tag#50 CDB[20]: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
sd 0:0:1:0: [sg0] tag#50 CDB[30]: 00 00 00 00 00 00 00 00 00 00 00 00
sd 0:0:1:0: [sg0] tag#663 FAILED Result: hostbyte=DID_ABORT driverbyte=DRIVER_OK
tty_warn_deprecated_flags: 'syz-executor1' is using deprecated serial flags (with no effect): 00008000
sd 0:0:1:0: [sg0] tag#663 CDB: Test Unit Ready
sd 0:0:1:0: [sg0] tag#663 CDB[00]: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
sd 0:0:1:0: [sg0] tag#663 CDB[10]: 00 00 00 00 10 27 00 00 00 00 00 00 00 00 00 00
sd 0:0:1:0: [sg0] tag#663 CDB[20]: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
sd 0:0:1:0: [sg0] tag#663 CDB[30]: 00 00 00 00 00 00 00 00 00 00 00 00
tty_warn_deprecated_flags: 'syz-executor1' is using deprecated serial flags (with no effect): 00008000
device gre0 entered promiscuous mode
device gre0 left promiscuous mode
binder: 17968:17997 ioctl 40082404 20000ff8 returned -22
binder: 17968:18021 ioctl 4b48 20000000 returned -22
device gre0 entered promiscuous mode
device gre0 left promiscuous mode
netlink: 44 bytes leftover after parsing attributes in process `syz-executor4'.
binder: 17968:18053 ioctl 40082404 20000ff8 returned -22
binder: 17968:17997 ioctl 4b48 20000000 returned -22
binder: 18058:18060 ioctl 5606 4 returned -22
netlink: 44 bytes leftover after parsing attributes in process `syz-executor4'.
binder: 18058:18060 ioctl 5606 4 returned -22
netlink: 3 bytes leftover after parsing attributes in process `syz-executor6'.
netlink: 3 bytes leftover after parsing attributes in process `syz-executor6'.
binder: 18212:18214 ioctl 80084502 2099ffaa returned -22
binder: 18212:18214 ioctl 80084502 2099ffaa returned -22
9pnet_virtio: no channels available for device HHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHH
netlink: 4 bytes leftover after parsing attributes in process `syz-executor3'.
9pnet_virtio: no channels available for device H
selinux_nlmsg_perm: 137 callbacks suppressed
SELinux: unrecognized netlink message: protocol=4 nlmsg_type=25 sclass=netlink_tcpdiag_socket pig=18317 comm=syz-executor4
SELinux: unrecognized netlink message: protocol=4 nlmsg_type=25 sclass=netlink_tcpdiag_socket pig=18317 comm=syz-executor4
netlink: 1 bytes leftover after parsing attributes in process `syz-executor4'.
loop_reread_partitions: partition scan of loop0 (-\t@r9hxGQ:[il L*@R-Tr-x) failed (rc=-13)
sg_write: data in/out 65500/34 bytes for SCSI command 0xfe-- guessing data in; program syz-executor7 not setting count and/or reply_len properly
netlink: 1 bytes leftover after parsing attributes in process `syz-executor4'.
binder: 18406:18432 ioctl c0206434 20001000 returned -22
binder: 18406:18432 ioctl c0106438 20011ff0 returned -22
FAULT_FLAG_ALLOW_RETRY missing 30
FAULT_FLAG_ALLOW_RETRY missing 30
CPU: 0 PID: 18412 Comm: syz-executor7 Tainted: G    B   4.9.61-ga93e312 #85
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801aca6f5c0 ffffffff81d91589 ffff8801aca6f8a0 0000000000000000
 ffff8801a8534410 ffff8801aca6f790 ffff8801a8534300 ffff8801aca6f7b8
 ffffffff8165fe47 1ffff1003594debc ffff8801aca6f710 00000001d134e067
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [] handle_userfault+0xa37/0x1300 fs/userfaultfd.c:323
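Added triage helper for the two KASAN reports above. It is not part of the log and is neither syzkaller's nor the kernel's code; it only does the arithmetic a practitioner does by hand on a report like this. The inputs are copied from the first report (the "at addr" address, the "Object at" address and "size: 184", and the "Memory state" rows, embedded as a string). It shows that the 8-byte read lands 0x50 bytes into the freed vm_area_struct (the second report gives the same offset: 0xffff8801acd7a620 - 0xffff8801acd7a5d0), that the shadow byte under the access is 0xfb (KASAN_KMALLOC_FREE, the "object was freed" poison), and that the 0xfc bytes on both sides of the object are its slab redzones, so the object boundaries in the dump agree with the reported address and size. Two caveats. The inlined frames KASAN prints (__read_once_size, atomic_read, static_key_count, perf_sw_event) describe a load from a static key, which is a global and cannot live in a freed slab object, so the line attribution for the faulting instruction cannot be taken literally; the object and offset arithmetic is what to trust. The vm_area_struct field table is an assumption: a hand-derived v4.9 x86_64 layout for a build without CONFIG_NUMA, chosen because it sums to the reported 184 bytes; confirm it against the real vmlinux with pahole before relying on the field name it prints (under that layout offset 80 is vm_flags). The shadow-byte encodings are those of mm/kasan/kasan.h in v4.9.

```c
/* kasan_triage.c: decode the numbers in the first KASAN report above (added example).
 * Build: cc -std=c11 -Wall -o kasan_triage kasan_triage.c */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define KASAN_SHADOW_SCALE 8   /* one shadow byte covers 8 bytes of kernel memory */
#define SHADOW_ROW_BYTES   16  /* the report prints 16 shadow bytes (128 bytes) per row */

/* Copied from the first report: "at addr", "Object at", "size:" and the shadow rows. */
static const uint64_t report_addr = 0xffff8801da11b430ULL;
static const uint64_t report_obj  = 0xffff8801da11b3e0ULL;
static const unsigned report_size = 184;
static const char report_shadow[] =
    " ffff8801da11b300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n"
    " ffff8801da11b380: fb fb fb fb fc fc fc fc fc fc fc fc fb fb fb fb\n"
    ">ffff8801da11b400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n"
    "                                     ^\n"
    " ffff8801da11b480: fb fb fb fc fc fc fc fc fc fc fc fb fb fb fb fb\n"
    " ffff8801da11b500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb\n";

/* Shadow byte meanings as defined in mm/kasan/kasan.h for v4.9. */
const char *kasan_shadow_state(int s)
{
    if (s == 0x00) return "addressable";
    if (s >= 0x01 && s <= 0x07) return "partially addressable";
    switch (s) {
    case 0xfa: return "global redzone";
    case 0xfb: return "freed slab object (KASAN_KMALLOC_FREE)";
    case 0xfc: return "slab redzone (KASAN_KMALLOC_REDZONE)";
    case 0xfe: return "kmalloc_large page redzone";
    case 0xff: return "freed page";
    case 0xf1: case 0xf2: case 0xf3: case 0xf4: return "stack redzone";
    case 0xf8: return "stack use-after-scope";
    default:   return "unknown or not in dump";
    }
}

struct shadow_row { uint64_t base; uint8_t b[SHADOW_ROW_BYTES]; };

/* Parse "[>]<hex>: b0 b1 ... b15" rows; the "^" marker line yields no row. */
static int parse_shadow_dump(const char *text, struct shadow_row *rows, int max)
{
    int n = 0;
    for (const char *p = text; *p && n < max; ) {
        const char *eol = strchr(p, '\n');
        const char *q = p;
        char *end;
        while (*q == ' ' || *q == '>')
            q++;
        uint64_t base = strtoull(q, &end, 16);
        if (end != q && *end == ':') {
            int ok = 1;
            q = end + 1;
            for (int i = 0; i < SHADOW_ROW_BYTES; i++) {
                rows[n].b[i] = (uint8_t)strtoul(q, &end, 16);
                if (end == q || (eol && end > eol)) { ok = 0; break; } /* short row */
                q = end;
            }
            if (ok)
                rows[n++].base = base;
        }
        if (!eol)
            break;
        p = eol + 1;
    }
    return n;
}

/* Shadow byte covering addr in the embedded dump, or -1 if no row covers it. */
int shadow_byte_at(uint64_t addr)
{
    struct shadow_row rows[8];
    int n = parse_shadow_dump(report_shadow, rows, 8);
    uint64_t base = addr & ~(uint64_t)(SHADOW_ROW_BYTES * KASAN_SHADOW_SCALE - 1);
    for (int i = 0; i < n; i++)
        if (rows[i].base == base)
            return rows[i].b[(addr - base) / KASAN_SHADOW_SCALE];
    return -1;
}

/* ASSUMPTION: hand-derived v4.9 x86_64 layout of struct vm_area_struct for a build without
 * CONFIG_NUMA (it sums to the reported 184 bytes). Verify: pahole -C vm_area_struct vmlinux */
static const struct { const char *name; unsigned off, size; } vma_layout[] = {
    {"vm_start", 0, 8}, {"vm_end", 8, 8}, {"vm_next", 16, 8}, {"vm_prev", 24, 8},
    {"vm_rb", 32, 24}, {"rb_subtree_gap", 56, 8}, {"vm_mm", 64, 8}, {"vm_page_prot", 72, 8},
    {"vm_flags", 80, 8}, {"shared", 88, 32}, {"anon_vma_chain", 120, 16}, {"anon_vma", 136, 8},
    {"vm_ops", 144, 8}, {"vm_pgoff", 152, 8}, {"vm_file", 160, 8}, {"vm_private_data", 168, 8},
    {"vm_userfaultfd_ctx", 176, 8},
};

const char *vma_field_at(unsigned off)
{
    for (size_t i = 0; i < sizeof vma_layout / sizeof vma_layout[0]; i++)
        if (off >= vma_layout[i].off && off < vma_layout[i].off + vma_layout[i].size)
            return vma_layout[i].name;
    return "outside the object";
}

uint64_t access_offset(void) { return report_addr - report_obj; }

int main(void)
{
    uint64_t off = access_offset();
    int s = shadow_byte_at(report_addr);
    printf("read at %#llx is 0x%llx bytes into object %#llx (size %u): %s\n",
           (unsigned long long)report_addr, (unsigned long long)off,
           (unsigned long long)report_obj, report_size, vma_field_at((unsigned)off));
    printf("shadow byte under the access: %02x (%s)\n", s, kasan_shadow_state(s));
    /* The object should be 0xfb throughout and bracketed by 0xfc redzones. */
    printf("before object: %02x, object start: %02x, past object: %02x\n",
           shadow_byte_at(report_obj - 1), shadow_byte_at(report_obj),
           shadow_byte_at(report_obj + report_size));
    return 0;
}
```

The same arithmetic applied to the second report (object 0xffff8801acd7a5d0, access 0xffff8801acd7a620, shadow row 0xffff8801acd7a600 index 4) gives the same 0x50 offset and the same 0xfb byte, which is why syzkaller treats both as one crash.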