bisecting cause commit starting from 18445bf405cb331117bc98427b1ba6f12418ad17
building syzkaller on e1c29030da37d46475ab5babe68abc4afe085799
testing commit 18445bf405cb331117bc98427b1ba6f12418ad17 with gcc (GCC) 8.1.0
kernel signature: f32b45a240b7c524012ca1d35bb1e02aac5d1c74d7c98f019a054f6fbebc5117
all runs: crashed: unregister_netdevice: waiting for DEV to become free
testing release v5.8
testing commit bcf876870b95592b52519ed4aafcf9d95999bc9c with gcc (GCC) 8.1.0
kernel signature: b88ebec86f6886e917e1af111f678c792c3b71281209b5e00b391e8f42125932
all runs: crashed: unregister_netdevice: waiting for DEV to become free
testing release v5.7
testing commit 3d77e6a8804abcc0504c904bd6e5cdf3a5cf8162 with gcc (GCC) 8.1.0
kernel signature: f26f50f74dbaf279b200afefcda5010f3f92d7c69d2a56a3ea42d94d6192dde1
all runs: crashed: unregister_netdevice: waiting for DEV to become free
testing release v5.6
testing commit 7111951b8d4973bda27ff663f2cf18b663d15b48 with gcc (GCC) 8.1.0
kernel signature: e01e11126a918c3bc1926f124477234fce2322acf92b500d3e77b0db6303aa00
all runs: crashed: unregister_netdevice: waiting for DEV to become free
testing release v5.5
testing commit d5226fa6dbae0569ee43ecfc08bdcd6770fc4755 with gcc (GCC) 8.1.0
kernel signature: d7a6d9665f65491066ceb8071846b8df726ff0782fecc3ec9282bc87c8b5f738
all runs: crashed: unregister_netdevice: waiting for DEV to become free
testing release v5.4
testing commit 219d54332a09e8d8741c1e1982f5eae56099de85 with gcc (GCC) 8.1.0
kernel signature: 6b87148af4a4367e8a351f483c90c019f88a76af47b71b5b17127f997d222a78
all runs: crashed: unregister_netdevice: waiting for DEV to become free
testing release v5.3
testing commit 4d856f72c10ecb060868ed10ff1b1453943fc6c8 with gcc (GCC) 8.1.0
kernel signature: ba4697a3400e6c90b7e714846797f9adf33a4d5ce89f690bcb338bdb12e4b2d1
all runs: crashed: unregister_netdevice: waiting for DEV to become free
testing release v5.2
testing commit 0ecfebd2b52404ae0c54a878c872bb93363ada36 with gcc (GCC) 8.1.0
kernel signature: d97c00f813a333d7074159137e8163c9623999af1efa028abc7b9f097095da61
all runs: crashed: unregister_netdevice: waiting for DEV to become free
testing release v5.1
testing commit e93c9c99a629c61837d5a7fc2120cd2b6c70dbdd with gcc (GCC) 8.1.0
kernel signature: db228c6f89c5961caf061ae8b28a0a338ac882384fdd7d17ea560c4b22857137
run #0: crashed: WARNING in bpf_jit_free
run #1: crashed: unregister_netdevice: waiting for DEV to become free
run #2: crashed: unregister_netdevice: waiting for DEV to become free
run #3: crashed: unregister_netdevice: waiting for DEV to become free
run #4: crashed: unregister_netdevice: waiting for DEV to become free
run #5: crashed: unregister_netdevice: waiting for DEV to become free
run #6: crashed: unregister_netdevice: waiting for DEV to become free
run #7: crashed: unregister_netdevice: waiting for DEV to become free
run #8: crashed: unregister_netdevice: waiting for DEV to become free
run #9: crashed: unregister_netdevice: waiting for DEV to become free
testing release v5.0
testing commit 1c163f4c7b3f621efff9b28a47abb36f7378d783 with gcc (GCC) 8.1.0
kernel signature: 57eed69340e65a2353d76aa4fe02f9571d12fb14d7e62ff269bd9c9d730a3749
all runs: crashed: unregister_netdevice: waiting for DEV to become free
testing release v4.20
testing commit 8fe28cb58bcb235034b64cbbb7550a8a43fd88be with gcc (GCC) 8.1.0
kernel signature: 20a00ef8e4efc88793ebe839b6092e0856c52158c7670b56f04302fd4eef0e38
all runs: crashed: unregister_netdevice: waiting for DEV to become free
testing release v4.19
testing commit 84df9525b0c27f3ebc2ebb1864fa62a97fdedb7d with gcc (GCC) 8.1.0
kernel signature: fa8b34dc48d3ccbd9ad65a26725d36eaf2855ba1c89f40ad93a28cc0f2c142d0
all runs: crashed: unregister_netdevice: waiting for DEV to become free
testing release v4.18
testing commit 94710cac0ef4ee177a63b5227664b38c95bbf703 with gcc (GCC) 8.1.0
kernel signature: 9f96569510625e3a158361a9b3a97d3f088d7e188c08cc6aab8eb944446269f1
all runs: crashed: unregister_netdevice: waiting for DEV to become free
testing release v4.17
testing commit 29dcea88779c856c7dc92040a0c01233263101d4 with gcc (GCC) 8.1.0
kernel signature: 45d867c04ab73ce2bad696935fca2e66132917b3fb6094d679fa83307b831f8b
all runs: OK
# git bisect start 94710cac0ef4ee177a63b5227664b38c95bbf703 29dcea88779c856c7dc92040a0c01233263101d4
Bisecting: 7032 revisions left to test after this (roughly 13 steps)
[3036bc45364f98515a2c446d7fac2c34dcfbeff4] Merge tag 'media/v4.18-2' of git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-media
testing commit 3036bc45364f98515a2c446d7fac2c34dcfbeff4 with gcc (GCC) 8.1.0
kernel signature: 14c4900638c837b2630c4aec145793ced883a9b02c36178fb1846d6e3f2422dc
run #0: crashed: KASAN: use-after-free Write in call_usermodehelper_exec_work
run #1: crashed: KASAN: use-after-free Write in call_usermodehelper_exec_work
run #2: boot failed: KASAN: use-after-free Write in call_usermodehelper_exec_work
run #3: boot failed: KASAN: use-after-free Write in call_usermodehelper_exec_work
run #4: boot failed: KASAN: use-after-free Write in call_usermodehelper_exec_work
run #5: boot failed: KASAN: use-after-free Write in call_usermodehelper_exec_work
run #6: OK
run #7: boot failed: KASAN: use-after-free Write in call_usermodehelper_exec_work
run #8: boot failed: KASAN: use-after-free Write in call_usermodehelper_exec_work
run #9: OK
# git bisect bad 3036bc45364f98515a2c446d7fac2c34dcfbeff4
Bisecting: 3644 revisions left to test after this (roughly 12 steps)
[135c5504a600ff9b06e321694fbcac78a9530cd4] Merge tag 'drm-next-2018-06-06-1' of git://anongit.freedesktop.org/drm/drm
testing commit 135c5504a600ff9b06e321694fbcac78a9530cd4 with gcc (GCC) 8.1.0
kernel signature: a5778465bdbf5e90dc671396f4b8eb3b539cddba51f9726308ec6b59273ed789
all runs: OK
# git bisect good 135c5504a600ff9b06e321694fbcac78a9530cd4
Bisecting: 1830 revisions left to test after this (roughly 11 steps)
[f39c6b29ae1d3727d9c65a4ab99d5150b558be5e] Merge tag 'mlx5e-updates-2018-06-01' of git://git.kernel.org/pub/scm/linux/kernel/git/saeed/linux
testing commit f39c6b29ae1d3727d9c65a4ab99d5150b558be5e with gcc (GCC) 8.1.0
kernel signature: c2d6a24fc2e535c6d6aaf619ef18fa213b3a54306d0003da1f535d0bc48fea5c
run #0: crashed: KASAN: use-after-free Write in call_usermodehelper_exec_work
run #1: crashed: KASAN: use-after-free Write in call_usermodehelper_exec_work
run #2: crashed: KASAN: use-after-free Write in call_usermodehelper_exec_work
run #3: boot failed: KASAN: use-after-free Write in call_usermodehelper_exec_work
run #4: boot failed: KASAN: use-after-free Write in call_usermodehelper_exec_work
run #5: boot failed: KASAN: use-after-free Write in call_usermodehelper_exec_work
run #6: boot failed: KASAN: use-after-free Write in call_usermodehelper_exec_work
run #7: boot failed: KASAN: use-after-free Write in call_usermodehelper_exec_work
run #8: OK
run #9: OK
# git bisect bad f39c6b29ae1d3727d9c65a4ab99d5150b558be5e
Bisecting: 901 revisions left to test after this (roughly 10 steps)
[7d6541fba19c970cf5ebbc2c56b0fb04eab89f98] Merge tag 'mlx5e-updates-2018-05-14' of git://git.kernel.org/pub/scm/linux/kernel/git/saeed/linux
testing commit 7d6541fba19c970cf5ebbc2c56b0fb04eab89f98 with gcc (GCC) 8.1.0
kernel signature: 83c3554222955db38bc5bf20d820963c064916dfc17b57b1f86eb6034cda64f2
all runs: OK
# git bisect good 7d6541fba19c970cf5ebbc2c56b0fb04eab89f98
Bisecting: 450 revisions left to test after this (roughly 9 steps)
[73bf1fc58dc4376d0111a4c1c9eab27e2759f468] Merge branch 'net-ipv6-Fix-route-append-and-replace-use-cases'
testing commit 73bf1fc58dc4376d0111a4c1c9eab27e2759f468 with gcc (GCC) 8.1.0
kernel signature: 1f8f81da03e2851a4f41b2ccb72299a3e988426bc9221c0e5e5c30a3f6944653
all runs: OK
# git bisect good 73bf1fc58dc4376d0111a4c1c9eab27e2759f468
Bisecting: 213 revisions left to test after this (roughly 8 steps)
[90fed9c94625718a3a10db7d1e8e4efe093bbf5f] Merge git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf-next
testing commit 90fed9c94625718a3a10db7d1e8e4efe093bbf5f with gcc (GCC) 8.1.0
kernel signature: d42097dce8b9034c40391ac61b9fb751bda82cfa4854b3c0f8fc78bb55a8d828
run #0: crashed: KASAN: use-after-free Write in call_usermodehelper_exec_work
run #1: boot failed: KASAN: use-after-free Write in call_usermodehelper_exec_work
run #2: boot failed: KASAN: use-after-free Write in call_usermodehelper_exec_work
run #3: boot failed: KASAN: use-after-free Write in call_usermodehelper_exec_work
run #4: boot failed: KASAN: use-after-free Write in call_usermodehelper_exec_work
run #5: boot failed: KASAN: use-after-free Write in call_usermodehelper_exec_work
run #6: boot failed: KASAN: use-after-free Write in call_usermodehelper_exec_work
run #7: boot failed: KASAN: use-after-free Write in call_usermodehelper_exec_work
run #8: OK
run #9: OK
# git bisect bad 90fed9c94625718a3a10db7d1e8e4efe093bbf5f
Bisecting: 119 revisions left to test after this (roughly 7 steps)
[7c08c41f779eac856f3c8a03e178ee6f506bdcb3] Merge branch 'amd-xgbe-next'
testing commit 7c08c41f779eac856f3c8a03e178ee6f506bdcb3 with gcc (GCC) 8.1.0
kernel signature: c00f4b0da9238c662e9cf0245f4fc88a606163a08029a9848e9819ddc3efdf6a
run #0: crashed: KASAN: use-after-free Write in call_usermodehelper_exec_work
run #1: crashed: KASAN: use-after-free Write in call_usermodehelper_exec_work
run #2: crashed: KASAN: use-after-free Write in call_usermodehelper_exec_work
run #3: boot failed: KASAN: use-after-free Write in call_usermodehelper_exec_work
run #4: boot failed: KASAN: use-after-free Write in call_usermodehelper_exec_work
run #5: boot failed: KASAN: use-after-free Write in call_usermodehelper_exec_work
run #6: boot failed: KASAN: use-after-free Write in call_usermodehelper_exec_work
run #7: OK
run #8: boot failed: KASAN: use-after-free Write in call_usermodehelper_exec_work
run #9: OK
# git bisect bad 7c08c41f779eac856f3c8a03e178ee6f506bdcb3
Bisecting: 58 revisions left to test after this (roughly 6 steps)
[218bbea11a777c156eb7bcbdc72867b32ae10985] net: dsa: qca8k: Add QCA8334 binding documentation
testing commit 218bbea11a777c156eb7bcbdc72867b32ae10985 with gcc (GCC) 8.1.0
kernel signature: 74852cf79195861ac3fc76e20697fa5460c4561d4c53ff1ab4130c54a0e83ba9
run #0: crashed: KASAN: use-after-free Write in call_usermodehelper_exec_work
run #1: crashed: KASAN: use-after-free Write in call_usermodehelper_exec_work
run #2: crashed: KASAN: use-after-free Write in call_usermodehelper_exec_work
run #3: crashed: KASAN: use-after-free Write in call_usermodehelper_exec_work
run #4: boot failed: KASAN: use-after-free Write in call_usermodehelper_exec_work
run #5: OK
run #6: boot failed: KASAN: use-after-free Write in call_usermodehelper_exec_work
run #7: OK
run #8: OK
run #9: OK
# git bisect bad 218bbea11a777c156eb7bcbdc72867b32ae10985
Bisecting: 28 revisions left to test after this (roughly 5 steps)
[8f6196f63c46982c095e485a9c73c683d9900a2e] nfp: move rtsym helpers to pf code
testing commit 8f6196f63c46982c095e485a9c73c683d9900a2e with gcc (GCC) 8.1.0
kernel signature: 727c21c35aa577d6181d74fa5ac19d5cd77d939514189ea059a30f0ca8432d8a
run #0: crashed: KASAN: use-after-free Write in call_usermodehelper_exec_work
run #1: crashed: KASAN: use-after-free Write in call_usermodehelper_exec_work
run #2: boot failed: KASAN: use-after-free Write in call_usermodehelper_exec_work
run #3: OK
run #4: boot failed: KASAN: use-after-free Write in call_usermodehelper_exec_work
run #5: boot failed: KASAN: use-after-free Write in call_usermodehelper_exec_work
run #6: OK
run #7: OK
run #8: OK
run #9: OK
# git bisect bad 8f6196f63c46982c095e485a9c73c683d9900a2e
Bisecting: 14 revisions left to test after this (roughly 4 steps)
[9c803cfd5fe211cb7d3a7157b489209f8cc527a2] Merge branch '40GbE' of git://git.kernel.org/pub/scm/linux/kernel/git/jkirsher/next-queue
testing commit 9c803cfd5fe211cb7d3a7157b489209f8cc527a2 with gcc (GCC) 8.1.0
kernel signature: c1570ed8cfcb0691f44f84f9dcea17674e3e5c192d9e335b66ac46768c75347e
all runs: OK
# git bisect good 9c803cfd5fe211cb7d3a7157b489209f8cc527a2
Bisecting: 7 revisions left to test after this (roughly 3 steps)
[642a0b37e669465765cad9b64b9798be65df0f09] qedf: Add support for populating ethernet TLVs.
testing commit 642a0b37e669465765cad9b64b9798be65df0f09 with gcc (GCC) 8.1.0
kernel signature: 83b009584f17f850c6acff2d0082a81b15c34598bb89d521aa8021c12cc39e0a
all runs: OK
# git bisect good 642a0b37e669465765cad9b64b9798be65df0f09
Bisecting: 3 revisions left to test after this (roughly 2 steps)
[1fe8c06c4a0d3b589f076cd00c25082840f10423] Merge branch 'qed-firmware-TLV'
testing commit 1fe8c06c4a0d3b589f076cd00c25082840f10423 with gcc (GCC) 8.1.0
kernel signature: b6e72e87a1d5908a19e6179e0b431df9e686952975c3c5c7288633011ff164fa
all runs: OK
# git bisect good 1fe8c06c4a0d3b589f076cd00c25082840f10423
Bisecting: 1 revision left to test after this (roughly 1 step)
[d2ba09c17a0647f899d6c20a11bab9e6d3382f07] net: add skeleton of bpfilter kernel module
testing commit d2ba09c17a0647f899d6c20a11bab9e6d3382f07 with gcc (GCC) 8.1.0
kernel signature: c31682a8dfd587e95b7d2cd8dd384b8e396a4bc0639a6ae4d0068ec2e533028c
run #0: crashed: KASAN: use-after-free Write in call_usermodehelper_exec_work
run #1: crashed: KASAN: use-after-free Write in call_usermodehelper_exec_work
run #2: crashed: KASAN: use-after-free Write in call_usermodehelper_exec_work
run #3: crashed: KASAN: use-after-free Write in call_usermodehelper_exec_work
run #4: boot failed: KASAN: use-after-free Write in call_usermodehelper_exec_work
run #5: boot failed: KASAN: use-after-free Write in call_usermodehelper_exec_work
run #6: boot failed: KASAN: use-after-free Write in call_usermodehelper_exec_work
run #7: boot failed: KASAN: use-after-free Write in call_usermodehelper_exec_work
run #8: boot failed: KASAN: use-after-free Write in call_usermodehelper_exec_work
run #9: boot failed: KASAN: use-after-free Write in call_usermodehelper_exec_work
# git bisect bad d2ba09c17a0647f899d6c20a11bab9e6d3382f07
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[449325b52b7a6208f65ed67d3484fd7b7184477b] umh: introduce fork_usermode_blob() helper
testing commit 449325b52b7a6208f65ed67d3484fd7b7184477b with gcc (GCC) 8.1.0
kernel signature: e9b9be363142d5616649c36c71bc348da6829b1b63ee3b8df0ebe63caa16ecf1
run #0: crashed: KASAN: use-after-free Write in call_usermodehelper_exec_work
run #1: crashed: KASAN: use-after-free Write in call_usermodehelper_exec_work
run #2: boot failed: KASAN: use-after-free Write in call_usermodehelper_exec_work
run #3: boot failed: KASAN: use-after-free Write in call_usermodehelper_exec_work
run #4: boot failed: KASAN: use-after-free Write in call_usermodehelper_exec_work
run #5: OK
run #6: boot failed: KASAN: use-after-free Write in call_usermodehelper_exec_work
run #7: OK
run #8: OK
run #9: OK
# git bisect bad 449325b52b7a6208f65ed67d3484fd7b7184477b
449325b52b7a6208f65ed67d3484fd7b7184477b is the first bad commit
commit 449325b52b7a6208f65ed67d3484fd7b7184477b
Author: Alexei Starovoitov
Date:   Mon May 21 19:22:29 2018 -0700

    umh: introduce fork_usermode_blob() helper

    Introduce helper:
    int fork_usermode_blob(void *data, size_t len, struct umh_info *info);
    struct umh_info {
           struct file *pipe_to_umh;
           struct file *pipe_from_umh;
           pid_t pid;
    };

    that GPLed kernel modules (signed or unsigned) can use it to execute part
    of its own data as swappable user mode process.

    The kernel will do:
    - allocate a unique file in tmpfs
    - populate that file with [data, data + len] bytes
    - user-mode-helper code will do_execve that file and, before the process
      starts, the kernel will create two unix pipes for bidirectional
      communication between kernel module and umh
    - close tmpfs file, effectively deleting it
    - the fork_usermode_blob will return zero on success and populate
      'struct umh_info' with two unix pipes and the pid of the user process

    As the first step in the development of the bpfilter project
    the fork_usermode_blob() helper is introduced to allow user mode code
    to be invoked from a kernel module. The idea is that user mode code plus
    normal kernel module code are built as part of the kernel build
    and installed as traditional kernel module into distro specified location,
    such that from a distribution point of view, there is
    no difference between regular kernel modules and kernel modules + umh code.
    Such modules can be signed, modprobed, rmmod, etc. The use of this new helper
    by a kernel module doesn't make it any special from kernel and user space
    tooling point of view.

    Such approach enables kernel to delegate functionality traditionally done
    by the kernel modules into the user space processes (either root or !root) and
    reduces security attack surface of the new code. The buggy umh code would crash
    the user process, but not the kernel. Another advantage is that umh code
    of the kernel module can be debugged and tested out of user space
    (e.g. opening the possibility to run clang sanitizers, fuzzers or
    user space test suites on the umh code).
    In case of the bpfilter project such architecture allows complex control plane
    to be done in the user space while bpf based data plane stays in the kernel.

    Since umh can crash, can be oom-ed by the kernel, killed by the admin,
    the kernel module that uses them (like bpfilter) needs to manage life
    time of umh on its own via two unix pipes and the pid of umh.

    The exit code of such kernel module should kill the umh it started,
    so that rmmod of the kernel module will cleanup the corresponding umh.
    Just like if the kernel module does kmalloc() it should kfree() it
    in the exit code.

    Signed-off-by: Alexei Starovoitov
    Signed-off-by: David S. Miller

 fs/exec.c | 38 +++++++++++----
 include/linux/binfmts.h | 1 +
 include/linux/umh.h | 12 +++++
 kernel/umh.c | 125 ++++++++++++++++++++++++++++++++++++++++++++++--
 4 files changed, 164 insertions(+), 12 deletions(-)
culprit signature: e9b9be363142d5616649c36c71bc348da6829b1b63ee3b8df0ebe63caa16ecf1
parent signature: b6e72e87a1d5908a19e6179e0b431df9e686952975c3c5c7288633011ff164fa
revisions tested: 28, total time: 7h29m36.823055419s (build: 2h48m31.565851851s, test: 4h37m50.905148177s)
first bad commit: 449325b52b7a6208f65ed67d3484fd7b7184477b umh: introduce fork_usermode_blob() helper
recipients (to): ["ast@kernel.org" "davem@davemloft.net" "linux-kernel@vger.kernel.org" "mcgrof@kernel.org"]
recipients (cc): ["linux-fsdevel@vger.kernel.org" "viro@zeniv.linux.org.uk"]
crash: KASAN: use-after-free Write in call_usermodehelper_exec_work
Bluetooth: hci4: command 0x0419 tx timeout
Bluetooth: hci2: command 0x0419 tx timeout
Bluetooth: hci3: command 0x0419 tx timeout
==================================================================
BUG: KASAN: use-after-free in call_usermodehelper_exec_work+0x204/0x240 kernel/umh.c:195
Write of size 4 at addr ffff8800a841a370 by task kworker/u4:6/7650

CPU: 0 PID: 7650 Comm: kworker/u4:6 Not tainted 4.17.0-rc6-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: events_unbound call_usermodehelper_exec_work
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x15a/0x20d lib/dump_stack.c:113
 print_address_description.cold.6+0x9/0x211 mm/kasan/report.c:256
 kasan_report_error mm/kasan/report.c:354 [inline]
 kasan_report.cold.7+0x242/0x307 mm/kasan/report.c:412
 __asan_report_store4_noabort+0x17/0x20 mm/kasan/report.c:437
 call_usermodehelper_exec_work+0x204/0x240 kernel/umh.c:195
 process_one_work+0x780/0x1570 kernel/workqueue.c:2145
 worker_thread+0xd0/0xc00 kernel/workqueue.c:2279
 kthread+0x316/0x3d0 kernel/kthread.c:240
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:412

Allocated by task 3576:
 save_stack mm/kasan/kasan.c:448 [inline]
 set_track mm/kasan/kasan.c:460 [inline]
 kasan_kmalloc.part.1+0x62/0xf0 mm/kasan/kasan.c:553
 kasan_kmalloc+0xaf/0xc0 mm/kasan/kasan.c:538
 kmem_cache_alloc_trace+0x152/0x3f0 mm/slab.c:3620
 kmalloc include/linux/slab.h:512 [inline]
 kzalloc include/linux/slab.h:701 [inline]
 call_usermodehelper_setup+0x65/0x2c0 kernel/umh.c:382
 kobject_uevent_env+0x8c2/0xe40 lib/kobject_uevent.c:608
 kobject_synth_uevent+0x5d9/0x833 lib/kobject_uevent.c:208
 uevent_store+0x1c/0x40 drivers/base/core.c:993
 dev_attr_store+0x37/0x70 drivers/base/core.c:713
 sysfs_kf_write+0xfd/0x150 fs/sysfs/file.c:139
 kernfs_fop_write+0x255/0x410 fs/kernfs/file.c:316
 __vfs_write+0xe3/0x860 fs/read_write.c:485
 vfs_write+0x150/0x4f0 fs/read_write.c:549
 ksys_write+0xcd/0x1b0 fs/read_write.c:598
 __do_sys_write fs/read_write.c:610 [inline]
 __se_sys_write fs/read_write.c:607 [inline]
 __x64_sys_write+0x6e/0xb0 fs/read_write.c:607
 do_syscall_64+0xd0/0x4d0 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 12969:
 save_stack mm/kasan/kasan.c:448 [inline]
 set_track mm/kasan/kasan.c:460 [inline]
 __kasan_slab_free+0x13c/0x220 mm/kasan/kasan.c:521
 kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:528
 __cache_free mm/slab.c:3498 [inline]
 kfree+0xcf/0x280 mm/slab.c:3813
 call_usermodehelper_freeinfo kernel/umh.c:45 [inline]
 umh_complete+0x52/0x60 kernel/umh.c:59
 call_usermodehelper_exec_async+0x465/0x550 kernel/umh.c:116
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:412

The buggy address belongs to the object at ffff8800a841a300
 which belongs to the cache kmalloc-192 of size 192
The buggy address is located 112 bytes inside of
 192-byte region [ffff8800a841a300, ffff8800a841a3c0)
The buggy address belongs to the page:
page:ffffea0002a10680 count:1 mapcount:0 mapping:ffff8800a841a000 index:0xffff8800a841ad00
flags: 0xfffe0000000100(slab)
raw: 00fffe0000000100 ffff8800a841a000 ffff8800a841ad00 0000000100000005
raw: ffffea00023dbfe0 ffffea0002a2b4a0 ffff8800aa800040 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8800a841a200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8800a841a280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
>ffff8800a841a300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                                             ^
 ffff8800a841a380: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
 ffff8800a841a400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================