bisecting cause commit starting from 9e50b94b3eb0d859a2586b5a40d7fd6e5afd9210 building syzkaller on 510951950dc0ee69cfdaf746061d3dbe31b49fd8 testing commit 9e50b94b3eb0d859a2586b5a40d7fd6e5afd9210 with gcc (GCC) 8.1.0 kernel signature: b6dc26a456aa006189cd5a03d5b1ebd1bd341297ceddfa76b5ecb15cf27025f1 all runs: crashed: WARNING in submit_bio_checks testing release v5.7 testing commit 3d77e6a8804abcc0504c904bd6e5cdf3a5cf8162 with gcc (GCC) 8.1.0 kernel signature: f491ee66addf842d141357c34134bf3ddb800e01afb3a7c85d4e63586423c1cf all runs: crashed: WARNING in generic_make_request_checks testing release v5.6 testing commit 7111951b8d4973bda27ff663f2cf18b663d15b48 with gcc (GCC) 8.1.0 kernel signature: e2116660b88222532525174a81e398f64e0e07a1e6952c89d16392809ab72bb4 all runs: crashed: WARNING in generic_make_request_checks testing release v5.5 testing commit d5226fa6dbae0569ee43ecfc08bdcd6770fc4755 with gcc (GCC) 8.1.0 kernel signature: 0a140f88dc4997cc06d0ae1f39dde7d8e040cc0332578e1defb8d63fbf97af92 all runs: crashed: WARNING in generic_make_request_checks testing release v5.4 testing commit 219d54332a09e8d8741c1e1982f5eae56099de85 with gcc (GCC) 8.1.0 kernel signature: c973b27c29b8b0fa5f2ec5e311b40a3e74417f92fed9b3b12d7fa087e0b74da2 all runs: crashed: WARNING in generic_make_request_checks testing release v5.3 testing commit 4d856f72c10ecb060868ed10ff1b1453943fc6c8 with gcc (GCC) 8.1.0 kernel signature: d579a5f07faf0b55f4f0e004a1701fd0cc1f34b891b68dd2bdff3cb6fa53915a all runs: crashed: WARNING in generic_make_request_checks testing release v5.2 testing commit 0ecfebd2b52404ae0c54a878c872bb93363ada36 with gcc (GCC) 8.1.0 kernel signature: efc84bcd6878e2c75422d7fa0500b51ea6f94510bd3a21fccb85f38ecd248e99 all runs: crashed: WARNING in generic_make_request_checks testing release v5.1 testing commit e93c9c99a629c61837d5a7fc2120cd2b6c70dbdd with gcc (GCC) 8.1.0 kernel signature: 9f07801baa61ff10487e58fb9e1ece332ca666adb8c9ade90d158f65fbdcadb9 all runs: crashed: WARNING in generic_make_request_checks testing release v5.0 testing commit 1c163f4c7b3f621efff9b28a47abb36f7378d783 with gcc (GCC) 8.1.0 kernel signature: 5799cd5e0c9ab50c7d2e06d3180f01d1344fbcfce34f2178bdca4c86955cf39b all runs: crashed: WARNING in generic_make_request_checks testing release v4.20 testing commit 8fe28cb58bcb235034b64cbbb7550a8a43fd88be with gcc (GCC) 8.1.0 kernel signature: dedae1e8181bc5d03ca0cfd0b3ab01823524ef20c2db5706ed644028df71dcdc all runs: crashed: WARNING in generic_make_request_checks testing release v4.19 testing commit 84df9525b0c27f3ebc2ebb1864fa62a97fdedb7d with gcc (GCC) 8.1.0 kernel signature: 2c1ea07ba74f14a0a355ade68210f295bf587b745088951c713a6760a2159385 all runs: crashed: WARNING in generic_make_request_checks testing release v4.18 testing commit 94710cac0ef4ee177a63b5227664b38c95bbf703 with gcc (GCC) 8.1.0 kernel signature: f5341e3a8ac0382580b0c79c367b67f3c95d893e56b45a9f6eb2526f27b858a0 all runs: crashed: WARNING in generic_make_request_checks testing release v4.17 testing commit 29dcea88779c856c7dc92040a0c01233263101d4 with gcc (GCC) 8.1.0 kernel signature: fc70fd0356cad74fde42fe19a56e36ed80380f19c32e401b84f13b1feecd3aec all runs: OK # git bisect start 94710cac0ef4ee177a63b5227664b38c95bbf703 29dcea88779c856c7dc92040a0c01233263101d4 Bisecting: 7032 revisions left to test after this (roughly 13 steps) [3036bc45364f98515a2c446d7fac2c34dcfbeff4] Merge tag 'media/v4.18-2' of git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-media testing commit 3036bc45364f98515a2c446d7fac2c34dcfbeff4 with gcc (GCC) 8.1.0 kernel signature: b3998ea0604f7ff1e58a0e712577faa6842f0628e3d9e22d5bc5b5bdee1130f7 run #0: crashed: KASAN: use-after-free Write in call_usermodehelper_exec_work run #1: crashed: KASAN: use-after-free Write in call_usermodehelper_exec_work run #2: crashed: KASAN: use-after-free Write in call_usermodehelper_exec_work run #3: OK run #4: OK run #5: boot failed: KASAN: use-after-free Write in call_usermodehelper_exec_work run #6: boot failed: KASAN: use-after-free Write in call_usermodehelper_exec_work run #7: boot failed: KASAN: use-after-free Write in call_usermodehelper_exec_work run #8: boot failed: KASAN: use-after-free Write in call_usermodehelper_exec_work run #9: boot failed: KASAN: use-after-free Write in call_usermodehelper_exec_work # git bisect bad 3036bc45364f98515a2c446d7fac2c34dcfbeff4 Bisecting: 3644 revisions left to test after this (roughly 12 steps) [135c5504a600ff9b06e321694fbcac78a9530cd4] Merge tag 'drm-next-2018-06-06-1' of git://anongit.freedesktop.org/drm/drm testing commit 135c5504a600ff9b06e321694fbcac78a9530cd4 with gcc (GCC) 8.1.0 kernel signature: 99f962d9b1b054a924d1b367c238ee803b77e2876dfe1e6ce6e54b838ec80661 all runs: OK # git bisect good 135c5504a600ff9b06e321694fbcac78a9530cd4 Bisecting: 1830 revisions left to test after this (roughly 11 steps) [f39c6b29ae1d3727d9c65a4ab99d5150b558be5e] Merge tag 'mlx5e-updates-2018-06-01' of git://git.kernel.org/pub/scm/linux/kernel/git/saeed/linux testing commit f39c6b29ae1d3727d9c65a4ab99d5150b558be5e with gcc (GCC) 8.1.0 kernel signature: cd22d324b9b31b2508b827ceddde129cb895bd9f1861952ec429623b8fc574b3 run #0: crashed: KASAN: use-after-free Write in call_usermodehelper_exec_work run #1: crashed: KASAN: use-after-free Write in call_usermodehelper_exec_work run #2: crashed: KASAN: use-after-free Write in call_usermodehelper_exec_work run #3: crashed: KASAN: use-after-free Write in call_usermodehelper_exec_work run #4: crashed: KASAN: use-after-free Write in call_usermodehelper_exec_work run #5: OK run #6: OK run #7: OK run #8: boot failed: KASAN: use-after-free Write in call_usermodehelper_exec_work run #9: boot failed: KASAN: use-after-free Write in call_usermodehelper_exec_work # git bisect bad f39c6b29ae1d3727d9c65a4ab99d5150b558be5e Bisecting: 901 revisions left to test after this (roughly 10 steps) [7d6541fba19c970cf5ebbc2c56b0fb04eab89f98] Merge tag 'mlx5e-updates-2018-05-14' of git://git.kernel.org/pub/scm/linux/kernel/git/saeed/linux testing commit 7d6541fba19c970cf5ebbc2c56b0fb04eab89f98 with gcc (GCC) 8.1.0 kernel signature: 2072dcc167d1c4c7a2438ffc16f25cc0f4bb67f44f42ccc01813f485304a6a3c all runs: OK # git bisect good 7d6541fba19c970cf5ebbc2c56b0fb04eab89f98 Bisecting: 450 revisions left to test after this (roughly 9 steps) [73bf1fc58dc4376d0111a4c1c9eab27e2759f468] Merge branch 'net-ipv6-Fix-route-append-and-replace-use-cases' testing commit 73bf1fc58dc4376d0111a4c1c9eab27e2759f468 with gcc (GCC) 8.1.0 kernel signature: 658176e0a6455c963cd79b5360e678b8ffb329839be92665380e4a765c8ef4a3 all runs: OK # git bisect good 73bf1fc58dc4376d0111a4c1c9eab27e2759f468 Bisecting: 213 revisions left to test after this (roughly 8 steps) [90fed9c94625718a3a10db7d1e8e4efe093bbf5f] Merge git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf-next testing commit 90fed9c94625718a3a10db7d1e8e4efe093bbf5f with gcc (GCC) 8.1.0 kernel signature: e3b451bc02751a282683d660ddaa01a0480b8aa40338a8c3b40ba7aadf7d9bff run #0: crashed: KASAN: use-after-free Write in call_usermodehelper_exec_work run #1: crashed: KASAN: use-after-free Write in call_usermodehelper_exec_work run #2: crashed: KASAN: use-after-free Write in call_usermodehelper_exec_work run #3: crashed: KASAN: use-after-free Write in call_usermodehelper_exec_work run #4: crashed: KASAN: use-after-free Write in call_usermodehelper_exec_work run #5: crashed: KASAN: use-after-free Write in call_usermodehelper_exec_work run #6: OK run #7: boot failed: KASAN: use-after-free Write in call_usermodehelper_exec_work run #8: boot failed: KASAN: use-after-free Write in call_usermodehelper_exec_work run #9: boot failed: KASAN: use-after-free Write in call_usermodehelper_exec_work # git bisect bad 90fed9c94625718a3a10db7d1e8e4efe093bbf5f Bisecting: 119 revisions left to test after this (roughly 7 steps) [7c08c41f779eac856f3c8a03e178ee6f506bdcb3] Merge branch 'amd-xgbe-next' testing commit 7c08c41f779eac856f3c8a03e178ee6f506bdcb3 with gcc (GCC) 8.1.0 kernel signature: 4a19c9e807ffb3e4735de74a3f20e46486adf5258e8fd1f0c8f58cf55ea72db6 run #0: crashed: KASAN: use-after-free Write in call_usermodehelper_exec_work run #1: crashed: KASAN: use-after-free Write in call_usermodehelper_exec_work run #2: crashed: KASAN: use-after-free Write in call_usermodehelper_exec_work run #3: crashed: KASAN: use-after-free Write in call_usermodehelper_exec_work run #4: crashed: KASAN: use-after-free Write in call_usermodehelper_exec_work run #5: crashed: KASAN: use-after-free Write in call_usermodehelper_exec_work run #6: crashed: KASAN: use-after-free Write in call_usermodehelper_exec_work run #7: OK run #8: boot failed: KASAN: use-after-free Write in call_usermodehelper_exec_work run #9: boot failed: KASAN: use-after-free Write in call_usermodehelper_exec_work # git bisect bad 7c08c41f779eac856f3c8a03e178ee6f506bdcb3 Bisecting: 58 revisions left to test after this (roughly 6 steps) [218bbea11a777c156eb7bcbdc72867b32ae10985] net: dsa: qca8k: Add QCA8334 binding documentation testing commit 218bbea11a777c156eb7bcbdc72867b32ae10985 with gcc (GCC) 8.1.0 kernel signature: 3a53ac92c0ff35750697e2fc8cb6aaa3de0f266fdd6e9db6f7fae428566762ca run #0: crashed: KASAN: use-after-free Write in call_usermodehelper_exec_work run #1: crashed: KASAN: use-after-free Write in call_usermodehelper_exec_work run #2: crashed: KASAN: use-after-free Write in call_usermodehelper_exec_work run #3: crashed: KASAN: use-after-free Write in call_usermodehelper_exec_work run #4: OK run #5: OK run #6: OK run #7: OK run #8: boot failed: KASAN: use-after-free Write in call_usermodehelper_exec_work run #9: boot failed: KASAN: use-after-free Write in call_usermodehelper_exec_work # git bisect bad 218bbea11a777c156eb7bcbdc72867b32ae10985 Bisecting: 28 revisions left to test after this (roughly 5 steps) [8f6196f63c46982c095e485a9c73c683d9900a2e] nfp: move rtsym helpers to pf code testing commit 8f6196f63c46982c095e485a9c73c683d9900a2e with gcc (GCC) 8.1.0 kernel signature: 58673d98ef16aa886a926a51d8375cab3e251f3ade162ba2858e29965a2664c4 run #0: crashed: KASAN: use-after-free Write in call_usermodehelper_exec_work run #1: crashed: KASAN: use-after-free Write in call_usermodehelper_exec_work run #2: crashed: KASAN: use-after-free Write in call_usermodehelper_exec_work run #3: crashed: KASAN: use-after-free Write in call_usermodehelper_exec_work run #4: OK run #5: boot failed: KASAN: use-after-free Write in call_usermodehelper_exec_work run #6: boot failed: KASAN: use-after-free Write in call_usermodehelper_exec_work run #7: boot failed: KASAN: use-after-free Write in call_usermodehelper_exec_work run #8: boot failed: KASAN: use-after-free Write in call_usermodehelper_exec_work run #9: boot failed: KASAN: use-after-free Write in call_usermodehelper_exec_work # git bisect bad 8f6196f63c46982c095e485a9c73c683d9900a2e Bisecting: 14 revisions left to test after this (roughly 4 steps) [9c803cfd5fe211cb7d3a7157b489209f8cc527a2] Merge branch '40GbE' of git://git.kernel.org/pub/scm/linux/kernel/git/jkirsher/next-queue testing commit 9c803cfd5fe211cb7d3a7157b489209f8cc527a2 with gcc (GCC) 8.1.0 kernel signature: dd2380d8006aee086e3f268876aa73d30d6c4b07884251133bf69a48bdeb4578 all runs: OK # git bisect good 9c803cfd5fe211cb7d3a7157b489209f8cc527a2 Bisecting: 7 revisions left to test after this (roughly 3 steps) [642a0b37e669465765cad9b64b9798be65df0f09] qedf: Add support for populating ethernet TLVs. testing commit 642a0b37e669465765cad9b64b9798be65df0f09 with gcc (GCC) 8.1.0 kernel signature: 0db25f21255252d940419ff348511f872e217eb38e1c75f8d057e71386c3104a all runs: OK # git bisect good 642a0b37e669465765cad9b64b9798be65df0f09 Bisecting: 3 revisions left to test after this (roughly 2 steps) [1fe8c06c4a0d3b589f076cd00c25082840f10423] Merge branch 'qed-firmware-TLV' testing commit 1fe8c06c4a0d3b589f076cd00c25082840f10423 with gcc (GCC) 8.1.0 kernel signature: ed3db43449100f950791873304306ce9aa8c569423af625251858a9a52811e0b all runs: OK # git bisect good 1fe8c06c4a0d3b589f076cd00c25082840f10423 Bisecting: 1 revision left to test after this (roughly 1 step) [d2ba09c17a0647f899d6c20a11bab9e6d3382f07] net: add skeleton of bpfilter kernel module testing commit d2ba09c17a0647f899d6c20a11bab9e6d3382f07 with gcc (GCC) 8.1.0 kernel signature: f652b2be507f0a669d5b99e5980fe81a08632e602d625fbdcfa3f6a2cc9943b3 run #0: crashed: KASAN: use-after-free Write in call_usermodehelper_exec_work run #1: crashed: KASAN: use-after-free Write in call_usermodehelper_exec_work run #2: crashed: KASAN: use-after-free Write in call_usermodehelper_exec_work run #3: crashed: KASAN: use-after-free Write in call_usermodehelper_exec_work run #4: crashed: KASAN: use-after-free Write in call_usermodehelper_exec_work run #5: OK run #6: OK run #7: boot failed: KASAN: use-after-free Write in call_usermodehelper_exec_work run #8: boot failed: KASAN: use-after-free Write in call_usermodehelper_exec_work run #9: boot failed: KASAN: use-after-free Write in call_usermodehelper_exec_work # git bisect bad d2ba09c17a0647f899d6c20a11bab9e6d3382f07 Bisecting: 0 revisions left to test after this (roughly 0 steps) [449325b52b7a6208f65ed67d3484fd7b7184477b] umh: introduce fork_usermode_blob() helper testing commit 449325b52b7a6208f65ed67d3484fd7b7184477b with gcc (GCC) 8.1.0 kernel signature: 3812878d8da59ed286e1a7d37e63076e7545a8e501f0152d70831e36df9ea301 run #0: crashed: KASAN: use-after-free Write in call_usermodehelper_exec_work run #1: crashed: KASAN: use-after-free Write in call_usermodehelper_exec_work run #2: crashed: KASAN: use-after-free Write in call_usermodehelper_exec_work run #3: crashed: KASAN: use-after-free Write in call_usermodehelper_exec_work run #4: crashed: KASAN: use-after-free Write in call_usermodehelper_exec_work run #5: boot failed: KASAN: use-after-free Write in call_usermodehelper_exec_work run #6: boot failed: KASAN: use-after-free Write in call_usermodehelper_exec_work run #7: boot failed: KASAN: use-after-free Write in call_usermodehelper_exec_work run #8: boot failed: KASAN: use-after-free Write in call_usermodehelper_exec_work run #9: boot failed: KASAN: use-after-free Write in call_usermodehelper_exec_work # git bisect bad 449325b52b7a6208f65ed67d3484fd7b7184477b 449325b52b7a6208f65ed67d3484fd7b7184477b is the first bad commit commit 449325b52b7a6208f65ed67d3484fd7b7184477b Author: Alexei Starovoitov Date: Mon May 21 19:22:29 2018 -0700 umh: introduce fork_usermode_blob() helper Introduce helper: int fork_usermode_blob(void *data, size_t len, struct umh_info *info); struct umh_info { struct file *pipe_to_umh; struct file *pipe_from_umh; pid_t pid; }; that GPLed kernel modules (signed or unsigned) can use it to execute part of its own data as swappable user mode process. The kernel will do: - allocate a unique file in tmpfs - populate that file with [data, data + len] bytes - user-mode-helper code will do_execve that file and, before the process starts, the kernel will create two unix pipes for bidirectional communication between kernel module and umh - close tmpfs file, effectively deleting it - the fork_usermode_blob will return zero on success and populate 'struct umh_info' with two unix pipes and the pid of the user process As the first step in the development of the bpfilter project the fork_usermode_blob() helper is introduced to allow user mode code to be invoked from a kernel module. The idea is that user mode code plus normal kernel module code are built as part of the kernel build and installed as traditional kernel module into distro specified location, such that from a distribution point of view, there is no difference between regular kernel modules and kernel modules + umh code. Such modules can be signed, modprobed, rmmod, etc. The use of this new helper by a kernel module doesn't make it any special from kernel and user space tooling point of view. Such approach enables kernel to delegate functionality traditionally done by the kernel modules into the user space processes (either root or !root) and reduces security attack surface of the new code. The buggy umh code would crash the user process, but not the kernel. Another advantage is that umh code of the kernel module can be debugged and tested out of user space (e.g. opening the possibility to run clang sanitizers, fuzzers or user space test suites on the umh code). In case of the bpfilter project such architecture allows complex control plane to be done in the user space while bpf based data plane stays in the kernel. Since umh can crash, can be oom-ed by the kernel, killed by the admin, the kernel module that uses them (like bpfilter) needs to manage life time of umh on its own via two unix pipes and the pid of umh. The exit code of such kernel module should kill the umh it started, so that rmmod of the kernel module will cleanup the corresponding umh. Just like if the kernel module does kmalloc() it should kfree() it in the exit code. Signed-off-by: Alexei Starovoitov Signed-off-by: David S. Miller fs/exec.c | 38 +++++++++++---- include/linux/binfmts.h | 1 + include/linux/umh.h | 12 +++++ kernel/umh.c | 125 ++++++++++++++++++++++++++++++++++++++++++++++-- 4 files changed, 164 insertions(+), 12 deletions(-) culprit signature: 3812878d8da59ed286e1a7d37e63076e7545a8e501f0152d70831e36df9ea301 parent signature: ed3db43449100f950791873304306ce9aa8c569423af625251858a9a52811e0b revisions tested: 27, total time: 5h51m10.156707916s (build: 2h32m24.620111637s, test: 3h14m9.943818572s) first bad commit: 449325b52b7a6208f65ed67d3484fd7b7184477b umh: introduce fork_usermode_blob() helper cc: ["ast@kernel.org" "davem@davemloft.net" "linux-fsdevel@vger.kernel.org" "linux-kernel@vger.kernel.org" "mcgrof@kernel.org" "viro@zeniv.linux.org.uk"] crash: KASAN: use-after-free Write in call_usermodehelper_exec_work generic_make_request: Trying to write to read-only block-device nullb0 (partno 0) generic_make_request: Trying to write to read-only block-device nullb0 (partno 0) generic_make_request: Trying to write to read-only block-device nullb0 (partno 0) ================================================================== BUG: KASAN: use-after-free in call_usermodehelper_exec_work+0x204/0x240 kernel/umh.c:195 Write of size 4 at addr ffff88009f343770 by task kworker/u4:2/36 CPU: 1 PID: 36 Comm: kworker/u4:2 Not tainted 4.17.0-rc6-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Workqueue: events_unbound call_usermodehelper_exec_work Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x15a/0x20d lib/dump_stack.c:113 print_address_description.cold.6+0x9/0x211 mm/kasan/report.c:256 kasan_report_error mm/kasan/report.c:354 [inline] kasan_report.cold.7+0x242/0x307 mm/kasan/report.c:412 __asan_report_store4_noabort+0x17/0x20 mm/kasan/report.c:437 call_usermodehelper_exec_work+0x204/0x240 kernel/umh.c:195 process_one_work+0x780/0x1570 kernel/workqueue.c:2145 worker_thread+0xd0/0xc00 kernel/workqueue.c:2279 kthread+0x316/0x3d0 kernel/kthread.c:240 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:412 Allocated by task 3561: save_stack mm/kasan/kasan.c:448 [inline] set_track mm/kasan/kasan.c:460 [inline] kasan_kmalloc.part.1+0x62/0xf0 mm/kasan/kasan.c:553 kasan_kmalloc+0xaf/0xc0 mm/kasan/kasan.c:538 kmem_cache_alloc_trace+0x152/0x3f0 mm/slab.c:3620 kmalloc include/linux/slab.h:512 [inline] kzalloc include/linux/slab.h:701 [inline] call_usermodehelper_setup+0x65/0x2c0 kernel/umh.c:382 kobject_uevent_env+0x8c2/0xe40 lib/kobject_uevent.c:608 kobject_synth_uevent+0x5d9/0x833 lib/kobject_uevent.c:208 uevent_store+0x1c/0x40 drivers/base/core.c:993 dev_attr_store+0x37/0x70 drivers/base/core.c:713 sysfs_kf_write+0xfd/0x150 fs/sysfs/file.c:139 kernfs_fop_write+0x255/0x410 fs/kernfs/file.c:316 __vfs_write+0xe3/0x860 fs/read_write.c:485 vfs_write+0x150/0x4f0 fs/read_write.c:549 ksys_write+0xcd/0x1b0 fs/read_write.c:598 __do_sys_write fs/read_write.c:610 [inline] __se_sys_write fs/read_write.c:607 [inline] __x64_sys_write+0x6e/0xb0 fs/read_write.c:607 do_syscall_64+0xd0/0x4d0 arch/x86/entry/common.c:287 entry_SYSCALL_64_after_hwframe+0x49/0xbe Freed by task 16989: save_stack mm/kasan/kasan.c:448 [inline] set_track mm/kasan/kasan.c:460 [inline] __kasan_slab_free+0x13c/0x220 mm/kasan/kasan.c:521 kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:528 __cache_free mm/slab.c:3498 [inline] kfree+0xcf/0x280 mm/slab.c:3813 call_usermodehelper_freeinfo kernel/umh.c:45 [inline] umh_complete+0x52/0x60 kernel/umh.c:59 call_usermodehelper_exec_async+0x465/0x550 kernel/umh.c:116 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:412 The buggy address belongs to the object at ffff88009f343700 which belongs to the cache kmalloc-192 of size 192 The buggy address is located 112 bytes inside of 192-byte region [ffff88009f343700, ffff88009f3437c0) The buggy address belongs to the page: page:ffffea00027cd0c0 count:1 mapcount:0 mapping:ffff88009f343000 index:0x0 flags: 0xfffe0000000100(slab) raw: 00fffe0000000100 ffff88009f343000 0000000000000000 0000000100000010 raw: ffffea0002903aa0 ffffea0002767a60 ffff8800aa800040 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff88009f343600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff88009f343680: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc >ffff88009f343700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff88009f343780: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc ffff88009f343800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ==================================================================