device lo entered promiscuous mode
binder: 20229:20230 ioctl c04c5349 200e3fb4 returned -22
binder: 20229:20230 ioctl c04c5349 200e3fb4 returned -22
==================================================================
BUG: KASAN: use-after-free in __read_once_size include/linux/compiler.h:243 [inline] at addr ffff8801c9317ce8
BUG: KASAN: use-after-free in atomic_read arch/x86/include/asm/atomic.h:26 [inline] at addr ffff8801c9317ce8
BUG: KASAN: use-after-free in static_key_count include/linux/jump_label.h:174 [inline] at addr ffff8801c9317ce8
BUG: KASAN: use-after-free in static_key_false include/linux/jump_label.h:184 [inline] at addr ffff8801c9317ce8
BUG: KASAN: use-after-free in perf_sw_event include/linux/perf_event.h:1039 [inline] at addr ffff8801c9317ce8
BUG: KASAN: use-after-free in __do_page_fault+0xc80/0xd70 arch/x86/mm/fault.c:1438 at addr ffff8801c9317ce8
Read of size 8 by task syz-executor7/20248
CPU: 1 PID: 20248 Comm: syz-executor7 Not tainted 4.9.63-g44a3afc #92
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801a9297d88 ffffffff81d94429 ffff8801da155140 ffff8801c9317c98
 ffff8801c9317d50 ffffed0039262f9d ffff8801c9317ce8 ffff8801a9297db0
 ffffffff8153e3ac ffffed0039262f9d ffff8801da155140 0000000000000000
Call Trace:
 [<ffffffff81d94429>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81d94429>] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [<ffffffff8153e3ac>] kasan_object_err+0x1c/0x70 mm/kasan/report.c:160
 [<ffffffff8153e66c>] print_address_description mm/kasan/report.c:198 [inline]
 [<ffffffff8153e66c>] kasan_report_error mm/kasan/report.c:287 [inline]
 [<ffffffff8153e66c>] kasan_report.part.1+0x21c/0x500 mm/kasan/report.c:309
 [<ffffffff8153ea09>] kasan_report mm/kasan/report.c:330 [inline]
 [<ffffffff8153ea09>] __asan_report_load8_noabort+0x29/0x30 mm/kasan/report.c:330
 [<ffffffff810e1b10>] __read_once_size include/linux/compiler.h:243 [inline]
 [<ffffffff810e1b10>] atomic_read arch/x86/include/asm/atomic.h:26 [inline]
 [<ffffffff810e1b10>] static_key_count include/linux/jump_label.h:174 [inline]
 [<ffffffff810e1b10>] static_key_false include/linux/jump_label.h:184 [inline]
 [<ffffffff810e1b10>] perf_sw_event include/linux/perf_event.h:1039 [inline]
 [<ffffffff810e1b10>] __do_page_fault+0xc80/0xd70 arch/x86/mm/fault.c:1438
 [<ffffffff810e1c27>] do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1460
 [<ffffffff838ae8d8>] page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1012
Object at ffff8801c9317c98, in cache vm_area_struct size: 184
Allocated:
PID = 20248
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:495
 set_track mm/kasan/kasan.c:507 [inline]
 kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598
 kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:537
 slab_post_alloc_hook mm/slab.h:417 [inline]
 slab_alloc_node mm/slub.c:2715 [inline]
 slab_alloc mm/slub.c:2723 [inline]
 kmem_cache_alloc+0xba/0x290 mm/slub.c:2728
 kmem_cache_zalloc include/linux/slab.h:626 [inline]
 mmap_region+0x587/0xfd0 mm/mmap.c:1662
 do_mmap+0x57b/0xbe0 mm/mmap.c:1473
 do_mmap_pgoff include/linux/mm.h:2014 [inline]
 vm_mmap_pgoff+0x16b/0x1b0 mm/util.c:305
 SYSC_mmap_pgoff mm/mmap.c:1523 [inline]
 SyS_mmap_pgoff+0xd0/0x560 mm/mmap.c:1481
 SYSC_mmap arch/x86/kernel/sys_x86_64.c:95 [inline]
 SyS_mmap+0x16/0x20 arch/x86/kernel/sys_x86_64.c:86
 entry_SYSCALL_64_fastpath+0x23/0xc6
Freed:
PID = 20253
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:495
 set_track mm/kasan/kasan.c:507 [inline]
 kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:571
 slab_free_hook mm/slub.c:1355 [inline]
 slab_free_freelist_hook mm/slub.c:1377 [inline]
 slab_free mm/slub.c:2958 [inline]
 kmem_cache_free+0xb2/0x2e0 mm/slub.c:2980
 remove_vma+0x11d/0x160 mm/mmap.c:175
 remove_vma_list mm/mmap.c:2482 [inline]
 do_munmap+0x7ff/0xeb0 mm/mmap.c:2705
 mmap_region+0x14d/0xfd0 mm/mmap.c:1635
 do_mmap+0x57b/0xbe0 mm/mmap.c:1473
 do_mmap_pgoff include/linux/mm.h:2014 [inline]
 vm_mmap_pgoff+0x16b/0x1b0 mm/util.c:305
 SYSC_mmap_pgoff mm/mmap.c:1523 [inline]
 SyS_mmap_pgoff+0xd0/0x560 mm/mmap.c:1481
 SYSC_mmap arch/x86/kernel/sys_x86_64.c:95 [inline]
 SyS_mmap+0x16/0x20 arch/x86/kernel/sys_x86_64.c:86
 entry_SYSCALL_64_fastpath+0x23/0xc6
Memory state around the buggy address:
 ffff8801c9317b80: fc fc fc fc fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8801c9317c00: fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc fc
>ffff8801c9317c80: fc fc fc fb fb fb fb fb fb fb fb fb fb fb fb fb
                                                          ^
 ffff8801c9317d00: fb fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc
 ffff8801c9317d80: fc fc fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
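The report above is the only substantive finding in this log: a freed vm_area_struct (cache size 184) is read 8 bytes at a time from perf_sw_event() inside __do_page_fault(), with the object allocated by one syz-executor task's mmap() and freed by another task's munmap() path. Triaging such syzbot output by hand means re-reading the same fields every time, so the following is an added example of a small parser that does it: it pulls the bug type, faulting address, object, allocation and free stacks and the shadow-memory dump out of the report, then checks that the shadow byte at the fault is 0xfb, that every shadow byte covering the object reads "freed", and which non-sanitizer frames allocated and freed it. This is not code from the kernel, from syzkaller or from the log's author. The REPORT string is copied from the lines above with most stack frames dropped for brevity; the shadow-byte meanings are those of generic KASAN's kasan.h in 4.9-era kernels, and the INTERNAL_PREFIXES list used to skip sanitizer and SLUB plumbing frames is a heuristic chosen here.

```python
import re

# Excerpt of the KASAN report from the log above; most frames of the two stacks
# and all but two of the repeated "BUG: KASAN: ... [inline]" header lines are trimmed.
REPORT = """\
BUG: KASAN: use-after-free in perf_sw_event include/linux/perf_event.h:1039 [inline] at addr ffff8801c9317ce8
BUG: KASAN: use-after-free in __do_page_fault+0xc80/0xd70 arch/x86/mm/fault.c:1438 at addr ffff8801c9317ce8
Read of size 8 by task syz-executor7/20248
CPU: 1 PID: 20248 Comm: syz-executor7 Not tainted 4.9.63-g44a3afc #92
Object at ffff8801c9317c98, in cache vm_area_struct size: 184
Allocated:
PID = 20248
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:537
 kmem_cache_alloc+0xba/0x290 mm/slub.c:2728
 mmap_region+0x587/0xfd0 mm/mmap.c:1662
 SyS_mmap+0x16/0x20 arch/x86/kernel/sys_x86_64.c:86
Freed:
PID = 20253
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:571
 kmem_cache_free+0xb2/0x2e0 mm/slub.c:2980
 remove_vma+0x11d/0x160 mm/mmap.c:175
 do_munmap+0x7ff/0xeb0 mm/mmap.c:2705
 mmap_region+0x14d/0xfd0 mm/mmap.c:1635
Memory state around the buggy address:
 ffff8801c9317c00: fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc fc
>ffff8801c9317c80: fc fc fc fb fb fb fb fb fb fb fb fb fb fb fb fb
                                                          ^
 ffff8801c9317d00: fb fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc
"""

KASAN_SHADOW_SCALE_SHIFT = 3  # one shadow byte describes 8 bytes of kernel memory

# Shadow values of generic KASAN (mm/kasan/kasan.h, 4.9-era kernels); 1..7 = partially addressable
SHADOW_MEANING = {
    0x00: "addressable", 0xfa: "global redzone", 0xfb: "freed kmalloc/slab object",
    0xfc: "slab redzone", 0xfe: "page redzone", 0xff: "freed page",
    0xf1: "stack left redzone", 0xf2: "stack mid redzone", 0xf3: "stack right redzone",
    0xf4: "stack partial redzone", 0xf8: "stack use after scope",
}
# Heuristic (chosen here): frames that belong to the sanitizer/allocator, not to the bug
INTERNAL_PREFIXES = ("save_stack", "set_track", "kasan_", "slab_", "kmem_cache_", "__asan_")

HEADER_RE = re.compile(r"^BUG: KASAN: (?P<type>[\w-]+) in (?P<frame>\S+) (?P<loc>\S+)(?: \[inline\])? at addr (?P<addr>[0-9a-f]+)")
ACCESS_RE = re.compile(r"^(?P<access>Read|Write) of size (?P<size>\d+) by task (?P<comm>\S+)/(?P<pid>\d+)")
CPU_RE = re.compile(r"^CPU: \d+ PID: \d+ Comm: \S+ (?:Not tainted|Tainted: .*?) (?P<ver>\d\S*) #")
OBJECT_RE = re.compile(r"^Object at (?P<obj>[0-9a-f]+), in cache (?P<cache>\S+) size: (?P<size>\d+)")
SHADOW_RE = re.compile(r"^>?\s*(?P<base>[0-9a-f]{16}): (?P<bytes>(?:[0-9a-f]{2} ?){16})")
FRAME_RE = re.compile(r"^\s+(?:\[<[0-9a-f]+>\] )?(?P<frame>[A-Za-z_]\w*)")  # symbol without +off/len


def shadow_meaning(b):
    if 1 <= b <= 7:
        return f"partially addressable ({b} of 8 bytes)"
    return SHADOW_MEANING.get(b, f"unknown shadow value {b:#04x}")


def parse_kasan(text):
    """Extract the fields of one KASAN report into a dict; shadow is {8-byte-aligned addr: byte}."""
    rep = {"alloc_stack": [], "free_stack": [], "shadow": {}}
    section = None
    for line in text.splitlines():
        if m := HEADER_RE.match(line):
            # one BUG line per inlined frame; the last names the outermost real function
            rep.update(type=m["type"], frame=m["frame"].split("+")[0], loc=m["loc"], addr=int(m["addr"], 16))
        elif m := ACCESS_RE.match(line):
            rep.update(access=m["access"], size=int(m["size"]), comm=m["comm"], pid=int(m["pid"]))
        elif m := CPU_RE.match(line):
            rep["kernel"] = m["ver"]
        elif m := OBJECT_RE.match(line):
            rep.update(obj=int(m["obj"], 16), cache=m["cache"], obj_size=int(m["size"]))
        elif line.startswith("Allocated:"):
            section = "alloc"
        elif line.startswith("Freed:"):
            section = "free"
        elif line.startswith("Memory state"):
            section = "shadow"
        elif section in ("alloc", "free") and line.startswith("PID = "):
            rep[section + "_pid"] = int(line.split("=")[1])
        elif section in ("alloc", "free") and (m := FRAME_RE.match(line)):
            rep[section + "_stack"].append(m["frame"])
        elif section == "shadow" and (m := SHADOW_RE.match(line)):
            base = int(m["base"], 16)
            for i, b in enumerate(m["bytes"].split()):
                rep["shadow"][base + (i << KASAN_SHADOW_SCALE_SHIFT)] = int(b, 16)
    return rep


def shadow_for(rep, addr):
    """Shadow byte covering addr, or None if that shadow line was not printed."""
    return rep["shadow"].get(addr & ~((1 << KASAN_SHADOW_SCALE_SHIFT) - 1))


def first_caller(frames):
    """First frame outside the KASAN/SLUB plumbing: where the object was really (de)allocated."""
    return next((f for f in frames if not f.startswith(INTERNAL_PREFIXES)), None)


def triage(rep):
    obj, size, step = rep["obj"], rep["obj_size"], 1 << KASAN_SHADOW_SCALE_SHIFT
    covered = [shadow_for(rep, a) for a in range(obj, obj + size, step)]  # shadow of the whole object
    off = rep["addr"] - obj
    return {
        "summary": f"{rep['type']}: {rep['access']} of {rep['size']} bytes at +{off:#x} into "
                   f"{rep['cache']} ({size} bytes) in {rep['frame']}, kernel {rep['kernel']}",
        "offset": off,
        "in_bounds": 0 <= off < size,               # False would point at an OOB, not a UAF
        "shadow_at_fault": shadow_meaning(shadow_for(rep, rep["addr"])),
        "object_fully_freed": all(b == 0xfb for b in covered),
        "cross_task": rep["alloc_pid"] != rep["free_pid"],
        "alloc_caller": first_caller(rep["alloc_stack"]),
        "free_caller": first_caller(rep["free_stack"]),
    }


if __name__ == "__main__":
    for key, value in triage(parse_kasan(REPORT)).items():
        print(f"{key:>20}: {value}")
```

Run against the excerpt, the checks come out as expected for a genuine use-after-free rather than an out-of-bounds access: the fault lands 0x50 bytes into the 184-byte object, every one of the 23 shadow bytes covering it reads 0xfb, the bytes just outside are 0xfc slab redzone, and the allocating and freeing callers are mmap_region() and remove_vma() in different tasks. Point the same parser at a full syzbot log and feed it the text between the two "=====" rulers.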
program syz-executor7 is using a deprecated SCSI ioctl, please convert it to SG_IO
sd 0:0:1:0: ioctl_internal_command: ILLEGAL REQUEST asc=0x20 ascq=0x0
program syz-executor7 is using a deprecated SCSI ioctl, please convert it to SG_IO
sd 0:0:1:0: ioctl_internal_command: ILLEGAL REQUEST asc=0x20 ascq=0x0
binder: 20404:20407 ioctl 5425 3f returned -22
IPv6: ADDRCONF(NETDEV_CHANGE): lo: link becomes ready
qtaguid: iface_stat: create6(lo): no inet dev
binder: 20404:20417 ioctl 5425 3f returned -22
binder: 20492:20499 ioctl 5411 20826ffc returned -22
netlink: 5 bytes leftover after parsing attributes in process `syz-executor2'.
netlink: 5 bytes leftover after parsing attributes in process `syz-executor2'.
device gre0 entered promiscuous mode
device lo entered promiscuous mode
device lo left promiscuous mode
device lo entered promiscuous mode
device lo left promiscuous mode
device gre0 entered promiscuous mode
device gre0 entered promiscuous mode
tmpfs: No value for mount option '�'
tmpfs: No value for mount option '�'
binder: 20830:20831 ioctl 8905 20ef6000 returned -22
binder: 20830:20831 ioctl 8905 20ef6000 returned -22
binder: 20851:20856 ioctl 8914 2062ffe0 returned -22
binder: 20851:20856 ioctl 540f 2091c000 returned -22
device lo entered promiscuous mode
binder: 20851:20856 ioctl 8914 2062ffe0 returned -22
binder: 20851:20856 ioctl 540f 2091c000 returned -22
device lo left promiscuous mode
netlink: 5 bytes leftover after parsing attributes in process `syz-executor0'.
netlink: 5 bytes leftover after parsing attributes in process `syz-executor0'.
netlink: 1 bytes leftover after parsing attributes in process `syz-executor1'.
binder: 20952:20963 ioctl 8905 20ef6000 returned -22
binder: 20952:20963 ioctl c0206434 20630fe0 returned -22
binder: 20952:20990 ioctl 8905 20ef6000 returned -22
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=59136 sclass=netlink_route_socket pig=20997 comm=syz-executor1
binder: 20952:20990 ioctl c0206434 20630fe0 returned -22
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=59136 sclass=netlink_route_socket pig=20997 comm=syz-executor1
device gre0 entered promiscuous mode
IPVS: Creating netns size=2536 id=91
netlink: 5 bytes leftover after parsing attributes in process `syz-executor0'.
netlink: 5 bytes leftover after parsing attributes in process `syz-executor1'.
IPv6: Can't replace route, no match found
netlink: 5 bytes leftover after parsing attributes in process `syz-executor0'.
IPVS: Creating netns size=2536 id=92
netlink: 5 bytes leftover after parsing attributes in process `syz-executor1'.
IPv6: Can't replace route, no match found
binder: 21214:21219 ioctl 4b44 20ad2000 returned -22
sg_write: data in/out 822404280/197 bytes for SCSI command 0x12-- guessing data in;
   program syz-executor4 not setting count and/or reply_len properly
binder_alloc: binder_alloc_mmap_handler: 21324 2076f000-20772000 already mapped failed -16
pktgen: kernel_thread() failed for cpu 0
pktgen: Cannot create thread for cpu 0 (-4)
pktgen: kernel_thread() failed for cpu 1
pktgen: Cannot create thread for cpu 1 (-4)
pktgen: Initialization failed for all threads
pktgen: kernel_thread() failed for cpu 0
pktgen: Cannot create thread for cpu 0 (-4)
pktgen: kernel_thread() failed for cpu 1
pktgen: Cannot create thread for cpu 1 (-4)
pktgen: Initialization failed for all threads
pktgen: kernel_thread() failed for cpu 0
pktgen: Cannot create thread for cpu 0 (-4)
pktgen: kernel_thread() failed for cpu 1
pktgen: Cannot create thread for cpu 1 (-4)
pktgen: Initialization failed for all threads
netlink: 2 bytes leftover after parsing attributes in process `syz-executor5'.
pktgen: kernel_thread() failed for cpu 0
pktgen: Cannot create thread for cpu 0 (-4)
pktgen: kernel_thread() failed for cpu 1
pktgen: Cannot create thread for cpu 1 (-4)
pktgen: Initialization failed for all threads
TCP: request_sock_TCPv6: Possible SYN flooding on port 20012. Sending cookies.  Check SNMP counters.
device gre0 entered promiscuous mode
device gre0 left promiscuous mode
device gre0 entered promiscuous mode
netlink: 2 bytes leftover after parsing attributes in process `syz-executor5'.
netlink: 1 bytes leftover after parsing attributes in process `syz-executor1'.
pktgen: kernel_thread() failed for cpu 0
pktgen: Cannot create thread for cpu 0 (-4)
pktgen: kernel_thread() failed for cpu 1
pktgen: Cannot create thread for cpu 1 (-4)
pktgen: Initialization failed for all threads
pktgen: kernel_thread() failed for cpu 0
pktgen: Cannot create thread for cpu 0 (-4)
pktgen: kernel_thread() failed for cpu 1
pktgen: Cannot create thread for cpu 1 (-4)
pktgen: Initialization failed for all threads
loop_reread_partitions: partition scan of loop0 (-\�t�@��r�9h�xG�Q:[����i�l�	
�L�*��@����R�-�T�r-�x��) failed (rc=-13)
loop_reread_partitions: partition scan of loop0 (-\�t�@��r�9h�xG�Q:[����i�l�	
�L�*��@����R�-�T�r-�x��) failed (rc=-13)
device lo left promiscuous mode
IPv6: RTM_NEWROUTE with no NLM_F_CREATE or NLM_F_REPLACE
IPv6: NLM_F_CREATE should be set when creating new route
IPv6: NLM_F_CREATE should be set when creating new route
device gre0 entered promiscuous mode
device lo entered promiscuous mode
device gre0 left promiscuous mode
device lo left promiscuous mode
device gre0 entered promiscuous mode
tc_dump_action: action bad kind
tc_dump_action: action bad kind
device eql entered promiscuous mode
device lo left promiscuous mode
9pnet_virtio: no channels available for device ./file0
9pnet_virtio: no channels available for device ./file0
binder: 22260:22265 ioctl 8927 204dcfd8 returned -22
binder: 22260:22265 ioctl 5413 20f4fad0 returned -22
binder: 22260:22265 ioctl 8904 20f41ffc returned -22
binder: 22260:22273 ioctl 8927 204dcfd8 returned -22
binder: 22260:22265 ioctl 5413 20f4fad0 returned -22
binder: 22260:22275 ioctl 8904 20f41ffc returned -22
FAULT_FLAG_ALLOW_RETRY missing 31
CPU: 0 PID: 22290 Comm: syz-executor3 Tainted: G    B           4.9.63-g44a3afc #92
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801c9c37870 ffffffff81d94429 ffff8801c9c37b50 0000000000000000
 ffff8801c5397f10 ffff8801c9c37a40 ffff8801c5397e00 ffff8801c9c37a68
 ffffffff816623c7 ffff8801c9c378a0 ffffffff811bcccd 0000000006e4f280
Call Trace:
device lo entered promiscuous mode
 [<ffffffff81d94429>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81d94429>] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [<ffffffff816623c7>] handle_userfault+0xa37/0x1300 fs/userfaultfd.c:323
binder: 22322:22326 ioctl 80084502 2099ffaa returned -22
binder: 22322:22329 ioctl 80084502 2099ffaa returned -22
 [<ffffffff814d1672>] do_anonymous_page mm/memory.c:2783 [inline]
 [<ffffffff814d1672>] handle_pte_fault mm/memory.c:3488 [inline]
 [<ffffffff814d1672>] __handle_mm_fault mm/memory.c:3577 [inline]
 [<ffffffff814d1672>] handle_mm_fault+0x1f82/0x2530 mm/memory.c:3614
 [<ffffffff810e1447>] __do_page_fault+0x5b7/0xd70 arch/x86/mm/fault.c:1396
 [<ffffffff810e1c27>] do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1460
 [<ffffffff838ae8d8>] page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1012
 [<ffffffff820604d5>] SYSC_getrandom drivers/char/random.c:1899 [inline]
 [<ffffffff820604d5>] SyS_getrandom+0x165/0x2a0 drivers/char/random.c:1880
 [<ffffffff838ad705>] entry_SYSCALL_64_fastpath+0x23/0xc6
device lo left promiscuous mode
device lo entered promiscuous mode
device lo left promiscuous mode
FAULT_FLAG_ALLOW_RETRY missing 31
CPU: 0 PID: 22290 Comm: syz-executor3 Tainted: G    B           4.9.63-g44a3afc #92
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801c9c37870 ffffffff81d94429 ffff8801c9c37b50 0000000000000000
 ffff8801c5397190 ffff8801c9c37a40 ffff8801c5397080 ffff8801c9c37a68
 ffffffff816623c7 ffff8801c9c378a0 ffffffff811bcccd 0000000006db0880
Call Trace:
 [<ffffffff81d94429>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81d94429>] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [<ffffffff816623c7>] handle_userfault+0xa37/0x1300 fs/userfaultfd.c:323
 [<ffffffff814d1672>] do_anonymous_page mm/memory.c:2783 [inline]
 [<ffffffff814d1672>] handle_pte_fault mm/memory.c:3488 [inline]
 [<ffffffff814d1672>] __handle_mm_fault mm/memory.c:3577 [inline]
 [<ffffffff814d1672>] handle_mm_fault+0x1f82/0x2530 mm/memory.c:3614
 [<ffffffff810e1447>] __do_page_fault+0x5b7/0xd70 arch/x86/mm/fault.c:1396
 [<ffffffff810e1c27>] do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1460
 [<ffffffff838ae8d8>] page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1012
 [<ffffffff820604d5>] SYSC_getrandom drivers/char/random.c:1899 [inline]
 [<ffffffff820604d5>] SyS_getrandom+0x165/0x2a0 drivers/char/random.c:1880
 [<ffffffff838ad705>] entry_SYSCALL_64_fastpath+0x23/0xc6
device lo entered promiscuous mode
device lo left promiscuous mode
device lo entered promiscuous mode
device lo left promiscuous mode
ALSA: seq fatal error: cannot create timer (-19)
nla_parse: 10 callbacks suppressed
netlink: 73 bytes leftover after parsing attributes in process `syz-executor6'.
netlink: 73 bytes leftover after parsing attributes in process `syz-executor6'.