[ 54.680063] ==================================================================
[ 54.681042] BUG: KASAN: use-after-free in __list_del_entry_valid+0x126/0x170
[ 54.681042] Read of size 8 at addr ffff8801721cfbc8 by task repro/2162
[ 54.681042]
[ 54.681042] CPU: 2 PID: 2162 Comm: repro Not tainted 4.13.0 #2
[ 54.681042] Hardware name: LENOVO 7484A3G/LENOVO, BIOS 5CKT54AUS 09/07/2009
[ 54.681042] Call Trace:
[ 54.681042]  dump_stack+0x6c/0x9c
[ 54.681042]  ? __list_del_entry_valid+0x126/0x170
[ 54.681042]  print_address_description+0x6a/0x280
[ 54.681042]  ? __list_del_entry_valid+0x126/0x170
[ 54.681042]  kasan_report+0x22b/0x340
[ 54.681042]  __asan_report_load8_noabort+0x14/0x20
[ 54.681042]  __list_del_entry_valid+0x126/0x170
[ 54.681042]  userfaultfd_event_wait_completion+0x457/0x800
[ 54.681042]  ? userfaultfd_read+0x18b0/0x18b0
[ 54.681042]  dup_userfaultfd_complete+0x148/0x340
[ 54.681042]  ? dup_userfaultfd+0x650/0x650
[ 54.681042]  ? wake_up_q+0xe0/0xe0
[ 54.681042]  ? __vma_link_rb+0x222/0x310
[ 54.681042]  copy_process.part.47+0x4d47/0x5600
[ 54.681042]  ? __cleanup_sighand+0x40/0x40
[ 54.681042]  _do_fork+0x18f/0x850
[ 54.681042]  ? fork_idle+0x180/0x180
[ 54.681042]  SyS_clone+0x37/0x50
[ 54.681042]  ? ptregs_sys_rt_sigreturn+0x10/0x10
[ 54.681042]  do_syscall_64+0x184/0x3a0
[ 54.681042]  ? SyS_set_robust_list+0x6a/0x90
[ 54.681042]  entry_SYSCALL64_slow_path+0x25/0x25
[ 54.681042] RIP: 0033:0x7f6d29fe6354
[ 54.681042] RSP: 002b:00007f6d2952bee0 EFLAGS: 00000246 ORIG_RAX: 0000000000000038
[ 54.681042] RAX: ffffffffffffffda RBX: 00007f6d2952bee0 RCX: 00007f6d29fe6354
[ 54.681042] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000001200011
[ 54.681042] RBP: 00007f6d2952bf30 R08: 00007f6d2952c700 R09: 0000000000000872
[ 54.681042] R10: 00007f6d2952c9d0 R11: 0000000000000246 R12: 0000000000000000
[ 54.681042] R13: 0000000000000020 R14: 0000000000000001 R15: 0000000000000000
[ 54.681042]
[ 54.681042] The buggy address belongs to the page:
[ 54.681042] page:ffffea0005c873c0 count:0 mapcount:0 mapping:          (null) index:0x0
[ 54.681042] flags: 0x200000000000000()
[ 54.681042] raw: 0200000000000000 0000000000000000 0000000000000000 00000000ffffffff
[ 54.681042] raw: 0000000000000000 ffffea0005c873e0 0000000000000000 0000000000000000
[ 54.681042] page dumped because: kasan: bad access detected
[ 54.681042]
[ 54.681042] Memory state around the buggy address:
[ 54.681042]  ffff8801721cfa80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 54.681042]  ffff8801721cfb00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 54.681042] >ffff8801721cfb80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 54.681042]                                               ^
[ 54.681042]  ffff8801721cfc00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 54.681042]  ffff8801721cfc80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 54.681042] ==================================================================
[ 54.681042] Disabling lock debugging due to kernel taint
[ 54.955604] list_del corruption. prev->next should be ffff88017333fb80, but was ffffffff9d9b3eda
[ 54.964493] ------------[ cut here ]------------
[ 54.969130] WARNING: CPU: 2 PID: 2162 at lib/list_debug.c:53 __list_del_entry_valid+0x102/0x170
[ 54.977818] Modules linked in:
[ 54.980900] CPU: 2 PID: 2162 Comm: repro Tainted: G B 4.13.0 #2
[ 54.987945] Hardware name: LENOVO 7484A3G/LENOVO, BIOS 5CKT54AUS 09/07/2009
[ 54.994914] task: ffff880176bf9a80 task.stack: ffff880173338000
[ 55.000843] RIP: 0010:__list_del_entry_valid+0x102/0x170
[ 55.006161] RSP: 0018:ffff88017333fa10 EFLAGS: 00010282
[ 55.011395] RAX: 0000000000000054 RBX: ffff8801721cfbc8 RCX: 0000000000000000
[ 55.018534] RDX: 0000000000000054 RSI: ffff880181715bb8 RDI: ffffed002e667f36
[ 55.025669] RBP: ffff88017333fa28 R08: 0000000000000002 R09: fffffbfff40d6a7c
[ 55.032814] R10: ffff88017333f828 R11: fffffbfff40d6a7d R12: ffff8801721cfbc8
[ 55.039948] R13: ffff88017333fb48 R14: ffff880174fa9048 R15: dffffc0000000000
[ 55.047086] FS:  00007f6d2952c700(0000) GS:ffff880181700000(0000) knlGS:0000000000000000
[ 55.055171] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 55.060925] CR2: 000055aa069fe9f0 CR3: 0000000176e40000 CR4: 00000000000406e0
[ 55.068067] Call Trace:
[ 55.070541]  userfaultfd_event_wait_completion+0x457/0x800
[ 55.076034]  ? userfaultfd_read+0x18b0/0x18b0
[ 55.080413]  dup_userfaultfd_complete+0x148/0x340
[ 55.085123]  ? dup_userfaultfd+0x650/0x650
[ 55.089237]  ? wake_up_q+0xe0/0xe0
[ 55.092650]  ? __vma_link_rb+0x222/0x310
[ 55.096594]  copy_process.part.47+0x4d47/0x5600
[ 55.101133]  ? __cleanup_sighand+0x40/0x40
[ 55.105239]  _do_fork+0x18f/0x850
[ 55.108568]  ? fork_idle+0x180/0x180
[ 55.112164]  SyS_clone+0x37/0x50
[ 55.115404]  ? ptregs_sys_rt_sigreturn+0x10/0x10
[ 55.120032]  do_syscall_64+0x184/0x3a0
[ 55.123797]  ? SyS_set_robust_list+0x6a/0x90
[ 55.128077]  entry_SYSCALL64_slow_path+0x25/0x25
[ 55.132702] RIP: 0033:0x7f6d29fe6354
[ 55.136290] RSP: 002b:00007f6d2952bee0 EFLAGS: 00000246 ORIG_RAX: 0000000000000038
[ 55.143862] RAX: ffffffffffffffda RBX: 00007f6d2952bee0 RCX: 00007f6d29fe6354
[ 55.150998] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000001200011
[ 55.158133] RBP: 00007f6d2952bf30 R08: 00007f6d2952c700 R09: 0000000000000872
[ 55.165269] R10: 00007f6d2952c9d0 R11: 0000000000000246 R12: 0000000000000000
[ 55.172405] R13: 0000000000000020 R14: 0000000000000001 R15: 0000000000000000
[ 55.179541] Code: 0f ff 48 83 c4 08 31 c0 5b 41 5c 5d c3 48 c7 c7 a0 32 b3 9f e8 05 0a 6a ff 0f ff 31 c0 eb c9 48 c7 c7 00 33 b3 9f e8 f3 09 6a ff <0f> ff 31 c0 eb b7 48 c7 c7 60 33 b3 9f e8 e1 09 6a ff 0f ff 31
[ 55.198416] ---[ end trace 1035fa6e7ae9bff0 ]---