[ 3.286772] ================================================================== [ 3.288470] BUG: KASAN: use-after-free in __list_del_entry_valid+0x148/0x188 [ 3.290230] Read of size 8 at addr ffff80000af53b40 by task repro/1374 [ 3.291682] [ 3.292099] CPU: 2 PID: 1374 Comm: repro Not tainted 4.13.0 #47 [ 3.293653] Hardware name: linux,dummy-virt (DT) [ 3.294862] Call trace: [ 3.295506] [<ffff20000808fd00>] dump_backtrace+0x0/0x420 [ 3.296887] [<ffff2000080903ec>] show_stack+0x14/0x20 [ 3.298173] [<ffff2000098c1424>] dump_stack+0xcc/0xf8 [ 3.299463] [<ffff2000083dc2c0>] print_address_description+0x60/0x250 [ 3.301101] [<ffff2000083dc7b0>] kasan_report+0x238/0x2f8 [ 3.302474] [<ffff2000083dc8e8>] __asan_report_load8_noabort+0x18/0x20 [ 3.304144] [<ffff2000088d74a0>] __list_del_entry_valid+0x148/0x188 [ 3.305734] [<ffff2000084dc5d8>] userfaultfd_event_wait_completion+0x278/0x568 [ 3.307567] [<ffff2000084e0f38>] dup_userfaultfd_complete+0x110/0x290 [ 3.309205] [<ffff200008114df4>] copy_process.isra.6.part.7+0x39b4/0x4768 [ 3.310920] [<ffff200008115f60>] _do_fork+0x120/0x590 [ 3.312209] [<ffff200008116498>] SyS_clone+0x18/0x20 [ 3.313471] [<ffff200008083f30>] el0_svc_naked+0x24/0x28 [ 3.314816] [ 3.315212] The buggy address belongs to the page: [ 3.316439] page:ffff7e00002bd4c0 count:0 mapcount:0 mapping: (null) index:0x0 [ 3.318456] flags: 0xfffc00000000000() [ 3.319208] raw: 0fffc00000000000 0000000000000000 0000000000000000 00000000ffffffff [ 3.321177] raw: dead000000000100 dead000000000200 0000000000000000 0000000000000000 [ 3.323125] page dumped because: kasan: bad access detected [ 3.324542] [ 3.324938] Memory state around the buggy address: [ 3.326155] ffff80000af53a00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 3.327983] ffff80000af53a80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 3.329808] >ffff80000af53b00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 3.331635] ^ [ 3.332980] ffff80000af53b80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 3.334801] ffff80000af53c00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 3.336627] ================================================================== [ 3.338447] Disabling lock debugging due to kernel taint [ 3.339915] Kernel panic - not syncing: panic_on_warn set ... [ 3.339915] [ 3.341081] CPU: 2 PID: 1374 Comm: repro Tainted: G B 4.13.0 #47 [ 3.342884] Hardware name: linux,dummy-virt (DT) [ 3.344062] Call trace: [ 3.344698] [<ffff20000808fd00>] dump_backtrace+0x0/0x420 [ 3.346066] [<ffff2000080903ec>] show_stack+0x14/0x20 [ 3.347346] [<ffff2000098c1424>] dump_stack+0xcc/0xf8 [ 3.348637] [<ffff2000081179c4>] panic+0x1e4/0x358 [ 3.349855] [<ffff2000083dc230>] kasan_save_enable_multi_shot+0x0/0x30 [ 3.351504] [<ffff2000083dc66c>] kasan_report+0xf4/0x2f8 [ 3.352860] [<ffff2000083dc8e8>] __asan_report_load8_noabort+0x18/0x20 [ 3.354509] [<ffff2000088d74a0>] __list_del_entry_valid+0x148/0x188 [ 3.356101] [<ffff2000084dc5d8>] userfaultfd_event_wait_completion+0x278/0x568 [ 3.357920] [<ffff2000084e0f38>] dup_userfaultfd_complete+0x110/0x290 [ 3.359553] [<ffff200008114df4>] copy_process.isra.6.part.7+0x39b4/0x4768 [ 3.361267] [<ffff200008115f60>] _do_fork+0x120/0x590 [ 3.362549] [<ffff200008116498>] SyS_clone+0x18/0x20 [ 3.363815] [<ffff200008083f30>] el0_svc_naked+0x24/0x28 [ 3.365161] SMP: stopping secondary CPUs [ 3.366180] Kernel Offset: disabled [ 3.366784] CPU features: 0x002082 [ 3.367362] Memory Limit: none [ 3.367897] Rebooting in 86400 seconds..