[    3.286772] ==================================================================
[    3.288470] BUG: KASAN: use-after-free in __list_del_entry_valid+0x148/0x188
[    3.290230] Read of size 8 at addr ffff80000af53b40 by task repro/1374
[    3.291682]
[    3.292099] CPU: 2 PID: 1374 Comm: repro Not tainted 4.13.0 #47
[    3.293653] Hardware name: linux,dummy-virt (DT)
[    3.294862] Call trace:
[    3.295506] [] dump_backtrace+0x0/0x420
[    3.296887] [] show_stack+0x14/0x20
[    3.298173] [] dump_stack+0xcc/0xf8
[    3.299463] [] print_address_description+0x60/0x250
[    3.301101] [] kasan_report+0x238/0x2f8
[    3.302474] [] __asan_report_load8_noabort+0x18/0x20
[    3.304144] [] __list_del_entry_valid+0x148/0x188
[    3.305734] [] userfaultfd_event_wait_completion+0x278/0x568
[    3.307567] [] dup_userfaultfd_complete+0x110/0x290
[    3.309205] [] copy_process.isra.6.part.7+0x39b4/0x4768
[    3.310920] [] _do_fork+0x120/0x590
[    3.312209] [] SyS_clone+0x18/0x20
[    3.313471] [] el0_svc_naked+0x24/0x28
[    3.314816]
[    3.315212] The buggy address belongs to the page:
[    3.316439] page:ffff7e00002bd4c0 count:0 mapcount:0 mapping:          (null) index:0x0
[    3.318456] flags: 0xfffc00000000000()
[    3.319208] raw: 0fffc00000000000 0000000000000000 0000000000000000 00000000ffffffff
[    3.321177] raw: dead000000000100 dead000000000200 0000000000000000 0000000000000000
[    3.323125] page dumped because: kasan: bad access detected
[    3.324542]
[    3.324938] Memory state around the buggy address:
[    3.326155]  ffff80000af53a00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[    3.327983]  ffff80000af53a80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[    3.329808] >ffff80000af53b00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[    3.331635]                                            ^
[    3.332980]  ffff80000af53b80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[    3.334801]  ffff80000af53c00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[    3.336627] ==================================================================
[    3.338447] Disabling lock debugging due to kernel taint
[    3.339915] Kernel panic - not syncing: panic_on_warn set ...
[    3.339915]
[    3.341081] CPU: 2 PID: 1374 Comm: repro Tainted: G    B           4.13.0 #47
[    3.342884] Hardware name: linux,dummy-virt (DT)
[    3.344062] Call trace:
[    3.344698] [] dump_backtrace+0x0/0x420
[    3.346066] [] show_stack+0x14/0x20
[    3.347346] [] dump_stack+0xcc/0xf8
[    3.348637] [] panic+0x1e4/0x358
[    3.349855] [] kasan_save_enable_multi_shot+0x0/0x30
[    3.351504] [] kasan_report+0xf4/0x2f8
[    3.352860] [] __asan_report_load8_noabort+0x18/0x20
[    3.354509] [] __list_del_entry_valid+0x148/0x188
[    3.356101] [] userfaultfd_event_wait_completion+0x278/0x568
[    3.357920] [] dup_userfaultfd_complete+0x110/0x290
[    3.359553] [] copy_process.isra.6.part.7+0x39b4/0x4768
[    3.361267] [] _do_fork+0x120/0x590
[    3.362549] [] SyS_clone+0x18/0x20
[    3.363815] [] el0_svc_naked+0x24/0x28
[    3.365161] SMP: stopping secondary CPUs
[    3.366180] Kernel Offset: disabled
[    3.366784] CPU features: 0x002082
[    3.367362] Memory Limit: none
[    3.367897] Rebooting in 86400 seconds..
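Added triage helper, not part of the crash report above and not kernel or syzkaller code: it parses a KASAN report into its fields, derives a syzkaller-style one-line title by skipping the report-machinery frames at the top of the trace, and decodes the shadow byte at the faulting address. The sample input is the report from this page reproduced inline (the first trace and the marked shadow row are all it needs). The list of instrumentation frame prefixes and the generic list-helper pattern are my own heuristic; the shadow poison values are the ones defined in mm/kasan/kasan.h for the 4.13 kernel the report comes from.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Sample input: the KASAN report from this page, reproduced inline so the script
# runs offline. Frame addresses are elided ("[]") exactly as in the page's log.
REPORT = """\
[    3.288470] BUG: KASAN: use-after-free in __list_del_entry_valid+0x148/0x188
[    3.290230] Read of size 8 at addr ffff80000af53b40 by task repro/1374
[    3.292099] CPU: 2 PID: 1374 Comm: repro Not tainted 4.13.0 #47
[    3.294862] Call trace:
[    3.295506] [] dump_backtrace+0x0/0x420
[    3.296887] [] show_stack+0x14/0x20
[    3.298173] [] dump_stack+0xcc/0xf8
[    3.299463] [] print_address_description+0x60/0x250
[    3.301101] [] kasan_report+0x238/0x2f8
[    3.302474] [] __asan_report_load8_noabort+0x18/0x20
[    3.304144] [] __list_del_entry_valid+0x148/0x188
[    3.305734] [] userfaultfd_event_wait_completion+0x278/0x568
[    3.307567] [] dup_userfaultfd_complete+0x110/0x290
[    3.309205] [] copy_process.isra.6.part.7+0x39b4/0x4768
[    3.310920] [] _do_fork+0x120/0x590
[    3.312209] [] SyS_clone+0x18/0x20
[    3.313471] [] el0_svc_naked+0x24/0x28
[    3.314816]
[    3.324938] Memory state around the buggy address:
[    3.329808] >ffff80000af53b00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
"""

TS = re.compile(r"^\[\s*\d+\.\d+\]\s?")                      # dmesg timestamp prefix
BUG_RE = re.compile(r"BUG: KASAN: (?P<kind>[\w-]+) in (?P<sym>\S+?)\+0x[0-9a-f]+/0x[0-9a-f]+")
ACCESS_RE = re.compile(r"(?P<rw>Read|Write) of size (?P<size>\d+) at addr (?P<addr>[0-9a-f]+)"
                       r" by task (?P<comm>\S+)/(?P<pid>\d+)")
FRAME_RE = re.compile(r"^\[<?[0-9a-f]*>?\]\s+(?P<sym>\S+?)\+0x[0-9a-f]+/0x[0-9a-f]+$")
SHADOW_RE = re.compile(r"^>(?P<base>[0-9a-f]+): (?P<bytes>(?:[0-9a-f]{2} ?){16})$")

# Heuristic (mine): frames that belong to the reporting machinery, not to the bug.
INSTRUMENTATION = ("dump_", "show_stack", "print_address_description", "kasan_",
                   "__asan_", "check_memory_region", "panic")
GENERIC_HELPER = re.compile(r"^__list_(add|del_entry)_valid$")   # list debug helpers

# Shadow poison values from mm/kasan/kasan.h (Linux 4.13); 0x00..0x07 encode
# how many leading bytes of the 8-byte granule are addressable.
SHADOW_MEANING = {
    0xFF: "KASAN_FREE_PAGE (page freed back to the page allocator)",
    0xFE: "KASAN_PAGE_REDZONE", 0xFC: "KASAN_KMALLOC_REDZONE",
    0xFB: "KASAN_KMALLOC_FREE (slab object freed)", 0xFA: "KASAN_GLOBAL_REDZONE",
    0xF8: "KASAN_USE_AFTER_SCOPE", 0xF1: "KASAN_STACK_LEFT", 0xF2: "KASAN_STACK_MID",
    0xF3: "KASAN_STACK_RIGHT", 0xF4: "KASAN_STACK_PARTIAL",
}


@dataclass
class KasanReport:
    kind: str            # e.g. "use-after-free"
    fault_symbol: str    # function performing the bad access (from the BUG: line)
    access: str          # "Read" or "Write"
    size: int
    addr: int
    comm: str
    pid: int
    frames: List[str] = field(default_factory=list)
    shadow_byte: Optional[int] = None

    def culprit(self) -> Optional[str]:
        """First frame outside the report machinery and generic list helpers."""
        for sym in self.frames:
            if not sym.startswith(INSTRUMENTATION) and not GENERIC_HELPER.match(sym):
                return sym
        return None

    def shadow_meaning(self) -> str:
        b = self.shadow_byte
        if b is None:
            return "shadow byte not found"
        if b == 0:
            return "all 8 bytes addressable"
        if b < 8:
            return f"first {b} bytes of the granule addressable"
        return SHADOW_MEANING.get(b, f"unknown poison 0x{b:02x}")

    def title(self) -> str:
        return f"KASAN: {self.kind} {self.access} in {self.culprit() or self.fault_symbol}"


def parse_kasan_report(text: str) -> KasanReport:
    kind = sym = access = comm = None
    size = addr = pid = shadow = None
    frames: List[str] = []
    in_trace = trace_done = False
    for raw in text.splitlines():
        line = TS.sub("", raw).strip()
        if (m := BUG_RE.search(line)) and kind is None:
            kind, sym = m["kind"], m["sym"]
        elif (m := ACCESS_RE.search(line)) and access is None:
            access, size, comm, pid = m["rw"], int(m["size"]), m["comm"], int(m["pid"])
            addr = int(m["addr"], 16)
        elif line == "Call trace:" and not trace_done:
            in_trace = True                      # only the first trace is the bug's
        elif in_trace:
            if m := FRAME_RE.match(line):
                frames.append(m["sym"])
            else:
                in_trace, trace_done = False, True   # blank line ends the trace
        elif (m := SHADOW_RE.match(line)) and addr is not None:
            base = int(m["base"], 16)
            row = [int(b, 16) for b in m["bytes"].split()]
            idx = (addr - base) >> 3             # one shadow byte per 8-byte granule
            if 0 <= idx < len(row):
                shadow = row[idx]
    if None in (kind, sym, access, addr):
        raise ValueError("not a KASAN report")
    return KasanReport(kind, sym, access, size, addr, comm, pid, frames, shadow)


if __name__ == "__main__":
    r = parse_kasan_report(REPORT)
    print(r.title())
    print(f"task {r.comm}/{r.pid}, {r.access} of {r.size} at 0x{r.addr:x}: {r.shadow_meaning()}")
```

For this report the shadow byte under the faulting address is 0xff, KASAN_FREE_PAGE, so the freed object lived in pages returned to the page allocator rather than in a slab object; that agrees with the page dump above (count:0 and the dead000000000100/dead000000000200 LIST_POISON1/LIST_POISON2 values in the raw fields). Skipping __list_del_entry_valid moves the title from the generic list helper to userfaultfd_event_wait_completion, which is the frame a bug tracker should key on.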