==================================================================
BUG: KASAN: use-after-free in __dev_queue_xmit+0x33f9/0x3950 net/core/dev.c:3772
Read of size 8 at addr ffff8801bf8ab400 by task syz-executor3/6088

CPU: 0 PID: 6088 Comm: syz-executor3 Not tainted 4.19.0-rc5-next-20180928+ #84
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1d3/0x2c4 lib/dump_stack.c:113
 print_address_description.cold.8+0x9/0x1ff mm/kasan/report.c:256
 kasan_report_error mm/kasan/report.c:354 [inline]
 kasan_report.cold.9+0x242/0x309 mm/kasan/report.c:412
 __asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:433
 __dev_queue_xmit+0x33f9/0x3950 net/core/dev.c:3772
 dev_queue_xmit+0x17/0x20 net/core/dev.c:3838
 neigh_resolve_output+0x67e/0xae0 net/core/neighbour.c:1364
 neigh_output include/net/neighbour.h:483 [inline]
 ip6_finish_output2+0xc91/0x27a0 net/ipv6/ip6_output.c:120
 ip6_finish_output+0x4de/0xbc0 net/ipv6/ip6_output.c:154
 NF_HOOK_COND include/linux/netfilter.h:276 [inline]
 ip6_output+0x23e/0x9f0 net/ipv6/ip6_output.c:171
 dst_output include/net/dst.h:444 [inline]
 NF_HOOK include/linux/netfilter.h:287 [inline]
 ndisc_send_skb+0x1005/0x1570 net/ipv6/ndisc.c:491
 ndisc_send_rs+0x134/0x6e0 net/ipv6/ndisc.c:685
 addrconf_rs_timer+0x314/0x690 net/ipv6/addrconf.c:3820
 call_timer_fn+0x26d/0x920 kernel/time/timer.c:1326
 expire_timers kernel/time/timer.c:1363 [inline]
 __run_timers+0x7e0/0xc60 kernel/time/timer.c:1682
 run_timer_softirq+0x52/0xb0 kernel/time/timer.c:1695
 __do_softirq+0x30b/0xb03 kernel/softirq.c:292
 invoke_softirq kernel/softirq.c:373 [inline]
 irq_exit+0x17f/0x1c0 kernel/softirq.c:413
 exiting_irq arch/x86/include/asm/apic.h:536 [inline]
 smp_apic_timer_interrupt+0x1cb/0x750 arch/x86/kernel/apic/apic.c:1061
 apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:804
RIP: 0010:wait_consider_task+0xd2/0x3bb0 kernel/exit.c:1336
Code: f2 c7 40 2c 00 f2 f2 f2 c7 40 30 f2 f2 f2 f2 c7 40 34 00 f2 f2 f2 65 48 8b 04 25 28 00 00 00 48 89 45 d0 31 c0 e8 ee c6 34 00 <49> 8d 8e 6c 04 00 00 48 89 c8 48 89 8d e0 fd ff ff 48 c1 e8 03 0f
RSP: 0018:ffff880192987788 EFLAGS: 00000293 ORIG_RAX: ffffffffffffff13
RAX: ffff88019297a5c0 RBX: dffffc0000000000 RCX: ffffffff8148e0e9
RDX: 0000000000000000 RSI: ffffffff8148a162 RDI: ffff880192987c28
RBP: ffff880192987a20 R08: ffff88019297a5c0 R09: fffffbfff1241218
R10: fffffbfff1241218 R11: ffffffff892090c3 R12: 0000000000000000
R13: ffff880192987c28 R14: ffff8801bd1e46c0 R15: ffff880192987c28
 do_wait_thread kernel/exit.c:1445 [inline]
 do_wait+0x49a/0xb80 kernel/exit.c:1516
 kernel_wait4+0x247/0x3f0 kernel/exit.c:1659
 __do_sys_wait4+0x137/0x150 kernel/exit.c:1671
 __se_sys_wait4 kernel/exit.c:1667 [inline]
 __x64_sys_wait4+0x97/0xf0 kernel/exit.c:1667
 do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x41127a
Code: 0f 83 1a 17 00 00 c3 66 0f 1f 84 00 00 00 00 00 8b 05 3e 4d 63 00 85 c0 75 36 45 31 d2 48 63 d2 48 63 ff b8 3d 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 06 c3 0f 1f 44 00 00 48 c7 c2 d4 ff ff ff f7
RSP: 002b:00007ffe21ed8e68 EFLAGS: 00000246 ORIG_RAX: 000000000000003d
RAX: ffffffffffffffda RBX: 000000000006ef3d RCX: 000000000041127a
RDX: 0000000040000001 RSI: 00007ffe21ed8ea0 RDI: ffffffffffffffff
RBP: 00000000000006f9 R08: 0000000000000001 R09: 0000000000a57940
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000008
R13: 000000000006eefb R14: 00000000000001a7 R15: 0000000000000003

Allocated by task 22902:
 save_stack+0x43/0xd0 mm/kasan/kasan.c:448
 set_track mm/kasan/kasan.c:460 [inline]
 kasan_kmalloc+0xc7/0xe0 mm/kasan/kasan.c:553
 __do_kmalloc_node mm/slab.c:3682 [inline]
 __kmalloc_node_track_caller+0x47/0x70 mm/slab.c:3696
 __kmalloc_reserve.isra.39+0x41/0xe0 net/core/skbuff.c:137
 __alloc_skb+0x150/0x770 net/core/skbuff.c:205
 alloc_skb include/linux/skbuff.h:997 [inline]
 dccp_connect+0x293/0x6e0 net/dccp/output.c:555
 dccp_v4_connect+0xd4f/0x1540 net/dccp/ipv4.c:126
 __inet_stream_connect+0x992/0x1150 net/ipv4/af_inet.c:655
 inet_stream_connect+0x58/0xa0 net/ipv4/af_inet.c:719
 __sys_connect+0x37d/0x4c0 net/socket.c:1665
 __do_sys_connect net/socket.c:1676 [inline]
 __se_sys_connect net/socket.c:1673 [inline]
 __x64_sys_connect+0x73/0xb0 net/socket.c:1673
 do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 22901:
 save_stack+0x43/0xd0 mm/kasan/kasan.c:448
 set_track mm/kasan/kasan.c:460 [inline]
 __kasan_slab_free+0x102/0x150 mm/kasan/kasan.c:521
 kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:528
 __cache_free mm/slab.c:3498 [inline]
 kfree+0xcf/0x230 mm/slab.c:3813
 skb_free_head+0x99/0xc0 net/core/skbuff.c:550
 skb_release_data+0x6a4/0x880 net/core/skbuff.c:570
 skb_release_all+0x4a/0x60 net/core/skbuff.c:627
 __kfree_skb net/core/skbuff.c:641 [inline]
 kfree_skb+0x1b6/0x580 net/core/skbuff.c:659
 skb_queue_purge+0x19/0x40 net/core/skbuff.c:2852
 packet_release+0xa01/0xda0 net/packet/af_packet.c:3021
 __sock_release+0xd7/0x250 net/socket.c:580
 sock_close+0x19/0x20 net/socket.c:1142
 __fput+0x3bc/0xa70 fs/file_table.c:279
 ____fput+0x15/0x20 fs/file_table.c:312
 task_work_run+0x1e8/0x2a0 kernel/task_work.c:113
 tracehook_notify_resume include/linux/tracehook.h:188 [inline]
 exit_to_usermode_loop+0x318/0x380 arch/x86/entry/common.c:166
 prepare_exit_to_usermode arch/x86/entry/common.c:197 [inline]
 syscall_return_slowpath arch/x86/entry/common.c:268 [inline]
 do_syscall_64+0x6be/0x820 arch/x86/entry/common.c:293
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

The buggy address belongs to the object at ffff8801bf8ab400
 which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 0 bytes inside of
 2048-byte region [ffff8801bf8ab400, ffff8801bf8abc00)
The buggy address belongs to the page:
page:ffffea0006fe2a80 count:1 mapcount:0 mapping:ffff8801da800c40 index:0x0 compound_mapcount: 0
flags: 0x2fffc0000010200(slab|head)
raw: 02fffc0000010200 ffffea0007176908 ffffea0006fd2508 ffff8801da800c40
raw: 0000000000000000 ffff8801bf8aa300 0000000100000003 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8801bf8ab300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff8801bf8ab380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff8801bf8ab400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                   ^
 ffff8801bf8ab480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8801bf8ab500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================