syzbot


KASAN: use-after-free Write in __ip6_del_rt

Status: premoderation: reported syz repro on 2025/10/28 10:19
Reported-by: syzbot+6a30d30575770f1715cc@syzkaller.appspotmail.com
First crash: 1d04h, last: 1d04h
Similar bugs (4)
Kernel | Title | Rank | Repro | Cause bisect | Fix bisect | Count | Last | Reported | Patched | Status
android-5-10 | KASAN: use-after-free Write in __ip6_del_rt | 24 | syz | - | - | 11 | 40d | 189d | 0/2 | premoderation: reported syz repro on 2025/04/22 16:51
android-5-15 | KASAN: use-after-free Write in __ip6_del_rt | 24 | - | - | - | 1 | 177d | 177d | 0/2 | auto-obsoleted due to no activity on 2025/08/03 14:28
linux-5.15 | KASAN: use-after-free Read in __ip6_del_rt | 19 | - | - | - | 1 | 214d | 214d | 0/3 | auto-obsoleted due to no activity on 2025/07/06 21:22
linux-6.6 | KASAN: slab-use-after-free Read in __ip6_del_rt | 19 | - | - | - | 1 | 70d | 70d | 0/2 | upstream: reported on 2025/08/19 23:21

Sample crash report:
device veth1_macvtap left promiscuous mode
device veth0_vlan left promiscuous mode
==================================================================
BUG: KASAN: use-after-free in instrument_atomic_read_write include/linux/instrumented.h:102 [inline]
BUG: KASAN: use-after-free in atomic_try_cmpxchg_acquire include/linux/atomic/atomic-instrumented.h:541 [inline]
BUG: KASAN: use-after-free in queued_spin_lock include/asm-generic/qspinlock.h:111 [inline]
BUG: KASAN: use-after-free in do_raw_spin_lock include/linux/spinlock.h:187 [inline]
BUG: KASAN: use-after-free in __raw_spin_lock_bh include/linux/spinlock_api_smp.h:127 [inline]
BUG: KASAN: use-after-free in _raw_spin_lock_bh+0x81/0xe0 kernel/locking/spinlock.c:178
Write of size 4 at addr ffff88810bdf6914 by task kworker/u4:4/2414

CPU: 1 PID: 2414 Comm: kworker/u4:4 Not tainted syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025
Workqueue: netns cleanup_net
Call Trace:
 <TASK>
 __dump_stack+0x21/0x24 lib/dump_stack.c:88
 dump_stack_lvl+0xee/0x150 lib/dump_stack.c:106
 print_address_description+0x71/0x200 mm/kasan/report.c:316
 print_report+0x4a/0x60 mm/kasan/report.c:420
 kasan_report+0x122/0x150 mm/kasan/report.c:524
 check_region_inline mm/kasan/generic.c:-1 [inline]
 kasan_check_range+0x280/0x290 mm/kasan/generic.c:189
 __kasan_check_write+0x14/0x20 mm/kasan/shadow.c:37
 instrument_atomic_read_write include/linux/instrumented.h:102 [inline]
 atomic_try_cmpxchg_acquire include/linux/atomic/atomic-instrumented.h:541 [inline]
 queued_spin_lock include/asm-generic/qspinlock.h:111 [inline]
 do_raw_spin_lock include/linux/spinlock.h:187 [inline]
 __raw_spin_lock_bh include/linux/spinlock_api_smp.h:127 [inline]
 _raw_spin_lock_bh+0x81/0xe0 kernel/locking/spinlock.c:178
 spin_lock_bh include/linux/spinlock.h:356 [inline]
 __ip6_del_rt+0x8f/0x150 net/ipv6/route.c:3915
 ip6_del_rt+0xb0/0xf0 net/ipv6/route.c:3931
 __remove_nexthop_fib+0x1f7/0x270 net/ipv4/nexthop.c:1861
 __remove_nexthop net/ipv4/nexthop.c:1869 [inline]
 remove_nexthop+0x73/0x500 net/ipv4/nexthop.c:1895
 remove_nh_grp_entry net/ipv4/nexthop.c:1751 [inline]
 remove_nexthop_from_groups+0x22f/0x1210 net/ipv4/nexthop.c:1816
 __remove_nexthop net/ipv4/nexthop.c:1880 [inline]
 remove_nexthop+0x3b6/0x500 net/ipv4/nexthop.c:1895
 flush_all_nexthops net/ipv4/nexthop.c:2404 [inline]
 nexthop_net_exit_batch+0x76/0x110 net/ipv4/nexthop.c:3730
 ops_exit_list net/core/net_namespace.c:177 [inline]
 cleanup_net+0x62d/0xb00 net/core/net_namespace.c:604
 process_one_work+0x71f/0xc40 kernel/workqueue.c:2302
 worker_thread+0xa29/0x11f0 kernel/workqueue.c:2449
 kthread+0x281/0x320 kernel/kthread.c:386
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295
 </TASK>

Allocated by task 371:
 kasan_save_stack mm/kasan/common.c:45 [inline]
 kasan_set_track+0x4b/0x70 mm/kasan/common.c:52
 kasan_save_alloc_info+0x25/0x30 mm/kasan/generic.c:505
 ____kasan_kmalloc mm/kasan/common.c:379 [inline]
 __kasan_kmalloc+0x95/0xb0 mm/kasan/common.c:388
 kasan_kmalloc include/linux/kasan.h:212 [inline]
 kmalloc_trace+0x40/0xb0 mm/slab_common.c:1033
 kmalloc include/linux/slab.h:563 [inline]
 kzalloc include/linux/slab.h:699 [inline]
 fib6_net_init+0x23d/0x8c0 net/ipv6/ip6_fib.c:2389
 ops_init+0x1c8/0x4a0 net/core/net_namespace.c:138
 setup_net+0x4ab/0xcb0 net/core/net_namespace.c:335
 copy_net_ns+0x355/0x5c0 net/core/net_namespace.c:481
 create_new_namespaces+0x3a2/0x660 kernel/nsproxy.c:110
 unshare_nsproxy_namespaces+0x120/0x170 kernel/nsproxy.c:226
 ksys_unshare+0x4ac/0x7b0 kernel/fork.c:3399
 __do_sys_unshare kernel/fork.c:3470 [inline]
 __se_sys_unshare kernel/fork.c:3468 [inline]
 __x64_sys_unshare+0x38/0x40 kernel/fork.c:3468
 x64_sys_call+0x767/0x9a0 arch/x86/include/generated/asm/syscalls_64.h:273
 do_syscall_x64 arch/x86/entry/common.c:51 [inline]
 do_syscall_64+0x4c/0xa0 arch/x86/entry/common.c:81
 entry_SYSCALL_64_after_hwframe+0x68/0xd2

Freed by task 2414:
 kasan_save_stack mm/kasan/common.c:45 [inline]
 kasan_set_track+0x4b/0x70 mm/kasan/common.c:52
 kasan_save_free_info+0x31/0x50 mm/kasan/generic.c:516
 ____kasan_slab_free+0x132/0x180 mm/kasan/common.c:241
 __kasan_slab_free+0x11/0x20 mm/kasan/common.c:249
 kasan_slab_free include/linux/kasan.h:178 [inline]
 slab_free_hook mm/slub.c:1750 [inline]
 slab_free_freelist_hook+0xc2/0x190 mm/slub.c:1776
 slab_free mm/slub.c:3712 [inline]
 __kmem_cache_free+0xb7/0x1b0 mm/slub.c:3728
 kfree+0x6f/0xf0 mm/slab_common.c:990
 fib6_free_table net/ipv6/ip6_fib.c:216 [inline]
 fib6_net_exit+0x270/0x300 net/ipv6/ip6_fib.c:2443
 ops_exit_list net/core/net_namespace.c:172 [inline]
 cleanup_net+0x5ad/0xb00 net/core/net_namespace.c:604
 process_one_work+0x71f/0xc40 kernel/workqueue.c:2302
 worker_thread+0xa29/0x11f0 kernel/workqueue.c:2449
 kthread+0x281/0x320 kernel/kthread.c:386
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295

The buggy address belongs to the object at ffff88810bdf6900
 which belongs to the cache kmalloc-128 of size 128
The buggy address is located 20 bytes inside of
 128-byte region [ffff88810bdf6900, ffff88810bdf6980)

The buggy address belongs to the physical page:
page:ffffea00042f7d80 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10bdf6
flags: 0x4000000000000200(slab|zone=1)
raw: 4000000000000200 ffffea000432fbc0 dead000000000003 ffff888100042a80
raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12c00(GFP_NOIO|__GFP_NOWARN|__GFP_NORETRY), pid 1, tgid 1 (swapper/0), ts 3100221853, free_ts 0
 set_page_owner include/linux/page_owner.h:33 [inline]
 post_alloc_hook+0x1f5/0x210 mm/page_alloc.c:2643
 prep_new_page+0x1c/0x110 mm/page_alloc.c:2650
 get_page_from_freelist+0x2c7b/0x2cf0 mm/page_alloc.c:4554
 __alloc_pages+0x1c3/0x450 mm/page_alloc.c:5868
 alloc_slab_page+0x6e/0xf0 include/linux/gfp.h:-1
 allocate_slab mm/slub.c:1967 [inline]
 new_slab+0x98/0x3d0 mm/slub.c:2020
 ___slab_alloc+0x6bd/0xb20 mm/slub.c:3177
 __slab_alloc+0x5e/0xa0 mm/slub.c:3263
 slab_alloc_node mm/slub.c:3348 [inline]
 __kmem_cache_alloc_node+0x203/0x2c0 mm/slub.c:3423
 __do_kmalloc_node mm/slab_common.c:937 [inline]
 __kmalloc_node+0xa1/0x1e0 mm/slab_common.c:945
 kmalloc_node include/linux/slab.h:589 [inline]
 kvmalloc_node+0x294/0x480 mm/util.c:592
 kvzalloc_node include/linux/slab.h:720 [inline]
 sbitmap_init_node+0x43b/0x580 lib/sbitmap.c:113
 blk_mq_alloc_hctx block/blk-mq.c:3743 [inline]
 blk_mq_alloc_and_init_hctx+0x4f0/0xe50 block/blk-mq.c:4191
 blk_mq_realloc_hw_ctxs+0x17a/0x410 block/blk-mq.c:4224
 blk_mq_init_allocated_queue+0x4df/0x16b0 block/blk-mq.c:4286
 blk_mq_init_queue_data block/blk-mq.c:4096 [inline]
 __blk_mq_alloc_disk+0xb8/0x1e0 block/blk-mq.c:4143
page_owner free stack trace missing

Memory state around the buggy address:
 ffff88810bdf6800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88810bdf6880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff88810bdf6900: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                         ^
 ffff88810bdf6980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff88810bdf6a00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fc fc
==================================================================
IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_hsr: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_hsr: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): veth1_virt_wifi: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready

Crashes (1):
Time | Kernel | Commit | Syzkaller | Config | Log | Report | Syz repro | C repro | VM info | Assets | Manager | Title
2025/10/28 10:18 | android14-6.1 | 09edd78523f0 | fd2207e7 | .config | console log | report | syz / log | - | - | disk image, vmlinux, kernel image | ci2-android-6-1 | KASAN: use-after-free Write in __ip6_del_rt