KASAN: user-memory-access Write in dst

[upstream] KASAN: user-memory-access Write in dst_release
Status: upstream: reported on 2019/01/07 11:14
Reported-by: syzbot+29ffc731816e0995ad54@syzkaller.appspotmail.com
First: 10d, last: 10d

Sample crash report:

bridge0: port 2(bridge_slave_1) entered disabled state
device bridge_slave_1 entered promiscuous mode
bond0: Enslaving bond_slave_0 as an active interface with an up link
bond0: Enslaving bond_slave_1 as an active interface with an up link
==================================================================
BUG: KASAN: user-memory-access in atomic_sub_return include/asm-generic/atomic-instrumented.h:305 [inline]
BUG: KASAN: user-memory-access in dst_release net/core/dst.c:186 [inline]
BUG: KASAN: user-memory-access in dst_release+0x2a/0xb0 net/core/dst.c:181
Write of size 4 at addr 00000000000054e8 by task kworker/u4:2/55

CPU: 1 PID: 55 Comm: kworker/u4:2 Not tainted 4.20.0+ #3
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: netns cleanup_net
Call Trace:
IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1db/0x2d0 lib/dump_stack.c:113
team0: Port device team_slave_0 added
 kasan_report_error mm/kasan/report.c:352 [inline]
 kasan_report mm/kasan/report.c:412 [inline]
 kasan_report.cold+0x19f/0x2ba mm/kasan/report.c:396
IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
 check_memory_region_inline mm/kasan/kasan.c:260 [inline]
 check_memory_region+0x123/0x190 mm/kasan/kasan.c:267
team0: Port device team_slave_1 added
 kasan_check_write+0x14/0x20 mm/kasan/kasan.c:278
IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
 atomic_sub_return include/asm-generic/atomic-instrumented.h:305 [inline]
 dst_release net/core/dst.c:186 [inline]
 dst_release+0x2a/0xb0 net/core/dst.c:181
IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
 dst_cache_destroy net/core/dst_cache.c:164 [inline]
 dst_cache_destroy+0xd3/0x1b0 net/core/dst_cache.c:156
 ip_tunnel_dev_free+0x25/0x60 net/ipv4/ip_tunnel.c:970
 netdev_run_todo+0x647/0xae0 net/core/dev.c:8885
 rtnl_unlock+0xe/0x10 net/core/rtnetlink.c:117
 ip_tunnel_delete_nets+0x4df/0x6d0 net/ipv4/ip_tunnel.c:1083
 ipip_exit_batch_net+0x23/0x30 net/ipv4/ipip.c:663
 ops_exit_list.isra.0+0x105/0x160 net/core/net_namespace.c:156
 cleanup_net+0x51d/0xb10 net/core/net_namespace.c:551
 process_one_work+0xd0c/0x1ce0 kernel/workqueue.c:2153
 worker_thread+0x143/0x14a0 kernel/workqueue.c:2296
kobject: 'batman_adv' (0000000005425111): kobject_add_internal: parent: 'veth0_to_hsr', set: '<NULL>'
kobject: 'hsr_slave_0' (000000005dd69dfa): kobject_add_internal: parent: 'net', set: 'devices'
kobject: 'hsr_slave_0' (000000005dd69dfa): kobject_uevent_env
kobject: 'hsr_slave_0' (000000005dd69dfa): fill_kobj_path: path = '/devices/virtual/net/hsr_slave_0'
kobject: 'queues' (000000008eea68f9): kobject_add_internal: parent: 'hsr_slave_0', set: '<NULL>'
kobject: 'queues' (000000008eea68f9): kobject_uevent_env
kobject: 'queues' (000000008eea68f9): kobject_uevent_env: filter function caused the event to drop!
 kthread+0x357/0x430 kernel/kthread.c:246
 ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:352
==================================================================

All crashes (1):
Manager	Time	Kernel	Commit	Syzkaller	Config	Log	Report	Syz repro	C repro	Maintainers
ci-upstream-net-kasan-gce	2019/01/07 09:51	net-next	b71acb0e	ee332608	.config	log	report			davem@davemloft.net, dsahern@gmail.com, linux-kernel@vger.kernel.org, netdev@vger.kernel.org, pablo@netfilter.org