KASAN: user-memory-access Write in dst

[upstream] KASAN: user-memory-access Write in dst_release
Status: upstream: reported on 2019/01/07 11:14
Reported-by: syzbot+29ffc731816e0995ad54@syzkaller.appspotmail.com
First crash: 78d, last: 2d08h

Sample crash report:

binder: undelivered TRANSACTION_ERROR: 29189
==================================================================
BUG: KASAN: user-memory-access in atomic_sub_return include/asm-generic/atomic-instrumented.h:305 [inline]
BUG: KASAN: user-memory-access in dst_release net/core/dst.c:190 [inline]
BUG: KASAN: user-memory-access in dst_release+0x2a/0xb0 net/core/dst.c:185
Write of size 4 at addr 000000000001a494 by task kworker/u4:3/13552

CPU: 0 PID: 13552 Comm: kworker/u4:3 Not tainted 5.0.0+ #7
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: netns cleanup_net
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x172/0x1f0 lib/dump_stack.c:113
 kasan_report.cold+0x5/0x40 mm/kasan/report.c:321
 check_memory_region_inline mm/kasan/generic.c:185 [inline]
 check_memory_region+0x123/0x190 mm/kasan/generic.c:191
 kasan_check_write+0x14/0x20 mm/kasan/common.c:106
 atomic_sub_return include/asm-generic/atomic-instrumented.h:305 [inline]
 dst_release net/core/dst.c:190 [inline]
 dst_release+0x2a/0xb0 net/core/dst.c:185
 dst_cache_destroy net/core/dst_cache.c:164 [inline]
 dst_cache_destroy+0xd3/0x1b0 net/core/dst_cache.c:156
 ipip6_dev_free+0x19/0x50 net/ipv6/sit.c:1355
 netdev_run_todo+0x51c/0x7d0 net/core/dev.c:8970
 rtnl_unlock+0xe/0x10 net/core/rtnetlink.c:116
 sit_exit_batch_net+0x565/0x750 net/ipv6/sit.c:1891
 ops_exit_list.isra.0+0x105/0x160 net/core/net_namespace.c:156
 cleanup_net+0x3fb/0x960 net/core/net_namespace.c:551
 process_one_work+0x98e/0x1790 kernel/workqueue.c:2173
 worker_thread+0x98/0xe40 kernel/workqueue.c:2319
 kthread+0x357/0x430 kernel/kthread.c:246
 ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:352
==================================================================

All crashes (9):
Manager	Time	Kernel	Commit	Syzkaller	Config	Log	Report	Maintainers
ci-upstream-kasan-gce	2019/03/06 01:32	upstream	63bdf428	16559f86	.config	log	report	davem@davemloft.net, dsahern@gmail.com, linux-kernel@vger.kernel.org, netdev@vger.kernel.org, pablo@netfilter.org, posk@google.com
ci-upstream-kasan-gce-root	2019/02/26 23:29	upstream	7d762d69	f2468c12	.config	log	report	davem@davemloft.net, dsahern@gmail.com, linux-kernel@vger.kernel.org, netdev@vger.kernel.org, pablo@netfilter.org
ci-upstream-kasan-gce	2019/02/17 06:05	upstream	64c0133e	f42dee6d	.config	log	report	davem@davemloft.net, dsahern@gmail.com, linux-kernel@vger.kernel.org, netdev@vger.kernel.org, pablo@netfilter.org
ci-upstream-kasan-gce	2019/02/08 13:31	upstream	74e96711	aa4feb03	.config	log	report	davem@davemloft.net, dsahern@gmail.com, linux-kernel@vger.kernel.org, netdev@vger.kernel.org, pablo@netfilter.org
ci-upstream-kasan-gce-386	2019/03/02 07:04	upstream	a215ce8f	1c0e457a	.config	log	report	davem@davemloft.net, dsahern@gmail.com, linux-kernel@vger.kernel.org, netdev@vger.kernel.org, pablo@netfilter.org
ci-upstream-net-this-kasan-gce	2019/03/23 10:26	net	5f543a54	3361bde5	.config	log	report	davem@davemloft.net, dsahern@gmail.com, linux-kernel@vger.kernel.org, netdev@vger.kernel.org, pablo@netfilter.org, posk@google.com
ci-upstream-net-kasan-gce	2019/01/07 09:51	net-next	b71acb0e	ee332608	.config	log	report	davem@davemloft.net, dsahern@gmail.com, linux-kernel@vger.kernel.org, netdev@vger.kernel.org, pablo@netfilter.org
ci-upstream-net-kasan-gce	2019/03/24 03:35	net-next	3b0f31f2	a2cef203	.config	log	report	davem@davemloft.net, dsahern@gmail.com, jwi@linux.ibm.com, linux-kernel@vger.kernel.org, netdev@vger.kernel.org, pablo@netfilter.org, posk@google.com, weiwan@google.com
ci-upstream-net-kasan-gce	2019/02/24 07:17	net-next	dccd3ab5	7a06e792	.config	log	report	davem@davemloft.net, dsahern@gmail.com, linux-kernel@vger.kernel.org, netdev@vger.kernel.org, pablo@netfilter.org, posk@google.com