================================================================== BUG: KASAN: use-after-free in pneigh_get_next.isra.18+0x214/0x320 net/core/neighbour.c:2629 at addr ffff8800a21d7180 Read of size 8 by task syz-executor.3/15217 CPU: 0 PID: 15217 Comm: syz-executor.3 Not tainted 4.7.0-rc3+ #1 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 1ffffffff0d55dda ffff8800b829f1c0 ffffffff829ccc36 ffff8800a21d7180 ffff8800b829f250 ffff8800a21d7180 ffff88012bc00200 ffff8800b829f240 ffffffff81746e17 ffff8800b829f268 ffff8800b829f310 0000000000000282 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xe6/0x120 lib/dump_stack.c:51 [] object_err mm/kasan/report.c:139 [inline] [] print_address_description mm/kasan/report.c:180 [inline] [] kasan_report_error+0x1e7/0x5b0 mm/kasan/report.c:276 [] kasan_report mm/kasan/report.c:298 [inline] [] __asan_report_load8_noabort+0x3e/0x40 mm/kasan/report.c:319 [] pneigh_get_next.isra.18+0x214/0x320 net/core/neighbour.c:2629 [] neigh_seq_next+0x91/0x1c0 net/core/neighbour.c:2711 [] seq_read+0x9e4/0x11a0 fs/seq_file.c:268 [] proc_reg_read+0xbc/0x180 fs/proc/inode.c:203 [] do_loop_readv_writev+0x134/0x210 fs/read_write.c:714 [] do_readv_writev+0x565/0x660 fs/read_write.c:845 [] vfs_readv+0x67/0xa0 fs/read_write.c:869 [] kernel_readv fs/splice.c:583 [inline] [] default_file_splice_read+0x42d/0x800 fs/splice.c:659 [] do_splice_to+0xe3/0x140 fs/splice.c:1154 [] splice_direct_to_actor+0x235/0x7c0 fs/splice.c:1226 [] do_splice_direct+0x14e/0x260 fs/splice.c:1337 [] do_sendfile+0x4c0/0xe40 fs/read_write.c:1354 [] SYSC_sendfile64 fs/read_write.c:1415 [inline] [] SyS_sendfile64+0x11d/0x120 fs/read_write.c:1401 [] entry_SYSCALL_64_fastpath+0x23/0xc1 Object at ffff8800a21d7180, in cache kmalloc-64 Object freed, allocated with size 36 bytes Allocation: PID = 15229 [] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:67 [] save_stack+0x46/0xd0 mm/kasan/kasan.c:476 [] set_track mm/kasan/kasan.c:488 [inline] [] kasan_kmalloc+0xda/0x100 mm/kasan/kasan.c:586 [] __do_kmalloc mm/slab.c:3773 [inline] [] __kmalloc+0x169/0x7a0 mm/slab.c:3782 [] kmalloc include/linux/slab.h:483 [inline] [] pneigh_lookup+0x15e/0x3b0 net/core/neighbour.c:594 [] arp_req_set_public net/ipv4/arp.c:975 [inline] [] arp_req_set+0x323/0x540 net/ipv4/arp.c:991 [] arp_ioctl+0x1c5/0x5c0 net/ipv4/arp.c:1186 [] inet_ioctl+0x6b/0x170 net/ipv4/af_inet.c:865 [] sock_do_ioctl+0x62/0xa0 net/socket.c:866 [] sock_ioctl+0x2a3/0x390 net/socket.c:952 [] vfs_ioctl fs/ioctl.c:43 [inline] [] do_vfs_ioctl+0x17f/0xec0 fs/ioctl.c:674 [] SYSC_ioctl fs/ioctl.c:689 [inline] [] SyS_ioctl+0x74/0x80 fs/ioctl.c:680 [] entry_SYSCALL_64_fastpath+0x23/0xc1 Deallocation: PID = 15216 [] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:67 [] save_stack+0x46/0xd0 mm/kasan/kasan.c:476 [] set_track mm/kasan/kasan.c:488 [inline] [] kasan_slab_free+0x9b/0xd0 mm/kasan/kasan.c:540 [] __cache_free mm/slab.c:3551 [inline] [] kfree+0xce/0x2c0 mm/slab.c:3868 [] pneigh_ifdown net/core/neighbour.c:662 [inline] [] neigh_ifdown+0x162/0x220 net/core/neighbour.c:257 [] arp_ifdown+0x13/0x20 net/ipv4/arp.c:1232 [] inetdev_destroy net/ipv4/devinet.c:306 [inline] [] inetdev_event+0x573/0xf60 net/ipv4/devinet.c:1480 [] notifier_call_chain+0x8b/0x170 kernel/notifier.c:93 [] __raw_notifier_call_chain kernel/notifier.c:394 [inline] [] raw_notifier_call_chain+0x11/0x20 kernel/notifier.c:401 [] call_netdevice_notifiers_info+0x47/0x80 net/core/dev.c:1643 [] call_netdevice_notifiers net/core/dev.c:1659 [inline] [] rollback_registered_many+0x3fa/0x740 net/core/dev.c:6611 [] rollback_registered+0x6f/0x90 net/core/dev.c:6652 [] unregister_netdevice_queue+0x68/0x120 net/core/dev.c:7636 [] unregister_netdevice include/linux/netdevice.h:2363 [inline] [] __tun_detach+0x764/0x9f0 drivers/net/tun.c:561 [] tun_detach drivers/net/tun.c:570 [inline] [] tun_chr_close+0x40/0x60 drivers/net/tun.c:2343 [] __fput+0x20e/0x750 fs/file_table.c:208 [] ____fput+0x9/0x10 fs/file_table.c:244 [] task_work_run+0xdc/0x150 kernel/task_work.c:115 [] tracehook_notify_resume include/linux/tracehook.h:191 [inline] [] exit_to_usermode_loop+0x183/0x1c0 arch/x86/entry/common.c:233 [] prepare_exit_to_usermode arch/x86/entry/common.c:264 [inline] [] syscall_return_slowpath+0x275/0x2f0 arch/x86/entry/common.c:329 [] entry_SYSCALL_64_fastpath+0xbf/0xc1 Memory state around the buggy address: ffff8800a21d7080: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc ffff8800a21d7100: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc >ffff8800a21d7180: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc ^ ffff8800a21d7200: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc ffff8800a21d7280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc ================================================================== ================================================================== BUG: KASAN: use-after-free in read_pnet include/net/net_namespace.h:259 [inline] at addr ffff880129e6b008 BUG: KASAN: use-after-free in pneigh_net include/net/neighbour.h:352 [inline] at addr ffff880129e6b008 BUG: KASAN: use-after-free in pneigh_get_next.isra.18+0x1f7/0x320 net/core/neighbour.c:2630 at addr ffff880129e6b008 Read of size 8 by task syz-executor.3/15217 CPU: 0 PID: 15217 Comm: syz-executor.3 Tainted: G B 4.7.0-rc3+ #1 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 1ffffffff0d55dda ffff8800b829f1c0 ffffffff829ccc36 ffff880129e6b000 ffff8800b829f250 ffff880129e6b000 ffff88012bc00500 ffff8800b829f240 ffffffff81746e17 0000000000000010 ffff880000000000 0000000000000282 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xe6/0x120 lib/dump_stack.c:51 [] object_err mm/kasan/report.c:139 [inline] [] print_address_description mm/kasan/report.c:180 [inline] [] kasan_report_error+0x1e7/0x5b0 mm/kasan/report.c:276 [] kasan_report mm/kasan/report.c:298 [inline] [] __asan_report_load8_noabort+0x3e/0x40 mm/kasan/report.c:319 [] read_pnet include/net/net_namespace.h:259 [inline] [] pneigh_net include/net/neighbour.h:352 [inline] [] pneigh_get_next.isra.18+0x1f7/0x320 net/core/neighbour.c:2630 [] neigh_seq_next+0x91/0x1c0 net/core/neighbour.c:2711 [] seq_read+0x9e4/0x11a0 fs/seq_file.c:268 [] proc_reg_read+0xbc/0x180 fs/proc/inode.c:203 [] do_loop_readv_writev+0x134/0x210 fs/read_write.c:714 [] do_readv_writev+0x565/0x660 fs/read_write.c:845 [] vfs_readv+0x67/0xa0 fs/read_write.c:869 [] kernel_readv fs/splice.c:583 [inline] [] default_file_splice_read+0x42d/0x800 fs/splice.c:659 [] do_splice_to+0xe3/0x140 fs/splice.c:1154 [] splice_direct_to_actor+0x235/0x7c0 fs/splice.c:1226 [] do_splice_direct+0x14e/0x260 fs/splice.c:1337 [] do_sendfile+0x4c0/0xe40 fs/read_write.c:1354 [] SYSC_sendfile64 fs/read_write.c:1415 [inline] [] SyS_sendfile64+0x11d/0x120 fs/read_write.c:1401 [] entry_SYSCALL_64_fastpath+0x23/0xc1 Object at ffff880129e6b000, in cache kmalloc-256 Object freed, allocated with size 198 bytes Allocation: PID = 15217 [] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:67 [] save_stack+0x46/0xd0 mm/kasan/kasan.c:476 [] set_track mm/kasan/kasan.c:488 [inline] [] kasan_kmalloc+0xda/0x100 mm/kasan/kasan.c:586 [] __do_kmalloc mm/slab.c:3773 [inline] [] __kmalloc+0x169/0x7a0 mm/slab.c:3782 [] kmalloc include/linux/slab.h:483 [inline] [] kzalloc include/linux/slab.h:622 [inline] [] __proc_create+0x136/0x570 fs/proc/generic.c:381 [] proc_create_data+0x55/0x140 fs/proc/generic.c:499 [] snmp6_register_dev+0xb0/0x130 net/ipv6/proc.c:282 [] ipv6_add_dev+0x55c/0xfd0 net/ipv6/addrconf.c:382 [] addrconf_notify+0x764/0x1cf0 net/ipv6/addrconf.c:3239 [] notifier_call_chain+0x8b/0x170 kernel/notifier.c:93 [] __raw_notifier_call_chain kernel/notifier.c:394 [inline] [] raw_notifier_call_chain+0x11/0x20 kernel/notifier.c:401 [] call_netdevice_notifiers_info+0x47/0x80 net/core/dev.c:1643 [] call_netdevice_notifiers net/core/dev.c:1659 [inline] [] register_netdevice+0x907/0xd60 net/core/dev.c:7100 [] tun_set_iff drivers/net/tun.c:1811 [inline] [] __tun_chr_ioctl+0x13e0/0x3540 drivers/net/tun.c:2010 [] tun_chr_ioctl+0xe/0x10 drivers/net/tun.c:2255 [] vfs_ioctl fs/ioctl.c:43 [inline] [] do_vfs_ioctl+0x17f/0xec0 fs/ioctl.c:674 [] SYSC_ioctl fs/ioctl.c:689 [inline] [] SyS_ioctl+0x74/0x80 fs/ioctl.c:680 [] entry_SYSCALL_64_fastpath+0x23/0xc1 Deallocation: PID = 15216 [] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:67 [] save_stack+0x46/0xd0 mm/kasan/kasan.c:476 [] set_track mm/kasan/kasan.c:488 [inline] [] kasan_slab_free+0x9b/0xd0 mm/kasan/kasan.c:540 [] __cache_free mm/slab.c:3551 [inline] [] kfree+0xce/0x2c0 mm/slab.c:3868 [] free_proc_entry fs/proc/generic.c:534 [inline] [] pde_put+0x73/0xc0 fs/proc/generic.c:540 [] remove_proc_subtree+0x1cb/0x240 fs/proc/generic.c:622 [] proc_remove+0x38/0x50 fs/proc/generic.c:637 [] snmp6_unregister_dev+0xac/0x120 net/ipv6/proc.c:299 [] addrconf_ifdown+0xa51/0xcd0 net/ipv6/addrconf.c:3460 [] addrconf_notify+0x710/0x1cf0 net/ipv6/addrconf.c:3367 [] notifier_call_chain+0x8b/0x170 kernel/notifier.c:93 [] __raw_notifier_call_chain kernel/notifier.c:394 [inline] [] raw_notifier_call_chain+0x11/0x20 kernel/notifier.c:401 [] call_netdevice_notifiers_info+0x47/0x80 net/core/dev.c:1643 [] call_netdevice_notifiers net/core/dev.c:1659 [inline] [] rollback_registered_many+0x3fa/0x740 net/core/dev.c:6611 [] rollback_registered+0x6f/0x90 net/core/dev.c:6652 [] unregister_netdevice_queue+0x68/0x120 net/core/dev.c:7636 [] unregister_netdevice include/linux/netdevice.h:2363 [inline] [] __tun_detach+0x764/0x9f0 drivers/net/tun.c:561 [] tun_detach drivers/net/tun.c:570 [inline] [] tun_chr_close+0x40/0x60 drivers/net/tun.c:2343 [] __fput+0x20e/0x750 fs/file_table.c:208 [] ____fput+0x9/0x10 fs/file_table.c:244 [] task_work_run+0xdc/0x150 kernel/task_work.c:115 [] tracehook_notify_resume include/linux/tracehook.h:191 [inline] [] exit_to_usermode_loop+0x183/0x1c0 arch/x86/entry/common.c:233 [] prepare_exit_to_usermode arch/x86/entry/common.c:264 [inline] [] syscall_return_slowpath+0x275/0x2f0 arch/x86/entry/common.c:329 [] entry_SYSCALL_64_fastpath+0xbf/0xc1 Memory state around the buggy address: ffff880129e6af00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff880129e6af80: fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc >ffff880129e6b000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff880129e6b080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff880129e6b100: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00 ================================================================== ================================================================== BUG: KASAN: use-after-free in pneigh_get_next.isra.18+0x214/0x320 net/core/neighbour.c:2629 at addr ffff880129e6b000 Read of size 8 by task syz-executor.3/15217 CPU: 0 PID: 15217 Comm: syz-executor.3 Tainted: G B 4.7.0-rc3+ #1 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 1ffffffff0d55dda ffff8800b829f1c0 ffffffff829ccc36 ffff880129e6b000 ffff8800b829f250 ffff880129e6b000 ffff88012bc00500 ffff8800b829f240 ffffffff81746e17 0000000000000010 ffff880000000000 0000000000000282 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xe6/0x120 lib/dump_stack.c:51 [] object_err mm/kasan/report.c:139 [inline] [] print_address_description mm/kasan/report.c:180 [inline] [] kasan_report_error+0x1e7/0x5b0 mm/kasan/report.c:276 [] kasan_report mm/kasan/report.c:298 [inline] [] __asan_report_load8_noabort+0x3e/0x40 mm/kasan/report.c:319 [] pneigh_get_next.isra.18+0x214/0x320 net/core/neighbour.c:2629 [] neigh_seq_next+0x91/0x1c0 net/core/neighbour.c:2711 [] seq_read+0x9e4/0x11a0 fs/seq_file.c:268 [] proc_reg_read+0xbc/0x180 fs/proc/inode.c:203 [] do_loop_readv_writev+0x134/0x210 fs/read_write.c:714 [] do_readv_writev+0x565/0x660 fs/read_write.c:845 [] vfs_readv+0x67/0xa0 fs/read_write.c:869 [] kernel_readv fs/splice.c:583 [inline] [] default_file_splice_read+0x42d/0x800 fs/splice.c:659 [] do_splice_to+0xe3/0x140 fs/splice.c:1154 [] splice_direct_to_actor+0x235/0x7c0 fs/splice.c:1226 [] do_splice_direct+0x14e/0x260 fs/splice.c:1337 [] do_sendfile+0x4c0/0xe40 fs/read_write.c:1354 [] SYSC_sendfile64 fs/read_write.c:1415 [inline] [] SyS_sendfile64+0x11d/0x120 fs/read_write.c:1401 [] entry_SYSCALL_64_fastpath+0x23/0xc1 Object at ffff880129e6b000, in cache kmalloc-256 Object freed, allocated with size 198 bytes Allocation: PID = 15217 [] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:67 [] save_stack+0x46/0xd0 mm/kasan/kasan.c:476 [] set_track mm/kasan/kasan.c:488 [inline] [] kasan_kmalloc+0xda/0x100 mm/kasan/kasan.c:586 [] __do_kmalloc mm/slab.c:3773 [inline] [] __kmalloc+0x169/0x7a0 mm/slab.c:3782 [] kmalloc include/linux/slab.h:483 [inline] [] kzalloc include/linux/slab.h:622 [inline] [] __proc_create+0x136/0x570 fs/proc/generic.c:381 [] proc_create_data+0x55/0x140 fs/proc/generic.c:499 [] snmp6_register_dev+0xb0/0x130 net/ipv6/proc.c:282 [] ipv6_add_dev+0x55c/0xfd0 net/ipv6/addrconf.c:382 [] addrconf_notify+0x764/0x1cf0 net/ipv6/addrconf.c:3239 [] notifier_call_chain+0x8b/0x170 kernel/notifier.c:93 [] __raw_notifier_call_chain kernel/notifier.c:394 [inline] [] raw_notifier_call_chain+0x11/0x20 kernel/notifier.c:401 [] call_netdevice_notifiers_info+0x47/0x80 net/core/dev.c:1643 [] call_netdevice_notifiers net/core/dev.c:1659 [inline] [] register_netdevice+0x907/0xd60 net/core/dev.c:7100 [] tun_set_iff drivers/net/tun.c:1811 [inline] [] __tun_chr_ioctl+0x13e0/0x3540 drivers/net/tun.c:2010 [] tun_chr_ioctl+0xe/0x10 drivers/net/tun.c:2255 [] vfs_ioctl fs/ioctl.c:43 [inline] [] do_vfs_ioctl+0x17f/0xec0 fs/ioctl.c:674 [] SYSC_ioctl fs/ioctl.c:689 [inline] [] SyS_ioctl+0x74/0x80 fs/ioctl.c:680 [] entry_SYSCALL_64_fastpath+0x23/0xc1 Deallocation: PID = 15216 [] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:67 [] save_stack+0x46/0xd0 mm/kasan/kasan.c:476 [] set_track mm/kasan/kasan.c:488 [inline] [] kasan_slab_free+0x9b/0xd0 mm/kasan/kasan.c:540 [] __cache_free mm/slab.c:3551 [inline] [] kfree+0xce/0x2c0 mm/slab.c:3868 [] free_proc_entry fs/proc/generic.c:534 [inline] [] pde_put+0x73/0xc0 fs/proc/generic.c:540 [] remove_proc_subtree+0x1cb/0x240 fs/proc/generic.c:622 [] proc_remove+0x38/0x50 fs/proc/generic.c:637 [] snmp6_unregister_dev+0xac/0x120 net/ipv6/proc.c:299 [] addrconf_ifdown+0xa51/0xcd0 net/ipv6/addrconf.c:3460 [] addrconf_notify+0x710/0x1cf0 net/ipv6/addrconf.c:3367 [] notifier_call_chain+0x8b/0x170 kernel/notifier.c:93 [] __raw_notifier_call_chain kernel/notifier.c:394 [inline] [] raw_notifier_call_chain+0x11/0x20 kernel/notifier.c:401 [] call_netdevice_notifiers_info+0x47/0x80 net/core/dev.c:1643 [] call_netdevice_notifiers net/core/dev.c:1659 [inline] [] rollback_registered_many+0x3fa/0x740 net/core/dev.c:6611 [] rollback_registered+0x6f/0x90 net/core/dev.c:6652 [] unregister_netdevice_queue+0x68/0x120 net/core/dev.c:7636 [] unregister_netdevice include/linux/netdevice.h:2363 [inline] [] __tun_detach+0x764/0x9f0 drivers/net/tun.c:561 [] tun_detach drivers/net/tun.c:570 [inline] [] tun_chr_close+0x40/0x60 drivers/net/tun.c:2343 [] __fput+0x20e/0x750 fs/file_table.c:208 [] ____fput+0x9/0x10 fs/file_table.c:244 [] task_work_run+0xdc/0x150 kernel/task_work.c:115 [] tracehook_notify_resume include/linux/tracehook.h:191 [inline] [] exit_to_usermode_loop+0x183/0x1c0 arch/x86/entry/common.c:233 [] prepare_exit_to_usermode arch/x86/entry/common.c:264 [inline] [] syscall_return_slowpath+0x275/0x2f0 arch/x86/entry/common.c:329 [] entry_SYSCALL_64_fastpath+0xbf/0xc1 Memory state around the buggy address: ffff880129e6af00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff880129e6af80: fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc >ffff880129e6b000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff880129e6b080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff880129e6b100: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00 ================================================================== ================================================================== BUG: KASAN: use-after-free in read_pnet include/net/net_namespace.h:259 [inline] at addr ffff880129e6b508 BUG: KASAN: use-after-free in pneigh_net include/net/neighbour.h:352 [inline] at addr ffff880129e6b508 BUG: KASAN: use-after-free in pneigh_get_next.isra.18+0x1f7/0x320 net/core/neighbour.c:2630 at addr ffff880129e6b508 Read of size 8 by task syz-executor.3/15217 CPU: 0 PID: 15217 Comm: syz-executor.3 Tainted: G B 4.7.0-rc3+ #1 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 1ffffffff0d55dda ffff8800b829f1c0 ffffffff829ccc36 ffff880129e6b500 ffff8800b829f250 ffff880129e6b500 ffff88012bc00500 ffff8800b829f240 ffffffff81746e17 0000000000000010 ffff880000000000 0000000000000282 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xe6/0x120 lib/dump_stack.c:51 [] object_err mm/kasan/report.c:139 [inline] [] print_address_description mm/kasan/report.c:180 [inline] [] kasan_report_error+0x1e7/0x5b0 mm/kasan/report.c:276 [] kasan_report mm/kasan/report.c:298 [inline] [] __asan_report_load8_noabort+0x3e/0x40 mm/kasan/report.c:319 [] read_pnet include/net/net_namespace.h:259 [inline] [] pneigh_net include/net/neighbour.h:352 [inline] [] pneigh_get_next.isra.18+0x1f7/0x320 net/core/neighbour.c:2630 [] neigh_seq_next+0x91/0x1c0 net/core/neighbour.c:2711 [] seq_read+0x9e4/0x11a0 fs/seq_file.c:268 [] proc_reg_read+0xbc/0x180 fs/proc/inode.c:203 [] do_loop_readv_writev+0x134/0x210 fs/read_write.c:714 [] do_readv_writev+0x565/0x660 fs/read_write.c:845 [] vfs_readv+0x67/0xa0 fs/read_write.c:869 [] kernel_readv fs/splice.c:583 [inline] [] default_file_splice_read+0x42d/0x800 fs/splice.c:659 [] do_splice_to+0xe3/0x140 fs/splice.c:1154 [] splice_direct_to_actor+0x235/0x7c0 fs/splice.c:1226 [] do_splice_direct+0x14e/0x260 fs/splice.c:1337 [] do_sendfile+0x4c0/0xe40 fs/read_write.c:1354 [] SYSC_sendfile64 fs/read_write.c:1415 [inline] [] SyS_sendfile64+0x11d/0x120 fs/read_write.c:1401 [] entry_SYSCALL_64_fastpath+0x23/0xc1 Object at ffff880129e6b500, in cache kmalloc-256 Object freed, allocated with size 240 bytes Allocation: PID = 15217 [] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:67 [] save_stack+0x46/0xd0 mm/kasan/kasan.c:476 [] set_track mm/kasan/kasan.c:488 [inline] [] kasan_kmalloc+0xda/0x100 mm/kasan/kasan.c:586 [] kmem_cache_alloc_trace+0x142/0x780 mm/slab.c:3675 [] kmalloc include/linux/slab.h:478 [inline] [] kzalloc include/linux/slab.h:622 [inline] [] mca_alloc net/ipv6/mcast.c:825 [inline] [] ipv6_dev_mc_inc+0x294/0xde0 net/ipv6/mcast.c:884 [] ipv6_add_dev+0xa96/0xfd0 net/ipv6/addrconf.c:438 [] addrconf_notify+0x764/0x1cf0 net/ipv6/addrconf.c:3239 [] notifier_call_chain+0x8b/0x170 kernel/notifier.c:93 [] __raw_notifier_call_chain kernel/notifier.c:394 [inline] [] raw_notifier_call_chain+0x11/0x20 kernel/notifier.c:401 [] call_netdevice_notifiers_info+0x47/0x80 net/core/dev.c:1643 [] call_netdevice_notifiers net/core/dev.c:1659 [inline] [] register_netdevice+0x907/0xd60 net/core/dev.c:7100 [] tun_set_iff drivers/net/tun.c:1811 [inline] [] __tun_chr_ioctl+0x13e0/0x3540 drivers/net/tun.c:2010 [] tun_chr_ioctl+0xe/0x10 drivers/net/tun.c:2255 [] vfs_ioctl fs/ioctl.c:43 [inline] [] do_vfs_ioctl+0x17f/0xec0 fs/ioctl.c:674 [] SYSC_ioctl fs/ioctl.c:689 [inline] [] SyS_ioctl+0x74/0x80 fs/ioctl.c:680 [] entry_SYSCALL_64_fastpath+0x23/0xc1 Deallocation: PID = 15216 [] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:67 [] save_stack+0x46/0xd0 mm/kasan/kasan.c:476 [] set_track mm/kasan/kasan.c:488 [inline] [] kasan_slab_free+0x9b/0xd0 mm/kasan/kasan.c:540 [] __cache_free mm/slab.c:3551 [inline] [] kfree+0xce/0x2c0 mm/slab.c:3868 [] ma_put+0x42/0x60 net/ipv6/mcast.c:816 [] __ipv6_dev_mc_dec+0x216/0x380 net/ipv6/mcast.c:924 [] ipv6_mc_destroy_dev+0x28/0x150 net/ipv6/mcast.c:2557 [] addrconf_ifdown+0x7f8/0xcd0 net/ipv6/addrconf.c:3584 [] addrconf_notify+0x710/0x1cf0 net/ipv6/addrconf.c:3367 [] notifier_call_chain+0x8b/0x170 kernel/notifier.c:93 [] __raw_notifier_call_chain kernel/notifier.c:394 [inline] [] raw_notifier_call_chain+0x11/0x20 kernel/notifier.c:401 [] call_netdevice_notifiers_info+0x47/0x80 net/core/dev.c:1643 [] call_netdevice_notifiers net/core/dev.c:1659 [inline] [] rollback_registered_many+0x3fa/0x740 net/core/dev.c:6611 [] rollback_registered+0x6f/0x90 net/core/dev.c:6652 [] unregister_netdevice_queue+0x68/0x120 net/core/dev.c:7636 [] unregister_netdevice include/linux/netdevice.h:2363 [inline] [] __tun_detach+0x764/0x9f0 drivers/net/tun.c:561 [] tun_detach drivers/net/tun.c:570 [inline] [] tun_chr_close+0x40/0x60 drivers/net/tun.c:2343 [] __fput+0x20e/0x750 fs/file_table.c:208 [] ____fput+0x9/0x10 fs/file_table.c:244 [] task_work_run+0xdc/0x150 kernel/task_work.c:115 [] tracehook_notify_resume include/linux/tracehook.h:191 [inline] [] exit_to_usermode_loop+0x183/0x1c0 arch/x86/entry/common.c:233 [] prepare_exit_to_usermode arch/x86/entry/common.c:264 [inline] [] syscall_return_slowpath+0x275/0x2f0 arch/x86/entry/common.c:329 [] entry_SYSCALL_64_fastpath+0xbf/0xc1 Memory state around the buggy address: ffff880129e6b400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff880129e6b480: 00 00 00 00 00 00 00 05 fc fc fc fc fc fc fc fc >ffff880129e6b500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff880129e6b580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff880129e6b600: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb ================================================================== ================================================================== BUG: KASAN: use-after-free in pneigh_get_next.isra.18+0x214/0x320 net/core/neighbour.c:2629 at addr ffff880129e6b500 Read of size 8 by task syz-executor.3/15217 CPU: 0 PID: 15217 Comm: syz-executor.3 Tainted: G B 4.7.0-rc3+ #1 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 1ffffffff0d55dda ffff8800b829f1c0 ffffffff829ccc36 ffff880129e6b500 ffff8800b829f250 ffff880129e6b500 ffff88012bc00500 ffff8800b829f240 ffffffff81746e17 0000000000000010 ffff880000000000 0000000000000282 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xe6/0x120 lib/dump_stack.c:51 [] object_err mm/kasan/report.c:139 [inline] [] print_address_description mm/kasan/report.c:180 [inline] [] kasan_report_error+0x1e7/0x5b0 mm/kasan/report.c:276 [] kasan_report mm/kasan/report.c:298 [inline] [] __asan_report_load8_noabort+0x3e/0x40 mm/kasan/report.c:319 [] pneigh_get_next.isra.18+0x214/0x320 net/core/neighbour.c:2629 [] neigh_seq_next+0x91/0x1c0 net/core/neighbour.c:2711 [] seq_read+0x9e4/0x11a0 fs/seq_file.c:268 [] proc_reg_read+0xbc/0x180 fs/proc/inode.c:203 [] do_loop_readv_writev+0x134/0x210 fs/read_write.c:714 [] do_readv_writev+0x565/0x660 fs/read_write.c:845 [] vfs_readv+0x67/0xa0 fs/read_write.c:869 [] kernel_readv fs/splice.c:583 [inline] [] default_file_splice_read+0x42d/0x800 fs/splice.c:659 [] do_splice_to+0xe3/0x140 fs/splice.c:1154 [] splice_direct_to_actor+0x235/0x7c0 fs/splice.c:1226 [] do_splice_direct+0x14e/0x260 fs/splice.c:1337 [] do_sendfile+0x4c0/0xe40 fs/read_write.c:1354 [] SYSC_sendfile64 fs/read_write.c:1415 [inline] [] SyS_sendfile64+0x11d/0x120 fs/read_write.c:1401 [] entry_SYSCALL_64_fastpath+0x23/0xc1 Object at ffff880129e6b500, in cache kmalloc-256 Object freed, allocated with size 240 bytes Allocation: PID = 15217 [] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:67 [] save_stack+0x46/0xd0 mm/kasan/kasan.c:476 [] set_track mm/kasan/kasan.c:488 [inline] [] kasan_kmalloc+0xda/0x100 mm/kasan/kasan.c:586 [] kmem_cache_alloc_trace+0x142/0x780 mm/slab.c:3675 [] kmalloc include/linux/slab.h:478 [inline] [] kzalloc include/linux/slab.h:622 [inline] [] mca_alloc net/ipv6/mcast.c:825 [inline] [] ipv6_dev_mc_inc+0x294/0xde0 net/ipv6/mcast.c:884 [] ipv6_add_dev+0xa96/0xfd0 net/ipv6/addrconf.c:438 [] addrconf_notify+0x764/0x1cf0 net/ipv6/addrconf.c:3239 [] notifier_call_chain+0x8b/0x170 kernel/notifier.c:93 [] __raw_notifier_call_chain kernel/notifier.c:394 [inline] [] raw_notifier_call_chain+0x11/0x20 kernel/notifier.c:401 [] call_netdevice_notifiers_info+0x47/0x80 net/core/dev.c:1643 [] call_netdevice_notifiers net/core/dev.c:1659 [inline] [] register_netdevice+0x907/0xd60 net/core/dev.c:7100 [] tun_set_iff drivers/net/tun.c:1811 [inline] [] __tun_chr_ioctl+0x13e0/0x3540 drivers/net/tun.c:2010 [] tun_chr_ioctl+0xe/0x10 drivers/net/tun.c:2255 [] vfs_ioctl fs/ioctl.c:43 [inline] [] do_vfs_ioctl+0x17f/0xec0 fs/ioctl.c:674 [] SYSC_ioctl fs/ioctl.c:689 [inline] [] SyS_ioctl+0x74/0x80 fs/ioctl.c:680 [] entry_SYSCALL_64_fastpath+0x23/0xc1 Deallocation: PID = 15216 [] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:67 [] save_stack+0x46/0xd0 mm/kasan/kasan.c:476 [] set_track mm/kasan/kasan.c:488 [inline] [] kasan_slab_free+0x9b/0xd0 mm/kasan/kasan.c:540 [] __cache_free mm/slab.c:3551 [inline] [] kfree+0xce/0x2c0 mm/slab.c:3868 [] ma_put+0x42/0x60 net/ipv6/mcast.c:816 [] __ipv6_dev_mc_dec+0x216/0x380 net/ipv6/mcast.c:924 [] ipv6_mc_destroy_dev+0x28/0x150 net/ipv6/mcast.c:2557 [] addrconf_ifdown+0x7f8/0xcd0 net/ipv6/addrconf.c:3584 [] addrconf_notify+0x710/0x1cf0 net/ipv6/addrconf.c:3367 [] notifier_call_chain+0x8b/0x170 kernel/notifier.c:93 [] __raw_notifier_call_chain kernel/notifier.c:394 [inline] [] raw_notifier_call_chain+0x11/0x20 kernel/notifier.c:401 [] call_netdevice_notifiers_info+0x47/0x80 net/core/dev.c:1643 [] call_netdevice_notifiers net/core/dev.c:1659 [inline] [] rollback_registered_many+0x3fa/0x740 net/core/dev.c:6611 [] rollback_registered+0x6f/0x90 net/core/dev.c:6652 [] unregister_netdevice_queue+0x68/0x120 net/core/dev.c:7636 [] unregister_netdevice include/linux/netdevice.h:2363 [inline] [] __tun_detach+0x764/0x9f0 drivers/net/tun.c:561 [] tun_detach drivers/net/tun.c:570 [inline] [] tun_chr_close+0x40/0x60 drivers/net/tun.c:2343 [] __fput+0x20e/0x750 fs/file_table.c:208 [] ____fput+0x9/0x10 fs/file_table.c:244 [] task_work_run+0xdc/0x150 kernel/task_work.c:115 [] tracehook_notify_resume include/linux/tracehook.h:191 [inline] [] exit_to_usermode_loop+0x183/0x1c0 arch/x86/entry/common.c:233 [] prepare_exit_to_usermode arch/x86/entry/common.c:264 [inline] [] syscall_return_slowpath+0x275/0x2f0 arch/x86/entry/common.c:329 [