==================================================================
BUG: KASAN: use-after-free in ip6_dst_idev include/net/ip6_fib.h:141 [inline]
BUG: KASAN: use-after-free in ip6_xmit+0x177c/0x1a00 net/ipv6/ip6_output.c:237
Read of size 8 at addr ffff8800a3c07518 by task syz-executor1/24267

CPU: 0 PID: 24267 Comm: syz-executor1 Not tainted 4.4.153-g5e24b4e #90
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 0000000000000000 e32b41490bb92e4f ffff8801ba57f5c8 ffffffff81e162ed
 ffffea00028f01c0 ffff8800a3c07518 0000000000000000 ffff8800a3c07518
 0000000000001000 ffff8801ba57f600 ffffffff8151b4d9 ffff8800a3c07518
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x124 lib/dump_stack.c:51
 [] print_address_description+0x6c/0x216 mm/kasan/report.c:252
 [] kasan_report_error mm/kasan/report.c:351 [inline]
 [] kasan_report.cold.7+0x175/0x2f7 mm/kasan/report.c:408
 [] __asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:429
 [] ip6_dst_idev include/net/ip6_fib.h:141 [inline]
 [] ip6_xmit+0x177c/0x1a00 net/ipv6/ip6_output.c:237
 [] inet6_csk_xmit+0x245/0x490 net/ipv6/inet6_connection_sock.c:176
 [] l2tp_xmit_core net/l2tp/l2tp_core.c:1084 [inline]
 [] l2tp_xmit_skb+0xb9c/0xe80 net/l2tp/l2tp_core.c:1179
 [] pppol2tp_sendmsg+0x4e0/0x7d0 net/l2tp/l2tp_ppp.c:355
 [] sock_sendmsg_nosec net/socket.c:638 [inline]
 [] sock_sendmsg+0xcc/0x110 net/socket.c:648
 [] ___sys_sendmsg+0x441/0x880 net/socket.c:1975
 [] __sys_sendmmsg+0x12e/0x2e0 net/socket.c:2060
 [] SYSC_sendmmsg net/socket.c:2090 [inline]
 [] SyS_sendmmsg+0x35/0x60 net/socket.c:2085
 [] entry_SYSCALL_64_fastpath+0x22/0x9e

Allocated by task 21853:
 [] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:63
 [] save_stack+0x43/0xd0 mm/kasan/kasan.c:512
 [] set_track mm/kasan/kasan.c:524 [inline]
 [] kasan_kmalloc+0xc7/0xe0 mm/kasan/kasan.c:616
 [] kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:554
 [] slab_post_alloc_hook mm/slub.c:1349 [inline]
 [] slab_alloc_node mm/slub.c:2615 [inline]
 [] slab_alloc mm/slub.c:2623 [inline]
 [] kmem_cache_alloc+0xbe/0x2a0 mm/slub.c:2628
 [] dst_alloc+0xb5/0x1a0 net/core/dst.c:210
 [] rt_dst_alloc+0x78/0x430 net/ipv4/route.c:1478
 [] __mkroute_output net/ipv4/route.c:2132 [inline]
 [] __ip_route_output_key_hash+0x9ac/0x2380 net/ipv4/route.c:2344
 [] __ip_route_output_key include/net/route.h:124 [inline]
 [] ip_route_output_flow+0x29/0xa0 net/ipv4/route.c:2431
 [] ip_route_connect include/net/route.h:304 [inline]
 [] __ip4_datagram_connect+0x663/0xfe0 net/ipv4/datagram.c:51
 [] ip4_datagram_connect+0x2f/0x50 net/ipv4/datagram.c:92
 [] inet_dgram_connect+0x117/0x200 net/ipv4/af_inet.c:550
 [] SYSC_connect+0x1b8/0x300 net/socket.c:1570
 [] SyS_connect+0x24/0x30 net/socket.c:1551
 [] entry_SYSCALL_64_fastpath+0x22/0x9e

Freed by task 19699:
 [] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:63
 [] save_stack+0x43/0xd0 mm/kasan/kasan.c:512
 [] set_track mm/kasan/kasan.c:524 [inline]
 [] kasan_slab_free+0x72/0xc0 mm/kasan/kasan.c:589
 [] slab_free_hook mm/slub.c:1383 [inline]
 [] slab_free_freelist_hook mm/slub.c:1405 [inline]
 [] slab_free mm/slub.c:2859 [inline]
 [] kmem_cache_free+0xbe/0x340 mm/slub.c:2881
 [] dst_destroy.part.6+0x1f5/0x330 net/core/dst.c:270
 [] dst_destroy net/core/dst.c:252 [inline]
 [] dst_destroy_rcu+0x15/0x40 net/core/dst.c:295
 [] __rcu_reclaim kernel/rcu/rcu.h:118 [inline]
 [] rcu_do_batch kernel/rcu/tree.c:2705 [inline]
 [] invoke_rcu_callbacks kernel/rcu/tree.c:2973 [inline]
 [] __rcu_process_callbacks kernel/rcu/tree.c:2940 [inline]
 [] rcu_process_callbacks+0x927/0x1440 kernel/rcu/tree.c:2957
 [] __do_softirq+0x22c/0xa1a kernel/softirq.c:273

The buggy address belongs to the object at ffff8800a3c07500
 which belongs to the cache ip_dst_cache of size 208
The buggy address is located 24 bytes inside of
 208-byte region [ffff8800a3c07500, ffff8800a3c075d0)
The buggy address belongs to the page:
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] PREEMPT SMP KASAN
Dumping ftrace buffer:
   (ftrace buffer empty)
Modules linked in:
CPU: 1 PID: 24283 Comm: syz-executor5 Not tainted 4.4.153-g5e24b4e #90
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
task: ffff8800a1504800 task.stack: ffff8801bbcb0000
RIP: 0010:[] [] tcp_rack_mark_lost+0x2f3/0x6f0 net/ipv4/tcp_recovery.c:53
RSP: 0018:ffff8801db307450 EFLAGS: 00010203
RAX: 0800000000000015 RBX: 000000000000008c RCX: 0000000000000005
RDX: 0000000000000100 RSI: ffffffff832c4067 RDI: 40000000000000ac
RBP: ffff8801db3074d0 R08: 000000000000452e R09: 0000000000000014
R10: ffffed0043fffa09 R11: 0000000000000008 R12: 4000000000000080
R13: 000000007d73c8a0 R14: dffffc0000000000 R15: ffff8801d271c980
FS: 00007fa745249700(0000) GS:ffff8801db300000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fc1ed817fc0 CR3: 00000000b741a000 CR4: 00000000001606f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Stack:
 ffff8801d271d0d8 00000008844bec20 ffff8801d271d1d4 1ffff1003a4e3a31
 ffff8801d271d188 ffffea00028f01f5 0003362a000003e8 000000008f68f1f8
 ffff8801d271cd68 ffffed003a4e3a1b ffff8801d271cb70 ffff8801d271c980
Call Trace:
 [] tcp_fastretrans_alert+0x1435/0x29a0 net/ipv4/tcp_input.c:2823
 [] tcp_ack+0x1ad7/0x4760 net/ipv4/tcp_input.c:3648
 [] tcp_rcv_established+0x3a8/0x1fe0 net/ipv4/tcp_input.c:5438
 [] tcp_v4_do_rcv+0x5c5/0x990 net/ipv4/tcp_ipv4.c:1397
 [] tcp_v4_rcv+0x23d3/0x30b0 net/ipv4/tcp_ipv4.c:1680
 [] ip_local_deliver_finish+0x257/0xa60 net/ipv4/ip_input.c:216
 [] NF_HOOK_THRESH include/linux/netfilter.h:226 [inline]
 [] NF_HOOK include/linux/netfilter.h:249 [inline]
 [] ip_local_deliver+0x1f1/0x380 net/ipv4/ip_input.c:257
 [] dst_input include/net/dst.h:504 [inline]
 [] ip_rcv_finish+0x65a/0x1640 net/ipv4/ip_input.c:365
 [] NF_HOOK_THRESH include/linux/netfilter.h:226 [inline]
 [] NF_HOOK include/linux/netfilter.h:249 [inline]
 [] ip_rcv+0x9e4/0x1190 net/ipv4/ip_input.c:455
 [] __netif_receive_skb_core+0x12d6/0x2940 net/core/dev.c:4019
 [] __netif_receive_skb+0x5b/0x1c0 net/core/dev.c:4054
 [] process_backlog+0x216/0x6a0 net/core/dev.c:4647
 [] napi_poll net/core/dev.c:4885 [inline]
 [] net_rx_action+0x3a2/0xdb0 net/core/dev.c:4950
 [] __do_softirq+0x22c/0xa1a kernel/softirq.c:273
 [] do_softirq_own_stack+0x1c/0x30 arch/x86/entry/entry_64.S:929
 [] do_softirq.part.16+0x54/0x60 kernel/softirq.c:317
 [] do_softirq arch/x86/include/asm/preempt.h:22 [inline]
 [] __local_bh_enable_ip+0xc6/0xd0 kernel/softirq.c:170
 [] __raw_spin_unlock_bh include/linux/spinlock_api_smp.h:178 [inline]
 [] _raw_spin_unlock_bh+0x30/0x40 kernel/locking/spinlock.c:207
 [] spin_unlock_bh include/linux/spinlock.h:352 [inline]
 [] release_sock+0x3b6/0x500 net/core/sock.c:2484
 [] sk_wait_data+0x124/0x3a0 net/core/sock.c:2064
 [] tcp_recvmsg+0x19db/0x2df0 net/ipv4/tcp.c:1777
 [] inet_recvmsg+0x23e/0x4c0 net/ipv4/af_inet.c:786
 [] sock_recvmsg_nosec net/socket.c:740 [inline]
 [] sock_recvmsg+0x91/0xc0 net/socket.c:748
 [] ___sys_recvmsg+0x265/0x590 net/socket.c:2129
 [] __sys_recvmsg+0xd6/0x190 net/socket.c:2175
 [] SYSC_recvmsg net/socket.c:2187 [inline]
 [] SyS_recvmsg+0x2d/0x50 net/socket.c:2182
 [] entry_SYSCALL_64_fastpath+0x22/0x9e
Code: e8 03 42 80 3c 30 00 0f 85 48 03 00 00 4d 39 a7 e8 03 00 00 0f 84 b7 02 00 00 e8 29 05 09 fe 49 8d 7c 24 2c 48 89 f8 48 c1 e8 03 <42> 0f b6 14 30 48 89 f8 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f
RIP [] tcp_rack_mark_lost+0x2f3/0x6f0 net/ipv4/tcp_recovery.c:53
 RSP
------------[ cut here ]------------
WARNING: CPU: 1 PID: 24283 at lib/list_debug.c:29 __list_add+0x120/0x1c0 lib/list_debug.c:26()
list_add corruption. next->prev should be prev (ffff8801db21fef0), but was ffffffff83aaae60. (next=ffff8801b9d41888).