------------[ cut here ]------------ kernel BUG at net/ipv6/route.c:1252! invalid opcode: 0000 [#1] SMP KASAN ================================================================== CPU: 0 PID: 4823 Comm: syz-executor609 Not tainted 4.18.0-rc5-next-20180718+ #10 BUG: KASAN: use-after-free in atomic_sub_return include/asm-generic/atomic-instrumented.h:305 [inline] BUG: KASAN: use-after-free in dst_release+0x2a/0xb0 net/core/dst.c:186 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Write of size 4 at addr ffff8801d2cb1e40 by task syz-executor609/4822 RIP: 0010:rt6_make_pcpu_route net/ipv6/route.c:1252 [inline] RIP: 0010:ip6_pol_route+0xa34/0x13d0 net/ipv6/route.c:1909 CPU: 1 PID: 4822 Comm: syz-executor609 Not tainted 4.18.0-rc5-next-20180718+ #10 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Code: 31 Call Trace: e4 e8 __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x1c9/0x2b4 lib/dump_stack.c:113 af 01 15 fb print_address_description+0x6c/0x20b mm/kasan/report.c:256 4c 89 kasan_report_error mm/kasan/report.c:354 [inline] kasan_report.cold.7+0x242/0x30d mm/kasan/report.c:412 e0 check_memory_region_inline mm/kasan/kasan.c:260 [inline] check_memory_region+0x13e/0x1b0 mm/kasan/kasan.c:267 f0 kasan_check_write+0x14/0x20 mm/kasan/kasan.c:278 4c atomic_sub_return include/asm-generic/atomic-instrumented.h:305 [inline] dst_release+0x2a/0xb0 net/core/dst.c:186 0f inet_sock_destruct+0x6ae/0x9c0 net/ipv4/af_inet.c:159 b1 33 31 ff 49 89 c4 udp_destruct_sock+0x350/0x4a0 net/ipv4/udp.c:1436 48 89 c6 e8 l2tp_tunnel_destruct+0x174/0x290 net/l2tp/l2tp_core.c:1183 da 97 __sk_destruct+0x107/0xa60 net/core/sock.c:1605 d6 fa 4d 85 e4 0f 84 d0 f9 ff ff e8 9c 96 d6 fa __rcu_reclaim kernel/rcu/rcu.h:236 [inline] rcu_do_batch kernel/rcu/tree.c:2576 [inline] invoke_rcu_callbacks kernel/rcu/tree.c:2880 [inline] __rcu_process_callbacks kernel/rcu/tree.c:2847 [inline] rcu_process_callbacks+0xf98/0x2860 kernel/rcu/tree.c:2864 <0f> 0b e8 95 96 d6 fa e8 00 d0 c0 fa 31 ff 89 c6 88 85 a0 fd ff ff RSP: 0018:ffff8801c9fcec20 EFLAGS: 00010293 __do_softirq+0x2e8/0xb17 kernel/softirq.c:288 RAX: ffff8801c8a1c180 RBX: ffffe8ffffc601e8 RCX: ffffffff86a60fd6 RDX: 0000000000000000 RSI: ffffffff86a60fe4 RDI: 0000000000000007 RBP: ffff8801c9fcee90 R08: ffff8801c8a1c180 R09: fffff91ffff8c03d R10: fffff91ffff8c03d R11: ffffe8ffffc601ef R12: ffff8801d2cb1e00 R13: ffff8801d8bc7b80 R14: ffff8801a9b52ac0 R15: ffff8801a9b52b00 FS: 00007f4496d9d700(0000) GS:ffff8801dae00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f4496d9ce78 CR3: 00000001ca3da000 CR4: 00000000001406f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 do_softirq_own_stack+0x2a/0x40 arch/x86/entry/entry_64.S:1050 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: do_softirq.part.18+0x14d/0x190 kernel/softirq.c:332 do_softirq arch/x86/include/asm/preempt.h:23 [inline] __local_bh_enable_ip+0x1ec/0x230 kernel/softirq.c:185 ip6_pol_route_output+0x54/0x70 net/ipv6/route.c:2082 local_bh_enable include/linux/bottom_half.h:32 [inline] pppol2tp_sendmsg+0x4c4/0x6c0 net/l2tp/l2tp_ppp.c:342 fib6_rule_lookup+0x283/0x890 net/ipv6/fib6_rules.c:122 sock_sendmsg_nosec net/socket.c:623 [inline] sock_sendmsg+0xd5/0x120 net/socket.c:633 ___sys_sendmsg+0x51d/0x930 net/socket.c:2107 ip6_route_output_flags+0x2c5/0x350 net/ipv6/route.c:2110 ip6_dst_lookup_tail+0x1278/0x1da0 net/ipv6/ip6_output.c:976 ip6_dst_lookup_flow+0xc8/0x270 net/ipv6/ip6_output.c:1077 ip6_sk_dst_lookup_flow+0x5ed/0xc50 net/ipv6/ip6_output.c:1115 __sys_sendmmsg+0x240/0x6f0 net/socket.c:2202 udpv6_sendmsg+0x216c/0x36c0 net/ipv6/udp.c:1354 __do_sys_sendmmsg net/socket.c:2231 [inline] __se_sys_sendmmsg net/socket.c:2228 [inline] __x64_sys_sendmmsg+0x9d/0x100 net/socket.c:2228 do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290 inet_sendmsg+0x1a1/0x690 net/ipv4/af_inet.c:799 entry_SYSCALL_64_after_hwframe+0x49/0xbe RIP: 0033:0x446ba9 Code: sock_sendmsg_nosec net/socket.c:623 [inline] sock_sendmsg+0xd5/0x120 net/socket.c:633 e8 ___sys_sendmsg+0x51d/0x930 net/socket.c:2107 cc bb 02 00 48 83 __sys_sendmmsg+0x240/0x6f0 net/socket.c:2202 c4 18 c3 0f 1f 80 00 00 __do_sys_sendmmsg net/socket.c:2231 [inline] __se_sys_sendmmsg net/socket.c:2228 [inline] __x64_sys_sendmmsg+0x9d/0x100 net/socket.c:2228 00 do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290 00 48 89 f8 48 89 entry_SYSCALL_64_after_hwframe+0x49/0xbe f7 RIP: 0033:0x446ba9 48 Code: 89 e8 d6 cc 48 bb 89 02 ca 00 4d 48 89 83 c4 c2 18 c3 4d 0f 89 1f c8 80 4c 00 8b 00 4c 00 00 24 48 08 89 0f f8 05 48 <48> 89 3d f7 01 48 f0 89 ff d6 ff 48 0f 89 83 ca eb 4d 08 fc 89 ff c2 c3 66 4d 2e 89 c8 0f 4c 1f 8b 84 4c 00 24 00 08 00 0f 00 05 <48> RSP: 002b:00007f4496dbdda8 EFLAGS: 00000297 3d ORIG_RAX: 0000000000000133 01 RAX: ffffffffffffffda RBX: 00000000006dcc3c RCX: 0000000000446ba9 f0 RDX: 00000000000003e8 RSI: 0000000020005fc0 RDI: 0000000000000004 ff RBP: 00000000006dcc38 R08: 0000000000000000 R09: 0000000000000000 ff R10: 0000000000000000 R11: 0000000000000297 R12: 45c828efc7a64843 0f R13: e6eeb815b9d8a477 R14: 5068caf6f713c6fc R15: 0000000000000001 83 eb 08 Allocated by task 4731: fc save_stack+0x43/0xd0 mm/kasan/kasan.c:448 ff set_track mm/kasan/kasan.c:460 [inline] kasan_kmalloc+0xc4/0xe0 mm/kasan/kasan.c:553 c3 kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:490 66 kmem_cache_alloc+0x12e/0x760 mm/slab.c:3554 2e dst_alloc+0xbb/0x1d0 net/core/dst.c:105 0f ip6_dst_alloc+0x35/0xa0 net/ipv6/route.c:353 1f ip6_rt_pcpu_alloc net/ipv6/route.c:1215 [inline] rt6_make_pcpu_route net/ipv6/route.c:1243 [inline] ip6_pol_route+0x758/0x13d0 net/ipv6/route.c:1909 84 ip6_pol_route_output+0x54/0x70 net/ipv6/route.c:2082 00 fib6_rule_lookup+0x283/0x890 net/ipv6/fib6_rules.c:122 00 ip6_route_output_flags+0x2c5/0x350 net/ipv6/route.c:2110 ip6_route_output include/net/ip6_route.h:88 [inline] ip6_dst_lookup_tail+0xe3f/0x1da0 net/ipv6/ip6_output.c:949 00 ip6_dst_lookup_flow+0xc8/0x270 net/ipv6/ip6_output.c:1077 ip6_datagram_dst_update+0x763/0xf90 net/ipv6/datagram.c:91 00 __ip6_datagram_connect+0x5fe/0x1470 net/ipv6/datagram.c:250 ip6_datagram_connect+0x2f/0x50 net/ipv6/datagram.c:273 RSP: 002b:00007f4496d9cda8 EFLAGS: 00000246 inet_dgram_connect+0x154/0x2e0 net/ipv4/af_inet.c:572 ORIG_RAX: 0000000000000133 __sys_connect+0x37d/0x4c0 net/socket.c:1655 RAX: ffffffffffffffda RBX: 00000000006dcc54 RCX: 0000000000446ba9 __do_sys_connect net/socket.c:1666 [inline] __se_sys_connect net/socket.c:1663 [inline] __x64_sys_connect+0x73/0xb0 net/socket.c:1663 RDX: 00000000000000b8 RSI: 0000000020001b00 RDI: 0000000000000003 do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290 RBP: 00000000006dcc50 R08: 00007f4496d9d700 R09: 0000000000000000 entry_SYSCALL_64_after_hwframe+0x49/0xbe R10: 0000000000000000 R11: 0000000000000246 R12: 45c828efc7a64843 R13: e6eeb815b9d8a477 R14: 5068caf6f713c6fc R15: 0000000000000001 Freed by task 4822: Modules linked in: save_stack+0x43/0xd0 mm/kasan/kasan.c:448 set_track mm/kasan/kasan.c:460 [inline] __kasan_slab_free+0x11a/0x170 mm/kasan/kasan.c:521 Dumping ftrace buffer: kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:528 (ftrace buffer empty) __cache_free mm/slab.c:3498 [inline] kmem_cache_free+0x86/0x2d0 mm/slab.c:3756 dst_destroy+0x267/0x3c0 net/core/dst.c:141 ---[ end trace 954a385cbb759e75 ]--- dst_destroy_rcu+0x16/0x20 net/core/dst.c:154 __rcu_reclaim kernel/rcu/rcu.h:236 [inline] rcu_do_batch kernel/rcu/tree.c:2576 [inline] invoke_rcu_callbacks kernel/rcu/tree.c:2880 [inline] __rcu_process_callbacks kernel/rcu/tree.c:2847 [inline] rcu_process_callbacks+0xf98/0x2860 kernel/rcu/tree.c:2864 __do_softirq+0x2e8/0xb17 kernel/softirq.c:288 RIP: 0010:rt6_make_pcpu_route net/ipv6/route.c:1252 [inline] RIP: 0010:ip6_pol_route+0xa34/0x13d0 net/ipv6/route.c:1909 The buggy address belongs to the object at ffff8801d2cb1e00 which belongs to the cache ip6_dst_cache of size 240 The buggy address is located 64 bytes inside of 240-byte region [ffff8801d2cb1e00, ffff8801d2cb1ef0) Code: The buggy address belongs to the page: page:ffffea00074b2c40 count:1 mapcount:0 mapping:ffff8801cd271180 index:0x0 31 flags: 0x2fffc0000000200(slab) raw: 02fffc0000000200 ffffea000759a148 ffffea0006c1c048 ffff8801cd271180 e4 raw: 0000000000000000 ffff8801d2cb1040 000000010000000c 0000000000000000 page dumped because: kasan: bad access detected e8 Memory state around the buggy address: ffff8801d2cb1d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8801d2cb1d80: fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc af >ffff8801d2cb1e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff8801d2cb1e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc 01 ffff8801d2cb1f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ==================================================================