================================================================== BUG: KASAN: use-after-free in l3mdev_master_ifindex_rcu+0x132/0x150 net/l3mdev/l3mdev.c:24 Read of size 4 at addr ffff88808987021c by task syz-executor.0/26332 CPU: 0 PID: 26332 Comm: syz-executor.0 Not tainted 5.6.0-rc2-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x197/0x210 lib/dump_stack.c:118 print_address_description.constprop.0.cold+0xd4/0x30b mm/kasan/report.c:374 __kasan_report.cold+0x1b/0x32 mm/kasan/report.c:506 kasan_report+0x12/0x20 mm/kasan/common.c:641 __asan_report_load4_noabort+0x14/0x20 mm/kasan/generic_report.c:134 l3mdev_master_ifindex_rcu+0x132/0x150 net/l3mdev/l3mdev.c:24 ipv6_dev_get_saddr+0x7b8/0xc50 net/ipv6/addrconf.c:1817 ip6_route_get_saddr include/net/ip6_route.h:144 [inline] ip6_dst_lookup_tail+0x1218/0x1f20 net/ipv6/ip6_output.c:1030 ip6_dst_lookup_flow+0x8c/0x1d0 net/ipv6/ip6_output.c:1153 sctp_v6_get_dst+0x7e9/0x1d70 net/sctp/ipv6.c:278 sctp_transport_route+0x12d/0x360 net/sctp/transport.c:297 sctp_assoc_add_peer+0x5a8/0x1040 net/sctp/associola.c:659 sctp_process_param net/sctp/sm_make_chunk.c:2523 [inline] sctp_process_init+0x23eb/0x2a50 net/sctp/sm_make_chunk.c:2344 sctp_sf_do_5_1B_init+0x8ba/0xe50 net/sctp/sm_statefuns.c:401 sctp_do_sm+0x121/0x5330 net/sctp/sm_sideeffect.c:1153 sctp_endpoint_bh_rcv+0x417/0x8a0 net/sctp/endpointola.c:395 sctp_inq_push+0x1e4/0x280 net/sctp/inqueue.c:80 sctp_rcv+0xfde/0x3620 net/sctp/input.c:256 sctp6_rcv+0x17/0x30 net/sctp/ipv6.c:1049 ip6_protocol_deliver_rcu+0x2fe/0x1670 net/ipv6/ip6_input.c:432 ip6_input_finish+0x84/0x170 net/ipv6/ip6_input.c:473 NF_HOOK include/linux/netfilter.h:307 [inline] NF_HOOK include/linux/netfilter.h:301 [inline] ip6_input+0xe4/0x3f0 net/ipv6/ip6_input.c:482 dst_input include/net/dst.h:442 [inline] ip6_rcv_finish+0x1de/0x310 net/ipv6/ip6_input.c:76 NF_HOOK include/linux/netfilter.h:307 [inline] NF_HOOK include/linux/netfilter.h:301 [inline] ipv6_rcv+0x10e/0x420 net/ipv6/ip6_input.c:306 __netif_receive_skb_one_core+0x113/0x1a0 net/core/dev.c:5198 __netif_receive_skb+0x2c/0x1d0 net/core/dev.c:5312 process_backlog+0x226/0x780 net/core/dev.c:6144 napi_poll net/core/dev.c:6582 [inline] net_rx_action+0x508/0x1120 net/core/dev.c:6650 __do_softirq+0x262/0x98c kernel/softirq.c:292 do_softirq_own_stack+0x2a/0x40 arch/x86/entry/entry_64.S:1082 do_softirq.part.0+0x11a/0x170 kernel/softirq.c:337 do_softirq kernel/softirq.c:329 [inline] __local_bh_enable_ip+0x211/0x270 kernel/softirq.c:189 local_bh_enable include/linux/bottom_half.h:32 [inline] rcu_read_unlock_bh include/linux/rcupdate.h:690 [inline] ip6_finish_output2+0x1101/0x25c0 net/ipv6/ip6_output.c:117 __ip6_finish_output+0x444/0xaa0 net/ipv6/ip6_output.c:142 ip6_finish_output+0x38/0x1f0 net/ipv6/ip6_output.c:152 NF_HOOK_COND include/linux/netfilter.h:296 [inline] ip6_output+0x25e/0x880 net/ipv6/ip6_output.c:175 dst_output include/net/dst.h:436 [inline] NF_HOOK include/linux/netfilter.h:307 [inline] NF_HOOK include/linux/netfilter.h:301 [inline] ip6_xmit+0xe1a/0x2090 net/ipv6/ip6_output.c:279 sctp_v6_xmit+0x34b/0x6a0 net/sctp/ipv6.c:217 sctp_packet_transmit+0x1ba6/0x3740 net/sctp/output.c:629 sctp_packet_singleton net/sctp/outqueue.c:773 [inline] sctp_outq_flush_ctrl.constprop.0+0x73c/0xd30 net/sctp/outqueue.c:904 sctp_outq_flush+0xe8/0x2780 net/sctp/outqueue.c:1186 sctp_outq_uncork+0x6c/0x80 net/sctp/outqueue.c:758 sctp_cmd_interpreter net/sctp/sm_sideeffect.c:1793 [inline] sctp_side_effects net/sctp/sm_sideeffect.c:1185 [inline] sctp_do_sm+0x50d/0x5330 net/sctp/sm_sideeffect.c:1156 sctp_primitive_ASSOCIATE+0x9d/0xd0 net/sctp/primitive.c:73 __sctp_connect+0xa73/0xcd0 net/sctp/socket.c:1212 __sctp_setsockopt_connectx+0x137/0x1a0 net/sctp/socket.c:1321 sctp_setsockopt_connectx_old net/sctp/socket.c:1337 [inline] sctp_setsockopt net/sctp/socket.c:4691 [inline] sctp_setsockopt+0x1647/0x7350 net/sctp/socket.c:4655 sock_common_setsockopt+0x94/0xd0 net/core/sock.c:3149 __sys_setsockopt+0x261/0x4c0 net/socket.c:2130 __do_sys_setsockopt net/socket.c:2146 [inline] __se_sys_setsockopt net/socket.c:2143 [inline] __x64_sys_setsockopt+0xbe/0x150 net/socket.c:2143 do_syscall_64+0xfa/0x790 arch/x86/entry/common.c:294 entry_SYSCALL_64_after_hwframe+0x49/0xbe RIP: 0033:0x45c449 Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 RSP: 002b:00007fa8149bbc78 EFLAGS: 00000246 ORIG_RAX: 0000000000000036 RAX: ffffffffffffffda RBX: 00007fa8149bc6d4 RCX: 000000000045c449 RDX: 000000000000006b RSI: 0000000000000084 RDI: 0000000000000005 RBP: 000000000076bfc0 R08: 000000000000001c R09: 0000000000000000 R10: 00000000200001c0 R11: 0000000000000246 R12: 00000000ffffffff R13: 0000000000000ab3 R14: 00000000004d6630 R15: 000000000076bfcc Allocated by task 11159: save_stack+0x23/0x90 mm/kasan/common.c:72 set_track mm/kasan/common.c:80 [inline] __kasan_kmalloc mm/kasan/common.c:515 [inline] __kasan_kmalloc.constprop.0+0xcf/0xe0 mm/kasan/common.c:488 kasan_kmalloc+0x9/0x10 mm/kasan/common.c:529 __do_kmalloc_node mm/slab.c:3616 [inline] __kmalloc_node+0x4e/0x70 mm/slab.c:3623 kmalloc_node include/linux/slab.h:578 [inline] kvmalloc_node+0x68/0x100 mm/util.c:574 kvmalloc include/linux/mm.h:645 [inline] kvzalloc include/linux/mm.h:653 [inline] alloc_netdev_mqs+0x98/0xe40 net/core/dev.c:9797 vti6_init_net+0x244/0x810 net/ipv6/ip6_vti.c:1119 ops_init+0xb3/0x420 net/core/net_namespace.c:137 setup_net+0x2d5/0x8b0 net/core/net_namespace.c:327 copy_net_ns+0x29e/0x5a0 net/core/net_namespace.c:468 create_new_namespaces+0x403/0xb50 kernel/nsproxy.c:108 unshare_nsproxy_namespaces+0xc2/0x200 kernel/nsproxy.c:229 ksys_unshare+0x444/0x980 kernel/fork.c:2955 __do_sys_unshare kernel/fork.c:3023 [inline] __se_sys_unshare kernel/fork.c:3021 [inline] __x64_sys_unshare+0x31/0x40 kernel/fork.c:3021 do_syscall_64+0xfa/0x790 arch/x86/entry/common.c:294 entry_SYSCALL_64_after_hwframe+0x49/0xbe Freed by task 26202: save_stack+0x23/0x90 mm/kasan/common.c:72 set_track mm/kasan/common.c:80 [inline] kasan_set_free_info mm/kasan/common.c:337 [inline] __kasan_slab_free+0x102/0x150 mm/kasan/common.c:476 kasan_slab_free+0xe/0x10 mm/kasan/common.c:485 __cache_free mm/slab.c:3426 [inline] kfree+0x10a/0x2c0 mm/slab.c:3757 __netdev_name_node_alt_destroy+0x1ff/0x2a0 net/core/dev.c:322 netdev_name_node_alt_destroy+0x57/0x80 net/core/dev.c:334 rtnl_alt_ifname net/core/rtnetlink.c:3518 [inline] rtnl_linkprop.isra.0+0x575/0x6f0 net/core/rtnetlink.c:3567 rtnl_dellinkprop+0x46/0x60 net/core/rtnetlink.c:3588 rtnetlink_rcv_msg+0x45e/0xaf0 net/core/rtnetlink.c:5438 netlink_rcv_skb+0x177/0x450 net/netlink/af_netlink.c:2477 rtnetlink_rcv+0x1d/0x30 net/core/rtnetlink.c:5456 netlink_unicast_kernel net/netlink/af_netlink.c:1302 [inline] netlink_unicast+0x59e/0x7e0 net/netlink/af_netlink.c:1328 netlink_sendmsg+0x91c/0xea0 net/netlink/af_netlink.c:1917 sock_sendmsg_nosec net/socket.c:652 [inline] sock_sendmsg+0xd7/0x130 net/socket.c:672 ____sys_sendmsg+0x753/0x880 net/socket.c:2343 ___sys_sendmsg+0x100/0x170 net/socket.c:2397 __sys_sendmsg+0x105/0x1d0 net/socket.c:2430 __do_sys_sendmsg net/socket.c:2439 [inline] __se_sys_sendmsg net/socket.c:2437 [inline] __x64_sys_sendmsg+0x78/0xb0 net/socket.c:2437 do_syscall_64+0xfa/0x790 arch/x86/entry/common.c:294 entry_SYSCALL_64_after_hwframe+0x49/0xbe The buggy address belongs to the object at ffff888089870000 which belongs to the cache kmalloc-4k of size 4096 The buggy address is located 540 bytes inside of 4096-byte region [ffff888089870000, ffff888089871000) The buggy address belongs to the page: page:ffffea0002261c00 refcount:1 mapcount:0 mapping:ffff8880aa402000 index:0x0 compound_mapcount: 0 flags: 0xfffe0000010200(slab|head) raw: 00fffe0000010200 ffffea00025ee688 ffffea0002359508 ffff8880aa402000 raw: 0000000000000000 ffff888089870000 0000000100000001 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff888089870100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff888089870180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff888089870200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff888089870280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff888089870300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ==================================================================