binder: 6101:6126 transaction failed 29201/-71, size 0-48 line 2923 ================================================================== BUG: KASAN: use-after-free in ip6_dst_ifdown+0x2f1/0x320 net/ipv6/route.c:400 at addr ffff8801c6f9db00 Read of size 8 by task syz-executor0/6168 CPU: 1 PID: 6168 Comm: syz-executor0 Not tainted 4.9.65-g73378e2 #99 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 ffff8801c47cf698 ffffffff81d90469 ffff8801da001140 ffff8801c6f9db00 ffff8801c6f9df00 ffffed0038df3b60 ffff8801c6f9db00 ffff8801c47cf6c0 ffffffff8153a3fc ffffed0038df3b60 ffff8801da001140 0000000000000000 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xc1/0x128 lib/dump_stack.c:51 [] kasan_object_err+0x1c/0x70 mm/kasan/report.c:160 [] print_address_description mm/kasan/report.c:198 [inline] [] kasan_report_error mm/kasan/report.c:287 [inline] [] kasan_report.part.1+0x21c/0x500 mm/kasan/report.c:309 [] kasan_report mm/kasan/report.c:330 [inline] [] __asan_report_load8_noabort+0x29/0x30 mm/kasan/report.c:330 [] ip6_dst_ifdown+0x2f1/0x320 net/ipv6/route.c:400 [] dst_ifdown+0x75/0x230 net/core/dst.c:440 [] dst_dev_event+0xb1/0x2e0 net/core/dst.c:467 [] notifier_call_chain+0x90/0x1a0 kernel/notifier.c:93 [] __raw_notifier_call_chain kernel/notifier.c:394 [inline] [] raw_notifier_call_chain+0x2d/0x40 kernel/notifier.c:401 [] call_netdevice_notifiers_info+0x51/0x90 net/core/dev.c:1646 [] call_netdevice_notifiers net/core/dev.c:1662 [inline] [] netdev_run_todo+0x17a/0x6b0 net/core/dev.c:7499 [] rtnl_unlock+0xe/0x10 net/core/rtnetlink.c:104 [] tun_detach drivers/net/tun.c:579 [inline] [] tun_chr_close+0x49/0x60 drivers/net/tun.c:2379 [] __fput+0x28c/0x6e0 fs/file_table.c:208 [] ____fput+0x15/0x20 fs/file_table.c:244 [] task_work_run+0x115/0x190 kernel/task_work.c:116 [] exit_task_work include/linux/task_work.h:21 [inline] [] do_exit+0x7e7/0x2a40 kernel/exit.c:833 [] do_group_exit+0x108/0x320 kernel/exit.c:937 [] get_signal+0x4d4/0x14e0 kernel/signal.c:2315 [] do_signal+0x87/0x1a00 arch/x86/kernel/signal.c:807 [] exit_to_usermode_loop+0xe1/0x120 arch/x86/entry/common.c:156 [] prepare_exit_to_usermode arch/x86/entry/common.c:190 [inline] [] syscall_return_slowpath+0x1a0/0x1e0 arch/x86/entry/common.c:259 [] entry_SYSCALL_64_fastpath+0xc4/0xc6 Object at ffff8801c6f9db00, in cache kmalloc-1024 size: 1024 Allocated: PID = 3330 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 save_stack+0x43/0xd0 mm/kasan/kasan.c:495 set_track mm/kasan/kasan.c:507 [inline] kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598 kmem_cache_alloc_trace+0xfb/0x2a0 mm/slub.c:2742 kmalloc include/linux/slab.h:490 [inline] kzalloc include/linux/slab.h:636 [inline] ipv6_add_dev+0xbb/0x1000 net/ipv6/addrconf.c:371 addrconf_notify+0xa5e/0x2190 net/ipv6/addrconf.c:3356 notifier_call_chain+0x90/0x1a0 kernel/notifier.c:93 __raw_notifier_call_chain kernel/notifier.c:394 [inline] raw_notifier_call_chain+0x2d/0x40 kernel/notifier.c:401 call_netdevice_notifiers_info+0x51/0x90 net/core/dev.c:1646 call_netdevice_notifiers net/core/dev.c:1662 [inline] register_netdevice+0xb92/0xea0 net/core/dev.c:7294 register_netdev+0x1a/0x30 net/core/dev.c:7377 loopback_net_init+0x76/0x160 drivers/net/loopback.c:202 ops_init+0xa9/0x3a0 net/core/net_namespace.c:111 setup_net+0x1b2/0x3e0 net/core/net_namespace.c:291 copy_net_ns+0x189/0x280 net/core/net_namespace.c:389 create_new_namespaces+0x37f/0x730 kernel/nsproxy.c:106 copy_namespaces+0x291/0x320 kernel/nsproxy.c:164 copy_process.part.51+0x1c99/0x5d40 kernel/fork.c:1667 copy_process kernel/fork.c:1491 [inline] _do_fork+0x1c0/0xd70 kernel/fork.c:1949 SYSC_clone kernel/fork.c:2059 [inline] SyS_clone+0x37/0x50 kernel/fork.c:2053 do_syscall_64+0x197/0x490 arch/x86/entry/common.c:280 return_from_SYSCALL_64+0x0/0x7a Freed: PID = 3 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 save_stack+0x43/0xd0 mm/kasan/kasan.c:495 set_track mm/kasan/kasan.c:507 [inline] kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:571 slab_free_hook mm/slub.c:1355 [inline] slab_free_freelist_hook mm/slub.c:1377 [inline] slab_free mm/slub.c:2958 [inline] kfree+0xf0/0x2f0 mm/slub.c:3878 in6_dev_finish_destroy_rcu+0x9d/0xc0 net/ipv6/addrconf_core.c:150 __rcu_reclaim kernel/rcu/rcu.h:118 [inline] rcu_do_batch kernel/rcu/tree.c:2789 [inline] invoke_rcu_callbacks kernel/rcu/tree.c:3053 [inline] __rcu_process_callbacks kernel/rcu/tree.c:3020 [inline] rcu_process_callbacks+0x871/0x12c0 kernel/rcu/tree.c:3037 __do_softirq+0x206/0x951 kernel/softirq.c:284 Memory state around the buggy address: ffff8801c6f9da00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8801c6f9da80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff8801c6f9db00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff8801c6f9db80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8801c6f9dc00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ================================================================== ================================================================== BUG: KASAN: use-after-free in ip6_dst_ifdown+0x2f1/0x320 net/ipv6/route.c:400 at addr ffff8801c6f9db00 Read of size 8 by task syz-executor0/6168 CPU: 1 PID: 6168 Comm: syz-executor0 Tainted: G B 4.9.65-g73378e2 #99 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 ffff8801c47cf698 ffffffff81d90469 ffff8801da001140 ffff8801c6f9db00 ffff8801c6f9df00 ffffed0038df3b60 ffff8801c6f9db00 ffff8801c47cf6c0 ffffffff8153a3fc ffffed0038df3b60 ffff8801da001140 0000000000000000 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xc1/0x128 lib/dump_stack.c:51 [] kasan_object_err+0x1c/0x70 mm/kasan/report.c:160 [] print_address_description mm/kasan/report.c:198 [inline] [] kasan_report_error mm/kasan/report.c:287 [inline] [] kasan_report.part.1+0x21c/0x500 mm/kasan/report.c:309 [] kasan_report mm/kasan/report.c:330 [inline] [] __asan_report_load8_noabort+0x29/0x30 mm/kasan/report.c:330 [] ip6_dst_ifdown+0x2f1/0x320 net/ipv6/route.c:400 [] dst_ifdown+0x75/0x230 net/core/dst.c:440 [] dst_dev_event+0xb1/0x2e0 net/core/dst.c:467 [] notifier_call_chain+0x90/0x1a0 kernel/notifier.c:93 [] __raw_notifier_call_chain kernel/notifier.c:394 [inline] [] raw_notifier_call_chain+0x2d/0x40 kernel/notifier.c:401 [] call_netdevice_notifiers_info+0x51/0x90 net/core/dev.c:1646 [] call_netdevice_notifiers net/core/dev.c:1662 [inline] [] netdev_run_todo+0x17a/0x6b0 net/core/dev.c:7499 [] rtnl_unlock+0xe/0x10 net/core/rtnetlink.c:104 [] tun_detach drivers/net/tun.c:579 [inline] [] tun_chr_close+0x49/0x60 drivers/net/tun.c:2379 [] __fput+0x28c/0x6e0 fs/file_table.c:208 [] ____fput+0x15/0x20 fs/file_table.c:244 [] task_work_run+0x115/0x190 kernel/task_work.c:116 [] exit_task_work include/linux/task_work.h:21 [inline] [] do_exit+0x7e7/0x2a40 kernel/exit.c:833 [] do_group_exit+0x108/0x320 kernel/exit.c:937 [] get_signal+0x4d4/0x14e0 kernel/signal.c:2315 [] do_signal+0x87/0x1a00 arch/x86/kernel/signal.c:807 [] exit_to_usermode_loop+0xe1/0x120 arch/x86/entry/common.c:156 [] prepare_exit_to_usermode arch/x86/entry/common.c:190 [inline] [] syscall_return_slowpath+0x1a0/0x1e0 arch/x86/entry/common.c:259 [] entry_SYSCALL_64_fastpath+0xc4/0xc6 Object at ffff8801c6f9db00, in cache kmalloc-1024 size: 1024 Allocated: PID = 3330 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 save_stack+0x43/0xd0 mm/kasan/kasan.c:495 set_track mm/kasan/kasan.c:507 [inline] kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598 kmem_cache_alloc_trace+0xfb/0x2a0 mm/slub.c:2742 kmalloc include/linux/slab.h:490 [inline] kzalloc include/linux/slab.h:636 [inline] ipv6_add_dev+0xbb/0x1000 net/ipv6/addrconf.c:371 addrconf_notify+0xa5e/0x2190 net/ipv6/addrconf.c:3356 notifier_call_chain+0x90/0x1a0 kernel/notifier.c:93 __raw_notifier_call_chain kernel/notifier.c:394 [inline] raw_notifier_call_chain+0x2d/0x40 kernel/notifier.c:401 call_netdevice_notifiers_info+0x51/0x90 net/core/dev.c:1646 call_netdevice_notifiers net/core/dev.c:1662 [inline] register_netdevice+0xb92/0xea0 net/core/dev.c:7294 register_netdev+0x1a/0x30 net/core/dev.c:7377 loopback_net_init+0x76/0x160 drivers/net/loopback.c:202 ops_init+0xa9/0x3a0 net/core/net_namespace.c:111 setup_net+0x1b2/0x3e0 net/core/net_namespace.c:291 copy_net_ns+0x189/0x280 net/core/net_namespace.c:389 create_new_namespaces+0x37f/0x730 kernel/nsproxy.c:106 copy_namespaces+0x291/0x320 kernel/nsproxy.c:164 copy_process.part.51+0x1c99/0x5d40 kernel/fork.c:1667 copy_process kernel/fork.c:1491 [inline] _do_fork+0x1c0/0xd70 kernel/fork.c:1949 SYSC_clone kernel/fork.c:2059 [inline] SyS_clone+0x37/0x50 kernel/fork.c:2053 do_syscall_64+0x197/0x490 arch/x86/entry/common.c:280 return_from_SYSCALL_64+0x0/0x7a Freed: PID = 3 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 save_stack+0x43/0xd0 mm/kasan/kasan.c:495 set_track mm/kasan/kasan.c:507 [inline] kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:571 slab_free_hook mm/slub.c:1355 [inline] slab_free_freelist_hook mm/slub.c:1377 [inline] slab_free mm/slub.c:2958 [inline] kfree+0xf0/0x2f0 mm/slub.c:3878 in6_dev_finish_destroy_rcu+0x9d/0xc0 net/ipv6/addrconf_core.c:150 __rcu_reclaim kernel/rcu/rcu.h:118 [inline] rcu_do_batch kernel/rcu/tree.c:2789 [inline] invoke_rcu_callbacks kernel/rcu/tree.c:3053 [inline] __rcu_process_callbacks kernel/rcu/tree.c:3020 [inline] rcu_process_callbacks+0x871/0x12c0 kernel/rcu/tree.c:3037 __do_softirq+0x206/0x951 kernel/softirq.c:284 Memory state around the buggy address: ffff8801c6f9da00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8801c6f9da80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff8801c6f9db00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff8801c6f9db80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8801c6f9dc00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ================================================================== ================================================================== BUG: KASAN: use-after-free in ip6_dst_ifdown+0x2f1/0x320 net/ipv6/route.c:400 at addr ffff8801c6f9db00 Read of size 8 by task syz-executor5/6158 CPU: 1 PID: 6158 Comm: syz-executor5 Tainted: G B 4.9.65-g73378e2 #99 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 ffff8801a6c87698 ffffffff81d90469 ffff8801da001140 ffff8801c6f9db00 ffff8801c6f9df00 ffffed0038df3b60 ffff8801c6f9db00 ffff8801a6c876c0 ffffffff8153a3fc ffffed0038df3b60 ffff8801da001140 0000000000000000 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xc1/0x128 lib/dump_stack.c:51 [] kasan_object_err+0x1c/0x70 mm/kasan/report.c:160 [] print_address_description mm/kasan/report.c:198 [inline] [] kasan_report_error mm/kasan/report.c:287 [inline] [] kasan_report.part.1+0x21c/0x500 mm/kasan/report.c:309 [] kasan_report mm/kasan/report.c:330 [inline] [] __asan_report_load8_noabort+0x29/0x30 mm/kasan/report.c:330 [] ip6_dst_ifdown+0x2f1/0x320 net/ipv6/route.c:400 [] dst_ifdown+0x75/0x230 net/core/dst.c:440 [] dst_dev_event+0xb1/0x2e0 net/core/dst.c:467 [] notifier_call_chain+0x90/0x1a0 kernel/notifier.c:93 [] __raw_notifier_call_chain kernel/notifier.c:394 [inline] [] raw_notifier_call_chain+0x2d/0x40 kernel/notifier.c:401 [] call_netdevice_notifiers_info+0x51/0x90 net/core/dev.c:1646 [] call_netdevice_notifiers net/core/dev.c:1662 [inline] [] netdev_run_todo+0x17a/0x6b0 net/core/dev.c:7499 [] rtnl_unlock+0xe/0x10 net/core/rtnetlink.c:104 [] tun_detach drivers/net/tun.c:579 [inline] [] tun_chr_close+0x49/0x60 drivers/net/tun.c:2379 [] __fput+0x28c/0x6e0 fs/file_table.c:208 [] ____fput+0x15/0x20 fs/file_table.c:244 [] task_work_run+0x115/0x190 kernel/task_work.c:116 [] exit_task_work include/linux/task_work.h:21 [inline] [] do_exit+0x7e7/0x2a40 kernel/exit.c:833 [] do_group_exit+0x108/0x320 kernel/exit.c:937 [] get_signal+0x4d4/0x14e0 kernel/signal.c:2315 [] do_signal+0x87/0x1a00 arch/x86/kernel/signal.c:807 [] exit_to_usermode_loop+0xe1/0x120 arch/x86/entry/common.c:156 [] prepare_exit_to_usermode arch/x86/entry/common.c:190 [inline] [] syscall_return_slowpath+0x1a0/0x1e0 arch/x86/entry/common.c:259 [] entry_SYSCALL_64_fastpath+0xc4/0xc6 Object at ffff8801c6f9db00, in cache kmalloc-1024 size: 1024 Allocated: PID = 3330 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 save_stack+0x43/0xd0 mm/kasan/kasan.c:495 set_track mm/kasan/kasan.c:507 [inline] kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598 kmem_cache_alloc_trace+0xfb/0x2a0 mm/slub.c:2742 kmalloc include/linux/slab.h:490 [inline] kzalloc include/linux/slab.h:636 [inline] ipv6_add_dev+0xbb/0x1000 net/ipv6/addrconf.c:371 addrconf_notify+0xa5e/0x2190 net/ipv6/addrconf.c:3356 notifier_call_chain+0x90/0x1a0 kernel/notifier.c:93 __raw_notifier_call_chain kernel/notifier.c:394 [inline] raw_notifier_call_chain+0x2d/0x40 kernel/notifier.c:401 call_netdevice_notifiers_info+0x51/0x90 net/core/dev.c:1646 call_netdevice_notifiers net/core/dev.c:1662 [inline] register_netdevice+0xb92/0xea0 net/core/dev.c:7294 register_netdev+0x1a/0x30 net/core/dev.c:7377 loopback_net_init+0x76/0x160 drivers/net/loopback.c:202 ops_init+0xa9/0x3a0 net/core/net_namespace.c:111 setup_net+0x1b2/0x3e0 net/core/net_namespace.c:291 copy_net_ns+0x189/0x280 net/core/net_namespace.c:389 create_new_namespaces+0x37f/0x730 kernel/nsproxy.c:106 copy_namespaces+0x291/0x320 kernel/nsproxy.c:164 copy_process.part.51+0x1c99/0x5d40 kernel/fork.c:1667 copy_process kernel/fork.c:1491 [inline] _do_fork+0x1c0/0xd70 kernel/fork.c:1949 SYSC_clone kernel/fork.c:2059 [inline] SyS_clone+0x37/0x50 kernel/fork.c:2053 do_syscall_64+0x197/0x490 arch/x86/entry/common.c:280 return_from_SYSCALL_64+0x0/0x7a Freed: PID = 3 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 save_stack+0x43/0xd0 mm/kasan/kasan.c:495 set_track mm/kasan/kasan.c:507 [inline] kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:571 slab_free_hook mm/slub.c:1355 [inline] slab_free_freelist_hook mm/slub.c:1377 [inline] slab_free mm/slub.c:2958 [inline] kfree+0xf0/0x2f0 mm/slub.c:3878 in6_dev_finish_destroy_rcu+0x9d/0xc0 net/ipv6/addrconf_core.c:150 __rcu_reclaim kernel/rcu/rcu.h:118 [inline] rcu_do_batch kernel/rcu/tree.c:2789 [inline] invoke_rcu_callbacks kernel/rcu/tree.c:3053 [inline] __rcu_process_callbacks kernel/rcu/tree.c:3020 [inline] rcu_process_callbacks+0x871/0x12c0 kernel/rcu/tree.c:3037 __do_softirq+0x206/0x951 kernel/softirq.c:284 Memory state around the buggy address: ffff8801c6f9da00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8801c6f9da80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff8801c6f9db00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff8801c6f9db80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8801c6f9dc00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ================================================================== ================================================================== BUG: KASAN: use-after-free in ip6_dst_ifdown+0x2f1/0x320 net/ipv6/route.c:400 at addr ffff8801c6f9db00 Read of size 8 by task syz-executor5/6158 CPU: 1 PID: 6158 Comm: syz-executor5 Tainted: G B 4.9.65-g73378e2 #99 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 ffff8801a6c87698 ffffffff81d90469 ffff8801da001140 ffff8801c6f9db00 ffff8801c6f9df00 ffffed0038df3b60 ffff8801c6f9db00 ffff8801a6c876c0 ffffffff8153a3fc ffffed0038df3b60 ffff8801da001140 0000000000000000 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xc1/0x128 lib/dump_stack.c:51 [] kasan_object_err+0x1c/0x70 mm/kasan/report.c:160 [] print_address_description mm/kasan/report.c:198 [inline] [] kasan_report_error mm/kasan/report.c:287 [inline] [] kasan_report.part.1+0x21c/0x500 mm/kasan/report.c:309 [] kasan_report mm/kasan/report.c:330 [inline] [] __asan_report_load8_noabort+0x29/0x30 mm/kasan/report.c:330 [] ip6_dst_ifdown+0x2f1/0x320 net/ipv6/route.c:400 [] dst_ifdown+0x75/0x230 net/core/dst.c:440 [] dst_dev_event+0xb1/0x2e0 net/core/dst.c:467 [] notifier_call_chain+0x90/0x1a0 kernel/notifier.c:93 [] __raw_notifier_call_chain kernel/notifier.c:394 [inline] [] raw_notifier_call_chain+0x2d/0x40 kernel/notifier.c:401 [] call_netdevice_notifiers_info+0x51/0x90 net/core/dev.c:1646 [] call_netdevice_notifiers net/core/dev.c:1662 [inline] [] netdev_run_todo+0x17a/0x6b0 net/core/dev.c:7499 [] rtnl_unlock+0xe/0x10 net/core/rtnetlink.c:104 [] tun_detach drivers/net/tun.c:579 [inline] [] tun_chr_close+0x49/0x60 drivers/net/tun.c:2379 [] __fput+0x28c/0x6e0 fs/file_table.c:208 [] ____fput+0x15/0x20 fs/file_table.c:244 [] task_work_run+0x115/0x190 kernel/task_work.c:116 [] exit_task_work include/linux/task_work.h:21 [inline] [] do_exit+0x7e7/0x2a40 kernel/exit.c:833 [] do_group_exit+0x108/0x320 kernel/exit.c:937 [] get_signal+0x4d4/0x14e0 kernel/signal.c:2315 [] do_signal+0x87/0x1a00 arch/x86/kernel/signal.c:807 [] exit_to_usermode_loop+0xe1/0x120 arch/x86/entry/common.c:156 [] prepare_exit_to_usermode arch/x86/entry/common.c:190 [inline] [] syscall_return_slowpath+0x1a0/0x1e0 arch/x86/entry/common.c:259 [] entry_SYSCALL_64_fastpath+0xc4/0xc6 Object at ffff8801c6f9db00, in cache kmalloc-1024 size: 1024 Allocated: PID = 3330 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 save_stack+0x43/0xd0 mm/kasan/kasan.c:495 set_track mm/kasan/kasan.c:507 [inline] kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598 kmem_cache_alloc_trace+0xfb/0x2a0 mm/slub.c:2742 kmalloc include/linux/slab.h:490 [inline] kzalloc include/linux/slab.h:636 [inline] ipv6_add_dev+0xbb/0x1000 net/ipv6/addrconf.c:371 addrconf_notify+0xa5e/0x2190 net/ipv6/addrconf.c:3356 notifier_call_chain+0x90/0x1a0 kernel/notifier.c:93 __raw_notifier_call_chain kernel/notifier.c:394 [inline] raw_notifier_call_chain+0x2d/0x40 kernel/notifier.c:401 call_netdevice_notifiers_info+0x51/0x90 net/core/dev.c:1646 call_netdevice_notifiers net/core/dev.c:1662 [inline] register_netdevice+0xb92/0xea0 net/core/dev.c:7294 register_netdev+0x1a/0x30 net/core/dev.c:7377 loopback_net_init+0x76/0x160 drivers/net/loopback.c:202 ops_init+0xa9/0x3a0 net/core/net_namespace.c:111 setup_net+0x1b2/0x3e0 net/core/net_namespace.c:291 copy_net_ns+0x189/0x280 net/core/net_namespace.c:389 create_new_namespaces+0x37f/0x730 kernel/nsproxy.c:106 copy_namespaces+0x291/0x320 kernel/nsproxy.c:164 copy_process.part.51+0x1c99/0x5d40 kernel/fork.c:1667 copy_process kernel/fork.c:1491 [inline] _do_fork+0x1c0/0xd70 kernel/fork.c:1949 SYSC_clone kernel/fork.c:2059 [inline] SyS_clone+0x37/0x50 kernel/fork.c:2053 do_syscall_64+0x197/0x490 arch/x86/entry/common.c:280 return_from_SYSCALL_64+0x0/0x7a Freed: PID = 3 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 save_stack+0x43/0xd0 mm/kasan/kasan.c:495 set_track mm/kasan/kasan.c:507 [inline] kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:571 slab_free_hook mm/slub.c:1355 [inline] slab_free_freelist_hook mm/slub.c:1377 [inline] slab_free mm/slub.c:2958 [inline] kfree+0xf0/0x2f0 mm/slub.c:3878 in6_dev_finish_destroy_rcu+0x9d/0xc0 net/ipv6/addrconf_core.c:150 __rcu_reclaim kernel/rcu/rcu.h:118 [inline] rcu_do_batch kernel/rcu/tree.c:2789 [inline] invoke_rcu_callbacks kernel/rcu/tree.c:3053 [inline] __rcu_process_callbacks kernel/rcu/tree.c:3020 [inline] rcu_process_callbacks+0x871/0x12c0 kernel/rcu/tree.c:3037 __do_softirq+0x206/0x951 kernel/softirq.c:284 Memory state around the buggy address: ffff8801c6f9da00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8801c6f9da80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff8801c6f9db00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff8801c6f9db80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8801c6f9dc00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ================================================================== netlink: 2 bytes leftover after parsing attributes in process `syz-executor6'. netlink: 2 bytes leftover after parsing attributes in process `syz-executor6'. binder: 6241:6242 got transaction with invalid offsets size, 4 binder: 6241:6242 transaction failed 29201/-22, size 0-4 line 3166 binder: BINDER_SET_CONTEXT_MGR already set SELinux: unrecognized netlink message: protocol=4 nlmsg_type=770 sclass=netlink_tcpdiag_socket pig=6260 comm=syz-executor3 SELinux: unrecognized netlink message: protocol=4 nlmsg_type=770 sclass=netlink_tcpdiag_socket pig=6262 comm=syz-executor3 binder: 6241:6242 ioctl 40046207 0 returned -16 binder_alloc: 6241: binder_alloc_buf, no vma binder: 6241:6264 transaction failed 29189/-3, size 0-4 line 3130 ================================================================== BUG: KASAN: use-after-free in ip6_dst_ifdown+0x2f1/0x320 net/ipv6/route.c:400 at addr ffff8801c6f9db00 Read of size 8 by task syz-executor4/6276 CPU: 0 PID: 6276 Comm: syz-executor4 Tainted: G B 4.9.65-g73378e2 #99 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 ffff8801a7e874f0 ffffffff81d90469 ffff8801da001140 ffff8801c6f9db00 ffff8801c6f9df00 ffffed0038df3b60 ffff8801c6f9db00 ffff8801a7e87518 ffffffff8153a3fc ffffed0038df3b60 ffff8801da001140 0000000000000000 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xc1/0x128 lib/dump_stack.c:51 [] kasan_object_err+0x1c/0x70 mm/kasan/report.c:160 [] print_address_description mm/kasan/report.c:198 [inline] [] kasan_report_error mm/kasan/report.c:287 [inline] [] kasan_report.part.1+0x21c/0x500 mm/kasan/report.c:309 [] kasan_report mm/kasan/report.c:330 [inline] [] __asan_report_load8_noabort+0x29/0x30 mm/kasan/report.c:330 [] ip6_dst_ifdown+0x2f1/0x320 net/ipv6/route.c:400 netlink: 8 bytes leftover after parsing attributes in process `syz-executor7'. [] dst_ifdown+0x75/0x230 net/core/dst.c:440 [] dst_dev_event+0xb1/0x2e0 net/core/dst.c:467 [] notifier_call_chain+0x90/0x1a0 kernel/notifier.c:93 [] __raw_notifier_call_chain kernel/notifier.c:394 [inline] [] raw_notifier_call_chain+0x2d/0x40 kernel/notifier.c:401 [] call_netdevice_notifiers_info+0x51/0x90 net/core/dev.c:1646 [] call_netdevice_notifiers net/core/dev.c:1662 [inline] [] dev_close_many+0x254/0x370 net/core/dev.c:1455 [] rollback_registered_many+0x27a/0x960 net/core/dev.c:6783 netlink: 8 bytes leftover after parsing attributes in process `syz-executor7'. [] rollback_registered+0x81/0xb0 net/core/dev.c:6846 [] unregister_netdevice_queue+0x81/0x140 net/core/dev.c:7833 [] unregister_netdevice include/linux/netdevice.h:2458 [inline] [] __tun_detach+0xa2c/0xc20 drivers/net/tun.c:567 [] tun_detach drivers/net/tun.c:578 [inline] [] tun_chr_close+0x44/0x60 drivers/net/tun.c:2379 [] __fput+0x28c/0x6e0 fs/file_table.c:208 [] ____fput+0x15/0x20 fs/file_table.c:244 [] task_work_run+0x115/0x190 kernel/task_work.c:116 [] exit_task_work include/linux/task_work.h:21 [inline] [] do_exit+0x7e7/0x2a40 kernel/exit.c:833 [] do_group_exit+0x108/0x320 kernel/exit.c:937 [] get_signal+0x4d4/0x14e0 kernel/signal.c:2315 [] do_signal+0x87/0x1a00 arch/x86/kernel/signal.c:807 [] exit_to_usermode_loop+0xe1/0x120 arch/x86/entry/common.c:156 [] prepare_exit_to_usermode arch/x86/entry/common.c:190 [inline] [] syscall_return_slowpath+0x1a0/0x1e0 arch/x86/entry/common.c:259 [] entry_SYSCALL_64_fastpath+0xc4/0xc6 Object at ffff8801c6f9db00, in cache kmalloc-1024 size: 1024 Allocated: PID = 3330 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 save_stack+0x43/0xd0 mm/kasan/kasan.c:495 set_track mm/kasan/kasan.c:507 [inline] kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598 kmem_cache_alloc_trace+0xfb/0x2a0 mm/slub.c:2742 kmalloc include/linux/slab.h:490 [inline] kzalloc include/linux/slab.h:636 [inline] ipv6_add_dev+0xbb/0x1000 net/ipv6/addrconf.c:371 addrconf_notify+0xa5e/0x2190 net/ipv6/addrconf.c:3356 notifier_call_chain+0x90/0x1a0 kernel/notifier.c:93 __raw_notifier_call_chain kernel/notifier.c:394 [inline] raw_notifier_call_chain+0x2d/0x40 kernel/notifier.c:401 call_netdevice_notifiers_info+0x51/0x90 net/core/dev.c:1646 call_netdevice_notifiers net/core/dev.c:1662 [inline] register_netdevice+0xb92/0xea0 net/core/dev.c:7294 register_netdev+0x1a/0x30 net/core/dev.c:7377 loopback_net_init+0x76/0x160 drivers/net/loopback.c:202 ops_init+0xa9/0x3a0 net/core/net_namespace.c:111 setup_net+0x1b2/0x3e0 net/core/net_namespace.c:291 copy_net_ns+0x189/0x280 net/core/net_namespace.c:389 create_new_namespaces+0x37f/0x730 kernel/nsproxy.c:106 copy_namespaces+0x291/0x320 kernel/nsproxy.c:164 copy_process.part.51+0x1c99/0x5d40 kernel/fork.c:1667 copy_process kernel/fork.c:1491 [inline] _do_fork+0x1c0/0xd70 kernel/fork.c:1949 SYSC_clone kernel/fork.c:2059 [inline] SyS_clone+0x37/0x50 kernel/fork.c:2053 do_syscall_64+0x197/0x490 arch/x86/entry/common.c:280 return_from_SYSCALL_64+0x0/0x7a Freed: PID = 3 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 save_stack+0x43/0xd0 mm/kasan/kasan.c:495 set_track mm/kasan/kasan.c:507 [inline] kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:571 slab_free_hook mm/slub.c:1355 [inline] slab_free_freelist_hook mm/slub.c:1377 [inline] slab_free mm/slub.c:2958 [inline] kfree+0xf0/0x2f0 mm/slub.c:3878 in6_dev_finish_destroy_rcu+0x9d/0xc0 net/ipv6/addrconf_core.c:150 __rcu_reclaim kernel/rcu/rcu.h:118 [inline] rcu_do_batch kernel/rcu/tree.c:2789 [inline] invoke_rcu_callbacks kernel/rcu/tree.c:3053 [inline] __rcu_process_callbacks kernel/rcu/tree.c:3020 [inline] rcu_process_callbacks+0x871/0x12c0 kernel/rcu/tree.c:3037 __do_softirq+0x206/0x951 kernel/softirq.c:284 Memory state around the buggy address: ffff8801c6f9da00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8801c6f9da80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff8801c6f9db00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff8801c6f9db80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8801c6f9dc00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ================================================================== ================================================================== BUG: KASAN: use-after-free in ip6_dst_ifdown+0x2f1/0x320 net/ipv6/route.c:400 at addr ffff8801c6f9db00 Read of size 8 by task syz-executor4/6276 CPU: 0 PID: 6276 Comm: syz-executor4 Tainted: G B 4.9.65-g73378e2 #99 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 ffff8801a7e874f0 ffffffff81d90469 ffff8801da001140 ffff8801c6f9db00 ffff8801c6f9df00 ffffed0038df3b60 ffff8801c6f9db00 ffff8801a7e87518 ffffffff8153a3fc ffffed0038df3b60 ffff8801da001140 0000000000000000 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xc1/0x128 lib/dump_stack.c:51 [] kasan_object_err+0x1c/0x70 mm/kasan/report.c:160 [] print_address_description mm/kasan/report.c:198 [inline] [] kasan_report_error mm/kasan/report.c:287 [inline] [] kasan_report.part.1+0x21c/0x500 mm/kasan/report.c:309 [] kasan_report mm/kasan/report.c:330 [inline] [] __asan_report_load8_noabort+0x29/0x30 mm/kasan/report.c:330 [] ip6_dst_ifdown+0x2f1/0x320 net/ipv6/route.c:400 [] dst_ifdown+0x75/0x230 net/core/dst.c:440 [] dst_dev_event+0xb1/0x2e0 net/core/dst.c:467 [] notifier_call_chain+0x90/0x1a0 kernel/notifier.c:93 [] __raw_notifier_call_chain kernel/notifier.c:394 [inline] [] raw_notifier_call_chain+0x2d/0x40 kernel/notifier.c:401 [] call_netdevice_notifiers_info+0x51/0x90 net/core/dev.c:1646 [] call_netdevice_notifiers net/core/dev.c:1662 [inline] [] dev_close_many+0x254/0x370 net/core/dev.c:1455 [] rollback_registered_many+0x27a/0x960 net/core/dev.c:6783 [] rollback_registered+0x81/0xb0 net/core/dev.c:6846 [] unregister_netdevice_queue+0x81/0x140 net/core/dev.c:7833 [] unregister_netdevice include/linux/netdevice.h:2458 [inline] [] __tun_detach+0xa2c/0xc20 drivers/net/tun.c:567 [] tun_detach drivers/net/tun.c:578 [inline] [] tun_chr_close+0x44/0x60 drivers/net/tun.c:2379 [] __fput+0x28c/0x6e0 fs/file_table.c:208 [] ____fput+0x15/0x20 fs/file_table.c:244 [] task_work_run+0x115/0x190 kernel/task_work.c:116 [] exit_task_work include/linux/task_work.h:21 [inline] [] do_exit+0x7e7/0x2a40 kernel/exit.c:833 [] do_group_exit+0x108/0x320 kernel/exit.c:937 [] get_signal+0x4d4/0x14e0 kernel/signal.c:2315 [] do_signal+0x87/0x1a00 arch/x86/kernel/signal.c:807 [] exit_to_usermode_loop+0xe1/0x120 arch/x86/entry/common.c:156 [] prepare_exit_to_usermode arch/x86/entry/common.c:190 [inline] [] syscall_return_slowpath+0x1a0/0x1e0 arch/x86/entry/common.c:259 [] entry_SYSCALL_64_fastpath+0xc4/0xc6 Object at ffff8801c6f9db00, in cache kmalloc-1024 size: 1024 Allocated: PID = 3330 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 save_stack+0x43/0xd0 mm/kasan/kasan.c:495 set_track mm/kasan/kasan.c:507 [inline] kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598 kmem_cache_alloc_trace+0xfb/0x2a0 mm/slub.c:2742 kmalloc include/linux/slab.h:490 [inline] kzalloc include/linux/slab.h:636 [inline] ipv6_add_dev+0xbb/0x1000 net/ipv6/addrconf.c:371 addrconf_notify+0xa5e/0x2190 net/ipv6/addrconf.c:3356 notifier_call_chain+0x90/0x1a0 kernel/notifier.c:93 __raw_notifier_call_chain kernel/notifier.c:394 [inline] raw_notifier_call_chain+0x2d/0x40 kernel/notifier.c:401 call_netdevice_notifiers_info+0x51/0x90 net/core/dev.c:1646 call_netdevice_notifiers net/core/dev.c:1662 [inline] register_netdevice+0xb92/0xea0 net/core/dev.c:7294 register_netdev+0x1a/0x30 net/core/dev.c:7377 loopback_net_init+0x76/0x160 drivers/net/loopback.c:202 ops_init+0xa9/0x3a0 net/core/net_namespace.c:111 setup_net+0x1b2/0x3e0 net/core/net_namespace.c:291 copy_net_ns+0x189/0x280 net/core/net_namespace.c:389 create_new_namespaces+0x37f/0x730 kernel/nsproxy.c:106 copy_namespaces+0x291/0x320 kernel/nsproxy.c:164 copy_process.part.51+0x1c99/0x5d40 kernel/fork.c:1667 copy_process kernel/fork.c:1491 [inline] _do_fork+0x1c0/0xd70 kernel/fork.c:1949 SYSC_clone kernel/fork.c:2059 [inline] SyS_clone+0x37/0x50 kernel/fork.c:2053 do_syscall_64+0x197/0x490 arch/x86/entry/common.c:280 return_from_SYSCALL_64+0x0/0x7a Freed: PID = 3 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 save_stack+0x43/0xd0 mm/kasan/kasan.c:495 set_track mm/kasan/kasan.c:507 [inline] kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:571 slab_free_hook mm/slub.c:1355 [inline] slab_free_freelist_hook mm/slub.c:1377 [inline] slab_free mm/slub.c:2958 [inline] kfree+0xf0/0x2f0 mm/slub.c:3878 in6_dev_finish_destroy_rcu+0x9d/0xc0 net/ipv6/addrconf_core.c:150 __rcu_reclaim kernel/rcu/rcu.h:118 [inline] rcu_do_batch kernel/rcu/tree.c:2789 [inline] invoke_rcu_callbacks kernel/rcu/tree.c:3053 [inline] __rcu_process_callbacks kernel/rcu/tree.c:3020 [inline] rcu_process_callbacks+0x871/0x12c0 kernel/rcu/tree.c:3037 __do_softirq+0x206/0x951 kernel/softirq.c:284 Memory state around the buggy address: ffff8801c6f9da00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8801c6f9da80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff8801c6f9db00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff8801c6f9db80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8801c6f9dc00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ================================================================== netlink: 2 bytes leftover after parsing attributes in process `syz-executor6'. netlink: 2 bytes leftover after parsing attributes in process `syz-executor6'. netlink: 2 bytes leftover after parsing attributes in process `syz-executor6'. ================================================================== BUG: KASAN: use-after-free in ip6_dst_ifdown+0x2f1/0x320 net/ipv6/route.c:400 at addr ffff8801c6f9db00 Read of size 8 by task syz-executor4/6276 CPU: 0 PID: 6276 Comm: syz-executor4 Tainted: G B 4.9.65-g73378e2 #99 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 ffff8801a7e87698 ffffffff81d90469 ffff8801da001140 ffff8801c6f9db00 ffff8801c6f9df00 ffffed0038df3b60 ffff8801c6f9db00 ffff8801a7e876c0 ffffffff8153a3fc ffffed0038df3b60 ffff8801da001140 0000000000000000 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xc1/0x128 lib/dump_stack.c:51 [] kasan_object_err+0x1c/0x70 mm/kasan/report.c:160 [] print_address_description mm/kasan/report.c:198 [inline] [] kasan_report_error mm/kasan/report.c:287 [inline] [] kasan_report.part.1+0x21c/0x500 mm/kasan/report.c:309 [] kasan_report mm/kasan/report.c:330 [inline] [] __asan_report_load8_noabort+0x29/0x30 mm/kasan/report.c:330 [] ip6_dst_ifdown+0x2f1/0x320 net/ipv6/route.c:400 [] dst_ifdown+0x75/0x230 net/core/dst.c:440 [] dst_dev_event+0xb1/0x2e0 net/core/dst.c:467 [] notifier_call_chain+0x90/0x1a0 kernel/notifier.c:93 [] __raw_notifier_call_chain kernel/notifier.c:394 [inline] [] raw_notifier_call_chain+0x2d/0x40 kernel/notifier.c:401 [] call_netdevice_notifiers_info+0x51/0x90 net/core/dev.c:1646 [] call_netdevice_notifiers net/core/dev.c:1662 [inline] [] netdev_run_todo+0x17a/0x6b0 net/core/dev.c:7499 [] rtnl_unlock+0xe/0x10 net/core/rtnetlink.c:104 [] tun_detach drivers/net/tun.c:579 [inline] [] tun_chr_close+0x49/0x60 drivers/net/tun.c:2379 [] __fput+0x28c/0x6e0 fs/file_table.c:208 [] ____fput+0x15/0x20 fs/file_table.c:244 [] task_work_run+0x115/0x190 kernel/task_work.c:116 [] exit_task_work include/linux/task_work.h:21 [inline] [] do_exit+0x7e7/0x2a40 kernel/exit.c:833 [] do_group_exit+0x108/0x320 kernel/exit.c:937 [] get_signal+0x4d4/0x14e0 kernel/signal.c:2315 [] do_signal+0x87/0x1a00 arch/x86/kernel/signal.c:807 [] exit_to_usermode_loop+0xe1/0x120 arch/x86/entry/common.c:156 [] prepare_exit_to_usermode arch/x86/entry/common.c:190 [inline] [] syscall_return_slowpath+0x1a0/0x1e0 arch/x86/entry/common.c:259 [] entry_SYSCALL_64_fastpath+0xc4/0xc6 Object at ffff8801c6f9db00, in cache kmalloc-1024 size: 1024 Allocated: PID = 3330 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 save_stack+0x43/0xd0 mm/kasan/kasan.c:495 set_track mm/kasan/kasan.c:507 [inline] kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598 kmem_cache_alloc_trace+0xfb/0x2a0 mm/slub.c:2742 kmalloc include/linux/slab.h:490 [inline] kzalloc include/linux/slab.h:636 [inline] ipv6_add_dev+0xbb/0x1000 net/ipv6/addrconf.c:371 addrconf_notify+0xa5e/0x2190 net/ipv6/addrconf.c:3356 notifier_call_chain+0x90/0x1a0 kernel/notifier.c:93 __raw_notifier_call_chain kernel/notifier.c:394 [inline] raw_notifier_call_chain+0x2d/0x40 kernel/notifier.c:401 call_netdevice_notifiers_info+0x51/0x90 net/core/dev.c:1646 call_netdevice_notifiers net/core/dev.c:1662 [inline] register_netdevice+0xb92/0xea0 net/core/dev.c:7294 register_netdev+0x1a/0x30 net/core/dev.c:7377 loopback_net_init+0x76/0x160 drivers/net/loopback.c:202 ops_init+0xa9/0x3a0 net/core/net_namespace.c:111 setup_net+0x1b2/0x3e0 net/core/net_namespace.c:291 copy_net_ns+0x189/0x280 net/core/net_namespace.c:389 create_new_namespaces+0x37f/0x730 kernel/nsproxy.c:106 copy_namespaces+0x291/0x320 kernel/nsproxy.c:164 copy_process.part.51+0x1c99/0x5d40 kernel/fork.c:1667 copy_process kernel/fork.c:1491 [inline] _do_fork+0x1c0/0xd70 kernel/fork.c:1949 SYSC_clone kernel/fork.c:2059 [inline] SyS_clone+0x37/0x50 kernel/fork.c:2053 do_syscall_64+0x197/0x490 arch/x86/entry/common.c:280 return_from_SYSCALL_64+0x0/0x7a Freed: PID = 3 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 save_stack+0x43/0xd0 mm/kasan/kasan.c:495 set_track mm/kasan/kasan.c:507 [inline] kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:571 slab_free_hook mm/slub.c:1355 [inline] slab_free_freelist_hook mm/slub.c:1377 [inline] slab_free mm/slub.c:2958 [inline] kfree+0xf0/0x2f0 mm/slub.c:3878 in6_dev_finish_destroy_rcu+0x9d/0xc0 net/ipv6/addrconf_core.c:150 __rcu_reclaim kernel/rcu/rcu.h:118 [inline] rcu_do_batch kernel/rcu/tree.c:2789 [inline] invoke_rcu_callbacks kernel/rcu/tree.c:3053 [inline] __rcu_process_callbacks kernel/rcu/tree.c:3020 [inline] rcu_process_callbacks+0x871/0x12c0 kernel/rcu/tree.c:3037 __do_softirq+0x206/0x951 kernel/softirq.c:284 Memory state around the buggy address: ffff8801c6f9da00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8801c6f9da80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff8801c6f9db00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff8801c6f9db80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8801c6f9dc00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ================================================================== ================================================================== BUG: KASAN: use-after-free in ip6_dst_ifdown+0x2f1/0x320 net/ipv6/route.c:400 at addr ffff8801c6f9db00 Read of size 8 by task syz-executor4/6276 CPU: 0 PID: 6276 Comm: syz-executor4 Tainted: G B 4.9.65-g73378e2 #99 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 ffff8801a7e87698 ffffffff81d90469 ffff8801da001140 ffff8801c6f9db00 ffff8801c6f9df00 ffffed0038df3b60 ffff8801c6f9db00 ffff8801a7e876c0 ffffffff8153a3fc ffffed0038df3b60 ffff8801da001140 0000000000000000 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xc1/0x128 lib/dump_stack.c:51 [] kasan_object_err+0x1c/0x70 mm/kasan/report.c:160 [] print_address_description mm/kasan/report.c:198 [inline] [] kasan_report_error mm/kasan/report.c:287 [inline] [] kasan_report.part.1+0x21c/0x500 mm/kasan/report.c:309 [] kasan_report mm/kasan/report.c:330 [inline] [] __asan_report_load8_noabort+0x29/0x30 mm/kasan/report.c:330 [] ip6_dst_ifdown+0x2f1/0x320 net/ipv6/route.c:400 [] dst_ifdown+0x75/0x230 net/core/dst.c:440 [] dst_dev_event+0xb1/0x2e0 net/core/dst.c:467 [] notifier_call_chain+0x90/0x1a0 kernel/notifier.c:93 [] __raw_notifier_call_chain kernel/notifier.c:394 [inline] [] raw_notifier_call_chain+0x2d/0x40 kernel/notifier.c:401 [] call_netdevice_notifiers_info+0x51/0x90 net/core/dev.c:1646 [] call_netdevice_notifiers net/core/dev.c:1662 [inline] [] netdev_run_todo+0x17a/0x6b0 net/core/dev.c:7499 [] rtnl_unlock+0xe/0x10 net/core/rtnetlink.c:104 [] tun_detach drivers/net/tun.c:579 [inline] [] tun_chr_close+0x49/0x60 drivers/net/tun.c:2379 [] __fput+0x28c/0x6e0 fs/file_table.c:208 [] ____fput+0x15/0x20 fs/file_table.c:244 [] task_work_run+0x115/0x190 kernel/task_work.c:116 [] exit_task_work include/linux/task_work.h:21 [inline] [] do_exit+0x7e7/0x2a40 kernel/exit.c:833 [] do_group_exit+0x108/0x320 kernel/exit.c:937 [] get_signal+0x4d4/0x14e0 kernel/signal.c:2315 [] do_signal+0x87/0x1a00 arch/x86/kernel/signal.c:807 [] exit_to_usermode_loop+0xe1/0x120 arch/x86/entry/common.c:156 [] prepare_exit_to_usermode arch/x86/entry/common.c:190 [inline] [] syscall_return_slowpath+0x1a0/0x1e0 arch/x86/entry/common.c:259 [] entry_SYSCALL_64_fastpath+0xc4/0xc6 Object at ffff8801c6f9db00, in cache kmalloc-1024 size: 1024 Allocated: PID = 3330 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 save_stack+0x43/0xd0 mm/kasan/kasan.c:495 set_track mm/kasan/kasan.c:507 [inline] kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598 kmem_cache_alloc_trace+0xfb/0x2a0 mm/slub.c:2742 kmalloc include/linux/slab.h:490 [inline] kzalloc include/linux/slab.h:636 [inline] ipv6_add_dev+0xbb/0x1000 net/ipv6/addrconf.c:371 addrconf_notify+0xa5e/0x2190 net/ipv6/addrconf.c:3356 notifier_call_chain+0x90/0x1a0 kernel/notifier.c:93 __raw_notifier_call_chain kernel/notifier.c:394 [inline] raw_notifier_call_chain+0x2d/0x40 kernel/notifier.c:401 call_netdevice_notifiers_info+0x51/0x90 net/core/dev.c:1646 call_netdevice_notifiers net/core/dev.c:1662 [inline] register_netdevice+0xb92/0xea0 net/core/dev.c:7294 register_netdev+0x1a/0x30 net/core/dev.c:7377 loopback_net_init+0x76/0x160 drivers/net/loopback.c:202 ops_init+0xa9/0x3a0 net/core/net_namespace.c:111 setup_net+0x1b2/0x3e0 net/core/net_namespace.c:291 copy_net_ns+0x189/0x280 net/core/net_namespace.c:389 create_new_namespaces+0x37f/0x730 kernel/nsproxy.c:106 copy_namespaces+0x291/0x320 kernel/nsproxy.c:164 copy_process.part.51+0x1c99/0x5d40 kernel/fork.c:1667 copy_process kernel/fork.c:1491 [inline] _do_fork+0x1c0/0xd70 kernel/fork.c:1949 SYSC_clone kernel/fork.c:2059 [inline] SyS_clone+0x37/0x50 kernel/fork.c:2053 do_syscall_64+0x197/0x490 arch/x86/entry/common.c:280 return_from_SYSCALL_64+0x0/0x7a Freed: PID = 3 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 save_stack+0x43/0xd0 mm/kasan/kasan.c:495 set_track mm/kasan/kasan.c:507 [inline] kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:571 slab_free_hook mm/slub.c:1355 [inline] slab_free_freelist_hook mm/slub.c:1377 [inline] slab_free mm/slub.c:2958 [inline] kfree+0xf0/0x2f0 mm/slub.c:3878 in6_dev_finish_destroy_rcu+0x9d/0xc0 net/ipv6/addrconf_core.c:150 __rcu_reclaim kernel/rcu/rcu.h:118 [inline] rcu_do_batch kernel/rcu/tree.c:2789 [inline] invoke_rcu_callbacks kernel/rcu/tree.c:3053 [inline] __rcu_process_callbacks kernel/rcu/tree.c:3020 [inline] rcu_process_callbacks+0x871/0x12c0 kernel/rcu/tree.c:3037 __do_softirq+0x206/0x951 kernel/softirq.c:284 Memory state around the buggy address: ffff8801c6f9da00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8801c6f9da80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff8801c6f9db00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff8801c6f9db80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8801c6f9dc00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ================================================================== loop: Write error at byte offset 0, length 512. blk_update_request: I/O error, dev loop4, sector 0 loop: Write error at byte offset 0, length 512. blk_update_request: I/O error, dev loop4, sector 0 ================================================================== BUG: KASAN: use-after-free in ip6_dst_ifdown+0x2f1/0x320 net/ipv6/route.c:400 at addr ffff8801c6f9db00 Read of size 8 by task syz-executor5/6389 CPU: 0 PID: 6389 Comm: syz-executor5 Tainted: G B 4.9.65-g73378e2 #99 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 ffff8801aa73fac8 ffffffff81d90469 ffff8801da001140 ffff8801c6f9db00 ffff8801c6f9df00 ffffed0038df3b60 ffff8801c6f9db00 ffff8801aa73faf0 ffffffff8153a3fc ffffed0038df3b60 ffff8801da001140 0000000000000000 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xc1/0x128 lib/dump_stack.c:51 [] kasan_object_err+0x1c/0x70 mm/kasan/report.c:160 [] print_address_description mm/kasan/report.c:198 [inline] [] kasan_report_error mm/kasan/report.c:287 [inline] [] kasan_report.part.1+0x21c/0x500 mm/kasan/report.c:309 [] kasan_report mm/kasan/report.c:330 [inline] [] __asan_report_load8_noabort+0x29/0x30 mm/kasan/report.c:330 [] ip6_dst_ifdown+0x2f1/0x320 net/ipv6/route.c:400 [] dst_ifdown+0x75/0x230 net/core/dst.c:440 [] dst_dev_event+0xb1/0x2e0 net/core/dst.c:467 [] notifier_call_chain+0x90/0x1a0 kernel/notifier.c:93 [] __raw_notifier_call_chain kernel/notifier.c:394 [inline] [] raw_notifier_call_chain+0x2d/0x40 kernel/notifier.c:401 [] call_netdevice_notifiers_info+0x51/0x90 net/core/dev.c:1646 [] call_netdevice_notifiers net/core/dev.c:1662 [inline] [] netdev_run_todo+0x17a/0x6b0 net/core/dev.c:7499 [] rtnl_unlock+0xe/0x10 net/core/rtnetlink.c:104 [] tun_detach drivers/net/tun.c:579 [inline] [] tun_chr_close+0x49/0x60 drivers/net/tun.c:2379 [] __fput+0x28c/0x6e0 fs/file_table.c:208 [] ____fput+0x15/0x20 fs/file_table.c:244 [] task_work_run+0x115/0x190 kernel/task_work.c:116 [] tracehook_notify_resume include/linux/tracehook.h:191 [inline] [] exit_to_usermode_loop+0xfc/0x120 arch/x86/entry/common.c:160 [] prepare_exit_to_usermode arch/x86/entry/common.c:190 [inline] [] syscall_return_slowpath+0x1a0/0x1e0 arch/x86/entry/common.c:259 [] entry_SYSCALL_64_fastpath+0xc4/0xc6 Object at ffff8801c6f9db00, in cache kmalloc-1024 size: 1024 Allocated: PID = 3330 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 save_stack+0x43/0xd0 mm/kasan/kasan.c:495 set_track mm/kasan/kasan.c:507 [inline] kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598 kmem_cache_alloc_trace+0xfb/0x2a0 mm/slub.c:2742 kmalloc include/linux/slab.h:490 [inline] kzalloc include/linux/slab.h:636 [inline] ipv6_add_dev+0xbb/0x1000 net/ipv6/addrconf.c:371 addrconf_notify+0xa5e/0x2190 net/ipv6/addrconf.c:3356 notifier_call_chain+0x90/0x1a0 kernel/notifier.c:93 __raw_notifier_call_chain kernel/notifier.c:394 [inline] raw_notifier_call_chain+0x2d/0x40 kernel/notifier.c:401 call_netdevice_notifiers_info+0x51/0x90 net/core/dev.c:1646 call_netdevice_notifiers net/core/dev.c:1662 [inline] register_netdevice+0xb92/0xea0 net/core/dev.c:7294 register_netdev+0x1a/0x30 net/core/dev.c:7377 loopback_net_init+0x76/0x160 drivers/net/loopback.c:202 ops_init+0xa9/0x3a0 net/core/net_namespace.c:111 setup_net+0x1b2/0x3e0 net/core/net_namespace.c:291 copy_net_ns+0x189/0x280 net/core/net_namespace.c:389 create_new_namespaces+0x37f/0x730 kernel/nsproxy.c:106 copy_namespaces+0x291/0x320 kernel/nsproxy.c:164 copy_process.part.51+0x1c99/0x5d40 kernel/fork.c:1667 copy_process kernel/fork.c:1491 [inline] _do_fork+0x1c0/0xd70 kernel/fork.c:1949 SYSC_clone kernel/fork.c:2059 [inline] SyS_clone+0x37/0x50 kernel/fork.c:2053 do_syscall_64+0x197/0x490 arch/x86/entry/common.c:280 return_from_SYSCALL_64+0x0/0x7a Freed: PID = 3 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 save_stack+0x43/0xd0 mm/kasan/kasan.c:495 set_track mm/kasan/kasan.c:507 [inline] kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:571 slab_free_hook mm/slub.c:1355 [inline] slab_free_freelist_hook mm/slub.c:1377 [inline] slab_free mm/slub.c:2958 [inline] kfree+0xf0/0x2f0 mm/slub.c:3878 in6_dev_finish_destroy_rcu+0x9d/0xc0 net/ipv6/addrconf_core.c:150 __rcu_reclaim kernel/rcu/rcu.h:118 [inline] rcu_do_batch kernel/rcu/tree.c:2789 [inline] invoke_rcu_callbacks kernel/rcu/tree.c:3053 [inline] __rcu_process_callbacks kernel/rcu/tree.c:3020 [inline] rcu_process_callbacks+0x871/0x12c0 kernel/rcu/tree.c:3037 __do_softirq+0x206/0x951 kernel/softirq.c:284 Memory state around the buggy address: ffff8801c6f9da00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8801c6f9da80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff8801c6f9db00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff8801c6f9db80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8801c6f9dc00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ================================================================== ================================================================== BUG: KASAN: use-after-free in ip6_dst_ifdown+0x2f1/0x320 net/ipv6/route.c:400 at addr ffff8801c6f9db00 Read of size 8 by task syz-executor5/6389 CPU: 0 PID: 6389 Comm: syz-executor5 Tainted: G B 4.9.65-g73378e2 #99 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 ffff8801aa73fac8 ffffffff81d90469 ffff8801da001140 ffff8801c6f9db00 ffff8801c6f9df00 ffffed0038df3b60 ffff8801c6f9db00 ffff8801aa73faf0 ffffffff8153a3fc ffffed0038df3b60 ffff8801da001140 0000000000000000 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xc1/0x128 lib/dump_stack.c:51 [] kasan_object_err+0x1c/0x70 mm/kasan/report.c:160 [] print_address_description mm/kasan/report.c:198 [inline] [] kasan_report_error mm/kasan/report.c:287 [inline] [] kasan_report.part.1+0x21c/0x500 mm/kasan/report.c:309 [] kasan_report mm/kasan/report.c:330 [inline] [] __asan_report_load8_noabort+0x29/0x30 mm/kasan/report.c:330 [] ip6_dst_ifdown+0x2f1/0x320 net/ipv6/route.c:400 [] dst_ifdown+0x75/0x230 net/core/dst.c:440 [] dst_dev_event+0xb1/0x2e0 net/core/dst.c:467 [] notifier_call_chain+0x90/0x1a0 kernel/notifier.c:93 [] __raw_notifier_call_chain kernel/notifier.c:394 [inline] [] raw_notifier_call_chain+0x2d/0x40 kernel/notifier.c:401 [] call_netdevice_notifiers_info+0x51/0x90 net/core/dev.c:1646 [] call_netdevice_notifiers net/core/dev.c:1662 [inline] [] netdev_run_todo+0x17a/0x6b0 net/core/dev.c:7499 [] rtnl_unlock+0xe/0x10 net/core/rtnetlink.c:104 [] tun_detach drivers/net/tun.c:579 [inline] [] tun_chr_close+0x49/0x60 drivers/net/tun.c:2379 [] __fput+0x28c/0x6e0 fs/file_table.c:208 [] ____fput+0x15/0x20 fs/file_table.c:244 [] task_work_run+0x115/0x190 kernel/task_work.c:116 [] tracehook_notify_resume include/linux/tracehook.h:191 [inline] [] exit_to_usermode_loop+0xfc/0x120 arch/x86/entry/common.c:160 [] prepare_exit_to_usermode arch/x86/entry/common.c:190 [inline] [] syscall_return_slowpath+0x1a0/0x1e0 arch/x86/entry/common.c:259 [] entry_SYSCALL_64_fastpath+0xc4/0xc6 Object at ffff8801c6f9db00, in cache kmalloc-1024 size: 1024 Allocated: PID = 3330 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 save_stack+0x43/0xd0 mm/kasan/kasan.c:495 set_track mm/kasan/kasan.c:507 [inline] kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598 kmem_cache_alloc_trace+0xfb/0x2a0 mm/slub.c:2742 kmalloc include/linux/slab.h:490 [inline] kzalloc include/linux/slab.h:636 [inline] ipv6_add_dev+0xbb/0x1000 net/ipv6/addrconf.c:371 addrconf_notify+0xa5e/0x2190 net/ipv6/addrconf.c:3356 notifier_call_chain+0x90/0x1a0 kernel/notifier.c:93 __raw_notifier_call_chain kernel/notifier.c:394 [inline] raw_notifier_call_chain+0x2d/0x40 kernel/notifier.c:401 call_netdevice_notifiers_info+0x51/0x90 net/core/dev.c:1646 call_netdevice_notifiers net/core/dev.c:1662 [inline] register_netdevice+0xb92/0xea0 net/core/dev.c:7294 register_netdev+0x1a/0x30 net/core/dev.c:7377 loopback_net_init+0x76/0x160 drivers/net/loopback.c:202 ops_init+0xa9/0x3a0 net/core/net_namespace.c:111 setup_net+0x1b2/0x3e0 net/core/net_namespace.c:291 copy_net_ns+0x189/0x280 net/core/net_namespace.c:389 create_new_namespaces+0x37f/0x730 kernel/nsproxy.c:106 copy_namespaces+0x291/0x320 kernel/nsproxy.c:164 copy_process.part.51+0x1c99/0x5d40 kernel/fork.c:1667 copy_process kernel/fork.c:1491 [inline] _do_fork+0x1c0/0xd70 kernel/fork.c:1949 SYSC_clone kernel/fork.c:2059 [inline] SyS_clone+0x37/0x50 kernel/fork.c:2053 do_syscall_64+0x197/0x490 arch/x86/entry/common.c:280 return_from_SYSCALL_64+0x0/0x7a Freed: PID = 3 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 save_stack+0x43/0xd0 mm/kasan/kasan.c:495 set_track mm/kasan/kasan.c:507 [inline] kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:571 slab_free_hook mm/slub.c:1355 [inline] slab_free_freelist_hook mm/slub.c:1377 [inline] slab_free mm/slub.c:2958 [inline] kfree+0xf0/0x2f0 mm/slub.c:3878 in6_dev_finish_destroy_rcu+0x9d/0xc0 net/ipv6/addrconf_core.c:150 __rcu_reclaim kernel/rcu/rcu.h:118 [inline] rcu_do_batch kernel/rcu/tree.c:2789 [inline] invoke_rcu_callbacks kernel/rcu/tree.c:3053 [inline] __rcu_process_callbacks kernel/rcu/tree.c:3020 [inline] rcu_process_callbacks+0x871/0x12c0 kernel/rcu/tree.c:3037 __do_softirq+0x206/0x951 kernel/softirq.c:284 Memory state around the buggy address: ffff8801c6f9da00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8801c6f9da80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff8801c6f9db00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff8801c6f9db80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8801c6f9dc00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ================================================================== ================================================================== BUG: KASAN: use-after-free in ip6_dst_ifdown+0x2f1/0x320 net/ipv6/route.c:400 at addr ffff8801c6f9db00 Read of size 8 by task syz-executor5/6389 CPU: 1 PID: 6389 Comm: syz-executor5 Tainted: G B 4.9.65-g73378e2 #99 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 ffff8801aa73fa90 ffffffff81d90469 ffff8801da001140 ffff8801c6f9db00 ffff8801c6f9df00 ffffed0038df3b60 ffff8801c6f9db00 ffff8801aa73fab8 ffffffff8153a3fc ffffed0038df3b60 ffff8801da001140 0000000000000000 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xc1/0x128 lib/dump_stack.c:51 [] kasan_object_err+0x1c/0x70 mm/kasan/report.c:160 [] print_address_description mm/kasan/report.c:198 [inline] [] kasan_report_error mm/kasan/report.c:287 [inline] [] kasan_report.part.1+0x21c/0x500 mm/kasan/report.c:309 [] kasan_report mm/kasan/report.c:330 [inline] [] __asan_report_load8_noabort+0x29/0x30 mm/kasan/report.c:330 [] ip6_dst_ifdown+0x2f1/0x320 net/ipv6/route.c:400 [] dst_ifdown+0x75/0x230 net/core/dst.c:440 [] dst_dev_event+0xb1/0x2e0 net/core/dst.c:467 [] notifier_call_chain+0x90/0x1a0 kernel/notifier.c:93 [] __raw_notifier_call_chain kernel/notifier.c:394 [inline] [] raw_notifier_call_chain+0x2d/0x40 kernel/notifier.c:401 [] call_netdevice_notifiers_info+0x51/0x90 net/core/dev.c:1646 [] call_netdevice_notifiers net/core/dev.c:1662 [inline] [] netdev_run_todo+0x17a/0x6b0 net/core/dev.c:7499 [] rtnl_unlock+0xe/0x10 net/core/rtnetlink.c:104 [] tun_detach drivers/net/tun.c:579 [inline] [] tun_chr_close+0x49/0x60 drivers/net/tun.c:2379 [] __fput+0x28c/0x6e0 fs/file_table.c:208 [] ____fput+0x15/0x20 fs/file_table.c:244 [] task_work_run+0x115/0x190 kernel/task_work.c:116 [] tracehook_notify_resume include/linux/tracehook.h:191 [inline] [] exit_to_usermode_loop+0xfc/0x120 arch/x86/entry/common.c:160 [] prepare_exit_to_usermode arch/x86/entry/common.c:190 [inline] [] syscall_return_slowpath arch/x86/entry/common.c:259 [inline] [] do_syscall_64+0x36e/0x490 arch/x86/entry/common.c:285 [] entry_SYSCALL64_slow_path+0x25/0x25 Object at ffff8801c6f9db00, in cache kmalloc-1024 size: 1024 Allocated: PID = 3330 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 save_stack+0x43/0xd0 mm/kasan/kasan.c:495 set_track mm/kasan/kasan.c:507 [inline] kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598 kmem_cache_alloc_trace+0xfb/0x2a0 mm/slub.c:2742 kmalloc include/linux/slab.h:490 [inline] kzalloc include/linux/slab.h:636 [inline] ipv6_add_dev+0xbb/0x1000 net/ipv6/addrconf.c:371 addrconf_notify+0xa5e/0x2190 net/ipv6/addrconf.c:3356 notifier_call_chain+0x90/0x1a0 kernel/notifier.c:93 __raw_notifier_call_chain kernel/notifier.c:394 [inline] raw_notifier_call_chain+0x2d/0x40 kernel/notifier.c:401 call_netdevice_notifiers_info+0x51/0x90 net/core/dev.c:1646 call_netdevice_notifiers net/core/dev.c:1662 [inline] register_netdevice+0xb92/0xea0 net/core/dev.c:7294 register_netdev+0x1a/0x30 net/core/dev.c:7377 loopback_net_init+0x76/0x160 drivers/net/loopback.c:202 ops_init+0xa9/0x3a0 net/core/net_namespace.c:111 setup_net+0x1b2/0x3e0 net/core/net_namespace.c:291 copy_net_ns+0x189/0x280 net/core/net_namespace.c:389 create_new_namespaces+0x37f/0x730 kernel/nsproxy.c:106 copy_namespaces+0x291/0x320 kernel/nsproxy.c:164 copy_process.part.51+0x1c99/0x5d40 kernel/fork.c:1667 copy_process kernel/fork.c:1491 [inline] _do_fork+0x1c0/0xd70 kernel/fork.c:1949 SYSC_clone kernel/fork.c:2059 [inline] SyS_clone+0x37/0x50 kernel/fork.c:2053 do_syscall_64+0x197/0x490 arch/x86/entry/common.c:280 return_from_SYSCALL_64+0x0/0x7a Freed: PID = 3 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 save_stack+0x43/0xd0 mm/kasan/kasan.c:495 set_track mm/kasan/kasan.c:507 [inline] kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:571 slab_free_hook mm/slub.c:1355 [inline] slab_free_freelist_hook mm/slub.c:1377 [inline] slab_free mm/slub.c:2958 [inline] kfree+0xf0/0x2f0 mm/slub.c:3878 in6_dev_finish_destroy_rcu+0x9d/0xc0 net/ipv6/addrconf_core.c:150 __rcu_reclaim kernel/rcu/rcu.h:118 [inline] rcu_do_batch kernel/rcu/tree.c:2789 [inline] invoke_rcu_callbacks kernel/rcu/tree.c:3053 [inline] __rcu_process_callbacks kernel/rcu/tree.c:3020 [inline] rcu_process_callbacks+0x871/0x12c0 kernel/rcu/tree.c:3037 __do_softirq+0x206/0x951 kernel/softirq.c:284 Memory state around the buggy address: ffff8801c6f9da00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8801c6f9da80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff8801c6f9db00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff8801c6f9db80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8801c6f9dc00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ================================================================== ================================================================== BUG: KASAN: use-after-free in ip6_dst_ifdown+0x2f1/0x320 net/ipv6/route.c:400 at addr ffff8801c6f9db00 Read of size 8 by task syz-executor5/6389 CPU: 1 PID: 6389 Comm: syz-executor5 Tainted: G B 4.9.65-g73378e2 #99 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 ffff8801aa73fa90 ffffffff81d90469 ffff8801da001140 ffff8801c6f9db00 ffff8801c6f9df00 ffffed0038df3b60 ffff8801c6f9db00 ffff8801aa73fab8 ffffffff8153a3fc ffffed0038df3b60 ffff8801da001140 0000000000000000 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xc1/0x128 lib/dump_stack.c:51 [] kasan_object_err+0x1c/0x70 mm/kasan/report.c:160 [] print_address_description mm/kasan/report.c:198 [inline] [] kasan_report_error mm/kasan/report.c:287 [inline] [] kasan_report.part.1+0x21c/0x500 mm/kasan/report.c:309 [] kasan_report mm/kasan/report.c:330 [inline] [] __asan_report_load8_noabort+0x29/0x30 mm/kasan/report.c:330 [] ip6_dst_ifdown+0x2f1/0x320 net/ipv6/route.c:400 [] dst_ifdown+0x75/0x230 net/core/dst.c:440 [] dst_dev_event+0xb1/0x2e0 net/core/dst.c:467 [] notifier_call_chain+0x90/0x1a0 kernel/notifier.c:93 [] __raw_notifier_call_chain kernel/notifier.c:394 [inline] [] raw_notifier_call_chain+0x2d/0x40 kernel/notifier.c:401 [] call_netdevice_notifiers_info+0x51/0x90 net/core/dev.c:1646 [] call_netdevice_notifiers net/core/dev.c:1662 [inline] [] netdev_run_todo+0x17a/0x6b0 net/core/dev.c:7499 [] rtnl_unlock+0xe/0x10 net/core/rtnetlink.c:104 [] tun_detach drivers/net/tun.c:579 [inline] [] tun_chr_close+0x49/0x60 drivers/net/tun.c:2379 [] __fput+0x28c/0x6e0 fs/file_table.c:208 [] ____fput+0x15/0x20 fs/file_table.c:244 [] task_work_run+0x115/0x190 kernel/task_work.c:116 [] tracehook_notify_resume include/linux/tracehook.h:191 [inline] [] exit_to_usermode_loop+0xfc/0x120 arch/x86/entry/common.c:160 [] prepare_exit_to_usermode arch/x86/entry/common.c:190 [inline] [] syscall_return_slowpath arch/x86/entry/common.c:259 [inline] [] do_syscall_64+0x36e/0x490 arch/x86/entry/common.c:285 [] entry_SYSCALL64_slow_path+0x25/0x25 Object at ffff8801c6f9db00, in cache kmalloc-1024 size: 1024 Allocated: PID = 3330 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 save_stack+0x43/0xd0 mm/kasan/kasan.c:495 set_track mm/kasan/kasan.c:507 [inline] kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598 kmem_cache_alloc_trace+0xfb/0x2a0 mm/slub.c:2742 kmalloc include/linux/slab.h:490 [inline] kzalloc include/linux/slab.h:636 [inline] ipv6_add_dev+0xbb/0x1000 net/ipv6/addrconf.c:371 addrconf_notify+0xa5e/0x2190 net/ipv6/addrconf.c:3356 notifier_call_chain+0x90/0x1a0 kernel/notifier.c:93 __raw_notifier_call_chain kernel/notifier.c:394 [inline] raw_notifier_call_chain+0x2d/0x40 kernel/notifier.c:401 call_netdevice_notifiers_info+0x51/0x90 net/core/dev.c:1646 call_netdevice_notifiers net/core/dev.c:1662 [inline] register_netdevice+0xb92/0xea0 net/core/dev.c:7294 register_netdev+0x1a/0x30 net/core/dev.c:7377 loopback_net_init+0x76/0x160 drivers/net/loopback.c:202 ops_init+0xa9/0x3a0 net/core/net_namespace.c:111 setup_net+0x1b2/0x3e0 net/core/net_namespace.c:291 copy_net_ns+0x189/0x280 net/core/net_namespace.c:389 create_new_namespaces+0x37f/0x730 kernel/nsproxy.c:106 copy_namespaces+0x291/0x320 kernel/nsproxy.c:164 copy_process.part.51+0x1c99/0x5d40 kernel/fork.c:1667 copy_process kernel/fork.c:1491 [inline] _do_fork+0x1c0/0xd70 kernel/fork.c:1949 SYSC_clone kernel/fork.c:2059 [inline] SyS_clone+0x37/0x50 kernel/fork.c:2053 do_syscall_64+0x197/0x490 arch/x86/entry/common.c:280 return_from_SYSCALL_64+0x0/0x7a Freed: PID = 3 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 save_stack+0x43/0xd0 mm/kasan/kasan.c:495 set_track mm/kasan/kasan.c:507 [inline] kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:571 slab_free_hook mm/slub.c:1355 [inline] slab_free_freelist_hook mm/slub.c:1377 [inline] slab_free mm/slub.c:2958 [inline] kfree+0xf0/0x2f0 mm/slub.c:3878 in6_dev_finish_destroy_rcu+0x9d/0xc0 net/ipv6/addrconf_core.c:150 __rcu_reclaim kernel/rcu/rcu.h:118 [inline] rcu_do_batch kernel/rcu/tree.c:2789 [inline] invoke_rcu_callbacks kernel/rcu/tree.c:3053 [inline] __rcu_process_callbacks kernel/rcu/tree.c:3020 [inline] rcu_process_callbacks+0x871/0x12c0 kernel/rcu/tree.c:3037 __do_softirq+0x206/0x951 kernel/softirq.c:284 Memory state around the buggy address: ffff8801c6f9da00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8801c6f9da80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff8801c6f9db00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff8801c6f9db80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8801c6f9dc00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ================================================================== netlink: 5 bytes leftover after parsing attributes in process `syz-executor6'. IPv6: NLM_F_REPLACE set, but no existing node found! ================================================================== BUG: KASAN: use-after-free in ip6_dst_ifdown+0x2f1/0x320 net/ipv6/route.c:400 at addr ffff8801c6f9db00 Read of size 8 by task syz-executor4/6431 CPU: 1 PID: 6431 Comm: syz-executor4 Tainted: G B 4.9.65-g73378e2 #99 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 ffff8801cd267698 ffffffff81d90469 ffff8801da001140 ffff8801c6f9db00 ffff8801c6f9df00 ffffed0038df3b60 ffff8801c6f9db00 ffff8801cd2676c0 ffffffff8153a3fc ffffed0038df3b60 ffff8801da001140 0000000000000000 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xc1/0x128 lib/dump_stack.c:51 [] kasan_object_err+0x1c/0x70 mm/kasan/report.c:160 [] print_address_description mm/kasan/report.c:198 [inline] [] kasan_report_error mm/kasan/report.c:287 [inline] [] kasan_report.part.1+0x21c/0x500 mm/kasan/report.c:309 [] kasan_report mm/kasan/report.c:330 [inline] [] __asan_report_load8_noabort+0x29/0x30 mm/kasan/report.c:330 [] ip6_dst_ifdown+0x2f1/0x320 net/ipv6/route.c:400 [] dst_ifdown+0x75/0x230 net/core/dst.c:440 [] dst_dev_event+0xb1/0x2e0 net/core/dst.c:467 [] notifier_call_chain+0x90/0x1a0 kernel/notifier.c:93 [] __raw_notifier_call_chain kernel/notifier.c:394 [inline] [] raw_notifier_call_chain+0x2d/0x40 kernel/notifier.c:401 [] call_netdevice_notifiers_info+0x51/0x90 net/core/dev.c:1646 [] call_netdevice_notifiers net/core/dev.c:1662 [inline] [] netdev_run_todo+0x17a/0x6b0 net/core/dev.c:7499 [] rtnl_unlock+0xe/0x10 net/core/rtnetlink.c:104 [] tun_detach drivers/net/tun.c:579 [inline] [] tun_chr_close+0x49/0x60 drivers/net/tun.c:2379 [] __fput+0x28c/0x6e0 fs/file_table.c:208 [] ____fput+0x15/0x20 fs/file_table.c:244 [] task_work_run+0x115/0x190 kernel/task_work.c:116 [] exit_task_work include/linux/task_work.h:21 [inline] [] do_exit+0x7e7/0x2a40 kernel/exit.c:833 [] do_group_exit+0x108/0x320 kernel/exit.c:937 [] get_signal+0x4d4/0x14e0 kernel/signal.c:2315 [] do_signal+0x87/0x1a00 arch/x86/kernel/signal.c:807 [] exit_to_usermode_loop+0xe1/0x120 arch/x86/entry/common.c:156 [] prepare_exit_to_usermode arch/x86/entry/common.c:190 [inline] [] syscall_return_slowpath+0x1a0/0x1e0 arch/x86/entry/common.c:259 [] entry_SYSCALL_64_fastpath+0xc4/0xc6 Object at ffff8801c6f9db00, in cache kmalloc-1024 size: 1024 Allocated: PID = 3330 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 save_stack+0x43/0xd0 mm/kasan/kasan.c:495 set_track mm/kasan/kasan.c:507 [inline] kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598 kmem_cache_alloc_trace+0xfb/0x2a0 mm/slub.c:2742 kmalloc include/linux/slab.h:490 [inline] kzalloc include/linux/slab.h:636 [inline] ipv6_add_dev+0xbb/0x1000 net/ipv6/addrconf.c:371 addrconf_notify+0xa5e/0x2190 net/ipv6/addrconf.c:3356 notifier_call_chain+0x90/0x1a0 kernel/notifier.c:93 __raw_notifier_call_chain kernel/notifier.c:394 [inline] raw_notifier_call_chain+0x2d/0x40 kernel/notifier.c:401 call_netdevice_notifiers_info+0x51/0x90 net/core/dev.c:1646 call_netdevice_notifiers net/core/dev.c:1662 [inline] register_netdevice+0xb92/0xea0 net/core/dev.c:7294 register_netdev+0x1a/0x30 net/core/dev.c:7377 loopback_net_init+0x76/0x160 drivers/net/loopback.c:202 ops_init+0xa9/0x3a0 net/core/net_namespace.c:111 setup_net+0x1b2/0x3e0 net/core/net_namespace.c:291 copy_net_ns+0x189/0x280 net/core/net_namespace.c:389 create_new_namespaces+0x37f/0x730 kernel/nsproxy.c:106 copy_namespaces+0x291/0x320 kernel/nsproxy.c:164 copy_process.part.51+0x1c99/0x5d40 kernel/fork.c:1667 copy_process kernel/fork.c:1491 [inline] _do_fork+0x1c0/0xd70 kernel/fork.c:1949 SYSC_clone kernel/fork.c:2059 [inline] SyS_clone+0x37/0x50 kernel/fork.c:2053 do_syscall_64+0x197/0x490 arch/x86/entry/common.c:280 return_from_SYSCALL_64+0x0/0x7a Freed: PID = 3 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 save_stack+0x43/0xd0 mm/kasan/kasan.c:495 set_track mm/kasan/kasan.c:507 [inline] kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:571 slab_free_hook mm/slub.c:1355 [inline] slab_free_freelist_hook mm/slub.c:1377 [inline] slab_free mm/slub.c:2958 [inline] kfree+0xf0/0x2f0 mm/slub.c:3878 in6_dev_finish_destroy_rcu+0x9d/0xc0 net/ipv6/addrconf_core.c:150 __rcu_reclaim kernel/rcu/rcu.h:118 [inline] rcu_do_batch kernel/rcu/tree.c:2789 [inline] invoke_rcu_callbacks kernel/rcu/tree.c:3053 [inline] __rcu_process_callbacks kernel/rcu/tree.c:3020 [inline] rcu_process_callbacks+0x871/0x12c0 kernel/rcu/tree.c:3037 __do_softirq+0x206/0x951 kernel/softirq.c:284 Memory state around the buggy address: ffff8801c6f9da00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8801c6f9da80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff8801c6f9db00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff8801c6f9db80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8801c6f9dc00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ================================================================== ================================================================== BUG: KASAN: use-after-free in ip6_dst_ifdown+0x2f1/0x320 net/ipv6/route.c:400 at addr ffff8801c6f9db00 Read of size 8 by task syz-executor4/6431 CPU: 1 PID: 6431 Comm: syz-executor4 Tainted: G B 4.9.65-g73378e2 #99 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 ffff8801cd267698 ffffffff81d90469 ffff8801da001140 ffff8801c6f9db00 ffff8801c6f9df00 ffffed0038df3b60 ffff8801c6f9db00 ffff8801cd2676c0 ffffffff8153a3fc ffffed0038df3b60 ffff8801da001140 0000000000000000 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xc1/0x128 lib/dump_stack.c:51 [] kasan_object_err+0x1c/0x70 mm/kasan/report.c:160 [] print_address_description mm/kasan/report.c:198 [inline] [] kasan_report_error mm/kasan/report.c:287 [inline] [] kasan_report.part.1+0x21c/0x500 mm/kasan/report.c:309 [] kasan_report mm/kasan/report.c:330 [inline] [] __asan_report_load8_noabort+0x29/0x30 mm/kasan/report.c:330 [] ip6_dst_ifdown+0x2f1/0x320 net/ipv6/route.c:400 [] dst_ifdown+0x75/0x230 net/core/dst.c:440 [] dst_dev_event+0xb1/0x2e0 net/core/dst.c:467 [] notifier_call_chain+0x90/0x1a0 kernel/notifier.c:93 [] __raw_notifier_call_chain kernel/notifier.c:394 [inline] [] raw_notifier_call_chain+0x2d/0x40 kernel/notifier.c:401 [] call_netdevice_notifiers_info+0x51/0x90 net/core/dev.c:1646 [] call_netdevice_notifiers net/core/dev.c:1662 [inline] [] netdev_run_todo+0x17a/0x6b0 net/core/dev.c:7499 [] rtnl_unlock+0xe/0x10 net/core/rtnetlink.c:104 [] tun_detach drivers/net/tun.c:579 [inline] [] tun_chr_close+0x49/0x60 drivers/net/tun.c:2379 [] __fput+0x28c/0x6e0 fs/file_table.c:208 [] ____fput+0x15/0x20 fs/file_table.c:244 [] task_work_run+0x115/0x190 kernel/task_work.c:116 [] exit_task_work include/linux/task_work.h:21 [inline] [] do_exit+0x7e7/0x2a40 kernel/exit.c:833 [] do_group_exit+0x108/0x320 kernel/exit.c:937 [] get_signal+0x4d4/0x14e0 kernel/signal.c:2315 [] do_signal+0x87/0x1a00 arch/x86/kernel/signal.c:807 [] exit_to_usermode_loop+0xe1/0x120 arch/x86/entry/common.c:156 [] prepare_exit_to_usermode arch/x86/entry/common.c:190 [inline] [] syscall_return_slowpath+0x1a0/0x1e0 arch/x86/entry/common.c:259 [] entry_SYSCALL_64_fastpath+0xc4/0xc6 Object at ffff8801c6f9db00, in cache kmalloc-1024 size: 1024 Allocated: PID = 3330 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 save_stack+0x43/0xd0 mm/kasan/kasan.c:495 set_track mm/kasan/kasan.c:507 [inline] kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598 kmem_cache_alloc_trace+0xfb/0x2a0 mm/slub.c:2742 kmalloc include/linux/slab.h:490 [inline] kzalloc include/linux/slab.h:636 [inline] ipv6_add_dev+0xbb/0x1000 net/ipv6/addrconf.c:371 addrconf_notify+0xa5e/0x2190 net/ipv6/addrconf.c:3356 notifier_call_chain+0x90/0x1a0 kernel/notifier.c:93 __raw_notifier_call_chain kernel/notifier.c:394 [inline] raw_notifier_call_chain+0x2d/0x40 kernel/notifier.c:401 call_netdevice_notifiers_info+0x51/0x90 net/core/dev.c:1646 call_netdevice_notifiers net/core/dev.c:1662 [inline] register_netdevice+0xb92/0xea0 net/core/dev.c:7294 register_netdev+0x1a/0x30 net/core/dev.c:7377 loopback_net_init+0x76/0x160 drivers/net/loopback.c:202 ops_init+0xa9/0x3a0 net/core/net_namespace.c:111 setup_net+0x1b2/0x3e0 net/core/net_namespace.c:291 copy_net_ns+0x189/0x280 net/core/net_namespace.c:389 create_new_namespaces+0x37f/0x730 kernel/nsproxy.c:106 copy_namespaces+0x291/0x320 kernel/nsproxy.c:164 copy_process.part.51+0x1c99/0x5d40 kernel/fork.c:1667 copy_process kernel/fork.c:1491 [inline] _do_fork+0x1c0/0xd70 kernel/fork.c:1949 SYSC_clone kernel/fork.c:2059 [inline] SyS_clone+0x37/0x50 kernel/fork.c:2053 do_syscall_64+0x197/0x490 arch/x86/entry/common.c:280 return_from_SYSCALL_64+0x0/0x7a Freed: PID = 3 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 save_stack+0x43/0xd0 mm/kasan/kasan.c:495 set_track mm/kasan/kasan.c:507 [inline] kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:571 slab_free_hook mm/slub.c:1355 [inline] slab_free_freelist_hook mm/slub.c:1377 [inline] slab_free mm/slub.c:2958 [inline] kfree+0xf0/0x2f0 mm/slub.c:3878 in6_dev_finish_destroy_rcu+0x9d/0xc0 net/ipv6/addrconf_core.c:150 __rcu_reclaim kernel/rcu/rcu.h:118 [inline] rcu_do_batch kernel/rcu/tree.c:2789 [inline] invoke_rcu_callbacks kernel/rcu/tree.c:3053 [inline] __rcu_process_callbacks kernel/rcu/tree.c:3020 [inline] rcu_process_callbacks+0x871/0x12c0 kernel/rcu/tree.c:3037 __do_softirq+0x206/0x951 kernel/softirq.c:284 Memory state around the buggy address: ffff8801c6f9da00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8801c6f9da80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff8801c6f9db00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff8801c6f9db80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8801c6f9dc00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ================================================================== ================================================================== BUG: KASAN: use-after-free in ip6_dst_ifdown+0x2f1/0x320 net/ipv6/route.c:400 at addr ffff8801c6f9db00 Read of size 8 by task syz-executor2/6463 CPU: 0 PID: 6463 Comm: syz-executor2 Tainted: G B 4.9.65-g73378e2 #99 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 ffff8801ce5c7ac8 ffffffff81d90469 ffff8801da001140 ffff8801c6f9db00 ffff8801c6f9df00 ffffed0038df3b60 ffff8801c6f9db00 ffff8801ce5c7af0 ffffffff8153a3fc ffffed0038df3b60 ffff8801da001140 0000000000000000 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xc1/0x128 lib/dump_stack.c:51 [] kasan_object_err+0x1c/0x70 mm/kasan/report.c:160 [] print_address_description mm/kasan/report.c:198 [inline] [] kasan_report_error mm/kasan/report.c:287 [inline] [] kasan_report.part.1+0x21c/0x500 mm/kasan/report.c:309 [] kasan_report mm/kasan/report.c:330 [inline] [] __asan_report_load8_noabort+0x29/0x30 mm/kasan/report.c:330 [] ip6_dst_ifdown+0x2f1/0x320 net/ipv6/route.c:400 [] dst_ifdown+0x75/0x230 net/core/dst.c:440 [] dst_dev_event+0xb1/0x2e0 net/core/dst.c:467 [] notifier_call_chain+0x90/0x1a0 kernel/notifier.c:93 [] __raw_notifier_call_chain kernel/notifier.c:394 [inline] [] raw_notifier_call_chain+0x2d/0x40 kernel/notifier.c:401 [] call_netdevice_notifiers_info+0x51/0x90 net/core/dev.c:1646 [] call_netdevice_notifiers net/core/dev.c:1662 [inline] [] netdev_run_todo+0x17a/0x6b0 net/core/dev.c:7499 [] rtnl_unlock+0xe/0x10 net/core/rtnetlink.c:104 [] tun_detach drivers/net/tun.c:579 [inline] [] tun_chr_close+0x49/0x60 drivers/net/tun.c:2379 [] __fput+0x28c/0x6e0 fs/file_table.c:208 [] ____fput+0x15/0x20 fs/file_table.c:244 [] task_work_run+0x115/0x190 kernel/task_work.c:116 [] tracehook_notify_resume include/linux/tracehook.h:191 [inline] [] exit_to_usermode_loop+0xfc/0x120 arch/x86/entry/common.c:160 [] prepare_exit_to_usermode arch/x86/entry/common.c:190 [inline] [] syscall_return_slowpath+0x1a0/0x1e0 arch/x86/entry/common.c:259 [] entry_SYSCALL_64_fastpath+0xc4/0xc6 Object at ffff8801c6f9db00, in cache kmalloc-1024 size: 1024 Allocated: PID = 3330 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 save_stack+0x43/0xd0 mm/kasan/kasan.c:495 set_track mm/kasan/kasan.c:507 [inline] kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598 kmem_cache_alloc_trace+0xfb/0x2a0 mm/slub.c:2742 kmalloc include/linux/slab.h:490 [inline] kzalloc include/linux/slab.h:636 [inline] ipv6_add_dev+0xbb/0x1000 net/ipv6/addrconf.c:371 addrconf_notify+0xa5e/0x2190 net/ipv6/addrconf.c:3356 notifier_call_chain+0x90/0x1a0 kernel/notifier.c:93 __raw_notifier_call_chain kernel/notifier.c:394 [inline] raw_notifier_call_chain+0x2d/0x40 kernel/notifier.c:401 call_netdevice_notifiers_info+0x51/0x90 net/core/dev.c:1646 call_netdevice_notifiers net/core/dev.c:1662 [inline] register_netdevice+0xb92/0xea0 net/core/dev.c:7294 register_netdev+0x1a/0x30 net/core/dev.c:7377 loopback_net_init+0x76/0x160 drivers/net/loopback.c:202 ops_init+0xa9/0x3a0 net/core/net_namespace.c:111 setup_net+0x1b2/0x3e0 net/core/net_namespace.c:291 copy_net_ns+0x189/0x280 net/core/net_namespace.c:389 create_new_namespaces+0x37f/0x730 kernel/nsproxy.c:106 copy_namespaces+0x291/0x320 kernel/nsproxy.c:164 copy_process.part.51+0x1c99/0x5d40 kernel/fork.c:1667 copy_process kernel/fork.c:1491 [inline] _do_fork+0x1c0/0xd70 kernel/fork.c:1949 SYSC_clone kernel/fork.c:2059 [inline] SyS_clone+0x37/0x50 kernel/fork.c:2053 do_syscall_64+0x197/0x490 arch/x86/entry/common.c:280 return_from_SYSCALL_64+0x0/0x7a Freed: PID = 3 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 save_stack+0x43/0xd0 mm/kasan/kasan.c:495 set_track mm/kasan/kasan.c:507 [inline] kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:571 slab_free_hook mm/slub.c:1355 [inline] slab_free_freelist_hook mm/slub.c:1377 [inline] slab_free mm/slub.c:2958 [inline] kfree+0xf0/0x2f0 mm/slub.c:3878 in6_dev_finish_destroy_rcu+0x9d/0xc0 net/ipv6/addrconf_core.c:150 __rcu_reclaim kernel/rcu/rcu.h:118 [inline] rcu_do_batch kernel/rcu/tree.c:2789 [inline] invoke_rcu_callbacks kernel/rcu/tree.c:3053 [inline] __rcu_process_callbacks kernel/rcu/tree.c:3020 [inline] rcu_process_callbacks+0x871/0x12c0 kernel/rcu/tree.c:3037 __do_softirq+0x206/0x951 kernel/softirq.c:284 Memory state around the buggy address: ffff8801c6f9da00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8801c6f9da80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff8801c6f9db00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff8801c6f9db80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8801c6f9dc00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ================================================================== ================================================================== BUG: KASAN: use-after-free in ip6_dst_ifdown+0x2f1/0x320 net/ipv6/route.c:400 at addr ffff8801c6f9db00 Read of size 8 by task syz-executor2/6463 CPU: 0 PID: 6463 Comm: syz-executor2 Tainted: G B 4.9.65-g73378e2 #99 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 ffff8801ce5c7ac8 ffffffff81d90469 ffff8801da001140 ffff8801c6f9db00 ffff8801c6f9df00 ffffed0038df3b60 ffff8801c6f9db00 ffff8801ce5c7af0 ffffffff8153a3fc ffffed0038df3b60 ffff8801da001140 0000000000000000 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xc1/0x128 lib/dump_stack.c:51 [] kasan_object_err+0x1c/0x70 mm/kasan/report.c:160 [] print_address_description mm/kasan/report.c:198 [inline] [] kasan_report_error mm/kasan/report.c:287 [inline] [] kasan_report.part.1+0x21c/0x500 mm/kasan/report.c:309 [] kasan_report mm/kasan/report.c:330 [inline] [] __asan_report_load8_noabort+0x29/0x30 mm/kasan/report.c:330 [] ip6_dst_ifdown+0x2f1/0x320 net/ipv6/route.c:400 [] dst_ifdown+0x75/0x230 net/core/dst.c:440 [] dst_dev_event+0xb1/0x2e0 net/core/dst.c:467 [] notifier_call_chain+0x90/0x1a0 kernel/notifier.c:93 [] __raw_notifier_call_chain kernel/notifier.c:394 [inline] [] raw_notifier_call_chain+0x2d/0x40 kernel/notifier.c:401 [] call_netdevice_notifiers_info+0x51/0x90 net/core/dev.c:1646 [] call_netdevice_notifiers net/core/dev.c:1662 [inline] [] netdev_run_todo+0x17a/0x6b0 net/core/dev.c:7499 [] rtnl_unlock+0xe/0x10 net/core/rtnetlink.c:104 [] tun_detach drivers/net/tun.c:579 [inline] [] tun_chr_close+0x49/0x60 drivers/net/tun.c:2379 [] __fput+0x28c/0x6e0 fs/file_table.c:208 [] ____fput+0x15/0x20 fs/file_table.c:244 [] task_work_run+0x115/0x190 kernel/task_work.c:116 [] tracehook_notify_resume include/linux/tracehook.h:191 [inline] [] exit_to_usermode_loop+0xfc/0x120 arch/x86/entry/common.c:160 [] prepare_exit_to_usermode arch/x86/entry/common.c:190 [inline] [] syscall_return_slowpath+0x1a0/0x1e0 arch/x86/entry/common.c:259 [] entry_SYSCALL_64_fastpath+0xc4/0xc6 Object at ffff8801c6f9db00, in cache kmalloc-1024 size: 1024 Allocated: PID = 3330 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 save_stack+0x43/0xd0 mm/kasan/kasan.c:495 set_track mm/kasan/kasan.c:507 [inline] kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598 kmem_cache_alloc_trace+0xfb/0x2a0 mm/slub.c:2742 kmalloc include/linux/slab.h:490 [inline] kzalloc include/linux/slab.h:636 [inline] ipv6_add_dev+0xbb/0x1000 net/ipv6/addrconf.c:371 addrconf_notify+0xa5e/0x2190 net/ipv6/addrconf.c:3356 notifier_call_chain+0x90/0x1a0 kernel/notifier.c:93 __raw_notifier_call_chain kernel/notifier.c:394 [inline] raw_notifier_call_chain+0x2d/0x40 kernel/notifier.c:401 call_netdevice_notifiers_info+0x51/0x90 net/core/dev.c:1646 call_netdevice_notifiers net/core/dev.c:1662 [inline] register_netdevice+0xb92/0xea0 net/core/dev.c:7294 register_netdev+0x1a/0x30 net/core/dev.c:7377 loopback_net_init+0x76/0x160 drivers/net/loopback.c:202 ops_init+0xa9/0x3a0 net/core/net_namespace.c:111 setup_net+0x1b2/0x3e0 net/core/net_namespace.c:291 copy_net_ns+0x189/0x280 net/core/net_namespace.c:389 create_new_namespaces+0x37f/0x730 kernel/nsproxy.c:106 copy_namespaces+0x291/0x320 kernel/nsproxy.c:164 copy_process.part.51+0x1c99/0x5d40 kernel/fork.c:1667 copy_process kernel/fork.c:1491 [inline] _do_fork+0x1c0/0xd70 kernel/fork.c:1949 SYSC_clone kernel/fork.c:2059 [inline] SyS_clone+0x37/0x50 kernel/fork.c:2053 do_syscall_64+0x197/0x490 arch/x86/entry/common.c:280 return_from_SYSCALL_64+0x0/0x7a Freed: PID = 3 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 save_stack+0x43/0xd0 mm/kasan/kasan.c:495 set_track mm/kasan/kasan.c:507 [inline] kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:571 slab_free_hook mm/slub.c:1355 [inline] slab_free_freelist_hook mm/slub.c:1377 [inline] slab_free mm/slub.c:2958 [inline] kfree+0xf0/0x2f0 mm/slub.c:3878 in6_dev_finish_destroy_rcu+0x9d/0xc0 net/ipv6/addrconf_core.c:150 __rcu_reclaim kernel/rcu/rcu.h:118 [inline] rcu_do_batch kernel/rcu/tree.c:2789 [inline] invoke_rcu_callbacks kernel/rcu/tree.c:3053 [inline] __rcu_process_callbacks kernel/rcu/tree.c:3020 [inline] rcu_process_callbacks+0x871/0x12c0 kernel/rcu/tree.c:3037 __do_softirq+0x206/0x951 kernel/softirq.c:284 Memory state around the buggy address: ffff8801c6f9da00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8801c6f9da80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff8801c6f9db00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff8801c6f9db80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8801c6f9dc00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ================================================================== unregister_netdevice: waiting for lo to become free. Usage count = 2