NOHZ: local_softirq_pending 08 ================================================================== BUG: KASAN: use-after-free in __lock_acquire+0x5047/0x5290 kernel/locking/lockdep.c:3221 at addr ffff8801362e3648 Read of size 8 by task swapper/0/0 CPU: 0 PID: 0 Comm: swapper/0 Not tainted 4.8.0-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 0000000000000000 ffff88013bc07980 ffffffff82e4dd32 ffff88013b802a80 ffff8801362e2100 ffff8801362e4100 ffffffff88076580 1ffff10027780f64 ffff88013bc079a8 ffffffff8171d43c ffff88013bc07a38 ffff88013b802a80 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0x136/0x1d4 lib/dump_stack.c:51 [] kasan_object_err+0x1c/0x70 mm/kasan/report.c:156 [] print_address_description mm/kasan/report.c:194 [inline] [] kasan_report_error+0x1e2/0x4c0 mm/kasan/report.c:283 [] kasan_report mm/kasan/report.c:303 [inline] [] __asan_report_load8_noabort+0x3e/0x40 mm/kasan/report.c:324 [] __lock_acquire+0x5047/0x5290 kernel/locking/lockdep.c:3221 [] lock_acquire+0x197/0x4b0 kernel/locking/lockdep.c:3746 [] __raw_spin_lock include/linux/spinlock_api_smp.h:144 [inline] [] _raw_spin_lock+0x36/0x50 kernel/locking/spinlock.c:151 [] spin_lock include/linux/spinlock.h:302 [inline] [] br_multicast_group_expired+0x47/0x360 net/bridge/br_multicast.c:243 [] call_timer_fn+0x14f/0x630 kernel/time/timer.c:1298 [] expire_timers+0x28f/0x460 kernel/time/timer.c:1338 [] __run_timers kernel/time/timer.c:1627 [inline] [] run_timer_softirq+0x1a6/0x520 kernel/time/timer.c:1640 [] __do_softirq+0x2cb/0xa1c kernel/softirq.c:273 [] invoke_softirq kernel/softirq.c:350 [inline] [] irq_exit+0x14f/0x190 kernel/softirq.c:391 [] exiting_irq arch/x86/include/asm/apic.h:659 [inline] [] smp_apic_timer_interrupt+0x7b/0xa0 arch/x86/kernel/apic/apic.c:958 [] apic_timer_interrupt+0x8c/0xa0 arch/x86/entry/entry_64.S:633 [] ? native_safe_halt+0x6/0x10 arch/x86/include/asm/irqflags.h:49 [] arch_safe_halt arch/x86/include/asm/paravirt.h:107 [inline] [] default_idle+0x4f/0x390 arch/x86/kernel/process.c:307 [] arch_cpu_idle+0xa/0x10 arch/x86/kernel/process.c:298 [] default_idle_call+0x48/0xa0 kernel/sched/idle.c:93 [] cpuidle_idle_call kernel/sched/idle.c:151 [inline] [] cpu_idle_loop kernel/sched/idle.c:244 [inline] [] cpu_startup_entry+0x5ec/0x7e0 kernel/sched/idle.c:293 [] rest_init+0x152/0x160 init/main.c:408 [] start_kernel+0x4fd/0x523 init/main.c:662 [] x86_64_start_reservations+0x2a/0x2c arch/x86/kernel/head64.c:195 [] x86_64_start_kernel+0x17c/0x18b arch/x86/kernel/head64.c:176 Object at ffff8801362e2100, in cache kmalloc-8192 size: 8192 Allocated: PID = 7529 [] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:67 [] save_stack mm/kasan/kasan.c:479 [inline] [] set_track mm/kasan/kasan.c:491 [inline] [] kasan_kmalloc+0xee/0x180 mm/kasan/kasan.c:582 [] __kmalloc+0x15f/0x3c0 mm/slub.c:3719 [] kmalloc include/linux/slab.h:495 [inline] [] kzalloc include/linux/slab.h:636 [inline] [] alloc_netdev_mqs+0x940/0xda0 net/core/dev.c:7610 [] rtnl_create_link+0x132/0x830 net/core/rtnetlink.c:2302 [] rtnl_newlink+0xc55/0x1220 net/core/rtnetlink.c:2547 [] rtnetlink_rcv_msg+0x222/0x670 net/core/rtnetlink.c:3846 [] netlink_rcv_skb+0x242/0x350 net/netlink/af_netlink.c:2280 [] rtnetlink_rcv+0x25/0x30 net/core/rtnetlink.c:3852 [] netlink_unicast_kernel net/netlink/af_netlink.c:1214 [inline] [] netlink_unicast+0x3df/0x570 net/netlink/af_netlink.c:1240 [] netlink_sendmsg+0x9bb/0xb40 net/netlink/af_netlink.c:1786 [] sock_sendmsg_nosec net/socket.c:609 [inline] [] sock_sendmsg+0xb5/0xf0 net/socket.c:619 [] SYSC_sendto net/socket.c:1644 [inline] [] SyS_sendto+0x1ca/0x2c0 net/socket.c:1612 [] entry_SYSCALL_64_fastpath+0x23/0xc1 Freed: PID = 2978 [] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:67 [] save_stack mm/kasan/kasan.c:479 [inline] [] set_track mm/kasan/kasan.c:491 [inline] [] kasan_slab_free+0xae/0x180 mm/kasan/kasan.c:555 [] slab_free_hook mm/slub.c:1356 [inline] [] slab_free_freelist_hook mm/slub.c:1378 [inline] [] slab_free mm/slub.c:2936 [inline] [] kfree+0x11b/0x3a0 mm/slub.c:3856 [] kvfree+0x25/0x30 mm/util.c:329 [] netdev_freemem+0x47/0x60 net/core/dev.c:7562 [] netdev_release+0x6c/0x90 net/core/net-sysfs.c:1469 [] device_release+0x71/0x1e0 drivers/base/core.c:247 [] kobject_cleanup lib/kobject.c:645 [inline] [] kobject_release lib/kobject.c:674 [inline] [] kref_sub include/linux/kref.h:73 [inline] [] kref_put include/linux/kref.h:98 [inline] [] kobject_put+0x146/0x400 lib/kobject.c:691 [] netdev_run_todo+0x483/0x650 net/core/dev.c:7467 [] rtnl_unlock+0x9/0x10 net/core/rtnetlink.c:104 [] default_device_exit_batch+0x2fe/0x3d0 net/core/dev.c:8244 [] ops_exit_list.isra.0+0xd6/0x120 net/core/net_namespace.c:137 [] cleanup_net+0x2d0/0x540 net/core/net_namespace.c:431 [] process_one_work+0x67d/0x14f0 kernel/workqueue.c:2096 [] worker_thread+0xda/0xf10 kernel/workqueue.c:2230 [] kthread+0x209/0x2d0 kernel/kthread.c:209 [] ret_from_fork+0x1f/0x40 arch/x86/entry/entry_64.S:393 Memory state around the buggy address: ffff8801362e3500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8801362e3580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff8801362e3600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff8801362e3680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8801362e3700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ================================================================== ================================================================== BUG: KASAN: use-after-free in __lock_acquire+0x4ea4/0x5290 kernel/locking/lockdep.c:3225 at addr ffff8801362e3650 Read of size 8 by task swapper/0/0 CPU: 0 PID: 0 Comm: swapper/0 Tainted: G B 4.8.0-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 0000000000000000 ffff88013bc07980 ffffffff82e4dd32 ffff88013b802a80 ffff8801362e2100 ffff8801362e4100 ffffffff88076580 1ffff10027780f64 ffff88013bc079a8 ffffffff8171d43c ffff88013bc07a38 ffff88013b802a80 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0x136/0x1d4 lib/dump_stack.c:51 [] kasan_object_err+0x1c/0x70 mm/kasan/report.c:156 [] print_address_description mm/kasan/report.c:194 [inline] [] kasan_report_error+0x1e2/0x4c0 mm/kasan/report.c:283 [] kasan_report mm/kasan/report.c:303 [inline] [] __asan_report_load8_noabort+0x3e/0x40 mm/kasan/report.c:324 [] __lock_acquire+0x4ea4/0x5290 kernel/locking/lockdep.c:3225 [] lock_acquire+0x197/0x4b0 kernel/locking/lockdep.c:3746 [] __raw_spin_lock include/linux/spinlock_api_smp.h:144 [inline] [] _raw_spin_lock+0x36/0x50 kernel/locking/spinlock.c:151 [] spin_lock include/linux/spinlock.h:302 [inline] [] br_multicast_group_expired+0x47/0x360 net/bridge/br_multicast.c:243 [] call_timer_fn+0x14f/0x630 kernel/time/timer.c:1298 [] expire_timers+0x28f/0x460 kernel/time/timer.c:1338 [] __run_timers kernel/time/timer.c:1627 [inline] [] run_timer_softirq+0x1a6/0x520 kernel/time/timer.c:1640 [] __do_softirq+0x2cb/0xa1c kernel/softirq.c:273 [] invoke_softirq kernel/softirq.c:350 [inline] [] irq_exit+0x14f/0x190 kernel/softirq.c:391 [] exiting_irq arch/x86/include/asm/apic.h:659 [inline] [] smp_apic_timer_interrupt+0x7b/0xa0 arch/x86/kernel/apic/apic.c:958 [] apic_timer_interrupt+0x8c/0xa0 arch/x86/entry/entry_64.S:633 [] ? native_safe_halt+0x6/0x10 arch/x86/include/asm/irqflags.h:49 [] arch_safe_halt arch/x86/include/asm/paravirt.h:107 [inline] [] default_idle+0x4f/0x390 arch/x86/kernel/process.c:307 [] arch_cpu_idle+0xa/0x10 arch/x86/kernel/process.c:298 [] default_idle_call+0x48/0xa0 kernel/sched/idle.c:93 [] cpuidle_idle_call kernel/sched/idle.c:151 [inline] [] cpu_idle_loop kernel/sched/idle.c:244 [inline] [] cpu_startup_entry+0x5ec/0x7e0 kernel/sched/idle.c:293 [] rest_init+0x152/0x160 init/main.c:408 [] start_kernel+0x4fd/0x523 init/main.c:662 [] x86_64_start_reservations+0x2a/0x2c arch/x86/kernel/head64.c:195 [] x86_64_start_kernel+0x17c/0x18b arch/x86/kernel/head64.c:176 Object at ffff8801362e2100, in cache kmalloc-8192 size: 8192 Allocated: PID = 7529 [] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:67 [] save_stack mm/kasan/kasan.c:479 [inline] [] set_track mm/kasan/kasan.c:491 [inline] [] kasan_kmalloc+0xee/0x180 mm/kasan/kasan.c:582 [] __kmalloc+0x15f/0x3c0 mm/slub.c:3719 [] kmalloc include/linux/slab.h:495 [inline] [] kzalloc include/linux/slab.h:636 [inline] [] alloc_netdev_mqs+0x940/0xda0 net/core/dev.c:7610 [] rtnl_create_link+0x132/0x830 net/core/rtnetlink.c:2302 [] rtnl_newlink+0xc55/0x1220 net/core/rtnetlink.c:2547 [] rtnetlink_rcv_msg+0x222/0x670 net/core/rtnetlink.c:3846 [] netlink_rcv_skb+0x242/0x350 net/netlink/af_netlink.c:2280 [] rtnetlink_rcv+0x25/0x30 net/core/rtnetlink.c:3852 [] netlink_unicast_kernel net/netlink/af_netlink.c:1214 [inline] [] netlink_unicast+0x3df/0x570 net/netlink/af_netlink.c:1240 [] netlink_sendmsg+0x9bb/0xb40 net/netlink/af_netlink.c:1786 [] sock_sendmsg_nosec net/socket.c:609 [inline] [] sock_sendmsg+0xb5/0xf0 net/socket.c:619 [] SYSC_sendto net/socket.c:1644 [inline] [] SyS_sendto+0x1ca/0x2c0 net/socket.c:1612 [] entry_SYSCALL_64_fastpath+0x23/0xc1 Freed: PID = 2978 [] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:67 [] save_stack mm/kasan/kasan.c:479 [inline] [] set_track mm/kasan/kasan.c:491 [inline] [] kasan_slab_free+0xae/0x180 mm/kasan/kasan.c:555 [] slab_free_hook mm/slub.c:1356 [inline] [] slab_free_freelist_hook mm/slub.c:1378 [inline] [] slab_free mm/slub.c:2936 [inline] [] kfree+0x11b/0x3a0 mm/slub.c:3856 [] kvfree+0x25/0x30 mm/util.c:329 [] netdev_freemem+0x47/0x60 net/core/dev.c:7562 [] netdev_release+0x6c/0x90 net/core/net-sysfs.c:1469 [] device_release+0x71/0x1e0 drivers/base/core.c:247 [] kobject_cleanup lib/kobject.c:645 [inline] [] kobject_release lib/kobject.c:674 [inline] [] kref_sub include/linux/kref.h:73 [inline] [] kref_put include/linux/kref.h:98 [inline] [] kobject_put+0x146/0x400 lib/kobject.c:691 [] netdev_run_todo+0x483/0x650 net/core/dev.c:7467 [] rtnl_unlock+0x9/0x10 net/core/rtnetlink.c:104 [] default_device_exit_batch+0x2fe/0x3d0 net/core/dev.c:8244 [] ops_exit_list.isra.0+0xd6/0x120 net/core/net_namespace.c:137 [] cleanup_net+0x2d0/0x540 net/core/net_namespace.c:431 [] process_one_work+0x67d/0x14f0 kernel/workqueue.c:2096 [] worker_thread+0xda/0xf10 kernel/workqueue.c:2230 [] kthread+0x209/0x2d0 kernel/kthread.c:209 [] ret_from_fork+0x1f/0x40 arch/x86/entry/entry_64.S:393 Memory state around the buggy address: ffff8801362e3500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8801362e3580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff8801362e3600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff8801362e3680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8801362e3700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ================================================================== ================================================================== BUG: KASAN: use-after-free in debug_spin_lock_before kernel/locking/spinlock_debug.c:83 [inline] at addr ffff8801362e3634 BUG: KASAN: use-after-free in do_raw_spin_lock+0x28b/0x2f0 kernel/locking/spinlock_debug.c:135 at addr ffff8801362e3634 Read of size 4 by task swapper/0/0 CPU: 0 PID: 0 Comm: swapper/0 Tainted: G B 4.8.0-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 0000000000000000 ffff88013bc07b70 ffffffff82e4dd32 ffff88013b802a80 ffff8801362e2100 ffff8801362e4100 0000000000000101 dffffc0000000000 ffff88013bc07b98 ffffffff8171d43c ffff88013bc07c28 ffff88013b802a80 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0x136/0x1d4 lib/dump_stack.c:51 [] kasan_object_err+0x1c/0x70 mm/kasan/report.c:156 [] print_address_description mm/kasan/report.c:194 [inline] [] kasan_report_error+0x1e2/0x4c0 mm/kasan/report.c:283 [] kasan_report mm/kasan/report.c:303 [inline] [] __asan_report_load4_noabort+0x3e/0x40 mm/kasan/report.c:323 [] debug_spin_lock_before kernel/locking/spinlock_debug.c:83 [inline] [] do_raw_spin_lock+0x28b/0x2f0 kernel/locking/spinlock_debug.c:135 [] __raw_spin_lock include/linux/spinlock_api_smp.h:145 [inline] [] _raw_spin_lock+0x3e/0x50 kernel/locking/spinlock.c:151 [] spin_lock include/linux/spinlock.h:302 [inline] [] br_multicast_group_expired+0x47/0x360 net/bridge/br_multicast.c:243 [] call_timer_fn+0x14f/0x630 kernel/time/timer.c:1298 [] expire_timers+0x28f/0x460 kernel/time/timer.c:1338 [] __run_timers kernel/time/timer.c:1627 [inline] [] run_timer_softirq+0x1a6/0x520 kernel/time/timer.c:1640 [] __do_softirq+0x2cb/0xa1c kernel/softirq.c:273 [] invoke_softirq kernel/softirq.c:350 [inline] [] irq_exit+0x14f/0x190 kernel/softirq.c:391 [] exiting_irq arch/x86/include/asm/apic.h:659 [inline] [] smp_apic_timer_interrupt+0x7b/0xa0 arch/x86/kernel/apic/apic.c:958 [] apic_timer_interrupt+0x8c/0xa0 arch/x86/entry/entry_64.S:633 [] ? native_safe_halt+0x6/0x10 arch/x86/include/asm/irqflags.h:49 [] arch_safe_halt arch/x86/include/asm/paravirt.h:107 [inline] [] default_idle+0x4f/0x390 arch/x86/kernel/process.c:307 [] arch_cpu_idle+0xa/0x10 arch/x86/kernel/process.c:298 [] default_idle_call+0x48/0xa0 kernel/sched/idle.c:93 [] cpuidle_idle_call kernel/sched/idle.c:151 [inline] [] cpu_idle_loop kernel/sched/idle.c:244 [inline] [] cpu_startup_entry+0x5ec/0x7e0 kernel/sched/idle.c:293 [] rest_init+0x152/0x160 init/main.c:408 [] start_kernel+0x4fd/0x523 init/main.c:662 [] x86_64_start_reservations+0x2a/0x2c arch/x86/kernel/head64.c:195 [] x86_64_start_kernel+0x17c/0x18b arch/x86/kernel/head64.c:176 Object at ffff8801362e2100, in cache kmalloc-8192 size: 8192 Allocated: PID = 7529 [] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:67 [] save_stack mm/kasan/kasan.c:479 [inline] [] set_track mm/kasan/kasan.c:491 [inline] [] kasan_kmalloc+0xee/0x180 mm/kasan/kasan.c:582 [] __kmalloc+0x15f/0x3c0 mm/slub.c:3719 [] kmalloc include/linux/slab.h:495 [inline] [] kzalloc include/linux/slab.h:636 [inline] [] alloc_netdev_mqs+0x940/0xda0 net/core/dev.c:7610 [] rtnl_create_link+0x132/0x830 net/core/rtnetlink.c:2302 [] rtnl_newlink+0xc55/0x1220 net/core/rtnetlink.c:2547 [] rtnetlink_rcv_msg+0x222/0x670 net/core/rtnetlink.c:3846 [] netlink_rcv_skb+0x242/0x350 net/netlink/af_netlink.c:2280 [] rtnetlink_rcv+0x25/0x30 net/core/rtnetlink.c:3852 [] netlink_unicast_kernel net/netlink/af_netlink.c:1214 [inline] [] netlink_unicast+0x3df/0x570 net/netlink/af_netlink.c:1240 [] netlink_sendmsg+0x9bb/0xb40 net/netlink/af_netlink.c:1786 [] sock_sendmsg_nosec net/socket.c:609 [inline] [] sock_sendmsg+0xb5/0xf0 net/socket.c:619 [] SYSC_sendto net/socket.c:1644 [inline] [] SyS_sendto+0x1ca/0x2c0 net/socket.c:1612 [] entry_SYSCALL_64_fastpath+0x23/0xc1 Freed: PID = 2978 [] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:67 [] save_stack mm/kasan/kasan.c:479 [inline] [] set_track mm/kasan/kasan.c:491 [inline] [] kasan_slab_free+0xae/0x180 mm/kasan/kasan.c:555 [] slab_free_hook mm/slub.c:1356 [inline] [] slab_free_freelist_hook mm/slub.c:1378 [inline] [] slab_free mm/slub.c:2936 [inline] [] kfree+0x11b/0x3a0 mm/slub.c:3856 [] kvfree+0x25/0x30 mm/util.c:329 [] netdev_freemem+0x47/0x60 net/core/dev.c:7562 [] netdev_release+0x6c/0x90 net/core/net-sysfs.c:1469 [] device_release+0x71/0x1e0 drivers/base/core.c:247 [] kobject_cleanup lib/kobject.c:645 [inline] [] kobject_release lib/kobject.c:674 [inline] [] kref_sub include/linux/kref.h:73 [inline] [] kref_put include/linux/kref.h:98 [inline] [] kobject_put+0x146/0x400 lib/kobject.c:691 [] netdev_run_todo+0x483/0x650 net/core/dev.c:7467 [] rtnl_unlock+0x9/0x10 net/core/rtnetlink.c:104 [] default_device_exit_batch+0x2fe/0x3d0 net/core/dev.c:8244 [] ops_exit_list.isra.0+0xd6/0x120 net/core/net_namespace.c:137 [] cleanup_net+0x2d0/0x540 net/core/net_namespace.c:431 [] process_one_work+0x67d/0x14f0 kernel/workqueue.c:2096 [] worker_thread+0xda/0xf10 kernel/workqueue.c:2230 [] kthread+0x209/0x2d0 kernel/kthread.c:209 [] ret_from_fork+0x1f/0x40 arch/x86/entry/entry_64.S:393 Memory state around the buggy address: ffff8801362e3500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8801362e3580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff8801362e3600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff8801362e3680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8801362e3700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ================================================================== ================================================================== BUG: KASAN: use-after-free in debug_spin_lock_before kernel/locking/spinlock_debug.c:84 [inline] at addr ffff8801362e3640 BUG: KASAN: use-after-free in do_raw_spin_lock+0x2c1/0x2f0 kernel/locking/spinlock_debug.c:135 at addr ffff8801362e3640 Read of size 8 by task swapper/0/0 CPU: 0 PID: 0 Comm: swapper/0 Tainted: G B 4.8.0-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 0000000000000000 ffff88013bc07b70 ffffffff82e4dd32 ffff88013b802a80 ffff8801362e2100 ffff8801362e4100 0000000000000101 dffffc0000000000 ffff88013bc07b98 ffffffff8171d43c ffff88013bc07c28 ffff88013b802a80 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0x136/0x1d4 lib/dump_stack.c:51 [] kasan_object_err+0x1c/0x70 mm/kasan/report.c:156 [] print_address_description mm/kasan/report.c:194 [inline] [] kasan_report_error+0x1e2/0x4c0 mm/kasan/report.c:283 [] kasan_report mm/kasan/report.c:303 [inline] [] __asan_report_load8_noabort+0x3e/0x40 mm/kasan/report.c:324 [] debug_spin_lock_before kernel/locking/spinlock_debug.c:84 [inline] [] do_raw_spin_lock+0x2c1/0x2f0 kernel/locking/spinlock_debug.c:135 [] __raw_spin_lock include/linux/spinlock_api_smp.h:145 [inline] [] _raw_spin_lock+0x3e/0x50 kernel/locking/spinlock.c:151 [] spin_lock include/linux/spinlock.h:302 [inline] [] br_multicast_group_expired+0x47/0x360 net/bridge/br_multicast.c:243 [] call_timer_fn+0x14f/0x630 kernel/time/timer.c:1298 [] expire_timers+0x28f/0x460 kernel/time/timer.c:1338 [] __run_timers kernel/time/timer.c:1627 [inline] [] run_timer_softirq+0x1a6/0x520 kernel/time/timer.c:1640 [] __do_softirq+0x2cb/0xa1c kernel/softirq.c:273 [] invoke_softirq kernel/softirq.c:350 [inline] [] irq_exit+0x14f/0x190 kernel/softirq.c:391 [] exiting_irq arch/x86/include/asm/apic.h:659 [inline] [] smp_apic_timer_interrupt+0x7b/0xa0 arch/x86/kernel/apic/apic.c:958 [] apic_timer_interrupt+0x8c/0xa0 arch/x86/entry/entry_64.S:633 [] ? native_safe_halt+0x6/0x10 arch/x86/include/asm/irqflags.h:49 [] arch_safe_halt arch/x86/include/asm/paravirt.h:107 [inline] [] default_idle+0x4f/0x390 arch/x86/kernel/process.c:307 [] arch_cpu_idle+0xa/0x10 arch/x86/kernel/process.c:298 [] default_idle_call+0x48/0xa0 kernel/sched/idle.c:93 [] cpuidle_idle_call kernel/sched/idle.c:151 [inline] [] cpu_idle_loop kernel/sched/idle.c:244 [inline] [] cpu_startup_entry+0x5ec/0x7e0 kernel/sched/idle.c:293 [] rest_init+0x152/0x160 init/main.c:408 [] start_kernel+0x4fd/0x523 init/main.c:662 [] x86_64_start_reservations+0x2a/0x2c arch/x86/kernel/head64.c:195 [] x86_64_start_kernel+0x17c/0x18b arch/x86/kernel/head64.c:176 Object at ffff8801362e2100, in cache kmalloc-8192 size: 8192 Allocated: PID = 7529 [] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:67 [] save_stack mm/kasan/kasan.c:479 [inline] [] set_track mm/kasan/kasan.c:491 [inline] [] kasan_kmalloc+0xee/0x180 mm/kasan/kasan.c:582 [] __kmalloc+0x15f/0x3c0 mm/slub.c:3719 [] kmalloc include/linux/slab.h:495 [inline] [] kzalloc include/linux/slab.h:636 [inline] [] alloc_netdev_mqs+0x940/0xda0 net/core/dev.c:7610 [] rtnl_create_link+0x132/0x830 net/core/rtnetlink.c:2302 [] rtnl_newlink+0xc55/0x1220 net/core/rtnetlink.c:2547 [] rtnetlink_rcv_msg+0x222/0x670 net/core/rtnetlink.c:3846 [] netlink_rcv_skb+0x242/0x350 net/netlink/af_netlink.c:2280 [] rtnetlink_rcv+0x25/0x30 net/core/rtnetlink.c:3852 [] netlink_unicast_kernel net/netlink/af_netlink.c:1214 [inline] [] netlink_unicast+0x3df/0x570 net/netlink/af_netlink.c:1240 [] netlink_sendmsg+0x9bb/0xb40 net/netlink/af_netlink.c:1786 [] sock_sendmsg_nosec net/socket.c:609 [inline] [] sock_sendmsg+0xb5/0xf0 net/socket.c:619 [] SYSC_sendto net/socket.c:1644 [inline] [] SyS_sendto+0x1ca/0x2c0 net/socket.c:1612 [] entry_SYSCALL_64_fastpath+0x23/0xc1 Freed: PID = 2978 [] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:67 [] save_stack mm/kasan/kasan.c:479 [inline] [] set_track mm/kasan/kasan.c:491 [inline] [] kasan_slab_free+0xae/0x180 mm/kasan/kasan.c:555 [] slab_free_hook mm/slub.c:1356 [inline] [] slab_free_freelist_hook mm/slub.c:1378 [inline] [] slab_free mm/slub.c:2936 [inline] [] kfree+0x11b/0x3a0 mm/slub.c:3856 [] kvfree+0x25/0x30 mm/util.c:329 [] netdev_freemem+0x47/0x60 net/core/dev.c:7562 [] netdev_release+0x6c/0x90 net/core/net-sysfs.c:1469 [] device_release+0x71/0x1e0 drivers/base/core.c:247 [] kobject_cleanup lib/kobject.c:645 [inline] [] kobject_release lib/kobject.c:674 [inline] [] kref_sub include/linux/kref.h:73 [inline] [] kref_put include/linux/kref.h:98 [inline] [] kobject_put+0x146/0x400 lib/kobject.c:691 [] netdev_run_todo+0x483/0x650 net/core/dev.c:7467 [] rtnl_unlock+0x9/0x10 net/core/rtnetlink.c:104 [] default_device_exit_batch+0x2fe/0x3d0 net/core/dev.c:8244 [] ops_exit_list.isra.0+0xd6/0x120 net/core/net_namespace.c:137 [] cleanup_net+0x2d0/0x540 net/core/net_namespace.c:431 [] process_one_work+0x67d/0x14f0 kernel/workqueue.c:2096 [] worker_thread+0xda/0xf10 kernel/workqueue.c:2230 [] kthread+0x209/0x2d0 kernel/kthread.c:209 [] ret_from_fork+0x1f/0x40 arch/x86/entry/entry_64.S:393 Memory state around the buggy address: ffff8801362e3500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8801362e3580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff8801362e3600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff8801362e3680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8801362e3700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ================================================================== ================================================================== BUG: KASAN: use-after-free in debug_spin_lock_before kernel/locking/spinlock_debug.c:85 [inline] at addr ffff8801362e3638 BUG: KASAN: use-after-free in do_raw_spin_lock+0x2a5/0x2f0 kernel/locking/spinlock_debug.c:135 at addr ffff8801362e3638 Read of size 4 by task swapper/0/0 CPU: 0 PID: 0 Comm: swapper/0 Tainted: G B 4.8.0-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 0000000000000000 ffff88013bc07b70 ffffffff82e4dd32 ffff88013b802a80 ffff8801362e2100 ffff8801362e4100 0000000000000101 dffffc0000000000 ffff88013bc07b98 ffffffff8171d43c ffff88013bc07c28 ffff88013b802a80 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0x136/0x1d4 lib/dump_stack.c:51 [] kasan_object_err+0x1c/0x70 mm/kasan/report.c:156 [] print_address_description mm/kasan/report.c:194 [inline] [] kasan_report_error+0x1e2/0x4c0 mm/kasan/report.c:283 [] kasan_report mm/kasan/report.c:303 [inline] [] __asan_report_load4_noabort+0x3e/0x40 mm/kasan/report.c:323 [] debug_spin_lock_before kernel/locking/spinlock_debug.c:85 [inline] [] do_raw_spin_lock+0x2a5/0x2f0 kernel/locking/spinlock_debug.c:135 [] __raw_spin_lock include/linux/spinlock_api_smp.h:145 [inline] [] _raw_spin_lock+0x3e/0x50 kernel/locking/spinlock.c:151 [] spin_lock include/linux/spinlock.h:302 [inline] [] br_multicast_group_expired+0x47/0x360 net/bridge/br_multicast.c:243 [] call_timer_fn+0x14f/0x630 kernel/time/timer.c:1298 [] expire_timers+0x28f/0x460 kernel/time/timer.c:1338 [] __run_timers kernel/time/timer.c:1627 [inline] [] run_timer_softirq+0x1a6/0x520 kernel/time/timer.c:1640 [] __do_softirq+0x2cb/0xa1c kernel/softirq.c:273 [] invoke_softirq kernel/softirq.c:350 [inline] [] irq_exit+0x14f/0x190 kernel/softirq.c:391 [] exiting_irq arch/x86/include/asm/apic.h:659 [inline] [] smp_apic_timer_interrupt+0x7b/0xa0 arch/x86/kernel/apic/apic.c:958 [] apic_timer_interrupt+0x8c/0xa0 arch/x86/entry/entry_64.S:633 [] ? native_safe_halt+0x6/0x10 arch/x86/include/asm/irqflags.h:49 [] arch_safe_halt arch/x86/include/asm/paravirt.h:107 [inline] [] default_idle+0x4f/0x390 arch/x86/kernel/process.c:307 [] arch_cpu_idle+0xa/0x10 arch/x86/kernel/process.c:298 [] default_idle_call+0x48/0xa0 kernel/sched/idle.c:93 [] cpuidle_idle_call kernel/sched/idle.c:151 [inline] [] cpu_idle_loop kernel/sched/idle.c:244 [inline] [] cpu_startup_entry+0x5ec/0x7e0 kernel/sched/idle.c:293 [] rest_init+0x152/0x160 init/main.c:408 [] start_kernel+0x4fd/0x523 init/main.c:662 [] x86_64_start_reservations+0x2a/0x2c arch/x86/kernel/head64.c:195 [] x86_64_start_kernel+0x17c/0x18b arch/x86/kernel/head64.c:176 Object at ffff8801362e2100, in cache kmalloc-8192 size: 8192 Allocated: PID = 7529 [] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:67 [] save_stack mm/kasan/kasan.c:479 [inline] [] set_track mm/kasan/kasan.c:491 [inline] [] kasan_kmalloc+0xee/0x180 mm/kasan/kasan.c:582 [] __kmalloc+0x15f/0x3c0 mm/slub.c:3719 [] kmalloc include/linux/slab.h:495 [inline] [] kzalloc include/linux/slab.h:636 [inline] [] alloc_netdev_mqs+0x940/0xda0 net/core/dev.c:7610 [] rtnl_create_link+0x132/0x830 net/core/rtnetlink.c:2302 [] rtnl_newlink+0xc55/0x1220 net/core/rtnetlink.c:2547 [] rtnetlink_rcv_msg+0x222/0x670 net/core/rtnetlink.c:3846 [] netlink_rcv_skb+0x242/0x350 net/netlink/af_netlink.c:2280 [] rtnetlink_rcv+0x25/0x30 net/core/rtnetlink.c:3852 [] netlink_unicast_kernel net/netlink/af_netlink.c:1214 [inline] [] netlink_unicast+0x3df/0x570 net/netlink/af_netlink.c:1240 [] netlink_sendmsg+0x9bb/0xb40 net/netlink/af_netlink.c:1786 [] sock_sendmsg_nosec net/socket.c:609 [inline] [] sock_sendmsg+0xb5/0xf0 net/socket.c:619 [] SYSC_sendto net/socket.c:1644 [inline] [] SyS_sendto+0x1ca/0x2c0 net/socket.c:1612 [] entry_SYSCALL_64_fastpath+0x23/0xc1 Freed: PID = 2978 [] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:67 [] save_stack mm/kasan/kasan.c:479 [inline] [] set_track mm/kasan/kasan.c:491 [inline] [] kasan_slab_free+0xae/0x180 mm/kasan/kasan.c:555 [] slab_free_hook mm/slub.c:1356 [inline] [] slab_free_freelist_hook mm/slub.c:1378 [inline] [] slab_free mm/slub.c:2936 [inline] [] kfree+0x11b/0x3a0 mm/slub.c:3856 [] kvfree+0x25/0x30 mm/util.c:329 [] netdev_freemem+0x47/0x60 net/core/dev.c:7562 [] netdev_release+0x6c/0x90 net/core/net-sysfs.c:1469 [] device_release+0x71/0x1e0 drivers/base/core.c:247 [] kobject_cleanup lib/kobject.c:645 [inline] [] kobject_release lib/kobject.c:674 [inline] [] kref_sub include/linux/kref.h:73 [inline] [] kref_put include/linux/kref.h:98 [inline] [] kobject_put+0x146/0x400 lib/kobject.c:691 [] netdev_run_todo+0x483/0x650 net/core/dev.c:7467 [] rtnl_unlock+0x9/0x10 net/core/rtnetlink.c:104 [] default_device_exit_batch+0x2fe/0x3d0 net/core/dev.c:8244 [] ops_exit_list.isra.0+0xd6/0x120 net/core/net_namespace.c:137 [] cleanup_net+0x2d0/0x540 net/core/net_namespace.c:431 [] process_one_work+0x67d/0x14f0 kernel/workqueue.c:2096 [] worker_thread+0xda/0xf10 kernel/workqueue.c:2230 [] kthread+0x209/0x2d0 kernel/kthread.c:209 [] ret_from_fork+0x1f/0x40 arch/x86/entry/entry_64.S:393 Memory state around the buggy address: ffff8801362e3500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8801362e3580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff8801362e3600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff8801362e3680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8801362e3700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ================================================================== ================================================================== BUG: KASAN: use-after-free in __read_once_size include/linux/compiler.h:220 [inline] at addr ffff8801362e3630 BUG: KASAN: use-after-free in atomic_read arch/x86/include/asm/atomic.h:26 [inline] at addr ffff8801362e3630 BUG: KASAN: use-after-free in queued_spin_trylock include/asm-generic/qspinlock.h:84 [inline] at addr ffff8801362e3630 BUG: KASAN: use-after-free in do_raw_spin_lock+0x298/0x2f0 kernel/locking/spinlock_debug.c:136 at addr ffff8801362e3630 Read of size 4 by task swapper/0/0 CPU: 0 PID: 0 Comm: swapper/0 Tainted: G B 4.8.0-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 0000000000000000 ffff88013bc07b70 ffffffff82e4dd32 ffff88013b802a80 ffff8801362e2100 ffff8801362e4100 0000000000000101 dffffc0000000000 ffff88013bc07b98 ffffffff8171d43c ffff88013bc07c28 ffff88013b802a80 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0x136/0x1d4 lib/dump_stack.c:51 [] kasan_object_err+0x1c/0x70 mm/kasan/report.c:156 [] print_address_description mm/kasan/report.c:194 [inline] [] kasan_report_error+0x1e2/0x4c0 mm/kasan/report.c:283 [] kasan_report mm/kasan/report.c:303 [inline] [] __asan_report_load4_noabort+0x3e/0x40 mm/kasan/report.c:323 [] __read_once_size include/linux/compiler.h:220 [inline] [] atomic_read arch/x86/include/asm/atomic.h:26 [inline] [] queued_spin_trylock include/asm-generic/qspinlock.h:84 [inline] [] do_raw_spin_lock+0x298/0x2f0 kernel/locking/spinlock_debug.c:136 [] __raw_spin_lock include/linux/spinlock_api_smp.h:145 [inline] [] _raw_spin_lock+0x3e/0x50 kernel/locking/spinlock.c:151 [] spin_lock include/linux/spinlock.h:302 [inline] [] br_multicast_group_expired+0x47/0x360 net/bridge/br_multicast.c:243 [] call_timer_fn+0x14f/0x630 kernel/time/timer.c:1298 [] expire_timers+0x28f/0x460 kernel/time/timer.c:1338 [] __run_timers kernel/time/timer.c:1627 [inline] [] run_timer_softirq+0x1a6/0x520 kernel/time/timer.c:1640 [] __do_softirq+0x2cb/0xa1c kernel/softirq.c:273 [] invoke_softirq kernel/softirq.c:350 [inline] [] irq_exit+0x14f/0x190 kernel/softirq.c:391 [] exiting_irq arch/x86/include/asm/apic.h:659 [inline] [] smp_apic_timer_interrupt+0x7b/0xa0 arch/x86/kernel/apic/apic.c:958 [] apic_timer_interrupt+0x8c/0xa0 arch/x86/entry/entry_64.S:633 [] ? native_safe_halt+0x6/0x10 arch/x86/include/asm/irqflags.h:49 [] arch_safe_halt arch/x86/include/asm/paravirt.h:107 [inline] [] default_idle+0x4f/0x390 arch/x86/kernel/process.c:307 [] arch_cpu_idle+0xa/0x10 arch/x86/kernel/process.c:298 [] default_idle_call+0x48/0xa0 kernel/sched/idle.c:93 [] cpuidle_idle_call kernel/sched/idle.c:151 [inline] [] cpu_idle_loop kernel/sched/idle.c:244 [inline] [] cpu_startup_entry+0x5ec/0x7e0 kernel/sched/idle.c:293 [] rest_init+0x152/0x160 init/main.c:408 [] start_kernel+0x4fd/0x523 init/main.c:662 [] x86_64_start_reservations+0x2a/0x2c arch/x86/kernel/head64.c:195 [] x86_64_start_kernel+0x17c/0x18b arch/x86/kernel/head64.c:176 Object at ffff8801362e2100, in cache kmalloc-8192 size: 8192 Allocated: PID = 7529 [] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:67 [] save_stack mm/kasan/kasan.c:479 [inline] [] set_track mm/kasan/kasan.c:491 [inline] [] kasan_kmalloc+0xee/0x180 mm/kasan/kasan.c:582 [] __kmalloc+0x15f/0x3c0 mm/slub.c:3719 [] kmalloc include/linux/slab.h:495 [inline] [] kzalloc include/linux/slab.h:636 [inline] [] alloc_netdev_mqs+0x940/0xda0 net/core/dev.c:7610 [] rtnl_create_link+0x132/0x830 net/core/rtnetlink.c:2302 [] rtnl_newlink+0xc55/0x1220 net/core/rtnetlink.c:2547 [] rtnetlink_rcv_msg+0x222/0x670 net/core/rtnetlink.c:3846 [] netlink_rcv_skb+0x242/0x350 net/netlink/af_netlink.c:2280 [] rtnetlink_rcv+0x25/0x30 net/core/rtnetlink.c:3852 [] netlink_unicast_kernel net/netlink/af_netlink.c:1214 [inline] [] netlink_unicast+0x3df/0x570 net/netlink/af_netlink.c:1240 [] netlink_sendmsg+0x9bb/0xb40 net/netlink/af_netlink.c:1786 [] sock_sendmsg_nosec net/socket.c:609 [inline] [] sock_sendmsg+0xb5/0xf0 net/socket.c:619 [] SYSC_sendto net/socket.c:1644 [inline] [] SyS_sendto+0x1ca/0x2c0 net/socket.c:1612 [] entry_SYSCALL_64_fastpath+0x23/0xc1 Freed: PID = 2978 [] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:67 [] save_stack mm/kasan/kasan.c:479 [inline] [] set_track mm/kasan/kasan.c:491 [inline] [] kasan_slab_free+0xae/0x180 mm/kasan/kasan.c:555 [] slab_free_hook mm/slub.c:1356 [inline] [] slab_free_freelist_hook mm/slub.c:1378 [inline] [] slab_free mm/slub.c:2936 [inline] [] kfree+0x11b/0x3a0 mm/slub.c:3856 [] kvfree+0x25/0x30 mm/util.c:329 [] netdev_freemem+0x47/0x60 net/core/dev.c:7562 [] netdev_release+0x6c/0x90 net/core/net-sysfs.c:1469 [] device_release+0x71/0x1e0 drivers/base/core.c:247 [] kobject_cleanup lib/kobject.c:645 [inline] [] kobject_release lib/kobject.c:674 [inline] [] kref_sub include/linux/kref.h:73 [inline] [] kref_put include/linux/kref.h:98 [inline] [] kobject_put+0x146/0x400 lib/kobject.c:691 [] netdev_run_todo+0x483/0x650 net/core/dev.c:7467 [] rtnl_unlock+0x9/0x10 net/core/rtnetlink.c:104 [] default_device_exit_batch+0x2fe/0x3d0 net/core/dev.c:8244 [] ops_exit_list.isra.0+0xd6/0x120 net/core/net_namespace.c:137 [] cleanup_net+0x2d0/0x540 net/core/net_namespace.c:431 [] process_one_work+0x67d/0x14f0 kernel/workqueue.c:2096 [] worker_thread+0xda/0xf10 kernel/workqueue.c:2230 [] kthread+0x209/0x2d0 kernel/kthread.c:209 NOHZ: local_softirq_pending 08 [] ret_from_fork+0x1f/0x40 arch/x86/entry/entry_64.S:393 Memory state around the buggy address: ffff8801362e3500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8801362e3580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff8801362e3600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff8801362e3680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8801362e3700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ================================================================== ================================================================== BUG: KASAN: use-after-free in debug_spin_lock_after kernel/locking/spinlock_debug.c:91 [inline] at addr ffff8801362e3638 BUG: KASAN: use-after-free in do_raw_spin_lock+0x2b2/0x2f0 kernel/locking/spinlock_debug.c:138 at addr ffff8801362e3638 Write of size 4 by task swapper/0/0 CPU: 0 PID: 0 Comm: swapper/0 Tainted: G B 4.8.0-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 0000000000000000 ffff88013bc07b70 ffffffff82e4dd32 ffff88013b802a80 ffff8801362e2100 ffff8801362e4100 0000000000000000 dffffc0000000000 ffff88013bc07b98 ffffffff8171d43c ffff88013bc07c28 ffff88013b802a80 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0x136/0x1d4 lib/dump_stack.c:51 [] kasan_object_err+0x1c/0x70 mm/kasan/report.c:156 [] print_address_description mm/kasan/report.c:194 [inline] [] kasan_report_error+0x1e2/0x4c0 mm/kasan/report.c:283 [] kasan_report mm/kasan/report.c:303 [inline] [] __asan_report_store4_noabort+0x3e/0x40 mm/kasan/report.c:328 [] debug_spin_lock_after kernel/locking/spinlock_debug.c:91 [inline] [] do_raw_spin_lock+0x2b2/0x2f0 kernel/locking/spinlock_debug.c:138 [] __raw_spin_lock include/linux/spinlock_api_smp.h:145 [inline] [] _raw_spin_lock+0x3e/0x50 kernel/locking/spinlock.c:151 [] spin_lock include/linux/spinlock.h:302 [inline] [] br_multicast_group_expired+0x47/0x360 net/bridge/br_multicast.c:243 [] call_timer_fn+0x14f/0x630 kernel/time/timer.c:1298 [] expire_timers+0x28f/0x460 kernel/time/timer.c:1338 [] __run_timers kernel/time/timer.c:1627 [inline] [] run_timer_softirq+0x1a6/0x520 kernel/time/timer.c:1640 [] __do_softirq+0x2cb/0xa1c kernel/softirq.c:273 [] invoke_softirq kernel/softirq.c:350 [inline] [] irq_exit+0x14f/0x190 kernel/softirq.c:391 [] exiting_irq arch/x86/include/asm/apic.h:659 [inline] [] smp_apic_timer_interrupt+0x7b/0xa0 arch/x86/kernel/apic/apic.c:958 [] apic_timer_interrupt+0x8c/0xa0 arch/x86/entry/entry_64.S:633 [] ? native_safe_halt+0x6/0x10 arch/x86/include/asm/irqflags.h:49 [] arch_safe_halt arch/x86/include/asm/paravirt.h:107 [inline] [] default_idle+0x4f/0x390 arch/x86/kernel/process.c:307 [] arch_cpu_idle+0xa/0x10 arch/x86/kernel/process.c:298 [] default_idle_call+0x48/0xa0 kernel/sched/idle.c:93 [] cpuidle_idle_call kernel/sched/idle.c:151 [inline] [] cpu_idle_loop kernel/sched/idle.c:244 [inline] [] cpu_startup_entry+0x5ec/0x7e0 kernel/sched/idle.c:293 [] rest_init+0x152/0x160 init/main.c:408 [] start_kernel+0x4fd/0x523 init/main.c:662 [] x86_64_start_reservations+0x2a/0x2c arch/x86/kernel/head64.c:195 [] x86_64_start_kernel+0x17c/0x18b arch/x86/kernel/head64.c:176 Object at ffff8801362e2100, in cache kmalloc-8192 size: 8192 Allocated: PID = 7529 [] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:67 [] save_stack mm/kasan/kasan.c:479 [inline] [] set_track mm/kasan/kasan.c:491 [inline] [] kasan_kmalloc+0xee/0x180 mm/kasan/kasan.c:582 [] __kmalloc+0x15f/0x3c0 mm/slub.c:3719 [] kmalloc include/linux/slab.h:495 [inline] [] kzalloc include/linux/slab.h:636 [inline] [] alloc_netdev_mqs+0x940/0xda0 net/core/dev.c:7610 [] rtnl_create_link+0x132/0x830 net/core/rtnetlink.c:2302 [] rtnl_newlink+0xc55/0x1220 net/core/rtnetlink.c:2547 [] rtnetlink_rcv_msg+0x222/0x670 net/core/rtnetlink.c:3846 [] netlink_rcv_skb+0x242/0x350 net/netlink/af_netlink.c:2280 [] rtnetlink_rcv+0x25/0x30 net/core/rtnetlink.c:3852 [] netlink_unicast_kernel net/netlink/af_netlink.c:1214 [inline] [] netlink_unicast+0x3df/0x570 net/netlink/af_netlink.c:1240 [] netlink_sendmsg+0x9bb/0xb40 net/netlink/af_netlink.c:1786 [] sock_sendmsg_nosec net/socket.c:609 [inline] [] sock_sendmsg+0xb5/0xf0 net/socket.c:619 [] SYSC_sendto net/socket.c:1644 [inline] [] SyS_sendto+0x1ca/0x2c0 net/socket.c:1612 [] entry_SYSCALL_64_fastpath+0x23/0xc1 Freed: PID = 2978 [] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:67 [] save_stack mm/kasan/kasan.c:479 [inline] [] set_track mm/kasan/kasan.c:491 [inline] [] kasan_slab_free+0xae/0x180 mm/kasan/kasan.c:555 [] slab_free_hook mm/slub.c:1356 [inline] [] slab_free_freelist_hook mm/slub.c:1378 [inline] [] slab_free mm/slub.c:2936 [inline] [] kfree+0x11b/0x3a0 mm/slub.c:3856 [] kvfree+0x25/0x30 mm/util.c:329 [] netdev_freemem+0x47/0x60 net/core/dev.c:7562 [] netdev_release+0x6c/0x90 net/core/net-sysfs.c:1469 [] device_release+0x71/0x1e0 drivers/base/core.c:247 [] kobject_cleanup lib/kobject.c:645 [inline] [] kobject_release lib/kobject.c:674 [inline] [] kref_sub include/linux/kref.h:73 [inline] [] kref_put include/linux/kref.h:98 [inline] [] kobject_put+0x146/0x400 lib/kobject.c:691 [] netdev_run_todo+0x483/0x650 net/core/dev.c:7467 [] rtnl_unlock+0x9/0x10 net/core/rtnetlink.c:104 [] default_device_exit_batch+0x2fe/0x3d0 net/core/dev.c:8244 [] ops_exit_list.isra.0+0xd6/0x120 net/core/net_namespace.c:137 [] cleanup_net+0x2d0/0x540 net/core/net_namespace.c:431 [] process_one_work+0x67d/0x14f0 kernel/workqueue.c:2096 [] worker_thread+0xda/0xf10 kernel/workqueue.c:2230 [] kthread+0x209/0x2d0 kernel/kthread.c:209 [] ret_from_fork+0x1f/0x40 arch/x86/entry/entry_64.S:393 Memory state around the buggy address: ffff8801362e3500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8801362e3580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff8801362e3600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff8801362e3680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8801362e3700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ================================================================== ================================================================== BUG: KASAN: use-after-free in debug_spin_lock_after kernel/locking/spinlock_debug.c:92 [inline] at addr ffff8801362e3640 BUG: KASAN: use-after-free in do_raw_spin_lock+0x2e5/0x2f0 kernel/locking/spinlock_debug.c:138 at addr ffff8801362e3640 Write of size 8 by task swapper/0/0 CPU: 0 PID: 0 Comm: swapper/0 Tainted: G B 4.8.0-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 0000000000000000 ffff88013bc07b70 ffffffff82e4dd32 ffff88013b802a80 ffff8801362e2100 ffff8801362e4100 0000000000000000 dffffc0000000000 ffff88013bc07b98 ffffffff8171d43c ffff88013bc07c28 ffff88013b802a80 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0x136/0x1d4 lib/dump_stack.c:51 [] kasan_object_err+0x1c/0x70 mm/kasan/report.c:156 [] print_address_description mm/kasan/report.c:194 [inline] [] kasan_report_error+0x1e2/0x4c0 mm/kasan/report.c:283 [] kasan_report mm/kasan/report.c:303 [inline] [] __asan_report_store8_noabort+0x3e/0x40 mm/kasan/report.c:329 [] debug_spin_lock_after kernel/locking/spinlock_debug.c:92 [inline] [] do_raw_spin_lock+0x2e5/0x2f0 kernel/locking/spinlock_debug.c:138 [] __raw_spin_lock include/linux/spinlock_api_smp.h:145 [inline] [] _raw_spin_lock+0x3e/0x50 kernel/locking/spinlock.c:151 [] spin_lock include/linux/spinlock.h:302 [inline] [] br_multicast_group_expired+0x47/0x360 net/bridge/br_multicast.c:243 [] call_timer_fn+0x14f/0x630 kernel/time/timer.c:1298 [] expire_timers+0x28f/0x460 kernel/time/timer.c:1338 [] __run_timers kernel/time/timer.c:1627 [inline] [] run_timer_softirq+0x1a6/0x520 kernel/time/timer.c:1640 [] __do_softirq+0x2cb/0xa1c kernel/softirq.c:273 [] invoke_softirq kernel/softirq.c:350 [inline] [] irq_exit+0x14f/0x190 kernel/softirq.c:391 [] exiting_irq arch/x86/include/asm/apic.h:659 [inline] [] smp_apic_timer_interrupt+0x7b/0xa0 arch/x86/kernel/apic/apic.c:958 [] apic_timer_interrupt+0x8c/0xa0 arch/x86/entry/entry_64.S:633 [] ? native_safe_halt+0x6/0x10 arch/x86/include/asm/irqflags.h:49 [] arch_safe_halt arch/x86/include/asm/paravirt.h:107 [inline] [] default_idle+0x4f/0x390 arch/x86/kernel/process.c:307 [] arch_cpu_idle+0xa/0x10 arch/x86/kernel/process.c:298 [] default_idle_call+0x48/0xa0 kernel/sched/idle.c:93 [] cpuidle_idle_call kernel/sched/idle.c:151 [inline] [] cpu_idle_loop kernel/sched/idle.c:244 [inline] [] cpu_startup_entry+0x5ec/0x7e0 kernel/sched/idle.c:293 [] rest_init+0x152/0x160 init/main.c:408 [] start_kernel+0x4fd/0x523 init/main.c:662 [] x86_64_start_reservations+0x2a/0x2c arch/x86/kernel/head64.c:195 [] x86_64_start_kernel+0x17c/0x18b arch/x86/kernel/head64.c:176 Object at ffff8801362e2100, in cache kmalloc-8192 size: 8192 Allocated: PID = 7529 [] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:67 [] save_stack mm/kasan/kasan.c:479 [inline] [] set_track mm/kasan/kasan.c:491 [inline] [] kasan_kmalloc+0xee/0x180 mm/kasan/kasan.c:582 [] __kmalloc+0x15f/0x3c0 mm/slub.c:3719 [] kmalloc include/linux/slab.h:495 [inline] [] kzalloc include/linux/slab.h:636 [inline] [] alloc_netdev_mqs+0x940/0xda0 net/core/dev.c:7610 [] rtnl_create_link+0x132/0x830 net/core/rtnetlink.c:2302 [] rtnl_newlink+0xc55/0x1220 net/core/rtnetlink.c:2547 [] rtnetlink_rcv_msg+0x222/0x670 net/core/rtnetlink.c:3846 [] netlink_rcv_skb+0x242/0x350 net/netlink/af_netlink.c:2280 [] rtnetlink_rcv+0x25/0x30 net/core/rtnetlink.c:3852 [] netlink_unicast_kernel net/netlink/af_netlink.c:1214 [inline] [] netlink_unicast+0x3df/0x570 net/netlink/af_netlink.c:1240 [] netlink_sendmsg+0x9bb/0xb40 net/netlink/af_netlink.c:1786 [] sock_sendmsg_nosec net/socket.c:609 [inline] [] sock_sendmsg+0xb5/0xf0 net/socket.c:619 [] SYSC_sendto net/socket.c:1644 [inline] [] SyS_sendto+0x1ca/0x2c0 net/socket.c:1612 [] entry_SYSCALL_64_fastpath+0x23/0xc1 Freed: PID = 2978 [] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:67 [] save_stack mm/kasan/kasan.c:479 [inline] [] set_track mm/kasan/kasan.c:491 [inline] [] kasan_slab_free+0xae/0x180 mm/kasan/kasan.c:555 [] slab_free_hook mm/slub.c:1356 [inline] [] slab_free_freelist_hook mm/slub.c:1378 [inline] [] slab_free mm/slub.c:2936 [inline] [] kfree+0x11b/0x3a0 mm/slub.c:3856 [] kvfree+0x25/0x30 mm/util.c:329 [] netdev_freemem+0x47/0x60 net/core/dev.c:7562 [] netdev_release+0x6c/0x90 net/core/net-sysfs.c:1469 [] device_release+0x71/0x1e0 drivers/base/core.c:247 [] kobject_cleanup lib/kobject.c:645 [inline] [] kobject_release lib/kobject.c:674 [inline] [] kref_sub include/linux/kref.h:73 [inline] [] kref_put include/linux/kref.h:98 [inline] [] kobject_put+0x146/0x400 lib/kobject.c:691 [] netdev_run_todo+0x483/0x650 net/core/dev.c:7467 [] rtnl_unlock+0x9/0x10 net/core/rtnetlink.c:104 [] default_device_exit_batch+0x2fe/0x3d0 net/core/dev.c:8244 [] ops_exit_list.isra.0+0xd6/0x120 net/core/net_namespace.c:137 [] cleanup_net+0x2d0/0x540 net/core/net_namespace.c:431 [] process_one_work+0x67d/0x14f0 kernel/workqueue.c:2096 [] worker_thread+0xda/0xf10 kernel/workqueue.c:2230 [] kthread+0x209/0x2d0 kernel/kthread.c:209 [] ret_from_fork+0x1f/0x40 arch/x86/entry/entry_64.S:393 Memory state around the buggy address: ffff8801362e3500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8801362e3580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff8801362e3600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff8801362e3680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8801362e3700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ================================================================== ================================================================== BUG: KASAN: use-after-free in br_multicast_group_expired+0x346/0x360 net/bridge/br_multicast.c:244 at addr ffff8801362e2b88 Read of size 8 by task swapper/0/0 CPU: 0 PID: 0 Comm: swapper/0 Tainted: G B 4.8.0-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 0000000000000000 ffff88013bc07bd0 ffffffff82e4dd32 ffff88013b802a80 ffff8801362e2100 ffff8801362e4100 0000000000000101 dffffc0000000000 ffff88013bc07bf8 ffffffff8171d43c ffff88013bc07c88 ffff88013b802a80 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0x136/0x1d4 lib/dump_stack.c:51 [] kasan_object_err+0x1c/0x70 mm/kasan/report.c:156 [] print_address_description mm/kasan/report.c:194 [inline] [] kasan_report_error+0x1e2/0x4c0 mm/kasan/report.c:283 [] kasan_report mm/kasan/report.c:303 [inline] [] __asan_report_load8_noabort+0x3e/0x40 mm/kasan/report.c:324 [] br_multicast_group_expired+0x346/0x360 net/bridge/br_multicast.c:244 [] call_timer_fn+0x14f/0x630 kernel/time/timer.c:1298 [] expire_timers+0x28f/0x460 kernel/time/timer.c:1338 [] __run_timers kernel/time/timer.c:1627 [inline] [] run_timer_softirq+0x1a6/0x520 kernel/time/timer.c:1640 [] __do_softirq+0x2cb/0xa1c kernel/softirq.c:273 [] invoke_softirq kernel/softirq.c:350 [inline] [] irq_exit+0x14f/0x190 kernel/softirq.c:391 [] exiting_irq arch/x86/include/asm/apic.h:659 [inline] [] smp_apic_timer_interrupt+0x7b/0xa0 arch/x86/kernel/apic/apic.c:958 [] apic_timer_interrupt+0x8c/0xa0 arch/x86/entry/entry_64.S:633 [] ? native_safe_halt+0x6/0x10 arch/x86/include/asm/irqflags.h:49 [] arch_safe_halt arch/x86/include/asm/paravirt.h:107 [inline] [] default_idle+0x4f/0x390 arch/x86/kernel/process.c:307 [] arch_cpu_idle+0xa/0x10 arch/x86/kernel/process.c:298 [] default_idle_call+0x48/0xa0 kernel/sched/idle.c:93 [] cpuidle_idle_call kernel/sched/idle.c:151 [inline] [] cpu_idle_loop kernel/sched/idle.c:244 [inline] [] cpu_startup_entry+0x5ec/0x7e0 kernel/sched/idle.c:293 [] rest_init+0x152/0x160 init/main.c:408 [] start_kernel+0x4fd/0x523 init/main.c:662 [] x86_64_start_reservations+0x2a/0x2c arch/x86/kernel/head64.c:195 [] x86_64_start_kernel+0x17c/0x18b arch/x86/kernel/head64.c:176 Object at ffff8801362e2100, in cache kmalloc-8192 size: 8192 Allocated: PID = 7529 [] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:67 [] save_stack mm/kasan/kasan.c:479 [inline] [] set_track mm/kasan/kasan.c:491 [inline] [] kasan_kmalloc+0xee/0x180 mm/kasan/kasan.c:582 [] __kmalloc+0x15f/0x3c0 mm/slub.c:3719 [] kmalloc include/linux/slab.h:495 [inline] [] kzalloc include/linux/slab.h:636 [inline] [] alloc_netdev_mqs+0x940/0xda0 net/core/dev.c:7610 [] rtnl_create_link+0x132/0x830 net/core/rtnetlink.c:2302 [] rtnl_newlink+0xc55/0x1220 net/core/rtnetlink.c:2547 [] rtnetlink_rcv_msg+0x222/0x670 net/core/rtnetlink.c:3846 [] netlink_rcv_skb+0x242/0x350 net/netlink/af_netlink.c:2280 [] rtnetlink_rcv+0x25/0x30 net/core/rtnetlink.c:3852 [] netlink_unicast_kernel net/netlink/af_netlink.c:1214 [inline] [] netlink_unicast+0x3df/0x570 net/netlink/af_netlink.c:1240 [] netlink_sendmsg+0x9bb/0xb40 net/netlink/af_netlink.c:1786 [] sock_sendmsg_nosec net/socket.c:609 [inline] [] sock_sendmsg+0xb5/0xf0 net/socket.c:619 [] SYSC_sendto net/socket.c:1644 [inline] [] SyS_sendto+0x1ca/0x2c0 net/socket.c:1612 [] entry_SYSCALL_64_fastpath+0x23/0xc1 Freed: PID = 2978 [] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:67 [] save_stack mm/kasan/kasan.c:479 [inline] [] set_track mm/kasan/kasan.c:491 [inline] [] kasan_slab_free+0xae/0x180 mm/kasan/kasan.c:555 [] slab_free_hook mm/slub.c:1356 [inline] [] slab_free_freelist_hook mm/slub.c:1378 [inline] [] slab_free mm/slub.c:2936 [inline] [] kfree+0x11b/0x3a0 mm/slub.c:3856 [] kvfree+0x25/0x30 mm/util.c:329 [] netdev_freemem+0x47/0x60 net/core/dev.c:7562 [] netdev_release+0x6c/0x90 net/core/net-sysfs.c:1469 [] device_release+0x71/0x1e0 drivers/base/core.c:247 [] kobject_cleanup lib/kobject.c:645 [inline] [] kobject_release lib/kobject.c:674 [inline] [] kref_sub include/linux/kref.h:73 [inline] [] kref_put include/linux/kref.h:98 [inline] [] kobject_put+0x146/0x400 lib/kobject.c:691 [] netdev_run_todo+0x483/0x650 net/core/dev.c:7467 [] rtnl_unlock+0x9/0x10 net/core/rtnetlink.c:104 [] default_device_exit_batch+0x2fe/0x3d0 net/core/dev.c:8244 [] ops_exit_list.isra.0+0xd6/0x120 net/core/net_namespace.c:137 [] cleanup_net+0x2d0/0x540 net/core/net_namespace.c:431 [] process_one_work+0x67d/0x14f0 kernel/workqueue.c:2096 [] worker_thread+0xda/0xf10 kernel/workqueue.c:2230 [] kthread+0x209/0x2d0 kernel/kthread.c:209 [] ret_from_fork+0x1f/0x40 arch/x86/entry/entry_64.S:393 Memory state around the buggy address: ffff8801362e2a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8801362e2b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff8801362e2b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff8801362e2c00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8801362e2c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ================================================================== ================================================================== BUG: KASAN: use-after-free in constant_test_bit arch/x86/include/asm/bitops.h:311 [inline] at addr ffff8801362e2148 BUG: KASAN: use-after-free in netif_running include/linux/netdevice.h:3084 [inline] at addr ffff8801362e2148 BUG: KASAN: use-after-free in br_multicast_group_expired+0x33c/0x360 net/bridge/br_multicast.c:244 at addr ffff8801362e2148 Read of size 8 by task swapper/0/0 CPU: 0 PID: 0 Comm: swapper/0 Tainted: G B 4.8.0-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 0000000000000000 ffff88013bc07bd0 ffffffff82e4dd32 ffff88013b802a80 ffff8801362e2100 ffff8801362e4100 ffff8801362e2100 dffffc0000000000 ffff88013bc07bf8 ffffffff8171d43c ffff88013bc07c88 ffff88013b802a80 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0x136/0x1d4 lib/dump_stack.c:51 [] kasan_object_err+0x1c/0x70 mm/kasan/report.c:156 [] print_address_description mm/kasan/report.c:194 [inline] [] kasan_report_error+0x1e2/0x4c0 mm/kasan/report.c:283 [] kasan_report mm/kasan/report.c:303 [inline] [] __asan_report_load8_noabort+0x3e/0x40 mm/kasan/report.c:324 [] constant_test_bit arch/x86/include/asm/bitops.h:311 [inline] [] netif_running include/linux/netdevice.h:3084 [inline] [] br_multicast_group_expired+0x33c/0x360 net/bridge/br_multicast.c:244 [] call_timer_fn+0x14f/0x630 kernel/time/timer.c:1298 [] expire_timers+0x28f/0x460 kernel/time/timer.c:1338 [] __run_timers kernel/time/timer.c:1627 [inline] [] run_timer_softirq+0x1a6/0x520 kernel/time/timer.c:1640 [] __do_softirq+0x2cb/0xa1c kernel/softirq.c:273 [] invoke_softirq kernel/softirq.c:350 [inline] [] irq_exit+0x14f/0x190 kernel/softirq.c:391 [] exiting_irq arch/x86/include/asm/apic.h:659 [inline] [] smp_apic_timer_interrupt+0x7b/0xa0 arch/x86/kernel/apic/apic.c:958 [] apic_timer_interrupt+0x8c/0xa0 arch/x86/entry/entry_64.S:633 [] ? native_safe_halt+0x6/0x10 arch/x86/include/asm/irqflags.h:49 [] arch_safe_halt arch/x86/include/asm/paravirt.h:107 [inline] [] default_idle+0x4f/0x390 arch/x86/kernel/process.c:307 [] arch_cpu_idle+0xa/0x10 arch/x86/kernel/process.c:298 [] default_idle_call+0x48/0xa0 kernel/sched/idle.c:93 [] cpuidle_idle_call kernel/sched/idle.c:151 [inline] [] cpu_idle_loop kernel/sched/idle.c:244 [inline] [] cpu_startup_entry+0x5ec/0x7e0 kernel/sched/idle.c:293 [] rest_init+0x152/0x160 init/main.c:408 [] start_kernel+0x4fd/0x523 init/main.c:662 [] x86_64_start_reservations+0x2a/0x2c arch/x86/kernel/head64.c:195 [] x86_64_start_kernel+0x17c/0x18b arch/x86/kernel/head64.c:176 Object at ffff8801362e2100, in cache kmalloc-8192 size: 8192 Allocated: PID = 7529 [] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:67 [] save_stack mm/kasan/kasan.c:479 [inline] [] set_track mm/kasan/kasan.c:491 [inline] [] kasan_kmalloc+0xee/0x180 mm/kasan/kasan.c:582 [] __kmalloc+0x15f/0x3c0 mm/slub.c:3719 [] kmalloc include/linux/slab.h:495 [inline] [] kzalloc include/linux/slab.h:636 [inline] [] alloc_netdev_mqs+0x940/0xda0 net/core/dev.c:7610 [] rtnl_create_link+0x132/0x830 net/core/rtnetlink.c:2302 [] rtnl_newlink+0xc55/0x1220 net/core/rtnetlink.c:2547 [] rtnetlink_rcv_msg+0x222/0x670 net/core/rtnetlink.c:3846 [] netlink_rcv_skb+0x242/0x350 net/netlink/af_netlink.c:2280 [] rtnetlink_rcv+0x25/0x30 net/core/rtnetlink.c:3852 [] netlink_unicast_kernel net/netlink/af_netlink.c:1214 [inline] [] netlink_unicast+0x3df/0x570 net/netlink/af_netlink.c:1240 [] netlink_sendmsg+0x9bb/0xb40 net/netlink/af_netlink.c:1786 [] sock_sendmsg_nosec net/socket.c:609 [inline] [] sock_sendmsg+0xb5/0xf0 net/socket.c:619 [] SYSC_sendto net/socket.c:1644 [inline] [] SyS_sendto+0x1ca/0x2c0 net/socket.c:1612 [] entry_SYSCALL_64_fastpath+0x23/0xc1 Freed: PID = 2978 [] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:67 [] save_stack mm/kasan/kasan.c:479 [inline] [] set_track mm/kasan/kasan.c:491 [inline] [] kasan_slab_free+0xae/0x180 mm/kasan/kasan.c:555 [] slab_free_hook mm/slub.c:1356 [inline] [] slab_free_freelist_hook mm/slub.c:1378 [inline] [] slab_free mm/slub.c:2936 [inline] [] kfree+0x11b/0x3a0 mm/slub.c:3856 [] kvfree+0x25/0x30 mm/util.c:329 [] netdev_freemem+0x47/0x60 net/core/dev.c:7562 [] netdev_release+0x6c/0x90 net/core/net-sysfs.c:1469 [] device_release+0x71/0x1e0 drivers/base/core.c:247 [] kobject_cleanup lib/kobject.c:645 [inline] [] kobject_release lib/kobject.c:674 [inline] [] kref_sub include/linux/kref.h:73 [inline] [] kref_put include/linux/kref.h:98 [inline] [] kobject_put+0x146/0x400 lib/kobject.c:691 [] netdev_run_todo+0x483/0x650 net/core/dev.c:7467 [] rtnl_unlock+0x9/0x10 net/core/rtnetlink.c:104 [] default_device_exit_batch+0x2fe/0x3d0 net/core/dev.c:8244 [] ops_exit_list.isra.0+0xd6/0x120 net/core/net_namespace.c:137 [] cleanup_net+0x2d0/0x540 net/core/net_namespace.c:431 [] process_one_work+0x67d/0x14f0 kernel/workqueue.c:2096 [] worker_thread+0xda/0xf10 kernel/workqueue.c:2230 [] kthread+0x209/0x2d0 kernel/kthread.c:209 [] ret_from_fork+0x1f/0x40 arch/x86/entry/entry_64.S:393 Memory state around the buggy address: ffff8801362e2000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff8801362e2080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff8801362e2100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff8801362e2180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8801362e2200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ================================================================== ================================================================== BUG: KASAN: use-after-free in debug_spin_unlock kernel/locking/spinlock_debug.c:97 [inline] at addr ffff8801362e3634 BUG: KASAN: use-after-free in do_raw_spin_unlock+0x20f/0x250 kernel/locking/spinlock_debug.c:158 at addr ffff8801362e3634 Read of size 4 by task swapper/0/0 CPU: 0 PID: 0 Comm: swapper/0 Tainted: G B 4.8.0-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 0000000000000000 ffff88013bc07b90 ffffffff82e4dd32 ffff88013b802a80 ffff8801362e2100 ffff8801362e4100 ffff8801362e2100 dffffc0000000000 ffff88013bc07bb8 ffffffff8171d43c ffff88013bc07c48 ffff88013b802a80 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0x136/0x1d4 lib/dump_stack.c:51 [] kasan_object_err+0x1c/0x70 mm/kasan/report.c:156 [] print_address_description mm/kasan/report.c:194 [inline] [] kasan_report_error+0x1e2/0x4c0 mm/kasan/report.c:283 [] kasan_report mm/kasan/report.c:303 [inline] [] __asan_report_load4_noabort+0x3e/0x40 mm/kasan/report.c:323 [] debug_spin_unlock kernel/locking/spinlock_debug.c:97 [inline] [] do_raw_spin_unlock+0x20f/0x250 kernel/locking/spinlock_debug.c:158 [] __raw_spin_unlock include/linux/spinlock_api_smp.h:153 [inline] [] _raw_spin_unlock+0x22/0x50 kernel/locking/spinlock.c:183 [] spin_unlock include/linux/spinlock.h:347 [inline] [] br_multicast_group_expired+0xc1/0x360 net/bridge/br_multicast.c:260 [] call_timer_fn+0x14f/0x630 kernel/time/timer.c:1298 [] expire_timers+0x28f/0x460 kernel/time/timer.c:1338 [] __run_timers kernel/time/timer.c:1627 [inline] [] run_timer_softirq+0x1a6/0x520 kernel/time/timer.c:1640 [] __do_softirq+0x2cb/0xa1c kernel/softirq.c:273 [] invoke_softirq kernel/softirq.c:350 [inline] [] irq_exit+0x14f/0x190 kernel/softirq.c:391 [] exiting_irq arch/x86/include/asm/apic.h:659 [inline] [] smp_apic_timer_interrupt+0x7b/0xa0 arch/x86/kernel/apic/apic.c:958 [] apic_timer_interrupt+0x8c/0xa0 arch/x86/entry/entry_64.S:633 [] ? native_safe_halt+0x6/0x10 arch/x86/include/asm/irqflags.h:49 [] arch_safe_halt arch/x86/include/asm/paravirt.h:107 [inline] [] default_idle+0x4f/0x390 arch/x86/kernel/process.c:307 [] arch_cpu_idle+0xa/0x10 arch/x86/kernel/process.c:298 [] default_idle_call+0x48/0xa0 kernel/sched/idle.c:93 [] cpuidle_idle_call kernel/sched/idle.c:151 [inline] [] cpu_idle_loop kernel/sched/idle.c:244 [inline] [] cpu_startup_entry+0x5ec/0x7e0 kernel/sched/idle.c:293 [] rest_init+0x152/0x160 init/main.c:408 [] start_kernel+0x4fd/0x523 init/main.c:662 [] x86_64_start_reservations+0x2a/0x2c arch/x86/kernel/head64.c:195 [] x86_64_start_kernel+0x17c/0x18b arch/x86/kernel/head64.c:176 Object at ffff8801362e2100, in cache kmalloc-8192 size: 8192 Allocated: PID = 7529 [] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:67 [] save_stack mm/kasan/kasan.c:479 [inline] [] set_track mm/kasan/kasan.c:491 [inline] [] kasan_kmalloc+0xee/0x180 mm/kasan/kasan.c:582 [] __kmalloc+0x15f/0x3c0 mm/slub.c:3719 [] kmalloc include/linux/slab.h:495 [inline] [] kzalloc include/linux/slab.h:636 [inline] [] alloc_netdev_mqs+0x940/0xda0 net/core/dev.c:7610 [] rtnl_create_link+0x132/0x830 net/core/rtnetlink.c:2302 [] rtnl_newlink+0xc55/0x1220 net/core/rtnetlink.c:2547 [] rtnetlink_rcv_msg+0x222/0x670 net/core/rtnetlink.c:3846 [] netlink_rcv_skb+0x242/0x350 net/netlink/af_netlink.c:2280 [] rtnetlink_rcv+0x25/0x30 net/core/rtnetlink.c:3852 [] netlink_unicast_kernel net/netlink/af_netlink.c:1214 [inline] [] netlink_unicast+0x3df/0x570 net/netlink/af_netlink.c:1240 [] netlink_sendmsg+0x9bb/0xb40 net/netlink/af_netlink.c:1786 [] sock_sendmsg_nosec net/socket.c:609 [inline] [] sock_sendmsg+0xb5/0xf0 net/socket.c:619 [] SYSC_sendto net/socket.c:1644 [inline] [] SyS_sendto+0x1ca/0x2c0 net/socket.c:1612 [] entry_SYSCALL_64_fastpath+0x23/0xc1 Freed: PID = 2978 [] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:67 [] save_stack mm/kasan/kasan.c:479 [inline] [] set_track mm/kasan/kasan.c:491 [inline] [] kasan_slab_free+0xae/0x180 mm/kasan/kasan.c:555 [] slab_free_hook mm/slub.c:1356 [inline] [] slab_free_freelist_hook mm/slub.c:1378 [inline] [] slab_free mm/slub.c:2936 [inline] [] kfree+0x11b/0x3a0 mm/slub.c:3856 [] kvfree+0x25/0x30 mm/util.c:329 [] netdev_freemem+0x47/0x60 net/core/dev.c:7562 [] netdev_release+0x6c/0x90 net/core/net-sysfs.c:1469 [] device_release+0x71/0x1e0 drivers/base/core.c:247 [] kobject_cleanup lib/kobject.c:645 [inline] [] kobject_release lib/kobject.c:674 [inline] [] kref_sub include/linux/kref.h:73 [inline] [] kref_put include/linux/kref.h:98 [inline] [] kobject_put+0x146/0x400 lib/kobject.c:691 [] netdev_run_todo+0x483/0x650 net/core/dev.c:7467 [] rtnl_unlock+0x9/0x10 net/core/rtnetlink.c:104 [] default_device_exit_batch+0x2fe/0x3d0 net/core/dev.c:8244 [] ops_exit_list.isra.0+0xd6/0x120 net/core/net_namespace.c:137 [] cleanup_net+0x2d0/0x540 net/core/net_namespace.c:431 [] process_one_work+0x67d/0x14f0 kernel/workqueue.c:2096 [] worker_thread+0xda/0xf10 kernel/workqueue.c:2230 [] kthread+0x209/0x2d0 kernel/kthread.c:209 [] ret_from_fork+0x1f/0x40 arch/x86/entry/entry_64.S:393 Memory state around the buggy address: ffff8801362e3500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8801362e3580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff8801362e3600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff8801362e3680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8801362e3700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ================================================================== ================================================================== BUG: KASAN: use-after-free in __read_once_size include/linux/compiler.h:220 [inline] at addr ffff8801362e3630 BUG: KASAN: use-after-free in atomic_read arch/x86/include/asm/atomic.h:26 [inline] at addr ffff8801362e3630 BUG: KASAN: use-after-free in queued_spin_is_locked include/asm-generic/qspinlock.h:49 [inline] at addr ffff8801362e3630 BUG: KASAN: use-after-free in debug_spin_unlock kernel/locking/spinlock_debug.c:98 [inline] at addr ffff8801362e3630 BUG: KASAN: use-after-free in do_raw_spin_unlock+0x205/0x250 kernel/locking/spinlock_debug.c:158 at addr ffff8801362e3630 Read of size 4 by task swapper/0/0 CPU: 0 PID: 0 Comm: swapper/0 Tainted: G B 4.8.0-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 0000000000000000 ffff88013bc07b90 ffffffff82e4dd32 ffff88013b802a80 ffff8801362e2100 ffff8801362e4100 ffff8801362e2100 dffffc0000000000 ffff88013bc07bb8 ffffffff8171d43c ffff88013bc07c48 ffff88013b802a80 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0x136/0x1d4 lib/dump_stack.c:51 [] kasan_object_err+0x1c/0x70 mm/kasan/report.c:156 [] print_address_description mm/kasan/report.c:194 [inline] [] kasan_report_error+0x1e2/0x4c0 mm/kasan/report.c:283 [] kasan_report mm/kasan/report.c:303 [inline] [] __asan_report_load4_noabort+0x3e/0x40 mm/kasan/report.c:323 [] __read_once_size include/linux/compiler.h:220 [inline] [] atomic_read arch/x86/include/asm/atomic.h:26 [inline] [] queued_spin_is_locked include/asm-generic/qspinlock.h:49 [inline] [] debug_spin_unlock kernel/locking/spinlock_debug.c:98 [inline] [] do_raw_spin_unlock+0x205/0x250 kernel/locking/spinlock_debug.c:158 [] __raw_spin_unlock include/linux/spinlock_api_smp.h:153 [inline] [] _raw_spin_unlock+0x22/0x50 kernel/locking/spinlock.c:183 [] spin_unlock include/linux/spinlock.h:347 [inline] [] br_multicast_group_expired+0xc1/0x360 net/bridge/br_multicast.c:260 [] call_timer_fn+0x14f/0x630 kernel/time/timer.c:1298 [] expire_timers+0x28f/0x460 kernel/time/timer.c:1338 [] __run_timers kernel/time/timer.c:1627 [inline] [] run_timer_softirq+0x1a6/0x520 kernel/time/timer.c:1640 [] __do_softirq+0x2cb/0xa1c kernel/softirq.c:273 [] invoke_softirq kernel/softirq.c:350 [inline] [] irq_exit+0x14f/0x190 kernel/softirq.c:391 [] exiting_irq arch/x86/include/asm/apic.h:659 [inline] [] smp_apic_timer_interrupt+0x7b/0xa0 arch/x86/kernel/apic/apic.c:958 [] apic_timer_interrupt+0x8c/0xa0 arch/x86/entry/entry_64.S:633 [] ? native_safe_halt+0x6/0x10 arch/x86/include/asm/irqflags.h:49 [] arch_safe_halt arch/x86/include/asm/paravirt.h:107 [inline] [] default_idle+0x4f/0x390 arch/x86/kernel/process.c:307 [] arch_cpu_idle+0xa/0x10 arch/x86/kernel/process.c:298 [] default_idle_call+0x48/0xa0 kernel/sched/idle.c:93 [] cpuidle_idle_call kernel/sched/idle.c:151 [inline] [] cpu_idle_loop kernel/sched/idle.c:244 [inline] [] cpu_startup_entry+0x5ec/0x7e0 kernel/sched/idle.c:293 [] rest_init+0x152/0x160 init/main.c:408 [] start_kernel+0x4fd/0x523 init/main.c:662 [] x86_64_start_reservations+0x2a/0x2c arch/x86/kernel/head64.c:195 [] x86_64_start_kernel+0x17c/0x18b arch/x86/kernel/head64.c:176 Object at ffff8801362e2100, in cache kmalloc-8192 size: 8192 Allocated: PID = 7529 [] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:67 [] save_stack mm/kasan/kasan.c:479 [inline] [] set_track mm/kasan/kasan.c:491 [inline] [] kasan_kmalloc+0xee/0x180 mm/kasan/kasan.c:582 [] __kmalloc+0x15f/0x3c0 mm/slub.c:3719 [] kmalloc include/linux/slab.h:495 [inline] [] kzalloc include/linux/slab.h:636 [inline] [] alloc_netdev_mqs+0x940/0xda0 net/core/dev.c:7610 [] rtnl_create_link+0x132/0x830 net/core/rtnetlink.c:2302 [] rtnl_newlink+0xc55/0x1220 net/core/rtnetlink.c:2547 [] rtnetlink_rcv_msg+0x222/0x670 net/core/rtnetlink.c:3846 [] netlink_rcv_skb+0x242/0x350 net/netlink/af_netlink.c:2280 [] rtnetlink_rcv+0x25/0x30 net/core/rtnetlink.c:3852 [] netlink_unicast_kernel net/netlink/af_netlink.c:1214 [inline] [] netlink_unicast+0x3df/0x570 net/netlink/af_netlink.c:1240 [] netlink_sendmsg+0x9bb/0xb40 net/netlink/af_netlink.c:1786 [] sock_sendmsg_nosec net/socket.c:609 [inline] [] sock_sendmsg+0xb5/0xf0 net/socket.c:619 [] SYSC_sendto net/socket.c:1644 [inline] [] SyS_sendto+0x1ca/0x2c0 net/socket.c:1612 [] entry_SYSCALL_64_fastpath+0x23/0xc1 Freed: PID = 2978 [] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:67 [] save_stack mm/kasan/kasan.c:479 [inline] [] set_track mm/kasan/kasan.c:491 [inline] [] kasan_slab_free+0xae/0x180 mm/kasan/kasan.c:555 [] slab_free_hook mm/slub.c:1356 [inline] [] slab_free_freelist_hook mm/slub.c:1378 [inline] [] slab_free mm/slub.c:2936 [inline] [] kfree+0x11b/0x3a0 mm/slub.c:3856 [] kvfree+0x25/0x30 mm/util.c:329 [] netdev_freemem+0x47/0x60 net/core/dev.c:7562 [] netdev_release+0x6c/0x90 net/core/net-sysfs.c:1469 [] device_release+0x71/0x1e0 drivers/base/core.c:247 [] kobject_cleanup lib/kobject.c:645 [inline] [] kobject_release lib/kobject.c:674 [inline] [] kref_sub include/linux/kref.h:73 [inline] [] kref_put include/linux/kref.h:98 [inline] [] kobject_put+0x146/0x400 lib/kobject.c:691 [] netdev_run_todo+0x483/0x650 net/core/dev.c:7467 [] rtnl_unlock+0x9/0x10 net/core/rtnetlink.c:104 [] default_device_exit_batch+0x2fe/0x3d0 net/core/dev.c:8244 [] ops_exit_list.isra.0+0xd6/0x120 net/core/net_namespace.c:137 [] cleanup_net+0x2d0/0x540 net/core/net_namespace.c:431 [] process_one_work+0x67d/0x14f0 kernel/workqueue.c:2096 [] worker_thread+0xda/0xf10 kernel/workqueue.c:2230 [] kthread+0x209/0x2d0 kernel/kthread.c:209 [] ret_from_fork+0x1f/0x40 arch/x86/entry/entry_64.S:393 Memory state around the buggy address: ffff8801362e3500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8801362e3580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff8801362e3600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff8801362e3680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8801362e3700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ================================================================== ================================================================== BUG: KASAN: use-after-free in debug_spin_unlock kernel/locking/spinlock_debug.c:99 [inline] at addr ffff8801362e3640 BUG: KASAN: use-after-free in do_raw_spin_unlock+0x229/0x250 kernel/locking/spinlock_debug.c:158 at addr ffff8801362e3640 Read of size 8 by task swapper/0/0 CPU: 0 PID: 0 Comm: swapper/0 Tainted: G B 4.8.0-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 0000000000000000 ffff88013bc07b90 ffffffff82e4dd32 ffff88013b802a80 ffff8801362e2100 ffff8801362e4100 ffff8801362e2100 dffffc0000000000 ffff88013bc07bb8 ffffffff8171d43c ffff88013bc07c48 ffff88013b802a80 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0x136/0x1d4 lib/dump_stack.c:51 [] kasan_object_err+0x1c/0x70 mm/kasan/report.c:156 [] print_address_description mm/kasan/report.c:194 [inline] [] kasan_report_error+0x1e2/0x4c0 mm/kasan/report.c:283 [] kasan_report mm/kasan/report.c:303 [inline] [] __asan_report_load8_noabort+0x3e/0x40 mm/kasan/report.c:324 [] debug_spin_unlock kernel/locking/spinlock_debug.c:99 [inline] [] do_raw_spin_unlock+0x229/0x250 kernel/locking/spinlock_debug.c:158 [] __raw_spin_unlock include/linux/spinlock_api_smp.h:153 [inline] [] _raw_spin_unlock+0x22/0x50 kernel/locking/spinlock.c:183 [] spin_unlock include/linux/spinlock.h:347 [inline] [] br_multicast_group_expired+0xc1/0x360 net/bridge/br_multicast.c:260 [] call_timer_fn+0x14f/0x630 kernel/time/timer.c:1298 [] expire_timers+0x28f/0x460 kernel/time/timer.c:1338 [] __run_timers kernel/time/timer.c:1627 [inline] [] run_timer_softirq+0x1a6/0x520 kernel/time/timer.c:1640 [] __do_softirq+0x2cb/0xa1c kernel/softirq.c:273 [] invoke_softirq kernel/softirq.c:350 [inline] [] irq_exit+0x14f/0x190 kernel/softirq.c:391 [] exiting_irq arch/x86/include/asm/apic.h:659 [inline] [] smp_apic_timer_interrupt+0x7b/0xa0 arch/x86/kernel/apic/apic.c:958 [] apic_timer_interrupt+0x8c/0xa0 arch/x86/entry/entry_64.S:633 [] ? native_safe_halt+0x6/0x10 arch/x86/include/asm/irqflags.h:49 [] arch_safe_halt arch/x86/include/asm/paravirt.h:107 [inline] [] default_idle+0x4f/0x390 arch/x86/kernel/process.c:307 [] arch_cpu_idle+0xa/0x10 arch/x86/kernel/process.c:298 [] default_idle_call+0x48/0xa0 kernel/sched/idle.c:93 [] cpuidle_idle_call kernel/sched/idle.c:151 [inline] [] cpu_idle_loop kernel/sched/idle.c:244 [inline] [] cpu_startup_entry+0x5ec/0x7e0 kernel/sched/idle.c:293 [] rest_init+0x152/0x160 init/main.c:408 [] start_kernel+0x4fd/0x523 init/main.c:662 [] x86_64_start_reservations+0x2a/0x2c arch/x86/kernel/head64.c:195 [] x86_64_start_kernel+0x17c/0x18b arch/x86/kernel/head64.c:176 Object at ffff8801362e2100, in cache kmalloc-8192 size: 8192 Allocated: PID = 7529 [] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:67 [] save_stack mm/kasan/kasan.c:479 [inline] [] set_track mm/kasan/kasan.c:491 [inline] [] kasan_kmalloc+0xee/0x180 mm/kasan/kasan.c:582 [] __kmalloc+0x15f/0x3c0 mm/slub.c:3719 [] kmalloc include/linux/slab.h:495 [inline] [] kzalloc include/linux/slab.h:636 [inline] [] alloc_netdev_mqs+0x940/0xda0 net/core/dev.c:7610 [] rtnl_create_link+0x132/0x830 net/core/rtnetlink.c:2302 [] rtnl_newlink+0xc55/0x1220 net/core/rtnetlink.c:2547 [] rtnetlink_rcv_msg+0x222/0x670 net/core/rtnetlink.c:3846 [] netlink_rcv_skb+0x242/0x350 net/netlink/af_netlink.c:2280 [] rtnetlink_rcv+0x25/0x30 net/core/rtnetlink.c:3852 [] netlink_unicast_kernel net/netlink/af_netlink.c:1214 [inline] [] netlink_unicast+0x3df/0x570 net/netlink/af_netlink.c:1240 [] netlink_sendmsg+0x9bb/0xb40 net/netlink/af_netlink.c:1786 [] sock_sendmsg_nosec net/socket.c:609 [inline] [] sock_sendmsg+0xb5/0xf0 net/socket.c:619 [] SYSC_sendto net/socket.c:1644 [inline] [] SyS_sendto+0x1ca/0x2c0 net/socket.c:1612 [] entry_SYSCALL_64_fastpath+0x23/0xc1 Freed: PID = 2978 [] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:67 [] save_stack mm/kasan/kasan.c:479 [inline] [] set_track mm/kasan/kasan.c:491 [inline] [] kasan_slab_free+0xae/0x180 mm/kasan/kasan.c:555 [] slab_free_hook mm/slub.c:1356 [inline] [] slab_free_freelist_hook mm/slub.c:1378 [inline] [] slab_free mm/slub.c:2936 [inline] [] kfree+0x11b/0x3a0 mm/slub.c:3856 [] kvfree+0x25/0x30 mm/util.c:329 [] netdev_freemem+0x47/0x60 net/core/dev.c:7562 [] netdev_release+0x6c/0x90 net/core/net-sysfs.c:1469 [] device_release+0x71/0x1e0 drivers/base/core.c:247 [] kobject_cleanup lib/kobject.c:645 [inline] [] kobject_release lib/kobject.c:674 [inline] [] kref_sub include/linux/kref.h:73 [inline] [] kref_put include/linux/kref.h:98 [inline] [] kobject_put+0x146/0x400 lib/kobject.c:691 [] netdev_run_todo+0x483/0x650 net/core/dev.c:7467 [] rtnl_unlock+0x9/0x10 net/core/rtnetlink.c:104 [] default_device_exit_batch+0x2fe/0x3d0 net/core/dev.c:8244 [] ops_exit_list.isra.0+0xd6/0x120 net/core/net_namespace.c:137 [] cleanup_net+0x2d0/0x540 net/core/net_namespace.c:431 [] process_one_work+0x67d/0x14f0 kernel/workqueue.c:2096 [] worker_thread+0xda/0xf10 kernel/workqueue.c:2230 [] kthread+0x209/0x2d0 kernel/kthread.c:209 [] ret_from_fork+0x1f/0x40 arch/x86/entry/entry_64.S:393 Memory state around the buggy address: ffff8801362e3500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8801362e3580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff8801362e3600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff8801362e3680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8801362e3700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ================================================================== ================================================================== BUG: KASAN: use-after-free in debug_spin_unlock kernel/locking/spinlock_debug.c:100 [inline] at addr ffff8801362e3638 BUG: KASAN: use-after-free in do_raw_spin_unlock+0x1f8/0x250 kernel/locking/spinlock_debug.c:158 at addr ffff8801362e3638 Read of size 4 by task swapper/0/0 CPU: 0 PID: 0 Comm: swapper/0 Tainted: G B 4.8.0-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 0000000000000000 ffff88013bc07b90 ffffffff82e4dd32 ffff88013b802a80 ffff8801362e2100 ffff8801362e4100 ffff8801362e2100 dffffc0000000000 ffff88013bc07bb8 ffffffff8171d43c ffff88013bc07c48 ffff88013b802a80 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0x136/0x1d4 lib/dump_stack.c:51 [] kasan_object_err+0x1c/0x70 mm/kasan/report.c:156 [] print_address_description mm/kasan/report.c:194 [inline] [] kasan_report_error+0x1e2/0x4c0 mm/kasan/report.c:283 [] kasan_report mm/kasan/report.c:303 [inline] [] __asan_report_load4_noabort+0x3e/0x40 mm/kasan/report.c:323 [] debug_spin_unlock kernel/locking/spinlock_debug.c:100 [inline] [] do_raw_spin_unlock+0x1f8/0x250 kernel/locking/spinlock_debug.c:158 [] __raw_spin_unlock include/linux/spinlock_api_smp.h:153 [inline] [] _raw_spin_unlock+0x22/0x50 kernel/locking/spinlock.c:183 [] spin_unlock include/linux/spinlock.h:347 [inline] [] br_multicast_group_expired+0xc1/0x360 net/bridge/br_multicast.c:260 [] call_timer_fn+0x14f/0x630 kernel/time/timer.c:1298 [] expire_timers+0x28f/0x460 kernel/time/timer.c:1338 [] __run_timers kernel/time/timer.c:1627 [inline] [] run_timer_softirq+0x1a6/0x520 kernel/time/timer.c:1640 [] __do_softirq+0x2cb/0xa1c kernel/softirq.c:273 [] invoke_softirq kernel/softirq.c:350 [inline] [] irq_exit+0x14f/0x190 kernel/softirq.c:391 [] exiting_irq arch/x86/include/asm/apic.h:659 [inline] [] smp_apic_timer_interrupt+0x7b/0xa0 arch/x86/kernel/apic/apic.c:958 [] apic_timer_interrupt+0x8c/0xa0 arch/x86/entry/entry_64.S:633 [] ? native_safe_halt+0x6/0x10 arch/x86/include/asm/irqflags.h:49 [] arch_safe_halt arch/x86/include/asm/paravirt.h:107 [inline] [] default_idle+0x4f/0x390 arch/x86/kernel/process.c:307 [] arch_cpu_idle+0xa/0x10 arch/x86/kernel/process.c:298 [] default_idle_call+0x48/0xa0 kernel/sched/idle.c:93 [] cpuidle_idle_call kernel/sched/idle.c:151 [inline] [] cpu_idle_loop kernel/sched/idle.c:244 [inline] [] cpu_startup_entry+0x5ec/0x7e0 kernel/sched/idle.c:293 [] rest_init+0x152/0x160 init/main.c:408 [] start_kernel+0x4fd/0x523 init/main.c:662 [] x86_64_start_reservations+0x2a/0x2c arch/x86/kernel/head64.c:195 [] x86_64_start_kernel+0x17c/0x18b arch/x86/kernel/head64.c:176 Object at ffff8801362e2100, in cache kmalloc-8192 size: 8192 Allocated: PID = 7529 [] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:67 [] save_stack mm/kasan/kasan.c:479 [inline] [] set_track mm/kasan/kasan.c:491 [inline] [] kasan_kmalloc+0xee/0x180 mm/kasan/kasan.c:582 [] __kmalloc+0x15f/0x3c0 mm/slub.c:3719 [] kmalloc include/linux/slab.h:495 [inline] [] kzalloc include/linux/slab.h:636 [inline] [] alloc_netdev_mqs+0x940/0xda0 net/core/dev.c:7610 [] rtnl_create_link+0x132/0x830 net/core/rtnetlink.c:2302 [] rtnl_newlink+0xc55/0x1220 net/core/rtnetlink.c:2547 [] rtnetlink_rcv_msg+0x222/0x670 net/core/rtnetlink.c:3846 [] netlink_rcv_skb+0x242/0x350 net/netlink/af_netlink.c:2280 [] rtnetlink_rcv+0x25/0x30 net/core/rtnetlink.c:3852 [] netlink_unicast_kernel net/netlink/af_netlink.c:1214 [inline] [] netlink_unicast+0x3df/0x570 net/netlink/af_netlink.c:1240 [] netlink_sendmsg+0x9bb/0xb40 net/netlink/af_netlink.c:1786 [] sock_sendmsg_nosec net/socket.c:609 [inline] [] sock_sendmsg+0xb5/0xf0 net/socket.c:619 [] SYSC_sendto net/socket.c:1644 [inline] [] SyS_sendto+0x1ca/0x2c0 net/socket.c:1612 [] entry_SYSCALL_64_fastpath+0x23/0xc1 Freed: PID = 2978 [] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:67 [] save_stack mm/kasan/kasan.c:479 [inline] [] set_track mm/kasan/kasan.c:491 [inline] [] kasan_slab_free+0xae/0x180 mm/kasan/kasan.c:555 [] slab_free_hook mm/slub.c:1356 [inline] [] slab_free_freelist_hook mm/slub.c:1378 [inline] [] slab_free mm/slub.c:2936 [inline] [] kfree+0x11b/0x3a0 mm/slub.c:3856 [] kvfree+0x25/0x30 mm/util.c:329 [] netdev_freemem+0x47/0x60 net/core/dev.c:7562 [] netdev_release+0x6c/0x90 net/core/net-sysfs.c:1469 [] device_release+0x71/0x1e0 drivers/base/core.c:247 [] kobject_cleanup lib/kobject.c:645 [inline] [] kobject_release lib/kobject.c:674 [inline] [] kref_sub include/linux/kref.h:73 [inline] [] kref_put include/linux/kref.h:98 [inline] [] kobject_put+0x146/0x400 lib/kobject.c:691 [] netdev_run_todo+0x483/0x650 net/core/dev.c:7467 [] rtnl_unlock+0x9/0x10 net/core/rtnetlink.c:104 [] default_device_exit_batch+0x2fe/0x3d0 net/core/dev.c:8244 [] ops_exit_list.isra.0+0xd6/0x120 net/core/net_namespace.c:137 [] cleanup_net+0x2d0/0x540 net/core/net_namespace.c:431 [] process_one_work+0x67d/0x14f0 kernel/workqueue.c:2096 [] worker_thread+0xda/0xf10 kernel/workqueue.c:2230 [] kthread+0x209/0x2d0 kernel/kthread.c:209 [] ret_from_fork+0x1f/0x40 arch/x86/entry/entry_64.S:393 Memory state around the buggy address: ffff8801362e3500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8801362e3580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff8801362e3600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff8801362e3680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8801362e3700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ================================================================== ================================================================== BUG: KASAN: use-after-free in debug_spin_unlock kernel/locking/spinlock_debug.c:102 [inline] at addr ffff8801362e3640 BUG: KASAN: use-after-free in do_raw_spin_unlock+0x240/0x250 kernel/locking/spinlock_debug.c:158 at addr ffff8801362e3640 Write of size 8 by task swapper/0/0 CPU: 0 PID: 0 Comm: swapper/0 Tainted: G B 4.8.0-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 0000000000000000 ffff88013bc07b90 ffffffff82e4dd32 ffff88013b802a80 ffff8801362e2100 ffff8801362e4100 ffff8801362e2100 dffffc0000000000 ffff88013bc07bb8 ffffffff8171d43c ffff88013bc07c48 ffff88013b802a80 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0x136/0x1d4 lib/dump_stack.c:51 [] kasan_object_err+0x1c/0x70 mm/kasan/report.c:156 [] print_address_description mm/kasan/report.c:194 [inline] [] kasan_report_error+0x1e2/0x4c0 mm/kasan/report.c:283 [] kasan_report mm/kasan/report.c:303 [inline] [] __asan_report_store8_noabort+0x3e/0x40 mm/kasan/report.c:329 [] debug_spin_unlock kernel/locking/spinlock_debug.c:102 [inline] [] do_raw_spin_unlock+0x240/0x250 kernel/locking/spinlock_debug.c:158 [] __raw_spin_unlock include/linux/spinlock_api_smp.h:153 [inline] [] _raw_spin_unlock+0x22/0x50 kernel/locking/spinlock.c:183 [] spin_unlock include/linux/spinlock.h:347 [inline] [] br_multicast_group_expired+0xc1/0x360 net/bridge/br_multicast.c:260 [] call_timer_fn+0x14f/0x630 kernel/time/timer.c:1298 [] expire_timers+0x28f/0x460 kernel/time/timer.c:1338 [] __run_timers kernel/time/timer.c:1627 [inline] [] run_timer_softirq+0x1a6/0x520 kernel/time/timer.c:1640 [] __do_softirq+0x2cb/0xa1c kernel/softirq.c:273 [] invoke_softirq kernel/softirq.c:350 [inline] [] irq_exit+0x14f/0x190 kernel/softirq.c:391 [] exiting_irq arch/x86/include/asm/apic.h:659 [inline] [] smp_apic_timer_interrupt+0x7b/0xa0 arch/x86/kernel/apic/apic.c:958 [] apic_timer_interrupt+0x8c/0xa0 arch/x86/entry/entry_64.S:633 [] ? native_safe_halt+0x6/0x10 arch/x86/include/asm/irqflags.h:49 [] arch_safe_halt arch/x86/include/asm/paravirt.h:107 [inline] [] default_idle+0x4f/0x390 arch/x86/kernel/process.c:307 [] arch_cpu_idle+0xa/0x10 arch/x86/kernel/process.c:298 [] default_idle_call+0x48/0xa0 kernel/sched/idle.c:93 [] cpuidle_idle_call kernel/sched/idle.c:151 [inline] [] cpu_idle_loop kernel/sched/idle.c:244 [inline] [] cpu_startup_entry+0x5ec/0x7e0 kernel/sched/idle.c:293 [] rest_init+0x152/0x160 init/main.c:408 [] start_kernel+0x4fd/0x523 init/main.c:662 [] x86_64_start_reservations+0x2a/0x2c arch/x86/kernel/head64.c:195 [] x86_64_start_kernel+0x17c/0x18b arch/x86/kernel/head64.c:176 Object at ffff8801362e2100, in cache kmalloc-8192 size: 8192 Allocated: PID = 7529 [] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:67 [] save_stack mm/kasan/kasan.c:479 [inline] [] set_track mm/kasan/kasan.c:491 [inline] [] kasan_kmalloc+0xee/0x180 mm/kasan/kasan.c:582 [] __kmalloc+0x15f/0x3c0 mm/slub.c:3719 [] kmalloc include/linux/slab.h:495 [inline] [] kzalloc include/linux/slab.h:636 [inline] [] alloc_netdev_mqs+0x940/0xda0 net/core/dev.c:7610 [] rtnl_create_link+0x132/0x830 net/core/rtnetlink.c:2302 [] rtnl_newlink+0xc55/0x1220 net/core/rtnetlink.c:2547 [] rtnetlink_rcv_msg+0x222/0x670 net/core/rtnetlink.c:3846 [] netlink_rcv_skb+0x242/0x350 net/netlink/af_netlink.c:2280 [] rtnetlink_rcv+0x25/0x30 net/core/rtnetlink.c:3852 [] netlink_unicast_kernel net/netlink/af_netlink.c:1214 [inline] [] netlink_unicast+0x3df/0x570 net/netlink/af_netlink.c:1240 [] netlink_sendmsg+0x9bb/0xb40 net/netlink/af_netlink.c:1786 [] sock_sendmsg_nosec net/socket.c:609 [inline] [] sock_sendmsg+0xb5/0xf0 net/socket.c:619 [] SYSC_sendto net/socket.c:1644 [inline] [] SyS_sendto+0x1ca/0x2c0 net/socket.c:1612 [] entry_SYSCALL_64_fastpath+0x23/0xc1 Freed: PID = 2978 [] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:67 [] save_stack mm/kasan/kasan.c:479 [inline] [] set_track mm/kasan/kasan.c:491 [inline] [] kasan_slab_free+0xae/0x180 mm/kasan/kasan.c:555 [] slab_free_hook mm/slub.c:1356 [inline] [] slab_free_freelist_hook mm/slub.c:1378 [inline] [] slab_free mm/slub.c:2936 [inline] [] kfree+0x11b/0x3a0 mm/slub.c:3856 [] kvfree+0x25/0x30 mm/util.c:329 [] netdev_freemem+0x47/0x60 net/core/dev.c:7562 [] netdev_release+0x6c/0x90 net/core/net-sysfs.c:1469 [] device_release+0x71/0x1e0 drivers/base/core.c:247 [] kobject_cleanup lib/kobject.c:645 [inline] [] kobject_release lib/kobject.c:674 [inline] [] kref_sub include/linux/kref.h:73 [inline] [] kref_put include/linux/kref.h:98 [inline] [] kobject_put+0x146/0x400 lib/kobject.c:691 [] netdev_run_todo+0x483/0x650 net/core/dev.c:7467 [] rtnl_unlock+0x9/0x10 net/core/rtnetlink.c:104 [] default_device_exit_batch+0x2fe/0x3d0 net/core/dev.c:8244 [] ops_exit_list.isra.0+0xd6/0x120 net/core/net_namespace.c:137 [] cleanup_net+0x2d0/0x540 net/core/net_namespace.c:431 [] process_one_work+0x67d/0x14f0 kernel/workqueue.c:2096 [] worker_thread+0xda/0xf10 kernel/workqueue.c:2230 [] kthread+0x209/0x2d0 kernel/kthread.c:209 [] ret_from_fork+0x1f/0x40 arch/x86/entry/entry_64.S:393 Memory state around the buggy address: ffff8801362e3500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8801362e3580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff8801362e3600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff8801362e3680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8801362e3700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ================================================================== ================================================================== BUG: KASAN: use-after-free in debug_spin_unlock kernel/locking/spinlock_debug.c:103 [inline] at addr ffff8801362e3638 BUG: KASAN: use-after-free in do_raw_spin_unlock+0x21c/0x250 kernel/locking/spinlock_debug.c:158 at addr ffff8801362e3638 Write of size 4 by task swapper/0/0 CPU: 0 PID: 0 Comm: swapper/0 Tainted: G B 4.8.0-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 0000000000000000 ffff88013bc07b90 ffffffff82e4dd32 ffff88013b802a80 ffff8801362e2100 ffff8801362e4100 ffff8801362e2100 dffffc0000000000 ffff88013bc07bb8 ffffffff8171d43c ffff88013bc07c48 ffff88013b802a80 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0x136/0x1d4 lib/dump_stack.c:51 [] kasan_object_err+0x1c/0x70 mm/kasan/report.c:156 [] print_address_description mm/kasan/report.c:194 [inline] [] kasan_report_error+0x1e2/0x4c0 mm/kasan/report.c:283 [] kasan_report mm/kasan/report.c:303 [inline] [] __asan_report_store4_noabort+0x3e/0x40 mm/kasan/report.c:328 [] debug_spin_unlock kernel/locking/spinlock_debug.c:103 [inline] [] do_raw_spin_unlock+0x21c/0x250 kernel/locking/spinlock_debug.c:158 [] __raw_spin_unlock include/linux/spinlock_api_smp.h:153 [inline] [] _raw_spin_unlock+0x22/0x50 kernel/locking/spinlock.c:183 [] spin_unlock include/linux/spinlock.h:347 [inline] [] br_multicast_group_expired+0xc1/0x360 net/bridge/br_multicast.c:260 [] call_timer_fn+0x14f/0x630 kernel/time/timer.c:1298 [] expire_timers+0x28f/0x460 kernel/time/timer.c:1338 [] __run_timers kernel/time/timer.c:1627 [inline] [] run_timer_softirq+0x1a6/0x520 kernel/time/timer.c:1640 [] __do_softirq+0x2cb/0xa1c kernel/softirq.c:273 [] invoke_softirq kernel/softirq.c:350 [inline] [] irq_exit+0x14f/0x190 kernel/softirq.c:391 [] exiting_irq arch/x86/include/asm/apic.h:659 [inline] [] smp_apic_timer_interrupt+0x7b/0xa0 arch/x86/kernel/apic/apic.c:958 [] apic_timer_interrupt+0x8c/0xa0 arch/x86/entry/entry_64.S:633 [] ? native_safe_halt+0x6/0x10 arch/x86/include/asm/irqflags.h:49 [] arch_safe_halt arch/x86/include/asm/paravirt.h:107 [inline] [] default_idle+0x4f/0x390 arch/x86/kernel/process.c:307 [] arch_cpu_idle+0xa/0x10 arch/x86/kernel/process.c:298 [] default_idle_call+0x48/0xa0 kernel/sched/idle.c:93 [] cpuidle_idle_call kernel/sched/idle.c:151 [inline] [] cpu_idle_loop kernel/sched/idle.c:244 [inline] [] cpu_startup_entry+0x5ec/0x7e0 kernel/sched/idle.c:293 [] rest_init+0x152/0x160 init/main.c:408 [] start_kernel+0x4fd/0x523 init/main.c:662 [] x86_64_start_reservations+0x2a/0x2c arch/x86/kernel/head64.c:195 [] x86_64_start_kernel+0x17c/0x18b arch/x86/kernel/head64.c:176 Object at ffff8801362e2100, in cache kmalloc-8192 size: 8192 Allocated: PID = 7529 [] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:67 [] save_stack mm/kasan/kasan.c:479 [inline] [] set_track mm/kasan/kasan.c:491 [inline] [] kasan_kmalloc+0xee/0x180 mm/kasan/kasan.c:582 [] __kmalloc+0x15f/0x3c0 mm/slub.c:3719 [] kmalloc include/linux/slab.h:495 [inline] [] kzalloc include/linux/slab.h:636 [inline] [] alloc_netdev_mqs+0x940/0xda0 net/core/dev.c:7610 [] rtnl_create_link+0x132/0x830 net/core/rtnetlink.c:2302 [] rtnl_newlink+0xc55/0x1220 net/core/rtnetlink.c:2547 [] rtnetlink_rcv_msg+0x222/0x670 net/core/rtnetlink.c:3846 [] netlink_rcv_skb+0x242/0x350 net/netlink/af_netlink.c:2280 [] rtnetlink_rcv+0x25/0x30 net/core/rtnetlink.c:3852 [] netlink_unicast_kernel net/netlink/af_netlink.c:1214 [inline] [] netlink_unicast+0x3df/0x570 net/netlink/af_netlink.c:1240 [] netlink_sendmsg+0x9bb/0xb40 net/netlink/af_netlink.c:1786 [] sock_sendmsg_nosec net/socket.c:609 [inline] [] sock_sendmsg+0xb5/0xf0 net/socket.c:619 [] SYSC_sendto net/socket.c:1644 [inline] [] SyS_sendto+0x1ca/0x2c0 net/socket.c:1612 [] entry_SYSCALL_64_fastpath+0x23/0xc1 Freed: PID = 2978 [] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:67 [] save_stack mm/kasan/kasan.c:479 [inline] [] set_track mm/kasan/kasan.c:491 [inline] [] kasan_slab_free+0xae/0x180 mm/kasan/kasan.c:555 [] slab_free_hook mm/slub.c:1356 [inline] [] slab_free_freelist_hook mm/slub.c:1378 [inline] [] slab_free mm/slub.c:2936 [inline] [] kfree+0x11b/0x3a0 mm/slub.c:3856 [] kvfree+0x25/0x30 mm/util.c:329 [] netdev_freemem+0x47/0x60 net/core/dev.c:7562 [] netdev_release+0x6c/0x90 net/core/net-sysfs.c:1469 [] device_release+0x71/0x1e0 drivers/base/core.c:247 [] kobject_cleanup lib/kobject.c:645 [inline] [] kobject_release lib/kobject.c:674 [inline] [] kref_sub include/linux/kref.h:73 [inline] [] kref_put include/linux/kref.h:98 [inline] [] kobject_put+0x146/0x400 lib/kobject.c:691 [] netdev_run_todo+0x483/0x650 net/core/dev.c:7467 [] rtnl_unlock+0x9/0x10 net/core/rtnetlink.c:104 [] default_device_exit_batch+0x2fe/0x3d0 net/core/dev.c:8244 [] ops_exit_list.isra.0+0xd6/0x120 net/core/net_namespace.c:137 [] cleanup_net+0x2d0/0x540 net/core/net_namespace.c:431 [] process_one_work+0x67d/0x14f0 kernel/workqueue.c:2096 [] worker_thread+0xda/0xf10 kernel/workqueue.c:2230 [] kthread+0x209/0x2d0 kernel/kthread.c:209 [] ret_from_fork+0x1f/0x40 arch/x86/entry/entry_64.S:393 Memory state around the buggy address: ffff8801362e3500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8801362e3580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff8801362e3600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff8801362e3680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8801362e3700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ================================================================== ================================================================== BUG: KASAN: use-after-free in debug_spin_lock_before kernel/locking/spinlock_debug.c:83 [inline] at addr ffff8801362e3634 BUG: KASAN: use-after-free in do_raw_spin_lock+0x28b/0x2f0 kernel/locking/spinlock_debug.c:135 at addr ffff8801362e3634 Read of size 4 by task swapper/0/0 CPU: 0 PID: 0 Comm: swapper/0 Tainted: G B 4.8.0-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 0000000000000000 ffff88013bc07b70 ffffffff82e4dd32 ffff88013b802a80 ffff8801362e2100 ffff8801362e4100 0000000000000101 dffffc0000000000 ffff88013bc07b98 ffffffff8171d43c ffff88013bc07c28 ffff88013b802a80 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0x136/0x1d4 lib/dump_stack.c:51 [] kasan_object_err+0x1c/0x70 mm/kasan/report.c:156 [] print_address_description mm/kasan/report.c:194 [inline] [] kasan_report_error+0x1e2/0x4c0 mm/kasan/report.c:283 [] kasan_report mm/kasan/report.c:303 [inline] [] __asan_report_load4_noabort+0x3e/0x40 mm/kasan/report.c:323 [] debug_spin_lock_before kernel/locking/spinlock_debug.c:83 [inline] [] do_raw_spin_lock+0x28b/0x2f0 kernel/locking/spinlock_debug.c:135 [] __raw_spin_lock include/linux/spinlock_api_smp.h:145 [inline] [] _raw_spin_lock+0x3e/0x50 kernel/locking/spinlock.c:151 [] spin_lock include/linux/spinlock.h:302 [inline] [] br_multicast_group_expired+0x47/0x360 net/bridge/br_multicast.c:243 [] call_timer_fn+0x14f/0x630 kernel/time/timer.c:1298 [] expire_timers+0x28f/0x460 kernel/time/timer.c:1338 [] __run_timers kernel/time/timer.c:1627 [inline] [] run_timer_softirq+0x1a6/0x520 kernel/time/timer.c:1640 [] __do_softirq+0x2cb/0xa1c kernel/softirq.c:273 [] invoke_softirq kernel/softirq.c:350 [inline] [] irq_exit+0x14f/0x190 kernel/softirq.c:391 [] exiting_irq arch/x86/include/asm/apic.h:659 [inline] [] smp_apic_timer_interrupt+0x7b/0xa0 arch/x86/kernel/apic/apic.c:958 [] apic_timer_interrupt+0x8c/0xa0 arch/x86/entry/entry_64.S:633 [] ? native_safe_halt+0x6/0x10 arch/x86/include/asm/irqflags.h:49 [] arch_safe_halt arch/x86/include/asm/paravirt.h:107 [inline] [] default_idle+0x4f/0x390 arch/x86/kernel/process.c:307 [] arch_cpu_idle+0xa/0x10 arch/x86/kernel/process.c:298 [] default_idle_call+0x48/0xa0 kernel/sched/idle.c:93 [] cpuidle_idle_call kernel/sched/idle.c:151 [inline] [] cpu_idle_loop kernel/sched/idle.c:244 [inline] [] cpu_startup_entry+0x5ec/0x7e0 kernel/sched/idle.c:293 [] rest_init+0x152/0x160 init/main.c:408 [] start_kernel+0x4fd/0x523 init/main.c:662 [] x86_64_start_reservations+0x2a/0x2c arch/x86/kernel/head64.c:195 [] x86_64_start_kernel+0x17c/0x18b arch/x86/kernel/head64.c:176 Object at ffff8801362e2100, in cache kmalloc-8192 size: 8192 Allocated: PID = 7529 [] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:67 [] save_stack mm/kasan/kasan.c:479 [inline] [] set_track mm/kasan/kasan.c:491 [inline] [] kasan_kmalloc+0xee/0x180 mm/kasan/kasan.c:582 [] __kmalloc+0x15f/0x3c0 mm/slub.c:3719 [] kmalloc include/linux/slab.h:495 [inline] [] kzalloc include/linux/slab.h:636 [inline] [] alloc_netdev_mqs+0x940/0xda0 net/core/dev.c:7610 [] rtnl_create_link+0x132/0x830 net/core/rtnetlink.c:2302 [] rtnl_newlink+0xc55/0x1220 net/core/rtnetlink.c:2547 [] rtnetlink_rcv_msg+0x222/0x670 net/core/rtnetlink.c:3846 [] netlink_rcv_skb+0x242/0x350 net/netlink/af_netlink.c:2280 [] rtnetlink_rcv+0x25/0x30 net/core/rtnetlink.c:3852 [] netlink_unicast_kernel net/netlink/af_netlink.c:1214 [inline] [] netlink_unicast+0x3df/0x570 net/netlink/af_netlink.c:1240 [] netlink_sendmsg+0x9bb/0xb40 net/netlink/af_netlink.c:1786 [] sock_sendmsg_nosec net/socket.c:609 [inline] [] sock_sendmsg+0xb5/0xf0 net/socket.c:619 [] SYSC_sendto net/socket.c:1644 [inline] [] SyS_sendto+0x1ca/0x2c0 net/socket.c:1612 [] entry_SYSCALL_64_fastpath+0x23/0xc1 Freed: PID = 2978 [] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:67 [] save_stack mm/kasan/kasan.c:479 [inline] [] set_track mm/kasan/kasan.c:491 [inline] [] kasan_slab_free+0xae/0x180 mm/kasan/kasan.c:555 [] slab_free_hook mm/slub.c:1356 [inline] [] slab_free_freelist_hook mm/slub.c:1378 [inline] [] slab_free mm/slub.c:2936 [inline] [] kfree+0x11b/0x3a0 mm/slub.c:3856 [] kvfree+0x25/0x30 mm/util.c:329 [] netdev_freemem+0x47/0x60 net/core/dev.c:7562 [] netdev_release+0x6c/0x90 net/core/net-sysfs.c:1469 [] device_release+0x71/0x1e0 drivers/base/core.c:247 [] kobject_cleanup lib/kobject.c:645 [inline] [] kobject_release lib/kobject.c:674 [inline] [] kref_sub include/linux/kref.h:73 [inline] [] kref_put include/linux/kref.h:98 [inline] [] kobject_put+0x146/0x400 lib/kobject.c:691 [] netdev_run_todo+0x483/0x650 net/core/dev.c:7467 [] rtnl_unlock+0x9/0x10 net/core/rtnetlink.c:104 [] default_device_exit_batch+0x2fe/0x3d0 net/core/dev.c:8244 [] ops_exit_list.isra.0+0xd6/0x120 net/core/net_namespace.c:137 [] cleanup_net+0x2d0/0x540 net/core/net_namespace.c:431 [] process_one_work+0x67d/0x14f0 kernel/workqueue.c:2096 [] worker_thread+0xda/0xf10 kernel/workqueue.c:2230 [] kthread+0x209/0x2d0 kernel/kthread.c:209 [] ret_from_fork+0x1f/0x40 arch/x86/entry/entry_64.S:393 Memory state around the buggy address: ffff8801362e3500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8801362e3580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff8801362e3600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff8801362e3680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8801362e3700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ================================================================== ================================================================== BUG: KASAN: use-after-free in debug_spin_lock_before kernel/locking/spinlock_debug.c:84 [inline] at addr ffff8801362e3640 BUG: KASAN: use-after-free in do_raw_spin_lock+0x2c1/0x2f0 kernel/locking/spinlock_debug.c:135 at addr ffff8801362e3640 Read of size 8 by task swapper/0/0 CPU: 0 PID: 0 Comm: swapper/0 Tainted: G B 4.8.0-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 0000000000000000 ffff88013bc07b70 ffffffff82e4dd32 ffff88013b802a80 ffff8801362e2100 ffff8801362e4100 0000000000000101 dffffc0000000000 ffff88013bc07b98 ffffffff8171d43c ffff88013bc07c28 ffff88013b802a80 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0x136/0x1d4 lib/dump_stack.c:51 [] kasan_object_err+0x1c/0x70 mm/kasan/report.c:156 [] print_address_description mm/kasan/report.c:194 [inline] [] kasan_report_error+0x1e2/0x4c0 mm/kasan/report.c:283 [] kasan_report mm/kasan/report.c:303 [inline] [] __asan_report_load8_noabort+0x3e/0x40 mm/kasan/report.c:324 [] debug_spin_lock_before kernel/locking/spinlock_debug.c:84 [inline] [] do_raw_spin_lock+0x2c1/0x2f0 kernel/locking/spinlock_debug.c:135 [] __raw_spin_lock include/linux/spinlock_api_smp.h:145 [inline] [] _raw_spin_lock+0x3e/0x50 kernel/locking/spinlock.c:151 [] spin_lock include/linux/spinlock.h:302 [inline] [] br_multicast_group_expired+0x47/0x360 net/bridge/br_multicast.c:243 [] call_timer_fn+0x14f/0x630 kernel/time/timer.c:1298 [] expire_timers+0x28f/0x460 kernel/time/timer.c:1338 [] __run_timers kernel/time/timer.c:1627 [inline] [] run_timer_softirq+0x1a6/0x520 kernel/time/timer.c:1640 [] __do_softirq+0x2cb/0xa1c kernel/softirq.c:273 [] invoke_softirq kernel/softirq.c:350 [inline] [] irq_exit+0x14f/0x190 kernel/softirq.c:391 [] exiting_irq arch/x86/include/asm/apic.h:659 [inline] [] smp_apic_timer_interrupt+0x7b/0xa0 arch/x86/kernel/apic/apic.c:958 [] apic_timer_interrupt+0x8c/0xa0 arch/x86/entry/entry_64.S:633 [] ? native_safe_halt+0x6/0x10 arch/x86/include/asm/irqflags.h:49 [] arch_safe_halt arch/x86/include/asm/paravirt.h:107 [inline] [] default_idle+0x4f/0x390 arch/x86/kernel/process.c:307 [] arch_cpu_idle+0xa/0x10 arch/x86/kernel/process.c:298 [] default_idle_call+0x48/0xa0 kernel/sched/idle.c:93 [] cpuidle_idle_call kernel/sched/idle.c:151 [inline] [] cpu_idle_loop kernel/sched/idle.c:244 [inline] [] cpu_startup_entry+0x5ec/0x7e0 kernel/sched/idle.c:293 [] rest_init+0x152/0x160 init/main.c:408 [] start_kernel+0x4fd/0x523 init/main.c:662 [] x86_64_start_reservations+0x2a/0x2c arch/x86/kernel/head64.c:195 [] x86_64_start_kernel+0x17c/0x18b arch/x86/kernel/head64.c:176 Object at ffff8801362e2100, in cache kmalloc-8192 size: 8192 Allocated: PID = 7529 [] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:67 [] save_stack mm/kasan/kasan.c:479 [inline] [] set_track mm/kasan/kasan.c:491 [inline] [] kasan_kmalloc+0xee/0x180 mm/kasan/kasan.c:582 [] __kmalloc+0x15f/0x3c0 mm/slub.c:3719 [] kmalloc include/linux/slab.h:495 [inline] [] kzalloc include/linux/slab.h:636 [inline] [] alloc_netdev_mqs+0x940/0xda0 net/core/dev.c:7610 [] rtnl_create_link+0x132/0x830 net/core/rtnetlink.c:2302 [] rtnl_newlink+0xc55/0x1220 net/core/rtnetlink.c:2547 [] rtnetlink_rcv_msg+0x222/0x670 net/core/rtnetlink.c:3846 [] netlink_rcv_skb+0x242/0x350 net/netlink/af_netlink.c:2280 [] rtnetlink_rcv+0x25/0x30 net/core/rtnetlink.c:3852 [] netlink_unicast_kernel net/netlink/af_netlink.c:1214 [inline] [] netlink_unicast+0x3df/0x570 net/netlink/af_netlink.c:1240 [] netlink_sendmsg+0x9bb/0xb40 net/netlink/af_netlink.c:1786 [] sock_sendmsg_nosec net/socket.c:609 [inline] [] sock_sendmsg+0xb5/0xf0 net/socket.c:619 [] SYSC_sendto net/socket.c:1644 [inline] [] SyS_sendto+0x1ca/0x2c0 net/socket.c:1612 [] entry_SYSCALL_64_fastpath+0x23/0xc1 Freed: PID = 2978 [] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:67 [] save_stack mm/kasan/kasan.c:479 [inline] [] set_track mm/kasan/kasan.c:491 [inline] [] kasan_slab_free+0xae/0x180 mm/kasan/kasan.c:555 [] slab_free_hook mm/slub.c:1356 [inline] [] slab_free_freelist_hook mm/slub.c:1378 [inline] [] slab_free mm/slub.c:2936 [inline] [] kfree+0x11b/0x3a0 mm/slub.c:3856 [] kvfree+0x25/0x30 mm/util.c:329 [] netdev_freemem+0x47/0x60 net/core/dev.c:7562 [] netdev_release+0x6c/0x90 net/core/net-sysfs.c:1469 [] device_release+0x71/0x1e0 drivers/base/core.c:247 [] kobject_cleanup lib/kobject.c:645 [inline] [] kobject_release lib/kobject.c:674 [inline] [] kref_sub include/linux/kref.h:73 [inline] [] kref_put include/linux/kref.h:98 [inline] [] kobject_put+0x146/0x400 lib/kobject.c:691 [] netdev_run_todo+0x483/0x650 net/core/dev.c:7467 [] rtnl_unlock+0x9/0x10 net/core/rtnetlink.c:104 [] default_device_exit_batch+0x2fe/0x3d0 net/core/dev.c:8244 [] ops_exit_list.isra.0+0xd6/0x120 net/core/net_namespace.c:137 [] cleanup_net+0x2d0/0x540 net/core/net_namespace.c:431 [] process_one_work+0x67d/0x14f0 kernel/workqueue.c:2096 [] worker_thread+0xda/0xf10 kernel/workqueue.c:2230 [] kthread+0x209/0x2d0 kernel/kthread.c:209 [] ret_from_fork+0x1f/0x40 arch/x86/entry/entry_64.S:393 Memory state around the buggy address: ffff8801362e3500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8801362e3580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff8801362e3600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff8801362e3680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8801362e3700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ================================================================== ================================================================== BUG: KASAN: use-after-free in debug_spin_lock_before kernel/locking/spinlock_debug.c:85 [inline] at addr ffff8801362e3638 BUG: KASAN: use-after-free in do_raw_spin_lock+0x2a5/0x2f0 kernel/locking/spinlock_debug.c:135 at addr ffff8801362e3638 Read of size 4 by task swapper/0/0 CPU: 0 PID: 0 Comm: swapper/0 Tainted: G B 4.8.0-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 0000000000000000 ffff88013bc07b70 ffffffff82e4dd32 ffff88013b802a80 ffff8801362e2100 ffff8801362e4100 0000000000000101 dffffc0000000000 ffff88013bc07b98 ffffffff8171d43c ffff88013bc07c28 ffff88013b802a80 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0x136/0x1d4 lib/dump_stack.c:51 [] kasan_object_err+0x1c/0x70 mm/kasan/report.c:156 [] print_address_description mm/kasan/report.c:194 [inline] [] kasan_report_error+0x1e2/0x4c0 mm/kasan/report.c:283 [] kasan_report mm/kasan/report.c:303 [inline] [] __asan_report_load4_noabort+0x3e/0x40 mm/kasan/report.c:323 [] debug_spin_lock_before kernel/locking/spinlock_debug.c:85 [inline] [] do_raw_spin_lock+0x2a5/0x2f0 kernel/locking/spinlock_debug.c:135 [] __raw_spin_lock include/linux/spinlock_api_smp.h:145 [inline] [] _raw_spin_lock+0x3e/0x50 kernel/locking/spinlock.c:151 [] spin_lock include/linux/spinlock.h:302 [inline] [] br_multicast_group_expired+0x47/0x360 net/bridge/br_multicast.c:243 [] call_timer_fn+0x14f/0x630 kernel/time/timer.c:1298 [] expire_timers+0x28f/0x460 kernel/time/timer.c:1338 [] __run_timers kernel/time/timer.c:1627 [inline] [] run_timer_softirq+0x1a6/0x520 kernel/time/timer.c:1640 [] __do_softirq+0x2cb/0xa1c kernel/softirq.c:273 [] invoke_softirq kernel/softirq.c:350 [inline] [] irq_exit+0x14f/0x190 kernel/softirq.c:391 [] exiting_irq arch/x86/include/asm/apic.h:659 [inline] [] smp_apic_timer_interrupt+0x7b/0xa0 arch/x86/kernel/apic/apic.c:958 [] apic_timer_interrupt+0x8c/0xa0 arch/x86/entry/entry_64.S:633 [] ? native_safe_halt+0x6/0x10 arch/x86/include/asm/irqflags.h:49 [] arch_safe_halt arch/x86/include/asm/paravirt.h:107 [inline] [] default_idle+0x4f/0x390 arch/x86/kernel/process.c:307 [] arch_cpu_idle+0xa/0x10 arch/x86/kernel/process.c:298 [] default_idle_call+0x48/0xa0 kernel/sched/idle.c:93 [] cpuidle_idle_call kernel/sched/idle.c:151 [inline] [] cpu_idle_loop kernel/sched/idle.c:244 [inline] [] cpu_startup_entry+0x5ec/0x7e0 kernel/sched/idle.c:293 [] rest_init+0x152/0x160 init/main.c:408 [] start_kernel+0x4fd/0x523 init/main.c:662 [] x86_64_start_reservations+0x2a/0x2c arch/x86/kernel/head64.c:195 [] x86_64_start_kernel+0x17c/0x18b arch/x86/kernel/head64.c:176 Object at ffff8801362e2100, in cache kmalloc-8192 size: 8192 Allocated: PID = 7529 [] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:67 [] save_stack mm/kasan/kasan.c:479 [inline] [] set_track mm/kasan/kasan.c:491 [inline] [] kasan_kmalloc+0xee/0x180 mm/kasan/kasan.c:582 [] __kmalloc+0x15f/0x3c0 mm/slub.c:3719 [] kmalloc include/linux/slab.h:495 [inline] [] kzalloc include/linux/slab.h:636 [inline] [] alloc_netdev_mqs+0x940/0xda0 net/core/dev.c:7610