==================================================================
BUG: KASAN: use-after-free in ifname_compare_aligned include/linux/netfilter/x_tables.h:362 [inline]
BUG: KASAN: use-after-free in ip6_packet_match net/ipv6/netfilter/ip6_tables.c:124 [inline]
BUG: KASAN: use-after-free in ip6t_do_table+0x1545/0x1860 net/ipv6/netfilter/ip6_tables.c:382
Read of size 8 at addr ffff8801d3f54000 by task syz-executor.3/3639

CPU: 1 PID: 3639 Comm: syz-executor.3 Not tainted 4.4.174+ #17
 0000000000000000 5771efea4bde42b5 ffff8801d2d9f028 ffffffff81aad1a1
 0000000000000000 ffffea00074fd500 ffff8801d3f54000 0000000000000008
 dffffc0000000000 ffff8801d2d9f060 ffffffff81490120 0000000000000000
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x120 lib/dump_stack.c:51
 [] print_address_description+0x6f/0x21b mm/kasan/report.c:252
 [] kasan_report_error mm/kasan/report.c:351 [inline]
 [] kasan_report mm/kasan/report.c:408 [inline]
 [] kasan_report.cold+0x8c/0x2be mm/kasan/report.c:393
 [] __asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:429
 [] ifname_compare_aligned include/linux/netfilter/x_tables.h:362 [inline]
 [] ip6_packet_match net/ipv6/netfilter/ip6_tables.c:124 [inline]
 [] ip6t_do_table+0x1545/0x1860 net/ipv6/netfilter/ip6_tables.c:382
 [] ip6t_mangle_out net/ipv6/netfilter/ip6table_mangle.c:60 [inline]
 [] ip6table_mangle_hook+0x2d6/0x710 net/ipv6/netfilter/ip6table_mangle.c:82
 [] nf_iterate+0x186/0x220 net/netfilter/core.c:274
 [] nf_hook_slow+0x1b6/0x340 net/netfilter/core.c:306
 [] nf_hook_thresh include/linux/netfilter.h:187 [inline]
 [] nf_hook include/linux/netfilter.h:197 [inline]
 [] __ip6_local_out+0x309/0x4b0 net/ipv6/output_core.c:157
 [] ip6_local_out+0x29/0x180 net/ipv6/output_core.c:167
 [] ip6_send_skb+0xa2/0x340 net/ipv6/ip6_output.c:1725
 [] udp_v6_send_skb+0x438/0xe90 net/ipv6/udp.c:1066
 [] udp_v6_push_pending_frames+0x245/0x360 net/ipv6/udp.c:1098
 [] udpv6_sendmsg+0x1a37/0x24f0 net/ipv6/udp.c:1358
 [] inet_sendmsg+0x202/0x4d0 net/ipv4/af_inet.c:755
 [] sock_sendmsg_nosec net/socket.c:638 [inline]
 [] sock_sendmsg+0xbe/0x110 net/socket.c:648
 [] ___sys_sendmsg+0x369/0x890 net/socket.c:1975
 [] __sys_sendmmsg+0x1d6/0x2e0 net/socket.c:2053
 [] C_SYSC_sendmmsg net/compat.c:731 [inline]
 [] compat_SyS_sendmmsg+0x32/0x40 net/compat.c:728
 [] do_syscall_32_irqs_on arch/x86/entry/common.c:330 [inline]
 [] do_fast_syscall_32+0x32d/0xa90 arch/x86/entry/common.c:397
 [] sysenter_flags_fixed+0xd/0x1a

The buggy address belongs to the page:
page:ffffea00074fd500 count:0 mapcount:-127 mapping: (null) index:0x0
flags: 0x4000000000000000()
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8801d3f53f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff8801d3f53f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff8801d3f54000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                   ^
 ffff8801d3f54080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff8801d3f54100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================