================================================================== BUG: KASAN: use-after-free in __write_once_size include/linux/compiler.h:247 [inline] BUG: KASAN: use-after-free in __hlist_del include/linux/list.h:632 [inline] BUG: KASAN: use-after-free in hlist_del_rcu include/linux/rculist.h:340 [inline] BUG: KASAN: use-after-free in nf_nat_cleanup_conntrack+0x1ca/0x1e0 net/netfilter/nf_nat_core.c:691 Write of size 8 at addr ffff8801c1f11430 by task swapper/1/0 CPU: 1 PID: 0 Comm: swapper/1 Not tainted 4.4.174+ #17 0000000000000000 cdaa87ea4e863e79 ffff8801db707a10 ffffffff81aad1a1 0000000000000001 ffffea000707c440 ffff8801c1f11430 0000000000000008 ffffffff82361100 ffff8801db707a48 ffffffff81490120 0000000000000001 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xc1/0x120 lib/dump_stack.c:51 [] print_address_description+0x6f/0x21b mm/kasan/report.c:252 [] kasan_report_error mm/kasan/report.c:351 [inline] [] kasan_report mm/kasan/report.c:408 [inline] [] kasan_report.cold+0x8c/0x2be mm/kasan/report.c:393 [] __asan_report_store8_noabort+0x17/0x20 mm/kasan/report.c:434 [] __write_once_size include/linux/compiler.h:247 [inline] [] __hlist_del include/linux/list.h:632 [inline] [] hlist_del_rcu include/linux/rculist.h:340 [inline] [] nf_nat_cleanup_conntrack+0x1ca/0x1e0 net/netfilter/nf_nat_core.c:691 [] __nf_ct_ext_destroy+0x140/0x2a0 net/netfilter/nf_conntrack_extend.c:40 [] nf_ct_ext_destroy include/net/netfilter/nf_conntrack_extend.h:80 [inline] [] nf_conntrack_free+0x77/0x120 net/netfilter/nf_conntrack_core.c:904 [] destroy_conntrack+0x270/0x380 net/netfilter/nf_conntrack_core.c:365 [] nf_conntrack_destroy+0x99/0x1a0 net/netfilter/core.c:389 [] nf_conntrack_put include/linux/skbuff.h:3377 [inline] [] skb_release_head_state+0x15a/0x210 net/core/skbuff.c:649 [] skb_release_all+0x16/0x60 net/core/skbuff.c:659 [] __kfree_skb net/core/skbuff.c:675 [inline] [] kfree_skb+0xf7/0x400 net/core/skbuff.c:696 [] inet_frag_rbtree_purge+0xaa/0xf0 net/ipv4/ip_fragment.c:761 [] inet_frag_destroy+0x21f/0x2c0 net/ipv4/inet_fragment.c:156 [] inet_frag_put include/net/inet_frag.h:124 [inline] [] ipq_put+0x34/0x40 net/ipv4/ip_fragment.c:164 [] ip_expire+0x14d/0x880 net/ipv4/ip_fragment.c:265 [] call_timer_fn+0x18d/0x850 kernel/time/timer.c:1185 [] __run_timers kernel/time/timer.c:1261 [inline] [] run_timer_softirq+0x51f/0xb70 kernel/time/timer.c:1444 [] __do_softirq+0x226/0xa3f kernel/softirq.c:273 [] invoke_softirq kernel/softirq.c:350 [inline] [] irq_exit+0x10a/0x150 kernel/softirq.c:391 [] exiting_irq arch/x86/include/asm/apic.h:652 [inline] [] smp_apic_timer_interrupt+0x7e/0xb0 arch/x86/kernel/apic/apic.c:926 [] apic_timer_interrupt+0x9d/0xb0 arch/x86/entry/entry_64.S:768 [] ? native_safe_halt+0x2/0x10 arch/x86/include/asm/irqflags.h:52 [] arch_cpu_idle+0x10/0x20 arch/x86/kernel/process.c:423 [] default_idle_call+0x48/0x70 kernel/sched/idle.c:93 [] cpuidle_idle_call kernel/sched/idle.c:157 [inline] [] cpu_idle_loop kernel/sched/idle.c:253 [inline] [] cpu_startup_entry+0x6d1/0x810 kernel/sched/idle.c:301 [] start_secondary+0x31d/0x410 arch/x86/kernel/smpboot.c:245 The buggy address belongs to the page: page:ffffea000707c440 count:0 mapcount:0 mapping: (null) index:0x0 flags: 0x4000000000000000() page dumped because: kasan: bad access detected Memory state around the buggy address: ffff8801c1f11300: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ffff8801c1f11380: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff >ffff8801c1f11400: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ^ ffff8801c1f11480: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ffff8801c1f11500: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ==================================================================