================================================================== BUG: KASAN: use-after-free in atomic_read include/asm-generic/atomic-instrumented.h:21 [inline] BUG: KASAN: use-after-free in atomic_fetch_add_unless include/linux/atomic.h:575 [inline] BUG: KASAN: use-after-free in atomic_add_unless include/linux/atomic.h:597 [inline] BUG: KASAN: use-after-free in dst_hold_safe include/net/dst.h:308 [inline] BUG: KASAN: use-after-free in ip6_hold_safe+0xa7/0x3a0 net/ipv6/route.c:1023 Read of size 4 at addr ffff888094854588 by task syz-executor.0/12523 CPU: 1 PID: 12523 Comm: syz-executor.0 Not tainted 5.0.0+ #110 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x172/0x1f0 lib/dump_stack.c:113 print_address_description.cold+0x7c/0x20d mm/kasan/report.c:187 kasan_report.cold+0x1b/0x40 mm/kasan/report.c:317 check_memory_region_inline mm/kasan/generic.c:185 [inline] check_memory_region+0x123/0x190 mm/kasan/generic.c:191 kasan_check_read+0x11/0x20 mm/kasan/common.c:100 atomic_read include/asm-generic/atomic-instrumented.h:21 [inline] atomic_fetch_add_unless include/linux/atomic.h:575 [inline] atomic_add_unless include/linux/atomic.h:597 [inline] dst_hold_safe include/net/dst.h:308 [inline] ip6_hold_safe+0xa7/0x3a0 net/ipv6/route.c:1023 rt6_get_pcpu_route net/ipv6/route.c:1243 [inline] ip6_pol_route+0x33d/0xf00 net/ipv6/route.c:1904 ip6_nh_lookup_table.isra.0+0x1be/0x2c0 net/ipv6/route.c:2732 ip6_route_check_nh_onlink net/ipv6/route.c:2756 [inline] ip6_validate_gw net/ipv6/route.c:2865 [inline] ip6_route_info_create+0x1aed/0x2a20 net/ipv6/route.c:3068 ip6_route_multipath_add+0x45f/0x1350 net/ipv6/route.c:4363 inet6_rtm_newroute+0xd3/0x150 net/ipv6/route.c:4528 rtnetlink_rcv_msg+0x465/0xb00 net/core/rtnetlink.c:5192 netlink_rcv_skb+0x17a/0x460 net/netlink/af_netlink.c:2485 rtnetlink_rcv+0x1d/0x30 net/core/rtnetlink.c:5210 netlink_unicast_kernel net/netlink/af_netlink.c:1310 [inline] netlink_unicast+0x536/0x720 net/netlink/af_netlink.c:1336 netlink_sendmsg+0x8ae/0xd70 net/netlink/af_netlink.c:1925 sock_sendmsg_nosec net/socket.c:622 [inline] sock_sendmsg+0xdd/0x130 net/socket.c:632 ___sys_sendmsg+0x3e2/0x930 net/socket.c:2137 __sys_sendmmsg+0x1bf/0x4d0 net/socket.c:2232 __do_sys_sendmmsg net/socket.c:2261 [inline] __se_sys_sendmmsg net/socket.c:2258 [inline] __x64_sys_sendmmsg+0x9d/0x100 net/socket.c:2258 do_syscall_64+0x103/0x610 arch/x86/entry/common.c:290 entry_SYSCALL_64_after_hwframe+0x49/0xbe RIP: 0033:0x457f29 Code: ad b8 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b8 fb ff c3 66 2e 0f 1f 84 00 00 00 00 RSP: 002b:00007f79ebea5c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000133 RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 0000000000457f29 RDX: 0492492492492805 RSI: 0000000020000140 RDI: 0000000000000003 RBP: 000000000073bf00 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 00007f79ebea66d4 R13: 00000000004c4ee0 R14: 00000000004d8c28 R15: 00000000ffffffff Allocated by task 12108: save_stack+0x45/0xd0 mm/kasan/common.c:73 set_track mm/kasan/common.c:85 [inline] __kasan_kmalloc mm/kasan/common.c:495 [inline] __kasan_kmalloc.constprop.0+0xcf/0xe0 mm/kasan/common.c:468 kasan_slab_alloc+0xf/0x20 mm/kasan/common.c:503 slab_post_alloc_hook mm/slab.h:440 [inline] slab_alloc mm/slab.c:3388 [inline] kmem_cache_alloc+0x11a/0x6f0 mm/slab.c:3548 ptlock_alloc+0x20/0x70 mm/memory.c:4577 ptlock_init include/linux/mm.h:1955 [inline] pgtable_page_ctor include/linux/mm.h:1982 [inline] pte_alloc_one+0x6d/0x1a0 arch/x86/mm/pgtable.c:38 __pte_alloc+0x20/0x310 mm/memory.c:406 do_anonymous_page mm/memory.c:2899 [inline] handle_pte_fault mm/memory.c:3785 [inline] __handle_mm_fault+0x33ca/0x3f20 mm/memory.c:3911 handle_mm_fault+0x43f/0xb30 mm/memory.c:3948 faultin_page mm/gup.c:535 [inline] __get_user_pages+0x7b6/0x1a40 mm/gup.c:738 __get_user_pages_locked mm/gup.c:914 [inline] get_user_pages_remote+0x21d/0x440 mm/gup.c:1106 get_arg_page fs/exec.c:216 [inline] copy_strings.isra.0+0x3dc/0x890 fs/exec.c:559 copy_strings_kernel+0xa5/0x110 fs/exec.c:604 __do_execve_file.isra.0+0x10ef/0x23f0 fs/exec.c:1803 do_execveat_common fs/exec.c:1865 [inline] do_execve+0x33/0x40 fs/exec.c:1882 call_usermodehelper_exec_async+0x5b5/0x740 kernel/umh.c:111 ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:352 Freed by task 12108: save_stack+0x45/0xd0 mm/kasan/common.c:73 set_track mm/kasan/common.c:85 [inline] __kasan_slab_free+0x102/0x150 mm/kasan/common.c:457 kasan_slab_free+0xe/0x10 mm/kasan/common.c:465 __cache_free mm/slab.c:3494 [inline] kmem_cache_free+0x86/0x260 mm/slab.c:3754 ptlock_free+0x38/0x42 mm/memory.c:4586 pgtable_page_dtor include/linux/mm.h:1991 [inline] ___pte_free_tlb+0x1e/0x160 arch/x86/mm/pgtable.c:64 __pte_free_tlb arch/x86/include/asm/pgalloc.h:73 [inline] free_pte_range mm/memory.c:198 [inline] free_pmd_range mm/memory.c:216 [inline] free_pud_range mm/memory.c:250 [inline] free_p4d_range mm/memory.c:284 [inline] free_pgd_range+0x8e2/0xed0 mm/memory.c:364 shift_arg_pages+0x2b3/0x490 fs/exec.c:673 setup_arg_pages+0x668/0x7f0 fs/exec.c:766 load_elf_binary+0xc30/0x53f0 fs/binfmt_elf.c:887 search_binary_handler fs/exec.c:1656 [inline] search_binary_handler+0x17f/0x570 fs/exec.c:1634 exec_binprm fs/exec.c:1698 [inline] __do_execve_file.isra.0+0x1394/0x23f0 fs/exec.c:1818 do_execveat_common fs/exec.c:1865 [inline] do_execve+0x33/0x40 fs/exec.c:1882 call_usermodehelper_exec_async+0x5b5/0x740 kernel/umh.c:111 ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:352 The buggy address belongs to the object at ffff888094854580 which belongs to the cache page->ptl of size 56 The buggy address is located 8 bytes inside of 56-byte region [ffff888094854580, ffff8880948545b8) The buggy address belongs to the page: page:ffffea0002521500 count:1 mapcount:0 mapping:ffff88812c3eb0c0 index:0xffff888094854840 flags: 0x1fffc0000000200(slab) raw: 01fffc0000000200 ffffea00027f4e48 ffffea0002456088 ffff88812c3eb0c0 raw: ffff888094854840 ffff888094854000 000000010000002b 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff888094854480: fb fb fb fb fb fb fc fc fc fc fb fb fb fb fb fb ffff888094854500: fb fc fc fc fc fb fb fb fb fb fb fb fc fc fc fc >ffff888094854580: fb fb fb fb fb fb fb fc fc fc fc fb fb fb fb fb ^ ffff888094854600: fb fb fc fc fc fc fb fb fb fb fb fb fb fc fc fc ffff888094854680: fc fb fb fb fb fb fb fb fc fc fc fc fb fb fb fb ==================================================================