binder: 30633:30669 transaction failed 29201/-22, size 0-0 line 3007 ================================================================== BUG: KASAN: use-after-free in ip6_dst_ifdown+0x2f1/0x320 net/ipv6/route.c:400 at addr ffff8801ca60ed00 Read of size 8 by task syz-executor4/30649 CPU: 0 PID: 30649 Comm: syz-executor4 Not tainted 4.9.65-g5311c74 #100 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 ffff8801a8caf698 ffffffff81d904c9 ffff8801da001140 ffff8801ca60ed00 ffff8801ca60f100 ffffed00394c1da0 ffff8801ca60ed00 ffff8801a8caf6c0 ffffffff8153a45c ffffed00394c1da0 ffff8801da001140 0000000000000000 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xc1/0x128 lib/dump_stack.c:51 [] kasan_object_err+0x1c/0x70 mm/kasan/report.c:160 [] print_address_description mm/kasan/report.c:198 [inline] [] kasan_report_error mm/kasan/report.c:287 [inline] [] kasan_report.part.1+0x21c/0x500 mm/kasan/report.c:309 [] kasan_report mm/kasan/report.c:330 [inline] [] __asan_report_load8_noabort+0x29/0x30 mm/kasan/report.c:330 [] ip6_dst_ifdown+0x2f1/0x320 net/ipv6/route.c:400 [] dst_ifdown+0x75/0x230 net/core/dst.c:440 [] dst_dev_event+0xb1/0x2e0 net/core/dst.c:467 [] notifier_call_chain+0x90/0x1a0 kernel/notifier.c:93 [] __raw_notifier_call_chain kernel/notifier.c:394 [inline] [] raw_notifier_call_chain+0x2d/0x40 kernel/notifier.c:401 [] call_netdevice_notifiers_info+0x51/0x90 net/core/dev.c:1646 [] call_netdevice_notifiers net/core/dev.c:1662 [inline] [] netdev_run_todo+0x17a/0x6b0 net/core/dev.c:7499 [] rtnl_unlock+0xe/0x10 net/core/rtnetlink.c:104 [] tun_detach drivers/net/tun.c:579 [inline] [] tun_chr_close+0x49/0x60 drivers/net/tun.c:2379 [] __fput+0x28c/0x6e0 fs/file_table.c:208 [] ____fput+0x15/0x20 fs/file_table.c:244 [] task_work_run+0x115/0x190 kernel/task_work.c:116 [] exit_task_work include/linux/task_work.h:21 [inline] [] do_exit+0x7e7/0x2a40 kernel/exit.c:833 [] do_group_exit+0x108/0x320 kernel/exit.c:937 [] get_signal+0x4d4/0x14e0 kernel/signal.c:2315 [] do_signal+0x87/0x1a00 arch/x86/kernel/signal.c:807 [] exit_to_usermode_loop+0xe1/0x120 arch/x86/entry/common.c:156 [] prepare_exit_to_usermode arch/x86/entry/common.c:190 [inline] [] syscall_return_slowpath+0x1a0/0x1e0 arch/x86/entry/common.c:259 [] entry_SYSCALL_64_fastpath+0xc4/0xc6 Object at ffff8801ca60ed00, in cache kmalloc-1024 size: 1024 Allocated: PID = 3320 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 save_stack+0x43/0xd0 mm/kasan/kasan.c:495 set_track mm/kasan/kasan.c:507 [inline] kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598 kmem_cache_alloc_trace+0xfb/0x2a0 mm/slub.c:2742 kmalloc include/linux/slab.h:490 [inline] kzalloc include/linux/slab.h:636 [inline] ipv6_add_dev+0xbb/0x1000 net/ipv6/addrconf.c:371 addrconf_notify+0xa5e/0x2190 net/ipv6/addrconf.c:3356 notifier_call_chain+0x90/0x1a0 kernel/notifier.c:93 __raw_notifier_call_chain kernel/notifier.c:394 [inline] raw_notifier_call_chain+0x2d/0x40 kernel/notifier.c:401 call_netdevice_notifiers_info+0x51/0x90 net/core/dev.c:1646 call_netdevice_notifiers net/core/dev.c:1662 [inline] register_netdevice+0xb92/0xea0 net/core/dev.c:7294 register_netdev+0x1a/0x30 net/core/dev.c:7377 loopback_net_init+0x76/0x160 drivers/net/loopback.c:202 ops_init+0xa9/0x3a0 net/core/net_namespace.c:111 setup_net+0x1b2/0x3e0 net/core/net_namespace.c:291 copy_net_ns+0x189/0x280 net/core/net_namespace.c:389 create_new_namespaces+0x37f/0x730 kernel/nsproxy.c:106 copy_namespaces+0x291/0x320 kernel/nsproxy.c:164 copy_process.part.51+0x1c99/0x5d40 kernel/fork.c:1667 copy_process kernel/fork.c:1491 [inline] _do_fork+0x1c0/0xd70 kernel/fork.c:1949 SYSC_clone kernel/fork.c:2059 [inline] SyS_clone+0x37/0x50 kernel/fork.c:2053 do_syscall_64+0x197/0x490 arch/x86/entry/common.c:280 return_from_SYSCALL_64+0x0/0x7a Freed: PID = 0 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 save_stack+0x43/0xd0 mm/kasan/kasan.c:495 set_track mm/kasan/kasan.c:507 [inline] kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:571 slab_free_hook mm/slub.c:1355 [inline] slab_free_freelist_hook mm/slub.c:1377 [inline] slab_free mm/slub.c:2958 [inline] kfree+0xf0/0x2f0 mm/slub.c:3878 in6_dev_finish_destroy_rcu+0x9d/0xc0 net/ipv6/addrconf_core.c:150 __rcu_reclaim kernel/rcu/rcu.h:118 [inline] rcu_do_batch kernel/rcu/tree.c:2789 [inline] invoke_rcu_callbacks kernel/rcu/tree.c:3053 [inline] __rcu_process_callbacks kernel/rcu/tree.c:3020 [inline] rcu_process_callbacks+0x871/0x12c0 kernel/rcu/tree.c:3037 __do_softirq+0x206/0x951 kernel/softirq.c:284 Memory state around the buggy address: ffff8801ca60ec00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8801ca60ec80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff8801ca60ed00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff8801ca60ed80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8801ca60ee00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ================================================================== ================================================================== BUG: KASAN: use-after-free in ip6_dst_ifdown+0x2f1/0x320 net/ipv6/route.c:400 at addr ffff8801ca60ed00 Read of size 8 by task syz-executor4/30649 CPU: 0 PID: 30649 Comm: syz-executor4 Tainted: G B 4.9.65-g5311c74 #100 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 ffff8801a8caf698 ffffffff81d904c9 ffff8801da001140 ffff8801ca60ed00 ffff8801ca60f100 ffffed00394c1da0 ffff8801ca60ed00 ffff8801a8caf6c0 ffffffff8153a45c ffffed00394c1da0 ffff8801da001140 0000000000000000 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xc1/0x128 lib/dump_stack.c:51 [] kasan_object_err+0x1c/0x70 mm/kasan/report.c:160 [] print_address_description mm/kasan/report.c:198 [inline] [] kasan_report_error mm/kasan/report.c:287 [inline] [] kasan_report.part.1+0x21c/0x500 mm/kasan/report.c:309 [] kasan_report mm/kasan/report.c:330 [inline] [] __asan_report_load8_noabort+0x29/0x30 mm/kasan/report.c:330 [] ip6_dst_ifdown+0x2f1/0x320 net/ipv6/route.c:400 [] dst_ifdown+0x75/0x230 net/core/dst.c:440 [] dst_dev_event+0xb1/0x2e0 net/core/dst.c:467 [] notifier_call_chain+0x90/0x1a0 kernel/notifier.c:93 [] __raw_notifier_call_chain kernel/notifier.c:394 [inline] [] raw_notifier_call_chain+0x2d/0x40 kernel/notifier.c:401 [] call_netdevice_notifiers_info+0x51/0x90 net/core/dev.c:1646 [] call_netdevice_notifiers net/core/dev.c:1662 [inline] [] netdev_run_todo+0x17a/0x6b0 net/core/dev.c:7499 [] rtnl_unlock+0xe/0x10 net/core/rtnetlink.c:104 [] tun_detach drivers/net/tun.c:579 [inline] [] tun_chr_close+0x49/0x60 drivers/net/tun.c:2379 [] __fput+0x28c/0x6e0 fs/file_table.c:208 [] ____fput+0x15/0x20 fs/file_table.c:244 [] task_work_run+0x115/0x190 kernel/task_work.c:116 [] exit_task_work include/linux/task_work.h:21 [inline] [] do_exit+0x7e7/0x2a40 kernel/exit.c:833 [] do_group_exit+0x108/0x320 kernel/exit.c:937 [] get_signal+0x4d4/0x14e0 kernel/signal.c:2315 [] do_signal+0x87/0x1a00 arch/x86/kernel/signal.c:807 [] exit_to_usermode_loop+0xe1/0x120 arch/x86/entry/common.c:156 [] prepare_exit_to_usermode arch/x86/entry/common.c:190 [inline] [] syscall_return_slowpath+0x1a0/0x1e0 arch/x86/entry/common.c:259 [] entry_SYSCALL_64_fastpath+0xc4/0xc6 Object at ffff8801ca60ed00, in cache kmalloc-1024 size: 1024 Allocated: PID = 3320 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 save_stack+0x43/0xd0 mm/kasan/kasan.c:495 set_track mm/kasan/kasan.c:507 [inline] kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598 kmem_cache_alloc_trace+0xfb/0x2a0 mm/slub.c:2742 kmalloc include/linux/slab.h:490 [inline] kzalloc include/linux/slab.h:636 [inline] ipv6_add_dev+0xbb/0x1000 net/ipv6/addrconf.c:371 addrconf_notify+0xa5e/0x2190 net/ipv6/addrconf.c:3356 notifier_call_chain+0x90/0x1a0 kernel/notifier.c:93 __raw_notifier_call_chain kernel/notifier.c:394 [inline] raw_notifier_call_chain+0x2d/0x40 kernel/notifier.c:401 call_netdevice_notifiers_info+0x51/0x90 net/core/dev.c:1646 call_netdevice_notifiers net/core/dev.c:1662 [inline] register_netdevice+0xb92/0xea0 net/core/dev.c:7294 register_netdev+0x1a/0x30 net/core/dev.c:7377 loopback_net_init+0x76/0x160 drivers/net/loopback.c:202 ops_init+0xa9/0x3a0 net/core/net_namespace.c:111 setup_net+0x1b2/0x3e0 net/core/net_namespace.c:291 copy_net_ns+0x189/0x280 net/core/net_namespace.c:389 create_new_namespaces+0x37f/0x730 kernel/nsproxy.c:106 copy_namespaces+0x291/0x320 kernel/nsproxy.c:164 copy_process.part.51+0x1c99/0x5d40 kernel/fork.c:1667 copy_process kernel/fork.c:1491 [inline] _do_fork+0x1c0/0xd70 kernel/fork.c:1949 SYSC_clone kernel/fork.c:2059 [inline] SyS_clone+0x37/0x50 kernel/fork.c:2053 do_syscall_64+0x197/0x490 arch/x86/entry/common.c:280 return_from_SYSCALL_64+0x0/0x7a Freed: PID = 0 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 save_stack+0x43/0xd0 mm/kasan/kasan.c:495 set_track mm/kasan/kasan.c:507 [inline] kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:571 slab_free_hook mm/slub.c:1355 [inline] slab_free_freelist_hook mm/slub.c:1377 [inline] slab_free mm/slub.c:2958 [inline] kfree+0xf0/0x2f0 mm/slub.c:3878 in6_dev_finish_destroy_rcu+0x9d/0xc0 net/ipv6/addrconf_core.c:150 __rcu_reclaim kernel/rcu/rcu.h:118 [inline] rcu_do_batch kernel/rcu/tree.c:2789 [inline] invoke_rcu_callbacks kernel/rcu/tree.c:3053 [inline] __rcu_process_callbacks kernel/rcu/tree.c:3020 [inline] rcu_process_callbacks+0x871/0x12c0 kernel/rcu/tree.c:3037 __do_softirq+0x206/0x951 kernel/softirq.c:284 Memory state around the buggy address: ffff8801ca60ec00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8801ca60ec80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff8801ca60ed00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff8801ca60ed80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8801ca60ee00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ================================================================== binder: 30633:30669 ioctl 40046205 1000 returned -22 binder: 30633:30669 DecRefs 0 refcount change on invalid ref 1 ret -22 binder: 30633:30669 BC_INCREFS_DONE node 255 has no pending increfs request binder: 30633:30699 ioctl 40286608 5 returned -22 binder: 30633:30702 ioctl 40046205 10000 returned -22 binder: 30633:30702 ioctl 40046205 3 returned -22 binder: BINDER_SET_CONTEXT_MGR already set binder: 30633:30702 ioctl 40046207 0 returned -16 binder: 30633:30699 ERROR: BC_REGISTER_LOOPER called without request binder: 30633:30702 got transaction to invalid handle binder: 30633:30702 transaction failed 29201/-22, size 0-0 line 3007 binder: 30633:30699 got reply transaction with no transaction stack binder: 30633:30699 transaction failed 29201/-71, size 32-8 line 2923 binder: 30633:30699 ioctl 40046205 1000 returned -22 binder: undelivered TRANSACTION_ERROR: 29201 device lo entered promiscuous mode device lo left promiscuous mode device lo entered promiscuous mode device lo left promiscuous mode netlink: 64 bytes leftover after parsing attributes in process `syz-executor7'. netlink: 64 bytes leftover after parsing attributes in process `syz-executor7'. binder: 30789:30790 BC_DEAD_BINDER_DONE 0000000000000003 not found binder: 30789:30790 BC_INCREFS_DONE u000000002011a000 no match binder: 30789:30790 got transaction with invalid parent offset or type binder: 30789:30790 transaction failed 29201/-22, size 32-24 line 3253 device lo entered promiscuous mode binder: 30789:30790 got transaction with unaligned buffers size, 58534 binder: 30789:30790 transaction failed 29201/-22, size 0-40 line 3175 binder: BINDER_SET_CONTEXT_MGR already set binder: 30789:30803 ioctl 40046207 0 returned -16 binder: 30789:30803 BC_DEAD_BINDER_DONE 0000000000000003 not found binder: 30789:30803 BC_INCREFS_DONE u000000002011a000 no match binder_alloc: 30789: binder_alloc_buf, no vma binder: 30789:30803 transaction failed 29189/-3, size 32-24 line 3130 binder: 30808:30811 BC_DEAD_BINDER_DONE 0000000000000003 not found binder: 30808:30811 got transaction to invalid handle binder: 30808:30811 transaction failed 29201/-22, size 24-16 line 3007 binder: 30808:30811 ioctl 40106410 20002000 returned -22 binder: 30789:30790 ioctl c0306201 2000f000 returned -14 binder_alloc: 30789: binder_alloc_buf, no vma binder: 30789:30803 transaction failed 29189/-3, size 0-40 line 3130 binder: 30808:30811 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0 binder: 30808:30813 BC_CLEAR_DEATH_NOTIFICATION invalid ref 0 binder: undelivered TRANSACTION_ERROR: 29189 binder: undelivered TRANSACTION_ERROR: 29201 binder: 30808:30813 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0 binder: 30808:30820 BC_DEAD_BINDER_DONE 0000000000000003 not found binder: 30808:30820 Release 1 refcount change on invalid ref 0 ret -22 binder: 30808:30820 got transaction to invalid handle binder: 30808:30820 transaction failed 29201/-22, size 24-16 line 3007 binder: 30808:30811 ioctl 40106410 20002000 returned -22 binder: undelivered death notification, 0000000000000000 qtaguid: iface_stat: create(lo): no inet dev qtaguid: iface_stat: create6(lo): no inet dev IPv6: ADDRCONF(NETDEV_CHANGE): lo: link becomes ready qtaguid: iface_stat: create6(lo): no inet dev device lo entered promiscuous mode device lo left promiscuous mode device lo entered promiscuous mode qtaguid: iface_stat: create(lo): no inet dev qtaguid: iface_stat: create6(lo): no inet dev IPv6: ADDRCONF(NETDEV_CHANGE): lo: link becomes ready qtaguid: iface_stat: create6(lo): no inet dev device lo left promiscuous mode SELinux: unrecognized netlink message: protocol=9 nlmsg_type=18 sclass=netlink_audit_socket pig=30903 comm=syz-executor1 SELinux: unrecognized netlink message: protocol=9 nlmsg_type=18 sclass=netlink_audit_socket pig=30903 comm=syz-executor1 ================================================================== BUG: KASAN: use-after-free in ip6_dst_ifdown+0x2f1/0x320 net/ipv6/route.c:400 at addr ffff8801ca60ed00 Read of size 8 by task syz-executor3/30904 CPU: 1 PID: 30904 Comm: syz-executor3 Tainted: G B 4.9.65-g5311c74 #100 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 ffff8801cd80f698 ffffffff81d904c9 ffff8801da001140 ffff8801ca60ed00 ffff8801ca60f100 ffffed00394c1da0 ffff8801ca60ed00 ffff8801cd80f6c0 ffffffff8153a45c ffffed00394c1da0 ffff8801da001140 0000000000000000 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xc1/0x128 lib/dump_stack.c:51 [] kasan_object_err+0x1c/0x70 mm/kasan/report.c:160 [] print_address_description mm/kasan/report.c:198 [inline] [] kasan_report_error mm/kasan/report.c:287 [inline] [] kasan_report.part.1+0x21c/0x500 mm/kasan/report.c:309 [] kasan_report mm/kasan/report.c:330 [inline] [] __asan_report_load8_noabort+0x29/0x30 mm/kasan/report.c:330 [] ip6_dst_ifdown+0x2f1/0x320 net/ipv6/route.c:400 [] dst_ifdown+0x75/0x230 net/core/dst.c:440 [] dst_dev_event+0xb1/0x2e0 net/core/dst.c:467 [] notifier_call_chain+0x90/0x1a0 kernel/notifier.c:93 [] __raw_notifier_call_chain kernel/notifier.c:394 [inline] [] raw_notifier_call_chain+0x2d/0x40 kernel/notifier.c:401 [] call_netdevice_notifiers_info+0x51/0x90 net/core/dev.c:1646 [] call_netdevice_notifiers net/core/dev.c:1662 [inline] [] netdev_run_todo+0x17a/0x6b0 net/core/dev.c:7499 [] rtnl_unlock+0xe/0x10 net/core/rtnetlink.c:104 [] tun_detach drivers/net/tun.c:579 [inline] [] tun_chr_close+0x49/0x60 drivers/net/tun.c:2379 [] __fput+0x28c/0x6e0 fs/file_table.c:208 [] ____fput+0x15/0x20 fs/file_table.c:244 [] task_work_run+0x115/0x190 kernel/task_work.c:116 [] exit_task_work include/linux/task_work.h:21 [inline] [] do_exit+0x7e7/0x2a40 kernel/exit.c:833 [] do_group_exit+0x108/0x320 kernel/exit.c:937 [] get_signal+0x4d4/0x14e0 kernel/signal.c:2315 [] do_signal+0x87/0x1a00 arch/x86/kernel/signal.c:807 [] exit_to_usermode_loop+0xe1/0x120 arch/x86/entry/common.c:156 [] prepare_exit_to_usermode arch/x86/entry/common.c:190 [inline] [] syscall_return_slowpath+0x1a0/0x1e0 arch/x86/entry/common.c:259 [] entry_SYSCALL_64_fastpath+0xc4/0xc6 Object at ffff8801ca60ed00, in cache kmalloc-1024 size: 1024 Allocated: PID = 3267 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 save_stack+0x43/0xd0 mm/kasan/kasan.c:495 set_track mm/kasan/kasan.c:507 [inline] kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598 kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:537 slab_post_alloc_hook mm/slab.h:417 [inline] slab_alloc_node mm/slub.c:2715 [inline] slab_alloc mm/slub.c:2723 [inline] __kmalloc_track_caller+0xda/0x2b0 mm/slub.c:4232 __kmalloc_reserve.isra.37+0x33/0xc0 net/core/skbuff.c:138 __alloc_skb+0x119/0x600 net/core/skbuff.c:231 alloc_skb_fclone include/linux/skbuff.h:961 [inline] sk_stream_alloc_skb+0xa3/0x5d0 net/ipv4/tcp.c:828 tcp_sendmsg+0xd1b/0x2ff0 net/ipv4/tcp.c:1224 inet_sendmsg+0x2bc/0x4c0 net/ipv4/af_inet.c:770 sock_sendmsg_nosec net/socket.c:635 [inline] sock_sendmsg+0xca/0x110 net/socket.c:645 sock_write_iter+0x226/0x3b0 net/socket.c:843 new_sync_write fs/read_write.c:499 [inline] __vfs_write+0x4bf/0x680 fs/read_write.c:512 vfs_write+0x189/0x530 fs/read_write.c:560 SYSC_write fs/read_write.c:607 [inline] SyS_write+0xd9/0x1b0 fs/read_write.c:599 entry_SYSCALL_64_fastpath+0x23/0xc6 Freed: PID = 3267 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 save_stack+0x43/0xd0 mm/kasan/kasan.c:495 set_track mm/kasan/kasan.c:507 [inline] kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:571 slab_free_hook mm/slub.c:1355 [inline] slab_free_freelist_hook mm/slub.c:1377 [inline] slab_free mm/slub.c:2958 [inline] kfree+0xf0/0x2f0 mm/slub.c:3878 skb_free_head+0x74/0xb0 net/core/skbuff.c:580 skb_release_data+0x315/0x3f0 net/core/skbuff.c:611 skb_release_all+0x4a/0x60 net/core/skbuff.c:670 __kfree_skb net/core/skbuff.c:684 [inline] consume_skb+0xc6/0x340 net/core/skbuff.c:757 __dev_kfree_skb_any+0x58/0x70 net/core/dev.c:2381 dev_kfree_skb_any include/linux/netdevice.h:3308 [inline] free_old_xmit_skbs.isra.50+0x1ba/0x2d0 drivers/net/virtio_net.c:825 start_xmit+0x11d/0x1410 drivers/net/virtio_net.c:880 __netdev_start_xmit include/linux/netdevice.h:4062 [inline] netdev_start_xmit include/linux/netdevice.h:4071 [inline] xmit_one net/core/dev.c:2947 [inline] dev_hard_start_xmit+0x192/0x8a0 net/core/dev.c:2963 sch_direct_xmit+0x2bc/0x5d0 net/sched/sch_generic.c:182 __dev_xmit_skb net/core/dev.c:3132 [inline] __dev_queue_xmit+0x15fd/0x1e60 net/core/dev.c:3392 dev_queue_xmit+0x17/0x20 net/core/dev.c:3457 neigh_hh_output include/net/neighbour.h:468 [inline] dst_neigh_output include/net/dst.h:468 [inline] ip_finish_output2+0xbe8/0x1060 net/ipv4/ip_output.c:225 ip_finish_output+0x6b1/0xa00 net/ipv4/ip_output.c:313 NF_HOOK_COND include/linux/netfilter.h:246 [inline] ip_output+0x1ca/0x610 net/ipv4/ip_output.c:401 dst_output include/net/dst.h:507 [inline] ip_local_out+0x95/0x170 net/ipv4/ip_output.c:124 ip_queue_xmit+0x884/0x1760 net/ipv4/ip_output.c:500 tcp_transmit_skb+0x1847/0x2f00 net/ipv4/tcp_output.c:1036 tcp_write_xmit+0xbd6/0x4a40 net/ipv4/tcp_output.c:2182 __tcp_push_pending_frames+0xa0/0x240 net/ipv4/tcp_output.c:2363 tcp_push+0x3fc/0x5d0 net/ipv4/tcp.c:688 tcp_sendmsg+0xb38/0x2ff0 net/ipv4/tcp.c:1342 inet_sendmsg+0x2bc/0x4c0 net/ipv4/af_inet.c:770 sock_sendmsg_nosec net/socket.c:635 [inline] sock_sendmsg+0xca/0x110 net/socket.c:645 sock_write_iter+0x226/0x3b0 net/socket.c:843 new_sync_write fs/read_write.c:499 [inline] __vfs_write+0x4bf/0x680 fs/read_write.c:512 vfs_write+0x189/0x530 fs/read_write.c:560 SYSC_write fs/read_write.c:607 [inline] SyS_write+0xd9/0x1b0 fs/read_write.c:599 entry_SYSCALL_64_fastpath+0x23/0xc6 Memory state around the buggy address: ffff8801ca60ec00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8801ca60ec80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff8801ca60ed00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff8801ca60ed80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8801ca60ee00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ================================================================== ================================================================== BUG: KASAN: use-after-free in ip6_dst_ifdown+0x2f1/0x320 net/ipv6/route.c:400 at addr ffff8801ca60ed00 Read of size 8 by task syz-executor3/30904 CPU: 1 PID: 30904 Comm: syz-executor3 Tainted: G B 4.9.65-g5311c74 #100 binder_alloc: binder_alloc_mmap_handler: 30921 20000000-20002000 already mapped failed -16 binder: 30921:30926 got transaction with invalid offsets size, 4 binder: 30921:30926 transaction failed 29201/-22, size 0-4 line 3166 binder_alloc: binder_alloc_mmap_handler: 30921 20000000-20002000 already mapped failed -16 binder: BINDER_SET_CONTEXT_MGR already set binder: 30921:30926 ioctl 40046207 0 returned -16 binder_alloc: 30921: binder_alloc_buf, no vma binder: 30921:30929 transaction failed 29189/-3, size 0-4 line 3130 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 ffff8801cd80f698 ffffffff81d904c9 ffff8801da001140 ffff8801ca60ed00 ffff8801ca60f100 ffffed00394c1da0 ffff8801ca60ed00 ffff8801cd80f6c0 ffffffff8153a45c ffffed00394c1da0 ffff8801da001140 0000000000000000 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xc1/0x128 lib/dump_stack.c:51 [] kasan_object_err+0x1c/0x70 mm/kasan/report.c:160 [] print_address_description mm/kasan/report.c:198 [inline] [] kasan_report_error mm/kasan/report.c:287 [inline] [] kasan_report.part.1+0x21c/0x500 mm/kasan/report.c:309 [] kasan_report mm/kasan/report.c:330 [inline] [] __asan_report_load8_noabort+0x29/0x30 mm/kasan/report.c:330 [] ip6_dst_ifdown+0x2f1/0x320 net/ipv6/route.c:400 [] dst_ifdown+0x75/0x230 net/core/dst.c:440 [] dst_dev_event+0xb1/0x2e0 net/core/dst.c:467 [] notifier_call_chain+0x90/0x1a0 kernel/notifier.c:93 [] __raw_notifier_call_chain kernel/notifier.c:394 [inline] [] raw_notifier_call_chain+0x2d/0x40 kernel/notifier.c:401 [] call_netdevice_notifiers_info+0x51/0x90 net/core/dev.c:1646 [] call_netdevice_notifiers net/core/dev.c:1662 [inline] [] netdev_run_todo+0x17a/0x6b0 net/core/dev.c:7499 [] rtnl_unlock+0xe/0x10 net/core/rtnetlink.c:104 [] tun_detach drivers/net/tun.c:579 [inline] [] tun_chr_close+0x49/0x60 drivers/net/tun.c:2379 [] __fput+0x28c/0x6e0 fs/file_table.c:208 [] ____fput+0x15/0x20 fs/file_table.c:244 [] task_work_run+0x115/0x190 kernel/task_work.c:116 [] exit_task_work include/linux/task_work.h:21 [inline] [] do_exit+0x7e7/0x2a40 kernel/exit.c:833 [] do_group_exit+0x108/0x320 kernel/exit.c:937 [] get_signal+0x4d4/0x14e0 kernel/signal.c:2315 [] do_signal+0x87/0x1a00 arch/x86/kernel/signal.c:807 [] exit_to_usermode_loop+0xe1/0x120 arch/x86/entry/common.c:156 [] prepare_exit_to_usermode arch/x86/entry/common.c:190 [inline] [] syscall_return_slowpath+0x1a0/0x1e0 arch/x86/entry/common.c:259 [] entry_SYSCALL_64_fastpath+0xc4/0xc6 Object at ffff8801ca60ed00, in cache kmalloc-1024 size: 1024 Allocated: PID = 3267 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 save_stack+0x43/0xd0 mm/kasan/kasan.c:495 set_track mm/kasan/kasan.c:507 [inline] kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598 kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:537 slab_post_alloc_hook mm/slab.h:417 [inline] slab_alloc_node mm/slub.c:2715 [inline] slab_alloc mm/slub.c:2723 [inline] __kmalloc_track_caller+0xda/0x2b0 mm/slub.c:4232 __kmalloc_reserve.isra.37+0x33/0xc0 net/core/skbuff.c:138 __alloc_skb+0x119/0x600 net/core/skbuff.c:231 alloc_skb_fclone include/linux/skbuff.h:961 [inline] sk_stream_alloc_skb+0xa3/0x5d0 net/ipv4/tcp.c:828 tcp_sendmsg+0xd1b/0x2ff0 net/ipv4/tcp.c:1224 inet_sendmsg+0x2bc/0x4c0 net/ipv4/af_inet.c:770 sock_sendmsg_nosec net/socket.c:635 [inline] sock_sendmsg+0xca/0x110 net/socket.c:645 sock_write_iter+0x226/0x3b0 net/socket.c:843 new_sync_write fs/read_write.c:499 [inline] __vfs_write+0x4bf/0x680 fs/read_write.c:512 vfs_write+0x189/0x530 fs/read_write.c:560 SYSC_write fs/read_write.c:607 [inline] SyS_write+0xd9/0x1b0 fs/read_write.c:599 entry_SYSCALL_64_fastpath+0x23/0xc6 Freed: PID = 3267 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 save_stack+0x43/0xd0 mm/kasan/kasan.c:495 set_track mm/kasan/kasan.c:507 [inline] kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:571 slab_free_hook mm/slub.c:1355 [inline] slab_free_freelist_hook mm/slub.c:1377 [inline] slab_free mm/slub.c:2958 [inline] kfree+0xf0/0x2f0 mm/slub.c:3878 skb_free_head+0x74/0xb0 net/core/skbuff.c:580 skb_release_data+0x315/0x3f0 net/core/skbuff.c:611 skb_release_all+0x4a/0x60 net/core/skbuff.c:670 __kfree_skb net/core/skbuff.c:684 [inline] consume_skb+0xc6/0x340 net/core/skbuff.c:757 __dev_kfree_skb_any+0x58/0x70 net/core/dev.c:2381 dev_kfree_skb_any include/linux/netdevice.h:3308 [inline] free_old_xmit_skbs.isra.50+0x1ba/0x2d0 drivers/net/virtio_net.c:825 start_xmit+0x11d/0x1410 drivers/net/virtio_net.c:880 __netdev_start_xmit include/linux/netdevice.h:4062 [inline] netdev_start_xmit include/linux/netdevice.h:4071 [inline] xmit_one net/core/dev.c:2947 [inline] dev_hard_start_xmit+0x192/0x8a0 net/core/dev.c:2963 sch_direct_xmit+0x2bc/0x5d0 net/sched/sch_generic.c:182 __dev_xmit_skb net/core/dev.c:3132 [inline] __dev_queue_xmit+0x15fd/0x1e60 net/core/dev.c:3392 dev_queue_xmit+0x17/0x20 net/core/dev.c:3457 neigh_hh_output include/net/neighbour.h:468 [inline] dst_neigh_output include/net/dst.h:468 [inline] ip_finish_output2+0xbe8/0x1060 net/ipv4/ip_output.c:225 ip_finish_output+0x6b1/0xa00 net/ipv4/ip_output.c:313 NF_HOOK_COND include/linux/netfilter.h:246 [inline] ip_output+0x1ca/0x610 net/ipv4/ip_output.c:401 dst_output include/net/dst.h:507 [inline] ip_local_out+0x95/0x170 net/ipv4/ip_output.c:124 ip_queue_xmit+0x884/0x1760 net/ipv4/ip_output.c:500 tcp_transmit_skb+0x1847/0x2f00 net/ipv4/tcp_output.c:1036 tcp_write_xmit+0xbd6/0x4a40 net/ipv4/tcp_output.c:2182 __tcp_push_pending_frames+0xa0/0x240 net/ipv4/tcp_output.c:2363 tcp_push+0x3fc/0x5d0 net/ipv4/tcp.c:688 tcp_sendmsg+0xb38/0x2ff0 net/ipv4/tcp.c:1342 inet_sendmsg+0x2bc/0x4c0 net/ipv4/af_inet.c:770 sock_sendmsg_nosec net/socket.c:635 [inline] sock_sendmsg+0xca/0x110 net/socket.c:645 sock_write_iter+0x226/0x3b0 net/socket.c:843 new_sync_write fs/read_write.c:499 [inline] __vfs_write+0x4bf/0x680 fs/read_write.c:512 vfs_write+0x189/0x530 fs/read_write.c:560 SYSC_write fs/read_write.c:607 [inline] SyS_write+0xd9/0x1b0 fs/read_write.c:599 entry_SYSCALL_64_fastpath+0x23/0xc6 Memory state around the buggy address: ffff8801ca60ec00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff8801ca60ec80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff8801ca60ed00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff8801ca60ed80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8801ca60ee00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ================================================================== device gre0 entered promiscuous mode ================================================================== BUG: KASAN: use-after-free in ip6_dst_ifdown+0x2f1/0x320 net/ipv6/route.c:400 at addr ffff8801ca60ed00 Read of size 8 by task syz-executor7/30932 CPU: 1 PID: 30932 Comm: syz-executor7 Tainted: G B 4.9.65-g5311c74 #100 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 ffff8801cdd274f0 ffffffff81d904c9 ffff8801da001140 ffff8801ca60ed00 ffff8801ca60f100 ffffed00394c1da0 ffff8801ca60ed00 ffff8801cdd27518 ffffffff8153a45c ffffed00394c1da0 ffff8801da001140 0000000000000000 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xc1/0x128 lib/dump_stack.c:51 [] kasan_object_err+0x1c/0x70 mm/kasan/report.c:160 [] print_address_description mm/kasan/report.c:198 [inline] [] kasan_report_error mm/kasan/report.c:287 [inline] [] kasan_report.part.1+0x21c/0x500 mm/kasan/report.c:309 [] kasan_report mm/kasan/report.c:330 [inline] [] __asan_report_load8_noabort+0x29/0x30 mm/kasan/report.c:330 [] ip6_dst_ifdown+0x2f1/0x320 net/ipv6/route.c:400 [] dst_ifdown+0x75/0x230 net/core/dst.c:440 [] dst_dev_event+0xb1/0x2e0 net/core/dst.c:467 [] notifier_call_chain+0x90/0x1a0 kernel/notifier.c:93 [] __raw_notifier_call_chain kernel/notifier.c:394 [inline] [] raw_notifier_call_chain+0x2d/0x40 kernel/notifier.c:401 [] call_netdevice_notifiers_info+0x51/0x90 net/core/dev.c:1646 [] call_netdevice_notifiers net/core/dev.c:1662 [inline] [] dev_close_many+0x254/0x370 net/core/dev.c:1455 [] rollback_registered_many+0x27a/0x960 net/core/dev.c:6783 [] rollback_registered+0x81/0xb0 net/core/dev.c:6846 [] unregister_netdevice_queue+0x81/0x140 net/core/dev.c:7833 [] unregister_netdevice include/linux/netdevice.h:2458 [inline] [] __tun_detach+0xa2c/0xc20 drivers/net/tun.c:567 [] tun_detach drivers/net/tun.c:578 [inline] [] tun_chr_close+0x44/0x60 drivers/net/tun.c:2379 [] __fput+0x28c/0x6e0 fs/file_table.c:208 [] ____fput+0x15/0x20 fs/file_table.c:244 [] task_work_run+0x115/0x190 kernel/task_work.c:116 [] exit_task_work include/linux/task_work.h:21 [inline] [] do_exit+0x7e7/0x2a40 kernel/exit.c:833 [] do_group_exit+0x108/0x320 kernel/exit.c:937 [] get_signal+0x4d4/0x14e0 kernel/signal.c:2315 [] do_signal+0x87/0x1a00 arch/x86/kernel/signal.c:807 [] exit_to_usermode_loop+0xe1/0x120 arch/x86/entry/common.c:156 [] prepare_exit_to_usermode arch/x86/entry/common.c:190 [inline] [] syscall_return_slowpath+0x1a0/0x1e0 arch/x86/entry/common.c:259 [] entry_SYSCALL_64_fastpath+0xc4/0xc6 Object at ffff8801ca60ed00, in cache kmalloc-1024 size: 1024 Allocated: PID = 3267 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 save_stack+0x43/0xd0 mm/kasan/kasan.c:495 set_track mm/kasan/kasan.c:507 [inline] kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598 kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:537 slab_post_alloc_hook mm/slab.h:417 [inline] slab_alloc_node mm/slub.c:2715 [inline] slab_alloc mm/slub.c:2723 [inline] __kmalloc_track_caller+0xda/0x2b0 mm/slub.c:4232 __kmalloc_reserve.isra.37+0x33/0xc0 net/core/skbuff.c:138 __alloc_skb+0x119/0x600 net/core/skbuff.c:231 alloc_skb_fclone include/linux/skbuff.h:961 [inline] sk_stream_alloc_skb+0xa3/0x5d0 net/ipv4/tcp.c:828 tcp_sendmsg+0xd1b/0x2ff0 net/ipv4/tcp.c:1224 inet_sendmsg+0x2bc/0x4c0 net/ipv4/af_inet.c:770 sock_sendmsg_nosec net/socket.c:635 [inline] sock_sendmsg+0xca/0x110 net/socket.c:645 sock_write_iter+0x226/0x3b0 net/socket.c:843 new_sync_write fs/read_write.c:499 [inline] __vfs_write+0x4bf/0x680 fs/read_write.c:512 vfs_write+0x189/0x530 fs/read_write.c:560 SYSC_write fs/read_write.c:607 [inline] SyS_write+0xd9/0x1b0 fs/read_write.c:599 entry_SYSCALL_64_fastpath+0x23/0xc6 Freed: PID = 3267 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 save_stack+0x43/0xd0 mm/kasan/kasan.c:495 set_track mm/kasan/kasan.c:507 [inline] kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:571 slab_free_hook mm/slub.c:1355 [inline] slab_free_freelist_hook mm/slub.c:1377 [inline] slab_free mm/slub.c:2958 [inline] kfree+0xf0/0x2f0 mm/slub.c:3878 skb_free_head+0x74/0xb0 net/core/skbuff.c:580 skb_release_data+0x315/0x3f0 net/core/skbuff.c:611 skb_release_all+0x4a/0x60 net/core/skbuff.c:670 __kfree_skb net/core/skbuff.c:684 [inline] consume_skb+0xc6/0x340 net/core/skbuff.c:757 __dev_kfree_skb_any+0x58/0x70 net/core/dev.c:2381 dev_kfree_skb_any include/linux/netdevice.h:3308 [inline] free_old_xmit_skbs.isra.50+0x1ba/0x2d0 drivers/net/virtio_net.c:825 start_xmit+0x11d/0x1410 drivers/net/virtio_net.c:880 __netdev_start_xmit include/linux/netdevice.h:4062 [inline] netdev_start_xmit include/linux/netdevice.h:4071 [inline] xmit_one net/core/dev.c:2947 [inline] dev_hard_start_xmit+0x192/0x8a0 net/core/dev.c:2963 sch_direct_xmit+0x2bc/0x5d0 net/sched/sch_generic.c:182 __dev_xmit_skb net/core/dev.c:3132 [inline] __dev_queue_xmit+0x15fd/0x1e60 net/core/dev.c:3392 dev_queue_xmit+0x17/0x20 net/core/dev.c:3457 neigh_hh_output include/net/neighbour.h:468 [inline] dst_neigh_output include/net/dst.h:468 [inline] ip_finish_output2+0xbe8/0x1060 net/ipv4/ip_output.c:225 ip_finish_output+0x6b1/0xa00 net/ipv4/ip_output.c:313 NF_HOOK_COND include/linux/netfilter.h:246 [inline] ip_output+0x1ca/0x610 net/ipv4/ip_output.c:401 dst_output include/net/dst.h:507 [inline] ip_local_out+0x95/0x170 net/ipv4/ip_output.c:124 ip_queue_xmit+0x884/0x1760 net/ipv4/ip_output.c:500 tcp_transmit_skb+0x1847/0x2f00 net/ipv4/tcp_output.c:1036 tcp_write_xmit+0xbd6/0x4a40 net/ipv4/tcp_output.c:2182 __tcp_push_pending_frames+0xa0/0x240 net/ipv4/tcp_output.c:2363 tcp_push+0x3fc/0x5d0 net/ipv4/tcp.c:688 tcp_sendmsg+0xb38/0x2ff0 net/ipv4/tcp.c:1342 inet_sendmsg+0x2bc/0x4c0 net/ipv4/af_inet.c:770 sock_sendmsg_nosec net/socket.c:635 [inline] sock_sendmsg+0xca/0x110 net/socket.c:645 sock_write_iter+0x226/0x3b0 net/socket.c:843 new_sync_write fs/read_write.c:499 [inline] __vfs_write+0x4bf/0x680 fs/read_write.c:512 vfs_write+0x189/0x530 fs/read_write.c:560 SYSC_write fs/read_write.c:607 [inline] SyS_write+0xd9/0x1b0 fs/read_write.c:599 entry_SYSCALL_64_fastpath+0x23/0xc6 Memory state around the buggy address: ffff8801ca60ec00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8801ca60ec80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff8801ca60ed00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff8801ca60ed80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8801ca60ee00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ================================================================== ================================================================== BUG: KASAN: use-after-free in ip6_dst_ifdown+0x2f1/0x320 net/ipv6/route.c:400 at addr ffff8801ca60ed00 Read of size 8 by task syz-executor7/30932 CPU: 1 PID: 30932 Comm: syz-executor7 Tainted: G B 4.9.65-g5311c74 #100 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 ffff8801cdd274f0 ffffffff81d904c9 ffff8801da001140 ffff8801ca60ed00 ffff8801ca60f100 ffffed00394c1da0 ffff8801ca60ed00 ffff8801cdd27518 ffffffff8153a45c ffffed00394c1da0 ffff8801da001140 0000000000000000 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xc1/0x128 lib/dump_stack.c:51 [] kasan_object_err+0x1c/0x70 mm/kasan/report.c:160 [] print_address_description mm/kasan/report.c:198 [inline] [] kasan_report_error mm/kasan/report.c:287 [inline] [] kasan_report.part.1+0x21c/0x500 mm/kasan/report.c:309 [] kasan_report mm/kasan/report.c:330 [inline] [] __asan_report_load8_noabort+0x29/0x30 mm/kasan/report.c:330 [] ip6_dst_ifdown+0x2f1/0x320 net/ipv6/route.c:400 [] dst_ifdown+0x75/0x230 net/core/dst.c:440 [] dst_dev_event+0xb1/0x2e0 net/core/dst.c:467 [] notifier_call_chain+0x90/0x1a0 kernel/notifier.c:93 [] __raw_notifier_call_chain kernel/notifier.c:394 [inline] [] raw_notifier_call_chain+0x2d/0x40 kernel/notifier.c:401 [] call_netdevice_notifiers_info+0x51/0x90 net/core/dev.c:1646 [] call_netdevice_notifiers net/core/dev.c:1662 [inline] [] dev_close_many+0x254/0x370 net/core/dev.c:1455 [] rollback_registered_many+0x27a/0x960 net/core/dev.c:6783 [] rollback_registered+0x81/0xb0 net/core/dev.c:6846 [] unregister_netdevice_queue+0x81/0x140 net/core/dev.c:7833 [] unregister_netdevice include/linux/netdevice.h:2458 [inline] [] __tun_detach+0xa2c/0xc20 drivers/net/tun.c:567 [] tun_detach drivers/net/tun.c:578 [inline] [] tun_chr_close+0x44/0x60 drivers/net/tun.c:2379 [] __fput+0x28c/0x6e0 fs/file_table.c:208 [] ____fput+0x15/0x20 fs/file_table.c:244 [] task_work_run+0x115/0x190 kernel/task_work.c:116 [] exit_task_work include/linux/task_work.h:21 [inline] [] do_exit+0x7e7/0x2a40 kernel/exit.c:833 [] do_group_exit+0x108/0x320 kernel/exit.c:937 [] get_signal+0x4d4/0x14e0 kernel/signal.c:2315 [] do_signal+0x87/0x1a00 arch/x86/kernel/signal.c:807 [] exit_to_usermode_loop+0xe1/0x120 arch/x86/entry/common.c:156 [] prepare_exit_to_usermode arch/x86/entry/common.c:190 [inline] [] syscall_return_slowpath+0x1a0/0x1e0 arch/x86/entry/common.c:259 [] entry_SYSCALL_64_fastpath+0xc4/0xc6 Object at ffff8801ca60ed00, in cache kmalloc-1024 size: 1024 Allocated: PID = 3267 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 save_stack+0x43/0xd0 mm/kasan/kasan.c:495 set_track mm/kasan/kasan.c:507 [inline] kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598 kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:537 slab_post_alloc_hook mm/slab.h:417 [inline] slab_alloc_node mm/slub.c:2715 [inline] slab_alloc mm/slub.c:2723 [inline] __kmalloc_track_caller+0xda/0x2b0 mm/slub.c:4232 __kmalloc_reserve.isra.37+0x33/0xc0 net/core/skbuff.c:138 __alloc_skb+0x119/0x600 net/core/skbuff.c:231 alloc_skb_fclone include/linux/skbuff.h:961 [inline] sk_stream_alloc_skb+0xa3/0x5d0 net/ipv4/tcp.c:828 tcp_sendmsg+0xd1b/0x2ff0 net/ipv4/tcp.c:1224 inet_sendmsg+0x2bc/0x4c0 net/ipv4/af_inet.c:770 sock_sendmsg_nosec net/socket.c:635 [inline] sock_sendmsg+0xca/0x110 net/socket.c:645 sock_write_iter+0x226/0x3b0 net/socket.c:843 new_sync_write fs/read_write.c:499 [inline] __vfs_write+0x4bf/0x680 fs/read_write.c:512 vfs_write+0x189/0x530 fs/read_write.c:560 SYSC_write fs/read_write.c:607 [inline] SyS_write+0xd9/0x1b0 fs/read_write.c:599 entry_SYSCALL_64_fastpath+0x23/0xc6 Freed: PID = 3267 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 save_stack+0x43/0xd0 mm/kasan/kasan.c:495 set_track mm/kasan/kasan.c:507 [inline] kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:571 slab_free_hook mm/slub.c:1355 [inline] slab_free_freelist_hook mm/slub.c:1377 [inline] slab_free mm/slub.c:2958 [inline] kfree+0xf0/0x2f0 mm/slub.c:3878 skb_free_head+0x74/0xb0 net/core/skbuff.c:580 skb_release_data+0x315/0x3f0 net/core/skbuff.c:611 skb_release_all+0x4a/0x60 net/core/skbuff.c:670 __kfree_skb net/core/skbuff.c:684 [inline] consume_skb+0xc6/0x340 net/core/skbuff.c:757 __dev_kfree_skb_any+0x58/0x70 net/core/dev.c:2381 dev_kfree_skb_any include/linux/netdevice.h:3308 [inline] free_old_xmit_skbs.isra.50+0x1ba/0x2d0 drivers/net/virtio_net.c:825 start_xmit+0x11d/0x1410 drivers/net/virtio_net.c:880 __netdev_start_xmit include/linux/netdevice.h:4062 [inline] netdev_start_xmit include/linux/netdevice.h:4071 [inline] xmit_one net/core/dev.c:2947 [inline] dev_hard_start_xmit+0x192/0x8a0 net/core/dev.c:2963 sch_direct_xmit+0x2bc/0x5d0 net/sched/sch_generic.c:182 __dev_xmit_skb net/core/dev.c:3132 [inline] __dev_queue_xmit+0x15fd/0x1e60 net/core/dev.c:3392 dev_queue_xmit+0x17/0x20 net/core/dev.c:3457 neigh_hh_output include/net/neighbour.h:468 [inline] dst_neigh_output include/net/dst.h:468 [inline] ip_finish_output2+0xbe8/0x1060 net/ipv4/ip_output.c:225 ip_finish_output+0x6b1/0xa00 net/ipv4/ip_output.c:313 NF_HOOK_COND include/linux/netfilter.h:246 [inline] ip_output+0x1ca/0x610 net/ipv4/ip_output.c:401 dst_output include/net/dst.h:507 [inline] ip_local_out+0x95/0x170 net/ipv4/ip_output.c:124 ip_queue_xmit+0x884/0x1760 net/ipv4/ip_output.c:500 tcp_transmit_skb+0x1847/0x2f00 net/ipv4/tcp_output.c:1036 tcp_write_xmit+0xbd6/0x4a40 net/ipv4/tcp_output.c:2182 __tcp_push_pending_frames+0xa0/0x240 net/ipv4/tcp_output.c:2363 tcp_push+0x3fc/0x5d0 net/ipv4/tcp.c:688 tcp_sendmsg+0xb38/0x2ff0 net/ipv4/tcp.c:1342 inet_sendmsg+0x2bc/0x4c0 net/ipv4/af_inet.c:770 sock_sendmsg_nosec net/socket.c:635 [inline] sock_sendmsg+0xca/0x110 net/socket.c:645 sock_write_iter+0x226/0x3b0 net/socket.c:843 new_sync_write fs/read_write.c:499 [inline] __vfs_write+0x4bf/0x680 fs/read_write.c:512 vfs_write+0x189/0x530 fs/read_write.c:560 SYSC_write fs/read_write.c:607 [inline] SyS_write+0xd9/0x1b0 fs/read_write.c:599 entry_SYSCALL_64_fastpath+0x23/0xc6 Memory state around the buggy address: ffff8801ca60ec00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8801ca60ec80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff8801ca60ed00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff8801ca60ed80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8801ca60ee00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ================================================================== ================================================================== BUG: KASAN: use-after-free in ip6_dst_ifdown+0x2f1/0x320 net/ipv6/route.c:400 at addr ffff8801ca60ed00 Read of size 8 by task syz-executor1/30916 CPU: 0 PID: 30916 Comm: syz-executor1 Tainted: G B 4.9.65-g5311c74 #100 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 ffff8801d5507698 ffffffff81d904c9 ffff8801da001140 ffff8801ca60ed00 ffff8801ca60f100 ffffed00394c1da0 ffff8801ca60ed00 ffff8801d55076c0 ffffffff8153a45c ffffed00394c1da0 ffff8801da001140 0000000000000000 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xc1/0x128 lib/dump_stack.c:51 [] kasan_object_err+0x1c/0x70 mm/kasan/report.c:160 [] print_address_description mm/kasan/report.c:198 [inline] [] kasan_report_error mm/kasan/report.c:287 [inline] [] kasan_report.part.1+0x21c/0x500 mm/kasan/report.c:309 [] kasan_report mm/kasan/report.c:330 [inline] [] __asan_report_load8_noabort+0x29/0x30 mm/kasan/report.c:330 [] ip6_dst_ifdown+0x2f1/0x320 net/ipv6/route.c:400 [] dst_ifdown+0x75/0x230 net/core/dst.c:440 [] dst_dev_event+0xb1/0x2e0 net/core/dst.c:467 [] notifier_call_chain+0x90/0x1a0 kernel/notifier.c:93 [] __raw_notifier_call_chain kernel/notifier.c:394 [inline] [] raw_notifier_call_chain+0x2d/0x40 kernel/notifier.c:401 [] call_netdevice_notifiers_info+0x51/0x90 net/core/dev.c:1646 [] call_netdevice_notifiers net/core/dev.c:1662 [inline] [] netdev_run_todo+0x17a/0x6b0 net/core/dev.c:7499 [] rtnl_unlock+0xe/0x10 net/core/rtnetlink.c:104 [] tun_detach drivers/net/tun.c:579 [inline] [] tun_chr_close+0x49/0x60 drivers/net/tun.c:2379 [] __fput+0x28c/0x6e0 fs/file_table.c:208 [] ____fput+0x15/0x20 fs/file_table.c:244 [] task_work_run+0x115/0x190 kernel/task_work.c:116 [] exit_task_work include/linux/task_work.h:21 [inline] [] do_exit+0x7e7/0x2a40 kernel/exit.c:833 [] do_group_exit+0x108/0x320 kernel/exit.c:937 [] get_signal+0x4d4/0x14e0 kernel/signal.c:2315 [] do_signal+0x87/0x1a00 arch/x86/kernel/signal.c:807 [] exit_to_usermode_loop+0xe1/0x120 arch/x86/entry/common.c:156 [] prepare_exit_to_usermode arch/x86/entry/common.c:190 [inline] [] syscall_return_slowpath+0x1a0/0x1e0 arch/x86/entry/common.c:259 [] entry_SYSCALL_64_fastpath+0xc4/0xc6 Object at ffff8801ca60ed00, in cache kmalloc-1024 size: 1024 Allocated: PID = 3267 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 save_stack+0x43/0xd0 mm/kasan/kasan.c:495 set_track mm/kasan/kasan.c:507 [inline] kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598 kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:537 slab_post_alloc_hook mm/slab.h:417 [inline] slab_alloc_node mm/slub.c:2715 [inline] slab_alloc mm/slub.c:2723 [inline] __kmalloc_track_caller+0xda/0x2b0 mm/slub.c:4232 __kmalloc_reserve.isra.37+0x33/0xc0 net/core/skbuff.c:138 __alloc_skb+0x119/0x600 net/core/skbuff.c:231 alloc_skb_fclone include/linux/skbuff.h:961 [inline] sk_stream_alloc_skb+0xa3/0x5d0 net/ipv4/tcp.c:828 tcp_sendmsg+0xd1b/0x2ff0 net/ipv4/tcp.c:1224 inet_sendmsg+0x2bc/0x4c0 net/ipv4/af_inet.c:770 sock_sendmsg_nosec net/socket.c:635 [inline] sock_sendmsg+0xca/0x110 net/socket.c:645 sock_write_iter+0x226/0x3b0 net/socket.c:843 new_sync_write fs/read_write.c:499 [inline] __vfs_write+0x4bf/0x680 fs/read_write.c:512 vfs_write+0x189/0x530 fs/read_write.c:560 SYSC_write fs/read_write.c:607 [inline] SyS_write+0xd9/0x1b0 fs/read_write.c:599 entry_SYSCALL_64_fastpath+0x23/0xc6 Freed: PID = 3267 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 save_stack+0x43/0xd0 mm/kasan/kasan.c:495 set_track mm/kasan/kasan.c:507 [inline] kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:571 slab_free_hook mm/slub.c:1355 [inline] slab_free_freelist_hook mm/slub.c:1377 [inline] slab_free mm/slub.c:2958 [inline] kfree+0xf0/0x2f0 mm/slub.c:3878 skb_free_head+0x74/0xb0 net/core/skbuff.c:580 skb_release_data+0x315/0x3f0 net/core/skbuff.c:611 skb_release_all+0x4a/0x60 net/core/skbuff.c:670 __kfree_skb net/core/skbuff.c:684 [inline] consume_skb+0xc6/0x340 net/core/skbuff.c:757 __dev_kfree_skb_any+0x58/0x70 net/core/dev.c:2381 dev_kfree_skb_any include/linux/netdevice.h:3308 [inline] free_old_xmit_skbs.isra.50+0x1ba/0x2d0 drivers/net/virtio_net.c:825 start_xmit+0x11d/0x1410 drivers/net/virtio_net.c:880 __netdev_start_xmit include/linux/netdevice.h:4062 [inline] netdev_start_xmit include/linux/netdevice.h:4071 [inline] xmit_one net/core/dev.c:2947 [inline] dev_hard_start_xmit+0x192/0x8a0 net/core/dev.c:2963 sch_direct_xmit+0x2bc/0x5d0 net/sched/sch_generic.c:182 __dev_xmit_skb net/core/dev.c:3132 [inline] __dev_queue_xmit+0x15fd/0x1e60 net/core/dev.c:3392 dev_queue_xmit+0x17/0x20 net/core/dev.c:3457 neigh_hh_output include/net/neighbour.h:468 [inline] dst_neigh_output include/net/dst.h:468 [inline] ip_finish_output2+0xbe8/0x1060 net/ipv4/ip_output.c:225 ip_finish_output+0x6b1/0xa00 net/ipv4/ip_output.c:313 NF_HOOK_COND include/linux/netfilter.h:246 [inline] ip_output+0x1ca/0x610 net/ipv4/ip_output.c:401 dst_output include/net/dst.h:507 [inline] ip_local_out+0x95/0x170 net/ipv4/ip_output.c:124 ip_queue_xmit+0x884/0x1760 net/ipv4/ip_output.c:500 tcp_transmit_skb+0x1847/0x2f00 net/ipv4/tcp_output.c:1036 tcp_write_xmit+0xbd6/0x4a40 net/ipv4/tcp_output.c:2182 __tcp_push_pending_frames+0xa0/0x240 net/ipv4/tcp_output.c:2363 tcp_push+0x3fc/0x5d0 net/ipv4/tcp.c:688 tcp_sendmsg+0xb38/0x2ff0 net/ipv4/tcp.c:1342 inet_sendmsg+0x2bc/0x4c0 net/ipv4/af_inet.c:770 sock_sendmsg_nosec net/socket.c:635 [inline] sock_sendmsg+0xca/0x110 net/socket.c:645 sock_write_iter+0x226/0x3b0 net/socket.c:843 new_sync_write fs/read_write.c:499 [inline] __vfs_write+0x4bf/0x680 fs/read_write.c:512 vfs_write+0x189/0x530 fs/read_write.c:560 SYSC_write fs/read_write.c:607 [inline] SyS_write+0xd9/0x1b0 fs/read_write.c:599 entry_SYSCALL_64_fastpath+0x23/0xc6 Memory state around the buggy address: ffff8801ca60ec00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8801ca60ec80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff8801ca60ed00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff8801ca60ed80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8801ca60ee00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ================================================================== ================================================================== BUG: KASAN: use-after-free in ip6_dst_ifdown+0x2f1/0x320 net/ipv6/route.c:400 at addr ffff8801ca60ed00 Read of size 8 by task syz-executor1/30916 CPU: 0 PID: 30916 Comm: syz-executor1 Tainted: G B 4.9.65-g5311c74 #100 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 ffff8801d5507698 ffffffff81d904c9 ffff8801da001140 ffff8801ca60ed00 ffff8801ca60f100 ffffed00394c1da0 ffff8801ca60ed00 ffff8801d55076c0 ffffffff8153a45c ffffed00394c1da0 ffff8801da001140 0000000000000000 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xc1/0x128 lib/dump_stack.c:51 [] kasan_object_err+0x1c/0x70 mm/kasan/report.c:160 [] print_address_description mm/kasan/report.c:198 [inline] [] kasan_report_error mm/kasan/report.c:287 [inline] [] kasan_report.part.1+0x21c/0x500 mm/kasan/report.c:309 [] kasan_report mm/kasan/report.c:330 [inline] [] __asan_report_load8_noabort+0x29/0x30 mm/kasan/report.c:330 [] ip6_dst_ifdown+0x2f1/0x320 net/ipv6/route.c:400 [] dst_ifdown+0x75/0x230 net/core/dst.c:440 [] dst_dev_event+0xb1/0x2e0 net/core/dst.c:467 [] notifier_call_chain+0x90/0x1a0 kernel/notifier.c:93 [] __raw_notifier_call_chain kernel/notifier.c:394 [inline] [] raw_notifier_call_chain+0x2d/0x40 kernel/notifier.c:401 [] call_netdevice_notifiers_info+0x51/0x90 net/core/dev.c:1646 [] call_netdevice_notifiers net/core/dev.c:1662 [inline] [] netdev_run_todo+0x17a/0x6b0 net/core/dev.c:7499 [] rtnl_unlock+0xe/0x10 net/core/rtnetlink.c:104 [] tun_detach drivers/net/tun.c:579 [inline] [] tun_chr_close+0x49/0x60 drivers/net/tun.c:2379 [] __fput+0x28c/0x6e0 fs/file_table.c:208 [] ____fput+0x15/0x20 fs/file_table.c:244 [] task_work_run+0x115/0x190 kernel/task_work.c:116 [] exit_task_work include/linux/task_work.h:21 [inline] [] do_exit+0x7e7/0x2a40 kernel/exit.c:833 [] do_group_exit+0x108/0x320 kernel/exit.c:937 [] get_signal+0x4d4/0x14e0 kernel/signal.c:2315 unregister_netdevice: waiting for lo to become free. Usage count = 2 [] do_signal+0x87/0x1a00 arch/x86/kernel/signal.c:807 [] exit_to_usermode_loop+0xe1/0x120 arch/x86/entry/common.c:156 [] prepare_exit_to_usermode arch/x86/entry/common.c:190 [inline] [] syscall_return_slowpath+0x1a0/0x1e0 arch/x86/entry/common.c:259 [] entry_SYSCALL_64_fastpath+0xc4/0xc6 Object at ffff8801ca60ed00, in cache kmalloc-1024 size: 1024 Allocated: PID = 3267 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 save_stack+0x43/0xd0 mm/kasan/kasan.c:495 set_track mm/kasan/kasan.c:507 [inline] kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598 kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:537 slab_post_alloc_hook mm/slab.h:417 [inline] slab_alloc_node mm/slub.c:2715 [inline] slab_alloc mm/slub.c:2723 [inline] __kmalloc_track_caller+0xda/0x2b0 mm/slub.c:4232 __kmalloc_reserve.isra.37+0x33/0xc0 net/core/skbuff.c:138 __alloc_skb+0x119/0x600 net/core/skbuff.c:231 alloc_skb_fclone include/linux/skbuff.h:961 [inline] sk_stream_alloc_skb+0xa3/0x5d0 net/ipv4/tcp.c:828 tcp_sendmsg+0xd1b/0x2ff0 net/ipv4/tcp.c:1224 inet_sendmsg+0x2bc/0x4c0 net/ipv4/af_inet.c:770 sock_sendmsg_nosec net/socket.c:635 [inline] sock_sendmsg+0xca/0x110 net/socket.c:645 sock_write_iter+0x226/0x3b0 net/socket.c:843 new_sync_write fs/read_write.c:499 [inline] __vfs_write+0x4bf/0x680 fs/read_write.c:512 vfs_write+0x189/0x530 fs/read_write.c:560 SYSC_write fs/read_write.c:607 [inline] SyS_write+0xd9/0x1b0 fs/read_write.c:599 entry_SYSCALL_64_fastpath+0x23/0xc6 Freed: PID = 3267 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 save_stack+0x43/0xd0 mm/kasan/kasan.c:495 set_track mm/kasan/kasan.c:507 [inline] kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:571 slab_free_hook mm/slub.c:1355 [inline] slab_free_freelist_hook mm/slub.c:1377 [inline] slab_free mm/slub.c:2958 [inline] kfree+0xf0/0x2f0 mm/slub.c:3878 skb_free_head+0x74/0xb0 net/core/skbuff.c:580 skb_release_data+0x315/0x3f0 net/core/skbuff.c:611 skb_release_all+0x4a/0x60 net/core/skbuff.c:670 __kfree_skb net/core/skbuff.c:684 [inline] consume_skb+0xc6/0x340 net/core/skbuff.c:757 __dev_kfree_skb_any+0x58/0x70 net/core/dev.c:2381 dev_kfree_skb_any include/linux/netdevice.h:3308 [inline] free_old_xmit_skbs.isra.50+0x1ba/0x2d0 drivers/net/virtio_net.c:825 start_xmit+0x11d/0x1410 drivers/net/virtio_net.c:880 __netdev_start_xmit include/linux/netdevice.h:4062 [inline] netdev_start_xmit include/linux/netdevice.h:4071 [inline] xmit_one net/core/dev.c:2947 [inline] dev_hard_start_xmit+0x192/0x8a0 net/core/dev.c:2963 sch_direct_xmit+0x2bc/0x5d0 net/sched/sch_generic.c:182 __dev_xmit_skb net/core/dev.c:3132 [inline] __dev_queue_xmit+0x15fd/0x1e60 net/core/dev.c:3392 dev_queue_xmit+0x17/0x20 net/core/dev.c:3457 neigh_hh_output include/net/neighbour.h:468 [inline] dst_neigh_output include/net/dst.h:468 [inline] ip_finish_output2+0xbe8/0x1060 net/ipv4/ip_output.c:225 ip_finish_output+0x6b1/0xa00 net/ipv4/ip_output.c:313 NF_HOOK_COND include/linux/netfilter.h:246 [inline] ip_output+0x1ca/0x610 net/ipv4/ip_output.c:401 dst_output include/net/dst.h:507 [inline] ip_local_out+0x95/0x170 net/ipv4/ip_output.c:124 ip_queue_xmit+0x884/0x1760 net/ipv4/ip_output.c:500 tcp_transmit_skb+0x1847/0x2f00 net/ipv4/tcp_output.c:1036 tcp_write_xmit+0xbd6/0x4a40 net/ipv4/tcp_output.c:2182 __tcp_push_pending_frames+0xa0/0x240 net/ipv4/tcp_output.c:2363 tcp_push+0x3fc/0x5d0 net/ipv4/tcp.c:688 tcp_sendmsg+0xb38/0x2ff0 net/ipv4/tcp.c:1342 inet_sendmsg+0x2bc/0x4c0 net/ipv4/af_inet.c:770 sock_sendmsg_nosec net/socket.c:635 [inline] sock_sendmsg+0xca/0x110 net/socket.c:645 sock_write_iter+0x226/0x3b0 net/socket.c:843 new_sync_write fs/read_write.c:499 [inline] __vfs_write+0x4bf/0x680 fs/read_write.c:512 vfs_write+0x189/0x530 fs/read_write.c:560 SYSC_write fs/read_write.c:607 [inline] SyS_write+0xd9/0x1b0 fs/read_write.c:599 entry_SYSCALL_64_fastpath+0x23/0xc6 Memory state around the buggy address: ffff8801ca60ec00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8801ca60ec80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff8801ca60ed00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff8801ca60ed80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8801ca60ee00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ================================================================== ================================================================== BUG: KASAN: use-after-free in ip6_dst_ifdown+0x2f1/0x320 net/ipv6/route.c:400 at addr ffff8801ca60ed00 Read of size 8 by task syz-executor7/30932 CPU: 1 PID: 30932 Comm: syz-executor7 Tainted: G B 4.9.65-g5311c74 #100 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 ffff8801cdd27698 ffffffff81d904c9 ffff8801da001140 ffff8801ca60ed00 ffff8801ca60f100 ffffed00394c1da0 ffff8801ca60ed00 ffff8801cdd276c0 ffffffff8153a45c ffffed00394c1da0 ffff8801da001140 0000000000000000 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xc1/0x128 lib/dump_stack.c:51 [] kasan_object_err+0x1c/0x70 mm/kasan/report.c:160 [] print_address_description mm/kasan/report.c:198 [inline] [] kasan_report_error mm/kasan/report.c:287 [inline] [] kasan_report.part.1+0x21c/0x500 mm/kasan/report.c:309 [] kasan_report mm/kasan/report.c:330 [inline] [] __asan_report_load8_noabort+0x29/0x30 mm/kasan/report.c:330 [] ip6_dst_ifdown+0x2f1/0x320 net/ipv6/route.c:400 [] dst_ifdown+0x75/0x230 net/core/dst.c:440 [] dst_dev_event+0xb1/0x2e0 net/core/dst.c:467 [] notifier_call_chain+0x90/0x1a0 kernel/notifier.c:93 [] __raw_notifier_call_chain kernel/notifier.c:394 [inline] [] raw_notifier_call_chain+0x2d/0x40 kernel/notifier.c:401 [] call_netdevice_notifiers_info+0x51/0x90 net/core/dev.c:1646 [] call_netdevice_notifiers net/core/dev.c:1662 [inline] [] netdev_run_todo+0x17a/0x6b0 net/core/dev.c:7499 [] rtnl_unlock+0xe/0x10 net/core/rtnetlink.c:104 [] tun_detach drivers/net/tun.c:579 [inline] [] tun_chr_close+0x49/0x60 drivers/net/tun.c:2379 [] __fput+0x28c/0x6e0 fs/file_table.c:208 [] ____fput+0x15/0x20 fs/file_table.c:244 [] task_work_run+0x115/0x190 kernel/task_work.c:116 [] exit_task_work include/linux/task_work.h:21 [inline] [] do_exit+0x7e7/0x2a40 kernel/exit.c:833 [] do_group_exit+0x108/0x320 kernel/exit.c:937 [] get_signal+0x4d4/0x14e0 kernel/signal.c:2315 [] do_signal+0x87/0x1a00 arch/x86/kernel/signal.c:807 [] exit_to_usermode_loop+0xe1/0x120 arch/x86/entry/common.c:156 [] prepare_exit_to_usermode arch/x86/entry/common.c:190 [inline] [] syscall_return_slowpath+0x1a0/0x1e0 arch/x86/entry/common.c:259 [] entry_SYSCALL_64_fastpath+0xc4/0xc6 Object at ffff8801ca60ed00, in cache kmalloc-1024 size: 1024 Allocated: PID = 3267 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 save_stack+0x43/0xd0 mm/kasan/kasan.c:495 set_track mm/kasan/kasan.c:507 [inline] kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598 kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:537 slab_post_alloc_hook mm/slab.h:417 [inline] slab_alloc_node mm/slub.c:2715 [inline] slab_alloc mm/slub.c:2723 [inline] __kmalloc_track_caller+0xda/0x2b0 mm/slub.c:4232 __kmalloc_reserve.isra.37+0x33/0xc0 net/core/skbuff.c:138 __alloc_skb+0x119/0x600 net/core/skbuff.c:231 alloc_skb_fclone include/linux/skbuff.h:961 [inline] sk_stream_alloc_skb+0xa3/0x5d0 net/ipv4/tcp.c:828 tcp_sendmsg+0xd1b/0x2ff0 net/ipv4/tcp.c:1224 inet_sendmsg+0x2bc/0x4c0 net/ipv4/af_inet.c:770 sock_sendmsg_nosec net/socket.c:635 [inline] sock_sendmsg+0xca/0x110 net/socket.c:645 sock_write_iter+0x226/0x3b0 net/socket.c:843 new_sync_write fs/read_write.c:499 [inline] __vfs_write+0x4bf/0x680 fs/read_write.c:512 vfs_write+0x189/0x530 fs/read_write.c:560 SYSC_write fs/read_write.c:607 [inline] SyS_write+0xd9/0x1b0 fs/read_write.c:599 entry_SYSCALL_64_fastpath+0x23/0xc6 Freed: PID = 3267 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 save_stack+0x43/0xd0 mm/kasan/kasan.c:495 set_track mm/kasan/kasan.c:507 [inline] kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:571 slab_free_hook mm/slub.c:1355 [inline] slab_free_freelist_hook mm/slub.c:1377 [inline] slab_free mm/slub.c:2958 [inline] kfree+0xf0/0x2f0 mm/slub.c:3878 skb_free_head+0x74/0xb0 net/core/skbuff.c:580 skb_release_data+0x315/0x3f0 net/core/skbuff.c:611 skb_release_all+0x4a/0x60 net/core/skbuff.c:670 __kfree_skb net/core/skbuff.c:684 [inline] consume_skb+0xc6/0x340 net/core/skbuff.c:757 __dev_kfree_skb_any+0x58/0x70 net/core/dev.c:2381 dev_kfree_skb_any include/linux/netdevice.h:3308 [inline] free_old_xmit_skbs.isra.50+0x1ba/0x2d0 drivers/net/virtio_net.c:825 start_xmit+0x11d/0x1410 drivers/net/virtio_net.c:880 __netdev_start_xmit include/linux/netdevice.h:4062 [inline] netdev_start_xmit include/linux/netdevice.h:4071 [inline] xmit_one net/core/dev.c:2947 [inline] dev_hard_start_xmit+0x192/0x8a0 net/core/dev.c:2963 sch_direct_xmit+0x2bc/0x5d0 net/sched/sch_generic.c:182 __dev_xmit_skb net/core/dev.c:3132 [inline] __dev_queue_xmit+0x15fd/0x1e60 net/core/dev.c:3392 dev_queue_xmit+0x17/0x20 net/core/dev.c:3457 neigh_hh_output include/net/neighbour.h:468 [inline] dst_neigh_output include/net/dst.h:468 [inline] ip_finish_output2+0xbe8/0x1060 net/ipv4/ip_output.c:225 ip_finish_output+0x6b1/0xa00 net/ipv4/ip_output.c:313 NF_HOOK_COND include/linux/netfilter.h:246 [inline] ip_output+0x1ca/0x610 net/ipv4/ip_output.c:401 dst_output include/net/dst.h:507 [inline] ip_local_out+0x95/0x170 net/ipv4/ip_output.c:124 ip_queue_xmit+0x884/0x1760 net/ipv4/ip_output.c:500 tcp_transmit_skb+0x1847/0x2f00 net/ipv4/tcp_output.c:1036 tcp_write_xmit+0xbd6/0x4a40 net/ipv4/tcp_output.c:2182 __tcp_push_pending_frames+0xa0/0x240 net/ipv4/tcp_output.c:2363 tcp_push+0x3fc/0x5d0 net/ipv4/tcp.c:688 tcp_sendmsg+0xb38/0x2ff0 net/ipv4/tcp.c:1342 inet_sendmsg+0x2bc/0x4c0 net/ipv4/af_inet.c:770 sock_sendmsg_nosec net/socket.c:635 [inline] sock_sendmsg+0xca/0x110 net/socket.c:645 sock_write_iter+0x226/0x3b0 net/socket.c:843 new_sync_write fs/read_write.c:499 [inline] __vfs_write+0x4bf/0x680 fs/read_write.c:512 vfs_write+0x189/0x530 fs/read_write.c:560 SYSC_write fs/read_write.c:607 [inline] SyS_write+0xd9/0x1b0 fs/read_write.c:599 entry_SYSCALL_64_fastpath+0x23/0xc6 Memory state around the buggy address: ffff8801ca60ec00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8801ca60ec80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff8801ca60ed00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff8801ca60ed80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8801ca60ee00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ================================================================== ================================================================== BUG: KASAN: use-after-free in ip6_dst_ifdown+0x2f1/0x320 net/ipv6/route.c:400 at addr ffff8801ca60ed00 Read of size 8 by task syz-executor7/30932 CPU: 1 PID: 30932 Comm: syz-executor7 Tainted: G B 4.9.65-g5311c74 #100 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 ffff8801cdd27698 ffffffff81d904c9 ffff8801da001140 ffff8801ca60ed00 ffff8801ca60f100 ffffed00394c1da0 ffff8801ca60ed00 ffff8801cdd276c0 ffffffff8153a45c ffffed00394c1da0 ffff8801da001140 0000000000000000 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xc1/0x128 lib/dump_stack.c:51 [] kasan_object_err+0x1c/0x70 mm/kasan/report.c:160 [] print_address_description mm/kasan/report.c:198 [inline] [] kasan_report_error mm/kasan/report.c:287 [inline] [] kasan_report.part.1+0x21c/0x500 mm/kasan/report.c:309 [] kasan_report mm/kasan/report.c:330 [inline] [] __asan_report_load8_noabort+0x29/0x30 mm/kasan/report.c:330 [] ip6_dst_ifdown+0x2f1/0x320 net/ipv6/route.c:400 [] dst_ifdown+0x75/0x230 net/core/dst.c:440 [] dst_dev_event+0xb1/0x2e0 net/core/dst.c:467 [] notifier_call_chain+0x90/0x1a0 kernel/notifier.c:93 [] __raw_notifier_call_chain kernel/notifier.c:394 [inline] [] raw_notifier_call_chain+0x2d/0x40 kernel/notifier.c:401 [] call_netdevice_notifiers_info+0x51/0x90 net/core/dev.c:1646 [] call_netdevice_notifiers net/core/dev.c:1662 [inline] [] netdev_run_todo+0x17a/0x6b0 net/core/dev.c:7499 [] rtnl_unlock+0xe/0x10 net/core/rtnetlink.c:104 [] tun_detach drivers/net/tun.c:579 [inline] [] tun_chr_close+0x49/0x60 drivers/net/tun.c:2379 [] __fput+0x28c/0x6e0 fs/file_table.c:208 [] ____fput+0x15/0x20 fs/file_table.c:244 [] task_work_run+0x115/0x190 kernel/task_work.c:116 [] exit_task_work include/linux/task_work.h:21 [inline] [] do_exit+0x7e7/0x2a40 kernel/exit.c:833 [] do_group_exit+0x108/0x320 kernel/exit.c:937 [] get_signal+0x4d4/0x14e0 kernel/signal.c:2315 [] do_signal+0x87/0x1a00 arch/x86/kernel/signal.c:807 [] exit_to_usermode_loop+0xe1/0x120 arch/x86/entry/common.c:156 [] prepare_exit_to_usermode arch/x86/entry/common.c:190 [inline] [] syscall_return_slowpath+0x1a0/0x1e0 arch/x86/entry/common.c:259 [] entry_SYSCALL_64_fastpath+0xc4/0xc6 Object at ffff8801ca60ed00, in cache kmalloc-1024 size: 1024 Allocated: PID = 3267 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 save_stack+0x43/0xd0 mm/kasan/kasan.c:495 set_track mm/kasan/kasan.c:507 [inline] kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598 kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:537 slab_post_alloc_hook mm/slab.h:417 [inline] slab_alloc_node mm/slub.c:2715 [inline] slab_alloc mm/slub.c:2723 [inline] __kmalloc_track_caller+0xda/0x2b0 mm/slub.c:4232 __kmalloc_reserve.isra.37+0x33/0xc0 net/core/skbuff.c:138 __alloc_skb+0x119/0x600 net/core/skbuff.c:231 alloc_skb_fclone include/linux/skbuff.h:961 [inline] sk_stream_alloc_skb+0xa3/0x5d0 net/ipv4/tcp.c:828 tcp_sendmsg+0xd1b/0x2ff0 net/ipv4/tcp.c:1224 inet_sendmsg+0x2bc/0x4c0 net/ipv4/af_inet.c:770 sock_sendmsg_nosec net/socket.c:635 [inline] sock_sendmsg+0xca/0x110 net/socket.c:645 sock_write_iter+0x226/0x3b0 net/socket.c:843 new_sync_write fs/read_write.c:499 [inline] __vfs_write+0x4bf/0x680 fs/read_write.c:512 vfs_write+0x189/0x530 fs/read_write.c:560 SYSC_write fs/read_write.c:607 [inline] SyS_write+0xd9/0x1b0 fs/read_write.c:599 entry_SYSCALL_64_fastpath+0x23/0xc6 Freed: PID = 3267 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 save_stack+0x43/0xd0 mm/kasan/kasan.c:495 set_track mm/kasan/kasan.c:507 [inline] kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:571 slab_free_hook mm/slub.c:1355 [inline] slab_free_freelist_hook mm/slub.c:1377 [inline] slab_free mm/slub.c:2958 [inline] kfree+0xf0/0x2f0 mm/slub.c:3878 skb_free_head+0x74/0xb0 net/core/skbuff.c:580 skb_release_data+0x315/0x3f0 net/core/skbuff.c:611 skb_release_all+0x4a/0x60 net/core/skbuff.c:670 __kfree_skb net/core/skbuff.c:684 [inline] consume_skb+0xc6/0x340 net/core/skbuff.c:757 __dev_kfree_skb_any+0x58/0x70 net/core/dev.c:2381 dev_kfree_skb_any include/linux/netdevice.h:3308 [inline] free_old_xmit_skbs.isra.50+0x1ba/0x2d0 drivers/net/virtio_net.c:825 start_xmit+0x11d/0x1410 drivers/net/virtio_net.c:880 __netdev_start_xmit include/linux/netdevice.h:4062 [inline] netdev_start_xmit include/linux/netdevice.h:4071 [inline] xmit_one net/core/dev.c:2947 [inline] dev_hard_start_xmit+0x192/0x8a0 net/core/dev.c:2963 sch_direct_xmit+0x2bc/0x5d0 net/sched/sch_generic.c:182 __dev_xmit_skb net/core/dev.c:3132 [inline] __dev_queue_xmit+0x15fd/0x1e60 net/core/dev.c:3392 dev_queue_xmit+0x17/0x20 net/core/dev.c:3457 neigh_hh_output include/net/neighbour.h:468 [inline] dst_neigh_output include/net/dst.h:468 [inline] ip_finish_output2+0xbe8/0x1060 net/ipv4/ip_output.c:225 ip_finish_output+0x6b1/0xa00 net/ipv4/ip_output.c:313 NF_HOOK_COND include/linux/netfilter.h:246 [inline] ip_output+0x1ca/0x610 net/ipv4/ip_output.c:401 dst_output include/net/dst.h:507 [inline] ip_local_out+0x95/0x170 net/ipv4/ip_output.c:124 ip_queue_xmit+0x884/0x1760 net/ipv4/ip_output.c:500 tcp_transmit_skb+0x1847/0x2f00 net/ipv4/tcp_output.c:1036 tcp_write_xmit+0xbd6/0x4a40 net/ipv4/tcp_output.c:2182 __tcp_push_pending_frames+0xa0/0x240 net/ipv4/tcp_output.c:2363 tcp_push+0x3fc/0x5d0 net/ipv4/tcp.c:688 tcp_sendmsg+0xb38/0x2ff0 net/ipv4/tcp.c:1342 inet_sendmsg+0x2bc/0x4c0 net/ipv4/af_inet.c:770 sock_sendmsg_nosec net/socket.c:635 [inline] sock_sendmsg+0xca/0x110 net/socket.c:645 sock_write_iter+0x226/0x3b0 net/socket.c:843 new_sync_write fs/read_write.c:499 [inline] __vfs_write+0x4bf/0x680 fs/read_write.c:512 vfs_write+0x189/0x530 fs/read_write.c:560 SYSC_write fs/read_write.c:607 [inline] SyS_write+0xd9/0x1b0 fs/read_write.c:599 entry_SYSCALL_64_fastpath+0x23/0xc6 Memory state around the buggy address: ffff8801ca60ec00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8801ca60ec80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff8801ca60ed00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff8801ca60ed80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8801ca60ee00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ==================================================================