================================================================== BUG: KASAN: null-ptr-deref in atomic_read include/asm-generic/atomic-instrumented.h:21 [inline] BUG: KASAN: null-ptr-deref in refcount_sub_and_test_checked+0x9d/0x310 lib/refcount.c:179 Read of size 4 at addr 000000000000002e by task syz-executor5/9851 CPU: 0 PID: 9851 Comm: syz-executor5 Not tainted 4.19.0-rc6+ #245 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x1c4/0x2b4 lib/dump_stack.c:113 kasan_report_error mm/kasan/report.c:352 [inline] kasan_report.cold.9+0x6d/0x309 mm/kasan/report.c:412 check_memory_region_inline mm/kasan/kasan.c:260 [inline] check_memory_region+0x13e/0x1b0 mm/kasan/kasan.c:267 kasan_check_read+0x11/0x20 mm/kasan/kasan.c:272 atomic_read include/asm-generic/atomic-instrumented.h:21 [inline] refcount_sub_and_test_checked+0x9d/0x310 lib/refcount.c:179 refcount_dec_and_test_checked+0x1a/0x20 lib/refcount.c:212 ip_fib_metrics_put include/net/ip.h:428 [inline] fib6_info_destroy_rcu+0x2ef/0x3e0 net/ipv6/ip6_fib.c:204 __rcu_reclaim kernel/rcu/rcu.h:236 [inline] rcu_do_batch kernel/rcu/tree.c:2576 [inline] invoke_rcu_callbacks kernel/rcu/tree.c:2880 [inline] __rcu_process_callbacks kernel/rcu/tree.c:2847 [inline] rcu_process_callbacks+0xf23/0x2670 kernel/rcu/tree.c:2864 __do_softirq+0x30b/0xad8 kernel/softirq.c:292 IPv6: RTM_NEWROUTE with no NLM_F_CREATE or NLM_F_REPLACE invoke_softirq kernel/softirq.c:372 [inline] irq_exit+0x17f/0x1c0 kernel/softirq.c:412 exiting_irq arch/x86/include/asm/apic.h:536 [inline] smp_apic_timer_interrupt+0x1cb/0x760 arch/x86/kernel/apic/apic.c:1056 apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:864 RIP: 0010:arch_local_irq_restore arch/x86/include/asm/paravirt.h:788 [inline] RIP: 0010:lock_acquire+0x268/0x520 kernel/locking/lockdep.c:3903 Code: 00 00 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 44 02 00 00 48 83 3d 8f 14 d1 07 00 0f 84 c3 01 00 00 48 8b bd 20 ff ff ff 57 9d <0f> 1f 44 00 00 48 b8 00 00 00 00 00 fc ff df 48 01 c3 48 c7 03 00 RSP: 0018:ffff8801843af810 EFLAGS: 00000286 ORIG_RAX: ffffffffffffff13 RAX: dffffc0000000000 RBX: 1ffff10030875f07 RCX: 0000000000000000 RDX: 1ffffffff1263e41 RSI: 0000000000000000 RDI: 0000000000000286 RBP: ffff8801843af900 R08: 0000000000000000 R09: 0000000000000000 R10: 00000000b77ae9a3 R11: 0000000000000000 R12: ffff8801a1c1a500 R13: 0000000000000002 R14: 0000000000000000 R15: 0000000000000000 rcu_lock_acquire include/linux/rcupdate.h:244 [inline] rcu_read_lock_sched include/linux/rcupdate.h:743 [inline] percpu_ref_put_many+0x94/0x260 include/linux/percpu-refcount.h:279 percpu_ref_put include/linux/percpu-refcount.h:300 [inline] css_put include/linux/cgroup.h:387 [inline] memcg_kmem_put_cache+0x93/0xb0 mm/memcontrol.c:2571 slab_post_alloc_hook mm/slab.h:448 [inline] slab_alloc mm/slab.c:3392 [inline] kmem_cache_alloc+0x2d6/0x730 mm/slab.c:3552 __d_alloc+0xc8/0xcc0 fs/dcache.c:1614 d_alloc_pseudo+0x1d/0x30 fs/dcache.c:1742 alloc_file_pseudo+0x158/0x3f0 fs/file_table.c:224 sock_alloc_file+0x4c/0x180 net/socket.c:394 sock_map_fd net/socket.c:417 [inline] __sys_socket+0x172/0x260 net/socket.c:1351 __do_sys_socket net/socket.c:1356 [inline] __se_sys_socket net/socket.c:1354 [inline] __x64_sys_socket+0x73/0xb0 net/socket.c:1354 do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290 entry_SYSCALL_64_after_hwframe+0x49/0xbe RIP: 0033:0x45a0e7 Code: 00 00 00 49 89 ca b8 36 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 9a 88 fb ff c3 66 0f 1f 84 00 00 00 00 00 b8 29 00 00 00 0f 05 <48> 3d 01 f0 ff ff 0f 83 7d 88 fb ff c3 66 2e 0f 1f 84 00 00 00 00 RSP: 002b:00007ffc9d788358 EFLAGS: 00000246 ORIG_RAX: 0000000000000029 RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000045a0e7 RDX: 0000000000000006 RSI: 0000000000000001 RDI: 0000000000000002 RBP: 0000000000000003 R08: 00007ffc9d7883dc R09: 000000000000000a R10: 00007ffc9d7883e0 R11: 0000000000000246 R12: 0000000000000002 R13: 0000000000064000 R14: 0000000000000384 R15: 0000000000000005 ==================================================================