==================================================================
BUG: KFENCE: use-after-free read in arch_atomic_read arch/x86/include/asm/atomic.h:29 [inline]
BUG: KFENCE: use-after-free read in atomic_read include/linux/atomic/atomic-instrumented.h:28 [inline]
BUG: KFENCE: use-after-free read in ip6mr_sk_done+0x145/0x410 net/ipv6/ip6mr.c:1578

Use-after-free read at 0xffff88823bd9e088 (in kfence-#206):
arch_atomic_read arch/x86/include/asm/atomic.h:29 [inline]
atomic_read include/linux/atomic/atomic-instrumented.h:28 [inline]
ip6mr_sk_done+0x145/0x410 net/ipv6/ip6mr.c:1578
rawv6_close+0x58/0x80 net/ipv6/raw.c:1201
inet_release+0x12e/0x280 net/ipv4/af_inet.c:428
inet6_release+0x4c/0x70 net/ipv6/af_inet6.c:478
__sock_release net/socket.c:650 [inline]
sock_release+0x87/0x1b0 net/socket.c:678
inet_ctl_sock_destroy include/net/inet_common.h:65 [inline]
igmp6_net_exit+0x6b/0x170 net/ipv6/mcast.c:3173
ops_exit_list+0xb0/0x170 net/core/net_namespace.c:168
cleanup_net+0x4ea/0xb00 net/core/net_namespace.c:600
process_one_work+0x9ac/0x1650 kernel/workqueue.c:2307
worker_thread+0x657/0x1110 kernel/workqueue.c:2454
kthread+0x2e9/0x3a0 kernel/kthread.c:377
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295

kfence-#206: 0xffff88823bd9e000-0xffff88823bd9e0f7, size=248, cache=kmalloc-256

allocated by task 5004 on cpu 0 at 139.560299s:
kmemdup+0x23/0x50 mm/util.c:128
kmemdup include/linux/fortify-string.h:304 [inline]
addrconf_init_net+0x2c/0x640 net/ipv6/addrconf.c:7114
ops_init+0xaf/0x470 net/core/net_namespace.c:140
setup_net+0x5d1/0xc50 net/core/net_namespace.c:331
copy_net_ns+0x318/0x760 net/core/net_namespace.c:477
create_new_namespaces+0x3f6/0xb20 kernel/nsproxy.c:110
unshare_nsproxy_namespaces+0xc1/0x1f0 kernel/nsproxy.c:226
ksys_unshare+0x445/0x920 kernel/fork.c:3048
__do_sys_unshare kernel/fork.c:3119 [inline]
__se_sys_unshare kernel/fork.c:3117 [inline]
__x64_sys_unshare+0x2d/0x40 kernel/fork.c:3117
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0xae

freed by task 49 on cpu 0 at 140.618879s:
ops_exit_list+0xb0/0x170 net/core/net_namespace.c:168
cleanup_net+0x4ea/0xb00 net/core/net_namespace.c:600
process_one_work+0x9ac/0x1650 kernel/workqueue.c:2307
worker_thread+0x657/0x1110 kernel/workqueue.c:2454
kthread+0x2e9/0x3a0 kernel/kthread.c:377
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295

CPU: 0 PID: 49 Comm: kworker/u4:2 Not tainted 5.17.0-rc2-syzkaller-00650-g5a8fb33e5305 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: netns cleanup_net
RIP: 0010:arch_atomic_read arch/x86/include/asm/atomic.h:29 [inline]
RIP: 0010:atomic_read include/linux/atomic/atomic-instrumented.h:28 [inline]
RIP: 0010:ip6mr_sk_done+0x145/0x410 net/ipv6/ip6mr.c:1578
Code: 48 89 ea 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 0f b6 14 02 48 89 e8 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85 2b 02 00 00 <41> 8b ac 24 88 00 00 00 31 ff 89 ee e8 7a 25 7d f9 85 ed 0f 84 07
RSP: 0018:ffffc9000119fb50 EFLAGS: 00010246
RAX: 0000000000000003 RBX: ffff88801fcca440 RCX: ffffffff87fb54fb
RDX: 0000000000000000 RSI: 0000000000000004 RDI: ffff88823bd9e088
RBP: ffff88823bd9e088 R08: 0000000000000000 R09: ffff88823bd9e08b
R10: ffffed10477b3c11 R11: 000000000000003a R12: ffff88823bd9e000
R13: ffff88804a446018 R14: ffff88807b699a40 R15: fffffbfff1a9c634
FS: 0000000000000000(0000) GS:ffff8880b9c00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffff88823bd9e088 CR3: 00000000727d4000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
rawv6_close+0x58/0x80 net/ipv6/raw.c:1201
inet_release+0x12e/0x280 net/ipv4/af_inet.c:428
inet6_release+0x4c/0x70 net/ipv6/af_inet6.c:478
__sock_release net/socket.c:650 [inline]
sock_release+0x87/0x1b0 net/socket.c:678
inet_ctl_sock_destroy include/net/inet_common.h:65 [inline]
igmp6_net_exit+0x6b/0x170 net/ipv6/mcast.c:3173
ops_exit_list+0xb0/0x170 net/core/net_namespace.c:168
cleanup_net+0x4ea/0xb00 net/core/net_namespace.c:600
process_one_work+0x9ac/0x1650 kernel/workqueue.c:2307
worker_thread+0x657/0x1110 kernel/workqueue.c:2454
kthread+0x2e9/0x3a0 kernel/kthread.c:377
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295
==================================================================
----------------
Code disassembly (best guess):
# Reviewer annotations are the lines starting with '#'; everything else is the
# report's own output. Syntax is AT&T (source operand first, destination last).
# The listing decodes the "Code:" bytes of the report starting at offset 0, so
# the jump and call targets shown are relative to this fragment and are not
# kernel addresses.
#
# 0x00-0x24: check on the pointer in %rbp before it is dereferenced. The byte at
# (%rbp >> 3) + 0xdffffc0000000000 is loaded and compared with (%rbp & 7) + 3;
# 0x255 is taken only when that byte is non-zero and not greater than the
# computed value. NOTE(review): this has the shape of a compiler-inlined KASAN
# shadow check for a 4-byte access -- inferred from the instruction pattern,
# confirm against the build config.
   0:   48 89 ea                mov    %rbp,%rdx
   3:   48 b8 00 00 00 00 00    movabs $0xdffffc0000000000,%rax
# Remaining immediate bytes of the movabs above, wrapped by the decoder.
   a:   fc ff df
   d:   48 c1 ea 03             shr    $0x3,%rdx
  11:   0f b6 14 02             movzbl (%rdx,%rax,1),%edx
  15:   48 89 e8                mov    %rbp,%rax
  18:   83 e0 07                and    $0x7,%eax
  1b:   83 c0 03                add    $0x3,%eax
  1e:   38 d0                   cmp    %dl,%al
  20:   7c 08                   jl     0x2a
  22:   84 d2                   test   %dl,%dl
  24:   0f 85 2b 02 00 00       jne    0x255
# 0x2a: the faulting access, a 32-bit load from 0x88(%r12). The register dump
# has R12 = ffff88823bd9e000, so the effective address is 0xffff88823bd9e088:
# the address in the KFENCE header, the value in CR2, and 0x88 bytes into the
# 248-byte object kfence-#206 (0xffff88823bd9e000-0xffff88823bd9e0f7). The
# report attributes this load to atomic_read() inlined into ip6mr_sk_done()
# at net/ipv6/ip6mr.c:1578.
# The preceding check did not stop execution here; the report was raised by
# KFENCE on the load itself.
#
# Triage context from the stacks in this report: the object was allocated by
# kmemdup() in addrconf_init_net() during namespace setup and freed from
# ops_exit_list() under cleanup_net(); the read happens in the same
# cleanup_net() work item, reached through igmp6_net_exit() -> sock_release().
# The "freed by" stack does not show which exit handler performed the free --
# presumably one that ran before igmp6_net_exit(); verify the pernet exit
# ordering against the source tree for this kernel version.
* 2a:   41 8b ac 24 88 00 00    mov    0x88(%r12),%ebp <-- trapping instruction
  31:   00
# 0x32-0x36: 0 goes to %edi and the loaded value to %esi ahead of a call; the
# callee cannot be identified from this fragment (see the note on relative
# targets above).
  32:   31 ff                   xor    %edi,%edi
  34:   89 ee                   mov    %ebp,%esi
  36:   e8 7a 25 7d f9          callq  0xf97d25b5
  3b:   85 ed                   test   %ebp,%ebp
# The captured "Code:" bytes end with "0f 84 07", i.e. partway through the next
# instruction (0f 84 starts a conditional jump whose 32-bit displacement is cut
# off). The two lines below are decoder artifacts of that truncation, not
# instructions the kernel would have executed in this form.
  3d:   0f                      .byte 0xf
  3e:   84 07                   test   %al,(%rdi)