8021q: adding VLAN 0 to HW filter on device bond0 IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready netlink: 2 bytes leftover after parsing attributes in process `syz-executor.1'. IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready ================================================================== BUG: KASAN: use-after-free in memset+0x1a/0x30 mm/kasan/kasan.c:301 at addr ffff8801a7fc7500 Write of size 32 by task udevd/7315 page:ffffea00069ff1c0 count:0 mapcount:0 mapping: (null) index:0x0 flags: 0x57ffe0000000000() page dumped because: kasan: bad access detected IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready CPU: 0 PID: 7315 Comm: udevd Not tainted 4.6.0-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 1ffffffff0d9577e ffff88012c0076d8 ffffffff82c4dd46 ffff8801a7fc7500 ffff88012c007768 ffff8801a7fc7500 ffff88012c007850 ffff88012c007758 ffffffff817405ba ffff880126aa2640 ffffffff86d0ede0 0000000000000286 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xe6/0x120 lib/dump_stack.c:51 [] print_address_description mm/kasan/report.c:190 [inline] [] kasan_report_error+0x59a/0x5c0 mm/kasan/report.c:275 [] kasan_report+0x34/0x40 mm/kasan/report.c:297 IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready bridge0: port 1(bridge_slave_0) entered blocking state bridge0: port 1(bridge_slave_0) entered forwarding state IPv6: ADDRCONF(NETDEV_CHANGE): bridge0: link becomes ready IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready bridge0: port 2(bridge_slave_1) entered blocking state bridge0: port 2(bridge_slave_1) entered forwarding state [] check_memory_region mm/kasan/kasan.c:285 [inline] [] __asan_storeN+0x12d/0x180 mm/kasan/kasan.c:688 [] memset+0x1a/0x30 mm/kasan/kasan.c:301 [] __alloc_skb+0x31a/0x5b0 net/core/skbuff.c:259 [] alloc_skb include/linux/skbuff.h:895 [inline] [] alloc_skb_with_frags+0x8d/0x4b0 net/core/skbuff.c:4557 IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready [] sock_alloc_send_pskb+0x5c9/0x740 net/core/sock.c:1851 IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready [] sock_alloc_send_skb+0x13/0x20 net/core/sock.c:1868 [] mld_newpack+0x1bb/0x930 net/ipv6/mcast.c:1571 [] add_grhead.isra.29+0x2ba/0x3a0 net/ipv6/mcast.c:1678 [] add_grec+0x85c/0xcb0 net/ipv6/mcast.c:1793 [] mld_send_cr net/ipv6/mcast.c:1919 [inline] [] mld_ifc_timer_expire+0x2fb/0x710 net/ipv6/mcast.c:2425 [] call_timer_fn+0x14e/0x620 kernel/time/timer.c:1178 [] __run_timers kernel/time/timer.c:1254 [inline] [] run_timer_softirq+0x5f7/0x9c0 kernel/time/timer.c:1437 [] __do_softirq+0x2cc/0xa06 kernel/softirq.c:273 [] invoke_softirq kernel/softirq.c:350 [inline] [] irq_exit+0x157/0x190 kernel/softirq.c:391 [] exiting_irq arch/x86/include/asm/apic.h:658 [inline] [] smp_apic_timer_interrupt+0x7b/0xa0 arch/x86/kernel/apic/apic.c:932 [] apic_timer_interrupt+0x8c/0xa0 arch/x86/entry/entry_64.S:621 [] ? __read_once_size include/linux/compiler.h:222 [inline] [] ? avc_search_node security/selinux/avc.c:583 [inline] [] ? avc_lookup security/selinux/avc.c:612 [inline] [] ? avc_has_perm_noaudit security/selinux/avc.c:1112 [inline] [] ? avc_has_perm+0x1bf/0x470 security/selinux/avc.c:1148 [] inode_has_perm.isra.47+0x13f/0x1c0 security/selinux/hooks.c:1689 [] dentry_has_perm security/selinux/hooks.c:1705 [inline] [] selinux_inode_readlink+0xdb/0x120 security/selinux/hooks.c:2906 [] security_inode_readlink+0xb1/0xf0 security/security.c:584 [] SYSC_readlinkat fs/stat.c:333 [inline] [] SyS_readlinkat fs/stat.c:315 [inline] [] SYSC_readlink fs/stat.c:352 [inline] [] SyS_readlink+0x141/0x290 fs/stat.c:349 [] entry_SYSCALL_64_fastpath+0x23/0xc1 Memory state around the buggy address: ffff8801a7fc7400: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ffff8801a7fc7480: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff >ffff8801a7fc7500: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ^ ffff8801a7fc7580: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ffff8801a7fc7600: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ================================================================== ================================================================== BUG: KASAN: use-after-free in __write_once_size include/linux/compiler.h:250 [inline] at addr ffff8801a7fc7520 BUG: KASAN: use-after-free in atomic_set arch/x86/include/asm/atomic.h:38 [inline] at addr ffff8801a7fc7520 BUG: KASAN: use-after-free in __alloc_skb+0x4bb/0x5b0 net/core/skbuff.c:260 at addr ffff8801a7fc7520 Write of size 4 by task udevd/7315 page:ffffea00069ff1c0 count:0 mapcount:0 mapping: (null) index:0x0 flags: 0x57ffe0000000000() page dumped because: kasan: bad access detected CPU: 0 PID: 7315 Comm: udevd Tainted: G B 4.6.0-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 1ffffffff0d9577e ffff88012c007710 ffffffff82c4dd46 0000000000000000[ 68.293987] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready bridge0: port 1(bridge_slave_0) entered blocking state bridge0: port 1(bridge_slave_0) entered forwarding state IPv6: ADDRCONF(NETDEV_CHANGE): bridge0: link becomes ready IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready bridge0: port 2(bridge_slave_1) entered blocking state bridge0: port 2(bridge_slave_1) entered forwarding state ffff88012c0077a0 ffff8801a7fc7520[ 68.346229] IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready ffff88012c007850[ 68.369668] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready ffff88012c007790 ffffffff817405ba 6637613130383866 00203a3030363763 0000000000000286 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xe6/0x120 lib/dump_stack.c:51 [] print_address_description mm/kasan/report.c:190 [inline] [] kasan_report_error+0x59a/0x5c0 mm/kasan/report.c:275 [] kasan_report mm/kasan/report.c:297 [inline] [] __asan_report_store4_noabort+0x3e/0x40 mm/kasan/report.c:322 [] __write_once_size include/linux/compiler.h:250 [inline] [] atomic_set arch/x86/include/asm/atomic.h:38 [inline] [] __alloc_skb+0x4bb/0x5b0 net/core/skbuff.c:260 [] alloc_skb include/linux/skbuff.h:895 [inline] [] alloc_skb_with_frags+0x8d/0x4b0 net/core/skbuff.c:4557 [] sock_alloc_send_pskb+0x5c9/0x740 net/core/sock.c:1851 [] sock_alloc_send_skb+0x13/0x20 net/core/sock.c:1868 [] mld_newpack+0x1bb/0x930 net/ipv6/mcast.c:1571 [] add_grhead.isra.29+0x2ba/0x3a0 net/ipv6/mcast.c:1678 [] add_grec+0x85c/0xcb0 net/ipv6/mcast.c:1793 [] mld_send_cr net/ipv6/mcast.c:1919 [inline] [] mld_ifc_timer_expire+0x2fb/0x710 net/ipv6/mcast.c:2425 [] call_timer_fn+0x14e/0x620 kernel/time/timer.c:1178 [] __run_timers kernel/time/timer.c:1254 [inline] [] run_timer_softirq+0x5f7/0x9c0 kernel/time/timer.c:1437 [] __do_softirq+0x2cc/0xa06 kernel/softirq.c:273 [] invoke_softirq kernel/softirq.c:350 [inline] [] irq_exit+0x157/0x190 kernel/softirq.c:391 [] exiting_irq arch/x86/include/asm/apic.h:658 [inline] [] smp_apic_timer_interrupt+0x7b/0xa0 arch/x86/kernel/apic/apic.c:932 [] apic_timer_interrupt+0x8c/0xa0 arch/x86/entry/entry_64.S:621 [] ? __read_once_size include/linux/compiler.h:222 [inline] [] ? avc_search_node security/selinux/avc.c:583 [inline] [] ? avc_lookup security/selinux/avc.c:612 [inline] [] ? avc_has_perm_noaudit security/selinux/avc.c:1112 [inline] [] ? avc_has_perm+0x1bf/0x470 security/selinux/avc.c:1148 [] inode_has_perm.isra.47+0x13f/0x1c0 security/selinux/hooks.c:1689 [] dentry_has_perm security/selinux/hooks.c:1705 [inline] [] selinux_inode_readlink+0xdb/0x120 security/selinux/hooks.c:2906 [] security_inode_readlink+0xb1/0xf0 security/security.c:584 [] SYSC_readlinkat fs/stat.c:333 [inline] [] SyS_readlinkat fs/stat.c:315 [inline] [] SYSC_readlink fs/stat.c:352 [inline] [] SyS_readlink+0x141/0x290 fs/stat.c:349 [] entry_SYSCALL_64_fastpath+0x23/0xc1 Memory state around the buggy address: ffff8801a7fc7400: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ffff8801a7fc7480: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff >ffff8801a7fc7500: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ^ ffff8801a7fc7580: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ffff8801a7fc7600: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ================================================================== ================================================================== BUG: KASAN: use-after-free in __dev_queue_xmit+0x1828/0x1f40 net/core/dev.c:3282 at addr ffff8801a7fc7501 Read of size 1 by task udevd/7315 page:ffffea00069ff1c0 count:0 mapcount:0 mapping: (null) index:0x0 flags: 0x57ffe0000000000() page dumped because: kasan: bad access detected CPU: 0 PID: 7315 Comm: udevd Tainted: G B 4.6.0-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 1ffffffff0d9577e ffff88012c0075e8 ffffffff82c4dd46 ffff8800b5aead86 ffff88012c007678 ffff8801a7fc7501 ffff8800b5aeace0 ffff88012c007668 ffffffff817405ba ffffffff00000000 1ffff10025800ec2 0000000000000286 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xe6/0x120 lib/dump_stack.c:51 [] print_address_description mm/kasan/report.c:190 [inline] [] kasan_report_error+0x59a/0x5c0 mm/kasan/report.c:275 [] kasan_report mm/kasan/report.c:297 [inline] [] __asan_report_load1_noabort+0x3e/0x40 mm/kasan/report.c:315 [] __dev_queue_xmit+0x1828/0x1f40 net/core/dev.c:3282 [] dev_queue_xmit+0xb/0x10 net/core/dev.c:3392 [] neigh_resolve_output+0x488/0x7d0 net/core/neighbour.c:1311 [] dst_neigh_output include/net/dst.h:467 [inline] [] ip6_finish_output2+0x98b/0x1b90 net/ipv6/ip6_output.c:113 [] ip6_finish_output+0x353/0x700 net/ipv6/ip6_output.c:131 [] NF_HOOK_COND include/linux/netfilter.h:233 [inline] [] ip6_output+0x167/0x530 net/ipv6/ip6_output.c:145 [] dst_output include/net/dst.h:504 [inline] [] NF_HOOK_THRESH.constprop.38+0xc9/0x290 include/linux/netfilter.h:219 [] NF_HOOK include/linux/netfilter.h:242 [inline] [] mld_sendpack+0x5f8/0xb80 net/ipv6/mcast.c:1646 [] mld_send_cr net/ipv6/mcast.c:1927 [inline] [] mld_ifc_timer_expire+0x360/0x710 net/ipv6/mcast.c:2425 [] call_timer_fn+0x14e/0x620 kernel/time/timer.c:1178 [] __run_timers kernel/time/timer.c:1254 [inline] [] run_timer_softirq+0x5f7/0x9c0 kernel/time/timer.c:1437 [] __do_softirq+0x2cc/0xa06 kernel/softirq.c:273 [] invoke_softirq kernel/softirq.c:350 [inline] [] irq_exit+0x157/0x190 kernel/softirq.c:391 [] exiting_irq arch/x86/include/asm/apic.h:658 [inline] [] smp_apic_timer_interrupt+0x7b/0xa0 arch/x86/kernel/apic/apic.c:932 [] apic_timer_interrupt+0x8c/0xa0 arch/x86/entry/entry_64.S:621 [] ? __read_once_size include/linux/compiler.h:222 [inline] [] ? avc_search_node security/selinux/avc.c:583 [inline] [] ? avc_lookup security/selinux/avc.c:612 [inline] [] ? avc_has_perm_noaudit security/selinux/avc.c:1112 [inline] [] ? avc_has_perm+0x1bf/0x470 security/selinux/avc.c:1148 [] inode_has_perm.isra.47+0x13f/0x1c0 security/selinux/hooks.c:1689 [] dentry_has_perm security/selinux/hooks.c:1705 [inline] [] selinux_inode_readlink+0xdb/0x120 security/selinux/hooks.c:2906 [] security_inode_readlink+0xb1/0xf0 security/security.c:584 [] SYSC_readlinkat fs/stat.c:333 [inline] [] SyS_readlinkat fs/stat.c:315 [inline] [] SYSC_readlink fs/stat.c:352 [inline] [] SyS_readlink+0x141/0x290 fs/stat.c:349 [] entry_SYSCALL_64_fastpath+0x23/0xc1 Memory state around the buggy address: ffff8801a7fc7400: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ffff8801a7fc7480: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff >ffff8801a7fc7500: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ^ ffff8801a7fc7580: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ffff8801a7fc7600: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ================================================================== ================================================================== BUG: KASAN: use-after-free in qdisc_pkt_len_init net/core/dev.c:3002 [inline] at addr ffff8801a7fc7502 BUG: KASAN: use-after-free in __dev_queue_xmit+0x17db/0x1f40 net/core/dev.c:3292 at addr ffff8801a7fc7502 Read of size 2 by task udevd/7315 page:ffffea00069ff1c0 count:0 mapcount:0 mapping: (null) index:0x0 flags: 0x57ffe0000000000() page dumped because: kasan: bad access detected CPU: 0 PID: 7315 Comm: udevd Tainted: G B 4.6.0-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 1ffffffff0d9577e ffff88012c0075e8 ffffffff82c4dd46 ffff8800b5aead86 ffff88012c007678 ffff8801a7fc7502 ffff8801a7fc7500 ffff88012c007668 ffffffff817405ba 0000000000000010 ffff880126aa2640 0000000000000286 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xe6/0x120 lib/dump_stack.c:51 [] print_address_description mm/kasan/report.c:190 [inline] [] kasan_report_error+0x59a/0x5c0 mm/kasan/report.c:275 [] kasan_report mm/kasan/report.c:297 [inline] [] __asan_report_load2_noabort+0x3e/0x40 mm/kasan/report.c:316 [] qdisc_pkt_len_init net/core/dev.c:3002 [inline] [] __dev_queue_xmit+0x17db/0x1f40 net/core/dev.c:3292 [] dev_queue_xmit+0xb/0x10 net/core/dev.c:3392 [] neigh_resolve_output+0x488/0x7d0 net/core/neighbour.c:1311 [] dst_neigh_output include/net/dst.h:467 [inline] [] ip6_finish_output2+0x98b/0x1b90 net/ipv6/ip6_output.c:113 [] ip6_finish_output+0x353/0x700 net/ipv6/ip6_output.c:131 [] NF_HOOK_COND include/linux/netfilter.h:233 [inline] [] ip6_output+0x167/0x530 net/ipv6/ip6_output.c:145 [] dst_output include/net/dst.h:504 [inline] [] NF_HOOK_THRESH.constprop.38+0xc9/0x290 include/linux/netfilter.h:219 [] NF_HOOK include/linux/netfilter.h:242 [inline] [] mld_sendpack+0x5f8/0xb80 net/ipv6/mcast.c:1646 [] mld_send_cr net/ipv6/mcast.c:1927 [inline] [] mld_ifc_timer_expire+0x360/0x710 net/ipv6/mcast.c:2425 [] call_timer_fn+0x14e/0x620 kernel/time/timer.c:1178 [] __run_timers kernel/time/timer.c:1254 [inline] [] run_timer_softirq+0x5f7/0x9c0 kernel/time/timer.c:1437 [] __do_softirq+0x2cc/0xa06 kernel/softirq.c:273 [] invoke_softirq kernel/softirq.c:350 [inline] [] irq_exit+0x157/0x190 kernel/softirq.c:391 [] exiting_irq arch/x86/include/asm/apic.h:658 [inline] [] smp_apic_timer_interrupt+0x7b/0xa0 arch/x86/kernel/apic/apic.c:932 [] apic_timer_interrupt+0x8c/0xa0 arch/x86/entry/entry_64.S:621 [] ? __read_once_size include/linux/compiler.h:222 [inline] [] ? avc_search_node security/selinux/avc.c:583 [inline] [] ? avc_lookup security/selinux/avc.c:612 [inline] [] ? avc_has_perm_noaudit security/selinux/avc.c:1112 [inline] [] ? avc_has_perm+0x1bf/0x470 security/selinux/avc.c:1148 [] inode_has_perm.isra.47+0x13f/0x1c0 security/selinux/hooks.c:1689 [] dentry_has_perm security/selinux/hooks.c:1705 [inline] [] selinux_inode_readlink+0xdb/0x120 security/selinux/hooks.c:2906 [] security_inode_readlink+0xb1/0xf0 security/security.c:584 [] SYSC_readlinkat fs/stat.c:333 [inline] [] SyS_readlinkat fs/stat.c:315 [inline] [] SYSC_readlink fs/stat.c:352 [inline] [] SyS_readlink+0x141/0x290 fs/stat.c:349 [] entry_SYSCALL_64_fastpath+0x23/0xc1 Memory state around the buggy address: ffff8801a7fc7400: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ffff8801a7fc7480: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff >ffff8801a7fc7500: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ^ ffff8801a7fc7580: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ffff8801a7fc7600: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ================================================================== ================================================================== BUG: KASAN: use-after-free in netif_skb_features+0x601/0x7d0 net/core/dev.c:2832 at addr ffff8801a7fc7504 Read of size 2 by task udevd/7315 page:ffffea00069ff1c0 count:0 mapcount:0 mapping: (null) index:0x0 flags: 0x57ffe0000000000() page dumped because: kasan: bad access detected CPU: 0 PID: 7315 Comm: udevd Tainted: G B 4.6.0-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 1ffffffff0d9577e ffff88012c0074e8 ffffffff82c4dd46 ffff8800b5aeacc0 ffff88012c007578 ffff8801a7fc7504 ffff8800b5aeace0 ffff88012c007568 ffffffff817405ba 1ffffffff0eca2ec 0000000000000000 0000000000000286 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xe6/0x120 lib/dump_stack.c:51 [] print_address_description mm/kasan/report.c:190 [inline] [] kasan_report_error+0x59a/0x5c0 mm/kasan/report.c:275 [] kasan_report mm/kasan/report.c:297 [inline] [] __asan_report_load2_noabort+0x3e/0x40 mm/kasan/report.c:316 [] netif_skb_features+0x601/0x7d0 net/core/dev.c:2832 [] validate_xmit_skb.isra.107.part.108+0x20/0xa20 net/core/dev.c:2921 [] validate_xmit_skb net/core/dev.c:3059 [inline] [] __dev_queue_xmit+0x1c5d/0x1f40 net/core/dev.c:3350 [] dev_queue_xmit+0xb/0x10 net/core/dev.c:3392 [] neigh_resolve_output+0x488/0x7d0 net/core/neighbour.c:1311 [] dst_neigh_output include/net/dst.h:467 [inline] [] ip6_finish_output2+0x98b/0x1b90 net/ipv6/ip6_output.c:113 [] ip6_finish_output+0x353/0x700 net/ipv6/ip6_output.c:131 [] NF_HOOK_COND include/linux/netfilter.h:233 [inline] [] ip6_output+0x167/0x530 net/ipv6/ip6_output.c:145 [] dst_output include/net/dst.h:504 [inline] [] NF_HOOK_THRESH.constprop.38+0xc9/0x290 include/linux/netfilter.h:219 [] NF_HOOK include/linux/netfilter.h:242 [inline] [] mld_sendpack+0x5f8/0xb80 net/ipv6/mcast.c:1646 [] mld_send_cr net/ipv6/mcast.c:1927 [inline] [] mld_ifc_timer_expire+0x360/0x710 net/ipv6/mcast.c:2425 [] call_timer_fn+0x14e/0x620 kernel/time/timer.c:1178 [] __run_timers kernel/time/timer.c:1254 [inline] [] run_timer_softirq+0x5f7/0x9c0 kernel/time/timer.c:1437 [] __do_softirq+0x2cc/0xa06 kernel/softirq.c:273 [] invoke_softirq kernel/softirq.c:350 [inline] [] irq_exit+0x157/0x190 kernel/softirq.c:391 [] exiting_irq arch/x86/include/asm/apic.h:658 [inline] [] smp_apic_timer_interrupt+0x7b/0xa0 arch/x86/kernel/apic/apic.c:932 [] apic_timer_interrupt+0x8c/0xa0 arch/x86/entry/entry_64.S:621 [] ? __read_once_size include/linux/compiler.h:222 [inline] [] ? avc_search_node security/selinux/avc.c:583 [inline] [] ? avc_lookup security/selinux/avc.c:612 [inline] [] ? avc_has_perm_noaudit security/selinux/avc.c:1112 [inline] [] ? avc_has_perm+0x1bf/0x470 security/selinux/avc.c:1148 [] inode_has_perm.isra.47+0x13f/0x1c0 security/selinux/hooks.c:1689 [] dentry_has_perm security/selinux/hooks.c:1705 [inline] [] selinux_inode_readlink+0xdb/0x120 security/selinux/hooks.c:2906 [] security_inode_readlink+0xb1/0xf0 security/security.c:584 [] SYSC_readlinkat fs/stat.c:333 [inline] [] SyS_readlinkat fs/stat.c:315 [inline] [] SYSC_readlink fs/stat.c:352 [inline] [] SyS_readlink+0x141/0x290 fs/stat.c:349 [] entry_SYSCALL_64_fastpath+0x23/0xc1 Memory state around the buggy address: ffff8801a7fc7400: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ffff8801a7fc7480: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff >ffff8801a7fc7500: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ^ ffff8801a7fc7580: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ffff8801a7fc7600: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ================================================================== ================================================================== BUG: KASAN: use-after-free in skb_is_gso include/linux/skbuff.h:3648 [inline] at addr ffff8801a7fc7502 BUG: KASAN: use-after-free in netif_needs_gso include/linux/netdevice.h:4039 [inline] at addr ffff8801a7fc7502 BUG: KASAN: use-after-free in validate_xmit_skb.isra.107.part.108+0x831/0xa20 net/core/dev.c:2926 at addr ffff8801a7fc7502 Read of size 2 by task udevd/7315 page:ffffea00069ff1c0 count:0 mapcount:0 mapping: (null) index:0x0 flags: 0x57ffe0000000000() page dumped because: kasan: bad access detected CPU: 0 PID: 7315 Comm: udevd Tainted: G B 4.6.0-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 1ffffffff0d9577e ffff88012c007590 ffffffff82c4dd46 ffff8800b5aeacc0 ffff88012c007620 ffff8801a7fc7502 0000000000000000 ffff88012c007610 ffffffff817405ba ffff88012c007648 ffffffff8495006e 0000000000000286 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xe6/0x120 lib/dump_stack.c:51 [] print_address_description mm/kasan/report.c:190 [inline] [] kasan_report_error+0x59a/0x5c0 mm/kasan/report.c:275 [] kasan_report mm/kasan/report.c:297 [inline] [] __asan_report_load2_noabort+0x3e/0x40 mm/kasan/report.c:316 [] skb_is_gso include/linux/skbuff.h:3648 [inline] [] netif_needs_gso include/linux/netdevice.h:4039 [inline] [] validate_xmit_skb.isra.107.part.108+0x831/0xa20 net/core/dev.c:2926 [] validate_xmit_skb net/core/dev.c:3059 [inline] [] __dev_queue_xmit+0x1c5d/0x1f40 net/core/dev.c:3350 [] dev_queue_xmit+0xb/0x10 net/core/dev.c:3392 [] neigh_resolve_output+0x488/0x7d0 net/core/neighbour.c:1311 [] dst_neigh_output include/net/dst.h:467 [inline] [] ip6_finish_output2+0x98b/0x1b90 net/ipv6/ip6_output.c:113 [] ip6_finish_output+0x353/0x700 net/ipv6/ip6_output.c:131 [] NF_HOOK_COND include/linux/netfilter.h:233 [inline] [] ip6_output+0x167/0x530 net/ipv6/ip6_output.c:145 [] dst_output include/net/dst.h:504 [inline] [] NF_HOOK_THRESH.constprop.38+0xc9/0x290 include/linux/netfilter.h:219 [] NF_HOOK include/linux/netfilter.h:242 [inline] [] mld_sendpack+0x5f8/0xb80 net/ipv6/mcast.c:1646 [] mld_send_cr net/ipv6/mcast.c:1927 [inline] [] mld_ifc_timer_expire+0x360/0x710 net/ipv6/mcast.c:2425 [] call_timer_fn+0x14e/0x620 kernel/time/timer.c:1178 [] __run_timers kernel/time/timer.c:1254 [inline] [] run_timer_softirq+0x5f7/0x9c0 kernel/time/timer.c:1437 [] __do_softirq+0x2cc/0xa06 kernel/softirq.c:273 [] invoke_softirq kernel/softirq.c:350 [inline] [] irq_exit+0x157/0x190 kernel/softirq.c:391 [] exiting_irq arch/x86/include/asm/apic.h:658 [inline] [] smp_apic_timer_interrupt+0x7b/0xa0 arch/x86/kernel/apic/apic.c:932 [] apic_timer_interrupt+0x8c/0xa0 arch/x86/entry/entry_64.S:621 [] ? __read_once_size include/linux/compiler.h:222 [inline] [] ? avc_search_node security/selinux/avc.c:583 [inline] [] ? avc_lookup security/selinux/avc.c:612 [inline] [] ? avc_has_perm_noaudit security/selinux/avc.c:1112 [inline] [] ? avc_has_perm+0x1bf/0x470 security/selinux/avc.c:1148 [] inode_has_perm.isra.47+0x13f/0x1c0 security/selinux/hooks.c:1689 [] dentry_has_perm security/selinux/hooks.c:1705 [inline] [] selinux_inode_readlink+0xdb/0x120 security/selinux/hooks.c:2906 [] security_inode_readlink+0xb1/0xf0 security/security.c:584 [] SYSC_readlinkat fs/stat.c:333 [inline] [] SyS_readlinkat fs/stat.c:315 [inline] [] SYSC_readlink fs/stat.c:352 [inline] [] SyS_readlink+0x141/0x290 fs/stat.c:349 [] entry_SYSCALL_64_fastpath+0x23/0xc1 Memory state around the buggy address: ffff8801a7fc7400: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ffff8801a7fc7480: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff >ffff8801a7fc7500: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ^ ffff8801a7fc7580: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ffff8801a7fc7600: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ================================================================== ================================================================== BUG: KASAN: use-after-free in skb_release_data+0x39f/0x470 net/core/skbuff.c:592 at addr ffff8801a7fc7500 Read of size 1 by task udevd/7315 page:ffffea00069ff1c0 count:0 mapcount:0 mapping: (null) index:0x0 flags: 0x57ffe0000000000() page dumped because: kasan: bad access detected CPU: 0 PID: 7315 Comm: udevd Tainted: G B 4.6.0-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 1ffffffff0d9577e ffff88012c007330 ffffffff82c4dd46 ffff8800b5aeacc0 ffff88012c0073c0 ffff8801a7fc7500 ffff8800a78ca1c0 ffff88012c0073b0 ffffffff817405ba 0000000000000000 ffffffff848f05c0 0000000000000286 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xe6/0x120 lib/dump_stack.c:51 [] print_address_description mm/kasan/report.c:190 [inline] [] kasan_report_error+0x59a/0x5c0 mm/kasan/report.c:275 [] kasan_report mm/kasan/report.c:297 [inline] [] __asan_report_load1_noabort+0x3e/0x40 mm/kasan/report.c:315 [] skb_release_data+0x39f/0x470 net/core/skbuff.c:592 [] skb_release_all+0x3d/0x50 net/core/skbuff.c:669 [] __kfree_skb+0xd/0x20 net/core/skbuff.c:683 [] kfree_skb+0x90/0x2f0 net/core/skbuff.c:704 [] br_flood+0x236/0x350 net/bridge/br_forward.c:234 [] br_flood_deliver+0x16/0x20 net/bridge/br_forward.c:241 [] br_dev_xmit+0x680/0xbc0 net/bridge/br_device.c:81 [] __netdev_start_xmit include/linux/netdevice.h:3928 [inline] [] netdev_start_xmit include/linux/netdevice.h:3937 [inline] [] xmit_one net/core/dev.c:2871 [inline] [] dev_hard_start_xmit+0x6b9/0x1140 net/core/dev.c:2887 [] __dev_queue_xmit+0x1b85/0x1f40 net/core/dev.c:3358 [] dev_queue_xmit+0xb/0x10 net/core/dev.c:3392 [] neigh_resolve_output+0x488/0x7d0 net/core/neighbour.c:1311 [] dst_neigh_output include/net/dst.h:467 [inline] [] ip6_finish_output2+0x98b/0x1b90 net/ipv6/ip6_output.c:113 [] ip6_finish_output+0x353/0x700 net/ipv6/ip6_output.c:131 [] NF_HOOK_COND include/linux/netfilter.h:233 [inline] [] ip6_output+0x167/0x530 net/ipv6/ip6_output.c:145 [] dst_output include/net/dst.h:504 [inline] [] NF_HOOK_THRESH.constprop.38+0xc9/0x290 include/linux/netfilter.h:219 [] NF_HOOK include/linux/netfilter.h:242 [inline] [] mld_sendpack+0x5f8/0xb80 net/ipv6/mcast.c:1646 [] mld_send_cr net/ipv6/mcast.c:1927 [inline] [] mld_ifc_timer_expire+0x360/0x710 net/ipv6/mcast.c:2425 [] call_timer_fn+0x14e/0x620 kernel/time/timer.c:1178 [] __run_timers kernel/time/timer.c:1254 [inline] [] run_timer_softirq+0x5f7/0x9c0 kernel/time/timer.c:1437 [] __do_softirq+0x2cc/0xa06 kernel/softirq.c:273 [] invoke_softirq kernel/softirq.c:350 [inline] [] irq_exit+0x157/0x190 kernel/softirq.c:391 [] exiting_irq arch/x86/include/asm/apic.h:658 [inline] [] smp_apic_timer_interrupt+0x7b/0xa0 arch/x86/kernel/apic/apic.c:932 [] apic_timer_interrupt+0x8c/0xa0 arch/x86/entry/entry_64.S:621 [] ? __read_once_size include/linux/compiler.h:222 [inline] [] ? avc_search_node security/selinux/avc.c:583 [inline] [] ? avc_lookup security/selinux/avc.c:612 [inline] [] ? avc_has_perm_noaudit security/selinux/avc.c:1112 [inline] [] ? avc_has_perm+0x1bf/0x470 security/selinux/avc.c:1148 [] inode_has_perm.isra.47+0x13f/0x1c0 security/selinux/hooks.c:1689 [] dentry_has_perm security/selinux/hooks.c:1705 [inline] [] selinux_inode_readlink+0xdb/0x120 security/selinux/hooks.c:2906 [] security_inode_readlink+0xb1/0xf0 security/security.c:584 [] SYSC_readlinkat fs/stat.c:333 [inline] [] SyS_readlinkat fs/stat.c:315 [inline] [] SYSC_readlink fs/stat.c:352 [inline] [] SyS_readlink+0x141/0x290 fs/stat.c:349 [] entry_SYSCALL_64_fastpath+0x23/0xc1 Memory state around the buggy address: ffff8801a7fc7400: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ffff8801a7fc7480: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff >ffff8801a7fc7500: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ^ ffff8801a7fc7580: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ffff8801a7fc7600: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ================================================================== ================================================================== BUG: KASAN: use-after-free in skb_release_data+0x3f0/0x470 net/core/skbuff.c:599 at addr ffff8801a7fc7501 Read of size 1 by task udevd/7315 page:ffffea00069ff1c0 count:0 mapcount:0 mapping: (null) index:0x0 flags: 0x57ffe0000000000() page dumped because: kasan: bad access detected CPU: 0 PID: 7315 Comm: udevd Tainted: G B 4.6.0-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 1ffffffff0d9577e ffff88012c007330 ffffffff82c4dd46 ffff8800b5aeacc0 ffff88012c0073c0 ffff8801a7fc7501 ffffed0034ff8ea0 ffff88012c0073b0 ffffffff817405ba 0000000000000010 ffffffff00000000 0000000000000286 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xe6/0x120 lib/dump_stack.c:51 [] print_address_description mm/kasan/report.c:190 [inline] [] kasan_report_error+0x59a/0x5c0 mm/kasan/report.c:275 [] kasan_report mm/kasan/report.c:297 [inline] [] __asan_report_load1_noabort+0x3e/0x40 mm/kasan/report.c:315 [] skb_release_data+0x3f0/0x470 net/core/skbuff.c:599 [] skb_release_all+0x3d/0x50 net/core/skbuff.c:669 [] __kfree_skb+0xd/0x20 net/core/skbuff.c:683 [] kfree_skb+0x90/0x2f0 net/core/skbuff.c:704 [] br_flood+0x236/0x350 net/bridge/br_forward.c:234 [] br_flood_deliver+0x16/0x20 net/bridge/br_forward.c:241 [] br_dev_xmit+0x680/0xbc0 net/bridge/br_device.c:81 [] __netdev_start_xmit include/linux/netdevice.h:3928 [inline] [] netdev_start_xmit include/linux/netdevice.h:3937 [inline] [] xmit_one net/core/dev.c:2871 [inline] [] dev_hard_start_xmit+0x6b9/0x1140 net/core/dev.c:2887 [] __dev_queue_xmit+0x1b85/0x1f40 net/core/dev.c:3358 [] dev_queue_xmit+0xb/0x10 net/core/dev.c:3392 [] neigh_resolve_output+0x488/0x7d0 net/core/neighbour.c:1311 [] dst_neigh_output include/net/dst.h:467 [inline] [] ip6_finish_output2+0x98b/0x1b90 net/ipv6/ip6_output.c:113 [] ip6_finish_output+0x353/0x700 net/ipv6/ip6_output.c:131 [] NF_HOOK_COND include/linux/netfilter.h:233 [inline] [] ip6_output+0x167/0x530 net/ipv6/ip6_output.c:145 [] dst_output include/net/dst.h:504 [inline] [] NF_HOOK_THRESH.constprop.38+0xc9/0x290 include/linux/netfilter.h:219 [] NF_HOOK include/linux/netfilter.h:242 [inline] [] mld_sendpack+0x5f8/0xb80 net/ipv6/mcast.c:1646 [] mld_send_cr net/ipv6/mcast.c:1927 [inline] [] mld_ifc_timer_expire+0x360/0x710 net/ipv6/mcast.c:2425 [] call_timer_fn+0x14e/0x620 kernel/time/timer.c:1178 [] __run_timers kernel/time/timer.c:1254 [inline] [