==================================================================
BUG: KASAN: use-after-free in __dev_queue_xmit+0x169b/0x1bd0 net/core/dev.c:3431
Read of size 4 at addr ffff8801d6614224 by task syz-executor.1/14273

CPU: 1 PID: 14273 Comm: syz-executor.1 Not tainted 4.9.194+ #0
 ffff8801a6b2f080 ffffffff81b67001 0000000000000000 ffffea0007598500
 ffff8801d6614224 0000000000000004 ffffffff8233ce8b ffff8801a6b2f0b8
 ffffffff8150c4f1 0000000000000000 ffff8801d6614224 ffff8801d6614224
Call Trace:
 [<000000007dc11766>] __dump_stack lib/dump_stack.c:15 [inline]
 [<000000007dc11766>] dump_stack+0xc1/0x120 lib/dump_stack.c:51
 [<0000000007fc6047>] print_address_description+0x6f/0x23a mm/kasan/report.c:256
 [<0000000084fba302>] kasan_report_error mm/kasan/report.c:355 [inline]
 [<0000000084fba302>] kasan_report mm/kasan/report.c:413 [inline]
 [<0000000084fba302>] kasan_report.cold+0x8c/0x2ba mm/kasan/report.c:397
 [<00000000b9a8a610>] __asan_report_load4_noabort+0x14/0x20 mm/kasan/report.c:433
 [<00000000a7acdbe0>] __dev_queue_xmit+0x169b/0x1bd0 net/core/dev.c:3431
 [<0000000091836ece>] dev_queue_xmit+0x18/0x20 net/core/dev.c:3506
 [<00000000b7b68bcf>] neigh_resolve_output+0x4a0/0x7a0 net/core/neighbour.c:1328
 [<00000000ed71f07e>] dst_neigh_output include/net/dst.h:470 [inline]
 [<00000000ed71f07e>] ip6_finish_output2+0x94f/0x1e50 net/ipv6/ip6_output.c:119
 [<000000001978ec05>] ip6_finish_output+0x336/0x970 net/ipv6/ip6_output.c:145
 [<0000000096be4429>] NF_HOOK_COND include/linux/netfilter.h:246 [inline]
 [<0000000096be4429>] ip6_output+0x21b/0x730 net/ipv6/ip6_output.c:162
 [<000000009340d3d8>] dst_output include/net/dst.h:507 [inline]
 [<000000009340d3d8>] ip6_local_out+0x9c/0x180 net/ipv6/output_core.c:178
 [<000000007bf0f326>] ip6_send_skb+0xa2/0x340 net/ipv6/ip6_output.c:1753
 [<000000009f88b1bf>] udp_v6_send_skb+0x438/0xe90 net/ipv6/udp.c:974
 [<00000000f48dcf05>] udp_v6_push_pending_frames+0x245/0x360 net/ipv6/udp.c:1007
 [<00000000e07cae70>] udpv6_sendmsg+0x19b0/0x2430 net/ipv6/udp.c:1273
 [<0000000029ed5b27>] inet_sendmsg+0x202/0x4d0 net/ipv4/af_inet.c:766
 [<00000000c9b4d9ef>] sock_sendmsg_nosec net/socket.c:649 [inline]
 [<00000000c9b4d9ef>] sock_sendmsg+0xbe/0x110 net/socket.c:659
 [<0000000071ea3daa>] ___sys_sendmsg+0x387/0x8b0 net/socket.c:1983
 [<0000000043c0ef93>] __sys_sendmmsg+0x164/0x3d0 net/socket.c:2073
 [<00000000a7069175>] SYSC_sendmmsg net/socket.c:2104 [inline]
 [<00000000a7069175>] SyS_sendmmsg+0x35/0x60 net/socket.c:2099
 [<000000008cf77fff>] do_syscall_64+0x1ad/0x5c0 arch/x86/entry/common.c:288
 [<0000000081a3707a>] entry_SYSCALL_64_after_swapgs+0x5d/0xdb

The buggy address belongs to the page:
page:ffffea0007598500 count:0 mapcount:-127 mapping:          (null) index:0x0
flags: 0x4000000000000000()
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8801d6614100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff8801d6614180: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff8801d6614200: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                               ^
 ffff8801d6614280: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff8801d6614300: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================