syz-executor.5 (5495) used greatest stack depth: 22960 bytes left ================================================================== BUG: KASAN: use-after-free in __write_once_size include/linux/compiler.h:247 [inline] BUG: KASAN: use-after-free in __hlist_del include/linux/list.h:632 [inline] BUG: KASAN: use-after-free in hlist_del_rcu include/linux/rculist.h:340 [inline] BUG: KASAN: use-after-free in nf_nat_cleanup_conntrack+0x1ca/0x1e0 net/netfilter/nf_nat_core.c:691 Write of size 8 at addr ffff8800a09c5580 by task kworker/u4:5/2174 CPU: 0 PID: 2174 Comm: kworker/u4:5 Not tainted 4.4.174+ #4 Workqueue: netns cleanup_net 0000000000000000 1c004ad469725d29 ffff8801db607a10 ffffffff81aad1a1 0000000000000001 ffffea0002827140 ffff8800a09c5580 0000000000000008 ffffffff82361100 ffff8801db607a48 ffffffff81490120 0000000000000001 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xc1/0x120 lib/dump_stack.c:51 [] print_address_description+0x6f/0x21b mm/kasan/report.c:252 [] kasan_report_error mm/kasan/report.c:351 [inline] [] kasan_report mm/kasan/report.c:408 [inline] [] kasan_report.cold+0x8c/0x2be mm/kasan/report.c:393 [] __asan_report_store8_noabort+0x17/0x20 mm/kasan/report.c:434 [] __write_once_size include/linux/compiler.h:247 [inline] [] __hlist_del include/linux/list.h:632 [inline] [] hlist_del_rcu include/linux/rculist.h:340 [inline] [] nf_nat_cleanup_conntrack+0x1ca/0x1e0 net/netfilter/nf_nat_core.c:691 [] __nf_ct_ext_destroy+0x140/0x2a0 net/netfilter/nf_conntrack_extend.c:40 [] nf_ct_ext_destroy include/net/netfilter/nf_conntrack_extend.h:80 [inline] [] nf_conntrack_free+0x77/0x120 net/netfilter/nf_conntrack_core.c:904 [] destroy_conntrack+0x270/0x380 net/netfilter/nf_conntrack_core.c:365 [] nf_conntrack_destroy+0x99/0x1a0 net/netfilter/core.c:389 [] nf_conntrack_put include/linux/skbuff.h:3377 [inline] [] skb_release_head_state+0x15a/0x210 net/core/skbuff.c:649 [] skb_release_all+0x16/0x60 net/core/skbuff.c:659 [] __kfree_skb net/core/skbuff.c:675 [inline] [] kfree_skb+0xf7/0x400 net/core/skbuff.c:696 [] inet_frag_rbtree_purge+0xaa/0xf0 net/ipv4/ip_fragment.c:761 [] inet_frag_destroy+0x21f/0x2c0 net/ipv4/inet_fragment.c:156 [] inet_frag_put include/net/inet_frag.h:124 [inline] [] ipq_put+0x34/0x40 net/ipv4/ip_fragment.c:164 [] ip_expire+0x14d/0x880 net/ipv4/ip_fragment.c:265 [] call_timer_fn+0x18d/0x850 kernel/time/timer.c:1185 [] __run_timers kernel/time/timer.c:1261 [inline] [] run_timer_softirq+0x51f/0xb70 kernel/time/timer.c:1444 [] __do_softirq+0x226/0xa3f kernel/softirq.c:273 [] invoke_softirq kernel/softirq.c:350 [inline] [] irq_exit+0x10a/0x150 kernel/softirq.c:391 [] exiting_irq arch/x86/include/asm/apic.h:652 [inline] [] smp_apic_timer_interrupt+0x7e/0xb0 arch/x86/kernel/apic/apic.c:926 [] apic_timer_interrupt+0x9d/0xb0 arch/x86/entry/entry_64.S:768 [] ? get_next_corpse net/netfilter/nf_conntrack_core.c:1393 [inline] [] ? nf_ct_iterate_cleanup+0xe1/0x500 net/netfilter/nf_conntrack_core.c:1432 [] local_bh_enable include/linux/bottom_half.h:31 [inline] [] get_next_corpse net/netfilter/nf_conntrack_core.c:1403 [inline] [] nf_ct_iterate_cleanup+0x108/0x500 net/netfilter/nf_conntrack_core.c:1432 [] nf_conntrack_cleanup_net_list+0x7c/0x300 net/netfilter/nf_conntrack_core.c:1522 [] nf_conntrack_pernet_exit+0x11d/0x170 net/netfilter/nf_conntrack_standalone.c:583 [] ops_exit_list.isra.0+0x105/0x160 net/core/net_namespace.c:137 [] cleanup_net+0x3d6/0x860 net/core/net_namespace.c:452 [] process_one_work+0x825/0x1720 kernel/workqueue.c:2064 [] worker_thread+0x4e4/0xf50 kernel/workqueue.c:2196 [] kthread+0x273/0x310 kernel/kthread.c:211 [] ret_from_fork+0x55/0x80 arch/x86/entry/entry_64.S:537 The buggy address belongs to the page: page:ffffea0002827140 count:0 mapcount:0 mapping: (null) index:0x0 flags: 0x0() page dumped because: kasan: bad access detected Memory state around the buggy address: ffff8800a09c5480: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ffff8800a09c5500: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff >ffff8800a09c5580: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ^ ffff8800a09c5600: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ffff8800a09c5680: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ==================================================================