================================================================== BUG: KASAN: use-after-free in __write_once_size include/linux/compiler.h:247 [inline] BUG: KASAN: use-after-free in __hlist_del include/linux/list.h:632 [inline] BUG: KASAN: use-after-free in hlist_del_rcu include/linux/rculist.h:340 [inline] BUG: KASAN: use-after-free in nf_nat_cleanup_conntrack+0x1ca/0x1e0 net/netfilter/nf_nat_core.c:691 Write of size 8 at addr ffff8800a7770d40 by task syz-executor.0/3668 CPU: 0 PID: 3668 Comm: syz-executor.0 Not tainted 4.4.174+ #17 0000000000000000[ 92.234760] SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket 71ab418799d26d2f ffff8801db607a10 ffffffff81aad1a1 0000000000000001 ffffea00029ddc00 ffff8800a7770d40 0000000000000008 ffffffff82361100 ffff8801db607a48 ffffffff81490120 0000000000000001 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xc1/0x120 lib/dump_stack.c:51 [] print_address_description+0x6f/0x21b mm/kasan/report.c:252 [] kasan_report_error mm/kasan/report.c:351 [inline] [] kasan_report mm/kasan/report.c:408 [inline] [] kasan_report.cold+0x8c/0x2be mm/kasan/report.c:393 [] __asan_report_store8_noabort+0x17/0x20 mm/kasan/report.c:434 [] __write_once_size include/linux/compiler.h:247 [inline] [] __hlist_del include/linux/list.h:632 [inline] [] hlist_del_rcu include/linux/rculist.h:340 [inline] [] nf_nat_cleanup_conntrack+0x1ca/0x1e0 net/netfilter/nf_nat_core.c:691 [] __nf_ct_ext_destroy+0x140/0x2a0 net/netfilter/nf_conntrack_extend.c:40 [] nf_ct_ext_destroy include/net/netfilter/nf_conntrack_extend.h:80 [inline] [] nf_conntrack_free+0x77/0x120 net/netfilter/nf_conntrack_core.c:904 [] destroy_conntrack+0x270/0x380 net/netfilter/nf_conntrack_core.c:365 [] nf_conntrack_destroy+0x99/0x1a0 net/netfilter/core.c:389 SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket [] nf_conntrack_put include/linux/skbuff.h:3377 [inline] [] skb_release_head_state+0x15a/0x210 net/core/skbuff.c:649 [] skb_release_all+0x16/0x60 net/core/skbuff.c:659 [] __kfree_skb net/core/skbuff.c:675 [inline] [] kfree_skb+0xf7/0x400 net/core/skbuff.c:696 [] inet_frag_rbtree_purge+0xaa/0xf0 net/ipv4/ip_fragment.c:761 [] inet_frag_destroy+0x21f/0x2c0 net/ipv4/inet_fragment.c:156 [] inet_frag_put include/net/inet_frag.h:124 [inline] [] ipq_put+0x34/0x40 net/ipv4/ip_fragment.c:164 [] ip_expire+0x14d/0x880 net/ipv4/ip_fragment.c:265 [] call_timer_fn+0x18d/0x850 kernel/time/timer.c:1185 [] __run_timers kernel/time/timer.c:1261 [inline] [] run_timer_softirq+0x51f/0xb70 kernel/time/timer.c:1444 [] __do_softirq+0x226/0xa3f kernel/softirq.c:273 SELinux: unrecognized netlink message: protocol=0 nlmsg_type=65535 sclass=netlink_route_socket [] invoke_softirq kernel/softirq.c:350 [inline] [] irq_exit+0x10a/0x150 kernel/softirq.c:391 [] exiting_irq arch/x86/include/asm/apic.h:652 [inline] [] smp_apic_timer_interrupt+0x7e/0xb0 arch/x86/kernel/apic/apic.c:926 [] apic_timer_interrupt+0x9d/0xb0 arch/x86/entry/entry_64.S:768 [] ? arch_local_irq_restore arch/x86/include/asm/paravirt.h:812 [inline] [] ? lock_is_held+0xfb/0x140 kernel/locking/lockdep.c:3632 [] ___might_sleep+0x1ca/0x280 kernel/sched/core.c:7956 [] __might_sleep+0x90/0x1a0 kernel/sched/core.c:7948 [] anon_vma_prepare+0x5a/0x3d0 mm/rmap.c:174 [] wp_page_copy.isra.0+0xb6/0xc70 mm/memory.c:2159 [] do_wp_page+0x23a/0x1340 mm/memory.c:2441 [] handle_pte_fault mm/memory.c:3362 [inline] [] __handle_mm_fault mm/memory.c:3474 [inline] [] handle_mm_fault+0x1614/0x3140 mm/memory.c:3503 [] __do_page_fault+0x28e/0x7f0 arch/x86/mm/fault.c:1243 [] do_page_fault+0x28/0x30 arch/x86/mm/fault.c:1306 [] page_fault+0x25/0x30 arch/x86/entry/entry_64.S:1064 [] pipe_read+0x274/0x860 fs/pipe.c:270 [] new_sync_read fs/read_write.c:424 [inline] [] __vfs_read+0x2e5/0x3c0 fs/read_write.c:436 [] vfs_read+0x134/0x360 fs/read_write.c:456 [] SYSC_read fs/read_write.c:571 [inline] [] SyS_read+0xdc/0x1c0 fs/read_write.c:564 [] do_syscall_32_irqs_on arch/x86/entry/common.c:330 [inline] [] do_fast_syscall_32+0x32d/0xa90 arch/x86/entry/common.c:397 [] sysenter_flags_fixed+0xd/0x1a The buggy address belongs to the page: page:ffffea00029ddc00 count:0 mapcount:0 mapping: (null) index:0x0 flags: 0x0() page dumped because: kasan: bad access detected Memory state around the buggy address: ffff8800a7770c00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ffff8800a7770c80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff >ffff8800a7770d00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ^ ffff8800a7770d80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ffff8800a7770e00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ==================================================================