================================================================== BUG: KASAN: use-after-free in instrument_atomic_read_write include/linux/instrumented.h:101 [inline] BUG: KASAN: use-after-free in atomic64_dec_if_positive include/asm-generic/atomic-instrumented.h:1176 [inline] BUG: KASAN: use-after-free in atomic_long_dec_if_positive include/asm-generic/atomic-long.h:515 [inline] BUG: KASAN: use-after-free in dec_ucount+0x54/0x130 kernel/ucount.c:245 Write of size 8 at addr ffff888011ba8b40 by task kworker/u4:2/28 CPU: 1 PID: 28 Comm: kworker/u4:2 Not tainted 5.14.0-rc2-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Workqueue: netns cleanup_net Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:105 print_address_description.constprop.0.cold+0x6c/0x309 mm/kasan/report.c:233 __kasan_report mm/kasan/report.c:419 [inline] kasan_report.cold+0x83/0xdf mm/kasan/report.c:436 check_region_inline mm/kasan/generic.c:183 [inline] kasan_check_range+0x13d/0x180 mm/kasan/generic.c:189 instrument_atomic_read_write include/linux/instrumented.h:101 [inline] atomic64_dec_if_positive include/asm-generic/atomic-instrumented.h:1176 [inline] atomic_long_dec_if_positive include/asm-generic/atomic-long.h:515 [inline] dec_ucount+0x54/0x130 kernel/ucount.c:245 dec_net_namespaces net/core/net_namespace.c:394 [inline] cleanup_net+0x6f3/0xb10 net/core/net_namespace.c:611 process_one_work+0x98d/0x1630 kernel/workqueue.c:2276 worker_thread+0x658/0x11f0 kernel/workqueue.c:2422 kthread+0x3e5/0x4d0 kernel/kthread.c:319 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295 Allocated by task 28: kasan_save_stack+0x1b/0x40 mm/kasan/common.c:38 kasan_set_track mm/kasan/common.c:46 [inline] set_alloc_info mm/kasan/common.c:434 [inline] ____kasan_kmalloc mm/kasan/common.c:513 [inline] ____kasan_kmalloc mm/kasan/common.c:472 [inline] __kasan_kmalloc+0x9b/0xd0 mm/kasan/common.c:522 kmalloc include/linux/slab.h:591 [inline] addr_event.part.0+0x7b/0x4d0 drivers/infiniband/core/roce_gid_mgmt.c:840 addr_event drivers/infiniband/core/roce_gid_mgmt.c:824 [inline] inetaddr_event+0x12c/0x190 drivers/infiniband/core/roce_gid_mgmt.c:869 notifier_call_chain+0xb5/0x200 kernel/notifier.c:83 blocking_notifier_call_chain kernel/notifier.c:337 [inline] blocking_notifier_call_chain+0x67/0x90 kernel/notifier.c:325 __inet_del_ifa+0x415/0xf70 net/ipv4/devinet.c:428 inet_del_ifa net/ipv4/devinet.c:465 [inline] inetdev_destroy net/ipv4/devinet.c:318 [inline] inetdev_event+0x671/0x15d0 net/ipv4/devinet.c:1598 notifier_call_chain+0xb5/0x200 kernel/notifier.c:83 call_netdevice_notifiers_info+0xb5/0x130 net/core/dev.c:2122 call_netdevice_notifiers_extack net/core/dev.c:2134 [inline] call_netdevice_notifiers net/core/dev.c:2148 [inline] unregister_netdevice_many+0x951/0x1790 net/core/dev.c:11075 default_device_exit_batch+0x2fa/0x3c0 net/core/dev.c:11605 ops_exit_list+0x10d/0x160 net/core/net_namespace.c:178 cleanup_net+0x4ea/0xb10 net/core/net_namespace.c:595 process_one_work+0x98d/0x1630 kernel/workqueue.c:2276 worker_thread+0x658/0x11f0 kernel/workqueue.c:2422 kthread+0x3e5/0x4d0 kernel/kthread.c:319 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295 Last potentially related work creation: kasan_save_stack+0x1b/0x40 mm/kasan/common.c:38 kasan_record_aux_stack+0xe5/0x110 mm/kasan/generic.c:348 insert_work+0x48/0x370 kernel/workqueue.c:1332 __queue_work+0x5c1/0xed0 kernel/workqueue.c:1498 queue_work_on+0xee/0x110 kernel/workqueue.c:1525 queue_work include/linux/workqueue.h:507 [inline] addr_event.part.0+0x31c/0x4d0 drivers/infiniband/core/roce_gid_mgmt.c:853 addr_event drivers/infiniband/core/roce_gid_mgmt.c:824 [inline] inetaddr_event+0x12c/0x190 drivers/infiniband/core/roce_gid_mgmt.c:869 notifier_call_chain+0xb5/0x200 kernel/notifier.c:83 blocking_notifier_call_chain kernel/notifier.c:337 [inline] blocking_notifier_call_chain+0x67/0x90 kernel/notifier.c:325 __inet_del_ifa+0x415/0xf70 net/ipv4/devinet.c:428 inet_del_ifa net/ipv4/devinet.c:465 [inline] inetdev_destroy net/ipv4/devinet.c:318 [inline] inetdev_event+0x671/0x15d0 net/ipv4/devinet.c:1598 notifier_call_chain+0xb5/0x200 kernel/notifier.c:83 call_netdevice_notifiers_info+0xb5/0x130 net/core/dev.c:2122 call_netdevice_notifiers_extack net/core/dev.c:2134 [inline] call_netdevice_notifiers net/core/dev.c:2148 [inline] unregister_netdevice_many+0x951/0x1790 net/core/dev.c:11075 default_device_exit_batch+0x2fa/0x3c0 net/core/dev.c:11605 ops_exit_list+0x10d/0x160 net/core/net_namespace.c:178 cleanup_net+0x4ea/0xb10 net/core/net_namespace.c:595 process_one_work+0x98d/0x1630 kernel/workqueue.c:2276 worker_thread+0x658/0x11f0 kernel/workqueue.c:2422 kthread+0x3e5/0x4d0 kernel/kthread.c:319 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295 Second to last potentially related work creation: kasan_save_stack+0x1b/0x40 mm/kasan/common.c:38 kasan_record_aux_stack+0xe5/0x110 mm/kasan/generic.c:348 insert_work+0x48/0x370 kernel/workqueue.c:1332 __queue_work+0x5c1/0xed0 kernel/workqueue.c:1498 queue_work_on+0xee/0x110 kernel/workqueue.c:1525 queue_work include/linux/workqueue.h:507 [inline] addr_event.part.0+0x31c/0x4d0 drivers/infiniband/core/roce_gid_mgmt.c:853 addr_event drivers/infiniband/core/roce_gid_mgmt.c:824 [inline] inet6addr_event+0x13e/0x1b0 drivers/infiniband/core/roce_gid_mgmt.c:883 notifier_call_chain+0xb5/0x200 kernel/notifier.c:83 atomic_notifier_call_chain+0x70/0x180 kernel/notifier.c:217 ipv6_add_addr+0x1705/0x1f00 net/ipv6/addrconf.c:1152 inet6_addr_add+0x410/0xae0 net/ipv6/addrconf.c:2945 inet6_rtm_newaddr+0xf00/0x1970 net/ipv6/addrconf.c:4871 rtnetlink_rcv_msg+0x413/0xb80 net/core/rtnetlink.c:5574 netlink_rcv_skb+0x153/0x420 net/netlink/af_netlink.c:2504 netlink_unicast_kernel net/netlink/af_netlink.c:1314 [inline] netlink_unicast+0x533/0x7d0 net/netlink/af_netlink.c:1340 netlink_sendmsg+0x86d/0xdb0 net/netlink/af_netlink.c:1929 sock_sendmsg_nosec net/socket.c:703 [inline] sock_sendmsg+0xcf/0x120 net/socket.c:723 __sys_sendto+0x21c/0x320 net/socket.c:2019 __do_sys_sendto net/socket.c:2031 [inline] __se_sys_sendto net/socket.c:2027 [inline] __x64_sys_sendto+0xdd/0x1b0 net/socket.c:2027 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x44/0xae The buggy address belongs to the object at ffff888011ba8b00 which belongs to the cache kmalloc-192 of size 192 The buggy address is located 64 bytes inside of 192-byte region [ffff888011ba8b00, ffff888011ba8bc0) The buggy address belongs to the page: page:ffffea000046ea00 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff888011ba8b00 pfn:0x11ba8 flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000000200 ffffea000077bf48 ffffea0002873088 ffff888010841a00 raw: ffff888011ba8b00 000000000010000f 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x0(), pid 1, ts 1892807739, free_ts 0 create_dummy_stack mm/page_owner.c:59 [inline] register_early_stack+0x66/0xb0 mm/page_owner.c:75 init_page_owner mm/page_owner.c:85 [inline] init_page_owner+0x4e/0x890 mm/page_owner.c:78 invoke_init_callbacks mm/page_ext.c:98 [inline] page_ext_init+0x4c6/0x4d9 mm/page_ext.c:407 kernel_init_freeable+0x48b/0x741 init/main.c:1591 page_owner free stack trace missing Memory state around the buggy address: ffff888011ba8a00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff888011ba8a80: 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff888011ba8b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff888011ba8b80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc ffff888011ba8c00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ==================================================================