IPv6: RTM_NEWROUTE with no NLM_F_CREATE or NLM_F_REPLACE ================================================================== BUG: KASAN: use-after-free in ip6_route_mpath_notify+0xc2/0xd0 net/ipv6/route.c:3131 Read of size 4 at addr ffff8801af18be90 by task syz-executor5/24322 CPU: 0 PID: 24322 Comm: syz-executor5 Not tainted 4.14.71+ #8 Call Trace: __dump_stack lib/dump_stack.c:17 [inline] dump_stack+0xb9/0x11b lib/dump_stack.c:53 print_address_description+0x60/0x22b mm/kasan/report.c:252 kasan_report_error mm/kasan/report.c:351 [inline] kasan_report.cold.6+0x11b/0x2dd mm/kasan/report.c:409 ip6_route_mpath_notify+0xc2/0xd0 net/ipv6/route.c:3131 ip6_route_multipath_add+0xbfc/0x1100 net/ipv6/route.c:3251 inet6_rtm_newroute+0xa4/0x110 net/ipv6/route.c:3339 rtnetlink_rcv_msg+0x3bb/0xb30 net/core/rtnetlink.c:4255 netlink_rcv_skb+0x130/0x390 net/netlink/af_netlink.c:2432 netlink_unicast_kernel net/netlink/af_netlink.c:1286 [inline] netlink_unicast+0x46d/0x620 net/netlink/af_netlink.c:1312 netlink_sendmsg+0x664/0xbe0 net/netlink/af_netlink.c:1877 sock_sendmsg_nosec net/socket.c:645 [inline] sock_sendmsg+0xb5/0x100 net/socket.c:655 ___sys_sendmsg+0x741/0x890 net/socket.c:2061 __sys_sendmsg+0xca/0x170 net/socket.c:2095 SYSC_sendmsg net/socket.c:2106 [inline] SyS_sendmsg+0x27/0x40 net/socket.c:2102 do_syscall_64+0x19b/0x4b0 arch/x86/entry/common.c:289 entry_SYSCALL_64_after_hwframe+0x42/0xb7 RIP: 0033:0x457679 RSP: 002b:00007fc23ca34c78 EFLAGS: 00000246 ORIG_RAX: 000000000000002e RAX: ffffffffffffffda RBX: 00007fc23ca356d4 RCX: 0000000000457679 RDX: 0000000000000000 RSI: 0000000020000340 RDI: 0000000000000005 RBP: 000000000072bfa0 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff R13: 00000000004d5160 R14: 00000000004c3564 R15: 0000000000000001 Allocated by task 24322: save_stack mm/kasan/kasan.c:447 [inline] set_track mm/kasan/kasan.c:459 [inline] kasan_kmalloc.part.1+0x4f/0xd0 mm/kasan/kasan.c:551 slab_post_alloc_hook mm/slab.h:442 [inline] slab_alloc_node mm/slub.c:2723 [inline] slab_alloc mm/slub.c:2731 [inline] kmem_cache_alloc+0xe4/0x2b0 mm/slub.c:2736 dst_alloc+0xb1/0x1a0 net/core/dst.c:107 __ip6_dst_alloc+0x2f/0x60 net/ipv6/route.c:355 ip6_dst_alloc+0x2a/0x1d0 net/ipv6/route.c:368 ip6_route_info_create+0x339/0x23d0 net/ipv6/route.c:1953 ip6_route_multipath_add+0x60b/0x1100 net/ipv6/route.c:3190 inet6_rtm_newroute+0xa4/0x110 net/ipv6/route.c:3339 rtnetlink_rcv_msg+0x3bb/0xb30 net/core/rtnetlink.c:4255 netlink_rcv_skb+0x130/0x390 net/netlink/af_netlink.c:2432 netlink_unicast_kernel net/netlink/af_netlink.c:1286 [inline] netlink_unicast+0x46d/0x620 net/netlink/af_netlink.c:1312 netlink_sendmsg+0x664/0xbe0 net/netlink/af_netlink.c:1877 sock_sendmsg_nosec net/socket.c:645 [inline] sock_sendmsg+0xb5/0x100 net/socket.c:655 ___sys_sendmsg+0x741/0x890 net/socket.c:2061 __sys_sendmsg+0xca/0x170 net/socket.c:2095 SYSC_sendmsg net/socket.c:2106 [inline] SyS_sendmsg+0x27/0x40 net/socket.c:2102 do_syscall_64+0x19b/0x4b0 arch/x86/entry/common.c:289 entry_SYSCALL_64_after_hwframe+0x42/0xb7 Freed by task 24322: save_stack mm/kasan/kasan.c:447 [inline] set_track mm/kasan/kasan.c:459 [inline] kasan_slab_free+0xac/0x190 mm/kasan/kasan.c:524 slab_free_hook mm/slub.c:1389 [inline] slab_free_freelist_hook mm/slub.c:1410 [inline] slab_free mm/slub.c:2966 [inline] kmem_cache_free+0x12d/0x350 mm/slub.c:2988 dst_destroy+0x1c7/0x2c0 net/core/dst.c:138 dst_release_immediate+0x45/0x60 net/core/dst.c:203 fib6_add+0x18c5/0x2c30 net/ipv6/ip6_fib.c:1233 __ip6_ins_rt+0x61/0x80 net/ipv6/route.c:945 ip6_route_multipath_add+0xb1c/0x1100 net/ipv6/route.c:3215 inet6_rtm_newroute+0xa4/0x110 net/ipv6/route.c:3339 rtnetlink_rcv_msg+0x3bb/0xb30 net/core/rtnetlink.c:4255 netlink_rcv_skb+0x130/0x390 net/netlink/af_netlink.c:2432 netlink_unicast_kernel net/netlink/af_netlink.c:1286 [inline] netlink_unicast+0x46d/0x620 net/netlink/af_netlink.c:1312 netlink_sendmsg+0x664/0xbe0 net/netlink/af_netlink.c:1877 sock_sendmsg_nosec net/socket.c:645 [inline] sock_sendmsg+0xb5/0x100 net/socket.c:655 ___sys_sendmsg+0x741/0x890 net/socket.c:2061 __sys_sendmsg+0xca/0x170 net/socket.c:2095 SYSC_sendmsg net/socket.c:2106 [inline] SyS_sendmsg+0x27/0x40 net/socket.c:2102 do_syscall_64+0x19b/0x4b0 arch/x86/entry/common.c:289 entry_SYSCALL_64_after_hwframe+0x42/0xb7 The buggy address belongs to the object at ffff8801af18bdc0 which belongs to the cache ip6_dst_cache of size 384 The buggy address is located 208 bytes inside of 384-byte region [ffff8801af18bdc0, ffff8801af18bf40) The buggy address belongs to the page: page:ffffea0006bc6280 count:1 mapcount:0 mapping: (null) index:0x0 compound_mapcount: 0 flags: 0x4000000000008100(slab|head) raw: 4000000000008100 0000000000000000 0000000000000000 0000000180120012 raw: ffffea0006bc6200 0000000200000002 ffff8801d5f4ea00 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff8801af18bd80: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb ffff8801af18be00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff8801af18be80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff8801af18bf00: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc ffff8801af18bf80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ==================================================================