device veth1_macvtap left promiscuous mode
device veth0_vlan left promiscuous mode
==================================================================
BUG: KASAN: use-after-free in instrument_atomic_read_write include/linux/instrumented.h:102 [inline]
BUG: KASAN: use-after-free in atomic_try_cmpxchg_acquire include/linux/atomic/atomic-instrumented.h:541 [inline]
BUG: KASAN: use-after-free in queued_spin_lock include/asm-generic/qspinlock.h:111 [inline]
BUG: KASAN: use-after-free in do_raw_spin_lock include/linux/spinlock.h:187 [inline]
BUG: KASAN: use-after-free in __raw_spin_lock_bh include/linux/spinlock_api_smp.h:127 [inline]
BUG: KASAN: use-after-free in _raw_spin_lock_bh+0x81/0xe0 kernel/locking/spinlock.c:178
Write of size 4 at addr ffff88810bdf6914 by task kworker/u4:4/2414

CPU: 1 PID: 2414 Comm: kworker/u4:4 Not tainted syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025
Workqueue: netns cleanup_net
Call Trace:
 __dump_stack+0x21/0x24 lib/dump_stack.c:88
 dump_stack_lvl+0xee/0x150 lib/dump_stack.c:106
 print_address_description+0x71/0x200 mm/kasan/report.c:316
 print_report+0x4a/0x60 mm/kasan/report.c:420
 kasan_report+0x122/0x150 mm/kasan/report.c:524
 check_region_inline mm/kasan/generic.c:-1 [inline]
 kasan_check_range+0x280/0x290 mm/kasan/generic.c:189
 __kasan_check_write+0x14/0x20 mm/kasan/shadow.c:37
 instrument_atomic_read_write include/linux/instrumented.h:102 [inline]
 atomic_try_cmpxchg_acquire include/linux/atomic/atomic-instrumented.h:541 [inline]
 queued_spin_lock include/asm-generic/qspinlock.h:111 [inline]
 do_raw_spin_lock include/linux/spinlock.h:187 [inline]
 __raw_spin_lock_bh include/linux/spinlock_api_smp.h:127 [inline]
 _raw_spin_lock_bh+0x81/0xe0 kernel/locking/spinlock.c:178
 spin_lock_bh include/linux/spinlock.h:356 [inline]
 __ip6_del_rt+0x8f/0x150 net/ipv6/route.c:3915
 ip6_del_rt+0xb0/0xf0 net/ipv6/route.c:3931
 __remove_nexthop_fib+0x1f7/0x270 net/ipv4/nexthop.c:1861
 __remove_nexthop net/ipv4/nexthop.c:1869 [inline]
 remove_nexthop+0x73/0x500 net/ipv4/nexthop.c:1895
 remove_nh_grp_entry net/ipv4/nexthop.c:1751 [inline]
 remove_nexthop_from_groups+0x22f/0x1210 net/ipv4/nexthop.c:1816
 __remove_nexthop net/ipv4/nexthop.c:1880 [inline]
 remove_nexthop+0x3b6/0x500 net/ipv4/nexthop.c:1895
 flush_all_nexthops net/ipv4/nexthop.c:2404 [inline]
 nexthop_net_exit_batch+0x76/0x110 net/ipv4/nexthop.c:3730
 ops_exit_list net/core/net_namespace.c:177 [inline]
 cleanup_net+0x62d/0xb00 net/core/net_namespace.c:604
 process_one_work+0x71f/0xc40 kernel/workqueue.c:2302
 worker_thread+0xa29/0x11f0 kernel/workqueue.c:2449
 kthread+0x281/0x320 kernel/kthread.c:386
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295

Allocated by task 371:
 kasan_save_stack mm/kasan/common.c:45 [inline]
 kasan_set_track+0x4b/0x70 mm/kasan/common.c:52
 kasan_save_alloc_info+0x25/0x30 mm/kasan/generic.c:505
 ____kasan_kmalloc mm/kasan/common.c:379 [inline]
 __kasan_kmalloc+0x95/0xb0 mm/kasan/common.c:388
 kasan_kmalloc include/linux/kasan.h:212 [inline]
 kmalloc_trace+0x40/0xb0 mm/slab_common.c:1033
 kmalloc include/linux/slab.h:563 [inline]
 kzalloc include/linux/slab.h:699 [inline]
 fib6_net_init+0x23d/0x8c0 net/ipv6/ip6_fib.c:2389
 ops_init+0x1c8/0x4a0 net/core/net_namespace.c:138
 setup_net+0x4ab/0xcb0 net/core/net_namespace.c:335
 copy_net_ns+0x355/0x5c0 net/core/net_namespace.c:481
 create_new_namespaces+0x3a2/0x660 kernel/nsproxy.c:110
 unshare_nsproxy_namespaces+0x120/0x170 kernel/nsproxy.c:226
 ksys_unshare+0x4ac/0x7b0 kernel/fork.c:3399
 __do_sys_unshare kernel/fork.c:3470 [inline]
 __se_sys_unshare kernel/fork.c:3468 [inline]
 __x64_sys_unshare+0x38/0x40 kernel/fork.c:3468
 x64_sys_call+0x767/0x9a0 arch/x86/include/generated/asm/syscalls_64.h:273
 do_syscall_x64 arch/x86/entry/common.c:51 [inline]
 do_syscall_64+0x4c/0xa0 arch/x86/entry/common.c:81
 entry_SYSCALL_64_after_hwframe+0x68/0xd2

Freed by task 2414:
 kasan_save_stack mm/kasan/common.c:45 [inline]
 kasan_set_track+0x4b/0x70 mm/kasan/common.c:52
 kasan_save_free_info+0x31/0x50 mm/kasan/generic.c:516
 ____kasan_slab_free+0x132/0x180 mm/kasan/common.c:241
 __kasan_slab_free+0x11/0x20 mm/kasan/common.c:249
 kasan_slab_free include/linux/kasan.h:178 [inline]
 slab_free_hook mm/slub.c:1750 [inline]
 slab_free_freelist_hook+0xc2/0x190 mm/slub.c:1776
 slab_free mm/slub.c:3712 [inline]
 __kmem_cache_free+0xb7/0x1b0 mm/slub.c:3728
 kfree+0x6f/0xf0 mm/slab_common.c:990
 fib6_free_table net/ipv6/ip6_fib.c:216 [inline]
 fib6_net_exit+0x270/0x300 net/ipv6/ip6_fib.c:2443
 ops_exit_list net/core/net_namespace.c:172 [inline]
 cleanup_net+0x5ad/0xb00 net/core/net_namespace.c:604
 process_one_work+0x71f/0xc40 kernel/workqueue.c:2302
 worker_thread+0xa29/0x11f0 kernel/workqueue.c:2449
 kthread+0x281/0x320 kernel/kthread.c:386
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295

The buggy address belongs to the object at ffff88810bdf6900 which belongs to the cache kmalloc-128 of size 128
The buggy address is located 20 bytes inside of 128-byte region [ffff88810bdf6900, ffff88810bdf6980)

The buggy address belongs to the physical page:
page:ffffea00042f7d80 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10bdf6
flags: 0x4000000000000200(slab|zone=1)
raw: 4000000000000200 ffffea000432fbc0 dead000000000003 ffff888100042a80
raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12c00(GFP_NOIO|__GFP_NOWARN|__GFP_NORETRY), pid 1, tgid 1 (swapper/0), ts 3100221853, free_ts 0
 set_page_owner include/linux/page_owner.h:33 [inline]
 post_alloc_hook+0x1f5/0x210 mm/page_alloc.c:2643
 prep_new_page+0x1c/0x110 mm/page_alloc.c:2650
 get_page_from_freelist+0x2c7b/0x2cf0 mm/page_alloc.c:4554
 __alloc_pages+0x1c3/0x450 mm/page_alloc.c:5868
 alloc_slab_page+0x6e/0xf0 include/linux/gfp.h:-1
 allocate_slab mm/slub.c:1967 [inline]
 new_slab+0x98/0x3d0 mm/slub.c:2020
 ___slab_alloc+0x6bd/0xb20 mm/slub.c:3177
 __slab_alloc+0x5e/0xa0 mm/slub.c:3263
 slab_alloc_node mm/slub.c:3348 [inline]
 __kmem_cache_alloc_node+0x203/0x2c0 mm/slub.c:3423
 __do_kmalloc_node mm/slab_common.c:937 [inline]
 __kmalloc_node+0xa1/0x1e0 mm/slab_common.c:945
 kmalloc_node include/linux/slab.h:589 [inline]
 kvmalloc_node+0x294/0x480 mm/util.c:592
 kvzalloc_node include/linux/slab.h:720 [inline]
 sbitmap_init_node+0x43b/0x580 lib/sbitmap.c:113
 blk_mq_alloc_hctx block/blk-mq.c:3743 [inline]
 blk_mq_alloc_and_init_hctx+0x4f0/0xe50 block/blk-mq.c:4191
 blk_mq_realloc_hw_ctxs+0x17a/0x410 block/blk-mq.c:4224
 blk_mq_init_allocated_queue+0x4df/0x16b0 block/blk-mq.c:4286
 blk_mq_init_queue_data block/blk-mq.c:4096 [inline]
 __blk_mq_alloc_disk+0xb8/0x1e0 block/blk-mq.c:4143
page_owner free stack trace missing

Memory state around the buggy address:
 ffff88810bdf6800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88810bdf6880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff88810bdf6900: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                         ^
 ffff88810bdf6980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff88810bdf6a00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fc fc
==================================================================
IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_hsr: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_hsr: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): veth1_virt_wifi: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready