==================================================================
BUG: KASAN: use-after-free in xfrm6_tunnel_free_spi net/ipv6/xfrm6_tunnel.c:205 [inline]
BUG: KASAN: use-after-free in xfrm6_tunnel_destroy+0x557/0x600 net/ipv6/xfrm6_tunnel.c:300
Read of size 8 at addr ffff8801d5c9a8f8 by task kworker/1:2/23916

CPU: 1 PID: 23916 Comm: kworker/1:2 Not tainted 4.4.169+ #2
Workqueue: events xfrm_state_gc_task
 0000000000000000 90f9f17ca0de363f ffff8800984d7a48 ffffffff81aab9c1
 0000000000000000 ffffea0007572600 ffff8801d5c9a8f8 0000000000000008
 ffff8801d5c9a100 ffff8800984d7a80 ffffffff8148fc0d 0000000000000000
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x120 lib/dump_stack.c:51
 [] print_address_description+0x6f/0x21b mm/kasan/report.c:252
 [] kasan_report_error mm/kasan/report.c:351 [inline]
 [] kasan_report mm/kasan/report.c:408 [inline]
 [] kasan_report.cold+0x8c/0x2be mm/kasan/report.c:393
 [] __asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:429
 [] xfrm6_tunnel_free_spi net/ipv6/xfrm6_tunnel.c:205 [inline]
 [] xfrm6_tunnel_destroy+0x557/0x600 net/ipv6/xfrm6_tunnel.c:300
 [] xfrm_state_gc_destroy net/xfrm/xfrm_state.c:349 [inline]
 [] xfrm_state_gc_task+0x3aa/0x510 net/xfrm/xfrm_state.c:368
 [] process_one_work+0x825/0x1720 kernel/workqueue.c:2064
 [] worker_thread+0x4e4/0xf50 kernel/workqueue.c:2196
 [] kthread+0x273/0x310 kernel/kthread.c:211
 [] ret_from_fork+0x55/0x80 arch/x86/entry/entry_64.S:537

Allocated by task 2139:
 [] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:63
 [] save_stack mm/kasan/kasan.c:512 [inline]
 [] set_track mm/kasan/kasan.c:524 [inline]
 [] kasan_kmalloc.part.0+0x62/0xf0 mm/kasan/kasan.c:616
 [] kasan_kmalloc+0xb7/0xd0 mm/kasan/kasan.c:601
 [] __kmalloc+0x141/0x330 mm/slub.c:3613
 [] kmalloc include/linux/slab.h:481 [inline]
 [] kzalloc include/linux/slab.h:620 [inline]
 [] ops_init+0xf1/0x3a0 net/core/net_namespace.c:99
 [] setup_net+0x1b4/0x4e0 net/core/net_namespace.c:289
 [] copy_net_ns+0xd5/0x250 net/core/net_namespace.c:388
 [] create_new_namespaces+0x2f0/0x670 kernel/nsproxy.c:95
 [] unshare_nsproxy_namespaces+0xab/0x1e0 kernel/nsproxy.c:190
 [] SYSC_unshare kernel/fork.c:2083 [inline]
 [] SyS_unshare+0x302/0x6f0 kernel/fork.c:2033
 [] entry_SYSCALL_64_fastpath+0x1e/0x9a

Freed by task 60:
 [] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:63
 [] save_stack mm/kasan/kasan.c:512 [inline]
 [] set_track mm/kasan/kasan.c:524 [inline]
 [] kasan_slab_free+0xb0/0x190 mm/kasan/kasan.c:589
 [] slab_free_hook mm/slub.c:1383 [inline]
 [] slab_free_freelist_hook mm/slub.c:1405 [inline]
 [] slab_free mm/slub.c:2859 [inline]
 [] kfree+0xf4/0x310 mm/slub.c:3749
 [] ops_free net/core/net_namespace.c:124 [inline]
 [] ops_free_list.part.0+0x1ff/0x330 net/core/net_namespace.c:146
 [] ops_free_list net/core/net_namespace.c:144 [inline]
 [] cleanup_net+0x474/0x860 net/core/net_namespace.c:456
 [] process_one_work+0x825/0x1720 kernel/workqueue.c:2064
 [] worker_thread+0x4e4/0xf50 kernel/workqueue.c:2196
 [] kthread+0x273/0x310 kernel/kthread.c:211
 [] ret_from_fork+0x55/0x80 arch/x86/entry/entry_64.S:537

The buggy address belongs to the object at ffff8801d5c9a100
 which belongs to the cache kmalloc-8192 of size 8192
The buggy address is located 2040 bytes inside of
 8192-byte region [ffff8801d5c9a100, ffff8801d5c9c100)
The buggy address belongs to the page:
audit: type=1400 audit(1546518951.062:716): avc: denied { sigchld } for pid=2127 comm="syz-executor5" scontext=system_u:object_r:unlabeled_t:s0 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=process permissive=0
audit: type=1400 audit(1546518951.062:717): avc: denied { sigchld } for pid=2127 comm="syz-executor5" scontext=system_u:object_r:unlabeled_t:s0 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=process permissive=0
BUG: unable to handle kernel NULL pointer dereference at 00000000000000c4
IP: [] qlink_to_object mm/kasan/quarantine.c:136 [inline]
IP: [] qlink_free mm/kasan/quarantine.c:141 [inline]
IP: [] qlist_free_all+0x31/0xc0 mm/kasan/quarantine.c:166
PGD 1d6c5f067 PUD 1d94ef067 PMD 0
Oops: 0000 [#1] PREEMPT SMP KASAN
Modules linked in:
CPU: 0 PID: 1923 Comm: rsyslogd Not tainted 4.4.169+ #2
task: ffff8801d6c00000 task.stack: ffff8800b8d70000
RIP: 0010:[] [] qlink_to_object mm/kasan/quarantine.c:136 [inline]
RIP: 0010:[] [] qlink_free mm/kasan/quarantine.c:141 [inline]
RIP: 0010:[] [] qlist_free_all+0x31/0xc0 mm/kasan/quarantine.c:166
RSP: 0018:ffff8800b8d77a78 EFLAGS: 00010246
RAX: ffffea00000a2440 RBX: 0000000000000000 RCX: ffffea00000a245f
RDX: 0000000000000000 RSI: ffffffff82891c20 RDI: 0000000000000000
RBP: ffff8800b8d77aa0 R08: 0000000000000001 R09: ffffffff81484c11
R10: ffffea00025fa380 R11: 0000000000000000 R12: ffff8800b8d77ab8
R13: 0000000080000000 R14: ffffea0000000000 R15: ffffffff82891c20
FS: 00007f521162e700(0000) GS:ffff8801db600000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000000000c4 CR3: 00000001d70d0000 CR4: 00000000001606b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Stack:
 0000000000000000 0000000000000001 ffff8800b8d77ab8 ffff8800b73ccd80
 ffff8801da401140 ffff8800b8d77ae8 ffffffff814850af ffffffff81484fb5
 ffff8801d2371480 ffff88009bd1f260 00000000001000c0 9f61d5e46f1f5d07
Call Trace:
 [] quarantine_reduce+0x18f/0x1d0 mm/kasan/quarantine.c:259
 [] kasan_kmalloc+0xa0/0xd0 mm/kasan/kasan.c:601
 [] kasan_slab_alloc+0xf/0x20 mm/kasan/kasan.c:554
 [] slab_post_alloc_hook mm/slub.c:1349 [inline]
 [] slab_alloc_node mm/slub.c:2615 [inline]
 [] slab_alloc mm/slub.c:2623 [inline]
 [] kmem_cache_alloc_trace+0xe0/0x2d0 mm/slub.c:2640
 [] kmalloc include/linux/slab.h:476 [inline]
 [] syslog_print kernel/printk/printk.c:1153 [inline]
 [] do_syslog kernel/printk/printk.c:1336 [inline]
 [] do_syslog+0x5bc/0xaf0 kernel/printk/printk.c:1306
 [] kmsg_read+0x74/0xa0 fs/proc/kmsg.c:39
 [] proc_reg_read+0xfd/0x180 fs/proc/inode.c:202
 [] __vfs_read+0x116/0x3c0 fs/read_write.c:432
 [] vfs_read+0x134/0x360 fs/read_write.c:454
 [] SYSC_read fs/read_write.c:569 [inline]
 [] SyS_read+0xdc/0x1c0 fs/read_write.c:562
 [] entry_SYSCALL_64_fastpath+0x1e/0x9a
Code: 41 56 41 55 41 54 53 48 89 f3 48 8b 37 48 85 f6 0f 84 8d 00 00 00 49 89 fc 41 bd 00 00 00 80 49 be 00 00 00 00 00 ea ff ff eb 21 <48> 63 97 c4 00 00 00 4c 8b 3e 48 29 d6 48 c7 c2 11 4c 48 81 e8
RIP [] virt_to_head_page include/linux/mm.h:521 [inline]
RIP [] qlink_to_cache mm/kasan/quarantine.c:127 [inline]
RIP [] qlist_free_all+0x31/0xc0 mm/kasan/quarantine.c:163
 RSP
CR2: 00000000000000c4
------------[ cut here ]------------
WARNING: CPU: 0 PID: 2127 at lib/list_debug.c:23 __list_add_valid+0x86/0x120 lib/list_debug.c:23()
list_add corruption. next->prev should be prev (ffff8801db71f238), but was ffffffff8142a736. (next=ffff8800984c8088).