==================================================================
BUG: KASAN: use-after-free in rht_key_hashfn include/linux/rhashtable.h:159 [inline]
BUG: KASAN: use-after-free in __rhashtable_lookup.constprop.0+0x426/0x550 include/linux/rhashtable.h:604
Read of size 4 at addr ffff888065178008 by task ksoftirqd/0/16
CPU: 0 UID: 0 PID: 16 Comm: ksoftirqd/0 Not tainted 6.12.0-rc7-syzkaller-00187-gf868cd251776 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/30/2024
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:377 [inline]
print_report+0xc3/0x620 mm/kasan/report.c:488
kasan_report+0xd9/0x110 mm/kasan/report.c:601
rht_key_hashfn include/linux/rhashtable.h:159 [inline]
__rhashtable_lookup.constprop.0+0x426/0x550 include/linux/rhashtable.h:604
rhashtable_lookup include/linux/rhashtable.h:646 [inline]
rhashtable_lookup_fast include/linux/rhashtable.h:672 [inline]
ila_lookup_wildcards net/ipv6/ila/ila_xlat.c:132 [inline]
ila_xlat_addr net/ipv6/ila/ila_xlat.c:657 [inline]
ila_nf_input+0x1ee/0x620 net/ipv6/ila/ila_xlat.c:190
nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline]
nf_hook_slow+0xbe/0x200 net/netfilter/core.c:626
nf_hook.constprop.0+0x42e/0x750 include/linux/netfilter.h:269
NF_HOOK include/linux/netfilter.h:312 [inline]
ipv6_rcv+0xa4/0x680 net/ipv6/ip6_input.c:309
__netif_receive_skb_one_core+0x12e/0x1e0 net/core/dev.c:5670
__netif_receive_skb+0x1d/0x160 net/core/dev.c:5783
process_backlog+0x443/0x15f0 net/core/dev.c:6115
__napi_poll.constprop.0+0xba/0x550 net/core/dev.c:6779
napi_poll net/core/dev.c:6848 [inline]
net_rx_action+0xa92/0x1010 net/core/dev.c:6970
handle_softirqs+0x216/0x8f0 kernel/softirq.c:554
run_ksoftirqd kernel/softirq.c:927 [inline]
run_ksoftirqd+0x3a/0x60 kernel/softirq.c:919
smpboot_thread_fn+0x664/0xa30 kernel/smpboot.c:164
kthread+0x2c4/0x3a0 kernel/kthread.c:389
ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
</TASK>
The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff88806517e000 pfn:0x65178
flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
page_type: f0(buddy)
raw: 00fff00000000000 ffffea00009d2c08 ffffea0001fa8008 0000000000000000
raw: ffff88806517e000 0000000000000003 00000000f0000000 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as freed
page last allocated via order 3, migratetype Unmovable, gfp_mask 0x52dc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_ZERO), pid 7897, tgid 7897 (syz-executor), ts 189869743966, free_ts 265856709971
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x2d1/0x350 mm/page_alloc.c:1556
prep_new_page mm/page_alloc.c:1564 [inline]
get_page_from_freelist+0xfce/0x2f80 mm/page_alloc.c:3474
__alloc_pages_noprof+0x223/0x25a0 mm/page_alloc.c:4750
__alloc_pages_node_noprof include/linux/gfp.h:269 [inline]
alloc_pages_node_noprof include/linux/gfp.h:296 [inline]
___kmalloc_large_node+0x84/0x1b0 mm/slub.c:4209
__kmalloc_large_node_noprof+0x1c/0x70 mm/slub.c:4236
__do_kmalloc_node mm/slub.c:4252 [inline]
__kmalloc_node_noprof.cold+0x5/0x5f mm/slub.c:4270
__kvmalloc_node_noprof+0x6f/0x1a0 mm/util.c:658
bucket_table_alloc.isra.0+0x86/0x460 lib/rhashtable.c:186
rhashtable_init_noprof+0x41a/0x7e0 lib/rhashtable.c:1071
ila_xlat_init_net+0xb5/0x110 net/ipv6/ila/ila_xlat.c:613
ops_init+0x1e2/0x5f0 net/core/net_namespace.c:139
setup_net+0x21f/0x860 net/core/net_namespace.c:356
copy_net_ns+0x2b4/0x6b0 net/core/net_namespace.c:494
create_new_namespaces+0x3ea/0xad0 kernel/nsproxy.c:110
unshare_nsproxy_namespaces+0xc0/0x1f0 kernel/nsproxy.c:228
ksys_unshare+0x45d/0xa40 kernel/fork.c:3313
page last free pid 1149 tgid 1149 stack trace:
reset_page_owner include/linux/page_owner.h:25 [inline]
free_pages_prepare mm/page_alloc.c:1127 [inline]
free_unref_page+0x661/0x1080 mm/page_alloc.c:2657
__folio_put+0x32a/0x450 mm/swap.c:112
kvfree+0x47/0x50 mm/util.c:701
rhashtable_free_and_destroy+0x16c/0x990 lib/rhashtable.c:1169
ila_xlat_exit_net+0x59/0xa0 net/ipv6/ila/ila_xlat.c:635
ops_exit_list+0xb3/0x180 net/core/net_namespace.c:173
cleanup_net+0x5b7/0xb40 net/core/net_namespace.c:626
process_one_work+0x9c8/0x1ba0 kernel/workqueue.c:3229
process_scheduled_works kernel/workqueue.c:3310 [inline]
worker_thread+0x6c8/0xf00 kernel/workqueue.c:3391
kthread+0x2c4/0x3a0 kernel/kthread.c:389
ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
Memory state around the buggy address:
ffff888065177f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff888065177f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff888065178000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
^
ffff888065178080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff888065178100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================
==================================================================
BUG: KASAN: use-after-free in rht_bucket_index include/linux/rhashtable.h:122 [inline]
BUG: KASAN: use-after-free in rht_key_hashfn include/linux/rhashtable.h:161 [inline]
BUG: KASAN: use-after-free in __rhashtable_lookup.constprop.0+0x43d/0x550 include/linux/rhashtable.h:604
Read of size 4 at addr ffff888065178000 by task ksoftirqd/0/16
CPU: 0 UID: 0 PID: 16 Comm: ksoftirqd/0 Tainted: G B 6.12.0-rc7-syzkaller-00187-gf868cd251776 #0
Tainted: [B]=BAD_PAGE
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/30/2024
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:377 [inline]
print_report+0xc3/0x620 mm/kasan/report.c:488
kasan_report+0xd9/0x110 mm/kasan/report.c:601
rht_bucket_index include/linux/rhashtable.h:122 [inline]
rht_key_hashfn include/linux/rhashtable.h:161 [inline]
__rhashtable_lookup.constprop.0+0x43d/0x550 include/linux/rhashtable.h:604
rhashtable_lookup include/linux/rhashtable.h:646 [inline]
rhashtable_lookup_fast include/linux/rhashtable.h:672 [inline]
ila_lookup_wildcards net/ipv6/ila/ila_xlat.c:132 [inline]
ila_xlat_addr net/ipv6/ila/ila_xlat.c:657 [inline]
ila_nf_input+0x1ee/0x620 net/ipv6/ila/ila_xlat.c:190
nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline]
nf_hook_slow+0xbe/0x200 net/netfilter/core.c:626
nf_hook.constprop.0+0x42e/0x750 include/linux/netfilter.h:269
NF_HOOK include/linux/netfilter.h:312 [inline]
ipv6_rcv+0xa4/0x680 net/ipv6/ip6_input.c:309
__netif_receive_skb_one_core+0x12e/0x1e0 net/core/dev.c:5670
__netif_receive_skb+0x1d/0x160 net/core/dev.c:5783
process_backlog+0x443/0x15f0 net/core/dev.c:6115
__napi_poll.constprop.0+0xba/0x550 net/core/dev.c:6779
napi_poll net/core/dev.c:6848 [inline]
net_rx_action+0xa92/0x1010 net/core/dev.c:6970
handle_softirqs+0x216/0x8f0 kernel/softirq.c:554
run_ksoftirqd kernel/softirq.c:927 [inline]
run_ksoftirqd+0x3a/0x60 kernel/softirq.c:919
smpboot_thread_fn+0x664/0xa30 kernel/smpboot.c:164
kthread+0x2c4/0x3a0 kernel/kthread.c:389
ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
</TASK>
The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff88806517e000 pfn:0x65178
flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
page_type: f0(buddy)
raw: 00fff00000000000 ffffea00009d2c08 ffffea0001fa8008 0000000000000000
raw: ffff88806517e000 0000000000000003 00000000f0000000 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as freed
page last allocated via order 3, migratetype Unmovable, gfp_mask 0x52dc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_ZERO), pid 7897, tgid 7897 (syz-executor), ts 189869743966, free_ts 265856709971
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x2d1/0x350 mm/page_alloc.c:1556
prep_new_page mm/page_alloc.c:1564 [inline]
get_page_from_freelist+0xfce/0x2f80 mm/page_alloc.c:3474
__alloc_pages_noprof+0x223/0x25a0 mm/page_alloc.c:4750
__alloc_pages_node_noprof include/linux/gfp.h:269 [inline]
alloc_pages_node_noprof include/linux/gfp.h:296 [inline]
___kmalloc_large_node+0x84/0x1b0 mm/slub.c:4209
__kmalloc_large_node_noprof+0x1c/0x70 mm/slub.c:4236
__do_kmalloc_node mm/slub.c:4252 [inline]
__kmalloc_node_noprof.cold+0x5/0x5f mm/slub.c:4270
__kvmalloc_node_noprof+0x6f/0x1a0 mm/util.c:658
bucket_table_alloc.isra.0+0x86/0x460 lib/rhashtable.c:186
rhashtable_init_noprof+0x41a/0x7e0 lib/rhashtable.c:1071
ila_xlat_init_net+0xb5/0x110 net/ipv6/ila/ila_xlat.c:613
ops_init+0x1e2/0x5f0 net/core/net_namespace.c:139
setup_net+0x21f/0x860 net/core/net_namespace.c:356
copy_net_ns+0x2b4/0x6b0 net/core/net_namespace.c:494
create_new_namespaces+0x3ea/0xad0 kernel/nsproxy.c:110
unshare_nsproxy_namespaces+0xc0/0x1f0 kernel/nsproxy.c:228
ksys_unshare+0x45d/0xa40 kernel/fork.c:3313
page last free pid 1149 tgid 1149 stack trace:
reset_page_owner include/linux/page_owner.h:25 [inline]
free_pages_prepare mm/page_alloc.c:1127 [inline]
free_unref_page+0x661/0x1080 mm/page_alloc.c:2657
__folio_put+0x32a/0x450 mm/swap.c:112
kvfree+0x47/0x50 mm/util.c:701
rhashtable_free_and_destroy+0x16c/0x990 lib/rhashtable.c:1169
ila_xlat_exit_net+0x59/0xa0 net/ipv6/ila/ila_xlat.c:635
ops_exit_list+0xb3/0x180 net/core/net_namespace.c:173
cleanup_net+0x5b7/0xb40 net/core/net_namespace.c:626
process_one_work+0x9c8/0x1ba0 kernel/workqueue.c:3229
process_scheduled_works kernel/workqueue.c:3310 [inline]
worker_thread+0x6c8/0xf00 kernel/workqueue.c:3391
kthread+0x2c4/0x3a0 kernel/kthread.c:389
ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
Memory state around the buggy address:
ffff888065177f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff888065177f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff888065178000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
^
ffff888065178080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff888065178100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================
==================================================================
BUG: KASAN: use-after-free in rht_bucket include/linux/rhashtable.h:289 [inline]
BUG: KASAN: use-after-free in __rhashtable_lookup.constprop.0+0x430/0x550 include/linux/rhashtable.h:605
Read of size 4 at addr ffff888065178004 by task ksoftirqd/0/16
CPU: 0 UID: 0 PID: 16 Comm: ksoftirqd/0 Tainted: G B 6.12.0-rc7-syzkaller-00187-gf868cd251776 #0
Tainted: [B]=BAD_PAGE
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/30/2024
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:377 [inline]
print_report+0xc3/0x620 mm/kasan/report.c:488
kasan_report+0xd9/0x110 mm/kasan/report.c:601
rht_bucket include/linux/rhashtable.h:289 [inline]
__rhashtable_lookup.constprop.0+0x430/0x550 include/linux/rhashtable.h:605
rhashtable_lookup include/linux/rhashtable.h:646 [inline]
rhashtable_lookup_fast include/linux/rhashtable.h:672 [inline]
ila_lookup_wildcards net/ipv6/ila/ila_xlat.c:132 [inline]
ila_xlat_addr net/ipv6/ila/ila_xlat.c:657 [inline]
ila_nf_input+0x1ee/0x620 net/ipv6/ila/ila_xlat.c:190
nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline]
nf_hook_slow+0xbe/0x200 net/netfilter/core.c:626
nf_hook.constprop.0+0x42e/0x750 include/linux/netfilter.h:269
NF_HOOK include/linux/netfilter.h:312 [inline]
ipv6_rcv+0xa4/0x680 net/ipv6/ip6_input.c:309
__netif_receive_skb_one_core+0x12e/0x1e0 net/core/dev.c:5670
__netif_receive_skb+0x1d/0x160 net/core/dev.c:5783
process_backlog+0x443/0x15f0 net/core/dev.c:6115
__napi_poll.constprop.0+0xba/0x550 net/core/dev.c:6779
napi_poll net/core/dev.c:6848 [inline]
net_rx_action+0xa92/0x1010 net/core/dev.c:6970
handle_softirqs+0x216/0x8f0 kernel/softirq.c:554
run_ksoftirqd kernel/softirq.c:927 [inline]
run_ksoftirqd+0x3a/0x60 kernel/softirq.c:919
smpboot_thread_fn+0x664/0xa30 kernel/smpboot.c:164
kthread+0x2c4/0x3a0 kernel/kthread.c:389
ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
</TASK>
The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff88806517e000 pfn:0x65178
flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
page_type: f0(buddy)
raw: 00fff00000000000 ffffea00009d2c08 ffffea0001fa8008 0000000000000000
raw: ffff88806517e000 0000000000000003 00000000f0000000 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as freed
page last allocated via order 3, migratetype Unmovable, gfp_mask 0x52dc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_ZERO), pid 7897, tgid 7897 (syz-executor), ts 189869743966, free_ts 265856709971
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x2d1/0x350 mm/page_alloc.c:1556
prep_new_page mm/page_alloc.c:1564 [inline]
get_page_from_freelist+0xfce/0x2f80 mm/page_alloc.c:3474
__alloc_pages_noprof+0x223/0x25a0 mm/page_alloc.c:4750
__alloc_pages_node_noprof include/linux/gfp.h:269 [inline]
alloc_pages_node_noprof include/linux/gfp.h:296 [inline]
___kmalloc_large_node+0x84/0x1b0 mm/slub.c:4209
__kmalloc_large_node_noprof+0x1c/0x70 mm/slub.c:4236
__do_kmalloc_node mm/slub.c:4252 [inline]
__kmalloc_node_noprof.cold+0x5/0x5f mm/slub.c:4270
__kvmalloc_node_noprof+0x6f/0x1a0 mm/util.c:658
bucket_table_alloc.isra.0+0x86/0x460 lib/rhashtable.c:186
rhashtable_init_noprof+0x41a/0x7e0 lib/rhashtable.c:1071
ila_xlat_init_net+0xb5/0x110 net/ipv6/ila/ila_xlat.c:613
ops_init+0x1e2/0x5f0 net/core/net_namespace.c:139
setup_net+0x21f/0x860 net/core/net_namespace.c:356
copy_net_ns+0x2b4/0x6b0 net/core/net_namespace.c:494
create_new_namespaces+0x3ea/0xad0 kernel/nsproxy.c:110
unshare_nsproxy_namespaces+0xc0/0x1f0 kernel/nsproxy.c:228
ksys_unshare+0x45d/0xa40 kernel/fork.c:3313
page last free pid 1149 tgid 1149 stack trace:
reset_page_owner include/linux/page_owner.h:25 [inline]
free_pages_prepare mm/page_alloc.c:1127 [inline]
free_unref_page+0x661/0x1080 mm/page_alloc.c:2657
__folio_put+0x32a/0x450 mm/swap.c:112
kvfree+0x47/0x50 mm/util.c:701
rhashtable_free_and_destroy+0x16c/0x990 lib/rhashtable.c:1169
ila_xlat_exit_net+0x59/0xa0 net/ipv6/ila/ila_xlat.c:635
ops_exit_list+0xb3/0x180 net/core/net_namespace.c:173
cleanup_net+0x5b7/0xb40 net/core/net_namespace.c:626
process_one_work+0x9c8/0x1ba0 kernel/workqueue.c:3229
process_scheduled_works kernel/workqueue.c:3310 [inline]
worker_thread+0x6c8/0xf00 kernel/workqueue.c:3391
kthread+0x2c4/0x3a0 kernel/kthread.c:389
ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
Memory state around the buggy address:
ffff888065177f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff888065177f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff888065178000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
^
ffff888065178080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff888065178100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================
==================================================================
BUG: KASAN: use-after-free in rht_ptr_rcu include/linux/rhashtable.h:376 [inline]
BUG: KASAN: use-after-free in __rhashtable_lookup.constprop.0+0x516/0x550 include/linux/rhashtable.h:607
Read of size 8 at addr ffff88806517af40 by task ksoftirqd/0/16
CPU: 0 UID: 0 PID: 16 Comm: ksoftirqd/0 Tainted: G B 6.12.0-rc7-syzkaller-00187-gf868cd251776 #0
Tainted: [B]=BAD_PAGE
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/30/2024
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:377 [inline]
print_report+0xc3/0x620 mm/kasan/report.c:488
kasan_report+0xd9/0x110 mm/kasan/report.c:601
rht_ptr_rcu include/linux/rhashtable.h:376 [inline]
__rhashtable_lookup.constprop.0+0x516/0x550 include/linux/rhashtable.h:607
rhashtable_lookup include/linux/rhashtable.h:646 [inline]
rhashtable_lookup_fast include/linux/rhashtable.h:672 [inline]
ila_lookup_wildcards net/ipv6/ila/ila_xlat.c:132 [inline]
ila_xlat_addr net/ipv6/ila/ila_xlat.c:657 [inline]
ila_nf_input+0x1ee/0x620 net/ipv6/ila/ila_xlat.c:190
nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline]
nf_hook_slow+0xbe/0x200 net/netfilter/core.c:626
nf_hook.constprop.0+0x42e/0x750 include/linux/netfilter.h:269
NF_HOOK include/linux/netfilter.h:312 [inline]
ipv6_rcv+0xa4/0x680 net/ipv6/ip6_input.c:309
__netif_receive_skb_one_core+0x12e/0x1e0 net/core/dev.c:5670
__netif_receive_skb+0x1d/0x160 net/core/dev.c:5783
process_backlog+0x443/0x15f0 net/core/dev.c:6115
__napi_poll.constprop.0+0xba/0x550 net/core/dev.c:6779
napi_poll net/core/dev.c:6848 [inline]
net_rx_action+0xa92/0x1010 net/core/dev.c:6970
handle_softirqs+0x216/0x8f0 kernel/softirq.c:554
run_ksoftirqd kernel/softirq.c:927 [inline]
run_ksoftirqd+0x3a/0x60 kernel/softirq.c:919
smpboot_thread_fn+0x664/0xa30 kernel/smpboot.c:164
kthread+0x2c4/0x3a0 kernel/kthread.c:389
ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
</TASK>
The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x6517a
flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000000 0000000000000000 ffffea0001945e90 0000000000000000
raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as freed
page last allocated via order 3, migratetype Unmovable, gfp_mask 0x52dc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_ZERO), pid 7897, tgid 7897 (syz-executor), ts 189869743966, free_ts 265856709971
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x2d1/0x350 mm/page_alloc.c:1556
prep_new_page mm/page_alloc.c:1564 [inline]
get_page_from_freelist+0xfce/0x2f80 mm/page_alloc.c:3474
__alloc_pages_noprof+0x223/0x25a0 mm/page_alloc.c:4750
__alloc_pages_node_noprof include/linux/gfp.h:269 [inline]
alloc_pages_node_noprof include/linux/gfp.h:296 [inline]
___kmalloc_large_node+0x84/0x1b0 mm/slub.c:4209
__kmalloc_large_node_noprof+0x1c/0x70 mm/slub.c:4236
__do_kmalloc_node mm/slub.c:4252 [inline]
__kmalloc_node_noprof.cold+0x5/0x5f mm/slub.c:4270
__kvmalloc_node_noprof+0x6f/0x1a0 mm/util.c:658
bucket_table_alloc.isra.0+0x86/0x460 lib/rhashtable.c:186
rhashtable_init_noprof+0x41a/0x7e0 lib/rhashtable.c:1071
ila_xlat_init_net+0xb5/0x110 net/ipv6/ila/ila_xlat.c:613
ops_init+0x1e2/0x5f0 net/core/net_namespace.c:139
setup_net+0x21f/0x860 net/core/net_namespace.c:356
copy_net_ns+0x2b4/0x6b0 net/core/net_namespace.c:494
create_new_namespaces+0x3ea/0xad0 kernel/nsproxy.c:110
unshare_nsproxy_namespaces+0xc0/0x1f0 kernel/nsproxy.c:228
ksys_unshare+0x45d/0xa40 kernel/fork.c:3313
page last free pid 1149 tgid 1149 stack trace:
reset_page_owner include/linux/page_owner.h:25 [inline]
free_pages_prepare mm/page_alloc.c:1127 [inline]
free_unref_page+0x661/0x1080 mm/page_alloc.c:2657
__folio_put+0x32a/0x450 mm/swap.c:112
kvfree+0x47/0x50 mm/util.c:701
rhashtable_free_and_destroy+0x16c/0x990 lib/rhashtable.c:1169
ila_xlat_exit_net+0x59/0xa0 net/ipv6/ila/ila_xlat.c:635
ops_exit_list+0xb3/0x180 net/core/net_namespace.c:173
cleanup_net+0x5b7/0xb40 net/core/net_namespace.c:626
process_one_work+0x9c8/0x1ba0 kernel/workqueue.c:3229
process_scheduled_works kernel/workqueue.c:3310 [inline]
worker_thread+0x6c8/0xf00 kernel/workqueue.c:3391
kthread+0x2c4/0x3a0 kernel/kthread.c:389
ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
Memory state around the buggy address:
ffff88806517ae00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff88806517ae80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff88806517af00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
^
ffff88806517af80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff88806517b000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================
==================================================================
BUG: KASAN: use-after-free in __rhashtable_lookup.constprop.0+0x548/0x550 include/linux/rhashtable.h:622
Read of size 8 at addr ffff888065178030 by task ksoftirqd/0/16
CPU: 0 UID: 0 PID: 16 Comm: ksoftirqd/0 Tainted: G B 6.12.0-rc7-syzkaller-00187-gf868cd251776 #0
Tainted: [B]=BAD_PAGE
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/30/2024
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:377 [inline]
print_report+0xc3/0x620 mm/kasan/report.c:488
kasan_report+0xd9/0x110 mm/kasan/report.c:601
__rhashtable_lookup.constprop.0+0x548/0x550 include/linux/rhashtable.h:622
rhashtable_lookup include/linux/rhashtable.h:646 [inline]
rhashtable_lookup_fast include/linux/rhashtable.h:672 [inline]
ila_lookup_wildcards net/ipv6/ila/ila_xlat.c:132 [inline]
ila_xlat_addr net/ipv6/ila/ila_xlat.c:657 [inline]
ila_nf_input+0x1ee/0x620 net/ipv6/ila/ila_xlat.c:190
nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline]
nf_hook_slow+0xbe/0x200 net/netfilter/core.c:626
nf_hook.constprop.0+0x42e/0x750 include/linux/netfilter.h:269
NF_HOOK include/linux/netfilter.h:312 [inline]
ipv6_rcv+0xa4/0x680 net/ipv6/ip6_input.c:309
__netif_receive_skb_one_core+0x12e/0x1e0 net/core/dev.c:5670
__netif_receive_skb+0x1d/0x160 net/core/dev.c:5783
process_backlog+0x443/0x15f0 net/core/dev.c:6115
__napi_poll.constprop.0+0xba/0x550 net/core/dev.c:6779
napi_poll net/core/dev.c:6848 [inline]
net_rx_action+0xa92/0x1010 net/core/dev.c:6970
handle_softirqs+0x216/0x8f0 kernel/softirq.c:554
run_ksoftirqd kernel/softirq.c:927 [inline]
run_ksoftirqd+0x3a/0x60 kernel/softirq.c:919
smpboot_thread_fn+0x664/0xa30 kernel/smpboot.c:164
kthread+0x2c4/0x3a0 kernel/kthread.c:389
ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
</TASK>
The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff88806517e000 pfn:0x65178
flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
page_type: f0(buddy)
raw: 00fff00000000000 ffffea00009d2c08 ffffea0001fa8008 0000000000000000
raw: ffff88806517e000 0000000000000003 00000000f0000000 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as freed
page last allocated via order 3, migratetype Unmovable, gfp_mask 0x52dc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_ZERO), pid 7897, tgid 7897 (syz-executor), ts 189869743966, free_ts 265856709971
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x2d1/0x350 mm/page_alloc.c:1556
prep_new_page mm/page_alloc.c:1564 [inline]
get_page_from_freelist+0xfce/0x2f80 mm/page_alloc.c:3474
__alloc_pages_noprof+0x223/0x25a0 mm/page_alloc.c:4750
__alloc_pages_node_noprof include/linux/gfp.h:269 [inline]
alloc_pages_node_noprof include/linux/gfp.h:296 [inline]
___kmalloc_large_node+0x84/0x1b0 mm/slub.c:4209
__kmalloc_large_node_noprof+0x1c/0x70 mm/slub.c:4236
__do_kmalloc_node mm/slub.c:4252 [inline]
__kmalloc_node_noprof.cold+0x5/0x5f mm/slub.c:4270
__kvmalloc_node_noprof+0x6f/0x1a0 mm/util.c:658
bucket_table_alloc.isra.0+0x86/0x460 lib/rhashtable.c:186
rhashtable_init_noprof+0x41a/0x7e0 lib/rhashtable.c:1071
ila_xlat_init_net+0xb5/0x110 net/ipv6/ila/ila_xlat.c:613
ops_init+0x1e2/0x5f0 net/core/net_namespace.c:139
setup_net+0x21f/0x860 net/core/net_namespace.c:356
copy_net_ns+0x2b4/0x6b0 net/core/net_namespace.c:494
create_new_namespaces+0x3ea/0xad0 kernel/nsproxy.c:110
unshare_nsproxy_namespaces+0xc0/0x1f0 kernel/nsproxy.c:228
ksys_unshare+0x45d/0xa40 kernel/fork.c:3313
page last free pid 1149 tgid 1149 stack trace:
reset_page_owner include/linux/page_owner.h:25 [inline]
free_pages_prepare mm/page_alloc.c:1127 [inline]
free_unref_page+0x661/0x1080 mm/page_alloc.c:2657
__folio_put+0x32a/0x450 mm/swap.c:112
kvfree+0x47/0x50 mm/util.c:701
rhashtable_free_and_destroy+0x16c/0x990 lib/rhashtable.c:1169
ila_xlat_exit_net+0x59/0xa0 net/ipv6/ila/ila_xlat.c:635
ops_exit_list+0xb3/0x180 net/core/net_namespace.c:173
cleanup_net+0x5b7/0xb40 net/core/net_namespace.c:626
process_one_work+0x9c8/0x1ba0 kernel/workqueue.c:3229
process_scheduled_works kernel/workqueue.c:3310 [inline]
worker_thread+0x6c8/0xf00 kernel/workqueue.c:3391
kthread+0x2c4/0x3a0 kernel/kthread.c:389
ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
Memory state around the buggy address:
ffff888065177f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff888065177f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff888065178000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
^
ffff888065178080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff888065178100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================