==================================================================
BUG: KASAN: use-after-free in xfrm6_tunnel_free_spi net/ipv6/xfrm6_tunnel.c:205 [inline]
BUG: KASAN: use-after-free in xfrm6_tunnel_destroy+0x57b/0x630 net/ipv6/xfrm6_tunnel.c:300
Read of size 8 at addr ffff8801cf46c9f8 by task kworker/0:4/20547

CPU: 0 PID: 20547 Comm: kworker/0:4 Not tainted 4.4.162+ #114
Workqueue: events xfrm_state_gc_task
 0000000000000000 402f49cb95affa7f ffff8800ab1b7aa0 ffffffff81a994bd
 ffffea00073d1a00 ffff8801cf46c9f8 0000000000000000 ffff8801cf46c9f8
 ffff8801d841f284 ffff8800ab1b7ad8 ffffffff8148a669 ffff8801cf46c9f8
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x124 lib/dump_stack.c:51
 [] print_address_description+0x6c/0x217 mm/kasan/report.c:252
 [] kasan_report_error mm/kasan/report.c:351 [inline]
 [] kasan_report.cold.6+0x175/0x2f7 mm/kasan/report.c:408
 [] __asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:429
 [] xfrm6_tunnel_free_spi net/ipv6/xfrm6_tunnel.c:205 [inline]
 [] xfrm6_tunnel_destroy+0x57b/0x630 net/ipv6/xfrm6_tunnel.c:300
 [] xfrm_state_gc_destroy net/xfrm/xfrm_state.c:349 [inline]
 [] xfrm_state_gc_task+0x39f/0x500 net/xfrm/xfrm_state.c:368
 [] process_one_work+0x824/0x1670 kernel/workqueue.c:2064
 [] worker_thread+0xd9/0x1060 kernel/workqueue.c:2196
 [] kthread+0x268/0x300 kernel/kthread.c:211
 [] ret_from_fork+0x55/0x80 arch/x86/entry/entry_64.S:510

Allocated by task 2141:
 [] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:63
 [] save_stack mm/kasan/kasan.c:512 [inline]
 [] set_track mm/kasan/kasan.c:524 [inline]
 [] kasan_kmalloc.part.1+0x62/0xf0 mm/kasan/kasan.c:616
 [] kasan_kmalloc+0xaf/0xc0 mm/kasan/kasan.c:601
 [] __kmalloc+0x13d/0x330 mm/slub.c:3613
 [] kmalloc include/linux/slab.h:481 [inline]
 [] kzalloc include/linux/slab.h:620 [inline]
 [] ops_init+0xef/0x3a0 net/core/net_namespace.c:99
 [] setup_net+0x1bc/0x4d0 net/core/net_namespace.c:289
 [] copy_net_ns+0xd2/0x250 net/core/net_namespace.c:388
 [] create_new_namespaces+0x416/0x640 kernel/nsproxy.c:95
 [] unshare_nsproxy_namespaces+0xa5/0x1d0 kernel/nsproxy.c:190
 [] SYSC_unshare kernel/fork.c:2083 [inline]
 [] SyS_unshare+0x316/0x710 kernel/fork.c:2033
 [] entry_SYSCALL_64_fastpath+0x1e/0x9a

Freed by task 15713:
 [] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:63
 [] save_stack mm/kasan/kasan.c:512 [inline]
 [] set_track mm/kasan/kasan.c:524 [inline]
 [] kasan_slab_free+0xac/0x190 mm/kasan/kasan.c:589
 [] slab_free_hook mm/slub.c:1383 [inline]
 [] slab_free_freelist_hook mm/slub.c:1405 [inline]
 [] slab_free mm/slub.c:2859 [inline]
 [] kfree+0xf4/0x310 mm/slub.c:3749
 [] ops_free net/core/net_namespace.c:124 [inline]
 [] ops_free_list.part.3+0x1ff/0x330 net/core/net_namespace.c:146
 [] ops_free_list net/core/net_namespace.c:144 [inline]
 [] cleanup_net+0x490/0x880 net/core/net_namespace.c:456
 [] process_one_work+0x824/0x1670 kernel/workqueue.c:2064
 [] worker_thread+0xd9/0x1060 kernel/workqueue.c:2196
 [] kthread+0x268/0x300 kernel/kthread.c:211
 [] ret_from_fork+0x55/0x80 arch/x86/entry/entry_64.S:510

The buggy address belongs to the object at ffff8801cf46c200
 which belongs to the cache kmalloc-8192 of size 8192
The buggy address is located 2040 bytes inside of
 8192-byte region [ffff8801cf46c200, ffff8801cf46e200)
The buggy address belongs to the page:
------------[ cut here ]------------
WARNING: CPU: 1 PID: 0 at kernel/locking/lockdep.c:3123 __lock_acquire+0x2488/0x5f10 kernel/locking/lockdep.c:3123()
DEBUG_LOCKS_WARN_ON(depth >= MAX_LOCK_DEPTH)