==================================================================
BUG: KASAN: use-after-free in xfrm_lookup_with_ifid+0x2243/0x22f0 net/xfrm/xfrm_policy.c:3082
Read of size 4 at addr ffff8880a711785c by task blkid/21202

CPU: 1 PID: 21202 Comm: blkid Not tainted 5.6.0-rc1-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x197/0x210 lib/dump_stack.c:118
 print_address_description.constprop.0.cold+0xd4/0x30b mm/kasan/report.c:374
 __kasan_report.cold+0x1b/0x32 mm/kasan/report.c:506
 kasan_report+0x12/0x20 mm/kasan/common.c:641
 __asan_report_load4_noabort+0x14/0x20 mm/kasan/generic_report.c:134
 xfrm_lookup_with_ifid+0x2243/0x22f0 net/xfrm/xfrm_policy.c:3082
 xfrmi_xmit2 net/xfrm/xfrm_interface.c:272 [inline]
 xfrmi_xmit+0x43f/0x15e0 net/xfrm/xfrm_interface.c:387
 __netdev_start_xmit include/linux/netdevice.h:4524 [inline]
 netdev_start_xmit include/linux/netdevice.h:4538 [inline]
 xmit_one net/core/dev.c:3470 [inline]
 dev_hard_start_xmit+0x1a3/0x9b0 net/core/dev.c:3486
 __dev_queue_xmit+0x2b05/0x35c0 net/core/dev.c:4063
 dev_queue_xmit+0x18/0x20 net/core/dev.c:4096
 neigh_direct_output+0x16/0x20 net/core/neighbour.c:1527
 neigh_output include/net/neighbour.h:510 [inline]
 ip6_finish_output2+0x109a/0x25c0 net/ipv6/ip6_output.c:116
 __ip6_finish_output+0x444/0xaa0 net/ipv6/ip6_output.c:142
 ip6_finish_output+0x38/0x1f0 net/ipv6/ip6_output.c:152
 NF_HOOK_COND include/linux/netfilter.h:296 [inline]
 ip6_output+0x25e/0x880 net/ipv6/ip6_output.c:175
 dst_output include/net/dst.h:436 [inline]
 NF_HOOK include/linux/netfilter.h:307 [inline]
 ndisc_send_skb+0xf1f/0x1490 net/ipv6/ndisc.c:505
 ndisc_send_rs+0x134/0x720 net/ipv6/ndisc.c:699
 addrconf_rs_timer+0x30f/0x6e0 net/ipv6/addrconf.c:3879
 call_timer_fn+0x1ac/0x780 kernel/time/timer.c:1404
 expire_timers kernel/time/timer.c:1449 [inline]
 __run_timers kernel/time/timer.c:1773 [inline]
 __run_timers kernel/time/timer.c:1740 [inline]
 run_timer_softirq+0x6c3/0x1790 kernel/time/timer.c:1786
 __do_softirq+0x262/0x98c kernel/softirq.c:292
 invoke_softirq kernel/softirq.c:373 [inline]
 irq_exit+0x19b/0x1e0 kernel/softirq.c:413
 exiting_irq arch/x86/include/asm/apic.h:546 [inline]
 smp_apic_timer_interrupt+0x1a3/0x610 arch/x86/kernel/apic/apic.c:1146
 apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:829
RIP: 0010:arch_local_irq_restore arch/x86/include/asm/paravirt.h:752 [inline]
RIP: 0010:lock_acquire+0x20b/0x410 kernel/locking/lockdep.c:4487
Code: 94 08 00 00 00 00 00 00 48 c1 e8 03 80 3c 10 00 0f 85 d3 01 00 00 48 83 3d d9 83 58 08 00 0f 84 53 01 00 00 48 8b 7d c8 57 9d <0f> 1f 44 00 00 48 8d 65 d8 5b 41 5c 41 5d 41 5e 41 5f 5d c3 65 8b
RSP: 0018:ffffc90006d678a0 EFLAGS: 00000282 ORIG_RAX: ffffffffffffff13
RAX: 1ffffffff1367617 RBX: ffff888056886600 RCX: ffffffff815ad1f0
RDX: dffffc0000000000 RSI: 0000000000000008 RDI: 0000000000000282
RBP: ffffc90006d678e8 R08: 1ffffffff16a336c R09: fffffbfff16a336d
R10: ffff888056886ec0 R11: ffff888056886600 R12: ffffffff89bac240
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000002
 rcu_lock_acquire include/linux/rcupdate.h:208 [inline]
 rcu_read_lock include/linux/rcupdate.h:601 [inline]
 lock_page_memcg+0x39/0x240 mm/memcontrol.c:1972
 page_remove_file_rmap mm/rmap.c:1237 [inline]
 page_remove_rmap+0x5ce/0x11d0 mm/rmap.c:1330
 zap_pte_range mm/memory.c:1080 [inline]
 zap_pmd_range mm/memory.c:1184 [inline]
 zap_pud_range mm/memory.c:1213 [inline]
 zap_p4d_range mm/memory.c:1234 [inline]
 unmap_page_range+0xde0/0x28d0 mm/memory.c:1255
 unmap_single_vma+0x19d/0x300 mm/memory.c:1300
 unmap_vmas+0x184/0x2f0 mm/memory.c:1332
 exit_mmap+0x2ba/0x530 mm/mmap.c:3130
 __mmput kernel/fork.c:1082 [inline]
 mmput+0x179/0x4d0 kernel/fork.c:1103
 exit_mm kernel/exit.c:485 [inline]
 do_exit+0xac2/0x2f50 kernel/exit.c:788
 do_group_exit+0x135/0x360 kernel/exit.c:899
 __do_sys_exit_group kernel/exit.c:910 [inline]
 __se_sys_exit_group kernel/exit.c:908 [inline]
 __x64_sys_exit_group+0x44/0x50 kernel/exit.c:908
 do_syscall_64+0xfa/0x790 arch/x86/entry/common.c:294
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x7f1e1452a1e8
Code: Bad RIP value.
RSP: 002b:00007ffef11fd408 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
RAX: ffffffffffffffda RBX: 0000000000000002 RCX: 00007f1e1452a1e8
RDX: 0000000000000002 RSI: 000000000000003c RDI: 0000000000000002
RBP: 00007f1e147ff840 R08: 00000000000000e7 R09: ffffffffffffffa8
R10: 00007f1e14805740 R11: 0000000000000246 R12: 00007f1e147ff840
R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000000

Allocated by task 17135:
 save_stack+0x23/0x90 mm/kasan/common.c:72
 set_track mm/kasan/common.c:80 [inline]
 __kasan_kmalloc mm/kasan/common.c:515 [inline]
 __kasan_kmalloc.constprop.0+0xcf/0xe0 mm/kasan/common.c:488
 kasan_slab_alloc+0xf/0x20 mm/kasan/common.c:523
 slab_post_alloc_hook mm/slab.h:584 [inline]
 slab_alloc mm/slab.c:3320 [inline]
 kmem_cache_alloc+0x121/0x710 mm/slab.c:3484
 kmem_cache_zalloc include/linux/slab.h:659 [inline]
 net_alloc net/core/net_namespace.c:403 [inline]
 copy_net_ns+0xf1/0x5a0 net/core/net_namespace.c:455
 create_new_namespaces+0x403/0xb50 kernel/nsproxy.c:108
 unshare_nsproxy_namespaces+0xc2/0x200 kernel/nsproxy.c:229
 ksys_unshare+0x444/0x980 kernel/fork.c:2955
 __do_sys_unshare kernel/fork.c:3023 [inline]
 __se_sys_unshare kernel/fork.c:3021 [inline]
 __x64_sys_unshare+0x31/0x40 kernel/fork.c:3021
 do_syscall_64+0xfa/0x790 arch/x86/entry/common.c:294
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 12805:
 save_stack+0x23/0x90 mm/kasan/common.c:72
 set_track mm/kasan/common.c:80 [inline]
 kasan_set_free_info mm/kasan/common.c:337 [inline]
 __kasan_slab_free+0x102/0x150 mm/kasan/common.c:476
 kasan_slab_free+0xe/0x10 mm/kasan/common.c:485
 __cache_free mm/slab.c:3426 [inline]
 kmem_cache_free+0x86/0x320 mm/slab.c:3694
 net_free net/core/net_namespace.c:431 [inline]
 net_drop_ns.part.0+0xa6/0xe0 net/core/net_namespace.c:438
 net_drop_ns net/core/net_namespace.c:437 [inline]
 cleanup_net+0x803/0xb10 net/core/net_namespace.c:608
 process_one_work+0xa05/0x17a0 kernel/workqueue.c:2264
 worker_thread+0x98/0xe40 kernel/workqueue.c:2410
 kthread+0x361/0x430 kernel/kthread.c:255
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352

The buggy address belongs to the object at ffff8880a7116380
 which belongs to the cache net_namespace of size 6912
The buggy address is located 5340 bytes inside of
 6912-byte region [ffff8880a7116380, ffff8880a7117e80)
The buggy address belongs to the page:
page:ffffea00029c4580 refcount:1 mapcount:0 mapping:ffff88821bc53c40 index:0x0 compound_mapcount: 0
flags: 0xfffe0000010200(slab|head)
raw: 00fffe0000010200 ffffea0001460888 ffffea00015deb08 ffff88821bc53c40
raw: 0000000000000000 ffff8880a7116380 0000000100000001 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8880a7117700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8880a7117780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8880a7117800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                                    ^
 ffff8880a7117880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8880a7117900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================