audit: type=1400 audit(1571563312.847:141): avc: denied { create } for pid=4333 comm="syz-executor.4" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=0
==================================================================
BUG: KASAN: use-after-free in ifname_compare_aligned include/linux/netfilter/x_tables.h:362 [inline]
BUG: KASAN: use-after-free in ip6_packet_match net/ipv6/netfilter/ip6_tables.c:124 [inline]
BUG: KASAN: use-after-free in ip6t_do_table+0x1545/0x1860 net/ipv6/netfilter/ip6_tables.c:382
Read of size 8 at addr ffff8800ba584000 by task syz-executor.3/4336

CPU: 0 PID: 4336 Comm: syz-executor.3 Not tainted 4.4.174+ #4
 0000000000000000 bbf2f87a4d316b82 ffff8800a5dff0a8 ffffffff81aad1a1
 0000000000000000 ffffea0002e96100 ffff8800ba584000 0000000000000008
 dffffc0000000000 ffff8800a5dff0e0 ffffffff81490120 0000000000000000
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x120 lib/dump_stack.c:51
 [] print_address_description+0x6f/0x21b mm/kasan/report.c:252
 [] kasan_report_error mm/kasan/report.c:351 [inline]
 [] kasan_report mm/kasan/report.c:408 [inline]
 [] kasan_report.cold+0x8c/0x2be mm/kasan/report.c:393
 [] __asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:429
 [] ifname_compare_aligned include/linux/netfilter/x_tables.h:362 [inline]
 [] ip6_packet_match net/ipv6/netfilter/ip6_tables.c:124 [inline]
 [] ip6t_do_table+0x1545/0x1860 net/ipv6/netfilter/ip6_tables.c:382
 [] ip6t_mangle_out net/ipv6/netfilter/ip6table_mangle.c:60 [inline]
 [] ip6table_mangle_hook+0x2d6/0x710 net/ipv6/netfilter/ip6table_mangle.c:82
 [] nf_iterate+0x186/0x220 net/netfilter/core.c:274
 [] nf_hook_slow+0x1b6/0x340 net/netfilter/core.c:306
 [] nf_hook_thresh include/linux/netfilter.h:187 [inline]
 [] nf_hook include/linux/netfilter.h:197 [inline]
 [] __ip6_local_out+0x309/0x4b0 net/ipv6/output_core.c:157
 [] ip6_local_out+0x29/0x180 net/ipv6/output_core.c:167
 [] ip6_send_skb+0xa2/0x340 net/ipv6/ip6_output.c:1725
 [] udp_v6_send_skb+0x438/0xe90 net/ipv6/udp.c:1066
 [] udp_v6_push_pending_frames+0x245/0x360 net/ipv6/udp.c:1098
 [] udpv6_sendmsg+0x1a37/0x24f0 net/ipv6/udp.c:1358
 [] inet_sendmsg+0x202/0x4d0 net/ipv4/af_inet.c:755
 [] sock_sendmsg_nosec net/socket.c:638 [inline]
 [] sock_sendmsg+0xbe/0x110 net/socket.c:648
 [] ___sys_sendmsg+0x369/0x890 net/socket.c:1975
 [] __sys_sendmmsg+0x130/0x2e0 net/socket.c:2060
 [] SYSC_sendmmsg net/socket.c:2090 [inline]
 [] SyS_sendmmsg+0x35/0x60 net/socket.c:2085
 [] entry_SYSCALL_64_fastpath+0x1e/0x9a

The buggy address belongs to the page:
page:ffffea0002e96100 count:1 mapcount:0 mapping: (null) index:0x0
flags: 0x0()
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8800ba583f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff8800ba583f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff8800ba584000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                   ^
 ffff8800ba584080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff8800ba584100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================