ffffffff8165e417 00000000000051b9 ffff8801cf44d0f0 ffff8801cf44d0a0 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xc1/0x128 lib/dump_stack.c:51 ================================================================== BUG: KASAN: use-after-free in ip6_dst_ifdown+0x2f1/0x320 net/ipv6/route.c:400 at addr ffff8801a78e6880 Read of size 8 by task syz-executor3/15829 [] handle_userfault+0xa37/0x1300 fs/userfaultfd.c:323 [] do_anonymous_page mm/memory.c:2747 [inline] [] handle_pte_fault mm/memory.c:3488 [inline] [] __handle_mm_fault mm/memory.c:3577 [inline] [] handle_mm_fault+0x1fd1/0x2530 mm/memory.c:3614 [] __do_page_fault+0x5b7/0xd70 arch/x86/mm/fault.c:1396 [] do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1460 [] page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1012 [] vfs_ioctl fs/ioctl.c:43 [inline] [] do_vfs_ioctl+0x1aa/0x1140 fs/ioctl.c:679 [] SYSC_ioctl fs/ioctl.c:694 [inline] [] SyS_ioctl+0x8f/0xc0 fs/ioctl.c:685 [] entry_SYSCALL_64_fastpath+0x23/0xc6 CPU: 0 PID: 15829 Comm: syz-executor3 Not tainted 4.9.65-gea83e4a #95 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 ffff8801d8407798 ffffffff81d90469 ffff8801da001140 ffff8801a78e6880 ffff8801a78e6c80 ffffed0034f1cd10 ffff8801a78e6880 ffff8801d84077c0 ffffffff8153a3fc[ 93.307774] FAULT_FLAG_ALLOW_RETRY missing 20 ffffed0034f1cd10 ffff8801da001140 0000000000000000 [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xc1/0x128 lib/dump_stack.c:51 [] kasan_object_err+0x1c/0x70 mm/kasan/report.c:160 FAULT_FLAG_ALLOW_RETRY missing 30 FAULT_FLAG_ALLOW_RETRY missing 30 [] print_address_description mm/kasan/report.c:198 [inline] [] kasan_report_error mm/kasan/report.c:287 [inline] [] kasan_report.part.1+0x21c/0x500 mm/kasan/report.c:309 [] kasan_report mm/kasan/report.c:330 [inline] [] __asan_report_load8_noabort+0x29/0x30 mm/kasan/report.c:330 [] ip6_dst_ifdown+0x2f1/0x320 net/ipv6/route.c:400 [] dst_ifdown+0x75/0x230 net/core/dst.c:440 [] dst_dev_event+0xb1/0x2e0 net/core/dst.c:467 [] notifier_call_chain+0x90/0x1a0 kernel/notifier.c:93 [] __raw_notifier_call_chain kernel/notifier.c:394 [inline] [] raw_notifier_call_chain+0x2d/0x40 kernel/notifier.c:401 [] call_netdevice_notifiers_info+0x51/0x90 net/core/dev.c:1646 [] call_netdevice_notifiers net/core/dev.c:1662 [inline] [] dev_close_many+0x254/0x370 net/core/dev.c:1455 [] rollback_registered_many+0x27a/0x960 net/core/dev.c:6783 [] rollback_registered+0x81/0xb0 net/core/dev.c:6846 [] unregister_netdevice_queue+0x81/0x140 net/core/dev.c:7833 [] unregister_netdevice include/linux/netdevice.h:2458 [inline] [] __tun_detach+0xa2c/0xc20 drivers/net/tun.c:567 [] tun_detach drivers/net/tun.c:578 [inline] [] tun_chr_close+0x44/0x60 drivers/net/tun.c:2379 [] __fput+0x28c/0x6e0 fs/file_table.c:208 [] ____fput+0x15/0x20 fs/file_table.c:244 [] task_work_run+0x115/0x190 kernel/task_work.c:116 [] exit_task_work include/linux/task_work.h:21 [inline] [] do_exit+0x7e7/0x2a40 kernel/exit.c:833 [] do_group_exit+0x108/0x320 kernel/exit.c:937 [] SYSC_exit_group kernel/exit.c:948 [inline] [] SyS_exit_group+0x1d/0x20 kernel/exit.c:946 [] entry_SYSCALL_64_fastpath+0x23/0xc6 Object at ffff8801a78e6880, in cache kmalloc-1024 size: 1024 CPU: 1 PID: 15851 Comm: syz-executor4 Not tainted 4.9.65-gea83e4a #95 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 ffff8801a57a72d8 ffffffff81d90469 ffff8801a57a75b8 0000000000000000 ffff8801c8a97490 ffff8801a57a74a8 ffff8801c8a97380 ffff8801a57a74d0 ffffffff8165e417 0000000000000000 00000000000051b9 ffff8801c74868f0 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xc1/0x128 lib/dump_stack.c:51 [] handle_userfault+0xa37/0x1300 fs/userfaultfd.c:323 [] do_anonymous_page mm/memory.c:2747 [inline] [] handle_pte_fault mm/memory.c:3488 [inline] [] __handle_mm_fault mm/memory.c:3577 [inline] [] handle_mm_fault+0x1fd1/0x2530 mm/memory.c:3614 [] faultin_page mm/gup.c:386 [inline] [] __get_user_pages+0x39a/0x1010 mm/gup.c:585 [] __get_user_pages_locked mm/gup.c:797 [inline] [] __get_user_pages_unlocked mm/gup.c:872 [inline] [] get_user_pages_unlocked+0x1d3/0x370 mm/gup.c:900 [] get_user_pages_fast+0x11e/0x320 arch/x86/mm/gup.c:440 [] get_futex_key+0x20a/0x1050 kernel/futex.c:545 [] futex_requeue+0x240/0x15c0 kernel/futex.c:1746 [] do_futex+0x48f/0x15c0 kernel/futex.c:3242 [] SYSC_futex kernel/futex.c:3280 [inline] [] SyS_futex+0x226/0x2d0 kernel/futex.c:3248 [] entry_SYSCALL_64_fastpath+0x23/0xc6 CPU: 1 PID: 15865 Comm: syz-executor5 Not tainted 4.9.65-gea83e4a #95 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 ffff8801d9a176e0 ffffffff81d90469 ffff8801d9a179c0 0000000000000000 ffff8801a7931310 ffff8801d9a178b0 ffff8801a7931200 ffff8801d9a178d8 ffffffff8165e417 00000000000051b9 ffff8801cf44d0f0 ffff8801cf44d0a0 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xc1/0x128 lib/dump_stack.c:51 [] handle_userfault+0xa37/0x1300 fs/userfaultfd.c:323 [] do_anonymous_page mm/memory.c:2747 [inline] [] handle_pte_fault mm/memory.c:3488 [inline] [] __handle_mm_fault mm/memory.c:3577 [inline] [] handle_mm_fault+0x1fd1/0x2530 mm/memory.c:3614 [] __do_page_fault+0x5b7/0xd70 arch/x86/mm/fault.c:1396 [] do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1460 [] page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1012 [] vfs_ioctl fs/ioctl.c:43 [inline] [] do_vfs_ioctl+0x1aa/0x1140 fs/ioctl.c:679 [] SYSC_ioctl fs/ioctl.c:694 [inline] [] SyS_ioctl+0x8f/0xc0 fs/ioctl.c:685 [] entry_SYSCALL_64_fastpath+0x23/0xc6 CPU: 1 PID: 15846 Comm: syz-executor5 Not tainted 4.9.65-gea83e4a #95 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 ffff8801c748f8d0 ffffffff81d90469 ffff8801c748fbb0 0000000000000000 ffff8801a7931310 ffff8801c748faa0 ffff8801a7931200 ffff8801c748fac8 ffffffff8165e417 00000000000051b9 ffff8801c74808f0 ffff8801c74808a0 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xc1/0x128 lib/dump_stack.c:51 [] handle_userfault+0xa37/0x1300 fs/userfaultfd.c:323 [] do_anonymous_page mm/memory.c:2747 [inline] [] handle_pte_fault mm/memory.c:3488 [inline] [] __handle_mm_fault mm/memory.c:3577 [inline] [] handle_mm_fault+0x1fd1/0x2530 mm/memory.c:3614 [] __do_page_fault+0x5b7/0xd70 arch/x86/mm/fault.c:1396 [] do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1460 [] page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1012 [] entry_SYSCALL_64_fastpath+0x23/0xc6 Allocated: PID = 3305 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 save_stack+0x43/0xd0 mm/kasan/kasan.c:495 set_track mm/kasan/kasan.c:507 [inline] kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598 kmem_cache_alloc_trace+0xfb/0x2a0 mm/slub.c:2742 kmalloc include/linux/slab.h:490 [inline] kzalloc include/linux/slab.h:636 [inline] ipv6_add_dev+0xbb/0x1000 net/ipv6/addrconf.c:371 addrconf_notify+0xa5e/0x2190 net/ipv6/addrconf.c:3356 notifier_call_chain+0x90/0x1a0 kernel/notifier.c:93 __raw_notifier_call_chain kernel/notifier.c:394 [inline] raw_notifier_call_chain+0x2d/0x40 kernel/notifier.c:401 call_netdevice_notifiers_info+0x51/0x90 net/core/dev.c:1646 call_netdevice_notifiers net/core/dev.c:1662 [inline] register_netdevice+0xb92/0xea0 net/core/dev.c:7294 register_netdev+0x1a/0x30 net/core/dev.c:7377 loopback_net_init+0x76/0x160 drivers/net/loopback.c:202 ops_init+0xa9/0x3a0 net/core/net_namespace.c:111 setup_net+0x1b2/0x3e0 net/core/net_namespace.c:291 copy_net_ns+0x189/0x280 net/core/net_namespace.c:389 create_new_namespaces+0x37f/0x730 kernel/nsproxy.c:106 copy_namespaces+0x291/0x320 kernel/nsproxy.c:164 copy_process.part.51+0x1c99/0x5d40 kernel/fork.c:1667 copy_process kernel/fork.c:1491 [inline] _do_fork+0x1c0/0xd70 kernel/fork.c:1949 SYSC_clone kernel/fork.c:2059 [inline] SyS_clone+0x37/0x50 kernel/fork.c:2053 do_syscall_64+0x197/0x490 arch/x86/entry/common.c:280 return_from_SYSCALL_64+0x0/0x7a Freed: PID = 3531 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 save_stack+0x43/0xd0 mm/kasan/kasan.c:495 set_track mm/kasan/kasan.c:507 [inline] kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:571 slab_free_hook mm/slub.c:1355 [inline] slab_free_freelist_hook mm/slub.c:1377 [inline] slab_free mm/slub.c:2958 [inline] kfree+0xf0/0x2f0 mm/slub.c:3878 in6_dev_finish_destroy_rcu+0x9d/0xc0 net/ipv6/addrconf_core.c:150 __rcu_reclaim kernel/rcu/rcu.h:118 [inline] rcu_do_batch kernel/rcu/tree.c:2789 [inline] invoke_rcu_callbacks kernel/rcu/tree.c:3053 [inline] __rcu_process_callbacks kernel/rcu/tree.c:3020 [inline] rcu_process_callbacks+0x871/0x12c0 kernel/rcu/tree.c:3037 __do_softirq+0x206/0x951 kernel/softirq.c:284 Memory state around the buggy address: ffff8801a78e6780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff8801a78e6800: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff8801a78e6880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff8801a78e6900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8801a78e6980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ================================================================== ================================================================== BUG: KASAN: use-after-free in ip6_dst_ifdown+0x2f1/0x320 net/ipv6/route.c:400 at addr ffff8801a78e6880 Read of size 8 by task syz-executor3/15829 CPU: 0 PID: 15829 Comm: syz-executor3 Tainted: G B 4.9.65-gea83e4a #95 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 ffff8801d8407798 ffffffff81d90469 ffff8801da001140 ffff8801a78e6880 ffff8801a78e6c80 ffffed0034f1cd10 ffff8801a78e6880 ffff8801d84077c0 ffffffff8153a3fc ffffed0034f1cd10 ffff8801da001140 0000000000000000 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xc1/0x128 lib/dump_stack.c:51 [] kasan_object_err+0x1c/0x70 mm/kasan/report.c:160 [] print_address_description mm/kasan/report.c:198 [inline] [] kasan_report_error mm/kasan/report.c:287 [inline] [] kasan_report.part.1+0x21c/0x500 mm/kasan/report.c:309 [] kasan_report mm/kasan/report.c:330 [inline] [] __asan_report_load8_noabort+0x29/0x30 mm/kasan/report.c:330 [] ip6_dst_ifdown+0x2f1/0x320 net/ipv6/route.c:400 [] dst_ifdown+0x75/0x230 net/core/dst.c:440 [] dst_dev_event+0xb1/0x2e0 net/core/dst.c:467 [] notifier_call_chain+0x90/0x1a0 kernel/notifier.c:93 [] __raw_notifier_call_chain kernel/notifier.c:394 [inline] [] raw_notifier_call_chain+0x2d/0x40 kernel/notifier.c:401 [] call_netdevice_notifiers_info+0x51/0x90 net/core/dev.c:1646 [] call_netdevice_notifiers net/core/dev.c:1662 [inline] [] dev_close_many+0x254/0x370 net/core/dev.c:1455 [] rollback_registered_many+0x27a/0x960 net/core/dev.c:6783 [] rollback_registered+0x81/0xb0 net/core/dev.c:6846 [] unregister_netdevice_queue+0x81/0x140 net/core/dev.c:7833 [] unregister_netdevice include/linux/netdevice.h:2458 [inline] [] __tun_detach+0xa2c/0xc20 drivers/net/tun.c:567 [] tun_detach drivers/net/tun.c:578 [inline] [] tun_chr_close+0x44/0x60 drivers/net/tun.c:2379 [] __fput+0x28c/0x6e0 fs/file_table.c:208 [] ____fput+0x15/0x20 fs/file_table.c:244 [] task_work_run+0x115/0x190 kernel/task_work.c:116 [] exit_task_work include/linux/task_work.h:21 [inline] [] do_exit+0x7e7/0x2a40 kernel/exit.c:833 [] do_group_exit+0x108/0x320 kernel/exit.c:937 [] SYSC_exit_group kernel/exit.c:948 [inline] [] SyS_exit_group+0x1d/0x20 kernel/exit.c:946 [] entry_SYSCALL_64_fastpath+0x23/0xc6 Object at ffff8801a78e6880, in cache kmalloc-1024 size: 1024 Allocated: PID = 3305 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 save_stack+0x43/0xd0 mm/kasan/kasan.c:495 set_track mm/kasan/kasan.c:507 [inline] kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598 kmem_cache_alloc_trace+0xfb/0x2a0 mm/slub.c:2742 kmalloc include/linux/slab.h:490 [inline] kzalloc include/linux/slab.h:636 [inline] ipv6_add_dev+0xbb/0x1000 net/ipv6/addrconf.c:371 addrconf_notify+0xa5e/0x2190 net/ipv6/addrconf.c:3356 notifier_call_chain+0x90/0x1a0 kernel/notifier.c:93 __raw_notifier_call_chain kernel/notifier.c:394 [inline] raw_notifier_call_chain+0x2d/0x40 kernel/notifier.c:401 call_netdevice_notifiers_info+0x51/0x90 net/core/dev.c:1646 call_netdevice_notifiers net/core/dev.c:1662 [inline] register_netdevice+0xb92/0xea0 net/core/dev.c:7294 register_netdev+0x1a/0x30 net/core/dev.c:7377 loopback_net_init+0x76/0x160 drivers/net/loopback.c:202 ops_init+0xa9/0x3a0 net/core/net_namespace.c:111 setup_net+0x1b2/0x3e0 net/core/net_namespace.c:291 copy_net_ns+0x189/0x280 net/core/net_namespace.c:389 create_new_namespaces+0x37f/0x730 kernel/nsproxy.c:106 copy_namespaces+0x291/0x320 kernel/nsproxy.c:164 copy_process.part.51+0x1c99/0x5d40 kernel/fork.c:1667 copy_process kernel/fork.c:1491 [inline] _do_fork+0x1c0/0xd70 kernel/fork.c:1949 SYSC_clone kernel/fork.c:2059 [inline] SyS_clone+0x37/0x50 kernel/fork.c:2053 do_syscall_64+0x197/0x490 arch/x86/entry/common.c:280 return_from_SYSCALL_64+0x0/0x7a Freed: PID = 3531 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 save_stack+0x43/0xd0 mm/kasan/kasan.c:495 set_track mm/kasan/kasan.c:507 [inline] kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:571 slab_free_hook mm/slub.c:1355 [inline] slab_free_freelist_hook mm/slub.c:1377 [inline] slab_free mm/slub.c:2958 [inline] kfree+0xf0/0x2f0 mm/slub.c:3878 in6_dev_finish_destroy_rcu+0x9d/0xc0 net/ipv6/addrconf_core.c:150 __rcu_reclaim kernel/rcu/rcu.h:118 [inline] rcu_do_batch kernel/rcu/tree.c:2789 [inline] invoke_rcu_callbacks kernel/rcu/tree.c:3053 [inline] __rcu_process_callbacks kernel/rcu/tree.c:3020 [inline] rcu_process_callbacks+0x871/0x12c0 kernel/rcu/tree.c:3037 __do_softirq+0x206/0x951 kernel/softirq.c:284 Memory state around the buggy address: ffff8801a78e6780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff8801a78e6800: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff8801a78e6880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff8801a78e6900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8801a78e6980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ================================================================== ================================================================== BUG: KASAN: use-after-free in ip6_dst_ifdown+0x2f1/0x320 net/ipv6/route.c:400 at addr ffff8801a78e6880 Read of size 8 by task syz-executor3/15829 CPU: 1 PID: 15829 Comm: syz-executor3 Tainted: G B 4.9.65-gea83e4a #95 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 ffff8801d8407940 ffffffff81d90469 ffff8801da001140 ffff8801a78e6880 ffff8801a78e6c80 ffffed0034f1cd10 ffff8801a78e6880 ffff8801d8407968 ffffffff8153a3fc ffffed0034f1cd10 ffff8801da001140 0000000000000000 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xc1/0x128 lib/dump_stack.c:51 [] kasan_object_err+0x1c/0x70 mm/kasan/report.c:160 [] print_address_description mm/kasan/report.c:198 [inline] [] kasan_report_error mm/kasan/report.c:287 [inline] [] kasan_report.part.1+0x21c/0x500 mm/kasan/report.c:309 [] kasan_report mm/kasan/report.c:330 [inline] [] __asan_report_load8_noabort+0x29/0x30 mm/kasan/report.c:330 [] ip6_dst_ifdown+0x2f1/0x320 net/ipv6/route.c:400 [] dst_ifdown+0x75/0x230 net/core/dst.c:440 [] dst_dev_event+0xb1/0x2e0 net/core/dst.c:467 [] notifier_call_chain+0x90/0x1a0 kernel/notifier.c:93 [] __raw_notifier_call_chain kernel/notifier.c:394 [inline] [] raw_notifier_call_chain+0x2d/0x40 kernel/notifier.c:401 [] call_netdevice_notifiers_info+0x51/0x90 net/core/dev.c:1646 [] call_netdevice_notifiers net/core/dev.c:1662 [inline] [] netdev_run_todo+0x17a/0x6b0 net/core/dev.c:7499 [] rtnl_unlock+0xe/0x10 net/core/rtnetlink.c:104 [] tun_detach drivers/net/tun.c:579 [inline] [] tun_chr_close+0x49/0x60 drivers/net/tun.c:2379 [] __fput+0x28c/0x6e0 fs/file_table.c:208 [] ____fput+0x15/0x20 fs/file_table.c:244 [] task_work_run+0x115/0x190 kernel/task_work.c:116 [] exit_task_work include/linux/task_work.h:21 [inline] [] do_exit+0x7e7/0x2a40 kernel/exit.c:833 [] do_group_exit+0x108/0x320 kernel/exit.c:937 [] SYSC_exit_group kernel/exit.c:948 [inline] [] SyS_exit_group+0x1d/0x20 kernel/exit.c:946 [] entry_SYSCALL_64_fastpath+0x23/0xc6 Object at ffff8801a78e6880, in cache kmalloc-1024 size: 1024 Allocated: PID = 3305 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 save_stack+0x43/0xd0 mm/kasan/kasan.c:495 set_track mm/kasan/kasan.c:507 [inline] kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598 kmem_cache_alloc_trace+0xfb/0x2a0 mm/slub.c:2742 kmalloc include/linux/slab.h:490 [inline] kzalloc include/linux/slab.h:636 [inline] ipv6_add_dev+0xbb/0x1000 net/ipv6/addrconf.c:371 addrconf_notify+0xa5e/0x2190 net/ipv6/addrconf.c:3356 notifier_call_chain+0x90/0x1a0 kernel/notifier.c:93 __raw_notifier_call_chain kernel/notifier.c:394 [inline] raw_notifier_call_chain+0x2d/0x40 kernel/notifier.c:401 call_netdevice_notifiers_info+0x51/0x90 net/core/dev.c:1646 call_netdevice_notifiers net/core/dev.c:1662 [inline] register_netdevice+0xb92/0xea0 net/core/dev.c:7294 register_netdev+0x1a/0x30 net/core/dev.c:7377 loopback_net_init+0x76/0x160 drivers/net/loopback.c:202 ops_init+0xa9/0x3a0 net/core/net_namespace.c:111 setup_net+0x1b2/0x3e0 net/core/net_namespace.c:291 copy_net_ns+0x189/0x280 net/core/net_namespace.c:389 create_new_namespaces+0x37f/0x730 kernel/nsproxy.c:106 copy_namespaces+0x291/0x320 kernel/nsproxy.c:164 copy_process.part.51+0x1c99/0x5d40 kernel/fork.c:1667 copy_process kernel/fork.c:1491 [inline] _do_fork+0x1c0/0xd70 kernel/fork.c:1949 SYSC_clone kernel/fork.c:2059 [inline] SyS_clone+0x37/0x50 kernel/fork.c:2053 do_syscall_64+0x197/0x490 arch/x86/entry/common.c:280 return_from_SYSCALL_64+0x0/0x7a Freed: PID = 3531 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 save_stack+0x43/0xd0 mm/kasan/kasan.c:495 set_track mm/kasan/kasan.c:507 [inline] kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:571 slab_free_hook mm/slub.c:1355 [inline] slab_free_freelist_hook mm/slub.c:1377 [inline] slab_free mm/slub.c:2958 [inline] kfree+0xf0/0x2f0 mm/slub.c:3878 in6_dev_finish_destroy_rcu+0x9d/0xc0 net/ipv6/addrconf_core.c:150 __rcu_reclaim kernel/rcu/rcu.h:118 [inline] rcu_do_batch kernel/rcu/tree.c:2789 [inline] invoke_rcu_callbacks kernel/rcu/tree.c:3053 [inline] __rcu_process_callbacks kernel/rcu/tree.c:3020 [inline] rcu_process_callbacks+0x871/0x12c0 kernel/rcu/tree.c:3037 __do_softirq+0x206/0x951 kernel/softirq.c:284 Memory state around the buggy address: ffff8801a78e6780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff8801a78e6800: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff8801a78e6880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff8801a78e6900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8801a78e6980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ================================================================== ================================================================== BUG: KASAN: use-after-free in ip6_dst_ifdown+0x2f1/0x320 net/ipv6/route.c:400 at addr ffff8801a78e6880 Read of size 8 by task syz-executor3/15829 CPU: 1 PID: 15829 Comm: syz-executor3 Tainted: G B 4.9.65-gea83e4a #95 binder: 15914:15920 ioctl 80e85411 20304f42 returned -22 binder: 15914:15920 ioctl 40086432 2048effc returned -22 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 ffff8801d8407940 ffffffff81d90469 ffff8801da001140 ffff8801a78e6880 ffff8801a78e6c80 ffffed0034f1cd10 ffff8801a78e6880 ffff8801d8407968 ffffffff8153a3fc ffffed0034f1cd10 ffff8801da001140 0000000000000000 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xc1/0x128 lib/dump_stack.c:51 [] kasan_object_err+0x1c/0x70 mm/kasan/report.c:160 [] print_address_description mm/kasan/report.c:198 [inline] [] kasan_report_error mm/kasan/report.c:287 [inline] [] kasan_report.part.1+0x21c/0x500 mm/kasan/report.c:309 [] kasan_report mm/kasan/report.c:330 [inline] [] __asan_report_load8_noabort+0x29/0x30 mm/kasan/report.c:330 [] ip6_dst_ifdown+0x2f1/0x320 net/ipv6/route.c:400 binder: 15914:15920 ioctl 80e85411 20304f42 returned -22 binder: 15914:15920 ioctl 40086432 2048effc returned -22 [] dst_ifdown+0x75/0x230 net/core/dst.c:440 [] dst_dev_event+0xb1/0x2e0 net/core/dst.c:467 [] notifier_call_chain+0x90/0x1a0 kernel/notifier.c:93 [] __raw_notifier_call_chain kernel/notifier.c:394 [inline] [] raw_notifier_call_chain+0x2d/0x40 kernel/notifier.c:401 [] call_netdevice_notifiers_info+0x51/0x90 net/core/dev.c:1646 [] call_netdevice_notifiers net/core/dev.c:1662 [inline] [] netdev_run_todo+0x17a/0x6b0 net/core/dev.c:7499 [] rtnl_unlock+0xe/0x10 net/core/rtnetlink.c:104 [] tun_detach drivers/net/tun.c:579 [inline] [] tun_chr_close+0x49/0x60 drivers/net/tun.c:2379 [] __fput+0x28c/0x6e0 fs/file_table.c:208 [] ____fput+0x15/0x20 fs/file_table.c:244 [] task_work_run+0x115/0x190 kernel/task_work.c:116 [] exit_task_work include/linux/task_work.h:21 [inline] [] do_exit+0x7e7/0x2a40 kernel/exit.c:833 [] do_group_exit+0x108/0x320 kernel/exit.c:937 [] SYSC_exit_group kernel/exit.c:948 [inline] [] SyS_exit_group+0x1d/0x20 kernel/exit.c:946 [] entry_SYSCALL_64_fastpath+0x23/0xc6 Object at ffff8801a78e6880, in cache kmalloc-1024 size: 1024 Allocated: PID = 3305 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 save_stack+0x43/0xd0 mm/kasan/kasan.c:495 set_track mm/kasan/kasan.c:507 [inline] kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598 kmem_cache_alloc_trace+0xfb/0x2a0 mm/slub.c:2742 kmalloc include/linux/slab.h:490 [inline] kzalloc include/linux/slab.h:636 [inline] ipv6_add_dev+0xbb/0x1000 net/ipv6/addrconf.c:371 addrconf_notify+0xa5e/0x2190 net/ipv6/addrconf.c:3356 notifier_call_chain+0x90/0x1a0 kernel/notifier.c:93 __raw_notifier_call_chain kernel/notifier.c:394 [inline] raw_notifier_call_chain+0x2d/0x40 kernel/notifier.c:401 call_netdevice_notifiers_info+0x51/0x90 net/core/dev.c:1646 call_netdevice_notifiers net/core/dev.c:1662 [inline] register_netdevice+0xb92/0xea0 net/core/dev.c:7294 register_netdev+0x1a/0x30 net/core/dev.c:7377 loopback_net_init+0x76/0x160 drivers/net/loopback.c:202 ops_init+0xa9/0x3a0 net/core/net_namespace.c:111 setup_net+0x1b2/0x3e0 net/core/net_namespace.c:291 copy_net_ns+0x189/0x280 net/core/net_namespace.c:389 create_new_namespaces+0x37f/0x730 kernel/nsproxy.c:106 copy_namespaces+0x291/0x320 kernel/nsproxy.c:164 copy_process.part.51+0x1c99/0x5d40 kernel/fork.c:1667 copy_process kernel/fork.c:1491 [inline] _do_fork+0x1c0/0xd70 kernel/fork.c:1949 SYSC_clone kernel/fork.c:2059 [inline] SyS_clone+0x37/0x50 kernel/fork.c:2053 do_syscall_64+0x197/0x490 arch/x86/entry/common.c:280 return_from_SYSCALL_64+0x0/0x7a Freed: PID = 3531 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 save_stack+0x43/0xd0 mm/kasan/kasan.c:495 set_track mm/kasan/kasan.c:507 [inline] kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:571 slab_free_hook mm/slub.c:1355 [inline] slab_free_freelist_hook mm/slub.c:1377 [inline] slab_free mm/slub.c:2958 [inline] kfree+0xf0/0x2f0 mm/slub.c:3878 in6_dev_finish_destroy_rcu+0x9d/0xc0 net/ipv6/addrconf_core.c:150 __rcu_reclaim kernel/rcu/rcu.h:118 [inline] rcu_do_batch kernel/rcu/tree.c:2789 [inline] invoke_rcu_callbacks kernel/rcu/tree.c:3053 [inline] __rcu_process_callbacks kernel/rcu/tree.c:3020 [inline] rcu_process_callbacks+0x871/0x12c0 kernel/rcu/tree.c:3037 __do_softirq+0x206/0x951 kernel/softirq.c:284 Memory state around the buggy address: ffff8801a78e6780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff8801a78e6800: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff8801a78e6880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff8801a78e6900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8801a78e6980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ================================================================== ================================================================== BUG: KASAN: use-after-free in ip6_dst_ifdown+0x2f1/0x320 net/ipv6/route.c:400 at addr ffff8801a78e6880 Read of size 8 by task syz-executor2/15907 CPU: 0 PID: 15907 Comm: syz-executor2 Tainted: G B 4.9.65-gea83e4a #95 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 ffff8801c94ef698 ffffffff81d90469 ffff8801da001140 ffff8801a78e6880 ffff8801a78e6c80 ffffed0034f1cd10 ffff8801a78e6880 ffff8801c94ef6c0 ffffffff8153a3fc ffffed0034f1cd10 ffff8801da001140 0000000000000000 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xc1/0x128 lib/dump_stack.c:51 [] kasan_object_err+0x1c/0x70 mm/kasan/report.c:160 [] print_address_description mm/kasan/report.c:198 [inline] [] kasan_report_error mm/kasan/report.c:287 [inline] [] kasan_report.part.1+0x21c/0x500 mm/kasan/report.c:309 [] kasan_report mm/kasan/report.c:330 [inline] [] __asan_report_load8_noabort+0x29/0x30 mm/kasan/report.c:330 [] ip6_dst_ifdown+0x2f1/0x320 net/ipv6/route.c:400 [] dst_ifdown+0x75/0x230 net/core/dst.c:440 [] dst_dev_event+0xb1/0x2e0 net/core/dst.c:467 [] notifier_call_chain+0x90/0x1a0 kernel/notifier.c:93 [] __raw_notifier_call_chain kernel/notifier.c:394 [inline] [] raw_notifier_call_chain+0x2d/0x40 kernel/notifier.c:401 [] call_netdevice_notifiers_info+0x51/0x90 net/core/dev.c:1646 [] call_netdevice_notifiers net/core/dev.c:1662 [inline] [] netdev_run_todo+0x17a/0x6b0 net/core/dev.c:7499 [] rtnl_unlock+0xe/0x10 net/core/rtnetlink.c:104 [] tun_detach drivers/net/tun.c:579 [inline] [] tun_chr_close+0x49/0x60 drivers/net/tun.c:2379 [] __fput+0x28c/0x6e0 fs/file_table.c:208 [] ____fput+0x15/0x20 fs/file_table.c:244 [] task_work_run+0x115/0x190 kernel/task_work.c:116 [] exit_task_work include/linux/task_work.h:21 [inline] [] do_exit+0x7e7/0x2a40 kernel/exit.c:833 [] do_group_exit+0x108/0x320 kernel/exit.c:937 [] get_signal+0x4d4/0x14e0 kernel/signal.c:2315 [] do_signal+0x87/0x1a00 arch/x86/kernel/signal.c:807 [] exit_to_usermode_loop+0xe1/0x120 arch/x86/entry/common.c:156 [] prepare_exit_to_usermode arch/x86/entry/common.c:190 [inline] [] syscall_return_slowpath+0x1a0/0x1e0 arch/x86/entry/common.c:259 [] entry_SYSCALL_64_fastpath+0xc4/0xc6 Object at ffff8801a78e6880, in cache kmalloc-1024 size: 1024 Allocated: PID = 3305 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 save_stack+0x43/0xd0 mm/kasan/kasan.c:495 set_track mm/kasan/kasan.c:507 [inline] kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598 kmem_cache_alloc_trace+0xfb/0x2a0 mm/slub.c:2742 kmalloc include/linux/slab.h:490 [inline] kzalloc include/linux/slab.h:636 [inline] ipv6_add_dev+0xbb/0x1000 net/ipv6/addrconf.c:371 addrconf_notify+0xa5e/0x2190 net/ipv6/addrconf.c:3356 notifier_call_chain+0x90/0x1a0 kernel/notifier.c:93 __raw_notifier_call_chain kernel/notifier.c:394 [inline] raw_notifier_call_chain+0x2d/0x40 kernel/notifier.c:401 call_netdevice_notifiers_info+0x51/0x90 net/core/dev.c:1646 call_netdevice_notifiers net/core/dev.c:1662 [inline] register_netdevice+0xb92/0xea0 net/core/dev.c:7294 register_netdev+0x1a/0x30 net/core/dev.c:7377 loopback_net_init+0x76/0x160 drivers/net/loopback.c:202 ops_init+0xa9/0x3a0 net/core/net_namespace.c:111 setup_net+0x1b2/0x3e0 net/core/net_namespace.c:291 copy_net_ns+0x189/0x280 net/core/net_namespace.c:389 create_new_namespaces+0x37f/0x730 kernel/nsproxy.c:106 copy_namespaces+0x291/0x320 kernel/nsproxy.c:164 copy_process.part.51+0x1c99/0x5d40 kernel/fork.c:1667 copy_process kernel/fork.c:1491 [inline] _do_fork+0x1c0/0xd70 kernel/fork.c:1949 SYSC_clone kernel/fork.c:2059 [inline] SyS_clone+0x37/0x50 kernel/fork.c:2053 do_syscall_64+0x197/0x490 arch/x86/entry/common.c:280 return_from_SYSCALL_64+0x0/0x7a Freed: PID = 3531 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 save_stack+0x43/0xd0 mm/kasan/kasan.c:495 set_track mm/kasan/kasan.c:507 [inline] kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:571 slab_free_hook mm/slub.c:1355 [inline] slab_free_freelist_hook mm/slub.c:1377 [inline] slab_free mm/slub.c:2958 [inline] kfree+0xf0/0x2f0 mm/slub.c:3878 in6_dev_finish_destroy_rcu+0x9d/0xc0 net/ipv6/addrconf_core.c:150 __rcu_reclaim kernel/rcu/rcu.h:118 [inline] rcu_do_batch kernel/rcu/tree.c:2789 [inline] invoke_rcu_callbacks kernel/rcu/tree.c:3053 [inline] __rcu_process_callbacks kernel/rcu/tree.c:3020 [inline] rcu_process_callbacks+0x871/0x12c0 kernel/rcu/tree.c:3037 __do_softirq+0x206/0x951 kernel/softirq.c:284 Memory state around the buggy address: ffff8801a78e6780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff8801a78e6800: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff8801a78e6880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff8801a78e6900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8801a78e6980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ================================================================== ================================================================== BUG: KASAN: use-after-free in ip6_dst_ifdown+0x2f1/0x320 net/ipv6/route.c:400 at addr ffff8801a78e6880 Read of size 8 by task syz-executor2/15907 CPU: 0 PID: 15907 Comm: syz-executor2 Tainted: G B 4.9.65-gea83e4a #95 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 ffff8801c94ef698 ffffffff81d90469 ffff8801da001140 ffff8801a78e6880 ffff8801a78e6c80 ffffed0034f1cd10 ffff8801a78e6880 ffff8801c94ef6c0 ffffffff8153a3fc ffffed0034f1cd10 ffff8801da001140 0000000000000000 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xc1/0x128 lib/dump_stack.c:51 [] kasan_object_err+0x1c/0x70 mm/kasan/report.c:160 [] print_address_description mm/kasan/report.c:198 [inline] [] kasan_report_error mm/kasan/report.c:287 [inline] [] kasan_report.part.1+0x21c/0x500 mm/kasan/report.c:309 [] kasan_report mm/kasan/report.c:330 [inline] [] __asan_report_load8_noabort+0x29/0x30 mm/kasan/report.c:330 [] ip6_dst_ifdown+0x2f1/0x320 net/ipv6/route.c:400 [] dst_ifdown+0x75/0x230 net/core/dst.c:440 [] dst_dev_event+0xb1/0x2e0 net/core/dst.c:467 [] notifier_call_chain+0x90/0x1a0 kernel/notifier.c:93 [] __raw_notifier_call_chain kernel/notifier.c:394 [inline] [] raw_notifier_call_chain+0x2d/0x40 kernel/notifier.c:401 [] call_netdevice_notifiers_info+0x51/0x90 net/core/dev.c:1646 [] call_netdevice_notifiers net/core/dev.c:1662 [inline] [] netdev_run_todo+0x17a/0x6b0 net/core/dev.c:7499 [] rtnl_unlock+0xe/0x10 net/core/rtnetlink.c:104 [] tun_detach drivers/net/tun.c:579 [inline] [] tun_chr_close+0x49/0x60 drivers/net/tun.c:2379 [] __fput+0x28c/0x6e0 fs/file_table.c:208 [] ____fput+0x15/0x20 fs/file_table.c:244 [] task_work_run+0x115/0x190 kernel/task_work.c:116 [] exit_task_work include/linux/task_work.h:21 [inline] [] do_exit+0x7e7/0x2a40 kernel/exit.c:833 [] do_group_exit+0x108/0x320 kernel/exit.c:937 [] get_signal+0x4d4/0x14e0 kernel/signal.c:2315 [] do_signal+0x87/0x1a00 arch/x86/kernel/signal.c:807 [] exit_to_usermode_loop+0xe1/0x120 arch/x86/entry/common.c:156 [] prepare_exit_to_usermode arch/x86/entry/common.c:190 [inline] [] syscall_return_slowpath+0x1a0/0x1e0 arch/x86/entry/common.c:259 [] entry_SYSCALL_64_fastpath+0xc4/0xc6 Object at ffff8801a78e6880, in cache kmalloc-1024 size: 1024 Allocated: PID = 3305 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 save_stack+0x43/0xd0 mm/kasan/kasan.c:495 set_track mm/kasan/kasan.c:507 [inline] kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598 kmem_cache_alloc_trace+0xfb/0x2a0 mm/slub.c:2742 kmalloc include/linux/slab.h:490 [inline] kzalloc include/linux/slab.h:636 [inline] ipv6_add_dev+0xbb/0x1000 net/ipv6/addrconf.c:371 addrconf_notify+0xa5e/0x2190 net/ipv6/addrconf.c:3356 notifier_call_chain+0x90/0x1a0 kernel/notifier.c:93 __raw_notifier_call_chain kernel/notifier.c:394 [inline] raw_notifier_call_chain+0x2d/0x40 kernel/notifier.c:401 call_netdevice_notifiers_info+0x51/0x90 net/core/dev.c:1646 call_netdevice_notifiers net/core/dev.c:1662 [inline] register_netdevice+0xb92/0xea0 net/core/dev.c:7294 register_netdev+0x1a/0x30 net/core/dev.c:7377 loopback_net_init+0x76/0x160 drivers/net/loopback.c:202 ops_init+0xa9/0x3a0 net/core/net_namespace.c:111 setup_net+0x1b2/0x3e0 net/core/net_namespace.c:291 copy_net_ns+0x189/0x280 net/core/net_namespace.c:389 create_new_namespaces+0x37f/0x730 kernel/nsproxy.c:106 copy_namespaces+0x291/0x320 kernel/nsproxy.c:164 copy_process.part.51+0x1c99/0x5d40 kernel/fork.c:1667 copy_process kernel/fork.c:1491 [inline] _do_fork+0x1c0/0xd70 kernel/fork.c:1949 SYSC_clone kernel/fork.c:2059 [inline] SyS_clone+0x37/0x50 kernel/fork.c:2053 do_syscall_64+0x197/0x490 arch/x86/entry/common.c:280 return_from_SYSCALL_64+0x0/0x7a Freed: PID = 3531 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 save_stack+0x43/0xd0 mm/kasan/kasan.c:495 set_track mm/kasan/kasan.c:507 [inline] kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:571 slab_free_hook mm/slub.c:1355 [inline] slab_free_freelist_hook mm/slub.c:1377 [inline] slab_free mm/slub.c:2958 [inline] kfree+0xf0/0x2f0 mm/slub.c:3878 in6_dev_finish_destroy_rcu+0x9d/0xc0 net/ipv6/addrconf_core.c:150 __rcu_reclaim kernel/rcu/rcu.h:118 [inline] rcu_do_batch kernel/rcu/tree.c:2789 [inline] invoke_rcu_callbacks kernel/rcu/tree.c:3053 [inline] __rcu_process_callbacks kernel/rcu/tree.c:3020 [inline] rcu_process_callbacks+0x871/0x12c0 kernel/rcu/tree.c:3037 __do_softirq+0x206/0x951 kernel/softirq.c:284 Memory state around the buggy address: ffff8801a78e6780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff8801a78e6800: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff8801a78e6880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff8801a78e6900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8801a78e6980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ================================================================== device gre0 entered promiscuous mode netlink: 1 bytes leftover after parsing attributes in process `syz-executor6'. netlink: 1 bytes leftover after parsing attributes in process `syz-executor6'. blk_update_request: I/O error, dev loop0, sector 0 ================================================================== BUG: KASAN: use-after-free in ip6_dst_ifdown+0x2f1/0x320 net/ipv6/route.c:400 at addr ffff8801a78e6880 Read of size 8 by task syz-executor3/15959 CPU: 1 PID: 15959 Comm: syz-executor3 Tainted: G B 4.9.65-gea83e4a #95 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 ffff8801cdb9f798 ffffffff81d90469 ffff8801da001140 ffff8801a78e6880 ffff8801a78e6c80 ffffed0034f1cd10 ffff8801a78e6880 ffff8801cdb9f7c0 ffffffff8153a3fc ffffed0034f1cd10 ffff8801da001140 0000000000000000 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xc1/0x128 lib/dump_stack.c:51 [] kasan_object_err+0x1c/0x70 mm/kasan/report.c:160 [] print_address_description mm/kasan/report.c:198 [inline] [] kasan_report_error mm/kasan/report.c:287 [inline] [] kasan_report.part.1+0x21c/0x500 mm/kasan/report.c:309 [] kasan_report mm/kasan/report.c:330 [inline] [] __asan_report_load8_noabort+0x29/0x30 mm/kasan/report.c:330 [] ip6_dst_ifdown+0x2f1/0x320 net/ipv6/route.c:400 [] dst_ifdown+0x75/0x230 net/core/dst.c:440 [] dst_dev_event+0xb1/0x2e0 net/core/dst.c:467 [] notifier_call_chain+0x90/0x1a0 kernel/notifier.c:93 [] __raw_notifier_call_chain kernel/notifier.c:394 [inline] [] raw_notifier_call_chain+0x2d/0x40 kernel/notifier.c:401 [] call_netdevice_notifiers_info+0x51/0x90 net/core/dev.c:1646 [] call_netdevice_notifiers net/core/dev.c:1662 [inline] [] dev_close_many+0x254/0x370 net/core/dev.c:1455 [] rollback_registered_many+0x27a/0x960 net/core/dev.c:6783 [] rollback_registered+0x81/0xb0 net/core/dev.c:6846 [] unregister_netdevice_queue+0x81/0x140 net/core/dev.c:7833 [] unregister_netdevice include/linux/netdevice.h:2458 [inline] [] __tun_detach+0xa2c/0xc20 drivers/net/tun.c:567 [] tun_detach drivers/net/tun.c:578 [inline] [] tun_chr_close+0x44/0x60 drivers/net/tun.c:2379 [] __fput+0x28c/0x6e0 fs/file_table.c:208 [] ____fput+0x15/0x20 fs/file_table.c:244 [] task_work_run+0x115/0x190 kernel/task_work.c:116 [] exit_task_work include/linux/task_work.h:21 [inline] [] do_exit+0x7e7/0x2a40 kernel/exit.c:833 [] do_group_exit+0x108/0x320 kernel/exit.c:937 [] SYSC_exit_group kernel/exit.c:948 [inline] [] SyS_exit_group+0x1d/0x20 kernel/exit.c:946 [] entry_SYSCALL_64_fastpath+0x23/0xc6 Object at ffff8801a78e6880, in cache kmalloc-1024 size: 1024 Allocated: PID = 3305 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 save_stack+0x43/0xd0 mm/kasan/kasan.c:495 set_track mm/kasan/kasan.c:507 [inline] kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598 kmem_cache_alloc_trace+0xfb/0x2a0 mm/slub.c:2742 kmalloc include/linux/slab.h:490 [inline] kzalloc include/linux/slab.h:636 [inline] ipv6_add_dev+0xbb/0x1000 net/ipv6/addrconf.c:371 addrconf_notify+0xa5e/0x2190 net/ipv6/addrconf.c:3356 notifier_call_chain+0x90/0x1a0 kernel/notifier.c:93 __raw_notifier_call_chain kernel/notifier.c:394 [inline] raw_notifier_call_chain+0x2d/0x40 kernel/notifier.c:401 call_netdevice_notifiers_info+0x51/0x90 net/core/dev.c:1646 call_netdevice_notifiers net/core/dev.c:1662 [inline] register_netdevice+0xb92/0xea0 net/core/dev.c:7294 register_netdev+0x1a/0x30 net/core/dev.c:7377 loopback_net_init+0x76/0x160 drivers/net/loopback.c:202 ops_init+0xa9/0x3a0 net/core/net_namespace.c:111 setup_net+0x1b2/0x3e0 net/core/net_namespace.c:291 copy_net_ns+0x189/0x280 net/core/net_namespace.c:389 create_new_namespaces+0x37f/0x730 kernel/nsproxy.c:106 copy_namespaces+0x291/0x320 kernel/nsproxy.c:164 copy_process.part.51+0x1c99/0x5d40 kernel/fork.c:1667 copy_process kernel/fork.c:1491 [inline] _do_fork+0x1c0/0xd70 kernel/fork.c:1949 SYSC_clone kernel/fork.c:2059 [inline] SyS_clone+0x37/0x50 kernel/fork.c:2053 do_syscall_64+0x197/0x490 arch/x86/entry/common.c:280 return_from_SYSCALL_64+0x0/0x7a Freed: PID = 3531 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 save_stack+0x43/0xd0 mm/kasan/kasan.c:495 set_track mm/kasan/kasan.c:507 [inline] kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:571 slab_free_hook mm/slub.c:1355 [inline] slab_free_freelist_hook mm/slub.c:1377 [inline] slab_free mm/slub.c:2958 [inline] kfree+0xf0/0x2f0 mm/slub.c:3878 in6_dev_finish_destroy_rcu+0x9d/0xc0 net/ipv6/addrconf_core.c:150 __rcu_reclaim kernel/rcu/rcu.h:118 [inline] rcu_do_batch kernel/rcu/tree.c:2789 [inline] invoke_rcu_callbacks kernel/rcu/tree.c:3053 [inline] __rcu_process_callbacks kernel/rcu/tree.c:3020 [inline] rcu_process_callbacks+0x871/0x12c0 kernel/rcu/tree.c:3037 __do_softirq+0x206/0x951 kernel/softirq.c:284 Memory state around the buggy address: ffff8801a78e6780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff8801a78e6800: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff8801a78e6880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff8801a78e6900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8801a78e6980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ================================================================== ================================================================== BUG: KASAN: use-after-free in ip6_dst_ifdown+0x2f1/0x320 net/ipv6/route.c:400 at addr ffff8801a78e6880 Read of size 8 by task syz-executor3/15959 CPU: 1 PID: 15959 Comm: syz-executor3 Tainted: G B 4.9.65-gea83e4a #95 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 ffff8801cdb9f798 ffffffff81d90469 ffff8801da001140 ffff8801a78e6880 ffff8801a78e6c80 ffffed0034f1cd10 ffff8801a78e6880 ffff8801cdb9f7c0 ffffffff8153a3fc ffffed0034f1cd10 ffff8801da001140 0000000000000000 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xc1/0x128 lib/dump_stack.c:51 [] kasan_object_err+0x1c/0x70 mm/kasan/report.c:160 [] print_address_description mm/kasan/report.c:198 [inline] [] kasan_report_error mm/kasan/report.c:287 [inline] [] kasan_report.part.1+0x21c/0x500 mm/kasan/report.c:309 [] kasan_report mm/kasan/report.c:330 [inline] [] __asan_report_load8_noabort+0x29/0x30 mm/kasan/report.c:330 [] ip6_dst_ifdown+0x2f1/0x320 net/ipv6/route.c:400 [] dst_ifdown+0x75/0x230 net/core/dst.c:440 [] dst_dev_event+0xb1/0x2e0 net/core/dst.c:467 [] notifier_call_chain+0x90/0x1a0 kernel/notifier.c:93 [] __raw_notifier_call_chain kernel/notifier.c:394 [inline] [] raw_notifier_call_chain+0x2d/0x40 kernel/notifier.c:401 [] call_netdevice_notifiers_info+0x51/0x90 net/core/dev.c:1646 [] call_netdevice_notifiers net/core/dev.c:1662 [inline] [] dev_close_many+0x254/0x370 net/core/dev.c:1455 [] rollback_registered_many+0x27a/0x960 net/core/dev.c:6783 [] rollback_registered+0x81/0xb0 net/core/dev.c:6846 [] unregister_netdevice_queue+0x81/0x140 net/core/dev.c:7833 [] unregister_netdevice include/linux/netdevice.h:2458 [inline] [] __tun_detach+0xa2c/0xc20 drivers/net/tun.c:567 [] tun_detach drivers/net/tun.c:578 [inline] [] tun_chr_close+0x44/0x60 drivers/net/tun.c:2379 [] __fput+0x28c/0x6e0 fs/file_table.c:208 [] ____fput+0x15/0x20 fs/file_table.c:244 [] task_work_run+0x115/0x190 kernel/task_work.c:116 [] exit_task_work include/linux/task_work.h:21 [inline] [] do_exit+0x7e7/0x2a40 kernel/exit.c:833 [] do_group_exit+0x108/0x320 kernel/exit.c:937 [] SYSC_exit_group kernel/exit.c:948 [inline] [] SyS_exit_group+0x1d/0x20 kernel/exit.c:946 [] entry_SYSCALL_64_fastpath+0x23/0xc6 Object at ffff8801a78e6880, in cache kmalloc-1024 size: 1024 Allocated: PID = 3305 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 save_stack+0x43/0xd0 mm/kasan/kasan.c:495 set_track mm/kasan/kasan.c:507 [inline] kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598 kmem_cache_alloc_trace+0xfb/0x2a0 mm/slub.c:2742 kmalloc include/linux/slab.h:490 [inline] kzalloc include/linux/slab.h:636 [inline] ipv6_add_dev+0xbb/0x1000 net/ipv6/addrconf.c:371 addrconf_notify+0xa5e/0x2190 net/ipv6/addrconf.c:3356 notifier_call_chain+0x90/0x1a0 kernel/notifier.c:93 __raw_notifier_call_chain kernel/notifier.c:394 [inline] raw_notifier_call_chain+0x2d/0x40 kernel/notifier.c:401 call_netdevice_notifiers_info+0x51/0x90 net/core/dev.c:1646 call_netdevice_notifiers net/core/dev.c:1662 [inline] register_netdevice+0xb92/0xea0 net/core/dev.c:7294 register_netdev+0x1a/0x30 net/core/dev.c:7377 loopback_net_init+0x76/0x160 drivers/net/loopback.c:202 ops_init+0xa9/0x3a0 net/core/net_namespace.c:111 setup_net+0x1b2/0x3e0 net/core/net_namespace.c:291 copy_net_ns+0x189/0x280 net/core/net_namespace.c:389 create_new_namespaces+0x37f/0x730 kernel/nsproxy.c:106 copy_namespaces+0x291/0x320 kernel/nsproxy.c:164 copy_process.part.51+0x1c99/0x5d40 kernel/fork.c:1667 copy_process kernel/fork.c:1491 [inline] _do_fork+0x1c0/0xd70 kernel/fork.c:1949 SYSC_clone kernel/fork.c:2059 [inline] SyS_clone+0x37/0x50 kernel/fork.c:2053 do_syscall_64+0x197/0x490 arch/x86/entry/common.c:280 return_from_SYSCALL_64+0x0/0x7a Freed: PID = 3531 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 save_stack+0x43/0xd0 mm/kasan/kasan.c:495 set_track mm/kasan/kasan.c:507 [inline] kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:571 slab_free_hook mm/slub.c:1355 [inline] slab_free_freelist_hook mm/slub.c:1377 [inline] slab_free mm/slub.c:2958 [inline] kfree+0xf0/0x2f0 mm/slub.c:3878 in6_dev_finish_destroy_rcu+0x9d/0xc0 net/ipv6/addrconf_core.c:150 __rcu_reclaim kernel/rcu/rcu.h:118 [inline] rcu_do_batch kernel/rcu/tree.c:2789 [inline] invoke_rcu_callbacks kernel/rcu/tree.c:3053 [inline] __rcu_process_callbacks kernel/rcu/tree.c:3020 [inline] rcu_process_callbacks+0x871/0x12c0 kernel/rcu/tree.c:3037 __do_softirq+0x206/0x951 kernel/softirq.c:284 Memory state around the buggy address: ffff8801a78e6780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff8801a78e6800: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff8801a78e6880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff8801a78e6900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8801a78e6980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ================================================================== ================================================================== BUG: KASAN: use-after-free in ip6_dst_ifdown+0x2f1/0x320 net/ipv6/route.c:400 at addr ffff8801a78e6880 Read of size 8 by task syz-executor3/15959 CPU: 1 PID: 15959 Comm: syz-executor3 Tainted: G B 4.9.65-gea83e4a #95 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 ffff8801cdb9f940 ffffffff81d90469 ffff8801da001140 ffff8801a78e6880 ffff8801a78e6c80 ffffed0034f1cd10 ffff8801a78e6880 ffff8801cdb9f968 ffffffff8153a3fc ffffed0034f1cd10 ffff8801da001140 0000000000000000 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xc1/0x128 lib/dump_stack.c:51 [] kasan_object_err+0x1c/0x70 mm/kasan/report.c:160 [] print_address_description mm/kasan/report.c:198 [inline] [] kasan_report_error mm/kasan/report.c:287 [inline] [] kasan_report.part.1+0x21c/0x500 mm/kasan/report.c:309 [] kasan_report mm/kasan/report.c:330 [inline] [] __asan_report_load8_noabort+0x29/0x30 mm/kasan/report.c:330 [] ip6_dst_ifdown+0x2f1/0x320 net/ipv6/route.c:400 [] dst_ifdown+0x75/0x230 net/core/dst.c:440 [] dst_dev_event+0xb1/0x2e0 net/core/dst.c:467 [] notifier_call_chain+0x90/0x1a0 kernel/notifier.c:93 [] __raw_notifier_call_chain kernel/notifier.c:394 [inline] [] raw_notifier_call_chain+0x2d/0x40 kernel/notifier.c:401 [] call_netdevice_notifiers_info+0x51/0x90 net/core/dev.c:1646 [] call_netdevice_notifiers net/core/dev.c:1662 [inline] [] netdev_run_todo+0x17a/0x6b0 net/core/dev.c:7499 [] rtnl_unlock+0xe/0x10 net/core/rtnetlink.c:104 [] tun_detach drivers/net/tun.c:579 [inline] [] tun_chr_close+0x49/0x60 drivers/net/tun.c:2379 [] __fput+0x28c/0x6e0 fs/file_table.c:208 [] ____fput+0x15/0x20 fs/file_table.c:244 [] task_work_run+0x115/0x190 kernel/task_work.c:116 [] exit_task_work include/linux/task_work.h:21 [inline] [] do_exit+0x7e7/0x2a40 kernel/exit.c:833 [] do_group_exit+0x108/0x320 kernel/exit.c:937 [] SYSC_exit_group kernel/exit.c:948 [inline] [] SyS_exit_group+0x1d/0x20 kernel/exit.c:946 [] entry_SYSCALL_64_fastpath+0x23/0xc6 Object at ffff8801a78e6880, in cache kmalloc-1024 size: 1024 Allocated: PID = 3305 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 save_stack+0x43/0xd0 mm/kasan/kasan.c:495 set_track mm/kasan/kasan.c:507 [inline] kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598 kmem_cache_alloc_trace+0xfb/0x2a0 mm/slub.c:2742 kmalloc include/linux/slab.h:490 [inline] kzalloc include/linux/slab.h:636 [inline] ipv6_add_dev+0xbb/0x1000 net/ipv6/addrconf.c:371 addrconf_notify+0xa5e/0x2190 net/ipv6/addrconf.c:3356 notifier_call_chain+0x90/0x1a0 kernel/notifier.c:93 __raw_notifier_call_chain kernel/notifier.c:394 [inline] raw_notifier_call_chain+0x2d/0x40 kernel/notifier.c:401 call_netdevice_notifiers_info+0x51/0x90 net/core/dev.c:1646 call_netdevice_notifiers net/core/dev.c:1662 [inline] register_netdevice+0xb92/0xea0 net/core/dev.c:7294 register_netdev+0x1a/0x30 net/core/dev.c:7377 loopback_net_init+0x76/0x160 drivers/net/loopback.c:202 ops_init+0xa9/0x3a0 net/core/net_namespace.c:111 setup_net+0x1b2/0x3e0 net/core/net_namespace.c:291 copy_net_ns+0x189/0x280 net/core/net_namespace.c:389 create_new_namespaces+0x37f/0x730 kernel/nsproxy.c:106 copy_namespaces+0x291/0x320 kernel/nsproxy.c:164 copy_process.part.51+0x1c99/0x5d40 kernel/fork.c:1667 copy_process kernel/fork.c:1491 [inline] _do_fork+0x1c0/0xd70 kernel/fork.c:1949 SYSC_clone kernel/fork.c:2059 [inline] SyS_clone+0x37/0x50 kernel/fork.c:2053 do_syscall_64+0x197/0x490 arch/x86/entry/common.c:280 return_from_SYSCALL_64+0x0/0x7a Freed: PID = 3531 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 save_stack+0x43/0xd0 mm/kasan/kasan.c:495 set_track mm/kasan/kasan.c:507 [inline] kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:571 slab_free_hook mm/slub.c:1355 [inline] slab_free_freelist_hook mm/slub.c:1377 [inline] slab_free mm/slub.c:2958 [inline] kfree+0xf0/0x2f0 mm/slub.c:3878 in6_dev_finish_destroy_rcu+0x9d/0xc0 net/ipv6/addrconf_core.c:150 __rcu_reclaim kernel/rcu/rcu.h:118 [inline] rcu_do_batch kernel/rcu/tree.c:2789 [inline] invoke_rcu_callbacks kernel/rcu/tree.c:3053 [inline] __rcu_process_callbacks kernel/rcu/tree.c:3020 [inline] rcu_process_callbacks+0x871/0x12c0 kernel/rcu/tree.c:3037 __do_softirq+0x206/0x951 kernel/softirq.c:284 Memory state around the buggy address: ffff8801a78e6780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff8801a78e6800: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff8801a78e6880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff8801a78e6900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8801a78e6980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ================================================================== ================================================================== BUG: KASAN: use-after-free in ip6_dst_ifdown+0x2f1/0x320 net/ipv6/route.c:400 at addr ffff8801a78e6880 Read of size 8 by task syz-executor3/15959 CPU: 1 PID: 15959 Comm: syz-executor3 Tainted: G B 4.9.65-gea83e4a #95 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 ffff8801cdb9f940 ffffffff81d90469 ffff8801da001140 ffff8801a78e6880 ffff8801a78e6c80 ffffed0034f1cd10 ffff8801a78e6880 ffff8801cdb9f968 ffffffff8153a3fc ffffed0034f1cd10 ffff8801da001140 0000000000000000 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xc1/0x128 lib/dump_stack.c:51 [] kasan_object_err+0x1c/0x70 mm/kasan/report.c:160 [] print_address_description mm/kasan/report.c:198 [inline] [] kasan_report_error mm/kasan/report.c:287 [inline] [] kasan_report.part.1+0x21c/0x500 mm/kasan/report.c:309 [] kasan_report mm/kasan/report.c:330 [inline] [] __asan_report_load8_noabort+0x29/0x30 mm/kasan/report.c:330 [] ip6_dst_ifdown+0x2f1/0x320 net/ipv6/route.c:400 [] dst_ifdown+0x75/0x230 net/core/dst.c:440 [] dst_dev_event+0xb1/0x2e0 net/core/dst.c:467 [] notifier_call_chain+0x90/0x1a0 kernel/notifier.c:93 [] __raw_notifier_call_chain kernel/notifier.c:394 [inline] [] raw_notifier_call_chain+0x2d/0x40 kernel/notifier.c:401 [] call_netdevice_notifiers_info+0x51/0x90 net/core/dev.c:1646 [] call_netdevice_notifiers net/core/dev.c:1662 [inline] [] netdev_run_todo+0x17a/0x6b0 net/core/dev.c:7499 [] rtnl_unlock+0xe/0x10 net/core/rtnetlink.c:104 [] tun_detach drivers/net/tun.c:579 [inline] [] tun_chr_close+0x49/0x60 drivers/net/tun.c:2379 [] __fput+0x28c/0x6e0 fs/file_table.c:208 [] ____fput+0x15/0x20 fs/file_table.c:244 [] task_work_run+0x115/0x190 kernel/task_work.c:116 [] exit_task_work include/linux/task_work.h:21 [inline] [] do_exit+0x7e7/0x2a40 kernel/exit.c:833 [] do_group_exit+0x108/0x320 kernel/exit.c:937 [] SYSC_exit_group kernel/exit.c:948 [inline] [] SyS_exit_group+0x1d/0x20 kernel/exit.c:946 [] entry_SYSCALL_64_fastpath+0x23/0xc6 Object at ffff8801a78e6880, in cache kmalloc-1024 size: 1024 Allocated: PID = 3305 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 save_stack+0x43/0xd0 mm/kasan/kasan.c:495 set_track mm/kasan/kasan.c:507 [inline] kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598 kmem_cache_alloc_trace+0xfb/0x2a0 mm/slub.c:2742 kmalloc include/linux/slab.h:490 [inline] kzalloc include/linux/slab.h:636 [inline] ipv6_add_dev+0xbb/0x1000 net/ipv6/addrconf.c:371 addrconf_notify+0xa5e/0x2190 net/ipv6/addrconf.c:3356 notifier_call_chain+0x90/0x1a0 kernel/notifier.c:93 __raw_notifier_call_chain kernel/notifier.c:394 [inline] raw_notifier_call_chain+0x2d/0x40 kernel/notifier.c:401 call_netdevice_notifiers_info+0x51/0x90 net/core/dev.c:1646 call_netdevice_notifiers net/core/dev.c:1662 [inline] register_netdevice+0xb92/0xea0 net/core/dev.c:7294 register_netdev+0x1a/0x30 net/core/dev.c:7377 loopback_net_init+0x76/0x160 drivers/net/loopback.c:202 ops_init+0xa9/0x3a0 net/core/net_namespace.c:111 setup_net+0x1b2/0x3e0 net/core/net_namespace.c:291 copy_net_ns+0x189/0x280 net/core/net_namespace.c:389 create_new_namespaces+0x37f/0x730 kernel/nsproxy.c:106 copy_namespaces+0x291/0x320 kernel/nsproxy.c:164 copy_process.part.51+0x1c99/0x5d40 kernel/fork.c:1667 copy_process kernel/fork.c:1491 [inline] _do_fork+0x1c0/0xd70 kernel/fork.c:1949 SYSC_clone kernel/fork.c:2059 [inline] SyS_clone+0x37/0x50 kernel/fork.c:2053 do_syscall_64+0x197/0x490 arch/x86/entry/common.c:280 return_from_SYSCALL_64+0x0/0x7a Freed: PID = 3531 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 save_stack+0x43/0xd0 mm/kasan/kasan.c:495 set_track mm/kasan/kasan.c:507 [inline] kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:571 slab_free_hook mm/slub.c:1355 [inline] slab_free_freelist_hook mm/slub.c:1377 [inline] slab_free mm/slub.c:2958 [inline] kfree+0xf0/0x2f0 mm/slub.c:3878 in6_dev_finish_destroy_rcu+0x9d/0xc0 net/ipv6/addrconf_core.c:150 __rcu_reclaim kernel/rcu/rcu.h:118 [inline] rcu_do_batch kernel/rcu/tree.c:2789 [inline] invoke_rcu_callbacks kernel/rcu/tree.c:3053 [inline] __rcu_process_callbacks kernel/rcu/tree.c:3020 [inline] rcu_process_callbacks+0x871/0x12c0 kernel/rcu/tree.c:3037 __do_softirq+0x206/0x951 kernel/softirq.c:284 Memory state around the buggy address: ffff8801a78e6780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff8801a78e6800: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff8801a78e6880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff8801a78e6900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8801a78e6980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ================================================================== ================================================================== BUG: KASAN: use-after-free in ip6_dst_ifdown+0x2f1/0x320 net/ipv6/route.c:400 at addr ffff8801a78e6880 Read of size 8 by task syz-executor2/15997 CPU: 1 PID: 15997 Comm: syz-executor2 Tainted: G B 4.9.65-gea83e4a #95 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 ffff8801a8bf7698 ffffffff81d90469 ffff8801da001140 ffff8801a78e6880 ffff8801a78e6c80 ffffed0034f1cd10 ffff8801a78e6880 ffff8801a8bf76c0 ffffffff8153a3fc ffffed0034f1cd10 ffff8801da001140 0000000000000000 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xc1/0x128 lib/dump_stack.c:51 [] kasan_object_err+0x1c/0x70 mm/kasan/report.c:160 [] print_address_description mm/kasan/report.c:198 [inline] [] kasan_report_error mm/kasan/report.c:287 [inline] [] kasan_report.part.1+0x21c/0x500 mm/kasan/report.c:309 [] kasan_report mm/kasan/report.c:330 [inline] [] __asan_report_load8_noabort+0x29/0x30 mm/kasan/report.c:330 [] ip6_dst_ifdown+0x2f1/0x320 net/ipv6/route.c:400 [] dst_ifdown+0x75/0x230 net/core/dst.c:440 [] dst_dev_event+0xb1/0x2e0 net/core/dst.c:467 [] notifier_call_chain+0x90/0x1a0 kernel/notifier.c:93 [] __raw_notifier_call_chain kernel/notifier.c:394 [inline] [] raw_notifier_call_chain+0x2d/0x40 kernel/notifier.c:401 [] call_netdevice_notifiers_info+0x51/0x90 net/core/dev.c:1646 [] call_netdevice_notifiers net/core/dev.c:1662 [inline] [] netdev_run_todo+0x17a/0x6b0 net/core/dev.c:7499 [] rtnl_unlock+0xe/0x10 net/core/rtnetlink.c:104 [] tun_detach drivers/net/tun.c:579 [inline] [] tun_chr_close+0x49/0x60 drivers/net/tun.c:2379 [] __fput+0x28c/0x6e0 fs/file_table.c:208 [] ____fput+0x15/0x20 fs/file_table.c:244 [] task_work_run+0x115/0x190 kernel/task_work.c:116 [] exit_task_work include/linux/task_work.h:21 [inline] [] do_exit+0x7e7/0x2a40 kernel/exit.c:833 [] do_group_exit+0x108/0x320 kernel/exit.c:937 [] get_signal+0x4d4/0x14e0 kernel/signal.c:2315 [] do_signal+0x87/0x1a00 arch/x86/kernel/signal.c:807 [