audit: type=1400 audit(1560781149.195:9): avc: denied { dac_override } for pid=2268 comm="syz-executor.0" capability=1 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
==================================================================
BUG: KASAN: use-after-free in pneigh_get_next.isra.4+0x273/0x2b0 net/core/neighbour.c:2652
Read of size 8 at addr ffff8801c6186f00 by task syz-executor.0/2339

CPU: 1 PID: 2339 Comm: syz-executor.0 Not tainted 4.9.141+ #23
 ffff8801c619f240 ffffffff81b42e79 ffffea0007186180 ffff8801c6186f00
 0000000000000000 ffff8801c6186f00 ffff8801c6186f00 ffff8801c619f278
 ffffffff815009b8 ffff8801c6186f00 0000000000000008 0000000000000000
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [] print_address_description+0x6c/0x234 mm/kasan/report.c:256
 [] kasan_report_error mm/kasan/report.c:355 [inline]
 [] kasan_report.cold.6+0x242/0x2fe mm/kasan/report.c:412
 [] __asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:433
 [] pneigh_get_next.isra.4+0x273/0x2b0 net/core/neighbour.c:2652
 [] neigh_seq_next+0xb1/0x1e0 net/core/neighbour.c:2734
 [] seq_read+0xa0b/0x12d0 fs/seq_file.c:270
 [] proc_reg_read+0xfd/0x180 fs/proc/inode.c:203
 [] do_loop_readv_writev.part.1+0xd5/0x280 fs/read_write.c:718
 [] do_loop_readv_writev fs/read_write.c:707 [inline]
 [] do_readv_writev+0x56e/0x7b0 fs/read_write.c:873
 [] vfs_readv+0x84/0xc0 fs/read_write.c:897
 [] kernel_readv fs/splice.c:363 [inline]
 [] default_file_splice_read+0x451/0x7f0 fs/splice.c:435
 [] do_splice_to+0x10c/0x170 fs/splice.c:899
 [] splice_direct_to_actor+0x23f/0x7e0 fs/splice.c:971
 [] do_splice_direct+0x1a3/0x270 fs/splice.c:1080
 [] do_sendfile+0x4f0/0xc30 fs/read_write.c:1393
 [] C_SYSC_sendfile fs/read_write.c:1475 [inline]
 [] compat_SyS_sendfile+0x143/0x160 fs/read_write.c:1458
 [] do_syscall_32_irqs_on arch/x86/entry/common.c:328 [inline]
 [] do_fast_syscall_32+0x2f1/0xa10 arch/x86/entry/common.c:390
 [] entry_SYSENTER_compat+0x90/0xa2 arch/x86/entry/entry_64_compat.S:137

Allocated by task 2340:
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack mm/kasan/kasan.c:505 [inline]
 set_track mm/kasan/kasan.c:517 [inline]
 kasan_kmalloc.part.1+0x62/0xf0 mm/kasan/kasan.c:609
 kasan_kmalloc+0xaf/0xc0 mm/kasan/kasan.c:594
 __kmalloc+0x12f/0x310 mm/slub.c:3741
 kmalloc include/linux/slab.h:495 [inline]
 pneigh_lookup+0x17d/0x3f0 net/core/neighbour.c:594
 arp_req_set_public net/ipv4/arp.c:992 [inline]
 arp_req_set+0x443/0x570 net/ipv4/arp.c:1008
 arp_ioctl+0x32a/0x670 net/ipv4/arp.c:1203
 inet_ioctl+0x90/0x1d0 net/ipv4/af_inet.c:895
 sock_do_ioctl+0x6a/0xb0 net/socket.c:905
 compat_sock_ioctl_trans net/socket.c:3199 [inline]
 compat_sock_ioctl+0x95a/0x1310 net/socket.c:3224
 C_SYSC_ioctl fs/compat_ioctl.c:1602 [inline]
 compat_SyS_ioctl+0x12d/0x1fd0 fs/compat_ioctl.c:1549
 do_syscall_32_irqs_on arch/x86/entry/common.c:328 [inline]
 do_fast_syscall_32+0x2f1/0xa10 arch/x86/entry/common.c:390
 entry_SYSENTER_compat+0x90/0xa2 arch/x86/entry/entry_64_compat.S:137

Freed by task 2337:
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack mm/kasan/kasan.c:505 [inline]
 set_track mm/kasan/kasan.c:517 [inline]
 kasan_slab_free+0xac/0x190 mm/kasan/kasan.c:582
 slab_free_hook mm/slub.c:1355 [inline]
 slab_free_freelist_hook mm/slub.c:1377 [inline]
 slab_free mm/slub.c:2958 [inline]
 kfree+0xfb/0x310 mm/slub.c:3878
 pneigh_ifdown_and_unlock net/core/neighbour.c:674 [inline]
 neigh_ifdown+0x1da/0x2a0 net/core/neighbour.c:258
 arp_ifdown+0x1c/0x20 net/ipv4/arp.c:1249
 inetdev_destroy net/ipv4/devinet.c:306 [inline]
 inetdev_event+0x6f2/0x10b0 net/ipv4/devinet.c:1480
 notifier_call_chain+0xb4/0x1d0 kernel/notifier.c:93
 __raw_notifier_call_chain kernel/notifier.c:394 [inline]
 raw_notifier_call_chain+0x2d/0x40 kernel/notifier.c:401
 call_netdevice_notifiers_info+0x55/0x70 net/core/dev.c:1647
 call_netdevice_notifiers net/core/dev.c:1663 [inline]
 rollback_registered_many+0x6e5/0xb50 net/core/dev.c:6860
 rollback_registered+0xee/0x1b0 net/core/dev.c:6901
 unregister_netdevice_queue+0x1aa/0x230 net/core/dev.c:7888
 unregister_netdevice include/linux/netdevice.h:2465 [inline]
 __tun_detach+0x821/0xa00 drivers/net/tun.c:575
 tun_detach drivers/net/tun.c:585 [inline]
 tun_chr_close+0x44/0x60 drivers/net/tun.c:2392
 __fput+0x263/0x700 fs/file_table.c:208
 ____fput+0x15/0x20 fs/file_table.c:244
 task_work_run+0x10c/0x180 kernel/task_work.c:116
 tracehook_notify_resume include/linux/tracehook.h:191 [inline]
 exit_to_usermode_loop+0x129/0x150 arch/x86/entry/common.c:162
 prepare_exit_to_usermode arch/x86/entry/common.c:194 [inline]
 syscall_return_slowpath arch/x86/entry/common.c:263 [inline]
 do_syscall_32_irqs_on arch/x86/entry/common.c:334 [inline]
 do_fast_syscall_32+0x6dc/0xa10 arch/x86/entry/common.c:390
 entry_SYSENTER_compat+0x90/0xa2 arch/x86/entry/entry_64_compat.S:137

The buggy address belongs to the object at ffff8801c6186f00
 which belongs to the cache kmalloc-64 of size 64
The buggy address is located 0 bytes inside of
 64-byte region [ffff8801c6186f00, ffff8801c6186f40)
The buggy address belongs to the page:
page:ffffea0007186180 count:1 mapcount:0 mapping:          (null) index:0x0
flags: 0x4000000000000080(slab)
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8801c6186e00: fb fb fb fb fc fc fc fc fb fb fb fb fb fb fb fb
 ffff8801c6186e80: fc fc fc fc fb fb fb fb fb fb fb fb fc fc fc fc
>ffff8801c6186f00: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
                   ^
 ffff8801c6186f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff8801c6187000: fb fb fb fb fb fb fb fc fc fc fc fb fb fb fb fb
==================================================================