=====================================================
BUG: KMSAN: use-after-free in fib6_nh_flush_exceptions net/ipv6/route.c:1724 [inline]
BUG: KMSAN: use-after-free in fib6_nh_release+0x304/0x6b0 net/ipv6/route.c:3505
CPU: 1 PID: 18655 Comm: syz-executor.5 Not tainted 5.5.0-rc1-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1c9/0x220 lib/dump_stack.c:118
 kmsan_report+0xf8/0x1e0 mm/kmsan/kmsan_report.c:118
 __msan_warning+0x58/0xa0 mm/kmsan/kmsan_instr.c:215
 fib6_nh_flush_exceptions net/ipv6/route.c:1724 [inline]
 fib6_nh_release+0x304/0x6b0 net/ipv6/route.c:3505
 fib6_info_destroy_rcu+0x18b/0x330 net/ipv6/ip6_fib.c:174
 __rcu_reclaim kernel/rcu/rcu.h:222 [inline]
 rcu_do_batch kernel/rcu/tree.c:2183 [inline]
 rcu_core+0xc76/0x1b10 kernel/rcu/tree.c:2408
 rcu_core_si+0xe/0x10 kernel/rcu/tree.c:2417
 __do_softirq+0x4a1/0x83a kernel/softirq.c:293
 do_softirq_own_stack+0x49/0x80 arch/x86/entry/entry_64.S:1091
 do_softirq kernel/softirq.c:338 [inline]
 __local_bh_enable_ip+0x184/0x1d0 kernel/softirq.c:190
 local_bh_enable+0x36/0x40 include/linux/bottom_half.h:32
 get_next_corpse net/netfilter/nf_conntrack_core.c:2011 [inline]
 nf_ct_iterate_cleanup+0x596/0x6f0 net/netfilter/nf_conntrack_core.c:2034
 nf_ct_iterate_cleanup_net+0x182/0x230 net/netfilter/nf_conntrack_core.c:2119
 masq_device_event+0x10c/0x180 net/netfilter/nf_nat_masquerade.c:88
 notifier_call_chain kernel/notifier.c:83 [inline]
 __raw_notifier_call_chain kernel/notifier.c:361 [inline]
 raw_notifier_call_chain+0x13d/0x240 kernel/notifier.c:368
 call_netdevice_notifiers_info net/core/dev.c:1893 [inline]
 call_netdevice_notifiers_extack net/core/dev.c:1905 [inline]
 call_netdevice_notifiers net/core/dev.c:1919 [inline]
 dev_close_many+0x660/0xad0 net/core/dev.c:1544
 rollback_registered_many+0x91b/0x28b0 net/core/dev.c:8721
 unregister_netdevice_many+0x79/0x5e0 net/core/dev.c:9907
 rtnl_delete_link net/core/rtnetlink.c:2928 [inline]
 rtnl_dellink+0xa1d/0x12a0 net/core/rtnetlink.c:2980
 rtnetlink_rcv_msg+0x115a/0x1580 net/core/rtnetlink.c:5424
 netlink_rcv_skb+0x431/0x620 net/netlink/af_netlink.c:2477
 rtnetlink_rcv+0x50/0x60 net/core/rtnetlink.c:5442
 netlink_unicast_kernel net/netlink/af_netlink.c:1302 [inline]
 netlink_unicast+0xfa0/0x1100 net/netlink/af_netlink.c:1328
 netlink_sendmsg+0x11f0/0x1480 net/netlink/af_netlink.c:1917
 sock_sendmsg_nosec net/socket.c:639 [inline]
 sock_sendmsg net/socket.c:659 [inline]
 ____sys_sendmsg+0x1362/0x13f0 net/socket.c:2330
 ___sys_sendmsg net/socket.c:2384 [inline]
 __sys_sendmsg+0x4f0/0x5e0 net/socket.c:2417
 __do_sys_sendmsg net/socket.c:2426 [inline]
 __se_sys_sendmsg+0x97/0xb0 net/socket.c:2424
 __x64_sys_sendmsg+0x4a/0x70 net/socket.c:2424
 do_syscall_64+0xb6/0x160 arch/x86/entry/common.c:296
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x45a919
Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f7158ae8c78 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 000000000045a919
RDX: 0000000000000000 RSI: 0000000020000380 RDI: 0000000000000003
RBP: 000000000075bf20 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f7158ae96d4
R13: 00000000004c92d0 R14: 00000000004e1028 R15: 00000000ffffffff

Uninit was created at:
 kmsan_save_stack_with_flags mm/kmsan/kmsan.c:144 [inline]
 kmsan_internal_poison_shadow+0x5c/0xf0 mm/kmsan/kmsan.c:127
 kmsan_slab_free+0x6e/0xb0 mm/kmsan/kmsan_hooks.c:107
 slab_free_freelist_hook mm/slub.c:1458 [inline]
 slab_free mm/slub.c:3021 [inline]
 kfree+0x8ce/0x3090 mm/slub.c:3974
 free_pipe_info+0x421/0x440 fs/pipe.c:801
 put_pipe_info fs/pipe.c:672 [inline]
 pipe_release+0x40e/0x530 fs/pipe.c:693
 __fput+0x4c9/0xba0 fs/file_table.c:280
 ____fput+0x37/0x40 fs/file_table.c:313
 task_work_run+0x22e/0x2a0 kernel/task_work.c:113
 tracehook_notify_resume include/linux/tracehook.h:188 [inline]
 exit_to_usermode_loop arch/x86/entry/common.c:164 [inline]
 prepare_exit_to_usermode+0x3cf/0x530 arch/x86/entry/common.c:195
 syscall_return_slowpath+0x90/0x610 arch/x86/entry/common.c:278
 do_syscall_64+0xdc/0x160 arch/x86/entry/common.c:306
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
=====================================================