binder: 6503:6538 ioctl 80605414 2011e000 returned -22 ================================================================== BUG: KASAN: use-after-free in ip6_dst_ifdown+0x2f1/0x320 net/ipv6/route.c:400 at addr ffff8801a9c27600 Read of size 8 by task syz-executor1/6528 CPU: 1 PID: 6528 Comm: syz-executor1 Not tainted 4.9.64-gfbb7468 #94 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 ffff8801d98774f0 ffffffff81d90429 ffff8801da001140 ffff8801a9c27600 ffff8801a9c27a00 ffffed0035384ec0 ffff8801a9c27600 ffff8801d9877518 ffffffff8153a3ac ffffed0035384ec0 ffff8801da001140 0000000000000000 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xc1/0x128 lib/dump_stack.c:51 [] kasan_object_err+0x1c/0x70 mm/kasan/report.c:160 [] print_address_description mm/kasan/report.c:198 [inline] [] kasan_report_error mm/kasan/report.c:287 [inline] [] kasan_report.part.1+0x21c/0x500 mm/kasan/report.c:309 [] kasan_report mm/kasan/report.c:330 [inline] [] __asan_report_load8_noabort+0x29/0x30 mm/kasan/report.c:330 [] ip6_dst_ifdown+0x2f1/0x320 net/ipv6/route.c:400 [] dst_ifdown+0x75/0x230 net/core/dst.c:440 [] dst_dev_event+0xb1/0x2e0 net/core/dst.c:467 [] notifier_call_chain+0x90/0x1a0 kernel/notifier.c:93 [] __raw_notifier_call_chain kernel/notifier.c:394 [inline] [] raw_notifier_call_chain+0x2d/0x40 kernel/notifier.c:401 [] call_netdevice_notifiers_info+0x51/0x90 net/core/dev.c:1646 [] call_netdevice_notifiers net/core/dev.c:1662 [inline] [] dev_close_many+0x254/0x370 net/core/dev.c:1455 [] rollback_registered_many+0x27a/0x960 net/core/dev.c:6783 [] rollback_registered+0x81/0xb0 net/core/dev.c:6846 [] unregister_netdevice_queue+0x81/0x140 net/core/dev.c:7833 [] unregister_netdevice include/linux/netdevice.h:2458 [inline] [] __tun_detach+0xa2c/0xc20 drivers/net/tun.c:567 [] tun_detach drivers/net/tun.c:578 [inline] [] tun_chr_close+0x44/0x60 drivers/net/tun.c:2379 [] __fput+0x28c/0x6e0 fs/file_table.c:208 [] ____fput+0x15/0x20 fs/file_table.c:244 [] task_work_run+0x115/0x190 kernel/task_work.c:116 [] exit_task_work include/linux/task_work.h:21 [inline] [] do_exit+0x7e7/0x2a40 kernel/exit.c:833 [] do_group_exit+0x108/0x320 kernel/exit.c:937 [] get_signal+0x4d4/0x14e0 kernel/signal.c:2315 [] do_signal+0x87/0x1a00 arch/x86/kernel/signal.c:807 [] exit_to_usermode_loop+0xe1/0x120 arch/x86/entry/common.c:156 [] prepare_exit_to_usermode arch/x86/entry/common.c:190 [inline] [] syscall_return_slowpath+0x1a0/0x1e0 arch/x86/entry/common.c:259 [] entry_SYSCALL_64_fastpath+0xc4/0xc6 Object at ffff8801a9c27600, in cache kmalloc-1024 size: 1024 Allocated: PID = 3298 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 save_stack+0x43/0xd0 mm/kasan/kasan.c:495 set_track mm/kasan/kasan.c:507 [inline] kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598 kmem_cache_alloc_trace+0xfb/0x2a0 mm/slub.c:2742 kmalloc include/linux/slab.h:490 [inline] kzalloc include/linux/slab.h:636 [inline] ipv6_add_dev+0xbb/0x1000 net/ipv6/addrconf.c:371 addrconf_notify+0xa5e/0x2190 net/ipv6/addrconf.c:3356 notifier_call_chain+0x90/0x1a0 kernel/notifier.c:93 __raw_notifier_call_chain kernel/notifier.c:394 [inline] raw_notifier_call_chain+0x2d/0x40 kernel/notifier.c:401 call_netdevice_notifiers_info+0x51/0x90 net/core/dev.c:1646 call_netdevice_notifiers net/core/dev.c:1662 [inline] register_netdevice+0xb92/0xea0 net/core/dev.c:7294 register_netdev+0x1a/0x30 net/core/dev.c:7377 loopback_net_init+0x76/0x160 drivers/net/loopback.c:202 ops_init+0xa9/0x3a0 net/core/net_namespace.c:111 setup_net+0x1b2/0x3e0 net/core/net_namespace.c:291 copy_net_ns+0x189/0x280 net/core/net_namespace.c:389 create_new_namespaces+0x37f/0x730 kernel/nsproxy.c:106 copy_namespaces+0x291/0x320 kernel/nsproxy.c:164 copy_process.part.51+0x1c99/0x5d40 kernel/fork.c:1667 copy_process kernel/fork.c:1491 [inline] _do_fork+0x1c0/0xd70 kernel/fork.c:1949 SYSC_clone kernel/fork.c:2059 [inline] SyS_clone+0x37/0x50 kernel/fork.c:2053 do_syscall_64+0x197/0x490 arch/x86/entry/common.c:280 return_from_SYSCALL_64+0x0/0x7a Freed: PID = 3 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 save_stack+0x43/0xd0 mm/kasan/kasan.c:495 set_track mm/kasan/kasan.c:507 [inline] kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:571 slab_free_hook mm/slub.c:1355 [inline] slab_free_freelist_hook mm/slub.c:1377 [inline] slab_free mm/slub.c:2958 [inline] kfree+0xf0/0x2f0 mm/slub.c:3878 in6_dev_finish_destroy_rcu+0x9d/0xc0 net/ipv6/addrconf_core.c:150 __rcu_reclaim kernel/rcu/rcu.h:118 [inline] rcu_do_batch kernel/rcu/tree.c:2789 [inline] invoke_rcu_callbacks kernel/rcu/tree.c:3053 [inline] __rcu_process_callbacks kernel/rcu/tree.c:3020 [inline] rcu_process_callbacks+0x871/0x12c0 kernel/rcu/tree.c:3037 __do_softirq+0x206/0x951 kernel/softirq.c:284 Memory state around the buggy address: ffff8801a9c27500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8801a9c27580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff8801a9c27600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff8801a9c27680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8801a9c27700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ================================================================== ================================================================== BUG: KASAN: use-after-free in ip6_dst_ifdown+0x2f1/0x320 net/ipv6/route.c:400 at addr ffff8801a9c27600 Read of size 8 by task syz-executor1/6528 CPU: 1 PID: 6528 Comm: syz-executor1 Tainted: G B 4.9.64-gfbb7468 #94 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 ffff8801d98774f0 ffffffff81d90429 ffff8801da001140 ffff8801a9c27600 ffff8801a9c27a00 ffffed0035384ec0 ffff8801a9c27600 ffff8801d9877518 ffffffff8153a3ac ffffed0035384ec0 ffff8801da001140 0000000000000000 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xc1/0x128 lib/dump_stack.c:51 [] kasan_object_err+0x1c/0x70 mm/kasan/report.c:160 [] print_address_description mm/kasan/report.c:198 [inline] [] kasan_report_error mm/kasan/report.c:287 [inline] [] kasan_report.part.1+0x21c/0x500 mm/kasan/report.c:309 [] kasan_report mm/kasan/report.c:330 [inline] [] __asan_report_load8_noabort+0x29/0x30 mm/kasan/report.c:330 [] ip6_dst_ifdown+0x2f1/0x320 net/ipv6/route.c:400 [] dst_ifdown+0x75/0x230 net/core/dst.c:440 [] dst_dev_event+0xb1/0x2e0 net/core/dst.c:467 [] notifier_call_chain+0x90/0x1a0 kernel/notifier.c:93 [] __raw_notifier_call_chain kernel/notifier.c:394 [inline] [] raw_notifier_call_chain+0x2d/0x40 kernel/notifier.c:401 [] call_netdevice_notifiers_info+0x51/0x90 net/core/dev.c:1646 [] call_netdevice_notifiers net/core/dev.c:1662 [inline] [] dev_close_many+0x254/0x370 net/core/dev.c:1455 [] rollback_registered_many+0x27a/0x960 net/core/dev.c:6783 [] rollback_registered+0x81/0xb0 net/core/dev.c:6846 [] unregister_netdevice_queue+0x81/0x140 net/core/dev.c:7833 [] unregister_netdevice include/linux/netdevice.h:2458 [inline] [] __tun_detach+0xa2c/0xc20 drivers/net/tun.c:567 [] tun_detach drivers/net/tun.c:578 [inline] [] tun_chr_close+0x44/0x60 drivers/net/tun.c:2379 [] __fput+0x28c/0x6e0 fs/file_table.c:208 [] ____fput+0x15/0x20 fs/file_table.c:244 [] task_work_run+0x115/0x190 kernel/task_work.c:116 [] exit_task_work include/linux/task_work.h:21 [inline] [] do_exit+0x7e7/0x2a40 kernel/exit.c:833 [] do_group_exit+0x108/0x320 kernel/exit.c:937 [] get_signal+0x4d4/0x14e0 kernel/signal.c:2315 [] do_signal+0x87/0x1a00 arch/x86/kernel/signal.c:807 [] exit_to_usermode_loop+0xe1/0x120 arch/x86/entry/common.c:156 [] prepare_exit_to_usermode arch/x86/entry/common.c:190 [inline] [] syscall_return_slowpath+0x1a0/0x1e0 arch/x86/entry/common.c:259 [] entry_SYSCALL_64_fastpath+0xc4/0xc6 Object at ffff8801a9c27600, in cache kmalloc-1024 size: 1024 Allocated: PID = 3298 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 save_stack+0x43/0xd0 mm/kasan/kasan.c:495 set_track mm/kasan/kasan.c:507 [inline] kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598 kmem_cache_alloc_trace+0xfb/0x2a0 mm/slub.c:2742 kmalloc include/linux/slab.h:490 [inline] kzalloc include/linux/slab.h:636 [inline] ipv6_add_dev+0xbb/0x1000 net/ipv6/addrconf.c:371 addrconf_notify+0xa5e/0x2190 net/ipv6/addrconf.c:3356 notifier_call_chain+0x90/0x1a0 kernel/notifier.c:93 __raw_notifier_call_chain kernel/notifier.c:394 [inline] raw_notifier_call_chain+0x2d/0x40 kernel/notifier.c:401 call_netdevice_notifiers_info+0x51/0x90 net/core/dev.c:1646 call_netdevice_notifiers net/core/dev.c:1662 [inline] register_netdevice+0xb92/0xea0 net/core/dev.c:7294 register_netdev+0x1a/0x30 net/core/dev.c:7377 loopback_net_init+0x76/0x160 drivers/net/loopback.c:202 ops_init+0xa9/0x3a0 net/core/net_namespace.c:111 setup_net+0x1b2/0x3e0 net/core/net_namespace.c:291 copy_net_ns+0x189/0x280 net/core/net_namespace.c:389 create_new_namespaces+0x37f/0x730 kernel/nsproxy.c:106 copy_namespaces+0x291/0x320 kernel/nsproxy.c:164 copy_process.part.51+0x1c99/0x5d40 kernel/fork.c:1667 copy_process kernel/fork.c:1491 [inline] _do_fork+0x1c0/0xd70 kernel/fork.c:1949 SYSC_clone kernel/fork.c:2059 [inline] SyS_clone+0x37/0x50 kernel/fork.c:2053 do_syscall_64+0x197/0x490 arch/x86/entry/common.c:280 return_from_SYSCALL_64+0x0/0x7a Freed: PID = 3 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 save_stack+0x43/0xd0 mm/kasan/kasan.c:495 set_track mm/kasan/kasan.c:507 [inline] kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:571 slab_free_hook mm/slub.c:1355 [inline] slab_free_freelist_hook mm/slub.c:1377 [inline] slab_free mm/slub.c:2958 [inline] kfree+0xf0/0x2f0 mm/slub.c:3878 in6_dev_finish_destroy_rcu+0x9d/0xc0 net/ipv6/addrconf_core.c:150 __rcu_reclaim kernel/rcu/rcu.h:118 [inline] rcu_do_batch kernel/rcu/tree.c:2789 [inline] invoke_rcu_callbacks kernel/rcu/tree.c:3053 [inline] __rcu_process_callbacks kernel/rcu/tree.c:3020 [inline] rcu_process_callbacks+0x871/0x12c0 kernel/rcu/tree.c:3037 __do_softirq+0x206/0x951 kernel/softirq.c:284 Memory state around the buggy address: ffff8801a9c27500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8801a9c27580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff8801a9c27600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff8801a9c27680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8801a9c27700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ================================================================== nla_parse: 4 callbacks suppressed netlink: 5 bytes leftover after parsing attributes in process `syz-executor6'. binder: 6574:6575 ioctl 5402 20eae000 returned -22 binder: 6574:6575 ioctl 80082407 20400ff8 returned -22 binder: 6574:6575 ioctl c0505405 20757000 returned -22 binder: 6574:6575 ioctl 80605414 2011e000 returned -22 binder: 6574:6575 ioctl 5402 20eae000 returned -22 binder: 6574:6595 ioctl 80082407 20400ff8 returned -22 binder: 6574:6595 ioctl c0505405 20757000 returned -22 binder: 6574:6595 ioctl 80605414 2011e000 returned -22 ================================================================== BUG: KASAN: use-after-free in ip6_dst_ifdown+0x2f1/0x320 net/ipv6/route.c:400 at addr ffff8801a9c27600 Read of size 8 by task syz-executor1/6528 CPU: 1 PID: 6528 Comm: syz-executor1 Tainted: G B 4.9.64-gfbb7468 #94 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 ffff8801d9877698 ffffffff81d90429 ffff8801da001140 ffff8801a9c27600 ffff8801a9c27a00 ffffed0035384ec0 ffff8801a9c27600 ffff8801d98776c0 ffffffff8153a3ac ffffed0035384ec0 ffff8801da001140 0000000000000000 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xc1/0x128 lib/dump_stack.c:51 [] kasan_object_err+0x1c/0x70 mm/kasan/report.c:160 [] print_address_description mm/kasan/report.c:198 [inline] [] kasan_report_error mm/kasan/report.c:287 [inline] [] kasan_report.part.1+0x21c/0x500 mm/kasan/report.c:309 [] kasan_report mm/kasan/report.c:330 [inline] [] __asan_report_load8_noabort+0x29/0x30 mm/kasan/report.c:330 [] ip6_dst_ifdown+0x2f1/0x320 net/ipv6/route.c:400 [] dst_ifdown+0x75/0x230 net/core/dst.c:440 [] dst_dev_event+0xb1/0x2e0 net/core/dst.c:467 [] notifier_call_chain+0x90/0x1a0 kernel/notifier.c:93 [] __raw_notifier_call_chain kernel/notifier.c:394 [inline] [] raw_notifier_call_chain+0x2d/0x40 kernel/notifier.c:401 [] call_netdevice_notifiers_info+0x51/0x90 net/core/dev.c:1646 [] call_netdevice_notifiers net/core/dev.c:1662 [inline] [] netdev_run_todo+0x17a/0x6b0 net/core/dev.c:7499 [] rtnl_unlock+0xe/0x10 net/core/rtnetlink.c:104 [] tun_detach drivers/net/tun.c:579 [inline] [] tun_chr_close+0x49/0x60 drivers/net/tun.c:2379 [] __fput+0x28c/0x6e0 fs/file_table.c:208 [] ____fput+0x15/0x20 fs/file_table.c:244 [] task_work_run+0x115/0x190 kernel/task_work.c:116 [] exit_task_work include/linux/task_work.h:21 [inline] [] do_exit+0x7e7/0x2a40 kernel/exit.c:833 [] do_group_exit+0x108/0x320 kernel/exit.c:937 [] get_signal+0x4d4/0x14e0 kernel/signal.c:2315 [] do_signal+0x87/0x1a00 arch/x86/kernel/signal.c:807 [] exit_to_usermode_loop+0xe1/0x120 arch/x86/entry/common.c:156 [] prepare_exit_to_usermode arch/x86/entry/common.c:190 [inline] [] syscall_return_slowpath+0x1a0/0x1e0 arch/x86/entry/common.c:259 [] entry_SYSCALL_64_fastpath+0xc4/0xc6 Object at ffff8801a9c27600, in cache kmalloc-1024 size: 1024 Allocated: PID = 3298 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 save_stack+0x43/0xd0 mm/kasan/kasan.c:495 set_track mm/kasan/kasan.c:507 [inline] kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598 kmem_cache_alloc_trace+0xfb/0x2a0 mm/slub.c:2742 kmalloc include/linux/slab.h:490 [inline] kzalloc include/linux/slab.h:636 [inline] ipv6_add_dev+0xbb/0x1000 net/ipv6/addrconf.c:371 addrconf_notify+0xa5e/0x2190 net/ipv6/addrconf.c:3356 notifier_call_chain+0x90/0x1a0 kernel/notifier.c:93 __raw_notifier_call_chain kernel/notifier.c:394 [inline] raw_notifier_call_chain+0x2d/0x40 kernel/notifier.c:401 call_netdevice_notifiers_info+0x51/0x90 net/core/dev.c:1646 call_netdevice_notifiers net/core/dev.c:1662 [inline] register_netdevice+0xb92/0xea0 net/core/dev.c:7294 register_netdev+0x1a/0x30 net/core/dev.c:7377 loopback_net_init+0x76/0x160 drivers/net/loopback.c:202 ops_init+0xa9/0x3a0 net/core/net_namespace.c:111 setup_net+0x1b2/0x3e0 net/core/net_namespace.c:291 copy_net_ns+0x189/0x280 net/core/net_namespace.c:389 create_new_namespaces+0x37f/0x730 kernel/nsproxy.c:106 copy_namespaces+0x291/0x320 kernel/nsproxy.c:164 copy_process.part.51+0x1c99/0x5d40 kernel/fork.c:1667 copy_process kernel/fork.c:1491 [inline] _do_fork+0x1c0/0xd70 kernel/fork.c:1949 SYSC_clone kernel/fork.c:2059 [inline] SyS_clone+0x37/0x50 kernel/fork.c:2053 do_syscall_64+0x197/0x490 arch/x86/entry/common.c:280 return_from_SYSCALL_64+0x0/0x7a Freed: PID = 3 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 save_stack+0x43/0xd0 mm/kasan/kasan.c:495 set_track mm/kasan/kasan.c:507 [inline] kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:571 slab_free_hook mm/slub.c:1355 [inline] slab_free_freelist_hook mm/slub.c:1377 [inline] slab_free mm/slub.c:2958 [inline] kfree+0xf0/0x2f0 mm/slub.c:3878 in6_dev_finish_destroy_rcu+0x9d/0xc0 net/ipv6/addrconf_core.c:150 __rcu_reclaim kernel/rcu/rcu.h:118 [inline] rcu_do_batch kernel/rcu/tree.c:2789 [inline] invoke_rcu_callbacks kernel/rcu/tree.c:3053 [inline] __rcu_process_callbacks kernel/rcu/tree.c:3020 [inline] rcu_process_callbacks+0x871/0x12c0 kernel/rcu/tree.c:3037 __do_softirq+0x206/0x951 kernel/softirq.c:284 Memory state around the buggy address: ffff8801a9c27500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8801a9c27580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff8801a9c27600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff8801a9c27680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8801a9c27700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ================================================================== ================================================================== BUG: KASAN: use-after-free in ip6_dst_ifdown+0x2f1/0x320 net/ipv6/route.c:400 at addr ffff8801a9c27600 Read of size 8 by task syz-executor1/6528 CPU: 1 PID: 6528 Comm: syz-executor1 Tainted: G B 4.9.64-gfbb7468 #94 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 ffff8801d9877698 ffffffff81d90429 ffff8801da001140 ffff8801a9c27600 ffff8801a9c27a00 ffffed0035384ec0 ffff8801a9c27600 ffff8801d98776c0 ffffffff8153a3ac ffffed0035384ec0 ffff8801da001140 0000000000000000 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xc1/0x128 lib/dump_stack.c:51 [] kasan_object_err+0x1c/0x70 mm/kasan/report.c:160 [] print_address_description mm/kasan/report.c:198 [inline] [] kasan_report_error mm/kasan/report.c:287 [inline] [] kasan_report.part.1+0x21c/0x500 mm/kasan/report.c:309 [] kasan_report mm/kasan/report.c:330 [inline] [] __asan_report_load8_noabort+0x29/0x30 mm/kasan/report.c:330 [] ip6_dst_ifdown+0x2f1/0x320 net/ipv6/route.c:400 [] dst_ifdown+0x75/0x230 net/core/dst.c:440 [] dst_dev_event+0xb1/0x2e0 net/core/dst.c:467 [] notifier_call_chain+0x90/0x1a0 kernel/notifier.c:93 [] __raw_notifier_call_chain kernel/notifier.c:394 [inline] [] raw_notifier_call_chain+0x2d/0x40 kernel/notifier.c:401 [] call_netdevice_notifiers_info+0x51/0x90 net/core/dev.c:1646 [] call_netdevice_notifiers net/core/dev.c:1662 [inline] [] netdev_run_todo+0x17a/0x6b0 net/core/dev.c:7499 [] rtnl_unlock+0xe/0x10 net/core/rtnetlink.c:104 [] tun_detach drivers/net/tun.c:579 [inline] [] tun_chr_close+0x49/0x60 drivers/net/tun.c:2379 [] __fput+0x28c/0x6e0 fs/file_table.c:208 [] ____fput+0x15/0x20 fs/file_table.c:244 [] task_work_run+0x115/0x190 kernel/task_work.c:116 [] exit_task_work include/linux/task_work.h:21 [inline] [] do_exit+0x7e7/0x2a40 kernel/exit.c:833 [] do_group_exit+0x108/0x320 kernel/exit.c:937 [] get_signal+0x4d4/0x14e0 kernel/signal.c:2315 [] do_signal+0x87/0x1a00 arch/x86/kernel/signal.c:807 [] exit_to_usermode_loop+0xe1/0x120 arch/x86/entry/common.c:156 [] prepare_exit_to_usermode arch/x86/entry/common.c:190 [inline] [] syscall_return_slowpath+0x1a0/0x1e0 arch/x86/entry/common.c:259 [] entry_SYSCALL_64_fastpath+0xc4/0xc6 Object at ffff8801a9c27600, in cache kmalloc-1024 size: 1024 Allocated: PID = 3298 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 save_stack+0x43/0xd0 mm/kasan/kasan.c:495 set_track mm/kasan/kasan.c:507 [inline] kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598 kmem_cache_alloc_trace+0xfb/0x2a0 mm/slub.c:2742 kmalloc include/linux/slab.h:490 [inline] kzalloc include/linux/slab.h:636 [inline] ipv6_add_dev+0xbb/0x1000 net/ipv6/addrconf.c:371 addrconf_notify+0xa5e/0x2190 net/ipv6/addrconf.c:3356 notifier_call_chain+0x90/0x1a0 kernel/notifier.c:93 __raw_notifier_call_chain kernel/notifier.c:394 [inline] raw_notifier_call_chain+0x2d/0x40 kernel/notifier.c:401 call_netdevice_notifiers_info+0x51/0x90 net/core/dev.c:1646 call_netdevice_notifiers net/core/dev.c:1662 [inline] register_netdevice+0xb92/0xea0 net/core/dev.c:7294 register_netdev+0x1a/0x30 net/core/dev.c:7377 loopback_net_init+0x76/0x160 drivers/net/loopback.c:202 ops_init+0xa9/0x3a0 net/core/net_namespace.c:111 setup_net+0x1b2/0x3e0 net/core/net_namespace.c:291 copy_net_ns+0x189/0x280 net/core/net_namespace.c:389 create_new_namespaces+0x37f/0x730 kernel/nsproxy.c:106 copy_namespaces+0x291/0x320 kernel/nsproxy.c:164 copy_process.part.51+0x1c99/0x5d40 kernel/fork.c:1667 copy_process kernel/fork.c:1491 [inline] _do_fork+0x1c0/0xd70 kernel/fork.c:1949 SYSC_clone kernel/fork.c:2059 [inline] SyS_clone+0x37/0x50 kernel/fork.c:2053 do_syscall_64+0x197/0x490 arch/x86/entry/common.c:280 return_from_SYSCALL_64+0x0/0x7a Freed: PID = 3 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 save_stack+0x43/0xd0 mm/kasan/kasan.c:495 set_track mm/kasan/kasan.c:507 [inline] kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:571 slab_free_hook mm/slub.c:1355 [inline] slab_free_freelist_hook mm/slub.c:1377 [inline] slab_free mm/slub.c:2958 [inline] kfree+0xf0/0x2f0 mm/slub.c:3878 in6_dev_finish_destroy_rcu+0x9d/0xc0 net/ipv6/addrconf_core.c:150 __rcu_reclaim kernel/rcu/rcu.h:118 [inline] rcu_do_batch kernel/rcu/tree.c:2789 [inline] invoke_rcu_callbacks kernel/rcu/tree.c:3053 [inline] __rcu_process_callbacks kernel/rcu/tree.c:3020 [inline] rcu_process_callbacks+0x871/0x12c0 kernel/rcu/tree.c:3037 __do_softirq+0x206/0x951 kernel/softirq.c:284 Memory state around the buggy address: ffff8801a9c27500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8801a9c27580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff8801a9c27600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff8801a9c27680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8801a9c27700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ================================================================== ================================================================== BUG: KASAN: use-after-free in ip6_dst_ifdown+0x2f1/0x320 net/ipv6/route.c:400 at addr ffff8801a9c27600 Read of size 8 by task syz-executor7/6550 CPU: 1 PID: 6550 Comm: syz-executor7 Tainted: G B 4.9.64-gfbb7468 #94 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 ffff8801ca2c7698 ffffffff81d90429 ffff8801da001140 ffff8801a9c27600 ffff8801a9c27a00 ffffed0035384ec0 ffff8801a9c27600 ffff8801ca2c76c0 ffffffff8153a3ac ffffed0035384ec0 ffff8801da001140 0000000000000000 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xc1/0x128 lib/dump_stack.c:51 [] kasan_object_err+0x1c/0x70 mm/kasan/report.c:160 [] print_address_description mm/kasan/report.c:198 [inline] [] kasan_report_error mm/kasan/report.c:287 [inline] [] kasan_report.part.1+0x21c/0x500 mm/kasan/report.c:309 [] kasan_report mm/kasan/report.c:330 [inline] [] __asan_report_load8_noabort+0x29/0x30 mm/kasan/report.c:330 [] ip6_dst_ifdown+0x2f1/0x320 net/ipv6/route.c:400 [] dst_ifdown+0x75/0x230 net/core/dst.c:440 [] dst_dev_event+0xb1/0x2e0 net/core/dst.c:467 [] notifier_call_chain+0x90/0x1a0 kernel/notifier.c:93 [] __raw_notifier_call_chain kernel/notifier.c:394 [inline] [] raw_notifier_call_chain+0x2d/0x40 kernel/notifier.c:401 [] call_netdevice_notifiers_info+0x51/0x90 net/core/dev.c:1646 [] call_netdevice_notifiers net/core/dev.c:1662 [inline] [] netdev_run_todo+0x17a/0x6b0 net/core/dev.c:7499 [] rtnl_unlock+0xe/0x10 net/core/rtnetlink.c:104 [] tun_detach drivers/net/tun.c:579 [inline] [] tun_chr_close+0x49/0x60 drivers/net/tun.c:2379 [] __fput+0x28c/0x6e0 fs/file_table.c:208 [] ____fput+0x15/0x20 fs/file_table.c:244 [] task_work_run+0x115/0x190 kernel/task_work.c:116 [] exit_task_work include/linux/task_work.h:21 [inline] [] do_exit+0x7e7/0x2a40 kernel/exit.c:833 [] do_group_exit+0x108/0x320 kernel/exit.c:937 [] get_signal+0x4d4/0x14e0 kernel/signal.c:2315 [] do_signal+0x87/0x1a00 arch/x86/kernel/signal.c:807 [] exit_to_usermode_loop+0xe1/0x120 arch/x86/entry/common.c:156 [] prepare_exit_to_usermode arch/x86/entry/common.c:190 [inline] [] syscall_return_slowpath+0x1a0/0x1e0 arch/x86/entry/common.c:259 [] entry_SYSCALL_64_fastpath+0xc4/0xc6 Object at ffff8801a9c27600, in cache kmalloc-1024 size: 1024 Allocated: PID = 3298 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 save_stack+0x43/0xd0 mm/kasan/kasan.c:495 set_track mm/kasan/kasan.c:507 [inline] kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598 kmem_cache_alloc_trace+0xfb/0x2a0 mm/slub.c:2742 kmalloc include/linux/slab.h:490 [inline] kzalloc include/linux/slab.h:636 [inline] ipv6_add_dev+0xbb/0x1000 net/ipv6/addrconf.c:371 addrconf_notify+0xa5e/0x2190 net/ipv6/addrconf.c:3356 notifier_call_chain+0x90/0x1a0 kernel/notifier.c:93 __raw_notifier_call_chain kernel/notifier.c:394 [inline] raw_notifier_call_chain+0x2d/0x40 kernel/notifier.c:401 call_netdevice_notifiers_info+0x51/0x90 net/core/dev.c:1646 call_netdevice_notifiers net/core/dev.c:1662 [inline] register_netdevice+0xb92/0xea0 net/core/dev.c:7294 register_netdev+0x1a/0x30 net/core/dev.c:7377 loopback_net_init+0x76/0x160 drivers/net/loopback.c:202 ops_init+0xa9/0x3a0 net/core/net_namespace.c:111 setup_net+0x1b2/0x3e0 net/core/net_namespace.c:291 copy_net_ns+0x189/0x280 net/core/net_namespace.c:389 create_new_namespaces+0x37f/0x730 kernel/nsproxy.c:106 copy_namespaces+0x291/0x320 kernel/nsproxy.c:164 copy_process.part.51+0x1c99/0x5d40 kernel/fork.c:1667 copy_process kernel/fork.c:1491 [inline] _do_fork+0x1c0/0xd70 kernel/fork.c:1949 SYSC_clone kernel/fork.c:2059 [inline] SyS_clone+0x37/0x50 kernel/fork.c:2053 do_syscall_64+0x197/0x490 arch/x86/entry/common.c:280 return_from_SYSCALL_64+0x0/0x7a Freed: PID = 3 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 save_stack+0x43/0xd0 mm/kasan/kasan.c:495 set_track mm/kasan/kasan.c:507 [inline] kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:571 slab_free_hook mm/slub.c:1355 [inline] slab_free_freelist_hook mm/slub.c:1377 [inline] slab_free mm/slub.c:2958 [inline] kfree+0xf0/0x2f0 mm/slub.c:3878 in6_dev_finish_destroy_rcu+0x9d/0xc0 net/ipv6/addrconf_core.c:150 __rcu_reclaim kernel/rcu/rcu.h:118 [inline] rcu_do_batch kernel/rcu/tree.c:2789 [inline] invoke_rcu_callbacks kernel/rcu/tree.c:3053 [inline] __rcu_process_callbacks kernel/rcu/tree.c:3020 [inline] rcu_process_callbacks+0x871/0x12c0 kernel/rcu/tree.c:3037 __do_softirq+0x206/0x951 kernel/softirq.c:284 Memory state around the buggy address: ffff8801a9c27500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8801a9c27580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff8801a9c27600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff8801a9c27680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8801a9c27700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ================================================================== ================================================================== BUG: KASAN: use-after-free in ip6_dst_ifdown+0x2f1/0x320 net/ipv6/route.c:400 at addr ffff8801a9c27600 Read of size 8 by task syz-executor7/6550 CPU: 1 PID: 6550 Comm: syz-executor7 Tainted: G B 4.9.64-gfbb7468 #94 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 ffff8801ca2c7698 ffffffff81d90429 ffff8801da001140 ffff8801a9c27600 ffff8801a9c27a00 ffffed0035384ec0 ffff8801a9c27600 ffff8801ca2c76c0 ffffffff8153a3ac ffffed0035384ec0 ffff8801da001140 0000000000000000 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xc1/0x128 lib/dump_stack.c:51 [] kasan_object_err+0x1c/0x70 mm/kasan/report.c:160 [] print_address_description mm/kasan/report.c:198 [inline] [] kasan_report_error mm/kasan/report.c:287 [inline] [] kasan_report.part.1+0x21c/0x500 mm/kasan/report.c:309 [] kasan_report mm/kasan/report.c:330 [inline] [] __asan_report_load8_noabort+0x29/0x30 mm/kasan/report.c:330 [] ip6_dst_ifdown+0x2f1/0x320 net/ipv6/route.c:400 [] dst_ifdown+0x75/0x230 net/core/dst.c:440 [] dst_dev_event+0xb1/0x2e0 net/core/dst.c:467 [] notifier_call_chain+0x90/0x1a0 kernel/notifier.c:93 [] __raw_notifier_call_chain kernel/notifier.c:394 [inline] [] raw_notifier_call_chain+0x2d/0x40 kernel/notifier.c:401 [] call_netdevice_notifiers_info+0x51/0x90 net/core/dev.c:1646 [] call_netdevice_notifiers net/core/dev.c:1662 [inline] [] netdev_run_todo+0x17a/0x6b0 net/core/dev.c:7499 [] rtnl_unlock+0xe/0x10 net/core/rtnetlink.c:104 [] tun_detach drivers/net/tun.c:579 [inline] [] tun_chr_close+0x49/0x60 drivers/net/tun.c:2379 [] __fput+0x28c/0x6e0 fs/file_table.c:208 [] ____fput+0x15/0x20 fs/file_table.c:244 [] task_work_run+0x115/0x190 kernel/task_work.c:116 [] exit_task_work include/linux/task_work.h:21 [inline] [] do_exit+0x7e7/0x2a40 kernel/exit.c:833 [] do_group_exit+0x108/0x320 kernel/exit.c:937 [] get_signal+0x4d4/0x14e0 kernel/signal.c:2315 [] do_signal+0x87/0x1a00 arch/x86/kernel/signal.c:807 [] exit_to_usermode_loop+0xe1/0x120 arch/x86/entry/common.c:156 [] prepare_exit_to_usermode arch/x86/entry/common.c:190 [inline] [] syscall_return_slowpath+0x1a0/0x1e0 arch/x86/entry/common.c:259 [] entry_SYSCALL_64_fastpath+0xc4/0xc6 Object at ffff8801a9c27600, in cache kmalloc-1024 size: 1024 Allocated: PID = 3298 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 save_stack+0x43/0xd0 mm/kasan/kasan.c:495 set_track mm/kasan/kasan.c:507 [inline] kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598 kmem_cache_alloc_trace+0xfb/0x2a0 mm/slub.c:2742 kmalloc include/linux/slab.h:490 [inline] kzalloc include/linux/slab.h:636 [inline] ipv6_add_dev+0xbb/0x1000 net/ipv6/addrconf.c:371 addrconf_notify+0xa5e/0x2190 net/ipv6/addrconf.c:3356 notifier_call_chain+0x90/0x1a0 kernel/notifier.c:93 __raw_notifier_call_chain kernel/notifier.c:394 [inline] raw_notifier_call_chain+0x2d/0x40 kernel/notifier.c:401 call_netdevice_notifiers_info+0x51/0x90 net/core/dev.c:1646 call_netdevice_notifiers net/core/dev.c:1662 [inline] register_netdevice+0xb92/0xea0 net/core/dev.c:7294 register_netdev+0x1a/0x30 net/core/dev.c:7377 loopback_net_init+0x76/0x160 drivers/net/loopback.c:202 ops_init+0xa9/0x3a0 net/core/net_namespace.c:111 setup_net+0x1b2/0x3e0 net/core/net_namespace.c:291 copy_net_ns+0x189/0x280 net/core/net_namespace.c:389 create_new_namespaces+0x37f/0x730 kernel/nsproxy.c:106 copy_namespaces+0x291/0x320 kernel/nsproxy.c:164 copy_process.part.51+0x1c99/0x5d40 kernel/fork.c:1667 copy_process kernel/fork.c:1491 [inline] _do_fork+0x1c0/0xd70 kernel/fork.c:1949 SYSC_clone kernel/fork.c:2059 [inline] SyS_clone+0x37/0x50 kernel/fork.c:2053 do_syscall_64+0x197/0x490 arch/x86/entry/common.c:280 return_from_SYSCALL_64+0x0/0x7a Freed: PID = 3 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 save_stack+0x43/0xd0 mm/kasan/kasan.c:495 set_track mm/kasan/kasan.c:507 [inline] kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:571 slab_free_hook mm/slub.c:1355 [inline] slab_free_freelist_hook mm/slub.c:1377 [inline] slab_free mm/slub.c:2958 [inline] kfree+0xf0/0x2f0 mm/slub.c:3878 in6_dev_finish_destroy_rcu+0x9d/0xc0 net/ipv6/addrconf_core.c:150 __rcu_reclaim kernel/rcu/rcu.h:118 [inline] rcu_do_batch kernel/rcu/tree.c:2789 [inline] invoke_rcu_callbacks kernel/rcu/tree.c:3053 [inline] __rcu_process_callbacks kernel/rcu/tree.c:3020 [inline] rcu_process_callbacks+0x871/0x12c0 kernel/rcu/tree.c:3037 __do_softirq+0x206/0x951 kernel/softirq.c:284 Memory state around the buggy address: ffff8801a9c27500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8801a9c27580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff8801a9c27600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff8801a9c27680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8801a9c27700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ================================================================== sd 0:0:1:0: [sg0] tag#543 FAILED Result: hostbyte=DID_ABORT driverbyte=DRIVER_OK sd 0:0:1:0: [sg0] tag#543 CDB: Test Unit Ready sd 0:0:1:0: [sg0] tag#543 CDB[00]: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 sd 0:0:1:0: [sg0] tag#543 CDB[10]: 00 00 00 00 10 27 00 00 00 00 00 00 00 00 00 00 sd 0:0:1:0: [sg0] tag#543 CDB[20]: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 sd 0:0:1:0: [sg0] tag#543 CDB[30]: 00 00 00 00 00 00 00 00 00 00 00 00 selinux_nlmsg_perm: 231 callbacks suppressed SELinux: unrecognized netlink message: protocol=0 nlmsg_type=257 sclass=netlink_route_socket pig=6666 comm=syz-executor7 ================================================================== BUG: KASAN: use-after-free in ip6_dst_ifdown+0x2f1/0x320 net/ipv6/route.c:400 at addr ffff8801a9c27600 Read of size 8 by task syz-executor3/6584 CPU: 1 PID: 6584 Comm: syz-executor3 Tainted: G B 4.9.64-gfbb7468 #94 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 ffff8801c7ef7698 ffffffff81d90429 ffff8801da001140 ffff8801a9c27600 ffff8801a9c27a00 ffffed0035384ec0 ffff8801a9c27600 ffff8801c7ef76c0 ffffffff8153a3ac ffffed0035384ec0 ffff8801da001140 0000000000000000 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xc1/0x128 lib/dump_stack.c:51 [] kasan_object_err+0x1c/0x70 mm/kasan/report.c:160 [] print_address_description mm/kasan/report.c:198 [inline] [] kasan_report_error mm/kasan/report.c:287 [inline] [] kasan_report.part.1+0x21c/0x500 mm/kasan/report.c:309 [] kasan_report mm/kasan/report.c:330 [inline] [] __asan_report_load8_noabort+0x29/0x30 mm/kasan/report.c:330 [] ip6_dst_ifdown+0x2f1/0x320 net/ipv6/route.c:400 [] dst_ifdown+0x75/0x230 net/core/dst.c:440 [] dst_dev_event+0xb1/0x2e0 net/core/dst.c:467 [] notifier_call_chain+0x90/0x1a0 kernel/notifier.c:93 [] __raw_notifier_call_chain kernel/notifier.c:394 [inline] [] raw_notifier_call_chain+0x2d/0x40 kernel/notifier.c:401 [] call_netdevice_notifiers_info+0x51/0x90 net/core/dev.c:1646 [] call_netdevice_notifiers net/core/dev.c:1662 [inline] [] netdev_run_todo+0x17a/0x6b0 net/core/dev.c:7499 [] rtnl_unlock+0xe/0x10 net/core/rtnetlink.c:104 [] tun_detach drivers/net/tun.c:579 [inline] [] tun_chr_close+0x49/0x60 drivers/net/tun.c:2379 [] __fput+0x28c/0x6e0 fs/file_table.c:208 [] ____fput+0x15/0x20 fs/file_table.c:244 [] task_work_run+0x115/0x190 kernel/task_work.c:116 [] exit_task_work include/linux/task_work.h:21 [inline] [] do_exit+0x7e7/0x2a40 kernel/exit.c:833 [] do_group_exit+0x108/0x320 kernel/exit.c:937 [] get_signal+0x4d4/0x14e0 kernel/signal.c:2315 [] do_signal+0x87/0x1a00 arch/x86/kernel/signal.c:807 [] exit_to_usermode_loop+0xe1/0x120 arch/x86/entry/common.c:156 [] prepare_exit_to_usermode arch/x86/entry/common.c:190 [inline] [] syscall_return_slowpath+0x1a0/0x1e0 arch/x86/entry/common.c:259 [] entry_SYSCALL_64_fastpath+0xc4/0xc6 Object at ffff8801a9c27600, in cache kmalloc-1024 size: 1024 Allocated: PID = 3298 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 save_stack+0x43/0xd0 mm/kasan/kasan.c:495 set_track mm/kasan/kasan.c:507 [inline] kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598 kmem_cache_alloc_trace+0xfb/0x2a0 mm/slub.c:2742 kmalloc include/linux/slab.h:490 [inline] kzalloc include/linux/slab.h:636 [inline] ipv6_add_dev+0xbb/0x1000 net/ipv6/addrconf.c:371 addrconf_notify+0xa5e/0x2190 net/ipv6/addrconf.c:3356 notifier_call_chain+0x90/0x1a0 kernel/notifier.c:93 __raw_notifier_call_chain kernel/notifier.c:394 [inline] raw_notifier_call_chain+0x2d/0x40 kernel/notifier.c:401 call_netdevice_notifiers_info+0x51/0x90 net/core/dev.c:1646 call_netdevice_notifiers net/core/dev.c:1662 [inline] register_netdevice+0xb92/0xea0 net/core/dev.c:7294 register_netdev+0x1a/0x30 net/core/dev.c:7377 loopback_net_init+0x76/0x160 drivers/net/loopback.c:202 ops_init+0xa9/0x3a0 net/core/net_namespace.c:111 setup_net+0x1b2/0x3e0 net/core/net_namespace.c:291 copy_net_ns+0x189/0x280 net/core/net_namespace.c:389 create_new_namespaces+0x37f/0x730 kernel/nsproxy.c:106 copy_namespaces+0x291/0x320 kernel/nsproxy.c:164 copy_process.part.51+0x1c99/0x5d40 kernel/fork.c:1667 copy_process kernel/fork.c:1491 [inline] _do_fork+0x1c0/0xd70 kernel/fork.c:1949 SYSC_clone kernel/fork.c:2059 [inline] SyS_clone+0x37/0x50 kernel/fork.c:2053 do_syscall_64+0x197/0x490 arch/x86/entry/common.c:280 return_from_SYSCALL_64+0x0/0x7a Freed: PID = 3 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 save_stack+0x43/0xd0 mm/kasan/kasan.c:495 set_track mm/kasan/kasan.c:507 [inline] kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:571 slab_free_hook mm/slub.c:1355 [inline] slab_free_freelist_hook mm/slub.c:1377 [inline] slab_free mm/slub.c:2958 [inline] kfree+0xf0/0x2f0 mm/slub.c:3878 in6_dev_finish_destroy_rcu+0x9d/0xc0 net/ipv6/addrconf_core.c:150 __rcu_reclaim kernel/rcu/rcu.h:118 [inline] rcu_do_batch kernel/rcu/tree.c:2789 [inline] invoke_rcu_callbacks kernel/rcu/tree.c:3053 [inline] __rcu_process_callbacks kernel/rcu/tree.c:3020 [inline] rcu_process_callbacks+0x871/0x12c0 kernel/rcu/tree.c:3037 __do_softirq+0x206/0x951 kernel/softirq.c:284 Memory state around the buggy address: ffff8801a9c27500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8801a9c27580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff8801a9c27600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff8801a9c27680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8801a9c27700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ================================================================== ================================================================== BUG: KASAN: use-after-free in ip6_dst_ifdown+0x2f1/0x320 net/ipv6/route.c:400 at addr ffff8801a9c27600 Read of size 8 by task syz-executor3/6584 CPU: 1 PID: 6584 Comm: syz-executor3 Tainted: G B 4.9.64-gfbb7468 #94 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 ffff8801c7ef7698 ffffffff81d90429 ffff8801da001140 ffff8801a9c27600 ffff8801a9c27a00 ffffed0035384ec0 ffff8801a9c27600 ffff8801c7ef76c0 ffffffff8153a3ac ffffed0035384ec0 ffff8801da001140 0000000000000000 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xc1/0x128 lib/dump_stack.c:51 [] kasan_object_err+0x1c/0x70 mm/kasan/report.c:160 [] print_address_description mm/kasan/report.c:198 [inline] [] kasan_report_error mm/kasan/report.c:287 [inline] [] kasan_report.part.1+0x21c/0x500 mm/kasan/report.c:309 [] kasan_report mm/kasan/report.c:330 [inline] [] __asan_report_load8_noabort+0x29/0x30 mm/kasan/report.c:330 [] ip6_dst_ifdown+0x2f1/0x320 net/ipv6/route.c:400 [] dst_ifdown+0x75/0x230 net/core/dst.c:440 [] dst_dev_event+0xb1/0x2e0 net/core/dst.c:467 [] notifier_call_chain+0x90/0x1a0 kernel/notifier.c:93 [] __raw_notifier_call_chain kernel/notifier.c:394 [inline] [] raw_notifier_call_chain+0x2d/0x40 kernel/notifier.c:401 [] call_netdevice_notifiers_info+0x51/0x90 net/core/dev.c:1646 [] call_netdevice_notifiers net/core/dev.c:1662 [inline] [] netdev_run_todo+0x17a/0x6b0 net/core/dev.c:7499 [] rtnl_unlock+0xe/0x10 net/core/rtnetlink.c:104 [] tun_detach drivers/net/tun.c:579 [inline] [] tun_chr_close+0x49/0x60 drivers/net/tun.c:2379 [] __fput+0x28c/0x6e0 fs/file_table.c:208 [] ____fput+0x15/0x20 fs/file_table.c:244 [] task_work_run+0x115/0x190 kernel/task_work.c:116 [] exit_task_work include/linux/task_work.h:21 [inline] [] do_exit+0x7e7/0x2a40 kernel/exit.c:833 [] do_group_exit+0x108/0x320 kernel/exit.c:937 [] get_signal+0x4d4/0x14e0 kernel/signal.c:2315 [] do_signal+0x87/0x1a00 arch/x86/kernel/signal.c:807 [] exit_to_usermode_loop+0xe1/0x120 arch/x86/entry/common.c:156 [] prepare_exit_to_usermode arch/x86/entry/common.c:190 [inline] [] syscall_return_slowpath+0x1a0/0x1e0 arch/x86/entry/common.c:259 [] entry_SYSCALL_64_fastpath+0xc4/0xc6 Object at ffff8801a9c27600, in cache kmalloc-1024 size: 1024 Allocated: PID = 3298 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 save_stack+0x43/0xd0 mm/kasan/kasan.c:495 set_track mm/kasan/kasan.c:507 [inline] kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598 kmem_cache_alloc_trace+0xfb/0x2a0 mm/slub.c:2742 kmalloc include/linux/slab.h:490 [inline] kzalloc include/linux/slab.h:636 [inline] ipv6_add_dev+0xbb/0x1000 net/ipv6/addrconf.c:371 addrconf_notify+0xa5e/0x2190 net/ipv6/addrconf.c:3356 notifier_call_chain+0x90/0x1a0 kernel/notifier.c:93 __raw_notifier_call_chain kernel/notifier.c:394 [inline] raw_notifier_call_chain+0x2d/0x40 kernel/notifier.c:401 call_netdevice_notifiers_info+0x51/0x90 net/core/dev.c:1646 call_netdevice_notifiers net/core/dev.c:1662 [inline] register_netdevice+0xb92/0xea0 net/core/dev.c:7294 register_netdev+0x1a/0x30 net/core/dev.c:7377 loopback_net_init+0x76/0x160 drivers/net/loopback.c:202 ops_init+0xa9/0x3a0 net/core/net_namespace.c:111 setup_net+0x1b2/0x3e0 net/core/net_namespace.c:291 copy_net_ns+0x189/0x280 net/core/net_namespace.c:389 create_new_namespaces+0x37f/0x730 kernel/nsproxy.c:106 copy_namespaces+0x291/0x320 kernel/nsproxy.c:164 copy_process.part.51+0x1c99/0x5d40 kernel/fork.c:1667 copy_process kernel/fork.c:1491 [inline] _do_fork+0x1c0/0xd70 kernel/fork.c:1949 SYSC_clone kernel/fork.c:2059 [inline] SyS_clone+0x37/0x50 kernel/fork.c:2053 do_syscall_64+0x197/0x490 arch/x86/entry/common.c:280 return_from_SYSCALL_64+0x0/0x7a Freed: PID = 3 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 save_stack+0x43/0xd0 mm/kasan/kasan.c:495 set_track mm/kasan/kasan.c:507 [inline] kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:571 slab_free_hook mm/slub.c:1355 [inline] slab_free_freelist_hook mm/slub.c:1377 [inline] slab_free mm/slub.c:2958 [inline] kfree+0xf0/0x2f0 mm/slub.c:3878 in6_dev_finish_destroy_rcu+0x9d/0xc0 net/ipv6/addrconf_core.c:150 __rcu_reclaim kernel/rcu/rcu.h:118 [inline] rcu_do_batch kernel/rcu/tree.c:2789 [inline] invoke_rcu_callbacks kernel/rcu/tree.c:3053 [inline] __rcu_process_callbacks kernel/rcu/tree.c:3020 [inline] rcu_process_callbacks+0x871/0x12c0 kernel/rcu/tree.c:3037 __do_softirq+0x206/0x951 kernel/softirq.c:284 Memory state around the buggy address: ffff8801a9c27500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8801a9c27580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff8801a9c27600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff8801a9c27680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8801a9c27700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ================================================================== ================================================================== BUG: KASAN: use-after-free in ip6_dst_ifdown+0x2f1/0x320 net/ipv6/route.c:400 at addr ffff8801a9c27600 Read of size 8 by task syz-executor2/6617 CPU: 0 PID: 6617 Comm: syz-executor2 Tainted: G B 4.9.64-gfbb7468 #94 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 ffff8801d8e37698 ffffffff81d90429 ffff8801da001140 ffff8801a9c27600 ffff8801a9c27a00 ffffed0035384ec0 ffff8801a9c27600 ffff8801d8e376c0 ffffffff8153a3ac ffffed0035384ec0 ffff8801da001140 0000000000000000 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xc1/0x128 lib/dump_stack.c:51 [] kasan_object_err+0x1c/0x70 mm/kasan/report.c:160 [] print_address_description mm/kasan/report.c:198 [inline] [] kasan_report_error mm/kasan/report.c:287 [inline] [] kasan_report.part.1+0x21c/0x500 mm/kasan/report.c:309 [] kasan_report mm/kasan/report.c:330 [inline] [] __asan_report_load8_noabort+0x29/0x30 mm/kasan/report.c:330 [] ip6_dst_ifdown+0x2f1/0x320 net/ipv6/route.c:400 [] dst_ifdown+0x75/0x230 net/core/dst.c:440 [] dst_dev_event+0xb1/0x2e0 net/core/dst.c:467 [] notifier_call_chain+0x90/0x1a0 kernel/notifier.c:93 [] __raw_notifier_call_chain kernel/notifier.c:394 [inline] [] raw_notifier_call_chain+0x2d/0x40 kernel/notifier.c:401 [] call_netdevice_notifiers_info+0x51/0x90 net/core/dev.c:1646 [] call_netdevice_notifiers net/core/dev.c:1662 [inline] [] netdev_run_todo+0x17a/0x6b0 net/core/dev.c:7499 [] rtnl_unlock+0xe/0x10 net/core/rtnetlink.c:104 [] tun_detach drivers/net/tun.c:579 [inline] [] tun_chr_close+0x49/0x60 drivers/net/tun.c:2379 [] __fput+0x28c/0x6e0 fs/file_table.c:208 [] ____fput+0x15/0x20 fs/file_table.c:244 [] task_work_run+0x115/0x190 kernel/task_work.c:116 [] exit_task_work include/linux/task_work.h:21 [inline] [] do_exit+0x7e7/0x2a40 kernel/exit.c:833 [] do_group_exit+0x108/0x320 kernel/exit.c:937 [] get_signal+0x4d4/0x14e0 kernel/signal.c:2315 [] do_signal+0x87/0x1a00 arch/x86/kernel/signal.c:807 [] exit_to_usermode_loop+0xe1/0x120 arch/x86/entry/common.c:156 [] prepare_exit_to_usermode arch/x86/entry/common.c:190 [inline] [] syscall_return_slowpath+0x1a0/0x1e0 arch/x86/entry/common.c:259 [] entry_SYSCALL_64_fastpath+0xc4/0xc6 Object at ffff8801a9c27600, in cache kmalloc-1024 size: 1024 Allocated: PID = 3298 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 save_stack+0x43/0xd0 mm/kasan/kasan.c:495 set_track mm/kasan/kasan.c:507 [inline] kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598 kmem_cache_alloc_trace+0xfb/0x2a0 mm/slub.c:2742 kmalloc include/linux/slab.h:490 [inline] kzalloc include/linux/slab.h:636 [inline] ipv6_add_dev+0xbb/0x1000 net/ipv6/addrconf.c:371 addrconf_notify+0xa5e/0x2190 net/ipv6/addrconf.c:3356 notifier_call_chain+0x90/0x1a0 kernel/notifier.c:93 __raw_notifier_call_chain kernel/notifier.c:394 [inline] raw_notifier_call_chain+0x2d/0x40 kernel/notifier.c:401 call_netdevice_notifiers_info+0x51/0x90 net/core/dev.c:1646 call_netdevice_notifiers net/core/dev.c:1662 [inline] register_netdevice+0xb92/0xea0 net/core/dev.c:7294 register_netdev+0x1a/0x30 net/core/dev.c:7377 loopback_net_init+0x76/0x160 drivers/net/loopback.c:202 ops_init+0xa9/0x3a0 net/core/net_namespace.c:111 setup_net+0x1b2/0x3e0 net/core/net_namespace.c:291 copy_net_ns+0x189/0x280 net/core/net_namespace.c:389 create_new_namespaces+0x37f/0x730 kernel/nsproxy.c:106 copy_namespaces+0x291/0x320 kernel/nsproxy.c:164 copy_process.part.51+0x1c99/0x5d40 kernel/fork.c:1667 copy_process kernel/fork.c:1491 [inline] _do_fork+0x1c0/0xd70 kernel/fork.c:1949 SYSC_clone kernel/fork.c:2059 [inline] SyS_clone+0x37/0x50 kernel/fork.c:2053 do_syscall_64+0x197/0x490 arch/x86/entry/common.c:280 return_from_SYSCALL_64+0x0/0x7a Freed: PID = 3 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 save_stack+0x43/0xd0 mm/kasan/kasan.c:495 set_track mm/kasan/kasan.c:507 [inline] kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:571 slab_free_hook mm/slub.c:1355 [inline] slab_free_freelist_hook mm/slub.c:1377 [inline] slab_free mm/slub.c:2958 [inline] kfree+0xf0/0x2f0 mm/slub.c:3878 in6_dev_finish_destroy_rcu+0x9d/0xc0 net/ipv6/addrconf_core.c:150 __rcu_reclaim kernel/rcu/rcu.h:118 [inline] rcu_do_batch kernel/rcu/tree.c:2789 [inline] invoke_rcu_callbacks kernel/rcu/tree.c:3053 [inline] __rcu_process_callbacks kernel/rcu/tree.c:3020 [inline] rcu_process_callbacks+0x871/0x12c0 kernel/rcu/tree.c:3037 __do_softirq+0x206/0x951 kernel/softirq.c:284 Memory state around the buggy address: ffff8801a9c27500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8801a9c27580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff8801a9c27600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff8801a9c27680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8801a9c27700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ================================================================== ================================================================== BUG: KASAN: use-after-free in ip6_dst_ifdown+0x2f1/0x320 net/ipv6/route.c:400 at addr ffff8801a9c27600 Read of size 8 by task syz-executor2/6617 CPU: 1 PID: 6617 Comm: syz-executor2 Tainted: G B 4.9.64-gfbb7468 #94 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 ffff8801d8e37698 ffffffff81d90429 ffff8801da001140 ffff8801a9c27600 ffff8801a9c27a00 ffffed0035384ec0 ffff8801a9c27600 ffff8801d8e376c0 ffffffff8153a3ac ffffed0035384ec0 ffff8801da001140 0000000000000000 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xc1/0x128 lib/dump_stack.c:51 [] kasan_object_err+0x1c/0x70 mm/kasan/report.c:160 [] print_address_description mm/kasan/report.c:198 [inline] [] kasan_report_error mm/kasan/report.c:287 [inline] [] kasan_report.part.1+0x21c/0x500 mm/kasan/report.c:309 [] kasan_report mm/kasan/report.c:330 [inline] [] __asan_report_load8_noabort+0x29/0x30 mm/kasan/report.c:330 [] ip6_dst_ifdown+0x2f1/0x320 net/ipv6/route.c:400 [] dst_ifdown+0x75/0x230 net/core/dst.c:440 [] dst_dev_event+0xb1/0x2e0 net/core/dst.c:467 [] notifier_call_chain+0x90/0x1a0 kernel/notifier.c:93 [] __raw_notifier_call_chain kernel/notifier.c:394 [inline] [] raw_notifier_call_chain+0x2d/0x40 kernel/notifier.c:401 [] call_netdevice_notifiers_info+0x51/0x90 net/core/dev.c:1646 [] call_netdevice_notifiers net/core/dev.c:1662 [inline] [] netdev_run_todo+0x17a/0x6b0 net/core/dev.c:7499 [] rtnl_unlock+0xe/0x10 net/core/rtnetlink.c:104 [] tun_detach drivers/net/tun.c:579 [inline] [] tun_chr_close+0x49/0x60 drivers/net/tun.c:2379 [] __fput+0x28c/0x6e0 fs/file_table.c:208 [] ____fput+0x15/0x20 fs/file_table.c:244 [] task_work_run+0x115/0x190 kernel/task_work.c:116 [] exit_task_work include/linux/task_work.h:21 [inline] [] do_exit+0x7e7/0x2a40 kernel/exit.c:833 [] do_group_exit+0x108/0x320 kernel/exit.c:937 [] get_signal+0x4d4/0x14e0 kernel/signal.c:2315 [] do_signal+0x87/0x1a00 arch/x86/kernel/signal.c:807 [] exit_to_usermode_loop+0xe1/0x120 arch/x86/entry/common.c:156 [] prepare_exit_to_usermode arch/x86/entry/common.c:190 [inline] [] syscall_return_slowpath+0x1a0/0x1e0 arch/x86/entry/common.c:259 [] entry_SYSCALL_64_fastpath+0xc4/0xc6 Object at ffff8801a9c27600, in cache kmalloc-1024 size: 1024 Allocated: PID = 3298 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 save_stack+0x43/0xd0 mm/kasan/kasan.c:495 set_track mm/kasan/kasan.c:507 [inline] kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598 kmem_cache_alloc_trace+0xfb/0x2a0 mm/slub.c:2742 kmalloc include/linux/slab.h:490 [inline] kzalloc include/linux/slab.h:636 [inline] ipv6_add_dev+0xbb/0x1000 net/ipv6/addrconf.c:371 addrconf_notify+0xa5e/0x2190 net/ipv6/addrconf.c:3356 notifier_call_chain+0x90/0x1a0 kernel/notifier.c:93 __raw_notifier_call_chain kernel/notifier.c:394 [inline] raw_notifier_call_chain+0x2d/0x40 kernel/notifier.c:401 call_netdevice_notifiers_info+0x51/0x90 net/core/dev.c:1646 call_netdevice_notifiers net/core/dev.c:1662 [inline] register_netdevice+0xb92/0xea0 net/core/dev.c:7294 register_netdev+0x1a/0x30 net/core/dev.c:7377 loopback_net_init+0x76/0x160 drivers/net/loopback.c:202 ops_init+0xa9/0x3a0 net/core/net_namespace.c:111 setup_net+0x1b2/0x3e0 net/core/net_namespace.c:291 copy_net_ns+0x189/0x280 net/core/net_namespace.c:389 create_new_namespaces+0x37f/0x730 kernel/nsproxy.c:106 copy_namespaces+0x291/0x320 kernel/nsproxy.c:164 copy_process.part.51+0x1c99/0x5d40 kernel/fork.c:1667 copy_process kernel/fork.c:1491 [inline] _do_fork+0x1c0/0xd70 kernel/fork.c:1949 SYSC_clone kernel/fork.c:2059 [inline] SyS_clone+0x37/0x50 kernel/fork.c:2053 do_syscall_64+0x197/0x490 arch/x86/entry/common.c:280 return_from_SYSCALL_64+0x0/0x7a Freed: PID = 3 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 save_stack+0x43/0xd0 mm/kasan/kasan.c:495 set_track mm/kasan/kasan.c:507 [inline] kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:571 slab_free_hook mm/slub.c:1355 [inline] slab_free_freelist_hook mm/slub.c:1377 [inline] slab_free mm/slub.c:2958 [inline] kfree+0xf0/0x2f0 mm/slub.c:3878 in6_dev_finish_destroy_rcu+0x9d/0xc0 net/ipv6/addrconf_core.c:150 __rcu_reclaim kernel/rcu/rcu.h:118 [inline] rcu_do_batch kernel/rcu/tree.c:2789 [inline] invoke_rcu_callbacks kernel/rcu/tree.c:3053 [inline] __rcu_process_callbacks kernel/rcu/tree.c:3020 [inline] rcu_process_callbacks+0x871/0x12c0 kernel/rcu/tree.c:3037 __do_softirq+0x206/0x951 kernel/softirq.c:284 Memory state around the buggy address: ffff8801a9c27500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8801a9c27580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff8801a9c27600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff8801a9c27680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8801a9c27700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ================================================================== ================================================================== BUG: KASAN: use-after-free in ip6_dst_ifdown+0x2f1/0x320 net/ipv6/route.c:400 at addr ffff8801a9c27600 Read of size 8 by task syz-executor5/6630 CPU: 0 PID: 6630 Comm: syz-executor5 Tainted: G B 4.9.64-gfbb7468 #94 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 ffff8801d6a5f698 ffffffff81d90429 ffff8801da001140 ffff8801a9c27600 ffff8801a9c27a00 ffffed0035384ec0 ffff8801a9c27600 ffff8801d6a5f6c0 ffffffff8153a3ac ffffed0035384ec0 ffff8801da001140 0000000000000000 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xc1/0x128 lib/dump_stack.c:51 [] kasan_object_err+0x1c/0x70 mm/kasan/report.c:160 [] print_address_description mm/kasan/report.c:198 [inline] [] kasan_report_error mm/kasan/report.c:287 [inline] [] kasan_report.part.1+0x21c/0x500 mm/kasan/report.c:309 [] kasan_report mm/kasan/report.c:330 [inline] [] __asan_report_load8_noabort+0x29/0x30 mm/kasan/report.c:330 [] ip6_dst_ifdown+0x2f1/0x320 net/ipv6/route.c:400 [] dst_ifdown+0x75/0x230 net/core/dst.c:440 [] dst_dev_event+0xb1/0x2e0 net/core/dst.c:467 [] notifier_call_chain+0x90/0x1a0 kernel/notifier.c:93 [] __raw_notifier_call_chain kernel/notifier.c:394 [inline] [] raw_notifier_call_chain+0x2d/0x40 kernel/notifier.c:401 [] call_netdevice_notifiers_info+0x51/0x90 net/core/dev.c:1646 [] call_netdevice_notifiers net/core/dev.c:1662 [inline] [] netdev_run_todo+0x17a/0x6b0 net/core/dev.c:7499 [] rtnl_unlock+0xe/0x10 net/core/rtnetlink.c:104 [] tun_detach drivers/net/tun.c:579 [inline] [] tun_chr_close+0x49/0x60 drivers/net/tun.c:2379 [] __fput+0x28c/0x6e0 fs/file_table.c:208 [] ____fput+0x15/0x20 fs/file_table.c:244 [] task_work_run+0x115/0x190 kernel/task_work.c:116 [] exit_task_work include/linux/task_work.h:21 [inline] [] do_exit+0x7e7/0x2a40 kernel/exit.c:833 [] do_group_exit+0x108/0x320 kernel/exit.c:937 [] get_signal+0x4d4/0x14e0 kernel/signal.c:2315 [] do_signal+0x87/0x1a00 arch/x86/kernel/signal.c:807 [] exit_to_usermode_loop+0xe1/0x120 arch/x86/entry/common.c:156 [] prepare_exit_to_usermode arch/x86/entry/common.c:190 [inline] [] syscall_return_slowpath+0x1a0/0x1e0 arch/x86/entry/common.c:259 [] entry_SYSCALL_64_fastpath+0xc4/0xc6 Object at ffff8801a9c27600, in cache kmalloc-1024 size: 1024 Allocated: PID = 3298 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 save_stack+0x43/0xd0 mm/kasan/kasan.c:495 set_track mm/kasan/kasan.c:507 [inline] kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598 kmem_cache_alloc_trace+0xfb/0x2a0 mm/slub.c:2742 kmalloc include/linux/slab.h:490 [inline] kzalloc include/linux/slab.h:636 [inline] ipv6_add_dev+0xbb/0x1000 net/ipv6/addrconf.c:371 addrconf_notify+0xa5e/0x2190 net/ipv6/addrconf.c:3356 notifier_call_chain+0x90/0x1a0 kernel/notifier.c:93 __raw_notifier_call_chain kernel/notifier.c:394 [inline] raw_notifier_call_chain+0x2d/0x40 kernel/notifier.c:401 call_netdevice_notifiers_info+0x51/0x90 net/core/dev.c:1646 call_netdevice_notifiers net/core/dev.c:1662 [inline] register_netdevice+0xb92/0xea0 net/core/dev.c:7294 register_netdev+0x1a/0x30 net/core/dev.c:7377 loopback_net_init+0x76/0x160 drivers/net/loopback.c:202 ops_init+0xa9/0x3a0 net/core/net_namespace.c:111 setup_net+0x1b2/0x3e0 net/core/net_namespace.c:291 copy_net_ns+0x189/0x280 net/core/net_namespace.c:389 create_new_namespaces+0x37f/0x730 kernel/nsproxy.c:106 copy_namespaces+0x291/0x320 kernel/nsproxy.c:164 copy_process.part.51+0x1c99/0x5d40 kernel/fork.c:1667 copy_process kernel/fork.c:1491 [inline] _do_fork+0x1c0/0xd70 kernel/fork.c:1949 SYSC_clone kernel/fork.c:2059 [inline] SyS_clone+0x37/0x50 kernel/fork.c:2053 do_syscall_64+0x197/0x490 arch/x86/entry/common.c:280 return_from_SYSCALL_64+0x0/0x7a Freed: PID = 3 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 save_stack+0x43/0xd0 mm/kasan/kasan.c:495 set_track mm/kasan/kasan.c:507 [inline] kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:571 slab_free_hook mm/slub.c:1355 [inline] slab_free_freelist_hook mm/slub.c:1377 [inline] slab_free mm/slub.c:2958 [inline] kfree+0xf0/0x2f0 mm/slub.c:3878 in6_dev_finish_destroy_rcu+0x9d/0xc0 net/ipv6/addrconf_core.c:150 __rcu_reclaim kernel/rcu/rcu.h:118 [inline] rcu_do_batch kernel/rcu/tree.c:2789 [inline] invoke_rcu_callbacks kernel/rcu/tree.c:3053 [inline] __rcu_process_callbacks kernel/rcu/tree.c:3020 [inline] rcu_process_callbacks+0x871/0x12c0 kernel/rcu/tree.c:3037 __do_softirq+0x206/0x951 kernel/softirq.c:284 Memory state around the buggy address: ffff8801a9c27500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8801a9c27580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff8801a9c27600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff8801a9c27680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8801a9c27700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ================================================================== ================================================================== BUG: KASAN: use-after-free in ip6_dst_ifdown+0x2f1/0x320 net/ipv6/route.c:400 at addr ffff8801a9c27600 Read of size 8 by task syz-executor5/6630 CPU: 1 PID: 6630 Comm: syz-executor5 Tainted: G B 4.9.64-gfbb7468 #94 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 ffff8801d6a5f698 ffffffff81d90429 ffff8801da001140 ffff8801a9c27600 ffff8801a9c27a00 ffffed0035384ec0 ffff8801a9c27600 ffff8801d6a5f6c0 ffffffff8153a3ac ffffed0035384ec0 ffff8801da001140 0000000000000000 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xc1/0x128 lib/dump_stack.c:51 [] kasan_object_err+0x1c/0x70 mm/kasan/report.c:160 [] print_address_description mm/kasan/report.c:198 [inline] [] kasan_report_error mm/kasan/report.c:287 [inline] [] kasan_report.part.1+0x21c/0x500 mm/kasan/report.c:309 [] kasan_report mm/kasan/report.c:330 [inline] [] __asan_report_load8_noabort+0x29/0x30 mm/kasan/report.c:330 [] ip6_dst_ifdown+0x2f1/0x320 net/ipv6/route.c:400 [] dst_ifdown+0x75/0x230 net/core/dst.c:440 [] dst_dev_event+0xb1/0x2e0 net/core/dst.c:467 [] notifier_call_chain+0x90/0x1a0 kernel/notifier.c:93 [] __raw_notifier_call_chain kernel/notifier.c:394 [inline] [] raw_notifier_call_chain+0x2d/0x40 kernel/notifier.c:401 [] call_netdevice_notifiers_info+0x51/0x90 net/core/dev.c:1646 [] call_netdevice_notifiers net/core/dev.c:1662 [inline] [] netdev_run_todo+0x17a/0x6b0 net/core/dev.c:7499 [] rtnl_unlock+0xe/0x10 net/core/rtnetlink.c:104 [] tun_detach drivers/net/tun.c:579 [inline] [] tun_chr_close+0x49/0x60 drivers/net/tun.c:2379 [] __fput+0x28c/0x6e0 fs/file_table.c:208 [] ____fput+0x15/0x20 fs/file_table.c:244 [] task_work_run+0x115/0x190 kernel/task_work.c:116 [] exit_task_work include/linux/task_work.h:21 [inline] [] do_exit+0x7e7/0x2a40 kernel/exit.c:833 [] do_group_exit+0x108/0x320 kernel/exit.c:937 [] get_signal+0x4d4/0x14e0 kernel/signal.c:2315 [] do_signal+0x87/0x1a00 arch/x86/kernel/signal.c:807 [] exit_to_usermode_loop+0xe1/0x120 arch/x86/entry/common.c:156 [] prepare_exit_to_usermode arch/x86/entry/common.c:190 [inline] [] syscall_return_slowpath+0x1a0/0x1e0 arch/x86/entry/common.c:259 [] entry_SYSCALL_64_fastpath+0xc4/0xc6 Object at ffff8801a9c27600, in cache kmalloc-1024 size: 1024 Allocated: PID = 3298 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 save_stack+0x43/0xd0 mm/kasan/kasan.c:495 set_track mm/kasan/kasan.c:507 [inline] kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598 kmem_cache_alloc_trace+0xfb/0x2a0 mm/slub.c:2742 kmalloc include/linux/slab.h:490 [inline] kzalloc include/linux/slab.h:636 [inline] ipv6_add_dev+0xbb/0x1000 net/ipv6/addrconf.c:371 addrconf_notify+0xa5e/0x2190 net/ipv6/addrconf.c:3356 notifier_call_chain+0x90/0x1a0 kernel/notifier.c:93 __raw_notifier_call_chain kernel/notifier.c:394 [inline] raw_notifier_call_chain+0x2d/0x40 kernel/notifier.c:401 call_netdevice_notifiers_info+0x51/0x90 net/core/dev.c:1646 call_netdevice_notifiers net/core/dev.c:1662 [inline] register_netdevice+0xb92/0xea0 net/core/dev.c:7294 register_netdev+0x1a/0x30 net/core/dev.c:7377 loopback_net_init+0x76/0x160 drivers/net/loopback.c:202 ops_init+0xa9/0x3a0 net/core/net_namespace.c:111 setup_net+0x1b2/0x3e0 net/core/net_namespace.c:291 copy_net_ns+0x189/0x280 net/core/net_namespace.c:389 create_new_namespaces+0x37f/0x730 kernel/nsproxy.c:106 copy_namespaces+0x291/0x320 kernel/nsproxy.c:164 copy_process.part.51+0x1c99/0x5d40 kernel/fork.c:1667 copy_process kernel/fork.c:1491 [inline] _do_fork+0x1c0/0xd70 kernel/fork.c:1949 SYSC_clone kernel/fork.c:2059 [inline] SyS_clone+0x37/0x50 kernel/fork.c:2053 do_syscall_64+0x197/0x490 arch/x86/entry/common.c:280 return_from_SYSCALL_64+0x0/0x7a Freed: PID = 3 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 save_stack+0x43/0xd0 mm/kasan/kasan.c:495 set_track mm/kasan/kasan.c:507 [inline] kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:571 slab_free_hook mm/slub.c:1355 [inline] slab_free_freelist_hook mm/slub.c:1377 [inline] slab_free mm/slub.c:2958 [inline] kfree+0xf0/0x2f0 mm/slub.c:3878 in6_dev_finish_destroy_rcu+0x9d/0xc0 net/ipv6/addrconf_core.c:150 __rcu_reclaim kernel/rcu/rcu.h:118 [inline] rcu_do_batch kernel/rcu/tree.c:2789 [inline] invoke_rcu_callbacks kernel/rcu/tree.c:3053 [inline] __rcu_process_callbacks kernel/rcu/tree.c:3020 [inline] rcu_process_callbacks+0x871/0x12c0 kernel/rcu/tree.c:3037 __do_softirq+0x206/0x951 kernel/softirq.c:284 Memory state around the buggy address: ffff8801a9c27500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8801a9c27580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff8801a9c27600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff8801a9c27680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8801a9c27700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ================================================================== ================================================================== BUG: KASAN: use-after-free in ip6_dst_ifdown+0x2f1/0x320 net/ipv6/route.c:400 at addr ffff8801a9c27600 Read of size 8 by task syz-executor7/6655 CPU: 0 PID: 6655 Comm: syz-executor7 Tainted: G B 4.9.64-gfbb7468 #94 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 ffff8801ac367ac8 ffffffff81d90429 ffff8801da001140 ffff8801a9c27600 ffff8801a9c27a00 ffffed0035384ec0 ffff8801a9c27600 ffff8801ac367af0 ffffffff8153a3ac ffffed0035384ec0 ffff8801da001140 0000000000000000 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xc1/0x128 lib/dump_stack.c:51 [] kasan_object_err+0x1c/0x70 mm/kasan/report.c:160 [] print_address_description mm/kasan/report.c:198 [inline] [] kasan_report_error mm/kasan/report.c:287 [inline] [] kasan_report.part.1+0x21c/0x500 mm/kasan/report.c:309 [] kasan_report mm/kasan/report.c:330 [inline] [] __asan_report_load8_noabort+0x29/0x30 mm/kasan/report.c:330 [