binder: 8598:8602 ioctl 541a 20004ffc returned -22 ================================================================== BUG: KASAN: use-after-free in ip6_dst_ifdown+0x2f1/0x320 net/ipv6/route.c:400 at addr ffff8801a5a9c000 Read of size 8 by task syz-executor4/8622 CPU: 0 PID: 8622 Comm: syz-executor4 Not tainted 4.9.65-gea83e4a #95 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 ffff8801aaa17890 ffffffff81d90469 ffff8801da001140 ffff8801a5a9c000 ffff8801a5a9c400 ffffed0034b53800 ffff8801a5a9c000 ffff8801aaa178b8 ffffffff8153a3fc ffffed0034b53800 ffff8801da001140 0000000000000000 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xc1/0x128 lib/dump_stack.c:51 [] kasan_object_err+0x1c/0x70 mm/kasan/report.c:160 [] print_address_description mm/kasan/report.c:198 [inline] [] kasan_report_error mm/kasan/report.c:287 [inline] [] kasan_report.part.1+0x21c/0x500 mm/kasan/report.c:309 [] kasan_report mm/kasan/report.c:330 [inline] [] __asan_report_load8_noabort+0x29/0x30 mm/kasan/report.c:330 [] ip6_dst_ifdown+0x2f1/0x320 net/ipv6/route.c:400 [] dst_ifdown+0x75/0x230 net/core/dst.c:440 [] dst_dev_event+0xb1/0x2e0 net/core/dst.c:467 [] notifier_call_chain+0x90/0x1a0 kernel/notifier.c:93 [] __raw_notifier_call_chain kernel/notifier.c:394 [inline] [] raw_notifier_call_chain+0x2d/0x40 kernel/notifier.c:401 [] call_netdevice_notifiers_info+0x51/0x90 net/core/dev.c:1646 [] call_netdevice_notifiers net/core/dev.c:1662 [inline] [] __dev_notify_flags+0x197/0x270 net/core/dev.c:6488 [] dev_change_flags+0xf5/0x140 net/core/dev.c:6519 [] devinet_ioctl+0xe35/0x14b0 net/ipv4/devinet.c:1052 [] inet_ioctl+0x117/0x1c0 net/ipv4/af_inet.c:908 [] sock_do_ioctl+0x65/0xb0 net/socket.c:892 [] sock_ioctl+0x2e0/0x3d0 net/socket.c:978 [] vfs_ioctl fs/ioctl.c:43 [inline] [] do_vfs_ioctl+0x1aa/0x1140 fs/ioctl.c:679 [] SYSC_ioctl fs/ioctl.c:694 [inline] [] SyS_ioctl+0x8f/0xc0 fs/ioctl.c:685 [] entry_SYSCALL_64_fastpath+0x23/0xc6 Object at ffff8801a5a9c000, in cache kmalloc-1024 size: 1024 Allocated: PID = 3293 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 save_stack+0x43/0xd0 mm/kasan/kasan.c:495 set_track mm/kasan/kasan.c:507 [inline] kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598 kmem_cache_alloc_trace+0xfb/0x2a0 mm/slub.c:2742 kmalloc include/linux/slab.h:490 [inline] kzalloc include/linux/slab.h:636 [inline] ipv6_add_dev+0xbb/0x1000 net/ipv6/addrconf.c:371 addrconf_notify+0xa5e/0x2190 net/ipv6/addrconf.c:3356 notifier_call_chain+0x90/0x1a0 kernel/notifier.c:93 __raw_notifier_call_chain kernel/notifier.c:394 [inline] raw_notifier_call_chain+0x2d/0x40 kernel/notifier.c:401 call_netdevice_notifiers_info+0x51/0x90 net/core/dev.c:1646 call_netdevice_notifiers net/core/dev.c:1662 [inline] register_netdevice+0xb92/0xea0 net/core/dev.c:7294 register_netdev+0x1a/0x30 net/core/dev.c:7377 loopback_net_init+0x76/0x160 drivers/net/loopback.c:202 ops_init+0xa9/0x3a0 net/core/net_namespace.c:111 setup_net+0x1b2/0x3e0 net/core/net_namespace.c:291 copy_net_ns+0x189/0x280 net/core/net_namespace.c:389 create_new_namespaces+0x37f/0x730 kernel/nsproxy.c:106 copy_namespaces+0x291/0x320 kernel/nsproxy.c:164 copy_process.part.51+0x1c99/0x5d40 kernel/fork.c:1667 copy_process kernel/fork.c:1491 [inline] _do_fork+0x1c0/0xd70 kernel/fork.c:1949 SYSC_clone kernel/fork.c:2059 [inline] SyS_clone+0x37/0x50 kernel/fork.c:2053 do_syscall_64+0x197/0x490 arch/x86/entry/common.c:280 return_from_SYSCALL_64+0x0/0x7a Freed: PID = 3 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 save_stack+0x43/0xd0 mm/kasan/kasan.c:495 set_track mm/kasan/kasan.c:507 [inline] kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:571 slab_free_hook mm/slub.c:1355 [inline] slab_free_freelist_hook mm/slub.c:1377 [inline] slab_free mm/slub.c:2958 [inline] kfree+0xf0/0x2f0 mm/slub.c:3878 in6_dev_finish_destroy_rcu+0x9d/0xc0 net/ipv6/addrconf_core.c:150 __rcu_reclaim kernel/rcu/rcu.h:118 [inline] rcu_do_batch kernel/rcu/tree.c:2789 [inline] invoke_rcu_callbacks kernel/rcu/tree.c:3053 [inline] __rcu_process_callbacks kernel/rcu/tree.c:3020 [inline] rcu_process_callbacks+0x871/0x12c0 kernel/rcu/tree.c:3037 __do_softirq+0x206/0x951 kernel/softirq.c:284 Memory state around the buggy address: ffff8801a5a9bf00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff8801a5a9bf80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff8801a5a9c000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff8801a5a9c080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8801a5a9c100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ================================================================== ================================================================== BUG: KASAN: use-after-free in ip6_dst_ifdown+0x2f1/0x320 net/ipv6/route.c:400 at addr ffff8801a5a9c000 Read of size 8 by task syz-executor4/8622 CPU: 0 PID: 8622 Comm: syz-executor4 Tainted: G B 4.9.65-gea83e4a #95 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 ffff8801aaa17890 ffffffff81d90469 ffff8801da001140 ffff8801a5a9c000 ffff8801a5a9c400 ffffed0034b53800 ffff8801a5a9c000 ffff8801aaa178b8 ffffffff8153a3fc ffffed0034b53800 ffff8801da001140 0000000000000000 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xc1/0x128 lib/dump_stack.c:51 [] kasan_object_err+0x1c/0x70 mm/kasan/report.c:160 [] print_address_description mm/kasan/report.c:198 [inline] [] kasan_report_error mm/kasan/report.c:287 [inline] [] kasan_report.part.1+0x21c/0x500 mm/kasan/report.c:309 [] kasan_report mm/kasan/report.c:330 [inline] [] __asan_report_load8_noabort+0x29/0x30 mm/kasan/report.c:330 [] ip6_dst_ifdown+0x2f1/0x320 net/ipv6/route.c:400 [] dst_ifdown+0x75/0x230 net/core/dst.c:440 [] dst_dev_event+0xb1/0x2e0 net/core/dst.c:467 [] notifier_call_chain+0x90/0x1a0 kernel/notifier.c:93 [] __raw_notifier_call_chain kernel/notifier.c:394 [inline] [] raw_notifier_call_chain+0x2d/0x40 kernel/notifier.c:401 [] call_netdevice_notifiers_info+0x51/0x90 net/core/dev.c:1646 [] call_netdevice_notifiers net/core/dev.c:1662 [inline] [] __dev_notify_flags+0x197/0x270 net/core/dev.c:6488 [] dev_change_flags+0xf5/0x140 net/core/dev.c:6519 [] devinet_ioctl+0xe35/0x14b0 net/ipv4/devinet.c:1052 [] inet_ioctl+0x117/0x1c0 net/ipv4/af_inet.c:908 [] sock_do_ioctl+0x65/0xb0 net/socket.c:892 [] sock_ioctl+0x2e0/0x3d0 net/socket.c:978 [] vfs_ioctl fs/ioctl.c:43 [inline] [] do_vfs_ioctl+0x1aa/0x1140 fs/ioctl.c:679 [] SYSC_ioctl fs/ioctl.c:694 [inline] [] SyS_ioctl+0x8f/0xc0 fs/ioctl.c:685 [] entry_SYSCALL_64_fastpath+0x23/0xc6 Object at ffff8801a5a9c000, in cache kmalloc-1024 size: 1024 Allocated: PID = 3293 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 save_stack+0x43/0xd0 mm/kasan/kasan.c:495 set_track mm/kasan/kasan.c:507 [inline] kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598 kmem_cache_alloc_trace+0xfb/0x2a0 mm/slub.c:2742 kmalloc include/linux/slab.h:490 [inline] kzalloc include/linux/slab.h:636 [inline] ipv6_add_dev+0xbb/0x1000 net/ipv6/addrconf.c:371 addrconf_notify+0xa5e/0x2190 net/ipv6/addrconf.c:3356 notifier_call_chain+0x90/0x1a0 kernel/notifier.c:93 __raw_notifier_call_chain kernel/notifier.c:394 [inline] raw_notifier_call_chain+0x2d/0x40 kernel/notifier.c:401 call_netdevice_notifiers_info+0x51/0x90 net/core/dev.c:1646 call_netdevice_notifiers net/core/dev.c:1662 [inline] register_netdevice+0xb92/0xea0 net/core/dev.c:7294 register_netdev+0x1a/0x30 net/core/dev.c:7377 loopback_net_init+0x76/0x160 drivers/net/loopback.c:202 ops_init+0xa9/0x3a0 net/core/net_namespace.c:111 setup_net+0x1b2/0x3e0 net/core/net_namespace.c:291 copy_net_ns+0x189/0x280 net/core/net_namespace.c:389 create_new_namespaces+0x37f/0x730 kernel/nsproxy.c:106 copy_namespaces+0x291/0x320 kernel/nsproxy.c:164 copy_process.part.51+0x1c99/0x5d40 kernel/fork.c:1667 copy_process kernel/fork.c:1491 [inline] _do_fork+0x1c0/0xd70 kernel/fork.c:1949 SYSC_clone kernel/fork.c:2059 [inline] SyS_clone+0x37/0x50 kernel/fork.c:2053 do_syscall_64+0x197/0x490 arch/x86/entry/common.c:280 return_from_SYSCALL_64+0x0/0x7a Freed: PID = 3 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 save_stack+0x43/0xd0 mm/kasan/kasan.c:495 set_track mm/kasan/kasan.c:507 [inline] kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:571 slab_free_hook mm/slub.c:1355 [inline] slab_free_freelist_hook mm/slub.c:1377 [inline] slab_free mm/slub.c:2958 [inline] kfree+0xf0/0x2f0 mm/slub.c:3878 in6_dev_finish_destroy_rcu+0x9d/0xc0 net/ipv6/addrconf_core.c:150 __rcu_reclaim kernel/rcu/rcu.h:118 [inline] rcu_do_batch kernel/rcu/tree.c:2789 [inline] invoke_rcu_callbacks kernel/rcu/tree.c:3053 [inline] __rcu_process_callbacks kernel/rcu/tree.c:3020 [inline] rcu_process_callbacks+0x871/0x12c0 kernel/rcu/tree.c:3037 __do_softirq+0x206/0x951 kernel/softirq.c:284 Memory state around the buggy address: ffff8801a5a9bf00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff8801a5a9bf80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff8801a5a9c000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff8801a5a9c080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8801a5a9c100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ================================================================== ================================================================== BUG: KASAN: use-after-free in ip6_dst_ifdown+0x2f1/0x320 net/ipv6/route.c:400 at addr ffff8801a5a9c000 Read of size 8 by task syz-executor4/8622 CPU: 0 PID: 8622 Comm: syz-executor4 Tainted: G B 4.9.65-gea83e4a #95 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 ffff8801aaa17890 ffffffff81d90469 ffff8801da001140 ffff8801a5a9c000 ffff8801a5a9c400 ffffed0034b53800 ffff8801a5a9c000 ffff8801aaa178b8 ffffffff8153a3fc ffffed0034b53800 ffff8801da001140 0000000000000000 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xc1/0x128 lib/dump_stack.c:51 [] kasan_object_err+0x1c/0x70 mm/kasan/report.c:160 [] print_address_description mm/kasan/report.c:198 [inline] [] kasan_report_error mm/kasan/report.c:287 [inline] [] kasan_report.part.1+0x21c/0x500 mm/kasan/report.c:309 [] kasan_report mm/kasan/report.c:330 [inline] [] __asan_report_load8_noabort+0x29/0x30 mm/kasan/report.c:330 [] ip6_dst_ifdown+0x2f1/0x320 net/ipv6/route.c:400 [] dst_ifdown+0x75/0x230 net/core/dst.c:440 [] dst_dev_event+0xb1/0x2e0 net/core/dst.c:467 [] notifier_call_chain+0x90/0x1a0 kernel/notifier.c:93 [] __raw_notifier_call_chain kernel/notifier.c:394 [inline] [] raw_notifier_call_chain+0x2d/0x40 kernel/notifier.c:401 [] call_netdevice_notifiers_info+0x51/0x90 net/core/dev.c:1646 [] call_netdevice_notifiers net/core/dev.c:1662 [inline] [] __dev_notify_flags+0x197/0x270 net/core/dev.c:6488 [] dev_change_flags+0xf5/0x140 net/core/dev.c:6519 [] devinet_ioctl+0xe35/0x14b0 net/ipv4/devinet.c:1052 [] inet_ioctl+0x117/0x1c0 net/ipv4/af_inet.c:908 [] sock_do_ioctl+0x65/0xb0 net/socket.c:892 [] sock_ioctl+0x2e0/0x3d0 net/socket.c:978 [] vfs_ioctl fs/ioctl.c:43 [inline] [] do_vfs_ioctl+0x1aa/0x1140 fs/ioctl.c:679 [] SYSC_ioctl fs/ioctl.c:694 [inline] [] SyS_ioctl+0x8f/0xc0 fs/ioctl.c:685 [] entry_SYSCALL_64_fastpath+0x23/0xc6 Object at ffff8801a5a9c000, in cache kmalloc-1024 size: 1024 Allocated: PID = 3293 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 save_stack+0x43/0xd0 mm/kasan/kasan.c:495 set_track mm/kasan/kasan.c:507 [inline] kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598 kmem_cache_alloc_trace+0xfb/0x2a0 mm/slub.c:2742 kmalloc include/linux/slab.h:490 [inline] kzalloc include/linux/slab.h:636 [inline] ipv6_add_dev+0xbb/0x1000 net/ipv6/addrconf.c:371 addrconf_notify+0xa5e/0x2190 net/ipv6/addrconf.c:3356 notifier_call_chain+0x90/0x1a0 kernel/notifier.c:93 __raw_notifier_call_chain kernel/notifier.c:394 [inline] raw_notifier_call_chain+0x2d/0x40 kernel/notifier.c:401 call_netdevice_notifiers_info+0x51/0x90 net/core/dev.c:1646 call_netdevice_notifiers net/core/dev.c:1662 [inline] register_netdevice+0xb92/0xea0 net/core/dev.c:7294 register_netdev+0x1a/0x30 net/core/dev.c:7377 loopback_net_init+0x76/0x160 drivers/net/loopback.c:202 ops_init+0xa9/0x3a0 net/core/net_namespace.c:111 setup_net+0x1b2/0x3e0 net/core/net_namespace.c:291 copy_net_ns+0x189/0x280 net/core/net_namespace.c:389 create_new_namespaces+0x37f/0x730 kernel/nsproxy.c:106 copy_namespaces+0x291/0x320 kernel/nsproxy.c:164 copy_process.part.51+0x1c99/0x5d40 kernel/fork.c:1667 copy_process kernel/fork.c:1491 [inline] _do_fork+0x1c0/0xd70 kernel/fork.c:1949 SYSC_clone kernel/fork.c:2059 [inline] SyS_clone+0x37/0x50 kernel/fork.c:2053 do_syscall_64+0x197/0x490 arch/x86/entry/common.c:280 return_from_SYSCALL_64+0x0/0x7a Freed: PID = 3 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 save_stack+0x43/0xd0 mm/kasan/kasan.c:495 set_track mm/kasan/kasan.c:507 [inline] kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:571 slab_free_hook mm/slub.c:1355 [inline] slab_free_freelist_hook mm/slub.c:1377 [inline] slab_free mm/slub.c:2958 [inline] kfree+0xf0/0x2f0 mm/slub.c:3878 in6_dev_finish_destroy_rcu+0x9d/0xc0 net/ipv6/addrconf_core.c:150 __rcu_reclaim kernel/rcu/rcu.h:118 [inline] rcu_do_batch kernel/rcu/tree.c:2789 [inline] invoke_rcu_callbacks kernel/rcu/tree.c:3053 [inline] __rcu_process_callbacks kernel/rcu/tree.c:3020 [inline] rcu_process_callbacks+0x871/0x12c0 kernel/rcu/tree.c:3037 __do_softirq+0x206/0x951 kernel/softirq.c:284 Memory state around the buggy address: ffff8801a5a9bf00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff8801a5a9bf80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff8801a5a9c000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff8801a5a9c080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8801a5a9c100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ================================================================== ================================================================== BUG: KASAN: use-after-free in ip6_dst_ifdown+0x2f1/0x320 net/ipv6/route.c:400 at addr ffff8801a5a9c000 Read of size 8 by task syz-executor7/8603 CPU: 0 PID: 8603 Comm: syz-executor7 Tainted: G B 4.9.65-gea83e4a #95 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 ffff8801d01d7698 ffffffff81d90469 ffff8801da001140 ffff8801a5a9c000 ffff8801a5a9c400 ffffed0034b53800 ffff8801a5a9c000 ffff8801d01d76c0 ffffffff8153a3fc ffffed0034b53800 ffff8801da001140 0000000000000000 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xc1/0x128 lib/dump_stack.c:51 [] kasan_object_err+0x1c/0x70 mm/kasan/report.c:160 [] print_address_description mm/kasan/report.c:198 [inline] [] kasan_report_error mm/kasan/report.c:287 [inline] [] kasan_report.part.1+0x21c/0x500 mm/kasan/report.c:309 [] kasan_report mm/kasan/report.c:330 [inline] [] __asan_report_load8_noabort+0x29/0x30 mm/kasan/report.c:330 [] ip6_dst_ifdown+0x2f1/0x320 net/ipv6/route.c:400 [] dst_ifdown+0x75/0x230 net/core/dst.c:440 [] dst_dev_event+0xb1/0x2e0 net/core/dst.c:467 [] notifier_call_chain+0x90/0x1a0 kernel/notifier.c:93 [] __raw_notifier_call_chain kernel/notifier.c:394 [inline] [] raw_notifier_call_chain+0x2d/0x40 kernel/notifier.c:401 [] call_netdevice_notifiers_info+0x51/0x90 net/core/dev.c:1646 [] call_netdevice_notifiers net/core/dev.c:1662 [inline] [] netdev_run_todo+0x17a/0x6b0 net/core/dev.c:7499 [] rtnl_unlock+0xe/0x10 net/core/rtnetlink.c:104 [] tun_detach drivers/net/tun.c:579 [inline] [] tun_chr_close+0x49/0x60 drivers/net/tun.c:2379 [] __fput+0x28c/0x6e0 fs/file_table.c:208 [] ____fput+0x15/0x20 fs/file_table.c:244 [] task_work_run+0x115/0x190 kernel/task_work.c:116 [] exit_task_work include/linux/task_work.h:21 [inline] [] do_exit+0x7e7/0x2a40 kernel/exit.c:833 [] do_group_exit+0x108/0x320 kernel/exit.c:937 [] get_signal+0x4d4/0x14e0 kernel/signal.c:2315 [] do_signal+0x87/0x1a00 arch/x86/kernel/signal.c:807 [] exit_to_usermode_loop+0xe1/0x120 arch/x86/entry/common.c:156 [] prepare_exit_to_usermode arch/x86/entry/common.c:190 [inline] [] syscall_return_slowpath+0x1a0/0x1e0 arch/x86/entry/common.c:259 [] entry_SYSCALL_64_fastpath+0xc4/0xc6 Object at ffff8801a5a9c000, in cache kmalloc-1024 size: 1024 Allocated: PID = 3293 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 save_stack+0x43/0xd0 mm/kasan/kasan.c:495 set_track mm/kasan/kasan.c:507 [inline] kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598 kmem_cache_alloc_trace+0xfb/0x2a0 mm/slub.c:2742 kmalloc include/linux/slab.h:490 [inline] kzalloc include/linux/slab.h:636 [inline] ipv6_add_dev+0xbb/0x1000 net/ipv6/addrconf.c:371 addrconf_notify+0xa5e/0x2190 net/ipv6/addrconf.c:3356 notifier_call_chain+0x90/0x1a0 kernel/notifier.c:93 __raw_notifier_call_chain kernel/notifier.c:394 [inline] raw_notifier_call_chain+0x2d/0x40 kernel/notifier.c:401 call_netdevice_notifiers_info+0x51/0x90 net/core/dev.c:1646 call_netdevice_notifiers net/core/dev.c:1662 [inline] register_netdevice+0xb92/0xea0 net/core/dev.c:7294 register_netdev+0x1a/0x30 net/core/dev.c:7377 loopback_net_init+0x76/0x160 drivers/net/loopback.c:202 ops_init+0xa9/0x3a0 net/core/net_namespace.c:111 setup_net+0x1b2/0x3e0 net/core/net_namespace.c:291 copy_net_ns+0x189/0x280 net/core/net_namespace.c:389 create_new_namespaces+0x37f/0x730 kernel/nsproxy.c:106 copy_namespaces+0x291/0x320 kernel/nsproxy.c:164 copy_process.part.51+0x1c99/0x5d40 kernel/fork.c:1667 copy_process kernel/fork.c:1491 [inline] _do_fork+0x1c0/0xd70 kernel/fork.c:1949 SYSC_clone kernel/fork.c:2059 [inline] SyS_clone+0x37/0x50 kernel/fork.c:2053 do_syscall_64+0x197/0x490 arch/x86/entry/common.c:280 return_from_SYSCALL_64+0x0/0x7a Freed: PID = 3 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 save_stack+0x43/0xd0 mm/kasan/kasan.c:495 set_track mm/kasan/kasan.c:507 [inline] kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:571 slab_free_hook mm/slub.c:1355 [inline] slab_free_freelist_hook mm/slub.c:1377 [inline] slab_free mm/slub.c:2958 [inline] kfree+0xf0/0x2f0 mm/slub.c:3878 in6_dev_finish_destroy_rcu+0x9d/0xc0 net/ipv6/addrconf_core.c:150 __rcu_reclaim kernel/rcu/rcu.h:118 [inline] rcu_do_batch kernel/rcu/tree.c:2789 [inline] invoke_rcu_callbacks kernel/rcu/tree.c:3053 [inline] __rcu_process_callbacks kernel/rcu/tree.c:3020 [inline] rcu_process_callbacks+0x871/0x12c0 kernel/rcu/tree.c:3037 __do_softirq+0x206/0x951 kernel/softirq.c:284 Memory state around the buggy address: ffff8801a5a9bf00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff8801a5a9bf80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff8801a5a9c000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff8801a5a9c080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8801a5a9c100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ================================================================== ================================================================== BUG: KASAN: use-after-free in ip6_dst_ifdown+0x2f1/0x320 net/ipv6/route.c:400 at addr ffff8801a5a9c000 Read of size 8 by task syz-executor7/8603 CPU: 0 PID: 8603 Comm: syz-executor7 Tainted: G B 4.9.65-gea83e4a #95 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 ffff8801d01d7698 ffffffff81d90469 ffff8801da001140 ffff8801a5a9c000 ffff8801a5a9c400 ffffed0034b53800 ffff8801a5a9c000 ffff8801d01d76c0 ffffffff8153a3fc ffffed0034b53800 ffff8801da001140 0000000000000000 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xc1/0x128 lib/dump_stack.c:51 [] kasan_object_err+0x1c/0x70 mm/kasan/report.c:160 [] print_address_description mm/kasan/report.c:198 [inline] [] kasan_report_error mm/kasan/report.c:287 [inline] [] kasan_report.part.1+0x21c/0x500 mm/kasan/report.c:309 [] kasan_report mm/kasan/report.c:330 [inline] [] __asan_report_load8_noabort+0x29/0x30 mm/kasan/report.c:330 [] ip6_dst_ifdown+0x2f1/0x320 net/ipv6/route.c:400 [] dst_ifdown+0x75/0x230 net/core/dst.c:440 [] dst_dev_event+0xb1/0x2e0 net/core/dst.c:467 [] notifier_call_chain+0x90/0x1a0 kernel/notifier.c:93 [] __raw_notifier_call_chain kernel/notifier.c:394 [inline] [] raw_notifier_call_chain+0x2d/0x40 kernel/notifier.c:401 [] call_netdevice_notifiers_info+0x51/0x90 net/core/dev.c:1646 [] call_netdevice_notifiers net/core/dev.c:1662 [inline] [] netdev_run_todo+0x17a/0x6b0 net/core/dev.c:7499 [] rtnl_unlock+0xe/0x10 net/core/rtnetlink.c:104 [] tun_detach drivers/net/tun.c:579 [inline] [] tun_chr_close+0x49/0x60 drivers/net/tun.c:2379 [] __fput+0x28c/0x6e0 fs/file_table.c:208 [] ____fput+0x15/0x20 fs/file_table.c:244 [] task_work_run+0x115/0x190 kernel/task_work.c:116 [] exit_task_work include/linux/task_work.h:21 [inline] [] do_exit+0x7e7/0x2a40 kernel/exit.c:833 [] do_group_exit+0x108/0x320 kernel/exit.c:937 [] get_signal+0x4d4/0x14e0 kernel/signal.c:2315 [] do_signal+0x87/0x1a00 arch/x86/kernel/signal.c:807 [] exit_to_usermode_loop+0xe1/0x120 arch/x86/entry/common.c:156 [] prepare_exit_to_usermode arch/x86/entry/common.c:190 [inline] [] syscall_return_slowpath+0x1a0/0x1e0 arch/x86/entry/common.c:259 [] entry_SYSCALL_64_fastpath+0xc4/0xc6 Object at ffff8801a5a9c000, in cache kmalloc-1024 size: 1024 Allocated: PID = 3293 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 save_stack+0x43/0xd0 mm/kasan/kasan.c:495 set_track mm/kasan/kasan.c:507 [inline] kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598 kmem_cache_alloc_trace+0xfb/0x2a0 mm/slub.c:2742 kmalloc include/linux/slab.h:490 [inline] kzalloc include/linux/slab.h:636 [inline] ipv6_add_dev+0xbb/0x1000 net/ipv6/addrconf.c:371 addrconf_notify+0xa5e/0x2190 net/ipv6/addrconf.c:3356 notifier_call_chain+0x90/0x1a0 kernel/notifier.c:93 __raw_notifier_call_chain kernel/notifier.c:394 [inline] raw_notifier_call_chain+0x2d/0x40 kernel/notifier.c:401 call_netdevice_notifiers_info+0x51/0x90 net/core/dev.c:1646 call_netdevice_notifiers net/core/dev.c:1662 [inline] register_netdevice+0xb92/0xea0 net/core/dev.c:7294 register_netdev+0x1a/0x30 net/core/dev.c:7377 loopback_net_init+0x76/0x160 drivers/net/loopback.c:202 ops_init+0xa9/0x3a0 net/core/net_namespace.c:111 setup_net+0x1b2/0x3e0 net/core/net_namespace.c:291 copy_net_ns+0x189/0x280 net/core/net_namespace.c:389 create_new_namespaces+0x37f/0x730 kernel/nsproxy.c:106 copy_namespaces+0x291/0x320 kernel/nsproxy.c:164 copy_process.part.51+0x1c99/0x5d40 kernel/fork.c:1667 copy_process kernel/fork.c:1491 [inline] _do_fork+0x1c0/0xd70 kernel/fork.c:1949 SYSC_clone kernel/fork.c:2059 [inline] SyS_clone+0x37/0x50 kernel/fork.c:2053 do_syscall_64+0x197/0x490 arch/x86/entry/common.c:280 return_from_SYSCALL_64+0x0/0x7a Freed: PID = 3 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 save_stack+0x43/0xd0 mm/kasan/kasan.c:495 set_track mm/kasan/kasan.c:507 [inline] kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:571 slab_free_hook mm/slub.c:1355 [inline] slab_free_freelist_hook mm/slub.c:1377 [inline] slab_free mm/slub.c:2958 [inline] kfree+0xf0/0x2f0 mm/slub.c:3878 in6_dev_finish_destroy_rcu+0x9d/0xc0 net/ipv6/addrconf_core.c:150 __rcu_reclaim kernel/rcu/rcu.h:118 [inline] rcu_do_batch kernel/rcu/tree.c:2789 [inline] invoke_rcu_callbacks kernel/rcu/tree.c:3053 [inline] __rcu_process_callbacks kernel/rcu/tree.c:3020 [inline] rcu_process_callbacks+0x871/0x12c0 kernel/rcu/tree.c:3037 __do_softirq+0x206/0x951 kernel/softirq.c:284 Memory state around the buggy address: ffff8801a5a9bf00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff8801a5a9bf80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff8801a5a9c000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff8801a5a9c080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8801a5a9c100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ================================================================== ================================================================== BUG: KASAN: use-after-free in ip6_dst_ifdown+0x2f1/0x320 net/ipv6/route.c:400 at addr ffff8801a5a9c000 Read of size 8 by task syz-executor7/8603 CPU: 0 PID: 8603 Comm: syz-executor7 Tainted: G B 4.9.65-gea83e4a #95 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 ffff8801d01d7698 ffffffff81d90469 ffff8801da001140 ffff8801a5a9c000 ffff8801a5a9c400 ffffed0034b53800 ffff8801a5a9c000 ffff8801d01d76c0 ffffffff8153a3fc ffffed0034b53800 ffff8801da001140 0000000000000000 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xc1/0x128 lib/dump_stack.c:51 [] kasan_object_err+0x1c/0x70 mm/kasan/report.c:160 [] print_address_description mm/kasan/report.c:198 [inline] [] kasan_report_error mm/kasan/report.c:287 [inline] [] kasan_report.part.1+0x21c/0x500 mm/kasan/report.c:309 [] kasan_report mm/kasan/report.c:330 [inline] [] __asan_report_load8_noabort+0x29/0x30 mm/kasan/report.c:330 [] ip6_dst_ifdown+0x2f1/0x320 net/ipv6/route.c:400 [] dst_ifdown+0x75/0x230 net/core/dst.c:440 [] dst_dev_event+0xb1/0x2e0 net/core/dst.c:467 [] notifier_call_chain+0x90/0x1a0 kernel/notifier.c:93 [] __raw_notifier_call_chain kernel/notifier.c:394 [inline] [] raw_notifier_call_chain+0x2d/0x40 kernel/notifier.c:401 [] call_netdevice_notifiers_info+0x51/0x90 net/core/dev.c:1646 [] call_netdevice_notifiers net/core/dev.c:1662 [inline] [] netdev_run_todo+0x17a/0x6b0 net/core/dev.c:7499 [] rtnl_unlock+0xe/0x10 net/core/rtnetlink.c:104 [] tun_detach drivers/net/tun.c:579 [inline] [] tun_chr_close+0x49/0x60 drivers/net/tun.c:2379 [] __fput+0x28c/0x6e0 fs/file_table.c:208 [] ____fput+0x15/0x20 fs/file_table.c:244 [] task_work_run+0x115/0x190 kernel/task_work.c:116 [] exit_task_work include/linux/task_work.h:21 [inline] [] do_exit+0x7e7/0x2a40 kernel/exit.c:833 [] do_group_exit+0x108/0x320 kernel/exit.c:937 [] get_signal+0x4d4/0x14e0 kernel/signal.c:2315 [] do_signal+0x87/0x1a00 arch/x86/kernel/signal.c:807 [] exit_to_usermode_loop+0xe1/0x120 arch/x86/entry/common.c:156 [] prepare_exit_to_usermode arch/x86/entry/common.c:190 [inline] [] syscall_return_slowpath+0x1a0/0x1e0 arch/x86/entry/common.c:259 [] entry_SYSCALL_64_fastpath+0xc4/0xc6 Object at ffff8801a5a9c000, in cache kmalloc-1024 size: 1024 Allocated: PID = 3293 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 save_stack+0x43/0xd0 mm/kasan/kasan.c:495 set_track mm/kasan/kasan.c:507 [inline] kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598 kmem_cache_alloc_trace+0xfb/0x2a0 mm/slub.c:2742 kmalloc include/linux/slab.h:490 [inline] kzalloc include/linux/slab.h:636 [inline] ipv6_add_dev+0xbb/0x1000 net/ipv6/addrconf.c:371 addrconf_notify+0xa5e/0x2190 net/ipv6/addrconf.c:3356 notifier_call_chain+0x90/0x1a0 kernel/notifier.c:93 __raw_notifier_call_chain kernel/notifier.c:394 [inline] raw_notifier_call_chain+0x2d/0x40 kernel/notifier.c:401 call_netdevice_notifiers_info+0x51/0x90 net/core/dev.c:1646 call_netdevice_notifiers net/core/dev.c:1662 [inline] register_netdevice+0xb92/0xea0 net/core/dev.c:7294 register_netdev+0x1a/0x30 net/core/dev.c:7377 loopback_net_init+0x76/0x160 drivers/net/loopback.c:202 ops_init+0xa9/0x3a0 net/core/net_namespace.c:111 setup_net+0x1b2/0x3e0 net/core/net_namespace.c:291 copy_net_ns+0x189/0x280 net/core/net_namespace.c:389 create_new_namespaces+0x37f/0x730 kernel/nsproxy.c:106 copy_namespaces+0x291/0x320 kernel/nsproxy.c:164 copy_process.part.51+0x1c99/0x5d40 kernel/fork.c:1667 copy_process kernel/fork.c:1491 [inline] _do_fork+0x1c0/0xd70 kernel/fork.c:1949 SYSC_clone kernel/fork.c:2059 [inline] SyS_clone+0x37/0x50 kernel/fork.c:2053 do_syscall_64+0x197/0x490 arch/x86/entry/common.c:280 return_from_SYSCALL_64+0x0/0x7a Freed: PID = 3 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 save_stack+0x43/0xd0 mm/kasan/kasan.c:495 set_track mm/kasan/kasan.c:507 [inline] kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:571 slab_free_hook mm/slub.c:1355 [inline] slab_free_freelist_hook mm/slub.c:1377 [inline] slab_free mm/slub.c:2958 [inline] kfree+0xf0/0x2f0 mm/slub.c:3878 in6_dev_finish_destroy_rcu+0x9d/0xc0 net/ipv6/addrconf_core.c:150 __rcu_reclaim kernel/rcu/rcu.h:118 [inline] rcu_do_batch kernel/rcu/tree.c:2789 [inline] invoke_rcu_callbacks kernel/rcu/tree.c:3053 [inline] __rcu_process_callbacks kernel/rcu/tree.c:3020 [inline] rcu_process_callbacks+0x871/0x12c0 kernel/rcu/tree.c:3037 __do_softirq+0x206/0x951 kernel/softirq.c:284 Memory state around the buggy address: ffff8801a5a9bf00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff8801a5a9bf80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff8801a5a9c000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff8801a5a9c080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8801a5a9c100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ================================================================== ================================================================== BUG: KASAN: use-after-free in ip6_dst_ifdown+0x2f1/0x320 net/ipv6/route.c:400 at addr ffff8801a5a9c000 Read of size 8 by task syz-executor4/8646 CPU: 0 PID: 8646 Comm: syz-executor4 Tainted: G B 4.9.65-gea83e4a #95 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 ffff8801a9287698 ffffffff81d90469 ffff8801da001140 ffff8801a5a9c000 ffff8801a5a9c400 ffffed0034b53800 ffff8801a5a9c000 ffff8801a92876c0 ffffffff8153a3fc ffffed0034b53800 ffff8801da001140 0000000000000000 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xc1/0x128 lib/dump_stack.c:51 [] kasan_object_err+0x1c/0x70 mm/kasan/report.c:160 [] print_address_description mm/kasan/report.c:198 [inline] [] kasan_report_error mm/kasan/report.c:287 [inline] [] kasan_report.part.1+0x21c/0x500 mm/kasan/report.c:309 [] kasan_report mm/kasan/report.c:330 [inline] [] __asan_report_load8_noabort+0x29/0x30 mm/kasan/report.c:330 [] ip6_dst_ifdown+0x2f1/0x320 net/ipv6/route.c:400 [] dst_ifdown+0x75/0x230 net/core/dst.c:440 [] dst_dev_event+0xb1/0x2e0 net/core/dst.c:467 [] notifier_call_chain+0x90/0x1a0 kernel/notifier.c:93 [] __raw_notifier_call_chain kernel/notifier.c:394 [inline] [] raw_notifier_call_chain+0x2d/0x40 kernel/notifier.c:401 [] call_netdevice_notifiers_info+0x51/0x90 net/core/dev.c:1646 [] call_netdevice_notifiers net/core/dev.c:1662 [inline] [] netdev_run_todo+0x17a/0x6b0 net/core/dev.c:7499 [] rtnl_unlock+0xe/0x10 net/core/rtnetlink.c:104 [] tun_detach drivers/net/tun.c:579 [inline] [] tun_chr_close+0x49/0x60 drivers/net/tun.c:2379 [] __fput+0x28c/0x6e0 fs/file_table.c:208 [] ____fput+0x15/0x20 fs/file_table.c:244 [] task_work_run+0x115/0x190 kernel/task_work.c:116 [] exit_task_work include/linux/task_work.h:21 [inline] [] do_exit+0x7e7/0x2a40 kernel/exit.c:833 [] do_group_exit+0x108/0x320 kernel/exit.c:937 [] get_signal+0x4d4/0x14e0 kernel/signal.c:2315 [] do_signal+0x87/0x1a00 arch/x86/kernel/signal.c:807 [] exit_to_usermode_loop+0xe1/0x120 arch/x86/entry/common.c:156 [] prepare_exit_to_usermode arch/x86/entry/common.c:190 [inline] [] syscall_return_slowpath+0x1a0/0x1e0 arch/x86/entry/common.c:259 [] entry_SYSCALL_64_fastpath+0xc4/0xc6 Object at ffff8801a5a9c000, in cache kmalloc-1024 size: 1024 Allocated: PID = 3293 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 save_stack+0x43/0xd0 mm/kasan/kasan.c:495 set_track mm/kasan/kasan.c:507 [inline] kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598 kmem_cache_alloc_trace+0xfb/0x2a0 mm/slub.c:2742 kmalloc include/linux/slab.h:490 [inline] kzalloc include/linux/slab.h:636 [inline] ipv6_add_dev+0xbb/0x1000 net/ipv6/addrconf.c:371 addrconf_notify+0xa5e/0x2190 net/ipv6/addrconf.c:3356 notifier_call_chain+0x90/0x1a0 kernel/notifier.c:93 __raw_notifier_call_chain kernel/notifier.c:394 [inline] raw_notifier_call_chain+0x2d/0x40 kernel/notifier.c:401 call_netdevice_notifiers_info+0x51/0x90 net/core/dev.c:1646 call_netdevice_notifiers net/core/dev.c:1662 [inline] register_netdevice+0xb92/0xea0 net/core/dev.c:7294 register_netdev+0x1a/0x30 net/core/dev.c:7377 loopback_net_init+0x76/0x160 drivers/net/loopback.c:202 ops_init+0xa9/0x3a0 net/core/net_namespace.c:111 setup_net+0x1b2/0x3e0 net/core/net_namespace.c:291 copy_net_ns+0x189/0x280 net/core/net_namespace.c:389 create_new_namespaces+0x37f/0x730 kernel/nsproxy.c:106 copy_namespaces+0x291/0x320 kernel/nsproxy.c:164 copy_process.part.51+0x1c99/0x5d40 kernel/fork.c:1667 copy_process kernel/fork.c:1491 [inline] _do_fork+0x1c0/0xd70 kernel/fork.c:1949 SYSC_clone kernel/fork.c:2059 [inline] SyS_clone+0x37/0x50 kernel/fork.c:2053 do_syscall_64+0x197/0x490 arch/x86/entry/common.c:280 return_from_SYSCALL_64+0x0/0x7a Freed: PID = 3 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 save_stack+0x43/0xd0 mm/kasan/kasan.c:495 set_track mm/kasan/kasan.c:507 [inline] kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:571 slab_free_hook mm/slub.c:1355 [inline] slab_free_freelist_hook mm/slub.c:1377 [inline] slab_free mm/slub.c:2958 [inline] kfree+0xf0/0x2f0 mm/slub.c:3878 in6_dev_finish_destroy_rcu+0x9d/0xc0 net/ipv6/addrconf_core.c:150 __rcu_reclaim kernel/rcu/rcu.h:118 [inline] rcu_do_batch kernel/rcu/tree.c:2789 [inline] invoke_rcu_callbacks kernel/rcu/tree.c:3053 [inline] __rcu_process_callbacks kernel/rcu/tree.c:3020 [inline] rcu_process_callbacks+0x871/0x12c0 kernel/rcu/tree.c:3037 __do_softirq+0x206/0x951 kernel/softirq.c:284 Memory state around the buggy address: ffff8801a5a9bf00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff8801a5a9bf80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff8801a5a9c000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff8801a5a9c080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8801a5a9c100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ================================================================== ================================================================== BUG: KASAN: use-after-free in ip6_dst_ifdown+0x2f1/0x320 net/ipv6/route.c:400 at addr ffff8801a5a9c000 Read of size 8 by task syz-executor4/8646 CPU: 0 PID: 8646 Comm: syz-executor4 Tainted: G B 4.9.65-gea83e4a #95 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 ffff8801a9287698 ffffffff81d90469 ffff8801da001140 ffff8801a5a9c000 ffff8801a5a9c400 ffffed0034b53800 ffff8801a5a9c000 ffff8801a92876c0 ffffffff8153a3fc ffffed0034b53800 ffff8801da001140 0000000000000000 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xc1/0x128 lib/dump_stack.c:51 [] kasan_object_err+0x1c/0x70 mm/kasan/report.c:160 [] print_address_description mm/kasan/report.c:198 [inline] [] kasan_report_error mm/kasan/report.c:287 [inline] [] kasan_report.part.1+0x21c/0x500 mm/kasan/report.c:309 [] kasan_report mm/kasan/report.c:330 [inline] [] __asan_report_load8_noabort+0x29/0x30 mm/kasan/report.c:330 [] ip6_dst_ifdown+0x2f1/0x320 net/ipv6/route.c:400 [] dst_ifdown+0x75/0x230 net/core/dst.c:440 [] dst_dev_event+0xb1/0x2e0 net/core/dst.c:467 [] notifier_call_chain+0x90/0x1a0 kernel/notifier.c:93 [] __raw_notifier_call_chain kernel/notifier.c:394 [inline] [] raw_notifier_call_chain+0x2d/0x40 kernel/notifier.c:401 [] call_netdevice_notifiers_info+0x51/0x90 net/core/dev.c:1646 [] call_netdevice_notifiers net/core/dev.c:1662 [inline] [] netdev_run_todo+0x17a/0x6b0 net/core/dev.c:7499 [] rtnl_unlock+0xe/0x10 net/core/rtnetlink.c:104 [] tun_detach drivers/net/tun.c:579 [inline] [] tun_chr_close+0x49/0x60 drivers/net/tun.c:2379 [] __fput+0x28c/0x6e0 fs/file_table.c:208 [] ____fput+0x15/0x20 fs/file_table.c:244 [] task_work_run+0x115/0x190 kernel/task_work.c:116 [] exit_task_work include/linux/task_work.h:21 [inline] [] do_exit+0x7e7/0x2a40 kernel/exit.c:833 [] do_group_exit+0x108/0x320 kernel/exit.c:937 [] get_signal+0x4d4/0x14e0 kernel/signal.c:2315 [] do_signal+0x87/0x1a00 arch/x86/kernel/signal.c:807 [] exit_to_usermode_loop+0xe1/0x120 arch/x86/entry/common.c:156 [] prepare_exit_to_usermode arch/x86/entry/common.c:190 [inline] [] syscall_return_slowpath+0x1a0/0x1e0 arch/x86/entry/common.c:259 [] entry_SYSCALL_64_fastpath+0xc4/0xc6 Object at ffff8801a5a9c000, in cache kmalloc-1024 size: 1024 Allocated: PID = 3293 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 save_stack+0x43/0xd0 mm/kasan/kasan.c:495 set_track mm/kasan/kasan.c:507 [inline] kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598 kmem_cache_alloc_trace+0xfb/0x2a0 mm/slub.c:2742 kmalloc include/linux/slab.h:490 [inline] kzalloc include/linux/slab.h:636 [inline] ipv6_add_dev+0xbb/0x1000 net/ipv6/addrconf.c:371 addrconf_notify+0xa5e/0x2190 net/ipv6/addrconf.c:3356 notifier_call_chain+0x90/0x1a0 kernel/notifier.c:93 __raw_notifier_call_chain kernel/notifier.c:394 [inline] raw_notifier_call_chain+0x2d/0x40 kernel/notifier.c:401 call_netdevice_notifiers_info+0x51/0x90 net/core/dev.c:1646 call_netdevice_notifiers net/core/dev.c:1662 [inline] register_netdevice+0xb92/0xea0 net/core/dev.c:7294 register_netdev+0x1a/0x30 net/core/dev.c:7377 loopback_net_init+0x76/0x160 drivers/net/loopback.c:202 ops_init+0xa9/0x3a0 net/core/net_namespace.c:111 setup_net+0x1b2/0x3e0 net/core/net_namespace.c:291 copy_net_ns+0x189/0x280 net/core/net_namespace.c:389 create_new_namespaces+0x37f/0x730 kernel/nsproxy.c:106 copy_namespaces+0x291/0x320 kernel/nsproxy.c:164 copy_process.part.51+0x1c99/0x5d40 kernel/fork.c:1667 copy_process kernel/fork.c:1491 [inline] _do_fork+0x1c0/0xd70 kernel/fork.c:1949 SYSC_clone kernel/fork.c:2059 [inline] SyS_clone+0x37/0x50 kernel/fork.c:2053 do_syscall_64+0x197/0x490 arch/x86/entry/common.c:280 return_from_SYSCALL_64+0x0/0x7a Freed: PID = 3 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 save_stack+0x43/0xd0 mm/kasan/kasan.c:495 set_track mm/kasan/kasan.c:507 [inline] kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:571 slab_free_hook mm/slub.c:1355 [inline] slab_free_freelist_hook mm/slub.c:1377 [inline] slab_free mm/slub.c:2958 [inline] kfree+0xf0/0x2f0 mm/slub.c:3878 in6_dev_finish_destroy_rcu+0x9d/0xc0 net/ipv6/addrconf_core.c:150 __rcu_reclaim kernel/rcu/rcu.h:118 [inline] rcu_do_batch kernel/rcu/tree.c:2789 [inline] invoke_rcu_callbacks kernel/rcu/tree.c:3053 [inline] __rcu_process_callbacks kernel/rcu/tree.c:3020 [inline] rcu_process_callbacks+0x871/0x12c0 kernel/rcu/tree.c:3037 __do_softirq+0x206/0x951 kernel/softirq.c:284 Memory state around the buggy address: ffff8801a5a9bf00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff8801a5a9bf80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff8801a5a9c000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff8801a5a9c080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8801a5a9c100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ================================================================== ================================================================== BUG: KASAN: use-after-free in ip6_dst_ifdown+0x2f1/0x320 net/ipv6/route.c:400 at addr ffff8801a5a9c000 Read of size 8 by task syz-executor4/8646 CPU: 0 PID: 8646 Comm: syz-executor4 Tainted: G B 4.9.65-gea83e4a #95 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 ffff8801a9287698 ffffffff81d90469 ffff8801da001140 ffff8801a5a9c000 ffff8801a5a9c400 ffffed0034b53800 ffff8801a5a9c000 ffff8801a92876c0 ffffffff8153a3fc ffffed0034b53800 ffff8801da001140 0000000000000000 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xc1/0x128 lib/dump_stack.c:51 [] kasan_object_err+0x1c/0x70 mm/kasan/report.c:160 [] print_address_description mm/kasan/report.c:198 [inline] [] kasan_report_error mm/kasan/report.c:287 [inline] [] kasan_report.part.1+0x21c/0x500 mm/kasan/report.c:309 [] kasan_report mm/kasan/report.c:330 [inline] [] __asan_report_load8_noabort+0x29/0x30 mm/kasan/report.c:330 [] ip6_dst_ifdown+0x2f1/0x320 net/ipv6/route.c:400 [] dst_ifdown+0x75/0x230 net/core/dst.c:440 [] dst_dev_event+0xb1/0x2e0 net/core/dst.c:467 [] notifier_call_chain+0x90/0x1a0 kernel/notifier.c:93 [] __raw_notifier_call_chain kernel/notifier.c:394 [inline] [] raw_notifier_call_chain+0x2d/0x40 kernel/notifier.c:401 [] call_netdevice_notifiers_info+0x51/0x90 net/core/dev.c:1646 [] call_netdevice_notifiers net/core/dev.c:1662 [inline] [] netdev_run_todo+0x17a/0x6b0 net/core/dev.c:7499 [] rtnl_unlock+0xe/0x10 net/core/rtnetlink.c:104 [] tun_detach drivers/net/tun.c:579 [inline] [] tun_chr_close+0x49/0x60 drivers/net/tun.c:2379 [] __fput+0x28c/0x6e0 fs/file_table.c:208 [] ____fput+0x15/0x20 fs/file_table.c:244 [] task_work_run+0x115/0x190 kernel/task_work.c:116 [] exit_task_work include/linux/task_work.h:21 [inline] [] do_exit+0x7e7/0x2a40 kernel/exit.c:833 [] do_group_exit+0x108/0x320 kernel/exit.c:937 [] get_signal+0x4d4/0x14e0 kernel/signal.c:2315 [] do_signal+0x87/0x1a00 arch/x86/kernel/signal.c:807 [] exit_to_usermode_loop+0xe1/0x120 arch/x86/entry/common.c:156 [] prepare_exit_to_usermode arch/x86/entry/common.c:190 [inline] [] syscall_return_slowpath+0x1a0/0x1e0 arch/x86/entry/common.c:259 [] entry_SYSCALL_64_fastpath+0xc4/0xc6 Object at ffff8801a5a9c000, in cache kmalloc-1024 size: 1024 Allocated: PID = 3293 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 save_stack+0x43/0xd0 mm/kasan/kasan.c:495 set_track mm/kasan/kasan.c:507 [inline] kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598 kmem_cache_alloc_trace+0xfb/0x2a0 mm/slub.c:2742 kmalloc include/linux/slab.h:490 [inline] kzalloc include/linux/slab.h:636 [inline] ipv6_add_dev+0xbb/0x1000 net/ipv6/addrconf.c:371 addrconf_notify+0xa5e/0x2190 net/ipv6/addrconf.c:3356 notifier_call_chain+0x90/0x1a0 kernel/notifier.c:93 __raw_notifier_call_chain kernel/notifier.c:394 [inline] raw_notifier_call_chain+0x2d/0x40 kernel/notifier.c:401 call_netdevice_notifiers_info+0x51/0x90 net/core/dev.c:1646 call_netdevice_notifiers net/core/dev.c:1662 [inline] register_netdevice+0xb92/0xea0 net/core/dev.c:7294 register_netdev+0x1a/0x30 net/core/dev.c:7377 loopback_net_init+0x76/0x160 drivers/net/loopback.c:202 ops_init+0xa9/0x3a0 net/core/net_namespace.c:111 setup_net+0x1b2/0x3e0 net/core/net_namespace.c:291 copy_net_ns+0x189/0x280 net/core/net_namespace.c:389 create_new_namespaces+0x37f/0x730 kernel/nsproxy.c:106 copy_namespaces+0x291/0x320 kernel/nsproxy.c:164 copy_process.part.51+0x1c99/0x5d40 kernel/fork.c:1667 copy_process kernel/fork.c:1491 [inline] _do_fork+0x1c0/0xd70 kernel/fork.c:1949 SYSC_clone kernel/fork.c:2059 [inline] SyS_clone+0x37/0x50 kernel/fork.c:2053 do_syscall_64+0x197/0x490 arch/x86/entry/common.c:280 return_from_SYSCALL_64+0x0/0x7a Freed: PID = 3 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 save_stack+0x43/0xd0 mm/kasan/kasan.c:495 set_track mm/kasan/kasan.c:507 [inline] kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:571 slab_free_hook mm/slub.c:1355 [inline] slab_free_freelist_hook mm/slub.c:1377 [inline] slab_free mm/slub.c:2958 [inline] kfree+0xf0/0x2f0 mm/slub.c:3878 in6_dev_finish_destroy_rcu+0x9d/0xc0 net/ipv6/addrconf_core.c:150 __rcu_reclaim kernel/rcu/rcu.h:118 [inline] rcu_do_batch kernel/rcu/tree.c:2789 [inline] invoke_rcu_callbacks kernel/rcu/tree.c:3053 [inline] __rcu_process_callbacks kernel/rcu/tree.c:3020 [inline] rcu_process_callbacks+0x871/0x12c0 kernel/rcu/tree.c:3037 __do_softirq+0x206/0x951 kernel/softirq.c:284 Memory state around the buggy address: ffff8801a5a9bf00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff8801a5a9bf80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff8801a5a9c000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff8801a5a9c080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8801a5a9c100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ================================================================== unregister_netdevice: waiting for lo to become free. Usage count = 3