IPVS: Creating netns size=2720 id=2
IPVS: ftp: loaded support on port[0] = 21
IPVS: Creating netns size=2720 id=3
IPVS: ftp: loaded support on port[0] = 21
==================================================================
BUG: KASAN: use-after-free in ida_get_new_above+0x2eb/0x5d0 lib/idr.c:295 at addr ffff88006baffc00
Write of size 128 by task syz-executor0/5627
CPU: 1 PID: 5627 Comm: syz-executor0 Not tainted 4.10.0+ #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1 04/01/2014
Call Trace:
 __dump_stack lib/dump_stack.c:16 [inline]
 dump_stack+0xe6/0x120 lib/dump_stack.c:52
 kasan_object_err+0x1c/0x70 mm/kasan/report.c:162
 print_address_description mm/kasan/report.c:200 [inline]
 kasan_report_error mm/kasan/report.c:289 [inline]
 kasan_report.part.2+0x1e1/0x4a0 mm/kasan/report.c:311
 kasan_report+0x20/0x30 mm/kasan/report.c:298
 check_memory_region_inline mm/kasan/kasan.c:319 [inline]
 check_memory_region+0x13d/0x1a0 mm/kasan/kasan.c:333
 memset+0x23/0x40 mm/kasan/kasan.c:351
 ida_get_new_above+0x2eb/0x5d0 lib/idr.c:295
 ida_simple_get+0xd1/0x170 lib/idr.c:447
 __kernfs_new_node+0x84/0x290 fs/kernfs/dir.c:633
 kernfs_new_node+0x5e/0xe0 fs/kernfs/dir.c:661
 kernfs_create_dir_ns+0x24/0x120 fs/kernfs/dir.c:933
 sysfs_create_dir_ns+0xa2/0x1b0 fs/sysfs/dir.c:55
 create_dir lib/kobject.c:71 [inline]
 kobject_add_internal+0x343/0x980 lib/kobject.c:229
 kset_register+0x20/0x50 lib/kobject.c:817
 kset_create_and_add+0x10d/0x170 lib/kobject.c:947
 register_queue_kobjects net/core/net-sysfs.c:1393 [inline]
 netdev_register_kobject+0x195/0x3a0 net/core/net-sysfs.c:1608
 register_netdevice+0x7c6/0xd60 net/core/dev.c:7296
 register_netdev+0x15/0x30 net/core/dev.c:7408
 ip6_tnl_init_net+0x3ea/0x670 net/ipv6/ip6_tunnel.c:2194
 ops_init+0x95/0x390 net/core/net_namespace.c:117
 setup_net+0x21b/0x520 net/core/net_namespace.c:293
 copy_net_ns+0x134/0x3b0 net/core/net_namespace.c:398
 create_new_namespaces+0x354/0x660 kernel/nsproxy.c:106
 unshare_nsproxy_namespaces+0x8a/0x190 kernel/nsproxy.c:205
 SYSC_unshare kernel/fork.c:2306 [inline]
 SyS_unshare+0x308/0x6b0 kernel/fork.c:2256
 entry_SYSCALL_64_fastpath+0x23/0xc6
RIP: 0033:0x458187
RSP: 002b:00007ffc4ab977c8 EFLAGS: 00000206 ORIG_RAX: 0000000000000110
RAX: ffffffffffffffda RBX: 00007ffc4ab977d0 RCX: 0000000000458187
RDX: 0000000000000000 RSI: 00007ffc4ab977b0 RDI: 0000000040000000
RBP: 0000000000000082 R08: 0000000000000000 R09: 0000000000000018
R10: 0000000000000000 R11: 0000000000000206 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
Object at ffff88006baffc00, in cache kmalloc-128 size: 128
Allocated:
PID = 5619
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59
 save_stack+0x46/0xd0 mm/kasan/kasan.c:513
 set_track mm/kasan/kasan.c:525 [inline]
 kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:616
 kmem_cache_alloc_trace+0x142/0x800 mm/slab.c:3635
 kmalloc include/linux/slab.h:490 [inline]
 ida_pre_get+0xa8/0xc0 lib/radix-tree.c:2129
 get_anon_bdev+0x68/0x1a0 fs/super.c:941
 set_anon_super fs/super.c:980 [inline]
 ns_set_super+0x3a/0x50 fs/super.c:1011
 sget_userns+0x758/0xb20 fs/super.c:508
 mount_ns+0x5d/0x170 fs/super.c:1026
 proc_mount+0x6d/0xa0 fs/proc/root.c:100
 mount_fs+0x7c/0x2c0 fs/super.c:1223
 vfs_kern_mount+0x66/0x3c0 fs/namespace.c:979
 kern_mount_data+0x36/0x90 fs/namespace.c:3293
 pid_ns_prepare_proc+0x1b/0x60 fs/proc/root.c:221
 alloc_pid+0x8e7/0xb80 kernel/pid.c:324
 copy_process.part.36+0x3352/0x5ce0 kernel/fork.c:1711
 copy_process kernel/fork.c:1522 [inline]
 _do_fork+0x160/0xbb0 kernel/fork.c:1985
 SYSC_clone kernel/fork.c:2095 [inline]
 SyS_clone+0x14/0x20 kernel/fork.c:2089
 do_syscall_64+0x1ba/0x5b0 arch/x86/entry/common.c:281
 return_from_SYSCALL_64+0x0/0x7a
Freed:
PID = 5620
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59
 save_stack+0x46/0xd0 mm/kasan/kasan.c:513
 set_track mm/kasan/kasan.c:525 [inline]
 kasan_slab_free+0x70/0xb0 mm/kasan/kasan.c:589
 __cache_free mm/slab.c:3511 [inline]
 kfree+0xcf/0x2c0 mm/slab.c:3828
 ida_pre_get+0x6f/0xc0 lib/radix-tree.c:2133
 mnt_alloc_id fs/namespace.c:107 [inline]
 alloc_vfsmnt+0x49/0x720 fs/namespace.c:209
 clone_mnt+0x6c/0xf00 fs/namespace.c:1019
 copy_tree+0x322/0x8e0 fs/namespace.c:1803
 copy_mnt_ns+0xdc/0xcb0 fs/namespace.c:2935
 create_new_namespaces+0xc5/0x660 kernel/nsproxy.c:74
 unshare_nsproxy_namespaces+0x8a/0x190 kernel/nsproxy.c:205
 SYSC_unshare kernel/fork.c:2306 [inline]
 SyS_unshare+0x308/0x6b0 kernel/fork.c:2256
 entry_SYSCALL_64_fastpath+0x23/0xc6
Memory state around the buggy address:
 ffff88006baffb00: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
 ffff88006baffb80: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
>ffff88006baffc00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                   ^
 ffff88006baffc80: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
 ffff88006baffd00: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
==================================================================