IPVS: Creating netns size=2720 id=2
IPVS: ftp: loaded support on port[0] = 21
==================================================================
BUG: KASAN: use-after-free in ida_get_new_above+0x2eb/0x5d0 lib/idr.c:295 at addr ffff8800649956c0
Write of size 128 by task syz-executor2/5333
CPU: 1 PID: 5333 Comm: syz-executor2 Not tainted 4.10.0+ #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1 04/01/2014
Call Trace:
 __dump_stack lib/dump_stack.c:16 [inline]
 dump_stack+0xe6/0x120 lib/dump_stack.c:52
 kasan_object_err+0x1c/0x70 mm/kasan/report.c:162
 print_address_description mm/kasan/report.c:200 [inline]
 kasan_report_error mm/kasan/report.c:289 [inline]
 kasan_report.part.2+0x1e1/0x4a0 mm/kasan/report.c:311
 kasan_report+0x20/0x30 mm/kasan/report.c:298
 check_memory_region_inline mm/kasan/kasan.c:319 [inline]
 check_memory_region+0x13d/0x1a0 mm/kasan/kasan.c:333
 memset+0x23/0x40 mm/kasan/kasan.c:351
 ida_get_new_above+0x2eb/0x5d0 lib/idr.c:295
 ida_simple_get+0xd1/0x170 lib/idr.c:447
 __kernfs_new_node+0x84/0x290 fs/kernfs/dir.c:633
 kernfs_new_node+0x5e/0xe0 fs/kernfs/dir.c:661
 __kernfs_create_file+0x2d/0x2c0 fs/kernfs/file.c:988
 sysfs_add_file_mode_ns+0x1d0/0x4e0 fs/sysfs/file.c:305
 sysfs_create_file_ns+0x6c/0xb0 fs/sysfs/file.c:332
 sysfs_create_file include/linux/sysfs.h:494 [inline]
 populate_dir lib/kobject.c:58 [inline]
 create_dir lib/kobject.c:75 [inline]
 kobject_add_internal+0x4ef/0x980 lib/kobject.c:229
 kobject_add_varg lib/kobject.c:366 [inline]
 kobject_init_and_add+0xc5/0x110 lib/kobject.c:438
 netdev_queue_add_kobject net/core/net-sysfs.c:1335 [inline]
 netdev_queue_update_kobjects+0xd7/0x300 net/core/net-sysfs.c:1364
 register_queue_kobjects net/core/net-sysfs.c:1406 [inline]
 netdev_register_kobject+0x258/0x3a0 net/core/net-sysfs.c:1608
 register_netdevice+0x7c6/0xd60 net/core/dev.c:7296
 __ip_tunnel_create+0x313/0x410 net/ipv4/ip_tunnel.c:281
 ip_tunnel_init_net+0x1bd/0x430 net/ipv4/ip_tunnel.c:1017
 ipgre_init_net+0x18/0x20 net/ipv4/ip_gre.c:766
 ops_init+0x95/0x390 net/core/net_namespace.c:117
 setup_net+0x21b/0x520 net/core/net_namespace.c:293
 copy_net_ns+0x134/0x3b0 net/core/net_namespace.c:398
 create_new_namespaces+0x354/0x660 kernel/nsproxy.c:106
 unshare_nsproxy_namespaces+0x8a/0x190 kernel/nsproxy.c:205
 SYSC_unshare kernel/fork.c:2306 [inline]
 SyS_unshare+0x308/0x6b0 kernel/fork.c:2256
 entry_SYSCALL_64_fastpath+0x23/0xc6
RIP: 0033:0x4582a7
RSP: 002b:00007ffffc216438 EFLAGS: 00000206 ORIG_RAX: 0000000000000110
RAX: ffffffffffffffda RBX: 00007ffffc216440 RCX: 00000000004582a7
RDX: 0000000000000000 RSI: 00007ffffc216420 RDI: 0000000040000000
RBP: 0000000000000082 R08: 0000000000000000 R09: 0000000000000018
R10: 0000000000000000 R11: 0000000000000206 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
Object at ffff8800649956c0, in cache kmalloc-128 size: 128
Allocated:
PID = 5333
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59
 save_stack+0x46/0xd0 mm/kasan/kasan.c:513
 set_track mm/kasan/kasan.c:525 [inline]
 kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:616
 kmem_cache_alloc_trace+0x142/0x800 mm/slab.c:3635
 kmalloc include/linux/slab.h:490 [inline]
 ida_pre_get+0xa8/0xc0 lib/radix-tree.c:2129
 proc_alloc_inum+0x9b/0x150 fs/proc/generic.c:197
 proc_register+0x20/0x2a0 fs/proc/generic.c:338
 proc_mkdir_data+0xe9/0x160 fs/proc/generic.c:441
 proc_net_mkdir include/linux/proc_fs.h:84 [inline]
 nfs_fs_proc_net_init+0x161/0x340 fs/nfs/client.c:1294
 nfs_net_init+0x15/0x20 fs/nfs/inode.c:2051
 ops_init+0x95/0x390 net/core/net_namespace.c:117
 setup_net+0x21b/0x520 net/core/net_namespace.c:293
 copy_net_ns+0x134/0x3b0 net/core/net_namespace.c:398
 create_new_namespaces+0x354/0x660 kernel/nsproxy.c:106
 unshare_nsproxy_namespaces+0x8a/0x190 kernel/nsproxy.c:205
 SYSC_unshare kernel/fork.c:2306 [inline]
 SyS_unshare+0x308/0x6b0 kernel/fork.c:2256
 entry_SYSCALL_64_fastpath+0x23/0xc6
Freed:
PID = 5334
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59
 save_stack+0x46/0xd0 mm/kasan/kasan.c:513
 set_track mm/kasan/kasan.c:525 [inline]
 kasan_slab_free+0x70/0xb0 mm/kasan/kasan.c:589
 __cache_free mm/slab.c:3511 [inline]
 kfree+0xcf/0x2c0 mm/slab.c:3828
 ida_pre_get+0x6f/0xc0 lib/radix-tree.c:2133
 mnt_alloc_id fs/namespace.c:107 [inline]
 alloc_vfsmnt+0x49/0x720 fs/namespace.c:209
 clone_mnt+0x6c/0xf00 fs/namespace.c:1019
 copy_tree+0x322/0x8e0 fs/namespace.c:1803
 copy_mnt_ns+0xdc/0xcb0 fs/namespace.c:2935
 create_new_namespaces+0xc5/0x660 kernel/nsproxy.c:74
 unshare_nsproxy_namespaces+0x8a/0x190 kernel/nsproxy.c:205
 SYSC_unshare kernel/fork.c:2306 [inline]
 SyS_unshare+0x308/0x6b0 kernel/fork.c:2256
 entry_SYSCALL_64_fastpath+0x23/0xc6
Memory state around the buggy address:
 ffff880064995580: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
 ffff880064995600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff880064995680: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
                                           ^
 ffff880064995700: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
 ffff880064995780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================