bisecting cause commit starting from 0011572c883082a95e02d47f45fc4a42dc0e8634
building syzkaller on 442206d76b974cca2d83ec763d4cf5ee829eb7d6
testing commit 0011572c883082a95e02d47f45fc4a42dc0e8634 with gcc (GCC) 8.1.0
run #0: crashed: KASAN: use-after-free Read in pneigh_get_next
run #1: crashed: KASAN: use-after-free Read in pneigh_get_next
run #2: crashed: KASAN: use-after-free Read in pneigh_get_next
run #3: crashed: KASAN: use-after-free Read in pneigh_get_next
run #4: crashed: KASAN: use-after-free Read in pneigh_get_next
run #5: crashed: KASAN: use-after-free Read in pneigh_get_next
run #6: crashed: KASAN: use-after-free Read in pneigh_get_next
run #7: crashed: KASAN: use-after-free Read in sprintf
run #8: crashed: KASAN: use-after-free Read in pneigh_get_next
run #9: crashed: KASAN: use-after-free Read in pneigh_get_next
testing release v5.1
testing commit e93c9c99a629c61837d5a7fc2120cd2b6c70dbdd with gcc (GCC) 8.1.0
run #0: crashed: KASAN: use-after-free Read in pneigh_get_next
run #1: crashed: KASAN: use-after-free Read in pneigh_get_next
run #2: crashed: KASAN: use-after-free Read in pneigh_get_next
run #3: crashed: KASAN: use-after-free Read in pneigh_get_next
run #4: crashed: KASAN: use-after-free Read in pneigh_get_next
run #5: crashed: KASAN: use-after-free Read in pneigh_get_next
run #6: crashed: KASAN: use-after-free Read in pneigh_get_next
run #7: crashed: KASAN: use-after-free Read in pneigh_get_next
run #8: crashed: KASAN: use-after-free Read in pneigh_get_next
run #9: OK
testing release v5.0
testing commit 1c163f4c7b3f621efff9b28a47abb36f7378d783 with gcc (GCC) 8.1.0
run #0: crashed: KASAN: use-after-free Read in pneigh_get_next
run #1: crashed: KASAN: use-after-free Read in pneigh_get_next
run #2: crashed: KASAN: use-after-free Read in pneigh_get_next
run #3: crashed: KASAN: use-after-free Read in sprintf
run #4: crashed: KASAN: use-after-free Read in pneigh_get_next
run #5: crashed: KASAN: use-after-free Read in pneigh_get_next
run #6: crashed: KASAN: use-after-free Read in pneigh_get_next
run #7: crashed: KASAN: use-after-free Read in pneigh_get_next
run #8: crashed: KASAN: use-after-free Read in pneigh_get_next
run #9: OK
testing release v4.20
testing commit 8fe28cb58bcb235034b64cbbb7550a8a43fd88be with gcc (GCC) 8.1.0
run #0: crashed: KASAN: use-after-free Read in pneigh_get_next
run #1: crashed: KASAN: use-after-free Read in pneigh_get_next
run #2: crashed: KASAN: use-after-free Read in pneigh_get_next
run #3: crashed: KASAN: use-after-free Read in pneigh_get_next
run #4: crashed: KASAN: use-after-free Read in pneigh_get_next
run #5: crashed: KASAN: use-after-free Read in pneigh_get_next
run #6: crashed: KASAN: use-after-free Read in pneigh_get_next
run #7: OK
run #8: OK
run #9: OK
testing release v4.19
testing commit 84df9525b0c27f3ebc2ebb1864fa62a97fdedb7d with gcc (GCC) 8.1.0
run #0: crashed: KASAN: use-after-free Read in pneigh_get_next
run #1: crashed: KASAN: use-after-free Read in pneigh_get_next
run #2: crashed: KASAN: use-after-free Read in pneigh_get_next
run #3: crashed: KASAN: use-after-free Read in pneigh_get_next
run #4: crashed: KASAN: use-after-free Read in pneigh_get_next
run #5: crashed: KASAN: use-after-free Read in pneigh_get_next
run #6: crashed: KASAN: use-after-free Read in pneigh_get_next
run #7: crashed: KASAN: use-after-free Read in pneigh_get_next
run #8: crashed: KASAN: use-after-free Read in pneigh_get_next
run #9: crashed: KASAN: use-after-free Read in sprintf
testing release v4.18
testing commit 94710cac0ef4ee177a63b5227664b38c95bbf703 with gcc (GCC) 8.1.0
all runs: crashed: KASAN: use-after-free Read in pneigh_get_next
testing release v4.17
testing commit 29dcea88779c856c7dc92040a0c01233263101d4 with gcc (GCC) 8.1.0
all runs: crashed: KASAN: use-after-free Read in pneigh_get_next
testing release v4.16
testing commit 0adb32858b0bddf4ada5f364a84ed60b196dbcda with gcc (GCC) 8.1.0
all runs: crashed: KASAN: use-after-free Read in pneigh_get_next
testing release v4.15
testing commit d8a5b80568a9cb66810e75b182018e9edb68e8ff with gcc (GCC) 8.1.0
run #0: crashed: KASAN: use-after-free Read in pneigh_get_next
run #1: crashed: KASAN: use-after-free Read in pneigh_get_next
run #2: crashed: KASAN: use-after-free Read in pneigh_get_next
run #3: crashed: KASAN: use-after-free Read in sprintf
run #4: crashed: KASAN: use-after-free Read in pneigh_get_next
run #5: crashed: KASAN: use-after-free Read in pneigh_get_next
run #6: crashed: KASAN: use-after-free Read in pneigh_get_next
run #7: crashed: KASAN: use-after-free Read in pneigh_get_next
run #8: crashed: KASAN: use-after-free Read in pneigh_get_next
run #9: crashed: KASAN: use-after-free Read in sprintf
testing release v4.14
testing commit bebc6082da0a9f5d47a1ea2edc099bf671058bd4 with gcc (GCC) 8.1.0
all runs: crashed: KASAN: use-after-free Read in pneigh_get_next
testing release v4.13
testing commit 569dbb88e80deb68974ef6fdd6a13edb9d686261 with gcc (GCC) 8.1.0
run #0: crashed: KASAN: use-after-free Read in pneigh_get_next
run #1: crashed: KASAN: use-after-free Read in sprintf
run #2: crashed: KASAN: use-after-free Read in pneigh_get_next
run #3: crashed: KASAN: use-after-free Read in arp_seq_show
run #4: crashed: KASAN: use-after-free Read in pneigh_get_next
run #5: crashed: KASAN: use-after-free Read in pneigh_get_next
run #6: crashed: KASAN: use-after-free Read in pneigh_get_next
run #7: crashed: KASAN: use-after-free Read in arp_seq_show
run #8: crashed: KASAN: use-after-free Read in pneigh_get_next
run #9: crashed: KASAN: use-after-free Read in pneigh_get_next
testing release v4.12
testing commit 6f7da290413ba713f0cdd9ff1a2a9bb129ef4f6c with gcc (GCC) 8.1.0
run #0: crashed: KASAN: use-after-free Read in pneigh_get_next
run #1: crashed: KASAN: use-after-free Read in pneigh_get_next
run #2: crashed: KASAN: use-after-free Read in pneigh_get_next
run #3: crashed: KASAN: use-after-free Read in sprintf
run #4: crashed: KASAN: use-after-free Read in pneigh_get_next
run #5: crashed: KASAN: use-after-free Read in pneigh_get_next
run #6: crashed: KASAN: use-after-free Read in sprintf
run #7: crashed: KASAN: use-after-free Read in pneigh_get_next
run #8: crashed: KASAN: use-after-free Read in pneigh_get_next
run #9: crashed: KASAN: use-after-free Read in pneigh_get_next
testing release v4.11
testing commit a351e9b9fc24e982ec2f0e76379a49826036da12 with gcc (GCC) 7.3.0
run #0: crashed: KASAN: use-after-free Read in pneigh_get_next
run #1: crashed: KASAN: use-after-free Read in pneigh_get_next
run #2: crashed: KASAN: use-after-free Read in pneigh_get_next
run #3: crashed: KASAN: use-after-free Read in pneigh_get_next
run #4: crashed: KASAN: use-after-free Read in pneigh_get_next
run #5: crashed: KASAN: use-after-free Read in pneigh_get_next
run #6: crashed: KASAN: use-after-free Read in pneigh_get_next
run #7: crashed: KASAN: use-after-free Read in sprintf
run #8: crashed: KASAN: use-after-free Read in pneigh_get_next
run #9: crashed: KASAN: use-after-free Read in pneigh_get_next
testing release v4.10
testing commit c470abd4fde40ea6a0846a2beab642a578c0b8cd with gcc (GCC) 5.5.0
run #0: crashed: KASAN: use-after-free Read in pneigh_get_next
run #1: crashed: KASAN: use-after-free Read in pneigh_get_next
run #2: crashed: KASAN: use-after-free Read in pneigh_get_next
run #3: crashed: KASAN: use-after-free Read in sprintf
run #4: crashed: KASAN: use-after-free Read in pneigh_get_next
run #5: crashed: KASAN: use-after-free Read in sprintf
run #6: crashed: KASAN: use-after-free Read in sprintf
run #7: crashed: KASAN: use-after-free Read in pneigh_get_next
run #8: crashed: KASAN: use-after-free Read in pneigh_get_next
run #9: crashed: KASAN: use-after-free Read in pneigh_get_next
testing release v4.9
testing commit 69973b830859bc6529a7a0468ba0d80ee5117826 with gcc (GCC) 5.5.0
run #0: crashed: KASAN: use-after-free Read in pneigh_get_next
run #1: crashed: KASAN: use-after-free Read in sprintf
run #2: crashed: KASAN: use-after-free Read in pneigh_get_next
run #3: crashed: KASAN: use-after-free Read in pneigh_get_next
run #4: crashed: KASAN: use-after-free Read in pneigh_get_next
run #5: crashed: KASAN: use-after-free Read in pneigh_get_next
run #6: crashed: KASAN: use-after-free Read in pneigh_get_next
run #7: crashed: KASAN: use-after-free Read in pneigh_get_next
run #8: crashed: KASAN: use-after-free Read in sprintf
run #9: crashed: KASAN: use-after-free Read in pneigh_get_next
testing release v4.8
testing commit c8d2bc9bc39ebea8437fd974fdbc21847bb897a3 with gcc (GCC) 5.5.0
run #0: crashed: KASAN: use-after-free Read in pneigh_get_next
run #1: crashed: KASAN: use-after-free Read in pneigh_get_next
run #2: crashed: KASAN: use-after-free Read in pneigh_get_next
run #3: crashed: KASAN: use-after-free Read in pneigh_get_next
run #4: crashed: KASAN: use-after-free Read in pneigh_get_next
run #5: crashed: KASAN: use-after-free Read in pneigh_get_next
run #6: crashed: KASAN: use-after-free Read in pneigh_get_next
run #7: crashed: KASAN: use-after-free Read in pneigh_get_next
run #8: OK
run #9: OK
testing release v4.7
testing commit 523d939ef98fd712632d93a5a2b588e477a7565e with gcc (GCC) 5.5.0
run #0: OK
run #1: OK
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: boot failed: can't ssh into the instance
# git bisect start v4.8 v4.7
Bisecting: 7344 revisions left to test after this (roughly 13 steps)
[e61c10e468a42512f5fad74c00b62af5cc19f65f] sh: add device tree source for J2 FPGA on Mimas v2 board
testing commit e61c10e468a42512f5fad74c00b62af5cc19f65f with gcc (GCC) 5.5.0
all runs: OK
# git bisect good e61c10e468a42512f5fad74c00b62af5cc19f65f
Bisecting: 3672 revisions left to test after this (roughly 12 steps)
[b6e8d4aa1110306378af0f3472a6b85a1f039a16] rapidio: add RapidIO channelized messaging driver
testing commit b6e8d4aa1110306378af0f3472a6b85a1f039a16 with gcc (GCC) 5.5.0
run #0: crashed: KASAN: use-after-free Read in sprintf
run #1: crashed: KASAN: use-after-free Read in pneigh_get_next
run #2: crashed: KASAN: use-after-free Read in pneigh_get_next
run #3: crashed: KASAN: use-after-free Read in pneigh_get_next
run #4: crashed: KASAN: use-after-free Read in pneigh_get_next
run #5: crashed: KASAN: use-after-free Read in sprintf
run #6: crashed: KASAN: use-after-free Read in pneigh_get_next
run #7: crashed: KASAN: use-after-free Read in pneigh_get_next
run #8: OK
run #9: OK
# git bisect bad b6e8d4aa1110306378af0f3472a6b85a1f039a16
Bisecting: 1880 revisions left to test after this (roughly 11 steps)
[043248cd4e9603e2e8858c4e20810d8e40be7d9d] Merge tag 'armsoc-dt' of git://git.kernel.org/pub/scm/linux/kernel/git/arm/arm-soc
testing commit 043248cd4e9603e2e8858c4e20810d8e40be7d9d with gcc (GCC) 5.5.0
run #0: crashed: KASAN: use-after-free Read in pneigh_get_next
run #1: OK
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
# git bisect bad 043248cd4e9603e2e8858c4e20810d8e40be7d9d
Bisecting: 898 revisions left to test after this (roughly 10 steps)
[7a66ecfd319af8fe4f4c3eadf019b998c93d6687] Merge tag 'backlight-for-linus-4.8' of git://git.kernel.org/pub/scm/linux/kernel/git/lee/backlight
testing commit 7a66ecfd319af8fe4f4c3eadf019b998c93d6687 with gcc (GCC) 5.5.0
all runs: OK
# git bisect good 7a66ecfd319af8fe4f4c3eadf019b998c93d6687
Bisecting: 451 revisions left to test after this (roughly 9 steps)
[cd06b2a573d4a6cb37092235d084ae99e30493e0] Merge tag 'at91-ab-4.8-dt3' of git://git.kernel.org/pub/scm/linux/kernel/git/abelloni/linux into next/dt
testing commit cd06b2a573d4a6cb37092235d084ae99e30493e0 with gcc (GCC) 5.5.0
run #0: crashed: KASAN: use-after-free Read in sprintf
run #1: crashed: KASAN: use-after-free Read in pneigh_get_next
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
# git bisect bad cd06b2a573d4a6cb37092235d084ae99e30493e0
Bisecting: 205 revisions left to test after this (roughly 8 steps)
[ab4b4340c7d74310a132cb457665bf3d98fdff79] Merge tag 'imx-dt-4.8' of git://git.kernel.org/pub/scm/linux/kernel/git/shawnguo/linux into next/dt
testing commit ab4b4340c7d74310a132cb457665bf3d98fdff79 with gcc (GCC) 5.5.0
run #0: crashed: KASAN: use-after-free Read in pneigh_get_next
run #1: crashed: KASAN: use-after-free Read in sprintf
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
# git bisect bad ab4b4340c7d74310a132cb457665bf3d98fdff79
Bisecting: 117 revisions left to test after this (roughly 7 steps)
[35902cf1dae06f36e5304b79a7a540169e809969] Merge tag 'at91-ab-4.8-dt2' of git://git.kernel.org/pub/scm/linux/kernel/git/abelloni/linux into next/dt
testing commit 35902cf1dae06f36e5304b79a7a540169e809969 with gcc (GCC) 5.5.0
run #0: crashed: KASAN: use-after-free Read in pneigh_get_next
run #1: OK
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
# git bisect bad 35902cf1dae06f36e5304b79a7a540169e809969
Bisecting: 54 revisions left to test after this (roughly 6 steps)
[057b670df067ed6e7cee9c05f8a016258d976fd0] Merge tag 'renesas-dt-for-v4.8' of git://git.kernel.org/pub/scm/linux/kernel/git/horms/renesas into next/dt
testing commit 057b670df067ed6e7cee9c05f8a016258d976fd0 with gcc (GCC) 5.5.0
run #0: crashed: KASAN: use-after-free Read in pneigh_get_next
run #1: OK
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
# git bisect bad 057b670df067ed6e7cee9c05f8a016258d976fd0
Bisecting: 30 revisions left to test after this (roughly 5 steps)
[95eb940c0ec5f232f4ba033c121cabd5f9f379ee] Merge tag 'samsung-dt-odroid-xu-4.8' of git://git.kernel.org/pub/scm/linux/kernel/git/krzk/linux into next/dt
testing commit 95eb940c0ec5f232f4ba033c121cabd5f9f379ee with gcc (GCC) 5.5.0
run #0: crashed: KASAN: use-after-free Read in pneigh_get_next
run #1: OK
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
# git bisect bad 95eb940c0ec5f232f4ba033c121cabd5f9f379ee
Bisecting: 18 revisions left to test after this (roughly 4 steps)
[538fc7ad51b85bff727a147947300406a5ad220f] ARM: dts: exynos: Move HSI2C nodes to exynos54xx.dtsi
testing commit 538fc7ad51b85bff727a147947300406a5ad220f with gcc (GCC) 5.5.0
all runs: OK
# git bisect good 538fc7ad51b85bff727a147947300406a5ad220f
Bisecting: 9 revisions left to test after this (roughly 3 steps)
[aff138bf8e3736b29a0ec31160d8cb75f55f93ed] ARM: dts: exynos: Add TMU nodes regulator supply for Peach boards
testing commit aff138bf8e3736b29a0ec31160d8cb75f55f93ed with gcc (GCC) 5.5.0
all runs: OK
# git bisect good aff138bf8e3736b29a0ec31160d8cb75f55f93ed
Bisecting: 4 revisions left to test after this (roughly 2 steps)
[c1a3b0681717ee0a4f52d8cb8441842cbda654a6] ARM: dts: exynos: Add Thermal Management Unit to Exynos5410
testing commit c1a3b0681717ee0a4f52d8cb8441842cbda654a6 with gcc (GCC) 5.5.0
all runs: OK
# git bisect good c1a3b0681717ee0a4f52d8cb8441842cbda654a6
Bisecting: 2 revisions left to test after this (roughly 1 step)
[b8bd7e23bb0be762c39510497c931066dc62e62f] ARM: dts: exynos: Add watchdog and Security SubSystem to Exynos5410
testing commit b8bd7e23bb0be762c39510497c931066dc62e62f with gcc (GCC) 5.5.0
all runs: OK
# git bisect good b8bd7e23bb0be762c39510497c931066dc62e62f
Bisecting: 0 revisions left to test after this (roughly 1 step)
[effd786282d83a72d7fdaa3c9d144cf7e995e02b] Merge tag 'samsung-dt-4.8' of git://git.kernel.org/pub/scm/linux/kernel/git/krzk/linux into next/dt
testing commit effd786282d83a72d7fdaa3c9d144cf7e995e02b with gcc (GCC) 5.5.0
all runs: OK
# git bisect good effd786282d83a72d7fdaa3c9d144cf7e995e02b
95eb940c0ec5f232f4ba033c121cabd5f9f379ee is the first bad commit
revisions tested: 31, total time: 7h28m11.062449221s (build: 2h13m57.558655428s, test: 5h6m48.840174513s)
first bad commit: 95eb940c0ec5f232f4ba033c121cabd5f9f379ee Merge tag 'samsung-dt-odroid-xu-4.8' of git://git.kernel.org/pub/scm/linux/kernel/git/krzk/linux into next/dt
cc: ["devicetree@vger.kernel.org" "k.kozlowski@samsung.com" "kgene@kernel.org" "linux-arm-kernel@lists.infradead.org" "linux-kernel@vger.kernel.org" "linux-samsung-soc@vger.kernel.org" "linux@armlinux.org.uk" "mark.rutland@arm.com" "olof@lixom.net" "robh+dt@kernel.org"]
crash: KASAN: use-after-free Read in pneigh_get_next
==================================================================
BUG: KASAN: use-after-free in pneigh_get_next.isra.18+0x214/0x320 net/core/neighbour.c:2629 at addr ffff8800a21d7180
Read of size 8 by task syz-executor.3/15217
CPU: 0 PID: 15217 Comm: syz-executor.3 Not tainted 4.7.0-rc3+ #1
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 1ffffffff0d55dda ffff8800b829f1c0 ffffffff829ccc36 ffff8800a21d7180
 ffff8800b829f250 ffff8800a21d7180 ffff88012bc00200 ffff8800b829f240
 ffffffff81746e17 ffff8800b829f268 ffff8800b829f310 0000000000000282
Call Trace:
 [<ffffffff829ccc36>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff829ccc36>] dump_stack+0xe6/0x120 lib/dump_stack.c:51
 [<ffffffff81746e17>] object_err mm/kasan/report.c:139 [inline]
 [<ffffffff81746e17>] print_address_description mm/kasan/report.c:180 [inline]
 [<ffffffff81746e17>] kasan_report_error+0x1e7/0x5b0 mm/kasan/report.c:276
 [<ffffffff817472de>] kasan_report mm/kasan/report.c:298 [inline]
 [<ffffffff817472de>] __asan_report_load8_noabort+0x3e/0x40 mm/kasan/report.c:319
 [<ffffffff8464add4>] pneigh_get_next.isra.18+0x214/0x320 net/core/neighbour.c:2629
 [<ffffffff8464bc51>] neigh_seq_next+0x91/0x1c0 net/core/neighbour.c:2711
 [<ffffffff818096a4>] seq_read+0x9e4/0x11a0 fs/seq_file.c:268
 [<ffffffff818f7b9c>] proc_reg_read+0xbc/0x180 fs/proc/inode.c:203
 [<ffffffff81797944>] do_loop_readv_writev+0x134/0x210 fs/read_write.c:714
 [<ffffffff8179c235>] do_readv_writev+0x565/0x660 fs/read_write.c:845
 [<ffffffff8179c397>] vfs_readv+0x67/0xa0 fs/read_write.c:869
 [<ffffffff8183748d>] kernel_readv fs/splice.c:583 [inline]
 [<ffffffff8183748d>] default_file_splice_read+0x42d/0x800 fs/splice.c:659
 [<ffffffff81832e43>] do_splice_to+0xe3/0x140 fs/splice.c:1154
 [<ffffffff818330d5>] splice_direct_to_actor+0x235/0x7c0 fs/splice.c:1226
 [<ffffffff818337ae>] do_splice_direct+0x14e/0x260 fs/splice.c:1337
 [<ffffffff8179df00>] do_sendfile+0x4c0/0xe40 fs/read_write.c:1354
 [<ffffffff8179facd>] SYSC_sendfile64 fs/read_write.c:1415 [inline]
 [<ffffffff8179facd>] SyS_sendfile64+0x11d/0x120 fs/read_write.c:1401
 [<ffffffff85877900>] entry_SYSCALL_64_fastpath+0x23/0xc1
Object at ffff8800a21d7180, in cache kmalloc-64
Object freed, allocated with size 36 bytes
Allocation:
PID = 15229
 [<ffffffff8120b336>] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:67
 [<ffffffff81746086>] save_stack+0x46/0xd0 mm/kasan/kasan.c:476
 [<ffffffff817462da>] set_track mm/kasan/kasan.c:488 [inline]
 [<ffffffff817462da>] kasan_kmalloc+0xda/0x100 mm/kasan/kasan.c:586
 [<ffffffff817411c9>] __do_kmalloc mm/slab.c:3773 [inline]
 [<ffffffff817411c9>] __kmalloc+0x169/0x7a0 mm/slab.c:3782
 [<ffffffff8464955e>] kmalloc include/linux/slab.h:483 [inline]
 [<ffffffff8464955e>] pneigh_lookup+0x15e/0x3b0 net/core/neighbour.c:594
 [<ffffffff84b83183>] arp_req_set_public net/ipv4/arp.c:975 [inline]
 [<ffffffff84b83183>] arp_req_set+0x323/0x540 net/ipv4/arp.c:991
 [<ffffffff84b88125>] arp_ioctl+0x1c5/0x5c0 net/ipv4/arp.c:1186
 [<ffffffff84b9ef2b>] inet_ioctl+0x6b/0x170 net/ipv4/af_inet.c:865
 [<ffffffff845bd0e2>] sock_do_ioctl+0x62/0xa0 net/socket.c:866
 [<ffffffff845bd3c3>] sock_ioctl+0x2a3/0x390 net/socket.c:952
 [<ffffffff817d407f>] vfs_ioctl fs/ioctl.c:43 [inline]
 [<ffffffff817d407f>] do_vfs_ioctl+0x17f/0xec0 fs/ioctl.c:674
 [<ffffffff817d4e34>] SYSC_ioctl fs/ioctl.c:689 [inline]
 [<ffffffff817d4e34>] SyS_ioctl+0x74/0x80 fs/ioctl.c:680
 [<ffffffff85877900>] entry_SYSCALL_64_fastpath+0x23/0xc1
Deallocation:
PID = 15216
 [<ffffffff8120b336>] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:67
 [<ffffffff81746086>] save_stack+0x46/0xd0 mm/kasan/kasan.c:476
 [<ffffffff8174686b>] set_track mm/kasan/kasan.c:488 [inline]
 [<ffffffff8174686b>] kasan_slab_free+0x9b/0xd0 mm/kasan/kasan.c:540
 [<ffffffff817446be>] __cache_free mm/slab.c:3551 [inline]
 [<ffffffff817446be>] kfree+0xce/0x2c0 mm/slab.c:3868
 [<ffffffff84651f82>] pneigh_ifdown net/core/neighbour.c:662 [inline]
 [<ffffffff84651f82>] neigh_ifdown+0x162/0x220 net/core/neighbour.c:257
 [<ffffffff84b88533>] arp_ifdown+0x13/0x20 net/ipv4/arp.c:1232
 [<ffffffff84b95673>] inetdev_destroy net/ipv4/devinet.c:306 [inline]
 [<ffffffff84b95673>] inetdev_event+0x573/0xf60 net/ipv4/devinet.c:1480
 [<ffffffff813af26b>] notifier_call_chain+0x8b/0x170 kernel/notifier.c:93
 [<ffffffff813af371>] __raw_notifier_call_chain kernel/notifier.c:394 [inline]
 [<ffffffff813af371>] raw_notifier_call_chain+0x11/0x20 kernel/notifier.c:401
 [<ffffffff84613e77>] call_netdevice_notifiers_info+0x47/0x80 net/core/dev.c:1643
 [<ffffffff84620aea>] call_netdevice_notifiers net/core/dev.c:1659 [inline]
 [<ffffffff84620aea>] rollback_registered_many+0x3fa/0x740 net/core/dev.c:6611
 [<ffffffff84620e9f>] rollback_registered+0x6f/0x90 net/core/dev.c:6652
 [<ffffffff84620f28>] unregister_netdevice_queue+0x68/0x120 net/core/dev.c:7636
 [<ffffffff835b6644>] unregister_netdevice include/linux/netdevice.h:2363 [inline]
 [<ffffffff835b6644>] __tun_detach+0x764/0x9f0 drivers/net/tun.c:561
 [<ffffffff835b6910>] tun_detach drivers/net/tun.c:570 [inline]
 [<ffffffff835b6910>] tun_chr_close+0x40/0x60 drivers/net/tun.c:2343
 [<ffffffff817a052e>] __fput+0x20e/0x750 fs/file_table.c:208
 [<ffffffff817a0ad9>] ____fput+0x9/0x10 fs/file_table.c:244
 [<ffffffff813a74bc>] task_work_run+0xdc/0x150 kernel/task_work.c:115
 [<ffffffff810066d3>] tracehook_notify_resume include/linux/tracehook.h:191 [inline]
 [<ffffffff810066d3>] exit_to_usermode_loop+0x183/0x1c0 arch/x86/entry/common.c:233
 [<ffffffff81008815>] prepare_exit_to_usermode arch/x86/entry/common.c:264 [inline]
 [<ffffffff81008815>] syscall_return_slowpath+0x275/0x2f0 arch/x86/entry/common.c:329
 [<ffffffff8587799c>] entry_SYSCALL_64_fastpath+0xbf/0xc1
Memory state around the buggy address:
 ffff8800a21d7080: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
 ffff8800a21d7100: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
>ffff8800a21d7180: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
                   ^
 ffff8800a21d7200: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
 ffff8800a21d7280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
==================================================================
==================================================================
BUG: KASAN: use-after-free in read_pnet include/net/net_namespace.h:259 [inline] at addr ffff880129e6b008
BUG: KASAN: use-after-free in pneigh_net include/net/neighbour.h:352 [inline] at addr ffff880129e6b008
BUG: KASAN: use-after-free in pneigh_get_next.isra.18+0x1f7/0x320 net/core/neighbour.c:2630 at addr ffff880129e6b008
Read of size 8 by task syz-executor.3/15217
CPU: 0 PID: 15217 Comm: syz-executor.3 Tainted: G    B           4.7.0-rc3+ #1
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 1ffffffff0d55dda ffff8800b829f1c0 ffffffff829ccc36 ffff880129e6b000
 ffff8800b829f250 ffff880129e6b000 ffff88012bc00500 ffff8800b829f240
 ffffffff81746e17 0000000000000010 ffff880000000000 0000000000000282
Call Trace:
 [<ffffffff829ccc36>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff829ccc36>] dump_stack+0xe6/0x120 lib/dump_stack.c:51
 [<ffffffff81746e17>] object_err mm/kasan/report.c:139 [inline]
 [<ffffffff81746e17>] print_address_description mm/kasan/report.c:180 [inline]
 [<ffffffff81746e17>] kasan_report_error+0x1e7/0x5b0 mm/kasan/report.c:276
 [<ffffffff817472de>] kasan_report mm/kasan/report.c:298 [inline]
 [<ffffffff817472de>] __asan_report_load8_noabort+0x3e/0x40 mm/kasan/report.c:319
 [<ffffffff8464adb7>] read_pnet include/net/net_namespace.h:259 [inline]
 [<ffffffff8464adb7>] pneigh_net include/net/neighbour.h:352 [inline]
 [<ffffffff8464adb7>] pneigh_get_next.isra.18+0x1f7/0x320 net/core/neighbour.c:2630
 [<ffffffff8464bc51>] neigh_seq_next+0x91/0x1c0 net/core/neighbour.c:2711
 [<ffffffff818096a4>] seq_read+0x9e4/0x11a0 fs/seq_file.c:268
 [<ffffffff818f7b9c>] proc_reg_read+0xbc/0x180 fs/proc/inode.c:203
 [<ffffffff81797944>] do_loop_readv_writev+0x134/0x210 fs/read_write.c:714
 [<ffffffff8179c235>] do_readv_writev+0x565/0x660 fs/read_write.c:845
 [<ffffffff8179c397>] vfs_readv+0x67/0xa0 fs/read_write.c:869
 [<ffffffff8183748d>] kernel_readv fs/splice.c:583 [inline]
 [<ffffffff8183748d>] default_file_splice_read+0x42d/0x800 fs/splice.c:659
 [<ffffffff81832e43>] do_splice_to+0xe3/0x140 fs/splice.c:1154
 [<ffffffff818330d5>] splice_direct_to_actor+0x235/0x7c0 fs/splice.c:1226
 [<ffffffff818337ae>] do_splice_direct+0x14e/0x260 fs/splice.c:1337
 [<ffffffff8179df00>] do_sendfile+0x4c0/0xe40 fs/read_write.c:1354
 [<ffffffff8179facd>] SYSC_sendfile64 fs/read_write.c:1415 [inline]
 [<ffffffff8179facd>] SyS_sendfile64+0x11d/0x120 fs/read_write.c:1401
 [<ffffffff85877900>] entry_SYSCALL_64_fastpath+0x23/0xc1
Object at ffff880129e6b000, in cache kmalloc-256
Object freed, allocated with size 198 bytes
Allocation:
PID = 15217
 [<ffffffff8120b336>] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:67
 [<ffffffff81746086>] save_stack+0x46/0xd0 mm/kasan/kasan.c:476
 [<ffffffff817462da>] set_track mm/kasan/kasan.c:488 [inline]
 [<ffffffff817462da>] kasan_kmalloc+0xda/0x100 mm/kasan/kasan.c:586
 [<ffffffff817411c9>] __do_kmalloc mm/slab.c:3773 [inline]
 [<ffffffff817411c9>] __kmalloc+0x169/0x7a0 mm/slab.c:3782
 [<ffffffff81907716>] kmalloc include/linux/slab.h:483 [inline]
 [<ffffffff81907716>] kzalloc include/linux/slab.h:622 [inline]
 [<ffffffff81907716>] __proc_create+0x136/0x570 fs/proc/generic.c:381
 [<ffffffff819082c5>] proc_create_data+0x55/0x140 fs/proc/generic.c:499
 [<ffffffff84dcf5f0>] snmp6_register_dev+0xb0/0x130 net/ipv6/proc.c:282
 [<ffffffff84d056ac>] ipv6_add_dev+0x55c/0xfd0 net/ipv6/addrconf.c:382
 [<ffffffff84d18d44>] addrconf_notify+0x764/0x1cf0 net/ipv6/addrconf.c:3239
 [<ffffffff813af26b>] notifier_call_chain+0x8b/0x170 kernel/notifier.c:93
 [<ffffffff813af371>] __raw_notifier_call_chain kernel/notifier.c:394 [inline]
 [<ffffffff813af371>] raw_notifier_call_chain+0x11/0x20 kernel/notifier.c:401
 [<ffffffff84613e77>] call_netdevice_notifiers_info+0x47/0x80 net/core/dev.c:1643
 [<ffffffff8463a147>] call_netdevice_notifiers net/core/dev.c:1659 [inline]
 [<ffffffff8463a147>] register_netdevice+0x907/0xd60 net/core/dev.c:7100
 [<ffffffff835b8ac0>] tun_set_iff drivers/net/tun.c:1811 [inline]
 [<ffffffff835b8ac0>] __tun_chr_ioctl+0x13e0/0x3540 drivers/net/tun.c:2010
 [<ffffffff835bac4e>] tun_chr_ioctl+0xe/0x10 drivers/net/tun.c:2255
 [<ffffffff817d407f>] vfs_ioctl fs/ioctl.c:43 [inline]
 [<ffffffff817d407f>] do_vfs_ioctl+0x17f/0xec0 fs/ioctl.c:674
 [<ffffffff817d4e34>] SYSC_ioctl fs/ioctl.c:689 [inline]
 [<ffffffff817d4e34>] SyS_ioctl+0x74/0x80 fs/ioctl.c:680
 [<ffffffff85877900>] entry_SYSCALL_64_fastpath+0x23/0xc1
Deallocation:
PID = 15216
 [<ffffffff8120b336>] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:67
 [<ffffffff81746086>] save_stack+0x46/0xd0 mm/kasan/kasan.c:476
 [<ffffffff8174686b>] set_track mm/kasan/kasan.c:488 [inline]
 [<ffffffff8174686b>] kasan_slab_free+0x9b/0xd0 mm/kasan/kasan.c:540
 [<ffffffff817446be>] __cache_free mm/slab.c:3551 [inline]
 [<ffffffff817446be>] kfree+0xce/0x2c0 mm/slab.c:3868
 [<ffffffff81908743>] free_proc_entry fs/proc/generic.c:534 [inline]
 [<ffffffff81908743>] pde_put+0x73/0xc0 fs/proc/generic.c:540
 [<ffffffff8190923b>] remove_proc_subtree+0x1cb/0x240 fs/proc/generic.c:622
 [<ffffffff819092e8>] proc_remove+0x38/0x50 fs/proc/generic.c:637
 [<ffffffff84dcf71c>] snmp6_unregister_dev+0xac/0x120 net/ipv6/proc.c:299
 [<ffffffff84d0e8c1>] addrconf_ifdown+0xa51/0xcd0 net/ipv6/addrconf.c:3460
 [<ffffffff84d18cf0>] addrconf_notify+0x710/0x1cf0 net/ipv6/addrconf.c:3367
 [<ffffffff813af26b>] notifier_call_chain+0x8b/0x170 kernel/notifier.c:93
 [<ffffffff813af371>] __raw_notifier_call_chain kernel/notifier.c:394 [inline]
 [<ffffffff813af371>] raw_notifier_call_chain+0x11/0x20 kernel/notifier.c:401
 [<ffffffff84613e77>] call_netdevice_notifiers_info+0x47/0x80 net/core/dev.c:1643
 [<ffffffff84620aea>] call_netdevice_notifiers net/core/dev.c:1659 [inline]
 [<ffffffff84620aea>] rollback_registered_many+0x3fa/0x740 net/core/dev.c:6611
 [<ffffffff84620e9f>] rollback_registered+0x6f/0x90 net/core/dev.c:6652
 [<ffffffff84620f28>] unregister_netdevice_queue+0x68/0x120 net/core/dev.c:7636
 [<ffffffff835b6644>] unregister_netdevice include/linux/netdevice.h:2363 [inline]
 [<ffffffff835b6644>] __tun_detach+0x764/0x9f0 drivers/net/tun.c:561
 [<ffffffff835b6910>] tun_detach drivers/net/tun.c:570 [inline]
 [<ffffffff835b6910>] tun_chr_close+0x40/0x60 drivers/net/tun.c:2343
 [<ffffffff817a052e>] __fput+0x20e/0x750 fs/file_table.c:208
 [<ffffffff817a0ad9>] ____fput+0x9/0x10 fs/file_table.c:244
 [<ffffffff813a74bc>] task_work_run+0xdc/0x150 kernel/task_work.c:115
 [<ffffffff810066d3>] tracehook_notify_resume include/linux/tracehook.h:191 [inline]
 [<ffffffff810066d3>] exit_to_usermode_loop+0x183/0x1c0 arch/x86/entry/common.c:233
 [<ffffffff81008815>] prepare_exit_to_usermode arch/x86/entry/common.c:264 [inline]
 [<ffffffff81008815>] syscall_return_slowpath+0x275/0x2f0 arch/x86/entry/common.c:329
 [<ffffffff8587799c>] entry_SYSCALL_64_fastpath+0xbf/0xc1
Memory state around the buggy address:
 ffff880129e6af00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff880129e6af80: fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc
>ffff880129e6b000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                      ^
 ffff880129e6b080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff880129e6b100: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
==================================================================
==================================================================
BUG: KASAN: use-after-free in pneigh_get_next.isra.18+0x214/0x320 net/core/neighbour.c:2629 at addr ffff880129e6b000
Read of size 8 by task syz-executor.3/15217
CPU: 0 PID: 15217 Comm: syz-executor.3 Tainted: G    B           4.7.0-rc3+ #1
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 1ffffffff0d55dda ffff8800b829f1c0 ffffffff829ccc36 ffff880129e6b000
 ffff8800b829f250 ffff880129e6b000 ffff88012bc00500 ffff8800b829f240
 ffffffff81746e17 0000000000000010 ffff880000000000 0000000000000282
Call Trace:
 [<ffffffff829ccc36>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff829ccc36>] dump_stack+0xe6/0x120 lib/dump_stack.c:51
 [<ffffffff81746e17>] object_err mm/kasan/report.c:139 [inline]
 [<ffffffff81746e17>] print_address_description mm/kasan/report.c:180 [inline]
 [<ffffffff81746e17>] kasan_report_error+0x1e7/0x5b0 mm/kasan/report.c:276
 [<ffffffff817472de>] kasan_report mm/kasan/report.c:298 [inline]
 [<ffffffff817472de>] __asan_report_load8_noabort+0x3e/0x40 mm/kasan/report.c:319
 [<ffffffff8464add4>] pneigh_get_next.isra.18+0x214/0x320 net/core/neighbour.c:2629
 [<ffffffff8464bc51>] neigh_seq_next+0x91/0x1c0 net/core/neighbour.c:2711
 [<ffffffff818096a4>] seq_read+0x9e4/0x11a0 fs/seq_file.c:268
 [<ffffffff818f7b9c>] proc_reg_read+0xbc/0x180 fs/proc/inode.c:203
 [<ffffffff81797944>] do_loop_readv_writev+0x134/0x210 fs/read_write.c:714
 [<ffffffff8179c235>] do_readv_writev+0x565/0x660 fs/read_write.c:845
 [<ffffffff8179c397>] vfs_readv+0x67/0xa0 fs/read_write.c:869
 [<ffffffff8183748d>] kernel_readv fs/splice.c:583 [inline]
 [<ffffffff8183748d>] default_file_splice_read+0x42d/0x800 fs/splice.c:659
 [<ffffffff81832e43>] do_splice_to+0xe3/0x140 fs/splice.c:1154
 [<ffffffff818330d5>] splice_direct_to_actor+0x235/0x7c0 fs/splice.c:1226
 [<ffffffff818337ae>] do_splice_direct+0x14e/0x260 fs/splice.c:1337
 [<ffffffff8179df00>] do_sendfile+0x4c0/0xe40 fs/read_write.c:1354
 [<ffffffff8179facd>] SYSC_sendfile64 fs/read_write.c:1415 [inline]
 [<ffffffff8179facd>] SyS_sendfile64+0x11d/0x120 fs/read_write.c:1401
 [<ffffffff85877900>] entry_SYSCALL_64_fastpath+0x23/0xc1
Object at ffff880129e6b000, in cache kmalloc-256
Object freed, allocated with size 198 bytes
Allocation:
PID = 15217
 [<ffffffff8120b336>] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:67
 [<ffffffff81746086>] save_stack+0x46/0xd0 mm/kasan/kasan.c:476
 [<ffffffff817462da>] set_track mm/kasan/kasan.c:488 [inline]
 [<ffffffff817462da>] kasan_kmalloc+0xda/0x100 mm/kasan/kasan.c:586
 [<ffffffff817411c9>] __do_kmalloc mm/slab.c:3773 [inline]
 [<ffffffff817411c9>] __kmalloc+0x169/0x7a0 mm/slab.c:3782
 [<ffffffff81907716>] kmalloc include/linux/slab.h:483 [inline]
 [<ffffffff81907716>] kzalloc include/linux/slab.h:622 [inline]
 [<ffffffff81907716>] __proc_create+0x136/0x570 fs/proc/generic.c:381
 [<ffffffff819082c5>] proc_create_data+0x55/0x140 fs/proc/generic.c:499
 [<ffffffff84dcf5f0>] snmp6_register_dev+0xb0/0x130 net/ipv6/proc.c:282
 [<ffffffff84d056ac>] ipv6_add_dev+0x55c/0xfd0 net/ipv6/addrconf.c:382
 [<ffffffff84d18d44>] addrconf_notify+0x764/0x1cf0 net/ipv6/addrconf.c:3239
 [<ffffffff813af26b>] notifier_call_chain+0x8b/0x170 kernel/notifier.c:93
 [<ffffffff813af371>] __raw_notifier_call_chain kernel/notifier.c:394 [inline]
 [<ffffffff813af371>] raw_notifier_call_chain+0x11/0x20 kernel/notifier.c:401
 [<ffffffff84613e77>] call_netdevice_notifiers_info+0x47/0x80 net/core/dev.c:1643
 [<ffffffff8463a147>] call_netdevice_notifiers net/core/dev.c:1659 [inline]
 [<ffffffff8463a147>] register_netdevice+0x907/0xd60 net/core/dev.c:7100
 [<ffffffff835b8ac0>] tun_set_iff drivers/net/tun.c:1811 [inline]
 [<ffffffff835b8ac0>] __tun_chr_ioctl+0x13e0/0x3540 drivers/net/tun.c:2010
 [<ffffffff835bac4e>] tun_chr_ioctl+0xe/0x10 drivers/net/tun.c:2255
 [<ffffffff817d407f>] vfs_ioctl fs/ioctl.c:43 [inline]
 [<ffffffff817d407f>] do_vfs_ioctl+0x17f/0xec0 fs/ioctl.c:674
 [<ffffffff817d4e34>] SYSC_ioctl fs/ioctl.c:689 [inline]
 [<ffffffff817d4e34>] SyS_ioctl+0x74/0x80 fs/ioctl.c:680
 [<ffffffff85877900>] entry_SYSCALL_64_fastpath+0x23/0xc1
Deallocation:
PID = 15216
 [<ffffffff8120b336>] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:67
 [<ffffffff81746086>] save_stack+0x46/0xd0 mm/kasan/kasan.c:476
 [<ffffffff8174686b>] set_track mm/kasan/kasan.c:488 [inline]
 [<ffffffff8174686b>] kasan_slab_free+0x9b/0xd0 mm/kasan/kasan.c:540
 [<ffffffff817446be>] __cache_free mm/slab.c:3551 [inline]
 [<ffffffff817446be>] kfree+0xce/0x2c0 mm/slab.c:3868
 [<ffffffff81908743>] free_proc_entry fs/proc/generic.c:534 [inline]
 [<ffffffff81908743>] pde_put+0x73/0xc0 fs/proc/generic.c:540
 [<ffffffff8190923b>] remove_proc_subtree+0x1cb/0x240 fs/proc/generic.c:622
 [<ffffffff819092e8>] proc_remove+0x38/0x50 fs/proc/generic.c:637
 [<ffffffff84dcf71c>] snmp6_unregister_dev+0xac/0x120 net/ipv6/proc.c:299
 [<ffffffff84d0e8c1>] addrconf_ifdown+0xa51/0xcd0 net/ipv6/addrconf.c:3460
 [<ffffffff84d18cf0>] addrconf_notify+0x710/0x1cf0 net/ipv6/addrconf.c:3367
 [<ffffffff813af26b>] notifier_call_chain+0x8b/0x170 kernel/notifier.c:93
 [<ffffffff813af371>] __raw_notifier_call_chain kernel/notifier.c:394 [inline]
 [<ffffffff813af371>] raw_notifier_call_chain+0x11/0x20 kernel/notifier.c:401
 [<ffffffff84613e77>] call_netdevice_notifiers_info+0x47/0x80 net/core/dev.c:1643
 [<ffffffff84620aea>] call_netdevice_notifiers net/core/dev.c:1659 [inline]
 [<ffffffff84620aea>] rollback_registered_many+0x3fa/0x740 net/core/dev.c:6611
 [<ffffffff84620e9f>] rollback_registered+0x6f/0x90 net/core/dev.c:6652
 [<ffffffff84620f28>] unregister_netdevice_queue+0x68/0x120 net/core/dev.c:7636
 [<ffffffff835b6644>] unregister_netdevice include/linux/netdevice.h:2363 [inline]
 [<ffffffff835b6644>] __tun_detach+0x764/0x9f0 drivers/net/tun.c:561
 [<ffffffff835b6910>] tun_detach drivers/net/tun.c:570 [inline]
 [<ffffffff835b6910>] tun_chr_close+0x40/0x60 drivers/net/tun.c:2343
 [<ffffffff817a052e>] __fput+0x20e/0x750 fs/file_table.c:208
 [<ffffffff817a0ad9>] ____fput+0x9/0x10 fs/file_table.c:244
 [<ffffffff813a74bc>] task_work_run+0xdc/0x150 kernel/task_work.c:115
 [<ffffffff810066d3>] tracehook_notify_resume include/linux/tracehook.h:191 [inline]
 [<ffffffff810066d3>] exit_to_usermode_loop+0x183/0x1c0 arch/x86/entry/common.c:233
 [<ffffffff81008815>] prepare_exit_to_usermode arch/x86/entry/common.c:264 [inline]
 [<ffffffff81008815>] syscall_return_slowpath+0x275/0x2f0 arch/x86/entry/common.c:329
 [<ffffffff8587799c>] entry_SYSCALL_64_fastpath+0xbf/0xc1
Memory state around the buggy address:
 ffff880129e6af00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff880129e6af80: fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc
>ffff880129e6b000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                   ^
 ffff880129e6b080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff880129e6b100: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
==================================================================
==================================================================
BUG: KASAN: use-after-free in read_pnet include/net/net_namespace.h:259 [inline] at addr ffff880129e6b508
BUG: KASAN: use-after-free in pneigh_net include/net/neighbour.h:352 [inline] at addr ffff880129e6b508
BUG: KASAN: use-after-free in pneigh_get_next.isra.18+0x1f7/0x320 net/core/neighbour.c:2630 at addr ffff880129e6b508
Read of size 8 by task syz-executor.3/15217
CPU: 0 PID: 15217 Comm: syz-executor.3 Tainted: G    B           4.7.0-rc3+ #1
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 1ffffffff0d55dda ffff8800b829f1c0 ffffffff829ccc36 ffff880129e6b500
 ffff8800b829f250 ffff880129e6b500 ffff88012bc00500 ffff8800b829f240
 ffffffff81746e17 0000000000000010 ffff880000000000 0000000000000282
Call Trace:
 [<ffffffff829ccc36>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff829ccc36>] dump_stack+0xe6/0x120 lib/dump_stack.c:51
 [<ffffffff81746e17>] object_err mm/kasan/report.c:139 [inline]
 [<ffffffff81746e17>] print_address_description mm/kasan/report.c:180 [inline]
 [<ffffffff81746e17>] kasan_report_error+0x1e7/0x5b0 mm/kasan/report.c:276
 [<ffffffff817472de>] kasan_report mm/kasan/report.c:298 [inline]
 [<ffffffff817472de>] __asan_report_load8_noabort+0x3e/0x40 mm/kasan/report.c:319
 [<ffffffff8464adb7>] read_pnet include/net/net_namespace.h:259 [inline]
 [<ffffffff8464adb7>] pneigh_net include/net/neighbour.h:352 [inline]
 [<ffffffff8464adb7>] pneigh_get_next.isra.18+0x1f7/0x320 net/core/neighbour.c:2630
 [<ffffffff8464bc51>] neigh_seq_next+0x91/0x1c0 net/core/neighbour.c:2711
 [<ffffffff818096a4>] seq_read+0x9e4/0x11a0 fs/seq_file.c:268
 [<ffffffff818f7b9c>] proc_reg_read+0xbc/0x180 fs/proc/inode.c:203
 [<ffffffff81797944>] do_loop_readv_writev+0x134/0x210 fs/read_write.c:714
 [<ffffffff8179c235>] do_readv_writev+0x565/0x660 fs/read_write.c:845
 [<ffffffff8179c397>] vfs_readv+0x67/0xa0 fs/read_write.c:869
 [<ffffffff8183748d>] kernel_readv fs/splice.c:583 [inline]
 [<ffffffff8183748d>] default_file_splice_read+0x42d/0x800 fs/splice.c:659
 [<ffffffff81832e43>] do_splice_to+0xe3/0x140 fs/splice.c:1154
 [<ffffffff818330d5>] splice_direct_to_actor+0x235/0x7c0 fs/splice.c:1226
 [<ffffffff818337ae>] do_splice_direct+0x14e/0x260 fs/splice.c:1337
 [<ffffffff8179df00>] do_sendfile+0x4c0/0xe40 fs/read_write.c:1354
 [<ffffffff8179facd>] SYSC_sendfile64 fs/read_write.c:1415 [inline]
 [<ffffffff8179facd>] SyS_sendfile64+0x11d/0x120 fs/read_write.c:1401
 [<ffffffff85877900>] entry_SYSCALL_64_fastpath+0x23/0xc1
Object at ffff880129e6b500, in cache kmalloc-256
Object freed, allocated with size 240 bytes
Allocation:
PID = 15217
 [<ffffffff8120b336>] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:67
 [<ffffffff81746086>] save_stack+0x46/0xd0 mm/kasan/kasan.c:476
 [<ffffffff817462da>] set_track mm/kasan/kasan.c:488 [inline]
 [<ffffffff817462da>] kasan_kmalloc+0xda/0x100 mm/kasan/kasan.c:586
 [<ffffffff817426f2>] kmem_cache_alloc_trace+0x142/0x780 mm/slab.c:3675
 [<ffffffff84d79144>] kmalloc include/linux/slab.h:478 [inline]
 [<ffffffff84d79144>] kzalloc include/linux/slab.h:622 [inline]
 [<ffffffff84d79144>] mca_alloc net/ipv6/mcast.c:825 [inline]
 [<ffffffff84d79144>] ipv6_dev_mc_inc+0x294/0xde0 net/ipv6/mcast.c:884
 [<ffffffff84d05be6>] ipv6_add_dev+0xa96/0xfd0 net/ipv6/addrconf.c:438
 [<ffffffff84d18d44>] addrconf_notify+0x764/0x1cf0 net/ipv6/addrconf.c:3239
 [<ffffffff813af26b>] notifier_call_chain+0x8b/0x170 kernel/notifier.c:93
 [<ffffffff813af371>] __raw_notifier_call_chain kernel/notifier.c:394 [inline]
 [<ffffffff813af371>] raw_notifier_call_chain+0x11/0x20 kernel/notifier.c:401
 [<ffffffff84613e77>] call_netdevice_notifiers_info+0x47/0x80 net/core/dev.c:1643
 [<ffffffff8463a147>] call_netdevice_notifiers net/core/dev.c:1659 [inline]
 [<ffffffff8463a147>] register_netdevice+0x907/0xd60 net/core/dev.c:7100
 [<ffffffff835b8ac0>] tun_set_iff drivers/net/tun.c:1811 [inline]
 [<ffffffff835b8ac0>] __tun_chr_ioctl+0x13e0/0x3540 drivers/net/tun.c:2010
 [<ffffffff835bac4e>] tun_chr_ioctl+0xe/0x10 drivers/net/tun.c:2255
 [<ffffffff817d407f>] vfs_ioctl fs/ioctl.c:43 [inline]
 [<ffffffff817d407f>] do_vfs_ioctl+0x17f/0xec0 fs/ioctl.c:674
 [<ffffffff817d4e34>] SYSC_ioctl fs/ioctl.c:689 [inline]
 [<ffffffff817d4e34>] SyS_ioctl+0x74/0x80 fs/ioctl.c:680
 [<ffffffff85877900>] entry_SYSCALL_64_fastpath+0x23/0xc1
Deallocation:
PID = 15216
 [<ffffffff8120b336>] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:67
 [<ffffffff81746086>] save_stack+0x46/0xd0 mm/kasan/kasan.c:476
 [<ffffffff8174686b>] set_track mm/kasan/kasan.c:488 [inline]
 [<ffffffff8174686b>] kasan_slab_free+0x9b/0xd0 mm/kasan/kasan.c:540
 [<ffffffff817446be>] __cache_free mm/slab.c:3551 [inline]
 [<ffffffff817446be>] kfree+0xce/0x2c0 mm/slab.c:3868
 [<ffffffff84d72ca2>] ma_put+0x42/0x60 net/ipv6/mcast.c:816
 [<ffffffff84d7a6e6>] __ipv6_dev_mc_dec+0x216/0x380 net/ipv6/mcast.c:924
 [<ffffffff84d7ff08>] ipv6_mc_destroy_dev+0x28/0x150 net/ipv6/mcast.c:2557
 [<ffffffff84d0e668>] addrconf_ifdown+0x7f8/0xcd0 net/ipv6/addrconf.c:3584
 [<ffffffff84d18cf0>] addrconf_notify+0x710/0x1cf0 net/ipv6/addrconf.c:3367
 [<ffffffff813af26b>] notifier_call_chain+0x8b/0x170 kernel/notifier.c:93
 [<ffffffff813af371>] __raw_notifier_call_chain kernel/notifier.c:394 [inline]
 [<ffffffff813af371>] raw_notifier_call_chain+0x11/0x20 kernel/notifier.c:401
 [<ffffffff84613e77>] call_netdevice_notifiers_info+0x47/0x80 net/core/dev.c:1643
 [<ffffffff84620aea>] call_netdevice_notifiers net/core/dev.c:1659 [inline]
 [<ffffffff84620aea>] rollback_registered_many+0x3fa/0x740 net/core/dev.c:6611
 [<ffffffff84620e9f>] rollback_registered+0x6f/0x90 net/core/dev.c:6652
 [<ffffffff84620f28>] unregister_netdevice_queue+0x68/0x120 net/core/dev.c:7636
 [<ffffffff835b6644>] unregister_netdevice include/linux/netdevice.h:2363 [inline]
 [<ffffffff835b6644>] __tun_detach+0x764/0x9f0 drivers/net/tun.c:561
 [<ffffffff835b6910>] tun_detach drivers/net/tun.c:570 [inline]
 [<ffffffff835b6910>] tun_chr_close+0x40/0x60 drivers/net/tun.c:2343
 [<ffffffff817a052e>] __fput+0x20e/0x750 fs/file_table.c:208
 [<ffffffff817a0ad9>] ____fput+0x9/0x10 fs/file_table.c:244
 [<ffffffff813a74bc>] task_work_run+0xdc/0x150 kernel/task_work.c:115
 [<ffffffff810066d3>] tracehook_notify_resume include/linux/tracehook.h:191 [inline]
 [<ffffffff810066d3>] exit_to_usermode_loop+0x183/0x1c0 arch/x86/entry/common.c:233
 [<ffffffff81008815>] prepare_exit_to_usermode arch/x86/entry/common.c:264 [inline]
 [<ffffffff81008815>] syscall_return_slowpath+0x275/0x2f0 arch/x86/entry/common.c:329
 [<ffffffff8587799c>] entry_SYSCALL_64_fastpath+0xbf/0xc1
Memory state around the buggy address:
 ffff880129e6b400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff880129e6b480: 00 00 00 00 00 00 00 05 fc fc fc fc fc fc fc fc
>ffff880129e6b500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                      ^
 ffff880129e6b580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff880129e6b600: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
==================================================================
==================================================================
BUG: KASAN: use-after-free in pneigh_get_next.isra.18+0x214/0x320 net/core/neighbour.c:2629 at addr ffff880129e6b500
Read of size 8 by task syz-executor.3/15217
CPU: 0 PID: 15217 Comm: syz-executor.3 Tainted: G    B           4.7.0-rc3+ #1
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 1ffffffff0d55dda ffff8800b829f1c0 ffffffff829ccc36 ffff880129e6b500
 ffff8800b829f250 ffff880129e6b500 ffff88012bc00500 ffff8800b829f240
 ffffffff81746e17 0000000000000010 ffff880000000000 0000000000000282
Call Trace:
 [<ffffffff829ccc36>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff829ccc36>] dump_stack+0xe6/0x120 lib/dump_stack.c:51
 [<ffffffff81746e17>] object_err mm/kasan/report.c:139 [inline]
 [<ffffffff81746e17>] print_address_description mm/kasan/report.c:180 [inline]
 [<ffffffff81746e17>] kasan_report_error+0x1e7/0x5b0 mm/kasan/report.c:276
 [<ffffffff817472de>] kasan_report mm/kasan/report.c:298 [inline]
 [<ffffffff817472de>] __asan_report_load8_noabort+0x3e/0x40 mm/kasan/report.c:319
 [<ffffffff8464add4>] pneigh_get_next.isra.18+0x214/0x320 net/core/neighbour.c:2629
 [<ffffffff8464bc51>] neigh_seq_next+0x91/0x1c0 net/core/neighbour.c:2711
 [<ffffffff818096a4>] seq_read+0x9e4/0x11a0 fs/seq_file.c:268
 [<ffffffff818f7b9c>] proc_reg_read+0xbc/0x180 fs/proc/inode.c:203
 [<ffffffff81797944>] do_loop_readv_writev+0x134/0x210 fs/read_write.c:714
 [<ffffffff8179c235>] do_readv_writev+0x565/0x660 fs/read_write.c:845
 [<ffffffff8179c397>] vfs_readv+0x67/0xa0 fs/read_write.c:869
 [<ffffffff8183748d>] kernel_readv fs/splice.c:583 [inline]
 [<ffffffff8183748d>] default_file_splice_read+0x42d/0x800 fs/splice.c:659
 [<ffffffff81832e43>] do_splice_to+0xe3/0x140 fs/splice.c:1154
 [<ffffffff818330d5>] splice_direct_to_actor+0x235/0x7c0 fs/splice.c:1226
 [<ffffffff818337ae>] do_splice_direct+0x14e/0x260 fs/splice.c:1337
 [<ffffffff8179df00>] do_sendfile+0x4c0/0xe40 fs/read_write.c:1354
 [<ffffffff8179facd>] SYSC_sendfile64 fs/read_write.c:1415 [inline]
 [<ffffffff8179facd>] SyS_sendfile64+0x11d/0x120 fs/read_write.c:1401
 [<ffffffff85877900>] entry_SYSCALL_64_fastpath+0x23/0xc1
Object at ffff880129e6b500, in cache kmalloc-256
Object freed, allocated with size 240 bytes
Allocation:
PID = 15217
 [<ffffffff8120b336>] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:67
 [<ffffffff81746086>] save_stack+0x46/0xd0 mm/kasan/kasan.c:476
 [<ffffffff817462da>] set_track mm/kasan/kasan.c:488 [inline]
 [<ffffffff817462da>] kasan_kmalloc+0xda/0x100 mm/kasan/kasan.c:586
 [<ffffffff817426f2>] kmem_cache_alloc_trace+0x142/0x780 mm/slab.c:3675
 [<ffffffff84d79144>] kmalloc include/linux/slab.h:478 [inline]
 [<ffffffff84d79144>] kzalloc include/linux/slab.h:622 [inline]
 [<ffffffff84d79144>] mca_alloc net/ipv6/mcast.c:825 [inline]
 [<ffffffff84d79144>] ipv6_dev_mc_inc+0x294/0xde0 net/ipv6/mcast.c:884
 [<ffffffff84d05be6>] ipv6_add_dev+0xa96/0xfd0 net/ipv6/addrconf.c:438
 [<ffffffff84d18d44>] addrconf_notify+0x764/0x1cf0 net/ipv6/addrconf.c:3239
 [<ffffffff813af26b>] notifier_call_chain+0x8b/0x170 kernel/notifier.c:93
 [<ffffffff813af371>] __raw_notifier_call_chain kernel/notifier.c:394 [inline]
 [<ffffffff813af371>] raw_notifier_call_chain+0x11/0x20 kernel/notifier.c:401
 [<ffffffff84613e77>] call_netdevice_notifiers_info+0x47/0x80 net/core/dev.c:1643
 [<ffffffff8463a147>] call_netdevice_notifiers net/core/dev.c:1659 [inline]
 [<ffffffff8463a147>] register_netdevice+0x907/0xd60 net/core/dev.c:7100
 [<ffffffff835b8ac0>] tun_set_iff drivers/net/tun.c:1811 [inline]
 [<ffffffff835b8ac0>] __tun_chr_ioctl+0x13e0/0x3540 drivers/net/tun.c:2010
 [<ffffffff835bac4e>] tun_chr_ioctl+0xe/0x10 drivers/net/tun.c:2255
 [<ffffffff817d407f>] vfs_ioctl fs/ioctl.c:43 [inline]
 [<ffffffff817d407f>] do_vfs_ioctl+0x17f/0xec0 fs/ioctl.c:674
 [<ffffffff817d4e34>] SYSC_ioctl fs/ioctl.c:689 [inline]
 [<ffffffff817d4e34>] SyS_ioctl+0x74/0x80 fs/ioctl.c:680
 [<ffffffff85877900>] entry_SYSCALL_64_fastpath+0x23/0xc1
Deallocation:
PID = 15216
 [<ffffffff8120b336>] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:67
 [<ffffffff81746086>] save_stack+0x46/0xd0 mm/kasan/kasan.c:476
 [<ffffffff8174686b>] set_track mm/kasan/kasan.c:488 [inline]
 [<ffffffff8174686b>] kasan_slab_free+0x9b/0xd0 mm/kasan/kasan.c:540
 [<ffffffff817446be>] __cache_free mm/slab.c:3551 [inline]
 [<ffffffff817446be>] kfree+0xce/0x2c0 mm/slab.c:3868
 [<ffffffff84d72ca2>] ma_put+0x42/0x60 net/ipv6/mcast.c:816
 [<ffffffff84d7a6e6>] __ipv6_dev_mc_dec+0x216/0x380 net/ipv6/mcast.c:924
 [<ffffffff84d7ff08>] ipv6_mc_destroy_dev+0x28/0x150 net/ipv6/mcast.c:2557
 [<ffffffff84d0e668>] addrconf_ifdown+0x7f8/0xcd0 net/ipv6/addrconf.c:3584
 [<ffffffff84d18cf0>] addrconf_notify+0x710/0x1cf0 net/ipv6/addrconf.c:3367
 [<ffffffff813af26b>] notifier_call_chain+0x8b/0x170 kernel/notifier.c:93
 [<ffffffff813af371>] __raw_notifier_call_chain kernel/notifier.c:394 [inline]
 [<ffffffff813af371>] raw_notifier_call_chain+0x11/0x20 kernel/notifier.c:401
 [<ffffffff84613e77>] call_netdevice_notifiers_info+0x47/0x80 net/core/dev.c:1643
 [<ffffffff84620aea>] call_netdevice_notifiers net/core/dev.c:1659 [inline]
 [<ffffffff84620aea>] rollback_registered_many+0x3fa/0x740 net/core/dev.c:6611
 [<ffffffff84620e9f>] rollback_registered+0x6f/0x90 net/core/dev.c:6652
 [<ffffffff84620f28>] unregister_netdevice_queue+0x68/0x120 net/core/dev.c:7636
 [<ffffffff835b6644>] unregister_netdevice include/linux/netdevice.h:2363 [inline]
 [<ffffffff835b6644>] __tun_detach+0x764/0x9f0 drivers/net/tun.c:561
 [<ffffffff835b6910>] tun_detach drivers/net/tun.c:570 [inline]
 [<ffffffff835b6910>] tun_chr_close+0x40/0x60 drivers/net/tun.c:2343
 [<ffffffff817a052e>] __fput+0x20e/0x750 fs/file_table.c:208
 [<ffffffff817a0ad9>] ____fput+0x9/0x10 fs/file_table.c:244
 [<ffffffff813a74bc>] task_work_run+0xdc/0x150 kernel/task_work.c:115
 [<ffffffff810066d3>] tracehook_notify_resume include/linux/tracehook.h:191 [inline]
 [<ffffffff810066d3>] exit_to_usermode_loop+0x183/0x1c0 arch/x86/entry/common.c:233
 [<ffffffff81008815>] prepare_exit_to_usermode arch/x86/entry/common.c:264 [inline]
 [<ffffffff81008815>] syscall_return_slowpath+0x275/0x2f0 arch/x86/entry/common.c:329
 [<ffffffff8587799c>] entry_SYSCALL_64_fastpath+0xbf/0xc1
Memory state around the buggy address:
 ffff880129e6b400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff880129e6b480: 00 00 00 00 00 00 00 05 fc fc fc fc fc fc fc fc
>ffff880129e6b500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                   ^
 ffff880129e6b580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff880129e6b600: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
==================================================================
==================================================================
BUG: KASAN: use-after-free in read_pnet include/net/net_namespace.h:259 [inline] at addr ffff880129e6b648
BUG: KASAN: use-after-free in pneigh_net include/net/neighbour.h:352 [inline] at addr ffff880129e6b648
BUG: KASAN: use-after-free in pneigh_get_next.isra.18+0x1f7/0x320 net/core/neighbour.c:2630 at addr ffff880129e6b648
Read of size 8 by task syz-executor.3/15217
CPU: 0 PID: 15217 Comm: syz-executor.3 Tainted: G    B           4.7.0-rc3+ #1
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 1ffffffff0d55dda ffff8800b829f1c0 ffffffff829ccc36 ffff880129e6b640
 ffff8800b829f250 ffff880129e6b640 ffff88012bc00500 ffff8800b829f240
 ffffffff81746e17 0000000000000010 ffff880000000000 0000000000000282
Call Trace:
 [<ffffffff829ccc36>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff829ccc36>] dump_stack+0xe6/0x120 lib/dump_stack.c:51
 [<ffffffff81746e17>] object_err mm/kasan/report.c:139 [inline]
 [<ffffffff81746e17>] print_address_description mm/kasan/report.c:180 [inline]
 [<ffffffff81746e17>] kasan_report_error+0x1e7/0x5b0 mm/kasan/report.c:276
 [<ffffffff817472de>] kasan_report mm/kasan/report.c:298 [inline]
 [<ffffffff817472de>] __asan_report_load8_noabort+0x3e/0x40 mm/kasan/report.c:319
 [<ffffffff8464adb7>] read_pnet include/net/net_namespace.h:259 [inline]
 [<ffffffff8464adb7>] pneigh_net include/net/neighbour.h:352 [inline]
 [<ffffffff8464adb7>] pneigh_get_next.isra.18+0x1f7/0x320 net/core/neighbour.c:2630
 [<ffffffff8464bc51>] neigh_seq_next+0x91/0x1c0 net/core/neighbour.c:2711
 [<ffffffff818096a4>] seq_read+0x9e4/0x11a0 fs/seq_file.c:268
 [<ffffffff818f7b9c>] proc_reg_read+0xbc/0x180 fs/proc/inode.c:203
 [<ffffffff81797944>] do_loop_readv_writev+0x134/0x210 fs/read_write.c:714
 [<ffffffff8179c235>] do_readv_writev+0x565/0x660 fs/read_write.c:845
 [<ffffffff8179c397>] vfs_readv+0x67/0xa0 fs/read_write.c:869
 [<ffffffff8183748d>] kernel_readv fs/splice.c:583 [inline]
 [<ffffffff8183748d>] default_file_splice_read+0x42d/0x800 fs/splice.c:659
 [<ffffffff81832e43>] do_splice_to+0xe3/0x140 fs/splice.c:1154
 [<ffffffff818330d5>] splice_direct_to_actor+0x235/0x7c0 fs/splice.c:1226
 [<ffffffff818337ae>] do_splice_direct+0x14e/0x260 fs/splice.c:1337
 [<ffffffff8179df00>] do_sendfile+0x4c0/0xe40 fs/read_write.c:1354
 [<ffffffff8179facd>] SYSC_sendfile64 fs/read_write.c:1415 [inline]
 [<ffffffff8179facd>] SyS_sendfile64+0x11d/0x120 fs/read_write.c:1401
 [<ffffffff85877900>] entry_SYSCALL_64_fastpath+0x23/0xc1
Object at ffff880129e6b640, in cache kmalloc-256
Object freed, allocated with size 240 bytes
Allocation:
PID = 15217
 [<ffffffff8120b336>] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:67
 [<ffffffff81746086>] save_stack+0x46/0xd0 mm/kasan/kasan.c:476
 [<ffffffff817462da>] set_track mm/kasan/kasan.c:488 [inline]
 [<ffffffff817462da>] kasan_kmalloc+0xda/0x100 mm/kasan/kasan.c:586
 [<ffffffff817426f2>] kmem_cache_alloc_trace+0x142/0x780 mm/slab.c:3675
 [<ffffffff84d79144>] kmalloc include/linux/slab.h:478 [inline]
 [<ffffffff84d79144>] kzalloc include/linux/slab.h:622 [inline]
 [<ffffffff84d79144>] mca_alloc net/ipv6/mcast.c:825 [inline]
 [<ffffffff84d79144>] ipv6_dev_mc_inc+0x294/0xde0 net/ipv6/mcast.c:884
 [<ffffffff84d05bd7>] ipv6_add_dev+0xa87/0xfd0 net/ipv6/addrconf.c:435
 [<ffffffff84d18d44>] addrconf_notify+0x764/0x1cf0 net/ipv6/addrconf.c:3239
 [<ffffffff813af26b>] notifier_call_chain+0x8b/0x170 kernel/notifier.c:93
 [<ffffffff813af371>] __raw_notifier_call_chain kernel/notifier.c:394 [inline]
 [<ffffffff813af371>] raw_notifier_call_chain+0x11/0x20 kernel/notifier.c:401
 [<ffffffff84613e77>] call_netdevice_notifiers_info+0x47/0x80 net/core/dev.c:1643
 [<ffffffff8463a147>] call_netdevice_notifiers net/core/dev.c:1659 [inline]
 [<ffffffff8463a147>] register_netdevice+0x907/0xd60 net/core/dev.c:7100
 [<ffffffff835b8ac0>] tun_set_iff drivers/net/tun.c:1811 [inline]
 [<ffffffff835b8ac0>] __tun_chr_ioctl+0x13e0/0x3540 drivers/net/tun.c:2010
 [<ffffffff835bac4e>] tun_chr_ioctl+0xe/0x10 drivers/net/tun.c:2255
 [<ffffffff817d407f>] vfs_ioctl fs/ioctl.c:43 [inline]
 [<ffffffff817d407f>] do_vfs_ioctl+0x17f/0xec0 fs/ioctl.c:674
 [<ffffffff817d4e34>] SYSC_ioctl fs/ioctl.c:689 [inline]
 [<ffffffff817d4e34>] SyS_ioctl+0x74/0x80 fs/ioctl.c:680
 [<ffffffff85877900>] entry_SYSCALL_64_fastpath+0x23/0xc1
Deallocation:
PID = 15216
 [<ffffffff8120b336>] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:67
 [<ffffffff81746086>] save_stack+0x46/0xd0 mm/kasan/kasan.c:476
 [<ffffffff8174686b>] set_track mm/kasan/kasan.c:488 [inline]
 [<ffffffff8174686b>] kasan_slab_free+0x9b/0xd0 mm/kasan/kasan.c:540
 [<ffffffff817446be>] __cache_free mm/slab.c:3551 [inline]
 [<ffffffff817446be>] kfree+0xce/0x2c0 mm/slab.c:3868
 [<ffffffff84d72ca2>] ma_put+0x42/0x60 net/ipv6/mcast.c:816
 [<ffffffff84d7ffc1>] ipv6_mc_destroy_dev+0xe1/0x150 net/ipv6/mcast.c:2568
 [<ffffffff84d0e668>] addrconf_ifdown+0x7f8/0xcd0 net/ipv6/addrconf.c:3584
 [<ffffffff84d18cf0>] addrconf_notify+0x710/0x1cf0 net/ipv6/addrconf.c:3367
 [<ffffffff813af26b>] notifier_call_chain+0x8b/0x170 kernel/notifier.c:93
 [<ffffffff813af371>] __raw_notifier_call_chain kernel/notifier.c:394 [inline]
 [<ffffffff813af371>] raw_notifier_call_chain+0x11/0x20 kernel/notifier.c:401
 [<ffffffff84613e77>] call_netdevice_notifiers_info+0x47/0x80 net/core/dev.c:1643
 [<ffffffff84620aea>] call_netdevice_notifiers net/core/dev.c:1659 [inline]
 [<ffffffff84620aea>] rollback_registered_many+0x3fa/0x740 net/core/dev.c:6611
 [<ffffffff84620e9f>] rollback_registered+0x6f/0x90 net/core/dev.c:6652
 [<ffffffff84620f28>] unregister_netdevice_queue+0x68/0x120 net/core/dev.c:7636
 [<ffffffff835b6644>] unregister_netdevice include/linux/netdevice.h:2363 [inline]
 [<ffffffff835b6644>] __tun_detach+0x764/0x9f0 drivers/net/tun.c:561
 [<ffffffff835b6910>] tun_detach drivers/net/tun.c:570 [inline]
 [<ffffffff835b6910>] tun_chr_close+0x40/0x60 drivers/net/tun.c:2343
 [<ffffffff817a052e>] __fput+0x20e/0x750 fs/file_table.c:208
 [<ffffffff817a0ad9>] ____fput+0x9/0x10 fs/file_table.c:244
 [<ffffffff813a74bc>] task_work_run+0xdc/0x150 kernel/task_work.c:115
 [<ffffffff810066d3>] tracehook_notify_resume include/linux/tracehook.h:191 [inline]
 [<ffffffff810066d3>] exit_to_usermode_loop+0x183/0x1c0 arch/x86/entry/common.c:233
 [<ffffffff81008815>] prepare_exit_to_usermode arch/x86/entry/common.c:264 [inline]
 [<ffffffff81008815>] syscall_return_slowpath+0x275/0x2f0 arch/x86/entry/common.c:329
 [<ffffffff8587799c>] entry_SYSCALL_64_fastpath+0xbf/0xc1
Memory state around the buggy address:
 ffff880129e6b500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff880129e6b580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff880129e6b600: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
                                              ^
 ffff880129e6b680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff880129e6b700: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
==================================================================
==================================================================
BUG: KASAN: use-after-free in pneigh_get_next.isra.18+0x214/0x320 net/core/neighbour.c:2629 at addr ffff880129e6b640
Read of size 8 by task syz-executor.3/15217
CPU: 0 PID: 15217 Comm: syz-executor.3 Tainted: G    B           4.7.0-rc3+ #1
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 1ffffffff0d55dda ffff8800b829f1c0 ffffffff829ccc36 ffff880129e6b640
 ffff8800b829f250 ffff880129e6b640 ffff88012bc00500 ffff8800b829f240
 ffffffff81746e17 0000000000000010 ffff880000000000 0000000000000282
Call Trace:
 [<ffffffff829ccc36>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff829ccc36>] dump_stack+0xe6/0x120 lib/dump_stack.c:51
 [<ffffffff81746e17>] object_err mm/kasan/report.c:139 [inline]
 [<ffffffff81746e17>] print_address_description mm/kasan/report.c:180 [inline]
 [<ffffffff81746e17>] kasan_report_error+0x1e7/0x5b0 mm/kasan/report.c:276
 [<ffffffff817472de>] kasan_report mm/kasan/report.c:298 [inline]
 [<ffffffff817472de>] __asan_report_load8_noabort+0x3e/0x40 mm/kasan/report.c:319
 [<ffffffff8464add4>] pneigh_get_next.isra.18+0x214/0x320 net/core/neighbour.c:2629
 [<ffffffff8464bc51>] neigh_seq_next+0x91/0x1c0 net/core/neighbour.c:2711
 [<ffffffff818096a4>] seq_read+0x9e4/0x11a0 fs/seq_file.c:268
 [<ffffffff818f7b9c>] proc_reg_read+0xbc/0x180 fs/proc/inode.c:203
 [<ffffffff81797944>] do_loop_readv_writev+0x134/0x210 fs/read_write.c:714
 [<ffffffff8179c235>] do_readv_writev+0x565/0x660 fs/read_write.c:845
 [<ffffffff8179c397>] vfs_readv+0x67/0xa0 fs/read_write.c:869
 [<ffffffff8183748d>] kernel_readv fs/splice.c:583 [inline]
 [<ffffffff8183748d>] default_file_splice_read+0x42d/0x800 fs/splice.c:659
 [<ffffffff81832e43>] do_splice_to+0xe3/0x140 fs/splice.c:1154
 [<ffffffff818330d5>] splice_direct_to_actor+0x235/0x7c0 fs/splice.c:1226
 [<ffffffff818337ae>] do_splice_direct+0x14e/0x260 fs/splice.c:1337
 [<ffffffff8179df00>] do_sendfile+0x4c0/0xe40 fs/read_write.c:1354
 [<ffffffff8179facd>] SYSC_sendfile64 fs/read_write.c:1415 [inline]
 [<ffffffff8179facd>] SyS_sendfile64+0x11d/0x120 fs/read_write.c:1401
 [<ffffffff85877900>] entry_SYSCALL_64_fastpath+0x23/0xc1
Object at ffff880129e6b640, in cache kmalloc-256
Object freed, allocated with size 240 bytes
Allocation:
PID = 15217
 [<ffffffff8120b336>] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:67
 [<ffffffff81746086>] save_stack+0x46/0xd0 mm/kasan/kasan.c:476
 [<ffffffff817462da>] set_track mm/kasan/kasan.c:488 [inline]
 [<ffffffff817462da>] kasan_kmalloc+0xda/0x100 mm/kasan/kasan.c:586
 [<ffffffff817426f2>] kmem_cache_alloc_trace+0x142/0x780 mm/slab.c:3675
 [<ffffffff84d79144>] kmalloc include/linux/slab.h:478 [inline]
 [<ffffffff84d79144>] kzalloc include/linux/slab.h:622 [inline]
 [<ffffffff84d79144>] mca_alloc net/ipv6/mcast.c:825 [inline]
 [<ffffffff84d79144>] ipv6_dev_mc_inc+0x294/0xde0 net/ipv6/mcast.c:884
 [<ffffffff84d05bd7>] ipv6_add_dev+0xa87/0xfd0 net/ipv6/addrconf.c:435
 [<ffffffff84d18d44>] addrconf_notify+0x764/0x1cf0 net/ipv6/addrconf.c:3239
 [<ffffffff813af26b>] notifier_call_chain+0x8b/0x170 kernel/notifier.c:93
 [<ffffffff813af371>] __raw_notifier_call_chain kernel/notifier.c:394 [inline]
 [<ffffffff813af371>] raw_notifier_call_chain+0x11/0x20 kernel/notifier.c:401
 [<ffffffff84613e77>] call_netdevice_notifiers_info+0x47/0x80 net/core/dev.c:1643
 [<ffffffff8463a147>] call_netdevice_notifiers net/core/dev.c:1659 [inline]
 [<ffffffff8463a147>] register_netdevice+0x907/0xd60 net/core/dev.c:7100
 [<ffffffff835b8ac0>] tun_set_iff drivers/net/tun.c:1811 [inline]
 [<ffffffff835b8ac0>] __tun_chr_ioctl+0x13e0/0x3540 drivers/net/tun.c:2010
 [<ffffffff835bac4e>] tun_chr_ioctl+0xe/0x10 drivers/net/tun.c:2255
 [<ffffffff817d407f>] vfs_ioctl fs/ioctl.c:43 [inline]
 [<ffffffff817d407f>] do_vfs_ioctl+0x17f/0xec0 fs/ioctl.c:674
 [<ffffffff817d4e34>] SYSC_ioctl fs/ioctl.c:689 [inline]
 [<ffffffff817d4e34>] SyS_ioctl+0x74/0x80 fs/ioctl.c:680
 [<ffffffff85877900>] entry_SYSCALL_64_fastpath+0x23/0xc1
Deallocation:
PID = 15216
 [<ffffffff8120b336>] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:67
 [<ffffffff81746086>] save_stack+0x46/0xd0 mm/kasan/kasan.c:476
 [<ffffffff8174686b>] set_track mm/kasan/kasan.c:488 [inline]
 [<ffffffff8174686b>] kasan_slab_free+0x9b/0xd0 mm/kasan/kasan.c:540
 [<ffffffff817446be>] __cache_free mm/slab.c:3551 [inline]
 [<ffffffff817446be>] kfree+0xce/0x2c0 mm/slab.c:3868
 [<ffffffff84d72ca2>] ma_put+0x42/0x60 net/ipv6/mcast.c:816
 [<ffffffff84d7ffc1>] ipv6_mc_destroy_dev+0xe1/0x150 net/ipv6/mcast.c:2568
 [<ffffffff84d0e668>] addrconf_ifdown+0x7f8/0xcd0 net/ipv6/addrconf.c:3584
 [<ffffffff84d18cf0>] addrconf_notify+0x710/0x1cf0 net/ipv6/addrconf.c:3367
 [<ffffffff813af26b>] notifier_call_chain+0x8b/0x170 kernel/notifier.c:93
 [<ffffffff813af371>] __raw_notifier_call_chain kernel/notifier.c:394 [inline]
 [<ffffffff813af371>] raw_notifier_call_chain+0x11/0x20 kernel/notifier.c:401
 [<ffffffff84613e77>] call_netdevice_notifiers_info+0x47/0x80 net/core/dev.c:1643
 [<ffffffff84620aea>] call_netdevice_notifiers net/core/dev.c:1659 [inline]
 [<ffffffff84620aea>] rollback_registered_many+0x3fa/0x740 net/core/dev.c:6611
 [<ffffffff84620e9f>] rollback_registered+0x6f/0x90 net/core/dev.c:6652
 [<ffffffff84620f28>] unregister_netdevice_queue+0x68/0x120 net/core/dev.c:7636
 [<ffffffff835b6644>] unregister_netdevice include/linux/netdevice.h:2363 [inline]
 [<ffffffff835b6644>] __tun_detach+0x764/0x9f0 drivers/net/tun.c:561
 [<ffffffff835b6910>] tun_detach drivers/net/tun.c:570 [inline]
 [<ffffffff835b6910>] tun_chr_close+0x40/0x60 drivers/net/tun.c:2343
 [<ffffffff817a052e>] __fput+0x20e/0x750 fs/file_table.c:208
 [<ffffffff817a0ad9>] ____fput+0x9/0x10 fs/file_table.c:244
 [<ffffffff813a74bc>] task_work_run+0xdc/0x150 kernel/task_work.c:115
 [<ffffffff810066d3>] tracehook_notify_resume include/linux/tracehook.h:191 [inline]
 [<ffffffff810066d3>] exit_to_usermode_loop+0x183/0x1c0 arch/x86/entry/common.c:233
 [<ffffffff81008815>] prepare_exit_to_usermode arch/x86/entry/common.c:264 [inline]
 [<ffffffff81008815>] syscall_return_slowpath+0x275/0x2f0 arch/x86/entry/common.c:329
 [<ffffffff8587799c>] entry_SYSCALL_64_fastpath+0xbf/0xc1
Memory state around the buggy address:
 ffff880129e6b500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff880129e6b580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff880129e6b600: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
                                           ^
 ffff880129e6b680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff880129e6b700: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
==================================================================
==================================================================
BUG: KASAN: use-after-free in read_pnet include/net/net_namespace.h:259 [inline] at addr ffff8800ae1028c8
BUG: KASAN: use-after-free in pneigh_net include/net/neighbour.h:352 [inline] at addr ffff8800ae1028c8
BUG: KASAN: use-after-free in pneigh_get_next.isra.18+0x1f7/0x320 net/core/neighbour.c:2630 at addr ffff8800ae1028c8
Read of size 8 by task syz-executor.3/15217
CPU: 0 PID: 15217 Comm: syz-executor.3 Tainted: G    B           4.7.0-rc3+ #1
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 1ffffffff0d55dda ffff8800b829f1c0 ffffffff829ccc36 ffff8800ae1028c0
 ffff8800b829f250 ffff8800ae1028c0 ffff88012bc00900 ffff8800b829f240
 ffffffff81746e17 0000000000000010 ffff880000000000 0000000000000282
Call Trace:
 [<ffffffff829ccc36>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff829ccc36>] dump_stack+0xe6/0x120 lib/dump_stack.c:51
 [<ffffffff81746e17>] object_err mm/kasan/report.c:139 [inline]
 [<ffffffff81746e17>] print_address_description mm/kasan/report.c:180 [inline]
 [<ffffffff81746e17>] kasan_report_error+0x1e7/0x5b0 mm/kasan/report.c:276
 [<ffffffff817472de>] kasan_report mm/kasan/report.c:298 [inline]
 [<ffffffff817472de>] __asan_report_load8_noabort+0x3e/0x40 mm/kasan/report.c:319
 [<ffffffff8464adb7>] read_pnet include/net/net_namespace.h:259 [inline]
 [<ffffffff8464adb7>] pneigh_net include/net/neighbour.h:352 [inline]
 [<ffffffff8464adb7>] pneigh_get_next.isra.18+0x1f7/0x320 net/core/neighbour.c:2630
 [<ffffffff8464bc51>] neigh_seq_next+0x91/0x1c0 net/core/neighbour.c:2711
 [<ffffffff818096a4>] seq_read+0x9e4/0x11a0 fs/seq_file.c:268
 [<ffffffff818f7b9c>] proc_reg_read+0xbc/0x180 fs/proc/inode.c:203
 [<ffffffff81797944>] do_loop_readv_writev+0x134/0x210 fs/read_write.c:714
 [<ffffffff8179c235>] do_readv_writev+0x565/0x660 fs/read_write.c:845
 [<ffffffff8179c397>] vfs_readv+0x67/0xa0 fs/read_write.c:869
 [<ffffffff8183748d>] kernel_readv fs/splice.c:583 [inline]
 [<ffffffff8183748d>] default_file_splice_read+0x42d/0x800 fs/splice.c:659
 [<ffffffff81832e43>] do_splice_to+0xe3/0x140 fs/splice.c:1154
 [<ffffffff818330d5>] splice_direct_to_actor+0x235/0x7c0 fs/splice.c:1226
 [<ffffffff818337ae>] do_splice_direct+0x14e/0x260 fs/splice.c:1337
 [<ffffffff8179df00>] do_sendfile+0x4c0/0xe40 fs/read_write.c:1354
 [<ffffffff8179facd>] SYSC_sendfile64 fs/read_write.c:1415 [inline]
 [<ffffffff8179facd>] SyS_sendfile64+0x11d/0x120 fs/read_write.c:1401
 [<ffffffff85877900>] entry_SYSCALL_64_fastpath+0x23/0xc1
Object at ffff8800ae1028c0, in cache kmalloc-4096
Object freed, allocated with size 2816 bytes
Allocation:
PID = 15217
 [<ffffffff8120b336>] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:67
 [<ffffffff81746086>] save_stack+0x46/0xd0 mm/kasan/kasan.c:476
 [<ffffffff817462da>] set_track mm/kasan/kasan.c:488 [inline]
 [<ffffffff817462da>] kasan_kmalloc+0xda/0x100 mm/kasan/kasan.c:586
 [<ffffffff81740a35>] __do_kmalloc mm/slab.c:3773 [inline]
 [<ffffffff81740a35>] __kmalloc_track_caller+0x165/0x790 mm/slab.c:3788
 [<ffffffff8168b28b>] kmemdup+0x1b/0x40 mm/util.c:113
 [<ffffffff84cfdf76>] __addrconf_sysctl_register+0x86/0x340 net/ipv6/addrconf.c:5947
 [<ffffffff84cff1f4>] addrconf_sysctl_register+0x104/0x1a0 net/ipv6/addrconf.c:5995
 [<ffffffff84d05ac8>] ipv6_add_dev+0x978/0xfd0 net/ipv6/addrconf.c:424
 [<ffffffff84d18d44>] addrconf_notify+0x764/0x1cf0 net/ipv6/addrconf.c:3239
 [<ffffffff813af26b>] notifier_call_chain+0x8b/0x170 kernel/notifier.c:93
 [<ffffffff813af371>] __raw_notifier_call_chain kernel/notifier.c:394 [inline]
 [<ffffffff813af371>] raw_notifier_call_chain+0x11/0x20 kernel/notifier.c:401
 [<ffffffff84613e77>] call_netdevice_notifiers_info+0x47/0x80 net/core/dev.c:1643
 [<ffffffff8463a147>] call_netdevice_notifiers net/core/dev.c:1659 [inline]
 [<ffffffff8463a147>] register_netdevice+0x907/0xd60 net/core/dev.c:7100
 [<ffffffff835b8ac0>] tun_set_iff drivers/net/tun.c:1811 [inline]
 [<ffffffff835b8ac0>] __tun_chr_ioctl+0x13e0/0x3540 drivers/net/tun.c:2010
 [<ffffffff835bac4e>] tun_chr_ioctl+0xe/0x10 drivers/net/tun.c:2255
 [<ffffffff817d407f>] vfs_ioctl fs/ioctl.c:43 [inline]
 [<ffffffff817d407f>] do_vfs_ioctl+0x17f/0xec0 fs/ioctl.c:674
 [<ffffffff817d4e34>] SYSC_ioctl fs/ioctl.c:689 [inline]
 [<ffffffff817d4e34>] SyS_ioctl+0x74/0x80 fs/ioctl.c:680
 [<ffffffff85877900>] entry_SYSCALL_64_fastpath+0x23/0xc1
Deallocation:
PID = 15216
 [<ffffffff8120b336>] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:67
 [<ffffffff81746086>] save_stack+0x46/0xd0 mm/kasan/kasan.c:476
 [<ffffffff8174686b>] set_track mm/kasan/kasan.c:488 [inline]
 [<ffffffff8174686b>] kasan_slab_free+0x9b/0xd0 mm/kasan/kasan.c:540
 [<ffffffff817446be>] __cache_free mm/slab.c:3551 [inline]
 [<ffffffff817446be>] kfree+0xce/0x2c0 mm/slab.c:3868
 [<ffffffff84cff30a>] __addrconf_sysctl_unregister.isra.42+0x7a/0xa0 net/ipv6/addrconf.c:5981
 [<ffffffff84d0e6c6>] addrconf_sysctl_unregister net/ipv6/addrconf.c:6005 [inline]
 [<ffffffff84d0e6c6>] addrconf_ifdown+0x856/0xcd0 net/ipv6/addrconf.c:3593
 [<ffffffff84d18cf0>] addrconf_notify+0x710/0x1cf0 net/ipv6/addrconf.c:3367
 [<ffffffff813af26b>] notifier_call_chain+0x8b/0x170 kernel/notifier.c:93
 [<ffffffff813af371>] __raw_notifier_call_chain kernel/notifier.c:394 [inline]
 [<ffffffff813af371>] raw_notifier_call_chain+0x11/0x20 kernel/notifier.c:401
 [<ffffffff84613e77>] call_netdevice_notifiers_info+0x47/0x80 net/core/dev.c:1643
 [<ffffffff84620aea>] call_netdevice_notifiers net/core/dev.c:1659 [inline]
 [<ffffffff84620aea>] rollback_registered_many+0x3fa/0x740 net/core/dev.c:6611
 [<ffffffff84620e9f>] rollback_registered+0x6f/0x90 net/core/dev.c:6652
 [<ffffffff84620f28>] unregister_netdevice_queue+0x68/0x120 net/core/dev.c:7636
 [<ffffffff835b6644>] unregister_netdevice include/linux/netdevice.h:2363 [inline]
 [<ffffffff835b6644>] __tun_detach+0x764/0x9f0 drivers/net/tun.c:561
 [<ffffffff835b6910>] tun_detach drivers/net/tun.c:570 [inline]
 [<ffffffff835b6910>] tun_chr_close+0x40/0x60 drivers/net/tun.c:2343
 [<ffffffff817a052e>] __fput+0x20e/0x750 fs/file_table.c:208
 [<ffffffff817a0ad9>] ____fput+0x9/0x10 fs/file_table.c:244
 [<ffffffff813a74bc>] task_work_run+0xdc/0x150 kernel/task_work.c:115
 [<ffffffff810066d3>] tracehook_notify_resume include/linux/tracehook.h:191 [inline]
 [<ffffffff810066d3>] exit_to_usermode_loop+0x183/0x1c0 arch/x86/entry/common.c:233
 [<ffffffff81008815>] prepare_exit_to_usermode arch/x86/entry/common.c:264 [inline]
 [<ffffffff81008815>] syscall_return_slowpath+0x275/0x2f0 arch/x86/entry/common.c:329
 [<ffffffff8587799c>] entry_SYSCALL_64_fastpath+0xbf/0xc1
Memory state around the buggy address:
 ffff8800ae102780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff8800ae102800: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff8800ae102880: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
                                              ^
 ffff8800ae102900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8800ae102980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
==================================================================
BUG: KASAN: use-after-free in pneigh_get_next.isra.18+0x214/0x320 net/core/neighbour.c:2629 at addr ffff8800ae1028c0
Read of size 8 by task syz-executor.3/15217
CPU: 0 PID: 15217 Comm: syz-executor.3 Tainted: G    B           4.7.0-rc3+ #1
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 1ffffffff0d55dda ffff8800b829f1c0 ffffffff829ccc36 ffff8800ae1028c0
 ffff8800b829f250 ffff8800ae1028c0 ffff88012bc00900 ffff8800b829f240
 ffffffff81746e17 0000000000000010 ffff880000000000 0000000000000282
Call Trace:
 [<ffffffff829ccc36>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff829ccc36>] dump_stack+0xe6/0x120 lib/dump_stack.c:51
 [<ffffffff81746e17>] object_err mm/kasan/report.c:139 [inline]
 [<ffffffff81746e17>] print_address_description mm/kasan/report.c:180 [inline]
 [<ffffffff81746e17>] kasan_report_error+0x1e7/0x5b0 mm/kasan/report.c:276
 [<ffffffff817472de>] kasan_report mm/kasan/report.c:298 [inline]
 [<ffffffff817472de>] __asan_report_load8_noabort+0x3e/0x40 mm/kasan/report.c:319
 [<ffffffff8464add4>] pneigh_get_next.isra.18+0x214/0x320 net/core/neighbour.c:2629
 [<ffffffff8464bc51>] neigh_seq_next+0x91/0x1c0 net/core/neighbour.c:2711
 [<ffffffff818096a4>] seq_read+0x9e4/0x11a0 fs/seq_file.c:268
 [<ffffffff818f7b9c>] proc_reg_read+0xbc/0x180 fs/proc/inode.c:203
 [<ffffffff81797944>] do_loop_readv_writev+0x134/0x210 fs/read_write.c:714
 [<ffffffff8179c235>] do_readv_writev+0x565/0x660 fs/read_write.c:845
 [<ffffffff8179c397>] vfs_readv+0x67/0xa0 fs/read_write.c:869
 [<ffffffff8183748d>] kernel_readv fs/splice.c:583 [inline]
 [<ffffffff8183748d>] default_file_splice_read+0x42d/0x800 fs/splice.c:659
 [<ffffffff81832e43>] do_splice_to+0xe3/0x140 fs/splice.c:1154
 [<ffffffff818330d5>] splice_direct_to_actor+0x235/0x7c0 fs/splice.c:1226
 [<ffffffff818337ae>] do_splice_direct+0x14e/0x260 fs/splice.c:1337
 [<ffffffff8179df00>] do_sendfile+0x4c0/0xe40 fs/read_write.c:1354
 [<ffffffff8179facd>] SYSC_sendfile64 fs/read_write.c:1415 [inline]
 [<ffffffff8179facd>] SyS_sendfile64+0x11d/0x120 fs/read_write.c:1401
 [<ffffffff85877900>] entry_SYSCALL_64_fastpath+0x23/0xc1
Object at ffff8800ae1028c0, in cache kmalloc-4096
Object freed, allocated with size 2816 bytes
Allocation:
PID = 15217
 [<ffffffff8120b336>] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:67
 [<ffffffff81746086>] save_stack+0x46/0xd0 mm/kasan/kasan.c:476
 [<ffffffff817462da>] set_track mm/kasan/kasan.c:488 [inline]
 [<ffffffff817462da>] kasan_kmalloc+0xda/0x100 mm/kasan/kasan.c:586
 [<ffffffff81740a35>] __do_kmalloc mm/slab.c:3773 [inline]
 [<ffffffff81740a35>] __kmalloc_track_caller+0x165/0x790 mm/slab.c:3788
 [<ffffffff8168b28b>] kmemdup+0x1b/0x40 mm/util.c:113
 [<ffffffff84cfdf76>] __addrconf_sysctl_register+0x86/0x340 net/ipv6/addrconf.c:5947
 [<ffffffff84cff1f4>] addrconf_sysctl_register+0x104/0x1a0 net/ipv6/addrconf.c:5995
 [<ffffffff84d05ac8>] ipv6_add_dev+0x978/0xfd0 net/ipv6/addrconf.c:424
 [<ffffffff84d18d44>] addrconf_notify+0x764/0x1cf0 net/ipv6/addrconf.c:3239
 [<ffffffff813af26b>] notifier_call_chain+0x8b/0x170 kernel/notifier.c:93
 [<ffffffff813af371>] __raw_notifier_call_chain kernel/notifier.c:394 [inline]
 [<ffffffff813af371>] raw_notifier_call_chain+0x11/0x20 kernel/notifier.c:401
 [<ffffffff84613e77>] call_netdevice_notifiers_info+0x47/0x80 net/core/dev.c:1643
 [<ffffffff8463a147>] call_netdevice_notifiers net/core/dev.c:1659 [inline]
 [<ffffffff8463a147>] register_netdevice+0x907/0xd60 net/core/dev.c:7100
 [<ffffffff835b8ac0>] tun_set_iff drivers/net/tun.c:1811 [inline]
 [<ffffffff835b8ac0>] __tun_chr_ioctl+0x13e0/0x3540 drivers/net/tun.c:2010
 [<ffffffff835bac4e>] tun_chr_ioctl+0xe/0x10 drivers/net/tun.c:2255
 [<ffffffff817d407f>] vfs_ioctl fs/ioctl.c:43 [inline]
 [<ffffffff817d407f>] do_vfs_ioctl+0x17f/0xec0 fs/ioctl.c:674
 [<ffffffff817d4e34>] SYSC_ioctl fs/ioctl.c:689 [inline]
 [<ffffffff817d4e34>] SyS_ioctl+0x74/0x80 fs/ioctl.c:680
 [<ffffffff85877900>] entry_SYSCALL_64_fastpath+0x23/0xc1
Deallocation:
PID = 15216
 [<ffffffff8120b336>] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:67
 [<ffffffff81746086>] save_stack+0x46/0xd0 mm/kasan/kasan.c:476
 [<ffffffff8174686b>] set_track mm/kasan/kasan.c:488 [inline]
 [<ffffffff8174686b>] kasan_slab_free+0x9b/0xd0 mm/kasan/kasan.c:540
 [<ffffffff817446be>] __cache_free mm/slab.c:3551 [inline]
 [<ffffffff817446be>] kfree+0xce/0x2c0 mm/slab.c:3868
 [<ffffffff84cff30a>] __addrconf_sysctl_unregister.isra.42+0x7a/0xa0 net/ipv6/addrconf.c:5981
 [<ffffffff84d0e6c6>] addrconf_sysctl_unregister net/ipv6/addrconf.c:6005 [inline]
 [<ffffffff84d0e6c6>] addrconf_ifdown+0x856/0xcd0 net/ipv6/addrconf.c:3593
 [<ffffffff84d18cf0>] addrconf_notify+0x710/0x1cf0 net/ipv6/addrconf.c:3367
 [<ffffffff813af26b>] notifier_call_chain+0x8b/0x170 kernel/notifier.c:93
 [<ffffffff813af371>] __raw_notifier_call_chain kernel/notifier.c:394 [inline]
 [<ffffffff813af371>] raw_notifier_call_chain+0x11/0x20 kernel/notifier.c:401
 [<ffffffff84613e77>] call_netdevice_notifiers_info+0x47/0x80 net/core/dev.c:1643
 [<ffffffff84620aea>] call_netdevice_notifiers net/core/dev.c:1659 [inline]
 [<ffffffff84620aea>] rollback_registered_many+0x3fa/0x740 net/core/dev.c:6611
 [<ffffffff84620e9f>] rollback_registered+0x6f/0x90 net/core/dev.c:6652
 [<ffffffff84620f28>] unregister_netdevice_queue+0x68/0x120 net/core/dev.c:7636
 [<ffffffff835b6644>] unregister_netdevice include/linux/netdevice.h:2363 [inline]
 [<ffffffff835b6644>] __tun_detach+0x764/0x9f0 drivers/net/tun.c:561
 [<ffffffff835b6910>] tun_detach drivers/net/tun.c:570 [inline]
 [<ffffffff835b6910>] tun_chr_close+0x40/0x60 drivers/net/tun.c:2343
 [<ffffffff817a052e>] __fput+0x20e/0x750 fs/file_table.c:208
 [<ffffffff817a0ad9>] ____fput+0x9/0x10 fs/file_table.c:244
 [<ffffffff813a74bc>] task_work_run+0xdc/0x150 kernel/task_work.c:115
 [<ffffffff810066d3>] tracehook_notify_resume include/linux/tracehook.h:191 [inline]
 [<ffffffff810066d3>] exit_to_usermode_loop+0x183/0x1c0 arch/x86/entry/common.c:233
 [<ffffffff81008815>] prepare_exit_to_usermode arch/x86/entry/common.c:264 [inline]
 [<ffffffff81008815>] syscall_return_slowpath+0x275/0x2f0 arch/x86/entry/common.c:329
 [<ffffffff8587799c>] entry_SYSCALL_64_fastpath+0xbf/0xc1
Memory state around the buggy address:
 ffff8800ae102780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff8800ae102800: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff8800ae102880: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
                                           ^
 ffff8800ae102900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8800ae102980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
==================================================================
BUG: KASAN: use-after-free in read_pnet include/net/net_namespace.h:259 [inline] at addr ffff880124f96948
BUG: KASAN: use-after-free in pneigh_net include/net/neighbour.h:352 [inline] at addr ffff880124f96948
BUG: KASAN: use-after-free in pneigh_get_next.isra.18+0x1f7/0x320 net/core/neighbour.c:2630 at addr ffff880124f96948
Read of size 8 by task syz-executor.3/15217
CPU: 0 PID: 15217 Comm: syz-executor.3 Tainted: G    B           4.7.0-rc3+ #1
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 1ffffffff0d55dda ffff8800b829f1c0 ffffffff829ccc36 ffff880124f96940
 ffff8800b829f250 ffff880124f96940 ffff88012bc00800 ffff8800b829f240
 ffffffff81746e17 0000000000000010 ffff880000000000 0000000000000282
Call Trace:
 [<ffffffff829ccc36>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff829ccc36>] dump_stack+0xe6/0x120 lib/dump_stack.c:51
 [<ffffffff81746e17>] object_err mm/kasan/report.c:139 [inline]
 [<ffffffff81746e17>] print_address_description mm/kasan/report.c:180 [inline]
 [<ffffffff81746e17>] kasan_report_error+0x1e7/0x5b0 mm/kasan/report.c:276
 [<ffffffff817472de>] kasan_report mm/kasan/report.c:298 [inline]
 [<ffffffff817472de>] __asan_report_load8_noabort+0x3e/0x40 mm/kasan/report.c:319
 [<ffffffff8464adb7>] read_pnet include/net/net_namespace.h:259 [inline]
 [<ffffffff8464adb7>] pneigh_net include/net/neighbour.h:352 [inline]
 [<ffffffff8464adb7>] pneigh_get_next.isra.18+0x1f7/0x320 net/core/neighbour.c:2630
 [<ffffffff8464bc51>] neigh_seq_next+0x91/0x1c0 net/core/neighbour.c:2711
 [<ffffffff818096a4>] seq_read+0x9e4/0x11a0 fs/seq_file.c:268
 [<ffffffff818f7b9c>] proc_reg_read+0xbc/0x180 fs/proc/inode.c:203
 [<ffffffff81797944>] do_loop_readv_writev+0x134/0x210 fs/read_write.c:714
 [<ffffffff8179c235>] do_readv_writev+0x565/0x660 fs/read_write.c:845
 [<ffffffff8179c397>] vfs_readv+0x67/0xa0 fs/read_write.c:869
 [<ffffffff8183748d>] kernel_readv fs/splice.c:583 [inline]
 [<ffffffff8183748d>] default_file_splice_read+0x42d/0x800 fs/splice.c:659
 [<ffffffff81832e43>] do_splice_to+0xe3/0x140 fs/splice.c:1154
 [<ffffffff818330d5>] splice_direct_to_actor+0x235/0x7c0 fs/splice.c:1226
 [<ffffffff818337ae>] do_splice_direct+0x14e/0x260 fs/splice.c:1337
 [<ffffffff8179df00>] do_sendfile+0x4c0/0xe40 fs/read_write.c:1354
 [<ffffffff8179facd>] SYSC_sendfile64 fs/read_write.c:1415 [inline]
 [<ffffffff8179facd>] SyS_sendfile64+0x11d/0x120 fs/read_write.c:1401
 [<ffffffff85877900>] entry_SYSCALL_64_fastpath+0x23/0xc1
Object at ffff880124f96940, in cache kmalloc-2048
Object freed, allocated with size 1352 bytes
Allocation:
PID = 15217
 [<ffffffff8120b336>] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:67
 [<ffffffff81746086>] save_stack+0x46/0xd0 mm/kasan/kasan.c:476
 [<ffffffff817462da>] set_track mm/kasan/kasan.c:488 [inline]
 [<ffffffff817462da>] kasan_kmalloc+0xda/0x100 mm/kasan/kasan.c:586
 [<ffffffff81740a35>] __do_kmalloc mm/slab.c:3773 [inline]
 [<ffffffff81740a35>] __kmalloc_track_caller+0x165/0x790 mm/slab.c:3788
 [<ffffffff8168b28b>] kmemdup+0x1b/0x40 mm/util.c:113
 [<ffffffff8464a219>] neigh_sysctl_register+0x89/0x7c0 net/core/neighbour.c:3119
 [<ffffffff84cff194>] addrconf_sysctl_register+0xa4/0x1a0 net/ipv6/addrconf.c:5991
 [<ffffffff84d05ac8>] ipv6_add_dev+0x978/0xfd0 net/ipv6/addrconf.c:424
 [<ffffffff84d18d44>] addrconf_notify+0x764/0x1cf0 net/ipv6/addrconf.c:3239
 [<ffffffff813af26b>] notifier_call_chain+0x8b/0x170 kernel/notifier.c:93
 [<ffffffff813af371>] __raw_notifier_call_chain kernel/notifier.c:394 [inline]
 [<ffffffff813af371>] raw_notifier_call_chain+0x11/0x20 kernel/notifier.c:401
 [<ffffffff84613e77>] call_netdevice_notifiers_info+0x47/0x80 net/core/dev.c:1643
 [<ffffffff8463a147>] call_netdevice_notifiers net/core/dev.c:1659 [inline]
 [<ffffffff8463a147>] register_netdevice+0x907/0xd60 net/core/dev.c:7100
 [<ffffffff835b8ac0>] tun_set_iff drivers/net/tun.c:1811 [inline]
 [<ffffffff835b8ac0>] __tun_chr_ioctl+0x13e0/0x3540 drivers/net/tun.c:2010
 [<ffffffff835bac4e>] tun_chr_ioctl+0xe/0x10 drivers/net/tun.c:2255
 [<ffffffff817d407f>] vfs_ioctl fs/ioctl.c:43 [inline]
 [<ffffffff817d407f>] do_vfs_ioctl+0x17f/0xec0 fs/ioctl.c:674
 [<ffffffff817d4e34>] SYSC_ioctl fs/ioctl.c:689 [inline]
 [<ffffffff817d4e34>] SyS_ioctl+0x74/0x80 fs/ioctl.c:680
 [<ffffffff85877900>] entry_SYSCALL_64_fastpath+0x23/0xc1
Deallocation:
PID = 15216
 [<ffffffff8120b336>] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:67
 [<ffffffff81746086>] save_stack+0x46/0xd0 mm/kasan/kasan.c:476
 [<ffffffff8174686b>] set_track mm/kasan/kasan.c:488 [inline]
 [<ffffffff8174686b>] kasan_slab_free+0x9b/0xd0 mm/kasan/kasan.c:540
 [<ffffffff817446be>] __cache_free mm/slab.c:3551 [inline]
 [<ffffffff817446be>] kfree+0xce/0x2c0 mm/slab.c:3868
 [<ffffffff8464a9af>] neigh_sysctl_unregister+0x5f/0x80 net/core/neighbour.c:3205
 [<ffffffff84d0e6f4>] addrconf_sysctl_unregister net/ipv6/addrconf.c:6006 [inline]
 [<ffffffff84d0e6f4>] addrconf_ifdown+0x884/0xcd0 net/ipv6/addrconf.c:3593
 [<ffffffff84d18cf0>] addrconf_notify+0x710/0x1cf0 net/ipv6/addrconf.c:3367
 [<ffffffff813af26b>] notifier_call_chain+0x8b/0x170 kernel/notifier.c:93
 [<ffffffff813af371>] __raw_notifier_call_chain kernel/notifier.c:394 [inline]
 [<ffffffff813af371>] raw_notifier_call_chain+0x11/0x20 kernel/notifier.c:401
 [<ffffffff84613e77>] call_netdevice_notifiers_info+0x47/0x80 net/core/dev.c:1643
 [<ffffffff84620aea>] call_netdevice_notifiers net/core/dev.c:1659 [inline]
 [<ffffffff84620aea>] rollback_registered_many+0x3fa/0x740 net/core/dev.c:6611
 [<ffffffff84620e9f>] rollback_registered+0x6f/0x90 net/core/dev.c:6652
 [<ffffffff84620f28>] unregister_netdevice_queue+0x68/0x120 net/core/dev.c:7636
 [<ffffffff835b6644>] unregister_netdevice include/linux/netdevice.h:2363 [inline]
 [<ffffffff835b6644>] __tun_detach+0x764/0x9f0 drivers/net/tun.c:561
 [<ffffffff835b6910>] tun_detach drivers/net/tun.c:570 [inline]
 [<ffffffff835b6910>] tun_chr_close+0x40/0x60 drivers/net/tun.c:2343
 [<ffffffff817a052e>] __fput+0x20e/0x750 fs/file_table.c:208
 [<ffffffff817a0ad9>] ____fput+0x9/0x10 fs/file_table.c:244
 [<ffffffff813a74bc>] task_work_run+0xdc/0x150 kernel/task_work.c:115
 [<ffffffff810066d3>] tracehook_notify_resume include/linux/tracehook.h:191 [inline]
 [<ffffffff810066d3>] exit_to_usermode_loop+0x183/0x1c0 arch/x86/entry/common.c:233
 [<ffffffff81008815>] prepare_exit_to_usermode arch/x86/entry/common.c:264 [inline]
 [<ffffffff81008815>] syscall_return_slowpath+0x275/0x2f0 arch/x86/entry/common.c:329
 [<ffffffff8587799c>] entry_SYSCALL_64_fastpath+0xbf/0xc1
Memory state around the buggy address:
 ffff880124f96800: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff880124f96880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff880124f96900: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
                                              ^
 ffff880124f96980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff880124f96a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
==================================================================
BUG: KASAN: use-after-free in pneigh_get_next.isra.18+0x214/0x320 net/core/neighbour.c:2629 at addr ffff880124f96940
Read of size 8 by task syz-executor.3/15217
CPU: 0 PID: 15217 Comm: syz-executor.3 Tainted: G    B           4.7.0-rc3+ #1
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 1ffffffff0d55dda ffff8800b829f1c0 ffffffff829ccc36 ffff880124f96940
 ffff8800b829f250 ffff880124f96940 ffff88012bc00800 ffff8800b829f240
 ffffffff81746e17 0000000000000010 ffff880000000000 0000000000000282
Call Trace:
 [<ffffffff829ccc36>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff829ccc36>] dump_stack+0xe6/0x120 lib/dump_stack.c:51
 [<ffffffff81746e17>] object_err mm/kasan/report.c:139 [inline]
 [<ffffffff81746e17>] print_address_description mm/kasan/report.c:180 [inline]
 [<ffffffff81746e17>] kasan_report_error+0x1e7/0x5b0 mm/kasan/report.c:276
 [<ffffffff817472de>] kasan_report mm/kasan/report.c:298 [inline]
 [<ffffffff817472de>] __asan_report_load8_noabort+0x3e/0x40 mm/kasan/report.c:319
 [<ffffffff8464add4>] pneigh_get_next.isra.18+0x214/0x320 net/core/neighbour.c:2629
 [<ffffffff8464bc51>] neigh_seq_next+0x91/0x1c0 net/core/neighbour.c:2711
 [<ffffffff818096a4>] seq_read+0x9e4/0x11a0 fs/seq_file.c:268
 [<ffffffff818f7b9c>] proc_reg_read+0xbc/0x180 fs/proc/inode.c:203
 [<ffffffff81797944>] do_loop_readv_writev+0x134/0x210 fs/read_write.c:714
 [<ffffffff8179c235>] do_readv_writev+0x565/0x660 fs/read_write.c:845
 [<ffffffff8179c397>] vfs_readv+0x67/0xa0 fs/read_write.c:869
 [<ffffffff8183748d>] kernel_readv fs/splice.c:583 [inline]
 [<ffffffff8183748d>] default_file_splice_read+0x42d/0x800 fs/splice.c:659
 [<ffffffff81832e43>] do_splice_to+0xe3/0x140 fs/splice.c:1154
 [<ffffffff818330d5>] splice_direct_to_actor+0x235/0x7c0 fs/splice.c:1226
 [<ffffffff818337ae>] do_splice_direct+0x14e/0x260 fs/splice.c:1337
 [<ffffffff8179df00>] do_sendfile+0x4c0/0xe40 fs/read_write.c:1354
 [<ffffffff8179facd>] SYSC_sendfile64 fs/read_write.c:1415 [inline]
 [<ffffffff8179facd>] SyS_sendfile64+0x11d/0x120 fs/read_write.c:1401
 [<ffffffff85877900>] entry_SYSCALL_64_fastpath+0x23/0xc1
Object at ffff880124f96940, in cache kmalloc-2048
Object freed, allocated with size 1352 bytes
Allocation:
PID = 15217
 [<ffffffff8120b336>] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:67
 [<ffffffff81746086>] save_stack+0x46/0xd0 mm/kasan/kasan.c:476
 [<ffffffff817462da>] set_track mm/kasan/kasan.c:488 [inline]
 [<ffffffff817462da>] kasan_kmalloc+0xda/0x100 mm/kasan/kasan.c:586
 [<ffffffff81740a35>] __do_kmalloc mm/slab.c:3773 [inline]
 [<ffffffff81740a35>] __kmalloc_track_caller+0x165/0x790 mm/slab.c:3788
 [<ffffffff8168b28b>] kmemdup+0x1b/0x40 mm/util.c:113
 [<ffffffff8464a219>] neigh_sysctl_register+0x89/0x7c0 net/core/neighbour.c:3119
 [<ffffffff84cff194>] addrconf_sysctl_register+0xa4/0x1a0 net/ipv6/addrconf.c:5991
 [<ffffffff84d05ac8>] ipv6_add_dev+0x978/0xfd0 net/ipv6/addrconf.c:424
 [<ffffffff84d18d44>] addrconf_notify+0x764/0x1cf0 net/ipv6/addrconf.c:3239
 [<ffffffff813af26b>] notifier_call_chain+0x8b/0x170 kernel/notifier.c:93
 [<ffffffff813af371>] __raw_notifier_call_chain kernel/notifier.c:394 [inline]
 [<ffffffff813af371>] raw_notifier_call_chain+0x11/0x20 kernel/notifier.c:401
 [<ffffffff84613e77>] call_netdevice_notifiers_info+0x47/0x80 net/core/dev.c:1643
 [<ffffffff8463a147>] call_netdevice_notifiers net/core/dev.c:1659 [inline]
 [<ffffffff8463a147>] register_netdevice+0x907/0xd60 net/core/dev.c:7100
 [<ffffffff835b8ac0>] tun_set_iff drivers/net/tun.c:1811 [inline]
 [<ffffffff835b8ac0>] __tun_chr_ioctl+0x13e0/0x3540 drivers/net/tun.c:2010
 [<ffffffff835bac4e>] tun_chr_ioctl+0xe/0x10 drivers/net/tun.c:2255
 [<ffffffff817d407f>] vfs_ioctl fs/ioctl.c:43 [inline]
 [<ffffffff817d407f>] do_vfs_ioctl+0x17f/0xec0 fs/ioctl.c:674
 [<ffffffff817d4e34>] SYSC_ioctl fs/ioctl.c:689 [inline]
 [<ffffffff817d4e34>] SyS_ioctl+0x74/0x80 fs/ioctl.c:680
 [<ffffffff85877900>] entry_SYSCALL_64_fastpath+0x23/0xc1
Deallocation:
PID = 15216
 [<ffffffff8120b336>] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:67
 [<ffffffff81746086>] save_stack+0x46/0xd0 mm/kasan/kasan.c:476
 [<ffffffff8174686b>] set_track mm/kasan/kasan.c:488 [inline]
 [<ffffffff8174686b>] kasan_slab_free+0x9b/0xd0 mm/kasan/kasan.c:540
 [<ffffffff817446be>] __cache_free mm/slab.c:3551 [inline]
 [<ffffffff817446be>] kfree+0xce/0x2c0 mm/slab.c:3868
 [<ffffffff8464a9af>] neigh_sysctl_unregister+0x5f/0x80 net/core/neighbour.c:3205
 [<ffffffff84d0e6f4>] addrconf_sysctl_unregister net/ipv6/addrconf.c:6006 [inline]
 [<ffffffff84d0e6f4>] addrconf_ifdown+0x884/0xcd0 net/ipv6/addrconf.c:3593
 [<ffffffff84d18cf0>] addrconf_notify+0x710/0x1cf0 net/ipv6/addrconf.c:3367
 [<ffffffff813af26b>] notifier_call_chain+0x8b/0x170 kernel/notifier.c:93
 [<ffffffff813af371>] __raw_notifier_call_chain kernel/notifier.c:394 [inline]
 [<ffffffff813af371>] raw_notifier_call_chain+0x11/0x20 kernel/notifier.c:401
 [<ffffffff84613e77>] call_netdevice_notifiers_info+0x47/0x80 net/core/dev.c:1643
 [<ffffffff84620aea>] call_netdevice_notifiers net/core/dev.c:1659 [inline]
 [<ffffffff84620aea>] rollback_registered_many+0x3fa/0x740 net/core/dev.c:6611
 [<ffffffff84620e9f>] rollback_registered+0x6f/0x90 net/core/dev.c:6652
 [<ffffffff84620f28>] unregister_netdevice_queue+0x68/0x120 net/core/dev.c:7636
 [<ffffffff835b6644>] unregister_netdevice include/linux/netdevice.h:2363 [inline]
 [<ffffffff835b6644>] __tun_detach+0x764/0x9f0 drivers/net/tun.c:561
 [<ffffffff835b6910>] tun_detach drivers/net/tun.c:570 [inline]
 [<ffffffff835b6910>] tun_chr_close+0x40/0x60 drivers/net/tun.c:2343
 [<ffffffff817a052e>] __fput+0x20e/0x750 fs/file_table.c:208
 [<ffffffff817a0ad9>] ____fput+0x9/0x10 fs/file_table.c:244
 [<ffffffff813a74bc>] task_work_run+0xdc/0x150 kernel/task_work.c:115
 [<ffffffff810066d3>] tracehook_notify_resume include/linux/tracehook.h:191 [inline]
 [<ffffffff810066d3>] exit_to_usermode_loop+0x183/0x1c0 arch/x86/entry/common.c:233
 [<ffffffff81008815>] prepare_exit_to_usermode arch/x86/entry/common.c:264 [inline]
 [<ffffffff81008815>] syscall_return_slowpath+0x275/0x2f0 arch/x86/entry/common.c:329
 [<ffffffff8587799c>] entry_SYSCALL_64_fastpath+0xbf/0xc1
Memory state around the buggy address:
 ffff880124f96800: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff880124f96880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff880124f96900: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
                                           ^
 ffff880124f96980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff880124f96a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
==================================================================
BUG: KASAN: use-after-free in read_pnet include/net/net_namespace.h:259 [inline] at addr ffff8800b82d2708
BUG: KASAN: use-after-free in pneigh_net include/net/neighbour.h:352 [inline] at addr ffff8800b82d2708
BUG: KASAN: use-after-free in pneigh_get_next.isra.18+0x1f7/0x320 net/core/neighbour.c:2630 at addr ffff8800b82d2708
Read of size 8 by task syz-executor.3/15217
CPU: 0 PID: 15217 Comm: syz-executor.3 Tainted: G    B           4.7.0-rc3+ #1
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 1ffffffff0d55dda ffff8800b829f1c0 ffffffff829ccc36 ffff8800b82d2700
 ffff8800b829f250 ffff8800b82d2700 ffff88012bc00000 ffff8800b829f240
 ffffffff81746e17 0000000000000010 ffff880000000000 0000000000000282
Call Trace:
 [<ffffffff829ccc36>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff829ccc36>] dump_stack+0xe6/0x120 lib/dump_stack.c:51
 [<ffffffff81746e17>] object_err mm/kasan/report.c:139 [inline]
 [<ffffffff81746e17>] print_address_description mm/kasan/report.c:180 [inline]
 [<ffffffff81746e17>] kasan_report_error+0x1e7/0x5b0 mm/kasan/report.c:276
 [<ffffffff817472de>] kasan_report mm/kasan/report.c:298 [inline]
 [<ffffffff817472de>] __asan_report_load8_noabort+0x3e/0x40 mm/kasan/report.c:319
 [<ffffffff8464adb7>] read_pnet include/net/net_namespace.h:259 [inline]
 [<ffffffff8464adb7>] pneigh_net include/net/neighbour.h:352 [inline]
 [<ffffffff8464adb7>] pneigh_get_next.isra.18+0x1f7/0x320 net/core/neighbour.c:2630
 [<ffffffff8464bc51>] neigh_seq_next+0x91/0x1c0 net/core/neighbour.c:2711
 [<ffffffff818096a4>] seq_read+0x9e4/0x11a0 fs/seq_file.c:268
 [<ffffffff818f7b9c>] proc_reg_read+0xbc/0x180 fs/proc/inode.c:203
 [<ffffffff81797944>] do_loop_readv_writev+0x134/0x210 fs/read_write.c:714
 [<ffffffff8179c235>] do_readv_writev+0x565/0x660 fs/read_write.c:845
 [<ffffffff8179c397>] vfs_readv+0x67/0xa0 fs/read_write.c:869
 [<ffffffff8183748d>] kernel_readv fs/splice.c:583 [inline]
 [<ffffffff8183748d>] default_file_splice_read+0x42d/0x800 fs/splice.c:659
 [<ffffffff81832e43>] do_splice_to+0xe3/0x140 fs/splice.c:1154
 [<ffffffff818330d5>] splice_direct_to_actor+0x235/0x7c0 fs/splice.c:1226
 [<ffffffff818337ae>] do_splice_direct+0x14e/0x260 fs/splice.c:1337
 [<ffffffff8179df00>] do_sendfile+0x4c0/0xe40 fs/read_write.c:1354
 [<ffffffff8179facd>] SYSC_sendfile64 fs/read_write.c:1415 [inline]
 [<ffffffff8179facd>] SyS_sendfile64+0x11d/0x120 fs/read_write.c:1401
 [<ffffffff85877900>] entry_SYSCALL_64_fastpath+0x23/0xc1
Object at ffff8800b82d2700, in cache kmalloc-node
Object freed, allocated with size 160 bytes
Allocation:
PID = 15216
 [<ffffffff8120b336>] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:67
 [<ffffffff81746086>] save_stack+0x46/0xd0 mm/kasan/kasan.c:476
 [<ffffffff817462da>] set_track mm/kasan/kasan.c:488 [inline]
 [<ffffffff817462da>] kasan_kmalloc+0xda/0x100 mm/kasan/kasan.c:586
 [<ffffffff817426f2>] kmem_cache_alloc_trace+0x142/0x780 mm/slab.c:3675
 [<ffffffff8407064f>] kmalloc include/linux/slab.h:478 [inline]
 [<ffffffff8407064f>] netdevice_queue_work drivers/infiniband/core/roce_gid_mgmt.c:555 [inline]
 [<ffffffff8407064f>] netdevice_event+0x24f/0x7c0 drivers/infiniband/core/roce_gid_mgmt.c:657
 [<ffffffff813af26b>] notifier_call_chain+0x8b/0x170 kernel/notifier.c:93
 [<ffffffff813af371>] __raw_notifier_call_chain kernel/notifier.c:394 [inline]
 [<ffffffff813af371>] raw_notifier_call_chain+0x11/0x20 kernel/notifier.c:401
 [<ffffffff84613e77>] call_netdevice_notifiers_info+0x47/0x80 net/core/dev.c:1643
 [<ffffffff84620aea>] call_netdevice_notifiers net/core/dev.c:1659 [inline]
 [<ffffffff84620aea>] rollback_registered_many+0x3fa/0x740 net/core/dev.c:6611
 [<ffffffff84620e9f>] rollback_registered+0x6f/0x90 net/core/dev.c:6652
 [<ffffffff84620f28>] unregister_netdevice_queue+0x68/0x120 net/core/dev.c:7636
 [<ffffffff835b6644>] unregister_netdevice include/linux/netdevice.h:2363 [inline]
 [<ffffffff835b6644>] __tun_detach+0x764/0x9f0 drivers/net/tun.c:561
 [<ffffffff835b6910>] tun_detach drivers/net/tun.c:570 [inline]
 [<ffffffff835b6910>] tun_chr_close+0x40/0x60 drivers/net/tun.c:2343
 [<ffffffff817a052e>] __fput+0x20e/0x750 fs/file_table.c:208
 [<ffffffff817a0ad9>] ____fput+0x9/0x10 fs/file_table.c:244
 [<ffffffff813a74bc>] task_work_run+0xdc/0x150 kernel/task_work.c:115
 [<ffffffff810066d3>] tracehook_notify_resume include/linux/tracehook.h:191 [inline]
 [<ffffffff810066d3>] exit_to_usermode_loop+0x183/0x1c0 arch/x86/entry/common.c:233
 [<ffffffff81008815>] prepare_exit_to_usermode arch/x86/entry/common.c:264 [inline]
 [<ffffffff81008815>] syscall_return_slowpath+0x275/0x2f0 arch/x86/entry/common.c:329
 [<ffffffff8587799c>] entry_SYSCALL_64_fastpath+0xbf/0xc1
Deallocation:
PID = 6598
 [<ffffffff8120b336>] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:67
 [<ffffffff81746086>] save_stack+0x46/0xd0 mm/kasan/kasan.c:476
 [<ffffffff8174686b>] set_track mm/kasan/kasan.c:488 [inline]
 [<ffffffff8174686b>] kasan_slab_free+0x9b/0xd0 mm/kasan/kasan.c:540
 [<ffffffff817446be>] __cache_free mm/slab.c:3551 [inline]
 [<ffffffff817446be>] kfree+0xce/0x2c0 mm/slab.c:3868
 [<ffffffff8406ff8c>] netdevice_event_work_handler+0x11c/0x1d0 drivers/infiniband/core/roce_gid_mgmt.c:548
 [<ffffffff8139a6f1>] process_one_work+0x6a1/0x1580 kernel/workqueue.c:2096
 [<ffffffff8139b6a7>] worker_thread+0xd7/0xf10 kernel/workqueue.c:2230
 [<ffffffff813abf49>] kthread+0x209/0x2d0 kernel/kthread.c:209
 [<ffffffff85877b4f>] ret_from_fork+0x1f/0x40 arch/x86/entry/entry_64.S:389
Memory state around the buggy address:
 ffff8800b82d2600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8800b82d2680: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
>ffff8800b82d2700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                      ^
 ffff8800b82d2780: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
 ffff8800b82d2800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
==================================================================
BUG: KASAN: use-after-free in pneigh_get_next.isra.18+0x214/0x320 net/core/neighbour.c:2629 at addr ffff8800b82d2700
Read of size 8 by task syz-executor.3/15217
CPU: 0 PID: 15217 Comm: syz-executor.3 Tainted: G    B           4.7.0-rc3+ #1
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 1ffffffff0d55dda ffff8800b829f1c0 ffffffff829ccc36 ffff8800b82d2700
 ffff8800b829f250 ffff8800b82d2700 ffff88012bc00000 ffff8800b829f240
 ffffffff81746e17 0000000000000010 ffff880000000000 0000000000000282
Call Trace:
 [<ffffffff829ccc36>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff829ccc36>] dump_stack+0xe6/0x120 lib/dump_stack.c:51
 [<ffffffff81746e17>] object_err mm/kasan/report.c:139 [inline]
 [<ffffffff81746e17>] print_address_description mm/kasan/report.c:180 [inline]
 [<ffffffff81746e17>] kasan_report_error+0x1e7/0x5b0 mm/kasan/report.c:276
 [<ffffffff817472de>] kasan_report mm/kasan/report.c:298 [inline]
 [<ffffffff817472de>] __asan_report_load8_noabort+0x3e/0x40 mm/kasan/report.c:319
 [<ffffffff8464add4>] pneigh_get_next.isra.18+0x214/0x320 net/core/neighbour.c:2629
 [<ffffffff8464bc51>] neigh_seq_next+0x91/0x1c0 net/core/neighbour.c:2711
 [<ffffffff818096a4>] seq_read+0x9e4/0x11a0 fs/seq_file.c:268
 [<ffffffff818f7b9c>] proc_reg_read+0xbc/0x180 fs/proc/inode.c:203
 [<ffffffff81797944>] do_loop_readv_writev+0x134/0x210 fs/read_write.c:714
 [<ffffffff8179c235>] do_readv_writev+0x565/0x660 fs/read_write.c:845
 [<ffffffff8179c397>] vfs_readv+0x67/0xa0 fs/read_write.c:869
 [<ffffffff8183748d>] kernel_readv fs/splice.c:583 [inline]
 [<ffffffff8183748d>] default_file_splice_read+0x42d/0x800 fs/splice.c:659
 [<ffffffff81832e43>] do_splice_to+0xe3/0x140 fs/splice.c:1154
 [<ffffffff818330d5>] splice_direct_to_actor+0x235/0x7c0 fs/splice.c:1226
 [<ffffffff818337ae>] do_splice_direct+0x14e/0x260 fs/splice.c:1337
 [<ffffffff8179df00>] do_sendfile+0x4c0/0xe40 fs/read_write.c:1354
 [<ffffffff8179facd>] SYSC_sendfile64 fs/read_write.c:1415 [inline]
 [<ffffffff8179facd>] SyS_sendfile64+0x11d/0x120 fs/read_write.c:1401
 [<ffffffff85877900>] entry_SYSCALL_64_fastpath+0x23/0xc1
Object at ffff8800b82d2700, in cache kmalloc-node
Object freed, allocated with size 160 bytes
Allocation:
PID = 15216
 [<ffffffff8120b336>] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:67
 [<ffffffff81746086>] save_stack+0x46/0xd0 mm/kasan/kasan.c:476
 [<ffffffff817462da>] set_track mm/kasan/kasan.c:488 [inline]
 [<ffffffff817462da>] kasan_kmalloc+0xda/0x100 mm/kasan/kasan.c:586
 [<ffffffff817426f2>] kmem_cache_alloc_trace+0x142/0x780 mm/slab.c:3675
 [<ffffffff8407064f>] kmalloc include/linux/slab.h:478 [inline]
 [<ffffffff8407064f>] netdevice_queue_work drivers/infiniband/core/roce_gid_mgmt.c:555 [inline]
 [<ffffffff8407064f>] netdevice_event+0x24f/0x7c0 drivers/infiniband/core/roce_gid_mgmt.c:657
 [<ffffffff813af26b>] notifier_call_chain+0x8b/0x170 kernel/notifier.c:93
 [<ffffffff813af371>] __raw_notifier_call_chain kernel/notifier.c:394 [inline]
 [<ffffffff813af371>] raw_notifier_call_chain+0x11/0x20 kernel/notifier.c:401
 [<ffffffff84613e77>] call_netdevice_notifiers_info+0x47/0x80 net/core/dev.c:1643
 [<ffffffff84620aea>] call_netdevice_notifiers net/core/dev.c:1659 [inline]
 [<ffffffff84620aea>] rollback_registered_many+0x3fa/0x740 net/core/dev.c:6611
 [<ffffffff84620e9f>] rollback_registered+0x6f/0x90 net/core/dev.c:6652
 [<ffffffff84620f28>] unregister_netdevice_queue+0x68/0x120 net/core/dev.c:7636
 [<ffffffff835b6644>] unregister_netdevice include/linux/netdevice.h:2363 [inline]
 [<ffffffff835b6644>] __tun_detach+0x764/0x9f0 drivers/net/tun.c:561
 [<ffffffff835b6910>] tun_detach drivers/net/tun.c:570 [inline]
 [<ffffffff835b6910>] tun_chr_close+0x40/0x60 drivers/net/tun.c:2343
 [<ffffffff817a052e>] __fput+0x20e/0x750 fs/file_table.c:208
 [<ffffffff817a0ad9>] ____fput+0x9/0x10 fs/file_table.c:244
 [<ffffffff813a74bc>] task_work_run+0xdc/0x150 kernel/task_work.c:115
 [<ffffffff810066d3>] tracehook_notify_resume include/linux/tracehook.h:191 [inline]
 [<ffffffff810066d3>] exit_to_usermode_loop+0x183/0x1c0 arch/x86/entry/common.c:233
 [<ffffffff81008815>] prepare_exit_to_usermode arch/x86/entry/common.c:264 [inline]
 [<ffffffff81008815>] syscall_return_slowpath+0x275/0x2f0 arch/x86/entry/common.c:329
 [<ffffffff8587799c>] entry_SYSCALL_64_fastpath+0xbf/0xc1
Deallocation:
PID = 6598
 [<ffffffff8120b336>] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:67
 [<ffffffff81746086>] save_stack+0x46/0xd0 mm/kasan/kasan.c:476
 [<ffffffff8174686b>] set_track mm/kasan/kasan.c:488 [inline]
 [<ffffffff8174686b>] kasan_slab_free+0x9b/0xd0 mm/kasan/kasan.c:540
 [<ffffffff817446be>] __cache_free mm/slab.c:3551 [inline]
 [<ffffffff817446be>] kfree+0xce/0x2c0 mm/slab.c:3868
 [<ffffffff8406ff8c>] netdevice_event_work_handler+0x11c/0x1d0 drivers/infiniband/core/roce_gid_mgmt.c:548
 [<ffffffff8139a6f1>] process_one_work+0x6a1/0x1580 kernel/workqueue.c:2096
 [<ffffffff8139b6a7>] worker_thread+0xd7/0xf10 kernel/workqueue.c:2230
 [<ffffffff813abf49>] kthread+0x209/0x2d0 kernel/kthread.c:209