bisecting cause commit starting from 57f780f1c43362b86fd23d20bd940e2468237716
building syzkaller on 15cea0a381c6ef9a7b4ffb2770360ce8882274c5
testing commit 57f780f1c43362b86fd23d20bd940e2468237716
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1
kernel signature: 718377466cd691339e1a3e5ec3d8636f96b071bada1e0621541c40b007eae342
run #0: crashed: WARNING: ODEBUG bug in route4_destroy
run #1: crashed: KASAN: use-after-free Read in route4_destroy
run #2: crashed: KASAN: use-after-free Read in route4_destroy
run #3: crashed: KASAN: use-after-free Read in route4_destroy
run #4: crashed: KASAN: use-after-free Read in route4_destroy
run #5: crashed: WARNING: ODEBUG bug in route4_destroy
run #6: crashed: KASAN: use-after-free Read in route4_destroy
run #7: crashed: WARNING: ODEBUG bug in route4_destroy
run #8: crashed: KASAN: use-after-free Read in route4_destroy
run #9: crashed: KASAN: use-after-free Read in route4_get
run #10: crashed: KASAN: use-after-free Read in route4_get
run #11: crashed: KASAN: use-after-free Read in route4_get
run #12: crashed: WARNING: ODEBUG bug in route4_destroy
run #13: crashed: WARNING: ODEBUG bug in route4_destroy
run #14: crashed: KASAN: use-after-free Read in route4_destroy
run #15: crashed: WARNING: ODEBUG bug in route4_destroy
run #16: crashed: WARNING: ODEBUG bug in route4_destroy
run #17: crashed: WARNING: ODEBUG bug in route4_destroy
run #18: crashed: WARNING: ODEBUG bug in route4_destroy
run #19: crashed: KASAN: use-after-free Read in route4_destroy
testing release v5.13
testing commit 62fb9874f5da54fdb243003b386128037319b219
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1
kernel signature: 909f5b513362d755e99068620c19525cb2afd91ca8725228219fd46574a48866
run #0: crashed: KASAN: use-after-free Read in route4_destroy
run #1: crashed: WARNING: ODEBUG bug in route4_destroy
run #2: crashed: KASAN: use-after-free Read in route4_destroy
run #3: crashed: KASAN: use-after-free Read in route4_destroy
run #4: crashed: WARNING: ODEBUG bug in route4_destroy
run #5: crashed: WARNING: ODEBUG bug in route4_destroy
run #6: crashed: WARNING: ODEBUG bug in route4_destroy
run #7: crashed: KASAN: use-after-free Read in route4_destroy
run #8: crashed: KASAN: use-after-free Read in route4_destroy
run #9: crashed: KASAN: use-after-free Read in route4_destroy
testing release v5.12
testing commit 9f4ad9e425a1d3b6a34617b8ea226d56a119a717
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1
kernel signature: bb4e26dd8f4a005b0fd76547575ef29621d4d502b5251ddaf0a5696974104629
run #0: crashed: KASAN: use-after-free Read in route4_destroy
run #1: crashed: WARNING: ODEBUG bug in route4_destroy
run #2: crashed: WARNING: ODEBUG bug in route4_destroy
run #3: crashed: WARNING: ODEBUG bug in route4_destroy
run #4: crashed: KASAN: use-after-free Read in route4_get
run #5: crashed: WARNING: ODEBUG bug in route4_destroy
run #6: crashed: WARNING: ODEBUG bug in route4_destroy
run #7: crashed: KASAN: use-after-free Read in route4_destroy
run #8: crashed: KASAN: use-after-free Read in route4_destroy
run #9: crashed: KASAN: use-after-free Read in route4_destroy
testing release v5.11
testing commit f40ddce88593482919761f74910f42f4b84c004b
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1
kernel signature: 3222e6ed80513dd888ba5df1ed0bb0fed90b38311471a07f8ebfef14f678fd42
run #0: crashed: WARNING: ODEBUG bug in route4_destroy
run #1: crashed: KASAN: use-after-free Read in route4_destroy
run #2: crashed: KASAN: use-after-free Read in route4_get
run #3: crashed: WARNING: ODEBUG bug in route4_destroy
run #4: crashed: KASAN: use-after-free Read in route4_destroy
run #5: crashed: KASAN: use-after-free Read in route4_destroy
run #6: crashed: KASAN: use-after-free Read in route4_destroy
run #7: crashed: KASAN: use-after-free Read in route4_destroy
run #8: crashed: WARNING: ODEBUG bug in route4_destroy
run #9: crashed: KASAN: use-after-free Read in route4_destroy
testing release v5.10
testing commit 2c85ebc57b3e1817b6ce1a6b703928e113a90442
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1
kernel signature: 35c88fb67e0626f0232c5254d6e9f188ff33bdc5ecf75a2e20b39b0354577e82
run #0: crashed: WARNING: ODEBUG bug in route4_destroy
run #1: crashed: KASAN: use-after-free Read in route4_destroy
run #2: crashed: KASAN: use-after-free Read in route4_destroy
run #3: crashed: WARNING: ODEBUG bug in route4_destroy
run #4: crashed: KASAN: use-after-free Read in route4_destroy
run #5: crashed: WARNING: ODEBUG bug in route4_destroy
run #6: crashed: KASAN: use-after-free Read in route4_destroy
run #7: crashed: KASAN: use-after-free Read in route4_destroy
run #8: crashed: KASAN: use-after-free Read in route4_destroy
run #9: crashed: WARNING: ODEBUG bug in route4_destroy
testing release v5.9
testing commit bbf5c979011a099af5dc76498918ed7df445635b
compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1
kernel signature: 4753fc6113ccf19b73886623e431f1d42203e5df7900561c23ce4babeaf8f756
run #0: crashed: WARNING: ODEBUG bug in route4_destroy
run #1: crashed: KASAN: use-after-free Read in route4_destroy
run #2: crashed: WARNING: ODEBUG bug in route4_destroy
run #3: crashed: WARNING: ODEBUG bug in route4_destroy
run #4: crashed: KASAN: use-after-free Read in route4_destroy
run #5: crashed: WARNING: ODEBUG bug in route4_destroy
run #6: crashed: KASAN: use-after-free Read in route4_destroy
run #7: crashed: KASAN: use-after-free Read in route4_destroy
run #8: crashed: KASAN: use-after-free Read in route4_destroy
run #9: crashed: KASAN: use-after-free Read in route4_destroy
testing release v5.8
testing commit bcf876870b95592b52519ed4aafcf9d95999bc9c
compiler: gcc (GCC) 8.4.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1
kernel signature: 64bef9c619e4f9660afe7c971d6b25d7fe2654ae1e3be1137534ef774e1b1619
run #0: crashed: WARNING: ODEBUG bug in route4_destroy
run #1: crashed: KASAN: use-after-free Read in route4_destroy
run #2: crashed: WARNING: ODEBUG bug in route4_destroy
run #3: crashed: KASAN: use-after-free Read in route4_destroy
run #4: crashed: KASAN: use-after-free Read in route4_destroy
run #5: crashed: WARNING: ODEBUG bug in route4_destroy
run #6: crashed: KASAN: use-after-free Read in route4_destroy
run #7: crashed: KASAN: use-after-free Read in route4_destroy
run #8: crashed: KASAN: use-after-free Read in route4_destroy
run #9: crashed: KASAN: use-after-free Read in route4_destroy
testing release v5.7
testing commit 3d77e6a8804abcc0504c904bd6e5cdf3a5cf8162
compiler: gcc version 8.4.1 20210217 (GCC), GNU ld (GNU Binutils for Debian) 2.35.1
kernel signature: f76fe31c01316385978519b5b4e89add706a0c3d5fe63afc28097ce825bd70af
run #0: crashed: KASAN: use-after-free Read in route4_destroy
run #1: crashed: KASAN: use-after-free Read in route4_destroy
run #2: crashed: KASAN: use-after-free Read in route4_destroy
run #3: crashed: KASAN: use-after-free Read in route4_destroy
run #4: crashed: KASAN: use-after-free Read in route4_destroy
run #5: crashed: KASAN: use-after-free Read in route4_destroy
run #6: crashed: WARNING: ODEBUG bug in route4_destroy
run #7: crashed: KASAN: use-after-free Read in route4_destroy
run #8: crashed: KASAN: use-after-free Read in route4_destroy
run #9: crashed: WARNING: ODEBUG bug in route4_destroy
testing release v5.6
testing commit 7111951b8d4973bda27ff663f2cf18b663d15b48
compiler: gcc version 8.4.1 20210217 (GCC)
kernel signature: ce1c40f29ea7dac1ab1efcb8a4c28e91d707e6db2dd3c7ba2f4d3ff05339b929
run #0: crashed: KASAN: use-after-free Read in route4_destroy
run #1: crashed: KASAN: use-after-free Read in route4_destroy
run #2: crashed: KASAN: use-after-free Read in route4_destroy
run #3: crashed: WARNING: ODEBUG bug in route4_destroy
run #4: crashed: KASAN: use-after-free Read in route4_destroy
run #5: crashed: KASAN: use-after-free Read in route4_get
run #6: crashed: WARNING: ODEBUG bug in route4_destroy
run #7: crashed: KASAN: use-after-free Read in route4_get
run #8: crashed: KASAN: use-after-free Read in route4_destroy
run #9: crashed: KASAN: use-after-free Read in route4_destroy
testing release v5.5
testing commit d5226fa6dbae0569ee43ecfc08bdcd6770fc4755
compiler: gcc version 8.4.1 20210217 (GCC)
kernel signature: 52e3d19b3dd1254ec0fc70d5e850d8b373790b6a1ce2b4832bb7a2a2d3945561
run #0: crashed: KASAN: use-after-free Read in route4_destroy
run #1: crashed: WARNING: ODEBUG bug in route4_destroy
run #2: crashed: KASAN: use-after-free Read in route4_destroy
run #3: crashed: WARNING: ODEBUG bug in route4_destroy
run #4: crashed: KASAN: use-after-free Read in route4_destroy
run #5: crashed: KASAN: use-after-free Read in route4_destroy
run #6: crashed: KASAN: use-after-free Read in route4_destroy
run #7: crashed: WARNING: ODEBUG bug in route4_destroy
run #8: crashed: WARNING: ODEBUG bug in tcf_queue_work
run #9: crashed: WARNING: ODEBUG bug in route4_destroy
testing release v5.4
testing commit 219d54332a09e8d8741c1e1982f5eae56099de85
compiler: gcc version 8.4.1 20210217 (GCC)
kernel signature: aaf25273084462a2ad615141adb1da70de0e843313526173854dc50400e6d06c
run #0: crashed: WARNING: ODEBUG bug in route4_destroy
run #1: crashed: KASAN: use-after-free Read in route4_destroy
run #2: crashed: KASAN: use-after-free Read in route4_destroy
run #3: crashed: WARNING: ODEBUG bug in route4_destroy
run #4: crashed: KASAN: use-after-free Read in route4_get
run #5: crashed: KASAN: use-after-free Read in route4_destroy
run #6: crashed: KASAN: use-after-free Read in route4_destroy
run #7: crashed: KASAN: use-after-free Read in route4_destroy
run #8: crashed: KASAN: use-after-free Read in route4_get
run #9: crashed: KASAN: use-after-free Read in route4_destroy
testing release v5.3
testing commit 4d856f72c10ecb060868ed10ff1b1453943fc6c8
compiler: gcc version 8.4.1 20210217 (GCC)
kernel signature: 6a118b86ece6a00ec309dfe958551a7e37b62c5a38c74bfffbdf71d5ff2118cf
run #0: crashed: KASAN: use-after-free Read in route4_destroy
run #1: crashed: KASAN: use-after-free Read in route4_destroy
run #2: crashed: KASAN: use-after-free Read in route4_destroy
run #3: crashed: WARNING: ODEBUG bug in tcf_queue_work
run #4: crashed: KASAN: use-after-free Read in route4_destroy
run #5: crashed: KASAN: use-after-free Read in route4_destroy
run #6: crashed: KASAN: use-after-free Read in route4_destroy
run #7: crashed: KASAN: use-after-free Read in route4_destroy
run #8: crashed: WARNING: ODEBUG bug in tcf_queue_work
run #9: crashed: KASAN: use-after-free Read in route4_destroy
testing release v5.2
testing commit 0ecfebd2b52404ae0c54a878c872bb93363ada36
compiler: gcc version 8.4.1 20210217 (GCC)
kernel signature: dc0a4e06aabc5a71b7bb3c51a117c73e328564b4a4f21cfd43ea9747d8ce137d
all runs: crashed: KASAN: use-after-free Read in route4_destroy
testing release v5.1
testing commit e93c9c99a629c61837d5a7fc2120cd2b6c70dbdd
compiler: gcc version 8.4.1 20210217 (GCC)
kernel signature: 6f28a54ae9631f7a38ae82812fc557e8efc8855fdd74a27360b3ac8c36083bee
run #0: crashed: KASAN: use-after-free Read in route4_destroy
run #1: crashed: KASAN: use-after-free Read in route4_destroy
run #2: crashed: WARNING: ODEBUG bug in tcf_queue_work
run #3: crashed: WARNING: ODEBUG bug in tcf_queue_work
run #4: crashed: KASAN: use-after-free Read in route4_destroy
run #5: crashed: KASAN: use-after-free Read in route4_destroy
run #6: crashed: KASAN: use-after-free Read in route4_destroy
run #7: crashed: KASAN: use-after-free Read in route4_destroy
run #8: crashed: KASAN: use-after-free Read in route4_destroy
run #9: crashed: WARNING: ODEBUG bug in __init_work
testing release v5.0
testing commit 1c163f4c7b3f621efff9b28a47abb36f7378d783
compiler: gcc version 8.4.1 20210217 (GCC)
kernel signature: cc4af3f53694d3fa6e61b52de0e00edfb6449f3b5e2c0a6ea7e7eb72c3e13ece
run #0: crashed: KASAN: use-after-free Read in route4_destroy
run #1: crashed: KASAN: use-after-free Read in route4_destroy
run #2: crashed: KASAN: use-after-free Read in route4_destroy
run #3: crashed: KASAN: use-after-free Read in route4_destroy
run #4: crashed: KASAN: use-after-free Read in route4_destroy
run #5: crashed: KASAN: use-after-free Read in route4_destroy
run #6: crashed: WARNING: ODEBUG bug in tcf_queue_work
run #7: crashed: WARNING: locking bug in corrupted
run #8: crashed: WARNING: ODEBUG bug in tcf_queue_work
run #9: crashed: WARNING: locking bug in corrupted
testing release v4.20
testing commit 8fe28cb58bcb235034b64cbbb7550a8a43fd88be
compiler: gcc version 8.4.1 20210217 (GCC)
kernel signature: ba2676e7c82672e1573235b569eecf2521057c0a9cdeeae50da2a2bbbbebe94f
run #0: crashed: WARNING: ODEBUG bug in tcf_queue_work
run #1: crashed: KASAN: use-after-free Read in route4_destroy
run #2: crashed: WARNING: ODEBUG bug in tcf_queue_work
run #3: crashed: KASAN: use-after-free Read in route4_destroy
run #4: crashed: KASAN: use-after-free Read in route4_destroy
run #5: crashed: KASAN: use-after-free Read in route4_destroy
run #6: crashed: WARNING: ODEBUG bug in tcf_queue_work
run #7: crashed: WARNING: ODEBUG bug in tcf_queue_work
run #8: crashed: KASAN: use-after-free Read in route4_destroy
run #9: crashed: WARNING: ODEBUG bug in __init_work
testing release v4.19
testing commit 84df9525b0c27f3ebc2ebb1864fa62a97fdedb7d
compiler: gcc version 8.4.1 20210217 (GCC)
kernel signature: a61122edd433e5af4f08bf1d43ff70e4eea2fa074cd0eb85efd071a0489d7f99
run #0: crashed: KASAN: use-after-free Read in route4_destroy
run #1: crashed: WARNING: ODEBUG bug in __route4_delete_filter
run #2: crashed: KASAN: use-after-free Read in route4_destroy
run #3: crashed: KASAN: use-after-free Read in route4_destroy
run #4: crashed: KASAN: use-after-free Read in route4_destroy
run #5: crashed: WARNING: ODEBUG bug in tcf_queue_work
run #6: crashed: WARNING: ODEBUG bug in __init_work
run #7: crashed: KASAN: use-after-free Read in route4_destroy
run #8: crashed: KASAN: use-after-free Read in route4_destroy
run #9: crashed: KASAN: use-after-free Read in route4_destroy
testing release v4.18
testing commit 94710cac0ef4ee177a63b5227664b38c95bbf703
compiler: gcc version 8.4.1 20210217 (GCC)
kernel signature: bcc996862113df9eb010135ab9c96280c6b4967c9d812d376a19404e4cdfc540
run #0: crashed: WARNING: ODEBUG bug in __route4_delete_filter
run #1: crashed: KASAN: use-after-free Read in route4_destroy
run #2: crashed: KASAN: use-after-free Read in route4_destroy
run #3: crashed: WARNING: ODEBUG bug in tcf_queue_work
run #4: crashed: KASAN: use-after-free Read in route4_destroy
run #5: crashed: KASAN: use-after-free Read in route4_destroy
run #6: crashed: KASAN: use-after-free Read in route4_destroy
run #7: crashed: KASAN: use-after-free Read in route4_destroy
run #8: crashed: WARNING: ODEBUG bug in __init_work
run #9: crashed: KASAN: use-after-free Read in route4_destroy
testing release v4.17
testing commit 29dcea88779c856c7dc92040a0c01233263101d4
failed to run ["make" "-j" "64" "ARCH=x86_64" "CC=/syzkaller/shared/bisect_bin/gcc-8.1.0/bin/gcc" "bzImage"]: exit status 2
testing release v4.16
testing commit 0adb32858b0bddf4ada5f364a84ed60b196dbcda
orc_dump.c:106:2: error: 'elf_getshnum' is deprecated [-Werror=deprecated-declarations]
orc_dump.c:111:2: error: 'elf_getshstrndx' is deprecated [-Werror=deprecated-declarations]
elf.c:135:2: error: 'elf_getshnum' is deprecated [-Werror=deprecated-declarations]
elf.c:140:2: error: 'elf_getshstrndx' is deprecated [-Werror=deprecated-declarations]
testing release v4.15
testing commit d8a5b80568a9cb66810e75b182018e9edb68e8ff
orc_dump.c:106:2: error: 'elf_getshnum' is deprecated [-Werror=deprecated-declarations]
orc_dump.c:111:2: error: 'elf_getshstrndx' is deprecated [-Werror=deprecated-declarations]
pager.c:36:12: error: passing argument 2 to 'restrict'-qualified parameter aliases with argument 4 [-Werror=restrict]
elf.c:135:2: error: 'elf_getshnum' is deprecated [-Werror=deprecated-declarations]
elf.c:140:2: error: 'elf_getshstrndx' is deprecated [-Werror=deprecated-declarations]
testing release v4.14
testing commit bebc6082da0a9f5d47a1ea2edc099bf671058bd4
orc_dump.c:105:2: error: 'elf_getshnum' is deprecated [-Werror=deprecated-declarations]
orc_dump.c:110:2: error: 'elf_getshstrndx' is deprecated [-Werror=deprecated-declarations]
elf.c:134:2: error: 'elf_getshnum' is deprecated [-Werror=deprecated-declarations]
elf.c:139:2: error: 'elf_getshstrndx' is deprecated [-Werror=deprecated-declarations]
pager.c:36:12: error: passing argument 2 to 'restrict'-qualified parameter aliases with argument 4 [-Werror=restrict]
testing release v4.13
testing commit 569dbb88e80deb68974ef6fdd6a13edb9d686261
pager.c:35:12: error: passing argument 2 to 'restrict'-qualified parameter aliases with argument 4 [-Werror=restrict]
elf.c:144:2: error: 'elf_getshnum' is deprecated [-Werror=deprecated-declarations]
elf.c:149:2: error: 'elf_getshstrndx' is deprecated [-Werror=deprecated-declarations]
testing release v4.12
testing commit 6f7da290413ba713f0cdd9ff1a2a9bb129ef4f6c
pager.c:35:12: error: passing argument 2 to 'restrict'-qualified parameter aliases with argument 4 [-Werror=restrict]
elf.c:141:2: error: 'elf_getshnum' is deprecated [-Werror=deprecated-declarations]
elf.c:146:2: error: 'elf_getshstrndx' is deprecated [-Werror=deprecated-declarations]
testing release v4.11
testing commit a351e9b9fc24e982ec2f0e76379a49826036da12
elf.c:141:2: error: 'elf_getshnum' is deprecated [-Werror=deprecated-declarations]
pager.c:35:12: error: passing argument 2 to 'restrict'-qualified parameter aliases with argument 4 [-Werror=restrict]
elf.c:146:2: error: 'elf_getshstrndx' is deprecated [-Werror=deprecated-declarations]
testing release v4.10
testing commit c470abd4fde40ea6a0846a2beab642a578c0b8cd
tools/include/linux/log2.h:19:1: error: ignoring attribute 'noreturn' because it conflicts with attribute 'const' [-Werror=attributes]
elf.c:129:2: error: 'elf_getshnum' is deprecated [-Werror=deprecated-declarations]
elf.c:134:2: error: 'elf_getshstrndx' is deprecated [-Werror=deprecated-declarations]
pager.c:35:12: error: passing argument 2 to 'restrict'-qualified parameter aliases with argument 4 [-Werror=restrict]
testing release v4.9
testing commit 69973b830859bc6529a7a0468ba0d80ee5117826
tools/include/linux/log2.h:19:1: error: ignoring attribute 'noreturn' because it conflicts with attribute 'const' [-Werror=attributes]
elf.c:129:2: error: 'elf_getshnum' is deprecated [-Werror=deprecated-declarations]
elf.c:134:2: error: 'elf_getshstrndx' is deprecated [-Werror=deprecated-declarations]
pager.c:35:12: error: passing argument 2 to 'restrict'-qualified parameter aliases with argument 4 [-Werror=restrict]
testing release v4.8
testing commit c8d2bc9bc39ebea8437fd974fdbc21847bb897a3
tools/include/linux/log2.h:19:1: error: ignoring attribute 'noreturn' because it conflicts with attribute 'const' [-Werror=attributes]
elf.c:129:2: error: 'elf_getshnum' is deprecated [-Werror=deprecated-declarations]
elf.c:134:2: error: 'elf_getshstrndx' is deprecated [-Werror=deprecated-declarations]
pager.c:33:12: error: passing argument 2 to 'restrict'-qualified parameter aliases with argument 4 [-Werror=restrict]
testing release v4.7
testing commit 523d939ef98fd712632d93a5a2b588e477a7565e
tools/include/linux/log2.h:19:1: error: ignoring attribute 'noreturn' because it conflicts with attribute 'const' [-Werror=attributes]
elf.c:122:2: error: 'elf_getshnum' is deprecated [-Werror=deprecated-declarations]
elf.c:127:2: error: 'elf_getshstrndx' is deprecated [-Werror=deprecated-declarations]
pager.c:33:12: error: passing argument 2 to 'restrict'-qualified parameter aliases with argument 4 [-Werror=restrict]
testing release v4.6
testing commit 2dcd0af568b0cf583645c8a317dd12e344b1c72a
tools/include/linux/log2.h:19:1: error: ignoring attribute 'noreturn' because it conflicts with attribute 'const' [-Werror=attributes]
pager.c:33:12: error: passing argument 2 to 'restrict'-qualified parameter aliases with argument 4 [-Werror=restrict]
revisions tested: 18, total time: 3h0m57.633951702s (build: 1h58m35.220792351s, test: 56m23.730343943s)
the crash already happened on the oldest tested release
commit msg: Linux 4.18
crash: KASAN: use-after-free Read in route4_destroy
Bluetooth: hci3: command 0x0419 tx timeout
wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50
IPv6: ADDRCONF(NETDEV_CHANGE): wlan1: link becomes ready
==================================================================
BUG: KASAN: use-after-free in route4_destroy+0x535/0x6e0 net/sched/cls_route.c:298
Read of size 8 at addr ffff880096653b00 by task syz-executor.3/10158

CPU: 1 PID: 10158 Comm: syz-executor.3 Not tainted 4.18.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x15a/0x20d lib/dump_stack.c:113
 print_address_description.cold.6+0x9/0x244 mm/kasan/report.c:256
 kasan_report_error mm/kasan/report.c:354 [inline]
 kasan_report mm/kasan/report.c:412 [inline]
 kasan_report.cold.7+0x242/0x305 mm/kasan/report.c:396
 __asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:433
 route4_destroy+0x535/0x6e0 net/sched/cls_route.c:298
 tcf_proto_destroy+0x59/0xf0 net/sched/cls_api.c:179
 tcf_chain_flush+0x142/0x2b0 net/sched/cls_api.c:228
 tcf_block_put_ext.part.19+0x1d9/0x600 net/sched/cls_api.c:685
 tcf_block_put_ext net/sched/cls_api.c:669 [inline]
 tcf_block_put+0xa8/0xf0 net/sched/cls_api.c:707
 drr_destroy_qdisc+0x42/0x1e0 net/sched/sch_drr.c:464
 qdisc_destroy+0x126/0x5f0 net/sched/sch_generic.c:962
 notify_and_destroy+0x34/0x40 net/sched/sch_api.c:917
 qdisc_graft+0x86c/0xdf0 net/sched/sch_api.c:975
 tc_modify_qdisc+0x965/0x18d7 net/sched/sch_api.c:1561
 rtnetlink_rcv_msg+0x34f/0x950 net/core/rtnetlink.c:4665
 netlink_rcv_skb+0x142/0x390 net/netlink/af_netlink.c:2455
 rtnetlink_rcv+0x10/0x20 net/core/rtnetlink.c:4683
 netlink_unicast_kernel net/netlink/af_netlink.c:1317 [inline]
 netlink_unicast+0x443/0x660 net/netlink/af_netlink.c:1343
 netlink_sendmsg+0x667/0xc60 net/netlink/af_netlink.c:1908
 sock_sendmsg_nosec net/socket.c:642 [inline]
 sock_sendmsg+0xac/0xf0 net/socket.c:652
 ___sys_sendmsg+0x647/0x950 net/socket.c:2126
 __sys_sendmsg+0xd9/0x180 net/socket.c:2164
 __do_sys_sendmsg net/socket.c:2173 [inline]
 __se_sys_sendmsg net/socket.c:2171 [inline]
 __x64_sys_sendmsg+0x73/0xb0 net/socket.c:2171
 do_syscall_64+0xda/0x540 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x4665f9
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f978d88c188 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 000000000056bf80 RCX: 00000000004665f9
RDX: 0000000000000000 RSI: 0000000020000040 RDI: 0000000000000004
RBP: 00000000004bfcc4 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000056bf80
R13: 00007ffd700b8b5f R14: 00007f978d88c300 R15: 0000000000022000

Allocated by task 10127:
 save_stack mm/kasan/kasan.c:448 [inline]
 set_track mm/kasan/kasan.c:460 [inline]
 kasan_kmalloc.part.1+0x62/0xf0 mm/kasan/kasan.c:553
 kasan_kmalloc+0xaf/0xc0 mm/kasan/kasan.c:538
 kmem_cache_alloc_trace+0x142/0x350 mm/slub.c:2735
 kmalloc include/linux/slab.h:513 [inline]
 kzalloc include/linux/slab.h:707 [inline]
 route4_change+0x24a/0x1d60 net/sched/cls_route.c:495
 tc_new_tfilter+0x561/0x1540 net/sched/cls_api.c:1185
 rtnetlink_rcv_msg+0x34f/0x950 net/core/rtnetlink.c:4665
 netlink_rcv_skb+0x142/0x390 net/netlink/af_netlink.c:2455
 rtnetlink_rcv+0x10/0x20 net/core/rtnetlink.c:4683
 netlink_unicast_kernel net/netlink/af_netlink.c:1317 [inline]
 netlink_unicast+0x443/0x660 net/netlink/af_netlink.c:1343
 netlink_sendmsg+0x667/0xc60 net/netlink/af_netlink.c:1908
 sock_sendmsg_nosec net/socket.c:642 [inline]
 sock_sendmsg+0xac/0xf0 net/socket.c:652
 ___sys_sendmsg+0x647/0x950 net/socket.c:2126
 __sys_sendmsg+0xd9/0x180 net/socket.c:2164
 __do_sys_sendmsg net/socket.c:2173 [inline]
 __se_sys_sendmsg net/socket.c:2171 [inline]
 __x64_sys_sendmsg+0x73/0xb0 net/socket.c:2171
 do_syscall_64+0xda/0x540 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 7:
 save_stack mm/kasan/kasan.c:448 [inline]
 set_track mm/kasan/kasan.c:460 [inline]
 __kasan_slab_free+0x167/0x240 mm/kasan/kasan.c:521
 kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:528
 slab_free_hook mm/slub.c:1373 [inline]
 slab_free_freelist_hook mm/slub.c:1400 [inline]
 slab_free mm/slub.c:2955 [inline]
 kfree+0x130/0x3b0 mm/slub.c:3908
 __route4_delete_filter+0x49/0x70 net/sched/cls_route.c:261
 route4_delete_filter_work+0x16/0x20 net/sched/cls_route.c:270
 process_one_work+0x7b9/0x1580 kernel/workqueue.c:2153
 worker_thread+0x85/0xb60 kernel/workqueue.c:2296
 kthread+0x316/0x3d0 kernel/kthread.c:246
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:412

The buggy address belongs to the object at ffff880096653b00
 which belongs to the cache kmalloc-192 of size 192
The buggy address is located 0 bytes inside of
 192-byte region [ffff880096653b00, ffff880096653bc0)
The buggy address belongs to the page:
page:ffffea00025994c0 count:1 mapcount:0 mapping:ffff8800b6003000 index:0x0
flags: 0xfff00000000100(slab)
raw: 00fff00000000100 dead000000000100 dead000000000200 ffff8800b6003000
raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page allocated via order 0, migratetype Unmovable, gfp_mask 0x6012c0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY)
 set_page_owner include/linux/page_owner.h:31 [inline]
 post_alloc_hook mm/page_alloc.c:1906 [inline]
 prep_new_page mm/page_alloc.c:1914 [inline]
 get_page_from_freelist+0x2f35/0x46b0 mm/page_alloc.c:3345
 __alloc_pages_nodemask+0x39e/0x2780 mm/page_alloc.c:4369
 alloc_pages_current+0xd6/0x1b0 mm/mempolicy.c:2093
 alloc_pages include/linux/gfp.h:492 [inline]
 alloc_slab_page mm/slub.c:1440 [inline]
 allocate_slab mm/slub.c:1585 [inline]
 new_slab+0x4a9/0x850 mm/slub.c:1656
 new_slab_objects mm/slub.c:2419 [inline]
 ___slab_alloc+0x609/0x940 mm/slub.c:2571
 __slab_alloc.isra.22+0x78/0xe0 mm/slub.c:2611
 slab_alloc_node mm/slub.c:2674 [inline]
 slab_alloc mm/slub.c:2716 [inline]
 kmem_cache_alloc_trace+0x295/0x350 mm/slub.c:2733
 kmalloc include/linux/slab.h:513 [inline]
 kzalloc include/linux/slab.h:707 [inline]
 kernfs_iattrs.isra.1+0x8f/0x340 fs/kernfs/inode.c:45
 kernfs_xattr_get+0x57/0x90 fs/kernfs/inode.c:316
 __vfs_getxattr+0xbe/0x120 fs/xattr.c:311
 cap_inode_need_killpriv+0x3b/0x50 security/commoncap.c:307
 security_inode_need_killpriv+0x3a/0x70 security/security.c:796
 dentry_needs_remove_privs.part.13+0x19/0x40 fs/inode.c:1782
 dentry_needs_remove_privs+0x66/0x79 fs/inode.c:1778
 do_truncate+0xa6/0x1a0 fs/open.c:55
 handle_truncate fs/namei.c:2989 [inline]
 do_last fs/namei.c:3408 [inline]
 path_openat+0x15c4/0x2290 fs/namei.c:3540

Memory state around the buggy address:
 ffff880096653a00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff880096653a80: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc
>ffff880096653b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                   ^
 ffff880096653b80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
 ffff880096653c00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================