bisecting cause commit starting from 0011572c883082a95e02d47f45fc4a42dc0e8634
building syzkaller on 442206d76b974cca2d83ec763d4cf5ee829eb7d6
testing commit 0011572c883082a95e02d47f45fc4a42dc0e8634 with gcc (GCC) 8.1.0
run #0: crashed: KASAN: use-after-free Read in pneigh_get_next
run #1: crashed: KASAN: use-after-free Read in pneigh_get_next
run #2: crashed: KASAN: use-after-free Read in sprintf
run #3: crashed: KASAN: use-after-free Read in pneigh_get_next
run #4: crashed: KASAN: use-after-free Read in pneigh_get_next
run #5: crashed: KASAN: use-after-free Read in pneigh_get_next
run #6: crashed: KASAN: use-after-free Read in sprintf
run #7: crashed: KASAN: use-after-free Read in pneigh_get_next
run #8: crashed: KASAN: use-after-free Read in pneigh_get_next
run #9: crashed: KASAN: use-after-free Read in pneigh_get_next
testing release v5.1
testing commit e93c9c99a629c61837d5a7fc2120cd2b6c70dbdd with gcc (GCC) 8.1.0
run #0: crashed: KASAN: use-after-free Read in pneigh_get_next
run #1: crashed: KASAN: use-after-free Read in pneigh_get_next
run #2: crashed: KASAN: use-after-free Read in sprintf
run #3: crashed: KASAN: use-after-free Read in sprintf
run #4: crashed: KASAN: use-after-free Read in pneigh_get_next
run #5: crashed: KASAN: use-after-free Read in pneigh_get_next
run #6: crashed: KASAN: use-after-free Read in pneigh_get_next
run #7: crashed: KASAN: use-after-free Read in pneigh_get_next
run #8: crashed: KASAN: use-after-free Read in pneigh_get_next
run #9: crashed: KASAN: use-after-free Read in pneigh_get_next
testing release v5.0
testing commit 1c163f4c7b3f621efff9b28a47abb36f7378d783 with gcc (GCC) 8.1.0
run #0: crashed: KASAN: use-after-free Read in pneigh_get_next
run #1: crashed: KASAN: use-after-free Read in pneigh_get_next
run #2: crashed: KASAN: use-after-free Read in pneigh_get_next
run #3: crashed: KASAN: use-after-free Read in pneigh_get_next
run #4: crashed: KASAN: use-after-free Read in sprintf
run #5: crashed: KASAN: use-after-free Read in pneigh_get_next
run #6: crashed: KASAN: use-after-free Read in sprintf
run #7: crashed: KASAN: use-after-free Read in pneigh_get_next
run #8: crashed: KASAN: use-after-free Read in pneigh_get_next
run #9: crashed: KASAN: use-after-free Read in pneigh_get_next
testing release v4.20
testing commit 8fe28cb58bcb235034b64cbbb7550a8a43fd88be with gcc (GCC) 8.1.0
run #0: crashed: KASAN: use-after-free Read in pneigh_get_next
run #1: crashed: KASAN: use-after-free Read in pneigh_get_next
run #2: crashed: KASAN: use-after-free Read in pneigh_get_next
run #3: crashed: KASAN: use-after-free Read in pneigh_get_next
run #4: crashed: KASAN: use-after-free Read in pneigh_get_next
run #5: crashed: KASAN: use-after-free Read in pneigh_get_next
run #6: crashed: KASAN: use-after-free Read in sprintf
run #7: crashed: KASAN: use-after-free Read in pneigh_get_next
run #8: crashed: KASAN: use-after-free Read in pneigh_get_next
run #9: crashed: KASAN: use-after-free Read in pneigh_get_next
testing release v4.19
testing commit 84df9525b0c27f3ebc2ebb1864fa62a97fdedb7d with gcc (GCC) 8.1.0
all runs: crashed: KASAN: use-after-free Read in pneigh_get_next
testing release v4.18
testing commit 94710cac0ef4ee177a63b5227664b38c95bbf703 with gcc (GCC) 8.1.0
run #0: crashed: KASAN: use-after-free Read in pneigh_get_next
run #1: crashed: KASAN: use-after-free Read in pneigh_get_next
run #2: crashed: KASAN: use-after-free Read in pneigh_get_next
run #3: crashed: KASAN: use-after-free Read in arp_seq_show
run #4: crashed: KASAN: use-after-free Read in pneigh_get_next
run #5: crashed: KASAN: use-after-free Read in pneigh_get_next
run #6: crashed: KASAN: use-after-free Read in pneigh_get_next
run #7: crashed: KASAN: use-after-free Read in pneigh_get_next
run #8: OK
run #9: OK
testing release v4.17
testing commit 29dcea88779c856c7dc92040a0c01233263101d4 with gcc (GCC) 8.1.0
run #0: crashed: KASAN: use-after-free Read in pneigh_get_next
run #1: crashed: KASAN: use-after-free Read in pneigh_get_next
run #2: crashed: KASAN: use-after-free Read in pneigh_get_next
run #3: crashed: KASAN: use-after-free Read in pneigh_get_next
run #4: crashed: KASAN: use-after-free Read in pneigh_get_next
run #5: crashed: KASAN: use-after-free Read in pneigh_get_next
run #6: crashed: KASAN: use-after-free Read in pneigh_get_next
run #7: crashed: KASAN: use-after-free Read in arp_seq_show
run #8: crashed: KASAN: use-after-free Read in pneigh_get_next
run #9: crashed: KASAN: use-after-free Read in pneigh_get_next
testing release v4.16
testing commit 0adb32858b0bddf4ada5f364a84ed60b196dbcda with gcc (GCC) 8.1.0
run #0: crashed: KASAN: use-after-free Read in pneigh_get_next
run #1: crashed: KASAN: use-after-free Read in pneigh_get_next
run #2: crashed: KASAN: use-after-free Read in pneigh_get_next
run #3: crashed: KASAN: use-after-free Read in pneigh_get_next
run #4: crashed: KASAN: use-after-free Read in pneigh_get_next
run #5: crashed: KASAN: use-after-free Read in pneigh_get_next
run #6: crashed: KASAN: use-after-free Read in pneigh_get_next
run #7: crashed: KASAN: use-after-free Read in pneigh_get_next
run #8: crashed: KASAN: use-after-free Read in pneigh_get_next
run #9: OK
testing release v4.15
testing commit d8a5b80568a9cb66810e75b182018e9edb68e8ff with gcc (GCC) 8.1.0
run #0: crashed: KASAN: use-after-free Read in pneigh_get_next
run #1: crashed: KASAN: use-after-free Read in pneigh_get_next
run #2: crashed: KASAN: use-after-free Read in pneigh_get_next
run #3: crashed: KASAN: use-after-free Read in pneigh_get_next
run #4: crashed: KASAN: use-after-free Read in pneigh_get_next
run #5: crashed: KASAN: use-after-free Read in pneigh_get_next
run #6: crashed: KASAN: use-after-free Read in pneigh_get_next
run #7: crashed: KASAN: use-after-free Read in pneigh_get_next
run #8: crashed: KASAN: use-after-free Read in sprintf
run #9: crashed: KASAN: use-after-free Read in pneigh_get_next
testing release v4.14
testing commit bebc6082da0a9f5d47a1ea2edc099bf671058bd4 with gcc (GCC) 8.1.0
all runs: crashed: KASAN: use-after-free Read in pneigh_get_next
testing release v4.13
testing commit 569dbb88e80deb68974ef6fdd6a13edb9d686261 with gcc (GCC) 8.1.0
run #0: crashed: KASAN: use-after-free Read in pneigh_get_next
run #1: crashed: KASAN: use-after-free Read in pneigh_get_next
run #2: crashed: KASAN: use-after-free Read in pneigh_get_next
run #3: crashed: KASAN: use-after-free Read in pneigh_get_next
run #4: crashed: KASAN: use-after-free Read in pneigh_get_next
run #5: crashed: KASAN: use-after-free Read in sprintf
run #6: crashed: KASAN: use-after-free Read in sprintf
run #7: crashed: KASAN: use-after-free Read in arp_seq_show
run #8: crashed: KASAN: use-after-free Read in sprintf
run #9: crashed: KASAN: use-after-free Read in sprintf
testing release v4.12
testing commit 6f7da290413ba713f0cdd9ff1a2a9bb129ef4f6c with gcc (GCC) 8.1.0
run #0: crashed: KASAN: use-after-free Read in sprintf
run #1: crashed: KASAN: use-after-free Read in pneigh_get_next
run #2: crashed: KASAN: use-after-free Read in pneigh_get_next
run #3: crashed: KASAN: use-after-free Read in pneigh_get_next
run #4: crashed: KASAN: use-after-free Read in pneigh_get_next
run #5: crashed: KASAN: use-after-free Read in pneigh_get_next
run #6: crashed: KASAN: use-after-free Read in pneigh_get_next
run #7: crashed: KASAN: use-after-free Read in pneigh_get_next
run #8: crashed: KASAN: use-after-free Read in pneigh_get_next
run #9: crashed: KASAN: use-after-free Read in pneigh_get_next
testing release v4.11
testing commit a351e9b9fc24e982ec2f0e76379a49826036da12 with gcc (GCC) 7.3.0
all runs: crashed: KASAN: use-after-free Read in pneigh_get_next
testing release v4.10
testing commit c470abd4fde40ea6a0846a2beab642a578c0b8cd with gcc (GCC) 5.5.0
run #0: crashed: KASAN: use-after-free Read in pneigh_get_next
run #1: crashed: KASAN: use-after-free Read in pneigh_get_next
run #2: crashed: KASAN: use-after-free Read in pneigh_get_next
run #3: crashed: KASAN: use-after-free Read in pneigh_get_next
run #4: crashed: KASAN: use-after-free Read in sprintf
run #5: crashed: KASAN: use-after-free Read in pneigh_get_next
run #6: crashed: KASAN: use-after-free Read in pneigh_get_next
run #7: crashed: KASAN: use-after-free Read in sprintf
run #8: crashed: KASAN: use-after-free Read in pneigh_get_next
run #9: crashed: KASAN: use-after-free Read in pneigh_get_next
testing release v4.9
testing commit 69973b830859bc6529a7a0468ba0d80ee5117826 with gcc (GCC) 5.5.0
run #0: crashed: KASAN: use-after-free Read in pneigh_get_next
run #1: crashed: KASAN: use-after-free Read in pneigh_get_next
run #2: crashed: KASAN: use-after-free Read in pneigh_get_next
run #3: crashed: KASAN: use-after-free Read in pneigh_get_next
run #4: crashed: KASAN: use-after-free Read in pneigh_get_next
run #5: crashed: KASAN: use-after-free Read in pneigh_get_next
run #6: crashed: KASAN: use-after-free Read in pneigh_get_next
run #7: crashed: KASAN: use-after-free Read in pneigh_get_next
run #8: crashed: KASAN: use-after-free Read in sprintf
run #9: crashed: KASAN: use-after-free Read in pneigh_get_next
testing release v4.8
testing commit c8d2bc9bc39ebea8437fd974fdbc21847bb897a3 with gcc (GCC) 5.5.0
run #0: crashed: KASAN: use-after-free Read in pneigh_get_next
run #1: crashed: KASAN: use-after-free Read in pneigh_get_next
run #2: crashed: KASAN: use-after-free Read in pneigh_get_next
run #3: crashed: KASAN: use-after-free Read in pneigh_get_next
run #4: crashed: KASAN: use-after-free Read in pneigh_get_next
run #5: crashed: KASAN: use-after-free Read in pneigh_get_next
run #6: crashed: KASAN: use-after-free Read in pneigh_get_next
run #7: crashed: KASAN: use-after-free Read in sprintf
run #8: crashed: KASAN: use-after-free Read in pneigh_get_next
run #9: OK
testing release v4.7
testing commit 523d939ef98fd712632d93a5a2b588e477a7565e with gcc (GCC) 5.5.0
all runs: OK
# git bisect start v4.8 v4.7
Bisecting: 7344 revisions left to test after this (roughly 13 steps)
[e61c10e468a42512f5fad74c00b62af5cc19f65f] sh: add device tree source for J2 FPGA on Mimas v2 board
testing commit e61c10e468a42512f5fad74c00b62af5cc19f65f with gcc (GCC) 5.5.0
run #0: crashed: KASAN: use-after-free Read in pneigh_get_next
run #1: crashed: KASAN: use-after-free Read in sprintf
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
# git bisect bad e61c10e468a42512f5fad74c00b62af5cc19f65f
Bisecting: 3754 revisions left to test after this (roughly 12 steps)
[08fd8c17686c6b09fa410a26d516548dd80ff147] Merge tag 'for-linus-4.8-rc0-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/xen/tip
testing commit 08fd8c17686c6b09fa410a26d516548dd80ff147 with gcc (GCC) 5.5.0
all runs: OK
# git bisect good 08fd8c17686c6b09fa410a26d516548dd80ff147
Bisecting: 1877 revisions left to test after this (roughly 11 steps)
[7ae0ae4a022b72f33d23ab6e858163d4b37400a5] Merge tag 'spi-v4.8' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/spi
testing commit 7ae0ae4a022b72f33d23ab6e858163d4b37400a5 with gcc (GCC) 5.5.0
all runs: OK
# git bisect good 7ae0ae4a022b72f33d23ab6e858163d4b37400a5
Bisecting: 875 revisions left to test after this (roughly 10 steps)
[d94ba9e7d8d5c821d0442f13b30b0140c1109c38] Merge tag 'pinctrl-v4.8-1' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl
testing commit d94ba9e7d8d5c821d0442f13b30b0140c1109c38 with gcc (GCC) 5.5.0
all runs: OK
# git bisect good d94ba9e7d8d5c821d0442f13b30b0140c1109c38
Bisecting: 397 revisions left to test after this (roughly 9 steps)
[7a1e8b80fb1e8ead4cec15d1fc494ed290e4d2e9] Merge branch 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security
testing commit 7a1e8b80fb1e8ead4cec15d1fc494ed290e4d2e9 with gcc (GCC) 5.5.0
run #0: OK
run #1: crashed: KASAN: use-after-free Read in pneigh_get_next
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
# git bisect bad 7a1e8b80fb1e8ead4cec15d1fc494ed290e4d2e9
Bisecting: 271 revisions left to test after this (roughly 8 steps)
[1a81a8f2a5918956e214bb718099a89e500e7ec5] Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/ide
testing commit 1a81a8f2a5918956e214bb718099a89e500e7ec5 with gcc (GCC) 5.5.0
all runs: OK
# git bisect good 1a81a8f2a5918956e214bb718099a89e500e7ec5
Bisecting: 135 revisions left to test after this (roughly 7 steps)
[f351841f8d41072e741e45299070d421a5833a4a] apparmor: fix put() parent ref after updating the active ref
testing commit f351841f8d41072e741e45299070d421a5833a4a with gcc (GCC) 5.5.0
all runs: OK
# git bisect good f351841f8d41072e741e45299070d421a5833a4a
Bisecting: 67 revisions left to test after this (roughly 6 steps)
[ecd8081f6fb9032c41e5c38885f06836da6ab455] ARC/time: Convert to hotplug state machine
testing commit ecd8081f6fb9032c41e5c38885f06836da6ab455 with gcc (GCC) 5.5.0
all runs: OK
# git bisect good ecd8081f6fb9032c41e5c38885f06836da6ab455
Bisecting: 37 revisions left to test after this (roughly 5 steps)
[aeaa4a79ff6a5ed912b7362f206cf8576fca538b] fs: Call d_automount with the filesystems creds
testing commit aeaa4a79ff6a5ed912b7362f206cf8576fca538b with gcc (GCC) 5.5.0
all runs: OK
# git bisect good aeaa4a79ff6a5ed912b7362f206cf8576fca538b
Bisecting: 18 revisions left to test after this (roughly 4 steps)
[fa7539b27f4a9d0bfaede2f7547c2322ac68f1f2] tpm2_i2c_nuvoton: add irq validity check
testing commit fa7539b27f4a9d0bfaede2f7547c2322ac68f1f2 with gcc (GCC) 5.5.0
all runs: OK
# git bisect good fa7539b27f4a9d0bfaede2f7547c2322ac68f1f2
Bisecting: 8 revisions left to test after this (roughly 3 steps)
[574c7e233344b58c6b14b305c93de361d3e7d35d] Merge branch 'for-4.7-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/cgroup
testing commit 574c7e233344b58c6b14b305c93de361d3e7d35d with gcc (GCC) 5.5.0
all runs: OK
# git bisect good 574c7e233344b58c6b14b305c93de361d3e7d35d
Bisecting: 4 revisions left to test after this (roughly 2 steps)
[7616ac70d1bb4f2e9d25c1a82d283f3368a7b632] apparmor: fix SECURITY_APPARMOR_HASH_DEFAULT parameter handling
testing commit 7616ac70d1bb4f2e9d25c1a82d283f3368a7b632 with gcc (GCC) 5.5.0
all runs: OK
# git bisect good 7616ac70d1bb4f2e9d25c1a82d283f3368a7b632
Bisecting: 2 revisions left to test after this (roughly 1 step)
[e148d0f85cc3e9f2802c7fcf451098c6d19b535b] Merge branch 'pm-sleep'
testing commit e148d0f85cc3e9f2802c7fcf451098c6d19b535b with gcc (GCC) 5.5.0
run #0: crashed: KASAN: use-after-free Read in pneigh_get_next
run #1: OK
run #2: OK
run #3: OK
run #4: OK
run #5: OK
run #6: OK
run #7: OK
run #8: OK
run #9: OK
# git bisect bad e148d0f85cc3e9f2802c7fcf451098c6d19b535b
Bisecting: 0 revisions left to test after this (roughly 0 steps)
[4ce827b4cc58bec7952591b96cce2b28553e4d5b] x86/power/64: Fix hibernation return address corruption
testing commit 4ce827b4cc58bec7952591b96cce2b28553e4d5b with gcc (GCC) 5.5.0
all runs: OK
# git bisect good 4ce827b4cc58bec7952591b96cce2b28553e4d5b
e148d0f85cc3e9f2802c7fcf451098c6d19b535b is the first bad commit
revisions tested: 31, total time: 7h20m32.945927573s (build: 2h14m19.767848349s, test: 4h58m59.678801592s)
first bad commit: e148d0f85cc3e9f2802c7fcf451098c6d19b535b Merge branch 'pm-sleep'
cc: ["rafael.j.wysocki@intel.com"]
crash: KASAN: use-after-free Read in pneigh_get_next
==================================================================
BUG: KASAN: use-after-free in pneigh_get_next.isra.18+0x214/0x320 net/core/neighbour.c:2633 at addr ffff8800b14abf80
Read of size 8 by task syz-executor.2/12203
CPU: 1 PID: 12203 Comm: syz-executor.2 Not tainted 4.7.0+ #1
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 1ffffffff0d56312 ffff8800aef371c0 ffffffff829e0956 ffff8800b14abf80
 ffff8800aef37250 ffff8800b14abf80 ffff88012bc00200 ffff8800aef37240
 ffffffff8174e667 ffff8800aef37268 ffff8800aef37310 0000000000000282
Call Trace:
 [<ffffffff829e0956>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff829e0956>] dump_stack+0xe6/0x120 lib/dump_stack.c:51
 [<ffffffff8174e667>] object_err mm/kasan/report.c:139 [inline]
 [<ffffffff8174e667>] print_address_description mm/kasan/report.c:180 [inline]
 [<ffffffff8174e667>] kasan_report_error+0x1e7/0x5b0 mm/kasan/report.c:276
 [<ffffffff8174eb2e>] kasan_report mm/kasan/report.c:298 [inline]
 [<ffffffff8174eb2e>] __asan_report_load8_noabort+0x3e/0x40 mm/kasan/report.c:319
 [<ffffffff84698324>] pneigh_get_next.isra.18+0x214/0x320 net/core/neighbour.c:2633
 [<ffffffff846991a1>] neigh_seq_next+0x91/0x1c0 net/core/neighbour.c:2715
 [<ffffffff81811434>] seq_read+0x9e4/0x11a0 fs/seq_file.c:268
 [<ffffffff818ff3ec>] proc_reg_read+0xbc/0x180 fs/proc/inode.c:203
 [<ffffffff8179efa4>] do_loop_readv_writev+0x134/0x210 fs/read_write.c:714
 [<ffffffff817a3895>] do_readv_writev+0x565/0x660 fs/read_write.c:845
 [<ffffffff817a39f7>] vfs_readv+0x67/0xa0 fs/read_write.c:869
 [<ffffffff8183f55d>] kernel_readv fs/splice.c:583 [inline]
 [<ffffffff8183f55d>] default_file_splice_read+0x42d/0x800 fs/splice.c:659
 [<ffffffff8183af13>] do_splice_to+0xe3/0x140 fs/splice.c:1154
 [<ffffffff8183b1a5>] splice_direct_to_actor+0x235/0x7c0 fs/splice.c:1226
 [<ffffffff8183b87e>] do_splice_direct+0x14e/0x260 fs/splice.c:1337
 [<ffffffff817a5560>] do_sendfile+0x4c0/0xe40 fs/read_write.c:1372
 [<ffffffff817a713d>] SYSC_sendfile64 fs/read_write.c:1433 [inline]
 [<ffffffff817a713d>] SyS_sendfile64+0x11d/0x120 fs/read_write.c:1419
 [<ffffffff858c93c0>] entry_SYSCALL_64_fastpath+0x23/0xc1
Object at ffff8800b14abf80, in cache kmalloc-64
Object freed, allocated with size 36 bytes
Allocation:
PID = 12208
 [<ffffffff812103a6>] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:67
 [<ffffffff8174d8d6>] save_stack+0x46/0xd0 mm/kasan/kasan.c:476
 [<ffffffff8174db7a>] set_track mm/kasan/kasan.c:488 [inline]
 [<ffffffff8174db7a>] kasan_kmalloc+0xda/0x100 mm/kasan/kasan.c:586
 [<ffffffff81748a09>] __do_kmalloc mm/slab.c:3773 [inline]
 [<ffffffff81748a09>] __kmalloc+0x169/0x7a0 mm/slab.c:3782
 [<ffffffff84696aae>] kmalloc include/linux/slab.h:483 [inline]
 [<ffffffff84696aae>] pneigh_lookup+0x15e/0x3b0 net/core/neighbour.c:594
 [<ffffffff84bd10e3>] arp_req_set_public net/ipv4/arp.c:975 [inline]
 [<ffffffff84bd10e3>] arp_req_set+0x323/0x540 net/ipv4/arp.c:991
 [<ffffffff84bd6085>] arp_ioctl+0x1c5/0x5c0 net/ipv4/arp.c:1186
 [<ffffffff84bece8b>] inet_ioctl+0x6b/0x170 net/ipv4/af_inet.c:865
 [<ffffffff84609f22>] sock_do_ioctl+0x62/0xa0 net/socket.c:866
 [<ffffffff8460a203>] sock_ioctl+0x2a3/0x390 net/socket.c:952
 [<ffffffff817dbd5f>] vfs_ioctl fs/ioctl.c:43 [inline]
 [<ffffffff817dbd5f>] do_vfs_ioctl+0x17f/0xec0 fs/ioctl.c:674
 [<ffffffff817dcb14>] SYSC_ioctl fs/ioctl.c:689 [inline]
 [<ffffffff817dcb14>] SyS_ioctl+0x74/0x80 fs/ioctl.c:680
 [<ffffffff858c93c0>] entry_SYSCALL_64_fastpath+0x23/0xc1
Deallocation:
PID = 12198
 [<ffffffff812103a6>] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:67
 [<ffffffff8174d8d6>] save_stack+0x46/0xd0 mm/kasan/kasan.c:476
 [<ffffffff8174e0bb>] set_track mm/kasan/kasan.c:488 [inline]
 [<ffffffff8174e0bb>] kasan_slab_free+0x9b/0xd0 mm/kasan/kasan.c:540
 [<ffffffff8174bf0f>] __cache_free mm/slab.c:3551 [inline]
 [<ffffffff8174bf0f>] kfree+0xcf/0x2c0 mm/slab.c:3868
 [<ffffffff8469d902>] pneigh_ifdown net/core/neighbour.c:662 [inline]
 [<ffffffff8469d902>] neigh_ifdown+0x162/0x220 net/core/neighbour.c:257
 [<ffffffff84bd6493>] arp_ifdown+0x13/0x20 net/ipv4/arp.c:1232
 [<ffffffff84be35d3>] inetdev_destroy net/ipv4/devinet.c:306 [inline]
 [<ffffffff84be35d3>] inetdev_event+0x573/0xf60 net/ipv4/devinet.c:1480
 [<ffffffff813b470b>] notifier_call_chain+0x8b/0x170 kernel/notifier.c:93
 [<ffffffff813b4811>] __raw_notifier_call_chain kernel/notifier.c:394 [inline]
 [<ffffffff813b4811>] raw_notifier_call_chain+0x11/0x20 kernel/notifier.c:401
 [<ffffffff84661377>] call_netdevice_notifiers_info+0x47/0x80 net/core/dev.c:1643
 [<ffffffff8466dfca>] call_netdevice_notifiers net/core/dev.c:1659 [inline]
 [<ffffffff8466dfca>] rollback_registered_many+0x3fa/0x740 net/core/dev.c:6611
 [<ffffffff8466e37f>] rollback_registered+0x6f/0x90 net/core/dev.c:6652
 [<ffffffff8466e408>] unregister_netdevice_queue+0x68/0x120 net/core/dev.c:7636
 [<ffffffff835e0cfe>] unregister_netdevice include/linux/netdevice.h:2363 [inline]
 [<ffffffff835e0cfe>] __tun_detach+0x73e/0x9c0 drivers/net/tun.c:561
 [<ffffffff835e0fc0>] tun_detach drivers/net/tun.c:570 [inline]
 [<ffffffff835e0fc0>] tun_chr_close+0x40/0x60 drivers/net/tun.c:2343
 [<ffffffff817a7b9e>] __fput+0x20e/0x750 fs/file_table.c:208
 [<ffffffff817a8149>] ____fput+0x9/0x10 fs/file_table.c:244
 [<ffffffff813ac959>] task_work_run+0xd9/0x150 kernel/task_work.c:114
 [<ffffffff810066d3>] tracehook_notify_resume include/linux/tracehook.h:191 [inline]
 [<ffffffff810066d3>] exit_to_usermode_loop+0x183/0x1c0 arch/x86/entry/common.c:233
 [<ffffffff81008815>] prepare_exit_to_usermode arch/x86/entry/common.c:264 [inline]
 [<ffffffff81008815>] syscall_return_slowpath+0x275/0x2f0 arch/x86/entry/common.c:329
 [<ffffffff858c945c>] entry_SYSCALL_64_fastpath+0xbf/0xc1
Memory state around the buggy address:
 ffff8800b14abe80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff8800b14abf00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff8800b14abf80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
                   ^
 ffff8800b14ac000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff8800b14ac080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
==================================================================
BUG: KASAN: use-after-free in read_pnet include/net/net_namespace.h:259 [inline] at addr ffff8800a7868848
BUG: KASAN: use-after-free in pneigh_net include/net/neighbour.h:352 [inline] at addr ffff8800a7868848
BUG: KASAN: use-after-free in pneigh_get_next.isra.18+0x1f7/0x320 net/core/neighbour.c:2634 at addr ffff8800a7868848
Read of size 8 by task syz-executor.2/12203
CPU: 1 PID: 12203 Comm: syz-executor.2 Tainted: G    B           4.7.0+ #1
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 1ffffffff0d56312 ffff8800aef371c0 ffffffff829e0956 ffff8800a7868840
 ffff8800aef37250 ffff8800a7868840 ffff88012bc00500 ffff8800aef37240
 ffffffff8174e667 0000000000000010 ffff880000000000 0000000000000282
Call Trace:
 [<ffffffff829e0956>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff829e0956>] dump_stack+0xe6/0x120 lib/dump_stack.c:51
 [<ffffffff8174e667>] object_err mm/kasan/report.c:139 [inline]
 [<ffffffff8174e667>] print_address_description mm/kasan/report.c:180 [inline]
 [<ffffffff8174e667>] kasan_report_error+0x1e7/0x5b0 mm/kasan/report.c:276
 [<ffffffff8174eb2e>] kasan_report mm/kasan/report.c:298 [inline]
 [<ffffffff8174eb2e>] __asan_report_load8_noabort+0x3e/0x40 mm/kasan/report.c:319
 [<ffffffff84698307>] read_pnet include/net/net_namespace.h:259 [inline]
 [<ffffffff84698307>] pneigh_net include/net/neighbour.h:352 [inline]
 [<ffffffff84698307>] pneigh_get_next.isra.18+0x1f7/0x320 net/core/neighbour.c:2634
 [<ffffffff846991a1>] neigh_seq_next+0x91/0x1c0 net/core/neighbour.c:2715
 [<ffffffff81811434>] seq_read+0x9e4/0x11a0 fs/seq_file.c:268
 [<ffffffff818ff3ec>] proc_reg_read+0xbc/0x180 fs/proc/inode.c:203
 [<ffffffff8179efa4>] do_loop_readv_writev+0x134/0x210 fs/read_write.c:714
 [<ffffffff817a3895>] do_readv_writev+0x565/0x660 fs/read_write.c:845
 [<ffffffff817a39f7>] vfs_readv+0x67/0xa0 fs/read_write.c:869
 [<ffffffff8183f55d>] kernel_readv fs/splice.c:583 [inline]
 [<ffffffff8183f55d>] default_file_splice_read+0x42d/0x800 fs/splice.c:659
 [<ffffffff8183af13>] do_splice_to+0xe3/0x140 fs/splice.c:1154
 [<ffffffff8183b1a5>] splice_direct_to_actor+0x235/0x7c0 fs/splice.c:1226
 [<ffffffff8183b87e>] do_splice_direct+0x14e/0x260 fs/splice.c:1337
 [<ffffffff817a5560>] do_sendfile+0x4c0/0xe40 fs/read_write.c:1372
 [<ffffffff817a713d>] SYSC_sendfile64 fs/read_write.c:1433 [inline]
 [<ffffffff817a713d>] SyS_sendfile64+0x11d/0x120 fs/read_write.c:1419
 [<ffffffff858c93c0>] entry_SYSCALL_64_fastpath+0x23/0xc1
Object at ffff8800a7868840, in cache kmalloc-256
Object freed, allocated with size 198 bytes
Allocation:
PID = 12203
 [<ffffffff812103a6>] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:67
 [<ffffffff8174d8d6>] save_stack+0x46/0xd0 mm/kasan/kasan.c:476
 [<ffffffff8174db7a>] set_track mm/kasan/kasan.c:488 [inline]
 [<ffffffff8174db7a>] kasan_kmalloc+0xda/0x100 mm/kasan/kasan.c:586
 [<ffffffff81748a09>] __do_kmalloc mm/slab.c:3773 [inline]
 [<ffffffff81748a09>] __kmalloc+0x169/0x7a0 mm/slab.c:3782
 [<ffffffff8190ef76>] kmalloc include/linux/slab.h:483 [inline]
 [<ffffffff8190ef76>] kzalloc include/linux/slab.h:622 [inline]
 [<ffffffff8190ef76>] __proc_create+0x136/0x570 fs/proc/generic.c:381
 [<ffffffff8190fb25>] proc_create_data+0x55/0x140 fs/proc/generic.c:499
 [<ffffffff84e1d9f0>] snmp6_register_dev+0xb0/0x130 net/ipv6/proc.c:282
 [<ffffffff84d53bbc>] ipv6_add_dev+0x55c/0xfd0 net/ipv6/addrconf.c:382
 [<ffffffff84d67254>] addrconf_notify+0x764/0x1cf0 net/ipv6/addrconf.c:3239
 [<ffffffff813b470b>] notifier_call_chain+0x8b/0x170 kernel/notifier.c:93
 [<ffffffff813b4811>] __raw_notifier_call_chain kernel/notifier.c:394 [inline]
 [<ffffffff813b4811>] raw_notifier_call_chain+0x11/0x20 kernel/notifier.c:401
 [<ffffffff84661377>] call_netdevice_notifiers_info+0x47/0x80 net/core/dev.c:1643
 [<ffffffff84687697>] call_netdevice_notifiers net/core/dev.c:1659 [inline]
 [<ffffffff84687697>] register_netdevice+0x907/0xd60 net/core/dev.c:7100
 [<ffffffff835e3170>] tun_set_iff drivers/net/tun.c:1811 [inline]
 [<ffffffff835e3170>] __tun_chr_ioctl+0x13e0/0x3540 drivers/net/tun.c:2010
 [<ffffffff835e52fe>] tun_chr_ioctl+0xe/0x10 drivers/net/tun.c:2255
 [<ffffffff817dbd5f>] vfs_ioctl fs/ioctl.c:43 [inline]
 [<ffffffff817dbd5f>] do_vfs_ioctl+0x17f/0xec0 fs/ioctl.c:674
 [<ffffffff817dcb14>] SYSC_ioctl fs/ioctl.c:689 [inline]
 [<ffffffff817dcb14>] SyS_ioctl+0x74/0x80 fs/ioctl.c:680
 [<ffffffff858c93c0>] entry_SYSCALL_64_fastpath+0x23/0xc1
Deallocation:
PID = 12198
 [<ffffffff812103a6>] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:67
 [<ffffffff8174d8d6>] save_stack+0x46/0xd0 mm/kasan/kasan.c:476
 [<ffffffff8174e0bb>] set_track mm/kasan/kasan.c:488 [inline]
 [<ffffffff8174e0bb>] kasan_slab_free+0x9b/0xd0 mm/kasan/kasan.c:540
 [<ffffffff8174bf0f>] __cache_free mm/slab.c:3551 [inline]
 [<ffffffff8174bf0f>] kfree+0xcf/0x2c0 mm/slab.c:3868
 [<ffffffff8190ffa3>] free_proc_entry fs/proc/generic.c:534 [inline]
 [<ffffffff8190ffa3>] pde_put+0x73/0xc0 fs/proc/generic.c:540
 [<ffffffff81910a9b>] remove_proc_subtree+0x1cb/0x240 fs/proc/generic.c:622
 [<ffffffff81910b48>] proc_remove+0x38/0x50 fs/proc/generic.c:637
 [<ffffffff84e1db1c>] snmp6_unregister_dev+0xac/0x120 net/ipv6/proc.c:299
 [<ffffffff84d5cdd1>] addrconf_ifdown+0xa51/0xcd0 net/ipv6/addrconf.c:3460
 [<ffffffff84d67200>] addrconf_notify+0x710/0x1cf0 net/ipv6/addrconf.c:3367
 [<ffffffff813b470b>] notifier_call_chain+0x8b/0x170 kernel/notifier.c:93
 [<ffffffff813b4811>] __raw_notifier_call_chain kernel/notifier.c:394 [inline]
 [<ffffffff813b4811>] raw_notifier_call_chain+0x11/0x20 kernel/notifier.c:401
 [<ffffffff84661377>] call_netdevice_notifiers_info+0x47/0x80 net/core/dev.c:1643
 [<ffffffff8466dfca>] call_netdevice_notifiers net/core/dev.c:1659 [inline]
 [<ffffffff8466dfca>] rollback_registered_many+0x3fa/0x740 net/core/dev.c:6611
 [<ffffffff8466e37f>] rollback_registered+0x6f/0x90 net/core/dev.c:6652
 [<ffffffff8466e408>] unregister_netdevice_queue+0x68/0x120 net/core/dev.c:7636
 [<ffffffff835e0cfe>] unregister_netdevice include/linux/netdevice.h:2363 [inline]
 [<ffffffff835e0cfe>] __tun_detach+0x73e/0x9c0 drivers/net/tun.c:561
 [<ffffffff835e0fc0>] tun_detach drivers/net/tun.c:570 [inline]
 [<ffffffff835e0fc0>] tun_chr_close+0x40/0x60 drivers/net/tun.c:2343
 [<ffffffff817a7b9e>] __fput+0x20e/0x750 fs/file_table.c:208
 [<ffffffff817a8149>] ____fput+0x9/0x10 fs/file_table.c:244
 [<ffffffff813ac959>] task_work_run+0xd9/0x150 kernel/task_work.c:114
 [<ffffffff810066d3>] tracehook_notify_resume include/linux/tracehook.h:191 [inline]
 [<ffffffff810066d3>] exit_to_usermode_loop+0x183/0x1c0 arch/x86/entry/common.c:233
 [<ffffffff81008815>] prepare_exit_to_usermode arch/x86/entry/common.c:264 [inline]
 [<ffffffff81008815>] syscall_return_slowpath+0x275/0x2f0 arch/x86/entry/common.c:329
 [<ffffffff858c945c>] entry_SYSCALL_64_fastpath+0xbf/0xc1
Memory state around the buggy address:
 ffff8800a7868700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff8800a7868780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 06 fc
>ffff8800a7868800: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
                                              ^
 ffff8800a7868880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8800a7868900: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
==================================================================
==================================================================
BUG: KASAN: use-after-free in pneigh_get_next.isra.18+0x214/0x320 net/core/neighbour.c:2633 at addr ffff8800a7868840
Read of size 8 by task syz-executor.2/12203
CPU: 1 PID: 12203 Comm: syz-executor.2 Tainted: G    B           4.7.0+ #1
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 1ffffffff0d56312 ffff8800aef371c0 ffffffff829e0956 ffff8800a7868840
 ffff8800aef37250 ffff8800a7868840 ffff88012bc00500 ffff8800aef37240
 ffffffff8174e667 0000000000000010 ffff880000000000 0000000000000282
Call Trace:
 [<ffffffff829e0956>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff829e0956>] dump_stack+0xe6/0x120 lib/dump_stack.c:51
 [<ffffffff8174e667>] object_err mm/kasan/report.c:139 [inline]
 [<ffffffff8174e667>] print_address_description mm/kasan/report.c:180 [inline]
 [<ffffffff8174e667>] kasan_report_error+0x1e7/0x5b0 mm/kasan/report.c:276
 [<ffffffff8174eb2e>] kasan_report mm/kasan/report.c:298 [inline]
 [<ffffffff8174eb2e>] __asan_report_load8_noabort+0x3e/0x40 mm/kasan/report.c:319
 [<ffffffff84698324>] pneigh_get_next.isra.18+0x214/0x320 net/core/neighbour.c:2633
 [<ffffffff846991a1>] neigh_seq_next+0x91/0x1c0 net/core/neighbour.c:2715
 [<ffffffff81811434>] seq_read+0x9e4/0x11a0 fs/seq_file.c:268
 [<ffffffff818ff3ec>] proc_reg_read+0xbc/0x180 fs/proc/inode.c:203
 [<ffffffff8179efa4>] do_loop_readv_writev+0x134/0x210 fs/read_write.c:714
 [<ffffffff817a3895>] do_readv_writev+0x565/0x660 fs/read_write.c:845
 [<ffffffff817a39f7>] vfs_readv+0x67/0xa0 fs/read_write.c:869
 [<ffffffff8183f55d>] kernel_readv fs/splice.c:583 [inline]
 [<ffffffff8183f55d>] default_file_splice_read+0x42d/0x800 fs/splice.c:659
 [<ffffffff8183af13>] do_splice_to+0xe3/0x140 fs/splice.c:1154
 [<ffffffff8183b1a5>] splice_direct_to_actor+0x235/0x7c0 fs/splice.c:1226
 [<ffffffff8183b87e>] do_splice_direct+0x14e/0x260 fs/splice.c:1337
 [<ffffffff817a5560>] do_sendfile+0x4c0/0xe40 fs/read_write.c:1372
 [<ffffffff817a713d>] SYSC_sendfile64 fs/read_write.c:1433 [inline]
 [<ffffffff817a713d>] SyS_sendfile64+0x11d/0x120 fs/read_write.c:1419
 [<ffffffff858c93c0>] entry_SYSCALL_64_fastpath+0x23/0xc1
Object at ffff8800a7868840, in cache kmalloc-256
Object freed, allocated with size 198 bytes
Allocation:
PID = 12203
 [<ffffffff812103a6>] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:67
 [<ffffffff8174d8d6>] save_stack+0x46/0xd0 mm/kasan/kasan.c:476
 [<ffffffff8174db7a>] set_track mm/kasan/kasan.c:488 [inline]
 [<ffffffff8174db7a>] kasan_kmalloc+0xda/0x100 mm/kasan/kasan.c:586
 [<ffffffff81748a09>] __do_kmalloc mm/slab.c:3773 [inline]
 [<ffffffff81748a09>] __kmalloc+0x169/0x7a0 mm/slab.c:3782
 [<ffffffff8190ef76>] kmalloc include/linux/slab.h:483 [inline]
 [<ffffffff8190ef76>] kzalloc include/linux/slab.h:622 [inline]
 [<ffffffff8190ef76>] __proc_create+0x136/0x570 fs/proc/generic.c:381
 [<ffffffff8190fb25>] proc_create_data+0x55/0x140 fs/proc/generic.c:499
 [<ffffffff84e1d9f0>] snmp6_register_dev+0xb0/0x130 net/ipv6/proc.c:282
 [<ffffffff84d53bbc>] ipv6_add_dev+0x55c/0xfd0 net/ipv6/addrconf.c:382
 [<ffffffff84d67254>] addrconf_notify+0x764/0x1cf0 net/ipv6/addrconf.c:3239
 [<ffffffff813b470b>] notifier_call_chain+0x8b/0x170 kernel/notifier.c:93
 [<ffffffff813b4811>] __raw_notifier_call_chain kernel/notifier.c:394 [inline]
 [<ffffffff813b4811>] raw_notifier_call_chain+0x11/0x20 kernel/notifier.c:401
 [<ffffffff84661377>] call_netdevice_notifiers_info+0x47/0x80 net/core/dev.c:1643
 [<ffffffff84687697>] call_netdevice_notifiers net/core/dev.c:1659 [inline]
 [<ffffffff84687697>] register_netdevice+0x907/0xd60 net/core/dev.c:7100
 [<ffffffff835e3170>] tun_set_iff drivers/net/tun.c:1811 [inline]
 [<ffffffff835e3170>] __tun_chr_ioctl+0x13e0/0x3540 drivers/net/tun.c:2010
 [<ffffffff835e52fe>] tun_chr_ioctl+0xe/0x10 drivers/net/tun.c:2255
 [<ffffffff817dbd5f>] vfs_ioctl fs/ioctl.c:43 [inline]
 [<ffffffff817dbd5f>] do_vfs_ioctl+0x17f/0xec0 fs/ioctl.c:674
 [<ffffffff817dcb14>] SYSC_ioctl fs/ioctl.c:689 [inline]
 [<ffffffff817dcb14>] SyS_ioctl+0x74/0x80 fs/ioctl.c:680
 [<ffffffff858c93c0>] entry_SYSCALL_64_fastpath+0x23/0xc1
Deallocation:
PID = 12198
 [<ffffffff812103a6>] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:67
 [<ffffffff8174d8d6>] save_stack+0x46/0xd0 mm/kasan/kasan.c:476
 [<ffffffff8174e0bb>] set_track mm/kasan/kasan.c:488 [inline]
 [<ffffffff8174e0bb>] kasan_slab_free+0x9b/0xd0 mm/kasan/kasan.c:540
 [<ffffffff8174bf0f>] __cache_free mm/slab.c:3551 [inline]
 [<ffffffff8174bf0f>] kfree+0xcf/0x2c0 mm/slab.c:3868
 [<ffffffff8190ffa3>] free_proc_entry fs/proc/generic.c:534 [inline]
 [<ffffffff8190ffa3>] pde_put+0x73/0xc0 fs/proc/generic.c:540
 [<ffffffff81910a9b>] remove_proc_subtree+0x1cb/0x240 fs/proc/generic.c:622
 [<ffffffff81910b48>] proc_remove+0x38/0x50 fs/proc/generic.c:637
 [<ffffffff84e1db1c>] snmp6_unregister_dev+0xac/0x120 net/ipv6/proc.c:299
 [<ffffffff84d5cdd1>] addrconf_ifdown+0xa51/0xcd0 net/ipv6/addrconf.c:3460
 [<ffffffff84d67200>] addrconf_notify+0x710/0x1cf0 net/ipv6/addrconf.c:3367
 [<ffffffff813b470b>] notifier_call_chain+0x8b/0x170 kernel/notifier.c:93
 [<ffffffff813b4811>] __raw_notifier_call_chain kernel/notifier.c:394 [inline]
 [<ffffffff813b4811>] raw_notifier_call_chain+0x11/0x20 kernel/notifier.c:401
 [<ffffffff84661377>] call_netdevice_notifiers_info+0x47/0x80 net/core/dev.c:1643
 [<ffffffff8466dfca>] call_netdevice_notifiers net/core/dev.c:1659 [inline]
 [<ffffffff8466dfca>] rollback_registered_many+0x3fa/0x740 net/core/dev.c:6611
 [<ffffffff8466e37f>] rollback_registered+0x6f/0x90 net/core/dev.c:6652
 [<ffffffff8466e408>] unregister_netdevice_queue+0x68/0x120 net/core/dev.c:7636
 [<ffffffff835e0cfe>] unregister_netdevice include/linux/netdevice.h:2363 [inline]
 [<ffffffff835e0cfe>] __tun_detach+0x73e/0x9c0 drivers/net/tun.c:561
 [<ffffffff835e0fc0>] tun_detach drivers/net/tun.c:570 [inline]
 [<ffffffff835e0fc0>] tun_chr_close+0x40/0x60 drivers/net/tun.c:2343
 [<ffffffff817a7b9e>] __fput+0x20e/0x750 fs/file_table.c:208
 [<ffffffff817a8149>] ____fput+0x9/0x10 fs/file_table.c:244
 [<ffffffff813ac959>] task_work_run+0xd9/0x150 kernel/task_work.c:114
 [<ffffffff810066d3>] tracehook_notify_resume include/linux/tracehook.h:191 [inline]
 [<ffffffff810066d3>] exit_to_usermode_loop+0x183/0x1c0 arch/x86/entry/common.c:233
 [<ffffffff81008815>] prepare_exit_to_usermode arch/x86/entry/common.c:264 [inline]
 [<ffffffff81008815>] syscall_return_slowpath+0x275/0x2f0 arch/x86/entry/common.c:329
 [<ffffffff858c945c>] entry_SYSCALL_64_fastpath+0xbf/0xc1
Memory state around the buggy address:
 ffff8800a7868700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff8800a7868780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 06 fc
>ffff8800a7868800: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
                                           ^
 ffff8800a7868880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8800a7868900: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
==================================================================
==================================================================
BUG: KASAN: use-after-free in read_pnet include/net/net_namespace.h:259 [inline] at addr ffff8800a7868348
BUG: KASAN: use-after-free in pneigh_net include/net/neighbour.h:352 [inline] at addr ffff8800a7868348
BUG: KASAN: use-after-free in pneigh_get_next.isra.18+0x1f7/0x320 net/core/neighbour.c:2634 at addr ffff8800a7868348
Read of size 8 by task syz-executor.2/12203
CPU: 1 PID: 12203 Comm: syz-executor.2 Tainted: G    B           4.7.0+ #1
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 1ffffffff0d56312 ffff8800aef371c0 ffffffff829e0956 ffff8800a7868340
 ffff8800aef37250 ffff8800a7868340 ffff88012bc00500 ffff8800aef37240
 ffffffff8174e667 0000000000000010 ffff880000000000 0000000000000282
Call Trace:
 [<ffffffff829e0956>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff829e0956>] dump_stack+0xe6/0x120 lib/dump_stack.c:51
 [<ffffffff8174e667>] object_err mm/kasan/report.c:139 [inline]
 [<ffffffff8174e667>] print_address_description mm/kasan/report.c:180 [inline]
 [<ffffffff8174e667>] kasan_report_error+0x1e7/0x5b0 mm/kasan/report.c:276
 [<ffffffff8174eb2e>] kasan_report mm/kasan/report.c:298 [inline]
 [<ffffffff8174eb2e>] __asan_report_load8_noabort+0x3e/0x40 mm/kasan/report.c:319
 [<ffffffff84698307>] read_pnet include/net/net_namespace.h:259 [inline]
 [<ffffffff84698307>] pneigh_net include/net/neighbour.h:352 [inline]
 [<ffffffff84698307>] pneigh_get_next.isra.18+0x1f7/0x320 net/core/neighbour.c:2634
 [<ffffffff846991a1>] neigh_seq_next+0x91/0x1c0 net/core/neighbour.c:2715
 [<ffffffff81811434>] seq_read+0x9e4/0x11a0 fs/seq_file.c:268
 [<ffffffff818ff3ec>] proc_reg_read+0xbc/0x180 fs/proc/inode.c:203
 [<ffffffff8179efa4>] do_loop_readv_writev+0x134/0x210 fs/read_write.c:714
 [<ffffffff817a3895>] do_readv_writev+0x565/0x660 fs/read_write.c:845
 [<ffffffff817a39f7>] vfs_readv+0x67/0xa0 fs/read_write.c:869
 [<ffffffff8183f55d>] kernel_readv fs/splice.c:583 [inline]
 [<ffffffff8183f55d>] default_file_splice_read+0x42d/0x800 fs/splice.c:659
 [<ffffffff8183af13>] do_splice_to+0xe3/0x140 fs/splice.c:1154
 [<ffffffff8183b1a5>] splice_direct_to_actor+0x235/0x7c0 fs/splice.c:1226
 [<ffffffff8183b87e>] do_splice_direct+0x14e/0x260 fs/splice.c:1337
 [<ffffffff817a5560>] do_sendfile+0x4c0/0xe40 fs/read_write.c:1372
 [<ffffffff817a713d>] SYSC_sendfile64 fs/read_write.c:1433 [inline]
 [<ffffffff817a713d>] SyS_sendfile64+0x11d/0x120 fs/read_write.c:1419
 [<ffffffff858c93c0>] entry_SYSCALL_64_fastpath+0x23/0xc1
Object at ffff8800a7868340, in cache kmalloc-256
Object freed, allocated with size 240 bytes
Allocation:
PID = 12203
 [<ffffffff812103a6>] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:67
 [<ffffffff8174d8d6>] save_stack+0x46/0xd0 mm/kasan/kasan.c:476
 [<ffffffff8174db7a>] set_track mm/kasan/kasan.c:488 [inline]
 [<ffffffff8174db7a>] kasan_kmalloc+0xda/0x100 mm/kasan/kasan.c:586
 [<ffffffff81749f32>] kmem_cache_alloc_trace+0x142/0x780 mm/slab.c:3675
 [<ffffffff84dc7484>] kmalloc include/linux/slab.h:478 [inline]
 [<ffffffff84dc7484>] kzalloc include/linux/slab.h:622 [inline]
 [<ffffffff84dc7484>] mca_alloc net/ipv6/mcast.c:825 [inline]
 [<ffffffff84dc7484>] ipv6_dev_mc_inc+0x294/0xde0 net/ipv6/mcast.c:884
 [<ffffffff84d540f6>] ipv6_add_dev+0xa96/0xfd0 net/ipv6/addrconf.c:438
 [<ffffffff84d67254>] addrconf_notify+0x764/0x1cf0 net/ipv6/addrconf.c:3239
 [<ffffffff813b470b>] notifier_call_chain+0x8b/0x170 kernel/notifier.c:93
 [<ffffffff813b4811>] __raw_notifier_call_chain kernel/notifier.c:394 [inline]
 [<ffffffff813b4811>] raw_notifier_call_chain+0x11/0x20 kernel/notifier.c:401
 [<ffffffff84661377>] call_netdevice_notifiers_info+0x47/0x80 net/core/dev.c:1643
 [<ffffffff84687697>] call_netdevice_notifiers net/core/dev.c:1659 [inline]
 [<ffffffff84687697>] register_netdevice+0x907/0xd60 net/core/dev.c:7100
 [<ffffffff835e3170>] tun_set_iff drivers/net/tun.c:1811 [inline]
 [<ffffffff835e3170>] __tun_chr_ioctl+0x13e0/0x3540 drivers/net/tun.c:2010
 [<ffffffff835e52fe>] tun_chr_ioctl+0xe/0x10 drivers/net/tun.c:2255
 [<ffffffff817dbd5f>] vfs_ioctl fs/ioctl.c:43 [inline]
 [<ffffffff817dbd5f>] do_vfs_ioctl+0x17f/0xec0 fs/ioctl.c:674
 [<ffffffff817dcb14>] SYSC_ioctl fs/ioctl.c:689 [inline]
 [<ffffffff817dcb14>] SyS_ioctl+0x74/0x80 fs/ioctl.c:680
 [<ffffffff858c93c0>] entry_SYSCALL_64_fastpath+0x23/0xc1
Deallocation:
PID = 12198
 [<ffffffff812103a6>] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:67
 [<ffffffff8174d8d6>] save_stack+0x46/0xd0 mm/kasan/kasan.c:476
 [<ffffffff8174e0bb>] set_track mm/kasan/kasan.c:488 [inline]
 [<ffffffff8174e0bb>] kasan_slab_free+0x9b/0xd0 mm/kasan/kasan.c:540
 [<ffffffff8174bf0f>] __cache_free mm/slab.c:3551 [inline]
 [<ffffffff8174bf0f>] kfree+0xcf/0x2c0 mm/slab.c:3868
 [<ffffffff84dc0fe2>] ma_put+0x42/0x60 net/ipv6/mcast.c:816
 [<ffffffff84dc8a26>] __ipv6_dev_mc_dec+0x216/0x380 net/ipv6/mcast.c:924
 [<ffffffff84dce248>] ipv6_mc_destroy_dev+0x28/0x150 net/ipv6/mcast.c:2557
 [<ffffffff84d5cb78>] addrconf_ifdown+0x7f8/0xcd0 net/ipv6/addrconf.c:3584
 [<ffffffff84d67200>] addrconf_notify+0x710/0x1cf0 net/ipv6/addrconf.c:3367
 [<ffffffff813b470b>] notifier_call_chain+0x8b/0x170 kernel/notifier.c:93
 [<ffffffff813b4811>] __raw_notifier_call_chain kernel/notifier.c:394 [inline]
 [<ffffffff813b4811>] raw_notifier_call_chain+0x11/0x20 kernel/notifier.c:401
 [<ffffffff84661377>] call_netdevice_notifiers_info+0x47/0x80 net/core/dev.c:1643
 [<ffffffff8466dfca>] call_netdevice_notifiers net/core/dev.c:1659 [inline]
 [<ffffffff8466dfca>] rollback_registered_many+0x3fa/0x740 net/core/dev.c:6611
 [<ffffffff8466e37f>] rollback_registered+0x6f/0x90 net/core/dev.c:6652
 [<ffffffff8466e408>] unregister_netdevice_queue+0x68/0x120 net/core/dev.c:7636
 [<ffffffff835e0cfe>] unregister_netdevice include/linux/netdevice.h:2363 [inline]
 [<ffffffff835e0cfe>] __tun_detach+0x73e/0x9c0 drivers/net/tun.c:561
 [<ffffffff835e0fc0>] tun_detach drivers/net/tun.c:570 [inline]
 [<ffffffff835e0fc0>] tun_chr_close+0x40/0x60 drivers/net/tun.c:2343
 [<ffffffff817a7b9e>] __fput+0x20e/0x750 fs/file_table.c:208
 [<ffffffff817a8149>] ____fput+0x9/0x10 fs/file_table.c:244
 [<ffffffff813ac959>] task_work_run+0xd9/0x150 kernel/task_work.c:114
 [<ffffffff810066d3>] tracehook_notify_resume include/linux/tracehook.h:191 [inline]
 [<ffffffff810066d3>] exit_to_usermode_loop+0x183/0x1c0 arch/x86/entry/common.c:233
 [<ffffffff81008815>] prepare_exit_to_usermode arch/x86/entry/common.c:264 [inline]
 [<ffffffff81008815>] syscall_return_slowpath+0x275/0x2f0 arch/x86/entry/common.c:329
 [<ffffffff858c945c>] entry_SYSCALL_64_fastpath+0xbf/0xc1
Memory state around the buggy address:
 ffff8800a7868200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff8800a7868280: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc
>ffff8800a7868300: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
                                              ^
 ffff8800a7868380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8800a7868400: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
==================================================================
==================================================================
BUG: KASAN: use-after-free in pneigh_get_next.isra.18+0x214/0x320 net/core/neighbour.c:2633 at addr ffff8800a7868340
Read of size 8 by task syz-executor.2/12203
CPU: 1 PID: 12203 Comm: syz-executor.2 Tainted: G    B           4.7.0+ #1
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 1ffffffff0d56312 ffff8800aef371c0 ffffffff829e0956 ffff8800a7868340
 ffff8800aef37250 ffff8800a7868340 ffff88012bc00500 ffff8800aef37240
 ffffffff8174e667 0000000000000010 ffff880000000000 0000000000000282
Call Trace:
 [<ffffffff829e0956>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff829e0956>] dump_stack+0xe6/0x120 lib/dump_stack.c:51
 [<ffffffff8174e667>] object_err mm/kasan/report.c:139 [inline]
 [<ffffffff8174e667>] print_address_description mm/kasan/report.c:180 [inline]
 [<ffffffff8174e667>] kasan_report_error+0x1e7/0x5b0 mm/kasan/report.c:276
 [<ffffffff8174eb2e>] kasan_report mm/kasan/report.c:298 [inline]
 [<ffffffff8174eb2e>] __asan_report_load8_noabort+0x3e/0x40 mm/kasan/report.c:319
 [<ffffffff84698324>] pneigh_get_next.isra.18+0x214/0x320 net/core/neighbour.c:2633
 [<ffffffff846991a1>] neigh_seq_next+0x91/0x1c0 net/core/neighbour.c:2715
 [<ffffffff81811434>] seq_read+0x9e4/0x11a0 fs/seq_file.c:268
 [<ffffffff818ff3ec>] proc_reg_read+0xbc/0x180 fs/proc/inode.c:203
 [<ffffffff8179efa4>] do_loop_readv_writev+0x134/0x210 fs/read_write.c:714
 [<ffffffff817a3895>] do_readv_writev+0x565/0x660 fs/read_write.c:845
 [<ffffffff817a39f7>] vfs_readv+0x67/0xa0 fs/read_write.c:869
 [<ffffffff8183f55d>] kernel_readv fs/splice.c:583 [inline]
 [<ffffffff8183f55d>] default_file_splice_read+0x42d/0x800 fs/splice.c:659
 [<ffffffff8183af13>] do_splice_to+0xe3/0x140 fs/splice.c:1154
 [<ffffffff8183b1a5>] splice_direct_to_actor+0x235/0x7c0 fs/splice.c:1226
 [<ffffffff8183b87e>] do_splice_direct+0x14e/0x260 fs/splice.c:1337
 [<ffffffff817a5560>] do_sendfile+0x4c0/0xe40 fs/read_write.c:1372
 [<ffffffff817a713d>] SYSC_sendfile64 fs/read_write.c:1433 [inline]
 [<ffffffff817a713d>] SyS_sendfile64+0x11d/0x120 fs/read_write.c:1419
 [<ffffffff858c93c0>] entry_SYSCALL_64_fastpath+0x23/0xc1
Object at ffff8800a7868340, in cache kmalloc-256
Object freed, allocated with size 240 bytes
Allocation:
PID = 12203
 [<ffffffff812103a6>] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:67
 [<ffffffff8174d8d6>] save_stack+0x46/0xd0 mm/kasan/kasan.c:476
 [<ffffffff8174db7a>] set_track mm/kasan/kasan.c:488 [inline]
 [<ffffffff8174db7a>] kasan_kmalloc+0xda/0x100 mm/kasan/kasan.c:586
 [<ffffffff81749f32>] kmem_cache_alloc_trace+0x142/0x780 mm/slab.c:3675
 [<ffffffff84dc7484>] kmalloc include/linux/slab.h:478 [inline]
 [<ffffffff84dc7484>] kzalloc include/linux/slab.h:622 [inline]
 [<ffffffff84dc7484>] mca_alloc net/ipv6/mcast.c:825 [inline]
 [<ffffffff84dc7484>] ipv6_dev_mc_inc+0x294/0xde0 net/ipv6/mcast.c:884
 [<ffffffff84d540f6>] ipv6_add_dev+0xa96/0xfd0 net/ipv6/addrconf.c:438
 [<ffffffff84d67254>] addrconf_notify+0x764/0x1cf0 net/ipv6/addrconf.c:3239
 [<ffffffff813b470b>] notifier_call_chain+0x8b/0x170 kernel/notifier.c:93
 [<ffffffff813b4811>] __raw_notifier_call_chain kernel/notifier.c:394 [inline]
 [<ffffffff813b4811>] raw_notifier_call_chain+0x11/0x20 kernel/notifier.c:401
 [<ffffffff84661377>] call_netdevice_notifiers_info+0x47/0x80 net/core/dev.c:1643
 [<ffffffff84687697>] call_netdevice_notifiers net/core/dev.c:1659 [inline]
 [<ffffffff84687697>] register_netdevice+0x907/0xd60 net/core/dev.c:7100
 [<ffffffff835e3170>] tun_set_iff drivers/net/tun.c:1811 [inline]
 [<ffffffff835e3170>] __tun_chr_ioctl+0x13e0/0x3540 drivers/net/tun.c:2010
 [<ffffffff835e52fe>] tun_chr_ioctl+0xe/0x10 drivers/net/tun.c:2255
 [<ffffffff817dbd5f>] vfs_ioctl fs/ioctl.c:43 [inline]
 [<ffffffff817dbd5f>] do_vfs_ioctl+0x17f/0xec0 fs/ioctl.c:674
 [<ffffffff817dcb14>] SYSC_ioctl fs/ioctl.c:689 [inline]
 [<ffffffff817dcb14>] SyS_ioctl+0x74/0x80 fs/ioctl.c:680
 [<ffffffff858c93c0>] entry_SYSCALL_64_fastpath+0x23/0xc1
Deallocation:
PID = 12198
 [<ffffffff812103a6>] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:67
 [<ffffffff8174d8d6>] save_stack+0x46/0xd0 mm/kasan/kasan.c:476
 [<ffffffff8174e0bb>] set_track mm/kasan/kasan.c:488 [inline]
 [<ffffffff8174e0bb>] kasan_slab_free+0x9b/0xd0 mm/kasan/kasan.c:540
 [<ffffffff8174bf0f>] __cache_free mm/slab.c:3551 [inline]
 [<ffffffff8174bf0f>] kfree+0xcf/0x2c0 mm/slab.c:3868
 [<ffffffff84dc0fe2>] ma_put+0x42/0x60 net/ipv6/mcast.c:816
 [<ffffffff84dc8a26>] __ipv6_dev_mc_dec+0x216/0x380 net/ipv6/mcast.c:924
 [<ffffffff84dce248>] ipv6_mc_destroy_dev+0x28/0x150 net/ipv6/mcast.c:2557
 [<ffffffff84d5cb78>] addrconf_ifdown+0x7f8/0xcd0 net/ipv6/addrconf.c:3584
 [<ffffffff84d67200>] addrconf_notify+0x710/0x1cf0 net/ipv6/addrconf.c:3367
 [<ffffffff813b470b>] notifier_call_chain+0x8b/0x170 kernel/notifier.c:93
 [<ffffffff813b4811>] __raw_notifier_call_chain kernel/notifier.c:394 [inline]
 [<ffffffff813b4811>] raw_notifier_call_chain+0x11/0x20 kernel/notifier.c:401
 [<ffffffff84661377>] call_netdevice_notifiers_info+0x47/0x80 net/core/dev.c:1643
 [<ffffffff8466dfca>] call_netdevice_notifiers net/core/dev.c:1659 [inline]
 [<ffffffff8466dfca>] rollback_registered_many+0x3fa/0x740 net/core/dev.c:6611
 [<ffffffff8466e37f>] rollback_registered+0x6f/0x90 net/core/dev.c:6652
 [<ffffffff8466e408>] unregister_netdevice_queue+0x68/0x120 net/core/dev.c:7636
 [<ffffffff835e0cfe>] unregister_netdevice include/linux/netdevice.h:2363 [inline]
 [<ffffffff835e0cfe>] __tun_detach+0x73e/0x9c0 drivers/net/tun.c:561
 [<ffffffff835e0fc0>] tun_detach drivers/net/tun.c:570 [inline]
 [<ffffffff835e0fc0>] tun_chr_close+0x40/0x60 drivers/net/tun.c:2343
 [<ffffffff817a7b9e>] __fput+0x20e/0x750 fs/file_table.c:208
 [<ffffffff817a8149>] ____fput+0x9/0x10 fs/file_table.c:244
 [<ffffffff813ac959>] task_work_run+0xd9/0x150 kernel/task_work.c:114
 [<ffffffff810066d3>] tracehook_notify_resume include/linux/tracehook.h:191 [inline]
 [<ffffffff810066d3>] exit_to_usermode_loop+0x183/0x1c0 arch/x86/entry/common.c:233
 [<ffffffff81008815>] prepare_exit_to_usermode arch/x86/entry/common.c:264 [inline]
 [<ffffffff81008815>] syscall_return_slowpath+0x275/0x2f0 arch/x86/entry/common.c:329
 [<ffffffff858c945c>] entry_SYSCALL_64_fastpath+0xbf/0xc1
Memory state around the buggy address:
 ffff8800a7868200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff8800a7868280: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc
>ffff8800a7868300: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
                                           ^
 ffff8800a7868380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8800a7868400: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
==================================================================
==================================================================
BUG: KASAN: use-after-free in read_pnet include/net/net_namespace.h:259 [inline] at addr ffff8800a7868488
BUG: KASAN: use-after-free in pneigh_net include/net/neighbour.h:352 [inline] at addr ffff8800a7868488
BUG: KASAN: use-after-free in pneigh_get_next.isra.18+0x1f7/0x320 net/core/neighbour.c:2634 at addr ffff8800a7868488
Read of size 8 by task syz-executor.2/12203
CPU: 1 PID: 12203 Comm: syz-executor.2 Tainted: G    B           4.7.0+ #1
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 1ffffffff0d56312 ffff8800aef371c0 ffffffff829e0956 ffff8800a7868480
 ffff8800aef37250 ffff8800a7868480 ffff88012bc00500 ffff8800aef37240
 ffffffff8174e667 0000000000000010 ffff880000000000 0000000000000282
Call Trace:
 [<ffffffff829e0956>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff829e0956>] dump_stack+0xe6/0x120 lib/dump_stack.c:51
 [<ffffffff8174e667>] object_err mm/kasan/report.c:139 [inline]
 [<ffffffff8174e667>] print_address_description mm/kasan/report.c:180 [inline]
 [<ffffffff8174e667>] kasan_report_error+0x1e7/0x5b0 mm/kasan/report.c:276
 [<ffffffff8174eb2e>] kasan_report mm/kasan/report.c:298 [inline]
 [<ffffffff8174eb2e>] __asan_report_load8_noabort+0x3e/0x40 mm/kasan/report.c:319
 [<ffffffff84698307>] read_pnet include/net/net_namespace.h:259 [inline]
 [<ffffffff84698307>] pneigh_net include/net/neighbour.h:352 [inline]
 [<ffffffff84698307>] pneigh_get_next.isra.18+0x1f7/0x320 net/core/neighbour.c:2634
 [<ffffffff846991a1>] neigh_seq_next+0x91/0x1c0 net/core/neighbour.c:2715
 [<ffffffff81811434>] seq_read+0x9e4/0x11a0 fs/seq_file.c:268
 [<ffffffff818ff3ec>] proc_reg_read+0xbc/0x180 fs/proc/inode.c:203
 [<ffffffff8179efa4>] do_loop_readv_writev+0x134/0x210 fs/read_write.c:714
 [<ffffffff817a3895>] do_readv_writev+0x565/0x660 fs/read_write.c:845
 [<ffffffff817a39f7>] vfs_readv+0x67/0xa0 fs/read_write.c:869
 [<ffffffff8183f55d>] kernel_readv fs/splice.c:583 [inline]
 [<ffffffff8183f55d>] default_file_splice_read+0x42d/0x800 fs/splice.c:659
 [<ffffffff8183af13>] do_splice_to+0xe3/0x140 fs/splice.c:1154
 [<ffffffff8183b1a5>] splice_direct_to_actor+0x235/0x7c0 fs/splice.c:1226
 [<ffffffff8183b87e>] do_splice_direct+0x14e/0x260 fs/splice.c:1337
 [<ffffffff817a5560>] do_sendfile+0x4c0/0xe40 fs/read_write.c:1372
 [<ffffffff817a713d>] SYSC_sendfile64 fs/read_write.c:1433 [inline]
 [<ffffffff817a713d>] SyS_sendfile64+0x11d/0x120 fs/read_write.c:1419
 [<ffffffff858c93c0>] entry_SYSCALL_64_fastpath+0x23/0xc1
Object at ffff8800a7868480, in cache kmalloc-256
Object freed, allocated with size 240 bytes
Allocation:
PID = 12203
 [<ffffffff812103a6>] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:67
 [<ffffffff8174d8d6>] save_stack+0x46/0xd0 mm/kasan/kasan.c:476
 [<ffffffff8174db7a>] set_track mm/kasan/kasan.c:488 [inline]
 [<ffffffff8174db7a>] kasan_kmalloc+0xda/0x100 mm/kasan/kasan.c:586
 [<ffffffff81749f32>] kmem_cache_alloc_trace+0x142/0x780 mm/slab.c:3675
 [<ffffffff84dc7484>] kmalloc include/linux/slab.h:478 [inline]
 [<ffffffff84dc7484>] kzalloc include/linux/slab.h:622 [inline]
 [<ffffffff84dc7484>] mca_alloc net/ipv6/mcast.c:825 [inline]
 [<ffffffff84dc7484>] ipv6_dev_mc_inc+0x294/0xde0 net/ipv6/mcast.c:884
 [<ffffffff84d540e7>] ipv6_add_dev+0xa87/0xfd0 net/ipv6/addrconf.c:435
 [<ffffffff84d67254>] addrconf_notify+0x764/0x1cf0 net/ipv6/addrconf.c:3239
 [<ffffffff813b470b>] notifier_call_chain+0x8b/0x170 kernel/notifier.c:93
 [<ffffffff813b4811>] __raw_notifier_call_chain kernel/notifier.c:394 [inline]
 [<ffffffff813b4811>] raw_notifier_call_chain+0x11/0x20 kernel/notifier.c:401
 [<ffffffff84661377>] call_netdevice_notifiers_info+0x47/0x80 net/core/dev.c:1643
 [<ffffffff84687697>] call_netdevice_notifiers net/core/dev.c:1659 [inline]
 [<ffffffff84687697>] register_netdevice+0x907/0xd60 net/core/dev.c:7100
 [<ffffffff835e3170>] tun_set_iff drivers/net/tun.c:1811 [inline]
 [<ffffffff835e3170>] __tun_chr_ioctl+0x13e0/0x3540 drivers/net/tun.c:2010
 [<ffffffff835e52fe>] tun_chr_ioctl+0xe/0x10 drivers/net/tun.c:2255
 [<ffffffff817dbd5f>] vfs_ioctl fs/ioctl.c:43 [inline]
 [<ffffffff817dbd5f>] do_vfs_ioctl+0x17f/0xec0 fs/ioctl.c:674
 [<ffffffff817dcb14>] SYSC_ioctl fs/ioctl.c:689 [inline]
 [<ffffffff817dcb14>] SyS_ioctl+0x74/0x80 fs/ioctl.c:680
 [<ffffffff858c93c0>] entry_SYSCALL_64_fastpath+0x23/0xc1
Deallocation:
PID = 12198
 [<ffffffff812103a6>] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:67
 [<ffffffff8174d8d6>] save_stack+0x46/0xd0 mm/kasan/kasan.c:476
 [<ffffffff8174e0bb>] set_track mm/kasan/kasan.c:488 [inline]
 [<ffffffff8174e0bb>] kasan_slab_free+0x9b/0xd0 mm/kasan/kasan.c:540
 [<ffffffff8174bf0f>] __cache_free mm/slab.c:3551 [inline]
 [<ffffffff8174bf0f>] kfree+0xcf/0x2c0 mm/slab.c:3868
 [<ffffffff84dc0fe2>] ma_put+0x42/0x60 net/ipv6/mcast.c:816
 [<ffffffff84dce301>] ipv6_mc_destroy_dev+0xe1/0x150 net/ipv6/mcast.c:2568
 [<ffffffff84d5cb78>] addrconf_ifdown+0x7f8/0xcd0 net/ipv6/addrconf.c:3584
 [<ffffffff84d67200>] addrconf_notify+0x710/0x1cf0 net/ipv6/addrconf.c:3367
 [<ffffffff813b470b>] notifier_call_chain+0x8b/0x170 kernel/notifier.c:93
 [<ffffffff813b4811>] __raw_notifier_call_chain kernel/notifier.c:394 [inline]
 [<ffffffff813b4811>] raw_notifier_call_chain+0x11/0x20 kernel/notifier.c:401
 [<ffffffff84661377>] call_netdevice_notifiers_info+0x47/0x80 net/core/dev.c:1643
 [<ffffffff8466dfca>] call_netdevice_notifiers net/core/dev.c:1659 [inline]
 [<ffffffff8466dfca>] rollback_registered_many+0x3fa/0x740 net/core/dev.c:6611
 [<ffffffff8466e37f>] rollback_registered+0x6f/0x90 net/core/dev.c:6652
 [<ffffffff8466e408>] unregister_netdevice_queue+0x68/0x120 net/core/dev.c:7636
 [<ffffffff835e0cfe>] unregister_netdevice include/linux/netdevice.h:2363 [inline]
 [<ffffffff835e0cfe>] __tun_detach+0x73e/0x9c0 drivers/net/tun.c:561
 [<ffffffff835e0fc0>] tun_detach drivers/net/tun.c:570 [inline]
 [<ffffffff835e0fc0>] tun_chr_close+0x40/0x60 drivers/net/tun.c:2343
 [<ffffffff817a7b9e>] __fput+0x20e/0x750 fs/file_table.c:208
 [<ffffffff817a8149>] ____fput+0x9/0x10 fs/file_table.c:244
 [<ffffffff813ac959>] task_work_run+0xd9/0x150 kernel/task_work.c:114
 [<ffffffff810066d3>] tracehook_notify_resume include/linux/tracehook.h:191 [inline]
 [<ffffffff810066d3>] exit_to_usermode_loop+0x183/0x1c0 arch/x86/entry/common.c:233
 [<ffffffff81008815>] prepare_exit_to_usermode arch/x86/entry/common.c:264 [inline]
 [<ffffffff81008815>] syscall_return_slowpath+0x275/0x2f0 arch/x86/entry/common.c:329
 [<ffffffff858c945c>] entry_SYSCALL_64_fastpath+0xbf/0xc1
Memory state around the buggy address:
 ffff8800a7868380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8800a7868400: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
>ffff8800a7868480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                      ^
 ffff8800a7868500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8800a7868580: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
==================================================================
==================================================================
BUG: KASAN: use-after-free in pneigh_get_next.isra.18+0x214/0x320 net/core/neighbour.c:2633 at addr ffff8800a7868480
Read of size 8 by task syz-executor.2/12203
CPU: 1 PID: 12203 Comm: syz-executor.2 Tainted: G    B           4.7.0+ #1
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 1ffffffff0d56312 ffff8800aef371c0 ffffffff829e0956 ffff8800a7868480
 ffff8800aef37250 ffff8800a7868480 ffff88012bc00500 ffff8800aef37240
 ffffffff8174e667 0000000000000010 ffff880000000000 0000000000000282
Call Trace:
 [<ffffffff829e0956>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff829e0956>] dump_stack+0xe6/0x120 lib/dump_stack.c:51
 [<ffffffff8174e667>] object_err mm/kasan/report.c:139 [inline]
 [<ffffffff8174e667>] print_address_description mm/kasan/report.c:180 [inline]
 [<ffffffff8174e667>] kasan_report_error+0x1e7/0x5b0 mm/kasan/report.c:276
 [<ffffffff8174eb2e>] kasan_report mm/kasan/report.c:298 [inline]
 [<ffffffff8174eb2e>] __asan_report_load8_noabort+0x3e/0x40 mm/kasan/report.c:319
 [<ffffffff84698324>] pneigh_get_next.isra.18+0x214/0x320 net/core/neighbour.c:2633
 [<ffffffff846991a1>] neigh_seq_next+0x91/0x1c0 net/core/neighbour.c:2715
 [<ffffffff81811434>] seq_read+0x9e4/0x11a0 fs/seq_file.c:268
 [<ffffffff818ff3ec>] proc_reg_read+0xbc/0x180 fs/proc/inode.c:203
 [<ffffffff8179efa4>] do_loop_readv_writev+0x134/0x210 fs/read_write.c:714
 [<ffffffff817a3895>] do_readv_writev+0x565/0x660 fs/read_write.c:845
 [<ffffffff817a39f7>] vfs_readv+0x67/0xa0 fs/read_write.c:869
 [<ffffffff8183f55d>] kernel_readv fs/splice.c:583 [inline]
 [<ffffffff8183f55d>] default_file_splice_read+0x42d/0x800 fs/splice.c:659
 [<ffffffff8183af13>] do_splice_to+0xe3/0x140 fs/splice.c:1154
 [<ffffffff8183b1a5>] splice_direct_to_actor+0x235/0x7c0 fs/splice.c:1226
 [<ffffffff8183b87e>] do_splice_direct+0x14e/0x260 fs/splice.c:1337
 [<ffffffff817a5560>] do_sendfile+0x4c0/0xe40 fs/read_write.c:1372
 [<ffffffff817a713d>] SYSC_sendfile64 fs/read_write.c:1433 [inline]
 [<ffffffff817a713d>] SyS_sendfile64+0x11d/0x120 fs/read_write.c:1419
 [<ffffffff858c93c0>] entry_SYSCALL_64_fastpath+0x23/0xc1
Object at ffff8800a7868480, in cache kmalloc-256
Object freed, allocated with size 240 bytes
Allocation:
PID = 12203
 [<ffffffff812103a6>] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:67
 [<ffffffff8174d8d6>] save_stack+0x46/0xd0 mm/kasan/kasan.c:476
 [<ffffffff8174db7a>] set_track mm/kasan/kasan.c:488 [inline]
 [<ffffffff8174db7a>] kasan_kmalloc+0xda/0x100 mm/kasan/kasan.c:586
 [<ffffffff81749f32>] kmem_cache_alloc_trace+0x142/0x780 mm/slab.c:3675
 [<ffffffff84dc7484>] kmalloc include/linux/slab.h:478 [inline]
 [<ffffffff84dc7484>] kzalloc include/linux/slab.h:622 [inline]
 [<ffffffff84dc7484>] mca_alloc net/ipv6/mcast.c:825 [inline]
 [<ffffffff84dc7484>] ipv6_dev_mc_inc+0x294/0xde0 net/ipv6/mcast.c:884
 [<ffffffff84d540e7>] ipv6_add_dev+0xa87/0xfd0 net/ipv6/addrconf.c:435
 [<ffffffff84d67254>] addrconf_notify+0x764/0x1cf0 net/ipv6/addrconf.c:3239
 [<ffffffff813b470b>] notifier_call_chain+0x8b/0x170 kernel/notifier.c:93
 [<ffffffff813b4811>] __raw_notifier_call_chain kernel/notifier.c:394 [inline]
 [<ffffffff813b4811>] raw_notifier_call_chain+0x11/0x20 kernel/notifier.c:401
 [<ffffffff84661377>] call_netdevice_notifiers_info+0x47/0x80 net/core/dev.c:1643
 [<ffffffff84687697>] call_netdevice_notifiers net/core/dev.c:1659 [inline]
 [<ffffffff84687697>] register_netdevice+0x907/0xd60 net/core/dev.c:7100
 [<ffffffff835e3170>] tun_set_iff drivers/net/tun.c:1811 [inline]
 [<ffffffff835e3170>] __tun_chr_ioctl+0x13e0/0x3540 drivers/net/tun.c:2010
 [<ffffffff835e52fe>] tun_chr_ioctl+0xe/0x10 drivers/net/tun.c:2255
 [<ffffffff817dbd5f>] vfs_ioctl fs/ioctl.c:43 [inline]
 [<ffffffff817dbd5f>] do_vfs_ioctl+0x17f/0xec0 fs/ioctl.c:674
 [<ffffffff817dcb14>] SYSC_ioctl fs/ioctl.c:689 [inline]
 [<ffffffff817dcb14>] SyS_ioctl+0x74/0x80 fs/ioctl.c:680
 [<ffffffff858c93c0>] entry_SYSCALL_64_fastpath+0x23/0xc1
Deallocation:
PID = 12198
 [<ffffffff812103a6>] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:67
 [<ffffffff8174d8d6>] save_stack+0x46/0xd0 mm/kasan/kasan.c:476
 [<ffffffff8174e0bb>] set_track mm/kasan/kasan.c:488 [inline]
 [<ffffffff8174e0bb>] kasan_slab_free+0x9b/0xd0 mm/kasan/kasan.c:540
 [<ffffffff8174bf0f>] __cache_free mm/slab.c:3551 [inline]
 [<ffffffff8174bf0f>] kfree+0xcf/0x2c0 mm/slab.c:3868
 [<ffffffff84dc0fe2>] ma_put+0x42/0x60 net/ipv6/mcast.c:816
 [<ffffffff84dce301>] ipv6_mc_destroy_dev+0xe1/0x150 net/ipv6/mcast.c:2568
 [<ffffffff84d5cb78>] addrconf_ifdown+0x7f8/0xcd0 net/ipv6/addrconf.c:3584
 [<ffffffff84d67200>] addrconf_notify+0x710/0x1cf0 net/ipv6/addrconf.c:3367
 [<ffffffff813b470b>] notifier_call_chain+0x8b/0x170 kernel/notifier.c:93
 [<ffffffff813b4811>] __raw_notifier_call_chain kernel/notifier.c:394 [inline]
 [<ffffffff813b4811>] raw_notifier_call_chain+0x11/0x20 kernel/notifier.c:401
 [<ffffffff84661377>] call_netdevice_notifiers_info+0x47/0x80 net/core/dev.c:1643
 [<ffffffff8466dfca>] call_netdevice_notifiers net/core/dev.c:1659 [inline]
 [<ffffffff8466dfca>] rollback_registered_many+0x3fa/0x740 net/core/dev.c:6611
 [<ffffffff8466e37f>] rollback_registered+0x6f/0x90 net/core/dev.c:6652
 [<ffffffff8466e408>] unregister_netdevice_queue+0x68/0x120 net/core/dev.c:7636
 [<ffffffff835e0cfe>] unregister_netdevice include/linux/netdevice.h:2363 [inline]
 [<ffffffff835e0cfe>] __tun_detach+0x73e/0x9c0 drivers/net/tun.c:561
 [<ffffffff835e0fc0>] tun_detach drivers/net/tun.c:570 [inline]
 [<ffffffff835e0fc0>] tun_chr_close+0x40/0x60 drivers/net/tun.c:2343
 [<ffffffff817a7b9e>] __fput+0x20e/0x750 fs/file_table.c:208
 [<ffffffff817a8149>] ____fput+0x9/0x10 fs/file_table.c:244
 [<ffffffff813ac959>] task_work_run+0xd9/0x150 kernel/task_work.c:114
 [<ffffffff810066d3>] tracehook_notify_resume include/linux/tracehook.h:191 [inline]
 [<ffffffff810066d3>] exit_to_usermode_loop+0x183/0x1c0 arch/x86/entry/common.c:233
 [<ffffffff81008815>] prepare_exit_to_usermode arch/x86/entry/common.c:264 [inline]
 [<ffffffff81008815>] syscall_return_slowpath+0x275/0x2f0 arch/x86/entry/common.c:329
 [<ffffffff858c945c>] entry_SYSCALL_64_fastpath+0xbf/0xc1
Memory state around the buggy address:
 ffff8800a7868380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8800a7868400: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
>ffff8800a7868480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                   ^
 ffff8800a7868500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8800a7868580: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
==================================================================
==================================================================
BUG: KASAN: use-after-free in read_pnet include/net/net_namespace.h:259 [inline] at addr ffff8800a21546c8
BUG: KASAN: use-after-free in pneigh_net include/net/neighbour.h:352 [inline] at addr ffff8800a21546c8
BUG: KASAN: use-after-free in pneigh_get_next.isra.18+0x1f7/0x320 net/core/neighbour.c:2634 at addr ffff8800a21546c8
Read of size 8 by task syz-executor.2/12203
CPU: 1 PID: 12203 Comm: syz-executor.2 Tainted: G    B           4.7.0+ #1
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 1ffffffff0d56312 ffff8800aef371c0 ffffffff829e0956 ffff8800a21546c0
 ffff8800aef37250 ffff8800a21546c0 ffff88012bc00900 ffff8800aef37240
 ffffffff8174e667 0000000000000010 ffff880000000000 0000000000000282
Call Trace:
 [<ffffffff829e0956>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff829e0956>] dump_stack+0xe6/0x120 lib/dump_stack.c:51
 [<ffffffff8174e667>] object_err mm/kasan/report.c:139 [inline]
 [<ffffffff8174e667>] print_address_description mm/kasan/report.c:180 [inline]
 [<ffffffff8174e667>] kasan_report_error+0x1e7/0x5b0 mm/kasan/report.c:276
 [<ffffffff8174eb2e>] kasan_report mm/kasan/report.c:298 [inline]
 [<ffffffff8174eb2e>] __asan_report_load8_noabort+0x3e/0x40 mm/kasan/report.c:319
 [<ffffffff84698307>] read_pnet include/net/net_namespace.h:259 [inline]
 [<ffffffff84698307>] pneigh_net include/net/neighbour.h:352 [inline]
 [<ffffffff84698307>] pneigh_get_next.isra.18+0x1f7/0x320 net/core/neighbour.c:2634
 [<ffffffff846991a1>] neigh_seq_next+0x91/0x1c0 net/core/neighbour.c:2715
 [<ffffffff81811434>] seq_read+0x9e4/0x11a0 fs/seq_file.c:268
 [<ffffffff818ff3ec>] proc_reg_read+0xbc/0x180 fs/proc/inode.c:203
 [<ffffffff8179efa4>] do_loop_readv_writev+0x134/0x210 fs/read_write.c:714
 [<ffffffff817a3895>] do_readv_writev+0x565/0x660 fs/read_write.c:845
 [<ffffffff817a39f7>] vfs_readv+0x67/0xa0 fs/read_write.c:869
 [<ffffffff8183f55d>] kernel_readv fs/splice.c:583 [inline]
 [<ffffffff8183f55d>] default_file_splice_read+0x42d/0x800 fs/splice.c:659
 [<ffffffff8183af13>] do_splice_to+0xe3/0x140 fs/splice.c:1154
 [<ffffffff8183b1a5>] splice_direct_to_actor+0x235/0x7c0 fs/splice.c:1226
 [<ffffffff8183b87e>] do_splice_direct+0x14e/0x260 fs/splice.c:1337
 [<ffffffff817a5560>] do_sendfile+0x4c0/0xe40 fs/read_write.c:1372
 [<ffffffff817a713d>] SYSC_sendfile64 fs/read_write.c:1433 [inline]
 [<ffffffff817a713d>] SyS_sendfile64+0x11d/0x120 fs/read_write.c:1419
 [<ffffffff858c93c0>] entry_SYSCALL_64_fastpath+0x23/0xc1
Object at ffff8800a21546c0, in cache kmalloc-4096
Object freed, allocated with size 2816 bytes
Allocation:
PID = 12203
 [<ffffffff812103a6>] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:67
 [<ffffffff8174d8d6>] save_stack+0x46/0xd0 mm/kasan/kasan.c:476
 [<ffffffff8174db7a>] set_track mm/kasan/kasan.c:488 [inline]
 [<ffffffff8174db7a>] kasan_kmalloc+0xda/0x100 mm/kasan/kasan.c:586
 [<ffffffff81748275>] __do_kmalloc mm/slab.c:3773 [inline]
 [<ffffffff81748275>] __kmalloc_track_caller+0x165/0x790 mm/slab.c:3788
 [<ffffffff81692acb>] kmemdup+0x1b/0x40 mm/util.c:113
 [<ffffffff84d4c486>] __addrconf_sysctl_register+0x86/0x340 net/ipv6/addrconf.c:5947
 [<ffffffff84d4d704>] addrconf_sysctl_register+0x104/0x1a0 net/ipv6/addrconf.c:5995
 [<ffffffff84d53fd8>] ipv6_add_dev+0x978/0xfd0 net/ipv6/addrconf.c:424
 [<ffffffff84d67254>] addrconf_notify+0x764/0x1cf0 net/ipv6/addrconf.c:3239
 [<ffffffff813b470b>] notifier_call_chain+0x8b/0x170 kernel/notifier.c:93
 [<ffffffff813b4811>] __raw_notifier_call_chain kernel/notifier.c:394 [inline]
 [<ffffffff813b4811>] raw_notifier_call_chain+0x11/0x20 kernel/notifier.c:401
 [<ffffffff84661377>] call_netdevice_notifiers_info+0x47/0x80 net/core/dev.c:1643
 [<ffffffff84687697>] call_netdevice_notifiers net/core/dev.c:1659 [inline]
 [<ffffffff84687697>] register_netdevice+0x907/0xd60 net/core/dev.c:7100
 [<ffffffff835e3170>] tun_set_iff drivers/net/tun.c:1811 [inline]
 [<ffffffff835e3170>] __tun_chr_ioctl+0x13e0/0x3540 drivers/net/tun.c:2010
 [<ffffffff835e52fe>] tun_chr_ioctl+0xe/0x10 drivers/net/tun.c:2255
 [<ffffffff817dbd5f>] vfs_ioctl fs/ioctl.c:43 [inline]
 [<ffffffff817dbd5f>] do_vfs_ioctl+0x17f/0xec0 fs/ioctl.c:674
 [<ffffffff817dcb14>] SYSC_ioctl fs/ioctl.c:689 [inline]
 [<ffffffff817dcb14>] SyS_ioctl+0x74/0x80 fs/ioctl.c:680
 [<ffffffff858c93c0>] entry_SYSCALL_64_fastpath+0x23/0xc1
Deallocation:
PID = 12198
 [<ffffffff812103a6>] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:67
 [<ffffffff8174d8d6>] save_stack+0x46/0xd0 mm/kasan/kasan.c:476
 [<ffffffff8174e0bb>] set_track mm/kasan/kasan.c:488 [inline]
 [<ffffffff8174e0bb>] kasan_slab_free+0x9b/0xd0 mm/kasan/kasan.c:540
 [<ffffffff8174bf0f>] __cache_free mm/slab.c:3551 [inline]
 [<ffffffff8174bf0f>] kfree+0xcf/0x2c0 mm/slab.c:3868
 [<ffffffff84d4d81a>] __addrconf_sysctl_unregister.isra.42+0x7a/0xa0 net/ipv6/addrconf.c:5981
 [<ffffffff84d5cbd6>] addrconf_sysctl_unregister net/ipv6/addrconf.c:6005 [inline]
 [<ffffffff84d5cbd6>] addrconf_ifdown+0x856/0xcd0 net/ipv6/addrconf.c:3593
 [<ffffffff84d67200>] addrconf_notify+0x710/0x1cf0 net/ipv6/addrconf.c:3367
 [<ffffffff813b470b>] notifier_call_chain+0x8b/0x170 kernel/notifier.c:93
 [<ffffffff813b4811>] __raw_notifier_call_chain kernel/notifier.c:394 [inline]
 [<ffffffff813b4811>] raw_notifier_call_chain+0x11/0x20 kernel/notifier.c:401
 [<ffffffff84661377>] call_netdevice_notifiers_info+0x47/0x80 net/core/dev.c:1643
 [<ffffffff8466dfca>] call_netdevice_notifiers net/core/dev.c:1659 [inline]
 [<ffffffff8466dfca>] rollback_registered_many+0x3fa/0x740 net/core/dev.c:6611
 [<ffffffff8466e37f>] rollback_registered+0x6f/0x90 net/core/dev.c:6652
 [<ffffffff8466e408>] unregister_netdevice_queue+0x68/0x120 net/core/dev.c:7636
 [<ffffffff835e0cfe>] unregister_netdevice include/linux/netdevice.h:2363 [inline]
 [<ffffffff835e0cfe>] __tun_detach+0x73e/0x9c0 drivers/net/tun.c:561
 [<ffffffff835e0fc0>] tun_detach drivers/net/tun.c:570 [inline]
 [<ffffffff835e0fc0>] tun_chr_close+0x40/0x60 drivers/net/tun.c:2343
 [<ffffffff817a7b9e>] __fput+0x20e/0x750 fs/file_table.c:208
 [<ffffffff817a8149>] ____fput+0x9/0x10 fs/file_table.c:244
 [<ffffffff813ac959>] task_work_run+0xd9/0x150 kernel/task_work.c:114
 [<ffffffff810066d3>] tracehook_notify_resume include/linux/tracehook.h:191 [inline]
 [<ffffffff810066d3>] exit_to_usermode_loop+0x183/0x1c0 arch/x86/entry/common.c:233
 [<ffffffff81008815>] prepare_exit_to_usermode arch/x86/entry/common.c:264 [inline]
 [<ffffffff81008815>] syscall_return_slowpath+0x275/0x2f0 arch/x86/entry/common.c:329
 [<ffffffff858c945c>] entry_SYSCALL_64_fastpath+0xbf/0xc1
Memory state around the buggy address:
 ffff8800a2154580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff8800a2154600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff8800a2154680: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
                                              ^
 ffff8800a2154700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8800a2154780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
==================================================================
BUG: KASAN: use-after-free in pneigh_get_next.isra.18+0x214/0x320 net/core/neighbour.c:2633 at addr ffff8800a21546c0
Read of size 8 by task syz-executor.2/12203
CPU: 1 PID: 12203 Comm: syz-executor.2 Tainted: G    B           4.7.0+ #1
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 1ffffffff0d56312 ffff8800aef371c0 ffffffff829e0956 ffff8800a21546c0
 ffff8800aef37250 ffff8800a21546c0 ffff88012bc00900 ffff8800aef37240
 ffffffff8174e667 0000000000000010 ffff880000000000 0000000000000282
Call Trace:
 [<ffffffff829e0956>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff829e0956>] dump_stack+0xe6/0x120 lib/dump_stack.c:51
 [<ffffffff8174e667>] object_err mm/kasan/report.c:139 [inline]
 [<ffffffff8174e667>] print_address_description mm/kasan/report.c:180 [inline]
 [<ffffffff8174e667>] kasan_report_error+0x1e7/0x5b0 mm/kasan/report.c:276
 [<ffffffff8174eb2e>] kasan_report mm/kasan/report.c:298 [inline]
 [<ffffffff8174eb2e>] __asan_report_load8_noabort+0x3e/0x40 mm/kasan/report.c:319
 [<ffffffff84698324>] pneigh_get_next.isra.18+0x214/0x320 net/core/neighbour.c:2633
 [<ffffffff846991a1>] neigh_seq_next+0x91/0x1c0 net/core/neighbour.c:2715
 [<ffffffff81811434>] seq_read+0x9e4/0x11a0 fs/seq_file.c:268
 [<ffffffff818ff3ec>] proc_reg_read+0xbc/0x180 fs/proc/inode.c:203
 [<ffffffff8179efa4>] do_loop_readv_writev+0x134/0x210 fs/read_write.c:714
 [<ffffffff817a3895>] do_readv_writev+0x565/0x660 fs/read_write.c:845
 [<ffffffff817a39f7>] vfs_readv+0x67/0xa0 fs/read_write.c:869
 [<ffffffff8183f55d>] kernel_readv fs/splice.c:583 [inline]
 [<ffffffff8183f55d>] default_file_splice_read+0x42d/0x800 fs/splice.c:659
 [<ffffffff8183af13>] do_splice_to+0xe3/0x140 fs/splice.c:1154
 [<ffffffff8183b1a5>] splice_direct_to_actor+0x235/0x7c0 fs/splice.c:1226
 [<ffffffff8183b87e>] do_splice_direct+0x14e/0x260 fs/splice.c:1337
 [<ffffffff817a5560>] do_sendfile+0x4c0/0xe40 fs/read_write.c:1372
 [<ffffffff817a713d>] SYSC_sendfile64 fs/read_write.c:1433 [inline]
 [<ffffffff817a713d>] SyS_sendfile64+0x11d/0x120 fs/read_write.c:1419
 [<ffffffff858c93c0>] entry_SYSCALL_64_fastpath+0x23/0xc1
Object at ffff8800a21546c0, in cache kmalloc-4096
Object freed, allocated with size 2816 bytes
Allocation:
PID = 12203
 [<ffffffff812103a6>] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:67
 [<ffffffff8174d8d6>] save_stack+0x46/0xd0 mm/kasan/kasan.c:476
 [<ffffffff8174db7a>] set_track mm/kasan/kasan.c:488 [inline]
 [<ffffffff8174db7a>] kasan_kmalloc+0xda/0x100 mm/kasan/kasan.c:586
 [<ffffffff81748275>] __do_kmalloc mm/slab.c:3773 [inline]
 [<ffffffff81748275>] __kmalloc_track_caller+0x165/0x790 mm/slab.c:3788
 [<ffffffff81692acb>] kmemdup+0x1b/0x40 mm/util.c:113
 [<ffffffff84d4c486>] __addrconf_sysctl_register+0x86/0x340 net/ipv6/addrconf.c:5947
 [<ffffffff84d4d704>] addrconf_sysctl_register+0x104/0x1a0 net/ipv6/addrconf.c:5995
 [<ffffffff84d53fd8>] ipv6_add_dev+0x978/0xfd0 net/ipv6/addrconf.c:424
 [<ffffffff84d67254>] addrconf_notify+0x764/0x1cf0 net/ipv6/addrconf.c:3239
 [<ffffffff813b470b>] notifier_call_chain+0x8b/0x170 kernel/notifier.c:93
 [<ffffffff813b4811>] __raw_notifier_call_chain kernel/notifier.c:394 [inline]
 [<ffffffff813b4811>] raw_notifier_call_chain+0x11/0x20 kernel/notifier.c:401
 [<ffffffff84661377>] call_netdevice_notifiers_info+0x47/0x80 net/core/dev.c:1643
 [<ffffffff84687697>] call_netdevice_notifiers net/core/dev.c:1659 [inline]
 [<ffffffff84687697>] register_netdevice+0x907/0xd60 net/core/dev.c:7100
 [<ffffffff835e3170>] tun_set_iff drivers/net/tun.c:1811 [inline]
 [<ffffffff835e3170>] __tun_chr_ioctl+0x13e0/0x3540 drivers/net/tun.c:2010
 [<ffffffff835e52fe>] tun_chr_ioctl+0xe/0x10 drivers/net/tun.c:2255
 [<ffffffff817dbd5f>] vfs_ioctl fs/ioctl.c:43 [inline]
 [<ffffffff817dbd5f>] do_vfs_ioctl+0x17f/0xec0 fs/ioctl.c:674
 [<ffffffff817dcb14>] SYSC_ioctl fs/ioctl.c:689 [inline]
 [<ffffffff817dcb14>] SyS_ioctl+0x74/0x80 fs/ioctl.c:680
 [<ffffffff858c93c0>] entry_SYSCALL_64_fastpath+0x23/0xc1
Deallocation:
PID = 12198
 [<ffffffff812103a6>] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:67
 [<ffffffff8174d8d6>] save_stack+0x46/0xd0 mm/kasan/kasan.c:476
 [<ffffffff8174e0bb>] set_track mm/kasan/kasan.c:488 [inline]
 [<ffffffff8174e0bb>] kasan_slab_free+0x9b/0xd0 mm/kasan/kasan.c:540
 [<ffffffff8174bf0f>] __cache_free mm/slab.c:3551 [inline]
 [<ffffffff8174bf0f>] kfree+0xcf/0x2c0 mm/slab.c:3868
 [<ffffffff84d4d81a>] __addrconf_sysctl_unregister.isra.42+0x7a/0xa0 net/ipv6/addrconf.c:5981
 [<ffffffff84d5cbd6>] addrconf_sysctl_unregister net/ipv6/addrconf.c:6005 [inline]
 [<ffffffff84d5cbd6>] addrconf_ifdown+0x856/0xcd0 net/ipv6/addrconf.c:3593
 [<ffffffff84d67200>] addrconf_notify+0x710/0x1cf0 net/ipv6/addrconf.c:3367
 [<ffffffff813b470b>] notifier_call_chain+0x8b/0x170 kernel/notifier.c:93
 [<ffffffff813b4811>] __raw_notifier_call_chain kernel/notifier.c:394 [inline]
 [<ffffffff813b4811>] raw_notifier_call_chain+0x11/0x20 kernel/notifier.c:401
 [<ffffffff84661377>] call_netdevice_notifiers_info+0x47/0x80 net/core/dev.c:1643
 [<ffffffff8466dfca>] call_netdevice_notifiers net/core/dev.c:1659 [inline]
 [<ffffffff8466dfca>] rollback_registered_many+0x3fa/0x740 net/core/dev.c:6611
 [<ffffffff8466e37f>] rollback_registered+0x6f/0x90 net/core/dev.c:6652
 [<ffffffff8466e408>] unregister_netdevice_queue+0x68/0x120 net/core/dev.c:7636
 [<ffffffff835e0cfe>] unregister_netdevice include/linux/netdevice.h:2363 [inline]
 [<ffffffff835e0cfe>] __tun_detach+0x73e/0x9c0 drivers/net/tun.c:561
 [<ffffffff835e0fc0>] tun_detach drivers/net/tun.c:570 [inline]
 [<ffffffff835e0fc0>] tun_chr_close+0x40/0x60 drivers/net/tun.c:2343
 [<ffffffff817a7b9e>] __fput+0x20e/0x750 fs/file_table.c:208
 [<ffffffff817a8149>] ____fput+0x9/0x10 fs/file_table.c:244
 [<ffffffff813ac959>] task_work_run+0xd9/0x150 kernel/task_work.c:114
 [<ffffffff810066d3>] tracehook_notify_resume include/linux/tracehook.h:191 [inline]
 [<ffffffff810066d3>] exit_to_usermode_loop+0x183/0x1c0 arch/x86/entry/common.c:233
 [<ffffffff81008815>] prepare_exit_to_usermode arch/x86/entry/common.c:264 [inline]
 [<ffffffff81008815>] syscall_return_slowpath+0x275/0x2f0 arch/x86/entry/common.c:329
 [<ffffffff858c945c>] entry_SYSCALL_64_fastpath+0xbf/0xc1
Memory state around the buggy address:
 ffff8800a2154580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff8800a2154600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff8800a2154680: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
                                           ^
 ffff8800a2154700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8800a2154780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
==================================================================
BUG: KASAN: use-after-free in read_pnet include/net/net_namespace.h:259 [inline] at addr ffff8800a2153308
BUG: KASAN: use-after-free in pneigh_net include/net/neighbour.h:352 [inline] at addr ffff8800a2153308
BUG: KASAN: use-after-free in pneigh_get_next.isra.18+0x1f7/0x320 net/core/neighbour.c:2634 at addr ffff8800a2153308
Read of size 8 by task syz-executor.2/12203
CPU: 1 PID: 12203 Comm: syz-executor.2 Tainted: G    B           4.7.0+ #1
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 1ffffffff0d56312 ffff8800aef371c0 ffffffff829e0956 ffff8800a2153300
 ffff8800aef37250 ffff8800a2153300 ffff88012bc00800 ffff8800aef37240
 ffffffff8174e667 0000000000000010 ffff880000000000 0000000000000282
Call Trace:
 [<ffffffff829e0956>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff829e0956>] dump_stack+0xe6/0x120 lib/dump_stack.c:51
 [<ffffffff8174e667>] object_err mm/kasan/report.c:139 [inline]
 [<ffffffff8174e667>] print_address_description mm/kasan/report.c:180 [inline]
 [<ffffffff8174e667>] kasan_report_error+0x1e7/0x5b0 mm/kasan/report.c:276
 [<ffffffff8174eb2e>] kasan_report mm/kasan/report.c:298 [inline]
 [<ffffffff8174eb2e>] __asan_report_load8_noabort+0x3e/0x40 mm/kasan/report.c:319
 [<ffffffff84698307>] read_pnet include/net/net_namespace.h:259 [inline]
 [<ffffffff84698307>] pneigh_net include/net/neighbour.h:352 [inline]
 [<ffffffff84698307>] pneigh_get_next.isra.18+0x1f7/0x320 net/core/neighbour.c:2634
 [<ffffffff846991a1>] neigh_seq_next+0x91/0x1c0 net/core/neighbour.c:2715
 [<ffffffff81811434>] seq_read+0x9e4/0x11a0 fs/seq_file.c:268
 [<ffffffff818ff3ec>] proc_reg_read+0xbc/0x180 fs/proc/inode.c:203
 [<ffffffff8179efa4>] do_loop_readv_writev+0x134/0x210 fs/read_write.c:714
 [<ffffffff817a3895>] do_readv_writev+0x565/0x660 fs/read_write.c:845
 [<ffffffff817a39f7>] vfs_readv+0x67/0xa0 fs/read_write.c:869
 [<ffffffff8183f55d>] kernel_readv fs/splice.c:583 [inline]
 [<ffffffff8183f55d>] default_file_splice_read+0x42d/0x800 fs/splice.c:659
 [<ffffffff8183af13>] do_splice_to+0xe3/0x140 fs/splice.c:1154
 [<ffffffff8183b1a5>] splice_direct_to_actor+0x235/0x7c0 fs/splice.c:1226
 [<ffffffff8183b87e>] do_splice_direct+0x14e/0x260 fs/splice.c:1337
 [<ffffffff817a5560>] do_sendfile+0x4c0/0xe40 fs/read_write.c:1372
 [<ffffffff817a713d>] SYSC_sendfile64 fs/read_write.c:1433 [inline]
 [<ffffffff817a713d>] SyS_sendfile64+0x11d/0x120 fs/read_write.c:1419
 [<ffffffff858c93c0>] entry_SYSCALL_64_fastpath+0x23/0xc1
Object at ffff8800a2153300, in cache kmalloc-2048
Object freed, allocated with size 1352 bytes
Allocation:
PID = 12203
 [<ffffffff812103a6>] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:67
 [<ffffffff8174d8d6>] save_stack+0x46/0xd0 mm/kasan/kasan.c:476
 [<ffffffff8174db7a>] set_track mm/kasan/kasan.c:488 [inline]
 [<ffffffff8174db7a>] kasan_kmalloc+0xda/0x100 mm/kasan/kasan.c:586
 [<ffffffff81748275>] __do_kmalloc mm/slab.c:3773 [inline]
 [<ffffffff81748275>] __kmalloc_track_caller+0x165/0x790 mm/slab.c:3788
 [<ffffffff81692acb>] kmemdup+0x1b/0x40 mm/util.c:113
 [<ffffffff84697769>] neigh_sysctl_register+0x89/0x7c0 net/core/neighbour.c:3123
 [<ffffffff84d4d6a4>] addrconf_sysctl_register+0xa4/0x1a0 net/ipv6/addrconf.c:5991
 [<ffffffff84d53fd8>] ipv6_add_dev+0x978/0xfd0 net/ipv6/addrconf.c:424
 [<ffffffff84d67254>] addrconf_notify+0x764/0x1cf0 net/ipv6/addrconf.c:3239
 [<ffffffff813b470b>] notifier_call_chain+0x8b/0x170 kernel/notifier.c:93
 [<ffffffff813b4811>] __raw_notifier_call_chain kernel/notifier.c:394 [inline]
 [<ffffffff813b4811>] raw_notifier_call_chain+0x11/0x20 kernel/notifier.c:401
 [<ffffffff84661377>] call_netdevice_notifiers_info+0x47/0x80 net/core/dev.c:1643
 [<ffffffff84687697>] call_netdevice_notifiers net/core/dev.c:1659 [inline]
 [<ffffffff84687697>] register_netdevice+0x907/0xd60 net/core/dev.c:7100
 [<ffffffff835e3170>] tun_set_iff drivers/net/tun.c:1811 [inline]
 [<ffffffff835e3170>] __tun_chr_ioctl+0x13e0/0x3540 drivers/net/tun.c:2010
 [<ffffffff835e52fe>] tun_chr_ioctl+0xe/0x10 drivers/net/tun.c:2255
 [<ffffffff817dbd5f>] vfs_ioctl fs/ioctl.c:43 [inline]
 [<ffffffff817dbd5f>] do_vfs_ioctl+0x17f/0xec0 fs/ioctl.c:674
 [<ffffffff817dcb14>] SYSC_ioctl fs/ioctl.c:689 [inline]
 [<ffffffff817dcb14>] SyS_ioctl+0x74/0x80 fs/ioctl.c:680
 [<ffffffff858c93c0>] entry_SYSCALL_64_fastpath+0x23/0xc1
Deallocation:
PID = 12198
 [<ffffffff812103a6>] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:67
 [<ffffffff8174d8d6>] save_stack+0x46/0xd0 mm/kasan/kasan.c:476
 [<ffffffff8174e0bb>] set_track mm/kasan/kasan.c:488 [inline]
 [<ffffffff8174e0bb>] kasan_slab_free+0x9b/0xd0 mm/kasan/kasan.c:540
 [<ffffffff8174bf0f>] __cache_free mm/slab.c:3551 [inline]
 [<ffffffff8174bf0f>] kfree+0xcf/0x2c0 mm/slab.c:3868
 [<ffffffff84697eff>] neigh_sysctl_unregister+0x5f/0x80 net/core/neighbour.c:3209
 [<ffffffff84d5cc04>] addrconf_sysctl_unregister net/ipv6/addrconf.c:6006 [inline]
 [<ffffffff84d5cc04>] addrconf_ifdown+0x884/0xcd0 net/ipv6/addrconf.c:3593
 [<ffffffff84d67200>] addrconf_notify+0x710/0x1cf0 net/ipv6/addrconf.c:3367
 [<ffffffff813b470b>] notifier_call_chain+0x8b/0x170 kernel/notifier.c:93
 [<ffffffff813b4811>] __raw_notifier_call_chain kernel/notifier.c:394 [inline]
 [<ffffffff813b4811>] raw_notifier_call_chain+0x11/0x20 kernel/notifier.c:401
 [<ffffffff84661377>] call_netdevice_notifiers_info+0x47/0x80 net/core/dev.c:1643
 [<ffffffff8466dfca>] call_netdevice_notifiers net/core/dev.c:1659 [inline]
 [<ffffffff8466dfca>] rollback_registered_many+0x3fa/0x740 net/core/dev.c:6611
 [<ffffffff8466e37f>] rollback_registered+0x6f/0x90 net/core/dev.c:6652
 [<ffffffff8466e408>] unregister_netdevice_queue+0x68/0x120 net/core/dev.c:7636
 [<ffffffff835e0cfe>] unregister_netdevice include/linux/netdevice.h:2363 [inline]
 [<ffffffff835e0cfe>] __tun_detach+0x73e/0x9c0 drivers/net/tun.c:561
 [<ffffffff835e0fc0>] tun_detach drivers/net/tun.c:570 [inline]
 [<ffffffff835e0fc0>] tun_chr_close+0x40/0x60 drivers/net/tun.c:2343
 [<ffffffff817a7b9e>] __fput+0x20e/0x750 fs/file_table.c:208
 [<ffffffff817a8149>] ____fput+0x9/0x10 fs/file_table.c:244
 [<ffffffff813ac959>] task_work_run+0xd9/0x150 kernel/task_work.c:114
 [<ffffffff810066d3>] tracehook_notify_resume include/linux/tracehook.h:191 [inline]
 [<ffffffff810066d3>] exit_to_usermode_loop+0x183/0x1c0 arch/x86/entry/common.c:233
 [<ffffffff81008815>] prepare_exit_to_usermode arch/x86/entry/common.c:264 [inline]
 [<ffffffff81008815>] syscall_return_slowpath+0x275/0x2f0 arch/x86/entry/common.c:329
 [<ffffffff858c945c>] entry_SYSCALL_64_fastpath+0xbf/0xc1
Memory state around the buggy address:
 ffff8800a2153200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff8800a2153280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff8800a2153300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                      ^
 ffff8800a2153380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8800a2153400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
==================================================================
BUG: KASAN: use-after-free in pneigh_get_next.isra.18+0x214/0x320 net/core/neighbour.c:2633 at addr ffff8800a2153300
Read of size 8 by task syz-executor.2/12203
CPU: 1 PID: 12203 Comm: syz-executor.2 Tainted: G    B           4.7.0+ #1
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 1ffffffff0d56312 ffff8800aef371c0 ffffffff829e0956 ffff8800a2153300
 ffff8800aef37250 ffff8800a2153300 ffff88012bc00800 ffff8800aef37240
 ffffffff8174e667 0000000000000010 ffff880000000000 0000000000000282
Call Trace:
 [<ffffffff829e0956>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff829e0956>] dump_stack+0xe6/0x120 lib/dump_stack.c:51
 [<ffffffff8174e667>] object_err mm/kasan/report.c:139 [inline]
 [<ffffffff8174e667>] print_address_description mm/kasan/report.c:180 [inline]
 [<ffffffff8174e667>] kasan_report_error+0x1e7/0x5b0 mm/kasan/report.c:276
 [<ffffffff8174eb2e>] kasan_report mm/kasan/report.c:298 [inline]
 [<ffffffff8174eb2e>] __asan_report_load8_noabort+0x3e/0x40 mm/kasan/report.c:319
 [<ffffffff84698324>] pneigh_get_next.isra.18+0x214/0x320 net/core/neighbour.c:2633
 [<ffffffff846991a1>] neigh_seq_next+0x91/0x1c0 net/core/neighbour.c:2715
 [<ffffffff81811434>] seq_read+0x9e4/0x11a0 fs/seq_file.c:268
 [<ffffffff818ff3ec>] proc_reg_read+0xbc/0x180 fs/proc/inode.c:203
 [<ffffffff8179efa4>] do_loop_readv_writev+0x134/0x210 fs/read_write.c:714
 [<ffffffff817a3895>] do_readv_writev+0x565/0x660 fs/read_write.c:845
 [<ffffffff817a39f7>] vfs_readv+0x67/0xa0 fs/read_write.c:869
 [<ffffffff8183f55d>] kernel_readv fs/splice.c:583 [inline]
 [<ffffffff8183f55d>] default_file_splice_read+0x42d/0x800 fs/splice.c:659
 [<ffffffff8183af13>] do_splice_to+0xe3/0x140 fs/splice.c:1154
 [<ffffffff8183b1a5>] splice_direct_to_actor+0x235/0x7c0 fs/splice.c:1226
 [<ffffffff8183b87e>] do_splice_direct+0x14e/0x260 fs/splice.c:1337
 [<ffffffff817a5560>] do_sendfile+0x4c0/0xe40 fs/read_write.c:1372
 [<ffffffff817a713d>] SYSC_sendfile64 fs/read_write.c:1433 [inline]
 [<ffffffff817a713d>] SyS_sendfile64+0x11d/0x120 fs/read_write.c:1419
 [<ffffffff858c93c0>] entry_SYSCALL_64_fastpath+0x23/0xc1
Object at ffff8800a2153300, in cache kmalloc-2048
Object freed, allocated with size 1352 bytes
Allocation:
PID = 12203
 [<ffffffff812103a6>] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:67
 [<ffffffff8174d8d6>] save_stack+0x46/0xd0 mm/kasan/kasan.c:476
 [<ffffffff8174db7a>] set_track mm/kasan/kasan.c:488 [inline]
 [<ffffffff8174db7a>] kasan_kmalloc+0xda/0x100 mm/kasan/kasan.c:586
 [<ffffffff81748275>] __do_kmalloc mm/slab.c:3773 [inline]
 [<ffffffff81748275>] __kmalloc_track_caller+0x165/0x790 mm/slab.c:3788
 [<ffffffff81692acb>] kmemdup+0x1b/0x40 mm/util.c:113
 [<ffffffff84697769>] neigh_sysctl_register+0x89/0x7c0 net/core/neighbour.c:3123
 [<ffffffff84d4d6a4>] addrconf_sysctl_register+0xa4/0x1a0 net/ipv6/addrconf.c:5991
 [<ffffffff84d53fd8>] ipv6_add_dev+0x978/0xfd0 net/ipv6/addrconf.c:424
 [<ffffffff84d67254>] addrconf_notify+0x764/0x1cf0 net/ipv6/addrconf.c:3239
 [<ffffffff813b470b>] notifier_call_chain+0x8b/0x170 kernel/notifier.c:93
 [<ffffffff813b4811>] __raw_notifier_call_chain kernel/notifier.c:394 [inline]
 [<ffffffff813b4811>] raw_notifier_call_chain+0x11/0x20 kernel/notifier.c:401
 [<ffffffff84661377>] call_netdevice_notifiers_info+0x47/0x80 net/core/dev.c:1643
 [<ffffffff84687697>] call_netdevice_notifiers net/core/dev.c:1659 [inline]
 [<ffffffff84687697>] register_netdevice+0x907/0xd60 net/core/dev.c:7100
 [<ffffffff835e3170>] tun_set_iff drivers/net/tun.c:1811 [inline]
 [<ffffffff835e3170>] __tun_chr_ioctl+0x13e0/0x3540 drivers/net/tun.c:2010
 [<ffffffff835e52fe>] tun_chr_ioctl+0xe/0x10 drivers/net/tun.c:2255
 [<ffffffff817dbd5f>] vfs_ioctl fs/ioctl.c:43 [inline]
 [<ffffffff817dbd5f>] do_vfs_ioctl+0x17f/0xec0 fs/ioctl.c:674
 [<ffffffff817dcb14>] SYSC_ioctl fs/ioctl.c:689 [inline]
 [<ffffffff817dcb14>] SyS_ioctl+0x74/0x80 fs/ioctl.c:680
 [<ffffffff858c93c0>] entry_SYSCALL_64_fastpath+0x23/0xc1
Deallocation:
PID = 12198
 [<ffffffff812103a6>] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:67
 [<ffffffff8174d8d6>] save_stack+0x46/0xd0 mm/kasan/kasan.c:476
 [<ffffffff8174e0bb>] set_track mm/kasan/kasan.c:488 [inline]
 [<ffffffff8174e0bb>] kasan_slab_free+0x9b/0xd0 mm/kasan/kasan.c:540
 [<ffffffff8174bf0f>] __cache_free mm/slab.c:3551 [inline]
 [<ffffffff8174bf0f>] kfree+0xcf/0x2c0 mm/slab.c:3868
 [<ffffffff84697eff>] neigh_sysctl_unregister+0x5f/0x80 net/core/neighbour.c:3209
 [<ffffffff84d5cc04>] addrconf_sysctl_unregister net/ipv6/addrconf.c:6006 [inline]
 [<ffffffff84d5cc04>] addrconf_ifdown+0x884/0xcd0 net/ipv6/addrconf.c:3593
 [<ffffffff84d67200>] addrconf_notify+0x710/0x1cf0 net/ipv6/addrconf.c:3367
 [<ffffffff813b470b>] notifier_call_chain+0x8b/0x170 kernel/notifier.c:93
 [<ffffffff813b4811>] __raw_notifier_call_chain kernel/notifier.c:394 [inline]
 [<ffffffff813b4811>] raw_notifier_call_chain+0x11/0x20 kernel/notifier.c:401
 [<ffffffff84661377>] call_netdevice_notifiers_info+0x47/0x80 net/core/dev.c:1643
 [<ffffffff8466dfca>] call_netdevice_notifiers net/core/dev.c:1659 [inline]
 [<ffffffff8466dfca>] rollback_registered_many+0x3fa/0x740 net/core/dev.c:6611
 [<ffffffff8466e37f>] rollback_registered+0x6f/0x90 net/core/dev.c:6652
 [<ffffffff8466e408>] unregister_netdevice_queue+0x68/0x120 net/core/dev.c:7636
 [<ffffffff835e0cfe>] unregister_netdevice include/linux/netdevice.h:2363 [inline]
 [<ffffffff835e0cfe>] __tun_detach+0x73e/0x9c0 drivers/net/tun.c:561
 [<ffffffff835e0fc0>] tun_detach drivers/net/tun.c:570 [inline]
 [<ffffffff835e0fc0>] tun_chr_close+0x40/0x60 drivers/net/tun.c:2343
 [<ffffffff817a7b9e>] __fput+0x20e/0x750 fs/file_table.c:208
 [<ffffffff817a8149>] ____fput+0x9/0x10 fs/file_table.c:244
 [<ffffffff813ac959>] task_work_run+0xd9/0x150 kernel/task_work.c:114
 [<ffffffff810066d3>] tracehook_notify_resume include/linux/tracehook.h:191 [inline]
 [<ffffffff810066d3>] exit_to_usermode_loop+0x183/0x1c0 arch/x86/entry/common.c:233
 [<ffffffff81008815>] prepare_exit_to_usermode arch/x86/entry/common.c:264 [inline]
 [<ffffffff81008815>] syscall_return_slowpath+0x275/0x2f0 arch/x86/entry/common.c:329
 [<ffffffff858c945c>] entry_SYSCALL_64_fastpath+0xbf/0xc1
Memory state around the buggy address:
 ffff8800a2153200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff8800a2153280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff8800a2153300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                   ^
 ffff8800a2153380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8800a2153400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
==================================================================
BUG: KASAN: use-after-free in read_pnet include/net/net_namespace.h:259 [inline] at addr ffff8800ae433e08
BUG: KASAN: use-after-free in pneigh_net include/net/neighbour.h:352 [inline] at addr ffff8800ae433e08
BUG: KASAN: use-after-free in pneigh_get_next.isra.18+0x1f7/0x320 net/core/neighbour.c:2634 at addr ffff8800ae433e08
Read of size 8 by task syz-executor.2/12203
CPU: 1 PID: 12203 Comm: syz-executor.2 Tainted: G    B           4.7.0+ #1
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 1ffffffff0d56312 ffff8800aef371c0 ffffffff829e0956 ffff8800ae433e00
 ffff8800aef37250 ffff8800ae433e00 ffff88012bc00000 ffff8800aef37240
 ffffffff8174e667 0000000000000010 ffff880000000000 0000000000000282
Call Trace:
 [<ffffffff829e0956>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff829e0956>] dump_stack+0xe6/0x120 lib/dump_stack.c:51
 [<ffffffff8174e667>] object_err mm/kasan/report.c:139 [inline]
 [<ffffffff8174e667>] print_address_description mm/kasan/report.c:180 [inline]
 [<ffffffff8174e667>] kasan_report_error+0x1e7/0x5b0 mm/kasan/report.c:276
 [<ffffffff8174eb2e>] kasan_report mm/kasan/report.c:298 [inline]
 [<ffffffff8174eb2e>] __asan_report_load8_noabort+0x3e/0x40 mm/kasan/report.c:319
 [<ffffffff84698307>] read_pnet include/net/net_namespace.h:259 [inline]
 [<ffffffff84698307>] pneigh_net include/net/neighbour.h:352 [inline]
 [<ffffffff84698307>] pneigh_get_next.isra.18+0x1f7/0x320 net/core/neighbour.c:2634
 [<ffffffff846991a1>] neigh_seq_next+0x91/0x1c0 net/core/neighbour.c:2715
 [<ffffffff81811434>] seq_read+0x9e4/0x11a0 fs/seq_file.c:268
 [<ffffffff818ff3ec>] proc_reg_read+0xbc/0x180 fs/proc/inode.c:203
 [<ffffffff8179efa4>] do_loop_readv_writev+0x134/0x210 fs/read_write.c:714
 [<ffffffff817a3895>] do_readv_writev+0x565/0x660 fs/read_write.c:845
 [<ffffffff817a39f7>] vfs_readv+0x67/0xa0 fs/read_write.c:869
 [<ffffffff8183f55d>] kernel_readv fs/splice.c:583 [inline]
 [<ffffffff8183f55d>] default_file_splice_read+0x42d/0x800 fs/splice.c:659
 [<ffffffff8183af13>] do_splice_to+0xe3/0x140 fs/splice.c:1154
 [<ffffffff8183b1a5>] splice_direct_to_actor+0x235/0x7c0 fs/splice.c:1226
 [<ffffffff8183b87e>] do_splice_direct+0x14e/0x260 fs/splice.c:1337
 [<ffffffff817a5560>] do_sendfile+0x4c0/0xe40 fs/read_write.c:1372
 [<ffffffff817a713d>] SYSC_sendfile64 fs/read_write.c:1433 [inline]
 [<ffffffff817a713d>] SyS_sendfile64+0x11d/0x120 fs/read_write.c:1419
 [<ffffffff858c93c0>] entry_SYSCALL_64_fastpath+0x23/0xc1
Object at ffff8800ae433e00, in cache kmalloc-node
Object freed, allocated with size 160 bytes
Allocation:
PID = 12198
 [<ffffffff812103a6>] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:67
 [<ffffffff8174d8d6>] save_stack+0x46/0xd0 mm/kasan/kasan.c:476
 [<ffffffff8174db7a>] set_track mm/kasan/kasan.c:488 [inline]
 [<ffffffff8174db7a>] kasan_kmalloc+0xda/0x100 mm/kasan/kasan.c:586
 [<ffffffff81749f32>] kmem_cache_alloc_trace+0x142/0x780 mm/slab.c:3675
 [<ffffffff840aef5f>] kmalloc include/linux/slab.h:478 [inline]
 [<ffffffff840aef5f>] netdevice_queue_work drivers/infiniband/core/roce_gid_mgmt.c:555 [inline]
 [<ffffffff840aef5f>] netdevice_event+0x24f/0x7c0 drivers/infiniband/core/roce_gid_mgmt.c:657
 [<ffffffff813b470b>] notifier_call_chain+0x8b/0x170 kernel/notifier.c:93
 [<ffffffff813b4811>] __raw_notifier_call_chain kernel/notifier.c:394 [inline]
 [<ffffffff813b4811>] raw_notifier_call_chain+0x11/0x20 kernel/notifier.c:401
 [<ffffffff84661377>] call_netdevice_notifiers_info+0x47/0x80 net/core/dev.c:1643
 [<ffffffff8466dfca>] call_netdevice_notifiers net/core/dev.c:1659 [inline]
 [<ffffffff8466dfca>] rollback_registered_many+0x3fa/0x740 net/core/dev.c:6611
 [<ffffffff8466e37f>] rollback_registered+0x6f/0x90 net/core/dev.c:6652
 [<ffffffff8466e408>] unregister_netdevice_queue+0x68/0x120 net/core/dev.c:7636
 [<ffffffff835e0cfe>] unregister_netdevice include/linux/netdevice.h:2363 [inline]
 [<ffffffff835e0cfe>] __tun_detach+0x73e/0x9c0 drivers/net/tun.c:561
 [<ffffffff835e0fc0>] tun_detach drivers/net/tun.c:570 [inline]
 [<ffffffff835e0fc0>] tun_chr_close+0x40/0x60 drivers/net/tun.c:2343
 [<ffffffff817a7b9e>] __fput+0x20e/0x750 fs/file_table.c:208
 [<ffffffff817a8149>] ____fput+0x9/0x10 fs/file_table.c:244
 [<ffffffff813ac959>] task_work_run+0xd9/0x150 kernel/task_work.c:114
 [<ffffffff810066d3>] tracehook_notify_resume include/linux/tracehook.h:191 [inline]
 [<ffffffff810066d3>] exit_to_usermode_loop+0x183/0x1c0 arch/x86/entry/common.c:233
 [<ffffffff81008815>] prepare_exit_to_usermode arch/x86/entry/common.c:264 [inline]
 [<ffffffff81008815>] syscall_return_slowpath+0x275/0x2f0 arch/x86/entry/common.c:329
 [<ffffffff858c945c>] entry_SYSCALL_64_fastpath+0xbf/0xc1
Deallocation:
PID = 8554
 [<ffffffff812103a6>] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:67
 [<ffffffff8174d8d6>] save_stack+0x46/0xd0 mm/kasan/kasan.c:476
 [<ffffffff8174e0bb>] set_track mm/kasan/kasan.c:488 [inline]
 [<ffffffff8174e0bb>] kasan_slab_free+0x9b/0xd0 mm/kasan/kasan.c:540
 [<ffffffff8174bf0f>] __cache_free mm/slab.c:3551 [inline]
 [<ffffffff8174bf0f>] kfree+0xcf/0x2c0 mm/slab.c:3868
 [<ffffffff840ae89c>] netdevice_event_work_handler+0x11c/0x1d0 drivers/infiniband/core/roce_gid_mgmt.c:548
 [<ffffffff8139fc02>] process_one_work+0x6a2/0x1580 kernel/workqueue.c:2096
 [<ffffffff813a0bb7>] worker_thread+0xd7/0xf10 kernel/workqueue.c:2230
 [<ffffffff813b13e9>] kthread+0x209/0x2d0 kernel/kthread.c:209
 [<ffffffff858c960f>] ret_from_fork+0x1f/0x40 arch/x86/entry/entry_64.S:389
Memory state around the buggy address:
 ffff8800ae433d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8800ae433d80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
>ffff8800ae433e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                      ^
 ffff8800ae433e80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
 ffff8800ae433f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
==================================================================
BUG: KASAN: use-after-free in pneigh_get_next.isra.18+0x214/0x320 net/core/neighbour.c:2633 at addr ffff8800ae433e00
Read of size 8 by task syz-executor.2/12203
CPU: 1 PID: 12203 Comm: syz-executor.2 Tainted: G    B           4.7.0+ #1
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 1ffffffff0d56312 ffff8800aef371c0 ffffffff829e0956 ffff8800ae433e00
 ffff8800aef37250 ffff8800ae433e00 ffff88012bc00000 ffff8800aef37240
 ffffffff8174e667 0000000000000010 ffff880000000000 0000000000000282
Call Trace:
 [<ffffffff829e0956>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff829e0956>] dump_stack+0xe6/0x120 lib/dump_stack.c:51
 [<ffffffff8174e667>] object_err mm/kasan/report.c:139 [inline]
 [<ffffffff8174e667>] print_address_description mm/kasan/report.c:180 [inline]
 [<ffffffff8174e667>] kasan_report_error+0x1e7/0x5b0 mm/kasan/report.c:276
 [<ffffffff8174eb2e>] kasan_report mm/kasan/report.c:298 [inline]
 [<ffffffff8174eb2e>] __asan_report_load8_noabort+0x3e/0x40 mm/kasan/report.c:319
 [<ffffffff84698324>] pneigh_get_next.isra.18+0x214/0x320 net/core/neighbour.c:2633
 [<ffffffff846991a1>] neigh_seq_next+0x91/0x1c0 net/core/neighbour.c:2715
 [<ffffffff81811434>] seq_read+0x9e4/0x11a0 fs/seq_file.c:268
 [<ffffffff818ff3ec>] proc_reg_read+0xbc/0x180 fs/proc/inode.c:203
 [<ffffffff8179efa4>] do_loop_readv_writev+0x134/0x210 fs/read_write.c:714
 [<ffffffff817a3895>] do_readv_writev+0x565/0x660 fs/read_write.c:845
 [<ffffffff817a39f7>] vfs_readv+0x67/0xa0 fs/read_write.c:869
 [<ffffffff8183f55d>] kernel_readv fs/splice.c:583 [inline]
 [<ffffffff8183f55d>] default_file_splice_read+0x42d/0x800 fs/splice.c:659
 [<ffffffff8183af13>] do_splice_to+0xe3/0x140 fs/splice.c:1154
 [<ffffffff8183b1a5>] splice_direct_to_actor+0x235/0x7c0 fs/splice.c:1226
 [<ffffffff8183b87e>] do_splice_direct+0x14e/0x260 fs/splice.c:1337
 [<ffffffff817a5560>] do_sendfile+0x4c0/0xe40 fs/read_write.c:1372
 [<ffffffff817a713d>] SYSC_sendfile64 fs/read_write.c:1433 [inline]
 [<ffffffff817a713d>] SyS_sendfile64+0x11d/0x120 fs/read_write.c:1419
 [<ffffffff858c93c0>] entry_SYSCALL_64_fastpath+0x23/0xc1
Object at ffff8800ae433e00, in cache kmalloc-node
Object freed, allocated with size 160 bytes
Allocation:
PID = 12198
 [<ffffffff812103a6>] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:67
 [<ffffffff8174d8d6>] save_stack+0x46/0xd0 mm/kasan/kasan.c:476
 [<ffffffff8174db7a>] set_track mm/kasan/kasan.c:488 [inline]
 [<ffffffff8174db7a>] kasan_kmalloc+0xda/0x100 mm/kasan/kasan.c:586
 [<ffffffff81749f32>] kmem_cache_alloc_trace+0x142/0x780 mm/slab.c:3675
 [<ffffffff840aef5f>] kmalloc include/linux/slab.h:478 [inline]
 [<ffffffff840aef5f>] netdevice_queue_work drivers/infiniband/core/roce_gid_mgmt.c:555 [inline]
 [<ffffffff840aef5f>] netdevice_event+0x24f/0x7c0 drivers/infiniband/core/roce_gid_mgmt.c:657
 [<ffffffff813b470b>] notifier_call_chain+0x8b/0x170 kernel/notifier.c:93
 [<ffffffff813b4811>] __raw_notifier_call_chain kernel/notifier.c:394 [inline]
 [<ffffffff813b4811>] raw_notifier_call_chain+0x11/0x20 kernel/notifier.c:401
 [<ffffffff84661377>] call_netdevice_notifiers_info+0x47/0x80 net/core/dev.c:1643
 [<ffffffff8466dfca>] call_netdevice_notifiers net/core/dev.c:1659 [inline]
 [<ffffffff8466dfca>] rollback_registered_many+0x3fa/0x740 net/core/dev.c:6611
 [<ffffffff8466e37f>] rollback_registered+0x6f/0x90 net/core/dev.c:6652
 [<ffffffff8466e408>] unregister_netdevice_queue+0x68/0x120 net/core/dev.c:7636
 [<ffffffff835e0cfe>] unregister_netdevice include/linux/netdevice.h:2363 [inline]
 [<ffffffff835e0cfe>] __tun_detach+0x73e/0x9c0 drivers/net/tun.c:561
 [<ffffffff835e0fc0>] tun_detach drivers/net/tun.c:570 [inline]
 [<ffffffff835e0fc0>] tun_chr_close+0x40/0x60 drivers/net/tun.c:2343
 [<ffffffff817a7b9e>] __fput+0x20e/0x750 fs/file_table.c:208
 [<ffffffff817a8149>] ____fput+0x9/0x10 fs/file_table.c:244
 [<ffffffff813ac959>] task_work_run+0xd9/0x150 kernel/task_work.c:114
 [<ffffffff810066d3>] tracehook_notify_resume include/linux/tracehook.h:191 [inline]
 [<ffffffff810066d3>] exit_to_usermode_loop+0x183/0x1c0 arch/x86/entry/common.c:233
 [<ffffffff81008815>] prepare_exit_to_usermode arch/x86/entry/common.c:264 [inline]
 [<ffffffff81008815>] syscall_return_slowpath+0x275/0x2f0 arch/x86/entry/common.c:329
 [<ffffffff858c945c>] entry_SYSCALL_64_fastpath+0xbf/0xc1
Deallocation:
PID = 8554
 [<ffffffff812103a6>] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:67
 [<ffffffff8174d8d6>] save_stack+0x46/0xd0 mm/kasan/kasan.c:476
 [<ffffffff8174e0bb>] set_track mm/kasan/kasan.c:488 [inline]
 [<ffffffff8174e0bb>] kasan_slab_free+0x9b/0xd0 mm/kasan/kasan.c:540
 [<ffffffff8174bf0f>] __cache_free mm/slab.c:3551 [inline]
 [<ffffffff8174bf0f>] kfree+0xcf/0x2c0 mm/slab.c:3868
 [<ffffffff840ae89c>] netdevice_event_work_handler+0x11c/0x1d0 drivers/infiniband/core/roce_gid_mgmt.c:548
 [<ffffffff8139fc02>] process_one_work+0x6a2/0x1580 kernel/workqueue.c:2096
 [<ffffffff813a0bb7>] worker_thread+0xd7/0xf10 kernel/workqueue.c:2230
 [<ffffffff813b13e9>] kthread+0x209/0x2d0 kernel/kthread.c:209
 [<ffffffff858c960f>] ret_from_fork+0x1f/0x40 arch/x86/entry/entry_64.S:389
Memory state around the buggy address:
 ffff8800ae433d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8800ae433d80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
>ffff8800ae433e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                   ^
 ffff8800ae433e80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
 ffff8800ae433f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
==================================================================
BUG: KASAN: use-after-free in read_pnet include/net/net_namespace.h:259 [inline] at addr ffff8800ad2f7b48
BUG: KASAN: use-after-free in pneigh_net include/net/neighbour.h:352 [inline] at addr ffff8800ad2f7b48
BUG: KASAN: use-after-free in pneigh_get_next.isra.18+0x1f7/0x320 net/core/neighbour.c:2634 at addr ffff8800ad2f7b48
Read of size 8 by task syz-executor.2/12203
CPU: 1 PID: 12203 Comm: syz-executor.2 Tainted: G    B           4.7.0+ #1
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 1ffffffff0d56312 ffff8800aef371c0 ffffffff829e0956 ffff8800ad2f7b40
 ffff8800aef37250 ffff8800ad2f7b40 ffff88012bc00700 ffff8800aef37240
 ffffffff8174e667 0000000000000010 ffff880000000000 0000000000000282
Call Trace:
 [<ffffffff829e0956>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff829e0956>] dump_stack+0xe6/0x120 lib/dump_stack.c:51
 [<ffffffff8174e667>] object_err mm/kasan/report.c:139 [inline]
 [<ffffffff8174e667>] print_address_description mm/kasan/report.c:180 [inline]
 [<ffffffff8174e667>] kasan_report_error+0x1e7/0x5b0 mm/kasan/report.c:276
 [<ffffffff8174eb2e>] kasan_report mm/kasan/report.c:298 [inline]
 [<ffffffff8174eb2e>] __asan_report_load8_noabort+0x3e/0x40 mm/kasan/report.c:319
 [<ffffffff84698307>] read_pnet include/net/net_namespace.h:259 [inline]
 [<ffffffff84698307>] pneigh_net include/net/neighbour.h:352 [inline]
 [<ffffffff84698307>] pneigh_get_next.isra.18+0x1f7/0x320 net/core/neighbour.c:2634
 [<ffffffff846991a1>] neigh_seq_next+0x91/0x1c0 net/core/neighbour.c:2715
 [<ffffffff81811434>] seq_read+0x9e4/0x11a0 fs/seq_file.c:268
 [<ffffffff818ff3ec>] proc_reg_read+0xbc/0x180 fs/proc/inode.c:203
 [<ffffffff8179efa4>] do_loop_readv_writev+0x134/0x210 fs/read_write.c:714
 [<ffffffff817a3895>] do_readv_writev+0x565/0x660 fs/read_write.c:845
 [<ffffffff817a39f7>] vfs_readv+0x67/0xa0 fs/read_write.c:869
 [<ffffffff8183f55d>] kernel_readv fs/splice.c:583 [inline]
 [<ffffffff8183f55d>] default_file_splice_read+0x42d/0x800 fs/splice.c:659
 [<ffffffff8183af13>] do_splice_to+0xe3/0x140 fs/splice.c:1154
 [<ffffffff8183b1a5>] splice_direct_to_actor+0x235/0x7c0 fs/splice.c:1226
 [<ffffffff8183b87e>] do_splice_direct+0x14e/0x260 fs/splice.c:1337
 [<ffffffff817a5560>] do_sendfile+0x4c0/0xe40 fs/read_write.c:1372
 [<ffffffff817a713d>] SYSC_sendfile64 fs/read_write.c:1433 [inline]
 [<ffffffff817a713d>] SyS_sendfile64+0x11d/0x120 fs/read_write.c:1419
 [<ffffffff858c93c0>] entry_SYSCALL_64_fastpath+0x23/0xc1
Object at ffff8800ad2f7b40, in cache kmalloc-1024
Object freed, allocated with size 1024 bytes
Allocation:
PID = 6739
 [<ffffffff812103a6>] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:67
 [<ffffffff8174d8d6>] save_stack+0x46/0xd0 mm/kasan/kasan.c:476
 [<ffffffff8174db7a>] set_track mm/kasan/kasan.c:488 [inline]
 [<ffffffff8174db7a>] kasan_kmalloc+0xda/0x100 mm/kasan/kasan.c:586
 [<ffffffff81749f32>] kmem_cache_alloc_trace+0x142/0x780 mm/slab.c:3675
 [<ffffffff8146ec9b>] kmalloc include/linux/slab.h:478 [inline]
 [<ffffffff8146ec9b>] syslog_print kernel/printk/printk.c:1151 [inline]
 [<ffffffff8146ec9b>] do_syslog+0x47b/0x990 kernel/printk/printk.c:1328
 [<ffffffff81926b45>] kmsg_read+0x65/0x80 fs/proc/kmsg.c:39
 [<ffffffff818ff3ec>] proc_reg_read+0xbc/0x180 fs/proc/inode.c:203
 [<ffffffff8179e81b>] __vfs_read+0xdb/0x730 fs/read_write.c:452
 [<ffffffff817a2caa>] vfs_read+0xea/0x2d0 fs/read_write.c:475
 [<ffffffff817a65fb>] SYSC_read fs/read_write.c:591 [inline]
 [<ffffffff817a65fb>] SyS_read+0xcb/0x1a0 fs/read_write.c:584
 [<ffffffff858c93c0>] entry_SYSCALL_64_fastpath+0x23/0xc1
Deallocation:
PID = 6739
 [<ffffffff812103a6>] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:67
 [<ffffffff8174d8d6>] save_stack+0x46/0xd0 mm/kasan/kasan.c:476
 [<ffffffff8174e0bb>] set_track mm/kasan/kasan.c:488 [inline]
 [<ffffffff8174e0bb>] kasan_slab_free+0x9b/0xd0 mm/kasan/kasan.c:540
 [<ffffffff8174bf0f>] __cache_free mm/slab.c:3551 [inline]
 [<ffffffff8174bf0f>] kfree+0xcf/0x2c0 mm/slab.c:3868
 [<ffffffff8146eff5>] syslog_print kernel/printk/printk.c:1205 [inline]
 [<ffffffff8146eff5>] do_syslog+0x7d5/0x990 kernel/printk/printk.c:1328
 [<ffffffff81926b45>] kmsg_read+0x65/0x80 fs/proc/kmsg.c:39
 [<ffffffff818ff3ec>] proc_reg_read+0xbc/0x180 fs/proc/inode.c:203
 [<ffffffff8179e81b>] __vfs_read+0xdb/0x730 fs/read_write.c:452
 [<ffffffff817a2caa>] vfs_read+0xea/0x2d0 fs/read_write.c:475
 [<ffffffff817a65fb>] SYSC_read fs/read_write.c:591 [inline]
 [<ffffffff817a65fb>] SyS_read+0xcb/0x1a0 fs/read_write.c:584
 [<ffffffff858c93c0>] entry_SYSCALL_64_fastpath+0x23/0xc1
Memory state around the buggy address:
 ffff8800ad2f7a00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff8800ad2f7a80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff8800ad2f7b00: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
                                              ^
 ffff8800ad2f7b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8800ad2f7c00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
==================================================================
BUG: KASAN: use-after-free in pneigh_get_next.isra.18+0x214/0x320 net/core/neighbour.c:2633 at addr ffff8800ad2f7b40
Read of size 8 by task syz-executor.2/12203
CPU: 1 PID: 12203 Comm: syz-executor.2 Tainted: G    B           4.7.0+ #1
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 1ffffffff0d56312 ffff8800aef371c0 ffffffff829e0956 ffff8800ad2f7b40
 ffff8800aef37250 ffff8800ad2f7b40 ffff88012bc00700 ffff8800aef37240
 ffffffff8174e667 0000000000000010 ffff880000000000 0000000000000282
Call Trace:
 [<ffffffff829e0956>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff829e0956>] dump_stack+0xe6/0x120 lib/dump_stack.c:51
 [<ffffffff8174e667>] object_err mm/kasan/report.c:139 [inline]
 [<ffffffff8174e667>] print_address_description mm/kasan/report.c:180 [inline]
 [<ffffffff8174e667>] kasan_report_error+0x1e7/0x5b0 mm/kasan/report.c:276
 [<ffffffff8174eb2e>] kasan_report mm/kasan/report.c:298 [inline]
 [<ffffffff8174eb2e>] __asan_report_load8_noabort+0x3e/0x40 mm/kasan/report.c:319
 [<ffffffff84698324>] pneigh_get_next.isra.18+0x214/0x320 net/core/neighbour.c:2633
 [<ffffffff846991a1>] neigh_seq_next+0x91/0x1c0 net/core/neighbour.c:2715
 [<ffffffff81811434>] seq_read+0x9e4/0x11a0 fs/seq_file.c:268
 [<ffffffff818ff3ec>] proc_reg_read+0xbc/0x180 fs/proc/inode.c:203
 [<ffffffff8179efa4>] do_loop_readv_writev+0x134/0x210 fs/read_write.c:714
 [<ffffffff817a3895>] do_readv_writev+0x565/0x660 fs/read_write.c:845
 [<ffffffff817a39f7>] vfs_readv+0x67/0xa0 fs/read_write.c:869