Warning: Permanently added '[localhost]:60365' (ECDSA) to the list of known hosts.
syzkaller login: [ 109.660787][ T39] kauditd_printk_skb: 4 callbacks suppressed
[ 109.660797][ T39] audit: type=1400 audit(1584461704.105:42): avc: denied { map } for pid=8789 comm="syz-executor732" path="/syz-executor732942968" dev="sda1" ino=16528 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:file_t:s0 tclass=file permissive=1
[ 109.692018][ T8790] IPVS: ftp: loaded support on port[0] = 21
executing program
[ 110.153016][ T8] tipc: TX() has been purged, node left!
[ 112.326080][ T8] ==================================================================
[ 112.335147][ T8] BUG: KASAN: use-after-free in route4_destroy+0x6bf/0x800
[ 112.335147][ T8] Read of size 8 at addr ffff888022eab800 by task kworker/u16:0/8
[ 112.335147][ T8]
[ 112.335147][ T8] CPU: 3 PID: 8 Comm: kworker/u16:0 Not tainted 5.6.0-rc6-syzkaller #0
[ 112.335147][ T8] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014
[ 112.335147][ T8] Workqueue: netns cleanup_net
[ 112.335147][ T8] Call Trace:
[ 112.335147][ T8] dump_stack+0x188/0x20d
[ 112.335147][ T8] ? route4_destroy+0x6bf/0x800
[ 112.335147][ T8] ? route4_destroy+0x6bf/0x800
[ 112.335147][ T8] print_address_description.constprop.0.cold+0xd3/0x315
[ 112.335147][ T8] ? route4_destroy+0x6bf/0x800
[ 112.335147][ T8] ? route4_destroy+0x6bf/0x800
[ 112.335147][ T8] __kasan_report.cold+0x1a/0x32
[ 112.335147][ T8] ? route4_destroy+0x6bf/0x800
[ 112.335147][ T8] kasan_report+0xe/0x20
[ 112.335147][ T8] route4_destroy+0x6bf/0x800
[ 112.335147][ T8] ? mutex_trylock+0x2c0/0x2c0
[ 112.335147][ T8] ? route4_init+0xa0/0xa0
[ 112.335147][ T8] ? __mutex_unlock_slowpath+0xe2/0x660
[ 112.335147][ T8] tcf_proto_destroy+0x6e/0x310
[ 112.335147][ T8] tcf_proto_put+0x8c/0xc0
[ 112.335147][ T8] tcf_chain_flush+0x266/0x390
[ 112.335147][ T8] __tcf_block_put+0x1a4/0x540
[ 112.335147][ T8] tcf_block_put+0xb3/0x100
[ 112.335147][ T8] ? tcf_block_put_ext+0x40/0x40
[ 112.335147][ T8] ? qdisc_dequeue_head+0x330/0x330
[ 112.335147][ T8] ? hrtimer_cancel+0x29/0x40
[ 112.335147][ T8] hfsc_destroy_qdisc+0xe0/0x280
[ 112.335147][ T8] ? hfsc_walk+0x330/0x330
[ 112.335147][ T8] qdisc_destroy+0x118/0x690
[ 112.335147][ T8] qdisc_put+0xcd/0xe0
[ 112.335147][ T8] dev_shutdown+0x2b5/0x486
[ 112.335147][ T8] rollback_registered_many+0x603/0xe70
[ 112.335147][ T8] ? find_held_lock+0x2d/0x110
[ 112.335147][ T8] ? netif_set_real_num_tx_queues+0x700/0x700
[ 112.335147][ T8] ? default_device_exit_batch+0x1ab/0x3d0
[ 112.335147][ T8] ? mark_lock+0xbc/0x1220
[ 112.335147][ T8] unregister_netdevice_many.part.0+0x16/0x1e0
[ 112.335147][ T8] default_device_exit_batch+0x311/0x3d0
[ 112.335147][ T8] ? unregister_netdevice_many+0x50/0x50
[ 112.335147][ T8] ? prepare_to_wait_exclusive+0x2c0/0x2c0
[ 112.335147][ T8] ? unregister_netdevice_many+0x50/0x50
[ 112.335147][ T8] ? dev_change_net_namespace+0xcf0/0xcf0
[ 112.335147][ T8] ops_exit_list.isra.0+0x103/0x150
[ 112.335147][ T8] cleanup_net+0x511/0xa50
[ 112.335147][ T8] ? unregister_pernet_device+0x70/0x70
[ 112.335147][ T8] ? rcu_read_lock_any_held.part.0+0x50/0x50
[ 112.335147][ T8] process_one_work+0x94b/0x1690
[ 112.335147][ T8] ? pwq_dec_nr_in_flight+0x310/0x310
[ 112.335147][ T8] ? do_raw_spin_lock+0x129/0x2e0
[ 112.335147][ T8] worker_thread+0x96/0xe20
[ 112.335147][ T8] ? process_one_work+0x1690/0x1690
[ 112.335147][ T8] kthread+0x357/0x430
[ 112.335147][ T8] ? kthread_mod_delayed_work+0x1a0/0x1a0
[ 112.335147][ T8] ret_from_fork+0x24/0x30
[ 112.335147][ T8]
[ 112.335147][ T8] Allocated by task 8791:
[ 112.335147][ T8] save_stack+0x1b/0x80
[ 112.335147][ T8] __kasan_kmalloc.constprop.0+0xbf/0xd0
[ 112.335147][ T8] kmem_cache_alloc_trace+0x153/0x7d0
[ 112.335147][ T8] route4_change+0x2a9/0x2250
[ 112.335147][ T8] tc_new_tfilter+0xa59/0x20b0
[ 112.335147][ T8] rtnetlink_rcv_msg+0x810/0xad0
[ 112.335147][ T8] netlink_rcv_skb+0x15a/0x410
[ 112.335147][ T8] netlink_unicast+0x537/0x740
[ 112.335147][ T8] netlink_sendmsg+0x882/0xe10
[ 112.335147][ T8] sock_sendmsg+0xcf/0x120
[ 112.335147][ T8] ____sys_sendmsg+0x6b9/0x7d0
[ 112.335147][ T8] ___sys_sendmsg+0x100/0x170
[ 112.335147][ T8] __sys_sendmsg+0xec/0x1b0
[ 112.335147][ T8] do_syscall_64+0xf6/0x7d0
[ 112.335147][ T8] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 112.335147][ T8]
[ 112.335147][ T8] Freed by task 8:
[ 112.335147][ T8] save_stack+0x1b/0x80
[ 112.335147][ T8] __kasan_slab_free+0xf7/0x140
[ 112.335147][ T8] kfree+0x109/0x2b0
[ 112.335147][ T8] route4_delete_filter_work+0x17/0x20
[ 112.335147][ T8] process_one_work+0x94b/0x1690
[ 112.335147][ T8] worker_thread+0x96/0xe20
[ 112.335147][ T8] kthread+0x357/0x430
[ 112.335147][ T8] ret_from_fork+0x24/0x30
[ 112.335147][ T8]
[ 112.335147][ T8] The buggy address belongs to the object at ffff888022eab800
[ 112.335147][ T8] which belongs to the cache kmalloc-192 of size 192
[ 112.335147][ T8] The buggy address is located 0 bytes inside of
[ 112.335147][ T8] 192-byte region [ffff888022eab800, ffff888022eab8c0)
[ 112.335147][ T8] The buggy address belongs to the page:
[ 112.335147][ T8] page:ffffea00008baac0 refcount:1 mapcount:0 mapping:ffff88802cc00000 index:0x0
[ 112.335147][ T8] flags: 0xfffe0000000200(slab)
[ 112.335147][ T8] raw: 00fffe0000000200 ffffea0000a95b08 ffffea00008a6fc8 ffff88802cc00000
[ 112.335147][ T8] raw: 0000000000000000 ffff888022eab000 0000000100000010 0000000000000000
[ 112.335147][ T8] page dumped because: kasan: bad access detected
[ 112.335147][ T8]
[ 112.335147][ T8] Memory state around the buggy address:
[ 112.335147][ T8] ffff888022eab700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 112.335147][ T8] ffff888022eab780: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc
[ 112.335147][ T8] >ffff888022eab800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 112.335147][ T8] ^
[ 112.335147][ T8] ffff888022eab880: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 112.335147][ T8] ffff888022eab900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 112.335147][ T8] ==================================================================
[ 112.335147][ T8] Disabling lock debugging due to kernel taint
[ 113.075138][ T8] Kernel panic - not syncing: panic_on_warn set ...
[ 113.082489][ T8] CPU: 3 PID: 8 Comm: kworker/u16:0 Tainted: G B 5.6.0-rc6-syzkaller #0
[ 113.082489][ T8] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014
[ 113.082489][ T8] Workqueue: netns cleanup_net
[ 113.082489][ T8] Call Trace:
[ 113.082489][ T8] dump_stack+0x188/0x20d
[ 113.082489][ T8] panic+0x2e3/0x75c
[ 113.082489][ T8] ? add_taint.cold+0x16/0x16
[ 113.145847][ T8] ? preempt_schedule_common+0x5e/0xc0
[ 113.145847][ T8] ? route4_destroy+0x6bf/0x800
[ 113.145847][ T8] ? ___preempt_schedule+0x16/0x18
[ 113.162929][ T8] ? trace_hardirqs_on+0x55/0x220
[ 113.162929][ T8] ? route4_destroy+0x6bf/0x800
[ 113.172691][ T8] end_report+0x43/0x49
[ 113.182683][ T8] ? route4_destroy+0x6bf/0x800
[ 113.182683][ T8] __kasan_report.cold+0xd/0x32
[ 113.182683][ T8] ? route4_destroy+0x6bf/0x800
[ 113.202609][ T8] kasan_report+0xe/0x20
[ 113.202609][ T8] route4_destroy+0x6bf/0x800
[ 113.202609][ T8] ? mutex_trylock+0x2c0/0x2c0
[ 113.202609][ T8] ? route4_init+0xa0/0xa0
[ 113.222655][ T8] ? __mutex_unlock_slowpath+0xe2/0x660
[ 113.222655][ T8] tcf_proto_destroy+0x6e/0x310
[ 113.222655][ T8] tcf_proto_put+0x8c/0xc0
[ 113.242659][ T8] tcf_chain_flush+0x266/0x390
[ 113.242659][ T8] __tcf_block_put+0x1a4/0x540
[ 113.242659][ T8] tcf_block_put+0xb3/0x100
[ 113.242659][ T8] ? tcf_block_put_ext+0x40/0x40
[ 113.262708][ T8] ? qdisc_dequeue_head+0x330/0x330
[ 113.262708][ T8] ? hrtimer_cancel+0x29/0x40
[ 113.273978][ T8] hfsc_destroy_qdisc+0xe0/0x280
[ 113.282871][ T8] ? hfsc_walk+0x330/0x330
[ 113.282871][ T8] qdisc_destroy+0x118/0x690
[ 113.282871][ T8] qdisc_put+0xcd/0xe0
[ 113.282871][ T8] dev_shutdown+0x2b5/0x486
[ 113.302754][ T8] rollback_registered_many+0x603/0xe70
[ 113.302754][ T8] ? find_held_lock+0x2d/0x110
[ 113.302754][ T8] ? netif_set_real_num_tx_queues+0x700/0x700
[ 113.322614][ T8] ? default_device_exit_batch+0x1ab/0x3d0
[ 113.322614][ T8] ? mark_lock+0xbc/0x1220
[ 113.322614][ T8] unregister_netdevice_many.part.0+0x16/0x1e0
[ 113.342590][ T8] default_device_exit_batch+0x311/0x3d0
[ 113.352679][ T8] ? unregister_netdevice_many+0x50/0x50
[ 113.352679][ T8] ? prepare_to_wait_exclusive+0x2c0/0x2c0
[ 113.362659][ T8] ? unregister_netdevice_many+0x50/0x50
[ 113.362659][ T8] ? dev_change_net_namespace+0xcf0/0xcf0
[ 113.382610][ T8] ops_exit_list.isra.0+0x103/0x150
[ 113.382610][ T8] cleanup_net+0x511/0xa50
[ 113.382610][ T8] ? unregister_pernet_device+0x70/0x70
[ 113.402650][ T8] ? rcu_read_lock_any_held.part.0+0x50/0x50
[ 113.402650][ T8] process_one_work+0x94b/0x1690
[ 113.402650][ T8] ? pwq_dec_nr_in_flight+0x310/0x310
[ 113.422564][ T8] ? do_raw_spin_lock+0x129/0x2e0
[ 113.422564][ T8] worker_thread+0x96/0xe20
[ 113.422564][ T8] ? process_one_work+0x1690/0x1690
[ 113.422564][ T8] kthread+0x357/0x430
[ 113.442693][ T8] ? kthread_mod_delayed_work+0x1a0/0x1a0
[ 113.452598][ T8] ret_from_fork+0x24/0x30
[ 113.462658][ T8] Kernel Offset: disabled
[ 113.462658][ T8] Rebooting in 86400 seconds..