================================================================== BUG: KASAN: use-after-free in netdev_need_ops_lock include/net/netdev_lock.h:30 [inline] BUG: KASAN: use-after-free in netdev_unlock_ops include/net/netdev_lock.h:47 [inline] BUG: KASAN: use-after-free in __linkwatch_run_queue+0x54c/0x618 net/core/link_watch.c:245 Read of size 1 at addr ffff00001d080ca9 by task kworker/u8:6/20759 CPU: 0 UID: 0 PID: 20759 Comm: kworker/u8:6 Not tainted syzkaller #0 PREEMPT Hardware name: linux,dummy-virt (DT) Workqueue: events_unbound linkwatch_event Call trace: show_stack+0x18/0x24 arch/arm64/kernel/stacktrace.c:499 (C) __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0xa4/0xf4 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:378 [inline] print_report+0xf4/0x5a0 mm/kasan/report.c:482 kasan_report+0xc8/0x108 mm/kasan/report.c:595 __asan_report_load1_noabort+0x20/0x2c mm/kasan/report_generic.c:378 netdev_need_ops_lock include/net/netdev_lock.h:30 [inline] netdev_unlock_ops include/net/netdev_lock.h:47 [inline] __linkwatch_run_queue+0x54c/0x618 net/core/link_watch.c:245 linkwatch_event+0x90/0xbc net/core/link_watch.c:304 process_one_work+0x7cc/0x18d4 kernel/workqueue.c:3263 process_scheduled_works kernel/workqueue.c:3346 [inline] worker_thread+0x734/0xb84 kernel/workqueue.c:3427 kthread+0x348/0x5fc kernel/kthread.c:463 ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:860 The buggy address belongs to the physical page: page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff00001d082000 pfn:0x5d080 flags: 0x1ffc00000000000(node=0|zone=0|lastcpupid=0x7ff) raw: 01ffc00000000000 fffffdffc08e8408 ffff00006a090c40 0000000000000000 raw: ffff00001d082000 0000000000000000 00000000ffffffff 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff00001d080b80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ffff00001d080c00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff >ffff00001d080c80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ^ ffff00001d080d00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ffff00001d080d80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ================================================================== netdevsim netdevsim1 eth3 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0 netdevsim netdevsim1 eth2 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0 netdevsim netdevsim1 eth1 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0 netdevsim netdevsim1 eth0 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0 bond0 (unregistering): (slave bond_slave_0): Releasing backup interface bond0 (unregistering): (slave bond_slave_1): Releasing backup interface bond0 (unregistering): Released all slaves hsr_slave_0: left promiscuous mode hsr_slave_1: left promiscuous mode veth1_macvtap: left promiscuous mode veth0_macvtap: left promiscuous mode veth1_vlan: left promiscuous mode veth0_vlan: left promiscuous mode ------------[ cut here ]------------ WARNING: CPU: 0 PID: 20759 at net/ipv6/xfrm6_tunnel.c:341 xfrm6_tunnel_net_exit+0x84/0x154 net/ipv6/xfrm6_tunnel.c:341 Modules linked in: CPU: 0 UID: 0 PID: 20759 Comm: kworker/u8:6 Tainted: G B syzkaller #0 PREEMPT Tainted: [B]=BAD_PAGE Hardware name: linux,dummy-virt (DT) Workqueue: netns cleanup_net pstate: 80000005 (Nzcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : xfrm6_tunnel_net_exit+0x84/0x154 net/ipv6/xfrm6_tunnel.c:341 lr : xfrm6_tunnel_net_exit+0x50/0x154 net/ipv6/xfrm6_tunnel.c:338 sp : ffff80008e297910 x29: ffff80008e297910 x28: dfff800000000000 x27: ffff800088a5db00 x26: ffff800088c16880 x25: ffff700011c52f5c x24: ffff0000171e0000 x23: dfff800000000000 x22: ffff000013ea0000 x21: 0000000000000000 x20: ffff000013ea0000 x19: 0000000000000000 x18: ffff80008e296c8c x17: ffff8000871defc0 x16: ffff00006a053504 x15: ffff00000e3a0a00 x14: 1fffe00001c74164 x13: 0000000000000000 x12: ffff700011c52e95 x11: 1ffff00011c52e94 x10: ffff700011c52e94 x9 : dfff800000000000 x8 : ffff80008e2974a8 x7 : ffff80008e2975d0 x6 : ffff80008e297520 x5 : ffff80008e297508 x4 : 1ffff00011c52eaa x3 : 1fffe0000d40bfde x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff000021c2b000 Call trace: xfrm6_tunnel_net_exit+0x84/0x154 net/ipv6/xfrm6_tunnel.c:341 (P) ops_exit_list net/core/net_namespace.c:199 [inline] ops_undo_list+0x1f4/0x71c net/core/net_namespace.c:252 cleanup_net+0x32c/0x73c net/core/net_namespace.c:695 process_one_work+0x7cc/0x18d4 kernel/workqueue.c:3263 process_scheduled_works kernel/workqueue.c:3346 [inline] worker_thread+0x734/0xb84 kernel/workqueue.c:3427 kthread+0x348/0x5fc kernel/kthread.c:463 ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:860 irq event stamp: 30445 hardirqs last enabled at (30445): [] raw_spin_rq_unlock_irq kernel/sched/sched.h:1559 [inline] hardirqs last enabled at (30445): [] finish_lock_switch kernel/sched/core.c:5073 [inline] hardirqs last enabled at (30445): [] finish_task_switch.isra.0+0x1a8/0x854 kernel/sched/core.c:5191 hardirqs last disabled at (30444): [] __schedule+0x2e8/0x3180 kernel/sched/core.c:6813 softirqs last enabled at (30420): [] softirq_handle_end kernel/softirq.c:468 [inline] softirqs last enabled at (30420): [] handle_softirqs+0x88c/0xdb4 kernel/softirq.c:650 softirqs last disabled at (30107): [] __do_softirq+0x14/0x20 kernel/softirq.c:656 ---[ end trace 0000000000000000 ]--- ------------[ cut here ]------------ WARNING: CPU: 0 PID: 20759 at net/ipv6/xfrm6_tunnel.c:344 xfrm6_tunnel_net_exit+0xe0/0x154 net/ipv6/xfrm6_tunnel.c:344 Modules linked in: CPU: 0 UID: 0 PID: 20759 Comm: kworker/u8:6 Tainted: G B W syzkaller #0 PREEMPT Tainted: [B]=BAD_PAGE, [W]=WARN Hardware name: linux,dummy-virt (DT) Workqueue: netns cleanup_net pstate: 80000005 (Nzcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : xfrm6_tunnel_net_exit+0xe0/0x154 net/ipv6/xfrm6_tunnel.c:344 lr : xfrm6_tunnel_net_exit+0x50/0x154 net/ipv6/xfrm6_tunnel.c:338 sp : ffff80008e297910 x29: ffff80008e297910 x28: dfff800000000000 x27: ffff800088a5db00 x26: ffff800088c16880 x25: ffff700011c52f5c x24: ffff0000171e0000 x23: dfff800000000000 x22: ffff000013ea0000 x21: ffff000013ea0808 x20: 0000000000000101 x19: 0000000000000001 x18: ffff80008e296c8c x17: ffff8000871defc0 x16: ffff00006a053504 x15: ffff00000e3a0a00 x14: 1fffe00001c74164 x13: 0000000000000000 x12: ffff700011c52e95 x11: 1ffff00011c52e94 x10: ffff700011c52e94 x9 : dfff800000000000 x8 : ffff80008e2974a8 x7 : ffff80008e2975d0 x6 : ffff80008e297520 x5 : ffff80008e297508 x4 : 1ffff00011c52eaa x3 : 1fffe0000d40bfde x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff000021c2b010 Call trace: xfrm6_tunnel_net_exit+0xe0/0x154 net/ipv6/xfrm6_tunnel.c:344 (P) ops_exit_list net/core/net_namespace.c:199 [inline] ops_undo_list+0x1f4/0x71c net/core/net_namespace.c:252 cleanup_net+0x32c/0x73c net/core/net_namespace.c:695 process_one_work+0x7cc/0x18d4 kernel/workqueue.c:3263 process_scheduled_works kernel/workqueue.c:3346 [inline] worker_thread+0x734/0xb84 kernel/workqueue.c:3427 kthread+0x348/0x5fc kernel/kthread.c:463 ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:860 irq event stamp: 30445 hardirqs last enabled at (30445): [] raw_spin_rq_unlock_irq kernel/sched/sched.h:1559 [inline] hardirqs last enabled at (30445): [] finish_lock_switch kernel/sched/core.c:5073 [inline] hardirqs last enabled at (30445): [] finish_task_switch.isra.0+0x1a8/0x854 kernel/sched/core.c:5191 hardirqs last disabled at (30444): [] __schedule+0x2e8/0x3180 kernel/sched/core.c:6813 softirqs last enabled at (30420): [] softirq_handle_end kernel/softirq.c:468 [inline] softirqs last enabled at (30420): [] handle_softirqs+0x88c/0xdb4 kernel/softirq.c:650 softirqs last disabled at (30107): [] __do_softirq+0x14/0x20 kernel/softirq.c:656 ---[ end trace 0000000000000000 ]--- ------------[ cut here ]------------ WARNING: CPU: 0 PID: 20759 at net/xfrm/xfrm_state.c:3306 xfrm_state_fini+0x1e8/0x330 net/xfrm/xfrm_state.c:3318 Modules linked in: CPU: 0 UID: 0 PID: 20759 Comm: kworker/u8:6 Tainted: G B W syzkaller #0 PREEMPT Tainted: [B]=BAD_PAGE, [W]=WARN Hardware name: linux,dummy-virt (DT) Workqueue: netns cleanup_net pstate: 80000005 (Nzcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : xfrm_state_fini+0x1e8/0x330 net/xfrm/xfrm_state.c:3306 lr : xfrm_state_fini+0x4c/0x330 net/xfrm/xfrm_state.c:3304 sp : ffff80008e2978f0 x29: ffff80008e2978f0 x28: dfff800000000000 x27: ffff800088a5db00 x26: ffff800088bd9480 x25: ffff700011c52f5c x24: ffff0000171e0000 x23: ffff800088a5db00 x22: ffff80008e297ae0 x21: ffff800088bd94a0 x20: ffff0000171e1240 x19: ffff0000171e0000 x18: ffff80008e296e8c x17: ffff8000871defc0 x16: ffff00006a053504 x15: ffff00000e3a0a00 x14: 1fffe00001c74164 x13: 0000000000000000 x12: ffff700011c52eb9 x11: 1ffff00011c52eb8 x10: ffff700011c52eb8 x9 : dfff800000000000 x8 : ffff80008e2975c8 x7 : ffff80008e2976f0 x6 : ffff80008e297640 x5 : ffff80008e297628 x4 : 1fffe00002b0db71 x3 : 1fffe00002b0dbf8 x2 : 0000000000000000 x1 : 1fffe00002e3c248 x0 : ffff000023a2c118 Call trace: xfrm_state_fini+0x1e8/0x330 net/xfrm/xfrm_state.c:3318 (P) xfrm_net_exit+0x30/0x70 net/xfrm/xfrm_policy.c:4354 ops_exit_list net/core/net_namespace.c:199 [inline] ops_undo_list+0x1f4/0x71c net/core/net_namespace.c:252 cleanup_net+0x32c/0x73c net/core/net_namespace.c:695 process_one_work+0x7cc/0x18d4 kernel/workqueue.c:3263 process_scheduled_works kernel/workqueue.c:3346 [inline] worker_thread+0x734/0xb84 kernel/workqueue.c:3427 kthread+0x348/0x5fc kernel/kthread.c:463 ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:860 irq event stamp: 30445 hardirqs last enabled at (30445): [] raw_spin_rq_unlock_irq kernel/sched/sched.h:1559 [inline] hardirqs last enabled at (30445): [] finish_lock_switch kernel/sched/core.c:5073 [inline] hardirqs last enabled at (30445): [] finish_task_switch.isra.0+0x1a8/0x854 kernel/sched/core.c:5191 hardirqs last disabled at (30444): [] __schedule+0x2e8/0x3180 kernel/sched/core.c:6813 softirqs last enabled at (30420): [] softirq_handle_end kernel/softirq.c:468 [inline] softirqs last enabled at (30420): [] handle_softirqs+0x88c/0xdb4 kernel/softirq.c:650 softirqs last disabled at (30107): [] __do_softirq+0x14/0x20 kernel/softirq.c:656 ---[ end trace 0000000000000000 ]--- bond0 (unregistering): (slave bond_slave_0): Releasing backup interface bond0 (unregistering): (slave bond_slave_1): Releasing backup interface bond0 (unregistering): Released all slaves hsr_slave_0: left promiscuous mode hsr_slave_1: left promiscuous mode