Warning: Permanently added '10.128.0.138' (ECDSA) to the list of known hosts. executing program executing program syzkaller login: [ 50.818562] ================================================================== [ 50.826252] BUG: KASAN: slab-out-of-bounds in ip6_tnl_xmit2+0x1f95/0x2320 [ 50.833612] Read of size 16 at addr ffff8801d6cdf430 by task syz-executor162/2232 [ 50.841222] [ 50.843464] CPU: 0 PID: 2232 Comm: syz-executor162 Not tainted 4.4.174+ #4 [ 50.850513] 0000000000000000 7dfc489a1df6fa71 ffff8801d287edd0 ffffffff81aad1a1 [ 50.858889] 0000000000000000 ffffea00075b3700 ffff8801d6cdf430 0000000000000010 [ 50.866948] ffff8801d6cdf180 ffff8801d287ee08 ffffffff81490120 0000000000000000 [ 50.875273] Call Trace: [ 50.877862] [] dump_stack+0xc1/0x120 [ 50.883216] [] print_address_description+0x6f/0x21b [ 50.889873] [] kasan_report.cold+0x8c/0x2be [ 50.895994] [] ? ip6_tnl_xmit2+0x1f95/0x2320 [ 50.902116] [] __asan_report_load_n_noabort+0xf/0x20 [ 50.909229] [] ip6_tnl_xmit2+0x1f95/0x2320 [ 50.915107] [] ? nf_conntrack_tuple_taken+0x656/0x900 [ 50.921940] [] ? nf_conntrack_tuple_taken+0x7e/0x900 [ 50.928874] [] ? ip6_tnl_create2+0x2d0/0x2d0 [ 50.934967] [] ? __lock_acquire+0xa4f/0x4f50 [ 50.941129] [] ? depot_save_stack+0x1c3/0x5f0 [ 50.947260] [] ? debug_lockdep_rcu_enabled+0x71/0xa0 [ 50.954131] [] ? trace_hardirqs_on+0x10/0x10 [ 50.960344] [] ? make_kuid+0xf0/0x180 [ 50.965789] [] ip6_tnl_xmit+0xa09/0xe00 [ 50.971437] [] ? ip6ip6_dscp_ecn_decapsulate+0x790/0x790 [ 50.978547] [] dev_hard_start_xmit+0x7c1/0x11e0 [ 50.985027] [] __dev_queue_xmit+0x164b/0x1bb0 [ 50.991166] [] ? __dev_queue_xmit+0x1d7/0x1bb0 [ 50.997476] [] ? trace_hardirqs_on+0x10/0x10 [ 51.003565] [] ? netdev_pick_tx+0x2f0/0x2f0 [ 51.009526] [] ? nf_ct_deliver_cached_events+0x393/0x5f0 [ 51.016673] [] ? nf_ct_deliver_cached_events+0x8a/0x5f0 [ 51.023718] [] ? __local_bh_enable_ip+0x6a/0xe0 [ 51.030041] [] ? check_preemption_disabled+0x3c/0x200 [ 51.036920] [] ? check_preemption_disabled+0x3c/0x200 [ 51.043791] [] dev_queue_xmit+0x18/0x20 [ 51.049412] [] neigh_direct_output+0x16/0x20 [ 51.055660] [] ip_finish_output2+0x6a2/0x1280 [ 51.062040] [] ? ip_finish_output2+0x20b/0x1280 [ 51.068522] [] ? nf_hook_slow+0x1dc/0x340 [ 51.074337] [] ? ip_send_check+0xb0/0xb0 [ 51.080167] [] ? nf_iterate+0x220/0x220 [ 51.085778] [] ip_finish_output+0x8b2/0xc60 [ 51.091835] [] ip_output+0x227/0x4c0 [ 51.097435] [] ? ip_mc_output+0xae0/0xae0 [ 51.103305] [] ? ip_make_skb+0x116/0x210 [ 51.109296] [] ? ip_fragment.constprop.0+0x200/0x200 [ 51.116107] [] ? ip_flush_pending_frames+0x30/0x30 [ 51.122676] [] ip_local_out+0x9c/0x180 [ 51.128734] [] ip_send_skb+0x3e/0xc0 [ 51.134156] [] udp_send_skb+0x4fd/0xc70 [ 51.139845] [] udp_sendmsg+0x16cf/0x1c60 [ 51.145726] [] ? ip_reply_glue_bits+0xc0/0xc0 [ 51.151865] [] ? udp_lib_unhash+0x630/0x630 [ 51.157836] [] ? debug_lockdep_rcu_enabled+0x71/0xa0 [ 51.164582] [] ? debug_lockdep_rcu_enabled+0x71/0xa0 [ 51.171690] [] ? avc_has_perm+0x164/0x3a0 [ 51.177593] [] ? avc_has_perm+0x1d2/0x3a0 [ 51.183406] [] ? avc_has_perm+0xac/0x3a0 [ 51.189208] [] udpv6_sendmsg+0x12f2/0x24f0 [ 51.195081] [] ? __lock_acquire+0xa4f/0x4f50 [ 51.201292] [] ? check_preemption_disabled+0x3c/0x200 [ 51.208137] [] ? udp_v6_flush_pending_frames+0xe0/0xe0 [ 51.215050] [] ? sock_has_perm+0x2a8/0x400 [ 51.221036] [] ? sock_has_perm+0xa6/0x400 [ 51.226932] [] ? selinux_msg_queue_alloc_security+0x2e0/0x2e0 [ 51.234575] [] ? __do_page_fault+0x33f/0x7f0 [ 51.240736] [] ? debug_lockdep_rcu_enabled+0x71/0xa0 [ 51.247822] [] ? check_preemption_disabled+0x3c/0x200 [ 51.254889] [] ? check_preemption_disabled+0x3c/0x200 [ 51.261721] [] ? inet_sendmsg+0x143/0x4d0 [ 51.267504] [] inet_sendmsg+0x202/0x4d0 [ 51.273391] [] ? inet_sendmsg+0x76/0x4d0 [ 51.279270] [] ? inet_recvmsg+0x4d0/0x4d0 [ 51.285265] [] sock_sendmsg+0xbe/0x110 [ 51.290806] [] ___sys_sendmsg+0x769/0x890 [ 51.296760] [] ? copy_msghdr_from_user+0x550/0x550 [ 51.303336] [] ? __alloc_pages_direct_compact+0x220/0x220 [ 51.311327] [] ? prandom_u32+0x74/0xa0 [ 51.316916] [] ? debug_lockdep_rcu_enabled+0x71/0xa0 [ 51.323758] [] ? check_preemption_disabled+0x3c/0x200 [ 51.331310] [] ? check_preemption_disabled+0x3c/0x200 [ 51.338148] [] ? __local_bh_enable_ip+0x6a/0xe0 [ 51.344569] [] ? debug_lockdep_rcu_enabled+0x71/0xa0 [ 51.351356] [] ? __fget_light+0xa3/0x1f0 [ 51.357058] [] ? __fdget+0x1b/0x20 [ 51.362237] [] __sys_sendmsg+0xc5/0x160 [ 51.367891] [] ? SyS_shutdown+0x1a0/0x1a0 [ 51.373875] [] ? retint_user+0x18/0x3c [ 51.380468] [] ? trace_hardirqs_on_caller+0x385/0x5a0 [ 51.387319] [] SyS_sendmsg+0x2d/0x50 [ 51.392752] [] entry_SYSCALL_64_fastpath+0x1e/0x9a [ 51.399324] [ 51.400941] Allocated by task 2232: [ 51.404546] [] save_stack_trace+0x26/0x50 [ 51.410526] [] kasan_kmalloc.part.0+0x62/0xf0 [ 51.416802] [] kasan_kmalloc+0xb7/0xd0 [ 51.422701] [] __kmalloc+0x141/0x330 [ 51.428671] [] __neigh_create+0x1d6/0x1b30 [ 51.434826] [] ipv4_neigh_lookup+0x52e/0x6e0 [ 51.441006] [] ip6_tnl_xmit2+0x27b/0x2320 [ 51.446931] [] ip6_tnl_xmit+0xa09/0xe00 [ 51.452845] [] dev_hard_start_xmit+0x7c1/0x11e0 [ 51.459568] [] __dev_queue_xmit+0x164b/0x1bb0 [ 51.465935] [] dev_queue_xmit+0x18/0x20 [ 51.471777] [] neigh_direct_output+0x16/0x20 [ 51.478592] [] ip_finish_output2+0x6a2/0x1280 [ 51.485058] [] ip_finish_output+0x8b2/0xc60 [ 51.491673] [] ip_output+0x227/0x4c0 [ 51.497184] [] ip_local_out+0x9c/0x180 [ 51.503794] [] ip_send_skb+0x3e/0xc0 [ 51.509361] [] udp_send_skb+0x4fd/0xc70 [ 51.515254] [] udp_sendmsg+0x16cf/0x1c60 [ 51.521132] [] udpv6_sendmsg+0x12f2/0x24f0 [ 51.527310] [] inet_sendmsg+0x202/0x4d0 [ 51.533696] [] sock_sendmsg+0xbe/0x110 [ 51.539499] [] ___sys_sendmsg+0x769/0x890 [ 51.545662] [] __sys_sendmsg+0xc5/0x160 [ 51.551674] [] SyS_sendmsg+0x2d/0x50 [ 51.557238] [] entry_SYSCALL_64_fastpath+0x1e/0x9a [ 51.564113] [ 51.565730] Freed by task 469: [ 51.569047] [] save_stack_trace+0x26/0x50 [ 51.576101] [] kasan_slab_free+0xb0/0x190 [ 51.582629] [] kfree+0xf4/0x310 [ 51.587990] [] skb_release_data+0x2e6/0x380 [ 51.594242] [] skb_release_all+0x4d/0x60 [ 51.600395] [] consume_skb+0xf3/0x3f0 [ 51.606848] [] skb_free_datagram+0x1b/0xf0 [ 51.613100] [] netlink_recvmsg+0x585/0xcf0 [ 51.619140] [] sock_recvmsg+0x8f/0xc0 [ 51.625360] [] ___sys_recvmsg+0x257/0x530 [ 51.631449] [] __sys_recvmsg+0xc5/0x160 [ 51.637342] [] SyS_recvmsg+0x2d/0x50 [ 51.642837] [] entry_SYSCALL_64_fastpath+0x1e/0x9a [ 51.649597] [ 51.651208] The buggy address belongs to the object at ffff8801d6cdf180 [ 51.651208] which belongs to the cache kmalloc-1024 of size 1024 [ 51.664373] The buggy address is located 688 bytes inside of [ 51.664373] 1024-byte region [ffff8801d6cdf180, ffff8801d6cdf580) [ 51.676449] The buggy address belongs to the page: [ 51.688479] BUG: unable to handle kernel paging request at fffffbfff7be8088 [ 51.695962] IP: [] kick_process+0xdc/0x1d0 [ 51.702054] PGD 21ff68067 PUD 21ff67067 PMD 0 [ 51.707102] Oops: 0000 [#1] PREEMPT SMP KASAN [ 51.712193] Modules linked in: [ 51.715536] CPU: 1 PID: 2085 Comm: syz-executor162 Not tainted 4.4.174+ #4 [ 51.722545] task: ffff8801d4982f80 task.stack: ffff8800b6960000 [ 51.728614] RIP: 0010:[] [] kick_process+0xdc/0x1d0 [ 51.737030] RSP: 0000:ffff8800b69677f8 EFLAGS: 00010806 [ 51.742487] RAX: dffffc0000000000 RBX: ffff8800b58ac740 RCX: 0000000000000000 [ 51.749765] RDX: 1ffffffff7be8088 RSI: ffffffff81b0abec RDI: ffffffffbdf40440 [ 51.757150] RBP: ffff8800b6967818 R08: 0000000000000001 R09: 0000000000000001 [ 51.764426] R10: 0000000000000000 R11: 0000000000000000 R12: 000000000001e880 [ 51.771709] R13: 00000000075b3700 R14: 00000000075b3700 R15: ffff8801d2f60000 [ 51.779345] FS: 0000000000000000(0000) GS:ffff8801db700000(0000) knlGS:0000000000000000 [ 51.787584] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 51.793493] CR2: fffffbfff7be8088 CR3: 0000000002e0a000 CR4: 00000000001606b0 [ 51.800769] Stack: [ 51.802930] 0000000000000081 ffff8800b58ac740 dffffc0000000000 0000000000000100 [ 51.811032] ffff8800b6967838 ffffffff810f877f ffff8800b58ac740 ffff8800b58ac740 [ 51.819121] ffff8800b6967890 ffffffff810f9ce2 0000000000000000 0000000000000000 [ 51.827356] Call Trace: [ 51.829958] [] signal_wake_up_state+0x5f/0x70 [ 51.836109] [] complete_signal+0x632/0x7b0 [ 51.842003] [] ? __lock_task_sighand+0x118/0x480 [ 51.848525] [] __send_signal+0x597/0x12a0 [ 51.854502] [] send_signal+0x49/0xc0 [ 51.859871] [] do_send_sig_info+0xa4/0x130 [ 51.865786] [] ? kill_pid_info_as_cred+0x540/0x540 [ 51.872371] [] send_sig_info+0x36/0x60 [ 51.878008] [] zap_pid_ns_processes+0x1cb/0x640 [ 51.884345] [] ? zap_pid_ns_processes+0x228/0x640 [ 51.891002] [] ? copy_pid_ns+0x990/0x990 [ 51.896727] [] ? trace_hardirqs_on_caller+0x385/0x5a0 [ 51.903578] [] do_exit+0x236f/0x2c60 [ 51.909126] [] ? rcu_read_lock_sched_held+0x10b/0x130 [ 51.915988] [] ? release_task+0x14a0/0x14a0 [ 51.921965] [] ? debug_lockdep_rcu_enabled+0x71/0xa0 [ 51.928908] [] do_group_exit+0x111/0x300 [ 51.934629] [] get_signal+0x517/0x1570 [ 51.940366] [] ? _raw_spin_unlock_irqrestore+0x5a/0x70 [ 51.947300] [] do_signal+0x9c/0x1840 [ 51.952703] [] ? force_sig_info_fault.constprop.0+0xd0/0x110 [ 51.960170] [] ? setup_sigcontext+0x780/0x780 [ 51.966318] [] ? amd_set_subcaches+0x710/0x810 [ 51.972553] [] ? spurious_fault+0x380/0x380 [ 51.978561] [] ? debug_lockdep_rcu_enabled+0x10/0xa0 [ 51.985325] [] ? amd_set_subcaches+0x710/0x810 [ 51.991563] [] ? __bad_area_nosemaphore+0x22a/0x3f0 [ 51.998343] [] ? exit_to_usermode_loop+0xf2/0x170 [ 52.004857] [] exit_to_usermode_loop+0x127/0x170 [ 52.011367] [] prepare_exit_to_usermode+0x15a/0x1e0 [ 52.018039] [] retint_user+0x8/0x3c [ 52.023324] Code: 04 02 84 c0 74 08 3c 03 0f 8e be 00 00 00 48 b8 00 00 00 00 00 fc ff df 45 8b 6d 10 4a 8d 3c ed 40 4c 1a 83 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 b8 00 00 00 4e 03 24 ed 40 4c 1a 83 48 b8 00 [ 52.051957] RIP [] kick_process+0xdc/0x1d0 [ 52.058003] RSP [ 52.061627] CR2: fffffbfff7be8088 [ 52.065093] ---[ end trace 8ccbe7e050134cf0 ]--- [ 52.069850] Kernel panic - not syncing: Fatal exception [ 53.213465] Shutting down cpus with NMI [ 53.217887] Kernel Offset: disabled [ 53.221507] Rebooting in 86400 seconds..