==================================================================
BUG: KASAN: slab-out-of-bounds in atomic_read include/asm-generic/atomic-instrumented.h:26 [inline]
BUG: KASAN: slab-out-of-bounds in atomic_fetch_add_unless include/linux/atomic-fallback.h:1086 [inline]
BUG: KASAN: slab-out-of-bounds in atomic_add_unless include/linux/atomic-fallback.h:1111 [inline]
BUG: KASAN: slab-out-of-bounds in atomic_inc_not_zero include/linux/atomic-fallback.h:1127 [inline]
BUG: KASAN: slab-out-of-bounds in dst_hold_safe include/net/dst.h:297 [inline]
BUG: KASAN: slab-out-of-bounds in ip6_hold_safe+0xad/0x380 net/ipv6/route.c:1046
Read of size 4 at addr ffff888096fd093c by task kworker/0:3/12460

CPU: 0 PID: 12460 Comm: kworker/0:3 Not tainted 5.2.0-rc3+ #15
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: events rt6_probe_deferred
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x172/0x1f0 lib/dump_stack.c:113
 print_address_description.cold+0x7c/0x20d mm/kasan/report.c:188
 __kasan_report.cold+0x1b/0x40 mm/kasan/report.c:317
 kasan_report+0x12/0x20 mm/kasan/common.c:614
 check_memory_region_inline mm/kasan/generic.c:185 [inline]
 check_memory_region+0x123/0x190 mm/kasan/generic.c:191
 kasan_check_read+0x11/0x20 mm/kasan/common.c:94
 atomic_read include/asm-generic/atomic-instrumented.h:26 [inline]
 atomic_fetch_add_unless include/linux/atomic-fallback.h:1086 [inline]
 atomic_add_unless include/linux/atomic-fallback.h:1111 [inline]
 atomic_inc_not_zero include/linux/atomic-fallback.h:1127 [inline]
 dst_hold_safe include/net/dst.h:297 [inline]
 ip6_hold_safe+0xad/0x380 net/ipv6/route.c:1046
 rt6_get_pcpu_route net/ipv6/route.c:1273 [inline]
 ip6_pol_route+0x339/0x10f0 net/ipv6/route.c:1952
 ip6_pol_route_input+0x65/0x80 net/ipv6/route.c:1971
 fib6_rule_lookup+0x133/0x5a0 net/ipv6/fib6_rules.c:116
 ip6_route_input_lookup+0xb7/0xd0 net/ipv6/route.c:1983
 ip6_route_input+0x5e2/0x9e0 net/ipv6/route.c:2118
 ip6_rcv_finish_core.isra.0+0x174/0x590 net/ipv6/ip6_input.c:63
 ip6_rcv_finish+0x17a/0x310 net/ipv6/ip6_input.c:74
 NF_HOOK include/linux/netfilter.h:305 [inline]
 NF_HOOK include/linux/netfilter.h:299 [inline]
 ipv6_rcv+0x10e/0x420 net/ipv6/ip6_input.c:272
 __netif_receive_skb_one_core+0x113/0x1a0 net/core/dev.c:4981
 __netif_receive_skb+0x2c/0x1d0 net/core/dev.c:5095
 process_backlog+0x206/0x750 net/core/dev.c:5906
 napi_poll net/core/dev.c:6329 [inline]
 net_rx_action+0x4f5/0x1070 net/core/dev.c:6395
 __do_softirq+0x25c/0x94c kernel/softirq.c:293
 do_softirq_own_stack+0x2a/0x40 arch/x86/entry/entry_64.S:1040
 do_softirq.part.0+0x11a/0x170 kernel/softirq.c:338
 do_softirq kernel/softirq.c:330 [inline]
 __local_bh_enable_ip+0x211/0x270 kernel/softirq.c:190
 local_bh_enable include/linux/bottom_half.h:32 [inline]
 rcu_read_unlock_bh include/linux/rcupdate.h:682 [inline]
 ip6_finish_output2+0x10a0/0x2550 net/ipv6/ip6_output.c:117
 ip6_finish_output+0x56d/0xc20 net/ipv6/ip6_output.c:150
 NF_HOOK_COND include/linux/netfilter.h:294 [inline]
 ip6_output+0x235/0x7f0 net/ipv6/ip6_output.c:167
 dst_output include/net/dst.h:433 [inline]
 NF_HOOK include/linux/netfilter.h:305 [inline]
 ndisc_send_skb+0xf29/0x14a0 net/ipv6/ndisc.c:504
 ndisc_send_ns+0x3a9/0x850 net/ipv6/ndisc.c:646
 rt6_probe_deferred+0xe3/0x1a0 net/ipv6/route.c:539
 process_one_work+0x989/0x1790 kernel/workqueue.c:2269
 worker_thread+0x98/0xe40 kernel/workqueue.c:2415
 kthread+0x354/0x420 kernel/kthread.c:255
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352

Allocated by task 25473:
 save_stack+0x23/0x90 mm/kasan/common.c:71
 set_track mm/kasan/common.c:79 [inline]
 __kasan_kmalloc mm/kasan/common.c:489 [inline]
 __kasan_kmalloc.constprop.0+0xcf/0xe0 mm/kasan/common.c:462
 kasan_kmalloc+0x9/0x10 mm/kasan/common.c:503
 __do_kmalloc_node mm/slab.c:3620 [inline]
 __kmalloc_node+0x4e/0x70 mm/slab.c:3627
 kmalloc_node include/linux/slab.h:590 [inline]
 __vmalloc_area_node mm/vmalloc.c:2368 [inline]
 __vmalloc_node_range+0x201/0x790 mm/vmalloc.c:2443
 __vmalloc_node mm/vmalloc.c:2498 [inline]
 __vmalloc_node_flags mm/vmalloc.c:2512 [inline]
 vmalloc+0x6b/0x90 mm/vmalloc.c:2537
 xt_compat_init_offsets+0x111/0x260 net/netfilter/x_tables.c:715
 compat_table_info+0xb5/0x500 net/ipv6/netfilter/ip6_tables.c:954
 compat_get_entries net/ipv6/netfilter/ip6_tables.c:1633 [inline]
 compat_do_ip6t_get_ctl+0x308/0x9a0 net/ipv6/netfilter/ip6_tables.c:1665
 compat_nf_sockopt net/netfilter/nf_sockopt.c:139 [inline]
 compat_nf_getsockopt+0x9b/0x140 net/netfilter/nf_sockopt.c:163
 compat_ipv6_getsockopt net/ipv6/ipv6_sockglue.c:1439 [inline]
 compat_ipv6_getsockopt+0x244/0x350 net/ipv6/ipv6_sockglue.c:1410
 inet_csk_compat_getsockopt+0x97/0x120 net/ipv4/inet_connection_sock.c:1037
 compat_tcp_getsockopt+0x4d/0x80 net/ipv4/tcp.c:3630
 compat_sock_common_getsockopt+0xb2/0x140 net/core/sock.c:3094
 __compat_sys_getsockopt+0x16c/0x2c0 net/compat.c:417
 __do_compat_sys_socketcall net/compat.c:790 [inline]
 __se_compat_sys_socketcall net/compat.c:718 [inline]
 __ia32_compat_sys_socketcall+0x5dc/0x710 net/compat.c:718
 do_syscall_32_irqs_on arch/x86/entry/common.c:337 [inline]
 do_fast_syscall_32+0x27b/0xd7d arch/x86/entry/common.c:408
 entry_SYSENTER_compat+0x70/0x7f arch/x86/entry/entry_64_compat.S:139

Freed by task 25473:
 save_stack+0x23/0x90 mm/kasan/common.c:71
 set_track mm/kasan/common.c:79 [inline]
 __kasan_slab_free+0x102/0x150 mm/kasan/common.c:451
 kasan_slab_free+0xe/0x10 mm/kasan/common.c:459
 __cache_free mm/slab.c:3432 [inline]
 kfree+0xcf/0x220 mm/slab.c:3755
 kvfree+0x61/0x70 mm/util.c:460
 __vunmap+0x7e9/0x9c0 mm/vmalloc.c:2212
 __vfree+0x41/0xd0 mm/vmalloc.c:2256
 vfree+0x5f/0x90 mm/vmalloc.c:2286
 xt_compat_flush_offsets+0xc0/0x1a0 net/netfilter/x_tables.c:673
 compat_get_entries net/ipv6/netfilter/ip6_tables.c:1640 [inline]
 compat_do_ip6t_get_ctl+0x32c/0x9a0 net/ipv6/netfilter/ip6_tables.c:1665
 compat_nf_sockopt net/netfilter/nf_sockopt.c:139 [inline]
 compat_nf_getsockopt+0x9b/0x140 net/netfilter/nf_sockopt.c:163
 compat_ipv6_getsockopt net/ipv6/ipv6_sockglue.c:1439 [inline]
 compat_ipv6_getsockopt+0x244/0x350 net/ipv6/ipv6_sockglue.c:1410
 inet_csk_compat_getsockopt+0x97/0x120 net/ipv4/inet_connection_sock.c:1037
 compat_tcp_getsockopt+0x4d/0x80 net/ipv4/tcp.c:3630
 compat_sock_common_getsockopt+0xb2/0x140 net/core/sock.c:3094
 __compat_sys_getsockopt+0x16c/0x2c0 net/compat.c:417
 __do_compat_sys_socketcall net/compat.c:790 [inline]
 __se_compat_sys_socketcall net/compat.c:718 [inline]
 __ia32_compat_sys_socketcall+0x5dc/0x710 net/compat.c:718
 do_syscall_32_irqs_on arch/x86/entry/common.c:337 [inline]
 do_fast_syscall_32+0x27b/0xd7d arch/x86/entry/common.c:408
 entry_SYSENTER_compat+0x70/0x7f arch/x86/entry/entry_64_compat.S:139

The buggy address belongs to the object at ffff888096fd0900
 which belongs to the cache kmalloc-32 of size 32
The buggy address is located 28 bytes to the right of
 32-byte region [ffff888096fd0900, ffff888096fd0920)
The buggy address belongs to the page:
page:ffffea00025bf400 refcount:1 mapcount:0 mapping:ffff8880aa4001c0 index:0xffff888096fd0fc1
flags: 0x1fffc0000000200(slab)
raw: 01fffc0000000200 ffffea00023e02c8 ffffea0002948708 ffff8880aa4001c0
raw: ffff888096fd0fc1 ffff888096fd0000 0000000100000036 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff888096fd0800: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
 ffff888096fd0880: fb fb fb fb fc fc fc fc 00 00 fc fc fc fc fc fc
>ffff888096fd0900: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
                                        ^
 ffff888096fd0980: fb fb fb fb fc fc fc fc 05 fc fc fc fc fc fc fc
 ffff888096fd0a00: 00 00 fc fc fc fc fc fc fb fb fb fb fc fc fc fc
==================================================================