================================================================== BUG: KASAN: slab-out-of-bounds in __ipv6_addr_type+0x26c/0x290 net/ipv6/addrconf_core.c:68 Read of size 4 at addr ffff8801bcabf8b8 by task syz-executor.1/30670 CPU: 0 PID: 30670 Comm: syz-executor.1 Not tainted 4.4.174+ #4 0000000000000000 69466c89c5ee45c6 ffff88019567eda0 ffffffff81aad1a1 0000000000000000 ffffea0006f2af00 ffff8801bcabf8b8 0000000000000004 ffff8801bcabf600 ffff88019567edd8 ffffffff81490120 0000000000000000 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xc1/0x120 lib/dump_stack.c:51 [] print_address_description+0x6f/0x21b mm/kasan/report.c:252 [] kasan_report_error mm/kasan/report.c:351 [inline] [] kasan_report mm/kasan/report.c:408 [inline] [] kasan_report.cold+0x8c/0x2be mm/kasan/report.c:393 [] __asan_report_load4_noabort+0x14/0x20 mm/kasan/report.c:428 [] __ipv6_addr_type+0x26c/0x290 net/ipv6/addrconf_core.c:68 [] ipv6_addr_type include/net/ipv6.h:330 [inline] [] ip6_tnl_xmit2+0x2ac/0x2320 net/ipv6/ip6_tunnel.c:988 [] ip4ip6_tnl_xmit net/ipv6/ip6_tunnel.c:1134 [inline] [] ip6_tnl_xmit+0xa09/0xe00 net/ipv6/ip6_tunnel.c:1212 [] __netdev_start_xmit include/linux/netdevice.h:3750 [inline] [] netdev_start_xmit include/linux/netdevice.h:3759 [inline] [] xmit_one net/core/dev.c:2781 [inline] [] dev_hard_start_xmit+0x7c1/0x11e0 net/core/dev.c:2797 [] __dev_queue_xmit+0x164b/0x1bb0 net/core/dev.c:3229 [] dev_queue_xmit+0x18/0x20 net/core/dev.c:3263 [] neigh_direct_output+0x16/0x20 net/core/neighbour.c:1369 [] dst_neigh_output include/net/dst.h:461 [inline] [] ip_finish_output2+0x6a2/0x1280 net/ipv4/ip_output.c:213 [] ip_finish_output+0x8b2/0xc60 net/ipv4/ip_output.c:288 [] NF_HOOK_COND include/linux/netfilter.h:240 [inline] [] ip_output+0x227/0x4c0 net/ipv4/ip_output.c:362 [] dst_output include/net/dst.h:498 [inline] [] ip_local_out+0x9c/0x180 net/ipv4/ip_output.c:119 [] ip_send_skb+0x3e/0xc0 net/ipv4/ip_output.c:1453 [] udp_send_skb+0x4fd/0xc70 net/ipv4/udp.c:842 [] udp_sendmsg+0x16cf/0x1c60 net/ipv4/udp.c:1072 [] udpv6_sendmsg+0x12f2/0x24f0 net/ipv6/udp.c:1173 [] inet_sendmsg+0x202/0x4d0 net/ipv4/af_inet.c:755 [] sock_sendmsg_nosec net/socket.c:638 [inline] [] sock_sendmsg+0xbe/0x110 net/socket.c:648 [] ___sys_sendmsg+0x769/0x890 net/socket.c:1975 [] __sys_sendmsg+0xc5/0x160 net/socket.c:2009 [] SYSC_sendmsg net/socket.c:2020 [inline] [] SyS_sendmsg+0x2d/0x50 net/socket.c:2016 [] entry_SYSCALL_64_fastpath+0x1e/0x9a Allocated by task 30670: [] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:63 [] save_stack mm/kasan/kasan.c:512 [inline] [] set_track mm/kasan/kasan.c:524 [inline] [] kasan_kmalloc.part.0+0x62/0xf0 mm/kasan/kasan.c:616 [] kasan_kmalloc+0xb7/0xd0 mm/kasan/kasan.c:601 [] __kmalloc+0x141/0x330 mm/slub.c:3613 [] kmalloc include/linux/slab.h:481 [inline] [] kzalloc include/linux/slab.h:620 [inline] [] neigh_alloc net/core/neighbour.c:285 [inline] [] __neigh_create+0x1d6/0x1b30 net/core/neighbour.c:457 [] neigh_create include/net/neighbour.h:313 [inline] [] ipv4_neigh_lookup+0x52e/0x6e0 net/ipv4/route.c:464 [] dst_neigh_lookup include/net/dst.h:466 [inline] [] ip6_tnl_xmit2+0x27b/0x2320 net/ipv6/ip6_tunnel.c:982 [] ip4ip6_tnl_xmit net/ipv6/ip6_tunnel.c:1134 [inline] [] ip6_tnl_xmit+0xa09/0xe00 net/ipv6/ip6_tunnel.c:1212 [] __netdev_start_xmit include/linux/netdevice.h:3750 [inline] [] netdev_start_xmit include/linux/netdevice.h:3759 [inline] [] xmit_one net/core/dev.c:2781 [inline] [] dev_hard_start_xmit+0x7c1/0x11e0 net/core/dev.c:2797 [] __dev_queue_xmit+0x164b/0x1bb0 net/core/dev.c:3229 [] dev_queue_xmit+0x18/0x20 net/core/dev.c:3263 [] neigh_direct_output+0x16/0x20 net/core/neighbour.c:1369 [] dst_neigh_output include/net/dst.h:461 [inline] [] ip_finish_output2+0x6a2/0x1280 net/ipv4/ip_output.c:213 [] ip_finish_output+0x8b2/0xc60 net/ipv4/ip_output.c:288 [] NF_HOOK_COND include/linux/netfilter.h:240 [inline] [] ip_output+0x227/0x4c0 net/ipv4/ip_output.c:362 [] dst_output include/net/dst.h:498 [inline] [] ip_local_out+0x9c/0x180 net/ipv4/ip_output.c:119 [] ip_send_skb+0x3e/0xc0 net/ipv4/ip_output.c:1453 [] udp_send_skb+0x4fd/0xc70 net/ipv4/udp.c:842 [] udp_sendmsg+0x16cf/0x1c60 net/ipv4/udp.c:1072 [] udpv6_sendmsg+0x12f2/0x24f0 net/ipv6/udp.c:1173 [] inet_sendmsg+0x202/0x4d0 net/ipv4/af_inet.c:755 [] sock_sendmsg_nosec net/socket.c:638 [inline] [] sock_sendmsg+0xbe/0x110 net/socket.c:648 [] ___sys_sendmsg+0x769/0x890 net/socket.c:1975 [] __sys_sendmsg+0xc5/0x160 net/socket.c:2009 [] SYSC_sendmsg net/socket.c:2020 [inline] [] SyS_sendmsg+0x2d/0x50 net/socket.c:2016 [] entry_SYSCALL_64_fastpath+0x1e/0x9a Freed by task 0: (stack is not available) The buggy address belongs to the object at ffff8801bcabf600 which belongs to the cache kmalloc-1024 of size 1024 The buggy address is located 696 bytes inside of 1024-byte region [ffff8801bcabf600, ffff8801bcabfa00) The buggy address belongs to the page: kasan: CONFIG_KASAN_INLINE enabled kasan: GPF could be caused by NULL-ptr deref or user memory accessgeneral protection fault: 0000 [#1] PREEMPT SMP KASAN Modules linked in: CPU: 1 PID: 30200 Comm: syz-executor.4 Not tainted 4.4.174+ #4 task: ffff880093cd8000 task.stack: ffff8800ac408000 RIP: 0010:[] [] vm_start_gap include/linux/mm.h:2036 [inline] RIP: 0010:[] [] vma_compute_subtree_gap+0x22/0x1f0 mm/mmap.c:380 RSP: 0018:ffff8800ac40fba0 EFLAGS: 00010206 RAX: dffffc0000000000 RBX: 000000000070bfe0 RCX: ffff880194c22d40 RDX: 00000000000e17fc RSI: ffffffff81440921 RDI: 000000000070bfe0 RBP: ffff8800ac40fbb8 R08: 0000000000000002 R09: 0000000000000001 R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000400000 R13: dffffc0000000000 R14: ffff880194c22d60 R15: ffff880194c22d40 FS: 000000000171a940(0063) GS:ffff8801db700000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000a5048d CR3: 00000001c2f98000 CR4: 00000000001606b0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Stack: 000000000070c000 0000000000400000 dffffc0000000000 ffff8800ac40fbe0 ffffffff81440bd1 ffff8801d6e5ca80 ffff880194c22d40 ffff880194c22d48 ffff8800ac40fc18 ffffffff81443645 ffff880194c22d40 ffff8801d6e5ca80 Call Trace: [] vma_gap_callbacks_propagate mm/mmap.c:506 [inline] [] vma_gap_update+0x51/0x90 mm/mmap.c:520 [] __vma_link_rb+0x125/0x1f0 mm/mmap.c:662 [] dup_mmap kernel/fork.c:512 [inline] [] dup_mm kernel/fork.c:985 [inline] [] copy_mm kernel/fork.c:1039 [inline] [] copy_process+0x4340/0x68a0 kernel/fork.c:1519 [] _do_fork+0x14e/0xdc0 kernel/fork.c:1806 [] SYSC_clone kernel/fork.c:1917 [inline] [] SyS_clone+0x37/0x50 kernel/fork.c:1911 [] tracesys+0x88/0x8d Code: c0 5d 48 0f 48 c2 c3 66 90 55 48 89 e5 41 55 41 54 53 48 89 fb e8 cf 8c ec ff 48 89 da 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 <80> 3c 02 00 0f 85 80 01 00 00 48 8d 7b 50 4c 8b 23 48 b8 00 00 RIP [] vm_start_gap include/linux/mm.h:2036 [inline] RIP [] vma_compute_subtree_gap+0x22/0x1f0 mm/mmap.c:380 RSP kasan: CONFIG_KASAN_INLINE enabled kasan: GPF could be caused by NULL-ptr deref or user memory accessgeneral protection fault: 0000 [#2] PREEMPT SMP KASAN Modules linked in: CPU: 1 PID: 1920 Comm: rsyslogd Tainted: G D 4.4.174+ #4 task: ffff8800b936df00 task.stack: ffff8800b8e08000 RIP: 0010:[] [] find_stack lib/stackdepot.c:174 [inline] RIP: 0010:[] [] depot_save_stack+0x15f/0x5f0 lib/stackdepot.c:225 RSP: 0018:ffff8800b8e0f328 EFLAGS: 00010093 RAX: ffff8800b936df00 RBX: 000000008539d65a RCX: 000000009d4c2b05 RDX: 0000000000000000 RSI: ffffffff81b46cff RDI: ffff8800b8e0f390 RBP: ffff8800b8e0f380 R08: ffff8800b8e0f390 R09: 0000000000000000 R10: 0000000000000000 R11: ffffffff831a5078 R12: 4000000000004080 R13: 000000000009d65a R14: 00000000000000d0 R15: ffff8800b8e0f474 FS: 00007fe97e0cb700(0000) GS:ffff8801db700000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000a5048d CR3: 00000001d7271000 CR4: 00000000001606b0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Stack: 0208922000000046 ffff8800b8e0f3a8 ffff8800b8e0f390 ffff88000000001a 0000000000000000 3992ac10e5beed54 ffff88009c75dc68 0000000002089220 ffff88009c75dc40 0000000000000000 ffff8801da402a00 ffff8800b8e0f5b8 Call Trace: [] save_stack mm/kasan/kasan.c:518 [inline] [] set_track mm/kasan/kasan.c:524 [inline] [] kasan_kmalloc.part.0+0xc6/0xf0 mm/kasan/kasan.c:616 [] kasan_kmalloc+0xb7/0xd0 mm/kasan/kasan.c:601 [] kasan_slab_alloc+0xf/0x20 mm/kasan/kasan.c:554 [] slab_post_alloc_hook mm/slub.c:1349 [inline] [] slab_alloc_node mm/slub.c:2615 [inline] [] slab_alloc mm/slub.c:2623 [inline] [] kmem_cache_alloc+0xdc/0x2c0 mm/slub.c:2628 [] kmem_cache_zalloc include/linux/slab.h:610 [inline] [] fill_pool lib/debugobjects.c:99 [inline] [] __debug_object_init+0x5bc/0x880 lib/debugobjects.c:315 [] debug_object_init+0x16/0x20 lib/debugobjects.c:367 [] rcuhead_fixup_activate kernel/rcu/update.c:381 [inline] [] rcuhead_fixup_activate+0x23/0x40 kernel/rcu/update.c:370 [] debug_object_fixup lib/debugobjects.c:279 [inline] [] debug_object_activate+0x29a/0x470 lib/debugobjects.c:442 [] debug_rcu_head_queue kernel/rcu/rcu.h:75 [inline] [] __call_rcu.constprop.0+0x35/0x930 kernel/rcu/tree.c:3059 [] call_rcu+0x12/0x20 kernel/rcu/tree_plugin.h:662 [] avc_node_delete+0xc0/0x100 security/selinux/avc.c:494 [] avc_reclaim_node security/selinux/avc.c:531 [inline] [] avc_alloc_node security/selinux/avc.c:559 [inline] [] avc_alloc_node+0x290/0x3c0 security/selinux/avc.c:547 [] avc_insert security/selinux/avc.c:670 [inline] [] avc_compute_av+0x182/0x610 security/selinux/avc.c:976 [] avc_has_perm_noaudit security/selinux/avc.c:1112 [inline] [] avc_has_perm+0x355/0x3a0 security/selinux/avc.c:1146 [] task_has_system+0x159/0x230 security/selinux/hooks.c:1591 [] selinux_syslog security/selinux/hooks.c:2128 [inline] [] selinux_syslog+0x35/0xa0 security/selinux/hooks.c:2107 [] security_syslog+0x73/0xb0 security/security.c:208 [] check_syslog_permissions+0x5b/0xb0 kernel/printk/printk.c:525 [] do_syslog+0x95/0xaf0 kernel/printk/printk.c:1312 [] kmsg_read+0x74/0xa0 fs/proc/kmsg.c:39 [] proc_reg_read+0xfd/0x180 fs/proc/inode.c:202 [] __vfs_read+0x116/0x3c0 fs/read_write.c:434 [] vfs_read+0x134/0x360 fs/read_write.c:456 [] SYSC_read fs/read_write.c:571 [inline] [] SyS_read+0xdc/0x1c0 fs/read_write.c:564 [] entry_SYSCALL_64_fastpath+0x1e/0x9a Code: 00 00 e8 15 29 7c ff 48 63 45 c0 48 c1 e0 03 49 89 c6 eb 12 e8 03 29 7c ff 4d 8b 24 24 4d 85 e4 0f 84 8e 00 00 00 e8 f1 28 7c ff <41> 3b 5c 24 08 75 e2 e8 e5 28 7c ff 8b 45 c0 41 3b 44 24 0c 75 RIP [] find_stack lib/stackdepot.c:174 [inline] RIP [] depot_save_stack+0x15f/0x5f0 lib/stackdepot.c:225 RSP ---[ end trace 1d08dbcf5db579ea ]---