IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
==================================================================
BUG: KASAN: slab-out-of-bounds in ip6_tnl_xmit2+0x2043/0x20d0 net/ipv6/ip6_tunnel.c:987
Read of size 16 at addr ffff8801d7b8d030 by task syz-executor0/4150

CPU: 1 PID: 4150 Comm: syz-executor0 Not tainted 4.4.128-gbd23e3a #19
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 0000000000000000 54c227b52dec9696 ffff8801d78b6f90 ffffffff81e0daad
 ffffea00075ee300 ffff8801d7b8d030 0000000000000000 ffff8801d7b8d038
 ffff8800bb84a200 ffff8801d78b6fc8 ffffffff815150ac ffff8801d7b8d030
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x124 lib/dump_stack.c:51
 [] print_address_description+0x6c/0x216 mm/kasan/report.c:252
 [] kasan_report_error mm/kasan/report.c:351 [inline]
 [] kasan_report.cold.7+0x175/0x2f7 mm/kasan/report.c:408
 [] __asan_report_load_n_noabort+0xf/0x20 mm/kasan/report.c:439
 [] ip6_tnl_xmit2+0x2043/0x20d0 net/ipv6/ip6_tunnel.c:987
 [] ip4ip6_tnl_xmit net/ipv6/ip6_tunnel.c:1129 [inline]
 [] ip6_tnl_xmit+0x910/0xc60 net/ipv6/ip6_tunnel.c:1203
 [] __netdev_start_xmit include/linux/netdevice.h:3743 [inline]
 [] netdev_start_xmit include/linux/netdevice.h:3752 [inline]
 [] xmit_one net/core/dev.c:2759 [inline]
 [] dev_hard_start_xmit+0x7b1/0x11c0 net/core/dev.c:2775
 [] __dev_queue_xmit+0x16c0/0x1c80 net/core/dev.c:3207
 [] dev_queue_xmit+0x17/0x20 net/core/dev.c:3241
 [] neigh_direct_output+0x15/0x20 net/core/neighbour.c:1358
 [] dst_neigh_output include/net/dst.h:461 [inline]
 [] ip_finish_output2+0x6ab/0x1110 net/ipv4/ip_output.c:213
 [] ip_do_fragment+0x198b/0x2150 net/ipv4/ip_output.c:633
 [] ip_fragment.constprop.50+0x143/0x200 net/ipv4/ip_output.c:503
 [] ip_finish_output+0x6c4/0xbc0 net/ipv4/ip_output.c:286
 [] NF_HOOK_COND include/linux/netfilter.h:240 [inline]
 [] ip_mc_output+0x233/0x980 net/ipv4/ip_output.c:347
 [] dst_output include/net/dst.h:498 [inline]
 [] ip_local_out+0x9b/0x180 net/ipv4/ip_output.c:119
 [] ip_send_skb+0x3c/0xc0 net/ipv4/ip_output.c:1450
 [] udp_send_skb+0x5c3/0xc60 net/ipv4/udp.c:842
 [] udp_sendmsg+0x16ce/0x1bb0 net/ipv4/udp.c:1070
 [] inet_sendmsg+0x203/0x4d0 net/ipv4/af_inet.c:755
 [] sock_sendmsg_nosec net/socket.c:625 [inline]
 [] sock_sendmsg+0xcc/0x110 net/socket.c:635
 [] SYSC_sendto+0x21c/0x370 net/socket.c:1665
 [] SyS_sendto+0x40/0x50 net/socket.c:1633
 [] do_syscall_32_irqs_on arch/x86/entry/common.c:392 [inline]
 [] do_fast_syscall_32+0x326/0x8b0 arch/x86/entry/common.c:459
 [] sysenter_flags_fixed+0xd/0x17

Allocated by task 4150:
 [] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:63
 [] save_stack+0x43/0xd0 mm/kasan/kasan.c:512
 [] set_track mm/kasan/kasan.c:524 [inline]
 [] kasan_kmalloc+0xc7/0xe0 mm/kasan/kasan.c:616
 [] __kmalloc+0x124/0x310 mm/slub.c:3613
 [] kmalloc include/linux/slab.h:481 [inline]
 [] kzalloc include/linux/slab.h:620 [inline]
 [] neigh_alloc net/core/neighbour.c:285 [inline]
 [] __neigh_create+0x1d6/0x1b20 net/core/neighbour.c:457
 [] neigh_create include/net/neighbour.h:313 [inline]
 [] ipv4_neigh_lookup+0x4dd/0x700 net/ipv4/route.c:464
 [] dst_neigh_lookup include/net/dst.h:466 [inline]
 [] ip6_tnl_xmit2+0x613/0x20d0 net/ipv6/ip6_tunnel.c:982
 [] ip4ip6_tnl_xmit net/ipv6/ip6_tunnel.c:1129 [inline]
 [] ip6_tnl_xmit+0x910/0xc60 net/ipv6/ip6_tunnel.c:1203
 [] __netdev_start_xmit include/linux/netdevice.h:3743 [inline]
 [] netdev_start_xmit include/linux/netdevice.h:3752 [inline]
 [] xmit_one net/core/dev.c:2759 [inline]
 [] dev_hard_start_xmit+0x7b1/0x11c0 net/core/dev.c:2775
 [] __dev_queue_xmit+0x16c0/0x1c80 net/core/dev.c:3207
 [] dev_queue_xmit+0x17/0x20 net/core/dev.c:3241
 [] neigh_direct_output+0x15/0x20 net/core/neighbour.c:1358
 [] dst_neigh_output include/net/dst.h:461 [inline]
 [] ip_finish_output2+0x6ab/0x1110 net/ipv4/ip_output.c:213
 [] ip_do_fragment+0x198b/0x2150 net/ipv4/ip_output.c:633
 [] ip_fragment.constprop.50+0x143/0x200 net/ipv4/ip_output.c:503
 [] ip_finish_output+0x6c4/0xbc0 net/ipv4/ip_output.c:286
 [] NF_HOOK_COND include/linux/netfilter.h:240 [inline]
 [] ip_mc_output+0x233/0x980 net/ipv4/ip_output.c:347
 [] dst_output include/net/dst.h:498 [inline]
 [] ip_local_out+0x9b/0x180 net/ipv4/ip_output.c:119
 [] ip_send_skb+0x3c/0xc0 net/ipv4/ip_output.c:1450
 [] udp_send_skb+0x5c3/0xc60 net/ipv4/udp.c:842
 [] udp_sendmsg+0x16ce/0x1bb0 net/ipv4/udp.c:1070
 [] inet_sendmsg+0x203/0x4d0 net/ipv4/af_inet.c:755
 [] sock_sendmsg_nosec net/socket.c:625 [inline]
 [] sock_sendmsg+0xcc/0x110 net/socket.c:635
 [] SYSC_sendto+0x21c/0x370 net/socket.c:1665
 [] SyS_sendto+0x40/0x50 net/socket.c:1633
 [] do_syscall_32_irqs_on arch/x86/entry/common.c:392 [inline]
 [] do_fast_syscall_32+0x326/0x8b0 arch/x86/entry/common.c:459
 [] sysenter_flags_fixed+0xd/0x17

Freed by task 0:
(stack is not available)

The buggy address belongs to the object at ffff8801d7b8cd80
 which belongs to the cache kmalloc-1024 of size 1024
The buggy address is located 688 bytes inside of
 1024-byte region [ffff8801d7b8cd80, ffff8801d7b8d180)
The buggy address belongs to the page:
syz-executor0: Corrupted page table at address 804f3d8
PGD 80000001d060e067 PUD 1d060f067 PMD 1d0619067 PTE ffffffff8148ca77
Bad pagetable: 0009 [#1] PREEMPT SMP KASAN
Dumping ftrace buffer:
   (ftrace buffer empty)
Modules linked in:
CPU: 0 PID: 3795 Comm: wĘH˙˙˙˙utor0 Not tainted 4.4.128-gbd23e3a #19
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
task: ffff8801cb46e000 task.stack: ffffea00075ee300
RIP: 0010:[] [] copy_user_generic_unrolled+0x9e/0xc0 arch/x86/lib/copy_user_64.S:117
RSP: 0000:ffff8801d91e7d00 EFLAGS: 00010202
RAX: ffff8801cb46e000 RBX: ffff8801d91e7d88 RCX: 0000000000000001
RDX: 0000000000000001 RSI: 000000000804f3d8 RDI: ffff8801d91e7d88
RBP: ffff8801d91e7d30 R08: ffff8801cb46e900 R09: 0000000000000001
R10: 0000000000000001 R11: 0000000000000000 R12: 0000000000000001
R13: 00007ffffffff000 R14: 000000000804f3d8 R15: ffff8801cb46e000
FS: 0000000000000000(0000) GS:ffff8801db200000(0063) knlGS:000000000995e900
CS: 0010 DS: 002b ES: 002b CR0: 0000000080050033
CR2: 000000000804f3d8 CR3: 00000001d996c000 CR4: 0000000000160670
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Stack:
 ffffffff8142a327 000000000804f3d8 ffff8801d91e7e08 000000000804f3e7
 ffff8801d91e7d88 ffff8801d91e7f58 ffff8801d91e7e30 ffffffff810d5384
 fffffbfff088e71d ffff8801d91e7fe0 000000084ae0f9a1 1ffff1003b23cfad
Call Trace:
Code:
[ 33.189162] ------------[ cut here ]------------
WARNING: CPU: 0 PID: 3795 at include/linux/uaccess.h:15 pagefault_disabled_dec include/linux/uaccess.h:15 [inline]()
WARNING: CPU: 0 PID: 3795 at include/linux/uaccess.h:15 pagefault_enable include/linux/uaccess.h:42 [inline]()
WARNING: CPU: 0 PID: 3795 at include/linux/uaccess.h:15 __probe_kernel_read+0x1b9/0x200 mm/maccess.c:35()