==================================================================
BUG: KASAN: slab-out-of-bounds in ip6_tnl_xmit2+0x1f95/0x2320 net/ipv6/ip6_tunnel.c:987
Read of size 16 at addr ffff8801bb3d02b0 by task syz-executor.4/2904

CPU: 0 PID: 2904 Comm: syz-executor.4 Not tainted 4.4.174+ #4
 0000000000000000 ad6cb87ba96214c0 ffff8801d456ee70 ffffffff81aad1a1
 0000000000000000 ffffea0006ecf400 ffff8801bb3d02b0 0000000000000010
 ffff8801bb3d0000 ffff8801d456eea8 ffffffff81490120 0000000000000000
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x120 lib/dump_stack.c:51
 [] print_address_description+0x6f/0x21b mm/kasan/report.c:252
 [] kasan_report_error mm/kasan/report.c:351 [inline]
 [] kasan_report mm/kasan/report.c:408 [inline]
 [] kasan_report.cold+0x8c/0x2be mm/kasan/report.c:393
 [] __asan_report_load_n_noabort+0xf/0x20 mm/kasan/report.c:439
 [] ip6_tnl_xmit2+0x1f95/0x2320 net/ipv6/ip6_tunnel.c:987
 [] ip4ip6_tnl_xmit net/ipv6/ip6_tunnel.c:1134 [inline]
 [] ip6_tnl_xmit+0xa09/0xe00 net/ipv6/ip6_tunnel.c:1212
 [] __netdev_start_xmit include/linux/netdevice.h:3750 [inline]
 [] netdev_start_xmit include/linux/netdevice.h:3759 [inline]
 [] xmit_one net/core/dev.c:2781 [inline]
 [] dev_hard_start_xmit+0x7c1/0x11e0 net/core/dev.c:2797
 [] __dev_queue_xmit+0x164b/0x1bb0 net/core/dev.c:3229
 [] dev_queue_xmit+0x18/0x20 net/core/dev.c:3263
 [] neigh_direct_output+0x16/0x20 net/core/neighbour.c:1369
 [] dst_neigh_output include/net/dst.h:461 [inline]
 [] ip_finish_output2+0x6a2/0x1280 net/ipv4/ip_output.c:213
 [] ip_do_fragment+0x187c/0x1f70 net/ipv4/ip_output.c:635
 [] ip_fragment.constprop.0+0x14b/0x200 net/ipv4/ip_output.c:505
 [] ip_finish_output+0x3b9/0xc60 net/ipv4/ip_output.c:286
 [] NF_HOOK_COND include/linux/netfilter.h:240 [inline]
 [] ip_mc_output+0x251/0xae0 net/ipv4/ip_output.c:347
 [] dst_output include/net/dst.h:498 [inline]
 [] ip_local_out+0x9c/0x180 net/ipv4/ip_output.c:119
 [] ip_send_skb+0x3e/0xc0 net/ipv4/ip_output.c:1453
 [] udp_send_skb+0x4fd/0xc70 net/ipv4/udp.c:842
 [] udp_sendmsg+0x16cf/0x1c60 net/ipv4/udp.c:1072
 [] udpv6_sendmsg+0x12f2/0x24f0 net/ipv6/udp.c:1173
 [] inet_sendmsg+0x202/0x4d0 net/ipv4/af_inet.c:755
 [] sock_sendmsg_nosec net/socket.c:638 [inline]
 [] sock_sendmsg+0xbe/0x110 net/socket.c:648
 [] SYSC_sendto net/socket.c:1678 [inline]
 [] SyS_sendto+0x201/0x340 net/socket.c:1646
 [] entry_SYSCALL_64_fastpath+0x1e/0x9a

Allocated by task 2904:
 [] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:63
 [] save_stack mm/kasan/kasan.c:512 [inline]
 [] set_track mm/kasan/kasan.c:524 [inline]
 [] kasan_kmalloc.part.0+0x62/0xf0 mm/kasan/kasan.c:616
 [] kasan_kmalloc+0xb7/0xd0 mm/kasan/kasan.c:601
 [] __kmalloc+0x141/0x330 mm/slub.c:3613
 [] kmalloc include/linux/slab.h:481 [inline]
 [] kzalloc include/linux/slab.h:620 [inline]
 [] neigh_alloc net/core/neighbour.c:285 [inline]
 [] __neigh_create+0x1d6/0x1b30 net/core/neighbour.c:457
 [] neigh_create include/net/neighbour.h:313 [inline]
 [] ipv4_neigh_lookup+0x52e/0x6e0 net/ipv4/route.c:464
 [] dst_neigh_lookup include/net/dst.h:466 [inline]
 [] ip6_tnl_xmit2+0x27b/0x2320 net/ipv6/ip6_tunnel.c:982
 [] ip4ip6_tnl_xmit net/ipv6/ip6_tunnel.c:1134 [inline]
 [] ip6_tnl_xmit+0xa09/0xe00 net/ipv6/ip6_tunnel.c:1212
 [] __netdev_start_xmit include/linux/netdevice.h:3750 [inline]
 [] netdev_start_xmit include/linux/netdevice.h:3759 [inline]
 [] xmit_one net/core/dev.c:2781 [inline]
 [] dev_hard_start_xmit+0x7c1/0x11e0 net/core/dev.c:2797
 [] __dev_queue_xmit+0x164b/0x1bb0 net/core/dev.c:3229
 [] dev_queue_xmit+0x18/0x20 net/core/dev.c:3263
 [] neigh_direct_output+0x16/0x20 net/core/neighbour.c:1369
 [] dst_neigh_output include/net/dst.h:461 [inline]
 [] ip_finish_output2+0x6a2/0x1280 net/ipv4/ip_output.c:213
 [] ip_do_fragment+0x187c/0x1f70 net/ipv4/ip_output.c:635
 [] ip_fragment.constprop.0+0x14b/0x200 net/ipv4/ip_output.c:505
 [] ip_finish_output+0x3b9/0xc60 net/ipv4/ip_output.c:286
 [] NF_HOOK_COND include/linux/netfilter.h:240 [inline]
 [] ip_mc_output+0x251/0xae0 net/ipv4/ip_output.c:347
 [] dst_output include/net/dst.h:498 [inline]
 [] ip_local_out+0x9c/0x180 net/ipv4/ip_output.c:119
 [] ip_send_skb+0x3e/0xc0 net/ipv4/ip_output.c:1453
 [] udp_send_skb+0x4fd/0xc70 net/ipv4/udp.c:842
 [] udp_sendmsg+0x16cf/0x1c60 net/ipv4/udp.c:1072
 [] udpv6_sendmsg+0x12f2/0x24f0 net/ipv6/udp.c:1173
 [] inet_sendmsg+0x202/0x4d0 net/ipv4/af_inet.c:755
 [] sock_sendmsg_nosec net/socket.c:638 [inline]
 [] sock_sendmsg+0xbe/0x110 net/socket.c:648
 [] SYSC_sendto net/socket.c:1678 [inline]
 [] SyS_sendto+0x201/0x340 net/socket.c:1646
 [] entry_SYSCALL_64_fastpath+0x1e/0x9a

Freed by task 1924:
 [] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:63
 [] save_stack mm/kasan/kasan.c:512 [inline]
 [] set_track mm/kasan/kasan.c:524 [inline]
 [] kasan_slab_free+0xb0/0x190 mm/kasan/kasan.c:589
 [] slab_free_hook mm/slub.c:1383 [inline]
 [] slab_free_freelist_hook mm/slub.c:1405 [inline]
 [] slab_free mm/slub.c:2859 [inline]
 [] kfree+0xf4/0x310 mm/slub.c:3749
 [] syslog_print kernel/printk/printk.c:1207 [inline]
 [] do_syslog kernel/printk/printk.c:1336 [inline]
 [] do_syslog+0x900/0xaf0 kernel/printk/printk.c:1306
 [] kmsg_read+0x74/0xa0 fs/proc/kmsg.c:39
 [] proc_reg_read+0xfd/0x180 fs/proc/inode.c:202
 [] __vfs_read+0x116/0x3c0 fs/read_write.c:434
 [] vfs_read+0x134/0x360 fs/read_write.c:456
 [] SYSC_read fs/read_write.c:571 [inline]
 [] SyS_read+0xdc/0x1c0 fs/read_write.c:564
 [] entry_SYSCALL_64_fastpath+0x1e/0x9a

The buggy address belongs to the object at ffff8801bb3d0000
 which belongs to the cache kmalloc-1024 of size 1024
The buggy address is located 688 bytes inside of
 1024-byte region [ffff8801bb3d0000, ffff8801bb3d0400)
The buggy address belongs to the page:
page:ffffea0006ecf400 count:0 mapcount:1 mapping: (null) index:0x0
flags: 0x0()
page dumped because: VM_BUG_ON_PAGE(PageSlab(page))

(The following oops from CPU 1 was interleaved with the KASAN report above in the original console log; the two "BUG:" messages are separated here.)

BUG: unable to handle kernel paging request at fffff94000dd9e80
IP: [] memset_erms+0x9/0x10 arch/x86/lib/memset_64.S:62
PGD 330c067 PUD 330b063 PMD 330a063 PTE 800000000330d161
Oops: 0003 [#1] PREEMPT SMP KASAN
Modules linked in:
CPU: 1 PID: 2124 Comm: syz-executor.5 Not tainted 4.4.174+ #4
task: ffff8800b7ed0000 task.stack: ffff8801cf2b0000
RIP: 0010:[]  [] memset_erms+0x9/0x10 arch/x86/lib/memset_64.S:62
RSP: 0018:ffff8801cf2b76a0  EFLAGS: 00010206
RAX: 1ffffd4000dd9e00 RBX: fffff94000dd9e89 RCX: 0000000000000009
RDX: 0000000000000009 RSI: 0000000000000000 RDI: fffff94000dd9e80
RBP: ffff8801cf2b76b8 R08: 0000000000000002 R09: fffff94000dd9e80
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000048
R13: ffffea0006ecf400 R14: ffffea0006ecf447 R15: ffff8801da548780
FS:  00000000023b0940(0063) GS:ffff8801db700000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: fffff94000dd9e80 CR3: 00000001c07f2000 CR4: 00000000001606b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Stack:
 ffffffff81484025 ffffea0006ecf448 0000000002008000 ffff8801cf2b76f8
 ffffffff8148412c ffffea0006ecf447 4000000000004080 ffff8801da548780
 0000000002008000 ffffffff81953367 ffffea0006ecf400 ffff8801cf2b7708
Call Trace:
 [] kasan_kmalloc+0x4c/0xd0 mm/kasan/kasan.c:611
 [] kasan_slab_alloc+0xf/0x20 mm/kasan/kasan.c:554
 [] slab_post_alloc_hook mm/slub.c:1349 [inline]
 [] slab_alloc_node mm/slub.c:2615 [inline]
 [] slab_alloc mm/slub.c:2623 [inline]
 [] kmem_cache_alloc+0xdc/0x2c0 mm/slub.c:2628
 [] kmem_cache_zalloc include/linux/slab.h:610 [inline]
 [] avc_alloc_node+0x27/0x3c0 security/selinux/avc.c:551
 [] avc_insert security/selinux/avc.c:670 [inline]
 [] avc_compute_av+0x182/0x610 security/selinux/avc.c:976
 [] avc_has_perm_noaudit+0x2a8/0x300 security/selinux/avc.c:1112
 [] selinux_inode_permission+0x27f/0x4a0 security/selinux/hooks.c:2902
 [] security_inode_permission+0xb9/0x100 security/security.c:600
 [] __inode_permission2+0x96/0x250 fs/namei.c:425
 [] inode_permission2+0x32/0x110 fs/namei.c:475
 [] may_lookup fs/namei.c:1706 [inline]
 [] link_path_walk+0x198/0x15e0 fs/namei.c:1970
 [] path_lookupat.isra.0+0x6a/0x3f0 fs/namei.c:2194
 [] filename_lookup+0x1a4/0x3b0 fs/namei.c:2229
 [] user_path_at_empty+0x43/0x50 fs/namei.c:2403
 [] user_path_at include/linux/namei.h:52 [inline]
 [] vfs_fstatat+0xc6/0x170 fs/stat.c:106
 [] vfs_lstat fs/stat.c:129 [inline]
 [] SYSC_newlstat fs/stat.c:283 [inline]
 [] SyS_newlstat+0x97/0x110 fs/stat.c:277
 [] entry_SYSCALL_64_fastpath+0x1e/0x9a
Code: 48 c1 e9 03 40 0f b6 f6 48 b8 01 01 01 01 01 01 01 01 48 0f af c6 f3 48 ab 89 d1 f3 aa 4c 89 c8 c3 90 49 89 f9 40 88 f0 48 89 d1 <f3> aa 4c 89 c8 c3 90 49 89 fa 40 0f b6 ce 48 b8 01 01 01 01 01
RIP  [] memset_erms+0x9/0x10 arch/x86/lib/memset_64.S:61
 RSP <ffff8801cf2b76a0>
CR2: fffff94000dd9e80
---[ end trace 959521ff44d343cb ]---