IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
syz-executor350 (4046) used greatest stack depth: 23552 bytes left
==================================================================
BUG: KASAN: slab-out-of-bounds in ip6_tnl_xmit2+0x2043/0x20d0 net/ipv6/ip6_tunnel.c:987
Read of size 16 at addr ffff8801d84a2b30 by task syz-executor350/4047

CPU: 1 PID: 4047 Comm: syz-executor350 Not tainted 4.4.147-ga5fc665 #80
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 0000000000000000 6be34894c98f9875 ffff8801d8adeaf0 ffffffff81e12a4d
 ffffea0007612800 ffff8801d84a2b30 0000000000000000 ffff8801d84a2b38
 ffff8800ba8c8000 ffff8801d8adeb28 ffffffff81517fd6 ffff8801d84a2b30
Call Trace:
 __dump_stack lib/dump_stack.c:15 [inline]
 dump_stack+0xc1/0x124 lib/dump_stack.c:51
 print_address_description+0x6c/0x216 mm/kasan/report.c:252
 kasan_report_error mm/kasan/report.c:351 [inline]
 kasan_report.cold.7+0x175/0x2f7 mm/kasan/report.c:408
 __asan_report_load_n_noabort+0xf/0x20 mm/kasan/report.c:439
 ip6_tnl_xmit2+0x2043/0x20d0 net/ipv6/ip6_tunnel.c:987
 ip4ip6_tnl_xmit net/ipv6/ip6_tunnel.c:1129 [inline]
 ip6_tnl_xmit+0x910/0xc60 net/ipv6/ip6_tunnel.c:1203
 __netdev_start_xmit include/linux/netdevice.h:3743 [inline]
 netdev_start_xmit include/linux/netdevice.h:3752 [inline]
 xmit_one net/core/dev.c:2759 [inline]
 dev_hard_start_xmit+0x7b1/0x11c0 net/core/dev.c:2775
 __dev_queue_xmit+0x16c0/0x1c80 net/core/dev.c:3207
 dev_queue_xmit+0x17/0x20 net/core/dev.c:3241
 neigh_direct_output+0x15/0x20 net/core/neighbour.c:1366
 dst_neigh_output include/net/dst.h:461 [inline]
 ip_finish_output2+0x6ab/0x1110 net/ipv4/ip_output.c:213
 ip_do_fragment+0x19cc/0x2190 net/ipv4/ip_output.c:635
 ip_fragment.constprop.51+0x143/0x200 net/ipv4/ip_output.c:505
 ip_finish_output+0x48a/0xc00 net/ipv4/ip_output.c:286
 NF_HOOK_COND include/linux/netfilter.h:240 [inline]
 ip_output+0x219/0x4c0 net/ipv4/ip_output.c:362
 dst_output include/net/dst.h:498 [inline]
 ip_local_out+0x9b/0x180 net/ipv4/ip_output.c:119
 ip_send_skb+0x3c/0xc0 net/ipv4/ip_output.c:1453
 udp_send_skb+0x5c3/0xc60 net/ipv4/udp.c:842
 udp_push_pending_frames+0x4e/0xe0 net/ipv4/udp.c:870
 udp_sendmsg+0x1147/0x1c70 net/ipv4/udp.c:1104
 udpv6_sendmsg+0x1d59/0x24c0 net/ipv6/udp.c:1178
 inet_sendmsg+0x203/0x4d0 net/ipv4/af_inet.c:755
 sock_sendmsg_nosec net/socket.c:626 [inline]
 sock_sendmsg+0xcc/0x110 net/socket.c:636
 ___sys_sendmsg+0x441/0x880 net/socket.c:1963
 __sys_sendmmsg+0x12e/0x2e0 net/socket.c:2048
 SYSC_sendmmsg net/socket.c:2078 [inline]
 SyS_sendmmsg+0x35/0x60 net/socket.c:2073
 entry_SYSCALL_64_fastpath+0x22/0x9e

Allocated by task 4047:
 save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:63
 save_stack+0x43/0xd0 mm/kasan/kasan.c:512
 set_track mm/kasan/kasan.c:524 [inline]
 kasan_kmalloc+0xc7/0xe0 mm/kasan/kasan.c:616
 __kmalloc+0x124/0x310 mm/slub.c:3613
 kmalloc include/linux/slab.h:481 [inline]
 kzalloc include/linux/slab.h:620 [inline]
 neigh_alloc net/core/neighbour.c:285 [inline]
 __neigh_create+0x1d6/0x1b20 net/core/neighbour.c:457
 neigh_create include/net/neighbour.h:313 [inline]
 ipv4_neigh_lookup+0x4dd/0x700 net/ipv4/route.c:464
 dst_neigh_lookup include/net/dst.h:466 [inline]
 ip6_tnl_xmit2+0x613/0x20d0 net/ipv6/ip6_tunnel.c:982
 ip4ip6_tnl_xmit net/ipv6/ip6_tunnel.c:1129 [inline]
 ip6_tnl_xmit+0x910/0xc60 net/ipv6/ip6_tunnel.c:1203
 __netdev_start_xmit include/linux/netdevice.h:3743 [inline]
 netdev_start_xmit include/linux/netdevice.h:3752 [inline]
 xmit_one net/core/dev.c:2759 [inline]
 dev_hard_start_xmit+0x7b1/0x11c0 net/core/dev.c:2775
 __dev_queue_xmit+0x16c0/0x1c80 net/core/dev.c:3207
 dev_queue_xmit+0x17/0x20 net/core/dev.c:3241
 neigh_direct_output+0x15/0x20 net/core/neighbour.c:1366
 dst_neigh_output include/net/dst.h:461 [inline]
 ip_finish_output2+0x6ab/0x1110 net/ipv4/ip_output.c:213
 ip_do_fragment+0x19cc/0x2190 net/ipv4/ip_output.c:635
 ip_fragment.constprop.51+0x143/0x200 net/ipv4/ip_output.c:505
 ip_finish_output+0x48a/0xc00 net/ipv4/ip_output.c:286
 NF_HOOK_COND include/linux/netfilter.h:240 [inline]
 ip_output+0x219/0x4c0 net/ipv4/ip_output.c:362
 dst_output include/net/dst.h:498 [inline]
 ip_local_out+0x9b/0x180 net/ipv4/ip_output.c:119
 ip_send_skb+0x3c/0xc0 net/ipv4/ip_output.c:1453
 udp_send_skb+0x5c3/0xc60 net/ipv4/udp.c:842
 udp_push_pending_frames+0x4e/0xe0 net/ipv4/udp.c:870
 udp_sendmsg+0x1147/0x1c70 net/ipv4/udp.c:1104
 udpv6_sendmsg+0x1d59/0x24c0 net/ipv6/udp.c:1178
 inet_sendmsg+0x203/0x4d0 net/ipv4/af_inet.c:755
 sock_sendmsg_nosec net/socket.c:626 [inline]
 sock_sendmsg+0xcc/0x110 net/socket.c:636
 ___sys_sendmsg+0x441/0x880 net/socket.c:1963
 __sys_sendmmsg+0x12e/0x2e0 net/socket.c:2048
 SYSC_sendmmsg net/socket.c:2078 [inline]
 SyS_sendmmsg+0x35/0x60 net/socket.c:2073
 entry_SYSCALL_64_fastpath+0x22/0x9e

Freed by task 0:
(stack is not available)

The buggy address belongs to the object at ffff8801d84a2880
 which belongs to the cache kmalloc-1024 of size 1024
The buggy address is located 688 bytes inside of
 1024-byte region [ffff8801d84a2880, ffff8801d84a2c80)
The buggy address belongs to the page:
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] PREEMPT SMP KASAN
Dumping ftrace buffer:
   (ftrace buffer empty)
Modules linked in:
CPU: 0 PID: 4046 Comm: syz-executor350 Not tainted 4.4.147-ga5fc665 #80
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
task: ffff8800bb899800 task.stack: ffff8800b1578000
RIP: 0010: lookup_object lib/debugobjects.c:120 [inline]
RIP: 0010: debug_object_deactivate+0x191/0x340 lib/debugobjects.c:465
RSP: 0018:ffff8801db207cf0  EFLAGS: 00010803
RAX: dffffc0000000000 RBX: c8cfe8df89480b0f RCX: 1919fd1bf1290164
RDX: 1ffffffff0b4070f RSI: ffffffff844c77a0 RDI: c8cfe8df89480b27
RBP: ffff8801db207da8 R08: 0000000000000001 R09: 0000000000000000
R10: ffffed0043fffa01 R11: 0000000000000001 R12: 1ffff1003b640fa0
R13: ffffffff85a03868 R14: ffff8801d99b7638 R15: 0000000000000003
FS:  0000000000000000(0000) GS:ffff8801db200000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000415830 CR3: 000000000440c000 CR4: 00000000001606f0
Stack:
 0000000000000092 ffffffff844c77a0 0000000041b58ab3 ffffffff8420c107
 ffffffff81e74350 0000000a19a8b670 ffff8801db207d30 ffffffff810cdef3
 ffff8801db207d40 ffffffff810cdf19 ffff8801db207da8 ffffffff812b2381
Call Trace:
 debug_hrtimer_deactivate kernel/time/hrtimer.c:415 [inline]
 debug_deactivate kernel/time/hrtimer.c:462 [inline]
 __run_hrtimer kernel/time/hrtimer.c:1230 [inline]
 __hrtimer_run_queues+0x222/0x1000 kernel/time/hrtimer.c:1325
 hrtimer_interrupt+0x1b1/0x430 kernel/time/hrtimer.c:1359
 local_apic_timer_interrupt+0x74/0xa0 arch/x86/kernel/apic/apic.c:901
 smp_apic_timer_interrupt+0x7c/0xa0 arch/x86/kernel/apic/apic.c:925
 apic_timer_interrupt+0xa0/0xb0 arch/x86/entry/entry_64.S:741
 vprintk_emit+0x51e/0x840 kernel/printk/printk.c:1832
 vprintk+0x28/0x30 kernel/printk/printk.c:1843
 vprintk_default+0x1d/0x30 kernel/printk/printk.c:1844
 printk+0xaf/0xd7 kernel/printk/printk.c:1922
 check_stack_usage kernel/exit.c:646 [inline]
 do_exit.cold.21+0x5d/0x2bb kernel/exit.c:810
 do_group_exit+0x111/0x330 kernel/exit.c:885
 SYSC_exit_group kernel/exit.c:896 [inline]
 SyS_exit_group+0x1d/0x20 kernel/exit.c:894
 entry_SYSCALL_64_fastpath+0x22/0x9e
Code: a9 01 00 00 48 8b 1b 41 bf 01 00 00 00 48 85 db 74 42 48 b8 00 00 00 00 00 fc ff df 48 8d 7b 18 41 83 c7 01 48 89 f9 48 c1 e9 03 <80> 3c 01 00 0f 85 0c 01 00 00 4c 3b 73 18 74 7d 48 89 d9 48 c1
RIP  lookup_object lib/debugobjects.c:120 [inline]
RIP  debug_object_deactivate+0x191/0x340 lib/debugobjects.c:465
 RSP
---[ end trace d6501de20e797b19 ]---
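Reading the report: the object is allocated in neigh_alloc() on behalf of ipv4_neigh_lookup(), so it is an IPv4 (ARP-table) neighbour, whose key is 4 bytes long and sits in a flexible array at the end of struct neighbour. The faulting access is a 16-byte read at offset 688 of that object from ip6_tnl_xmit2(), reached through ip4ip6_tnl_xmit(), which is the size of an IPv6 address. A 16-byte read of a 4-byte key necessarily runs past the end of the allocation, which is what KASAN flags; because it is a read, it does not by itself explain the separate general protection fault that CPU 0 hit in debug_object_deactivate() while the first report was still being printed. The added user-space model below (not kernel source and not the upstream fix) shows the pattern, the length check that prevents it, and KASAN's offset arithmetic replayed with the report's numbers. Struct and function names are stand-ins, the sample addresses are constructed, and the 692-byte allocation size used for illustration is assumed (the report does not print the allocated size, only the 1024-byte slab region).

```c
/*
 * Added illustration, not kernel source and not the fix for this report.
 * Build with -fsanitize=address -DDEMO_OVERREAD to have ASan report the
 * same class of overread (heap-buffer-overflow) on the IPv4 neighbour.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct in6_addr_m {              /* stand-in for struct in6_addr */
    uint8_t s6_addr[16];
};

/*
 * Stand-in for struct neighbour (field names are assumptions). As in the
 * kernel, the key is a flexible array at the end of the object, and the
 * object is allocated with room for the table's key length only: 4 bytes
 * for an IPv4 (ARP) neighbour, 16 for an IPv6 (ND) neighbour.
 */
struct neigh_m {
    uint32_t key_len;
    uint8_t  primary_key[];
};

static struct neigh_m *neigh_alloc_m(uint32_t key_len, const uint8_t *key)
{
    struct neigh_m *n = calloc(1, sizeof(*n) + key_len);
    if (!n)
        return NULL;
    n->key_len = key_len;
    memcpy(n->primary_key, key, key_len);
    return n;
}

/*
 * Vulnerable pattern: the key is treated as an IPv6 address and 16 bytes
 * are read regardless of which table the neighbour came from. For a
 * 4-byte IPv4 key the read runs past the allocation; this is the shape of
 * the "Read of size 16" slab-out-of-bounds in the report.
 */
static void key_as_in6_unchecked(const struct neigh_m *n, struct in6_addr_m *out)
{
    memcpy(out, n->primary_key, sizeof(*out));
}

/*
 * Hardened pattern: interpret the key as an IPv6 address only when the
 * neighbour carries a 16-byte key. Returns 0 on success, -1 when the
 * caller must fall back (for example to the packet's own destination).
 */
static int key_as_in6_checked(const struct neigh_m *n, struct in6_addr_m *out)
{
    if (n->key_len != sizeof(out->s6_addr))
        return -1;
    memcpy(out, n->primary_key, sizeof(*out));
    return 0;
}

/*
 * Replays KASAN's arithmetic: bytes by which a read of read_len at offset
 * key_off runs past an object of alloc_size bytes. The report gives
 * key_off = 688 and read_len = 16; alloc_size is not printed, so the
 * 692 used in main() (688 + a 4-byte key) is an assumed figure.
 */
static size_t overrun_bytes(size_t key_off, size_t alloc_size, size_t read_len)
{
    size_t read_end = key_off + read_len;
    return read_end > alloc_size ? read_end - alloc_size : 0;
}

/* Exercises the checked reader on an IPv4 and an IPv6 neighbour; 1 on success. */
static int self_check(void)
{
    static const uint8_t v4[4]  = { 192, 0, 2, 1 };                 /* constructed */
    static const uint8_t v6[16] = { 0x20, 0x01, 0x0d, 0xb8, 0, 0, 0, 0,
                                    0, 0, 0, 0, 0, 0, 0, 1 };       /* constructed */
    struct in6_addr_m out;
    struct neigh_m *n4 = neigh_alloc_m(sizeof v4, v4);
    struct neigh_m *n6 = neigh_alloc_m(sizeof v6, v6);
    int ok = n4 && n6
          && key_as_in6_checked(n4, &out) == -1      /* refused: 4-byte key */
          && key_as_in6_checked(n6, &out) == 0       /* accepted: 16-byte key */
          && memcmp(out.s6_addr, v6, sizeof v6) == 0;
#ifdef DEMO_OVERREAD
    if (n4)
        key_as_in6_unchecked(n4, &out);   /* deliberate 12-byte overread */
#else
    (void)key_as_in6_unchecked;           /* kept for reference, not called */
#endif
    free(n4);
    free(n6);
    return ok;
}

int main(void)
{
    printf("self_check: %s\n", self_check() ? "ok" : "FAILED");
    printf("16-byte read at offset 688 of a 692-byte object overruns by %zu bytes\n",
           overrun_bytes(688, 692, 16));
    return 0;
}
```

The length check is the property a fix has to restore in one form or another: code that obtains a neighbour from an arbitrary dst (here an IPv4 route, because the inner packet is IPv4) must not assume the neighbour's key has the width of the tunnel's outer address family. In the kernel the equivalent of key_len is the neighbour table's key_len, and the same mismatch can be avoided upstream by not doing the IPv6-style lookup on the ip4ip6 path at all; which of those the maintainers chose is not stated on this page.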