==================================================================
BUG: KASAN: slab-out-of-bounds in fl6_update_dst+0x159/0x1a0 net/ipv6/exthdrs.c:1356
Read of size 16 at addr ffff8880a7a8df58 by task syz-executor098/7245

CPU: 1 PID: 7245 Comm: syz-executor098 Not tainted 5.7.0-rc6-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1e9/0x30e lib/dump_stack.c:118
 print_address_description+0x74/0x5c0 mm/kasan/report.c:382
 __kasan_report+0x103/0x1a0 mm/kasan/report.c:511
 kasan_report+0x4d/0x80 mm/kasan/common.c:625

Allocated by task 7245:
 save_stack mm/kasan/common.c:49 [inline]
 set_track mm/kasan/common.c:57 [inline]
 __kasan_kmalloc+0x114/0x160 mm/kasan/common.c:495
 __do_kmalloc mm/slab.c:3656 [inline]
 __kmalloc+0x24b/0x330 mm/slab.c:3665
 kmalloc include/linux/slab.h:560 [inline]
 sock_kmalloc+0x98/0x100 net/core/sock.c:2166
 ipv6_renew_options+0x27c/0xa70 net/ipv6/exthdrs.c:1275
 do_ipv6_setsockopt+0x244d/0x3a20 net/ipv6/ipv6_sockglue.c:435
 ipv6_setsockopt+0x49/0x160 net/ipv6/ipv6_sockglue.c:949
 sctp_setsockopt+0x15a/0xe850 net/sctp/socket.c:4685
 __sys_setsockopt+0x564/0x710 net/socket.c:2132
 __do_sys_setsockopt net/socket.c:2148 [inline]
 __se_sys_setsockopt net/socket.c:2145 [inline]
 __x64_sys_setsockopt+0xb1/0xc0 net/socket.c:2145
 do_syscall_64+0xf3/0x1b0 arch/x86/entry/common.c:295
 entry_SYSCALL_64_after_hwframe+0x49/0xb3

Freed by task 7152:
 save_stack mm/kasan/common.c:49 [inline]
 set_track mm/kasan/common.c:57 [inline]
 kasan_set_free_info mm/kasan/common.c:317 [inline]
 __kasan_slab_free+0x125/0x190 mm/kasan/common.c:456
 __cache_free mm/slab.c:3426 [inline]
 kfree+0x10a/0x220 mm/slab.c:3757
 ext4_ext_map_blocks+0x421f/0x6db0 fs/ext4/extents.c:4319
 ext4_map_blocks+0x43b/0x1b00 fs/ext4/inode.c:544
 ext4_getblk fs/ext4/inode.c:825 [inline]
 ext4_bread_batch+0xea/0x7c0 fs/ext4/inode.c:895
 __ext4_find_entry+0x68f/0x1730 fs/ext4/namei.c:1523
 ext4_lookup_entry fs/ext4/namei.c:1623 [inline]
 ext4_lookup+0x321/0xbe0 fs/ext4/namei.c:1691
 lookup_open fs/namei.c:3060 [inline]
 open_last_lookups fs/namei.c:3155 [inline]
 path_openat+0x141b/0x38b0 fs/namei.c:3343
 do_filp_open+0x191/0x3a0 fs/namei.c:3373
 do_sys_openat2+0x463/0x770 fs/open.c:1148
 do_sys_open fs/open.c:1164 [inline]
 ksys_open include/linux/syscalls.h:1386 [inline]
 __do_sys_open fs/open.c:1170 [inline]
 __se_sys_open fs/open.c:1168 [inline]
 __x64_sys_open+0x1af/0x1e0 fs/open.c:1168
 do_syscall_64+0xf3/0x1b0 arch/x86/entry/common.c:295
 entry_SYSCALL_64_after_hwframe+0x49/0xb3

The buggy address belongs to the object at ffff8880a7a8df00
 which belongs to the cache kmalloc-96 of size 96
The buggy address is located 88 bytes inside of
 96-byte region [ffff8880a7a8df00, ffff8880a7a8df60)
The buggy address belongs to the page:
page:ffffea00029ea340 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff8880a7a8d080
flags: 0xfffe0000000200(slab)
raw: 00fffe0000000200 ffffea00024e03c8 ffffea00026315c8 ffff8880aa400540
raw: ffff8880a7a8d080 ffff8880a7a8d000 0000000100000012 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8880a7a8de00: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc
 ffff8880a7a8de80: 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc
>ffff8880a7a8df00: 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc fc
                                                    ^
 ffff8880a7a8df80: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
 ffff8880a7a8e000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================