IPVS: ftp: loaded support on port[0] = 21
==================================================================
BUG: KASAN: slab-out-of-bounds in fib6_rule_lookup+0x6fc/0x870 net/ipv6/fib6_rules.c:119
Read of size 2 at addr ffff888096883750 by task syz-executor0/22272

CPU: 0 PID: 22272 Comm: syz-executor0 Not tainted 4.20.0+ #3
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1db/0x2d0 lib/dump_stack.c:113
 print_address_description.cold+0x7c/0x20d mm/kasan/report.c:256
 kasan_report_error mm/kasan/report.c:354 [inline]
 kasan_report mm/kasan/report.c:412 [inline]
 kasan_report.cold+0x8c/0x2ba mm/kasan/report.c:396
 __asan_report_load2_noabort+0x14/0x20 mm/kasan/report.c:431
 fib6_rule_lookup+0x6fc/0x870 net/ipv6/fib6_rules.c:119
 ip6_route_input_lookup+0xb7/0xd0 net/ipv6/route.c:1921
 ip6_route_input+0x79b/0xe00 net/ipv6/route.c:2056
 ip6_rcv_finish_core.isra.0+0x204/0x720 net/ipv6/ip6_input.c:63
 ip6_rcv_finish+0x109/0x330 net/ipv6/ip6_input.c:74
 NF_HOOK include/linux/netfilter.h:289 [inline]
 NF_HOOK include/linux/netfilter.h:283 [inline]
 ipv6_rcv+0x113/0x650 net/ipv6/ip6_input.c:272
 __netif_receive_skb_one_core+0x160/0x210 net/core/dev.c:4973
 __netif_receive_skb+0x2c/0x1c0 net/core/dev.c:5083
 netif_receive_skb_internal+0x11e/0x690 net/core/dev.c:5186
 napi_frags_finish net/core/dev.c:5753 [inline]
 napi_gro_frags+0xd07/0xfe0 net/core/dev.c:5827
 tun_get_user+0x2ec2/0x4150 drivers/net/tun.c:1972
 tun_chr_write_iter+0xbd/0x160 drivers/net/tun.c:2017
 call_write_iter include/linux/fs.h:1857 [inline]
 do_iter_readv_writev+0x856/0xae0 fs/read_write.c:680
 do_iter_write fs/read_write.c:959 [inline]
 do_iter_write+0x184/0x600 fs/read_write.c:940
 vfs_writev+0x1ee/0x370 fs/read_write.c:1004
 do_writev+0x11a/0x300 fs/read_write.c:1039
 __do_sys_writev fs/read_write.c:1112 [inline]
 __se_sys_writev fs/read_write.c:1109 [inline]
 __x64_sys_writev+0x75/0xb0 fs/read_write.c:1109
 do_syscall_64+0x1a3/0x800 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x457d81
Code: 75 14 b8 14 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 a4 b8 fb ff c3 48 83 ec 08 e8 1a 2d 00 00 48 89 04 24 b8 14 00 00 00 0f 05 <48> 8b 3c 24 48 89 c2 e8 63 2d 00 00 48 89 d0 48 83 c4 08 48 3d 01
RSP: 002b:00007f75aeefaba0 EFLAGS: 00000293 ORIG_RAX: 0000000000000014
RAX: ffffffffffffffda RBX: 000000000000004a RCX: 0000000000457d81
RDX: 0000000000000001 RSI: 00007f75aeefabf0 RDI: 00000000000000f0
RBP: 0000000020000080 R08: 00000000000000f0 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000293 R12: 00007f75aeefb6d4
R13: 00000000004c636f R14: 00000000004db3f8 R15: 00000000ffffffff

Allocated by task 7704:
 save_stack+0x45/0xd0 mm/kasan/kasan.c:448
 set_track mm/kasan/kasan.c:460 [inline]
 kasan_kmalloc mm/kasan/kasan.c:553 [inline]
 kasan_kmalloc+0xce/0xf0 mm/kasan/kasan.c:531
 kasan_slab_alloc+0xf/0x20 mm/kasan/kasan.c:490
 kmem_cache_alloc+0x12e/0x700 mm/slab.c:3554
 anon_vma_alloc mm/rmap.c:82 [inline]
 anon_vma_fork+0x18e/0x880 mm/rmap.c:341
 dup_mmap kernel/fork.c:545 [inline]
 dup_mm kernel/fork.c:1323 [inline]
 copy_mm kernel/fork.c:1378 [inline]
 copy_process+0x3a53/0x8730 kernel/fork.c:1922
 _do_fork+0x1a9/0x1170 kernel/fork.c:2221
 __do_sys_clone kernel/fork.c:2328 [inline]
 __se_sys_clone kernel/fork.c:2322 [inline]
 __x64_sys_clone+0xbf/0x150 kernel/fork.c:2322
 do_syscall_64+0x1a3/0x800 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 0:
(stack is not available)

The buggy address belongs to the object at ffff888096883698
 which belongs to the cache anon_vma of size 168
The buggy address is located 16 bytes to the right of
 168-byte region [ffff888096883698, ffff888096883740)
The buggy address belongs to the page:
page:ffffea00025a20c0 count:1 mapcount:0 mapping:ffff88821bc40340 index:0xffff888096883fef
flags: 0x1fffc0000000200(slab)
raw: 01fffc0000000200 ffffea000253c3c8 ffffea0002224608 ffff88821bc40340
raw: ffff888096883fef ffff888096883040 0000000100000011 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff888096883600: 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc fc
 ffff888096883680: fc fc fc 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff888096883700: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
                                                 ^
 ffff888096883780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff888096883800: 00 00 00 00 00 fc fc fc fc fc fc fc fc 00 00 00
==================================================================