IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready syz-executor808 (4186) used greatest stack depth: 23264 bytes left ================================================================== BUG: KASAN: slab-out-of-bounds in ip6_tnl_xmit2+0x2043/0x20d0 net/ipv6/ip6_tunnel.c:987 Read of size 16 at addr ffff8801d7c1c730 by task syz-executor808/4187 CPU: 1 PID: 4187 Comm: syz-executor808 Not tainted 4.4.147-ga5fc665 #16 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 0000000000000000 2fd84b2ece1ebb4e ffff8801d7006a70 ffffffff81e12a4d ffffea00075f0700 ffff8801d7c1c730 0000000000000000 ffff8801d7c1c738 ffff8800abd1d500 ffff8801d7006aa8 ffffffff81517fd6 ffff8801d7c1c730 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xc1/0x124 lib/dump_stack.c:51 [] print_address_description+0x6c/0x216 mm/kasan/report.c:252 [] kasan_report_error mm/kasan/report.c:351 [inline] [] kasan_report.cold.7+0x175/0x2f7 mm/kasan/report.c:408 [] __asan_report_load_n_noabort+0xf/0x20 mm/kasan/report.c:439 [] ip6_tnl_xmit2+0x2043/0x20d0 net/ipv6/ip6_tunnel.c:987 [] ip4ip6_tnl_xmit net/ipv6/ip6_tunnel.c:1129 [inline] [] ip6_tnl_xmit+0x910/0xc60 net/ipv6/ip6_tunnel.c:1203 [] __netdev_start_xmit include/linux/netdevice.h:3743 [inline] [] netdev_start_xmit include/linux/netdevice.h:3752 [inline] [] xmit_one net/core/dev.c:2759 [inline] [] dev_hard_start_xmit+0x7b1/0x11c0 net/core/dev.c:2775 [] __dev_queue_xmit+0x16c0/0x1c80 net/core/dev.c:3207 [] dev_queue_xmit+0x17/0x20 net/core/dev.c:3241 [] neigh_direct_output+0x15/0x20 net/core/neighbour.c:1366 [] dst_neigh_output include/net/dst.h:461 [inline] [] ip_finish_output2+0x6ab/0x1110 net/ipv4/ip_output.c:213 [] ip_do_fragment+0x19cc/0x2190 net/ipv4/ip_output.c:635 [] ip_fragment.constprop.51+0x143/0x200 net/ipv4/ip_output.c:505 [] ip_finish_output+0x48a/0xc00 net/ipv4/ip_output.c:286 [] NF_HOOK_COND include/linux/netfilter.h:240 [inline] [] ip_output+0x219/0x4c0 net/ipv4/ip_output.c:362 [] dst_output include/net/dst.h:498 [inline] [] ip_local_out+0x9b/0x180 net/ipv4/ip_output.c:119 [] ip_send_skb+0x3c/0xc0 net/ipv4/ip_output.c:1453 [] udp_send_skb+0x5c3/0xc60 net/ipv4/udp.c:842 [] udp_push_pending_frames+0x4e/0xe0 net/ipv4/udp.c:870 [] udp_sendmsg+0x1147/0x1c70 net/ipv4/udp.c:1104 [] udpv6_sendmsg+0x1d59/0x24c0 net/ipv6/udp.c:1178 [] inet_sendmsg+0x203/0x4d0 net/ipv4/af_inet.c:755 [] sock_sendmsg_nosec net/socket.c:626 [inline] [] sock_sendmsg+0xcc/0x110 net/socket.c:636 [] ___sys_sendmsg+0x441/0x880 net/socket.c:1963 [] __sys_sendmmsg+0x1d4/0x2e0 net/socket.c:2041 [] C_SYSC_sendmmsg net/compat.c:728 [inline] [] compat_SyS_sendmmsg+0x32/0x40 net/compat.c:725 [] do_syscall_32_irqs_on arch/x86/entry/common.c:393 [inline] [] do_fast_syscall_32+0x324/0x8b0 arch/x86/entry/common.c:460 [] sysenter_flags_fixed+0xd/0x1a Allocated by task 4187: [] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:63 [] save_stack+0x43/0xd0 mm/kasan/kasan.c:512 [] set_track mm/kasan/kasan.c:524 [inline] [] kasan_kmalloc+0xc7/0xe0 mm/kasan/kasan.c:616 [] __kmalloc+0x124/0x310 mm/slub.c:3613 [] kmalloc include/linux/slab.h:481 [inline] [] kzalloc include/linux/slab.h:620 [inline] [] neigh_alloc net/core/neighbour.c:285 [inline] [] __neigh_create+0x1d6/0x1b20 net/core/neighbour.c:457 [] neigh_create include/net/neighbour.h:313 [inline] [] ipv4_neigh_lookup+0x4dd/0x700 net/ipv4/route.c:464 [] dst_neigh_lookup include/net/dst.h:466 [inline] [] ip6_tnl_xmit2+0x613/0x20d0 net/ipv6/ip6_tunnel.c:982 [] ip4ip6_tnl_xmit net/ipv6/ip6_tunnel.c:1129 [inline] [] ip6_tnl_xmit+0x910/0xc60 net/ipv6/ip6_tunnel.c:1203 [] __netdev_start_xmit include/linux/netdevice.h:3743 [inline] [] netdev_start_xmit include/linux/netdevice.h:3752 [inline] [] xmit_one net/core/dev.c:2759 [inline] [] dev_hard_start_xmit+0x7b1/0x11c0 net/core/dev.c:2775 [] __dev_queue_xmit+0x16c0/0x1c80 net/core/dev.c:3207 [] dev_queue_xmit+0x17/0x20 net/core/dev.c:3241 [] neigh_direct_output+0x15/0x20 net/core/neighbour.c:1366 [] dst_neigh_output include/net/dst.h:461 [inline] [] ip_finish_output2+0x6ab/0x1110 net/ipv4/ip_output.c:213 [] ip_do_fragment+0x19cc/0x2190 net/ipv4/ip_output.c:635 [] ip_fragment.constprop.51+0x143/0x200 net/ipv4/ip_output.c:505 [] ip_finish_output+0x48a/0xc00 net/ipv4/ip_output.c:286 [] NF_HOOK_COND include/linux/netfilter.h:240 [inline] [] ip_output+0x219/0x4c0 net/ipv4/ip_output.c:362 [] dst_output include/net/dst.h:498 [inline] [] ip_local_out+0x9b/0x180 net/ipv4/ip_output.c:119 [] ip_send_skb+0x3c/0xc0 net/ipv4/ip_output.c:1453 [] udp_send_skb+0x5c3/0xc60 net/ipv4/udp.c:842 [] udp_push_pending_frames+0x4e/0xe0 net/ipv4/udp.c:870 [] udp_sendmsg+0x1147/0x1c70 net/ipv4/udp.c:1104 [] udpv6_sendmsg+0x1d59/0x24c0 net/ipv6/udp.c:1178 [] inet_sendmsg+0x203/0x4d0 net/ipv4/af_inet.c:755 [] sock_sendmsg_nosec net/socket.c:626 [inline] [] sock_sendmsg+0xcc/0x110 net/socket.c:636 [] ___sys_sendmsg+0x441/0x880 net/socket.c:1963 [] __sys_sendmmsg+0x1d4/0x2e0 net/socket.c:2041 [] C_SYSC_sendmmsg net/compat.c:728 [inline] [] compat_SyS_sendmmsg+0x32/0x40 net/compat.c:725 [] do_syscall_32_irqs_on arch/x86/entry/common.c:393 [inline] [] do_fast_syscall_32+0x324/0x8b0 arch/x86/entry/common.c:460 [] sysenter_flags_fixed+0xd/0x1a Freed by task 2542: [] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:63 [] save_stack+0x43/0xd0 mm/kasan/kasan.c:512 [] set_track mm/kasan/kasan.c:524 [inline] [] kasan_slab_free+0x72/0xc0 mm/kasan/kasan.c:589 [] slab_free_hook mm/slub.c:1383 [inline] [] slab_free_freelist_hook mm/slub.c:1405 [inline] [] slab_free mm/slub.c:2859 [inline] [] kfree+0xf4/0x310 mm/slub.c:3749 [] free_pipe_info+0x210/0x2c0 fs/pipe.c:657 [] put_pipe_info+0xb8/0xe0 fs/pipe.c:548 [] pipe_release+0x1af/0x250 fs/pipe.c:569 [] __fput+0x235/0x6f0 fs/file_table.c:208 [] ____fput+0x15/0x20 fs/file_table.c:244 [] task_work_run+0x10f/0x190 kernel/task_work.c:115 [] tracehook_notify_resume include/linux/tracehook.h:191 [inline] [] exit_to_usermode_loop+0x13d/0x160 arch/x86/entry/common.c:253 [] prepare_exit_to_usermode arch/x86/entry/common.c:284 [inline] [] syscall_return_slowpath+0x1b5/0x1f0 arch/x86/entry/common.c:349 [] int_ret_from_sys_call+0x25/0xa3 The buggy address belongs to the object at ffff8801d7c1c480 which belongs to the cache kmalloc-1024 of size 1024 The buggy address is located 688 bytes inside of 1024-byte region [ffff8801d7c1c480, ffff8801d7c1c880) The buggy address belongs to the page: kasan: CONFIG_KASAN_INLINE enabled kasan: GPF could be caused by NULL-ptr deref or user memory access general protection fault: 0000 [#1] PREEMPT SMP KASAN Dumping ftrace buffer: (ftrace buffer empty) Modules linked in: CPU: 0 PID: 4186 Comm: syz-executor808 Not tainted 4.4.147-ga5fc665 #16 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 task: ffff8800ba3fe000 task.stack: ffff8800b9890000 RIP: 0010:[] [] do_slab_free mm/slub.c:2830 [inline] RIP: 0010:[] [] slab_free mm/slub.c:2866 [inline] RIP: 0010:[] [] kmem_cache_free+0xd3/0x340 mm/slub.c:2881 RSP: 0018:ffff8801db207df8 EFLAGS: 00010287 RAX: 0000000000000000 RBX: ffff8801d843f300 RCX: ffff8801d7c1c480 RDX: 0000000000000000 RSI: 00000000000000fb RDI: ffffed003b087e60 RBP: ffff8801db207e20 R08: ffff8801d843f2ff R09: ffffed003b087e60 R10: 0000000000000001 R11: 0000000000000001 R12: ffffea0007610fc0 R13: ffff8801d6d8bdc0 R14: ffffffff8118b2c9 R15: 0000000000000246 FS: 0000000000000000(0000) GS:ffff8801db200000(0000) knlGS:0000000000000000 CS: 0010 DS: 002b ES: 002b CR0: 0000000080050033 CR2: 00000000080d78a0 CR3: 000000000440c000 CR4: 00000000001606f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Stack: ffff8801d843f300 ffff8800acc30000 0000000000000006 dffffc0000000000 ffff8801d843f328 ffff8801db207e40 ffffffff8118b2c9 ffff8801d843f320 ffff8801d9734230 ffff8801db207e58 ffffffff8118b316 ffff8801d843f320 Call Trace: [] put_pid+0xf9/0x130 kernel/pid.c:247 [] delayed_put_pid+0x16/0x20 kernel/pid.c:256 [] __rcu_reclaim kernel/rcu/rcu.h:118 [inline] [] rcu_do_batch kernel/rcu/tree.c:2705 [inline] [] invoke_rcu_callbacks kernel/rcu/tree.c:2973 [inline] [] __rcu_process_callbacks kernel/rcu/tree.c:2940 [inline] [] rcu_process_callbacks+0x927/0x1440 kernel/rcu/tree.c:2957 [] __do_softirq+0x22c/0xa1a kernel/softirq.c:273 [] invoke_softirq kernel/softirq.c:350 [inline] [] irq_exit+0x10d/0x140 kernel/softirq.c:391 [] exiting_irq arch/x86/include/asm/apic.h:652 [inline] [] smp_apic_timer_interrupt+0x81/0xa0 arch/x86/kernel/apic/apic.c:926 [] apic_timer_interrupt+0xa0/0xb0 arch/x86/entry/entry_64.S:741 [] vprintk_emit+0x51e/0x840 kernel/printk/printk.c:1832 [] vprintk+0x28/0x30 kernel/printk/printk.c:1843 [] vprintk_default+0x1d/0x30 kernel/printk/printk.c:1844 [] printk+0xaf/0xd7 kernel/printk/printk.c:1922 [] check_stack_usage kernel/exit.c:646 [inline] [] do_exit.cold.21+0x5d/0x2bb kernel/exit.c:810 [] do_group_exit+0x111/0x330 kernel/exit.c:885 [] SYSC_exit_group kernel/exit.c:896 [inline] [] SyS_exit_group+0x1d/0x20 kernel/exit.c:894 [] do_syscall_32_irqs_on arch/x86/entry/common.c:393 [inline] [] do_fast_syscall_32+0x324/0x8b0 arch/x86/entry/common.c:460 [] sysenter_flags_fixed+0xd/0x1a Code: 41 f6 45 0a 40 0f 84 c9 00 00 00 48 89 de 4c 89 ef e8 02 2e 00 00 49 8b 45 08 25 00 00 08 08 48 3d 00 00 00 08 74 50 49 8b 4d 00 <65> 48 8b 51 08 48 89 c8 65 48 03 05 bd d7 b1 7e 48 8b 70 08 48 RIP [] do_slab_free mm/slub.c:2830 [inline] RIP [] slab_free mm/slub.c:2866 [inline] RIP [] kmem_cache_free+0xd3/0x340 mm/slub.c:2881 RSP ---[ end trace f41d395388bb95e9 ]---