[Triage note: the title of this report is only the first kernel message in the log (the netdev "Dead loop" warning for ip6tnl0); the substantive finding is the KASAN slab-out-of-bounds below — a 16-byte read in ip6_tnl_xmit2 (net/ipv6/ip6_tunnel.c:987) on the ip4ip6 transmit path, against a neighbour entry that the "Allocated by" trace shows was created through ipv4_neigh_lookup. A 16-byte read from an IPv4 (ARP-table) neighbour's key would overrun the entry; confirm against the 4.4.128 source at that line before treating it as the root cause. The "Freed by task 3932" trace (xt_free_table_info) records the slab object's previous lifetime and is probably unrelated to the tunnel path — this is an out-of-bounds read, not a use-after-free. The trigger path is an ordinary sendmmsg() on a UDP socket (see the syscall trace), so once the tunnel device exists no further privilege appears to be needed to hit it; treat it as a kernel info-leak / DoS candidate.]

Dead loop on virtual device ip6tnl0, fix it urgently! ================================================================== Dead loop on virtual device ip6tnl0, fix it urgently! BUG: KASAN: slab-out-of-bounds in ip6_tnl_xmit2+0x2043/0x20d0 net/ipv6/ip6_tunnel.c:987 Read of size 16 at addr ffff8800b5c3d930 by task syz-executor3/4469 CPU: 1 PID: 4469 Comm: syz-executor3 Not tainted 4.4.128-ged3b23f #19 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 0000000000000000 72f1aff974fb2356 ffff8801c6d26b20 ffffffff81e0daad ffffea0002d70f00 ffff8800b5c3d930 0000000000000000 ffff8800b5c3d938 ffff8800b9980000 ffff8801c6d26b58 ffffffff815150ac ffff8800b5c3d930 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xc1/0x124 lib/dump_stack.c:51 [] print_address_description+0x6c/0x216 mm/kasan/report.c:252 [] kasan_report_error mm/kasan/report.c:351 [inline] [] kasan_report.cold.7+0x175/0x2f7 mm/kasan/report.c:408 [] __asan_report_load_n_noabort+0xf/0x20 mm/kasan/report.c:439 [] ip6_tnl_xmit2+0x2043/0x20d0 net/ipv6/ip6_tunnel.c:987 [] ip4ip6_tnl_xmit net/ipv6/ip6_tunnel.c:1129 [inline] [] ip6_tnl_xmit+0x910/0xc60 net/ipv6/ip6_tunnel.c:1203 [] __netdev_start_xmit include/linux/netdevice.h:3743 [inline] [] netdev_start_xmit include/linux/netdevice.h:3752 [inline] [] xmit_one net/core/dev.c:2759 [inline] [] dev_hard_start_xmit+0x7b1/0x11c0 net/core/dev.c:2775 [] __dev_queue_xmit+0x16c0/0x1c80 net/core/dev.c:3207 [] dev_queue_xmit+0x17/0x20 net/core/dev.c:3241 [] neigh_direct_output+0x15/0x20 net/core/neighbour.c:1358 [] dst_neigh_output include/net/dst.h:461 [inline] [] ip_finish_output2+0x6ab/0x1110 net/ipv4/ip_output.c:213 [] ip_do_fragment+0x198b/0x2150 net/ipv4/ip_output.c:633 [] ip_fragment.constprop.50+0x143/0x200 net/ipv4/ip_output.c:503 [] ip_finish_output+0x6c4/0xbc0 net/ipv4/ip_output.c:286 [] NF_HOOK_COND include/linux/netfilter.h:240 [inline] [] ip_output+0x219/0x4c0 net/ipv4/ip_output.c:362 [] dst_output 
include/net/dst.h:498 [inline] [] ip_local_out+0x9b/0x180 net/ipv4/ip_output.c:119 [] ip_send_skb+0x3c/0xc0 net/ipv4/ip_output.c:1450 [] udp_send_skb+0x5c3/0xc60 net/ipv4/udp.c:842 [] udp_sendmsg+0x16ce/0x1bb0 net/ipv4/udp.c:1070 [] udpv6_sendmsg+0x12cd/0x24c0 net/ipv6/udp.c:1173 [] inet_sendmsg+0x203/0x4d0 net/ipv4/af_inet.c:755 [] sock_sendmsg_nosec net/socket.c:625 [inline] [] sock_sendmsg+0xcc/0x110 net/socket.c:635 [] ___sys_sendmsg+0x441/0x880 net/socket.c:1962 [] __sys_sendmmsg+0x12e/0x2e0 net/socket.c:2047 [] SYSC_sendmmsg net/socket.c:2077 [inline] [] SyS_sendmmsg+0x35/0x60 net/socket.c:2072 [] entry_SYSCALL_64_fastpath+0x22/0x9e Allocated by task 4469: [] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:63 [] save_stack+0x43/0xd0 mm/kasan/kasan.c:512 [] set_track mm/kasan/kasan.c:524 [inline] [] kasan_kmalloc+0xc7/0xe0 mm/kasan/kasan.c:616 [] __kmalloc+0x124/0x310 mm/slub.c:3613 [] kmalloc include/linux/slab.h:481 [inline] [] kzalloc include/linux/slab.h:620 [inline] [] neigh_alloc net/core/neighbour.c:285 [inline] [] __neigh_create+0x1d6/0x1b20 net/core/neighbour.c:457 [] neigh_create include/net/neighbour.h:313 [inline] [] ipv4_neigh_lookup+0x4dd/0x700 net/ipv4/route.c:464 [] dst_neigh_lookup include/net/dst.h:466 [inline] [] ip6_tnl_xmit2+0x613/0x20d0 net/ipv6/ip6_tunnel.c:982 [] ip4ip6_tnl_xmit net/ipv6/ip6_tunnel.c:1129 [inline] [] ip6_tnl_xmit+0x910/0xc60 net/ipv6/ip6_tunnel.c:1203 [] __netdev_start_xmit include/linux/netdevice.h:3743 [inline] [] netdev_start_xmit include/linux/netdevice.h:3752 [inline] [] xmit_one net/core/dev.c:2759 [inline] [] dev_hard_start_xmit+0x7b1/0x11c0 net/core/dev.c:2775 [] __dev_queue_xmit+0x16c0/0x1c80 net/core/dev.c:3207 [] dev_queue_xmit+0x17/0x20 net/core/dev.c:3241 [] neigh_direct_output+0x15/0x20 net/core/neighbour.c:1358 [] dst_neigh_output include/net/dst.h:461 [inline] [] ip_finish_output2+0x6ab/0x1110 net/ipv4/ip_output.c:213 [] ip_do_fragment+0x198b/0x2150 net/ipv4/ip_output.c:633 [] 
ip_fragment.constprop.50+0x143/0x200 net/ipv4/ip_output.c:503 [] ip_finish_output+0x6c4/0xbc0 net/ipv4/ip_output.c:286 [] NF_HOOK_COND include/linux/netfilter.h:240 [inline] [] ip_output+0x219/0x4c0 net/ipv4/ip_output.c:362 [] dst_output include/net/dst.h:498 [inline] [] ip_local_out+0x9b/0x180 net/ipv4/ip_output.c:119 [] ip_send_skb+0x3c/0xc0 net/ipv4/ip_output.c:1450 [] udp_send_skb+0x5c3/0xc60 net/ipv4/udp.c:842 [] udp_sendmsg+0x16ce/0x1bb0 net/ipv4/udp.c:1070 [] udpv6_sendmsg+0x12cd/0x24c0 net/ipv6/udp.c:1173 [] inet_sendmsg+0x203/0x4d0 net/ipv4/af_inet.c:755 [] sock_sendmsg_nosec net/socket.c:625 [inline] [] sock_sendmsg+0xcc/0x110 net/socket.c:635 [] ___sys_sendmsg+0x441/0x880 net/socket.c:1962 [] __sys_sendmmsg+0x12e/0x2e0 net/socket.c:2047 [] SYSC_sendmmsg net/socket.c:2077 [inline] [] SyS_sendmmsg+0x35/0x60 net/socket.c:2072 [] entry_SYSCALL_64_fastpath+0x22/0x9e Freed by task 3932: [] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:63 [] save_stack+0x43/0xd0 mm/kasan/kasan.c:512 [] set_track mm/kasan/kasan.c:524 [inline] [] kasan_slab_free+0x72/0xc0 mm/kasan/kasan.c:589 [] slab_free_hook mm/slub.c:1383 [inline] [] slab_free_freelist_hook mm/slub.c:1405 [inline] [] slab_free mm/slub.c:2859 [inline] [] kfree+0xf4/0x310 mm/slub.c:3749 [] kvfree+0x4b/0x60 mm/util.c:323 [] xt_free_table_info+0x14f/0x1b0 net/netfilter/x_tables.c:1019 [] __do_replace+0x400/0x620 net/ipv6/netfilter/ip6_tables.c:1259 [] do_replace net/ipv6/netfilter/ip6_tables.c:1315 [inline] [] do_ip6t_set_ctl+0x2e1/0x450 net/ipv6/netfilter/ip6_tables.c:1862 [] nf_sockopt net/netfilter/nf_sockopt.c:105 [inline] [] nf_setsockopt+0x6d/0xc0 net/netfilter/nf_sockopt.c:114 [] ipv6_setsockopt+0xc8/0x130 net/ipv6/ipv6_sockglue.c:909 [] tcp_setsockopt+0x88/0xe0 net/ipv4/tcp.c:2641 [] sock_common_setsockopt+0x9a/0xe0 net/core/sock.c:2659 [] SYSC_setsockopt net/socket.c:1767 [inline] [] SyS_setsockopt+0x166/0x260 net/socket.c:1746 [] tracesys_phase2+0x94/0x99 The buggy address belongs to the object 
at ffff8800b5c3d680 which belongs to the cache kmalloc-1024 of size 1024 The buggy address is located 688 bytes inside of 1024-byte region [ffff8800b5c3d680, ffff8800b5c3da80) The buggy address belongs to the page:

[Note: the KASAN report is truncated here — the page and shadow-memory dump that would normally follow is missing. What follows is a second, distinct crash record from the same run: a general protection fault in debug_object_deactivate while PID 3936 (not 4469) exits on CPU 0. RBX/RDI hold a non-canonical pointer and RAX holds the KASAN shadow offset, so the fault is the shadow check on a corrupted debugobjects list node; that may be fallout from the memory corruption above, but this log does not establish the link.]

kasan: CONFIG_KASAN_INLINE enabled kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] PREEMPT SMP KASAN Dumping ftrace buffer: (ftrace buffer empty) Modules linked in: CPU: 0 PID: 3936 Comm: syz-executor3 Not tainted 4.4.128-ged3b23f #19 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 task: ffff8800a3689800 task.stack: ffff8800ba9d0000 RIP: 0010:[] [] lookup_object lib/debugobjects.c:120 [inline] RIP: 0010:[] [] debug_object_deactivate+0x191/0x340 lib/debugobjects.c:465 RSP: 0018:ffff8801db207cf0 EFLAGS: 00010803 RAX: dffffc0000000000 RBX: c42fe8df89480b0f RCX: 1885fd1bf1290164 RDX: 1ffffffff0b43f3f RSI: ffffffff844c64e0 RDI: c42fe8df89480b27 RBP: ffff8801db207da8 R08: ffffffff85363dd0 R09: 0000000000000001 R10: 0000000000000001 R11: ffff8800a3689800 R12: 1ffff1003b640fa0 R13: ffffffff85a1f9e8 R14: ffff8801c6dc7b10 R15: 0000000000000003 FS: 0000000000000000(0000) GS:ffff8801db200000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: ffffffff8148ca77 CR3: 00000000ab90a000 CR4: 0000000000160670 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Stack: 0000000000000092 ffffffff844c64e0 0000000041b58ab3 ffffffff84208a1f ffffffff81e6f430 ffff8800a3689800 ffffed00146d141b ffff8800a368a0e0 ffff8801db219658 0000000000000001 ffff8801db207d80 ffffffff81229442 Call Trace: [] debug_hrtimer_deactivate kernel/time/hrtimer.c:415 [inline] [] debug_deactivate kernel/time/hrtimer.c:461 [inline] [] __run_hrtimer kernel/time/hrtimer.c:1229 [inline] [] __hrtimer_run_queues+0x222/0x1000 kernel/time/hrtimer.c:1324 [] hrtimer_interrupt+0x1b1/0x430 kernel/time/hrtimer.c:1358 
[] local_apic_timer_interrupt+0x74/0xa0 arch/x86/kernel/apic/apic.c:901 [] smp_apic_timer_interrupt+0x7c/0xa0 arch/x86/kernel/apic/apic.c:925 [] apic_timer_interrupt+0xa0/0xb0 arch/x86/entry/entry_64.S:741 [] dump_trace+0x17a/0x360 arch/x86/kernel/dumpstack_64.c:243 [] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:63 [] save_stack+0x43/0xd0 mm/kasan/kasan.c:512 [] set_track mm/kasan/kasan.c:524 [inline] [] kasan_slab_free+0x72/0xc0 mm/kasan/kasan.c:589 [] slab_free_hook mm/slub.c:1383 [inline] [] slab_free_freelist_hook mm/slub.c:1405 [inline] [] slab_free mm/slub.c:2859 [inline] [] kmem_cache_free+0xbe/0x340 mm/slub.c:2881 [] anon_vma_chain_free mm/rmap.c:129 [inline] [] unlink_anon_vmas+0xb3/0x640 mm/rmap.c:397 [] free_pgtables+0xe6/0x330 mm/memory.c:540 [] exit_mmap+0x1d8/0x3a0 mm/mmap.c:2928 [] __mmput kernel/fork.c:715 [inline] [] mmput+0xf8/0x2d0 kernel/fork.c:735 [] exit_mm kernel/exit.c:444 [inline] [] do_exit+0x8d8/0x26b0 kernel/exit.c:746 [] do_group_exit+0x111/0x330 kernel/exit.c:889 [] SYSC_exit_group kernel/exit.c:900 [inline] [] SyS_exit_group+0x1d/0x20 kernel/exit.c:898 [] entry_SYSCALL_64_fastpath+0x22/0x9e Code: a9 01 00 00 48 8b 1b 41 bf 01 00 00 00 48 85 db 74 42 48 b8 00 00 00 00 00 fc ff df 48 8d 7b 18 41 83 c7 01 48 89 f9 48 c1 e9 03 <80> 3c 01 00 0f 85 0c 01 00 00 4c 3b 73 18 74 7d 48 89 d9 48 c1 RIP [] lookup_object lib/debugobjects.c:120 [inline] RIP [] debug_object_deactivate+0x191/0x340 lib/debugobjects.c:465 RSP ---[ end trace a3a897126342b1e6 ]---