==================================================================
BUG: KASAN: slab-out-of-bounds in __ptr_ring_produce include/linux/ptr_ring.h:109 [inline]
BUG: KASAN: slab-out-of-bounds in ptr_ring_produce include/linux/ptr_ring.h:132 [inline]
BUG: KASAN: slab-out-of-bounds in skb_array_produce include/linux/skb_array.h:48 [inline]
BUG: KASAN: slab-out-of-bounds in tun_net_xmit+0xf18/0x1010 drivers/net/tun.c:916
Read of size 8 at addr ffff8801c80628a8 by task syz-executor0/32340

CPU: 0 PID: 32340 Comm: syz-executor0 Not tainted 4.14.79+ #1
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0xb9/0x11b lib/dump_stack.c:53
 print_address_description+0x60/0x22b mm/kasan/report.c:252
 kasan_report_error mm/kasan/report.c:351 [inline]
 kasan_report.cold.6+0x11b/0x2dd mm/kasan/report.c:409
 __ptr_ring_produce include/linux/ptr_ring.h:109 [inline]
 ptr_ring_produce include/linux/ptr_ring.h:132 [inline]
 skb_array_produce include/linux/skb_array.h:48 [inline]
 tun_net_xmit+0xf18/0x1010 drivers/net/tun.c:916
 __netdev_start_xmit include/linux/netdevice.h:4030 [inline]
 netdev_start_xmit include/linux/netdevice.h:4039 [inline]
 xmit_one net/core/dev.c:3009 [inline]
 dev_hard_start_xmit+0x191/0x890 net/core/dev.c:3025
 sch_direct_xmit+0x280/0x520 net/sched/sch_generic.c:186
 __dev_xmit_skb net/core/dev.c:3218 [inline]
 __dev_queue_xmit+0x16fd/0x1f40 net/core/dev.c:3493
 neigh_hh_output include/net/neighbour.h:472 [inline]
 neigh_output include/net/neighbour.h:480 [inline]
 ip6_finish_output2+0x10a2/0x1e70 net/ipv6/ip6_output.c:120
 ip6_finish_output+0x62e/0xb10 net/ipv6/ip6_output.c:154
 NF_HOOK_COND include/linux/netfilter.h:239 [inline]
 ip6_output+0x1dd/0x680 net/ipv6/ip6_output.c:171
 dst_output include/net/dst.h:459 [inline]
 NF_HOOK include/linux/netfilter.h:250 [inline]
 mld_sendpack+0xaad/0xfa0 net/ipv6/mcast.c:1659
 mld_send_cr net/ipv6/mcast.c:1955 [inline]
 mld_ifc_timer_expire+0x3b6/0x7c0 net/ipv6/mcast.c:2454
 call_timer_fn+0x163/0x6a0 kernel/time/timer.c:1279
ip6_tunnel: ip6tnl1 xmit: Local address not yet configured!
 expire_timers+0x1f3/0x4a0 kernel/time/timer.c:1318
 __run_timers kernel/time/timer.c:1634 [inline]
 run_timer_softirq+0x1da/0x560 kernel/time/timer.c:1647
 __do_softirq+0x215/0x997 kernel/softirq.c:288
 invoke_softirq kernel/softirq.c:368 [inline]
 irq_exit+0x10f/0x150 kernel/softirq.c:409
 exiting_irq arch/x86/include/asm/apic.h:648 [inline]
 smp_apic_timer_interrupt+0x188/0x5f0 arch/x86/kernel/apic/apic.c:1064
 apic_timer_interrupt+0x84/0x90 arch/x86/entry/entry_64.S:787
RIP: 0010:arch_local_irq_restore arch/x86/include/asm/paravirt.h:778 [inline]
RIP: 0010:lock_acquire+0x15c/0x380 kernel/locking/lockdep.c:3994
RSP: 0018:ffff8801aaf4f828 EFLAGS: 00000246 ORIG_RAX: ffffffffffffff10
RAX: 0000000000000007 RBX: 0000000000000246 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffff8801d65aa028 RDI: 0000000000000246
RBP: ffff8801d65a9780 R08: 0000000000002775 R09: ffffffffa3ada288
R10: ffff8801d65aa028 R11: 0000000000000001 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000002 R15: 0000000000000001
 __raw_read_lock include/linux/rwlock_api_smp.h:149 [inline]
 _raw_read_lock+0x2d/0x40 kernel/locking/spinlock.c:224
 ext4_es_lookup_extent+0x8d/0xab0 fs/ext4/extents_status.c:793
 ext4_map_blocks+0x12d/0x1560 fs/ext4/inode.c:526
 ext4_getblk+0x31c/0x400 fs/ext4/inode.c:966
 ext4_bread_batch+0x78/0x330 fs/ext4/inode.c:1036
 ext4_find_entry+0x44c/0xcd0 fs/ext4/namei.c:1424
 ext4_rmdir+0x190/0xad0 fs/ext4/namei.c:2926
 vfs_rmdir2+0x21a/0x420 fs/namei.c:3901
 do_rmdir+0x2f5/0x3a0 fs/namei.c:3967
 do_syscall_64+0x19b/0x4b0 arch/x86/entry/common.c:289
 entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x4572d7
RSP: 002b:00007ffd0c2d9068 EFLAGS: 00000207 ORIG_RAX: 0000000000000054
RAX: ffffffffffffffda RBX: 0000000000000065 RCX: 00000000004572d7
RDX: 0000000000000000 RSI: 000000000070d698 RDI: 00007ffd0c2da1a0
RBP: 000000000000097c R08: 0000000000000000 R09: 0000000000000001
R10: 000000000000000a R11: 0000000000000207 R12: 00007ffd0c2da1a0
R13: 0000000002149940 R14: 0000000000000000 R15: 0000000000000000

Allocated by task 16153:
 save_stack mm/kasan/kasan.c:447 [inline]
 set_track mm/kasan/kasan.c:459 [inline]
 kasan_kmalloc.part.1+0x4f/0xd0 mm/kasan/kasan.c:551
 __kmalloc+0x153/0x340 mm/slub.c:3760
 __kmalloc_node include/linux/slab.h:356 [inline]
 kmalloc_node include/linux/slab.h:530 [inline]
 kvmalloc_node+0x42/0xd0 mm/util.c:397
 kvmalloc include/linux/mm.h:531 [inline]
 kvmalloc_array include/linux/mm.h:547 [inline]
 __ptr_ring_init_queue_alloc include/linux/ptr_ring.h:455 [inline]
 ptr_ring_resize_multiple include/linux/ptr_ring.h:613 [inline]
 skb_array_resize_multiple include/linux/skb_array.h:200 [inline]
 tun_queue_resize drivers/net/tun.c:2809 [inline]
 tun_device_event+0x450/0xc50 drivers/net/tun.c:2827
 notifier_call_chain+0x114/0x1b0 kernel/notifier.c:93
 call_netdevice_notifiers+0x6e/0xa0 net/core/dev.c:1687
 do_setlink+0xb7d/0x2cb0 net/core/rtnetlink.c:2096
 rtnl_group_changelink net/core/rtnetlink.c:2482 [inline]
 rtnl_newlink+0xbae/0x16d0 net/core/rtnetlink.c:2636
 rtnetlink_rcv_msg+0x3bb/0xb30 net/core/rtnetlink.c:4282
 netlink_rcv_skb+0x130/0x390 net/netlink/af_netlink.c:2432
 netlink_unicast_kernel net/netlink/af_netlink.c:1286 [inline]
 netlink_unicast+0x46d/0x620 net/netlink/af_netlink.c:1312
 netlink_sendmsg+0x664/0xbe0 net/netlink/af_netlink.c:1877
 sock_sendmsg_nosec net/socket.c:645 [inline]
 sock_sendmsg+0xb5/0x100 net/socket.c:655
 ___sys_sendmsg+0x741/0x890 net/socket.c:2061
 __sys_sendmsg+0xca/0x170 net/socket.c:2095
 SYSC_sendmsg net/socket.c:2106 [inline]
 SyS_sendmsg+0x27/0x40 net/socket.c:2102
 do_syscall_64+0x19b/0x4b0 arch/x86/entry/common.c:289
 entry_SYSCALL_64_after_hwframe+0x42/0xb7

Freed by task 14379:
 save_stack mm/kasan/kasan.c:447 [inline]
 set_track mm/kasan/kasan.c:459 [inline]
 kasan_slab_free+0xac/0x190 mm/kasan/kasan.c:524
 slab_free_hook mm/slub.c:1389 [inline]
 slab_free_freelist_hook mm/slub.c:1410 [inline]
 slab_free mm/slub.c:2966 [inline]
 kfree+0xf5/0x310 mm/slub.c:3897
 call_usermodehelper_freeinfo kernel/umh.c:43 [inline]
 call_usermodehelper_exec+0x209/0x440 kernel/umh.c:458
 call_modprobe kernel/kmod.c:99 [inline]
 __request_module+0x3a3/0x917 kernel/kmod.c:171
 crypto_larval_lookup.part.2+0x1e2/0x2b0 crypto/api.c:224
 crypto_larval_lookup crypto/api.c:212 [inline]
 crypto_alg_mod_lookup+0x6c/0x120 crypto/api.c:271
 crypto_attr_alg2+0xfc/0x137 crypto/algapi.c:805
 shash_attr_alg+0x25/0x50 crypto/shash.c:573
 hmac_create+0x73/0x660 crypto/hmac.c:195
 cryptomgr_probe+0x67/0x290 crypto/algboss.c:75
 kthread+0x348/0x420 kernel/kthread.c:232
 ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:402

The buggy address belongs to the object at ffff8801c8062840
 which belongs to the cache kmalloc-128 of size 128
The buggy address is located 104 bytes inside of
 128-byte region [ffff8801c8062840, ffff8801c80628c0)
The buggy address belongs to the page:
page:ffffea0007201880 count:1 mapcount:0 mapping:          (null) index:0x0
flags: 0x4000000000000100(slab)
raw: 4000000000000100 0000000000000000 0000000000000000 0000000180150015
raw: 0000000000000000 0000000b00000001 ffff8801da803200 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8801c8062780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8801c8062800: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
>ffff8801c8062880: 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc
                                  ^
 ffff8801c8062900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8801c8062980: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
==================================================================