================================================================== BUG: KASAN: slab-out-of-bounds in __ipv6_addr_type+0x26c/0x290 net/ipv6/addrconf_core.c:68 Read of size 4 at addr ffff8800af34d938 by task syz-executor7/19038 CPU: 1 PID: 19038 Comm: syz-executor7 Not tainted 4.4.153+ #92 0000000000000000 1a60c99b76b48111 ffff8800afc26c70 ffffffff81a4571d ffffea0002bcd300 ffff8800af34d938 0000000000000000 ffff8800af34d938 ffff8801c9f7c400 ffff8800afc26ca8 ffffffff8146ae90 ffff8800af34d938 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xc1/0x124 lib/dump_stack.c:51 [] print_address_description+0x6c/0x217 mm/kasan/report.c:252 [] kasan_report_error mm/kasan/report.c:351 [inline] [] kasan_report.cold.6+0x175/0x2f7 mm/kasan/report.c:408 [] __asan_report_load4_noabort+0x14/0x20 mm/kasan/report.c:428 [] __ipv6_addr_type+0x26c/0x290 net/ipv6/addrconf_core.c:68 [] ipv6_addr_type include/net/ipv6.h:337 [inline] [] ip6_tnl_xmit2+0x2bb/0x2350 net/ipv6/ip6_tunnel.c:988 [] ip4ip6_tnl_xmit net/ipv6/ip6_tunnel.c:1129 [inline] [] ip6_tnl_xmit+0x91a/0xc70 net/ipv6/ip6_tunnel.c:1203 [] __netdev_start_xmit include/linux/netdevice.h:3743 [inline] [] netdev_start_xmit include/linux/netdevice.h:3752 [inline] [] xmit_one net/core/dev.c:2759 [inline] [] dev_hard_start_xmit+0x7bd/0x11c0 net/core/dev.c:2775 [] __dev_queue_xmit+0x16f5/0x1c30 net/core/dev.c:3207 [] dev_queue_xmit+0x17/0x20 net/core/dev.c:3241 [] neigh_direct_output+0x15/0x20 net/core/neighbour.c:1366 [] dst_neigh_output include/net/dst.h:461 [inline] [] ip_finish_output2+0x8f0/0x1100 net/ipv4/ip_output.c:213 [] ip_finish_output+0x882/0xc00 net/ipv4/ip_output.c:288 [] NF_HOOK_COND include/linux/netfilter.h:240 [inline] [] ip_output+0x219/0x4c0 net/ipv4/ip_output.c:362 [] dst_output include/net/dst.h:498 [inline] [] ip_local_out+0x9b/0x180 net/ipv4/ip_output.c:119 [] ip_send_skb+0x3c/0xc0 net/ipv4/ip_output.c:1453 [] udp_send_skb+0x503/0xc70 net/ipv4/udp.c:842 [] udp_sendmsg+0x16c9/0x1c70 net/ipv4/udp.c:1072 [] udpv6_sendmsg+0x12cd/0x24c0 net/ipv6/udp.c:1173 [] inet_sendmsg+0x203/0x4d0 net/ipv4/af_inet.c:755 [] sock_sendmsg_nosec net/socket.c:638 [inline] [] sock_sendmsg+0xbb/0x110 net/socket.c:648 [] ___sys_sendmsg+0x745/0x880 net/socket.c:1975 [] __sys_sendmsg+0xd6/0x190 net/socket.c:2009 [] SYSC_sendmsg net/socket.c:2020 [inline] [] SyS_sendmsg+0x2d/0x50 net/socket.c:2016 [] entry_SYSCALL_64_fastpath+0x1e/0x9a Allocated by task 19038: [] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:63 [] save_stack mm/kasan/kasan.c:512 [inline] [] set_track mm/kasan/kasan.c:524 [inline] [] kasan_kmalloc.part.1+0x62/0xf0 mm/kasan/kasan.c:616 [] kasan_kmalloc+0xaf/0xc0 mm/kasan/kasan.c:601 [] __kmalloc+0x124/0x310 mm/slub.c:3613 [] kmalloc include/linux/slab.h:481 [inline] [] kzalloc include/linux/slab.h:620 [inline] [] neigh_alloc net/core/neighbour.c:285 [inline] [] __neigh_create+0x1d6/0x1b20 net/core/neighbour.c:457 [] neigh_create include/net/neighbour.h:313 [inline] [] ipv4_neigh_lookup+0x4de/0x700 net/ipv4/route.c:464 [] dst_neigh_lookup include/net/dst.h:466 [inline] [] ip6_tnl_xmit2+0x28a/0x2350 net/ipv6/ip6_tunnel.c:982 [] ip4ip6_tnl_xmit net/ipv6/ip6_tunnel.c:1129 [inline] [] ip6_tnl_xmit+0x91a/0xc70 net/ipv6/ip6_tunnel.c:1203 [] __netdev_start_xmit include/linux/netdevice.h:3743 [inline] [] netdev_start_xmit include/linux/netdevice.h:3752 [inline] [] xmit_one net/core/dev.c:2759 [inline] [] dev_hard_start_xmit+0x7bd/0x11c0 net/core/dev.c:2775 [] __dev_queue_xmit+0x16f5/0x1c30 net/core/dev.c:3207 [] dev_queue_xmit+0x17/0x20 net/core/dev.c:3241 [] neigh_direct_output+0x15/0x20 net/core/neighbour.c:1366 [] dst_neigh_output include/net/dst.h:461 [inline] [] ip_finish_output2+0x8f0/0x1100 net/ipv4/ip_output.c:213 [] ip_finish_output+0x882/0xc00 net/ipv4/ip_output.c:288 [] NF_HOOK_COND include/linux/netfilter.h:240 [inline] [] ip_output+0x219/0x4c0 net/ipv4/ip_output.c:362 [] dst_output include/net/dst.h:498 [inline] [] ip_local_out+0x9b/0x180 net/ipv4/ip_output.c:119 [] ip_send_skb+0x3c/0xc0 net/ipv4/ip_output.c:1453 [] udp_send_skb+0x503/0xc70 net/ipv4/udp.c:842 [] udp_sendmsg+0x16c9/0x1c70 net/ipv4/udp.c:1072 [] udpv6_sendmsg+0x12cd/0x24c0 net/ipv6/udp.c:1173 [] inet_sendmsg+0x203/0x4d0 net/ipv4/af_inet.c:755 [] sock_sendmsg_nosec net/socket.c:638 [inline] [] sock_sendmsg+0xbb/0x110 net/socket.c:648 [] ___sys_sendmsg+0x745/0x880 net/socket.c:1975 [] __sys_sendmsg+0xd6/0x190 net/socket.c:2009 [] SYSC_sendmsg net/socket.c:2020 [inline] [] SyS_sendmsg+0x2d/0x50 net/socket.c:2016 [] entry_SYSCALL_64_fastpath+0x1e/0x9a Freed by task 2137: [] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:63 [] save_stack mm/kasan/kasan.c:512 [inline] [] set_track mm/kasan/kasan.c:524 [inline] [] kasan_slab_free+0xac/0x190 mm/kasan/kasan.c:589 [] slab_free_hook mm/slub.c:1383 [inline] [] slab_free_freelist_hook mm/slub.c:1405 [inline] [] slab_free mm/slub.c:2859 [inline] [] kfree+0xf4/0x310 mm/slub.c:3749 [] syslog_print kernel/printk/printk.c:1202 [inline] [] do_syslog+0x93e/0xb20 kernel/printk/printk.c:1331 [] kmsg_read+0x74/0xa0 fs/proc/kmsg.c:39 [] proc_reg_read+0xfd/0x180 fs/proc/inode.c:202 [] __vfs_read+0x11c/0x3d0 fs/read_write.c:432 [] vfs_read+0x130/0x360 fs/read_write.c:454 [] SYSC_read fs/read_write.c:569 [inline] [] SyS_read+0xd9/0x1c0 fs/read_write.c:562 [] entry_SYSCALL_64_fastpath+0x1e/0x9a The buggy address belongs to the object at ffff8800af34d680 which belongs to the cache kmalloc-1024 of size 1024 The buggy address is located 696 bytes inside of 1024-byte region [ffff8800af34d680, ffff8800af34da80) The buggy address belongs to the page: ------------[ cut here ]------------ WARNING: CPU: 0 PID: 0 at kernel/locking/lockdep.c:973 lock_accessed kernel/locking/lockdep.c:973 [inline]() WARNING: CPU: 0 PID: 0 at kernel/locking/lockdep.c:973 __bfs+0x2a9/0x5f0 kernel/locking/lockdep.c:1040()