================================================================== BUG: KASAN: alloca-out-of-bounds in tick_sched_handle+0x16d/0x180 kernel/time/tick-sched.c:162 Read of size 8 at addr ffff8801db106650 by task syz-executor3/9436 CPU: 1 PID: 9436 Comm: syz-executor3 Not tainted 4.16.0+ #2 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:17 [inline] dump_stack+0x1b9/0x29f lib/dump_stack.c:53 print_address_description+0x6c/0x20b mm/kasan/report.c:256 kasan_report_error mm/kasan/report.c:354 [inline] kasan_report.cold.7+0xac/0x2f5 mm/kasan/report.c:412 __asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:433 tick_sched_handle+0x16d/0x180 kernel/time/tick-sched.c:162 tick_sched_timer+0x42/0x130 kernel/time/tick-sched.c:1170 __run_hrtimer kernel/time/hrtimer.c:1349 [inline] __hrtimer_run_queues+0x3e3/0x10a0 kernel/time/hrtimer.c:1411 IPVS: set_ctl: invalid protocol: 40190 224.0.0.2:0 lblcr hrtimer_interrupt+0x2f3/0x750 kernel/time/hrtimer.c:1469 local_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1025 [inline] smp_apic_timer_interrupt+0x15d/0x710 arch/x86/kernel/apic/apic.c:1050 apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:862 RIP: 0010:__xfrm6_sort+0x340/0x470 net/ipv6/xfrm6_state.c:83 RSP: 0018:ffff8801db106678 EFLAGS: 00000206 ORIG_RAX: ffffffffffffff12 RAX: ffff88019a340640 RBX: ffff8801db106620 RCX: ffffffff8666d4f3 RDX: 0000000000000100 RSI: ffffffff8666d5e9 RDI: 0000000000000005 RBP: ffff8801db106748 R08: ffff88019a340640 R09: ffff8801db106620 R10: ffffed003b620cc6 R11: 0000000000000003 R12: dffffc0000000000 R13: 0000000000000006 R14: 0000000000000006 R15: 0000000000000000 __xfrm6_tmpl_sort+0x32/0x40 net/ipv6/xfrm6_state.c:153 xfrm_tmpl_sort+0x97/0x200 net/xfrm/xfrm_state.c:1647 __xfrm_policy_check+0xa06/0x2650 net/xfrm/xfrm_policy.c:2497 __xfrm_policy_check2 include/net/xfrm.h:1166 [inline] xfrm_policy_check include/net/xfrm.h:1175 [inline] xfrm6_policy_check include/net/xfrm.h:1185 [inline] rawv6_rcv+0x87f/0x1390 net/ipv6/raw.c:424 ipv6_raw_deliver net/ipv6/raw.c:224 [inline] raw6_local_deliver+0x545/0xcc0 net/ipv6/raw.c:240 ip6_input_finish+0x46a/0x1a30 net/ipv6/ip6_input.c:246 NF_HOOK include/linux/netfilter.h:288 [inline] ip6_input+0xe1/0x5e0 net/ipv6/ip6_input.c:327 dst_input include/net/dst.h:450 [inline] ip6_rcv_finish+0x29c/0xa10 net/ipv6/ip6_input.c:71 NF_HOOK include/linux/netfilter.h:288 [inline] ipv6_rcv+0xed6/0x22a0 net/ipv6/ip6_input.c:208 __netif_receive_skb_core+0x26f5/0x3630 net/core/dev.c:4592 __netif_receive_skb+0x2c/0x1e0 net/core/dev.c:4657 process_backlog+0x219/0x760 net/core/dev.c:5337 napi_poll net/core/dev.c:5735 [inline] net_rx_action+0x7b7/0x1930 net/core/dev.c:5801 __do_softirq+0x2e0/0xaf5 kernel/softirq.c:285 do_softirq_own_stack+0x2a/0x40 arch/x86/entry/entry_64.S:1045 do_softirq.part.17+0x14d/0x190 kernel/softirq.c:329 do_softirq arch/x86/include/asm/preempt.h:23 [inline] __local_bh_enable_ip+0x1ec/0x230 kernel/softirq.c:182 local_bh_enable include/linux/bottom_half.h:32 [inline] rcu_read_unlock_bh include/linux/rcupdate.h:728 [inline] ip6_finish_output2+0xcef/0x2810 net/ipv6/ip6_output.c:121 ip6_finish_output+0x5fe/0xbc0 net/ipv6/ip6_output.c:154 NF_HOOK_COND include/linux/netfilter.h:277 [inline] ip6_output+0x227/0x9b0 net/ipv6/ip6_output.c:171 dst_output include/net/dst.h:444 [inline] ip6_local_out+0xc5/0x1b0 net/ipv6/output_core.c:176 ip6_send_skb+0xba/0x340 net/ipv6/ip6_output.c:1689 ip6_push_pending_frames+0xc5/0xf0 net/ipv6/ip6_output.c:1709 rawv6_push_pending_frames net/ipv6/raw.c:616 [inline] rawv6_sendmsg+0x356e/0x4590 net/ipv6/raw.c:935 inet_sendmsg+0x19f/0x690 net/ipv4/af_inet.c:798 sock_sendmsg_nosec net/socket.c:629 [inline] sock_sendmsg+0xd5/0x120 net/socket.c:639 ___sys_sendmsg+0x525/0x940 net/socket.c:2117 __sys_sendmmsg+0x240/0x6f0 net/socket.c:2212 SYSC_sendmmsg net/socket.c:2241 [inline] SyS_sendmmsg+0x32/0x40 net/socket.c:2238 do_syscall_64+0x29e/0x9d0 arch/x86/entry/common.c:287 entry_SYSCALL_64_after_hwframe+0x42/0xb7 RIP: 0033:0x455259 RSP: 002b:00007f4db9bc4c68 EFLAGS: 00000246 ORIG_RAX: 0000000000000133 RAX: ffffffffffffffda RBX: 00007f4db9bc56d4 RCX: 0000000000455259 RDX: 0000000000000001 RSI: 0000000020008a00 RDI: 0000000000000013 RBP: 000000000072bea0 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff R13: 00000000000004c7 R14: 00000000006fa348 R15: 0000000000000000 The buggy address belongs to the page: page:ffffea00076c4180 count:1 mapcount:0 mapping:0000000000000000 index:0x0 flags: 0x2fffc0000000800(reserved) raw: 02fffc0000000800 0000000000000000 0000000000000000 00000001ffffffff raw: ffffea00076c41a0 ffffea00076c41a0 0000000000000000 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff8801db106500: 00 f2 f2 f2 f2 f2 f2 f2 f8 f2 f2 f2 f3 f3 f3 f3 ffff8801db106580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 >ffff8801db106600: ca ca ca ca 00 00 04 cb cb cb cb cb 00 00 00 00 ^ ffff8801db106680: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 00 00 f2 ffff8801db106700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ==================================================================