==================================================================
BUG: KASAN: slab-out-of-bounds in ip6_dst_idev include/net/ip6_fib.h:141 [inline]
BUG: KASAN: slab-out-of-bounds in ip6_xmit+0x177c/0x1a00 net/ipv6/ip6_output.c:237
Read of size 8 at addr ffff8801d4079c98 by task syz-executor1/6284

CPU: 0 PID: 6284 Comm: syz-executor1 Not tainted 4.4.152-ge5c5f1f #89
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 0000000000000000 224bfe9a6d02b24c ffff8801bc84f5c8 ffffffff81e15fed
 ffffea0007501e40 ffff8801d4079c98 0000000000000000 ffff8801d4079c98
 0000000000001000 ffff8801bc84f600 ffffffff8151b489 ffff8801d4079c98
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x124 lib/dump_stack.c:51
 [] print_address_description+0x6c/0x216 mm/kasan/report.c:252
 [] kasan_report_error mm/kasan/report.c:351 [inline]
 [] kasan_report.cold.7+0x175/0x2f7 mm/kasan/report.c:408
 [] __asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:429
 [] ip6_dst_idev include/net/ip6_fib.h:141 [inline]
 [] ip6_xmit+0x177c/0x1a00 net/ipv6/ip6_output.c:237
 [] inet6_csk_xmit+0x245/0x490 net/ipv6/inet6_connection_sock.c:176
 [] l2tp_xmit_core net/l2tp/l2tp_core.c:1084 [inline]
 [] l2tp_xmit_skb+0xb9c/0xe80 net/l2tp/l2tp_core.c:1179
 [] pppol2tp_sendmsg+0x4e0/0x7d0 net/l2tp/l2tp_ppp.c:355
 [] sock_sendmsg_nosec net/socket.c:638 [inline]
 [] sock_sendmsg+0xcc/0x110 net/socket.c:648
 [] ___sys_sendmsg+0x441/0x880 net/socket.c:1975
 [] __sys_sendmmsg+0x12e/0x2e0 net/socket.c:2060
 [] SYSC_sendmmsg net/socket.c:2090 [inline]
 [] SyS_sendmmsg+0x35/0x60 net/socket.c:2085
 [] entry_SYSCALL_64_fastpath+0x22/0x9e

Allocated by task 0:
(stack is not available)

Freed by task 0:
(stack is not available)

The buggy address belongs to the object at ffff8801d4079c80
 which belongs to the cache ip_dst_cache of size 208
The buggy address is located 24 bytes inside of
 208-byte region [ffff8801d4079c80, ffff8801d4079d50)
The buggy address belongs to the page:
BUG: unable to handle kernel paging request at ffffeb88001d4060
IP: [] virt_to_head_page include/linux/mm.h:521 [inline]
IP: [] qlink_to_cache mm/kasan/quarantine.c:127 [inline]
IP: [] qlist_free_all+0x7d/0xc0 mm/kasan/quarantine.c:163
PGD 0
Oops: 0000 [#1] PREEMPT SMP KASAN
Dumping ftrace buffer:
   (ftrace buffer empty)
Modules linked in:
CPU: 1 PID: 6325 Comm: syz-executor7 Not tainted 4.4.152-ge5c5f1f #89
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
task: ffff8801d93f6000 task.stack: ffff8801bc8d0000
RIP: 0010:[] [] virt_to_head_page include/linux/mm.h:521 [inline]
RIP: 0010:[] [] qlink_to_cache mm/kasan/quarantine.c:127 [inline]
RIP: 0010:[] [] qlist_free_all+0x7d/0xc0 mm/kasan/quarantine.c:163
RSP: 0018:ffff8801bc8d7858  EFLAGS: 00010282
RAX: ffffeb88001d4040 RBX: 0000000000000000 RCX: ffffea0000000000
RDX: 000077ff80000000 RSI: ffffea0007501e40 RDI: 0000000000000000
RBP: ffff8801bc8d7880 R08: ffff8801bc008000 R09: 0000000180070006
R10: ffffea0006f00200 R11: 0000000000000000 R12: ffffea0007501e40
R13: ffffffff814fe94e R14: ffff8801bc8d7898 R15: 0000000080000000
FS:  00007fe83ab85700(0000) GS:ffff8801db300000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffeb88001d4060 CR3: 00000000b225b000 CR4: 00000000001606f0
Stack:
 0000000000000000 ffff8801bc8d7898 ffff8801cfb95180 00000000024000c0
 ffffffff82f41166 ffff8801bc8d78c8 ffffffff814fedef ffffffff814fecf2
 ffff8801d7db2bd0 ffff8801d7f6fe70 0000000000100030 1cb41060ea310eae
Call Trace:
 [] quarantine_reduce+0x18f/0x1d0 mm/kasan/quarantine.c:259
 [] kasan_kmalloc+0x9b/0xe0 mm/kasan/kasan.c:601
 [] kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:554
 [] slab_post_alloc_hook mm/slub.c:1349 [inline]
 [] slab_alloc_node mm/slub.c:2615 [inline]
 [] slab_alloc mm/slub.c:2623 [inline]
 [] kmem_cache_alloc+0xbe/0x2a0 mm/slub.c:2628
 [] kmem_cache_alloc_node include/linux/slab.h:350 [inline]
 [] __alloc_skb+0xe6/0x5b0 net/core/skbuff.c:218
 [] alloc_skb_fclone include/linux/skbuff.h:856 [inline]
 [] sk_stream_alloc_skb+0xa3/0x5d0 net/ipv4/tcp.c:833
 [] tcp_sendmsg+0xd34/0x2b10 net/ipv4/tcp.c:1178
 [] inet_sendmsg+0x203/0x4d0 net/ipv4/af_inet.c:755
 [] sock_sendmsg_nosec net/socket.c:638 [inline]
 [] sock_sendmsg+0xcc/0x110 net/socket.c:648
 [] SYSC_sendto+0x21c/0x370 net/socket.c:1678
 [] SyS_sendto+0x40/0x50 net/socket.c:1646
 [] entry_SYSCALL_64_fastpath+0x22/0x9e
Code: db 48 89 f0 4c 01 f8 72 59 48 ba 00 00 00 80 ff 77 00 00 48 b9 00 00 00 00 00 ea ff ff 48 01 d0 48 c1 e8 0c 48 c1 e0 06 48 01 c8 <48> 8b 50 20 48 8d 4a ff 83 e2 01 48 0f 45 c1 48 8b 78 30 eb 9c
RIP  [] virt_to_head_page include/linux/mm.h:521 [inline]
RIP  [] qlink_to_cache mm/kasan/quarantine.c:127 [inline]
RIP  [] qlist_free_all+0x7d/0xc0 mm/kasan/quarantine.c:163
 RSP
CR2: ffffeb88001d4060
---[ end trace e181d83011db28ae ]---