IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready
8021q: adding VLAN 0 to HW filter on device team0
protocol 8847 is buggy, dev sit0
==================================================================
BUG: KASAN: use-after-free in skb_is_gso include/linux/skbuff.h:4035 [inline]
BUG: KASAN: use-after-free in iptunnel_handle_offloads+0x62b/0x710 net/ipv4/ip_tunnel_core.c:170
Read of size 2 at addr ffff8801bf8c85c4 by task syzkaller240200/4434
IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready

CPU: 1 PID: 4434 Comm: syzkaller240200 Not tainted 4.16.0+ #4
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1b9/0x294 lib/dump_stack.c:113
IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
 print_address_description+0x6c/0x20b mm/kasan/report.c:256
IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
 kasan_report_error mm/kasan/report.c:354 [inline]
 kasan_report.cold.7+0xac/0x2f5 mm/kasan/report.c:412
 __asan_report_load2_noabort+0x14/0x20 mm/kasan/report.c:431
IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready
 skb_is_gso include/linux/skbuff.h:4035 [inline]
 iptunnel_handle_offloads+0x62b/0x710 net/ipv4/ip_tunnel_core.c:170
8021q: adding VLAN 0 to HW filter on device team0
 sit_tunnel_xmit__+0x2a/0x160 net/ipv6/sit.c:1006
IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready
 sit_tunnel_xmit+0x1275/0x30b0 net/ipv6/sit.c:1031
8021q: adding VLAN 0 to HW filter on device team0
protocol 8847 is buggy, dev sit0
protocol 8847 is buggy, dev sit0
protocol 8847 is buggy, dev sit0
protocol 8847 is buggy, dev sit0
protocol 8847 is buggy, dev sit0
protocol 8847 is buggy, dev sit0
 __netdev_start_xmit include/linux/netdevice.h:4087 [inline]
 netdev_start_xmit include/linux/netdevice.h:4096 [inline]
 xmit_one net/core/dev.c:3053 [inline]
 dev_hard_start_xmit+0x264/0xc10 net/core/dev.c:3069
protocol 8847 is buggy, dev sit0
protocol 8847 is buggy, dev sit0
protocol 8847 is buggy, dev sit0
 __dev_queue_xmit+0x2724/0x34c0 net/core/dev.c:3584
IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
 dev_queue_xmit+0x17/0x20 net/core/dev.c:3617
 packet_snd net/packet/af_packet.c:2944 [inline]
 packet_sendmsg+0x411d/0x6100 net/packet/af_packet.c:2969
IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
 sock_sendmsg_nosec net/socket.c:629 [inline]
 sock_sendmsg+0xd5/0x120 net/socket.c:639
 __sys_sendto+0x3d7/0x670 net/socket.c:1789
 SYSC_sendto net/socket.c:1801 [inline]
 SyS_sendto+0x40/0x60 net/socket.c:1797
IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready
 do_syscall_64+0x29e/0x9d0 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x441909
RSP: 002b:00007fffda4e37e8 EFLAGS: 00000212 ORIG_RAX: 000000000000002c
RAX: ffffffffffffffda RBX: 000000000000001b RCX: 0000000000441909
RDX: 0000000000000000 RSI: 0000000020003fd9 RDI: 0000000000000004
RBP: 00000000004a3518 R08: 0000000020000000 R09: 000000000000001c
R10: 0000000000000000 R11: 0000000000000212 R12: 00007fffda4e38e8
R13: 00000000004025e0 R14: 0000000000000000 R15: 0000000000000000

Allocated by task 4434:
 save_stack+0x43/0xd0 mm/kasan/kasan.c:447
 set_track mm/kasan/kasan.c:459 [inline]
 kasan_kmalloc+0xc4/0xe0 mm/kasan/kasan.c:552
 __do_kmalloc_node mm/slab.c:3670 [inline]
 __kmalloc_node_track_caller+0x47/0x70 mm/slab.c:3684
 __kmalloc_reserve.isra.38+0x3a/0xe0 net/core/skbuff.c:137
 __alloc_skb+0x14d/0x780 net/core/skbuff.c:205
 alloc_skb include/linux/skbuff.h:987 [inline]
 alloc_skb_with_frags+0x137/0x760 net/core/skbuff.c:5248
 sock_alloc_send_pskb+0x87a/0xae0 net/core/sock.c:2088
 packet_alloc_skb net/packet/af_packet.c:2803 [inline]
 packet_snd net/packet/af_packet.c:2894 [inline]
 packet_sendmsg+0x1bd1/0x6100 net/packet/af_packet.c:2969
 sock_sendmsg_nosec net/socket.c:629 [inline]
 sock_sendmsg+0xd5/0x120 net/socket.c:639
 __sys_sendto+0x3d7/0x670 net/socket.c:1789
 SYSC_sendto net/socket.c:1801 [inline]
 SyS_sendto+0x40/0x60 net/socket.c:1797
 do_syscall_64+0x29e/0x9d0 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x42/0xb7

Freed by task 4434:
 save_stack+0x43/0xd0 mm/kasan/kasan.c:447
 set_track mm/kasan/kasan.c:459 [inline]
 __kasan_slab_free+0x11a/0x170 mm/kasan/kasan.c:520
 kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:527
 __cache_free mm/slab.c:3486 [inline]
 kfree+0xd9/0x260 mm/slab.c:3801
 skb_free_head+0x99/0xc0 net/core/skbuff.c:550
 skb_release_data+0x690/0x860 net/core/skbuff.c:570
 skb_release_all+0x4a/0x60 net/core/skbuff.c:627
 __kfree_skb net/core/skbuff.c:641 [inline]
 consume_skb+0x18b/0x550 net/core/skbuff.c:701
 packet_rcv+0x16a/0x1830 net/packet/af_packet.c:2162
 dev_queue_xmit_nit+0x891/0xb90 net/core/dev.c:2018
 xmit_one net/core/dev.c:3049 [inline]
 dev_hard_start_xmit+0x16b/0xc10 net/core/dev.c:3069
 __dev_queue_xmit+0x2724/0x34c0 net/core/dev.c:3584
 dev_queue_xmit+0x17/0x20 net/core/dev.c:3617
 packet_snd net/packet/af_packet.c:2944 [inline]
 packet_sendmsg+0x411d/0x6100 net/packet/af_packet.c:2969
 sock_sendmsg_nosec net/socket.c:629 [inline]
 sock_sendmsg+0xd5/0x120 net/socket.c:639
 __sys_sendto+0x3d7/0x670 net/socket.c:1789
 SYSC_sendto net/socket.c:1801 [inline]
 SyS_sendto+0x40/0x60 net/socket.c:1797
 do_syscall_64+0x29e/0x9d0 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x42/0xb7

The buggy address belongs to the object at ffff8801bf8c8500
 which belongs to the cache kmalloc-512 of size 512
The buggy address is located 196 bytes inside of
 512-byte region [ffff8801bf8c8500, ffff8801bf8c8700)
The buggy address belongs to the page:
page:ffffea0006fe3200 count:1 mapcount:0 mapping:ffff8801bf8c8000 index:0x0
flags: 0x2fffc0000000100(slab)
raw: 02fffc0000000100 ffff8801bf8c8000 0000000000000000 0000000100000006
raw: ffffea0006e3dae0 ffffea0006e0c6a0 ffff8801dac00940 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8801bf8c8480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff8801bf8c8500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8801bf8c8580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                           ^
 ffff8801bf8c8600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8801bf8c8680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================