==================================================================
BUG: KASAN: slab-out-of-bounds in ip6_dst_idev include/net/ip6_fib.h:192 [inline]
BUG: KASAN: slab-out-of-bounds in ip6_xmit+0x1f76/0x2260 net/ipv6/ip6_output.c:264
Read of size 8 at addr ffff8801b033b018 by task syz-executor0/11272

CPU: 1 PID: 11272 Comm: syz-executor0 Not tainted 4.16.0-rc4+ #258
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x194/0x24d lib/dump_stack.c:53
 print_address_description+0x73/0x250 mm/kasan/report.c:256
 kasan_report_error mm/kasan/report.c:354 [inline]
 kasan_report+0x23c/0x360 mm/kasan/report.c:412
 __asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:433
 ip6_dst_idev include/net/ip6_fib.h:192 [inline]
 ip6_xmit+0x1f76/0x2260 net/ipv6/ip6_output.c:264
 inet6_csk_xmit+0x2fc/0x580 net/ipv6/inet6_connection_sock.c:139
 l2tp_xmit_core net/l2tp/l2tp_core.c:1053 [inline]
 l2tp_xmit_skb+0x105f/0x1410 net/l2tp/l2tp_core.c:1148
 pppol2tp_sendmsg+0x470/0x670 net/l2tp/l2tp_ppp.c:341
 sock_sendmsg_nosec net/socket.c:629 [inline]
 sock_sendmsg+0xca/0x110 net/socket.c:639
 ___sys_sendmsg+0x767/0x8b0 net/socket.c:2047
kernel msg: ebtables bug: please report to author: bad policy
xt_ipvs: protocol family 7 not supported
 __sys_sendmsg+0xe5/0x210 net/socket.c:2081
xt_ipvs: protocol family 7 not supported
 SYSC_sendmsg net/socket.c:2092 [inline]
 SyS_sendmsg+0x2d/0x50 net/socket.c:2088
 do_syscall_64+0x281/0x940 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x453e69
RSP: 002b:00007f5932cb0c68 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00007f5932cb16d4 RCX: 0000000000453e69
RDX: 0000000000000081 RSI: 000000002037ffc8 RDI: 0000000000000015
RBP: 000000000072bea0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
R13: 00000000000004c3 R14: 00000000006f72e8 R15: 0000000000000000

Allocated by task 4288:
 save_stack+0x43/0xd0 mm/kasan/kasan.c:447
 set_track mm/kasan/kasan.c:459 [inline]
 kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:552
 kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:489
 kmem_cache_alloc+0x12e/0x760 mm/slab.c:3541
 kmem_cache_zalloc include/linux/slab.h:691 [inline]
 get_empty_filp+0xfb/0x4f0 fs/file_table.c:122
 path_openat+0xed/0x3530 fs/namei.c:3495
 do_filp_open+0x25b/0x3b0 fs/namei.c:3553
 do_sys_open+0x502/0x6d0 fs/open.c:1059
 SYSC_open fs/open.c:1077 [inline]
 SyS_open+0x2d/0x40 fs/open.c:1072
 do_syscall_64+0x281/0x940 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x42/0xb7

Freed by task 2773:
 save_stack+0x43/0xd0 mm/kasan/kasan.c:447
 set_track mm/kasan/kasan.c:459 [inline]
 __kasan_slab_free+0x11a/0x170 mm/kasan/kasan.c:520
 kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:527
 __cache_free mm/slab.c:3485 [inline]
 kmem_cache_free+0x83/0x2a0 mm/slab.c:3743
 file_free_rcu+0x5c/0x70 fs/file_table.c:49
 __rcu_reclaim kernel/rcu/rcu.h:172 [inline]
 rcu_do_batch kernel/rcu/tree.c:2674 [inline]
 invoke_rcu_callbacks kernel/rcu/tree.c:2933 [inline]
 __rcu_process_callbacks kernel/rcu/tree.c:2900 [inline]
 rcu_process_callbacks+0xd6c/0x17f0 kernel/rcu/tree.c:2917
 __do_softirq+0x2d7/0xb85 kernel/softirq.c:285

The buggy address belongs to the object at ffff8801b033b040
 which belongs to the cache filp of size 456
The buggy address is located 40 bytes to the left of
 456-byte region [ffff8801b033b040, ffff8801b033b208)
The buggy address belongs to the page:
page:ffffea0006c0cec0 count:1 mapcount:0 mapping:ffff8801b033b040 index:0x0
flags: 0x2fffc0000000100(slab)
raw: 02fffc0000000100 ffff8801b033b040 0000000000000000 0000000100000006
raw: ffffea0006c3b160 ffffea0006c0cfe0 ffff8801da5d6180 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8801b033af00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff8801b033af80: 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc
>ffff8801b033b000: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
                            ^
 ffff8801b033b080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff8801b033b100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================