==================================================================
BUG: KASAN: slab-out-of-bounds in ip6_tnl_xmit2+0x1f95/0x2320 net/ipv6/ip6_tunnel.c:987
Read of size 16 at addr ffff8801d42eb8b0 by task syz-executor.0/6052

CPU: 0 PID: 6052 Comm: syz-executor.0 Not tainted 4.4.174+ #4
 0000000000000000 005325df769aba45 ffff8801bf58f2a0 ffffffff81aad1a1
 0000000000000000 ffffea000750ba00 ffff8801d42eb8b0 0000000000000010
 ffff8801d42eb600 ffff8801bf58f2d8 ffffffff81490120 0000000000000000
Call Trace:
 [<ffffffff81aad1a1>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81aad1a1>] dump_stack+0xc1/0x120 lib/dump_stack.c:51
 [<ffffffff81490120>] print_address_description+0x6f/0x21b mm/kasan/report.c:252
 [<ffffffff81490358>] kasan_report_error mm/kasan/report.c:351 [inline]
 [<ffffffff81490358>] kasan_report mm/kasan/report.c:408 [inline]
 [<ffffffff81490358>] kasan_report.cold+0x8c/0x2be mm/kasan/report.c:393
 [<ffffffff81484faf>] __asan_report_load_n_noabort+0xf/0x20 mm/kasan/report.c:439
 [<ffffffff826b3105>] ip6_tnl_xmit2+0x1f95/0x2320 net/ipv6/ip6_tunnel.c:987
 [<ffffffff826b4e59>] ip4ip6_tnl_xmit net/ipv6/ip6_tunnel.c:1134 [inline]
 [<ffffffff826b4e59>] ip6_tnl_xmit+0xa09/0xe00 net/ipv6/ip6_tunnel.c:1212
 [<ffffffff82245071>] __netdev_start_xmit include/linux/netdevice.h:3750 [inline]
 [<ffffffff82245071>] netdev_start_xmit include/linux/netdevice.h:3759 [inline]
 [<ffffffff82245071>] xmit_one net/core/dev.c:2781 [inline]
 [<ffffffff82245071>] dev_hard_start_xmit+0x7c1/0x11e0 net/core/dev.c:2797
 [<ffffffff822473cb>] __dev_queue_xmit+0x164b/0x1bb0 net/core/dev.c:3229
 [<ffffffff82247948>] dev_queue_xmit+0x18/0x20 net/core/dev.c:3263
 [<ffffffff8225c136>] neigh_direct_output+0x16/0x20 net/core/neighbour.c:1369
 [<ffffffff823c5412>] dst_neigh_output include/net/dst.h:461 [inline]
 [<ffffffff823c5412>] ip_finish_output2+0x6a2/0x1280 net/ipv4/ip_output.c:213
 [<ffffffff823cc6e2>] ip_finish_output+0x8b2/0xc60 net/ipv4/ip_output.c:288
 [<ffffffff823d04a7>] NF_HOOK_COND include/linux/netfilter.h:240 [inline]
 [<ffffffff823d04a7>] ip_output+0x227/0x4c0 net/ipv4/ip_output.c:362
 [<ffffffff823cd21c>] dst_output include/net/dst.h:498 [inline]
 [<ffffffff823cd21c>] ip_local_out+0x9c/0x180 net/ipv4/ip_output.c:119
 [<ffffffff823ce58c>] ip_queue_xmit+0x89c/0x1ab0 net/ipv4/ip_output.c:461
 [<ffffffff82431dd4>] __tcp_transmit_skb+0x1904/0x2cf0 net/ipv4/tcp_output.c:1034
 [<ffffffff824337e4>] tcp_transmit_skb net/ipv4/tcp_output.c:1047 [inline]
 [<ffffffff824337e4>] tcp_write_xmit+0x624/0x4570 net/ipv4/tcp_output.c:2137
 [<ffffffff82437fcb>] __tcp_push_pending_frames+0xab/0x2b0 net/ipv4/tcp_output.c:2323
 [<ffffffff8243eeab>] tcp_send_fin+0x15b/0xa90 net/ipv4/tcp_output.c:2899
 [<ffffffff823f5b02>] tcp_shutdown net/ipv4/tcp.c:2008 [inline]
 [<ffffffff823f5b02>] tcp_shutdown+0xe2/0x110 net/ipv4/tcp.c:1993
 [<ffffffff824a675b>] inet_shutdown+0x17b/0x360 net/ipv4/af_inet.c:825
 [<ffffffff821dcf5b>] SYSC_shutdown net/socket.c:1832 [inline]
 [<ffffffff821dcf5b>] SyS_shutdown+0xfb/0x1a0 net/socket.c:1823
 [<ffffffff82718ba1>] entry_SYSCALL_64_fastpath+0x1e/0x9a

Allocated by task 6052:
 [<ffffffff8102e3c6>] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:63
 [<ffffffff81483f22>] save_stack mm/kasan/kasan.c:512 [inline]
 [<ffffffff81483f22>] set_track mm/kasan/kasan.c:524 [inline]
 [<ffffffff81483f22>] kasan_kmalloc.part.0+0x62/0xf0 mm/kasan/kasan.c:616
 [<ffffffff81484197>] kasan_kmalloc+0xb7/0xd0 mm/kasan/kasan.c:601
 [<ffffffff81480521>] __kmalloc+0x141/0x330 mm/slub.c:3613
 [<ffffffff82264216>] kmalloc include/linux/slab.h:481 [inline]
 [<ffffffff82264216>] kzalloc include/linux/slab.h:620 [inline]
 [<ffffffff82264216>] neigh_alloc net/core/neighbour.c:285 [inline]
 [<ffffffff82264216>] __neigh_create+0x1d6/0x1b30 net/core/neighbour.c:457
 [<ffffffff823a024e>] neigh_create include/net/neighbour.h:313 [inline]
 [<ffffffff823a024e>] ipv4_neigh_lookup+0x52e/0x6e0 net/ipv4/route.c:464
 [<ffffffff826b13eb>] dst_neigh_lookup include/net/dst.h:466 [inline]
 [<ffffffff826b13eb>] ip6_tnl_xmit2+0x27b/0x2320 net/ipv6/ip6_tunnel.c:982
 [<ffffffff826b4e59>] ip4ip6_tnl_xmit net/ipv6/ip6_tunnel.c:1134 [inline]
 [<ffffffff826b4e59>] ip6_tnl_xmit+0xa09/0xe00 net/ipv6/ip6_tunnel.c:1212
 [<ffffffff82245071>] __netdev_start_xmit include/linux/netdevice.h:3750 [inline]
 [<ffffffff82245071>] netdev_start_xmit include/linux/netdevice.h:3759 [inline]
 [<ffffffff82245071>] xmit_one net/core/dev.c:2781 [inline]
 [<ffffffff82245071>] dev_hard_start_xmit+0x7c1/0x11e0 net/core/dev.c:2797
 [<ffffffff822473cb>] __dev_queue_xmit+0x164b/0x1bb0 net/core/dev.c:3229
 [<ffffffff82247948>] dev_queue_xmit+0x18/0x20 net/core/dev.c:3263
 [<ffffffff8225c136>] neigh_direct_output+0x16/0x20 net/core/neighbour.c:1369
 [<ffffffff823c5412>] dst_neigh_output include/net/dst.h:461 [inline]
 [<ffffffff823c5412>] ip_finish_output2+0x6a2/0x1280 net/ipv4/ip_output.c:213
 [<ffffffff823cc6e2>] ip_finish_output+0x8b2/0xc60 net/ipv4/ip_output.c:288
 [<ffffffff823d04a7>] NF_HOOK_COND include/linux/netfilter.h:240 [inline]
 [<ffffffff823d04a7>] ip_output+0x227/0x4c0 net/ipv4/ip_output.c:362
 [<ffffffff823cd21c>] dst_output include/net/dst.h:498 [inline]
 [<ffffffff823cd21c>] ip_local_out+0x9c/0x180 net/ipv4/ip_output.c:119
 [<ffffffff823ce58c>] ip_queue_xmit+0x89c/0x1ab0 net/ipv4/ip_output.c:461
 [<ffffffff82431dd4>] __tcp_transmit_skb+0x1904/0x2cf0 net/ipv4/tcp_output.c:1034
 [<ffffffff824337e4>] tcp_transmit_skb net/ipv4/tcp_output.c:1047 [inline]
 [<ffffffff824337e4>] tcp_write_xmit+0x624/0x4570 net/ipv4/tcp_output.c:2137
 [<ffffffff82437fcb>] __tcp_push_pending_frames+0xab/0x2b0 net/ipv4/tcp_output.c:2323
 [<ffffffff8243eeab>] tcp_send_fin+0x15b/0xa90 net/ipv4/tcp_output.c:2899
 [<ffffffff823f5b02>] tcp_shutdown net/ipv4/tcp.c:2008 [inline]
 [<ffffffff823f5b02>] tcp_shutdown+0xe2/0x110 net/ipv4/tcp.c:1993
 [<ffffffff824a675b>] inet_shutdown+0x17b/0x360 net/ipv4/af_inet.c:825
 [<ffffffff821dcf5b>] SYSC_shutdown net/socket.c:1832 [inline]
 [<ffffffff821dcf5b>] SyS_shutdown+0xfb/0x1a0 net/socket.c:1823
 [<ffffffff82718ba1>] entry_SYSCALL_64_fastpath+0x1e/0x9a

Freed by task 4857:
 [<ffffffff8102e3c6>] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:63
 [<ffffffff81484820>] save_stack mm/kasan/kasan.c:512 [inline]
 [<ffffffff81484820>] set_track mm/kasan/kasan.c:524 [inline]
 [<ffffffff81484820>] kasan_slab_free+0xb0/0x190 mm/kasan/kasan.c:589
 [<ffffffff81481c44>] slab_free_hook mm/slub.c:1383 [inline]
 [<ffffffff81481c44>] slab_free_freelist_hook mm/slub.c:1405 [inline]
 [<ffffffff81481c44>] slab_free mm/slub.c:2859 [inline]
 [<ffffffff81481c44>] kfree+0xf4/0x310 mm/slub.c:3749
 [<ffffffff821fd036>] skb_free_head net/core/skbuff.c:571 [inline]
 [<ffffffff821fd036>] skb_release_data+0x2e6/0x380 net/core/skbuff.c:602
 [<ffffffff821fd11d>] skb_release_all+0x4d/0x60 net/core/skbuff.c:661
 [<ffffffff821fd257>] __kfree_skb net/core/skbuff.c:675 [inline]
 [<ffffffff821fd257>] kfree_skb+0xf7/0x400 net/core/skbuff.c:696
 [<ffffffff826a6732>] ipip_rcv+0x2a2/0x4a0 net/ipv6/sit.c:754
 [<ffffffff82508cb0>] tunnel4_rcv+0xe0/0x240 net/ipv4/tunnel4.c:98
 [<ffffffff823b59c0>] ip_local_deliver_finish+0x3c0/0xa70 net/ipv4/ip_input.c:216
 [<ffffffff823b797f>] NF_HOOK_THRESH include/linux/netfilter.h:226 [inline]
 [<ffffffff823b797f>] NF_HOOK include/linux/netfilter.h:249 [inline]
 [<ffffffff823b797f>] ip_local_deliver+0x1af/0x390 net/ipv4/ip_input.c:257
 [<ffffffff823b67d8>] dst_input include/net/dst.h:504 [inline]
 [<ffffffff823b67d8>] ip_rcv_finish+0x768/0x1220 net/ipv4/ip_input.c:365
 [<ffffffff823b845a>] NF_HOOK_THRESH include/linux/netfilter.h:226 [inline]
 [<ffffffff823b845a>] NF_HOOK include/linux/netfilter.h:249 [inline]
 [<ffffffff823b845a>] ip_rcv+0x8fa/0xe70 net/ipv4/ip_input.c:456
 [<ffffffff82230640>] __netif_receive_skb_core+0x1300/0x2950 net/core/dev.c:4041
 [<ffffffff82238bd8>] __netif_receive_skb+0x58/0x1c0 net/core/dev.c:4076
 [<ffffffff8223fec0>] process_backlog+0x200/0x630 net/core/dev.c:4673
 [<ffffffff8223f2f7>] napi_poll net/core/dev.c:4911 [inline]
 [<ffffffff8223f2f7>] net_rx_action+0x367/0xd30 net/core/dev.c:4976
 [<ffffffff8271bb16>] __do_softirq+0x226/0xa3f kernel/softirq.c:273

The buggy address belongs to the object at ffff8801d42eb600
 which belongs to the cache kmalloc-1024 of size 1024
The buggy address is located 688 bytes inside of
 1024-byte region [ffff8801d42eb600, ffff8801d42eba00)
The buggy address belongs to the page:
kasan: CONFIG_KASAN_INLINE enabled

SeaBIOS (version 1.8.2-20191106_143117-google)
Initializing cgroup subsys cpu
Initializing cgroup subsys cpuacct
Linux version 4.4.174+ (syzkaller@ci) (gcc version 9.0.0 20181231 (experimental) (GCC) ) #4 SMP PREEMPT Fri Feb 8 11:15:16 UTC 2019
Command line: BOOT_IMAGE=/vmlinuz root=/dev/sda1 console=ttyS0 earlyprintk=serial vsyscall=native rodata=n oops=panic panic_on_warn=1 nmi_watchdog=panic panic=86400 workqueue.watchdog_thresh=140 nopti
KERNEL supported cpus:
  Intel GenuineIntel
  AMD AuthenticAMD
x86/fpu: xstate_offset[2]:  576, xstate_sizes[2]:  256
x86/fpu: Supporting XSAVE feature 0x01: 'x87 floating point registers'
x86/fpu: Supporting XSAVE feature 0x02: 'SSE registers'
x86/fpu: Supporting XSAVE feature 0x04: 'AVX registers'
x86/fpu: Enabled xstate features 0x7, context size is 832 bytes, using 'standard' format.
e820: BIOS-provided physical RAM map:
BIOS-e820: [mem 0x0000000000000000-0x000000000009fbff] usable
BIOS-e820: [mem 0x000000000009fc00-0x000000000009ffff] reserved
BIOS-e820: [mem 0x00000000000f0000-0x00000000000fffff] reserved
BIOS-e820: [mem 0x0000000000100000-0x00000000bfffcfff] usable
BIOS-e820: [mem 0x00000000bfffd000-0x00000000bfffffff] reserved
BIOS-e820: [mem 0x00000000fffbc000-0x00000000ffffffff] reserved
BIOS-e820: [mem 0x0000000100000000-0x000000021fffffff] usable
bootconsole [earlyser0] enabled
NX (Execute Disable) protection: active
Hypervisor detected: KVM
Kernel/User page tables isolation: disabled
e820: last_pfn = 0x220000 max_arch_pfn = 0x400000000
x86/PAT: Configuration [0-7]: WB  WC  UC- UC  UC  UC  UC  UC  
e820: last_pfn = 0xbfffd max_arch_pfn = 0x400000000
found SMP MP-table at [mem 0x000f2470-0x000f247f] mapped at [ffff8800000f2470]
Using GB pages for direct mapping
ACPI: Early table checksum verification disabled
ACPI: RSDP 0x00000000000F21F0 000014 (v00 Google)
ACPI: RSDT 0x00000000BFFFFFC0 000038 (v01 Google GOOGRSDT 00000001 GOOG 00000001)
ACPI: FACP 0x00000000BFFFF380 0000F4 (v02 Google GOOGFACP 00000001 GOOG 00000001)
ACPI: DSDT 0x00000000BFFFDAC0 0018BA (v01 Google GOOGDSDT 00000001 GOOG 00000001)
ACPI: FACS 0x00000000BFFFDA80 000040
ACPI: FACS 0x00000000BFFFDA80 000040
ACPI: SRAT 0x00000000BFFFFEB0 0000C8 (v01 Google GOOGSRAT 00000001 GOOG 00000001)
ACPI: APIC 0x00000000BFFFFE00 000076 (v01 Google GOOGAPIC 00000001 GOOG 00000001)
ACPI: SSDT 0x00000000BFFFF480 000980 (v01 Google GOOGSSDT 00000001 GOOG 00000001)
ACPI: WAET 0x00000000BFFFFE80 000028 (v01 Google GOOGWAET 00000001 GOOG 00000001)
kvm-clock: Using msrs 4b564d01 and 4b564d00
kvm-clock: cpu 0, msr 2:1fffd001, primary cpu clock
kvm-clock: using sched offset of 2407108400 cycles
clocksource: kvm-clock: mask: 0xffffffffffffffff max_cycles: 0x1cd42e4dffb, max_idle_ns: 881590591483 ns
Zone ranges:
  DMA32    [mem 0x0000000000001000-0x00000000ffffffff]
  Normal   [mem 0x0000000100000000-0x000000021fffffff]
Movable zone start for each node
Early memory node ranges
  node   0: [mem 0x0000000000001000-0x000000000009efff]
  node   0: [mem 0x0000000000100000-0x00000000bfffcfff]
  node   0: [mem 0x0000000100000000-0x000000021fffffff]
Initmem setup node 0 [mem 0x0000000000001000-0x000000021fffffff]
kasan: KernelAddressSanitizer initialized
ACPI: PM-Timer IO Port: 0xb008
ACPI: LAPIC_NMI (acpi_id[0xff] dfl dfl lint[0x1])
IOAPIC[0]: apic_id 0, version 17, address 0xfec00000, GSI 0-23
ACPI: INT_SRC_OVR (bus 0 bus_irq 5 global_irq 5 high level)
ACPI: INT_SRC_OVR (bus 0 bus_irq 9 global_irq 9 high level)
ACPI: INT_SRC_OVR (bus 0 bus_irq 10 global_irq 10 high level)
ACPI: INT_SRC_OVR (bus 0 bus_irq 11 global_irq 11 high level)
Using ACPI (MADT) for SMP configuration information
smpboot: Allowing 2 CPUs, 0 hotplug CPUs
e820: [mem 0xc0000000-0xfffbbfff] available for PCI devices
Booting paravirtualized kernel on KVM
clocksource: refined-jiffies: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 19112604462750000 ns
setup_percpu: NR_CPUS:8 nr_cpumask_bits:8 nr_cpu_ids:2 nr_node_ids:1
PERCPU: Embedded 41 pages/cpu @ffff8801db600000 s130696 r8192 d29048 u1048576
Built 1 zonelists in Zone order, mobility grouping on.  Total pages: 1935238
Kernel command line: BOOT_IMAGE=/vmlinuz root=/dev/sda1 console=ttyS0 earlyprintk=serial vsyscall=native rodata=n oops=panic panic_on_warn=1 nmi_watchdog=panic panic=86400 workqueue.watchdog_thresh=140 nopti
PID hash table entries: 4096 (order: 3, 32768 bytes)
Dentry cache hash table entries: 1048576 (order: 11, 8388608 bytes)
Inode-cache hash table entries: 524288 (order: 10, 4194304 bytes)