netlink: 12 bytes leftover after parsing attributes in process `syz-executor0'.
==================================================================
BUG: KASAN: slab-out-of-bounds in __read_once_size include/linux/compiler.h:188 [inline]
BUG: KASAN: slab-out-of-bounds in bpf_fd_array_map_lookup_elem+0x440/0x4c0 kernel/bpf/arraymap.c:374
Read of size 8 at addr ffff8801d67184e0 by task syz-executor1/12860

CPU: 0 PID: 12860 Comm: syz-executor1 Not tainted 4.15.0-rc7-mm1+ #54
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x194/0x257 lib/dump_stack.c:53
 print_address_description+0x73/0x250 mm/kasan/report.c:256
 kasan_report_error mm/kasan/report.c:354 [inline]
 kasan_report+0x23b/0x360 mm/kasan/report.c:412
 __asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:433
 __read_once_size include/linux/compiler.h:188 [inline]
 bpf_fd_array_map_lookup_elem+0x440/0x4c0 kernel/bpf/arraymap.c:374
 map_lookup_elem+0x6b5/0xbd0 kernel/bpf/syscall.c:577
 SYSC_bpf kernel/bpf/syscall.c:1808 [inline]
 SyS_bpf+0x922/0x4400 kernel/bpf/syscall.c:1782
 entry_SYSCALL_64_fastpath+0x29/0xa0
RIP: 0033:0x452ac9
RSP: 002b:00007fd0a9324c58 EFLAGS: 00000212 ORIG_RAX: 0000000000000141
RAX: ffffffffffffffda RBX: 000000000071bea0 RCX: 0000000000452ac9
RDX: 0000000000000018 RSI: 0000000020593fe8 RDI: 0000000000000001
RBP: 0000000000000036 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000212 R12: 00000000006ee5b0
R13: 00000000ffffffff R14: 00007fd0a93256d4 R15: 0000000000000000

Allocated by task 12052:
 save_stack+0x43/0xd0 mm/kasan/kasan.c:447
 set_track mm/kasan/kasan.c:459 [inline]
 kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:552
 kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:489
 kmem_cache_alloc+0x12e/0x760 mm/slab.c:3541
 kmem_cache_zalloc include/linux/slab.h:694 [inline]
 get_empty_filp+0xfb/0x4f0 fs/file_table.c:122
 alloc_file+0x26/0x390 fs/file_table.c:163
 sock_alloc_file+0x1f3/0x560 net/socket.c:411
 sock_map_fd+0x34/0x70 net/socket.c:436
 SYSC_socket net/socket.c:1331 [inline]
 SyS_socket+0x125/0x1d0 net/socket.c:1307
 entry_SYSCALL_64_fastpath+0x29/0xa0

Freed by task 0:
 save_stack+0x43/0xd0 mm/kasan/kasan.c:447
 set_track mm/kasan/kasan.c:459 [inline]
 __kasan_slab_free+0x11a/0x170 mm/kasan/kasan.c:520
 kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:527
 __cache_free mm/slab.c:3485 [inline]
 kmem_cache_free+0x86/0x2b0 mm/slab.c:3743
 file_free_rcu+0x5c/0x70 fs/file_table.c:49
 __rcu_reclaim kernel/rcu/rcu.h:172 [inline]
 rcu_do_batch kernel/rcu/tree.c:2674 [inline]
 invoke_rcu_callbacks kernel/rcu/tree.c:2933 [inline]
 __rcu_process_callbacks kernel/rcu/tree.c:2900 [inline]
 rcu_process_callbacks+0xd6c/0x17f0 kernel/rcu/tree.c:2917
 __do_softirq+0x2d7/0xb85 kernel/softirq.c:285

The buggy address belongs to the object at ffff8801d67182c0
 which belongs to the cache filp of size 456
The buggy address is located 88 bytes to the right of
 456-byte region [ffff8801d67182c0, ffff8801d6718488)
The buggy address belongs to the page:
page:ffffea000759c600 count:1 mapcount:0 mapping:ffff8801d6718040 index:0xffff8801d6718cc0
flags: 0x2fffc0000000100(slab)
raw: 02fffc0000000100 ffff8801d6718040 ffff8801d6718cc0 0000000100000005
raw: ffffea000758bd60 ffffea000762b620 ffff8801dae30180 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8801d6718380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8801d6718400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8801d6718480: fb fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                                                       ^
 ffff8801d6718500: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
 ffff8801d6718580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================