KASAN: slab-out-of-bounds Read in bpf_test

audit: type=1400 audit(1537870356.412:8): avc:  denied  { prog_load } for  pid=1786 comm="syz-executor167" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=bpf permissive=1
==================================================================
BUG: KASAN: slab-out-of-bounds in _copy_to_user+0x9a/0xc0 lib/usercopy.c:27
Read of size 710 at addr ffff8801d033fff3 by task syz-executor167/1786

CPU: 0 PID: 1786 Comm: syz-executor167 Not tainted 4.14.71+ #8
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0xb9/0x11b lib/dump_stack.c:53
 print_address_description+0x60/0x22b mm/kasan/report.c:252
 kasan_report_error mm/kasan/report.c:351 [inline]
 kasan_report.cold.6+0x11b/0x2dd mm/kasan/report.c:409
 _copy_to_user+0x9a/0xc0 lib/usercopy.c:27
 copy_to_user include/linux/uaccess.h:155 [inline]
 bpf_test_finish.isra.0+0xc8/0x190 net/bpf/test_run.c:59
 bpf_prog_test_run_skb+0x4d0/0x8c0 net/bpf/test_run.c:144
 bpf_prog_test_run kernel/bpf/syscall.c:1330 [inline]
 SYSC_bpf kernel/bpf/syscall.c:1602 [inline]
 SyS_bpf+0x79d/0x3640 kernel/bpf/syscall.c:1547
 do_syscall_64+0x19b/0x4b0 arch/x86/entry/common.c:289
 entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x440339
RSP: 002b:00007ffdf4655e78 EFLAGS: 00000213 ORIG_RAX: 0000000000000141
RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440339
RDX: 0000000000000028 RSI: 0000000020000180 RDI: 000000000000000a
RBP: 00000000006ca018 R08: 0000000000000000 R09: 00000000004002c8
R10: 0000000000000000 R11: 0000000000000213 R12: 0000000000401bc0
R13: 0000000000401c50 R14: 0000000000000000 R15: 0000000000000000

Allocated by task 223:
 save_stack mm/kasan/kasan.c:447 [inline]
 set_track mm/kasan/kasan.c:459 [inline]
 kasan_kmalloc.part.1+0x4f/0xd0 mm/kasan/kasan.c:551
 __kmalloc+0x153/0x340 mm/slub.c:3760
 kmalloc_array include/linux/slab.h:607 [inline]
 kcalloc include/linux/slab.h:618 [inline]
 alloc_pipe_info+0x15b/0x370 fs/pipe.c:650
 get_pipe_inode fs/pipe.c:712 [inline]
 create_pipe_files+0xdc/0x880 fs/pipe.c:745
 __do_pipe_flags+0x32/0x210 fs/pipe.c:802
 SYSC_pipe2 fs/pipe.c:850 [inline]
 SyS_pipe2+0x83/0x160 fs/pipe.c:844
 do_syscall_64+0x19b/0x4b0 arch/x86/entry/common.c:289
 entry_SYSCALL_64_after_hwframe+0x42/0xb7

Freed by task 223:
 save_stack mm/kasan/kasan.c:447 [inline]
 set_track mm/kasan/kasan.c:459 [inline]
 kasan_slab_free+0xac/0x190 mm/kasan/kasan.c:524
 slab_free_hook mm/slub.c:1389 [inline]
 slab_free_freelist_hook mm/slub.c:1410 [inline]
 slab_free mm/slub.c:2966 [inline]
 kfree+0xf5/0x310 mm/slub.c:3897
 free_pipe_info+0x1f5/0x2a0 fs/pipe.c:683
 put_pipe_info+0xb3/0xd0 fs/pipe.c:561
 pipe_release+0x1a6/0x240 fs/pipe.c:582
 __fput+0x25e/0x6f0 fs/file_table.c:210
 task_work_run+0x116/0x190 kernel/task_work.c:113
 tracehook_notify_resume include/linux/tracehook.h:191 [inline]
 exit_to_usermode_loop+0x12e/0x150 arch/x86/entry/common.c:163
 prepare_exit_to_usermode arch/x86/entry/common.c:198 [inline]
 syscall_return_slowpath arch/x86/entry/common.c:267 [inline]
 do_syscall_64+0x35d/0x4b0 arch/x86/entry/common.c:294
 entry_SYSCALL_64_after_hwframe+0x42/0xb7

The buggy address belongs to the object at ffff8801d033fa80
 which belongs to the cache kmalloc-1024 of size 1024
The buggy address is located 371 bytes to the right of
 1024-byte region [ffff8801d033fa80, ffff8801d033fe80)
The buggy address belongs to the page:
page:ffffea000740cf00 count:1 mapcount:0 mapping:          (null) index:0x0 compound_mapcount: 0
flags: 0x4000000000008100(slab|head)
raw: 4000000000008100 0000000000000000 0000000000000000 00000001800e000e
raw: 0000000000000000 0000000100000001 ffff8801da802a00 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8801d033fe80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff8801d033ff00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff8801d033ff80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                                                             ^
 ffff8801d0340000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff8801d0340080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================

Crashes (72):
Time	Kernel	Commit	Syzkaller	Config	Log	Report	Syz repro	C repro	Manager
2018/09/25 10:15	android-4.14	666c420fa3ea	0e7547d7	.config	console log	report	syz	C	ci-android-414-kasan-gce-root
2019/08/19 21:26	android-4.14	5d8bfdf81cde	ee12860b	.config	console log	report			ci-android-414-kasan-gce-root
2018/11/25 21:23	android-4.14	ea91d158d712	3d3ec907	.config	console log	report			ci-android-414-kasan-gce-root
2018/11/20 13:30	android-4.14	4e76528bd48d	9bc2a903	.config	console log	report			ci-android-414-kasan-gce-root
2018/11/20 09:40	android-4.14	4e76528bd48d	9bc2a903	.config	console log	report			ci-android-414-kasan-gce-root
2018/11/19 13:18	android-4.14	4e76528bd48d	adf636a8	.config	console log	report			ci-android-414-kasan-gce-root
2018/11/15 04:07	android-4.14	4e76528bd48d	5f5f6d14	.config	console log	report			ci-android-414-kasan-gce-root
2018/11/14 04:35	android-4.14	97c308ca4091	5f5f6d14	.config	console log	report			ci-android-414-kasan-gce-root
2018/11/14 01:24	android-4.14	97c308ca4091	5f5f6d14	.config	console log	report			ci-android-414-kasan-gce-root
2018/11/08 19:32	android-4.14	6c95b90db52b	e85d2a61	.config	console log	report			ci-android-414-kasan-gce-root
2018/11/08 13:45	android-4.14	d4e5dea08bbf	e85d2a61	.config	console log	report			ci-android-414-kasan-gce-root
2018/11/08 10:13	android-4.14	d4e5dea08bbf	e85d2a61	.config	console log	report			ci-android-414-kasan-gce-root
2018/11/07 21:26	android-4.14	d4e5dea08bbf	e85d2a61	.config	console log	report			ci-android-414-kasan-gce-root
2018/11/05 01:19	android-4.14	12064f3a794e	8bd6bd63	.config	console log	report			ci-android-414-kasan-gce-root
2018/11/03 13:45	android-4.14	12064f3a794e	8bd6bd63	.config	console log	report			ci-android-414-kasan-gce-root
2018/11/01 20:53	android-4.14	4ed22187defd	1f38e9ae	.config	console log	report			ci-android-414-kasan-gce-root
2018/10/30 16:59	android-4.14	4ed22187defd	8dbb755a	.config	console log	report			ci-android-414-kasan-gce-root
2018/10/30 06:29	android-4.14	4ed22187defd	2f1090da	.config	console log	report			ci-android-414-kasan-gce-root
2018/10/30 01:45	android-4.14	4ed22187defd	2f1090da	.config	console log	report			ci-android-414-kasan-gce-root
2018/10/29 13:58	android-4.14	4ed22187defd	7df9db2e	.config	console log	report			ci-android-414-kasan-gce-root
2018/10/29 06:54	android-4.14	4ed22187defd	9ca2afa1	.config	console log	report			ci-android-414-kasan-gce-root
2018/10/29 04:04	android-4.14	4ed22187defd	9ca2afa1	.config	console log	report			ci-android-414-kasan-gce-root
2018/10/27 21:13	android-4.14	4ed22187defd	8efba39a	.config	console log	report			ci-android-414-kasan-gce-root
2018/10/27 01:43	android-4.14	4ed22187defd	a8292de9	.config	console log	report			ci-android-414-kasan-gce-root
2018/10/26 19:28	android-4.14	4ed22187defd	a8292de9	.config	console log	report			ci-android-414-kasan-gce-root
2018/10/26 10:16	android-4.14	4ed22187defd	a8292de9	.config	console log	report			ci-android-414-kasan-gce-root
2018/10/25 21:42	android-4.14	4ed22187defd	a8292de9	.config	console log	report			ci-android-414-kasan-gce-root
2018/10/24 15:15	android-4.14	ff26b00b484b	a8292de9	.config	console log	report			ci-android-414-kasan-gce-root
2018/10/24 07:49	android-4.14	ff26b00b484b	a8292de9	.config	console log	report			ci-android-414-kasan-gce-root
2018/10/21 14:27	android-4.14	c556d1ffe528	ecb386fe	.config	console log	report			ci-android-414-kasan-gce-root
2018/10/20 04:40	android-4.14	0ff0788d6a66	ecb386fe	.config	console log	report			ci-android-414-kasan-gce-root
2018/10/20 02:41	android-4.14	0ff0788d6a66	ecb386fe	.config	console log	report			ci-android-414-kasan-gce-root
2018/10/19 18:15	android-4.14	0ff0788d6a66	9aba67b5	.config	console log	report			ci-android-414-kasan-gce-root
2018/10/19 05:30	android-4.14	0ff0788d6a66	9aba67b5	.config	console log	report			ci-android-414-kasan-gce-root
2018/10/19 02:04	android-4.14	0ff0788d6a66	9aba67b5	.config	console log	report			ci-android-414-kasan-gce-root
2018/10/18 05:21	android-4.14	6d46bcc5a747	b2695b95	.config	console log	report			ci-android-414-kasan-gce-root
2018/10/14 02:56	android-4.14	48091d94336e	caf12900	.config	console log	report			ci-android-414-kasan-gce-root
2018/10/14 00:03	android-4.14	48091d94336e	caf12900	.config	console log	report			ci-android-414-kasan-gce-root
2018/10/13 13:32	android-4.14	48091d94336e	caf12900	.config	console log	report			ci-android-414-kasan-gce-root
2018/10/10 15:09	android-4.14	d33692e8014d	5b11ac2c	.config	console log	report			ci-android-414-kasan-gce-root
2018/10/10 09:42	android-4.14	d33692e8014d	8b311eaf	.config	console log	report			ci-android-414-kasan-gce-root
2018/10/10 03:25	android-4.14	d33692e8014d	8b311eaf	.config	console log	report			ci-android-414-kasan-gce-root
2018/10/09 13:41	android-4.14	d33692e8014d	8b311eaf	.config	console log	report			ci-android-414-kasan-gce-root
2018/10/09 09:21	android-4.14	d33692e8014d	8b311eaf	.config	console log	report			ci-android-414-kasan-gce-root
2018/10/09 01:52	android-4.14	d33692e8014d	8b311eaf	.config	console log	report			ci-android-414-kasan-gce-root
2018/10/08 17:39	android-4.14	d33692e8014d	8b311eaf	.config	console log	report			ci-android-414-kasan-gce-root
2018/10/08 16:37	android-4.14	d33692e8014d	8b311eaf	.config	console log	report			ci-android-414-kasan-gce-root
2018/10/08 12:57	android-4.14	d33692e8014d	8b311eaf	.config	console log	report			ci-android-414-kasan-gce-root
2018/10/07 11:22	android-4.14	d33692e8014d	8b311eaf	.config	console log	report			ci-android-414-kasan-gce-root
2018/10/06 07:28	android-4.14	d33692e8014d	8b311eaf	.config	console log	report			ci-android-414-kasan-gce-root
2018/10/06 01:00	android-4.14	d33692e8014d	8b311eaf	.config	console log	report			ci-android-414-kasan-gce-root
2018/10/03 21:00	android-4.14	ff9973a5da5e	8b311eaf	.config	console log	report			ci-android-414-kasan-gce-root
2018/08/31 00:29	android-4.14	47350a9f13c6	938220fd	.config	console log	report			ci-android-414-kasan-gce-root

Crashes (72):

Time

Assets (help?)

2018/09/25 10:15

android-4.14

syz

ci-android-414-kasan-gce-root

2019/08/19 21:26

android-4.14

ci-android-414-kasan-gce-root

2018/11/25 21:23

android-4.14

ci-android-414-kasan-gce-root

2018/11/20 13:30

android-4.14

ci-android-414-kasan-gce-root

2018/11/20 09:40

android-4.14

ci-android-414-kasan-gce-root

2018/11/19 13:18

android-4.14

ci-android-414-kasan-gce-root

2018/11/15 04:07

android-4.14

ci-android-414-kasan-gce-root

2018/11/14 04:35

android-4.14

ci-android-414-kasan-gce-root

2018/11/14 01:24

android-4.14

ci-android-414-kasan-gce-root

2018/11/08 19:32

android-4.14

ci-android-414-kasan-gce-root

2018/11/08 13:45

android-4.14

ci-android-414-kasan-gce-root

2018/11/08 10:13

android-4.14

ci-android-414-kasan-gce-root

2018/11/07 21:26

android-4.14

ci-android-414-kasan-gce-root

2018/11/05 01:19

android-4.14

ci-android-414-kasan-gce-root

2018/11/03 13:45

android-4.14

ci-android-414-kasan-gce-root

2018/11/01 20:53

android-4.14

ci-android-414-kasan-gce-root

2018/10/30 16:59

android-4.14

ci-android-414-kasan-gce-root

2018/10/30 06:29

android-4.14

ci-android-414-kasan-gce-root

2018/10/30 01:45

android-4.14

ci-android-414-kasan-gce-root

2018/10/29 13:58

android-4.14

ci-android-414-kasan-gce-root

2018/10/29 06:54

android-4.14

ci-android-414-kasan-gce-root

2018/10/29 04:04

android-4.14

ci-android-414-kasan-gce-root

2018/10/27 21:13

android-4.14

ci-android-414-kasan-gce-root

2018/10/27 01:43

android-4.14

ci-android-414-kasan-gce-root

2018/10/26 19:28

android-4.14

ci-android-414-kasan-gce-root

2018/10/26 10:16

android-4.14

ci-android-414-kasan-gce-root

2018/10/25 21:42

android-4.14

ci-android-414-kasan-gce-root

2018/10/24 15:15

android-4.14

ci-android-414-kasan-gce-root

2018/10/24 07:49

android-4.14

ci-android-414-kasan-gce-root

2018/10/21 14:27

android-4.14

ci-android-414-kasan-gce-root

2018/10/20 04:40

android-4.14

ci-android-414-kasan-gce-root

2018/10/20 02:41

android-4.14

ci-android-414-kasan-gce-root

2018/10/19 18:15

android-4.14

ci-android-414-kasan-gce-root

2018/10/19 05:30

android-4.14

ci-android-414-kasan-gce-root

2018/10/19 02:04

android-4.14

ci-android-414-kasan-gce-root

2018/10/18 05:21

android-4.14

ci-android-414-kasan-gce-root

2018/10/14 02:56

android-4.14

ci-android-414-kasan-gce-root

2018/10/14 00:03

android-4.14

ci-android-414-kasan-gce-root

2018/10/13 13:32

android-4.14

ci-android-414-kasan-gce-root

2018/10/10 15:09

android-4.14

ci-android-414-kasan-gce-root

2018/10/10 09:42

android-4.14

ci-android-414-kasan-gce-root

2018/10/10 03:25

android-4.14

ci-android-414-kasan-gce-root

2018/10/09 13:41

android-4.14

ci-android-414-kasan-gce-root

2018/10/09 09:21

android-4.14

ci-android-414-kasan-gce-root

2018/10/09 01:52

android-4.14

ci-android-414-kasan-gce-root

2018/10/08 17:39

android-4.14

ci-android-414-kasan-gce-root

2018/10/08 16:37

android-4.14

ci-android-414-kasan-gce-root

2018/10/08 12:57

android-4.14

ci-android-414-kasan-gce-root

2018/10/07 11:22

android-4.14

ci-android-414-kasan-gce-root

2018/10/06 07:28

android-4.14

ci-android-414-kasan-gce-root

2018/10/06 01:00

android-4.14

ci-android-414-kasan-gce-root

2018/10/03 21:00

android-4.14

ci-android-414-kasan-gce-root

2018/08/31 00:29

android-4.14

ci-android-414-kasan-gce-root