syzbot

==================================================================
BUG: KASAN: slab-out-of-bounds in pfkey_msg2xfrm_state net/key/af_key.c:1188 [inline]
BUG: KASAN: slab-out-of-bounds in pfkey_add+0x2565/0x3240 net/key/af_key.c:1506
Read of size 8192 at addr ffff8801b7436f40 by task syzkaller362258/3784

CPU: 0 PID: 3784 Comm: syzkaller362258 Not tainted 4.9.93-gcb02358 #2
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801d900f6e0 ffffffff81d9c249 ffffea0006dd0d80 ffff8801b7436f40
 0000000000000000 ffff8801b7437100 ffff8801b7436f00 ffff8801d900f718
 ffffffff8156533b ffff8801b7436f40 0000000000002000 0000000000000000
Call Trace:
 [<ffffffff81d9c249>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81d9c249>] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [<ffffffff8156533b>] print_address_description+0x6c/0x234 mm/kasan/report.c:256
 [<ffffffff815655af>] kasan_report_error mm/kasan/report.c:355 [inline]
 [<ffffffff815655af>] kasan_report.cold.6+0xac/0x2f5 mm/kasan/report.c:412
 [<ffffffff8153822f>] check_memory_region_inline mm/kasan/kasan.c:318 [inline]
 [<ffffffff8153822f>] check_memory_region+0x14f/0x1b0 mm/kasan/kasan.c:325
 [<ffffffff81538873>] memcpy+0x23/0x50 mm/kasan/kasan.c:360
 [<ffffffff8358c795>] pfkey_msg2xfrm_state net/key/af_key.c:1188 [inline]
 [<ffffffff8358c795>] pfkey_add+0x2565/0x3240 net/key/af_key.c:1506
 [<ffffffff83582ec1>] pfkey_process+0x671/0x740 net/key/af_key.c:2834
 [<ffffffff835846e6>] pfkey_sendmsg+0x346/0xae0 net/key/af_key.c:3678
 [<ffffffff82ef3fcc>] sock_sendmsg_nosec net/socket.c:635 [inline]
 [<ffffffff82ef3fcc>] sock_sendmsg+0xcc/0x110 net/socket.c:645
 [<ffffffff82ef5a6c>] ___sys_sendmsg+0x6fc/0x840 net/socket.c:1969
 [<ffffffff82ef7ad9>] __sys_sendmsg+0xd9/0x190 net/socket.c:2003
 [<ffffffff82ef7bbd>] SYSC_sendmsg net/socket.c:2014 [inline]
 [<ffffffff82ef7bbd>] SyS_sendmsg+0x2d/0x50 net/socket.c:2010
 [<ffffffff81006316>] do_syscall_64+0x1a6/0x490 arch/x86/entry/common.c:282
 [<ffffffff838d5953>] entry_SYSCALL_64_after_swapgs+0x5d/0xdb

Allocated by task 3784:
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:505
 set_track mm/kasan/kasan.c:517 [inline]
 kasan_kmalloc+0xc7/0xe0 mm/kasan/kasan.c:609
 kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:547
 slab_post_alloc_hook mm/slab.h:417 [inline]
 slab_alloc_node mm/slub.c:2715 [inline]
 slab_alloc mm/slub.c:2723 [inline]
 __kmalloc_track_caller+0xdc/0x2b0 mm/slub.c:4232
 __kmalloc_reserve.isra.37+0x33/0xc0 net/core/skbuff.c:138
 __alloc_skb+0x11a/0x600 net/core/skbuff.c:231
 alloc_skb include/linux/skbuff.h:919 [inline]
 pfkey_sendmsg+0xfe/0xae0 net/key/af_key.c:3665
 sock_sendmsg_nosec net/socket.c:635 [inline]
 sock_sendmsg+0xcc/0x110 net/socket.c:645
 ___sys_sendmsg+0x6fc/0x840 net/socket.c:1969
 __sys_sendmsg+0xd9/0x190 net/socket.c:2003
 SYSC_sendmsg net/socket.c:2014 [inline]
 SyS_sendmsg+0x2d/0x50 net/socket.c:2010
 do_syscall_64+0x1a6/0x490 arch/x86/entry/common.c:282
 entry_SYSCALL_64_after_swapgs+0x5d/0xdb

Freed by task 2013:
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:505
 set_track mm/kasan/kasan.c:517 [inline]
 kasan_slab_free+0x72/0xc0 mm/kasan/kasan.c:582
 slab_free_hook mm/slub.c:1355 [inline]
 slab_free_freelist_hook mm/slub.c:1377 [inline]
 slab_free mm/slub.c:2958 [inline]
 kfree+0xfb/0x310 mm/slub.c:3878
 kernfs_fop_release+0xff/0x140 fs/kernfs/file.c:744
 __fput+0x263/0x700 fs/file_table.c:208
 ____fput+0x15/0x20 fs/file_table.c:244
 task_work_run+0x10c/0x180 kernel/task_work.c:116
 tracehook_notify_resume include/linux/tracehook.h:191 [inline]
 exit_to_usermode_loop+0xfc/0x120 arch/x86/entry/common.c:161
 prepare_exit_to_usermode arch/x86/entry/common.c:191 [inline]
 syscall_return_slowpath arch/x86/entry/common.c:260 [inline]
 do_syscall_64+0x364/0x490 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_swapgs+0x5d/0xdb

The buggy address belongs to the object at ffff8801b7436f00
 which belongs to the cache kmalloc-512 of size 512
The buggy address is located 64 bytes inside of
 512-byte region [ffff8801b7436f00, ffff8801b7437100)
The buggy address belongs to the page:
page:ffffea0006dd0d80 count:1 mapcount:0 mapping:          (null) index:0x0 compound_mapcount: 0
flags: 0x8000000000004080(slab|head)
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8801b7437000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff8801b7437080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff8801b7437100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                   ^
 ffff8801b7437180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8801b7437200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================