syzbot


KASAN: slab-out-of-bounds Write in ip6_setup_cork

Status: auto-closed as invalid on 2019/02/22 14:33
First crash: 2572d, last: 2562d

Sample crash report:
==================================================================
netlink: 1 bytes leftover after parsing attributes in process `syz-executor7'.
BUG: KASAN: slab-out-of-bounds in ip6_setup_cork+0xf4a/0x1200 net/ipv6/ip6_output.c:1230 at addr ffff8801d89fd8bc
Write of size 4 by task syz-executor4/15034
CPU: 1 PID: 15034 Comm: syz-executor4 Not tainted 4.9.62-gf09daf1 #91
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801c71cf608 ffffffff81d94429 ffff8801da001c80 ffff8801d89fd8b8[   92.557666] netlink: 1 bytes leftover after parsing attributes in process `syz-executor7'.
 ffff8801d89fd8c0 ffffed003b13fb17 ffff8801d89fd8bc ffff8801c71cf630
 ffffffff8153e3ac ffffed003b13fb17 ffff8801da001c80 0000000000000001
Call Trace:
 [<ffffffff81d94429>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81d94429>] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [<ffffffff8153e3ac>] kasan_object_err+0x1c/0x70 mm/kasan/report.c:160
 [<ffffffff8153e66c>] print_address_description mm/kasan/report.c:198 [inline]
 [<ffffffff8153e66c>] kasan_report_error mm/kasan/report.c:287 [inline]
 [<ffffffff8153e66c>] kasan_report.part.1+0x21c/0x500 mm/kasan/report.c:309
 [<ffffffff8153eacc>] kasan_report mm/kasan/report.c:334 [inline]
 [<ffffffff8153eacc>] __asan_report_store4_noabort+0x2c/0x30 mm/kasan/report.c:334
 [<ffffffff834132ea>] ip6_setup_cork+0xf4a/0x1200 net/ipv6/ip6_output.c:1230
 [<ffffffff83426328>] ip6_make_skb+0x1b8/0x440 net/ipv6/ip6_output.c:1802
 [<ffffffff8348c27d>] udpv6_sendmsg+0x1b1d/0x2540 net/ipv6/udp.c:1240
 [<ffffffff832edcec>] inet_sendmsg+0x2bc/0x4c0 net/ipv4/af_inet.c:770
 [<ffffffff82ed2b9a>] sock_sendmsg_nosec net/socket.c:635 [inline]
 [<ffffffff82ed2b9a>] sock_sendmsg+0xca/0x110 net/socket.c:645
 [<ffffffff82ed3af8>] SYSC_sendto+0x2c8/0x340 net/socket.c:1670
 [<ffffffff82ed5fe0>] SyS_sendto+0x40/0x50 net/socket.c:1638
 [<ffffffff838af485>] entry_SYSCALL_64_fastpath+0x23/0xc6
Object at ffff8801d89fd8b8, in cache kmalloc-8 size: 8
Allocated:
PID = 15034
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:495
 set_track mm/kasan/kasan.c:507 [inline]
 kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598
 __kmalloc+0x11d/0x310 mm/slub.c:3741
 kmalloc include/linux/slab.h:495 [inline]
 kzalloc include/linux/slab.h:636 [inline]
 ip6_setup_cork+0x194/0x1200 net/ipv6/ip6_output.c:1226
 ip6_make_skb+0x1b8/0x440 net/ipv6/ip6_output.c:1802
 udpv6_sendmsg+0x1b1d/0x2540 net/ipv6/udp.c:1240
 inet_sendmsg+0x2bc/0x4c0 net/ipv4/af_inet.c:770
 sock_sendmsg_nosec net/socket.c:635 [inline]
 sock_sendmsg+0xca/0x110 net/socket.c:645
 SYSC_sendto+0x2c8/0x340 net/socket.c:1670
 SyS_sendto+0x40/0x50 net/socket.c:1638
 entry_SYSCALL_64_fastpath+0x23/0xc6
Freed:
PID = 14914
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:495
 set_track mm/kasan/kasan.c:507 [inline]
 kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:571
 slab_free_hook mm/slub.c:1355 [inline]
 slab_free_freelist_hook mm/slub.c:1377 [inline]
 slab_free mm/slub.c:2958 [inline]
 kfree+0xf0/0x2f0 mm/slub.c:3878
 kfree_const+0x31/0x40 mm/util.c:35
 free_vfsmnt+0x5b/0xb0 fs/namespace.c:586
 delayed_free_vfsmnt+0x16/0x20 fs/namespace.c:595
 __rcu_reclaim kernel/rcu/rcu.h:118 [inline]
 rcu_do_batch kernel/rcu/tree.c:2789 [inline]
 invoke_rcu_callbacks kernel/rcu/tree.c:3053 [inline]
 __rcu_process_callbacks kernel/rcu/tree.c:3020 [inline]
 rcu_process_callbacks+0x871/0x12c0 kernel/rcu/tree.c:3037
 __do_softirq+0x206/0x951 kernel/softirq.c:284
Memory state around the buggy address:
 ffff8801d89fd780: fb fc fc fb fc fc fb fc fc fb fc fc fb fc fc fb
 ffff8801d89fd800: fc fc fb fc fc fb fc fc fb fc fc fb fc fc fb fc
>ffff8801d89fd880: fc fb fc fc fb fc fc 01 fc fc fb fc fc fb fc fc
                                        ^
 ffff8801d89fd900: fb fc fc fb fc fc fb fc fc fb fc fc fb fc fc fb
 ffff8801d89fd980: fc fc fb fc fc fb fc fc fb fc fc fb fc fc fb fc
==================================================================
==================================================================
BUG: KASAN: slab-out-of-bounds in ip6_setup_cork+0xf2c/0x1200 net/ipv6/ip6_output.c:1231 at addr ffff8801d89fd8c0
Write of size 2 by task syz-executor4/15034
CPU: 1 PID: 15034 Comm: syz-executor4 Tainted: G    B           4.9.62-gf09daf1 #91
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801c71cf608 ffffffff81d94429 ffff8801da001c80 ffff8801d89fd8b8
 ffff8801d89fd8c0 ffffed003b13fb18 ffff8801d89fd8c0 ffff8801c71cf630
 ffffffff8153e3ac ffffed003b13fb18 ffff8801da001c80 0000000000000001
Call Trace:
 [<ffffffff81d94429>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81d94429>] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [<ffffffff8153e3ac>] kasan_object_err+0x1c/0x70 mm/kasan/report.c:160
 [<ffffffff8153e66c>] print_address_description mm/kasan/report.c:198 [inline]
 [<ffffffff8153e66c>] kasan_report_error mm/kasan/report.c:287 [inline]
 [<ffffffff8153e66c>] kasan_report.part.1+0x21c/0x500 mm/kasan/report.c:309
 [<ffffffff8153ea9c>] kasan_report mm/kasan/report.c:333 [inline]
 [<ffffffff8153ea9c>] __asan_report_store2_noabort+0x2c/0x30 mm/kasan/report.c:333
 [<ffffffff834132cc>] ip6_setup_cork+0xf2c/0x1200 net/ipv6/ip6_output.c:1231
 [<ffffffff83426328>] ip6_make_skb+0x1b8/0x440 net/ipv6/ip6_output.c:1802
 [<ffffffff8348c27d>] udpv6_sendmsg+0x1b1d/0x2540 net/ipv6/udp.c:1240
 [<ffffffff832edcec>] inet_sendmsg+0x2bc/0x4c0 net/ipv4/af_inet.c:770
 [<ffffffff82ed2b9a>] sock_sendmsg_nosec net/socket.c:635 [inline]
 [<ffffffff82ed2b9a>] sock_sendmsg+0xca/0x110 net/socket.c:645
 [<ffffffff82ed3af8>] SYSC_sendto+0x2c8/0x340 net/socket.c:1670
 [<ffffffff82ed5fe0>] SyS_sendto+0x40/0x50 net/socket.c:1638
 [<ffffffff838af485>] entry_SYSCALL_64_fastpath+0x23/0xc6
Object at ffff8801d89fd8b8, in cache kmalloc-8 size: 8
Allocated:
PID = 15034
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:495
 set_track mm/kasan/kasan.c:507 [inline]
 kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598
 __kmalloc+0x11d/0x310 mm/slub.c:3741
 kmalloc include/linux/slab.h:495 [inline]
 kzalloc include/linux/slab.h:636 [inline]
 ip6_setup_cork+0x194/0x1200 net/ipv6/ip6_output.c:1226
 ip6_make_skb+0x1b8/0x440 net/ipv6/ip6_output.c:1802
 udpv6_sendmsg+0x1b1d/0x2540 net/ipv6/udp.c:1240
 inet_sendmsg+0x2bc/0x4c0 net/ipv4/af_inet.c:770
 sock_sendmsg_nosec net/socket.c:635 [inline]
 sock_sendmsg+0xca/0x110 net/socket.c:645
 SYSC_sendto+0x2c8/0x340 net/socket.c:1670
 SyS_sendto+0x40/0x50 net/socket.c:1638
 entry_SYSCALL_64_fastpath+0x23/0xc6
Freed:
PID = 14914
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:495
 set_track mm/kasan/kasan.c:507 [inline]
 kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:571
 slab_free_hook mm/slub.c:1355 [inline]
 slab_free_freelist_hook mm/slub.c:1377 [inline]
 slab_free mm/slub.c:2958 [inline]
 kfree+0xf0/0x2f0 mm/slub.c:3878
 kfree_const+0x31/0x40 mm/util.c:35
 free_vfsmnt+0x5b/0xb0 fs/namespace.c:586
 delayed_free_vfsmnt+0x16/0x20 fs/namespace.c:595
 __rcu_reclaim kernel/rcu/rcu.h:118 [inline]
 rcu_do_batch kernel/rcu/tree.c:2789 [inline]
 invoke_rcu_callbacks kernel/rcu/tree.c:3053 [inline]
 __rcu_process_callbacks kernel/rcu/tree.c:3020 [inline]
 rcu_process_callbacks+0x871/0x12c0 kernel/rcu/tree.c:3037
 __do_softirq+0x206/0x951 kernel/softirq.c:284
Memory state around the buggy address:
 ffff8801d89fd780: fb fc fc fb fc fc fb fc fc fb fc fc fb fc fc fb
 ffff8801d89fd800: fc fc fb fc fc fb fc fc fb fc fc fb fc fc fb fc
>ffff8801d89fd880: fc fb fc fc fb fc fc 01 fc fc fb fc fc fb fc fc
                                           ^
 ffff8801d89fd900: fb fc fc fb fc fc fb fc fc fb fc fc fb fc fc fb
 ffff8801d89fd980: fc fc fb fc fc fb fc fc fb fc fc fb fc fc fb fc
==================================================================
==================================================================
BUG: KASAN: slab-out-of-bounds in ip6_setup_cork+0xf40/0x1200 net/ipv6/ip6_output.c:1232 at addr ffff8801d89fd8c2
Write of size 2 by task syz-executor4/15034
CPU: 1 PID: 15034 Comm: syz-executor4 Tainted: G    B           4.9.62-gf09daf1 #91
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801c71cf608 ffffffff81d94429 ffff8801da001c80 ffff8801d89fd8b8
 ffff8801d89fd8c0 ffffed003b13fb18 ffff8801d89fd8c2 ffff8801c71cf630
 ffffffff8153e3ac ffffed003b13fb18 ffff8801da001c80 0000000000000001
Call Trace:
 [<ffffffff81d94429>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81d94429>] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [<ffffffff8153e3ac>] kasan_object_err+0x1c/0x70 mm/kasan/report.c:160
 [<ffffffff8153e66c>] print_address_description mm/kasan/report.c:198 [inline]
 [<ffffffff8153e66c>] kasan_report_error mm/kasan/report.c:287 [inline]
 [<ffffffff8153e66c>] kasan_report.part.1+0x21c/0x500 mm/kasan/report.c:309
 [<ffffffff8153ea9c>] kasan_report mm/kasan/report.c:333 [inline]
 [<ffffffff8153ea9c>] __asan_report_store2_noabort+0x2c/0x30 mm/kasan/report.c:333
 [<ffffffff834132e0>] ip6_setup_cork+0xf40/0x1200 net/ipv6/ip6_output.c:1232
 [<ffffffff83426328>] ip6_make_skb+0x1b8/0x440 net/ipv6/ip6_output.c:1802
 [<ffffffff8348c27d>] udpv6_sendmsg+0x1b1d/0x2540 net/ipv6/udp.c:1240
 [<ffffffff832edcec>] inet_sendmsg+0x2bc/0x4c0 net/ipv4/af_inet.c:770
 [<ffffffff82ed2b9a>] sock_sendmsg_nosec net/socket.c:635 [inline]
 [<ffffffff82ed2b9a>] sock_sendmsg+0xca/0x110 net/socket.c:645
 [<ffffffff82ed3af8>] SYSC_sendto+0x2c8/0x340 net/socket.c:1670
 [<ffffffff82ed5fe0>] SyS_sendto+0x40/0x50 net/socket.c:1638
 [<ffffffff838af485>] entry_SYSCALL_64_fastpath+0x23/0xc6
Object at ffff8801d89fd8b8, in cache kmalloc-8 size: 8
Allocated:
PID = 8
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:495
 set_track mm/kasan/kasan.c:507 [inline]
 kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598
 __kmalloc+0x11d/0x310 mm/slub.c:3741
 kmalloc include/linux/slab.h:495 [inline]
 kzalloc include/linux/slab.h:636 [inline]
 ip6_setup_cork+0x194/0x1200 net/ipv6/ip6_output.c:1226
 ip6_make_skb+0x1b8/0x440 net/ipv6/ip6_output.c:1802
 udpv6_sendmsg+0x1b1d/0x2540 net/ipv6/udp.c:1240
 inet_sendmsg+0x2bc/0x4c0 net/ipv4/af_inet.c:770
 sock_sendmsg_nosec net/socket.c:635 [inline]
 sock_sendmsg+0xca/0x110 net/socket.c:645
 SYSC_sendto+0x2c8/0x340 net/socket.c:1670
 SyS_sendto+0x40/0x50 net/socket.c:1638
 entry_SYSCALL_64_fastpath+0x23/0xc6
Freed:
PID = 14914
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:495
 set_track mm/kasan/kasan.c:507 [inline]
 kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:571
 slab_free_hook mm/slub.c:1355 [inline]
 slab_free_freelist_hook mm/slub.c:1377 [inline]
 slab_free mm/slub.c:2958 [inline]
 kfree+0xf0/0x2f0 mm/slub.c:3878
 kfree_const+0x31/0x40 mm/util.c:35
 free_vfsmnt+0x5b/0xb0 fs/namespace.c:586
 delayed_free_vfsmnt+0x16/0x20 fs/namespace.c:595
 __rcu_reclaim kernel/rcu/rcu.h:118 [inline]
 rcu_do_batch kernel/rcu/tree.c:2789 [inline]
 invoke_rcu_callbacks kernel/rcu/tree.c:3053 [inline]
 __rcu_process_callbacks kernel/rcu/tree.c:3020 [inline]
 rcu_process_callbacks+0x871/0x12c0 kernel/rcu/tree.c:3037
 __do_softirq+0x206/0x951 kernel/softirq.c:284
Memory state around the buggy address:
 ffff8801d89fd780: fb fc fc fb fc fc fb fc fc fb fc fc fb fc fc fb
 ffff8801d89fd800: fc fc fb fc fc fb fc fc fb fc fc fb fc fc fb fc
>ffff8801d89fd880: fc fb fc fc fb fc fc 01 fc fc fb fc fc fb fc fc
                                           ^
 ffff8801d89fd900: fb fc fc fb fc fc fb fc fc fb fc fc fb fc fc fb
 ffff8801d89fd980: fc fc fb fc fc fb fc fc fb fc fc fb fc fc fb fc
==================================================================
==================================================================
BUG: KASAN: use-after-free in ip6_setup_cork+0x1048/0x1200 net/ipv6/ip6_output.c:1234 at addr ffff8801d89fd8d0
Write of size 8 by task syz-executor4/15034
CPU: 0 PID: 15034 Comm: syz-executor4 Tainted: G    B           4.9.62-gf09daf1 #91
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801c71cf608 ffffffff81d94429 ffff8801da001c80 ffff8801d89fd8d0
 ffff8801d89fd8d8 ffffed003b13fb1a ffff8801d89fd8d0 ffff8801c71cf630
 ffffffff8153e3ac ffffed003b13fb1a ffff8801da001c80 0000000000000001
Call Trace:
 [<ffffffff81d94429>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81d94429>] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [<ffffffff8153e3ac>] kasan_object_err+0x1c/0x70 mm/kasan/report.c:160
 [<ffffffff8153e66c>] print_address_description mm/kasan/report.c:198 [inline]
 [<ffffffff8153e66c>] kasan_report_error mm/kasan/report.c:287 [inline]
 [<ffffffff8153e66c>] kasan_report.part.1+0x21c/0x500 mm/kasan/report.c:309
 [<ffffffff8153eafc>] kasan_report mm/kasan/report.c:335 [inline]
 [<ffffffff8153eafc>] __asan_report_store8_noabort+0x2c/0x30 mm/kasan/report.c:335
 [<ffffffff834133e8>] ip6_setup_cork+0x1048/0x1200 net/ipv6/ip6_output.c:1234
 [<ffffffff83426328>] ip6_make_skb+0x1b8/0x440 net/ipv6/ip6_output.c:1802
 [<ffffffff8348c27d>] udpv6_sendmsg+0x1b1d/0x2540 net/ipv6/udp.c:1240
 [<ffffffff832edcec>] inet_sendmsg+0x2bc/0x4c0 net/ipv4/af_inet.c:770
 [<ffffffff82ed2b9a>] sock_sendmsg_nosec net/socket.c:635 [inline]
 [<ffffffff82ed2b9a>] sock_sendmsg+0xca/0x110 net/socket.c:645
 [<ffffffff82ed3af8>] SYSC_sendto+0x2c8/0x340 net/socket.c:1670
 [<ffffffff82ed5fe0>] SyS_sendto+0x40/0x50 net/socket.c:1638
 [<ffffffff838af485>] entry_SYSCALL_64_fastpath+0x23/0xc6
Object at ffff8801d89fd8d0, in cache kmalloc-8 size: 8
Allocated:
PID = 14888
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:495
 set_track mm/kasan/kasan.c:507 [inline]
 kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598
 __kmalloc+0x11d/0x310 mm/slub.c:3741
 kmalloc_array include/linux/slab.h:582 [inline]
 kcalloc include/linux/slab.h:593 [inline]
 bpf_convert_filter+0xce/0x1a40 net/core/filter.c:382
 bpf_migrate_filter net/core/filter.c:1009 [inline]
 bpf_prepare_filter+0xab8/0xd90 net/core/filter.c:1068
 bpf_prog_create_from_user+0x1c8/0x2c0 net/core/filter.c:1162
 seccomp_prepare_filter kernel/seccomp.c:373 [inline]
 seccomp_prepare_user_filter kernel/seccomp.c:408 [inline]
 seccomp_set_mode_filter kernel/seccomp.c:750 [inline]
 do_seccomp+0x632/0x1860 kernel/seccomp.c:800
 SYSC_seccomp kernel/seccomp.c:809 [inline]
 SyS_seccomp+0x24/0x30 kernel/seccomp.c:806
 entry_SYSCALL_64_fastpath+0x23/0xc6
Freed:
PID = 14888
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:495
 set_track mm/kasan/kasan.c:507 [inline]
 kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:571
 slab_free_hook mm/slub.c:1355 [inline]
 slab_free_freelist_hook mm/slub.c:1377 [inline]
 slab_free mm/slub.c:2958 [inline]
 kfree+0xf0/0x2f0 mm/slub.c:3878
 bpf_convert_filter+0x16d7/0x1a40 net/core/filter.c:630
 bpf_migrate_filter net/core/filter.c:1009 [inline]
 bpf_prepare_filter+0xab8/0xd90 net/core/filter.c:1068
 bpf_prog_create_from_user+0x1c8/0x2c0 net/core/filter.c:1162
 seccomp_prepare_filter kernel/seccomp.c:373 [inline]
 seccomp_prepare_user_filter kernel/seccomp.c:408 [inline]
 seccomp_set_mode_filter kernel/seccomp.c:750 [inline]
 do_seccomp+0x632/0x1860 kernel/seccomp.c:800
 SYSC_seccomp kernel/seccomp.c:809 [inline]
 SyS_seccomp+0x24/0x30 kernel/seccomp.c:806
 entry_SYSCALL_64_fastpath+0x23/0xc6
Memory state around the buggy address:
 ffff8801d89fd780: fb fc fc fb fc fc fb fc fc fb fc fc fb fc fc fb
 ffff8801d89fd800: fc fc fb fc fc fb fc fc fb fc fc fb fc fc fb fc
>ffff8801d89fd880: fc fb fc fc fb fc fc 01 fc fc fb fc fc fb fc fc
                                                 ^
 ffff8801d89fd900: fb fc fc fb fc fc fb fc fc fb fc fc fb fc fc fb
 ffff8801d89fd980: fc fc fb fc fc fb fc fc fb fc fc fb fc fc fb fc
==================================================================
==================================================================
BUG: KASAN: slab-out-of-bounds in ip6_setup_cork+0x1102/0x1200 net/ipv6/ip6_output.c:1239 at addr ffff8801d89fd8e0
Write of size 8 by task syz-executor4/15034
CPU: 0 PID: 15034 Comm: syz-executor4 Tainted: G    B           4.9.62-gf09daf1 #91
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801c71cf608 ffffffff81d94429 ffff8801da001c80 ffff8801d89fd8d0
 ffff8801d89fd8d8 ffffed003b13fb1c ffff8801d89fd8e0 ffff8801c71cf630
 ffffffff8153e3ac ffffed003b13fb1c ffff8801da001c80 0000000000000001
Call Trace:
 [<ffffffff81d94429>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81d94429>] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [<ffffffff8153e3ac>] kasan_object_err+0x1c/0x70 mm/kasan/report.c:160
 [<ffffffff8153e66c>] print_address_description mm/kasan/report.c:198 [inline]
 [<ffffffff8153e66c>] kasan_report_error mm/kasan/report.c:287 [inline]
 [<ffffffff8153e66c>] kasan_report.part.1+0x21c/0x500 mm/kasan/report.c:309
 [<ffffffff8153eafc>] kasan_report mm/kasan/report.c:335 [inline]
 [<ffffffff8153eafc>] __asan_report_store8_noabort+0x2c/0x30 mm/kasan/report.c:335
 [<ffffffff834134a2>] ip6_setup_cork+0x1102/0x1200 net/ipv6/ip6_output.c:1239
 [<ffffffff83426328>] ip6_make_skb+0x1b8/0x440 net/ipv6/ip6_output.c:1802
 [<ffffffff8348c27d>] udpv6_sendmsg+0x1b1d/0x2540 net/ipv6/udp.c:1240
 [<ffffffff832edcec>] inet_sendmsg+0x2bc/0x4c0 net/ipv4/af_inet.c:770
 [<ffffffff82ed2b9a>] sock_sendmsg_nosec net/socket.c:635 [inline]
 [<ffffffff82ed2b9a>] sock_sendmsg+0xca/0x110 net/socket.c:645
 [<ffffffff82ed3af8>] SYSC_sendto+0x2c8/0x340 net/socket.c:1670
 [<ffffffff82ed5fe0>] SyS_sendto+0x40/0x50 net/socket.c:1638
 [<ffffffff838af485>] entry_SYSCALL_64_fastpath+0x23/0xc6
Object at ffff8801d89fd8d0, in cache kmalloc-8 size: 8
Allocated:
PID = 15076
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:495
 set_track mm/kasan/kasan.c:507 [inline]
 kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598
 kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:537
 slab_post_alloc_hook mm/slab.h:417 [inline]
 slab_alloc_node mm/slub.c:2715 [inline]
 slab_alloc mm/slub.c:2723 [inline]
 __kmalloc_track_caller+0xda/0x2b0 mm/slub.c:4232
 memdup_user+0x2c/0xb0 mm/util.c:137
 strndup_user+0x62/0xb0 mm/util.c:168
 SYSC_add_key security/keys/keyctl.c:82 [inline]
 SyS_add_key+0xd3/0x390 security/keys/keyctl.c:60
 entry_SYSCALL_64_fastpath+0x23/0xc6
Freed:
PID = 15076
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:495
 set_track mm/kasan/kasan.c:507 [inline]
 kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:571
 slab_free_hook mm/slub.c:1355 [inline]
 slab_free_freelist_hook mm/slub.c:1377 [inline]
 slab_free mm/slub.c:2958 [inline]
 kfree+0xf0/0x2f0 mm/slub.c:3878
 SYSC_add_key security/keys/keyctl.c:140 [inline]
 SyS_add_key+0x236/0x390 security/keys/keyctl.c:60
 entry_SYSCALL_64_fastpath+0x23/0xc6
Memory state around the buggy address:
 ffff8801d89fd780: fb fc fc fb fc fc fb fc fc fb fc fc fb fc fc fb
 ffff8801d89fd800: fc fc fb fc fc 04 fc fc 00 fc fc fb fc fc fb fc
>ffff8801d89fd880: fc fb fc fc fb fc fc 01 fc fc fb fc fc fb fc fc
                                                       ^
 ffff8801d89fd900: fb fc fc fb fc fc fb fc fc fb fc fc fb fc fc fb
 ffff8801d89fd980: fc fc fb fc fc fb fc fc fb fc fc fb fc fc fb fc
==================================================================
==================================================================
BUG: KASAN: slab-out-of-bounds in ip6_setup_cork+0x10b6/0x1200 net/ipv6/ip6_output.c:1241 at addr ffff8801d89fd8e0
Read of size 8 by task syz-executor4/15034
CPU: 0 PID: 15034 Comm: syz-executor4 Tainted: G    B           4.9.62-gf09daf1 #91
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801c71cf608 ffffffff81d94429 ffff8801da001c80 ffff8801d89fd8d0
 ffff8801d89fd8d8 ffffed003b13fb1c ffff8801d89fd8e0 ffff8801c71cf630
 ffffffff8153e3ac ffffed003b13fb1c ffff8801da001c80 0000000000000000
Call Trace:
 [<ffffffff81d94429>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81d94429>] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [<ffffffff8153e3ac>] kasan_object_err+0x1c/0x70 mm/kasan/report.c:160
 [<ffffffff8153e66c>] print_address_description mm/kasan/report.c:198 [inline]
 [<ffffffff8153e66c>] kasan_report_error mm/kasan/report.c:287 [inline]
 [<ffffffff8153e66c>] kasan_report.part.1+0x21c/0x500 mm/kasan/report.c:309
 [<ffffffff8153ea09>] kasan_report mm/kasan/report.c:330 [inline]
 [<ffffffff8153ea09>] __asan_report_load8_noabort+0x29/0x30 mm/kasan/report.c:330
 [<ffffffff83413456>] ip6_setup_cork+0x10b6/0x1200 net/ipv6/ip6_output.c:1241
 [<ffffffff83426328>] ip6_make_skb+0x1b8/0x440 net/ipv6/ip6_output.c:1802
 [<ffffffff8348c27d>] udpv6_sendmsg+0x1b1d/0x2540 net/ipv6/udp.c:1240
 [<ffffffff832edcec>] inet_sendmsg+0x2bc/0x4c0 net/ipv4/af_inet.c:770
 [<ffffffff82ed2b9a>] sock_sendmsg_nosec net/socket.c:635 [inline]
 [<ffffffff82ed2b9a>] sock_sendmsg+0xca/0x110 net/socket.c:645
 [<ffffffff82ed3af8>] SYSC_sendto+0x2c8/0x340 net/socket.c:1670
 [<ffffffff82ed5fe0>] SyS_sendto+0x40/0x50 net/socket.c:1638
 [<ffffffff838af485>] entry_SYSCALL_64_fastpath+0x23/0xc6
Object at ffff8801d89fd8d0, in cache kmalloc-8 size: 8
Allocated:
PID = 15076
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:495
 set_track mm/kasan/kasan.c:507 [inline]
 kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598
 kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:537
 slab_post_alloc_hook mm/slab.h:417 [inline]
 slab_alloc_node mm/slub.c:2715 [inline]
 slab_alloc mm/slub.c:2723 [inline]
 __kmalloc_track_caller+0xda/0x2b0 mm/slub.c:4232
 memdup_user+0x2c/0xb0 mm/util.c:137
 strndup_user+0x62/0xb0 mm/util.c:168
 SYSC_add_key security/keys/keyctl.c:82 [inline]
 SyS_add_key+0xd3/0x390 security/keys/keyctl.c:60
 entry_SYSCALL_64_fastpath+0x23/0xc6
Freed:
PID = 3451975336
BUG: unable to handle kernel paging request at ffffffff87109fa8
IP: [<ffffffff81e43025>] depot_fetch_stack+0x15/0x40 lib/stackdepot.c:194
PGD 441e067 [   95.128931] PUD 441f063 
Oops: 0000 [#1] PREEMPT SMP KASAN
Dumping ftrace buffer:
   (ftrace buffer empty)
Modules linked in:
CPU: 0 PID: 15034 Comm: syz-executor4 Tainted: G    B           4.9.62-gf09daf1 #91
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
task: ffff8801d0aeb000 task.stack: ffff8801c71c8000
RIP: 0010:[<ffffffff81e43025>]  [<ffffffff81e43025>] depot_fetch_stack+0x15/0x40 lib/stackdepot.c:194
RSP: 0018:ffff8801c71cf5d8  EFLAGS: 00010006
RAX: 00000000001f8801 RBX: ffff8801d89fd8e0 RCX: ffffc90002ed7000
RDX: 0000000000000000 RSI: ffff8801c71cf5e0 RDI: 0000000000003ff0
RBP: ffff8801c71cf608 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000008 R11: 0000000000000000 R12: ffff8801d89fd8d0
R13: ffff8801d89fd8d8 R14: ffffed003b13fb1c R15: ffff8801d89fd8e0
FS:  00007fe32c5d6700(0000) GS:ffff8801db200000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffffff87109fa8 CR3: 00000001aa640000 CR4: 00000000001406f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Stack:
 ffffffff8156572e 0000000000000000 ffff8801da001c80 0000000000000008
 0935a89996485254 ffff8801da001c80 ffff8801c71cf630 ffffffff8153e3f8
 ffffed003b13fb1c ffff8801da001c80 0000000000000000 ffff8801c71cf6b8
Call Trace:
 [<ffffffff8153e3f8>] kasan_object_err+0x68/0x70 mm/kasan/report.c:170
 [<ffffffff8153e66c>] print_address_description mm/kasan/report.c:198 [inline]
 [<ffffffff8153e66c>] kasan_report_error mm/kasan/report.c:287 [inline]
 [<ffffffff8153e66c>] kasan_report.part.1+0x21c/0x500 mm/kasan/report.c:309
 [<ffffffff8153ea09>] kasan_report mm/kasan/report.c:330 [inline]
 [<ffffffff8153ea09>] __asan_report_load8_noabort+0x29/0x30 mm/kasan/report.c:330
 [<ffffffff83413456>] ip6_setup_cork+0x10b6/0x1200 net/ipv6/ip6_output.c:1241
 [<ffffffff83426328>] ip6_make_skb+0x1b8/0x440 net/ipv6/ip6_output.c:1802
 [<ffffffff8348c27d>] udpv6_sendmsg+0x1b1d/0x2540 net/ipv6/udp.c:1240
 [<ffffffff832edcec>] inet_sendmsg+0x2bc/0x4c0 net/ipv4/af_inet.c:770
 [<ffffffff82ed2b9a>] sock_sendmsg_nosec net/socket.c:635 [inline]
 [<ffffffff82ed2b9a>] sock_sendmsg+0xca/0x110 net/socket.c:645
 [<ffffffff82ed3af8>] SYSC_sendto+0x2c8/0x340 net/socket.c:1670
 [<ffffffff82ed5fe0>] SyS_sendto+0x40/0x50 net/socket.c:1638
 [<ffffffff838af485>] entry_SYSCALL_64_fastpath+0x23/0xc6
Code: 92 52 ff 0f 0b e8 dc b9 6f ff eb de 66 2e 0f 1f 84 00 00 00 00 00 89 f8 c1 ef 11 55 25 ff ff 1f 00 81 e7 f0 3f 00 00 48 89 e5 5d <48> 03 3c c5 a0 5f 14 86 8b 47 0c 48 83 c7 18 c7 46 10 00 00 00 
RIP  [<ffffffff81e43025>] depot_fetch_stack+0x15/0x40 lib/stackdepot.c:194
 RSP <ffff8801c71cf5d8>
CR2: ffffffff87109fa8
---[ end trace b49e33345a836bed ]---

Crashes (7):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets Manager Title
2017/11/18 16:37 https://android.googlesource.com/kernel/common android-4.9 f09daf140e6e bf820689 .config console log report ci-android-49-kasan-gce
2017/11/18 15:01 https://android.googlesource.com/kernel/common android-4.9 f09daf140e6e bf820689 .config console log report ci-android-49-kasan-gce
2017/11/18 05:32 https://android.googlesource.com/kernel/common android-4.9 f09daf140e6e bf820689 .config console log report ci-android-49-kasan-gce
2017/11/14 01:03 https://android.googlesource.com/kernel/common android-4.9 d55e63001fc4 cf38de00 .config console log report ci-android-49-kasan-gce
2017/11/08 11:35 https://android.googlesource.com/kernel/common android-4.9 4ca16e66434d 699e0a68 .config console log report ci-android-49-kasan-gce
2017/11/08 06:03 https://android.googlesource.com/kernel/common android-4.9 4ca16e66434d 699e0a68 .config console log report ci-android-49-kasan-gce
2017/11/08 00:26 https://android.googlesource.com/kernel/common android-4.9 e0907557efa6 d49979f7 .config console log report ci-android-49-kasan-gce