================================================================== BUG: KASAN: slab-out-of-bounds in string+0x1e8/0x200 lib/vsprintf.c:592 Read of size 1 at addr ffff8801d86fe1a1 by task syz-executor3/14380 CPU: 1 PID: 14380 Comm: syz-executor3 Not tainted 4.9.78-ge9dabe6 #28 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 ffff8801cad4f5d0 ffffffff81d943a9 ffffea000761bf80 ffff8801d86fe1a1 0000000000000000 ffff8801d86fe1a1 ffff8801cad4f82c ffff8801cad4f608 ffffffff8153dc23 ffff8801d86fe1a1 0000000000000001 0000000000000000 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xc1/0x128 lib/dump_stack.c:51 [] print_address_description+0x73/0x280 mm/kasan/report.c:252 [] kasan_report_error mm/kasan/report.c:351 [inline] [] kasan_report+0x275/0x360 mm/kasan/report.c:408 [] __asan_report_load1_noabort+0x14/0x20 mm/kasan/report.c:426 [] string+0x1e8/0x200 lib/vsprintf.c:592 [] vsnprintf+0x7ad/0x16d0 lib/vsprintf.c:2044 [] __request_module+0x14f/0x750 kernel/kmod.c:146 [] xt_request_find_target+0x8b/0xb0 net/netfilter/x_tables.c:256 [] check_compat_entry_size_and_hooks net/ipv4/netfilter/ip_tables.c:1342 [inline] [] translate_compat_table+0x568/0x1760 net/ipv4/netfilter/ip_tables.c:1431 [] ? 0xffffffff810002b8 [] compat_do_replace.isra.15+0x1a7/0x3a0 net/ipv4/netfilter/ip_tables.c:1534 [] compat_do_ipt_set_ctl+0x106/0x150 net/ipv4/netfilter/ip_tables.c:1563 [] compat_nf_sockopt net/netfilter/nf_sockopt.c:143 [inline] [] compat_nf_setsockopt+0x88/0x130 net/netfilter/nf_sockopt.c:155 [] compat_ip_setsockopt+0x9d/0xf0 net/ipv4/ip_sockglue.c:1277 [] inet_csk_compat_setsockopt+0x95/0x120 net/ipv4/inet_connection_sock.c:914 [] compat_tcp_setsockopt+0x3d/0x70 net/ipv4/tcp.c:2748 [] compat_sock_common_setsockopt+0xb2/0x140 net/core/sock.c:2717 [] C_SYSC_setsockopt net/compat.c:398 [inline] [] compat_SyS_setsockopt+0x149/0x290 net/compat.c:381 [] do_syscall_32_irqs_on arch/x86/entry/common.c:322 [inline] [] do_fast_syscall_32+0x2f7/0x890 arch/x86/entry/common.c:384 [] entry_SYSENTER_compat+0x74/0x83 arch/x86/entry/entry_64_compat.S:127 Allocated by task 14380: save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 save_stack+0x43/0xd0 mm/kasan/kasan.c:505 set_track mm/kasan/kasan.c:517 [inline] kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:609 __kmalloc+0x11d/0x310 mm/slub.c:3741 kmalloc include/linux/slab.h:495 [inline] xt_alloc_table_info+0x71/0x100 net/netfilter/x_tables.c:959 compat_do_replace.isra.15+0x116/0x3a0 net/ipv4/netfilter/ip_tables.c:1523 compat_do_ipt_set_ctl+0x106/0x150 net/ipv4/netfilter/ip_tables.c:1563 compat_nf_sockopt net/netfilter/nf_sockopt.c:143 [inline] compat_nf_setsockopt+0x88/0x130 net/netfilter/nf_sockopt.c:155 compat_ip_setsockopt+0x9d/0xf0 net/ipv4/ip_sockglue.c:1277 inet_csk_compat_setsockopt+0x95/0x120 net/ipv4/inet_connection_sock.c:914 compat_tcp_setsockopt+0x3d/0x70 net/ipv4/tcp.c:2748 compat_sock_common_setsockopt+0xb2/0x140 net/core/sock.c:2717 C_SYSC_setsockopt net/compat.c:398 [inline] compat_SyS_setsockopt+0x149/0x290 net/compat.c:381 do_syscall_32_irqs_on arch/x86/entry/common.c:322 [inline] do_fast_syscall_32+0x2f7/0x890 arch/x86/entry/common.c:384 entry_SYSENTER_compat+0x74/0x83 arch/x86/entry/entry_64_compat.S:127 Freed by task 5512: save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 save_stack+0x43/0xd0 mm/kasan/kasan.c:505 set_track mm/kasan/kasan.c:517 [inline] kasan_slab_free+0x72/0xc0 mm/kasan/kasan.c:582 slab_free_hook mm/slub.c:1355 [inline] slab_free_freelist_hook mm/slub.c:1377 [inline] slab_free mm/slub.c:2958 [inline] kfree+0x103/0x300 mm/slub.c:3878 skb_free_head+0x74/0xb0 net/core/skbuff.c:580 skb_release_data+0x315/0x3f0 net/core/skbuff.c:611 skb_release_all+0x4a/0x60 net/core/skbuff.c:670 __kfree_skb net/core/skbuff.c:684 [inline] consume_skb+0xc6/0x340 net/core/skbuff.c:757 netlink_broadcast_filtered+0x296/0x990 net/netlink/af_netlink.c:1476 kobject_uevent_env+0x6d6/0xb40 lib/kobject_uevent.c:316 kobject_uevent+0x1f/0x30 lib/kobject_uevent.c:374 kobject_cleanup lib/kobject.c:632 [inline] kobject_release+0x139/0x1a0 lib/kobject.c:674 kref_sub include/linux/kref.h:73 [inline] kref_put include/linux/kref.h:98 [inline] kobject_put+0x63/0xc0 lib/kobject.c:691 net_rx_queue_update_kobjects+0x21f/0x3b0 net/core/net-sysfs.c:956 remove_queue_kobjects net/core/net-sysfs.c:1395 [inline] netdev_unregister_kobject+0x9d/0x110 net/core/net-sysfs.c:1530 rollback_registered_many+0x562/0x960 net/core/dev.c:6829 unregister_netdevice_many.part.101+0x1b/0x110 net/core/dev.c:7853 unregister_netdevice_many net/core/dev.c:7852 [inline] default_device_exit_batch+0x34e/0x410 net/core/dev.c:8311 ops_exit_list.isra.4+0x100/0x150 net/core/net_namespace.c:139 cleanup_net+0x31d/0x610 net/core/net_namespace.c:454 process_one_work+0x7e0/0x1610 kernel/workqueue.c:2092 worker_thread+0xe0/0x10d0 kernel/workqueue.c:2226 kthread+0x26d/0x300 kernel/kthread.c:211 ret_from_fork+0x5c/0x70 arch/x86/entry/entry_64.S:477 The buggy address belongs to the object at ffff8801d86fe000 which belongs to the cache kmalloc-512 of size 512 The buggy address is located 417 bytes inside of 512-byte region [ffff8801d86fe000, ffff8801d86fe200) The buggy address belongs to the page: page:ffffea000761bf80 count:1 mapcount:0 mapping: (null) index:0x0 compound_mapcount: 0 flags: 0x8000000000004080(slab|head) page dumped because: kasan: bad access detected Memory state around the buggy address: ffff8801d86fe080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff8801d86fe100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 >ffff8801d86fe180: 00 00 00 00 01 fc fc fc fc fc fc fc fc fc fc fc ^ ffff8801d86fe200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff8801d86fe280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ==================================================================