==================================================================
BUG: KASAN: slab-out-of-bounds in memcpy+0x1d/0x40 mm/kasan/kasan.c:317 at addr ffff8801d3722658
Read of size 8192 by task syz-executor3/5620
=============================================================================
BUG kmalloc-512 (Not tainted): kasan: bad access detected
-----------------------------------------------------------------------------
INFO: Allocated in __alloc_skb+0xf5/0x610 net/core/skbuff.c:230 age=0 cpu=0 pid=5620
 ___slab_alloc.constprop.78+0x4c6/0x530 mm/slub.c:2475
 __slab_alloc.isra.74.constprop.77+0x50/0xa0 mm/slub.c:2504
 slab_alloc_node mm/slub.c:2567 [inline]
 slab_alloc mm/slub.c:2609 [inline]
 __kmalloc_track_caller+0x19c/0x2b0 mm/slub.c:4118
 __kmalloc_reserve.isra.33+0x28/0xa0 net/core/skbuff.c:137
 __alloc_skb+0xf5/0x610 net/core/skbuff.c:230
 alloc_skb include/linux/skbuff.h:815 [inline]
 pfkey_sendmsg+0x10f/0x6c0 net/key/af_key.c:3657
 sock_sendmsg_nosec net/socket.c:625 [inline]
 sock_sendmsg+0xb5/0xf0 net/socket.c:635
 ___sys_sendmsg+0x66d/0x7d0 net/socket.c:1961
 __sys_sendmsg+0xc3/0x160 net/socket.c:1995
 SYSC_sendmsg net/socket.c:2006 [inline]
 SyS_sendmsg+0xd/0x20 net/socket.c:2002
 entry_SYSCALL_64_fastpath+0x16/0x76
INFO: Freed in skb_free_head net/core/skbuff.c:571 [inline] age=0 cpu=1 pid=5611
INFO: Freed in skb_release_data+0x2aa/0x380 net/core/skbuff.c:602 age=0 cpu=1 pid=5611
 __slab_free+0x18c/0x2b0 mm/slub.c:2685
 slab_free mm/slub.c:2840 [inline]
 kfree+0x24f/0x2d0 mm/slub.c:3714
 skb_free_head net/core/skbuff.c:571 [inline]
 skb_release_data+0x2aa/0x380 net/core/skbuff.c:602
 skb_release_all+0x3d/0x50 net/core/skbuff.c:661
 __kfree_skb net/core/skbuff.c:675 [inline]
 consume_skb+0xd5/0x340 net/core/skbuff.c:748
 netlink_broadcast_filtered+0x27c/0xac0 net/netlink/af_netlink.c:1432
 kobject_uevent_env+0x5f8/0xa40 lib/kobject_uevent.c:316
 kobject_uevent+0xb/0x10 lib/kobject_uevent.c:374
 kobject_cleanup lib/kobject.c:632 [inline]
 kobject_release+0xf4/0x160 lib/kobject.c:674
 kref_sub include/linux/kref.h:73 [inline]
 kref_put include/linux/kref.h:98 [inline]
 kobject_put+0x51/0xa0 lib/kobject.c:691
 netdev_queue_update_kobjects+0x17a/0x250 net/core/net-sysfs.c:1327
 remove_queue_kobjects net/core/net-sysfs.c:1377 [inline]
 netdev_unregister_kobject+0xa5/0x110 net/core/net-sysfs.c:1511
 rollback_registered_many+0x3be/0x7c0 net/core/dev.c:6348
 rollback_registered+0x77/0xb0 net/core/dev.c:6366
 unregister_netdevice_queue+0x68/0x120 net/core/dev.c:7316
 unregister_netdevice include/linux/netdevice.h:2282 [inline]
 __tun_detach+0x6df/0x960 drivers/net/tun.c:548
INFO: Slab 0xffffea00074dc800 objects=20 used=5 fp=0xffff8801d3723630 flags=0x8000000000004080
INFO: Object 0xffff8801d3722640 @offset=9792 fp=0x0000000f03000202
CPU: 0 PID: 5620 Comm: syz-executor3 Tainted: G B 4.4.105-gb5797f6 #6
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 0000000000000000 b43ee0cfb348a98e ffff8800b95e7708 ffffffff81cc9b4f
 ffff8801d3720010 ffff8801d3722640 ffff8800b95e7738 ffffffff814d3af4
 ffff8801da402a00 ffffea00074dc800 ffff8801d3722640 0000000000000000
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0x8e/0xcf lib/dump_stack.c:51
 [] print_trailer+0x114/0x1a0 mm/slub.c:682
 [] object_err+0x2f/0x40 mm/slub.c:689
 [] print_address_description mm/kasan/report.c:139 [inline]
 [] kasan_report_error mm/kasan/report.c:237 [inline]
 [] kasan_report.part.2+0x227/0x530 mm/kasan/report.c:262
 [] kasan_report+0x20/0x30 mm/kasan/report.c:249
 [] check_memory_region mm/kasan/kasan.c:284 [inline]
 [] __asan_loadN+0x117/0x180 mm/kasan/kasan.c:532
 [] memcpy+0x1d/0x40 mm/kasan/kasan.c:317
 [] pfkey_msg2xfrm_state net/key/af_key.c:1219 [inline]
 [] pfkey_add+0x13b4/0x3d80 net/key/af_key.c:1498
 [] pfkey_process+0x58d/0x900 net/key/af_key.c:2826
 [] pfkey_sendmsg+0x35b/0x6c0 net/key/af_key.c:3670
 [] sock_sendmsg_nosec net/socket.c:625 [inline]
 [] sock_sendmsg+0xb5/0xf0 net/socket.c:635
 [] ___sys_sendmsg+0x66d/0x7d0 net/socket.c:1961
 [] __sys_sendmsg+0xc3/0x160 net/socket.c:1995
 [] SYSC_sendmsg net/socket.c:2006 [inline]
 [] SyS_sendmsg+0xd/0x20 net/socket.c:2002
 [] entry_SYSCALL_64_fastpath+0x16/0x76
Memory state around the buggy address:
 ffff8801d3722700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff8801d3722780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff8801d3722800: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
                                           ^
 ffff8801d3722880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff8801d3722900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fb fb
==================================================================
nla_parse: 10 callbacks suppressed
==================================================================
BUG: KASAN: slab-out-of-bounds in memcpy+0x1d/0x40 mm/kasan/kasan.c:317 at addr ffff8801d3723978
Read of size 8192 by task syz-executor6/5642
=============================================================================
BUG kmalloc-512 (Tainted: G B ): kasan: bad access detected
-----------------------------------------------------------------------------
INFO: Allocated in __alloc_skb+0xf5/0x610 net/core/skbuff.c:230 age=0 cpu=0 pid=5642
 ___slab_alloc.constprop.78+0x4c6/0x530 mm/slub.c:2475
 __slab_alloc.isra.74.constprop.77+0x50/0xa0 mm/slub.c:2504
 slab_alloc_node mm/slub.c:2567 [inline]
 slab_alloc mm/slub.c:2609 [inline]
 __kmalloc_track_caller+0x19c/0x2b0 mm/slub.c:4118
 __kmalloc_reserve.isra.33+0x28/0xa0 net/core/skbuff.c:137
 __alloc_skb+0xf5/0x610 net/core/skbuff.c:230
 alloc_skb include/linux/skbuff.h:815 [inline]
 pfkey_sendmsg+0x10f/0x6c0 net/key/af_key.c:3657
 sock_sendmsg_nosec net/socket.c:625 [inline]
 sock_sendmsg+0xb5/0xf0 net/socket.c:635
 ___sys_sendmsg+0x66d/0x7d0 net/socket.c:1961
 __sys_sendmsg+0xc3/0x160 net/socket.c:1995
 SYSC_sendmsg net/socket.c:2006 [inline]
 SyS_sendmsg+0xd/0x20 net/socket.c:2002
 entry_SYSCALL_64_fastpath+0x16/0x76
INFO: Freed in skb_free_head net/core/skbuff.c:571 [inline] age=3 cpu=1 pid=5634
INFO: Freed in skb_release_data+0x2aa/0x380 net/core/skbuff.c:602 age=3 cpu=1 pid=5634
 __slab_free+0x18c/0x2b0 mm/slub.c:2685
 slab_free mm/slub.c:2840 [inline]
 kfree+0x24f/0x2d0 mm/slub.c:3714
 skb_free_head net/core/skbuff.c:571 [inline]
 skb_release_data+0x2aa/0x380 net/core/skbuff.c:602
 skb_release_all+0x3d/0x50 net/core/skbuff.c:661
 __kfree_skb+0xd/0x20 net/core/skbuff.c:675
 kfree_skb+0xdd/0x350 net/core/skbuff.c:696
 skb_queue_purge+0x12/0x30 net/core/skbuff.c:2374
 netlink_sock_destruct+0xe0/0x260 net/netlink/af_netlink.c:336
 sk_destruct+0x3f/0x440 net/core/sock.c:1447
 __sk_free+0x4f/0x1f0 net/core/sock.c:1480
 sk_free+0x13/0x20 net/core/sock.c:1491
 deferred_put_nlk_sk+0x8a/0x1c0 net/netlink/af_netlink.c:669
 __rcu_reclaim kernel/rcu/rcu.h:118 [inline]
 rcu_do_batch kernel/rcu/tree.c:2705 [inline]
 invoke_rcu_callbacks kernel/rcu/tree.c:2973 [inline]
 __rcu_process_callbacks kernel/rcu/tree.c:2940 [inline]
 rcu_process_callbacks+0x7ff/0x1490 kernel/rcu/tree.c:2957
 __do_softirq+0x24d/0xa60 kernel/softirq.c:273
 invoke_softirq kernel/softirq.c:350 [inline]
 irq_exit+0x119/0x140 kernel/softirq.c:391
 exiting_irq arch/x86/include/asm/apic.h:653 [inline]
 smp_apic_timer_interrupt+0x7b/0xa0 arch/x86/kernel/apic/apic.c:926
INFO: Slab 0xffffea00074dc800 objects=20 used=8 fp=0xffff8801d3720330 flags=0x8000000000004080
INFO: Object 0xffff8801d3723960 @offset=14688 fp=0x0000000f03000202
CPU: 0 PID: 5642 Comm: syz-executor6 Tainted: G B 4.4.105-gb5797f6 #6
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 0000000000000000 52ad77e9f82b1abc ffff8801d3057708 ffffffff81cc9b4f
 ffff8801d3720010 ffff8801d3723960 ffff8801d3057738 ffffffff814d3af4
 ffff8801da402a00 ffffea00074dc800 ffff8801d3723960 0000000000000000
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0x8e/0xcf lib/dump_stack.c:51
 [] print_trailer+0x114/0x1a0 mm/slub.c:682
 [] object_err+0x2f/0x40 mm/slub.c:689
 [] print_address_description mm/kasan/report.c:139 [inline]
 [] kasan_report_error mm/kasan/report.c:237 [inline]
 [] kasan_report.part.2+0x227/0x530 mm/kasan/report.c:262
 [] kasan_report+0x20/0x30 mm/kasan/report.c:249
 [] check_memory_region mm/kasan/kasan.c:284 [inline]
 [] __asan_loadN+0x117/0x180 mm/kasan/kasan.c:532
 [] memcpy+0x1d/0x40 mm/kasan/kasan.c:317
 [] pfkey_msg2xfrm_state net/key/af_key.c:1219 [inline]
 [] pfkey_add+0x13b4/0x3d80 net/key/af_key.c:1498
 [] pfkey_process+0x58d/0x900 net/key/af_key.c:2826
 [] pfkey_sendmsg+0x35b/0x6c0 net/key/af_key.c:3670
 [] sock_sendmsg_nosec net/socket.c:625 [inline]
 [] sock_sendmsg+0xb5/0xf0 net/socket.c:635
 [] ___sys_sendmsg+0x66d/0x7d0 net/socket.c:1961
 [] __sys_sendmsg+0xc3/0x160 net/socket.c:1995
 [] SYSC_sendmsg net/socket.c:2006 [inline]
 [] SyS_sendmsg+0xd/0x20 net/socket.c:2002
 [] entry_SYSCALL_64_fastpath+0x16/0x76
Memory state around the buggy address:
 ffff8801d3723a00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff8801d3723a80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff8801d3723b00: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc
                                                       ^
 ffff8801d3723b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff8801d3723c00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
netlink: 2 bytes leftover after parsing attributes in process `syz-executor7'.
binder: 5717:5720 ioctl 40046205 d3 returned -22
binder: 5717:5720 not enough space to store 3 fds in buffer
binder: 5717:5720 transaction failed 29201/-22, size 72-32 line 3273
binder: 5717:5734 ioctl 40046205 d3 returned -22
binder: BINDER_SET_CONTEXT_MGR already set
binder: 5717:5734 ioctl 40046207 0 returned -16
binder_alloc: 5717: binder_alloc_buf, no vma
binder: 5717:5720 transaction failed 29189/-3, size 72-32 line 3131
netlink: 2 bytes leftover after parsing attributes in process `syz-executor7'.
netlink: 2 bytes leftover after parsing attributes in process `syz-executor7'.
==================================================================
BUG: KASAN: slab-out-of-bounds in memcpy+0x1d/0x40 mm/kasan/kasan.c:317 at addr ffff8801d3723ca8
Read of size 8192 by task syz-executor4/5783
=============================================================================
BUG kmalloc-512 (Tainted: G B ): kasan: bad access detected
-----------------------------------------------------------------------------
INFO: Allocated in __alloc_skb+0xf5/0x610 net/core/skbuff.c:230 age=5 cpu=1 pid=5783
 ___slab_alloc.constprop.78+0x4c6/0x530 mm/slub.c:2475
 __slab_alloc.isra.74.constprop.77+0x50/0xa0 mm/slub.c:2504
 slab_alloc_node mm/slub.c:2567 [inline]
 slab_alloc mm/slub.c:2609 [inline]
 __kmalloc_track_caller+0x19c/0x2b0 mm/slub.c:4118
 __kmalloc_reserve.isra.33+0x28/0xa0 net/core/skbuff.c:137
 __alloc_skb+0xf5/0x610 net/core/skbuff.c:230
 alloc_skb include/linux/skbuff.h:815 [inline]
 pfkey_sendmsg+0x10f/0x6c0 net/key/af_key.c:3657
 sock_sendmsg_nosec net/socket.c:625 [inline]
 sock_sendmsg+0xb5/0xf0 net/socket.c:635
 ___sys_sendmsg+0x66d/0x7d0 net/socket.c:1961
 __sys_sendmsg+0xc3/0x160 net/socket.c:1995
 SYSC_sendmsg net/socket.c:2006 [inline]
 SyS_sendmsg+0xd/0x20 net/socket.c:2002
 entry_SYSCALL_64_fastpath+0x16/0x76
INFO: Freed in load_elf_binary+0x2049/0x4b70 fs/binfmt_elf.c:1075 age=10 cpu=1 pid=5795
 __slab_free+0x18c/0x2b0 mm/slub.c:2685
 slab_free mm/slub.c:2840 [inline]
 kfree+0x24f/0x2d0 mm/slub.c:3714
 load_elf_binary+0x2049/0x4b70 fs/binfmt_elf.c:1075
 search_binary_handler+0x124/0x610 fs/exec.c:1471
 exec_binprm fs/exec.c:1513 [inline]
 do_execveat_common.isra.36+0x1370/0x1ef0 fs/exec.c:1635
 do_execve+0x27/0x30 fs/exec.c:1679
 call_usermodehelper_exec_async+0x288/0x4b0 kernel/kmod.c:252
 ret_from_fork+0x3f/0x70 arch/x86/entry/entry_64.S:468
INFO: Slab 0xffffea00074dc800 objects=20 used=4 fp=0xffff8801d3722310 flags=0x8000000000004080
INFO: Object 0xffff8801d3723c90 @offset=15504 fp=0x0000000f03000202
CPU: 1 PID: 5783 Comm: syz-executor4 Tainted: G B 4.4.105-gb5797f6 #6
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 0000000000000000 0d7b7760a67dfac2 ffff8801d61c7708 ffffffff81cc9b4f
 ffff8801d3720010 ffff8801d3723c90 ffff8801d61c7738 ffffffff814d3af4
 ffff8801da402a00 ffffea00074dc800 ffff8801d3723c90 0000000000000000
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0x8e/0xcf lib/dump_stack.c:51
 [] print_trailer+0x114/0x1a0 mm/slub.c:682
 [] object_err+0x2f/0x40 mm/slub.c:689
 [] print_address_description mm/kasan/report.c:139 [inline]
 [] kasan_report_error mm/kasan/report.c:237 [inline]
 [] kasan_report.part.2+0x227/0x530 mm/kasan/report.c:262
 [] kasan_report+0x20/0x30 mm/kasan/report.c:249
 [] check_memory_region mm/kasan/kasan.c:284 [inline]
 [] __asan_loadN+0x117/0x180 mm/kasan/kasan.c:532
 [] memcpy+0x1d/0x40 mm/kasan/kasan.c:317
 [] pfkey_msg2xfrm_state net/key/af_key.c:1219 [inline]
 [] pfkey_add+0x13b4/0x3d80 net/key/af_key.c:1498
 [] pfkey_process+0x58d/0x900 net/key/af_key.c:2826
 [] pfkey_sendmsg+0x35b/0x6c0 net/key/af_key.c:3670
 [] sock_sendmsg_nosec net/socket.c:625 [inline]
 [] sock_sendmsg+0xb5/0xf0 net/socket.c:635
 [] ___sys_sendmsg+0x66d/0x7d0 net/socket.c:1961
 [] __sys_sendmsg+0xc3/0x160 net/socket.c:1995
 [] SYSC_sendmsg net/socket.c:2006 [inline]
 [] SyS_sendmsg+0xd/0x20 net/socket.c:2002
 [] entry_SYSCALL_64_fastpath+0x16/0x76
Memory state around the buggy address:
 ffff8801d3723d80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff8801d3723e00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff8801d3723e80: 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                         ^
 ffff8801d3723f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff8801d3723f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
audit: type=1400 audit(1513193826.162:9): avc: denied { getopt } for pid=5819 comm="syz-executor0" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_netfilter_socket permissive=1
audit: type=1400 audit(1513193826.192:10): avc: denied { ioctl } for pid=5819 comm="syz-executor0" path="socket:[12509]" dev="sockfs" ino=12509 ioctlcmd=894b scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_netfilter_socket permissive=1
binder: BINDER_SET_CONTEXT_MGR already set
binder: 5831:5861 ioctl 40046207 0 returned -16
binder: undelivered TRANSACTION_COMPLETE
==================================================================
BUG: KASAN: slab-out-of-bounds in memcpy+0x1d/0x40 mm/kasan/kasan.c:317 at addr ffff8801d3722658
Read of size 8192 by task syz-executor2/5920
=============================================================================
BUG kmalloc-512 (Tainted: G B ): kasan: bad access detected
-----------------------------------------------------------------------------
INFO: Allocated in __alloc_skb+0xf5/0x610 net/core/skbuff.c:230 age=0 cpu=0 pid=5920
 ___slab_alloc.constprop.78+0x4c6/0x530 mm/slub.c:2475
 __slab_alloc.isra.74.constprop.77+0x50/0xa0 mm/slub.c:2504
 slab_alloc_node mm/slub.c:2567 [inline]
 slab_alloc mm/slub.c:2609 [inline]
 __kmalloc_track_caller+0x19c/0x2b0 mm/slub.c:4118
 __kmalloc_reserve.isra.33+0x28/0xa0 net/core/skbuff.c:137
 __alloc_skb+0xf5/0x610 net/core/skbuff.c:230
 alloc_skb include/linux/skbuff.h:815 [inline]
 pfkey_sendmsg+0x10f/0x6c0 net/key/af_key.c:3657
 sock_sendmsg_nosec net/socket.c:625 [inline]
 sock_sendmsg+0xb5/0xf0 net/socket.c:635
 ___sys_sendmsg+0x66d/0x7d0 net/socket.c:1961
 __sys_sendmsg+0xc3/0x160 net/socket.c:1995
 SYSC_sendmsg net/socket.c:2006 [inline]
 SyS_sendmsg+0xd/0x20 net/socket.c:2002
 entry_SYSCALL_64_fastpath+0x16/0x76
INFO: Freed in load_elf_binary+0x2049/0x4b70 fs/binfmt_elf.c:1075 age=0 cpu=0 pid=5922
 __slab_free+0x18c/0x2b0 mm/slub.c:2685
 slab_free mm/slub.c:2840 [inline]
 kfree+0x24f/0x2d0 mm/slub.c:3714
 load_elf_binary+0x2049/0x4b70 fs/binfmt_elf.c:1075
 search_binary_handler+0x124/0x610 fs/exec.c:1471
 exec_binprm fs/exec.c:1513 [inline]
 do_execveat_common.isra.36+0x1370/0x1ef0 fs/exec.c:1635
 do_execve+0x27/0x30 fs/exec.c:1679
 call_usermodehelper_exec_async+0x288/0x4b0 kernel/kmod.c:252
 ret_from_fork+0x3f/0x70 arch/x86/entry/entry_64.S:468
INFO: Slab 0xffffea00074dc800 objects=20 used=10 fp=0xffff8801d3721cb0 flags=0x8000000000004080
INFO: Object 0xffff8801d3722640 @offset=9792 fp=0x0000000f03000202
CPU: 0 PID: 5920 Comm: syz-executor2 Tainted: G B 4.4.105-gb5797f6 #6
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 0000000000000000 59323e89f7cb21ed ffff8801d1a87708 ffffffff81cc9b4f
 ffff8801d3720010 ffff8801d3722640 ffff8801d1a87738 ffffffff814d3af4
 ffff8801da402a00 ffffea00074dc800 ffff8801d3722640 0000000000000000
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0x8e/0xcf lib/dump_stack.c:51
 [] print_trailer+0x114/0x1a0 mm/slub.c:682
 [] object_err+0x2f/0x40 mm/slub.c:689
 [] print_address_description mm/kasan/report.c:139 [inline]
 [] kasan_report_error mm/kasan/report.c:237 [inline]
 [] kasan_report.part.2+0x227/0x530 mm/kasan/report.c:262
 [] kasan_report+0x20/0x30 mm/kasan/report.c:249
 [] check_memory_region mm/kasan/kasan.c:284 [inline]
 [] __asan_loadN+0x117/0x180 mm/kasan/kasan.c:532
 [] memcpy+0x1d/0x40 mm/kasan/kasan.c:317
 [] pfkey_msg2xfrm_state net/key/af_key.c:1219 [inline]
 [] pfkey_add+0x13b4/0x3d80 net/key/af_key.c:1498
 [] pfkey_process+0x58d/0x900 net/key/af_key.c:2826
 [] pfkey_sendmsg+0x35b/0x6c0 net/key/af_key.c:3670
 [] sock_sendmsg_nosec net/socket.c:625 [inline]
 [] sock_sendmsg+0xb5/0xf0 net/socket.c:635
 [] ___sys_sendmsg+0x66d/0x7d0 net/socket.c:1961
 [] __sys_sendmsg+0xc3/0x160 net/socket.c:1995
 [] SYSC_sendmsg net/socket.c:2006 [inline]
 [] SyS_sendmsg+0xd/0x20 net/socket.c:2002
 [] entry_SYSCALL_64_fastpath+0x16/0x76
Memory state around the buggy address:
 ffff8801d3722700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff8801d3722780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff8801d3722800: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
                                           ^
 ffff8801d3722880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff8801d3722900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fb fb
==================================================================
==================================================================
BUG: KASAN: slab-out-of-bounds in memcpy+0x1d/0x40 mm/kasan/kasan.c:317 at addr ffff8801d3722658
Read of size 8192 by task syz-executor2/5920
=============================================================================
BUG kmalloc-512 (Tainted: G B ): kasan: bad access detected
-----------------------------------------------------------------------------
INFO: Allocated in __alloc_skb+0xf5/0x610 net/core/skbuff.c:230 age=0 cpu=0 pid=5920
 ___slab_alloc.constprop.78+0x4c6/0x530 mm/slub.c:2475
 __slab_alloc.isra.74.constprop.77+0x50/0xa0 mm/slub.c:2504
 slab_alloc_node mm/slub.c:2567 [inline]
 slab_alloc mm/slub.c:2609 [inline]
 __kmalloc_track_caller+0x19c/0x2b0 mm/slub.c:4118
 __kmalloc_reserve.isra.33+0x28/0xa0 net/core/skbuff.c:137
 __alloc_skb+0xf5/0x610 net/core/skbuff.c:230
 alloc_skb include/linux/skbuff.h:815 [inline]
 pfkey_sendmsg+0x10f/0x6c0 net/key/af_key.c:3657
 sock_sendmsg_nosec net/socket.c:625 [inline]
 sock_sendmsg+0xb5/0xf0 net/socket.c:635
 ___sys_sendmsg+0x66d/0x7d0 net/socket.c:1961
 __sys_sendmsg+0xc3/0x160 net/socket.c:1995
 SYSC_sendmsg net/socket.c:2006 [inline]
 SyS_sendmsg+0xd/0x20 net/socket.c:2002
 entry_SYSCALL_64_fastpath+0x16/0x76
INFO: Freed in skb_free_head net/core/skbuff.c:571 [inline] age=1 cpu=0 pid=5920
INFO: Freed in skb_release_data+0x2aa/0x380 net/core/skbuff.c:602 age=1 cpu=0 pid=5920
 __slab_free+0x18c/0x2b0 mm/slub.c:2685
 slab_free mm/slub.c:2840 [inline]
 kfree+0x24f/0x2d0 mm/slub.c:3714
 skb_free_head net/core/skbuff.c:571 [inline]
 skb_release_data+0x2aa/0x380 net/core/skbuff.c:602
 skb_release_all+0x3d/0x50 net/core/skbuff.c:661
 __kfree_skb+0xd/0x20 net/core/skbuff.c:675
 kfree_skb+0xdd/0x350 net/core/skbuff.c:696
 pfkey_sendmsg+0x55c/0x6c0 net/key/af_key.c:3676
 sock_sendmsg_nosec net/socket.c:625 [inline]
 sock_sendmsg+0xb5/0xf0 net/socket.c:635
 ___sys_sendmsg+0x66d/0x7d0 net/socket.c:1961
 __sys_sendmsg+0xc3/0x160 net/socket.c:1995
 SYSC_sendmsg net/socket.c:2006 [inline]
 SyS_sendmsg+0xd/0x20 net/socket.c:2002
 entry_SYSCALL_64_fastpath+0x16/0x76
INFO: Slab 0xffffea00074dc800 objects=20 used=11 fp=0xffff8801d3720ff0 flags=0x8000000000004080
INFO: Object 0xffff8801d3722640 @offset=9792 fp=0x0000000f03000202
Object ffff8801d3722770: 54 02 00 00 00 00 00 00 44 00 00 00 00 00 00 00 T.......D....... Object ffff8801d3722780: 44 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 D............... Object ffff8801d3722790: 50 e5 74 64 04 00 00 00 b4 22 01 00 00 00 00 00 P.td....."...... Object ffff8801d37227a0: b4 22 01 00 00 00 00 00 b4 22 01 00 00 00 00 00 ."......."...... Object ffff8801d37227b0: 74 02 00 00 00 00 00 00 74 02 00 00 00 00 00 00 t.......t....... Object ffff8801d37227c0: 04 00 00 00 00 00 00 00 51 e5 74 64 06 00 00 00 ........Q.td.... Object ffff8801d37227d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ Object ffff8801d37227e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ Object ffff8801d37227f0: 00 00 00 00 00 00 00 00 08 00 00 00 00 00 00 00 ................ Object ffff8801d3722800: 52 e5 74 64 04 00 00 00 30 42 01 00 00 00 00 00 R.td....0B...... Object ffff8801d3722810: 30 42 21 00 00 00 00 00 30 42 21 00 00 00 00 00 0B!.....0B!..... Object ffff8801d3722820: d0 0d 00 00 00 00 00 00 d0 0d 00 00 00 00 00 00 ................ Object ffff8801d3722830: 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 
CPU: 0 PID: 5920 Comm: syz-executor2 Tainted: G B 4.4.105-gb5797f6 #6 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 0000000000000000 59323e89f7cb21ed ffff8801d1a87708 ffffffff81cc9b4f ffff8801d3720010 ffff8801d3722640 ffff8801d1a87738 ffffffff814d3af4 ffff8801da402a00 ffffea00074dc800 ffff8801d3722640 0000000000000000 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0x8e/0xcf lib/dump_stack.c:51 [] print_trailer+0x114/0x1a0 mm/slub.c:682 [] object_err+0x2f/0x40 mm/slub.c:689 [] print_address_description mm/kasan/report.c:139 [inline] [] kasan_report_error mm/kasan/report.c:237 [inline] [] kasan_report.part.2+0x227/0x530 mm/kasan/report.c:262 [] kasan_report+0x20/0x30 mm/kasan/report.c:249 [] check_memory_region mm/kasan/kasan.c:284 [inline] [] __asan_loadN+0x117/0x180 mm/kasan/kasan.c:532 [] memcpy+0x1d/0x40 mm/kasan/kasan.c:317 [] pfkey_msg2xfrm_state net/key/af_key.c:1219 [inline] [] pfkey_add+0x13b4/0x3d80 net/key/af_key.c:1498 [] pfkey_process+0x58d/0x900 net/key/af_key.c:2826 [] pfkey_sendmsg+0x35b/0x6c0 net/key/af_key.c:3670 [] sock_sendmsg_nosec net/socket.c:625 [inline] [] sock_sendmsg+0xb5/0xf0 net/socket.c:635 [] ___sys_sendmsg+0x66d/0x7d0 net/socket.c:1961 [] __sys_sendmsg+0xc3/0x160 net/socket.c:1995 [] SYSC_sendmsg net/socket.c:2006 [inline] [] SyS_sendmsg+0xd/0x20 net/socket.c:2002 [] entry_SYSCALL_64_fastpath+0x16/0x76 Memory state around the buggy address: ffff8801d3722700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff8801d3722780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 >ffff8801d3722800: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc ^ ffff8801d3722880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff8801d3722900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fb fb ================================================================== audit: type=1400 audit(1513193828.062:11): avc: denied { create } for pid=5933 comm="syz-executor1" 
scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1 SELinux: unrecognized netlink message: protocol=0 nlmsg_type=5 sclass=netlink_route_socket ================================================================== audit: type=1400 audit(1513193828.142:12): avc: denied { getopt } for pid=5933 comm="syz-executor1" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1 SELinux: unrecognized netlink message: protocol=0 nlmsg_type=4 sclass=netlink_route_socket binder: BINDER_SET_CONTEXT_MGR already set binder: 5945:5969 ioctl 40046207 0 returned -16 BUG: KASAN: slab-out-of-bounds in memcpy+0x1d/0x40 mm/kasan/kasan.c:317 at addr ffff8801d3723ca8 Read of size 8192 by task syz-executor6/5957 ============================================================================= BUG kmalloc-512 (Tainted: G B ): kasan: bad access detected ----------------------------------------------------------------------------- INFO: Allocated in __alloc_skb+0xf5/0x610 net/core/skbuff.c:230 age=9 cpu=1 pid=5957 ___slab_alloc.constprop.78+0x4c6/0x530 mm/slub.c:2475 __slab_alloc.isra.74.constprop.77+0x50/0xa0 mm/slub.c:2504 slab_alloc_node mm/slub.c:2567 [inline] slab_alloc mm/slub.c:2609 [inline] __kmalloc_track_caller+0x19c/0x2b0 mm/slub.c:4118 __kmalloc_reserve.isra.33+0x28/0xa0 net/core/skbuff.c:137 __alloc_skb+0xf5/0x610 net/core/skbuff.c:230 alloc_skb include/linux/skbuff.h:815 [inline] pfkey_sendmsg+0x10f/0x6c0 net/key/af_key.c:3657 sock_sendmsg_nosec net/socket.c:625 [inline] sock_sendmsg+0xb5/0xf0 net/socket.c:635 ___sys_sendmsg+0x66d/0x7d0 net/socket.c:1961 __sys_sendmsg+0xc3/0x160 net/socket.c:1995 SYSC_sendmsg net/socket.c:2006 [inline] SyS_sendmsg+0xd/0x20 net/socket.c:2002 entry_SYSCALL_64_fastpath+0x16/0x76 INFO: Freed in queue_delete+0x8b/0xa0 sound/core/seq/seq_queue.c:156 age=17 cpu=0 
pid=5954 __slab_free+0x18c/0x2b0 mm/slub.c:2685 slab_free mm/slub.c:2840 [inline] kfree+0x24f/0x2d0 mm/slub.c:3714 queue_delete+0x8b/0xa0 sound/core/seq/seq_queue.c:156 snd_seq_queue_delete+0x21/0x40 sound/core/seq/seq_queue.c:219 snd_seq_ioctl_delete_queue+0xbf/0x130 sound/core/seq/seq_clientmgr.c:1571 snd_seq_do_ioctl+0x131/0x160 sound/core/seq/seq_clientmgr.c:2212 snd_seq_kernel_client_ctl+0xc0/0x160 sound/core/seq/seq_clientmgr.c:2426 delete_seq_queue.part.3+0x9d/0x100 sound/core/seq/oss/seq_oss_init.c:389 delete_seq_queue sound/core/seq/oss/seq_oss_init.c:385 [inline] snd_seq_oss_release+0xe7/0x110 sound/core/seq/oss/seq_oss_init.c:434 odev_release+0x49/0x70 sound/core/seq/oss/seq_oss.c:152 __fput+0x202/0x6c0 fs/file_table.c:208 ____fput+0x9/0x10 fs/file_table.c:244 task_work_run+0xd8/0x160 kernel/task_work.c:115 exit_task_work include/linux/task_work.h:21 [inline] do_exit+0x7b9/0x2ab0 kernel/exit.c:753 do_group_exit+0xf4/0x2f0 kernel/exit.c:883 get_signal+0x4c2/0x16a0 kernel/signal.c:2315 INFO: Slab 0xffffea00074dc800 objects=20 used=11 fp=0xffff8801d3723960 flags=0x8000000000004080 INFO: Object 0xffff8801d3723c90 @offset=15504 fp=0x0000000f03000202 Bytes b4 ffff8801d3723c80: 00 00 00 00 38 17 00 00 c5 98 ff ff 00 00 00 00 ....8........... Object ffff8801d3723c90: 02 02 00 03 0f 00 00 00 00 00 00 00 00 00 00 00 ................ Object ffff8801d3723ca0: 01 00 09 00 ff ff 00 00 05 00 06 00 00 00 00 00 ................ Object ffff8801d3723cb0: 0a 00 4e 38 00 00 00 00 00 00 00 00 00 00 00 00 ..N8............ Object ffff8801d3723cc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ Object ffff8801d3723cd0: 02 00 01 00 00 00 00 00 00 00 00 0b 00 00 00 00 ................ Object ffff8801d3723ce0: 05 00 05 00 00 00 00 00 0a 00 4e 38 00 00 00 00 ..........N8.... Object ffff8801d3723cf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ Object ffff8801d3723d00: 00 00 00 00 00 00 00 00 ff ff ff ff 00 00 00 00 ................ 
Object ffff8801d3723d10: ff ff ff ff ff ff ff ff 60 24 76 85 ff ff ff ff ........`$v..... Object ffff8801d3723d20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ Object ffff8801d3723d30: 40 6f c8 83 ff ff ff ff 00 00 00 00 ad 4e ad de @o...........N.. Object ffff8801d3723d40: ff ff ff ff 00 00 00 00 ff ff ff ff ff ff ff ff ................ Object ffff8801d3723d50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ Object ffff8801d3723d60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ Object ffff8801d3723d70: 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ Object ffff8801d3723d80: 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 ................ Object ffff8801d3723d90: 01 00 00 00 00 00 00 00 00 00 00 00 ad 4e ad de .............N.. Object ffff8801d3723da0: ff ff ff ff 00 00 00 00 ff ff ff ff ff ff ff ff ................ Object ffff8801d3723db0: a0 88 9f 84 ff ff ff ff 00 00 00 00 00 00 00 00 ................ Object ffff8801d3723dc0: 00 00 00 00 00 00 00 00 60 3e 85 83 ff ff ff ff ........`>...... Object ffff8801d3723dd0: d0 3d 72 d3 01 88 ff ff d0 3d 72 d3 01 88 ff ff .=r......=r..... Object ffff8801d3723de0: 00 00 00 00 00 00 00 00 90 3d 72 d3 01 88 ff ff .........=r..... Object ffff8801d3723df0: e0 23 76 85 ff ff ff ff 00 00 00 00 00 00 00 00 .#v............. Object ffff8801d3723e00: 00 00 00 00 00 00 00 00 c0 6f c8 83 ff ff ff ff .........o...... Object ffff8801d3723e10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ Object ffff8801d3723e20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ Object ffff8801d3723e30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ Object ffff8801d3723e40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ Object ffff8801d3723e50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ Object ffff8801d3723e60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 
Object ffff8801d3723e70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ Object ffff8801d3723e80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ CPU: 1 PID: 5957 Comm: syz-executor6 Tainted: G B 4.4.105-gb5797f6 #6 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 0000000000000000 21a2ac8a0bd0a31c ffff8800b7817708 ffffffff81cc9b4f ffff8801d3720010 ffff8801d3723c90 ffff8800b7817738 ffffffff814d3af4 ffff8801da402a00 ffffea00074dc800 ffff8801d3723c90 0000000000000000 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0x8e/0xcf lib/dump_stack.c:51 [] print_trailer+0x114/0x1a0 mm/slub.c:682 [] object_err+0x2f/0x40 mm/slub.c:689 [] print_address_description mm/kasan/report.c:139 [inline] [] kasan_report_error mm/kasan/report.c:237 [inline] [] kasan_report.part.2+0x227/0x530 mm/kasan/report.c:262 [] kasan_report+0x20/0x30 mm/kasan/report.c:249 [] check_memory_region mm/kasan/kasan.c:284 [inline] [] __asan_loadN+0x117/0x180 mm/kasan/kasan.c:532 [] memcpy+0x1d/0x40 mm/kasan/kasan.c:317 [] pfkey_msg2xfrm_state net/key/af_key.c:1219 [inline] [] pfkey_add+0x13b4/0x3d80 net/key/af_key.c:1498 [] pfkey_process+0x58d/0x900 net/key/af_key.c:2826 [] pfkey_sendmsg+0x35b/0x6c0 net/key/af_key.c:3670 [] sock_sendmsg_nosec net/socket.c:625 [inline] [] sock_sendmsg+0xb5/0xf0 net/socket.c:635 [] ___sys_sendmsg+0x66d/0x7d0 net/socket.c:1961 [] __sys_sendmsg+0xc3/0x160 net/socket.c:1995 [] SYSC_sendmsg net/socket.c:2006 [inline] [] SyS_sendmsg+0xd/0x20 net/socket.c:2002 [] entry_SYSCALL_64_fastpath+0x16/0x76 Memory state around the buggy address: ffff8801d3723d80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff8801d3723e00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 >ffff8801d3723e80: 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc ^ ffff8801d3723f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff8801d3723f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc 
================================================================== binder: undelivered TRANSACTION_COMPLETE audit: type=1400 audit(1513193829.002:13): avc: denied { write } for pid=5933 comm="syz-executor1" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1 SELinux: unrecognized netlink message: protocol=0 nlmsg_type=5 sclass=netlink_route_socket SELinux: unrecognized netlink message: protocol=0 nlmsg_type=4 sclass=netlink_route_socket syz-executor2 uses obsolete (PF_INET,SOCK_PACKET) netlink: 2 bytes leftover after parsing attributes in process `syz-executor7'. netlink: 13 bytes leftover after parsing attributes in process `syz-executor0'. netlink: 2 bytes leftover after parsing attributes in process `syz-executor7'. ================================================================== BUG: KASAN: slab-out-of-bounds in memcpy+0x1d/0x40 mm/kasan/kasan.c:317 at addr ffff8801d3722658 Read of size 8192 by task syz-executor1/6074 ============================================================================= BUG kmalloc-512 (Tainted: G B ): kasan: bad access detected ----------------------------------------------------------------------------- INFO: Allocated in __alloc_skb+0xf5/0x610 net/core/skbuff.c:230 age=0 cpu=0 pid=6074 ___slab_alloc.constprop.78+0x4c6/0x530 mm/slub.c:2475 __slab_alloc.isra.74.constprop.77+0x50/0xa0 mm/slub.c:2504 slab_alloc_node mm/slub.c:2567 [inline] slab_alloc mm/slub.c:2609 [inline] __kmalloc_track_caller+0x19c/0x2b0 mm/slub.c:4118 __kmalloc_reserve.isra.33+0x28/0xa0 net/core/skbuff.c:137 __alloc_skb+0xf5/0x610 net/core/skbuff.c:230 alloc_skb include/linux/skbuff.h:815 [inline] pfkey_sendmsg+0x10f/0x6c0 net/key/af_key.c:3657 sock_sendmsg_nosec net/socket.c:625 [inline] sock_sendmsg+0xb5/0xf0 net/socket.c:635 ___sys_sendmsg+0x66d/0x7d0 net/socket.c:1961 __sys_sendmsg+0xc3/0x160 net/socket.c:1995 SYSC_sendmsg net/socket.c:2006 [inline] 
SyS_sendmsg+0xd/0x20 net/socket.c:2002 netlink: 2 bytes leftover after parsing attributes in process `syz-executor6'. entry_SYSCALL_64_fastpath+0x16/0x76 netlink: 2 bytes leftover after parsing attributes in process `syz-executor6'. INFO: Freed in load_elf_binary+0x2049/0x4b70 fs/binfmt_elf.c:1075 age=1 cpu=0 pid=6073 __slab_free+0x18c/0x2b0 mm/slub.c:2685 slab_free mm/slub.c:2840 [inline] kfree+0x24f/0x2d0 mm/slub.c:3714 load_elf_binary+0x2049/0x4b70 fs/binfmt_elf.c:1075 search_binary_handler+0x124/0x610 fs/exec.c:1471 exec_binprm fs/exec.c:1513 [inline] do_execveat_common.isra.36+0x1370/0x1ef0 fs/exec.c:1635 do_execve+0x27/0x30 fs/exec.c:1679 call_usermodehelper_exec_async+0x288/0x4b0 kernel/kmod.c:252 ret_from_fork+0x3f/0x70 arch/x86/entry/entry_64.S:468 INFO: Slab 0xffffea00074dc800 objects=20 used=16 fp=0xffff8801d3722fd0 flags=0x8000000000004080 INFO: Object 0xffff8801d3722640 @offset=9792 fp=0x0000000f03000202 Bytes b4 ffff8801d3722630: 01 00 00 00 cc 17 00 00 33 99 ff ff 00 00 00 00 ........3....... Object ffff8801d3722640: 02 02 00 03 0f 00 00 00 00 00 00 00 00 00 00 00 ................ Object ffff8801d3722650: 01 00 09 00 ff ff 00 00 05 00 06 00 00 00 00 00 ................ Object ffff8801d3722660: 0a 00 4e 24 00 00 00 00 00 00 00 00 00 00 00 00 ..N$............ Object ffff8801d3722670: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ Object ffff8801d3722680: 02 00 01 00 00 00 00 00 00 00 00 0b 00 00 00 00 ................ Object ffff8801d3722690: 05 00 05 00 00 00 00 00 0a 00 4e 24 00 00 00 00 ..........N$.... Object ffff8801d37226a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ Object ffff8801d37226b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ Object ffff8801d37226c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ Object ffff8801d37226d0: 5c 36 01 00 00 00 00 00 5c 36 01 00 00 00 00 00 \6......\6...... Object ffff8801d37226e0: 00 00 20 00 00 00 00 00 01 00 00 00 06 00 00 00 .. 
............. Object ffff8801d37226f0: 30 42 01 00 00 00 00 00 30 42 21 00 00 00 00 00 0B......0B!..... Object ffff8801d3722700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ Object ffff8801d3722710: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ Object ffff8801d3722720: 01 00 00 00 06 00 00 00 50 4d 01 00 00 00 00 00 ........PM...... Object ffff8801d3722730: 50 4d 21 00 00 00 00 00 50 4d 21 00 00 00 00 00 PM!.....PM!..... Object ffff8801d3722740: f0 01 00 00 00 00 00 00 f0 01 00 00 00 00 00 00 ................ Object ffff8801d3722750: 08 00 00 00 00 00 00 00 04 00 00 00 04 00 00 00 ................ Object ffff8801d3722760: 54 02 00 00 00 00 00 00 54 02 00 00 00 00 00 00 T.......T....... Object ffff8801d3722770: 54 02 00 00 00 00 00 00 44 00 00 00 00 00 00 00 T.......D....... Object ffff8801d3722780: 44 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 D............... Object ffff8801d3722790: 50 e5 74 64 04 00 00 00 b4 22 01 00 00 00 00 00 P.td....."...... Object ffff8801d37227a0: b4 22 01 00 00 00 00 00 b4 22 01 00 00 00 00 00 ."......."...... Object ffff8801d37227b0: 74 02 00 00 00 00 00 00 74 02 00 00 00 00 00 00 t.......t....... Object ffff8801d37227c0: 04 00 00 00 00 00 00 00 51 e5 74 64 06 00 00 00 ........Q.td.... Object ffff8801d37227d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ Object ffff8801d37227e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ Object ffff8801d37227f0: 00 00 00 00 00 00 00 00 08 00 00 00 00 00 00 00 ................ Object ffff8801d3722800: 52 e5 74 64 04 00 00 00 30 42 01 00 00 00 00 00 R.td....0B...... Object ffff8801d3722810: 30 42 21 00 00 00 00 00 30 42 21 00 00 00 00 00 0B!.....0B!..... Object ffff8801d3722820: d0 0d 00 00 00 00 00 00 d0 0d 00 00 00 00 00 00 ................ Object ffff8801d3722830: 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 
CPU: 0 PID: 6074 Comm: syz-executor1 Tainted: G B 4.4.105-gb5797f6 #6 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 0000000000000000 a9729202ae336e60 ffff8800b945f708 ffffffff81cc9b4f ffff8801d3720010 ffff8801d3722640 ffff8800b945f738 ffffffff814d3af4 ffff8801da402a00 ffffea00074dc800 ffff8801d3722640 0000000000000000 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0x8e/0xcf lib/dump_stack.c:51 [] print_trailer+0x114/0x1a0 mm/slub.c:682 [] object_err+0x2f/0x40 mm/slub.c:689 [] print_address_description mm/kasan/report.c:139 [inline] [] kasan_report_error mm/kasan/report.c:237 [inline] [] kasan_report.part.2+0x227/0x530 mm/kasan/report.c:262 [] kasan_report+0x20/0x30 mm/kasan/report.c:249 [] check_memory_region mm/kasan/kasan.c:284 [inline] [] __asan_loadN+0x117/0x180 mm/kasan/kasan.c:532 [] memcpy+0x1d/0x40 mm/kasan/kasan.c:317 [] pfkey_msg2xfrm_state net/key/af_key.c:1219 [inline] [] pfkey_add+0x13b4/0x3d80 net/key/af_key.c:1498 [] pfkey_process+0x58d/0x900 net/key/af_key.c:2826 [] pfkey_sendmsg+0x35b/0x6c0 net/key/af_key.c:3670 [] sock_sendmsg_nosec net/socket.c:625 [inline] [] sock_sendmsg+0xb5/0xf0 net/socket.c:635 [] ___sys_sendmsg+0x66d/0x7d0 net/socket.c:1961 [] __sys_sendmsg+0xc3/0x160 net/socket.c:1995 [] SYSC_sendmsg net/socket.c:2006 [inline] [] SyS_sendmsg+0xd/0x20 net/socket.c:2002 [] entry_SYSCALL_64_fastpath+0x16/0x76 Memory state around the buggy address: ffff8801d3722700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff8801d3722780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 >ffff8801d3722800: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc ^ ffff8801d3722880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff8801d3722900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc 00 00 ================================================================== binder_alloc: 6101: binder_alloc_buf, no vma binder: 6101:6103 transaction failed 29189/-3, size 0-0 line 3131 netlink: 6 bytes leftover 
after parsing attributes in process `syz-executor1'. netlink: 6 bytes leftover after parsing attributes in process `syz-executor1'. binder: BINDER_SET_CONTEXT_MGR already set binder: 6101:6141 ioctl 40046207 0 returned -16 binder: 6101:6103 ioctl c0306201 20008fd0 returned -11 binder_alloc: 6101: binder_alloc_buf, no vma binder: 6101:6103 transaction failed 29189/-3, size 0-0 line 3131 binder: 6101:6141 BC_ACQUIRE_DONE u0000000000000000 no match binder: 6101:6141 BC_CLEAR_DEATH_NOTIFICATION invalid ref 3 binder: 6101:6141 BC_DEAD_BINDER_DONE 0000000000000007 not found binder: 6101:6141 ERROR: BC_REGISTER_LOOPER called without request binder: 6101:6141 DecRefs 0 refcount change on invalid ref 1 ret -22 binder: undelivered TRANSACTION_ERROR: 29189 binder_alloc: 6159: binder_alloc_buf, no vma binder: 6159:6161 transaction failed 29189/-3, size 0-0 line 3131 binder: BINDER_SET_CONTEXT_MGR already set binder: 6159:6172 ioctl 40046207 0 returned -16 binder: 6159:6168 ioctl c0306201 20008fd0 returned -11 audit: type=1400 audit(1513193830.352:14): avc: denied { ioctl } for pid=6196 comm="syz-executor3" path="socket:[12001]" dev="sockfs" ino=12001 ioctlcmd=89f6 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1 binder: undelivered TRANSACTION_ERROR: 29189 binder: BINDER_SET_CONTEXT_MGR already set binder: 6214:6230 ioctl 40046207 0 returned -16 binder: undelivered TRANSACTION_COMPLETE netlink: 13 bytes leftover after parsing attributes in process `syz-executor1'. binder: BINDER_SET_CONTEXT_MGR already set binder: 6289:6322 ioctl 40046207 0 returned -16 binder: undelivered TRANSACTION_COMPLETE binder: undelivered transaction 79, process died. 
binder_alloc: 6339: binder_alloc_buf, no vma binder: 6339:6343 transaction failed 29189/-3, size 0-0 line 3131 tty_warn_deprecated_flags: 'syz-executor0' is using deprecated serial flags (with no effect): 00008000 tty_warn_deprecated_flags: 'syz-executor0' is using deprecated serial flags (with no effect): 00008000 binder: 6339:6358 BC_ACQUIRE_DONE node 80 has no pending acquire request binder: 6339:6358 BC_CLEAR_DEATH_NOTIFICATION invalid ref 3 binder: 6339:6358 BC_DEAD_BINDER_DONE 0000000000000003 not found binder: 6339:6358 ERROR: BC_REGISTER_LOOPER called without request binder: 6339:6358 DecRefs 0 refcount change on invalid ref 3 ret -22 binder: BINDER_SET_CONTEXT_MGR already set binder: 6339:6358 ioctl 40046207 0 returned -16 binder: 6339:6378 unknown command 0 binder: 6339:6378 ioctl c0306201 20a85000 returned -22 binder: 6339:6394 BC_ACQUIRE_DONE u0000000000000000 no match binder: 6339:6394 BC_CLEAR_DEATH_NOTIFICATION invalid ref 3 binder: 6339:6394 BC_DEAD_BINDER_DONE 0000000000000003 not found binder: 6339:6394 ERROR: BC_REGISTER_LOOPER called without request binder: 6339:6394 DecRefs 0 refcount change on invalid ref 3 ret -22 binder: undelivered TRANSACTION_ERROR: 29189 audit: type=1400 audit(1513193830.942:15): avc: denied { append } for pid=6408 comm="syz-executor7" path="socket:[12109]" dev="sockfs" ino=12109 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1 netlink: 13 bytes leftover after parsing attributes in process `syz-executor2'. netlink: 6 bytes leftover after parsing attributes in process `syz-executor1'. netlink: 6 bytes leftover after parsing attributes in process `syz-executor1'. 
binder: BINDER_SET_CONTEXT_MGR already set binder: 6519:6540 ioctl 40046207 0 returned -16 binder_alloc: 6519: binder_alloc_buf, no vma binder: 6519:6565 transaction failed 29189/-3, size 0-0 line 3131 netlink: 13 bytes leftover after parsing attributes in process `syz-executor4'. binder: undelivered TRANSACTION_ERROR: 29189 binder: undelivered TRANSACTION_COMPLETE binder: BINDER_SET_CONTEXT_MGR already set binder: 6605:6625 ioctl 40046207 0 returned -16 binder: undelivered TRANSACTION_COMPLETE binder: 6664:6665 ioctl 40046205 d3 returned -22 netlink: 13 bytes leftover after parsing attributes in process `syz-executor6'. binder: 6664:6665 not enough space to store 3 fds in buffer binder: 6664:6665 transaction failed 29201/-22, size 72-32 line 3273 binder: 6664:6682 ioctl 40046205 d3 returned -22 binder: BINDER_SET_CONTEXT_MGR already set binder: 6664:6682 ioctl 40046207 0 returned -16 binder_alloc: 6664: binder_alloc_buf, no vma binder: 6664:6665 transaction failed 29189/-3, size 72-32 line 3131 netlink: 13 bytes leftover after parsing attributes in process `syz-executor3'. netlink: 13 bytes leftover after parsing attributes in process `syz-executor3'. netlink: 13 bytes leftover after parsing attributes in process `syz-executor4'. 
================================================================== BUG: KASAN: slab-out-of-bounds in memcpy+0x1d/0x40 mm/kasan/kasan.c:317 at addr ffff8801d3721cc8 Read of size 8192 by task syz-executor1/6777 ============================================================================= BUG kmalloc-512 (Tainted: G B ): kasan: bad access detected ----------------------------------------------------------------------------- INFO: Allocated in __alloc_skb+0xf5/0x610 net/core/skbuff.c:230 age=0 cpu=1 pid=6777 ___slab_alloc.constprop.78+0x4c6/0x530 mm/slub.c:2475 __slab_alloc.isra.74.constprop.77+0x50/0xa0 mm/slub.c:2504 slab_alloc_node mm/slub.c:2567 [inline] slab_alloc mm/slub.c:2609 [inline] __kmalloc_track_caller+0x19c/0x2b0 mm/slub.c:4118 __kmalloc_reserve.isra.33+0x28/0xa0 net/core/skbuff.c:137 __alloc_skb+0xf5/0x610 net/core/skbuff.c:230 alloc_skb include/linux/skbuff.h:815 [inline] pfkey_sendmsg+0x10f/0x6c0 net/key/af_key.c:3657 sock_sendmsg_nosec net/socket.c:625 [inline] sock_sendmsg+0xb5/0xf0 net/socket.c:635 ___sys_sendmsg+0x66d/0x7d0 net/socket.c:1961 __sys_sendmsg+0xc3/0x160 net/socket.c:1995 SYSC_sendmsg net/socket.c:2006 [inline] SyS_sendmsg+0xd/0x20 net/socket.c:2002 entry_SYSCALL_64_fastpath+0x16/0x76 INFO: Freed in load_elf_binary+0x203d/0x4b70 fs/binfmt_elf.c:1074 age=7 cpu=1 pid=6745 __slab_free+0x18c/0x2b0 mm/slub.c:2685 slab_free mm/slub.c:2840 [inline] kfree+0x24f/0x2d0 mm/slub.c:3714 load_elf_binary+0x203d/0x4b70 fs/binfmt_elf.c:1074 search_binary_handler+0x124/0x610 fs/exec.c:1471 exec_binprm fs/exec.c:1513 [inline] do_execveat_common.isra.36+0x1370/0x1ef0 fs/exec.c:1635 do_execve+0x27/0x30 fs/exec.c:1679 call_usermodehelper_exec_async+0x288/0x4b0 kernel/kmod.c:252 ret_from_fork+0x3f/0x70 arch/x86/entry/entry_64.S:468 INFO: Slab 0xffffea00074dc800 objects=20 used=15 fp=0xffff8801d3722640 flags=0x8000000000004080 INFO: Object 0xffff8801d3721cb0 @offset=7344 fp=0x0000000f03000202 Bytes b4 ffff8801d3721ca0: 01 00 00 00 73 1a 00 00 2b 9a ff ff 00 00 
00 00 ....s...+....... Object ffff8801d3721cb0: 02 02 00 03 0f 00 00 00 00 00 00 00 00 00 00 00 ................ Object ffff8801d3721cc0: 01 00 09 00 ff ff 00 00 05 00 06 00 00 00 00 00 ................ Object ffff8801d3721cd0: 0a 00 4e 24 00 00 00 00 00 00 00 00 00 00 00 00 ..N$............ Object ffff8801d3721ce0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ Object ffff8801d3721cf0: 02 00 01 00 00 00 00 00 00 00 00 0b 00 00 00 00 ................ Object ffff8801d3721d00: 05 00 05 00 00 00 00 00 0a 00 4e 24 00 00 00 00 ..........N$.... Object ffff8801d3721d10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ Object ffff8801d3721d20: 00 00 00 00 00 00 00 00 30 fe 01 00 00 00 00 00 ........0....... Object ffff8801d3721d30: 30 fe 21 00 00 00 00 00 30 fe 21 00 00 00 00 00 0.!.....0.!..... Object ffff8801d3721d40: 90 01 00 00 00 00 00 00 90 01 00 00 00 00 00 00 ................ Object ffff8801d3721d50: 08 00 00 00 00 00 00 00 04 00 00 00 04 00 00 00 ................ Object ffff8801d3721d60: c8 01 00 00 00 00 00 00 c8 01 00 00 00 00 00 00 ................ Object ffff8801d3721d70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ Object ffff8801d3721d80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ Object ffff8801d3721d90: 01 00 00 00 04 00 00 00 80 d1 01 00 00 00 00 00 ................ Object ffff8801d3721da0: 80 d1 01 00 00 00 00 00 80 d1 01 00 00 00 00 00 ................ Object ffff8801d3721db0: 44 06 00 00 00 00 00 00 44 06 00 00 00 00 00 00 D.......D....... Object ffff8801d3721dc0: 04 00 00 00 00 00 00 00 51 e5 74 64 06 00 00 00 ........Q.td.... Object ffff8801d3721dd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ Object ffff8801d3721de0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ Object ffff8801d3721df0: 00 00 00 00 00 00 00 00 08 00 00 00 00 00 00 00 ................ 
Object ffff8801d3721e00: 52 e5 74 64 04 00 00 00 a8 fb 01 00 00 00 00 00  R.td............
Object ffff8801d3721e10: a8 fb 21 00 00 00 00 00 a8 fb 21 00 00 00 00 00  ..!.......!.....
Object ffff8801d3721e20: 58 04 00 00 00 00 00 00 58 04 00 00 00 00 00 00  X.......X.......
Object ffff8801d3721e30: 01 00 00 00 00 00 00 00 51 e5 74 64 06 00 00 00  ........Q.td....
Object ffff8801d3721e40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
Object ffff8801d3721e50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
Object ffff8801d3721e60: 00 00 00 00 00 00 00 00 08 00 00 00 00 00 00 00  ................
Object ffff8801d3721e70: 52 e5 74 64 04 00 00 00 30 42 01 00 00 00 00 00  R.td....0B......
Object ffff8801d3721e80: 30 42 21 00 00 00 00 00 30 42 21 00 00 00 00 00  0B!.....0B!.....
Object ffff8801d3721e90: d0 0d 00 00 00 00 00 00 d0 0d 00 00 00 00 00 00  ................
Object ffff8801d3721ea0: 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
CPU: 1 PID: 6777 Comm: syz-executor1 Tainted: G    B   4.4.105-gb5797f6 #6
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 0000000000000000 f5506706f04a865f ffff8801d557f708 ffffffff81cc9b4f
 ffff8801d3720010 ffff8801d3721cb0 ffff8801d557f738 ffffffff814d3af4
 ffff8801da402a00 ffffea00074dc800 ffff8801d3721cb0 0000000000000000
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0x8e/0xcf lib/dump_stack.c:51
 [] print_trailer+0x114/0x1a0 mm/slub.c:682
 [] object_err+0x2f/0x40 mm/slub.c:689
 [] print_address_description mm/kasan/report.c:139 [inline]
 [] kasan_report_error mm/kasan/report.c:237 [inline]
 [] kasan_report.part.2+0x227/0x530 mm/kasan/report.c:262
 [] kasan_report+0x20/0x30 mm/kasan/report.c:249
 [] check_memory_region mm/kasan/kasan.c:284 [inline]
 [] __asan_loadN+0x117/0x180 mm/kasan/kasan.c:532
 [] memcpy+0x1d/0x40 mm/kasan/kasan.c:317
 [] pfkey_msg2xfrm_state net/key/af_key.c:1219 [inline]
 [] pfkey_add+0x13b4/0x3d80 net/key/af_key.c:1498
 [] pfkey_process+0x58d/0x900 net/key/af_key.c:2826
 [] pfkey_sendmsg+0x35b/0x6c0 net/key/af_key.c:3670
 [] sock_sendmsg_nosec net/socket.c:625 [inline]
 [] sock_sendmsg+0xb5/0xf0 net/socket.c:635
 [] ___sys_sendmsg+0x66d/0x7d0 net/socket.c:1961
 [] __sys_sendmsg+0xc3/0x160 net/socket.c:1995
 [] SYSC_sendmsg net/socket.c:2006 [inline]
 [] SyS_sendmsg+0xd/0x20 net/socket.c:2002
 [] entry_SYSCALL_64_fastpath+0x16/0x76
Memory state around the buggy address:
 ffff8801d3721d80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff8801d3721e00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff8801d3721e80: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc
 ^
 ffff8801d3721f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff8801d3721f80: fc fc fc fc fc fc fc fc fc fc fc fc 00 00 00 00
==================================================================
binder: BINDER_SET_CONTEXT_MGR already set
binder: 6769:6780 ioctl 40046207 0 returned -16
binder: undelivered TRANSACTION_COMPLETE
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=5 sclass=netlink_route_socket
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=4 sclass=netlink_route_socket
binder: 6815:6821 ioctl 540f 205f4000 returned -22
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=5 sclass=netlink_route_socket
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=4 sclass=netlink_route_socket
binder: BINDER_SET_CONTEXT_MGR already set
binder: 6815:6821 ioctl 40046207 0 returned -16
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=5 sclass=netlink_route_socket
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=4 sclass=netlink_route_socket
binder: 6815:6821 ioctl 540f 205f4000 returned -22
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=5 sclass=netlink_route_socket
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=4 sclass=netlink_route_socket
netlink: 13 bytes leftover after parsing attributes in process `syz-executor4'.
==================================================================
BUG: KASAN: slab-out-of-bounds in memcpy+0x1d/0x40 mm/kasan/kasan.c:317 at addr ffff8801d3722658
Read of size 8192 by task syz-executor1/6862
=============================================================================
BUG kmalloc-512 (Tainted: G    B   ): kasan: bad access detected
-----------------------------------------------------------------------------

INFO: Allocated in __alloc_skb+0xf5/0x610 net/core/skbuff.c:230 age=0 cpu=0 pid=6862
 ___slab_alloc.constprop.78+0x4c6/0x530 mm/slub.c:2475
 __slab_alloc.isra.74.constprop.77+0x50/0xa0 mm/slub.c:2504
 slab_alloc_node mm/slub.c:2567 [inline]
 slab_alloc mm/slub.c:2609 [inline]
 __kmalloc_track_caller+0x19c/0x2b0 mm/slub.c:4118
 __kmalloc_reserve.isra.33+0x28/0xa0 net/core/skbuff.c:137
 __alloc_skb+0xf5/0x610 net/core/skbuff.c:230
 alloc_skb include/linux/skbuff.h:815 [inline]
 pfkey_sendmsg+0x10f/0x6c0 net/key/af_key.c:3657
 sock_sendmsg_nosec net/socket.c:625 [inline]
 sock_sendmsg+0xb5/0xf0 net/socket.c:635
 ___sys_sendmsg+0x66d/0x7d0 net/socket.c:1961
 __sys_sendmsg+0xc3/0x160 net/socket.c:1995
 SYSC_sendmsg net/socket.c:2006 [inline]
 SyS_sendmsg+0xd/0x20 net/socket.c:2002
 entry_SYSCALL_64_fastpath+0x16/0x76
INFO: Freed in load_elf_binary+0x2049/0x4b70 fs/binfmt_elf.c:1075 age=0 cpu=1 pid=6859
 __slab_free+0x18c/0x2b0 mm/slub.c:2685
 slab_free mm/slub.c:2840 [inline]
 kfree+0x24f/0x2d0 mm/slub.c:3714
 load_elf_binary+0x2049/0x4b70 fs/binfmt_elf.c:1075
 search_binary_handler+0x124/0x610 fs/exec.c:1471
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=5 sclass=netlink_route_socket
 exec_binprm fs/exec.c:1513 [inline]
 do_execveat_common.isra.36+0x1370/0x1ef0 fs/exec.c:1635
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=4 sclass=netlink_route_socket
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=5 sclass=netlink_route_socket
 do_execve+0x27/0x30 fs/exec.c:1679
 call_usermodehelper_exec_async+0x288/0x4b0 kernel/kmod.c:252
 ret_from_fork+0x3f/0x70 arch/x86/entry/entry_64.S:468
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=4 sclass=netlink_route_socket
INFO: Slab 0xffffea00074dc800 objects=20 used=14 fp=0xffff8801d3720cc0 flags=0x8000000000004080
INFO: Object 0xffff8801d3722640 @offset=9792 fp=0x0000000f03000202

Bytes b4 ffff8801d3722630: 01 00 00 00 6b 1a 00 00 48 9a ff ff 00 00 00 00  ....k...H.......
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=5 sclass=netlink_route_socket
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=4 sclass=netlink_route_socket
Object ffff8801d3722640: 02 02 00 03 0f 00 00 00 00 00 00 00 00 00 00 00  ................
Object ffff8801d3722650: 01 00 09 00 ff ff 00 00 05 00 06 00 00 00 00 00  ................
Object ffff8801d3722660: 0a 00 4e 24 00 00 00 00 00 00 00 00 00 00 00 00  ..N$............
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=5 sclass=netlink_route_socket
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=4 sclass=netlink_route_socket
Object ffff8801d3722670: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
Object ffff8801d3722680: 02 00 01 00 00 00 00 00 00 00 00 0b 00 00 00 00  ................
Object ffff8801d3722690: 05 00 05 00 00 00 00 00 0a 00 4e 24 00 00 00 00  ..........N$....
Object ffff8801d37226a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
Object ffff8801d37226b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
Object ffff8801d37226c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
Object ffff8801d37226d0: 5c 36 01 00 00 00 00 00 5c 36 01 00 00 00 00 00  \6......\6......
Object ffff8801d37226e0: 00 00 20 00 00 00 00 00 01 00 00 00 06 00 00 00  .. .............
Object ffff8801d37226f0: 30 42 01 00 00 00 00 00 30 42 21 00 00 00 00 00  0B......0B!.....
Object ffff8801d3722700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
Object ffff8801d3722710: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
Object ffff8801d3722720: 01 00 00 00 06 00 00 00 50 4d 01 00 00 00 00 00  ........PM......
Object ffff8801d3722730: 50 4d 21 00 00 00 00 00 50 4d 21 00 00 00 00 00  PM!.....PM!.....
Object ffff8801d3722740: f0 01 00 00 00 00 00 00 f0 01 00 00 00 00 00 00  ................
Object ffff8801d3722750: 08 00 00 00 00 00 00 00 04 00 00 00 04 00 00 00  ................
Object ffff8801d3722760: 54 02 00 00 00 00 00 00 54 02 00 00 00 00 00 00  T.......T.......
Object ffff8801d3722770: 54 02 00 00 00 00 00 00 44 00 00 00 00 00 00 00  T.......D.......
Object ffff8801d3722780: 44 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00  D...............
Object ffff8801d3722790: 50 e5 74 64 04 00 00 00 b4 22 01 00 00 00 00 00  P.td....."......
Object ffff8801d37227a0: b4 22 01 00 00 00 00 00 b4 22 01 00 00 00 00 00  ."......."......
Object ffff8801d37227b0: 74 02 00 00 00 00 00 00 74 02 00 00 00 00 00 00  t.......t.......
Object ffff8801d37227c0: 04 00 00 00 00 00 00 00 51 e5 74 64 06 00 00 00  ........Q.td....
Object ffff8801d37227d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
Object ffff8801d37227e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
Object ffff8801d37227f0: 00 00 00 00 00 00 00 00 08 00 00 00 00 00 00 00  ................
Object ffff8801d3722800: 52 e5 74 64 04 00 00 00 30 42 01 00 00 00 00 00  R.td....0B......
Object ffff8801d3722810: 30 42 21 00 00 00 00 00 30 42 21 00 00 00 00 00  0B!.....0B!.....
Object ffff8801d3722820: d0 0d 00 00 00 00 00 00 d0 0d 00 00 00 00 00 00  ................
Object ffff8801d3722830: 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
CPU: 0 PID: 6862 Comm: syz-executor1 Tainted: G    B   4.4.105-gb5797f6 #6
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 0000000000000000 1ef07e8f6d901cbe ffff8800b7b47708 ffffffff81cc9b4f
 ffff8801d3720010 ffff8801d3722640 ffff8800b7b47738 ffffffff814d3af4
 ffff8801da402a00 ffffea00074dc800 ffff8801d3722640 0000000000000000
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0x8e/0xcf lib/dump_stack.c:51
 [] print_trailer+0x114/0x1a0 mm/slub.c:682
 [] object_err+0x2f/0x40 mm/slub.c:689
 [] print_address_description mm/kasan/report.c:139 [inline]
 [] kasan_report_error mm/kasan/report.c:237 [inline]
 [] kasan_report.part.2+0x227/0x530 mm/kasan/report.c:262
 [] kasan_report+0x20/0x30 mm/kasan/report.c:249
 [] check_memory_region mm/kasan/kasan.c:284 [inline]
 [] __asan_loadN+0x117/0x180 mm/kasan/kasan.c:532
 [] memcpy+0x1d/0x40 mm/kasan/kasan.c:317
 [] pfkey_msg2xfrm_state net/key/af_key.c:1219 [inline]
 [] pfkey_add+0x13b4/0x3d80 net/key/af_key.c:1498
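The object dump of the second report can be decoded: the kmalloc-512 object is the skb data buffer that pfkey_sendmsg() allocated for the offending sendmsg(), so its first bytes are the PF_KEY message itself. The Python below is an added triage example, not part of the syzkaller report or of the kernel. It turns the "Object" lines into bytes, walks the sadb_msg header and its extension chain using the fixed PF_KEY v2 layouts (RFC 2367, linux/pfkeyv2.h), and relates the key extension to the reported access (address ffff8801d3722658, size 8192, cache kmalloc-512). The helper names, the OBJECT_DUMP sample (the page's own dump lines with the ASCII column dropped) and the constants are the example's own.

```python
import struct

# Constructed sample: the "Object ffff8801d3722640" lines from the second
# KASAN report on this page, ASCII column dropped. The message occupies the
# first 120 bytes; the rest of the 512-byte object is stale data.
OBJECT_DUMP = """\
Object ffff8801d3722640: 02 02 00 03 0f 00 00 00 00 00 00 00 00 00 00 00
Object ffff8801d3722650: 01 00 09 00 ff ff 00 00 05 00 06 00 00 00 00 00
Object ffff8801d3722660: 0a 00 4e 24 00 00 00 00 00 00 00 00 00 00 00 00
Object ffff8801d3722670: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Object ffff8801d3722680: 02 00 01 00 00 00 00 00 00 00 00 0b 00 00 00 00
Object ffff8801d3722690: 05 00 05 00 00 00 00 00 0a 00 4e 24 00 00 00 00
Object ffff8801d37226a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Object ffff8801d37226b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
"""

# Values taken from the report header and SLUB trailer.
OBJECT_BASE = 0xffff8801d3722640   # "INFO: Object 0xffff8801d3722640"
FAULT_ADDR = 0xffff8801d3722658    # "at addr ffff8801d3722658"
FAULT_SIZE = 8192                  # "Read of size 8192"
CACHE_SIZE = 512                   # "BUG kmalloc-512"

# PF_KEY v2 constants (RFC 2367 / linux/pfkeyv2.h).
SADB_EXT_SA = 1
SADB_EXT_KEY_AUTH = 8
SADB_EXT_KEY_ENCRYPT = 9
SADB_EALG_NULL = 11
EXT_HDR_LEN = 8                    # sizeof(struct sadb_ext) == sizeof(struct sadb_key)


def parse_object_dump(text):
    """Turn SLUB 'Object <addr>: xx xx ...' lines back into raw bytes."""
    out = bytearray()
    for line in text.splitlines():
        if not line.startswith("Object "):
            continue
        hexbytes = line.split(":", 1)[1].split()[:16]   # ignore any ASCII column
        out += bytes.fromhex("".join(hexbytes))
    return bytes(out)


def walk_pfkey(buf):
    """Parse the 16-byte sadb_msg header and the chain of 8-byte-unit extensions."""
    version, mtype, _errno, satype, msg_len = struct.unpack_from("<BBBBH", buf, 0)
    total = msg_len * 8
    if version != 2 or total > len(buf):
        raise ValueError("not a complete PF_KEY v2 message")
    exts, off = [], 16
    while off < total:
        ext_len, ext_type = struct.unpack_from("<HH", buf, off)
        if ext_len == 0:                       # would otherwise loop forever
            raise ValueError("zero-length extension at offset %d" % off)
        exts.append({"type": ext_type, "off": off, "len": ext_len * 8})
        off += ext_len * 8
    return {"type": mtype, "satype": satype, "total": total, "exts": exts}


def key_ext_lengths(buf, off):
    """For a sadb_key: bytes a (sadb_key_bits+7)/8 memcpy reads vs bytes present."""
    ext_len, _ext_type, key_bits = struct.unpack_from("<HHH", buf, off)
    want = (key_bits + 7) // 8                 # copied starting at key+1
    have = ext_len * 8 - EXT_HDR_LEN           # key bytes after the header
    return key_bits, want, have


def key_ext_is_sane(buf, off):
    """Length check a parser must apply whatever algorithm the SA names."""
    _bits, want, have = key_ext_lengths(buf, off)
    return 0 < want <= have


def triage(text=OBJECT_DUMP):
    buf = parse_object_dump(text)
    msg = walk_pfkey(buf)
    result = {"msg_type": msg["type"], "satype": msg["satype"],
              "msg_len": msg["total"], "ext_types": [e["type"] for e in msg["exts"]]}
    for e in msg["exts"]:
        if e["type"] == SADB_EXT_SA:
            # struct sadb_sa: len, exttype, spi, replay, state, auth, encrypt, flags
            sa = struct.unpack_from("<HHIBBBBI", buf, e["off"])
            result["sa_auth"], result["sa_encrypt"] = sa[5], sa[6]
        elif e["type"] in (SADB_EXT_KEY_AUTH, SADB_EXT_KEY_ENCRYPT):
            bits, want, have = key_ext_lengths(buf, e["off"])
            result["key_bits"], result["key_want"], result["key_have"] = bits, want, have
            result["key_sane"] = key_ext_is_sane(buf, e["off"])
            result["copy_src_off"] = e["off"] + EXT_HDR_LEN   # where key+1 lands
    result["fault_off"] = FAULT_ADDR - OBJECT_BASE
    # bytes the read runs past the end of the 512-byte slab object
    result["overrun"] = result["fault_off"] + FAULT_SIZE - CACHE_SIZE
    return result


if __name__ == "__main__":
    for key, value in triage().items():
        print("%-13s %s" % (key, value))
```

What the decode shows: sadb_msg_type is 2 (SADB_UPDATE, which af_key dispatches to pfkey_add just like SADB_ADD) for satype 3 (ESP); the SADB_EXT_SA extension carries sadb_sa_auth 0 and sadb_sa_encrypt 11 (SADB_EALG_NULL); the SADB_EXT_KEY_ENCRYPT extension has sadb_key_len 1, i.e. eight bytes, the header only, so zero key bytes, while sadb_key_bits is 0xffff. (0xffff + 7) / 8 is exactly the 8192 bytes of the faulting read, and the read begins eight bytes after the key header, at object offset 0x18, which is the reported address; 7704 of those bytes lie beyond the kmalloc-512 object. key_ext_is_sane() is the check that has to hold regardless of the algorithm named in the SA; whether the kernel on this page skips it for a null algorithm is not visible in the log and is not claimed here. The bytes the overread sweeps up are whatever the object's previous owner left behind: the free stack is load_elf_binary(), and the 0x6474e550, 0x6474e551 and 0x6474e552 words in the dump are PT_GNU_EH_FRAME, PT_GNU_STACK and PT_GNU_RELRO entries of a program-header table, so the SA's "key" is filled with stale kernel heap contents.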