==================================================================
BUG: KASAN: slab-out-of-bounds in pfkey_sadb2xfrm_user_sec_ctx net/key/af_key.c:474 [inline] at addr ffff8801cd717258
BUG: KASAN: slab-out-of-bounds in pfkey_compile_policy+0x8e6/0xd40 net/key/af_key.c:3306 at addr ffff8801cd717258
Read of size 1 by task syz-executor4/23325
CPU: 1 PID: 23325 Comm: syz-executor4 Not tainted 4.9.67-gf26d3c7 #2
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801ca7ff7d8 ffffffff81d906e9 ffff8801da001a00 ffff8801cd717240
 ffff8801cd717260 ffffed0039ae2e4b ffff8801cd717258 ffff8801ca7ff800
 ffffffff8153a2cc ffffed0039ae2e4b ffff8801da001a00 0000000000000000
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [] kasan_object_err+0x1c/0x70 mm/kasan/report.c:160
 [] print_address_description mm/kasan/report.c:198 [inline]
 [] kasan_report_error mm/kasan/report.c:287 [inline]
 [] kasan_report.part.1+0x21c/0x500 mm/kasan/report.c:309
 [] kasan_report+0x21/0x30 mm/kasan/report.c:310
 [] check_memory_region_inline mm/kasan/kasan.c:308 [inline]
 [] check_memory_region+0x137/0x190 mm/kasan/kasan.c:315
 [] memcpy+0x23/0x50 mm/kasan/kasan.c:350
 [] pfkey_sadb2xfrm_user_sec_ctx net/key/af_key.c:474 [inline]
 [] pfkey_compile_policy+0x8e6/0xd40 net/key/af_key.c:3306
 [] xfrm_user_policy+0x2fe/0x530 net/xfrm/xfrm_state.c:1907
 [] do_ip_setsockopt.isra.12+0x1977/0x2960 net/ipv4/ip_sockglue.c:1151
 [] compat_ip_setsockopt+0x4f/0xf0 net/ipv4/ip_sockglue.c:1269
 [] inet_csk_compat_setsockopt+0x95/0x120 net/ipv4/inet_connection_sock.c:914
 [] compat_tcp_setsockopt+0x3d/0x70 net/ipv4/tcp.c:2747
 [] compat_sock_common_setsockopt+0xb2/0x140 net/core/sock.c:2717
 [] C_SYSC_setsockopt net/compat.c:398 [inline]
 [] compat_SyS_setsockopt+0x149/0x290 net/compat.c:381
 [] do_syscall_32_irqs_on arch/x86/entry/common.c:322 [inline]
 [] do_fast_syscall_32+0x2f7/0x890 arch/x86/entry/common.c:384
 [] entry_SYSENTER_compat+0x51/0x60 arch/x86/entry/entry_64_compat.S:124
Object at ffff8801cd717240, in cache kmalloc-32 size: 32
Allocated:
PID = 23325
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:495
 set_track mm/kasan/kasan.c:507 [inline]
 kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598
 __kmalloc+0x11d/0x310 mm/slub.c:3741
 kmalloc include/linux/slab.h:495 [inline]
 xfrm_user_policy+0xc1/0x530 net/xfrm/xfrm_state.c:1896
 do_ip_setsockopt.isra.12+0x1977/0x2960 net/ipv4/ip_sockglue.c:1151
 compat_ip_setsockopt+0x4f/0xf0 net/ipv4/ip_sockglue.c:1269
 inet_csk_compat_setsockopt+0x95/0x120 net/ipv4/inet_connection_sock.c:914
 compat_tcp_setsockopt+0x3d/0x70 net/ipv4/tcp.c:2747
 compat_sock_common_setsockopt+0xb2/0x140 net/core/sock.c:2717
 C_SYSC_setsockopt net/compat.c:398 [inline]
 compat_SyS_setsockopt+0x149/0x290 net/compat.c:381
 do_syscall_32_irqs_on arch/x86/entry/common.c:322 [inline]
 do_fast_syscall_32+0x2f7/0x890 arch/x86/entry/common.c:384
 entry_SYSENTER_compat+0x51/0x60 arch/x86/entry/entry_64_compat.S:124
Freed:
PID = 23171
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:495
 set_track mm/kasan/kasan.c:507 [inline]
 kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:571
 slab_free_hook mm/slub.c:1355 [inline]
 slab_free_freelist_hook mm/slub.c:1377 [inline]
 slab_free mm/slub.c:2958 [inline]
 kfree+0xf0/0x2f0 mm/slub.c:3878
 selinux_cred_free+0x48/0x70 security/selinux/hooks.c:3744
 security_cred_free+0x48/0x80 security/security.c:909
 put_cred_rcu+0x62/0x2c0 kernel/cred.c:116
 __rcu_reclaim kernel/rcu/rcu.h:118 [inline]
 rcu_do_batch kernel/rcu/tree.c:2789 [inline]
 invoke_rcu_callbacks kernel/rcu/tree.c:3053 [inline]
 __rcu_process_callbacks kernel/rcu/tree.c:3020 [inline]
 rcu_process_callbacks+0x871/0x12c0 kernel/rcu/tree.c:3037
 __do_softirq+0x206/0x951 kernel/softirq.c:284
Memory state around the buggy address:
 ffff8801cd717100: fb fb fc fc fb fb fb fb fc fc fb fb fb fb fc fc
 ffff8801cd717180: fb fb fb fb fc fc 00 00 00 00 fc fc fb fb fb fb
>ffff8801cd717200: fc fc fb fb fb fb fc fc 00 00 00 fc fc fc 00 00
                                                    ^
 ffff8801cd717280: 00 00 fc fc fb fb fb fb fc fc fb fb fb fb fc fc
 ffff8801cd717300: 00 00 01 fc fc fc fb fb fb fb fc fc 00 00 00 00
==================================================================
==================================================================
BUG: KASAN: slab-out-of-bounds in pfkey_sadb2xfrm_user_sec_ctx net/key/af_key.c:474 [inline] at addr ffff8801c9604618
BUG: KASAN: slab-out-of-bounds in pfkey_compile_policy+0x8e6/0xd40 net/key/af_key.c:3306 at addr ffff8801c9604618
Read of size 1 by task syz-executor4/23325
CPU: 0 PID: 23325 Comm: syz-executor4 Tainted: G    B   4.9.67-gf26d3c7 #2
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801ca7ff7d8 ffffffff81d906e9 ffff8801da001a00 ffff8801c9604600
 ffff8801c9604620 ffffed00392c08c3 ffff8801c9604618 ffff8801ca7ff800
 ffffffff8153a2cc ffffed00392c08c3 ffff8801da001a00 0000000000000000
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [] kasan_object_err+0x1c/0x70 mm/kasan/report.c:160
 [] print_address_description mm/kasan/report.c:198 [inline]
 [] kasan_report_error mm/kasan/report.c:287 [inline]
 [] kasan_report.part.1+0x21c/0x500 mm/kasan/report.c:309
 [] kasan_report+0x21/0x30 mm/kasan/report.c:310
 [] check_memory_region_inline mm/kasan/kasan.c:308 [inline]
 [] check_memory_region+0x137/0x190 mm/kasan/kasan.c:315
 [] memcpy+0x23/0x50 mm/kasan/kasan.c:350
 [] pfkey_sadb2xfrm_user_sec_ctx net/key/af_key.c:474 [inline]
 [] pfkey_compile_policy+0x8e6/0xd40 net/key/af_key.c:3306
 [] xfrm_user_policy+0x2fe/0x530 net/xfrm/xfrm_state.c:1907
 [] do_ip_setsockopt.isra.12+0x1977/0x2960 net/ipv4/ip_sockglue.c:1151
 [] compat_ip_setsockopt+0x4f/0xf0 net/ipv4/ip_sockglue.c:1269
 [] inet_csk_compat_setsockopt+0x95/0x120 net/ipv4/inet_connection_sock.c:914
 [] compat_tcp_setsockopt+0x3d/0x70 net/ipv4/tcp.c:2747
 [] compat_sock_common_setsockopt+0xb2/0x140 net/core/sock.c:2717
 [] C_SYSC_setsockopt net/compat.c:398 [inline]
 [] compat_SyS_setsockopt+0x149/0x290 net/compat.c:381
 [] do_syscall_32_irqs_on arch/x86/entry/common.c:322 [inline]
 [] do_fast_syscall_32+0x2f7/0x890 arch/x86/entry/common.c:384
 [] entry_SYSENTER_compat+0x51/0x60 arch/x86/entry/entry_64_compat.S:124
Object at ffff8801c9604600, in cache kmalloc-32 size: 32
Allocated:
PID = 23325
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:495
 set_track mm/kasan/kasan.c:507 [inline]
 kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598
 __kmalloc+0x11d/0x310 mm/slub.c:3741
 kmalloc include/linux/slab.h:495 [inline]
 xfrm_user_policy+0xc1/0x530 net/xfrm/xfrm_state.c:1896
 do_ip_setsockopt.isra.12+0x1977/0x2960 net/ipv4/ip_sockglue.c:1151
 compat_ip_setsockopt+0x4f/0xf0 net/ipv4/ip_sockglue.c:1269
 inet_csk_compat_setsockopt+0x95/0x120 net/ipv4/inet_connection_sock.c:914
 compat_tcp_setsockopt+0x3d/0x70 net/ipv4/tcp.c:2747
 compat_sock_common_setsockopt+0xb2/0x140 net/core/sock.c:2717
 C_SYSC_setsockopt net/compat.c:398 [inline]
 compat_SyS_setsockopt+0x149/0x290 net/compat.c:381
 do_syscall_32_irqs_on arch/x86/entry/common.c:322 [inline]
 do_fast_syscall_32+0x2f7/0x890 arch/x86/entry/common.c:384
 entry_SYSENTER_compat+0x51/0x60 arch/x86/entry/entry_64_compat.S:124
Freed:
PID = 17
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:495
 set_track mm/kasan/kasan.c:507 [inline]
 kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:571
 slab_free_hook mm/slub.c:1355 [inline]
 slab_free_freelist_hook mm/slub.c:1377 [inline]
 slab_free mm/slub.c:2958 [inline]
 kfree+0xf0/0x2f0 mm/slub.c:3878
 selinux_cred_free+0x48/0x70 security/selinux/hooks.c:3744
 security_cred_free+0x48/0x80 security/security.c:909
 put_cred_rcu+0x62/0x2c0 kernel/cred.c:116
 __rcu_reclaim kernel/rcu/rcu.h:118 [inline]
 rcu_do_batch kernel/rcu/tree.c:2789 [inline]
 invoke_rcu_callbacks kernel/rcu/tree.c:3053 [inline]
 __rcu_process_callbacks kernel/rcu/tree.c:3020 [inline]
 rcu_process_callbacks+0x871/0x12c0 kernel/rcu/tree.c:3037
 __do_softirq+0x206/0x951 kernel/softirq.c:284
Memory state around the buggy address:
 ffff8801c9604500: fc fc fb fb fb fb fc fc 00 00 00 00 fc fc 00 00
 ffff8801c9604580: 01 fc fc fc fb fb fb fb fc fc fb fb fb fb fc fc
>ffff8801c9604600: 00 00 00 fc fc fc fb fb fb fb fc fc 00 00 00 00
                            ^
 ffff8801c9604680: fc fc fb fb fb fb fc fc fb fb fb fb fc fc fb fb
 ffff8801c9604700: fb fb fc fc fb fb fb fb fc fc fb fb fb fb fc fc
==================================================================
netlink: 9 bytes leftover after parsing attributes in process `syz-executor5'.
netlink: 9 bytes leftover after parsing attributes in process `syz-executor5'.
netlink: 5 bytes leftover after parsing attributes in process `syz-executor4'.
netlink: 5 bytes leftover after parsing attributes in process `syz-executor4'.
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=7 sclass=netlink_route_socket pig=24236 comm=syz-executor3
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=7 sclass=netlink_route_socket pig=24264 comm=syz-executor3
netlink: 5 bytes leftover after parsing attributes in process `syz-executor5'.
netlink: 5 bytes leftover after parsing attributes in process `syz-executor5'.
device lo entered promiscuous mode
device lo left promiscuous mode
device lo entered promiscuous mode
device lo left promiscuous mode
device lo entered promiscuous mode
device lo left promiscuous mode
device lo entered promiscuous mode
device lo left promiscuous mode
SELinux: unrecognized netlink message: protocol=4 nlmsg_type=24 sclass=netlink_tcpdiag_socket pig=25191 comm=syz-executor0
SELinux: unrecognized netlink message: protocol=9 nlmsg_type=20 sclass=netlink_audit_socket pig=25191 comm=syz-executor0
SELinux: unrecognized netlink message: protocol=4 nlmsg_type=24 sclass=netlink_tcpdiag_socket pig=25191 comm=syz-executor0
nla_parse: 2 callbacks suppressed
netlink: 5 bytes leftover after parsing attributes in process `syz-executor0'.
netlink: 5 bytes leftover after parsing attributes in process `syz-executor3'.
netlink: 5 bytes leftover after parsing attributes in process `syz-executor0'.
netlink: 5 bytes leftover after parsing attributes in process `syz-executor3'.
netlink: 5 bytes leftover after parsing attributes in process `syz-executor2'.
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=53984 sclass=netlink_route_socket pig=25357 comm=syz-executor2
netlink: 5 bytes leftover after parsing attributes in process `syz-executor2'.
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=53984 sclass=netlink_route_socket pig=25386 comm=syz-executor2
netlink: 5 bytes leftover after parsing attributes in process `syz-executor3'.
netlink: 5 bytes leftover after parsing attributes in process `syz-executor3'.
skbuff: bad partial csum: csum=55167/11979 len=1612
netlink: 5 bytes leftover after parsing attributes in process `syz-executor3'.
netlink: 5 bytes leftover after parsing attributes in process `syz-executor3'.
device lo entered promiscuous mode
device lo left promiscuous mode
SELinux: unrecognized netlink message: protocol=9 nlmsg_type=1792 sclass=netlink_audit_socket pig=26632 comm=syz-executor0
SELinux: unrecognized netlink message: protocol=9 nlmsg_type=1792 sclass=netlink_audit_socket pig=26642 comm=syz-executor0
SELinux: unrecognized netlink message: protocol=4 nlmsg_type=20793 sclass=netlink_tcpdiag_socket pig=26656 comm=syz-executor1
skbuff: bad partial csum: csum=55167/11979 len=1612
skbuff: bad partial csum: csum=55167/11979 len=1612
selinux_nlmsg_perm: 1 callbacks suppressed
SELinux: unrecognized netlink message: protocol=4 nlmsg_type=18590 sclass=netlink_tcpdiag_socket pig=27901 comm=syz-executor0
SELinux: unrecognized netlink message: protocol=4 nlmsg_type=18590 sclass=netlink_tcpdiag_socket pig=27901 comm=syz-executor0
SELinux: unrecognized netlink message: protocol=4 nlmsg_type=30790 sclass=netlink_tcpdiag_socket pig=28342 comm=syz-executor5
SELinux: unrecognized netlink message: protocol=4 nlmsg_type=257 sclass=netlink_tcpdiag_socket pig=28423 comm=syz-executor4
SELinux: unrecognized netlink message: protocol=4 nlmsg_type=257 sclass=netlink_tcpdiag_socket pig=28428 comm=syz-executor4
device lo entered promiscuous mode
device lo left promiscuous mode
nla_parse: 4 callbacks suppressed
netlink: 5 bytes leftover after parsing attributes in process `syz-executor4'.
netlink: 5 bytes leftover after parsing attributes in process `syz-executor4'.
SELinux: unrecognized netlink message: protocol=6 nlmsg_type=56083 sclass=netlink_xfrm_socket pig=28895 comm=syz-executor6
netlink: 44 bytes leftover after parsing attributes in process `syz-executor3'.
netlink: 44 bytes leftover after parsing attributes in process `syz-executor3'.
netlink: 44 bytes leftover after parsing attributes in process `syz-executor3'.