==================================================================
BUG: KASAN: use-after-free in parse_ipsecrequest net/key/af_key.c:1906 [inline] at addr ffff8801d1065eb6
BUG: KASAN: use-after-free in parse_ipsecrequests+0xc7d/0xd00 net/key/af_key.c:1958 at addr ffff8801d1065eb6
Read of size 1 by task syz-executor2/3812
CPU: 1 PID: 3812 Comm: syz-executor2 Not tainted 4.9.39-g5b07c2d #4
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801c664f788 ffffffff81eacd59 ffff8801dac01a00 ffff8801d1065ea0
 ffff8801d1065ec0 ffffed003a20cbd6 ffff8801d1065eb6 ffff8801c664f7b0
 ffffffff81546bfc ffffed003a20cbd6 ffff8801dac01a00 0000000000000000
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [] kasan_object_err+0x1c/0x70 mm/kasan/report.c:160
 [] print_address_description mm/kasan/report.c:198 [inline]
 [] kasan_report_error mm/kasan/report.c:287 [inline]
 [] kasan_report.part.1+0x20d/0x4e0 mm/kasan/report.c:309
 [] kasan_report mm/kasan/report.c:327 [inline]
 [] __asan_report_load1_noabort+0x29/0x30 mm/kasan/report.c:327
 [] parse_ipsecrequest net/key/af_key.c:1906 [inline]
 [] parse_ipsecrequests+0xc7d/0xd00 net/key/af_key.c:1958
 [] pfkey_compile_policy+0xa20/0xd40 net/key/af_key.c:3250
 [] xfrm_user_policy+0x222/0x370 net/xfrm/xfrm_state.c:1900
 [] do_ip_setsockopt.isra.11+0x193e/0x28f0 net/ipv4/ip_sockglue.c:1146
 [] ip_setsockopt+0x3a/0xb0 net/ipv4/ip_sockglue.c:1235
 [] tcp_setsockopt+0x82/0xd0 net/ipv4/tcp.c:2701
 [] sock_common_setsockopt+0x95/0xd0 net/core/sock.c:2705
 [] SYSC_setsockopt net/socket.c:1771 [inline]
 [] SyS_setsockopt+0x158/0x240 net/socket.c:1750
 [] entry_SYSCALL_64_fastpath+0x23/0xc6
Object at ffff8801d1065ea0, in cache kmalloc-32 size: 32
Allocated:
PID = 2874
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:495
 set_track mm/kasan/kasan.c:507 [inline]
 kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598
 kmem_cache_alloc_trace+0x106/0x2b0 mm/slub.c:2742
 kmalloc include/linux/slab.h:490 [inline]
 kzalloc include/linux/slab.h:636 [inline]
 aa_alloc_task_context+0x54/0x90 security/apparmor/context.c:40
 apparmor_cred_prepare+0x1d/0xa0 security/apparmor/lsm.c:76
 security_prepare_creds+0x7d/0xb0 security/security.c:913
 prepare_creds+0x226/0x300 kernel/cred.c:277
 SYSC_faccessat fs/open.c:376 [inline]
 SyS_faccessat fs/open.c:363 [inline]
 SYSC_access fs/open.c:443 [inline]
 SyS_access+0x93/0x6a0 fs/open.c:441
 entry_SYSCALL_64_fastpath+0x23/0xc6
Freed:
PID = 2900
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:495
 set_track mm/kasan/kasan.c:507 [inline]
 kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:571
 slab_free_hook mm/slub.c:1355 [inline]
 slab_free_freelist_hook mm/slub.c:1377 [inline]
 slab_free mm/slub.c:2958 [inline]
 kfree+0xf0/0x2f0 mm/slub.c:3878
 kzfree+0x28/0x30 mm/slab_common.c:1346
 aa_free_task_context+0x144/0x1c0 security/apparmor/context.c:54
 apparmor_cred_free+0x33/0x70 security/apparmor/lsm.c:51
 security_cred_free+0x48/0x80 security/security.c:908
 put_cred_rcu+0x62/0x2c0 kernel/cred.c:116
 __rcu_reclaim kernel/rcu/rcu.h:118 [inline]
 rcu_do_batch kernel/rcu/tree.c:2779 [inline]
 invoke_rcu_callbacks kernel/rcu/tree.c:3043 [inline]
 __rcu_process_callbacks kernel/rcu/tree.c:3010 [inline]
 rcu_process_callbacks+0x889/0x12d0 kernel/rcu/tree.c:3027
 __do_softirq+0x22d/0x964 kernel/softirq.c:284
Memory state around the buggy address:
 ffff8801d1065d80: fb fb fb fb fc fc fb fb fb fb fc fc fb fb fb fb
 ffff8801d1065e00: fc fc fb fb fb fb fc fc fb fb fb fb fc fc fb fb
>ffff8801d1065e80: fb fb fc fc fb fb fb fb fc fc 00 00 00 fc fc fc
                                     ^
 ffff8801d1065f00: 00 00 00 fc fc fc 00 00 00 fc fc fc 00 00 00 fc
 ffff8801d1065f80: fc fc fb fb fb fb fc fc 00 00 00 fc fc fc fc fc
==================================================================
nla_parse: 105 callbacks suppressed
netlink: 13 bytes leftover after parsing attributes in process `syz-executor4'.
netlink: 13 bytes leftover after parsing attributes in process `syz-executor7'.
netlink: 13 bytes leftover after parsing attributes in process `syz-executor2'.
netlink: 13 bytes leftover after parsing attributes in process `syz-executor4'.
netlink: 13 bytes leftover after parsing attributes in process `syz-executor2'.
netlink: 13 bytes leftover after parsing attributes in process `syz-executor7'.
netlink: 13 bytes leftover after parsing attributes in process `syz-executor4'.
netlink: 13 bytes leftover after parsing attributes in process `syz-executor4'.
netlink: 13 bytes leftover after parsing attributes in process `syz-executor2'.
netlink: 13 bytes leftover after parsing attributes in process `syz-executor7'.
random: crng init done
nla_parse: 45 callbacks suppressed
netlink: 224 bytes leftover after parsing attributes in process `syz-executor6'.
netlink: 224 bytes leftover after parsing attributes in process `syz-executor6'.