==================================================================
BUG: KASAN: use-after-free in parse_ipsecrequest net/key/af_key.c:1906 [inline] at addr ffff8801d1065eb6
BUG: KASAN: use-after-free in parse_ipsecrequests+0xc7d/0xd00 net/key/af_key.c:1958 at addr ffff8801d1065eb6
Read of size 1 by task syz-executor2/3812
CPU: 1 PID: 3812 Comm: syz-executor2 Not tainted 4.9.39-g5b07c2d #4
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801c664f788 ffffffff81eacd59 ffff8801dac01a00 ffff8801d1065ea0
 ffff8801d1065ec0 ffffed003a20cbd6 ffff8801d1065eb6 ffff8801c664f7b0
 ffffffff81546bfc ffffed003a20cbd6 ffff8801dac01a00 0000000000000000
Call Trace:
 [<ffffffff81eacd59>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81eacd59>] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [<ffffffff81546bfc>] kasan_object_err+0x1c/0x70 mm/kasan/report.c:160
 [<ffffffff81546ead>] print_address_description mm/kasan/report.c:198 [inline]
 [<ffffffff81546ead>] kasan_report_error mm/kasan/report.c:287 [inline]
 [<ffffffff81546ead>] kasan_report.part.1+0x20d/0x4e0 mm/kasan/report.c:309
 [<ffffffff815471a9>] kasan_report mm/kasan/report.c:327 [inline]
 [<ffffffff815471a9>] __asan_report_load1_noabort+0x29/0x30 mm/kasan/report.c:327
 [<ffffffff8358b4bd>] parse_ipsecrequest net/key/af_key.c:1906 [inline]
 [<ffffffff8358b4bd>] parse_ipsecrequests+0xc7d/0xd00 net/key/af_key.c:1958
 [<ffffffff835a4890>] pfkey_compile_policy+0xa20/0xd40 net/key/af_key.c:3250
 [<ffffffff83402532>] xfrm_user_policy+0x222/0x370 net/xfrm/xfrm_state.c:1900
 [<ffffffff8323f79e>] do_ip_setsockopt.isra.11+0x193e/0x28f0 net/ipv4/ip_sockglue.c:1146
 [<ffffffff8324078a>] ip_setsockopt+0x3a/0xb0 net/ipv4/ip_sockglue.c:1235
 [<ffffffff832601b2>] tcp_setsockopt+0x82/0xd0 net/ipv4/tcp.c:2701
 [<ffffffff82f01f55>] sock_common_setsockopt+0x95/0xd0 net/core/sock.c:2705
 [<ffffffff82efefa8>] SYSC_setsockopt net/socket.c:1771 [inline]
 [<ffffffff82efefa8>] SyS_setsockopt+0x158/0x240 net/socket.c:1750
 [<ffffffff839658c5>] entry_SYSCALL_64_fastpath+0x23/0xc6
Object at ffff8801d1065ea0, in cache kmalloc-32 size: 32
Allocated:
PID = 2874
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:495
 set_track mm/kasan/kasan.c:507 [inline]
 kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598
 kmem_cache_alloc_trace+0x106/0x2b0 mm/slub.c:2742
 kmalloc include/linux/slab.h:490 [inline]
 kzalloc include/linux/slab.h:636 [inline]
 aa_alloc_task_context+0x54/0x90 security/apparmor/context.c:40
 apparmor_cred_prepare+0x1d/0xa0 security/apparmor/lsm.c:76
 security_prepare_creds+0x7d/0xb0 security/security.c:913
 prepare_creds+0x226/0x300 kernel/cred.c:277
 SYSC_faccessat fs/open.c:376 [inline]
 SyS_faccessat fs/open.c:363 [inline]
 SYSC_access fs/open.c:443 [inline]
 SyS_access+0x93/0x6a0 fs/open.c:441
 entry_SYSCALL_64_fastpath+0x23/0xc6
Freed:
PID = 2900
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:495
 set_track mm/kasan/kasan.c:507 [inline]
 kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:571
 slab_free_hook mm/slub.c:1355 [inline]
 slab_free_freelist_hook mm/slub.c:1377 [inline]
 slab_free mm/slub.c:2958 [inline]
 kfree+0xf0/0x2f0 mm/slub.c:3878
 kzfree+0x28/0x30 mm/slab_common.c:1346
 aa_free_task_context+0x144/0x1c0 security/apparmor/context.c:54
 apparmor_cred_free+0x33/0x70 security/apparmor/lsm.c:51
 security_cred_free+0x48/0x80 security/security.c:908
 put_cred_rcu+0x62/0x2c0 kernel/cred.c:116
 __rcu_reclaim kernel/rcu/rcu.h:118 [inline]
 rcu_do_batch kernel/rcu/tree.c:2779 [inline]
 invoke_rcu_callbacks kernel/rcu/tree.c:3043 [inline]
 __rcu_process_callbacks kernel/rcu/tree.c:3010 [inline]
 rcu_process_callbacks+0x889/0x12d0 kernel/rcu/tree.c:3027
 __do_softirq+0x22d/0x964 kernel/softirq.c:284
Memory state around the buggy address:
 ffff8801d1065d80: fb fb fb fb fc fc fb fb fb fb fc fc fb fb fb fb
 ffff8801d1065e00: fc fc fb fb fb fb fc fc fb fb fb fb fc fc fb fb
>ffff8801d1065e80: fb fb fc fc fb fb fb fb fc fc 00 00 00 fc fc fc
                                     ^
 ffff8801d1065f00: 00 00 00 fc fc fc 00 00 00 fc fc fc 00 00 00 fc
 ffff8801d1065f80: fc fc fb fb fb fb fc fc 00 00 00 fc fc fc fc fc
==================================================================
nla_parse: 105 callbacks suppressed
netlink: 13 bytes leftover after parsing attributes in process `syz-executor4'.
netlink: 13 bytes leftover after parsing attributes in process `syz-executor7'.
netlink: 13 bytes leftover after parsing attributes in process `syz-executor2'.
netlink: 13 bytes leftover after parsing attributes in process `syz-executor4'.
netlink: 13 bytes leftover after parsing attributes in process `syz-executor2'.
netlink: 13 bytes leftover after parsing attributes in process `syz-executor7'.
netlink: 13 bytes leftover after parsing attributes in process `syz-executor4'.
netlink: 13 bytes leftover after parsing attributes in process `syz-executor4'.
netlink: 13 bytes leftover after parsing attributes in process `syz-executor2'.
netlink: 13 bytes leftover after parsing attributes in process `syz-executor7'.
random: crng init done
nla_parse: 45 callbacks suppressed
netlink: 224 bytes leftover after parsing attributes in process `syz-executor6'.
netlink: 224 bytes leftover after parsing attributes in process `syz-executor6'.