==================================================================
BUG: KASAN: use-after-free in ip_cmsg_recv_dstaddr net/ipv4/ip_sockglue.c:152 [inline]
BUG: KASAN: use-after-free in ip_cmsg_recv_offset+0xc59/0xdd0 net/ipv4/ip_sockglue.c:215
Read of size 4 at addr ffff8801c8886520 by task syz-executor5/4086

CPU: 1 PID: 4086 Comm: syz-executor5 Not tainted 4.9.132+ #51
 ffff8801c66ff5a8 ffffffff81b371b9 ffffea0007222180 ffff8801c8886520
 0000000000000000 ffff8801c8886520 ffff8801c48d7924 ffff8801c66ff5e0
 ffffffff81500bad ffff8801c8886520 0000000000000004 0000000000000000
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [] print_address_description+0x6c/0x234 mm/kasan/report.c:256
 [] kasan_report_error mm/kasan/report.c:355 [inline]
 [] kasan_report.cold.6+0x242/0x2fe mm/kasan/report.c:412
 [] __asan_report_load4_noabort+0x14/0x20 mm/kasan/report.c:432
 [] ip_cmsg_recv_dstaddr net/ipv4/ip_sockglue.c:152 [inline]
 [] ip_cmsg_recv_offset+0xc59/0xdd0 net/ipv4/ip_sockglue.c:215
 [] ip_cmsg_recv include/net/ip.h:612 [inline]
 [] raw_recvmsg+0x577/0x660 net/ipv4/raw.c:769
 [] inet_recvmsg+0x23e/0x4c0 net/ipv4/af_inet.c:801
 [] sock_recvmsg_nosec net/socket.c:750 [inline]
 [] sock_recvmsg+0xc6/0x110 net/socket.c:757
 [] sock_read_iter+0x24a/0x360 net/socket.c:834
 [] do_iter_readv_writev+0x2f8/0x4b0 fs/read_write.c:693
 [] do_readv_writev+0x2fa/0x7b0 fs/read_write.c:871
 [] vfs_readv+0x84/0xc0 fs/read_write.c:897
 [] do_readv+0xe6/0x260 fs/read_write.c:923
 [] SYSC_readv fs/read_write.c:1010 [inline]
 [] SyS_readv+0x27/0x30 fs/read_write.c:1007
 [] do_syscall_64+0x19f/0x550 arch/x86/entry/common.c:285
 [] entry_SYSCALL_64_after_swapgs+0x5d/0xdb

Allocated by task 4086:
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack mm/kasan/kasan.c:505 [inline]
 set_track mm/kasan/kasan.c:517 [inline]
 kasan_kmalloc.part.1+0x62/0xf0 mm/kasan/kasan.c:609
 kasan_kmalloc+0xaf/0xc0 mm/kasan/kasan.c:594
 kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:547
 slab_post_alloc_hook mm/slab.h:417 [inline]
 slab_alloc_node mm/slub.c:2715 [inline]
 slab_alloc mm/slub.c:2723 [inline]
 __kmalloc_track_caller+0xf0/0x2d0 mm/slub.c:4232
 __kmalloc_reserve.isra.5+0x33/0xc0 net/core/skbuff.c:138
 __alloc_skb+0x11a/0x5b0 net/core/skbuff.c:231
 alloc_skb include/linux/skbuff.h:919 [inline]
 sock_wmalloc+0x9e/0xe0 net/core/sock.c:1772
 __ip_append_data.isra.2+0x20e7/0x2930 net/ipv4/ip_output.c:1039
 ip_append_data.part.4+0xe4/0x150 net/ipv4/ip_output.c:1231
 ip_append_data+0x68/0x80 net/ipv4/ip_output.c:1220
 raw_sendmsg+0xb74/0x2480 net/ipv4/raw.c:652
 inet_sendmsg+0x203/0x4d0 net/ipv4/af_inet.c:770
 sock_sendmsg_nosec net/socket.c:648 [inline]
 sock_sendmsg+0xbb/0x110 net/socket.c:658
 SYSC_sendto net/socket.c:1683 [inline]
 SyS_sendto+0x220/0x370 net/socket.c:1651
 do_syscall_64+0x19f/0x550 arch/x86/entry/common.c:285
 entry_SYSCALL_64_after_swapgs+0x5d/0xdb

Freed by task 4086:
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack mm/kasan/kasan.c:505 [inline]
 set_track mm/kasan/kasan.c:517 [inline]
 kasan_slab_free+0xac/0x190 mm/kasan/kasan.c:582
 slab_free_hook mm/slub.c:1355 [inline]
 slab_free_freelist_hook mm/slub.c:1377 [inline]
 slab_free mm/slub.c:2958 [inline]
 kfree+0xfb/0x310 mm/slub.c:3878
 skb_free_head+0x8b/0xb0 net/core/skbuff.c:580
 pskb_expand_head+0x457/0x8a0 net/core/skbuff.c:1246
 __pskb_pull_tail+0xc7/0x1240 net/core/skbuff.c:1615
 pskb_may_pull include/linux/skbuff.h:1966 [inline]
 ip_cmsg_recv_dstaddr net/ipv4/ip_sockglue.c:142 [inline]
 ip_cmsg_recv_offset+0xbb0/0xdd0 net/ipv4/ip_sockglue.c:215
 ip_cmsg_recv include/net/ip.h:612 [inline]
 raw_recvmsg+0x577/0x660 net/ipv4/raw.c:769
 inet_recvmsg+0x23e/0x4c0 net/ipv4/af_inet.c:801
 sock_recvmsg_nosec net/socket.c:750 [inline]
 sock_recvmsg+0xc6/0x110 net/socket.c:757
 sock_read_iter+0x24a/0x360 net/socket.c:834
 do_iter_readv_writev+0x2f8/0x4b0 fs/read_write.c:693
 do_readv_writev+0x2fa/0x7b0 fs/read_write.c:871
 vfs_readv+0x84/0xc0 fs/read_write.c:897
 do_readv+0xe6/0x260 fs/read_write.c:923
 SYSC_readv fs/read_write.c:1010 [inline]
 SyS_readv+0x27/0x30 fs/read_write.c:1007
 do_syscall_64+0x19f/0x550 arch/x86/entry/common.c:285
 entry_SYSCALL_64_after_swapgs+0x5d/0xdb

The buggy address belongs to the object at ffff8801c8886500
 which belongs to the cache kmalloc-512 of size 512
The buggy address is located 32 bytes inside of
 512-byte region [ffff8801c8886500, ffff8801c8886700)
The buggy address belongs to the page:
page:ffffea0007222180 count:1 mapcount:0 mapping: (null) index:0x0 compound_mapcount: 0
flags: 0x4000000000004080(slab|head)
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8801c8886400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8801c8886480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff8801c8886500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                               ^
 ffff8801c8886580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8801c8886600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
audit_printk_skb: 18 callbacks suppressed
audit: type=1400 audit(2000000345.860:2369): avc: denied { prog_load } for pid=4096 comm="syz-executor1" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=bpf permissive=1