================================================================== BUG: KASAN: slab-out-of-bounds in string+0x1e8/0x200 lib/vsprintf.c:592 Read of size 1 at addr ffff8801cafced50 by task syzkaller538128/3345 CPU: 1 PID: 3345 Comm: syzkaller538128 Not tainted 4.9.78-ge9dabe6 #19 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 ffff8801bf9ff738 ffffffff81d943a9 ffffea00072bf380 ffff8801cafced50 0000000000000000 ffff8801cafced50 ffff8801bf9ff994 ffff8801bf9ff770 ffffffff8153dc23 ffff8801cafced50 0000000000000001 0000000000000000 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xc1/0x128 lib/dump_stack.c:51 [] print_address_description+0x73/0x280 mm/kasan/report.c:252 [] kasan_report_error mm/kasan/report.c:351 [inline] [] kasan_report+0x275/0x360 mm/kasan/report.c:408 [] __asan_report_load1_noabort+0x14/0x20 mm/kasan/report.c:426 [] string+0x1e8/0x200 lib/vsprintf.c:592 [] vsnprintf+0x7ad/0x16d0 lib/vsprintf.c:2044 [] __request_module+0x14f/0x750 kernel/kmod.c:146 [] xt_request_find_target+0x8b/0xb0 net/netfilter/x_tables.c:256 [] find_check_entry net/ipv4/netfilter/ip_tables.c:567 [inline] [] translate_table+0x177a/0x1e30 net/ipv4/netfilter/ip_tables.c:745 [] ? 0xffffffff810002b8 [] do_replace net/ipv4/netfilter/ip_tables.c:1151 [inline] [] do_ipt_set_ctl+0x2be/0x470 net/ipv4/netfilter/ip_tables.c:1687 [] nf_sockopt net/netfilter/nf_sockopt.c:105 [inline] [] nf_setsockopt+0x67/0xc0 net/netfilter/nf_sockopt.c:114 [] ip_setsockopt+0xa1/0xb0 net/ipv4/ip_sockglue.c:1248 [] tcp_setsockopt+0x82/0xd0 net/ipv4/tcp.c:2737 [] sock_common_setsockopt+0x95/0xd0 net/core/sock.c:2706 [] SYSC_setsockopt net/socket.c:1772 [inline] [] SyS_setsockopt+0x160/0x250 net/socket.c:1751 [] entry_SYSCALL_64_fastpath+0x29/0xe8 Allocated by task 3345: save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 save_stack+0x43/0xd0 mm/kasan/kasan.c:505 set_track mm/kasan/kasan.c:517 [inline] kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:609 __kmalloc+0x11d/0x310 mm/slub.c:3741 kmalloc include/linux/slab.h:495 [inline] xt_alloc_table_info+0x71/0x100 net/netfilter/x_tables.c:959 do_replace net/ipv4/netfilter/ip_tables.c:1140 [inline] do_ipt_set_ctl+0x242/0x470 net/ipv4/netfilter/ip_tables.c:1687 nf_sockopt net/netfilter/nf_sockopt.c:105 [inline] nf_setsockopt+0x67/0xc0 net/netfilter/nf_sockopt.c:114 ip_setsockopt+0xa1/0xb0 net/ipv4/ip_sockglue.c:1248 tcp_setsockopt+0x82/0xd0 net/ipv4/tcp.c:2737 sock_common_setsockopt+0x95/0xd0 net/core/sock.c:2706 SYSC_setsockopt net/socket.c:1772 [inline] SyS_setsockopt+0x160/0x250 net/socket.c:1751 entry_SYSCALL_64_fastpath+0x29/0xe8 Freed by task 1804: save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 save_stack+0x43/0xd0 mm/kasan/kasan.c:505 set_track mm/kasan/kasan.c:517 [inline] kasan_slab_free+0x72/0xc0 mm/kasan/kasan.c:582 slab_free_hook mm/slub.c:1355 [inline] slab_free_freelist_hook mm/slub.c:1377 [inline] slab_free mm/slub.c:2958 [inline] kfree+0x103/0x300 mm/slub.c:3878 seq_release+0x59/0x70 fs/seq_file.c:372 kernfs_fop_release+0xcb/0x140 fs/kernfs/file.c:742 __fput+0x28c/0x6e0 fs/file_table.c:208 ____fput+0x15/0x20 fs/file_table.c:244 task_work_run+0x115/0x190 kernel/task_work.c:116 tracehook_notify_resume include/linux/tracehook.h:191 [inline] exit_to_usermode_loop+0xfc/0x120 arch/x86/entry/common.c:160 prepare_exit_to_usermode arch/x86/entry/common.c:190 [inline] syscall_return_slowpath+0x1a0/0x1e0 arch/x86/entry/common.c:259 entry_SYSCALL_64_fastpath+0xe6/0xe8 The buggy address belongs to the object at ffff8801cafcec80 which belongs to the cache kmalloc-256 of size 256 The buggy address is located 208 bytes inside of 256-byte region [ffff8801cafcec80, ffff8801cafced80) The buggy address belongs to the page: page:ffffea00072bf380 count:1 mapcount:0 mapping: (null) index:0x0 flags: 0x8000000000000080(slab) page dumped because: kasan: bad access detected Memory state around the buggy address: ffff8801cafcec00: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc ffff8801cafcec80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 >ffff8801cafced00: 00 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc ^ ffff8801cafced80: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb ffff8801cafcee00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ==================================================================