================================================================== BUG: KASAN: slab-out-of-bounds in pfkey_msg2xfrm_state net/key/af_key.c:1227 [inline] BUG: KASAN: slab-out-of-bounds in pfkey_add+0x145d/0x3220 net/key/af_key.c:1506 Read of size 2048 at addr ffff8800ae939440 by task syz-executor7/14372 CPU: 0 PID: 14372 Comm: syz-executor7 Not tainted 4.4.135-g7e3a6fc #55 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 0000000000000000 e6ff7c0576bc0f04 ffff8801b60776c0 ffffffff81e0ed0d ffffea0002ba4e00 ffff8800ae939440 0000000000000000 ffff8800ae939600 ffff8800ae939400 ffff8801b60776f8 ffffffff81515946 ffff8800ae939440 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xc1/0x124 lib/dump_stack.c:51 [] print_address_description+0x6c/0x216 mm/kasan/report.c:252 [] kasan_report_error mm/kasan/report.c:351 [inline] [] kasan_report.cold.7+0x175/0x2f7 mm/kasan/report.c:408 binder: 14383:14385 transaction failed 29201/-22, size 0--4919094034175318182 line 3142 binder_alloc: binder_alloc_mmap_handler: 14383 20001000-20004000 already mapped failed -16 binder: BINDER_SET_CONTEXT_MGR already set binder: 14383:14385 ioctl 40046207 0 returned -16 binder_alloc: 14383: binder_alloc_buf, no vma binder: 14383:14386 transaction failed 29189/-3, size 0--4919094034175318182 line 3142 binder: undelivered TRANSACTION_ERROR: 29189 binder: undelivered TRANSACTION_ERROR: 29201 [] check_memory_region_inline mm/kasan/kasan.c:325 [inline] [] check_memory_region+0x14f/0x1b0 mm/kasan/kasan.c:332 [] memcpy+0x23/0x50 mm/kasan/kasan.c:367 [] pfkey_msg2xfrm_state net/key/af_key.c:1227 [inline] [] pfkey_add+0x145d/0x3220 net/key/af_key.c:1506 [] pfkey_process+0x671/0x740 net/key/af_key.c:2834 [] pfkey_sendmsg+0x346/0xae0 net/key/af_key.c:3678 [] sock_sendmsg_nosec net/socket.c:625 [inline] [] sock_sendmsg+0xcc/0x110 net/socket.c:635 [] ___sys_sendmsg+0x745/0x880 net/socket.c:1962 [] __sys_sendmsg+0xd6/0x190 net/socket.c:1996 [] C_SYSC_sendmsg net/compat.c:722 [inline] [] compat_SyS_sendmsg+0x2a/0x40 net/compat.c:720 [] do_syscall_32_irqs_on arch/x86/entry/common.c:392 [inline] [] do_fast_syscall_32+0x326/0x8b0 arch/x86/entry/common.c:459 [] sysenter_flags_fixed+0xd/0x17 Allocated by task 14372: [] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:63 [] save_stack+0x43/0xd0 mm/kasan/kasan.c:512 [] set_track mm/kasan/kasan.c:524 [inline] [] kasan_kmalloc+0xc7/0xe0 mm/kasan/kasan.c:616 [] kasan_krealloc+0x64/0x80 mm/kasan/kasan.c:654 [] ksize+0x8a/0xf0 mm/slub.c:3727 [] __alloc_skb+0x133/0x600 net/core/skbuff.c:237 [] alloc_skb include/linux/skbuff.h:815 [inline] [] pfkey_sendmsg+0xfe/0xae0 net/key/af_key.c:3665 [] sock_sendmsg_nosec net/socket.c:625 [inline] [] sock_sendmsg+0xcc/0x110 net/socket.c:635 [] ___sys_sendmsg+0x745/0x880 net/socket.c:1962 [] __sys_sendmsg+0xd6/0x190 net/socket.c:1996 [] C_SYSC_sendmsg net/compat.c:722 [inline] [] compat_SyS_sendmsg+0x2a/0x40 net/compat.c:720 [] do_syscall_32_irqs_on arch/x86/entry/common.c:392 [inline] [] do_fast_syscall_32+0x326/0x8b0 arch/x86/entry/common.c:459 [] sysenter_flags_fixed+0xd/0x17 Freed by task 0: (stack is not available) The buggy address belongs to the object at ffff8800ae939400 which belongs to the cache kmalloc-512 of size 512 The buggy address is located 64 bytes inside of 512-byte region [ffff8800ae939400, ffff8800ae939600) The buggy address belongs to the page: kasan: CONFIG_KASAN_INLINE enabled kasan: GPF could be caused by NULL-ptr deref or user memory accessgeneral protection fault: 0000 [#1] PREEMPT SMP KASAN Dumping ftrace buffer: (ftrace buffer empty) Modules linked in: CPU: 1 PID: 3915 Comm: syz-executor1 Not tainted 4.4.135-g7e3a6fc #55 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 task: ffff8801bbc14800 task.stack: ffff8801bb448000 RIP: 0010:[] [] write_cr3 arch/x86/include/asm/paravirt.h:86 [inline] RIP: 0010:[] [] load_new_mm_cr3+0x56/0xa0 arch/x86/mm/tlb.c:65 RSP: 0018:ffff8801bb44fb18 EFLAGS: 00010046 RAX: 0000000000000000 RBX: 0000780000000000 RCX: 1ffffffff0942999 RDX: 0000000000000000 RSI: ffffffff81e6e89b RDI: 0000780000000000 RBP: ffff8801bb44fb20 R08: ffffffff83a44860 R09: ffffffff84a152b8 R10: ffff8801bbc14a50 R11: 0000000000007fa2 R12: ffff8800a681e800 R13: 0000000000000001 R14: ffff8801bbc14ca0 R15: 000002c932ddb64c FS: 0000000000000000(0000) GS:ffff8801db300000(0063) knlGS:000000000a063900 CS: 0010 DS: 002b ES: 002b CR0: 0000000080050033 CR2: 00007efd3c50b000 CR3: 00000000ad2fb000 CR4: 00000000001606f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Stack: ffff8801b4cda300 ffff8801bb44fb68 ffffffff810e829c ffff8801db31fde8 bd33f1b4e2d229f6 ffff8801db31f4c0 ffff8800a681e800 ffff8801b4cda300 ffff8801bbc14ca0 000002c932ddb64c ffff8801bb44fbf0 ffffffff838b2eda Call Trace: [] switch_mm_irqs_off+0x6c/0xc10 arch/x86/mm/tlb.c:139 [] context_switch kernel/sched/core.c:2792 [inline] [] __schedule+0x6fa/0x1d70 kernel/sched/core.c:3330 [] schedule+0x7a/0x1b0 kernel/sched/core.c:3359 [] freezable_schedule include/linux/freezer.h:171 [inline] [] do_nanosleep+0x1f4/0x4f0 kernel/time/hrtimer.c:1503 [] hrtimer_nanosleep+0x210/0x540 kernel/time/hrtimer.c:1572 [] C_SYSC_nanosleep kernel/compat.c:254 [inline] [] compat_SyS_nanosleep+0x27e/0x390 kernel/compat.c:239 [] do_syscall_32_irqs_on arch/x86/entry/common.c:392 [inline] [] do_fast_syscall_32+0x326/0x8b0 arch/x86/entry/common.c:459 [] sysenter_flags_fixed+0xd/0x17 Code: a1 84 48 89 fa 48 c1 ea 03 0f b6 14 02 48 89 f8 83 e0 07 83 c0 03 38 d0 7c 04 84 d2 75 1e 8b 05 21 dc 92 03 85 c0 75 0d 48 89 df <0f> 22 df 0f 1f 40 00 5b 5d c3 e8 8b 4e 00 00 eb ec e8 94 20 41 RIP [] write_cr3 arch/x86/include/asm/paravirt.h:86 [inline] RIP [] load_new_mm_cr3+0x56/0xa0 arch/x86/mm/tlb.c:65 RSP ---[ end trace c5b1eb1b088f67e1 ]---