================================================================== netlink: 1 bytes leftover after parsing attributes in process `syz-executor7'. BUG: KASAN: slab-out-of-bounds in ip6_setup_cork+0xf4a/0x1200 net/ipv6/ip6_output.c:1230 at addr ffff8801d89fd8bc Write of size 4 by task syz-executor4/15034 CPU: 1 PID: 15034 Comm: syz-executor4 Not tainted 4.9.62-gf09daf1 #91 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 ffff8801c71cf608 ffffffff81d94429 ffff8801da001c80 ffff8801d89fd8b8[ 92.557666] netlink: 1 bytes leftover after parsing attributes in process `syz-executor7'. ffff8801d89fd8c0 ffffed003b13fb17 ffff8801d89fd8bc ffff8801c71cf630 ffffffff8153e3ac ffffed003b13fb17 ffff8801da001c80 0000000000000001 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xc1/0x128 lib/dump_stack.c:51 [] kasan_object_err+0x1c/0x70 mm/kasan/report.c:160 [] print_address_description mm/kasan/report.c:198 [inline] [] kasan_report_error mm/kasan/report.c:287 [inline] [] kasan_report.part.1+0x21c/0x500 mm/kasan/report.c:309 [] kasan_report mm/kasan/report.c:334 [inline] [] __asan_report_store4_noabort+0x2c/0x30 mm/kasan/report.c:334 [] ip6_setup_cork+0xf4a/0x1200 net/ipv6/ip6_output.c:1230 [] ip6_make_skb+0x1b8/0x440 net/ipv6/ip6_output.c:1802 [] udpv6_sendmsg+0x1b1d/0x2540 net/ipv6/udp.c:1240 [] inet_sendmsg+0x2bc/0x4c0 net/ipv4/af_inet.c:770 [] sock_sendmsg_nosec net/socket.c:635 [inline] [] sock_sendmsg+0xca/0x110 net/socket.c:645 [] SYSC_sendto+0x2c8/0x340 net/socket.c:1670 [] SyS_sendto+0x40/0x50 net/socket.c:1638 [] entry_SYSCALL_64_fastpath+0x23/0xc6 Object at ffff8801d89fd8b8, in cache kmalloc-8 size: 8 Allocated: PID = 15034 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 save_stack+0x43/0xd0 mm/kasan/kasan.c:495 set_track mm/kasan/kasan.c:507 [inline] kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598 __kmalloc+0x11d/0x310 mm/slub.c:3741 kmalloc include/linux/slab.h:495 [inline] kzalloc include/linux/slab.h:636 [inline] ip6_setup_cork+0x194/0x1200 net/ipv6/ip6_output.c:1226 ip6_make_skb+0x1b8/0x440 net/ipv6/ip6_output.c:1802 udpv6_sendmsg+0x1b1d/0x2540 net/ipv6/udp.c:1240 inet_sendmsg+0x2bc/0x4c0 net/ipv4/af_inet.c:770 sock_sendmsg_nosec net/socket.c:635 [inline] sock_sendmsg+0xca/0x110 net/socket.c:645 SYSC_sendto+0x2c8/0x340 net/socket.c:1670 SyS_sendto+0x40/0x50 net/socket.c:1638 entry_SYSCALL_64_fastpath+0x23/0xc6 Freed: PID = 14914 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 save_stack+0x43/0xd0 mm/kasan/kasan.c:495 set_track mm/kasan/kasan.c:507 [inline] kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:571 slab_free_hook mm/slub.c:1355 [inline] slab_free_freelist_hook mm/slub.c:1377 [inline] slab_free mm/slub.c:2958 [inline] kfree+0xf0/0x2f0 mm/slub.c:3878 kfree_const+0x31/0x40 mm/util.c:35 free_vfsmnt+0x5b/0xb0 fs/namespace.c:586 delayed_free_vfsmnt+0x16/0x20 fs/namespace.c:595 __rcu_reclaim kernel/rcu/rcu.h:118 [inline] rcu_do_batch kernel/rcu/tree.c:2789 [inline] invoke_rcu_callbacks kernel/rcu/tree.c:3053 [inline] __rcu_process_callbacks kernel/rcu/tree.c:3020 [inline] rcu_process_callbacks+0x871/0x12c0 kernel/rcu/tree.c:3037 __do_softirq+0x206/0x951 kernel/softirq.c:284 Memory state around the buggy address: ffff8801d89fd780: fb fc fc fb fc fc fb fc fc fb fc fc fb fc fc fb ffff8801d89fd800: fc fc fb fc fc fb fc fc fb fc fc fb fc fc fb fc >ffff8801d89fd880: fc fb fc fc fb fc fc 01 fc fc fb fc fc fb fc fc ^ ffff8801d89fd900: fb fc fc fb fc fc fb fc fc fb fc fc fb fc fc fb ffff8801d89fd980: fc fc fb fc fc fb fc fc fb fc fc fb fc fc fb fc ================================================================== ================================================================== BUG: KASAN: slab-out-of-bounds in ip6_setup_cork+0xf2c/0x1200 net/ipv6/ip6_output.c:1231 at addr ffff8801d89fd8c0 Write of size 2 by task syz-executor4/15034 CPU: 1 PID: 15034 Comm: syz-executor4 Tainted: G B 4.9.62-gf09daf1 #91 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 ffff8801c71cf608 ffffffff81d94429 ffff8801da001c80 ffff8801d89fd8b8 ffff8801d89fd8c0 ffffed003b13fb18 ffff8801d89fd8c0 ffff8801c71cf630 ffffffff8153e3ac ffffed003b13fb18 ffff8801da001c80 0000000000000001 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xc1/0x128 lib/dump_stack.c:51 [] kasan_object_err+0x1c/0x70 mm/kasan/report.c:160 [] print_address_description mm/kasan/report.c:198 [inline] [] kasan_report_error mm/kasan/report.c:287 [inline] [] kasan_report.part.1+0x21c/0x500 mm/kasan/report.c:309 [] kasan_report mm/kasan/report.c:333 [inline] [] __asan_report_store2_noabort+0x2c/0x30 mm/kasan/report.c:333 [] ip6_setup_cork+0xf2c/0x1200 net/ipv6/ip6_output.c:1231 [] ip6_make_skb+0x1b8/0x440 net/ipv6/ip6_output.c:1802 [] udpv6_sendmsg+0x1b1d/0x2540 net/ipv6/udp.c:1240 [] inet_sendmsg+0x2bc/0x4c0 net/ipv4/af_inet.c:770 [] sock_sendmsg_nosec net/socket.c:635 [inline] [] sock_sendmsg+0xca/0x110 net/socket.c:645 [] SYSC_sendto+0x2c8/0x340 net/socket.c:1670 [] SyS_sendto+0x40/0x50 net/socket.c:1638 [] entry_SYSCALL_64_fastpath+0x23/0xc6 Object at ffff8801d89fd8b8, in cache kmalloc-8 size: 8 Allocated: PID = 15034 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 save_stack+0x43/0xd0 mm/kasan/kasan.c:495 set_track mm/kasan/kasan.c:507 [inline] kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598 __kmalloc+0x11d/0x310 mm/slub.c:3741 kmalloc include/linux/slab.h:495 [inline] kzalloc include/linux/slab.h:636 [inline] ip6_setup_cork+0x194/0x1200 net/ipv6/ip6_output.c:1226 ip6_make_skb+0x1b8/0x440 net/ipv6/ip6_output.c:1802 udpv6_sendmsg+0x1b1d/0x2540 net/ipv6/udp.c:1240 inet_sendmsg+0x2bc/0x4c0 net/ipv4/af_inet.c:770 sock_sendmsg_nosec net/socket.c:635 [inline] sock_sendmsg+0xca/0x110 net/socket.c:645 SYSC_sendto+0x2c8/0x340 net/socket.c:1670 SyS_sendto+0x40/0x50 net/socket.c:1638 entry_SYSCALL_64_fastpath+0x23/0xc6 Freed: PID = 14914 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 save_stack+0x43/0xd0 mm/kasan/kasan.c:495 set_track mm/kasan/kasan.c:507 [inline] kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:571 slab_free_hook mm/slub.c:1355 [inline] slab_free_freelist_hook mm/slub.c:1377 [inline] slab_free mm/slub.c:2958 [inline] kfree+0xf0/0x2f0 mm/slub.c:3878 kfree_const+0x31/0x40 mm/util.c:35 free_vfsmnt+0x5b/0xb0 fs/namespace.c:586 delayed_free_vfsmnt+0x16/0x20 fs/namespace.c:595 __rcu_reclaim kernel/rcu/rcu.h:118 [inline] rcu_do_batch kernel/rcu/tree.c:2789 [inline] invoke_rcu_callbacks kernel/rcu/tree.c:3053 [inline] __rcu_process_callbacks kernel/rcu/tree.c:3020 [inline] rcu_process_callbacks+0x871/0x12c0 kernel/rcu/tree.c:3037 __do_softirq+0x206/0x951 kernel/softirq.c:284 Memory state around the buggy address: ffff8801d89fd780: fb fc fc fb fc fc fb fc fc fb fc fc fb fc fc fb ffff8801d89fd800: fc fc fb fc fc fb fc fc fb fc fc fb fc fc fb fc >ffff8801d89fd880: fc fb fc fc fb fc fc 01 fc fc fb fc fc fb fc fc ^ ffff8801d89fd900: fb fc fc fb fc fc fb fc fc fb fc fc fb fc fc fb ffff8801d89fd980: fc fc fb fc fc fb fc fc fb fc fc fb fc fc fb fc ================================================================== ================================================================== BUG: KASAN: slab-out-of-bounds in ip6_setup_cork+0xf40/0x1200 net/ipv6/ip6_output.c:1232 at addr ffff8801d89fd8c2 Write of size 2 by task syz-executor4/15034 CPU: 1 PID: 15034 Comm: syz-executor4 Tainted: G B 4.9.62-gf09daf1 #91 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 ffff8801c71cf608 ffffffff81d94429 ffff8801da001c80 ffff8801d89fd8b8 ffff8801d89fd8c0 ffffed003b13fb18 ffff8801d89fd8c2 ffff8801c71cf630 ffffffff8153e3ac ffffed003b13fb18 ffff8801da001c80 0000000000000001 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xc1/0x128 lib/dump_stack.c:51 [] kasan_object_err+0x1c/0x70 mm/kasan/report.c:160 [] print_address_description mm/kasan/report.c:198 [inline] [] kasan_report_error mm/kasan/report.c:287 [inline] [] kasan_report.part.1+0x21c/0x500 mm/kasan/report.c:309 [] kasan_report mm/kasan/report.c:333 [inline] [] __asan_report_store2_noabort+0x2c/0x30 mm/kasan/report.c:333 [] ip6_setup_cork+0xf40/0x1200 net/ipv6/ip6_output.c:1232 [] ip6_make_skb+0x1b8/0x440 net/ipv6/ip6_output.c:1802 [] udpv6_sendmsg+0x1b1d/0x2540 net/ipv6/udp.c:1240 [] inet_sendmsg+0x2bc/0x4c0 net/ipv4/af_inet.c:770 [] sock_sendmsg_nosec net/socket.c:635 [inline] [] sock_sendmsg+0xca/0x110 net/socket.c:645 [] SYSC_sendto+0x2c8/0x340 net/socket.c:1670 [] SyS_sendto+0x40/0x50 net/socket.c:1638 [] entry_SYSCALL_64_fastpath+0x23/0xc6 Object at ffff8801d89fd8b8, in cache kmalloc-8 size: 8 Allocated: PID = 8 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 save_stack+0x43/0xd0 mm/kasan/kasan.c:495 set_track mm/kasan/kasan.c:507 [inline] kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598 __kmalloc+0x11d/0x310 mm/slub.c:3741 kmalloc include/linux/slab.h:495 [inline] kzalloc include/linux/slab.h:636 [inline] ip6_setup_cork+0x194/0x1200 net/ipv6/ip6_output.c:1226 ip6_make_skb+0x1b8/0x440 net/ipv6/ip6_output.c:1802 udpv6_sendmsg+0x1b1d/0x2540 net/ipv6/udp.c:1240 inet_sendmsg+0x2bc/0x4c0 net/ipv4/af_inet.c:770 sock_sendmsg_nosec net/socket.c:635 [inline] sock_sendmsg+0xca/0x110 net/socket.c:645 SYSC_sendto+0x2c8/0x340 net/socket.c:1670 SyS_sendto+0x40/0x50 net/socket.c:1638 entry_SYSCALL_64_fastpath+0x23/0xc6 Freed: PID = 14914 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 save_stack+0x43/0xd0 mm/kasan/kasan.c:495 set_track mm/kasan/kasan.c:507 [inline] kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:571 slab_free_hook mm/slub.c:1355 [inline] slab_free_freelist_hook mm/slub.c:1377 [inline] slab_free mm/slub.c:2958 [inline] kfree+0xf0/0x2f0 mm/slub.c:3878 kfree_const+0x31/0x40 mm/util.c:35 free_vfsmnt+0x5b/0xb0 fs/namespace.c:586 delayed_free_vfsmnt+0x16/0x20 fs/namespace.c:595 __rcu_reclaim kernel/rcu/rcu.h:118 [inline] rcu_do_batch kernel/rcu/tree.c:2789 [inline] invoke_rcu_callbacks kernel/rcu/tree.c:3053 [inline] __rcu_process_callbacks kernel/rcu/tree.c:3020 [inline] rcu_process_callbacks+0x871/0x12c0 kernel/rcu/tree.c:3037 __do_softirq+0x206/0x951 kernel/softirq.c:284 Memory state around the buggy address: ffff8801d89fd780: fb fc fc fb fc fc fb fc fc fb fc fc fb fc fc fb ffff8801d89fd800: fc fc fb fc fc fb fc fc fb fc fc fb fc fc fb fc >ffff8801d89fd880: fc fb fc fc fb fc fc 01 fc fc fb fc fc fb fc fc ^ ffff8801d89fd900: fb fc fc fb fc fc fb fc fc fb fc fc fb fc fc fb ffff8801d89fd980: fc fc fb fc fc fb fc fc fb fc fc fb fc fc fb fc ================================================================== ================================================================== BUG: KASAN: use-after-free in ip6_setup_cork+0x1048/0x1200 net/ipv6/ip6_output.c:1234 at addr ffff8801d89fd8d0 Write of size 8 by task syz-executor4/15034 CPU: 0 PID: 15034 Comm: syz-executor4 Tainted: G B 4.9.62-gf09daf1 #91 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 ffff8801c71cf608 ffffffff81d94429 ffff8801da001c80 ffff8801d89fd8d0 ffff8801d89fd8d8 ffffed003b13fb1a ffff8801d89fd8d0 ffff8801c71cf630 ffffffff8153e3ac ffffed003b13fb1a ffff8801da001c80 0000000000000001 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xc1/0x128 lib/dump_stack.c:51 [] kasan_object_err+0x1c/0x70 mm/kasan/report.c:160 [] print_address_description mm/kasan/report.c:198 [inline] [] kasan_report_error mm/kasan/report.c:287 [inline] [] kasan_report.part.1+0x21c/0x500 mm/kasan/report.c:309 [] kasan_report mm/kasan/report.c:335 [inline] [] __asan_report_store8_noabort+0x2c/0x30 mm/kasan/report.c:335 [] ip6_setup_cork+0x1048/0x1200 net/ipv6/ip6_output.c:1234 [] ip6_make_skb+0x1b8/0x440 net/ipv6/ip6_output.c:1802 [] udpv6_sendmsg+0x1b1d/0x2540 net/ipv6/udp.c:1240 [] inet_sendmsg+0x2bc/0x4c0 net/ipv4/af_inet.c:770 [] sock_sendmsg_nosec net/socket.c:635 [inline] [] sock_sendmsg+0xca/0x110 net/socket.c:645 [] SYSC_sendto+0x2c8/0x340 net/socket.c:1670 [] SyS_sendto+0x40/0x50 net/socket.c:1638 [] entry_SYSCALL_64_fastpath+0x23/0xc6 Object at ffff8801d89fd8d0, in cache kmalloc-8 size: 8 Allocated: PID = 14888 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 save_stack+0x43/0xd0 mm/kasan/kasan.c:495 set_track mm/kasan/kasan.c:507 [inline] kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598 __kmalloc+0x11d/0x310 mm/slub.c:3741 kmalloc_array include/linux/slab.h:582 [inline] kcalloc include/linux/slab.h:593 [inline] bpf_convert_filter+0xce/0x1a40 net/core/filter.c:382 bpf_migrate_filter net/core/filter.c:1009 [inline] bpf_prepare_filter+0xab8/0xd90 net/core/filter.c:1068 bpf_prog_create_from_user+0x1c8/0x2c0 net/core/filter.c:1162 seccomp_prepare_filter kernel/seccomp.c:373 [inline] seccomp_prepare_user_filter kernel/seccomp.c:408 [inline] seccomp_set_mode_filter kernel/seccomp.c:750 [inline] do_seccomp+0x632/0x1860 kernel/seccomp.c:800 SYSC_seccomp kernel/seccomp.c:809 [inline] SyS_seccomp+0x24/0x30 kernel/seccomp.c:806 entry_SYSCALL_64_fastpath+0x23/0xc6 Freed: PID = 14888 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 save_stack+0x43/0xd0 mm/kasan/kasan.c:495 set_track mm/kasan/kasan.c:507 [inline] kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:571 slab_free_hook mm/slub.c:1355 [inline] slab_free_freelist_hook mm/slub.c:1377 [inline] slab_free mm/slub.c:2958 [inline] kfree+0xf0/0x2f0 mm/slub.c:3878 bpf_convert_filter+0x16d7/0x1a40 net/core/filter.c:630 bpf_migrate_filter net/core/filter.c:1009 [inline] bpf_prepare_filter+0xab8/0xd90 net/core/filter.c:1068 bpf_prog_create_from_user+0x1c8/0x2c0 net/core/filter.c:1162 seccomp_prepare_filter kernel/seccomp.c:373 [inline] seccomp_prepare_user_filter kernel/seccomp.c:408 [inline] seccomp_set_mode_filter kernel/seccomp.c:750 [inline] do_seccomp+0x632/0x1860 kernel/seccomp.c:800 SYSC_seccomp kernel/seccomp.c:809 [inline] SyS_seccomp+0x24/0x30 kernel/seccomp.c:806 entry_SYSCALL_64_fastpath+0x23/0xc6 Memory state around the buggy address: ffff8801d89fd780: fb fc fc fb fc fc fb fc fc fb fc fc fb fc fc fb ffff8801d89fd800: fc fc fb fc fc fb fc fc fb fc fc fb fc fc fb fc >ffff8801d89fd880: fc fb fc fc fb fc fc 01 fc fc fb fc fc fb fc fc ^ ffff8801d89fd900: fb fc fc fb fc fc fb fc fc fb fc fc fb fc fc fb ffff8801d89fd980: fc fc fb fc fc fb fc fc fb fc fc fb fc fc fb fc ================================================================== ================================================================== BUG: KASAN: slab-out-of-bounds in ip6_setup_cork+0x1102/0x1200 net/ipv6/ip6_output.c:1239 at addr ffff8801d89fd8e0 Write of size 8 by task syz-executor4/15034 CPU: 0 PID: 15034 Comm: syz-executor4 Tainted: G B 4.9.62-gf09daf1 #91 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 ffff8801c71cf608 ffffffff81d94429 ffff8801da001c80 ffff8801d89fd8d0 ffff8801d89fd8d8 ffffed003b13fb1c ffff8801d89fd8e0 ffff8801c71cf630 ffffffff8153e3ac ffffed003b13fb1c ffff8801da001c80 0000000000000001 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xc1/0x128 lib/dump_stack.c:51 [] kasan_object_err+0x1c/0x70 mm/kasan/report.c:160 [] print_address_description mm/kasan/report.c:198 [inline] [] kasan_report_error mm/kasan/report.c:287 [inline] [] kasan_report.part.1+0x21c/0x500 mm/kasan/report.c:309 [] kasan_report mm/kasan/report.c:335 [inline] [] __asan_report_store8_noabort+0x2c/0x30 mm/kasan/report.c:335 [] ip6_setup_cork+0x1102/0x1200 net/ipv6/ip6_output.c:1239 [] ip6_make_skb+0x1b8/0x440 net/ipv6/ip6_output.c:1802 [] udpv6_sendmsg+0x1b1d/0x2540 net/ipv6/udp.c:1240 [] inet_sendmsg+0x2bc/0x4c0 net/ipv4/af_inet.c:770 [] sock_sendmsg_nosec net/socket.c:635 [inline] [] sock_sendmsg+0xca/0x110 net/socket.c:645 [] SYSC_sendto+0x2c8/0x340 net/socket.c:1670 [] SyS_sendto+0x40/0x50 net/socket.c:1638 [] entry_SYSCALL_64_fastpath+0x23/0xc6 Object at ffff8801d89fd8d0, in cache kmalloc-8 size: 8 Allocated: PID = 15076 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 save_stack+0x43/0xd0 mm/kasan/kasan.c:495 set_track mm/kasan/kasan.c:507 [inline] kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598 kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:537 slab_post_alloc_hook mm/slab.h:417 [inline] slab_alloc_node mm/slub.c:2715 [inline] slab_alloc mm/slub.c:2723 [inline] __kmalloc_track_caller+0xda/0x2b0 mm/slub.c:4232 memdup_user+0x2c/0xb0 mm/util.c:137 strndup_user+0x62/0xb0 mm/util.c:168 SYSC_add_key security/keys/keyctl.c:82 [inline] SyS_add_key+0xd3/0x390 security/keys/keyctl.c:60 entry_SYSCALL_64_fastpath+0x23/0xc6 Freed: PID = 15076 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 save_stack+0x43/0xd0 mm/kasan/kasan.c:495 set_track mm/kasan/kasan.c:507 [inline] kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:571 slab_free_hook mm/slub.c:1355 [inline] slab_free_freelist_hook mm/slub.c:1377 [inline] slab_free mm/slub.c:2958 [inline] kfree+0xf0/0x2f0 mm/slub.c:3878 SYSC_add_key security/keys/keyctl.c:140 [inline] SyS_add_key+0x236/0x390 security/keys/keyctl.c:60 entry_SYSCALL_64_fastpath+0x23/0xc6 Memory state around the buggy address: ffff8801d89fd780: fb fc fc fb fc fc fb fc fc fb fc fc fb fc fc fb ffff8801d89fd800: fc fc fb fc fc 04 fc fc 00 fc fc fb fc fc fb fc >ffff8801d89fd880: fc fb fc fc fb fc fc 01 fc fc fb fc fc fb fc fc ^ ffff8801d89fd900: fb fc fc fb fc fc fb fc fc fb fc fc fb fc fc fb ffff8801d89fd980: fc fc fb fc fc fb fc fc fb fc fc fb fc fc fb fc ================================================================== ================================================================== BUG: KASAN: slab-out-of-bounds in ip6_setup_cork+0x10b6/0x1200 net/ipv6/ip6_output.c:1241 at addr ffff8801d89fd8e0 Read of size 8 by task syz-executor4/15034 CPU: 0 PID: 15034 Comm: syz-executor4 Tainted: G B 4.9.62-gf09daf1 #91 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 ffff8801c71cf608 ffffffff81d94429 ffff8801da001c80 ffff8801d89fd8d0 ffff8801d89fd8d8 ffffed003b13fb1c ffff8801d89fd8e0 ffff8801c71cf630 ffffffff8153e3ac ffffed003b13fb1c ffff8801da001c80 0000000000000000 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xc1/0x128 lib/dump_stack.c:51 [] kasan_object_err+0x1c/0x70 mm/kasan/report.c:160 [] print_address_description mm/kasan/report.c:198 [inline] [] kasan_report_error mm/kasan/report.c:287 [inline] [] kasan_report.part.1+0x21c/0x500 mm/kasan/report.c:309 [] kasan_report mm/kasan/report.c:330 [inline] [] __asan_report_load8_noabort+0x29/0x30 mm/kasan/report.c:330 [] ip6_setup_cork+0x10b6/0x1200 net/ipv6/ip6_output.c:1241 [] ip6_make_skb+0x1b8/0x440 net/ipv6/ip6_output.c:1802 [] udpv6_sendmsg+0x1b1d/0x2540 net/ipv6/udp.c:1240 [] inet_sendmsg+0x2bc/0x4c0 net/ipv4/af_inet.c:770 [] sock_sendmsg_nosec net/socket.c:635 [inline] [] sock_sendmsg+0xca/0x110 net/socket.c:645 [] SYSC_sendto+0x2c8/0x340 net/socket.c:1670 [] SyS_sendto+0x40/0x50 net/socket.c:1638 [] entry_SYSCALL_64_fastpath+0x23/0xc6 Object at ffff8801d89fd8d0, in cache kmalloc-8 size: 8 Allocated: PID = 15076 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 save_stack+0x43/0xd0 mm/kasan/kasan.c:495 set_track mm/kasan/kasan.c:507 [inline] kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598 kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:537 slab_post_alloc_hook mm/slab.h:417 [inline] slab_alloc_node mm/slub.c:2715 [inline] slab_alloc mm/slub.c:2723 [inline] __kmalloc_track_caller+0xda/0x2b0 mm/slub.c:4232 memdup_user+0x2c/0xb0 mm/util.c:137 strndup_user+0x62/0xb0 mm/util.c:168 SYSC_add_key security/keys/keyctl.c:82 [inline] SyS_add_key+0xd3/0x390 security/keys/keyctl.c:60 entry_SYSCALL_64_fastpath+0x23/0xc6 Freed: PID = 3451975336 BUG: unable to handle kernel paging request at ffffffff87109fa8 IP: [] depot_fetch_stack+0x15/0x40 lib/stackdepot.c:194 PGD 441e067 [ 95.128931] PUD 441f063 Oops: 0000 [#1] PREEMPT SMP KASAN Dumping ftrace buffer: (ftrace buffer empty) Modules linked in: CPU: 0 PID: 15034 Comm: syz-executor4 Tainted: G B 4.9.62-gf09daf1 #91 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 task: ffff8801d0aeb000 task.stack: ffff8801c71c8000 RIP: 0010:[] [] depot_fetch_stack+0x15/0x40 lib/stackdepot.c:194 RSP: 0018:ffff8801c71cf5d8 EFLAGS: 00010006 RAX: 00000000001f8801 RBX: ffff8801d89fd8e0 RCX: ffffc90002ed7000 RDX: 0000000000000000 RSI: ffff8801c71cf5e0 RDI: 0000000000003ff0 RBP: ffff8801c71cf608 R08: 0000000000000001 R09: 0000000000000000 R10: 0000000000000008 R11: 0000000000000000 R12: ffff8801d89fd8d0 R13: ffff8801d89fd8d8 R14: ffffed003b13fb1c R15: ffff8801d89fd8e0 FS: 00007fe32c5d6700(0000) GS:ffff8801db200000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: ffffffff87109fa8 CR3: 00000001aa640000 CR4: 00000000001406f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Stack: ffffffff8156572e 0000000000000000 ffff8801da001c80 0000000000000008 0935a89996485254 ffff8801da001c80 ffff8801c71cf630 ffffffff8153e3f8 ffffed003b13fb1c ffff8801da001c80 0000000000000000 ffff8801c71cf6b8 Call Trace: [] kasan_object_err+0x68/0x70 mm/kasan/report.c:170 [] print_address_description mm/kasan/report.c:198 [inline] [] kasan_report_error mm/kasan/report.c:287 [inline] [] kasan_report.part.1+0x21c/0x500 mm/kasan/report.c:309 [] kasan_report mm/kasan/report.c:330 [inline] [] __asan_report_load8_noabort+0x29/0x30 mm/kasan/report.c:330 [] ip6_setup_cork+0x10b6/0x1200 net/ipv6/ip6_output.c:1241 [] ip6_make_skb+0x1b8/0x440 net/ipv6/ip6_output.c:1802 [] udpv6_sendmsg+0x1b1d/0x2540 net/ipv6/udp.c:1240 [] inet_sendmsg+0x2bc/0x4c0 net/ipv4/af_inet.c:770 [] sock_sendmsg_nosec net/socket.c:635 [inline] [] sock_sendmsg+0xca/0x110 net/socket.c:645 [] SYSC_sendto+0x2c8/0x340 net/socket.c:1670 [] SyS_sendto+0x40/0x50 net/socket.c:1638 [] entry_SYSCALL_64_fastpath+0x23/0xc6 Code: 92 52 ff 0f 0b e8 dc b9 6f ff eb de 66 2e 0f 1f 84 00 00 00 00 00 89 f8 c1 ef 11 55 25 ff ff 1f 00 81 e7 f0 3f 00 00 48 89 e5 5d <48> 03 3c c5 a0 5f 14 86 8b 47 0c 48 83 c7 18 c7 46 10 00 00 00 RIP [] depot_fetch_stack+0x15/0x40 lib/stackdepot.c:194 RSP CR2: ffffffff87109fa8 ---[ end trace b49e33345a836bed ]---