binder: 21631:21642 transaction failed 29189/-22, size 0-0 line 3008 ================================================================== BUG: KASAN: slab-out-of-bounds in memcpy+0x1d/0x40 mm/kasan/kasan.c:317 at addr ffff8801d3735338 Read of size 8192 by task syz-executor6/21637 ============================================================================= BUG kmalloc-512 (Not tainted): kasan: bad access detected ----------------------------------------------------------------------------- INFO: Allocated in __alloc_skb+0xf5/0x610 net/core/skbuff.c:230 age=0 cpu=0 pid=21637 ___slab_alloc.constprop.78+0x4c6/0x530 mm/slub.c:2475 __slab_alloc.isra.74.constprop.77+0x50/0xa0 mm/slub.c:2504 slab_alloc_node mm/slub.c:2567 [inline] slab_alloc mm/slub.c:2609 [inline] __kmalloc_track_caller+0x19c/0x2b0 mm/slub.c:4118 __kmalloc_reserve.isra.33+0x28/0xa0 net/core/skbuff.c:137 __alloc_skb+0xf5/0x610 net/core/skbuff.c:230 alloc_skb include/linux/skbuff.h:815 [inline] pfkey_sendmsg+0x10f/0x6c0 net/key/af_key.c:3657 sock_sendmsg_nosec net/socket.c:625 [inline] sock_sendmsg+0xb5/0xf0 net/socket.c:635 ___sys_sendmsg+0x66d/0x7d0 net/socket.c:1961 __sys_sendmsg+0xc3/0x160 net/socket.c:1995 SYSC_sendmsg net/socket.c:2006 [inline] SyS_sendmsg+0xd/0x20 net/socket.c:2002 entry_SYSCALL_64_fastpath+0x16/0x76 INFO: Freed in load_elf_binary+0x2049/0x4b70 fs/binfmt_elf.c:1075 age=0 cpu=0 pid=21647 __slab_free+0x18c/0x2b0 mm/slub.c:2685 slab_free mm/slub.c:2840 [inline] kfree+0x24f/0x2d0 mm/slub.c:3714 load_elf_binary+0x2049/0x4b70 fs/binfmt_elf.c:1075 search_binary_handler+0x124/0x610 fs/exec.c:1471 exec_binprm fs/exec.c:1513 [inline] do_execveat_common.isra.36+0x1370/0x1ef0 fs/exec.c:1635 do_execve+0x27/0x30 fs/exec.c:1679 call_usermodehelper_exec_async+0x288/0x4b0 kernel/kmod.c:252 ret_from_fork+0x3f/0x70 arch/x86/entry/entry_64.S:468 INFO: Slab 0xffffea00074dcd00 objects=20 used=13 fp=0xffff8801d3736310 flags=0x8000000000004080 INFO: Object 0xffff8801d3735320 @offset=4896 fp=0x0000000f03000202 Bytes b4 ffff8801d3735310: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ Object ffff8801d3735320: 02 02 00 03 0f 00 00 00 00 00 00 00 00 00 00 00 ................ Object ffff8801d3735330: 01 00 09 00 ff ff 00 00 05 00 06 00 00 00 00 00 ................ Object ffff8801d3735340: 0a 00 4e 38 00 00 00 00 00 00 00 00 00 00 00 00 ..N8............ Object ffff8801d3735350: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ Object ffff8801d3735360: 02 00 01 00 00 00 00 00 00 00 00 0b 00 00 00 00 ................ Object ffff8801d3735370: 05 00 05 00 00 00 00 00 0a 00 4e 38 00 00 00 00 ..........N8.... Object ffff8801d3735380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ Object ffff8801d3735390: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ Object ffff8801d37353a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ Object ffff8801d37353b0: 5c 36 01 00 00 00 00 00 5c 36 01 00 00 00 00 00 \6......\6...... Object ffff8801d37353c0: 00 00 20 00 00 00 00 00 01 00 00 00 06 00 00 00 .. ............. Object ffff8801d37353d0: 30 42 01 00 00 00 00 00 30 42 21 00 00 00 00 00 0B......0B!..... Object ffff8801d37353e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ Object ffff8801d37353f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ Object ffff8801d3735400: 01 00 00 00 06 00 00 00 50 4d 01 00 00 00 00 00 ........PM...... Object ffff8801d3735410: 50 4d 21 00 00 00 00 00 50 4d 21 00 00 00 00 00 PM!.....PM!..... Object ffff8801d3735420: f0 01 00 00 00 00 00 00 f0 01 00 00 00 00 00 00 ................ Object ffff8801d3735430: 08 00 00 00 00 00 00 00 04 00 00 00 04 00 00 00 ................ Object ffff8801d3735440: 54 02 00 00 00 00 00 00 54 02 00 00 00 00 00 00 T.......T....... Object ffff8801d3735450: 54 02 00 00 00 00 00 00 44 00 00 00 00 00 00 00 T.......D....... Object ffff8801d3735460: 44 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 D............... Object ffff8801d3735470: 50 e5 74 64 04 00 00 00 b4 22 01 00 00 00 00 00 P.td....."...... Object ffff8801d3735480: b4 22 01 00 00 00 00 00 b4 22 01 00 00 00 00 00 ."......."...... Object ffff8801d3735490: 74 02 00 00 00 00 00 00 74 02 00 00 00 00 00 00 t.......t....... Object ffff8801d37354a0: 04 00 00 00 00 00 00 00 51 e5 74 64 06 00 00 00 ........Q.td.... Object ffff8801d37354b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ Object ffff8801d37354c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ Object ffff8801d37354d0: 00 00 00 00 00 00 00 00 08 00 00 00 00 00 00 00 ................ Object ffff8801d37354e0: 52 e5 74 64 04 00 00 00 30 42 01 00 00 00 00 00 R.td....0B...... Object ffff8801d37354f0: 30 42 21 00 00 00 00 00 30 42 21 00 00 00 00 00 0B!.....0B!..... Object ffff8801d3735500: d0 0d 00 00 00 00 00 00 d0 0d 00 00 00 00 00 00 ................ Object ffff8801d3735510: 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ CPU: 0 PID: 21637 Comm: syz-executor6 Tainted: G B 4.4.105-gb5797f6 #6 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 0000000000000000 721971042a889715 ffff8800b952f708 ffffffff81cc9b4f ffff8801d3734010 ffff8801d3735320 ffff8800b952f738 ffffffff814d3af4 ffff8801da402a00 ffffea00074dcd00 ffff8801d3735320 0000000000000000 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0x8e/0xcf lib/dump_stack.c:51 [] print_trailer+0x114/0x1a0 mm/slub.c:682 [] object_err+0x2f/0x40 mm/slub.c:689 [] print_address_description mm/kasan/report.c:139 [inline] [] kasan_report_error mm/kasan/report.c:237 [inline] [] kasan_report.part.2+0x227/0x530 mm/kasan/report.c:262 [] kasan_report+0x20/0x30 mm/kasan/report.c:249 [] check_memory_region mm/kasan/kasan.c:284 [inline] [] __asan_loadN+0x117/0x180 mm/kasan/kasan.c:532 [] memcpy+0x1d/0x40 mm/kasan/kasan.c:317 [] pfkey_msg2xfrm_state net/key/af_key.c:1219 [inline] [] pfkey_add+0x13b4/0x3d80 net/key/af_key.c:1498 [] pfkey_process+0x58d/0x900 net/key/af_key.c:2826 [] pfkey_sendmsg+0x35b/0x6c0 net/key/af_key.c:3670 [] sock_sendmsg_nosec net/socket.c:625 [inline] [] sock_sendmsg+0xb5/0xf0 net/socket.c:635 [] ___sys_sendmsg+0x66d/0x7d0 net/socket.c:1961 [] __sys_sendmsg+0xc3/0x160 net/socket.c:1995 [] SYSC_sendmsg net/socket.c:2006 [inline] [] SyS_sendmsg+0xd/0x20 net/socket.c:2002 [] entry_SYSCALL_64_fastpath+0x16/0x76 Memory state around the buggy address: ffff8801d3735400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff8801d3735480: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 >ffff8801d3735500: 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc ^ ffff8801d3735580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff8801d3735600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ================================================================== ================================================================== BUG: KASAN: slab-out-of-bounds in memcpy+0x1d/0x40 mm/kasan/kasan.c:317 at addr ffff8801d3bb9008 Read of size 8192 by task syz-executor6/21653 ============================================================================= BUG kmalloc-512 (Tainted: G B ): kasan: bad access detected ----------------------------------------------------------------------------- INFO: Allocated in __alloc_skb+0xf5/0x610 net/core/skbuff.c:230 age=0 cpu=0 pid=21653 ___slab_alloc.constprop.78+0x4c6/0x530 mm/slub.c:2475 __slab_alloc.isra.74.constprop.77+0x50/0xa0 mm/slub.c:2504 slab_alloc_node mm/slub.c:2567 [inline] slab_alloc mm/slub.c:2609 [inline] __kmalloc_track_caller+0x19c/0x2b0 mm/slub.c:4118 __kmalloc_reserve.isra.33+0x28/0xa0 net/core/skbuff.c:137 __alloc_skb+0xf5/0x610 net/core/skbuff.c:230 alloc_skb include/linux/skbuff.h:815 [inline] pfkey_sendmsg+0x10f/0x6c0 net/key/af_key.c:3657 sock_sendmsg_nosec net/socket.c:625 [inline] sock_sendmsg+0xb5/0xf0 net/socket.c:635 ___sys_sendmsg+0x66d/0x7d0 net/socket.c:1961 __sys_sendmsg+0xc3/0x160 net/socket.c:1995 SYSC_sendmsg net/socket.c:2006 [inline] SyS_sendmsg+0xd/0x20 net/socket.c:2002 entry_SYSCALL_64_fastpath+0x16/0x76 INFO: Freed in load_elf_binary+0x2049/0x4b70 fs/binfmt_elf.c:1075 age=0 cpu=0 pid=21664 __slab_free+0x18c/0x2b0 mm/slub.c:2685 slab_free mm/slub.c:2840 [inline] kfree+0x24f/0x2d0 mm/slub.c:3714 load_elf_binary+0x2049/0x4b70 fs/binfmt_elf.c:1075 search_binary_handler+0x124/0x610 fs/exec.c:1471 exec_binprm fs/exec.c:1513 [inline] do_execveat_common.isra.36+0x1370/0x1ef0 fs/exec.c:1635 do_execve+0x27/0x30 fs/exec.c:1679 call_usermodehelper_exec_async+0x288/0x4b0 kernel/kmod.c:252 ret_from_fork+0x3f/0x70 arch/x86/entry/entry_64.S:468 INFO: Slab 0xffffea00074eee00 objects=20 used=12 fp=0xffff8801d3bb9650 flags=0x8000000000004080 INFO: Object 0xffff8801d3bb8ff0 @offset=4080 fp=0x0000000f03000202 Bytes b4 ffff8801d3bb8fe0: 00 00 00 00 91 54 00 00 6d a6 ff ff 00 00 00 00 .....T..m....... Object ffff8801d3bb8ff0: 02 02 00 03 0f 00 00 00 00 00 00 00 00 00 00 00 ................ Object ffff8801d3bb9000: 01 00 09 00 ff ff 00 00 05 00 06 00 00 00 00 00 ................ Object ffff8801d3bb9010: 0a 00 4e 38 00 00 00 00 00 00 00 00 00 00 00 00 ..N8............ Object ffff8801d3bb9020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ Object ffff8801d3bb9030: 02 00 01 00 00 00 00 00 00 00 00 0b 00 00 00 00 ................ Object ffff8801d3bb9040: 05 00 05 00 00 00 00 00 0a 00 4e 38 00 00 00 00 ..........N8.... Object ffff8801d3bb9050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ Object ffff8801d3bb9060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ Object ffff8801d3bb9070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ Object ffff8801d3bb9080: 5c 36 01 00 00 00 00 00 5c 36 01 00 00 00 00 00 \6......\6...... Object ffff8801d3bb9090: 00 00 20 00 00 00 00 00 01 00 00 00 06 00 00 00 .. ............. Object ffff8801d3bb90a0: 30 42 01 00 00 00 00 00 30 42 21 00 00 00 00 00 0B......0B!..... Object ffff8801d3bb90b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ Object ffff8801d3bb90c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ Object ffff8801d3bb90d0: 01 00 00 00 06 00 00 00 50 4d 01 00 00 00 00 00 ........PM...... Object ffff8801d3bb90e0: 50 4d 21 00 00 00 00 00 50 4d 21 00 00 00 00 00 PM!.....PM!..... Object ffff8801d3bb90f0: f0 01 00 00 00 00 00 00 f0 01 00 00 00 00 00 00 ................ Object ffff8801d3bb9100: 08 00 00 00 00 00 00 00 04 00 00 00 04 00 00 00 ................ Object ffff8801d3bb9110: 54 02 00 00 00 00 00 00 54 02 00 00 00 00 00 00 T.......T....... Object ffff8801d3bb9120: 54 02 00 00 00 00 00 00 44 00 00 00 00 00 00 00 T.......D....... Object ffff8801d3bb9130: 44 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 D............... Object ffff8801d3bb9140: 50 e5 74 64 04 00 00 00 b4 22 01 00 00 00 00 00 P.td....."...... Object ffff8801d3bb9150: b4 22 01 00 00 00 00 00 b4 22 01 00 00 00 00 00 ."......."...... Object ffff8801d3bb9160: 74 02 00 00 00 00 00 00 74 02 00 00 00 00 00 00 t.......t....... Object ffff8801d3bb9170: 04 00 00 00 00 00 00 00 51 e5 74 64 06 00 00 00 ........Q.td.... Object ffff8801d3bb9180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ Object ffff8801d3bb9190: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ Object ffff8801d3bb91a0: 00 00 00 00 00 00 00 00 08 00 00 00 00 00 00 00 ................ Object ffff8801d3bb91b0: 52 e5 74 64 04 00 00 00 30 42 01 00 00 00 00 00 R.td....0B...... Object ffff8801d3bb91c0: 30 42 21 00 00 00 00 00 30 42 21 00 00 00 00 00 0B!.....0B!..... Object ffff8801d3bb91d0: d0 0d 00 00 00 00 00 00 d0 0d 00 00 00 00 00 00 ................ Object ffff8801d3bb91e0: 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ CPU: 0 PID: 21653 Comm: syz-executor6 Tainted: G B 4.4.105-gb5797f6 #6 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 0000000000000000 84f51e6dc68ed3d1 ffff8800b5a37708 ffffffff81cc9b4f ffff8801d3bb8010 ffff8801d3bb8ff0 ffff8800b5a37738 ffffffff814d3af4 ffff8801da402a00 ffffea00074eee00 ffff8801d3bb8ff0 0000000000000000 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0x8e/0xcf lib/dump_stack.c:51 [] print_trailer+0x114/0x1a0 mm/slub.c:682 [] object_err+0x2f/0x40 mm/slub.c:689 [] print_address_description mm/kasan/report.c:139 [inline] [] kasan_report_error mm/kasan/report.c:237 [inline] [] kasan_report.part.2+0x227/0x530 mm/kasan/report.c:262 [] kasan_report+0x20/0x30 mm/kasan/report.c:249 [] check_memory_region mm/kasan/kasan.c:284 [inline] [] __asan_loadN+0x117/0x180 mm/kasan/kasan.c:532 [] memcpy+0x1d/0x40 mm/kasan/kasan.c:317 [] pfkey_msg2xfrm_state net/key/af_key.c:1219 [inline] [] pfkey_add+0x13b4/0x3d80 net/key/af_key.c:1498 [] pfkey_process+0x58d/0x900 net/key/af_key.c:2826 [] pfkey_sendmsg+0x35b/0x6c0 net/key/af_key.c:3670 [] sock_sendmsg_nosec net/socket.c:625 [inline] [] sock_sendmsg+0xb5/0xf0 net/socket.c:635 [] ___sys_sendmsg+0x66d/0x7d0 net/socket.c:1961 [] __sys_sendmsg+0xc3/0x160 net/socket.c:1995 [] SYSC_sendmsg net/socket.c:2006 [inline] [] SyS_sendmsg+0xd/0x20 net/socket.c:2002 [] entry_SYSCALL_64_fastpath+0x16/0x76 Memory state around the buggy address: ffff8801d3bb9080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff8801d3bb9100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 >ffff8801d3bb9180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fc fc ^ ffff8801d3bb9200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff8801d3bb9280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ================================================================== binder: 21631:21662 transaction failed 29189/-22, size 0-0 line 3008 binder: undelivered TRANSACTION_ERROR: 29189 binder: undelivered TRANSACTION_ERROR: 29189 netlink: 1 bytes leftover after parsing attributes in process `syz-executor7'. netlink: 1 bytes leftover after parsing attributes in process `syz-executor7'. SELinux: unrecognized netlink message: protocol=6 nlmsg_type=45 sclass=netlink_xfrm_socket SELinux: unrecognized netlink message: protocol=6 nlmsg_type=45 sclass=netlink_xfrm_socket SELinux: unrecognized netlink message: protocol=6 nlmsg_type=45 sclass=netlink_xfrm_socket SELinux: unrecognized netlink message: protocol=6 nlmsg_type=45 sclass=netlink_xfrm_socket øÿÿÿ: renamed from lo SELinux: unrecognized netlink message: protocol=4 nlmsg_type=1025 sclass=netlink_tcpdiag_socket SELinux: unrecognized netlink message: protocol=4 nlmsg_type=1025 sclass=netlink_tcpdiag_socket SELinux: unrecognized netlink message: protocol=4 nlmsg_type=1025 sclass=netlink_tcpdiag_socket SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket ================================================================== BUG: KASAN: slab-out-of-bounds in memcpy+0x1d/0x40 mm/kasan/kasan.c:317 at addr ffff8801d6076cb8 Read of size 8192 by task syz-executor2/22660 ============================================================================= BUG kmalloc-512 (Tainted: G B ): kasan: bad access detected ----------------------------------------------------------------------------- INFO: Allocated in __alloc_skb+0xf5/0x610 net/core/skbuff.c:230 age=4 cpu=1 pid=22660 ___slab_alloc.constprop.78+0x4c6/0x530 mm/slub.c:2475 __slab_alloc.isra.74.constprop.77+0x50/0xa0 mm/slub.c:2504 slab_alloc_node mm/slub.c:2567 [inline] slab_alloc mm/slub.c:2609 [inline] __kmalloc_track_caller+0x19c/0x2b0 mm/slub.c:4118 __kmalloc_reserve.isra.33+0x28/0xa0 net/core/skbuff.c:137 __alloc_skb+0xf5/0x610 net/core/skbuff.c:230 alloc_skb include/linux/skbuff.h:815 [inline] pfkey_sendmsg+0x10f/0x6c0 net/key/af_key.c:3657 sock_sendmsg_nosec net/socket.c:625 [inline] sock_sendmsg+0xb5/0xf0 net/socket.c:635 ___sys_sendmsg+0x66d/0x7d0 net/socket.c:1961 __sys_sendmsg+0xc3/0x160 net/socket.c:1995 SYSC_sendmsg net/socket.c:2006 [inline] SyS_sendmsg+0xd/0x20 net/socket.c:2002 entry_SYSCALL_64_fastpath+0x16/0x76 INFO: Freed in skb_free_head net/core/skbuff.c:571 [inline] age=4 cpu=0 pid=22654 INFO: Freed in skb_release_data+0x2aa/0x380 net/core/skbuff.c:602 age=4 cpu=0 pid=22654 __slab_free+0x18c/0x2b0 mm/slub.c:2685 slab_free mm/slub.c:2840 [inline] kfree+0x24f/0x2d0 mm/slub.c:3714 skb_free_head net/core/skbuff.c:571 [inline] skb_release_data+0x2aa/0x380 net/core/skbuff.c:602 skb_release_all+0x3d/0x50 net/core/skbuff.c:661 __kfree_skb net/core/skbuff.c:675 [inline] consume_skb+0xd5/0x340 net/core/skbuff.c:748 netlink_unicast_kernel net/netlink/af_netlink.c:1224 [inline] netlink_unicast+0x4cd/0x760 net/netlink/af_netlink.c:1249 netlink_sendmsg+0x832/0xbc0 net/netlink/af_netlink.c:1803 sock_sendmsg_nosec net/socket.c:625 [inline] sock_sendmsg+0xb5/0xf0 net/socket.c:635 ___sys_sendmsg+0x66d/0x7d0 net/socket.c:1961 __sys_sendmsg+0xc3/0x160 net/socket.c:1995 SYSC_sendmsg net/socket.c:2006 [inline] SyS_sendmsg+0xd/0x20 net/socket.c:2002 entry_SYSCALL_64_fastpath+0x16/0x76 INFO: Slab 0xffffea0007581d00 objects=20 used=13 fp=0xffff8801d6074990 flags=0x8000000000004080 INFO: Object 0xffff8801d6076ca0 @offset=11424 fp=0x0000000f03000202 Bytes b4 ffff8801d6076c90: 01 00 00 00 43 39 00 00 5a 9f ff ff 00 00 00 00 ....C9..Z....... Object ffff8801d6076ca0: 02 02 00 03 0f 00 00 00 00 00 00 00 00 00 00 00 ................ Object ffff8801d6076cb0: 01 00 09 00 ff ff 00 00 05 00 06 00 00 00 00 00 ................ Object ffff8801d6076cc0: 0a 00 4e 28 00 00 00 00 00 00 00 00 00 00 00 00 ..N(............ Object ffff8801d6076cd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ Object ffff8801d6076ce0: 02 00 01 00 00 00 00 00 00 00 00 0b 00 00 00 00 ................ Object ffff8801d6076cf0: 05 00 05 00 00 00 00 00 0a 00 4e 28 00 00 00 00 ..........N(.... Object ffff8801d6076d00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ Object ffff8801d6076d10: 00 00 00 00 00 00 00 00 99 86 d0 62 ff 55 15 00 ...........b.U.. Object ffff8801d6076d20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ Object ffff8801d6076d30: 5c 36 01 00 00 00 00 00 5c 36 01 00 00 00 00 00 \6......\6...... Object ffff8801d6076d40: 00 00 20 00 00 00 00 00 01 00 00 00 06 00 00 00 .. ............. Object ffff8801d6076d50: 30 42 01 00 00 00 00 00 30 42 21 00 00 00 00 00 0B......0B!..... Object ffff8801d6076d60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ Object ffff8801d6076d70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ Object ffff8801d6076d80: 01 00 00 00 06 00 00 00 50 4d 01 00 00 00 00 00 ........PM...... Object ffff8801d6076d90: 50 4d 21 00 00 00 00 00 50 4d 21 00 00 00 00 00 PM!.....PM!..... Object ffff8801d6076da0: f0 01 00 00 00 00 00 00 f0 01 00 00 00 00 00 00 ................ Object ffff8801d6076db0: 08 00 00 00 00 00 00 00 04 00 00 00 04 00 00 00 ................ Object ffff8801d6076dc0: 54 02 00 00 00 00 00 00 54 02 00 00 00 00 00 00 T.......T....... Object ffff8801d6076dd0: 54 02 00 00 00 00 00 00 44 00 00 00 00 00 00 00 T.......D....... Object ffff8801d6076de0: 44 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 D............... Object ffff8801d6076df0: 50 e5 74 64 04 00 00 00 b4 22 01 00 00 00 00 00 P.td....."...... Object ffff8801d6076e00: b4 22 01 00 00 00 00 00 b4 22 01 00 00 00 00 00 ."......."...... Object ffff8801d6076e10: 74 02 00 00 00 00 00 00 74 02 00 00 00 00 00 00 t.......t....... Object ffff8801d6076e20: 04 00 00 00 00 00 00 00 51 e5 74 64 06 00 00 00 ........Q.td.... Object ffff8801d6076e30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ Object ffff8801d6076e40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ Object ffff8801d6076e50: 00 00 00 00 00 00 00 00 08 00 00 00 00 00 00 00 ................ Object ffff8801d6076e60: 52 e5 74 64 04 00 00 00 30 42 01 00 00 00 00 00 R.td....0B...... Object ffff8801d6076e70: 30 42 21 00 00 00 00 00 30 42 21 00 00 00 00 00 0B!.....0B!..... Object ffff8801d6076e80: d0 0d 00 00 00 00 00 00 d0 0d 00 00 00 00 00 00 ................ Object ffff8801d6076e90: 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ CPU: 1 PID: 22660 Comm: syz-executor2 Tainted: G B 4.4.105-gb5797f6 #6 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 0000000000000000 9a5cc5c777e7498d ffff8800b4267708 ffffffff81cc9b4f ffff8801d6074010 ffff8801d6076ca0 ffff8800b4267738 ffffffff814d3af4 ffff8801da402a00 ffffea0007581d00 ffff8801d6076ca0 0000000000000000 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0x8e/0xcf lib/dump_stack.c:51 [] print_trailer+0x114/0x1a0 mm/slub.c:682 [] object_err+0x2f/0x40 mm/slub.c:689 [] print_address_description mm/kasan/report.c:139 [inline] [] kasan_report_error mm/kasan/report.c:237 [inline] [] kasan_report.part.2+0x227/0x530 mm/kasan/report.c:262 [] kasan_report+0x20/0x30 mm/kasan/report.c:249 [] check_memory_region mm/kasan/kasan.c:284 [inline] [] __asan_loadN+0x117/0x180 mm/kasan/kasan.c:532 [] memcpy+0x1d/0x40 mm/kasan/kasan.c:317 [] pfkey_msg2xfrm_state net/key/af_key.c:1219 [inline] [] pfkey_add+0x13b4/0x3d80 net/key/af_key.c:1498 [] pfkey_process+0x58d/0x900 net/key/af_key.c:2826 [] pfkey_sendmsg+0x35b/0x6c0 net/key/af_key.c:3670 [] sock_sendmsg_nosec net/socket.c:625 [inline] [] sock_sendmsg+0xb5/0xf0 net/socket.c:635 [] ___sys_sendmsg+0x66d/0x7d0 net/socket.c:1961 [] __sys_sendmsg+0xc3/0x160 net/socket.c:1995 [] SYSC_sendmsg net/socket.c:2006 [inline] [] SyS_sendmsg+0xd/0x20 net/socket.c:2002 [] entry_SYSCALL_64_fastpath+0x16/0x76 Memory state around the buggy address: ffff8801d6076d80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff8801d6076e00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 >ffff8801d6076e80: 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc ^ ffff8801d6076f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff8801d6076f80: fc fc fc fc fc fc fc fc fc fc 00 00 00 00 00 00 ================================================================== ================================================================== BUG: KASAN: slab-out-of-bounds in memcpy+0x1d/0x40 mm/kasan/kasan.c:317 at addr ffff8801d6076cb8 Read of size 8192 by task syz-executor2/22660 ============================================================================= BUG kmalloc-512 (Tainted: G B ): kasan: bad access detected ----------------------------------------------------------------------------- INFO: Allocated in __alloc_skb+0xf5/0x610 net/core/skbuff.c:230 age=0 cpu=1 pid=22660 ___slab_alloc.constprop.78+0x4c6/0x530 mm/slub.c:2475 __slab_alloc.isra.74.constprop.77+0x50/0xa0 mm/slub.c:2504 slab_alloc_node mm/slub.c:2567 [inline] slab_alloc mm/slub.c:2609 [inline] __kmalloc_track_caller+0x19c/0x2b0 mm/slub.c:4118 __kmalloc_reserve.isra.33+0x28/0xa0 net/core/skbuff.c:137 __alloc_skb+0xf5/0x610 net/core/skbuff.c:230 alloc_skb include/linux/skbuff.h:815 [inline] pfkey_sendmsg+0x10f/0x6c0 net/key/af_key.c:3657 sock_sendmsg_nosec net/socket.c:625 [inline] sock_sendmsg+0xb5/0xf0 net/socket.c:635 ___sys_sendmsg+0x66d/0x7d0 net/socket.c:1961 __sys_sendmsg+0xc3/0x160 net/socket.c:1995 SYSC_sendmsg net/socket.c:2006 [inline] SyS_sendmsg+0xd/0x20 net/socket.c:2002 entry_SYSCALL_64_fastpath+0x16/0x76 INFO: Freed in skb_free_head net/core/skbuff.c:571 [inline] age=1 cpu=1 pid=22660 INFO: Freed in skb_release_data+0x2aa/0x380 net/core/skbuff.c:602 age=1 cpu=1 pid=22660 __slab_free+0x18c/0x2b0 mm/slub.c:2685 slab_free mm/slub.c:2840 [inline] kfree+0x24f/0x2d0 mm/slub.c:3714 skb_free_head net/core/skbuff.c:571 [inline] skb_release_data+0x2aa/0x380 net/core/skbuff.c:602 skb_release_all+0x3d/0x50 net/core/skbuff.c:661 __kfree_skb+0xd/0x20 net/core/skbuff.c:675 kfree_skb+0xdd/0x350 net/core/skbuff.c:696 pfkey_sendmsg+0x55c/0x6c0 net/key/af_key.c:3676 sock_sendmsg_nosec net/socket.c:625 [inline] sock_sendmsg+0xb5/0xf0 net/socket.c:635 ___sys_sendmsg+0x66d/0x7d0 net/socket.c:1961 __sys_sendmsg+0xc3/0x160 net/socket.c:1995 SYSC_sendmsg net/socket.c:2006 [inline] SyS_sendmsg+0xd/0x20 net/socket.c:2002 entry_SYSCALL_64_fastpath+0x16/0x76 INFO: Slab 0xffffea0007581d00 objects=20 used=14 fp=0xffff8801d6076310 flags=0x8000000000004080 INFO: Object 0xffff8801d6076ca0 @offset=11424 fp=0x0000000f03000202 Bytes b4 ffff8801d6076c90: 01 00 00 00 43 39 00 00 5a 9f ff ff 00 00 00 00 ....C9..Z....... Object ffff8801d6076ca0: 02 02 00 03 0f 00 00 00 00 00 00 00 00 00 00 00 ................ Object ffff8801d6076cb0: 01 00 09 00 ff ff 00 00 05 00 06 00 00 00 00 00 ................ Object ffff8801d6076cc0: 0a 00 4e 28 00 00 00 00 00 00 00 00 00 00 00 00 ..N(............ Object ffff8801d6076cd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ Object ffff8801d6076ce0: 02 00 01 00 00 00 00 00 00 00 00 0b 00 00 00 00 ................ Object ffff8801d6076cf0: 05 00 05 00 00 00 00 00 0a 00 4e 28 00 00 00 00 ..........N(.... Object ffff8801d6076d00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ Object ffff8801d6076d10: 00 00 00 00 00 00 00 00 99 86 d0 62 ff 55 15 00 ...........b.U.. Object ffff8801d6076d20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ Object ffff8801d6076d30: 5c 36 01 00 00 00 00 00 5c 36 01 00 00 00 00 00 \6......\6...... Object ffff8801d6076d40: 00 00 20 00 00 00 00 00 01 00 00 00 06 00 00 00 .. ............. Object ffff8801d6076d50: 30 42 01 00 00 00 00 00 30 42 21 00 00 00 00 00 0B......0B!..... Object ffff8801d6076d60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ Object ffff8801d6076d70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ Object ffff8801d6076d80: 01 00 00 00 06 00 00 00 50 4d 01 00 00 00 00 00 ........PM...... Object ffff8801d6076d90: 50 4d 21 00 00 00 00 00 50 4d 21 00 00 00 00 00 PM!.....PM!..... Object ffff8801d6076da0: f0 01 00 00 00 00 00 00 f0 01 00 00 00 00 00 00 ................ Object ffff8801d6076db0: 08 00 00 00 00 00 00 00 04 00 00 00 04 00 00 00 ................ Object ffff8801d6076dc0: 54 02 00 00 00 00 00 00 54 02 00 00 00 00 00 00 T.......T....... Object ffff8801d6076dd0: 54 02 00 00 00 00 00 00 44 00 00 00 00 00 00 00 T.......D....... Object ffff8801d6076de0: 44 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 D............... Object ffff8801d6076df0: 50 e5 74 64 04 00 00 00 b4 22 01 00 00 00 00 00 P.td....."...... Object ffff8801d6076e00: b4 22 01 00 00 00 00 00 b4 22 01 00 00 00 00 00 ."......."...... Object ffff8801d6076e10: 74 02 00 00 00 00 00 00 74 02 00 00 00 00 00 00 t.......t....... Object ffff8801d6076e20: 04 00 00 00 00 00 00 00 51 e5 74 64 06 00 00 00 ........Q.td.... Object ffff8801d6076e30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ Object ffff8801d6076e40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ Object ffff8801d6076e50: 00 00 00 00 00 00 00 00 08 00 00 00 00 00 00 00 ................ Object ffff8801d6076e60: 52 e5 74 64 04 00 00 00 30 42 01 00 00 00 00 00 R.td....0B...... Object ffff8801d6076e70: 30 42 21 00 00 00 00 00 30 42 21 00 00 00 00 00 0B!.....0B!..... Object ffff8801d6076e80: d0 0d 00 00 00 00 00 00 d0 0d 00 00 00 00 00 00 ................ Object ffff8801d6076e90: 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ CPU: 1 PID: 22660 Comm: syz-executor2 Tainted: G B 4.4.105-gb5797f6 #6 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 0000000000000000 9a5cc5c777e7498d ffff8800b4267708 ffffffff81cc9b4f ffff8801d6074010 ffff8801d6076ca0 ffff8800b4267738 ffffffff814d3af4 ffff8801da402a00 ffffea0007581d00 ffff8801d6076ca0 0000000000000000 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0x8e/0xcf lib/dump_stack.c:51 [] print_trailer+0x114/0x1a0 mm/slub.c:682 [] object_err+0x2f/0x40 mm/slub.c:689 [] print_address_description mm/kasan/report.c:139 [inline] [] kasan_report_error mm/kasan/report.c:237 [inline] [] kasan_report.part.2+0x227/0x530 mm/kasan/report.c:262 [] kasan_report+0x20/0x30 mm/kasan/report.c:249 [] check_memory_region mm/kasan/kasan.c:284 [inline] [] __asan_loadN+0x117/0x180 mm/kasan/kasan.c:532 [] memcpy+0x1d/0x40 mm/kasan/kasan.c:317 [] pfkey_msg2xfrm_state net/key/af_key.c:1219 [inline] [] pfkey_add+0x13b4/0x3d80 net/key/af_key.c:1498 [] pfkey_process+0x58d/0x900 net/key/af_key.c:2826 [] pfkey_sendmsg+0x35b/0x6c0 net/key/af_key.c:3670 [] sock_sendmsg_nosec net/socket.c:625 [inline] [] sock_sendmsg+0xb5/0xf0 net/socket.c:635 [] ___sys_sendmsg+0x66d/0x7d0 net/socket.c:1961 [] __sys_sendmsg+0xc3/0x160 net/socket.c:1995 [] SYSC_sendmsg net/socket.c:2006 [inline] [] SyS_sendmsg+0xd/0x20 net/socket.c:2002 [] entry_SYSCALL_64_fastpath+0x16/0x76 Memory state around the buggy address: ffff8801d6076d80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff8801d6076e00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 >ffff8801d6076e80: 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc ^ ffff8801d6076f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff8801d6076f80: fc fc fc fc fc fc fc fc fc fc 00 00 00 00 00 00 ================================================================== binder: 22691:22699 transaction failed 29189/-22, size 0-0 line 3008 binder: 22691:22699 ioctl c0306201 2000dfd0 returned -14 binder: 22742:22745 transaction failed 29189/-22, size 0-0 line 3008 binder: 22742:22745 ioctl c0306201 2000dfd0 returned -14 binder: 22742:22745 transaction failed 29189/-22, size 0-0 line 3008 binder: undelivered TRANSACTION_ERROR: 29189 ================================================================== BUG: KASAN: slab-out-of-bounds in memcpy+0x1d/0x40 mm/kasan/kasan.c:317 at addr ffff8800b4195998 Read of size 8192 by task syz-executor4/23173 ============================================================================= BUG kmalloc-512 (Tainted: G B ): kasan: bad access detected ----------------------------------------------------------------------------- INFO: Allocated in __alloc_skb+0xf5/0x610 net/core/skbuff.c:230 age=4 cpu=0 pid=23173 ___slab_alloc.constprop.78+0x4c6/0x530 mm/slub.c:2475 __slab_alloc.isra.74.constprop.77+0x50/0xa0 mm/slub.c:2504 slab_alloc_node mm/slub.c:2567 [inline] slab_alloc mm/slub.c:2609 [inline] __kmalloc_track_caller+0x19c/0x2b0 mm/slub.c:4118 __kmalloc_reserve.isra.33+0x28/0xa0 net/core/skbuff.c:137 __alloc_skb+0xf5/0x610 net/core/skbuff.c:230 alloc_skb include/linux/skbuff.h:815 [inline] pfkey_sendmsg+0x10f/0x6c0 net/key/af_key.c:3657 sock_sendmsg_nosec net/socket.c:625 [inline] sock_sendmsg+0xb5/0xf0 net/socket.c:635 ___sys_sendmsg+0x66d/0x7d0 net/socket.c:1961 __sys_sendmsg+0xc3/0x160 net/socket.c:1995 SYSC_sendmsg net/socket.c:2006 [inline] SyS_sendmsg+0xd/0x20 net/socket.c:2002 entry_SYSCALL_64_fastpath+0x16/0x76 INFO: Freed in load_elf_binary+0x2049/0x4b70 fs/binfmt_elf.c:1075 age=11 cpu=0 pid=23174 __slab_free+0x18c/0x2b0 mm/slub.c:2685 slab_free mm/slub.c:2840 [inline] kfree+0x24f/0x2d0 mm/slub.c:3714 load_elf_binary+0x2049/0x4b70 fs/binfmt_elf.c:1075 search_binary_handler+0x124/0x610 fs/exec.c:1471 exec_binprm fs/exec.c:1513 [inline] do_execveat_common.isra.36+0x1370/0x1ef0 fs/exec.c:1635 do_execve+0x27/0x30 fs/exec.c:1679 call_usermodehelper_exec_async+0x288/0x4b0 kernel/kmod.c:252 ret_from_fork+0x3f/0x70 arch/x86/entry/entry_64.S:468 INFO: Slab 0xffffea0002d06500 objects=20 used=2 fp=0xffff8800b4197960 flags=0x4000000000004080 INFO: Object 0xffff8800b4195980 @offset=6528 fp=0x0000000f03000202 Bytes b4 ffff8800b4195970: 01 00 00 00 a0 5a 00 00 db a8 ff ff 00 00 00 00 .....Z.......... Object ffff8800b4195980: 02 02 00 03 0f 00 00 00 00 00 00 00 00 00 00 00 ................ Object ffff8800b4195990: 01 00 09 00 ff ff 00 00 05 00 06 00 00 00 00 00 ................ Object ffff8800b41959a0: 0a 00 4e 30 00 00 00 00 00 00 00 00 00 00 00 00 ..N0............ Object ffff8800b41959b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ Object ffff8800b41959c0: 02 00 01 00 00 00 00 00 00 00 00 0b 00 00 00 00 ................ Object ffff8800b41959d0: 05 00 05 00 00 00 00 00 0a 00 4e 30 00 00 00 00 ..........N0.... Object ffff8800b41959e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ Object ffff8800b41959f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ Object ffff8800b4195a00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ Object ffff8800b4195a10: 5c 36 01 00 00 00 00 00 5c 36 01 00 00 00 00 00 \6......\6...... Object ffff8800b4195a20: 00 00 20 00 00 00 00 00 01 00 00 00 06 00 00 00 .. ............. Object ffff8800b4195a30: 30 42 01 00 00 00 00 00 30 42 21 00 00 00 00 00 0B......0B!..... Object ffff8800b4195a40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ Object ffff8800b4195a50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ Object ffff8800b4195a60: 01 00 00 00 06 00 00 00 50 4d 01 00 00 00 00 00 ........PM...... Object ffff8800b4195a70: 50 4d 21 00 00 00 00 00 50 4d 21 00 00 00 00 00 PM!.....PM!..... Object ffff8800b4195a80: f0 01 00 00 00 00 00 00 f0 01 00 00 00 00 00 00 ................ Object ffff8800b4195a90: 08 00 00 00 00 00 00 00 04 00 00 00 04 00 00 00 ................ Object ffff8800b4195aa0: 54 02 00 00 00 00 00 00 54 02 00 00 00 00 00 00 T.......T....... Object ffff8800b4195ab0: 54 02 00 00 00 00 00 00 44 00 00 00 00 00 00 00 T.......D....... Object ffff8800b4195ac0: 44 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 D............... Object ffff8800b4195ad0: 50 e5 74 64 04 00 00 00 b4 22 01 00 00 00 00 00 P.td....."...... Object ffff8800b4195ae0: b4 22 01 00 00 00 00 00 b4 22 01 00 00 00 00 00 ."......."...... Object ffff8800b4195af0: 74 02 00 00 00 00 00 00 74 02 00 00 00 00 00 00 t.......t....... Object ffff8800b4195b00: 04 00 00 00 00 00 00 00 51 e5 74 64 06 00 00 00 ........Q.td.... Object ffff8800b4195b10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ Object ffff8800b4195b20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ Object ffff8800b4195b30: 00 00 00 00 00 00 00 00 08 00 00 00 00 00 00 00 ................ Object ffff8800b4195b40: 52 e5 74 64 04 00 00 00 30 42 01 00 00 00 00 00 R.td....0B...... Object ffff8800b4195b50: 30 42 21 00 00 00 00 00 30 42 21 00 00 00 00 00 0B!.....0B!..... Object ffff8800b4195b60: d0 0d 00 00 00 00 00 00 d0 0d 00 00 00 00 00 00 ................ Object ffff8800b4195b70: 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ CPU: 0 PID: 23173 Comm: syz-executor4 Tainted: G B 4.4.105-gb5797f6 #6 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 0000000000000000 d44688089991f23f ffff8800b94ef708 ffffffff81cc9b4f ffff8800b4194010 ffff8800b4195980 ffff8800b94ef738 ffffffff814d3af4 ffff8801da402a00 ffffea0002d06500 ffff8800b4195980 0000000000000000 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0x8e/0xcf lib/dump_stack.c:51 [] print_trailer+0x114/0x1a0 mm/slub.c:682 [] object_err+0x2f/0x40 mm/slub.c:689 [] print_address_description mm/kasan/report.c:139 [inline] [] kasan_report_error mm/kasan/report.c:237 [inline] [] kasan_report.part.2+0x227/0x530 mm/kasan/report.c:262 [] kasan_report+0x20/0x30 mm/kasan/report.c:249 [] check_memory_region mm/kasan/kasan.c:284 [inline] [] __asan_loadN+0x117/0x180 mm/kasan/kasan.c:532 [] memcpy+0x1d/0x40 mm/kasan/kasan.c:317 [] pfkey_msg2xfrm_state net/key/af_key.c:1219 [inline] [] pfkey_add+0x13b4/0x3d80 net/key/af_key.c:1498 [] pfkey_process+0x58d/0x900 net/key/af_key.c:2826 [] pfkey_sendmsg+0x35b/0x6c0 net/key/af_key.c:3670 [] sock_sendmsg_nosec net/socket.c:625 [inline] [] sock_sendmsg+0xb5/0xf0 net/socket.c:635 [] ___sys_sendmsg+0x66d/0x7d0 net/socket.c:1961 [] __sys_sendmsg+0xc3/0x160 net/socket.c:1995 [] SYSC_sendmsg net/socket.c:2006 [inline] [] SyS_sendmsg+0xd/0x20 net/socket.c:2002 [] entry_SYSCALL_64_fastpath+0x16/0x76 Memory state around the buggy address: ffff8800b4195a80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff8800b4195b00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 >ffff8800b4195b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ^ ffff8800b4195c00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff8800b4195c80: fc fc fc fc fc fc fb fb fb fb fb fb fb fb fb fb ================================================================== sg_write: data in/out 327644/32 bytes for SCSI command 0x4-- guessing data in; program syz-executor0 not setting count and/or reply_len properly SELinux: unrecognized netlink message: protocol=6 nlmsg_type=45 sclass=netlink_xfrm_socket SELinux: unrecognized netlink message: protocol=6 nlmsg_type=45 sclass=netlink_xfrm_socket netlink: 4 bytes leftover after parsing attributes in process `syz-executor7'. netlink: 4 bytes leftover after parsing attributes in process `syz-executor7'. SELinux: unrecognized netlink message: protocol=4 nlmsg_type=1025 sclass=netlink_tcpdiag_socket SELinux: unrecognized netlink message: protocol=4 nlmsg_type=1025 sclass=netlink_tcpdiag_socket SELinux: unrecognized netlink message: protocol=6 nlmsg_type=45 sclass=netlink_xfrm_socket SELinux: unrecognized netlink message: protocol=4 nlmsg_type=1025 sclass=netlink_tcpdiag_socket binder: 23989:23991 transaction failed 29189/-22, size 0-0 line 3008 binder: 23989:23991 ioctl c0306201 2000dfd0 returned -14 SELinux: unrecognized netlink message: protocol=6 nlmsg_type=45 sclass=netlink_xfrm_socket binder: 23989:23991 transaction failed 29189/-22, size 0-0 line 3008 binder: undelivered TRANSACTION_ERROR: 29189 ================================================================== BUG: KASAN: slab-out-of-bounds in memcpy+0x1d/0x40 mm/kasan/kasan.c:317 at addr ffff8801d6076cb8 Read of size 8192 by task syz-executor1/24155 ============================================================================= BUG kmalloc-512 (Tainted: G B ): kasan: bad access detected ----------------------------------------------------------------------------- INFO: Allocated in __alloc_skb+0xf5/0x610 net/core/skbuff.c:230 age=0 cpu=1 pid=24155 ___slab_alloc.constprop.78+0x4c6/0x530 mm/slub.c:2475 __slab_alloc.isra.74.constprop.77+0x50/0xa0 mm/slub.c:2504 slab_alloc_node mm/slub.c:2567 [inline] slab_alloc mm/slub.c:2609 [inline] __kmalloc_track_caller+0x19c/0x2b0 mm/slub.c:4118 __kmalloc_reserve.isra.33+0x28/0xa0 net/core/skbuff.c:137 __alloc_skb+0xf5/0x610 net/core/skbuff.c:230 alloc_skb include/linux/skbuff.h:815 [inline] pfkey_sendmsg+0x10f/0x6c0 net/key/af_key.c:3657 sock_sendmsg_nosec net/socket.c:625 [inline] sock_sendmsg+0xb5/0xf0 net/socket.c:635 ___sys_sendmsg+0x66d/0x7d0 net/socket.c:1961 __sys_sendmsg+0xc3/0x160 net/socket.c:1995 SYSC_sendmsg net/socket.c:2006 [inline] SyS_sendmsg+0xd/0x20 net/socket.c:2002 entry_SYSCALL_64_fastpath+0x16/0x76 INFO: Freed in load_elf_binary+0x2049/0x4b70 fs/binfmt_elf.c:1075 age=1 cpu=1 pid=24160 __slab_free+0x18c/0x2b0 mm/slub.c:2685 slab_free mm/slub.c:2840 [inline] kfree+0x24f/0x2d0 mm/slub.c:3714 load_elf_binary+0x2049/0x4b70 fs/binfmt_elf.c:1075 search_binary_handler+0x124/0x610 fs/exec.c:1471 exec_binprm fs/exec.c:1513 [inline] do_execveat_common.isra.36+0x1370/0x1ef0 fs/exec.c:1635 do_execve+0x27/0x30 fs/exec.c:1679 call_usermodehelper_exec_async+0x288/0x4b0 kernel/kmod.c:252 ret_from_fork+0x3f/0x70 arch/x86/entry/entry_64.S:468 INFO: Slab 0xffffea0007581d00 objects=20 used=11 fp=0xffff8801d6077630 flags=0x8000000000004080 INFO: Object 0xffff8801d6076ca0 @offset=11424 fp=0x0000000f03000202 Bytes b4 ffff8801d6076c90: 01 00 00 00 43 39 00 00 5a 9f ff ff 00 00 00 00 ....C9..Z....... Object ffff8801d6076ca0: 02 02 00 03 0f 00 00 00 00 00 00 00 00 00 00 00 ................ Object ffff8801d6076cb0: 01 00 09 00 ff ff 00 00 05 00 06 00 00 00 00 00 ................ Object ffff8801d6076cc0: 0a 00 4e 24 00 00 00 00 00 00 00 00 00 00 00 00 ..N$............ Object ffff8801d6076cd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ Object ffff8801d6076ce0: 02 00 01 00 00 00 00 00 00 00 00 0b 00 00 00 00 ................ Object ffff8801d6076cf0: 05 00 05 00 00 00 00 00 0a 00 4e 24 00 00 00 00 ..........N$.... Object ffff8801d6076d00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ Object ffff8801d6076d10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ Object ffff8801d6076d20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ Object ffff8801d6076d30: 5c 36 01 00 00 00 00 00 5c 36 01 00 00 00 00 00 \6......\6...... Object ffff8801d6076d40: 00 00 20 00 00 00 00 00 01 00 00 00 06 00 00 00 .. ............. Object ffff8801d6076d50: 30 42 01 00 00 00 00 00 30 42 21 00 00 00 00 00 0B......0B!..... Object ffff8801d6076d60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ Object ffff8801d6076d70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ Object ffff8801d6076d80: 01 00 00 00 06 00 00 00 50 4d 01 00 00 00 00 00 ........PM...... SELinux: unrecognized netlink message: protocol=6 nlmsg_type=45 sclass=netlink_xfrm_socket Object ffff8801d6076d90: 50 4d 21 00 00 00 00 00 50 4d 21 00 00 00 00 00 PM!.....PM!..... Object ffff8801d6076da0: f0 01 00 00 00 00 00 00 f0 01 00 00 00 00 00 00 ................ SELinux: unrecognized netlink message: protocol=6 nlmsg_type=45 sclass=netlink_xfrm_socket Object ffff8801d6076db0: 08 00 00 00 00 00 00 00 04 00 00 00 04 00 00 00 ................ Object ffff8801d6076dc0: 54 02 00 00 00 00 00 00 54 02 00 00 00 00 00 00 T.......T....... Object ffff8801d6076dd0: 54 02 00 00 00 00 00 00 44 00 00 00 00 00 00 00 T.......D....... Object ffff8801d6076de0: 44 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 D............... Object ffff8801d6076df0: 50 e5 74 64 04 00 00 00 b4 22 01 00 00 00 00 00 P.td....."...... Object ffff8801d6076e00: b4 22 01 00 00 00 00 00 b4 22 01 00 00 00 00 00 ."......."...... Object ffff8801d6076e10: 74 02 00 00 00 00 00 00 74 02 00 00 00 00 00 00 t.......t....... Object ffff8801d6076e20: 04 00 00 00 00 00 00 00 51 e5 74 64 06 00 00 00 ........Q.td.... Object ffff8801d6076e30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ Object ffff8801d6076e40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ Object ffff8801d6076e50: 00 00 00 00 00 00 00 00 08 00 00 00 00 00 00 00 ................ Object ffff8801d6076e60: 52 e5 74 64 04 00 00 00 30 42 01 00 00 00 00 00 R.td....0B...... Object ffff8801d6076e70: 30 42 21 00 00 00 00 00 30 42 21 00 00 00 00 00 0B!.....0B!..... Object ffff8801d6076e80: d0 0d 00 00 00 00 00 00 d0 0d 00 00 00 00 00 00 ................ Object ffff8801d6076e90: 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ CPU: 1 PID: 24155 Comm: syz-executor1 Tainted: G B 4.4.105-gb5797f6 #6 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 0000000000000000 c774e8d760ce5d34 ffff8800b6607708 ffffffff81cc9b4f ffff8801d6074010 ffff8801d6076ca0 ffff8800b6607738 ffffffff814d3af4 ffff8801da402a00 ffffea0007581d00 ffff8801d6076ca0 0000000000000000 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0x8e/0xcf lib/dump_stack.c:51 [] print_trailer+0x114/0x1a0 mm/slub.c:682 [] object_err+0x2f/0x40 mm/slub.c:689 [] print_address_description mm/kasan/report.c:139 [inline] [] kasan_report_error mm/kasan/report.c:237 [inline] [] kasan_report.part.2+0x227/0x530 mm/kasan/report.c:262 [] kasan_report+0x20/0x30 mm/kasan/report.c:249 [] check_memory_region mm/kasan/kasan.c:284 [inline] [] __asan_loadN+0x117/0x180 mm/kasan/kasan.c:532 [] memcpy+0x1d/0x40 mm/kasan/kasan.c:317 [] pfkey_msg2xfrm_state net/key/af_key.c:1219 [inline] [] pfkey_add+0x13b4/0x3d80 net/key/af_key.c:1498 [] pfkey_process+0x58d/0x900 net/key/af_key.c:2826 [] pfkey_sendmsg+0x35b/0x6c0 net/key/af_key.c:3670 [] sock_sendmsg_nosec net/socket.c:625 [inline] [] sock_sendmsg+0xb5/0xf0 net/socket.c:635 [] ___sys_sendmsg+0x66d/0x7d0 net/socket.c:1961