device lo entered promiscuous mode
device lo left promiscuous mode
==================================================================
BUG: KASAN: slab-out-of-bounds in xfrm_hash_rebuild+0xa08/0xad0 net/xfrm/xfrm_policy.c:652 at addr ffff8801cca8964c
device lo entered promiscuous mode
Read of size 2 by task kworker/0:0/4
CPU: 0 PID: 4 Comm: kworker/0:0 Not tainted 4.9.67-gf26d3c7 #106
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: events xfrm_hash_rebuild
 ffff8801da247ae0 ffffffff81d906e9 ffff8801da002000 ffff8801cca89100
 ffff8801cca89900 ffffed00399512c9 ffff8801cca8964c ffff8801da247b08
 ffffffff8153a2cc ffffed00399512c9 ffff8801da002000 0000000000000000
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [] kasan_object_err+0x1c/0x70 mm/kasan/report.c:160
 [] print_address_description mm/kasan/report.c:198 [inline]
 [] kasan_report_error mm/kasan/report.c:287 [inline]
 [] kasan_report.part.1+0x21c/0x500 mm/kasan/report.c:309
 [] kasan_report mm/kasan/report.c:328 [inline]
 [] __asan_report_load2_noabort+0x29/0x30 mm/kasan/report.c:328
 [] xfrm_hash_rebuild+0xa08/0xad0 net/xfrm/xfrm_policy.c:652
 [] process_one_work+0x78f/0x15f0 kernel/workqueue.c:2090
 [] worker_thread+0xe0/0x10d0 kernel/workqueue.c:2224
 [] kthread+0x26d/0x300 kernel/kthread.c:211
 [] ret_from_fork+0x2a/0x40 arch/x86/entry/entry_64.S:433
Object at ffff8801cca89100, in cache kmalloc-2048 size: 2048
Allocated:
PID = 13766
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:495
 set_track mm/kasan/kasan.c:507 [inline]
 kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598
 __kmalloc+0x11d/0x310 mm/slub.c:3741
 kmalloc include/linux/slab.h:495 [inline]
 sk_prot_alloc+0x101/0x2a0 net/core/sock.c:1338
 sk_alloc+0x3a/0x3a0 net/core/sock.c:1394
 pfkey_create+0x1da/0x8d0 net/key/af_key.c:158
 __sock_create+0x3ab/0x640 net/socket.c:1182
 sock_create net/socket.c:1222 [inline]
 SYSC_socket net/socket.c:1252 [inline]
 SyS_socket+0xf0/0x1b0 net/socket.c:1232
 entry_SYSCALL_64_fastpath+0x23/0xc6
Freed:
PID = 0
(stack is not available)
Memory state around the buggy address:
 ffff8801cca89500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff8801cca89580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff8801cca89600: 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc
                                              ^
 ffff8801cca89680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff8801cca89700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
device lo left promiscuous mode
keychord: Insufficient bytes present for keycount 250
binder: 13867:13869 BC_INCREFS_DONE u4004630600000000 no match
binder: BINDER_SET_CONTEXT_MGR already set
binder: 13867:13875 ioctl 40046207 0 returned -16
device lo entered promiscuous mode
device lo left promiscuous mode
device lo entered promiscuous mode
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=5 sclass=netlink_route_socket pig=14097 comm=syz-executor5
binder: 14100:14102 got transaction to invalid handle
binder: 14100:14102 transaction failed 29201/-22, size 0-0 line 3007
binder: BINDER_SET_CONTEXT_MGR already set
binder: 14100:14102 ioctl 40046207 0 returned -16
binder: 14100:14102 got transaction to invalid handle
binder: 14100:14102 transaction failed 29201/-22, size 0-0 line 3007
binder: undelivered TRANSACTION_ERROR: 29201
binder: undelivered TRANSACTION_ERROR: 29201
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=4 sclass=netlink_route_socket pig=14109 comm=syz-executor5
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=14109 comm=syz-executor5
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=5 sclass=netlink_route_socket pig=14135 comm=syz-executor5
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=4 sclass=netlink_route_socket pig=14115 comm=syz-executor5
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=14135 comm=syz-executor5
binder: 14154:14157 ioctl 40286608 5 returned -22
binder: 14154:14157 ioctl 40046205 3 returned -22
binder: 14154:14157 ioctl 40046205 3 returned -22
binder: 14154:14157 Acquire 1 refcount change on invalid ref 1 ret -22
binder: 14154:14157 got reply transaction with no transaction stack
binder: 14154:14157 transaction failed 29201/-71, size 32-8 line 2923
binder: 14154:14157 ioctl 40046205 1000 returned -22
binder: 14154:14157 ioctl 40286608 5 returned -22
binder: 14154:14183 ioctl 40046205 3 returned -22
binder: 14154:14183 ioctl 40046205 3 returned -22
binder: 14154:14157 Acquire 1 refcount change on invalid ref 1 ret -22
binder: 14154:14192 got reply transaction with no transaction stack
binder: 14154:14192 transaction failed 29201/-71, size 32-8 line 2923
binder: 14154:14192 ioctl 40046205 1000 returned -22
binder: undelivered TRANSACTION_ERROR: 29201
binder: undelivered TRANSACTION_ERROR: 29201
device gre0 entered promiscuous mode
binder: 14352:14356 ioctl 40046205 0 returned -22
IPv6: ADDRCONF(NETDEV_UP): gre0: link is not ready
IPv6: ADDRCONF(NETDEV_CHANGE): gre0: link becomes ready
binder: 14352:14356 ERROR: BC_REGISTER_LOOPER called without request
IPv6: Can't replace route, no match found
binder_alloc: 14352: binder_alloc_buf, no vma
binder: 14352:14364 transaction failed 29189/-3, size 0-0 line 3130
IPv6: Can't replace route, no match found
tc_dump_action: action bad kind
binder: 14352:14379 ioctl 40046205 0 returned -22
binder: BINDER_SET_CONTEXT_MGR already set
binder: 14352:14379 ioctl 40046207 0 returned -16
binder: 14352:14379 ERROR: BC_REGISTER_LOOPER called without request
binder_alloc: 14352: binder_alloc_buf, no vma
binder: 14352:14364 transaction failed 29189/-3, size 0-0 line 3130
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_ERROR: 29189
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=14404 comm=syz-executor4
nla_parse: 11 callbacks suppressed
netlink: 17 bytes leftover after parsing attributes in process `syz-executor5'.
netlink: 17 bytes leftover after parsing attributes in process `syz-executor5'.
netlink: 3 bytes leftover after parsing attributes in process `syz-executor4'.
netlink: 3 bytes leftover after parsing attributes in process `syz-executor4'.
device lo entered promiscuous mode
IPv6: ADDRCONF(NETDEV_CHANGE): lo: link becomes ready
device lo left promiscuous mode
netlink: 3 bytes leftover after parsing attributes in process `syz-executor5'.
netlink: 3 bytes leftover after parsing attributes in process `syz-executor5'.
device lo entered promiscuous mode
device lo left promiscuous mode
binder: 14599:14605 got transaction with invalid offset (56, min 72 max 72) or object.
binder: 14599:14605 transaction failed 29201/-22, size 72-32 line 3193
binder: 14599:14605 ERROR: BC_REGISTER_LOOPER called without request
binder: 14599:14605 got reply transaction with no transaction stack
binder: 14599:14605 transaction failed 29201/-71, size 24-24 line 2923
binder_alloc: binder_alloc_mmap_handler: 14599 20000000-20002000 already mapped failed -16
binder: BINDER_SET_CONTEXT_MGR already set
binder: 14599:14619 ioctl 40046207 0 returned -16
binder_alloc: 14599: binder_alloc_buf, no vma
binder: 14599:14619 transaction failed 29189/-3, size 72-32 line 3130
binder: 14599:14619 ERROR: BC_REGISTER_LOOPER called without request
binder: 14599:14619 got reply transaction with no transaction stack
binder: 14599:14619 transaction failed 29201/-71, size 24-24 line 2923
binder: undelivered TRANSACTION_ERROR: 29201
binder: undelivered TRANSACTION_ERROR: 29201
device lo entered promiscuous mode
binder: 14673:14677 ioctl 8918 20ad9000 returned -22
binder: 14673:14677 ioctl 8924 20002000 returned -22
binder: 14673:14677 ERROR: BC_REGISTER_LOOPER called without request
binder: 14673:14698 ioctl 8918 20ad9000 returned -22
binder: 14673:14698 ioctl 8924 20002000 returned -22
binder: BINDER_SET_CONTEXT_MGR already set
binder: 14673:14698 ERROR: BC_REGISTER_LOOPER called without request
binder: 14673:14677 ioctl 40046207 0 returned -16
binder: 14716:14717 ioctl 8924 20002000 returned -22
binder: release 14673:14677 transaction 131 in, still active
binder: send failed reply for transaction 131 to 14673:14698
binder: undelivered TRANSACTION_COMPLETE
binder: undelivered TRANSACTION_ERROR: 29189
netlink: 48 bytes leftover after parsing attributes in process `syz-executor6'.
netlink: 48 bytes leftover after parsing attributes in process `syz-executor6'.
netlink: 1 bytes leftover after parsing attributes in process `syz-executor5'.
netlink: 1 bytes leftover after parsing attributes in process `syz-executor5'.
device gre0 entered promiscuous mode
device gre0 entered promiscuous mode
device gre0 entered promiscuous mode
device gre0 left promiscuous mode
9pnet_virtio: no channels available for device ./file0
9pnet_virtio: no channels available for device ./file0
device gre0 entered promiscuous mode
device gre0 entered promiscuous mode
: renamed from syz2
sock: process `syz-executor2' is using obsolete setsockopt SO_BSDCOMPAT
device lo entered promiscuous mode
IPv6: ADDRCONF(NETDEV_CHANGE): lo: link becomes ready
A link change request failed with some changes committed already. Interface lo may have been left with an inconsistent configuration, please check.
device lo left promiscuous mode
A link change request failed with some changes committed already. Interface lo may have been left with an inconsistent configuration, please check.
device lo entered promiscuous mode
device lo left promiscuous mode
IPv6: ADDRCONF(NETDEV_CHANGE): gre0: link becomes ready
SELinux: unrecognized netlink message: protocol=9 nlmsg_type=22 sclass=netlink_audit_socket pig=15533 comm=syz-executor0
mmap: syz-executor5 (15625): VmData 18927616 exceed data ulimit 0. Update limits or use boot option ignore_rlimit_data.
IPv6: ADDRCONF(NETDEV_CHANGE): lo: link becomes ready
qtaguid: iface_stat: create6(lo): no inet dev
IPv6: ADDRCONF(NETDEV_CHANGE): lo: link becomes ready
qtaguid: iface_stat: create6(lo): no inet dev
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=15776 comm=syz-executor3
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=15785 comm=syz-executor3
9pnet_virtio: no channels available for device ./file0
program syz-executor5 is using a deprecated SCSI ioctl, please convert it to SG_IO
9pnet_virtio: no channels available for device ./file0
sd 0:0:1:0: ioctl_internal_command: ILLEGAL REQUEST asc=0x20 ascq=0x0
program syz-executor5 is using a deprecated SCSI ioctl, please convert it to SG_IO
sd 0:0:1:0: ioctl_internal_command: ILLEGAL REQUEST asc=0x20 ascq=0x0
nla_parse: 17 callbacks suppressed
netlink: 2 bytes leftover after parsing attributes in process `syz-executor2'.
IPv6: ADDRCONF(NETDEV_UP): gre0: link is not ready
device gre0 entered promiscuous mode
device gre0 entered promiscuous mode
netlink: 2 bytes leftover after parsing attributes in process `syz-executor2'.
device gre0 left promiscuous mode
device gre0 entered promiscuous mode
device gre0 entered promiscuous mode
netlink: 18 bytes leftover after parsing attributes in process `syz-executor1'.
netlink: 18 bytes leftover after parsing attributes in process `syz-executor1'.
FAULT_FLAG_ALLOW_RETRY missing 30
CPU: 1 PID: 16059 Comm: syz-executor1 Tainted: G B 4.9.67-gf26d3c7 #106
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801a9fd75d0 ffffffff81d906e9 ffff8801a9fd78b0 0000000000000000
 ffff8801a75a1490 ffff8801a9fd77a0 ffff8801a75a1380 ffff8801a9fd77c8
 ffffffff8165e307 0000000041b58ab3 ffff8801a9fd7720 00000001c7ca8067
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [] handle_userfault+0xa37/0x1300 fs/userfaultfd.c:323
 [] do_anonymous_page mm/memory.c:2747 [inline]
 [] handle_pte_fault mm/memory.c:3488 [inline]
 [] __handle_mm_fault mm/memory.c:3577 [inline]
 [] handle_mm_fault+0x1fd1/0x2530 mm/memory.c:3614
 [] __do_page_fault+0x5c2/0xd40 arch/x86/mm/fault.c:1406
 [] do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1469
 [] page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1012
 [] vfs_ioctl fs/ioctl.c:43 [inline]
 [] do_vfs_ioctl+0x1aa/0x1140 fs/ioctl.c:679
 [] SYSC_ioctl fs/ioctl.c:694 [inline]
 [] SyS_ioctl+0x8f/0xc0 fs/ioctl.c:685
 [] entry_SYSCALL_64_fastpath+0x23/0xc6
netlink: 4 bytes leftover after parsing attributes in process `syz-executor1'.
tc_dump_action: action bad kind
netlink: 4 bytes leftover after parsing attributes in process `syz-executor1'.
tc_dump_action: action bad kind
Can not set IPV6_FL_F_REFLECT if flowlabel_consistency sysctl is enable
Can not set IPV6_FL_F_REFLECT if flowlabel_consistency sysctl is enable
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=48814 sclass=netlink_route_socket pig=16285 comm=syz-executor2