device lo entered promiscuous mode
device lo left promiscuous mode
==================================================================
BUG: KASAN: slab-out-of-bounds in xfrm_hash_rebuild+0xa08/0xad0 net/xfrm/xfrm_policy.c:652 at addr ffff8801cca8964c
device lo entered promiscuous mode
Read of size 2 by task kworker/0:0/4
CPU: 0 PID: 4 Comm: kworker/0:0 Not tainted 4.9.67-gf26d3c7 #106
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: events xfrm_hash_rebuild
 ffff8801da247ae0 ffffffff81d906e9 ffff8801da002000 ffff8801cca89100
 ffff8801cca89900 ffffed00399512c9 ffff8801cca8964c ffff8801da247b08
 ffffffff8153a2cc ffffed00399512c9 ffff8801da002000 0000000000000000
Call Trace:
 [<ffffffff81d906e9>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81d906e9>] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [<ffffffff8153a2cc>] kasan_object_err+0x1c/0x70 mm/kasan/report.c:160
 [<ffffffff8153a58c>] print_address_description mm/kasan/report.c:198 [inline]
 [<ffffffff8153a58c>] kasan_report_error mm/kasan/report.c:287 [inline]
 [<ffffffff8153a58c>] kasan_report.part.1+0x21c/0x500 mm/kasan/report.c:309
 [<ffffffff8153a8c9>] kasan_report mm/kasan/report.c:328 [inline]
 [<ffffffff8153a8c9>] __asan_report_load2_noabort+0x29/0x30 mm/kasan/report.c:328
 [<ffffffff833b0408>] xfrm_hash_rebuild+0xa08/0xad0 net/xfrm/xfrm_policy.c:652
 [<ffffffff811877cf>] process_one_work+0x78f/0x15f0 kernel/workqueue.c:2090
 [<ffffffff81188710>] worker_thread+0xe0/0x10d0 kernel/workqueue.c:2224
 [<ffffffff811985ad>] kthread+0x26d/0x300 kernel/kthread.c:211
 [<ffffffff838a9c2a>] ret_from_fork+0x2a/0x40 arch/x86/entry/entry_64.S:433
Object at ffff8801cca89100, in cache kmalloc-2048 size: 2048
Allocated:
PID = 13766
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:495
 set_track mm/kasan/kasan.c:507 [inline]
 kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598
 __kmalloc+0x11d/0x310 mm/slub.c:3741
 kmalloc include/linux/slab.h:495 [inline]
 sk_prot_alloc+0x101/0x2a0 net/core/sock.c:1338
 sk_alloc+0x3a/0x3a0 net/core/sock.c:1394
 pfkey_create+0x1da/0x8d0 net/key/af_key.c:158
 __sock_create+0x3ab/0x640 net/socket.c:1182
 sock_create net/socket.c:1222 [inline]
 SYSC_socket net/socket.c:1252 [inline]
 SyS_socket+0xf0/0x1b0 net/socket.c:1232
 entry_SYSCALL_64_fastpath+0x23/0xc6
Freed:
PID = 0
(stack is not available)
Memory state around the buggy address:
 ffff8801cca89500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff8801cca89580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff8801cca89600: 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc
                                              ^
 ffff8801cca89680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff8801cca89700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
device lo left promiscuous mode
keychord: Insufficient bytes present for keycount 250
binder: 13867:13869 BC_INCREFS_DONE u4004630600000000 no match
binder: BINDER_SET_CONTEXT_MGR already set
binder: 13867:13875 ioctl 40046207 0 returned -16
device lo entered promiscuous mode
device lo left promiscuous mode
device lo entered promiscuous mode
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=5 sclass=netlink_route_socket pig=14097 comm=syz-executor5
binder: 14100:14102 got transaction to invalid handle
binder: 14100:14102 transaction failed 29201/-22, size 0-0 line 3007
binder: BINDER_SET_CONTEXT_MGR already set
binder: 14100:14102 ioctl 40046207 0 returned -16
binder: 14100:14102 got transaction to invalid handle
binder: 14100:14102 transaction failed 29201/-22, size 0-0 line 3007
binder: undelivered TRANSACTION_ERROR: 29201
binder: undelivered TRANSACTION_ERROR: 29201
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=4 sclass=netlink_route_socket pig=14109 comm=syz-executor5
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=14109 comm=syz-executor5
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=5 sclass=netlink_route_socket pig=14135 comm=syz-executor5
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=4 sclass=netlink_route_socket pig=14115 comm=syz-executor5
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=14135 comm=syz-executor5
binder: 14154:14157 ioctl 40286608 5 returned -22
binder: 14154:14157 ioctl 40046205 3 returned -22
binder: 14154:14157 ioctl 40046205 3 returned -22
binder: 14154:14157 Acquire 1 refcount change on invalid ref 1 ret -22
binder: 14154:14157 got reply transaction with no transaction stack
binder: 14154:14157 transaction failed 29201/-71, size 32-8 line 2923
binder: 14154:14157 ioctl 40046205 1000 returned -22
binder: 14154:14157 ioctl 40286608 5 returned -22
binder: 14154:14183 ioctl 40046205 3 returned -22
binder: 14154:14183 ioctl 40046205 3 returned -22
binder: 14154:14157 Acquire 1 refcount change on invalid ref 1 ret -22
binder: 14154:14192 got reply transaction with no transaction stack
binder: 14154:14192 transaction failed 29201/-71, size 32-8 line 2923
binder: 14154:14192 ioctl 40046205 1000 returned -22
binder: undelivered TRANSACTION_ERROR: 29201
binder: undelivered TRANSACTION_ERROR: 29201
device gre0 entered promiscuous mode
binder: 14352:14356 ioctl 40046205 0 returned -22
IPv6: ADDRCONF(NETDEV_UP): gre0: link is not ready
IPv6: ADDRCONF(NETDEV_CHANGE): gre0: link becomes ready
binder: 14352:14356 ERROR: BC_REGISTER_LOOPER called without request
IPv6: Can't replace route, no match found
binder_alloc: 14352: binder_alloc_buf, no vma
binder: 14352:14364 transaction failed 29189/-3, size 0-0 line 3130
IPv6: Can't replace route, no match found
tc_dump_action: action bad kind
binder: 14352:14379 ioctl 40046205 0 returned -22
binder: BINDER_SET_CONTEXT_MGR already set
binder: 14352:14379 ioctl 40046207 0 returned -16
binder: 14352:14379 ERROR: BC_REGISTER_LOOPER called without request
binder_alloc: 14352: binder_alloc_buf, no vma
binder: 14352:14364 transaction failed 29189/-3, size 0-0 line 3130
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_ERROR: 29189
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=14404 comm=syz-executor4
nla_parse: 11 callbacks suppressed
netlink: 17 bytes leftover after parsing attributes in process `syz-executor5'.
netlink: 17 bytes leftover after parsing attributes in process `syz-executor5'.
netlink: 3 bytes leftover after parsing attributes in process `syz-executor4'.
netlink: 3 bytes leftover after parsing attributes in process `syz-executor4'.
device lo entered promiscuous mode
IPv6: ADDRCONF(NETDEV_CHANGE): lo: link becomes ready
device lo left promiscuous mode
netlink: 3 bytes leftover after parsing attributes in process `syz-executor5'.
netlink: 3 bytes leftover after parsing attributes in process `syz-executor5'.
device lo entered promiscuous mode
device lo left promiscuous mode
binder: 14599:14605 got transaction with invalid offset (56, min 72 max 72) or object.
binder: 14599:14605 transaction failed 29201/-22, size 72-32 line 3193
binder: 14599:14605 ERROR: BC_REGISTER_LOOPER called without request
binder: 14599:14605 got reply transaction with no transaction stack
binder: 14599:14605 transaction failed 29201/-71, size 24-24 line 2923
binder_alloc: binder_alloc_mmap_handler: 14599 20000000-20002000 already mapped failed -16
binder: BINDER_SET_CONTEXT_MGR already set
binder: 14599:14619 ioctl 40046207 0 returned -16
binder_alloc: 14599: binder_alloc_buf, no vma
binder: 14599:14619 transaction failed 29189/-3, size 72-32 line 3130
binder: 14599:14619 ERROR: BC_REGISTER_LOOPER called without request
binder: 14599:14619 got reply transaction with no transaction stack
binder: 14599:14619 transaction failed 29201/-71, size 24-24 line 2923
binder: undelivered TRANSACTION_ERROR: 29201
binder: undelivered TRANSACTION_ERROR: 29201
device lo entered promiscuous mode
binder: 14673:14677 ioctl 8918 20ad9000 returned -22
binder: 14673:14677 ioctl 8924 20002000 returned -22
binder: 14673:14677 ERROR: BC_REGISTER_LOOPER called without request
binder: 14673:14698 ioctl 8918 20ad9000 returned -22
binder: 14673:14698 ioctl 8924 20002000 returned -22
binder: BINDER_SET_CONTEXT_MGR already set
binder: 14673:14698 ERROR: BC_REGISTER_LOOPER called without request
binder: 14673:14677 ioctl 40046207 0 returned -16
binder: 14716:14717 ioctl 8924 20002000 returned -22
binder: release 14673:14677 transaction 131 in, still active
binder: send failed reply for transaction 131 to 14673:14698
binder: undelivered TRANSACTION_COMPLETE
binder: undelivered TRANSACTION_ERROR: 29189
netlink: 48 bytes leftover after parsing attributes in process `syz-executor6'.
netlink: 48 bytes leftover after parsing attributes in process `syz-executor6'.
netlink: 1 bytes leftover after parsing attributes in process `syz-executor5'.
netlink: 1 bytes leftover after parsing attributes in process `syz-executor5'.
device gre0 entered promiscuous mode
device gre0 entered promiscuous mode
device gre0 entered promiscuous mode
device gre0 left promiscuous mode
9pnet_virtio: no channels available for device ./file0
9pnet_virtio: no channels available for device ./file0
device gre0 entered promiscuous mode
device gre0 entered promiscuous mode
: renamed from syz2
sock: process `syz-executor2' is using obsolete setsockopt SO_BSDCOMPAT
device lo entered promiscuous mode
IPv6: ADDRCONF(NETDEV_CHANGE): lo: link becomes ready
A link change request failed with some changes committed already. Interface lo may have been left with an inconsistent configuration, please check.
device lo left promiscuous mode
A link change request failed with some changes committed already. Interface lo may have been left with an inconsistent configuration, please check.
device lo entered promiscuous mode
device lo left promiscuous mode
IPv6: ADDRCONF(NETDEV_CHANGE): gre0: link becomes ready
SELinux: unrecognized netlink message: protocol=9 nlmsg_type=22 sclass=netlink_audit_socket pig=15533 comm=syz-executor0
mmap: syz-executor5 (15625): VmData 18927616 exceed data ulimit 0. Update limits or use boot option ignore_rlimit_data.
IPv6: ADDRCONF(NETDEV_CHANGE): lo: link becomes ready
qtaguid: iface_stat: create6(lo): no inet dev
IPv6: ADDRCONF(NETDEV_CHANGE): lo: link becomes ready
qtaguid: iface_stat: create6(lo): no inet dev
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=15776 comm=syz-executor3
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket pig=15785 comm=syz-executor3
9pnet_virtio: no channels available for device ./file0
program syz-executor5 is using a deprecated SCSI ioctl, please convert it to SG_IO
9pnet_virtio: no channels available for device ./file0
sd 0:0:1:0: ioctl_internal_command: ILLEGAL REQUEST asc=0x20 ascq=0x0
program syz-executor5 is using a deprecated SCSI ioctl, please convert it to SG_IO
sd 0:0:1:0: ioctl_internal_command: ILLEGAL REQUEST asc=0x20 ascq=0x0
nla_parse: 17 callbacks suppressed
netlink: 2 bytes leftover after parsing attributes in process `syz-executor2'.
IPv6: ADDRCONF(NETDEV_UP): gre0: link is not ready
device gre0 entered promiscuous mode
device gre0 entered promiscuous mode
netlink: 2 bytes leftover after parsing attributes in process `syz-executor2'.
device gre0 left promiscuous mode
device gre0 entered promiscuous mode
device gre0 entered promiscuous mode
netlink: 18 bytes leftover after parsing attributes in process `syz-executor1'.
netlink: 18 bytes leftover after parsing attributes in process `syz-executor1'.
FAULT_FLAG_ALLOW_RETRY missing 30
CPU: 1 PID: 16059 Comm: syz-executor1 Tainted: G    B           4.9.67-gf26d3c7 #106
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801a9fd75d0 ffffffff81d906e9 ffff8801a9fd78b0 0000000000000000
 ffff8801a75a1490 ffff8801a9fd77a0 ffff8801a75a1380 ffff8801a9fd77c8
 ffffffff8165e307 0000000041b58ab3 ffff8801a9fd7720 00000001c7ca8067
Call Trace:
 [<ffffffff81d906e9>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81d906e9>] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [<ffffffff8165e307>] handle_userfault+0xa37/0x1300 fs/userfaultfd.c:323
 [<ffffffff814cd5f1>] do_anonymous_page mm/memory.c:2747 [inline]
 [<ffffffff814cd5f1>] handle_pte_fault mm/memory.c:3488 [inline]
 [<ffffffff814cd5f1>] __handle_mm_fault mm/memory.c:3577 [inline]
 [<ffffffff814cd5f1>] handle_mm_fault+0x1fd1/0x2530 mm/memory.c:3614
 [<ffffffff810dd452>] __do_page_fault+0x5c2/0xd40 arch/x86/mm/fault.c:1406
 [<ffffffff810ddbf7>] do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1469
 [<ffffffff838aab58>] page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1012
 [<ffffffff815aa59a>] vfs_ioctl fs/ioctl.c:43 [inline]
 [<ffffffff815aa59a>] do_vfs_ioctl+0x1aa/0x1140 fs/ioctl.c:679
 [<ffffffff815ab5bf>] SYSC_ioctl fs/ioctl.c:694 [inline]
 [<ffffffff815ab5bf>] SyS_ioctl+0x8f/0xc0 fs/ioctl.c:685
 [<ffffffff838a9985>] entry_SYSCALL_64_fastpath+0x23/0xc6
netlink: 4 bytes leftover after parsing attributes in process `syz-executor1'.
tc_dump_action: action bad kind
netlink: 4 bytes leftover after parsing attributes in process `syz-executor1'.
tc_dump_action: action bad kind
Can not set IPV6_FL_F_REFLECT if flowlabel_consistency sysctl is enable
Can not set IPV6_FL_F_REFLECT if flowlabel_consistency sysctl is enable
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=48814 sclass=netlink_route_socket pig=16285 comm=syz-executor2