device lo entered promiscuous mode
==================================================================
BUG: KASAN: slab-out-of-bounds in pfkey_msg2xfrm_state net/key/af_key.c:1227 [inline]
BUG: KASAN: slab-out-of-bounds in pfkey_add+0x145d/0x3220 net/key/af_key.c:1506
Read of size 3104 at addr ffff8800b8dbe7c0 by task syz-executor0/11079

CPU: 1 PID: 11079 Comm: syz-executor0 Not tainted 4.4.136-gfb7e319 #59
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 0000000000000000 e2723084791c8a29 ffff8800ad93f740 ffffffff81e0edad
 ffffea0002e36f80 ffff8800b8dbe7c0 0000000000000000 ffff8800b8dbe980
 ffff8800b8dbe780 ffff8800ad93f778 ffffffff815159b6 ffff8800b8dbe7c0
Call Trace:
 [<ffffffff81e0edad>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81e0edad>] dump_stack+0xc1/0x124 lib/dump_stack.c:51
 [<ffffffff815159b6>] print_address_description+0x6c/0x216 mm/kasan/report.c:252
 [<ffffffff81515cd5>] kasan_report_error mm/kasan/report.c:351 [inline]
 [<ffffffff81515cd5>] kasan_report.cold.7+0x175/0x2f7 mm/kasan/report.c:408
 [<ffffffff814f874f>] check_memory_region_inline mm/kasan/kasan.c:325 [inline]
 [<ffffffff814f874f>] check_memory_region+0x14f/0x1b0 mm/kasan/kasan.c:332
 [<ffffffff814f8c93>] memcpy+0x23/0x50 mm/kasan/kasan.c:367
 [<ffffffff8358775d>] pfkey_msg2xfrm_state net/key/af_key.c:1227 [inline]
 [<ffffffff8358775d>] pfkey_add+0x145d/0x3220 net/key/af_key.c:1506
 [<ffffffff8358bdf1>] pfkey_process+0x671/0x740 net/key/af_key.c:2834
 [<ffffffff8358d626>] pfkey_sendmsg+0x346/0xae0 net/key/af_key.c:3678
 [<ffffffff82f1e1fc>] sock_sendmsg_nosec net/socket.c:625 [inline]
 [<ffffffff82f1e1fc>] sock_sendmsg+0xcc/0x110 net/socket.c:635
 [<ffffffff82f1fcc5>] ___sys_sendmsg+0x745/0x880 net/socket.c:1962
 [<ffffffff82f21d66>] __sys_sendmsg+0xd6/0x190 net/socket.c:1996
 [<ffffffff82f21e4d>] SYSC_sendmsg net/socket.c:2007 [inline]
 [<ffffffff82f21e4d>] SyS_sendmsg+0x2d/0x50 net/socket.c:2003
 [<ffffffff838c2825>] entry_SYSCALL_64_fastpath+0x22/0x9e

Allocated by task 11079:
 [<ffffffff810341d6>] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:63
 [<ffffffff814f8873>] save_stack+0x43/0xd0 mm/kasan/kasan.c:512
 [<ffffffff814f8b57>] set_track mm/kasan/kasan.c:524 [inline]
 [<ffffffff814f8b57>] kasan_kmalloc+0xc7/0xe0 mm/kasan/kasan.c:616
 [<ffffffff814f9334>] kasan_krealloc+0x64/0x80 mm/kasan/kasan.c:654
 [<ffffffff814f252a>] ksize+0x8a/0xf0 mm/slub.c:3727
 [<ffffffff82f380f3>] __alloc_skb+0x133/0x600 net/core/skbuff.c:237
 [<ffffffff8358d3de>] alloc_skb include/linux/skbuff.h:815 [inline]
 [<ffffffff8358d3de>] pfkey_sendmsg+0xfe/0xae0 net/key/af_key.c:3665
 [<ffffffff82f1e1fc>] sock_sendmsg_nosec net/socket.c:625 [inline]
 [<ffffffff82f1e1fc>] sock_sendmsg+0xcc/0x110 net/socket.c:635
 [<ffffffff82f1fcc5>] ___sys_sendmsg+0x745/0x880 net/socket.c:1962
 [<ffffffff82f21d66>] __sys_sendmsg+0xd6/0x190 net/socket.c:1996
 [<ffffffff82f21e4d>] SYSC_sendmsg net/socket.c:2007 [inline]
 [<ffffffff82f21e4d>] SyS_sendmsg+0x2d/0x50 net/socket.c:2003
 [<ffffffff838c2825>] entry_SYSCALL_64_fastpath+0x22/0x9e

Freed by task 2026:
 [<ffffffff810341d6>] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:63
 [<ffffffff814f8873>] save_stack+0x43/0xd0 mm/kasan/kasan.c:512
 [<ffffffff814f91a2>] set_track mm/kasan/kasan.c:524 [inline]
 [<ffffffff814f91a2>] kasan_slab_free+0x72/0xc0 mm/kasan/kasan.c:589
 [<ffffffff814f66a4>] slab_free_hook mm/slub.c:1383 [inline]
 [<ffffffff814f66a4>] slab_free_freelist_hook mm/slub.c:1405 [inline]
 [<ffffffff814f66a4>] slab_free mm/slub.c:2859 [inline]
 [<ffffffff814f66a4>] kfree+0xf4/0x310 mm/slub.c:3749
 [<ffffffff82f371d4>] skb_free_head net/core/skbuff.c:571 [inline]
 [<ffffffff82f371d4>] skb_release_data+0x304/0x3b0 net/core/skbuff.c:602
 [<ffffffff82f372ca>] skb_release_all+0x4a/0x60 net/core/skbuff.c:661
 [<ffffffff82f378d3>] __kfree_skb net/core/skbuff.c:675 [inline]
 [<ffffffff82f378d3>] consume_skb+0xf3/0x3d0 net/core/skbuff.c:748
 [<ffffffff830b1ff2>] netlink_broadcast_filtered+0x2b2/0x9c0 net/netlink/af_netlink.c:1479
 [<ffffffff81e181d8>] kobject_uevent_env+0x6d8/0xb80 lib/kobject_uevent.c:316
 [<ffffffff81e1869f>] kobject_uevent+0x1f/0x30 lib/kobject_uevent.c:374
 [<ffffffff824b00aa>] uevent_store+0x8a/0xe0 drivers/base/core.c:420
 [<ffffffff824abc1e>] dev_attr_store+0x5e/0x90 drivers/base/core.c:137
 [<ffffffff816a80f4>] sysfs_kf_write+0x114/0x180 fs/sysfs/file.c:141
 [<ffffffff816a5893>] kernfs_fop_write+0x2b3/0x400 fs/kernfs/file.c:312
 [<ffffffff8151cbbc>] __vfs_write+0x11c/0x3f0 fs/read_write.c:489
 [<ffffffff8151e991>] vfs_write+0x191/0x4e0 fs/read_write.c:538
 [<ffffffff81520f99>] SYSC_write fs/read_write.c:585 [inline]
 [<ffffffff81520f99>] SyS_write+0xd9/0x1c0 fs/read_write.c:577
 [<ffffffff838c2825>] entry_SYSCALL_64_fastpath+0x22/0x9e

The buggy address belongs to the object at ffff8800b8dbe780
 which belongs to the cache kmalloc-512 of size 512
The buggy address is located 64 bytes inside of
 512-byte region [ffff8800b8dbe780, ffff8800b8dbe980)
The buggy address belongs to the page:

=================================
[ INFO: inconsistent lock state ]
4.4.136-gfb7e319 #59 Not tainted
---------------------------------
inconsistent {IN-SOFTIRQ-R} -> {SOFTIRQ-ON-W} usage.
syz-executor0/3918 [HC0[0]:SC0[0]:HE1:SE1] takes:
 (&(&n->hh.hh_lock)->seqcount){+.+-..}, at: [<ffffffff814a69f5>] i_mmap_lock_write include/linux/fs.h:520 [inline]
 (&(&n->hh.hh_lock)->seqcount){+.+-..}, at: [<ffffffff814a69f5>] unlink_file_vma+0x75/0xb0 mm/mmap.c:273
{IN-SOFTIRQ-R} state was registered at:
  [<ffffffff812300d1>] mark_irqflags kernel/locking/lockdep.c:2799 [inline]
  [<ffffffff812300d1>] __lock_acquire+0x10a1/0x5270 kernel/locking/lockdep.c:3169
  [<ffffffff81235a7e>] lock_acquire+0x15e/0x450 kernel/locking/lockdep.c:3592
  [<ffffffff8342a335>] seqcount_lockdep_reader_access include/linux/seqlock.h:80 [inline]
  [<ffffffff8342a335>] read_seqcount_begin include/linux/seqlock.h:163 [inline]
  [<ffffffff8342a335>] read_seqbegin include/linux/seqlock.h:430 [inline]
  [<ffffffff8342a335>] neigh_hh_output include/net/neighbour.h:455 [inline]
  [<ffffffff8342a335>] dst_neigh_output include/net/dst.h:459 [inline]
  [<ffffffff8342a335>] ip6_finish_output2+0xf35/0x1ca0 net/ipv6/ip6_output.c:113
  [<ffffffff83433368>] ip6_finish_output+0x3b8/0x760 net/ipv6/ip6_output.c:131
  [<ffffffff834338c8>] NF_HOOK_COND include/linux/netfilter.h:240 [inline]
  [<ffffffff834338c8>] ip6_output+0x1b8/0x520 net/ipv6/ip6_output.c:145
  [<ffffffff834aed7f>] dst_output include/net/dst.h:498 [inline]
  [<ffffffff834aed7f>] NF_HOOK_THRESH.constprop.41+0x11f/0x310 include/linux/netfilter.h:226
  [<ffffffff834b1009>] NF_HOOK include/linux/netfilter.h:249 [inline]
  [<ffffffff834b1009>] mld_sendpack+0x649/0xbd0 net/ipv6/mcast.c:1646
  [<ffffffff834b2c2a>] mld_send_cr net/ipv6/mcast.c:1932 [inline]
  [<ffffffff834b2c2a>] mld_ifc_timer_expire+0x3ba/0x740 net/ipv6/mcast.c:2430
  [<ffffffff81290a8c>] call_timer_fn+0x18c/0x870 kernel/time/timer.c:1185
  [<ffffffff812917b2>] __run_timers kernel/time/timer.c:1261 [inline]
  [<ffffffff812917b2>] run_timer_softirq+0x642/0xb90 kernel/time/timer.c:1444
  [<ffffffff838c5cec>] __do_softirq+0x22c/0xa1a kernel/softirq.c:273
  [<ffffffff8113f8ad>] invoke_softirq kernel/softirq.c:350 [inline]
  [<ffffffff8113f8ad>] irq_exit+0x10d/0x140 kernel/softirq.c:391
  [<ffffffff838c5451>] exiting_irq arch/x86/include/asm/apic.h:653 [inline]
  [<ffffffff838c5451>] smp_apic_timer_interrupt+0x81/0xa0 arch/x86/kernel/apic/apic.c:926
  [<ffffffff838c4390>] apic_timer_interrupt+0xa0/0xb0 arch/x86/entry/entry_64.S:741
  [<ffffffff81025da5>] arch_safe_halt arch/x86/include/asm/paravirt.h:117 [inline]
  [<ffffffff81025da5>] default_idle+0x55/0x3c0 arch/x86/kernel/process.c:290
  [<ffffffff810272f0>] arch_cpu_idle+0x10/0x20 arch/x86/kernel/process.c:281
  [<ffffffff8121bc07>] default_idle_call+0x57/0x70 kernel/sched/idle.c:93
  [<ffffffff8121c3af>] cpuidle_idle_call kernel/sched/idle.c:157 [inline]
  [<ffffffff8121c3af>] cpu_idle_loop kernel/sched/idle.c:253 [inline]
  [<ffffffff8121c3af>] cpu_startup_entry+0x6af/0x780 kernel/sched/idle.c:301
  [<ffffffff838af961>] rest_init+0x188/0x18e init/main.c:410
  [<ffffffff84a4b8a1>] start_kernel+0x6b3/0x6e7 init/main.c:682
  [<ffffffff84a4a30f>] x86_64_start_reservations+0x29/0x2b arch/x86/kernel/head64.c:196
  [<ffffffff84a4a450>] x86_64_start_kernel+0x13f/0x162 arch/x86/kernel/head64.c:185
irq event stamp: 784011
hardirqs last  enabled at (784011): [<ffffffff81433b18>] buffered_rmqueue mm/page_alloc.c:2339 [inline]
hardirqs last  enabled at (784011): [<ffffffff81433b18>] get_page_from_freelist+0x798/0x1a60 mm/page_alloc.c:2661
hardirqs last disabled at (784010): [<ffffffff81433830>] buffered_rmqueue mm/page_alloc.c:2283 [inline]
hardirqs last disabled at (784010): [<ffffffff81433830>] get_page_from_freelist+0x4b0/0x1a60 mm/page_alloc.c:2661
softirqs last  enabled at (783854): [<ffffffff838c5f9f>] __do_softirq+0x4df/0xa1a kernel/softirq.c:299
softirqs last disabled at (783843): [<ffffffff8113f8ad>] invoke_softirq kernel/softirq.c:350 [inline]
softirqs last disabled at (783843): [<ffffffff8113f8ad>] irq_exit+0x10d/0x140 kernel/softirq.c:391

other info that might help us debug this:
 Possible unsafe locking scenario:

       CPU0
       ----
  lock(&(&n->hh.hh_lock)->seqcount);
  <Interrupt>
    lock(&(&n->hh.hh_lock)->seqcount);

 *** DEADLOCK ***

no locks held by syz-executor0/3918.

stack backtrace:
CPU: 0 PID: 3918 Comm: syz-executor0 Not tainted 4.4.136-gfb7e319 #59
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 0000000000000000 c3133ed6b53d28a3 ffff8801bc847878 ffffffff81e0edad
 ffff8801d6d20000 ffffffff853e6ce0 ffff8801d6d208e0 ffff8801d6d20900
 0000000000000001 ffff8801bc8478e8 ffffffff8140fa6f 0000000000000000
Call Trace:
 [<ffffffff81e0edad>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81e0edad>] dump_stack+0xc1/0x124 lib/dump_stack.c:51
 [<ffffffff8140fa6f>] print_usage_bug.cold.55+0x327/0x421 kernel/locking/lockdep.c:2267
 [<ffffffff8122d472>] valid_state kernel/locking/lockdep.c:2280 [inline]
 [<ffffffff8122d472>] mark_lock_irq kernel/locking/lockdep.c:2493 [inline]
 [<ffffffff8122d472>] mark_lock+0x2f2/0x1280 kernel/locking/lockdep.c:2933
 [<ffffffff8123015e>] mark_irqflags kernel/locking/lockdep.c:2817 [inline]
 [<ffffffff8123015e>] __lock_acquire+0x112e/0x5270 kernel/locking/lockdep.c:3169
 [<ffffffff81235a7e>] lock_acquire+0x15e/0x450 kernel/locking/lockdep.c:3592
 [<ffffffff838bdbe1>] down_write+0x41/0xa0 kernel/locking/rwsem.c:49
 [<ffffffff814a69f5>] i_mmap_lock_write include/linux/fs.h:520 [inline]
 [<ffffffff814a69f5>] unlink_file_vma+0x75/0xb0 mm/mmap.c:273
 [<ffffffff814945ee>] free_pgtables+0xee/0x330 mm/memory.c:541
 [<ffffffff814b0298>] exit_mmap+0x1d8/0x3a0 mm/mmap.c:2928
 [<ffffffff81125508>] __mmput kernel/fork.c:715 [inline]
 [<ffffffff81125508>] mmput+0xf8/0x2d0 kernel/fork.c:735
 [<ffffffff81135178>] exit_mm kernel/exit.c:444 [inline]
 [<ffffffff81135178>] do_exit+0x8d8/0x26b0 kernel/exit.c:746
 [<ffffffff8113b1d1>] do_group_exit+0x111/0x330 kernel/exit.c:889
 [<ffffffff8113b40d>] SYSC_exit_group kernel/exit.c:900 [inline]
 [<ffffffff8113b40d>] SyS_exit_group+0x1d/0x20 kernel/exit.c:898
 [<ffffffff838c2825>] entry_SYSCALL_64_fastpath+0x22/0x9e
BUG: unable to handle kernel paging request at fffffffd4b808900
IP: [<ffffffff81224cb5>] cpuacct_charge+0x155/0x380 kernel/sched/cpuacct.c:247
PGD 440f067 PUD 0 
Oops: 0000 [#1] PREEMPT SMP KASAN
Dumping ftrace buffer:
   (ftrace buffer empty)
Modules linked in:
CPU: 0 PID: 3918 Comm: syz-executor0 Not tainted 4.4.136-gfb7e319 #59
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
task: ffff8801d6d20000 task.stack: ffff8801bc840000
RIP: 0010:[<ffffffff81224cb5>]  [<ffffffff81224cb5>] cpuacct_charge+0x155/0x380 kernel/sched/cpuacct.c:247
RSP: 0018:ffff8801db207a00  EFLAGS: 00010046
RAX: 1ffffffff089500f RBX: 0000000000018528 RCX: ffffffff84a14d00
RDX: fffffbffa9701120 RSI: fffffffd4b808900 RDI: ffffffff844a8078
RBP: ffff8801db207a40 R08: 0000000000000000 R09: 0000000000000001
R10: 0000000000000000 R11: ffff8801d6d20000 R12: ffffffff844a7fa0
R13: dffffc0000000000 R14: 000000002602bc38 R15: ffffffffb8dbe780
FS:  0000000000000000(0000) GS:ffff8801db200000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: fffffffd4b808900 CR3: 00000000baeb3000 CR4: 00000000001606f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Stack:
 ffffffff81224bc0 ffffffff811f10ac ffff88021fffd01b ffff8801d6ad8060
 ffff8801d6ad8000 000000002602bc38 ffff8801d6ad80b0 0000000000000000
 ffff8801db207a88 ffffffff811d9239 0000000000000005 ffff8801db31f4d8
Call Trace:
 <IRQ> 
 [<ffffffff811d9239>] update_curr+0x2c9/0x6d0 kernel/sched/fair.c:882
 [<ffffffff811e443a>] enqueue_entity kernel/sched/fair.c:3512 [inline]
 [<ffffffff811e443a>] enqueue_task_fair+0x2fa/0x2790 kernel/sched/fair.c:4695
 [<ffffffff811bb91d>] enqueue_task kernel/sched/core.c:858 [inline]
 [<ffffffff811bb91d>] activate_task+0x14d/0x280 kernel/sched/core.c:874
 [<ffffffff811bc94f>] ttwu_activate kernel/sched/core.c:1736 [inline]
 [<ffffffff811bc94f>] ttwu_do_activate.constprop.109+0xbf/0x1e0 kernel/sched/core.c:1789
 [<ffffffff811bfb60>] ttwu_queue kernel/sched/core.c:1934 [inline]
 [<ffffffff811bfb60>] try_to_wake_up+0x660/0xf00 kernel/sched/core.c:2068
 [<ffffffff811c0585>] default_wake_function+0x35/0x50 kernel/sched/core.c:3498
 [<ffffffff8121b383>] autoremove_wake_function+0x13/0x90 kernel/sched/wait.c:293
 [<ffffffff81219ed6>] __wake_up_common+0xb6/0x150 kernel/sched/wait.c:73
 [<ffffffff81219fa4>] __wake_up+0x34/0x50 kernel/sched/wait.c:95
 [<ffffffff8125e8f0>] wake_up_klogd_work_func+0x80/0x90 kernel/printk/printk.c:2736
 [<ffffffff813d54a7>] irq_work_run_list+0xd7/0x140 kernel/irq_work.c:156
 [<ffffffff813d5b26>] irq_work_tick+0x116/0x170 kernel/irq_work.c:182
 [<ffffffff8129a809>] update_process_times+0x69/0x70 kernel/time/timer.c:1430
 [<ffffffff812c5195>] tick_sched_handle.isra.15+0x55/0xf0 kernel/time/tick-sched.c:151
 [<ffffffff812c5822>] tick_sched_timer+0x72/0x120 kernel/time/tick-sched.c:1097
 [<ffffffff8129dd4d>] __run_hrtimer kernel/time/hrtimer.c:1261 [inline]
 [<ffffffff8129dd4d>] __hrtimer_run_queues+0x3ad/0x1000 kernel/time/hrtimer.c:1325
 [<ffffffff8129f4c1>] hrtimer_interrupt+0x1b1/0x430 kernel/time/hrtimer.c:1359
 [<ffffffff810ad614>] local_apic_timer_interrupt+0x74/0xa0 arch/x86/kernel/apic/apic.c:901
 [<ffffffff838c544c>] smp_apic_timer_interrupt+0x7c/0xa0 arch/x86/kernel/apic/apic.c:925
 [<ffffffff838c4390>] apic_timer_interrupt+0xa0/0xb0 arch/x86/entry/entry_64.S:741
 <EOI> 
 [<ffffffff838bdbe1>] down_write+0x41/0xa0 kernel/locking/rwsem.c:49
 [<ffffffff814a69f5>] i_mmap_lock_write include/linux/fs.h:520 [inline]
 [<ffffffff814a69f5>] unlink_file_vma+0x75/0xb0 mm/mmap.c:273
 [<ffffffff814945ee>] free_pgtables+0xee/0x330 mm/memory.c:541
 [<ffffffff814b0298>] exit_mmap+0x1d8/0x3a0 mm/mmap.c:2928
 [<ffffffff81125508>] __mmput kernel/fork.c:715 [inline]
 [<ffffffff81125508>] mmput+0xf8/0x2d0 kernel/fork.c:735
 [<ffffffff81135178>] exit_mm kernel/exit.c:444 [inline]
 [<ffffffff81135178>] do_exit+0x8d8/0x26b0 kernel/exit.c:746
 [<ffffffff8113b1d1>] do_group_exit+0x111/0x330 kernel/exit.c:889
 [<ffffffff8113b40d>] SYSC_exit_group kernel/exit.c:900 [inline]
 [<ffffffff8113b40d>] SyS_exit_group+0x1d/0x20 kernel/exit.c:898
 [<ffffffff838c2825>] entry_SYSCALL_64_fastpath+0x22/0x9e
Code: 49 8d bc 24 d8 00 00 00 48 89 f8 48 c1 e8 03 42 80 3c 28 00 0f 85 c4 01 00 00 49 8b 9c 24 d8 00 00 00 80 3a 00 0f 85 8f 01 00 00 <4a> 03 1c f9 48 89 d8 48 c1 e8 03 42 80 3c 28 00 0f 85 be 01 00 
RIP  [<ffffffff81224cb5>] cpuacct_charge+0x155/0x380 kernel/sched/cpuacct.c:247
 RSP <ffff8801db207a00>
CR2: fffffffd4b808900
---[ end trace 80c510ec26f8703a ]---