binder_alloc: 4128: binder_alloc_buf size 3472328296227680328 failed, no address space binder_alloc: allocated: 0 (num: 0 largest: 0), free: 12288 (num: 1 largest: 12288) binder: 4128:4131 transaction failed 29201/-28, size 0-24 line 3137 binder: undelivered TRANSACTION_ERROR: 29201 ================================================================== BUG: KASAN: use-after-free in ifname_compare_aligned include/linux/netfilter/x_tables.h:362 [inline] BUG: KASAN: use-after-free in ip6_packet_match net/ipv6/netfilter/ip6_tables.c:124 [inline] BUG: KASAN: use-after-free in ip6t_do_table+0x1545/0x1860 net/ipv6/netfilter/ip6_tables.c:382 Read of size 8 at addr ffff8801d690c000 by task syz-executor.0/4140 CPU: 1 PID: 4140 Comm: syz-executor.0 Not tainted 4.4.174+ #17 0000000000000000 ebacb167fb373eec ffff8800a6577028 ffffffff81aad1a1 0000000000000000 ffffea00075a4300 ffff8801d690c000 0000000000000008 dffffc0000000000 ffff8800a6577060 ffffffff81490120 0000000000000000 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xc1/0x120 lib/dump_stack.c:51 [] print_address_description+0x6f/0x21b mm/kasan/report.c:252 [] kasan_report_error mm/kasan/report.c:351 [inline] [] kasan_report mm/kasan/report.c:408 [inline] [] kasan_report.cold+0x8c/0x2be mm/kasan/report.c:393 [] __asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:429 [] ifname_compare_aligned include/linux/netfilter/x_tables.h:362 [inline] [] ip6_packet_match net/ipv6/netfilter/ip6_tables.c:124 [inline] [] ip6t_do_table+0x1545/0x1860 net/ipv6/netfilter/ip6_tables.c:382 [] ip6t_mangle_out net/ipv6/netfilter/ip6table_mangle.c:60 [inline] [] ip6table_mangle_hook+0x2d6/0x710 net/ipv6/netfilter/ip6table_mangle.c:82 [] nf_iterate+0x186/0x220 net/netfilter/core.c:274 [] nf_hook_slow+0x1b6/0x340 net/netfilter/core.c:306 [] nf_hook_thresh include/linux/netfilter.h:187 [inline] [] nf_hook include/linux/netfilter.h:197 [inline] [] __ip6_local_out+0x309/0x4b0 net/ipv6/output_core.c:157 [] 
ip6_local_out+0x29/0x180 net/ipv6/output_core.c:167 [] ip6_send_skb+0xa2/0x340 net/ipv6/ip6_output.c:1725 [] udp_v6_send_skb+0x438/0xe90 net/ipv6/udp.c:1066 [] udp_v6_push_pending_frames+0x245/0x360 net/ipv6/udp.c:1098 [] udpv6_sendmsg+0x1a37/0x24f0 net/ipv6/udp.c:1358 [] inet_sendmsg+0x202/0x4d0 net/ipv4/af_inet.c:755 [] sock_sendmsg_nosec net/socket.c:638 [inline] [] sock_sendmsg+0xbe/0x110 net/socket.c:648 [] ___sys_sendmsg+0x369/0x890 net/socket.c:1975 [] __sys_sendmmsg+0x1d6/0x2e0 net/socket.c:2053 [] C_SYSC_sendmmsg net/compat.c:731 [inline] [] compat_SyS_sendmmsg+0x32/0x40 net/compat.c:728 [] do_syscall_32_irqs_on arch/x86/entry/common.c:330 [inline] [] do_fast_syscall_32+0x32d/0xa90 arch/x86/entry/common.c:397 [] sysenter_flags_fixed+0xd/0x1a Allocated by task 4124: [] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:63 [] save_stack mm/kasan/kasan.c:512 [inline] [] set_track mm/kasan/kasan.c:524 [inline] [] kasan_kmalloc.part.0+0x62/0xf0 mm/kasan/kasan.c:616 [] kasan_kmalloc+0xb7/0xd0 mm/kasan/kasan.c:601 [] kasan_krealloc+0x60/0x80 mm/kasan/kasan.c:654 [] ksize+0x8a/0xf0 mm/slub.c:3727 [] __alloc_skb+0x139/0x5d0 net/core/skbuff.c:237 [] alloc_skb include/linux/skbuff.h:820 [inline] [] alloc_skb_with_frags+0xb0/0x4f0 net/core/skbuff.c:4540 [] sock_alloc_send_pskb+0x640/0x7d0 net/core/sock.c:1886 [] sock_alloc_send_skb+0x32/0x40 net/core/sock.c:1903 [] __ip6_append_data.isra.0+0x1ff5/0x33f0 net/ipv6/ip6_output.c:1460 [] ip6_make_skb+0x247/0x3f0 net/ipv6/ip6_output.c:1807 [] udpv6_sendmsg+0x1e0a/0x24f0 net/ipv6/udp.c:1324 [] inet_sendmsg+0x202/0x4d0 net/ipv4/af_inet.c:755 [] sock_sendmsg_nosec net/socket.c:638 [inline] [] sock_sendmsg+0xbe/0x110 net/socket.c:648 [] ___sys_sendmsg+0x369/0x890 net/socket.c:1975 [] __sys_sendmmsg+0x1d6/0x2e0 net/socket.c:2053 [] C_SYSC_sendmmsg net/compat.c:731 [inline] [] compat_SyS_sendmmsg+0x32/0x40 net/compat.c:728 [] do_syscall_32_irqs_on arch/x86/entry/common.c:330 [inline] [] do_fast_syscall_32+0x32d/0xa90 
arch/x86/entry/common.c:397 [] sysenter_flags_fixed+0xd/0x1a Freed by task 4124: [] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:63 [] save_stack mm/kasan/kasan.c:512 [inline] [] set_track mm/kasan/kasan.c:524 [inline] [] kasan_slab_free+0xb0/0x190 mm/kasan/kasan.c:589 [] slab_free_hook mm/slub.c:1383 [inline] [] slab_free_freelist_hook mm/slub.c:1405 [inline] [] slab_free mm/slub.c:2859 [inline] [] kfree+0xf4/0x310 mm/slub.c:3749 [] skb_free_head net/core/skbuff.c:571 [inline] [] skb_release_data+0x2e6/0x380 net/core/skbuff.c:602 [] skb_release_all+0x4d/0x60 net/core/skbuff.c:661 [] __kfree_skb net/core/skbuff.c:675 [inline] [] kfree_skb+0xf7/0x400 net/core/skbuff.c:696 [] vti_xmit net/ipv4/ip_vti.c:211 [inline] [] vti_tunnel_xmit+0x318/0x13b0 net/ipv4/ip_vti.c:243 [] __netdev_start_xmit include/linux/netdevice.h:3750 [inline] [] netdev_start_xmit include/linux/netdevice.h:3759 [inline] [] xmit_one net/core/dev.c:2781 [inline] [] dev_hard_start_xmit+0x7c1/0x11e0 net/core/dev.c:2797 [] __dev_queue_xmit+0x164b/0x1bb0 net/core/dev.c:3229 [] dev_queue_xmit+0x18/0x20 net/core/dev.c:3263 [] neigh_direct_output+0x16/0x20 net/core/neighbour.c:1369 [] dst_neigh_output include/net/dst.h:461 [inline] [] ip6_finish_output2+0x9c7/0x1dc0 net/ipv6/ip6_output.c:113 [] ip6_finish_output+0x2f3/0x750 net/ipv6/ip6_output.c:131 [] NF_HOOK_COND include/linux/netfilter.h:240 [inline] [] ip6_output+0x1b4/0x520 net/ipv6/ip6_output.c:145 [] dst_output include/net/dst.h:498 [inline] [] ip6_local_out+0x9c/0x180 net/ipv6/output_core.c:169 [] ip6_send_skb+0xa2/0x340 net/ipv6/ip6_output.c:1725 [] udp_v6_send_skb+0x438/0xe90 net/ipv6/udp.c:1066 [] udpv6_sendmsg+0x1e3d/0x24f0 net/ipv6/udp.c:1330 [] inet_sendmsg+0x202/0x4d0 net/ipv4/af_inet.c:755 [] sock_sendmsg_nosec net/socket.c:638 [inline] [] sock_sendmsg+0xbe/0x110 net/socket.c:648 [] ___sys_sendmsg+0x369/0x890 net/socket.c:1975 [] __sys_sendmmsg+0x1d6/0x2e0 net/socket.c:2053 [] C_SYSC_sendmmsg net/compat.c:731 [inline] [] 
compat_SyS_sendmmsg+0x32/0x40 net/compat.c:728 [] do_syscall_32_irqs_on arch/x86/entry/common.c:330 [inline] [] do_fast_syscall_32+0x32d/0xa90 arch/x86/entry/common.c:397 [] sysenter_flags_fixed+0xd/0x1a The buggy address belongs to the object at ffff8801d690c000 which belongs to the cache kmalloc-512 of size 512 The buggy address is located 0 bytes inside of 512-byte region [ffff8801d690c000, ffff8801d690c200) The buggy address belongs to the page: kasan: CONFIG_KASAN_INLINE enabled kasan: GPF could be caused by NULL-ptr deref or user memory access general protection fault: 0000 [#1] PREEMPT SMP KASAN Modules linked in: CPU: 0 PID: 4106 Comm: syz-executor.5 Not tainted 4.4.174+ #17 task: ffff8801bb8a5f00 task.stack: ffff880000148000 RIP: 0010:[] [] read_pnet include/net/net_namespace.h:267 [inline] RIP: 0010:[] [] dev_net include/linux/netdevice.h:1894 [inline] RIP: 0010:[] [] __mkroute_output net/ipv4/route.c:2050 [inline] RIP: 0010:[] [] __ip_route_output_key_hash+0x5a6/0x2080 net/ipv4/route.c:2344 RSP: 0018:ffff8801db607918 EFLAGS: 00010203 RAX: dffffc0000000000 RBX: ffff8800b50bada8 RCX: ffff8801bb8a67c8 RDX: 09ebe8eaa84bea45 RSI: ffffffff823a3e7f RDI: 4f5f4755425f522e RBP: ffff8801db607a08 R08: 0000000000000006 R09: 0000000000000001 R10: 0000000000000000 R11: 0000000000000002 R12: 4f5f4755425f4d56 R13: ffff8800a647b5f0 R14: ffffffff82891be0 R15: ffff8801db6079e0 FS: 0000000000000000(0000) GS:ffff8801db600000(0063) knlGS:00000000f5573b40 CS: 0010 DS: 002b ES: 002b CR0: 0000000080050033 CR2: 00007ffe86e94fbc CR3: 00000001d60fa000 CR4: 00000000001606b0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Stack: ffffffff823a3bcc ffffffff810e1a8a ffff00028271b24e ffff8800ba7cad00 ffff8800b50badd4 0000000080000000 ffff8800b50badd0 1ffff1003b6c0f2c ffff8800a647b300 0000000041b58ab3 ffffffff82ca12ae ffffffff823a3910 Call Trace: [] __ip_route_output_key include/net/route.h:124 [inline] []
ip_route_output_flow+0x2a/0xa0 net/ipv4/route.c:2431 [] ip_route_output_ports include/net/route.h:161 [inline] [] ip_queue_xmit+0x1174/0x1ab0 net/ipv4/ip_output.c:417 [] __tcp_transmit_skb+0x1904/0x2cf0 net/ipv4/tcp_output.c:1034 [] tcp_transmit_skb net/ipv4/tcp_output.c:1047 [inline] [] tcp_xmit_probe_skb+0x3ba/0x4a0 net/ipv4/tcp_output.c:3445 [] tcp_write_wakeup+0x187/0x5c0 net/ipv4/tcp_output.c:3495 [] tcp_send_probe0+0x26/0x3c0 net/ipv4/tcp_output.c:3509 [] tcp_probe_timer net/ipv4/tcp_timer.c:342 [inline] [] tcp_write_timer_handler+0x61b/0x700 net/ipv4/tcp_timer.c:547 [] tcp_write_timer+0xbd/0xd0 net/ipv4/tcp_timer.c:561 [] call_timer_fn+0x18d/0x850 kernel/time/timer.c:1185 [] __run_timers kernel/time/timer.c:1261 [inline] [] run_timer_softirq+0x51f/0xb70 kernel/time/timer.c:1444 [] __do_softirq+0x226/0xa3f kernel/softirq.c:273 [] invoke_softirq kernel/softirq.c:350 [inline] [] irq_exit+0x10a/0x150 kernel/softirq.c:391 [] exiting_irq arch/x86/include/asm/apic.h:652 [inline] [] smp_apic_timer_interrupt+0x7e/0xb0 arch/x86/kernel/apic/apic.c:926 [] apic_timer_interrupt+0x9d/0xb0 arch/x86/entry/entry_64.S:768 [] __might_fault mm/memory.c:3867 [inline] [] __might_fault+0x14d/0x1d0 mm/memory.c:3852 [] copy_from_user arch/x86/include/asm/uaccess.h:738 [inline] [] input_event_from_user drivers/input/input-compat.c:23 [inline] [] input_event_from_user+0x134/0x2b0 drivers/input/input-compat.c:17 [] uinput_inject_events drivers/input/misc/uinput.c:452 [inline] [] uinput_write+0x942/0xf60 drivers/input/misc/uinput.c:476 [] __vfs_write+0x116/0x3d0 fs/read_write.c:491 [] vfs_write+0x182/0x4e0 fs/read_write.c:540 [] SYSC_write fs/read_write.c:587 [inline] [] SyS_write+0xdc/0x1c0 fs/read_write.c:579 [] do_syscall_32_irqs_on arch/x86/entry/common.c:330 [inline] [] do_fast_syscall_32+0x32d/0xa90 arch/x86/entry/common.c:397 [] sysenter_flags_fixed+0xd/0x1a Code: df 48 c1 ea 03 80 3c 02 00 0f 85 27 18 00 00 48 b8 00 00 00 00 00 fc ff df 4d 8b 26 49 8d bc 24 d8 04 00 00 48 89 fa 
48 c1 ea 03 <80> 3c 02 00 0f 85 f7 17 00 00 4d 8b a4 24 d8 04 00 00 48 b8 00 RIP [] read_pnet include/net/net_namespace.h:267 [inline] RIP [] dev_net include/linux/netdevice.h:1894 [inline] RIP [] __mkroute_output net/ipv4/route.c:2050 [inline] RIP [] __ip_route_output_key_hash+0x5a6/0x2080 net/ipv4/route.c:2344 RSP BUG: unable to handle kernel paging request at fffffffb8d2facf0 IP: [] cpuacct_charge+0x14e/0x360 kernel/sched/cpuacct.c:247 PGD 2e0d067 PUD 0 Oops: 0000 [#2] PREEMPT SMP KASAN Modules linked in: CPU: 0 PID: 4106 Comm: syz-executor.5 Tainted: G D 4.4.174+ #17 task: ffff8801bb8a5f00 task.stack: ffff880000148000 RIP: 0010:[] [] cpuacct_charge+0x14e/0x360 kernel/sched/cpuacct.c:247 RSP: 0018:ffff8801db6070e8 EFLAGS: 00010046 RAX: 1ffffffff05d2a33 RBX: 00000000000181a8 RCX: fffffffb8d2facf0 RDX: fffffbff71a5f59e RSI: 0000000000000000 RDI: ffffffff82e95198 RBP: ffff8801db607128 R08: 0000000000000000 R09: 0000000000000001 R10: ffffffff82836880 R11: ffffffff831a5078 R12: ffffffff82e950c0 R13: dffffc0000000000 R14: 000000004bd54eb6 R15: ffffffff8142ac16 FS: 0000000000000000(0000) GS:ffff8801db600000(0063) knlGS:00000000f5573b40 CS: 0010 DS: 002b ES: 002b CR0: 0000000080050033 CR2: fffffffb8d2facf0 CR3: 00000001d60fa000 CR4: 00000000001606b0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Stack: ffffffff811f4630 ffffffff82ba5a2e 0000000000000066 ffff8801d3fc1820 ffff8801d3fc17c0 000000004bd54eb6 ffff8801d3fc1870 0000000000000000 ffff8801db607170 ffffffff8117c4a3 0000000000000001 0000000000000000 Call Trace: [] update_curr+0x2c3/0x6e0 kernel/sched/fair.c:882 [] enqueue_entity kernel/sched/fair.c:3512 [inline] [] enqueue_task_fair+0x10f/0xb6c0 kernel/sched/fair.c:4711 [] enqueue_task kernel/sched/core.c:858 [inline] [] activate_task+0x154/0x280 kernel/sched/core.c:874 [] ttwu_activate kernel/sched/core.c:1736 [inline] [] ttwu_do_activate.constprop.0+0xbe/0x1e0 
kernel/sched/core.c:1789 [] ttwu_queue kernel/sched/core.c:1934 [inline] [] try_to_wake_up+0x6d1/0x1110 kernel/sched/core.c:2068 [] default_wake_function+0x35/0x50 kernel/sched/core.c:3494 [] autoremove_wake_function+0x12/0x40 kernel/sched/wait.c:293 [] __wake_up_common+0xc0/0x160 kernel/sched/wait.c:73 [] __wake_up+0x34/0x50 kernel/sched/wait.c:95 [] wake_up_klogd_work_func kernel/printk/printk.c:2741 [inline] [] wake_up_klogd_work_func+0x80/0x90 kernel/printk/printk.c:2730 [] irq_work_run_list+0xd8/0x150 kernel/irq_work.c:156 [] irq_work_tick+0x11c/0x180 kernel/irq_work.c:182 [] update_process_times+0x6b/0x70 kernel/time/timer.c:1430 [] tick_sched_handle.isra.0+0x4a/0xf0 kernel/time/tick-sched.c:151 [] tick_sched_timer+0x7a/0x130 kernel/time/tick-sched.c:1097 [] __run_hrtimer kernel/time/hrtimer.c:1261 [inline] [] __hrtimer_run_queues+0x34e/0xfc0 kernel/time/hrtimer.c:1325 [] hrtimer_interrupt+0x1b6/0x450 kernel/time/hrtimer.c:1359 [] local_apic_timer_interrupt+0x76/0xa0 arch/x86/kernel/apic/apic.c:901 [] smp_apic_timer_interrupt+0x79/0xb0 arch/x86/kernel/apic/apic.c:925 [] apic_timer_interrupt+0x9d/0xb0 arch/x86/entry/entry_64.S:768 [] die.cold+0x21/0x2b arch/x86/kernel/dumpstack.c:316 [] do_general_protection+0x222/0x2b0 arch/x86/kernel/traps.c:463 [] general_protection+0x25/0x30 arch/x86/entry/entry_64.S:1063 [] __ip_route_output_key include/net/route.h:124 [inline] [] ip_route_output_flow+0x2a/0xa0 net/ipv4/route.c:2431 [] ip_route_output_ports include/net/route.h:161 [inline] [] ip_queue_xmit+0x1174/0x1ab0 net/ipv4/ip_output.c:417 [] __tcp_transmit_skb+0x1904/0x2cf0 net/ipv4/tcp_output.c:1034 [] tcp_transmit_skb net/ipv4/tcp_output.c:1047 [inline] [] tcp_xmit_probe_skb+0x3ba/0x4a0 net/ipv4/tcp_output.c:3445 [] tcp_write_wakeup+0x187/0x5c0 net/ipv4/tcp_output.c:3495 [] tcp_send_probe0+0x26/0x3c0 net/ipv4/tcp_output.c:3509 [] tcp_probe_timer net/ipv4/tcp_timer.c:342 [inline] [] tcp_write_timer_handler+0x61b/0x700 net/ipv4/tcp_timer.c:547 [] 
tcp_write_timer+0xbd/0xd0 net/ipv4/tcp_timer.c:561 [] call_timer_fn+0x18d/0x850 kernel/time/timer.c:1185 [] __run_timers kernel/time/timer.c:1261 [inline] [] run_timer_softirq+0x51f/0xb70 kernel/time/timer.c:1444 [] __do_softirq+0x226/0xa3f kernel/softirq.c:273 [] invoke_softirq kernel/softirq.c:350 [inline] [] irq_exit+0x10a/0x150 kernel/softirq.c:391 [] exiting_irq arch/x86/include/asm/apic.h:652 [inline] [] smp_apic_timer_interrupt+0x7e/0xb0 arch/x86/kernel/apic/apic.c:926 [] apic_timer_interrupt+0x9d/0xb0 arch/x86/entry/entry_64.S:768 [] __might_fault mm/memory.c:3867 [inline] [] __might_fault+0x14d/0x1d0 mm/memory.c:3852 [] copy_from_user arch/x86/include/asm/uaccess.h:738 [inline] [] input_event_from_user drivers/input/input-compat.c:23 [inline] [] input_event_from_user+0x134/0x2b0 drivers/input/input-compat.c:17 [] uinput_inject_events drivers/input/misc/uinput.c:452 [inline] [] uinput_write+0x942/0xf60 drivers/input/misc/uinput.c:476 [] __vfs_write+0x116/0x3d0 fs/read_write.c:491 [] vfs_write+0x182/0x4e0 fs/read_write.c:540 [] SYSC_write fs/read_write.c:587 [inline] [] SyS_write+0xdc/0x1c0 fs/read_write.c:579 [] do_syscall_32_irqs_on arch/x86/entry/common.c:330 [inline] [] do_fast_syscall_32+0x32d/0xa90 arch/x86/entry/common.c:397 [] sysenter_flags_fixed+0xd/0x1a Code: 49 8d bc 24 d8 00 00 00 48 89 f8 48 c1 e8 03 42 80 3c 28 00 0f 85 ba 01 00 00 49 8b 9c 24 d8 00 00 00 80 3a 00 0f 85 8c 01 00 00 <4a> 03 1c fd 40 4c 1a 83 48 89 d8 48 c1 e8 03 42 80 3c 28 00 0f RIP [] cpuacct_charge+0x14e/0x360 kernel/sched/cpuacct.c:247 RSP CR2: fffffffb8d2facf0 ---[ end trace d8576eb7e8090e6f ]---