==================================================================
BUG: KASAN: use-after-free in parse_ipsecrequest net/key/af_key.c:1906 [inline] at addr ffff8801ac8b5014
BUG: KASAN: use-after-free in parse_ipsecrequests+0xc7d/0xd00 net/key/af_key.c:1958 at addr ffff8801ac8b5014
Read of size 1 by task syz-executor1/23508
page:ffffea0006b22d40 count:0 mapcount:0 mapping: (null) index:0x0
flags: 0x200000000000000()
page dumped because: kasan: bad access detected
CPU: 1 PID: 23508 Comm: syz-executor1 Not tainted 4.9.39-g5b07c2d #4
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801a486f7b0 ffffffff81eacd59 ffffed0035916a02 0000000000000001
 0000000000000000 ffffed0035916a02 ffff8801ac8b5014 ffff8801a486f830
 ffffffff81547141 ffff8801a486f840 ffffffff833df72f ffffffff8358b4bd
Call Trace:
 __dump_stack lib/dump_stack.c:15 [inline]
 dump_stack+0xc1/0x128 lib/dump_stack.c:51
 print_address_description mm/kasan/report.c:208 [inline]
 kasan_report_error mm/kasan/report.c:287 [inline]
 kasan_report.part.1+0x4a1/0x4e0 mm/kasan/report.c:309
 kasan_report mm/kasan/report.c:327 [inline]
 __asan_report_load1_noabort+0x29/0x30 mm/kasan/report.c:327
 parse_ipsecrequest net/key/af_key.c:1906 [inline]
 parse_ipsecrequests+0xc7d/0xd00 net/key/af_key.c:1958
 pfkey_compile_policy+0xa20/0xd40 net/key/af_key.c:3250
 xfrm_user_policy+0x222/0x370 net/xfrm/xfrm_state.c:1900
 do_ip_setsockopt.isra.11+0x193e/0x28f0 net/ipv4/ip_sockglue.c:1146
 ip_setsockopt+0x3a/0xb0 net/ipv4/ip_sockglue.c:1235
 tcp_setsockopt+0x82/0xd0 net/ipv4/tcp.c:2701
 sock_common_setsockopt+0x95/0xd0 net/core/sock.c:2705
 SYSC_setsockopt net/socket.c:1771 [inline]
 SyS_setsockopt+0x158/0x240 net/socket.c:1750
 entry_SYSCALL_64_fastpath+0x23/0xc6
Memory state around the buggy address:
 ffff8801ac8b4f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff8801ac8b4f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff8801ac8b5000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                         ^
 ffff8801ac8b5080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff8801ac8b5100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================
==================================================================
BUG: KASAN: use-after-free in parse_ipsecrequest net/key/af_key.c:1906 [inline] at addr ffff8801ca1c0b54
BUG: KASAN: use-after-free in parse_ipsecrequests+0xc7d/0xd00 net/key/af_key.c:1958 at addr ffff8801ca1c0b54
Read of size 1 by task syz-executor1/23545
page:ffffea0007287000 count:0 mapcount:-127 mapping: (null) index:0xffff8801ca1c2200
flags: 0x200000000000000()
page dumped because: kasan: bad access detected
CPU: 1 PID: 23545 Comm: syz-executor1 Tainted: G B 4.9.39-g5b07c2d #4
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
binder_alloc: binder_alloc_mmap_handler: 23546 204f0000-204f4000 already mapped failed -16
binder_alloc: binder_alloc_mmap_handler: 23546 204f0000-204f4000 already mapped failed -16
 ffff8801acb377b0 ffffffff81eacd59 ffffed003943816a 0000000000000001
 0000000000000000 ffffed003943816a ffff8801ca1c0b54 ffff8801acb37830
 ffffffff81547141 ffff8801acb37840 ffffffff833df72f ffffffff8358b4bd
Call Trace:
 __dump_stack lib/dump_stack.c:15 [inline]
 dump_stack+0xc1/0x128 lib/dump_stack.c:51
 print_address_description mm/kasan/report.c:208 [inline]
 kasan_report_error mm/kasan/report.c:287 [inline]
 kasan_report.part.1+0x4a1/0x4e0 mm/kasan/report.c:309
 kasan_report mm/kasan/report.c:327 [inline]
 __asan_report_load1_noabort+0x29/0x30 mm/kasan/report.c:327
 parse_ipsecrequest net/key/af_key.c:1906 [inline]
 parse_ipsecrequests+0xc7d/0xd00 net/key/af_key.c:1958
 pfkey_compile_policy+0xa20/0xd40 net/key/af_key.c:3250
 xfrm_user_policy+0x222/0x370 net/xfrm/xfrm_state.c:1900
 do_ip_setsockopt.isra.11+0x193e/0x28f0 net/ipv4/ip_sockglue.c:1146
 ip_setsockopt+0x3a/0xb0 net/ipv4/ip_sockglue.c:1235
 tcp_setsockopt+0x82/0xd0 net/ipv4/tcp.c:2701
 sock_common_setsockopt+0x95/0xd0 net/core/sock.c:2705
 SYSC_setsockopt net/socket.c:1771 [inline]
 SyS_setsockopt+0x158/0x240 net/socket.c:1750
 entry_SYSCALL_64_fastpath+0x23/0xc6
Memory state around the buggy address:
 ffff8801ca1c0a00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff8801ca1c0a80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff8801ca1c0b00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                                                 ^
 ffff8801ca1c0b80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff8801ca1c0c00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================
binder: 23551:23556 ioctl 540f 20553000 returned -22
binder_alloc: binder_alloc_mmap_handler: 23573 204f0000-204f4000 already mapped failed -16
binder_alloc: binder_alloc_mmap_handler: 23578 204f0000-204f4000 already mapped failed -16
binder_alloc: binder_alloc_mmap_handler: 23573 204f0000-204f4000 already mapped failed -16
binder_alloc: binder_alloc_mmap_handler: 23578 204f0000-204f4000 already mapped failed -16
binder_alloc: binder_alloc_mmap_handler: 23593 204f0000-204f4000 already mapped failed -16
binder_alloc: binder_alloc_mmap_handler: 23593 204f0000-204f4000 already mapped failed -16
binder_alloc: binder_alloc_mmap_handler: 23597 204f0000-204f4000 already mapped failed -16
binder_alloc: binder_alloc_mmap_handler: 23597 204f0000-204f4000 already mapped failed -16
==================================================================
BUG: KASAN: use-after-free in parse_ipsecrequest net/key/af_key.c:1906 [inline] at addr ffff8801ca1c0c94
BUG: KASAN: use-after-free in parse_ipsecrequests+0xc7d/0xd00 net/key/af_key.c:1958 at addr ffff8801ca1c0c94
Read of size 1 by task syz-executor1/23596
page:ffffea0007287000 count:0 mapcount:-127 mapping: (null) index:0xffff8801ca1c2200
flags: 0x200000000000000()
page dumped because: kasan: bad access detected
CPU: 1 PID: 23596 Comm: syz-executor1 Tainted: G B 4.9.39-g5b07c2d #4
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff88019f5a77b0 ffffffff81eacd59 ffffed0039438192 0000000000000001
 0000000000000000 ffffed0039438192 ffff8801ca1c0c94 ffff88019f5a7830
 ffffffff81547141 ffff88019f5a7840 ffffffff833df72f ffffffff8358b4bd
Call Trace:
 __dump_stack lib/dump_stack.c:15 [inline]
 dump_stack+0xc1/0x128 lib/dump_stack.c:51
 print_address_description mm/kasan/report.c:208 [inline]
 kasan_report_error mm/kasan/report.c:287 [inline]
 kasan_report.part.1+0x4a1/0x4e0 mm/kasan/report.c:309
 kasan_report mm/kasan/report.c:327 [inline]
 __asan_report_load1_noabort+0x29/0x30 mm/kasan/report.c:327
 parse_ipsecrequest net/key/af_key.c:1906 [inline]
 parse_ipsecrequests+0xc7d/0xd00 net/key/af_key.c:1958
 pfkey_compile_policy+0xa20/0xd40 net/key/af_key.c:3250
 xfrm_user_policy+0x222/0x370 net/xfrm/xfrm_state.c:1900
 do_ip_setsockopt.isra.11+0x193e/0x28f0 net/ipv4/ip_sockglue.c:1146
 ip_setsockopt+0x3a/0xb0 net/ipv4/ip_sockglue.c:1235
 tcp_setsockopt+0x82/0xd0 net/ipv4/tcp.c:2701
 sock_common_setsockopt+0x95/0xd0 net/core/sock.c:2705
 SYSC_setsockopt net/socket.c:1771 [inline]
 SyS_setsockopt+0x158/0x240 net/socket.c:1750
 entry_SYSCALL_64_fastpath+0x23/0xc6
Memory state around the buggy address:
 ffff8801ca1c0b80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff8801ca1c0c00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff8801ca1c0c80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                         ^
 ffff8801ca1c0d00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff8801ca1c0d80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================
binder_alloc: binder_alloc_mmap_handler: 23608 204f0000-204f4000 already mapped failed -16
binder_alloc: binder_alloc_mmap_handler: 23608 204f0000-204f4000 already mapped failed -16
binder_alloc: binder_alloc_mmap_handler: 23609 204f0000-204f4000 already mapped failed -16
binder: 23551:23575 ioctl 540f 20553000 returned -22
binder_alloc: binder_alloc_mmap_handler: 23609 204f0000-204f4000 already mapped failed -16
==================================================================
BUG: KASAN: use-after-free in parse_ipsecrequest net/key/af_key.c:1906 [inline] at addr ffff8801d742d294
BUG: KASAN: use-after-free in parse_ipsecrequests+0xc7d/0xd00 net/key/af_key.c:1958 at addr ffff8801d742d294
Read of size 1 by task syz-executor1/23636
page:ffffea00075d0b40 count:0 mapcount:0 mapping: (null) index:0x0
flags: 0x200000000000000()
page dumped because: kasan: bad access detected
CPU: 1 PID: 23636 Comm: syz-executor1 Tainted: G B 4.9.39-g5b07c2d #4
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801a8ad77b0 ffffffff81eacd59 ffffed003ae85a52 0000000000000001
 0000000000000000 ffffed003ae85a52 ffff8801d742d294 ffff8801a8ad7830
 ffffffff81547141 ffff8801a8ad7840 ffffffff833df72f ffffffff8358b4bd
Call Trace:
 __dump_stack lib/dump_stack.c:15 [inline]
 dump_stack+0xc1/0x128 lib/dump_stack.c:51
 print_address_description mm/kasan/report.c:208 [inline]
 kasan_report_error mm/kasan/report.c:287 [inline]
 kasan_report.part.1+0x4a1/0x4e0 mm/kasan/report.c:309
 kasan_report mm/kasan/report.c:327 [inline]
 __asan_report_load1_noabort+0x29/0x30 mm/kasan/report.c:327
 parse_ipsecrequest net/key/af_key.c:1906 [inline]
 parse_ipsecrequests+0xc7d/0xd00 net/key/af_key.c:1958
 pfkey_compile_policy+0xa20/0xd40 net/key/af_key.c:3250
 xfrm_user_policy+0x222/0x370 net/xfrm/xfrm_state.c:1900
 do_ip_setsockopt.isra.11+0x193e/0x28f0 net/ipv4/ip_sockglue.c:1146
 ip_setsockopt+0x3a/0xb0 net/ipv4/ip_sockglue.c:1235
 tcp_setsockopt+0x82/0xd0 net/ipv4/tcp.c:2701
 sock_common_setsockopt+0x95/0xd0 net/core/sock.c:2705
 SYSC_setsockopt net/socket.c:1771 [inline]
 SyS_setsockopt+0x158/0x240 net/socket.c:1750
 entry_SYSCALL_64_fastpath+0x23/0xc6
Memory state around the buggy address:
 ffff8801d742d180: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff8801d742d200: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff8801d742d280: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                         ^
 ffff8801d742d300: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff8801d742d380: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================
==================================================================
BUG: KASAN: use-after-free in parse_ipsecrequest net/key/af_key.c:1906 [inline] at addr ffff8801cc309dd4
BUG: KASAN: use-after-free in parse_ipsecrequests+0xc7d/0xd00 net/key/af_key.c:1958 at addr ffff8801cc309dd4
Read of size 1 by task syz-executor1/23673
page:ffffea000730c240 count:0 mapcount:0 mapping: (null) index:0x0
flags: 0x200000000000000()
page dumped because: kasan: bad access detected
CPU: 0 PID: 23673 Comm: syz-executor1 Tainted: G B 4.9.39-g5b07c2d #4
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801a487f7b0 ffffffff81eacd59 ffffed00398613ba 0000000000000001
 0000000000000000 ffffed00398613ba ffff8801cc309dd4 ffff8801a487f830
 ffffffff81547141 ffff8801a487f840 ffffffff833df72f ffffffff8358b4bd
Call Trace:
 __dump_stack lib/dump_stack.c:15 [inline]
 dump_stack+0xc1/0x128 lib/dump_stack.c:51
 print_address_description mm/kasan/report.c:208 [inline]
 kasan_report_error mm/kasan/report.c:287 [inline]
 kasan_report.part.1+0x4a1/0x4e0 mm/kasan/report.c:309
 kasan_report mm/kasan/report.c:327 [inline]
 __asan_report_load1_noabort+0x29/0x30 mm/kasan/report.c:327
 parse_ipsecrequest net/key/af_key.c:1906 [inline]
 parse_ipsecrequests+0xc7d/0xd00 net/key/af_key.c:1958
 pfkey_compile_policy+0xa20/0xd40 net/key/af_key.c:3250
 xfrm_user_policy+0x222/0x370 net/xfrm/xfrm_state.c:1900
 do_ip_setsockopt.isra.11+0x193e/0x28f0 net/ipv4/ip_sockglue.c:1146
 ip_setsockopt+0x3a/0xb0 net/ipv4/ip_sockglue.c:1235
 tcp_setsockopt+0x82/0xd0 net/ipv4/tcp.c:2701
 sock_common_setsockopt+0x95/0xd0 net/core/sock.c:2705
 SYSC_setsockopt net/socket.c:1771 [inline]
 SyS_setsockopt+0x158/0x240 net/socket.c:1750
 entry_SYSCALL_64_fastpath+0x23/0xc6
Memory state around the buggy address:
 ffff8801cc309c80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff8801cc309d00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff8801cc309d80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                                                 ^
 ffff8801cc309e00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff8801cc309e80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================
==================================================================
BUG: KASAN: use-after-free in parse_ipsecrequest net/key/af_key.c:1906 [inline] at addr ffff8801d94f2c94
BUG: KASAN: use-after-free in parse_ipsecrequests+0xc7d/0xd00 net/key/af_key.c:1958 at addr ffff8801d94f2c94
Read of size 1 by task syz-executor1/23706
CPU: 0 PID: 23706 Comm: syz-executor1 Tainted: G B 4.9.39-g5b07c2d #4
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801cc37f788 ffffffff81eacd59 ffff8801daca0280 ffff8801d94f2c60
 ffff8801d94f2ca0 ffffed003b29e592 ffff8801d94f2c94 ffff8801cc37f7b0
 ffffffff81546bfc ffffed003b29e592 ffff8801daca0280 0000000000000000
Call Trace:
 __dump_stack lib/dump_stack.c:15 [inline]
 dump_stack+0xc1/0x128 lib/dump_stack.c:51
 kasan_object_err+0x1c/0x70 mm/kasan/report.c:160
 print_address_description mm/kasan/report.c:198 [inline]
 kasan_report_error mm/kasan/report.c:287 [inline]
 kasan_report.part.1+0x20d/0x4e0 mm/kasan/report.c:309
 kasan_report mm/kasan/report.c:327 [inline]
 __asan_report_load1_noabort+0x29/0x30 mm/kasan/report.c:327
 parse_ipsecrequest net/key/af_key.c:1906 [inline]
 parse_ipsecrequests+0xc7d/0xd00 net/key/af_key.c:1958
 pfkey_compile_policy+0xa20/0xd40 net/key/af_key.c:3250
 xfrm_user_policy+0x222/0x370 net/xfrm/xfrm_state.c:1900
 do_ip_setsockopt.isra.11+0x193e/0x28f0 net/ipv4/ip_sockglue.c:1146
 ip_setsockopt+0x3a/0xb0 net/ipv4/ip_sockglue.c:1235
 tcp_setsockopt+0x82/0xd0 net/ipv4/tcp.c:2701
 sock_common_setsockopt+0x95/0xd0 net/core/sock.c:2705
 SYSC_setsockopt net/socket.c:1771 [inline]
 SyS_setsockopt+0x158/0x240 net/socket.c:1750
 entry_SYSCALL_64_fastpath+0x23/0xc6
Object at ffff8801d94f2c60, in cache anon_vma_chain size: 64
Allocated:
PID = 23528
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:495
 set_track mm/kasan/kasan.c:507 [inline]
 kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598
 kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:537
 slab_post_alloc_hook mm/slab.h:417 [inline]
 slab_alloc_node mm/slub.c:2715 [inline]
 slab_alloc mm/slub.c:2723 [inline]
 kmem_cache_alloc+0xc9/0x2a0 mm/slub.c:2728
 anon_vma_chain_alloc mm/rmap.c:125 [inline]
 anon_vma_prepare+0xad/0x3c0 mm/rmap.c:180
 do_anonymous_page mm/memory.c:2752 [inline]
 handle_pte_fault mm/memory.c:3487 [inline]
 __handle_mm_fault mm/memory.c:3576 [inline]
 handle_mm_fault+0x1542/0x2400 mm/memory.c:3613
 __do_page_fault+0x4eb/0xbd0 arch/x86/mm/fault.c:1397
 do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1460
 page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1012
Freed:
PID = 23530
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:495
 set_track mm/kasan/kasan.c:507 [inline]
 kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:571
 slab_free_hook mm/slub.c:1355 [inline]
 slab_free_freelist_hook mm/slub.c:1377 [inline]
 slab_free mm/slub.c:2958 [inline]
 kmem_cache_free+0xb2/0x2e0 mm/slub.c:2980
 anon_vma_chain_free mm/rmap.c:130 [inline]
 unlink_anon_vmas+0x1de/0x5c0 mm/rmap.c:398
 free_pgtables+0x21e/0x330 mm/memory.c:566
 exit_mmap+0x212/0x3f0 mm/mmap.c:2986
 __mmput kernel/fork.c:863 [inline]
 mmput+0xfb/0x2e0 kernel/fork.c:885
 exit_mm kernel/exit.c:514 [inline]
 do_exit+0x741/0x2a50 kernel/exit.c:820
 do_group_exit+0x108/0x320 kernel/exit.c:937
 get_signal+0x55c/0x1600 kernel/signal.c:2315
 do_signal+0x7f/0x1940 arch/x86/kernel/signal.c:807
 exit_to_usermode_loop+0xe5/0x130 arch/x86/entry/common.c:156
 prepare_exit_to_usermode arch/x86/entry/common.c:190 [inline]
 syscall_return_slowpath+0x1a0/0x1e0 arch/x86/entry/common.c:259
 entry_SYSCALL_64_fastpath+0xc4/0xc6
Memory state around the buggy address:
 ffff8801d94f2b80: fc fc fc fc fb fb fb fb fb fb fb fb fc fc fc fc
 ffff8801d94f2c00: fb fb fb fb fb fb fb fb fc fc fc fc fb fb fb fb
>ffff8801d94f2c80: fb fb fb fb fc fc fc fc fb fb fb fb fb fb fb fb
                         ^
 ffff8801d94f2d00: fc fc fc fc fb fb fb fb fb fb fb fb fc fc fc fc
 ffff8801d94f2d80: fb fb fb fb fb fb fb fb fc fc fc fc fb fb fb fb
==================================================================
==================================================================
BUG: KASAN: slab-out-of-bounds in parse_ipsecrequest net/key/af_key.c:1906 [inline] at addr ffff8801d94f2a14
BUG: KASAN: slab-out-of-bounds in parse_ipsecrequests+0xc7d/0xd00 net/key/af_key.c:1958 at addr ffff8801d94f2a14
binder_alloc: binder_alloc_mmap_handler: 23737 2007d000-2007e000 already mapped failed -16
Read of size 1 by task syz-executor1/23728
CPU: 0 PID: 23728 Comm: syz-executor1 Tainted: G B 4.9.39-g5b07c2d #4
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801cfb77788 ffffffff81eacd59 ffff8801daca0280 ffff8801d94f29c0
 ffff8801d94f2a00 ffffed003b29e542 ffff8801d94f2a14 ffff8801cfb777b0
 ffffffff81546bfc ffffed003b29e542 ffff8801daca0280 0000000000000000
Call Trace:
 __dump_stack lib/dump_stack.c:15 [inline]
 dump_stack+0xc1/0x128 lib/dump_stack.c:51
 kasan_object_err+0x1c/0x70 mm/kasan/report.c:160
 print_address_description mm/kasan/report.c:198 [inline]
 kasan_report_error mm/kasan/report.c:287 [inline]
 kasan_report.part.1+0x20d/0x4e0 mm/kasan/report.c:309
 kasan_report mm/kasan/report.c:327 [inline]
 __asan_report_load1_noabort+0x29/0x30 mm/kasan/report.c:327
 parse_ipsecrequest net/key/af_key.c:1906 [inline]
 parse_ipsecrequests+0xc7d/0xd00 net/key/af_key.c:1958
 pfkey_compile_policy+0xa20/0xd40 net/key/af_key.c:3250
 xfrm_user_policy+0x222/0x370 net/xfrm/xfrm_state.c:1900
 do_ip_setsockopt.isra.11+0x193e/0x28f0 net/ipv4/ip_sockglue.c:1146
 ip_setsockopt+0x3a/0xb0 net/ipv4/ip_sockglue.c:1235
 tcp_setsockopt+0x82/0xd0 net/ipv4/tcp.c:2701
 sock_common_setsockopt+0x95/0xd0 net/core/sock.c:2705
 SYSC_setsockopt net/socket.c:1771 [inline]
 SyS_setsockopt+0x158/0x240 net/socket.c:1750
 entry_SYSCALL_64_fastpath+0x23/0xc6
Object at ffff8801d94f29c0, in cache anon_vma_chain size: 64
Allocated:
PID = 3566
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:495
 set_track mm/kasan/kasan.c:507 [inline]
 kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598
 kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:537
 slab_post_alloc_hook mm/slab.h:417 [inline]
 slab_alloc_node mm/slub.c:2715 [inline]
 slab_alloc mm/slub.c:2723 [inline]
 kmem_cache_alloc+0xc9/0x2a0 mm/slub.c:2728
 anon_vma_chain_alloc mm/rmap.c:125 [inline]
 anon_vma_clone+0xde/0x4a0 mm/rmap.c:266
 anon_vma_fork+0x87/0x4b0 mm/rmap.c:329
 dup_mmap kernel/fork.c:616 [inline]
 dup_mm kernel/fork.c:1135 [inline]
 copy_mm kernel/fork.c:1189 [inline]
 copy_process.part.39+0x2777/0x5f70 kernel/fork.c:1655
 copy_process kernel/fork.c:1482 [inline]
 _do_fork+0x1b8/0xd50 kernel/fork.c:1940
 SYSC_clone kernel/fork.c:2050 [inline]
 SyS_clone+0x37/0x50 kernel/fork.c:2044
 do_syscall_64+0x197/0x490 arch/x86/entry/common.c:280
 return_from_SYSCALL_64+0x0/0x7a
Freed:
PID = 23530
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:495
 set_track mm/kasan/kasan.c:507 [inline]
 kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:571
 slab_free_hook mm/slub.c:1355 [inline]
 slab_free_freelist_hook mm/slub.c:1377 [inline]
 slab_free mm/slub.c:2958 [inline]
 kmem_cache_free+0xb2/0x2e0 mm/slub.c:2980
 anon_vma_chain_free mm/rmap.c:130 [inline]
 unlink_anon_vmas+0x1de/0x5c0 mm/rmap.c:398
 free_pgtables+0x21e/0x330 mm/memory.c:566
 exit_mmap+0x212/0x3f0 mm/mmap.c:2986
 __mmput kernel/fork.c:863 [inline]
 mmput+0xfb/0x2e0 kernel/fork.c:885
 exit_mm kernel/exit.c:514 [inline]
 do_exit+0x741/0x2a50 kernel/exit.c:820
 do_group_exit+0x108/0x320 kernel/exit.c:937
 get_signal+0x55c/0x1600 kernel/signal.c:2315
 do_signal+0x7f/0x1940 arch/x86/kernel/signal.c:807
 exit_to_usermode_loop+0xe5/0x130 arch/x86/entry/common.c:156
 prepare_exit_to_usermode arch/x86/entry/common.c:190 [inline]
 syscall_return_slowpath+0x1a0/0x1e0 arch/x86/entry/common.c:259
 entry_SYSCALL_64_fastpath+0xc4/0xc6
Memory state around the buggy address:
 ffff8801d94f2900: fb fb fb fb fb fb fb fb fc fc fc fc fb fb fb fb
 ffff8801d94f2980: fb fb fb fb fc fc fc fc fb fb fb fb fb fb fb fb
>ffff8801d94f2a00: fc fc fc fc fb fb fb fb fb fb fb fb fc fc fc fc
                         ^
 ffff8801d94f2a80: fb fb fb fb fb fb fb fb fc fc fc fc fb fb fb fb
 ffff8801d94f2b00: fb fb fb fb fc fc fc fc fb fb fb fb fb fb fb fb
==================================================================
==================================================================
BUG: KASAN: use-after-free in parse_ipsecrequest net/key/af_key.c:1906 [inline] at addr ffff8801c6902794
BUG: KASAN: use-after-free in parse_ipsecrequests+0xc7d/0xd00 net/key/af_key.c:1958 at addr ffff8801c6902794
Read of size 1 by task syz-executor1/23769
page:ffffea00071a4080 count:0 mapcount:-127 mapping: (null) index:0x0
flags: 0x200000000000000()
page dumped because: kasan: bad access detected
CPU: 1 PID: 23769 Comm: syz-executor1 Tainted: G B 4.9.39-g5b07c2d #4
binder_alloc: binder_alloc_mmap_handler: 23797 2007d000-2007e000 already mapped failed -16
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801c975f7b0 ffffffff81eacd59 ffffed0038d204f2 0000000000000001
 0000000000000000 ffffed0038d204f2 ffff8801c6902794 ffff8801c975f830
 ffffffff81547141 ffff8801c975f840 ffffffff833df72f ffffffff8358b4bd
Call Trace:
 __dump_stack lib/dump_stack.c:15 [inline]
 dump_stack+0xc1/0x128 lib/dump_stack.c:51
 print_address_description mm/kasan/report.c:208 [inline]
 kasan_report_error mm/kasan/report.c:287 [inline]
 kasan_report.part.1+0x4a1/0x4e0 mm/kasan/report.c:309
 kasan_report mm/kasan/report.c:327 [inline]
 __asan_report_load1_noabort+0x29/0x30 mm/kasan/report.c:327
 parse_ipsecrequest net/key/af_key.c:1906 [inline]
 parse_ipsecrequests+0xc7d/0xd00 net/key/af_key.c:1958
 pfkey_compile_policy+0xa20/0xd40 net/key/af_key.c:3250
 xfrm_user_policy+0x222/0x370 net/xfrm/xfrm_state.c:1900
 do_ip_setsockopt.isra.11+0x193e/0x28f0 net/ipv4/ip_sockglue.c:1146
 ip_setsockopt+0x3a/0xb0 net/ipv4/ip_sockglue.c:1235
 tcp_setsockopt+0x82/0xd0 net/ipv4/tcp.c:2701
 sock_common_setsockopt+0x95/0xd0 net/core/sock.c:2705
 SYSC_setsockopt net/socket.c:1771 [inline]
 SyS_setsockopt+0x158/0x240 net/socket.c:1750
 entry_SYSCALL_64_fastpath+0x23/0xc6
Memory state around the buggy address:
 ffff8801c6902680: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff8801c6902700: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff8801c6902780: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                         ^
 ffff8801c6902800: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff8801c6902880: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================
==================================================================
BUG: KASAN: use-after-free in parse_ipsecrequest net/key/af_key.c:1906 [inline] at addr ffff8801aba8a3d4
BUG: KASAN: use-after-free in parse_ipsecrequests+0xc7d/0xd00 net/key/af_key.c:1958 at addr ffff8801aba8a3d4
Read of size 1 by task syz-executor1/23879
CPU: 1 PID: 23879 Comm: syz-executor1 Tainted: G B 4.9.39-g5b07c2d #4
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801d175f788 ffffffff81eacd59 ffff8801dad53a00 ffff8801aba8a200
 ffff8801aba8b200 ffffed003575147a ffff8801aba8a3d4 ffff8801d175f7b0
 ffffffff81546bfc ffffed003575147a ffff8801dad53a00 0000000000000000
Call Trace:
 __dump_stack lib/dump_stack.c:15 [inline]
 dump_stack+0xc1/0x128 lib/dump_stack.c:51
 kasan_object_err+0x1c/0x70 mm/kasan/report.c:160
 print_address_description mm/kasan/report.c:198 [inline]
 kasan_report_error mm/kasan/report.c:287 [inline]
 kasan_report.part.1+0x20d/0x4e0 mm/kasan/report.c:309
 kasan_report mm/kasan/report.c:327 [inline]
 __asan_report_load1_noabort+0x29/0x30 mm/kasan/report.c:327
 parse_ipsecrequest net/key/af_key.c:1906 [inline]
 parse_ipsecrequests+0xc7d/0xd00 net/key/af_key.c:1958
 pfkey_compile_policy+0xa20/0xd40 net/key/af_key.c:3250
 xfrm_user_policy+0x222/0x370 net/xfrm/xfrm_state.c:1900
 do_ip_setsockopt.isra.11+0x193e/0x28f0 net/ipv4/ip_sockglue.c:1146
 ip_setsockopt+0x3a/0xb0 net/ipv4/ip_sockglue.c:1235
 tcp_setsockopt+0x82/0xd0 net/ipv4/tcp.c:2701
 sock_common_setsockopt+0x95/0xd0 net/core/sock.c:2705
 SYSC_setsockopt net/socket.c:1771 [inline]
 SyS_setsockopt+0x158/0x240 net/socket.c:1750
 entry_SYSCALL_64_fastpath+0x23/0xc6
Object at ffff8801aba8a200, in cache names_cache size: 4096
Allocated:
PID = 23690
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:495
 set_track mm/kasan/kasan.c:507 [inline]
 kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598
 kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:537
 slab_post_alloc_hook mm/slab.h:417 [inline]
 slab_alloc_node mm/slub.c:2715 [inline]
 slab_alloc mm/slub.c:2723 [inline]
 kmem_cache_alloc+0xc9/0x2a0 mm/slub.c:2728
 getname_flags+0xcb/0x580 fs/namei.c:137
 user_path_at_empty+0x2d/0x50 fs/namei.c:2576
 user_path_at include/linux/namei.h:55 [inline]
 vfs_fstatat+0xbe/0x150 fs/stat.c:106
 vfs_stat fs/stat.c:123 [inline]
 SYSC_newstat+0x7e/0xe0 fs/stat.c:270
 SyS_newstat+0x1d/0x30 fs/stat.c:266
 entry_SYSCALL_64_fastpath+0x23/0xc6
Freed:
PID = 23690
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:495
 set_track mm/kasan/kasan.c:507 [inline]
 kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:571
 slab_free_hook mm/slub.c:1355 [inline]
 slab_free_freelist_hook mm/slub.c:1377 [inline]
 slab_free mm/slub.c:2958 [inline]
 kmem_cache_free+0xb2/0x2e0 mm/slub.c:2980
 putname+0xee/0x130 fs/namei.c:257
 filename_lookup+0x234/0x390 fs/namei.c:2324
 user_path_at_empty+0x40/0x50 fs/namei.c:2576
 user_path_at include/linux/namei.h:55 [inline]
 vfs_fstatat+0xbe/0x150 fs/stat.c:106
 vfs_stat fs/stat.c:123 [inline]
 SYSC_newstat+0x7e/0xe0 fs/stat.c:270
 SyS_newstat+0x1d/0x30 fs/stat.c:266
 entry_SYSCALL_64_fastpath+0x23/0xc6
Memory state around the buggy address:
 ffff8801aba8a280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8801aba8a300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8801aba8a380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                                 ^
 ffff8801aba8a400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8801aba8a480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
==================================================================
BUG: KASAN: use-after-free in parse_ipsecrequest net/key/af_key.c:1906 [inline] at addr ffff8801c7ccadd4
BUG: KASAN: use-after-free in parse_ipsecrequests+0xc7d/0xd00 net/key/af_key.c:1958 at addr ffff8801c7ccadd4
Read of size 1 by task syz-executor4/23888
CPU: 0 PID: 23888 Comm: syz-executor4 Tainted: G B 4.9.39-g5b07c2d #4
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff88019c2af788 ffffffff81eacd59 ffff8801dad53a00 ffff8801c7cca200
 ffff8801c7ccb200 ffffed0038f995ba ffff8801c7ccadd4 ffff88019c2af7b0
 ffffffff81546bfc ffffed0038f995ba ffff8801dad53a00 0000000000000000
Call Trace:
 __dump_stack lib/dump_stack.c:15 [inline]
 dump_stack+0xc1/0x128 lib/dump_stack.c:51
 kasan_object_err+0x1c/0x70 mm/kasan/report.c:160
 print_address_description mm/kasan/report.c:198 [inline]
 kasan_report_error mm/kasan/report.c:287 [inline]
 kasan_report.part.1+0x20d/0x4e0 mm/kasan/report.c:309
 kasan_report mm/kasan/report.c:327 [inline]
 __asan_report_load1_noabort+0x29/0x30 mm/kasan/report.c:327
 parse_ipsecrequest net/key/af_key.c:1906 [inline]
 parse_ipsecrequests+0xc7d/0xd00 net/key/af_key.c:1958
 pfkey_compile_policy+0xa20/0xd40 net/key/af_key.c:3250
 xfrm_user_policy+0x222/0x370 net/xfrm/xfrm_state.c:1900
 do_ip_setsockopt.isra.11+0x193e/0x28f0 net/ipv4/ip_sockglue.c:1146
 ip_setsockopt+0x3a/0xb0 net/ipv4/ip_sockglue.c:1235
 tcp_setsockopt+0x82/0xd0 net/ipv4/tcp.c:2701
 sock_common_setsockopt+0x95/0xd0 net/core/sock.c:2705
 SYSC_setsockopt net/socket.c:1771 [inline]
 SyS_setsockopt+0x158/0x240 net/socket.c:1750
 entry_SYSCALL_64_fastpath+0x23/0xc6
Object at ffff8801c7cca200, in cache names_cache size: 4096
Allocated:
PID = 23474
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:495
 set_track mm/kasan/kasan.c:507 [inline]
 kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598
 kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:537
 slab_post_alloc_hook mm/slab.h:417 [inline]
 slab_alloc_node mm/slub.c:2715 [inline]
 slab_alloc mm/slub.c:2723 [inline]
 kmem_cache_alloc+0xc9/0x2a0 mm/slub.c:2728
 getname_flags+0xcb/0x580 fs/namei.c:137
 getname+0x19/0x20 fs/namei.c:208
 do_sys_open+0x217/0x4b0 fs/open.c:1066
 SYSC_open fs/open.c:1090 [inline]
 SyS_open+0x2d/0x40 fs/open.c:1085
 entry_SYSCALL_64_fastpath+0x23/0xc6
Freed:
PID = 23474
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:495
 set_track mm/kasan/kasan.c:507 [inline]
 kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:571
 slab_free_hook mm/slub.c:1355 [inline]
 slab_free_freelist_hook mm/slub.c:1377 [inline]
 slab_free mm/slub.c:2958 [inline]
 kmem_cache_free+0xb2/0x2e0 mm/slub.c:2980
 putname+0xee/0x130 fs/namei.c:257
 do_sys_open+0x24c/0x4b0 fs/open.c:1081
 SYSC_open fs/open.c:1090 [inline]
 SyS_open+0x2d/0x40 fs/open.c:1085
 entry_SYSCALL_64_fastpath+0x23/0xc6
Memory state around the buggy address:
 ffff8801c7ccac80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8801c7ccad00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8801c7ccad80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                                 ^
 ffff8801c7ccae00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8801c7ccae80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
==================================================================
BUG: KASAN: use-after-free in parse_ipsecrequest net/key/af_key.c:1906 [inline] at addr ffff8801c8bf6dd4
BUG: KASAN: use-after-free in parse_ipsecrequests+0xc7d/0xd00 net/key/af_key.c:1958 at addr ffff8801c8bf6dd4
Read of size 1 by task syz-executor1/23928
page:ffffea000722fd80 count:0 mapcount:0 mapping: (null) index:0x0
flags: 0x200000000000000()
page dumped because: kasan: bad access detected
CPU: 1 PID: 23928 Comm: syz-executor1 Tainted: G B 4.9.39-g5b07c2d #4
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801c94477b0 ffffffff81eacd59 ffffed003917edba 0000000000000001
 0000000000000000 ffffed003917edba ffff8801c8bf6dd4 ffff8801c9447830
 ffffffff81547141 ffff8801c9447840 ffffffff833df72f ffffffff8358b4bd
Call Trace:
 __dump_stack lib/dump_stack.c:15 [inline]
 dump_stack+0xc1/0x128 lib/dump_stack.c:51
 print_address_description mm/kasan/report.c:208 [inline]
 kasan_report_error mm/kasan/report.c:287 [inline]
 kasan_report.part.1+0x4a1/0x4e0 mm/kasan/report.c:309
 kasan_report mm/kasan/report.c:327 [inline]
 __asan_report_load1_noabort+0x29/0x30 mm/kasan/report.c:327
 parse_ipsecrequest net/key/af_key.c:1906 [inline]
 parse_ipsecrequests+0xc7d/0xd00 net/key/af_key.c:1958
 pfkey_compile_policy+0xa20/0xd40 net/key/af_key.c:3250
 xfrm_user_policy+0x222/0x370 net/xfrm/xfrm_state.c:1900
 do_ip_setsockopt.isra.11+0x193e/0x28f0 net/ipv4/ip_sockglue.c:1146
 ip_setsockopt+0x3a/0xb0 net/ipv4/ip_sockglue.c:1235
 tcp_setsockopt+0x82/0xd0 net/ipv4/tcp.c:2701
 sock_common_setsockopt+0x95/0xd0 net/core/sock.c:2705
 SYSC_setsockopt net/socket.c:1771 [inline]
 SyS_setsockopt+0x158/0x240 net/socket.c:1750
 entry_SYSCALL_64_fastpath+0x23/0xc6
Memory state around the buggy address:
 ffff8801c8bf6c80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff8801c8bf6d00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff8801c8bf6d80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                                                 ^
 ffff8801c8bf6e00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff8801c8bf6e80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================
==================================================================
BUG: KASAN: use-after-free in parse_ipsecrequest net/key/af_key.c:1906 [inline] at addr ffff8801a52e78d4
BUG: KASAN: use-after-free in parse_ipsecrequests+0xc7d/0xd00 net/key/af_key.c:1958 at addr ffff8801a52e78d4
Read of size 1 by task syz-executor4/23940
page:ffffea000694b9c0 count:0 mapcount:-127 mapping: (null) index:0x0
flags: 0x200000000000000()
page dumped because: kasan: bad access detected
CPU: 0 PID: 23940 Comm: syz-executor4 Tainted: G B 4.9.39-g5b07c2d #4
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801aa8df7b0 ffffffff81eacd59 ffffed0034a5cf1a 0000000000000001
 0000000000000000 ffffed0034a5cf1a ffff8801a52e78d4 ffff8801aa8df830
 ffffffff81547141 ffff8801aa8df840 ffffffff833df72f ffffffff8358b4bd
Call Trace:
 __dump_stack lib/dump_stack.c:15 [inline]
 dump_stack+0xc1/0x128 lib/dump_stack.c:51
 print_address_description mm/kasan/report.c:208 [inline]
 kasan_report_error mm/kasan/report.c:287 [inline]
 kasan_report.part.1+0x4a1/0x4e0 mm/kasan/report.c:309
 kasan_report mm/kasan/report.c:327 [inline]
 __asan_report_load1_noabort+0x29/0x30 mm/kasan/report.c:327
 parse_ipsecrequest net/key/af_key.c:1906 [inline]
 parse_ipsecrequests+0xc7d/0xd00 net/key/af_key.c:1958
 pfkey_compile_policy+0xa20/0xd40 net/key/af_key.c:3250
 xfrm_user_policy+0x222/0x370 net/xfrm/xfrm_state.c:1900
 do_ip_setsockopt.isra.11+0x193e/0x28f0 net/ipv4/ip_sockglue.c:1146
 ip_setsockopt+0x3a/0xb0 net/ipv4/ip_sockglue.c:1235
 tcp_setsockopt+0x82/0xd0 net/ipv4/tcp.c:2701
 sock_common_setsockopt+0x95/0xd0 net/core/sock.c:2705
 SYSC_setsockopt net/socket.c:1771 [inline]
 SyS_setsockopt+0x158/0x240 net/socket.c:1750
 entry_SYSCALL_64_fastpath+0x23/0xc6
Memory state around the buggy address:
 ffff8801a52e7780: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff8801a52e7800: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff8801a52e7880: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                                                 ^
 ffff8801a52e7900: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff8801a52e7980: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================
==================================================================
BUG: KASAN: use-after-free in parse_ipsecrequest net/key/af_key.c:1909 [inline] at addr ffff8801c8bf6dd2
BUG: KASAN: use-after-free in parse_ipsecrequests+0xc73/0xd00 net/key/af_key.c:1958 at addr ffff8801c8bf6dd2
Read of size 2 by task syz-executor1/23928
page:ffffea000722fd80 count:0 mapcount:0 mapping: (null) index:0x0
flags: 0x200000000000000()
page dumped because: kasan: bad access detected
CPU: 1 PID: 23928 Comm: syz-executor1 Tainted: G B 4.9.39-g5b07c2d #4
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801c94477b0 ffffffff81eacd59 ffffed003917edba 0000000000000002
 0000000000000000 ffffed003917edba ffff8801c8bf6dd2 ffff8801c9447830
 ffffffff81547141 0000000000000010 ffffffff00000000 ffffffff8358b4b3
Call Trace:
 __dump_stack lib/dump_stack.c:15 [inline]
 dump_stack+0xc1/0x128 lib/dump_stack.c:51
 print_address_description mm/kasan/report.c:208 [inline]
 kasan_report_error mm/kasan/report.c:287 [inline]
 kasan_report.part.1+0x4a1/0x4e0 mm/kasan/report.c:309
 kasan_report mm/kasan/report.c:341 [inline]
 __asan_report_load_n_noabort+0x24/0x30 mm/kasan/report.c:340
 parse_ipsecrequest net/key/af_key.c:1909 [inline]
 parse_ipsecrequests+0xc73/0xd00 net/key/af_key.c:1958
 pfkey_compile_policy+0xa20/0xd40 net/key/af_key.c:3250
 xfrm_user_policy+0x222/0x370 net/xfrm/xfrm_state.c:1900
 do_ip_setsockopt.isra.11+0x193e/0x28f0 net/ipv4/ip_sockglue.c:1146
 ip_setsockopt+0x3a/0xb0 net/ipv4/ip_sockglue.c:1235
 tcp_setsockopt+0x82/0xd0 net/ipv4/tcp.c:2701
 sock_common_setsockopt+0x95/0xd0 net/core/sock.c:2705
 SYSC_setsockopt net/socket.c:1771 [inline]
 SyS_setsockopt+0x158/0x240 net/socket.c:1750
 entry_SYSCALL_64_fastpath+0x23/0xc6
Memory state around the buggy address:
 ffff8801c8bf6c80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff8801c8bf6d00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff8801c8bf6d80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                                                 ^
 ffff8801c8bf6e00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff8801c8bf6e80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================
==================================================================
BUG: KASAN: use-after-free in parse_ipsecrequest net/key/af_key.c:1906 [inline] at addr ffff8801a52e7514
BUG: KASAN: use-after-free in parse_ipsecrequests+0xc7d/0xd00 net/key/af_key.c:1958 at addr ffff8801a52e7514
Read of size 1 by task syz-executor4/23946
page:ffffea000694b9c0 count:0 mapcount:-127 mapping: (null) index:0x0
flags: 0x200000000000000()
page dumped because: kasan: bad access detected
CPU: 0 PID: 23946 Comm: syz-executor4 Tainted: G B 4.9.39-g5b07c2d #4
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801ac8477b0 ffffffff81eacd59 ffffed0034a5cea2
0000000000000001 0000000000000000 ffffed0034a5cea2 ffff8801a52e7514 ffff8801ac847830 ffffffff81547141 ffff8801ac847840 ffffffff833df72f ffffffff8358b4bd Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xc1/0x128 lib/dump_stack.c:51 [] print_address_description mm/kasan/report.c:208 [inline] [] kasan_report_error mm/kasan/report.c:287 [inline] [] kasan_report.part.1+0x4a1/0x4e0 mm/kasan/report.c:309 [] kasan_report mm/kasan/report.c:327 [inline] [] __asan_report_load1_noabort+0x29/0x30 mm/kasan/report.c:327 [] parse_ipsecrequest net/key/af_key.c:1906 [inline] [] parse_ipsecrequests+0xc7d/0xd00 net/key/af_key.c:1958 [] pfkey_compile_policy+0xa20/0xd40 net/key/af_key.c:3250 [] xfrm_user_policy+0x222/0x370 net/xfrm/xfrm_state.c:1900 [] do_ip_setsockopt.isra.11+0x193e/0x28f0 net/ipv4/ip_sockglue.c:1146 [] ip_setsockopt+0x3a/0xb0 net/ipv4/ip_sockglue.c:1235 [] tcp_setsockopt+0x82/0xd0 net/ipv4/tcp.c:2701 [] sock_common_setsockopt+0x95/0xd0 net/core/sock.c:2705 [] SYSC_setsockopt net/socket.c:1771 [inline] [] SyS_setsockopt+0x158/0x240 net/socket.c:1750 [] entry_SYSCALL_64_fastpath+0x23/0xc6 Memory state around the buggy address: ffff8801a52e7400: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ffff8801a52e7480: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff >ffff8801a52e7500: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ^ ffff8801a52e7580: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ffff8801a52e7600: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ================================================================== ================================================================== BUG: KASAN: use-after-free in parse_ipsecrequest net/key/af_key.c:1913 [inline] at addr ffff8801c8bf6dd5 BUG: KASAN: use-after-free in parse_ipsecrequests+0xcd8/0xd00 net/key/af_key.c:1958 at addr ffff8801c8bf6dd5 Read of size 1 by task syz-executor1/23928 page:ffffea000722fd80 count:0 mapcount:0 mapping: (null) index:0x0 flags: 0x200000000000000() page dumped 
because: kasan: bad access detected CPU: 1 PID: 23928 Comm: syz-executor1 Tainted: G B 4.9.39-g5b07c2d #4 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 ffff8801c94477b0 ffffffff81eacd59 ffffed003917edba 0000000000000001 0000000000000000 ffffed003917edba ffff8801c8bf6dd5 ffff8801c9447830 ffffffff81547141 0000000000000010 ffffffff00000000 ffffffff8358b518 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xc1/0x128 lib/dump_stack.c:51 [] print_address_description mm/kasan/report.c:208 [inline] [] kasan_report_error mm/kasan/report.c:287 [inline] [] kasan_report.part.1+0x4a1/0x4e0 mm/kasan/report.c:309 [] kasan_report mm/kasan/report.c:327 [inline] [] __asan_report_load1_noabort+0x29/0x30 mm/kasan/report.c:327 [] parse_ipsecrequest net/key/af_key.c:1913 [inline] [] parse_ipsecrequests+0xcd8/0xd00 net/key/af_key.c:1958 [] pfkey_compile_policy+0xa20/0xd40 net/key/af_key.c:3250 [] xfrm_user_policy+0x222/0x370 net/xfrm/xfrm_state.c:1900 [] do_ip_setsockopt.isra.11+0x193e/0x28f0 net/ipv4/ip_sockglue.c:1146 [] ip_setsockopt+0x3a/0xb0 net/ipv4/ip_sockglue.c:1235 [] tcp_setsockopt+0x82/0xd0 net/ipv4/tcp.c:2701 [] sock_common_setsockopt+0x95/0xd0 net/core/sock.c:2705 [] SYSC_setsockopt net/socket.c:1771 [inline] [] SyS_setsockopt+0x158/0x240 net/socket.c:1750 [] entry_SYSCALL_64_fastpath+0x23/0xc6 Memory state around the buggy address: ffff8801c8bf6c80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ffff8801c8bf6d00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff >ffff8801c8bf6d80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ^ ffff8801c8bf6e00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ffff8801c8bf6e80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ================================================================== ================================================================== BUG: KASAN: use-after-free in parse_ipsecrequests+0xc8f/0xd00 net/key/af_key.c:1960 at addr ffff8801c8bf6dd0 Read of size 
2 by task syz-executor1/23928 page:ffffea000722fd80 count:0 mapcount:0 mapping: (null) index:0x0 flags: 0x200000000000000() page dumped because: kasan: bad access detected CPU: 1 PID: 23928 Comm: syz-executor1 Tainted: G B 4.9.39-g5b07c2d #4 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 ffff8801c94477b0 ffffffff81eacd59 ffffed003917edba 0000000000000002 0000000000000000 ffffed003917edba ffff8801c8bf6dd0 ffff8801c9447830 ffffffff81547141 0000000000000010 ffffffff00000000 ffffffff8358b4cf Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xc1/0x128 lib/dump_stack.c:51 [] print_address_description mm/kasan/report.c:208 [inline] [] kasan_report_error mm/kasan/report.c:287 [inline] [] kasan_report.part.1+0x4a1/0x4e0 mm/kasan/report.c:309 [] kasan_report mm/kasan/report.c:341 [inline] [] __asan_report_load_n_noabort+0x24/0x30 mm/kasan/report.c:340 [] parse_ipsecrequests+0xc8f/0xd00 net/key/af_key.c:1960 [] pfkey_compile_policy+0xa20/0xd40 net/key/af_key.c:3250 [] xfrm_user_policy+0x222/0x370 net/xfrm/xfrm_state.c:1900 [] do_ip_setsockopt.isra.11+0x193e/0x28f0 net/ipv4/ip_sockglue.c:1146 [] ip_setsockopt+0x3a/0xb0 net/ipv4/ip_sockglue.c:1235 [] tcp_setsockopt+0x82/0xd0 net/ipv4/tcp.c:2701 [] sock_common_setsockopt+0x95/0xd0 net/core/sock.c:2705 [] SYSC_setsockopt net/socket.c:1771 [inline] [] SyS_setsockopt+0x158/0x240 net/socket.c:1750 [] entry_SYSCALL_64_fastpath+0x23/0xc6 Memory state around the buggy address: ffff8801c8bf6c80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ffff8801c8bf6d00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff >ffff8801c8bf6d80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ^ ffff8801c8bf6e00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ffff8801c8bf6e80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ================================================================== ================================================================== BUG: KASAN: slab-out-of-bounds in 
parse_ipsecrequest net/key/af_key.c:1906 [inline] at addr ffff8801d8697794 BUG: KASAN: slab-out-of-bounds in parse_ipsecrequests+0xc7d/0xd00 net/key/af_key.c:1958 at addr ffff8801d8697794 Read of size 1 by task syz-executor1/23951 CPU: 1 PID: 23951 Comm: syz-executor1 Tainted: G B 4.9.39-g5b07c2d #4 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 ffff8801c8d2f788 ffffffff81eacd59 ffff8801d9d74140 ffff8801d86976c0 ffff8801d8697758 ffffed003b0d2ef2 ffff8801d8697794 ffff8801c8d2f7b0 ffffffff81546bfc ffffed003b0d2ef2 ffff8801d9d74140 0000000000000000 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xc1/0x128 lib/dump_stack.c:51 [] kasan_object_err+0x1c/0x70 mm/kasan/report.c:160 [] print_address_description mm/kasan/report.c:198 [inline] [] kasan_report_error mm/kasan/report.c:287 [inline] [] kasan_report.part.1+0x20d/0x4e0 mm/kasan/report.c:309 [] kasan_report mm/kasan/report.c:327 [inline] [] __asan_report_load1_noabort+0x29/0x30 mm/kasan/report.c:327 [] parse_ipsecrequest net/key/af_key.c:1906 [inline] [] parse_ipsecrequests+0xc7d/0xd00 net/key/af_key.c:1958 [] pfkey_compile_policy+0xa20/0xd40 net/key/af_key.c:3250 [] xfrm_user_policy+0x222/0x370 net/xfrm/xfrm_state.c:1900 [] do_ip_setsockopt.isra.11+0x193e/0x28f0 net/ipv4/ip_sockglue.c:1146 [] ip_setsockopt+0x3a/0xb0 net/ipv4/ip_sockglue.c:1235 [] tcp_setsockopt+0x82/0xd0 net/ipv4/tcp.c:2701 [] sock_common_setsockopt+0x95/0xd0 net/core/sock.c:2705 [] SYSC_setsockopt net/socket.c:1771 [inline] [] SyS_setsockopt+0x158/0x240 net/socket.c:1750 [] entry_SYSCALL_64_fastpath+0x23/0xc6 Object at ffff8801d86976c0, in cache kernfs_node_cache size: 152 Allocated: PID = 1 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 save_stack+0x43/0xd0 mm/kasan/kasan.c:495 set_track mm/kasan/kasan.c:507 [inline] kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598 kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:537 slab_post_alloc_hook mm/slab.h:417 [inline] slab_alloc_node 
mm/slub.c:2715 [inline] slab_alloc mm/slub.c:2723 [inline] kmem_cache_alloc+0xc9/0x2a0 mm/slub.c:2728 kmem_cache_zalloc include/linux/slab.h:626 [inline] __kernfs_new_node+0x6c/0x2b0 fs/kernfs/dir.c:619 kernfs_new_node+0x80/0xe0 fs/kernfs/dir.c:651 __kernfs_create_file+0x4b/0x2a0 fs/kernfs/file.c:943 sysfs_add_file_mode_ns+0x225/0x520 fs/sysfs/file.c:307 sysfs_create_file_ns+0x86/0xb0 fs/sysfs/file.c:334 sysfs_create_file include/linux/sysfs.h:494 [inline] device_create_file+0xd2/0x1e0 drivers/base/core.c:599 acpi_device_setup_files+0x1fb/0x5a0 drivers/acpi/device_sysfs.c:553 acpi_device_add+0x6c5/0x970 drivers/acpi/scan.c:699 acpi_add_single_object+0x6bf/0x17b0 drivers/acpi/scan.c:1451 acpi_bus_check_add+0x1c9/0x530 drivers/acpi/scan.c:1691 acpi_ns_walk_namespace+0x1d1/0x31e drivers/acpi/acpica/nswalk.c:270 acpi_walk_namespace+0xb5/0xef drivers/acpi/acpica/nsxfeval.c:618 acpi_bus_scan+0xe2/0xf0 drivers/acpi/scan.c:1894 acpi_scan_init+0x25e/0x5ed drivers/acpi/scan.c:2032 acpi_init+0x5b5/0x63a drivers/acpi/bus.c:1193 do_one_initcall+0xa0/0x220 init/main.c:778 do_initcall_level init/main.c:844 [inline] do_initcalls init/main.c:852 [inline] do_basic_setup init/main.c:870 [inline] kernel_init_freeable+0x480/0x538 init/main.c:1016 kernel_init+0x13/0x180 init/main.c:942 ret_from_fork+0x2a/0x40 arch/x86/entry/entry_64.S:433 Freed: PID = 0 (stack is not available) Memory state around the buggy address: ffff8801d8697680: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00 ffff8801d8697700: 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc fc >ffff8801d8697780: fc fc fc 00 00 00 00 00 00 00 00 00 00 00 00 00 ^ ffff8801d8697800: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc 00 00 ffff8801d8697880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ================================================================== ================================================================== BUG: KASAN: use-after-free in parse_ipsecrequest net/key/af_key.c:1906 [inline] at addr ffff8801ab06add4 BUG: 
KASAN: use-after-free in parse_ipsecrequests+0xc7d/0xd00 net/key/af_key.c:1958 at addr ffff8801ab06add4 Read of size 1 by task syz-executor4/23976 CPU: 0 PID: 23976 Comm: syz-executor4 Tainted: G B 4.9.39-g5b07c2d #4 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 ffff8801cee67788 ffffffff81eacd59 ffff8801dad53a00 ffff8801ab06a200 ffff8801ab06b200 ffffed003560d5ba ffff8801ab06add4 ffff8801cee677b0 ffffffff81546bfc ffffed003560d5ba ffff8801dad53a00 0000000000000000 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xc1/0x128 lib/dump_stack.c:51 [] kasan_object_err+0x1c/0x70 mm/kasan/report.c:160 [] print_address_description mm/kasan/report.c:198 [inline] [] kasan_report_error mm/kasan/report.c:287 [inline] [] kasan_report.part.1+0x20d/0x4e0 mm/kasan/report.c:309 [] kasan_report mm/kasan/report.c:327 [inline] [] __asan_report_load1_noabort+0x29/0x30 mm/kasan/report.c:327 [] parse_ipsecrequest net/key/af_key.c:1906 [inline] [] parse_ipsecrequests+0xc7d/0xd00 net/key/af_key.c:1958 [] pfkey_compile_policy+0xa20/0xd40 net/key/af_key.c:3250 [] xfrm_user_policy+0x222/0x370 net/xfrm/xfrm_state.c:1900 [] do_ip_setsockopt.isra.11+0x193e/0x28f0 net/ipv4/ip_sockglue.c:1146 [] ip_setsockopt+0x3a/0xb0 net/ipv4/ip_sockglue.c:1235 [] tcp_setsockopt+0x82/0xd0 net/ipv4/tcp.c:2701 [] sock_common_setsockopt+0x95/0xd0 net/core/sock.c:2705 [] SYSC_setsockopt net/socket.c:1771 [inline] [] SyS_setsockopt+0x158/0x240 net/socket.c:1750 [] entry_SYSCALL_64_fastpath+0x23/0xc6 Object at ffff8801ab06a200, in cache names_cache size: 4096 Allocated: PID = 23206 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 save_stack+0x43/0xd0 mm/kasan/kasan.c:495 set_track mm/kasan/kasan.c:507 [inline] kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598 kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:537 slab_post_alloc_hook mm/slab.h:417 [inline] slab_alloc_node mm/slub.c:2715 [inline] slab_alloc mm/slub.c:2723 [inline] kmem_cache_alloc+0xc9/0x2a0 
mm/slub.c:2728 getname_kernel+0x54/0x340 fs/namei.c:217 open_exec+0x17/0x60 fs/exec.c:872 load_elf_binary+0x12ef/0x4690 fs/binfmt_elf.c:754 search_binary_handler+0x142/0x6b0 fs/exec.c:1622 exec_binprm fs/exec.c:1664 [inline] do_execveat_common.isra.37+0x15b2/0x1f20 fs/exec.c:1786 do_execve+0x3a/0x50 fs/exec.c:1830 call_usermodehelper_exec_async+0x29c/0x4d0 kernel/kmod.c:252 ret_from_fork+0x2a/0x40 arch/x86/entry/entry_64.S:433 Freed: PID = 23206 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 save_stack+0x43/0xd0 mm/kasan/kasan.c:495 set_track mm/kasan/kasan.c:507 [inline] kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:571 slab_free_hook mm/slub.c:1355 [inline] slab_free_freelist_hook mm/slub.c:1377 [inline] slab_free mm/slub.c:2958 [inline] kmem_cache_free+0xb2/0x2e0 mm/slub.c:2980 putname+0xee/0x130 fs/namei.c:257 open_exec+0x41/0x60 fs/exec.c:877 load_elf_binary+0x12ef/0x4690 fs/binfmt_elf.c:754 search_binary_handler+0x142/0x6b0 fs/exec.c:1622 exec_binprm fs/exec.c:1664 [inline] do_execveat_common.isra.37+0x15b2/0x1f20 fs/exec.c:1786 do_execve+0x3a/0x50 fs/exec.c:1830 call_usermodehelper_exec_async+0x29c/0x4d0 kernel/kmod.c:252 ret_from_fork+0x2a/0x40 arch/x86/entry/entry_64.S:433 Memory state around the buggy address: ffff8801ab06ac80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8801ab06ad00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff8801ab06ad80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff8801ab06ae00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8801ab06ae80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ================================================================== ================================================================== BUG: KASAN: use-after-free in parse_ipsecrequest net/key/af_key.c:1906 [inline] at addr ffff8801a4042654 BUG: KASAN: use-after-free in parse_ipsecrequests+0xc7d/0xd00 net/key/af_key.c:1958 at addr ffff8801a4042654 Read of size 1 by task syz-executor1/23991 page:ffffea0006901080 
count:0 mapcount:0 mapping: (null) index:0x0 flags: 0x200000000000000() page dumped because: kasan: bad access detected CPU: 1 PID: 23991 Comm: syz-executor1 Tainted: G B 4.9.39-g5b07c2d #4 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 ffff8801d5dff7b0 ffffffff81eacd59 ffffed00348084ca 0000000000000001 0000000000000000 ffffed00348084ca ffff8801a4042654 ffff8801d5dff830 ffffffff81547141 ffff8801d5dff840 ffffffff833df72f ffffffff8358b4bd Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xc1/0x128 lib/dump_stack.c:51 [] print_address_description mm/kasan/report.c:208 [inline] [] kasan_report_error mm/kasan/report.c:287 [inline] [] kasan_report.part.1+0x4a1/0x4e0 mm/kasan/report.c:309 [] kasan_report mm/kasan/report.c:327 [inline] [] __asan_report_load1_noabort+0x29/0x30 mm/kasan/report.c:327 [] parse_ipsecrequest net/key/af_key.c:1906 [inline] [] parse_ipsecrequests+0xc7d/0xd00 net/key/af_key.c:1958 [] pfkey_compile_policy+0xa20/0xd40 net/key/af_key.c:3250 [] xfrm_user_policy+0x222/0x370 net/xfrm/xfrm_state.c:1900 [] do_ip_setsockopt.isra.11+0x193e/0x28f0 net/ipv4/ip_sockglue.c:1146 [] ip_setsockopt+0x3a/0xb0 net/ipv4/ip_sockglue.c:1235 [] tcp_setsockopt+0x82/0xd0 net/ipv4/tcp.c:2701 [] sock_common_setsockopt+0x95/0xd0 net/core/sock.c:2705 [] SYSC_setsockopt net/socket.c:1771 [inline] [] SyS_setsockopt+0x158/0x240 net/socket.c:1750 [] entry_SYSCALL_64_fastpath+0x23/0xc6 Memory state around the buggy address: ffff8801a4042500: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ffff8801a4042580: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff >ffff8801a4042600: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ^ ffff8801a4042680: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ffff8801a4042700: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ================================================================== ================================================================== BUG: KASAN: use-after-free in 
parse_ipsecrequest net/key/af_key.c:1906 [inline] at addr ffff8801dad34654 BUG: KASAN: use-after-free in parse_ipsecrequests+0xc7d/0xd00 net/key/af_key.c:1958 at addr ffff8801dad34654 Read of size 1 by task syz-executor4/24004 CPU: 0 PID: 24004 Comm: syz-executor4 Tainted: G B 4.9.39-g5b07c2d #4 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 ffff8801cee67788 ffffffff81eacd59 ffff8801dad533c0 ffff8801dad345d0 ffff8801dad34688 ffffed003b5a68ca ffff8801dad34654 ffff8801cee677b0 ffffffff81546bfc ffffed003b5a68ca ffff8801dad533c0 0000000000000000 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xc1/0x128 lib/dump_stack.c:51 [] kasan_object_err+0x1c/0x70 mm/kasan/report.c:160 [] print_address_description mm/kasan/report.c:198 [inline] [] kasan_report_error mm/kasan/report.c:287 [inline] [] kasan_report.part.1+0x20d/0x4e0 mm/kasan/report.c:309 [] kasan_report mm/kasan/report.c:327 [inline] [] __asan_report_load1_noabort+0x29/0x30 mm/kasan/report.c:327 [] parse_ipsecrequest net/key/af_key.c:1906 [inline] [] parse_ipsecrequests+0xc7d/0xd00 net/key/af_key.c:1958 [] pfkey_compile_policy+0xa20/0xd40 net/key/af_key.c:3250 [] xfrm_user_policy+0x222/0x370 net/xfrm/xfrm_state.c:1900 [] do_ip_setsockopt.isra.11+0x193e/0x28f0 net/ipv4/ip_sockglue.c:1146 [] ip_setsockopt+0x3a/0xb0 net/ipv4/ip_sockglue.c:1235 [] tcp_setsockopt+0x82/0xd0 net/ipv4/tcp.c:2701 [] sock_common_setsockopt+0x95/0xd0 net/core/sock.c:2705 [] SYSC_setsockopt net/socket.c:1771 [inline] [] SyS_setsockopt+0x158/0x240 net/socket.c:1750 [] entry_SYSCALL_64_fastpath+0x23/0xc6 Object at ffff8801dad345d0, in cache vm_area_struct size: 184 Allocated: PID = 23381 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 save_stack+0x43/0xd0 mm/kasan/kasan.c:495 set_track mm/kasan/kasan.c:507 [inline] kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598 kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:537 slab_post_alloc_hook mm/slab.h:417 [inline] slab_alloc_node 
mm/slub.c:2715 [inline] slab_alloc mm/slub.c:2723 [inline] kmem_cache_alloc+0xc9/0x2a0 mm/slub.c:2728 kmem_cache_zalloc include/linux/slab.h:626 [inline] mmap_region+0x5c0/0xfe0 mm/mmap.c:1662 do_mmap+0x595/0xbe0 mm/mmap.c:1473 do_mmap_pgoff include/linux/mm.h:2014 [inline] vm_mmap_pgoff+0x158/0x1a0 mm/util.c:305 SYSC_mmap_pgoff mm/mmap.c:1523 [inline] SyS_mmap_pgoff+0x423/0x580 mm/mmap.c:1481 SYSC_mmap arch/x86/kernel/sys_x86_64.c:95 [inline] SyS_mmap+0x16/0x20 arch/x86/kernel/sys_x86_64.c:86 entry_SYSCALL_64_fastpath+0x23/0xc6 Freed: PID = 23381 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 save_stack+0x43/0xd0 mm/kasan/kasan.c:495 set_track mm/kasan/kasan.c:507 [inline] kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:571 slab_free_hook mm/slub.c:1355 [inline] slab_free_freelist_hook mm/slub.c:1377 [inline] slab_free mm/slub.c:2958 [inline] kmem_cache_free+0xb2/0x2e0 mm/slub.c:2980 remove_vma+0x15d/0x1a0 mm/mmap.c:175 remove_vma_list mm/mmap.c:2482 [inline] do_munmap+0x7ff/0xeb0 mm/mmap.c:2705 SYSC_munmap mm/mmap.c:2733 [inline] SyS_munmap+0x72/0xa0 mm/mmap.c:2725 entry_SYSCALL_64_fastpath+0x23/0xc6 Memory state around the buggy address: ffff8801dad34500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8801dad34580: fb fb fc fc fc fc fc fc fc fc fb fb fb fb fb fb >ffff8801dad34600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff8801dad34680: fb fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb ffff8801dad34700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ================================================================== ================================================================== BUG: KASAN: use-after-free in parse_ipsecrequest net/key/af_key.c:1909 [inline] at addr ffff8801a4042652 BUG: KASAN: use-after-free in parse_ipsecrequests+0xc73/0xd00 net/key/af_key.c:1958 at addr ffff8801a4042652 Read of size 2 by task syz-executor1/23991 page:ffffea0006901080 count:0 mapcount:0 mapping: (null) index:0x0 flags: 0x200000000000000() page dumped 
because: kasan: bad access detected CPU: 1 PID: 23991 Comm: syz-executor1 Tainted: G B 4.9.39-g5b07c2d #4 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 ffff8801d5dff7b0 ffffffff81eacd59 ffffed00348084ca 0000000000000002 0000000000000000 ffffed00348084ca ffff8801a4042652 ffff8801d5dff830 ffffffff81547141 0000000000000010 ffffffff00000000 ffffffff8358b4b3 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xc1/0x128 lib/dump_stack.c:51 [] print_address_description mm/kasan/report.c:208 [inline] [] kasan_report_error mm/kasan/report.c:287 [inline] [] kasan_report.part.1+0x4a1/0x4e0 mm/kasan/report.c:309 [] kasan_report mm/kasan/report.c:341 [inline] [] __asan_report_load_n_noabort+0x24/0x30 mm/kasan/report.c:340 [] parse_ipsecrequest net/key/af_key.c:1909 [inline] [] parse_ipsecrequests+0xc73/0xd00 net/key/af_key.c:1958 [] pfkey_compile_policy+0xa20/0xd40 net/key/af_key.c:3250 [] xfrm_user_policy+0x222/0x370 net/xfrm/xfrm_state.c:1900 [] do_ip_setsockopt.isra.11+0x193e/0x28f0 net/ipv4/ip_sockglue.c:1146 [] ip_setsockopt+0x3a/0xb0 net/ipv4/ip_sockglue.c:1235 [] tcp_setsockopt+0x82/0xd0 net/ipv4/tcp.c:2701 [] sock_common_setsockopt+0x95/0xd0 net/core/sock.c:2705 [] SYSC_setsockopt net/socket.c:1771 [inline] [] SyS_setsockopt+0x158/0x240 net/socket.c:1750 [] entry_SYSCALL_64_fastpath+0x23/0xc6 Memory state around the buggy address: ffff8801a4042500: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ffff8801a4042580: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff >ffff8801a4042600: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ^ ffff8801a4042680: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ffff8801a4042700: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ================================================================== ================================================================== BUG: KASAN: use-after-free in parse_ipsecrequest net/key/af_key.c:1909 [inline] at addr ffff8801dad34652 BUG: KASAN: 
use-after-free in parse_ipsecrequests+0xc73/0xd00 net/key/af_key.c:1958 at addr ffff8801dad34652 Read of size 2 by task syz-executor4/24004 CPU: 0 PID: 24004 Comm: syz-executor4 Tainted: G B 4.9.39-g5b07c2d #4 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 ffff8801cee67788 ffffffff81eacd59 ffff8801dad533c0 ffff8801dad345d0 ffff8801dad34688 ffffed003b5a68ca ffff8801dad34652 ffff8801cee677b0 ffffffff81546bfc ffffed003b5a68ca ffff8801dad533c0 0000000000000000 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xc1/0x128 lib/dump_stack.c:51 [] kasan_object_err+0x1c/0x70 mm/kasan/report.c:160 [] print_address_description mm/kasan/report.c:198 [inline] [] kasan_report_error mm/kasan/report.c:287 [inline] [] kasan_report.part.1+0x20d/0x4e0 mm/kasan/report.c:309 [] kasan_report mm/kasan/report.c:341 [inline] [] __asan_report_load_n_noabort+0x24/0x30 mm/kasan/report.c:340 [] parse_ipsecrequest net/key/af_key.c:1909 [inline] [] parse_ipsecrequests+0xc73/0xd00 net/key/af_key.c:1958 [] pfkey_compile_policy+0xa20/0xd40 net/key/af_key.c:3250 [] xfrm_user_policy+0x222/0x370 net/xfrm/xfrm_state.c:1900 [] do_ip_setsockopt.isra.11+0x193e/0x28f0 net/ipv4/ip_sockglue.c:1146 [] ip_setsockopt+0x3a/0xb0 net/ipv4/ip_sockglue.c:1235 [] tcp_setsockopt+0x82/0xd0 net/ipv4/tcp.c:2701 [] sock_common_setsockopt+0x95/0xd0 net/core/sock.c:2705 [] SYSC_setsockopt net/socket.c:1771 [inline] [] SyS_setsockopt+0x158/0x240 net/socket.c:1750 [] entry_SYSCALL_64_fastpath+0x23/0xc6 Object at ffff8801dad345d0, in cache vm_area_struct size: 184 Allocated: PID = 23381 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 save_stack+0x43/0xd0 mm/kasan/kasan.c:495 set_track mm/kasan/kasan.c:507 [inline] kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598 kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:537 slab_post_alloc_hook mm/slab.h:417 [inline] slab_alloc_node mm/slub.c:2715 [inline] slab_alloc mm/slub.c:2723 [inline] kmem_cache_alloc+0xc9/0x2a0 
mm/slub.c:2728 kmem_cache_zalloc include/linux/slab.h:626 [inline] mmap_region+0x5c0/0xfe0 mm/mmap.c:1662 do_mmap+0x595/0xbe0 mm/mmap.c:1473 do_mmap_pgoff include/linux/mm.h:2014 [inline] vm_mmap_pgoff+0x158/0x1a0 mm/util.c:305 SYSC_mmap_pgoff mm/mmap.c:1523 [inline] SyS_mmap_pgoff+0x423/0x580 mm/mmap.c:1481 SYSC_mmap arch/x86/kernel/sys_x86_64.c:95 [inline] SyS_mmap+0x16/0x20 arch/x86/kernel/sys_x86_64.c:86 entry_SYSCALL_64_fastpath+0x23/0xc6 Freed: PID = 23381 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 save_stack+0x43/0xd0 mm/kasan/kasan.c:495 set_track mm/kasan/kasan.c:507 [inline] kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:571 slab_free_hook mm/slub.c:1355 [inline] slab_free_freelist_hook mm/slub.c:1377 [inline] slab_free mm/slub.c:2958 [inline] kmem_cache_free+0xb2/0x2e0 mm/slub.c:2980 remove_vma+0x15d/0x1a0 mm/mmap.c:175 remove_vma_list mm/mmap.c:2482 [inline] do_munmap+0x7ff/0xeb0 mm/mmap.c:2705 SYSC_munmap mm/mmap.c:2733 [inline] SyS_munmap+0x72/0xa0 mm/mmap.c:2725 entry_SYSCALL_64_fastpath+0x23/0xc6 Memory state around the buggy address: ffff8801dad34500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8801dad34580: fb fb fc fc fc fc fc fc fc fc fb fb fb fb fb fb >ffff8801dad34600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff8801dad34680: fb fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb ffff8801dad34700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ================================================================== ================================================================== BUG: KASAN: use-after-free in parse_ipsecrequest net/key/af_key.c:1913 [inline] at addr ffff8801dad34655 BUG: KASAN: use-after-free in parse_ipsecrequests+0xcd8/0xd00 net/key/af_key.c:1958 at addr ffff8801dad34655 Read of size 1 by task syz-executor4/24004 CPU: 1 PID: 24004 Comm: syz-executor4 Tainted: G B 4.9.39-g5b07c2d #4 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 ffff8801cee67788 ffffffff81eacd59 
ffff8801dad533c0 ffff8801dad345d0 ffff8801dad34688 ffffed003b5a68ca ffff8801dad34655 ffff8801cee677b0 ffffffff81546bfc ffffed003b5a68ca ffff8801dad533c0 0000000000000000 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xc1/0x128 lib/dump_stack.c:51 [] kasan_object_err+0x1c/0x70 mm/kasan/report.c:160 [] print_address_description mm/kasan/report.c:198 [inline] [] kasan_report_error mm/kasan/report.c:287 [inline] [] kasan_report.part.1+0x20d/0x4e0 mm/kasan/report.c:309 [] kasan_report mm/kasan/report.c:327 [inline] [] __asan_report_load1_noabort+0x29/0x30 mm/kasan/report.c:327 [] parse_ipsecrequest net/key/af_key.c:1913 [inline] [] parse_ipsecrequests+0xcd8/0xd00 net/key/af_key.c:1958 [] pfkey_compile_policy+0xa20/0xd40 net/key/af_key.c:3250 [] xfrm_user_policy+0x222/0x370 net/xfrm/xfrm_state.c:1900 [] do_ip_setsockopt.isra.11+0x193e/0x28f0 net/ipv4/ip_sockglue.c:1146 [] ip_setsockopt+0x3a/0xb0 net/ipv4/ip_sockglue.c:1235 [] tcp_setsockopt+0x82/0xd0 net/ipv4/tcp.c:2701 [] sock_common_setsockopt+0x95/0xd0 net/core/sock.c:2705 [] SYSC_setsockopt net/socket.c:1771 [inline] [] SyS_setsockopt+0x158/0x240 net/socket.c:1750 [] entry_SYSCALL_64_fastpath+0x23/0xc6 Object at ffff8801dad345d0, in cache vm_area_struct size: 184 Allocated: PID = 23381 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 save_stack+0x43/0xd0 mm/kasan/kasan.c:495 set_track mm/kasan/kasan.c:507 [inline] kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598 kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:537 slab_post_alloc_hook mm/slab.h:417 [inline] slab_alloc_node mm/slub.c:2715 [inline] slab_alloc mm/slub.c:2723 [inline] kmem_cache_alloc+0xc9/0x2a0 mm/slub.c:2728 kmem_cache_zalloc include/linux/slab.h:626 [inline] mmap_region+0x5c0/0xfe0 mm/mmap.c:1662 do_mmap+0x595/0xbe0 mm/mmap.c:1473 do_mmap_pgoff include/linux/mm.h:2014 [inline] vm_mmap_pgoff+0x158/0x1a0 mm/util.c:305 SYSC_mmap_pgoff mm/mmap.c:1523 [inline] SyS_mmap_pgoff+0x423/0x580 mm/mmap.c:1481 SYSC_mmap 
arch/x86/kernel/sys_x86_64.c:95 [inline] SyS_mmap+0x16/0x20 arch/x86/kernel/sys_x86_64.c:86 entry_SYSCALL_64_fastpath+0x23/0xc6 Freed: PID = 23381 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 save_stack+0x43/0xd0 mm/kasan/kasan.c:495 set_track mm/kasan/kasan.c:507 [inline] kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:571 slab_free_hook mm/slub.c:1355 [inline] slab_free_freelist_hook mm/slub.c:1377 [inline] slab_free mm/slub.c:2958 [inline] kmem_cache_free+0xb2/0x2e0 mm/slub.c:2980 remove_vma+0x15d/0x1a0 mm/mmap.c:175 remove_vma_list mm/mmap.c:2482 [inline] do_munmap+0x7ff/0xeb0 mm/mmap.c:2705 SYSC_munmap mm/mmap.c:2733 [inline] SyS_munmap+0x72/0xa0 mm/mmap.c:2725 entry_SYSCALL_64_fastpath+0x23/0xc6 Memory state around the buggy address: ffff8801dad34500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8801dad34580: fb fb fc fc fc fc fc fc fc fc fb fb fb fb fb fb >ffff8801dad34600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^