sock: process `syz-executor2' is using obsolete setsockopt SO_BSDCOMPAT
==================================================================
BUG: KASAN: slab-out-of-bounds in sock_net_uid include/net/sock.h:1733 [inline]
BUG: KASAN: slab-out-of-bounds in ip6_route_me_harder+0x9d8/0xc00 net/ipv6/netfilter.c:26
Read of size 4 at addr ffff8801b11301b0 by task syz-executor5/26675

CPU: 1 PID: 26675 Comm: syz-executor5 Not tainted 4.16.0-rc2+ #250
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x194/0x24d lib/dump_stack.c:53
 print_address_description+0x73/0x250 mm/kasan/report.c:256
 kasan_report_error mm/kasan/report.c:354 [inline]
 kasan_report+0x23b/0x360 mm/kasan/report.c:412
 __asan_report_load4_noabort+0x14/0x20 mm/kasan/report.c:432
 sock_net_uid include/net/sock.h:1733 [inline]
 ip6_route_me_harder+0x9d8/0xc00 net/ipv6/netfilter.c:26
 nf_nat_ipv6_local_fn+0x2a4/0x5d0 net/ipv6/netfilter/nf_nat_l3proto_ipv6.c:414
 ip6table_nat_local_fn+0x2c/0x40 net/ipv6/netfilter/ip6table_nat.c:69
 nf_hook_entry_hookfn include/linux/netfilter.h:120 [inline]
 nf_hook_slow+0xba/0x1a0 net/netfilter/core.c:483
 nf_hook include/linux/netfilter.h:243 [inline]
 NF_HOOK include/linux/netfilter.h:286 [inline]
 ip6_xmit+0x10ec/0x2260 net/ipv6/ip6_output.c:277
 tcp_v6_send_synack+0x57b/0xaa0 net/ipv6/tcp_ipv6.c:490
 tcp_conn_request+0x26fd/0x3660 net/ipv4/tcp_input.c:6335
 tcp_v6_conn_request+0x212/0x270 net/ipv6/tcp_ipv6.c:1021
 tcp_rcv_state_process+0x92a/0x4760 net/ipv4/tcp_input.c:5842
 tcp_v6_do_rcv+0x739/0x1250 net/ipv6/tcp_ipv6.c:1331
 tcp_v6_rcv+0x25a0/0x2d40 net/ipv6/tcp_ipv6.c:1521
 ip6_input_finish+0x37e/0x17a0 net/ipv6/ip6_input.c:284
 NF_HOOK include/linux/netfilter.h:288 [inline]
 ip6_input+0xdb/0x560 net/ipv6/ip6_input.c:327
 dst_input include/net/dst.h:449 [inline]
 ip6_rcv_finish+0x297/0x8c0 net/ipv6/ip6_input.c:71
 NF_HOOK include/linux/netfilter.h:288 [inline]
 ipv6_rcv+0xf37/0x1fa0 net/ipv6/ip6_input.c:208
 __netif_receive_skb_core+0x1a41/0x3460 net/core/dev.c:4554
 __netif_receive_skb+0x2c/0x1b0 net/core/dev.c:4619
 netif_receive_skb_internal+0x10b/0x670 net/core/dev.c:4693
 netif_receive_skb+0xae/0x390 net/core/dev.c:4717
 tun_rx_batched.isra.52+0x5ee/0x870 drivers/net/tun.c:1556
 tun_get_user+0x25a5/0x3810 drivers/net/tun.c:1957
 tun_chr_write_iter+0xbd/0x1c0 drivers/net/tun.c:1985
 call_write_iter include/linux/fs.h:1781 [inline]
 do_iter_readv_writev+0x55c/0x830 fs/read_write.c:653
 do_iter_write+0x154/0x540 fs/read_write.c:932
 vfs_writev+0x18a/0x340 fs/read_write.c:977
 do_writev+0xfc/0x2a0 fs/read_write.c:1012
 SYSC_writev fs/read_write.c:1085 [inline]
 SyS_writev+0x27/0x30 fs/read_write.c:1082
 do_syscall_64+0x280/0x940 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x453c41
RSP: 002b:00007fb6c30d6ba0 EFLAGS: 00000293 ORIG_RAX: 0000000000000014
RAX: ffffffffffffffda RBX: 000000000000004a RCX: 0000000000453c41
RDX: 0000000000000001 RSI: 00007fb6c30d6bf0 RDI: 00000000000000fc
RBP: 0000000020000100 R08: 00000000000000fc R09: 0000000000000000
R10: 000000000000004a R11: 0000000000000293 R12: 00000000ffffffff
R13: 0000000000000627 R14: 00000000006f9448 R15: 0000000000000000

Allocated by task 22653:
 save_stack+0x43/0xd0 mm/kasan/kasan.c:447
 set_track mm/kasan/kasan.c:459 [inline]
 kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:552
 kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:489
 kmem_cache_alloc+0x12e/0x760 mm/slab.c:3541
 __sigqueue_alloc+0x329/0x660 kernel/signal.c:388
 __send_signal+0x2e6/0x1740 kernel/signal.c:1047
 send_signal+0x4a/0xc0 kernel/signal.c:1115
 specific_send_sig_info kernel/signal.c:1160 [inline]
 force_sig_info+0x242/0x340 kernel/signal.c:1212
 force_sig_info_fault.constprop.30+0x318/0x480 arch/x86/mm/fault.c:224
 __bad_area_nosemaphore+0x1d2/0x3e0 arch/x86/mm/fault.c:920
 __bad_area+0x151/0x1f0 arch/x86/mm/fault.c:954
 bad_area_access_error+0x166/0x240 arch/x86/mm/fault.c:993
 __do_page_fault+0x3d1/0xc90 arch/x86/mm/fault.c:1406
 do_page_fault+0xee/0x730 arch/x86/mm/fault.c:1501
 page_fault+0x82/0x90 arch/x86/entry/entry_64.S:1122

Freed by task 22653:
 save_stack+0x43/0xd0 mm/kasan/kasan.c:447
 set_track mm/kasan/kasan.c:459 [inline]
 __kasan_slab_free+0x11a/0x170 mm/kasan/kasan.c:520
 kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:527
 __cache_free mm/slab.c:3485 [inline]
 kmem_cache_free+0x83/0x2a0 mm/slab.c:3743
 __sigqueue_free.part.16+0x51/0x60 kernel/signal.c:411
 __sigqueue_free kernel/signal.c:407 [inline]
 collect_signal kernel/signal.c:547 [inline]
 __dequeue_signal+0x42c/0x760 kernel/signal.c:569
 dequeue_signal+0xb7/0x590 kernel/signal.c:587
 get_signal+0x385/0x16d0 kernel/signal.c:2362
 do_signal+0x90/0x1e90 arch/x86/kernel/signal.c:809
 exit_to_usermode_loop+0x258/0x2f0 arch/x86/entry/common.c:162
 prepare_exit_to_usermode+0x2d9/0x350 arch/x86/entry/common.c:196
 retint_user+0x8/0x18

The buggy address belongs to the object at ffff8801b11300e0
 which belongs to the cache sigqueue of size 160
The buggy address is located 48 bytes to the right of
 160-byte region [ffff8801b11300e0, ffff8801b1130180)
The buggy address belongs to the page:
page:ffffea0006c44c00 count:1 mapcount:0 mapping:ffff8801b1130000 index:0xffff8801b1130000
flags: 0x2fffc0000000100(slab)
raw: 02fffc0000000100 ffff8801b1130000 ffff8801b1130000 000000010000000d
raw: ffffea00073c3020 ffffea0007696560 ffff8801d9a48ac0 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8801b1130080: fb fb fb fb fc fc fc fc fc fc fc fc fb fb fb fb
 ffff8801b1130100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8801b1130180: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
                                     ^
 ffff8801b1130200: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
 ffff8801b1130280: fc fc fc fc fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================