==================================================================
BUG: KASAN: use-after-free in parse_ipsecrequest net/key/af_key.c:1906 [inline] at addr ffff88010329e2b6
BUG: KASAN: use-after-free in parse_ipsecrequests+0xc7d/0xd00 net/key/af_key.c:1958 at addr ffff88010329e2b6
Read of size 1 by task syz-executor3/19554
CPU: 0 PID: 19554 Comm: syz-executor3 Not tainted 4.9.39-g5b07c2d #4
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801d5e9f788 ffffffff81eacd59 ffff8801dad53a00 ffff88010329d500
 ffff88010329e500 ffffed0020653c56 ffff88010329e2b6 ffff8801d5e9f7b0
 ffffffff81546bfc ffffed0020653c56 ffff8801dad53a00 0000000000000000
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [] kasan_object_err+0x1c/0x70 mm/kasan/report.c:160
 [] print_address_description mm/kasan/report.c:198 [inline]
 [] kasan_report_error mm/kasan/report.c:287 [inline]
 [] kasan_report.part.1+0x20d/0x4e0 mm/kasan/report.c:309
 [] kasan_report mm/kasan/report.c:327 [inline]
 [] __asan_report_load1_noabort+0x29/0x30 mm/kasan/report.c:327
 [] parse_ipsecrequest net/key/af_key.c:1906 [inline]
 [] parse_ipsecrequests+0xc7d/0xd00 net/key/af_key.c:1958
 [] pfkey_compile_policy+0xa20/0xd40 net/key/af_key.c:3250
 [] xfrm_user_policy+0x222/0x370 net/xfrm/xfrm_state.c:1900
 [] do_ip_setsockopt.isra.11+0x193e/0x28f0 net/ipv4/ip_sockglue.c:1146
 [] ip_setsockopt+0x3a/0xb0 net/ipv4/ip_sockglue.c:1235
 [] tcp_setsockopt+0x82/0xd0 net/ipv4/tcp.c:2701
 [] sock_common_setsockopt+0x95/0xd0 net/core/sock.c:2705
 [] SYSC_setsockopt net/socket.c:1771 [inline]
 [] SyS_setsockopt+0x158/0x240 net/socket.c:1750
 [] entry_SYSCALL_64_fastpath+0x23/0xc6
Object at ffff88010329d500, in cache names_cache size: 4096
Allocated:
PID = 18652
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:495
 set_track mm/kasan/kasan.c:507 [inline]
 kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598
 kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:537
 slab_post_alloc_hook mm/slab.h:417 [inline]
 slab_alloc_node mm/slub.c:2715 [inline]
 slab_alloc mm/slub.c:2723 [inline]
 kmem_cache_alloc+0xc9/0x2a0 mm/slub.c:2728
 getname_flags+0xcb/0x580 fs/namei.c:137
 getname+0x19/0x20 fs/namei.c:208
 do_sys_open+0x217/0x4b0 fs/open.c:1066
 SYSC_open fs/open.c:1090 [inline]
 SyS_open+0x2d/0x40 fs/open.c:1085
 entry_SYSCALL_64_fastpath+0x23/0xc6
Freed:
PID = 18652
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:495
 set_track mm/kasan/kasan.c:507 [inline]
 kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:571
 slab_free_hook mm/slub.c:1355 [inline]
 slab_free_freelist_hook mm/slub.c:1377 [inline]
 slab_free mm/slub.c:2958 [inline]
 kmem_cache_free+0xb2/0x2e0 mm/slub.c:2980
 putname+0xee/0x130 fs/namei.c:257
 do_sys_open+0x24c/0x4b0 fs/open.c:1081
 SYSC_open fs/open.c:1090 [inline]
 SyS_open+0x2d/0x40 fs/open.c:1085
 entry_SYSCALL_64_fastpath+0x23/0xc6
Memory state around the buggy address:
 ffff88010329e180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88010329e200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff88010329e280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                     ^
 ffff88010329e300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88010329e380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
==================================================================
BUG: KASAN: use-after-free in parse_ipsecrequest net/key/af_key.c:1906 [inline] at addr ffff8801cbb487b6
BUG: KASAN: use-after-free in parse_ipsecrequests+0xc7d/0xd00 net/key/af_key.c:1958 at addr ffff8801cbb487b6
Read of size 1 by task syz-executor3/19596
page:ffffea00072ed200 count:0 mapcount:0 mapping:          (null) index:0x0
flags: 0x200000000000000()
page dumped because: kasan: bad access detected
CPU: 1 PID: 19596 Comm: syz-executor3 Tainted: G    B           4.9.39-g5b07c2d #4
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801cce577b0 ffffffff81eacd59 ffffed00397690f6 0000000000000001
 0000000000000000 ffffed00397690f6 ffff8801cbb487b6 ffff8801cce57830
 ffffffff81547141 0000000000000046 0000000000000000 ffffffff8358b4bd
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [] print_address_description mm/kasan/report.c:208 [inline]
 [] kasan_report_error mm/kasan/report.c:287 [inline]
 [] kasan_report.part.1+0x4a1/0x4e0 mm/kasan/report.c:309
 [] kasan_report mm/kasan/report.c:327 [inline]
 [] __asan_report_load1_noabort+0x29/0x30 mm/kasan/report.c:327
 [] parse_ipsecrequest net/key/af_key.c:1906 [inline]
 [] parse_ipsecrequests+0xc7d/0xd00 net/key/af_key.c:1958
 [] pfkey_compile_policy+0xa20/0xd40 net/key/af_key.c:3250
 [] xfrm_user_policy+0x222/0x370 net/xfrm/xfrm_state.c:1900
 [] do_ip_setsockopt.isra.11+0x193e/0x28f0 net/ipv4/ip_sockglue.c:1146
 [] ip_setsockopt+0x3a/0xb0 net/ipv4/ip_sockglue.c:1235
 [] tcp_setsockopt+0x82/0xd0 net/ipv4/tcp.c:2701
 [] sock_common_setsockopt+0x95/0xd0 net/core/sock.c:2705
 [] SYSC_setsockopt net/socket.c:1771 [inline]
 [] SyS_setsockopt+0x158/0x240 net/socket.c:1750
 [] entry_SYSCALL_64_fastpath+0x23/0xc6
Memory state around the buggy address:
 ffff8801cbb48680: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff8801cbb48700: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff8801cbb48780: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                                     ^
 ffff8801cbb48800: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff8801cbb48880: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================
==================================================================
BUG: KASAN: use-after-free in parse_ipsecrequest net/key/af_key.c:1906 [inline] at addr ffff88010329e4b6
BUG: KASAN: use-after-free in parse_ipsecrequests+0xc7d/0xd00 net/key/af_key.c:1958 at addr ffff88010329e4b6
Read of size 1 by task syz-executor3/19627
CPU: 0 PID: 19627 Comm: syz-executor3 Tainted: G    B           4.9.39-g5b07c2d #4
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801c5557788 ffffffff81eacd59 ffff8801dad53a00 ffff88010329d500
 ffff88010329e500 ffffed0020653c96 ffff88010329e4b6 ffff8801c55577b0
 ffffffff81546bfc ffffed0020653c96 ffff8801dad53a00 0000000000000000
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [] kasan_object_err+0x1c/0x70 mm/kasan/report.c:160
 [] print_address_description mm/kasan/report.c:198 [inline]
 [] kasan_report_error mm/kasan/report.c:287 [inline]
 [] kasan_report.part.1+0x20d/0x4e0 mm/kasan/report.c:309
 [] kasan_report mm/kasan/report.c:327 [inline]
 [] __asan_report_load1_noabort+0x29/0x30 mm/kasan/report.c:327
 [] parse_ipsecrequest net/key/af_key.c:1906 [inline]
 [] parse_ipsecrequests+0xc7d/0xd00 net/key/af_key.c:1958
 [] pfkey_compile_policy+0xa20/0xd40 net/key/af_key.c:3250
 [] xfrm_user_policy+0x222/0x370 net/xfrm/xfrm_state.c:1900
 [] do_ip_setsockopt.isra.11+0x193e/0x28f0 net/ipv4/ip_sockglue.c:1146
 [] ip_setsockopt+0x3a/0xb0 net/ipv4/ip_sockglue.c:1235
 [] tcp_setsockopt+0x82/0xd0 net/ipv4/tcp.c:2701
 [] sock_common_setsockopt+0x95/0xd0 net/core/sock.c:2705
 [] SYSC_setsockopt net/socket.c:1771 [inline]
 [] SyS_setsockopt+0x158/0x240 net/socket.c:1750
 [] entry_SYSCALL_64_fastpath+0x23/0xc6
Object at ffff88010329d500, in cache names_cache size: 4096
Allocated:
PID = 18652
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:495
 set_track mm/kasan/kasan.c:507 [inline]
 kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598
 kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:537
 slab_post_alloc_hook mm/slab.h:417 [inline]
 slab_alloc_node mm/slub.c:2715 [inline]
 slab_alloc mm/slub.c:2723 [inline]
 kmem_cache_alloc+0xc9/0x2a0 mm/slub.c:2728
 getname_flags+0xcb/0x580 fs/namei.c:137
 getname+0x19/0x20 fs/namei.c:208
 do_sys_open+0x217/0x4b0 fs/open.c:1066
 SYSC_open fs/open.c:1090 [inline]
 SyS_open+0x2d/0x40 fs/open.c:1085
 entry_SYSCALL_64_fastpath+0x23/0xc6
Freed:
PID = 18652
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:495
 set_track mm/kasan/kasan.c:507 [inline]
 kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:571
 slab_free_hook mm/slub.c:1355 [inline]
 slab_free_freelist_hook mm/slub.c:1377 [inline]
 slab_free mm/slub.c:2958 [inline]
 kmem_cache_free+0xb2/0x2e0 mm/slub.c:2980
 putname+0xee/0x130 fs/namei.c:257
 do_sys_open+0x24c/0x4b0 fs/open.c:1081
 SYSC_open fs/open.c:1090 [inline]
 SyS_open+0x2d/0x40 fs/open.c:1085
 entry_SYSCALL_64_fastpath+0x23/0xc6
Memory state around the buggy address:
 ffff88010329e380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88010329e400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff88010329e480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                     ^
 ffff88010329e500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff88010329e580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
==================================================================
BUG: KASAN: use-after-free in parse_ipsecrequest net/key/af_key.c:1906 [inline] at addr ffff8801aa3266b6
BUG: KASAN: use-after-free in parse_ipsecrequests+0xc7d/0xd00 net/key/af_key.c:1958 at addr ffff8801aa3266b6
Read of size 1 by task syz-executor3/19698
CPU: 0 PID: 19698 Comm: syz-executor3 Tainted: G    B           4.9.39-g5b07c2d #4
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801d186f788 ffffffff81eacd59 ffff8801dad53a00 ffff8801aa326600
 ffff8801aa327600 ffffed0035464cd6 ffff8801aa3266b6 ffff8801d186f7b0
 ffffffff81546bfc ffffed0035464cd6 ffff8801dad53a00 0000000000000000
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [] kasan_object_err+0x1c/0x70 mm/kasan/report.c:160
 [] print_address_description mm/kasan/report.c:198 [inline]
 [] kasan_report_error mm/kasan/report.c:287 [inline]
 [] kasan_report.part.1+0x20d/0x4e0 mm/kasan/report.c:309
 [] kasan_report mm/kasan/report.c:327 [inline]
 [] __asan_report_load1_noabort+0x29/0x30 mm/kasan/report.c:327
 [] parse_ipsecrequest net/key/af_key.c:1906 [inline]
 [] parse_ipsecrequests+0xc7d/0xd00 net/key/af_key.c:1958
 [] pfkey_compile_policy+0xa20/0xd40 net/key/af_key.c:3250
 [] xfrm_user_policy+0x222/0x370 net/xfrm/xfrm_state.c:1900
 [] do_ip_setsockopt.isra.11+0x193e/0x28f0 net/ipv4/ip_sockglue.c:1146
 [] ip_setsockopt+0x3a/0xb0 net/ipv4/ip_sockglue.c:1235
 [] tcp_setsockopt+0x82/0xd0 net/ipv4/tcp.c:2701
 [] sock_common_setsockopt+0x95/0xd0 net/core/sock.c:2705
 [] SYSC_setsockopt net/socket.c:1771 [inline]
 [] SyS_setsockopt+0x158/0x240 net/socket.c:1750
 [] entry_SYSCALL_64_fastpath+0x23/0xc6
Object at ffff8801aa326600, in cache names_cache size: 4096
Allocated:
PID = 19350
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:495
 set_track mm/kasan/kasan.c:507 [inline]
 kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598
 kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:537
 slab_post_alloc_hook mm/slab.h:417 [inline]
 slab_alloc_node mm/slub.c:2715 [inline]
 slab_alloc mm/slub.c:2723 [inline]
 kmem_cache_alloc+0xc9/0x2a0 mm/slub.c:2728
 getname_flags+0xcb/0x580 fs/namei.c:137
 user_path_at_empty+0x2d/0x50 fs/namei.c:2576
 user_path_at include/linux/namei.h:55 [inline]
 vfs_fstatat+0xbe/0x150 fs/stat.c:106
 vfs_stat fs/stat.c:123 [inline]
 SYSC_newstat+0x7e/0xe0 fs/stat.c:270
 SyS_newstat+0x1d/0x30 fs/stat.c:266
 entry_SYSCALL_64_fastpath+0x23/0xc6
Freed:
PID = 19350
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:495
 set_track mm/kasan/kasan.c:507 [inline]
 kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:571
 slab_free_hook mm/slub.c:1355 [inline]
 slab_free_freelist_hook mm/slub.c:1377 [inline]
 slab_free mm/slub.c:2958 [inline]
 kmem_cache_free+0xb2/0x2e0 mm/slub.c:2980
 putname+0xee/0x130 fs/namei.c:257
 filename_lookup+0x234/0x390 fs/namei.c:2324
 user_path_at_empty+0x40/0x50 fs/namei.c:2576
 user_path_at include/linux/namei.h:55 [inline]
 vfs_fstatat+0xbe/0x150 fs/stat.c:106
 vfs_stat fs/stat.c:123 [inline]
 SYSC_newstat+0x7e/0xe0 fs/stat.c:270
 SyS_newstat+0x1d/0x30 fs/stat.c:266
 entry_SYSCALL_64_fastpath+0x23/0xc6
Memory state around the buggy address:
 ffff8801aa326580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff8801aa326600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8801aa326680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                     ^
 ffff8801aa326700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8801aa326780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
==================================================================
BUG: KASAN: use-after-free in parse_ipsecrequest net/key/af_key.c:1906 [inline] at addr ffff8801cbb489b6
BUG: KASAN: use-after-free in parse_ipsecrequests+0xc7d/0xd00 net/key/af_key.c:1958 at addr ffff8801cbb489b6
Read of size 1 by task syz-executor3/19720
page:ffffea00072ed200 count:0 mapcount:0 mapping:          (null) index:0x0
flags: 0x200000000000000()
page dumped because: kasan: bad access detected
CPU: 1 PID: 19720 Comm: syz-executor3 Tainted: G    B           4.9.39-g5b07c2d #4
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801cf96f7b0 ffffffff81eacd59 ffffed0039769136 0000000000000001
 0000000000000000 ffffed0039769136 ffff8801cbb489b6 ffff8801cf96f830
 ffffffff81547141 0000000000000000 0000000000000000 ffffffff8358b4bd
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [] print_address_description mm/kasan/report.c:208 [inline]
 [] kasan_report_error mm/kasan/report.c:287 [inline]
 [] kasan_report.part.1+0x4a1/0x4e0 mm/kasan/report.c:309
 [] kasan_report mm/kasan/report.c:327 [inline]
 [] __asan_report_load1_noabort+0x29/0x30 mm/kasan/report.c:327
 [] parse_ipsecrequest net/key/af_key.c:1906 [inline]
 [] parse_ipsecrequests+0xc7d/0xd00 net/key/af_key.c:1958
 [] pfkey_compile_policy+0xa20/0xd40 net/key/af_key.c:3250
 [] xfrm_user_policy+0x222/0x370 net/xfrm/xfrm_state.c:1900
 [] do_ip_setsockopt.isra.11+0x193e/0x28f0 net/ipv4/ip_sockglue.c:1146
 [] ip_setsockopt+0x3a/0xb0 net/ipv4/ip_sockglue.c:1235
 [] tcp_setsockopt+0x82/0xd0 net/ipv4/tcp.c:2701
 [] sock_common_setsockopt+0x95/0xd0 net/core/sock.c:2705
 [] SYSC_setsockopt net/socket.c:1771 [inline]
 [] SyS_setsockopt+0x158/0x240 net/socket.c:1750
 [] entry_SYSCALL_64_fastpath+0x23/0xc6
Memory state around the buggy address:
 ffff8801cbb48880: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff8801cbb48900: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff8801cbb48980: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                                     ^
 ffff8801cbb48a00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff8801cbb48a80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================
==================================================================
BUG: KASAN: use-after-free in parse_ipsecrequest net/key/af_key.c:1906 [inline] at addr ffff8801aa3267b6
BUG: KASAN: use-after-free in parse_ipsecrequests+0xc7d/0xd00 net/key/af_key.c:1958 at addr ffff8801aa3267b6
Read of size 1 by task syz-executor3/19724
CPU: 0 PID: 19724 Comm: syz-executor3 Tainted: G    B           4.9.39-g5b07c2d #4
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801d83af788 ffffffff81eacd59 ffff8801dad53a00 ffff8801aa326600
 ffff8801aa327600 ffffed0035464cf6 ffff8801aa3267b6 ffff8801d83af7b0
 ffffffff81546bfc ffffed0035464cf6 ffff8801dad53a00 0000000000000000
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [] kasan_object_err+0x1c/0x70 mm/kasan/report.c:160
 [] print_address_description mm/kasan/report.c:198 [inline]
 [] kasan_report_error mm/kasan/report.c:287 [inline]
 [] kasan_report.part.1+0x20d/0x4e0 mm/kasan/report.c:309
 [] kasan_report mm/kasan/report.c:327 [inline]
 [] __asan_report_load1_noabort+0x29/0x30 mm/kasan/report.c:327
 [] parse_ipsecrequest net/key/af_key.c:1906 [inline]
 [] parse_ipsecrequests+0xc7d/0xd00 net/key/af_key.c:1958
 [] pfkey_compile_policy+0xa20/0xd40 net/key/af_key.c:3250
 [] xfrm_user_policy+0x222/0x370 net/xfrm/xfrm_state.c:1900
 [] do_ip_setsockopt.isra.11+0x193e/0x28f0 net/ipv4/ip_sockglue.c:1146
 [] ip_setsockopt+0x3a/0xb0 net/ipv4/ip_sockglue.c:1235
 [] tcp_setsockopt+0x82/0xd0 net/ipv4/tcp.c:2701
 [] sock_common_setsockopt+0x95/0xd0 net/core/sock.c:2705
 [] SYSC_setsockopt net/socket.c:1771 [inline]
 [] SyS_setsockopt+0x158/0x240 net/socket.c:1750
 [] entry_SYSCALL_64_fastpath+0x23/0xc6
Object at ffff8801aa326600, in cache names_cache size: 4096
Allocated:
PID = 19350
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:495
 set_track mm/kasan/kasan.c:507 [inline]
 kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598
 kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:537
 slab_post_alloc_hook mm/slab.h:417 [inline]
 slab_alloc_node mm/slub.c:2715 [inline]
 slab_alloc mm/slub.c:2723 [inline]
 kmem_cache_alloc+0xc9/0x2a0 mm/slub.c:2728
 getname_flags+0xcb/0x580 fs/namei.c:137
 user_path_at_empty+0x2d/0x50 fs/namei.c:2576
 user_path_at include/linux/namei.h:55 [inline]
 vfs_fstatat+0xbe/0x150 fs/stat.c:106
 vfs_stat fs/stat.c:123 [inline]
 SYSC_newstat+0x7e/0xe0 fs/stat.c:270
 SyS_newstat+0x1d/0x30 fs/stat.c:266
 entry_SYSCALL_64_fastpath+0x23/0xc6
Freed:
PID = 19350
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:495
 set_track mm/kasan/kasan.c:507 [inline]
 kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:571
 slab_free_hook mm/slub.c:1355 [inline]
 slab_free_freelist_hook mm/slub.c:1377 [inline]
 slab_free mm/slub.c:2958 [inline]
 kmem_cache_free+0xb2/0x2e0 mm/slub.c:2980
 putname+0xee/0x130 fs/namei.c:257
 filename_lookup+0x234/0x390 fs/namei.c:2324
 user_path_at_empty+0x40/0x50 fs/namei.c:2576
 user_path_at include/linux/namei.h:55 [inline]
 vfs_fstatat+0xbe/0x150 fs/stat.c:106
 vfs_stat fs/stat.c:123 [inline]
 SYSC_newstat+0x7e/0xe0 fs/stat.c:270
 SyS_newstat+0x1d/0x30 fs/stat.c:266
 entry_SYSCALL_64_fastpath+0x23/0xc6
Memory state around the buggy address:
 ffff8801aa326680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8801aa326700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8801aa326780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                     ^
 ffff8801aa326800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8801aa326880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
==================================================================
BUG: KASAN: use-after-free in parse_ipsecrequest net/key/af_key.c:1906 [inline] at addr ffff8801cbb48bb6
BUG: KASAN: use-after-free in parse_ipsecrequests+0xc7d/0xd00 net/key/af_key.c:1958 at addr ffff8801cbb48bb6
Read of size 1 by task syz-executor3/19795
page:ffffea00072ed200 count:0 mapcount:0 mapping:          (null) index:0x0
flags: 0x200000000000000()
page dumped because: kasan: bad access detected
CPU: 1 PID: 19795 Comm: syz-executor3 Tainted: G    B           4.9.39-g5b07c2d #4
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801aa35f7b0 ffffffff81eacd59 ffffed0039769176 0000000000000001
 0000000000000000 ffffed0039769176 ffff8801cbb48bb6 ffff8801aa35f830
 ffffffff81547141 0000000000000000 0000000000000000 ffffffff8358b4bd
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [] print_address_description mm/kasan/report.c:208 [inline]
 [] kasan_report_error mm/kasan/report.c:287 [inline]
 [] kasan_report.part.1+0x4a1/0x4e0 mm/kasan/report.c:309
 [] kasan_report mm/kasan/report.c:327 [inline]
 [] __asan_report_load1_noabort+0x29/0x30 mm/kasan/report.c:327
 [] parse_ipsecrequest net/key/af_key.c:1906 [inline]
 [] parse_ipsecrequests+0xc7d/0xd00 net/key/af_key.c:1958
 [] pfkey_compile_policy+0xa20/0xd40 net/key/af_key.c:3250
 [] xfrm_user_policy+0x222/0x370 net/xfrm/xfrm_state.c:1900
 [] do_ip_setsockopt.isra.11+0x193e/0x28f0 net/ipv4/ip_sockglue.c:1146
 [] ip_setsockopt+0x3a/0xb0 net/ipv4/ip_sockglue.c:1235
 [] tcp_setsockopt+0x82/0xd0 net/ipv4/tcp.c:2701
 [] sock_common_setsockopt+0x95/0xd0 net/core/sock.c:2705
 [] SYSC_setsockopt net/socket.c:1771 [inline]
 [] SyS_setsockopt+0x158/0x240 net/socket.c:1750
 [] entry_SYSCALL_64_fastpath+0x23/0xc6
Memory state around the buggy address:
 ffff8801cbb48a80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff8801cbb48b00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff8801cbb48b80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                                     ^
 ffff8801cbb48c00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff8801cbb48c80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================
==================================================================
BUG: KASAN: use-after-free in parse_ipsecrequest net/key/af_key.c:1906 [inline] at addr ffff8801cbb481b6
BUG: KASAN: use-after-free in parse_ipsecrequests+0xc7d/0xd00 net/key/af_key.c:1958 at addr ffff8801cbb481b6
Read of size 1 by task syz-executor3/19809
page:ffffea00072ed200 count:0 mapcount:0 mapping:          (null) index:0x0
flags: 0x200000000000000()
page dumped because: kasan: bad access detected
CPU: 1 PID: 19809 Comm: syz-executor3 Tainted: G    B           4.9.39-g5b07c2d #4
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801d09977b0 ffffffff81eacd59 ffffed0039769036 0000000000000001
 0000000000000000 ffffed0039769036 ffff8801cbb481b6 ffff8801d0997830
 ffffffff81547141 0000000000000046 0000000000000000 ffffffff8358b4bd
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [] print_address_description mm/kasan/report.c:208 [inline]
 [] kasan_report_error mm/kasan/report.c:287 [inline]
 [] kasan_report.part.1+0x4a1/0x4e0 mm/kasan/report.c:309
 [] kasan_report mm/kasan/report.c:327 [inline]
 [] __asan_report_load1_noabort+0x29/0x30 mm/kasan/report.c:327
 [] parse_ipsecrequest net/key/af_key.c:1906 [inline]
 [] parse_ipsecrequests+0xc7d/0xd00 net/key/af_key.c:1958
 [] pfkey_compile_policy+0xa20/0xd40 net/key/af_key.c:3250
 [] xfrm_user_policy+0x222/0x370 net/xfrm/xfrm_state.c:1900
 [] do_ip_setsockopt.isra.11+0x193e/0x28f0 net/ipv4/ip_sockglue.c:1146
 [] ip_setsockopt+0x3a/0xb0 net/ipv4/ip_sockglue.c:1235
 [] tcp_setsockopt+0x82/0xd0 net/ipv4/tcp.c:2701
 [] sock_common_setsockopt+0x95/0xd0 net/core/sock.c:2705
 [] SYSC_setsockopt net/socket.c:1771 [inline]
 [] SyS_setsockopt+0x158/0x240 net/socket.c:1750
 [] entry_SYSCALL_64_fastpath+0x23/0xc6
Memory state around the buggy address:
 ffff8801cbb48080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff8801cbb48100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff8801cbb48180: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                                     ^
 ffff8801cbb48200: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff8801cbb48280: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================
==================================================================
BUG: KASAN: use-after-free in parse_ipsecrequest net/key/af_key.c:1906 [inline] at addr ffff8801cbb482b6
BUG: KASAN: use-after-free in parse_ipsecrequests+0xc7d/0xd00 net/key/af_key.c:1958 at addr ffff8801cbb482b6
Read of size 1 by task syz-executor3/19836
page:ffffea00072ed200 count:0 mapcount:0 mapping:          (null) index:0x0
flags: 0x200000000000000()
page dumped because: kasan: bad access detected
CPU: 1 PID: 19836 Comm: syz-executor3 Tainted: G    B           4.9.39-g5b07c2d #4
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801d127f7b0 ffffffff81eacd59 ffffed0039769056 0000000000000001
 0000000000000000 ffffed0039769056 ffff8801cbb482b6 ffff8801d127f830
 ffffffff81547141 0000000000000000 0000000000000000 ffffffff8358b4bd
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [] print_address_description mm/kasan/report.c:208 [inline]
 [] kasan_report_error mm/kasan/report.c:287 [inline]
 [] kasan_report.part.1+0x4a1/0x4e0 mm/kasan/report.c:309
 [] kasan_report mm/kasan/report.c:327 [inline]
 [] __asan_report_load1_noabort+0x29/0x30 mm/kasan/report.c:327
 [] parse_ipsecrequest net/key/af_key.c:1906 [inline]
 [] parse_ipsecrequests+0xc7d/0xd00 net/key/af_key.c:1958
 [] pfkey_compile_policy+0xa20/0xd40 net/key/af_key.c:3250
 [] xfrm_user_policy+0x222/0x370 net/xfrm/xfrm_state.c:1900
 [] do_ip_setsockopt.isra.11+0x193e/0x28f0 net/ipv4/ip_sockglue.c:1146
 [] ip_setsockopt+0x3a/0xb0 net/ipv4/ip_sockglue.c:1235
 [] tcp_setsockopt+0x82/0xd0 net/ipv4/tcp.c:2701
 [] sock_common_setsockopt+0x95/0xd0 net/core/sock.c:2705
 [] SYSC_setsockopt net/socket.c:1771 [inline]
 [] SyS_setsockopt+0x158/0x240 net/socket.c:1750
 [] entry_SYSCALL_64_fastpath+0x23/0xc6
Memory state around the buggy address:
 ffff8801cbb48180: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff8801cbb48200: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff8801cbb48280: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                                     ^
 ffff8801cbb48300: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff8801cbb48380: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================
==================================================================
BUG: KASAN: use-after-free in parse_ipsecrequest net/key/af_key.c:1906 [inline] at addr ffff8801aa326eb6
BUG: KASAN: use-after-free in parse_ipsecrequests+0xc7d/0xd00 net/key/af_key.c:1958 at addr ffff8801aa326eb6
Read of size 1 by task syz-executor3/19855
CPU: 0 PID: 19855 Comm: syz-executor3 Tainted: G    B           4.9.39-g5b07c2d #4
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801d1127788 ffffffff81eacd59 ffff8801dad53a00 ffff8801aa326600
 ffff8801aa327600 ffffed0035464dd6 ffff8801aa326eb6 ffff8801d11277b0
 ffffffff81546bfc ffffed0035464dd6 ffff8801dad53a00 0000000000000000
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [] kasan_object_err+0x1c/0x70 mm/kasan/report.c:160
 [] print_address_description mm/kasan/report.c:198 [inline]
 [] kasan_report_error mm/kasan/report.c:287 [inline]
 [] kasan_report.part.1+0x20d/0x4e0 mm/kasan/report.c:309
 [] kasan_report mm/kasan/report.c:327 [inline]
 [] __asan_report_load1_noabort+0x29/0x30 mm/kasan/report.c:327
 [] parse_ipsecrequest net/key/af_key.c:1906 [inline]
 [] parse_ipsecrequests+0xc7d/0xd00 net/key/af_key.c:1958
 [] pfkey_compile_policy+0xa20/0xd40 net/key/af_key.c:3250
 [] xfrm_user_policy+0x222/0x370 net/xfrm/xfrm_state.c:1900
 [] do_ip_setsockopt.isra.11+0x193e/0x28f0 net/ipv4/ip_sockglue.c:1146
 [] ip_setsockopt+0x3a/0xb0 net/ipv4/ip_sockglue.c:1235
 [] tcp_setsockopt+0x82/0xd0 net/ipv4/tcp.c:2701
 [] sock_common_setsockopt+0x95/0xd0 net/core/sock.c:2705
 [] SYSC_setsockopt net/socket.c:1771 [inline]
 [] SyS_setsockopt+0x158/0x240 net/socket.c:1750
 [] entry_SYSCALL_64_fastpath+0x23/0xc6
Object at ffff8801aa326600, in cache names_cache size: 4096
Allocated:
PID = 19350
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:495
 set_track mm/kasan/kasan.c:507 [inline]
 kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598
 kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:537
 slab_post_alloc_hook mm/slab.h:417 [inline]
 slab_alloc_node mm/slub.c:2715 [inline]
 slab_alloc mm/slub.c:2723 [inline]
 kmem_cache_alloc+0xc9/0x2a0 mm/slub.c:2728
 getname_flags+0xcb/0x580 fs/namei.c:137
 user_path_at_empty+0x2d/0x50 fs/namei.c:2576
 user_path_at include/linux/namei.h:55 [inline]
 vfs_fstatat+0xbe/0x150 fs/stat.c:106
 vfs_stat fs/stat.c:123 [inline]
 SYSC_newstat+0x7e/0xe0 fs/stat.c:270
 SyS_newstat+0x1d/0x30 fs/stat.c:266
 entry_SYSCALL_64_fastpath+0x23/0xc6
Freed:
PID = 19350
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:495
 set_track mm/kasan/kasan.c:507 [inline]
 kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:571
 slab_free_hook mm/slub.c:1355 [inline]
 slab_free_freelist_hook mm/slub.c:1377 [inline]
 slab_free mm/slub.c:2958 [inline]
 kmem_cache_free+0xb2/0x2e0 mm/slub.c:2980
 putname+0xee/0x130 fs/namei.c:257
 filename_lookup+0x234/0x390 fs/namei.c:2324
 user_path_at_empty+0x40/0x50 fs/namei.c:2576
 user_path_at include/linux/namei.h:55 [inline]
 vfs_fstatat+0xbe/0x150 fs/stat.c:106
 vfs_stat fs/stat.c:123 [inline]
 SYSC_newstat+0x7e/0xe0 fs/stat.c:270
 SyS_newstat+0x1d/0x30 fs/stat.c:266
 entry_SYSCALL_64_fastpath+0x23/0xc6
Memory state around the buggy address:
 ffff8801aa326d80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8801aa326e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8801aa326e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                     ^
 ffff8801aa326f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8801aa326f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
==================================================================
BUG: KASAN: use-after-free in parse_ipsecrequest net/key/af_key.c:1906 [inline] at addr ffff8801d754bfb6
BUG: KASAN: use-after-free in parse_ipsecrequests+0xc7d/0xd00 net/key/af_key.c:1958 at addr ffff8801d754bfb6
Read of size 1 by task syz-executor3/19867
CPU: 1 PID: 19867 Comm: syz-executor3 Tainted: G    B           4.9.39-g5b07c2d #4
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801aeebf788 ffffffff81eacd59 ffff8801dad53a00 ffff8801d754b300
 ffff8801d754c300 ffffed003aea97f6 ffff8801d754bfb6 ffff8801aeebf7b0
 ffffffff81546bfc ffffed003aea97f6 ffff8801dad53a00 0000000000000000
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [] kasan_object_err+0x1c/0x70 mm/kasan/report.c:160
 [] print_address_description mm/kasan/report.c:198 [inline]
 [] kasan_report_error mm/kasan/report.c:287 [inline]
 [] kasan_report.part.1+0x20d/0x4e0 mm/kasan/report.c:309
 [] kasan_report mm/kasan/report.c:327 [inline]
 [] __asan_report_load1_noabort+0x29/0x30 mm/kasan/report.c:327
 [] parse_ipsecrequest net/key/af_key.c:1906 [inline]
 [] parse_ipsecrequests+0xc7d/0xd00 net/key/af_key.c:1958
 [] pfkey_compile_policy+0xa20/0xd40 net/key/af_key.c:3250
 [] xfrm_user_policy+0x222/0x370 net/xfrm/xfrm_state.c:1900
 [] do_ip_setsockopt.isra.11+0x193e/0x28f0 net/ipv4/ip_sockglue.c:1146
 [] ip_setsockopt+0x3a/0xb0 net/ipv4/ip_sockglue.c:1235
 [] tcp_setsockopt+0x82/0xd0 net/ipv4/tcp.c:2701
 [] sock_common_setsockopt+0x95/0xd0 net/core/sock.c:2705
 [] SYSC_setsockopt net/socket.c:1771 [inline]
 [] SyS_setsockopt+0x158/0x240 net/socket.c:1750
 [] entry_SYSCALL_64_fastpath+0x23/0xc6
Object at ffff8801d754b300, in cache names_cache size: 4096
Allocated:
PID = 3447
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:495
 set_track mm/kasan/kasan.c:507 [inline]
 kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598
 kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:537
 slab_post_alloc_hook mm/slab.h:417 [inline]
 slab_alloc_node mm/slub.c:2715 [inline]
 slab_alloc mm/slub.c:2723 [inline]
 kmem_cache_alloc+0xc9/0x2a0 mm/slub.c:2728
 getname_flags+0xcb/0x580 fs/namei.c:137
 getname fs/namei.c:208 [inline]
 user_path_parent fs/namei.c:2595 [inline]
 do_unlinkat+0xd2/0x630 fs/namei.c:4046
 SYSC_unlink fs/namei.c:4120 [inline]
 SyS_unlink+0x1a/0x20 fs/namei.c:4118
 entry_SYSCALL_64_fastpath+0x23/0xc6
Freed:
PID = 3447
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:495
 set_track mm/kasan/kasan.c:507 [inline]
 kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:571
 slab_free_hook mm/slub.c:1355 [inline]
 slab_free_freelist_hook mm/slub.c:1377 [inline]
 slab_free mm/slub.c:2958 [inline]
 kmem_cache_free+0xb2/0x2e0 mm/slub.c:2980
 putname+0xee/0x130 fs/namei.c:257
 do_unlinkat+0x1ca/0x630 fs/namei.c:4089
 SYSC_unlink fs/namei.c:4120 [inline]
 SyS_unlink+0x1a/0x20 fs/namei.c:4118
 entry_SYSCALL_64_fastpath+0x23/0xc6
Memory state around the buggy address:
 ffff8801d754be80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8801d754bf00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8801d754bf80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                     ^
 ffff8801d754c000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8801d754c080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
==================================================================
BUG: KASAN: use-after-free in parse_ipsecrequest net/key/af_key.c:1906 [inline] at addr ffff8801aa326fb6
BUG: KASAN: use-after-free in parse_ipsecrequests+0xc7d/0xd00 net/key/af_key.c:1958 at addr ffff8801aa326fb6
Read of size 1 by task syz-executor3/19880
CPU: 0 PID: 19880 Comm: syz-executor3 Tainted: G    B           4.9.39-g5b07c2d #4
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801ca6df788 ffffffff81eacd59 ffff8801dad53a00 ffff8801aa326600
 ffff8801aa327600 ffffed0035464df6 ffff8801aa326fb6 ffff8801ca6df7b0
 ffffffff81546bfc ffffed0035464df6 ffff8801dad53a00 0000000000000000
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [] kasan_object_err+0x1c/0x70 mm/kasan/report.c:160
 [] print_address_description mm/kasan/report.c:198 [inline]
 [] kasan_report_error mm/kasan/report.c:287 [inline]
 [] kasan_report.part.1+0x20d/0x4e0 mm/kasan/report.c:309
 [] kasan_report mm/kasan/report.c:327 [inline]
 [] __asan_report_load1_noabort+0x29/0x30 mm/kasan/report.c:327
 [] parse_ipsecrequest net/key/af_key.c:1906 [inline]
 [] parse_ipsecrequests+0xc7d/0xd00 net/key/af_key.c:1958
 [] pfkey_compile_policy+0xa20/0xd40 net/key/af_key.c:3250
 [] xfrm_user_policy+0x222/0x370 net/xfrm/xfrm_state.c:1900
 [] do_ip_setsockopt.isra.11+0x193e/0x28f0 net/ipv4/ip_sockglue.c:1146
 [] ip_setsockopt+0x3a/0xb0 net/ipv4/ip_sockglue.c:1235
 [] tcp_setsockopt+0x82/0xd0 net/ipv4/tcp.c:2701
 [] sock_common_setsockopt+0x95/0xd0 net/core/sock.c:2705
 [] SYSC_setsockopt net/socket.c:1771 [inline]
 [] SyS_setsockopt+0x158/0x240 net/socket.c:1750
 [] entry_SYSCALL_64_fastpath+0x23/0xc6
Object at ffff8801aa326600, in cache names_cache size: 4096
Allocated:
PID = 19350
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:495
 set_track mm/kasan/kasan.c:507 [inline]
 kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598
 kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:537
 slab_post_alloc_hook mm/slab.h:417 [inline]
 slab_alloc_node mm/slub.c:2715 [inline]
 slab_alloc mm/slub.c:2723 [inline]
 kmem_cache_alloc+0xc9/0x2a0 mm/slub.c:2728
 getname_flags+0xcb/0x580 fs/namei.c:137
 user_path_at_empty+0x2d/0x50 fs/namei.c:2576
 user_path_at include/linux/namei.h:55 [inline]
 vfs_fstatat+0xbe/0x150 fs/stat.c:106
 vfs_stat fs/stat.c:123 [inline]
 SYSC_newstat+0x7e/0xe0 fs/stat.c:270
 SyS_newstat+0x1d/0x30 fs/stat.c:266
 entry_SYSCALL_64_fastpath+0x23/0xc6
Freed:
PID = 19350
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:495
 set_track mm/kasan/kasan.c:507 [inline]
 kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:571
 slab_free_hook mm/slub.c:1355 [inline]
 slab_free_freelist_hook mm/slub.c:1377 [inline]
 slab_free mm/slub.c:2958 [inline]
 kmem_cache_free+0xb2/0x2e0 mm/slub.c:2980
 putname+0xee/0x130 fs/namei.c:257
 filename_lookup+0x234/0x390 fs/namei.c:2324
 user_path_at_empty+0x40/0x50 fs/namei.c:2576
 user_path_at include/linux/namei.h:55 [inline]
 vfs_fstatat+0xbe/0x150 fs/stat.c:106
 vfs_stat fs/stat.c:123 [inline]
 SYSC_newstat+0x7e/0xe0 fs/stat.c:270
 SyS_newstat+0x1d/0x30 fs/stat.c:266
 entry_SYSCALL_64_fastpath+0x23/0xc6
Memory state around the buggy address:
 ffff8801aa326e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8801aa326f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8801aa326f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff8801aa327000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8801aa327080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ================================================================== ================================================================== BUG: KASAN: use-after-free in parse_ipsecrequest net/key/af_key.c:1906 [inline] at addr ffff8801d754b5b6 BUG: KASAN: use-after-free in parse_ipsecrequests+0xc7d/0xd00 net/key/af_key.c:1958 at addr ffff8801d754b5b6 Read of size 1 by task syz-executor3/19938 CPU: 1 PID: 19938 Comm: syz-executor3 Tainted: G B 4.9.39-g5b07c2d #4 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 ffff8801b00d7788 ffffffff81eacd59 ffff8801dad53a00 ffff8801d754b300 ffff8801d754c300 ffffed003aea96b6 ffff8801d754b5b6 ffff8801b00d77b0 ffffffff81546bfc ffffed003aea96b6 ffff8801dad53a00 0000000000000000 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xc1/0x128 lib/dump_stack.c:51 [] kasan_object_err+0x1c/0x70 mm/kasan/report.c:160 [] print_address_description mm/kasan/report.c:198 [inline] [] kasan_report_error mm/kasan/report.c:287 [inline] [] kasan_report.part.1+0x20d/0x4e0 mm/kasan/report.c:309 [] kasan_report mm/kasan/report.c:327 [inline] [] __asan_report_load1_noabort+0x29/0x30 mm/kasan/report.c:327 [] parse_ipsecrequest net/key/af_key.c:1906 [inline] [] parse_ipsecrequests+0xc7d/0xd00 net/key/af_key.c:1958 [] pfkey_compile_policy+0xa20/0xd40 net/key/af_key.c:3250 [] xfrm_user_policy+0x222/0x370 net/xfrm/xfrm_state.c:1900 [] do_ip_setsockopt.isra.11+0x193e/0x28f0 net/ipv4/ip_sockglue.c:1146 [] ip_setsockopt+0x3a/0xb0 net/ipv4/ip_sockglue.c:1235 [] tcp_setsockopt+0x82/0xd0 net/ipv4/tcp.c:2701 [] sock_common_setsockopt+0x95/0xd0 net/core/sock.c:2705 [] SYSC_setsockopt net/socket.c:1771 [inline] [] SyS_setsockopt+0x158/0x240 net/socket.c:1750 [] entry_SYSCALL_64_fastpath+0x23/0xc6 Object at 
ffff8801d754b300, in cache names_cache size: 4096 Allocated: PID = 3447 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 save_stack+0x43/0xd0 mm/kasan/kasan.c:495 set_track mm/kasan/kasan.c:507 [inline] kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598 kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:537 slab_post_alloc_hook mm/slab.h:417 [inline] slab_alloc_node mm/slub.c:2715 [inline] slab_alloc mm/slub.c:2723 [inline] kmem_cache_alloc+0xc9/0x2a0 mm/slub.c:2728 getname_flags+0xcb/0x580 fs/namei.c:137 getname fs/namei.c:208 [inline] user_path_parent fs/namei.c:2595 [inline] do_unlinkat+0xd2/0x630 fs/namei.c:4046 SYSC_unlink fs/namei.c:4120 [inline] SyS_unlink+0x1a/0x20 fs/namei.c:4118 entry_SYSCALL_64_fastpath+0x23/0xc6 Freed: PID = 3447 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 save_stack+0x43/0xd0 mm/kasan/kasan.c:495 set_track mm/kasan/kasan.c:507 [inline] kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:571 slab_free_hook mm/slub.c:1355 [inline] slab_free_freelist_hook mm/slub.c:1377 [inline] slab_free mm/slub.c:2958 [inline] kmem_cache_free+0xb2/0x2e0 mm/slub.c:2980 putname+0xee/0x130 fs/namei.c:257 do_unlinkat+0x1ca/0x630 fs/namei.c:4089 SYSC_unlink fs/namei.c:4120 [inline] SyS_unlink+0x1a/0x20 fs/namei.c:4118 entry_SYSCALL_64_fastpath+0x23/0xc6 Memory state around the buggy address: ffff8801d754b480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8801d754b500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff8801d754b580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff8801d754b600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8801d754b680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ================================================================== ================================================================== BUG: KASAN: use-after-free in parse_ipsecrequest net/key/af_key.c:1906 [inline] at addr ffff8801d754b7b6 BUG: KASAN: use-after-free in parse_ipsecrequests+0xc7d/0xd00 net/key/af_key.c:1958 at addr 
ffff8801d754b7b6 Read of size 1 by task syz-executor3/19954 CPU: 1 PID: 19954 Comm: syz-executor3 Tainted: G B 4.9.39-g5b07c2d #4 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 ffff8801b26df788 ffffffff81eacd59 ffff8801dad53a00 ffff8801d754b300 ffff8801d754c300 ffffed003aea96f6 ffff8801d754b7b6 ffff8801b26df7b0 ffffffff81546bfc ffffed003aea96f6 ffff8801dad53a00 0000000000000000 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xc1/0x128 lib/dump_stack.c:51 [] kasan_object_err+0x1c/0x70 mm/kasan/report.c:160 [] print_address_description mm/kasan/report.c:198 [inline] [] kasan_report_error mm/kasan/report.c:287 [inline] [] kasan_report.part.1+0x20d/0x4e0 mm/kasan/report.c:309 [] kasan_report mm/kasan/report.c:327 [inline] [] __asan_report_load1_noabort+0x29/0x30 mm/kasan/report.c:327 [] parse_ipsecrequest net/key/af_key.c:1906 [inline] [] parse_ipsecrequests+0xc7d/0xd00 net/key/af_key.c:1958 [] pfkey_compile_policy+0xa20/0xd40 net/key/af_key.c:3250 [] xfrm_user_policy+0x222/0x370 net/xfrm/xfrm_state.c:1900 [] do_ip_setsockopt.isra.11+0x193e/0x28f0 net/ipv4/ip_sockglue.c:1146 [] ip_setsockopt+0x3a/0xb0 net/ipv4/ip_sockglue.c:1235 [] tcp_setsockopt+0x82/0xd0 net/ipv4/tcp.c:2701 [] sock_common_setsockopt+0x95/0xd0 net/core/sock.c:2705 [] SYSC_setsockopt net/socket.c:1771 [inline] [] SyS_setsockopt+0x158/0x240 net/socket.c:1750 [] entry_SYSCALL_64_fastpath+0x23/0xc6 Object at ffff8801d754b300, in cache names_cache size: 4096 Allocated: PID = 3447 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 save_stack+0x43/0xd0 mm/kasan/kasan.c:495 set_track mm/kasan/kasan.c:507 [inline] kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598 kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:537 slab_post_alloc_hook mm/slab.h:417 [inline] slab_alloc_node mm/slub.c:2715 [inline] slab_alloc mm/slub.c:2723 [inline] kmem_cache_alloc+0xc9/0x2a0 mm/slub.c:2728 getname_flags+0xcb/0x580 fs/namei.c:137 getname fs/namei.c:208 [inline] 
user_path_parent fs/namei.c:2595 [inline] do_unlinkat+0xd2/0x630 fs/namei.c:4046 SYSC_unlink fs/namei.c:4120 [inline] SyS_unlink+0x1a/0x20 fs/namei.c:4118 entry_SYSCALL_64_fastpath+0x23/0xc6 Freed: PID = 3447 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 save_stack+0x43/0xd0 mm/kasan/kasan.c:495 set_track mm/kasan/kasan.c:507 [inline] kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:571 slab_free_hook mm/slub.c:1355 [inline] slab_free_freelist_hook mm/slub.c:1377 [inline] slab_free mm/slub.c:2958 [inline] kmem_cache_free+0xb2/0x2e0 mm/slub.c:2980 putname+0xee/0x130 fs/namei.c:257 do_unlinkat+0x1ca/0x630 fs/namei.c:4089 SYSC_unlink fs/namei.c:4120 [inline] SyS_unlink+0x1a/0x20 fs/namei.c:4118 entry_SYSCALL_64_fastpath+0x23/0xc6 Memory state around the buggy address: ffff8801d754b680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8801d754b700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff8801d754b780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff8801d754b800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8801d754b880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ================================================================== ================================================================== BUG: KASAN: use-after-free in parse_ipsecrequest net/key/af_key.c:1906 [inline] at addr ffff8801aa3268b6 BUG: KASAN: use-after-free in parse_ipsecrequests+0xc7d/0xd00 net/key/af_key.c:1958 at addr ffff8801aa3268b6 Read of size 1 by task syz-executor3/20005 CPU: 0 PID: 20005 Comm: syz-executor3 Tainted: G B 4.9.39-g5b07c2d #4 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 ffff8801cd13f788 ffffffff81eacd59 ffff8801dad53a00 ffff8801aa326600 ffff8801aa327600 ffffed0035464d16 ffff8801aa3268b6 ffff8801cd13f7b0 ffffffff81546bfc ffffed0035464d16 ffff8801dad53a00 0000000000000000 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xc1/0x128 lib/dump_stack.c:51 [] 
kasan_object_err+0x1c/0x70 mm/kasan/report.c:160 [] print_address_description mm/kasan/report.c:198 [inline] [] kasan_report_error mm/kasan/report.c:287 [inline] [] kasan_report.part.1+0x20d/0x4e0 mm/kasan/report.c:309 [] kasan_report mm/kasan/report.c:327 [inline] [] __asan_report_load1_noabort+0x29/0x30 mm/kasan/report.c:327 [] parse_ipsecrequest net/key/af_key.c:1906 [inline] [] parse_ipsecrequests+0xc7d/0xd00 net/key/af_key.c:1958 [] pfkey_compile_policy+0xa20/0xd40 net/key/af_key.c:3250 [] xfrm_user_policy+0x222/0x370 net/xfrm/xfrm_state.c:1900 [] do_ip_setsockopt.isra.11+0x193e/0x28f0 net/ipv4/ip_sockglue.c:1146 [] ip_setsockopt+0x3a/0xb0 net/ipv4/ip_sockglue.c:1235 [] tcp_setsockopt+0x82/0xd0 net/ipv4/tcp.c:2701 [] sock_common_setsockopt+0x95/0xd0 net/core/sock.c:2705 [] SYSC_setsockopt net/socket.c:1771 [inline] [] SyS_setsockopt+0x158/0x240 net/socket.c:1750 [] entry_SYSCALL_64_fastpath+0x23/0xc6 Object at ffff8801aa326600, in cache names_cache size: 4096 Allocated: PID = 19350 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 save_stack+0x43/0xd0 mm/kasan/kasan.c:495 set_track mm/kasan/kasan.c:507 [inline] kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598 kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:537 slab_post_alloc_hook mm/slab.h:417 [inline] slab_alloc_node mm/slub.c:2715 [inline] slab_alloc mm/slub.c:2723 [inline] kmem_cache_alloc+0xc9/0x2a0 mm/slub.c:2728 getname_flags+0xcb/0x580 fs/namei.c:137 user_path_at_empty+0x2d/0x50 fs/namei.c:2576 user_path_at include/linux/namei.h:55 [inline] vfs_fstatat+0xbe/0x150 fs/stat.c:106 vfs_stat fs/stat.c:123 [inline] SYSC_newstat+0x7e/0xe0 fs/stat.c:270 SyS_newstat+0x1d/0x30 fs/stat.c:266 entry_SYSCALL_64_fastpath+0x23/0xc6 Freed: PID = 19350 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 save_stack+0x43/0xd0 mm/kasan/kasan.c:495 set_track mm/kasan/kasan.c:507 [inline] kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:571 slab_free_hook mm/slub.c:1355 [inline] slab_free_freelist_hook mm/slub.c:1377 
[inline] slab_free mm/slub.c:2958 [inline] kmem_cache_free+0xb2/0x2e0 mm/slub.c:2980 putname+0xee/0x130 fs/namei.c:257 filename_lookup+0x234/0x390 fs/namei.c:2324 user_path_at_empty+0x40/0x50 fs/namei.c:2576 user_path_at include/linux/namei.h:55 [inline] vfs_fstatat+0xbe/0x150 fs/stat.c:106 vfs_stat fs/stat.c:123 [inline] SYSC_newstat+0x7e/0xe0 fs/stat.c:270 SyS_newstat+0x1d/0x30 fs/stat.c:266 entry_SYSCALL_64_fastpath+0x23/0xc6 Memory state around the buggy address: ffff8801aa326780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8801aa326800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff8801aa326880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff8801aa326900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8801aa326980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ================================================================== ================================================================== BUG: KASAN: use-after-free in parse_ipsecrequest net/key/af_key.c:1906 [inline] at addr ffff8801aa3269b6 BUG: KASAN: use-after-free in parse_ipsecrequests+0xc7d/0xd00 net/key/af_key.c:1958 at addr ffff8801aa3269b6 Read of size 1 by task syz-executor3/20010 CPU: 0 PID: 20010 Comm: syz-executor3 Tainted: G B 4.9.39-g5b07c2d #4 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 ffff8801cae1f788 ffffffff81eacd59 ffff8801dad53a00 ffff8801aa326600 ffff8801aa327600 ffffed0035464d36 ffff8801aa3269b6 ffff8801cae1f7b0 ffffffff81546bfc ffffed0035464d36 ffff8801dad53a00 0000000000000000 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xc1/0x128 lib/dump_stack.c:51 [] kasan_object_err+0x1c/0x70 mm/kasan/report.c:160 [] print_address_description mm/kasan/report.c:198 [inline] [] kasan_report_error mm/kasan/report.c:287 [inline] [] kasan_report.part.1+0x20d/0x4e0 mm/kasan/report.c:309 [] kasan_report mm/kasan/report.c:327 [inline] [] __asan_report_load1_noabort+0x29/0x30 mm/kasan/report.c:327 [] 
parse_ipsecrequest net/key/af_key.c:1906 [inline] [] parse_ipsecrequests+0xc7d/0xd00 net/key/af_key.c:1958 [] pfkey_compile_policy+0xa20/0xd40 net/key/af_key.c:3250 [] xfrm_user_policy+0x222/0x370 net/xfrm/xfrm_state.c:1900 [] do_ip_setsockopt.isra.11+0x193e/0x28f0 net/ipv4/ip_sockglue.c:1146 [] ip_setsockopt+0x3a/0xb0 net/ipv4/ip_sockglue.c:1235 [] tcp_setsockopt+0x82/0xd0 net/ipv4/tcp.c:2701 [] sock_common_setsockopt+0x95/0xd0 net/core/sock.c:2705 [] SYSC_setsockopt net/socket.c:1771 [inline] [] SyS_setsockopt+0x158/0x240 net/socket.c:1750 [] entry_SYSCALL_64_fastpath+0x23/0xc6 Object at ffff8801aa326600, in cache names_cache size: 4096 Allocated: PID = 19350 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 save_stack+0x43/0xd0 mm/kasan/kasan.c:495 set_track mm/kasan/kasan.c:507 [inline] kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598 kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:537 slab_post_alloc_hook mm/slab.h:417 [inline] slab_alloc_node mm/slub.c:2715 [inline] slab_alloc mm/slub.c:2723 [inline] kmem_cache_alloc+0xc9/0x2a0 mm/slub.c:2728 getname_flags+0xcb/0x580 fs/namei.c:137 user_path_at_empty+0x2d/0x50 fs/namei.c:2576 user_path_at include/linux/namei.h:55 [inline] vfs_fstatat+0xbe/0x150 fs/stat.c:106 vfs_stat fs/stat.c:123 [inline] SYSC_newstat+0x7e/0xe0 fs/stat.c:270 SyS_newstat+0x1d/0x30 fs/stat.c:266 entry_SYSCALL_64_fastpath+0x23/0xc6 Freed: PID = 19350 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 save_stack+0x43/0xd0 mm/kasan/kasan.c:495 set_track mm/kasan/kasan.c:507 [inline] kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:571 slab_free_hook mm/slub.c:1355 [inline] slab_free_freelist_hook mm/slub.c:1377 [inline] slab_free mm/slub.c:2958 [inline] kmem_cache_free+0xb2/0x2e0 mm/slub.c:2980 putname+0xee/0x130 fs/namei.c:257 filename_lookup+0x234/0x390 fs/namei.c:2324 user_path_at_empty+0x40/0x50 fs/namei.c:2576 user_path_at include/linux/namei.h:55 [inline] vfs_fstatat+0xbe/0x150 fs/stat.c:106 vfs_stat fs/stat.c:123 [inline] 
SYSC_newstat+0x7e/0xe0 fs/stat.c:270 SyS_newstat+0x1d/0x30 fs/stat.c:266 entry_SYSCALL_64_fastpath+0x23/0xc6 Memory state around the buggy address: ffff8801aa326880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8801aa326900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff8801aa326980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff8801aa326a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8801aa326a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ================================================================== ================================================================== BUG: KASAN: use-after-free in parse_ipsecrequest net/key/af_key.c:1906 [inline] at addr ffff8801d754b8b6 BUG: KASAN: use-after-free in parse_ipsecrequests+0xc7d/0xd00 net/key/af_key.c:1958 at addr ffff8801d754b8b6 Read of size 1 by task syz-executor3/20061 CPU: 1 PID: 20061 Comm: syz-executor3 Tainted: G B 4.9.39-g5b07c2d #4 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 ffff8801ae25f788 ffffffff81eacd59 ffff8801dad53a00 ffff8801d754b300 ffff8801d754c300 ffffed003aea9716 ffff8801d754b8b6 ffff8801ae25f7b0 ffffffff81546bfc ffffed003aea9716 ffff8801dad53a00 0000000000000000 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xc1/0x128 lib/dump_stack.c:51 [] kasan_object_err+0x1c/0x70 mm/kasan/report.c:160 [] print_address_description mm/kasan/report.c:198 [inline] [] kasan_report_error mm/kasan/report.c:287 [inline] [] kasan_report.part.1+0x20d/0x4e0 mm/kasan/report.c:309 [] kasan_report mm/kasan/report.c:327 [inline] [] __asan_report_load1_noabort+0x29/0x30 mm/kasan/report.c:327 [] parse_ipsecrequest net/key/af_key.c:1906 [inline] [] parse_ipsecrequests+0xc7d/0xd00 net/key/af_key.c:1958 [] pfkey_compile_policy+0xa20/0xd40 net/key/af_key.c:3250 [] xfrm_user_policy+0x222/0x370 net/xfrm/xfrm_state.c:1900 [] do_ip_setsockopt.isra.11+0x193e/0x28f0 net/ipv4/ip_sockglue.c:1146 [] ip_setsockopt+0x3a/0xb0 
net/ipv4/ip_sockglue.c:1235 [] tcp_setsockopt+0x82/0xd0 net/ipv4/tcp.c:2701 [] sock_common_setsockopt+0x95/0xd0 net/core/sock.c:2705 [] SYSC_setsockopt net/socket.c:1771 [inline] [] SyS_setsockopt+0x158/0x240 net/socket.c:1750 [] entry_SYSCALL_64_fastpath+0x23/0xc6 Object at ffff8801d754b300, in cache names_cache size: 4096 Allocated: PID = 3447 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 save_stack+0x43/0xd0 mm/kasan/kasan.c:495 set_track mm/kasan/kasan.c:507 [inline] kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598 kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:537 slab_post_alloc_hook mm/slab.h:417 [inline] slab_alloc_node mm/slub.c:2715 [inline] slab_alloc mm/slub.c:2723 [inline] kmem_cache_alloc+0xc9/0x2a0 mm/slub.c:2728 getname_flags+0xcb/0x580 fs/namei.c:137 getname fs/namei.c:208 [inline] user_path_parent fs/namei.c:2595 [inline] do_unlinkat+0xd2/0x630 fs/namei.c:4046 SYSC_unlink fs/namei.c:4120 [inline] SyS_unlink+0x1a/0x20 fs/namei.c:4118 entry_SYSCALL_64_fastpath+0x23/0xc6 Freed: PID = 3447 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 save_stack+0x43/0xd0 mm/kasan/kasan.c:495 set_track mm/kasan/kasan.c:507 [inline] kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:571 slab_free_hook mm/slub.c:1355 [inline] slab_free_freelist_hook mm/slub.c:1377 [inline] slab_free mm/slub.c:2958 [inline] kmem_cache_free+0xb2/0x2e0 mm/slub.c:2980 putname+0xee/0x130 fs/namei.c:257 do_unlinkat+0x1ca/0x630 fs/namei.c:4089 SYSC_unlink fs/namei.c:4120 [inline] SyS_unlink+0x1a/0x20 fs/namei.c:4118 entry_SYSCALL_64_fastpath+0x23/0xc6 Memory state around the buggy address: ffff8801d754b780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8801d754b800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff8801d754b880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff8801d754b900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8801d754b980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ================================================================== 
================================================================== BUG: KASAN: use-after-free in parse_ipsecrequest net/key/af_key.c:1906 [inline] at addr ffff8801aa326ab6 BUG: KASAN: use-after-free in parse_ipsecrequests+0xc7d/0xd00 net/key/af_key.c:1958 at addr ffff8801aa326ab6 Read of size 1 by task syz-executor3/20078 CPU: 0 PID: 20078 Comm: syz-executor3 Tainted: G B 4.9.39-g5b07c2d #4 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 ffff8801b0bbf788 ffffffff81eacd59 ffff8801dad53a00 ffff8801aa326600 ffff8801aa327600 ffffed0035464d56 ffff8801aa326ab6 ffff8801b0bbf7b0 ffffffff81546bfc ffffed0035464d56 ffff8801dad53a00 0000000000000000 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xc1/0x128 lib/dump_stack.c:51 [] kasan_object_err+0x1c/0x70 mm/kasan/report.c:160 [] print_address_description mm/kasan/report.c:198 [inline] [] kasan_report_error mm/kasan/report.c:287 [inline] [] kasan_report.part.1+0x20d/0x4e0 mm/kasan/report.c:309 [] kasan_report mm/kasan/report.c:327 [inline] [] __asan_report_load1_noabort+0x29/0x30 mm/kasan/report.c:327 [] parse_ipsecrequest net/key/af_key.c:1906 [inline] [] parse_ipsecrequests+0xc7d/0xd00 net/key/af_key.c:1958 [] pfkey_compile_policy+0xa20/0xd40 net/key/af_key.c:3250 [] xfrm_user_policy+0x222/0x370 net/xfrm/xfrm_state.c:1900 [] do_ip_setsockopt.isra.11+0x193e/0x28f0 net/ipv4/ip_sockglue.c:1146 [] ip_setsockopt+0x3a/0xb0 net/ipv4/ip_sockglue.c:1235 [] tcp_setsockopt+0x82/0xd0 net/ipv4/tcp.c:2701 [] sock_common_setsockopt+0x95/0xd0 net/core/sock.c:2705 [] SYSC_setsockopt net/socket.c:1771 [inline] [] SyS_setsockopt+0x158/0x240 net/socket.c:1750 [] entry_SYSCALL_64_fastpath+0x23/0xc6 Object at ffff8801aa326600, in cache names_cache size: 4096 Allocated: PID = 19350 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 save_stack+0x43/0xd0 mm/kasan/kasan.c:495 set_track mm/kasan/kasan.c:507 [inline] kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598 
kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:537 slab_post_alloc_hook mm/slab.h:417 [inline] slab_alloc_node mm/slub.c:2715 [inline] slab_alloc mm/slub.c:2723 [inline] kmem_cache_alloc+0xc9/0x2a0 mm/slub.c:2728 getname_flags+0xcb/0x580 fs/namei.c:137 user_path_at_empty+0x2d/0x50 fs/namei.c:2576 user_path_at include/linux/namei.h:55 [inline] vfs_fstatat+0xbe/0x150 fs/stat.c:106 vfs_stat fs/stat.c:123 [inline] SYSC_newstat+0x7e/0xe0 fs/stat.c:270 SyS_newstat+0x1d/0x30 fs/stat.c:266 entry_SYSCALL_64_fastpath+0x23/0xc6 Freed: PID = 19350 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 save_stack+0x43/0xd0 mm/kasan/kasan.c:495 set_track mm/kasan/kasan.c:507 [inline] kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:571 slab_free_hook mm/slub.c:1355 [inline] slab_free_freelist_hook mm/slub.c:1377 [inline] slab_free mm/slub.c:2958 [inline] kmem_cache_free+0xb2/0x2e0 mm/slub.c:2980 putname+0xee/0x130 fs/namei.c:257 filename_lookup+0x234/0x390 fs/namei.c:2324 user_path_at_empty+0x40/0x50 fs/namei.c:2576 user_path_at include/linux/namei.h:55 [inline] vfs_fstatat+0xbe/0x150 fs/stat.c:106 vfs_stat fs/stat.c:123 [inline] SYSC_newstat+0x7e/0xe0 fs/stat.c:270 SyS_newstat+0x1d/0x30 fs/stat.c:266 entry_SYSCALL_64_fastpath+0x23/0xc6 Memory state around the buggy address: ffff8801aa326980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8801aa326a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff8801aa326a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff8801aa326b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8801aa326b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ================================================================== ================================================================== BUG: KASAN: use-after-free in parse_ipsecrequest net/key/af_key.c:1906 [inline] at addr ffff8801aa326bb6 BUG: KASAN: use-after-free in parse_ipsecrequests+0xc7d/0xd00 net/key/af_key.c:1958 at addr ffff8801aa326bb6 Read of size 1 by task 
syz-executor3/20135 CPU: 0 PID: 20135 Comm: syz-executor3 Tainted: G B 4.9.39-g5b07c2d #4 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 ffff8801c4f8f788 ffffffff81eacd59 ffff8801dad53a00 ffff8801aa326600 ffff8801aa327600 ffffed0035464d76 ffff8801aa326bb6 ffff8801c4f8f7b0 ffffffff81546bfc ffffed0035464d76 ffff8801dad53a00 0000000000000000 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xc1/0x128 lib/dump_stack.c:51 [] kasan_object_err+0x1c/0x70 mm/kasan/report.c:160 [] print_address_description mm/kasan/report.c:198 [inline] [] kasan_report_error mm/kasan/report.c:287 [inline] [] kasan_report.part.1+0x20d/0x4e0 mm/kasan/report.c:309 [] kasan_report mm/kasan/report.c:327 [inline] [] __asan_report_load1_noabort+0x29/0x30 mm/kasan/report.c:327 [] parse_ipsecrequest net/key/af_key.c:1906 [inline] [] parse_ipsecrequests+0xc7d/0xd00 net/key/af_key.c:1958 [] pfkey_compile_policy+0xa20/0xd40 net/key/af_key.c:3250 [] xfrm_user_policy+0x222/0x370 net/xfrm/xfrm_state.c:1900 [] do_ip_setsockopt.isra.11+0x193e/0x28f0 net/ipv4/ip_sockglue.c:1146 [] ip_setsockopt+0x3a/0xb0 net/ipv4/ip_sockglue.c:1235 [] tcp_setsockopt+0x82/0xd0 net/ipv4/tcp.c:2701 [] sock_common_setsockopt+0x95/0xd0 net/core/sock.c:2705 [] SYSC_setsockopt net/socket.c:1771 [inline] [] SyS_setsockopt+0x158/0x240 net/socket.c:1750 [] entry_SYSCALL_64_fastpath+0x23/0xc6 Object at ffff8801aa326600, in cache names_cache size: 4096 Allocated: PID = 19350 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 save_stack+0x43/0xd0 mm/kasan/kasan.c:495 set_track mm/kasan/kasan.c:507 [inline] kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598 kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:537 slab_post_alloc_hook mm/slab.h:417 [inline] slab_alloc_node mm/slub.c:2715 [inline] slab_alloc mm/slub.c:2723 [inline] kmem_cache_alloc+0xc9/0x2a0 mm/slub.c:2728 getname_flags+0xcb/0x580 fs/namei.c:137 user_path_at_empty+0x2d/0x50 fs/namei.c:2576 user_path_at 
include/linux/namei.h:55 [inline] vfs_fstatat+0xbe/0x150 fs/stat.c:106 vfs_stat fs/stat.c:123 [inline] SYSC_newstat+0x7e/0xe0 fs/stat.c:270 SyS_newstat+0x1d/0x30 fs/stat.c:266 entry_SYSCALL_64_fastpath+0x23/0xc6 Freed: PID = 19350 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 save_stack+0x43/0xd0 mm/kasan/kasan.c:495 set_track mm/kasan/kasan.c:507 [inline] kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:571 slab_free_hook mm/slub.c:1355 [inline] slab_free_freelist_hook mm/slub.c:1377 [inline] slab_free mm/slub.c:2958 [inline] kmem_cache_free+0xb2/0x2e0 mm/slub.c:2980 putname+0xee/0x130 fs/namei.c:257 filename_lookup+0x234/0x390 fs/namei.c:2324 user_path_at_empty+0x40/0x50 fs/namei.c:2576 user_path_at include/linux/namei.h:55 [inline] vfs_fstatat+0xbe/0x150 fs/stat.c:106 vfs_stat fs/stat.c:123 [inline] SYSC_newstat+0x7e/0xe0 fs/stat.c:270 SyS_newstat+0x1d/0x30 fs/stat.c:266 entry_SYSCALL_64_fastpath+0x23/0xc6 Memory state around the buggy address: ffff8801aa326a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8801aa326b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff8801aa326b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff8801aa326c00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8801aa326c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ================================================================== ================================================================== BUG: KASAN: use-after-free in parse_ipsecrequest net/key/af_key.c:1906 [inline] at addr ffff8801d754b6b6 BUG: KASAN: use-after-free in parse_ipsecrequests+0xc7d/0xd00 net/key/af_key.c:1958 at addr ffff8801d754b6b6 Read of size 1 by task syz-executor3/20142 CPU: 1 PID: 20142 Comm: syz-executor3 Tainted: G B 4.9.39-g5b07c2d #4 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 ffff8801ae41f788 ffffffff81eacd59 ffff8801dad53a00 ffff8801d754b300 ffff8801d754c300 ffffed003aea96d6 ffff8801d754b6b6 ffff8801ae41f7b0 
ffffffff81546bfc ffffed003aea96d6 ffff8801dad53a00 0000000000000000 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xc1/0x128 lib/dump_stack.c:51 [] kasan_object_err+0x1c/0x70 mm/kasan/report.c:160 [] print_address_description mm/kasan/report.c:198 [inline] [] kasan_report_error mm/kasan/report.c:287 [inline] [] kasan_report.part.1+0x20d/0x4e0 mm/kasan/report.c:309 [] kasan_report mm/kasan/report.c:327 [inline] [] __asan_report_load1_noabort+0x29/0x30 mm/kasan/report.c:327 [] parse_ipsecrequest net/key/af_key.c:1906 [inline] [] parse_ipsecrequests+0xc7d/0xd00 net/key/af_key.c:1958 [] pfkey_compile_policy+0xa20/0xd40 net/key/af_key.c:3250 [] xfrm_user_policy+0x222/0x370 net/xfrm/xfrm_state.c:1900 [] do_ip_setsockopt.isra.11+0x193e/0x28f0 net/ipv4/ip_sockglue.c:1146 [] ip_setsockopt+0x3a/0xb0 net/ipv4/ip_sockglue.c:1235 [] tcp_setsockopt+0x82/0xd0 net/ipv4/tcp.c:2701 [] sock_common_setsockopt+0x95/0xd0 net/core/sock.c:2705 [] SYSC_setsockopt net/socket.c:1771 [inline] [] SyS_setsockopt+0x158/0x240 net/socket.c:1750 [] entry_SYSCALL_64_fastpath+0x23/0xc6 Object at ffff8801d754b300, in cache names_cache size: 4096 Allocated: PID = 3447 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 save_stack+0x43/0xd0 mm/kasan/kasan.c:495 set_track mm/kasan/kasan.c:507 [inline] kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598 kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:537 slab_post_alloc_hook mm/slab.h:417 [inline] slab_alloc_node mm/slub.c:2715 [inline] slab_alloc mm/slub.c:2723 [inline] kmem_cache_alloc+0xc9/0x2a0 mm/slub.c:2728 getname_flags+0xcb/0x580 fs/namei.c:137 getname fs/namei.c:208 [inline] user_path_parent fs/namei.c:2595 [inline] do_unlinkat+0xd2/0x630 fs/namei.c:4046 SYSC_unlink fs/namei.c:4120 [inline] SyS_unlink+0x1a/0x20 fs/namei.c:4118 entry_SYSCALL_64_fastpath+0x23/0xc6 Freed: PID = 3447 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 save_stack+0x43/0xd0 mm/kasan/kasan.c:495 set_track mm/kasan/kasan.c:507 [inline] 
kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:571 slab_free_hook mm/slub.c:1355 [inline] slab_free_freelist_hook mm/slub.c:1377 [inline] slab_free mm/slub.c:2958 [inline] kmem_cache_free+0xb2/0x2e0 mm/slub.c:2980 putname+0xee/0x130 fs/namei.c:257 do_unlinkat+0x1ca/0x630 fs/namei.c:4089 SYSC_unlink fs/namei.c:4120 [inline] SyS_unlink+0x1a/0x20 fs/namei.c:4118 entry_SYSCALL_64_fastpath+0x23/0xc6 Memory state around the buggy address: ffff8801d754b580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8801d754b600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff8801d754b680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff8801d754b700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8801d754b780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ================================================================== ================================================================== BUG: KASAN: use-after-free in parse_ipsecrequest net/key/af_key.c:1906 [inline] at addr ffff8801d754bbb6 BUG: KASAN: use-after-free in parse_ipsecrequests+0xc7d/0xd00 net/key/af_key.c:1958 at addr ffff8801d754bbb6 Read of size 1 by task syz-executor3/20177 CPU: 1 PID: 20177 Comm: syz-executor3 Tainted: G B 4.9.39-g5b07c2d #4 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 ffff8801d5247788 ffffffff81eacd59 ffff8801dad53a00 ffff8801d754b300 ffff8801d754c300 ffffed003aea9776 ffff8801d754bbb6 ffff8801d52477b0 ffffffff81546bfc ffffed003aea9776 ffff8801dad53a00 0000000000000000 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0xc1/0x128 lib/dump_stack.c:51 [] kasan_object_err+0x1c/0x70 mm/kasan/report.c:160 [] print_address_description mm/kasan/report.c:198 [inline] [] kasan_report_error mm/kasan/report.c:287 [inline] [] kasan_report.part.1+0x20d/0x4e0 mm/kasan/report.c:309 [] kasan_report mm/kasan/report.c:327 [inline] [] __asan_report_load1_noabort+0x29/0x30 mm/kasan/report.c:327 [] parse_ipsecrequest net/key/af_key.c:1906 
[inline] [] parse_ipsecrequests+0xc7d/0xd00 net/key/af_key.c:1958 [] pfkey_compile_policy+0xa20/0xd40 net/key/af_key.c:3250 [] xfrm_user_policy+0x222/0x370 net/xfrm/xfrm_state.c:1900 [] do_ip_setsockopt.isra.11+0x193e/0x28f0 net/ipv4/ip_sockglue.c:1146 [] ip_setsockopt+0x3a/0xb0 net/ipv4/ip_sockglue.c:1235 [] tcp_setsockopt+0x82/0xd0 net/ipv4/tcp.c:2701 [] sock_common_setsockopt+0x95/0xd0 net/core/sock.c:2705 [] SYSC_setsockopt net/socket.c:1771 [inline] [] SyS_setsockopt+0x158/0x240 net/socket.c:1750 [] entry_SYSCALL_64_fastpath+0x23/0xc6 Object at ffff8801d754b300, in cache names_cache size: 4096 Allocated: PID = 3447 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 save_stack+0x43/0xd0 mm/kasan/kasan.c:495 set_track mm/kasan/kasan.c:507 [inline] kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598 kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:537 slab_post_alloc_hook mm/slab.h:417 [inline] slab_alloc_node mm/slub.c:2715 [inline] slab_alloc mm/slub.c:2723 [inline] kmem_cache_alloc+0xc9/0x2a0 mm/slub.c:2728 getname_flags+0xcb/0x580 fs/namei.c:137 getname fs/namei.c:208 [inline] user_path_parent fs/namei.c:2595 [inline] do_unlinkat+0xd2/0x630 fs/namei.c:4046 SYSC_unlink fs/namei.c:4120 [inline] SyS_unlink+0x1a/0x20 fs/namei.c:4118 entry_SYSCALL_64_fastpath+0x23/0xc6 Freed: PID = 3447 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57 save_stack+0x43/0xd0 mm/kasan/kasan.c:495 set_track mm/kasan/kasan.c:507 [inline] kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:571 slab_free_hook mm/slub.c:1355 [inline] slab_free_freelist_hook mm/slub.c:1377 [inline] slab_free mm/slub.c:2958 [inline] kmem_cache_free+0xb2/0x2e0 mm/slub.c:2980 putname+0xee/0x130 fs/namei.c:257 do_unlinkat+0x1ca/0x630 fs/namei.c:4089 SYSC_unlink fs/namei.c:4120 [inline] SyS_unlink+0x1a/0x20 fs/namei.c:4118 entry_SYSCALL_64_fastpath+0x23/0xc6 Memory state around the buggy address: