device sit0 entered promiscuous mode
==================================================================
BUG: KASAN: use-after-free in parse_ipsecrequest net/key/af_key.c:1906 [inline] at addr ffff8801c94b9ab6
BUG: KASAN: use-after-free in parse_ipsecrequests+0xc7d/0xd00 net/key/af_key.c:1958 at addr ffff8801c94b9ab6
Read of size 1 by task syz-executor2/22534
CPU: 1 PID: 22534 Comm: syz-executor2 Not tainted 4.9.39-g5b07c2d #4
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801ab377788 ffffffff81eacd59 ffff8801dad53a00 ffff8801c94b9100
 ffff8801c94ba100 ffffed0039297356 ffff8801c94b9ab6 ffff8801ab3777b0
 ffffffff81546bfc ffffed0039297356 ffff8801dad53a00 0000000000000000
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [] kasan_object_err+0x1c/0x70 mm/kasan/report.c:160
 [] print_address_description mm/kasan/report.c:198 [inline]
 [] kasan_report_error mm/kasan/report.c:287 [inline]
 [] kasan_report.part.1+0x20d/0x4e0 mm/kasan/report.c:309
 [] kasan_report mm/kasan/report.c:327 [inline]
 [] __asan_report_load1_noabort+0x29/0x30 mm/kasan/report.c:327
 [] parse_ipsecrequest net/key/af_key.c:1906 [inline]
 [] parse_ipsecrequests+0xc7d/0xd00 net/key/af_key.c:1958
 [] pfkey_compile_policy+0xa20/0xd40 net/key/af_key.c:3250
 [] xfrm_user_policy+0x222/0x370 net/xfrm/xfrm_state.c:1900
 [] do_ip_setsockopt.isra.11+0x193e/0x28f0 net/ipv4/ip_sockglue.c:1146
 [] ip_setsockopt+0x3a/0xb0 net/ipv4/ip_sockglue.c:1235
 [] tcp_setsockopt+0x82/0xd0 net/ipv4/tcp.c:2701
 [] sock_common_setsockopt+0x95/0xd0 net/core/sock.c:2705
 [] SYSC_setsockopt net/socket.c:1771 [inline]
 [] SyS_setsockopt+0x158/0x240 net/socket.c:1750
 [] entry_SYSCALL_64_fastpath+0x23/0xc6
Object at ffff8801c94b9100, in cache names_cache size: 4096
Allocated:
PID = 22500
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:495
 set_track mm/kasan/kasan.c:507 [inline]
 kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598
 kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:537
 slab_post_alloc_hook mm/slab.h:417 [inline]
 slab_alloc_node mm/slub.c:2715 [inline]
 slab_alloc mm/slub.c:2723 [inline]
 kmem_cache_alloc+0xc9/0x2a0 mm/slub.c:2728
 getname_flags+0xcb/0x580 fs/namei.c:137
 user_path_at_empty+0x2d/0x50 fs/namei.c:2576
 user_path_at include/linux/namei.h:55 [inline]
 vfs_fstatat+0xbe/0x150 fs/stat.c:106
 vfs_stat fs/stat.c:123 [inline]
 SYSC_newstat+0x7e/0xe0 fs/stat.c:270
 SyS_newstat+0x1d/0x30 fs/stat.c:266
 entry_SYSCALL_64_fastpath+0x23/0xc6
Freed:
PID = 22500
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:495
 set_track mm/kasan/kasan.c:507 [inline]
 kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:571
 slab_free_hook mm/slub.c:1355 [inline]
 slab_free_freelist_hook mm/slub.c:1377 [inline]
 slab_free mm/slub.c:2958 [inline]
 kmem_cache_free+0xb2/0x2e0 mm/slub.c:2980
 putname+0xee/0x130 fs/namei.c:257
 filename_lookup+0x234/0x390 fs/namei.c:2324
 user_path_at_empty+0x40/0x50 fs/namei.c:2576
 user_path_at include/linux/namei.h:55 [inline]
 vfs_fstatat+0xbe/0x150 fs/stat.c:106
 vfs_stat fs/stat.c:123 [inline]
 SYSC_newstat+0x7e/0xe0 fs/stat.c:270
 SyS_newstat+0x1d/0x30 fs/stat.c:266
 entry_SYSCALL_64_fastpath+0x23/0xc6
Memory state around the buggy address:
 ffff8801c94b9980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8801c94b9a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8801c94b9a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                     ^
 ffff8801c94b9b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8801c94b9b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
==================================================================
BUG: KASAN: use-after-free in parse_ipsecrequest net/key/af_key.c:1906 [inline] at addr ffff8801d5355eb6
BUG: KASAN: use-after-free in parse_ipsecrequests+0xc7d/0xd00 net/key/af_key.c:1958 at addr ffff8801d5355eb6
Read of size 1 by task syz-executor2/22609
CPU: 0 PID: 22609 Comm: syz-executor2 Tainted: G    B   4.9.39-g5b07c2d #4
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801d9bcf788 ffffffff81eacd59 ffff8801dad53a00 ffff8801d5355500
 ffff8801d5356500 ffffed003aa6abd6 ffff8801d5355eb6 ffff8801d9bcf7b0
 ffffffff81546bfc ffffed003aa6abd6 ffff8801dad53a00 0000000000000000
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [] kasan_object_err+0x1c/0x70 mm/kasan/report.c:160
 [] print_address_description mm/kasan/report.c:198 [inline]
 [] kasan_report_error mm/kasan/report.c:287 [inline]
 [] kasan_report.part.1+0x20d/0x4e0 mm/kasan/report.c:309
 [] kasan_report mm/kasan/report.c:327 [inline]
 [] __asan_report_load1_noabort+0x29/0x30 mm/kasan/report.c:327
 [] parse_ipsecrequest net/key/af_key.c:1906 [inline]
 [] parse_ipsecrequests+0xc7d/0xd00 net/key/af_key.c:1958
 [] pfkey_compile_policy+0xa20/0xd40 net/key/af_key.c:3250
 [] xfrm_user_policy+0x222/0x370 net/xfrm/xfrm_state.c:1900
 [] do_ip_setsockopt.isra.11+0x193e/0x28f0 net/ipv4/ip_sockglue.c:1146
 [] ip_setsockopt+0x3a/0xb0 net/ipv4/ip_sockglue.c:1235
 [] tcp_setsockopt+0x82/0xd0 net/ipv4/tcp.c:2701
 [] sock_common_setsockopt+0x95/0xd0 net/core/sock.c:2705
 [] SYSC_setsockopt net/socket.c:1771 [inline]
 [] SyS_setsockopt+0x158/0x240 net/socket.c:1750
 [] entry_SYSCALL_64_fastpath+0x23/0xc6
Object at ffff8801d5355500, in cache names_cache size: 4096
Allocated:
PID = 21171
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:495
 set_track mm/kasan/kasan.c:507 [inline]
 kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:598
 kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:537
 slab_post_alloc_hook mm/slab.h:417 [inline]
 slab_alloc_node mm/slub.c:2715 [inline]
 slab_alloc mm/slub.c:2723 [inline]
 kmem_cache_alloc+0xc9/0x2a0 mm/slub.c:2728
 getname_flags+0xcb/0x580 fs/namei.c:137
 user_path_at_empty+0x2d/0x50 fs/namei.c:2576
 user_path_at include/linux/namei.h:55 [inline]
 SYSC_faccessat fs/open.c:395 [inline]
 SyS_faccessat fs/open.c:363 [inline]
 SYSC_access fs/open.c:443 [inline]
 SyS_access+0x234/0x6a0 fs/open.c:441
 entry_SYSCALL_64_fastpath+0x23/0xc6
Freed:
PID = 21171
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:57
 save_stack+0x43/0xd0 mm/kasan/kasan.c:495
 set_track mm/kasan/kasan.c:507 [inline]
 kasan_slab_free+0x73/0xc0 mm/kasan/kasan.c:571
 slab_free_hook mm/slub.c:1355 [inline]
 slab_free_freelist_hook mm/slub.c:1377 [inline]
 slab_free mm/slub.c:2958 [inline]
 kmem_cache_free+0xb2/0x2e0 mm/slub.c:2980
 putname+0xee/0x130 fs/namei.c:257
 filename_lookup+0x234/0x390 fs/namei.c:2324
 user_path_at_empty+0x40/0x50 fs/namei.c:2576
 user_path_at include/linux/namei.h:55 [inline]
 SYSC_faccessat fs/open.c:395 [inline]
 SyS_faccessat fs/open.c:363 [inline]
 SYSC_access fs/open.c:443 [inline]
 SyS_access+0x234/0x6a0 fs/open.c:441
 entry_SYSCALL_64_fastpath+0x23/0xc6
Memory state around the buggy address:
 ffff8801d5355d80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8801d5355e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8801d5355e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                     ^
 ffff8801d5355f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8801d5355f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
device sit0 left promiscuous mode
device sit0 entered promiscuous mode
device sit0 left promiscuous mode
device sit0 entered promiscuous mode
device sit0 left promiscuous mode
device sit0 entered promiscuous mode
device sit0 left promiscuous mode
device sit0 entered promiscuous mode
device sit0 left promiscuous mode
device sit0 entered promiscuous mode
device sit0 left promiscuous mode
device sit0 entered promiscuous mode
device sit0 left promiscuous mode
device sit0 entered promiscuous mode
device sit0 left promiscuous mode
device sit0 entered promiscuous mode
device sit0 left promiscuous mode
device sit0 entered promiscuous mode
device sit0 left promiscuous mode
device sit0 entered promiscuous mode
device sit0 left promiscuous mode
device sit0 entered promiscuous mode
device sit0 left promiscuous mode
device sit0 entered promiscuous mode
device sit0 left promiscuous mode
device sit0 entered promiscuous mode
device sit0 left promiscuous mode
device sit0 entered promiscuous mode
device sit0 left promiscuous mode
device sit0 entered promiscuous mode
device sit0 left promiscuous mode
device sit0 entered promiscuous mode
device sit0 left promiscuous mode
device sit0 entered promiscuous mode
device sit0 left promiscuous mode
device sit0 entered promiscuous mode
netlink: 48 bytes leftover after parsing attributes in process `syz-executor5'.
netlink: 48 bytes leftover after parsing attributes in process `syz-executor5'.
device sit0 left promiscuous mode
device sit0 entered promiscuous mode
device sit0 left promiscuous mode
device sit0 entered promiscuous mode
device sit0 left promiscuous mode
device sit0 entered promiscuous mode
device sit0 left promiscuous mode
device sit0 entered promiscuous mode
device sit0 left promiscuous mode
device sit0 entered promiscuous mode
device sit0 left promiscuous mode
device sit0 entered promiscuous mode
device sit0 left promiscuous mode
device sit0 entered promiscuous mode
device sit0 left promiscuous mode
device sit0 entered promiscuous mode
device sit0 left promiscuous mode
device sit0 entered promiscuous mode
device sit0 left promiscuous mode
device sit0 entered promiscuous mode
device sit0 left promiscuous mode