Warning: Permanently added '10.128.0.51' (ECDSA) to the list of known hosts.
executing program
executing program
[ 77.595167][ T9852] ==================================================================
[ 77.603483][ T9852] BUG: KASAN: use-after-free in bitmap_ip_ext_cleanup+0xd8/0x290
[ 77.611368][ T9852] Read of size 8 at addr ffff8880a7ca67c0 by task syz-executor319/9852
[ 77.619594][ T9852]
[ 77.621925][ T9852] CPU: 0 PID: 9852 Comm: syz-executor319 Not tainted 5.5.0-rc5-syzkaller #0
[ 77.630592][ T9852] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 77.641008][ T9852] Call Trace:
[ 77.644365][ T9852]  dump_stack+0x197/0x210
[ 77.648771][ T9852]  ? bitmap_ip_ext_cleanup+0xd8/0x290
[ 77.654145][ T9852]  print_address_description.constprop.0.cold+0xd4/0x30b
[ 77.661218][ T9852]  ? bitmap_ip_ext_cleanup+0xd8/0x290
[ 77.666589][ T9852]  ? bitmap_ip_ext_cleanup+0xd8/0x290
[ 77.672045][ T9852]  __kasan_report.cold+0x1b/0x41
[ 77.677077][ T9852]  ? kfree+0x190/0x2c0
[ 77.681302][ T9852]  ? bitmap_ip_ext_cleanup+0xd8/0x290
[ 77.686675][ T9852]  kasan_report+0x12/0x20
[ 77.691102][ T9852]  check_memory_region+0x134/0x1a0
[ 77.696219][ T9852]  __kasan_check_read+0x11/0x20
[ 77.701138][ T9852]  bitmap_ip_ext_cleanup+0xd8/0x290
[ 77.706446][ T9852]  bitmap_ip_destroy+0x17c/0x1d0
[ 77.711375][ T9852]  ip_set_create+0xe47/0x1500
[ 77.716040][ T9852]  ? ip_set_destroy+0xb70/0xb70
[ 77.720907][ T9852]  ? ip_set_destroy+0xb70/0xb70
[ 77.725901][ T9852]  nfnetlink_rcv_msg+0xcf2/0xfb0
[ 77.730857][ T9852]  ? nfnetlink_bind+0x2c0/0x2c0
[ 77.735708][ T9852]  ? __kasan_check_read+0x11/0x20
[ 77.740769][ T9852]  ? __lock_acquire+0x8a0/0x4a00
[ 77.745776][ T9852]  ? save_stack+0x5c/0x90
[ 77.750108][ T9852]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 77.756347][ T9852]  ? apparmor_capable+0x497/0x900
[ 77.761370][ T9852]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 77.767598][ T9852]  ? __kasan_check_read+0x11/0x20
[ 77.772689][ T9852]  ? apparmor_cred_prepare+0x7b0/0x7b0
[ 77.778158][ T9852]  netlink_rcv_skb+0x177/0x450
[ 77.783007][ T9852]  ? nfnetlink_bind+0x2c0/0x2c0
[ 77.787858][ T9852]  ? netlink_ack+0xb50/0xb50
[ 77.792437][ T9852]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 77.798672][ T9852]  ? ns_capable_common+0x93/0x100
[ 77.803696][ T9852]  ? ns_capable+0x20/0x30
[ 77.808078][ T9852]  ? __netlink_ns_capable+0x104/0x140
[ 77.813456][ T9852]  nfnetlink_rcv+0x1ba/0x460
[ 77.818035][ T9852]  ? nfnetlink_rcv_batch+0x17a0/0x17a0
[ 77.823602][ T9852]  ? netlink_deliver_tap+0x24a/0xbf0
[ 77.828887][ T9852]  ? __kasan_check_write+0x14/0x20
[ 77.834015][ T9852]  netlink_unicast+0x59e/0x7e0
[ 77.838814][ T9852]  ? netlink_attachskb+0x870/0x870
[ 77.844034][ T9852]  ? __sanitizer_cov_trace_cmp8+0x18/0x20
[ 77.849781][ T9852]  ? __check_object_size+0x3d/0x437
[ 77.855061][ T9852]  netlink_sendmsg+0x91c/0xea0
[ 77.859838][ T9852]  ? netlink_unicast+0x7e0/0x7e0
[ 77.864778][ T9852]  ? aa_sock_msg_perm.isra.0+0xba/0x170
[ 77.870318][ T9852]  ? apparmor_socket_sendmsg+0x2a/0x30
[ 77.875774][ T9852]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 77.882089][ T9852]  ? security_socket_sendmsg+0x8d/0xc0
[ 77.887587][ T9852]  ? netlink_unicast+0x7e0/0x7e0
[ 77.892516][ T9852]  sock_sendmsg+0xd7/0x130
[ 77.896928][ T9852]  ____sys_sendmsg+0x753/0x880
[ 77.901689][ T9852]  ? kernel_sendmsg+0x50/0x50
[ 77.906363][ T9852]  ? mark_held_locks+0xa4/0xf0
[ 77.911163][ T9852]  ? do_huge_pmd_anonymous_page+0x1463/0x1a50
[ 77.917227][ T9852]  ? __handle_mm_fault+0x3145/0x3cc0
[ 77.922570][ T9852]  ? do_huge_pmd_anonymous_page+0x1463/0x1a50
[ 77.928662][ T9852]  ___sys_sendmsg+0x100/0x170
[ 77.933429][ T9852]  ? do_huge_pmd_anonymous_page+0xceb/0x1a50
[ 77.939405][ T9852]  ? sendmsg_copy_msghdr+0x70/0x70
[ 77.944926][ T9852]  ? __do_page_fault+0x56a/0xd80
[ 77.949916][ T9852]  ? find_held_lock+0x35/0x130
[ 77.954672][ T9852]  ? __do_page_fault+0x56a/0xd80
[ 77.959600][ T9852]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 77.965839][ T9852]  ? __fget_light+0x1a9/0x230
[ 77.970518][ T9852]  ? __fdget+0x1b/0x20
[ 77.974584][ T9852]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 77.981320][ T9852]  __sys_sendmsg+0x105/0x1d0
[ 77.986061][ T9852]  ? __sys_sendmsg_sock+0xc0/0xc0
[ 77.991083][ T9852]  ? down_read_non_owner+0x490/0x490
[ 77.996362][ T9852]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 78.001875][ T9852]  ? do_syscall_64+0x26/0x790
[ 78.006545][ T9852]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 78.012729][ T9852]  ? do_syscall_64+0x26/0x790
[ 78.017415][ T9852]  __x64_sys_sendmsg+0x78/0xb0
[ 78.022182][ T9852]  do_syscall_64+0xfa/0x790
[ 78.026688][ T9852]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 78.032569][ T9852] RIP: 0033:0x441459
[ 78.036452][ T9852] Code: e8 fc ab 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 9b 09 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 78.056119][ T9852] RSP: 002b:00007ffe37820b08 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 78.064536][ T9852] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000441459
[ 78.072501][ T9852] RDX: 0000000000000000 RSI: 0000000020000300 RDI: 0000000000000003
[ 78.080470][ T9852] RBP: 0000000000012efc R08: 00000000004002c8 R09: 00000000004002c8
[ 78.088430][ T9852] R10: 0000000000000004 R11: 0000000000000246 R12: 0000000000402280
[ 78.096451][ T9852] R13: 0000000000402310 R14: 0000000000000000 R15: 0000000000000000
[ 78.104438][ T9852]
[ 78.106769][ T9852] Allocated by task 9852:
[ 78.111097][ T9852]  save_stack+0x23/0x90
[ 78.115251][ T9852]  __kasan_kmalloc.constprop.0+0xcf/0xe0
[ 78.120877][ T9852]  kasan_kmalloc+0x9/0x10
[ 78.125297][ T9852]  __kmalloc+0x163/0x770
[ 78.129740][ T9852]  ip_set_alloc+0x38/0x5e
[ 78.134115][ T9852]  bitmap_ip_create+0x6ec/0xc20
[ 78.139059][ T9852]  ip_set_create+0x6f1/0x1500
[ 78.143956][ T9852]  nfnetlink_rcv_msg+0xcf2/0xfb0
[ 78.148889][ T9852]  netlink_rcv_skb+0x177/0x450
[ 78.153651][ T9852]  nfnetlink_rcv+0x1ba/0x460
[ 78.158238][ T9852]  netlink_unicast+0x59e/0x7e0
[ 78.163003][ T9852]  netlink_sendmsg+0x91c/0xea0
[ 78.167764][ T9852]  sock_sendmsg+0xd7/0x130
[ 78.172177][ T9852]  ____sys_sendmsg+0x753/0x880
[ 78.176937][ T9852]  ___sys_sendmsg+0x100/0x170
[ 78.181728][ T9852]  __sys_sendmsg+0x105/0x1d0
[ 78.186405][ T9852]  __x64_sys_sendmsg+0x78/0xb0
[ 78.191240][ T9852]  do_syscall_64+0xfa/0x790
[ 78.195736][ T9852]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 78.201728][ T9852]
[ 78.204095][ T9852] Freed by task 9852:
[ 78.208122][ T9852]  save_stack+0x23/0x90
[ 78.212270][ T9852]  __kasan_slab_free+0x102/0x150
[ 78.217195][ T9852]  kasan_slab_free+0xe/0x10
[ 78.221688][ T9852]  kfree+0x10a/0x2c0
[ 78.225582][ T9852]  kvfree+0x61/0x70
[ 78.229386][ T9852]  ip_set_free+0x16/0x20
[ 78.233610][ T9852]  bitmap_ip_destroy+0xae/0x1d0
[ 78.238452][ T9852]  ip_set_create+0xe47/0x1500
[ 78.243166][ T9852]  nfnetlink_rcv_msg+0xcf2/0xfb0
[ 78.248112][ T9852]  netlink_rcv_skb+0x177/0x450
[ 78.253023][ T9852]  nfnetlink_rcv+0x1ba/0x460
[ 78.257610][ T9852]  netlink_unicast+0x59e/0x7e0
[ 78.262427][ T9852]  netlink_sendmsg+0x91c/0xea0
[ 78.267182][ T9852]  sock_sendmsg+0xd7/0x130
[ 78.271631][ T9852]  ____sys_sendmsg+0x753/0x880
[ 78.276501][ T9852]  ___sys_sendmsg+0x100/0x170
[ 78.281217][ T9852]  __sys_sendmsg+0x105/0x1d0
[ 78.285799][ T9852]  __x64_sys_sendmsg+0x78/0xb0
[ 78.290729][ T9852]  do_syscall_64+0xfa/0x790
[ 78.295246][ T9852]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 78.301121][ T9852]
[ 78.303438][ T9852] The buggy address belongs to the object at ffff8880a7ca67c0
[ 78.303438][ T9852]  which belongs to the cache kmalloc-32 of size 32
[ 78.317306][ T9852] The buggy address is located 0 bytes inside of
[ 78.317306][ T9852]  32-byte region [ffff8880a7ca67c0, ffff8880a7ca67e0)
[ 78.330302][ T9852] The buggy address belongs to the page:
[ 78.335930][ T9852] page:ffffea00029f2980 refcount:1 mapcount:0 mapping:ffff8880aa4001c0 index:0xffff8880a7ca6fc1
[ 78.346497][ T9852] raw: 00fffe0000000200 ffffea00026bfc88 ffffea00027d0708 ffff8880aa4001c0
[ 78.355174][ T9852] raw: ffff8880a7ca6fc1 ffff8880a7ca6000 000000010000003f 0000000000000000
[ 78.363817][ T9852] page dumped because: kasan: bad access detected
[ 78.370384][ T9852]
[ 78.372709][ T9852] Memory state around the buggy address:
[ 78.378327][ T9852]  ffff8880a7ca6680: 04 fc fc fc fc fc fc fc fb fb fb fb fc fc fc fc
[ 78.386624][ T9852]  ffff8880a7ca6700: fb fb fb fb fc fc fc fc 00 00 fc fc fc fc fc fc
[ 78.395021][ T9852] >ffff8880a7ca6780: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[ 78.403117][ T9852]                                            ^
[ 78.409332][ T9852]  ffff8880a7ca6800: fb fb fb fb fc fc fc fc 00 00 fc fc fc fc fc fc
[ 78.417452][ T9852]  ffff8880a7ca6880: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[ 78.425503][ T9852] ==================================================================
[ 78.433553][ T9852] Disabling lock debugging due to kernel taint
[ 78.441153][ T9852] Kernel panic - not syncing: panic_on_warn set ...
[ 78.447755][ T9852] CPU: 0 PID: 9852 Comm: syz-executor319 Tainted: G    B 5.5.0-rc5-syzkaller #0
[ 78.457917][ T9852] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 78.468084][ T9852] Call Trace:
[ 78.471444][ T9852]  dump_stack+0x197/0x210
[ 78.475763][ T9852]  panic+0x2e3/0x75c
[ 78.479671][ T9852]  ? add_taint.cold+0x16/0x16
[ 78.484357][ T9852]  ? bitmap_ip_ext_cleanup+0xd8/0x290
[ 78.489732][ T9852]  ? preempt_schedule+0x4b/0x60
[ 78.494576][ T9852]  ? ___preempt_schedule+0x16/0x18
[ 78.499684][ T9852]  ? trace_hardirqs_on+0x5e/0x240
[ 78.504776][ T9852]  ? bitmap_ip_ext_cleanup+0xd8/0x290
[ 78.510243][ T9852]  end_report+0x47/0x4f
[ 78.514392][ T9852]  ? bitmap_ip_ext_cleanup+0xd8/0x290
[ 78.519865][ T9852]  __kasan_report.cold+0xe/0x41
[ 78.524705][ T9852]  ? kfree+0x190/0x2c0
[ 78.528754][ T9852]  ? bitmap_ip_ext_cleanup+0xd8/0x290
[ 78.534119][ T9852]  kasan_report+0x12/0x20
[ 78.538451][ T9852]  check_memory_region+0x134/0x1a0
[ 78.543646][ T9852]  __kasan_check_read+0x11/0x20
[ 78.548578][ T9852]  bitmap_ip_ext_cleanup+0xd8/0x290
[ 78.553773][ T9852]  bitmap_ip_destroy+0x17c/0x1d0
[ 78.558716][ T9852]  ip_set_create+0xe47/0x1500
[ 78.563450][ T9852]  ? ip_set_destroy+0xb70/0xb70
[ 78.568289][ T9852]  ? ip_set_destroy+0xb70/0xb70
[ 78.573139][ T9852]  nfnetlink_rcv_msg+0xcf2/0xfb0
[ 78.578139][ T9852]  ? nfnetlink_bind+0x2c0/0x2c0
[ 78.583014][ T9852]  ? __kasan_check_read+0x11/0x20
[ 78.588029][ T9852]  ? __lock_acquire+0x8a0/0x4a00
[ 78.592953][ T9852]  ? save_stack+0x5c/0x90
[ 78.597323][ T9852]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 78.603554][ T9852]  ? apparmor_capable+0x497/0x900
[ 78.608570][ T9852]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 78.614891][ T9852]  ? __kasan_check_read+0x11/0x20
[ 78.619907][ T9852]  ? apparmor_cred_prepare+0x7b0/0x7b0
[ 78.625426][ T9852]  netlink_rcv_skb+0x177/0x450
[ 78.630236][ T9852]  ? nfnetlink_bind+0x2c0/0x2c0
[ 78.635079][ T9852]  ? netlink_ack+0xb50/0xb50
[ 78.639667][ T9852]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 78.645943][ T9852]  ? ns_capable_common+0x93/0x100
[ 78.650961][ T9852]  ? ns_capable+0x20/0x30
[ 78.655276][ T9852]  ? __netlink_ns_capable+0x104/0x140
[ 78.660646][ T9852]  nfnetlink_rcv+0x1ba/0x460
[ 78.665236][ T9852]  ? nfnetlink_rcv_batch+0x17a0/0x17a0
[ 78.670686][ T9852]  ? netlink_deliver_tap+0x24a/0xbf0
[ 78.676001][ T9852]  ? __kasan_check_write+0x14/0x20
[ 78.681169][ T9852]  netlink_unicast+0x59e/0x7e0
[ 78.685972][ T9852]  ? netlink_attachskb+0x870/0x870
[ 78.691149][ T9852]  ? __sanitizer_cov_trace_cmp8+0x18/0x20
[ 78.696861][ T9852]  ? __check_object_size+0x3d/0x437
[ 78.702053][ T9852]  netlink_sendmsg+0x91c/0xea0
[ 78.706819][ T9852]  ? netlink_unicast+0x7e0/0x7e0
[ 78.711819][ T9852]  ? aa_sock_msg_perm.isra.0+0xba/0x170
[ 78.717352][ T9852]  ? apparmor_socket_sendmsg+0x2a/0x30
[ 78.722952][ T9852]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 78.729221][ T9852]  ? security_socket_sendmsg+0x8d/0xc0
[ 78.734674][ T9852]  ? netlink_unicast+0x7e0/0x7e0
[ 78.739606][ T9852]  sock_sendmsg+0xd7/0x130
[ 78.744055][ T9852]  ____sys_sendmsg+0x753/0x880
[ 78.748879][ T9852]  ? kernel_sendmsg+0x50/0x50
[ 78.753551][ T9852]  ? mark_held_locks+0xa4/0xf0
[ 78.758338][ T9852]  ? do_huge_pmd_anonymous_page+0x1463/0x1a50
[ 78.764395][ T9852]  ? __handle_mm_fault+0x3145/0x3cc0
[ 78.769677][ T9852]  ? do_huge_pmd_anonymous_page+0x1463/0x1a50
[ 78.775803][ T9852]  ___sys_sendmsg+0x100/0x170
[ 78.780479][ T9852]  ? do_huge_pmd_anonymous_page+0xceb/0x1a50
[ 78.786519][ T9852]  ? sendmsg_copy_msghdr+0x70/0x70
[ 78.791672][ T9852]  ? __do_page_fault+0x56a/0xd80
[ 78.796600][ T9852]  ? find_held_lock+0x35/0x130
[ 78.801513][ T9852]  ? __do_page_fault+0x56a/0xd80
[ 78.806471][ T9852]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 78.812869][ T9852]  ? __fget_light+0x1a9/0x230
[ 78.817676][ T9852]  ? __fdget+0x1b/0x20
[ 78.821822][ T9852]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 78.828110][ T9852]  __sys_sendmsg+0x105/0x1d0
[ 78.832710][ T9852]  ? __sys_sendmsg_sock+0xc0/0xc0
[ 78.837730][ T9852]  ? down_read_non_owner+0x490/0x490
[ 78.843011][ T9852]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 78.848462][ T9852]  ? do_syscall_64+0x26/0x790
[ 78.853123][ T9852]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 78.859185][ T9852]  ? do_syscall_64+0x26/0x790
[ 78.863859][ T9852]  __x64_sys_sendmsg+0x78/0xb0
[ 78.868619][ T9852]  do_syscall_64+0xfa/0x790
[ 78.873149][ T9852]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 78.879031][ T9852] RIP: 0033:0x441459
[ 78.882941][ T9852] Code: e8 fc ab 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 9b 09 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 78.902530][ T9852] RSP: 002b:00007ffe37820b08 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 78.910940][ T9852] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000441459
[ 78.918964][ T9852] RDX: 0000000000000000 RSI: 0000000020000300 RDI: 0000000000000003
[ 78.927024][ T9852] RBP: 0000000000012efc R08: 00000000004002c8 R09: 00000000004002c8
[ 78.935028][ T9852] R10: 0000000000000004 R11: 0000000000000246 R12: 0000000000402280
[ 78.942987][ T9852] R13: 0000000000402310 R14: 0000000000000000 R15: 0000000000000000
[ 78.952505][ T9852] Kernel Offset: disabled
[ 78.956850][ T9852] Rebooting in 86400 seconds..
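A first triage pass over the report above, as an added example that is not part of the syzkaller log and is not kernel or syzkaller code. It parses a KASAN report into fields and pulls out what a first look needs: the innermost function present on both the free stack and the faulting stack (here bitmap_ip_destroy, which the free stack shows calling ip_set_free from +0xae and the faulting stack shows calling bitmap_ip_ext_cleanup from +0x17c, both reached from the same ip_set_create+0xe47 call site), and whether allocation, free and faulting access all came from one task, which they do here (PID 9852), so the bug reproduces sequentially rather than as a race. The sample input is a trimmed excerpt of the report above; the offset comparison is a heuristic about call-site order inside one function, not proof of the source order.

```python
"""Triage helper for a KASAN report like the one above.

Added example, not part of the syzkaller log, the kernel or syzkaller: parses the
report and derives which function freed the object and is still touching it, and
whether alloc, free and access came from one task (sequential) or several (race).
"""
import re

# Trimmed excerpt of the report above: frames dropped for length, values unchanged.
SAMPLE_REPORT = """\
[ 77.603483][ T9852] BUG: KASAN: use-after-free in bitmap_ip_ext_cleanup+0xd8/0x290
[ 77.611368][ T9852] Read of size 8 at addr ffff8880a7ca67c0 by task syz-executor319/9852
[ 77.641008][ T9852] Call Trace:
[ 77.644365][ T9852]  dump_stack+0x197/0x210
[ 77.648771][ T9852]  ? bitmap_ip_ext_cleanup+0xd8/0x290
[ 77.701138][ T9852]  bitmap_ip_ext_cleanup+0xd8/0x290
[ 77.706446][ T9852]  bitmap_ip_destroy+0x17c/0x1d0
[ 77.711375][ T9852]  ip_set_create+0xe47/0x1500
[ 78.032569][ T9852] RIP: 0033:0x441459
[ 78.106769][ T9852] Allocated by task 9852:
[ 78.125297][ T9852]  __kmalloc+0x163/0x770
[ 78.129740][ T9852]  ip_set_alloc+0x38/0x5e
[ 78.134115][ T9852]  bitmap_ip_create+0x6ec/0xc20
[ 78.201728][ T9852]
[ 78.204095][ T9852] Freed by task 9852:
[ 78.221688][ T9852]  kfree+0x10a/0x2c0
[ 78.229386][ T9852]  ip_set_free+0x16/0x20
[ 78.233610][ T9852]  bitmap_ip_destroy+0xae/0x1d0
[ 78.238452][ T9852]  ip_set_create+0xe47/0x1500
[ 78.301121][ T9852]
[ 78.303438][ T9852]  which belongs to the cache kmalloc-32 of size 32
[ 78.317306][ T9852] The buggy address is located 0 bytes inside of
"""

PREFIX = re.compile(r"^\[\s*\d+\.\d+\]\[\s*T\d+\]\s?")                # "[ 77.6][ T9852] "
FRAME = re.compile(r"^\s*(\?\s+)?([A-Za-z_][\w.]*)\+0x([0-9a-f]+)/0x[0-9a-f]+\s*$")
BUG = re.compile(r"BUG: KASAN: ([\w-]+) in ([\w.]+)\+0x")
ACCESS = re.compile(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (\S+)/(\d+)")
STACK_HDR = re.compile(r"^(Allocated|Freed) by task (\d+):$")
CACHE = re.compile(r"belongs to the cache (\S+) of size (\d+)")
OFFSET = re.compile(r"is located (\d+) bytes (.+?) of$")


def parse_kasan_report(text):
    """Parse one KASAN report; stacks become lists of (function, offset) tuples."""
    rep = {"access_stack": [], "alloc_stack": [], "free_stack": []}
    section = None
    for raw in text.splitlines():
        line = PREFIX.sub("", raw).rstrip()
        if section:
            m = FRAME.match(line)
            if m:
                if not m.group(1):      # "? func" entries are stale stack slots, not callers
                    rep[section].append((m.group(2), int(m.group(3), 16)))
                continue
            section = None              # first non-frame line closes the current stack
        if m := BUG.search(line):
            rep["bug"], rep["func"] = m.group(1), m.group(2)
        elif m := ACCESS.search(line):
            rep["access"], rep["size"], rep["addr"] = m.group(1), int(m.group(2)), int(m.group(3), 16)
            rep["task"], rep["pid"] = m.group(4), int(m.group(5))
        elif line == "Call Trace:" and not rep["access_stack"]:
            section = "access_stack"    # first trace only; the panic later repeats it
        elif m := STACK_HDR.match(line):
            key = "alloc" if m.group(1) == "Allocated" else "free"
            rep[key + "_pid"], section = int(m.group(2)), key + "_stack"
        elif m := CACHE.search(line):
            rep["cache"], rep["object_size"] = m.group(1), int(m.group(2))
        elif m := OFFSET.search(line):
            rep["offset"], rep["where"] = int(m.group(1)), m.group(2)
    return rep


def freed_then_used_in(rep):
    """Innermost function on both the faulting and the free stack, returned as
    (function, offset of the free call site, offset of the faulting call site)."""
    free_sites = {}
    for name, off in rep["free_stack"]:
        free_sites.setdefault(name, off)            # innermost occurrence wins
    for name, off in rep["access_stack"]:
        if name in free_sites:
            return name, free_sites[name], off
    return None


def triage(rep):
    """Summarise the facts that decide how to approach the bug."""
    shared = freed_then_used_in(rep)
    same_task = rep.get("pid") is not None and rep["pid"] == rep.get("alloc_pid") == rep.get("free_pid")
    return {
        "bug": f"{rep['bug']} {rep['access'].lower()} of {rep['size']} bytes in {rep['func']}",
        "object": f"{rep['cache']} object, {rep['offset']} bytes {rep['where']}",
        "freed_then_used_in": shared[0] if shared else None,
        # A lower return-address offset for the free than for the faulting call is the
        # layout expected from straight-line free-then-use inside that function (heuristic).
        "free_site_precedes_use_site": bool(shared and shared[1] < shared[2]),
        "same_task": same_task,
    }


if __name__ == "__main__":
    for key, value in triage(parse_kasan_report(SAMPLE_REPORT)).items():
        print(f"{key}: {value}")
```

Run against the full report the parser gives the same answer, since the extra frames are either "?" entries (skipped) or outer callers shared by every stack; the first shared frame is still bitmap_ip_destroy because the KASAN and allocator frames above it appear on only one side.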