Warning: Permanently added '10.128.0.220' (ECDSA) to the list of known hosts. executing program syzkaller login: [ 66.485226][ T6832] netlink: 32 bytes leftover after parsing attributes in process `syz-executor865'. [ 66.567207][ T6832] ================================================================== [ 66.575466][ T6832] BUG: KASAN: use-after-free in tcf_action_destroy+0x188/0x1b0 [ 66.582986][ T6832] Read of size 8 at addr ffff8880959be400 by task syz-executor865/6832 [ 66.591230][ T6832] [ 66.593544][ T6832] CPU: 1 PID: 6832 Comm: syz-executor865 Not tainted 5.9.0-rc7-syzkaller #0 [ 66.602210][ T6832] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 66.612254][ T6832] Call Trace: [ 66.615528][ T6832] dump_stack+0x198/0x1fd [ 66.619838][ T6832] ? tcf_action_destroy+0x188/0x1b0 [ 66.625014][ T6832] ? tcf_action_destroy+0x188/0x1b0 [ 66.630193][ T6832] print_address_description.constprop.0.cold+0xae/0x497 [ 66.637305][ T6832] ? tcf_action_destroy+0x188/0x1b0 [ 66.642490][ T6832] ? lockdep_hardirqs_off+0x96/0xd0 [ 66.647690][ T6832] ? vprintk_func+0x95/0x1d4 [ 66.652266][ T6832] ? tcf_action_destroy+0x188/0x1b0 [ 66.657451][ T6832] ? tcf_action_destroy+0x188/0x1b0 [ 66.662638][ T6832] kasan_report.cold+0x1f/0x37 [ 66.667396][ T6832] ? tcf_action_destroy+0x188/0x1b0 [ 66.672586][ T6832] tcf_action_destroy+0x188/0x1b0 [ 66.677609][ T6832] tcf_action_init+0x29c/0x3d0 [ 66.682357][ T6832] ? tcf_action_init_1+0xac0/0xac0 [ 66.687470][ T6832] tcf_action_add+0xd9/0x360 [ 66.692047][ T6832] ? tca_action_gd+0xe20/0xe20 [ 66.696810][ T6832] ? lock_acquire+0x1f3/0xaf0 [ 66.701493][ T6832] ? bpf_lsm_capable+0x5/0x10 [ 66.706151][ T6832] ? __nla_parse+0x3d/0x4a [ 66.710553][ T6832] tc_ctl_action+0x33a/0x439 [ 66.715126][ T6832] ? tcf_action_add+0x360/0x360 [ 66.719956][ T6832] ? lock_is_held_type+0xbb/0xf0 [ 66.724885][ T6832] ? tcf_action_add+0x360/0x360 [ 66.729739][ T6832] rtnetlink_rcv_msg+0x44e/0xad0 [ 66.734656][ T6832] ? rtnetlink_put_metrics+0x510/0x510 [ 66.740099][ T6832] ? lock_acquire+0x1f3/0xaf0 [ 66.744772][ T6832] ? netlink_deliver_tap+0x146/0xb70 [ 66.750036][ T6832] netlink_rcv_skb+0x15a/0x430 [ 66.754799][ T6832] ? rtnetlink_put_metrics+0x510/0x510 [ 66.760253][ T6832] ? netlink_ack+0xa10/0xa10 [ 66.764826][ T6832] ? __kmalloc_node_track_caller+0x38/0x60 [ 66.770637][ T6832] netlink_unicast+0x533/0x7d0 [ 66.775382][ T6832] ? netlink_attachskb+0x810/0x810 [ 66.780507][ T6832] ? __phys_addr_symbol+0x2c/0x70 [ 66.785511][ T6832] ? __check_object_size+0x171/0x3e4 [ 66.790802][ T6832] netlink_sendmsg+0x856/0xd90 [ 66.795548][ T6832] ? netlink_unicast+0x7d0/0x7d0 [ 66.800467][ T6832] ? bpf_lsm_socket_sendmsg+0x5/0x10 [ 66.805753][ T6832] ? netlink_unicast+0x7d0/0x7d0 [ 66.810680][ T6832] sock_sendmsg+0xcf/0x120 [ 66.815093][ T6832] ____sys_sendmsg+0x6e8/0x810 [ 66.819848][ T6832] ? kernel_sendmsg+0x50/0x50 [ 66.824500][ T6832] ? do_recvmmsg+0x6d0/0x6d0 [ 66.829069][ T6832] ? lockdep_hardirqs_on_prepare+0x530/0x530 [ 66.835130][ T6832] ? lock_is_held_type+0xbb/0xf0 [ 66.840044][ T6832] ? find_held_lock+0x2d/0x110 [ 66.844785][ T6832] ___sys_sendmsg+0xf3/0x170 [ 66.849371][ T6832] ? sendmsg_copy_msghdr+0x160/0x160 [ 66.854632][ T6832] ? __fget_files+0x272/0x400 [ 66.859289][ T6832] ? lock_downgrade+0x830/0x830 [ 66.864142][ T6832] ? do_huge_pmd_anonymous_page+0x8f2/0x2200 [ 66.870125][ T6832] ? __fget_files+0x294/0x400 [ 66.874786][ T6832] ? __fget_light+0xea/0x280 [ 66.879355][ T6832] __sys_sendmsg+0xe5/0x1b0 [ 66.883842][ T6832] ? __sys_sendmsg_sock+0xb0/0xb0 [ 66.888864][ T6832] ? check_preemption_disabled+0x50/0x130 [ 66.894560][ T6832] ? syscall_enter_from_user_mode+0x1d/0x60 [ 66.900440][ T6832] do_syscall_64+0x2d/0x70 [ 66.904843][ T6832] entry_SYSCALL_64_after_hwframe+0x44/0xa9 [ 66.910722][ T6832] RIP: 0033:0x446c69 [ 66.914613][ T6832] Code: e8 5c b3 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 8b 07 fc ff c3 66 2e 0f 1f 84 00 00 00 00 [ 66.934192][ T6832] RSP: 002b:00007f3e9aecbd98 EFLAGS: 00000246 ORIG_RAX: 000000000000002e [ 66.942603][ T6832] RAX: ffffffffffffffda RBX: 00000000006dbc28 RCX: 0000000000446c69 [ 66.950586][ T6832] RDX: 0000000000000000 RSI: 0000000020002980 RDI: 0000000000000003 [ 66.958536][ T6832] RBP: 00000000006dbc20 R08: 0000000000000000 R09: 0000000000000000 [ 66.966501][ T6832] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dbc2c [ 66.974535][ T6832] R13: 0001008400000000 R14: 0000000000000000 R15: 053b003000000098 [ 66.982700][ T6832] [ 66.985010][ T6832] Allocated by task 6832: [ 66.989338][ T6832] kasan_save_stack+0x1b/0x40 [ 66.993991][ T6832] __kasan_kmalloc.constprop.0+0xbf/0xd0 [ 66.999597][ T6832] __kmalloc+0x1b0/0x360 [ 67.003838][ T6832] tcf_idr_create+0x5b/0x800 [ 67.008425][ T6832] tcf_connmark_init+0x535/0x960 [ 67.013339][ T6832] tcf_action_init_1+0x6a5/0xac0 [ 67.018251][ T6832] tcf_action_init+0x260/0x3d0 [ 67.022990][ T6832] tcf_action_add+0xd9/0x360 [ 67.027557][ T6832] tc_ctl_action+0x33a/0x439 [ 67.032134][ T6832] rtnetlink_rcv_msg+0x44e/0xad0 [ 67.037069][ T6832] netlink_rcv_skb+0x15a/0x430 [ 67.041808][ T6832] netlink_unicast+0x533/0x7d0 [ 67.046547][ T6832] netlink_sendmsg+0x856/0xd90 [ 67.051286][ T6832] sock_sendmsg+0xcf/0x120 [ 67.055697][ T6832] ____sys_sendmsg+0x6e8/0x810 [ 67.060454][ T6832] ___sys_sendmsg+0xf3/0x170 [ 67.065050][ T6832] __sys_sendmsg+0xe5/0x1b0 [ 67.069528][ T6832] do_syscall_64+0x2d/0x70 [ 67.073920][ T6832] entry_SYSCALL_64_after_hwframe+0x44/0xa9 [ 67.079783][ T6832] [ 67.082087][ T6832] Freed by task 6834: [ 67.086043][ T6832] kasan_save_stack+0x1b/0x40 [ 67.090695][ T6832] kasan_set_track+0x1c/0x30 [ 67.095265][ T6832] kasan_set_free_info+0x1b/0x30 [ 67.100176][ T6832] __kasan_slab_free+0xd8/0x120 [ 67.105000][ T6832] kfree+0x10e/0x2b0 [ 67.108894][ T6832] tcf_generic_walker+0x959/0xb60 [ 67.113914][ T6832] tca_action_flush+0x42b/0x920 [ 67.118738][ T6832] tca_action_gd+0x8c9/0xe20 [ 67.123323][ T6832] tc_ctl_action+0x280/0x439 [ 67.127911][ T6832] rtnetlink_rcv_msg+0x44e/0xad0 [ 67.132823][ T6832] netlink_rcv_skb+0x15a/0x430 [ 67.137580][ T6832] netlink_unicast+0x533/0x7d0 [ 67.142327][ T6832] netlink_sendmsg+0x856/0xd90 [ 67.147084][ T6832] sock_sendmsg+0xcf/0x120 [ 67.151479][ T6832] ____sys_sendmsg+0x6e8/0x810 [ 67.156217][ T6832] ___sys_sendmsg+0xf3/0x170 [ 67.160787][ T6832] __sys_sendmsg+0xe5/0x1b0 [ 67.165270][ T6832] do_syscall_64+0x2d/0x70 [ 67.169665][ T6832] entry_SYSCALL_64_after_hwframe+0x44/0xa9 [ 67.175534][ T6832] [ 67.177854][ T6832] The buggy address belongs to the object at ffff8880959be400 [ 67.177854][ T6832] which belongs to the cache kmalloc-512 of size 512 [ 67.191914][ T6832] The buggy address is located 0 bytes inside of [ 67.191914][ T6832] 512-byte region [ffff8880959be400, ffff8880959be600) [ 67.204984][ T6832] The buggy address belongs to the page: [ 67.210601][ T6832] page:00000000c72eb1bb refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff8880959be000 pfn:0x959be [ 67.222022][ T6832] flags: 0xfffe0000000200(slab) [ 67.226868][ T6832] raw: 00fffe0000000200 ffffea00028b5a48 ffffea00029d8588 ffff8880aa040600 [ 67.235441][ T6832] raw: ffff8880959be000 ffff8880959be000 0000000100000002 0000000000000000 [ 67.244023][ T6832] page dumped because: kasan: bad access detected [ 67.250405][ T6832] [ 67.252707][ T6832] Memory state around the buggy address: [ 67.258343][ T6832] ffff8880959be300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 67.266387][ T6832] ffff8880959be380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 67.274437][ T6832] >ffff8880959be400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 67.282475][ T6832] ^ [ 67.286524][ T6832] ffff8880959be480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 67.294586][ T6832] ffff8880959be500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 67.302626][ T6832] ================================================================== [ 67.310661][ T6832] Disabling lock debugging due to kernel taint [ 67.317311][ T6832] Kernel panic - not syncing: panic_on_warn set ... [ 67.323902][ T6832] CPU: 1 PID: 6832 Comm: syz-executor865 Tainted: G B 5.9.0-rc7-syzkaller #0 [ 67.333946][ T6832] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 67.343989][ T6832] Call Trace: [ 67.347279][ T6832] dump_stack+0x198/0x1fd [ 67.351612][ T6832] ? tcf_action_destroy+0x130/0x1b0 [ 67.356809][ T6832] panic+0x382/0x7fb [ 67.360691][ T6832] ? __warn_printk+0xf3/0xf3 [ 67.365257][ T6832] ? preempt_schedule_common+0x59/0xc0 [ 67.370708][ T6832] ? tcf_action_destroy+0x188/0x1b0 [ 67.375881][ T6832] ? preempt_schedule_thunk+0x16/0x18 [ 67.381226][ T6832] ? trace_hardirqs_on+0x55/0x220 [ 67.386225][ T6832] ? tcf_action_destroy+0x188/0x1b0 [ 67.391394][ T6832] ? tcf_action_destroy+0x188/0x1b0 [ 67.396564][ T6832] end_report+0x4d/0x53 [ 67.400700][ T6832] kasan_report.cold+0xd/0x37 [ 67.405352][ T6832] ? tcf_action_destroy+0x188/0x1b0 [ 67.410525][ T6832] tcf_action_destroy+0x188/0x1b0 [ 67.415524][ T6832] tcf_action_init+0x29c/0x3d0 [ 67.420290][ T6832] ? tcf_action_init_1+0xac0/0xac0 [ 67.425398][ T6832] tcf_action_add+0xd9/0x360 [ 67.429964][ T6832] ? tca_action_gd+0xe20/0xe20 [ 67.434809][ T6832] ? lock_acquire+0x1f3/0xaf0 [ 67.439479][ T6832] ? bpf_lsm_capable+0x5/0x10 [ 67.444130][ T6832] ? __nla_parse+0x3d/0x4a [ 67.448537][ T6832] tc_ctl_action+0x33a/0x439 [ 67.453129][ T6832] ? tcf_action_add+0x360/0x360 [ 67.457957][ T6832] ? lock_is_held_type+0xbb/0xf0 [ 67.462869][ T6832] ? tcf_action_add+0x360/0x360 [ 67.467710][ T6832] rtnetlink_rcv_msg+0x44e/0xad0 [ 67.472622][ T6832] ? rtnetlink_put_metrics+0x510/0x510 [ 67.478083][ T6832] ? lock_acquire+0x1f3/0xaf0 [ 67.482737][ T6832] ? netlink_deliver_tap+0x146/0xb70 [ 67.488006][ T6832] netlink_rcv_skb+0x15a/0x430 [ 67.492741][ T6832] ? rtnetlink_put_metrics+0x510/0x510 [ 67.498171][ T6832] ? netlink_ack+0xa10/0xa10 [ 67.502753][ T6832] ? __kmalloc_node_track_caller+0x38/0x60 [ 67.508532][ T6832] netlink_unicast+0x533/0x7d0 [ 67.513297][ T6832] ? netlink_attachskb+0x810/0x810 [ 67.518384][ T6832] ? __phys_addr_symbol+0x2c/0x70 [ 67.523380][ T6832] ? __check_object_size+0x171/0x3e4 [ 67.528653][ T6832] netlink_sendmsg+0x856/0xd90 [ 67.533391][ T6832] ? netlink_unicast+0x7d0/0x7d0 [ 67.538304][ T6832] ? bpf_lsm_socket_sendmsg+0x5/0x10 [ 67.543569][ T6832] ? netlink_unicast+0x7d0/0x7d0 [ 67.548480][ T6832] sock_sendmsg+0xcf/0x120 [ 67.552869][ T6832] ____sys_sendmsg+0x6e8/0x810 [ 67.557607][ T6832] ? kernel_sendmsg+0x50/0x50 [ 67.562252][ T6832] ? do_recvmmsg+0x6d0/0x6d0 [ 67.566818][ T6832] ? lockdep_hardirqs_on_prepare+0x530/0x530 [ 67.572769][ T6832] ? lock_is_held_type+0xbb/0xf0 [ 67.577710][ T6832] ? find_held_lock+0x2d/0x110 [ 67.582446][ T6832] ___sys_sendmsg+0xf3/0x170 [ 67.587009][ T6832] ? sendmsg_copy_msghdr+0x160/0x160 [ 67.592272][ T6832] ? __fget_files+0x272/0x400 [ 67.596938][ T6832] ? lock_downgrade+0x830/0x830 [ 67.601761][ T6832] ? do_huge_pmd_anonymous_page+0x8f2/0x2200 [ 67.607741][ T6832] ? __fget_files+0x294/0x400 [ 67.612392][ T6832] ? __fget_light+0xea/0x280 [ 67.616984][ T6832] __sys_sendmsg+0xe5/0x1b0 [ 67.621563][ T6832] ? __sys_sendmsg_sock+0xb0/0xb0 [ 67.626569][ T6832] ? check_preemption_disabled+0x50/0x130 [ 67.632296][ T6832] ? syscall_enter_from_user_mode+0x1d/0x60 [ 67.638200][ T6832] do_syscall_64+0x2d/0x70 [ 67.642594][ T6832] entry_SYSCALL_64_after_hwframe+0x44/0xa9 [ 67.648473][ T6832] RIP: 0033:0x446c69 [ 67.652357][ T6832] Code: e8 5c b3 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 8b 07 fc ff c3 66 2e 0f 1f 84 00 00 00 00 [ 67.671954][ T6832] RSP: 002b:00007f3e9aecbd98 EFLAGS: 00000246 ORIG_RAX: 000000000000002e [ 67.680338][ T6832] RAX: ffffffffffffffda RBX: 00000000006dbc28 RCX: 0000000000446c69 [ 67.688282][ T6832] RDX: 0000000000000000 RSI: 0000000020002980 RDI: 0000000000000003 [ 67.696226][ T6832] RBP: 00000000006dbc20 R08: 0000000000000000 R09: 0000000000000000 [ 67.704176][ T6832] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dbc2c [ 67.712118][ T6832] R13: 0001008400000000 R14: 0000000000000000 R15: 053b003000000098 [ 67.721334][ T6832] Kernel Offset: disabled [ 67.725646][ T6832] Rebooting in 86400 seconds..