Warning: Permanently added '10.128.0.61' (ECDSA) to the list of known hosts.
executing program
executing program
executing program
executing program
executing program
executing program
syzkaller login: [ 38.596101] ==================================================================
[ 38.603606] BUG: KASAN: use-after-free in __list_del_entry_valid+0xcc/0xf0
[ 38.610621] Read of size 8 at addr ffff8880a6d8fac8 by task syz-executor217/8139
[ 38.618147]
[ 38.619854] CPU: 1 PID: 8139 Comm: syz-executor217 Not tainted 4.19.211-syzkaller #0
[ 38.627734] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/22/2022
[ 38.637078] Call Trace:
[ 38.639669]  dump_stack+0x1fc/0x2ef
[ 38.643303]  print_address_description.cold+0x54/0x219
[ 38.648572]  kasan_report_error.cold+0x8a/0x1b9
[ 38.653229]  ? __list_del_entry_valid+0xcc/0xf0
[ 38.657884]  __asan_report_load8_noabort+0x88/0x90
[ 38.662801]  ? __list_del_entry_valid+0xcc/0xf0
[ 38.667451]  __list_del_entry_valid+0xcc/0xf0
[ 38.671930]  __nf_tables_abort+0x1fde/0x2ca0
[ 38.676324]  ? rcu_read_lock_sched_held+0x16c/0x1d0
[ 38.681324]  nf_tables_abort+0x13/0x30
[ 38.685200]  nfnetlink_rcv_batch+0xb66/0x1df0
[ 38.689688]  ? nfnetlink_bind+0x2b0/0x2b0
[ 38.693835]  ? apparmor_capable+0x147/0x750
[ 38.698138]  ? apparmor_capable+0x147/0x750
[ 38.702450]  ? apparmor_sb_mount+0x970/0x970
[ 38.706843]  ? apparmor_sb_mount+0x970/0x970
[ 38.711234]  ? lock_downgrade+0x720/0x720
[ 38.715369]  ? cap_capable+0x1eb/0x250
[ 38.719238]  ? security_capable+0x8f/0xc0
[ 38.723394]  ? memset+0x20/0x40
[ 38.726741]  ? nla_parse+0x1b2/0x290
[ 38.730460]  nfnetlink_rcv+0x3b5/0x420
[ 38.734353]  ? nfnetlink_rcv_batch+0x1df0/0x1df0
[ 38.739292]  netlink_unicast+0x4d5/0x690
[ 38.743337]  ? netlink_sendskb+0x110/0x110
[ 38.747553]  ? _copy_from_iter_full+0x229/0x7c0
[ 38.752201]  ? __phys_addr_symbol+0x2c/0x70
[ 38.756507]  ? __check_object_size+0x17b/0x3e0
[ 38.761072]  netlink_sendmsg+0x6c3/0xc50
[ 38.765125]  ? aa_af_perm+0x230/0x230
[ 38.768919]  ? nlmsg_notify+0x1f0/0x1f0
[ 38.772880]  ? kernel_recvmsg+0x220/0x220
[ 38.777015]  ? nlmsg_notify+0x1f0/0x1f0
[ 38.780979]  sock_sendmsg+0xc3/0x120
[ 38.784673]  ___sys_sendmsg+0x7bb/0x8e0
[ 38.788627]  ? copy_msghdr_from_user+0x440/0x440
[ 38.793367]  ? do_huge_pmd_anonymous_page+0x935/0x1e60
[ 38.798623]  ? __fget+0x32f/0x510
[ 38.802059]  ? lock_downgrade+0x720/0x720
[ 38.806189]  ? check_preemption_disabled+0x41/0x280
[ 38.811184]  ? check_preemption_disabled+0x41/0x280
[ 38.816184]  ? __fget+0x356/0x510
[ 38.819617]  ? do_dup2+0x450/0x450
[ 38.823147]  ? __fdget+0x1d0/0x230
[ 38.826761]  __x64_sys_sendmsg+0x132/0x220
[ 38.830976]  ? __sys_sendmsg+0x1b0/0x1b0
[ 38.835022]  ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[ 38.840366]  ? trace_hardirqs_off_caller+0x6e/0x210
[ 38.845365]  ? do_syscall_64+0x21/0x620
[ 38.849320]  do_syscall_64+0xf9/0x620
[ 38.853105]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 38.858281] RIP: 0033:0x7ff474625bb9
[ 38.861976] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 11 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
[ 38.880856] RSP: 002b:00007ff4745d7318 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 38.888545] RAX: ffffffffffffffda RBX: 00007ff4746ad408 RCX: 00007ff474625bb9
[ 38.895794] RDX: 0000000000000000 RSI: 0000000020000280 RDI: 0000000000000003
[ 38.903044] RBP: 00007ff4746ad400 R08: 0000000000000000 R09: 0000000000000000
[ 38.910293] R10: 0000000000000000 R11: 0000000000000246 R12: 00007ff4746ad40c
[ 38.917545] R13: 00007ffe9a04582f R14: 00007ff4745d7400 R15: 0000000000022000
[ 38.924802]
[ 38.926413] Allocated by task 8139:
[ 38.930023]  kmem_cache_alloc_trace+0x12f/0x380
[ 38.934673]  nf_tables_newtable+0xad9/0x1620
[ 38.939062]  nfnetlink_rcv_batch+0x10d5/0x1df0
[ 38.943623]  nfnetlink_rcv+0x3b5/0x420
[ 38.947493]  netlink_unicast+0x4d5/0x690
[ 38.951533]  netlink_sendmsg+0x6c3/0xc50
[ 38.955573]  sock_sendmsg+0xc3/0x120
[ 38.959265]  ___sys_sendmsg+0x7bb/0x8e0
[ 38.963220]  __x64_sys_sendmsg+0x132/0x220
[ 38.967433]  do_syscall_64+0xf9/0x620
[ 38.971213]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 38.976394]
[ 38.978002] Freed by task 8160:
[ 38.981263]  kfree+0xcc/0x210
[ 38.984349]  nf_tables_table_destroy+0xee/0x130
[ 38.989000]  nf_tables_commit+0x2aba/0x57f0
[ 38.993303]  nfnetlink_rcv_batch+0xe22/0x1df0
[ 38.997778]  nfnetlink_rcv+0x3b5/0x420
[ 39.001644]  netlink_unicast+0x4d5/0x690
[ 39.005681]  netlink_sendmsg+0x6c3/0xc50
[ 39.009742]  sock_sendmsg+0xc3/0x120
[ 39.013444]  ___sys_sendmsg+0x7bb/0x8e0
[ 39.017396]  __x64_sys_sendmsg+0x132/0x220
[ 39.021622]  do_syscall_64+0xf9/0x620
[ 39.025415]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 39.030580]
[ 39.032194] The buggy address belongs to the object at ffff8880a6d8fac0
[ 39.032194]  which belongs to the cache kmalloc-512 of size 512
[ 39.044835] The buggy address is located 8 bytes inside of
[ 39.044835]  512-byte region [ffff8880a6d8fac0, ffff8880a6d8fcc0)
[ 39.056612] The buggy address belongs to the page:
[ 39.061533] page:ffffea00029b63c0 count:1 mapcount:0 mapping:ffff88813bff0940 index:0x0
[ 39.069673] flags: 0xfff00000000100(slab)
[ 39.073809] raw: 00fff00000000100 ffffea0002a36648 ffffea00029b5f88 ffff88813bff0940
[ 39.081760] raw: 0000000000000000 ffff8880a6d8f0c0 0000000100000006 0000000000000000
[ 39.089614] page dumped because: kasan: bad access detected
[ 39.095301]
[ 39.096905] Memory state around the buggy address:
[ 39.101812]  ffff8880a6d8f980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 39.109151]  ffff8880a6d8fa00: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 39.116516] >ffff8880a6d8fa80: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 39.123849]                                               ^
[ 39.129539]  ffff8880a6d8fb00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 39.136875]  ffff8880a6d8fb80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 39.144208] ==================================================================
[ 39.151637] Disabling lock debugging due to kernel taint
[ 39.158081] Kernel panic - not syncing: panic_on_warn set ...
[ 39.158081]
[ 39.165553] CPU: 0 PID: 8139 Comm: syz-executor217 Tainted: G B 4.19.211-syzkaller #0
[ 39.174820] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/22/2022
[ 39.184166] Call Trace:
[ 39.186757]  dump_stack+0x1fc/0x2ef
[ 39.190385]  panic+0x26a/0x50e
[ 39.193579]  ? __warn_printk+0xf3/0xf3
[ 39.197466]  ? preempt_schedule_common+0x45/0xc0
[ 39.202213]  ? ___preempt_schedule+0x16/0x18
[ 39.206605]  ? trace_hardirqs_on+0x55/0x210
[ 39.210920]  kasan_end_report+0x43/0x49
[ 39.214874]  kasan_report_error.cold+0xa7/0x1b9
[ 39.219520]  ? __list_del_entry_valid+0xcc/0xf0
[ 39.224170]  __asan_report_load8_noabort+0x88/0x90
[ 39.229084]  ? __list_del_entry_valid+0xcc/0xf0
[ 39.233735]  __list_del_entry_valid+0xcc/0xf0
[ 39.238238]  __nf_tables_abort+0x1fde/0x2ca0
[ 39.242634]  ? rcu_read_lock_sched_held+0x16c/0x1d0
[ 39.247632]  nf_tables_abort+0x13/0x30
[ 39.251499]  nfnetlink_rcv_batch+0xb66/0x1df0
[ 39.255991]  ? nfnetlink_bind+0x2b0/0x2b0
[ 39.260134]  ? apparmor_capable+0x147/0x750
[ 39.264438]  ? apparmor_capable+0x147/0x750
[ 39.268743]  ? apparmor_sb_mount+0x970/0x970
[ 39.273131]  ? apparmor_sb_mount+0x970/0x970
[ 39.277540]  ? lock_downgrade+0x720/0x720
[ 39.281669]  ? cap_capable+0x1eb/0x250
[ 39.285546]  ? security_capable+0x8f/0xc0
[ 39.289697]  ? memset+0x20/0x40
[ 39.292959]  ? nla_parse+0x1b2/0x290
[ 39.296655]  nfnetlink_rcv+0x3b5/0x420
[ 39.300541]  ? nfnetlink_rcv_batch+0x1df0/0x1df0
[ 39.305285]  netlink_unicast+0x4d5/0x690
[ 39.309329]  ? netlink_sendskb+0x110/0x110
[ 39.313548]  ? _copy_from_iter_full+0x229/0x7c0
[ 39.318204]  ? __phys_addr_symbol+0x2c/0x70
[ 39.322520]  ? __check_object_size+0x17b/0x3e0
[ 39.327088]  netlink_sendmsg+0x6c3/0xc50
[ 39.331148]  ? aa_af_perm+0x230/0x230
[ 39.334939]  ? nlmsg_notify+0x1f0/0x1f0
[ 39.338903]  ? kernel_recvmsg+0x220/0x220
[ 39.343033]  ? nlmsg_notify+0x1f0/0x1f0
[ 39.346999]  sock_sendmsg+0xc3/0x120
[ 39.350708]  ___sys_sendmsg+0x7bb/0x8e0
[ 39.354669]  ? copy_msghdr_from_user+0x440/0x440
[ 39.359405]  ? do_huge_pmd_anonymous_page+0x935/0x1e60
[ 39.364671]  ? __fget+0x32f/0x510
[ 39.368115]  ? lock_downgrade+0x720/0x720
[ 39.372343]  ? check_preemption_disabled+0x41/0x280
[ 39.377345]  ? check_preemption_disabled+0x41/0x280
[ 39.382541]  ? __fget+0x356/0x510
[ 39.385977]  ? do_dup2+0x450/0x450
[ 39.389498]  ? __fdget+0x1d0/0x230
[ 39.393019]  __x64_sys_sendmsg+0x132/0x220
[ 39.397237]  ? __sys_sendmsg+0x1b0/0x1b0
[ 39.401285]  ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[ 39.406634]  ? trace_hardirqs_off_caller+0x6e/0x210
[ 39.411631]  ? do_syscall_64+0x21/0x620
[ 39.415588]  do_syscall_64+0xf9/0x620
[ 39.419379]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 39.424551] RIP: 0033:0x7ff474625bb9
[ 39.428258] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 11 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
[ 39.447149] RSP: 002b:00007ff4745d7318 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 39.454838] RAX: ffffffffffffffda RBX: 00007ff4746ad408 RCX: 00007ff474625bb9
[ 39.462088] RDX: 0000000000000000 RSI: 0000000020000280 RDI: 0000000000000003
[ 39.469343] RBP: 00007ff4746ad400 R08: 0000000000000000 R09: 0000000000000000
[ 39.476691] R10: 0000000000000000 R11: 0000000000000246 R12: 00007ff4746ad40c
[ 39.483943] R13: 00007ffe9a04582f R14: 00007ff4745d7400 R15: 0000000000022000
[ 39.491451] Kernel Offset: disabled
[ 39.495063] Rebooting in 86400 seconds..