Warning: Permanently added '10.128.1.23' (ECDSA) to the list of known hosts.
executing program
syzkaller login:
[  652.803971] ==================================================================
[  652.811423] BUG: KASAN: use-after-free in diAlloc+0xe7e/0x1230
[  652.817388] Read of size 4 at addr ffff8880b305e90c by task syz-executor178/7979
[  652.824910]
[  652.826533] CPU: 0 PID: 7979 Comm: syz-executor178 Not tainted 4.14.295-syzkaller #0
[  652.834399] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/22/2022
[  652.843730] Call Trace:
[  652.846295]  dump_stack+0x1b2/0x281
[  652.849905]  print_address_description.cold+0x54/0x1d3
[  652.855161]  kasan_report_error.cold+0x8a/0x191
[  652.859808]  ? diAlloc+0xe7e/0x1230
[  652.863410]  __asan_report_load4_noabort+0x68/0x70
[  652.868314]  ? diAlloc+0xe7e/0x1230
[  652.871917]  diAlloc+0xe7e/0x1230
[  652.875347]  ? do_raw_spin_unlock+0x164/0x220
[  652.879822]  ialloc+0x7b/0x940
[  652.883004]  jfs_create.part.0+0xf7/0x800
[  652.887127]  ? _raw_spin_unlock+0x29/0x40
[  652.891252]  ? d_splice_alias+0x3f5/0xb10
[  652.895383]  ? jfs_mkdir+0x50/0x50
[  652.898900]  ? jfs_lookup+0x99/0x170
[  652.902601]  ? d_alloc_parallel+0x82e/0x16b0
[  652.906997]  ? __dquot_initialize+0x228/0xa70
[  652.911470]  ? dquot_initialize_needed+0x240/0x240
[  652.916382]  ? param_get_aalockpolicy+0x70/0x70
[  652.921030]  ? map_id_up+0xe9/0x180
[  652.924637]  ? security_inode_permission+0xb5/0xf0
[  652.929544]  jfs_create+0x35/0x50
[  652.932989]  ? jfs_create.part.0+0x800/0x800
[  652.937377]  lookup_open+0x77a/0x1750
[  652.941249]  ? vfs_mkdir+0x6e0/0x6e0
[  652.944944]  path_openat+0xe08/0x2970
[  652.948724]  ? path_lookupat+0x780/0x780
[  652.952761]  ? trace_hardirqs_on+0x10/0x10
[  652.956973]  ? __lock_acquire+0x5fc/0x3f20
[  652.961190]  do_filp_open+0x179/0x3c0
[  652.964963]  ? may_open_dev+0xe0/0xe0
[  652.968739]  ? lock_downgrade+0x740/0x740
[  652.972862]  ? do_raw_spin_unlock+0x164/0x220
[  652.977330]  ? _raw_spin_unlock+0x29/0x40
[  652.981452]  ? __alloc_fd+0x1be/0x490
[  652.985228]  do_sys_open+0x296/0x410
[  652.989006]  ? filp_open+0x60/0x60
[  652.992523]  ? __close_fd+0x159/0x230
[  652.996299]  ? do_syscall_64+0x4c/0x640
[  653.000247]  ? do_sys_open+0x410/0x410
[  653.004108]  do_syscall_64+0x1d5/0x640
[  653.007974]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[  653.013134] RIP: 0033:0x7f04dea49eb9
[  653.016819] RSP: 002b:00007ffdbf2222c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000002
[  653.024505] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f04dea49eb9
[  653.031749] RDX: 0000000000000000 RSI: 0000000000141042 RDI: 0000000020000200
[  653.039006] RBP: 00007f04dea09720 R08: 00005555572832c0 R09: 0000000000000000
[  653.046253] R10: 00007ffdbf222190 R11: 0000000000000246 R12: 0000000200000004
[  653.053501] R13: 0000000000000000 R14: 00080000000000f8 R15: 0000000000000000
[  653.060756]
[  653.062358] Allocated by task 6249:
[  653.065961]  kasan_kmalloc+0xeb/0x160
[  653.069735]  kmem_cache_alloc+0x124/0x3c0
[  653.073856]  skb_clone+0x126/0x9a0
[  653.077370]  netlink_broadcast_filtered+0x815/0x9e0
[  653.082357]  netlink_sendmsg+0x9fd/0xbc0
[  653.086399]  sock_sendmsg+0xb5/0x100
[  653.090088]  ___sys_sendmsg+0x6c8/0x800
[  653.094039]  __sys_sendmsg+0xa3/0x120
[  653.097813]  SyS_sendmsg+0x27/0x40
[  653.101328]  do_syscall_64+0x1d5/0x640
[  653.105193]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[  653.110352]
[  653.111950] Freed by task 6249:
[  653.115203]  kasan_slab_free+0xc3/0x1a0
[  653.119150]  kmem_cache_free+0x7c/0x2b0
[  653.123096]  kfree_skbmem+0x98/0x100
[  653.126789]  kfree_skb+0xf4/0x390
[  653.130215]  netlink_broadcast_filtered+0x575/0x9e0
[  653.135202]  netlink_sendmsg+0x9fd/0xbc0
[  653.139235]  sock_sendmsg+0xb5/0x100
[  653.142920]  ___sys_sendmsg+0x6c8/0x800
[  653.146866]  __sys_sendmsg+0xa3/0x120
[  653.150638]  SyS_sendmsg+0x27/0x40
[  653.154150]  do_syscall_64+0x1d5/0x640
[  653.158011]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[  653.163169]
[  653.164767] The buggy address belongs to the object at ffff8880b305e8c0
[  653.164767]  which belongs to the cache skbuff_head_cache of size 232
[  653.177912] The buggy address is located 76 bytes inside of
[  653.177912]  232-byte region [ffff8880b305e8c0, ffff8880b305e9a8)
[  653.189674] The buggy address belongs to the page:
[  653.194577] page:ffffea0002cc1780 count:1 mapcount:0 mapping:ffff8880b305e000 index:0x0
[  653.202689] flags: 0xfff00000000100(slab)
[  653.206808] raw: 00fff00000000100 ffff8880b305e000 0000000000000000 000000010000000c
[  653.214660] raw: ffffea00026e78a0 ffffea00026ed360 ffff8880b5538900 0000000000000000
[  653.222506] page dumped because: kasan: bad access detected
[  653.228180]
[  653.229777] Memory state around the buggy address:
[  653.234675]  ffff8880b305e800: fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc
[  653.242001]  ffff8880b305e880: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[  653.249338] >ffff8880b305e900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  653.256662]                       ^
[  653.260257]  ffff8880b305e980: fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc
[  653.267585]  ffff8880b305ea00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  653.274911] ==================================================================
[  653.282237] Disabling lock debugging due to kernel taint
[  653.293613] Kernel panic - not syncing: panic_on_warn set ...
[  653.293613]
[  653.300973] CPU: 1 PID: 7979 Comm: syz-executor178 Tainted: G    B   4.14.295-syzkaller #0
[  653.310050] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/22/2022
[  653.319382] Call Trace:
[  653.321943]  dump_stack+0x1b2/0x281
[  653.325541]  panic+0x1f9/0x42d
[  653.328705]  ? add_taint.cold+0x16/0x16
[  653.332649]  ? ___preempt_schedule+0x16/0x18
[  653.337027]  kasan_end_report+0x43/0x49
[  653.340975]  kasan_report_error.cold+0xa7/0x191
[  653.345614]  ? diAlloc+0xe7e/0x1230
[  653.349212]  __asan_report_load4_noabort+0x68/0x70
[  653.354109]  ? diAlloc+0xe7e/0x1230
[  653.357704]  diAlloc+0xe7e/0x1230
[  653.361129]  ? do_raw_spin_unlock+0x164/0x220
[  653.365595]  ialloc+0x7b/0x940
[  653.368760]  jfs_create.part.0+0xf7/0x800
[  653.372877]  ? _raw_spin_unlock+0x29/0x40
[  653.377014]  ? d_splice_alias+0x3f5/0xb10
[  653.381130]  ? jfs_mkdir+0x50/0x50
[  653.384638]  ? jfs_lookup+0x99/0x170
[  653.388321]  ? d_alloc_parallel+0x82e/0x16b0
[  653.392699]  ? __dquot_initialize+0x228/0xa70
[  653.397214]  ? dquot_initialize_needed+0x240/0x240
[  653.402127]  ? param_get_aalockpolicy+0x70/0x70
[  653.406765]  ? map_id_up+0xe9/0x180
[  653.410361]  ? security_inode_permission+0xb5/0xf0
[  653.415260]  jfs_create+0x35/0x50
[  653.418685]  ? jfs_create.part.0+0x800/0x800
[  653.423064]  lookup_open+0x77a/0x1750
[  653.426837]  ? vfs_mkdir+0x6e0/0x6e0
[  653.430524]  path_openat+0xe08/0x2970
[  653.434296]  ? path_lookupat+0x780/0x780
[  653.438325]  ? trace_hardirqs_on+0x10/0x10
[  653.442526]  ? __lock_acquire+0x5fc/0x3f20
[  653.446733]  do_filp_open+0x179/0x3c0
[  653.450506]  ? may_open_dev+0xe0/0xe0
[  653.454283]  ? lock_downgrade+0x740/0x740
[  653.458401]  ? do_raw_spin_unlock+0x164/0x220
[  653.462869]  ? _raw_spin_unlock+0x29/0x40
[  653.466989]  ? __alloc_fd+0x1be/0x490
[  653.470761]  do_sys_open+0x296/0x410
[  653.474443]  ? filp_open+0x60/0x60
[  653.477952]  ? __close_fd+0x159/0x230
[  653.481723]  ? do_syscall_64+0x4c/0x640
[  653.485668]  ? do_sys_open+0x410/0x410
[  653.489525]  do_syscall_64+0x1d5/0x640
[  653.493382]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[  653.498547] RIP: 0033:0x7f04dea49eb9
[  653.502228] RSP: 002b:00007ffdbf2222c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000002
[  653.509906] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f04dea49eb9
[  653.517148] RDX: 0000000000000000 RSI: 0000000000141042 RDI: 0000000020000200
[  653.524388] RBP: 00007f04dea09720 R08: 00005555572832c0 R09: 0000000000000000
[  653.531626] R10: 00007ffdbf222190 R11: 0000000000000246 R12: 0000000200000004
[  653.538866] R13: 0000000000000000 R14: 00080000000000f8 R15: 0000000000000000
[  653.546180] Kernel Offset: disabled
[  653.549779] Rebooting in 86400 seconds..
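A KASAN report carries everything a first triage pass needs, but it is spread over four sections, and the three numbers it gives for the same fact (the faulting address, the object start, and the "N bytes inside" offset) should agree before the headline is trusted. The script below is an added example, not part of syzkaller or the kernel: it strips the printk timestamps, pulls out the bug header, the access line, the reliable frames of the three stacks (dropping the `?` frames and the reporting machinery), the slab cache and object offset, and the shadow byte covering the faulting address, then cross-checks them. The embedded input is excerpted from the report above, abbreviated to the lines the parser needs; the shadow-byte meanings follow mm/kasan/kasan.h of the 4.14 series, and the `MACHINERY` prefix list is this example's own heuristic.

```python
"""Extract the triage fields from a KASAN report like the one above.

Added example, not syzkaller or kernel code. REPORT is excerpted from the
report on this page (abbreviated to the lines the parser needs); the shadow
byte table follows mm/kasan/kasan.h of the 4.14 series.
"""
import re

REPORT = """\
[  652.811423] BUG: KASAN: use-after-free in diAlloc+0xe7e/0x1230
[  652.817388] Read of size 4 at addr ffff8880b305e90c by task syz-executor178/7979
[  652.843730] Call Trace:
[  652.846295]  dump_stack+0x1b2/0x281
[  652.849905]  print_address_description.cold+0x54/0x1d3
[  652.855161]  kasan_report_error.cold+0x8a/0x191
[  652.859808]  ? diAlloc+0xe7e/0x1230
[  652.863410]  __asan_report_load4_noabort+0x68/0x70
[  652.871917]  diAlloc+0xe7e/0x1230
[  652.875347]  ? do_raw_spin_unlock+0x164/0x220
[  652.879822]  ialloc+0x7b/0x940
[  652.883004]  jfs_create.part.0+0xf7/0x800
[  652.929544]  jfs_create+0x35/0x50
[  653.013134] RIP: 0033:0x7f04dea49eb9
[  653.062358] Allocated by task 6249:
[  653.065961]  kasan_kmalloc+0xeb/0x160
[  653.069735]  kmem_cache_alloc+0x124/0x3c0
[  653.073856]  skb_clone+0x126/0x9a0
[  653.077370]  netlink_broadcast_filtered+0x815/0x9e0
[  653.110352]
[  653.111950] Freed by task 6249:
[  653.115203]  kasan_slab_free+0xc3/0x1a0
[  653.119150]  kmem_cache_free+0x7c/0x2b0
[  653.123096]  kfree_skbmem+0x98/0x100
[  653.126789]  kfree_skb+0xf4/0x390
[  653.130215]  netlink_broadcast_filtered+0x575/0x9e0
[  653.163169]
[  653.164767] The buggy address belongs to the object at ffff8880b305e8c0
[  653.164767]  which belongs to the cache skbuff_head_cache of size 232
[  653.177912] The buggy address is located 76 bytes inside of
[  653.177912]  232-byte region [ffff8880b305e8c0, ffff8880b305e9a8)
[  653.242001]  ffff8880b305e880: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[  653.249338] >ffff8880b305e900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
"""

TS = re.compile(r"^\[\s*\d+\.\d+\]\s?")  # printk timestamp prefix
BUG = re.compile(r"BUG: KASAN: (?P<kind>[\w-]+) in (?P<func>[\w.]+)\+0x")
ACCESS = re.compile(r"(?P<rw>Read|Write) of size (?P<size>\d+) at addr (?P<addr>[0-9a-f]+)"
                    r" by task (?P<task>\S+)/(?P<pid>\d+)")
CACHE = re.compile(r"cache (?P<cache>\S+) of size (?P<csize>\d+)")
# The offset and the region are printed on two lines; newer kernels insert "freed".
REGION = re.compile(r"(?P<off>\d+) bytes inside of\s+(?:freed )?(?P<rsize>\d+)-byte region"
                    r" \[(?P<start>[0-9a-f]+), (?P<end>[0-9a-f]+)\)")
SECTION = re.compile(r"^(?:(?P<trace>Call Trace:)|(?P<which>Allocated|Freed) by task \d+:)$")
FRAME = re.compile(r"^\s*(?P<unreliable>\? )?(?P<sym>[\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+$")
SHADOW_ROW = re.compile(r"^[> ](?P<row>[0-9a-f]{16}): (?P<bytes>(?:[0-9a-f]{2} ?){16})$")
# Reporting and allocator machinery (heuristic); the first frame after it is the site of interest.
MACHINERY = ("dump_stack", "print_address_description", "kasan_", "__asan_", "kmem_cache_")


def shadow_meaning(val):
    """Decode one shadow byte (8 bytes of memory each), per 4.14 mm/kasan/kasan.h."""
    table = {0x00: "accessible", 0xfb: "freed slab object", 0xfc: "kmalloc redzone",
             0xfa: "global redzone", 0xfe: "page redzone", 0xff: "free page"}
    if 1 <= val <= 7:
        return "first %d bytes accessible" % val
    return table.get(val, "other poison 0x%02x" % val)


def parse_kasan(text):
    lines = [TS.sub("", ln).rstrip() for ln in text.splitlines()]
    flat = "\n".join(lines)
    bug, acc = BUG.search(flat), ACCESS.search(flat)
    cache, region = CACHE.search(flat), REGION.search(flat)
    addr = int(acc["addr"], 16)

    # Stack sections: keep reliable frames only, minus the reporting machinery.
    stacks, cur = {"trace": [], "alloc": [], "free": []}, None
    for ln in lines:
        s = SECTION.match(ln)
        if s:
            cur = "trace" if s["trace"] else {"Allocated": "alloc", "Freed": "free"}[s["which"]]
            continue
        f = FRAME.match(ln) if cur else None
        if cur and f is None:  # a blank line or the "RIP:" line ends the section
            cur = None
        elif f and not (f["unreliable"] or f["sym"].startswith(MACHINERY)):
            stacks[cur].append(f["sym"])

    # Shadow byte covering the faulting address: each printed row spans 16 * 8 bytes.
    shadow = None
    for ln in lines:
        r = SHADOW_ROW.match(ln)
        if r and int(r["row"], 16) <= addr < int(r["row"], 16) + 128:
            val = int(r["bytes"].split()[(addr - int(r["row"], 16)) // 8], 16)
            shadow = (val, shadow_meaning(val))

    # Cross-check the report against itself before trusting the one-line summary.
    start, end = int(region["start"], 16), int(region["end"], 16)
    consistent = (addr - start == int(region["off"])
                  and end - start == int(region["rsize"]) == int(cache["csize"])
                  and stacks["trace"][:1] == [bug["func"]])
    return {"kind": bug["kind"], "func": bug["func"], "access": (acc["rw"], int(acc["size"])),
            "addr": addr, "task": (acc["task"], int(acc["pid"])), "cache": cache["cache"],
            "object_offset": addr - start, "stacks": stacks, "shadow": shadow,
            "consistent": consistent}


if __name__ == "__main__":
    r = parse_kasan(REPORT)
    print(f"{r['kind']}: {r['access'][0]} of {r['access'][1]} bytes in {r['func']} at "
          f"{r['cache']}+{r['object_offset']} (shadow: {r['shadow'][1]}); "
          f"alloc {r['stacks']['alloc'][0]}, free {r['stacks']['free'][0]}; ok={r['consistent']}")
```

Run against the excerpt, the parser reports a 4-byte read by `diAlloc` at offset 76 of a 232-byte `skbuff_head_cache` object that was allocated by `skb_clone` and freed under `kfree_skb` in `netlink_broadcast_filtered`, with shadow byte `fb` (freed slab object) at the faulting address and all three size/offset cross-checks holding. The useful triage observation is that the object's allocate/free history belongs to netlink, not to JFS: the slab slot has simply been recycled, and the report cannot say where JFS obtained a pointer into it. That has to come from the reproducer and from the JFS source at `diAlloc+0xe7e`.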