Warning: Permanently added '10.128.0.55' (ECDSA) to the list of known hosts.
executing program
executing program
syzkaller login: [ 81.931832][ T9829] ==================================================================
[ 81.940170][ T9829] BUG: KASAN: use-after-free in bitmap_port_ext_cleanup+0xe6/0x2a0
[ 81.948151][ T9829] Read of size 8 at addr ffff8880961b7ac0 by task syz-executor097/9829
[ 81.956399][ T9829]
[ 81.958722][ T9829] CPU: 1 PID: 9829 Comm: syz-executor097 Not tainted 5.5.0-rc5-syzkaller #0
[ 81.967524][ T9829] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 81.977586][ T9829] Call Trace:
[ 81.980876][ T9829] dump_stack+0x197/0x210
[ 81.985397][ T9829] ? bitmap_port_ext_cleanup+0xe6/0x2a0
[ 81.990967][ T9829] print_address_description.constprop.0.cold+0xd4/0x30b
[ 81.998150][ T9829] ? bitmap_port_ext_cleanup+0xe6/0x2a0
[ 82.003690][ T9829] ? bitmap_port_ext_cleanup+0xe6/0x2a0
[ 82.009492][ T9829] __kasan_report.cold+0x1b/0x41
[ 82.014519][ T9829] ? kfree+0x190/0x2c0
[ 82.018584][ T9829] ? bitmap_port_ext_cleanup+0xe6/0x2a0
[ 82.024120][ T9829] kasan_report+0x12/0x20
[ 82.028593][ T9829] check_memory_region+0x134/0x1a0
[ 82.033693][ T9829] __kasan_check_read+0x11/0x20
[ 82.038536][ T9829] bitmap_port_ext_cleanup+0xe6/0x2a0
[ 82.044075][ T9829] bitmap_port_destroy+0x17c/0x1d0
[ 82.049180][ T9829] ip_set_create+0xe47/0x1500
[ 82.053860][ T9829] ? ip_set_destroy+0xb70/0xb70
[ 82.058766][ T9829] ? ip_set_destroy+0xb70/0xb70
[ 82.063683][ T9829] nfnetlink_rcv_msg+0xcf2/0xfb0
[ 82.068628][ T9829] ? nfnetlink_bind+0x2c0/0x2c0
[ 82.073484][ T9829] ? __kasan_check_read+0x11/0x20
[ 82.078501][ T9829] ? __lock_acquire+0x8a0/0x4a00
[ 82.083431][ T9829] ? save_stack+0x5c/0x90
[ 82.087820][ T9829] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 82.094436][ T9829] ? apparmor_capable+0x497/0x900
[ 82.099456][ T9829] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 82.105691][ T9829] ? __kasan_check_read+0x11/0x20
[ 82.110721][ T9829] ? apparmor_cred_prepare+0x7b0/0x7b0
[ 82.116188][ T9829] netlink_rcv_skb+0x177/0x450
[ 82.121036][ T9829] ? nfnetlink_bind+0x2c0/0x2c0
[ 82.126234][ T9829] ? netlink_ack+0xb50/0xb50
[ 82.130844][ T9829] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 82.137090][ T9829] ? ns_capable_common+0x93/0x100
[ 82.142691][ T9829] ? ns_capable+0x20/0x30
[ 82.147014][ T9829] ? __netlink_ns_capable+0x104/0x140
[ 82.152441][ T9829] nfnetlink_rcv+0x1ba/0x460
[ 82.157031][ T9829] ? nfnetlink_rcv_batch+0x17a0/0x17a0
[ 82.162523][ T9829] ? netlink_deliver_tap+0x24a/0xbf0
[ 82.167807][ T9829] ? __kasan_check_write+0x14/0x20
[ 82.173022][ T9829] netlink_unicast+0x59e/0x7e0
[ 82.177823][ T9829] ? netlink_attachskb+0x870/0x870
[ 82.183103][ T9829] ? __sanitizer_cov_trace_cmp8+0x18/0x20
[ 82.188975][ T9829] ? __check_object_size+0x3d/0x437
[ 82.194198][ T9829] netlink_sendmsg+0x91c/0xea0
[ 82.199081][ T9829] ? netlink_unicast+0x7e0/0x7e0
[ 82.204470][ T9829] ? aa_sock_msg_perm.isra.0+0xba/0x170
[ 82.210144][ T9829] ? apparmor_socket_sendmsg+0x2a/0x30
[ 82.215742][ T9829] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 82.222095][ T9829] ? security_socket_sendmsg+0x8d/0xc0
[ 82.227552][ T9829] ? netlink_unicast+0x7e0/0x7e0
[ 82.232596][ T9829] sock_sendmsg+0xd7/0x130
[ 82.237218][ T9829] ____sys_sendmsg+0x753/0x880
[ 82.241976][ T9829] ? kernel_sendmsg+0x50/0x50
[ 82.246672][ T9829] ? mark_held_locks+0xa4/0xf0
[ 82.251428][ T9829] ? do_huge_pmd_anonymous_page+0x1463/0x1a50
[ 82.257584][ T9829] ? __handle_mm_fault+0x3145/0x3cc0
[ 82.262860][ T9829] ? do_huge_pmd_anonymous_page+0x1463/0x1a50
[ 82.268943][ T9829] ___sys_sendmsg+0x100/0x170
[ 82.273645][ T9829] ? do_huge_pmd_anonymous_page+0xceb/0x1a50
[ 82.279627][ T9829] ? sendmsg_copy_msghdr+0x70/0x70
[ 82.284735][ T9829] ? __do_page_fault+0x56a/0xd80
[ 82.289685][ T9829] ? find_held_lock+0x35/0x130
[ 82.294451][ T9829] ? __do_page_fault+0x56a/0xd80
[ 82.299387][ T9829] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 82.305626][ T9829] ? __fget_light+0x1a9/0x230
[ 82.310450][ T9829] ? __fdget+0x1b/0x20
[ 82.314521][ T9829] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 82.320776][ T9829] __sys_sendmsg+0x105/0x1d0
[ 82.325366][ T9829] ? __sys_sendmsg_sock+0xc0/0xc0
[ 82.330436][ T9829] ? down_read_non_owner+0x490/0x490
[ 82.335810][ T9829] ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 82.341260][ T9829] ? do_syscall_64+0x26/0x790
[ 82.346053][ T9829] ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 82.352242][ T9829] ? do_syscall_64+0x26/0x790
[ 82.356977][ T9829] __x64_sys_sendmsg+0x78/0xb0
[ 82.361902][ T9829] do_syscall_64+0xfa/0x790
[ 82.366509][ T9829] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 82.372509][ T9829] RIP: 0033:0x441399
[ 82.376507][ T9829] Code: e8 fc ab 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 9b 09 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 82.396332][ T9829] RSP: 002b:00007ffdc9133778 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 82.404745][ T9829] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000441399
[ 82.413013][ T9829] RDX: 0000000000000000 RSI: 0000000020001080 RDI: 0000000000000003
[ 82.420987][ T9829] RBP: 0000000000013fe2 R08: 00000000004002c8 R09: 00000000004002c8
[ 82.428985][ T9829] R10: 0000000000000004 R11: 0000000000000246 R12: 00000000004021c0
[ 82.436972][ T9829] R13: 0000000000402250 R14: 0000000000000000 R15: 0000000000000000
[ 82.444970][ T9829]
[ 82.447305][ T9829] Allocated by task 9829:
[ 82.451644][ T9829] save_stack+0x23/0x90
[ 82.455793][ T9829] __kasan_kmalloc.constprop.0+0xcf/0xe0
[ 82.461419][ T9829] kasan_kmalloc+0x9/0x10
[ 82.465750][ T9829] __kmalloc+0x163/0x770
[ 82.470083][ T9829] ip_set_alloc+0x38/0x5e
[ 82.474629][ T9829] bitmap_port_create+0x3dc/0x7c0
[ 82.479653][ T9829] ip_set_create+0x6f1/0x1500
[ 82.484329][ T9829] nfnetlink_rcv_msg+0xcf2/0xfb0
[ 82.489291][ T9829] netlink_rcv_skb+0x177/0x450
[ 82.494168][ T9829] nfnetlink_rcv+0x1ba/0x460
[ 82.499219][ T9829] netlink_unicast+0x59e/0x7e0
[ 82.504091][ T9829] netlink_sendmsg+0x91c/0xea0
[ 82.508956][ T9829] sock_sendmsg+0xd7/0x130
[ 82.513539][ T9829] ____sys_sendmsg+0x753/0x880
[ 82.519071][ T9829] ___sys_sendmsg+0x100/0x170
[ 82.523758][ T9829] __sys_sendmsg+0x105/0x1d0
[ 82.528345][ T9829] __x64_sys_sendmsg+0x78/0xb0
[ 82.533105][ T9829] do_syscall_64+0xfa/0x790
[ 82.537674][ T9829] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 82.543568][ T9829]
[ 82.545887][ T9829] Freed by task 9829:
[ 82.549865][ T9829] save_stack+0x23/0x90
[ 82.554015][ T9829] __kasan_slab_free+0x102/0x150
[ 82.558956][ T9829] kasan_slab_free+0xe/0x10
[ 82.563511][ T9829] kfree+0x10a/0x2c0
[ 82.567414][ T9829] kvfree+0x61/0x70
[ 82.571227][ T9829] ip_set_free+0x16/0x20
[ 82.575598][ T9829] bitmap_port_destroy+0xae/0x1d0
[ 82.580691][ T9829] ip_set_create+0xe47/0x1500
[ 82.585517][ T9829] nfnetlink_rcv_msg+0xcf2/0xfb0
[ 82.590441][ T9829] netlink_rcv_skb+0x177/0x450
[ 82.595197][ T9829] nfnetlink_rcv+0x1ba/0x460
[ 82.599799][ T9829] netlink_unicast+0x59e/0x7e0
[ 82.604557][ T9829] netlink_sendmsg+0x91c/0xea0
[ 82.609317][ T9829] sock_sendmsg+0xd7/0x130
[ 82.613829][ T9829] ____sys_sendmsg+0x753/0x880
[ 82.618604][ T9829] ___sys_sendmsg+0x100/0x170
[ 82.623558][ T9829] __sys_sendmsg+0x105/0x1d0
[ 82.628142][ T9829] __x64_sys_sendmsg+0x78/0xb0
[ 82.632954][ T9829] do_syscall_64+0xfa/0x790
[ 82.637708][ T9829] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 82.643699][ T9829]
[ 82.646018][ T9829] The buggy address belongs to the object at ffff8880961b7ac0
[ 82.646018][ T9829] which belongs to the cache kmalloc-32 of size 32
[ 82.659987][ T9829] The buggy address is located 0 bytes inside of
[ 82.659987][ T9829] 32-byte region [ffff8880961b7ac0, ffff8880961b7ae0)
[ 82.673114][ T9829] The buggy address belongs to the page:
[ 82.678743][ T9829] page:ffffea0002586dc0 refcount:1 mapcount:0 mapping:ffff8880aa4001c0 index:0xffff8880961b7fc1
[ 82.689167][ T9829] raw: 00fffe0000000200 ffffea00028b9f88 ffffea0002512448 ffff8880aa4001c0
[ 82.697749][ T9829] raw: ffff8880961b7fc1 ffff8880961b7000 0000000100000015 0000000000000000
[ 82.706319][ T9829] page dumped because: kasan: bad access detected
[ 82.712726][ T9829]
[ 82.715049][ T9829] Memory state around the buggy address:
[ 82.720671][ T9829] ffff8880961b7980: fb fb fb fb fc fc fc fc 00 03 fc fc fc fc fc fc
[ 82.728851][ T9829] ffff8880961b7a00: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[ 82.737040][ T9829] >ffff8880961b7a80: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[ 82.745278][ T9829] ^
[ 82.751422][ T9829] ffff8880961b7b00: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[ 82.759569][ T9829] ffff8880961b7b80: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[ 82.767744][ T9829] ==================================================================
[ 82.775847][ T9829] Disabling lock debugging due to kernel taint
[ 82.784415][ T9829] Kernel panic - not syncing: panic_on_warn set ...
[ 82.791175][ T9829] CPU: 1 PID: 9829 Comm: syz-executor097 Tainted: G B 5.5.0-rc5-syzkaller #0
[ 82.801532][ T9829] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 82.811593][ T9829] Call Trace:
[ 82.814881][ T9829] dump_stack+0x197/0x210
[ 82.819205][ T9829] panic+0x2e3/0x75c
[ 82.823123][ T9829] ? add_taint.cold+0x16/0x16
[ 82.827801][ T9829] ? bitmap_port_ext_cleanup+0xe6/0x2a0
[ 82.833775][ T9829] ? preempt_schedule+0x4b/0x60
[ 82.838735][ T9829] ? ___preempt_schedule+0x16/0x18
[ 82.843850][ T9829] ? trace_hardirqs_on+0x5e/0x240
[ 82.849297][ T9829] ? bitmap_port_ext_cleanup+0xe6/0x2a0
[ 82.854843][ T9829] end_report+0x47/0x4f
[ 82.859154][ T9829] ? bitmap_port_ext_cleanup+0xe6/0x2a0
[ 82.864713][ T9829] __kasan_report.cold+0xe/0x41
[ 82.869577][ T9829] ? kfree+0x190/0x2c0
[ 82.873909][ T9829] ? bitmap_port_ext_cleanup+0xe6/0x2a0
[ 82.879454][ T9829] kasan_report+0x12/0x20
[ 82.884297][ T9829] check_memory_region+0x134/0x1a0
[ 82.889403][ T9829] __kasan_check_read+0x11/0x20
[ 82.894254][ T9829] bitmap_port_ext_cleanup+0xe6/0x2a0
[ 82.899616][ T9829] bitmap_port_destroy+0x17c/0x1d0
[ 82.904772][ T9829] ip_set_create+0xe47/0x1500
[ 82.909485][ T9829] ? ip_set_destroy+0xb70/0xb70
[ 82.914513][ T9829] ? ip_set_destroy+0xb70/0xb70
[ 82.919353][ T9829] nfnetlink_rcv_msg+0xcf2/0xfb0
[ 82.924472][ T9829] ? nfnetlink_bind+0x2c0/0x2c0
[ 82.929420][ T9829] ? __kasan_check_read+0x11/0x20
[ 82.934440][ T9829] ? __lock_acquire+0x8a0/0x4a00
[ 82.939542][ T9829] ? save_stack+0x5c/0x90
[ 82.943863][ T9829] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 82.950201][ T9829] ? apparmor_capable+0x497/0x900
[ 82.955225][ T9829] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 82.961461][ T9829] ? __kasan_check_read+0x11/0x20
[ 82.966479][ T9829] ? apparmor_cred_prepare+0x7b0/0x7b0
[ 82.971935][ T9829] netlink_rcv_skb+0x177/0x450
[ 82.976691][ T9829] ? nfnetlink_bind+0x2c0/0x2c0
[ 82.981698][ T9829] ? netlink_ack+0xb50/0xb50
[ 82.986278][ T9829] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 82.992521][ T9829] ? ns_capable_common+0x93/0x100
[ 82.997538][ T9829] ? ns_capable+0x20/0x30
[ 83.001860][ T9829] ? __netlink_ns_capable+0x104/0x140
[ 83.007451][ T9829] nfnetlink_rcv+0x1ba/0x460
[ 83.012046][ T9829] ? nfnetlink_rcv_batch+0x17a0/0x17a0
[ 83.017708][ T9829] ? netlink_deliver_tap+0x24a/0xbf0
[ 83.023044][ T9829] ? __kasan_check_write+0x14/0x20
[ 83.028208][ T9829] netlink_unicast+0x59e/0x7e0
[ 83.032965][ T9829] ? netlink_attachskb+0x870/0x870
[ 83.038070][ T9829] ? __sanitizer_cov_trace_cmp8+0x18/0x20
[ 83.043781][ T9829] ? __check_object_size+0x3d/0x437
[ 83.049320][ T9829] netlink_sendmsg+0x91c/0xea0
[ 83.054170][ T9829] ? netlink_unicast+0x7e0/0x7e0
[ 83.059099][ T9829] ? aa_sock_msg_perm.isra.0+0xba/0x170
[ 83.064638][ T9829] ? apparmor_socket_sendmsg+0x2a/0x30
[ 83.070177][ T9829] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 83.076537][ T9829] ? security_socket_sendmsg+0x8d/0xc0
[ 83.081986][ T9829] ? netlink_unicast+0x7e0/0x7e0
[ 83.086914][ T9829] sock_sendmsg+0xd7/0x130
[ 83.091484][ T9829] ____sys_sendmsg+0x753/0x880
[ 83.096287][ T9829] ? kernel_sendmsg+0x50/0x50
[ 83.101087][ T9829] ? mark_held_locks+0xa4/0xf0
[ 83.105838][ T9829] ? do_huge_pmd_anonymous_page+0x1463/0x1a50
[ 83.111993][ T9829] ? __handle_mm_fault+0x3145/0x3cc0
[ 83.117284][ T9829] ? do_huge_pmd_anonymous_page+0x1463/0x1a50
[ 83.123347][ T9829] ___sys_sendmsg+0x100/0x170
[ 83.128082][ T9829] ? do_huge_pmd_anonymous_page+0xceb/0x1a50
[ 83.134061][ T9829] ? sendmsg_copy_msghdr+0x70/0x70
[ 83.139167][ T9829] ? __do_page_fault+0x56a/0xd80
[ 83.144150][ T9829] ? find_held_lock+0x35/0x130
[ 83.148975][ T9829] ? __do_page_fault+0x56a/0xd80
[ 83.153996][ T9829] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 83.160389][ T9829] ? __fget_light+0x1a9/0x230
[ 83.165076][ T9829] ? __fdget+0x1b/0x20
[ 83.169137][ T9829] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 83.175627][ T9829] __sys_sendmsg+0x105/0x1d0
[ 83.180222][ T9829] ? __sys_sendmsg_sock+0xc0/0xc0
[ 83.185243][ T9829] ? down_read_non_owner+0x490/0x490
[ 83.190730][ T9829] ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 83.196397][ T9829] ? do_syscall_64+0x26/0x790
[ 83.201336][ T9829] ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 83.207413][ T9829] ? do_syscall_64+0x26/0x790
[ 83.212271][ T9829] __x64_sys_sendmsg+0x78/0xb0
[ 83.217028][ T9829] do_syscall_64+0xfa/0x790
[ 83.221521][ T9829] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 83.227401][ T9829] RIP: 0033:0x441399
[ 83.231344][ T9829] Code: e8 fc ab 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 9b 09 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 83.251078][ T9829] RSP: 002b:00007ffdc9133778 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 83.259484][ T9829] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000441399
[ 83.267576][ T9829] RDX: 0000000000000000 RSI: 0000000020001080 RDI: 0000000000000003
[ 83.275600][ T9829] RBP: 0000000000013fe2 R08: 00000000004002c8 R09: 00000000004002c8
[ 83.283565][ T9829] R10: 0000000000000004 R11: 0000000000000246 R12: 00000000004021c0
[ 83.291522][ T9829] R13: 0000000000402250 R14: 0000000000000000 R15: 0000000000000000
[ 83.301151][ T9829] Kernel Offset: disabled
[ 83.305664][ T9829] Rebooting in 86400 seconds..