Warning: Permanently added '10.128.0.91' (ECDSA) to the list of known hosts.
executing program
executing program
executing program
executing program
executing program
executing program
[   36.740685] netlink: 1096 bytes leftover after parsing attributes in process `syz-executor222'.
[   36.750733] netlink: 1096 bytes leftover after parsing attributes in process `syz-executor222'.
[   36.760953] netlink: 1096 bytes leftover after parsing attributes in process `syz-executor222'.
[   36.771058] netlink: 1096 bytes leftover after parsing attributes in process `syz-executor222'.
[   36.780988] netlink: 1096 bytes leftover after parsing attributes in process `syz-executor222'.
executing program
executing program
executing program
executing program
executing program
[   36.791241] netlink: 1096 bytes leftover after parsing attributes in process `syz-executor222'.
[   36.810682] netlink: 1096 bytes leftover after parsing attributes in process `syz-executor222'.
[   36.820072] netlink: 1096 bytes leftover after parsing attributes in process `syz-executor222'.
[   36.829982] netlink: 1096 bytes leftover after parsing attributes in process `syz-executor222'.
[   36.841523] netlink: 1096 bytes leftover after parsing attributes in process `syz-executor222'.
[   36.880378] ==================================================================
[   36.887892] BUG: KASAN: use-after-free in tc_chain_fill_node+0x7f5/0x860
[   36.894721] Read of size 8 at addr ffff8880ab5d4500 by task syz-executor222/8124
[   36.902251] 
[   36.903883] CPU: 0 PID: 8124 Comm: syz-executor222 Not tainted 4.19.211-syzkaller #0
[   36.911740] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
[   36.921073] Call Trace:
[   36.923659]  dump_stack+0x1fc/0x2ef
[   36.927271]  print_address_description.cold+0x54/0x219
[   36.932755]  kasan_report_error.cold+0x8a/0x1b9
[   36.937422]  ? tc_chain_fill_node+0x7f5/0x860
[   36.941912]  __asan_report_load8_noabort+0x88/0x90
[   36.946832]  ? tc_chain_fill_node+0x7f5/0x860
[   36.951320]  tc_chain_fill_node+0x7f5/0x860
[   36.955716]  ? tfilter_notify+0x270/0x270
[   36.959858]  ? memset+0x20/0x40
[   36.963132]  tc_chain_notify+0x100/0x1f0
[   36.967276]  __tcf_chain_put+0xe5/0x4b0
[   36.971241]  tc_new_tfilter+0x729/0x16c0
[   36.975298]  ? tcf_chain_tp_remove+0x2c0/0x2c0
[   36.979867]  ? do_raw_spin_unlock+0x171/0x230
[   36.984359]  ? _raw_spin_unlock+0x29/0x40
[   36.988501]  ? __mutex_lock+0x368/0x1190
[   36.992551]  ? rtnetlink_rcv_msg+0x3fe/0xb80
[   36.996941]  ? mutex_trylock+0x1a0/0x1a0
[   37.001014]  ? tcf_chain_tp_remove+0x2c0/0x2c0
[   37.005590]  rtnetlink_rcv_msg+0x453/0xb80
[   37.009809]  ? rtnl_calcit.isra.0+0x430/0x430
[   37.014295]  ? __netlink_lookup+0x3fc/0x730
[   37.018610]  ? lock_downgrade+0x720/0x720
[   37.022827]  ? check_preemption_disabled+0x41/0x280
[   37.027971]  netlink_rcv_skb+0x160/0x440
[   37.032124]  ? rtnl_calcit.isra.0+0x430/0x430
[   37.036646]  ? netlink_ack+0xae0/0xae0
[   37.040676]  netlink_unicast+0x4d5/0x690
[   37.044750]  ? netlink_sendskb+0x110/0x110
[   37.049282]  ? _copy_from_iter_full+0x229/0x7c0
[   37.054042]  ? __phys_addr_symbol+0x2c/0x70
[   37.058384]  ? __check_object_size+0x17b/0x3e0
[   37.062977]  netlink_sendmsg+0x6c3/0xc50
[   37.067118]  ? aa_af_perm+0x230/0x230
[   37.071357]  ? nlmsg_notify+0x1f0/0x1f0
[   37.075311]  ? kernel_recvmsg+0x220/0x220
[   37.079749]  ? nlmsg_notify+0x1f0/0x1f0
[   37.083820]  sock_sendmsg+0xc3/0x120
[   37.087530]  ___sys_sendmsg+0x7bb/0x8e0
[   37.091502]  ? copy_msghdr_from_user+0x440/0x440
[   37.096248]  ? __fget+0x32f/0x510
[   37.099686]  ? lock_downgrade+0x720/0x720
[   37.103825]  ? check_preemption_disabled+0x41/0x280
[   37.108823]  ? check_preemption_disabled+0x41/0x280
[   37.113822]  ? __fget+0x356/0x510
[   37.117258]  ? do_dup2+0x450/0x450
[   37.120828]  ? __fd_install+0x1b4/0x610
[   37.124874]  ? __fdget+0x1d0/0x230
[   37.128490]  __x64_sys_sendmsg+0x132/0x220
[   37.132802]  ? __sys_sendmsg+0x1b0/0x1b0
[   37.136854]  ? __se_sys_futex+0x298/0x3b0
[   37.141181]  ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[   37.146704]  ? trace_hardirqs_off_caller+0x6e/0x210
[   37.151722]  ? do_syscall_64+0x21/0x620
[   37.155689]  do_syscall_64+0xf9/0x620
[   37.159564]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   37.164735] RIP: 0033:0x7f2993357bf9
[   37.168431] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 11 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
[   37.187404] RSP: 002b:00007f2993309318 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[   37.195092] RAX: ffffffffffffffda RBX: 00007f29933df428 RCX: 00007f2993357bf9
[   37.202352] RDX: 0000000000000000 RSI: 0000000020000340 RDI: 0000000000000005
[   37.209614] RBP: 00007f29933df420 R08: 0000000000000000 R09: 0000000000000000
[   37.216870] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f29933ad074
[   37.224218] R13: 00007ffe4ce14f6f R14: 00007f2993309400 R15: 0000000000022000
[   37.231573] 
[   37.233186] Allocated by task 8118:
[   37.236798]  __kmalloc_node+0x4c/0x70
[   37.240582]  qdisc_alloc+0xb2/0xa40
[   37.244209]  qdisc_create+0xdc/0x1130
[   37.248091]  tc_modify_qdisc+0x50d/0x1a80
[   37.252226]  rtnetlink_rcv_msg+0x453/0xb80
[   37.256451]  netlink_rcv_skb+0x160/0x440
[   37.260502]  netlink_unicast+0x4d5/0x690
[   37.264730]  netlink_sendmsg+0x6c3/0xc50
[   37.268864]  sock_sendmsg+0xc3/0x120
[   37.272645]  ___sys_sendmsg+0x7bb/0x8e0
[   37.276599]  __x64_sys_sendmsg+0x132/0x220
[   37.280903]  do_syscall_64+0xf9/0x620
[   37.284693]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   37.289863] 
[   37.291482] Freed by task 8133:
[   37.294744]  kfree+0xcc/0x210
[   37.297835]  qdisc_destroy+0x501/0x790
[   37.301704]  qdisc_graft+0xb61/0x1130
[   37.305493]  tc_modify_qdisc+0xd3d/0x1a80
[   37.309633]  rtnetlink_rcv_msg+0x453/0xb80
[   37.313847]  netlink_rcv_skb+0x160/0x440
[   37.317887]  netlink_unicast+0x4d5/0x690
[   37.326655]  netlink_sendmsg+0x6c3/0xc50
[   37.330706]  sock_sendmsg+0xc3/0x120
[   37.334489]  ___sys_sendmsg+0x7bb/0x8e0
[   37.338444]  __x64_sys_sendmsg+0x132/0x220
[   37.342890]  do_syscall_64+0xf9/0x620
[   37.346684]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   37.351945] 
[   37.353571] The buggy address belongs to the object at ffff8880ab5d44c0
[   37.353571]  which belongs to the cache kmalloc-1024 of size 1024
[   37.367119] The buggy address is located 64 bytes inside of
[   37.367119]  1024-byte region [ffff8880ab5d44c0, ffff8880ab5d48c0)
[   37.379253] The buggy address belongs to the page:
[   37.384166] page:ffffea0002ad7500 count:1 mapcount:0 mapping:ffff88813bff0ac0 index:0x0 compound_mapcount: 0
[   37.394119] flags: 0xfff00000008100(slab|head)
[   37.398688] raw: 00fff00000008100 ffffea0002ab5e88 ffffea000267ec88 ffff88813bff0ac0
[   37.406558] raw: 0000000000000000 ffff8880ab5d4040 0000000100000007 0000000000000000
[   37.414535] page dumped because: kasan: bad access detected
[   37.420230] 
[   37.422033] Memory state around the buggy address:
[   37.427209]  ffff8880ab5d4400: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   37.434706]  ffff8880ab5d4480: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[   37.442143] >ffff8880ab5d4500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   37.449492]                    ^
[   37.452849]  ffff8880ab5d4580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   37.460189]  ffff8880ab5d4600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   37.467538] ==================================================================
[   37.475150] Disabling lock debugging due to kernel taint
[   37.481874] Kernel panic - not syncing: panic_on_warn set ...
[   37.481874] 
[   37.489261] CPU: 0 PID: 8124 Comm: syz-executor222 Tainted: G    B             4.19.211-syzkaller #0
[   37.498525] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
[   37.507875] Call Trace:
[   37.510463]  dump_stack+0x1fc/0x2ef
[   37.514095]  panic+0x26a/0x50e
[   37.517287]  ? __warn_printk+0xf3/0xf3
[   37.521283]  ? preempt_schedule_common+0x45/0xc0
[   37.526041]  ? ___preempt_schedule+0x16/0x18
[   37.530431]  ? trace_hardirqs_on+0x55/0x210
[   37.534936]  kasan_end_report+0x43/0x49
[   37.538913]  kasan_report_error.cold+0xa7/0x1b9
[   37.543677]  ? tc_chain_fill_node+0x7f5/0x860
[   37.548242]  __asan_report_load8_noabort+0x88/0x90
[   37.553271]  ? tc_chain_fill_node+0x7f5/0x860
[   37.557883]  tc_chain_fill_node+0x7f5/0x860
[   37.562194]  ? tfilter_notify+0x270/0x270
[   37.566332]  ? memset+0x20/0x40
[   37.569783]  tc_chain_notify+0x100/0x1f0
[   37.573889]  __tcf_chain_put+0xe5/0x4b0
[   37.578063]  tc_new_tfilter+0x729/0x16c0
[   37.582138]  ? tcf_chain_tp_remove+0x2c0/0x2c0
[   37.586707]  ? do_raw_spin_unlock+0x171/0x230
[   37.591188]  ? _raw_spin_unlock+0x29/0x40
[   37.595316]  ? __mutex_lock+0x368/0x1190
[   37.599358]  ? rtnetlink_rcv_msg+0x3fe/0xb80
[   37.603744]  ? mutex_trylock+0x1a0/0x1a0
[   37.607789]  ? tcf_chain_tp_remove+0x2c0/0x2c0
[   37.612355]  rtnetlink_rcv_msg+0x453/0xb80
[   37.616578]  ? rtnl_calcit.isra.0+0x430/0x430
[   37.621055]  ? __netlink_lookup+0x3fc/0x730
[   37.625369]  ? lock_downgrade+0x720/0x720
[   37.629602]  ? check_preemption_disabled+0x41/0x280
[   37.634620]  netlink_rcv_skb+0x160/0x440
[   37.638678]  ? rtnl_calcit.isra.0+0x430/0x430
[   37.643158]  ? netlink_ack+0xae0/0xae0
[   37.647033]  netlink_unicast+0x4d5/0x690
[   37.651080]  ? netlink_sendskb+0x110/0x110
[   37.656011]  ? _copy_from_iter_full+0x229/0x7c0
[   37.660794]  ? __phys_addr_symbol+0x2c/0x70
[   37.665203]  ? __check_object_size+0x17b/0x3e0
[   37.669773]  netlink_sendmsg+0x6c3/0xc50
[   37.673831]  ? aa_af_perm+0x230/0x230
[   37.677629]  ? nlmsg_notify+0x1f0/0x1f0
[   37.681598]  ? kernel_recvmsg+0x220/0x220
[   37.685751]  ? nlmsg_notify+0x1f0/0x1f0
[   37.689717]  sock_sendmsg+0xc3/0x120
[   37.693463]  ___sys_sendmsg+0x7bb/0x8e0
[   37.697433]  ? copy_msghdr_from_user+0x440/0x440
[   37.702180]  ? __fget+0x32f/0x510
[   37.705616]  ? lock_downgrade+0x720/0x720
[   37.709760]  ? check_preemption_disabled+0x41/0x280
[   37.714764]  ? check_preemption_disabled+0x41/0x280
[   37.719769]  ? __fget+0x356/0x510
[   37.723205]  ? do_dup2+0x450/0x450
[   37.726726]  ? __fd_install+0x1b4/0x610
[   37.730683]  ? __fdget+0x1d0/0x230
[   37.734205]  __x64_sys_sendmsg+0x132/0x220
[   37.738420]  ? __sys_sendmsg+0x1b0/0x1b0
[   37.742462]  ? __se_sys_futex+0x298/0x3b0
[   37.746613]  ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[   37.751954]  ? trace_hardirqs_off_caller+0x6e/0x210
[   37.756946]  ? do_syscall_64+0x21/0x620
[   37.760897]  do_syscall_64+0xf9/0x620
[   37.764678]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   37.769845] RIP: 0033:0x7f2993357bf9
[   37.773558] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 11 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
[   37.792437] RSP: 002b:00007f2993309318 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[   37.801571] RAX: ffffffffffffffda RBX: 00007f29933df428 RCX: 00007f2993357bf9
[   37.809004] RDX: 0000000000000000 RSI: 0000000020000340 RDI: 0000000000000005
[   37.816256] RBP: 00007f29933df420 R08: 0000000000000000 R09: 0000000000000000
[   37.823607] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f29933ad074
[   37.830958] R13: 00007ffe4ce14f6f R14: 00007f2993309400 R15: 0000000000022000
[   37.838463] Kernel Offset: disabled
[   37.842089] Rebooting in 86400 seconds..