Warning: Permanently added '10.128.0.91' (ECDSA) to the list of known hosts.
executing program
executing program
executing program
executing program
executing program
executing program
[   36.740685] netlink: 1096 bytes leftover after parsing attributes in process `syz-executor222'.
[   36.750733] netlink: 1096 bytes leftover after parsing attributes in process `syz-executor222'.
[   36.760953] netlink: 1096 bytes leftover after parsing attributes in process `syz-executor222'.
[   36.771058] netlink: 1096 bytes leftover after parsing attributes in process `syz-executor222'.
[   36.780988] netlink: 1096 bytes leftover after parsing attributes in process `syz-executor222'.
executing program
executing program
executing program
executing program
executing program
[   36.791241] netlink: 1096 bytes leftover after parsing attributes in process `syz-executor222'.
[   36.810682] netlink: 1096 bytes leftover after parsing attributes in process `syz-executor222'.
[   36.820072] netlink: 1096 bytes leftover after parsing attributes in process `syz-executor222'.
[   36.829982] netlink: 1096 bytes leftover after parsing attributes in process `syz-executor222'.
[   36.841523] netlink: 1096 bytes leftover after parsing attributes in process `syz-executor222'.
[   36.880378] ==================================================================
[   36.887892] BUG: KASAN: use-after-free in tc_chain_fill_node+0x7f5/0x860
[   36.894721] Read of size 8 at addr ffff8880ab5d4500 by task syz-executor222/8124
[   36.902251] 
[   36.903883] CPU: 0 PID: 8124 Comm: syz-executor222 Not tainted 4.19.211-syzkaller #0
[   36.911740] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
[   36.921073] Call Trace:
[   36.923659]  dump_stack+0x1fc/0x2ef
[   36.927271]  print_address_description.cold+0x54/0x219
[   36.932755]  kasan_report_error.cold+0x8a/0x1b9
[   36.937422]  ? tc_chain_fill_node+0x7f5/0x860
[   36.941912]  __asan_report_load8_noabort+0x88/0x90
[   36.946832]  ? tc_chain_fill_node+0x7f5/0x860
[   36.951320]  tc_chain_fill_node+0x7f5/0x860
[   36.955716]  ? tfilter_notify+0x270/0x270
[   36.959858]  ? memset+0x20/0x40
[   36.963132]  tc_chain_notify+0x100/0x1f0
[   36.967276]  __tcf_chain_put+0xe5/0x4b0
[   36.971241]  tc_new_tfilter+0x729/0x16c0
[   36.975298]  ? tcf_chain_tp_remove+0x2c0/0x2c0
[   36.979867]  ? do_raw_spin_unlock+0x171/0x230
[   36.984359]  ? _raw_spin_unlock+0x29/0x40
[   36.988501]  ? __mutex_lock+0x368/0x1190
[   36.992551]  ? rtnetlink_rcv_msg+0x3fe/0xb80
[   36.996941]  ? mutex_trylock+0x1a0/0x1a0
[   37.001014]  ? tcf_chain_tp_remove+0x2c0/0x2c0
[   37.005590]  rtnetlink_rcv_msg+0x453/0xb80
[   37.009809]  ? rtnl_calcit.isra.0+0x430/0x430
[   37.014295]  ? __netlink_lookup+0x3fc/0x730
[   37.018610]  ? lock_downgrade+0x720/0x720
[   37.022827]  ? check_preemption_disabled+0x41/0x280
[   37.027971]  netlink_rcv_skb+0x160/0x440
[   37.032124]  ? rtnl_calcit.isra.0+0x430/0x430
[   37.036646]  ? netlink_ack+0xae0/0xae0
[   37.040676]  netlink_unicast+0x4d5/0x690
[   37.044750]  ? netlink_sendskb+0x110/0x110
[   37.049282]  ? _copy_from_iter_full+0x229/0x7c0
[   37.054042]  ? __phys_addr_symbol+0x2c/0x70
[   37.058384]  ? __check_object_size+0x17b/0x3e0
[   37.062977]  netlink_sendmsg+0x6c3/0xc50
[   37.067118]  ? aa_af_perm+0x230/0x230
[   37.071357]  ? nlmsg_notify+0x1f0/0x1f0
[   37.075311]  ? kernel_recvmsg+0x220/0x220
[   37.079749]  ? nlmsg_notify+0x1f0/0x1f0
[   37.083820]  sock_sendmsg+0xc3/0x120
[   37.087530]  ___sys_sendmsg+0x7bb/0x8e0
[   37.091502]  ? copy_msghdr_from_user+0x440/0x440
[   37.096248]  ? __fget+0x32f/0x510
[   37.099686]  ? lock_downgrade+0x720/0x720
[   37.103825]  ? check_preemption_disabled+0x41/0x280
[   37.108823]  ? check_preemption_disabled+0x41/0x280
[   37.113822]  ? __fget+0x356/0x510
[   37.117258]  ? do_dup2+0x450/0x450
[   37.120828]  ? __fd_install+0x1b4/0x610
[   37.124874]  ? __fdget+0x1d0/0x230
[   37.128490]  __x64_sys_sendmsg+0x132/0x220
[   37.132802]  ? __sys_sendmsg+0x1b0/0x1b0
[   37.136854]  ? __se_sys_futex+0x298/0x3b0
[   37.141181]  ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[   37.146704]  ? trace_hardirqs_off_caller+0x6e/0x210
[   37.151722]  ? do_syscall_64+0x21/0x620
[   37.155689]  do_syscall_64+0xf9/0x620
[   37.159564]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   37.164735] RIP: 0033:0x7f2993357bf9
[   37.168431] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 11 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
[   37.187404] RSP: 002b:00007f2993309318 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[   37.195092] RAX: ffffffffffffffda RBX: 00007f29933df428 RCX: 00007f2993357bf9
[   37.202352] RDX: 0000000000000000 RSI: 0000000020000340 RDI: 0000000000000005
[   37.209614] RBP: 00007f29933df420 R08: 0000000000000000 R09: 0000000000000000
[   37.216870] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f29933ad074
[   37.224218] R13: 00007ffe4ce14f6f R14: 00007f2993309400 R15: 0000000000022000
[   37.231573] 
[   37.233186] Allocated by task 8118:
[   37.236798]  __kmalloc_node+0x4c/0x70
[   37.240582]  qdisc_alloc+0xb2/0xa40
[   37.244209]  qdisc_create+0xdc/0x1130
[   37.248091]  tc_modify_qdisc+0x50d/0x1a80
[   37.252226]  rtnetlink_rcv_msg+0x453/0xb80
[   37.256451]  netlink_rcv_skb+0x160/0x440
[   37.260502]  netlink_unicast+0x4d5/0x690
[   37.264730]  netlink_sendmsg+0x6c3/0xc50
[   37.268864]  sock_sendmsg+0xc3/0x120
[   37.272645]  ___sys_sendmsg+0x7bb/0x8e0
[   37.276599]  __x64_sys_sendmsg+0x132/0x220
[   37.280903]  do_syscall_64+0xf9/0x620
[   37.284693]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   37.289863] 
[   37.291482] Freed by task 8133:
[   37.294744]  kfree+0xcc/0x210
[   37.297835]  qdisc_destroy+0x501/0x790
[   37.301704]  qdisc_graft+0xb61/0x1130
[   37.305493]  tc_modify_qdisc+0xd3d/0x1a80
[   37.309633]  rtnetlink_rcv_msg+0x453/0xb80
[   37.313847]  netlink_rcv_skb+0x160/0x440
[   37.317887]  netlink_unicast+0x4d5/0x690
[   37.326655]  netlink_sendmsg+0x6c3/0xc50
[   37.330706]  sock_sendmsg+0xc3/0x120
[   37.334489]  ___sys_sendmsg+0x7bb/0x8e0
[   37.338444]  __x64_sys_sendmsg+0x132/0x220
[   37.342890]  do_syscall_64+0xf9/0x620
[   37.346684]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   37.351945] 
[   37.353571] The buggy address belongs to the object at ffff8880ab5d44c0
[   37.353571]  which belongs to the cache kmalloc-1024 of size 1024
[   37.367119] The buggy address is located 64 bytes inside of
[   37.367119]  1024-byte region [ffff8880ab5d44c0, ffff8880ab5d48c0)
[   37.379253] The buggy address belongs to the page:
[   37.384166] page:ffffea0002ad7500 count:1 mapcount:0 mapping:ffff88813bff0ac0 index:0x0 compound_mapcount: 0
[   37.394119] flags: 0xfff00000008100(slab|head)
[   37.398688] raw: 00fff00000008100 ffffea0002ab5e88 ffffea000267ec88 ffff88813bff0ac0
[   37.406558] raw: 0000000000000000 ffff8880ab5d4040 0000000100000007 0000000000000000
[   37.414535] page dumped because: kasan: bad access detected
[   37.420230] 
[   37.422033] Memory state around the buggy address:
[   37.427209]  ffff8880ab5d4400: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   37.434706]  ffff8880ab5d4480: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[   37.442143] >ffff8880ab5d4500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   37.449492]                    ^
[   37.452849]  ffff8880ab5d4580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   37.460189]  ffff8880ab5d4600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   37.467538] ==================================================================
[   37.475150] Disabling lock debugging due to kernel taint
[   37.481874] Kernel panic - not syncing: panic_on_warn set ...
[   37.481874] 
[   37.489261] CPU: 0 PID: 8124 Comm: syz-executor222 Tainted: G    B 4.19.211-syzkaller #0
[   37.498525] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
[   37.507875] Call Trace:
[   37.510463]  dump_stack+0x1fc/0x2ef
[   37.514095]  panic+0x26a/0x50e
[   37.517287]  ? __warn_printk+0xf3/0xf3
[   37.521283]  ? preempt_schedule_common+0x45/0xc0
[   37.526041]  ? ___preempt_schedule+0x16/0x18
[   37.530431]  ? trace_hardirqs_on+0x55/0x210
[   37.534936]  kasan_end_report+0x43/0x49
[   37.538913]  kasan_report_error.cold+0xa7/0x1b9
[   37.543677]  ? tc_chain_fill_node+0x7f5/0x860
[   37.548242]  __asan_report_load8_noabort+0x88/0x90
[   37.553271]  ? tc_chain_fill_node+0x7f5/0x860
[   37.557883]  tc_chain_fill_node+0x7f5/0x860
[   37.562194]  ? tfilter_notify+0x270/0x270
[   37.566332]  ? memset+0x20/0x40
[   37.569783]  tc_chain_notify+0x100/0x1f0
[   37.573889]  __tcf_chain_put+0xe5/0x4b0
[   37.578063]  tc_new_tfilter+0x729/0x16c0
[   37.582138]  ? tcf_chain_tp_remove+0x2c0/0x2c0
[   37.586707]  ? do_raw_spin_unlock+0x171/0x230
[   37.591188]  ? _raw_spin_unlock+0x29/0x40
[   37.595316]  ? __mutex_lock+0x368/0x1190
[   37.599358]  ? rtnetlink_rcv_msg+0x3fe/0xb80
[   37.603744]  ? mutex_trylock+0x1a0/0x1a0
[   37.607789]  ? tcf_chain_tp_remove+0x2c0/0x2c0
[   37.612355]  rtnetlink_rcv_msg+0x453/0xb80
[   37.616578]  ? rtnl_calcit.isra.0+0x430/0x430
[   37.621055]  ? __netlink_lookup+0x3fc/0x730
[   37.625369]  ? lock_downgrade+0x720/0x720
[   37.629602]  ? check_preemption_disabled+0x41/0x280
[   37.634620]  netlink_rcv_skb+0x160/0x440
[   37.638678]  ? rtnl_calcit.isra.0+0x430/0x430
[   37.643158]  ? netlink_ack+0xae0/0xae0
[   37.647033]  netlink_unicast+0x4d5/0x690
[   37.651080]  ? netlink_sendskb+0x110/0x110
[   37.656011]  ? _copy_from_iter_full+0x229/0x7c0
[   37.660794]  ? __phys_addr_symbol+0x2c/0x70
[   37.665203]  ? __check_object_size+0x17b/0x3e0
[   37.669773]  netlink_sendmsg+0x6c3/0xc50
[   37.673831]  ? aa_af_perm+0x230/0x230
[   37.677629]  ? nlmsg_notify+0x1f0/0x1f0
[   37.681598]  ? kernel_recvmsg+0x220/0x220
[   37.685751]  ? nlmsg_notify+0x1f0/0x1f0
[   37.689717]  sock_sendmsg+0xc3/0x120
[   37.693463]  ___sys_sendmsg+0x7bb/0x8e0
[   37.697433]  ? copy_msghdr_from_user+0x440/0x440
[   37.702180]  ? __fget+0x32f/0x510
[   37.705616]  ? lock_downgrade+0x720/0x720
[   37.709760]  ? check_preemption_disabled+0x41/0x280
[   37.714764]  ? check_preemption_disabled+0x41/0x280
[   37.719769]  ? __fget+0x356/0x510
[   37.723205]  ? do_dup2+0x450/0x450
[   37.726726]  ? __fd_install+0x1b4/0x610
[   37.730683]  ? __fdget+0x1d0/0x230
[   37.734205]  __x64_sys_sendmsg+0x132/0x220
[   37.738420]  ? __sys_sendmsg+0x1b0/0x1b0
[   37.742462]  ? __se_sys_futex+0x298/0x3b0
[   37.746613]  ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[   37.751954]  ? trace_hardirqs_off_caller+0x6e/0x210
[   37.756946]  ? do_syscall_64+0x21/0x620
[   37.760897]  do_syscall_64+0xf9/0x620
[   37.764678]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   37.769845] RIP: 0033:0x7f2993357bf9
[   37.773558] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 11 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
[   37.792437] RSP: 002b:00007f2993309318 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[   37.801571] RAX: ffffffffffffffda RBX: 00007f29933df428 RCX: 00007f2993357bf9
[   37.809004] RDX: 0000000000000000 RSI: 0000000020000340 RDI: 0000000000000005
[   37.816256] RBP: 00007f29933df420 R08: 0000000000000000 R09: 0000000000000000
[   37.823607] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f29933ad074
[   37.830958] R13: 00007ffe4ce14f6f R14: 00007f2993309400 R15: 0000000000022000
[   37.838463] Kernel Offset: disabled
[   37.842089] Rebooting in 86400 seconds..