Warning: Permanently added '10.128.0.239' (ECDSA) to the list of known hosts.
executing program
executing program
executing program
executing program
executing program
executing program
[   64.120500][ T6832] netlink: 8 bytes leftover after parsing attributes in process `syz-executor151'.
[   64.125834][ T6837] netlink: 8 bytes leftover after parsing attributes in process `syz-executor151'.
[   64.140818][ T6839] netlink: 8 bytes leftover after parsing attributes in process `syz-executor151'.
[   64.141187][ T6840] netlink: 8 bytes leftover after parsing attributes in process `syz-executor151'.
[   64.153797][ T6837] ==================================================================
[   64.167680][ T6837] BUG: KASAN: use-after-free in tipc_nl_publ_dump+0xae0/0xce0
[   64.175141][ T6837] Read of size 2 at addr ffff8880a2dd0a84 by task syz-executor151/6837
[   64.183366][ T6837]
[   64.185702][ T6837] CPU: 1 PID: 6837 Comm: syz-executor151 Not tainted 5.8.0-rc2-syzkaller #0
[   64.194355][ T6837] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   64.204392][ T6837] Call Trace:
[   64.207671][ T6837]  dump_stack+0x18f/0x20d
[   64.212071][ T6837]  ? tipc_nl_publ_dump+0xae0/0xce0
[   64.217188][ T6837]  ? tipc_nl_publ_dump+0xae0/0xce0
[   64.222317][ T6837]  print_address_description.constprop.0.cold+0xae/0x436
[   64.229334][ T6837]  ? vprintk_func+0x97/0x1a6
[   64.233938][ T6837]  ? tipc_nl_publ_dump+0xae0/0xce0
[   64.239047][ T6837]  kasan_report.cold+0x1f/0x37
[   64.243802][ T6837]  ? tipc_nl_publ_dump+0xae0/0xce0
[   64.248902][ T6837]  tipc_nl_publ_dump+0xae0/0xce0
[   64.253862][ T6837]  ? __mutex_lock+0x626/0x10d0
[   64.258668][ T6837]  ? tipc_nl_sk_dump+0x30/0x30
[   64.263432][ T6837]  ? check_preemption_disabled+0x38/0x220
[   64.269144][ T6837]  ? rcu_read_lock_sched_held+0x3a/0xb0
[   64.274676][ T6837]  ? kmem_cache_alloc_node_trace+0x3b0/0x400
[   64.280641][ T6837]  ? __kmalloc_node_track_caller+0x38/0x60
[   64.286435][ T6837]  ? kasan_unpoison_shadow+0x33/0x40
[   64.291824][ T6837]  ? __phys_addr+0x9a/0x110
[   64.296320][ T6837]  ? memset+0x20/0x40
[   64.300335][ T6837]  genl_lock_dumpit+0x7f/0xb0
[   64.305148][ T6837]  netlink_dump+0x4cd/0xf60
[   64.309645][ T6837]  ? netlink_insert+0x1670/0x1670
[   64.314661][ T6837]  ? __mutex_unlock_slowpath+0xe2/0x610
[   64.320203][ T6837]  ? genl_start+0x45a/0x6e0
[   64.324700][ T6837]  __netlink_dump_start+0x643/0x900
[   64.329975][ T6837]  ? genl_rcv_msg+0x9e0/0x9e0
[   64.334645][ T6837]  ? tipc_nl_sk_dump+0x30/0x30
[   64.339401][ T6837]  genl_family_rcv_msg_dumpit+0x2ac/0x310
[   64.345126][ T6837]  ? genl_rcv+0x40/0x40
[   64.349269][ T6837]  ? mutex_lock_io_nested+0xf60/0xf60
[   64.354635][ T6837]  ? mark_lock+0xbc/0x1710
[   64.359057][ T6837]  ? genl_rcv_msg+0x9e0/0x9e0
[   64.363721][ T6837]  ? genl_unlock+0x20/0x20
[   64.368159][ T6837]  ? genl_parallel_done+0x170/0x170
[   64.373349][ T6837]  ? __radix_tree_lookup+0x1f3/0x290
[   64.378630][ T6837]  genl_rcv_msg+0x797/0x9e0
[   64.383134][ T6837]  ? genl_family_rcv_msg_attrs_parse.isra.0+0x310/0x310
[   64.390084][ T6837]  ? lock_acquire+0x1f1/0xad0
[   64.394754][ T6837]  ? genl_rcv+0x15/0x40
[   64.398901][ T6837]  ? lock_release+0x8d0/0x8d0
[   64.403616][ T6837]  netlink_rcv_skb+0x15a/0x430
[   64.408372][ T6837]  ? genl_family_rcv_msg_attrs_parse.isra.0+0x310/0x310
[   64.415300][ T6837]  ? netlink_ack+0xa10/0xa10
[   64.419910][ T6837]  genl_rcv+0x24/0x40
[   64.423896][ T6837]  netlink_unicast+0x533/0x7d0
[   64.428655][ T6837]  ? netlink_attachskb+0x810/0x810
[   64.433773][ T6837]  ? _copy_from_iter_full+0x247/0x890
[   64.439145][ T6837]  ? __phys_addr+0x9a/0x110
[   64.443673][ T6837]  ? __phys_addr_symbol+0x2c/0x70
[   64.448700][ T6837]  ? __check_object_size+0x171/0x3e4
[   64.454068][ T6837]  netlink_sendmsg+0x856/0xd90
[   64.458831][ T6837]  ? netlink_unicast+0x7d0/0x7d0
[   64.463769][ T6837]  ? netlink_unicast+0x7d0/0x7d0
[   64.468709][ T6837]  sock_sendmsg+0xcf/0x120
[   64.473324][ T6837]  ____sys_sendmsg+0x6e8/0x810
[   64.478079][ T6837]  ? kernel_sendmsg+0x50/0x50
[   64.482746][ T6837]  ? do_recvmmsg+0x6d0/0x6d0
[   64.487331][ T6837]  ? find_held_lock+0x2d/0x110
[   64.492100][ T6837]  ? lockdep_hardirqs_on_prepare+0x590/0x590
[   64.498080][ T6837]  ? lock_downgrade+0x820/0x820
[   64.502977][ T6837]  ___sys_sendmsg+0xf3/0x170
[   64.507562][ T6837]  ? sendmsg_copy_msghdr+0x160/0x160
[   64.512857][ T6837]  ? debug_object_active_state+0x260/0x350
[   64.518792][ T6837]  ? lock_downgrade+0x820/0x820
[   64.523641][ T6837]  ? _raw_spin_unlock_irqrestore+0x62/0xe0
[   64.529525][ T6837]  ? lockdep_hardirqs_on_prepare+0x3a2/0x590
[   64.535515][ T6837]  ? _raw_spin_unlock_irqrestore+0x9b/0xe0
[   64.541340][ T6837]  ? debug_object_active_state+0x260/0x350
[   64.547150][ T6837]  ? trace_hardirqs_off+0x27/0x210
[   64.552257][ T6837]  ? __fget_light+0x215/0x280
[   64.556934][ T6837]  __sys_sendmsg+0xe5/0x1b0
[   64.561431][ T6837]  ? __sys_sendmsg_sock+0xb0/0xb0
[   64.566449][ T6837]  ? check_preemption_disabled+0x38/0x220
[   64.572294][ T6837]  ? do_syscall_64+0x1c/0xe0
[   64.576885][ T6837]  ? lockdep_hardirqs_on_prepare+0x3a2/0x590
[   64.582864][ T6837]  do_syscall_64+0x60/0xe0
[   64.587279][ T6837]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[   64.593171][ T6837] RIP: 0033:0x445f09
[   64.597048][ T6837] Code: Bad RIP value.
[   64.601101][ T6837] RSP: 002b:00007ffd14d85c88 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[   64.609602][ T6837] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000445f09
[   64.617565][ T6837] RDX: 0000000000000000 RSI: 0000000020000500 RDI: 0000000000000004
[   64.625591][ T6837] RBP: 00000000006d0018 R08: 0000000000000000 R09: 00000000004002e0
[   64.633550][ T6837] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000004030a0
[   64.641510][ T6837] R13: 0000000000403130 R14: 0000000000000000 R15: 0000000000000000
[   64.649485][ T6837]
[   64.651891][ T6837] Allocated by task 6839:
[   64.656212][ T6837]  save_stack+0x1b/0x40
[   64.660480][ T6837]  __kasan_kmalloc.constprop.0+0xc2/0xd0
[   64.666111][ T6837]  __alloc_skb+0xae/0x550
[   64.670439][ T6837]  netlink_sendmsg+0x94f/0xd90
[   64.675204][ T6837]  sock_sendmsg+0xcf/0x120
[   64.679632][ T6837]  ____sys_sendmsg+0x6e8/0x810
[   64.684405][ T6837]  ___sys_sendmsg+0xf3/0x170
[   64.688986][ T6837]  __sys_sendmsg+0xe5/0x1b0
[   64.693487][ T6837]  do_syscall_64+0x60/0xe0
[   64.697907][ T6837]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[   64.703879][ T6837]
[   64.706197][ T6837] Freed by task 6839:
[   64.710245][ T6837]  save_stack+0x1b/0x40
[   64.714451][ T6837]  __kasan_slab_free+0xf5/0x140
[   64.719318][ T6837]  kfree+0x103/0x2c0
[   64.723208][ T6837]  skb_release_data+0x6d9/0x910
[   64.728048][ T6837]  consume_skb+0xc2/0x160
[   64.732455][ T6837]  netlink_unicast+0x53b/0x7d0
[   64.737213][ T6837]  netlink_sendmsg+0x856/0xd90
[   64.741966][ T6837]  sock_sendmsg+0xcf/0x120
[   64.746386][ T6837]  ____sys_sendmsg+0x6e8/0x810
[   64.751141][ T6837]  ___sys_sendmsg+0xf3/0x170
[   64.755723][ T6837]  __sys_sendmsg+0xe5/0x1b0
[   64.760402][ T6837]  do_syscall_64+0x60/0xe0
[   64.764810][ T6837]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[   64.770707][ T6837]
[   64.773029][ T6837] The buggy address belongs to the object at ffff8880a2dd0800
[   64.773029][ T6837]  which belongs to the cache kmalloc-1k of size 1024
[   64.787069][ T6837] The buggy address is located 644 bytes inside of
[   64.787069][ T6837]  1024-byte region [ffff8880a2dd0800, ffff8880a2dd0c00)
[   64.800410][ T6837] The buggy address belongs to the page:
[   64.806039][ T6837] page:ffffea00028b7400 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0
[   64.815135][ T6837] flags: 0xfffe0000000200(slab)
[   64.819993][ T6837] raw: 00fffe0000000200 ffffea00027d2a08 ffffea0002a22908 ffff8880aa000c40
[   64.828579][ T6837] raw: 0000000000000000 ffff8880a2dd0000 0000000100000002 0000000000000000
[   64.837156][ T6837] page dumped because: kasan: bad access detected
[   64.843564][ T6837]
[   64.845878][ T6837] Memory state around the buggy address:
[   64.851747][ T6837]  ffff8880a2dd0980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   64.859807][ T6837]  ffff8880a2dd0a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   64.867866][ T6837] >ffff8880a2dd0a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   64.876061][ T6837]                                ^
[   64.880130][ T6837]  ffff8880a2dd0b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   64.888184][ T6837]  ffff8880a2dd0b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   64.896344][ T6837] ==================================================================
[   64.904395][ T6837] Disabling lock debugging due to kernel taint
[   64.911543][ T6837] Kernel panic - not syncing: panic_on_warn set ...
executing program
[   64.918159][ T6837] CPU: 1 PID: 6837 Comm: syz-executor151 Tainted: G    B             5.8.0-rc2-syzkaller #0
[   64.928228][ T6837] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   64.938387][ T6837] Call Trace:
[   64.941687][ T6837]  dump_stack+0x18f/0x20d
[   64.946039][ T6837]  ? tipc_nl_publ_dump+0xa30/0xce0
[   64.951161][ T6837]  panic+0x2e3/0x75c
[   64.955092][ T6837]  ? __warn_printk+0xf3/0xf3
[   64.959686][ T6837]  ? preempt_schedule_common+0x59/0xc0
[   64.965132][ T6837]  ? tipc_nl_publ_dump+0xae0/0xce0
[   64.970235][ T6837]  ? preempt_schedule_thunk+0x16/0x18
[   64.975732][ T6837]  ? trace_hardirqs_on+0x55/0x220
[   64.980879][ T6837]  ? tipc_nl_publ_dump+0xae0/0xce0
[   64.985980][ T6837]  ? tipc_nl_publ_dump+0xae0/0xce0
[   64.991079][ T6837]  end_report+0x4d/0x53
[   64.995225][ T6837]  kasan_report.cold+0xd/0x37
[   64.999894][ T6837]  ? tipc_nl_publ_dump+0xae0/0xce0
[   65.004995][ T6837]  tipc_nl_publ_dump+0xae0/0xce0
[   65.010174][ T6837]  ? __mutex_lock+0x626/0x10d0
[   65.014932][ T6837]  ? tipc_nl_sk_dump+0x30/0x30
[   65.019683][ T6837]  ? check_preemption_disabled+0x38/0x220
[   65.025406][ T6837]  ? rcu_read_lock_sched_held+0x3a/0xb0
[   65.030961][ T6837]  ? kmem_cache_alloc_node_trace+0x3b0/0x400
[   65.036936][ T6837]  ? __kmalloc_node_track_caller+0x38/0x60
[   65.042732][ T6837]  ? kasan_unpoison_shadow+0x33/0x40
[   65.048175][ T6837]  ? __phys_addr+0x9a/0x110
[   65.052798][ T6837]  ? memset+0x20/0x40
[   65.056783][ T6837]  genl_lock_dumpit+0x7f/0xb0
[   65.061458][ T6837]  netlink_dump+0x4cd/0xf60
[   65.065950][ T6837]  ? netlink_insert+0x1670/0x1670
[   65.070962][ T6837]  ? __mutex_unlock_slowpath+0xe2/0x610
[   65.076700][ T6837]  ? genl_start+0x45a/0x6e0
[   65.081267][ T6837]  __netlink_dump_start+0x643/0x900
[   65.086465][ T6837]  ? genl_rcv_msg+0x9e0/0x9e0
[   65.091132][ T6837]  ? tipc_nl_sk_dump+0x30/0x30
[   65.095888][ T6837]  genl_family_rcv_msg_dumpit+0x2ac/0x310
[   65.101596][ T6837]  ? genl_rcv+0x40/0x40
[   65.105740][ T6837]  ? mutex_lock_io_nested+0xf60/0xf60
[   65.111101][ T6837]  ? mark_lock+0xbc/0x1710
[   65.115509][ T6837]  ? genl_rcv_msg+0x9e0/0x9e0
[   65.120171][ T6837]  ? genl_unlock+0x20/0x20
[   65.124575][ T6837]  ? genl_parallel_done+0x170/0x170
[   65.129763][ T6837]  ? __radix_tree_lookup+0x1f3/0x290
[   65.135039][ T6837]  genl_rcv_msg+0x797/0x9e0
[   65.139552][ T6837]  ? genl_family_rcv_msg_attrs_parse.isra.0+0x310/0x310
[   65.146487][ T6837]  ? lock_acquire+0x1f1/0xad0
[   65.151250][ T6837]  ? genl_rcv+0x15/0x40
[   65.155554][ T6837]  ? lock_release+0x8d0/0x8d0
[   65.160465][ T6837]  netlink_rcv_skb+0x15a/0x430
[   65.165216][ T6837]  ? genl_family_rcv_msg_attrs_parse.isra.0+0x310/0x310
[   65.172141][ T6837]  ? netlink_ack+0xa10/0xa10
[   65.176871][ T6837]  genl_rcv+0x24/0x40
[   65.180859][ T6837]  netlink_unicast+0x533/0x7d0
[   65.185730][ T6837]  ? netlink_attachskb+0x810/0x810
[   65.190907][ T6837]  ? _copy_from_iter_full+0x247/0x890
[   65.196268][ T6837]  ? __phys_addr+0x9a/0x110
[   65.200759][ T6837]  ? __phys_addr_symbol+0x2c/0x70
[   65.205771][ T6837]  ? __check_object_size+0x171/0x3e4
[   65.211209][ T6837]  netlink_sendmsg+0x856/0xd90
[   65.215967][ T6837]  ? netlink_unicast+0x7d0/0x7d0
[   65.220894][ T6837]  ? netlink_unicast+0x7d0/0x7d0
[   65.225964][ T6837]  sock_sendmsg+0xcf/0x120
[   65.230375][ T6837]  ____sys_sendmsg+0x6e8/0x810
[   65.235131][ T6837]  ? kernel_sendmsg+0x50/0x50
[   65.239797][ T6837]  ? do_recvmmsg+0x6d0/0x6d0
[   65.244374][ T6837]  ? find_held_lock+0x2d/0x110
[   65.249130][ T6837]  ? lockdep_hardirqs_on_prepare+0x590/0x590
[   65.255212][ T6837]  ? lock_downgrade+0x820/0x820
[   65.260052][ T6837]  ___sys_sendmsg+0xf3/0x170
[   65.264639][ T6837]  ? sendmsg_copy_msghdr+0x160/0x160
[   65.269915][ T6837]  ? debug_object_active_state+0x260/0x350
[   65.275735][ T6837]  ? lock_downgrade+0x820/0x820
[   65.280687][ T6837]  ? _raw_spin_unlock_irqrestore+0x62/0xe0
[   65.286636][ T6837]  ? lockdep_hardirqs_on_prepare+0x3a2/0x590
[   65.292612][ T6837]  ? _raw_spin_unlock_irqrestore+0x9b/0xe0
[   65.298655][ T6837]  ? debug_object_active_state+0x260/0x350
[   65.304548][ T6837]  ? trace_hardirqs_off+0x27/0x210
[   65.309653][ T6837]  ? __fget_light+0x215/0x280
[   65.314459][ T6837]  __sys_sendmsg+0xe5/0x1b0
[   65.319088][ T6837]  ? __sys_sendmsg_sock+0xb0/0xb0
[   65.324104][ T6837]  ? check_preemption_disabled+0x38/0x220
[   65.329860][ T6837]  ? do_syscall_64+0x1c/0xe0
[   65.334439][ T6837]  ? lockdep_hardirqs_on_prepare+0x3a2/0x590
[   65.340601][ T6837]  do_syscall_64+0x60/0xe0
[   65.345070][ T6837]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[   65.350963][ T6837] RIP: 0033:0x445f09
[   65.354845][ T6837] Code: Bad RIP value.
[   65.358898][ T6837] RSP: 002b:00007ffd14d85c88 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[   65.367307][ T6837] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000445f09
[   65.375400][ T6837] RDX: 0000000000000000 RSI: 0000000020000500 RDI: 0000000000000004
[   65.383466][ T6837] RBP: 00000000006d0018 R08: 0000000000000000 R09: 00000000004002e0
[   65.391430][ T6837] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000004030a0
[   65.399486][ T6837] R13: 0000000000403130 R14: 0000000000000000 R15: 0000000000000000
[   65.409022][ T6837] Kernel Offset: disabled
[   65.413356][ T6837] Rebooting in 86400 seconds..