Warning: Permanently added '10.128.0.187' (ECDSA) to the list of known hosts. executing program syzkaller login: [ 65.276006][ T6880] netlink: 32 bytes leftover after parsing attributes in process `syz-executor259'. [ 65.395017][ T6880] ================================================================== [ 65.403768][ T6880] BUG: KASAN: use-after-free in tcf_action_destroy+0x188/0x1b0 [ 65.411899][ T6880] Read of size 8 at addr ffff8880a6998c00 by task syz-executor259/6880 [ 65.420893][ T6880] [ 65.423831][ T6880] CPU: 0 PID: 6880 Comm: syz-executor259 Not tainted 5.9.0-rc3-syzkaller #0 [ 65.435440][ T6880] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 65.446286][ T6880] Call Trace: [ 65.450069][ T6880] dump_stack+0x198/0x1fd [ 65.454617][ T6880] ? tcf_action_destroy+0x188/0x1b0 [ 65.460174][ T6880] ? tcf_action_destroy+0x188/0x1b0 [ 65.466499][ T6880] print_address_description.constprop.0.cold+0xae/0x497 [ 65.474722][ T6880] ? tcf_action_destroy+0x188/0x1b0 [ 65.481802][ T6880] ? lockdep_hardirqs_off+0x96/0xd0 [ 65.487766][ T6880] ? vprintk_func+0x97/0x1a6 [ 65.493335][ T6880] ? tcf_action_destroy+0x188/0x1b0 [ 65.498850][ T6880] ? tcf_action_destroy+0x188/0x1b0 [ 65.505205][ T6880] kasan_report.cold+0x1f/0x37 [ 65.510328][ T6880] ? tcf_action_destroy+0x188/0x1b0 [ 65.515644][ T6880] tcf_action_destroy+0x188/0x1b0 [ 65.521246][ T6880] tcf_action_init+0x285/0x380 [ 65.526392][ T6880] ? tcf_action_init_1+0xac0/0xac0 [ 65.531763][ T6880] tcf_action_add+0xd9/0x360 [ 65.537239][ T6880] ? tca_action_gd+0xda0/0xda0 [ 65.542672][ T6880] ? lock_acquire+0x1f3/0xae0 [ 65.548120][ T6880] ? bpf_lsm_capable+0x5/0x10 [ 65.553607][ T6880] ? __nla_parse+0x3d/0x4a [ 65.558722][ T6880] tc_ctl_action+0x33a/0x439 [ 65.564403][ T6880] ? tcf_action_add+0x360/0x360 [ 65.569535][ T6880] ? lock_is_held_type+0xbb/0xf0 [ 65.575341][ T6880] ? tcf_action_add+0x360/0x360 [ 65.585794][ T6880] rtnetlink_rcv_msg+0x44e/0xad0 [ 65.590737][ T6880] ? rtnetlink_put_metrics+0x510/0x510 [ 65.596199][ T6880] ? lock_acquire+0x1f3/0xae0 [ 65.601173][ T6880] ? netlink_deliver_tap+0x146/0xb70 [ 65.607153][ T6880] netlink_rcv_skb+0x15a/0x430 [ 65.611983][ T6880] ? rtnetlink_put_metrics+0x510/0x510 [ 65.617727][ T6880] ? netlink_ack+0xa10/0xa10 [ 65.623150][ T6880] ? __kmalloc_node_track_caller+0x38/0x60 [ 65.629411][ T6880] netlink_unicast+0x533/0x7d0 [ 65.635758][ T6880] ? netlink_attachskb+0x810/0x810 [ 65.641606][ T6880] ? __phys_addr_symbol+0x2c/0x70 [ 65.647082][ T6880] ? __check_object_size+0x171/0x3e4 [ 65.652511][ T6880] netlink_sendmsg+0x856/0xd90 [ 65.657273][ T6880] ? netlink_unicast+0x7d0/0x7d0 [ 65.662602][ T6880] ? bpf_lsm_socket_sendmsg+0x5/0x10 [ 65.668323][ T6880] ? netlink_unicast+0x7d0/0x7d0 [ 65.673767][ T6880] sock_sendmsg+0xcf/0x120 [ 65.679037][ T6880] ____sys_sendmsg+0x6e8/0x810 [ 65.684035][ T6880] ? kernel_sendmsg+0x50/0x50 [ 65.689072][ T6880] ? do_recvmmsg+0x6d0/0x6d0 [ 65.694035][ T6880] ? lockdep_hardirqs_on_prepare+0x530/0x530 [ 65.701652][ T6880] ? lock_is_held_type+0xbb/0xf0 [ 65.706923][ T6880] ? find_held_lock+0x2d/0x110 [ 65.712412][ T6880] ___sys_sendmsg+0xf3/0x170 [ 65.718488][ T6880] ? sendmsg_copy_msghdr+0x160/0x160 [ 65.724566][ T6880] ? __fget_files+0x272/0x400 [ 65.730401][ T6880] ? lock_downgrade+0x830/0x830 [ 65.736062][ T6880] ? do_huge_pmd_anonymous_page+0x8f2/0x2200 [ 65.742982][ T6880] ? __fget_files+0x294/0x400 [ 65.748370][ T6880] ? __fget_light+0xea/0x280 [ 65.753944][ T6880] __sys_sendmsg+0xe5/0x1b0 [ 65.759014][ T6880] ? __sys_sendmsg_sock+0xb0/0xb0 [ 65.764542][ T6880] ? syscall_enter_from_user_mode+0x20/0x290 [ 65.771225][ T6880] ? lockdep_hardirqs_on+0x53/0x100 [ 65.777077][ T6880] do_syscall_64+0x2d/0x70 [ 65.782269][ T6880] entry_SYSCALL_64_after_hwframe+0x44/0xa9 [ 65.788670][ T6880] RIP: 0033:0x446c69 [ 65.793217][ T6880] Code: e8 5c b3 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 8b 07 fc ff c3 66 2e 0f 1f 84 00 00 00 00 [ 65.815866][ T6880] RSP: 002b:00007f16641f8d98 EFLAGS: 00000246 ORIG_RAX: 000000000000002e [ 65.825061][ T6880] RAX: ffffffffffffffda RBX: 00000000006dbc28 RCX: 0000000000446c69 [ 65.834740][ T6880] RDX: 0000000000000000 RSI: 0000000020002980 RDI: 0000000000000003 [ 65.842890][ T6880] RBP: 00000000006dbc20 R08: 0000000000000000 R09: 0000000000000000 [ 65.851421][ T6880] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dbc2c [ 65.859836][ T6880] R13: 0001008400000000 R14: 0000000000000000 R15: 053b003000000098 [ 65.869029][ T6880] [ 65.871359][ T6880] Allocated by task 6880: [ 65.875745][ T6880] kasan_save_stack+0x1b/0x40 [ 65.881181][ T6880] __kasan_kmalloc.constprop.0+0xbf/0xd0 [ 65.888429][ T6880] __kmalloc+0x1b0/0x310 [ 65.893485][ T6880] tcf_idr_create+0x5b/0x7b0 [ 65.898612][ T6880] tcf_connmark_init+0x535/0x960 [ 65.903758][ T6880] tcf_action_init_1+0x6a5/0xac0 [ 65.908744][ T6880] tcf_action_init+0x249/0x380 [ 65.913718][ T6880] tcf_action_add+0xd9/0x360 [ 65.918321][ T6880] tc_ctl_action+0x33a/0x439 [ 65.925250][ T6880] rtnetlink_rcv_msg+0x44e/0xad0 [ 65.930545][ T6880] netlink_rcv_skb+0x15a/0x430 [ 65.936947][ T6880] netlink_unicast+0x533/0x7d0 [ 65.944172][ T6880] netlink_sendmsg+0x856/0xd90 [ 65.949494][ T6880] sock_sendmsg+0xcf/0x120 [ 65.954377][ T6880] ____sys_sendmsg+0x6e8/0x810 [ 65.959618][ T6880] ___sys_sendmsg+0xf3/0x170 [ 65.965306][ T6880] __sys_sendmsg+0xe5/0x1b0 [ 65.969829][ T6880] do_syscall_64+0x2d/0x70 [ 65.974849][ T6880] entry_SYSCALL_64_after_hwframe+0x44/0xa9 [ 65.981233][ T6880] [ 65.984008][ T6880] Freed by task 6882: [ 65.988204][ T6880] kasan_save_stack+0x1b/0x40 [ 65.993398][ T6880] kasan_set_track+0x1c/0x30 [ 65.998171][ T6880] kasan_set_free_info+0x1b/0x30 [ 66.003264][ T6880] __kasan_slab_free+0xd8/0x120 [ 66.008604][ T6880] kfree+0x10e/0x2b0 [ 66.012826][ T6880] tcf_generic_walker+0x959/0xb60 [ 66.018248][ T6880] tca_action_flush+0x42b/0x920 [ 66.024800][ T6880] tca_action_gd+0x8ac/0xda0 [ 66.030104][ T6880] tc_ctl_action+0x280/0x439 [ 66.035205][ T6880] rtnetlink_rcv_msg+0x44e/0xad0 [ 66.041245][ T6880] netlink_rcv_skb+0x15a/0x430 [ 66.048924][ T6880] netlink_unicast+0x533/0x7d0 [ 66.055198][ T6880] netlink_sendmsg+0x856/0xd90 [ 66.062044][ T6880] sock_sendmsg+0xcf/0x120 [ 66.069688][ T6880] ____sys_sendmsg+0x6e8/0x810 [ 66.076485][ T6880] ___sys_sendmsg+0xf3/0x170 [ 66.082607][ T6880] __sys_sendmsg+0xe5/0x1b0 [ 66.087912][ T6880] do_syscall_64+0x2d/0x70 [ 66.092367][ T6880] entry_SYSCALL_64_after_hwframe+0x44/0xa9 [ 66.098332][ T6880] [ 66.101000][ T6880] The buggy address belongs to the object at ffff8880a6998c00 [ 66.101000][ T6880] which belongs to the cache kmalloc-512 of size 512 [ 66.116317][ T6880] The buggy address is located 0 bytes inside of [ 66.116317][ T6880] 512-byte region [ffff8880a6998c00, ffff8880a6998e00) [ 66.132980][ T6880] The buggy address belongs to the page: [ 66.139099][ T6880] page:00000000db318149 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff8880a6998400 pfn:0xa6998 [ 66.152663][ T6880] flags: 0xfffe0000000200(slab) [ 66.157854][ T6880] raw: 00fffe0000000200 ffffea00029e0748 ffffea00029b4808 ffff8880aa040600 [ 66.168958][ T6880] raw: ffff8880a6998400 ffff8880a6998000 0000000100000003 0000000000000000 [ 66.178470][ T6880] page dumped because: kasan: bad access detected [ 66.185489][ T6880] [ 66.187941][ T6880] Memory state around the buggy address: [ 66.198980][ T6880] ffff8880a6998b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 66.208874][ T6880] ffff8880a6998b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 66.218309][ T6880] >ffff8880a6998c00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 66.228741][ T6880] ^ [ 66.232838][ T6880] ffff8880a6998c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 66.241354][ T6880] ffff8880a6998d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 66.251405][ T6880] ================================================================== [ 66.260203][ T6880] Disabling lock debugging due to kernel taint [ 66.269593][ T6880] Kernel panic - not syncing: panic_on_warn set ... [ 66.276458][ T6880] CPU: 0 PID: 6880 Comm: syz-executor259 Tainted: G B 5.9.0-rc3-syzkaller #0 [ 66.287588][ T6880] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 66.298121][ T6880] Call Trace: [ 66.301432][ T6880] dump_stack+0x198/0x1fd [ 66.305779][ T6880] ? tcf_action_destroy+0x120/0x1b0 [ 66.311181][ T6880] panic+0x347/0x7c0 [ 66.315215][ T6880] ? __warn_printk+0xf3/0xf3 [ 66.319851][ T6880] ? preempt_schedule_common+0x59/0xc0 [ 66.325860][ T6880] ? tcf_action_destroy+0x188/0x1b0 [ 66.331089][ T6880] ? preempt_schedule_thunk+0x16/0x18 [ 66.336836][ T6880] ? trace_hardirqs_on+0x55/0x220 [ 66.342182][ T6880] ? tcf_action_destroy+0x188/0x1b0 [ 66.347641][ T6880] ? tcf_action_destroy+0x188/0x1b0 [ 66.353097][ T6880] end_report+0x4d/0x53 [ 66.358336][ T6880] kasan_report.cold+0xd/0x37 [ 66.364136][ T6880] ? tcf_action_destroy+0x188/0x1b0 [ 66.369901][ T6880] tcf_action_destroy+0x188/0x1b0 [ 66.375783][ T6880] tcf_action_init+0x285/0x380 [ 66.381484][ T6880] ? tcf_action_init_1+0xac0/0xac0 [ 66.387234][ T6880] tcf_action_add+0xd9/0x360 [ 66.392961][ T6880] ? tca_action_gd+0xda0/0xda0 [ 66.398023][ T6880] ? lock_acquire+0x1f3/0xae0 [ 66.403955][ T6880] ? bpf_lsm_capable+0x5/0x10 [ 66.409413][ T6880] ? __nla_parse+0x3d/0x4a [ 66.414269][ T6880] tc_ctl_action+0x33a/0x439 [ 66.421116][ T6880] ? tcf_action_add+0x360/0x360 [ 66.426314][ T6880] ? lock_is_held_type+0xbb/0xf0 [ 66.432353][ T6880] ? tcf_action_add+0x360/0x360 [ 66.437595][ T6880] rtnetlink_rcv_msg+0x44e/0xad0 [ 66.442843][ T6880] ? rtnetlink_put_metrics+0x510/0x510 [ 66.448455][ T6880] ? lock_acquire+0x1f3/0xae0 [ 66.453538][ T6880] ? netlink_deliver_tap+0x146/0xb70 [ 66.459141][ T6880] netlink_rcv_skb+0x15a/0x430 [ 66.464664][ T6880] ? rtnetlink_put_metrics+0x510/0x510 [ 66.470944][ T6880] ? netlink_ack+0xa10/0xa10 [ 66.475627][ T6880] ? __kmalloc_node_track_caller+0x38/0x60 [ 66.486534][ T6880] netlink_unicast+0x533/0x7d0 [ 66.492355][ T6880] ? netlink_attachskb+0x810/0x810 [ 66.497792][ T6880] ? __phys_addr_symbol+0x2c/0x70 [ 66.503496][ T6880] ? __check_object_size+0x171/0x3e4 [ 66.509049][ T6880] netlink_sendmsg+0x856/0xd90 [ 66.514050][ T6880] ? netlink_unicast+0x7d0/0x7d0 [ 66.519246][ T6880] ? bpf_lsm_socket_sendmsg+0x5/0x10 [ 66.524881][ T6880] ? netlink_unicast+0x7d0/0x7d0 [ 66.532159][ T6880] sock_sendmsg+0xcf/0x120 [ 66.538104][ T6880] ____sys_sendmsg+0x6e8/0x810 [ 66.542957][ T6880] ? kernel_sendmsg+0x50/0x50 [ 66.548155][ T6880] ? do_recvmmsg+0x6d0/0x6d0 [ 66.553084][ T6880] ? lockdep_hardirqs_on_prepare+0x530/0x530 [ 66.559533][ T6880] ? lock_is_held_type+0xbb/0xf0 [ 66.564719][ T6880] ? find_held_lock+0x2d/0x110 [ 66.569798][ T6880] ___sys_sendmsg+0xf3/0x170 [ 66.574929][ T6880] ? sendmsg_copy_msghdr+0x160/0x160 [ 66.581541][ T6880] ? __fget_files+0x272/0x400 [ 66.587255][ T6880] ? lock_downgrade+0x830/0x830 [ 66.592753][ T6880] ? do_huge_pmd_anonymous_page+0x8f2/0x2200 [ 66.599470][ T6880] ? __fget_files+0x294/0x400 [ 66.604720][ T6880] ? __fget_light+0xea/0x280 [ 66.609843][ T6880] __sys_sendmsg+0xe5/0x1b0 [ 66.614748][ T6880] ? __sys_sendmsg_sock+0xb0/0xb0 [ 66.620166][ T6880] ? syscall_enter_from_user_mode+0x20/0x290 [ 66.626993][ T6880] ? lockdep_hardirqs_on+0x53/0x100 [ 66.633325][ T6880] do_syscall_64+0x2d/0x70 [ 66.638091][ T6880] entry_SYSCALL_64_after_hwframe+0x44/0xa9 [ 66.645587][ T6880] RIP: 0033:0x446c69 [ 66.650024][ T6880] Code: e8 5c b3 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 8b 07 fc ff c3 66 2e 0f 1f 84 00 00 00 00 [ 66.672396][ T6880] RSP: 002b:00007f16641f8d98 EFLAGS: 00000246 ORIG_RAX: 000000000000002e [ 66.682006][ T6880] RAX: ffffffffffffffda RBX: 00000000006dbc28 RCX: 0000000000446c69 [ 66.689978][ T6880] RDX: 0000000000000000 RSI: 0000000020002980 RDI: 0000000000000003 [ 66.699585][ T6880] RBP: 00000000006dbc20 R08: 0000000000000000 R09: 0000000000000000 [ 66.708751][ T6880] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dbc2c [ 66.718166][ T6880] R13: 0001008400000000 R14: 0000000000000000 R15: 053b003000000098 [ 66.729754][ T6880] Kernel Offset: disabled [ 66.734868][ T6880] Rebooting in 86400 seconds..