Warning: Permanently added '10.128.0.83' (ED25519) to the list of known hosts.
executing program
[ 34.631997][ T5987] netlink: 'syz-executor315': attribute type 8 has an invalid length.
[ 34.634291][ T5987] ==================================================================
[ 34.636360][ T5987] BUG: KASAN: stack-out-of-bounds in __nla_validate_parse+0x134/0x24cc
[ 34.638369][ T5987] Write of size 32 at addr ffff800096f26b60 by task syz-executor315/5987
[ 34.640592][ T5987]
[ 34.641207][ T5987] CPU: 0 PID: 5987 Comm: syz-executor315 Not tainted 6.5.0-rc4-syzkaller-g86d7896480b0 #0
[ 34.643871][ T5987] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2023
[ 34.646561][ T5987] Call trace:
[ 34.647450][ T5987]  dump_backtrace+0x1b8/0x1e4
[ 34.648741][ T5987]  show_stack+0x2c/0x44
[ 34.649840][ T5987]  dump_stack_lvl+0xd0/0x124
[ 34.651098][ T5987]  print_report+0x174/0x514
[ 34.652357][ T5987]  kasan_report+0xd8/0x138
[ 34.653530][ T5987]  kasan_check_range+0x254/0x294
[ 34.654824][ T5987]  __asan_memset+0x34/0x64
[ 34.655987][ T5987]  __nla_validate_parse+0x134/0x24cc
[ 34.657364][ T5987]  __nla_parse+0x60/0x7c
[ 34.658491][ T5987]  fl_set_key_cfm+0x190/0x370
[ 34.659752][ T5987]  fl_set_key+0x1924/0x5378
[ 34.660889][ T5987]  fl_tmplt_create+0x1e4/0x458
[ 34.662158][ T5987]  tc_ctl_chain+0x1030/0x1694
[ 34.663337][ T5987]  rtnetlink_rcv_msg+0x748/0xdc0
[ 34.664616][ T5987]  netlink_rcv_skb+0x214/0x3c4
[ 34.665836][ T5987]  rtnetlink_rcv+0x28/0x38
[ 34.666998][ T5987]  netlink_unicast+0x660/0x8d4
[ 34.668235][ T5987]  netlink_sendmsg+0x834/0xb18
[ 34.669446][ T5987]  ____sys_sendmsg+0x56c/0x840
[ 34.670662][ T5987]  __sys_sendmsg+0x26c/0x33c
[ 34.671828][ T5987]  __arm64_sys_sendmsg+0x80/0x94
[ 34.673084][ T5987]  invoke_syscall+0x98/0x2c0
[ 34.674288][ T5987]  el0_svc_common+0x138/0x244
[ 34.675700][ T5987]  do_el0_svc+0x64/0x198
[ 34.676934][ T5987]  el0_svc+0x4c/0x160
[ 34.678042][ T5987]  el0t_64_sync_handler+0x84/0xfc
[ 34.679470][ T5987]  el0t_64_sync+0x190/0x194
[ 34.680724][ T5987]
[ 34.681377][ T5987] The buggy address belongs to stack of task syz-executor315/5987
[ 34.683482][ T5987]  and is located at offset 32 in frame:
[ 34.684979][ T5987]  fl_set_key_cfm+0x0/0x370
[ 34.686203][ T5987]
[ 34.686797][ T5987] This frame has 1 object:
[ 34.687977][ T5987]  [32, 56) 'nla_cfm_opt'
[ 34.687987][ T5987]
[ 34.689805][ T5987] The buggy address belongs to the virtual mapping at
[ 34.689805][ T5987]  [ffff800096f20000, ffff800096f29000) created by:
[ 34.689805][ T5987]  copy_process+0x488/0x34b8
[ 34.694616][ T5987]
[ 34.695249][ T5987] The buggy address belongs to the physical page:
[ 34.696986][ T5987] page:000000002c6f789e refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10b547
[ 34.699788][ T5987] flags: 0x5ffc00000000000(node=0|zone=2|lastcpupid=0x7ff)
[ 34.701723][ T5987] page_type: 0xffffffff()
[ 34.702907][ T5987] raw: 05ffc00000000000 0000000000000000 dead000000000122 0000000000000000
[ 34.705322][ T5987] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
[ 34.707628][ T5987] page dumped because: kasan: bad access detected
[ 34.709323][ T5987]
[ 34.709965][ T5987] Memory state around the buggy address:
[ 34.711468][ T5987]  ffff800096f26a00: 00 00 f2 f2 00 f3 f3 f3 00 00 00 00 00 00 00 00
[ 34.713649][ T5987]  ffff800096f26a80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 34.715853][ T5987] >ffff800096f26b00: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 00 00 f3
[ 34.718016][ T5987]                                                        ^
[ 34.720150][ T5987]  ffff800096f26b80: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
[ 34.722397][ T5987]  ffff800096f26c00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 34.724552][ T5987] ==================================================================
[ 34.728331][ T5987] Disabling lock debugging due to kernel taint
[ 34.730174][ T5987] netlink: 'syz-executor315': attribute type 2 has an invalid length.