Warning: Permanently added '10.128.0.69' (ECDSA) to the list of known hosts.
executing program
executing program
executing program
executing program
executing program
executing program
syzkaller login: [ 76.430174][ T6829] netlink: 8 bytes leftover after parsing attributes in process `syz-executor028'.
[ 76.433279][ T6834] netlink: 8 bytes leftover after parsing attributes in process `syz-executor028'.
[ 76.451512][ T6835] netlink: 8 bytes leftover after parsing attributes in process `syz-executor028'.
[ 76.451657][ T6836] netlink: 8 bytes leftover after parsing attributes in process `syz-executor028'.
[ 76.461742][ T6837] netlink: 8 bytes leftover after parsing attributes in process `syz-executor028'.
executing program
[ 76.477732][ T6836] ==================================================================
[ 76.488015][ T6836] BUG: KASAN: use-after-free in tipc_nl_publ_dump+0xae0/0xce0
[ 76.495486][ T6836] Read of size 2 at addr ffff8880a702fa84 by task syz-executor028/6836
[ 76.503712][ T6836]
[ 76.506047][ T6836] CPU: 0 PID: 6836 Comm: syz-executor028 Not tainted 5.8.0-rc2-syzkaller #0
[ 76.514890][ T6836] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 76.524967][ T6836] Call Trace:
[ 76.528256][ T6836]  dump_stack+0x18f/0x20d
[ 76.532591][ T6836]  ? tipc_nl_publ_dump+0xae0/0xce0
[ 76.537771][ T6836]  ? tipc_nl_publ_dump+0xae0/0xce0
[ 76.542886][ T6836]  print_address_description.constprop.0.cold+0xae/0x436
[ 76.549927][ T6836]  ? vprintk_func+0x97/0x1a6
[ 76.554549][ T6836]  ? tipc_nl_publ_dump+0xae0/0xce0
[ 76.559671][ T6836]  kasan_report.cold+0x1f/0x37
[ 76.564792][ T6836]  ? tipc_nl_publ_dump+0xae0/0xce0
[ 76.569905][ T6836]  tipc_nl_publ_dump+0xae0/0xce0
[ 76.574838][ T6836]  ? __mutex_lock+0x626/0x10d0
[ 76.579773][ T6836]  ? tipc_nl_sk_dump+0x30/0x30
[ 76.584534][ T6836]  ? check_preemption_disabled+0x38/0x220
[ 76.590332][ T6836]  ? rcu_read_lock_sched_held+0x3a/0xb0
[ 76.595868][ T6836]  ? kmem_cache_alloc_node_trace+0x3b0/0x400
[ 76.601864][ T6836]  ? __kmalloc_node_track_caller+0x38/0x60
[ 76.607668][ T6836]  ? kasan_unpoison_shadow+0x33/0x40
[ 76.612946][ T6836]  ? __phys_addr+0x9a/0x110
[ 76.617434][ T6836]  ? memset+0x20/0x40
[ 76.621407][ T6836]  genl_lock_dumpit+0x7f/0xb0
[ 76.626097][ T6836]  netlink_dump+0x4cd/0xf60
[ 76.630593][ T6836]  ? netlink_insert+0x1670/0x1670
[ 76.635713][ T6836]  ? __mutex_unlock_slowpath+0xe2/0x610
[ 76.641368][ T6836]  ? genl_start+0x45a/0x6e0
[ 76.645892][ T6836]  __netlink_dump_start+0x643/0x900
[ 76.651088][ T6836]  ? genl_rcv_msg+0x9e0/0x9e0
[ 76.655769][ T6836]  ? tipc_nl_sk_dump+0x30/0x30
[ 76.660523][ T6836]  genl_family_rcv_msg_dumpit+0x2ac/0x310
[ 76.666240][ T6836]  ? genl_rcv+0x40/0x40
[ 76.670405][ T6836]  ? mutex_lock_io_nested+0xf60/0xf60
[ 76.675956][ T6836]  ? mark_lock+0xbc/0x1710
[ 76.680365][ T6836]  ? genl_rcv_msg+0x9e0/0x9e0
[ 76.685030][ T6836]  ? genl_unlock+0x20/0x20
[ 76.689440][ T6836]  ? genl_parallel_done+0x170/0x170
[ 76.694635][ T6836]  ? __radix_tree_lookup+0x1f3/0x290
[ 76.700036][ T6836]  genl_rcv_msg+0x797/0x9e0
[ 76.704549][ T6836]  ? genl_family_rcv_msg_attrs_parse.isra.0+0x310/0x310
[ 76.711696][ T6836]  ? lock_acquire+0x1f1/0xad0
[ 76.716557][ T6836]  ? genl_rcv+0x15/0x40
[ 76.720707][ T6836]  ? lock_release+0x8d0/0x8d0
[ 76.725377][ T6836]  netlink_rcv_skb+0x15a/0x430
[ 76.730140][ T6836]  ? genl_family_rcv_msg_attrs_parse.isra.0+0x310/0x310
[ 76.737158][ T6836]  ? netlink_ack+0xa10/0xa10
[ 76.741751][ T6836]  genl_rcv+0x24/0x40
[ 76.745723][ T6836]  netlink_unicast+0x533/0x7d0
[ 76.750487][ T6836]  ? netlink_attachskb+0x810/0x810
[ 76.755604][ T6836]  ? _copy_from_iter_full+0x247/0x890
[ 76.760974][ T6836]  ? __phys_addr+0x9a/0x110
[ 76.765470][ T6836]  ? __phys_addr_symbol+0x2c/0x70
[ 76.770506][ T6836]  ? __check_object_size+0x171/0x3e4
[ 76.776034][ T6836]  netlink_sendmsg+0x856/0xd90
[ 76.780819][ T6836]  ? netlink_unicast+0x7d0/0x7d0
[ 76.785885][ T6836]  ? netlink_unicast+0x7d0/0x7d0
[ 76.790827][ T6836]  sock_sendmsg+0xcf/0x120
[ 76.795364][ T6836]  ____sys_sendmsg+0x6e8/0x810
[ 76.800154][ T6836]  ? kernel_sendmsg+0x50/0x50
[ 76.804960][ T6836]  ? do_recvmmsg+0x6d0/0x6d0
[ 76.809634][ T6836]  ? find_held_lock+0x2d/0x110
[ 76.814411][ T6836]  ? lockdep_hardirqs_on_prepare+0x590/0x590
[ 76.820390][ T6836]  ? lock_downgrade+0x820/0x820
[ 76.825247][ T6836]  ___sys_sendmsg+0xf3/0x170
[ 76.829833][ T6836]  ? sendmsg_copy_msghdr+0x160/0x160
[ 76.835131][ T6836]  ? debug_object_active_state+0x260/0x350
[ 76.840929][ T6836]  ? lock_downgrade+0x820/0x820
[ 76.845773][ T6836]  ? _raw_spin_unlock_irqrestore+0x62/0xe0
[ 76.851561][ T6836]  ? lockdep_hardirqs_on_prepare+0x3a2/0x590
[ 76.857652][ T6836]  ? _raw_spin_unlock_irqrestore+0x9b/0xe0
[ 76.863452][ T6836]  ? debug_object_active_state+0x260/0x350
[ 76.869266][ T6836]  ? trace_hardirqs_off+0x27/0x210
[ 76.874383][ T6836]  ? __fget_light+0x215/0x280
[ 76.879333][ T6836]  __sys_sendmsg+0xe5/0x1b0
[ 76.883838][ T6836]  ? __sys_sendmsg_sock+0xb0/0xb0
[ 76.888858][ T6836]  ? check_preemption_disabled+0x38/0x220
[ 76.894589][ T6836]  ? do_syscall_64+0x1c/0xe0
[ 76.899247][ T6836]  ? lockdep_hardirqs_on_prepare+0x3a2/0x590
[ 76.905415][ T6836]  do_syscall_64+0x60/0xe0
[ 76.909834][ T6836]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 76.915719][ T6836] RIP: 0033:0x445f09
[ 76.919636][ T6836] Code: Bad RIP value.
[ 76.923735][ T6836] RSP: 002b:00007ffc70cae918 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 76.932231][ T6836] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000445f09
[ 76.940355][ T6836] RDX: 0000000000000000 RSI: 0000000020000500 RDI: 0000000000000004
[ 76.948338][ T6836] RBP: 00000000006d0018 R08: 0000000000000000 R09: 00000000004002e0
[ 76.956401][ T6836] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000004030a0
[ 76.964482][ T6836] R13: 0000000000403130 R14: 0000000000000000 R15: 0000000000000000
[ 76.972468][ T6836]
[ 76.974787][ T6836] Allocated by task 6834:
[ 76.979126][ T6836]  save_stack+0x1b/0x40
[ 76.983272][ T6836]  __kasan_kmalloc.constprop.0+0xc2/0xd0
[ 76.988906][ T6836]  __alloc_skb+0xae/0x550
[ 76.993230][ T6836]  netlink_sendmsg+0x94f/0xd90
[ 76.998001][ T6836]  sock_sendmsg+0xcf/0x120
[ 77.002851][ T6836]  ____sys_sendmsg+0x6e8/0x810
[ 77.007596][ T6836]  ___sys_sendmsg+0xf3/0x170
[ 77.012263][ T6836]  __sys_sendmsg+0xe5/0x1b0
[ 77.016759][ T6836]  do_syscall_64+0x60/0xe0
[ 77.021171][ T6836]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 77.027050][ T6836]
[ 77.029375][ T6836] Freed by task 6834:
[ 77.033624][ T6836]  save_stack+0x1b/0x40
[ 77.037816][ T6836]  __kasan_slab_free+0xf5/0x140
[ 77.042653][ T6836]  kfree+0x103/0x2c0
[ 77.046531][ T6836]  skb_release_data+0x6d9/0x910
[ 77.051361][ T6836]  consume_skb+0xc2/0x160
[ 77.055672][ T6836]  netlink_unicast+0x53b/0x7d0
[ 77.060426][ T6836]  netlink_sendmsg+0x856/0xd90
[ 77.065187][ T6836]  sock_sendmsg+0xcf/0x120
[ 77.069598][ T6836]  ____sys_sendmsg+0x6e8/0x810
[ 77.074349][ T6836]  ___sys_sendmsg+0xf3/0x170
[ 77.079013][ T6836]  __sys_sendmsg+0xe5/0x1b0
[ 77.083499][ T6836]  do_syscall_64+0x60/0xe0
[ 77.087922][ T6836]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 77.093790][ T6836]
[ 77.096116][ T6836] The buggy address belongs to the object at ffff8880a702f800
[ 77.096116][ T6836]  which belongs to the cache kmalloc-1k of size 1024
[ 77.110177][ T6836] The buggy address is located 644 bytes inside of
[ 77.110177][ T6836]  1024-byte region [ffff8880a702f800, ffff8880a702fc00)
[ 77.123533][ T6836] The buggy address belongs to the page:
[ 77.129172][ T6836] page:ffffea00029c0bc0 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0
[ 77.138352][ T6836] flags: 0xfffe0000000200(slab)
[ 77.143194][ T6836] raw: 00fffe0000000200 ffffea00027c1008 ffffea0002864a48 ffff8880aa000c40
[ 77.151762][ T6836] raw: 0000000000000000 ffff8880a702f000 0000000100000002 0000000000000000
[ 77.160329][ T6836] page dumped because: kasan: bad access detected
[ 77.166722][ T6836]
[ 77.169036][ T6836] Memory state around the buggy address:
[ 77.174671][ T6836]  ffff8880a702f980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 77.182806][ T6836]  ffff8880a702fa00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 77.190873][ T6836] >ffff8880a702fa80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 77.198956][ T6836]                    ^
[ 77.203016][ T6836]  ffff8880a702fb00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 77.211064][ T6836]  ffff8880a702fb80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 77.219108][ T6836] ==================================================================
[ 77.227167][ T6836] Disabling lock debugging due to kernel taint
[ 77.234280][ T6836] Kernel panic - not syncing: panic_on_warn set ...
[ 77.241065][ T6836] CPU: 0 PID: 6836 Comm: syz-executor028 Tainted: G    B             5.8.0-rc2-syzkaller #0
[ 77.251144][ T6836] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 77.261206][ T6836] Call Trace:
[ 77.268855][ T6836]  dump_stack+0x18f/0x20d
[ 77.273199][ T6836]  ? tipc_nl_publ_dump+0xa10/0xce0
[ 77.278317][ T6836]  panic+0x2e3/0x75c
[ 77.282212][ T6836]  ? __warn_printk+0xf3/0xf3
[ 77.286783][ T6836]  ? preempt_schedule_common+0x59/0xc0
[ 77.292753][ T6836]  ? tipc_nl_publ_dump+0xae0/0xce0
[ 77.297857][ T6836]  ? preempt_schedule_thunk+0x16/0x18
[ 77.303223][ T6836]  ? trace_hardirqs_on+0x55/0x220
[ 77.308249][ T6836]  ? tipc_nl_publ_dump+0xae0/0xce0
[ 77.313343][ T6836]  ? tipc_nl_publ_dump+0xae0/0xce0
[ 77.318641][ T6836]  end_report+0x4d/0x53
[ 77.322823][ T6836]  kasan_report.cold+0xd/0x37
[ 77.327517][ T6836]  ? tipc_nl_publ_dump+0xae0/0xce0
[ 77.332613][ T6836]  tipc_nl_publ_dump+0xae0/0xce0
[ 77.337538][ T6836]  ? __mutex_lock+0x626/0x10d0
[ 77.342282][ T6836]  ? tipc_nl_sk_dump+0x30/0x30
[ 77.347048][ T6836]  ? check_preemption_disabled+0x38/0x220
[ 77.352759][ T6836]  ? rcu_read_lock_sched_held+0x3a/0xb0
[ 77.358314][ T6836]  ? kmem_cache_alloc_node_trace+0x3b0/0x400
[ 77.364300][ T6836]  ? __kmalloc_node_track_caller+0x38/0x60
[ 77.370114][ T6836]  ? kasan_unpoison_shadow+0x33/0x40
[ 77.375502][ T6836]  ? __phys_addr+0x9a/0x110
[ 77.380119][ T6836]  ? memset+0x20/0x40
[ 77.384105][ T6836]  genl_lock_dumpit+0x7f/0xb0
[ 77.388863][ T6836]  netlink_dump+0x4cd/0xf60
[ 77.393444][ T6836]  ? netlink_insert+0x1670/0x1670
[ 77.398549][ T6836]  ? __mutex_unlock_slowpath+0xe2/0x610
[ 77.404088][ T6836]  ? genl_start+0x45a/0x6e0
[ 77.408593][ T6836]  __netlink_dump_start+0x643/0x900
[ 77.413785][ T6836]  ? genl_rcv_msg+0x9e0/0x9e0
[ 77.418450][ T6836]  ? tipc_nl_sk_dump+0x30/0x30
[ 77.423199][ T6836]  genl_family_rcv_msg_dumpit+0x2ac/0x310
[ 77.429424][ T6836]  ? genl_rcv+0x40/0x40
[ 77.433574][ T6836]  ? mutex_lock_io_nested+0xf60/0xf60
[ 77.438941][ T6836]  ? mark_lock+0xbc/0x1710
[ 77.443369][ T6836]  ? genl_rcv_msg+0x9e0/0x9e0
[ 77.448045][ T6836]  ? genl_unlock+0x20/0x20
[ 77.452442][ T6836]  ? genl_parallel_done+0x170/0x170
[ 77.457646][ T6836]  ? __radix_tree_lookup+0x1f3/0x290
[ 77.462969][ T6836]  genl_rcv_msg+0x797/0x9e0
[ 77.467493][ T6836]  ? genl_family_rcv_msg_attrs_parse.isra.0+0x310/0x310
[ 77.474416][ T6836]  ? lock_acquire+0x1f1/0xad0
[ 77.479098][ T6836]  ? genl_rcv+0x15/0x40
[ 77.483240][ T6836]  ? lock_release+0x8d0/0x8d0
[ 77.487909][ T6836]  netlink_rcv_skb+0x15a/0x430
[ 77.492679][ T6836]  ? genl_family_rcv_msg_attrs_parse.isra.0+0x310/0x310
[ 77.499597][ T6836]  ? netlink_ack+0xa10/0xa10
[ 77.504176][ T6836]  genl_rcv+0x24/0x40
[ 77.508140][ T6836]  netlink_unicast+0x533/0x7d0
[ 77.512890][ T6836]  ? netlink_attachskb+0x810/0x810
[ 77.517978][ T6836]  ? _copy_from_iter_full+0x247/0x890
[ 77.523509][ T6836]  ? __phys_addr+0x9a/0x110
[ 77.528167][ T6836]  ? __phys_addr_symbol+0x2c/0x70
[ 77.533227][ T6836]  ? __check_object_size+0x171/0x3e4
[ 77.538512][ T6836]  netlink_sendmsg+0x856/0xd90
[ 77.543271][ T6836]  ? netlink_unicast+0x7d0/0x7d0
[ 77.548228][ T6836]  ? netlink_unicast+0x7d0/0x7d0
[ 77.553162][ T6836]  sock_sendmsg+0xcf/0x120
[ 77.557565][ T6836]  ____sys_sendmsg+0x6e8/0x810
[ 77.562312][ T6836]  ? kernel_sendmsg+0x50/0x50
[ 77.566969][ T6836]  ? do_recvmmsg+0x6d0/0x6d0
[ 77.571537][ T6836]  ? find_held_lock+0x2d/0x110
[ 77.576284][ T6836]  ? lockdep_hardirqs_on_prepare+0x590/0x590
[ 77.582258][ T6836]  ? lock_downgrade+0x820/0x820
[ 77.587094][ T6836]  ___sys_sendmsg+0xf3/0x170
[ 77.592192][ T6836]  ? sendmsg_copy_msghdr+0x160/0x160
[ 77.597474][ T6836]  ? debug_object_active_state+0x260/0x350
[ 77.603274][ T6836]  ? lock_downgrade+0x820/0x820
[ 77.608121][ T6836]  ? _raw_spin_unlock_irqrestore+0x62/0xe0
[ 77.613918][ T6836]  ? lockdep_hardirqs_on_prepare+0x3a2/0x590
[ 77.619901][ T6836]  ? _raw_spin_unlock_irqrestore+0x9b/0xe0
[ 77.625701][ T6836]  ? debug_object_active_state+0x260/0x350
[ 77.631584][ T6836]  ? trace_hardirqs_off+0x27/0x210
[ 77.636862][ T6836]  ? __fget_light+0x215/0x280
[ 77.641670][ T6836]  __sys_sendmsg+0xe5/0x1b0
[ 77.646190][ T6836]  ? __sys_sendmsg_sock+0xb0/0xb0
[ 77.651333][ T6836]  ? check_preemption_disabled+0x38/0x220
[ 77.657043][ T6836]  ? do_syscall_64+0x1c/0xe0
[ 77.661630][ T6836]  ? lockdep_hardirqs_on_prepare+0x3a2/0x590
[ 77.667619][ T6836]  do_syscall_64+0x60/0xe0
[ 77.672245][ T6836]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 77.678667][ T6836] RIP: 0033:0x445f09
[ 77.682644][ T6836] Code: Bad RIP value.
[ 77.687218][ T6836] RSP: 002b:00007ffc70cae918 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 77.696578][ T6836] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000445f09
[ 77.704717][ T6836] RDX: 0000000000000000 RSI: 0000000020000500 RDI: 0000000000000004
[ 77.712770][ T6836] RBP: 00000000006d0018 R08: 0000000000000000 R09: 00000000004002e0
[ 77.721149][ T6836] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000004030a0
[ 77.729144][ T6836] R13: 0000000000403130 R14: 0000000000000000 R15: 0000000000000000
[ 77.738711][ T6836] Kernel Offset: disabled
[ 77.743035][ T6836] Rebooting in 86400 seconds..