Warning: Permanently added '10.128.1.8' (ECDSA) to the list of known hosts.
executing program
executing program
syzkaller login: [   85.326176][ T9482] ==================================================================
[   85.334412][ T9482] BUG: KASAN: use-after-free in bitmap_port_ext_cleanup+0xe6/0x2a0
[   85.342327][ T9482] Read of size 8 at addr ffff8880a1920740 by task syz-executor072/9482
[   85.350544][ T9482] 
[   85.352858][ T9482] CPU: 0 PID: 9482 Comm: syz-executor072 Not tainted 5.5.0-rc4-syzkaller #0
[   85.361505][ T9482] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   85.371573][ T9482] Call Trace:
[   85.374853][ T9482]  dump_stack+0x197/0x210
[   85.379185][ T9482]  ? bitmap_port_ext_cleanup+0xe6/0x2a0
[   85.384725][ T9482]  print_address_description.constprop.0.cold+0xd4/0x30b
[   85.391730][ T9482]  ? bitmap_port_ext_cleanup+0xe6/0x2a0
[   85.397257][ T9482]  ? bitmap_port_ext_cleanup+0xe6/0x2a0
[   85.402782][ T9482]  __kasan_report.cold+0x1b/0x41
[   85.407704][ T9482]  ? kfree+0x190/0x2c0
[   85.411818][ T9482]  ? bitmap_port_ext_cleanup+0xe6/0x2a0
[   85.417443][ T9482]  kasan_report+0x12/0x20
[   85.421758][ T9482]  check_memory_region+0x134/0x1a0
[   85.426849][ T9482]  __kasan_check_read+0x11/0x20
[   85.431679][ T9482]  bitmap_port_ext_cleanup+0xe6/0x2a0
[   85.437034][ T9482]  bitmap_port_destroy+0x17c/0x1d0
[   85.442130][ T9482]  ip_set_create+0xe47/0x1500
[   85.446809][ T9482]  ? ip_set_destroy+0xb70/0xb70
[   85.451667][ T9482]  ? ip_set_destroy+0xb70/0xb70
[   85.456504][ T9482]  nfnetlink_rcv_msg+0xcf2/0xfb0
[   85.461429][ T9482]  ? nfnetlink_bind+0x2c0/0x2c0
[   85.466277][ T9482]  ? __kasan_check_read+0x11/0x20
[   85.471287][ T9482]  ? __lock_acquire+0x8a0/0x4a00
[   85.476212][ T9482]  ? save_stack+0x5c/0x90
[   85.480533][ T9482]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   85.486765][ T9482]  ? apparmor_capable+0x497/0x900
[   85.491776][ T9482]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   85.498009][ T9482]  ? __kasan_check_read+0x11/0x20
[   85.503030][ T9482]  ? apparmor_cred_prepare+0x7b0/0x7b0
[   85.508480][ T9482]  netlink_rcv_skb+0x177/0x450
[   85.513226][ T9482]  ? nfnetlink_bind+0x2c0/0x2c0
[   85.518058][ T9482]  ? netlink_ack+0xb50/0xb50
[   85.522635][ T9482]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   85.528872][ T9482]  ? ns_capable_common+0x93/0x100
[   85.533877][ T9482]  ? ns_capable+0x20/0x30
[   85.538203][ T9482]  ? __netlink_ns_capable+0x104/0x140
[   85.543561][ T9482]  nfnetlink_rcv+0x1ba/0x460
[   85.548143][ T9482]  ? nfnetlink_rcv_batch+0x17a0/0x17a0
[   85.553593][ T9482]  ? netlink_deliver_tap+0x24a/0xbe0
[   85.558867][ T9482]  ? __kasan_check_write+0x14/0x20
[   85.564007][ T9482]  netlink_unicast+0x58c/0x7d0
[   85.568753][ T9482]  ? netlink_attachskb+0x870/0x870
[   85.573887][ T9482]  ? __sanitizer_cov_trace_cmp8+0x18/0x20
[   85.579587][ T9482]  ? __check_object_size+0x3d/0x437
[   85.584783][ T9482]  netlink_sendmsg+0x91c/0xea0
[   85.589531][ T9482]  ? netlink_unicast+0x7d0/0x7d0
[   85.594447][ T9482]  ? aa_sock_msg_perm.isra.0+0xba/0x170
[   85.599970][ T9482]  ? apparmor_socket_sendmsg+0x2a/0x30
[   85.605407][ T9482]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   85.611627][ T9482]  ? security_socket_sendmsg+0x8d/0xc0
[   85.617104][ T9482]  ? netlink_unicast+0x7d0/0x7d0
[   85.622025][ T9482]  sock_sendmsg+0xd7/0x130
[   85.626422][ T9482]  ____sys_sendmsg+0x753/0x880
[   85.631169][ T9482]  ? kernel_sendmsg+0x50/0x50
[   85.635852][ T9482]  ? mark_held_locks+0xa4/0xf0
[   85.640607][ T9482]  ? do_huge_pmd_anonymous_page+0x1463/0x1a50
[   85.646662][ T9482]  ? __handle_mm_fault+0x3145/0x3cc0
[   85.651928][ T9482]  ? do_huge_pmd_anonymous_page+0x1463/0x1a50
[   85.657984][ T9482]  ___sys_sendmsg+0x100/0x170
[   85.662656][ T9482]  ? do_huge_pmd_anonymous_page+0xceb/0x1a50
[   85.668626][ T9482]  ? sendmsg_copy_msghdr+0x70/0x70
[   85.673726][ T9482]  ? __do_page_fault+0x56a/0xd80
[   85.678708][ T9482]  ? find_held_lock+0x35/0x130
[   85.683453][ T9482]  ? __do_page_fault+0x56a/0xd80
[   85.688375][ T9482]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   85.694597][ T9482]  ? __fget_light+0x1a9/0x230
[   85.699268][ T9482]  ? __fdget+0x1b/0x20
[   85.703332][ T9482]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   85.709567][ T9482]  __sys_sendmsg+0x105/0x1d0
[   85.714136][ T9482]  ? __sys_sendmsg_sock+0xc0/0xc0
[   85.719142][ T9482]  ? down_read_non_owner+0x490/0x490
[   85.724413][ T9482]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   85.729854][ T9482]  ? do_syscall_64+0x26/0x790
[   85.734509][ T9482]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   85.740551][ T9482]  ? do_syscall_64+0x26/0x790
[   85.745217][ T9482]  __x64_sys_sendmsg+0x78/0xb0
[   85.749963][ T9482]  do_syscall_64+0xfa/0x790
[   85.754448][ T9482]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   85.760315][ T9482] RIP: 0033:0x4413d9
[   85.764241][ T9482] Code: e8 fc ab 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 9b 09 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[   85.783840][ T9482] RSP: 002b:00007ffefd628468 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[   85.792233][ T9482] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00000000004413d9
[   85.800190][ T9482] RDX: 0000000000000000 RSI: 0000000020001080 RDI: 0000000000000003
[   85.808149][ T9482] RBP: 0000000000014d2f R08: 00000000004002c8 R09: 00000000004002c8
[   85.816147][ T9482] R10: 0000000000000004 R11: 0000000000000246 R12: 0000000000402200
[   85.824100][ T9482] R13: 0000000000402290 R14: 0000000000000000 R15: 0000000000000000
[   85.832065][ T9482] 
[   85.834377][ T9482] Allocated by task 9482:
[   85.838692][ T9482]  save_stack+0x23/0x90
[   85.842885][ T9482]  __kasan_kmalloc.constprop.0+0xcf/0xe0
[   85.848511][ T9482]  kasan_kmalloc+0x9/0x10
[   85.852826][ T9482]  __kmalloc+0x163/0x770
[   85.857088][ T9482]  ip_set_alloc+0x38/0x5e
[   85.861415][ T9482]  bitmap_port_create+0x3dc/0x7c0
[   85.866432][ T9482]  ip_set_create+0x6f1/0x1500
[   85.871111][ T9482]  nfnetlink_rcv_msg+0xcf2/0xfb0
[   85.876033][ T9482]  netlink_rcv_skb+0x177/0x450
[   85.880777][ T9482]  nfnetlink_rcv+0x1ba/0x460
[   85.885353][ T9482]  netlink_unicast+0x58c/0x7d0
[   85.890110][ T9482]  netlink_sendmsg+0x91c/0xea0
[   85.894856][ T9482]  sock_sendmsg+0xd7/0x130
[   85.899250][ T9482]  ____sys_sendmsg+0x753/0x880
[   85.903993][ T9482]  ___sys_sendmsg+0x100/0x170
[   85.908647][ T9482]  __sys_sendmsg+0x105/0x1d0
[   85.913232][ T9482]  __x64_sys_sendmsg+0x78/0xb0
[   85.917992][ T9482]  do_syscall_64+0xfa/0x790
[   85.922478][ T9482]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   85.928345][ T9482] 
[   85.930665][ T9482] Freed by task 9482:
[   85.934628][ T9482]  save_stack+0x23/0x90
[   85.938774][ T9482]  __kasan_slab_free+0x102/0x150
[   85.943696][ T9482]  kasan_slab_free+0xe/0x10
[   85.948201][ T9482]  kfree+0x10a/0x2c0
[   85.952075][ T9482]  kvfree+0x61/0x70
[   85.955862][ T9482]  ip_set_free+0x16/0x20
[   85.960107][ T9482]  bitmap_port_destroy+0xae/0x1d0
[   85.965244][ T9482]  ip_set_create+0xe47/0x1500
[   85.969899][ T9482]  nfnetlink_rcv_msg+0xcf2/0xfb0
[   85.974814][ T9482]  netlink_rcv_skb+0x177/0x450
[   85.979556][ T9482]  nfnetlink_rcv+0x1ba/0x460
[   85.984127][ T9482]  netlink_unicast+0x58c/0x7d0
[   85.988873][ T9482]  netlink_sendmsg+0x91c/0xea0
[   85.993630][ T9482]  sock_sendmsg+0xd7/0x130
[   85.998039][ T9482]  ____sys_sendmsg+0x753/0x880
[   86.002783][ T9482]  ___sys_sendmsg+0x100/0x170
[   86.007440][ T9482]  __sys_sendmsg+0x105/0x1d0
[   86.012011][ T9482]  __x64_sys_sendmsg+0x78/0xb0
[   86.016752][ T9482]  do_syscall_64+0xfa/0x790
[   86.021234][ T9482]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   86.027099][ T9482] 
[   86.029411][ T9482] The buggy address belongs to the object at ffff8880a1920740
[   86.029411][ T9482]  which belongs to the cache kmalloc-32 of size 32
[   86.043269][ T9482] The buggy address is located 0 bytes inside of
[   86.043269][ T9482]  32-byte region [ffff8880a1920740, ffff8880a1920760)
[   86.056266][ T9482] The buggy address belongs to the page:
[   86.061882][ T9482] page:ffffea0002864800 refcount:1 mapcount:0 mapping:ffff8880aa4001c0 index:0xffff8880a1920fc1
[   86.072286][ T9482] raw: 00fffe0000000200 ffffea00029a9cc8 ffffea00027e6548 ffff8880aa4001c0
[   86.080866][ T9482] raw: ffff8880a1920fc1 ffff8880a1920000 0000000100000037 0000000000000000
[   86.089425][ T9482] page dumped because: kasan: bad access detected
[   86.095810][ T9482] 
[   86.098145][ T9482] Memory state around the buggy address:
[   86.103768][ T9482]  ffff8880a1920600: 02 fc fc fc fc fc fc fc fb fb fb fb fc fc fc fc
[   86.111821][ T9482]  ffff8880a1920680: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[   86.119862][ T9482] >ffff8880a1920700: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[   86.127899][ T9482]                                            ^
[   86.134029][ T9482]  ffff8880a1920780: fb fb fb fb fc fc fc fc 00 00 00 00 fc fc fc fc
[   86.142069][ T9482]  ffff8880a1920800: 00 00 fc fc fc fc fc fc 00 fc fc fc fc fc fc fc
[   86.150136][ T9482] ==================================================================
[   86.158188][ T9482] Disabling lock debugging due to kernel taint
[   86.165233][ T9482] Kernel panic - not syncing: panic_on_warn set ...
[   86.171833][ T9482] CPU: 0 PID: 9482 Comm: syz-executor072 Tainted: G    B             5.5.0-rc4-syzkaller #0
[   86.181873][ T9482] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   86.192005][ T9482] Call Trace:
[   86.195275][ T9482]  dump_stack+0x197/0x210
[   86.199601][ T9482]  panic+0x2e3/0x75c
[   86.203484][ T9482]  ? add_taint.cold+0x16/0x16
[   86.208144][ T9482]  ? bitmap_port_ext_cleanup+0xe6/0x2a0
[   86.213682][ T9482]  ? preempt_schedule+0x4b/0x60
[   86.218526][ T9482]  ? ___preempt_schedule+0x16/0x18
[   86.223627][ T9482]  ? trace_hardirqs_on+0x5e/0x240
[   86.228634][ T9482]  ? bitmap_port_ext_cleanup+0xe6/0x2a0
[   86.234158][ T9482]  end_report+0x47/0x4f
[   86.238303][ T9482]  ? bitmap_port_ext_cleanup+0xe6/0x2a0
[   86.243826][ T9482]  __kasan_report.cold+0xe/0x41
[   86.248652][ T9482]  ? kfree+0x190/0x2c0
[   86.252700][ T9482]  ? bitmap_port_ext_cleanup+0xe6/0x2a0
[   86.258220][ T9482]  kasan_report+0x12/0x20
[   86.262543][ T9482]  check_memory_region+0x134/0x1a0
[   86.267629][ T9482]  __kasan_check_read+0x11/0x20
[   86.272460][ T9482]  bitmap_port_ext_cleanup+0xe6/0x2a0
[   86.277809][ T9482]  bitmap_port_destroy+0x17c/0x1d0
[   86.282900][ T9482]  ip_set_create+0xe47/0x1500
[   86.287558][ T9482]  ? ip_set_destroy+0xb70/0xb70
[   86.292395][ T9482]  ? ip_set_destroy+0xb70/0xb70
[   86.297224][ T9482]  nfnetlink_rcv_msg+0xcf2/0xfb0
[   86.302150][ T9482]  ? nfnetlink_bind+0x2c0/0x2c0
[   86.306981][ T9482]  ? __kasan_check_read+0x11/0x20
[   86.311995][ T9482]  ? __lock_acquire+0x8a0/0x4a00
[   86.316909][ T9482]  ? save_stack+0x5c/0x90
[   86.321216][ T9482]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   86.327430][ T9482]  ? apparmor_capable+0x497/0x900
[   86.332433][ T9482]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   86.338648][ T9482]  ? __kasan_check_read+0x11/0x20
[   86.343649][ T9482]  ? apparmor_cred_prepare+0x7b0/0x7b0
[   86.349087][ T9482]  netlink_rcv_skb+0x177/0x450
[   86.353830][ T9482]  ? nfnetlink_bind+0x2c0/0x2c0
[   86.358684][ T9482]  ? netlink_ack+0xb50/0xb50
[   86.363272][ T9482]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   86.369490][ T9482]  ? ns_capable_common+0x93/0x100
[   86.374489][ T9482]  ? ns_capable+0x20/0x30
[   86.378800][ T9482]  ? __netlink_ns_capable+0x104/0x140
[   86.384148][ T9482]  nfnetlink_rcv+0x1ba/0x460
[   86.388718][ T9482]  ? nfnetlink_rcv_batch+0x17a0/0x17a0
[   86.394152][ T9482]  ? netlink_deliver_tap+0x24a/0xbe0
[   86.399414][ T9482]  ? __kasan_check_write+0x14/0x20
[   86.404504][ T9482]  netlink_unicast+0x58c/0x7d0
[   86.409247][ T9482]  ? netlink_attachskb+0x870/0x870
[   86.414336][ T9482]  ? __sanitizer_cov_trace_cmp8+0x18/0x20
[   86.420034][ T9482]  ? __check_object_size+0x3d/0x437
[   86.425210][ T9482]  netlink_sendmsg+0x91c/0xea0
[   86.429957][ T9482]  ? netlink_unicast+0x7d0/0x7d0
[   86.434873][ T9482]  ? aa_sock_msg_perm.isra.0+0xba/0x170
[   86.440519][ T9482]  ? apparmor_socket_sendmsg+0x2a/0x30
[   86.445975][ T9482]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   86.452211][ T9482]  ? security_socket_sendmsg+0x8d/0xc0
[   86.457653][ T9482]  ? netlink_unicast+0x7d0/0x7d0
[   86.462572][ T9482]  sock_sendmsg+0xd7/0x130
[   86.466971][ T9482]  ____sys_sendmsg+0x753/0x880
[   86.471718][ T9482]  ? kernel_sendmsg+0x50/0x50
[   86.476374][ T9482]  ? mark_held_locks+0xa4/0xf0
[   86.481114][ T9482]  ? do_huge_pmd_anonymous_page+0x1463/0x1a50
[   86.487170][ T9482]  ? __handle_mm_fault+0x3145/0x3cc0
[   86.492472][ T9482]  ? do_huge_pmd_anonymous_page+0x1463/0x1a50
[   86.498556][ T9482]  ___sys_sendmsg+0x100/0x170
[   86.503211][ T9482]  ? do_huge_pmd_anonymous_page+0xceb/0x1a50
[   86.509185][ T9482]  ? sendmsg_copy_msghdr+0x70/0x70
[   86.514292][ T9482]  ? __do_page_fault+0x56a/0xd80
[   86.519209][ T9482]  ? find_held_lock+0x35/0x130
[   86.523953][ T9482]  ? __do_page_fault+0x56a/0xd80
[   86.528877][ T9482]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   86.535095][ T9482]  ? __fget_light+0x1a9/0x230
[   86.539755][ T9482]  ? __fdget+0x1b/0x20
[   86.543848][ T9482]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   86.550067][ T9482]  __sys_sendmsg+0x105/0x1d0
[   86.554636][ T9482]  ? __sys_sendmsg_sock+0xc0/0xc0
[   86.559663][ T9482]  ? down_read_non_owner+0x490/0x490
[   86.564952][ T9482]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   86.570402][ T9482]  ? do_syscall_64+0x26/0x790
[   86.575063][ T9482]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   86.581120][ T9482]  ? do_syscall_64+0x26/0x790
[   86.585780][ T9482]  __x64_sys_sendmsg+0x78/0xb0
[   86.590575][ T9482]  do_syscall_64+0xfa/0x790
[   86.595058][ T9482]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   86.600926][ T9482] RIP: 0033:0x4413d9
[   86.604799][ T9482] Code: e8 fc ab 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 9b 09 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[   86.624386][ T9482] RSP: 002b:00007ffefd628468 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[   86.632788][ T9482] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00000000004413d9
[   86.640742][ T9482] RDX: 0000000000000000 RSI: 0000000020001080 RDI: 0000000000000003
[   86.648692][ T9482] RBP: 0000000000014d2f R08: 00000000004002c8 R09: 00000000004002c8
[   86.656690][ T9482] R10: 0000000000000004 R11: 0000000000000246 R12: 0000000000402200
[   86.664648][ T9482] R13: 0000000000402290 R14: 0000000000000000 R15: 0000000000000000
[   86.673928][ T9482] Kernel Offset: disabled
[   86.678259][ T9482] Rebooting in 86400 seconds..
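The report above is a raw console log, and triage usually needs only a handful of facts buried in it: which function faulted, whether the object was freed by the same task that then read it, and where the free path and the use path meet. Here the "Freed by" stack and the faulting call trace both pass through bitmap_port_destroy, at +0xae (into ip_set_free, which kfree()s the set) and at +0x17c (into bitmap_port_ext_cleanup, which reads the freed memory), both called from ip_set_create+0xe47 in task 9482, so the report describes an ordering bug on one destroy path rather than a race between tasks. The Python script below is an example added by the editor, not part of the syzkaller report or of the kernel; it parses a KASAN report into those fields and derives that join point mechanically. Its input is a constructed subset of the report lines above, and the field names and the REPORTER frame list are the script's own choices, not anything KASAN defines.

```python
"""Structured triage of a KASAN use-after-free report as printed on a syzkaller
console. Example added by the editor; it is not part of the report above and
states only what the report text itself says."""
import re

# Constructed input: a subset of the report's lines, copied with the console
# "[ time][ Tpid]" prefix intact so the parser has to strip it.
SAMPLE = """\
[   85.334412][ T9482] BUG: KASAN: use-after-free in bitmap_port_ext_cleanup+0xe6/0x2a0
[   85.342327][ T9482] Read of size 8 at addr ffff8880a1920740 by task syz-executor072/9482
[   85.352858][ T9482] CPU: 0 PID: 9482 Comm: syz-executor072 Not tainted 5.5.0-rc4-syzkaller #0
[   85.371573][ T9482] Call Trace:
[   85.374853][ T9482]  dump_stack+0x197/0x210
[   85.379185][ T9482]  ? bitmap_port_ext_cleanup+0xe6/0x2a0
[   85.417443][ T9482]  kasan_report+0x12/0x20
[   85.431679][ T9482]  bitmap_port_ext_cleanup+0xe6/0x2a0
[   85.437034][ T9482]  bitmap_port_destroy+0x17c/0x1d0
[   85.442130][ T9482]  ip_set_create+0xe47/0x1500
[   85.745217][ T9482]  __x64_sys_sendmsg+0x78/0xb0
[   85.760315][ T9482] RIP: 0033:0x4413d9
[   85.834377][ T9482] Allocated by task 9482:
[   85.861415][ T9482]  ip_set_alloc+0x38/0x5e
[   85.866432][ T9482]  bitmap_port_create+0x3dc/0x7c0
[   85.928345][ T9482]
[   85.930665][ T9482] Freed by task 9482:
[   85.955862][ T9482]  ip_set_free+0x16/0x20
[   85.960107][ T9482]  bitmap_port_destroy+0xae/0x1d0
[   85.965244][ T9482]  ip_set_create+0xe47/0x1500
[   86.027099][ T9482]
[   86.029411][ T9482]  which belongs to the cache kmalloc-32 of size 32
[   86.043269][ T9482]  32-byte region [ffff8880a1920740, ffff8880a1920760)
"""

PREFIX = re.compile(r"^\[\s*\d+\.\d+\]\[\s*T\d+\]\s?")
FRAME = re.compile(r"^(\? )?([A-Za-z_][\w.]*)\+0x([0-9a-f]+)/0x([0-9a-f]+)$")
# KASAN's own reporting machinery sits between the faulting frame and dump_stack().
REPORTER = ("dump_stack", "print_address_description", "__kasan_report",
            "kasan_report", "check_memory_region", "__kasan_check_")


def parse_frames(lines, start):
    """Collect consecutive 'func+0xoff/0xsize' frames beginning at lines[start]."""
    frames = []
    for raw in lines[start:]:
        m = FRAME.match(raw)
        if not m:
            break
        frames.append({"func": m.group(2), "off": int(m.group(3), 16),
                       "unreliable": m.group(1) is not None})  # '? ' = guessed frame
    return frames


def parse_kasan_report(text):
    lines = [PREFIX.sub("", l).strip() for l in text.splitlines()]
    rep = {"call_trace": []}
    for i, line in enumerate(lines):
        if m := re.match(r"BUG: KASAN: ([\w-]+) in (\S+)", line):
            rep["bug"], rep["site"] = m.group(1), m.group(2)
        elif m := re.match(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (\S+)/(\d+)", line):
            rep["access"] = {"kind": m.group(1), "size": int(m.group(2)),
                             "addr": int(m.group(3), 16), "pid": int(m.group(5))}
        elif m := re.match(r"CPU: \d+ PID: \d+ Comm: \S+ .*? (\S+) #\d+$", line):
            rep.setdefault("kernel", m.group(1))  # first CPU: line is the KASAN one
        elif line == "Call Trace:" and not rep["call_trace"]:
            rep["call_trace"] = parse_frames(lines, i + 1)
        elif m := re.match(r"Allocated by task (\d+):", line):
            rep["alloc_pid"], rep["allocated_by"] = int(m.group(1)), parse_frames(lines, i + 1)
        elif m := re.match(r"Freed by task (\d+):", line):
            rep["free_pid"], rep["freed_by"] = int(m.group(1)), parse_frames(lines, i + 1)
        elif m := re.search(r"cache (\S+) of size (\d+)", line):
            rep["cache"], rep["obj_size"] = m.group(1), int(m.group(2))
        elif m := re.match(r"\d+-byte region \[([0-9a-f]+), ([0-9a-f]+)\)", line):
            rep["region"] = (int(m.group(1), 16), int(m.group(2), 16))
    return rep


def triage(rep):
    """Facts a reviewer wants before opening the source."""
    use = [f for f in rep["call_trace"]
           if not f["unreliable"] and not f["func"].startswith(REPORTER)]
    freed = {f["func"]: f["off"] for f in rep["freed_by"]}
    # Walk outward from the fault to the first function also present on the
    # free stack: both the free and the use are reached from that function.
    join = next((f for f in use if f["func"] in freed), None)
    acc = rep["access"]
    return {
        "faulting_func": use[0]["func"],
        "kind": f"{acc['kind'].lower()}-{acc['size']}",
        "offset_in_object": acc["addr"] - rep["region"][0],
        "cache": rep["cache"],
        "same_task_free_and_use": rep["free_pid"] == acc["pid"],
        "same_task_alloc_and_free": rep["alloc_pid"] == rep["free_pid"],
        "join_func": join["func"] if join else None,
        "free_off": freed[join["func"]] if join else None,
        "use_off": join["off"] if join else None,
        "syscall": next((f["func"] for f in use if f["func"].startswith("__x64_sys_")), None),
    }


if __name__ == "__main__":
    for k, v in triage(parse_kasan_report(SAMPLE)).items():
        print(f"{k:>26}: {v}")
```

Run against the constructed sample it reports the fault in bitmap_port_ext_cleanup, the free and the use joining in bitmap_port_destroy at +0xae and +0x17c, the same task 9482 for allocation, free and use, and the whole sequence under __x64_sys_sendmsg. The "Memory state" dump in the report agrees: shadow byte 0xfb is KASAN's marker for a freed slab object and 0xfc is the kmalloc redzone, and the fault address sits at offset 0 of a freed 32-byte kmalloc-32 object.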