netlink: 'syz-executor315': attribute type 8 has an invalid length.
==================================================================
BUG: KASAN: stack-out-of-bounds in __nla_validate_parse+0x134/0x24cc lib/nlattr.c:588
Write of size 32 at addr ffff800096f26b60 by task syz-executor315/5987

CPU: 0 PID: 5987 Comm: syz-executor315 Not tainted 6.5.0-rc4-syzkaller-g86d7896480b0 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2023
Call trace:
 dump_backtrace+0x1b8/0x1e4 arch/arm64/kernel/stacktrace.c:233
 show_stack+0x2c/0x44 arch/arm64/kernel/stacktrace.c:240
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xd0/0x124 lib/dump_stack.c:106
 print_address_description mm/kasan/report.c:364 [inline]
 print_report+0x174/0x514 mm/kasan/report.c:475
 kasan_report+0xd8/0x138 mm/kasan/report.c:588
 kasan_check_range+0x254/0x294 mm/kasan/generic.c:187
 __asan_memset+0x34/0x64 mm/kasan/shadow.c:84
 __nla_validate_parse+0x134/0x24cc lib/nlattr.c:588
 __nla_parse+0x60/0x7c lib/nlattr.c:700
 nla_parse_nested include/net/netlink.h:1262 [inline]
 fl_set_key_cfm+0x190/0x370 net/sched/cls_flower.c:1718
 fl_set_key+0x1924/0x5378 net/sched/cls_flower.c:1884
 fl_tmplt_create+0x1e4/0x458 net/sched/cls_flower.c:2666
 tc_chain_tmplt_add net/sched/cls_api.c:2959 [inline]
 tc_ctl_chain+0x1030/0x1694 net/sched/cls_api.c:3068
 rtnetlink_rcv_msg+0x748/0xdc0 net/core/rtnetlink.c:6424
 netlink_rcv_skb+0x214/0x3c4 net/netlink/af_netlink.c:2549
 rtnetlink_rcv+0x28/0x38 net/core/rtnetlink.c:6442
 netlink_unicast_kernel net/netlink/af_netlink.c:1339 [inline]
 netlink_unicast+0x660/0x8d4 net/netlink/af_netlink.c:1365
 netlink_sendmsg+0x834/0xb18 net/netlink/af_netlink.c:1914
 sock_sendmsg_nosec net/socket.c:725 [inline]
 sock_sendmsg net/socket.c:748 [inline]
 ____sys_sendmsg+0x56c/0x840 net/socket.c:2494
 ___sys_sendmsg net/socket.c:2548 [inline]
 __sys_sendmsg+0x26c/0x33c net/socket.c:2577
 __do_sys_sendmsg net/socket.c:2586 [inline]
 __se_sys_sendmsg net/socket.c:2584 [inline]
 __arm64_sys_sendmsg+0x80/0x94 net/socket.c:2584
 __invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
 invoke_syscall+0x98/0x2c0 arch/arm64/kernel/syscall.c:52
 el0_svc_common+0x138/0x244 arch/arm64/kernel/syscall.c:139
 do_el0_svc+0x64/0x198 arch/arm64/kernel/syscall.c:188
 el0_svc+0x4c/0x160 arch/arm64/kernel/entry-common.c:647
 el0t_64_sync_handler+0x84/0xfc arch/arm64/kernel/entry-common.c:665
 el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:591

The buggy address belongs to stack of task syz-executor315/5987
 and is located at offset 32 in frame:
 fl_set_key_cfm+0x0/0x370 net/sched/cls_flower.c:391

This frame has 1 object:
 [32, 56) 'nla_cfm_opt'

The buggy address belongs to the virtual mapping at
 [ffff800096f20000, ffff800096f29000) created by:
 copy_process+0x488/0x34b8 kernel/fork.c:2330

The buggy address belongs to the physical page:
page:000000002c6f789e refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10b547
flags: 0x5ffc00000000000(node=0|zone=2|lastcpupid=0x7ff)
page_type: 0xffffffff()
raw: 05ffc00000000000 0000000000000000 dead000000000122 0000000000000000
raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff800096f26a00: 00 00 f2 f2 00 f3 f3 f3 00 00 00 00 00 00 00 00
 ffff800096f26a80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff800096f26b00: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 00 00 f3
                                                                ^
 ffff800096f26b80: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
 ffff800096f26c00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
netlink: 'syz-executor315': attribute type 2 has an invalid length.
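What the report shows: the access is the memset at lib/nlattr.c:588 that __nla_validate_parse() performs on the caller's tb[] array before parsing, and it zeroes one pointer per attribute type from 0 through maxtype, i.e. (maxtype + 1) * sizeof(struct nlattr *) bytes. Here that is a 32-byte write into 'nla_cfm_opt', a 24-byte stack object at [32, 56) in the fl_set_key_cfm() frame: on this 64-bit arm64 build 32 bytes is four pointers while the array holds three, so the last pointer lands in the f3 right redzone visible in the shadow dump, eight bytes past the object. The callers' contract for nla_parse_nested() and the rest of the nla_parse family is that tb[] has maxtype + 1 entries; an array declared with maxtype entries is off by one on every call, independent of what the attacker sends, so this is reachable by any sender allowed to add a flower template to a chain.

The following is an added example and is not part of the syzkaller report nor kernel code: a userspace model of the nested-attribute parse that exposes the tb[] sizing contract, built here to illustrate the report. The attribute header layout, 4-byte alignment and type mask follow the Linux netlink attribute format; the one-field policy struct, the return codes, EXAMPLE_MAXTYPE = 3 (inferred from the report's 32-byte write over a 24-byte object) and the sample attribute streams are assumptions made for the example. The model refuses to proceed when tb[] is too small, which the real parser does not do; that explicit check is the point being illustrated.

```c
/* Added example, not kernel code: models how nla_parse_nested() fills tb[]
 * and why tb[] needs maxtype + 1 slots. Policy struct, return codes and the
 * constructed sample streams are assumptions for this example. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct nlattr {            /* 4-byte header in front of every attribute payload */
    uint16_t nla_len;      /* header + payload length, without trailing padding */
    uint16_t nla_type;     /* type number; the top two bits are flags */
};

#define NLA_ALIGNTO    4
#define NLA_ALIGN(len) (((len) + NLA_ALIGNTO - 1) & ~(NLA_ALIGNTO - 1))
#define NLA_HDRLEN     ((int)NLA_ALIGN(sizeof(struct nlattr)))
#define NLA_F_NESTED   (1 << 15)
#define NLA_TYPE_MASK  0x3fff

/* Assumed minimal policy: a nonzero .len means the payload must be exactly that long. */
struct nla_policy { uint16_t len; };

/* maxtype 3 is inferred from the report: a 32-byte memset over 8-byte pointers is
 * four slots, while the 24-byte 'nla_cfm_opt' frame object holds only three. */
#define EXAMPLE_MAXTYPE 3
static const struct nla_policy example_policy[EXAMPLE_MAXTYPE + 1] = { {0}, {4}, {4}, {0} };

/* Bytes the parser zeroes at the start of tb[]: one pointer per type 0..maxtype.
 * This is the memset the KASAN report lands in when tb[] has only maxtype slots. */
size_t nla_tb_required_bytes(int maxtype)
{
    return sizeof(const struct nlattr *) * (size_t)(maxtype + 1);
}

/* 0 on success; -1 if tb[] has fewer than maxtype + 1 slots (the kernel parser has
 * no such check and writes past the array); -2 for a malformed header; -3 when a
 * policy length check fails. *warned counts "attribute type N has an invalid
 * length" conditions seen before returning. */
int model_nla_parse(const struct nlattr **tb, size_t tb_slots, int maxtype,
                    const struct nla_policy *policy,
                    const uint8_t *buf, size_t len, int *warned)
{
    *warned = 0;
    if (tb_slots < (size_t)maxtype + 1)
        return -1;
    memset(tb, 0, nla_tb_required_bytes(maxtype));
    for (size_t off = 0; off + NLA_HDRLEN <= len;) {
        struct nlattr hdr;
        memcpy(&hdr, buf + off, sizeof hdr);        /* header may be unaligned */
        if (hdr.nla_len < NLA_HDRLEN || off + hdr.nla_len > len)
            return -2;
        int type = hdr.nla_type & NLA_TYPE_MASK;    /* strip NLA_F_NESTED etc. */
        if (type != 0 && type <= maxtype) {         /* unknown types are skipped */
            size_t paylen = hdr.nla_len - NLA_HDRLEN;
            if (policy && policy[type].len && paylen != policy[type].len) {
                (*warned)++;
                fprintf(stderr, "netlink: attribute type %d has an invalid length.\n", type);
                return -3;
            }
            tb[type] = (const struct nlattr *)(buf + off);
        }
        off += NLA_ALIGN(hdr.nla_len);
    }
    return 0;
}

/* Append one attribute at buf + off, padded to NLA_ALIGNTO; returns the new offset. */
size_t put_attr(uint8_t *buf, size_t off, uint16_t type, const void *payload, uint16_t paylen)
{
    struct nlattr hdr = { (uint16_t)(NLA_HDRLEN + paylen), type };
    memcpy(buf + off, &hdr, sizeof hdr);
    if (paylen)
        memcpy(buf + off + NLA_HDRLEN, payload, paylen);
    memset(buf + off + hdr.nla_len, 0, NLA_ALIGN(hdr.nla_len) - hdr.nla_len);
    return off + NLA_ALIGN(hdr.nla_len);
}

/* Parse a constructed stream (type 1 with a 4-byte payload, type 8 which is above
 * maxtype, type 3 carrying NLA_F_NESTED) into a tb[] the caller declares to have
 * tb_slots entries. Returns a negative parser error, or a bit mask of the filled
 * tb[] slots on success. tb_slots == EXAMPLE_MAXTYPE models the report's bug. */
int parse_sample(size_t tb_slots)
{
    const struct nlattr *tb[EXAMPLE_MAXTYPE + 1];
    uint8_t buf[64];
    uint32_t v = 0x11223344;
    int warned, mask = 0;
    size_t len = put_attr(buf, 0, 1, &v, sizeof v);
    len = put_attr(buf, len, 8, NULL, 0);
    len = put_attr(buf, len, 3 | NLA_F_NESTED, NULL, 0);
    int rc = model_nla_parse(tb, tb_slots, EXAMPLE_MAXTYPE, example_policy, buf, len, &warned);
    if (rc < 0)
        return rc;
    for (int i = 0; i <= EXAMPLE_MAXTYPE; i++)
        if (tb[i])
            mask |= 1 << i;
    return mask;
}

/* A type-2 attribute with a 1-byte payload where the policy demands 4 bytes:
 * the "attribute type 2 has an invalid length" condition. */
int parse_bad_length(int *warned)
{
    const struct nlattr *tb[EXAMPLE_MAXTYPE + 1];
    uint8_t buf[16], one = 1;
    size_t len = put_attr(buf, 0, 2, &one, 1);
    return model_nla_parse(tb, EXAMPLE_MAXTYPE + 1, EXAMPLE_MAXTYPE, example_policy, buf, len, warned);
}

int main(void)
{
    int warned;
    printf("tb[] needs %zu bytes for maxtype %d\n", nla_tb_required_bytes(EXAMPLE_MAXTYPE), EXAMPLE_MAXTYPE);
    printf("tb[] with %d slots: rc=%d\n", EXAMPLE_MAXTYPE, parse_sample(EXAMPLE_MAXTYPE));
    printf("tb[] with %d slots: filled mask=0x%x\n", EXAMPLE_MAXTYPE + 1, parse_sample(EXAMPLE_MAXTYPE + 1));
    int rc = parse_bad_length(&warned);
    printf("short type-2 attribute: rc=%d warned=%d\n", rc, warned);
    return 0;
}
```

The undersized call returns -1 before the memset; in the kernel that same memset is what KASAN caught. With the correctly sized array the stream parses, type 8 is silently skipped because it is above maxtype, and the nested flag on type 3 is masked off before indexing tb[]. When auditing a caller, check that every tb[] declared for nla_parse_nested() is sized with the same MAX constant passed as maxtype plus one, rather than the MAX constant alone.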