==================================================================
BUG: KASAN: use-after-free in atomic_sub_return include/asm-generic/atomic-instrumented.h:258 [inline]
BUG: KASAN: use-after-free in skb_release_data+0x101/0x770 net/core/skbuff.c:563
Write of size 4 at addr ffff8881cafdd764 by task syz-executor.5/8657

CPU: 0 PID: 8657 Comm: syz-executor.5 Not tainted 4.14.134+ #22
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0xca/0x134 lib/dump_stack.c:53
 print_address_description+0x60/0x226 mm/kasan/report.c:187
 __kasan_report.cold+0x1a/0x41 mm/kasan/report.c:316

Allocated by task 8657:
 save_stack mm/kasan/common.c:76 [inline]
 set_track mm/kasan/common.c:85 [inline]
 __kasan_kmalloc.part.0+0x53/0xc0 mm/kasan/common.c:495
 slab_post_alloc_hook mm/slab.h:439 [inline]
 slab_alloc_node mm/slub.c:2758 [inline]
 slab_alloc mm/slub.c:2766 [inline]
 __kmalloc_track_caller+0xf1/0x310 mm/slub.c:4333
 __kmalloc_reserve.isra.0+0x2d/0xc0 net/core/skbuff.c:137
 __alloc_skb+0x118/0x5c0 net/core/skbuff.c:205
 alloc_skb include/linux/skbuff.h:980 [inline]
 sock_wmalloc+0xb6/0x110 net/core/sock.c:1925
 packet_sendmsg_spkt+0x3bb/0x1210 net/packet/af_packet.c:1962
 sock_sendmsg_nosec net/socket.c:646 [inline]
 sock_sendmsg+0xb7/0x100 net/socket.c:656
 ___sys_sendmsg+0x752/0x890 net/socket.c:2062
 __sys_sendmsg+0xb6/0x150 net/socket.c:2096
 SYSC_sendmsg net/socket.c:2107 [inline]
 SyS_sendmsg+0x27/0x40 net/socket.c:2103
 do_syscall_64+0x19b/0x520 arch/x86/entry/common.c:292
 0xffffffffffffffff

Freed by task 8657:
 save_stack mm/kasan/common.c:76 [inline]
 set_track mm/kasan/common.c:85 [inline]
 __kasan_slab_free+0x164/0x210 mm/kasan/common.c:457
 slab_free_hook mm/slub.c:1403 [inline]
 slab_free_freelist_hook mm/slub.c:1430 [inline]
 slab_free mm/slub.c:3005 [inline]
 kfree+0xfa/0x320 mm/slub.c:3942
 skb_free_head+0x83/0xa0 net/core/skbuff.c:554
 skb_release_data+0x4e5/0x770 net/core/skbuff.c:574
 skb_release_all+0x46/0x60 net/core/skbuff.c:631
 __kfree_skb net/core/skbuff.c:645 [inline]
 consume_skb+0xdc/0x360 net/core/skbuff.c:705
 packet_rcv+0xdf/0x1290 net/packet/af_packet.c:2178
 dev_queue_xmit_nit+0x6e1/0x970 net/core/dev.c:1975
 0xffffffffffffffff

The buggy address belongs to the object at ffff8881cafdd680
 which belongs to the cache kmalloc-512 of size 512
The buggy address is located 228 bytes inside of
 512-byte region [ffff8881cafdd680, ffff8881cafdd880)
The buggy address belongs to the page:
page:ffffea00072bf700 count:1 mapcount:0 mapping:          (null) index:0x0 compound_mapcount: 0
flags: 0x4000000000010200(slab|head)
raw: 4000000000010200 0000000000000000 0000000000000000 00000001800c000c
raw: ffffea00068a1a80 0000000800000008 ffff8881da802c00 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8881cafdd600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff8881cafdd680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8881cafdd700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                                       ^
 ffff8881cafdd780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8881cafdd800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
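The report above says the faulting write (the atomic_sub_return on the shared-info dataref in skb_release_data) lands 228 bytes into a kmalloc-512 object that the same task had already freed through skb_free_head from packet_rcv, i.e. the skb data buffer allocated in packet_sendmsg_spkt was released by the tap path in dev_queue_xmit_nit before the sender's own release ran. The "Memory state" rows encode that: each shadow byte covers an 8-byte granule, fb is KASAN_KMALLOC_FREE and fc is KASAN_KMALLOC_REDZONE (constants from mm/kasan/kasan.h in v4.14). The following C program is an added example, not part of the syzbot report or of the kernel; it transcribes the five shadow rows from the report as constructed input and shows how to recover the object offset and the shadow class for the bad address by hand. The function names kasan_shadow_at, kasan_object_offset and kasan_shadow_desc are this example's own, not kernel APIs.

```c
#include <inttypes.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Shadow-byte encodings from mm/kasan/kasan.h (v4.14). One shadow byte
 * describes one 8-byte granule of kernel memory. */
#define KASAN_SHADOW_GRANULE    8
#define KASAN_FREE_PAGE         0xFF
#define KASAN_PAGE_REDZONE      0xFE
#define KASAN_KMALLOC_REDZONE   0xFC
#define KASAN_KMALLOC_FREE      0xFB
#define KASAN_GLOBAL_REDZONE    0xFA

/* One "Memory state around the buggy address" row: a base address followed
 * by 16 shadow bytes, which together cover 128 bytes of memory. */
struct shadow_row {
    uint64_t base;
    uint8_t  shadow[16];
};

#define ROW(b, v) { (b), { v, v, v, v, v, v, v, v, v, v, v, v, v, v, v, v } }

/* Constructed sample: the five rows printed in the report above. */
static const struct shadow_row report_rows[] = {
    ROW(0xffff8881cafdd600ULL, KASAN_KMALLOC_REDZONE),
    ROW(0xffff8881cafdd680ULL, KASAN_KMALLOC_FREE),
    ROW(0xffff8881cafdd700ULL, KASAN_KMALLOC_FREE),
    ROW(0xffff8881cafdd780ULL, KASAN_KMALLOC_FREE),
    ROW(0xffff8881cafdd800ULL, KASAN_KMALLOC_FREE),
};
#define REPORT_ROWS (sizeof(report_rows) / sizeof(report_rows[0]))

/* Human-readable meaning of a shadow byte value. */
const char *kasan_shadow_desc(int b)
{
    switch (b) {
    case 0x00:                  return "fully addressable";
    case KASAN_KMALLOC_FREE:    return "freed slab object (KASAN_KMALLOC_FREE)";
    case KASAN_KMALLOC_REDZONE: return "slab object redzone (KASAN_KMALLOC_REDZONE)";
    case KASAN_PAGE_REDZONE:    return "kmalloc_large redzone (KASAN_PAGE_REDZONE)";
    case KASAN_FREE_PAGE:       return "freed page (KASAN_FREE_PAGE)";
    case KASAN_GLOBAL_REDZONE:  return "global variable redzone (KASAN_GLOBAL_REDZONE)";
    default:
        /* 1..7 means only the first b bytes of the granule are addressable. */
        if (b >= 1 && b < KASAN_SHADOW_GRANULE)
            return "partially addressable granule";
        return "unknown shadow value";
    }
}

/* Shadow byte covering addr, or -1 when no row in the dump covers it. */
int kasan_shadow_at(const struct shadow_row *rows, size_t nrows, uint64_t addr)
{
    const uint64_t span = 16 * KASAN_SHADOW_GRANULE;   /* bytes per row */

    for (size_t i = 0; i < nrows; i++) {
        if (addr >= rows[i].base && addr < rows[i].base + span)
            return rows[i].shadow[(addr - rows[i].base) / KASAN_SHADOW_GRANULE];
    }
    return -1;
}

/* Offset of addr inside its object, as in "located N bytes inside of". */
uint64_t kasan_object_offset(uint64_t addr, uint64_t object_start)
{
    return addr - object_start;
}

int main(void)
{
    const uint64_t bad = 0xffff8881cafdd764ULL;   /* "Write of size 4 at addr" */
    const uint64_t obj = 0xffff8881cafdd680ULL;   /* "object at" */
    int sb = kasan_shadow_at(report_rows, REPORT_ROWS, bad);

    printf("addr 0x%" PRIx64 ": %" PRIu64 " bytes into object, shadow 0x%02x -> %s\n",
           bad, kasan_object_offset(bad, obj), sb, kasan_shadow_desc(sb));
    return 0;
}
```

Running it reproduces the two facts the report states in prose: the address is 228 bytes into the 512-byte object, and its granule is marked freed, so the 4-byte atomic write is a use-after-free rather than an out-of-bounds access into the fc redzone that precedes the object.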