================================================================== BUG: KASAN: use-after-free in __read_once_size include/linux/compiler.h:199 [inline] BUG: KASAN: use-after-free in sock_cgroup_ptr include/linux/cgroup.h:836 [inline] BUG: KASAN: use-after-free in inet_diag_bc_sk+0xa5a/0xfa0 net/ipv4/inet_diag.c:749 Read of size 8 at addr ffff8880a40b9260 by task syz-executor.3/8419 CPU: 0 PID: 8419 Comm: syz-executor.3 Not tainted 5.7.0-rc2-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x128/0x182 lib/dump_stack.c:118 print_address_description.constprop.8.cold.10+0x9/0x317 mm/kasan/report.c:382 __kasan_report.cold.11+0x35/0x4d mm/kasan/report.c:511 kasan_report+0x32/0x50 mm/kasan/common.c:625 __read_once_size include/linux/compiler.h:199 [inline] sock_cgroup_ptr include/linux/cgroup.h:836 [inline] inet_diag_bc_sk+0xa5a/0xfa0 net/ipv4/inet_diag.c:749 inet_diag_dump_icsk+0x98c/0xf30 net/ipv4/inet_diag.c:1061 __inet_diag_dump+0xf7/0x1b0 net/ipv4/inet_diag.c:1113 netlink_dump+0x481/0xf50 net/netlink/af_netlink.c:2245 __netlink_dump_start+0x567/0x820 net/netlink/af_netlink.c:2353 netlink_dump_start include/linux/netlink.h:246 [inline] inet_diag_handler_cmd+0x1fe/0x280 net/ipv4/inet_diag.c:1278 __sock_diag_cmd net/core/sock_diag.c:233 [inline] sock_diag_rcv_msg+0x282/0x370 net/core/sock_diag.c:264 netlink_rcv_skb+0x119/0x340 net/netlink/af_netlink.c:2469 sock_diag_rcv+0x21/0x30 net/core/sock_diag.c:275 netlink_unicast_kernel net/netlink/af_netlink.c:1303 [inline] netlink_unicast+0x434/0x630 net/netlink/af_netlink.c:1329 netlink_sendmsg+0x714/0xc60 net/netlink/af_netlink.c:1918 sock_sendmsg_nosec net/socket.c:652 [inline] sock_sendmsg+0xac/0xe0 net/socket.c:672 sock_write_iter+0x218/0x380 net/socket.c:1004 call_write_iter include/linux/fs.h:1907 [inline] do_iter_readv_writev+0x4f1/0x7c0 fs/read_write.c:694 do_iter_write+0x129/0x540 fs/read_write.c:999 vfs_writev+0x16d/0x2d0 fs/read_write.c:1072 do_writev+0x214/0x280 fs/read_write.c:1115 do_syscall_64+0xc6/0x620 arch/x86/entry/common.c:295 entry_SYSCALL_64_after_hwframe+0x49/0xb3 RIP: 0033:0x45c829 Code: 0d b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 db b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 RSP: 002b:00007fcea4a7cc78 EFLAGS: 00000246 ORIG_RAX: 0000000000000014 RAX: ffffffffffffffda RBX: 000000000050d140 RCX: 000000000045c829 RDX: 0000000000000001 RSI: 0000000020000140 RDI: 0000000000000005 RBP: 000000000078bf00 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff R13: 0000000000000d18 R14: 00000000004cb1f4 R15: 00007fcea4a7d6d4 The buggy address belongs to the page: page:ffffea0002902e40 refcount:0 mapcount:0 mapping:00000000e34ef6da index:0x0 flags: 0xfffe0000000000() raw: 00fffe0000000000 ffffea0002915208 ffff8880ae83b138 0000000000000000 raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff8880a40b9100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ffff8880a40b9180: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff >ffff8880a40b9200: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ^ ffff8880a40b9280: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ffff8880a40b9300: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ==================================================================