netlink: 24 bytes leftover after parsing attributes in process `syz-executor.2'. ================================================================== BUG: KASAN: use-after-free in __list_add_valid+0x9a/0xa0 lib/list_debug.c:26 Read of size 8 at addr ffff88800e727920 by task syz-executor.0/5891 CPU: 0 PID: 5891 Comm: syz-executor.0 Not tainted 4.19.89-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x197/0x210 lib/dump_stack.c:118 print_address_description.cold+0x7c/0x20d mm/kasan/report.c:256 kasan_report_error mm/kasan/report.c:354 [inline] kasan_report mm/kasan/report.c:412 [inline] kasan_report.cold+0x8c/0x2ba mm/kasan/report.c:396 __asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:433 __list_add_valid+0x9a/0xa0 lib/list_debug.c:26 __list_add include/linux/list.h:60 [inline] list_add_tail include/linux/list.h:93 [inline] cma_listen_on_all drivers/infiniband/core/cma.c:2380 [inline] rdma_listen+0x63b/0x8e0 drivers/infiniband/core/cma.c:3408 ucma_listen+0x14d/0x1c0 drivers/infiniband/core/ucma.c:1100 ucma_write+0x2d7/0x3c0 drivers/infiniband/core/ucma.c:1689 __vfs_write+0x114/0x810 fs/read_write.c:485 vfs_write+0x20c/0x560 fs/read_write.c:549 ksys_write+0x14f/0x2d0 fs/read_write.c:599 __do_sys_write fs/read_write.c:611 [inline] __se_sys_write fs/read_write.c:608 [inline] __x64_sys_write+0x73/0xb0 fs/read_write.c:608 do_syscall_64+0xfd/0x620 arch/x86/entry/common.c:293 entry_SYSCALL_64_after_hwframe+0x49/0xbe RIP: 0033:0x45a909 Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 RSP: 002b:00007fa965857c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 000000000045a909 RDX: 0000000000000010 RSI: 00000000200001c0 RDI: 0000000000000005 RBP: 000000000075bf20 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 00007fa9658586d4 R13: 00000000004cbc11 R14: 00000000004e57b8 R15: 00000000ffffffff Allocated by task 5651: save_stack+0x45/0xd0 mm/kasan/kasan.c:448 set_track mm/kasan/kasan.c:460 [inline] kasan_kmalloc mm/kasan/kasan.c:553 [inline] kasan_kmalloc+0xce/0xf0 mm/kasan/kasan.c:531 __do_kmalloc_node mm/slab.c:3689 [inline] __kmalloc_node_track_caller+0x51/0x80 mm/slab.c:3703 __kmalloc_reserve.isra.0+0x40/0xf0 net/core/skbuff.c:137 __alloc_skb+0x10b/0x5f0 net/core/skbuff.c:205 alloc_skb include/linux/skbuff.h:995 [inline] nlmsg_new include/net/netlink.h:511 [inline] audit_buffer_alloc kernel/audit.c:1680 [inline] audit_log_start kernel/audit.c:1793 [inline] audit_log_start+0x302/0x7a0 kernel/audit.c:1744 common_lsm_audit+0xd3/0x1d70 security/lsm_audit.c:452 slow_avc_audit+0x1a3/0x230 security/selinux/avc.c:802 avc_audit security/selinux/include/avc.h:138 [inline] avc_has_perm+0x54d/0x610 security/selinux/avc.c:1205 inode_has_perm.isra.0+0x176/0x210 security/selinux/hooks.c:1852 selinux_mmap_file+0x104/0x1d0 security/selinux/hooks.c:3759 security_mmap_file+0xa4/0x1e0 security/security.c:934 vm_mmap_pgoff+0xf0/0x230 mm/util.c:353 ksys_mmap_pgoff+0x4aa/0x630 mm/mmap.c:1586 __do_sys_mmap arch/x86/kernel/sys_x86_64.c:100 [inline] __se_sys_mmap arch/x86/kernel/sys_x86_64.c:91 [inline] __x64_sys_mmap+0xe9/0x1b0 arch/x86/kernel/sys_x86_64.c:91 do_syscall_64+0xfd/0x620 arch/x86/entry/common.c:293 entry_SYSCALL_64_after_hwframe+0x49/0xbe Freed by task 28: save_stack+0x45/0xd0 mm/kasan/kasan.c:448 set_track mm/kasan/kasan.c:460 [inline] __kasan_slab_free+0x102/0x150 mm/kasan/kasan.c:521 kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:528 __cache_free mm/slab.c:3503 [inline] kfree+0xcf/0x220 mm/slab.c:3822 skb_free_head+0x99/0xc0 net/core/skbuff.c:554 skb_release_data+0x619/0x8d0 net/core/skbuff.c:574 skb_release_all+0x4d/0x60 net/core/skbuff.c:631 __kfree_skb net/core/skbuff.c:645 [inline] kfree_skb net/core/skbuff.c:663 [inline] kfree_skb+0xe8/0x390 net/core/skbuff.c:657 kauditd_hold_skb+0x160/0x190 kernel/audit.c:583 kauditd_send_queue+0x12d/0x170 kernel/audit.c:742 kauditd_thread+0x71c/0xa50 kernel/audit.c:868 kthread+0x354/0x420 kernel/kthread.c:246 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415 The buggy address belongs to the object at ffff88800e727740 which belongs to the cache kmalloc-2048 of size 2048 The buggy address is located 480 bytes inside of 2048-byte region [ffff88800e727740, ffff88800e727f40) The buggy address belongs to the page: page:ffffea000039c980 count:1 mapcount:0 mapping:ffff88812c31cc40 index:0x0 compound_mapcount: 0 flags: 0xfffe0000008100(slab|head) raw: 00fffe0000008100 ffffea00024b4688 ffffea0000571388 ffff88812c31cc40 raw: 0000000000000000 ffff88800e726640 0000000100000003 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff88800e727800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff88800e727880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff88800e727900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb net_ratelimit: 18 callbacks suppressed protocol 88fb is buggy, dev hsr_slave_0 ^ ffff88800e727980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff88800e727a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb protocol 88fb is buggy, dev hsr_slave_1 ================================================================== protocol 88fb is buggy, dev hsr_slave_0 protocol 88fb is buggy, dev hsr_slave_1 protocol 88fb is buggy, dev hsr_slave_0 protocol 88fb is buggy, dev hsr_slave_1