netlink: 4 bytes leftover after parsing attributes in process `syz-executor.1'. ============================= WARNING: suspicious RCU usage 4.14.307-syzkaller #0 Not tainted ----------------------------- net/tipc/bearer.c:177 suspicious rcu_dereference_protected() usage! other info that might help us debug this: rcu_scheduler_active = 2, debug_locks = 1 2 locks held by syz-executor.4/11594: #0: (cb_lock){++++}, at: [] genl_rcv+0x15/0x40 net/netlink/genetlink.c:635 #1: (genl_mutex){+.+.}, at: [] genl_lock net/netlink/genetlink.c:33 [inline] #1: (genl_mutex){+.+.}, at: [] genl_rcv_msg+0x112/0x140 net/netlink/genetlink.c:623 stack backtrace: CPU: 1 PID: 11594 Comm: syz-executor.4 Not tainted 4.14.307-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/02/2023 Call Trace: __dump_stack lib/dump_stack.c:17 [inline] dump_stack+0x1b2/0x281 lib/dump_stack.c:58 tipc_bearer_find+0x1ff/0x2f0 net/tipc/bearer.c:177 tipc_nl_compat_link_set+0x40b/0xb90 net/tipc/netlink_compat.c:807 __tipc_nl_compat_doit net/tipc/netlink_compat.c:316 [inline] tipc_nl_compat_doit+0x192/0x5d0 net/tipc/netlink_compat.c:364 tipc_nl_compat_handle net/tipc/netlink_compat.c:1215 [inline] tipc_nl_compat_recv+0xa0b/0xae0 net/tipc/netlink_compat.c:1297 genl_family_rcv_msg+0x572/0xb20 net/netlink/genetlink.c:600 genl_rcv_msg+0xaf/0x140 net/netlink/genetlink.c:625 netlink_rcv_skb+0x125/0x390 net/netlink/af_netlink.c:2461 genl_rcv+0x24/0x40 net/netlink/genetlink.c:636 netlink_unicast_kernel net/netlink/af_netlink.c:1302 [inline] netlink_unicast+0x437/0x610 net/netlink/af_netlink.c:1328 netlink_sendmsg+0x651/0xbc0 net/netlink/af_netlink.c:1900 sock_sendmsg_nosec net/socket.c:646 [inline] sock_sendmsg+0xb5/0x100 net/socket.c:656 ___sys_sendmsg+0x6c8/0x800 net/socket.c:2062 __sys_sendmsg+0xa3/0x120 net/socket.c:2096 SYSC_sendmsg net/socket.c:2107 [inline] SyS_sendmsg+0x27/0x40 net/socket.c:2103 do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292 entry_SYSCALL_64_after_hwframe+0x5e/0xd3 RIP: 0033:0x7fdb14e670f9 RSP: 002b:00007fdb133d9168 EFLAGS: 00000246 ORIG_RAX: 000000000000002e RAX: ffffffffffffffda RBX: 00007fdb14f86f80 RCX: 00007fdb14e670f9 RDX: 0000000000000000 RSI: 00000000200000c0 RDI: 0000000000000003 RBP: 00007fdb14ec2ae9 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007fffc730626f R14: 00007fdb133d9300 R15: 0000000000022000 netlink: 52 bytes leftover after parsing attributes in process `syz-executor.5'. netlink: 16 bytes leftover after parsing attributes in process `syz-executor.0'. IPVS: set_ctl: invalid protocol: 0 224.0.0.2:0 syz-executor.0 calls setitimer() with new_value NULL pointer. Misfeature support will be removed netlink: 28 bytes leftover after parsing attributes in process `syz-executor.0'. ================================================================== BUG: KASAN: slab-out-of-bounds in tipc_nametbl_lookup_dst_nodes+0x4ad/0x4c0 net/tipc/name_table.c:670 Read of size 4 at addr ffff8880a659be10 by task syz-executor.4/12139 CPU: 1 PID: 12139 Comm: syz-executor.4 Not tainted 4.14.307-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/02/2023 Call Trace: __dump_stack lib/dump_stack.c:17 [inline] dump_stack+0x1b2/0x281 lib/dump_stack.c:58 print_address_description.cold+0x54/0x1d3 mm/kasan/report.c:251 kasan_report_error.cold+0x8a/0x191 mm/kasan/report.c:350 kasan_report mm/kasan/report.c:408 [inline] __asan_report_load4_noabort+0x68/0x70 mm/kasan/report.c:428 tipc_nametbl_lookup_dst_nodes+0x4ad/0x4c0 net/tipc/name_table.c:670 tipc_sendmcast+0x51a/0xac0 net/tipc/socket.c:768 __tipc_sendmsg+0xbab/0xf90 net/tipc/socket.c:975 __tipc_sendstream+0x695/0x8c0 net/tipc/socket.c:1069 tipc_sendstream net/tipc/socket.c:1043 [inline] tipc_send_packet+0x5a/0x90 net/tipc/socket.c:1119 sock_sendmsg_nosec net/socket.c:646 [inline] sock_sendmsg+0xb5/0x100 net/socket.c:656 ___sys_sendmsg+0x6c8/0x800 net/socket.c:2062 __sys_sendmsg+0xa3/0x120 net/socket.c:2096 SYSC_sendmsg net/socket.c:2107 [inline] SyS_sendmsg+0x27/0x40 net/socket.c:2103 do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292 entry_SYSCALL_64_after_hwframe+0x5e/0xd3 RIP: 0033:0x7fdb14e670f9 RSP: 002b:00007fdb133d9168 EFLAGS: 00000246 ORIG_RAX: 000000000000002e RAX: ffffffffffffffda RBX: 00007fdb14f86f80 RCX: 00007fdb14e670f9 RDX: 0000000000000000 RSI: 0000000020000340 RDI: 0000000000000003 RBP: 00007fdb14ec2ae9 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007fffc730626f R14: 00007fdb133d9300 R15: 0000000000022000 Allocated by task 8005: save_stack mm/kasan/kasan.c:447 [inline] set_track mm/kasan/kasan.c:459 [inline] kasan_kmalloc+0xeb/0x160 mm/kasan/kasan.c:551 __do_kmalloc mm/slab.c:3720 [inline] __kmalloc+0x15a/0x400 mm/slab.c:3729 tipc_nameseq_create+0x53/0x290 net/tipc/name_table.c:152 tipc_nametbl_insert_publ+0xb37/0x14e0 net/tipc/name_table.c:476 tipc_nametbl_publish+0x211/0x3f0 net/tipc/name_table.c:701 tipc_sk_publish net/tipc/socket.c:2206 [inline] tipc_bind+0x2c4/0x600 net/tipc/socket.c:630 tipc_create_listen_sock net/tipc/server.c:338 [inline] tipc_open_listening_sock net/tipc/server.c:396 [inline] tipc_server_start+0x31f/0x880 net/tipc/server.c:611 tipc_topsrv_start net/tipc/subscr.c:382 [inline] tipc_topsrv_init_net+0x53b/0x730 net/tipc/subscr.c:397 ops_init+0xaa/0x3e0 net/core/net_namespace.c:118 setup_net+0x22f/0x530 net/core/net_namespace.c:298 copy_net_ns+0x19b/0x440 net/core/net_namespace.c:422 create_new_namespaces+0x375/0x720 kernel/nsproxy.c:107 unshare_nsproxy_namespaces+0xa1/0x1d0 kernel/nsproxy.c:206 SYSC_unshare kernel/fork.c:2413 [inline] SyS_unshare+0x308/0x7f0 kernel/fork.c:2363 do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292 entry_SYSCALL_64_after_hwframe+0x5e/0xd3 Freed by task 4741: save_stack mm/kasan/kasan.c:447 [inline] set_track mm/kasan/kasan.c:459 [inline] kasan_slab_free+0xc3/0x1a0 mm/kasan/kasan.c:524 __cache_free mm/slab.c:3496 [inline] kfree+0xc9/0x250 mm/slab.c:3815 aa_free_task_context+0xda/0x130 security/apparmor/context.c:54 apparmor_cred_free+0x34/0x70 security/apparmor/lsm.c:58 security_cred_free+0x71/0xb0 security/security.c:1003 put_cred_rcu+0xe3/0x300 kernel/cred.c:117 __rcu_reclaim kernel/rcu/rcu.h:195 [inline] rcu_do_batch kernel/rcu/tree.c:2699 [inline] invoke_rcu_callbacks kernel/rcu/tree.c:2962 [inline] __rcu_process_callbacks kernel/rcu/tree.c:2929 [inline] rcu_process_callbacks+0x780/0x1180 kernel/rcu/tree.c:2946 __do_softirq+0x24d/0x9ff kernel/softirq.c:288 The buggy address belongs to the object at ffff8880a659be00 which belongs to the cache kmalloc-32 of size 32 The buggy address is located 16 bytes inside of 32-byte region [ffff8880a659be00, ffff8880a659be20) The buggy address belongs to the page: page:ffffea00029966c0 count:1 mapcount:0 mapping:ffff8880a659b000 index:0xffff8880a659bfc1 flags: 0xfff00000000100(slab) raw: 00fff00000000100 ffff8880a659b000 ffff8880a659bfc1 000000010000003b raw: ffffea0002c038e0 ffffea0002cb6220 ffff88813fe741c0 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff8880a659bd00: fb fb fb fb fc fc fc fc 05 fc fc fc fc fc fc fc ffff8880a659bd80: 00 00 00 fc fc fc fc fc 00 00 00 fc fc fc fc fc >ffff8880a659be00: 00 00 fc fc fc fc fc fc fb fb fb fb fc fc fc fc ^ ffff8880a659be80: 00 fc fc fc fc fc fc fc 00 fc fc fc fc fc fc fc ffff8880a659bf00: 05 fc fc fc fc fc fc fc 05 fc fc fc fc fc fc fc ==================================================================