RBP: 00007f9ee1ececa0 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000004 R13: 00007ffd63f0a73f R14: 00007f9ee1ecf9c0 R15: 000000000118bf2c tipc: Failed do clone local mcast rcv buffer ================================================================== BUG: KASAN: use-after-free in __skb_unlink include/linux/skbuff.h:2063 [inline] BUG: KASAN: use-after-free in __skb_dequeue include/linux/skbuff.h:2082 [inline] BUG: KASAN: use-after-free in __skb_queue_purge include/linux/skbuff.h:2798 [inline] BUG: KASAN: use-after-free in tipc_mcast_xmit+0xfaa/0x1170 net/tipc/bcast.c:422 Read of size 8 at addr ffff88809f44d800 by task syz-executor.1/31068 CPU: 1 PID: 31068 Comm: syz-executor.1 Not tainted 5.9.0-rc6-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x198/0x1fd lib/dump_stack.c:118 print_address_description.constprop.0.cold+0xae/0x497 mm/kasan/report.c:383 __kasan_report mm/kasan/report.c:513 [inline] kasan_report.cold+0x1f/0x37 mm/kasan/report.c:530 __skb_unlink include/linux/skbuff.h:2063 [inline] __skb_dequeue include/linux/skbuff.h:2082 [inline] __skb_queue_purge include/linux/skbuff.h:2798 [inline] tipc_mcast_xmit+0xfaa/0x1170 net/tipc/bcast.c:422 tipc_sendmcast+0xaaf/0xef0 net/tipc/socket.c:864 __tipc_sendmsg+0xee3/0x18a0 net/tipc/socket.c:1453 tipc_sendmsg+0x4c/0x70 net/tipc/socket.c:1386 sock_sendmsg_nosec net/socket.c:651 [inline] sock_sendmsg+0xcf/0x120 net/socket.c:671 ____sys_sendmsg+0x6e8/0x810 net/socket.c:2353 ___sys_sendmsg+0xf3/0x170 net/socket.c:2407 __sys_sendmsg+0xe5/0x1b0 net/socket.c:2440 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46 entry_SYSCALL_64_after_hwframe+0x44/0xa9 RIP: 0033:0x45dd99 Code: 0d b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 db b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00 RSP: 002b:00007f9ee1ecec78 EFLAGS: 00000246 ORIG_RAX: 000000000000002e RAX: ffffffffffffffda RBX: 000000000002e740 RCX: 000000000045dd99 RDX: 0000000000000000 RSI: 0000000020001300 RDI: 0000000000000004 RBP: 00007f9ee1ececa0 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000004 R13: 00007ffd63f0a73f R14: 00007f9ee1ecf9c0 R15: 000000000118bf2c Allocated by task 31068: kasan_save_stack+0x1b/0x40 mm/kasan/common.c:48 kasan_set_track mm/kasan/common.c:56 [inline] __kasan_kmalloc.constprop.0+0xbf/0xd0 mm/kasan/common.c:461 slab_post_alloc_hook mm/slab.h:518 [inline] slab_alloc_node mm/slab.c:3254 [inline] kmem_cache_alloc_node+0x136/0x430 mm/slab.c:3574 __alloc_skb+0x71/0x550 net/core/skbuff.c:198 alloc_skb_fclone include/linux/skbuff.h:1144 [inline] tipc_buf_acquire+0x28/0xf0 net/tipc/msg.c:76 tipc_msg_build+0x6b8/0x10c0 net/tipc/msg.c:428 tipc_sendmcast+0x855/0xef0 net/tipc/socket.c:858 __tipc_sendmsg+0xee3/0x18a0 net/tipc/socket.c:1453 tipc_sendmsg+0x4c/0x70 net/tipc/socket.c:1386 sock_sendmsg_nosec net/socket.c:651 [inline] sock_sendmsg+0xcf/0x120 net/socket.c:671 ____sys_sendmsg+0x6e8/0x810 net/socket.c:2353 ___sys_sendmsg+0xf3/0x170 net/socket.c:2407 __sys_sendmsg+0xe5/0x1b0 net/socket.c:2440 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46 entry_SYSCALL_64_after_hwframe+0x44/0xa9 Freed by task 31068: kasan_save_stack+0x1b/0x40 mm/kasan/common.c:48 kasan_set_track+0x1c/0x30 mm/kasan/common.c:56 kasan_set_free_info+0x1b/0x30 mm/kasan/generic.c:355 __kasan_slab_free+0xd8/0x120 mm/kasan/common.c:422 __cache_free mm/slab.c:3418 [inline] kmem_cache_free.part.0+0x74/0x1e0 mm/slab.c:3693 kfree_skbmem+0x166/0x1b0 net/core/skbuff.c:643 kfree_skb+0x7d/0x100 include/linux/refcount.h:270 tipc_buf_append+0x6dc/0xcf0 net/tipc/msg.c:198 tipc_msg_reassemble+0x175/0x4f0 net/tipc/msg.c:790 tipc_mcast_xmit+0x699/0x1170 net/tipc/bcast.c:386 tipc_sendmcast+0xaaf/0xef0 net/tipc/socket.c:864 __tipc_sendmsg+0xee3/0x18a0 net/tipc/socket.c:1453 tipc_sendmsg+0x4c/0x70 net/tipc/socket.c:1386 sock_sendmsg_nosec net/socket.c:651 [inline] sock_sendmsg+0xcf/0x120 net/socket.c:671 ____sys_sendmsg+0x6e8/0x810 net/socket.c:2353 ___sys_sendmsg+0xf3/0x170 net/socket.c:2407 __sys_sendmsg+0xe5/0x1b0 net/socket.c:2440 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46 entry_SYSCALL_64_after_hwframe+0x44/0xa9 The buggy address belongs to the object at ffff88809f44d800 which belongs to the cache skbuff_fclone_cache of size 456 The buggy address is located 0 bytes inside of 456-byte region [ffff88809f44d800, ffff88809f44d9c8) The buggy address belongs to the page: page:00000000f32818e6 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x9f44d flags: 0xfffe0000000200(slab) raw: 00fffe0000000200 ffffea0002976b48 ffffea0002647cc8 ffff8880a903cd00 raw: 0000000000000000 ffff88809f44d080 0000000100000006 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff88809f44d700: fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc ffff88809f44d780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff88809f44d800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff88809f44d880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff88809f44d900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ==================================================================