netlink: 20 bytes leftover after parsing attributes in process `syz-executor.2'. ================================================================== BUG: KASAN: use-after-free in packet_rcv+0x5aa/0x1490 net/packet/af_packet.c:2104 Read of size 1 at addr ffff8880b156c9ec by task syz-executor.4/10205 CPU: 1 PID: 10205 Comm: syz-executor.4 Not tainted 4.19.211-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x1fc/0x2ef lib/dump_stack.c:118 print_address_description.cold+0x54/0x219 mm/kasan/report.c:256 kasan_report_error.cold+0x8a/0x1b9 mm/kasan/report.c:354 kasan_report mm/kasan/report.c:412 [inline] __asan_report_load1_noabort+0x88/0x90 mm/kasan/report.c:430 packet_rcv+0x5aa/0x1490 net/packet/af_packet.c:2104 deliver_skb net/core/dev.c:1956 [inline] __netif_receive_skb_core+0x19a7/0x3270 net/core/dev.c:4833 __netif_receive_skb_one_core+0xae/0x180 net/core/dev.c:4952 __netif_receive_skb+0x27/0x1c0 net/core/dev.c:5066 process_backlog+0x241/0x700 net/core/dev.c:5849 napi_poll net/core/dev.c:6280 [inline] net_rx_action+0x4ac/0xfb0 net/core/dev.c:6346 __do_softirq+0x265/0x980 kernel/softirq.c:292 invoke_softirq kernel/softirq.c:372 [inline] irq_exit+0x215/0x260 kernel/softirq.c:412 exiting_irq arch/x86/include/asm/apic.h:536 [inline] smp_apic_timer_interrupt+0x136/0x550 arch/x86/kernel/apic/apic.c:1098 apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:894 RIP: 0010:arch_local_irq_restore arch/x86/include/asm/paravirt.h:789 [inline] RIP: 0010:rcu_read_unlock_special+0x456/0xfc0 kernel/rcu/tree_plugin.h:601 Code: 00 00 00 00 00 fc ff df 48 c1 e8 03 80 3c 10 00 0f 85 bd 09 00 00 48 83 3d ee 24 a0 08 00 0f 84 37 06 00 00 48 8b 3c 24 57 9d <0f> 1f 44 00 00 48 83 c4 40 5b 5d 41 5c 41 5d 41 5e 41 5f c3 c3 48 RSP: 0018:ffff8880aaa076a0 EFLAGS: 00000286 ORIG_RAX: ffffffffffffff13 RAX: 1ffffffff13e3051 RBX: 0000000000000000 RCX: 1ffff11013576dd5 RDX: dffffc0000000000 RSI: ffff88809abb6eb0 RDI: 0000000000000286 RBP: ffff88809abb6974 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000000 R12: ffff88809abb6600 R13: ffff88809abb6976 R14: ffff88809abb6975 R15: ffffffff89f88280 __rcu_read_unlock+0x158/0x160 kernel/rcu/tree_plugin.h:428 rcu_read_unlock include/linux/rcupdate.h:680 [inline] __unlock_page_memcg+0x54/0x100 mm/memcontrol.c:1955 page_remove_rmap+0xe5/0x120 mm/rmap.c:1297 zap_pte_range mm/memory.c:1350 [inline] zap_pmd_range mm/memory.c:1463 [inline] zap_pud_range mm/memory.c:1492 [inline] zap_p4d_range mm/memory.c:1513 [inline] unmap_page_range+0x147d/0x2c50 mm/memory.c:1534 L1TF CPU bug present and SMT on, data leak possible. See CVE-2018-3646 and https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/l1tf.html for details. unmap_single_vma+0x198/0x300 mm/memory.c:1579 unmap_vmas+0xa9/0x180 mm/memory.c:1609 exit_mmap+0x2b9/0x530 mm/mmap.c:3093 __mmput kernel/fork.c:1016 [inline] mmput+0x14e/0x4a0 kernel/fork.c:1037 exit_mm kernel/exit.c:549 [inline] do_exit+0xaec/0x2be0 kernel/exit.c:857 do_group_exit+0x125/0x310 kernel/exit.c:967 get_signal+0x3f2/0x1f70 kernel/signal.c:2589 do_signal+0x8f/0x1670 arch/x86/kernel/signal.c:799 exit_to_usermode_loop+0x204/0x2a0 arch/x86/entry/common.c:163 prepare_exit_to_usermode arch/x86/entry/common.c:198 [inline] syscall_return_slowpath arch/x86/entry/common.c:271 [inline] do_syscall_64+0x538/0x620 arch/x86/entry/common.c:296 entry_SYSCALL_64_after_hwframe+0x49/0xbe RIP: 0033:0x7fb403560059 Code: Bad RIP value. RSP: 002b:00007fb401ed5168 EFLAGS: 00000246 ORIG_RAX: 0000000000000127 RAX: 0000000000000000 RBX: 00007fb403672f60 RCX: 00007fb403560059 RDX: 0000000000000199 RSI: 00000000200017c0 RDI: 0000000000000005 RBP: 00007fb4035ba08d R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000f0ff7f R11: 0000000000000246 R12: 0000000000000000 R13: 00007ffd1576276f R14: 00007fb401ed5300 R15: 0000000000022000 Allocated by task 10211: __do_kmalloc mm/slab.c:3727 [inline] __kmalloc+0x15a/0x3c0 mm/slab.c:3736 kmalloc include/linux/slab.h:520 [inline] sk_prot_alloc+0x1e2/0x2d0 net/core/sock.c:1483 sk_alloc+0x36/0xec0 net/core/sock.c:1537 packet_create+0x117/0x850 net/packet/af_packet.c:3259 __sock_create+0x3d8/0x740 net/socket.c:1365 sock_create net/socket.c:1416 [inline] __sys_socket+0xef/0x200 net/socket.c:1458 __do_sys_socket net/socket.c:1467 [inline] __se_sys_socket net/socket.c:1465 [inline] __x64_sys_socket+0x6f/0xb0 net/socket.c:1465 do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293 entry_SYSCALL_64_after_hwframe+0x49/0xbe Freed by task 10211: __cache_free mm/slab.c:3503 [inline] kfree+0xcc/0x210 mm/slab.c:3822 sk_prot_free net/core/sock.c:1520 [inline] __sk_destruct+0x684/0x8a0 net/core/sock.c:1602 sk_destruct net/core/sock.c:1617 [inline] __sk_free+0x165/0x3b0 net/core/sock.c:1628 sk_free+0x3b/0x50 net/core/sock.c:1639 sock_put include/net/sock.h:1713 [inline] packet_release+0x890/0xb70 net/packet/af_packet.c:3088 __sock_release+0xcd/0x2a0 net/socket.c:599 sock_close+0x15/0x20 net/socket.c:1214 __fput+0x2ce/0x890 fs/file_table.c:278 task_work_run+0x148/0x1c0 kernel/task_work.c:113 exit_task_work include/linux/task_work.h:22 [inline] do_exit+0xbf3/0x2be0 kernel/exit.c:870 do_group_exit+0x125/0x310 kernel/exit.c:967 get_signal+0x3f2/0x1f70 kernel/signal.c:2589 do_signal+0x8f/0x1670 arch/x86/kernel/signal.c:799 exit_to_usermode_loop+0x204/0x2a0 arch/x86/entry/common.c:163 prepare_exit_to_usermode arch/x86/entry/common.c:198 [inline] syscall_return_slowpath arch/x86/entry/common.c:271 [inline] do_syscall_64+0x538/0x620 arch/x86/entry/common.c:296 entry_SYSCALL_64_after_hwframe+0x49/0xbe The buggy address belongs to the object at ffff8880b156c2c0 which belongs to the cache kmalloc-4096 of size 4096 The buggy address is located 1836 bytes inside of 4096-byte region [ffff8880b156c2c0, ffff8880b156d2c0) The buggy address belongs to the page: page:ffffea0002c55b00 count:1 mapcount:0 mapping:ffff88813bff0dc0 index:0x0 compound_mapcount: 0 flags: 0xfff00000008100(slab|head) raw: 00fff00000008100 ffffea00025a3388 ffffea00026f6e88 ffff88813bff0dc0 raw: 0000000000000000 ffff8880b156c2c0 0000000100000001 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff8880b156c880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8880b156c900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff8880b156c980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff8880b156ca00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8880b156ca80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ================================================================== ---------------- Code disassembly (best guess), 7 bytes skipped: 0: df 48 c1 fisttps -0x3f(%rax) 3: e8 03 80 3c 10 callq 0x103c800b 8: 00 0f add %cl,(%rdi) a: 85 bd 09 00 00 48 test %edi,0x48000009(%rbp) 10: 83 3d ee 24 a0 08 00 cmpl $0x0,0x8a024ee(%rip) # 0x8a02505 17: 0f 84 37 06 00 00 je 0x654 1d: 48 8b 3c 24 mov (%rsp),%rdi 21: 57 push %rdi 22: 9d popfq * 23: 0f 1f 44 00 00 nopl 0x0(%rax,%rax,1) <-- trapping instruction 28: 48 83 c4 40 add $0x40,%rsp 2c: 5b pop %rbx 2d: 5d pop %rbp 2e: 41 5c pop %r12 30: 41 5d pop %r13 32: 41 5e pop %r14 34: 41 5f pop %r15 36: c3 retq 37: c3 retq 38: 48 rex.W