netlink: 24 bytes leftover after parsing attributes in process `syz-executor.5'. ================================================================== BUG: KASAN: use-after-free in __lock_acquire+0x2cb4/0x3ff0 kernel/locking/lockdep.c:3295 Read of size 8 at addr ffff8880b0cab8c8 by task syz-executor.3/22028 CPU: 1 PID: 22028 Comm: syz-executor.3 Not tainted 4.19.211-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/12/2023 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x1fc/0x2ef lib/dump_stack.c:118 print_address_description.cold+0x54/0x219 mm/kasan/report.c:256 kasan_report_error.cold+0x8a/0x1b9 mm/kasan/report.c:354 kasan_report mm/kasan/report.c:412 [inline] __asan_report_load8_noabort+0x88/0x90 mm/kasan/report.c:433 __lock_acquire+0x2cb4/0x3ff0 kernel/locking/lockdep.c:3295 lock_acquire+0x170/0x3c0 kernel/locking/lockdep.c:3908 __raw_spin_lock_bh include/linux/spinlock_api_smp.h:135 [inline] _raw_spin_lock_bh+0x2f/0x40 kernel/locking/spinlock.c:168 spin_lock_bh include/linux/spinlock.h:334 [inline] psock_map_pop.constprop.0+0x28/0x1f0 kernel/bpf/sockmap.c:302 bpf_tcp_remove+0x47d/0xa00 kernel/bpf/sockmap.c:366 bpf_tcp_close+0x12b/0x390 kernel/bpf/sockmap.c:403 inet_release+0xd7/0x1e0 net/ipv4/af_inet.c:427 inet6_release+0x4c/0x70 net/ipv6/af_inet6.c:472 __sock_release+0xcd/0x2a0 net/socket.c:599 sock_close+0x15/0x20 net/socket.c:1214 __fput+0x2ce/0x890 fs/file_table.c:278 task_work_run+0x148/0x1c0 kernel/task_work.c:113 tracehook_notify_resume include/linux/tracehook.h:193 [inline] exit_to_usermode_loop+0x251/0x2a0 arch/x86/entry/common.c:167 prepare_exit_to_usermode arch/x86/entry/common.c:198 [inline] syscall_return_slowpath arch/x86/entry/common.c:271 [inline] do_syscall_64+0x538/0x620 arch/x86/entry/common.c:296 entry_SYSCALL_64_after_hwframe+0x49/0xbe RIP: 0033:0x7fed044ff0c9 Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 19 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007fed02a71168 EFLAGS: 00000246 ORIG_RAX: 0000000000000003 RAX: 0000000000000000 RBX: 00007fed0461ef80 RCX: 00007fed044ff0c9 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000006 RBP: 00007fed0455aae9 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 dccp_close: ABORT with 3 bytes unread R13: 00007ffec4b52eef R14: 00007fed02a71300 R15: 0000000000022000 Allocated by task 22028: kmem_cache_alloc_node_trace+0x151/0x3b0 mm/slab.c:3668 kmalloc_node include/linux/slab.h:553 [inline] kzalloc_node include/linux/slab.h:720 [inline] smap_init_psock kernel/bpf/sockmap.c:1636 [inline] __sock_map_ctx_update_elem.constprop.0+0x366/0xea0 kernel/bpf/sockmap.c:1940 sock_hash_ctx_update_elem.isra.0+0x69d/0x1100 kernel/bpf/sockmap.c:2411 sock_hash_update_elem+0x210/0x480 kernel/bpf/sockmap.c:2495 map_update_elem kernel/bpf/syscall.c:821 [inline] __do_sys_bpf kernel/bpf/syscall.c:2414 [inline] __se_sys_bpf+0x2cf1/0x3a20 kernel/bpf/syscall.c:2384 do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293 entry_SYSCALL_64_after_hwframe+0x49/0xbe Freed by task 4385: __cache_free mm/slab.c:3503 [inline] kfree+0xcc/0x210 mm/slab.c:3822 process_one_work+0x864/0x1570 kernel/workqueue.c:2153 worker_thread+0x64c/0x1130 kernel/workqueue.c:2296 kthread+0x33f/0x460 kernel/kthread.c:259 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415 The buggy address belongs to the object at ffff8880b0cab680 which belongs to the cache kmalloc-1024 of size 1024 The buggy address is located 584 bytes inside of 1024-byte region [ffff8880b0cab680, ffff8880b0caba80) The buggy address belongs to the page: page:ffffea0002c32a80 count:1 mapcount:0 mapping:ffff88813bff0ac0 index:0xffff8880b0caa000 compound_mapcount: 0 flags: 0xfff00000008100(slab|head) raw: 00fff00000008100 ffffea0002b85c08 ffffea0002917208 ffff88813bff0ac0 raw: ffff8880b0caa000 ffff8880b0caa000 0000000100000005 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff8880b0cab780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8880b0cab800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff8880b0cab880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff8880b0cab900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8880b0cab980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ==================================================================