================================================================== BUG: KASAN: global-out-of-bounds in nfnetlink_parse_nat net/netfilter/nf_nat_core.c:847 [inline] BUG: KASAN: global-out-of-bounds in nfnetlink_parse_nat_setup+0x5ed/0x640 net/netfilter/nf_nat_core.c:884 Read of size 8 at addr ffffffff883072d8 by task syz-executor.4/11963 CPU: 0 PID: 11963 Comm: syz-executor.4 Not tainted 4.19.133-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x1fc/0x2fe lib/dump_stack.c:118 print_address_description.cold+0x5/0x219 mm/kasan/report.c:256 kasan_report_error.cold+0x8a/0x1c7 mm/kasan/report.c:354 kasan_report mm/kasan/report.c:412 [inline] __asan_report_load8_noabort+0x88/0x90 mm/kasan/report.c:433 nfnetlink_parse_nat net/netfilter/nf_nat_core.c:847 [inline] nfnetlink_parse_nat_setup+0x5ed/0x640 net/netfilter/nf_nat_core.c:884 ctnetlink_parse_nat_setup+0xb6/0x640 net/netfilter/nf_conntrack_netlink.c:1521 ctnetlink_setup_nat net/netfilter/nf_conntrack_netlink.c:1596 [inline] ctnetlink_create_conntrack+0x505/0x12c0 net/netfilter/nf_conntrack_netlink.c:1984 ctnetlink_new_conntrack+0x4f3/0xde0 net/netfilter/nf_conntrack_netlink.c:2114 TCP: request_sock_TCPv6: Possible SYN flooding on port 20002. Sending cookies. Check SNMP counters. nfnetlink_rcv_msg+0xc4f/0xf60 net/netfilter/nfnetlink.c:228 netlink_rcv_skb+0x160/0x440 net/netlink/af_netlink.c:2455 nfnetlink_rcv+0x1b2/0x41b net/netfilter/nfnetlink.c:560 netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline] netlink_unicast+0x4d5/0x690 net/netlink/af_netlink.c:1344 netlink_sendmsg+0x6bb/0xc40 net/netlink/af_netlink.c:1909 sock_sendmsg_nosec net/socket.c:622 [inline] sock_sendmsg+0xc3/0x120 net/socket.c:632 ___sys_sendmsg+0x7bb/0x8e0 net/socket.c:2115 __sys_sendmsg net/socket.c:2153 [inline] __do_sys_sendmsg net/socket.c:2162 [inline] __se_sys_sendmsg net/socket.c:2160 [inline] __x64_sys_sendmsg+0x132/0x220 net/socket.c:2160 do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293 entry_SYSCALL_64_after_hwframe+0x49/0xbe RIP: 0033:0x45c1d9 Code: 8d b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 5b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 RSP: 002b:00007f8488a4ac78 EFLAGS: 00000246 ORIG_RAX: 000000000000002e RAX: ffffffffffffffda RBX: 00000000000273c0 RCX: 000000000045c1d9 RDX: 0000000000000000 RSI: 0000000020000300 RDI: 0000000000000004 RBP: 000000000078bf40 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 000000000078bf0c R13: 00007ffd0d20596f R14: 00007f8488a4b9c0 R15: 000000000078bf0c The buggy address belongs to the variable: nft_flow_offload_policy+0x38/0x100 Memory state around the buggy address: ffffffff88307180: 00 00 00 00 fa fa fa fa 00 00 00 00 00 00 00 00 ffffffff88307200: 00 00 00 00 00 fa fa fa fa fa fa fa 00 05 fa fa >ffffffff88307280: fa fa fa fa 00 00 00 00 fa fa fa fa 00 00 07 fa ^ ffffffff88307300: fa fa fa fa 00 00 00 00 fa fa fa fa 00 00 00 00 ffffffff88307380: fa fa fa fa 00 00 00 00 00 00 fa fa fa fa fa fa ==================================================================