bisecting cause commit starting from 9f68e3655aae6d49d6ba05dd263f99f33c2567af building syzkaller on 0eb59c27682ecbe1d467de4c4accbb3f9c807042 testing commit 9f68e3655aae6d49d6ba05dd263f99f33c2567af with gcc (GCC) 8.1.0 kernel signature: 78246d18ea1b5b71dbd8d8d3a6ab87c69ebf676cb13bca860af11d1a1e89394a all runs: crashed: KASAN: use-after-free Read in root_remove_peer_lists testing release v5.5 testing commit d5226fa6dbae0569ee43ecfc08bdcd6770fc4755 with gcc (GCC) 8.1.0 kernel signature: 4c75108e967e30ceac9282097f549dbf22b8de6643e09e52436beb5bed8ac97e all runs: OK # git bisect start 9f68e3655aae6d49d6ba05dd263f99f33c2567af d5226fa6dbae0569ee43ecfc08bdcd6770fc4755 Bisecting: 3686 revisions left to test after this (roughly 12 steps) [fb95aae6e67c4e319a24b3eea32032d4246a5335] Merge tag 'sound-5.6-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound testing commit fb95aae6e67c4e319a24b3eea32032d4246a5335 with gcc (GCC) 8.1.0 kernel signature: eb7a11c96693203e98db5a02d59162902bdf78a2fdc57a75085444ed5fa0c1b2 all runs: crashed: KASAN: use-after-free Read in root_remove_peer_lists # git bisect bad fb95aae6e67c4e319a24b3eea32032d4246a5335 Bisecting: 2267 revisions left to test after this (roughly 11 steps) [f76e4c167ea2212e23c15ee7e601a865e822c291] net: phy: add default ARCH_BCM_IPROC for MDIO_BCM_IPROC testing commit f76e4c167ea2212e23c15ee7e601a865e822c291 with gcc (GCC) 8.1.0 kernel signature: 443213cb13a30cd68725a2e0bd3917ffa8ad6a0ab7c8042cbfc00beba5734070 all runs: crashed: KASAN: use-after-free Read in root_remove_peer_lists # git bisect bad f76e4c167ea2212e23c15ee7e601a865e822c291 Bisecting: 810 revisions left to test after this (roughly 10 steps) [f41aa387a7896c193b384c5fb531cd2cb9e00128] Merge branch 'selftest-makefile-cleanup' testing commit f41aa387a7896c193b384c5fb531cd2cb9e00128 with gcc (GCC) 8.1.0 kernel signature: 8051fbb1448da350d255a414c90ef8f9f4751229d66ba693f4739fa52afb78b2 all runs: crashed: KASAN: use-after-free Read in root_remove_peer_lists # git bisect bad f41aa387a7896c193b384c5fb531cd2cb9e00128 Bisecting: 404 revisions left to test after this (roughly 9 steps) [9f6cff995e98258b6b81cc864532f633e5b3a081] Merge branch 'Simplify-IPv6-route-offload-API' testing commit 9f6cff995e98258b6b81cc864532f633e5b3a081 with gcc (GCC) 8.1.0 kernel signature: 7df365c577aa818671d4534d0833a1c3f99f7f99518ba6911daaa0873f915bca all runs: crashed: KASAN: use-after-free Read in root_remove_peer_lists # git bisect bad 9f6cff995e98258b6b81cc864532f633e5b3a081 Bisecting: 202 revisions left to test after this (roughly 8 steps) [206f54b66cbf6f71e9e86f50f60ffdf7f565c3b7] net: bcmgenet: Utilize bcmgenet_set_features() during resume/open testing commit 206f54b66cbf6f71e9e86f50f60ffdf7f565c3b7 with gcc (GCC) 8.1.0 kernel signature: 0e4a7cbde3cc82f487c00a40a7d52c979635d52491e77c3fc53a4976e3a6b2ee all runs: crashed: KASAN: use-after-free Read in root_remove_peer_lists # git bisect bad 206f54b66cbf6f71e9e86f50f60ffdf7f565c3b7 Bisecting: 101 revisions left to test after this (roughly 7 steps) [a8674f753e36f566d6c1d992ab85323d784281d9] ipv4: Notify newly added route if should be offloaded testing commit a8674f753e36f566d6c1d992ab85323d784281d9 with gcc (GCC) 8.1.0 kernel signature: d84199ce722b466365dba4b230d9aff7c5d4162a3e368587cd81f115f7d69f84 all runs: crashed: KASAN: use-after-free Read in root_remove_peer_lists # git bisect bad a8674f753e36f566d6c1d992ab85323d784281d9 Bisecting: 49 revisions left to test after this (roughly 6 steps) [bea0f4a5115aaf6f59c6d2125f52ff149874b6d2] Merge branch 'sfp-slow-to-probe-copper' testing commit bea0f4a5115aaf6f59c6d2125f52ff149874b6d2 with gcc (GCC) 8.1.0 kernel signature: ff4fcd8548a143398607021e5922b56832a496e7a56b19d9e11733e5efa074e7 all runs: crashed: KASAN: use-after-free Read in root_remove_peer_lists # git bisect bad bea0f4a5115aaf6f59c6d2125f52ff149874b6d2 Bisecting: 24 revisions left to test after this (roughly 5 steps) [bb9d8454bb0fed028558d1e66b12d50db5e43e06] Merge branch 'tipc-introduce-variable-window-congestion-control' testing commit bb9d8454bb0fed028558d1e66b12d50db5e43e06 with gcc (GCC) 8.1.0 kernel signature: 6eab893f8891d2b8083a6aad425d59729912bd173b2b48fe690750d1aeb387e8 all runs: crashed: KASAN: use-after-free Read in root_remove_peer_lists # git bisect bad bb9d8454bb0fed028558d1e66b12d50db5e43e06 Bisecting: 12 revisions left to test after this (roughly 4 steps) [e70ac628289766bc2c81a0db161368b69da774fd] qed: remove redundant assignments to rc testing commit e70ac628289766bc2c81a0db161368b69da774fd with gcc (GCC) 8.1.0 kernel signature: 039ed43be2105259cdf5d6b5ac059caba544845ecb913744feb0e097898a6ff0 all runs: crashed: KASAN: use-after-free Read in root_remove_peer_lists # git bisect bad e70ac628289766bc2c81a0db161368b69da774fd Bisecting: 6 revisions left to test after this (roughly 3 steps) [3cd9d35ee5f7a23203443f1a0d3c344f034c0dc7] dt-bindings: net: bluetooth: Minor fix in broadcom-bluetooth testing commit 3cd9d35ee5f7a23203443f1a0d3c344f034c0dc7 with gcc (GCC) 8.1.0 kernel signature: 9fb9786ec01871fdd3c0355292530090956592a088b56802575614a292615d46 all runs: OK # git bisect good 3cd9d35ee5f7a23203443f1a0d3c344f034c0dc7 Bisecting: 3 revisions left to test after this (roughly 2 steps) [7ecacafc240638148567742cca41aa7144b4fe1e] Bluetooth: btusb: Disable runtime suspend on Realtek devices testing commit 7ecacafc240638148567742cca41aa7144b4fe1e with gcc (GCC) 8.1.0 kernel signature: e81c4555cb043da75fb9e62b54ae99eeae66ad4c9de3541f4c9f3bab815eff83 all runs: OK # git bisect good 7ecacafc240638148567742cca41aa7144b4fe1e Bisecting: 1 revision left to test after this (roughly 1 step) [4a63ef710cc3e79ce58b46b122118e415a44b3db] Merge branch 'for-upstream' of git://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth-next testing commit 4a63ef710cc3e79ce58b46b122118e415a44b3db with gcc (GCC) 8.1.0 kernel signature: 06d6001a86009dba077b5fd194c3c5d40e654cfe68f5e8b02855c1695f1e0ba3 all runs: crashed: KASAN: use-after-free Read in root_remove_peer_lists # git bisect bad 4a63ef710cc3e79ce58b46b122118e415a44b3db Bisecting: 0 revisions left to test after this (roughly 0 steps) [e7096c131e5161fa3b8e52a650d7719d2857adfd] net: WireGuard secure network tunnel testing commit e7096c131e5161fa3b8e52a650d7719d2857adfd with gcc (GCC) 8.1.0 kernel signature: 3b05a1b2d24eebf3baecc0360abd40bb46293a952aae63d5e4b48a3d3e2406ea all runs: crashed: KASAN: use-after-free Read in root_remove_peer_lists # git bisect bad e7096c131e5161fa3b8e52a650d7719d2857adfd e7096c131e5161fa3b8e52a650d7719d2857adfd is the first bad commit commit e7096c131e5161fa3b8e52a650d7719d2857adfd Author: Jason A. Donenfeld Date: Mon Dec 9 00:27:34 2019 +0100 net: WireGuard secure network tunnel WireGuard is a layer 3 secure networking tunnel made specifically for the kernel, that aims to be much simpler and easier to audit than IPsec. Extensive documentation and description of the protocol and considerations, along with formal proofs of the cryptography, are available at: * https://www.wireguard.com/ * https://www.wireguard.com/papers/wireguard.pdf This commit implements WireGuard as a simple network device driver, accessible in the usual RTNL way used by virtual network drivers. It makes use of the udp_tunnel APIs, GRO, GSO, NAPI, and the usual set of networking subsystem APIs. It has a somewhat novel multicore queueing system designed for maximum throughput and minimal latency of encryption operations, but it is implemented modestly using workqueues and NAPI. Configuration is done via generic Netlink, and following a review from the Netlink maintainer a year ago, several high profile userspace tools have already implemented the API. This commit also comes with several different tests, both in-kernel tests and out-of-kernel tests based on network namespaces, taking profit of the fact that sockets used by WireGuard intentionally stay in the namespace the WireGuard interface was originally created, exactly like the semantics of userspace tun devices. See wireguard.com/netns/ for pictures and examples. The source code is fairly short, but rather than combining everything into a single file, WireGuard is developed as cleanly separable files, making auditing and comprehension easier. Things are laid out as follows: * noise.[ch], cookie.[ch], messages.h: These implement the bulk of the cryptographic aspects of the protocol, and are mostly data-only in nature, taking in buffers of bytes and spitting out buffers of bytes. They also handle reference counting for their various shared pieces of data, like keys and key lists. * ratelimiter.[ch]: Used as an integral part of cookie.[ch] for ratelimiting certain types of cryptographic operations in accordance with particular WireGuard semantics. * allowedips.[ch], peerlookup.[ch]: The main lookup structures of WireGuard, the former being trie-like with particular semantics, an integral part of the design of the protocol, and the latter just being nice helper functions around the various hashtables we use. * device.[ch]: Implementation of functions for the netdevice and for rtnl, responsible for maintaining the life of a given interface and wiring it up to the rest of WireGuard. * peer.[ch]: Each interface has a list of peers, with helper functions available here for creation, destruction, and reference counting. * socket.[ch]: Implementation of functions related to udp_socket and the general set of kernel socket APIs, for sending and receiving ciphertext UDP packets, and taking care of WireGuard-specific sticky socket routing semantics for the automatic roaming. * netlink.[ch]: Userspace API entry point for configuring WireGuard peers and devices. The API has been implemented by several userspace tools and network management utility, and the WireGuard project distributes the basic wg(8) tool. * queueing.[ch]: Shared function on the rx and tx path for handling the various queues used in the multicore algorithms. * send.c: Handles encrypting outgoing packets in parallel on multiple cores, before sending them in order on a single core, via workqueues and ring buffers. Also handles sending handshake and cookie messages as part of the protocol, in parallel. * receive.c: Handles decrypting incoming packets in parallel on multiple cores, before passing them off in order to be ingested via the rest of the networking subsystem with GRO via the typical NAPI poll function. Also handles receiving handshake and cookie messages as part of the protocol, in parallel. * timers.[ch]: Uses the timer wheel to implement protocol particular event timeouts, and gives a set of very simple event-driven entry point functions for callers. * main.c, version.h: Initialization and deinitialization of the module. * selftest/*.h: Runtime unit tests for some of the most security sensitive functions. * tools/testing/selftests/wireguard/netns.sh: Aforementioned testing script using network namespaces. This commit aims to be as self-contained as possible, implementing WireGuard as a standalone module not needing much special handling or coordination from the network subsystem. I expect for future optimizations to the network stack to positively improve WireGuard, and vice-versa, but for the time being, this exists as intentionally standalone. We introduce a menu option for CONFIG_WIREGUARD, as well as providing a verbose debug log and self-tests via CONFIG_WIREGUARD_DEBUG. Signed-off-by: Jason A. Donenfeld Cc: David Miller Cc: Greg KH Cc: Linus Torvalds Cc: Herbert Xu Cc: linux-crypto@vger.kernel.org Cc: linux-kernel@vger.kernel.org Cc: netdev@vger.kernel.org Signed-off-by: David S. Miller MAINTAINERS | 8 + drivers/net/Kconfig | 41 ++ drivers/net/Makefile | 1 + drivers/net/wireguard/Makefile | 18 + drivers/net/wireguard/allowedips.c | 381 ++++++++++++ drivers/net/wireguard/allowedips.h | 59 ++ drivers/net/wireguard/cookie.c | 236 ++++++++ drivers/net/wireguard/cookie.h | 59 ++ drivers/net/wireguard/device.c | 458 +++++++++++++++ drivers/net/wireguard/device.h | 73 +++ drivers/net/wireguard/main.c | 64 +++ drivers/net/wireguard/messages.h | 128 +++++ drivers/net/wireguard/netlink.c | 642 +++++++++++++++++++++ drivers/net/wireguard/netlink.h | 12 + drivers/net/wireguard/noise.c | 828 +++++++++++++++++++++++++++ drivers/net/wireguard/noise.h | 137 +++++ drivers/net/wireguard/peer.c | 240 ++++++++ drivers/net/wireguard/peer.h | 83 +++ drivers/net/wireguard/peerlookup.c | 221 +++++++ drivers/net/wireguard/peerlookup.h | 64 +++ drivers/net/wireguard/queueing.c | 53 ++ drivers/net/wireguard/queueing.h | 197 +++++++ drivers/net/wireguard/ratelimiter.c | 223 ++++++++ drivers/net/wireguard/ratelimiter.h | 19 + drivers/net/wireguard/receive.c | 595 +++++++++++++++++++ drivers/net/wireguard/selftest/allowedips.c | 683 ++++++++++++++++++++++ drivers/net/wireguard/selftest/counter.c | 104 ++++ drivers/net/wireguard/selftest/ratelimiter.c | 226 ++++++++ drivers/net/wireguard/send.c | 413 +++++++++++++ drivers/net/wireguard/socket.c | 437 ++++++++++++++ drivers/net/wireguard/socket.h | 44 ++ drivers/net/wireguard/timers.c | 243 ++++++++ drivers/net/wireguard/timers.h | 31 + drivers/net/wireguard/version.h | 1 + include/uapi/linux/wireguard.h | 196 +++++++ tools/testing/selftests/wireguard/netns.sh | 537 +++++++++++++++++ 36 files changed, 7755 insertions(+) create mode 100644 drivers/net/wireguard/Makefile create mode 100644 drivers/net/wireguard/allowedips.c create mode 100644 drivers/net/wireguard/allowedips.h create mode 100644 drivers/net/wireguard/cookie.c create mode 100644 drivers/net/wireguard/cookie.h create mode 100644 drivers/net/wireguard/device.c create mode 100644 drivers/net/wireguard/device.h create mode 100644 drivers/net/wireguard/main.c create mode 100644 drivers/net/wireguard/messages.h create mode 100644 drivers/net/wireguard/netlink.c create mode 100644 drivers/net/wireguard/netlink.h create mode 100644 drivers/net/wireguard/noise.c create mode 100644 drivers/net/wireguard/noise.h create mode 100644 drivers/net/wireguard/peer.c create mode 100644 drivers/net/wireguard/peer.h create mode 100644 drivers/net/wireguard/peerlookup.c create mode 100644 drivers/net/wireguard/peerlookup.h create mode 100644 drivers/net/wireguard/queueing.c create mode 100644 drivers/net/wireguard/queueing.h create mode 100644 drivers/net/wireguard/ratelimiter.c create mode 100644 drivers/net/wireguard/ratelimiter.h create mode 100644 drivers/net/wireguard/receive.c create mode 100644 drivers/net/wireguard/selftest/allowedips.c create mode 100644 drivers/net/wireguard/selftest/counter.c create mode 100644 drivers/net/wireguard/selftest/ratelimiter.c create mode 100644 drivers/net/wireguard/send.c create mode 100644 drivers/net/wireguard/socket.c create mode 100644 drivers/net/wireguard/socket.h create mode 100644 drivers/net/wireguard/timers.c create mode 100644 drivers/net/wireguard/timers.h create mode 100644 drivers/net/wireguard/version.h create mode 100644 include/uapi/linux/wireguard.h create mode 100755 tools/testing/selftests/wireguard/netns.sh parent commit e42617b825f8073569da76dc4510bfa019b1c35a wasn't tested testing commit e42617b825f8073569da76dc4510bfa019b1c35a with gcc (GCC) 8.1.0 kernel signature: d443f679a6468c3571d367134675b2fe92fe2bc27e8d1f044b565253697b3c9e culprit signature: 3b05a1b2d24eebf3baecc0360abd40bb46293a952aae63d5e4b48a3d3e2406ea parent signature: d443f679a6468c3571d367134675b2fe92fe2bc27e8d1f044b565253697b3c9e revisions tested: 15, total time: 3h3m33.115782668s (build: 1h41m30.50026249s, test: 1h18m19.248944405s) first bad commit: e7096c131e5161fa3b8e52a650d7719d2857adfd net: WireGuard secure network tunnel cc: ["davem@davemloft.net" "jason@zx2c4.com"] crash: KASAN: use-after-free Read in root_remove_peer_lists ================================================================== BUG: KASAN: use-after-free in __list_del_entry_valid+0xe7/0xf3 lib/list_debug.c:54 Read of size 8 at addr ffff8880a27b96b8 by task syz-executor.3/8323 CPU: 0 PID: 8323 Comm: syz-executor.3 Not tainted 5.5.0-rc1-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x12d/0x187 lib/dump_stack.c:118 print_address_description.constprop.8.cold.10+0x9/0x31d mm/kasan/report.c:374 __kasan_report.cold.11+0x1b/0x3a mm/kasan/report.c:506 kasan_report+0x12/0x20 mm/kasan/common.c:639 __asan_report_load8_noabort+0x14/0x20 mm/kasan/generic_report.c:135 __list_del_entry_valid+0xe7/0xf3 lib/list_debug.c:54 __list_del_entry include/linux/list.h:131 [inline] list_del include/linux/list.h:139 [inline] root_remove_peer_lists+0x1c7/0x420 drivers/net/wireguard/allowedips.c:70 wg_allowedips_free+0x1ba/0x2d0 drivers/net/wireguard/allowedips.c:305 wg_peer_remove_all+0xc5/0x5f0 drivers/net/wireguard/peer.c:187 wg_set_device+0xbde/0x1180 drivers/net/wireguard/netlink.c:542 genl_family_rcv_msg_doit net/netlink/genetlink.c:672 [inline] genl_family_rcv_msg net/netlink/genetlink.c:717 [inline] genl_rcv_msg+0x5d9/0x10e0 net/netlink/genetlink.c:734 netlink_rcv_skb+0x13c/0x380 net/netlink/af_netlink.c:2477 genl_rcv+0x23/0x40 net/netlink/genetlink.c:745 netlink_unicast_kernel net/netlink/af_netlink.c:1302 [inline] netlink_unicast+0x45e/0x6a0 net/netlink/af_netlink.c:1328 netlink_sendmsg+0x7b0/0xcb0 net/netlink/af_netlink.c:1917 sock_sendmsg_nosec net/socket.c:639 [inline] sock_sendmsg+0xb5/0xf0 net/socket.c:659 ____sys_sendmsg+0x603/0x950 net/socket.c:2330 ___sys_sendmsg+0xe4/0x160 net/socket.c:2384 __sys_sendmsg+0xd9/0x180 net/socket.c:2417 __do_sys_sendmsg net/socket.c:2426 [inline] __se_sys_sendmsg net/socket.c:2424 [inline] __x64_sys_sendmsg+0x73/0xb0 net/socket.c:2424 do_syscall_64+0xca/0x5f0 arch/x86/entry/common.c:294 entry_SYSCALL_64_after_hwframe+0x49/0xbe RIP: 0033:0x45b399 Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 RSP: 002b:00007f9b1a002c78 EFLAGS: 00000246 ORIG_RAX: 000000000000002e RAX: ffffffffffffffda RBX: 00007f9b1a0036d4 RCX: 000000000045b399 RDX: 0000000000000000 RSI: 0000000020001340 RDI: 0000000000000003 RBP: 000000000075bf20 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000004 R13: 00000000000009ba R14: 00000000004cb2b8 R15: 0000000000000009 Allocated by task 8320: save_stack+0x21/0x90 mm/kasan/common.c:72 set_track mm/kasan/common.c:80 [inline] __kasan_kmalloc.constprop.17+0xc7/0xd0 mm/kasan/common.c:513 kasan_kmalloc+0x9/0x10 mm/kasan/common.c:527 kmem_cache_alloc_trace+0x15b/0x780 mm/slab.c:3551 kmalloc include/linux/slab.h:556 [inline] kzalloc include/linux/slab.h:670 [inline] add+0x4e4/0x1810 drivers/net/wireguard/allowedips.c:241 wg_allowedips_insert_v4+0xc7/0x170 drivers/net/wireguard/allowedips.c:325 set_allowedip drivers/net/wireguard/netlink.c:343 [inline] set_peer+0xd09/0x10e0 drivers/net/wireguard/netlink.c:468 wg_set_device+0x876/0x1180 drivers/net/wireguard/netlink.c:591 genl_family_rcv_msg_doit net/netlink/genetlink.c:672 [inline] genl_family_rcv_msg net/netlink/genetlink.c:717 [inline] genl_rcv_msg+0x5d9/0x10e0 net/netlink/genetlink.c:734 netlink_rcv_skb+0x13c/0x380 net/netlink/af_netlink.c:2477 genl_rcv+0x23/0x40 net/netlink/genetlink.c:745 netlink_unicast_kernel net/netlink/af_netlink.c:1302 [inline] netlink_unicast+0x45e/0x6a0 net/netlink/af_netlink.c:1328 netlink_sendmsg+0x7b0/0xcb0 net/netlink/af_netlink.c:1917 sock_sendmsg_nosec net/socket.c:639 [inline] sock_sendmsg+0xb5/0xf0 net/socket.c:659 ____sys_sendmsg+0x603/0x950 net/socket.c:2330 ___sys_sendmsg+0xe4/0x160 net/socket.c:2384 __sys_sendmsg+0xd9/0x180 net/socket.c:2417 __do_sys_sendmsg net/socket.c:2426 [inline] __se_sys_sendmsg net/socket.c:2424 [inline] __x64_sys_sendmsg+0x73/0xb0 net/socket.c:2424 do_syscall_64+0xca/0x5f0 arch/x86/entry/common.c:294 entry_SYSCALL_64_after_hwframe+0x49/0xbe Freed by task 8320: save_stack+0x21/0x90 mm/kasan/common.c:72 set_track mm/kasan/common.c:80 [inline] kasan_set_free_info mm/kasan/common.c:335 [inline] __kasan_slab_free+0x102/0x150 mm/kasan/common.c:474 kasan_slab_free+0xe/0x10 mm/kasan/common.c:483 __cache_free mm/slab.c:3426 [inline] kfree+0x108/0x2c0 mm/slab.c:3757 add+0xf90/0x1810 drivers/net/wireguard/allowedips.c:271 wg_allowedips_insert_v4+0xc7/0x170 drivers/net/wireguard/allowedips.c:325 set_allowedip drivers/net/wireguard/netlink.c:343 [inline] set_peer+0xd09/0x10e0 drivers/net/wireguard/netlink.c:468 wg_set_device+0x876/0x1180 drivers/net/wireguard/netlink.c:591 genl_family_rcv_msg_doit net/netlink/genetlink.c:672 [inline] genl_family_rcv_msg net/netlink/genetlink.c:717 [inline] genl_rcv_msg+0x5d9/0x10e0 net/netlink/genetlink.c:734 netlink_rcv_skb+0x13c/0x380 net/netlink/af_netlink.c:2477 genl_rcv+0x23/0x40 net/netlink/genetlink.c:745 netlink_unicast_kernel net/netlink/af_netlink.c:1302 [inline] netlink_unicast+0x45e/0x6a0 net/netlink/af_netlink.c:1328 netlink_sendmsg+0x7b0/0xcb0 net/netlink/af_netlink.c:1917 sock_sendmsg_nosec net/socket.c:639 [inline] sock_sendmsg+0xb5/0xf0 net/socket.c:659 ____sys_sendmsg+0x603/0x950 net/socket.c:2330 ___sys_sendmsg+0xe4/0x160 net/socket.c:2384 __sys_sendmsg+0xd9/0x180 net/socket.c:2417 __do_sys_sendmsg net/socket.c:2426 [inline] __se_sys_sendmsg net/socket.c:2424 [inline] __x64_sys_sendmsg+0x73/0xb0 net/socket.c:2424 do_syscall_64+0xca/0x5f0 arch/x86/entry/common.c:294 entry_SYSCALL_64_after_hwframe+0x49/0xbe The buggy address belongs to the object at ffff8880a27b9680 which belongs to the cache kmalloc-64 of size 64 The buggy address is located 56 bytes inside of 64-byte region [ffff8880a27b9680, ffff8880a27b96c0) The buggy address belongs to the page: page:ffffea000289ee40 refcount:1 mapcount:0 mapping:ffff8880aa400380 index:0x0 raw: 00fffe0000000200 ffffea00028b8948 ffffea00028ae5c8 ffff8880aa400380 raw: 0000000000000000 ffff8880a27b9000 0000000100000020 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff8880a27b9580: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc ffff8880a27b9600: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc >ffff8880a27b9680: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc ^ ffff8880a27b9700: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc ffff8880a27b9780: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc ==================================================================