[ 399.508144] netlink: 32 bytes leftover after parsing attributes in process `syz-executor.3'.
[ 399.550236] netlink: 32 bytes leftover after parsing attributes in process `syz-executor.2'.
[ 399.613296] netlink: 32 bytes leftover after parsing attributes in process `syz-executor.5'.
[ 399.622498] netlink: 32 bytes leftover after parsing attributes in process `syz-executor.1'.
[ 399.645105] netlink: 32 bytes leftover after parsing attributes in process `syz-executor.0'.
[ 399.654552] netlink: 32 bytes leftover after parsing attributes in process `syz-executor.3'.
[ 399.682160] netlink: 32 bytes leftover after parsing attributes in process `syz-executor.4'.
[ 399.728733] netlink: 32 bytes leftover after parsing attributes in process `syz-executor.2'.
[ 399.790605] netlink: 32 bytes leftover after parsing attributes in process `syz-executor.5'.
[ 399.799761] netlink: 32 bytes leftover after parsing attributes in process `syz-executor.3'.
[ 404.581145] nla_parse: 96 callbacks suppressed
[ 404.581149] netlink: 32 bytes leftover after parsing attributes in process `syz-executor.0'.
[ 405.065665] syz-executor.3 (5959) used greatest stack depth: 23352 bytes left
[ 405.154415] syz-executor.2 (5960) used greatest stack depth: 23144 bytes left
[ 406.190852] batman_adv: batadv0: Interface deactivated: batadv_slave_0
[ 406.198225] batman_adv: batadv0: Removing interface: batadv_slave_0
[ 406.206996] batman_adv: batadv0: Interface deactivated: batadv_slave_1
[ 406.214341] batman_adv: batadv0: Removing interface: batadv_slave_1
[ 406.222810] device bridge_slave_1 left promiscuous mode
[ 406.229316] bridge0: port 2(bridge_slave_1) entered disabled state
[ 406.276300] device bridge_slave_0 left promiscuous mode
[ 406.282713] bridge0: port 1(bridge_slave_0) entered disabled state
[ 406.330372] device veth1_macvtap left promiscuous mode
[ 406.336733] device veth0_macvtap left promiscuous mode
[ 406.343914] device veth1_vlan left promiscuous mode
[ 406.349796] device veth0_vlan left promiscuous mode
[ 406.475027] device hsr_slave_1 left promiscuous mode
[ 406.527198] device hsr_slave_0 left promiscuous mode
[ 406.570330] team0 (unregistering): Port device team_slave_1 removed
[ 406.579539] team0 (unregistering): Port device team_slave_0 removed
[ 406.590794] bond0 (unregistering): Releasing backup interface bond_slave_1
Warning: Permanently added '10.128.0.208' (ECDSA) to the list of known hosts.
[ 406.637463] bond0 (unregistering): Releasing backup interface bond_slave_0
[ 406.713121] bond0 (unregistering): Released all slaves
[ 406.944231] netlink: 32 bytes leftover after parsing attributes in process `syz-executor044'.
[ 406.953110] netlink: 32 bytes leftover after parsing attributes in process `syz-executor044'.
[ 406.963526] netlink: 32 bytes leftover after parsing attributes in process `syz-executor044'.
[ 406.972968] netlink: 32 bytes leftover after parsing attributes in process `syz-executor044'.
[ 406.983141] netlink: 32 bytes leftover after parsing attributes in process `syz-executor044'.
[ 406.997995] netlink: 32 bytes leftover after parsing attributes in process `syz-executor044'.
[ 407.008527] ==================================================================
[ 407.016489] BUG: KASAN: use-after-free in tcf_action_destroy+0xda/0xf0
[ 407.023348] Read of size 8 at addr ffff8881dc6e7280 by task syz-executor044/2257
[ 407.032074]
[ 407.033703] CPU: 0 PID: 2257 Comm: syz-executor044 Not tainted 4.19.176-syzkaller #0
[ 407.041666] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 407.051224] Call Trace:
[ 407.053987]  dump_stack+0x17c/0x226
[ 407.057618]  print_address_description.cold.6+0x9/0x211
[ 407.063165]  kasan_report.cold.7+0x242/0x2fe
[ 407.067658]  ? tcf_action_destroy+0xda/0xf0
[ 407.072154]  __asan_report_load8_noabort+0x14/0x20
[ 407.077256]  tcf_action_destroy+0xda/0xf0
[ 407.081496]  tcf_action_init+0x292/0x300
[ 407.085658]  ? tcf_action_init_1+0xaf0/0xaf0
[ 407.090093]  tcf_action_add+0xf2/0x320
[ 407.094109]  ? tca_action_gd+0x1440/0x1440
[ 407.098483]  ? __mutex_lock+0xd81/0x1200
[ 407.103757]  ? lock_downgrade+0x860/0x860
[ 407.108094]  ? memset+0x31/0x40
[ 407.111370]  ? nla_parse+0x34/0x280
[ 407.115083]  tc_ctl_action+0x28d/0x3d0
[ 407.119061]  ? tcf_action_add+0x320/0x320
[ 407.123213]  rtnetlink_rcv_msg+0x34f/0x950
[ 407.127530]  ? rtnl_calcit.isra.10+0x360/0x360
[ 407.132101]  ? __netlink_lookup+0x2fd/0x630
[ 407.136414]  ? lock_downgrade+0x860/0x860
[ 407.140572]  netlink_rcv_skb+0x13e/0x3d0
[ 407.144719]  ? lock_downgrade+0x860/0x860
[ 407.148949]  ? rtnl_calcit.isra.10+0x360/0x360
[ 407.153614]  ? netlink_ack+0x990/0x990
[ 407.157926]  ? netlink_deliver_tap+0x182/0xb00
[ 407.162838]  ? kasan_check_read+0x11/0x20
[ 407.167089]  rtnetlink_rcv+0x10/0x20
[ 407.171032]  netlink_unicast+0x443/0x660
[ 407.175101]  ? netlink_sendskb+0x40/0x40
[ 407.179281]  ? _copy_from_iter_full+0x189/0x770
[ 407.184212]  ? __check_object_size+0x1e0/0x300
[ 407.188987]  netlink_sendmsg+0x667/0xc60
[ 407.193175]  ? nlmsg_notify+0x140/0x140
[ 407.197196]  ? apparmor_socket_sendmsg+0x1b/0x20
[ 407.202119]  ? nlmsg_notify+0x140/0x140
[ 407.206173]  sock_sendmsg+0xac/0xf0
[ 407.209878]  ___sys_sendmsg+0x647/0x950
[ 407.213846]  ? do_huge_pmd_anonymous_page+0xdb8/0x1dd0
[ 407.219108]  ? copy_msghdr_from_user+0x430/0x430
[ 407.224110]  ? __fget+0x285/0x400
[ 407.227634]  ? kasan_check_read+0x11/0x20
[ 407.231848]  ? __fget+0x2a2/0x400
[ 407.235616]  ? do_dup2+0x3f0/0x3f0
[ 407.239222]  ? __handle_mm_fault+0x21a4/0x4100
[ 407.243877]  ? __fget_light+0x174/0x1e0
[ 407.248077]  ? __fdget+0xe/0x10
[ 407.251802]  __sys_sendmsg+0xd9/0x180
[ 407.255756]  ? __ia32_sys_shutdown+0x70/0x70
[ 407.260159]  ? up_read+0x1a/0x110
[ 407.263594]  ? __do_page_fault+0x53a/0xb30
[ 407.267899]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 407.273530]  __x64_sys_sendmsg+0x73/0xb0
[ 407.277661]  do_syscall_64+0xd0/0x4e0
[ 407.281442]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 407.286615] RIP: 0033:0x445c79
[ 407.290248] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 11 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
[ 407.309839] RSP: 002b:00007fe8534c5318 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 407.317792] RAX: ffffffffffffffda RBX: 00000000004cb428 RCX: 0000000000445c79
[ 407.325304] RDX: 0000000000000000 RSI: 0000000020002980 RDI: 0000000000000003
[ 407.332566] RBP: 00000000004cb420 R08: 0000000000000000 R09: 0000000000000000
[ 407.340109] R10: 0000000000000000 R11: 0000000000000246 R12: 6b72616d6e6e6f63
[ 407.347368] R13: 00007fff77e6f01f R14: 00007fe8534c5400 R15: 0000000000022000
[ 407.354751]
[ 407.356400] Allocated by task 2248:
[ 407.360096]  kasan_kmalloc.part.1+0x62/0xf0
[ 407.364414]  kasan_kmalloc+0xaf/0xc0
[ 407.368112]  __kmalloc+0x15d/0x3d0
[ 407.372243]  tcf_idr_create+0x55/0x560
[ 407.376313]  tcf_connmark_init+0x3d8/0x6a0
[ 407.380623]  tcf_action_init_1+0x837/0xaf0
[ 407.385297]  tcf_action_init+0x178/0x300
[ 407.389518]  tcf_action_add+0xf2/0x320
[ 407.393486]  tc_ctl_action+0x28d/0x3d0
[ 407.397367]  rtnetlink_rcv_msg+0x34f/0x950
[ 407.401690]  netlink_rcv_skb+0x13e/0x3d0
[ 407.406091]  rtnetlink_rcv+0x10/0x20
[ 407.409887]  netlink_unicast+0x443/0x660
[ 407.414146]  netlink_sendmsg+0x667/0xc60
[ 407.418547]  sock_sendmsg+0xac/0xf0
[ 407.422330]  ___sys_sendmsg+0x647/0x950
[ 407.426458]  __sys_sendmsg+0xd9/0x180
[ 407.430250]  __x64_sys_sendmsg+0x73/0xb0
[ 407.434378]  do_syscall_64+0xd0/0x4e0
[ 407.438338]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 407.443777]
[ 407.445477] Freed by task 2248:
[ 407.448736]  __kasan_slab_free+0x13c/0x220
[ 407.452950]  kasan_slab_free+0xe/0x10
[ 407.456728]  kfree+0xcf/0x220
[ 407.459860]  tcf_action_cleanup+0xfd/0x130
[ 407.464072]  __tcf_action_put+0xbe/0x100
[ 407.468115]  __tcf_idr_release+0x6a/0x90
[ 407.472153]  tcf_action_destroy+0x7d/0xf0
[ 407.476302]  tcf_action_init+0x292/0x300
[ 407.480470]  tcf_action_add+0xf2/0x320
[ 407.484425]  tc_ctl_action+0x28d/0x3d0
[ 407.488299]  rtnetlink_rcv_msg+0x34f/0x950
[ 407.492609]  netlink_rcv_skb+0x13e/0x3d0
[ 407.497075]  rtnetlink_rcv+0x10/0x20
[ 407.500765]  netlink_unicast+0x443/0x660
[ 407.504933]  netlink_sendmsg+0x667/0xc60
[ 407.509094]  sock_sendmsg+0xac/0xf0
[ 407.512802]  ___sys_sendmsg+0x647/0x950
[ 407.516863]  __sys_sendmsg+0xd9/0x180
[ 407.520653]  __x64_sys_sendmsg+0x73/0xb0
[ 407.524780]  do_syscall_64+0xd0/0x4e0
[ 407.528558]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 407.533811]
[ 407.535604] The buggy address belongs to the object at ffff8881dc6e7280
[ 407.535604]  which belongs to the cache kmalloc-256 of size 256
[ 407.548799] The buggy address is located 0 bytes inside of
[ 407.548799]  256-byte region [ffff8881dc6e7280, ffff8881dc6e7380)
[ 407.560568] The buggy address belongs to the page:
[ 407.565620] page:ffffea000771b9c0 count:1 mapcount:0 mapping:ffff8881f60007c0 index:0x0
[ 407.574178] flags: 0x17ffe0000000100(slab)
[ 407.578740] raw: 017ffe0000000100 ffffea00077b8708 ffffea000771d288 ffff8881f60007c0
[ 407.586695] raw: 0000000000000000 ffff8881dc6e7000 000000010000000c 0000000000000000
[ 407.594736] page dumped because: kasan: bad access detected
[ 407.600512]
[ 407.602125] Memory state around the buggy address:
[ 407.607238]  ffff8881dc6e7180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 407.614661]  ffff8881dc6e7200: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 407.622100] >ffff8881dc6e7280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 407.629435]                    ^
[ 407.632779]  ffff8881dc6e7300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 407.640486]  ffff8881dc6e7380: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 407.648008] ==================================================================
[ 407.655433] Disabling lock debugging due to kernel taint
[ 407.688830] Kernel panic - not syncing: panic_on_warn set ...
[ 407.688830]
[ 407.696521] CPU: 1 PID: 2257 Comm: syz-executor044 Tainted: G B 4.19.176-syzkaller #0
[ 407.706352] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 407.715939] Call Trace:
[ 407.718616]  dump_stack+0x17c/0x226
[ 407.722344]  panic+0x1cd/0x375
[ 407.725532]  ? __warn_printk+0xd6/0xd6
[ 407.729498]  ? ___preempt_schedule+0x16/0x18
[ 407.733922]  kasan_end_report+0x47/0x4f
[ 407.738060]  kasan_report.cold.7+0x76/0x2fe
[ 407.742370]  ? tcf_action_destroy+0xda/0xf0
[ 407.746682]  __asan_report_load8_noabort+0x14/0x20
[ 407.751599]  tcf_action_destroy+0xda/0xf0
[ 407.755830]  tcf_action_init+0x292/0x300
[ 407.759995]  ? tcf_action_init_1+0xaf0/0xaf0
[ 407.764501]  tcf_action_add+0xf2/0x320
[ 407.768761]  ? tca_action_gd+0x1440/0x1440
[ 407.773076]  ? __mutex_lock+0xd81/0x1200
[ 407.777306]  ? lock_downgrade+0x860/0x860
[ 407.781541]  ? memset+0x31/0x40
[ 407.784812]  ? nla_parse+0x34/0x280
[ 407.788427]  tc_ctl_action+0x28d/0x3d0
[ 407.792425]  ? tcf_action_add+0x320/0x320
[ 407.796849]  rtnetlink_rcv_msg+0x34f/0x950
[ 407.801227]  ? rtnl_calcit.isra.10+0x360/0x360
[ 407.805804]  ? __netlink_lookup+0x2fd/0x630
[ 407.810568]  ? lock_downgrade+0x860/0x860
[ 407.815021]  netlink_rcv_skb+0x13e/0x3d0
[ 407.819338]  ? lock_downgrade+0x860/0x860
[ 407.823583]  ? rtnl_calcit.isra.10+0x360/0x360
[ 407.828241]  ? netlink_ack+0x990/0x990
[ 407.832208]  ? netlink_deliver_tap+0x182/0xb00
[ 407.837011]  ? kasan_check_read+0x11/0x20
[ 407.841254]  rtnetlink_rcv+0x10/0x20
[ 407.845413]  netlink_unicast+0x443/0x660
[ 407.849809]  ? netlink_sendskb+0x40/0x40
[ 407.853858]  ? _copy_from_iter_full+0x189/0x770
[ 407.858534]  ? __check_object_size+0x1e0/0x300
[ 407.863128]  netlink_sendmsg+0x667/0xc60
[ 407.867198]  ? nlmsg_notify+0x140/0x140
[ 407.871345]  ? apparmor_socket_sendmsg+0x1b/0x20
[ 407.876365]  ? nlmsg_notify+0x140/0x140
[ 407.880771]  sock_sendmsg+0xac/0xf0
[ 407.884548]  ___sys_sendmsg+0x647/0x950
[ 407.889088]  ? do_huge_pmd_anonymous_page+0xdb8/0x1dd0
[ 407.894775]  ? copy_msghdr_from_user+0x430/0x430
[ 407.899876]  ? __fget+0x285/0x400
[ 407.903500]  ? kasan_check_read+0x11/0x20
[ 407.907652]  ? __fget+0x2a2/0x400
[ 407.911091]  ? do_dup2+0x3f0/0x3f0
[ 407.914701]  ? __handle_mm_fault+0x21a4/0x4100
[ 407.919353]  ? __fget_light+0x174/0x1e0
[ 407.923335]  ? __fdget+0xe/0x10
[ 407.926692]  __sys_sendmsg+0xd9/0x180
[ 407.930808]  ? __ia32_sys_shutdown+0x70/0x70
[ 407.935564]  ? up_read+0x1a/0x110
[ 407.940655]  ? __do_page_fault+0x53a/0xb30
[ 407.944883]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 407.950234]  __x64_sys_sendmsg+0x73/0xb0
[ 407.954299]  do_syscall_64+0xd0/0x4e0
[ 407.958167]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 407.963562] RIP: 0033:0x445c79
[ 407.966948] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 11 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
[ 407.987190] RSP: 002b:00007fe8534c5318 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 407.995645] RAX: ffffffffffffffda RBX: 00000000004cb428 RCX: 0000000000445c79
[ 408.003192] RDX: 0000000000000000 RSI: 0000000020002980 RDI: 0000000000000003
[ 408.010544] RBP: 00000000004cb420 R08: 0000000000000000 R09: 0000000000000000
[ 408.017988] R10: 0000000000000000 R11: 0000000000000246 R12: 6b72616d6e6e6f63
[ 408.025382] R13: 00007fff77e6f01f R14: 00007fe8534c5400 R15: 0000000000022000
[ 408.033814] Kernel Offset: disabled
[ 408.037536] Rebooting in 86400 seconds..