Untitled

1. netlink: 'syz.0.3890': attribute type 4 has an invalid length.
2. TCP: request_sock_TCPv6: Possible SYN flooding on port 20002. Sending cookies. Check SNMP counters.
3. ==================================================================
4. BUG: KASAN: null-ptr-deref in instrument_atomic_read include/linux/instrumented.h:71 [inline]
5. BUG: KASAN: null-ptr-deref in atomic_read include/linux/atomic/atomic-instrumented.h:27 [inline]
6. BUG: KASAN: null-ptr-deref in sock_kmalloc+0x4a/0x100 net/core/sock.c:2425
7. Read of size 4 at addr 0000000000000270 by task syz.0.3891/24197
8.  
9. CPU: 3 PID: 24197 Comm: syz.0.3891 Not tainted 5.15.169 #1
10. Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
11. Call Trace:
12. <IRQ>
13. __dump_stack lib/dump_stack.c:88 [inline]
14. dump_stack_lvl+0x8b/0xb3 lib/dump_stack.c:106
15. __kasan_report mm/kasan/report.c:438 [inline]
16. kasan_report.cold+0x116/0x11b mm/kasan/report.c:451
17. check_region_inline mm/kasan/generic.c:183 [inline]
18. kasan_check_range+0xfd/0x1f0 mm/kasan/generic.c:189
19. instrument_atomic_read include/linux/instrumented.h:71 [inline]
20. atomic_read include/linux/atomic/atomic-instrumented.h:27 [inline]
21. sock_kmalloc+0x4a/0x100 net/core/sock.c:2425
22. ipv6_renew_options+0x275/0x960 net/ipv6/exthdrs.c:1310
23. calipso_req_setattr+0x131/0x2e0 net/ipv6/calipso.c:1207
24. calipso_req_setattr+0x52/0x80 net/netlabel/netlabel_calipso.c:596
25. netlbl_req_setattr+0x18c/0x580 net/netlabel/netlabel_kapi.c:1224
26. selinux_netlbl_inet_conn_request+0x1fe/0x330 security/selinux/netlabel.c:337
27. selinux_inet_conn_request+0x1cc/0x2a0 security/selinux/hooks.c:5583
28. security_inet_conn_request+0x56/0xb0 security/security.c:2344
29. tcp_v6_route_req+0x24f/0x520 net/ipv6/tcp_ipv6.c:858
30. tcp_conn_request+0xaa4/0x3120 net/ipv4/tcp_input.c:6995
31. tcp_v6_conn_request net/ipv6/tcp_ipv6.c:1218 [inline]
32. tcp_v6_conn_request+0x24c/0x420 net/ipv6/tcp_ipv6.c:1205
33. tcp_rcv_state_process+0x9e5/0x47c0 net/ipv4/tcp_input.c:6512
34. tcp_v6_do_rcv+0x438/0x16b0 net/ipv6/tcp_ipv6.c:1551
35. tcp_v6_rcv+0x32d4/0x3620 net/ipv6/tcp_ipv6.c:1755
36. ip6_protocol_deliver_rcu+0x2f5/0x1800 net/ipv6/ip6_input.c:425
37. ip6_input_finish+0x64/0x1b0 net/ipv6/ip6_input.c:466
38. NF_HOOK include/linux/netfilter.h:302 [inline]
39. NF_HOOK include/linux/netfilter.h:296 [inline]
40. ip6_input+0x9c/0xd0 net/ipv6/ip6_input.c:475
41. dst_input include/net/dst.h:453 [inline]
42. ip6_rcv_finish net/ipv6/ip6_input.c:79 [inline]
43. ip6_rcv_finish net/ipv6/ip6_input.c:69 [inline]
44. NF_HOOK include/linux/netfilter.h:302 [inline]
45. NF_HOOK include/linux/netfilter.h:296 [inline]
46. ipv6_rcv+0x155/0x520 net/ipv6/ip6_input.c:300
47. __netif_receive_skb_one_core+0x12e/0x1f0 net/core/dev.c:5489
48. __netif_receive_skb+0x24/0x1b0 net/core/dev.c:5603
49. process_backlog+0x222/0x820 net/core/dev.c:6480
50. __napi_poll+0xb9/0x5b0 net/core/dev.c:7039
51. napi_poll net/core/dev.c:7106 [inline]
52. net_rx_action+0x8b1/0xbb0 net/core/dev.c:7196
53. handle_softirqs+0x1bd/0x6e0 kernel/softirq.c:558
54. do_softirq kernel/softirq.c:459 [inline]
55. do_softirq+0xad/0xe0 kernel/softirq.c:446
56. </IRQ>
57. <TASK>
58. __local_bh_enable_ip+0xd7/0x100 kernel/softirq.c:383
59. local_bh_enable include/linux/bottom_half.h:32 [inline]
60. rcu_read_unlock_bh include/linux/rcupdate.h:809 [inline]
61. ip6_finish_output2+0xb71/0x1d00 net/ipv6/ip6_output.c:131
62. __ip6_finish_output.part.0+0x509/0xc10 net/ipv6/ip6_output.c:201
63. __ip6_finish_output net/ipv6/ip6_output.c:186 [inline]
64. ip6_finish_output net/ipv6/ip6_output.c:211 [inline]
65. NF_HOOK_COND include/linux/netfilter.h:291 [inline]
66. ip6_output+0x30b/0x9f0 net/ipv6/ip6_output.c:234
67. dst_output include/net/dst.h:443 [inline]
68. NF_HOOK include/linux/netfilter.h:302 [inline]
69. NF_HOOK include/linux/netfilter.h:296 [inline]
70. ip6_xmit+0x1053/0x1d50 net/ipv6/ip6_output.c:338
71. inet6_csk_xmit+0x36d/0x6f0 net/ipv6/inet6_connection_sock.c:135
72. __tcp_transmit_skb+0x18d8/0x35a0 net/ipv4/tcp_output.c:1402
73. tcp_transmit_skb net/ipv4/tcp_output.c:1420 [inline]
74. tcp_send_syn_data net/ipv4/tcp_output.c:3851 [inline]
75. tcp_connect+0x23b0/0x4600 net/ipv4/tcp_output.c:3890
76. tcp_v6_connect+0x1419/0x1c40 net/ipv6/tcp_ipv6.c:337
77. __inet_stream_connect+0x8d8/0xe70 net/ipv4/af_inet.c:674
78. tcp_sendmsg_fastopen net/ipv4/tcp.c:1195 [inline]
79. tcp_sendmsg_locked+0x2004/0x2ce0 net/ipv4/tcp.c:1237
80. tcp_sendmsg+0x2b/0x50 net/ipv4/tcp.c:1457
81. inet6_sendmsg+0xb5/0x140 net/ipv6/af_inet6.c:669
82. sock_sendmsg_nosec net/socket.c:704 [inline]
83. __sock_sendmsg+0xf2/0x190 net/socket.c:716
84. __sys_sendto+0x21c/0x320 net/socket.c:2063
85. __do_sys_sendto net/socket.c:2075 [inline]
86. __se_sys_sendto net/socket.c:2071 [inline]
87. __x64_sys_sendto+0xdd/0x1b0 net/socket.c:2071
88. do_syscall_x64 arch/x86/entry/common.c:50 [inline]
89. do_syscall_64+0x33/0x80 arch/x86/entry/common.c:80
90. entry_SYSCALL_64_after_hwframe+0x6c/0xd6
91. RIP: 0033:0x2b4da5fe19c9
92. Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
93. RSP: 002b:00002b4da7f5e038 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
94. RAX: ffffffffffffffda RBX: 00002b4da61fdf80 RCX: 00002b4da5fe19c9
95. RDX: fffffffffffffedd RSI: 0000000020000280 RDI: 0000000000000004
96. RBP: 00002b4da608e1b6 R08: 0000000020000080 R09: 000000000000001c
97. R10: 0000000020000004 R11: 0000000000000246 R12: 0000000000000000
98. R13: 0000000000000000 R14: 00002b4da61fdf80 R15: 00007ffed7f48918
99. </TASK>
100. ==================================================================
101. general protection fault, probably for non-canonical address 0xdffffc000000004e: 0000 [#1] SMP KASAN NOPTI
102. KASAN: null-ptr-deref in range [0x0000000000000270-0x0000000000000277]
103. CPU: 3 PID: 24197 Comm: syz.0.3891 Tainted: G B 5.15.169 #1
104. Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
105. RIP: 0010:arch_atomic_read arch/x86/include/asm/atomic.h:29 [inline]
106. RIP: 0010:atomic_read include/linux/atomic/atomic-instrumented.h:28 [inline]
107. RIP: 0010:sock_kmalloc+0x5b/0x100 net/core/sock.c:2425
108. Code: e8 ca ed 29 fe 4c 8d b5 70 02 00 00 be 04 00 00 00 4c 89 f7 e8 a6 b6 58 fe 4c 89 f2 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 <0f> b6 14 02 4c 89 f0 83 e0 07 83 c0 03 38 d0 7c 04 84 d2 75 7b 44
109. RSP: 0018:ffff88811af892c0 EFLAGS: 00010216
110. RAX: dffffc0000000000 RBX: 0000000000000050 RCX: ffffffff8114cf6e
111. RDX: 000000000000004e RSI: ffffffff83d60b46 RDI: 0000000000000005
112. RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000003
113. R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000005000
114. R13: 0000000000000a20 R14: 0000000000000270 R15: 0000000000000050
115. FS: 00002b4da7f5e6c0(0000) GS:ffff88811af80000(0000) knlGS:0000000000000000
116. CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
117. CR2: 00002b4da5f6aad0 CR3: 0000000118874000 CR4: 0000000000350ee0
118. Call Trace:
119. <IRQ>
120. ipv6_renew_options+0x275/0x960 net/ipv6/exthdrs.c:1310
121. calipso_req_setattr+0x131/0x2e0 net/ipv6/calipso.c:1207
122. calipso_req_setattr+0x52/0x80 net/netlabel/netlabel_calipso.c:596
123. netlbl_req_setattr+0x18c/0x580 net/netlabel/netlabel_kapi.c:1224
124. selinux_netlbl_inet_conn_request+0x1fe/0x330 security/selinux/netlabel.c:337
125. selinux_inet_conn_request+0x1cc/0x2a0 security/selinux/hooks.c:5583
126. security_inet_conn_request+0x56/0xb0 security/security.c:2344
127. tcp_v6_route_req+0x24f/0x520 net/ipv6/tcp_ipv6.c:858
128. tcp_conn_request+0xaa4/0x3120 net/ipv4/tcp_input.c:6995
129. tcp_v6_conn_request net/ipv6/tcp_ipv6.c:1218 [inline]
130. tcp_v6_conn_request+0x24c/0x420 net/ipv6/tcp_ipv6.c:1205
131. tcp_rcv_state_process+0x9e5/0x47c0 net/ipv4/tcp_input.c:6512
132. tcp_v6_do_rcv+0x438/0x16b0 net/ipv6/tcp_ipv6.c:1551
133. tcp_v6_rcv+0x32d4/0x3620 net/ipv6/tcp_ipv6.c:1755
134. ip6_protocol_deliver_rcu+0x2f5/0x1800 net/ipv6/ip6_input.c:425
135. ip6_input_finish+0x64/0x1b0 net/ipv6/ip6_input.c:466
136. NF_HOOK include/linux/netfilter.h:302 [inline]
137. NF_HOOK include/linux/netfilter.h:296 [inline]
138. ip6_input+0x9c/0xd0 net/ipv6/ip6_input.c:475
139. dst_input include/net/dst.h:453 [inline]
140. ip6_rcv_finish net/ipv6/ip6_input.c:79 [inline]
141. ip6_rcv_finish net/ipv6/ip6_input.c:69 [inline]
142. NF_HOOK include/linux/netfilter.h:302 [inline]
143. NF_HOOK include/linux/netfilter.h:296 [inline]
144. ipv6_rcv+0x155/0x520 net/ipv6/ip6_input.c:300
145. __netif_receive_skb_one_core+0x12e/0x1f0 net/core/dev.c:5489
146. __netif_receive_skb+0x24/0x1b0 net/core/dev.c:5603
147. process_backlog+0x222/0x820 net/core/dev.c:6480
148. __napi_poll+0xb9/0x5b0 net/core/dev.c:7039
149. napi_poll net/core/dev.c:7106 [inline]
150. net_rx_action+0x8b1/0xbb0 net/core/dev.c:7196
151. handle_softirqs+0x1bd/0x6e0 kernel/softirq.c:558
152. do_softirq kernel/softirq.c:459 [inline]
153. do_softirq+0xad/0xe0 kernel/softirq.c:446
154. </IRQ>
155. <TASK>
156. __local_bh_enable_ip+0xd7/0x100 kernel/softirq.c:383
157. local_bh_enable include/linux/bottom_half.h:32 [inline]
158. rcu_read_unlock_bh include/linux/rcupdate.h:809 [inline]
159. ip6_finish_output2+0xb71/0x1d00 net/ipv6/ip6_output.c:131
160. __ip6_finish_output.part.0+0x509/0xc10 net/ipv6/ip6_output.c:201
161. __ip6_finish_output net/ipv6/ip6_output.c:186 [inline]
162. ip6_finish_output net/ipv6/ip6_output.c:211 [inline]
163. NF_HOOK_COND include/linux/netfilter.h:291 [inline]
164. ip6_output+0x30b/0x9f0 net/ipv6/ip6_output.c:234
165. dst_output include/net/dst.h:443 [inline]
166. NF_HOOK include/linux/netfilter.h:302 [inline]
167. NF_HOOK include/linux/netfilter.h:296 [inline]
168. ip6_xmit+0x1053/0x1d50 net/ipv6/ip6_output.c:338
169. inet6_csk_xmit+0x36d/0x6f0 net/ipv6/inet6_connection_sock.c:135
170. __tcp_transmit_skb+0x18d8/0x35a0 net/ipv4/tcp_output.c:1402
171. tcp_transmit_skb net/ipv4/tcp_output.c:1420 [inline]
172. tcp_send_syn_data net/ipv4/tcp_output.c:3851 [inline]
173. tcp_connect+0x23b0/0x4600 net/ipv4/tcp_output.c:3890
174. tcp_v6_connect+0x1419/0x1c40 net/ipv6/tcp_ipv6.c:337
175. __inet_stream_connect+0x8d8/0xe70 net/ipv4/af_inet.c:674
176. tcp_sendmsg_fastopen net/ipv4/tcp.c:1195 [inline]
177. tcp_sendmsg_locked+0x2004/0x2ce0 net/ipv4/tcp.c:1237
178. tcp_sendmsg+0x2b/0x50 net/ipv4/tcp.c:1457
179. inet6_sendmsg+0xb5/0x140 net/ipv6/af_inet6.c:669
180. sock_sendmsg_nosec net/socket.c:704 [inline]
181. __sock_sendmsg+0xf2/0x190 net/socket.c:716
182. __sys_sendto+0x21c/0x320 net/socket.c:2063
183. __do_sys_sendto net/socket.c:2075 [inline]
184. __se_sys_sendto net/socket.c:2071 [inline]
185. __x64_sys_sendto+0xdd/0x1b0 net/socket.c:2071
186. do_syscall_x64 arch/x86/entry/common.c:50 [inline]
187. do_syscall_64+0x33/0x80 arch/x86/entry/common.c:80
188. entry_SYSCALL_64_after_hwframe+0x6c/0xd6
189. RIP: 0033:0x2b4da5fe19c9
190. Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
191. RSP: 002b:00002b4da7f5e038 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
192. RAX: ffffffffffffffda RBX: 00002b4da61fdf80 RCX: 00002b4da5fe19c9
193. RDX: fffffffffffffedd RSI: 0000000020000280 RDI: 0000000000000004
194. RBP: 00002b4da608e1b6 R08: 0000000020000080 R09: 000000000000001c
195. R10: 0000000020000004 R11: 0000000000000246 R12: 0000000000000000
196. R13: 0000000000000000 R14: 00002b4da61fdf80 R15: 00007ffed7f48918
197. </TASK>
198. Modules linked in:
199. ---[ end trace 4107fc4a25216d57 ]---
200. RIP: 0010:arch_atomic_read arch/x86/include/asm/atomic.h:29 [inline]
201. RIP: 0010:atomic_read include/linux/atomic/atomic-instrumented.h:28 [inline]
202. RIP: 0010:sock_kmalloc+0x5b/0x100 net/core/sock.c:2425
203. Code: e8 ca ed 29 fe 4c 8d b5 70 02 00 00 be 04 00 00 00 4c 89 f7 e8 a6 b6 58 fe 4c 89 f2 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 <0f> b6 14 02 4c 89 f0 83 e0 07 83 c0 03 38 d0 7c 04 84 d2 75 7b 44
204. RSP: 0018:ffff88811af892c0 EFLAGS: 00010216
205. RAX: dffffc0000000000 RBX: 0000000000000050 RCX: ffffffff8114cf6e
206. RDX: 000000000000004e RSI: ffffffff83d60b46 RDI: 0000000000000005
207. RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000003
208. R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000005000
209. R13: 0000000000000a20 R14: 0000000000000270 R15: 0000000000000050
210. FS: 00002b4da7f5e6c0(0000) GS:ffff88811af80000(0000) knlGS:0000000000000000
211. CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
212. CR2: 00002b4da5f6aad0 CR3: 0000000118874000 CR4: 0000000000350ee0
213. ----------------
214. Code disassembly (best guess):
215. 0: e8 ca ed 29 fe call 0xfe29edcf
216. 5: 4c 8d b5 70 02 00 00 lea 0x270(%rbp),%r14
217. c: be 04 00 00 00 mov $0x4,%esi
218. 11: 4c 89 f7 mov %r14,%rdi
219. 14: e8 a6 b6 58 fe call 0xfe58b6bf
220. 19: 4c 89 f2 mov %r14,%rdx
221. 1c: 48 b8 00 00 00 00 00 movabs $0xdffffc0000000000,%rax
222. 23: fc ff df
223. 26: 48 c1 ea 03 shr $0x3,%rdx
224. * 2a: 0f b6 14 02 movzbl (%rdx,%rax,1),%edx <-- trapping instruction
225. 2e: 4c 89 f0 mov %r14,%rax
226. 31: 83 e0 07 and $0x7,%eax
227. 34: 83 c0 03 add $0x3,%eax
228. 37: 38 d0 cmp %dl,%al
229. 39: 7c 04 jl 0x3f
230. 3b: 84 d2 test %dl,%dl
231. 3d: 75 7b jne 0xba
232. 3f: 44 rex.R