================================================================== BUG: KASAN: use-after-free in __skb_unlink include/linux/skbuff.h:2066 [inline] BUG: KASAN: use-after-free in __skb_try_recv_from_queue+0x767/0x820 net/core/datagram.c:199 Write of size 8 at addr ffff888000022008 by task systemd-journal/3896 CPU: 0 PID: 3896 Comm: systemd-journal Not tainted 5.9.0-rc4-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x198/0x1fd lib/dump_stack.c:118 print_address_description.constprop.0.cold+0xae/0x497 mm/kasan/report.c:383 __kasan_report mm/kasan/report.c:513 [inline] kasan_report.cold+0x1f/0x37 mm/kasan/report.c:530 __skb_unlink include/linux/skbuff.h:2066 [inline] __skb_try_recv_from_queue+0x767/0x820 net/core/datagram.c:199 __skb_try_recv_datagram+0x153/0x3d0 net/core/datagram.c:265 __skb_recv_datagram+0x1a1/0x220 net/core/datagram.c:297 skb_recv_datagram+0xa7/0xe0 net/core/datagram.c:317 netlink_recvmsg+0xe3/0xee0 net/netlink/af_netlink.c:1942 sock_recvmsg_nosec net/socket.c:885 [inline] sock_recvmsg net/socket.c:903 [inline] sock_recvmsg net/socket.c:899 [inline] ____sys_recvmsg+0x2c4/0x640 net/socket.c:2576 ___sys_recvmsg+0x127/0x200 net/socket.c:2618 __sys_recvmsg+0xe2/0x1a0 net/socket.c:2652 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46 entry_SYSCALL_64_after_hwframe+0x44/0xa9 RIP: 0033:0x7f3b836f5dc7 Code: 89 01 b8 ff ff ff ff eb d8 66 2e 0f 1f 84 00 00 00 00 00 8b 05 0a b6 20 00 85 c0 75 2e 48 63 ff 48 63 d2 b8 2f 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 01 c3 48 8b 15 b1 71 20 00 f7 d8 64 89 02 48 RSP: 002b:00007ffd896aff08 EFLAGS: 00000246 ORIG_RAX: 000000000000002f RAX: ffffffffffffffda RBX: 00007ffd896b0480 RCX: 00007f3b836f5dc7 RDX: 0000000040000040 RSI: 00007ffd896aff60 RDI: 0000000000000003 RBP: 00007ffd896aff60 R08: 0000000000000008 R09: 000055891fa466b8 R10: 000055891fa46680 R11: 0000000000000246 R12: 0000000000000001 R13: 0000000000000003 R14: 000055891dfde958 R15: 0005aeb7553342b5 Allocated by task 3896: kasan_save_stack+0x1b/0x40 mm/kasan/common.c:48 kasan_set_track mm/kasan/common.c:56 [inline] __kasan_kmalloc.constprop.0+0xbf/0xd0 mm/kasan/common.c:461 slab_post_alloc_hook mm/slab.h:518 [inline] slab_alloc mm/slab.c:3312 [inline] kmem_cache_alloc+0x13a/0x3a0 mm/slab.c:3482 prepare_creds+0x39/0x6c0 kernel/cred.c:258 access_override_creds fs/open.c:353 [inline] do_faccessat+0x3d7/0x820 fs/open.c:417 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46 entry_SYSCALL_64_after_hwframe+0x44/0xa9 Freed by task 3896: kasan_save_stack+0x1b/0x40 mm/kasan/common.c:48 kasan_set_track+0x1c/0x30 mm/kasan/common.c:56 kasan_set_free_info+0x1b/0x30 mm/kasan/generic.c:355 __kasan_slab_free+0xd8/0x120 mm/kasan/common.c:422 __cache_free mm/slab.c:3418 [inline] kmem_cache_free.part.0+0x74/0x1e0 mm/slab.c:3693 __put_cred+0x1de/0x250 kernel/cred.c:148 put_cred include/linux/cred.h:287 [inline] put_cred include/linux/cred.h:280 [inline] revert_creds+0x1a8/0x1f0 kernel/cred.c:598 do_faccessat+0x2ca/0x820 fs/open.c:464 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46 entry_SYSCALL_64_after_hwframe+0x44/0xa9 The buggy address belongs to the object at ffff888000022000 which belongs to the cache cred_jar of size 184 The buggy address is located 8 bytes inside of 184-byte region [ffff888000022000, ffff8880000220b8) The buggy address belongs to the page: page:00000000de652c9c refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x22 flags: 0x7ffe0000000200(slab) raw: 007ffe0000000200 ffffea0000033048 ffffea0001066508 ffff8880aa06f900 raw: 0000000000000000 ffff888000022000 0000000100000010 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff888000021f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff888000021f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff888000022000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff888000022080: fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc ffff888000022100: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ==================================================================