syzbot

netlink: 44 bytes leftover after parsing attributes in process `syz.0.17'.
------------[ cut here ]------------
memcpy: detected field-spanning write (size 32) of single field "&new->sel" at net/sched/cls_u32.c:855 (size 16)
WARNING: net/sched/cls_u32.c:855 at u32_init_knode net/sched/cls_u32.c:855 [inline], CPU#0: syz.0.17/5487
WARNING: net/sched/cls_u32.c:855 at u32_change+0x1da0/0x2720 net/sched/cls_u32.c:921, CPU#0: syz.0.17/5487
Modules linked in:
CPU: 0 UID: 0 PID: 5487 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full) 
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
RIP: 0010:u32_init_knode net/sched/cls_u32.c:855 [inline]
RIP: 0010:u32_change+0x1daf/0x2720 net/sched/cls_u32.c:921
Code: 3d 4c eb 42 06 01 75 33 e8 0e 0e 0d f8 eb 50 e8 07 0e 0d f8 48 8d 3d 00 1f 68 06 b9 10 00 00 00 4c 89 f6 48 c7 c2 00 64 e1 8c <67> 48 0f b9 3a e9 af ee ff ff e8 e2 0d 0d f8 eb 24 e8 db 0d 0d f8
RSP: 0018:ffffc90004976fc0 EFLAGS: 00010293
RAX: ffffffff89b88e29 RBX: ffff888038a7c800 RCX: 0000000000000010
RDX: ffffffff8ce16400 RSI: 0000000000000020 RDI: ffffffff9020ad30
RBP: ffffc90004977178 R08: 0000000000000dc0 R09: 00000000ffffffff
R10: dffffc0000000000 R11: fffffbfff20232f7 R12: ffff888033a63ce8
R13: 0000000000000001 R14: 0000000000000020 R15: 0000000000000001
FS:  00005555621f5500(0000) GS:ffff88808ca5b000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007ffe0048eff8 CR3: 000000005563f000 CR4: 0000000000352ef0
Call Trace:
 <TASK>
 tc_new_tfilter+0xe1c/0x1630 net/sched/cls_api.c:2423
 rtnetlink_rcv_msg+0x7d5/0xbe0 net/core/rtnetlink.c:6958
 netlink_rcv_skb+0x232/0x4b0 net/netlink/af_netlink.c:2550
 netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline]
 netlink_unicast+0x80f/0x9b0 net/netlink/af_netlink.c:1344
 netlink_sendmsg+0x813/0xb40 net/netlink/af_netlink.c:1894
 sock_sendmsg_nosec net/socket.c:727 [inline]
 __sock_sendmsg net/socket.c:742 [inline]
 ____sys_sendmsg+0xa68/0xad0 net/socket.c:2592
 ___sys_sendmsg+0x2a5/0x360 net/socket.c:2646
 __sys_sendmmsg+0x27c/0x4e0 net/socket.c:2735
 __do_sys_sendmmsg net/socket.c:2762 [inline]
 __se_sys_sendmmsg net/socket.c:2759 [inline]
 __x64_sys_sendmmsg+0xa0/0xc0 net/socket.c:2759
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x14d/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f78ead9c629
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fff46c64d98 EFLAGS: 00000246 ORIG_RAX: 0000000000000133
RAX: ffffffffffffffda RBX: 00007f78eb015fa0 RCX: 00007f78ead9c629
RDX: 04000000000001f2 RSI: 0000200000000000 RDI: 0000000000000004
RBP: 00007f78eae32b39 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f78eb015fac R14: 00007f78eb015fa0 R15: 00007f78eb015fa0
 </TASK>
----------------
Code disassembly (best guess):
   0:	3d 4c eb 42 06       	cmp    $0x642eb4c,%eax
   5:	01 75 33             	add    %esi,0x33(%rbp)
   8:	e8 0e 0e 0d f8       	call   0xf80d0e1b
   d:	eb 50                	jmp    0x5f
   f:	e8 07 0e 0d f8       	call   0xf80d0e1b
  14:	48 8d 3d 00 1f 68 06 	lea    0x6681f00(%rip),%rdi        # 0x6681f1b
  1b:	b9 10 00 00 00       	mov    $0x10,%ecx
  20:	4c 89 f6             	mov    %r14,%rsi
  23:	48 c7 c2 00 64 e1 8c 	mov    $0xffffffff8ce16400,%rdx
* 2a:	67 48 0f b9 3a       	ud1    (%edx),%rdi <-- trapping instruction
  2f:	e9 af ee ff ff       	jmp    0xffffeee3
  34:	e8 e2 0d 0d f8       	call   0xf80d0e1b
  39:	eb 24                	jmp    0x5f
  3b:	e8 db 0d 0d f8       	call   0xf80d0e1b