Warning: Permanently added '10.128.10.22' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 105.514689][ T26] kauditd_printk_skb: 4 callbacks suppressed
[ 105.514703][ T26] audit: type=1400 audit(1584907593.728:42): avc: denied { map } for pid=10501 comm="syz-executor747" path="/root/syz-executor747486061" dev="sda1" ino=16484 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 105.533162][T10502] IPVS: ftp: loaded support on port[0] = 21
[ 105.584939][T10502] ==================================================================
[ 105.593419][T10502] BUG: KASAN: slab-out-of-bounds in tcindex_set_parms+0x17fd/0x1a00
[ 105.601391][T10502] Write of size 16 at addr ffff8880a231e6b8 by task syz-executor747/10502
[ 105.609867][T10502]
[ 105.612224][T10502] CPU: 1 PID: 10502 Comm: syz-executor747 Not tainted 5.6.0-rc6-syzkaller #0
[ 105.621104][T10502] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 105.631146][T10502] Call Trace:
[ 105.634436][T10502] dump_stack+0x188/0x20d
[ 105.638753][T10502] ? tcindex_set_parms+0x17fd/0x1a00
[ 105.644022][T10502] ? tcindex_set_parms+0x17fd/0x1a00
[ 105.649290][T10502] print_address_description.constprop.0.cold+0xd3/0x315
[ 105.657332][T10502] ? tcindex_set_parms+0x17fd/0x1a00
[ 105.662600][T10502] ? tcindex_set_parms+0x17fd/0x1a00
[ 105.667865][T10502] __kasan_report.cold+0x1a/0x32
[ 105.672786][T10502] ? tcindex_set_parms+0x17fd/0x1a00
[ 105.678060][T10502] kasan_report+0xe/0x20
[ 105.682285][T10502] tcindex_set_parms+0x17fd/0x1a00
[ 105.687387][T10502] ? tcindex_alloc_perfect_hash+0x320/0x320
[ 105.693443][T10502] ? mark_held_locks+0xe0/0xe0
[ 105.698213][T10502] ? nla_memcpy+0xa0/0xa0
[ 105.702540][T10502] ? tcindex_change+0x203/0x2e0
[ 105.707378][T10502] tcindex_change+0x203/0x2e0
[ 105.712049][T10502] ? tcindex_set_parms+0x1a00/0x1a00
[ 105.717327][T10502] tc_new_tfilter+0xa59/0x20b0
[ 105.722074][T10502] ? tcindex_set_parms+0x1a00/0x1a00
[ 105.727344][T10502] ? tc_del_tfilter+0x1430/0x1430
[ 105.732361][T10502] ? __lock_acquire+0x80b/0x3ca0
[ 105.737311][T10502] ? rcu_read_lock_held+0x9c/0xb0
[ 105.742333][T10502] ? tc_del_tfilter+0x1430/0x1430
[ 105.747336][T10502] rtnetlink_rcv_msg+0x810/0xad0
[ 105.752255][T10502] ? rtnl_bridge_getlink+0x880/0x880
[ 105.757528][T10502] ? mark_held_locks+0xe0/0xe0
[ 105.762271][T10502] ? netlink_deliver_tap+0x146/0xb50
[ 105.767537][T10502] netlink_rcv_skb+0x15a/0x410
[ 105.772291][T10502] ? rtnl_bridge_getlink+0x880/0x880
[ 105.777556][T10502] ? netlink_ack+0xa80/0xa80
[ 105.782138][T10502] netlink_unicast+0x537/0x740
[ 105.786909][T10502] ? netlink_attachskb+0x810/0x810
[ 105.792053][T10502] ? _copy_from_iter_full+0x25c/0x870
[ 105.797419][T10502] netlink_sendmsg+0x882/0xe10
[ 105.802190][T10502] ? netlink_unicast+0x740/0x740
[ 105.807137][T10502] ? netlink_unicast+0x740/0x740
[ 105.812074][T10502] sock_sendmsg+0xcf/0x120
[ 105.816532][T10502] ____sys_sendmsg+0x6b9/0x7d0
[ 105.821285][T10502] ? kernel_sendmsg+0x50/0x50
[ 105.825951][T10502] ? rcu_read_lock_sched_held+0x9c/0xd0
[ 105.831562][T10502] ? rcu_read_lock_any_held.part.0+0x50/0x50
[ 105.837564][T10502] ___sys_sendmsg+0x100/0x170
[ 105.842240][T10502] ? sendmsg_copy_msghdr+0x70/0x70
[ 105.847492][T10502] ? lock_downgrade+0x7f0/0x7f0
[ 105.852336][T10502] ? lock_acquire+0x197/0x420
[ 105.857007][T10502] ? __might_fault+0xef/0x1d0
[ 105.861791][T10502] ? __might_fault+0x190/0x1d0
[ 105.866544][T10502] ? _copy_to_user+0x107/0x150
[ 105.871297][T10502] ? move_addr_to_user+0xb3/0x200
[ 105.876393][T10502] ? __fget_light+0x1a5/0x270
[ 105.881064][T10502] __sys_sendmsg+0xec/0x1b0
[ 105.885572][T10502] ? __sys_sendmsg_sock+0xb0/0xb0
[ 105.890579][T10502] ? mark_held_locks+0x9f/0xe0
[ 105.895337][T10502] ? trace_hardirqs_off_caller+0x55/0x230
[ 105.901036][T10502] ? do_syscall_64+0x21/0x7d0
[ 105.905699][T10502] do_syscall_64+0xf6/0x7d0
[ 105.910199][T10502] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 105.916080][T10502] RIP: 0033:0x440e79
[ 105.919955][T10502] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b 10 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 105.939556][T10502] RSP: 002b:00007ffead913b38 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 105.947965][T10502] RAX: ffffffffffffffda RBX: 00000000004a2650 RCX: 0000000000440e79
[ 105.956073][T10502] RDX: 0000000000000000 RSI: 00000000200001c0 RDI: 0000000000000003
[ 105.969453][T10502] RBP: 00007ffead913b40 R08: 0000000120080522 R09: 0000000120080522
[ 105.977671][T10502] R10: 0000000120080522 R11: 0000000000000246 R12: 00000000004a2650
[ 105.985624][T10502] R13: 0000000000402410 R14: 0000000000000000 R15: 0000000000000000
[ 105.993720][T10502]
[ 105.996039][T10502] Allocated by task 10502:
[ 106.000447][T10502] save_stack+0x1b/0x80
[ 106.004593][T10502] __kasan_kmalloc.constprop.0+0xbf/0xd0
[ 106.010204][T10502] kmem_cache_alloc_trace+0x153/0x7d0
[ 106.015556][T10502] tipc_crypto_start+0x77/0x370
[ 106.020384][T10502] tipc_init_net+0x331/0x5c0
[ 106.024955][T10502] ops_init+0xaf/0x420
[ 106.028997][T10502] setup_net+0x2d4/0x850
[ 106.033214][T10502] copy_net_ns+0x293/0x590
[ 106.037617][T10502] create_new_namespaces+0x3fb/0xb30
[ 106.042878][T10502] unshare_nsproxy_namespaces+0xbd/0x1f0
[ 106.050165][T10502] ksys_unshare+0x43d/0x8e0
[ 106.054660][T10502] __x64_sys_unshare+0x2d/0x40
[ 106.059413][T10502] do_syscall_64+0xf6/0x7d0
[ 106.063905][T10502] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 106.069784][T10502]
[ 106.072093][T10502] Freed by task 2515:
[ 106.076060][T10502] save_stack+0x1b/0x80
[ 106.080192][T10502] __kasan_slab_free+0xf7/0x140
[ 106.085629][T10502] kfree+0x109/0x2b0
[ 106.089516][T10502] umh_complete+0x81/0x90
[ 106.093820][T10502] call_usermodehelper_exec_async+0x459/0x710
[ 106.099863][T10502] ret_from_fork+0x24/0x30
[ 106.104248][T10502]
[ 106.106586][T10502] The buggy address belongs to the object at ffff8880a231e600
[ 106.106586][T10502] which belongs to the cache kmalloc-192 of size 192
[ 106.120962][T10502] The buggy address is located 184 bytes inside of
[ 106.120962][T10502] 192-byte region [ffff8880a231e600, ffff8880a231e6c0)
[ 106.134304][T10502] The buggy address belongs to the page:
[ 106.139935][T10502] page:ffffea000288c780 refcount:1 mapcount:0 mapping:ffff8880aa000000 index:0x0
[ 106.149069][T10502] flags: 0xfffe0000000200(slab)
[ 106.153923][T10502] raw: 00fffe0000000200 ffffea0002884d08 ffffea00028895c8 ffff8880aa000000
[ 106.162490][T10502] raw: 0000000000000000 ffff8880a231e000 0000000100000010 0000000000000000
[ 106.171062][T10502] page dumped because: kasan: bad access detected
[ 106.177463][T10502]
[ 106.179783][T10502] Memory state around the buggy address:
[ 106.185393][T10502] ffff8880a231e580: 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 106.193431][T10502] ffff8880a231e600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 106.201489][T10502] >ffff8880a231e680: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
[ 106.209547][T10502]                                         ^
[ 106.215690][T10502] ffff8880a231e700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 106.223750][T10502] ffff8880a231e780: 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 106.231795][T10502] ==================================================================
[ 106.239841][T10502] Disabling lock debugging due to kernel taint
[ 106.247169][T10502] Kernel panic - not syncing: panic_on_warn set ...
[ 106.253798][T10502] CPU: 1 PID: 10502 Comm: syz-executor747 Tainted: G B 5.6.0-rc6-syzkaller #0
[ 106.264008][T10502] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 106.274129][T10502] Call Trace:
[ 106.277406][T10502] dump_stack+0x188/0x20d
[ 106.281714][T10502] panic+0x2e3/0x75c
[ 106.285588][T10502] ? add_taint.cold+0x16/0x16
[ 106.290243][T10502] ? preempt_schedule_common+0x5e/0xc0
[ 106.296647][T10502] ? tcindex_set_parms+0x17fd/0x1a00
[ 106.301907][T10502] ? ___preempt_schedule+0x16/0x18
[ 106.307025][T10502] ? trace_hardirqs_on+0x55/0x220
[ 106.312053][T10502] ? tcindex_set_parms+0x17fd/0x1a00
[ 106.317344][T10502] end_report+0x43/0x49
[ 106.321541][T10502] ? tcindex_set_parms+0x17fd/0x1a00
[ 106.326827][T10502] __kasan_report.cold+0xd/0x32
[ 106.331669][T10502] ? tcindex_set_parms+0x17fd/0x1a00
[ 106.336951][T10502] kasan_report+0xe/0x20
[ 106.341181][T10502] tcindex_set_parms+0x17fd/0x1a00
[ 106.346288][T10502] ? tcindex_alloc_perfect_hash+0x320/0x320
[ 106.352165][T10502] ? mark_held_locks+0xe0/0xe0
[ 106.356921][T10502] ? nla_memcpy+0xa0/0xa0
[ 106.362026][T10502] ? tcindex_change+0x203/0x2e0
[ 106.366866][T10502] tcindex_change+0x203/0x2e0
[ 106.371535][T10502] ? tcindex_set_parms+0x1a00/0x1a00
[ 106.376809][T10502] tc_new_tfilter+0xa59/0x20b0
[ 106.381554][T10502] ? tcindex_set_parms+0x1a00/0x1a00
[ 106.386822][T10502] ? tc_del_tfilter+0x1430/0x1430
[ 106.391825][T10502] ? __lock_acquire+0x80b/0x3ca0
[ 106.396751][T10502] ? rcu_read_lock_held+0x9c/0xb0
[ 106.402714][T10502] ? tc_del_tfilter+0x1430/0x1430
[ 106.407743][T10502] rtnetlink_rcv_msg+0x810/0xad0
[ 106.412685][T10502] ? rtnl_bridge_getlink+0x880/0x880
[ 106.417966][T10502] ? mark_held_locks+0xe0/0xe0
[ 106.422726][T10502] ? netlink_deliver_tap+0x146/0xb50
[ 106.428009][T10502] netlink_rcv_skb+0x15a/0x410
[ 106.438620][T10502] ? rtnl_bridge_getlink+0x880/0x880
[ 106.443895][T10502] ? netlink_ack+0xa80/0xa80
[ 106.448474][T10502] netlink_unicast+0x537/0x740
[ 106.453236][T10502] ? netlink_attachskb+0x810/0x810
[ 106.458349][T10502] ? _copy_from_iter_full+0x25c/0x870
[ 106.463715][T10502] netlink_sendmsg+0x882/0xe10
[ 106.468485][T10502] ? netlink_unicast+0x740/0x740
[ 106.473412][T10502] ? netlink_unicast+0x740/0x740
[ 106.487540][T10502] sock_sendmsg+0xcf/0x120
[ 106.491953][T10502] ____sys_sendmsg+0x6b9/0x7d0
[ 106.496692][T10502] ? kernel_sendmsg+0x50/0x50
[ 106.501351][T10502] ? rcu_read_lock_sched_held+0x9c/0xd0
[ 106.506869][T10502] ? rcu_read_lock_any_held.part.0+0x50/0x50
[ 106.512864][T10502] ___sys_sendmsg+0x100/0x170
[ 106.517551][T10502] ? sendmsg_copy_msghdr+0x70/0x70
[ 106.522655][T10502] ? lock_downgrade+0x7f0/0x7f0
[ 106.527590][T10502] ? lock_acquire+0x197/0x420
[ 106.532956][T10502] ? __might_fault+0xef/0x1d0
[ 106.537633][T10502] ? __might_fault+0x190/0x1d0
[ 106.542403][T10502] ? _copy_to_user+0x107/0x150
[ 106.547185][T10502] ? move_addr_to_user+0xb3/0x200
[ 106.552209][T10502] ? __fget_light+0x1a5/0x270
[ 106.557012][T10502] __sys_sendmsg+0xec/0x1b0
[ 106.561514][T10502] ? __sys_sendmsg_sock+0xb0/0xb0
[ 106.566525][T10502] ? mark_held_locks+0x9f/0xe0
[ 106.571282][T10502] ? trace_hardirqs_off_caller+0x55/0x230
[ 106.577005][T10502] ? do_syscall_64+0x21/0x7d0
[ 106.581680][T10502] do_syscall_64+0xf6/0x7d0
[ 106.586427][T10502] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 106.592295][T10502] RIP: 0033:0x440e79
[ 106.596167][T10502] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b 10 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 106.615930][T10502] RSP: 002b:00007ffead913b38 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 106.624330][T10502] RAX: ffffffffffffffda RBX: 00000000004a2650 RCX: 0000000000440e79
[ 106.632279][T10502] RDX: 0000000000000000 RSI: 00000000200001c0 RDI: 0000000000000003
[ 106.640224][T10502] RBP: 00007ffead913b40 R08: 0000000120080522 R09: 0000000120080522
[ 106.648170][T10502] R10: 0000000120080522 R11: 0000000000000246 R12: 00000000004a2650
[ 106.656183][T10502] R13: 0000000000402410 R14: 0000000000000000 R15: 0000000000000000
[ 106.665769][T10502] Kernel Offset: disabled
[ 106.670144][T10502] Rebooting in 86400 seconds..