[....] Starting enhanced syslogd: rsyslogd[?25l[?1c7[ ok 8[?25h[?0c. [ 77.598652][ T27] audit: type=1800 audit(1584604704.718:25): pid=9388 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="cron" dev="sda1" ino=2414 res=0 [ 77.631221][ T27] audit: type=1800 audit(1584604704.718:26): pid=9388 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0 [ 77.657307][ T27] audit: type=1800 audit(1584604704.718:27): pid=9388 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0 [....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[ ok 8[?25h[?0c. Debian GNU/Linux 7 syzkaller ttyS0 Warning: Permanently added '10.128.0.236' (ECDSA) to the list of known hosts. executing program syzkaller login: [ 89.884708][ T9543] IPVS: ftp: loaded support on port[0] = 21 [ 89.917112][ T9543] ================================================================== [ 89.925423][ T9543] BUG: KASAN: slab-out-of-bounds in tcindex_set_parms+0x17fd/0x1a00 [ 89.933380][ T9543] Write of size 16 at addr ffff8880a3ac3bb8 by task syz-executor703/9543 [ 89.941760][ T9543] [ 89.944082][ T9543] CPU: 1 PID: 9543 Comm: syz-executor703 Not tainted 5.6.0-rc6-syzkaller #0 [ 89.952911][ T9543] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 89.963033][ T9543] Call Trace: [ 89.966306][ T9543] dump_stack+0x188/0x20d [ 89.970758][ T9543] ? tcindex_set_parms+0x17fd/0x1a00 [ 89.976302][ T9543] ? tcindex_set_parms+0x17fd/0x1a00 [ 89.981591][ T9543] print_address_description.constprop.0.cold+0xd3/0x315 [ 89.988630][ T9543] ? tcindex_set_parms+0x17fd/0x1a00 [ 89.993898][ T9543] ? tcindex_set_parms+0x17fd/0x1a00 [ 89.999172][ T9543] __kasan_report.cold+0x1a/0x32 [ 90.004112][ T9543] ? tcindex_set_parms+0x17fd/0x1a00 [ 90.009437][ T9543] kasan_report+0xe/0x20 [ 90.014118][ T9543] tcindex_set_parms+0x17fd/0x1a00 [ 90.019331][ T9543] ? tcindex_alloc_perfect_hash+0x320/0x320 [ 90.025416][ T9543] ? mark_held_locks+0xe0/0xe0 [ 90.030193][ T9543] ? nla_memcpy+0xa0/0xa0 [ 90.034510][ T9543] ? tcindex_change+0x203/0x2e0 [ 90.039424][ T9543] tcindex_change+0x203/0x2e0 [ 90.044099][ T9543] ? tcindex_set_parms+0x1a00/0x1a00 [ 90.049377][ T9543] tc_new_tfilter+0xa59/0x20b0 [ 90.054123][ T9543] ? tcindex_set_parms+0x1a00/0x1a00 [ 90.059397][ T9543] ? tc_del_tfilter+0x1430/0x1430 [ 90.064454][ T9543] ? __lock_acquire+0x80b/0x3ca0 [ 90.069493][ T9543] ? apparmor_capable+0x454/0x8a0 [ 90.074528][ T9543] ? rcu_read_lock_held+0x9c/0xb0 [ 90.079562][ T9543] ? tc_del_tfilter+0x1430/0x1430 [ 90.084586][ T9543] rtnetlink_rcv_msg+0x810/0xad0 [ 90.089649][ T9543] ? rtnl_bridge_getlink+0x880/0x880 [ 90.094942][ T9543] ? mark_held_locks+0xe0/0xe0 [ 90.099692][ T9543] ? netlink_deliver_tap+0x146/0xb50 [ 90.105001][ T9543] netlink_rcv_skb+0x15a/0x410 [ 90.109765][ T9543] ? rtnl_bridge_getlink+0x880/0x880 [ 90.115044][ T9543] ? netlink_ack+0xa80/0xa80 [ 90.119627][ T9543] netlink_unicast+0x537/0x740 [ 90.124377][ T9543] ? netlink_attachskb+0x810/0x810 [ 90.129467][ T9543] ? _copy_from_iter_full+0x25c/0x870 [ 90.134822][ T9543] ? __phys_addr_symbol+0x2c/0x70 [ 90.139843][ T9543] ? __check_object_size+0x171/0x437 [ 90.145132][ T9543] netlink_sendmsg+0x882/0xe10 [ 90.149883][ T9543] ? aa_af_perm+0x260/0x260 [ 90.154367][ T9543] ? netlink_unicast+0x740/0x740 [ 90.159391][ T9543] ? netlink_unicast+0x740/0x740 [ 90.164313][ T9543] sock_sendmsg+0xcf/0x120 [ 90.169801][ T9543] ____sys_sendmsg+0x6b9/0x7d0 [ 90.174548][ T9543] ? kernel_sendmsg+0x50/0x50 [ 90.180490][ T9543] ? rcu_read_lock_sched_held+0x9c/0xd0 [ 90.187522][ T9543] ? rcu_read_lock_any_held.part.0+0x50/0x50 [ 90.193509][ T9543] ___sys_sendmsg+0x100/0x170 [ 90.198170][ T9543] ? sendmsg_copy_msghdr+0x70/0x70 [ 90.204583][ T9543] ? lock_downgrade+0x7f0/0x7f0 [ 90.209422][ T9543] ? lock_acquire+0x197/0x420 [ 90.214109][ T9543] ? __might_fault+0xef/0x1d0 [ 90.219010][ T9543] ? __might_fault+0x190/0x1d0 [ 90.223789][ T9543] ? _copy_to_user+0x107/0x150 [ 90.228552][ T9543] ? move_addr_to_user+0xb3/0x200 [ 90.233844][ T9543] ? __fget_light+0x1a5/0x270 [ 90.238511][ T9543] __sys_sendmsg+0xec/0x1b0 [ 90.243013][ T9543] ? __sys_sendmsg_sock+0xb0/0xb0 [ 90.248049][ T9543] ? mark_held_locks+0x9f/0xe0 [ 90.252830][ T9543] ? trace_hardirqs_off_caller+0x55/0x230 [ 90.258550][ T9543] ? do_syscall_64+0x21/0x7d0 [ 90.263482][ T9543] do_syscall_64+0xf6/0x7d0 [ 90.267978][ T9543] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 90.273864][ T9543] RIP: 0033:0x440e79 [ 90.277740][ T9543] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b 10 fc ff c3 66 2e 0f 1f 84 00 00 00 00 [ 90.297415][ T9543] RSP: 002b:00007ffdc0362a88 EFLAGS: 00000246 ORIG_RAX: 000000000000002e [ 90.305818][ T9543] RAX: ffffffffffffffda RBX: 00000000004a2650 RCX: 0000000000440e79 [ 90.313773][ T9543] RDX: 0000000000000000 RSI: 00000000200001c0 RDI: 0000000000000003 [ 90.321740][ T9543] RBP: 00007ffdc0362a90 R08: 0000000120080522 R09: 0000000120080522 [ 90.329710][ T9543] R10: 0000000120080522 R11: 0000000000000246 R12: 00000000004a2650 [ 90.337691][ T9543] R13: 0000000000402410 R14: 0000000000000000 R15: 0000000000000000 [ 90.345930][ T9543] [ 90.348251][ T9543] Allocated by task 1: [ 90.352313][ T9543] save_stack+0x1b/0x80 [ 90.356446][ T9543] __kasan_kmalloc.constprop.0+0xbf/0xd0 [ 90.362055][ T9543] kmem_cache_alloc_node_trace+0x161/0x790 [ 90.367844][ T9543] alloc_worker+0x43/0x1c0 [ 90.372255][ T9543] init_rescuer.part.0+0x1a/0x190 [ 90.377268][ T9543] alloc_workqueue+0x740/0xe90 [ 90.382009][ T9543] nfit_init+0x134/0x188 [ 90.386228][ T9543] do_one_initcall+0x10a/0x7d0 [ 90.390967][ T9543] kernel_init_freeable+0x501/0x5ae [ 90.396142][ T9543] kernel_init+0xd/0x1bb [ 90.400373][ T9543] ret_from_fork+0x24/0x30 [ 90.404761][ T9543] [ 90.407076][ T9543] Freed by task 0: [ 90.410766][ T9543] (stack is not available) [ 90.415152][ T9543] [ 90.417474][ T9543] The buggy address belongs to the object at ffff8880a3ac3b00 [ 90.417474][ T9543] which belongs to the cache kmalloc-192 of size 192 [ 90.432373][ T9543] The buggy address is located 184 bytes inside of [ 90.432373][ T9543] 192-byte region [ffff8880a3ac3b00, ffff8880a3ac3bc0) [ 90.445642][ T9543] The buggy address belongs to the page: [ 90.451258][ T9543] page:ffffea00028eb0c0 refcount:1 mapcount:0 mapping:ffff8880aa000000 index:0x0 [ 90.460344][ T9543] flags: 0xfffe0000000200(slab) [ 90.465180][ T9543] raw: 00fffe0000000200 ffffea00028e0c48 ffff8880aa001148 ffff8880aa000000 [ 90.473932][ T9543] raw: 0000000000000000 ffff8880a3ac3000 0000000100000010 0000000000000000 [ 90.482582][ T9543] page dumped because: kasan: bad access detected [ 90.488970][ T9543] [ 90.491337][ T9543] Memory state around the buggy address: [ 90.497071][ T9543] ffff8880a3ac3a80: 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 90.505118][ T9543] ffff8880a3ac3b00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 90.513320][ T9543] >ffff8880a3ac3b80: 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc [ 90.521442][ T9543] ^ [ 90.527315][ T9543] ffff8880a3ac3c00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 90.535352][ T9543] ffff8880a3ac3c80: 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc [ 90.543393][ T9543] ================================================================== [ 90.551433][ T9543] Disabling lock debugging due to kernel taint [ 90.558828][ T9543] Kernel panic - not syncing: panic_on_warn set ... [ 90.566158][ T9543] CPU: 1 PID: 9543 Comm: syz-executor703 Tainted: G B 5.6.0-rc6-syzkaller #0 [ 90.576297][ T9543] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 90.586359][ T9543] Call Trace: [ 90.589658][ T9543] dump_stack+0x188/0x20d [ 90.593969][ T9543] panic+0x2e3/0x75c [ 90.597842][ T9543] ? add_taint.cold+0x16/0x16 [ 90.602498][ T9543] ? preempt_schedule_common+0x5e/0xc0 [ 90.607948][ T9543] ? tcindex_set_parms+0x17fd/0x1a00 [ 90.613222][ T9543] ? ___preempt_schedule+0x16/0x18 [ 90.618399][ T9543] ? trace_hardirqs_on+0x55/0x220 [ 90.623422][ T9543] ? tcindex_set_parms+0x17fd/0x1a00 [ 90.628804][ T9543] end_report+0x43/0x49 [ 90.633061][ T9543] ? tcindex_set_parms+0x17fd/0x1a00 [ 90.638546][ T9543] __kasan_report.cold+0xd/0x32 [ 90.643431][ T9543] ? tcindex_set_parms+0x17fd/0x1a00 [ 90.648701][ T9543] kasan_report+0xe/0x20 [ 90.652923][ T9543] tcindex_set_parms+0x17fd/0x1a00 [ 90.658042][ T9543] ? tcindex_alloc_perfect_hash+0x320/0x320 [ 90.663925][ T9543] ? mark_held_locks+0xe0/0xe0 [ 90.668685][ T9543] ? nla_memcpy+0xa0/0xa0 [ 90.673005][ T9543] ? tcindex_change+0x203/0x2e0 [ 90.677929][ T9543] tcindex_change+0x203/0x2e0 [ 90.682588][ T9543] ? tcindex_set_parms+0x1a00/0x1a00 [ 90.687862][ T9543] tc_new_tfilter+0xa59/0x20b0 [ 90.692618][ T9543] ? tcindex_set_parms+0x1a00/0x1a00 [ 90.697889][ T9543] ? tc_del_tfilter+0x1430/0x1430 [ 90.702892][ T9543] ? __lock_acquire+0x80b/0x3ca0 [ 90.708073][ T9543] ? apparmor_capable+0x454/0x8a0 [ 90.713239][ T9543] ? rcu_read_lock_held+0x9c/0xb0 [ 90.718263][ T9543] ? tc_del_tfilter+0x1430/0x1430 [ 90.723803][ T9543] rtnetlink_rcv_msg+0x810/0xad0 [ 90.728738][ T9543] ? rtnl_bridge_getlink+0x880/0x880 [ 90.734032][ T9543] ? mark_held_locks+0xe0/0xe0 [ 90.739097][ T9543] ? netlink_deliver_tap+0x146/0xb50 [ 90.744374][ T9543] netlink_rcv_skb+0x15a/0x410 [ 90.749983][ T9543] ? rtnl_bridge_getlink+0x880/0x880 [ 90.755265][ T9543] ? netlink_ack+0xa80/0xa80 [ 90.760311][ T9543] netlink_unicast+0x537/0x740 [ 90.765075][ T9543] ? netlink_attachskb+0x810/0x810 [ 90.770179][ T9543] ? _copy_from_iter_full+0x25c/0x870 [ 90.775545][ T9543] ? __phys_addr_symbol+0x2c/0x70 [ 90.780576][ T9543] ? __check_object_size+0x171/0x437 [ 90.785843][ T9543] netlink_sendmsg+0x882/0xe10 [ 90.790649][ T9543] ? aa_af_perm+0x260/0x260 [ 90.795129][ T9543] ? netlink_unicast+0x740/0x740 [ 90.800075][ T9543] ? netlink_unicast+0x740/0x740 [ 90.805015][ T9543] sock_sendmsg+0xcf/0x120 [ 90.809410][ T9543] ____sys_sendmsg+0x6b9/0x7d0 [ 90.814154][ T9543] ? kernel_sendmsg+0x50/0x50 [ 90.818809][ T9543] ? rcu_read_lock_sched_held+0x9c/0xd0 [ 90.824433][ T9543] ? rcu_read_lock_any_held.part.0+0x50/0x50 [ 90.830399][ T9543] ___sys_sendmsg+0x100/0x170 [ 90.835058][ T9543] ? sendmsg_copy_msghdr+0x70/0x70 [ 90.840151][ T9543] ? lock_downgrade+0x7f0/0x7f0 [ 90.845379][ T9543] ? lock_acquire+0x197/0x420 [ 90.850039][ T9543] ? __might_fault+0xef/0x1d0 [ 90.854699][ T9543] ? __might_fault+0x190/0x1d0 [ 90.859459][ T9543] ? _copy_to_user+0x107/0x150 [ 90.864204][ T9543] ? move_addr_to_user+0xb3/0x200 [ 90.869303][ T9543] ? __fget_light+0x1a5/0x270 [ 90.873968][ T9543] __sys_sendmsg+0xec/0x1b0 [ 90.878451][ T9543] ? __sys_sendmsg_sock+0xb0/0xb0 [ 90.883455][ T9543] ? mark_held_locks+0x9f/0xe0 [ 90.888215][ T9543] ? trace_hardirqs_off_caller+0x55/0x230 [ 90.894182][ T9543] ? do_syscall_64+0x21/0x7d0 [ 90.898851][ T9543] do_syscall_64+0xf6/0x7d0 [ 90.903379][ T9543] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 90.909250][ T9543] RIP: 0033:0x440e79 [ 90.913128][ T9543] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b 10 fc ff c3 66 2e 0f 1f 84 00 00 00 00 [ 90.933452][ T9543] RSP: 002b:00007ffdc0362a88 EFLAGS: 00000246 ORIG_RAX: 000000000000002e [ 90.941861][ T9543] RAX: ffffffffffffffda RBX: 00000000004a2650 RCX: 0000000000440e79 [ 90.950026][ T9543] RDX: 0000000000000000 RSI: 00000000200001c0 RDI: 0000000000000003 [ 90.957993][ T9543] RBP: 00007ffdc0362a90 R08: 0000000120080522 R09: 0000000120080522 [ 90.966014][ T9543] R10: 0000000120080522 R11: 0000000000000246 R12: 00000000004a2650 [ 90.974090][ T9543] R13: 0000000000402410 R14: 0000000000000000 R15: 0000000000000000 [ 90.983829][ T9543] Kernel Offset: disabled [ 90.988247][ T9543] Rebooting in 86400 seconds..