[ 85.889802][ T27] audit: type=1800 audit(1579579894.066:26): pid=9419 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0 [....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[ ok 8[?25h[?0c. [ 86.676180][ T27] kauditd_printk_skb: 2 callbacks suppressed [ 86.676191][ T27] audit: type=1800 audit(1579579894.866:29): pid=9419 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="rc.local" dev="sda1" ino=2432 res=0 [ 86.703038][ T27] audit: type=1800 audit(1579579894.866:30): pid=9419 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="rmnologin" dev="sda1" ino=2423 res=0 Debian GNU/Linux 7 syzkaller ttyS0 Warning: Permanently added '10.128.1.37' (ECDSA) to the list of known hosts. executing program syzkaller login: [ 95.637393][ T9572] ================================================================== [ 95.645633][ T9572] BUG: KASAN: slab-out-of-bounds in setup_udp_tunnel_sock+0x43d/0x520 [ 95.653778][ T9572] Write of size 1 at addr ffff8880a4f10590 by task syz-executor958/9572 [ 95.662089][ T9572] [ 95.664423][ T9572] CPU: 1 PID: 9572 Comm: syz-executor958 Not tainted 5.5.0-rc6-syzkaller #0 [ 95.673127][ T9572] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 95.683171][ T9572] Call Trace: [ 95.686483][ T9572] dump_stack+0x197/0x210 [ 95.690810][ T9572] ? setup_udp_tunnel_sock+0x43d/0x520 [ 95.696257][ T9572] print_address_description.constprop.0.cold+0xd4/0x30b [ 95.703372][ T9572] ? setup_udp_tunnel_sock+0x43d/0x520 [ 95.708935][ T9572] ? setup_udp_tunnel_sock+0x43d/0x520 [ 95.714396][ T9572] __kasan_report.cold+0x1b/0x41 [ 95.719322][ T9572] ? trace_hardirqs_on+0x51/0x240 [ 95.724341][ T9572] ? setup_udp_tunnel_sock+0x43d/0x520 [ 95.729909][ T9572] kasan_report+0x12/0x20 [ 95.734238][ T9572] __asan_report_store1_noabort+0x17/0x20 [ 95.739941][ T9572] setup_udp_tunnel_sock+0x43d/0x520 [ 95.745225][ T9572] gtp_encap_enable_socket+0x338/0x420 [ 95.750692][ T9572] ? gtp_find_pdp_by_link+0x480/0x480 [ 95.756056][ T9572] ? memset+0x32/0x40 [ 95.760024][ T9572] ? gtp1_pdp_find.isra.0+0x180/0x180 [ 95.765462][ T9572] ? __gtp_encap_destroy+0x1e0/0x1e0 [ 95.770735][ T9572] ? alloc_netdev_mqs+0xa22/0xde0 [ 95.775790][ T9572] gtp_newlink+0x95/0xc60 [ 95.780202][ T9572] ? rtnl_create_link+0x192/0xab0 [ 95.785365][ T9572] ? netlink_ns_capable+0x26/0x30 [ 95.790639][ T9572] ? gtp_genl_get_pdp+0x5c0/0x5c0 [ 95.795656][ T9572] __rtnl_newlink+0x109e/0x1790 [ 95.800508][ T9572] ? rtnl_link_unregister+0x250/0x250 [ 95.805877][ T9572] ? is_bpf_text_address+0xce/0x160 [ 95.811118][ T9572] ? kernel_text_address+0x73/0xf0 [ 95.816237][ T9572] ? unwind_get_return_address+0x61/0xa0 [ 95.821941][ T9572] ? profile_setup.cold+0xbb/0xbb [ 95.826960][ T9572] ? arch_stack_walk+0x97/0xf0 [ 95.831727][ T9572] ? stack_trace_save+0xac/0xe0 [ 95.836560][ T9572] ? stack_trace_consume_entry+0x190/0x190 [ 95.842353][ T9572] ? mark_lock+0xc2/0x1220 [ 95.846782][ T9572] ? save_stack+0x5c/0x90 [ 95.851107][ T9572] ? save_stack+0x23/0x90 [ 95.855428][ T9572] ? __kasan_kmalloc.constprop.0+0xcf/0xe0 [ 95.861830][ T9572] ? kasan_kmalloc+0x9/0x10 [ 95.866412][ T9572] ? kmem_cache_alloc_trace+0x158/0x790 [ 95.871971][ T9572] ? rtnl_newlink+0x4b/0xa0 [ 95.876565][ T9572] ? rcu_read_lock_sched_held+0x9c/0xd0 [ 95.882106][ T9572] ? rcu_read_lock_any_held.part.0+0x50/0x50 [ 95.888179][ T9572] rtnl_newlink+0x69/0xa0 [ 95.892498][ T9572] ? __rtnl_newlink+0x1790/0x1790 [ 95.897562][ T9572] rtnetlink_rcv_msg+0x45e/0xaf0 [ 95.902500][ T9572] ? rtnl_bridge_getlink+0x910/0x910 [ 95.907771][ T9572] ? lock_downgrade+0x920/0x920 [ 95.912607][ T9572] ? netlink_deliver_tap+0x228/0xbe0 [ 95.917886][ T9572] ? find_held_lock+0x35/0x130 [ 95.922710][ T9572] netlink_rcv_skb+0x177/0x450 [ 95.927508][ T9572] ? rtnl_bridge_getlink+0x910/0x910 [ 95.932880][ T9572] ? netlink_ack+0xb50/0xb50 [ 95.937490][ T9572] ? __kasan_check_read+0x11/0x20 [ 95.942517][ T9572] ? netlink_deliver_tap+0x24a/0xbe0 [ 95.947906][ T9572] rtnetlink_rcv+0x1d/0x30 [ 95.952500][ T9572] netlink_unicast+0x58c/0x7d0 [ 95.957249][ T9572] ? netlink_attachskb+0x870/0x870 [ 95.962353][ T9572] ? __sanitizer_cov_trace_cmp8+0x18/0x20 [ 95.968113][ T9572] ? __check_object_size+0x3d/0x437 [ 95.973310][ T9572] netlink_sendmsg+0x91c/0xea0 [ 95.978072][ T9572] ? netlink_unicast+0x7d0/0x7d0 [ 95.982995][ T9572] ? aa_sock_msg_perm.isra.0+0xba/0x170 [ 95.988531][ T9572] ? apparmor_socket_sendmsg+0x2a/0x30 [ 95.994028][ T9572] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 96.000254][ T9572] ? security_socket_sendmsg+0x8d/0xc0 [ 96.005705][ T9572] ? netlink_unicast+0x7d0/0x7d0 [ 96.010694][ T9572] sock_sendmsg+0xd7/0x130 [ 96.015105][ T9572] ____sys_sendmsg+0x753/0x880 [ 96.019894][ T9572] ? kernel_sendmsg+0x50/0x50 [ 96.024661][ T9572] ? mark_held_locks+0xa4/0xf0 [ 96.029467][ T9572] ? do_huge_pmd_anonymous_page+0x1463/0x1a50 [ 96.035524][ T9572] ? __handle_mm_fault+0x3145/0x3cc0 [ 96.040847][ T9572] ? do_huge_pmd_anonymous_page+0x1463/0x1a50 [ 96.046912][ T9572] ___sys_sendmsg+0x100/0x170 [ 96.051586][ T9572] ? do_huge_pmd_anonymous_page+0xceb/0x1a50 [ 96.057661][ T9572] ? sendmsg_copy_msghdr+0x70/0x70 [ 96.062916][ T9572] ? __do_page_fault+0x56a/0xd80 [ 96.067973][ T9572] ? find_held_lock+0x35/0x130 [ 96.072827][ T9572] ? __do_page_fault+0x56a/0xd80 [ 96.077759][ T9572] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 96.083986][ T9572] ? __fget_light+0x1a9/0x230 [ 96.088657][ T9572] ? __fdget+0x1b/0x20 [ 96.092730][ T9572] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 96.099078][ T9572] __sys_sendmsg+0x105/0x1d0 [ 96.103661][ T9572] ? __sys_sendmsg_sock+0xc0/0xc0 [ 96.108728][ T9572] ? down_read_non_owner+0x490/0x490 [ 96.114056][ T9572] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 96.119620][ T9572] ? do_syscall_64+0x26/0x790 [ 96.124294][ T9572] ? entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 96.130535][ T9572] ? do_syscall_64+0x26/0x790 [ 96.135537][ T9572] __x64_sys_sendmsg+0x78/0xb0 [ 96.140565][ T9572] do_syscall_64+0xfa/0x790 [ 96.145245][ T9572] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 96.151183][ T9572] RIP: 0033:0x4402b9 [ 96.155063][ T9572] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 fb 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00 [ 96.174865][ T9572] RSP: 002b:00007fff066defd8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e [ 96.183519][ T9572] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 00000000004402b9 [ 96.191571][ T9572] RDX: 0000000000000000 RSI: 0000000020000100 RDI: 0000000000000003 [ 96.199641][ T9572] RBP: 00000000006ca018 R08: 00000000004002c8 R09: 00000000004002c8 [ 96.207608][ T9572] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000401b40 [ 96.215621][ T9572] R13: 0000000000401bd0 R14: 0000000000000000 R15: 0000000000000000 [ 96.223593][ T9572] [ 96.225944][ T9572] Allocated by task 9572: [ 96.230416][ T9572] save_stack+0x23/0x90 [ 96.234607][ T9572] __kasan_kmalloc.constprop.0+0xcf/0xe0 [ 96.240615][ T9572] kasan_slab_alloc+0xf/0x20 [ 96.245315][ T9572] kmem_cache_alloc+0x121/0x710 [ 96.250189][ T9572] sk_prot_alloc+0x67/0x310 [ 96.254763][ T9572] sk_alloc+0x39/0xfd0 [ 96.258828][ T9572] inet_create+0x363/0xdf0 [ 96.263241][ T9572] __sock_create+0x3ce/0x730 [ 96.267915][ T9572] __sys_socket+0x103/0x220 [ 96.272474][ T9572] __x64_sys_socket+0x73/0xb0 [ 96.277162][ T9572] do_syscall_64+0xfa/0x790 [ 96.281662][ T9572] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 96.287555][ T9572] [ 96.289877][ T9572] Freed by task 0: [ 96.293582][ T9572] (stack is not available) [ 96.298074][ T9572] [ 96.300402][ T9572] The buggy address belongs to the object at ffff8880a4f10040 [ 96.300402][ T9572] which belongs to the cache RAW of size 1360 [ 96.314177][ T9572] The buggy address is located 0 bytes to the right of [ 96.314177][ T9572] 1360-byte region [ffff8880a4f10040, ffff8880a4f10590) [ 96.328075][ T9572] The buggy address belongs to the page: [ 96.333706][ T9572] page:ffffea000293c400 refcount:1 mapcount:0 mapping:ffff8880a7b9e8c0 index:0x0 compound_mapcount: 0 [ 96.344631][ T9572] raw: 00fffe0000010200 ffff8880a73c2348 ffff8880a73c2348 ffff8880a7b9e8c0 [ 96.353212][ T9572] raw: 0000000000000000 ffff8880a4f10040 0000000100000005 0000000000000000 [ 96.361886][ T9572] page dumped because: kasan: bad access detected [ 96.368295][ T9572] [ 96.370615][ T9572] Memory state around the buggy address: [ 96.376430][ T9572] ffff8880a4f10480: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 96.384486][ T9572] ffff8880a4f10500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 96.393114][ T9572] >ffff8880a4f10580: 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 96.401247][ T9572] ^ [ 96.405830][ T9572] ffff8880a4f10600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 96.413920][ T9572] ffff8880a4f10680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 96.421992][ T9572] ================================================================== [ 96.430176][ T9572] Disabling lock debugging due to kernel taint [ 96.437660][ T9572] Kernel panic - not syncing: panic_on_warn set ... [ 96.444261][ T9572] CPU: 0 PID: 9572 Comm: syz-executor958 Tainted: G B 5.5.0-rc6-syzkaller #0 [ 96.454305][ T9572] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 96.464476][ T9572] Call Trace: [ 96.467775][ T9572] dump_stack+0x197/0x210 [ 96.472095][ T9572] panic+0x2e3/0x75c [ 96.476023][ T9572] ? add_taint.cold+0x16/0x16 [ 96.480834][ T9572] ? setup_udp_tunnel_sock+0x43d/0x520 [ 96.486601][ T9572] ? preempt_schedule+0x4b/0x60 [ 96.491499][ T9572] ? ___preempt_schedule+0x16/0x18 [ 96.496606][ T9572] ? trace_hardirqs_on+0x5e/0x240 [ 96.501736][ T9572] ? setup_udp_tunnel_sock+0x43d/0x520 [ 96.507578][ T9572] end_report+0x47/0x4f [ 96.511721][ T9572] ? setup_udp_tunnel_sock+0x43d/0x520 [ 96.517215][ T9572] __kasan_report.cold+0xe/0x41 [ 96.522057][ T9572] ? trace_hardirqs_on+0x51/0x240 [ 96.527420][ T9572] ? setup_udp_tunnel_sock+0x43d/0x520 [ 96.532976][ T9572] kasan_report+0x12/0x20 [ 96.537346][ T9572] __asan_report_store1_noabort+0x17/0x20 [ 96.543060][ T9572] setup_udp_tunnel_sock+0x43d/0x520 [ 96.548480][ T9572] gtp_encap_enable_socket+0x338/0x420 [ 96.553924][ T9572] ? gtp_find_pdp_by_link+0x480/0x480 [ 96.559316][ T9572] ? memset+0x32/0x40 [ 96.563291][ T9572] ? gtp1_pdp_find.isra.0+0x180/0x180 [ 96.568652][ T9572] ? __gtp_encap_destroy+0x1e0/0x1e0 [ 96.573922][ T9572] ? alloc_netdev_mqs+0xa22/0xde0 [ 96.578944][ T9572] gtp_newlink+0x95/0xc60 [ 96.583271][ T9572] ? rtnl_create_link+0x192/0xab0 [ 96.588284][ T9572] ? netlink_ns_capable+0x26/0x30 [ 96.593305][ T9572] ? gtp_genl_get_pdp+0x5c0/0x5c0 [ 96.598321][ T9572] __rtnl_newlink+0x109e/0x1790 [ 96.603242][ T9572] ? rtnl_link_unregister+0x250/0x250 [ 96.608605][ T9572] ? is_bpf_text_address+0xce/0x160 [ 96.613893][ T9572] ? kernel_text_address+0x73/0xf0 [ 96.619143][ T9572] ? unwind_get_return_address+0x61/0xa0 [ 96.624764][ T9572] ? profile_setup.cold+0xbb/0xbb [ 96.629782][ T9572] ? arch_stack_walk+0x97/0xf0 [ 96.634532][ T9572] ? stack_trace_save+0xac/0xe0 [ 96.639384][ T9572] ? stack_trace_consume_entry+0x190/0x190 [ 96.645342][ T9572] ? mark_lock+0xc2/0x1220 [ 96.649762][ T9572] ? save_stack+0x5c/0x90 [ 96.654079][ T9572] ? save_stack+0x23/0x90 [ 96.659082][ T9572] ? __kasan_kmalloc.constprop.0+0xcf/0xe0 [ 96.664999][ T9572] ? kasan_kmalloc+0x9/0x10 [ 96.669491][ T9572] ? kmem_cache_alloc_trace+0x158/0x790 [ 96.675105][ T9572] ? rtnl_newlink+0x4b/0xa0 [ 96.679644][ T9572] ? rcu_read_lock_sched_held+0x9c/0xd0 [ 96.685224][ T9572] ? rcu_read_lock_any_held.part.0+0x50/0x50 [ 96.691194][ T9572] rtnl_newlink+0x69/0xa0 [ 96.695517][ T9572] ? __rtnl_newlink+0x1790/0x1790 [ 96.700527][ T9572] rtnetlink_rcv_msg+0x45e/0xaf0 [ 96.705455][ T9572] ? rtnl_bridge_getlink+0x910/0x910 [ 96.710778][ T9572] ? lock_downgrade+0x920/0x920 [ 96.715622][ T9572] ? netlink_deliver_tap+0x228/0xbe0 [ 96.721006][ T9572] ? find_held_lock+0x35/0x130 [ 96.725787][ T9572] netlink_rcv_skb+0x177/0x450 [ 96.730707][ T9572] ? rtnl_bridge_getlink+0x910/0x910 [ 96.735988][ T9572] ? netlink_ack+0xb50/0xb50 [ 96.740572][ T9572] ? __kasan_check_read+0x11/0x20 [ 96.745699][ T9572] ? netlink_deliver_tap+0x24a/0xbe0 [ 96.751023][ T9572] rtnetlink_rcv+0x1d/0x30 [ 96.755439][ T9572] netlink_unicast+0x58c/0x7d0 [ 96.760197][ T9572] ? netlink_attachskb+0x870/0x870 [ 96.765296][ T9572] ? __sanitizer_cov_trace_cmp8+0x18/0x20 [ 96.771256][ T9572] ? __check_object_size+0x3d/0x437 [ 96.776801][ T9572] netlink_sendmsg+0x91c/0xea0 [ 96.782940][ T9572] ? netlink_unicast+0x7d0/0x7d0 [ 96.787955][ T9572] ? aa_sock_msg_perm.isra.0+0xba/0x170 [ 96.793491][ T9572] ? apparmor_socket_sendmsg+0x2a/0x30 [ 96.798946][ T9572] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 96.805182][ T9572] ? security_socket_sendmsg+0x8d/0xc0 [ 96.810627][ T9572] ? netlink_unicast+0x7d0/0x7d0 [ 96.815700][ T9572] sock_sendmsg+0xd7/0x130 [ 96.820111][ T9572] ____sys_sendmsg+0x753/0x880 [ 96.824895][ T9572] ? kernel_sendmsg+0x50/0x50 [ 96.829605][ T9572] ? mark_held_locks+0xa4/0xf0 [ 96.834351][ T9572] ? do_huge_pmd_anonymous_page+0x1463/0x1a50 [ 96.840539][ T9572] ? __handle_mm_fault+0x3145/0x3cc0 [ 96.845801][ T9572] ? do_huge_pmd_anonymous_page+0x1463/0x1a50 [ 96.851857][ T9572] ___sys_sendmsg+0x100/0x170 [ 96.856535][ T9572] ? do_huge_pmd_anonymous_page+0xceb/0x1a50 [ 96.862508][ T9572] ? sendmsg_copy_msghdr+0x70/0x70 [ 96.867626][ T9572] ? __do_page_fault+0x56a/0xd80 [ 96.872744][ T9572] ? find_held_lock+0x35/0x130 [ 96.877535][ T9572] ? __do_page_fault+0x56a/0xd80 [ 96.882474][ T9572] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 96.888716][ T9572] ? __fget_light+0x1a9/0x230 [ 96.893419][ T9572] ? __fdget+0x1b/0x20 [ 96.897488][ T9572] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 96.903813][ T9572] __sys_sendmsg+0x105/0x1d0 [ 96.912501][ T9572] ? __sys_sendmsg_sock+0xc0/0xc0 [ 96.917535][ T9572] ? down_read_non_owner+0x490/0x490 [ 96.922804][ T9572] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 96.928255][ T9572] ? do_syscall_64+0x26/0x790 [ 96.932920][ T9572] ? entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 96.939093][ T9572] ? do_syscall_64+0x26/0x790 [ 96.944255][ T9572] __x64_sys_sendmsg+0x78/0xb0 [ 96.949003][ T9572] do_syscall_64+0xfa/0x790 [ 96.953578][ T9572] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 96.959459][ T9572] RIP: 0033:0x4402b9 [ 96.963343][ T9572] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 fb 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00 [ 96.983130][ T9572] RSP: 002b:00007fff066defd8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e [ 96.991546][ T9572] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 00000000004402b9 [ 96.999507][ T9572] RDX: 0000000000000000 RSI: 0000000020000100 RDI: 0000000000000003 [ 97.008355][ T9572] RBP: 00000000006ca018 R08: 00000000004002c8 R09: 00000000004002c8 [ 97.016318][ T9572] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000401b40 [ 97.024331][ T9572] R13: 0000000000401bd0 R14: 0000000000000000 R15: 0000000000000000 [ 97.033903][ T9572] Kernel Offset: disabled [ 97.038240][ T9572] Rebooting in 86400 seconds..