[   43.474262] audit: type=1800 audit(1580255890.007:30): pid=7975 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2490 res=0
[ ok ] Starting periodic command scheduler: cron.
Starting mcstransd:
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   47.842169] kauditd_printk_skb: 4 callbacks suppressed
[   47.842185] audit: type=1400 audit(1580255894.397:35): avc: denied { map } for pid=8149 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
Warning: Permanently added '10.128.10.40' (ECDSA) to the list of known hosts.
executing program
[   54.644589] audit: type=1400 audit(1580255901.197:36): avc: denied { map } for pid=8161 comm="syz-executor916" path="/root/syz-executor916294225" dev="sda1" ino=16483 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[   54.666172] IPVS: ftp: loaded support on port[0] = 21
[   54.701499] ==================================================================
[   54.709185] BUG: KASAN: slab-out-of-bounds in __nla_put_nohdr+0x46/0x50
[   54.715994] Read of size 8 at addr ffff88809664f480 by task syz-executor916/8162
[   54.723530]
[   54.725205] CPU: 0 PID: 8162 Comm: syz-executor916 Not tainted 4.19.99-syzkaller #0
[   54.733026] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   54.742437] Call Trace:
[   54.745026]  dump_stack+0x197/0x210
[   54.748660]  ? __nla_put_nohdr+0x46/0x50
[   54.752733]  print_address_description.cold+0x7c/0x20d
[   54.758160]  ? __nla_put_nohdr+0x46/0x50
[   54.762328]  kasan_report.cold+0x8c/0x2ba
[   54.766500]  check_memory_region+0x123/0x190
[   54.770923]  memcpy+0x24/0x50
[   54.774069]  __nla_put_nohdr+0x46/0x50
[   54.777967]  nla_put_nohdr+0xff/0x140
[   54.781764]  tcf_em_tree_dump+0x67e/0x960
[   54.785962]  ? tcf_em_lookup+0x150/0x150
[   54.790113]  ? memcpy+0x46/0x50
[   54.794400]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   54.799940]  ? tcf_exts_dump+0x12d/0x590
[   54.804038]  basic_dump+0x21e/0x4c0
[   54.807677]  ? basic_classify+0x2b0/0x2b0
[   54.811830]  ? __nla_put+0x37/0x40
[   54.815361]  ? nla_put+0x116/0x150
[   54.819034]  ? basic_classify+0x2b0/0x2b0
[   54.823182]  tcf_fill_node+0x574/0x950
[   54.827065]  ? tcf_chain_flush+0x340/0x340
[   54.831291]  ? skb_trim+0x190/0x190
[   54.834937]  ? basic_init+0x1f0/0x1f0
[   54.838837]  tfilter_notify+0x129/0x270
[   54.842839]  tc_new_tfilter+0xcc8/0x1790
[   54.846926]  ? tc_del_tfilter+0xe60/0xe60
[   54.851123]  ? rtnetlink_rcv_msg+0x40a/0xb00
[   54.855525]  ? mutex_trylock+0x1e0/0x1e0
[   54.859592]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   54.865143]  ? tc_del_tfilter+0xe60/0xe60
[   54.869304]  rtnetlink_rcv_msg+0x463/0xb00
[   54.873547]  ? rtnetlink_put_metrics+0x560/0x560
[   54.878304]  ? netlink_deliver_tap+0x22d/0xc20
[   54.882940]  ? find_held_lock+0x35/0x130
[   54.887061]  netlink_rcv_skb+0x17d/0x460
[   54.891118]  ? rtnetlink_put_metrics+0x560/0x560
[   54.895901]  ? netlink_ack+0xb30/0xb30
[   54.899789]  ? kasan_check_read+0x11/0x20
[   54.903941]  ? netlink_deliver_tap+0x254/0xc20
[   54.908515]  rtnetlink_rcv+0x1d/0x30
[   54.912216]  netlink_unicast+0x53a/0x730
[   54.916327]  ? netlink_attachskb+0x770/0x770
[   54.920840]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   54.926391]  netlink_sendmsg+0x8ae/0xd70
[   54.930465]  ? netlink_unicast+0x730/0x730
[   54.934713]  ? selinux_socket_sendmsg+0x36/0x40
[   54.939378]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   54.944936]  ? security_socket_sendmsg+0x8d/0xc0
[   54.949687]  ? netlink_unicast+0x730/0x730
[   54.953927]  sock_sendmsg+0xd7/0x130
[   54.957638]  ___sys_sendmsg+0x803/0x920
[   54.961648]  ? copy_msghdr_from_user+0x430/0x430
[   54.966471]  ? __might_fault+0x12b/0x1e0
[   54.970554]  ? __might_fault+0x12b/0x1e0
[   54.974617]  ? lock_downgrade+0x880/0x880
[   54.978780]  ? kasan_check_read+0x11/0x20
[   54.982935]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   54.988524]  ? __fget_light+0x1a9/0x230
[   54.992517]  ? __fdget+0x1b/0x20
[   54.995878]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   55.001473]  __sys_sendmsg+0x105/0x1d0
[   55.005367]  ? __ia32_sys_shutdown+0x80/0x80
[   55.009785]  ? up_read+0x1a/0x110
[   55.013272]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   55.018083]  ? do_syscall_64+0x26/0x620
[   55.022070]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   55.027432]  ? do_syscall_64+0x26/0x620
[   55.031520]  __x64_sys_sendmsg+0x78/0xb0
[   55.035705]  do_syscall_64+0xfd/0x620
[   55.039522]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   55.044714] RIP: 0033:0x4410b9
[   55.047896] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b 10 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[   55.066804] RSP: 002b:00007ffd1d397b08 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[   55.074674] RAX: ffffffffffffffda RBX: 00000000004a28b0 RCX: 00000000004410b9
[   55.081979] RDX: 0000000000000000 RSI: 00000000200001c0 RDI: 0000000000000003
[   55.089257] RBP: 00000000006cc018 R08: 0000000120080522 R09: 0000000120080522
[   55.096942] R10: 0000000120080522 R11: 0000000000000246 R12: 00000000004025c0
[   55.104265] R13: 0000000000402650 R14: 0000000000000000 R15: 0000000000000000
[   55.111596]
[   55.113262] Allocated by task 8162:
[   55.116935]  save_stack+0x45/0xd0
[   55.120407]  kasan_kmalloc+0xce/0xf0
[   55.124216]  __kmalloc_track_caller+0x159/0x750
[   55.128913]  kmemdup+0x27/0x60
[   55.132095]  em_nbyte_change+0xd6/0x150
[   55.136079]  tcf_em_tree_validate+0x9a9/0xf30
[   55.140664]  basic_change+0x126e/0x1370
[   55.144647]  tc_new_tfilter+0xc54/0x1790
[   55.148706]  rtnetlink_rcv_msg+0x463/0xb00
[   55.152958]  netlink_rcv_skb+0x17d/0x460
[   55.157017]  rtnetlink_rcv+0x1d/0x30
[   55.160747]  netlink_unicast+0x53a/0x730
[   55.164818]  netlink_sendmsg+0x8ae/0xd70
[   55.168878]  sock_sendmsg+0xd7/0x130
[   55.172679]  ___sys_sendmsg+0x803/0x920
[   55.176667]  __sys_sendmsg+0x105/0x1d0
[   55.180570]  __x64_sys_sendmsg+0x78/0xb0
[   55.184629]  do_syscall_64+0xfd/0x620
[   55.188463]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   55.193646]
[   55.195286] Freed by task 5714:
[   55.198602]  save_stack+0x45/0xd0
[   55.202056]  __kasan_slab_free+0x102/0x150
[   55.206298]  kasan_slab_free+0xe/0x10
[   55.210097]  kfree+0xcf/0x220
[   55.213208]  vfs_getxattr+0x1fa/0x2a0
[   55.217013]  getxattr+0x110/0x2d0
[   55.220527]  path_getxattr+0xd1/0x170
[   55.224319]  __x64_sys_lgetxattr+0x9a/0xf0
[   55.228558]  do_syscall_64+0xfd/0x620
[   55.232353]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   55.237531]
[   55.239196] The buggy address belongs to the object at ffff88809664f480
[   55.239196]  which belongs to the cache kmalloc-32 of size 32
[   55.251729] The buggy address is located 0 bytes inside of
[   55.251729]  32-byte region [ffff88809664f480, ffff88809664f4a0)
[   55.263348] The buggy address belongs to the page:
[   55.268270] page:ffffea00025993c0 count:1 mapcount:0 mapping:ffff88812c31c1c0 index:0xffff88809664ffc1
[   55.277715] flags: 0xfffe0000000100(slab)
[   55.281896] raw: 00fffe0000000100 ffffea00029852c8 ffff88812c314248 ffff88812c31c1c0
[   55.289784] raw: ffff88809664ffc1 ffff88809664f000 000000010000003f 0000000000000000
[   55.297739] page dumped because: kasan: bad access detected
[   55.303455]
[   55.305090] Memory state around the buggy address:
[   55.310023]  ffff88809664f380: 00 00 01 fc fc fc fc fc fb fb fb fb fc fc fc fc
[   55.317474]  ffff88809664f400: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[   55.324846] >ffff88809664f480: 04 fc fc fc fc fc fc fc fb fb fb fb fc fc fc fc
[   55.332329]                    ^
[   55.335705]  ffff88809664f500: 00 00 00 00 fc fc fc fc fb fb fb fb fc fc fc fc
[   55.343072]  ffff88809664f580: 00 00 01 fc fc fc fc fc fb fb fb fb fc fc fc fc
[   55.350477] ==================================================================
[   55.357830] Disabling lock debugging due to kernel taint
[   55.364004] Kernel panic - not syncing: panic_on_warn set ...
[   55.364004]
[   55.371390] CPU: 0 PID: 8162 Comm: syz-executor916 Tainted: G B 4.19.99-syzkaller #0
[   55.380568] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   55.389962] Call Trace:
[   55.392593]  dump_stack+0x197/0x210
[   55.396263]  ? __nla_put_nohdr+0x46/0x50
[   55.400335]  panic+0x26a/0x50e
[   55.403520]  ? __warn_printk+0xf3/0xf3
[   55.407516]  ? __nla_put_nohdr+0x46/0x50
[   55.411614]  ? preempt_schedule+0x4b/0x60
[   55.415781]  ? ___preempt_schedule+0x16/0x18
[   55.420242]  ? trace_hardirqs_on+0x5e/0x220
[   55.424597]  ? __nla_put_nohdr+0x46/0x50
[   55.428708]  kasan_end_report+0x47/0x4f
[   55.432686]  kasan_report.cold+0xa9/0x2ba
[   55.436953]  check_memory_region+0x123/0x190
[   55.441365]  memcpy+0x24/0x50
[   55.444465]  __nla_put_nohdr+0x46/0x50
[   55.448360]  nla_put_nohdr+0xff/0x140
[   55.452164]  tcf_em_tree_dump+0x67e/0x960
[   55.456324]  ? tcf_em_lookup+0x150/0x150
[   55.460381]  ? memcpy+0x46/0x50
[   55.463653]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   55.469222]  ? tcf_exts_dump+0x12d/0x590
[   55.473287]  basic_dump+0x21e/0x4c0
[   55.477026]  ? basic_classify+0x2b0/0x2b0
[   55.481173]  ? __nla_put+0x37/0x40
[   55.484702]  ? nla_put+0x116/0x150
[   55.488232]  ? basic_classify+0x2b0/0x2b0
[   55.492419]  tcf_fill_node+0x574/0x950
[   55.496365]  ? tcf_chain_flush+0x340/0x340
[   55.500793]  ? skb_trim+0x190/0x190
[   55.504463]  ? basic_init+0x1f0/0x1f0
[   55.508270]  tfilter_notify+0x129/0x270
[   55.512252]  tc_new_tfilter+0xcc8/0x1790
[   55.516369]  ? tc_del_tfilter+0xe60/0xe60
[   55.520566]  ? rtnetlink_rcv_msg+0x40a/0xb00
[   55.525023]  ? mutex_trylock+0x1e0/0x1e0
[   55.529131]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   55.534663]  ? tc_del_tfilter+0xe60/0xe60
[   55.538814]  rtnetlink_rcv_msg+0x463/0xb00
[   55.543070]  ? rtnetlink_put_metrics+0x560/0x560
[   55.547835]  ? netlink_deliver_tap+0x22d/0xc20
[   55.552466]  ? find_held_lock+0x35/0x130
[   55.556532]  netlink_rcv_skb+0x17d/0x460
[   55.560611]  ? rtnetlink_put_metrics+0x560/0x560
[   55.565397]  ? netlink_ack+0xb30/0xb30
[   55.569289]  ? kasan_check_read+0x11/0x20
[   55.573445]  ? netlink_deliver_tap+0x254/0xc20
[   55.578032]  rtnetlink_rcv+0x1d/0x30
[   55.581735]  netlink_unicast+0x53a/0x730
[   55.585807]  ? netlink_attachskb+0x770/0x770
[   55.590234]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   55.595802]  netlink_sendmsg+0x8ae/0xd70
[   55.599916]  ? netlink_unicast+0x730/0x730
[   55.604182]  ? selinux_socket_sendmsg+0x36/0x40
[   55.608852]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   55.614451]  ? security_socket_sendmsg+0x8d/0xc0
[   55.619298]  ? netlink_unicast+0x730/0x730
[   55.623620]  sock_sendmsg+0xd7/0x130
[   55.627388]  ___sys_sendmsg+0x803/0x920
[   55.631358]  ? copy_msghdr_from_user+0x430/0x430
[   55.636121]  ? __might_fault+0x12b/0x1e0
[   55.640193]  ? __might_fault+0x12b/0x1e0
[   55.644268]  ? lock_downgrade+0x880/0x880
[   55.648463]  ? kasan_check_read+0x11/0x20
[   55.652657]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   55.658218]  ? __fget_light+0x1a9/0x230
[   55.662241]  ? __fdget+0x1b/0x20
[   55.665612]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   55.671155]  __sys_sendmsg+0x105/0x1d0
[   55.675102]  ? __ia32_sys_shutdown+0x80/0x80
[   55.679648]  ? up_read+0x1a/0x110
[   55.683098]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   55.687895]  ? do_syscall_64+0x26/0x620
[   55.691976]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   55.701756]  ? do_syscall_64+0x26/0x620
[   55.705741]  __x64_sys_sendmsg+0x78/0xb0
[   55.709922]  do_syscall_64+0xfd/0x620
[   55.713721]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   55.718911] RIP: 0033:0x4410b9
[   55.722116] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b 10 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[   55.741026] RSP: 002b:00007ffd1d397b08 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[   55.748817] RAX: ffffffffffffffda RBX: 00000000004a28b0 RCX: 00000000004410b9
[   55.756081] RDX: 0000000000000000 RSI: 00000000200001c0 RDI: 0000000000000003
[   55.763400] RBP: 00000000006cc018 R08: 0000000120080522 R09: 0000000120080522
[   55.770669] R10: 0000000120080522 R11: 0000000000000246 R12: 00000000004025c0
[   55.777937] R13: 0000000000402650 R14: 0000000000000000 R15: 0000000000000000
[   55.786674] Kernel Offset: disabled
[   55.790316] Rebooting in 86400 seconds..