[ OK ] Reached target Graphical Interface.
       Starting Update UTMP about System Runlevel Changes...
[ OK ] Started Update UTMP about System Runlevel Changes.
       Starting Load/Save RF Kill Switch Status...
[ OK ] Started Load/Save RF Kill Switch Status.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.1.20' (ECDSA) to the list of known hosts.

syzkaller login: [ 34.651286] IPVS: ftp: loaded support on port[0] = 21
executing program
[ 34.736624] netlink: 4 bytes leftover after parsing attributes in process `syz-executor245'.
[ 34.745911] ==================================================================
[ 34.753280] BUG: KASAN: slab-out-of-bounds in __lock_acquire+0x2cb4/0x3ff0
[ 34.760360] Read of size 8 at addr ffff8880a4dc5ba0 by task syz-executor245/8085
[ 34.767865]
[ 34.769486] CPU: 0 PID: 8085 Comm: syz-executor245 Not tainted 4.19.211-syzkaller #0
[ 34.777339] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 34.786678] Call Trace:
[ 34.789244]  dump_stack+0x1fc/0x2ef
[ 34.792850]  print_address_description.cold+0x54/0x219
[ 34.798102]  kasan_report_error.cold+0x8a/0x1b9
[ 34.802750]  ? __lock_acquire+0x2cb4/0x3ff0
[ 34.807047]  __asan_report_load8_noabort+0x88/0x90
[ 34.811958]  ? unwind_get_return_address+0x70/0x90
[ 34.816864]  ? __lock_acquire+0x2cb4/0x3ff0
[ 34.821161]  __lock_acquire+0x2cb4/0x3ff0
[ 34.825300]  ? mark_held_locks+0xf0/0xf0
[ 34.829346]  ? check_usage+0x19a/0x670
[ 34.833224]  ? check_usage_backwards+0x300/0x300
[ 34.837956]  ? __kernel_text_address+0x9/0x30
[ 34.842427]  ? check_usage_forwards+0x310/0x310
[ 34.847073]  ? __save_stack_trace+0xaf/0x190
[ 34.851459]  lock_acquire+0x170/0x3c0
[ 34.855238]  ? xt_find_match+0xa3/0x280
[ 34.859207]  ? xt_find_match+0xa3/0x280
[ 34.863159]  __mutex_lock+0xd7/0x1190
[ 34.866934]  ? xt_find_match+0xa3/0x280
[ 34.870887]  ? check_usage_forwards+0x310/0x310
[ 34.875540]  ? xt_find_match+0xa3/0x280
[ 34.879506]  ? mutex_trylock+0x1a0/0x1a0
[ 34.883543]  ? mark_held_locks+0xf0/0xf0
[ 34.887590]  ? mark_held_locks+0xf0/0xf0
[ 34.891630]  ? cache_alloc_refill+0x95/0x340
[ 34.896015]  ? __sanitizer_cov_trace_switch+0x4b/0x80
[ 34.901182]  xt_find_match+0xa3/0x280
[ 34.905147]  xt_request_find_match+0x88/0x110
[ 34.909619]  em_ipt_change+0x1c7/0x470
[ 34.913481]  ? check_match+0x1e0/0x1e0
[ 34.917346]  ? lock_acquire+0x170/0x3c0
[ 34.921404]  ? tcf_em_lookup+0x1c/0x150
[ 34.925373]  ? do_raw_read_unlock+0x3b/0x70
[ 34.929669]  ? _raw_read_unlock+0x29/0x40
[ 34.933791]  ? check_match+0x1e0/0x1e0
[ 34.937653]  tcf_em_tree_validate+0x8fa/0xea0
[ 34.942128]  ? tcf_em_tree_destroy+0x50/0x50
[ 34.946514]  ? rcu_read_lock_sched_held+0x16c/0x1d0
[ 34.951507]  basic_change+0x1173/0x1260
[ 34.955459]  ? basic_delete+0x630/0x630
[ 34.959422]  ? check_preemption_disabled+0x41/0x280
[ 34.964418]  ? basic_delete+0x630/0x630
[ 34.968371]  tc_new_tfilter+0xb52/0x16c0
[ 34.972409]  ? tcf_chain_tp_remove+0x2c0/0x2c0
[ 34.976979]  ? __mutex_lock+0x368/0x1190
[ 34.981028]  ? apparmor_capable+0x147/0x750
[ 34.985327]  ? apparmor_capable+0x147/0x750
[ 34.989639]  ? rtnetlink_rcv_msg+0x3fe/0xb80
[ 34.994027]  ? mutex_trylock+0x1a0/0x1a0
[ 34.998090]  ? tcf_chain_tp_remove+0x2c0/0x2c0
[ 35.002649]  rtnetlink_rcv_msg+0x453/0xb80
[ 35.006860]  ? rtnl_calcit.isra.0+0x430/0x430
[ 35.011332]  ? __netlink_lookup+0x3fc/0x730
[ 35.015629]  ? lock_downgrade+0x720/0x720
[ 35.019752]  ? check_preemption_disabled+0x41/0x280
[ 35.024871]  netlink_rcv_skb+0x160/0x440
[ 35.028907]  ? rtnl_calcit.isra.0+0x430/0x430
[ 35.033388]  ? netlink_ack+0xae0/0xae0
[ 35.037351]  netlink_unicast+0x4d5/0x690
[ 35.041400]  ? netlink_sendskb+0x110/0x110
[ 35.045620]  ? _copy_from_iter_full+0x229/0x7c0
[ 35.050272]  ? __phys_addr_symbol+0x2c/0x70
[ 35.054570]  ? __check_object_size+0x17b/0x3e0
[ 35.059127]  netlink_sendmsg+0x6c3/0xc50
[ 35.063162]  ? aa_af_perm+0x230/0x230
[ 35.066938]  ? nlmsg_notify+0x1f0/0x1f0
[ 35.070896]  ? kernel_recvmsg+0x220/0x220
[ 35.075018]  ? nlmsg_notify+0x1f0/0x1f0
[ 35.078969]  sock_sendmsg+0xc3/0x120
[ 35.082657]  ___sys_sendmsg+0x7bb/0x8e0
[ 35.086610]  ? mark_held_locks+0xf0/0xf0
[ 35.090647]  ? copy_msghdr_from_user+0x440/0x440
[ 35.095382]  ? lock_downgrade+0x720/0x720
[ 35.099506]  ? __wake_up_common_lock+0xb0/0x170
[ 35.104150]  ? __might_fault+0x11f/0x1d0
[ 35.108188]  ? lock_downgrade+0x720/0x720
[ 35.112310]  ? lock_acquire+0x170/0x3c0
[ 35.116264]  ? __might_fault+0xef/0x1d0
[ 35.120219]  ? __might_fault+0x192/0x1d0
[ 35.124265]  ? _copy_to_user+0xb8/0x100
[ 35.128222]  ? move_addr_to_user+0x190/0x1d0
[ 35.132612]  ? __fdget+0x1a0/0x230
[ 35.136151]  __x64_sys_sendmsg+0x132/0x220
[ 35.140370]  ? __sys_sendmsg+0x1b0/0x1b0
[ 35.144420]  ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[ 35.149761]  ? trace_hardirqs_off_caller+0x6e/0x210
[ 35.154755]  ? do_syscall_64+0x21/0x620
[ 35.158708]  do_syscall_64+0xf9/0x620
[ 35.162495]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 35.167661] RIP: 0033:0x7f4e3d3b0769
[ 35.171350] Code: 28 c3 e8 4a 15 00 00 66 2e 0f 1f 84 00 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
[ 35.190227] RSP: 002b:00007fff666a0938 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 35.197914] RAX: ffffffffffffffda RBX: 00007f4e3d41ded0 RCX: 00007f4e3d3b0769
[ 35.205158] RDX: 0000000000000000 RSI: 0000000020000140 RDI: 0000000000000003
[ 35.212408] RBP: 00007fff666a0948 R08: 00007f4e3d41de40 R09: 00007f4e3d41de40
[ 35.219653] R10: 00007f4e3d41de40 R11: 0000000000000246 R12: 00007fff666a0950
[ 35.226898] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 35.234142]
[ 35.235746] Allocated by task 1:
[ 35.239096]  kmem_cache_alloc_trace+0x12f/0x380
[ 35.243741]  xt_init+0x128/0x2a9
[ 35.247083]  do_one_initcall+0xf1/0x740
[ 35.251147]  kernel_init_freeable+0x9c5/0xab7
[ 35.255618]  kernel_init+0xd/0x1ba
[ 35.259146]  ret_from_fork+0x24/0x30
[ 35.262833]
[ 35.264435] Freed by task 0:
[ 35.267425] (stack is not available)
[ 35.271106]
[ 35.272708] The buggy address belongs to the object at ffff8880a4dc4840
[ 35.272708]  which belongs to the cache kmalloc-4096 of size 4096
[ 35.285510] The buggy address is located 864 bytes to the right of
[ 35.285510]  4096-byte region [ffff8880a4dc4840, ffff8880a4dc5840)
[ 35.298057] The buggy address belongs to the page:
[ 35.302961] page:ffffea0002937100 count:1 mapcount:0 mapping:ffff88813bff0dc0 index:0x0 compound_mapcount: 0
[ 35.312899] flags: 0xfff00000008100(slab|head)
[ 35.317461] raw: 00fff00000008100 ffffea0002937088 ffffea000293ce88 ffff88813bff0dc0
[ 35.325325] raw: 0000000000000000 ffff8880a4dc4840 0000000100000001 0000000000000000
[ 35.333177] page dumped because: kasan: bad access detected
[ 35.338855]
[ 35.340456] Memory state around the buggy address:
[ 35.345361]  ffff8880a4dc5a80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 35.352706]  ffff8880a4dc5b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 35.360038] >ffff8880a4dc5b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 35.367367]                                ^
[ 35.371751]  ffff8880a4dc5c00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 35.379085]  ffff8880a4dc5c80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 35.386436] ==================================================================
[ 35.393775] Disabling lock debugging due to kernel taint
[ 35.399202] Kernel panic - not syncing: panic_on_warn set ...
[ 35.399202]
[ 35.406559] CPU: 0 PID: 8085 Comm: syz-executor245 Tainted: G    B   4.19.211-syzkaller #0
[ 35.415803] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 35.425140] Call Trace:
[ 35.427800]  dump_stack+0x1fc/0x2ef
[ 35.431405]  panic+0x26a/0x50e
[ 35.434589]  ? __warn_printk+0xf3/0xf3
[ 35.438484]  ? lock_downgrade+0x720/0x720
[ 35.442610]  ? print_shadow_for_address+0xb8/0x114
[ 35.447536]  ? trace_hardirqs_off+0x64/0x200
[ 35.451922]  kasan_end_report+0x43/0x49
[ 35.455891]  kasan_report_error.cold+0xa7/0x1b9
[ 35.460552]  ? __lock_acquire+0x2cb4/0x3ff0
[ 35.464873]  __asan_report_load8_noabort+0x88/0x90
[ 35.469787]  ? unwind_get_return_address+0x70/0x90
[ 35.474699]  ? __lock_acquire+0x2cb4/0x3ff0
[ 35.479038]  __lock_acquire+0x2cb4/0x3ff0
[ 35.483185]  ? mark_held_locks+0xf0/0xf0
[ 35.487242]  ? check_usage+0x19a/0x670
[ 35.491117]  ? check_usage_backwards+0x300/0x300
[ 35.495860]  ? __kernel_text_address+0x9/0x30
[ 35.500344]  ? check_usage_forwards+0x310/0x310
[ 35.504993]  ? __save_stack_trace+0xaf/0x190
[ 35.509543]  lock_acquire+0x170/0x3c0
[ 35.513335]  ? xt_find_match+0xa3/0x280
[ 35.517307]  ? xt_find_match+0xa3/0x280
[ 35.521260]  __mutex_lock+0xd7/0x1190
[ 35.525043]  ? xt_find_match+0xa3/0x280
[ 35.528998]  ? check_usage_forwards+0x310/0x310
[ 35.533689]  ? xt_find_match+0xa3/0x280
[ 35.537641]  ? mutex_trylock+0x1a0/0x1a0
[ 35.541680]  ? mark_held_locks+0xf0/0xf0
[ 35.545717]  ? mark_held_locks+0xf0/0xf0
[ 35.549760]  ? cache_alloc_refill+0x95/0x340
[ 35.554145]  ? __sanitizer_cov_trace_switch+0x4b/0x80
[ 35.559314]  xt_find_match+0xa3/0x280
[ 35.563090]  xt_request_find_match+0x88/0x110
[ 35.567561]  em_ipt_change+0x1c7/0x470
[ 35.571424]  ? check_match+0x1e0/0x1e0
[ 35.575293]  ? lock_acquire+0x170/0x3c0
[ 35.579249]  ? tcf_em_lookup+0x1c/0x150
[ 35.583199]  ? do_raw_read_unlock+0x3b/0x70
[ 35.587508]  ? _raw_read_unlock+0x29/0x40
[ 35.591632]  ? check_match+0x1e0/0x1e0
[ 35.595494]  tcf_em_tree_validate+0x8fa/0xea0
[ 35.599966]  ? tcf_em_tree_destroy+0x50/0x50
[ 35.604351]  ? rcu_read_lock_sched_held+0x16c/0x1d0
[ 35.609344]  basic_change+0x1173/0x1260
[ 35.613295]  ? basic_delete+0x630/0x630
[ 35.617249]  ? check_preemption_disabled+0x41/0x280
[ 35.622241]  ? basic_delete+0x630/0x630
[ 35.626189]  tc_new_tfilter+0xb52/0x16c0
[ 35.630235]  ? tcf_chain_tp_remove+0x2c0/0x2c0
[ 35.634807]  ? __mutex_lock+0x368/0x1190
[ 35.638845]  ? apparmor_capable+0x147/0x750
[ 35.643141]  ? apparmor_capable+0x147/0x750
[ 35.647450]  ? rtnetlink_rcv_msg+0x3fe/0xb80
[ 35.651845]  ? mutex_trylock+0x1a0/0x1a0
[ 35.655886]  ? tcf_chain_tp_remove+0x2c0/0x2c0
[ 35.660450]  rtnetlink_rcv_msg+0x453/0xb80
[ 35.664661]  ? rtnl_calcit.isra.0+0x430/0x430
[ 35.669131]  ? __netlink_lookup+0x3fc/0x730
[ 35.673430]  ? lock_downgrade+0x720/0x720
[ 35.677559]  ? check_preemption_disabled+0x41/0x280
[ 35.682572]  netlink_rcv_skb+0x160/0x440
[ 35.686609]  ? rtnl_calcit.isra.0+0x430/0x430
[ 35.691078]  ? netlink_ack+0xae0/0xae0
[ 35.694943]  netlink_unicast+0x4d5/0x690
[ 35.698977]  ? netlink_sendskb+0x110/0x110
[ 35.703190]  ? _copy_from_iter_full+0x229/0x7c0
[ 35.707835]  ? __phys_addr_symbol+0x2c/0x70
[ 35.712135]  ? __check_object_size+0x17b/0x3e0
[ 35.716696]  netlink_sendmsg+0x6c3/0xc50
[ 35.720733]  ? aa_af_perm+0x230/0x230
[ 35.724509]  ? nlmsg_notify+0x1f0/0x1f0
[ 35.728461]  ? kernel_recvmsg+0x220/0x220
[ 35.732604]  ? nlmsg_notify+0x1f0/0x1f0
[ 35.736564]  sock_sendmsg+0xc3/0x120
[ 35.740251]  ___sys_sendmsg+0x7bb/0x8e0
[ 35.744211]  ? mark_held_locks+0xf0/0xf0
[ 35.748248]  ? copy_msghdr_from_user+0x440/0x440
[ 35.752981]  ? lock_downgrade+0x720/0x720
[ 35.757122]  ? __wake_up_common_lock+0xb0/0x170
[ 35.761814]  ? __might_fault+0x11f/0x1d0
[ 35.765851]  ? lock_downgrade+0x720/0x720
[ 35.770080]  ? lock_acquire+0x170/0x3c0
[ 35.774036]  ? __might_fault+0xef/0x1d0
[ 35.777999]  ? __might_fault+0x192/0x1d0
[ 35.782057]  ? _copy_to_user+0xb8/0x100
[ 35.786012]  ? move_addr_to_user+0x190/0x1d0
[ 35.790397]  ? __fdget+0x1a0/0x230
[ 35.793924]  __x64_sys_sendmsg+0x132/0x220
[ 35.798137]  ? __sys_sendmsg+0x1b0/0x1b0
[ 35.802192]  ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[ 35.807533]  ? trace_hardirqs_off_caller+0x6e/0x210
[ 35.812524]  ? do_syscall_64+0x21/0x620
[ 35.816472]  do_syscall_64+0xf9/0x620
[ 35.820248]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 35.825422] RIP: 0033:0x7f4e3d3b0769
[ 35.829112] Code: 28 c3 e8 4a 15 00 00 66 2e 0f 1f 84 00 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
[ 35.847987] RSP: 002b:00007fff666a0938 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 35.855671] RAX: ffffffffffffffda RBX: 00007f4e3d41ded0 RCX: 00007f4e3d3b0769
[ 35.862937] RDX: 0000000000000000 RSI: 0000000020000140 RDI: 0000000000000003
[ 35.870181] RBP: 00007fff666a0948 R08: 00007f4e3d41de40 R09: 00007f4e3d41de40
[ 35.877431] R10: 00007f4e3d41de40 R11: 0000000000000246 R12: 00007fff666a0950
[ 35.884674] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 35.892131] Kernel Offset: disabled
[ 35.895736] Rebooting in 86400 seconds..