Starting sshd: OK
syzkaller
syzkaller login: [   14.793511][   T22] kauditd_printk_skb: 60 callbacks suppressed
[   14.793517][   T22] audit: type=1400 audit(1634717813.229:71): avc:  denied  { transition } for  pid=265 comm="sshd" path="/bin/sh" dev="sda1" ino=73 scontext=system_u:system_r:initrc_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1
[   14.801068][   T22] audit: type=1400 audit(1634717813.239:72): avc:  denied  { write } for  pid=265 comm="sh" path="pipe:[9845]" dev="pipefs" ino=9845 scontext=root:sysadm_r:sysadm_t tcontext=system_u:system_r:initrc_t tclass=fifo_file permissive=1
[   14.812602][  T263] sshd (263) used greatest stack depth: 23248 bytes left
[   15.822827][  T266] sshd (266) used greatest stack depth: 22352 bytes left
Warning: Permanently added '10.128.0.117' (ECDSA) to the list of known hosts.
executing program
[   45.399902][   T22] audit: type=1400 audit(1634717843.839:73): avc:  denied  { execmem } for  pid=298 comm="syz-executor969" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1
[   45.419460][   T22] audit: type=1400 audit(1634717843.839:74): avc:  denied  { create } for  pid=299 comm="syz-executor969" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1
[   45.440292][   T22] audit: type=1400 audit(1634717843.839:75): avc:  denied  { write } for  pid=299 comm="syz-executor969" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1
[   45.460980][   T22] audit: type=1400 audit(1634717843.839:76): avc:  denied  { read } for  pid=299 comm="syz-executor969" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=netlink_generic_socket permissive=1
executing program
[   50.399918][  T115] cfg80211: failed to load regulatory.db
[   50.428018][  T300] platform regulatory.0: Direct firmware load for regulatory.db failed with error -2
[   50.437661][  T300] platform regulatory.0: Falling back to sysfs fallback for: regulatory.db
[   50.446532][  T300] ==================================================================
[   50.454585][  T300] BUG: KASAN: use-after-free in __list_add_valid+0x36/0xc0
[   50.461748][  T300] Read of size 8 at addr ffff8881ee42e188 by task syz-executor969/300
[   50.469861][  T300]
[   50.472179][  T300] CPU: 1 PID: 300 Comm: syz-executor969 Not tainted 5.4.125-syzkaller-00029-g5970ec26e0c8 #0
[   50.482289][  T300] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   50.492313][  T300] Call Trace:
[   50.495575][  T300]  dump_stack+0x1d8/0x24e
[   50.499890][  T300]  ? show_regs_print_info+0x12/0x12
[   50.505055][  T300]  ? printk+0xcf/0x114
[   50.509108][  T300]  print_address_description+0x9b/0x650
[   50.514626][  T300]  ? devkmsg_release+0x11c/0x11c
[   50.519542][  T300]  ? device_add+0x5d8/0x18a0
[   50.524100][  T300]  __kasan_report+0x182/0x260
[   50.528758][  T300]  ? __list_add_valid+0x36/0xc0
[   50.533589][  T300]  kasan_report+0x30/0x60
[   50.537888][  T300]  __list_add_valid+0x36/0xc0
[   50.542537][  T300]  firmware_fallback_sysfs+0x480/0xb20
[   50.547975][  T300]  _request_firmware+0x1287/0x1770
[   50.553058][  T300]  ? request_firmware+0x50/0x50
[   50.557877][  T300]  ? __nla_validate+0x50/0x50
[   50.562520][  T300]  request_firmware+0x33/0x50
[   50.567164][  T300]  reg_reload_regdb+0xa0/0x220
[   50.571895][  T300]  ? reg_query_regdb_wmm+0x510/0x510
[   50.577148][  T300]  ? nl80211_pre_doit+0x156/0x590
[   50.582140][  T300]  genl_rcv_msg+0xed8/0x13b0
[   50.586700][  T300]  ? genl_rcv+0x40/0x40
[   50.590838][  T300]  ? rhashtable_jhash2+0x1bf/0x2e0
[   50.595912][  T300]  ? jhash+0x740/0x740
[   50.599947][  T300]  ? rht_key_hashfn+0x112/0x1e0
[   50.604779][  T300]  ? rht_lock+0x100/0x100
[   50.609089][  T300]  ? __sys_sendmsg+0x2c4/0x3b0
[   50.613831][  T300]  ? rht_key_hashfn+0x1e0/0x1e0
[   50.618653][  T300]  ? netlink_hash+0xd0/0xd0
[   50.623133][  T300]  netlink_rcv_skb+0x200/0x480
[   50.627869][  T300]  ? genl_rcv+0x40/0x40
[   50.631994][  T300]  ? netlink_ack+0xab0/0xab0
[   50.636589][  T300]  ? __down_read+0xf1/0x210
[   50.641075][  T300]  ? __init_rwsem+0x200/0x200
[   50.645721][  T300]  ? __rcu_read_lock+0x50/0x50
[   50.650453][  T300]  ? selinux_vm_enough_memory+0x170/0x170
[   50.656141][  T300]  genl_rcv+0x24/0x40
[   50.660091][  T300]  netlink_unicast+0x865/0x9f0
[   50.664823][  T300]  ? netlink_detachskb+0x40/0x40
[   50.669747][  T300]  ? _copy_from_iter_full+0x29e/0x830
[   50.675122][  T300]  ? __virt_addr_valid+0x1fd/0x290
[   50.680204][  T300]  netlink_sendmsg+0x9ab/0xd40
[   50.684948][  T300]  ? netlink_getsockopt+0x8e0/0x8e0
[   50.690131][  T300]  ? import_iovec+0x1bc/0x380
[   50.694785][  T300]  ? security_socket_sendmsg+0x9d/0xb0
[   50.700223][  T300]  ? netlink_getsockopt+0x8e0/0x8e0
[   50.705393][  T300]  ____sys_sendmsg+0x583/0x8c0
[   50.710128][  T300]  ? __sys_sendmsg_sock+0x2b0/0x2b0
[   50.715295][  T300]  __sys_sendmsg+0x2c4/0x3b0
[   50.719854][  T300]  ? ____sys_sendmsg+0x8c0/0x8c0
[   50.724767][  T300]  ? _raw_spin_lock_irq+0xa4/0x1b0
[   50.729845][  T300]  ? _raw_spin_unlock_irq+0x4a/0x60
[   50.735014][  T300]  do_syscall_64+0xcb/0x1e0
[   50.739501][  T300]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[   50.745361][  T300] RIP: 0033:0x7f4c71d097c9
[   50.749745][  T300] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 14 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
[   50.769315][  T300] RSP: 002b:00007fff41cadef8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[   50.777691][  T300] RAX: ffffffffffffffda RBX: 000000000000b142 RCX: 00007f4c71d097c9
[   50.785631][  T300] RDX: 0000000000000000 RSI: 0000000020000200 RDI: 0000000000000003
[   50.793570][  T300] RBP: 0000000000000000 R08: 0000000000000000 R09: 00007fff41cae098
[   50.801509][  T300] R10: 0000000000000000 R11: 0000000000000246 R12: 00007fff41cadf0c
[   50.809452][  T300] R13: 431bde82d7b634db R14: 0000000000000000 R15: 0000000000000000
[   50.817409][  T300]
[   50.819711][  T300] Allocated by task 115:
[   50.823924][  T300]  __kasan_kmalloc+0x137/0x1e0
[   50.828654][  T300]  kmem_cache_alloc_trace+0x139/0x2b0
[   50.833992][  T300]  _request_firmware+0x524/0x1770
[   50.838982][  T300]  request_firmware_work_func+0x121/0x260
[   50.844670][  T300]  process_one_work+0x679/0x1030
[   50.849574][  T300]  worker_thread+0xa6f/0x1400
[   50.854219][  T300]  kthread+0x30f/0x330
[   50.858256][  T300]  ret_from_fork+0x1f/0x30
[   50.862634][  T300]
[   50.864936][  T300] Freed by task 115:
[   50.868797][  T300]  __kasan_slab_free+0x18a/0x240
[   50.873715][  T300]  slab_free_freelist_hook+0x7b/0x150
[   50.879069][  T300]  kfree+0xe0/0x660
[   50.882856][  T300]  release_firmware+0x47f/0x4d0
[   50.887670][  T300]  _request_firmware+0x145a/0x1770
[   50.892745][  T300]  request_firmware_work_func+0x121/0x260
[   50.898434][  T300]  process_one_work+0x679/0x1030
[   50.903338][  T300]  worker_thread+0xa6f/0x1400
[   50.907981][  T300]  kthread+0x30f/0x330
[   50.912016][  T300]  ret_from_fork+0x1f/0x30
[   50.916408][  T300]
[   50.918712][  T300] The buggy address belongs to the object at ffff8881ee42e100
[   50.918712][  T300]  which belongs to the cache kmalloc-192 of size 192
[   50.932735][  T300] The buggy address is located 136 bytes inside of
[   50.932735][  T300]  192-byte region [ffff8881ee42e100, ffff8881ee42e1c0)
[   50.945969][  T300] The buggy address belongs to the page:
[   50.951571][  T300] page:ffffea0007b90b80 refcount:1 mapcount:0 mapping:ffff8881f5c02a00 index:0x0
[   50.960642][  T300] flags: 0x8000000000000200(slab)
[   50.965632][  T300] raw: 8000000000000200 dead000000000100 dead000000000122 ffff8881f5c02a00
[   50.974185][  T300] raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000
[   50.982731][  T300] page dumped because: kasan: bad access detected
[   50.989109][  T300] page_owner tracks the page as allocated
[   50.994794][  T300] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12a20(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY)
[   51.006742][  T300]  prep_new_page+0x19a/0x380
[   51.011303][  T300]  get_page_from_freelist+0x550/0x8b0
[   51.016648][  T300]  __alloc_pages_nodemask+0x3a2/0x880
[   51.021987][  T300]  alloc_slab_page+0x39/0x3e0
[   51.026631][  T300]  new_slab+0x97/0x460
[   51.030669][  T300]  ___slab_alloc+0x330/0x4c0
[   51.035224][  T300]  kmem_cache_alloc_trace+0x199/0x2b0
[   51.040562][  T300]  _request_firmware+0x524/0x1770
[   51.045554][  T300]  request_firmware_work_func+0x121/0x260
[   51.051241][  T300]  process_one_work+0x679/0x1030
[   51.056145][  T300]  worker_thread+0xa6f/0x1400
[   51.060791][  T300]  kthread+0x30f/0x330
[   51.064827][  T300]  ret_from_fork+0x1f/0x30
[   51.069204][  T300] page_owner free stack trace missing
[   51.074538][  T300]
[   51.076835][  T300] Memory state around the buggy address:
[   51.082433][  T300]  ffff8881ee42e080: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   51.090461][  T300]  ffff8881ee42e100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   51.098490][  T300] >ffff8881ee42e180: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   51.106515][  T300]                       ^
[   51.110810][  T300]  ffff8881ee42e200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   51.118837][  T300]  ffff8881ee42e280: 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc
[   51.126860][  T300] ==================================================================
[   51.134899][  T300] Disabling lock debugging due to kernel taint
executing program
[   55.401522][  T300] syz-executor969 (300) used greatest stack depth: 21840 bytes left
[   55.404783][  T303] platform regulatory.0: Direct firmware load for regulatory.db failed with error -2
[   55.419047][  T303] platform regulatory.0: Falling back to sysfs fallback for: regulatory.db
executing program
[   60.406256][  T305] platform regulatory.0: Direct firmware load for regulatory.db failed with error -2
[   60.415800][  T305] platform regulatory.0: Falling back to sysfs fallback for: regulatory.db
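Added example, not part of the syzkaller log above and not kernel or syzkaller code: a small Python triage script that parses a generic-KASAN report of this shape and checks the report against itself. SAMPLE is constructed from lines of this page's report, trimmed; the regexes, the helper names (parse_kasan, object_offset, shadow_byte, triage) and the choice to treat frames shared by the allocation and free stacks as the code path that owns the object are this example's own. The shadow byte meanings are the generic-KASAN encodings from mm/kasan/kasan.h (0xfb freed slab object, 0xfc slab redzone, 00 accessible). Run on this report it reproduces what the kernel states: the 8-byte read at ffff8881ee42e188 lands 136 bytes into the 192-byte kmalloc-192 object, the shadow granule covering it is 0xfb (already freed), and _request_firmware plus request_firmware_work_func sit on both the allocation and the free stack, so the firmware worker (task 115) created and freed the object that task 300's synchronous request_firmware path (reg_reload_regdb via nl80211) then read in __list_add_valid.

```python
"""KASAN report triage (added example, not part of the syzkaller log above).
Pulls out the fields checked first when triaging and cross-checks the faulting
address against the slab object and the shadow "Memory state" rows."""
import re

# Constructed sample: lines copied from this page's report, trimmed to the essentials.
SAMPLE = """\
[   50.454585][  T300] BUG: KASAN: use-after-free in __list_add_valid+0x36/0xc0
[   50.461748][  T300] Read of size 8 at addr ffff8881ee42e188 by task syz-executor969/300
[   50.492313][  T300] Call Trace:
[   50.505055][  T300]  ? printk+0xcf/0x114
[   50.537888][  T300]  __list_add_valid+0x36/0xc0
[   50.542537][  T300]  firmware_fallback_sysfs+0x480/0xb20
[   50.567164][  T300]  reg_reload_regdb+0xa0/0x220
[   50.819711][  T300] Allocated by task 115:
[   50.833992][  T300]  _request_firmware+0x524/0x1770
[   50.838982][  T300]  request_firmware_work_func+0x121/0x260
[   50.864936][  T300] Freed by task 115:
[   50.882856][  T300]  release_firmware+0x47f/0x4d0
[   50.887670][  T300]  _request_firmware+0x145a/0x1770
[   50.892745][  T300]  request_firmware_work_func+0x121/0x260
[   50.916408][  T300]
[   50.918712][  T300]  which belongs to the cache kmalloc-192 of size 192
[   50.932735][  T300]  192-byte region [ffff8881ee42e100, ffff8881ee42e1c0)
[   51.098490][  T300] >ffff8881ee42e180: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   51.110810][  T300]  ffff8881ee42e200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
"""

PREFIX = re.compile(r"^\[\s*\d+\.\d+\]\[\s*T\d+\] ?")        # "[   50.454585][  T300] "
BUG = re.compile(r"BUG: KASAN: (?P<kind>[\w-]+) in (?P<site>\S+)")
ACCESS = re.compile(r"(?P<op>Read|Write) of size (?P<size>\d+) at addr (?P<addr>[0-9a-f]+) by task (?P<task>\S+)")
REGION = re.compile(r"(?P<size>\d+)-byte region \[(?P<lo>[0-9a-f]+), (?P<hi>[0-9a-f]+)\)")
CACHE = re.compile(r"belongs to the cache (?P<cache>\S+) of size")
SHADOW_ROW = re.compile(r"^>?(?P<row>[0-9a-f]{16}): (?P<bytes>(?:[0-9a-f]{2} ?){16})$")

# Generic-KASAN shadow encodings (mm/kasan/kasan.h): one shadow byte per 8-byte
# granule; 00 = fully accessible, 01..07 = that many leading bytes accessible.
SHADOW_MEANING = {0xfb: "freed slab object (KASAN_KMALLOC_FREE)",
                  0xfc: "slab redzone (KASAN_KMALLOC_REDZONE)"}


def parse_kasan(text):
    """Parse one report into a dict; a stack section ends at the next blank/header line."""
    rep = {"trace": [], "alloc_stack": [], "free_stack": [], "shadow": {}}
    section = None                                  # list currently receiving frames
    for raw in text.splitlines():
        line = PREFIX.sub("", raw)
        if not line.strip():
            section = None
        elif m := BUG.search(line):
            rep["kind"], rep["site"] = m["kind"], m["site"]
        elif m := ACCESS.search(line):
            rep.update(op=m["op"], size=int(m["size"]), addr=int(m["addr"], 16), task=m["task"])
        elif m := REGION.search(line):
            rep["region"] = (int(m["lo"], 16), int(m["hi"], 16))
        elif m := CACHE.search(line):
            rep["cache"] = m["cache"]
        elif m := SHADOW_ROW.match(line.strip()):
            rep["shadow"][int(m["row"], 16)] = [int(b, 16) for b in m["bytes"].split()]
        elif line.startswith("Call Trace:"):
            section = rep["trace"]
        elif line.startswith("Allocated by task"):
            section = rep["alloc_stack"]
        elif line.startswith("Freed by task"):
            section = rep["free_stack"]
        elif section is not None and line.startswith(" ") and not line.startswith(" ? "):
            section.append(line.strip())            # "? sym" frames are stale slots, skipped
    return rep


def object_offset(rep):
    """Byte offset of the faulting address inside the reported slab object, or None."""
    lo, hi = rep.get("region", (0, 0))
    return rep["addr"] - lo if lo <= rep["addr"] < hi else None


def shadow_byte(rep, addr):
    """Shadow byte covering addr: each Memory-state row is 16 granules of 8 bytes."""
    row = addr & ~0x7f
    cells = rep["shadow"].get(row)
    return None if cells is None else cells[(addr - row) // 8]


def triage(rep):
    """Summarise the report and check that the shadow state agrees with the bug class."""
    def sym(frame):
        return frame.split("+")[0]
    freed_by = {sym(f) for f in rep["free_stack"]}
    sb = shadow_byte(rep, rep["addr"])
    return {
        "kind": rep["kind"],
        "site": sym(rep["site"]),
        "offset": object_offset(rep),
        "object_size": rep["region"][1] - rep["region"][0],
        "shadow": SHADOW_MEANING.get(sb, "accessible" if sb is not None and sb <= 7 else "unknown"),
        # frames on both the allocation and the free stack: the path that owns the object
        "owner": [sym(f) for f in rep["alloc_stack"] if sym(f) in freed_by],
        "consistent": rep["kind"] == "use-after-free" and sb == 0xfb,
    }


if __name__ == "__main__":
    for key, value in triage(parse_kasan(SAMPLE)).items():
        print(f"{key:>12}: {value}")
```

The "consistent" flag is the check worth keeping when scripting over many reports: a use-after-free whose faulting granule is not 0xfb (for example 0xfc, a redzone) is really an out-of-bounds access that KASAN has classified by the state of the object it found, and is triaged differently. "?" frames are dropped because the unwinder prints them for stale values on the stack, not for the live call chain.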