[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
[ OK ] Started Update UTMP about System Runlevel Changes.
Starting Load/Save RF Kill Switch Status...
[ OK ] Started Load/Save RF Kill Switch Status.
Debian GNU/Linux 9 syzkaller ttyS0
Warning: Permanently added '10.128.0.8' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 87.564863] audit: type=1400 audit(1598927777.643:8): avc: denied { execmem } for pid=6352 comm="syz-executor513" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=1
[ 87.587308] IPVS: ftp: loaded support on port[0] = 21
[ 87.625373] IPVS: ftp: loaded support on port[0] = 21
executing program
executing program
[ 87.660441] IPVS: ftp: loaded support on port[0] = 21
executing program
[ 87.704841] IPVS: ftp: loaded support on port[0] = 21
[ 87.743642] IPVS: ftp: loaded support on port[0] = 21
executing program
[ 87.781866] IPVS: ftp: loaded support on port[0] = 21
executing program
[ 88.213879] ==================================================================
[ 88.221322] BUG: KASAN: use-after-free in u32_clear_hnode+0x37d/0x410
[ 88.227874] Read of size 8 at addr ffff88808c1756b0 by task kworker/u4:5/4257
[ 88.235120]
[ 88.236722] CPU: 1 PID: 4257 Comm: kworker/u4:5 Not tainted 4.14.195-syzkaller #0
[ 88.244314] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 88.253683] Workqueue: netns cleanup_net
[ 88.257718] Call Trace:
[ 88.260311] dump_stack+0x1b2/0x283
[ 88.263915] print_address_description.cold+0x54/0x1d3
[ 88.269169] kasan_report_error.cold+0x8a/0x194
[ 88.273820] ? u32_clear_hnode+0x37d/0x410
[ 88.278028] __asan_report_load8_noabort+0x68/0x70
[ 88.282931] ? u32_clear_hnode+0x37d/0x410
[ 88.287137] u32_clear_hnode+0x37d/0x410
[ 88.291197] u32_destroy+0x1e7/0x3f0
[ 88.294887] tcf_chain_flush+0x147/0x2b0
[ 88.298923] tcf_block_put+0xd0/0x220
[ 88.302699] hfsc_destroy_qdisc+0xd8/0x350
[ 88.306907] ? hfsc_reset_qdisc+0x97a/0xd20
[ 88.311203] ? hfsc_walk+0x2e0/0x2e0
[ 88.314891] qdisc_destroy+0x13c/0x310
[ 88.318787] dev_shutdown+0x27a/0x43e
[ 88.322607] rollback_registered_many+0x6e0/0xb30
[ 88.327709] ? __ww_mutex_wakeup_for_backoff+0x210/0x210
[ 88.333144] ? dev_set_mac_address+0x2d0/0x2d0
[ 88.337706] ? ops_exit_list+0xa5/0x150
[ 88.341657] unregister_netdevice_many.part.0+0x18/0x2e0
[ 88.347080] unregister_netdevice_many+0x36/0x50
[ 88.351820] ip_tunnel_delete_net+0x274/0x320
[ 88.356295] ? lock_downgrade+0x740/0x740
[ 88.360419] ? ip_tunnel_dellink+0x400/0x400
[ 88.364800] ? ipip_get_size+0x10/0x10
[ 88.368662] ops_exit_list+0xa5/0x150
[ 88.372440] cleanup_net+0x3b3/0x840
[ 88.376129] ? net_drop_ns+0x70/0x70
[ 88.379828] ? lock_acquire+0x170/0x3f0
[ 88.383777] ? rcu_lockdep_current_cpu_online+0xed/0x140
[ 88.389212] process_one_work+0x793/0x14a0
[ 88.393424] ? work_busy+0x320/0x320
[ 88.397117] ? worker_thread+0x158/0xff0
[ 88.401152] ? _raw_spin_unlock_irq+0x24/0x80
[ 88.405629] worker_thread+0x5cc/0xff0
[ 88.409494] ? rescuer_thread+0xc80/0xc80
[ 88.413617] kthread+0x30d/0x420
[ 88.416956] ? kthread_create_on_node+0xd0/0xd0
[ 88.421596] ret_from_fork+0x24/0x30
[ 88.425295]
[ 88.426897] Allocated by task 6386:
[ 88.430507] kasan_kmalloc+0xeb/0x160
[ 88.434280] kmem_cache_alloc_trace+0x131/0x3d0
[ 88.438919] u32_init+0x3e4/0x884
[ 88.442343] tc_ctl_tfilter+0xde3/0x1c01
[ 88.446379] rtnetlink_rcv_msg+0x3be/0xb10
[ 88.450587] netlink_rcv_skb+0x125/0x390
[ 88.454618] netlink_unicast+0x437/0x610
[ 88.458735] netlink_sendmsg+0x62e/0xb80
[ 88.462766] sock_sendmsg+0xb5/0x100
[ 88.466451] ___sys_sendmsg+0x326/0x800
[ 88.470396] __sys_sendmmsg+0x129/0x330
[ 88.474341] SyS_sendmmsg+0x2f/0x50
[ 88.477939] do_syscall_64+0x1d5/0x640
[ 88.481800] entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 88.486958]
[ 88.488558] Freed by task 4257:
[ 88.491812] kasan_slab_free+0xc3/0x1a0
[ 88.495757] kfree+0xc9/0x250
[ 88.498838] u32_destroy_key.constprop.0.isra.0+0x105/0x1d0
[ 88.504519] u32_clear_hnode+0x2de/0x410
[ 88.508566] u32_destroy+0x1e7/0x3f0
[ 88.512251] tcf_chain_flush+0x147/0x2b0
[ 88.516281] tcf_block_put+0xd0/0x220
[ 88.520066] hfsc_destroy_qdisc+0xd8/0x350
[ 88.524279] qdisc_destroy+0x13c/0x310
[ 88.528137] dev_shutdown+0x27a/0x43e
[ 88.531912] rollback_registered_many+0x6e0/0xb30
[ 88.536725] unregister_netdevice_many.part.0+0x18/0x2e0
[ 88.542146] unregister_netdevice_many+0x36/0x50
[ 88.546874] ip_tunnel_delete_net+0x274/0x320
[ 88.551339] ops_exit_list+0xa5/0x150
[ 88.555110] cleanup_net+0x3b3/0x840
[ 88.558796] process_one_work+0x793/0x14a0
[ 88.563008] worker_thread+0x5cc/0xff0
[ 88.566881] kthread+0x30d/0x420
[ 88.570219] ret_from_fork+0x24/0x30
[ 88.573901]
[ 88.575504] The buggy address belongs to the object at ffff88808c175680
[ 88.575504] which belongs to the cache kmalloc-64 of size 64
[ 88.587957] The buggy address is located 48 bytes inside of
[ 88.587957] 64-byte region [ffff88808c175680, ffff88808c1756c0)
[ 88.599639] The buggy address belongs to the page:
[ 88.604542] page:ffffea0002305d40 count:1 mapcount:0 mapping:ffff88808c175000 index:0xffff88808c175f80
[ 88.614391] flags: 0xfffe0000000100(slab)
[ 88.618512] raw: 00fffe0000000100 ffff88808c175000 ffff88808c175f80 000000010000001e
[ 88.626813] raw: ffffea0002703120 ffffea00021e5520 ffff88812fe52340 0000000000000000
[ 88.634663] page dumped because: kasan: bad access detected
[ 88.640344]
[ 88.641942] Memory state around the buggy address:
[ 88.646855] ffff88808c175580: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 88.654184] ffff88808c175600: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 88.661512] >ffff88808c175680: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 88.668842] ^
[ 88.673753] ffff88808c175700: 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc
[ 88.681082] ffff88808c175780: 00 00 00 00 00 00 00 06 fc fc fc fc fc fc fc fc
[ 88.688420] ==================================================================
[ 88.695762] Disabling lock debugging due to kernel taint
[ 88.704147] Kernel panic - not syncing: panic_on_warn set ...
[ 88.704147]
[ 88.711515] CPU: 0 PID: 4257 Comm: kworker/u4:5 Tainted: G B 4.14.195-syzkaller #0
[ 88.720334] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 88.729675] Workqueue: netns cleanup_net
[ 88.733707] Call Trace:
[ 88.736270] dump_stack+0x1b2/0x283
[ 88.739870] panic+0x1f9/0x42d
[ 88.743083] ? add_taint.cold+0x16/0x16
[ 88.747032] ? ___preempt_schedule+0x16/0x18
[ 88.751411] kasan_end_report+0x43/0x49
[ 88.755470] kasan_report_error.cold+0xa7/0x194
[ 88.760112] ? u32_clear_hnode+0x37d/0x410
[ 88.764318] __asan_report_load8_noabort+0x68/0x70
[ 88.769221] ? u32_clear_hnode+0x37d/0x410
[ 88.773426] u32_clear_hnode+0x37d/0x410
[ 88.777460] u32_destroy+0x1e7/0x3f0
[ 88.781147] tcf_chain_flush+0x147/0x2b0
[ 88.785181] tcf_block_put+0xd0/0x220
[ 88.788956] hfsc_destroy_qdisc+0xd8/0x350
[ 88.793163] ? hfsc_reset_qdisc+0x97a/0xd20
[ 88.797457] ? hfsc_walk+0x2e0/0x2e0
[ 88.801139] qdisc_destroy+0x13c/0x310
[ 88.804999] dev_shutdown+0x27a/0x43e
[ 88.808772] rollback_registered_many+0x6e0/0xb30
[ 88.813590] ? __ww_mutex_wakeup_for_backoff+0x210/0x210
[ 88.819013] ? dev_set_mac_address+0x2d0/0x2d0
[ 88.823653] ? ops_exit_list+0xa5/0x150
[ 88.827627] unregister_netdevice_many.part.0+0x18/0x2e0
[ 88.833065] unregister_netdevice_many+0x36/0x50
[ 88.837804] ip_tunnel_delete_net+0x274/0x320
[ 88.842283] ? lock_downgrade+0x740/0x740
[ 88.846403] ? ip_tunnel_dellink+0x400/0x400
[ 88.850783] ? ipip_get_size+0x10/0x10
[ 88.854640] ops_exit_list+0xa5/0x150
[ 88.858412] cleanup_net+0x3b3/0x840
[ 88.862100] ? net_drop_ns+0x70/0x70
[ 88.865813] ? lock_acquire+0x170/0x3f0
[ 88.869770] ? rcu_lockdep_current_cpu_online+0xed/0x140
[ 88.875195] process_one_work+0x793/0x14a0
[ 88.879403] ? work_busy+0x320/0x320
[ 88.883088] ? worker_thread+0x158/0xff0
[ 88.887126] ? _raw_spin_unlock_irq+0x24/0x80
[ 88.891591] worker_thread+0x5cc/0xff0
[ 88.895464] ? rescuer_thread+0xc80/0xc80
[ 88.899583] kthread+0x30d/0x420
[ 88.902929] ? kthread_create_on_node+0xd0/0xd0
[ 88.907586] ret_from_fork+0x24/0x30
[ 88.912582] Kernel Offset: disabled
[ 88.916193] Rebooting in 86400 seconds..