[ 46.337896] audit: type=1800 audit(1583918093.401:30): pid=7965 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2490 res=0
Starting mcstransd:
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ ok ] Starting file context maintaining daemon: restorecond.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 50.734259] kauditd_printk_skb: 4 callbacks suppressed
[ 50.734272] audit: type=1400 audit(1583918097.811:35): avc: denied { map } for pid=8139 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
Warning: Permanently added '10.128.0.40' (ECDSA) to the list of known hosts.
executing program
[ 57.509196] audit: type=1400 audit(1583918104.591:36): avc: denied { map } for pid=8151 comm="syz-executor606" path="/root/syz-executor606153954" dev="sda1" ino=16483 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 57.524664] IPVS: ftp: loaded support on port[0] = 21
[ 57.567630] ==================================================================
[ 57.575167] BUG: KASAN: slab-out-of-bounds in tcindex_set_parms+0x17d0/0x19d0
[ 57.582530] Write of size 16 at addr ffff8880a7af60b8 by task syz-executor606/8152
[ 57.590311]
[ 57.591933] CPU: 1 PID: 8152 Comm: syz-executor606 Not tainted 4.19.108-syzkaller #0
[ 57.599800] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 57.609149] Call Trace:
[ 57.611759]  dump_stack+0x188/0x20d
[ 57.615382]  ? tcindex_set_parms+0x17d0/0x19d0
[ 57.619956]  print_address_description.cold+0x7c/0x212
[ 57.625235]  ? tcindex_set_parms+0x17d0/0x19d0
[ 57.629816]  kasan_report.cold+0x88/0x2b9
[ 57.633950]  tcindex_set_parms+0x17d0/0x19d0
[ 57.638434]  ? avc_has_perm_noaudit+0x316/0x520
[ 57.643093]  ? tcindex_alloc_perfect_hash+0x350/0x350
[ 57.648275]  ? __sanitizer_cov_trace_switch+0x45/0x70
[ 57.653449]  ? validate_nla+0x328/0x800
[ 57.657430]  ? tcindex_change+0x200/0x2d3
[ 57.661561]  tcindex_change+0x200/0x2d3
[ 57.665522]  ? tcindex_set_parms+0x19d0/0x19d0
[ 57.670091]  ? tcindex_set_parms+0x19d0/0x19d0
[ 57.674659]  tc_new_tfilter+0xa6b/0x1450
[ 57.678740]  ? tc_del_tfilter+0xd40/0xd40
[ 57.683421]  ? __mutex_lock+0x3cd/0x1300
[ 57.687540]  ? selinux_ipv4_output+0x50/0x50
[ 57.691951]  ? rtnetlink_rcv_msg+0x3fe/0xaf0
[ 57.696422]  ? tc_del_tfilter+0xd40/0xd40
[ 57.700576]  rtnetlink_rcv_msg+0x453/0xaf0
[ 57.704833]  ? rtnetlink_put_metrics+0x520/0x520
[ 57.709936]  ? find_held_lock+0x2d/0x110
[ 57.713998]  netlink_rcv_skb+0x160/0x410
[ 57.718168]  ? rtnetlink_put_metrics+0x520/0x520
[ 57.722920]  ? netlink_ack+0xa60/0xa60
[ 57.726799]  netlink_unicast+0x4d7/0x6a0
[ 57.730848]  ? netlink_attachskb+0x710/0x710
[ 57.735367]  netlink_sendmsg+0x80b/0xcd0
[ 57.739418]  ? netlink_unicast+0x6a0/0x6a0
[ 57.743634]  ? move_addr_to_kernel.part.0+0x110/0x110
[ 57.748818]  ? netlink_unicast+0x6a0/0x6a0
[ 57.753034]  sock_sendmsg+0xcf/0x120
[ 57.756733]  ___sys_sendmsg+0x803/0x920
[ 57.760713]  ? copy_msghdr_from_user+0x410/0x410
[ 57.765476]  ? find_held_lock+0x2d/0x110
[ 57.769520]  ? __might_fault+0x11f/0x1d0
[ 57.773564]  ? lock_downgrade+0x740/0x740
[ 57.777701]  ? __might_fault+0x192/0x1d0
[ 57.781746]  ? _copy_to_user+0xb8/0x100
[ 57.785711]  ? move_addr_to_user+0xa8/0x1e0
[ 57.790019]  ? __fget_light+0x1a2/0x230
[ 57.793977]  __sys_sendmsg+0xec/0x1b0
[ 57.797774]  ? __ia32_sys_shutdown+0x70/0x70
[ 57.802184]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 57.806939]  ? trace_hardirqs_off_caller+0x55/0x210
[ 57.811964]  ? do_syscall_64+0x21/0x620
[ 57.815961]  do_syscall_64+0xf9/0x620
[ 57.819858]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 57.825222] RIP: 0033:0x440eb9
[ 57.828470] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b 10 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 57.848767] RSP: 002b:00007ffccbed80a8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 57.857550] RAX: ffffffffffffffda RBX: 00000000004a2690 RCX: 0000000000440eb9
[ 57.864839] RDX: 0000000000000000 RSI: 00000000200001c0 RDI: 0000000000000003
[ 57.872602] RBP: 00000000004a2690 R08: 0000000120080522 R09: 0000000120080522
[ 57.880409] R10: 0000000120080522 R11: 0000000000000246 R12: 00000000004023c0
[ 57.888547] R13: 0000000000402450 R14: 0000000000000000 R15: 0000000000000000
[ 57.895823]
[ 57.897445] Allocated by task 1:
[ 57.900802]  kasan_kmalloc+0xbf/0xe0
[ 57.904497]  kmem_cache_alloc+0x127/0x710
[ 57.908640]  __kernfs_new_node+0xd2/0x680
[ 57.912780]  kernfs_new_node+0x92/0x120
[ 57.917459]  kernfs_create_dir_ns+0x48/0x150
[ 57.927158]  sysfs_create_dir_ns+0x127/0x280
[ 57.931814]  kobject_add_internal+0x29d/0x8c0
[ 57.936466]  kobject_add+0x150/0x1c0
[ 57.940207]  device_add+0x3a4/0x1660
[ 57.944093]  workqueue_sysfs_register+0x1a5/0x3e0
[ 57.949023]  __alloc_workqueue_key+0x666/0xf10
[ 57.956324]  ib_core_init+0x61/0x2cb
[ 57.960404]  do_one_initcall+0xf1/0x734
[ 57.964367]  kernel_init_freeable+0x4c9/0x5bb
[ 57.968935]  kernel_init+0xd/0x1c0
[ 57.972671]  ret_from_fork+0x24/0x30
[ 57.976377]
[ 57.977996] Freed by task 0:
[ 57.981169] (stack is not available)
[ 57.985125]
[ 57.986795] The buggy address belongs to the object at ffff8880a7af6000
[ 57.986795]  which belongs to the cache kernfs_node_cache of size 160
[ 58.000418] The buggy address is located 24 bytes to the right of
[ 58.000418]  160-byte region [ffff8880a7af6000, ffff8880a7af60a0)
[ 58.013094] The buggy address belongs to the page:
[ 58.018108] page:ffffea00029ebd80 count:1 mapcount:0 mapping:ffff88821bc46c80 index:0xffff8880a7af6fee
[ 58.029553] flags: 0xfffe0000000100(slab)
[ 58.033693] raw: 00fffe0000000100 ffffea00029ebd08 ffffea00029ebdc8 ffff88821bc46c80
[ 58.043966] raw: ffff8880a7af6fee ffff8880a7af6000 0000000100000012 0000000000000000
[ 58.053180] page dumped because: kasan: bad access detected
[ 58.059815]
[ 58.061966] Memory state around the buggy address:
[ 58.069246]  ffff8880a7af5f80: 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 58.076703]  ffff8880a7af6000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 58.084062] >ffff8880a7af6080: 00 00 00 00 fc fc fc fc fc fc fc fc 00 00 00 00
[ 58.091504]                                         ^
[ 58.096747]  ffff8880a7af6100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 58.105422]  ffff8880a7af6180: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
[ 58.113826] ==================================================================
[ 58.121185] Disabling lock debugging due to kernel taint
[ 58.127065] Kernel panic - not syncing: panic_on_warn set ...
[ 58.127065]
[ 58.135074] CPU: 1 PID: 8152 Comm: syz-executor606 Tainted: G B 4.19.108-syzkaller #0
[ 58.148365] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 58.159384] Call Trace:
[ 58.161969]  dump_stack+0x188/0x20d
[ 58.165795]  panic+0x26a/0x50e
[ 58.169334]  ? __warn_printk+0xf3/0xf3
[ 58.173385]  ? preempt_schedule_common+0x4a/0xc0
[ 58.178416]  ? tcindex_set_parms+0x17d0/0x19d0
[ 58.183002]  ? ___preempt_schedule+0x16/0x18
[ 58.187537]  ? trace_hardirqs_on+0x55/0x210
[ 58.191850]  ? tcindex_set_parms+0x17d0/0x19d0
[ 58.196434]  kasan_end_report+0x43/0x49
[ 58.200406]  kasan_report.cold+0xa4/0x2b9
[ 58.204550]  tcindex_set_parms+0x17d0/0x19d0
[ 58.208962]  ? avc_has_perm_noaudit+0x316/0x520
[ 58.213619]  ? tcindex_alloc_perfect_hash+0x350/0x350
[ 58.218803]  ? __sanitizer_cov_trace_switch+0x45/0x70
[ 58.223973]  ? validate_nla+0x328/0x800
[ 58.227941]  ? tcindex_change+0x200/0x2d3
[ 58.232081]  tcindex_change+0x200/0x2d3
[ 58.236054]  ? tcindex_set_parms+0x19d0/0x19d0
[ 58.240619]  ? tcindex_set_parms+0x19d0/0x19d0
[ 58.245184]  tc_new_tfilter+0xa6b/0x1450
[ 58.249233]  ? tc_del_tfilter+0xd40/0xd40
[ 58.253380]  ? __mutex_lock+0x3cd/0x1300
[ 58.257427]  ? selinux_ipv4_output+0x50/0x50
[ 58.262002]  ? rtnetlink_rcv_msg+0x3fe/0xaf0
[ 58.266398]  ? tc_del_tfilter+0xd40/0xd40
[ 58.270529]  rtnetlink_rcv_msg+0x453/0xaf0
[ 58.274843]  ? rtnetlink_put_metrics+0x520/0x520
[ 58.279587]  ? find_held_lock+0x2d/0x110
[ 58.283631]  netlink_rcv_skb+0x160/0x410
[ 58.287690]  ? rtnetlink_put_metrics+0x520/0x520
[ 58.292702]  ? netlink_ack+0xa60/0xa60
[ 58.296608]  netlink_unicast+0x4d7/0x6a0
[ 58.300663]  ? netlink_attachskb+0x710/0x710
[ 58.305066]  netlink_sendmsg+0x80b/0xcd0
[ 58.309116]  ? netlink_unicast+0x6a0/0x6a0
[ 58.313333]  ? move_addr_to_kernel.part.0+0x110/0x110
[ 58.318519]  ? netlink_unicast+0x6a0/0x6a0
[ 58.322736]  sock_sendmsg+0xcf/0x120
[ 58.326429]  ___sys_sendmsg+0x803/0x920
[ 58.330415]  ? copy_msghdr_from_user+0x410/0x410
[ 58.335258]  ? find_held_lock+0x2d/0x110
[ 58.339312]  ? __might_fault+0x11f/0x1d0
[ 58.343372]  ? lock_downgrade+0x740/0x740
[ 58.347522]  ? __might_fault+0x192/0x1d0
[ 58.351581]  ? _copy_to_user+0xb8/0x100
[ 58.355549]  ? move_addr_to_user+0xa8/0x1e0
[ 58.359931]  ? __fget_light+0x1a2/0x230
[ 58.363964]  __sys_sendmsg+0xec/0x1b0
[ 58.367755]  ? __ia32_sys_shutdown+0x70/0x70
[ 58.372149]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 58.377035]  ? trace_hardirqs_off_caller+0x55/0x210
[ 58.382058]  ? do_syscall_64+0x21/0x620
[ 58.386543]  do_syscall_64+0xf9/0x620
[ 58.390349]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 58.395580] RIP: 0033:0x440eb9
[ 58.398800] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b 10 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 58.417802] RSP: 002b:00007ffccbed80a8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 58.425499] RAX: ffffffffffffffda RBX: 00000000004a2690 RCX: 0000000000440eb9
[ 58.432793] RDX: 0000000000000000 RSI: 00000000200001c0 RDI: 0000000000000003
[ 58.440048] RBP: 00000000004a2690 R08: 0000000120080522 R09: 0000000120080522
[ 58.447431] R10: 0000000120080522 R11: 0000000000000246 R12: 00000000004023c0
[ 58.454691] R13: 0000000000402450 R14: 0000000000000000 R15: 0000000000000000
[ 58.463319] Kernel Offset: disabled
[ 58.466943] Rebooting in 86400 seconds..