Warning: Permanently added '10.128.15.205' (ECDSA) to the list of known hosts.
[ 59.627861] random: sshd: uninitialized urandom read (32 bytes read)
[ 59.741401] audit: type=1400 audit(1584551797.681:36): avc: denied { map } for pid=7252 comm="syz-executor815" path="/root/syz-executor815421090" dev="sda1" ino=1426 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 59.971061] IPVS: ftp: loaded support on port[0] = 21
executing program
[ 60.769715] ==================================================================
[ 60.777362] BUG: KASAN: slab-out-of-bounds in tcindex_set_parms+0x1521/0x16a0
[ 60.784636] Write of size 16 at addr ffff888095dda8f0 by task syz-executor815/7253
[ 60.792435]
[ 60.794062] CPU: 0 PID: 7253 Comm: syz-executor815 Not tainted 4.14.173-syzkaller #0
[ 60.801935] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 60.811293] Call Trace:
[ 60.813929]  dump_stack+0x13e/0x194
[ 60.817543]  ? tcindex_set_parms+0x1521/0x16a0
[ 60.822124]  print_address_description.cold+0x7c/0x1e2
[ 60.827444]  ? tcindex_set_parms+0x1521/0x16a0
[ 60.832017]  kasan_report.cold+0xa9/0x2ae
[ 60.836270]  tcindex_set_parms+0x1521/0x16a0
[ 60.840667]  ? tcindex_alloc_perfect_hash+0x300/0x300
[ 60.845857]  ? avc_has_perm_noaudit+0x297/0x400
[ 60.850531]  ? nla_parse+0x183/0x240
[ 60.854300]  tcindex_change+0x1b5/0x270
[ 60.858278]  ? tcindex_set_parms+0x16a0/0x16a0
[ 60.862854]  ? tcindex_lookup+0x8c/0x310
[ 60.866917]  ? tcindex_set_parms+0x16a0/0x16a0
[ 60.871492]  tc_ctl_tfilter+0xf13/0x18e6
[ 60.875573]  ? tfilter_notify+0x240/0x240
[ 60.879713]  ? mutex_trylock+0x1a0/0x1a0
[ 60.883821]  ? rtnetlink_rcv_msg+0x2e8/0xb10
[ 60.888219]  ? tfilter_notify+0x240/0x240
[ 60.892365]  rtnetlink_rcv_msg+0x3be/0xb10
[ 60.896601]  ? rtnl_bridge_getlink+0x7a0/0x7a0
[ 60.901180]  ? save_trace+0x290/0x290
[ 60.905080]  ? save_trace+0x290/0x290
[ 60.908869]  netlink_rcv_skb+0x127/0x370
[ 60.912926]  ? rtnl_bridge_getlink+0x7a0/0x7a0
[ 60.917496]  ? netlink_ack+0x960/0x960
[ 60.921369]  netlink_unicast+0x437/0x620
[ 60.925415]  ? netlink_attachskb+0x600/0x600
[ 60.929805]  netlink_sendmsg+0x733/0xbe0
[ 60.933867]  ? netlink_unicast+0x620/0x620
[ 60.938145]  ? SYSC_sendto+0x2b0/0x2b0
[ 60.942133]  ? security_socket_sendmsg+0x83/0xb0
[ 60.946988]  ? netlink_unicast+0x620/0x620
[ 60.951260]  sock_sendmsg+0xc5/0x100
[ 60.954961]  ___sys_sendmsg+0x70a/0x840
[ 60.958924]  ? copy_msghdr_from_user+0x380/0x380
[ 60.963663]  ? trace_hardirqs_on+0x10/0x10
[ 60.967930]  ? save_trace+0x290/0x290
[ 60.971715]  ? find_held_lock+0x2d/0x110
[ 60.975756]  ? __might_fault+0x104/0x1b0
[ 60.979795]  ? lock_acquire+0x170/0x3f0
[ 60.983795]  ? lock_downgrade+0x6e0/0x6e0
[ 60.987927]  ? __might_fault+0x177/0x1b0
[ 60.992021]  ? _copy_to_user+0x82/0xd0
[ 60.995891]  ? __fget_light+0x16a/0x1f0
[ 60.999846]  ? sockfd_lookup_light+0xb2/0x160
[ 61.004322]  __sys_sendmsg+0xa3/0x120
[ 61.008102]  ? SyS_shutdown+0x160/0x160
[ 61.012064]  ? up_read+0x17/0x30
[ 61.015457]  ? __do_page_fault+0x35b/0xb40
[ 61.019678]  SyS_sendmsg+0x27/0x40
[ 61.023197]  ? __sys_sendmsg+0x120/0x120
[ 61.027255]  do_syscall_64+0x1d5/0x640
[ 61.031139]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 61.036317] RIP: 0033:0x440e79
[ 61.039500] RSP: 002b:00007fffaef80ca8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 61.047204] RAX: ffffffffffffffda RBX: 00000000004a2650 RCX: 0000000000440e79
[ 61.054464] RDX: 0000000000000000 RSI: 00000000200001c0 RDI: 0000000000000003
[ 61.061720] RBP: 00007fffaef80cb0 R08: 0000000120080522 R09: 0000000120080522
[ 61.068976] R10: 0000000120080522 R11: 0000000000000246 R12: 00000000004a2650
[ 61.076238] R13: 0000000000402410 R14: 0000000000000000 R15: 0000000000000000
[ 61.088969]
[ 61.090577] Allocated by task 7253:
[ 61.094226]  save_stack+0x32/0xa0
[ 61.097666]  kasan_kmalloc+0xbf/0xe0
[ 61.101357]  __kmalloc_track_caller+0x153/0x7b0
[ 61.106003]  kmemdup+0x23/0x50
[ 61.109172]  mpls_dev_sysctl_register+0x94/0x290
[ 61.113902]  mpls_dev_notify+0x1f9/0x691
[ 61.117940]  notifier_call_chain+0x107/0x1a0
[ 61.122329]  register_netdevice+0x9e2/0xc70
[ 61.126626]  register_netdev+0x17/0x30
[ 61.130491]  sit_init_net+0x2cf/0x8d0
[ 61.134270]  ops_init+0xa5/0x3c0
[ 61.137612]  setup_net+0x22f/0x500
[ 61.141129]  copy_net_ns+0x19b/0x440
[ 61.144821]  create_new_namespaces+0x375/0x730
[ 61.149379]  unshare_nsproxy_namespaces+0xa5/0x1e0
[ 61.154288]  SyS_unshare+0x2ea/0x740
[ 61.157991]  do_syscall_64+0x1d5/0x640
[ 61.161857]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 61.167021]
[ 61.168638] Freed by task 17:
[ 61.171744]  save_stack+0x32/0xa0
[ 61.175190]  kasan_slab_free+0x75/0xc0
[ 61.179070]  kfree+0xcb/0x260
[ 61.182155]  rcu_process_callbacks+0x8a3/0x1190
[ 61.186901]  __do_softirq+0x254/0x9bf
[ 61.190686]
[ 61.192301] The buggy address belongs to the object at ffff888095dda840
[ 61.192301]  which belongs to the cache kmalloc-128 of size 128
[ 61.204947] The buggy address is located 48 bytes to the right of
[ 61.204947]  128-byte region [ffff888095dda840, ffff888095dda8c0)
[ 61.217256] The buggy address belongs to the page:
[ 61.222172] page:ffffea0002577680 count:1 mapcount:0 mapping:ffff888095dda000 index:0x0
[ 61.230293] flags: 0xfffe0000000100(slab)
[ 61.234420] raw: 00fffe0000000100 ffff888095dda000 0000000000000000 0000000100000015
[ 61.242280] raw: ffffea0002936ae0 ffffea0002593920 ffff88812fe56640 0000000000000000
[ 61.250139] page dumped because: kasan: bad access detected
[ 61.255826]
[ 61.257428] Memory state around the buggy address:
[ 61.262335]  ffff888095dda780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fc fc
[ 61.269687]  ffff888095dda800: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
[ 61.277023] >ffff888095dda880: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
[ 61.284360]                                                              ^
[ 61.291349]  ffff888095dda900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fc fc
[ 61.298703]  ffff888095dda980: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
[ 61.306044] ==================================================================
[ 61.313382] Disabling lock debugging due to kernel taint
[ 61.318930] Kernel panic - not syncing: panic_on_warn set ...
[ 61.318930]
[ 61.326295] CPU: 0 PID: 7253 Comm: syz-executor815 Tainted: G B 4.14.173-syzkaller #0
[ 61.335370] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 61.344703] Call Trace:
[ 61.347273]  dump_stack+0x13e/0x194
[ 61.350881]  panic+0x1f9/0x42d
[ 61.354053]  ? add_taint.cold+0x16/0x16
[ 61.358031]  ? preempt_schedule_common+0x4a/0xc0
[ 61.362806]  ? tcindex_set_parms+0x1521/0x16a0
[ 61.367371]  ? ___preempt_schedule+0x16/0x18
[ 61.371760]  ? tcindex_set_parms+0x1521/0x16a0
[ 61.376322]  kasan_end_report+0x43/0x49
[ 61.380278]  kasan_report.cold+0x12f/0x2ae
[ 61.384491]  tcindex_set_parms+0x1521/0x16a0
[ 61.388920]  ? tcindex_alloc_perfect_hash+0x300/0x300
[ 61.394091]  ? avc_has_perm_noaudit+0x297/0x400
[ 61.398754]  ? nla_parse+0x183/0x240
[ 61.402452]  tcindex_change+0x1b5/0x270
[ 61.406409]  ? tcindex_set_parms+0x16a0/0x16a0
[ 61.410975]  ? tcindex_lookup+0x8c/0x310
[ 61.415020]  ? tcindex_set_parms+0x16a0/0x16a0
[ 61.419579]  tc_ctl_tfilter+0xf13/0x18e6
[ 61.423621]  ? tfilter_notify+0x240/0x240
[ 61.427748]  ? mutex_trylock+0x1a0/0x1a0
[ 61.431809]  ? rtnetlink_rcv_msg+0x2e8/0xb10
[ 61.436210]  ? tfilter_notify+0x240/0x240
[ 61.440353]  rtnetlink_rcv_msg+0x3be/0xb10
[ 61.444571]  ? rtnl_bridge_getlink+0x7a0/0x7a0
[ 61.449137]  ? save_trace+0x290/0x290
[ 61.452921]  ? save_trace+0x290/0x290
[ 61.456705]  netlink_rcv_skb+0x127/0x370
[ 61.460801]  ? rtnl_bridge_getlink+0x7a0/0x7a0
[ 61.465507]  ? netlink_ack+0x960/0x960
[ 61.469394]  netlink_unicast+0x437/0x620
[ 61.473440]  ? netlink_attachskb+0x600/0x600
[ 61.477846]  netlink_sendmsg+0x733/0xbe0
[ 61.481895]  ? netlink_unicast+0x620/0x620
[ 61.486109]  ? SYSC_sendto+0x2b0/0x2b0
[ 61.489979]  ? security_socket_sendmsg+0x83/0xb0
[ 61.494716]  ? netlink_unicast+0x620/0x620
[ 61.499096]  sock_sendmsg+0xc5/0x100
[ 61.502788]  ___sys_sendmsg+0x70a/0x840
[ 61.506740]  ? copy_msghdr_from_user+0x380/0x380
[ 61.511476]  ? trace_hardirqs_on+0x10/0x10
[ 61.515690]  ? save_trace+0x290/0x290
[ 61.519469]  ? find_held_lock+0x2d/0x110
[ 61.523507]  ? __might_fault+0x104/0x1b0
[ 61.527541]  ? lock_acquire+0x170/0x3f0
[ 61.531491]  ? lock_downgrade+0x6e0/0x6e0
[ 61.535644]  ? __might_fault+0x177/0x1b0
[ 61.539680]  ? _copy_to_user+0x82/0xd0
[ 61.543545]  ? __fget_light+0x16a/0x1f0
[ 61.547495]  ? sockfd_lookup_light+0xb2/0x160
[ 61.551986]  __sys_sendmsg+0xa3/0x120
[ 61.555761]  ? SyS_shutdown+0x160/0x160
[ 61.559711]  ? up_read+0x17/0x30
[ 61.563054]  ? __do_page_fault+0x35b/0xb40
[ 61.567267]  SyS_sendmsg+0x27/0x40
[ 61.570800]  ? __sys_sendmsg+0x120/0x120
[ 61.574839]  do_syscall_64+0x1d5/0x640
[ 61.578706]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 61.583872] RIP: 0033:0x440e79
[ 61.587056] RSP: 002b:00007fffaef80ca8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 61.594739] RAX: ffffffffffffffda RBX: 00000000004a2650 RCX: 0000000000440e79
[ 61.601988] RDX: 0000000000000000 RSI: 00000000200001c0 RDI: 0000000000000003
[ 61.609247] RBP: 00007fffaef80cb0 R08: 0000000120080522 R09: 0000000120080522
[ 61.616496] R10: 0000000120080522 R11: 0000000000000246 R12: 00000000004a2650
[ 61.623743] R13: 0000000000402410 R14: 0000000000000000 R15: 0000000000000000
[ 61.632217] Kernel Offset: disabled
[ 61.635851] Rebooting in 86400 seconds..