Warning: Permanently added '10.128.1.13' (ECDSA) to the list of known hosts.
2019/10/30 16:44:47 parsed 1 programs
2019/10/30 16:44:49 executed programs: 0
syzkaller login: [ 22.937404] audit: type=1400 audit(1572453891.100:5): avc: denied { associate } for pid=2067 comm="syz-executor.2" name="syz2" scontext=unconfined_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=filesystem permissive=1
2019/10/30 16:44:54 executed programs: 88
[ 29.225498] ==================================================================
[ 29.233683] BUG: KASAN: use-after-free in ip6t_do_table+0x1545/0x1860
[ 29.240263] Read of size 8 at addr ffff8801c717c000 by task syz-executor.1/4030
[ 29.247696]
[ 29.249396] CPU: 1 PID: 4030 Comm: syz-executor.1 Not tainted 4.9.194+ #0
[ 29.256961] ffff8801d3b17058 ffffffff81b67001 0000000000000000 ffffea00071c5f00
[ 29.265086] ffff8801c717c000 0000000000000008 ffffffff82795bb5 ffff8801d3b17090
[ 29.273406] ffffffff8150c4f1 0000000000000000 ffff8801c717c000 ffff8801c717c000
[ 29.282127] Call Trace:
[ 29.284735] [<00000000c36fc239>] dump_stack+0xc1/0x120
[ 29.290195] [<00000000bba391e9>] ? ip6t_do_table+0x1545/0x1860
[ 29.297835] [<000000005ca6c6f1>] print_address_description+0x6f/0x23a
[ 29.306038] [<00000000bba391e9>] ? ip6t_do_table+0x1545/0x1860
[ 29.312732] [<00000000de016736>] kasan_report.cold+0x8c/0x2ba
[ 29.318789] [<00000000527ee32c>] __asan_report_load8_noabort+0x14/0x20
[ 29.325612] [<00000000bba391e9>] ip6t_do_table+0x1545/0x1860
[ 29.331483] [<000000004734b74e>] ? mark_held_locks+0xb1/0x100
[ 29.337885] [<000000006b3dbb8c>] ? __nf_ct_refresh_acct+0x1ca/0x230
[ 29.344386] [<00000000cf6ca227>] ? ip6t_alloc_initial_table+0x680/0x680
[ 29.353047] [<0000000058ea4877>] ? ip6frag_obj_cmpfn+0x60/0x60
[ 29.359524] [<000000003207fd8e>] ip6table_mangle_hook+0x2dc/0x6d0
[ 29.365831] [<00000000e960e4af>] ? check_preemption_disabled+0x3c/0x200
[ 29.373212] [<000000001d7de4a2>] ? ip6table_mangle_net_exit+0xa0/0xa0
[ 29.379979] [<00000000e820801b>] nf_iterate+0x12e/0x310
[ 29.385670] [<00000000126d4182>] nf_hook_slow+0x114/0x1f0
[ 29.391288] [<000000008825e9c8>] ? nf_iterate+0x310/0x310
[ 29.396906] [<00000000f19b0b50>] __ip6_local_out+0x498/0x630
[ 29.402792] [<000000000a6086cf>] ? __ip6_local_out+0x240/0x630
[ 29.408831] [<00000000712dae35>] ? ip6_find_1stfragopt+0x260/0x260
[ 29.415227] [<00000000b7dc6fe7>] ? icmpv6_send+0x1b0/0x1b0
[ 29.421351] [<00000000f5b5a1d8>] ? ip6_output+0x730/0x730
[ 29.426976] [<0000000067348c25>] ip6_local_out+0x29/0x180
[ 29.432588] [<000000001be402a3>] ip6_send_skb+0xa2/0x340
[ 29.438415] [<00000000b93e98b1>] ? csum_ipv6_magic+0x20/0x80
[ 29.444289] [<00000000f8886476>] udp_v6_send_skb+0x438/0xe90
[ 29.450190] [<00000000dfb61db3>] udp_v6_push_pending_frames+0x245/0x360
[ 29.457038] [<0000000002377ad2>] ? udp_v6_send_skb+0xe90/0xe90
[ 29.463081] [<000000001aa5039f>] ? ip_reply_glue_bits+0xb0/0xb0
[ 29.469210] [<000000009dc517a6>] udpv6_sendmsg+0x19b0/0x2430
[ 29.475079] [<00000000422683f4>] ? __lock_acquire+0x5e0/0x4390
[ 29.481132] [<000000001aa5039f>] ? ip_reply_glue_bits+0xb0/0xb0
[ 29.487440] [<0000000081dc240c>] ? udp_v6_flush_pending_frames+0xe0/0xe0
[ 29.494918] [<00000000839b4d3f>] ? sock_has_perm+0x29a/0x3e0
[ 29.500785] [<00000000b9721303>] ? sock_has_perm+0xa6/0x3e0
[ 29.506742] [<0000000053b983f2>] ? selinux_msg_queue_alloc_security+0x2e0/0x2e0
[ 29.514970] [<000000004fb39eda>] ? debug_lockdep_rcu_enabled+0x71/0xa0
[ 29.521882] [<00000000e960e4af>] ? check_preemption_disabled+0x3c/0x200
[ 29.528712] [<00000000e960e4af>] ? check_preemption_disabled+0x3c/0x200
[ 29.535695] [<00000000e960e4af>] ? check_preemption_disabled+0x3c/0x200
[ 29.542666] [<00000000a515a7ed>] ? inet_sendmsg+0x143/0x4d0
[ 29.548456] [<000000003ad2b485>] inet_sendmsg+0x202/0x4d0
[ 29.555561] [<0000000069398fb4>] ? inet_sendmsg+0x76/0x4d0
[ 29.563776] [<00000000dc140be3>] ? inet_recvmsg+0x4d0/0x4d0
[ 29.569570] [<000000000ff5f1e1>] sock_sendmsg+0xbe/0x110
[ 29.575205] [<0000000076b0d0f2>] ___sys_sendmsg+0x387/0x8b0
[ 29.581001] [<00000000ffafd49d>] ? copy_msghdr_from_user+0x550/0x550
[ 29.588359] [<000000004fb39eda>] ? debug_lockdep_rcu_enabled+0x71/0xa0
[ 29.595105] [<00000000e960e4af>] ? check_preemption_disabled+0x3c/0x200
[ 29.601942] [<00000000e960e4af>] ? check_preemption_disabled+0x3c/0x200
[ 29.608774] [<00000000e960e4af>] ? check_preemption_disabled+0x3c/0x200
[ 29.615802] [<0000000050faeccb>] ? __fget+0x208/0x370
[ 29.621417] [<00000000bb5473e1>] ? __fget+0x22f/0x370
[ 29.626698] [<00000000cfa48a73>] ? __fget+0x47/0x370
[ 29.631884] [<0000000004576dce>] ? __fget_light+0x172/0x1f0
[ 29.647602] [<00000000d04dd00e>] ? __fdget+0x1b/0x20
[ 29.655147] [<000000006a68d485>] __sys_sendmmsg+0x164/0x3d0
[ 29.661039] [<00000000a1e9f39e>] ? SyS_sendmsg+0x50/0x50
[ 29.666567] [<00000000e1ff9753>] ? __might_fault+0x114/0x1d0
[ 29.672817] [<00000000a51cae90>] ? __might_fault+0x18e/0x1d0
[ 29.679047] [<000000004977a2e9>] ? __might_fault+0xe4/0x1d0
[ 29.685349] [<000000002e673c6d>] ? SyS_clock_gettime+0x118/0x1f0
[ 29.691693] [<00000000fcf37e64>] ? SyS_clock_settime+0x230/0x230
[ 29.698734] [<0000000058b54925>] SyS_sendmmsg+0x35/0x60
[ 29.704171] [<0000000092944b04>] ? __sys_sendmmsg+0x3d0/0x3d0
[ 29.710127] [<00000000db1d678d>] do_syscall_64+0x1ad/0x5c0
[ 29.715822] [<000000006ed50e6b>] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[ 29.722747]
[ 29.724635] The buggy address belongs to the page:
[ 29.733890] page:ffffea00071c5f00 count:0 mapcount:-127 mapping: (null) index:0x0
[ 29.742481] flags: 0x4000000000000000()
[ 29.746432] page dumped because: kasan: bad access detected
[ 29.752120]
[ 29.753786] Memory state around the buggy address:
[ 29.758781] ffff8801c717bf00: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 29.766129] ffff8801c717bf80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 29.773786] >ffff8801c717c000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 29.781150] ^
[ 29.784510] ffff8801c717c080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 29.792548] ffff8801c717c100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 29.800516] ==================================================================
[ 29.808313] Disabling lock debugging due to kernel taint
[ 29.813827] Kernel panic - not syncing: panic_on_warn set ...
[ 29.813827]
[ 29.821206] CPU: 1 PID: 4030 Comm: syz-executor.1 Tainted: G B 4.9.194+ #0
[ 29.829609] ffff8801d3b16f98 ffffffff81b67001 ffff8801d3b17000 ffffffff82e40f17
[ 29.839389] 00000000ffffffff 0000000000000001 ffffffff82795bb5 ffff8801d3b17078
[ 29.847956] ffffffff813fef3a 0000000041b58ab3 ffffffff82e32f55 ffffffff813fed61
[ 29.856205] Call Trace:
[ 29.859648] [<00000000c36fc239>] dump_stack+0xc1/0x120
[ 29.865011] [<00000000bba391e9>] ? ip6t_do_table+0x1545/0x1860
[ 29.871069] [<00000000d47ce2e2>] panic+0x1d9/0x3bd
[ 29.876160] [<00000000879c9024>] ? add_taint.cold+0x16/0x16
[ 29.881954] [<0000000080d437a0>] kasan_end_report+0x47/0x4f
[ 29.887822] [<0000000072c9e51b>] kasan_report.cold+0xa9/0x2ba
[ 29.893971] [<00000000527ee32c>] __asan_report_load8_noabort+0x14/0x20
[ 29.900908] [<00000000bba391e9>] ip6t_do_table+0x1545/0x1860
[ 29.906800] [<000000004734b74e>] ? mark_held_locks+0xb1/0x100
[ 29.912820] [<000000006b3dbb8c>] ? __nf_ct_refresh_acct+0x1ca/0x230
[ 29.920109] [<00000000cf6ca227>] ? ip6t_alloc_initial_table+0x680/0x680
[ 29.927164] [<0000000058ea4877>] ? ip6frag_obj_cmpfn+0x60/0x60
[ 29.933295] [<000000003207fd8e>] ip6table_mangle_hook+0x2dc/0x6d0
[ 29.940167] [<00000000e960e4af>] ? check_preemption_disabled+0x3c/0x200
[ 29.947193] [<000000001d7de4a2>] ? ip6table_mangle_net_exit+0xa0/0xa0
[ 29.953850] [<00000000e820801b>] nf_iterate+0x12e/0x310
[ 29.959305] [<00000000126d4182>] nf_hook_slow+0x114/0x1f0
[ 29.964919] [<000000008825e9c8>] ? nf_iterate+0x310/0x310
[ 29.970530] [<00000000f19b0b50>] __ip6_local_out+0x498/0x630
[ 29.976405] [<000000000a6086cf>] ? __ip6_local_out+0x240/0x630
[ 29.982460] [<00000000712dae35>] ? ip6_find_1stfragopt+0x260/0x260
[ 29.988871] [<00000000b7dc6fe7>] ? icmpv6_send+0x1b0/0x1b0
[ 29.994675] [<00000000f5b5a1d8>] ? ip6_output+0x730/0x730
[ 30.000295] [<0000000067348c25>] ip6_local_out+0x29/0x180
[ 30.005914] [<000000001be402a3>] ip6_send_skb+0xa2/0x340
[ 30.011441] [<00000000b93e98b1>] ? csum_ipv6_magic+0x20/0x80
[ 30.017367] [<00000000f8886476>] udp_v6_send_skb+0x438/0xe90
[ 30.023244] [<00000000dfb61db3>] udp_v6_push_pending_frames+0x245/0x360
[ 30.030085] [<0000000002377ad2>] ? udp_v6_send_skb+0xe90/0xe90
[ 30.036129] [<000000001aa5039f>] ? ip_reply_glue_bits+0xb0/0xb0
[ 30.042260] [<000000009dc517a6>] udpv6_sendmsg+0x19b0/0x2430
[ 30.048128] [<00000000422683f4>] ? __lock_acquire+0x5e0/0x4390
[ 30.054361] [<000000001aa5039f>] ? ip_reply_glue_bits+0xb0/0xb0
[ 30.060487] [<0000000081dc240c>] ? udp_v6_flush_pending_frames+0xe0/0xe0
[ 30.067420] [<00000000839b4d3f>] ? sock_has_perm+0x29a/0x3e0
[ 30.073493] [<00000000b9721303>] ? sock_has_perm+0xa6/0x3e0
[ 30.079286] [<0000000053b983f2>] ? selinux_msg_queue_alloc_security+0x2e0/0x2e0
[ 30.086821] [<000000004fb39eda>] ? debug_lockdep_rcu_enabled+0x71/0xa0
[ 30.093837] [<00000000e960e4af>] ? check_preemption_disabled+0x3c/0x200
[ 30.100856] [<00000000e960e4af>] ? check_preemption_disabled+0x3c/0x200
[ 30.107782] [<00000000e960e4af>] ? check_preemption_disabled+0x3c/0x200
[ 30.114711] [<00000000a515a7ed>] ? inet_sendmsg+0x143/0x4d0
[ 30.120500] [<000000003ad2b485>] inet_sendmsg+0x202/0x4d0
[ 30.126233] [<0000000069398fb4>] ? inet_sendmsg+0x76/0x4d0
[ 30.132015] [<00000000dc140be3>] ? inet_recvmsg+0x4d0/0x4d0
[ 30.137818] [<000000000ff5f1e1>] sock_sendmsg+0xbe/0x110
[ 30.143347] [<0000000076b0d0f2>] ___sys_sendmsg+0x387/0x8b0
[ 30.149143] [<00000000ffafd49d>] ? copy_msghdr_from_user+0x550/0x550
[ 30.155799] [<000000004fb39eda>] ? debug_lockdep_rcu_enabled+0x71/0xa0
[ 30.162551] [<00000000e960e4af>] ? check_preemption_disabled+0x3c/0x200
[ 30.169380] [<00000000e960e4af>] ? check_preemption_disabled+0x3c/0x200
[ 30.176646] [<00000000e960e4af>] ? check_preemption_disabled+0x3c/0x200
[ 30.183469] [<0000000050faeccb>] ? __fget+0x208/0x370
[ 30.188727] [<00000000bb5473e1>] ? __fget+0x22f/0x370
[ 30.194081] [<00000000cfa48a73>] ? __fget+0x47/0x370
[ 30.199272] [<0000000004576dce>] ? __fget_light+0x172/0x1f0
[ 30.205260] [<00000000d04dd00e>] ? __fdget+0x1b/0x20
[ 30.210433] [<000000006a68d485>] __sys_sendmmsg+0x164/0x3d0
[ 30.216233] [<00000000a1e9f39e>] ? SyS_sendmsg+0x50/0x50
[ 30.222012] [<00000000e1ff9753>] ? __might_fault+0x114/0x1d0
[ 30.228074] [<00000000a51cae90>] ? __might_fault+0x18e/0x1d0
[ 30.234033] [<000000004977a2e9>] ? __might_fault+0xe4/0x1d0
[ 30.239837] [<000000002e673c6d>] ? SyS_clock_gettime+0x118/0x1f0
[ 30.246055] [<00000000fcf37e64>] ? SyS_clock_settime+0x230/0x230
[ 30.252276] [<0000000058b54925>] SyS_sendmmsg+0x35/0x60
[ 30.258248] [<0000000092944b04>] ? __sys_sendmmsg+0x3d0/0x3d0
[ 30.264291] [<00000000db1d678d>] do_syscall_64+0x1ad/0x5c0
[ 30.270048] [<000000006ed50e6b>] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
[ 30.278240] Kernel Offset: disabled
[ 30.281891] Rebooting in 86400 seconds..