Warning: Permanently added '10.128.10.27' (ECDSA) to the list of known hosts.
executing program
executing program
executing program
executing program
executing program
executing program
syzkaller login: [ 35.662452] audit: type=1400 audit(1602021056.656:8): avc: denied { execmem } for pid=6378 comm="syz-executor848" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=1
[ 35.671617] netlink: 32 bytes leftover after parsing attributes in process `syz-executor848'.
[ 35.695691] netlink: 32 bytes leftover after parsing attributes in process `syz-executor848'.
[ 35.704814] netlink: 32 bytes leftover after parsing attributes in process `syz-executor848'.
[ 35.714712] netlink: 32 bytes leftover after parsing attributes in process `syz-executor848'.
[ 35.729543] ==================================================================
[ 35.737028] BUG: KASAN: stack-out-of-bounds in tcf_action_destroy+0x138/0x170
[ 35.744293] Read of size 8 at addr ffff888097c777a0 by task syz-executor848/6394
[ 35.751810]
[ 35.753431] CPU: 0 PID: 6394 Comm: syz-executor848 Not tainted 4.14.198-syzkaller #0
[ 35.761296] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 35.770635] Call Trace:
[ 35.773219]  dump_stack+0x1b2/0x283
[ 35.776841]  print_address_description.cold+0x54/0x1d3
[ 35.782110]  kasan_report_error.cold+0x8a/0x194
[ 35.786768]  ? tcf_action_destroy+0x138/0x170
[ 35.791257]  __asan_report_load8_noabort+0x68/0x70
[ 35.796178]  ? tcf_action_destroy+0x138/0x170
[ 35.800664]  tcf_action_destroy+0x138/0x170
[ 35.804978]  tcf_action_init+0x294/0x400
[ 35.809058]  ? tcf_action_init_1+0x9e0/0x9e0
[ 35.813457]  ? finish_task_switch+0x178/0x610
[ 35.817941]  ? finish_task_switch+0x14d/0x610
[ 35.822452]  ? memset+0x20/0x40
[ 35.825723]  ? nla_parse+0x157/0x1f0
[ 35.829426]  tc_ctl_action+0x2e3/0x50f
[ 35.833307]  ? tca_action_gd+0x790/0x790
[ 35.837359]  ? rtnetlink_rcv_msg+0x2e8/0xb10
[ 35.841760]  ? tca_action_gd+0x790/0x790
[ 35.845812]  rtnetlink_rcv_msg+0x3be/0xb10
[ 35.850042]  ? rtnl_calcit.isra.0+0x3a0/0x3a0
[ 35.854531]  ? __netlink_lookup+0x345/0x5d0
[ 35.858848]  netlink_rcv_skb+0x125/0x390
[ 35.862901]  ? rtnl_calcit.isra.0+0x3a0/0x3a0
[ 35.867406]  ? netlink_ack+0x9a0/0x9a0
[ 35.871293]  netlink_unicast+0x437/0x610
[ 35.875346]  ? netlink_sendskb+0xd0/0xd0
[ 35.879408]  netlink_sendmsg+0x62e/0xb80
[ 35.883467]  ? nlmsg_notify+0x170/0x170
[ 35.887431]  ? kernel_recvmsg+0x210/0x210
[ 35.891574]  ? security_socket_sendmsg+0x83/0xb0
[ 35.896324]  ? nlmsg_notify+0x170/0x170
[ 35.900289]  sock_sendmsg+0xb5/0x100
[ 35.903994]  ___sys_sendmsg+0x6c8/0x800
[ 35.907959]  ? copy_msghdr_from_user+0x3b0/0x3b0
[ 35.912707]  ? lock_downgrade+0x740/0x740
[ 35.916847]  ? do_raw_spin_unlock+0x164/0x220
[ 35.921334]  ? _raw_spin_unlock+0x29/0x40
[ 35.925470]  ? do_huge_pmd_anonymous_page+0x732/0x1670
[ 35.930733]  ? __fget+0x1fe/0x360
[ 35.934176]  ? lock_acquire+0x170/0x3f0
[ 35.938135]  ? lock_downgrade+0x740/0x740
[ 35.942278]  ? __fget+0x225/0x360
[ 35.945720]  ? __fdget+0x196/0x1f0
[ 35.949251]  ? sockfd_lookup_light+0xb2/0x160
[ 35.953735]  __sys_sendmsg+0xa3/0x120
[ 35.957523]  ? SyS_shutdown+0x160/0x160
[ 35.961491]  ? up_read+0x17/0x30
[ 35.964843]  ? __do_page_fault+0x19a/0xb50
[ 35.969073]  SyS_sendmsg+0x27/0x40
[ 35.972601]  ? __sys_sendmsg+0x120/0x120
[ 35.976651]  do_syscall_64+0x1d5/0x640
[ 35.980532]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 35.985709] RIP: 0033:0x446c19
[ 35.988902] RSP: 002b:00007f335551ed98 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 35.996596] RAX: ffffffffffffffda RBX: 00000000006dbc28 RCX: 0000000000446c19
[ 36.003850] RDX: 0000000000000000 RSI: 0000000020002980 RDI: 0000000000000003
[ 36.011105] RBP: 00000000006dbc20 R08: 0000000000000000 R09: 0000000000000000
[ 36.018359] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dbc2c
[ 36.025612] R13: 0001008400000000 R14: 0000000000e60000 R15: 053b003000000098
[ 36.032876]
[ 36.034488] The buggy address belongs to the page:
[ 36.039403] page:ffffea00025f1dc0 count:0 mapcount:0 mapping:          (null) index:0x0
[ 36.047535] flags: 0xfffe0000000000()
[ 36.051335] raw: 00fffe0000000000 0000000000000000 0000000000000000 00000000ffffffff
[ 36.059204] raw: 0000000000000000 0000000100000001 0000000000000000 0000000000000000
[ 36.067063] page dumped because: kasan: bad access detected
[ 36.072754]
[ 36.074372] Memory state around the buggy address:
[ 36.079288]  ffff888097c77680: 00 00 00 00 00 00 00 00 00 00 00 f3 f3 f3 f3 f3
[ 36.086633]  ffff888097c77700: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
[ 36.093996] >ffff888097c77780: f1 f1 f1 f1 f1 f1 00 00 f2 f2 00 00 00 00 00 f3
[ 36.101341]                                ^
[ 36.105742]  ffff888097c77800: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
[ 36.113094]  ffff888097c77880: f1 f1 f1 f1 f1 f1 00 00 00 00 00 00 f3 f3 f3 f3
[ 36.120437] ==================================================================
[ 36.127779] Disabling lock debugging due to kernel taint
[ 36.145283] Kernel panic - not syncing: panic_on_warn set ...
[ 36.145283]
[ 36.152654] CPU: 1 PID: 6394 Comm: syz-executor848 Tainted: G    B   4.14.198-syzkaller #0
[ 36.161734] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 36.171077] Call Trace:
[ 36.173659]  dump_stack+0x1b2/0x283
[ 36.177273]  panic+0x1f9/0x42d
[ 36.180443]  ? add_taint.cold+0x16/0x16
[ 36.184402]  ? ___preempt_schedule+0x16/0x18
[ 36.188785]  kasan_end_report+0x43/0x49
[ 36.192732]  kasan_report_error.cold+0xa7/0x194
[ 36.197380]  ? tcf_action_destroy+0x138/0x170
[ 36.201854]  __asan_report_load8_noabort+0x68/0x70
[ 36.206758]  ? tcf_action_destroy+0x138/0x170
[ 36.211314]  tcf_action_destroy+0x138/0x170
[ 36.215610]  tcf_action_init+0x294/0x400
[ 36.219644]  ? tcf_action_init_1+0x9e0/0x9e0
[ 36.224025]  ? finish_task_switch+0x178/0x610
[ 36.228491]  ? finish_task_switch+0x14d/0x610
[ 36.232978]  ? memset+0x20/0x40
[ 36.236257]  ? nla_parse+0x157/0x1f0
[ 36.239945]  tc_ctl_action+0x2e3/0x50f
[ 36.243812]  ? tca_action_gd+0x790/0x790
[ 36.247853]  ? rtnetlink_rcv_msg+0x2e8/0xb10
[ 36.252236]  ? tca_action_gd+0x790/0x790
[ 36.256270]  rtnetlink_rcv_msg+0x3be/0xb10
[ 36.260482]  ? rtnl_calcit.isra.0+0x3a0/0x3a0
[ 36.264954]  ? __netlink_lookup+0x345/0x5d0
[ 36.269255]  netlink_rcv_skb+0x125/0x390
[ 36.273309]  ? rtnl_calcit.isra.0+0x3a0/0x3a0
[ 36.277778]  ? netlink_ack+0x9a0/0x9a0
[ 36.281642]  netlink_unicast+0x437/0x610
[ 36.286461]  ? netlink_sendskb+0xd0/0xd0
[ 36.290496]  netlink_sendmsg+0x62e/0xb80
[ 36.294549]  ? nlmsg_notify+0x170/0x170
[ 36.298494]  ? kernel_recvmsg+0x210/0x210
[ 36.302615]  ? security_socket_sendmsg+0x83/0xb0
[ 36.307345]  ? nlmsg_notify+0x170/0x170
[ 36.311291]  sock_sendmsg+0xb5/0x100
[ 36.314977]  ___sys_sendmsg+0x6c8/0x800
[ 36.318938]  ? copy_msghdr_from_user+0x3b0/0x3b0
[ 36.323682]  ? lock_downgrade+0x740/0x740
[ 36.327802]  ? do_raw_spin_unlock+0x164/0x220
[ 36.332270]  ? _raw_spin_unlock+0x29/0x40
[ 36.336390]  ? do_huge_pmd_anonymous_page+0x732/0x1670
[ 36.341638]  ? __fget+0x1fe/0x360
[ 36.345064]  ? lock_acquire+0x170/0x3f0
[ 36.349008]  ? lock_downgrade+0x740/0x740
[ 36.353129]  ? __fget+0x225/0x360
[ 36.356553]  ? __fdget+0x196/0x1f0
[ 36.360069]  ? sockfd_lookup_light+0xb2/0x160
[ 36.364536]  __sys_sendmsg+0xa3/0x120
[ 36.368310]  ? SyS_shutdown+0x160/0x160
[ 36.372259]  ? up_read+0x17/0x30
[ 36.375597]  ? __do_page_fault+0x19a/0xb50
[ 36.379806]  SyS_sendmsg+0x27/0x40
[ 36.383333]  ? __sys_sendmsg+0x120/0x120
[ 36.387369]  do_syscall_64+0x1d5/0x640
[ 36.391230]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 36.396403] RIP: 0033:0x446c19
[ 36.399580] RSP: 002b:00007f335551ed98 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 36.407259] RAX: ffffffffffffffda RBX: 00000000006dbc28 RCX: 0000000000446c19
[ 36.414501] RDX: 0000000000000000 RSI: 0000000020002980 RDI: 0000000000000003
[ 36.421756] RBP: 00000000006dbc20 R08: 0000000000000000 R09: 0000000000000000
[ 36.429017] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dbc2c
[ 36.436257] R13: 0001008400000000 R14: 0000000000e60000 R15: 053b003000000098
[ 36.444528] Kernel Offset: disabled
[ 36.448138] Rebooting in 86400 seconds..