[ ok ] Starting periodic command scheduler: cron. Starting mcstransd: [ 115.912678][ T27] audit: type=1400 audit(1579748718.834:37): avc: denied { watch } for pid=10591 comm="restorecond" path="/root/.ssh" dev="sda1" ino=16179 scontext=system_u:system_r:kernel_t:s0 tcontext=unconfined_u:object_r:ssh_home_t:s0 tclass=dir permissive=1 [ ok ] Starting file context maintaining daemon: restorecond. [ ok ] Starting OpenBSD Secure Shell server: sshd. Debian GNU/Linux 7 syzkaller ttyS0 syzkaller login: [ 120.189751][ T27] kauditd_printk_skb: 3 callbacks suppressed [ 120.189767][ T27] audit: type=1400 audit(1579748723.114:41): avc: denied { map } for pid=10674 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1 Warning: Permanently added '10.128.0.153' (ECDSA) to the list of known hosts. executing program [ 126.936722][ T27] audit: type=1400 audit(1579748729.854:42): avc: denied { map } for pid=10686 comm="syz-executor502" path="/root/syz-executor502800525" dev="sda1" ino=16484 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1 [ 126.941659][T10686] ================================================================== [ 126.973532][T10686] BUG: KASAN: slab-out-of-bounds in setup_udp_tunnel_sock+0x43d/0x520 [ 126.981676][T10686] Write of size 1 at addr ffff8880a4952590 by task syz-executor502/10686 [ 126.990083][T10686] [ 126.992405][T10686] CPU: 1 PID: 10686 Comm: syz-executor502 Not tainted 5.5.0-rc7-syzkaller #0 [ 127.001156][T10686] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 127.011449][T10686] Call Trace: [ 127.014861][T10686] dump_stack+0x197/0x210 [ 127.019185][T10686] ? 
setup_udp_tunnel_sock+0x43d/0x520 [ 127.024726][T10686] print_address_description.constprop.0.cold+0xd4/0x30b [ 127.031751][T10686] ? setup_udp_tunnel_sock+0x43d/0x520 [ 127.037219][T10686] ? setup_udp_tunnel_sock+0x43d/0x520 [ 127.042675][T10686] __kasan_report.cold+0x1b/0x41 [ 127.047619][T10686] ? trace_hardirqs_on+0x51/0x240 [ 127.052645][T10686] ? setup_udp_tunnel_sock+0x43d/0x520 [ 127.058464][T10686] kasan_report+0x12/0x20 [ 127.062805][T10686] __asan_report_store1_noabort+0x17/0x20 [ 127.068541][T10686] setup_udp_tunnel_sock+0x43d/0x520 [ 127.073821][T10686] gtp_encap_enable_socket+0x338/0x420 [ 127.079400][T10686] ? gtp_find_pdp_by_link+0x480/0x480 [ 127.084875][T10686] ? memset+0x32/0x40 [ 127.088862][T10686] ? gtp1_pdp_find.isra.0+0x180/0x180 [ 127.094394][T10686] ? __gtp_encap_destroy+0x1e0/0x1e0 [ 127.099808][T10686] ? alloc_netdev_mqs+0xa22/0xde0 [ 127.104963][T10686] gtp_newlink+0x95/0xc60 [ 127.109306][T10686] ? rtnl_create_link+0x192/0xab0 [ 127.114331][T10686] ? netlink_ns_capable+0x26/0x30 [ 127.119590][T10686] ? gtp_genl_get_pdp+0x5c0/0x5c0 [ 127.124621][T10686] __rtnl_newlink+0x109e/0x1790 [ 127.129546][T10686] ? rtnl_link_unregister+0x250/0x250 [ 127.134925][T10686] ? is_bpf_text_address+0xce/0x160 [ 127.140127][T10686] ? kernel_text_address+0x73/0xf0 [ 127.145465][T10686] ? unwind_get_return_address+0x61/0xa0 [ 127.151088][T10686] ? profile_setup.cold+0xbb/0xbb [ 127.156122][T10686] ? arch_stack_walk+0x97/0xf0 [ 127.161040][T10686] ? stack_trace_save+0xac/0xe0 [ 127.165955][T10686] ? stack_trace_consume_entry+0x190/0x190 [ 127.171884][T10686] ? mark_lock+0xc2/0x1220 [ 127.176350][T10686] ? save_stack+0x5c/0x90 [ 127.180751][T10686] ? save_stack+0x23/0x90 [ 127.185127][T10686] ? __kasan_kmalloc.constprop.0+0xcf/0xe0 [ 127.190932][T10686] ? kasan_kmalloc+0x9/0x10 [ 127.195423][T10686] ? kmem_cache_alloc_trace+0x158/0x790 [ 127.201001][T10686] ? rtnl_newlink+0x4b/0xa0 [ 127.205626][T10686] ? 
rcu_read_lock_sched_held+0x9c/0xd0 [ 127.211179][T10686] ? rcu_read_lock_any_held.part.0+0x50/0x50 [ 127.217184][T10686] rtnl_newlink+0x69/0xa0 [ 127.221514][T10686] ? __rtnl_newlink+0x1790/0x1790 [ 127.226622][T10686] rtnetlink_rcv_msg+0x45e/0xaf0 [ 127.231764][T10686] ? rtnl_bridge_getlink+0x910/0x910 [ 127.237071][T10686] ? lock_downgrade+0x920/0x920 [ 127.241962][T10686] ? netlink_deliver_tap+0x228/0xbe0 [ 127.247260][T10686] ? find_held_lock+0x35/0x130 [ 127.252239][T10686] netlink_rcv_skb+0x177/0x450 [ 127.256996][T10686] ? rtnl_bridge_getlink+0x910/0x910 [ 127.262340][T10686] ? netlink_ack+0xb50/0xb50 [ 127.267148][T10686] ? __kasan_check_read+0x11/0x20 [ 127.272172][T10686] ? netlink_deliver_tap+0x24a/0xbe0 [ 127.277467][T10686] rtnetlink_rcv+0x1d/0x30 [ 127.282041][T10686] netlink_unicast+0x58c/0x7d0 [ 127.286919][T10686] ? netlink_attachskb+0x870/0x870 [ 127.292032][T10686] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 127.298286][T10686] netlink_sendmsg+0x91c/0xea0 [ 127.303354][T10686] ? netlink_unicast+0x7d0/0x7d0 [ 127.308386][T10686] ? tomoyo_socket_sendmsg+0x26/0x30 [ 127.313723][T10686] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 127.319969][T10686] ? security_socket_sendmsg+0x8d/0xc0 [ 127.325669][T10686] ? netlink_unicast+0x7d0/0x7d0 [ 127.330602][T10686] sock_sendmsg+0xd7/0x130 [ 127.335021][T10686] ____sys_sendmsg+0x753/0x880 [ 127.339851][T10686] ? kernel_sendmsg+0x50/0x50 [ 127.344710][T10686] ? mark_held_locks+0xa4/0xf0 [ 127.349484][T10686] ? do_huge_pmd_anonymous_page+0x1463/0x1a50 [ 127.355663][T10686] ? __handle_mm_fault+0x3145/0x3cc0 [ 127.361062][T10686] ? do_huge_pmd_anonymous_page+0x1463/0x1a50 [ 127.367372][T10686] ___sys_sendmsg+0x100/0x170 [ 127.372073][T10686] ? do_huge_pmd_anonymous_page+0xceb/0x1a50 [ 127.378282][T10686] ? sendmsg_copy_msghdr+0x70/0x70 [ 127.383529][T10686] ? __do_page_fault+0x56a/0xd80 [ 127.388526][T10686] ? find_held_lock+0x35/0x130 [ 127.393292][T10686] ? 
__do_page_fault+0x56a/0xd80 [ 127.398355][T10686] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 127.404713][T10686] ? __fget_light+0x1a9/0x230 [ 127.409452][T10686] ? __fdget+0x1b/0x20 [ 127.413523][T10686] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 127.419979][T10686] __sys_sendmsg+0x105/0x1d0 [ 127.424584][T10686] ? __sys_sendmsg_sock+0xc0/0xc0 [ 127.429614][T10686] ? down_read_non_owner+0x490/0x490 [ 127.434942][T10686] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 127.440546][T10686] ? do_syscall_64+0x26/0x790 [ 127.445344][T10686] ? entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 127.451539][T10686] ? do_syscall_64+0x26/0x790 [ 127.456291][T10686] __x64_sys_sendmsg+0x78/0xb0 [ 127.461159][T10686] do_syscall_64+0xfa/0x790 [ 127.465769][T10686] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 127.471659][T10686] RIP: 0033:0x4402b9 [ 127.475644][T10686] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 fb 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00 [ 127.495332][T10686] RSP: 002b:00007ffc780292f8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e [ 127.503838][T10686] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 00000000004402b9 [ 127.511867][T10686] RDX: 0000000000000000 RSI: 0000000020000100 RDI: 0000000000000003 [ 127.520001][T10686] RBP: 00000000006ca018 R08: 00000000004002c8 R09: 00000000004002c8 [ 127.527988][T10686] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000401b40 [ 127.535967][T10686] R13: 0000000000401bd0 R14: 0000000000000000 R15: 0000000000000000 [ 127.544063][T10686] [ 127.546388][T10686] Allocated by task 10686: [ 127.550804][T10686] save_stack+0x23/0x90 [ 127.555019][T10686] __kasan_kmalloc.constprop.0+0xcf/0xe0 [ 127.560751][T10686] kasan_slab_alloc+0xf/0x20 [ 127.565448][T10686] kmem_cache_alloc+0x121/0x710 [ 127.570353][T10686] sk_prot_alloc+0x67/0x310 [ 127.575047][T10686] sk_alloc+0x39/0xfd0 [ 127.579175][T10686] inet_create+0x363/0xdf0 [ 
127.583645][T10686] __sock_create+0x3ce/0x730 [ 127.588248][T10686] __sys_socket+0x103/0x220 [ 127.592743][T10686] __x64_sys_socket+0x73/0xb0 [ 127.597486][T10686] do_syscall_64+0xfa/0x790 [ 127.602119][T10686] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 127.608001][T10686] [ 127.610334][T10686] Freed by task 0: [ 127.614045][T10686] (stack is not available) [ 127.618454][T10686] [ 127.620774][T10686] The buggy address belongs to the object at ffff8880a4952040 [ 127.620774][T10686] which belongs to the cache RAW of size 1360 [ 127.634322][T10686] The buggy address is located 0 bytes to the right of [ 127.634322][T10686] 1360-byte region [ffff8880a4952040, ffff8880a4952590) [ 127.648144][T10686] The buggy address belongs to the page: [ 127.654002][T10686] page:ffffea0002925480 refcount:1 mapcount:0 mapping:ffff88821a8abe00 index:0x0 compound_mapcount: 0 [ 127.665391][T10686] raw: 00fffe0000010200 ffff8880a4d7a348 ffff8880a4d7a348 ffff88821a8abe00 [ 127.674007][T10686] raw: 0000000000000000 ffff8880a4952040 0000000100000005 0000000000000000 [ 127.682583][T10686] page dumped because: kasan: bad access detected [ 127.688989][T10686] [ 127.688994][T10686] Memory state around the buggy address: [ 127.689008][T10686] ffff8880a4952480: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 127.689019][T10686] ffff8880a4952500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 127.689029][T10686] >ffff8880a4952580: 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 127.689035][T10686] ^ [ 127.689045][T10686] ffff8880a4952600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 127.689056][T10686] ffff8880a4952680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 127.689061][T10686] ================================================================== [ 127.689065][T10686] Disabling lock debugging due to kernel taint [ 127.760213][T10686] Kernel panic - not syncing: panic_on_warn set ... 
[ 127.766856][T10686] CPU: 0 PID: 10686 Comm: syz-executor502 Tainted: G B 5.5.0-rc7-syzkaller #0 [ 127.777025][T10686] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 127.787104][T10686] Call Trace: [ 127.790444][T10686] dump_stack+0x197/0x210 [ 127.794764][T10686] panic+0x2e3/0x75c [ 127.798653][T10686] ? add_taint.cold+0x16/0x16 [ 127.803413][T10686] ? setup_udp_tunnel_sock+0x43d/0x520 [ 127.809108][T10686] ? preempt_schedule+0x4b/0x60 [ 127.814059][T10686] ? ___preempt_schedule+0x16/0x18 [ 127.819187][T10686] ? trace_hardirqs_on+0x5e/0x240 [ 127.824265][T10686] ? setup_udp_tunnel_sock+0x43d/0x520 [ 127.830056][T10686] end_report+0x47/0x4f [ 127.834253][T10686] ? setup_udp_tunnel_sock+0x43d/0x520 [ 127.839775][T10686] __kasan_report.cold+0xe/0x41 [ 127.844917][T10686] ? trace_hardirqs_on+0x51/0x240 [ 127.849932][T10686] ? setup_udp_tunnel_sock+0x43d/0x520 [ 127.855390][T10686] kasan_report+0x12/0x20 [ 127.859861][T10686] __asan_report_store1_noabort+0x17/0x20 [ 127.865620][T10686] setup_udp_tunnel_sock+0x43d/0x520 [ 127.870949][T10686] gtp_encap_enable_socket+0x338/0x420 [ 127.876422][T10686] ? gtp_find_pdp_by_link+0x480/0x480 [ 127.881799][T10686] ? memset+0x32/0x40 [ 127.885776][T10686] ? gtp1_pdp_find.isra.0+0x180/0x180 [ 127.891250][T10686] ? __gtp_encap_destroy+0x1e0/0x1e0 [ 127.896709][T10686] ? alloc_netdev_mqs+0xa22/0xde0 [ 127.901745][T10686] gtp_newlink+0x95/0xc60 [ 127.906080][T10686] ? rtnl_create_link+0x192/0xab0 [ 127.911112][T10686] ? netlink_ns_capable+0x26/0x30 [ 127.916282][T10686] ? gtp_genl_get_pdp+0x5c0/0x5c0 [ 127.921317][T10686] __rtnl_newlink+0x109e/0x1790 [ 127.926159][T10686] ? rtnl_link_unregister+0x250/0x250 [ 127.931641][T10686] ? is_bpf_text_address+0xce/0x160 [ 127.936889][T10686] ? kernel_text_address+0x73/0xf0 [ 127.942132][T10686] ? unwind_get_return_address+0x61/0xa0 [ 127.947767][T10686] ? profile_setup.cold+0xbb/0xbb [ 127.952781][T10686] ? 
arch_stack_walk+0x97/0xf0 [ 127.957544][T10686] ? stack_trace_save+0xac/0xe0 [ 127.962378][T10686] ? stack_trace_consume_entry+0x190/0x190 [ 127.968197][T10686] ? mark_lock+0xc2/0x1220 [ 127.972693][T10686] ? save_stack+0x5c/0x90 [ 127.977111][T10686] ? save_stack+0x23/0x90 [ 127.981491][T10686] ? __kasan_kmalloc.constprop.0+0xcf/0xe0 [ 127.987423][T10686] ? kasan_kmalloc+0x9/0x10 [ 127.991924][T10686] ? kmem_cache_alloc_trace+0x158/0x790 [ 127.997474][T10686] ? rtnl_newlink+0x4b/0xa0 [ 128.001981][T10686] ? rcu_read_lock_sched_held+0x9c/0xd0 [ 128.007578][T10686] ? rcu_read_lock_any_held.part.0+0x50/0x50 [ 128.013721][T10686] rtnl_newlink+0x69/0xa0 [ 128.018033][T10686] ? __rtnl_newlink+0x1790/0x1790 [ 128.023250][T10686] rtnetlink_rcv_msg+0x45e/0xaf0 [ 128.028192][T10686] ? rtnl_bridge_getlink+0x910/0x910 [ 128.033474][T10686] ? lock_downgrade+0x920/0x920 [ 128.038333][T10686] ? netlink_deliver_tap+0x228/0xbe0 [ 128.043644][T10686] ? find_held_lock+0x35/0x130 [ 128.048514][T10686] netlink_rcv_skb+0x177/0x450 [ 128.053331][T10686] ? rtnl_bridge_getlink+0x910/0x910 [ 128.058752][T10686] ? netlink_ack+0xb50/0xb50 [ 128.063341][T10686] ? __kasan_check_read+0x11/0x20 [ 128.068414][T10686] ? netlink_deliver_tap+0x24a/0xbe0 [ 128.073818][T10686] rtnetlink_rcv+0x1d/0x30 [ 128.078220][T10686] netlink_unicast+0x58c/0x7d0 [ 128.083044][T10686] ? netlink_attachskb+0x870/0x870 [ 128.088156][T10686] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 128.094445][T10686] netlink_sendmsg+0x91c/0xea0 [ 128.099680][T10686] ? netlink_unicast+0x7d0/0x7d0 [ 128.104644][T10686] ? tomoyo_socket_sendmsg+0x26/0x30 [ 128.109985][T10686] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 128.116228][T10686] ? security_socket_sendmsg+0x8d/0xc0 [ 128.121684][T10686] ? netlink_unicast+0x7d0/0x7d0 [ 128.126872][T10686] sock_sendmsg+0xd7/0x130 [ 128.132850][T10686] ____sys_sendmsg+0x753/0x880 [ 128.137634][T10686] ? kernel_sendmsg+0x50/0x50 [ 128.142355][T10686] ? 
mark_held_locks+0xa4/0xf0 [ 128.147246][T10686] ? do_huge_pmd_anonymous_page+0x1463/0x1a50 [ 128.153500][T10686] ? __handle_mm_fault+0x3145/0x3cc0 [ 128.158805][T10686] ? do_huge_pmd_anonymous_page+0x1463/0x1a50 [ 128.164917][T10686] ___sys_sendmsg+0x100/0x170 [ 128.169596][T10686] ? do_huge_pmd_anonymous_page+0xceb/0x1a50 [ 128.175573][T10686] ? sendmsg_copy_msghdr+0x70/0x70 [ 128.180697][T10686] ? __do_page_fault+0x56a/0xd80 [ 128.185696][T10686] ? find_held_lock+0x35/0x130 [ 128.190463][T10686] ? __do_page_fault+0x56a/0xd80 [ 128.195408][T10686] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 128.201647][T10686] ? __fget_light+0x1a9/0x230 [ 128.206464][T10686] ? __fdget+0x1b/0x20 [ 128.210533][T10686] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 128.216776][T10686] __sys_sendmsg+0x105/0x1d0 [ 128.221362][T10686] ? __sys_sendmsg_sock+0xc0/0xc0 [ 128.226384][T10686] ? down_read_non_owner+0x490/0x490 [ 128.231770][T10686] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 128.237213][T10686] ? do_syscall_64+0x26/0x790 [ 128.241890][T10686] ? entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 128.247941][T10686] ? 
do_syscall_64+0x26/0x790 [ 128.252719][T10686] __x64_sys_sendmsg+0x78/0xb0 [ 128.257616][T10686] do_syscall_64+0xfa/0x790 [ 128.262123][T10686] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 128.268094][T10686] RIP: 0033:0x4402b9 [ 128.271992][T10686] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 fb 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00 [ 128.291863][T10686] RSP: 002b:00007ffc780292f8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e [ 128.300275][T10686] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 00000000004402b9 [ 128.308353][T10686] RDX: 0000000000000000 RSI: 0000000020000100 RDI: 0000000000000003 [ 128.316549][T10686] RBP: 00000000006ca018 R08: 00000000004002c8 R09: 00000000004002c8 [ 128.324519][T10686] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000401b40 [ 128.332691][T10686] R13: 0000000000401bd0 R14: 0000000000000000 R15: 0000000000000000 [ 128.342380][T10686] Kernel Offset: disabled [ 128.346716][T10686] Rebooting in 86400 seconds..