[....] Starting enhanced syslogd: rsyslogd[?25l[?1c7[ ok 8[?25h[?0c. [ 52.014005][ T23] audit: type=1800 audit(1579361162.786:25): pid=8582 uid=0 auid=4294967295 ses=4294967295 subj=_ op=collect_data cause=failed(directio) comm="startpar" name="cron" dev="sda1" ino=2414 res=0 [ 52.033401][ T23] audit: type=1800 audit(1579361162.786:26): pid=8582 uid=0 auid=4294967295 ses=4294967295 subj=_ op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0 [ 52.102354][ T23] audit: type=1800 audit(1579361162.786:27): pid=8582 uid=0 auid=4294967295 ses=4294967295 subj=_ op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0 [....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[ ok 8[?25h[?0c. Debian GNU/Linux 7 syzkaller ttyS0 Warning: Permanently added '10.128.15.198' (ECDSA) to the list of known hosts. executing program executing program syzkaller login: [ 80.007202][ T8736] ================================================================== [ 80.015775][ T8736] BUG: KASAN: use-after-free in bitmap_port_destroy+0x1f2/0x3c0 [ 80.023948][ T8736] Read of size 8 at addr ffff8880a5048a40 by task syz-executor419/8736 [ 80.032694][ T8736] [ 80.035018][ T8736] CPU: 1 PID: 8736 Comm: syz-executor419 Not tainted 5.5.0-rc6-syzkaller #0 [ 80.043871][ T8736] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 80.054066][ T8736] Call Trace: [ 80.057356][ T8736] dump_stack+0x1fb/0x318 [ 80.061792][ T8736] print_address_description+0x74/0x5c0 [ 80.067326][ T8736] ? vprintk_default+0x28/0x30 [ 80.072093][ T8736] ? vprintk_func+0x158/0x170 [ 80.076763][ T8736] ? printk+0x62/0x8d [ 80.080853][ T8736] __kasan_report+0x149/0x1c0 [ 80.085723][ T8736] ? bitmap_port_destroy+0x1f2/0x3c0 [ 80.091115][ T8736] kasan_report+0x26/0x50 [ 80.095525][ T8736] check_memory_region+0x2b6/0x2f0 [ 80.102965][ T8736] __kasan_check_read+0x11/0x20 [ 80.108603][ T8736] bitmap_port_destroy+0x1f2/0x3c0 [ 80.113855][ T8736] ip_set_create+0xae0/0xfd0 [ 80.118481][ T8736] ? ip_set_protocol+0x5b0/0x5b0 [ 80.123694][ T8736] nfnetlink_rcv_msg+0x9ae/0xcd0 [ 80.129253][ T8736] ? cap_capable+0x25b/0x290 [ 80.133842][ T8736] ? cap_capable+0x25b/0x290 [ 80.138447][ T8736] netlink_rcv_skb+0x19e/0x3e0 [ 80.143348][ T8736] ? nfnetlink_bind+0x250/0x250 [ 80.148253][ T8736] nfnetlink_rcv+0x1e0/0x1e50 [ 80.153032][ T8736] ? rcu_lock_release+0x9/0x30 [ 80.157810][ T8736] ? rcu_lock_release+0x21/0x30 [ 80.162806][ T8736] ? netlink_deliver_tap+0x142/0x880 [ 80.168454][ T8736] netlink_unicast+0x767/0x920 [ 80.173444][ T8736] netlink_sendmsg+0xa2c/0xd50 [ 80.179074][ T8736] ? netlink_getsockopt+0x9f0/0x9f0 [ 80.184302][ T8736] ____sys_sendmsg+0x4f7/0x7f0 [ 80.189240][ T8736] __sys_sendmsg+0x1ed/0x290 [ 80.193835][ T8736] ? up_read+0x1d/0x20 [ 80.197900][ T8736] ? do_user_addr_fault+0x654/0xaf0 [ 80.203097][ T8736] ? check_preemption_disabled+0xb4/0x260 [ 80.208816][ T8736] ? debug_smp_processor_id+0x9/0x20 [ 80.214370][ T8736] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 80.220151][ T8736] ? trace_irq_disable_rcuidle+0x23/0x1e0 [ 80.226025][ T8736] ? do_syscall_64+0x1d/0x1c0 [ 80.230808][ T8736] __x64_sys_sendmsg+0x7f/0x90 [ 80.235576][ T8736] do_syscall_64+0xf7/0x1c0 [ 80.240813][ T8736] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 80.246975][ T8736] RIP: 0033:0x441399 [ 80.250946][ T8736] Code: e8 fc ab 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 9b 09 fc ff c3 66 2e 0f 1f 84 00 00 00 00 [ 80.272090][ T8736] RSP: 002b:00007ffc467ccc78 EFLAGS: 00000246 ORIG_RAX: 000000000000002e [ 80.280490][ T8736] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000441399 [ 80.288697][ T8736] RDX: 0000000000000000 RSI: 0000000020001080 RDI: 0000000000000003 [ 80.297061][ T8736] RBP: 0000000000013851 R08: 00000000004002c8 R09: 00000000004002c8 [ 80.305150][ T8736] R10: 0000000000000004 R11: 0000000000000246 R12: 00000000004021c0 [ 80.313631][ T8736] R13: 0000000000402250 R14: 0000000000000000 R15: 0000000000000000 [ 80.321617][ T8736] [ 80.323937][ T8736] Allocated by task 8736: [ 80.328278][ T8736] __kasan_kmalloc+0x118/0x1c0 [ 80.333055][ T8736] kasan_kmalloc+0x9/0x10 [ 80.337384][ T8736] __kmalloc+0x254/0x340 [ 80.341759][ T8736] kzalloc+0x21/0x40 [ 80.345637][ T8736] ip_set_alloc+0x32/0x60 [ 80.349957][ T8736] bitmap_port_create+0x32c/0x790 [ 80.355106][ T8736] ip_set_create+0x421/0xfd0 [ 80.359864][ T8736] nfnetlink_rcv_msg+0x9ae/0xcd0 [ 80.364803][ T8736] netlink_rcv_skb+0x19e/0x3e0 [ 80.369811][ T8736] nfnetlink_rcv+0x1e0/0x1e50 [ 80.374699][ T8736] netlink_unicast+0x767/0x920 [ 80.379468][ T8736] netlink_sendmsg+0xa2c/0xd50 [ 80.384223][ T8736] ____sys_sendmsg+0x4f7/0x7f0 [ 80.388986][ T8736] __sys_sendmsg+0x1ed/0x290 [ 80.393772][ T8736] __x64_sys_sendmsg+0x7f/0x90 [ 80.398545][ T8736] do_syscall_64+0xf7/0x1c0 [ 80.403161][ T8736] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 80.409774][ T8736] [ 80.412114][ T8736] Freed by task 8736: [ 80.416537][ T8736] __kasan_slab_free+0x12e/0x1e0 [ 80.421459][ T8736] kasan_slab_free+0xe/0x10 [ 80.425946][ T8736] kfree+0x10d/0x220 [ 80.429825][ T8736] kvfree+0x46/0x50 [ 80.433724][ T8736] ip_set_free+0x15/0x20 [ 80.438079][ T8736] bitmap_port_destroy+0xb6/0x3c0 [ 80.443399][ T8736] ip_set_create+0xae0/0xfd0 [ 80.447977][ T8736] nfnetlink_rcv_msg+0x9ae/0xcd0 [ 80.453033][ T8736] netlink_rcv_skb+0x19e/0x3e0 [ 80.457789][ T8736] nfnetlink_rcv+0x1e0/0x1e50 [ 80.462541][ T8736] netlink_unicast+0x767/0x920 [ 80.467416][ T8736] netlink_sendmsg+0xa2c/0xd50 [ 80.472426][ T8736] ____sys_sendmsg+0x4f7/0x7f0 [ 80.477446][ T8736] __sys_sendmsg+0x1ed/0x290 [ 80.482252][ T8736] __x64_sys_sendmsg+0x7f/0x90 [ 80.488051][ T8736] do_syscall_64+0xf7/0x1c0 [ 80.492831][ T8736] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 80.500017][ T8736] [ 80.502374][ T8736] The buggy address belongs to the object at ffff8880a5048a40 [ 80.502374][ T8736] which belongs to the cache kmalloc-32 of size 32 [ 80.516442][ T8736] The buggy address is located 0 bytes inside of [ 80.516442][ T8736] 32-byte region [ffff8880a5048a40, ffff8880a5048a60) [ 80.529436][ T8736] The buggy address belongs to the page: [ 80.535069][ T8736] page:ffffea0002941200 refcount:1 mapcount:0 mapping:ffff8880aa8001c0 index:0xffff8880a5048fc1 [ 80.545482][ T8736] raw: 00fffe0000000200 ffffea0002a257c8 ffffea00029a6b88 ffff8880aa8001c0 [ 80.554172][ T8736] raw: ffff8880a5048fc1 ffff8880a5048000 000000010000003f 0000000000000000 [ 80.562737][ T8736] page dumped because: kasan: bad access detected [ 80.569154][ T8736] [ 80.571466][ T8736] Memory state around the buggy address: [ 80.577081][ T8736] ffff8880a5048900: 05 fc fc fc fc fc fc fc 05 fc fc fc fc fc fc fc [ 80.585390][ T8736] ffff8880a5048980: 05 fc fc fc fc fc fc fc 00 00 01 fc fc fc fc fc [ 80.593547][ T8736] >ffff8880a5048a00: 00 00 01 fc fc fc fc fc fb fb fb fb fc fc fc fc [ 80.601588][ T8736] ^ [ 80.607730][ T8736] ffff8880a5048a80: 06 fc fc fc fc fc fc fc fb fb fb fb fc fc fc fc [ 80.615794][ T8736] ffff8880a5048b00: 00 00 01 fc fc fc fc fc fb fb fb fb fc fc fc fc [ 80.623838][ T8736] ================================================================== [ 80.631886][ T8736] Disabling lock debugging due to kernel taint [ 80.639388][ T8736] Kernel panic - not syncing: panic_on_warn set ... [ 80.646094][ T8736] CPU: 1 PID: 8736 Comm: syz-executor419 Tainted: G B 5.5.0-rc6-syzkaller #0 [ 80.656260][ T8736] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 80.666416][ T8736] Call Trace: [ 80.669694][ T8736] dump_stack+0x1fb/0x318 [ 80.674114][ T8736] panic+0x264/0x7a9 [ 80.678009][ T8736] ? __kasan_report+0x193/0x1c0 [ 80.682836][ T8736] ? trace_hardirqs_on+0x34/0x80 [ 80.687760][ T8736] ? __kasan_report+0x193/0x1c0 [ 80.692652][ T8736] __kasan_report+0x1b9/0x1c0 [ 80.697421][ T8736] ? bitmap_port_destroy+0x1f2/0x3c0 [ 80.702985][ T8736] kasan_report+0x26/0x50 [ 80.707399][ T8736] check_memory_region+0x2b6/0x2f0 [ 80.712493][ T8736] __kasan_check_read+0x11/0x20 [ 80.717494][ T8736] bitmap_port_destroy+0x1f2/0x3c0 [ 80.722643][ T8736] ip_set_create+0xae0/0xfd0 [ 80.727247][ T8736] ? ip_set_protocol+0x5b0/0x5b0 [ 80.732182][ T8736] nfnetlink_rcv_msg+0x9ae/0xcd0 [ 80.737117][ T8736] ? cap_capable+0x25b/0x290 [ 80.741744][ T8736] ? cap_capable+0x25b/0x290 [ 80.746352][ T8736] netlink_rcv_skb+0x19e/0x3e0 [ 80.751093][ T8736] ? nfnetlink_bind+0x250/0x250 [ 80.755930][ T8736] nfnetlink_rcv+0x1e0/0x1e50 [ 80.760600][ T8736] ? rcu_lock_release+0x9/0x30 [ 80.765343][ T8736] ? rcu_lock_release+0x21/0x30 [ 80.770318][ T8736] ? netlink_deliver_tap+0x142/0x880 [ 80.775722][ T8736] netlink_unicast+0x767/0x920 [ 80.780494][ T8736] netlink_sendmsg+0xa2c/0xd50 [ 80.785236][ T8736] ? netlink_getsockopt+0x9f0/0x9f0 [ 80.790518][ T8736] ____sys_sendmsg+0x4f7/0x7f0 [ 80.795402][ T8736] __sys_sendmsg+0x1ed/0x290 [ 80.799995][ T8736] ? up_read+0x1d/0x20 [ 80.804050][ T8736] ? do_user_addr_fault+0x654/0xaf0 [ 80.809227][ T8736] ? check_preemption_disabled+0xb4/0x260 [ 80.814929][ T8736] ? debug_smp_processor_id+0x9/0x20 [ 80.820223][ T8736] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 80.825670][ T8736] ? trace_irq_disable_rcuidle+0x23/0x1e0 [ 80.831384][ T8736] ? do_syscall_64+0x1d/0x1c0 [ 80.836303][ T8736] __x64_sys_sendmsg+0x7f/0x90 [ 80.841130][ T8736] do_syscall_64+0xf7/0x1c0 [ 80.845617][ T8736] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 80.851489][ T8736] RIP: 0033:0x441399 [ 80.855371][ T8736] Code: e8 fc ab 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 9b 09 fc ff c3 66 2e 0f 1f 84 00 00 00 00 [ 80.875332][ T8736] RSP: 002b:00007ffc467ccc78 EFLAGS: 00000246 ORIG_RAX: 000000000000002e [ 80.883746][ T8736] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000441399 [ 80.891816][ T8736] RDX: 0000000000000000 RSI: 0000000020001080 RDI: 0000000000000003 [ 80.899785][ T8736] RBP: 0000000000013851 R08: 00000000004002c8 R09: 00000000004002c8 [ 80.907742][ T8736] R10: 0000000000000004 R11: 0000000000000246 R12: 00000000004021c0 [ 80.915863][ T8736] R13: 0000000000402250 R14: 0000000000000000 R15: 0000000000000000 [ 80.925824][ T8736] Kernel Offset: disabled [ 80.930184][ T8736] Rebooting in 86400 seconds..