Warning: Permanently added '10.128.0.98' (ECDSA) to the list of known hosts.
executing program
executing program
executing program
executing program
executing program
executing program
[ 82.132461] audit: type=1400 audit(1580113720.793:36): avc: denied { map } for pid=8004 comm="syz-executor049" path="/root/syz-executor049918253" dev="sda1" ino=1426 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 82.176133] audit: type=1400 audit(1580113720.793:37): avc: denied { create } for pid=8013 comm="syz-executor049" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_netfilter_socket permissive=1
[ 82.200794] audit: type=1400 audit(1580113720.793:38): avc: denied { write } for pid=8013 comm="syz-executor049" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_netfilter_socket permissive=1
executing program
executing program
[ 82.487981] ==================================================================
[ 82.495676] BUG: KASAN: use-after-free in __list_del_entry_valid+0xd2/0xf5
[ 82.502695] Read of size 8 at addr ffff88809a072a48 by task syz-executor049/8024
[ 82.510223]
[ 82.511869] CPU: 0 PID: 8024 Comm: syz-executor049 Not tainted 4.19.98-syzkaller #0
[ 82.519768] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 82.529159] Call Trace:
[ 82.531752]  dump_stack+0x197/0x210
[ 82.535439]  ? __list_del_entry_valid+0xd2/0xf5
[ 82.540100]  print_address_description.cold+0x7c/0x20d
[ 82.545502]  ? __list_del_entry_valid+0xd2/0xf5
[ 82.550237]  kasan_report.cold+0x8c/0x2ba
[ 82.554478]  __asan_report_load8_noabort+0x14/0x20
[ 82.559411]  __list_del_entry_valid+0xd2/0xf5
[ 82.563924]  __nf_tables_abort+0x1e77/0x2a70
[ 82.568342]  ? nfnl_err_del+0x115/0x170
[ 82.572311]  nf_tables_abort+0x17/0x30
[ 82.576239]  nfnetlink_rcv_batch+0xae3/0x1750
[ 82.580762]  ? nf_tables_delobj+0x8f0/0x8f0
[ 82.585094]  ? nfnl_err_del+0x170/0x170
[ 82.589068]  ? selinux_ipv4_output+0x50/0x50
[ 82.593475]  ? __netlink_lookup+0x3ab/0x760
[ 82.597800]  ? selinux_capable+0x36/0x40
[ 82.601856]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 82.607383]  ? security_capable+0x95/0xc0
[ 82.611526]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 82.617056]  ? ns_capable_common+0x93/0x100
[ 82.621371]  ? memset+0x32/0x40
[ 82.624651]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 82.630193]  ? nla_parse+0x1fc/0x2f0
[ 82.633904]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[ 82.638924]  nfnetlink_rcv+0x3ed/0x460
[ 82.642818]  ? nfnetlink_rcv_batch+0x1750/0x1750
[ 82.647777]  ? netlink_deliver_tap+0x254/0xc20
[ 82.652360]  ? kasan_check_write+0x14/0x20
[ 82.656602]  netlink_unicast+0x53a/0x730
[ 82.660673]  ? netlink_attachskb+0x770/0x770
[ 82.665189]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 82.670736]  netlink_sendmsg+0x8ae/0xd70
[ 82.674792]  ? netlink_unicast+0x730/0x730
[ 82.679034]  ? selinux_socket_sendmsg+0x36/0x40
[ 82.683809]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 82.689368]  ? security_socket_sendmsg+0x8d/0xc0
[ 82.694189]  ? netlink_unicast+0x730/0x730
[ 82.698453]  sock_sendmsg+0xd7/0x130
[ 82.702170]  ___sys_sendmsg+0x803/0x920
[ 82.706150]  ? copy_msghdr_from_user+0x430/0x430
[ 82.710908]  ? __fget+0x367/0x540
[ 82.714374]  ? iterate_fd+0x360/0x360
[ 82.718232]  ? find_held_lock+0x35/0x130
[ 82.722300]  ? __fd_install+0x1bc/0x640
[ 82.726274]  ? __fget_light+0x1a9/0x230
[ 82.730252]  ? __fdget+0x1b/0x20
[ 82.733609]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 82.739157]  __sys_sendmsg+0x105/0x1d0
[ 82.743068]  ? __ia32_sys_shutdown+0x80/0x80
[ 82.747480]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 82.752231]  ? do_syscall_64+0x26/0x620
[ 82.756215]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 82.761606]  ? do_syscall_64+0x26/0x620
[ 82.765577]  __x64_sys_sendmsg+0x78/0xb0
[ 82.769640]  do_syscall_64+0xfd/0x620
[ 82.773439]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 82.778629] RIP: 0033:0x447089
[ 82.781819] Code: e8 dc e6 ff ff 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 2b 06 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 82.800713] RSP: 002b:00007f0556bc4d98 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 82.808416] RAX: ffffffffffffffda RBX: 00000000006dcc28 RCX: 0000000000447089
[ 82.815686] RDX: 0000000000000000 RSI: 00000000200001c0 RDI: 0000000000000003
[ 82.822951] RBP: 00000000006dcc20 R08: 0000000000000000 R09: 0000000000000000
[ 82.830213] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dcc2c
[ 82.837486] R13: 000000200a000000 R14: 0000000000006c00 R15: 0000001000000014
[ 82.844810]
[ 82.846435] Allocated by task 8024:
[ 82.850072]  save_stack+0x45/0xd0
[ 82.853513]  kasan_kmalloc+0xce/0xf0
[ 82.857224]  kmem_cache_alloc_trace+0x152/0x760
[ 82.861887]  nf_tables_newtable+0xa99/0x1430
[ 82.866289]  nfnetlink_rcv_batch+0xef6/0x1750
[ 82.870779]  nfnetlink_rcv+0x3ed/0x460
[ 82.874668]  netlink_unicast+0x53a/0x730
[ 82.878726]  netlink_sendmsg+0x8ae/0xd70
[ 82.882777]  sock_sendmsg+0xd7/0x130
[ 82.886479]  ___sys_sendmsg+0x803/0x920
[ 82.890452]  __sys_sendmsg+0x105/0x1d0
[ 82.894346]  __x64_sys_sendmsg+0x78/0xb0
[ 82.898402]  do_syscall_64+0xfd/0x620
[ 82.902237]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 82.907410]
[ 82.909025] Freed by task 8027:
[ 82.912299]  save_stack+0x45/0xd0
[ 82.915746]  __kasan_slab_free+0x102/0x150
[ 82.919975]  kasan_slab_free+0xe/0x10
[ 82.923770]  kfree+0xcf/0x220
[ 82.926868]  nf_tables_table_destroy.isra.0+0xef/0x130
[ 82.932149]  nf_tables_commit+0x2d9d/0x41a0
[ 82.936496]  nfnetlink_rcv_batch+0xcf6/0x1750
[ 82.940986]  nfnetlink_rcv+0x3ed/0x460
[ 82.944870]  netlink_unicast+0x53a/0x730
[ 82.948972]  netlink_sendmsg+0x8ae/0xd70
[ 82.953135]  sock_sendmsg+0xd7/0x130
[ 82.956890]  ___sys_sendmsg+0x803/0x920
[ 82.960861]  __sys_sendmsg+0x105/0x1d0
[ 82.964740]  __x64_sys_sendmsg+0x78/0xb0
[ 82.968804]  do_syscall_64+0xfd/0x620
[ 82.972669]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 82.977862]
[ 82.979492] The buggy address belongs to the object at ffff88809a072a40
[ 82.979492]  which belongs to the cache kmalloc-512 of size 512
[ 82.992240] The buggy address is located 8 bytes inside of
[ 82.992240]  512-byte region [ffff88809a072a40, ffff88809a072c40)
[ 83.003969] The buggy address belongs to the page:
[ 83.008896] page:ffffea0002681c80 count:1 mapcount:0 mapping:ffff88812c31c940 index:0x0
[ 83.017088] flags: 0xfffe0000000100(slab)
[ 83.021275] raw: 00fffe0000000100 ffffea000294efc8 ffffea0002633a48 ffff88812c31c940
[ 83.029164] raw: 0000000000000000 ffff88809a072040 0000000100000006 0000000000000000
[ 83.037044] page dumped because: kasan: bad access detected
[ 83.042752]
[ 83.044363] Memory state around the buggy address:
[ 83.049278]  ffff88809a072900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 83.056634]  ffff88809a072980: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 83.064030] >ffff88809a072a00: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 83.071404]                                               ^
[ 83.077109]  ffff88809a072a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 83.084468]  ffff88809a072b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 83.093076] ==================================================================
[ 83.100419] Disabling lock debugging due to kernel taint
[ 83.109492] Kernel panic - not syncing: panic_on_warn set ...
[ 83.109492]
[ 83.116860] CPU: 0 PID: 8024 Comm: syz-executor049 Tainted: G    B 4.19.98-syzkaller #0
[ 83.126028] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 83.135431] Call Trace:
[ 83.138010]  dump_stack+0x197/0x210
[ 83.141807]  ? __list_del_entry_valid+0xd2/0xf5
[ 83.146464]  panic+0x26a/0x50e
[ 83.149698]  ? __warn_printk+0xf3/0xf3
[ 83.153578]  ? __list_del_entry_valid+0xd2/0xf5
[ 83.158248]  ? preempt_schedule+0x4b/0x60
[ 83.162395]  ? ___preempt_schedule+0x16/0x18
[ 83.166805]  ? trace_hardirqs_on+0x5e/0x220
[ 83.171128]  ? __list_del_entry_valid+0xd2/0xf5
[ 83.175838]  kasan_end_report+0x47/0x4f
[ 83.179801]  kasan_report.cold+0xa9/0x2ba
[ 83.183942]  __asan_report_load8_noabort+0x14/0x20
[ 83.188861]  __list_del_entry_valid+0xd2/0xf5
[ 83.193359]  __nf_tables_abort+0x1e77/0x2a70
[ 83.197773]  ? nfnl_err_del+0x115/0x170
[ 83.201740]  nf_tables_abort+0x17/0x30
[ 83.205621]  nfnetlink_rcv_batch+0xae3/0x1750
[ 83.210128]  ? nf_tables_delobj+0x8f0/0x8f0
[ 83.214467]  ? nfnl_err_del+0x170/0x170
[ 83.218435]  ? selinux_ipv4_output+0x50/0x50
[ 83.222946]  ? __netlink_lookup+0x3ab/0x760
[ 83.227284]  ? selinux_capable+0x36/0x40
[ 83.231338]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 83.236886]  ? security_capable+0x95/0xc0
[ 83.241028]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 83.246557]  ? ns_capable_common+0x93/0x100
[ 83.250866]  ? memset+0x32/0x40
[ 83.254139]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 83.259668]  ? nla_parse+0x1fc/0x2f0
[ 83.263371]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[ 83.268396]  nfnetlink_rcv+0x3ed/0x460
[ 83.272286]  ? nfnetlink_rcv_batch+0x1750/0x1750
[ 83.277027]  ? netlink_deliver_tap+0x254/0xc20
[ 83.281650]  ? kasan_check_write+0x14/0x20
[ 83.285884]  netlink_unicast+0x53a/0x730
[ 83.289934]  ? netlink_attachskb+0x770/0x770
[ 83.294410]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 83.299956]  netlink_sendmsg+0x8ae/0xd70
[ 83.304012]  ? netlink_unicast+0x730/0x730
[ 83.308240]  ? selinux_socket_sendmsg+0x36/0x40
[ 83.312903]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 83.318435]  ? security_socket_sendmsg+0x8d/0xc0
[ 83.323230]  ? netlink_unicast+0x730/0x730
[ 83.327458]  sock_sendmsg+0xd7/0x130
[ 83.331201]  ___sys_sendmsg+0x803/0x920
[ 83.335235]  ? copy_msghdr_from_user+0x430/0x430
[ 83.339986]  ? __fget+0x367/0x540
[ 83.343487]  ? iterate_fd+0x360/0x360
[ 83.347295]  ? find_held_lock+0x35/0x130
[ 83.351395]  ? __fd_install+0x1bc/0x640
[ 83.355406]  ? __fget_light+0x1a9/0x230
[ 83.359382]  ? __fdget+0x1b/0x20
[ 83.362741]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 83.368295]  __sys_sendmsg+0x105/0x1d0
[ 83.372181]  ? __ia32_sys_shutdown+0x80/0x80
[ 83.376587]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 83.381335]  ? do_syscall_64+0x26/0x620
[ 83.385304]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 83.390656]  ? do_syscall_64+0x26/0x620
[ 83.394619]  __x64_sys_sendmsg+0x78/0xb0
[ 83.398669]  do_syscall_64+0xfd/0x620
[ 83.402522]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 83.407701] RIP: 0033:0x447089
[ 83.410877] Code: e8 dc e6 ff ff 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 2b 06 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 83.429938] RSP: 002b:00007f0556bc4d98 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 83.437636] RAX: ffffffffffffffda RBX: 00000000006dcc28 RCX: 0000000000447089
[ 83.444891] RDX: 0000000000000000 RSI: 00000000200001c0 RDI: 0000000000000003
[ 83.452218] RBP: 00000000006dcc20 R08: 0000000000000000 R09: 0000000000000000
[ 83.459474] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dcc2c
[ 83.466732] R13: 000000200a000000 R14: 0000000000006c00 R15: 0000001000000014
[ 83.475263] Kernel Offset: disabled
[ 83.478892] Rebooting in 86400 seconds..