[ OK ] Reached target Login Prompts.
[ OK ] Reached target Multi-User System.
[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
[ OK ] Started Update UTMP about System Runlevel Changes.
Debian GNU/Linux 9 syzkaller ttyS0
Warning: Permanently added '10.128.0.46' (ECDSA) to the list of known hosts.
syzkaller login: [ 43.464299] audit: type=1400 audit(1590940474.747:8): avc: denied { execmem } for pid=6326 comm="syz-executor262" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=1
[ 43.702895] IPVS: ftp: loaded support on port[0] = 21
[ 44.559178] chnl_net:caif_netlink_parms(): no params data found
[ 44.635737] bridge0: port 1(bridge_slave_0) entered blocking state
[ 44.642765] bridge0: port 1(bridge_slave_0) entered disabled state
[ 44.649762] device bridge_slave_0 entered promiscuous mode
[ 44.658444] bridge0: port 2(bridge_slave_1) entered blocking state
[ 44.666076] bridge0: port 2(bridge_slave_1) entered disabled state
[ 44.673186] device bridge_slave_1 entered promiscuous mode
[ 44.689982] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 44.698736] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 44.716572] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 44.723831] team0: Port device team_slave_0 added
[ 44.729247] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 44.736775] team0: Port device team_slave_1 added
[ 44.751972] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 44.758305] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 44.784437] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[ 44.795807] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 44.802101] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 44.828455] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[ 44.839137] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[ 44.846859] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[ 44.904859] device hsr_slave_0 entered promiscuous mode
[ 44.961805] device hsr_slave_1 entered promiscuous mode
[ 45.002171] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready
[ 45.009324] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_1: link is not ready
[ 45.071170] bridge0: port 2(bridge_slave_1) entered blocking state
[ 45.077635] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 45.084616] bridge0: port 1(bridge_slave_0) entered blocking state
[ 45.090983] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 45.120063] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[ 45.126932] 8021q: adding VLAN 0 to HW filter on device bond0
[ 45.135687] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 45.144482] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 45.153748] bridge0: port 1(bridge_slave_0) entered disabled state
[ 45.160753] bridge0: port 2(bridge_slave_1) entered disabled state
[ 45.170738] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready
[ 45.178035] 8021q: adding VLAN 0 to HW filter on device team0
[ 45.187148] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 45.195277] bridge0: port 1(bridge_slave_0) entered blocking state
[ 45.201759] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 45.210577] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 45.218598] bridge0: port 2(bridge_slave_1) entered blocking state
[ 45.224987] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 45.239360] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 45.248198] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 45.257924] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 45.267975] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 45.278394] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 45.287444] IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready
[ 45.294176] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 45.306669] IPv6: ADDRCONF(NETDEV_UP): vxcan0: link is not ready
[ 45.314786] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 45.322513] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 45.333869] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 45.382325] IPv6: ADDRCONF(NETDEV_UP): veth0_virt_wifi: link is not ready
[ 45.392363] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 45.423605] IPv6: ADDRCONF(NETDEV_UP): veth0_vlan: link is not ready
[ 45.430569] IPv6: ADDRCONF(NETDEV_UP): vlan0: link is not ready
[ 45.437814] IPv6: ADDRCONF(NETDEV_UP): vlan1: link is not ready
[ 45.446682] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 45.454787] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 45.462862] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 45.471992] device veth0_vlan entered promiscuous mode
[ 45.480528] device veth1_vlan entered promiscuous mode
[ 45.487020] IPv6: ADDRCONF(NETDEV_UP): macvlan0: link is not ready
[ 45.495692] IPv6: ADDRCONF(NETDEV_UP): macvlan1: link is not ready
[ 45.506624] IPv6: ADDRCONF(NETDEV_UP): veth0_macvtap: link is not ready
[ 45.516079] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan0: link becomes ready
[ 45.523808] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan1: link becomes ready
[ 45.530930] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 45.539486] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 45.548052] device veth0_macvtap entered promiscuous mode
[ 45.556566] device veth1_macvtap entered promiscuous mode
[ 45.565090] IPv6: ADDRCONF(NETDEV_UP): veth0_to_batadv: link is not ready
[ 45.574764] IPv6: ADDRCONF(NETDEV_UP): veth1_to_batadv: link is not ready
[ 45.584780] IPv6: ADDRCONF(NETDEV_UP): batadv_slave_0: link is not ready
[ 45.592214] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 45.598939] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready
[ 45.607271] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 45.617623] IPv6: ADDRCONF(NETDEV_UP): batadv_slave_1: link is not ready
[ 45.625164] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 45.631857] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready
[ 45.639696] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
executing program
[ 45.720091] netlink: 72 bytes leftover after parsing attributes in process `syz-executor262'.
[ 45.730896] FAULT_INJECTION: forcing a failure.
[ 45.730896] name fail_page_alloc, interval 1, probability 0, space 0, times 1
[ 45.743321] CPU: 0 PID: 6555 Comm: syz-executor262 Not tainted 4.14.182-syzkaller #0
[ 45.751309] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 45.760727] Call Trace:
[ 45.763319] dump_stack+0x1b2/0x283
[ 45.767020] should_fail.cold+0x10a/0x154
[ 45.771246] __alloc_pages_nodemask+0x22b/0x2730
[ 45.776025] ? trace_hardirqs_on+0x10/0x10
[ 45.780246] ? deref_stack_reg+0x8a/0xc0
[ 45.784308] ? __read_once_size_nocheck.constprop.0+0x10/0x10
[ 45.790177] ? unwind_next_frame+0xe38/0x1700
[ 45.794654] ? gfp_pfmemalloc_allowed+0x150/0x150
[ 45.799477] ? is_bpf_text_address+0x7c/0x120
[ 45.803978] ? lock_downgrade+0x6e0/0x6e0
[ 45.808130] ? is_bpf_text_address+0xa3/0x120
[ 45.812629] ? kernel_text_address+0x6e/0xe0
[ 45.817038] alloc_pages_current+0xe7/0x1e0
[ 45.821357] depot_save_stack+0x3cc/0x401
[ 45.825630] kasan_kmalloc.part.0+0xa6/0xd0
[ 45.830007] ? kasan_kmalloc.part.0+0x4f/0xd0
[ 45.834667] ? kmem_cache_alloc_trace+0x137/0x3f0
[ 45.839584] ? qfq_change_class+0x47c/0x107a
[ 45.844074] ? tc_ctl_tclass+0x3e2/0xa00
[ 45.848752] ? rtnetlink_rcv_msg+0x3be/0xb10
[ 45.853257] ? netlink_rcv_skb+0x127/0x370
[ 45.857475] ? netlink_unicast+0x437/0x610
[ 45.861951] ? netlink_sendmsg+0x64a/0xbb0
[ 45.866165] ? sock_sendmsg+0xb5/0x100
[ 45.870043] ? ___sys_sendmsg+0x349/0x840
[ 45.874191] ? __sys_sendmmsg+0x129/0x330
[ 45.878317] ? SyS_sendmmsg+0x2f/0x50
[ 45.882096] ? do_syscall_64+0x1d5/0x640
[ 45.886432] ? entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 45.891787] ? trace_hardirqs_on+0x10/0x10
[ 45.896006] ? trace_hardirqs_on+0x10/0x10
[ 45.900243] ? rcu_lockdep_current_cpu_online+0xed/0x140
[ 45.905679] ? fs_reclaim_acquire+0x10/0x10
[ 45.909994] ? kasan_unpoison_shadow+0x30/0x40
[ 45.914555] ? kasan_kmalloc+0x76/0xc0
[ 45.918438] kmem_cache_alloc_trace+0x137/0x3f0
[ 45.923089] qfq_change_class+0x47c/0x107a
[ 45.927327] ? qfq_enqueue+0x1390/0x1390
[ 45.931373] ? nla_parse+0x162/0x220
[ 45.935073] ? qdisc_match_from_root+0x148/0x220
[ 45.939818] ? qfq_enqueue+0x1390/0x1390
[ 45.943872] tc_ctl_tclass+0x3e2/0xa00
[ 45.947751] ? qdisc_tree_reduce_backlog+0x490/0x490
[ 45.952999] ? rtnetlink_rcv_msg+0x2e8/0xb10
[ 45.957424] ? qdisc_tree_reduce_backlog+0x490/0x490
[ 45.962514] rtnetlink_rcv_msg+0x3be/0xb10
[ 45.966731] ? rtnl_calcit.isra.0+0x3a0/0x3a0
[ 45.971208] ? netdev_pick_tx+0x2e0/0x2e0
[ 45.975342] netlink_rcv_skb+0x127/0x370
[ 45.979408] ? memcpy+0x35/0x50
[ 45.982749] ? rtnl_calcit.isra.0+0x3a0/0x3a0
[ 45.987234] ? netlink_ack+0x970/0x970
[ 45.991127] netlink_unicast+0x437/0x610
[ 45.995208] ? netlink_sendskb+0x50/0x50
[ 45.999265] netlink_sendmsg+0x64a/0xbb0
[ 46.003310] ? nlmsg_notify+0x160/0x160
[ 46.007278] ? move_addr_to_kernel.part.0+0xf0/0xf0
[ 46.012276] ? security_socket_sendmsg+0x83/0xb0
[ 46.017019] ? nlmsg_notify+0x160/0x160
[ 46.020986] sock_sendmsg+0xb5/0x100
[ 46.024695] ___sys_sendmsg+0x349/0x840
[ 46.028667] ? copy_msghdr_from_user+0x380/0x380
[ 46.033407] ? lock_downgrade+0x6e0/0x6e0
[ 46.037536] ? kstrtouint+0xe6/0x130
[ 46.041240] ? _kstrtoul+0x110/0x110
[ 46.044947] ? __might_fault+0x177/0x1b0
[ 46.049016] ? _copy_from_user+0x94/0x100
[ 46.053147] ? get_pid_task+0x91/0x130
[ 46.057048] ? check_preemption_disabled+0x35/0x240
[ 46.062047] ? lock_downgrade+0x6e0/0x6e0
[ 46.066177] ? __fget_light+0x16a/0x1f0
[ 46.070150] ? sockfd_lookup_light+0xb2/0x160
[ 46.074633] __sys_sendmmsg+0x129/0x330
[ 46.078588] ? SyS_sendmsg+0x40/0x40
[ 46.082312] ? lock_downgrade+0x6e0/0x6e0
[ 46.086449] ? rcu_lockdep_current_cpu_online+0xed/0x140
[ 46.092026] ? vfs_write+0x319/0x4d0
[ 46.095728] ? SyS_write+0x14d/0x210
[ 46.099426] ? SyS_read+0x210/0x210
[ 46.103042] SyS_sendmmsg+0x2f/0x50
[ 46.106677] ? __sys_sendmmsg+0x330/0x330
[ 46.110805] do_syscall_64+0x1d5/0x640
[ 46.114675] entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 46.119929] RIP: 0033:0x444089
[ 46.123113] RSP: 002b:00007fffd2a727a8 EFLAGS: 00000246 ORIG_RAX: 0000000000000133
[ 46.130818] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000444089
[ 46.138084] RDX: 0492492492492642 RSI: 0000000020000180 RDI: 0000000000000006
[ 46.145391] RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000001bbbbbb
[ 46.152781] R10: 0000000000000000 R11: 0000000000000246 R12: ffffffffffffffff
[ 46.160067] R13: 0000000000000007 R14: 0000000000000000 R15: 0000000000000000
executing program
[ 46.176051] netlink: 72 bytes leftover after parsing attributes in process `syz-executor262'.
[ 46.189850] netlink: 72 bytes leftover after parsing attributes in process `syz-executor262'.
[ 46.199674] FAULT_INJECTION: forcing a failure.
[ 46.199674] name failslab, interval 1, probability 0, space 0, times 1
[ 46.211529] CPU: 0 PID: 6556 Comm: syz-executor262 Not tainted 4.14.182-syzkaller #0
[ 46.219415] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 46.228774] Call Trace:
[ 46.231352] dump_stack+0x1b2/0x283
[ 46.234985] should_fail.cold+0x10a/0x154
[ 46.239112] should_failslab+0xd6/0x130
[ 46.243076] kmem_cache_alloc_node+0x25f/0x400
[ 46.247982] __alloc_skb+0x9a/0x4c0
[ 46.251593] ? __kmalloc_reserve.isra.0+0xd0/0xd0
[ 46.256420] ? qfq_enqueue+0x1390/0x1390
[ 46.260487] tclass_notify.isra.0.constprop.0+0x80/0x190
[ 46.265938] tc_ctl_tclass+0x408/0xa00
[ 46.269811] ? qdisc_tree_reduce_backlog+0x490/0x490
[ 46.274896] ? rtnetlink_rcv_msg+0x2e8/0xb10
[ 46.279286] ? qdisc_tree_reduce_backlog+0x490/0x490
[ 46.284388] rtnetlink_rcv_msg+0x3be/0xb10
[ 46.288602] ? rtnl_calcit.isra.0+0x3a0/0x3a0
[ 46.293092] ? netdev_pick_tx+0x2e0/0x2e0
[ 46.297225] netlink_rcv_skb+0x127/0x370
[ 46.301262] ? memcpy+0x35/0x50
[ 46.304517] ? rtnl_calcit.isra.0+0x3a0/0x3a0
[ 46.308998] ? netlink_ack+0x970/0x970
[ 46.312866] netlink_unicast+0x437/0x610
[ 46.316920] ? netlink_sendskb+0x50/0x50
[ 46.320983] netlink_sendmsg+0x64a/0xbb0
[ 46.325045] ? nlmsg_notify+0x160/0x160
[ 46.328992] ? move_addr_to_kernel.part.0+0xf0/0xf0
[ 46.333995] ? security_socket_sendmsg+0x83/0xb0
[ 46.338728] ? nlmsg_notify+0x160/0x160
[ 46.342680] sock_sendmsg+0xb5/0x100
[ 46.346385] ___sys_sendmsg+0x349/0x840
[ 46.350372] ? copy_msghdr_from_user+0x380/0x380
[ 46.355114] ? lock_downgrade+0x6e0/0x6e0
[ 46.359334] ? kstrtouint+0xe6/0x130
[ 46.363030] ? _kstrtoul+0x110/0x110
[ 46.366753] ? __might_fault+0x177/0x1b0
[ 46.370808] ? _copy_from_user+0x94/0x100
[ 46.374937] ? get_pid_task+0x91/0x130
[ 46.378893] ? check_preemption_disabled+0x35/0x240
[ 46.383886] ? lock_downgrade+0x6e0/0x6e0
[ 46.388012] ? __fget_light+0x16a/0x1f0
[ 46.391966] ? sockfd_lookup_light+0xb2/0x160
[ 46.396474] __sys_sendmmsg+0x129/0x330
[ 46.400427] ? SyS_sendmsg+0x40/0x40
[ 46.404135] ? lock_downgrade+0x6e0/0x6e0
[ 46.408283] ? rcu_lockdep_current_cpu_online+0xed/0x140
[ 46.413719] ? vfs_write+0x319/0x4d0
[ 46.417428] ? SyS_write+0x14d/0x210
[ 46.421120] ? SyS_read+0x210/0x210
[ 46.424738] SyS_sendmmsg+0x2f/0x50
[ 46.428345] ? __sys_sendmmsg+0x330/0x330
[ 46.432478] do_syscall_64+0x1d5/0x640
[ 46.436351] entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 46.441519] RIP: 0033:0x444089
[ 46.444694] RSP: 002b:00007fffd2a727a8 EFLAGS: 00000246 ORIG_RAX: 0000000000000133
[ 46.452641] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000444089
[ 46.459888] RDX: 0492492492492642 RSI: 0000000020000180 RDI: 0000000000000006
[ 46.467596] RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000
executing program
[ 46.474878] R10: 0000000000000000 R11: 0000000000000246 R12: ffffffffffffffff
[ 46.482129] R13: 0000000000000007 R14: 0000000000000000 R15: 0000000000000000
[ 46.495158] netlink: 72 bytes leftover after parsing attributes in process `syz-executor262'.
[ 46.507494] netlink: 72 bytes leftover after parsing attributes in process `syz-executor262'.
[ 46.517179] FAULT_INJECTION: forcing a failure.
[ 46.517179] name failslab, interval 1, probability 0, space 0, times 0
[ 46.528452] CPU: 0 PID: 6557 Comm: syz-executor262 Not tainted 4.14.182-syzkaller #0
[ 46.536323] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 46.545673] Call Trace:
[ 46.548259] dump_stack+0x1b2/0x283
[ 46.551878] should_fail.cold+0x10a/0x154
[ 46.556014] should_failslab+0xd6/0x130
[ 46.559973] kmem_cache_alloc_node+0x25f/0x400
[ 46.564573] __alloc_skb+0x9a/0x4c0
[ 46.568200] ? __kmalloc_reserve.isra.0+0xd0/0xd0
[ 46.573024] ? qfq_enqueue+0x1390/0x1390
[ 46.577065] tclass_notify.isra.0.constprop.0+0x80/0x190
[ 46.582497] tc_ctl_tclass+0x408/0xa00
[ 46.586377] ? qdisc_tree_reduce_backlog+0x490/0x490
[ 46.591457] ? rtnetlink_rcv_msg+0x2e8/0xb10
[ 46.595850] ? qdisc_tree_reduce_backlog+0x490/0x490
[ 46.600969] rtnetlink_rcv_msg+0x3be/0xb10
[ 46.605378] ? rtnl_calcit.isra.0+0x3a0/0x3a0
[ 46.609856] ? netdev_pick_tx+0x2e0/0x2e0
[ 46.613989] netlink_rcv_skb+0x127/0x370
[ 46.618051] ? memcpy+0x35/0x50
[ 46.621330] ? rtnl_calcit.isra.0+0x3a0/0x3a0
[ 46.625920] ? netlink_ack+0x970/0x970
[ 46.629901] netlink_unicast+0x437/0x610
[ 46.633968] ? netlink_sendskb+0x50/0x50
[ 46.638021] netlink_sendmsg+0x64a/0xbb0
[ 46.642084] ? nlmsg_notify+0x160/0x160
[ 46.646056] ? move_addr_to_kernel.part.0+0xf0/0xf0
[ 46.651055] ? security_socket_sendmsg+0x83/0xb0
[ 46.655802] ? nlmsg_notify+0x160/0x160
[ 46.659757] sock_sendmsg+0xb5/0x100
[ 46.663468] ___sys_sendmsg+0x349/0x840
[ 46.667455] ? copy_msghdr_from_user+0x380/0x380
[ 46.672207] ? lock_downgrade+0x6e0/0x6e0
[ 46.676340] ? kstrtouint+0xe6/0x130
[ 46.680083] ? _kstrtoul+0x110/0x110
[ 46.683777] ? __might_fault+0x177/0x1b0
[ 46.687828] ? _copy_from_user+0x94/0x100
[ 46.691984] ? get_pid_task+0x91/0x130
[ 46.695875] ? check_preemption_disabled+0x35/0x240
[ 46.700879] ? lock_downgrade+0x6e0/0x6e0
[ 46.705019] ? __fget_light+0x16a/0x1f0
[ 46.709080] ? sockfd_lookup_light+0xb2/0x160
[ 46.713559] __sys_sendmmsg+0x129/0x330
[ 46.717533] ? SyS_sendmsg+0x40/0x40
[ 46.721243] ? lock_downgrade+0x6e0/0x6e0
[ 46.725392] ? rcu_lockdep_current_cpu_online+0xed/0x140
[ 46.730827] ? vfs_write+0x319/0x4d0
[ 46.734525] ? SyS_write+0x14d/0x210
[ 46.738232] ? SyS_read+0x210/0x210
[ 46.741944] SyS_sendmmsg+0x2f/0x50
[ 46.745553] ? __sys_sendmmsg+0x330/0x330
[ 46.749686] do_syscall_64+0x1d5/0x640
[ 46.753559] entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 46.758734] RIP: 0033:0x444089
[ 46.761910] RSP: 002b:00007fffd2a727a8 EFLAGS: 00000246 ORIG_RAX: 0000000000000133
[ 46.769761] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000444089
executing program
[ 46.777014] RDX: 0492492492492642 RSI: 0000000020000180 RDI: 0000000000000006
[ 46.784272] RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000
[ 46.791528] R10: 0000000000000000 R11: 0000000000000246 R12: ffffffffffffffff
[ 46.798783] R13: 0000000000000007 R14: 0000000000000000 R15: 0000000000000000
[ 46.811828] netlink: 72 bytes leftover after parsing attributes in process `syz-executor262'.
[ 46.824527] netlink: 72 bytes leftover after parsing attributes in process `syz-executor262'.
[ 46.834227] FAULT_INJECTION: forcing a failure.
[ 46.834227] name failslab, interval 1, probability 0, space 0, times 0
[ 46.845505] CPU: 0 PID: 6558 Comm: syz-executor262 Not tainted 4.14.182-syzkaller #0
[ 46.853507] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 46.862868] Call Trace:
[ 46.865458] dump_stack+0x1b2/0x283
[ 46.869070] should_fail.cold+0x10a/0x154
[ 46.873199] should_failslab+0xd6/0x130
[ 46.877156] kmem_cache_alloc_trace+0x2b7/0x3f0
[ 46.881821] qfq_change_class+0x47c/0x107a
[ 46.886056] ? qfq_enqueue+0x1390/0x1390
[ 46.890103] ? nla_parse+0x162/0x220
[ 46.893796] ? qdisc_match_from_root+0x148/0x220
[ 46.898530] ? qfq_enqueue+0x1390/0x1390
[ 46.902570] tc_ctl_tclass+0x3e2/0xa00
[ 46.906545] ? qdisc_tree_reduce_backlog+0x490/0x490
[ 46.911655] ? rtnetlink_rcv_msg+0x2e8/0xb10
[ 46.916053] ? qdisc_tree_reduce_backlog+0x490/0x490
[ 46.921143] rtnetlink_rcv_msg+0x3be/0xb10
[ 46.925376] ? rtnl_calcit.isra.0+0x3a0/0x3a0
[ 46.929855] ? netdev_pick_tx+0x2e0/0x2e0
[ 46.934006] netlink_rcv_skb+0x127/0x370
[ 46.938054] ? memcpy+0x35/0x50
[ 46.941322] ? rtnl_calcit.isra.0+0x3a0/0x3a0
[ 46.945822] ? netlink_ack+0x970/0x970
[ 46.949708] netlink_unicast+0x437/0x610
[ 46.953774] ? netlink_sendskb+0x50/0x50
[ 46.957817] netlink_sendmsg+0x64a/0xbb0
[ 46.961859] ? nlmsg_notify+0x160/0x160
[ 46.965818] ? move_addr_to_kernel.part.0+0xf0/0xf0
[ 46.970824] ? security_socket_sendmsg+0x83/0xb0
[ 46.975655] ? nlmsg_notify+0x160/0x160
[ 46.979629] sock_sendmsg+0xb5/0x100
[ 46.983427] ___sys_sendmsg+0x349/0x840
[ 46.987379] ? copy_msghdr_from_user+0x380/0x380
[ 46.992115] ? lock_downgrade+0x6e0/0x6e0
[ 46.996269] ? kstrtouint+0xe6/0x130
[ 46.999963] ? _kstrtoul+0x110/0x110
[ 47.003658] ? __might_fault+0x177/0x1b0
[ 47.007722] ? _copy_from_user+0x94/0x100
[ 47.011856] ? get_pid_task+0x91/0x130
[ 47.015738] ? check_preemption_disabled+0x35/0x240
[ 47.020733] ? lock_downgrade+0x6e0/0x6e0
[ 47.024868] ? __fget_light+0x16a/0x1f0
[ 47.028839] ? sockfd_lookup_light+0xb2/0x160
[ 47.033312] __sys_sendmmsg+0x129/0x330
[ 47.037280] ? SyS_sendmsg+0x40/0x40
[ 47.041006] ? lock_downgrade+0x6e0/0x6e0
[ 47.045163] ? rcu_lockdep_current_cpu_online+0xed/0x140
[ 47.050609] ? vfs_write+0x319/0x4d0
[ 47.054303] ? SyS_write+0x14d/0x210
[ 47.058017] ? SyS_read+0x210/0x210
[ 47.061625] SyS_sendmmsg+0x2f/0x50
[ 47.065232] ? __sys_sendmmsg+0x330/0x330
[ 47.069461] do_syscall_64+0x1d5/0x640
[ 47.073348] entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 47.078516] RIP: 0033:0x444089
[ 47.081682] RSP: 002b:00007fffd2a727a8 EFLAGS: 00000246 ORIG_RAX: 0000000000000133
[ 47.089383] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000444089
[ 47.096632] RDX: 0492492492492642 RSI: 0000000020000180 RDI: 0000000000000006
[ 47.103895] RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000
[ 47.111149] R10: 0000000000000000 R11: 0000000000000246 R12: ffffffffffffffff
[ 47.118397] R13: 0000000000000007 R14: 0000000000000000 R15: 0000000000000000
[ 47.127350] ==================================================================
[ 47.134862] BUG: KASAN: use-after-free in qfq_find_class+0x144/0x170
[ 47.141350] Read of size 4 at addr ffff8880a9a93d80 by task syz-executor262/6558
[ 47.148965]
[ 47.150686] CPU: 0 PID: 6558 Comm: syz-executor262 Not tainted 4.14.182-syzkaller #0
[ 47.158565] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 47.167912] Call Trace:
[ 47.170503] dump_stack+0x1b2/0x283
[ 47.174212] ? qfq_find_class+0x144/0x170
[ 47.178339] print_address_description.cold+0x54/0x1dc
[ 47.183598] ? qfq_find_class+0x144/0x170
[ 47.187724] kasan_report.cold+0xa9/0x2b9
[ 47.191850] qfq_find_class+0x144/0x170
[ 47.195802] ? qdisc_lookup+0x58/0x1f0
[ 47.199668] tc_ctl_tclass+0x5a4/0xa00
[ 47.203567] ? qdisc_tree_reduce_backlog+0x490/0x490
[ 47.208693] ? rtnetlink_rcv_msg+0x2e8/0xb10
[ 47.213189] ? qdisc_tree_reduce_backlog+0x490/0x490
[ 47.218282] rtnetlink_rcv_msg+0x3be/0xb10
[ 47.222498] ? rtnl_calcit.isra.0+0x3a0/0x3a0
[ 47.226972] ? netdev_pick_tx+0x2e0/0x2e0
[ 47.231101] netlink_rcv_skb+0x127/0x370
[ 47.235142] ? memcpy+0x35/0x50
[ 47.238399] ? rtnl_calcit.isra.0+0x3a0/0x3a0
[ 47.242892] ? netlink_ack+0x970/0x970
[ 47.246764] netlink_unicast+0x437/0x610
[ 47.250827] ? netlink_sendskb+0x50/0x50
[ 47.254877] netlink_sendmsg+0x64a/0xbb0
[ 47.258918] ? nlmsg_notify+0x160/0x160
[ 47.262870] ? move_addr_to_kernel.part.0+0xf0/0xf0
[ 47.267865] ? security_socket_sendmsg+0x83/0xb0
[ 47.272605] ? nlmsg_notify+0x160/0x160
[ 47.276562] sock_sendmsg+0xb5/0x100
[ 47.280263] ___sys_sendmsg+0x349/0x840
[ 47.284231] ? copy_msghdr_from_user+0x380/0x380
[ 47.288973] ? trace_hardirqs_on+0x10/0x10
[ 47.293206] ? _kstrtoul+0x110/0x110
[ 47.296897] ? __might_fault+0x177/0x1b0
[ 47.300936] ? _copy_from_user+0x94/0x100
[ 47.305061] ? get_pid_task+0x91/0x130
[ 47.308929] ? __might_fault+0x104/0x1b0
[ 47.312985] ? lock_acquire+0x170/0x3f0
[ 47.316958] __sys_sendmmsg+0x129/0x330
[ 47.320910] ? SyS_sendmsg+0x40/0x40
[ 47.324605] ? lock_downgrade+0x6e0/0x6e0
[ 47.328742] ? rcu_lockdep_current_cpu_online+0xed/0x140
[ 47.334175] ? vfs_write+0x319/0x4d0
[ 47.337876] ? SyS_write+0x14d/0x210
[ 47.341584] ? SyS_read+0x210/0x210
[ 47.345188] SyS_sendmmsg+0x2f/0x50
[ 47.348795] ? __sys_sendmmsg+0x330/0x330
[ 47.353200] do_syscall_64+0x1d5/0x640
[ 47.357094] entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 47.362260] RIP: 0033:0x444089
[ 47.365443] RSP: 002b:00007fffd2a727a8 EFLAGS: 00000246 ORIG_RAX: 0000000000000133
[ 47.373141] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000444089
[ 47.380393] RDX: 0492492492492642 RSI: 0000000020000180 RDI: 0000000000000006
[ 47.387653] RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000
[ 47.394909] R10: 0000000000000000 R11: 0000000000000246 R12: ffffffffffffffff
[ 47.402179] R13: 0000000000000007 R14: 0000000000000000 R15: 0000000000000000
[ 47.409436]
[ 47.411064] Allocated by task 6558:
[ 47.414699] kasan_kmalloc.part.0+0x4f/0xd0
[ 47.419013] kmem_cache_alloc_trace+0x14d/0x3f0
[ 47.423661] qfq_change_class+0x7d2/0x107a
[ 47.427875] tc_ctl_tclass+0x3e2/0xa00
[ 47.431758] rtnetlink_rcv_msg+0x3be/0xb10
[ 47.436021] netlink_rcv_skb+0x127/0x370
[ 47.440078] netlink_unicast+0x437/0x610
[ 47.444138] netlink_sendmsg+0x64a/0xbb0
[ 47.448192] sock_sendmsg+0xb5/0x100
[ 47.451902] ___sys_sendmsg+0x349/0x840
[ 47.455868] __sys_sendmmsg+0x129/0x330
[ 47.459821] SyS_sendmmsg+0x2f/0x50
[ 47.463442] do_syscall_64+0x1d5/0x640
[ 47.467323] entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 47.472485]
[ 47.474105] Freed by task 6558:
[ 47.477368] kasan_slab_free+0xaf/0x190
[ 47.481387] kfree+0xcb/0x260
[ 47.484485] qfq_change_class+0xd86/0x107a
[ 47.488695] tc_ctl_tclass+0x3e2/0xa00
[ 47.492561] rtnetlink_rcv_msg+0x3be/0xb10
[ 47.496773] netlink_rcv_skb+0x127/0x370
[ 47.500810] netlink_unicast+0x437/0x610
[ 47.504872] netlink_sendmsg+0x64a/0xbb0
[ 47.509013] sock_sendmsg+0xb5/0x100
[ 47.512810] ___sys_sendmsg+0x349/0x840
[ 47.516765] __sys_sendmmsg+0x129/0x330
[ 47.520726] SyS_sendmmsg+0x2f/0x50
[ 47.524338] do_syscall_64+0x1d5/0x640
[ 47.528262] entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 47.533427]
[ 47.535036] The buggy address belongs to the object at ffff8880a9a93d80
[ 47.535036] which belongs to the cache kmalloc-128 of size 128
[ 47.547788] The buggy address is located 0 bytes inside of
[ 47.547788] 128-byte region [ffff8880a9a93d80, ffff8880a9a93e00)
[ 47.559738] The buggy address belongs to the page:
[ 47.564650] page:ffffea0002a6a4c0 count:1 mapcount:0 mapping:ffff8880a9a93000 index:0x0
[ 47.572773] flags: 0xfffe0000000100(slab)
[ 47.576915] raw: 00fffe0000000100 ffff8880a9a93000 0000000000000000 0000000100000015
[ 47.584792] raw: ffffea0002814ee0 ffffea000253e560 ffff8880aa800640 0000000000000000
[ 47.593607] page dumped because: kasan: bad access detected
[ 47.599291]
[ 47.600912] Memory state around the buggy address:
[ 47.605829] ffff8880a9a93c80: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 47.613182] ffff8880a9a93d00: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 47.620545] >ffff8880a9a93d80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 47.627882] ^
[ 47.631240] ffff8880a9a93e00: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
[ 47.638583] ffff8880a9a93e80: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc
[ 47.645934] ==================================================================
[ 47.653283] Disabling lock debugging due to kernel taint
[ 47.659964] Kernel panic - not syncing: panic_on_warn set ...
[ 47.659964]
[ 47.667340] CPU: 0 PID: 6558 Comm: syz-executor262 Tainted: G B 4.14.182-syzkaller #0
[ 47.676426] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 47.685770] Call Trace:
[ 47.688353] dump_stack+0x1b2/0x283
[ 47.692005] panic+0x1f9/0x42d
[ 47.695186] ? add_taint.cold+0x16/0x16
[ 47.699136] ? preempt_schedule_common+0x4a/0xc0
[ 47.703879] ? qfq_find_class+0x144/0x170
[ 47.708031] ? ___preempt_schedule+0x16/0x18
[ 47.712429] ? qfq_find_class+0x144/0x170
[ 47.716585] kasan_end_report+0x43/0x49
[ 47.720547] kasan_report.cold+0x12f/0x2b9
[ 47.724769] qfq_find_class+0x144/0x170
[ 47.728733] ? qdisc_lookup+0x58/0x1f0
[ 47.732660] tc_ctl_tclass+0x5a4/0xa00
[ 47.736530] ? qdisc_tree_reduce_backlog+0x490/0x490
[ 47.741611] ? rtnetlink_rcv_msg+0x2e8/0xb10
[ 47.746015] ? qdisc_tree_reduce_backlog+0x490/0x490
[ 47.751097] rtnetlink_rcv_msg+0x3be/0xb10
[ 47.755332] ? rtnl_calcit.isra.0+0x3a0/0x3a0
[ 47.759807] ? netdev_pick_tx+0x2e0/0x2e0
[ 47.763954] netlink_rcv_skb+0x127/0x370
[ 47.768012] ? memcpy+0x35/0x50
[ 47.771480] ? rtnl_calcit.isra.0+0x3a0/0x3a0
[ 47.775952] ? netlink_ack+0x970/0x970
[ 47.779833] netlink_unicast+0x437/0x610
[ 47.783876] ? netlink_sendskb+0x50/0x50
[ 47.787914] netlink_sendmsg+0x64a/0xbb0
[ 47.791960] ? nlmsg_notify+0x160/0x160
[ 47.795933] ? move_addr_to_kernel.part.0+0xf0/0xf0
[ 47.800935] ? security_socket_sendmsg+0x83/0xb0
[ 47.805683] ? nlmsg_notify+0x160/0x160
[ 47.809649] sock_sendmsg+0xb5/0x100
[ 47.813341] ___sys_sendmsg+0x349/0x840
[ 47.817303] ? copy_msghdr_from_user+0x380/0x380
[ 47.822044] ? trace_hardirqs_on+0x10/0x10
[ 47.826289] ? _kstrtoul+0x110/0x110
[ 47.830012] ? __might_fault+0x177/0x1b0
[ 47.834054] ? _copy_from_user+0x94/0x100
[ 47.838179] ? get_pid_task+0x91/0x130
[ 47.842133] ? __might_fault+0x104/0x1b0
[ 47.846188] ? lock_acquire+0x170/0x3f0
[ 47.850144] __sys_sendmmsg+0x129/0x330
[ 47.854097] ? SyS_sendmsg+0x40/0x40
[ 47.857848] ? lock_downgrade+0x6e0/0x6e0
[ 47.862040] ? rcu_lockdep_current_cpu_online+0xed/0x140
[ 47.867517] ? vfs_write+0x319/0x4d0
[ 47.871225] ? SyS_write+0x14d/0x210
[ 47.874919] ? SyS_read+0x210/0x210
[ 47.878524] SyS_sendmmsg+0x2f/0x50
[ 47.882127] ? __sys_sendmmsg+0x330/0x330
[ 47.886255] do_syscall_64+0x1d5/0x640
[ 47.890138] entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 47.895318] RIP: 0033:0x444089
[ 47.898484] RSP: 002b:00007fffd2a727a8 EFLAGS: 00000246 ORIG_RAX: 0000000000000133
[ 47.906183] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000444089
[ 47.913434] RDX: 0492492492492642 RSI: 0000000020000180 RDI: 0000000000000006
[ 47.920694] RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000
[ 47.927939] R10: 0000000000000000 R11: 0000000000000246 R12: ffffffffffffffff
[ 47.935208] R13: 0000000000000007 R14: 0000000000000000 R15: 0000000000000000
[ 47.943811] Kernel Offset: disabled
[ 47.947425] Rebooting in 86400 seconds..