[....] Starting enhanced syslogd: rsyslogd [ ok ]. [ 82.935254][ T27] audit: type=1800 audit(1578571801.832:25): pid=9474 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="cron" dev="sda1" ino=2414 res=0 [ 82.970668][ T27] audit: type=1800 audit(1578571801.832:26): pid=9474 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0 [ 83.015197][ T27] audit: type=1800 audit(1578571801.842:27): pid=9474 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0 [....] Starting periodic command scheduler: cron [ ok ]. [....] Starting OpenBSD Secure Shell server: sshd [ ok ]. Debian GNU/Linux 7 syzkaller ttyS0 Warning: Permanently added '10.128.0.93' (ECDSA) to the list of known hosts. executing program executing program syzkaller login: [ 94.533438][ T9632] ================================================================== [ 94.542526][ T9632] BUG: KASAN: use-after-free in bitmap_port_ext_cleanup+0xe6/0x2a0 [ 94.550548][ T9632] Read of size 8 at addr ffff888095924380 by task syz-executor197/9632 [ 94.558953][ T9632] [ 94.561368][ T9632] CPU: 1 PID: 9632 Comm: syz-executor197 Not tainted 5.5.0-rc5-syzkaller #0 [ 94.570593][ T9632] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 94.582640][ T9632] Call Trace: [ 94.586038][ T9632] dump_stack+0x197/0x210 [ 94.590450][ T9632] ? bitmap_port_ext_cleanup+0xe6/0x2a0 [ 94.596488][ T9632] print_address_description.constprop.0.cold+0xd4/0x30b [ 94.604021][ T9632] ? bitmap_port_ext_cleanup+0xe6/0x2a0 [ 94.610395][ T9632] ? bitmap_port_ext_cleanup+0xe6/0x2a0 [ 94.616523][ T9632] __kasan_report.cold+0x1b/0x41 [ 94.621485][ T9632] ? kfree+0x150/0x2c0 [ 94.625649][ T9632] ? 
bitmap_port_ext_cleanup+0xe6/0x2a0 [ 94.631307][ T9632] kasan_report+0x12/0x20 [ 94.635670][ T9632] check_memory_region+0x134/0x1a0 [ 94.641029][ T9632] __kasan_check_read+0x11/0x20 [ 94.645954][ T9632] bitmap_port_ext_cleanup+0xe6/0x2a0 [ 94.651493][ T9632] bitmap_port_destroy+0x17c/0x1d0 [ 94.656680][ T9632] ip_set_create+0xe47/0x1500 [ 94.662054][ T9632] ? ip_set_destroy+0xb70/0xb70 [ 94.669499][ T9632] ? ip_set_destroy+0xb70/0xb70 [ 94.675402][ T9632] nfnetlink_rcv_msg+0xcf2/0xfb0 [ 94.680428][ T9632] ? nfnetlink_bind+0x2c0/0x2c0 [ 94.685284][ T9632] ? __kasan_check_read+0x11/0x20 [ 94.690610][ T9632] ? __lock_acquire+0x8a0/0x4a00 [ 94.695720][ T9632] ? save_stack+0x5c/0x90 [ 94.700082][ T9632] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 94.706442][ T9632] ? apparmor_capable+0x497/0x900 [ 94.712334][ T9632] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 94.718580][ T9632] ? __kasan_check_read+0x11/0x20 [ 94.723696][ T9632] ? apparmor_cred_prepare+0x7b0/0x7b0 [ 94.729185][ T9632] netlink_rcv_skb+0x177/0x450 [ 94.733986][ T9632] ? nfnetlink_bind+0x2c0/0x2c0 [ 94.738844][ T9632] ? netlink_ack+0xb50/0xb50 [ 94.743436][ T9632] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 94.749761][ T9632] ? ns_capable_common+0x93/0x100 [ 94.754774][ T9632] ? ns_capable+0x20/0x30 [ 94.759196][ T9632] ? __netlink_ns_capable+0x104/0x140 [ 94.764734][ T9632] nfnetlink_rcv+0x1ba/0x460 [ 94.769384][ T9632] ? nfnetlink_rcv_batch+0x17a0/0x17a0 [ 94.774919][ T9632] ? netlink_deliver_tap+0x24a/0xbe0 [ 94.780579][ T9632] ? __kasan_check_write+0x14/0x20 [ 94.785684][ T9632] netlink_unicast+0x58c/0x7d0 [ 94.790713][ T9632] ? netlink_attachskb+0x870/0x870 [ 94.795838][ T9632] ? __sanitizer_cov_trace_cmp8+0x18/0x20 [ 94.802866][ T9632] ? __check_object_size+0x3d/0x437 [ 94.808062][ T9632] netlink_sendmsg+0x91c/0xea0 [ 94.812829][ T9632] ? netlink_unicast+0x7d0/0x7d0 [ 94.817859][ T9632] ? aa_sock_msg_perm.isra.0+0xba/0x170 [ 94.824784][ T9632] ? 
apparmor_socket_sendmsg+0x2a/0x30 [ 94.830259][ T9632] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 94.836627][ T9632] ? security_socket_sendmsg+0x8d/0xc0 [ 94.842093][ T9632] ? netlink_unicast+0x7d0/0x7d0 [ 94.847033][ T9632] sock_sendmsg+0xd7/0x130 [ 94.852308][ T9632] ____sys_sendmsg+0x753/0x880 [ 94.857147][ T9632] ? kernel_sendmsg+0x50/0x50 [ 94.861812][ T9632] ? mark_held_locks+0xa4/0xf0 [ 94.866578][ T9632] ? do_huge_pmd_anonymous_page+0x1463/0x1a50 [ 94.872876][ T9632] ? __handle_mm_fault+0x3145/0x3cc0 [ 94.878170][ T9632] ? do_huge_pmd_anonymous_page+0x1463/0x1a50 [ 94.886544][ T9632] ___sys_sendmsg+0x100/0x170 [ 94.893453][ T9632] ? do_huge_pmd_anonymous_page+0xceb/0x1a50 [ 94.899709][ T9632] ? sendmsg_copy_msghdr+0x70/0x70 [ 94.904842][ T9632] ? __do_page_fault+0x56a/0xd80 [ 94.909795][ T9632] ? find_held_lock+0x35/0x130 [ 94.914547][ T9632] ? __do_page_fault+0x56a/0xd80 [ 94.919487][ T9632] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 94.925719][ T9632] ? __fget_light+0x1a9/0x230 [ 94.930393][ T9632] ? __fdget+0x1b/0x20 [ 94.934447][ T9632] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 94.940699][ T9632] __sys_sendmsg+0x105/0x1d0 [ 94.945452][ T9632] ? __sys_sendmsg_sock+0xc0/0xc0 [ 94.950463][ T9632] ? down_read_non_owner+0x490/0x490 [ 94.955774][ T9632] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 94.961487][ T9632] ? do_syscall_64+0x26/0x790 [ 94.966147][ T9632] ? entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 94.973779][ T9632] ? 
do_syscall_64+0x26/0x790 [ 94.979567][ T9632] __x64_sys_sendmsg+0x78/0xb0 [ 94.984463][ T9632] do_syscall_64+0xfa/0x790 [ 94.988977][ T9632] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 94.995013][ T9632] RIP: 0033:0x4413d9 [ 95.000570][ T9632] Code: e8 fc ab 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 9b 09 fc ff c3 66 2e 0f 1f 84 00 00 00 00 [ 95.022401][ T9632] RSP: 002b:00007ffec7301a68 EFLAGS: 00000246 ORIG_RAX: 000000000000002e [ 95.031875][ T9632] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00000000004413d9 [ 95.040182][ T9632] RDX: 0000000000000000 RSI: 0000000020001080 RDI: 0000000000000003 [ 95.048139][ T9632] RBP: 0000000000017120 R08: 00000000004002c8 R09: 00000000004002c8 [ 95.056126][ T9632] R10: 0000000000000004 R11: 0000000000000246 R12: 0000000000402200 [ 95.064325][ T9632] R13: 0000000000402290 R14: 0000000000000000 R15: 0000000000000000 [ 95.072536][ T9632] [ 95.075574][ T9632] Allocated by task 9632: [ 95.079915][ T9632] save_stack+0x23/0x90 [ 95.084873][ T9632] __kasan_kmalloc.constprop.0+0xcf/0xe0 [ 95.091646][ T9632] kasan_kmalloc+0x9/0x10 [ 95.097135][ T9632] __kmalloc+0x163/0x770 [ 95.101692][ T9632] ip_set_alloc+0x38/0x5e [ 95.106263][ T9632] bitmap_port_create+0x3dc/0x7c0 [ 95.111770][ T9632] ip_set_create+0x6f1/0x1500 [ 95.116724][ T9632] nfnetlink_rcv_msg+0xcf2/0xfb0 [ 95.122363][ T9632] netlink_rcv_skb+0x177/0x450 [ 95.127497][ T9632] nfnetlink_rcv+0x1ba/0x460 [ 95.132384][ T9632] netlink_unicast+0x58c/0x7d0 [ 95.137531][ T9632] netlink_sendmsg+0x91c/0xea0 [ 95.142838][ T9632] sock_sendmsg+0xd7/0x130 [ 95.147606][ T9632] ____sys_sendmsg+0x753/0x880 [ 95.152378][ T9632] ___sys_sendmsg+0x100/0x170 [ 95.157225][ T9632] __sys_sendmsg+0x105/0x1d0 [ 95.161806][ T9632] __x64_sys_sendmsg+0x78/0xb0 [ 95.166585][ T9632] do_syscall_64+0xfa/0x790 [ 95.171287][ T9632] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 95.178699][ T9632] [ 95.181351][ 
T9632] Freed by task 9632: [ 95.185425][ T9632] save_stack+0x23/0x90 [ 95.189582][ T9632] __kasan_slab_free+0x102/0x150 [ 95.194789][ T9632] kasan_slab_free+0xe/0x10 [ 95.199558][ T9632] kfree+0x10a/0x2c0 [ 95.203651][ T9632] kvfree+0x61/0x70 [ 95.207640][ T9632] ip_set_free+0x16/0x20 [ 95.212802][ T9632] bitmap_port_destroy+0xae/0x1d0 [ 95.218872][ T9632] ip_set_create+0xe47/0x1500 [ 95.224035][ T9632] nfnetlink_rcv_msg+0xcf2/0xfb0 [ 95.229481][ T9632] netlink_rcv_skb+0x177/0x450 [ 95.234871][ T9632] nfnetlink_rcv+0x1ba/0x460 [ 95.239551][ T9632] netlink_unicast+0x58c/0x7d0 [ 95.244411][ T9632] netlink_sendmsg+0x91c/0xea0 [ 95.249264][ T9632] sock_sendmsg+0xd7/0x130 [ 95.253729][ T9632] ____sys_sendmsg+0x753/0x880 [ 95.258594][ T9632] ___sys_sendmsg+0x100/0x170 [ 95.263409][ T9632] __sys_sendmsg+0x105/0x1d0 [ 95.268010][ T9632] __x64_sys_sendmsg+0x78/0xb0 [ 95.273040][ T9632] do_syscall_64+0xfa/0x790 [ 95.277915][ T9632] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 95.284342][ T9632] [ 95.286782][ T9632] The buggy address belongs to the object at ffff888095924380 [ 95.286782][ T9632] which belongs to the cache kmalloc-32 of size 32 [ 95.301844][ T9632] The buggy address is located 0 bytes inside of [ 95.301844][ T9632] 32-byte region [ffff888095924380, ffff8880959243a0) [ 95.315227][ T9632] The buggy address belongs to the page: [ 95.321215][ T9632] page:ffffea0002564900 refcount:1 mapcount:0 mapping:ffff8880aa4001c0 index:0xffff888095924fc1 [ 95.332810][ T9632] raw: 00fffe0000000200 ffffea0002a18788 ffffea0002a5b0c8 ffff8880aa4001c0 [ 95.341916][ T9632] raw: ffff888095924fc1 ffff888095924000 0000000100000025 0000000000000000 [ 95.351122][ T9632] page dumped because: kasan: bad access detected [ 95.358098][ T9632] [ 95.360522][ T9632] Memory state around the buggy address: [ 95.366520][ T9632] ffff888095924280: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc [ 95.379101][ T9632] ffff888095924300: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc [ 95.389141][ T9632] 
>ffff888095924380: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc [ 95.399757][ T9632] ^ [ 95.404792][ T9632] ffff888095924400: fb fb fb fb fc fc fc fc 00 01 fc fc fc fc fc fc [ 95.413794][ T9632] ffff888095924480: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc [ 95.422176][ T9632] ================================================================== [ 95.431991][ T9632] Disabling lock debugging due to kernel taint [ 95.439412][ T9632] Kernel panic - not syncing: panic_on_warn set ... [ 95.446675][ T9632] CPU: 1 PID: 9632 Comm: syz-executor197 Tainted: G B 5.5.0-rc5-syzkaller #0 [ 95.457102][ T9632] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 95.468360][ T9632] Call Trace: [ 95.471766][ T9632] dump_stack+0x197/0x210 [ 95.476876][ T9632] panic+0x2e3/0x75c [ 95.480760][ T9632] ? add_taint.cold+0x16/0x16 [ 95.485526][ T9632] ? bitmap_port_ext_cleanup+0xe6/0x2a0 [ 95.491844][ T9632] ? preempt_schedule+0x4b/0x60 [ 95.497054][ T9632] ? ___preempt_schedule+0x16/0x18 [ 95.502578][ T9632] ? trace_hardirqs_on+0x5e/0x240 [ 95.507865][ T9632] ? bitmap_port_ext_cleanup+0xe6/0x2a0 [ 95.513549][ T9632] end_report+0x47/0x4f [ 95.518121][ T9632] ? bitmap_port_ext_cleanup+0xe6/0x2a0 [ 95.523802][ T9632] __kasan_report.cold+0xe/0x41 [ 95.528874][ T9632] ? kfree+0x150/0x2c0 [ 95.533035][ T9632] ? bitmap_port_ext_cleanup+0xe6/0x2a0 [ 95.538756][ T9632] kasan_report+0x12/0x20 [ 95.543087][ T9632] check_memory_region+0x134/0x1a0 [ 95.548359][ T9632] __kasan_check_read+0x11/0x20 [ 95.553207][ T9632] bitmap_port_ext_cleanup+0xe6/0x2a0 [ 95.558686][ T9632] bitmap_port_destroy+0x17c/0x1d0 [ 95.564160][ T9632] ip_set_create+0xe47/0x1500 [ 95.569361][ T9632] ? ip_set_destroy+0xb70/0xb70 [ 95.574223][ T9632] ? ip_set_destroy+0xb70/0xb70 [ 95.579095][ T9632] nfnetlink_rcv_msg+0xcf2/0xfb0 [ 95.584038][ T9632] ? nfnetlink_bind+0x2c0/0x2c0 [ 95.589089][ T9632] ? __kasan_check_read+0x11/0x20 [ 95.595594][ T9632] ? 
__lock_acquire+0x8a0/0x4a00 [ 95.600799][ T9632] ? save_stack+0x5c/0x90 [ 95.607120][ T9632] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 95.614072][ T9632] ? apparmor_capable+0x497/0x900 [ 95.619335][ T9632] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 95.626388][ T9632] ? __kasan_check_read+0x11/0x20 [ 95.633528][ T9632] ? apparmor_cred_prepare+0x7b0/0x7b0 [ 95.640532][ T9632] netlink_rcv_skb+0x177/0x450 [ 95.646794][ T9632] ? nfnetlink_bind+0x2c0/0x2c0 [ 95.653976][ T9632] ? netlink_ack+0xb50/0xb50 [ 95.659678][ T9632] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 95.669843][ T9632] ? ns_capable_common+0x93/0x100 [ 95.677351][ T9632] ? ns_capable+0x20/0x30 [ 95.684837][ T9632] ? __netlink_ns_capable+0x104/0x140 [ 95.691080][ T9632] nfnetlink_rcv+0x1ba/0x460 [ 95.698256][ T9632] ? nfnetlink_rcv_batch+0x17a0/0x17a0 [ 95.706361][ T9632] ? netlink_deliver_tap+0x24a/0xbe0 [ 95.715793][ T9632] ? __kasan_check_write+0x14/0x20 [ 95.723989][ T9632] netlink_unicast+0x58c/0x7d0 [ 95.730884][ T9632] ? netlink_attachskb+0x870/0x870 [ 95.739295][ T9632] ? __sanitizer_cov_trace_cmp8+0x18/0x20 [ 95.747139][ T9632] ? __check_object_size+0x3d/0x437 [ 95.754292][ T9632] netlink_sendmsg+0x91c/0xea0 [ 95.760360][ T9632] ? netlink_unicast+0x7d0/0x7d0 [ 95.767159][ T9632] ? aa_sock_msg_perm.isra.0+0xba/0x170 [ 95.774591][ T9632] ? apparmor_socket_sendmsg+0x2a/0x30 [ 95.783456][ T9632] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 95.791992][ T9632] ? security_socket_sendmsg+0x8d/0xc0 [ 95.802370][ T9632] ? netlink_unicast+0x7d0/0x7d0 [ 95.810045][ T9632] sock_sendmsg+0xd7/0x130 [ 95.814903][ T9632] ____sys_sendmsg+0x753/0x880 [ 95.820192][ T9632] ? kernel_sendmsg+0x50/0x50 [ 95.825938][ T9632] ? mark_held_locks+0xa4/0xf0 [ 95.831872][ T9632] ? do_huge_pmd_anonymous_page+0x1463/0x1a50 [ 95.838473][ T9632] ? __handle_mm_fault+0x3145/0x3cc0 [ 95.843760][ T9632] ? do_huge_pmd_anonymous_page+0x1463/0x1a50 [ 95.849930][ T9632] ___sys_sendmsg+0x100/0x170 [ 95.855183][ T9632] ? 
do_huge_pmd_anonymous_page+0xceb/0x1a50 [ 95.862478][ T9632] ? sendmsg_copy_msghdr+0x70/0x70 [ 95.868792][ T9632] ? __do_page_fault+0x56a/0xd80 [ 95.875649][ T9632] ? find_held_lock+0x35/0x130 [ 95.881038][ T9632] ? __do_page_fault+0x56a/0xd80 [ 95.886268][ T9632] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 95.896376][ T9632] ? __fget_light+0x1a9/0x230 [ 95.902119][ T9632] ? __fdget+0x1b/0x20 [ 95.906581][ T9632] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 95.914256][ T9632] __sys_sendmsg+0x105/0x1d0 [ 95.919059][ T9632] ? __sys_sendmsg_sock+0xc0/0xc0 [ 95.924798][ T9632] ? down_read_non_owner+0x490/0x490 [ 95.930299][ T9632] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 95.937598][ T9632] ? do_syscall_64+0x26/0x790 [ 95.943110][ T9632] ? entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 95.949256][ T9632] ? do_syscall_64+0x26/0x790 [ 95.954797][ T9632] __x64_sys_sendmsg+0x78/0xb0 [ 95.960560][ T9632] do_syscall_64+0xfa/0x790 [ 95.965164][ T9632] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 95.971149][ T9632] RIP: 0033:0x4413d9 [ 95.976315][ T9632] Code: e8 fc ab 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 9b 09 fc ff c3 66 2e 0f 1f 84 00 00 00 00 [ 96.001143][ T9632] RSP: 002b:00007ffec7301a68 EFLAGS: 00000246 ORIG_RAX: 000000000000002e [ 96.009995][ T9632] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00000000004413d9 [ 96.017983][ T9632] RDX: 0000000000000000 RSI: 0000000020001080 RDI: 0000000000000003 [ 96.025958][ T9632] RBP: 0000000000017120 R08: 00000000004002c8 R09: 00000000004002c8 [ 96.033933][ T9632] R10: 0000000000000004 R11: 0000000000000246 R12: 0000000000402200 [ 96.041980][ T9632] R13: 0000000000402290 R14: 0000000000000000 R15: 0000000000000000 [ 96.051937][ T9632] Kernel Offset: disabled [ 96.056304][ T9632] Rebooting in 86400 seconds..