[ OK ] Reached target Login Prompts.
[ OK ] Reached target Multi-User System.
[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
[ OK ] Started Update UTMP about System Runlevel Changes.
Debian GNU/Linux 9 syzkaller ttyS0
Warning: Permanently added '10.128.1.44' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 40.714098] audit: type=1400 audit(1599873442.828:8): avc: denied { execmem } for pid=6464 comm="syz-executor872" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=1
[ 40.742342] IPVS: ftp: loaded support on port[0] = 21
[ 40.778134] ==================================================================
[ 40.785517] BUG: KASAN: slab-out-of-bounds in __lock_acquire+0x2cb4/0x3ff0
[ 40.792546] Read of size 8 at addr ffff8882160c8fe0 by task syz-executor872/6465
[ 40.800056]
[ 40.801671] CPU: 0 PID: 6465 Comm: syz-executor872 Not tainted 4.19.144-syzkaller #0
[ 40.809534] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 40.818889] Call Trace:
[ 40.821467] dump_stack+0x1fc/0x2fe
[ 40.825076] print_address_description.cold+0x54/0x219
[ 40.830339] kasan_report_error.cold+0x8a/0x1c7
[ 40.835029] ? __lock_acquire+0x2cb4/0x3ff0
[ 40.839344] __asan_report_load8_noabort+0x88/0x90
[ 40.844251] ? __lock_acquire+0x2cb4/0x3ff0
[ 40.848551] __lock_acquire+0x2cb4/0x3ff0
[ 40.852676] ? __read_once_size_nocheck.constprop.0+0x10/0x10
[ 40.858571] ? deref_stack_reg+0x1d0/0x1d0
[ 40.862790] ? mark_held_locks+0xf0/0xf0
[ 40.866829] ? check_usage+0x19a/0x670
[ 40.870696] ? bpf_prog_kallsyms_find.part.0+0x1ad/0x270
[ 40.876143] ? check_usage_backwards+0x300/0x300
[ 40.880878] ? __kernel_text_address+0x9/0x30
[ 40.885357] ? check_usage_forwards+0x310/0x310
[ 40.890008] ? __save_stack_trace+0xaf/0x190
[ 40.894403] lock_acquire+0x170/0x3c0
[ 40.898187] ? xt_find_match+0xa3/0x280
[ 40.902160] ? xt_find_match+0xa3/0x280
[ 40.906126] __mutex_lock+0xd7/0x1260
[ 40.909908] ? xt_find_match+0xa3/0x280
[ 40.913886] ? check_usage_forwards+0x310/0x310
[ 40.918555] ? xt_find_match+0xa3/0x280
[ 40.922524] ? __mutex_add_waiter+0x160/0x160
[ 40.927014] ? mark_held_locks+0xf0/0xf0
[ 40.931060] ? mark_held_locks+0xf0/0xf0
[ 40.935105] ? _raw_spin_unlock_irqrestore+0x66/0xe0
[ 40.940195] ? __sanitizer_cov_trace_switch+0x4b/0x80
[ 40.945369] xt_find_match+0xa3/0x280
[ 40.949171] xt_request_find_match+0x88/0x110
[ 40.953652] em_ipt_change+0x1c7/0x46b
[ 40.957524] ? check_match+0x1e0/0x1e0
[ 40.961413] ? lock_acquire+0x170/0x3c0
[ 40.965376] ? tcf_em_lookup+0x1c/0x150
[ 40.969334] ? do_raw_read_unlock+0x3b/0x70
[ 40.973649] ? _raw_read_unlock+0x29/0x40
[ 40.977781] ? check_match+0x1e0/0x1e0
[ 40.981649] tcf_em_tree_validate+0x8fa/0xe95
[ 40.986142] ? tcf_em_tree_destroy+0x50/0x50
[ 40.990551] ? rcu_read_lock_sched_held+0x16c/0x1d0
[ 40.995553] ? kmem_cache_alloc_trace+0x323/0x380
[ 41.000400] flow_change+0x2a4/0x1ca0
[ 41.004205] ? flow_init+0xf0/0xf0
[ 41.007734] ? kmem_cache_alloc_trace+0x323/0x380
[ 41.012559] ? flow_init+0xf0/0xf0
[ 41.016082] tc_new_tfilter+0xb52/0x16c0
[ 41.020130] ? tcf_chain_tp_remove+0x2c0/0x2c0
[ 41.024696] ? check_nnp_nosuid.isra.0+0x2a0/0x2a0
[ 41.029625] ? rtnetlink_rcv_msg+0x3fe/0xb80
[ 41.034030] ? __mutex_add_waiter+0x160/0x160
[ 41.038528] ? tcf_chain_tp_remove+0x2c0/0x2c0
[ 41.043146] rtnetlink_rcv_msg+0x453/0xb80
[ 41.047382] ? rtnl_calcit.isra.0+0x430/0x430
[ 41.051875] ? __netlink_lookup+0x3fc/0x730
[ 41.056184] ? lock_downgrade+0x720/0x720
[ 41.060318] ? check_preemption_disabled+0x41/0x280
[ 41.065344] netlink_rcv_skb+0x160/0x440
[ 41.069431] ? rtnl_calcit.isra.0+0x430/0x430
[ 41.073937] ? netlink_ack+0xae0/0xae0
[ 41.077827] netlink_unicast+0x4d5/0x690
[ 41.081880] ? netlink_sendskb+0x110/0x110
[ 41.086097] netlink_sendmsg+0x6bb/0xc40
[ 41.090141] ? nlmsg_notify+0x1a0/0x1a0
[ 41.094092] ? kernel_recvmsg+0x220/0x220
[ 41.098221] ? nlmsg_notify+0x1a0/0x1a0
[ 41.102196] sock_sendmsg+0xc3/0x120
[ 41.105896] ___sys_sendmsg+0x3b3/0x8e0
[ 41.109874] ? copy_msghdr_from_user+0x440/0x440
[ 41.114617] ? mark_held_locks+0xf0/0xf0
[ 41.118673] ? mark_held_locks+0xf0/0xf0
[ 41.122713] ? mark_held_locks+0xf0/0xf0
[ 41.126753] ? fs_reclaim_release+0xd0/0x110
[ 41.131145] ? __might_fault+0x11f/0x1d0
[ 41.135198] ? lock_downgrade+0x720/0x720
[ 41.139339] ? lock_acquire+0x170/0x3c0
[ 41.143297] __sys_sendmmsg+0x195/0x470
[ 41.147275] ? __ia32_sys_sendmsg+0x220/0x220
[ 41.151771] ? alloc_file+0x326/0x4d0
[ 41.155558] ? check_preemption_disabled+0x41/0x280
[ 41.160599] ? __fd_install+0x1eb/0x610
[ 41.164557] ? __sys_socket+0x16d/0x200
[ 41.168548] ? move_addr_to_kernel+0x70/0x70
[ 41.172950] ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 41.177707] __x64_sys_sendmmsg+0x99/0x100
[ 41.181930] ? lockdep_hardirqs_on+0x3a8/0x5c0
[ 41.186503] do_syscall_64+0xf9/0x620
[ 41.190328] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 41.195519] RIP: 0033:0x440d09
[ 41.198697] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 fb 0f fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 41.217582] RSP: 002b:00007ffd6392a5b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000133
[ 41.225277] RAX: ffffffffffffffda RBX: 00000000004a2570 RCX: 0000000000440d09
[ 41.232534] RDX: 010efe10675dec16 RSI: 0000000020000200 RDI: 0000000000000004
[ 41.239788] RBP: 00007ffd6392a5c0 R08: 0000000120080522 R09: 0000000120080522
[ 41.247041] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000004a2570
[ 41.254294] R13: 0000000000402220 R14: 0000000000000000 R15: 0000000000000000
[ 41.261549]
[ 41.263166] Allocated by task 1:
[ 41.266512] kmem_cache_alloc+0x122/0x370
[ 41.270637] __proc_create+0x2b3/0x860
[ 41.274497] proc_create_reg+0xb2/0x180
[ 41.278467] proc_create_net_single+0x84/0x170
[ 41.283044] ip6_route_net_init_late+0x86/0xa0
[ 41.287629] ops_init+0xb3/0x410
[ 41.290981] register_pernet_operations+0x32f/0x790
[ 41.295979] register_pernet_subsys+0x25/0x40
[ 41.300469] ip6_route_init+0x13d/0x3ae
[ 41.304444] inet6_init+0x2ec/0x6b3
[ 41.308053] do_one_initcall+0xf1/0x734
[ 41.312000] kernel_init_freeable+0x9ab/0xa9d
[ 41.316470] kernel_init+0xd/0x1bd
[ 41.320000] ret_from_fork+0x24/0x30
[ 41.323682]
[ 41.325295] Freed by task 0:
[ 41.328297] (stack is not available)
[ 41.332021]
[ 41.333636] The buggy address belongs to the object at ffff8882160c8e40
[ 41.333636]  which belongs to the cache proc_dir_entry of size 256
[ 41.346529] The buggy address is located 160 bytes to the right of
[ 41.346529]  256-byte region [ffff8882160c8e40, ffff8882160c8f40)
[ 41.358898] The buggy address belongs to the page:
[ 41.363807] page:ffffea0008583200 count:1 mapcount:0 mapping:ffff88821b6856c0 index:0x0
[ 41.371925] flags: 0x57ffe0000000100(slab)
[ 41.376140] raw: 057ffe0000000100 ffffea000859fc88 ffffea0008583748 ffff88821b6856c0
[ 41.384004] raw: 0000000000000000 ffff8882160c8080 000000010000000c 0000000000000000
[ 41.391870] page dumped because: kasan: bad access detected
[ 41.397554]
[ 41.399153] Memory state around the buggy address:
[ 41.404066]  ffff8882160c8e80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 41.411404]  ffff8882160c8f00: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
[ 41.418741] >ffff8882160c8f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 41.426072]                                                        ^
[ 41.432542]  ffff8882160c9000: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 41.439879]  ffff8882160c9080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 41.447233] ==================================================================
[ 41.454577] Disabling lock debugging due to kernel taint
[ 41.460012] Kernel panic - not syncing: panic_on_warn set ...
[ 41.460012]
[ 41.467358] CPU: 0 PID: 6465 Comm: syz-executor872 Tainted: G B 4.19.144-syzkaller #0
[ 41.476611] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 41.485939] Call Trace:
[ 41.488520] dump_stack+0x1fc/0x2fe
[ 41.492209] panic+0x26a/0x50e
[ 41.495377] ? __warn_printk+0xf3/0xf3
[ 41.499258] ? lock_downgrade+0x720/0x720
[ 41.503462] ? print_shadow_for_address+0xb8/0x114
[ 41.508420] ? trace_hardirqs_off+0x64/0x200
[ 41.512831] kasan_end_report+0x43/0x49
[ 41.516796] kasan_report_error.cold+0xa7/0x1c7
[ 41.521478] ? __lock_acquire+0x2cb4/0x3ff0
[ 41.525775] __asan_report_load8_noabort+0x88/0x90
[ 41.530684] ? __lock_acquire+0x2cb4/0x3ff0
[ 41.534983] __lock_acquire+0x2cb4/0x3ff0
[ 41.539109] ? __read_once_size_nocheck.constprop.0+0x10/0x10
[ 41.544979] ? deref_stack_reg+0x1d0/0x1d0
[ 41.549208] ? mark_held_locks+0xf0/0xf0
[ 41.553241] ? check_usage+0x19a/0x670
[ 41.557116] ? bpf_prog_kallsyms_find.part.0+0x1ad/0x270
[ 41.562561] ? check_usage_backwards+0x300/0x300
[ 41.567296] ? __kernel_text_address+0x9/0x30
[ 41.571769] ? check_usage_forwards+0x310/0x310
[ 41.576409] ? __save_stack_trace+0xaf/0x190
[ 41.580795] lock_acquire+0x170/0x3c0
[ 41.584583] ? xt_find_match+0xa3/0x280
[ 41.588533] ? xt_find_match+0xa3/0x280
[ 41.592495] __mutex_lock+0xd7/0x1260
[ 41.596268] ? xt_find_match+0xa3/0x280
[ 41.600220] ? check_usage_forwards+0x310/0x310
[ 41.604865] ? xt_find_match+0xa3/0x280
[ 41.608814] ? __mutex_add_waiter+0x160/0x160
[ 41.613298] ? mark_held_locks+0xf0/0xf0
[ 41.617408] ? mark_held_locks+0xf0/0xf0
[ 41.621579] ? _raw_spin_unlock_irqrestore+0x66/0xe0
[ 41.626972] ? __sanitizer_cov_trace_switch+0x4b/0x80
[ 41.632180] xt_find_match+0xa3/0x280
[ 41.636012] xt_request_find_match+0x88/0x110
[ 41.640498] em_ipt_change+0x1c7/0x46b
[ 41.644367] ? check_match+0x1e0/0x1e0
[ 41.648253] ? lock_acquire+0x170/0x3c0
[ 41.652205] ? tcf_em_lookup+0x1c/0x150
[ 41.656158] ? do_raw_read_unlock+0x3b/0x70
[ 41.660461] ? _raw_read_unlock+0x29/0x40
[ 41.664585] ? check_match+0x1e0/0x1e0
[ 41.668452] tcf_em_tree_validate+0x8fa/0xe95
[ 41.672933] ? tcf_em_tree_destroy+0x50/0x50
[ 41.677327] ? rcu_read_lock_sched_held+0x16c/0x1d0
[ 41.682324] ? kmem_cache_alloc_trace+0x323/0x380
[ 41.687147] flow_change+0x2a4/0x1ca0
[ 41.690927] ? flow_init+0xf0/0xf0
[ 41.694441] ? kmem_cache_alloc_trace+0x323/0x380
[ 41.699263] ? flow_init+0xf0/0xf0
[ 41.702778] tc_new_tfilter+0xb52/0x16c0
[ 41.706816] ? tcf_chain_tp_remove+0x2c0/0x2c0
[ 41.711473] ? check_nnp_nosuid.isra.0+0x2a0/0x2a0
[ 41.716408] ? rtnetlink_rcv_msg+0x3fe/0xb80
[ 41.720795] ? __mutex_add_waiter+0x160/0x160
[ 41.725346] ? tcf_chain_tp_remove+0x2c0/0x2c0
[ 41.729905] rtnetlink_rcv_msg+0x453/0xb80
[ 41.734116] ? rtnl_calcit.isra.0+0x430/0x430
[ 41.738649] ? __netlink_lookup+0x3fc/0x730
[ 41.743090] ? lock_downgrade+0x720/0x720
[ 41.747296] ? check_preemption_disabled+0x41/0x280
[ 41.752575] netlink_rcv_skb+0x160/0x440
[ 41.756773] ? rtnl_calcit.isra.0+0x430/0x430
[ 41.761377] ? netlink_ack+0xae0/0xae0
[ 41.765343] netlink_unicast+0x4d5/0x690
[ 41.769465] ? netlink_sendskb+0x110/0x110
[ 41.773711] netlink_sendmsg+0x6bb/0xc40
[ 41.777774] ? nlmsg_notify+0x1a0/0x1a0
[ 41.781749] ? kernel_recvmsg+0x220/0x220
[ 41.785886] ? nlmsg_notify+0x1a0/0x1a0
[ 41.789854] sock_sendmsg+0xc3/0x120
[ 41.793572] ___sys_sendmsg+0x3b3/0x8e0
[ 41.797562] ? copy_msghdr_from_user+0x440/0x440
[ 41.802315] ? mark_held_locks+0xf0/0xf0
[ 41.806352] ? mark_held_locks+0xf0/0xf0
[ 41.810391] ? mark_held_locks+0xf0/0xf0
[ 41.814438] ? fs_reclaim_release+0xd0/0x110
[ 41.818837] ? __might_fault+0x11f/0x1d0
[ 41.822886] ? lock_downgrade+0x720/0x720
[ 41.827009] ? lock_acquire+0x170/0x3c0
[ 41.830963] __sys_sendmmsg+0x195/0x470
[ 41.834948] ? __ia32_sys_sendmsg+0x220/0x220
[ 41.839422] ? alloc_file+0x326/0x4d0
[ 41.843216] ? check_preemption_disabled+0x41/0x280
[ 41.848210] ? __fd_install+0x1eb/0x610
[ 41.852159] ? __sys_socket+0x16d/0x200
[ 41.856104] ? move_addr_to_kernel+0x70/0x70
[ 41.860489] ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 41.865220] __x64_sys_sendmmsg+0x99/0x100
[ 41.869435] ? lockdep_hardirqs_on+0x3a8/0x5c0
[ 41.873991] do_syscall_64+0xf9/0x620
[ 41.877771] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 41.882950] RIP: 0033:0x440d09
[ 41.886209] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 fb 0f fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 41.905108] RSP: 002b:00007ffd6392a5b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000133
[ 41.912801] RAX: ffffffffffffffda RBX: 00000000004a2570 RCX: 0000000000440d09
[ 41.920095] RDX: 010efe10675dec16 RSI: 0000000020000200 RDI: 0000000000000004
[ 41.927353] RBP: 00007ffd6392a5c0 R08: 0000000120080522 R09: 0000000120080522
[ 41.934599] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000004a2570
[ 41.941843] R13: 0000000000402220 R14: 0000000000000000 R15: 0000000000000000
[ 41.950128] Kernel Offset: disabled
[ 41.953741] Rebooting in 86400 seconds..