Warning: Permanently added '10.128.0.204' (ECDSA) to the list of known hosts.
executing program
[ 55.009608] kauditd_printk_skb: 5 callbacks suppressed
[ 55.009625] audit: type=1400 audit(1579765814.873:36): avc: denied { map } for pid=8188 comm="syz-executor570" path="/root/syz-executor570990499" dev="sda1" ino=16484 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 55.014716] ==================================================================
[ 55.049063] BUG: KASAN: slab-out-of-bounds in setup_udp_tunnel_sock+0x356/0x420
[ 55.056665] Write of size 1 at addr ffff8880a672a568 by task syz-executor570/8188
[ 55.064397]
[ 55.066034] CPU: 1 PID: 8188 Comm: syz-executor570 Not tainted 4.19.97-syzkaller #0
[ 55.074012] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 55.083375] Call Trace:
[ 55.086370] dump_stack+0x197/0x210
[ 55.090733] ? setup_udp_tunnel_sock+0x356/0x420
[ 55.095777] print_address_description.cold+0x7c/0x20d
[ 55.101061] ? setup_udp_tunnel_sock+0x356/0x420
[ 55.105831] kasan_report.cold+0x8c/0x2ba
[ 55.110027] __asan_report_store1_noabort+0x17/0x20
[ 55.115052] setup_udp_tunnel_sock+0x356/0x420
[ 55.119974] gtp_encap_enable_socket+0x2cb/0x3a0
[ 55.124762] ? gtp_find_dev+0x200/0x200
[ 55.128849] ? memset+0x32/0x40
[ 55.132213] ? gtp1_pdp_find.isra.0+0x180/0x180
[ 55.137281] ? __gtp_encap_destroy+0x190/0x190
[ 55.141920] ? alloc_netdev_mqs+0x9fc/0xdb0
[ 55.146275] gtp_newlink+0x95/0xc10
[ 55.149992] ? rtnl_create_link+0x148/0xa00
[ 55.154329] ? netlink_ns_capable+0x26/0x30
[ 55.158683] ? gtp_genl_get_pdp+0x5c0/0x5c0
[ 55.163025] rtnl_newlink+0x1042/0x1600
[ 55.167042] ? rtnl_link_unregister+0x250/0x250
[ 55.171719] ? find_held_lock+0x35/0x130
[ 55.175801] ? is_bpf_text_address+0xac/0x170
[ 55.180496] ? __lock_acquire+0x6ee/0x49c0
[ 55.185585] ? __lock_acquire+0x6ee/0x49c0
[ 55.190711] ? kasan_check_read+0x11/0x20
[ 55.195256] ? mark_held_locks+0x100/0x100
[ 55.199513] ? mark_held_locks+0x100/0x100
[ 55.203896] ? __lock_acquire+0x6ee/0x49c0
[ 55.208217] ? __save_stack_trace+0x99/0x100
[ 55.212638] ? avc_has_perm_noaudit+0x38f/0x570
[ 55.217431] ? __lock_acquire+0x6ee/0x49c0
[ 55.221682] ? mark_held_locks+0x100/0x100
[ 55.226150] ? avc_has_perm_noaudit+0x3b6/0x570
[ 55.230961] ? avc_has_extended_perms+0x10f0/0x10f0
[ 55.236095] ? avc_has_extended_perms+0x10f0/0x10f0
[ 55.241229] ? find_held_lock+0x35/0x130
[ 55.245308] ? rtnetlink_rcv_msg+0x3d0/0xb00
[ 55.249733] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 55.255331] ? rtnl_link_unregister+0x250/0x250
[ 55.260177] rtnetlink_rcv_msg+0x463/0xb00
[ 55.264431] ? rtnetlink_put_metrics+0x560/0x560
[ 55.269392] ? netlink_deliver_tap+0x22d/0xc20
[ 55.273989] ? find_held_lock+0x35/0x130
[ 55.278308] netlink_rcv_skb+0x17d/0x460
[ 55.282613] ? rtnetlink_put_metrics+0x560/0x560
[ 55.287603] ? netlink_ack+0xb30/0xb30
[ 55.291497] ? kasan_check_read+0x11/0x20
[ 55.295757] ? netlink_deliver_tap+0x254/0xc20
[ 55.300446] rtnetlink_rcv+0x1d/0x30
[ 55.304175] netlink_unicast+0x53a/0x730
[ 55.308236] ? netlink_attachskb+0x770/0x770
[ 55.312658] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 55.318860] netlink_sendmsg+0x8ae/0xd70
[ 55.323056] ? netlink_unicast+0x730/0x730
[ 55.327307] ? selinux_socket_sendmsg+0x36/0x40
[ 55.332487] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 55.338201] ? security_socket_sendmsg+0x8d/0xc0
[ 55.343014] ? netlink_unicast+0x730/0x730
[ 55.347404] sock_sendmsg+0xd7/0x130
[ 55.351270] ___sys_sendmsg+0x803/0x920
[ 55.355417] ? copy_msghdr_from_user+0x430/0x430
[ 55.360407] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 55.366060] ? __handle_mm_fault+0x7d1/0x3f80
[ 55.370581] ? copy_page_range+0x2030/0x2030
[ 55.375001] ? __do_page_fault+0x676/0xe90
[ 55.379243] ? find_held_lock+0x35/0x130
[ 55.383377] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 55.388939] ? __fget_light+0x1a9/0x230
[ 55.393057] ? __fdget+0x1b/0x20
[ 55.396625] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 55.402351] __sys_sendmsg+0x105/0x1d0
[ 55.406238] ? __ia32_sys_shutdown+0x80/0x80
[ 55.410756] ? up_read+0x1a/0x110
[ 55.414321] ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 55.419388] ? do_syscall_64+0x26/0x620
[ 55.423477] ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 55.428866] ? do_syscall_64+0x26/0x620
[ 55.432977] __x64_sys_sendmsg+0x78/0xb0
[ 55.437131] do_syscall_64+0xfd/0x620
[ 55.441122] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 55.446308] RIP: 0033:0x4402b9
[ 55.449492] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 fb 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 55.471320] RSP: 002b:00007ffffec32fb8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 55.479393] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 00000000004402b9
[ 55.487046] RDX: 0000000000000000 RSI: 0000000020000100 RDI: 0000000000000003
[ 55.495499] RBP: 00000000006ca018 R08: 00000000004002c8 R09: 00000000004002c8
[ 55.502821] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000401b40
[ 55.510101] R13: 0000000000401bd0 R14: 0000000000000000 R15: 0000000000000000
[ 55.517617]
[ 55.519397] Allocated by task 8188:
[ 55.523056] save_stack+0x45/0xd0
[ 55.526517] kasan_kmalloc+0xce/0xf0
[ 55.530220] kasan_slab_alloc+0xf/0x20
[ 55.534098] kmem_cache_alloc+0x12e/0x700
[ 55.538326] sk_prot_alloc+0x67/0x2e0
[ 55.542190] sk_alloc+0x39/0xf70
[ 55.545667] inet_create+0x368/0xdf0
[ 55.549407] __sock_create+0x3d8/0x730
[ 55.553288] __sys_socket+0x103/0x220
[ 55.557081] __x64_sys_socket+0x73/0xb0
[ 55.561325] do_syscall_64+0xfd/0x620
[ 55.565141] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 55.570315]
[ 55.571939] Freed by task 0:
[ 55.574999] (stack is not available)
[ 55.578762]
[ 55.580386] The buggy address belongs to the object at ffff8880a672a040
[ 55.580386] which belongs to the cache RAW of size 1320
[ 55.593178] The buggy address is located 0 bytes to the right of
[ 55.593178] 1320-byte region [ffff8880a672a040, ffff8880a672a568)
[ 55.605487] The buggy address belongs to the page:
[ 55.610424] page:ffffea000299ca80 count:1 mapcount:0 mapping:ffff8880a6d0fb00 index:0x0 compound_mapcount: 0
[ 55.620392] flags: 0xfffe0000008100(slab|head)
[ 55.624974] raw: 00fffe0000008100 ffff8880a6f82648 ffff8880a6f82648 ffff8880a6d0fb00
[ 55.632870] raw: 0000000000000000 ffff8880a672a040 0000000100000005 0000000000000000
[ 55.640754] page dumped because: kasan: bad access detected
[ 55.646468]
[ 55.648092] Memory state around the buggy address:
[ 55.653810] ffff8880a672a400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 55.661177] ffff8880a672a480: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 55.668543] >ffff8880a672a500: 00 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc
[ 55.675908] ^
[ 55.682791] ffff8880a672a580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 55.690398] ffff8880a672a600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 55.697761] ==================================================================
[ 55.705113] Disabling lock debugging due to kernel taint
[ 55.711513] Kernel panic - not syncing: panic_on_warn set ...
[ 55.711513]
[ 55.719052] CPU: 1 PID: 8188 Comm: syz-executor570 Tainted: G B 4.19.97-syzkaller #0
[ 55.728316] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 55.737730] Call Trace:
[ 55.740367] dump_stack+0x197/0x210
[ 55.744007] ? setup_udp_tunnel_sock+0x356/0x420
[ 55.748775] panic+0x26a/0x50e
[ 55.752313] ? __warn_printk+0xf3/0xf3
[ 55.756216] ? setup_udp_tunnel_sock+0x356/0x420
[ 55.761157] ? preempt_schedule+0x4b/0x60
[ 55.765825] ? ___preempt_schedule+0x16/0x18
[ 55.770535] ? trace_hardirqs_on+0x5e/0x220
[ 55.775061] ? setup_udp_tunnel_sock+0x356/0x420
[ 55.779811] kasan_end_report+0x47/0x4f
[ 55.783830] kasan_report.cold+0xa9/0x2ba
[ 55.788199] __asan_report_store1_noabort+0x17/0x20
[ 55.793267] setup_udp_tunnel_sock+0x356/0x420
[ 55.797976] gtp_encap_enable_socket+0x2cb/0x3a0
[ 55.802743] ? gtp_find_dev+0x200/0x200
[ 55.806718] ? memset+0x32/0x40
[ 55.810033] ? gtp1_pdp_find.isra.0+0x180/0x180
[ 55.814713] ? __gtp_encap_destroy+0x190/0x190
[ 55.819532] ? alloc_netdev_mqs+0x9fc/0xdb0
[ 55.823866] gtp_newlink+0x95/0xc10
[ 55.827496] ? rtnl_create_link+0x148/0xa00
[ 55.831828] ? netlink_ns_capable+0x26/0x30
[ 55.836161] ? gtp_genl_get_pdp+0x5c0/0x5c0
[ 55.840508] rtnl_newlink+0x1042/0x1600
[ 55.844488] ? rtnl_link_unregister+0x250/0x250
[ 55.849252] ? find_held_lock+0x35/0x130
[ 55.853321] ? is_bpf_text_address+0xac/0x170
[ 55.857817] ? __lock_acquire+0x6ee/0x49c0
[ 55.862079] ? __lock_acquire+0x6ee/0x49c0
[ 55.866326] ? kasan_check_read+0x11/0x20
[ 55.870486] ? mark_held_locks+0x100/0x100
[ 55.874719] ? mark_held_locks+0x100/0x100
[ 55.879002] ? __lock_acquire+0x6ee/0x49c0
[ 55.883294] ? __save_stack_trace+0x99/0x100
[ 55.888790] ? avc_has_perm_noaudit+0x38f/0x570
[ 55.893785] ? __lock_acquire+0x6ee/0x49c0
[ 55.898189] ? mark_held_locks+0x100/0x100
[ 55.902488] ? avc_has_perm_noaudit+0x3b6/0x570
[ 55.907334] ? avc_has_extended_perms+0x10f0/0x10f0
[ 55.912369] ? avc_has_extended_perms+0x10f0/0x10f0
[ 55.917409] ? find_held_lock+0x35/0x130
[ 55.921489] ? rtnetlink_rcv_msg+0x3d0/0xb00
[ 55.925931] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 55.931489] ? rtnl_link_unregister+0x250/0x250
[ 55.936162] rtnetlink_rcv_msg+0x463/0xb00
[ 55.940419] ? rtnetlink_put_metrics+0x560/0x560
[ 55.945216] ? netlink_deliver_tap+0x22d/0xc20
[ 55.949933] ? find_held_lock+0x35/0x130
[ 55.954097] netlink_rcv_skb+0x17d/0x460
[ 55.958174] ? rtnetlink_put_metrics+0x560/0x560
[ 55.962965] ? netlink_ack+0xb30/0xb30
[ 55.966846] ? kasan_check_read+0x11/0x20
[ 55.970997] ? netlink_deliver_tap+0x254/0xc20
[ 55.975607] rtnetlink_rcv+0x1d/0x30
[ 55.979403] netlink_unicast+0x53a/0x730
[ 55.983474] ? netlink_attachskb+0x770/0x770
[ 55.988030] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 55.993577] netlink_sendmsg+0x8ae/0xd70
[ 55.997644] ? netlink_unicast+0x730/0x730
[ 56.001985] ? selinux_socket_sendmsg+0x36/0x40
[ 56.006717] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 56.012339] ? security_socket_sendmsg+0x8d/0xc0
[ 56.017267] ? netlink_unicast+0x730/0x730
[ 56.021548] sock_sendmsg+0xd7/0x130
[ 56.025285] ___sys_sendmsg+0x803/0x920
[ 56.029284] ? copy_msghdr_from_user+0x430/0x430
[ 56.034058] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 56.039610] ? __handle_mm_fault+0x7d1/0x3f80
[ 56.044225] ? copy_page_range+0x2030/0x2030
[ 56.049007] ? __do_page_fault+0x676/0xe90
[ 56.053301] ? find_held_lock+0x35/0x130
[ 56.057373] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 56.063053] ? __fget_light+0x1a9/0x230
[ 56.067294] ? __fdget+0x1b/0x20
[ 56.070678] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 56.076239] __sys_sendmsg+0x105/0x1d0
[ 56.080255] ? __ia32_sys_shutdown+0x80/0x80
[ 56.084658] ? up_read+0x1a/0x110
[ 56.102016] ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 56.106906] ? do_syscall_64+0x26/0x620
[ 56.110995] ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 56.116361] ? do_syscall_64+0x26/0x620
[ 56.120332] __x64_sys_sendmsg+0x78/0xb0
[ 56.124384] do_syscall_64+0xfd/0x620
[ 56.128184] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 56.133807] RIP: 0033:0x4402b9
[ 56.136997] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 fb 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 56.155930] RSP: 002b:00007ffffec32fb8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 56.163685] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 00000000004402b9
[ 56.170958] RDX: 0000000000000000 RSI: 0000000020000100 RDI: 0000000000000003
[ 56.178391] RBP: 00000000006ca018 R08: 00000000004002c8 R09: 00000000004002c8
[ 56.185670] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000401b40
[ 56.193190] R13: 0000000000401bd0 R14: 0000000000000000 R15: 0000000000000000
[ 56.201850] Kernel Offset: disabled
[ 56.205487] Rebooting in 86400 seconds..