[ 33.372593] audit: type=1800 audit(1584544964.133:33): pid=7155 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op="collect_data" cause="failed(directio)" comm="startpar" name="rc.local" dev="sda1" ino=2465 res=0
[ 33.401312] audit: type=1800 audit(1584544964.133:34): pid=7155 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op="collect_data" cause="failed(directio)" comm="startpar" name="rmnologin" dev="sda1" ino=2456 res=0

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 36.381563] random: sshd: uninitialized urandom read (32 bytes read)
[ 36.755867] audit: type=1400 audit(1584544967.513:35): avc: denied { map } for pid=7328 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[ 36.798764] random: sshd: uninitialized urandom read (32 bytes read)
[ 37.513214] random: sshd: uninitialized urandom read (32 bytes read)
[ 42.375899] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.235' (ECDSA) to the list of known hosts.
[ 48.019342] random: sshd: uninitialized urandom read (32 bytes read)
[ 48.154536] audit: type=1400 audit(1584544978.913:36): avc: denied { map } for pid=7340 comm="syz-executor874" path="/root/syz-executor874015636" dev="sda1" ino=16484 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 48.431038] IPVS: ftp: loaded support on port[0] = 21
executing program
executing program
executing program
executing program
[ 49.275811] ==================================================================
[ 49.283277] BUG: KASAN: use-after-free in tcindex_set_parms+0x1521/0x16a0
[ 49.290185] Write of size 16 at addr ffff88809ba21400 by task syz-executor874/7345
[ 49.297973]
[ 49.299594] CPU: 1 PID: 7345 Comm: syz-executor874 Not tainted 4.14.173-syzkaller #0
[ 49.307451] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 49.316784] Call Trace:
[ 49.319379]  dump_stack+0x13e/0x194
[ 49.323055]  ? tcindex_set_parms+0x1521/0x16a0
[ 49.327635]  print_address_description.cold+0x7c/0x1e2
[ 49.332955]  ? tcindex_set_parms+0x1521/0x16a0
[ 49.337540]  kasan_report.cold+0xa9/0x2ae
[ 49.341677]  tcindex_set_parms+0x1521/0x16a0
[ 49.346074]  ? tcindex_alloc_perfect_hash+0x300/0x300
[ 49.351249]  ? avc_has_perm_noaudit+0x297/0x400
[ 49.355914]  ? nla_parse+0x183/0x240
[ 49.360656]  tcindex_change+0x1b5/0x270
[ 49.364616]  ? tcindex_set_parms+0x16a0/0x16a0
[ 49.369233]  ? tcindex_lookup+0x8c/0x310
[ 49.373318]  ? tcindex_set_parms+0x16a0/0x16a0
[ 49.377932]  tc_ctl_tfilter+0xf13/0x18e6
[ 49.382025]  ? tfilter_notify+0x240/0x240
[ 49.386155]  ? mutex_trylock+0x1a0/0x1a0
[ 49.390201]  ? rtnetlink_rcv_msg+0x2e8/0xb10
[ 49.394653]  ? tfilter_notify+0x240/0x240
[ 49.398794]  rtnetlink_rcv_msg+0x3be/0xb10
[ 49.403033]  ? rtnl_bridge_getlink+0x7a0/0x7a0
[ 49.407597]  ? save_trace+0x290/0x290
[ 49.411392]  ? save_trace+0x290/0x290
[ 49.415174]  netlink_rcv_skb+0x127/0x370
[ 49.419219]  ? rtnl_bridge_getlink+0x7a0/0x7a0
[ 49.423793]  ? netlink_ack+0x960/0x960
[ 49.427685]  netlink_unicast+0x437/0x620
[ 49.431732]  ? netlink_attachskb+0x600/0x600
[ 49.436123]  netlink_sendmsg+0x733/0xbe0
[ 49.440167]  ? netlink_unicast+0x620/0x620
[ 49.444381]  ? SYSC_sendto+0x2b0/0x2b0
[ 49.448259]  ? security_socket_sendmsg+0x83/0xb0
[ 49.453010]  ? netlink_unicast+0x620/0x620
[ 49.457233]  sock_sendmsg+0xc5/0x100
[ 49.461018]  ___sys_sendmsg+0x70a/0x840
[ 49.464977]  ? copy_msghdr_from_user+0x380/0x380
[ 49.469871]  ? trace_hardirqs_on+0x10/0x10
[ 49.474090]  ? save_trace+0x290/0x290
[ 49.477874]  ? find_held_lock+0x2d/0x110
[ 49.481921]  ? __might_fault+0x104/0x1b0
[ 49.485967]  ? lock_acquire+0x170/0x3f0
[ 49.489923]  ? lock_downgrade+0x6e0/0x6e0
[ 49.494077]  ? __might_fault+0x177/0x1b0
[ 49.498121]  ? _copy_to_user+0x82/0xd0
[ 49.502001]  ? __fget_light+0x16a/0x1f0
[ 49.505960]  ? sockfd_lookup_light+0xb2/0x160
[ 49.510436]  __sys_sendmsg+0xa3/0x120
[ 49.514219]  ? SyS_shutdown+0x160/0x160
[ 49.518198]  ? up_read+0x17/0x30
[ 49.521550]  ? __do_page_fault+0x35b/0xb40
[ 49.525768]  SyS_sendmsg+0x27/0x40
[ 49.529287]  ? __sys_sendmsg+0x120/0x120
[ 49.533331]  do_syscall_64+0x1d5/0x640
[ 49.537227]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 49.542396] RIP: 0033:0x4416f9
[ 49.545568] RSP: 002b:00007ffcd14bceb8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 49.553280] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00000000004416f9
[ 49.560547] RDX: 0000000000000000 RSI: 00000000200001c0 RDI: 0000000000000003
[ 49.567818] RBP: 00007ffcd14bcec0 R08: 0000000100000000 R09: 0000000100000000
[ 49.575128] R10: 0000000100000000 R11: 0000000000000246 R12: 000000000000c075
[ 49.582423] R13: 0000000000402650 R14: 0000000000000000 R15: 0000000000000000
[ 49.589683]
[ 49.591309] Allocated by task 1:
[ 49.594666]  save_stack+0x32/0xa0
[ 49.598107]  kasan_kmalloc+0xbf/0xe0
[ 49.601805]  kmem_cache_alloc_trace+0x14d/0x7b0
[ 49.606450]  call_usermodehelper_setup+0x6f/0x2e0
[ 49.611272]  kobject_uevent_env+0xa79/0xc50
[ 49.615575]  device_add+0xa02/0x1400
[ 49.619268]  device_create_groups_vargs+0x1dc/0x250
[ 49.624263]  device_create_with_groups+0xd4/0x100
[ 49.629086]  misc_register+0x3b1/0x5b0
[ 49.632954]  binder_init+0x2bb/0x4e1
[ 49.636649]  do_one_initcall+0x88/0x202
[ 49.640635]  kernel_init_freeable+0x465/0x526
[ 49.645115]  kernel_init+0xd/0x15b
[ 49.648639]  ret_from_fork+0x24/0x30
[ 49.652329]
[ 49.654344] Freed by task 3318:
[ 49.657613]  save_stack+0x32/0xa0
[ 49.661051]  kasan_slab_free+0x75/0xc0
[ 49.664919]  kfree+0xcb/0x260
[ 49.668013]  umh_complete+0x6d/0x80
[ 49.671629]  call_usermodehelper_exec_async+0x413/0x4c0
[ 49.677090]  ret_from_fork+0x24/0x30
[ 49.680781]
[ 49.682390] The buggy address belongs to the object at ffff88809ba213c0
[ 49.682390]  which belongs to the cache kmalloc-128 of size 128
[ 49.695038] The buggy address is located 64 bytes inside of
[ 49.695038]  128-byte region [ffff88809ba213c0, ffff88809ba21440)
[ 49.706914] The buggy address belongs to the page:
[ 49.711822] page:ffffea00026e8840 count:1 mapcount:0 mapping:ffff88809ba21000 index:0x0
[ 49.719944] flags: 0xfffe0000000100(slab)
[ 49.724071] raw: 00fffe0000000100 ffff88809ba21000 0000000000000000 0000000100000015
[ 49.731944] raw: ffffea00026b6960 ffffea00026e8be0 ffff88812fe56640 0000000000000000
[ 49.739803] page dumped because: kasan: bad access detected
[ 49.745491]
[ 49.747099] Memory state around the buggy address:
[ 49.752007]  ffff88809ba21300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fc fc
[ 49.759465]  ffff88809ba21380: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 49.766831] >ffff88809ba21400: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 49.774186]                    ^
[ 49.777540]  ffff88809ba21480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 49.784899]  ffff88809ba21500: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 49.792258] ==================================================================
[ 49.799614] Disabling lock debugging due to kernel taint
[ 49.805733] Kernel panic - not syncing: panic_on_warn set ...
[ 49.805733]
[ 49.813117] CPU: 0 PID: 7345 Comm: syz-executor874 Tainted: G    B   4.14.173-syzkaller #0
[ 49.822205] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 49.831540] Call Trace:
[ 49.834177]  dump_stack+0x13e/0x194
[ 49.837826]  panic+0x1f9/0x42d
[ 49.841053]  ? add_taint.cold+0x16/0x16
[ 49.845009]  ? preempt_schedule_common+0x4a/0xc0
[ 49.849760]  ? tcindex_set_parms+0x1521/0x16a0
[ 49.854323]  ? ___preempt_schedule+0x16/0x18
[ 49.859338]  ? tcindex_set_parms+0x1521/0x16a0
[ 49.863912]  kasan_end_report+0x43/0x49
[ 49.867881]  kasan_report.cold+0x12f/0x2ae
[ 49.872126]  tcindex_set_parms+0x1521/0x16a0
[ 49.876518]  ? tcindex_alloc_perfect_hash+0x300/0x300
[ 49.881693]  ? avc_has_perm_noaudit+0x297/0x400
[ 49.886373]  ? nla_parse+0x183/0x240
[ 49.890072]  tcindex_change+0x1b5/0x270
[ 49.894067]  ? tcindex_set_parms+0x16a0/0x16a0
[ 49.898631]  ? tcindex_lookup+0x8c/0x310
[ 49.902672]  ? tcindex_set_parms+0x16a0/0x16a0
[ 49.907232]  tc_ctl_tfilter+0xf13/0x18e6
[ 49.911289]  ? tfilter_notify+0x240/0x240
[ 49.915514]  ? mutex_trylock+0x1a0/0x1a0
[ 49.919553]  ? rtnetlink_rcv_msg+0x2e8/0xb10
[ 49.924015]  ? tfilter_notify+0x240/0x240
[ 49.928145]  rtnetlink_rcv_msg+0x3be/0xb10
[ 49.932362]  ? rtnl_bridge_getlink+0x7a0/0x7a0
[ 49.937025]  ? save_trace+0x290/0x290
[ 49.940813]  ? save_trace+0x290/0x290
[ 49.944653]  netlink_rcv_skb+0x127/0x370
[ 49.948695]  ? rtnl_bridge_getlink+0x7a0/0x7a0
[ 49.953259]  ? netlink_ack+0x960/0x960
[ 49.957165]  netlink_unicast+0x437/0x620
[ 49.961208]  ? netlink_attachskb+0x600/0x600
[ 49.965719]  netlink_sendmsg+0x733/0xbe0
[ 49.969762]  ? netlink_unicast+0x620/0x620
[ 49.974007]  ? SYSC_sendto+0x2b0/0x2b0
[ 49.977917]  ? security_socket_sendmsg+0x83/0xb0
[ 49.982668]  ? netlink_unicast+0x620/0x620
[ 49.986884]  sock_sendmsg+0xc5/0x100
[ 49.990580]  ___sys_sendmsg+0x70a/0x840
[ 49.994537]  ? copy_msghdr_from_user+0x380/0x380
[ 49.999271]  ? trace_hardirqs_on+0x10/0x10
[ 50.003498]  ? save_trace+0x290/0x290
[ 50.007275]  ? find_held_lock+0x2d/0x110
[ 50.011329]  ? __might_fault+0x104/0x1b0
[ 50.015369]  ? lock_acquire+0x170/0x3f0
[ 50.019332]  ? lock_downgrade+0x6e0/0x6e0
[ 50.023520]  ? __might_fault+0x177/0x1b0
[ 50.027564]  ? _copy_to_user+0x82/0xd0
[ 50.031434]  ? __fget_light+0x16a/0x1f0
[ 50.035396]  ? sockfd_lookup_light+0xb2/0x160
[ 50.039874]  __sys_sendmsg+0xa3/0x120
[ 50.043719]  ? SyS_shutdown+0x160/0x160
[ 50.047723]  ? up_read+0x17/0x30
[ 50.051068]  ? __do_page_fault+0x35b/0xb40
[ 50.055293]  SyS_sendmsg+0x27/0x40
[ 50.058827]  ? __sys_sendmsg+0x120/0x120
[ 50.062882]  do_syscall_64+0x1d5/0x640
[ 50.066748]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 50.071916] RIP: 0033:0x4416f9
[ 50.075083] RSP: 002b:00007ffcd14bceb8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 50.082782] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00000000004416f9
[ 50.090048] RDX: 0000000000000000 RSI: 00000000200001c0 RDI: 0000000000000003
[ 50.097310] RBP: 00007ffcd14bcec0 R08: 0000000100000000 R09: 0000000100000000
[ 50.104571] R10: 0000000100000000 R11: 0000000000000246 R12: 000000000000c075
[ 50.111823] R13: 0000000000402650 R14: 0000000000000000 R15: 0000000000000000
[ 50.120482] Kernel Offset: disabled
[ 50.124104] Rebooting in 86400 seconds..