[  OK  ] Reached target Graphical Interface.
         Starting Update UTMP about System Runlevel Changes...
         Starting Load/Save RF Kill Switch Status...
[  OK  ] Started Update UTMP about System Runlevel Changes.
[  OK  ] Started Load/Save RF Kill Switch Status.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.1.109' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [   33.266576] ==================================================================
[   33.274019] BUG: KASAN: slab-out-of-bounds in ipt_init_target+0x213/0x250
[   33.280931] Read of size 1 at addr ffff8880b37669df by task syz-executor126/7954
[   33.288435] 
[   33.290045] CPU: 1 PID: 7954 Comm: syz-executor126 Not tainted 4.14.285-syzkaller #0
[   33.297907] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   33.307235] Call Trace:
[   33.309806]  dump_stack+0x1b2/0x281
[   33.313437]  print_address_description.cold+0x54/0x1d3
[   33.318706]  kasan_report_error.cold+0x8a/0x191
[   33.323362]  ? ipt_init_target+0x213/0x250
[   33.327587]  __asan_report_load1_noabort+0x68/0x70
[   33.332599]  ? tcf_idr_create+0x300/0x780
[   33.336731]  ? ipt_init_target+0x213/0x250
[   33.340955]  ipt_init_target+0x213/0x250
[   33.344993]  ? tcf_ipt_walker+0x200/0x200
[   33.349117]  ? fs_reclaim_release+0xd0/0x110
[   33.353517]  ? memcpy+0x35/0x50
[   33.356775]  __tcf_ipt_init+0x48d/0xc00
[   33.360728]  ? ipt_init_target+0x250/0x250
[   33.364940]  ? tc_lookup_action_n+0xac/0xd0
[   33.369242]  ? lock_downgrade+0x740/0x740
[   33.373367]  tcf_ipt_init+0x43/0x50
[   33.376970]  tcf_action_init_1+0x51a/0x9e0
[   33.381182]  ? tcf_action_dump_old+0x80/0x80
[   33.385572]  ? nla_parse+0x157/0x1f0
[   33.389274]  tcf_action_init+0x26d/0x400
[   33.393314]  ? tcf_action_init_1+0x9e0/0x9e0
[   33.397718]  ? memset+0x20/0x40
[   33.400972]  ? nla_parse+0x157/0x1f0
[   33.404662]  tc_ctl_action+0x2e3/0x510
[   33.408528]  ? tca_action_gd+0x790/0x790
[   33.412573]  ? rtnetlink_rcv_msg+0x2e8/0xb10
[   33.416959]  ? tca_action_gd+0x790/0x790
[   33.421001]  rtnetlink_rcv_msg+0x3be/0xb10
[   33.425328]  ? rtnl_calcit.isra.0+0x3a0/0x3a0
[   33.429809]  ? __netlink_lookup+0x345/0x5d0
[   33.434113]  netlink_rcv_skb+0x125/0x390
[   33.438154]  ? rtnl_calcit.isra.0+0x3a0/0x3a0
[   33.442638]  ? netlink_ack+0x9a0/0x9a0
[   33.446518]  netlink_unicast+0x437/0x610
[   33.450560]  ? netlink_sendskb+0xd0/0xd0
[   33.454597]  ? __check_object_size+0x179/0x230
[   33.459152]  netlink_sendmsg+0x648/0xbc0
[   33.463190]  ? nlmsg_notify+0x1b0/0x1b0
[   33.467138]  ? kernel_recvmsg+0x210/0x210
[   33.471265]  ? security_socket_sendmsg+0x83/0xb0
[   33.476008]  ? nlmsg_notify+0x1b0/0x1b0
[   33.479969]  sock_sendmsg+0xb5/0x100
[   33.483662]  ___sys_sendmsg+0x6c8/0x800
[   33.487622]  ? copy_msghdr_from_user+0x3b0/0x3b0
[   33.492356]  ? lock_downgrade+0x740/0x740
[   33.496480]  ? __lru_cache_add+0x178/0x250
[   33.500692]  ? do_raw_spin_unlock+0x164/0x220
[   33.505169]  ? _raw_spin_unlock+0x29/0x40
[   33.509293]  ? do_huge_pmd_anonymous_page+0x72e/0x1700
[   33.514544]  ? prep_transhuge_page+0xa0/0xa0
[   33.518935]  ? _raw_spin_unlock+0x29/0x40
[   33.523057]  ? __pmd_alloc+0x27f/0x3f0
[   33.526928]  ? __handle_mm_fault+0x80f/0x4620
[   33.531404]  ? lock_downgrade+0x740/0x740
[   33.535528]  ? vm_insert_page+0x7c0/0x7c0
[   33.539649]  ? __fdget+0x167/0x1f0
[   33.543166]  ? sockfd_lookup_light+0xb2/0x160
[   33.547635]  __sys_sendmsg+0xa3/0x120
[   33.551410]  ? SyS_shutdown+0x160/0x160
[   33.555392]  ? up_read+0x17/0x30
[   33.558733]  ? __do_page_fault+0x159/0xad0
[   33.562945]  SyS_sendmsg+0x27/0x40
[   33.566468]  ? __sys_sendmsg+0x120/0x120
[   33.570505]  do_syscall_64+0x1d5/0x640
[   33.574368]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[   33.579536] RIP: 0033:0x7f95ae8c6249
[   33.583220] RSP: 002b:00007ffe7224bad8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[   33.590914] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f95ae8c6249
[   33.598156] RDX: 0000000000000000 RSI: 00000000200001c0 RDI: 0000000000000003
[   33.605408] RBP: 00007f95ae88a230 R08: 000000000000000c R09: 0000000000000000
[   33.612655] R10: 0000000000000006 R11: 0000000000000246 R12: 00007f95ae88a2c0
[   33.619904] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[   33.627171] 
[   33.628779] Allocated by task 7954:
[   33.632404]  kasan_kmalloc+0xeb/0x160
[   33.636205]  __kmalloc_track_caller+0x155/0x400
[   33.640855]  kmemdup+0x23/0x50
[   33.644044]  __tcf_ipt_init+0x464/0xc00
[   33.648002]  tcf_ipt_init+0x43/0x50
[   33.651606]  tcf_action_init_1+0x51a/0x9e0
[   33.655824]  tcf_action_init+0x26d/0x400
[   33.659860]  tc_ctl_action+0x2e3/0x510
[   33.663726]  rtnetlink_rcv_msg+0x3be/0xb10
[   33.667944]  netlink_rcv_skb+0x125/0x390
[   33.671988]  netlink_unicast+0x437/0x610
[   33.676034]  netlink_sendmsg+0x648/0xbc0
[   33.680090]  sock_sendmsg+0xb5/0x100
[   33.683788]  ___sys_sendmsg+0x6c8/0x800
[   33.687752]  __sys_sendmsg+0xa3/0x120
[   33.691528]  SyS_sendmsg+0x27/0x40
[   33.695045]  do_syscall_64+0x1d5/0x640
[   33.698924]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[   33.704090] 
[   33.705701] Freed by task 6210:
[   33.708969]  kasan_slab_free+0xc3/0x1a0
[   33.712921]  kfree+0xc9/0x250
[   33.716014]  single_release+0x85/0xb0
[   33.719794]  close_pdeo.part.0+0xdd/0x2c0
[   33.723917]  proc_reg_release+0x1fd/0x250
[   33.728049]  __fput+0x25f/0x7a0
[   33.731326]  task_work_run+0x11f/0x190
[   33.735199]  exit_to_usermode_loop+0x1ad/0x200
[   33.739809]  do_syscall_64+0x4a3/0x640
[   33.743681]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[   33.748853] 
[   33.750473] The buggy address belongs to the object at ffff8880b37669c0
[   33.750473]  which belongs to the cache kmalloc-32 of size 32
[   33.762937] The buggy address is located 31 bytes inside of
[   33.762937]  32-byte region [ffff8880b37669c0, ffff8880b37669e0)
[   33.774616] The buggy address belongs to the page:
[   33.779525] page:ffffea0002cdd980 count:1 mapcount:0 mapping:ffff8880b3766000 index:0xffff8880b3766fc1
[   33.788966] flags: 0xfff00000000100(slab)
[   33.793125] raw: 00fff00000000100 ffff8880b3766000 ffff8880b3766fc1 000000010000001f
[   33.801067] raw: ffffea000285f420 ffffea0002cc83a0 ffff88813fe741c0 0000000000000000
[   33.808924] page dumped because: kasan: bad access detected
[   33.814608] 
[   33.816211] Memory state around the buggy address:
[   33.821111]  ffff8880b3766880: 00 06 fc fc fc fc fc fc 00 00 fc fc fc fc fc fc
[   33.828444]  ffff8880b3766900: fb fb fb fb fc fc fc fc 00 01 fc fc fc fc fc fc
[   33.835783] >ffff8880b3766980: fb fb fb fb fc fc fc fc 03 fc fc fc fc fc fc fc
[   33.843148]                                                     ^
[   33.849451]  ffff8880b3766a00: fb fb fb fb fc fc fc fc 00 04 fc fc fc fc fc fc
[   33.856789]  ffff8880b3766a80: fb fb fb fb fc fc fc fc 00 02 fc fc fc fc fc fc
[   33.864137] ==================================================================
[   33.871468] Disabling lock debugging due to kernel taint
[   33.880178] Kernel panic - not syncing: panic_on_warn set ...
[   33.880178] 
[   33.887549] CPU: 0 PID: 7954 Comm: syz-executor126 Tainted: G    B           4.14.285-syzkaller #0
[   33.896636] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   33.905982] Call Trace:
[   33.908570]  dump_stack+0x1b2/0x281
[   33.912182]  panic+0x1f9/0x42d
[   33.915347]  ? add_taint.cold+0x16/0x16
[   33.919301]  ? ___preempt_schedule+0x16/0x18
[   33.923684]  kasan_end_report+0x43/0x49
[   33.927722]  kasan_report_error.cold+0xa7/0x191
[   33.932364]  ? ipt_init_target+0x213/0x250
[   33.936620]  __asan_report_load1_noabort+0x68/0x70
[   33.941520]  ? tcf_idr_create+0x300/0x780
[   33.945645]  ? ipt_init_target+0x213/0x250
[   33.949867]  ipt_init_target+0x213/0x250
[   33.953911]  ? tcf_ipt_walker+0x200/0x200
[   33.958038]  ? fs_reclaim_release+0xd0/0x110
[   33.962430]  ? memcpy+0x35/0x50
[   33.965706]  __tcf_ipt_init+0x48d/0xc00
[   33.969679]  ? ipt_init_target+0x250/0x250
[   33.973895]  ? tc_lookup_action_n+0xac/0xd0
[   33.978193]  ? lock_downgrade+0x740/0x740
[   33.982313]  tcf_ipt_init+0x43/0x50
[   33.985962]  tcf_action_init_1+0x51a/0x9e0
[   33.990177]  ? tcf_action_dump_old+0x80/0x80
[   33.994565]  ? nla_parse+0x157/0x1f0
[   33.998262]  tcf_action_init+0x26d/0x400
[   34.002305]  ? tcf_action_init_1+0x9e0/0x9e0
[   34.006740]  ? memset+0x20/0x40
[   34.009992]  ? nla_parse+0x157/0x1f0
[   34.013678]  tc_ctl_action+0x2e3/0x510
[   34.017566]  ? tca_action_gd+0x790/0x790
[   34.021600]  ? rtnetlink_rcv_msg+0x2e8/0xb10
[   34.025983]  ? tca_action_gd+0x790/0x790
[   34.030015]  rtnetlink_rcv_msg+0x3be/0xb10
[   34.034223]  ? rtnl_calcit.isra.0+0x3a0/0x3a0
[   34.038695]  ? __netlink_lookup+0x345/0x5d0
[   34.042989]  netlink_rcv_skb+0x125/0x390
[   34.047023]  ? rtnl_calcit.isra.0+0x3a0/0x3a0
[   34.051494]  ? netlink_ack+0x9a0/0x9a0
[   34.055355]  netlink_unicast+0x437/0x610
[   34.059391]  ? netlink_sendskb+0xd0/0xd0
[   34.063426]  ? __check_object_size+0x179/0x230
[   34.068085]  netlink_sendmsg+0x648/0xbc0
[   34.072120]  ? nlmsg_notify+0x1b0/0x1b0
[   34.076068]  ? kernel_recvmsg+0x210/0x210
[   34.080201]  ? security_socket_sendmsg+0x83/0xb0
[   34.084931]  ? nlmsg_notify+0x1b0/0x1b0
[   34.088890]  sock_sendmsg+0xb5/0x100
[   34.092580]  ___sys_sendmsg+0x6c8/0x800
[   34.096536]  ? copy_msghdr_from_user+0x3b0/0x3b0
[   34.101264]  ? lock_downgrade+0x740/0x740
[   34.105386]  ? __lru_cache_add+0x178/0x250
[   34.109594]  ? do_raw_spin_unlock+0x164/0x220
[   34.114079]  ? _raw_spin_unlock+0x29/0x40
[   34.118210]  ? do_huge_pmd_anonymous_page+0x72e/0x1700
[   34.123461]  ? prep_transhuge_page+0xa0/0xa0
[   34.127842]  ? _raw_spin_unlock+0x29/0x40
[   34.131973]  ? __pmd_alloc+0x27f/0x3f0
[   34.135833]  ? __handle_mm_fault+0x80f/0x4620
[   34.140299]  ? lock_downgrade+0x740/0x740
[   34.144418]  ? vm_insert_page+0x7c0/0x7c0
[   34.148537]  ? __fdget+0x167/0x1f0
[   34.152050]  ? sockfd_lookup_light+0xb2/0x160
[   34.156535]  __sys_sendmsg+0xa3/0x120
[   34.160307]  ? SyS_shutdown+0x160/0x160
[   34.164258]  ? up_read+0x17/0x30
[   34.167596]  ? __do_page_fault+0x159/0xad0
[   34.171802]  SyS_sendmsg+0x27/0x40
[   34.175313]  ? __sys_sendmsg+0x120/0x120
[   34.179348]  do_syscall_64+0x1d5/0x640
[   34.183212]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[   34.188376] RIP: 0033:0x7f95ae8c6249
[   34.192059] RSP: 002b:00007ffe7224bad8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[   34.199740] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f95ae8c6249
[   34.206988] RDX: 0000000000000000 RSI: 00000000200001c0 RDI: 0000000000000003
[   34.214241] RBP: 00007f95ae88a230 R08: 000000000000000c R09: 0000000000000000
[   34.221482] R10: 0000000000000006 R11: 0000000000000246 R12: 00007f95ae88a2c0
[   34.228723] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[   34.236040] Kernel Offset: disabled
[   34.239644] Rebooting in 86400 seconds..
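What follows is an added worked example, not part of the syzkaller log above: a small Python triage script that parses the KASAN report and checks the numbers it states against the shadow-memory dump it carries. The sample input is constructed from the log's own lines, with the stack traces truncated to their first frames. It makes explicit what a reader otherwise reconstructs by hand: the faulting read is at offset 31 of a 32-byte kmalloc-32 slot, but the shadow byte for the slot's first 8-byte granule is 03, i.e. the allocator marked only 3 bytes of the slot usable, so the 1-byte read at ffff8880b37669df lands in kmalloc redzone (0xfc), 29 bytes past the end of the kmemdup() copy that __tcf_ipt_init made, not past the slab slot itself. The poison values are the generic-KASAN ones from mm/kasan/kasan.h for v4.14 on x86_64; the list of allocator frames to skip when naming the allocation site is my own choice.

```python
"""Triage a KASAN slab-out-of-bounds report by cross-checking its claims against the
shadow-memory dump it carries.  Added example; not part of the syzkaller log above.
SAMPLE is constructed from that log's own lines (stack frames truncated)."""
import re

SAMPLE = """\
[   33.274019] BUG: KASAN: slab-out-of-bounds in ipt_init_target+0x213/0x250
[   33.280931] Read of size 1 at addr ffff8880b37669df by task syz-executor126/7954
[   33.628779] Allocated by task 7954:
[   33.632404]  kasan_kmalloc+0xeb/0x160
[   33.636205]  __kmalloc_track_caller+0x155/0x400
[   33.640855]  kmemdup+0x23/0x50
[   33.644044]  __tcf_ipt_init+0x464/0xc00
[   33.704090]
[   33.705701] Freed by task 6210:
[   33.708969]  kasan_slab_free+0xc3/0x1a0
[   33.712921]  kfree+0xc9/0x250
[   33.716014]  single_release+0x85/0xb0
[   33.748853]
[   33.750473] The buggy address belongs to the object at ffff8880b37669c0
[   33.750473]  which belongs to the cache kmalloc-32 of size 32
[   33.762937] The buggy address is located 31 bytes inside of
[   33.762937]  32-byte region [ffff8880b37669c0, ffff8880b37669e0)
[   33.816211] Memory state around the buggy address:
[   33.828444]  ffff8880b3766900: fb fb fb fb fc fc fc fc 00 01 fc fc fc fc fc fc
[   33.835783] >ffff8880b3766980: fb fb fb fb fc fc fc fc 03 fc fc fc fc fc fc fc
"""

# Shadow poison values of generic KASAN on x86_64 (mm/kasan/kasan.h, v4.14).
# 0x00 = all 8 bytes of the granule addressable, 0x01..0x07 = only that many bytes.
POISON = {0xFF: "free page", 0xFE: "page redzone", 0xFC: "kmalloc redzone",
          0xFB: "kmalloc freed", 0xFA: "global redzone"}
ALLOCATOR = ("kasan_", "__kmalloc", "kmalloc", "kmemdup", "kmem_cache")  # frames to skip
TS = re.compile(r"^\[\s*\d+\.\d+\]\s?")
FRAME = re.compile(r"^\S+\+0x[0-9a-f]+/0x[0-9a-f]+$")
SHADOW_ROW = re.compile(r"^>?([0-9a-f]{16}): ((?:[0-9a-f]{2} ?){16})$")


def parse_report(text):
    """Pull the header, object geometry, alloc/free stacks and shadow rows out of a report."""
    r = {"shadow": {}, "alloc_stack": [], "free_stack": []}
    section = None
    for raw in text.splitlines():
        line = TS.sub("", raw).strip()
        if m := re.match(r"BUG: KASAN: (\S+) in (\S+)", line):
            r["bug"], r["func"] = m.groups()
        elif m := re.match(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (\S+)/(\d+)", line):
            r["access"], r["size"], r["addr"] = m[1].lower(), int(m[2]), int(m[3], 16)
            r["task"], r["pid"] = m[4], int(m[5])
        elif m := re.match(r"The buggy address belongs to the object at ([0-9a-f]+)", line):
            r["object"] = int(m[1], 16)
        elif m := re.match(r"which belongs to the cache (\S+) of size (\d+)", line):
            r["cache"], r["cache_size"] = m[1], int(m[2])
        elif m := re.match(r"\d+-byte region \[([0-9a-f]+), ([0-9a-f]+)\)", line):
            r["region"] = (int(m[1], 16), int(m[2], 16))
        elif m := re.match(r"(Allocated|Freed) by task (\d+):", line):
            section = "alloc_stack" if m[1] == "Allocated" else "free_stack"
            r[section.split("_")[0] + "_pid"] = int(m[2])
        elif m := SHADOW_ROW.match(line):   # row label is the memory address, 16 granules
            r["shadow"][int(m[1], 16)] = [int(b, 16) for b in m[2].split()]
        elif section and FRAME.match(line):
            r[section].append(line)
        else:
            section = None   # a blank line or other text ends a stack section
    return r


def shadow_at(r, addr):
    """Shadow byte covering addr: each dumped row covers 128 bytes, one byte per 8-byte granule."""
    row = addr & ~0x7F
    return r["shadow"][row][(addr - row) >> 3]


def describe(val):
    if val == 0:
        return "addressable"
    if 1 <= val <= 7:
        return "partially addressable (%d bytes)" % val
    return POISON.get(val, "poison 0x%02x" % val)


def requested_size(r):
    """Bytes the allocator actually marked usable, read back from the shadow: whole
    granules of 00, then the count in a partial granule; stops at the first poison byte."""
    n, addr = 0, r["object"]
    while addr < r["region"][1]:
        v = shadow_at(r, addr)
        if 1 <= v <= 7:
            return n + v
        if v != 0:
            return n
        n, addr = n + 8, addr + 8
    return n


def alloc_site(r):
    """First allocation-stack frame outside the allocator itself."""
    return next((f for f in r["alloc_stack"] if not f.startswith(ALLOCATOR)), None)


def triage(r):
    """Cross-check the report's own numbers against its shadow dump."""
    usable = requested_size(r)
    last = r["addr"] + r["size"] - 1
    return {
        "offset": r["addr"] - r["object"],
        "in_slab_object": r["region"][0] <= r["addr"] < r["region"][1],
        "requested_size": usable,
        "bytes_past_allocation": last - (r["object"] + usable) + 1,
        "shadow_at_access": describe(shadow_at(r, r["addr"])),
        "alloc_site": alloc_site(r),
        # for an out-of-bounds on a live slot the "Freed by" stack is a previous occupant's
        "free_stack_is_stale": r["bug"] != "use-after-free",
    }


if __name__ == "__main__":
    for k, v in triage(parse_report(SAMPLE)).items():
        print("%-22s %s" % (k, v))
```

One caveat the script encodes: for a slab-out-of-bounds the slot is still live, so the "Freed by task 6210" stack (single_release via procfs) describes an earlier occupant of that kmalloc-32 slot and is noise for this bug; the "Allocated by task 7954" stack, ending in kmemdup from __tcf_ipt_init, is the one to chase.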