[....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c. Starting mcstransd: [ 94.967107][ T27] audit: type=1400 audit(1579479643.639:37): avc: denied { watch } for pid=10235 comm="restorecond" path="/root/.ssh" dev="sda1" ino=16179 scontext=system_u:system_r:kernel_t:s0 tcontext=unconfined_u:object_r:ssh_home_t:s0 tclass=dir permissive=1 [....] Starting file context maintaining daemon: restorecond[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[ ok 8[?25h[?0c. Debian GNU/Linux 7 syzkaller ttyS0 syzkaller login: [ 98.443144][ T27] kauditd_printk_skb: 3 callbacks suppressed [ 98.443160][ T27] audit: type=1400 audit(1579479647.119:41): avc: denied { map } for pid=10324 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1 Warning: Permanently added '10.128.0.7' (ECDSA) to the list of known hosts. [ 105.171873][ T27] audit: type=1400 audit(1579479653.839:42): avc: denied { map } for pid=10336 comm="syz-executor506" path="/root/syz-executor506017696" dev="sda1" ino=16484 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1 [ 105.176543][T10336] ================================================================== [ 105.199237][ T27] audit: type=1400 audit(1579479653.849:43): avc: denied { create } for pid=10336 comm="syz-executor506" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_netfilter_socket permissive=1 [ 105.207064][T10336] BUG: KASAN: slab-out-of-bounds in bitmap_ip_list+0x40f/0xf20 [ 105.207075][T10336] Read of size 8 at addr ffff8880a7b3c500 by task syz-executor506/10336 [ 105.207078][T10336] [ 105.207093][T10336] CPU: 0 PID: 10336 Comm: syz-executor506 Not tainted 5.5.0-rc6-syzkaller #0 [ 105.207101][T10336] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 105.207112][T10336] Call Trace: [ 105.233114][ T27] audit: type=1400 audit(1579479653.849:44): avc: denied { write } for pid=10336 comm="syz-executor506" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_netfilter_socket permissive=1 [ 105.239557][T10336] dump_stack+0x197/0x210 [ 105.301298][T10336] ? bitmap_ip_list+0x40f/0xf20 [ 105.306132][T10336] print_address_description.constprop.0.cold+0xd4/0x30b [ 105.313130][T10336] ? bitmap_ip_list+0x40f/0xf20 [ 105.317954][T10336] ? bitmap_ip_list+0x40f/0xf20 [ 105.322780][T10336] __kasan_report.cold+0x1b/0x41 [ 105.327696][T10336] ? bitmap_ip_list+0x40f/0xf20 [ 105.332525][T10336] kasan_report+0x12/0x20 [ 105.336832][T10336] check_memory_region+0x134/0x1a0 [ 105.341939][T10336] __kasan_check_read+0x11/0x20 [ 105.346777][T10336] bitmap_ip_list+0x40f/0xf20 [ 105.351435][T10336] ? bitmap_ip_add+0xe60/0xe60 [ 105.356178][T10336] ? nla_put+0x110/0x150 [ 105.360399][T10336] ip_set_dump_start+0x96c/0x1ca0 [ 105.365404][T10336] ? ip_set_rename+0x720/0x720 [ 105.370148][T10336] ? __kmalloc_reserve.isra.0+0xf0/0xf0 [ 105.375752][T10336] ? perf_trace_lock_acquire+0x4a0/0x530 [ 105.381391][T10336] ? __kasan_check_write+0x14/0x20 [ 105.386489][T10336] netlink_dump+0x558/0xfb0 [ 105.390989][T10336] ? __netlink_sendskb+0xc0/0xc0 [ 105.395919][T10336] __netlink_dump_start+0x66a/0x930 [ 105.401102][T10336] ip_set_dump+0x15a/0x1d0 [ 105.405500][T10336] ? call_ad+0x5a0/0x5a0 [ 105.409720][T10336] ? ip_set_rename+0x720/0x720 [ 105.414481][T10336] ? __ip_set_put_netlink.isra.0+0x90/0x90 [ 105.420282][T10336] ? call_ad+0x5a0/0x5a0 [ 105.424504][T10336] nfnetlink_rcv_msg+0xcf2/0xfb0 [ 105.429425][T10336] ? nfnetlink_bind+0x2c0/0x2c0 [ 105.434268][T10336] ? avc_has_extended_perms+0x10f0/0x10f0 [ 105.439968][T10336] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 105.446185][T10336] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 105.452414][T10336] ? cred_has_capability+0x199/0x330 [ 105.457689][T10336] ? selinux_sb_eat_lsm_opts+0x700/0x700 [ 105.463300][T10336] ? selinux_sb_eat_lsm_opts+0x700/0x700 [ 105.468910][T10336] ? __check_heap_object+0x53/0xb3 [ 105.473995][T10336] ? __lock_acquire+0x8a0/0x4a00 [ 105.478911][T10336] netlink_rcv_skb+0x177/0x450 [ 105.483673][T10336] ? nfnetlink_bind+0x2c0/0x2c0 [ 105.488525][T10336] ? netlink_ack+0xb50/0xb50 [ 105.493162][T10336] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 105.499558][T10336] ? ns_capable_common+0x93/0x100 [ 105.504565][T10336] ? ns_capable+0x20/0x30 [ 105.508888][T10336] ? __netlink_ns_capable+0x104/0x140 [ 105.514259][T10336] nfnetlink_rcv+0x1ba/0x460 [ 105.518834][T10336] ? nfnetlink_rcv_batch+0x17a0/0x17a0 [ 105.524275][T10336] ? netlink_deliver_tap+0x24a/0xbe0 [ 105.529552][T10336] ? __kasan_check_write+0x14/0x20 [ 105.534651][T10336] netlink_unicast+0x58c/0x7d0 [ 105.539397][T10336] ? netlink_attachskb+0x870/0x870 [ 105.544502][T10336] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 105.550722][T10336] netlink_sendmsg+0x91c/0xea0 [ 105.555468][T10336] ? netlink_unicast+0x7d0/0x7d0 [ 105.560387][T10336] ? tomoyo_socket_sendmsg+0x26/0x30 [ 105.565654][T10336] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 105.571872][T10336] ? security_socket_sendmsg+0x8d/0xc0 [ 105.577309][T10336] ? netlink_unicast+0x7d0/0x7d0 [ 105.582223][T10336] sock_sendmsg+0xd7/0x130 [ 105.586616][T10336] ____sys_sendmsg+0x753/0x880 [ 105.591359][T10336] ? kernel_sendmsg+0x50/0x50 [ 105.596014][T10336] ? rcu_lockdep_current_cpu_online+0xe3/0x130 [ 105.602149][T10336] ___sys_sendmsg+0x100/0x170 [ 105.606805][T10336] ? sendmsg_copy_msghdr+0x70/0x70 [ 105.611891][T10336] ? __kasan_check_read+0x11/0x20 [ 105.616911][T10336] ? __lock_acquire+0x8a0/0x4a00 [ 105.621858][T10336] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 105.628083][T10336] ? __this_cpu_preempt_check+0x35/0x190 [ 105.633697][T10336] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 105.639919][T10336] ? percpu_counter_add_batch+0x13c/0x190 [ 105.645633][T10336] ? __fd_install+0x1bc/0x640 [ 105.650313][T10336] ? find_held_lock+0x35/0x130 [ 105.655059][T10336] ? __fd_install+0x1bc/0x640 [ 105.659723][T10336] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 105.665950][T10336] ? __fget_light+0x1a9/0x230 [ 105.670629][T10336] ? __fdget+0x1b/0x20 [ 105.674690][T10336] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 105.680928][T10336] __sys_sendmsg+0x105/0x1d0 [ 105.685502][T10336] ? __sys_sendmsg_sock+0xc0/0xc0 [ 105.690515][T10336] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 105.695957][T10336] ? do_syscall_64+0x26/0x790 [ 105.700617][T10336] ? entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 105.706664][T10336] ? do_syscall_64+0x26/0x790 [ 105.711325][T10336] __x64_sys_sendmsg+0x78/0xb0 [ 105.716069][T10336] do_syscall_64+0xfa/0x790 [ 105.720556][T10336] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 105.726423][T10336] RIP: 0033:0x440569 [ 105.730298][T10336] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 fb 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00 [ 105.749894][T10336] RSP: 002b:00007ffda8ba3b78 EFLAGS: 00000246 ORIG_RAX: 000000000000002e [ 105.758292][T10336] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440569 [ 105.766241][T10336] RDX: 0000000000000010 RSI: 00000000200003c0 RDI: 0000000000000004 [ 105.774192][T10336] RBP: 00000000006ca018 R08: 00000000004002c8 R09: 00000000004002c8 [ 105.782142][T10336] R10: 00000000004002c8 R11: 0000000000000246 R12: 0000000000401df0 [ 105.790089][T10336] R13: 0000000000401e80 R14: 0000000000000000 R15: 0000000000000000 [ 105.798056][T10336] [ 105.800364][T10336] Allocated by task 10336: [ 105.804808][T10336] save_stack+0x23/0x90 [ 105.808943][T10336] __kasan_kmalloc.constprop.0+0xcf/0xe0 [ 105.814620][T10336] kasan_kmalloc+0x9/0x10 [ 105.818932][T10336] __kmalloc+0x163/0x770 [ 105.823151][T10336] ip_set_alloc+0x38/0x5e [ 105.827469][T10336] bitmap_ip_create+0x6ec/0xc20 [ 105.832296][T10336] ip_set_create+0x6f1/0x1500 [ 105.836949][T10336] nfnetlink_rcv_msg+0xcf2/0xfb0 [ 105.841859][T10336] netlink_rcv_skb+0x177/0x450 [ 105.846602][T10336] nfnetlink_rcv+0x1ba/0x460 [ 105.851168][T10336] netlink_unicast+0x58c/0x7d0 [ 105.855907][T10336] netlink_sendmsg+0x91c/0xea0 [ 105.860645][T10336] sock_sendmsg+0xd7/0x130 [ 105.865038][T10336] ____sys_sendmsg+0x753/0x880 [ 105.869776][T10336] ___sys_sendmsg+0x100/0x170 [ 105.874491][T10336] __sys_sendmsg+0x105/0x1d0 [ 105.879055][T10336] __x64_sys_sendmsg+0x78/0xb0 [ 105.883797][T10336] do_syscall_64+0xfa/0x790 [ 105.888277][T10336] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 105.894139][T10336] [ 105.896444][T10336] Freed by task 10108: [ 105.900525][T10336] save_stack+0x23/0x90 [ 105.904657][T10336] __kasan_slab_free+0x102/0x150 [ 105.909591][T10336] kasan_slab_free+0xe/0x10 [ 105.914093][T10336] kfree+0x10a/0x2c0 [ 105.917969][T10336] security_cred_free+0xa9/0x110 [ 105.922888][T10336] put_cred_rcu+0x129/0x4b0 [ 105.927372][T10336] __put_cred+0x1ef/0x270 [ 105.931683][T10336] do_faccessat+0x693/0x7f0 [ 105.936165][T10336] __x64_sys_access+0x59/0x80 [ 105.940822][T10336] do_syscall_64+0xfa/0x790 [ 105.945304][T10336] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 105.951184][T10336] [ 105.953502][T10336] The buggy address belongs to the object at ffff8880a7b3c500 [ 105.953502][T10336] which belongs to the cache kmalloc-32 of size 32 [ 105.967367][T10336] The buggy address is located 0 bytes inside of [ 105.967367][T10336] 32-byte region [ffff8880a7b3c500, ffff8880a7b3c520) [ 105.980354][T10336] The buggy address belongs to the page: [ 105.985967][T10336] page:ffffea00029ecf00 refcount:1 mapcount:0 mapping:ffff8880aa4001c0 index:0xffff8880a7b3cfc1 [ 105.996373][T10336] raw: 00fffe0000000200 ffffea0002623e88 ffffea000269b348 ffff8880aa4001c0 [ 106.004943][T10336] raw: ffff8880a7b3cfc1 ffff8880a7b3c000 000000010000003d 0000000000000000 [ 106.013499][T10336] page dumped because: kasan: bad access detected [ 106.019880][T10336] [ 106.022183][T10336] Memory state around the buggy address: [ 106.027793][T10336] ffff8880a7b3c400: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc [ 106.035830][T10336] ffff8880a7b3c480: 00 00 01 fc fc fc fc fc 00 00 00 04 fc fc fc fc [ 106.043866][T10336] >ffff8880a7b3c500: 04 fc fc fc fc fc fc fc fb fb fb fb fc fc fc fc [ 106.051901][T10336] ^ [ 106.055946][T10336] ffff8880a7b3c580: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc [ 106.063980][T10336] ffff8880a7b3c600: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc executing program [ 106.072013][T10336] ================================================================== [ 106.080045][T10336] Disabling lock debugging due to kernel taint [ 106.087696][T10336] Kernel panic - not syncing: panic_on_warn set ... [ 106.094297][T10336] CPU: 0 PID: 10336 Comm: syz-executor506 Tainted: G B 5.5.0-rc6-syzkaller #0 [ 106.104414][T10336] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 106.114464][T10336] Call Trace: [ 106.117740][T10336] dump_stack+0x197/0x210 [ 106.122047][T10336] panic+0x2e3/0x75c [ 106.125916][T10336] ? add_taint.cold+0x16/0x16 [ 106.130574][T10336] ? bitmap_ip_list+0x40f/0xf20 [ 106.135419][T10336] ? preempt_schedule+0x4b/0x60 [ 106.140244][T10336] ? ___preempt_schedule+0x16/0x18 [ 106.145333][T10336] ? trace_hardirqs_on+0x5e/0x240 [ 106.150332][T10336] ? bitmap_ip_list+0x40f/0xf20 [ 106.155158][T10336] end_report+0x47/0x4f [ 106.159290][T10336] ? bitmap_ip_list+0x40f/0xf20 [ 106.164114][T10336] __kasan_report.cold+0xe/0x41 [ 106.168941][T10336] ? bitmap_ip_list+0x40f/0xf20 [ 106.173783][T10336] kasan_report+0x12/0x20 [ 106.178086][T10336] check_memory_region+0x134/0x1a0 [ 106.183173][T10336] __kasan_check_read+0x11/0x20 [ 106.188013][T10336] bitmap_ip_list+0x40f/0xf20 [ 106.192665][T10336] ? bitmap_ip_add+0xe60/0xe60 [ 106.197404][T10336] ? nla_put+0x110/0x150 [ 106.201619][T10336] ip_set_dump_start+0x96c/0x1ca0 [ 106.206619][T10336] ? ip_set_rename+0x720/0x720 [ 106.211357][T10336] ? __kmalloc_reserve.isra.0+0xf0/0xf0 [ 106.216879][T10336] ? perf_trace_lock_acquire+0x4a0/0x530 [ 106.222487][T10336] ? __kasan_check_write+0x14/0x20 [ 106.227574][T10336] netlink_dump+0x558/0xfb0 [ 106.232069][T10336] ? __netlink_sendskb+0xc0/0xc0 [ 106.236983][T10336] __netlink_dump_start+0x66a/0x930 [ 106.242156][T10336] ip_set_dump+0x15a/0x1d0 [ 106.246563][T10336] ? call_ad+0x5a0/0x5a0 [ 106.250780][T10336] ? ip_set_rename+0x720/0x720 [ 106.255522][T10336] ? __ip_set_put_netlink.isra.0+0x90/0x90 [ 106.261303][T10336] ? call_ad+0x5a0/0x5a0 [ 106.265521][T10336] nfnetlink_rcv_msg+0xcf2/0xfb0 [ 106.270438][T10336] ? nfnetlink_bind+0x2c0/0x2c0 [ 106.275265][T10336] ? avc_has_extended_perms+0x10f0/0x10f0 [ 106.280960][T10336] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 106.287195][T10336] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 106.293427][T10336] ? cred_has_capability+0x199/0x330 [ 106.298702][T10336] ? selinux_sb_eat_lsm_opts+0x700/0x700 [ 106.304314][T10336] ? selinux_sb_eat_lsm_opts+0x700/0x700 [ 106.309934][T10336] ? __check_heap_object+0x53/0xb3 [ 106.315025][T10336] ? __lock_acquire+0x8a0/0x4a00 [ 106.319987][T10336] netlink_rcv_skb+0x177/0x450 [ 106.324730][T10336] ? nfnetlink_bind+0x2c0/0x2c0 [ 106.329554][T10336] ? netlink_ack+0xb50/0xb50 [ 106.334120][T10336] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 106.340338][T10336] ? ns_capable_common+0x93/0x100 [ 106.345374][T10336] ? ns_capable+0x20/0x30 [ 106.349681][T10336] ? __netlink_ns_capable+0x104/0x140 [ 106.355030][T10336] nfnetlink_rcv+0x1ba/0x460 [ 106.359596][T10336] ? nfnetlink_rcv_batch+0x17a0/0x17a0 [ 106.365027][T10336] ? netlink_deliver_tap+0x24a/0xbe0 [ 106.370286][T10336] ? __kasan_check_write+0x14/0x20 [ 106.375408][T10336] netlink_unicast+0x58c/0x7d0 [ 106.380146][T10336] ? netlink_attachskb+0x870/0x870 [ 106.385233][T10336] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 106.391447][T10336] netlink_sendmsg+0x91c/0xea0 [ 106.396191][T10336] ? netlink_unicast+0x7d0/0x7d0 [ 106.401120][T10336] ? tomoyo_socket_sendmsg+0x26/0x30 [ 106.406381][T10336] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 106.412611][T10336] ? security_socket_sendmsg+0x8d/0xc0 [ 106.418070][T10336] ? netlink_unicast+0x7d0/0x7d0 [ 106.422996][T10336] sock_sendmsg+0xd7/0x130 [ 106.427403][T10336] ____sys_sendmsg+0x753/0x880 [ 106.432146][T10336] ? kernel_sendmsg+0x50/0x50 [ 106.436805][T10336] ? rcu_lockdep_current_cpu_online+0xe3/0x130 [ 106.442950][T10336] ___sys_sendmsg+0x100/0x170 [ 106.447611][T10336] ? sendmsg_copy_msghdr+0x70/0x70 [ 106.452742][T10336] ? __kasan_check_read+0x11/0x20 [ 106.457743][T10336] ? __lock_acquire+0x8a0/0x4a00 [ 106.462660][T10336] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 106.468915][T10336] ? __this_cpu_preempt_check+0x35/0x190 [ 106.474525][T10336] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 106.480739][T10336] ? percpu_counter_add_batch+0x13c/0x190 [ 106.486466][T10336] ? __fd_install+0x1bc/0x640 [ 106.491116][T10336] ? find_held_lock+0x35/0x130 [ 106.495852][T10336] ? __fd_install+0x1bc/0x640 [ 106.500506][T10336] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 106.506719][T10336] ? __fget_light+0x1a9/0x230 [ 106.511439][T10336] ? __fdget+0x1b/0x20 [ 106.515493][T10336] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 106.521713][T10336] __sys_sendmsg+0x105/0x1d0 [ 106.526282][T10336] ? __sys_sendmsg_sock+0xc0/0xc0 [ 106.531289][T10336] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 106.536724][T10336] ? do_syscall_64+0x26/0x790 [ 106.541374][T10336] ? entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 106.547449][T10336] ? do_syscall_64+0x26/0x790 [ 106.552104][T10336] __x64_sys_sendmsg+0x78/0xb0 [ 106.556857][T10336] do_syscall_64+0xfa/0x790 [ 106.561339][T10336] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 106.567205][T10336] RIP: 0033:0x440569 [ 106.571076][T10336] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 fb 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00 [ 106.590654][T10336] RSP: 002b:00007ffda8ba3b78 EFLAGS: 00000246 ORIG_RAX: 000000000000002e [ 106.599036][T10336] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440569 [ 106.607002][T10336] RDX: 0000000000000010 RSI: 00000000200003c0 RDI: 0000000000000004 [ 106.614961][T10336] RBP: 00000000006ca018 R08: 00000000004002c8 R09: 00000000004002c8 [ 106.622908][T10336] R10: 00000000004002c8 R11: 0000000000000246 R12: 0000000000401df0 [ 106.630853][T10336] R13: 0000000000401e80 R14: 0000000000000000 R15: 0000000000000000 [ 106.640066][T10336] Kernel Offset: disabled [ 106.644386][T10336] Rebooting in 86400 seconds..