[ 39.039278] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.15.194' (ECDSA) to the list of known hosts.
[ 44.716493] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[ 44.844907] audit: type=1400 audit(1582969593.600:36): avc: denied { map } for pid=7452 comm="syz-executor259" path="/root/syz-executor259891909" dev="sda1" ino=16484 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 44.848058] netlink: 40 bytes leftover after parsing attributes in process `syz-executor259'.
[ 44.871823] audit: type=1400 audit(1582969593.600:37): avc: denied { create } for pid=7452 comm="syz-executor259" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_netfilter_socket permissive=1
[ 44.904746] ==================================================================
[ 44.904762] audit: type=1400 audit(1582969593.600:38): avc: denied { write } for pid=7452 comm="syz-executor259" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_netfilter_socket permissive=1
[ 44.936287] BUG: KASAN: global-out-of-bounds in nfnetlink_parse_nat_setup+0x364/0x370
[ 44.944252] Read of size 8 at addr ffffffff873ca678 by task syz-executor259/7452
[ 44.951884]
[ 44.953500] CPU: 1 PID: 7452 Comm: syz-executor259 Not tainted 4.14.172-syzkaller #0
[ 44.961358] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 44.971346] Call Trace:
[ 44.973974]  dump_stack+0x13e/0x194
[ 44.977587]  ? nfnetlink_parse_nat_setup+0x364/0x370
[ 44.982676]  print_address_description.cold+0x5/0x1e2
[ 44.987863]  ? nfnetlink_parse_nat_setup+0x364/0x370
[ 44.992960]  kasan_report.cold+0xa9/0x2ae
[ 44.997090]  nfnetlink_parse_nat_setup+0x364/0x370
[ 45.002027]  ? nf_nat_alloc_null_binding+0x40/0x40
[ 45.006942]  ? nf_nat_alloc_null_binding+0x40/0x40
[ 45.011869]  ctnetlink_parse_nat_setup+0x70/0x490
[ 45.016694]  ctnetlink_create_conntrack+0x437/0x1040
[ 45.021786]  ? ctnetlink_del_conntrack+0x5a0/0x5a0
[ 45.026713]  ? __do_once_done+0x1be/0x240
[ 45.030844]  ? hash_conntrack_raw+0x2ab/0x410
[ 45.035316]  ? nf_ct_get_id+0x160/0x160
[ 45.039273]  ctnetlink_new_conntrack+0x460/0xc30
[ 45.044010]  ? ctnetlink_create_conntrack+0x1040/0x1040
[ 45.049367]  ? mutex_trylock+0x1a0/0x1a0
[ 45.053415]  ? ctnetlink_create_conntrack+0x1040/0x1040
[ 45.058763]  nfnetlink_rcv_msg+0xa08/0xc00
[ 45.063006]  ? __kernel_text_address+0x9/0x30
[ 45.067499]  netlink_rcv_skb+0x127/0x370
[ 45.071552]  ? __lock_acquire+0x513/0x4620
[ 45.075784]  ? nfnetlink_bind+0x240/0x240
[ 45.079928]  ? netlink_ack+0x960/0x960
[ 45.084001]  ? ns_capable_common+0x127/0x150
[ 45.088403]  nfnetlink_rcv+0x1ab/0x1650
[ 45.092384]  ? find_held_lock+0x2d/0x110
[ 45.096652]  ? __netlink_lookup+0x2de/0x590
[ 45.101174]  ? save_trace+0x290/0x290
[ 45.104975]  ? save_trace+0x290/0x290
[ 45.108825]  ? nfnl_err_del+0x150/0x150
[ 45.112802]  ? find_held_lock+0x2d/0x110
[ 45.116861]  ? netlink_deliver_tap+0x90/0x860
[ 45.121407]  ? rcu_is_watching+0x11/0xb0
[ 45.125456]  ? lock_downgrade+0x6e0/0x6e0
[ 45.129617]  netlink_unicast+0x437/0x620
[ 45.133689]  ? netlink_attachskb+0x600/0x600
[ 45.138130]  netlink_sendmsg+0x733/0xbe0
[ 45.142197]  ? netlink_unicast+0x620/0x620
[ 45.146419]  ? SYSC_sendto+0x2b0/0x2b0
[ 45.150299]  ? security_socket_sendmsg+0x83/0xb0
[ 45.155198]  ? netlink_unicast+0x620/0x620
[ 45.159420]  sock_sendmsg+0xc5/0x100
[ 45.163134]  ___sys_sendmsg+0x70a/0x840
[ 45.167263]  ? do_huge_pmd_anonymous_page+0xc63/0x11e0
[ 45.172619]  ? copy_msghdr_from_user+0x380/0x380
[ 45.177456]  ? lock_downgrade+0x6e0/0x6e0
[ 45.181632]  ? __lru_cache_add+0x17b/0x250
[ 45.185904]  ? do_raw_spin_unlock+0x164/0x250
[ 45.190384]  ? _raw_spin_unlock+0x29/0x40
[ 45.194515]  ? prep_transhuge_page+0xa0/0xa0
[ 45.198902]  ? pud_val+0x6c/0xd0
[ 45.202248]  ? pmd_val+0xd0/0xd0
[ 45.205592]  ? trace_hardirqs_on+0x10/0x10
[ 45.209806]  ? __handle_mm_fault+0x644/0x3280
[ 45.214281]  ? save_trace+0x290/0x290
[ 45.218059]  ? copy_page_range+0x1d70/0x1d70
[ 45.222638]  ? __fget_light+0x16a/0x1f0
[ 45.226595]  ? sockfd_lookup_light+0xb2/0x160
[ 45.231071]  __sys_sendmsg+0xa3/0x120
[ 45.234853]  ? SyS_shutdown+0x160/0x160
[ 45.238810]  ? up_read+0x17/0x30
[ 45.242157]  ? __do_page_fault+0x35b/0xb40
[ 45.246387]  SyS_sendmsg+0x27/0x40
[ 45.249995]  ? __sys_sendmsg+0x120/0x120
[ 45.254094]  do_syscall_64+0x1d5/0x640
[ 45.257974]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 45.263150] RIP: 0033:0x4401a9
[ 45.266350] RSP: 002b:00007ffe366dfc88 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 45.274040] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 00000000004401a9
[ 45.281290] RDX: 0000000000000000 RSI: 0000000020000280 RDI: 0000000000000003
[ 45.288557] RBP: 00000000006ca018 R08: 0000000000000000 R09: 00000000004002c8
[ 45.295828] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000401a30
[ 45.303093] R13: 0000000000401ac0 R14: 0000000000000000 R15: 0000000000000000
[ 45.311069]
[ 45.312675] The buggy address belongs to the variable:
[ 45.317952]  nft_notrack_ops+0xb8/0xc0
[ 45.321813]
[ 45.323438] Memory state around the buggy address:
[ 45.328363]  ffffffff873ca500: 00 00 00 00 00 00 fa fa fa fa fa fa 00 00 00 00
[ 45.335703]  ffffffff873ca580: 00 00 00 00 fa fa fa fa 00 00 00 00 00 00 00 00
[ 45.343041] >ffffffff873ca600: 00 00 00 fa fa fa fa fa 00 fa fa fa fa fa fa fa
[ 45.350421]                                                                 ^
[ 45.357672]  ffffffff873ca680: 00 00 00 00 00 00 00 00 00 00 00 fa fa fa fa fa
[ 45.365025]  ffffffff873ca700: 00 00 00 00 00 00 00 00 00 00 00 fa fa fa fa fa
[ 45.372373] ==================================================================
[ 45.379716] Disabling lock debugging due to kernel taint
[ 45.385977] Kernel panic - not syncing: panic_on_warn set ...
[ 45.385977]
[ 45.393348] CPU: 1 PID: 7452 Comm: syz-executor259 Tainted: G B 4.14.172-syzkaller #0
[ 45.402433] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 45.411774] Call Trace:
[ 45.414363]  dump_stack+0x13e/0x194
[ 45.417969]  panic+0x1f9/0x42d
[ 45.421140]  ? add_taint.cold+0x16/0x16
[ 45.425095]  ? preempt_schedule_common+0x4a/0xc0
[ 45.429843]  ? nfnetlink_parse_nat_setup+0x364/0x370
[ 45.434939]  ? ___preempt_schedule+0x16/0x18
[ 45.439343]  ? nfnetlink_parse_nat_setup+0x364/0x370
[ 45.444780]  kasan_end_report+0x43/0x49
[ 45.448856]  kasan_report.cold+0x12f/0x2ae
[ 45.453080]  nfnetlink_parse_nat_setup+0x364/0x370
[ 45.457996]  ? nf_nat_alloc_null_binding+0x40/0x40
[ 45.462911]  ? nf_nat_alloc_null_binding+0x40/0x40
[ 45.467886]  ctnetlink_parse_nat_setup+0x70/0x490
[ 45.472763]  ctnetlink_create_conntrack+0x437/0x1040
[ 45.477890]  ? ctnetlink_del_conntrack+0x5a0/0x5a0
[ 45.482848]  ? __do_once_done+0x1be/0x240
[ 45.486976]  ? hash_conntrack_raw+0x2ab/0x410
[ 45.491470]  ? nf_ct_get_id+0x160/0x160
[ 45.495426]  ctnetlink_new_conntrack+0x460/0xc30
[ 45.500166]  ? ctnetlink_create_conntrack+0x1040/0x1040
[ 45.505512]  ? mutex_trylock+0x1a0/0x1a0
[ 45.509611]  ? ctnetlink_create_conntrack+0x1040/0x1040
[ 45.515004]  nfnetlink_rcv_msg+0xa08/0xc00
[ 45.519272]  ? __kernel_text_address+0x9/0x30
[ 45.523771]  netlink_rcv_skb+0x127/0x370
[ 45.527984]  ? __lock_acquire+0x513/0x4620
[ 45.532207]  ? nfnetlink_bind+0x240/0x240
[ 45.536423]  ? netlink_ack+0x960/0x960
[ 45.540304]  ? ns_capable_common+0x127/0x150
[ 45.544700]  nfnetlink_rcv+0x1ab/0x1650
[ 45.548651]  ? find_held_lock+0x2d/0x110
[ 45.552689]  ? __netlink_lookup+0x2de/0x590
[ 45.556987]  ? save_trace+0x290/0x290
[ 45.560765]  ? save_trace+0x290/0x290
[ 45.564544]  ? nfnl_err_del+0x150/0x150
[ 45.568495]  ? find_held_lock+0x2d/0x110
[ 45.572636]  ? netlink_deliver_tap+0x90/0x860
[ 45.577139]  ? rcu_is_watching+0x11/0xb0
[ 45.581236]  ? lock_downgrade+0x6e0/0x6e0
[ 45.585433]  netlink_unicast+0x437/0x620
[ 45.589479]  ? netlink_attachskb+0x600/0x600
[ 45.593868]  netlink_sendmsg+0x733/0xbe0
[ 45.597908]  ? netlink_unicast+0x620/0x620
[ 45.602163]  ? SYSC_sendto+0x2b0/0x2b0
[ 45.606032]  ? security_socket_sendmsg+0x83/0xb0
[ 45.610767]  ? netlink_unicast+0x620/0x620
[ 45.614976]  sock_sendmsg+0xc5/0x100
[ 45.618694]  ___sys_sendmsg+0x70a/0x840
[ 45.622718]  ? do_huge_pmd_anonymous_page+0xc63/0x11e0
[ 45.628168]  ? copy_msghdr_from_user+0x380/0x380
[ 45.632982]  ? lock_downgrade+0x6e0/0x6e0
[ 45.637117]  ? __lru_cache_add+0x17b/0x250
[ 45.641348]  ? do_raw_spin_unlock+0x164/0x250
[ 45.645830]  ? _raw_spin_unlock+0x29/0x40
[ 45.649962]  ? prep_transhuge_page+0xa0/0xa0
[ 45.654490]  ? pud_val+0x6c/0xd0
[ 45.657863]  ? pmd_val+0xd0/0xd0
[ 45.661211]  ? trace_hardirqs_on+0x10/0x10
[ 45.665440]  ? __handle_mm_fault+0x644/0x3280
[ 45.670082]  ? save_trace+0x290/0x290
[ 45.673985]  ? copy_page_range+0x1d70/0x1d70
[ 45.678391]  ? __fget_light+0x16a/0x1f0
[ 45.682504]  ? sockfd_lookup_light+0xb2/0x160
[ 45.686985]  __sys_sendmsg+0xa3/0x120
[ 45.690770]  ? SyS_shutdown+0x160/0x160
[ 45.694907]  ? up_read+0x17/0x30
[ 45.698275]  ? __do_page_fault+0x35b/0xb40
[ 45.702493]  SyS_sendmsg+0x27/0x40
[ 45.706013]  ? __sys_sendmsg+0x120/0x120
[ 45.710061]  do_syscall_64+0x1d5/0x640
[ 45.713942]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 45.719126] RIP: 0033:0x4401a9
[ 45.722305] RSP: 002b:00007ffe366dfc88 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 45.730048] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 00000000004401a9
[ 45.737327] RDX: 0000000000000000 RSI: 0000000020000280 RDI: 0000000000000003
[ 45.744588] RBP: 00000000006ca018 R08: 0000000000000000 R09: 00000000004002c8
[ 45.751848] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000401a30
[ 45.759113] R13: 0000000000401ac0 R14: 0000000000000000 R15: 0000000000000000
[ 45.767897] Kernel Offset: disabled
[ 45.771591] Rebooting in 86400 seconds..