Starting mcstransd: [ ok ] Starting periodic command scheduler: cron. [ ok ] Starting file context maintaining daemon: restorecond. [ ok ] Starting OpenBSD Secure Shell server: sshd. [ 40.705257] audit: type=1800 audit(1572250913.730:33): pid=7472 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op=collect_data cause=failed(directio) comm="startpar" name="rc.local" dev="sda1" ino=2465 res=0 [ 40.727579] audit: type=1800 audit(1572250913.730:34): pid=7472 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op=collect_data cause=failed(directio) comm="startpar" name="rmnologin" dev="sda1" ino=2456 res=0 Debian GNU/Linux 7 syzkaller ttyS0 syzkaller login: [ 45.173316] audit: type=1400 audit(1572250918.200:35): avc: denied { map } for pid=7648 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1 Warning: Permanently added '10.128.0.40' (ECDSA) to the list of known hosts. 
executing program [ 85.095997] audit: type=1400 audit(1572250958.120:36): avc: denied { map } for pid=7660 comm="syz-executor726" path="/root/syz-executor726039997" dev="sda1" ino=1426 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1 [ 85.220848] hrtimer: interrupt took 46364 ns executing program [ 85.289071] syz-executor726 (7662) used greatest stack depth: 21888 bytes left executing program executing program executing program [ 86.605188] ================================================================== [ 86.613168] BUG: KASAN: use-after-free in tc_chain_fill_node+0x891/0x8b0 [ 86.620227] Read of size 8 at addr ffff88807b45ec80 by task syz-executor726/7767 [ 86.627773] [ 86.629431] CPU: 0 PID: 7767 Comm: syz-executor726 Not tainted 4.19.80 #0 [ 86.636517] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 86.646435] Call Trace: [ 86.649058] dump_stack+0x172/0x1f0 [ 86.652718] ? tc_chain_fill_node+0x891/0x8b0 [ 86.657245] print_address_description.cold+0x7c/0x20d [ 86.662553] ? tc_chain_fill_node+0x891/0x8b0 [ 86.667083] kasan_report.cold+0x8c/0x2ba [ 86.671417] __asan_report_load8_noabort+0x14/0x20 [ 86.676370] tc_chain_fill_node+0x891/0x8b0 [ 86.680815] ? tcf_block_cb_register+0x70/0x70 [ 86.685522] ? skb_scrub_packet+0x490/0x490 [ 86.689894] ? lock_downgrade+0x880/0x880 [ 86.694184] tc_chain_notify+0x102/0x200 [ 86.698461] __tcf_chain_put+0x380/0x500 [ 86.702703] tc_ctl_chain+0xbca/0xff0 [ 86.706601] ? tcf_block_find+0x630/0x630 [ 86.711058] ? __lock_acquire+0x6ee/0x49c0 [ 86.715860] ? mutex_trylock+0x1e0/0x1e0 [ 86.720457] ? find_held_lock+0x35/0x130 [ 86.724713] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 86.730575] ? tcf_block_find+0x630/0x630 [ 86.735223] rtnetlink_rcv_msg+0x463/0xb00 [ 86.739654] ? rtnetlink_put_metrics+0x560/0x560 [ 86.744536] ? netlink_deliver_tap+0x22d/0xc20 [ 86.749243] ? 
find_held_lock+0x35/0x130 [ 86.753316] netlink_rcv_skb+0x17d/0x460 [ 86.757502] ? rtnetlink_put_metrics+0x560/0x560 [ 86.762446] ? netlink_ack+0xb30/0xb30 [ 86.766428] ? kasan_check_read+0x11/0x20 [ 86.770588] ? netlink_deliver_tap+0x254/0xc20 [ 86.775182] rtnetlink_rcv+0x1d/0x30 [ 86.778928] netlink_unicast+0x537/0x720 [ 86.783112] ? netlink_attachskb+0x770/0x770 [ 86.787534] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 86.793377] netlink_sendmsg+0x8ae/0xd70 [ 86.797624] ? netlink_unicast+0x720/0x720 [ 86.801877] ? selinux_socket_sendmsg+0x36/0x40 [ 86.806548] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 86.812318] ? security_socket_sendmsg+0x8d/0xc0 [ 86.817079] ? netlink_unicast+0x720/0x720 [ 86.822044] sock_sendmsg+0xd7/0x130 [ 86.826253] ___sys_sendmsg+0x803/0x920 [ 86.830352] ? copy_msghdr_from_user+0x430/0x430 [ 86.835184] ? lock_downgrade+0x880/0x880 [ 86.839341] ? kasan_check_read+0x11/0x20 [ 86.843767] ? __fget+0x367/0x540 [ 86.847237] ? iterate_fd+0x360/0x360 [ 86.851331] ? __fget_light+0x1a9/0x230 [ 86.855492] ? __fdget+0x1b/0x20 [ 86.859225] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 86.868688] __sys_sendmsg+0x105/0x1d0 [ 86.872804] ? __ia32_sys_shutdown+0x80/0x80 [ 86.877414] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 86.882219] ? do_syscall_64+0x26/0x620 [ 86.886774] ? entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 86.892150] ? 
do_syscall_64+0x26/0x620 [ 86.896418] __x64_sys_sendmsg+0x78/0xb0 [ 86.900582] do_syscall_64+0xfd/0x620 [ 86.904391] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 86.909842] RIP: 0033:0x446e19 [ 86.913046] Code: e8 5c b3 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 0b 08 fc ff c3 66 2e 0f 1f 84 00 00 00 00 [ 86.933044] RSP: 002b:00007f6cd9300d98 EFLAGS: 00000246 ORIG_RAX: 000000000000002e [ 86.941236] RAX: ffffffffffffffda RBX: 00000000006dbc98 RCX: 0000000000446e19 [ 86.948645] RDX: 0000000000000000 RSI: 0000000020000300 RDI: 000000000000000b [ 86.956733] RBP: 00000000006dbc90 R08: 0000000000000000 R09: 0000000000000000 [ 86.964638] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dbc9c [ 86.972519] R13: 0000000000000000 R14: 0000000000000000 R15: 0507002400000048 [ 86.980100] [ 86.981895] Allocated by task 7758: [ 86.985546] save_stack+0x45/0xd0 [ 86.989171] kasan_kmalloc+0xce/0xf0 [ 86.993041] __kmalloc_node+0x51/0x80 [ 86.996854] qdisc_alloc+0xbb/0xa60 [ 87.000882] qdisc_create+0xec/0x1230 [ 87.005017] tc_modify_qdisc+0xab0/0x1bdc [ 87.009180] rtnetlink_rcv_msg+0x463/0xb00 [ 87.013420] netlink_rcv_skb+0x17d/0x460 [ 87.017751] rtnetlink_rcv+0x1d/0x30 [ 87.021592] netlink_unicast+0x537/0x720 [ 87.025849] netlink_sendmsg+0x8ae/0xd70 [ 87.030300] sock_sendmsg+0xd7/0x130 [ 87.034030] ___sys_sendmsg+0x803/0x920 [ 87.038007] __sys_sendmsg+0x105/0x1d0 [ 87.042053] __x64_sys_sendmsg+0x78/0xb0 [ 87.046215] do_syscall_64+0xfd/0x620 [ 87.050345] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 87.055656] [ 87.057276] Freed by task 7761: [ 87.060863] save_stack+0x45/0xd0 [ 87.064498] __kasan_slab_free+0x102/0x150 [ 87.068736] kasan_slab_free+0xe/0x10 [ 87.072690] kfree+0xcf/0x220 [ 87.076110] qdisc_free+0x89/0x100 [ 87.079886] qdisc_destroy+0x4cf/0x690 [ 87.084267] notify_and_destroy+0xa2/0xb0 [ 87.088639] qdisc_graft+0x4f3/0x1030 [ 87.092740] tc_modify_qdisc+0xcae/0x1bdc [ 
87.097381] rtnetlink_rcv_msg+0x463/0xb00 [ 87.102110] netlink_rcv_skb+0x17d/0x460 [ 87.106434] rtnetlink_rcv+0x1d/0x30 [ 87.110509] netlink_unicast+0x537/0x720 [ 87.115278] netlink_sendmsg+0x8ae/0xd70 [ 87.119488] sock_sendmsg+0xd7/0x130 [ 87.123848] ___sys_sendmsg+0x803/0x920 [ 87.128123] __sys_sendmsg+0x105/0x1d0 [ 87.132442] __x64_sys_sendmsg+0x78/0xb0 [ 87.137111] do_syscall_64+0xfd/0x620 [ 87.141241] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 87.146468] [ 87.148184] The buggy address belongs to the object at ffff88807b45ec40 [ 87.148184] which belongs to the cache kmalloc-4096 of size 4096 [ 87.162002] The buggy address is located 64 bytes inside of [ 87.162002] 4096-byte region [ffff88807b45ec40, ffff88807b45fc40) [ 87.174736] The buggy address belongs to the page: [ 87.179673] page:ffffea0001ed1780 count:1 mapcount:0 mapping:ffff88812c3f0dc0 index:0x0 compound_mapcount: 0 [ 87.190202] flags: 0x1fffc0000008100(slab|head) [ 87.195122] raw: 01fffc0000008100 ffffea000272c488 ffffea0001ed1008 ffff88812c3f0dc0 [ 87.203143] raw: 0000000000000000 ffff88807b45ec40 0000000100000001 0000000000000000 [ 87.211117] page dumped because: kasan: bad access detected [ 87.216922] [ 87.218543] Memory state around the buggy address: [ 87.223468] ffff88807b45eb80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 87.231165] ffff88807b45ec00: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb [ 87.238749] >ffff88807b45ec80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 87.246558] ^ [ 87.250153] ffff88807b45ed00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 87.257784] ffff88807b45ed80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 87.265805] ================================================================== [ 87.273169] Disabling lock debugging due to kernel taint [ 87.297673] Kernel panic - not syncing: panic_on_warn set ... 
[ 87.297673] [ 87.307015] CPU: 0 PID: 7767 Comm: syz-executor726 Tainted: G B 4.19.80 #0 [ 87.315503] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 87.325043] Call Trace: [ 87.327650] dump_stack+0x172/0x1f0 [ 87.331436] ? tc_chain_fill_node+0x891/0x8b0 [ 87.335949] panic+0x26a/0x50e [ 87.339156] ? __warn_printk+0xf3/0xf3 [ 87.343198] ? tc_chain_fill_node+0x891/0x8b0 [ 87.347711] ? preempt_schedule+0x4b/0x60 [ 87.352037] ? ___preempt_schedule+0x16/0x18 [ 87.356551] ? trace_hardirqs_on+0x5e/0x220 [ 87.360889] ? tc_chain_fill_node+0x891/0x8b0 [ 87.365402] kasan_end_report+0x47/0x4f [ 87.369461] kasan_report.cold+0xa9/0x2ba [ 87.373836] __asan_report_load8_noabort+0x14/0x20 [ 87.379273] tc_chain_fill_node+0x891/0x8b0 [ 87.383979] ? tcf_block_cb_register+0x70/0x70 [ 87.388675] ? skb_scrub_packet+0x490/0x490 [ 87.393515] ? lock_downgrade+0x880/0x880 [ 87.397742] tc_chain_notify+0x102/0x200 [ 87.401804] __tcf_chain_put+0x380/0x500 [ 87.405979] tc_ctl_chain+0xbca/0xff0 [ 87.409779] ? tcf_block_find+0x630/0x630 [ 87.413927] ? __lock_acquire+0x6ee/0x49c0 [ 87.418250] ? mutex_trylock+0x1e0/0x1e0 [ 87.422657] ? find_held_lock+0x35/0x130 [ 87.426999] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 87.432732] ? tcf_block_find+0x630/0x630 [ 87.437763] rtnetlink_rcv_msg+0x463/0xb00 [ 87.442303] ? rtnetlink_put_metrics+0x560/0x560 [ 87.447246] ? netlink_deliver_tap+0x22d/0xc20 [ 87.451834] ? find_held_lock+0x35/0x130 [ 87.456021] netlink_rcv_skb+0x17d/0x460 [ 87.460290] ? rtnetlink_put_metrics+0x560/0x560 [ 87.465426] ? netlink_ack+0xb30/0xb30 [ 87.469331] ? kasan_check_read+0x11/0x20 [ 87.473558] ? netlink_deliver_tap+0x254/0xc20 [ 87.478364] rtnetlink_rcv+0x1d/0x30 [ 87.482198] netlink_unicast+0x537/0x720 [ 87.486652] ? netlink_attachskb+0x770/0x770 [ 87.491066] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 87.496612] netlink_sendmsg+0x8ae/0xd70 [ 87.500797] ? netlink_unicast+0x720/0x720 [ 87.505205] ? 
selinux_socket_sendmsg+0x36/0x40 [ 87.510095] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 87.516244] ? security_socket_sendmsg+0x8d/0xc0 [ 87.521145] ? netlink_unicast+0x720/0x720 [ 87.525548] sock_sendmsg+0xd7/0x130 [ 87.529272] ___sys_sendmsg+0x803/0x920 [ 87.533374] ? copy_msghdr_from_user+0x430/0x430 [ 87.538132] ? lock_downgrade+0x880/0x880 [ 87.542279] ? kasan_check_read+0x11/0x20 [ 87.546452] ? __fget+0x367/0x540 [ 87.550034] ? iterate_fd+0x360/0x360 [ 87.553922] ? __fget_light+0x1a9/0x230 [ 87.557999] ? __fdget+0x1b/0x20 [ 87.561367] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 87.566906] __sys_sendmsg+0x105/0x1d0 [ 87.570851] ? __ia32_sys_shutdown+0x80/0x80 [ 87.575269] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 87.580270] ? do_syscall_64+0x26/0x620 [ 87.584331] ? entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 87.589698] ? do_syscall_64+0x26/0x620 [ 87.593679] __x64_sys_sendmsg+0x78/0xb0 [ 87.597779] do_syscall_64+0xfd/0x620 [ 87.601582] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 87.606768] RIP: 0033:0x446e19 [ 87.609979] Code: e8 5c b3 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 0b 08 fc ff c3 66 2e 0f 1f 84 00 00 00 00 [ 87.629142] RSP: 002b:00007f6cd9300d98 EFLAGS: 00000246 ORIG_RAX: 000000000000002e [ 87.636858] RAX: ffffffffffffffda RBX: 00000000006dbc98 RCX: 0000000000446e19 [ 87.644186] RDX: 0000000000000000 RSI: 0000000020000300 RDI: 000000000000000b [ 87.651546] RBP: 00000000006dbc90 R08: 0000000000000000 R09: 0000000000000000 [ 87.659003] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dbc9c [ 87.666283] R13: 0000000000000000 R14: 0000000000000000 R15: 0507002400000048 [ 87.675666] Kernel Offset: disabled [ 87.679577] Rebooting in 86400 seconds..