Warning: Permanently added '[localhost]:40806' (ECDSA) to the list of known hosts.
[ 124.399214][ T40] audit: type=1400 audit(1584466071.943:42): avc: denied { map } for pid=9421 comm="syz-executor138" path="/syz-executor138334790" dev="sda1" ino=16528 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:file_t:s0 tclass=file permissive=1
[ 124.457655][ T9422] IPVS: ftp: loaded support on port[0] = 21
executing program
[ 125.033253][ T8] tipc: TX() has been purged, node left!
[ 127.406553][ T8] ==================================================================
[ 127.415940][ T8] BUG: KASAN: use-after-free in route4_destroy+0x6bf/0x800
[ 127.415940][ T8] Read of size 8 at addr ffff8880237f7b00 by task kworker/u16:0/8
[ 127.415940][ T8]
[ 127.415940][ T8] CPU: 2 PID: 8 Comm: kworker/u16:0 Not tainted 5.6.0-rc6-syzkaller #0
[ 127.415940][ T8] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014
[ 127.463434][ T8] Workqueue: netns cleanup_net
[ 127.463434][ T8] Call Trace:
[ 127.463434][ T8] dump_stack+0x188/0x20d
[ 127.463434][ T8] ? route4_destroy+0x6bf/0x800
[ 127.463434][ T8] ? route4_destroy+0x6bf/0x800
[ 127.463434][ T8] print_address_description.constprop.0.cold+0xd3/0x315
[ 127.463434][ T8] ? route4_destroy+0x6bf/0x800
[ 127.463434][ T8] ? route4_destroy+0x6bf/0x800
[ 127.463434][ T8] __kasan_report.cold+0x1a/0x32
[ 127.463434][ T8] ? route4_destroy+0x6bf/0x800
[ 127.463434][ T8] kasan_report+0xe/0x20
[ 127.532057][ T8] route4_destroy+0x6bf/0x800
[ 127.532057][ T8] ? mutex_trylock+0x2c0/0x2c0
[ 127.532057][ T8] ? route4_init+0xa0/0xa0
[ 127.532057][ T8] ? __mutex_unlock_slowpath+0xe2/0x660
[ 127.532057][ T8] tcf_proto_destroy+0x6e/0x310
[ 127.532057][ T8] tcf_proto_put+0x8c/0xc0
[ 127.532057][ T8] tcf_chain_flush+0x266/0x390
[ 127.532057][ T8] __tcf_block_put+0x1a4/0x540
[ 127.532057][ T8] tcf_block_put+0xb3/0x100
[ 127.532057][ T8] ? tcf_block_put_ext+0x40/0x40
[ 127.532057][ T8] ? qdisc_dequeue_head+0x330/0x330
[ 127.532057][ T8] ? hrtimer_cancel+0x29/0x40
[ 127.532057][ T8] hfsc_destroy_qdisc+0xe0/0x280
[ 127.532057][ T8] ? hfsc_walk+0x330/0x330
[ 127.532057][ T8] qdisc_destroy+0x118/0x690
[ 127.532057][ T8] qdisc_put+0xcd/0xe0
[ 127.532057][ T8] dev_shutdown+0x2b5/0x486
[ 127.532057][ T8] rollback_registered_many+0x603/0xe70
[ 127.532057][ T8] ? find_held_lock+0x2d/0x110
[ 127.532057][ T8] ? netif_set_real_num_tx_queues+0x700/0x700
[ 127.532057][ T8] ? default_device_exit_batch+0x1ab/0x3d0
[ 127.532057][ T8] ? mark_lock+0xbc/0x1220
[ 127.532057][ T8] unregister_netdevice_many.part.0+0x16/0x1e0
[ 127.532057][ T8] default_device_exit_batch+0x311/0x3d0
[ 127.682179][ T8] ? unregister_netdevice_many+0x50/0x50
[ 127.682179][ T8] ? prepare_to_wait_exclusive+0x2c0/0x2c0
[ 127.682179][ T8] ? unregister_netdevice_many+0x50/0x50
[ 127.682179][ T8] ? dev_change_net_namespace+0xcf0/0xcf0
[ 127.682179][ T8] ops_exit_list.isra.0+0x103/0x150
[ 127.682179][ T8] cleanup_net+0x511/0xa50
[ 127.682179][ T8] ? unregister_pernet_device+0x70/0x70
[ 127.682179][ T8] ? rcu_read_lock_any_held.part.0+0x50/0x50
[ 127.682179][ T8] process_one_work+0x94b/0x1690
[ 127.682179][ T8] ? pwq_dec_nr_in_flight+0x310/0x310
[ 127.682179][ T8] ? do_raw_spin_lock+0x129/0x2e0
[ 127.682179][ T8] worker_thread+0x96/0xe20
[ 127.682179][ T8] ? process_one_work+0x1690/0x1690
[ 127.682179][ T8] kthread+0x357/0x430
[ 127.682179][ T8] ? kthread_mod_delayed_work+0x1a0/0x1a0
[ 127.682179][ T8] ret_from_fork+0x24/0x30
[ 127.682179][ T8]
[ 127.682179][ T8] Allocated by task 9423:
[ 127.682179][ T8] save_stack+0x1b/0x80
[ 127.682179][ T8] __kasan_kmalloc.constprop.0+0xbf/0xd0
[ 127.682179][ T8] kmem_cache_alloc_trace+0x153/0x7d0
[ 127.682179][ T8] route4_change+0x2a9/0x2250
[ 127.682179][ T8] tc_new_tfilter+0xa59/0x20b0
[ 127.682179][ T8] rtnetlink_rcv_msg+0x810/0xad0
[ 127.682179][ T8] netlink_rcv_skb+0x15a/0x410
[ 127.682179][ T8] netlink_unicast+0x537/0x740
[ 127.682179][ T8] netlink_sendmsg+0x882/0xe10
[ 127.682179][ T8] sock_sendmsg+0xcf/0x120
[ 127.682179][ T8] ____sys_sendmsg+0x6b9/0x7d0
[ 127.862268][ T8] ___sys_sendmsg+0x100/0x170
[ 127.862268][ T8] __sys_sendmsg+0xec/0x1b0
[ 127.862268][ T8] do_syscall_64+0xf6/0x7d0
[ 127.862268][ T8] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 127.862268][ T8]
[ 127.862268][ T8] Freed by task 8:
[ 127.862268][ T8] save_stack+0x1b/0x80
[ 127.862268][ T8] __kasan_slab_free+0xf7/0x140
[ 127.902039][ T8] kfree+0x109/0x2b0
[ 127.902039][ T8] route4_delete_filter_work+0x17/0x20
[ 127.902039][ T8] process_one_work+0x94b/0x1690
[ 127.902039][ T8] worker_thread+0x96/0xe20
[ 127.902039][ T8] kthread+0x357/0x430
[ 127.902039][ T8] ret_from_fork+0x24/0x30
[ 127.902039][ T8]
[ 127.902039][ T8] The buggy address belongs to the object at ffff8880237f7b00
[ 127.902039][ T8] which belongs to the cache kmalloc-192 of size 192
[ 127.902039][ T8] The buggy address is located 0 bytes inside of
[ 127.902039][ T8] 192-byte region [ffff8880237f7b00, ffff8880237f7bc0)
[ 127.902039][ T8] The buggy address belongs to the page:
[ 127.902039][ T8] page:ffffea00008dfdc0 refcount:1 mapcount:0 mapping:ffff88802cc00000 index:0x0
[ 127.902039][ T8] flags: 0xfffe0000000200(slab)
[ 127.902039][ T8] raw: 00fffe0000000200 ffffea0000ab8108 ffffea00009eb088 ffff88802cc00000
[ 127.902039][ T8] raw: 0000000000000000 ffff8880237f7000 0000000100000010 0000000000000000
[ 127.902039][ T8] page dumped because: kasan: bad access detected
[ 127.902039][ T8]
[ 127.902039][ T8] Memory state around the buggy address:
[ 127.902039][ T8]  ffff8880237f7a00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 127.902039][ T8]  ffff8880237f7a80: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc
[ 127.902039][ T8] >ffff8880237f7b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 127.902039][ T8]                    ^
[ 127.902039][ T8]  ffff8880237f7b80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 127.902039][ T8]  ffff8880237f7c00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 127.902039][ T8] ==================================================================
[ 127.902039][ T8] Disabling lock debugging due to kernel taint
[ 128.120847][ T8] Kernel panic - not syncing: panic_on_warn set ...
[ 128.128812][ T8] CPU: 2 PID: 8 Comm: kworker/u16:0 Tainted: G B 5.6.0-rc6-syzkaller #0
[ 128.128812][ T8] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014
[ 128.128812][ T8] Workqueue: netns cleanup_net
[ 128.128812][ T8] Call Trace:
[ 128.128812][ T8] dump_stack+0x188/0x20d
[ 128.128812][ T8] panic+0x2e3/0x75c
[ 128.128812][ T8] ? add_taint.cold+0x16/0x16
[ 128.128812][ T8] ? preempt_schedule_common+0x5e/0xc0
[ 128.128812][ T8] ? route4_destroy+0x6bf/0x800
[ 128.128812][ T8] ? ___preempt_schedule+0x16/0x18
[ 128.128812][ T8] ? trace_hardirqs_on+0x55/0x220
[ 128.128812][ T8] ? route4_destroy+0x6bf/0x800
[ 128.128812][ T8] end_report+0x43/0x49
[ 128.128812][ T8] ? route4_destroy+0x6bf/0x800
[ 128.128812][ T8] __kasan_report.cold+0xd/0x32
[ 128.128812][ T8] ? route4_destroy+0x6bf/0x800
[ 128.128812][ T8] kasan_report+0xe/0x20
[ 128.128812][ T8] route4_destroy+0x6bf/0x800
[ 128.128812][ T8] ? mutex_trylock+0x2c0/0x2c0
[ 128.128812][ T8] ? route4_init+0xa0/0xa0
[ 128.128812][ T8] ? __mutex_unlock_slowpath+0xe2/0x660
[ 128.128812][ T8] tcf_proto_destroy+0x6e/0x310
[ 128.128812][ T8] tcf_proto_put+0x8c/0xc0
[ 128.128812][ T8] tcf_chain_flush+0x266/0x390
[ 128.128812][ T8] __tcf_block_put+0x1a4/0x540
[ 128.128812][ T8] tcf_block_put+0xb3/0x100
[ 128.128812][ T8] ? tcf_block_put_ext+0x40/0x40
[ 128.128812][ T8] ? qdisc_dequeue_head+0x330/0x330
[ 128.128812][ T8] ? hrtimer_cancel+0x29/0x40
[ 128.128812][ T8] hfsc_destroy_qdisc+0xe0/0x280
[ 128.128812][ T8] ? hfsc_walk+0x330/0x330
[ 128.128812][ T8] qdisc_destroy+0x118/0x690
[ 128.128812][ T8] qdisc_put+0xcd/0xe0
[ 128.128812][ T8] dev_shutdown+0x2b5/0x486
[ 128.128812][ T8] rollback_registered_many+0x603/0xe70
[ 128.128812][ T8] ? find_held_lock+0x2d/0x110
[ 128.128812][ T8] ? netif_set_real_num_tx_queues+0x700/0x700
[ 128.128812][ T8] ? default_device_exit_batch+0x1ab/0x3d0
[ 128.128812][ T8] ? mark_lock+0xbc/0x1220
[ 128.128812][ T8] unregister_netdevice_many.part.0+0x16/0x1e0
[ 128.128812][ T8] default_device_exit_batch+0x311/0x3d0
[ 128.128812][ T8] ? unregister_netdevice_many+0x50/0x50
[ 128.128812][ T8] ? prepare_to_wait_exclusive+0x2c0/0x2c0
[ 128.128812][ T8] ? unregister_netdevice_many+0x50/0x50
[ 128.128812][ T8] ? dev_change_net_namespace+0xcf0/0xcf0
[ 128.128812][ T8] ops_exit_list.isra.0+0x103/0x150
[ 128.128812][ T8] cleanup_net+0x511/0xa50
[ 128.128812][ T8] ? unregister_pernet_device+0x70/0x70
[ 128.128812][ T8] ? rcu_read_lock_any_held.part.0+0x50/0x50
[ 128.128812][ T8] process_one_work+0x94b/0x1690
[ 128.128812][ T8] ? pwq_dec_nr_in_flight+0x310/0x310
[ 128.128812][ T8] ? do_raw_spin_lock+0x129/0x2e0
[ 128.128812][ T8] worker_thread+0x96/0xe20
[ 128.128812][ T8] ? process_one_work+0x1690/0x1690
[ 128.128812][ T8] kthread+0x357/0x430
[ 128.128812][ T8] ? kthread_mod_delayed_work+0x1a0/0x1a0
[ 128.128812][ T8] ret_from_fork+0x24/0x30
[ 128.128812][ T8] Kernel Offset: disabled
[ 128.128812][ T8] Rebooting in 86400 seconds..