Warning: Permanently added '10.128.0.93' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 38.551240] audit: type=1400 audit(1602976135.984:8): avc: denied { execmem } for pid=6489 comm="syz-executor322" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=1
[ 38.590213] ==================================================================
[ 38.590240] BUG: KASAN: slab-out-of-bounds in bit_putcs+0xbe2/0xd35
[ 38.590247] Read of size 1 at addr ffff8880898b123e by task syz-executor322/6489
[ 38.590249]
[ 38.590258] CPU: 1 PID: 6489 Comm: syz-executor322 Not tainted 4.19.152-syzkaller #0
[ 38.590262] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 38.590265] Call Trace:
[ 38.590275] dump_stack+0x22c/0x33e
[ 38.590288] print_address_description.cold+0x56/0x25c
[ 38.590297] kasan_report_error.cold+0x66/0xb9
[ 38.590310] ? bit_putcs+0xbe2/0xd35
[ 38.590319] __asan_report_load1_noabort+0x88/0x90
[ 38.590327] ? bit_putcs+0xbe2/0xd35
[ 38.590334] bit_putcs+0xbe2/0xd35
[ 38.590349] ? bit_cursor+0x1750/0x1750
[ 38.590362] ? fb_get_color_depth+0x11a/0x240
[ 38.590372] ? __sanitizer_cov_trace_switch+0x4b/0x80
[ 38.590381] ? bit_cursor+0x1750/0x1750
[ 38.590387] fbcon_putcs+0x389/0x5d0
[ 38.590395] ? fbcon_cursor+0x7f0/0x7f0
[ 38.590405] do_con_write+0x671/0x1f40
[ 38.590422] ? do_con_trol+0x5d50/0x5d50
[ 38.590429] ? n_tty_write+0x1ea/0xff0
[ 38.590441] ? mark_held_locks+0xa6/0xf0
[ 38.590451] con_write+0x22/0xb0
[ 38.590458] n_tty_write+0x3c0/0xff0
[ 38.590472] ? n_tty_ioctl+0x360/0x360
[ 38.590482] ? do_wait_intr_irq+0x340/0x340
[ 38.590492] ? __might_fault+0x192/0x1d0
[ 38.590501] tty_write+0x496/0x890
[ 38.590508] ? n_tty_ioctl+0x360/0x360
[ 38.590520] __vfs_write+0xf7/0x770
[ 38.590526] ? tty_compat_ioctl+0x270/0x270
[ 38.590534] ? kernel_read+0x110/0x110
[ 38.590545] ? __inode_security_revalidate+0xef/0x140
[ 38.590553] ? avc_policy_seqno+0x9/0x70
[ 38.590560] ? selinux_file_permission+0xc1/0x5a0
[ 38.590571] ? security_file_permission+0x1c0/0x230
[ 38.590582] vfs_write+0x1f3/0x540
[ 38.590591] ksys_write+0x12b/0x2a0
[ 38.590599] ? __ia32_sys_read+0xb0/0xb0
[ 38.590608] ? trace_hardirqs_off_caller+0x6e/0x210
[ 38.590617] ? do_syscall_64+0x21/0x670
[ 38.590626] do_syscall_64+0xf9/0x670
[ 38.590636] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 38.590642] RIP: 0033:0x4403c9
[ 38.590650] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 db 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 38.590654] RSP: 002b:00007fff5d8fd448 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[ 38.590661] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 00000000004403c9
[ 38.590665] RDX: 0000000000001006 RSI: 0000000020000180 RDI: 0000000000000006
[ 38.590670] RBP: 00000000006cb018 R08: 00000000004002c8 R09: 00000000004002c8
[ 38.590674] R10: 000000000000000d R11: 0000000000000246 R12: 0000000000401c30
[ 38.590678] R13: 0000000000401cc0 R14: 0000000000000000 R15: 0000000000000000
[ 38.590687]
[ 38.590691] Allocated by task 6471:
[ 38.590700] __kmalloc_node_track_caller+0x4c/0x70
[ 38.590706] __alloc_skb+0xae/0x580
[ 38.590714] __tcp_send_ack+0xb3/0x610
[ 38.590721] tcp_delack_timer_handler+0x339/0x760
[ 38.590728] tcp_delack_timer+0x95/0x270
[ 38.590735] call_timer_fn+0x177/0x760
[ 38.590741] expire_timers+0x243/0x500
[ 38.590747] run_timer_softirq+0x259/0x730
[ 38.590753] __do_softirq+0x27d/0xad2
[ 38.590755]
[ 38.590758] Freed by task 0:
[ 38.590764] kfree+0xcc/0x250
[ 38.590770] skb_release_data+0x6ea/0x930
[ 38.590775] consume_skb+0x113/0x3e0
[ 38.590782] __dev_kfree_skb_any+0x9c/0xd0
[ 38.590788] napi_consume_skb+0x4a8/0x650
[ 38.590796] free_old_xmit_skbs+0xdb/0x240
[ 38.590803] start_xmit+0x156/0x17c0
[ 38.590810] dev_hard_start_xmit+0x1a8/0x960
[ 38.590817] sch_direct_xmit+0x2cf/0xf70
[ 38.590823] __qdisc_run+0x4fc/0x1680
[ 38.590829] __dev_queue_xmit+0x21fe/0x2ec0
[ 38.590836] ip_finish_output2+0xc04/0x1640
[ 38.590842] ip_finish_output+0x88e/0xd80
[ 38.590848] ip_output+0x203/0x650
[ 38.590853] ip_local_out+0xaf/0x170
[ 38.590859] __ip_queue_xmit+0x8a0/0x1bd0
[ 38.590866] __tcp_transmit_skb+0x1c72/0x36c0
[ 38.590872] tcp_write_xmit+0x839/0x5050
[ 38.590879] __tcp_push_pending_frames+0xae/0x280
[ 38.590885] tcp_rcv_established+0x1359/0x1d10
[ 38.590890] tcp_v4_do_rcv+0x5d6/0x870
[ 38.590896] tcp_v4_rcv+0x2c1d/0x3bd0
[ 38.590902] ip_local_deliver_finish+0x4cb/0xc80
[ 38.590907] ip_local_deliver+0x188/0x560
[ 38.590912] ip_rcv_finish+0x1ca/0x2e0
[ 38.590917] ip_rcv+0xca/0x420
[ 38.590924] __netif_receive_skb_one_core+0x114/0x180
[ 38.590931] __netif_receive_skb+0x27/0x1c0
[ 38.590938] netif_receive_skb_internal+0x110/0x450
[ 38.590945] napi_gro_receive+0x303/0x460
[ 38.590951] receive_buf+0x1045/0x6250
[ 38.590958] virtnet_poll+0x52f/0xda0
[ 38.590964] net_rx_action+0x4e5/0x10d0
[ 38.590971] __do_softirq+0x27d/0xad2
[ 38.590973]
[ 38.590978] The buggy address belongs to the object at ffff8880898b0dc0
[ 38.590978] which belongs to the cache kmalloc-1024 of size 1024
[ 38.590984] The buggy address is located 126 bytes to the right of
[ 38.590984] 1024-byte region [ffff8880898b0dc0, ffff8880898b11c0)
[ 38.590987] The buggy address belongs to the page:
[ 38.590993] page:ffffea0002262c00 count:1 mapcount:0 mapping:ffff88812c3f6ac0 index:0x0 compound_mapcount: 0
[ 38.591001] flags: 0xfffe0000008100(slab|head)
[ 38.591012] raw: 00fffe0000008100 ffffea0002931388 ffffea0002267b08 ffff88812c3f6ac0
[ 38.591020] raw: 0000000000000000 ffff8880898b0040 0000000100000007 0000000000000000
[ 38.591023] page dumped because: kasan: bad access detected
[ 38.591024]
[ 38.591026] Memory state around the buggy address:
[ 38.591032] ffff8880898b1100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 38.591038] ffff8880898b1180: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 38.591043] >ffff8880898b1200: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
[ 38.591046] ^
[ 38.591051] ffff8880898b1280: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 38.591056] ffff8880898b1300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 38.591059] ==================================================================
[ 38.591062] Disabling lock debugging due to kernel taint
[ 38.591066] Kernel panic - not syncing: panic_on_warn set ...
[ 38.591066]
[ 38.591073] CPU: 1 PID: 6489 Comm: syz-executor322 Tainted: G B 4.19.152-syzkaller #0
[ 38.591077] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 38.591078] Call Trace:
[ 38.591085] dump_stack+0x22c/0x33e
[ 38.591094] panic+0x2ac/0x565
[ 38.591102] ? __warn_printk+0xf3/0xf3
[ 38.591109] ? lock_downgrade+0x750/0x750
[ 38.591117] ? print_shadow_for_address+0xb8/0x116
[ 38.591123] ? trace_hardirqs_on+0x55/0x210
[ 38.591130] kasan_end_report+0x43/0x49
[ 38.591137] kasan_report_error.cold+0x83/0xb9
[ 38.591143] ? bit_putcs+0xbe2/0xd35
[ 38.591150] __asan_report_load1_noabort+0x88/0x90
[ 38.591156] ? bit_putcs+0xbe2/0xd35
[ 38.591163] bit_putcs+0xbe2/0xd35
[ 38.591173] ? bit_cursor+0x1750/0x1750
[ 38.591182] ? fb_get_color_depth+0x11a/0x240
[ 38.591189] ? __sanitizer_cov_trace_switch+0x4b/0x80
[ 38.591196] ? bit_cursor+0x1750/0x1750
[ 38.591202] fbcon_putcs+0x389/0x5d0
[ 38.591208] ? fbcon_cursor+0x7f0/0x7f0
[ 38.591215] do_con_write+0x671/0x1f40
[ 38.591226] ? do_con_trol+0x5d50/0x5d50
[ 38.591232] ? n_tty_write+0x1ea/0xff0
[ 38.591240] ? mark_held_locks+0xa6/0xf0
[ 38.591248] con_write+0x22/0xb0
[ 38.591254] n_tty_write+0x3c0/0xff0
[ 38.591264] ? n_tty_ioctl+0x360/0x360
[ 38.591271] ? do_wait_intr_irq+0x340/0x340
[ 38.591278] ? __might_fault+0x192/0x1d0
[ 38.591285] tty_write+0x496/0x890
[ 38.591291] ? n_tty_ioctl+0x360/0x360
[ 38.591299] __vfs_write+0xf7/0x770
[ 38.591310] ? tty_compat_ioctl+0x270/0x270
[ 38.591317] ? kernel_read+0x110/0x110
[ 38.591324] ? __inode_security_revalidate+0xef/0x140
[ 38.591331] ? avc_policy_seqno+0x9/0x70
[ 38.591337] ? selinux_file_permission+0xc1/0x5a0
[ 38.591346] ? security_file_permission+0x1c0/0x230
[ 38.591354] vfs_write+0x1f3/0x540
[ 38.591361] ksys_write+0x12b/0x2a0
[ 38.591368] ? __ia32_sys_read+0xb0/0xb0
[ 38.591375] ? trace_hardirqs_off_caller+0x6e/0x210
[ 38.591382] ? do_syscall_64+0x21/0x670
[ 38.591390] do_syscall_64+0xf9/0x670
[ 38.591397] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 38.591402] RIP: 0033:0x4403c9
[ 38.591408] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 db 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 38.591411] RSP: 002b:00007fff5d8fd448 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[ 38.591417] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 00000000004403c9
[ 38.591421] RDX: 0000000000001006 RSI: 0000000020000180 RDI: 0000000000000006
[ 38.591425] RBP: 00000000006cb018 R08: 00000000004002c8 R09: 00000000004002c8
[ 38.591429] R10: 000000000000000d R11: 0000000000000246 R12: 0000000000401c30
[ 38.591432] R13: 0000000000401cc0 R14: 0000000000000000 R15: 0000000000000000
[ 38.592725] Kernel Offset: disabled
[ 39.445430] Rebooting in 86400 seconds..