[ ok ] Starting enhanced syslogd: rsyslogd. [ 86.824764][ T28] audit: type=1800 audit(1580124472.949:25): pid=9405 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="cron" dev="sda1" ino=2414 res=0 [ 86.844541][ T28] audit: type=1800 audit(1580124472.959:26): pid=9405 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0 [ 86.866520][ T28] audit: type=1800 audit(1580124472.959:27): pid=9405 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0 [ ok ] Starting periodic command scheduler: cron. [ ok ] Starting OpenBSD Secure Shell server: sshd. Debian GNU/Linux 7 syzkaller ttyS0 Warning: Permanently added '10.128.0.12' (ECDSA) to the list of known hosts. executing program executing program syzkaller login: [ 102.717352][ T9557] ================================================================== [ 102.726833][ T9557] BUG: KASAN: slab-out-of-bounds in bitmap_port_ext_cleanup+0xe6/0x2a0 [ 102.735222][ T9557] Read of size 8 at addr ffff8880a4664000 by task syz-executor656/9557 [ 102.743827][ T9557] [ 102.746160][ T9557] CPU: 0 PID: 9557 Comm: syz-executor656 Not tainted 5.5.0-rc6-next-20200116-syzkaller #0 [ 102.756777][ T9557] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 102.768855][ T9557] Call Trace: [ 102.772604][ T9557] dump_stack+0x197/0x210 [ 102.778031][ T9557] ? bitmap_port_ext_cleanup+0xe6/0x2a0 [ 102.783700][ T9557] print_address_description.constprop.0.cold+0xd4/0x30b [ 102.791185][ T9557] ? bitmap_port_ext_cleanup+0xe6/0x2a0 [ 102.797040][ T9557] ? bitmap_port_ext_cleanup+0xe6/0x2a0 [ 102.802600][ T9557] __kasan_report.cold+0x1b/0x32 [ 102.807654][ T9557] ? 
bitmap_port_ext_cleanup+0xe6/0x2a0 [ 102.813624][ T9557] kasan_report+0x12/0x20 [ 102.818165][ T9557] check_memory_region+0x134/0x1a0 [ 102.823280][ T9557] __kasan_check_read+0x11/0x20 [ 102.828249][ T9557] bitmap_port_ext_cleanup+0xe6/0x2a0 [ 102.833942][ T9557] bitmap_port_destroy+0x180/0x1d0 [ 102.839190][ T9557] ip_set_create+0xe47/0x1500 [ 102.843874][ T9557] ? ip_set_destroy+0xb70/0xb70 [ 102.848964][ T9557] ? ip_set_destroy+0xb70/0xb70 [ 102.854107][ T9557] nfnetlink_rcv_msg+0xcf2/0xfb0 [ 102.859275][ T9557] ? nfnetlink_bind+0x2c0/0x2c0 [ 102.864127][ T9557] ? __kasan_check_read+0x11/0x20 [ 102.869586][ T9557] ? __lock_acquire+0x8a0/0x4a00 [ 102.874957][ T9557] ? save_stack+0x5c/0x90 [ 102.879508][ T9557] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 102.885811][ T9557] ? apparmor_capable+0x4df/0x910 [ 102.891143][ T9557] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 102.897638][ T9557] ? __kasan_check_read+0x11/0x20 [ 102.902872][ T9557] ? apparmor_cred_prepare+0x7b0/0x7b0 [ 102.908498][ T9557] netlink_rcv_skb+0x177/0x450 [ 102.913418][ T9557] ? nfnetlink_bind+0x2c0/0x2c0 [ 102.918447][ T9557] ? netlink_ack+0xb50/0xb50 [ 102.923300][ T9557] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 102.929766][ T9557] ? ns_capable_common+0x93/0x100 [ 102.934971][ T9557] ? ns_capable+0x20/0x30 [ 102.939426][ T9557] ? __netlink_ns_capable+0x104/0x140 [ 102.944927][ T9557] nfnetlink_rcv+0x1ba/0x460 [ 102.949529][ T9557] ? nfnetlink_rcv_batch+0x1780/0x1780 [ 102.955159][ T9557] ? netlink_deliver_tap+0x248/0xbf0 [ 102.961036][ T9557] ? __kasan_check_write+0x14/0x20 [ 102.966475][ T9557] netlink_unicast+0x59e/0x7e0 [ 102.971458][ T9557] ? netlink_attachskb+0x870/0x870 [ 102.976584][ T9557] ? __sanitizer_cov_trace_cmp8+0x18/0x20 [ 102.982347][ T9557] ? __check_object_size+0x3d/0x437 [ 102.988468][ T9557] netlink_sendmsg+0x91c/0xea0 [ 102.993670][ T9557] ? netlink_unicast+0x7e0/0x7e0 [ 102.998914][ T9557] ? aa_sock_msg_perm.isra.0+0xba/0x170 [ 103.005531][ T9557] ? 
apparmor_socket_sendmsg+0x2a/0x30 [ 103.011216][ T9557] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 103.018051][ T9557] ? security_socket_sendmsg+0x8d/0xc0 [ 103.024059][ T9557] ? netlink_unicast+0x7e0/0x7e0 [ 103.029018][ T9557] sock_sendmsg+0xd7/0x130 [ 103.034113][ T9557] ____sys_sendmsg+0x753/0x880 [ 103.039421][ T9557] ? kernel_sendmsg+0x50/0x50 [ 103.044309][ T9557] ___sys_sendmsg+0x100/0x170 [ 103.049340][ T9557] ? sendmsg_copy_msghdr+0x70/0x70 [ 103.054668][ T9557] ? do_huge_pmd_anonymous_page+0xceb/0x1a50 [ 103.061040][ T9557] ? prep_transhuge_page+0xa0/0xa0 [ 103.066155][ T9557] ? do_page_fault+0x579/0x12e1 [ 103.071731][ T9557] ? find_held_lock+0x35/0x130 [ 103.076805][ T9557] ? do_page_fault+0x579/0x12e1 [ 103.081675][ T9557] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 103.088038][ T9557] ? __fget_light+0x1ad/0x270 [ 103.093379][ T9557] ? __fdget+0x1b/0x20 [ 103.097591][ T9557] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 103.104099][ T9557] __sys_sendmsg+0x105/0x1d0 [ 103.108926][ T9557] ? __sys_sendmsg_sock+0xc0/0xc0 [ 103.114224][ T9557] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 103.119706][ T9557] ? do_syscall_64+0x26/0x790 [ 103.124452][ T9557] ? entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 103.130764][ T9557] ? 
do_syscall_64+0x26/0x790 [ 103.135668][ T9557] __x64_sys_sendmsg+0x78/0xb0 [ 103.140444][ T9557] do_syscall_64+0xfa/0x790 [ 103.145363][ T9557] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 103.151473][ T9557] RIP: 0033:0x441399 [ 103.155476][ T9557] Code: e8 fc ab 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 9b 09 fc ff c3 66 2e 0f 1f 84 00 00 00 00 [ 103.175731][ T9557] RSP: 002b:00007ffc2d0c10e8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e [ 103.184867][ T9557] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000441399 [ 103.193510][ T9557] RDX: 0000000000000000 RSI: 0000000020001080 RDI: 0000000000000003 [ 103.202267][ T9557] RBP: 0000000000019110 R08: 00000000004002c8 R09: 00000000004002c8 [ 103.213138][ T9557] R10: 0000000000000004 R11: 0000000000000246 R12: 00000000004021c0 [ 103.222057][ T9557] R13: 0000000000402250 R14: 0000000000000000 R15: 0000000000000000 [ 103.232729][ T9557] [ 103.235157][ T9557] Allocated by task 9557: [ 103.240737][ T9557] save_stack+0x23/0x90 [ 103.246707][ T9557] __kasan_kmalloc.constprop.0+0xcf/0xe0 [ 103.253409][ T9557] kasan_kmalloc+0x9/0x10 [ 103.258640][ T9557] __kmalloc+0x163/0x770 [ 103.263117][ T9557] ip_set_alloc+0x38/0x5e [ 103.268123][ T9557] bitmap_port_create+0x3dc/0x7c0 [ 103.274588][ T9557] ip_set_create+0x6f1/0x1500 [ 103.280308][ T9557] nfnetlink_rcv_msg+0xcf2/0xfb0 [ 103.285362][ T9557] netlink_rcv_skb+0x177/0x450 [ 103.290611][ T9557] nfnetlink_rcv+0x1ba/0x460 [ 103.295502][ T9557] netlink_unicast+0x59e/0x7e0 [ 103.300488][ T9557] netlink_sendmsg+0x91c/0xea0 [ 103.305755][ T9557] sock_sendmsg+0xd7/0x130 [ 103.310669][ T9557] ____sys_sendmsg+0x753/0x880 [ 103.315720][ T9557] ___sys_sendmsg+0x100/0x170 [ 103.320607][ T9557] __sys_sendmsg+0x105/0x1d0 [ 103.325552][ T9557] __x64_sys_sendmsg+0x78/0xb0 [ 103.330369][ T9557] do_syscall_64+0xfa/0x790 [ 103.334955][ T9557] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 
103.340831][ T9557] [ 103.343403][ T9557] Freed by task 9289: [ 103.347390][ T9557] save_stack+0x23/0x90 [ 103.351637][ T9557] __kasan_slab_free+0x102/0x150 [ 103.357247][ T9557] kasan_slab_free+0xe/0x10 [ 103.362215][ T9557] kfree+0x10a/0x2c0 [ 103.366314][ T9557] tomoyo_path_perm+0x24e/0x430 [ 103.371409][ T9557] tomoyo_inode_getattr+0x1d/0x30 [ 103.377134][ T9557] security_inode_getattr+0xf2/0x150 [ 103.382765][ T9557] vfs_getattr+0x25/0x70 [ 103.388773][ T9557] vfs_statx+0x15d/0x200 [ 103.393729][ T9557] __do_sys_newstat+0xa4/0x130 [ 103.398905][ T9557] __x64_sys_newstat+0x54/0x80 [ 103.403977][ T9557] do_syscall_64+0xfa/0x790 [ 103.408629][ T9557] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 103.414686][ T9557] [ 103.417015][ T9557] The buggy address belongs to the object at ffff8880a4664000 [ 103.417015][ T9557] which belongs to the cache kmalloc-32 of size 32 [ 103.431432][ T9557] The buggy address is located 0 bytes inside of [ 103.431432][ T9557] 32-byte region [ffff8880a4664000, ffff8880a4664020) [ 103.444597][ T9557] The buggy address belongs to the page: [ 103.450544][ T9557] page:ffffea0002919900 refcount:1 mapcount:0 mapping:ffff8880aa4001c0 index:0xffff8880a4664fc1 [ 103.461684][ T9557] flags: 0xfffe0000000200(slab) [ 103.466535][ T9557] raw: 00fffe0000000200 ffffea00029a04c8 ffffea00029cd048 ffff8880aa4001c0 [ 103.475324][ T9557] raw: ffff8880a4664fc1 ffff8880a4664000 000000010000002b 0000000000000000 [ 103.484826][ T9557] page dumped because: kasan: bad access detected [ 103.491318][ T9557] [ 103.493685][ T9557] Memory state around the buggy address: [ 103.499314][ T9557] ffff8880a4663f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 103.507762][ T9557] ffff8880a4663f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 103.516221][ T9557] >ffff8880a4664000: 04 fc fc fc fc fc fc fc fb fb fb fb fc fc fc fc [ 103.524378][ T9557] ^ [ 103.528548][ T9557] ffff8880a4664080: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc [ 103.536724][ T9557] 
ffff8880a4664100: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc [ 103.545266][ T9557] ================================================================== [ 103.553548][ T9557] Disabling lock debugging due to kernel taint [ 103.562314][ T9557] Kernel panic - not syncing: panic_on_warn set ... [ 103.569551][ T9557] CPU: 0 PID: 9557 Comm: syz-executor656 Tainted: G B 5.5.0-rc6-next-20200116-syzkaller #0 [ 103.581259][ T9557] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 103.592107][ T9557] Call Trace: [ 103.595414][ T9557] dump_stack+0x197/0x210 [ 103.600225][ T9557] panic+0x2e3/0x75c [ 103.604201][ T9557] ? add_taint.cold+0x16/0x16 [ 103.609730][ T9557] ? bitmap_port_ext_cleanup+0xe6/0x2a0 [ 103.616148][ T9557] ? preempt_schedule+0x4b/0x60 [ 103.622390][ T9557] ? ___preempt_schedule+0x16/0x18 [ 103.628106][ T9557] ? trace_hardirqs_on+0x5e/0x240 [ 103.633212][ T9557] ? bitmap_port_ext_cleanup+0xe6/0x2a0 [ 103.638963][ T9557] end_report+0x47/0x4f [ 103.643431][ T9557] ? bitmap_port_ext_cleanup+0xe6/0x2a0 [ 103.648984][ T9557] __kasan_report.cold+0xe/0x32 [ 103.654013][ T9557] ? bitmap_port_ext_cleanup+0xe6/0x2a0 [ 103.659644][ T9557] kasan_report+0x12/0x20 [ 103.663986][ T9557] check_memory_region+0x134/0x1a0 [ 103.669903][ T9557] __kasan_check_read+0x11/0x20 [ 103.674936][ T9557] bitmap_port_ext_cleanup+0xe6/0x2a0 [ 103.680821][ T9557] bitmap_port_destroy+0x180/0x1d0 [ 103.686374][ T9557] ip_set_create+0xe47/0x1500 [ 103.691692][ T9557] ? ip_set_destroy+0xb70/0xb70 [ 103.696813][ T9557] ? ip_set_destroy+0xb70/0xb70 [ 103.701671][ T9557] nfnetlink_rcv_msg+0xcf2/0xfb0 [ 103.706723][ T9557] ? nfnetlink_bind+0x2c0/0x2c0 [ 103.711647][ T9557] ? __kasan_check_read+0x11/0x20 [ 103.716810][ T9557] ? __lock_acquire+0x8a0/0x4a00 [ 103.722132][ T9557] ? save_stack+0x5c/0x90 [ 103.726605][ T9557] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 103.733267][ T9557] ? apparmor_capable+0x4df/0x910 [ 103.740176][ T9557] ? 
__sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 103.746682][ T9557] ? __kasan_check_read+0x11/0x20 [ 103.752407][ T9557] ? apparmor_cred_prepare+0x7b0/0x7b0 [ 103.758717][ T9557] netlink_rcv_skb+0x177/0x450 [ 103.763694][ T9557] ? nfnetlink_bind+0x2c0/0x2c0 [ 103.768640][ T9557] ? netlink_ack+0xb50/0xb50 [ 103.773228][ T9557] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 103.780111][ T9557] ? ns_capable_common+0x93/0x100 [ 103.785147][ T9557] ? ns_capable+0x20/0x30 [ 103.789725][ T9557] ? __netlink_ns_capable+0x104/0x140 [ 103.795524][ T9557] nfnetlink_rcv+0x1ba/0x460 [ 103.800597][ T9557] ? nfnetlink_rcv_batch+0x1780/0x1780 [ 103.806474][ T9557] ? netlink_deliver_tap+0x248/0xbf0 [ 103.811890][ T9557] ? __kasan_check_write+0x14/0x20 [ 103.817133][ T9557] netlink_unicast+0x59e/0x7e0 [ 103.821894][ T9557] ? netlink_attachskb+0x870/0x870 [ 103.827040][ T9557] ? __sanitizer_cov_trace_cmp8+0x18/0x20 [ 103.832759][ T9557] ? __check_object_size+0x3d/0x437 [ 103.837953][ T9557] netlink_sendmsg+0x91c/0xea0 [ 103.842906][ T9557] ? netlink_unicast+0x7e0/0x7e0 [ 103.848435][ T9557] ? aa_sock_msg_perm.isra.0+0xba/0x170 [ 103.854637][ T9557] ? apparmor_socket_sendmsg+0x2a/0x30 [ 103.860192][ T9557] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 103.867025][ T9557] ? security_socket_sendmsg+0x8d/0xc0 [ 103.872696][ T9557] ? netlink_unicast+0x7e0/0x7e0 [ 103.877779][ T9557] sock_sendmsg+0xd7/0x130 [ 103.882250][ T9557] ____sys_sendmsg+0x753/0x880 [ 103.887134][ T9557] ? kernel_sendmsg+0x50/0x50 [ 103.891819][ T9557] ___sys_sendmsg+0x100/0x170 [ 103.896489][ T9557] ? sendmsg_copy_msghdr+0x70/0x70 [ 103.901599][ T9557] ? do_huge_pmd_anonymous_page+0xceb/0x1a50 [ 103.907584][ T9557] ? prep_transhuge_page+0xa0/0xa0 [ 103.912781][ T9557] ? do_page_fault+0x579/0x12e1 [ 103.918089][ T9557] ? find_held_lock+0x35/0x130 [ 103.923015][ T9557] ? do_page_fault+0x579/0x12e1 [ 103.928104][ T9557] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 103.934768][ T9557] ? 
__fget_light+0x1ad/0x270 [ 103.939985][ T9557] ? __fdget+0x1b/0x20 [ 103.944278][ T9557] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 103.950974][ T9557] __sys_sendmsg+0x105/0x1d0 [ 103.955841][ T9557] ? __sys_sendmsg_sock+0xc0/0xc0 [ 103.961075][ T9557] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 103.966811][ T9557] ? do_syscall_64+0x26/0x790 [ 103.971626][ T9557] ? entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 103.978078][ T9557] ? do_syscall_64+0x26/0x790 [ 103.982869][ T9557] __x64_sys_sendmsg+0x78/0xb0 [ 103.987642][ T9557] do_syscall_64+0xfa/0x790 [ 103.992144][ T9557] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 103.998034][ T9557] RIP: 0033:0x441399 [ 104.003666][ T9557] Code: e8 fc ab 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 9b 09 fc ff c3 66 2e 0f 1f 84 00 00 00 00 [ 104.023584][ T9557] RSP: 002b:00007ffc2d0c10e8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e [ 104.032080][ T9557] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000441399 [ 104.040049][ T9557] RDX: 0000000000000000 RSI: 0000000020001080 RDI: 0000000000000003 [ 104.048443][ T9557] RBP: 0000000000019110 R08: 00000000004002c8 R09: 00000000004002c8 [ 104.056647][ T9557] R10: 0000000000000004 R11: 0000000000000246 R12: 00000000004021c0 [ 104.064730][ T9557] R13: 0000000000402250 R14: 0000000000000000 R15: 0000000000000000 [ 104.074597][ T9557] Kernel Offset: disabled [ 104.078962][ T9557] Rebooting in 86400 seconds..