[....] Starting periodic command scheduler: cron[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[   92.101261][ T9760] sshd (9760) used greatest stack depth: 22936 bytes left
[....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[   92.470309][   T27] kauditd_printk_skb: 2 callbacks suppressed
[   92.470322][   T27] audit: type=1800 audit(1579473027.462:29): pid=9693 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="rc.local" dev="sda1" ino=2432 res=0
[   92.497891][   T27] audit: type=1800 audit(1579473027.472:30): pid=9693 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="rmnologin" dev="sda1" ino=2423 res=0

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.156' (ECDSA) to the list of known hosts.
executing program
executing program
syzkaller login: [  104.823203][ T9847] ==================================================================
[  104.831900][ T9847] BUG: KASAN: use-after-free in bitmap_ip_ext_cleanup+0xd8/0x290
[  104.839648][ T9847] Read of size 8 at addr ffff88809d48dc80 by task syz-executor164/9847
[  104.847877][ T9847] 
[  104.850421][ T9847] CPU: 1 PID: 9847 Comm: syz-executor164 Not tainted 5.5.0-rc6-syzkaller #0
[  104.859080][ T9847] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[  104.869274][ T9847] Call Trace:
[  104.872650][ T9847]  dump_stack+0x197/0x210
[  104.877111][ T9847]  ? bitmap_ip_ext_cleanup+0xd8/0x290
[  104.882557][ T9847]  print_address_description.constprop.0.cold+0xd4/0x30b
[  104.889700][ T9847]  ? bitmap_ip_ext_cleanup+0xd8/0x290
[  104.895325][ T9847]  ? bitmap_ip_ext_cleanup+0xd8/0x290
[  104.900741][ T9847]  __kasan_report.cold+0x1b/0x41
[  104.905673][ T9847]  ? kfree+0x210/0x2c0
[  104.909889][ T9847]  ? bitmap_ip_ext_cleanup+0xd8/0x290
[  104.915616][ T9847]  kasan_report+0x12/0x20
[  104.920065][ T9847]  check_memory_region+0x134/0x1a0
[  104.925198][ T9847]  __kasan_check_read+0x11/0x20
[  104.930089][ T9847]  bitmap_ip_ext_cleanup+0xd8/0x290
[  104.935361][ T9847]  bitmap_ip_destroy+0x17c/0x1d0
[  104.940286][ T9847]  ip_set_create+0xe47/0x1500
[  104.944960][ T9847]  ? ip_set_destroy+0xb70/0xb70
[  104.949822][ T9847]  ? ip_set_destroy+0xb70/0xb70
[  104.954843][ T9847]  nfnetlink_rcv_msg+0xcf2/0xfb0
[  104.959806][ T9847]  ? nfnetlink_bind+0x2c0/0x2c0
[  104.964678][ T9847]  ? __kasan_check_read+0x11/0x20
[  104.969712][ T9847]  ? __lock_acquire+0x8a0/0x4a00
[  104.974761][ T9847]  ? save_stack+0x5c/0x90
[  104.979112][ T9847]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[  104.985382][ T9847]  ? apparmor_capable+0x497/0x900
[  104.990414][ T9847]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[  104.996752][ T9847]  ? __kasan_check_read+0x11/0x20
[  105.001783][ T9847]  ? apparmor_cred_prepare+0x7b0/0x7b0
[  105.007246][ T9847]  netlink_rcv_skb+0x177/0x450
[  105.012191][ T9847]  ? nfnetlink_bind+0x2c0/0x2c0
[  105.017041][ T9847]  ? netlink_ack+0xb50/0xb50
[  105.021637][ T9847]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[  105.028012][ T9847]  ? ns_capable_common+0x93/0x100
[  105.033051][ T9847]  ? ns_capable+0x20/0x30
[  105.037390][ T9847]  ? __netlink_ns_capable+0x104/0x140
[  105.042769][ T9847]  nfnetlink_rcv+0x1ba/0x460
[  105.047361][ T9847]  ? nfnetlink_rcv_batch+0x17a0/0x17a0
[  105.052808][ T9847]  ? netlink_deliver_tap+0x24a/0xbe0
[  105.058244][ T9847]  ? __kasan_check_write+0x14/0x20
[  105.063357][ T9847]  netlink_unicast+0x58c/0x7d0
[  105.068256][ T9847]  ? netlink_attachskb+0x870/0x870
[  105.073375][ T9847]  ? __sanitizer_cov_trace_cmp8+0x18/0x20
[  105.079174][ T9847]  ? __check_object_size+0x3d/0x437
[  105.084483][ T9847]  netlink_sendmsg+0x91c/0xea0
[  105.089284][ T9847]  ? netlink_unicast+0x7d0/0x7d0
[  105.094432][ T9847]  ? aa_sock_msg_perm.isra.0+0xba/0x170
[  105.099997][ T9847]  ? apparmor_socket_sendmsg+0x2a/0x30
[  105.105450][ T9847]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[  105.111699][ T9847]  ? security_socket_sendmsg+0x8d/0xc0
[  105.117159][ T9847]  ? netlink_unicast+0x7d0/0x7d0
[  105.122197][ T9847]  sock_sendmsg+0xd7/0x130
[  105.126640][ T9847]  ____sys_sendmsg+0x753/0x880
[  105.131407][ T9847]  ? kernel_sendmsg+0x50/0x50
[  105.136264][ T9847]  ? mark_held_locks+0xa4/0xf0
[  105.141312][ T9847]  ? do_huge_pmd_anonymous_page+0x1463/0x1a50
[  105.147386][ T9847]  ___sys_sendmsg+0x100/0x170
[  105.152059][ T9847]  ? sendmsg_copy_msghdr+0x70/0x70
[  105.157169][ T9847]  ? prep_transhuge_page+0xa0/0xa0
[  105.162284][ T9847]  ? __do_page_fault+0x56a/0xd80
[  105.167295][ T9847]  ? find_held_lock+0x35/0x130
[  105.172227][ T9847]  ? __do_page_fault+0x56a/0xd80
[  105.177165][ T9847]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[  105.183555][ T9847]  ? __fget_light+0x1a9/0x230
[  105.188256][ T9847]  ? __fdget+0x1b/0x20
[  105.192323][ T9847]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[  105.198763][ T9847]  __sys_sendmsg+0x105/0x1d0
[  105.203346][ T9847]  ? __sys_sendmsg_sock+0xc0/0xc0
[  105.208380][ T9847]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[  105.213841][ T9847]  ? do_fast_syscall_32+0xd1/0xe16
[  105.218947][ T9847]  ? entry_SYSENTER_compat+0x70/0x7f
[  105.224230][ T9847]  ? do_fast_syscall_32+0xd1/0xe16
[  105.229457][ T9847]  __ia32_compat_sys_sendmsg+0x7a/0xb0
[  105.234925][ T9847]  do_fast_syscall_32+0x27b/0xe16
[  105.239952][ T9847]  entry_SYSENTER_compat+0x70/0x7f
[  105.245058][ T9847] RIP: 0023:0xf7ff49a9
[  105.249110][ T9847] Code: 00 00 00 89 d3 5b 5e 5f 5d c3 b8 80 96 98 00 eb c4 8b 04 24 c3 8b 1c 24 c3 8b 34 24 c3 8b 3c 24 c3 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 eb 0d 90 90 90 90 90 90 90 90 90 90 90 90
[  105.268829][ T9847] RSP: 002b:00000000ff97f9fc EFLAGS: 00000202 ORIG_RAX: 0000000000000172
[  105.277338][ T9847] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000020000300
[  105.285452][ T9847] RDX: 0000000000000000 RSI: 0000000000000001 RDI: 00000000ff97fb14
[  105.293442][ T9847] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[  105.301411][ T9847] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[  105.309370][ T9847] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[  105.317940][ T9847] 
[  105.320258][ T9847] Allocated by task 9847:
[  105.324746][ T9847]  save_stack+0x23/0x90
[  105.328901][ T9847]  __kasan_kmalloc.constprop.0+0xcf/0xe0
[  105.334660][ T9847]  kasan_kmalloc+0x9/0x10
[  105.339166][ T9847]  __kmalloc+0x163/0x770
[  105.343394][ T9847]  ip_set_alloc+0x38/0x5e
[  105.347733][ T9847]  bitmap_ip_create+0x6ec/0xc20
[  105.352579][ T9847]  ip_set_create+0x6f1/0x1500
[  105.357248][ T9847]  nfnetlink_rcv_msg+0xcf2/0xfb0
[  105.362207][ T9847]  netlink_rcv_skb+0x177/0x450
[  105.367086][ T9847]  nfnetlink_rcv+0x1ba/0x460
[  105.371764][ T9847]  netlink_unicast+0x58c/0x7d0
[  105.376586][ T9847]  netlink_sendmsg+0x91c/0xea0
[  105.381423][ T9847]  sock_sendmsg+0xd7/0x130
[  105.385933][ T9847]  ____sys_sendmsg+0x753/0x880
[  105.390686][ T9847]  ___sys_sendmsg+0x100/0x170
[  105.395346][ T9847]  __sys_sendmsg+0x105/0x1d0
[  105.399931][ T9847]  __ia32_compat_sys_sendmsg+0x7a/0xb0
[  105.405385][ T9847]  do_fast_syscall_32+0x27b/0xe16
[  105.410402][ T9847]  entry_SYSENTER_compat+0x70/0x7f
[  105.415581][ T9847] 
[  105.417895][ T9847] Freed by task 9847:
[  105.421871][ T9847]  save_stack+0x23/0x90
[  105.426026][ T9847]  __kasan_slab_free+0x102/0x150
[  105.431018][ T9847]  kasan_slab_free+0xe/0x10
[  105.435518][ T9847]  kfree+0x10a/0x2c0
[  105.439405][ T9847]  kvfree+0x61/0x70
[  105.443303][ T9847]  ip_set_free+0x16/0x20
[  105.447548][ T9847]  bitmap_ip_destroy+0xae/0x1d0
[  105.452402][ T9847]  ip_set_create+0xe47/0x1500
[  105.457070][ T9847]  nfnetlink_rcv_msg+0xcf2/0xfb0
[  105.462000][ T9847]  netlink_rcv_skb+0x177/0x450
[  105.466748][ T9847]  nfnetlink_rcv+0x1ba/0x460
[  105.471328][ T9847]  netlink_unicast+0x58c/0x7d0
[  105.476091][ T9847]  netlink_sendmsg+0x91c/0xea0
[  105.480917][ T9847]  sock_sendmsg+0xd7/0x130
[  105.485523][ T9847]  ____sys_sendmsg+0x753/0x880
[  105.490296][ T9847]  ___sys_sendmsg+0x100/0x170
[  105.495210][ T9847]  __sys_sendmsg+0x105/0x1d0
[  105.499895][ T9847]  __ia32_compat_sys_sendmsg+0x7a/0xb0
[  105.505350][ T9847]  do_fast_syscall_32+0x27b/0xe16
[  105.510442][ T9847]  entry_SYSENTER_compat+0x70/0x7f
[  105.515539][ T9847] 
[  105.517912][ T9847] The buggy address belongs to the object at ffff88809d48dc80
[  105.517912][ T9847]  which belongs to the cache kmalloc-32 of size 32
[  105.531884][ T9847] The buggy address is located 0 bytes inside of
[  105.531884][ T9847]  32-byte region [ffff88809d48dc80, ffff88809d48dca0)
[  105.545050][ T9847] The buggy address belongs to the page:
[  105.550678][ T9847] page:ffffea0002752340 refcount:1 mapcount:0 mapping:ffff8880aa4001c0 index:0xffff88809d48dfc1
[  105.561167][ T9847] raw: 00fffe0000000200 ffffea00027706c8 ffffea0002778788 ffff8880aa4001c0
[  105.569984][ T9847] raw: ffff88809d48dfc1 ffff88809d48d000 000000010000003e 0000000000000000
[  105.578591][ T9847] page dumped because: kasan: bad access detected
[  105.584992][ T9847] 
[  105.587309][ T9847] Memory state around the buggy address:
[  105.593128][ T9847]  ffff88809d48db80: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[  105.601236][ T9847]  ffff88809d48dc00: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[  105.609292][ T9847] >ffff88809d48dc80: fb fb fb fb fc fc fc fc 00 fc fc fc fc fc fc fc
[  105.617500][ T9847]                    ^
[  105.621817][ T9847]  ffff88809d48dd00: fb fb fb fb fc fc fc fc 00 01 fc fc fc fc fc fc
[  105.629897][ T9847]  ffff88809d48dd80: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[  105.637945][ T9847] ==================================================================
[  105.646060][ T9847] Disabling lock debugging due to kernel taint
[  105.654418][ T9847] Kernel panic - not syncing: panic_on_warn set ...
[  105.661301][ T9847] CPU: 1 PID: 9847 Comm: syz-executor164 Tainted: G    B             5.5.0-rc6-syzkaller #0
[  105.671349][ T9847] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[  105.681408][ T9847] Call Trace:
[  105.684693][ T9847]  dump_stack+0x197/0x210
[  105.689067][ T9847]  panic+0x2e3/0x75c
[  105.693012][ T9847]  ? add_taint.cold+0x16/0x16
[  105.697675][ T9847]  ? bitmap_ip_ext_cleanup+0xd8/0x290
[  105.703182][ T9847]  ? preempt_schedule+0x4b/0x60
[  105.708055][ T9847]  ? ___preempt_schedule+0x16/0x18
[  105.713282][ T9847]  ? trace_hardirqs_on+0x5e/0x240
[  105.718401][ T9847]  ? bitmap_ip_ext_cleanup+0xd8/0x290
[  105.723935][ T9847]  end_report+0x47/0x4f
[  105.728201][ T9847]  ? bitmap_ip_ext_cleanup+0xd8/0x290
[  105.733566][ T9847]  __kasan_report.cold+0xe/0x41
[  105.738419][ T9847]  ? kfree+0x210/0x2c0
[  105.742598][ T9847]  ? bitmap_ip_ext_cleanup+0xd8/0x290
[  105.748043][ T9847]  kasan_report+0x12/0x20
[  105.752356][ T9847]  check_memory_region+0x134/0x1a0
[  105.757502][ T9847]  __kasan_check_read+0x11/0x20
[  105.762350][ T9847]  bitmap_ip_ext_cleanup+0xd8/0x290
[  105.768412][ T9847]  bitmap_ip_destroy+0x17c/0x1d0
[  105.773447][ T9847]  ip_set_create+0xe47/0x1500
[  105.778251][ T9847]  ? ip_set_destroy+0xb70/0xb70
[  105.783111][ T9847]  ? ip_set_destroy+0xb70/0xb70
[  105.787959][ T9847]  nfnetlink_rcv_msg+0xcf2/0xfb0
[  105.792895][ T9847]  ? nfnetlink_bind+0x2c0/0x2c0
[  105.797751][ T9847]  ? __kasan_check_read+0x11/0x20
[  105.802773][ T9847]  ? __lock_acquire+0x8a0/0x4a00
[  105.807757][ T9847]  ? save_stack+0x5c/0x90
[  105.812087][ T9847]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[  105.818350][ T9847]  ? apparmor_capable+0x497/0x900
[  105.823386][ T9847]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[  105.829800][ T9847]  ? __kasan_check_read+0x11/0x20
[  105.834883][ T9847]  ? apparmor_cred_prepare+0x7b0/0x7b0
[  105.840336][ T9847]  netlink_rcv_skb+0x177/0x450
[  105.845092][ T9847]  ? nfnetlink_bind+0x2c0/0x2c0
[  105.849988][ T9847]  ? netlink_ack+0xb50/0xb50
[  105.854598][ T9847]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[  105.860909][ T9847]  ? ns_capable_common+0x93/0x100
[  105.866040][ T9847]  ? ns_capable+0x20/0x30
[  105.870361][ T9847]  ? __netlink_ns_capable+0x104/0x140
[  105.875731][ T9847]  nfnetlink_rcv+0x1ba/0x460
[  105.880454][ T9847]  ? nfnetlink_rcv_batch+0x17a0/0x17a0
[  105.885918][ T9847]  ? netlink_deliver_tap+0x24a/0xbe0
[  105.891368][ T9847]  ? __kasan_check_write+0x14/0x20
[  105.896708][ T9847]  netlink_unicast+0x58c/0x7d0
[  105.901490][ T9847]  ? netlink_attachskb+0x870/0x870
[  105.906649][ T9847]  ? __sanitizer_cov_trace_cmp8+0x18/0x20
[  105.912655][ T9847]  ? __check_object_size+0x3d/0x437
[  105.917871][ T9847]  netlink_sendmsg+0x91c/0xea0
[  105.922632][ T9847]  ? netlink_unicast+0x7d0/0x7d0
[  105.927565][ T9847]  ? aa_sock_msg_perm.isra.0+0xba/0x170
[  105.933105][ T9847]  ? apparmor_socket_sendmsg+0x2a/0x30
[  105.938790][ T9847]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[  105.945027][ T9847]  ? security_socket_sendmsg+0x8d/0xc0
[  105.950658][ T9847]  ? netlink_unicast+0x7d0/0x7d0
[  105.955665][ T9847]  sock_sendmsg+0xd7/0x130
[  105.960130][ T9847]  ____sys_sendmsg+0x753/0x880
[  105.965097][ T9847]  ? kernel_sendmsg+0x50/0x50
[  105.972181][ T9847]  ? mark_held_locks+0xa4/0xf0
[  105.977004][ T9847]  ? do_huge_pmd_anonymous_page+0x1463/0x1a50
[  105.983317][ T9847]  ___sys_sendmsg+0x100/0x170
[  105.988034][ T9847]  ? sendmsg_copy_msghdr+0x70/0x70
[  105.993461][ T9847]  ? prep_transhuge_page+0xa0/0xa0
[  105.998704][ T9847]  ? __do_page_fault+0x56a/0xd80
[  106.003698][ T9847]  ? find_held_lock+0x35/0x130
[  106.008461][ T9847]  ? __do_page_fault+0x56a/0xd80
[  106.013510][ T9847]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[  106.019809][ T9847]  ? __fget_light+0x1a9/0x230
[  106.024486][ T9847]  ? __fdget+0x1b/0x20
[  106.028653][ T9847]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[  106.035037][ T9847]  __sys_sendmsg+0x105/0x1d0
[  106.039744][ T9847]  ? __sys_sendmsg_sock+0xc0/0xc0
[  106.044769][ T9847]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[  106.050220][ T9847]  ? do_fast_syscall_32+0xd1/0xe16
[  106.055331][ T9847]  ? entry_SYSENTER_compat+0x70/0x7f
[  106.060887][ T9847]  ? do_fast_syscall_32+0xd1/0xe16
[  106.066000][ T9847]  __ia32_compat_sys_sendmsg+0x7a/0xb0
[  106.071554][ T9847]  do_fast_syscall_32+0x27b/0xe16
[  106.076570][ T9847]  entry_SYSENTER_compat+0x70/0x7f
[  106.081681][ T9847] RIP: 0023:0xf7ff49a9
[  106.085793][ T9847] Code: 00 00 00 89 d3 5b 5e 5f 5d c3 b8 80 96 98 00 eb c4 8b 04 24 c3 8b 1c 24 c3 8b 34 24 c3 8b 3c 24 c3 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 eb 0d 90 90 90 90 90 90 90 90 90 90 90 90
[  106.105640][ T9847] RSP: 002b:00000000ff97f9fc EFLAGS: 00000202 ORIG_RAX: 0000000000000172
[  106.114358][ T9847] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000020000300
[  106.122323][ T9847] RDX: 0000000000000000 RSI: 0000000000000001 RDI: 00000000ff97fb14
[  106.130393][ T9847] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[  106.138711][ T9847] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[  106.147026][ T9847] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[  106.160694][ T9847] Kernel Offset: disabled
[  106.165050][ T9847] Rebooting in 86400 seconds..