Warning: Permanently added '10.128.10.62' (ECDSA) to the list of known hosts.
[ 63.064332] audit: type=1400 audit(1571274724.090:36): avc: denied { map } for pid=7628 comm="syz-executor929" path="/root/syz-executor929544538" dev="sda1" ino=16484 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 63.086723] IPVS: ftp: loaded support on port[0] = 21
[ 63.146486] chnl_net:caif_netlink_parms(): no params data found
[ 63.185437] bridge0: port 1(bridge_slave_0) entered blocking state
[ 63.192561] bridge0: port 1(bridge_slave_0) entered disabled state
[ 63.200202] device bridge_slave_0 entered promiscuous mode
[ 63.208260] bridge0: port 2(bridge_slave_1) entered blocking state
[ 63.214782] bridge0: port 2(bridge_slave_1) entered disabled state
[ 63.222270] device bridge_slave_1 entered promiscuous mode
[ 63.239389] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 63.249074] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 63.267590] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 63.275805] team0: Port device team_slave_0 added
[ 63.281916] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 63.289263] team0: Port device team_slave_1 added
[ 63.294795] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[ 63.302207] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[ 63.383602] device hsr_slave_0 entered promiscuous mode
[ 63.452651] device hsr_slave_1 entered promiscuous mode
[ 63.522055] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready
[ 63.529327] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_1: link is not ready
[ 63.544568] bridge0: port 2(bridge_slave_1) entered blocking state
[ 63.551034] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 63.558216] bridge0: port 1(bridge_slave_0) entered blocking state
[ 63.564635] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 63.598447] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[ 63.605980] 8021q: adding VLAN 0 to HW filter on device bond0
[ 63.615140] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 63.624983] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 63.644865] bridge0: port 1(bridge_slave_0) entered disabled state
[ 63.653173] bridge0: port 2(bridge_slave_1) entered disabled state
[ 63.664608] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 63.675555] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready
[ 63.682939] 8021q: adding VLAN 0 to HW filter on device team0
[ 63.704684] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 63.712917] bridge0: port 1(bridge_slave_0) entered blocking state
[ 63.719267] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 63.726285] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 63.735304] bridge0: port 2(bridge_slave_1) entered blocking state
[ 63.741863] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 63.749244] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 63.757280] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 63.766140] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 63.776738] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 63.789091] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
executing program
[ 63.800258] IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready
[ 63.807916] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 63.815180] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 63.828202] IPv6: ADDRCONF(NETDEV_UP): vxcan1: link is not ready
[ 63.838887] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 63.883071] netlink: 'syz-executor929': attribute type 2 has an invalid length.
[ 63.921631] protocol 88fb is buggy, dev hsr_slave_0
[ 63.926973] protocol 88fb is buggy, dev hsr_slave_1
executing program
[ 64.026113] netlink: 'syz-executor929': attribute type 2 has an invalid length.
[ 64.041445] protocol 88fb is buggy, dev hsr_slave_0
[ 64.046606] protocol 88fb is buggy, dev hsr_slave_1
[ 64.072641] netlink: 'syz-executor929': attribute type 2 has an invalid length.
[ 64.080624] ==================================================================
[ 64.088204] BUG: KASAN: slab-out-of-bounds in tcf_exts_destroy+0xb3/0xd0
[ 64.095059] Read of size 8 at addr ffff8880a4549790 by task syz-executor929/7634
[ 64.102765]
[ 64.104383] CPU: 0 PID: 7634 Comm: syz-executor929 Not tainted 4.19.79 #0
[ 64.111287] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 64.121333] Call Trace:
[ 64.123931] dump_stack+0x172/0x1f0
[ 64.127583] ? tcf_exts_destroy+0xb3/0xd0
[ 64.131733] print_address_description.cold+0x7c/0x20d
[ 64.137007] ? tcf_exts_destroy+0xb3/0xd0
[ 64.141154] kasan_report.cold+0x8c/0x2ba
[ 64.145486] __asan_report_load8_noabort+0x14/0x20
[ 64.150414] tcf_exts_destroy+0xb3/0xd0
[ 64.154401] tcindex_free_perfect_hash.isra.0+0xb3/0x150
[ 64.159857] tcindex_set_parms+0x10e7/0x1e20
[ 64.161452] protocol 88fb is buggy, dev hsr_slave_0
[ 64.164285] ? tcindex_alloc_perfect_hash+0x350/0x350
[ 64.169419] protocol 88fb is buggy, dev hsr_slave_1
[ 64.174532] ? vprintk_default+0x28/0x30
[ 64.174544] ? vprintk_func+0x86/0x189
[ 64.174556] ? printk+0xba/0xed
[ 64.174579] ? validate_nla+0x19f/0x810
[ 64.174591] ? __sanitizer_cov_trace_switch+0x49/0x80
[ 64.174601] ? __sanitizer_cov_trace_cmp4+0x16/0x20
[ 64.174616] ? validate_nla+0x32f/0x810
[ 64.208916] tcindex_change+0x22d/0x315
[ 64.212897] ? tcindex_change+0x22d/0x315
[ 64.217039] ? tcindex_set_parms+0x1e20/0x1e20
[ 64.221616] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 64.227141] ? tcindex_lookup+0x9d/0x3c0
[ 64.231187] ? tcindex_set_parms+0x1e20/0x1e20
[ 64.235757] tc_new_tfilter+0xc54/0x1790
[ 64.239821] ? tc_del_tfilter+0xe60/0xe60
[ 64.243987] ? rtnetlink_rcv_msg+0x40a/0xb00
[ 64.248425] ? kfree_skbmem+0xcb/0x150
[ 64.252314] ? mutex_trylock+0x1e0/0x1e0
[ 64.256378] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 64.261902] ? tc_del_tfilter+0xe60/0xe60
[ 64.266076] rtnetlink_rcv_msg+0x463/0xb00
[ 64.270302] ? rtnetlink_put_metrics+0x560/0x560
[ 64.275045] ? netdev_pick_tx+0x300/0x300
[ 64.279184] ? netlink_deliver_tap+0x22d/0xc20
[ 64.281436] protocol 88fb is buggy, dev hsr_slave_0
[ 64.283762] ? find_held_lock+0x35/0x130
[ 64.283782] netlink_rcv_skb+0x17d/0x460
[ 64.288836] protocol 88fb is buggy, dev hsr_slave_1
[ 64.292865] ? rtnetlink_put_metrics+0x560/0x560
[ 64.292882] ? netlink_ack+0xb30/0xb30
[ 64.292895] ? kasan_check_read+0x11/0x20
[ 64.292913] ? netlink_deliver_tap+0x254/0xc20
[ 64.319327] rtnetlink_rcv+0x1d/0x30
[ 64.323161] netlink_unicast+0x537/0x720
[ 64.327304] ? netlink_attachskb+0x770/0x770
[ 64.331722] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 64.337275] netlink_sendmsg+0x8ae/0xd70
[ 64.341338] ? netlink_unicast+0x720/0x720
[ 64.345583] ? selinux_socket_sendmsg+0x36/0x40
[ 64.350234] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 64.355767] ? security_socket_sendmsg+0x8d/0xc0
[ 64.360510] ? netlink_unicast+0x720/0x720
[ 64.364732] sock_sendmsg+0xd7/0x130
[ 64.368430] ___sys_sendmsg+0x3e2/0x920
[ 64.372408] ? copy_msghdr_from_user+0x430/0x430
[ 64.377256] ? find_held_lock+0x35/0x130
[ 64.381307] ? fs_reclaim_acquire+0x20/0x20
[ 64.385636] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 64.391176] ? check_preemption_disabled+0x48/0x290
[ 64.396232] ? __lock_acquire+0x6ee/0x49c0
[ 64.400460] ? rcu_read_lock_sched_held+0x110/0x130
[ 64.405474] ? kmem_cache_alloc+0x32a/0x700
[ 64.409795] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 64.415330] ? __fget_light+0x1a9/0x230
[ 64.419310] ? __fdget+0x1b/0x20
[ 64.422661] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 64.428379] ? sockfd_lookup_light+0xcb/0x180
[ 64.432864] __sys_sendmmsg+0x1bf/0x4e0
[ 64.436827] ? __ia32_sys_sendmsg+0xb0/0xb0
[ 64.441167] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 64.446687] ? __fd_install+0x200/0x640
[ 64.450652] ? fd_install+0x4d/0x60
[ 64.454283] ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 64.459470] ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 64.464219] ? do_syscall_64+0x26/0x620
[ 64.468177] ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 64.473527] ? do_syscall_64+0x26/0x620
[ 64.477491] __x64_sys_sendmmsg+0x9d/0x100
[ 64.481710] do_syscall_64+0xfd/0x620
[ 64.485498] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 64.490688] RIP: 0033:0x443299
[ 64.493869] Code: e8 9c 07 03 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 3b 0a fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 64.512903] RSP: 002b:00007ffde91bb8a8 EFLAGS: 00000246 ORIG_RAX: 0000000000000133
[ 64.521389] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000443299
[ 64.528643] RDX: 0000000000000332 RSI: 0000000020000140 RDI: 0000000000000008
[ 64.535895] RBP: 000000000000000c R08: 0000000000000000 R09: 0000000000000000
[ 64.543151] R10: 0000000000000000 R11: 0000000000000246 R12: 0030766461746162
[ 64.550420] R13: 00000000004041f0 R14: 0000000000000000 R15: 0000000000000000
[ 64.557695]
[ 64.559307] Allocated by task 7634:
[ 64.562920] save_stack+0x45/0xd0
[ 64.566358] kasan_kmalloc+0xce/0xf0
[ 64.570353] __kmalloc+0x15d/0x750
[ 64.573992] tcindex_alloc_perfect_hash+0x5b/0x350
[ 64.578905] tcindex_set_parms+0x44e/0x1e20
[ 64.583224] tcindex_change+0x22d/0x315
[ 64.587181] tc_new_tfilter+0xc54/0x1790
[ 64.591245] rtnetlink_rcv_msg+0x463/0xb00
[ 64.595477] netlink_rcv_skb+0x17d/0x460
[ 64.599534] rtnetlink_rcv+0x1d/0x30
[ 64.603232] netlink_unicast+0x537/0x720
[ 64.607275] netlink_sendmsg+0x8ae/0xd70
[ 64.611370] sock_sendmsg+0xd7/0x130
[ 64.615075] ___sys_sendmsg+0x3e2/0x920
[ 64.619031] __sys_sendmmsg+0x1bf/0x4e0
[ 64.623007] __x64_sys_sendmmsg+0x9d/0x100
[ 64.627316] do_syscall_64+0xfd/0x620
[ 64.631117] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 64.636286]
[ 64.637894] Freed by task 2232:
[ 64.641160] save_stack+0x45/0xd0
[ 64.644598] __kasan_slab_free+0x102/0x150
[ 64.648819] kasan_slab_free+0xe/0x10
[ 64.652686] kfree+0xcf/0x220
[ 64.655776] umh_complete+0x8d/0xa0
[ 64.659386] call_usermodehelper_exec_async+0x560/0x640
[ 64.664819] ret_from_fork+0x24/0x30
[ 64.668519]
[ 64.670139] The buggy address belongs to the object at ffff8880a4549700
[ 64.670139] which belongs to the cache kmalloc-192 of size 192
[ 64.682782] The buggy address is located 144 bytes inside of
[ 64.682782] 192-byte region [ffff8880a4549700, ffff8880a45497c0)
[ 64.694656] The buggy address belongs to the page:
[ 64.699583] page:ffffea0002915240 count:1 mapcount:0 mapping:ffff88812c3f0040 index:0x0
[ 64.707725] flags: 0x1fffc0000000100(slab)
[ 64.711963] raw: 01fffc0000000100 ffffea00028faa88 ffffea00028f1f88 ffff88812c3f0040
[ 64.719843] raw: 0000000000000000 ffff8880a4549000 0000000100000010 0000000000000000
[ 64.727707] page dumped because: kasan: bad access detected
[ 64.733396]
[ 64.735006] Memory state around the buggy address:
[ 64.739922] ffff8880a4549680: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 64.747268] ffff8880a4549700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 64.754625] >ffff8880a4549780: 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 64.761992] ^
[ 64.765864] ffff8880a4549800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 64.773210] ffff8880a4549880: 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 64.780549] ==================================================================
[ 64.787891] Disabling lock debugging due to kernel taint
[ 64.794373] Kernel panic - not syncing: panic_on_warn set ...
[ 64.794373]
[ 64.801757] CPU: 0 PID: 7634 Comm: syz-executor929 Tainted: G B 4.19.79 #0
[ 64.810054] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 64.819398] Call Trace:
[ 64.821976] dump_stack+0x172/0x1f0
[ 64.825590] ? tcf_exts_destroy+0xb3/0xd0
[ 64.829808] panic+0x263/0x507
[ 64.832984] ? __warn_printk+0xf3/0xf3
[ 64.836856] ? tcf_exts_destroy+0xb3/0xd0
[ 64.841004] ? preempt_schedule+0x4b/0x60
[ 64.845137] ? ___preempt_schedule+0x16/0x18
[ 64.849531] ? trace_hardirqs_on+0x5e/0x220
[ 64.853839] ? tcf_exts_destroy+0xb3/0xd0
[ 64.857970] kasan_end_report+0x47/0x4f
[ 64.861940] kasan_report.cold+0xa9/0x2ba
[ 64.866081] __asan_report_load8_noabort+0x14/0x20
[ 64.871004] tcf_exts_destroy+0xb3/0xd0
[ 64.874972] tcindex_free_perfect_hash.isra.0+0xb3/0x150
[ 64.880409] tcindex_set_parms+0x10e7/0x1e20
[ 64.884830] ? tcindex_alloc_perfect_hash+0x350/0x350
[ 64.890004] ? vprintk_default+0x28/0x30
[ 64.894069] ? vprintk_func+0x86/0x189
[ 64.897939] ? printk+0xba/0xed
[ 64.901214] ? validate_nla+0x19f/0x810
[ 64.905171] ? __sanitizer_cov_trace_switch+0x49/0x80
[ 64.910355] ? __sanitizer_cov_trace_cmp4+0x16/0x20
[ 64.915362] ? validate_nla+0x32f/0x810
[ 64.919326] tcindex_change+0x22d/0x315
[ 64.923295] ? tcindex_change+0x22d/0x315
[ 64.927432] ? tcindex_set_parms+0x1e20/0x1e20
[ 64.932007] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 64.937539] ? tcindex_lookup+0x9d/0x3c0
[ 64.941698] ? tcindex_set_parms+0x1e20/0x1e20
[ 64.946305] tc_new_tfilter+0xc54/0x1790
[ 64.950359] ? tc_del_tfilter+0xe60/0xe60
[ 64.954509] ? rtnetlink_rcv_msg+0x40a/0xb00
[ 64.958908] ? kfree_skbmem+0xcb/0x150
[ 64.962781] ? mutex_trylock+0x1e0/0x1e0
[ 64.966833] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 64.972355] ? tc_del_tfilter+0xe60/0xe60
[ 64.976507] rtnetlink_rcv_msg+0x463/0xb00
[ 64.980730] ? rtnetlink_put_metrics+0x560/0x560
[ 64.985487] ? netdev_pick_tx+0x300/0x300
[ 64.989627] ? netlink_deliver_tap+0x22d/0xc20
[ 64.994201] ? find_held_lock+0x35/0x130
[ 64.998252] netlink_rcv_skb+0x17d/0x460
[ 65.002745] ? rtnetlink_put_metrics+0x560/0x560
[ 65.007488] ? netlink_ack+0xb30/0xb30
[ 65.011548] ? kasan_check_read+0x11/0x20
[ 65.015688] ? netlink_deliver_tap+0x254/0xc20
[ 65.020267] rtnetlink_rcv+0x1d/0x30
[ 65.023978] netlink_unicast+0x537/0x720
[ 65.028051] ? netlink_attachskb+0x770/0x770
[ 65.032453] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 65.037984] netlink_sendmsg+0x8ae/0xd70
[ 65.042042] ? netlink_unicast+0x720/0x720
[ 65.046265] ? selinux_socket_sendmsg+0x36/0x40
[ 65.051103] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 65.056638] ? security_socket_sendmsg+0x8d/0xc0
[ 65.061388] ? netlink_unicast+0x720/0x720
[ 65.065626] sock_sendmsg+0xd7/0x130
[ 65.069338] ___sys_sendmsg+0x3e2/0x920
[ 65.073464] ? copy_msghdr_from_user+0x430/0x430
[ 65.078381] ? find_held_lock+0x35/0x130
[ 65.082443] ? fs_reclaim_acquire+0x20/0x20
[ 65.086754] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 65.092294] ? check_preemption_disabled+0x48/0x290
[ 65.097298] ? __lock_acquire+0x6ee/0x49c0
[ 65.101522] ? rcu_read_lock_sched_held+0x110/0x130
[ 65.106564] ? kmem_cache_alloc+0x32a/0x700
[ 65.110923] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 65.116464] ? __fget_light+0x1a9/0x230
[ 65.120433] ? __fdget+0x1b/0x20
[ 65.123786] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 65.129308] ? sockfd_lookup_light+0xcb/0x180
[ 65.133805] __sys_sendmmsg+0x1bf/0x4e0
[ 65.137771] ? __ia32_sys_sendmsg+0xb0/0xb0
[ 65.142085] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 65.147619] ? __fd_install+0x200/0x640
[ 65.151584] ? fd_install+0x4d/0x60
[ 65.155234] ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 65.159972] ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 65.164722] ? do_syscall_64+0x26/0x620
[ 65.168695] ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 65.174083] ? do_syscall_64+0x26/0x620
[ 65.178051] __x64_sys_sendmmsg+0x9d/0x100
[ 65.182332] do_syscall_64+0xfd/0x620
[ 65.186130] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 65.191324] RIP: 0033:0x443299
[ 65.194509] Code: e8 9c 07 03 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 3b 0a fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 65.213395] RSP: 002b:00007ffde91bb8a8 EFLAGS: 00000246 ORIG_RAX: 0000000000000133
[ 65.221101] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000443299
[ 65.228364] RDX: 0000000000000332 RSI: 0000000020000140 RDI: 0000000000000008
[ 65.235618] RBP: 000000000000000c R08: 0000000000000000 R09: 0000000000000000
[ 65.242890] R10: 0000000000000000 R11: 0000000000000246 R12: 0030766461746162
[ 65.250143] R13: 00000000004041f0 R14: 0000000000000000 R15: 0000000000000000
[ 65.258954] Kernel Offset: disabled
[ 65.262592] Rebooting in 86400 seconds..