[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
Starting Load/Save RF Kill Switch Status...
[ OK ] Started Update UTMP about System Runlevel Changes.
[ OK ] Started Load/Save RF Kill Switch Status.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.0.236' (ECDSA) to the list of known hosts.
executing program
executing program
executing program
executing program
executing program
executing program
syzkaller login: [ 45.776977] audit: type=1400 audit(1601012673.005:8): avc: denied { execmem } for pid=6493 comm="syz-executor703" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=1
[ 45.791882] netlink: 32 bytes leftover after parsing attributes in process `syz-executor703'.
[ 45.806919] netlink: 32 bytes leftover after parsing attributes in process `syz-executor703'.
[ 45.818054] netlink: 32 bytes leftover after parsing attributes in process `syz-executor703'.
[ 45.827599] netlink: 32 bytes leftover after parsing attributes in process `syz-executor703'.
[ 45.836969] netlink: 32 bytes leftover after parsing attributes in process `syz-executor703'.
[ 45.846536] netlink: 32 bytes leftover after parsing attributes in process `syz-executor703'.
[ 45.876225] ==================================================================
[ 45.883801] BUG: KASAN: use-after-free in tcf_action_destroy+0x188/0x1b0
[ 45.890654] Read of size 8 at addr ffff88809fad7bc0 by task syz-executor703/6504
[ 45.898188]
[ 45.899826] CPU: 0 PID: 6504 Comm: syz-executor703 Not tainted 4.19.147-syzkaller #0
[ 45.907711] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 45.917115] Call Trace:
[ 45.920176]  dump_stack+0x22c/0x33e
[ 45.923805]  print_address_description.cold+0x56/0x25c
[ 45.929098]  kasan_report_error.cold+0x66/0xb9
[ 45.933686]  ? tcf_action_destroy+0x188/0x1b0
[ 45.938198]  __asan_report_load8_noabort+0x88/0x90
[ 45.943132]  ? tcf_action_destroy+0x188/0x1b0
[ 45.947643]  tcf_action_destroy+0x188/0x1b0
[ 45.952006]  tcf_action_init+0x2ff/0x490
[ 45.956087]  ? __lock_acquire+0x6ec/0x3ff0
[ 45.960321]  ? tcf_action_init_1+0xc40/0xc40
[ 45.964843]  ? avc_has_perm_noaudit+0x224/0x3e0
[ 45.969520]  tcf_action_add+0xd9/0x360
[ 45.973421]  ? tca_action_gd+0x1720/0x1720
[ 45.977690]  ? memset+0x20/0x40
[ 45.980985]  ? nla_parse+0x1b2/0x290
[ 45.984723]  tc_ctl_action+0x337/0x417
[ 45.988620]  ? tcf_action_add+0x360/0x360
[ 45.992842]  ? tcf_action_add+0x360/0x360
[ 45.997009]  rtnetlink_rcv_msg+0x498/0xc10
[ 46.001262]  ? rtnl_get_link+0x270/0x270
[ 46.005344]  ? __netlink_lookup+0x481/0x7e0
[ 46.009692]  ? find_held_lock+0x2d/0x110
[ 46.013768]  netlink_rcv_skb+0x160/0x440
[ 46.018779]  ? rtnl_get_link+0x270/0x270
[ 46.022845]  ? netlink_ack+0xae0/0xae0
[ 46.026741]  netlink_unicast+0x4d5/0x690
[ 46.030800]  ? netlink_sendskb+0x110/0x110
[ 46.035068]  netlink_sendmsg+0x717/0xcc0
[ 46.039153]  ? nlmsg_notify+0x1a0/0x1a0
[ 46.043118]  ? __sock_recv_ts_and_drops+0x540/0x540
[ 46.048157]  ? nlmsg_notify+0x1a0/0x1a0
[ 46.052128]  sock_sendmsg+0xc7/0x130
[ 46.055856]  ___sys_sendmsg+0x7bb/0x8f0
[ 46.059822]  ? copy_msghdr_from_user+0x440/0x440
[ 46.064767]  ? find_held_lock+0x2d/0x110
[ 46.068845]  ? __fget+0x386/0x570
[ 46.072352]  ? lock_downgrade+0x750/0x750
[ 46.076503]  ? check_preemption_disabled+0x41/0x2b0
[ 46.081526]  ? __fget+0x3ad/0x570
[ 46.085282]  ? copy_fd_bitmaps+0x2c0/0x2c0
[ 46.089507]  ? __fget_light+0x1d1/0x230
[ 46.093488]  __x64_sys_sendmsg+0x132/0x220
[ 46.097725]  ? __sys_sendmsg+0x1b0/0x1b0
[ 46.101794]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 46.106551]  ? trace_hardirqs_off_caller+0x69/0x210
[ 46.111570]  ? do_syscall_64+0x21/0x670
[ 46.115536]  do_syscall_64+0xf9/0x670
[ 46.119352]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 46.124725] RIP: 0033:0x446d29
[ 46.127904] Code: e8 0c e8 ff ff 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 db 06 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 46.146797] RSP: 002b:00007fc5afe92d98 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 46.154498] RAX: ffffffffffffffda RBX: 00000000006dbc28 RCX: 0000000000446d29
[ 46.161766] RDX: 0000000000000000 RSI: 0000000020002980 RDI: 0000000000000003
[ 46.169037] RBP: 00000000006dbc20 R08: 0000000000000000 R09: 0000000000000000
[ 46.176305] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dbc2c
[ 46.183583] R13: 0001008400000000 R14: 0000000000000000 R15: 053b003000000098
[ 46.190860]
[ 46.192471] Allocated by task 6503:
[ 46.196095]  __kmalloc+0x15a/0x4f0
[ 46.199696]  tcf_idr_create+0x5b/0x650
[ 46.203874]  tcf_connmark_init+0x4f3/0x7fa
[ 46.208098]  tcf_action_init_1+0x962/0xc40
[ 46.212354]  tcf_action_init+0x2c3/0x490
[ 46.216425]  tcf_action_add+0xd9/0x360
[ 46.220319]  tc_ctl_action+0x337/0x417
[ 46.224220]  rtnetlink_rcv_msg+0x498/0xc10
[ 46.228452]  netlink_rcv_skb+0x160/0x440
[ 46.232682]  netlink_unicast+0x4d5/0x690
[ 46.236754]  netlink_sendmsg+0x717/0xcc0
[ 46.240807]  sock_sendmsg+0xc7/0x130
[ 46.244608]  ___sys_sendmsg+0x7bb/0x8f0
[ 46.248569]  __x64_sys_sendmsg+0x132/0x220
[ 46.252811]  do_syscall_64+0xf9/0x670
[ 46.256617]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 46.261783]
[ 46.263402] Freed by task 6524:
[ 46.266684]  kfree+0xcc/0x250
[ 46.269793]  __tcf_action_put+0xf4/0x130
[ 46.273845]  tcf_generic_walker+0x62d/0xa20
[ 46.278152]  tca_action_gd+0x95f/0x1720
[ 46.282129]  tc_ctl_action+0x27d/0x417
[ 46.286000]  rtnetlink_rcv_msg+0x498/0xc10
[ 46.290219]  netlink_rcv_skb+0x160/0x440
[ 46.294276]  netlink_unicast+0x4d5/0x690
[ 46.298321]  netlink_sendmsg+0x717/0xcc0
[ 46.302380]  sock_sendmsg+0xc7/0x130
[ 46.306076]  ___sys_sendmsg+0x7bb/0x8f0
[ 46.310048]  __x64_sys_sendmsg+0x132/0x220
[ 46.314287]  do_syscall_64+0xf9/0x670
[ 46.318087]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 46.323264]
[ 46.324902] The buggy address belongs to the object at ffff88809fad7bc0
[ 46.324902]  which belongs to the cache kmalloc-256 of size 256
[ 46.337566] The buggy address is located 0 bytes inside of
[ 46.337566]  256-byte region [ffff88809fad7bc0, ffff88809fad7cc0)
[ 46.349286] The buggy address belongs to the page:
[ 46.354221] page:ffffea00027eb5c0 count:1 mapcount:0 mapping:ffff88812c3f67c0 index:0xffff88809fad7e40
[ 46.363658] flags: 0xfffe0000000100(slab)
[ 46.367824] raw: 00fffe0000000100 ffffea00027e3c88 ffffea00027f3648 ffff88812c3f67c0
[ 46.375717] raw: ffff88809fad7e40 ffff88809fad7080 0000000100000004 0000000000000000
[ 46.383674] page dumped because: kasan: bad access detected
[ 46.389373]
[ 46.391674] Memory state around the buggy address:
[ 46.396815]  ffff88809fad7a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 46.404168]  ffff88809fad7b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 46.411532] >ffff88809fad7b80: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 46.418895]                                            ^
[ 46.424391]  ffff88809fad7c00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 46.431819]  ffff88809fad7c80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 46.439192] ==================================================================
[ 46.446553] Disabling lock debugging due to kernel taint
[ 46.452986] Kernel panic - not syncing: panic_on_warn set ...
[ 46.452986]
[ 46.460372] CPU: 0 PID: 6504 Comm: syz-executor703 Tainted: G B 4.19.147-syzkaller #0
[ 46.469726] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 46.479095] Call Trace:
[ 46.481692]  dump_stack+0x22c/0x33e
[ 46.485340]  panic+0x2ac/0x565
[ 46.488548]  ? __warn_printk+0xf3/0xf3
[ 46.492449]  ? preempt_schedule_common+0x45/0xc0
[ 46.497213]  ? ___preempt_schedule+0x16/0x18
[ 46.501632]  ? trace_hardirqs_on+0x55/0x210
[ 46.505973]  kasan_end_report+0x43/0x49
[ 46.509958]  kasan_report_error.cold+0x83/0xb9
[ 46.514548]  ? tcf_action_destroy+0x188/0x1b0
[ 46.519389]  __asan_report_load8_noabort+0x88/0x90
[ 46.524307]  ? tcf_action_destroy+0x188/0x1b0
[ 46.528786]  tcf_action_destroy+0x188/0x1b0
[ 46.533106]  tcf_action_init+0x2ff/0x490
[ 46.537508]  ? __lock_acquire+0x6ec/0x3ff0
[ 46.541732]  ? tcf_action_init_1+0xc40/0xc40
[ 46.546157]  ? avc_has_perm_noaudit+0x224/0x3e0
[ 46.550843]  tcf_action_add+0xd9/0x360
[ 46.554733]  ? tca_action_gd+0x1720/0x1720
[ 46.558962]  ? memset+0x20/0x40
[ 46.562246]  ? nla_parse+0x1b2/0x290
[ 46.566011]  tc_ctl_action+0x337/0x417
[ 46.569940]  ? tcf_action_add+0x360/0x360
[ 46.574078]  ? tcf_action_add+0x360/0x360
[ 46.578262]  rtnetlink_rcv_msg+0x498/0xc10
[ 46.582506]  ? rtnl_get_link+0x270/0x270
[ 46.586575]  ? __netlink_lookup+0x481/0x7e0
[ 46.590891]  ? find_held_lock+0x2d/0x110
[ 46.594945]  netlink_rcv_skb+0x160/0x440
[ 46.598996]  ? rtnl_get_link+0x270/0x270
[ 46.603042]  ? netlink_ack+0xae0/0xae0
[ 46.606933]  netlink_unicast+0x4d5/0x690
[ 46.611013]  ? netlink_sendskb+0x110/0x110
[ 46.615253]  netlink_sendmsg+0x717/0xcc0
[ 46.619310]  ? nlmsg_notify+0x1a0/0x1a0
[ 46.623274]  ? __sock_recv_ts_and_drops+0x540/0x540
[ 46.628296]  ? nlmsg_notify+0x1a0/0x1a0
[ 46.632263]  sock_sendmsg+0xc7/0x130
[ 46.635977]  ___sys_sendmsg+0x7bb/0x8f0
[ 46.639954]  ? copy_msghdr_from_user+0x440/0x440
[ 46.644707]  ? find_held_lock+0x2d/0x110
[ 46.648786]  ? __fget+0x386/0x570
[ 46.652238]  ? lock_downgrade+0x750/0x750
[ 46.656383]  ? check_preemption_disabled+0x41/0x2b0
[ 46.661391]  ? __fget+0x3ad/0x570
[ 46.664838]  ? copy_fd_bitmaps+0x2c0/0x2c0
[ 46.669094]  ? __fget_light+0x1d1/0x230
[ 46.673083]  __x64_sys_sendmsg+0x132/0x220
[ 46.677337]  ? __sys_sendmsg+0x1b0/0x1b0
[ 46.681413]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 46.686165]  ? trace_hardirqs_off_caller+0x69/0x210
[ 46.691177]  ? do_syscall_64+0x21/0x670
[ 46.695153]  do_syscall_64+0xf9/0x670
[ 46.698952]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 46.704778] RIP: 0033:0x446d29
[ 46.707994] Code: e8 0c e8 ff ff 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 db 06 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 46.726896] RSP: 002b:00007fc5afe92d98 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 46.734594] RAX: ffffffffffffffda RBX: 00000000006dbc28 RCX: 0000000000446d29
[ 46.741908] RDX: 0000000000000000 RSI: 0000000020002980 RDI: 0000000000000003
[ 46.749167] RBP: 00000000006dbc20 R08: 0000000000000000 R09: 0000000000000000
[ 46.756472] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dbc2c
[ 46.763733] R13: 0001008400000000 R14: 0000000000000000 R15: 053b003000000098
[ 46.772183] Kernel Offset: disabled
[ 46.775925] Rebooting in 86400 seconds..