Warning: Permanently added '10.128.0.224' (ECDSA) to the list of known hosts.
executing program
executing program
executing program
executing program
executing program
executing program
syzkaller login: [ 52.803408] audit: type=1400 audit(1597488265.375:8): avc: denied { execmem } for pid=6479 comm="syz-executor452" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=1
[ 52.884808] ==================================================================
[ 52.892289] BUG: KASAN: use-after-free in __list_del_entry_valid+0xcc/0xef
[ 52.899294] Read of size 8 at addr ffff8880a905acc8 by task syz-executor452/6490
[ 52.906854]
[ 52.908486] CPU: 0 PID: 6490 Comm: syz-executor452 Not tainted 4.19.139-syzkaller #0
[ 52.916502] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 52.925864] Call Trace:
[ 52.928446]  dump_stack+0x1fc/0x2fe
[ 52.932058]  print_address_description.cold+0x54/0x219
[ 52.937317]  kasan_report_error.cold+0x8a/0x1c7
[ 52.941973]  ? __list_del_entry_valid+0xcc/0xef
[ 52.946638]  __asan_report_load8_noabort+0x88/0x90
[ 52.951566]  ? __list_del_entry_valid+0xcc/0xef
[ 52.956227]  __list_del_entry_valid+0xcc/0xef
[ 52.960705]  __nf_tables_abort+0x1fde/0x2ca0
[ 52.965146]  ? rcu_read_lock_sched_held+0x16c/0x1d0
[ 52.970144]  nf_tables_abort+0x13/0x30
[ 52.974019]  nfnetlink_rcv_batch+0xb66/0x1df0
[ 52.978504]  ? nfnetlink_bind+0x2b0/0x2b0
[ 52.982661]  ? __netlink_lookup+0x383/0x730
[ 52.986975]  ? lock_downgrade+0x720/0x720
[ 52.991104]  ? cap_capable+0x1eb/0x250
[ 52.994990]  ? security_capable+0x8f/0xc0
[ 52.999129]  ? memset+0x20/0x40
[ 53.002397]  ? nla_parse+0x1b2/0x290
[ 53.006100]  nfnetlink_rcv+0x3b5/0x41b
[ 53.009975]  ? nfnetlink_rcv_batch+0x1df0/0x1df0
[ 53.014714]  netlink_unicast+0x4d5/0x690
[ 53.018772]  ? netlink_sendskb+0x110/0x110
[ 53.023000]  netlink_sendmsg+0x6bb/0xc40
[ 53.027060]  ? nlmsg_notify+0x1a0/0x1a0
[ 53.031024]  ? kernel_recvmsg+0x220/0x220
[ 53.035158]  ? nlmsg_notify+0x1a0/0x1a0
[ 53.039120]  sock_sendmsg+0xc3/0x120
[ 53.042825]  ___sys_sendmsg+0x7bb/0x8e0
[ 53.046801]  ? copy_msghdr_from_user+0x440/0x440
[ 53.051539]  ? do_huge_pmd_anonymous_page+0x939/0x1cc0
[ 53.056798]  ? __fget+0x32f/0x510
[ 53.060236]  ? lock_downgrade+0x720/0x720
[ 53.064370]  ? check_preemption_disabled+0x41/0x280
[ 53.069372]  ? check_preemption_disabled+0x41/0x280
[ 53.074380]  ? __fget+0x356/0x510
[ 53.077841]  ? do_dup2+0x450/0x450
[ 53.081381]  ? __fdget+0x1d0/0x230
[ 53.084905]  __x64_sys_sendmsg+0x132/0x220
[ 53.089123]  ? __sys_sendmsg+0x1b0/0x1b0
[ 53.093181]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 53.097918]  ? trace_hardirqs_off_caller+0x69/0x210
[ 53.102915]  ? do_syscall_64+0x21/0x620
[ 53.106872]  do_syscall_64+0xf9/0x620
[ 53.110660]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 53.115829] RIP: 0033:0x446b09
[ 53.119002] Code: e8 0c e8 ff ff 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 db 06 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 53.137882] RSP: 002b:00007ff3020aed98 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 53.145577] RAX: ffffffffffffffda RBX: 00000000006dbc28 RCX: 0000000000446b09
[ 53.152836] RDX: 0000000000000000 RSI: 0000000020000280 RDI: 0000000000000003
[ 53.160084] RBP: 00000000006dbc20 R08: 0000000000000000 R09: 0000000000000000
[ 53.167348] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dbc2c
[ 53.174601] R13: 000000200a000000 R14: 0000000000006c1e R15: 0000001000000014
[ 53.181871]
[ 53.183480] Allocated by task 6490:
[ 53.187098]  kmem_cache_alloc_trace+0x12f/0x380
[ 53.191758]  nf_tables_newtable+0xad9/0x1620
[ 53.196157]  nfnetlink_rcv_batch+0x10d5/0x1df0
[ 53.200728]  nfnetlink_rcv+0x3b5/0x41b
[ 53.204595]  netlink_unicast+0x4d5/0x690
[ 53.208636]  netlink_sendmsg+0x6bb/0xc40
[ 53.212675]  sock_sendmsg+0xc3/0x120
[ 53.216388]  ___sys_sendmsg+0x7bb/0x8e0
[ 53.220350]  __x64_sys_sendmsg+0x132/0x220
[ 53.224566]  do_syscall_64+0xf9/0x620
[ 53.228346]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 53.233524]
[ 53.235128] Freed by task 6505:
[ 53.238432]  kfree+0xcc/0x210
[ 53.241534]  nf_tables_table_destroy+0xee/0x130
[ 53.246181]  nf_tables_commit+0x2aba/0x57e6
[ 53.250481]  nfnetlink_rcv_batch+0xe22/0x1df0
[ 53.254953]  nfnetlink_rcv+0x3b5/0x41b
[ 53.258818]  netlink_unicast+0x4d5/0x690
[ 53.262858]  netlink_sendmsg+0x6bb/0xc40
[ 53.266897]  sock_sendmsg+0xc3/0x120
[ 53.270593]  ___sys_sendmsg+0x7bb/0x8e0
[ 53.274547]  __x64_sys_sendmsg+0x132/0x220
[ 53.278759]  do_syscall_64+0xf9/0x620
[ 53.282539]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 53.287711]
[ 53.289329] The buggy address belongs to the object at ffff8880a905acc0
[ 53.289329]  which belongs to the cache kmalloc-512 of size 512
[ 53.301989] The buggy address is located 8 bytes inside of
[ 53.301989]  512-byte region [ffff8880a905acc0, ffff8880a905aec0)
[ 53.313688] The buggy address belongs to the page:
[ 53.318606] page:ffffea0002a41680 count:1 mapcount:0 mapping:ffff88812c39c940 index:0xffff8880a905aa40
[ 53.328047] flags: 0xfffe0000000100(slab)
[ 53.332206] raw: 00fffe0000000100 ffffea00027b15c8 ffffea0002209288 ffff88812c39c940
[ 53.340093] raw: ffff8880a905aa40 ffff8880a905a040 0000000100000005 0000000000000000
[ 53.347963] page dumped because: kasan: bad access detected
[ 53.353664]
[ 53.355282] Memory state around the buggy address:
[ 53.360188]  ffff8880a905ab80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 53.367525]  ffff8880a905ac00: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 53.374870] >ffff8880a905ac80: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 53.382228]                                               ^
[ 53.387917]  ffff8880a905ad00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 53.395269]  ffff8880a905ad80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 53.402602] ==================================================================
[ 53.409938] Disabling lock debugging due to kernel taint
[ 53.420163] Kernel panic - not syncing: panic_on_warn set ...
[ 53.420163]
[ 53.427561] CPU: 1 PID: 6490 Comm: syz-executor452 Tainted: G B 4.19.139-syzkaller #0
[ 53.436819] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 53.446164] Call Trace:
[ 53.448754]  dump_stack+0x1fc/0x2fe
[ 53.452420]  panic+0x26a/0x50e
[ 53.455609]  ? __warn_printk+0xf3/0xf3
[ 53.459535]  ? preempt_schedule_common+0x45/0xc0
[ 53.464271]  ? ___preempt_schedule+0x16/0x18
[ 53.468658]  ? trace_hardirqs_on+0x55/0x210
[ 53.472957]  kasan_end_report+0x43/0x49
[ 53.476910]  kasan_report_error.cold+0xa7/0x1c7
[ 53.481555]  ? __list_del_entry_valid+0xcc/0xef
[ 53.486231]  __asan_report_load8_noabort+0x88/0x90
[ 53.491142]  ? __list_del_entry_valid+0xcc/0xef
[ 53.495791]  __list_del_entry_valid+0xcc/0xef
[ 53.500264]  __nf_tables_abort+0x1fde/0x2ca0
[ 53.504652]  ? rcu_read_lock_sched_held+0x16c/0x1d0
[ 53.509644]  nf_tables_abort+0x13/0x30
[ 53.513507]  nfnetlink_rcv_batch+0xb66/0x1df0
[ 53.517985]  ? nfnetlink_bind+0x2b0/0x2b0
[ 53.522115]  ? __netlink_lookup+0x383/0x730
[ 53.526441]  ? lock_downgrade+0x720/0x720
[ 53.530588]  ? cap_capable+0x1eb/0x250
[ 53.534474]  ? security_capable+0x8f/0xc0
[ 53.538599]  ? memset+0x20/0x40
[ 53.541854]  ? nla_parse+0x1b2/0x290
[ 53.545546]  nfnetlink_rcv+0x3b5/0x41b
[ 53.549428]  ? nfnetlink_rcv_batch+0x1df0/0x1df0
[ 53.554161]  netlink_unicast+0x4d5/0x690
[ 53.558203]  ? netlink_sendskb+0x110/0x110
[ 53.562459]  netlink_sendmsg+0x6bb/0xc40
[ 53.566528]  ? nlmsg_notify+0x1a0/0x1a0
[ 53.570492]  ? kernel_recvmsg+0x220/0x220
[ 53.574616]  ? nlmsg_notify+0x1a0/0x1a0
[ 53.578705]  sock_sendmsg+0xc3/0x120
[ 53.582395]  ___sys_sendmsg+0x7bb/0x8e0
[ 53.586344]  ? copy_msghdr_from_user+0x440/0x440
[ 53.591084]  ? do_huge_pmd_anonymous_page+0x939/0x1cc0
[ 53.596354]  ? __fget+0x32f/0x510
[ 53.599787]  ? lock_downgrade+0x720/0x720
[ 53.603908]  ? check_preemption_disabled+0x41/0x280
[ 53.608913]  ? check_preemption_disabled+0x41/0x280
[ 53.613903]  ? __fget+0x356/0x510
[ 53.617334]  ? do_dup2+0x450/0x450
[ 53.620850]  ? __fdget+0x1d0/0x230
[ 53.624379]  __x64_sys_sendmsg+0x132/0x220
[ 53.628589]  ? __sys_sendmsg+0x1b0/0x1b0
[ 53.632626]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 53.637389]  ? trace_hardirqs_off_caller+0x69/0x210
[ 53.642383]  ? do_syscall_64+0x21/0x620
[ 53.646330]  do_syscall_64+0xf9/0x620
[ 53.650112]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 53.655278] RIP: 0033:0x446b09
[ 53.658447] Code: e8 0c e8 ff ff 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 db 06 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 53.677337] RSP: 002b:00007ff3020aed98 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 53.685018] RAX: ffffffffffffffda RBX: 00000000006dbc28 RCX: 0000000000446b09
[ 53.692265] RDX: 0000000000000000 RSI: 0000000020000280 RDI: 0000000000000003
[ 53.699512] RBP: 00000000006dbc20 R08: 0000000000000000 R09: 0000000000000000
[ 53.706756] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dbc2c
[ 53.714014] R13: 000000200a000000 R14: 0000000000006c1e R15: 0000001000000014
[ 53.722270] Kernel Offset: disabled
[ 53.725882] Rebooting in 86400 seconds..