[ 33.434389] audit: type=1800 audit(1580164516.071:33): pid=7170 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op="collect_data" cause="failed(directio)" comm="startpar" name="rc.local" dev="sda1" ino=2465 res=0
[ 33.462189] audit: type=1800 audit(1580164516.071:34): pid=7170 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op="collect_data" cause="failed(directio)" comm="startpar" name="rmnologin" dev="sda1" ino=2456 res=0
Debian GNU/Linux 7 syzkaller ttyS0
syzkaller login: [ 36.457927] random: sshd: uninitialized urandom read (32 bytes read)
[ 36.747525] audit: type=1400 audit(1580164519.381:35): avc: denied { map } for pid=7343 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[ 36.798228] random: sshd: uninitialized urandom read (32 bytes read)
[ 37.536543] random: sshd: uninitialized urandom read (32 bytes read)
[ 37.729807] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.183' (ECDSA) to the list of known hosts.
[ 43.317911] random: sshd: uninitialized urandom read (32 bytes read)
[ 43.437885] audit: type=1400 audit(1580164526.071:36): avc: denied { map } for pid=7355 comm="syz-executor935" path="/root/syz-executor935341964" dev="sda1" ino=16483 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 43.670920] IPVS: ftp: loaded support on port[0] = 21
executing program
[ 44.495486] ==================================================================
[ 44.503989] BUG: KASAN: slab-out-of-bounds in __nla_put_nohdr+0x46/0x50
[ 44.512322] Read of size 8 at addr ffff88809fb72f80 by task syz-executor935/7356
[ 44.522164]
[ 44.523796] CPU: 0 PID: 7356 Comm: syz-executor935 Not tainted 4.14.168-syzkaller #0
[ 44.532796] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 44.544126] Call Trace:
[ 44.547021] dump_stack+0x142/0x197
[ 44.551692] ? __nla_put_nohdr+0x46/0x50
[ 44.556745] print_address_description.cold+0x7c/0x1dc
[ 44.562474] ? __nla_put_nohdr+0x46/0x50
[ 44.566724] kasan_report.cold+0xa9/0x2af
[ 44.571260] check_memory_region+0x123/0x190
[ 44.575883] memcpy+0x24/0x50
[ 44.579156] __nla_put_nohdr+0x46/0x50
[ 44.584067] nla_put_nohdr+0xe8/0x120
[ 44.588418] tcf_em_tree_dump+0x5d1/0x890
[ 44.593116] ? tcf_em_lookup+0x130/0x130
[ 44.598584] ? tcf_proto_lookup_ops+0xf0/0xf0
[ 44.604050] ? nla_put+0xf8/0x130
[ 44.608802] basic_dump+0x1bd/0x410
[ 44.612441] ? basic_classify+0x280/0x280
[ 44.617901] ? nla_put+0xf8/0x130
[ 44.621561] ? basic_classify+0x280/0x280
[ 44.627322] tcf_fill_node+0x536/0x860
[ 44.631492] ? tcf_exts_change+0x130/0x130
[ 44.636056] ? __lock_is_held+0xb6/0x140
[ 44.640864] tfilter_notify+0x11d/0x240
[ 44.647089] tc_ctl_tfilter+0x1048/0x1aba
[ 44.651372] ? tfilter_notify+0x240/0x240
[ 44.655606] ? mutex_trylock+0x1c0/0x1c0
[ 44.659783] ? save_trace+0x290/0x290
[ 44.664134] ? tfilter_notify+0x240/0x240
[ 44.669408] rtnetlink_rcv_msg+0x3da/0xb70
[ 44.674470] ? rtnl_bridge_getlink+0x7a0/0x7a0
[ 44.679534] ? netlink_deliver_tap+0x93/0x8f0
[ 44.686633] netlink_rcv_skb+0x14f/0x3c0
[ 44.692052] ? rtnl_bridge_getlink+0x7a0/0x7a0
[ 44.698196] ? lock_downgrade+0x740/0x740
[ 44.704216] ? netlink_ack+0x9a0/0x9a0
[ 44.708270] ? netlink_deliver_tap+0xba/0x8f0
[ 44.713784] rtnetlink_rcv+0x1d/0x30
[ 44.717542] netlink_unicast+0x44d/0x650
[ 44.723049] ? netlink_attachskb+0x6a0/0x6a0
[ 44.729922] ? security_netlink_send+0x81/0xb0
[ 44.735235] netlink_sendmsg+0x7c4/0xc60
[ 44.739866] ? netlink_unicast+0x650/0x650
[ 44.745109] ? security_socket_sendmsg+0x89/0xb0
[ 44.750369] ? netlink_unicast+0x650/0x650
[ 44.761849] sock_sendmsg+0xce/0x110
[ 44.765576] ___sys_sendmsg+0x70a/0x840
[ 44.771342] ? copy_msghdr_from_user+0x3f0/0x3f0
[ 44.777099] ? __might_fault+0x110/0x1d0
[ 44.782147] ? find_held_lock+0x35/0x130
[ 44.786264] ? __might_fault+0x110/0x1d0
[ 44.790723] ? lock_downgrade+0x740/0x740
[ 44.795030] ? kasan_check_read+0x11/0x20
[ 44.800358] ? _copy_to_user+0x87/0xd0
[ 44.805308] ? move_addr_to_user+0x94/0x1a0
[ 44.810306] ? __fget_light+0x172/0x1f0
[ 44.814560] ? __fdget+0x1b/0x20
[ 44.818076] ? sockfd_lookup_light+0xb4/0x160
[ 44.823508] __sys_sendmsg+0xb9/0x140
[ 44.828573] ? SyS_shutdown+0x170/0x170
[ 44.832684] SyS_sendmsg+0x2d/0x50
[ 44.836822] ? __sys_sendmsg+0x140/0x140
[ 44.842364] do_syscall_64+0x1e8/0x640
[ 44.846864] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 44.853810] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 44.859412] RIP: 0033:0x4410b9
[ 44.863131] RSP: 002b:00007ffff343aaf8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 44.872997] RAX: ffffffffffffffda RBX: 00000000004a28b0 RCX: 00000000004410b9
[ 44.881928] RDX: 0000000000000000 RSI: 00000000200001c0 RDI: 0000000000000003
[ 44.891481] RBP: 00000000006cc018 R08: 0000000120080522 R09: 0000000120080522
[ 44.901453] R10: 0000000120080522 R11: 0000000000000246 R12: 00000000004025c0
[ 44.910332] R13: 0000000000402650 R14: 0000000000000000 R15: 0000000000000000
[ 44.917739]
[ 44.920159] Allocated by task 7356:
[ 44.924542] save_stack_trace+0x16/0x20
[ 44.928748] save_stack+0x45/0xd0
[ 44.932878] kasan_kmalloc+0xce/0xf0
[ 44.937391] __kmalloc_track_caller+0x159/0x790
[ 44.942429] kmemdup+0x27/0x60
[ 44.946338] em_nbyte_change+0xb9/0x130
[ 44.950484] tcf_em_tree_validate+0x922/0xe7e
[ 44.955194] basic_change+0x451/0xfb0
[ 44.959154] tc_ctl_tfilter+0xff1/0x1aba
[ 44.963623] rtnetlink_rcv_msg+0x3da/0xb70
[ 44.967995] netlink_rcv_skb+0x14f/0x3c0
[ 44.972189] rtnetlink_rcv+0x1d/0x30
[ 44.976007] netlink_unicast+0x44d/0x650
[ 44.980278] netlink_sendmsg+0x7c4/0xc60
[ 44.984697] sock_sendmsg+0xce/0x110
[ 44.988698] ___sys_sendmsg+0x70a/0x840
[ 44.992836] __sys_sendmsg+0xb9/0x140
[ 44.997020] SyS_sendmsg+0x2d/0x50
[ 45.000653] do_syscall_64+0x1e8/0x640
[ 45.005293] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 45.010941]
[ 45.012613] Freed by task 5619:
[ 45.016074] save_stack_trace+0x16/0x20
[ 45.020208] save_stack+0x45/0xd0
[ 45.023969] kasan_slab_free+0x75/0xc0
[ 45.028153] kfree+0xcc/0x270
[ 45.031315] xattr_getsecurity+0x104/0x110
[ 45.036326] vfs_getxattr+0xc6/0x110
[ 45.040211] getxattr+0xef/0x2a0
[ 45.043959] path_getxattr+0xa3/0x100
[ 45.048798] SyS_lgetxattr+0x31/0x40
[ 45.052872] do_syscall_64+0x1e8/0x640
[ 45.057363] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 45.063211]
[ 45.065133] The buggy address belongs to the object at ffff88809fb72f80
[ 45.065133] which belongs to the cache kmalloc-32 of size 32
[ 45.078601] The buggy address is located 0 bytes inside of
[ 45.078601] 32-byte region [ffff88809fb72f80, ffff88809fb72fa0)
[ 45.091513] The buggy address belongs to the page:
[ 45.096833] page:ffffea00027edc80 count:1 mapcount:0 mapping:ffff88809fb72000 index:0xffff88809fb72fc1
[ 45.107449] flags: 0xfffe0000000100(slab)
[ 45.112205] raw: 00fffe0000000100 ffff88809fb72000 ffff88809fb72fc1 000000010000003b
[ 45.120107] raw: ffffea00027e1aa0 ffffea00027d7120 ffff8880aa8001c0 0000000000000000
[ 45.129116] page dumped because: kasan: bad access detected
[ 45.135067]
[ 45.136952] Memory state around the buggy address:
[ 45.142801] ffff88809fb72e80: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[ 45.152035] ffff88809fb72f00: 06 fc fc fc fc fc fc fc fb fb fb fb fc fc fc fc
[ 45.160905] >ffff88809fb72f80: 04 fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 45.170827] ^
[ 45.174853] ffff88809fb73000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 45.189505] ffff88809fb73080: fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc
[ 45.201804] ==================================================================
[ 45.213317] Disabling lock debugging due to kernel taint
[ 45.221631] Kernel panic - not syncing: panic_on_warn set ...
[ 45.221631]
[ 45.234485] CPU: 1 PID: 7356 Comm: syz-executor935 Tainted: G B 4.14.168-syzkaller #0
[ 45.247812] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 45.257854] Call Trace:
[ 45.260462] dump_stack+0x142/0x197
[ 45.265682] ? __nla_put_nohdr+0x46/0x50
[ 45.269917] panic+0x1f9/0x42d
[ 45.273115] ? add_taint.cold+0x16/0x16
[ 45.277389] ? ___preempt_schedule+0x16/0x18
[ 45.282699] kasan_end_report+0x47/0x4f
[ 45.287761] kasan_report.cold+0x130/0x2af
[ 45.292105] check_memory_region+0x123/0x190
[ 45.297048] memcpy+0x24/0x50
[ 45.300489] __nla_put_nohdr+0x46/0x50
[ 45.304387] nla_put_nohdr+0xe8/0x120
[ 45.308543] tcf_em_tree_dump+0x5d1/0x890
[ 45.312851] ? tcf_em_lookup+0x130/0x130
[ 45.317413] ? tcf_proto_lookup_ops+0xf0/0xf0
[ 45.322319] ? nla_put+0xf8/0x130
[ 45.325987] basic_dump+0x1bd/0x410
[ 45.329747] ? basic_classify+0x280/0x280
[ 45.334644] ? nla_put+0xf8/0x130
[ 45.338217] ? basic_classify+0x280/0x280
[ 45.343222] tcf_fill_node+0x536/0x860
[ 45.347813] ? tcf_exts_change+0x130/0x130
[ 45.352197] ? __lock_is_held+0xb6/0x140
[ 45.356561] tfilter_notify+0x11d/0x240
[ 45.360894] tc_ctl_tfilter+0x1048/0x1aba
[ 45.365141] ? tfilter_notify+0x240/0x240
[ 45.369665] ? mutex_trylock+0x1c0/0x1c0
[ 45.374110] ? save_trace+0x290/0x290
[ 45.378381] ? tfilter_notify+0x240/0x240
[ 45.390715] rtnetlink_rcv_msg+0x3da/0xb70
[ 45.395384] ? rtnl_bridge_getlink+0x7a0/0x7a0
[ 45.400325] ? netlink_deliver_tap+0x93/0x8f0
[ 45.405994] netlink_rcv_skb+0x14f/0x3c0
[ 45.410327] ? rtnl_bridge_getlink+0x7a0/0x7a0
[ 45.415490] ? lock_downgrade+0x740/0x740
[ 45.420067] ? netlink_ack+0x9a0/0x9a0
[ 45.423971] ? netlink_deliver_tap+0xba/0x8f0
[ 45.429001] rtnetlink_rcv+0x1d/0x30
[ 45.433063] netlink_unicast+0x44d/0x650
[ 45.437340] ? netlink_attachskb+0x6a0/0x6a0
[ 45.442148] ? security_netlink_send+0x81/0xb0
[ 45.447245] netlink_sendmsg+0x7c4/0xc60
[ 45.451626] ? netlink_unicast+0x650/0x650
[ 45.456306] ? security_socket_sendmsg+0x89/0xb0
[ 45.461284] ? netlink_unicast+0x650/0x650
[ 45.466099] sock_sendmsg+0xce/0x110
[ 45.471274] ___sys_sendmsg+0x70a/0x840
[ 45.475330] ? copy_msghdr_from_user+0x3f0/0x3f0
[ 45.480487] ? __might_fault+0x110/0x1d0
[ 45.485417] ? find_held_lock+0x35/0x130
[ 45.489479] ? __might_fault+0x110/0x1d0
[ 45.493912] ? lock_downgrade+0x740/0x740
[ 45.498923] ? kasan_check_read+0x11/0x20
[ 45.503780] ? _copy_to_user+0x87/0xd0
[ 45.509032] ? move_addr_to_user+0x94/0x1a0
[ 45.513859] ? __fget_light+0x172/0x1f0
[ 45.518388] ? __fdget+0x1b/0x20
[ 45.522523] ? sockfd_lookup_light+0xb4/0x160
[ 45.528426] __sys_sendmsg+0xb9/0x140
[ 45.532885] ? SyS_shutdown+0x170/0x170
[ 45.536959] SyS_sendmsg+0x2d/0x50
[ 45.541246] ? __sys_sendmsg+0x140/0x140
[ 45.545532] do_syscall_64+0x1e8/0x640
[ 45.549461] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 45.554842] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 45.560478] RIP: 0033:0x4410b9
[ 45.564009] RSP: 002b:00007ffff343aaf8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 45.572071] RAX: ffffffffffffffda RBX: 00000000004a28b0 RCX: 00000000004410b9
[ 45.580043] RDX: 0000000000000000 RSI: 00000000200001c0 RDI: 0000000000000003
[ 45.587506] RBP: 00000000006cc018 R08: 0000000120080522 R09: 0000000120080522
[ 45.594948] R10: 0000000120080522 R11: 0000000000000246 R12: 00000000004025c0
[ 45.603608] R13: 0000000000402650 R14: 0000000000000000 R15: 0000000000000000
[ 45.613993] Kernel Offset: disabled
[ 45.617940] Rebooting in 86400 seconds..