[ 87.641973][ T27] audit: type=1800 audit(1579880970.773:26): pid=9532 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0 [....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[ ok 8[?25h[?0c. [ 88.498832][ T27] kauditd_printk_skb: 2 callbacks suppressed [ 88.498843][ T27] audit: type=1800 audit(1579880971.653:29): pid=9532 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="rc.local" dev="sda1" ino=2432 res=0 [ 88.525447][ T27] audit: type=1800 audit(1579880971.653:30): pid=9532 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="rmnologin" dev="sda1" ino=2423 res=0 Debian GNU/Linux 7 syzkaller ttyS0 Warning: Permanently added '10.128.1.11' (ECDSA) to the list of known hosts. executing program executing program syzkaller login: [ 98.579303][ T9689] ================================================================== [ 98.587522][ T9689] BUG: KASAN: slab-out-of-bounds in bitmap_ipmac_ext_cleanup+0xd8/0x290 [ 98.595835][ T9689] Read of size 8 at addr ffff888096095e00 by task syz-executor426/9689 [ 98.604183][ T9689] [ 98.606544][ T9689] CPU: 0 PID: 9689 Comm: syz-executor426 Not tainted 5.5.0-rc7-syzkaller #0 [ 98.615214][ T9689] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 98.625258][ T9689] Call Trace: [ 98.628538][ T9689] dump_stack+0x197/0x210 [ 98.632870][ T9689] ? bitmap_ipmac_ext_cleanup+0xd8/0x290 [ 98.639006][ T9689] print_address_description.constprop.0.cold+0xd4/0x30b [ 98.646079][ T9689] ? bitmap_ipmac_ext_cleanup+0xd8/0x290 [ 98.651769][ T9689] ? bitmap_ipmac_ext_cleanup+0xd8/0x290 [ 98.657397][ T9689] __kasan_report.cold+0x1b/0x41 [ 98.662466][ T9689] ? bitmap_ipmac_ext_cleanup+0xd8/0x290 [ 98.668149][ T9689] kasan_report+0x12/0x20 [ 98.672482][ T9689] check_memory_region+0x134/0x1a0 [ 98.677641][ T9689] __kasan_check_read+0x11/0x20 [ 98.682479][ T9689] bitmap_ipmac_ext_cleanup+0xd8/0x290 [ 98.687923][ T9689] bitmap_ipmac_destroy+0x180/0x1d0 [ 98.693109][ T9689] ip_set_create+0xe47/0x1500 [ 98.697770][ T9689] ? ip_set_destroy+0xb70/0xb70 [ 98.702620][ T9689] ? ip_set_destroy+0xb70/0xb70 [ 98.707463][ T9689] nfnetlink_rcv_msg+0xcf2/0xfb0 [ 98.712440][ T9689] ? nfnetlink_bind+0x2c0/0x2c0 [ 98.717276][ T9689] ? __kasan_check_read+0x11/0x20 [ 98.722348][ T9689] ? __lock_acquire+0x8a0/0x4a00 [ 98.727290][ T9689] ? save_stack+0x5c/0x90 [ 98.731627][ T9689] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 98.737866][ T9689] ? apparmor_capable+0x497/0x900 [ 98.742973][ T9689] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 98.749223][ T9689] ? __kasan_check_read+0x11/0x20 [ 98.754352][ T9689] ? apparmor_cred_prepare+0x7b0/0x7b0 [ 98.759821][ T9689] netlink_rcv_skb+0x177/0x450 [ 98.764577][ T9689] ? nfnetlink_bind+0x2c0/0x2c0 [ 98.769434][ T9689] ? netlink_ack+0xb50/0xb50 [ 98.774053][ T9689] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 98.780379][ T9689] ? ns_capable_common+0x93/0x100 [ 98.785536][ T9689] ? ns_capable+0x20/0x30 [ 98.789871][ T9689] ? __netlink_ns_capable+0x104/0x140 [ 98.795314][ T9689] nfnetlink_rcv+0x1ba/0x460 [ 98.800083][ T9689] ? nfnetlink_rcv_batch+0x17a0/0x17a0 [ 98.805647][ T9689] ? netlink_deliver_tap+0x24a/0xbe0 [ 98.810947][ T9689] ? __kasan_check_write+0x14/0x20 [ 98.816051][ T9689] netlink_unicast+0x58c/0x7d0 [ 98.820916][ T9689] ? netlink_attachskb+0x870/0x870 [ 98.826021][ T9689] ? __sanitizer_cov_trace_cmp8+0x18/0x20 [ 98.831730][ T9689] ? __check_object_size+0x3d/0x437 [ 98.836935][ T9689] netlink_sendmsg+0x91c/0xea0 [ 98.841853][ T9689] ? netlink_unicast+0x7d0/0x7d0 [ 98.846798][ T9689] ? aa_sock_msg_perm.isra.0+0xba/0x170 [ 98.852409][ T9689] ? apparmor_socket_sendmsg+0x2a/0x30 [ 98.857975][ T9689] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 98.864213][ T9689] ? security_socket_sendmsg+0x8d/0xc0 [ 98.869662][ T9689] ? netlink_unicast+0x7d0/0x7d0 [ 98.874602][ T9689] sock_sendmsg+0xd7/0x130 [ 98.879012][ T9689] ____sys_sendmsg+0x753/0x880 [ 98.883773][ T9689] ? kernel_sendmsg+0x50/0x50 [ 98.888474][ T9689] ? mark_held_locks+0xa4/0xf0 [ 98.893493][ T9689] ? do_huge_pmd_anonymous_page+0x1463/0x1a50 [ 98.899663][ T9689] ? __handle_mm_fault+0x3145/0x3cc0 [ 98.904953][ T9689] ? do_huge_pmd_anonymous_page+0x1463/0x1a50 [ 98.911106][ T9689] ___sys_sendmsg+0x100/0x170 [ 98.915828][ T9689] ? do_huge_pmd_anonymous_page+0xceb/0x1a50 [ 98.921806][ T9689] ? sendmsg_copy_msghdr+0x70/0x70 [ 98.927004][ T9689] ? __do_page_fault+0x56a/0xd80 [ 98.931943][ T9689] ? find_held_lock+0x35/0x130 [ 98.936724][ T9689] ? __do_page_fault+0x56a/0xd80 [ 98.941674][ T9689] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 98.947927][ T9689] ? __fget_light+0x1a9/0x230 [ 98.952601][ T9689] ? __fdget+0x1b/0x20 [ 98.956653][ T9689] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 98.962889][ T9689] __sys_sendmsg+0x105/0x1d0 [ 98.967520][ T9689] ? __sys_sendmsg_sock+0xc0/0xc0 [ 98.972583][ T9689] ? down_read_non_owner+0x490/0x490 [ 98.977865][ T9689] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 98.983400][ T9689] ? do_syscall_64+0x26/0x790 [ 98.988064][ T9689] ? entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 98.994212][ T9689] ? do_syscall_64+0x26/0x790 [ 98.998972][ T9689] __x64_sys_sendmsg+0x78/0xb0 [ 99.003743][ T9689] do_syscall_64+0xfa/0x790 [ 99.008253][ T9689] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 99.014131][ T9689] RIP: 0033:0x4413f9 [ 99.018010][ T9689] Code: e8 fc ab 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 9b 09 fc ff c3 66 2e 0f 1f 84 00 00 00 00 [ 99.037635][ T9689] RSP: 002b:00007ffd6f5c81a8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e [ 99.046040][ T9689] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00000000004413f9 [ 99.054106][ T9689] RDX: 0000000000000000 RSI: 0000000020000300 RDI: 0000000000000003 [ 99.062074][ T9689] RBP: 00000000000180e7 R08: 00000000004002c8 R09: 00000000004002c8 [ 99.070072][ T9689] R10: 0000000000000004 R11: 0000000000000246 R12: 0000000000402220 [ 99.078084][ T9689] R13: 00000000004022b0 R14: 0000000000000000 R15: 0000000000000000 [ 99.087283][ T9689] [ 99.089595][ T9689] Allocated by task 9689: [ 99.093965][ T9689] save_stack+0x23/0x90 [ 99.098111][ T9689] __kasan_kmalloc.constprop.0+0xcf/0xe0 [ 99.103738][ T9689] kasan_kmalloc+0x9/0x10 [ 99.108063][ T9689] __kmalloc+0x163/0x770 [ 99.112298][ T9689] ip_set_alloc+0x38/0x5e [ 99.116617][ T9689] bitmap_ipmac_create+0x4e8/0xa00 [ 99.121718][ T9689] ip_set_create+0x6f1/0x1500 [ 99.126445][ T9689] nfnetlink_rcv_msg+0xcf2/0xfb0 [ 99.131525][ T9689] netlink_rcv_skb+0x177/0x450 [ 99.136277][ T9689] nfnetlink_rcv+0x1ba/0x460 [ 99.140857][ T9689] netlink_unicast+0x58c/0x7d0 [ 99.145627][ T9689] netlink_sendmsg+0x91c/0xea0 [ 99.150386][ T9689] sock_sendmsg+0xd7/0x130 [ 99.154791][ T9689] ____sys_sendmsg+0x753/0x880 [ 99.159543][ T9689] ___sys_sendmsg+0x100/0x170 [ 99.164258][ T9689] __sys_sendmsg+0x105/0x1d0 [ 99.168838][ T9689] __x64_sys_sendmsg+0x78/0xb0 [ 99.173610][ T9689] do_syscall_64+0xfa/0x790 [ 99.178737][ T9689] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 99.184749][ T9689] [ 99.187075][ T9689] Freed by task 0: [ 99.190777][ T9689] (stack is not available) [ 99.195175][ T9689] [ 99.197567][ T9689] The buggy address belongs to the object at ffff888096094000 [ 99.197567][ T9689] which belongs to the cache kmalloc-8k of size 8192 [ 99.211756][ T9689] The buggy address is located 7680 bytes inside of [ 99.211756][ T9689] 8192-byte region [ffff888096094000, ffff888096096000) [ 99.225207][ T9689] The buggy address belongs to the page: [ 99.230838][ T9689] page:ffffea0002582500 refcount:1 mapcount:0 mapping:ffff8880aa4021c0 index:0x0 compound_mapcount: 0 [ 99.241761][ T9689] raw: 00fffe0000010200 ffffea0002761e08 ffff8880aa401b48 ffff8880aa4021c0 [ 99.250387][ T9689] raw: 0000000000000000 ffff888096094000 0000000100000001 0000000000000000 [ 99.259309][ T9689] page dumped because: kasan: bad access detected [ 99.265706][ T9689] [ 99.268016][ T9689] Memory state around the buggy address: [ 99.273686][ T9689] ffff888096095d00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 99.281753][ T9689] ffff888096095d80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 99.290107][ T9689] >ffff888096095e00: 04 fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 99.298203][ T9689] ^ [ 99.302298][ T9689] ffff888096095e80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 99.310348][ T9689] ffff888096095f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 99.318431][ T9689] ================================================================== [ 99.326541][ T9689] Disabling lock debugging due to kernel taint [ 99.334833][ T9689] Kernel panic - not syncing: panic_on_warn set ... [ 99.341567][ T9689] CPU: 0 PID: 9689 Comm: syz-executor426 Tainted: G B 5.5.0-rc7-syzkaller #0 [ 99.351715][ T9689] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 99.361759][ T9689] Call Trace: [ 99.365047][ T9689] dump_stack+0x197/0x210 [ 99.369361][ T9689] panic+0x2e3/0x75c [ 99.373236][ T9689] ? add_taint.cold+0x16/0x16 [ 99.377911][ T9689] ? bitmap_ipmac_ext_cleanup+0xd8/0x290 [ 99.383539][ T9689] ? preempt_schedule+0x4b/0x60 [ 99.388383][ T9689] ? ___preempt_schedule+0x16/0x18 [ 99.393482][ T9689] ? trace_hardirqs_on+0x5e/0x240 [ 99.398637][ T9689] ? bitmap_ipmac_ext_cleanup+0xd8/0x290 [ 99.404262][ T9689] end_report+0x47/0x4f [ 99.408409][ T9689] ? bitmap_ipmac_ext_cleanup+0xd8/0x290 [ 99.414079][ T9689] __kasan_report.cold+0xe/0x41 [ 99.418936][ T9689] ? bitmap_ipmac_ext_cleanup+0xd8/0x290 [ 99.424559][ T9689] kasan_report+0x12/0x20 [ 99.428886][ T9689] check_memory_region+0x134/0x1a0 [ 99.433983][ T9689] __kasan_check_read+0x11/0x20 [ 99.438951][ T9689] bitmap_ipmac_ext_cleanup+0xd8/0x290 [ 99.444546][ T9689] bitmap_ipmac_destroy+0x180/0x1d0 [ 99.449733][ T9689] ip_set_create+0xe47/0x1500 [ 99.454392][ T9689] ? ip_set_destroy+0xb70/0xb70 [ 99.459252][ T9689] ? ip_set_destroy+0xb70/0xb70 [ 99.464112][ T9689] nfnetlink_rcv_msg+0xcf2/0xfb0 [ 99.469054][ T9689] ? nfnetlink_bind+0x2c0/0x2c0 [ 99.473974][ T9689] ? __kasan_check_read+0x11/0x20 [ 99.478986][ T9689] ? __lock_acquire+0x8a0/0x4a00 [ 99.483917][ T9689] ? save_stack+0x5c/0x90 [ 99.488238][ T9689] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 99.494534][ T9689] ? apparmor_capable+0x497/0x900 [ 99.499847][ T9689] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 99.506085][ T9689] ? __kasan_check_read+0x11/0x20 [ 99.511105][ T9689] ? apparmor_cred_prepare+0x7b0/0x7b0 [ 99.516650][ T9689] netlink_rcv_skb+0x177/0x450 [ 99.522106][ T9689] ? nfnetlink_bind+0x2c0/0x2c0 [ 99.527747][ T9689] ? netlink_ack+0xb50/0xb50 [ 99.532329][ T9689] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 99.538565][ T9689] ? ns_capable_common+0x93/0x100 [ 99.543652][ T9689] ? ns_capable+0x20/0x30 [ 99.547978][ T9689] ? __netlink_ns_capable+0x104/0x140 [ 99.553373][ T9689] nfnetlink_rcv+0x1ba/0x460 [ 99.558019][ T9689] ? nfnetlink_rcv_batch+0x17a0/0x17a0 [ 99.563492][ T9689] ? netlink_deliver_tap+0x24a/0xbe0 [ 99.568822][ T9689] ? __kasan_check_write+0x14/0x20 [ 99.573952][ T9689] netlink_unicast+0x58c/0x7d0 [ 99.578846][ T9689] ? netlink_attachskb+0x870/0x870 [ 99.584004][ T9689] ? __sanitizer_cov_trace_cmp8+0x18/0x20 [ 99.589712][ T9689] ? __check_object_size+0x3d/0x437 [ 99.594899][ T9689] netlink_sendmsg+0x91c/0xea0 [ 99.599646][ T9689] ? netlink_unicast+0x7d0/0x7d0 [ 99.604577][ T9689] ? aa_sock_msg_perm.isra.0+0xba/0x170 [ 99.610106][ T9689] ? apparmor_socket_sendmsg+0x2a/0x30 [ 99.615556][ T9689] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 99.621792][ T9689] ? security_socket_sendmsg+0x8d/0xc0 [ 99.627242][ T9689] ? netlink_unicast+0x7d0/0x7d0 [ 99.632205][ T9689] sock_sendmsg+0xd7/0x130 [ 99.636632][ T9689] ____sys_sendmsg+0x753/0x880 [ 99.641387][ T9689] ? kernel_sendmsg+0x50/0x50 [ 99.646111][ T9689] ? mark_held_locks+0xa4/0xf0 [ 99.650912][ T9689] ? do_huge_pmd_anonymous_page+0x1463/0x1a50 [ 99.656969][ T9689] ? __handle_mm_fault+0x3145/0x3cc0 [ 99.662248][ T9689] ? do_huge_pmd_anonymous_page+0x1463/0x1a50 [ 99.668345][ T9689] ___sys_sendmsg+0x100/0x170 [ 99.673102][ T9689] ? do_huge_pmd_anonymous_page+0xceb/0x1a50 [ 99.679069][ T9689] ? sendmsg_copy_msghdr+0x70/0x70 [ 99.684196][ T9689] ? __do_page_fault+0x56a/0xd80 [ 99.689156][ T9689] ? find_held_lock+0x35/0x130 [ 99.693925][ T9689] ? __do_page_fault+0x56a/0xd80 [ 99.698956][ T9689] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 99.705462][ T9689] ? __fget_light+0x1a9/0x230 [ 99.710183][ T9689] ? __fdget+0x1b/0x20 [ 99.714244][ T9689] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 99.720487][ T9689] __sys_sendmsg+0x105/0x1d0 [ 99.725068][ T9689] ? __sys_sendmsg_sock+0xc0/0xc0 [ 99.730098][ T9689] ? down_read_non_owner+0x490/0x490 [ 99.735495][ T9689] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 99.740982][ T9689] ? do_syscall_64+0x26/0x790 [ 99.745650][ T9689] ? entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 99.751708][ T9689] ? do_syscall_64+0x26/0x790 [ 99.756384][ T9689] __x64_sys_sendmsg+0x78/0xb0 [ 99.761252][ T9689] do_syscall_64+0xfa/0x790 [ 99.765743][ T9689] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 99.771671][ T9689] RIP: 0033:0x4413f9 [ 99.775657][ T9689] Code: e8 fc ab 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 9b 09 fc ff c3 66 2e 0f 1f 84 00 00 00 00 [ 99.795250][ T9689] RSP: 002b:00007ffd6f5c81a8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e [ 99.803753][ T9689] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00000000004413f9 [ 99.811714][ T9689] RDX: 0000000000000000 RSI: 0000000020000300 RDI: 0000000000000003 [ 99.819681][ T9689] RBP: 00000000000180e7 R08: 00000000004002c8 R09: 00000000004002c8 [ 99.827676][ T9689] R10: 0000000000000004 R11: 0000000000000246 R12: 0000000000402220 [ 99.835635][ T9689] R13: 00000000004022b0 R14: 0000000000000000 R15: 0000000000000000 [ 99.845869][ T9689] Kernel Offset: disabled [ 99.850201][ T9689] Rebooting in 86400 seconds..