[ OK ] Reached target Login Prompts.
[ OK ] Reached target Multi-User System.
[ OK ] Reached target Graphical Interface.
         Starting Update UTMP about System Runlevel Changes...
[ OK ] Started Update UTMP about System Runlevel Changes.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.0.76' (ECDSA) to the list of known hosts.
syzkaller login: [ 34.080109] audit: type=1400 audit(1592543444.662:8): avc: denied { execmem } for pid=6369 comm="syz-executor586" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=1
[ 34.305630] IPVS: ftp: loaded support on port[0] = 21
executing program
executing program
executing program
executing program
[ 35.047536] netlink: 8 bytes leftover after parsing attributes in process `syz-executor586'.
[ 35.056506] tunl0: Master is either lo or non-ether device
[ 35.067142] netlink: 8 bytes leftover after parsing attributes in process `syz-executor586'.
[ 35.076692] gre0: Master is either lo or non-ether device
[ 35.086728] netlink: 8 bytes leftover after parsing attributes in process `syz-executor586'.
[ 35.103324] netlink: 8 bytes leftover after parsing attributes in process `syz-executor586'.
[ 35.113389] ==================================================================
[ 35.120884] BUG: KASAN: use-after-free in radix_tree_next_chunk+0x8f8/0x950
[ 35.127972] Read of size 8 at addr ffff888097fc3608 by task syz-executor586/6396
[ 35.135494]
[ 35.137104] CPU: 0 PID: 6396 Comm: syz-executor586 Not tainted 4.14.184-syzkaller #0
[ 35.144975] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 35.154321] Call Trace:
[ 35.156937]  dump_stack+0x1b2/0x283
[ 35.160544]  ? radix_tree_next_chunk+0x8f8/0x950
[ 35.165297]  print_address_description.cold+0x54/0x1dc
[ 35.170566]  ? radix_tree_next_chunk+0x8f8/0x950
[ 35.175300]  kasan_report.cold+0xa9/0x2b9
[ 35.179458]  radix_tree_next_chunk+0x8f8/0x950
[ 35.184022]  ida_remove+0x9b/0x210
[ 35.187555]  ? ida_destroy+0x1b0/0x1b0
[ 35.191420]  ? lock_acquire+0x170/0x3f0
[ 35.195381]  ida_simple_remove+0x31/0x4c
[ 35.199458]  ipvlan_link_new+0x4f9/0xfc0
[ 35.203610]  rtnl_newlink+0xecb/0x1720
[ 35.207478]  ? ipvlan_port_destroy+0x3f0/0x3f0
[ 35.212037]  ? rtnl_link_unregister+0x1f0/0x1f0
[ 35.216681]  ? avc_has_perm_noaudit+0x157/0x2a0
[ 35.221329]  ? lock_acquire+0x170/0x3f0
[ 35.225298]  ? lock_acquire+0x170/0x3f0
[ 35.229294]  ? lock_acquire+0x170/0x3f0
[ 35.233247]  ? lock_downgrade+0x6e0/0x6e0
[ 35.237371]  ? rtnl_link_unregister+0x1f0/0x1f0
[ 35.242015]  rtnetlink_rcv_msg+0x3be/0xb10
[ 35.246229]  ? rtnl_calcit.isra.0+0x3a0/0x3a0
[ 35.250701]  ? __netlink_lookup+0x332/0x5c0
[ 35.255017]  netlink_rcv_skb+0x127/0x370
[ 35.259069]  ? rtnl_calcit.isra.0+0x3a0/0x3a0
[ 35.263540]  ? netlink_ack+0x970/0x970
[ 35.267422]  netlink_unicast+0x437/0x610
[ 35.271463]  ? netlink_sendskb+0x50/0x50
[ 35.275503]  netlink_sendmsg+0x64a/0xbb0
[ 35.279546]  ? nlmsg_notify+0x160/0x160
[ 35.283496]  ? move_addr_to_kernel.part.0+0xf0/0xf0
[ 35.288492]  ? security_socket_sendmsg+0x83/0xb0
[ 35.293241]  ? nlmsg_notify+0x160/0x160
[ 35.297192]  sock_sendmsg+0xb5/0x100
[ 35.300884]  ___sys_sendmsg+0x70a/0x840
[ 35.304847]  ? copy_msghdr_from_user+0x380/0x380
[ 35.309594]  ? trace_hardirqs_on+0x10/0x10
[ 35.313805]  ? trace_hardirqs_on+0x10/0x10
[ 35.318102]  ? fs_reclaim_acquire+0x10/0x10
[ 35.322399]  ? __might_fault+0x104/0x1b0
[ 35.326442]  ? lock_acquire+0x170/0x3f0
[ 35.330394]  ? lock_downgrade+0x6e0/0x6e0
[ 35.334521]  ? __might_fault+0x177/0x1b0
[ 35.338567]  ? _copy_to_user+0x82/0xd0
[ 35.342429]  ? __fget_light+0x16a/0x1f0
[ 35.346384]  ? sockfd_lookup_light+0xb2/0x160
[ 35.350854]  __sys_sendmsg+0xa3/0x120
[ 35.354645]  ? SyS_shutdown+0x160/0x160
[ 35.358612]  ? move_addr_to_kernel+0x60/0x60
[ 35.363015]  ? __do_page_fault+0x19a/0xb50
[ 35.367226]  SyS_sendmsg+0x27/0x40
[ 35.370741]  ? __sys_sendmsg+0x120/0x120
[ 35.374796]  do_syscall_64+0x1d5/0x640
[ 35.378680]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 35.383849] RIP: 0033:0x441479
[ 35.387033] RSP: 002b:00007ffc5fd602b8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 35.394715] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000441479
[ 35.401961] RDX: 0000000000000000 RSI: 0000000020000080 RDI: 0000000000000004
[ 35.409207] RBP: 00007ffc5fd602c0 R08: 0000000100000000 R09: 0000000100000000
[ 35.416453] R10: 0000000100000000 R11: 0000000000000246 R12: 000000000000891c
[ 35.423720] R13: 00000000004023d0 R14: 0000000000000000 R15: 0000000000000000
[ 35.430991]
[ 35.432596] Allocated by task 6396:
[ 35.436221]  kasan_kmalloc.part.0+0x4f/0xd0
[ 35.440519]  kmem_cache_alloc_trace+0x14d/0x3f0
[ 35.445202]  ipvlan_link_new+0x640/0xfc0
[ 35.449239]  rtnl_newlink+0xecb/0x1720
[ 35.453113]  rtnetlink_rcv_msg+0x3be/0xb10
[ 35.457324]  netlink_rcv_skb+0x127/0x370
[ 35.461361]  netlink_unicast+0x437/0x610
[ 35.465394]  netlink_sendmsg+0x64a/0xbb0
[ 35.469431]  sock_sendmsg+0xb5/0x100
[ 35.473141]  ___sys_sendmsg+0x70a/0x840
[ 35.477104]  __sys_sendmsg+0xa3/0x120
[ 35.480878]  SyS_sendmsg+0x27/0x40
[ 35.484393]  do_syscall_64+0x1d5/0x640
[ 35.488273]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 35.493435]
[ 35.495036] Freed by task 6396:
[ 35.498292]  kasan_slab_free+0xaf/0x190
[ 35.502240]  kfree+0xcb/0x260
[ 35.505321]  ipvlan_uninit+0xb6/0xe0
[ 35.509007]  register_netdevice+0x797/0xca0
[ 35.513307]  ipvlan_link_new+0x485/0xfc0
[ 35.517347]  rtnl_newlink+0xecb/0x1720
[ 35.521208]  rtnetlink_rcv_msg+0x3be/0xb10
[ 35.525445]  netlink_rcv_skb+0x127/0x370
[ 35.529497]  netlink_unicast+0x437/0x610
[ 35.533561]  netlink_sendmsg+0x64a/0xbb0
[ 35.537607]  sock_sendmsg+0xb5/0x100
[ 35.541382]  ___sys_sendmsg+0x70a/0x840
[ 35.545331]  __sys_sendmsg+0xa3/0x120
[ 35.549106]  SyS_sendmsg+0x27/0x40
[ 35.552653]  do_syscall_64+0x1d5/0x640
[ 35.556564]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 35.561725]
[ 35.563330] The buggy address belongs to the object at ffff888097fc2d40
[ 35.563330]  which belongs to the cache kmalloc-4096 of size 4096
[ 35.576199] The buggy address is located 2248 bytes inside of
[ 35.576199]  4096-byte region [ffff888097fc2d40, ffff888097fc3d40)
[ 35.588228] The buggy address belongs to the page:
[ 35.593133] page:ffffea00025ff080 count:1 mapcount:0 mapping:ffff888097fc2d40 index:0x0 compound_mapcount: 0
[ 35.603078] flags: 0xfffe0000008100(slab|head)
[ 35.607636] raw: 00fffe0000008100 ffff888097fc2d40 0000000000000000 0000000100000001
[ 35.615520] raw: ffffea00025fbe20 ffff8880aa801a48 ffff8880aa800dc0 0000000000000000
[ 35.623420] page dumped because: kasan: bad access detected
[ 35.629107]
[ 35.630707] Memory state around the buggy address:
[ 35.635619]  ffff888097fc3500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 35.642954]  ffff888097fc3580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 35.650291] >ffff888097fc3600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 35.657634]                       ^
[ 35.661235]  ffff888097fc3680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 35.668570]  ffff888097fc3700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 35.675901] ==================================================================
[ 35.683248] Disabling lock debugging due to kernel taint
[ 35.688671] Kernel panic - not syncing: panic_on_warn set ...
[ 35.688671]
[ 35.696025] CPU: 0 PID: 6396 Comm: syz-executor586 Tainted: G    B   4.14.184-syzkaller #0
[ 35.705094] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 35.714441] Call Trace:
[ 35.717017]  dump_stack+0x1b2/0x283
[ 35.720626]  panic+0x1f9/0x42d
[ 35.723793]  ? add_taint.cold+0x16/0x16
[ 35.727743]  ? lock_downgrade+0x6e0/0x6e0
[ 35.731918]  ? radix_tree_next_chunk+0x8f8/0x950
[ 35.736659]  kasan_end_report+0x43/0x49
[ 35.740617]  kasan_report.cold+0x12f/0x2b9
[ 35.744959]  radix_tree_next_chunk+0x8f8/0x950
[ 35.749543]  ida_remove+0x9b/0x210
[ 35.753070]  ? ida_destroy+0x1b0/0x1b0
[ 35.756939]  ? lock_acquire+0x170/0x3f0
[ 35.760900]  ida_simple_remove+0x31/0x4c
[ 35.764936]  ipvlan_link_new+0x4f9/0xfc0
[ 35.768975]  rtnl_newlink+0xecb/0x1720
[ 35.772835]  ? ipvlan_port_destroy+0x3f0/0x3f0
[ 35.777392]  ? rtnl_link_unregister+0x1f0/0x1f0
[ 35.782035]  ? avc_has_perm_noaudit+0x157/0x2a0
[ 35.786699]  ? lock_acquire+0x170/0x3f0
[ 35.790649]  ? lock_acquire+0x170/0x3f0
[ 35.794615]  ? lock_acquire+0x170/0x3f0
[ 35.798562]  ? lock_downgrade+0x6e0/0x6e0
[ 35.802727]  ? rtnl_link_unregister+0x1f0/0x1f0
[ 35.807369]  rtnetlink_rcv_msg+0x3be/0xb10
[ 35.811586]  ? rtnl_calcit.isra.0+0x3a0/0x3a0
[ 35.816056]  ? __netlink_lookup+0x332/0x5c0
[ 35.820353]  netlink_rcv_skb+0x127/0x370
[ 35.824391]  ? rtnl_calcit.isra.0+0x3a0/0x3a0
[ 35.828909]  ? netlink_ack+0x970/0x970
[ 35.832779]  netlink_unicast+0x437/0x610
[ 35.836820]  ? netlink_sendskb+0x50/0x50
[ 35.840861]  netlink_sendmsg+0x64a/0xbb0
[ 35.844901]  ? nlmsg_notify+0x160/0x160
[ 35.848868]  ? move_addr_to_kernel.part.0+0xf0/0xf0
[ 35.853873]  ? security_socket_sendmsg+0x83/0xb0
[ 35.858620]  ? nlmsg_notify+0x160/0x160
[ 35.862584]  sock_sendmsg+0xb5/0x100
[ 35.866274]  ___sys_sendmsg+0x70a/0x840
[ 35.870223]  ? copy_msghdr_from_user+0x380/0x380
[ 35.874952]  ? trace_hardirqs_on+0x10/0x10
[ 35.879169]  ? trace_hardirqs_on+0x10/0x10
[ 35.883380]  ? fs_reclaim_acquire+0x10/0x10
[ 35.887679]  ? __might_fault+0x104/0x1b0
[ 35.891731]  ? lock_acquire+0x170/0x3f0
[ 35.895693]  ? lock_downgrade+0x6e0/0x6e0
[ 35.899831]  ? __might_fault+0x177/0x1b0
[ 35.903892]  ? _copy_to_user+0x82/0xd0
[ 35.907754]  ? __fget_light+0x16a/0x1f0
[ 35.911703]  ? sockfd_lookup_light+0xb2/0x160
[ 35.916175]  __sys_sendmsg+0xa3/0x120
[ 35.919955]  ? SyS_shutdown+0x160/0x160
[ 35.923905]  ? move_addr_to_kernel+0x60/0x60
[ 35.928303]  ? __do_page_fault+0x19a/0xb50
[ 35.932514]  SyS_sendmsg+0x27/0x40
[ 35.936027]  ? __sys_sendmsg+0x120/0x120
[ 35.940083]  do_syscall_64+0x1d5/0x640
[ 35.943968]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 35.949147] RIP: 0033:0x441479
[ 35.952324] RSP: 002b:00007ffc5fd602b8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 35.960006] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000441479
[ 35.967251] RDX: 0000000000000000 RSI: 0000000020000080 RDI: 0000000000000004
[ 35.974515] RBP: 00007ffc5fd602c0 R08: 0000000100000000 R09: 0000000100000000
[ 35.981761] R10: 0000000100000000 R11: 0000000000000246 R12: 000000000000891c
[ 35.989005] R13: 00000000004023d0 R14: 0000000000000000 R15: 0000000000000000
[ 35.997487] Kernel Offset: disabled
[ 36.001106] Rebooting in 86400 seconds..