Debian GNU/Linux 9 syzkaller ttyS0
Warning: Permanently added '10.128.0.202' (ECDSA) to the list of known hosts.
executing program
executing program
executing program
executing program
executing program
executing program
syzkaller login: [ 28.663683] netlink: 32 bytes leftover after parsing attributes in process `syz-executor533'.
[ 28.673231] netlink: 32 bytes leftover after parsing attributes in process `syz-executor533'.
[ 28.683019] netlink: 32 bytes leftover after parsing attributes in process `syz-executor533'.
[ 28.692080] netlink: 32 bytes leftover after parsing attributes in process `syz-executor533'.
[ 28.700972] netlink: 32 bytes leftover after parsing attributes in process `syz-executor533'.
[ 28.710918] ==================================================================
[ 28.718405] BUG: KASAN: stack-out-of-bounds in tcf_action_destroy+0x138/0x170
[ 28.725675] Read of size 8 at addr ffff8880a241f7a0 by task syz-executor533/7984
[ 28.733207]
[ 28.734924] CPU: 0 PID: 7984 Comm: syz-executor533 Not tainted 4.14.202-syzkaller #0
[ 28.742975] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 28.752985] Call Trace:
[ 28.755882] dump_stack+0x1b2/0x283
[ 28.759983] print_address_description.cold+0x54/0x1d3
[ 28.765270] kasan_report_error.cold+0x8a/0x194
[ 28.769935] ? tcf_action_destroy+0x138/0x170
[ 28.774422] __asan_report_load8_noabort+0x68/0x70
[ 28.779345] ? tcf_action_destroy+0x138/0x170
[ 28.784007] tcf_action_destroy+0x138/0x170
[ 28.788348] tcf_action_init+0x294/0x400
[ 28.792435] ? tcf_action_init_1+0x9e0/0x9e0
[ 28.796840] ? memset+0x20/0x40
[ 28.800106] ? nla_parse+0x157/0x1f0
[ 28.803813] tc_ctl_action+0x2e3/0x50f
[ 28.807692] ? tca_action_gd+0x790/0x790
[ 28.811741] ? rtnetlink_rcv_msg+0x2e8/0xb10
[ 28.816165] ? tca_action_gd+0x790/0x790
[ 28.820223] rtnetlink_rcv_msg+0x3be/0xb10
[ 28.824463] ? rtnl_calcit.isra.0+0x3a0/0x3a0
[ 28.828957] ? __netlink_lookup+0x345/0x5d0
[ 28.833271] netlink_rcv_skb+0x125/0x390
[ 28.837321] ? rtnl_calcit.isra.0+0x3a0/0x3a0
[ 28.842243] ? netlink_ack+0x9a0/0x9a0
[ 28.846115] netlink_unicast+0x437/0x610
[ 28.850178] ? netlink_sendskb+0xd0/0xd0
[ 28.854238] ? __check_object_size+0x179/0x22c
[ 28.858838] netlink_sendmsg+0x62e/0xb80
[ 28.862903] ? nlmsg_notify+0x170/0x170
[ 28.866872] ? kernel_recvmsg+0x210/0x210
[ 28.871133] ? security_socket_sendmsg+0x83/0xb0
[ 28.875878] ? nlmsg_notify+0x170/0x170
[ 28.879953] sock_sendmsg+0xb5/0x100
[ 28.883725] ___sys_sendmsg+0x6c8/0x800
[ 28.887780] ? copy_msghdr_from_user+0x3b0/0x3b0
[ 28.892605] ? lock_downgrade+0x740/0x740
[ 28.896736] ? do_raw_spin_unlock+0x164/0x220
[ 28.901213] ? _raw_spin_unlock+0x29/0x40
[ 28.905356] ? do_huge_pmd_anonymous_page+0x732/0x1670
[ 28.910634] ? __fget+0x1fe/0x360
[ 28.914084] ? lock_acquire+0x170/0x3f0
[ 28.918037] ? lock_downgrade+0x740/0x740
[ 28.922190] ? __fget+0x225/0x360
[ 28.925622] ? __fdget+0x196/0x1f0
[ 28.929146] ? sockfd_lookup_light+0xb2/0x160
[ 28.933646] __sys_sendmsg+0xa3/0x120
[ 28.937459] ? SyS_shutdown+0x160/0x160
[ 28.941419] ? up_read+0x17/0x30
[ 28.944773] ? __do_page_fault+0x159/0xad0
[ 28.949044] SyS_sendmsg+0x27/0x40
[ 28.952582] ? __sys_sendmsg+0x120/0x120
[ 28.956783] do_syscall_64+0x1d5/0x640
[ 28.960840] entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 28.966369] RIP: 0033:0x446c19
[ 28.969549] RSP: 002b:00007fe1c0732d98 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 28.977243] RAX: ffffffffffffffda RBX: 00000000006dbc28 RCX: 0000000000446c19
[ 28.984597] RDX: 0000000000000000 RSI: 0000000020002980 RDI: 0000000000000003
[ 28.991865] RBP: 00000000006dbc20 R08: 0000000000000000 R09: 0000000000000000
[ 28.999128] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dbc2c
[ 29.006391] R13: 0001008400000000 R14: 0000000000000000 R15: 053b003000000098
[ 29.013899]
[ 29.015511] The buggy address belongs to the page:
[ 29.020446] page:ffffea00028907c0 count:0 mapcount:0 mapping: (null) index:0x0
[ 29.028576] flags: 0xfff00000000000()
[ 29.032451] raw: 00fff00000000000 0000000000000000 0000000000000000 00000000ffffffff
[ 29.040317] raw: 0000000000000000 ffffea00028907e0 0000000000000000 0000000000000000
[ 29.048188] page dumped because: kasan: bad access detected
[ 29.054580]
[ 29.056191] Memory state around the buggy address:
[ 29.061098] ffff8880a241f680: 00 00 00 00 00 00 00 00 00 00 00 f3 f3 f3 f3 f3
[ 29.068453] ffff8880a241f700: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
[ 29.075796] >ffff8880a241f780: f1 f1 f1 f1 f1 f1 00 00 f2 f2 00 00 00 00 00 f3
[ 29.083154]                                ^
[ 29.087549] ffff8880a241f800: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
[ 29.094893] ffff8880a241f880: f1 f1 f1 f1 f1 f1 00 00 00 00 00 00 f3 f3 f3 f3
[ 29.102461] ==================================================================
[ 29.109826] Disabling lock debugging due to kernel taint
[ 29.116297] Kernel panic - not syncing: panic_on_warn set ...
[ 29.116297]
[ 29.123666] CPU: 0 PID: 7984 Comm: syz-executor533 Tainted: G B 4.14.202-syzkaller #0
[ 29.132941] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 29.142807] Call Trace:
[ 29.145380] dump_stack+0x1b2/0x283
[ 29.148992] panic+0x1f9/0x42d
[ 29.152175] ? add_taint.cold+0x16/0x16
[ 29.156136] ? ___preempt_schedule+0x16/0x18
[ 29.160539] kasan_end_report+0x43/0x49
[ 29.164511] kasan_report_error.cold+0xa7/0x194
[ 29.169173] ? tcf_action_destroy+0x138/0x170
[ 29.173661] __asan_report_load8_noabort+0x68/0x70
[ 29.178584] ? tcf_action_destroy+0x138/0x170
[ 29.183063] tcf_action_destroy+0x138/0x170
[ 29.187380] tcf_action_init+0x294/0x400
[ 29.191497] ? tcf_action_init_1+0x9e0/0x9e0
[ 29.195909] ? memset+0x20/0x40
[ 29.199173] ? nla_parse+0x157/0x1f0
[ 29.202940] tc_ctl_action+0x2e3/0x50f
[ 29.206827] ? tca_action_gd+0x790/0x790
[ 29.210874] ? rtnetlink_rcv_msg+0x2e8/0xb10
[ 29.215289] ? tca_action_gd+0x790/0x790
[ 29.219334] rtnetlink_rcv_msg+0x3be/0xb10
[ 29.223583] ? rtnl_calcit.isra.0+0x3a0/0x3a0
[ 29.228059] ? __netlink_lookup+0x345/0x5d0
[ 29.232365] netlink_rcv_skb+0x125/0x390
[ 29.236416] ? rtnl_calcit.isra.0+0x3a0/0x3a0
[ 29.240910] ? netlink_ack+0x9a0/0x9a0
[ 29.244785] netlink_unicast+0x437/0x610
[ 29.248830] ? netlink_sendskb+0xd0/0xd0
[ 29.252871] ? __check_object_size+0x179/0x22c
[ 29.257436] netlink_sendmsg+0x62e/0xb80
[ 29.261541] ? nlmsg_notify+0x170/0x170
[ 29.265516] ? kernel_recvmsg+0x210/0x210
[ 29.269655] ? security_socket_sendmsg+0x83/0xb0
[ 29.274403] ? nlmsg_notify+0x170/0x170
[ 29.278356] sock_sendmsg+0xb5/0x100
[ 29.282062] ___sys_sendmsg+0x6c8/0x800
[ 29.286024] ? copy_msghdr_from_user+0x3b0/0x3b0
[ 29.290772] ? lock_downgrade+0x740/0x740
[ 29.294906] ? do_raw_spin_unlock+0x164/0x220
[ 29.299391] ? _raw_spin_unlock+0x29/0x40
[ 29.303598] ? do_huge_pmd_anonymous_page+0x732/0x1670
[ 29.308882] ? __fget+0x1fe/0x360
[ 29.312326] ? lock_acquire+0x170/0x3f0
[ 29.316434] ? lock_downgrade+0x740/0x740
[ 29.320686] ? __fget+0x225/0x360
[ 29.324126] ? __fdget+0x196/0x1f0
[ 29.327648] ? sockfd_lookup_light+0xb2/0x160
[ 29.332129] __sys_sendmsg+0xa3/0x120
[ 29.335928] ? SyS_shutdown+0x160/0x160
[ 29.339898] ? up_read+0x17/0x30
[ 29.343242] ? __do_page_fault+0x159/0xad0
[ 29.347453] SyS_sendmsg+0x27/0x40
[ 29.350974] ? __sys_sendmsg+0x120/0x120
[ 29.355021] do_syscall_64+0x1d5/0x640
[ 29.358917] entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 29.364098] RIP: 0033:0x446c19
[ 29.367293] RSP: 002b:00007fe1c0732d98 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 29.374979] RAX: ffffffffffffffda RBX: 00000000006dbc28 RCX: 0000000000446c19
[ 29.382337] RDX: 0000000000000000 RSI: 0000000020002980 RDI: 0000000000000003
[ 29.389689] RBP: 00000000006dbc20 R08: 0000000000000000 R09: 0000000000000000
[ 29.396959] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dbc2c
[ 29.404211] R13: 0001008400000000 R14: 0000000000000000 R15: 053b003000000098
[ 29.412072] Kernel Offset: disabled
[ 29.415701] Rebooting in 86400 seconds..