Warning: Permanently added '10.128.0.120' (ECDSA) to the list of known hosts.
syzkaller login: [ 34.493784] audit: type=1400 audit(1595495471.072:8): avc: denied { execmem } for pid=6339 comm="syz-executor617" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=1
[ 34.726365] IPVS: ftp: loaded support on port[0] = 21
executing program
executing program
executing program
[ 35.386046] netlink: 24 bytes leftover after parsing attributes in process `syz-executor617'.
[ 35.399843] tunl0: Master is either lo or non-ether device
[ 35.410407] netlink: 24 bytes leftover after parsing attributes in process `syz-executor617'.
[ 35.424645] gre0: Master is either lo or non-ether device
[ 35.433975] netlink: 24 bytes leftover after parsing attributes in process `syz-executor617'.
[ 35.448714] ==================================================================
[ 35.456182] BUG: KASAN: use-after-free in radix_tree_next_chunk+0x89f/0x8c0
[ 35.463363] Read of size 8 at addr ffff88809762f188 by task syz-executor617/6373
[ 35.470876]
[ 35.472487] CPU: 0 PID: 6373 Comm: syz-executor617 Not tainted 4.14.189-syzkaller #0
[ 35.480344] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 35.489699] Call Trace:
[ 35.492355] dump_stack+0x1b2/0x283
[ 35.495971] print_address_description.cold+0x54/0x1d3
[ 35.501235] kasan_report_error.cold+0x8a/0x194
[ 35.505884] ? radix_tree_next_chunk+0x89f/0x8c0
[ 35.510619] __asan_report_load8_noabort+0x68/0x70
[ 35.515527] ? radix_tree_next_chunk+0x89f/0x8c0
[ 35.520267] radix_tree_next_chunk+0x89f/0x8c0
[ 35.524858] ida_remove+0x9b/0x210
[ 35.528375] ? ida_destroy+0x1b0/0x1b0
[ 35.532252] ? lock_acquire+0x170/0x3f0
[ 35.536208] ida_simple_remove+0x31/0x4c
[ 35.540262] ipvlan_link_new+0x50c/0xfa0
[ 35.544319] rtnl_newlink+0xf88/0x1810
[ 35.548206] ? __lock_acquire+0x5fc/0x3f20
[ 35.552612] ? ipvlan_port_destroy+0x3f0/0x3f0
[ 35.557181] ? trace_hardirqs_on+0x10/0x10
[ 35.561394] ? rtnl_dellink+0x6a0/0x6a0
[ 35.565346] ? trace_hardirqs_on+0x10/0x10
[ 35.570787] ? lock_acquire+0x170/0x3f0
[ 35.574758] ? lock_acquire+0x170/0x3f0
[ 35.578709] ? lock_downgrade+0x740/0x740
[ 35.582838] ? rtnl_dellink+0x6a0/0x6a0
[ 35.586789] rtnetlink_rcv_msg+0x3be/0xb10
[ 35.591003] ? rtnl_calcit.isra.0+0x3a0/0x3a0
[ 35.595477] ? __netlink_lookup+0x345/0x5d0
[ 35.599779] netlink_rcv_skb+0x125/0x390
[ 35.603833] ? rtnl_calcit.isra.0+0x3a0/0x3a0
[ 35.608317] ? netlink_ack+0x9a0/0x9a0
[ 35.612185] netlink_unicast+0x437/0x610
[ 35.616237] ? netlink_sendskb+0xd0/0xd0
[ 35.620300] netlink_sendmsg+0x62e/0xb80
[ 35.624355] ? nlmsg_notify+0x170/0x170
[ 35.628316] ? kernel_recvmsg+0x210/0x210
[ 35.632445] ? security_socket_sendmsg+0x83/0xb0
[ 35.637179] ? nlmsg_notify+0x170/0x170
[ 35.641134] sock_sendmsg+0xb5/0x100
[ 35.644938] ___sys_sendmsg+0x6c8/0x800
[ 35.648902] ? copy_msghdr_from_user+0x3b0/0x3b0
[ 35.653636] ? trace_hardirqs_on+0x10/0x10
[ 35.657856] ? lock_acquire+0x170/0x3f0
[ 35.661807] ? lock_downgrade+0x740/0x740
[ 35.665940] ? __might_fault+0x104/0x1b0
[ 35.670002] ? lock_acquire+0x170/0x3f0
[ 35.673966] ? lock_downgrade+0x740/0x740
[ 35.678108] ? __might_fault+0x177/0x1b0
[ 35.682161] ? _copy_to_user+0x82/0xd0
[ 35.686031] ? move_addr_to_user+0x13f/0x180
[ 35.690418] ? __fdget+0x167/0x1f0
[ 35.693946] ? sockfd_lookup_light+0xb2/0x160
[ 35.698444] __sys_sendmsg+0xa3/0x120
[ 35.702223] ? SyS_shutdown+0x160/0x160
[ 35.706177] ? move_addr_to_kernel+0x60/0x60
[ 35.710650] ? __do_page_fault+0x19a/0xb50
[ 35.714889] SyS_sendmsg+0x27/0x40
[ 35.718426] ? __sys_sendmsg+0x120/0x120
[ 35.722467] do_syscall_64+0x1d5/0x640
[ 35.726354] entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 35.731525] RIP: 0033:0x441749
[ 35.734707] RSP: 002b:00007fff47d7c8f8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 35.742425] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000441749
[ 35.749692] RDX: 0000000000000000 RSI: 0000000020000140 RDI: 0000000000000003
[ 35.756960] RBP: 00007fff47d7c900 R08: 0000000100000000 R09: 0000000100000000
[ 35.764226] R10: 0000000100000000 R11: 0000000000000246 R12: 0000000000008a6a
[ 35.771500] R13: 0000000000402620 R14: 0000000000000000 R15: 0000000000000000
[ 35.778759]
[ 35.780380] Allocated by task 6373:
[ 35.784020] kasan_kmalloc+0xeb/0x160
[ 35.787808] kmem_cache_alloc_trace+0x131/0x3d0
[ 35.792465] ipvlan_link_new+0x64f/0xfa0
[ 35.796519] rtnl_newlink+0xf88/0x1810
[ 35.800388] rtnetlink_rcv_msg+0x3be/0xb10
[ 35.804725] netlink_rcv_skb+0x125/0x390
[ 35.809476] netlink_unicast+0x437/0x610
[ 35.813525] netlink_sendmsg+0x62e/0xb80
[ 35.817564] sock_sendmsg+0xb5/0x100
[ 35.821254] ___sys_sendmsg+0x6c8/0x800
[ 35.825218] __sys_sendmsg+0xa3/0x120
[ 35.828994] SyS_sendmsg+0x27/0x40
[ 35.832523] do_syscall_64+0x1d5/0x640
[ 35.836397] entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 35.841560]
[ 35.843164] Freed by task 6373:
[ 35.846424] kasan_slab_free+0xc3/0x1a0
[ 35.850380] kfree+0xc9/0x250
[ 35.853467] ipvlan_uninit+0xb6/0xe0
[ 35.857161] register_netdevice+0x7fd/0xe40
[ 35.861467] ipvlan_link_new+0x499/0xfa0
[ 35.865532] rtnl_newlink+0xf88/0x1810
[ 35.869407] rtnetlink_rcv_msg+0x3be/0xb10
[ 35.873629] netlink_rcv_skb+0x125/0x390
[ 35.877692] netlink_unicast+0x437/0x610
[ 35.881731] netlink_sendmsg+0x62e/0xb80
[ 35.885769] sock_sendmsg+0xb5/0x100
[ 35.889464] ___sys_sendmsg+0x6c8/0x800
[ 35.893462] __sys_sendmsg+0xa3/0x120
[ 35.897248] SyS_sendmsg+0x27/0x40
[ 35.900781] do_syscall_64+0x1d5/0x640
[ 35.904644] entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 35.909805]
[ 35.911433] The buggy address belongs to the object at ffff88809762e8c0
[ 35.911433] which belongs to the cache kmalloc-4096 of size 4096
[ 35.924242] The buggy address is located 2248 bytes inside of
[ 35.924242] 4096-byte region [ffff88809762e8c0, ffff88809762f8c0)
[ 35.936281] The buggy address belongs to the page:
[ 35.941203] page:ffffea00025d8b80 count:1 mapcount:0 mapping:ffff88809762e8c0 index:0x0 compound_mapcount: 0
[ 35.951149] flags: 0xfffe0000008100(slab|head)
[ 35.955711] raw: 00fffe0000008100 ffff88809762e8c0 0000000000000000 0000000100000001
[ 35.963574] raw: ffffea00025da1a0 ffff88812fe44a48 ffff88812fe54dc0 0000000000000000
[ 35.971454] page dumped because: kasan: bad access detected
[ 35.977138]
[ 35.978740] Memory state around the buggy address:
[ 35.983650] ffff88809762f080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 35.990990] ffff88809762f100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 35.998339] >ffff88809762f180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 36.005705] ^
[ 36.009311] ffff88809762f200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 36.016651] ffff88809762f280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 36.023988] ==================================================================
[ 36.031334] Disabling lock debugging due to kernel taint
[ 36.036761] Kernel panic - not syncing: panic_on_warn set ...
[ 36.036761]
[ 36.044100] CPU: 0 PID: 6373 Comm: syz-executor617 Tainted: G B 4.14.189-syzkaller #0
[ 36.053174] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 36.062514] Call Trace:
[ 36.065092] dump_stack+0x1b2/0x283
[ 36.068713] panic+0x1f9/0x42d
[ 36.071890] ? add_taint.cold+0x16/0x16
[ 36.075849] ? lock_downgrade+0x740/0x740
[ 36.079997] kasan_end_report+0x43/0x49
[ 36.083961] kasan_report_error.cold+0xa7/0x194
[ 36.088640] ? radix_tree_next_chunk+0x89f/0x8c0
[ 36.093390] __asan_report_load8_noabort+0x68/0x70
[ 36.098302] ? radix_tree_next_chunk+0x89f/0x8c0
[ 36.103122] radix_tree_next_chunk+0x89f/0x8c0
[ 36.107690] ida_remove+0x9b/0x210
[ 36.111208] ? ida_destroy+0x1b0/0x1b0
[ 36.115075] ? lock_acquire+0x170/0x3f0
[ 36.119040] ida_simple_remove+0x31/0x4c
[ 36.123099] ipvlan_link_new+0x50c/0xfa0
[ 36.127140] rtnl_newlink+0xf88/0x1810
[ 36.131025] ? __lock_acquire+0x5fc/0x3f20
[ 36.135240] ? ipvlan_port_destroy+0x3f0/0x3f0
[ 36.139810] ? trace_hardirqs_on+0x10/0x10
[ 36.144037] ? rtnl_dellink+0x6a0/0x6a0
[ 36.147986] ? trace_hardirqs_on+0x10/0x10
[ 36.152197] ? lock_acquire+0x170/0x3f0
[ 36.156172] ? lock_acquire+0x170/0x3f0
[ 36.160123] ? lock_downgrade+0x740/0x740
[ 36.164248] ? rtnl_dellink+0x6a0/0x6a0
[ 36.168212] rtnetlink_rcv_msg+0x3be/0xb10
[ 36.172442] ? rtnl_calcit.isra.0+0x3a0/0x3a0
[ 36.176915] ? __netlink_lookup+0x345/0x5d0
[ 36.181222] netlink_rcv_skb+0x125/0x390
[ 36.185270] ? rtnl_calcit.isra.0+0x3a0/0x3a0
[ 36.189744] ? netlink_ack+0x9a0/0x9a0
[ 36.193666] netlink_unicast+0x437/0x610
[ 36.197711] ? netlink_sendskb+0xd0/0xd0
[ 36.201923] netlink_sendmsg+0x62e/0xb80
[ 36.205974] ? nlmsg_notify+0x170/0x170
[ 36.209935] ? kernel_recvmsg+0x210/0x210
[ 36.214081] ? security_socket_sendmsg+0x83/0xb0
[ 36.218819] ? nlmsg_notify+0x170/0x170
[ 36.222771] sock_sendmsg+0xb5/0x100
[ 36.226462] ___sys_sendmsg+0x6c8/0x800
[ 36.230411] ? copy_msghdr_from_user+0x3b0/0x3b0
[ 36.235144] ? trace_hardirqs_on+0x10/0x10
[ 36.239381] ? lock_acquire+0x170/0x3f0
[ 36.243350] ? lock_downgrade+0x740/0x740
[ 36.247477] ? __might_fault+0x104/0x1b0
[ 36.251519] ? lock_acquire+0x170/0x3f0
[ 36.255470] ? lock_downgrade+0x740/0x740
[ 36.259598] ? __might_fault+0x177/0x1b0
[ 36.263637] ? _copy_to_user+0x82/0xd0
[ 36.267503] ? move_addr_to_user+0x13f/0x180
[ 36.271889] ? __fdget+0x167/0x1f0
[ 36.275412] ? sockfd_lookup_light+0xb2/0x160
[ 36.279882] __sys_sendmsg+0xa3/0x120
[ 36.283658] ? SyS_shutdown+0x160/0x160
[ 36.287633] ? move_addr_to_kernel+0x60/0x60
[ 36.292018] ? __do_page_fault+0x19a/0xb50
[ 36.296229] SyS_sendmsg+0x27/0x40
[ 36.299760] ? __sys_sendmsg+0x120/0x120
[ 36.304082] do_syscall_64+0x1d5/0x640
[ 36.307959] entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 36.313148] RIP: 0033:0x441749
[ 36.316317] RSP: 002b:00007fff47d7c8f8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 36.324006] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000441749
[ 36.331261] RDX: 0000000000000000 RSI: 0000000020000140 RDI: 0000000000000003
[ 36.338509] RBP: 00007fff47d7c900 R08: 0000000100000000 R09: 0000000100000000
[ 36.345847] R10: 0000000100000000 R11: 0000000000000246 R12: 0000000000008a6a
[ 36.353110] R13: 0000000000402620 R14: 0000000000000000 R15: 0000000000000000
[ 36.361456] Kernel Offset: disabled
[ 36.365092] Rebooting in 86400 seconds..