[ 44.149076] audit: type=1800 audit(1580297491.141:29): pid=7974 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op=collect_data cause=failed(directio) comm="startpar" name="cron" dev="sda1" ino=2447 res=0 [ 44.190972] audit: type=1800 audit(1580297491.141:30): pid=7974 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2490 res=0 [....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c. Starting mcstransd: [....] Starting file context maintaining daemon: restorecond[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[ ok 8[?25h[?0c. Debian GNU/Linux 7 syzkaller ttyS0 Warning: Permanently added '10.128.0.97' (ECDSA) to the list of known hosts. syzkaller login: [ 53.392064] kauditd_printk_skb: 5 callbacks suppressed [ 53.392081] audit: type=1400 audit(1580297500.381:36): avc: denied { map } for pid=8161 comm="syz-executor175" path="/root/syz-executor175804167" dev="sda1" ino=16483 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1 [ 53.398140] ================================================================== executing program [ 53.398175] BUG: KASAN: global-out-of-bounds in get_unique_tuple+0x1a23/0x1d40 [ 53.398187] Read of size 8 at addr ffffffff884fc480 by task syz-executor175/8161 [ 53.398190] [ 53.398205] CPU: 1 PID: 8161 Comm: syz-executor175 Not tainted 4.19.99-syzkaller #0 [ 53.398214] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 53.398219] Call Trace: [ 53.398237] dump_stack+0x197/0x210 [ 53.398254] ? get_unique_tuple+0x1a23/0x1d40 [ 53.398275] print_address_description.cold+0x5/0x20d [ 53.434614] audit: type=1400 audit(1580297500.381:37): avc: denied { create } for pid=8161 comm="syz-executor175" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_netfilter_socket permissive=1 [ 53.441455] ? get_unique_tuple+0x1a23/0x1d40 [ 53.450278] audit: type=1400 audit(1580297500.381:38): avc: denied { write } for pid=8161 comm="syz-executor175" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_netfilter_socket permissive=1 [ 53.457844] kasan_report.cold+0x8c/0x2ba [ 53.457866] __asan_report_load8_noabort+0x14/0x20 [ 53.457886] get_unique_tuple+0x1a23/0x1d40 [ 53.457900] ? nf_ct_invert_tuplepr+0x125/0x200 [ 53.457915] ? find_held_lock+0x35/0x130 [ 53.457929] ? nft_hash_estimate+0x1a0/0x1a0 [ 53.457946] ? hash_by_src+0x3c0/0x3c0 [ 53.457964] ? lock_downgrade+0x880/0x880 [ 53.584577] ? kasan_check_read+0x11/0x20 [ 53.588914] nf_nat_setup_info+0x212/0x9e0 [ 53.593389] ? nf_nat_proto_clean+0x200/0x200 [ 53.598214] ? save_stack+0x45/0xd0 [ 53.601970] ? kasan_kmalloc+0xce/0xf0 [ 53.606183] ? kasan_slab_alloc+0xf/0x20 [ 53.610637] ? kmem_cache_alloc+0x12e/0x700 [ 53.615142] ? __nf_conntrack_alloc+0xdb/0x680 [ 53.622701] ? nf_conntrack_alloc+0x38/0x50 [ 53.627149] ? ctnetlink_create_conntrack+0xd0/0x1300 [ 53.632336] ? ctnetlink_new_conntrack+0x527/0xe50 [ 53.637272] ? nfnetlink_rcv_msg+0xd0d/0xfcf [ 53.641766] ? netlink_rcv_skb+0x17d/0x460 [ 53.646337] ? nfnetlink_rcv+0x1c0/0x460 [ 53.650517] ? netlink_unicast+0x53a/0x730 [ 53.654802] ? netlink_sendmsg+0x8ae/0xd70 [ 53.659038] ? sock_sendmsg+0xd7/0x130 [ 53.663743] ? ___sys_sendmsg+0x803/0x920 [ 53.668072] ? __sys_sendmsg+0x105/0x1d0 [ 53.672150] ? __x64_sys_sendmsg+0x78/0xb0 [ 53.676658] ? do_syscall_64+0xfd/0x620 [ 53.680982] ? entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 53.686357] ? mark_held_locks+0x100/0x100 [ 53.691460] ? _raw_spin_unlock_irqrestore+0x6b/0xe0 [ 53.696665] ? depot_save_stack+0x1de/0x44f [ 53.701483] __nf_nat_alloc_null_binding+0x164/0x1d0 [ 53.706609] ? nf_nat_setup_info+0x9e0/0x9e0 [ 53.711338] ? nft_hash_estimate+0x1a0/0x1a0 [ 53.716115] ? nft_hash_estimate+0x1a0/0x1a0 [ 53.720828] nfnetlink_parse_nat_setup+0x3ca/0x450 [ 53.727527] ? nf_nat_inet_fn+0x8b0/0x8b0 [ 53.731935] ? rcu_read_lock_sched_held+0x110/0x130 [ 53.737477] ? __lock_is_held+0xb6/0x140 [ 53.741716] ctnetlink_parse_nat_setup+0xc5/0x660 [ 53.746581] ctnetlink_create_conntrack+0x4ea/0x1300 [ 53.751818] ? ctnetlink_dump_table+0x12e0/0x12e0 [ 53.757015] ? __nf_conntrack_confirm+0x31e0/0x31e0 [ 53.762046] ctnetlink_new_conntrack+0x527/0xe50 [ 53.767170] ? ctnetlink_create_conntrack+0x1300/0x1300 [ 53.772594] ? find_held_lock+0x35/0x130 [ 53.776676] ? __sanitizer_cov_trace_switch+0x49/0x80 [ 53.782050] ? ctnetlink_create_conntrack+0x1300/0x1300 [ 53.787812] nfnetlink_rcv_msg+0xd0d/0xfcf [ 53.792386] ? nfnetlink_bind+0x2c0/0x2c0 [ 53.796823] ? avc_has_extended_perms+0x10f0/0x10f0 [ 53.804844] ? __save_stack_trace+0x99/0x100 [ 53.809555] ? selinux_ipv4_output+0x50/0x50 [ 53.814062] ? netlink_sendmsg+0x97b/0xd70 [ 53.818602] ? mark_held_locks+0x100/0x100 [ 53.823019] netlink_rcv_skb+0x17d/0x460 [ 53.827525] ? nfnetlink_bind+0x2c0/0x2c0 [ 53.831806] ? netlink_ack+0xb30/0xb30 [ 53.835995] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 53.841730] ? ns_capable_common+0x93/0x100 [ 53.846280] ? ns_capable+0x20/0x30 [ 53.850206] ? __netlink_ns_capable+0x104/0x140 [ 53.855130] nfnetlink_rcv+0x1c0/0x460 [ 53.859145] ? nfnetlink_rcv_batch+0x1750/0x1750 [ 53.864255] ? netlink_deliver_tap+0x254/0xc20 [ 53.869052] ? kasan_check_write+0x14/0x20 [ 53.873643] netlink_unicast+0x53a/0x730 [ 53.877717] ? netlink_attachskb+0x770/0x770 [ 53.882267] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 53.887824] netlink_sendmsg+0x8ae/0xd70 [ 53.892220] ? netlink_unicast+0x730/0x730 [ 53.896557] ? selinux_socket_sendmsg+0x36/0x40 [ 53.901635] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 53.907537] ? security_socket_sendmsg+0x8d/0xc0 [ 53.912398] ? netlink_unicast+0x730/0x730 [ 53.916847] sock_sendmsg+0xd7/0x130 [ 53.920742] ___sys_sendmsg+0x803/0x920 [ 53.924744] ? copy_msghdr_from_user+0x430/0x430 [ 53.929508] ? rcu_read_lock_sched_held+0x110/0x130 [ 53.934654] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 53.940582] ? percpu_counter_add_batch+0x13c/0x190 [ 53.945622] ? __fd_install+0x1bc/0x640 [ 53.949619] ? find_held_lock+0x35/0x130 [ 53.954196] ? __fd_install+0x1bc/0x640 [ 53.958519] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 53.964308] ? __fget_light+0x1a9/0x230 [ 53.968377] ? __fdget+0x1b/0x20 [ 53.971921] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 53.977495] __sys_sendmsg+0x105/0x1d0 [ 53.981601] ? __ia32_sys_shutdown+0x80/0x80 [ 53.986211] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 53.991124] ? do_syscall_64+0x26/0x620 [ 53.995435] ? entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 54.001226] ? do_syscall_64+0x26/0x620 [ 54.005421] __x64_sys_sendmsg+0x78/0xb0 [ 54.009639] do_syscall_64+0xfd/0x620 [ 54.013541] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 54.018817] RIP: 0033:0x440229 [ 54.022151] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 fb 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00 [ 54.041622] RSP: 002b:00007ffe7ea27a68 EFLAGS: 00000246 ORIG_RAX: 000000000000002e [ 54.058219] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440229 [ 54.065920] RDX: 0000000000000000 RSI: 0000000020000640 RDI: 0000000000000003 [ 54.073371] RBP: 00000000006ca018 R08: 0000000000000000 R09: 00000000004002c8 [ 54.080851] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000401ab0 [ 54.088744] R13: 0000000000401b40 R14: 0000000000000000 R15: 0000000000000000 [ 54.097186] [ 54.098987] The buggy address belongs to the variable: [ 54.104511] nft_rt_policy+0x1a0/0x1e0 [ 54.108623] [ 54.110301] Memory state around the buggy address: [ 54.115353] ffffffff884fc380: 00 00 00 00 fa fa fa fa 00 00 00 00 fa fa fa fa [ 54.122960] ffffffff884fc400: 00 00 00 00 fa fa fa fa 00 00 00 00 fa fa fa fa [ 54.130522] >ffffffff884fc480: 07 fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00 [ 54.138502] ^ [ 54.142054] ffffffff884fc500: 00 00 00 00 00 fa fa fa fa fa fa fa 00 00 00 00 [ 54.149732] ffffffff884fc580: 00 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa [ 54.157694] ================================================================== [ 54.166995] Disabling lock debugging due to kernel taint [ 54.172781] Kernel panic - not syncing: panic_on_warn set ... [ 54.172781] [ 54.180737] CPU: 1 PID: 8161 Comm: syz-executor175 Tainted: G B 4.19.99-syzkaller #0 [ 54.190490] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 54.200528] Call Trace: [ 54.203309] dump_stack+0x197/0x210 [ 54.207376] ? get_unique_tuple+0x1a23/0x1d40 [ 54.212006] panic+0x26a/0x50e [ 54.215324] ? __warn_printk+0xf3/0xf3 [ 54.219224] ? get_unique_tuple+0x1a23/0x1d40 [ 54.223870] ? preempt_schedule+0x4b/0x60 [ 54.228018] ? ___preempt_schedule+0x16/0x18 [ 54.232759] ? trace_hardirqs_on+0x5e/0x220 [ 54.237571] ? get_unique_tuple+0x1a23/0x1d40 [ 54.242213] kasan_end_report+0x47/0x4f [ 54.246498] kasan_report.cold+0xa9/0x2ba [ 54.251114] __asan_report_load8_noabort+0x14/0x20 [ 54.256248] get_unique_tuple+0x1a23/0x1d40 [ 54.260677] ? nf_ct_invert_tuplepr+0x125/0x200 [ 54.265727] ? find_held_lock+0x35/0x130 [ 54.270239] ? nft_hash_estimate+0x1a0/0x1a0 [ 54.274859] ? hash_by_src+0x3c0/0x3c0 [ 54.278948] ? lock_downgrade+0x880/0x880 [ 54.283136] ? kasan_check_read+0x11/0x20 [ 54.287399] nf_nat_setup_info+0x212/0x9e0 [ 54.291809] ? nf_nat_proto_clean+0x200/0x200 [ 54.296398] ? save_stack+0x45/0xd0 [ 54.300222] ? kasan_kmalloc+0xce/0xf0 [ 54.304242] ? kasan_slab_alloc+0xf/0x20 [ 54.308311] ? kmem_cache_alloc+0x12e/0x700 [ 54.312635] ? __nf_conntrack_alloc+0xdb/0x680 [ 54.317479] ? nf_conntrack_alloc+0x38/0x50 [ 54.321891] ? ctnetlink_create_conntrack+0xd0/0x1300 [ 54.327178] ? ctnetlink_new_conntrack+0x527/0xe50 [ 54.332277] ? nfnetlink_rcv_msg+0xd0d/0xfcf [ 54.336985] ? netlink_rcv_skb+0x17d/0x460 [ 54.341601] ? nfnetlink_rcv+0x1c0/0x460 [ 54.345683] ? netlink_unicast+0x53a/0x730 [ 54.350170] ? netlink_sendmsg+0x8ae/0xd70 [ 54.354411] ? sock_sendmsg+0xd7/0x130 [ 54.358984] ? ___sys_sendmsg+0x803/0x920 [ 54.363248] ? __sys_sendmsg+0x105/0x1d0 [ 54.367715] ? __x64_sys_sendmsg+0x78/0xb0 [ 54.372112] ? do_syscall_64+0xfd/0x620 [ 54.376087] ? entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 54.381465] ? mark_held_locks+0x100/0x100 [ 54.385795] ? _raw_spin_unlock_irqrestore+0x6b/0xe0 [ 54.391541] ? depot_save_stack+0x1de/0x44f [ 54.395864] __nf_nat_alloc_null_binding+0x164/0x1d0 [ 54.401148] ? nf_nat_setup_info+0x9e0/0x9e0 [ 54.405558] ? nft_hash_estimate+0x1a0/0x1a0 [ 54.409995] ? nft_hash_estimate+0x1a0/0x1a0 [ 54.414415] nfnetlink_parse_nat_setup+0x3ca/0x450 [ 54.419350] ? nf_nat_inet_fn+0x8b0/0x8b0 [ 54.423588] ? rcu_read_lock_sched_held+0x110/0x130 [ 54.429368] ? __lock_is_held+0xb6/0x140 [ 54.433578] ctnetlink_parse_nat_setup+0xc5/0x660 [ 54.438423] ctnetlink_create_conntrack+0x4ea/0x1300 [ 54.443979] ? ctnetlink_dump_table+0x12e0/0x12e0 [ 54.448993] ? __nf_conntrack_confirm+0x31e0/0x31e0 [ 54.454082] ctnetlink_new_conntrack+0x527/0xe50 [ 54.458854] ? ctnetlink_create_conntrack+0x1300/0x1300 [ 54.464568] ? find_held_lock+0x35/0x130 [ 54.468653] ? __sanitizer_cov_trace_switch+0x49/0x80 [ 54.473881] ? ctnetlink_create_conntrack+0x1300/0x1300 [ 54.479740] nfnetlink_rcv_msg+0xd0d/0xfcf [ 54.484030] ? nfnetlink_bind+0x2c0/0x2c0 [ 54.488207] ? avc_has_extended_perms+0x10f0/0x10f0 [ 54.493219] ? __save_stack_trace+0x99/0x100 [ 54.497635] ? selinux_ipv4_output+0x50/0x50 [ 54.502067] ? netlink_sendmsg+0x97b/0xd70 [ 54.506430] ? mark_held_locks+0x100/0x100 [ 54.510730] netlink_rcv_skb+0x17d/0x460 [ 54.514902] ? nfnetlink_bind+0x2c0/0x2c0 [ 54.519064] ? netlink_ack+0xb30/0xb30 [ 54.523410] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 54.529819] ? ns_capable_common+0x93/0x100 [ 54.534190] ? ns_capable+0x20/0x30 [ 54.537820] ? __netlink_ns_capable+0x104/0x140 [ 54.542483] nfnetlink_rcv+0x1c0/0x460 [ 54.546371] ? nfnetlink_rcv_batch+0x1750/0x1750 [ 54.551123] ? netlink_deliver_tap+0x254/0xc20 [ 54.555706] ? kasan_check_write+0x14/0x20 [ 54.560053] netlink_unicast+0x53a/0x730 [ 54.564117] ? netlink_attachskb+0x770/0x770 [ 54.568667] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 54.574384] netlink_sendmsg+0x8ae/0xd70 [ 54.578448] ? netlink_unicast+0x730/0x730 [ 54.583129] ? selinux_socket_sendmsg+0x36/0x40 [ 54.587917] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 54.594171] ? security_socket_sendmsg+0x8d/0xc0 [ 54.599057] ? netlink_unicast+0x730/0x730 [ 54.603364] sock_sendmsg+0xd7/0x130 [ 54.607237] ___sys_sendmsg+0x803/0x920 [ 54.611240] ? copy_msghdr_from_user+0x430/0x430 [ 54.615994] ? rcu_read_lock_sched_held+0x110/0x130 [ 54.621013] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 54.626553] ? percpu_counter_add_batch+0x13c/0x190 [ 54.631859] ? __fd_install+0x1bc/0x640 [ 54.635874] ? find_held_lock+0x35/0x130 [ 54.639948] ? __fd_install+0x1bc/0x640 [ 54.644006] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 54.649542] ? __fget_light+0x1a9/0x230 [ 54.653623] ? __fdget+0x1b/0x20 [ 54.657017] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 54.662557] __sys_sendmsg+0x105/0x1d0 [ 54.666497] ? __ia32_sys_shutdown+0x80/0x80 [ 54.670917] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 54.675673] ? do_syscall_64+0x26/0x620 [ 54.679994] ? entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 54.685362] ? do_syscall_64+0x26/0x620 [ 54.689502] __x64_sys_sendmsg+0x78/0xb0 [ 54.693700] do_syscall_64+0xfd/0x620 [ 54.697505] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 54.702686] RIP: 0033:0x440229 [ 54.705922] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 fb 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00 [ 54.724961] RSP: 002b:00007ffe7ea27a68 EFLAGS: 00000246 ORIG_RAX: 000000000000002e [ 54.732939] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440229 [ 54.740324] RDX: 0000000000000000 RSI: 0000000020000640 RDI: 0000000000000003 [ 54.748421] RBP: 00000000006ca018 R08: 0000000000000000 R09: 00000000004002c8 [ 54.755941] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000401ab0 [ 54.763318] R13: 0000000000401b40 R14: 0000000000000000 R15: 0000000000000000 [ 54.772217] Kernel Offset: disabled [ 54.775876] Rebooting in 86400 seconds..