Warning: Permanently added '10.128.0.125' (ECDSA) to the list of known hosts.
executing program
[ 105.553244][ T27] audit: type=1400 audit(1584912408.180:42): avc: denied { map } for pid=10697 comm="syz-executor408" path="/root/syz-executor408914736" dev="sda1" ino=16484 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 105.571138][T10698] IPVS: ftp: loaded support on port[0] = 21
[ 105.617536][T10698] ==================================================================
[ 105.625765][T10698] BUG: KASAN: use-after-free in tcindex_set_parms+0x17fd/0x1a00
[ 105.634471][T10698] Write of size 16 at addr ffff8880a354dab8 by task syz-executor408/10698
[ 105.643073][T10698]
[ 105.645393][T10698] CPU: 0 PID: 10698 Comm: syz-executor408 Not tainted 5.6.0-rc6-syzkaller #0
[ 105.654960][T10698] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 105.665066][T10698] Call Trace:
[ 105.668352][T10698] dump_stack+0x188/0x20d
[ 105.674773][T10698] ? tcindex_set_parms+0x17fd/0x1a00
[ 105.680400][T10698] ? tcindex_set_parms+0x17fd/0x1a00
[ 105.685687][T10698] print_address_description.constprop.0.cold+0xd3/0x315
[ 105.692766][T10698] ? tcindex_set_parms+0x17fd/0x1a00
[ 105.698062][T10698] ? tcindex_set_parms+0x17fd/0x1a00
[ 105.704389][T10698] __kasan_report.cold+0x1a/0x32
[ 105.709497][T10698] ? tcindex_set_parms+0x17fd/0x1a00
[ 105.714777][T10698] kasan_report+0xe/0x20
[ 105.719033][T10698] tcindex_set_parms+0x17fd/0x1a00
[ 105.724279][T10698] ? tcindex_alloc_perfect_hash+0x320/0x320
[ 105.730389][T10698] ? mark_held_locks+0xe0/0xe0
[ 105.735188][T10698] ? nla_memcpy+0xa0/0xa0
[ 105.739525][T10698] ? tcindex_change+0x203/0x2e0
[ 105.744385][T10698] tcindex_change+0x203/0x2e0
[ 105.749097][T10698] ? tcindex_set_parms+0x1a00/0x1a00
[ 105.754511][T10698] tc_new_tfilter+0xa59/0x20b0
[ 105.759370][T10698] ? tcindex_set_parms+0x1a00/0x1a00
[ 105.764654][T10698] ? tc_del_tfilter+0x1430/0x1430
[ 105.769728][T10698] ? __lock_acquire+0x80b/0x3ca0
[ 105.774794][T10698] ? rcu_read_lock_held+0x9c/0xb0
[ 105.780076][T10698] ? tc_del_tfilter+0x1430/0x1430
[ 105.785205][T10698] rtnetlink_rcv_msg+0x810/0xad0
[ 105.790282][T10698] ? rtnl_bridge_getlink+0x880/0x880
[ 105.795565][T10698] ? mark_held_locks+0xe0/0xe0
[ 105.800535][T10698] ? netlink_deliver_tap+0x146/0xb50
[ 105.805956][T10698] netlink_rcv_skb+0x15a/0x410
[ 105.810812][T10698] ? rtnl_bridge_getlink+0x880/0x880
[ 105.816162][T10698] ? netlink_ack+0xa80/0xa80
[ 105.820760][T10698] netlink_unicast+0x537/0x740
[ 105.825541][T10698] ? netlink_attachskb+0x810/0x810
[ 105.831152][T10698] ? _copy_from_iter_full+0x25c/0x870
[ 105.836877][T10698] netlink_sendmsg+0x882/0xe10
[ 105.841655][T10698] ? netlink_unicast+0x740/0x740
[ 105.846777][T10698] ? netlink_unicast+0x740/0x740
[ 105.851757][T10698] sock_sendmsg+0xcf/0x120
[ 105.856191][T10698] ____sys_sendmsg+0x6b9/0x7d0
[ 105.861143][T10698] ? kernel_sendmsg+0x50/0x50
[ 105.866086][T10698] ? rcu_read_lock_sched_held+0x9c/0xd0
[ 105.871628][T10698] ? rcu_read_lock_any_held.part.0+0x50/0x50
[ 105.877732][T10698] ___sys_sendmsg+0x100/0x170
[ 105.882594][T10698] ? sendmsg_copy_msghdr+0x70/0x70
[ 105.887839][T10698] ? lock_downgrade+0x7f0/0x7f0
[ 105.892854][T10698] ? lock_acquire+0x197/0x420
[ 105.897537][T10698] ? __might_fault+0xef/0x1d0
[ 105.902373][T10698] ? __might_fault+0x190/0x1d0
[ 105.907135][T10698] ? _copy_to_user+0x107/0x150
[ 105.912312][T10698] ? move_addr_to_user+0xb3/0x200
[ 105.918151][T10698] ? __fget_light+0x1a5/0x270
[ 105.922818][T10698] __sys_sendmsg+0xec/0x1b0
[ 105.927304][T10698] ? __sys_sendmsg_sock+0xb0/0xb0
[ 105.932313][T10698] ? mark_held_locks+0x9f/0xe0
[ 105.937244][T10698] ? trace_hardirqs_off_caller+0x55/0x230
[ 105.943083][T10698] ? do_syscall_64+0x21/0x7d0
[ 105.947814][T10698] do_syscall_64+0xf6/0x7d0
[ 105.952310][T10698] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 105.958236][T10698] RIP: 0033:0x440e79
[ 105.962116][T10698] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b 10 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 105.984108][T10698] RSP: 002b:00007ffecff38fc8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 105.992515][T10698] RAX: ffffffffffffffda RBX: 00000000004a2650 RCX: 0000000000440e79
[ 106.000499][T10698] RDX: 0000000000000000 RSI: 00000000200001c0 RDI: 0000000000000003
[ 106.008467][T10698] RBP: 00007ffecff38fd0 R08: 0000000120080522 R09: 0000000120080522
[ 106.016492][T10698] R10: 0000000120080522 R11: 0000000000000246 R12: 00000000004a2650
[ 106.024453][T10698] R13: 0000000000402410 R14: 0000000000000000 R15: 0000000000000000
[ 106.032899][T10698]
[ 106.035323][T10698] Allocated by task 1:
[ 106.039478][T10698] save_stack+0x1b/0x80
[ 106.043805][T10698] __kasan_kmalloc.constprop.0+0xbf/0xd0
[ 106.049576][T10698] kmem_cache_alloc_trace+0x153/0x7d0
[ 106.055326][T10698] call_usermodehelper_setup+0x98/0x300
[ 106.061084][T10698] kobject_uevent_env+0xcfb/0x11f0
[ 106.066188][T10698] tty_register_device_attr+0x475/0x6f0
[ 106.071717][T10698] tty_register_driver+0x42d/0x800
[ 106.076807][T10698] pty_init+0x6cb/0xeb2
[ 106.080985][T10698] do_one_initcall+0x10a/0x7d0
[ 106.085831][T10698] kernel_init_freeable+0x501/0x5ae
[ 106.091029][T10698] kernel_init+0xd/0x1bb
[ 106.095293][T10698] ret_from_fork+0x24/0x30
[ 106.100002][T10698]
[ 106.102545][T10698] Freed by task 2259:
[ 106.106556][T10698] save_stack+0x1b/0x80
[ 106.110836][T10698] __kasan_slab_free+0xf7/0x140
[ 106.115700][T10698] kfree+0x109/0x2b0
[ 106.119737][T10698] umh_complete+0x81/0x90
[ 106.124212][T10698] call_usermodehelper_exec_async+0x459/0x710
[ 106.130533][T10698] ret_from_fork+0x24/0x30
[ 106.135067][T10698]
[ 106.137380][T10698] The buggy address belongs to the object at ffff8880a354da00
[ 106.137380][T10698] which belongs to the cache kmalloc-192 of size 192
[ 106.151610][T10698] The buggy address is located 184 bytes inside of
[ 106.151610][T10698] 192-byte region [ffff8880a354da00, ffff8880a354dac0)
[ 106.164883][T10698] The buggy address belongs to the page:
[ 106.170651][T10698] page:ffffea00028d5340 refcount:1 mapcount:0 mapping:ffff8880aa000000 index:0x0
[ 106.179751][T10698] flags: 0xfffe0000000200(slab)
[ 106.184734][T10698] raw: 00fffe0000000200 ffffea00028d1088 ffff8880aa001148 ffff8880aa000000
[ 106.193351][T10698] raw: 0000000000000000 ffff8880a354d000 0000000100000010 0000000000000000
[ 106.202080][T10698] page dumped because: kasan: bad access detected
[ 106.208594][T10698]
[ 106.210900][T10698] Memory state around the buggy address:
[ 106.216728][T10698]  ffff8880a354d980: 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 106.225000][T10698]  ffff8880a354da00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 106.233397][T10698] >ffff8880a354da80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 106.241467][T10698]                                         ^
[ 106.248310][T10698]  ffff8880a354db00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 106.256642][T10698]  ffff8880a354db80: 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 106.264707][T10698] ==================================================================
[ 106.272775][T10698] Disabling lock debugging due to kernel taint
[ 106.280085][T10698] Kernel panic - not syncing: panic_on_warn set ...
[ 106.286704][T10698] CPU: 0 PID: 10698 Comm: syz-executor408 Tainted: G B 5.6.0-rc6-syzkaller #0
[ 106.296845][T10698] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 106.306886][T10698] Call Trace:
[ 106.310226][T10698] dump_stack+0x188/0x20d
[ 106.314555][T10698] panic+0x2e3/0x75c
[ 106.318441][T10698] ? add_taint.cold+0x16/0x16
[ 106.323103][T10698] ? preempt_schedule_common+0x5e/0xc0
[ 106.328683][T10698] ? tcindex_set_parms+0x17fd/0x1a00
[ 106.334061][T10698] ? ___preempt_schedule+0x16/0x18
[ 106.339279][T10698] ? trace_hardirqs_on+0x55/0x220
[ 106.344321][T10698] ? tcindex_set_parms+0x17fd/0x1a00
[ 106.349725][T10698] end_report+0x43/0x49
[ 106.353939][T10698] ? tcindex_set_parms+0x17fd/0x1a00
[ 106.359216][T10698] __kasan_report.cold+0xd/0x32
[ 106.364057][T10698] ? tcindex_set_parms+0x17fd/0x1a00
[ 106.369325][T10698] kasan_report+0xe/0x20
[ 106.373562][T10698] tcindex_set_parms+0x17fd/0x1a00
[ 106.378664][T10698] ? tcindex_alloc_perfect_hash+0x320/0x320
[ 106.384552][T10698] ? mark_held_locks+0xe0/0xe0
[ 106.389333][T10698] ? nla_memcpy+0xa0/0xa0
[ 106.393932][T10698] ? tcindex_change+0x203/0x2e0
[ 106.398766][T10698] tcindex_change+0x203/0x2e0
[ 106.403430][T10698] ? tcindex_set_parms+0x1a00/0x1a00
[ 106.408823][T10698] tc_new_tfilter+0xa59/0x20b0
[ 106.413588][T10698] ? tcindex_set_parms+0x1a00/0x1a00
[ 106.418866][T10698] ? tc_del_tfilter+0x1430/0x1430
[ 106.423901][T10698] ? __lock_acquire+0x80b/0x3ca0
[ 106.428901][T10698] ? rcu_read_lock_held+0x9c/0xb0
[ 106.434209][T10698] ? tc_del_tfilter+0x1430/0x1430
[ 106.439357][T10698] rtnetlink_rcv_msg+0x810/0xad0
[ 106.444544][T10698] ? rtnl_bridge_getlink+0x880/0x880
[ 106.449845][T10698] ? mark_held_locks+0xe0/0xe0
[ 106.454606][T10698] ? netlink_deliver_tap+0x146/0xb50
[ 106.459893][T10698] netlink_rcv_skb+0x15a/0x410
[ 106.468496][T10698] ? rtnl_bridge_getlink+0x880/0x880
[ 106.473793][T10698] ? netlink_ack+0xa80/0xa80
[ 106.478380][T10698] netlink_unicast+0x537/0x740
[ 106.483138][T10698] ? netlink_attachskb+0x810/0x810
[ 106.488265][T10698] ? _copy_from_iter_full+0x25c/0x870
[ 106.493637][T10698] netlink_sendmsg+0x882/0xe10
[ 106.498508][T10698] ? netlink_unicast+0x740/0x740
[ 106.503611][T10698] ? netlink_unicast+0x740/0x740
[ 106.508550][T10698] sock_sendmsg+0xcf/0x120
[ 106.513137][T10698] ____sys_sendmsg+0x6b9/0x7d0
[ 106.517918][T10698] ? kernel_sendmsg+0x50/0x50
[ 106.522608][T10698] ? rcu_read_lock_sched_held+0x9c/0xd0
[ 106.528166][T10698] ? rcu_read_lock_any_held.part.0+0x50/0x50
[ 106.534141][T10698] ___sys_sendmsg+0x100/0x170
[ 106.538839][T10698] ? sendmsg_copy_msghdr+0x70/0x70
[ 106.543961][T10698] ? lock_downgrade+0x7f0/0x7f0
[ 106.548803][T10698] ? lock_acquire+0x197/0x420
[ 106.553560][T10698] ? __might_fault+0xef/0x1d0
[ 106.558363][T10698] ? __might_fault+0x190/0x1d0
[ 106.563460][T10698] ? _copy_to_user+0x107/0x150
[ 106.568434][T10698] ? move_addr_to_user+0xb3/0x200
[ 106.573997][T10698] ? __fget_light+0x1a5/0x270
[ 106.578694][T10698] __sys_sendmsg+0xec/0x1b0
[ 106.583285][T10698] ? __sys_sendmsg_sock+0xb0/0xb0
[ 106.588294][T10698] ? mark_held_locks+0x9f/0xe0
[ 106.593074][T10698] ? trace_hardirqs_off_caller+0x55/0x230
[ 106.598779][T10698] ? do_syscall_64+0x21/0x7d0
[ 106.603627][T10698] do_syscall_64+0xf6/0x7d0
[ 106.608119][T10698] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 106.614014][T10698] RIP: 0033:0x440e79
[ 106.618020][T10698] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b 10 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 106.638410][T10698] RSP: 002b:00007ffecff38fc8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 106.646804][T10698] RAX: ffffffffffffffda RBX: 00000000004a2650 RCX: 0000000000440e79
[ 106.654753][T10698] RDX: 0000000000000000 RSI: 00000000200001c0 RDI: 0000000000000003
[ 106.662720][T10698] RBP: 00007ffecff38fd0 R08: 0000000120080522 R09: 0000000120080522
[ 106.670935][T10698] R10: 0000000120080522 R11: 0000000000000246 R12: 00000000004a2650
[ 106.678894][T10698] R13: 0000000000402410 R14: 0000000000000000 R15: 0000000000000000
[ 106.688102][T10698] Kernel Offset: disabled
[ 106.692433][T10698] Rebooting in 86400 seconds..