[ 78.622833][ T26] audit: type=1800 audit(1579626913.936:26): pid=9508 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ 79.544475][ T26] kauditd_printk_skb: 2 callbacks suppressed
[ 79.544487][ T26] audit: type=1800 audit(1579626914.876:29): pid=9508 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="rc.local" dev="sda1" ino=2432 res=0
[ 79.571037][ T26] audit: type=1800 audit(1579626914.876:30): pid=9508 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="rmnologin" dev="sda1" ino=2423 res=0

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.231' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 90.229228][ T9661] IPVS: ftp: loaded support on port[0] = 21
[ 90.259618][ T9661] ==================================================================
[ 90.267947][ T9661] BUG: KASAN: slab-out-of-bounds in __nla_put_nohdr+0x46/0x50
[ 90.275396][ T9661] Read of size 12 at addr ffff8880a90c9240 by task syz-executor466/9661
[ 90.283704][ T9661]
[ 90.286025][ T9661] CPU: 0 PID: 9661 Comm: syz-executor466 Not tainted 5.5.0-rc7-syzkaller #0
[ 90.294683][ T9661] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 90.304802][ T9661] Call Trace:
[ 90.308083][ T9661] dump_stack+0x197/0x210
[ 90.312417][ T9661] ? __nla_put_nohdr+0x46/0x50
[ 90.317172][ T9661] print_address_description.constprop.0.cold+0xd4/0x30b
[ 90.324226][ T9661] ? __nla_put_nohdr+0x46/0x50
[ 90.329019][ T9661] ? __nla_put_nohdr+0x46/0x50
[ 90.333784][ T9661] __kasan_report.cold+0x1b/0x41
[ 90.338723][ T9661] ? __nla_put_nohdr+0x46/0x50
[ 90.343474][ T9661] kasan_report+0x12/0x20
[ 90.347802][ T9661] check_memory_region+0x134/0x1a0
[ 90.353023][ T9661] memcpy+0x24/0x50
[ 90.356873][ T9661] __nla_put_nohdr+0x46/0x50
[ 90.361453][ T9661] nla_put_nohdr+0xf9/0x140
[ 90.365947][ T9661] tcf_em_tree_dump+0x67e/0x960
[ 90.370800][ T9661] ? tcf_em_lookup+0x150/0x150
[ 90.375715][ T9661] ? __nla_put_64bit+0x37/0x40
[ 90.380727][ T9661] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 90.386958][ T9661] ? tcf_exts_dump+0xa2/0x5a0
[ 90.391646][ T9661] basic_dump+0x379/0x690
[ 90.396179][ T9661] ? rcu_read_lock_any_held.part.0+0x50/0x50
[ 90.402325][ T9661] ? basic_bind_class+0xb0/0xb0
[ 90.407268][ T9661] ? memcpy+0x46/0x50
[ 90.411252][ T9661] ? nla_put+0x110/0x150
[ 90.415499][ T9661] ? basic_bind_class+0xb0/0xb0
[ 90.420350][ T9661] tcf_fill_node+0x58b/0x970
[ 90.425080][ T9661] ? tcf_get_next_chain+0x50/0x50
[ 90.430104][ T9661] ? __kmalloc_reserve.isra.0+0xf0/0xf0
[ 90.435641][ T9661] ? basic_init+0x1f0/0x1f0
[ 90.440200][ T9661] tfilter_notify+0x134/0x290
[ 90.444888][ T9661] tc_new_tfilter+0xc18/0x2590
[ 90.449665][ T9661] ? basic_init+0x1f0/0x1f0
[ 90.454223][ T9661] ? tc_del_tfilter+0x1560/0x1560
[ 90.459245][ T9661] ? __kasan_check_read+0x11/0x20
[ 90.464267][ T9661] ? __lock_acquire+0x8a0/0x4a00
[ 90.469193][ T9661] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 90.475485][ T9661] ? rtnetlink_rcv_msg+0x7e3/0xaf0
[ 90.480671][ T9661] ? find_held_lock+0x35/0x130
[ 90.485488][ T9661] ? rcu_read_lock_held_common+0x130/0x130
[ 90.491295][ T9661] ? tc_del_tfilter+0x1560/0x1560
[ 90.496319][ T9661] ? __kasan_check_read+0x11/0x20
[ 90.501397][ T9661] ? tc_del_tfilter+0x1560/0x1560
[ 90.506460][ T9661] rtnetlink_rcv_msg+0x824/0xaf0
[ 90.511395][ T9661] ? rtnl_bridge_getlink+0x910/0x910
[ 90.516686][ T9661] ? lock_downgrade+0x920/0x920
[ 90.521543][ T9661] ? netlink_deliver_tap+0x228/0xbe0
[ 90.526933][ T9661] ? find_held_lock+0x35/0x130
[ 90.531850][ T9661] netlink_rcv_skb+0x177/0x450
[ 90.536640][ T9661] ? rtnl_bridge_getlink+0x910/0x910
[ 90.541965][ T9661] ? netlink_ack+0xb50/0xb50
[ 90.546542][ T9661] ? __kasan_check_read+0x11/0x20
[ 90.551698][ T9661] ? netlink_deliver_tap+0x24a/0xbe0
[ 90.557095][ T9661] rtnetlink_rcv+0x1d/0x30
[ 90.561504][ T9661] netlink_unicast+0x58c/0x7d0
[ 90.566320][ T9661] ? netlink_attachskb+0x870/0x870
[ 90.571487][ T9661] ? __sanitizer_cov_trace_cmp8+0x18/0x20
[ 90.577818][ T9661] ? __check_object_size+0x3d/0x437
[ 90.583020][ T9661] netlink_sendmsg+0x91c/0xea0
[ 90.587863][ T9661] ? netlink_unicast+0x7d0/0x7d0
[ 90.592800][ T9661] ? aa_sock_msg_perm.isra.0+0xba/0x170
[ 90.598351][ T9661] ? apparmor_socket_sendmsg+0x2a/0x30
[ 90.603859][ T9661] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 90.610201][ T9661] ? security_socket_sendmsg+0x8d/0xc0
[ 90.615802][ T9661] ? netlink_unicast+0x7d0/0x7d0
[ 90.620787][ T9661] sock_sendmsg+0xd7/0x130
[ 90.625203][ T9661] ____sys_sendmsg+0x753/0x880
[ 90.629961][ T9661] ? kernel_sendmsg+0x50/0x50
[ 90.634641][ T9661] ? rcu_read_lock_any_held.part.0+0x50/0x50
[ 90.640614][ T9661] ? __lock_acquire+0x16f2/0x4a00
[ 90.645645][ T9661] ___sys_sendmsg+0x100/0x170
[ 90.650314][ T9661] ? sendmsg_copy_msghdr+0x70/0x70
[ 90.655427][ T9661] ? lock_downgrade+0x920/0x920
[ 90.660281][ T9661] ? __kasan_check_read+0x11/0x20
[ 90.665359][ T9661] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 90.671624][ T9661] ? __fget_light+0x1a9/0x230
[ 90.676298][ T9661] ? __fdget+0x1b/0x20
[ 90.680352][ T9661] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 90.686598][ T9661] __sys_sendmsg+0x105/0x1d0
[ 90.691267][ T9661] ? __sys_sendmsg_sock+0xc0/0xc0
[ 90.696410][ T9661] ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 90.701868][ T9661] ? do_fast_syscall_32+0xd1/0xe16
[ 90.707231][ T9661] ? entry_SYSENTER_compat+0x70/0x7f
[ 90.712531][ T9661] ? do_fast_syscall_32+0xd1/0xe16
[ 90.717709][ T9661] __ia32_compat_sys_sendmsg+0x7a/0xb0
[ 90.723161][ T9661] do_fast_syscall_32+0x27b/0xe16
[ 90.728177][ T9661] entry_SYSENTER_compat+0x70/0x7f
[ 90.733283][ T9661] RIP: 0023:0xf7fc19a9
[ 90.737344][ T9661] Code: 00 00 00 89 d3 5b 5e 5f 5d c3 b8 80 96 98 00 eb c4 8b 04 24 c3 8b 1c 24 c3 8b 34 24 c3 8b 3c 24 c3 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 eb 0d 90 90 90 90 90 90 90 90 90 90 90 90
[ 90.756985][ T9661] RSP: 002b:00000000ffb05bec EFLAGS: 00000246 ORIG_RAX: 0000000000000172
[ 90.765612][ T9661] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00000000200001c0
[ 90.773722][ T9661] RDX: 0000000000000000 RSI: 0000000000000172 RDI: 0000000000000004
[ 90.781864][ T9661] RBP: 0000000020000240 R08: 0000000000000000 R09: 0000000000000000
[ 90.789838][ T9661] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[ 90.797811][ T9661] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 90.805824][ T9661]
[ 90.808152][ T9661] Allocated by task 9661:
[ 90.812579][ T9661] save_stack+0x23/0x90
[ 90.816736][ T9661] __kasan_kmalloc.constprop.0+0xcf/0xe0
[ 90.822376][ T9661] kasan_kmalloc+0x9/0x10
[ 90.826791][ T9661] __kmalloc_track_caller+0x15f/0x760
[ 90.832221][ T9661] kmemdup+0x27/0x60
[ 90.836118][ T9661] em_nbyte_change+0xd6/0x150
[ 90.840790][ T9661] tcf_em_tree_validate+0x9b5/0xf3c
[ 90.846099][ T9661] basic_change+0x513/0x14a0
[ 90.851285][ T9661] tc_new_tfilter+0xbbd/0x2590
[ 90.856058][ T9661] rtnetlink_rcv_msg+0x824/0xaf0
[ 90.861016][ T9661] netlink_rcv_skb+0x177/0x450
[ 90.865913][ T9661] rtnetlink_rcv+0x1d/0x30
[ 90.870324][ T9661] netlink_unicast+0x58c/0x7d0
[ 90.875081][ T9661] netlink_sendmsg+0x91c/0xea0
[ 90.879827][ T9661] sock_sendmsg+0xd7/0x130
[ 90.884360][ T9661] ____sys_sendmsg+0x753/0x880
[ 90.889114][ T9661] ___sys_sendmsg+0x100/0x170
[ 90.893799][ T9661] __sys_sendmsg+0x105/0x1d0
[ 90.898378][ T9661] __ia32_compat_sys_sendmsg+0x7a/0xb0
[ 90.903838][ T9661] do_fast_syscall_32+0x27b/0xe16
[ 90.908859][ T9661] entry_SYSENTER_compat+0x70/0x7f
[ 90.913954][ T9661]
[ 90.916266][ T9661] Freed by task 9390:
[ 90.920242][ T9661] save_stack+0x23/0x90
[ 90.924477][ T9661] __kasan_slab_free+0x102/0x150
[ 90.929412][ T9661] kasan_slab_free+0xe/0x10
[ 90.934012][ T9661] kfree+0x10a/0x2c0
[ 90.938084][ T9661] tomoyo_check_open_permission+0x19e/0x3e0
[ 90.943998][ T9661] tomoyo_file_open+0xa9/0xd0
[ 90.948686][ T9661] security_file_open+0x71/0x300
[ 90.953612][ T9661] do_dentry_open+0x37a/0x1380
[ 90.958377][ T9661] vfs_open+0xa0/0xd0
[ 90.962357][ T9661] path_openat+0x118b/0x3180
[ 90.966996][ T9661] do_filp_open+0x1a1/0x280
[ 90.971563][ T9661] do_sys_open+0x3fe/0x5d0
[ 90.976097][ T9661] __x64_sys_open+0x7e/0xc0
[ 90.980593][ T9661] do_syscall_64+0xfa/0x790
[ 90.985096][ T9661] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 90.990978][ T9661]
[ 90.993313][ T9661] The buggy address belongs to the object at ffff8880a90c9240
[ 90.993313][ T9661] which belongs to the cache kmalloc-32 of size 32
[ 91.007188][ T9661] The buggy address is located 0 bytes inside of
[ 91.007188][ T9661] 32-byte region [ffff8880a90c9240, ffff8880a90c9260)
[ 91.020237][ T9661] The buggy address belongs to the page:
[ 91.025995][ T9661] page:ffffea0002a43240 refcount:1 mapcount:0 mapping:ffff8880aa4001c0 index:0xffff8880a90c9fc1
[ 91.036392][ T9661] raw: 00fffe0000000200 ffffea0002a3f948 ffffea000257e0c8 ffff8880aa4001c0
[ 91.045081][ T9661] raw: ffff8880a90c9fc1 ffff8880a90c9000 0000000100000030 0000000000000000
[ 91.053885][ T9661] page dumped because: kasan: bad access detected
[ 91.060285][ T9661]
[ 91.062609][ T9661] Memory state around the buggy address:
[ 91.068269][ T9661]  ffff8880a90c9100: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[ 91.076353][ T9661]  ffff8880a90c9180: 00 01 fc fc fc fc fc fc 00 00 00 00 fc fc fc fc
[ 91.084409][ T9661] >ffff8880a90c9200: fb fb fb fb fc fc fc fc 04 fc fc fc fc fc fc fc
[ 91.093470][ T9661]                                            ^
[ 91.099659][ T9661]  ffff8880a90c9280: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[ 91.107716][ T9661]  ffff8880a90c9300: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[ 91.116539][ T9661] ==================================================================
[ 91.124626][ T9661] Disabling lock debugging due to kernel taint
[ 91.130978][ T9661] Kernel panic - not syncing: panic_on_warn set ...
[ 91.137570][ T9661] CPU: 0 PID: 9661 Comm: syz-executor466 Tainted: G B 5.5.0-rc7-syzkaller #0
[ 91.147620][ T9661] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 91.157783][ T9661] Call Trace:
[ 91.161071][ T9661] dump_stack+0x197/0x210
[ 91.165402][ T9661] panic+0x2e3/0x75c
[ 91.169339][ T9661] ? add_taint.cold+0x16/0x16
[ 91.174028][ T9661] ? __nla_put_nohdr+0x46/0x50
[ 91.178786][ T9661] ? preempt_schedule+0x4b/0x60
[ 91.183621][ T9661] ? ___preempt_schedule+0x16/0x18
[ 91.188836][ T9661] ? trace_hardirqs_on+0x5e/0x240
[ 91.193848][ T9661] ? __nla_put_nohdr+0x46/0x50
[ 91.198615][ T9661] end_report+0x47/0x4f
[ 91.202876][ T9661] ? __nla_put_nohdr+0x46/0x50
[ 91.207625][ T9661] __kasan_report.cold+0xe/0x41
[ 91.212527][ T9661] ? __nla_put_nohdr+0x46/0x50
[ 91.217379][ T9661] kasan_report+0x12/0x20
[ 91.221845][ T9661] check_memory_region+0x134/0x1a0
[ 91.226973][ T9661] memcpy+0x24/0x50
[ 91.230780][ T9661] __nla_put_nohdr+0x46/0x50
[ 91.235413][ T9661] nla_put_nohdr+0xf9/0x140
[ 91.239911][ T9661] tcf_em_tree_dump+0x67e/0x960
[ 91.244810][ T9661] ? tcf_em_lookup+0x150/0x150
[ 91.249576][ T9661] ? __nla_put_64bit+0x37/0x40
[ 91.254327][ T9661] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 91.260581][ T9661] ? tcf_exts_dump+0xa2/0x5a0
[ 91.265258][ T9661] basic_dump+0x379/0x690
[ 91.269581][ T9661] ? rcu_read_lock_any_held.part.0+0x50/0x50
[ 91.275559][ T9661] ? basic_bind_class+0xb0/0xb0
[ 91.280420][ T9661] ? memcpy+0x46/0x50
[ 91.284398][ T9661] ? nla_put+0x110/0x150
[ 91.288664][ T9661] ? basic_bind_class+0xb0/0xb0
[ 91.293541][ T9661] tcf_fill_node+0x58b/0x970
[ 91.298242][ T9661] ? tcf_get_next_chain+0x50/0x50
[ 91.303330][ T9661] ? __kmalloc_reserve.isra.0+0xf0/0xf0
[ 91.308865][ T9661] ? basic_init+0x1f0/0x1f0
[ 91.313366][ T9661] tfilter_notify+0x134/0x290
[ 91.318043][ T9661] tc_new_tfilter+0xc18/0x2590
[ 91.323002][ T9661] ? basic_init+0x1f0/0x1f0
[ 91.327495][ T9661] ? tc_del_tfilter+0x1560/0x1560
[ 91.332512][ T9661] ? __kasan_check_read+0x11/0x20
[ 91.337598][ T9661] ? __lock_acquire+0x8a0/0x4a00
[ 91.342692][ T9661] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 91.349006][ T9661] ? rtnetlink_rcv_msg+0x7e3/0xaf0
[ 91.354129][ T9661] ? find_held_lock+0x35/0x130
[ 91.358982][ T9661] ? rcu_read_lock_held_common+0x130/0x130
[ 91.364790][ T9661] ? tc_del_tfilter+0x1560/0x1560
[ 91.369821][ T9661] ? __kasan_check_read+0x11/0x20
[ 91.374932][ T9661] ? tc_del_tfilter+0x1560/0x1560
[ 91.379953][ T9661] rtnetlink_rcv_msg+0x824/0xaf0
[ 91.384945][ T9661] ? rtnl_bridge_getlink+0x910/0x910
[ 91.390226][ T9661] ? lock_downgrade+0x920/0x920
[ 91.395074][ T9661] ? netlink_deliver_tap+0x228/0xbe0
[ 91.400354][ T9661] ? find_held_lock+0x35/0x130
[ 91.405106][ T9661] netlink_rcv_skb+0x177/0x450
[ 91.409907][ T9661] ? rtnl_bridge_getlink+0x910/0x910
[ 91.415190][ T9661] ? netlink_ack+0xb50/0xb50
[ 91.419791][ T9661] ? __kasan_check_read+0x11/0x20
[ 91.424811][ T9661] ? netlink_deliver_tap+0x24a/0xbe0
[ 91.430086][ T9661] rtnetlink_rcv+0x1d/0x30
[ 91.434483][ T9661] netlink_unicast+0x58c/0x7d0
[ 91.439259][ T9661] ? netlink_attachskb+0x870/0x870
[ 91.444459][ T9661] ? __sanitizer_cov_trace_cmp8+0x18/0x20
[ 91.450219][ T9661] ? __check_object_size+0x3d/0x437
[ 91.455420][ T9661] netlink_sendmsg+0x91c/0xea0
[ 91.460371][ T9661] ? netlink_unicast+0x7d0/0x7d0
[ 91.465309][ T9661] ? aa_sock_msg_perm.isra.0+0xba/0x170
[ 91.470898][ T9661] ? apparmor_socket_sendmsg+0x2a/0x30
[ 91.476353][ T9661] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 91.482716][ T9661] ? security_socket_sendmsg+0x8d/0xc0
[ 91.488184][ T9661] ? netlink_unicast+0x7d0/0x7d0
[ 91.493115][ T9661] sock_sendmsg+0xd7/0x130
[ 91.497707][ T9661] ____sys_sendmsg+0x753/0x880
[ 91.502463][ T9661] ? kernel_sendmsg+0x50/0x50
[ 91.507153][ T9661] ? rcu_read_lock_any_held.part.0+0x50/0x50
[ 91.513135][ T9661] ? __lock_acquire+0x16f2/0x4a00
[ 91.518267][ T9661] ___sys_sendmsg+0x100/0x170
[ 91.522939][ T9661] ? sendmsg_copy_msghdr+0x70/0x70
[ 91.528123][ T9661] ? lock_downgrade+0x920/0x920
[ 91.532982][ T9661] ? __kasan_check_read+0x11/0x20
[ 91.538004][ T9661] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 91.544274][ T9661] ? __fget_light+0x1a9/0x230
[ 91.549045][ T9661] ? __fdget+0x1b/0x20
[ 91.553162][ T9661] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 91.559399][ T9661] __sys_sendmsg+0x105/0x1d0
[ 91.563983][ T9661] ? __sys_sendmsg_sock+0xc0/0xc0
[ 91.569120][ T9661] ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 91.574588][ T9661] ? do_fast_syscall_32+0xd1/0xe16
[ 91.579697][ T9661] ? entry_SYSENTER_compat+0x70/0x7f
[ 91.585082][ T9661] ? do_fast_syscall_32+0xd1/0xe16
[ 91.590183][ T9661] __ia32_compat_sys_sendmsg+0x7a/0xb0
[ 91.595636][ T9661] do_fast_syscall_32+0x27b/0xe16
[ 91.600774][ T9661] entry_SYSENTER_compat+0x70/0x7f
[ 91.605908][ T9661] RIP: 0023:0xf7fc19a9
[ 91.610093][ T9661] Code: 00 00 00 89 d3 5b 5e 5f 5d c3 b8 80 96 98 00 eb c4 8b 04 24 c3 8b 1c 24 c3 8b 34 24 c3 8b 3c 24 c3 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 eb 0d 90 90 90 90 90 90 90 90 90 90 90 90
[ 91.629688][ T9661] RSP: 002b:00000000ffb05bec EFLAGS: 00000246 ORIG_RAX: 0000000000000172
[ 91.638095][ T9661] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00000000200001c0
[ 91.646304][ T9661] RDX: 0000000000000000 RSI: 0000000000000172 RDI: 0000000000000004
[ 91.654269][ T9661] RBP: 0000000020000240 R08: 0000000000000000 R09: 0000000000000000
[ 91.662294][ T9661] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[ 91.670984][ T9661] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 91.680535][ T9661] Kernel Offset: disabled
[ 91.684868][ T9661] Rebooting in 86400 seconds..