[....] Starting enhanced syslogd: rsyslogd[?25l[?1c7[ ok 8[?25h[?0c. [ 84.450002][ T27] audit: type=1800 audit(1579404900.759:25): pid=9477 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="cron" dev="sda1" ino=2414 res=0 [ 84.490668][ T27] audit: type=1800 audit(1579404900.769:26): pid=9477 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0 [ 84.515183][ T27] audit: type=1800 audit(1579404900.769:27): pid=9477 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0 [....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[ ok 8[?25h[?0c. Debian GNU/Linux 7 syzkaller ttyS0 Warning: Permanently added '10.128.1.54' (ECDSA) to the list of known hosts. executing program executing program syzkaller login: [ 107.379733][ T9633] ================================================================== [ 107.387997][ T9633] BUG: KASAN: use-after-free in bitmap_port_ext_cleanup+0xe6/0x2a0 [ 107.395878][ T9633] Read of size 8 at addr ffff88809fde6f80 by task syz-executor587/9633 [ 107.404243][ T9633] [ 107.406566][ T9633] CPU: 0 PID: 9633 Comm: syz-executor587 Not tainted 5.5.0-rc6-syzkaller #0 [ 107.415327][ T9633] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 107.425468][ T9633] Call Trace: [ 107.428754][ T9633] dump_stack+0x197/0x210 [ 107.433084][ T9633] ? bitmap_port_ext_cleanup+0xe6/0x2a0 [ 107.438618][ T9633] print_address_description.constprop.0.cold+0xd4/0x30b [ 107.445627][ T9633] ? bitmap_port_ext_cleanup+0xe6/0x2a0 [ 107.451155][ T9633] ? bitmap_port_ext_cleanup+0xe6/0x2a0 [ 107.456701][ T9633] __kasan_report.cold+0x1b/0x41 [ 107.461637][ T9633] ? kfree+0x210/0x2c0 [ 107.465814][ T9633] ? bitmap_port_ext_cleanup+0xe6/0x2a0 [ 107.471349][ T9633] kasan_report+0x12/0x20 [ 107.475676][ T9633] check_memory_region+0x134/0x1a0 [ 107.480775][ T9633] __kasan_check_read+0x11/0x20 [ 107.485633][ T9633] bitmap_port_ext_cleanup+0xe6/0x2a0 [ 107.491093][ T9633] bitmap_port_destroy+0x17c/0x1d0 [ 107.496199][ T9633] ip_set_create+0xe47/0x1500 [ 107.500862][ T9633] ? ip_set_destroy+0xb70/0xb70 [ 107.505724][ T9633] ? ip_set_destroy+0xb70/0xb70 [ 107.510559][ T9633] nfnetlink_rcv_msg+0xcf2/0xfb0 [ 107.515485][ T9633] ? nfnetlink_bind+0x2c0/0x2c0 [ 107.520323][ T9633] ? __kasan_check_read+0x11/0x20 [ 107.525329][ T9633] ? __lock_acquire+0x8a0/0x4a00 [ 107.530260][ T9633] ? save_stack+0x5c/0x90 [ 107.534602][ T9633] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 107.540840][ T9633] ? apparmor_capable+0x497/0x900 [ 107.545845][ T9633] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 107.552079][ T9633] ? __kasan_check_read+0x11/0x20 [ 107.557171][ T9633] ? apparmor_cred_prepare+0x7b0/0x7b0 [ 107.562892][ T9633] netlink_rcv_skb+0x177/0x450 [ 107.567646][ T9633] ? nfnetlink_bind+0x2c0/0x2c0 [ 107.572490][ T9633] ? netlink_ack+0xb50/0xb50 [ 107.578019][ T9633] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 107.584242][ T9633] ? ns_capable_common+0x93/0x100 [ 107.589250][ T9633] ? ns_capable+0x20/0x30 [ 107.593563][ T9633] ? __netlink_ns_capable+0x104/0x140 [ 107.598934][ T9633] nfnetlink_rcv+0x1ba/0x460 [ 107.603509][ T9633] ? nfnetlink_rcv_batch+0x17a0/0x17a0 [ 107.609989][ T9633] ? netlink_deliver_tap+0x24a/0xbe0 [ 107.615270][ T9633] ? __kasan_check_write+0x14/0x20 [ 107.620375][ T9633] netlink_unicast+0x58c/0x7d0 [ 107.625219][ T9633] ? netlink_attachskb+0x870/0x870 [ 107.630314][ T9633] ? __sanitizer_cov_trace_cmp8+0x18/0x20 [ 107.636026][ T9633] ? __check_object_size+0x3d/0x437 [ 107.641225][ T9633] netlink_sendmsg+0x91c/0xea0 [ 107.645984][ T9633] ? netlink_unicast+0x7d0/0x7d0 [ 107.651866][ T9633] ? aa_sock_msg_perm.isra.0+0xba/0x170 [ 107.657433][ T9633] ? apparmor_socket_sendmsg+0x2a/0x30 [ 107.662888][ T9633] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 107.669136][ T9633] ? security_socket_sendmsg+0x8d/0xc0 [ 107.674591][ T9633] ? netlink_unicast+0x7d0/0x7d0 [ 107.679522][ T9633] sock_sendmsg+0xd7/0x130 [ 107.683934][ T9633] ____sys_sendmsg+0x753/0x880 [ 107.688687][ T9633] ? kernel_sendmsg+0x50/0x50 [ 107.693362][ T9633] ? mark_held_locks+0xa4/0xf0 [ 107.698119][ T9633] ? do_huge_pmd_anonymous_page+0x1463/0x1a50 [ 107.704174][ T9633] ? __handle_mm_fault+0x3145/0x3cc0 [ 107.709549][ T9633] ? do_huge_pmd_anonymous_page+0x1463/0x1a50 [ 107.715628][ T9633] ___sys_sendmsg+0x100/0x170 [ 107.720306][ T9633] ? do_huge_pmd_anonymous_page+0xceb/0x1a50 [ 107.726289][ T9633] ? sendmsg_copy_msghdr+0x70/0x70 [ 107.731404][ T9633] ? __do_page_fault+0x56a/0xd80 [ 107.736325][ T9633] ? find_held_lock+0x35/0x130 [ 107.741085][ T9633] ? __do_page_fault+0x56a/0xd80 [ 107.746014][ T9633] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 107.752421][ T9633] ? __fget_light+0x1a9/0x230 [ 107.757087][ T9633] ? __fdget+0x1b/0x20 [ 107.761527][ T9633] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 107.767773][ T9633] __sys_sendmsg+0x105/0x1d0 [ 107.772357][ T9633] ? __sys_sendmsg_sock+0xc0/0xc0 [ 107.777539][ T9633] ? down_read_non_owner+0x490/0x490 [ 107.782899][ T9633] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 107.788344][ T9633] ? do_syscall_64+0x26/0x790 [ 107.793008][ T9633] ? entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 107.799069][ T9633] ? do_syscall_64+0x26/0x790 [ 107.803752][ T9633] __x64_sys_sendmsg+0x78/0xb0 [ 107.808515][ T9633] do_syscall_64+0xfa/0x790 [ 107.814226][ T9633] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 107.820108][ T9633] RIP: 0033:0x441399 [ 107.823990][ T9633] Code: e8 fc ab 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 9b 09 fc ff c3 66 2e 0f 1f 84 00 00 00 00 [ 107.843581][ T9633] RSP: 002b:00007ffd8cebf948 EFLAGS: 00000246 ORIG_RAX: 000000000000002e [ 107.851993][ T9633] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000441399 [ 107.859949][ T9633] RDX: 0000000000000000 RSI: 0000000020001080 RDI: 0000000000000003 [ 107.869123][ T9633] RBP: 000000000001a34e R08: 00000000004002c8 R09: 00000000004002c8 [ 107.877088][ T9633] R10: 0000000000000004 R11: 0000000000000246 R12: 00000000004021c0 [ 107.885058][ T9633] R13: 0000000000402250 R14: 0000000000000000 R15: 0000000000000000 [ 107.893023][ T9633] [ 107.895342][ T9633] Allocated by task 9633: [ 107.899658][ T9633] save_stack+0x23/0x90 [ 107.903798][ T9633] __kasan_kmalloc.constprop.0+0xcf/0xe0 [ 107.909421][ T9633] kasan_kmalloc+0x9/0x10 [ 107.913734][ T9633] __kmalloc+0x163/0x770 [ 107.918306][ T9633] ip_set_alloc+0x38/0x5e [ 107.922616][ T9633] bitmap_port_create+0x3dc/0x7c0 [ 107.927632][ T9633] ip_set_create+0x6f1/0x1500 [ 107.933086][ T9633] nfnetlink_rcv_msg+0xcf2/0xfb0 [ 107.938057][ T9633] netlink_rcv_skb+0x177/0x450 [ 107.942808][ T9633] nfnetlink_rcv+0x1ba/0x460 [ 107.947436][ T9633] netlink_unicast+0x58c/0x7d0 [ 107.952192][ T9633] netlink_sendmsg+0x91c/0xea0 [ 107.956981][ T9633] sock_sendmsg+0xd7/0x130 [ 107.961379][ T9633] ____sys_sendmsg+0x753/0x880 [ 107.966132][ T9633] ___sys_sendmsg+0x100/0x170 [ 107.970851][ T9633] __sys_sendmsg+0x105/0x1d0 [ 107.975423][ T9633] __x64_sys_sendmsg+0x78/0xb0 [ 107.980166][ T9633] do_syscall_64+0xfa/0x790 [ 107.984651][ T9633] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 107.990526][ T9633] [ 107.992845][ T9633] Freed by task 9633: [ 107.996807][ T9633] save_stack+0x23/0x90 [ 108.000939][ T9633] __kasan_slab_free+0x102/0x150 [ 108.005868][ T9633] kasan_slab_free+0xe/0x10 [ 108.010357][ T9633] kfree+0x10a/0x2c0 [ 108.014930][ T9633] kvfree+0x61/0x70 [ 108.018718][ T9633] ip_set_free+0x16/0x20 [ 108.022954][ T9633] bitmap_port_destroy+0xae/0x1d0 [ 108.027957][ T9633] ip_set_create+0xe47/0x1500 [ 108.032623][ T9633] nfnetlink_rcv_msg+0xcf2/0xfb0 [ 108.037542][ T9633] netlink_rcv_skb+0x177/0x450 [ 108.042287][ T9633] nfnetlink_rcv+0x1ba/0x460 [ 108.046866][ T9633] netlink_unicast+0x58c/0x7d0 [ 108.052570][ T9633] netlink_sendmsg+0x91c/0xea0 [ 108.058239][ T9633] sock_sendmsg+0xd7/0x130 [ 108.062638][ T9633] ____sys_sendmsg+0x753/0x880 [ 108.067390][ T9633] ___sys_sendmsg+0x100/0x170 [ 108.072053][ T9633] __sys_sendmsg+0x105/0x1d0 [ 108.076703][ T9633] __x64_sys_sendmsg+0x78/0xb0 [ 108.081454][ T9633] do_syscall_64+0xfa/0x790 [ 108.085948][ T9633] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 108.091823][ T9633] [ 108.094134][ T9633] The buggy address belongs to the object at ffff88809fde6f80 [ 108.094134][ T9633] which belongs to the cache kmalloc-32 of size 32 [ 108.108576][ T9633] The buggy address is located 0 bytes inside of [ 108.108576][ T9633] 32-byte region [ffff88809fde6f80, ffff88809fde6fa0) [ 108.121573][ T9633] The buggy address belongs to the page: [ 108.127300][ T9633] page:ffffea00027f7980 refcount:1 mapcount:0 mapping:ffff8880aa4001c0 index:0xffff88809fde6fc1 [ 108.137708][ T9633] raw: 00fffe0000000200 ffffea0002819bc8 ffffea0002a144c8 ffff8880aa4001c0 [ 108.146301][ T9633] raw: ffff88809fde6fc1 ffff88809fde6000 0000000100000033 0000000000000000 [ 108.154874][ T9633] page dumped because: kasan: bad access detected [ 108.161264][ T9633] [ 108.163573][ T9633] Memory state around the buggy address: [ 108.169183][ T9633] ffff88809fde6e80: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc [ 108.177237][ T9633] ffff88809fde6f00: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc [ 108.185283][ T9633] >ffff88809fde6f80: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc [ 108.193326][ T9633] ^ [ 108.197394][ T9633] ffff88809fde7000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 108.205439][ T9633] ffff88809fde7080: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb [ 108.213501][ T9633] ================================================================== [ 108.221655][ T9633] Disabling lock debugging due to kernel taint [ 108.230139][ T9633] Kernel panic - not syncing: panic_on_warn set ... [ 108.236726][ T9633] CPU: 0 PID: 9633 Comm: syz-executor587 Tainted: G B 5.5.0-rc6-syzkaller #0 [ 108.246758][ T9633] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 108.256802][ T9633] Call Trace: [ 108.260077][ T9633] dump_stack+0x197/0x210 [ 108.264388][ T9633] panic+0x2e3/0x75c [ 108.268303][ T9633] ? add_taint.cold+0x16/0x16 [ 108.272979][ T9633] ? bitmap_port_ext_cleanup+0xe6/0x2a0 [ 108.278503][ T9633] ? preempt_schedule+0x4b/0x60 [ 108.283356][ T9633] ? ___preempt_schedule+0x16/0x18 [ 108.288451][ T9633] ? trace_hardirqs_on+0x5e/0x240 [ 108.293459][ T9633] ? bitmap_port_ext_cleanup+0xe6/0x2a0 [ 108.298988][ T9633] end_report+0x47/0x4f [ 108.303139][ T9633] ? bitmap_port_ext_cleanup+0xe6/0x2a0 [ 108.308686][ T9633] __kasan_report.cold+0xe/0x41 [ 108.313521][ T9633] ? kfree+0x210/0x2c0 [ 108.317601][ T9633] ? bitmap_port_ext_cleanup+0xe6/0x2a0 [ 108.323128][ T9633] kasan_report+0x12/0x20 [ 108.327439][ T9633] check_memory_region+0x134/0x1a0 [ 108.332539][ T9633] __kasan_check_read+0x11/0x20 [ 108.337378][ T9633] bitmap_port_ext_cleanup+0xe6/0x2a0 [ 108.342867][ T9633] bitmap_port_destroy+0x17c/0x1d0 [ 108.348409][ T9633] ip_set_create+0xe47/0x1500 [ 108.353209][ T9633] ? ip_set_destroy+0xb70/0xb70 [ 108.358170][ T9633] ? ip_set_destroy+0xb70/0xb70 [ 108.363016][ T9633] nfnetlink_rcv_msg+0xcf2/0xfb0 [ 108.367946][ T9633] ? nfnetlink_bind+0x2c0/0x2c0 [ 108.372794][ T9633] ? __kasan_check_read+0x11/0x20 [ 108.377810][ T9633] ? __lock_acquire+0x8a0/0x4a00 [ 108.382766][ T9633] ? save_stack+0x5c/0x90 [ 108.387222][ T9633] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 108.393456][ T9633] ? apparmor_capable+0x497/0x900 [ 108.398733][ T9633] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 108.405014][ T9633] ? __kasan_check_read+0x11/0x20 [ 108.410095][ T9633] ? apparmor_cred_prepare+0x7b0/0x7b0 [ 108.415549][ T9633] netlink_rcv_skb+0x177/0x450 [ 108.420301][ T9633] ? nfnetlink_bind+0x2c0/0x2c0 [ 108.425674][ T9633] ? netlink_ack+0xb50/0xb50 [ 108.430249][ T9633] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 108.436476][ T9633] ? ns_capable_common+0x93/0x100 [ 108.441618][ T9633] ? ns_capable+0x20/0x30 [ 108.445957][ T9633] ? __netlink_ns_capable+0x104/0x140 [ 108.451455][ T9633] nfnetlink_rcv+0x1ba/0x460 [ 108.456040][ T9633] ? nfnetlink_rcv_batch+0x17a0/0x17a0 [ 108.461486][ T9633] ? netlink_deliver_tap+0x24a/0xbe0 [ 108.466759][ T9633] ? __kasan_check_write+0x14/0x20 [ 108.471860][ T9633] netlink_unicast+0x58c/0x7d0 [ 108.477240][ T9633] ? netlink_attachskb+0x870/0x870 [ 108.482429][ T9633] ? __sanitizer_cov_trace_cmp8+0x18/0x20 [ 108.488576][ T9633] ? __check_object_size+0x3d/0x437 [ 108.493786][ T9633] netlink_sendmsg+0x91c/0xea0 [ 108.498546][ T9633] ? netlink_unicast+0x7d0/0x7d0 [ 108.503487][ T9633] ? aa_sock_msg_perm.isra.0+0xba/0x170 [ 108.509130][ T9633] ? apparmor_socket_sendmsg+0x2a/0x30 [ 108.514597][ T9633] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 108.520856][ T9633] ? security_socket_sendmsg+0x8d/0xc0 [ 108.526421][ T9633] ? netlink_unicast+0x7d0/0x7d0 [ 108.531467][ T9633] sock_sendmsg+0xd7/0x130 [ 108.535958][ T9633] ____sys_sendmsg+0x753/0x880 [ 108.540741][ T9633] ? kernel_sendmsg+0x50/0x50 [ 108.545407][ T9633] ? mark_held_locks+0xa4/0xf0 [ 108.550209][ T9633] ? do_huge_pmd_anonymous_page+0x1463/0x1a50 [ 108.556637][ T9633] ? __handle_mm_fault+0x3145/0x3cc0 [ 108.562112][ T9633] ? do_huge_pmd_anonymous_page+0x1463/0x1a50 [ 108.568172][ T9633] ___sys_sendmsg+0x100/0x170 [ 108.572849][ T9633] ? do_huge_pmd_anonymous_page+0xceb/0x1a50 [ 108.578815][ T9633] ? sendmsg_copy_msghdr+0x70/0x70 [ 108.583979][ T9633] ? __do_page_fault+0x56a/0xd80 [ 108.588910][ T9633] ? find_held_lock+0x35/0x130 [ 108.593657][ T9633] ? __do_page_fault+0x56a/0xd80 [ 108.598595][ T9633] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 108.604820][ T9633] ? __fget_light+0x1a9/0x230 [ 108.609497][ T9633] ? __fdget+0x1b/0x20 [ 108.613552][ T9633] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 108.619932][ T9633] __sys_sendmsg+0x105/0x1d0 [ 108.624614][ T9633] ? __sys_sendmsg_sock+0xc0/0xc0 [ 108.629634][ T9633] ? down_read_non_owner+0x490/0x490 [ 108.634906][ T9633] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 108.640596][ T9633] ? do_syscall_64+0x26/0x790 [ 108.645340][ T9633] ? entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 108.651408][ T9633] ? do_syscall_64+0x26/0x790 [ 108.656135][ T9633] __x64_sys_sendmsg+0x78/0xb0 [ 108.660896][ T9633] do_syscall_64+0xfa/0x790 [ 108.665402][ T9633] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 108.671296][ T9633] RIP: 0033:0x441399 [ 108.675203][ T9633] Code: e8 fc ab 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 9b 09 fc ff c3 66 2e 0f 1f 84 00 00 00 00 [ 108.695060][ T9633] RSP: 002b:00007ffd8cebf948 EFLAGS: 00000246 ORIG_RAX: 000000000000002e [ 108.704205][ T9633] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000441399 [ 108.712425][ T9633] RDX: 0000000000000000 RSI: 0000000020001080 RDI: 0000000000000003 [ 108.721503][ T9633] RBP: 000000000001a34e R08: 00000000004002c8 R09: 00000000004002c8 [ 108.729477][ T9633] R10: 0000000000000004 R11: 0000000000000246 R12: 00000000004021c0 [ 108.737447][ T9633] R13: 0000000000402250 R14: 0000000000000000 R15: 0000000000000000 [ 108.747037][ T9633] Kernel Offset: disabled [ 108.752038][ T9633] Rebooting in 86400 seconds..