Warning: Permanently added '10.128.0.191' (ECDSA) to the list of known hosts. 2019/10/30 17:00:24 parsed 1 programs 2019/10/30 17:00:26 executed programs: 0 2019/10/30 17:00:31 executed programs: 134 2019/10/30 17:00:36 executed programs: 293 2019/10/30 17:00:41 executed programs: 463 syzkaller login: [ 44.162577] ================================================================== [ 44.169999] BUG: KASAN: use-after-free in ip6t_do_table+0x1545/0x1860 [ 44.176581] Read of size 8 at addr ffff8800b59e0000 by task syz-executor.2/4184 [ 44.184024] [ 44.185653] CPU: 0 PID: 4184 Comm: syz-executor.2 Not tainted 4.4.174+ #4 [ 44.192571] 0000000000000000 ee9e6d6bb21d7b26 ffff8800b4f870a8 ffffffff81aad1a1 [ 44.200602] 0000000000000000 ffffea0002d67800 ffff8800b59e0000 0000000000000008 [ 44.208654] dffffc0000000000 ffff8800b4f870e0 ffffffff81490120 0000000000000000 [ 44.216708] Call Trace: [ 44.219302] [] dump_stack+0xc1/0x120 [ 44.224666] [] print_address_description+0x6f/0x21b [ 44.231406] [] kasan_report.cold+0x8c/0x2be [ 44.237486] [] ? ip6t_do_table+0x1545/0x1860 [ 44.243534] [] __asan_report_load8_noabort+0x14/0x20 [ 44.250274] [] ip6t_do_table+0x1545/0x1860 [ 44.256148] [] ? mark_held_locks+0xb1/0x100 [ 44.262095] [] ? nf_conntrack_in+0x13ef/0x1c20 [ 44.268402] [] ? __nf_ct_refresh_acct+0x1d2/0x280 [ 44.274890] [] ? ip6t_alloc_initial_table+0x680/0x680 [ 44.281739] [] ? trace_hardirqs_on+0x10/0x10 [ 44.287798] [] ip6table_mangle_hook+0x2d6/0x710 [ 44.294113] [] nf_iterate+0x186/0x220 [ 44.299543] [] nf_hook_slow+0x1b6/0x340 [ 44.305214] [] ? nf_iterate+0x220/0x220 [ 44.310876] [] ? nf_iterate+0x220/0x220 [ 44.316503] [] ? memset+0x32/0x40 [ 44.321605] [] __ip6_local_out+0x309/0x4b0 [ 44.327473] [] ? ip6_find_1stfragopt+0x260/0x260 [ 44.333861] [] ? icmpv6_send+0x1b0/0x1b0 [ 44.339597] [] ? ip6_output+0x520/0x520 [ 44.345232] [] ? __ip6_append_data.isra.0+0xc73/0x33f0 [ 44.352142] [] ip6_local_out+0x29/0x180 [ 44.357832] [] ip6_send_skb+0xa2/0x340 [ 44.363372] [] ? csum_ipv6_magic+0x2b/0x80 [ 44.369242] [] udp_v6_send_skb+0x438/0xe90 [ 44.375109] [] udp_v6_push_pending_frames+0x245/0x360 [ 44.381936] [] ? udp_v6_send_skb+0xe90/0xe90 [ 44.387989] [] ? mark_held_locks+0xb1/0x100 [ 44.393961] [] ? ip_reply_glue_bits+0xc0/0xc0 [ 44.400086] [] udpv6_sendmsg+0x1a37/0x24f0 [ 44.405949] [] ? ip_reply_glue_bits+0xc0/0xc0 [ 44.412079] [] ? udp_v6_flush_pending_frames+0xe0/0xe0 [ 44.418983] [] ? sock_has_perm+0x2a8/0x400 [ 44.424850] [] ? sock_has_perm+0xa6/0x400 [ 44.430623] [] ? selinux_msg_queue_alloc_security+0x2e0/0x2e0 [ 44.438138] [] ? debug_lockdep_rcu_enabled+0x71/0xa0 [ 44.444884] [] ? check_preemption_disabled+0x3c/0x200 [ 44.451699] [] ? check_preemption_disabled+0x3c/0x200 [ 44.458518] [] ? inet_sendmsg+0x143/0x4d0 [ 44.464293] [] inet_sendmsg+0x202/0x4d0 [ 44.469894] [] ? inet_sendmsg+0x76/0x4d0 [ 44.475590] [] ? inet_recvmsg+0x4d0/0x4d0 [ 44.481378] [] sock_sendmsg+0xbe/0x110 [ 44.486925] [] ___sys_sendmsg+0x369/0x890 [ 44.492714] [] ? copy_msghdr_from_user+0x550/0x550 [ 44.499302] [] ? debug_lockdep_rcu_enabled+0x71/0xa0 [ 44.506071] [] ? check_preemption_disabled+0x3c/0x200 [ 44.513107] [] ? check_preemption_disabled+0x3c/0x200 [ 44.519932] [] ? __fget+0x13b/0x370 [ 44.525211] [] ? __fget+0x162/0x370 [ 44.530472] [] ? __fget+0x47/0x370 [ 44.535652] [] ? __fget_light+0xa3/0x1f0 [ 44.541352] [] ? __fdget+0x1b/0x20 [ 44.546530] [] __sys_sendmmsg+0x130/0x2e0 [ 44.552308] [] ? SyS_sendmsg+0x50/0x50 [ 44.557828] [] ? __might_fault+0x117/0x1d0 [ 44.563693] [] ? __might_fault+0x191/0x1d0 [ 44.569567] [] ? __might_fault+0xe7/0x1d0 [ 44.575355] [] ? SyS_clock_gettime+0x118/0x1e0 [ 44.581580] [] ? SyS_clock_settime+0x220/0x220 [ 44.587808] [] SyS_sendmmsg+0x35/0x60 [ 44.593250] [] entry_SYSCALL_64_fastpath+0x1e/0x9a [ 44.599908] [ 44.601512] The buggy address belongs to the page: [ 44.608338] page:ffffea0002d67800 count:0 mapcount:-127 mapping: (null) index:0x0 [ 44.617421] flags: 0x0() [ 44.620199] page dumped because: kasan: bad access detected [ 44.625883] [ 44.627486] Memory state around the buggy address: [ 44.632403] ffff8800b59dff00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 44.639753] ffff8800b59dff80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 44.647094] >ffff8800b59e0000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 44.654451] ^ [ 44.657809] ffff8800b59e0080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 44.665161] ffff8800b59e0100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 44.672501] ================================================================== [ 44.679845] Disabling lock debugging due to kernel taint [ 44.685352] Kernel panic - not syncing: panic_on_warn set ... [ 44.685352] [ 44.692711] CPU: 0 PID: 4184 Comm: syz-executor.2 Tainted: G B 4.4.174+ #4 [ 44.701357] 0000000000000000 ee9e6d6bb21d7b26 ffff8800b4f86fe8 ffffffff81aad1a1 [ 44.709440] ffff8800b4f870f8 ffffffff82c5cf1b ffff8800b59e0000 0000000000000008 [ 44.717453] dffffc0000000000 ffff8800b4f870c8 ffffffff813a48c2 0000000041b58ab3 [ 44.725999] Call Trace: [ 44.728585] [] dump_stack+0xc1/0x120 [ 44.733967] [] panic+0x1b9/0x37b [ 44.738967] [] ? add_taint.cold+0x16/0x16 [ 44.744747] [] kasan_end_report+0x47/0x4f [ 44.750540] [] kasan_report.cold+0xa9/0x2be [ 44.756503] [] ? ip6t_do_table+0x1545/0x1860 [ 44.762570] [] __asan_report_load8_noabort+0x14/0x20 [ 44.769328] [] ip6t_do_table+0x1545/0x1860 [ 44.775312] [] ? mark_held_locks+0xb1/0x100 [ 44.781275] [] ? nf_conntrack_in+0x13ef/0x1c20 [ 44.787498] [] ? __nf_ct_refresh_acct+0x1d2/0x280 [ 44.794066] [] ? ip6t_alloc_initial_table+0x680/0x680 [ 44.800890] [] ? trace_hardirqs_on+0x10/0x10 [ 44.806934] [] ip6table_mangle_hook+0x2d6/0x710 [ 44.813246] [] nf_iterate+0x186/0x220 [ 44.818781] [] nf_hook_slow+0x1b6/0x340 [ 44.824398] [] ? nf_iterate+0x220/0x220 [ 44.830015] [] ? nf_iterate+0x220/0x220 [ 44.835619] [] ? memset+0x32/0x40 [ 44.840715] [] __ip6_local_out+0x309/0x4b0 [ 44.846586] [] ? ip6_find_1stfragopt+0x260/0x260 [ 44.852976] [] ? icmpv6_send+0x1b0/0x1b0 [ 44.858687] [] ? ip6_output+0x520/0x520 [ 44.864298] [] ? __ip6_append_data.isra.0+0xc73/0x33f0 [ 44.871211] [] ip6_local_out+0x29/0x180 [ 44.876820] [] ip6_send_skb+0xa2/0x340 [ 44.882360] [] ? csum_ipv6_magic+0x2b/0x80 [ 44.888244] [] udp_v6_send_skb+0x438/0xe90 [ 44.894124] [] udp_v6_push_pending_frames+0x245/0x360 [ 44.900941] [] ? udp_v6_send_skb+0xe90/0xe90 [ 44.906980] [] ? mark_held_locks+0xb1/0x100 [ 44.912946] [] ? ip_reply_glue_bits+0xc0/0xc0 [ 44.919069] [] udpv6_sendmsg+0x1a37/0x24f0 [ 44.924951] [] ? ip_reply_glue_bits+0xc0/0xc0 [ 44.931078] [] ? udp_v6_flush_pending_frames+0xe0/0xe0 [ 44.938025] [] ? sock_has_perm+0x2a8/0x400 [ 44.943896] [] ? sock_has_perm+0xa6/0x400 [ 44.949693] [] ? selinux_msg_queue_alloc_security+0x2e0/0x2e0 [ 44.957211] [] ? debug_lockdep_rcu_enabled+0x71/0xa0 [ 44.963967] [] ? check_preemption_disabled+0x3c/0x200 [ 44.972177] [] ? check_preemption_disabled+0x3c/0x200 [ 44.978997] [] ? inet_sendmsg+0x143/0x4d0 [ 44.984773] [] inet_sendmsg+0x202/0x4d0 [ 44.990377] [] ? inet_sendmsg+0x76/0x4d0 [ 44.996065] [] ? inet_recvmsg+0x4d0/0x4d0 [ 45.001857] [] sock_sendmsg+0xbe/0x110 [ 45.007460] [] ___sys_sendmsg+0x369/0x890 [ 45.013239] [] ? copy_msghdr_from_user+0x550/0x550 [ 45.019803] [] ? debug_lockdep_rcu_enabled+0x71/0xa0 [ 45.026534] [] ? check_preemption_disabled+0x3c/0x200 [ 45.033699] [] ? check_preemption_disabled+0x3c/0x200 [ 45.040538] [] ? __fget+0x13b/0x370 [ 45.045795] [] ? __fget+0x162/0x370 [ 45.051051] [] ? __fget+0x47/0x370 [ 45.056225] [] ? __fget_light+0xa3/0x1f0 [ 45.061923] [] ? __fdget+0x1b/0x20 [ 45.067104] [] __sys_sendmmsg+0x130/0x2e0 [ 45.072883] [] ? SyS_sendmsg+0x50/0x50 [ 45.078419] [] ? __might_fault+0x117/0x1d0 [ 45.084284] [] ? __might_fault+0x191/0x1d0 [ 45.090153] [] ? __might_fault+0xe7/0x1d0 [ 45.095953] [] ? SyS_clock_gettime+0x118/0x1e0 [ 45.102167] [] ? SyS_clock_settime+0x220/0x220 [ 45.108393] [] SyS_sendmmsg+0x35/0x60 [ 45.113824] [] entry_SYSCALL_64_fastpath+0x1e/0x9a [ 45.120947] Kernel Offset: disabled [ 45.124562] Rebooting in 86400 seconds..