[ 33.912796] audit: type=1800 audit(1583689843.655:33): pid=7158 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op="collect_data" cause="failed(directio)" comm="startpar" name="rc.local" dev="sda1" ino=2465 res=0
[ 33.939724] audit: type=1800 audit(1583689843.655:34): pid=7158 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op="collect_data" cause="failed(directio)" comm="startpar" name="rmnologin" dev="sda1" ino=2456 res=0

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 38.181015] random: sshd: uninitialized urandom read (32 bytes read)
[ 38.430988] audit: type=1400 audit(1583689848.175:35): avc: denied { map } for pid=7332 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[ 38.474414] random: sshd: uninitialized urandom read (32 bytes read)
[ 39.178098] random: sshd: uninitialized urandom read (32 bytes read)
[ 41.733367] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.1.37' (ECDSA) to the list of known hosts.
[ 47.364203] random: sshd: uninitialized urandom read (32 bytes read)
executing program
[ 47.493858] audit: type=1400 audit(1583689857.235:36): avc: denied { map } for pid=7344 comm="syz-executor611" path="/root/syz-executor611707297" dev="sda1" ino=16483 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 47.497004] netlink: 20 bytes leftover after parsing attributes in process `syz-executor611'.
[ 47.520229] audit: type=1400 audit(1583689857.235:37): avc: denied { create } for pid=7344 comm="syz-executor611" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_netfilter_socket permissive=1
[ 47.520250] audit: type=1400 audit(1583689857.235:38): avc: denied { write } for pid=7344 comm="syz-executor611" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_netfilter_socket permissive=1
[ 47.578118] ==================================================================
[ 47.585534] BUG: KASAN: global-out-of-bounds in nfnetlink_parse_nat_setup+0x364/0x370
[ 47.593508] Read of size 8 at addr ffffffff873c8e38 by task syz-executor611/7344
[ 47.601020]
[ 47.602631] CPU: 1 PID: 7344 Comm: syz-executor611 Not tainted 4.14.172-syzkaller #0
[ 47.610502] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 47.619861] Call Trace:
[ 47.622440]  dump_stack+0x13e/0x194
[ 47.626059]  ? nfnetlink_parse_nat_setup+0x364/0x370
[ 47.631162]  print_address_description.cold+0x5/0x1e2
[ 47.636340]  ? nfnetlink_parse_nat_setup+0x364/0x370
[ 47.641514]  kasan_report.cold+0xa9/0x2ae
[ 47.645652]  nfnetlink_parse_nat_setup+0x364/0x370
[ 47.650568]  ? nf_nat_alloc_null_binding+0x40/0x40
[ 47.655506]  ? nf_nat_alloc_null_binding+0x40/0x40
[ 47.660433]  ctnetlink_parse_nat_setup+0x70/0x490
[ 47.665258]  ctnetlink_create_conntrack+0x437/0x1040
[ 47.670341]  ? ctnetlink_del_conntrack+0x5a0/0x5a0
[ 47.675251]  ? __do_once_done+0x1be/0x240
[ 47.679381]  ? hash_conntrack_raw+0x2ab/0x410
[ 47.683857]  ? nf_ct_get_id+0x160/0x160
[ 47.687819]  ctnetlink_new_conntrack+0x460/0xc30
[ 47.692575]  ? ctnetlink_create_conntrack+0x1040/0x1040
[ 47.697969]  ? mutex_trylock+0x1a0/0x1a0
[ 47.702020]  ? ctnetlink_create_conntrack+0x1040/0x1040
[ 47.707382]  nfnetlink_rcv_msg+0xa08/0xc00
[ 47.711627]  ? __kernel_text_address+0x9/0x30
[ 47.716113]  netlink_rcv_skb+0x127/0x370
[ 47.720156]  ? __lock_acquire+0x513/0x4620
[ 47.724371]  ? nfnetlink_bind+0x240/0x240
[ 47.728499]  ? netlink_ack+0x960/0x960
[ 47.732371]  ? ns_capable_common+0x127/0x150
[ 47.736777]  nfnetlink_rcv+0x1ab/0x1650
[ 47.740787]  ? find_held_lock+0x2d/0x110
[ 47.744835]  ? __netlink_lookup+0x2de/0x590
[ 47.749140]  ? save_trace+0x290/0x290
[ 47.753048]  ? save_trace+0x290/0x290
[ 47.756834]  ? nfnl_err_del+0x150/0x150
[ 47.760792]  ? find_held_lock+0x2d/0x110
[ 47.764853]  ? netlink_deliver_tap+0x90/0x860
[ 47.769332]  ? rcu_is_watching+0x11/0xb0
[ 47.773378]  ? lock_downgrade+0x6e0/0x6e0
[ 47.777508]  netlink_unicast+0x437/0x620
[ 47.781550]  ? netlink_attachskb+0x600/0x600
[ 47.785940]  netlink_sendmsg+0x733/0xbe0
[ 47.790000]  ? netlink_unicast+0x620/0x620
[ 47.794236]  ? SYSC_sendto+0x2b0/0x2b0
[ 47.798118]  ? security_socket_sendmsg+0x83/0xb0
[ 47.802862]  ? netlink_unicast+0x620/0x620
[ 47.807092]  sock_sendmsg+0xc5/0x100
[ 47.810788]  ___sys_sendmsg+0x70a/0x840
[ 47.814831]  ? do_huge_pmd_anonymous_page+0xc63/0x11e0
[ 47.820101]  ? copy_msghdr_from_user+0x380/0x380
[ 47.824839]  ? lock_downgrade+0x6e0/0x6e0
[ 47.828967]  ? __lru_cache_add+0x17b/0x250
[ 47.833202]  ? do_raw_spin_unlock+0x164/0x250
[ 47.837689]  ? _raw_spin_unlock+0x29/0x40
[ 47.841824]  ? prep_transhuge_page+0xa0/0xa0
[ 47.846214]  ? pud_val+0x6c/0xd0
[ 47.849852]  ? pmd_val+0xd0/0xd0
[ 47.853201]  ? trace_hardirqs_on+0x10/0x10
[ 47.857425]  ? __handle_mm_fault+0x644/0x3280
[ 47.861905]  ? save_trace+0x290/0x290
[ 47.865834]  ? copy_page_range+0x1d70/0x1d70
[ 47.870228]  ? __fget_light+0x16a/0x1f0
[ 47.874246]  ? sockfd_lookup_light+0xb2/0x160
[ 47.878722]  __sys_sendmsg+0xa3/0x120
[ 47.882507]  ? SyS_shutdown+0x160/0x160
[ 47.886509]  ? up_read+0x17/0x30
[ 47.889856]  ? __do_page_fault+0x35b/0xb40
[ 47.894073]  SyS_sendmsg+0x27/0x40
[ 47.897591]  ? __sys_sendmsg+0x120/0x120
[ 47.901632]  do_syscall_64+0x1d5/0x640
[ 47.905531]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 47.910701] RIP: 0033:0x4401a9
[ 47.913871] RSP: 002b:00007fff4821d358 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 47.921565] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 00000000004401a9
[ 47.928833] RDX: 0000000000000000 RSI: 0000000020000280 RDI: 0000000000000003
[ 47.936109] RBP: 00000000006ca018 R08: 0000000000000000 R09: 00000000004002c8
[ 47.943358] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000401a30
[ 47.950624] R13: 0000000000401ac0 R14: 0000000000000000 R15: 0000000000000000
[ 47.957883]
[ 47.959489] The buggy address belongs to the variable:
[ 47.964748]  nft_bitwise_policy+0xb8/0xc0
[ 47.968886]
[ 47.970490] Memory state around the buggy address:
[ 47.975413]  ffffffff873c8d00: 00 00 00 00 00 00 00 00 00 00 00 fa fa fa fa fa
[ 47.982804]  ffffffff873c8d80: 00 00 00 00 00 00 00 00 00 00 00 00 fa fa fa fa
[ 47.990210] >ffffffff873c8e00: 00 02 fa fa fa fa fa fa 00 00 00 00 00 00 00 00
[ 47.997551]                                         ^
[ 48.002753]  ffffffff873c8e80: 00 00 00 fa fa fa fa fa 00 00 00 00 00 00 00 00
[ 48.010108]  ffffffff873c8f00: 00 00 00 00 fa fa fa fa 00 00 00 04 fa fa fa fa
[ 48.017453] ==================================================================
[ 48.024790] Disabling lock debugging due to kernel taint
[ 48.030781] Kernel panic - not syncing: panic_on_warn set ...
[ 48.030781]
[ 48.038191] CPU: 1 PID: 7344 Comm: syz-executor611 Tainted: G    B   4.14.172-syzkaller #0
[ 48.047292] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 48.056672] Call Trace:
[ 48.059245]  dump_stack+0x13e/0x194
[ 48.062898]  panic+0x1f9/0x42d
[ 48.066069]  ? add_taint.cold+0x16/0x16
[ 48.070082]  ? preempt_schedule_common+0x4a/0xc0
[ 48.074834]  ? nfnetlink_parse_nat_setup+0x364/0x370
[ 48.080048]  ? ___preempt_schedule+0x16/0x18
[ 48.084495]  ? nfnetlink_parse_nat_setup+0x364/0x370
[ 48.089591]  kasan_end_report+0x43/0x49
[ 48.093591]  kasan_report.cold+0x12f/0x2ae
[ 48.097940]  nfnetlink_parse_nat_setup+0x364/0x370
[ 48.102850]  ? nf_nat_alloc_null_binding+0x40/0x40
[ 48.107899]  ? nf_nat_alloc_null_binding+0x40/0x40
[ 48.112867]  ctnetlink_parse_nat_setup+0x70/0x490
[ 48.117688]  ctnetlink_create_conntrack+0x437/0x1040
[ 48.122770]  ? ctnetlink_del_conntrack+0x5a0/0x5a0
[ 48.127678]  ? __do_once_done+0x1be/0x240
[ 48.131841]  ? hash_conntrack_raw+0x2ab/0x410
[ 48.136314]  ? nf_ct_get_id+0x160/0x160
[ 48.140267]  ctnetlink_new_conntrack+0x460/0xc30
[ 48.145008]  ? ctnetlink_create_conntrack+0x1040/0x1040
[ 48.150353]  ? mutex_trylock+0x1a0/0x1a0
[ 48.154396]  ? ctnetlink_create_conntrack+0x1040/0x1040
[ 48.159740]  nfnetlink_rcv_msg+0xa08/0xc00
[ 48.163982]  ? __kernel_text_address+0x9/0x30
[ 48.168474]  netlink_rcv_skb+0x127/0x370
[ 48.172514]  ? __lock_acquire+0x513/0x4620
[ 48.176740]  ? nfnetlink_bind+0x240/0x240
[ 48.180866]  ? netlink_ack+0x960/0x960
[ 48.184731]  ? ns_capable_common+0x127/0x150
[ 48.189118]  nfnetlink_rcv+0x1ab/0x1650
[ 48.193096]  ? find_held_lock+0x2d/0x110
[ 48.197140]  ? __netlink_lookup+0x2de/0x590
[ 48.201444]  ? save_trace+0x290/0x290
[ 48.205237]  ? save_trace+0x290/0x290
[ 48.209016]  ? nfnl_err_del+0x150/0x150
[ 48.212972]  ? find_held_lock+0x2d/0x110
[ 48.217016]  ? netlink_deliver_tap+0x90/0x860
[ 48.222013]  ? rcu_is_watching+0x11/0xb0
[ 48.226052]  ? lock_downgrade+0x6e0/0x6e0
[ 48.230182]  netlink_unicast+0x437/0x620
[ 48.234236]  ? netlink_attachskb+0x600/0x600
[ 48.238631]  netlink_sendmsg+0x733/0xbe0
[ 48.242683]  ? netlink_unicast+0x620/0x620
[ 48.247416]  ? SYSC_sendto+0x2b0/0x2b0
[ 48.251303]  ? security_socket_sendmsg+0x83/0xb0
[ 48.256033]  ? netlink_unicast+0x620/0x620
[ 48.260244]  sock_sendmsg+0xc5/0x100
[ 48.263952]  ___sys_sendmsg+0x70a/0x840
[ 48.267904]  ? do_huge_pmd_anonymous_page+0xc63/0x11e0
[ 48.273176]  ? copy_msghdr_from_user+0x380/0x380
[ 48.277909]  ? lock_downgrade+0x6e0/0x6e0
[ 48.282036]  ? __lru_cache_add+0x17b/0x250
[ 48.286249]  ? do_raw_spin_unlock+0x164/0x250
[ 48.290735]  ? _raw_spin_unlock+0x29/0x40
[ 48.294861]  ? prep_transhuge_page+0xa0/0xa0
[ 48.299258]  ? pud_val+0x6c/0xd0
[ 48.302609]  ? pmd_val+0xd0/0xd0
[ 48.305963]  ? trace_hardirqs_on+0x10/0x10
[ 48.310190]  ? __handle_mm_fault+0x644/0x3280
[ 48.314670]  ? save_trace+0x290/0x290
[ 48.318652]  ? copy_page_range+0x1d70/0x1d70
[ 48.323046]  ? __fget_light+0x16a/0x1f0
[ 48.327005]  ? sockfd_lookup_light+0xb2/0x160
[ 48.331496]  __sys_sendmsg+0xa3/0x120
[ 48.335275]  ? SyS_shutdown+0x160/0x160
[ 48.339227]  ? up_read+0x17/0x30
[ 48.342586]  ? __do_page_fault+0x35b/0xb40
[ 48.346804]  SyS_sendmsg+0x27/0x40
[ 48.350324]  ? __sys_sendmsg+0x120/0x120
[ 48.354364]  do_syscall_64+0x1d5/0x640
[ 48.358237]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 48.363421] RIP: 0033:0x4401a9
[ 48.366594] RSP: 002b:00007fff4821d358 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 48.374308] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 00000000004401a9
[ 48.381556] RDX: 0000000000000000 RSI: 0000000020000280 RDI: 0000000000000003
[ 48.388804] RBP: 00000000006ca018 R08: 0000000000000000 R09: 00000000004002c8
[ 48.396084] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000401a30
[ 48.403335] R13: 0000000000401ac0 R14: 0000000000000000 R15: 0000000000000000
[ 48.412070] Kernel Offset: disabled
[ 48.415705] Rebooting in 86400 seconds..