[  OK  ] Reached target Login Prompts.
[  OK  ] Reached target Multi-User System.
[  OK  ] Reached target Graphical Interface.
         Starting Update UTMP about System Runlevel Changes...
[  OK  ] Started Update UTMP about System Runlevel Changes.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.0.76' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [   31.994532] audit: type=1400 audit(1591447222.218:8): avc:  denied  { execmem } for  pid=6335 comm="syz-executor019" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=1
[   32.043940] netlink: 20 bytes leftover after parsing attributes in process `syz-executor019'.
[   32.053120] ==================================================================
[   32.060594] BUG: KASAN: global-out-of-bounds in nfnetlink_parse_nat_setup+0x373/0x380
[   32.068727] Read of size 8 at addr ffffffff871c7398 by task syz-executor019/6337
[   32.076238] 
[   32.077843] CPU: 0 PID: 6337 Comm: syz-executor019 Not tainted 4.14.183-syzkaller #0
[   32.085803] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   32.095307] Call Trace:
[   32.097892]  dump_stack+0x1b2/0x283
[   32.101513]  ? nfnetlink_parse_nat_setup+0x373/0x380
[   32.106594]  print_address_description.cold+0x5/0x1dc
[   32.111809]  ? nfnetlink_parse_nat_setup+0x373/0x380
[   32.116900]  kasan_report.cold+0xa9/0x2b9
[   32.121040]  nfnetlink_parse_nat_setup+0x373/0x380
[   32.125966]  ? nf_nat_alloc_null_binding+0x40/0x40
[   32.130875]  ? __nf_conntrack_alloc.isra.0+0xa2/0x550
[   32.136062]  ? nf_nat_alloc_null_binding+0x40/0x40
[   32.141079]  ctnetlink_parse_nat_setup+0x70/0x490
[   32.145902]  ctnetlink_create_conntrack+0x477/0x1040
[   32.151432]  ? queue_work_on+0xf7/0x1d0
[   32.155996]  ? ctnetlink_glue_parse+0x440/0x440
[   32.160657]  ? __do_once_done+0x1be/0x240
[   32.164809]  ? hash_conntrack_raw.isra.0+0x2b0/0x3f0
[   32.170002]  ? __nf_ct_refresh_acct+0x240/0x240
[   32.174650]  ctnetlink_new_conntrack+0x45f/0xbf4
[   32.179384]  ? ctnetlink_create_conntrack+0x1040/0x1040
[   32.184728]  ? __ww_mutex_wakeup_for_backoff+0x210/0x210
[   32.190160]  ? ctnetlink_create_conntrack+0x1040/0x1040
[   32.195498]  nfnetlink_rcv_msg+0x9e1/0xc00
[   32.199733]  netlink_rcv_skb+0x127/0x370
[   32.203775]  ? __lock_acquire+0x563/0x42a0
[   32.207986]  ? nfnetlink_net_exit_batch+0x150/0x150
[   32.212979]  ? netlink_ack+0x970/0x970
[   32.216863]  ? ns_capable_common+0x127/0x150
[   32.221247]  nfnetlink_rcv+0x1ab/0x1650
[   32.225213]  ? trace_hardirqs_on+0x10/0x10
[   32.229436]  ? pipe_to_sendpage+0x226/0x2d0
[   32.233731]  ? __netlink_lookup+0x332/0x5c0
[   32.238028]  ? lock_downgrade+0x6e0/0x6e0
[   32.242150]  ? nfnl_err_del+0x150/0x150
[   32.246097]  ? netlink_seq_start+0x120/0x120
[   32.250479]  ? netlink_deliver_tap+0x90/0x860
[   32.254951]  ? rcu_is_watching+0x11/0xb0
[   32.258987]  ? lock_downgrade+0x6e0/0x6e0
[   32.263135]  netlink_unicast+0x437/0x610
[   32.267171]  ? netlink_sendskb+0x50/0x50
[   32.271209]  netlink_sendmsg+0x64a/0xbb0
[   32.275263]  ? nlmsg_notify+0x160/0x160
[   32.279228]  ? security_socket_sendmsg+0x83/0xb0
[   32.283975]  ? nlmsg_notify+0x160/0x160
[   32.287924]  sock_sendmsg+0xb5/0x100
[   32.291629]  sock_no_sendpage+0xe5/0x110
[   32.295688]  ? sk_clear_memalloc+0x120/0x120
[   32.300099]  ? sk_clear_memalloc+0x120/0x120
[   32.304519]  kernel_sendpage+0x82/0xd0
[   32.308390]  sock_sendpage+0x84/0xa0
[   32.312095]  pipe_to_sendpage+0x226/0x2d0
[   32.316227]  ? kernel_sendpage+0xd0/0xd0
[   32.320280]  ? direct_splice_actor+0x160/0x160
[   32.324860]  ? splice_from_pipe_next.part.0+0x1e4/0x290
[   32.330200]  __splice_from_pipe+0x332/0x740
[   32.334502]  ? direct_splice_actor+0x160/0x160
[   32.339072]  ? direct_splice_actor+0x160/0x160
[   32.343628]  splice_from_pipe+0xc6/0x120
[   32.347665]  ? splice_shrink_spd+0xb0/0xb0
[   32.351879]  ? rw_verify_area+0xe1/0x290
[   32.355934]  ? splice_from_pipe+0x120/0x120
[   32.360229]  SyS_splice+0xca0/0x1230
[   32.363938]  ? lock_downgrade+0x6e0/0x6e0
[   32.368060]  ? compat_SyS_vmsplice+0x150/0x150
[   32.372636]  ? do_syscall_64+0x4c/0x640
[   32.376584]  ? compat_SyS_vmsplice+0x150/0x150
[   32.381154]  do_syscall_64+0x1d5/0x640
[   32.385045]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[   32.390227] RIP: 0033:0x445959
[   32.393408] RSP: 002b:00007f50a4df8d88 EFLAGS: 00000246 ORIG_RAX: 0000000000000113
[   32.401110] RAX: ffffffffffffffda RBX: 00000000006dac58 RCX: 0000000000445959
[   32.408441] RDX: 0000000000000005 RSI: 0000000000000000 RDI: 0000000000000003
[   32.415686] RBP: 00000000006dac50 R08: 000000000004ffe0 R09: 0000000000000000
[   32.423113] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dac5c
[   32.430360] R13: 00000000004ade28 R14: 0000000000000006 R15: 0000000000000018
[   32.437718] 
[   32.439319] The buggy address belongs to the variable:
[   32.444585]  nft_quota_ops+0xb8/0xc0
[   32.448275] 
[   32.449875] Memory state around the buggy address:
[   32.454790]  ffffffff871c7280: 00 00 00 00 00 00 fa fa fa fa fa fa 00 00 00 00
[   32.462137]  ffffffff871c7300: 00 00 00 00 00 00 00 fa fa fa fa fa 06 fa fa fa
[   32.469482] >ffffffff871c7380: fa fa fa fa 00 00 00 00 00 00 fa fa fa fa fa fa
[   32.476829]                             ^
[   32.480966]  ffffffff871c7400: 00 00 00 00 00 00 00 00 00 00 fa fa fa fa fa fa
[   32.489288]  ffffffff871c7480: 00 00 00 03 fa fa fa fa 04 fa fa fa fa fa fa fa
[   32.496627] ==================================================================
[   32.503963] Disabling lock debugging due to kernel taint
[   32.519548] Kernel panic - not syncing: panic_on_warn set ...
[   32.519548] 
[   32.526940] CPU: 1 PID: 6337 Comm: syz-executor019 Tainted: G    B           4.14.183-syzkaller #0
[   32.536949] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   32.546307] Call Trace:
[   32.548879]  dump_stack+0x1b2/0x283
[   32.552484]  panic+0x1f9/0x42d
[   32.555723]  ? add_taint.cold+0x16/0x16
[   32.559684]  ? preempt_schedule_common+0x4a/0xc0
[   32.564425]  ? nfnetlink_parse_nat_setup+0x373/0x380
[   32.569505]  ? ___preempt_schedule+0x16/0x18
[   32.573909]  ? nfnetlink_parse_nat_setup+0x373/0x380
[   32.578999]  kasan_end_report+0x43/0x49
[   32.582962]  kasan_report.cold+0x12f/0x2b9
[   32.587186]  nfnetlink_parse_nat_setup+0x373/0x380
[   32.592089]  ? nf_nat_alloc_null_binding+0x40/0x40
[   32.596993]  ? __nf_conntrack_alloc.isra.0+0xa2/0x550
[   32.602155]  ? nf_nat_alloc_null_binding+0x40/0x40
[   32.607058]  ctnetlink_parse_nat_setup+0x70/0x490
[   32.611891]  ctnetlink_create_conntrack+0x477/0x1040
[   32.616967]  ? queue_work_on+0xf7/0x1d0
[   32.620915]  ? ctnetlink_glue_parse+0x440/0x440
[   32.625578]  ? __do_once_done+0x1be/0x240
[   32.629708]  ? hash_conntrack_raw.isra.0+0x2b0/0x3f0
[   32.634796]  ? __nf_ct_refresh_acct+0x240/0x240
[   32.639443]  ctnetlink_new_conntrack+0x45f/0xbf4
[   32.644188]  ? ctnetlink_create_conntrack+0x1040/0x1040
[   32.649547]  ? __ww_mutex_wakeup_for_backoff+0x210/0x210
[   32.654990]  ? ctnetlink_create_conntrack+0x1040/0x1040
[   32.660332]  nfnetlink_rcv_msg+0x9e1/0xc00
[   32.664549]  netlink_rcv_skb+0x127/0x370
[   32.668595]  ? __lock_acquire+0x563/0x42a0
[   32.672802]  ? nfnetlink_net_exit_batch+0x150/0x150
[   32.677844]  ? netlink_ack+0x970/0x970
[   32.681716]  ? ns_capable_common+0x127/0x150
[   32.686105]  nfnetlink_rcv+0x1ab/0x1650
[   32.690062]  ? trace_hardirqs_on+0x10/0x10
[   32.694292]  ? pipe_to_sendpage+0x226/0x2d0
[   32.698605]  ? __netlink_lookup+0x332/0x5c0
[   32.702903]  ? lock_downgrade+0x6e0/0x6e0
[   32.707043]  ? nfnl_err_del+0x150/0x150
[   32.711125]  ? netlink_seq_start+0x120/0x120
[   32.715509]  ? netlink_deliver_tap+0x90/0x860
[   32.719983]  ? rcu_is_watching+0x11/0xb0
[   32.724021]  ? lock_downgrade+0x6e0/0x6e0
[   32.728215]  netlink_unicast+0x437/0x610
[   32.732371]  ? netlink_sendskb+0x50/0x50
[   32.736433]  netlink_sendmsg+0x64a/0xbb0
[   32.740498]  ? nlmsg_notify+0x160/0x160
[   32.744465]  ? security_socket_sendmsg+0x83/0xb0
[   32.749306]  ? nlmsg_notify+0x160/0x160
[   32.753347]  sock_sendmsg+0xb5/0x100
[   32.757054]  sock_no_sendpage+0xe5/0x110
[   32.761091]  ? sk_clear_memalloc+0x120/0x120
[   32.765490]  ? sk_clear_memalloc+0x120/0x120
[   32.769885]  kernel_sendpage+0x82/0xd0
[   32.773747]  sock_sendpage+0x84/0xa0
[   32.777434]  pipe_to_sendpage+0x226/0x2d0
[   32.781554]  ? kernel_sendpage+0xd0/0xd0
[   32.785589]  ? direct_splice_actor+0x160/0x160
[   32.790158]  ? splice_from_pipe_next.part.0+0x1e4/0x290
[   32.795508]  __splice_from_pipe+0x332/0x740
[   32.799803]  ? direct_splice_actor+0x160/0x160
[   32.804359]  ? direct_splice_actor+0x160/0x160
[   32.808930]  splice_from_pipe+0xc6/0x120
[   32.812983]  ? splice_shrink_spd+0xb0/0xb0
[   32.817192]  ? rw_verify_area+0xe1/0x290
[   32.821226]  ? splice_from_pipe+0x120/0x120
[   32.825518]  SyS_splice+0xca0/0x1230
[   32.829209]  ? lock_downgrade+0x6e0/0x6e0
[   32.833333]  ? compat_SyS_vmsplice+0x150/0x150
[   32.837901]  ? do_syscall_64+0x4c/0x640
[   32.841849]  ? compat_SyS_vmsplice+0x150/0x150
[   32.846411]  do_syscall_64+0x1d5/0x640
[   32.850275]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[   32.855481] RIP: 0033:0x445959
[   32.858658] RSP: 002b:00007f50a4df8d88 EFLAGS: 00000246 ORIG_RAX: 0000000000000113
[   32.866338] RAX: ffffffffffffffda RBX: 00000000006dac58 RCX: 0000000000445959
[   32.873594] RDX: 0000000000000005 RSI: 0000000000000000 RDI: 0000000000000003
[   32.880840] RBP: 00000000006dac50 R08: 000000000004ffe0 R09: 0000000000000000
[   32.888093] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dac5c
[   32.895346] R13: 00000000004ade28 R14: 0000000000000006 R15: 0000000000000018
[   32.904126] Kernel Offset: disabled
[   32.907743] Rebooting in 86400 seconds..
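Triaging a report like the one above is mechanical enough to script. The Python below is an added example written for this page; it is neither part of the console log nor syzkaller's own report parser (pkg/report), and the names Report, parse, path, title, syscall, shadow_byte, explain_shadow and consistent, the POISON and EXPECTED tables and the title format are this example's own choices. It takes the report text, drops the `?` frames (stack-scan guesses, not a real call chain), finds the first frame that is not KASAN's own reporting machinery, records the syscall that reached it, and then reads the "Memory state" rows to check that the faulting address really lands on the poison the bug class implies. SAMPLE is the report on this page trimmed to the lines the parser uses. The shadow decoding assumes generic KASAN: one shadow byte per 8 bytes of memory, 00 meaning all 8 bytes accessible, 01..07 that many leading bytes accessible, and 0xfa the redzone KASAN places around globals.

```python
import re
from dataclasses import dataclass, field

SHADOW_SCALE = 8  # one shadow byte describes 8 bytes of memory (generic KASAN)
POISON = {0xfa: "global redzone", 0xfb: "freed slab object", 0xfc: "kmalloc redzone",
          0xfe: "page redzone", 0xff: "freed page", 0xf8: "use-after-scope"}
EXPECTED = {"global-out-of-bounds": {0xfa}, "slab-out-of-bounds": {0xfc}, "use-after-free": {0xfb}}
KASAN_FRAMES = ("dump_stack", "print_address_description", "kasan_report", "__asan_")
HEADERS = {"Call Trace:": "trace", "The buggy address belongs to the variable:": "variable",
           "Memory state around the buggy address:": "shadow"}
TS_RE = re.compile(r"^\[\s*\d+\.\d+\]\s?")
BUG_RE = re.compile(r"^BUG: KASAN: (\S+) in (\S+)$")
ACCESS_RE = re.compile(r"^(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (\S+)$")
FRAME_RE = re.compile(r"^(\? )?([\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+$")
SHADOW_RE = re.compile(r"^>?([0-9a-f]{16}): ((?:[0-9a-f]{2} ?){16})$")
SYSCALL_RE = re.compile(r"^(?:SyS_|__x64_sys_|__se_sys_|sys_)(\w+)$")

# Constructed sample: the report on this page, trimmed to the lines the parser uses.
SAMPLE = """\
[   32.053120] ==================================================================
[   32.060594] BUG: KASAN: global-out-of-bounds in nfnetlink_parse_nat_setup+0x373/0x380
[   32.068727] Read of size 8 at addr ffffffff871c7398 by task syz-executor019/6337
[   32.095307] Call Trace:
[   32.097892]  dump_stack+0x1b2/0x283
[   32.101513]  ? nfnetlink_parse_nat_setup+0x373/0x380
[   32.116900]  kasan_report.cold+0xa9/0x2b9
[   32.121040]  nfnetlink_parse_nat_setup+0x373/0x380
[   32.141079]  ctnetlink_parse_nat_setup+0x70/0x490
[   32.145902]  ctnetlink_create_conntrack+0x477/0x1040
[   32.360229]  SyS_splice+0xca0/0x1230
[   32.390227] RIP: 0033:0x445959
[   32.439319] The buggy address belongs to the variable:
[   32.444585]  nft_quota_ops+0xb8/0xc0
[   32.449875] Memory state around the buggy address:
[   32.469482] >ffffffff871c7380: fa fa fa fa 00 00 00 00 00 00 fa fa fa fa fa fa
[   32.476829]                             ^
[   32.496627] ==================================================================
"""


@dataclass
class Report:
    bug: str = ""
    access: str = ""
    addr: int = 0
    frames: list = field(default_factory=list)  # reliable frames only, innermost first
    shadow: dict = field(default_factory=dict)  # row base address -> its 16 shadow bytes

    def path(self):  # the buggy code path, minus the KASAN reporting frames
        return [f.split(".")[0] for f in self.frames if not f.startswith(KASAN_FRAMES)]

    def syscall(self):  # entry point that reached the bug; a reproducer must use it
        return next((m.group(1) for f in self.frames if (m := SYSCALL_RE.match(f))), "")

    def title(self):  # dedup title in the syzkaller style (format chosen for this example)
        return f"KASAN: {self.bug} {self.access} in {self.path()[0]}"

    def shadow_byte(self):  # each printed row covers 16 granules of SHADOW_SCALE bytes
        for base, row in self.shadow.items():
            if base <= self.addr < base + 16 * SHADOW_SCALE:
                return row[(self.addr - base) // SHADOW_SCALE]
        return None

    def explain_shadow(self):
        b = self.shadow_byte()
        if b is None:
            return "address not covered by the printed shadow rows"
        if b == 0:
            return "granule fully accessible (report inconsistent with shadow)"
        if b < SHADOW_SCALE:
            return f"partial granule: only {b} of {SHADOW_SCALE} bytes accessible"
        return POISON.get(b, f"unknown poison 0x{b:02x}")

    def consistent(self):  # does the shadow byte agree with the reported bug class?
        b = self.shadow_byte()
        partial = b is not None and 0 < b < SHADOW_SCALE and self.bug.endswith("out-of-bounds")
        return partial or b in EXPECTED.get(self.bug, set())


def parse(text):
    r, section = Report(), None
    for raw in text.splitlines():
        line = TS_RE.sub("", raw).strip()
        if line.startswith("====="):
            if r.bug:
                break  # closing rule: ignore what follows, e.g. the panic trace
            continue
        if m := BUG_RE.match(line):
            r.bug = m.group(1)
        elif m := ACCESS_RE.match(line):
            r.access, r.addr = m.group(1), int(m.group(3), 16)
        elif line in HEADERS:
            section = HEADERS[line]
        elif section == "trace" and line.startswith("RIP:"):
            section = None  # user-space register dump follows the trace
        elif section == "trace" and (m := FRAME_RE.match(line)):
            if not m.group(1):  # "? foo+0x..." is a stack-scan guess: drop it
                r.frames.append(m.group(2))
        elif section == "shadow" and (m := SHADOW_RE.match(line)):
            r.shadow[int(m.group(1), 16)] = [int(b, 16) for b in m.group(2).split()]
    return r
```

Applied to this page's report the script yields the title "KASAN: global-out-of-bounds Read in nfnetlink_parse_nat_setup", the path nfnetlink_parse_nat_setup -> ctnetlink_parse_nat_setup -> ctnetlink_create_conntrack, and "splice" as the entry syscall: the nfnetlink message was spliced from a pipe into the netlink socket (pipe_to_sendpage -> sock_sendpage -> netlink_sendmsg in the full trace), which is worth knowing before writing a sendmsg()-based reproducer. The shadow check works out as follows: 0xffffffff871c7398 is 0x18 bytes past the start of the row marked with >, so it falls in the fourth 8-byte granule, whose shadow byte is fa, the global redzone, exactly under the kernel's ^ marker and consistent with the global-out-of-bounds class; had the address landed on a 00 granule, consistent() would return False and the report would deserve a second look before filing. The "belongs to the variable: nft_quota_ops+0xb8/0xc0" line is a %pS symbol lookup of the faulting address (nearest kallsyms symbol and its size), so it names the symbol the address resolves to, not necessarily the object the code meant to index; the offset 0x373 in nfnetlink_parse_nat_setup and the fact that a NAT-setup path ended up reading next to an nf_tables expression ops structure are what to take to the source when looking for the root cause.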