[[0;32m  OK  [0m] Reached target Login Prompts.
[[0;32m  OK  [0m] Reached target Multi-User System.
[[0;32m  OK  [0m] Reached target Graphical Interface.
         Starting Update UTMP about System Runlevel Changes...
[[0;32m  OK  [0m] Started Update UTMP about System Runlevel Changes.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.1.38' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [   58.918881][ T6828] netlink: 32 bytes leftover after parsing attributes in process `syz-executor793'.
[   58.998939][ T6828] ==================================================================
[   59.007137][ T6828] BUG: KASAN: use-after-free in tcf_action_destroy+0x188/0x1b0
[   59.014710][ T6828] Read of size 8 at addr ffff8880a73a4800 by task syz-executor793/6828
[   59.022918][ T6828] 
[   59.025229][ T6828] CPU: 0 PID: 6828 Comm: syz-executor793 Not tainted 5.9.0-rc3-syzkaller #0
[   59.033871][ T6828] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   59.043940][ T6828] Call Trace:
[   59.047211][ T6828]  dump_stack+0x198/0x1fd
[   59.051522][ T6828]  ? tcf_action_destroy+0x188/0x1b0
[   59.056697][ T6828]  ? tcf_action_destroy+0x188/0x1b0
[   59.061873][ T6828]  print_address_description.constprop.0.cold+0xae/0x497
[   59.068882][ T6828]  ? tcf_action_destroy+0x188/0x1b0
[   59.074068][ T6828]  ? lockdep_hardirqs_off+0x96/0xd0
[   59.079261][ T6828]  ? vprintk_func+0x97/0x1a6
[   59.083880][ T6828]  ? tcf_action_destroy+0x188/0x1b0
[   59.089075][ T6828]  ? tcf_action_destroy+0x188/0x1b0
[   59.094246][ T6828]  kasan_report.cold+0x1f/0x37
[   59.099006][ T6828]  ? tcf_action_destroy+0x188/0x1b0
[   59.104200][ T6828]  tcf_action_destroy+0x188/0x1b0
[   59.109261][ T6828]  tcf_action_init+0x285/0x380
[   59.114010][ T6828]  ? tcf_action_init_1+0xac0/0xac0
[   59.119128][ T6828]  tcf_action_add+0xd9/0x360
[   59.123743][ T6828]  ? tca_action_gd+0xda0/0xda0
[   59.128519][ T6828]  ? lock_acquire+0x1f3/0xae0
[   59.133188][ T6828]  ? bpf_lsm_capable+0x5/0x10
[   59.137844][ T6828]  ? __nla_parse+0x3d/0x4a
[   59.142276][ T6828]  tc_ctl_action+0x33a/0x439
[   59.146844][ T6828]  ? tcf_action_add+0x360/0x360
[   59.151674][ T6828]  ? lock_is_held_type+0xbb/0xf0
[   59.156626][ T6828]  ? tcf_action_add+0x360/0x360
[   59.161454][ T6828]  rtnetlink_rcv_msg+0x44e/0xad0
[   59.166429][ T6828]  ? rtnetlink_put_metrics+0x510/0x510
[   59.171873][ T6828]  ? lock_acquire+0x1f3/0xae0
[   59.176525][ T6828]  ? netlink_deliver_tap+0x146/0xb70
[   59.181791][ T6828]  netlink_rcv_skb+0x15a/0x430
[   59.186532][ T6828]  ? rtnetlink_put_metrics+0x510/0x510
[   59.191967][ T6828]  ? netlink_ack+0xa10/0xa10
[   59.196540][ T6828]  ? __kmalloc_node_track_caller+0x38/0x60
[   59.202357][ T6828]  netlink_unicast+0x533/0x7d0
[   59.207098][ T6828]  ? netlink_attachskb+0x810/0x810
[   59.212226][ T6828]  ? __phys_addr_symbol+0x2c/0x70
[   59.217222][ T6828]  ? __check_object_size+0x171/0x3e4
[   59.222551][ T6828]  netlink_sendmsg+0x856/0xd90
[   59.227379][ T6828]  ? netlink_unicast+0x7d0/0x7d0
[   59.232297][ T6828]  ? bpf_lsm_socket_sendmsg+0x5/0x10
[   59.237553][ T6828]  ? netlink_unicast+0x7d0/0x7d0
[   59.242466][ T6828]  sock_sendmsg+0xcf/0x120
[   59.246861][ T6828]  ____sys_sendmsg+0x6e8/0x810
[   59.251603][ T6828]  ? kernel_sendmsg+0x50/0x50
[   59.256250][ T6828]  ? do_recvmmsg+0x6d0/0x6d0
[   59.260834][ T6828]  ? lockdep_hardirqs_on_prepare+0x530/0x530
[   59.266805][ T6828]  ? lock_is_held_type+0xbb/0xf0
[   59.271774][ T6828]  ? find_held_lock+0x2d/0x110
[   59.276550][ T6828]  ___sys_sendmsg+0xf3/0x170
[   59.281121][ T6828]  ? sendmsg_copy_msghdr+0x160/0x160
[   59.286385][ T6828]  ? __fget_files+0x272/0x400
[   59.291055][ T6828]  ? lock_downgrade+0x830/0x830
[   59.295904][ T6828]  ? do_huge_pmd_anonymous_page+0x8f2/0x2200
[   59.301865][ T6828]  ? __fget_files+0x294/0x400
[   59.306553][ T6828]  ? __fget_light+0xea/0x280
[   59.311124][ T6828]  __sys_sendmsg+0xe5/0x1b0
[   59.315605][ T6828]  ? __sys_sendmsg_sock+0xb0/0xb0
[   59.320643][ T6828]  ? syscall_enter_from_user_mode+0x20/0x290
[   59.326598][ T6828]  ? lockdep_hardirqs_on+0x53/0x100
[   59.331771][ T6828]  do_syscall_64+0x2d/0x70
[   59.336162][ T6828]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[   59.342027][ T6828] RIP: 0033:0x445d79
[   59.345898][ T6828] Code: e8 bc b7 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 ab 11 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[   59.365489][ T6828] RSP: 002b:00007f152bcf3d98 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[   59.373880][ T6828] RAX: ffffffffffffffda RBX: 00000000006dac28 RCX: 0000000000445d79
[   59.381830][ T6828] RDX: 0000000000000000 RSI: 0000000020002980 RDI: 0000000000000003
[   59.389797][ T6828] RBP: 00000000006dac20 R08: 0000000000000000 R09: 0000000000000000
[   59.397754][ T6828] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dac2c
[   59.405700][ T6828] R13: 0001008400000000 R14: 0000000000000000 R15: 053b003000000098
[   59.413653][ T6828] 
[   59.415956][ T6828] Allocated by task 6828:
[   59.420261][ T6828]  kasan_save_stack+0x1b/0x40
[   59.424910][ T6828]  __kasan_kmalloc.constprop.0+0xbf/0xd0
[   59.430528][ T6828]  __kmalloc+0x1b0/0x310
[   59.434747][ T6828]  tcf_idr_create+0x5b/0x7b0
[   59.439308][ T6828]  tcf_connmark_init+0x535/0x960
[   59.444228][ T6828]  tcf_action_init_1+0x6a5/0xac0
[   59.449141][ T6828]  tcf_action_init+0x249/0x380
[   59.453886][ T6828]  tcf_action_add+0xd9/0x360
[   59.458463][ T6828]  tc_ctl_action+0x33a/0x439
[   59.463025][ T6828]  rtnetlink_rcv_msg+0x44e/0xad0
[   59.467935][ T6828]  netlink_rcv_skb+0x15a/0x430
[   59.472672][ T6828]  netlink_unicast+0x533/0x7d0
[   59.477407][ T6828]  netlink_sendmsg+0x856/0xd90
[   59.482144][ T6828]  sock_sendmsg+0xcf/0x120
[   59.486529][ T6828]  ____sys_sendmsg+0x6e8/0x810
[   59.491272][ T6828]  ___sys_sendmsg+0xf3/0x170
[   59.495847][ T6828]  __sys_sendmsg+0xe5/0x1b0
[   59.500332][ T6828]  do_syscall_64+0x2d/0x70
[   59.504720][ T6828]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[   59.510581][ T6828] 
[   59.512882][ T6828] Freed by task 6830:
[   59.516873][ T6828]  kasan_save_stack+0x1b/0x40
[   59.521551][ T6828]  kasan_set_track+0x1c/0x30
[   59.526119][ T6828]  kasan_set_free_info+0x1b/0x30
[   59.531029][ T6828]  __kasan_slab_free+0xd8/0x120
[   59.535877][ T6828]  kfree+0x10e/0x2b0
[   59.539747][ T6828]  tcf_generic_walker+0x959/0xb60
[   59.544745][ T6828]  tca_action_flush+0x42b/0x920
[   59.549582][ T6828]  tca_action_gd+0x8ac/0xda0
[   59.554143][ T6828]  tc_ctl_action+0x280/0x439
[   59.558715][ T6828]  rtnetlink_rcv_msg+0x44e/0xad0
[   59.563627][ T6828]  netlink_rcv_skb+0x15a/0x430
[   59.568374][ T6828]  netlink_unicast+0x533/0x7d0
[   59.573111][ T6828]  netlink_sendmsg+0x856/0xd90
[   59.577845][ T6828]  sock_sendmsg+0xcf/0x120
[   59.582241][ T6828]  ____sys_sendmsg+0x6e8/0x810
[   59.586990][ T6828]  ___sys_sendmsg+0xf3/0x170
[   59.591639][ T6828]  __sys_sendmsg+0xe5/0x1b0
[   59.596116][ T6828]  do_syscall_64+0x2d/0x70
[   59.600506][ T6828]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[   59.606376][ T6828] 
[   59.608679][ T6828] The buggy address belongs to the object at ffff8880a73a4800
[   59.608679][ T6828]  which belongs to the cache kmalloc-512 of size 512
[   59.622719][ T6828] The buggy address is located 0 bytes inside of
[   59.622719][ T6828]  512-byte region [ffff8880a73a4800, ffff8880a73a4a00)
[   59.635800][ T6828] The buggy address belongs to the page:
[   59.641409][ T6828] page:00000000b3316a5a refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff8880a73a4000 pfn:0xa73a4
[   59.652830][ T6828] flags: 0xfffe0000000200(slab)
[   59.657656][ T6828] raw: 00fffe0000000200 ffffea0002506248 ffffea0002a386c8 ffff8880aa040600
[   59.666211][ T6828] raw: ffff8880a73a4000 ffff8880a73a4000 0000000100000001 0000000000000000
[   59.674765][ T6828] page dumped because: kasan: bad access detected
[   59.681148][ T6828] 
[   59.683447][ T6828] Memory state around the buggy address:
[   59.689062][ T6828]  ffff8880a73a4700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   59.697095][ T6828]  ffff8880a73a4780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   59.705130][ T6828] >ffff8880a73a4800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   59.713161][ T6828]                    ^
[   59.717201][ T6828]  ffff8880a73a4880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   59.725234][ T6828]  ffff8880a73a4900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   59.733279][ T6828] ==================================================================
[   59.741321][ T6828] Disabling lock debugging due to kernel taint
[   59.747993][ T6828] Kernel panic - not syncing: panic_on_warn set ...
[   59.754584][ T6828] CPU: 0 PID: 6828 Comm: syz-executor793 Tainted: G    B             5.9.0-rc3-syzkaller #0
[   59.764629][ T6828] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   59.774672][ T6828] Call Trace:
[   59.777955][ T6828]  dump_stack+0x198/0x1fd
[   59.782283][ T6828]  ? tcf_action_destroy+0xa0/0x1b0
[   59.787382][ T6828]  panic+0x347/0x7c0
[   59.791249][ T6828]  ? __warn_printk+0xf3/0xf3
[   59.795819][ T6828]  ? preempt_schedule_common+0x59/0xc0
[   59.801254][ T6828]  ? tcf_action_destroy+0x188/0x1b0
[   59.806421][ T6828]  ? preempt_schedule_thunk+0x16/0x18
[   59.811774][ T6828]  ? trace_hardirqs_on+0x55/0x220
[   59.816780][ T6828]  ? tcf_action_destroy+0x188/0x1b0
[   59.821947][ T6828]  ? tcf_action_destroy+0x188/0x1b0
[   59.827113][ T6828]  end_report+0x4d/0x53
[   59.831240][ T6828]  kasan_report.cold+0xd/0x37
[   59.835887][ T6828]  ? tcf_action_destroy+0x188/0x1b0
[   59.841071][ T6828]  tcf_action_destroy+0x188/0x1b0
[   59.846066][ T6828]  tcf_action_init+0x285/0x380
[   59.850813][ T6828]  ? tcf_action_init_1+0xac0/0xac0
[   59.855909][ T6828]  tcf_action_add+0xd9/0x360
[   59.860469][ T6828]  ? tca_action_gd+0xda0/0xda0
[   59.865204][ T6828]  ? lock_acquire+0x1f3/0xae0
[   59.869869][ T6828]  ? bpf_lsm_capable+0x5/0x10
[   59.874517][ T6828]  ? __nla_parse+0x3d/0x4a
[   59.878918][ T6828]  tc_ctl_action+0x33a/0x439
[   59.883478][ T6828]  ? tcf_action_add+0x360/0x360
[   59.888309][ T6828]  ? lock_is_held_type+0xbb/0xf0
[   59.893220][ T6828]  ? tcf_action_add+0x360/0x360
[   59.898042][ T6828]  rtnetlink_rcv_msg+0x44e/0xad0
[   59.902952][ T6828]  ? rtnetlink_put_metrics+0x510/0x510
[   59.908394][ T6828]  ? lock_acquire+0x1f3/0xae0
[   59.913055][ T6828]  ? netlink_deliver_tap+0x146/0xb70
[   59.918320][ T6828]  netlink_rcv_skb+0x15a/0x430
[   59.923056][ T6828]  ? rtnetlink_put_metrics+0x510/0x510
[   59.928484][ T6828]  ? netlink_ack+0xa10/0xa10
[   59.933060][ T6828]  ? __kmalloc_node_track_caller+0x38/0x60
[   59.938839][ T6828]  netlink_unicast+0x533/0x7d0
[   59.943574][ T6828]  ? netlink_attachskb+0x810/0x810
[   59.948659][ T6828]  ? __phys_addr_symbol+0x2c/0x70
[   59.953661][ T6828]  ? __check_object_size+0x171/0x3e4
[   59.958916][ T6828]  netlink_sendmsg+0x856/0xd90
[   59.963661][ T6828]  ? netlink_unicast+0x7d0/0x7d0
[   59.968569][ T6828]  ? bpf_lsm_socket_sendmsg+0x5/0x10
[   59.973832][ T6828]  ? netlink_unicast+0x7d0/0x7d0
[   59.978754][ T6828]  sock_sendmsg+0xcf/0x120
[   59.983150][ T6828]  ____sys_sendmsg+0x6e8/0x810
[   59.987882][ T6828]  ? kernel_sendmsg+0x50/0x50
[   59.992527][ T6828]  ? do_recvmmsg+0x6d0/0x6d0
[   59.997099][ T6828]  ? lockdep_hardirqs_on_prepare+0x530/0x530
[   60.003049][ T6828]  ? lock_is_held_type+0xbb/0xf0
[   60.007955][ T6828]  ? find_held_lock+0x2d/0x110
[   60.012688][ T6828]  ___sys_sendmsg+0xf3/0x170
[   60.017259][ T6828]  ? sendmsg_copy_msghdr+0x160/0x160
[   60.022516][ T6828]  ? __fget_files+0x272/0x400
[   60.027161][ T6828]  ? lock_downgrade+0x830/0x830
[   60.031981][ T6828]  ? do_huge_pmd_anonymous_page+0x8f2/0x2200
[   60.037931][ T6828]  ? __fget_files+0x294/0x400
[   60.042592][ T6828]  ? __fget_light+0xea/0x280
[   60.047161][ T6828]  __sys_sendmsg+0xe5/0x1b0
[   60.051637][ T6828]  ? __sys_sendmsg_sock+0xb0/0xb0
[   60.056643][ T6828]  ? syscall_enter_from_user_mode+0x20/0x290
[   60.062593][ T6828]  ? lockdep_hardirqs_on+0x53/0x100
[   60.067760][ T6828]  do_syscall_64+0x2d/0x70
[   60.072146][ T6828]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[   60.078877][ T6828] RIP: 0033:0x445d79
[   60.082746][ T6828] Code: e8 bc b7 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 ab 11 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[   60.102333][ T6828] RSP: 002b:00007f152bcf3d98 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[   60.110713][ T6828] RAX: ffffffffffffffda RBX: 00000000006dac28 RCX: 0000000000445d79
[   60.118663][ T6828] RDX: 0000000000000000 RSI: 0000000020002980 RDI: 0000000000000003
[   60.126611][ T6828] RBP: 00000000006dac20 R08: 0000000000000000 R09: 0000000000000000
[   60.134554][ T6828] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dac2c
[   60.142496][ T6828] R13: 0001008400000000 R14: 0000000000000000 R15: 053b003000000098
[   60.151710][ T6828] Kernel Offset: disabled
[   60.156021][ T6828] Rebooting in 86400 seconds..