[ OK ] Reached target Login Prompts. [ OK ] Reached target Multi-User System. [ OK ] Reached target Graphical Interface. Starting Update UTMP about System Runlevel Changes... [ OK ] Started Update UTMP about System Runlevel Changes. Debian GNU/Linux 9 syzkaller ttyS0 Warning: Permanently added '10.128.1.38' (ECDSA) to the list of known hosts. executing program syzkaller login: [ 58.918881][ T6828] netlink: 32 bytes leftover after parsing attributes in process `syz-executor793'. [ 58.998939][ T6828] ================================================================== [ 59.007137][ T6828] BUG: KASAN: use-after-free in tcf_action_destroy+0x188/0x1b0 [ 59.014710][ T6828] Read of size 8 at addr ffff8880a73a4800 by task syz-executor793/6828 [ 59.022918][ T6828] [ 59.025229][ T6828] CPU: 0 PID: 6828 Comm: syz-executor793 Not tainted 5.9.0-rc3-syzkaller #0 [ 59.033871][ T6828] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 59.043940][ T6828] Call Trace: [ 59.047211][ T6828] dump_stack+0x198/0x1fd [ 59.051522][ T6828] ? tcf_action_destroy+0x188/0x1b0 [ 59.056697][ T6828] ? tcf_action_destroy+0x188/0x1b0 [ 59.061873][ T6828] print_address_description.constprop.0.cold+0xae/0x497 [ 59.068882][ T6828] ? tcf_action_destroy+0x188/0x1b0 [ 59.074068][ T6828] ? lockdep_hardirqs_off+0x96/0xd0 [ 59.079261][ T6828] ? vprintk_func+0x97/0x1a6 [ 59.083880][ T6828] ? tcf_action_destroy+0x188/0x1b0 [ 59.089075][ T6828] ? tcf_action_destroy+0x188/0x1b0 [ 59.094246][ T6828] kasan_report.cold+0x1f/0x37 [ 59.099006][ T6828] ? tcf_action_destroy+0x188/0x1b0 [ 59.104200][ T6828] tcf_action_destroy+0x188/0x1b0 [ 59.109261][ T6828] tcf_action_init+0x285/0x380 [ 59.114010][ T6828] ? tcf_action_init_1+0xac0/0xac0 [ 59.119128][ T6828] tcf_action_add+0xd9/0x360 [ 59.123743][ T6828] ? tca_action_gd+0xda0/0xda0 [ 59.128519][ T6828] ? lock_acquire+0x1f3/0xae0 [ 59.133188][ T6828] ? bpf_lsm_capable+0x5/0x10 [ 59.137844][ T6828] ? __nla_parse+0x3d/0x4a [ 59.142276][ T6828] tc_ctl_action+0x33a/0x439 [ 59.146844][ T6828] ? tcf_action_add+0x360/0x360 [ 59.151674][ T6828] ? lock_is_held_type+0xbb/0xf0 [ 59.156626][ T6828] ? tcf_action_add+0x360/0x360 [ 59.161454][ T6828] rtnetlink_rcv_msg+0x44e/0xad0 [ 59.166429][ T6828] ? rtnetlink_put_metrics+0x510/0x510 [ 59.171873][ T6828] ? lock_acquire+0x1f3/0xae0 [ 59.176525][ T6828] ? netlink_deliver_tap+0x146/0xb70 [ 59.181791][ T6828] netlink_rcv_skb+0x15a/0x430 [ 59.186532][ T6828] ? rtnetlink_put_metrics+0x510/0x510 [ 59.191967][ T6828] ? netlink_ack+0xa10/0xa10 [ 59.196540][ T6828] ? __kmalloc_node_track_caller+0x38/0x60 [ 59.202357][ T6828] netlink_unicast+0x533/0x7d0 [ 59.207098][ T6828] ? netlink_attachskb+0x810/0x810 [ 59.212226][ T6828] ? __phys_addr_symbol+0x2c/0x70 [ 59.217222][ T6828] ? __check_object_size+0x171/0x3e4 [ 59.222551][ T6828] netlink_sendmsg+0x856/0xd90 [ 59.227379][ T6828] ? netlink_unicast+0x7d0/0x7d0 [ 59.232297][ T6828] ? bpf_lsm_socket_sendmsg+0x5/0x10 [ 59.237553][ T6828] ? netlink_unicast+0x7d0/0x7d0 [ 59.242466][ T6828] sock_sendmsg+0xcf/0x120 [ 59.246861][ T6828] ____sys_sendmsg+0x6e8/0x810 [ 59.251603][ T6828] ? kernel_sendmsg+0x50/0x50 [ 59.256250][ T6828] ? do_recvmmsg+0x6d0/0x6d0 [ 59.260834][ T6828] ? lockdep_hardirqs_on_prepare+0x530/0x530 [ 59.266805][ T6828] ? lock_is_held_type+0xbb/0xf0 [ 59.271774][ T6828] ? find_held_lock+0x2d/0x110 [ 59.276550][ T6828] ___sys_sendmsg+0xf3/0x170 [ 59.281121][ T6828] ? sendmsg_copy_msghdr+0x160/0x160 [ 59.286385][ T6828] ? __fget_files+0x272/0x400 [ 59.291055][ T6828] ? lock_downgrade+0x830/0x830 [ 59.295904][ T6828] ? do_huge_pmd_anonymous_page+0x8f2/0x2200 [ 59.301865][ T6828] ? __fget_files+0x294/0x400 [ 59.306553][ T6828] ? __fget_light+0xea/0x280 [ 59.311124][ T6828] __sys_sendmsg+0xe5/0x1b0 [ 59.315605][ T6828] ? __sys_sendmsg_sock+0xb0/0xb0 [ 59.320643][ T6828] ? syscall_enter_from_user_mode+0x20/0x290 [ 59.326598][ T6828] ? lockdep_hardirqs_on+0x53/0x100 [ 59.331771][ T6828] do_syscall_64+0x2d/0x70 [ 59.336162][ T6828] entry_SYSCALL_64_after_hwframe+0x44/0xa9 [ 59.342027][ T6828] RIP: 0033:0x445d79 [ 59.345898][ T6828] Code: e8 bc b7 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 ab 11 fc ff c3 66 2e 0f 1f 84 00 00 00 00 [ 59.365489][ T6828] RSP: 002b:00007f152bcf3d98 EFLAGS: 00000246 ORIG_RAX: 000000000000002e [ 59.373880][ T6828] RAX: ffffffffffffffda RBX: 00000000006dac28 RCX: 0000000000445d79 [ 59.381830][ T6828] RDX: 0000000000000000 RSI: 0000000020002980 RDI: 0000000000000003 [ 59.389797][ T6828] RBP: 00000000006dac20 R08: 0000000000000000 R09: 0000000000000000 [ 59.397754][ T6828] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dac2c [ 59.405700][ T6828] R13: 0001008400000000 R14: 0000000000000000 R15: 053b003000000098 [ 59.413653][ T6828] [ 59.415956][ T6828] Allocated by task 6828: [ 59.420261][ T6828] kasan_save_stack+0x1b/0x40 [ 59.424910][ T6828] __kasan_kmalloc.constprop.0+0xbf/0xd0 [ 59.430528][ T6828] __kmalloc+0x1b0/0x310 [ 59.434747][ T6828] tcf_idr_create+0x5b/0x7b0 [ 59.439308][ T6828] tcf_connmark_init+0x535/0x960 [ 59.444228][ T6828] tcf_action_init_1+0x6a5/0xac0 [ 59.449141][ T6828] tcf_action_init+0x249/0x380 [ 59.453886][ T6828] tcf_action_add+0xd9/0x360 [ 59.458463][ T6828] tc_ctl_action+0x33a/0x439 [ 59.463025][ T6828] rtnetlink_rcv_msg+0x44e/0xad0 [ 59.467935][ T6828] netlink_rcv_skb+0x15a/0x430 [ 59.472672][ T6828] netlink_unicast+0x533/0x7d0 [ 59.477407][ T6828] netlink_sendmsg+0x856/0xd90 [ 59.482144][ T6828] sock_sendmsg+0xcf/0x120 [ 59.486529][ T6828] ____sys_sendmsg+0x6e8/0x810 [ 59.491272][ T6828] ___sys_sendmsg+0xf3/0x170 [ 59.495847][ T6828] __sys_sendmsg+0xe5/0x1b0 [ 59.500332][ T6828] do_syscall_64+0x2d/0x70 [ 59.504720][ T6828] entry_SYSCALL_64_after_hwframe+0x44/0xa9 [ 59.510581][ T6828] [ 59.512882][ T6828] Freed by task 6830: [ 59.516873][ T6828] kasan_save_stack+0x1b/0x40 [ 59.521551][ T6828] kasan_set_track+0x1c/0x30 [ 59.526119][ T6828] kasan_set_free_info+0x1b/0x30 [ 59.531029][ T6828] __kasan_slab_free+0xd8/0x120 [ 59.535877][ T6828] kfree+0x10e/0x2b0 [ 59.539747][ T6828] tcf_generic_walker+0x959/0xb60 [ 59.544745][ T6828] tca_action_flush+0x42b/0x920 [ 59.549582][ T6828] tca_action_gd+0x8ac/0xda0 [ 59.554143][ T6828] tc_ctl_action+0x280/0x439 [ 59.558715][ T6828] rtnetlink_rcv_msg+0x44e/0xad0 [ 59.563627][ T6828] netlink_rcv_skb+0x15a/0x430 [ 59.568374][ T6828] netlink_unicast+0x533/0x7d0 [ 59.573111][ T6828] netlink_sendmsg+0x856/0xd90 [ 59.577845][ T6828] sock_sendmsg+0xcf/0x120 [ 59.582241][ T6828] ____sys_sendmsg+0x6e8/0x810 [ 59.586990][ T6828] ___sys_sendmsg+0xf3/0x170 [ 59.591639][ T6828] __sys_sendmsg+0xe5/0x1b0 [ 59.596116][ T6828] do_syscall_64+0x2d/0x70 [ 59.600506][ T6828] entry_SYSCALL_64_after_hwframe+0x44/0xa9 [ 59.606376][ T6828] [ 59.608679][ T6828] The buggy address belongs to the object at ffff8880a73a4800 [ 59.608679][ T6828] which belongs to the cache kmalloc-512 of size 512 [ 59.622719][ T6828] The buggy address is located 0 bytes inside of [ 59.622719][ T6828] 512-byte region [ffff8880a73a4800, ffff8880a73a4a00) [ 59.635800][ T6828] The buggy address belongs to the page: [ 59.641409][ T6828] page:00000000b3316a5a refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff8880a73a4000 pfn:0xa73a4 [ 59.652830][ T6828] flags: 0xfffe0000000200(slab) [ 59.657656][ T6828] raw: 00fffe0000000200 ffffea0002506248 ffffea0002a386c8 ffff8880aa040600 [ 59.666211][ T6828] raw: ffff8880a73a4000 ffff8880a73a4000 0000000100000001 0000000000000000 [ 59.674765][ T6828] page dumped because: kasan: bad access detected [ 59.681148][ T6828] [ 59.683447][ T6828] Memory state around the buggy address: [ 59.689062][ T6828] ffff8880a73a4700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 59.697095][ T6828] ffff8880a73a4780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 59.705130][ T6828] >ffff8880a73a4800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 59.713161][ T6828] ^ [ 59.717201][ T6828] ffff8880a73a4880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 59.725234][ T6828] ffff8880a73a4900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 59.733279][ T6828] ================================================================== [ 59.741321][ T6828] Disabling lock debugging due to kernel taint [ 59.747993][ T6828] Kernel panic - not syncing: panic_on_warn set ... [ 59.754584][ T6828] CPU: 0 PID: 6828 Comm: syz-executor793 Tainted: G B 5.9.0-rc3-syzkaller #0 [ 59.764629][ T6828] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 59.774672][ T6828] Call Trace: [ 59.777955][ T6828] dump_stack+0x198/0x1fd [ 59.782283][ T6828] ? tcf_action_destroy+0xa0/0x1b0 [ 59.787382][ T6828] panic+0x347/0x7c0 [ 59.791249][ T6828] ? __warn_printk+0xf3/0xf3 [ 59.795819][ T6828] ? preempt_schedule_common+0x59/0xc0 [ 59.801254][ T6828] ? tcf_action_destroy+0x188/0x1b0 [ 59.806421][ T6828] ? preempt_schedule_thunk+0x16/0x18 [ 59.811774][ T6828] ? trace_hardirqs_on+0x55/0x220 [ 59.816780][ T6828] ? tcf_action_destroy+0x188/0x1b0 [ 59.821947][ T6828] ? tcf_action_destroy+0x188/0x1b0 [ 59.827113][ T6828] end_report+0x4d/0x53 [ 59.831240][ T6828] kasan_report.cold+0xd/0x37 [ 59.835887][ T6828] ? tcf_action_destroy+0x188/0x1b0 [ 59.841071][ T6828] tcf_action_destroy+0x188/0x1b0 [ 59.846066][ T6828] tcf_action_init+0x285/0x380 [ 59.850813][ T6828] ? tcf_action_init_1+0xac0/0xac0 [ 59.855909][ T6828] tcf_action_add+0xd9/0x360 [ 59.860469][ T6828] ? tca_action_gd+0xda0/0xda0 [ 59.865204][ T6828] ? lock_acquire+0x1f3/0xae0 [ 59.869869][ T6828] ? bpf_lsm_capable+0x5/0x10 [ 59.874517][ T6828] ? __nla_parse+0x3d/0x4a [ 59.878918][ T6828] tc_ctl_action+0x33a/0x439 [ 59.883478][ T6828] ? tcf_action_add+0x360/0x360 [ 59.888309][ T6828] ? lock_is_held_type+0xbb/0xf0 [ 59.893220][ T6828] ? tcf_action_add+0x360/0x360 [ 59.898042][ T6828] rtnetlink_rcv_msg+0x44e/0xad0 [ 59.902952][ T6828] ? rtnetlink_put_metrics+0x510/0x510 [ 59.908394][ T6828] ? lock_acquire+0x1f3/0xae0 [ 59.913055][ T6828] ? netlink_deliver_tap+0x146/0xb70 [ 59.918320][ T6828] netlink_rcv_skb+0x15a/0x430 [ 59.923056][ T6828] ? rtnetlink_put_metrics+0x510/0x510 [ 59.928484][ T6828] ? netlink_ack+0xa10/0xa10 [ 59.933060][ T6828] ? __kmalloc_node_track_caller+0x38/0x60 [ 59.938839][ T6828] netlink_unicast+0x533/0x7d0 [ 59.943574][ T6828] ? netlink_attachskb+0x810/0x810 [ 59.948659][ T6828] ? __phys_addr_symbol+0x2c/0x70 [ 59.953661][ T6828] ? __check_object_size+0x171/0x3e4 [ 59.958916][ T6828] netlink_sendmsg+0x856/0xd90 [ 59.963661][ T6828] ? netlink_unicast+0x7d0/0x7d0 [ 59.968569][ T6828] ? bpf_lsm_socket_sendmsg+0x5/0x10 [ 59.973832][ T6828] ? netlink_unicast+0x7d0/0x7d0 [ 59.978754][ T6828] sock_sendmsg+0xcf/0x120 [ 59.983150][ T6828] ____sys_sendmsg+0x6e8/0x810 [ 59.987882][ T6828] ? kernel_sendmsg+0x50/0x50 [ 59.992527][ T6828] ? do_recvmmsg+0x6d0/0x6d0 [ 59.997099][ T6828] ? lockdep_hardirqs_on_prepare+0x530/0x530 [ 60.003049][ T6828] ? lock_is_held_type+0xbb/0xf0 [ 60.007955][ T6828] ? find_held_lock+0x2d/0x110 [ 60.012688][ T6828] ___sys_sendmsg+0xf3/0x170 [ 60.017259][ T6828] ? sendmsg_copy_msghdr+0x160/0x160 [ 60.022516][ T6828] ? __fget_files+0x272/0x400 [ 60.027161][ T6828] ? lock_downgrade+0x830/0x830 [ 60.031981][ T6828] ? do_huge_pmd_anonymous_page+0x8f2/0x2200 [ 60.037931][ T6828] ? __fget_files+0x294/0x400 [ 60.042592][ T6828] ? __fget_light+0xea/0x280 [ 60.047161][ T6828] __sys_sendmsg+0xe5/0x1b0 [ 60.051637][ T6828] ? __sys_sendmsg_sock+0xb0/0xb0 [ 60.056643][ T6828] ? syscall_enter_from_user_mode+0x20/0x290 [ 60.062593][ T6828] ? lockdep_hardirqs_on+0x53/0x100 [ 60.067760][ T6828] do_syscall_64+0x2d/0x70 [ 60.072146][ T6828] entry_SYSCALL_64_after_hwframe+0x44/0xa9 [ 60.078877][ T6828] RIP: 0033:0x445d79 [ 60.082746][ T6828] Code: e8 bc b7 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 ab 11 fc ff c3 66 2e 0f 1f 84 00 00 00 00 [ 60.102333][ T6828] RSP: 002b:00007f152bcf3d98 EFLAGS: 00000246 ORIG_RAX: 000000000000002e [ 60.110713][ T6828] RAX: ffffffffffffffda RBX: 00000000006dac28 RCX: 0000000000445d79 [ 60.118663][ T6828] RDX: 0000000000000000 RSI: 0000000020002980 RDI: 0000000000000003 [ 60.126611][ T6828] RBP: 00000000006dac20 R08: 0000000000000000 R09: 0000000000000000 [ 60.134554][ T6828] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dac2c [ 60.142496][ T6828] R13: 0001008400000000 R14: 0000000000000000 R15: 053b003000000098 [ 60.151710][ T6828] Kernel Offset: disabled [ 60.156021][ T6828] Rebooting in 86400 seconds..