[ 72.306700][ T27] audit: type=1800 audit(1579371936.582:26): pid=9726 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ 73.285025][ T27] kauditd_printk_skb: 2 callbacks suppressed
[ 73.285037][ T27] audit: type=1800 audit(1579371937.592:29): pid=9726 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="rc.local" dev="sda1" ino=2432 res=0
[ 73.311750][ T27] audit: type=1800 audit(1579371937.592:30): pid=9726 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="rmnologin" dev="sda1" ino=2423 res=0

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.27' (ECDSA) to the list of known hosts.
executing program
executing program
syzkaller login:
[ 82.519800][ T9880] ==================================================================
[ 82.527999][ T9880] BUG: KASAN: use-after-free in bitmap_port_ext_cleanup+0xe6/0x2a0
[ 82.535885][ T9880] Read of size 8 at addr ffff88809ae62740 by task syz-executor957/9880
[ 82.544142][ T9880]
[ 82.546473][ T9880] CPU: 0 PID: 9880 Comm: syz-executor957 Not tainted 5.5.0-rc6-syzkaller #0
[ 82.555140][ T9880] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 82.565186][ T9880] Call Trace:
[ 82.568564][ T9880]  dump_stack+0x197/0x210
[ 82.572883][ T9880]  ? bitmap_port_ext_cleanup+0xe6/0x2a0
[ 82.578429][ T9880]  print_address_description.constprop.0.cold+0xd4/0x30b
[ 82.585496][ T9880]  ? bitmap_port_ext_cleanup+0xe6/0x2a0
[ 82.591035][ T9880]  ? bitmap_port_ext_cleanup+0xe6/0x2a0
[ 82.596577][ T9880]  __kasan_report.cold+0x1b/0x41
[ 82.601510][ T9880]  ? kfree+0x180/0x2c0
[ 82.605579][ T9880]  ? bitmap_port_ext_cleanup+0xe6/0x2a0
[ 82.611183][ T9880]  kasan_report+0x12/0x20
[ 82.615506][ T9880]  check_memory_region+0x134/0x1a0
[ 82.620671][ T9880]  __kasan_check_read+0x11/0x20
[ 82.625609][ T9880]  bitmap_port_ext_cleanup+0xe6/0x2a0
[ 82.631002][ T9880]  bitmap_port_destroy+0x17c/0x1d0
[ 82.636205][ T9880]  ip_set_create+0xe47/0x1500
[ 82.640873][ T9880]  ? ip_set_destroy+0xb70/0xb70
[ 82.645785][ T9880]  ? ip_set_destroy+0xb70/0xb70
[ 82.650741][ T9880]  nfnetlink_rcv_msg+0xcf2/0xfb0
[ 82.655675][ T9880]  ? nfnetlink_bind+0x2c0/0x2c0
[ 82.660683][ T9880]  ? __kasan_check_read+0x11/0x20
[ 82.665884][ T9880]  ? __lock_acquire+0x8a0/0x4a00
[ 82.670919][ T9880]  ? save_stack+0x5c/0x90
[ 82.675261][ T9880]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 82.681596][ T9880]  ? apparmor_capable+0x497/0x900
[ 82.686633][ T9880]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 82.692955][ T9880]  ? __kasan_check_read+0x11/0x20
[ 82.698103][ T9880]  ? apparmor_cred_prepare+0x7b0/0x7b0
[ 82.703791][ T9880]  netlink_rcv_skb+0x177/0x450
[ 82.708561][ T9880]  ? nfnetlink_bind+0x2c0/0x2c0
[ 82.713424][ T9880]  ? netlink_ack+0xb50/0xb50
[ 82.718004][ T9880]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 82.725128][ T9880]  ? ns_capable_common+0x93/0x100
[ 82.730154][ T9880]  ? ns_capable+0x20/0x30
[ 82.734477][ T9880]  ? __netlink_ns_capable+0x104/0x140
[ 82.739850][ T9880]  nfnetlink_rcv+0x1ba/0x460
[ 82.744428][ T9880]  ? nfnetlink_rcv_batch+0x17a0/0x17a0
[ 82.749889][ T9880]  ? netlink_deliver_tap+0x24a/0xbe0
[ 82.755242][ T9880]  ? __kasan_check_write+0x14/0x20
[ 82.760415][ T9880]  netlink_unicast+0x58c/0x7d0
[ 82.765222][ T9880]  ? netlink_attachskb+0x870/0x870
[ 82.770325][ T9880]  ? __sanitizer_cov_trace_cmp8+0x18/0x20
[ 82.776034][ T9880]  ? __check_object_size+0x3d/0x437
[ 82.781264][ T9880]  netlink_sendmsg+0x91c/0xea0
[ 82.786159][ T9880]  ? netlink_unicast+0x7d0/0x7d0
[ 82.791103][ T9880]  ? aa_sock_msg_perm.isra.0+0xba/0x170
[ 82.796752][ T9880]  ? apparmor_socket_sendmsg+0x2a/0x30
[ 82.802238][ T9880]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 82.808495][ T9880]  ? security_socket_sendmsg+0x8d/0xc0
[ 82.813978][ T9880]  ? netlink_unicast+0x7d0/0x7d0
[ 82.818902][ T9880]  sock_sendmsg+0xd7/0x130
[ 82.823326][ T9880]  ____sys_sendmsg+0x753/0x880
[ 82.828087][ T9880]  ? kernel_sendmsg+0x50/0x50
[ 82.832759][ T9880]  ? mark_held_locks+0xa4/0xf0
[ 82.837529][ T9880]  ? do_huge_pmd_anonymous_page+0x1463/0x1a50
[ 82.843680][ T9880]  ___sys_sendmsg+0x100/0x170
[ 82.848366][ T9880]  ? sendmsg_copy_msghdr+0x70/0x70
[ 82.853497][ T9880]  ? prep_transhuge_page+0xa0/0xa0
[ 82.858597][ T9880]  ? __do_page_fault+0x56a/0xd80
[ 82.863537][ T9880]  ? find_held_lock+0x35/0x130
[ 82.868294][ T9880]  ? __do_page_fault+0x56a/0xd80
[ 82.873241][ T9880]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 82.879465][ T9880]  ? __fget_light+0x1a9/0x230
[ 82.884175][ T9880]  ? __fdget+0x1b/0x20
[ 82.888362][ T9880]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 82.894677][ T9880]  __sys_sendmsg+0x105/0x1d0
[ 82.899345][ T9880]  ? __sys_sendmsg_sock+0xc0/0xc0
[ 82.904383][ T9880]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 82.910045][ T9880]  ? do_fast_syscall_32+0xd1/0xe16
[ 82.915176][ T9880]  ? entry_SYSENTER_compat+0x70/0x7f
[ 82.920587][ T9880]  ? do_fast_syscall_32+0xd1/0xe16
[ 82.925700][ T9880]  __ia32_compat_sys_sendmsg+0x7a/0xb0
[ 82.931222][ T9880]  do_fast_syscall_32+0x27b/0xe16
[ 82.936276][ T9880]  entry_SYSENTER_compat+0x70/0x7f
[ 82.941395][ T9880] RIP: 0023:0xf7f31a39
[ 82.945599][ T9880] Code: 00 00 00 89 d3 5b 5e 5f 5d c3 b8 80 96 98 00 eb c4 8b 04 24 c3 8b 1c 24 c3 8b 34 24 c3 8b 3c 24 c3 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 eb 0d 90 90 90 90 90 90 90 90 90 90 90 90
[ 82.965194][ T9880] RSP: 002b:00000000ffd5fa0c EFLAGS: 00000202 ORIG_RAX: 0000000000000172
[ 82.973602][ T9880] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000020001080
[ 82.981744][ T9880] RDX: 0000000000000000 RSI: 0000000000000001 RDI: 00000000ffd5fb24
[ 82.989711][ T9880] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[ 82.997886][ T9880] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[ 83.006021][ T9880] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 83.014012][ T9880]
[ 83.016340][ T9880] Allocated by task 9880:
[ 83.020794][ T9880]  save_stack+0x23/0x90
[ 83.024944][ T9880]  __kasan_kmalloc.constprop.0+0xcf/0xe0
[ 83.030703][ T9880]  kasan_kmalloc+0x9/0x10
[ 83.035107][ T9880]  __kmalloc+0x163/0x770
[ 83.039445][ T9880]  ip_set_alloc+0x38/0x5e
[ 83.043858][ T9880]  bitmap_port_create+0x3dc/0x7c0
[ 83.048981][ T9880]  ip_set_create+0x6f1/0x1500
[ 83.053750][ T9880]  nfnetlink_rcv_msg+0xcf2/0xfb0
[ 83.058687][ T9880]  netlink_rcv_skb+0x177/0x450
[ 83.063522][ T9880]  nfnetlink_rcv+0x1ba/0x460
[ 83.068240][ T9880]  netlink_unicast+0x58c/0x7d0
[ 83.073099][ T9880]  netlink_sendmsg+0x91c/0xea0
[ 83.077849][ T9880]  sock_sendmsg+0xd7/0x130
[ 83.082366][ T9880]  ____sys_sendmsg+0x753/0x880
[ 83.087123][ T9880]  ___sys_sendmsg+0x100/0x170
[ 83.091790][ T9880]  __sys_sendmsg+0x105/0x1d0
[ 83.096428][ T9880]  __ia32_compat_sys_sendmsg+0x7a/0xb0
[ 83.101961][ T9880]  do_fast_syscall_32+0x27b/0xe16
[ 83.106981][ T9880]  entry_SYSENTER_compat+0x70/0x7f
[ 83.112075][ T9880]
[ 83.114410][ T9880] Freed by task 9880:
[ 83.118384][ T9880]  save_stack+0x23/0x90
[ 83.122551][ T9880]  __kasan_slab_free+0x102/0x150
[ 83.127589][ T9880]  kasan_slab_free+0xe/0x10
[ 83.132275][ T9880]  kfree+0x10a/0x2c0
[ 83.136261][ T9880]  kvfree+0x61/0x70
[ 83.140059][ T9880]  ip_set_free+0x16/0x20
[ 83.144816][ T9880]  bitmap_port_destroy+0xae/0x1d0
[ 83.149945][ T9880]  ip_set_create+0xe47/0x1500
[ 83.154623][ T9880]  nfnetlink_rcv_msg+0xcf2/0xfb0
[ 83.159738][ T9880]  netlink_rcv_skb+0x177/0x450
[ 83.164493][ T9880]  nfnetlink_rcv+0x1ba/0x460
[ 83.169091][ T9880]  netlink_unicast+0x58c/0x7d0
[ 83.173979][ T9880]  netlink_sendmsg+0x91c/0xea0
[ 83.178724][ T9880]  sock_sendmsg+0xd7/0x130
[ 83.183200][ T9880]  ____sys_sendmsg+0x753/0x880
[ 83.188001][ T9880]  ___sys_sendmsg+0x100/0x170
[ 83.192671][ T9880]  __sys_sendmsg+0x105/0x1d0
[ 83.197319][ T9880]  __ia32_compat_sys_sendmsg+0x7a/0xb0
[ 83.202772][ T9880]  do_fast_syscall_32+0x27b/0xe16
[ 83.207783][ T9880]  entry_SYSENTER_compat+0x70/0x7f
[ 83.212873][ T9880]
[ 83.215302][ T9880] The buggy address belongs to the object at ffff88809ae62740
[ 83.215302][ T9880]  which belongs to the cache kmalloc-32 of size 32
[ 83.229307][ T9880] The buggy address is located 0 bytes inside of
[ 83.229307][ T9880]  32-byte region [ffff88809ae62740, ffff88809ae62760)
[ 83.242300][ T9880] The buggy address belongs to the page:
[ 83.248163][ T9880] page:ffffea00026b9880 refcount:1 mapcount:0 mapping:ffff8880aa4001c0 index:0xffff88809ae62fc1
[ 83.258680][ T9880] raw: 00fffe0000000200 ffffea0002915648 ffffea00026d7f08 ffff8880aa4001c0
[ 83.267325][ T9880] raw: ffff88809ae62fc1 ffff88809ae62000 000000010000003e 0000000000000000
[ 83.276431][ T9880] page dumped because: kasan: bad access detected
[ 83.282884][ T9880]
[ 83.285212][ T9880] Memory state around the buggy address:
[ 83.290882][ T9880]  ffff88809ae62600: fb fb fb fb fc fc fc fc 00 04 fc fc fc fc fc fc
[ 83.299006][ T9880]  ffff88809ae62680: 00 04 fc fc fc fc fc fc 00 00 06 fc fc fc fc fc
[ 83.307303][ T9880] >ffff88809ae62700: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[ 83.315468][ T9880]                                            ^
[ 83.322506][ T9880]  ffff88809ae62780: fb fb fb fb fc fc fc fc 04 fc fc fc fc fc fc fc
[ 83.330642][ T9880]  ffff88809ae62800: 05 fc fc fc fc fc fc fc 05 fc fc fc fc fc fc fc
[ 83.339060][ T9880] ==================================================================
[ 83.347106][ T9880] Disabling lock debugging due to kernel taint
[ 83.353848][ T9880] Kernel panic - not syncing: panic_on_warn set ...
[ 83.360463][ T9880] CPU: 0 PID: 9880 Comm: syz-executor957 Tainted: G B 5.5.0-rc6-syzkaller #0
[ 83.370507][ T9880] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 83.380551][ T9880] Call Trace:
[ 83.383830][ T9880]  dump_stack+0x197/0x210
[ 83.388141][ T9880]  panic+0x2e3/0x75c
[ 83.392110][ T9880]  ? add_taint.cold+0x16/0x16
[ 83.396785][ T9880]  ? bitmap_port_ext_cleanup+0xe6/0x2a0
[ 83.402321][ T9880]  ? preempt_schedule+0x4b/0x60
[ 83.407162][ T9880]  ? ___preempt_schedule+0x16/0x18
[ 83.412385][ T9880]  ? trace_hardirqs_on+0x5e/0x240
[ 83.418731][ T9880]  ? bitmap_port_ext_cleanup+0xe6/0x2a0
[ 83.424268][ T9880]  end_report+0x47/0x4f
[ 83.428458][ T9880]  ? bitmap_port_ext_cleanup+0xe6/0x2a0
[ 83.434146][ T9880]  __kasan_report.cold+0xe/0x41
[ 83.438989][ T9880]  ? kfree+0x180/0x2c0
[ 83.443055][ T9880]  ? bitmap_port_ext_cleanup+0xe6/0x2a0
[ 83.449359][ T9880]  kasan_report+0x12/0x20
[ 83.453679][ T9880]  check_memory_region+0x134/0x1a0
[ 83.458783][ T9880]  __kasan_check_read+0x11/0x20
[ 83.463622][ T9880]  bitmap_port_ext_cleanup+0xe6/0x2a0
[ 83.468982][ T9880]  bitmap_port_destroy+0x17c/0x1d0
[ 83.474088][ T9880]  ip_set_create+0xe47/0x1500
[ 83.478791][ T9880]  ? ip_set_destroy+0xb70/0xb70
[ 83.483740][ T9880]  ? ip_set_destroy+0xb70/0xb70
[ 83.488585][ T9880]  nfnetlink_rcv_msg+0xcf2/0xfb0
[ 83.493560][ T9880]  ? nfnetlink_bind+0x2c0/0x2c0
[ 83.498506][ T9880]  ? __kasan_check_read+0x11/0x20
[ 83.503564][ T9880]  ? __lock_acquire+0x8a0/0x4a00
[ 83.508490][ T9880]  ? save_stack+0x5c/0x90
[ 83.512813][ T9880]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 83.519038][ T9880]  ? apparmor_capable+0x497/0x900
[ 83.524062][ T9880]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 83.530301][ T9880]  ? __kasan_check_read+0x11/0x20
[ 83.535350][ T9880]  ? apparmor_cred_prepare+0x7b0/0x7b0
[ 83.540791][ T9880]  netlink_rcv_skb+0x177/0x450
[ 83.545546][ T9880]  ? nfnetlink_bind+0x2c0/0x2c0
[ 83.550392][ T9880]  ? netlink_ack+0xb50/0xb50
[ 83.554969][ T9880]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 83.561199][ T9880]  ? ns_capable_common+0x93/0x100
[ 83.566216][ T9880]  ? ns_capable+0x20/0x30
[ 83.570535][ T9880]  ? __netlink_ns_capable+0x104/0x140
[ 83.575892][ T9880]  nfnetlink_rcv+0x1ba/0x460
[ 83.580490][ T9880]  ? nfnetlink_rcv_batch+0x17a0/0x17a0
[ 83.585937][ T9880]  ? netlink_deliver_tap+0x24a/0xbe0
[ 83.591270][ T9880]  ? __kasan_check_write+0x14/0x20
[ 83.596375][ T9880]  netlink_unicast+0x58c/0x7d0
[ 83.601131][ T9880]  ? netlink_attachskb+0x870/0x870
[ 83.606228][ T9880]  ? __sanitizer_cov_trace_cmp8+0x18/0x20
[ 83.611941][ T9880]  ? __check_object_size+0x3d/0x437
[ 83.617126][ T9880]  netlink_sendmsg+0x91c/0xea0
[ 83.621919][ T9880]  ? netlink_unicast+0x7d0/0x7d0
[ 83.626849][ T9880]  ? aa_sock_msg_perm.isra.0+0xba/0x170
[ 83.632389][ T9880]  ? apparmor_socket_sendmsg+0x2a/0x30
[ 83.638024][ T9880]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 83.644264][ T9880]  ? security_socket_sendmsg+0x8d/0xc0
[ 83.649942][ T9880]  ? netlink_unicast+0x7d0/0x7d0
[ 83.654989][ T9880]  sock_sendmsg+0xd7/0x130
[ 83.659398][ T9880]  ____sys_sendmsg+0x753/0x880
[ 83.664148][ T9880]  ? kernel_sendmsg+0x50/0x50
[ 83.668995][ T9880]  ? mark_held_locks+0xa4/0xf0
[ 83.673897][ T9880]  ? do_huge_pmd_anonymous_page+0x1463/0x1a50
[ 83.679966][ T9880]  ___sys_sendmsg+0x100/0x170
[ 83.684635][ T9880]  ? sendmsg_copy_msghdr+0x70/0x70
[ 83.689911][ T9880]  ? prep_transhuge_page+0xa0/0xa0
[ 83.695148][ T9880]  ? __do_page_fault+0x56a/0xd80
[ 83.700072][ T9880]  ? find_held_lock+0x35/0x130
[ 83.704878][ T9880]  ? __do_page_fault+0x56a/0xd80
[ 83.710691][ T9880]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 83.717028][ T9880]  ? __fget_light+0x1a9/0x230
[ 83.721692][ T9880]  ? __fdget+0x1b/0x20
[ 83.727943][ T9880]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 83.734169][ T9880]  __sys_sendmsg+0x105/0x1d0
[ 83.739326][ T9880]  ? __sys_sendmsg_sock+0xc0/0xc0
[ 83.744545][ T9880]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 83.749993][ T9880]  ? do_fast_syscall_32+0xd1/0xe16
[ 83.755284][ T9880]  ? entry_SYSENTER_compat+0x70/0x7f
[ 83.760613][ T9880]  ? do_fast_syscall_32+0xd1/0xe16
[ 83.765714][ T9880]  __ia32_compat_sys_sendmsg+0x7a/0xb0
[ 83.771288][ T9880]  do_fast_syscall_32+0x27b/0xe16
[ 83.776303][ T9880]  entry_SYSENTER_compat+0x70/0x7f
[ 83.781523][ T9880] RIP: 0023:0xf7f31a39
[ 83.785610][ T9880] Code: 00 00 00 89 d3 5b 5e 5f 5d c3 b8 80 96 98 00 eb c4 8b 04 24 c3 8b 1c 24 c3 8b 34 24 c3 8b 3c 24 c3 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 eb 0d 90 90 90 90 90 90 90 90 90 90 90 90
[ 83.805435][ T9880] RSP: 002b:00000000ffd5fa0c EFLAGS: 00000202 ORIG_RAX: 0000000000000172
[ 83.813959][ T9880] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000020001080
[ 83.821921][ T9880] RDX: 0000000000000000 RSI: 0000000000000001 RDI: 00000000ffd5fb24
[ 83.829885][ T9880] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[ 83.837841][ T9880] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[ 83.845825][ T9880] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 83.855401][ T9880] Kernel Offset: disabled
[ 83.859804][ T9880] Rebooting in 86400 seconds..
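As an added example (not part of the syzbot report above, of syzkaller or of the kernel tree), the following Python script triages a KASAN report in exactly this console format: it strips the `[ time][ Tpid]` prefix, collects the faulting trace and the `Allocated by` / `Freed by` stacks while discarding the unreliable `?` frames, skips KASAN and allocator plumbing to find the real use, allocation and free sites, stops at the closing `====` rule so the repeated panic trace does not pollute the result, and decodes the shadow byte covering the faulting address (one shadow byte per 8 bytes of memory; `fb` is a freed slab object, `fc` a slab redzone, `00` addressable, `01`..`07` partially addressable). The sample input is an abbreviated copy of the report above with most frames dropped; the legend values are KASAN's shadow constants for this kernel generation, and the function names (`triage`, `shared_frame`, and so on) are this example's own.

```python
"""KASAN report triage: added example, not code from the syzbot report above, syzkaller or the kernel."""
import re

# Constructed sample: an abbreviated copy of the report above (most frames dropped).
SAMPLE_REPORT = """\
[ 82.527999][ T9880] BUG: KASAN: use-after-free in bitmap_port_ext_cleanup+0xe6/0x2a0
[ 82.535885][ T9880] Read of size 8 at addr ffff88809ae62740 by task syz-executor957/9880
[ 82.565186][ T9880] Call Trace:
[ 82.572883][ T9880]  ? bitmap_port_ext_cleanup+0xe6/0x2a0
[ 82.611183][ T9880]  kasan_report+0x12/0x20
[ 82.625609][ T9880]  bitmap_port_ext_cleanup+0xe6/0x2a0
[ 82.631002][ T9880]  bitmap_port_destroy+0x17c/0x1d0
[ 82.636205][ T9880]  ip_set_create+0xe47/0x1500
[ 83.014012][ T9880]
[ 83.016340][ T9880] Allocated by task 9880:
[ 83.035107][ T9880]  __kmalloc+0x163/0x770
[ 83.039445][ T9880]  ip_set_alloc+0x38/0x5e
[ 83.112075][ T9880]
[ 83.114410][ T9880] Freed by task 9880:
[ 83.132275][ T9880]  kfree+0x10a/0x2c0
[ 83.140059][ T9880]  ip_set_free+0x16/0x20
[ 83.144816][ T9880]  bitmap_port_destroy+0xae/0x1d0
[ 83.212873][ T9880]
[ 83.215302][ T9880]  which belongs to the cache kmalloc-32 of size 32
[ 83.299006][ T9880]  ffff88809ae62680: 00 04 fc fc fc fc fc fc 00 00 06 fc fc fc fc fc
[ 83.307303][ T9880] >ffff88809ae62700: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[ 83.339060][ T9880] ==================================================================
[ 83.380551][ T9880] Call Trace:
[ 83.388141][ T9880]  panic+0x2e3/0x75c
"""

PREFIX = re.compile(r"^\[\s*[\d.]+\]\[\s*T\d+\]\s?")               # "[ 82.5][ T9880] "
BUG = re.compile(r"BUG: KASAN: (?P<kind>[\w-]+) in (?P<func>[\w.]+)\+0x")
ACCESS = re.compile(r"(?P<rw>Read|Write) of size (?P<size>\d+) at addr (?P<addr>[0-9a-f]+)")
FRAME = re.compile(r"^(?P<stale>\? )?(?P<func>[\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+$")
CACHE = re.compile(r"belongs to the cache (?P<cache>\S+) of size")
SHADOW = re.compile(r"^>?(?P<base>[0-9a-f]{16}): (?P<bytes>(?:[0-9a-f]{2} ?){16})$")
SHADOW_SCALE = 8   # one shadow byte describes 8 bytes of kernel memory
LEGEND = {0x00: "addressable", 0xfa: "global redzone", 0xfb: "freed slab object",
          0xfc: "slab object redzone", 0xfe: "kmalloc_large redzone", 0xff: "freed page"}
PLUMBING = ("dump_stack", "print_address_description", "__kasan_", "kasan_",   # KASAN and
            "check_memory_region", "save_stack", "__kmalloc", "kmalloc", "kfree",  # allocator
            "kvfree", "kmem_cache_")                                              # frames

def parse_report(text):
    """Header fields, the three stacks (innermost first) and the shadow rows."""
    r = {"trace": [], "alloc": [], "free": [], "shadow": {}}
    section = None
    for raw in text.splitlines():
        line = PREFIX.sub("", raw).strip()
        if line.startswith("=" * 8) and "kind" in r:
            break                                   # closing rule: ignore the panic trace
        if not line:
            section = None                          # a blank line closes a stack
        elif (m := BUG.search(line)):
            r["kind"], r["func"] = m["kind"], m["func"]
        elif (m := ACCESS.search(line)):
            r["access"], r["size"], r["addr"] = m["rw"], int(m["size"]), int(m["addr"], 16)
        elif (m := CACHE.search(line)):
            r["cache"] = m["cache"]
        elif (m := SHADOW.match(line)):
            r["shadow"][int(m["base"], 16)] = [int(b, 16) for b in m["bytes"].split()]
        elif line == "Call Trace:":
            section = r["trace"]
        elif line.startswith("Allocated by task"):
            section = r["alloc"]
        elif line.startswith("Freed by task"):
            section = r["free"]
        elif section is not None and (m := FRAME.match(line)) and not m["stale"]:
            section.append(m["func"])               # '?' frames are stack-scan guesses
    return r

def shadow_byte(r, addr=None):
    addr = r["addr"] if addr is None else addr
    for base, row in r["shadow"].items():
        if base <= addr < base + len(row) * SHADOW_SCALE:
            return row[(addr - base) // SHADOW_SCALE]
    return None                                     # address not in the dumped window

def describe_shadow(val):
    if 1 <= val <= 7:
        return f"partially addressable ({val} of {SHADOW_SCALE} bytes valid)"
    return LEGEND.get(val, f"unknown 0x{val:02x}")

def first_real_frame(frames):
    return next((f for f in frames if not f.startswith(PLUMBING)), "")

def shared_frame(r):
    """Innermost function on both the faulting trace and the free stack; if one
    exists, a single code path freed the object and then touched it."""
    freed = set(r["free"])
    return next((f for f in r["trace"] if f in freed and not f.startswith(PLUMBING)), "")

def triage(text):
    sb = shadow_byte(r := parse_report(text))
    return {"bug": f'{r["kind"]} {r["access"].lower()} of {r["size"]} bytes in {r["func"]}',
            "use_site": first_real_frame(r["trace"]),
            "alloc_site": first_real_frame(r["alloc"]),
            "free_site": first_real_frame(r["free"]),
            "shared_frame": shared_frame(r),
            "shadow": None if sb is None else f"0x{sb:02x} = {describe_shadow(sb)}"}
```

Call `triage(SAMPLE_REPORT)`, or feed it the full console log as text. For this report it yields a use-after-free read of 8 bytes in bitmap_port_ext_cleanup on a kmalloc-32 object allocated via ip_set_alloc and freed via ip_set_free, with bitmap_port_destroy as the innermost frame shared by the free stack (+0xae) and the faulting trace (+0x17c) under the same ip_set_create+0xe47 call site: the destroy path frees the set's storage and then reads it again, which is also what the `fb` shadow byte covering the object's first eight bytes says.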