[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
Starting Load/Save RF Kill Switch Status...
[ OK ] Started Update UTMP about System Runlevel Changes.
[ OK ] Started Load/Save RF Kill Switch Status.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.0.190' (ECDSA) to the list of known hosts.
executing program
executing program
executing program
executing program
executing program
executing program
syzkaller login: [ 42.574031] audit: type=1400 audit(1598215576.637:8): avc: denied { execmem } for pid=6472 comm="syz-executor669" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=1
executing program
executing program
executing program
executing program
[ 42.697249] ==================================================================
[ 42.704751] BUG: KASAN: use-after-free in __list_del_entry_valid+0xcc/0xef
[ 42.711772] Read of size 8 at addr ffff8880a5082308 by task syz-executor669/6483
[ 42.719392]
[ 42.721030] CPU: 1 PID: 6483 Comm: syz-executor669 Not tainted 4.19.141-syzkaller #0
[ 42.728908] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 42.738292] Call Trace:
[ 42.740901] dump_stack+0x1fc/0x2fe
[ 42.744518] print_address_description.cold+0x54/0x219
[ 42.749785] kasan_report_error.cold+0x8a/0x1c7
[ 42.754449] ? __list_del_entry_valid+0xcc/0xef
[ 42.759102] __asan_report_load8_noabort+0x88/0x90
[ 42.764019] ? __list_del_entry_valid+0xcc/0xef
[ 42.768672] __list_del_entry_valid+0xcc/0xef
[ 42.773155] __nf_tables_abort+0x1fde/0x2ca0
[ 42.777573] ? mark_held_locks+0xa6/0xf0
[ 42.781640] ? kfree+0x110/0x210
[ 42.785016] ? nfnetlink_rcv_batch+0x125c/0x1df0
[ 42.789774] nf_tables_abort+0x13/0x30
[ 42.793674] nfnetlink_rcv_batch+0xb66/0x1df0
[ 42.798202] ? nfnetlink_bind+0x2b0/0x2b0
[ 42.802356] ? __netlink_lookup+0x353/0x730
[ 42.806680] ? lock_downgrade+0x720/0x720
[ 42.810809] ? cap_capable+0x1eb/0x250
[ 42.814697] ? security_capable+0x8f/0xc0
[ 42.818826] ? memset+0x20/0x40
[ 42.822088] ? nla_parse+0x1b2/0x290
[ 42.825789] nfnetlink_rcv+0x3b5/0x41b
[ 42.829666] ? nfnetlink_rcv_batch+0x1df0/0x1df0
[ 42.834427] netlink_unicast+0x4d5/0x690
[ 42.838500] ? netlink_sendskb+0x110/0x110
[ 42.842743] netlink_sendmsg+0x6bb/0xc40
[ 42.846804] ? nlmsg_notify+0x1a0/0x1a0
[ 42.850759] ? kernel_recvmsg+0x220/0x220
[ 42.854900] ? nlmsg_notify+0x1a0/0x1a0
[ 42.858866] sock_sendmsg+0xc3/0x120
[ 42.862578] ___sys_sendmsg+0x7bb/0x8e0
[ 42.866555] ? copy_msghdr_from_user+0x440/0x440
[ 42.871306] ? do_huge_pmd_anonymous_page+0x939/0x1cc0
[ 42.876578] ? __fget+0x32f/0x510
[ 42.880052] ? lock_downgrade+0x720/0x720
[ 42.884189] ? check_preemption_disabled+0x41/0x280
[ 42.889188] ? check_preemption_disabled+0x41/0x280
[ 42.894192] ? __fget+0x356/0x510
[ 42.897633] ? do_dup2+0x450/0x450
[ 42.901185] ? __fdget+0x1d0/0x230
[ 42.904738] __x64_sys_sendmsg+0x132/0x220
[ 42.908982] ? __sys_sendmsg+0x1b0/0x1b0
[ 42.913032] ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 42.917768] ? trace_hardirqs_off_caller+0x69/0x210
[ 42.922783] ? do_syscall_64+0x21/0x620
[ 42.926757] do_syscall_64+0xf9/0x620
[ 42.930551] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 42.935748] RIP: 0033:0x446af9
[ 42.938924] Code: e8 0c e8 ff ff 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 db 06 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 42.957813] RSP: 002b:00007f29fb665d98 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 42.965525] RAX: ffffffffffffffda RBX: 00000000006dbc28 RCX: 0000000000446af9
[ 42.972802] RDX: 0000000000000000 RSI: 0000000020000280 RDI: 0000000000000003
[ 42.980059] RBP: 00000000006dbc20 R08: 0000000000000000 R09: 0000000000000000
[ 42.987317] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dbc2c
[ 42.994602] R13: 000000200a000000 R14: 0000002000006c1e R15: 0000001000000014
[ 43.001870]
[ 43.003485] Allocated by task 6483:
[ 43.007109] kmem_cache_alloc_trace+0x12f/0x380
[ 43.011762] nf_tables_newtable+0xad9/0x1620
[ 43.016155] nfnetlink_rcv_batch+0x10d5/0x1df0
[ 43.020761] nfnetlink_rcv+0x3b5/0x41b
[ 43.024628] netlink_unicast+0x4d5/0x690
[ 43.028668] netlink_sendmsg+0x6bb/0xc40
[ 43.032719] sock_sendmsg+0xc3/0x120
[ 43.036443] ___sys_sendmsg+0x7bb/0x8e0
[ 43.040413] __x64_sys_sendmsg+0x132/0x220
[ 43.044680] do_syscall_64+0xf9/0x620
[ 43.048468] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 43.053632]
[ 43.055238] Freed by task 6499:
[ 43.058499] kfree+0xcc/0x210
[ 43.061586] nf_tables_table_destroy+0xee/0x130
[ 43.066236] nf_tables_commit+0x2aba/0x57e6
[ 43.070539] nfnetlink_rcv_batch+0xe22/0x1df0
[ 43.075017] nfnetlink_rcv+0x3b5/0x41b
[ 43.078885] netlink_unicast+0x4d5/0x690
[ 43.082943] netlink_sendmsg+0x6bb/0xc40
[ 43.086991] sock_sendmsg+0xc3/0x120
[ 43.090688] ___sys_sendmsg+0x7bb/0x8e0
[ 43.094640] __x64_sys_sendmsg+0x132/0x220
[ 43.098863] do_syscall_64+0xf9/0x620
[ 43.102667] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 43.107840]
[ 43.109448] The buggy address belongs to the object at ffff8880a5082300
[ 43.109448]  which belongs to the cache kmalloc-512 of size 512
[ 43.122102] The buggy address is located 8 bytes inside of
[ 43.122102]  512-byte region [ffff8880a5082300, ffff8880a5082500)
[ 43.133786] The buggy address belongs to the page:
[ 43.138727] page:ffffea0002942080 count:1 mapcount:0 mapping:ffff88812c39c940 index:0xffff8880a5082800
[ 43.148156] flags: 0xfffe0000000100(slab)
[ 43.152303] raw: 00fffe0000000100 ffffea0002278048 ffffea0002855dc8 ffff88812c39c940
[ 43.160177] raw: ffff8880a5082800 ffff8880a5082080 0000000100000003 0000000000000000
[ 43.168055] page dumped because: kasan: bad access detected
[ 43.173746]
[ 43.175369] Memory state around the buggy address:
[ 43.180421]  ffff8880a5082200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 43.187775]  ffff8880a5082280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
executing program
[ 43.195132] >ffff8880a5082300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 43.202484]                       ^
[ 43.206107]  ffff8880a5082380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 43.213473]  ffff8880a5082400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 43.220816] ==================================================================
[ 43.228177] Disabling lock debugging due to kernel taint
[ 43.240476] Kernel panic - not syncing: panic_on_warn set ...
[ 43.240476]
[ 43.247883] CPU: 0 PID: 6483 Comm: syz-executor669 Tainted: G B 4.19.141-syzkaller #0
[ 43.257157] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 43.266513] Call Trace:
[ 43.269114] dump_stack+0x1fc/0x2fe
[ 43.272753] panic+0x26a/0x50e
[ 43.275950] ? __warn_printk+0xf3/0xf3
[ 43.279868] ? preempt_schedule_common+0x45/0xc0
[ 43.284667] ? ___preempt_schedule+0x16/0x18
[ 43.289067] ? trace_hardirqs_on+0x55/0x210
[ 43.293395] kasan_end_report+0x43/0x49
[ 43.297364] kasan_report_error.cold+0xa7/0x1c7
[ 43.302017] ? __list_del_entry_valid+0xcc/0xef
[ 43.306668] __asan_report_load8_noabort+0x88/0x90
[ 43.311580] ? __list_del_entry_valid+0xcc/0xef
[ 43.316282] __list_del_entry_valid+0xcc/0xef
[ 43.320777] __nf_tables_abort+0x1fde/0x2ca0
[ 43.325175] ? mark_held_locks+0xa6/0xf0
[ 43.329222] ? kfree+0x110/0x210
[ 43.332576] ? nfnetlink_rcv_batch+0x125c/0x1df0
[ 43.337315] nf_tables_abort+0x13/0x30
[ 43.341210] nfnetlink_rcv_batch+0xb66/0x1df0
[ 43.345714] ? nfnetlink_bind+0x2b0/0x2b0
[ 43.349862] ? __netlink_lookup+0x353/0x730
[ 43.354200] ? lock_downgrade+0x720/0x720
[ 43.358364] ? cap_capable+0x1eb/0x250
[ 43.362240] ? security_capable+0x8f/0xc0
[ 43.366378] ? memset+0x20/0x40
[ 43.369658] ? nla_parse+0x1b2/0x290
[ 43.373369] nfnetlink_rcv+0x3b5/0x41b
[ 43.377277] ? nfnetlink_rcv_batch+0x1df0/0x1df0
[ 43.382024] netlink_unicast+0x4d5/0x690
[ 43.386069] ? netlink_sendskb+0x110/0x110
[ 43.390294] netlink_sendmsg+0x6bb/0xc40
[ 43.394338] ? nlmsg_notify+0x1a0/0x1a0
[ 43.398300] ? kernel_recvmsg+0x220/0x220
[ 43.402430] ? nlmsg_notify+0x1a0/0x1a0
[ 43.406388] sock_sendmsg+0xc3/0x120
[ 43.410088] ___sys_sendmsg+0x7bb/0x8e0
[ 43.414082] ? copy_msghdr_from_user+0x440/0x440
[ 43.418833] ? do_huge_pmd_anonymous_page+0x939/0x1cc0
[ 43.424097] ? __fget+0x32f/0x510
[ 43.427550] ? lock_downgrade+0x720/0x720
[ 43.431700] ? check_preemption_disabled+0x41/0x280
[ 43.436715] ? check_preemption_disabled+0x41/0x280
[ 43.441730] ? __fget+0x356/0x510
[ 43.445185] ? do_dup2+0x450/0x450
[ 43.448729] ? __fdget+0x1d0/0x230
[ 43.452264] __x64_sys_sendmsg+0x132/0x220
[ 43.456510] ? __sys_sendmsg+0x1b0/0x1b0
[ 43.460575] ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 43.465315] ? trace_hardirqs_off_caller+0x69/0x210
[ 43.470316] ? do_syscall_64+0x21/0x620
[ 43.474273] do_syscall_64+0xf9/0x620
[ 43.478077] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 43.483254] RIP: 0033:0x446af9
[ 43.486475] Code: e8 0c e8 ff ff 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 db 06 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 43.505381] RSP: 002b:00007f29fb665d98 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 43.513073] RAX: ffffffffffffffda RBX: 00000000006dbc28 RCX: 0000000000446af9
[ 43.520325] RDX: 0000000000000000 RSI: 0000000020000280 RDI: 0000000000000003
[ 43.527607] RBP: 00000000006dbc20 R08: 0000000000000000 R09: 0000000000000000
[ 43.534898] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dbc2c
[ 43.542152] R13: 000000200a000000 R14: 0000002000006c1e R15: 0000001000000014
[ 43.550514] Kernel Offset: disabled
[ 43.554147] Rebooting in 86400 seconds..