Warning: Permanently added '10.128.0.34' (ECDSA) to the list of known hosts.
syzkaller login: [ 33.479505] audit: type=1400 audit(1591668159.693:8): avc: denied { execmem } for pid=6331 comm="syz-executor215" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=1
[ 33.725252] IPVS: ftp: loaded support on port[0] = 21
executing program
[ 34.564316] ==================================================================
[ 34.571966] BUG: KASAN: use-after-free in u32_destroy_key.constprop.0+0x1a7/0x1e0
[ 34.580611] Read of size 4 at addr ffff88809a949d98 by task kworker/u4:2/121
[ 34.587793]
[ 34.589421] CPU: 1 PID: 121 Comm: kworker/u4:2 Not tainted 4.14.183-syzkaller #0
[ 34.596936] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 34.606277] Workqueue: tc_filter_workqueue u32_delete_key_freepf_work
[ 34.612833] Call Trace:
[ 34.615404] dump_stack+0x1b2/0x283
[ 34.619012] ? u32_destroy_key.constprop.0+0x1a7/0x1e0
[ 34.624283] print_address_description.cold+0x54/0x1dc
[ 34.629557] ? u32_destroy_key.constprop.0+0x1a7/0x1e0
[ 34.634917] kasan_report.cold+0xa9/0x2b9
[ 34.639068] u32_destroy_key.constprop.0+0x1a7/0x1e0
[ 34.644170] u32_delete_key_freepf_work+0x1c/0x22
[ 34.649041] process_one_work+0x7c0/0x14c0
[ 34.653259] ? pwq_dec_nr_in_flight+0x2b0/0x2b0
[ 34.657923] ? worker_thread+0x163/0x1080
[ 34.662049] ? _raw_spin_unlock_irq+0x24/0x90
[ 34.666884] worker_thread+0x5d7/0x1080
[ 34.670840] ? process_one_work+0x14c0/0x14c0
[ 34.675329] kthread+0x30d/0x420
[ 34.678721] ? kthread_create_on_node+0xd0/0xd0
[ 34.683725] ret_from_fork+0x24/0x30
[ 34.687425]
[ 34.689035] Allocated by task 6353:
[ 34.692655] kasan_kmalloc.part.0+0x4f/0xd0
[ 34.696969] kmem_cache_alloc_trace+0x14d/0x3f0
[ 34.701625] u32_init+0x3e9/0x890
[ 34.705073] tc_ctl_tfilter+0xa68/0x18e7
[ 34.709126] rtnetlink_rcv_msg+0x3be/0xb10
[ 34.713337] netlink_rcv_skb+0x127/0x370
[ 34.717375] netlink_unicast+0x437/0x610
[ 34.721410] netlink_sendmsg+0x64a/0xbb0
[ 34.725465] sock_sendmsg+0xb5/0x100
[ 34.729168] ___sys_sendmsg+0x349/0x840
[ 34.733133] __sys_sendmmsg+0x129/0x330
[ 34.737081] SyS_sendmmsg+0x2f/0x50
[ 34.740701] do_syscall_64+0x1d5/0x640
[ 34.744840] entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 34.750003]
[ 34.751617] Freed by task 121:
[ 34.754803] kasan_slab_free+0xaf/0x190
[ 34.758765] kfree+0xcb/0x260
[ 34.761849] u32_destroy_key.constprop.0+0x108/0x1e0
[ 34.766941] u32_delete_key_freepf_work+0x1c/0x22
[ 34.771776] process_one_work+0x7c0/0x14c0
[ 34.775999] worker_thread+0x5d7/0x1080
[ 34.779963] kthread+0x30d/0x420
[ 34.783379] ret_from_fork+0x24/0x30
[ 34.787078]
[ 34.788863] The buggy address belongs to the object at ffff88809a949d80
[ 34.788863]  which belongs to the cache kmalloc-64 of size 64
[ 34.801377] The buggy address is located 24 bytes inside of
[ 34.801377]  64-byte region [ffff88809a949d80, ffff88809a949dc0)
[ 34.813295] The buggy address belongs to the page:
[ 34.818367] page:ffffea00026a5240 count:1 mapcount:0 mapping:ffff88809a949000 index:0x0
[ 34.826857] flags: 0xfffe0000000100(slab)
[ 34.831006] raw: 00fffe0000000100 ffff88809a949000 0000000000000000 0000000100000020
[ 34.838894] raw: ffffea00026a0a20 ffffea00026818a0 ffff8880aa800340 0000000000000000
[ 34.846782] page dumped because: kasan: bad access detected
[ 34.852489]
[ 34.854116] Memory state around the buggy address:
[ 34.859040] ffff88809a949c80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 34.866393] ffff88809a949d00: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 34.873752] >ffff88809a949d80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 34.881089] ^
[ 34.885234] ffff88809a949e00: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 34.892579] ffff88809a949e80: 00 00 00 00 00 00 00 06 fc fc fc fc fc fc fc fc
[ 34.899926] ==================================================================
[ 34.907266] Disabling lock debugging due to kernel taint
[ 34.922670] Kernel panic - not syncing: panic_on_warn set ...
[ 34.922670]
[ 34.922678] CPU: 0 PID: 121 Comm: kworker/u4:2 Tainted: G B 4.14.183-syzkaller #0
[ 34.922681] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 34.922694] Workqueue: tc_filter_workqueue u32_delete_key_freepf_work
[ 34.922698] Call Trace:
[ 34.922711] dump_stack+0x1b2/0x283
[ 34.922721] panic+0x1f9/0x42d
[ 34.922728] ? add_taint.cold+0x16/0x16
[ 34.922736] ? preempt_schedule_common+0x4a/0xc0
[ 34.922743] ? u32_destroy_key.constprop.0+0x1a7/0x1e0
[ 34.922750] ? ___preempt_schedule+0x16/0x18
[ 34.922759] ? u32_destroy_key.constprop.0+0x1a7/0x1e0
[ 34.922768] kasan_end_report+0x43/0x49
[ 34.922775] kasan_report.cold+0x12f/0x2b9
[ 34.922787] u32_destroy_key.constprop.0+0x1a7/0x1e0
[ 35.001151] u32_delete_key_freepf_work+0x1c/0x22
[ 35.005991] process_one_work+0x7c0/0x14c0
[ 35.010373] ? pwq_dec_nr_in_flight+0x2b0/0x2b0
[ 35.015119] ? worker_thread+0x163/0x1080
[ 35.019245] ? _raw_spin_unlock_irq+0x24/0x90
[ 35.023721] worker_thread+0x5d7/0x1080
[ 35.027673] ? process_one_work+0x14c0/0x14c0
[ 35.032145] kthread+0x30d/0x420
[ 35.035488] ? kthread_create_on_node+0xd0/0xd0
[ 35.040133] ret_from_fork+0x24/0x30
[ 35.045288] Kernel Offset: disabled
[ 35.048930] Rebooting in 86400 seconds..