Starting mcstransd: [....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c. [ 103.825353][ T26] audit: type=1400 audit(1579435406.128:37): avc: denied { watch } for pid=10568 comm="restorecond" path="/root/.ssh" dev="sda1" ino=16179 scontext=system_u:system_r:kernel_t:s0 tcontext=unconfined_u:object_r:ssh_home_t:s0 tclass=dir permissive=1 [....] Starting file context maintaining daemon: restorecond[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[ ok 8[?25h[?0c. Debian GNU/Linux 7 syzkaller ttyS0 syzkaller login: [ 107.873753][ T26] kauditd_printk_skb: 3 callbacks suppressed [ 107.873767][ T26] audit: type=1400 audit(1579435410.178:41): avc: denied { map } for pid=10655 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1 Warning: Permanently added '10.128.0.109' (ECDSA) to the list of known hosts. executing program executing program [ 121.265291][ T26] audit: type=1400 audit(1579435423.568:42): avc: denied { map } for pid=10667 comm="syz-executor850" path="/root/syz-executor850563928" dev="sda1" ino=16483 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1 [ 121.280778][T10669] ================================================================== [ 121.292740][ T26] audit: type=1400 audit(1579435423.568:43): avc: denied { create } for pid=10668 comm="syz-executor850" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_netfilter_socket permissive=1 [ 121.300738][T10669] BUG: KASAN: use-after-free in bitmap_port_ext_cleanup+0xe6/0x2a0 [ 121.300750][T10669] Read of size 8 at addr ffff8880a7caf2c0 by task syz-executor850/10669 [ 121.300754][T10669] [ 121.300768][T10669] CPU: 0 PID: 10669 Comm: syz-executor850 Not tainted 5.5.0-rc6-syzkaller #0 [ 121.300776][T10669] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 121.300780][T10669] Call Trace: [ 121.300800][T10669] dump_stack+0x197/0x210 [ 121.300815][T10669] ? bitmap_port_ext_cleanup+0xe6/0x2a0 [ 121.300836][T10669] print_address_description.constprop.0.cold+0xd4/0x30b [ 121.300849][T10669] ? bitmap_port_ext_cleanup+0xe6/0x2a0 [ 121.300863][T10669] ? bitmap_port_ext_cleanup+0xe6/0x2a0 [ 121.300877][T10669] __kasan_report.cold+0x1b/0x41 [ 121.300890][T10669] ? kfree+0x210/0x2c0 [ 121.300903][T10669] ? bitmap_port_ext_cleanup+0xe6/0x2a0 [ 121.300919][T10669] kasan_report+0x12/0x20 [ 121.300938][T10669] check_memory_region+0x134/0x1a0 [ 121.300956][T10669] __kasan_check_read+0x11/0x20 [ 121.328160][ T26] audit: type=1400 audit(1579435423.568:44): avc: denied { write } for pid=10668 comm="syz-executor850" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_netfilter_socket permissive=1 [ 121.333993][T10669] bitmap_port_ext_cleanup+0xe6/0x2a0 [ 121.454790][T10669] bitmap_port_destroy+0x17c/0x1d0 [ 121.459896][T10669] ip_set_create+0xe47/0x1500 [ 121.464589][T10669] ? ip_set_destroy+0xb70/0xb70 [ 121.469442][T10669] ? ip_set_destroy+0xb70/0xb70 [ 121.474280][T10669] nfnetlink_rcv_msg+0xcf2/0xfb0 [ 121.479239][T10669] ? nfnetlink_bind+0x2c0/0x2c0 [ 121.484155][T10669] ? avc_has_extended_perms+0x10f0/0x10f0 [ 121.489953][T10669] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 121.496199][T10669] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 121.502540][T10669] ? cred_has_capability+0x199/0x330 [ 121.507895][T10669] ? selinux_sb_eat_lsm_opts+0x700/0x700 [ 121.513534][T10669] ? selinux_sb_eat_lsm_opts+0x700/0x700 [ 121.519427][T10669] ? __check_heap_object+0x53/0xb3 [ 121.524629][T10669] ? __lock_acquire+0x8a0/0x4a00 [ 121.529557][T10669] netlink_rcv_skb+0x177/0x450 [ 121.534325][T10669] ? nfnetlink_bind+0x2c0/0x2c0 [ 121.539174][T10669] ? netlink_ack+0xb50/0xb50 [ 121.543805][T10669] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 121.550058][T10669] ? ns_capable_common+0x93/0x100 [ 121.555083][T10669] ? ns_capable+0x20/0x30 [ 121.559405][T10669] ? __netlink_ns_capable+0x104/0x140 [ 121.564788][T10669] nfnetlink_rcv+0x1ba/0x460 [ 121.569536][T10669] ? nfnetlink_rcv_batch+0x17a0/0x17a0 [ 121.574987][T10669] ? netlink_deliver_tap+0x24a/0xbe0 [ 121.580283][T10669] ? __kasan_check_write+0x14/0x20 [ 121.585443][T10669] netlink_unicast+0x58c/0x7d0 [ 121.590219][T10669] ? netlink_attachskb+0x870/0x870 [ 121.595327][T10669] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 121.601567][T10669] netlink_sendmsg+0x91c/0xea0 [ 121.606382][T10669] ? netlink_unicast+0x7d0/0x7d0 [ 121.611342][T10669] ? tomoyo_socket_sendmsg+0x26/0x30 [ 121.616618][T10669] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 121.622887][T10669] ? security_socket_sendmsg+0x8d/0xc0 [ 121.628365][T10669] ? netlink_unicast+0x7d0/0x7d0 [ 121.633302][T10669] sock_sendmsg+0xd7/0x130 [ 121.637766][T10669] ____sys_sendmsg+0x753/0x880 [ 121.642546][T10669] ? kernel_sendmsg+0x50/0x50 [ 121.647230][T10669] ? mark_held_locks+0xa4/0xf0 [ 121.652108][T10669] ? do_huge_pmd_anonymous_page+0x1463/0x1a50 [ 121.658188][T10669] ? __handle_mm_fault+0x3145/0x3cc0 [ 121.663562][T10669] ? do_huge_pmd_anonymous_page+0x1463/0x1a50 [ 121.669896][T10669] ___sys_sendmsg+0x100/0x170 [ 121.675207][T10669] ? do_huge_pmd_anonymous_page+0xceb/0x1a50 [ 121.681351][T10669] ? sendmsg_copy_msghdr+0x70/0x70 [ 121.686475][T10669] ? __do_page_fault+0x56a/0xd80 [ 121.691408][T10669] ? find_held_lock+0x35/0x130 [ 121.696175][T10669] ? __do_page_fault+0x56a/0xd80 [ 121.701242][T10669] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 121.707556][T10669] ? __fget_light+0x1a9/0x230 [ 121.712238][T10669] ? __fdget+0x1b/0x20 [ 121.716303][T10669] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 121.722545][T10669] __sys_sendmsg+0x105/0x1d0 [ 121.727174][T10669] ? __sys_sendmsg_sock+0xc0/0xc0 [ 121.732192][T10669] ? rcu_read_lock_sched_held+0x9c/0xd0 [ 121.737761][T10669] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 121.743224][T10669] ? do_syscall_64+0x26/0x790 [ 121.748028][T10669] ? entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 121.754093][T10669] ? do_syscall_64+0x26/0x790 [ 121.758876][T10669] __x64_sys_sendmsg+0x78/0xb0 [ 121.763675][T10669] do_syscall_64+0xfa/0x790 [ 121.768235][T10669] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 121.774121][T10669] RIP: 0033:0x441399 [ 121.778020][T10669] Code: e8 fc ab 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 9b 09 fc ff c3 66 2e 0f 1f 84 00 00 00 00 [ 121.797757][T10669] RSP: 002b:00007ffecc9aac18 EFLAGS: 00000246 ORIG_RAX: 000000000000002e [ 121.806232][T10669] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000441399 [ 121.814255][T10669] RDX: 0000000000000000 RSI: 0000000020001080 RDI: 0000000000000003 [ 121.822737][T10669] RBP: 000000000001d988 R08: 00000000004002c8 R09: 00000000004002c8 [ 121.830846][T10669] R10: 0000000000000004 R11: 0000000000000246 R12: 00000000004021c0 [ 121.838811][T10669] R13: 0000000000402250 R14: 0000000000000000 R15: 0000000000000000 [ 121.846799][T10669] [ 121.849118][T10669] Allocated by task 10669: [ 121.853558][T10669] save_stack+0x23/0x90 [ 121.857723][T10669] __kasan_kmalloc.constprop.0+0xcf/0xe0 [ 121.863502][T10669] kasan_kmalloc+0x9/0x10 [ 121.867830][T10669] __kmalloc+0x163/0x770 [ 121.872066][T10669] ip_set_alloc+0x38/0x5e [ 121.876487][T10669] bitmap_port_create+0x3dc/0x7c0 [ 121.881505][T10669] ip_set_create+0x6f1/0x1500 [ 121.886183][T10669] nfnetlink_rcv_msg+0xcf2/0xfb0 [ 121.891272][T10669] netlink_rcv_skb+0x177/0x450 [ 121.896227][T10669] nfnetlink_rcv+0x1ba/0x460 [ 121.900853][T10669] netlink_unicast+0x58c/0x7d0 [ 121.905615][T10669] netlink_sendmsg+0x91c/0xea0 [ 121.911536][T10669] sock_sendmsg+0xd7/0x130 [ 121.915947][T10669] ____sys_sendmsg+0x753/0x880 [ 121.920857][T10669] ___sys_sendmsg+0x100/0x170 [ 121.925527][T10669] __sys_sendmsg+0x105/0x1d0 [ 121.930253][T10669] __x64_sys_sendmsg+0x78/0xb0 [ 121.935023][T10669] do_syscall_64+0xfa/0x790 [ 121.939694][T10669] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 121.945680][T10669] [ 121.948129][T10669] Freed by task 10669: [ 121.952253][T10669] save_stack+0x23/0x90 [ 121.956420][T10669] __kasan_slab_free+0x102/0x150 [ 121.961362][T10669] kasan_slab_free+0xe/0x10 [ 121.965963][T10669] kfree+0x10a/0x2c0 [ 121.970006][T10669] kvfree+0x61/0x70 [ 121.973862][T10669] ip_set_free+0x16/0x20 [ 121.978454][T10669] bitmap_port_destroy+0xae/0x1d0 [ 121.983526][T10669] ip_set_create+0xe47/0x1500 [ 121.988337][T10669] nfnetlink_rcv_msg+0xcf2/0xfb0 [ 121.993283][T10669] netlink_rcv_skb+0x177/0x450 [ 121.998113][T10669] nfnetlink_rcv+0x1ba/0x460 [ 122.002705][T10669] netlink_unicast+0x58c/0x7d0 [ 122.007458][T10669] netlink_sendmsg+0x91c/0xea0 [ 122.012229][T10669] sock_sendmsg+0xd7/0x130 [ 122.016653][T10669] ____sys_sendmsg+0x753/0x880 [ 122.021419][T10669] ___sys_sendmsg+0x100/0x170 [ 122.026095][T10669] __sys_sendmsg+0x105/0x1d0 [ 122.030800][T10669] __x64_sys_sendmsg+0x78/0xb0 [ 122.036167][T10669] do_syscall_64+0xfa/0x790 [ 122.040680][T10669] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 122.046665][T10669] [ 122.049013][T10669] The buggy address belongs to the object at ffff8880a7caf2c0 [ 122.049013][T10669] which belongs to the cache kmalloc-32 of size 32 [ 122.062984][T10669] The buggy address is located 0 bytes inside of [ 122.062984][T10669] 32-byte region [ffff8880a7caf2c0, ffff8880a7caf2e0) [ 122.076529][T10669] The buggy address belongs to the page: [ 122.082284][T10669] page:ffffea00029f2bc0 refcount:1 mapcount:0 mapping:ffff8880aa4001c0 index:0xffff8880a7caffc1 [ 122.092995][T10669] raw: 00fffe0000000200 ffffea00027f9ac8 ffffea0002a6c708 ffff8880aa4001c0 [ 122.101592][T10669] raw: ffff8880a7caffc1 ffff8880a7caf000 000000010000002f 0000000000000000 [ 122.110165][T10669] page dumped because: kasan: bad access detected [ 122.116567][T10669] [ 122.118941][T10669] Memory state around the buggy address: [ 122.124591][T10669] ffff8880a7caf180: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc [ 122.132646][T10669] ffff8880a7caf200: 00 07 fc fc fc fc fc fc fb fb fb fb fc fc fc fc [ 122.140794][T10669] >ffff8880a7caf280: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc [ 122.148855][T10669] ^ [ 122.155128][T10669] ffff8880a7caf300: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc [ 122.163873][T10669] ffff8880a7caf380: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc [ 122.171921][T10669] ================================================================== [ 122.179968][T10669] Disabling lock debugging due to kernel taint [ 122.187016][T10669] Kernel panic - not syncing: panic_on_warn set ... [ 122.193616][T10669] CPU: 0 PID: 10669 Comm: syz-executor850 Tainted: G B 5.5.0-rc6-syzkaller #0 [ 122.204005][T10669] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 122.214160][T10669] Call Trace: [ 122.217445][T10669] dump_stack+0x197/0x210 [ 122.221769][T10669] panic+0x2e3/0x75c [ 122.225658][T10669] ? add_taint.cold+0x16/0x16 [ 122.230460][T10669] ? bitmap_port_ext_cleanup+0xe6/0x2a0 [ 122.236134][T10669] ? preempt_schedule+0x4b/0x60 [ 122.240979][T10669] ? ___preempt_schedule+0x16/0x18 [ 122.246179][T10669] ? trace_hardirqs_on+0x5e/0x240 [ 122.251410][T10669] ? bitmap_port_ext_cleanup+0xe6/0x2a0 [ 122.257051][T10669] end_report+0x47/0x4f [ 122.261785][T10669] ? bitmap_port_ext_cleanup+0xe6/0x2a0 [ 122.267322][T10669] __kasan_report.cold+0xe/0x41 [ 122.272170][T10669] ? kfree+0x210/0x2c0 [ 122.276227][T10669] ? bitmap_port_ext_cleanup+0xe6/0x2a0 [ 122.281896][T10669] kasan_report+0x12/0x20 [ 122.286320][T10669] check_memory_region+0x134/0x1a0 [ 122.291490][T10669] __kasan_check_read+0x11/0x20 [ 122.296367][T10669] bitmap_port_ext_cleanup+0xe6/0x2a0 [ 122.301768][T10669] bitmap_port_destroy+0x17c/0x1d0 [ 122.306907][T10669] ip_set_create+0xe47/0x1500 [ 122.311690][T10669] ? ip_set_destroy+0xb70/0xb70 [ 122.316647][T10669] ? ip_set_destroy+0xb70/0xb70 [ 122.326127][T10669] nfnetlink_rcv_msg+0xcf2/0xfb0 [ 122.331462][T10669] ? nfnetlink_bind+0x2c0/0x2c0 [ 122.336329][T10669] ? avc_has_extended_perms+0x10f0/0x10f0 [ 122.342069][T10669] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 122.348310][T10669] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 122.354806][T10669] ? cred_has_capability+0x199/0x330 [ 122.360187][T10669] ? selinux_sb_eat_lsm_opts+0x700/0x700 [ 122.365905][T10669] ? selinux_sb_eat_lsm_opts+0x700/0x700 [ 122.371671][T10669] ? __check_heap_object+0x53/0xb3 [ 122.376815][T10669] ? __lock_acquire+0x8a0/0x4a00 [ 122.381786][T10669] netlink_rcv_skb+0x177/0x450 [ 122.386569][T10669] ? nfnetlink_bind+0x2c0/0x2c0 [ 122.391470][T10669] ? netlink_ack+0xb50/0xb50 [ 122.396192][T10669] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 122.402454][T10669] ? ns_capable_common+0x93/0x100 [ 122.407578][T10669] ? ns_capable+0x20/0x30 [ 122.411898][T10669] ? __netlink_ns_capable+0x104/0x140 [ 122.417281][T10669] nfnetlink_rcv+0x1ba/0x460 [ 122.421862][T10669] ? nfnetlink_rcv_batch+0x17a0/0x17a0 [ 122.427534][T10669] ? netlink_deliver_tap+0x24a/0xbe0 [ 122.433825][T10669] ? __kasan_check_write+0x14/0x20 [ 122.438937][T10669] netlink_unicast+0x58c/0x7d0 [ 122.443707][T10669] ? netlink_attachskb+0x870/0x870 [ 122.448816][T10669] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 122.455376][T10669] netlink_sendmsg+0x91c/0xea0 [ 122.460143][T10669] ? netlink_unicast+0x7d0/0x7d0 [ 122.465183][T10669] ? tomoyo_socket_sendmsg+0x26/0x30 [ 122.470891][T10669] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 122.477136][T10669] ? security_socket_sendmsg+0x8d/0xc0 [ 122.482594][T10669] ? netlink_unicast+0x7d0/0x7d0 [ 122.488588][T10669] sock_sendmsg+0xd7/0x130 [ 122.493100][T10669] ____sys_sendmsg+0x753/0x880 [ 122.497875][T10669] ? kernel_sendmsg+0x50/0x50 [ 122.502563][T10669] ? mark_held_locks+0xa4/0xf0 [ 122.507320][T10669] ? do_huge_pmd_anonymous_page+0x1463/0x1a50 [ 122.513378][T10669] ? __handle_mm_fault+0x3145/0x3cc0 [ 122.518684][T10669] ? do_huge_pmd_anonymous_page+0x1463/0x1a50 [ 122.524855][T10669] ___sys_sendmsg+0x100/0x170 [ 122.529558][T10669] ? do_huge_pmd_anonymous_page+0xceb/0x1a50 [ 122.535567][T10669] ? sendmsg_copy_msghdr+0x70/0x70 [ 122.540823][T10669] ? __do_page_fault+0x56a/0xd80 [ 122.545925][T10669] ? find_held_lock+0x35/0x130 [ 122.550900][T10669] ? __do_page_fault+0x56a/0xd80 [ 122.555871][T10669] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 122.562441][T10669] ? __fget_light+0x1a9/0x230 [ 122.567250][T10669] ? __fdget+0x1b/0x20 [ 122.571413][T10669] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 122.577658][T10669] __sys_sendmsg+0x105/0x1d0 [ 122.582257][T10669] ? __sys_sendmsg_sock+0xc0/0xc0 [ 122.587513][T10669] ? rcu_read_lock_sched_held+0x9c/0xd0 [ 122.593267][T10669] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 122.598814][T10669] ? do_syscall_64+0x26/0x790 [ 122.603887][T10669] ? entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 122.609953][T10669] ? do_syscall_64+0x26/0x790 [ 122.614767][T10669] __x64_sys_sendmsg+0x78/0xb0 [ 122.619798][T10669] do_syscall_64+0xfa/0x790 [ 122.624305][T10669] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 122.630280][T10669] RIP: 0033:0x441399 [ 122.634514][T10669] Code: e8 fc ab 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 9b 09 fc ff c3 66 2e 0f 1f 84 00 00 00 00 [ 122.654414][T10669] RSP: 002b:00007ffecc9aac18 EFLAGS: 00000246 ORIG_RAX: 000000000000002e [ 122.663004][T10669] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000441399 [ 122.670974][T10669] RDX: 0000000000000000 RSI: 0000000020001080 RDI: 0000000000000003 [ 122.679051][T10669] RBP: 000000000001d988 R08: 00000000004002c8 R09: 00000000004002c8 [ 122.687018][T10669] R10: 0000000000000004 R11: 0000000000000246 R12: 00000000004021c0 [ 122.695223][T10669] R13: 0000000000402250 R14: 0000000000000000 R15: 0000000000000000 [ 122.705044][T10669] Kernel Offset: disabled [ 122.709569][T10669] Rebooting in 86400 seconds..