Warning: Permanently added '10.128.1.44' (ECDSA) to the list of known hosts.
[ 35.342322] IPVS: ftp: loaded support on port[0] = 21
executing program
[ 35.414267] netlink: 4 bytes leftover after parsing attributes in process `syz-executor325'.
[ 35.423955] ==================================================================
[ 35.431317] BUG: KASAN: slab-out-of-bounds in __lock_acquire+0x2cb4/0x3ff0
[ 35.438309] Read of size 8 at addr ffff8880a4dcf420 by task syz-executor325/8129
[ 35.445814]
[ 35.447425] CPU: 0 PID: 8129 Comm: syz-executor325 Not tainted 4.19.211-syzkaller #0
[ 35.455278] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
[ 35.464610] Call Trace:
[ 35.467185]  dump_stack+0x1fc/0x2ef
[ 35.470799]  print_address_description.cold+0x54/0x219
[ 35.476054]  kasan_report_error.cold+0x8a/0x1b9
[ 35.480708]  ? __lock_acquire+0x2cb4/0x3ff0
[ 35.485008]  __asan_report_load8_noabort+0x88/0x90
[ 35.489924]  ? unwind_get_return_address+0x70/0x90
[ 35.494831]  ? __lock_acquire+0x2cb4/0x3ff0
[ 35.499129]  __lock_acquire+0x2cb4/0x3ff0
[ 35.503255]  ? mark_held_locks+0xf0/0xf0
[ 35.507289]  ? check_usage+0x19a/0x670
[ 35.511153]  ? check_usage_backwards+0x300/0x300
[ 35.515884]  ? __kernel_text_address+0x9/0x30
[ 35.520361]  ? check_usage_forwards+0x310/0x310
[ 35.525008]  ? __save_stack_trace+0xaf/0x190
[ 35.529393]  lock_acquire+0x170/0x3c0
[ 35.533170]  ? xt_find_match+0xa3/0x280
[ 35.537120]  ? xt_find_match+0xa3/0x280
[ 35.541069]  __mutex_lock+0xd7/0x1190
[ 35.544847]  ? xt_find_match+0xa3/0x280
[ 35.548796]  ? check_usage_forwards+0x310/0x310
[ 35.553444]  ? xt_find_match+0xa3/0x280
[ 35.557403]  ? mutex_trylock+0x1a0/0x1a0
[ 35.561447]  ? mark_held_locks+0xf0/0xf0
[ 35.565487]  ? mark_held_locks+0xf0/0xf0
[ 35.569525]  ? fs_reclaim_release+0xd0/0x110
[ 35.573915]  ? __sanitizer_cov_trace_switch+0x4b/0x80
[ 35.579089]  xt_find_match+0xa3/0x280
[ 35.582872]  xt_request_find_match+0x88/0x110
[ 35.587353]  em_ipt_change+0x1c7/0x470
[ 35.591240]  ? check_match+0x1e0/0x1e0
[ 35.595106]  ? lock_acquire+0x170/0x3c0
[ 35.599058]  ? tcf_em_lookup+0x1c/0x150
[ 35.603019]  ? do_raw_read_unlock+0x3b/0x70
[ 35.607317]  ? _raw_read_unlock+0x29/0x40
[ 35.611445]  ? check_match+0x1e0/0x1e0
[ 35.615313]  tcf_em_tree_validate+0x8fa/0xea0
[ 35.619790]  ? tcf_em_tree_destroy+0x50/0x50
[ 35.624181]  ? rcu_read_lock_sched_held+0x16c/0x1d0
[ 35.629182]  basic_change+0x1173/0x1260
[ 35.633139]  ? basic_delete+0x630/0x630
[ 35.637092]  ? check_preemption_disabled+0x41/0x280
[ 35.642099]  ? basic_delete+0x630/0x630
[ 35.646055]  tc_new_tfilter+0xb52/0x16c0
[ 35.650108]  ? tcf_chain_tp_remove+0x2c0/0x2c0
[ 35.654684]  ? __mutex_lock+0x368/0x1190
[ 35.658721]  ? apparmor_capable+0x147/0x750
[ 35.663018]  ? apparmor_capable+0x147/0x750
[ 35.667317]  ? rtnetlink_rcv_msg+0x3fe/0xb80
[ 35.671702]  ? mutex_trylock+0x1a0/0x1a0
[ 35.675770]  ? tcf_chain_tp_remove+0x2c0/0x2c0
[ 35.680331]  rtnetlink_rcv_msg+0x453/0xb80
[ 35.684543]  ? rtnl_calcit.isra.0+0x430/0x430
[ 35.689019]  ? __netlink_lookup+0x3fc/0x730
[ 35.693322]  ? lock_downgrade+0x720/0x720
[ 35.697450]  ? check_preemption_disabled+0x41/0x280
[ 35.702442]  netlink_rcv_skb+0x160/0x440
[ 35.706481]  ? rtnl_calcit.isra.0+0x430/0x430
[ 35.710954]  ? netlink_ack+0xae0/0xae0
[ 35.714830]  netlink_unicast+0x4d5/0x690
[ 35.718871]  ? netlink_sendskb+0x110/0x110
[ 35.723087]  ? _copy_from_iter_full+0x229/0x7c0
[ 35.727739]  ? __phys_addr_symbol+0x2c/0x70
[ 35.732051]  ? __check_object_size+0x17b/0x3e0
[ 35.736616]  netlink_sendmsg+0x6c3/0xc50
[ 35.740655]  ? aa_af_perm+0x230/0x230
[ 35.744444]  ? nlmsg_notify+0x1f0/0x1f0
[ 35.748399]  ? kernel_recvmsg+0x220/0x220
[ 35.752537]  ? nlmsg_notify+0x1f0/0x1f0
[ 35.756591]  sock_sendmsg+0xc3/0x120
[ 35.760280]  ___sys_sendmsg+0x7bb/0x8e0
[ 35.764233]  ? mark_held_locks+0xf0/0xf0
[ 35.768270]  ? copy_msghdr_from_user+0x440/0x440
[ 35.773005]  ? lock_downgrade+0x720/0x720
[ 35.777137]  ? __wake_up_common_lock+0xb0/0x170
[ 35.781800]  ? __might_fault+0x11f/0x1d0
[ 35.785848]  ? lock_downgrade+0x720/0x720
[ 35.789995]  ? lock_acquire+0x170/0x3c0
[ 35.793951]  ? __might_fault+0xef/0x1d0
[ 35.797901]  ? __might_fault+0x192/0x1d0
[ 35.801943]  ? _copy_to_user+0xb8/0x100
[ 35.805900]  ? move_addr_to_user+0x190/0x1d0
[ 35.810287]  ? __fdget+0x1a0/0x230
[ 35.813808]  __x64_sys_sendmsg+0x132/0x220
[ 35.818036]  ? __sys_sendmsg+0x1b0/0x1b0
[ 35.822081]  ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[ 35.827425]  ? trace_hardirqs_off_caller+0x6e/0x210
[ 35.832425]  ? do_syscall_64+0x21/0x620
[ 35.836379]  do_syscall_64+0xf9/0x620
[ 35.840158]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 35.845340] RIP: 0033:0x7f7c8d4216a9
[ 35.849036] Code: 28 c3 e8 4a 15 00 00 66 2e 0f 1f 84 00 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
[ 35.867913] RSP: 002b:00007fff7c1d0578 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 35.875597] RAX: ffffffffffffffda RBX: 00007f7c8d48eed0 RCX: 00007f7c8d4216a9
[ 35.882846] RDX: 0000000000000000 RSI: 00000000200001c0 RDI: 0000000000000003
[ 35.890102] RBP: 00007fff7c1d0588 R08: 00007f7c8d48ee40 R09: 00007f7c8d48ee40
[ 35.897870] R10: 00007f7c8d48ee40 R11: 0000000000000246 R12: 00007fff7c1d0590
[ 35.905119] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 35.912367]
[ 35.913982] Allocated by task 1:
[ 35.917327]  kmem_cache_alloc_trace+0x12f/0x380
[ 35.922153]  xt_init+0x128/0x2a9
[ 35.925500]  do_one_initcall+0xf1/0x740
[ 35.929453]  kernel_init_freeable+0x9c5/0xab7
[ 35.933932]  kernel_init+0xd/0x1ba
[ 35.937450]  ret_from_fork+0x24/0x30
[ 35.941132]
[ 35.942736] Freed by task 0:
[ 35.945726] (stack is not available)
[ 35.949410]
[ 35.951015] The buggy address belongs to the object at ffff8880a4dce0c0
[ 35.951015]  which belongs to the cache kmalloc-4096 of size 4096
[ 35.963822] The buggy address is located 864 bytes to the right of
[ 35.963822]  4096-byte region [ffff8880a4dce0c0, ffff8880a4dcf0c0)
[ 35.976279] The buggy address belongs to the page:
[ 35.981185] page:ffffea0002937380 count:1 mapcount:0 mapping:ffff88813bff0dc0 index:0x0 compound_mapcount: 0
[ 35.991126] flags: 0xfff00000008100(slab|head)
[ 35.995694] raw: 00fff00000008100 ffffea0002937308 ffffea0002937708 ffff88813bff0dc0
[ 36.003551] raw: 0000000000000000 ffff8880a4dce0c0 0000000100000001 0000000000000000
[ 36.011403] page dumped because: kasan: bad access detected
[ 36.017080]
[ 36.018686] Memory state around the buggy address:
[ 36.023590]  ffff8880a4dcf300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 36.030925]  ffff8880a4dcf380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 36.038258] >ffff8880a4dcf400: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 36.045591]                                ^
[ 36.049979]  ffff8880a4dcf480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 36.057314]  ffff8880a4dcf500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 36.064644] ==================================================================
[ 36.072062] Disabling lock debugging due to kernel taint
[ 36.077485] Kernel panic - not syncing: panic_on_warn set ...
[ 36.077485]
[ 36.084826] CPU: 0 PID: 8129 Comm: syz-executor325 Tainted: G    B 4.19.211-syzkaller #0
[ 36.094065] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
[ 36.103396] Call Trace:
[ 36.105969]  dump_stack+0x1fc/0x2ef
[ 36.109574]  panic+0x26a/0x50e
[ 36.112744]  ? __warn_printk+0xf3/0xf3
[ 36.116606]  ? lock_downgrade+0x720/0x720
[ 36.120730]  ? print_shadow_for_address+0xb8/0x114
[ 36.125641]  ? trace_hardirqs_off+0x64/0x200
[ 36.130023]  kasan_end_report+0x43/0x49
[ 36.133975]  kasan_report_error.cold+0xa7/0x1b9
[ 36.138620]  ? __lock_acquire+0x2cb4/0x3ff0
[ 36.142940]  __asan_report_load8_noabort+0x88/0x90
[ 36.147843]  ? unwind_get_return_address+0x70/0x90
[ 36.152748]  ? __lock_acquire+0x2cb4/0x3ff0
[ 36.157049]  __lock_acquire+0x2cb4/0x3ff0
[ 36.161332]  ? mark_held_locks+0xf0/0xf0
[ 36.165374]  ? check_usage+0x19a/0x670
[ 36.169246]  ? check_usage_backwards+0x300/0x300
[ 36.173980]  ? __kernel_text_address+0x9/0x30
[ 36.178459]  ? check_usage_forwards+0x310/0x310
[ 36.183107]  ? __save_stack_trace+0xaf/0x190
[ 36.187496]  lock_acquire+0x170/0x3c0
[ 36.191279]  ? xt_find_match+0xa3/0x280
[ 36.195231]  ? xt_find_match+0xa3/0x280
[ 36.199184]  __mutex_lock+0xd7/0x1190
[ 36.202959]  ? xt_find_match+0xa3/0x280
[ 36.206907]  ? check_usage_forwards+0x310/0x310
[ 36.211638]  ? xt_find_match+0xa3/0x280
[ 36.215585]  ? mutex_trylock+0x1a0/0x1a0
[ 36.219623]  ? mark_held_locks+0xf0/0xf0
[ 36.223662]  ? mark_held_locks+0xf0/0xf0
[ 36.227699]  ? fs_reclaim_release+0xd0/0x110
[ 36.232087]  ? __sanitizer_cov_trace_switch+0x4b/0x80
[ 36.237251]  xt_find_match+0xa3/0x280
[ 36.241032]  xt_request_find_match+0x88/0x110
[ 36.245502]  em_ipt_change+0x1c7/0x470
[ 36.249364]  ? check_match+0x1e0/0x1e0
[ 36.253225]  ? lock_acquire+0x170/0x3c0
[ 36.257173]  ? tcf_em_lookup+0x1c/0x150
[ 36.261128]  ? do_raw_read_unlock+0x3b/0x70
[ 36.265424]  ? _raw_read_unlock+0x29/0x40
[ 36.269543]  ? check_match+0x1e0/0x1e0
[ 36.273407]  tcf_em_tree_validate+0x8fa/0xea0
[ 36.277883]  ? tcf_em_tree_destroy+0x50/0x50
[ 36.282267]  ? rcu_read_lock_sched_held+0x16c/0x1d0
[ 36.287257]  basic_change+0x1173/0x1260
[ 36.291210]  ? basic_delete+0x630/0x630
[ 36.295161]  ? check_preemption_disabled+0x41/0x280
[ 36.300154]  ? basic_delete+0x630/0x630
[ 36.304104]  tc_new_tfilter+0xb52/0x16c0
[ 36.308144]  ? tcf_chain_tp_remove+0x2c0/0x2c0
[ 36.312703]  ? __mutex_lock+0x368/0x1190
[ 36.316742]  ? apparmor_capable+0x147/0x750
[ 36.321046]  ? apparmor_capable+0x147/0x750
[ 36.325342]  ? rtnetlink_rcv_msg+0x3fe/0xb80
[ 36.329725]  ? mutex_trylock+0x1a0/0x1a0
[ 36.333772]  ? tcf_chain_tp_remove+0x2c0/0x2c0
[ 36.338328]  rtnetlink_rcv_msg+0x453/0xb80
[ 36.342540]  ? rtnl_calcit.isra.0+0x430/0x430
[ 36.347012]  ? __netlink_lookup+0x3fc/0x730
[ 36.351311]  ? lock_downgrade+0x720/0x720
[ 36.355436]  ? check_preemption_disabled+0x41/0x280
[ 36.360428]  netlink_rcv_skb+0x160/0x440
[ 36.364466]  ? rtnl_calcit.isra.0+0x430/0x430
[ 36.368937]  ? netlink_ack+0xae0/0xae0
[ 36.372803]  netlink_unicast+0x4d5/0x690
[ 36.376853]  ? netlink_sendskb+0x110/0x110
[ 36.381074]  ? _copy_from_iter_full+0x229/0x7c0
[ 36.385720]  ? __phys_addr_symbol+0x2c/0x70
[ 36.390021]  ? __check_object_size+0x17b/0x3e0
[ 36.394579]  netlink_sendmsg+0x6c3/0xc50
[ 36.398631]  ? aa_af_perm+0x230/0x230
[ 36.402517]  ? nlmsg_notify+0x1f0/0x1f0
[ 36.406468]  ? kernel_recvmsg+0x220/0x220
[ 36.410592]  ? nlmsg_notify+0x1f0/0x1f0
[ 36.414545]  sock_sendmsg+0xc3/0x120
[ 36.418234]  ___sys_sendmsg+0x7bb/0x8e0
[ 36.422187]  ? mark_held_locks+0xf0/0xf0
[ 36.426226]  ? copy_msghdr_from_user+0x440/0x440
[ 36.430958]  ? lock_downgrade+0x720/0x720
[ 36.435090]  ? __wake_up_common_lock+0xb0/0x170
[ 36.439738]  ? __might_fault+0x11f/0x1d0
[ 36.443840]  ? lock_downgrade+0x720/0x720
[ 36.447964]  ? lock_acquire+0x170/0x3c0
[ 36.451916]  ? __might_fault+0xef/0x1d0
[ 36.455875]  ? __might_fault+0x192/0x1d0
[ 36.459915]  ? _copy_to_user+0xb8/0x100
[ 36.463873]  ? move_addr_to_user+0x190/0x1d0
[ 36.468257]  ? __fdget+0x1a0/0x230
[ 36.471777]  __x64_sys_sendmsg+0x132/0x220
[ 36.475989]  ? __sys_sendmsg+0x1b0/0x1b0
[ 36.480066]  ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[ 36.485410]  ? trace_hardirqs_off_caller+0x6e/0x210
[ 36.490404]  ? do_syscall_64+0x21/0x620
[ 36.494354]  do_syscall_64+0xf9/0x620
[ 36.498132]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 36.503298] RIP: 0033:0x7f7c8d4216a9
[ 36.506990] Code: 28 c3 e8 4a 15 00 00 66 2e 0f 1f 84 00 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
[ 36.525868] RSP: 002b:00007fff7c1d0578 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 36.533550] RAX: ffffffffffffffda RBX: 00007f7c8d48eed0 RCX: 00007f7c8d4216a9
[ 36.540796] RDX: 0000000000000000 RSI: 00000000200001c0 RDI: 0000000000000003
[ 36.548129] RBP: 00007fff7c1d0588 R08: 00007f7c8d48ee40 R09: 00007f7c8d48ee40
[ 36.555378] R10: 00007f7c8d48ee40 R11: 0000000000000246 R12: 00007fff7c1d0590
[ 36.562646] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 36.570113] Kernel Offset: disabled
[ 36.573722] Rebooting in 86400 seconds..
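Triage note, with an added example that is not part of the syzkaller report or of the kernel source. The faulting 8-byte read is inside __lock_acquire, reached from __mutex_lock in xt_find_match; the object it runs past was allocated by xt_init at boot from kmalloc-4096, and the access lands 864 bytes beyond the end of that 4096-byte object (0xffff8880a4dcf420 - 0xffff8880a4dce0c0 = 4960 = 4096 + 864). xt_find_match takes a per-address-family mutex out of a table indexed by the family number it is handed, and here that number arrives via em_ipt_change, i.e. from the netlink attributes of a tc filter sent by the unprivileged-looking syz-executor (the "4 bytes leftover after parsing attributes" line shows the message was malformed). The reading the report supports but does not state outright is that a family value outside the table was used as the index before anyone compared it against NFPROTO_NUMPROTO. Mainline em_ipt_change rejects any nfproto other than NFPROTO_IPV4 and NFPROTO_IPV6 before it looks the match up, so the first check on a 4.19.211 tree is whether that validation is present there. The C below reproduces the arithmetic KASAN printed and shows the bounds check such a caller needs. The NFPROTO_* values are the real UAPI constants from include/uapi/linux/netfilter.h (as of 4.19); struct af_entry, the table array and every function name are hypothetical stand-ins for the kernel's xt array and are not kernel code.

```c
/* Added triage example: derive the KASAN offsets from the report and show
 * the family-number bounds check a per-family table lookup needs.
 * Not kernel code; af_entry/table/lookup_* are hypothetical stand-ins. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Netfilter address-family numbers (include/uapi/linux/netfilter.h, 4.19). */
enum {
    NFPROTO_UNSPEC   =  0,
    NFPROTO_INET     =  1,
    NFPROTO_IPV4     =  2,
    NFPROTO_ARP      =  3,
    NFPROTO_NETDEV   =  5,
    NFPROTO_BRIDGE   =  7,
    NFPROTO_IPV6     = 10,
    NFPROTO_DECNET   = 12,
    NFPROTO_NUMPROTO = 13,   /* one past the last valid family */
};

/* Object geometry copied verbatim from the KASAN report above. */
#define OBJ_BASE 0xffff8880a4dce0c0ULL
#define OBJ_SIZE 4096u
#define BAD_ADDR 0xffff8880a4dcf420ULL

/* Signed byte offset of an access from the start of its slab object:
 * negative means "to the left of" the object, 0..size-1 is inside it,
 * >= size is past the end. */
long long kasan_offset_from_object(uint64_t base, uint64_t addr)
{
    if (addr < base)
        return -(long long)(base - addr);
    return (long long)(addr - base);
}

/* Bytes past the end of the object, i.e. the number KASAN prints in
 * "located N bytes to the right of"; -1 if the access is not past the end. */
long long kasan_bytes_to_the_right(uint64_t base, size_t size, uint64_t addr)
{
    long long off = kasan_offset_from_object(base, addr);
    if (off < (long long)size)
        return -1;
    return off - (long long)size;
}

/* Hypothetical per-family table entry, standing in for the kernel's
 * struct xt_af (mutex plus match/target lists) that xt_init allocates
 * NFPROTO_NUMPROTO of in one kmalloc. */
struct af_entry {
    unsigned int family;
    unsigned int registered_matches;
};

static struct af_entry table[NFPROTO_NUMPROTO];

/* Generic bounds check: is 'af' a legal index into the per-family table?
 * Unsigned compare also rejects values that were negative before conversion. */
bool nfproto_in_table(unsigned int af)
{
    return af < NFPROTO_NUMPROTO;
}

/* Checked lookup: the table is only touched after the index is validated,
 * so an attacker-chosen af of 255 yields NULL instead of a read past the
 * allocation (which is what the report shows happening 864 bytes out). */
struct af_entry *lookup_checked(unsigned int af)
{
    if (!nfproto_in_table(af))
        return NULL;
    return &table[af];
}

/* Caller-side policy, stricter than the table bound: a tc ematch that only
 * implements IPv4/IPv6 matching should refuse every other family up front,
 * which is the check mainline em_ipt_change performs. */
bool em_ipt_nfproto_valid(unsigned int nfproto)
{
    switch (nfproto) {
    case NFPROTO_IPV4:
    case NFPROTO_IPV6:
        return true;
    default:
        return false;
    }
}

int main(void)
{
    long long right = kasan_bytes_to_the_right(OBJ_BASE, OBJ_SIZE, BAD_ADDR);
    printf("report: access is %lld bytes to the right of the %u-byte object\n",
           right, OBJ_SIZE);
    printf("lookup_checked(255) -> %s\n", lookup_checked(255) ? "entry" : "NULL");
    printf("em_ipt accepts NFPROTO_ARP? %s\n",
           em_ipt_nfproto_valid(NFPROTO_ARP) ? "yes" : "no");
    return 0;
}
```

Compile with any C99 compiler and run; the first line should reproduce the 864 from the report. The two-layer check (table bound in the shared lookup, family allow-list in the caller) is the shape to look for when comparing the stable tree against mainline, since only the caller knows which families it actually implements.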