[ OK ] Reached target Graphical Interface.
       Starting Update UTMP about System Runlevel Changes...
       Starting Load/Save RF Kill Switch Status...
[ OK ] Started Update UTMP about System Runlevel Changes.
[ OK ] Started Load/Save RF Kill Switch Status.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.0.161' (ECDSA) to the list of known hosts.
executing program
executing program
executing program
executing program
executing program
executing program
syzkaller login: [ 40.340548] netlink: 1096 bytes leftover after parsing attributes in process `syz-executor106'.
[ 40.352951] netlink: 1096 bytes leftover after parsing attributes in process `syz-executor106'.
[ 40.362018] netlink: 1096 bytes leftover after parsing attributes in process `syz-executor106'.
[ 40.371273] netlink: 1096 bytes leftover after parsing attributes in process `syz-executor106'.
[ 40.380549] netlink: 1096 bytes leftover after parsing attributes in process `syz-executor106'.
executing program
executing program
executing program
executing program
executing program
[ 40.390835] netlink: 1096 bytes leftover after parsing attributes in process `syz-executor106'.
[ 40.410467] netlink: 1096 bytes leftover after parsing attributes in process `syz-executor106'.
[ 40.421021] netlink: 1096 bytes leftover after parsing attributes in process `syz-executor106'.
[ 40.431995] netlink: 1096 bytes leftover after parsing attributes in process `syz-executor106'.
[ 40.441570] netlink: 1096 bytes leftover after parsing attributes in process `syz-executor106'.
[ 40.515843] ==================================================================
[ 40.523450] BUG: KASAN: use-after-free in tc_chain_fill_node+0x7f5/0x860
[ 40.530292] Read of size 8 at addr ffff8880aac4fb80 by task syz-executor106/8116
[ 40.537829]
[ 40.539642] CPU: 0 PID: 8116 Comm: syz-executor106 Not tainted 4.19.211-syzkaller #0
[ 40.547516] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
[ 40.557651] Call Trace:
[ 40.560373]  dump_stack+0x1fc/0x2ef
[ 40.564084]  print_address_description.cold+0x54/0x219
[ 40.569349]  kasan_report_error.cold+0x8a/0x1b9
[ 40.574010]  ? tc_chain_fill_node+0x7f5/0x860
[ 40.578495]  __asan_report_load8_noabort+0x88/0x90
[ 40.583418]  ? tc_chain_fill_node+0x7f5/0x860
[ 40.587913]  tc_chain_fill_node+0x7f5/0x860
[ 40.592230]  ? tfilter_notify+0x270/0x270
[ 40.596375]  ? memset+0x20/0x40
[ 40.599658]  tc_chain_notify+0x100/0x1f0
[ 40.603711]  __tcf_chain_put+0xe5/0x4b0
[ 40.607678]  tc_new_tfilter+0x729/0x16c0
[ 40.611748]  ? tcf_chain_tp_remove+0x2c0/0x2c0
[ 40.616327]  ? do_raw_spin_unlock+0x171/0x230
[ 40.620828]  ? _raw_spin_unlock+0x29/0x40
[ 40.624965]  ? __mutex_lock+0x368/0x1190
[ 40.629109]  ? rtnetlink_rcv_msg+0x3fe/0xb80
[ 40.633526]  ? mutex_trylock+0x1a0/0x1a0
[ 40.637589]  ? tcf_chain_tp_remove+0x2c0/0x2c0
[ 40.642171]  rtnetlink_rcv_msg+0x453/0xb80
[ 40.646512]  ? rtnl_calcit.isra.0+0x430/0x430
[ 40.651015]  ? __netlink_lookup+0x3fc/0x730
[ 40.655338]  ? lock_downgrade+0x720/0x720
[ 40.659485]  ? check_preemption_disabled+0x41/0x280
[ 40.664496]  netlink_rcv_skb+0x160/0x440
[ 40.668550]  ? rtnl_calcit.isra.0+0x430/0x430
[ 40.673058]  ? netlink_ack+0xae0/0xae0
[ 40.676933]  netlink_unicast+0x4d5/0x690
[ 40.680978]  ? netlink_sendskb+0x110/0x110
[ 40.685223]  ? _copy_from_iter_full+0x229/0x7c0
[ 40.689872]  ? __phys_addr_symbol+0x2c/0x70
[ 40.694173]  ? __check_object_size+0x17b/0x3e0
[ 40.698736]  netlink_sendmsg+0x6c3/0xc50
[ 40.702795]  ? aa_af_perm+0x230/0x230
[ 40.706607]  ? nlmsg_notify+0x1f0/0x1f0
[ 40.711477]  ? kernel_recvmsg+0x220/0x220
[ 40.715620]  ? nlmsg_notify+0x1f0/0x1f0
[ 40.719718]  sock_sendmsg+0xc3/0x120
[ 40.723428]  ___sys_sendmsg+0x7bb/0x8e0
[ 40.727387]  ? copy_msghdr_from_user+0x440/0x440
[ 40.732141]  ? __fget+0x32f/0x510
[ 40.735599]  ? lock_downgrade+0x720/0x720
[ 40.739785]  ? check_preemption_disabled+0x41/0x280
[ 40.744835]  ? check_preemption_disabled+0x41/0x280
[ 40.749843]  ? __fget+0x356/0x510
[ 40.753386]  ? do_dup2+0x450/0x450
[ 40.757006]  ? __fd_install+0x1b4/0x610
[ 40.760978]  ? __fdget+0x1d0/0x230
[ 40.764561]  __x64_sys_sendmsg+0x132/0x220
[ 40.769311]  ? __sys_sendmsg+0x1b0/0x1b0
[ 40.773359]  ? __se_sys_futex+0x298/0x3b0
[ 40.777497]  ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[ 40.782852]  ? trace_hardirqs_off_caller+0x6e/0x210
[ 40.787938]  ? do_syscall_64+0x21/0x620
[ 40.791905]  do_syscall_64+0xf9/0x620
[ 40.796134]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 40.801314] RIP: 0033:0x7f4122cbebf9
[ 40.805016] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 11 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
[ 40.824583] RSP: 002b:00007f4122c70318 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 40.832363] RAX: ffffffffffffffda RBX: 00007f4122d46428 RCX: 00007f4122cbebf9
[ 40.839618] RDX: 0000000000000000 RSI: 0000000020000340 RDI: 0000000000000005
[ 40.846879] RBP: 00007f4122d46420 R08: 0000000000000000 R09: 0000000000000000
[ 40.854137] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f4122d14074
[ 40.861400] R13: 00007ffcc82f853f R14: 00007f4122c70400 R15: 0000000000022000
[ 40.868761]
[ 40.870377] Allocated by task 8105:
[ 40.873995]  __kmalloc_node+0x4c/0x70
[ 40.877809]  qdisc_alloc+0xb2/0xa40
[ 40.881502]  qdisc_create+0xdc/0x1130
[ 40.885436]  tc_modify_qdisc+0x50d/0x1a80
[ 40.889583]  rtnetlink_rcv_msg+0x453/0xb80
[ 40.893805]  netlink_rcv_skb+0x160/0x440
[ 40.897846]  netlink_unicast+0x4d5/0x690
[ 40.902060]  netlink_sendmsg+0x6c3/0xc50
[ 40.906191]  sock_sendmsg+0xc3/0x120
[ 40.909977]  ___sys_sendmsg+0x7bb/0x8e0
[ 40.914596]  __x64_sys_sendmsg+0x132/0x220
[ 40.918946]  do_syscall_64+0xf9/0x620
[ 40.922742]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 40.927914]
[ 40.929536] Freed by task 8111:
[ 40.932810]  kfree+0xcc/0x210
[ 40.935921]  qdisc_destroy+0x501/0x790
[ 40.939809]  qdisc_graft+0xb61/0x1130
[ 40.943612]  tc_modify_qdisc+0xd3d/0x1a80
[ 40.947839]  rtnetlink_rcv_msg+0x453/0xb80
[ 40.952490]  netlink_rcv_skb+0x160/0x440
[ 40.956711]  netlink_unicast+0x4d5/0x690
[ 40.960752]  netlink_sendmsg+0x6c3/0xc50
[ 40.964802]  sock_sendmsg+0xc3/0x120
[ 40.968504]  ___sys_sendmsg+0x7bb/0x8e0
[ 40.972465]  __x64_sys_sendmsg+0x132/0x220
[ 40.976721]  do_syscall_64+0xf9/0x620
[ 40.980528]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 40.986349]
[ 40.988186] The buggy address belongs to the object at ffff8880aac4fb40
[ 40.988186]  which belongs to the cache kmalloc-1024 of size 1024
[ 41.001934] The buggy address is located 64 bytes inside of
[ 41.001934]  1024-byte region [ffff8880aac4fb40, ffff8880aac4ff40)
[ 41.014666] The buggy address belongs to the page:
[ 41.020005] page:ffffea0002ab1380 count:1 mapcount:0 mapping:ffff88813bff0ac0 index:0x0 compound_mapcount: 0
[ 41.030951] flags: 0xfff00000008100(slab|head)
[ 41.035533] raw: 00fff00000008100 ffffea0002c57d88 ffffea0002cf8488 ffff88813bff0ac0
[ 41.044304] raw: 0000000000000000 ffff8880aac4e040 0000000100000007 0000000000000000
[ 41.052185] page dumped because: kasan: bad access detected
[ 41.057891]
[ 41.059501] Memory state around the buggy address:
[ 41.064417]  ffff8880aac4fa80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 41.071847]  ffff8880aac4fb00: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 41.079552] >ffff8880aac4fb80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 41.086994]                    ^
[ 41.090341]  ffff8880aac4fc00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 41.097778]  ffff8880aac4fc80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 41.105234] ==================================================================
[ 41.112574] Disabling lock debugging due to kernel taint
[ 41.119564] Kernel panic - not syncing: panic_on_warn set ...
[ 41.119564]
[ 41.127038] CPU: 0 PID: 8116 Comm: syz-executor106 Tainted: G B 4.19.211-syzkaller #0
[ 41.136572] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
[ 41.145922] Call Trace:
[ 41.148600]  dump_stack+0x1fc/0x2ef
[ 41.152232]  panic+0x26a/0x50e
[ 41.155428]  ? __warn_printk+0xf3/0xf3
[ 41.159314]  ? preempt_schedule_common+0x45/0xc0
[ 41.164067]  ? ___preempt_schedule+0x16/0x18
[ 41.168455]  ? trace_hardirqs_on+0x55/0x210
[ 41.172803]  kasan_end_report+0x43/0x49
[ 41.176789]  kasan_report_error.cold+0xa7/0x1b9
[ 41.181441]  ? tc_chain_fill_node+0x7f5/0x860
[ 41.186216]  __asan_report_load8_noabort+0x88/0x90
[ 41.191330]  ? tc_chain_fill_node+0x7f5/0x860
[ 41.195840]  tc_chain_fill_node+0x7f5/0x860
[ 41.200148]  ? tfilter_notify+0x270/0x270
[ 41.204290]  ? memset+0x20/0x40
[ 41.207551]  tc_chain_notify+0x100/0x1f0
[ 41.211590]  __tcf_chain_put+0xe5/0x4b0
[ 41.215543]  tc_new_tfilter+0x729/0x16c0
[ 41.219606]  ? tcf_chain_tp_remove+0x2c0/0x2c0
[ 41.224179]  ? do_raw_spin_unlock+0x171/0x230
[ 41.228654]  ? _raw_spin_unlock+0x29/0x40
[ 41.232778]  ? __mutex_lock+0x368/0x1190
[ 41.236817]  ? rtnetlink_rcv_msg+0x3fe/0xb80
[ 41.241665]  ? mutex_trylock+0x1a0/0x1a0
[ 41.245752]  ? tcf_chain_tp_remove+0x2c0/0x2c0
[ 41.250320]  rtnetlink_rcv_msg+0x453/0xb80
[ 41.254644]  ? rtnl_calcit.isra.0+0x430/0x430
[ 41.259125]  ? __netlink_lookup+0x3fc/0x730
[ 41.263692]  ? lock_downgrade+0x720/0x720
[ 41.267832]  ? check_preemption_disabled+0x41/0x280
[ 41.272828]  netlink_rcv_skb+0x160/0x440
[ 41.276866]  ? rtnl_calcit.isra.0+0x430/0x430
[ 41.281345]  ? netlink_ack+0xae0/0xae0
[ 41.285227]  netlink_unicast+0x4d5/0x690
[ 41.289270]  ? netlink_sendskb+0x110/0x110
[ 41.293517]  ? _copy_from_iter_full+0x229/0x7c0
[ 41.298169]  ? __phys_addr_symbol+0x2c/0x70
[ 41.302581]  ? __check_object_size+0x17b/0x3e0
[ 41.307150]  netlink_sendmsg+0x6c3/0xc50
[ 41.311282]  ? aa_af_perm+0x230/0x230
[ 41.315156]  ? nlmsg_notify+0x1f0/0x1f0
[ 41.319200]  ? kernel_recvmsg+0x220/0x220
[ 41.323445]  ? nlmsg_notify+0x1f0/0x1f0
[ 41.327530]  sock_sendmsg+0xc3/0x120
[ 41.331236]  ___sys_sendmsg+0x7bb/0x8e0
[ 41.335204]  ? copy_msghdr_from_user+0x440/0x440
[ 41.339941]  ? __fget+0x32f/0x510
[ 41.343387]  ? lock_downgrade+0x720/0x720
[ 41.347529]  ? check_preemption_disabled+0x41/0x280
[ 41.352542]  ? check_preemption_disabled+0x41/0x280
[ 41.357630]  ? __fget+0x356/0x510
[ 41.361065]  ? do_dup2+0x450/0x450
[ 41.364589]  ? __fd_install+0x1b4/0x610
[ 41.369683]  ? __fdget+0x1d0/0x230
[ 41.373212]  __x64_sys_sendmsg+0x132/0x220
[ 41.377452]  ? __sys_sendmsg+0x1b0/0x1b0
[ 41.381505]  ? __se_sys_futex+0x298/0x3b0
[ 41.386248]  ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[ 41.391734]  ? trace_hardirqs_off_caller+0x6e/0x210
[ 41.396742]  ? do_syscall_64+0x21/0x620
[ 41.400702]  do_syscall_64+0xf9/0x620
[ 41.404491]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 41.409754] RIP: 0033:0x7f4122cbebf9
[ 41.413443] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 11 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
[ 41.432509] RSP: 002b:00007f4122c70318 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 41.440283] RAX: ffffffffffffffda RBX: 00007f4122d46428 RCX: 00007f4122cbebf9
[ 41.447652] RDX: 0000000000000000 RSI: 0000000020000340 RDI: 0000000000000005
[ 41.454911] RBP: 00007f4122d46420 R08: 0000000000000000 R09: 0000000000000000
[ 41.462198] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f4122d14074
[ 41.469448] R13: 00007ffcc82f853f R14: 00007f4122c70400 R15: 0000000000022000
[ 41.476876] Kernel Offset: disabled
[ 41.480484] Rebooting in 86400 seconds..