Warning: Permanently added '10.128.0.84' (ECDSA) to the list of known hosts.
executing program
syzkaller login: 
[   32.313914] audit: type=1400 audit(1593625130.721:8): avc: denied { execmem } for pid=6330 comm="syz-executor561" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=1
[   32.335376] ==================================================================
[   32.342976] BUG: KASAN: global-out-of-bounds in get_unique_tuple+0x16c7/0x19e0
[   32.350419] Read of size 8 at addr ffffffff871c7300 by task syz-executor561/6330
[   32.357925] 
[   32.359530] CPU: 0 PID: 6330 Comm: syz-executor561 Not tainted 4.14.184-syzkaller #0
[   32.367383] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   32.376710] Call Trace:
[   32.379279]  dump_stack+0x1b2/0x283
[   32.382883]  ? get_unique_tuple+0x16c7/0x19e0
[   32.387370]  print_address_description.cold+0x5/0x1dc
[   32.392535]  ? get_unique_tuple+0x16c7/0x19e0
[   32.397001]  kasan_report.cold+0xa9/0x2b9
[   32.401122]  get_unique_tuple+0x16c7/0x19e0
[   32.405421]  ? unwind_next_frame+0xe38/0x1700
[   32.409890]  ? nf_nat_cleanup_conntrack+0x50/0x50
[   32.414706]  ? lock_downgrade+0x6e0/0x6e0
[   32.418829]  nf_nat_setup_info+0x17b/0x720
[   32.423038]  ? get_unique_tuple+0x19e0/0x19e0
[   32.427508]  ? _raw_spin_unlock_irqrestore+0x66/0xe0
[   32.432621]  ? kasan_kmalloc.part.0+0xa6/0xd0
[   32.437096]  ? kasan_kmalloc.part.0+0x4f/0xd0
[   32.441563]  ? kmem_cache_alloc+0x124/0x3c0
[   32.445862]  ? __nf_conntrack_alloc.isra.0+0xa2/0x550
[   32.451026]  ? ctnetlink_create_conntrack+0x9e/0x1040
[   32.456189]  ? ctnetlink_new_conntrack+0x45f/0xbf4
[   32.461088]  ? nfnetlink_rcv_msg+0x9e1/0xc00
[   32.465471]  ? __lock_acquire+0x655/0x42a0
[   32.469677]  ? SyS_sendmsg+0x27/0x40
[   32.473378]  __nf_nat_alloc_null_binding+0x13f/0x180
[   32.478459]  ? nf_nat_setup_info+0x720/0x720
[   32.482847]  nfnetlink_parse_nat_setup+0x318/0x380
[   32.487748]  ? nf_nat_alloc_null_binding+0x40/0x40
[   32.492655]  ? __nf_conntrack_alloc.isra.0+0xa2/0x550
[   32.497829]  ? check_preemption_disabled+0x35/0x240
[   32.502819]  ? nf_nat_alloc_null_binding+0x40/0x40
[   32.507723]  ctnetlink_parse_nat_setup+0x70/0x490
[   32.512540]  ctnetlink_create_conntrack+0x437/0x1040
[   32.517615]  ? queue_work_on+0xf7/0x1d0
[   32.521563]  ? ctnetlink_glue_parse+0x440/0x440
[   32.526204]  ? __do_once_done+0x1be/0x240
[   32.530329]  ? hash_conntrack_raw.isra.0+0x2b0/0x3f0
[   32.535416]  ? __nf_ct_refresh_acct+0x240/0x240
[   32.540062]  ctnetlink_new_conntrack+0x45f/0xbf4
[   32.544806]  ? ctnetlink_create_conntrack+0x1040/0x1040
[   32.550142]  ? __ww_mutex_wakeup_for_backoff+0x210/0x210
[   32.555578]  ? ctnetlink_create_conntrack+0x1040/0x1040
[   32.560923]  nfnetlink_rcv_msg+0x9e1/0xc00
[   32.565159]  netlink_rcv_skb+0x127/0x370
[   32.569194]  ? nfnetlink_net_exit_batch+0x150/0x150
[   32.574182]  ? netlink_ack+0x970/0x970
[   32.578045]  ? ns_capable_common+0x127/0x150
[   32.582427]  nfnetlink_rcv+0x1ab/0x1650
[   32.586376]  ? trace_hardirqs_on+0x10/0x10
[   32.590586]  ? __netlink_lookup+0x332/0x5c0
[   32.594896]  ? lock_downgrade+0x6e0/0x6e0
[   32.599029]  ? nfnl_err_del+0x150/0x150
[   32.602979]  ? netlink_seq_start+0x120/0x120
[   32.607357]  ? netlink_deliver_tap+0x90/0x860
[   32.611825]  ? rcu_is_watching+0x11/0xb0
[   32.615862]  ? lock_downgrade+0x6e0/0x6e0
[   32.619983]  netlink_unicast+0x437/0x610
[   32.624075]  ? netlink_sendskb+0x50/0x50
[   32.628115]  netlink_sendmsg+0x64a/0xbb0
[   32.632173]  ? nlmsg_notify+0x160/0x160
[   32.636119]  ? move_addr_to_kernel.part.0+0xf0/0xf0
[   32.641113]  ? security_socket_sendmsg+0x83/0xb0
[   32.645931]  ? nlmsg_notify+0x160/0x160
[   32.649880]  sock_sendmsg+0xb5/0x100
[   32.653577]  ___sys_sendmsg+0x70a/0x840
[   32.657543]  ? copy_msghdr_from_user+0x380/0x380
[   32.662293]  ? lock_downgrade+0x6e0/0x6e0
[   32.666427]  ? __lru_cache_add+0x17b/0x250
[   32.670637]  ? do_raw_spin_unlock+0x164/0x250
[   32.675107]  ? do_huge_pmd_anonymous_page+0x758/0x1690
[   32.680358]  ? prep_transhuge_page+0xa0/0xa0
[   32.684738]  ? trace_hardirqs_on+0x10/0x10
[   32.688948]  ? __handle_mm_fault+0x9cc/0x3670
[   32.693420]  ? __fget_light+0x16a/0x1f0
[   32.697422]  ? sockfd_lookup_light+0xb2/0x160
[   32.701893]  __sys_sendmsg+0xa3/0x120
[   32.705675]  ? SyS_shutdown+0x160/0x160
[   32.709625]  ? up_read+0x17/0x30
[   32.712965]  ? __do_page_fault+0x19a/0xb50
[   32.717174]  SyS_sendmsg+0x27/0x40
[   32.720687]  ? __sys_sendmsg+0x120/0x120
[   32.724722]  do_syscall_64+0x1d5/0x640
[   32.728585]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[   32.733746] RIP: 0033:0x4402d9
[   32.736906] RSP: 002b:00007ffdd0520888 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[   32.744585] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 00000000004402d9
[   32.751829] RDX: 0000000000000000 RSI: 0000000020000300 RDI: 0000000000000003
[   32.759071] RBP: 00000000006ca018 R08: 0000000000000000 R09: 00000000004002c8
[   32.766323] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000401b60
[   32.773570] R13: 0000000000401bf0 R14: 0000000000000000 R15: 0000000000000000
[   32.780823] 
[   32.782422] The buggy address belongs to the variable:
[   32.787710]  nft_nat_ops+0x80/0xc0
[   32.791309] 
[   32.792910] Memory state around the buggy address:
[   32.797815]  ffffffff871c7200: 00 00 00 00 00 00 00 00 00 00 fa fa fa fa fa fa
[   32.805161]  ffffffff871c7280: 00 00 00 00 00 00 00 00 00 00 00 fa fa fa fa fa
[   32.812508] >ffffffff871c7300: 04 fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
[   32.819848]                    ^
[   32.823193]  ffffffff871c7380: 00 00 00 00 00 00 00 00 fa fa fa fa 00 00 00 00
[   32.830529]  ffffffff871c7400: 00 00 00 00 00 00 00 00 fa fa fa fa 00 00 00 00
[   32.837861] ==================================================================
[   32.845191] Disabling lock debugging due to kernel taint
[   32.851656] Kernel panic - not syncing: panic_on_warn set ...
[   32.851656] 
[   32.859009] CPU: 0 PID: 6330 Comm: syz-executor561 Tainted: G    B     4.14.184-syzkaller #0
[   32.868092] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   32.877432] Call Trace:
[   32.880004]  dump_stack+0x1b2/0x283
[   32.883613]  panic+0x1f9/0x42d
[   32.886780]  ? add_taint.cold+0x16/0x16
[   32.890729]  ? preempt_schedule_common+0x4a/0xc0
[   32.895457]  ? get_unique_tuple+0x16c7/0x19e0
[   32.899921]  ? ___preempt_schedule+0x16/0x18
[   32.904299]  ? get_unique_tuple+0x16c7/0x19e0
[   32.908766]  kasan_end_report+0x43/0x49
[   32.912713]  kasan_report.cold+0x12f/0x2b9
[   32.916918]  get_unique_tuple+0x16c7/0x19e0
[   32.921253]  ? unwind_next_frame+0xe38/0x1700
[   32.925720]  ? nf_nat_cleanup_conntrack+0x50/0x50
[   32.930536]  ? lock_downgrade+0x6e0/0x6e0
[   32.934657]  nf_nat_setup_info+0x17b/0x720
[   32.938861]  ? get_unique_tuple+0x19e0/0x19e0
[   32.943354]  ? _raw_spin_unlock_irqrestore+0x66/0xe0
[   32.948432]  ? kasan_kmalloc.part.0+0xa6/0xd0
[   32.952898]  ? kasan_kmalloc.part.0+0x4f/0xd0
[   32.957372]  ? kmem_cache_alloc+0x124/0x3c0
[   32.961665]  ? __nf_conntrack_alloc.isra.0+0xa2/0x550
[   32.966824]  ? ctnetlink_create_conntrack+0x9e/0x1040
[   32.971985]  ? ctnetlink_new_conntrack+0x45f/0xbf4
[   32.976885]  ? nfnetlink_rcv_msg+0x9e1/0xc00
[   32.981268]  ? __lock_acquire+0x655/0x42a0
[   32.985473]  ? SyS_sendmsg+0x27/0x40
[   32.989159]  __nf_nat_alloc_null_binding+0x13f/0x180
[   32.994233]  ? nf_nat_setup_info+0x720/0x720
[   32.998615]  nfnetlink_parse_nat_setup+0x318/0x380
[   33.003514]  ? nf_nat_alloc_null_binding+0x40/0x40
[   33.008415]  ? __nf_conntrack_alloc.isra.0+0xa2/0x550
[   33.013582]  ? check_preemption_disabled+0x35/0x240
[   33.018569]  ? nf_nat_alloc_null_binding+0x40/0x40
[   33.023472]  ctnetlink_parse_nat_setup+0x70/0x490
[   33.028300]  ctnetlink_create_conntrack+0x437/0x1040
[   33.033374]  ? queue_work_on+0xf7/0x1d0
[   33.037319]  ? ctnetlink_glue_parse+0x440/0x440
[   33.041960]  ? __do_once_done+0x1be/0x240
[   33.046081]  ? hash_conntrack_raw.isra.0+0x2b0/0x3f0
[   33.051157]  ? __nf_ct_refresh_acct+0x240/0x240
[   33.055798]  ctnetlink_new_conntrack+0x45f/0xbf4
[   33.060529]  ? ctnetlink_create_conntrack+0x1040/0x1040
[   33.065862]  ? __ww_mutex_wakeup_for_backoff+0x210/0x210
[   33.071288]  ? ctnetlink_create_conntrack+0x1040/0x1040
[   33.076620]  nfnetlink_rcv_msg+0x9e1/0xc00
[   33.080834]  netlink_rcv_skb+0x127/0x370
[   33.084867]  ? nfnetlink_net_exit_batch+0x150/0x150
[   33.089852]  ? netlink_ack+0x970/0x970
[   33.093716]  ? ns_capable_common+0x127/0x150
[   33.098094]  nfnetlink_rcv+0x1ab/0x1650
[   33.102054]  ? trace_hardirqs_on+0x10/0x10
[   33.106260]  ? __netlink_lookup+0x332/0x5c0
[   33.110555]  ? lock_downgrade+0x6e0/0x6e0
[   33.114674]  ? nfnl_err_del+0x150/0x150
[   33.118619]  ? netlink_seq_start+0x120/0x120
[   33.123000]  ? netlink_deliver_tap+0x90/0x860
[   33.127466]  ? rcu_is_watching+0x11/0xb0
[   33.131497]  ? lock_downgrade+0x6e0/0x6e0
[   33.135615]  netlink_unicast+0x437/0x610
[   33.139649]  ? netlink_sendskb+0x50/0x50
[   33.143681]  netlink_sendmsg+0x64a/0xbb0
[   33.147715]  ? nlmsg_notify+0x160/0x160
[   33.151660]  ? move_addr_to_kernel.part.0+0xf0/0xf0
[   33.156664]  ? security_socket_sendmsg+0x83/0xb0
[   33.161390]  ? nlmsg_notify+0x160/0x160
[   33.165336]  sock_sendmsg+0xb5/0x100
[   33.169020]  ___sys_sendmsg+0x70a/0x840
[   33.172965]  ? copy_msghdr_from_user+0x380/0x380
[   33.177690]  ? lock_downgrade+0x6e0/0x6e0
[   33.181810]  ? __lru_cache_add+0x17b/0x250
[   33.186032]  ? do_raw_spin_unlock+0x164/0x250
[   33.190498]  ? do_huge_pmd_anonymous_page+0x758/0x1690
[   33.195745]  ? prep_transhuge_page+0xa0/0xa0
[   33.200125]  ? trace_hardirqs_on+0x10/0x10
[   33.204334]  ? __handle_mm_fault+0x9cc/0x3670
[   33.208798]  ? __fget_light+0x16a/0x1f0
[   33.212744]  ? sockfd_lookup_light+0xb2/0x160
[   33.217208]  __sys_sendmsg+0xa3/0x120
[   33.220978]  ? SyS_shutdown+0x160/0x160
[   33.224925]  ? up_read+0x17/0x30
[   33.228264]  ? __do_page_fault+0x19a/0xb50
[   33.232470]  SyS_sendmsg+0x27/0x40
[   33.235979]  ? __sys_sendmsg+0x120/0x120
[   33.240010]  do_syscall_64+0x1d5/0x640
[   33.243871]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[   33.249030] RIP: 0033:0x4402d9
[   33.252193] RSP: 002b:00007ffdd0520888 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[   33.259873] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 00000000004402d9
[   33.267113] RDX: 0000000000000000 RSI: 0000000020000300 RDI: 0000000000000003
[   33.274361] RBP: 00000000006ca018 R08: 0000000000000000 R09: 00000000004002c8
[   33.281609] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000401b60
[   33.288853] R13: 0000000000401bf0 R14: 0000000000000000 R15: 0000000000000000
[   33.297313] Kernel Offset: disabled
[   33.300934] Rebooting in 86400 seconds..
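The "Memory state around the buggy address" block is the part of this report that says how far the read went wrong. Each shadow byte covers 8 bytes of memory: 00 means all 8 are addressable, 01..07 means only that many leading bytes are, and fa marks a global-variable redzone. The row flagged with ">" and the "^" under its first byte show shadow 04 for the granule at ffffffff871c7300, so an 8-byte read starting there has four bytes in bounds and four past the end of the object, and the granule after it is redzone, which is why KASAN classes it as global-out-of-bounds (the "nft_nat_ops+0x80/0xc0" line is only the nearest kallsyms symbol to that address, as printed by %pS). The program below is an added example, not part of the syzbot report and not kernel code: it parses the dump rows above (embedded as a constructed copy, caret line included), applies the same per-byte rule as KASAN's memory_is_poisoned_1(), and says exactly which bytes of a given access were addressable. It assumes 8-byte granules and the poison values of mm/kasan/kasan.h in the 4.14 kernel that produced the report; the function and type names are the example's own.

```c
/* Added example, not part of the syzbot report above and not kernel code: decode a generic-KASAN
 * "Memory state around the buggy address" dump with the per-byte rule KASAN applies. Assumes 8-byte
 * granules and the 4.14 poison values of mm/kasan/kasan.h; the rows are a copy of the report's. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define KASAN_GRANULE         8    /* memory bytes per shadow byte */
#define SHADOW_ROW_BYTES      16   /* shadow bytes per printed row, i.e. 128 bytes of memory */
#define KASAN_GLOBAL_REDZONE  0xFA
struct shadow_row { uint64_t mem_addr; uint8_t shadow[SHADOW_ROW_BYTES]; };
struct access_verdict {
    unsigned ok_bytes, bad_bytes;        /* addressable / non-addressable bytes of the access */
    int first_bad_shadow, next_shadow;   /* shadow at the first bad byte and at the granule after it; -1 = none */
};

/* Constructed copy of the report's dump rows, caret line included. */
static const char *const report_lines[] = {
    "[   32.797815]  ffffffff871c7200: 00 00 00 00 00 00 00 00 00 00 fa fa fa fa fa fa",
    "[   32.805161]  ffffffff871c7280: 00 00 00 00 00 00 00 00 00 00 00 fa fa fa fa fa",
    "[   32.812508] >ffffffff871c7300: 04 fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00",
    "[   32.819848]                    ^",
    "[   32.823193]  ffffffff871c7380: 00 00 00 00 00 00 00 00 fa fa fa fa 00 00 00 00",
    "[   32.830529]  ffffffff871c7400: 00 00 00 00 00 00 00 00 fa fa fa fa 00 00 00 00",
};

/* Parse one "addr: s0 .. s15" row; returns 0 for any other line (such as the caret). */
static int parse_shadow_row(const char *line, struct shadow_row *row)
{
    const char *p = strchr(line, ']');   /* skip the "[ 32.797815]" timestamp if present */
    p = p ? p + 1 : line;
    while (*p == ' ' || *p == '>') p++;  /* '>' marks the row holding the bad address */
    char *end;
    row->mem_addr = strtoull(p, &end, 16);
    if (end == p || *end != ':') return 0;
    p = end + 1;
    for (int i = 0; i < SHADOW_ROW_BYTES; i++, p = end) {
        unsigned long v = strtoul(p, &end, 16);
        if (end == p || v > 0xff) return 0;
        row->shadow[i] = (uint8_t)v;
    }
    return 1;
}

/* Shadow byte covering memory address addr, or -1 if the dump does not cover it. */
static int shadow_for(const struct shadow_row *rows, size_t nrows, uint64_t addr)
{
    for (size_t i = 0; i < nrows; i++)
        if (addr >= rows[i].mem_addr && addr - rows[i].mem_addr < SHADOW_ROW_BYTES * KASAN_GRANULE)
            return rows[i].shadow[(addr - rows[i].mem_addr) / KASAN_GRANULE];
    return -1;
}

/* memory_is_poisoned_1 rule: 0 = all 8 bytes OK, 1..7 = that many leading bytes, 0xF1..0xFF are negative as s8 = none */
static int byte_is_addressable(uint8_t shadow, uint64_t addr)
{
    return shadow == 0 || (int8_t)(addr & (KASAN_GRANULE - 1)) < (int8_t)shadow;
}

static struct access_verdict classify_access(const struct shadow_row *rows, size_t nrows, uint64_t addr, unsigned size)
{
    struct access_verdict v = { 0, 0, -1, -1 };
    for (uint64_t a = addr; a < addr + size; a++) {
        int s = shadow_for(rows, nrows, a);
        if (s >= 0 && byte_is_addressable((uint8_t)s, a))
            v.ok_bytes++;
        else if (v.bad_bytes++ == 0) {   /* remember what the first bad byte hit */
            v.first_bad_shadow = s;
            v.next_shadow = shadow_for(rows, nrows, (a | (KASAN_GRANULE - 1)) + 1);
        }
    }
    return v;
}

static const char *shadow_name(int s)
{
    if (s < 0) return "outside the dumped range";
    if (s == 0) return "fully addressable";
    if (s < KASAN_GRANULE) return "partially addressable: an object ends inside this granule";
    if (s == KASAN_GLOBAL_REDZONE) return "global redzone";
    return "other poison (slab, page, stack or scope marker)";
}

/* Parse the embedded dump and classify one access against it. */
static struct access_verdict classify_report_access(uint64_t addr, unsigned size)
{
    struct shadow_row rows[16];
    size_t n = 0, nlines = sizeof report_lines / sizeof report_lines[0];
    for (size_t i = 0; i < nlines && n < 16; i++)
        n += parse_shadow_row(report_lines[i], &rows[n]);
    return classify_access(rows, n, addr, size);
}

int main(void)
{
    struct access_verdict v = classify_report_access(0xffffffff871c7300ULL, 8);   /* the report's 8-byte read */
    printf("%u byte(s) in bounds, %u out of bounds; first bad byte: %s; next granule: %s\n",
           v.ok_bytes, v.bad_bytes, shadow_name(v.first_bad_shadow), shadow_name(v.next_shadow));
    return 0;
}
```

For the read in this report the program finds 4 bytes in bounds and 4 out of bounds, with the first bad byte in a partially addressable granule and the following granule marked as global redzone. Feeding it the dump rows of another KASAN report (any line that is not an "addr: s0 .. s15" row is skipped) and the address and size from the "Read/Write of size N at addr X" line gives the same breakdown for that report, which is the quickest way to tell a one-past-the-end read from a wild pointer before looking at the code.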