Warning: Permanently added '10.128.10.58' (ECDSA) to the list of known hosts.
executing program
[ 32.095438] audit: type=1400 audit(1599773511.414:8): avc: denied { execmem } for pid=6365 comm="syz-executor811" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=1
[ 32.117350] IPVS: ftp: loaded support on port[0] = 21
[ 32.148416] netlink: 24 bytes leftover after parsing attributes in process `syz-executor811'.
[ 32.162164] ==================================================================
[ 32.169640] BUG: KASAN: use-after-free in radix_tree_next_chunk+0x89f/0x8c0
[ 32.176746] Read of size 8 at addr ffff88809c1ccd48 by task syz-executor811/6368
[ 32.184254]
[ 32.185872] CPU: 0 PID: 6368 Comm: syz-executor811 Not tainted 4.14.197-syzkaller #0
[ 32.193726] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 32.203055] Call Trace:
[ 32.205622] dump_stack+0x1b2/0x283
[ 32.209227] print_address_description.cold+0x54/0x1d3
[ 32.214482] kasan_report_error.cold+0x8a/0x194
[ 32.219131] ? radix_tree_next_chunk+0x89f/0x8c0
[ 32.223861] __asan_report_load8_noabort+0x68/0x70
[ 32.228829] ? radix_tree_next_chunk+0x89f/0x8c0
[ 32.233567] radix_tree_next_chunk+0x89f/0x8c0
[ 32.238132] ida_remove+0x9b/0x210
[ 32.241650] ? ida_destroy+0x1b0/0x1b0
[ 32.245515] ? lock_acquire+0x170/0x3f0
[ 32.249474] ida_simple_remove+0x31/0x4c
[ 32.253515] ipvlan_link_new+0x50c/0xfa0
[ 32.257579] rtnl_newlink+0xf88/0x1830
[ 32.261454] ? __lock_acquire+0x5fc/0x3f20
[ 32.265669] ? ipvlan_port_destroy+0x3f0/0x3f0
[ 32.270312] ? trace_hardirqs_on+0x10/0x10
[ 32.274524] ? rtnl_dellink+0x6a0/0x6a0
[ 32.278482] ? trace_hardirqs_on+0x10/0x10
[ 32.282693] ? lock_acquire+0x170/0x3f0
[ 32.286656] ? lock_acquire+0x170/0x3f0
[ 32.290601] ? lock_downgrade+0x740/0x740
[ 32.294728] ? rtnl_dellink+0x6a0/0x6a0
[ 32.298677] rtnetlink_rcv_msg+0x3be/0xb10
[ 32.302899] ? rtnl_calcit.isra.0+0x3a0/0x3a0
[ 32.307380] ? __netlink_lookup+0x345/0x5d0
[ 32.311688] netlink_rcv_skb+0x125/0x390
[ 32.315776] ? rtnl_calcit.isra.0+0x3a0/0x3a0
[ 32.320290] ? netlink_ack+0x9a0/0x9a0
[ 32.324156] netlink_unicast+0x437/0x610
[ 32.328209] ? netlink_sendskb+0xd0/0xd0
[ 32.332245] netlink_sendmsg+0x62e/0xb80
[ 32.336281] ? nlmsg_notify+0x170/0x170
[ 32.340227] ? kernel_recvmsg+0x210/0x210
[ 32.344369] ? security_socket_sendmsg+0x83/0xb0
[ 32.349097] ? nlmsg_notify+0x170/0x170
[ 32.353047] sock_sendmsg+0xb5/0x100
[ 32.356736] ___sys_sendmsg+0x6c8/0x800
[ 32.360685] ? copy_msghdr_from_user+0x3b0/0x3b0
[ 32.365415] ? trace_hardirqs_on+0x10/0x10
[ 32.369713] ? lock_acquire+0x170/0x3f0
[ 32.373673] ? lock_downgrade+0x740/0x740
[ 32.377805] ? __might_fault+0x104/0x1b0
[ 32.381837] ? lock_acquire+0x170/0x3f0
[ 32.385784] ? lock_downgrade+0x740/0x740
[ 32.389905] ? __might_fault+0x177/0x1b0
[ 32.393939] ? _copy_to_user+0x82/0xd0
[ 32.397815] ? move_addr_to_user+0x13f/0x180
[ 32.402204] ? __fdget+0x167/0x1f0
[ 32.405715] ? sockfd_lookup_light+0xb2/0x160
[ 32.410196] __sys_sendmsg+0xa3/0x120
[ 32.413974] ? SyS_shutdown+0x160/0x160
[ 32.418193] ? move_addr_to_kernel+0x60/0x60
[ 32.422596] ? __do_page_fault+0x19a/0xb50
[ 32.426826] SyS_sendmsg+0x27/0x40
[ 32.430355] ? __sys_sendmsg+0x120/0x120
[ 32.434398] do_syscall_64+0x1d5/0x640
[ 32.438275] entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 32.443443] RIP: 0033:0x440ec9
[ 32.446619] RSP: 002b:00007fffd7bebda8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 32.454304] RAX: ffffffffffffffda RBX: 00000000004a2690 RCX: 0000000000440ec9
[ 32.461553] RDX: 0000000000000000 RSI: 0000000020000480 RDI: 0000000000000004
[ 32.468797] RBP: 00007fffd7bebdb0 R08: 0000000120080522 R09: 0000000120080522
[ 32.476050] R10: 0000000120080522 R11: 0000000000000246 R12: 00000000004a2690
[ 32.483292] R13: 00000000004023e0 R14: 0000000000000000 R15: 0000000000000000
[ 32.490539]
[ 32.492144] Allocated by task 6368:
[ 32.495747] kasan_kmalloc+0xeb/0x160
[ 32.499539] kmem_cache_alloc_trace+0x131/0x3d0
[ 32.504182] ipvlan_link_new+0x64f/0xfa0
[ 32.508226] rtnl_newlink+0xf88/0x1830
[ 32.512087] rtnetlink_rcv_msg+0x3be/0xb10
[ 32.516293] netlink_rcv_skb+0x125/0x390
[ 32.520354] netlink_unicast+0x437/0x610
[ 32.524396] netlink_sendmsg+0x62e/0xb80
[ 32.528431] sock_sendmsg+0xb5/0x100
[ 32.532129] ___sys_sendmsg+0x6c8/0x800
[ 32.536086] __sys_sendmsg+0xa3/0x120
[ 32.539866] SyS_sendmsg+0x27/0x40
[ 32.543380] do_syscall_64+0x1d5/0x640
[ 32.547330] entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 32.552498]
[ 32.554108] Freed by task 6368:
[ 32.557361] kasan_slab_free+0xc3/0x1a0
[ 32.561307] kfree+0xc9/0x250
[ 32.564402] ipvlan_uninit+0xb6/0xe0
[ 32.568101] register_netdevice+0x7fd/0xe40
[ 32.572396] ipvlan_link_new+0x499/0xfa0
[ 32.576430] rtnl_newlink+0xf88/0x1830
[ 32.580293] rtnetlink_rcv_msg+0x3be/0xb10
[ 32.584499] netlink_rcv_skb+0x125/0x390
[ 32.588533] netlink_unicast+0x437/0x610
[ 32.592569] netlink_sendmsg+0x62e/0xb80
[ 32.596610] sock_sendmsg+0xb5/0x100
[ 32.600307] ___sys_sendmsg+0x6c8/0x800
[ 32.604272] __sys_sendmsg+0xa3/0x120
[ 32.608056] SyS_sendmsg+0x27/0x40
[ 32.611569] do_syscall_64+0x1d5/0x640
[ 32.615430] entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 32.620589]
[ 32.622204] The buggy address belongs to the object at ffff88809c1cc480
[ 32.622204] which belongs to the cache kmalloc-4096 of size 4096
[ 32.635005] The buggy address is located 2248 bytes inside of
[ 32.635005] 4096-byte region [ffff88809c1cc480, ffff88809c1cd480)
[ 32.647023] The buggy address belongs to the page:
[ 32.651926] page:ffffea0002707300 count:1 mapcount:0 mapping:ffff88809c1cc480 index:0x0 compound_mapcount: 0
[ 32.661878] flags: 0xfffe0000008100(slab|head)
[ 32.666434] raw: 00fffe0000008100 ffff88809c1cc480 0000000000000000 0000000100000001
[ 32.674301] raw: ffffea000219a520 ffff88812fe51a48 ffff88812fe50dc0 0000000000000000
[ 32.682157] page dumped because: kasan: bad access detected
[ 32.687848]
[ 32.689457] Memory state around the buggy address:
[ 32.694359] ffff88809c1ccc00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 32.701695] ffff88809c1ccc80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 32.709032] >ffff88809c1ccd00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 32.716368]                                               ^
[ 32.722049] ffff88809c1ccd80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 32.729394] ffff88809c1cce00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 32.736733] ==================================================================
[ 32.744063] Disabling lock debugging due to kernel taint
[ 32.749485] Kernel panic - not syncing: panic_on_warn set ...
[ 32.749485]
[ 32.756818] CPU: 0 PID: 6368 Comm: syz-executor811 Tainted: G B 4.14.197-syzkaller #0
[ 32.765891] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 32.775321] Call Trace:
[ 32.777888] dump_stack+0x1b2/0x283
[ 32.781488] panic+0x1f9/0x42d
[ 32.784658] ? add_taint.cold+0x16/0x16
[ 32.788606] ? lock_downgrade+0x740/0x740
[ 32.792746] kasan_end_report+0x43/0x49
[ 32.796702] kasan_report_error.cold+0xa7/0x194
[ 32.801343] ? radix_tree_next_chunk+0x89f/0x8c0
[ 32.806071] __asan_report_load8_noabort+0x68/0x70
[ 32.810972] ? radix_tree_next_chunk+0x89f/0x8c0
[ 32.815700] radix_tree_next_chunk+0x89f/0x8c0
[ 32.820255] ida_remove+0x9b/0x210
[ 32.823856] ? ida_destroy+0x1b0/0x1b0
[ 32.827716] ? lock_acquire+0x170/0x3f0
[ 32.831663] ida_simple_remove+0x31/0x4c
[ 32.835708] ipvlan_link_new+0x50c/0xfa0
[ 32.839756] rtnl_newlink+0xf88/0x1830
[ 32.843617] ? __lock_acquire+0x5fc/0x3f20
[ 32.847821] ? ipvlan_port_destroy+0x3f0/0x3f0
[ 32.852374] ? trace_hardirqs_on+0x10/0x10
[ 32.856579] ? rtnl_dellink+0x6a0/0x6a0
[ 32.860523] ? trace_hardirqs_on+0x10/0x10
[ 32.864727] ? lock_acquire+0x170/0x3f0
[ 32.868682] ? lock_acquire+0x170/0x3f0
[ 32.872638] ? lock_downgrade+0x740/0x740
[ 32.876759] ? rtnl_dellink+0x6a0/0x6a0
[ 32.880705] rtnetlink_rcv_msg+0x3be/0xb10
[ 32.884912] ? rtnl_calcit.isra.0+0x3a0/0x3a0
[ 32.889384] ? __netlink_lookup+0x345/0x5d0
[ 32.894039] netlink_rcv_skb+0x125/0x390
[ 32.898071] ? rtnl_calcit.isra.0+0x3a0/0x3a0
[ 32.902539] ? netlink_ack+0x9a0/0x9a0
[ 32.906400] netlink_unicast+0x437/0x610
[ 32.910437] ? netlink_sendskb+0xd0/0xd0
[ 32.914480] netlink_sendmsg+0x62e/0xb80
[ 32.918514] ? nlmsg_notify+0x170/0x170
[ 32.922461] ? kernel_recvmsg+0x210/0x210
[ 32.926584] ? security_socket_sendmsg+0x83/0xb0
[ 32.931318] ? nlmsg_notify+0x170/0x170
[ 32.935267] sock_sendmsg+0xb5/0x100
[ 32.938959] ___sys_sendmsg+0x6c8/0x800
[ 32.942905] ? copy_msghdr_from_user+0x3b0/0x3b0
[ 32.947644] ? trace_hardirqs_on+0x10/0x10
[ 32.951853] ? lock_acquire+0x170/0x3f0
[ 32.958057] ? lock_downgrade+0x740/0x740
[ 32.962176] ? __might_fault+0x104/0x1b0
[ 32.966207] ? lock_acquire+0x170/0x3f0
[ 32.970165] ? lock_downgrade+0x740/0x740
[ 32.974306] ? __might_fault+0x177/0x1b0
[ 32.978349] ? _copy_to_user+0x82/0xd0
[ 32.982212] ? move_addr_to_user+0x13f/0x180
[ 32.986590] ? __fdget+0x167/0x1f0
[ 32.990102] ? sockfd_lookup_light+0xb2/0x160
[ 32.994581] __sys_sendmsg+0xa3/0x120
[ 32.998366] ? SyS_shutdown+0x160/0x160
[ 33.002333] ? move_addr_to_kernel+0x60/0x60
[ 33.006742] ? __do_page_fault+0x19a/0xb50
[ 33.010984] SyS_sendmsg+0x27/0x40
[ 33.014506] ? __sys_sendmsg+0x120/0x120
[ 33.018553] do_syscall_64+0x1d5/0x640
[ 33.022433] entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 33.027608] RIP: 0033:0x440ec9
[ 33.030775] RSP: 002b:00007fffd7bebda8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 33.038471] RAX: ffffffffffffffda RBX: 00000000004a2690 RCX: 0000000000440ec9
[ 33.045716] RDX: 0000000000000000 RSI: 0000000020000480 RDI: 0000000000000004
[ 33.053005] RBP: 00007fffd7bebdb0 R08: 0000000120080522 R09: 0000000120080522
[ 33.060333] R10: 0000000120080522 R11: 0000000000000246 R12: 00000000004a2690
[ 33.067576] R13: 00000000004023e0 R14: 0000000000000000 R15: 0000000000000000
[ 33.076122] Kernel Offset: disabled
[ 33.079737] Rebooting in 86400 seconds..