Debian GNU/Linux 9 syzkaller ttyS0
Warning: Permanently added '10.128.0.41' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [   27.495199] netlink: 1572 bytes leftover after parsing attributes in process `syz-executor312'.
[   27.504174] netlink: 5728 bytes leftover after parsing attributes in process `syz-executor312'.
[   27.513806] netlink: 128 bytes leftover after parsing attributes in process `syz-executor312'.
[   27.523173] netlink: 4 bytes leftover after parsing attributes in process `syz-executor312'.
[   27.532437] ==================================================================
[   27.539857] BUG: KASAN: slab-out-of-bounds in ipt_init_target+0x213/0x250
[   27.546762] Read of size 1 at addr ffff8880af659bdf by task syz-executor312/7982
[   27.554266] 
[   27.555870] CPU: 0 PID: 7982 Comm: syz-executor312 Not tainted 4.14.295-syzkaller #0
[   27.563719] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/22/2022
[   27.573043] Call Trace:
[   27.575608]  dump_stack+0x1b2/0x281
[   27.579215]  print_address_description.cold+0x54/0x1d3
[   27.584464]  kasan_report_error.cold+0x8a/0x191
[   27.589107]  ? ipt_init_target+0x213/0x250
[   27.593316]  __asan_report_load1_noabort+0x68/0x70
[   27.598220]  ? tcf_idr_create+0x1f0/0x780
[   27.602340]  ? ipt_init_target+0x213/0x250
[   27.606550]  ipt_init_target+0x213/0x250
[   27.610588]  ? tcf_ipt_walker+0x200/0x200
[   27.614708]  ? fs_reclaim_release+0xd0/0x110
[   27.619095]  ? memcpy+0x35/0x50
[   27.622375]  __tcf_ipt_init+0x48d/0xc00
[   27.626341]  ? ipt_init_target+0x250/0x250
[   27.630559]  ? tc_lookup_action_n+0xac/0xd0
[   27.634866]  ? lock_downgrade+0x740/0x740
[   27.639087]  tcf_ipt_init+0x43/0x50
[   27.642709]  tcf_action_init_1+0x51a/0x9e0
[   27.646921]  ? tcf_action_dump_old+0x80/0x80
[   27.651348]  ? printk+0x9e/0xbc
[   27.654621]  ? log_store.cold+0x16/0x16
[   27.658584]  ? nla_parse+0x157/0x1f0
[   27.662279]  tcf_action_init+0x26d/0x400
[   27.666318]  ? tcf_action_init_1+0x9e0/0x9e0
[   27.670796]  ? nla_parse+0x157/0x1f0
[   27.674497]  tc_ctl_action+0x2e3/0x510
[   27.678359]  ? tca_action_gd+0x790/0x790
[   27.682481]  ? rtnetlink_rcv_msg+0x2e8/0xb10
[   27.686878]  ? tca_action_gd+0x790/0x790
[   27.690911]  rtnetlink_rcv_msg+0x3be/0xb10
[   27.695162]  ? rtnl_calcit.isra.0+0x3a0/0x3a0
[   27.699634]  ? __netlink_lookup+0x345/0x5d0
[   27.703933]  netlink_rcv_skb+0x125/0x390
[   27.707967]  ? rtnl_calcit.isra.0+0x3a0/0x3a0
[   27.712451]  ? netlink_ack+0x9a0/0x9a0
[   27.716321]  netlink_unicast+0x437/0x610
[   27.720359]  ? netlink_sendskb+0xd0/0xd0
[   27.724392]  ? __check_object_size+0x179/0x230
[   27.728960]  netlink_sendmsg+0x648/0xbc0
[   27.733003]  ? nlmsg_notify+0x1b0/0x1b0
[   27.736950]  ? kernel_recvmsg+0x210/0x210
[   27.741078]  ? security_socket_sendmsg+0x83/0xb0
[   27.745806]  ? nlmsg_notify+0x1b0/0x1b0
[   27.749768]  sock_sendmsg+0xb5/0x100
[   27.753464]  ___sys_sendmsg+0x6c8/0x800
[   27.757415]  ? copy_msghdr_from_user+0x3b0/0x3b0
[   27.762149]  ? lock_downgrade+0x740/0x740
[   27.766316]  ? __lru_cache_add+0x178/0x250
[   27.770525]  ? do_raw_spin_unlock+0x164/0x220
[   27.774995]  ? _raw_spin_unlock+0x29/0x40
[   27.779116]  ? do_huge_pmd_anonymous_page+0x72e/0x1700
[   27.784366]  ? prep_transhuge_page+0xa0/0xa0
[   27.788745]  ? _raw_spin_unlock+0x29/0x40
[   27.792867]  ? __pmd_alloc+0x27f/0x3f0
[   27.796738]  ? __handle_mm_fault+0x80f/0x4620
[   27.801212]  ? lock_downgrade+0x740/0x740
[   27.805346]  ? vm_insert_page+0x7c0/0x7c0
[   27.809473]  ? __fdget+0x167/0x1f0
[   27.812993]  ? sockfd_lookup_light+0xb2/0x160
[   27.817479]  __sys_sendmsg+0xa3/0x120
[   27.821268]  ? SyS_shutdown+0x160/0x160
[   27.825234]  ? up_read+0x17/0x30
[   27.828582]  ? __do_page_fault+0x159/0xad0
[   27.832795]  SyS_sendmsg+0x27/0x40
[   27.836312]  ? __sys_sendmsg+0x120/0x120
[   27.840346]  do_syscall_64+0x1d5/0x640
[   27.844210]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[   27.849375] RIP: 0033:0x7f1bea640179
[   27.853060] RSP: 002b:00007ffd20a67048 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[   27.860742] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f1bea640179
[   27.867986] RDX: 0000000000000000 RSI: 0000000020007bc0 RDI: 0000000000000003
[   27.875230] RBP: 00007f1bea604160 R08: 0000000000000000 R09: 0000000000000000
[   27.882481] R10: fffffffffffffff0 R11: 0000000000000246 R12: 00007f1bea6041f0
[   27.889724] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[   27.896981] 
[   27.898581] Allocated by task 7982:
[   27.902181]  kasan_kmalloc+0xeb/0x160
[   27.905956]  __kmalloc_track_caller+0x155/0x400
[   27.910597]  kmemdup+0x23/0x50
[   27.913765]  __tcf_ipt_init+0x464/0xc00
[   27.917737]  tcf_ipt_init+0x43/0x50
[   27.921351]  tcf_action_init_1+0x51a/0x9e0
[   27.925557]  tcf_action_init+0x26d/0x400
[   27.929588]  tc_ctl_action+0x2e3/0x510
[   27.933451]  rtnetlink_rcv_msg+0x3be/0xb10
[   27.937658]  netlink_rcv_skb+0x125/0x390
[   27.941690]  netlink_unicast+0x437/0x610
[   27.945859]  netlink_sendmsg+0x648/0xbc0
[   27.949897]  sock_sendmsg+0xb5/0x100
[   27.953587]  ___sys_sendmsg+0x6c8/0x800
[   27.957534]  __sys_sendmsg+0xa3/0x120
[   27.961305]  SyS_sendmsg+0x27/0x40
[   27.964822]  do_syscall_64+0x1d5/0x640
[   27.968686]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[   27.973847] 
[   27.975450] Freed by task 1:
[   27.978445]  kasan_slab_free+0xc3/0x1a0
[   27.982394]  kfree+0xc9/0x250
[   27.985477]  kobject_uevent_env+0x26c/0xf30
[   27.989774]  tty_register_device_attr+0x444/0x710
[   27.994589]  tty_register_driver+0x3a6/0x750
[   27.998970]  pty_init+0x66a/0xdca
[   28.002397]  do_one_initcall+0x88/0x210
[   28.006348]  kernel_init_freeable+0x565/0x626
[   28.010823]  kernel_init+0xd/0x161
[   28.014341]  ret_from_fork+0x24/0x30
[   28.018024] 
[   28.019635] The buggy address belongs to the object at ffff8880af659bc0
[   28.019635]  which belongs to the cache kmalloc-32 of size 32
[   28.032100] The buggy address is located 31 bytes inside of
[   28.032100]  32-byte region [ffff8880af659bc0, ffff8880af659be0)
[   28.043772] The buggy address belongs to the page:
[   28.048675] page:ffffea0002bd9640 count:1 mapcount:0 mapping:ffff8880af659000 index:0xffff8880af659fc1
[   28.058093] flags: 0xfff00000000100(slab)
[   28.062220] raw: 00fff00000000100 ffff8880af659000 ffff8880af659fc1 000000010000003f
[   28.070076] raw: ffffea0002bdf120 ffff88813fe64248 ffff88813fe741c0 0000000000000000
[   28.077959] page dumped because: kasan: bad access detected
[   28.083645] 
[   28.085246] Memory state around the buggy address:
[   28.090601]  ffff8880af659a80: 06 fc fc fc fc fc fc fc fb fb fb fb fc fc fc fc
[   28.097933]  ffff8880af659b00: fb fb fb fb fc fc fc fc 06 fc fc fc fc fc fc fc
[   28.105272] >ffff8880af659b80: 06 fc fc fc fc fc fc fc 00 fc fc fc fc fc fc fc
[   28.112604]                                                     ^
[   28.118814]  ffff8880af659c00: 06 fc fc fc fc fc fc fc 06 fc fc fc fc fc fc fc
[   28.126234]  ffff8880af659c80: 06 fc fc fc fc fc fc fc 00 00 fc fc fc fc fc fc
[   28.133566] ==================================================================
[   28.140902] Disabling lock debugging due to kernel taint
[   28.149801] Kernel panic - not syncing: panic_on_warn set ...
[   28.149801] 
[   28.157199] CPU: 1 PID: 7982 Comm: syz-executor312 Tainted: G    B             4.14.295-syzkaller #0
[   28.166286] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/22/2022
[   28.175751] Call Trace:
[   28.178340]  dump_stack+0x1b2/0x281
[   28.181956]  panic+0x1f9/0x42d
[   28.185128]  ? add_taint.cold+0x16/0x16
[   28.189078]  ? ___preempt_schedule+0x16/0x18
[   28.193466]  kasan_end_report+0x43/0x49
[   28.197413]  kasan_report_error.cold+0xa7/0x191
[   28.202059]  ? ipt_init_target+0x213/0x250
[   28.206271]  __asan_report_load1_noabort+0x68/0x70
[   28.211315]  ? tcf_idr_create+0x1f0/0x780
[   28.215456]  ? ipt_init_target+0x213/0x250
[   28.219673]  ipt_init_target+0x213/0x250
[   28.223712]  ? tcf_ipt_walker+0x200/0x200
[   28.227835]  ? fs_reclaim_release+0xd0/0x110
[   28.232219]  ? memcpy+0x35/0x50
[   28.235474]  __tcf_ipt_init+0x48d/0xc00
[   28.239445]  ? ipt_init_target+0x250/0x250
[   28.243665]  ? tc_lookup_action_n+0xac/0xd0
[   28.247969]  ? lock_downgrade+0x740/0x740
[   28.252097]  tcf_ipt_init+0x43/0x50
[   28.255705]  tcf_action_init_1+0x51a/0x9e0
[   28.259916]  ? tcf_action_dump_old+0x80/0x80
[   28.264300]  ? printk+0x9e/0xbc
[   28.267552]  ? log_store.cold+0x16/0x16
[   28.271502]  ? nla_parse+0x157/0x1f0
[   28.275189]  tcf_action_init+0x26d/0x400
[   28.279222]  ? tcf_action_init_1+0x9e0/0x9e0
[   28.283608]  ? nla_parse+0x157/0x1f0
[   28.287297]  tc_ctl_action+0x2e3/0x510
[   28.291160]  ? tca_action_gd+0x790/0x790
[   28.295198]  ? rtnetlink_rcv_msg+0x2e8/0xb10
[   28.299582]  ? tca_action_gd+0x790/0x790
[   28.303614]  rtnetlink_rcv_msg+0x3be/0xb10
[   28.307825]  ? rtnl_calcit.isra.0+0x3a0/0x3a0
[   28.312297]  ? __netlink_lookup+0x345/0x5d0
[   28.316592]  netlink_rcv_skb+0x125/0x390
[   28.320628]  ? rtnl_calcit.isra.0+0x3a0/0x3a0
[   28.325098]  ? netlink_ack+0x9a0/0x9a0
[   28.328962]  netlink_unicast+0x437/0x610
[   28.332997]  ? netlink_sendskb+0xd0/0xd0
[   28.337031]  ? __check_object_size+0x179/0x230
[   28.341586]  netlink_sendmsg+0x648/0xbc0
[   28.345620]  ? nlmsg_notify+0x1b0/0x1b0
[   28.349568]  ? kernel_recvmsg+0x210/0x210
[   28.353690]  ? security_socket_sendmsg+0x83/0xb0
[   28.358421]  ? nlmsg_notify+0x1b0/0x1b0
[   28.362368]  sock_sendmsg+0xb5/0x100
[   28.366053]  ___sys_sendmsg+0x6c8/0x800
[   28.369999]  ? copy_msghdr_from_user+0x3b0/0x3b0
[   28.374728]  ? lock_downgrade+0x740/0x740
[   28.378847]  ? __lru_cache_add+0x178/0x250
[   28.383052]  ? do_raw_spin_unlock+0x164/0x220
[   28.387519]  ? _raw_spin_unlock+0x29/0x40
[   28.391645]  ? do_huge_pmd_anonymous_page+0x72e/0x1700
[   28.396895]  ? prep_transhuge_page+0xa0/0xa0
[   28.401278]  ? _raw_spin_unlock+0x29/0x40
[   28.405400]  ? __pmd_alloc+0x27f/0x3f0
[   28.409266]  ? __handle_mm_fault+0x80f/0x4620
[   28.413738]  ? lock_downgrade+0x740/0x740
[   28.417860]  ? vm_insert_page+0x7c0/0x7c0
[   28.421982]  ? __fdget+0x167/0x1f0
[   28.425496]  ? sockfd_lookup_light+0xb2/0x160
[   28.429966]  __sys_sendmsg+0xa3/0x120
[   28.433742]  ? SyS_shutdown+0x160/0x160
[   28.437707]  ? up_read+0x17/0x30
[   28.441052]  ? __do_page_fault+0x159/0xad0
[   28.445259]  SyS_sendmsg+0x27/0x40
[   28.448778]  ? __sys_sendmsg+0x120/0x120
[   28.452822]  do_syscall_64+0x1d5/0x640
[   28.456690]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[   28.461854] RIP: 0033:0x7f1bea640179
[   28.465540] RSP: 002b:00007ffd20a67048 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[   28.473220] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f1bea640179
[   28.480462] RDX: 0000000000000000 RSI: 0000000020007bc0 RDI: 0000000000000003
[   28.487704] RBP: 00007f1bea604160 R08: 0000000000000000 R09: 0000000000000000
[   28.495423] R10: fffffffffffffff0 R11: 0000000000000246 R12: 00007f1bea6041f0
[   28.502667] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[   28.509987] Kernel Offset: disabled
[   28.513593] Rebooting in 86400 seconds..