[ 36.017442] audit: type=1800 audit(1584713957.308:33): pid=7317 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op="collect_data" cause="failed(directio)" comm="startpar" name="rc.local" dev="sda1" ino=2465 res=0
[ 36.044524] audit: type=1800 audit(1584713957.308:34): pid=7317 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op="collect_data" cause="failed(directio)" comm="startpar" name="rmnologin" dev="sda1" ino=2456 res=0
Debian GNU/Linux 7 syzkaller ttyS0
syzkaller login: [ 37.659396] random: sshd: uninitialized urandom read (32 bytes read)
[ 37.859156] audit: type=1400 audit(1584713959.148:35): avc: denied { map } for pid=7490 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[ 37.909924] random: sshd: uninitialized urandom read (32 bytes read)
[ 38.620239] random: sshd: uninitialized urandom read (32 bytes read)
[ 38.812518] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.185' (ECDSA) to the list of known hosts.
[ 44.422531] random: sshd: uninitialized urandom read (32 bytes read)
[ 44.542715] audit: type=1400 audit(1584713965.838:36): avc: denied { map } for pid=7502 comm="syz-executor746" path="/root/syz-executor746596600" dev="sda1" ino=16484 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 44.801067] IPVS: ftp: loaded support on port[0] = 21
[ 45.587494] chnl_net:caif_netlink_parms(): no params data found
[ 45.634844] bridge0: port 1(bridge_slave_0) entered blocking state
[ 45.642043] bridge0: port 1(bridge_slave_0) entered disabled state
[ 45.650549] device bridge_slave_0 entered promiscuous mode
[ 45.657696] bridge0: port 2(bridge_slave_1) entered blocking state
[ 45.664156] bridge0: port 2(bridge_slave_1) entered disabled state
[ 45.671264] device bridge_slave_1 entered promiscuous mode
[ 45.686711] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 45.695658] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 45.711747] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 45.719023] team0: Port device team_slave_0 added
[ 45.724822] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 45.731987] team0: Port device team_slave_1 added
[ 45.746393] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 45.752927] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 45.778148] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[ 45.789602] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 45.795929] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 45.821167] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[ 45.831848] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[ 45.839276] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[ 45.902330] device hsr_slave_0 entered promiscuous mode
[ 45.950381] device hsr_slave_1 entered promiscuous mode
[ 45.990805] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready
[ 45.997937] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_1: link is not ready
[ 46.047976] audit: type=1400 audit(1584713967.338:37): avc: denied { create } for pid=7503 comm="syz-executor746" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
[ 46.073268] audit: type=1400 audit(1584713967.338:38): avc: denied { write } for pid=7503 comm="syz-executor746" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
[ 46.090757] bridge0: port 2(bridge_slave_1) entered blocking state
[ 46.097601] audit: type=1400 audit(1584713967.368:39): avc: denied { read } for pid=7503 comm="syz-executor746" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
[ 46.103602] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 46.104001] bridge0: port 1(bridge_slave_0) entered blocking state
[ 46.140510] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 46.173450] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[ 46.179530] 8021q: adding VLAN 0 to HW filter on device bond0
[ 46.188386] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 46.197792] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 46.217227] bridge0: port 1(bridge_slave_0) entered disabled state
[ 46.224603] bridge0: port 2(bridge_slave_1) entered disabled state
[ 46.235066] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready
[ 46.241313] 8021q: adding VLAN 0 to HW filter on device team0
[ 46.249819] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 46.258043] bridge0: port 1(bridge_slave_0) entered blocking state
[ 46.264448] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 46.275102] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 46.282806] bridge0: port 2(bridge_slave_1) entered blocking state
[ 46.289317] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 46.305040] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 46.312779] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 46.323107] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 46.336297] hsr0: Slave A (hsr_slave_0) is not up; please bring it up to get a fully working HSR network
[ 46.347516] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
[ 46.358792] IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready
[ 46.365545] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 46.373580] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 46.381284] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 46.394117] IPv6: ADDRCONF(NETDEV_UP): vxcan0: link is not ready
[ 46.401934] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 46.408708] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 46.421617] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 46.482312] IPv6: ADDRCONF(NETDEV_UP): veth0_virt_wifi: link is not ready
[ 46.495290] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 46.531923] IPv6: ADDRCONF(NETDEV_UP): veth0_vlan: link is not ready
[ 46.538957] IPv6: ADDRCONF(NETDEV_UP): vlan0: link is not ready
[ 46.545765] IPv6: ADDRCONF(NETDEV_UP): vlan1: link is not ready
[ 46.554966] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 46.563146] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 46.570163] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 46.577165] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 46.586893] device veth0_vlan entered promiscuous mode
[ 46.596199] device veth1_vlan entered promiscuous mode
[ 46.609269] IPv6: ADDRCONF(NETDEV_UP): veth0_macvtap: link is not ready
[ 46.618559] IPv6: ADDRCONF(NETDEV_UP): veth1_macvtap: link is not ready
[ 46.625835] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_macvtap: link becomes ready
[ 46.635082] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 46.645531] device veth0_macvtap entered promiscuous mode
[ 46.651925] IPv6: ADDRCONF(NETDEV_UP): macvtap0: link is not ready
[ 46.659942] device veth1_macvtap entered promiscuous mode
[ 46.666335] IPv6: ADDRCONF(NETDEV_UP): macsec0: link is not ready
[ 46.674741] IPv6: ADDRCONF(NETDEV_UP): veth0_to_batadv: link is not ready
[ 46.683866] IPv6: ADDRCONF(NETDEV_UP): veth1_to_batadv: link is not ready
[ 46.692909] IPv6: ADDRCONF(NETDEV_UP): batadv_slave_0: link is not ready
[ 46.699991] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 46.706984] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready
[ 46.714307] IPv6: ADDRCONF(NETDEV_CHANGE): macsec0: link becomes ready
[ 46.721802] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready
[ 46.729473] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 46.740371] IPv6: ADDRCONF(NETDEV_UP): batadv_slave_1: link is not ready
[ 46.747273] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 46.754204] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready
[ 46.762346] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
executing program
[ 46.860966] FAULT_INJECTION: forcing a failure.
[ 46.860966] name failslab, interval 1, probability 0, space 0, times 1
[ 46.872608] CPU: 0 PID: 7503 Comm: syz-executor746 Not tainted 4.14.174-syzkaller #0
[ 46.880665] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 46.890020] Call Trace:
[ 46.892719] dump_stack+0x13e/0x194
[ 46.896337] should_fail.cold+0x10a/0x14b
[ 46.900476] should_failslab+0xd6/0x130
[ 46.904490] kmem_cache_alloc_trace+0x2db/0x7b0
[ 46.909143] ? mark_held_locks+0xa6/0xf0
[ 46.913200] ? __local_bh_enable_ip+0x94/0x190
[ 46.917790] qfq_change_class+0xb3b/0x1081
[ 46.922036] ? qfq_enqueue+0x1630/0x1630
[ 46.926078] ? nla_parse+0x183/0x240
[ 46.929785] ? qdisc_match_from_root+0x148/0x220
[ 46.934542] ? qfq_enqueue+0x1630/0x1630
[ 46.938579] tc_ctl_tclass+0x3e2/0xa00
[ 46.942462] ? qdisc_tree_reduce_backlog+0x4a0/0x4a0
[ 46.947547] ? rtnetlink_rcv_msg+0x2e8/0xb10
[ 46.951953] ? qdisc_tree_reduce_backlog+0x4a0/0x4a0
[ 46.957048] rtnetlink_rcv_msg+0x3be/0xb10
[ 46.961281] ? rtnl_bridge_getlink+0x7a0/0x7a0
[ 46.965858] ? netdev_pick_tx+0x2e0/0x2e0
[ 46.970018] ? skb_clone+0x11c/0x310
[ 46.973719] ? save_trace+0x290/0x290
[ 46.977513] netlink_rcv_skb+0x127/0x370
[ 46.981572] ? rtnl_bridge_getlink+0x7a0/0x7a0
[ 46.986134] ? netlink_ack+0x980/0x980
[ 46.990002] netlink_unicast+0x437/0x620
[ 46.994075] ? netlink_attachskb+0x600/0x600
[ 46.998471] netlink_sendmsg+0x733/0xbe0
[ 47.002525] ? netlink_unicast+0x620/0x620
[ 47.006740] ? SYSC_sendto+0x2b0/0x2b0
[ 47.010617] ? security_socket_sendmsg+0x83/0xb0
[ 47.015360] ? netlink_unicast+0x620/0x620
[ 47.020530] sock_sendmsg+0xc5/0x100
[ 47.024225] ___sys_sendmsg+0x349/0x840
[ 47.028189] ? copy_msghdr_from_user+0x380/0x380
[ 47.032929] ? lock_downgrade+0x6e0/0x6e0
[ 47.037060] ? save_trace+0x290/0x290
[ 47.040861] ? kstrtouint+0xe6/0x130
[ 47.044578] ? find_held_lock+0x2d/0x110
[ 47.049238] ? get_pid_task+0x91/0x130
[ 47.053108] ? check_preemption_disabled+0x35/0x240
[ 47.058204] ? lock_downgrade+0x6e0/0x6e0
[ 47.062353] ? __fget_light+0x16a/0x1f0
[ 47.066327] ? sockfd_lookup_light+0xb2/0x160
[ 47.071676] __sys_sendmmsg+0x129/0x330
[ 47.075648] ? SyS_sendmsg+0x40/0x40
[ 47.079356] ? save_trace+0x290/0x290
[ 47.083142] ? lock_downgrade+0x6e0/0x6e0
[ 47.087282] ? rcu_lockdep_current_cpu_online+0xed/0x140
[ 47.092832] ? vfs_write+0xff/0x4e0
[ 47.096453] ? SyS_write+0x14d/0x210
[ 47.100234] ? SyS_read+0x210/0x210
[ 47.103846] SyS_sendmmsg+0x2f/0x50
[ 47.107453] ? __sys_sendmmsg+0x330/0x330
[ 47.111587] do_syscall_64+0x1d5/0x640
[ 47.115486] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 47.120743] RIP: 0033:0x443da9
[ 47.123923] RSP: 002b:00007fff4325eea8 EFLAGS: 00000246 ORIG_RAX: 0000000000000133
[ 47.131792] RAX: ffffffffffffffda RBX: 00007fff4325ef20 RCX: 0000000000443da9
[ 47.139052] RDX: 0492492492492642 RSI: 0000000020000180 RDI: 0000000000000009
[ 47.146320] RBP: 0000000000000000 R08: 0000000000000001 R09: 00000000bb1414ac
[ 47.153581] R10: 0000000000000000 R11: 0000000000000246 R12: ffffffffffffffff
[ 47.160846] R13: 000000000000000a R14: 0000000000000000 R15: 0000000000000000
[ 47.174032] ==================================================================
[ 47.181639] BUG: KASAN: use-after-free in qdisc_class_hash_insert+0x25e/0x270
[ 47.188906] Write of size 8 at addr ffff88809ce1f9d0 by task syz-executor746/7503
[ 47.196513]
[ 47.198130] CPU: 1 PID: 7503 Comm: syz-executor746 Not tainted 4.14.174-syzkaller #0
[ 47.206018] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 47.215355] Call Trace:
[ 47.217954] dump_stack+0x13e/0x194
[ 47.221580] ? qdisc_class_hash_insert+0x25e/0x270
[ 47.226553] print_address_description.cold+0x7c/0x1e2
[ 47.231834] ? qdisc_class_hash_insert+0x25e/0x270
[ 47.236750] kasan_report.cold+0xa9/0x2ae
[ 47.240911] qdisc_class_hash_insert+0x25e/0x270
[ 47.245665] qfq_change_class+0x88f/0x1081
[ 47.249957] ? qfq_enqueue+0x1630/0x1630
[ 47.254010] ? nla_parse+0x183/0x240
[ 47.257706] ? qdisc_match_from_root+0x148/0x220
[ 47.262447] ? qfq_enqueue+0x1630/0x1630
[ 47.266488] tc_ctl_tclass+0x3e2/0xa00
[ 47.270361] ? qdisc_tree_reduce_backlog+0x4a0/0x4a0
[ 47.275447] ? rtnetlink_rcv_msg+0x2e8/0xb10
[ 47.279836] ? qdisc_tree_reduce_backlog+0x4a0/0x4a0
[ 47.285022] rtnetlink_rcv_msg+0x3be/0xb10
[ 47.289236] ? rtnl_bridge_getlink+0x7a0/0x7a0
[ 47.293798] ? netdev_pick_tx+0x2e0/0x2e0
[ 47.297940] ? skb_clone+0x11c/0x310
[ 47.301635] ? save_trace+0x290/0x290
[ 47.305505] netlink_rcv_skb+0x127/0x370
[ 47.309572] ? rtnl_bridge_getlink+0x7a0/0x7a0
[ 47.314139] ? netlink_ack+0x980/0x980
[ 47.318027] netlink_unicast+0x437/0x620
[ 47.322080] ? netlink_attachskb+0x600/0x600
[ 47.326484] netlink_sendmsg+0x733/0xbe0
[ 47.330530] ? netlink_unicast+0x620/0x620
[ 47.334762] ? SYSC_sendto+0x2b0/0x2b0
[ 47.338644] ? security_socket_sendmsg+0x83/0xb0
[ 47.343380] ? netlink_unicast+0x620/0x620
[ 47.347596] sock_sendmsg+0xc5/0x100
[ 47.351290] ___sys_sendmsg+0x349/0x840
[ 47.355245] ? copy_msghdr_from_user+0x380/0x380
[ 47.360071] ? trace_hardirqs_on+0x10/0x10
[ 47.364291] ? save_trace+0x290/0x290
[ 47.368091] ? save_trace+0x290/0x290
[ 47.371879] ? find_held_lock+0x2d/0x110
[ 47.375932] ? find_held_lock+0x2d/0x110
[ 47.379977] ? __might_fault+0x104/0x1b0
[ 47.384080] __sys_sendmmsg+0x129/0x330
[ 47.388048] ? SyS_sendmsg+0x40/0x40
[ 47.391749] ? save_trace+0x290/0x290
[ 47.395564] ? lock_downgrade+0x6e0/0x6e0
[ 47.399700] ? rcu_lockdep_current_cpu_online+0xed/0x140
[ 47.405150] ? vfs_write+0xff/0x4e0
[ 47.408766] ? SyS_write+0x14d/0x210
[ 47.412580] ? SyS_read+0x210/0x210
[ 47.416200] SyS_sendmmsg+0x2f/0x50
[ 47.419811] ? __sys_sendmmsg+0x330/0x330
[ 47.424006] do_syscall_64+0x1d5/0x640
[ 47.427932] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 47.433117] RIP: 0033:0x443da9
[ 47.436300] RSP: 002b:00007fff4325eea8 EFLAGS: 00000246 ORIG_RAX: 0000000000000133
[ 47.444000] RAX: ffffffffffffffda RBX: 00007fff4325ef20 RCX: 0000000000443da9
[ 47.451675] RDX: 0492492492492642 RSI: 0000000020000180 RDI: 0000000000000009
[ 47.458930] RBP: 0000000000000000 R08: 0000000000000001 R09: 00000000bb1414ac
[ 47.466184] R10: 0000000000000000 R11: 0000000000000246 R12: ffffffffffffffff
[ 47.473447] R13: 000000000000000a R14: 0000000000000000 R15: 0000000000000000
[ 47.480707]
[ 47.482312] Allocated by task 7503:
[ 47.485925] save_stack+0x32/0xa0
[ 47.489357] kasan_kmalloc+0xbf/0xe0
[ 47.493047] kmem_cache_alloc_trace+0x14d/0x7b0
[ 47.497717] qfq_change_class+0x64e/0x1081
[ 47.502078] tc_ctl_tclass+0x3e2/0xa00
[ 47.506095] rtnetlink_rcv_msg+0x3be/0xb10
[ 47.510422] netlink_rcv_skb+0x127/0x370
[ 47.514466] netlink_unicast+0x437/0x620
[ 47.518559] netlink_sendmsg+0x733/0xbe0
[ 47.522604] sock_sendmsg+0xc5/0x100
[ 47.526298] ___sys_sendmsg+0x349/0x840
[ 47.530252] __sys_sendmmsg+0x129/0x330
[ 47.534206] SyS_sendmmsg+0x2f/0x50
[ 47.537810] do_syscall_64+0x1d5/0x640
[ 47.541689] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 47.546909]
[ 47.548521] Freed by task 7503:
[ 47.551786] save_stack+0x32/0xa0
[ 47.555232] kasan_slab_free+0x75/0xc0
[ 47.559105] kfree+0xcb/0x260
[ 47.562253] qfq_change_class+0xd82/0x1081
[ 47.566477] tc_ctl_tclass+0x3e2/0xa00
[ 47.570393] rtnetlink_rcv_msg+0x3be/0xb10
[ 47.574630] netlink_rcv_skb+0x127/0x370
[ 47.578792] netlink_unicast+0x437/0x620
[ 47.582935] netlink_sendmsg+0x733/0xbe0
[ 47.586992] sock_sendmsg+0xc5/0x100
[ 47.590717] ___sys_sendmsg+0x349/0x840
[ 47.594673] __sys_sendmmsg+0x129/0x330
[ 47.598624] SyS_sendmmsg+0x2f/0x50
[ 47.602232] do_syscall_64+0x1d5/0x640
[ 47.606095] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 47.611259]
[ 47.612864] The buggy address belongs to the object at ffff88809ce1f9c0
[ 47.612864] which belongs to the cache kmalloc-128 of size 128
[ 47.625522] The buggy address is located 16 bytes inside of
[ 47.625522] 128-byte region [ffff88809ce1f9c0, ffff88809ce1fa40)
[ 47.637376] The buggy address belongs to the page:
[ 47.642297] page:ffffea00027387c0 count:1 mapcount:0 mapping:ffff88809ce1f000 index:0x0
[ 47.650419] flags: 0xfffe0000000100(slab)
[ 47.654573] raw: 00fffe0000000100 ffff88809ce1f000 0000000000000000 0000000100000015
[ 47.662432] raw: ffffea000272b3e0 ffffea000294bb20 ffff88812fe56640 0000000000000000
[ 47.670296] page dumped because: kasan: bad access detected
[ 47.675993]
[ 47.677603] Memory state around the buggy address:
[ 47.682508] ffff88809ce1f880: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 47.689946] ffff88809ce1f900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 47.697285] >ffff88809ce1f980: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 47.704619] ^
[ 47.710565] ffff88809ce1fa00: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 47.717901] ffff88809ce1fa80: 00 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc
[ 47.725252] ==================================================================
[ 47.732602] Disabling lock debugging due to kernel taint
[ 47.738091] Kernel panic - not syncing: panic_on_warn set ...
[ 47.738091]
[ 47.745447] CPU: 1 PID: 7503 Comm: syz-executor746 Tainted: G B 4.14.174-syzkaller #0
[ 47.754528] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 47.763863] Call Trace:
[ 47.766452] dump_stack+0x13e/0x194
[ 47.770062] panic+0x1f9/0x42d
[ 47.773246] ? add_taint.cold+0x16/0x16
[ 47.777205] ? qdisc_class_hash_insert+0x25e/0x270
[ 47.782116] kasan_end_report+0x43/0x49
[ 47.786082] kasan_report.cold+0x12f/0x2ae
[ 47.790298] qdisc_class_hash_insert+0x25e/0x270
[ 47.795072] qfq_change_class+0x88f/0x1081
[ 47.799317] ? qfq_enqueue+0x1630/0x1630
[ 47.803457] ? nla_parse+0x183/0x240
[ 47.807292] ? qdisc_match_from_root+0x148/0x220
[ 47.812054] ? qfq_enqueue+0x1630/0x1630
[ 47.816100] tc_ctl_tclass+0x3e2/0xa00
[ 47.819980] ? qdisc_tree_reduce_backlog+0x4a0/0x4a0
[ 47.825071] ? rtnetlink_rcv_msg+0x2e8/0xb10
[ 47.829465] ? qdisc_tree_reduce_backlog+0x4a0/0x4a0
[ 47.834548] rtnetlink_rcv_msg+0x3be/0xb10
[ 47.838768] ? rtnl_bridge_getlink+0x7a0/0x7a0
[ 47.843332] ? netdev_pick_tx+0x2e0/0x2e0
[ 47.847461] ? skb_clone+0x11c/0x310
[ 47.851156] ? save_trace+0x290/0x290
[ 47.855037] netlink_rcv_skb+0x127/0x370
[ 47.859079] ? rtnl_bridge_getlink+0x7a0/0x7a0
[ 47.863670] ? netlink_ack+0x980/0x980
[ 47.867554] netlink_unicast+0x437/0x620
[ 47.871615] ? netlink_attachskb+0x600/0x600
[ 47.876013] netlink_sendmsg+0x733/0xbe0
[ 47.880260] ? netlink_unicast+0x620/0x620
[ 47.884489] ? SYSC_sendto+0x2b0/0x2b0
[ 47.888377] ? security_socket_sendmsg+0x83/0xb0
[ 47.893181] ? netlink_unicast+0x620/0x620
[ 47.897406] sock_sendmsg+0xc5/0x100
[ 47.901126] ___sys_sendmsg+0x349/0x840
[ 47.905084] ? copy_msghdr_from_user+0x380/0x380
[ 47.909863] ? trace_hardirqs_on+0x10/0x10
[ 47.915052] ? save_trace+0x290/0x290
[ 47.918841] ? save_trace+0x290/0x290
[ 47.922645] ? find_held_lock+0x2d/0x110
[ 47.926701] ? find_held_lock+0x2d/0x110
[ 47.930752] ? __might_fault+0x104/0x1b0
[ 47.934801] __sys_sendmmsg+0x129/0x330
[ 47.938781] ? SyS_sendmsg+0x40/0x40
[ 47.942653] ? save_trace+0x290/0x290
[ 47.946541] ? lock_downgrade+0x6e0/0x6e0
[ 47.950677] ? rcu_lockdep_current_cpu_online+0xed/0x140
[ 47.956111] ? vfs_write+0xff/0x4e0
[ 47.959730] ? SyS_write+0x14d/0x210
[ 47.963461] ? SyS_read+0x210/0x210
[ 47.967082] SyS_sendmmsg+0x2f/0x50
[ 47.970690] ? __sys_sendmmsg+0x330/0x330
[ 47.974820] do_syscall_64+0x1d5/0x640
[ 47.978690] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 47.983866] RIP: 0033:0x443da9
[ 47.987047] RSP: 002b:00007fff4325eea8 EFLAGS: 00000246 ORIG_RAX: 0000000000000133
[ 47.994735] RAX: ffffffffffffffda RBX: 00007fff4325ef20 RCX: 0000000000443da9
[ 48.001986] RDX: 0492492492492642 RSI: 0000000020000180 RDI: 0000000000000009
[ 48.009248] RBP: 0000000000000000 R08: 0000000000000001 R09: 00000000bb1414ac
[ 48.016497] R10: 0000000000000000 R11: 0000000000000246 R12: ffffffffffffffff
[ 48.023802] R13: 000000000000000a R14: 0000000000000000 R15: 0000000000000000
[ 48.032429] Kernel Offset: disabled
[ 48.036054] Rebooting in 86400 seconds..