[....] Starting enhanced syslogd: rsyslogd[?25l[?1c7[ ok 8[?25h[?0c. [ 36.116359] audit: type=1800 audit(1538922099.730:25): pid=5656 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="cron" dev="sda1" ino=2414 res=0 [ 36.152673] audit: type=1800 audit(1538922099.730:26): pid=5656 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0 [ 36.180024] audit: type=1800 audit(1538922099.740:27): pid=5656 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0 [....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[ ok 8[?25h[?0c. Debian GNU/Linux 7 syzkaller ttyS0 Warning: Permanently added '10.128.10.40' (ECDSA) to the list of known hosts. executing program syzkaller login: [ 65.850804] FAULT_INJECTION: forcing a failure. [ 65.850804] name failslab, interval 1, probability 0, space 0, times 1 [ 65.862174] CPU: 0 PID: 5808 Comm: syz-executor549 Not tainted 4.19.0-rc6+ #132 [ 65.869612] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 65.878949] Call Trace: [ 65.881538] dump_stack+0x1c4/0x2b4 [ 65.885156] ? dump_stack_print_info.cold.2+0x52/0x52 [ 65.890405] should_fail.cold.4+0xa/0x17 [ 65.894462] ? fault_create_debugfs_attr+0x1f0/0x1f0 [ 65.899550] ? mm_fault_error+0x380/0x380 [ 65.903690] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 65.909263] ? tcp_leave_memory_pressure+0x2a/0x110 [ 65.914284] ? vmalloc_sync_all+0x30/0x30 [ 65.918420] ? retint_kernel+0x2d/0x2d [ 65.922295] ? trace_hardirqs_on_caller+0xc0/0x310 [ 65.927211] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 65.932039] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 65.936786] ? trace_hardirqs_off+0x310/0x310 [ 65.941272] ? alloc_pages_current+0x114/0x210 [ 65.945844] ? fs_reclaim_acquire+0x20/0x20 [ 65.950155] ? lock_downgrade+0x900/0x900 [ 65.954288] ? __might_fault+0x12b/0x1e0 [ 65.958334] ? ___might_sleep+0x1ed/0x300 [ 65.962478] ? arch_local_save_flags+0x40/0x40 [ 65.967053] ? arch_local_save_flags+0x40/0x40 [ 65.971636] __should_failslab+0x124/0x180 [ 65.975866] should_failslab+0x9/0x14 [ 65.979659] __kmalloc+0x2d4/0x760 [ 65.983190] ? __sanitizer_cov_trace_cmp8+0x18/0x20 [ 65.988191] ? _copy_from_iter+0x39d/0x1090 [ 65.992563] ? tls_push_record+0x107/0x1480 [ 65.996880] ? usercopy_warn+0x110/0x110 [ 66.000930] tls_push_record+0x107/0x1480 [ 66.005067] ? _copy_from_iter_nocache+0x1050/0x1050 [ 66.010162] tls_sw_sendmsg+0xe4b/0x1310 [ 66.014214] ? decrypt_skb_update+0x6a0/0x6a0 [ 66.018690] ? aa_sk_perm+0x218/0x8b0 [ 66.022473] ? aa_af_perm+0x5a0/0x5a0 [ 66.026259] ? usercopy_warn+0x110/0x110 [ 66.030315] inet_sendmsg+0x1a1/0x690 [ 66.034107] ? ipip_gro_receive+0x100/0x100 [ 66.038415] ? apparmor_socket_sendmsg+0x29/0x30 [ 66.043207] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 66.048803] ? security_socket_sendmsg+0x94/0xc0 [ 66.053553] ? ipip_gro_receive+0x100/0x100 [ 66.057861] sock_sendmsg+0xd5/0x120 [ 66.061564] __sys_sendto+0x3d7/0x670 [ 66.065368] ? __ia32_sys_getpeername+0xb0/0xb0 [ 66.070030] ? lock_downgrade+0x900/0x900 [ 66.074167] ? lock_release+0x970/0x970 [ 66.078177] ? check_preemption_disabled+0x48/0x200 [ 66.083187] ? fsnotify_first_mark+0x350/0x350 [ 66.087756] ? __fsnotify_parent+0xcc/0x420 [ 66.092071] ? fsnotify+0x12f0/0x12f0 [ 66.095861] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 66.101391] ? __sb_end_write+0xd9/0x110 [ 66.105446] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 66.110970] ? ksys_write+0x1ae/0x260 [ 66.114757] ? trace_hardirqs_on+0xbd/0x310 [ 66.119056] ? __ia32_sys_read+0xb0/0xb0 [ 66.123105] ? entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 66.128454] ? __bpf_trace_preemptirq_template+0x30/0x30 [ 66.133891] __x64_sys_sendto+0xe1/0x1a0 [ 66.138092] do_syscall_64+0x1b9/0x820 [ 66.142204] ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe [ 66.147608] ? syscall_return_slowpath+0x5e0/0x5e0 [ 66.152521] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 66.157345] ? trace_hardirqs_on_caller+0x310/0x310 [ 66.162342] ? prepare_exit_to_usermode+0x3b0/0x3b0 [ 66.167346] ? prepare_exit_to_usermode+0x291/0x3b0 [ 66.172348] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 66.177175] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 66.182347] RIP: 0033:0x4406d9 [ 66.185534] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 5b 14 fc ff c3 66 2e 0f 1f 84 00 00 00 00 [ 66.204462] RSP: 002b:00007ffdf407a728 EFLAGS: 00000212 ORIG_RAX: 000000000000002c [ 66.212159] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00000000004406d9 [ 66.219416] RDX: 00000000fffffdef RSI: 00000000200005c0 RDI: 0000000000000003 [ 66.226670] RBP: 00000000006cb018 R08: 0000000020000000 R09: 000000000000001c [ 66.233930] R10: 0000000000000040 R11: 0000000000000212 R12: 0000000000000004 [ 66.241190] R13: ffffffffffffffff R14: 0000000000000000 R15: 0000000000000000 [ 66.250184] ================================================================== [ 66.257551] BUG: KASAN: use-after-free in tls_push_record+0x10b9/0x1480 [ 66.264300] Write of size 1 at addr ffff8801bbd98000 by task syz-executor549/5808 [ 66.271908] [ 66.273532] CPU: 0 PID: 5808 Comm: syz-executor549 Not tainted 4.19.0-rc6+ #132 [ 66.280962] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 66.290305] Call Trace: [ 66.292896] dump_stack+0x1c4/0x2b4 [ 66.296514] ? dump_stack_print_info.cold.2+0x52/0x52 [ 66.301688] ? printk+0xa7/0xcf [ 66.304951] ? kmsg_dump_rewind_nolock+0xe4/0xe4 [ 66.309700] print_address_description.cold.8+0x9/0x1ff [ 66.315049] kasan_report.cold.9+0x242/0x309 [ 66.319448] ? tls_push_record+0x10b9/0x1480 [ 66.323849] __asan_report_store1_noabort+0x17/0x20 [ 66.328855] tls_push_record+0x10b9/0x1480 [ 66.333079] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 66.338609] ? lock_sock_nested+0x9a/0x120 [ 66.342831] tls_sw_push_pending_record+0x22/0x30 [ 66.347662] tls_sk_proto_close+0x69c/0xbb0 [ 66.351971] ? lock_acquire+0x1ed/0x520 [ 66.355985] ? tcp_check_oom+0x530/0x530 [ 66.360034] ? tls_write_space+0x390/0x390 [ 66.364250] ? arch_local_save_flags+0x40/0x40 [ 66.368819] ? __bpf_trace_preemptirq_template+0x30/0x30 [ 66.374564] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 66.380094] ? ipv6_sock_ac_close+0x34f/0x470 [ 66.384575] ? ipv6_sock_mc_close+0x162/0x1d0 [ 66.389056] ? ip_mc_drop_socket+0x20b/0x270 [ 66.393449] ? down_write+0x8a/0x130 [ 66.397149] inet_release+0x104/0x1f0 [ 66.400933] inet6_release+0x50/0x70 [ 66.404636] __sock_release+0xd7/0x250 [ 66.408510] ? __sock_release+0x250/0x250 [ 66.412642] sock_close+0x19/0x20 [ 66.416078] __fput+0x385/0xa30 [ 66.419346] ? get_max_files+0x20/0x20 [ 66.423221] ? trace_hardirqs_on+0xbd/0x310 [ 66.427528] ? kasan_check_read+0x11/0x20 [ 66.431665] ? ___might_sleep+0x1ed/0x300 [ 66.435800] ? __bpf_trace_preemptirq_template+0x30/0x30 [ 66.441238] ? arch_local_save_flags+0x40/0x40 [ 66.445809] ? kasan_check_write+0x14/0x20 [ 66.450032] ? do_raw_spin_lock+0xc1/0x200 [ 66.454253] ____fput+0x15/0x20 [ 66.457525] task_work_run+0x1e8/0x2a0 [ 66.461403] ? task_work_cancel+0x240/0x240 [ 66.465797] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 66.471334] ? switch_task_namespaces+0x9d/0xd0 [ 66.475990] do_exit+0x1ad7/0x2610 [ 66.479520] ? mm_update_next_owner+0x990/0x990 [ 66.484191] ? release_sock+0x1ec/0x2c0 [ 66.488156] ? __release_sock+0x3a0/0x3a0 [ 66.492309] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 66.497842] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 66.503483] ? tls_sw_sendmsg+0xcfd/0x1310 [ 66.507719] ? decrypt_skb_update+0x6a0/0x6a0 [ 66.512203] ? aa_sk_perm+0x218/0x8b0 [ 66.515999] ? aa_af_perm+0x5a0/0x5a0 [ 66.519785] ? usercopy_warn+0x110/0x110 [ 66.523833] ? inet_sendmsg+0x1a8/0x690 [ 66.527798] ? ipip_gro_receive+0x100/0x100 [ 66.532155] ? apparmor_socket_sendmsg+0x29/0x30 [ 66.536908] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 66.542444] ? security_socket_sendmsg+0x94/0xc0 [ 66.547187] ? ipip_gro_receive+0x100/0x100 [ 66.551509] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 66.557090] ? sock_sendmsg+0x5a/0x120 [ 66.561017] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 66.566652] ? __sys_sendto+0x475/0x670 [ 66.570616] ? __ia32_sys_getpeername+0xb0/0xb0 [ 66.575325] ? lock_downgrade+0x900/0x900 [ 66.579464] ? lock_release+0x970/0x970 [ 66.583430] ? check_preemption_disabled+0x48/0x200 [ 66.588441] ? fsnotify_first_mark+0x350/0x350 [ 66.593009] ? __fsnotify_parent+0xcc/0x420 [ 66.597314] ? fsnotify+0x12f0/0x12f0 [ 66.601107] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 66.606632] ? __sb_end_write+0xd9/0x110 [ 66.610786] do_group_exit+0x177/0x440 [ 66.614663] ? trace_hardirqs_on+0xbd/0x310 [ 66.618973] ? __ia32_sys_exit+0x50/0x50 [ 66.623029] ? __bpf_trace_preemptirq_template+0x30/0x30 [ 66.628518] __x64_sys_exit_group+0x3e/0x50 [ 66.632831] do_syscall_64+0x1b9/0x820 [ 66.636707] ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe [ 66.642061] ? syscall_return_slowpath+0x5e0/0x5e0 [ 66.646979] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 66.651816] ? trace_hardirqs_on_caller+0x310/0x310 [ 66.656822] ? prepare_exit_to_usermode+0x3b0/0x3b0 [ 66.661841] ? prepare_exit_to_usermode+0x291/0x3b0 [ 66.666849] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 66.671730] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 66.676906] RIP: 0033:0x43f398 [ 66.680089] Code: Bad RIP value. [ 66.683441] RSP: 002b:00007ffdf407a748 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7 [ 66.691184] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043f398 [ 66.698446] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000 [ 66.705919] RBP: 00000000004bf108 R08: 00000000000000e7 R09: ffffffffffffffd0 [ 66.713176] R10: 0000000000000040 R11: 0000000000000246 R12: 0000000000000001 [ 66.720433] R13: 00000000006d1180 R14: 0000000000000000 R15: 0000000000000000 [ 66.727696] [ 66.729303] The buggy address belongs to the page: [ 66.734219] page:ffffea0006ef6600 count:0 mapcount:-128 mapping:0000000000000000 index:0x0 [ 66.742604] flags: 0x2fffc0000000000() [ 66.746478] raw: 02fffc0000000000 ffffea0006ff6608 ffff88021fffaef8 0000000000000000 [ 66.754402] raw: 0000000000000000 0000000000000003 00000000ffffff7f 0000000000000000 [ 66.762331] page dumped because: kasan: bad access detected [ 66.768063] [ 66.769679] Memory state around the buggy address: [ 66.774589] ffff8801bbd97f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 66.782028] ffff8801bbd97f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 66.789372] >ffff8801bbd98000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 66.796756] ^ [ 66.800107] ffff8801bbd98080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 66.807447] ffff8801bbd98100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff [ 66.814835] ================================================================== [ 66.822633] Kernel panic - not syncing: panic_on_warn set ... [ 66.822633] [ 66.829996] CPU: 0 PID: 5808 Comm: syz-executor549 Tainted: G B 4.19.0-rc6+ #132 [ 66.838991] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 66.848388] Call Trace: [ 66.850970] dump_stack+0x1c4/0x2b4 [ 66.854584] ? dump_stack_print_info.cold.2+0x52/0x52 [ 66.859768] panic+0x238/0x4e7 [ 66.862991] ? add_taint.cold.5+0x16/0x16 [ 66.867136] ? preempt_schedule+0x4d/0x60 [ 66.871275] ? ___preempt_schedule+0x16/0x18 [ 66.875707] ? trace_hardirqs_on+0xb4/0x310 [ 66.880024] kasan_end_report+0x47/0x4f [ 66.883976] kasan_report.cold.9+0x76/0x309 [ 66.888385] ? tls_push_record+0x10b9/0x1480 [ 66.892791] __asan_report_store1_noabort+0x17/0x20 [ 66.897801] tls_push_record+0x10b9/0x1480 [ 66.902128] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 66.907657] ? lock_sock_nested+0x9a/0x120 [ 66.911984] tls_sw_push_pending_record+0x22/0x30 [ 66.916813] tls_sk_proto_close+0x69c/0xbb0 [ 66.921119] ? lock_acquire+0x1ed/0x520 [ 66.925080] ? tcp_check_oom+0x530/0x530 [ 66.929135] ? tls_write_space+0x390/0x390 [ 66.933456] ? arch_local_save_flags+0x40/0x40 [ 66.938029] ? __bpf_trace_preemptirq_template+0x30/0x30 [ 66.943466] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 66.949087] ? ipv6_sock_ac_close+0x34f/0x470 [ 66.953566] ? ipv6_sock_mc_close+0x162/0x1d0 [ 66.958041] ? ip_mc_drop_socket+0x20b/0x270 [ 66.962431] ? down_write+0x8a/0x130 [ 66.966134] inet_release+0x104/0x1f0 [ 66.969919] inet6_release+0x50/0x70 [ 66.973615] __sock_release+0xd7/0x250 [ 66.977483] ? __sock_release+0x250/0x250 [ 66.981618] sock_close+0x19/0x20 [ 66.985058] __fput+0x385/0xa30 [ 66.988320] ? get_max_files+0x20/0x20 [ 66.992193] ? trace_hardirqs_on+0xbd/0x310 [ 66.996501] ? kasan_check_read+0x11/0x20 [ 67.000718] ? ___might_sleep+0x1ed/0x300 [ 67.004911] ? __bpf_trace_preemptirq_template+0x30/0x30 [ 67.010372] ? arch_local_save_flags+0x40/0x40 [ 67.014945] ? kasan_check_write+0x14/0x20 [ 67.019162] ? do_raw_spin_lock+0xc1/0x200 [ 67.023449] ____fput+0x15/0x20 [ 67.026723] task_work_run+0x1e8/0x2a0 [ 67.030598] ? task_work_cancel+0x240/0x240 [ 67.034910] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 67.040434] ? switch_task_namespaces+0x9d/0xd0 [ 67.045092] do_exit+0x1ad7/0x2610 [ 67.048635] ? mm_update_next_owner+0x990/0x990 [ 67.053295] ? release_sock+0x1ec/0x2c0 [ 67.057260] ? __release_sock+0x3a0/0x3a0 [ 67.061414] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 67.066937] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 67.072458] ? tls_sw_sendmsg+0xcfd/0x1310 [ 67.076690] ? decrypt_skb_update+0x6a0/0x6a0 [ 67.081169] ? aa_sk_perm+0x218/0x8b0 [ 67.084957] ? aa_af_perm+0x5a0/0x5a0 [ 67.088741] ? usercopy_warn+0x110/0x110 [ 67.092786] ? inet_sendmsg+0x1a8/0x690 [ 67.096745] ? ipip_gro_receive+0x100/0x100 [ 67.101190] ? apparmor_socket_sendmsg+0x29/0x30 [ 67.105953] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 67.111616] ? security_socket_sendmsg+0x94/0xc0 [ 67.116378] ? ipip_gro_receive+0x100/0x100 [ 67.120691] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 67.126214] ? sock_sendmsg+0x5a/0x120 [ 67.130113] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 67.135746] ? __sys_sendto+0x475/0x670 [ 67.139711] ? __ia32_sys_getpeername+0xb0/0xb0 [ 67.144363] ? lock_downgrade+0x900/0x900 [ 67.148500] ? lock_release+0x970/0x970 [ 67.152461] ? check_preemption_disabled+0x48/0x200 [ 67.157465] ? fsnotify_first_mark+0x350/0x350 [ 67.162135] ? __fsnotify_parent+0xcc/0x420 [ 67.166444] ? fsnotify+0x12f0/0x12f0 [ 67.170234] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 67.175772] ? __sb_end_write+0xd9/0x110 [ 67.179832] do_group_exit+0x177/0x440 [ 67.183706] ? trace_hardirqs_on+0xbd/0x310 [ 67.188009] ? __ia32_sys_exit+0x50/0x50 [ 67.192063] ? __bpf_trace_preemptirq_template+0x30/0x30 [ 67.197510] __x64_sys_exit_group+0x3e/0x50 [ 67.201826] do_syscall_64+0x1b9/0x820 [ 67.205815] ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe [ 67.211185] ? syscall_return_slowpath+0x5e0/0x5e0 [ 67.216212] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 67.221057] ? trace_hardirqs_on_caller+0x310/0x310 [ 67.226168] ? prepare_exit_to_usermode+0x3b0/0x3b0 [ 67.231186] ? prepare_exit_to_usermode+0x291/0x3b0 [ 67.236299] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 67.241143] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 67.246390] RIP: 0033:0x43f398 [ 67.249584] Code: Bad RIP value. [ 67.252935] RSP: 002b:00007ffdf407a748 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7 [ 67.260744] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043f398 [ 67.268070] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000 [ 67.275345] RBP: 00000000004bf108 R08: 00000000000000e7 R09: ffffffffffffffd0 [ 67.282622] R10: 0000000000000040 R11: 0000000000000246 R12: 0000000000000001 [ 67.289918] R13: 00000000006d1180 R14: 0000000000000000 R15: 0000000000000000 [ 67.298187] Kernel Offset: disabled [ 67.301880] Rebooting in 86400 seconds..