[ ok ] Starting enhanced syslogd: rsyslogd.
[ 77.388821][ T27] audit: type=1800 audit(1578409265.694:25): pid=9422 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="cron" dev="sda1" ino=2414 res=0
[ 77.427983][ T27] audit: type=1800 audit(1578409265.694:26): pid=9422 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0
[ 77.470259][ T27] audit: type=1800 audit(1578409265.694:27): pid=9422 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.174' (ECDSA) to the list of known hosts.

syzkaller login: [ 88.302615][ T9576] IPVS: ftp: loaded support on port[0] = 21
[ 88.360913][ T9576] chnl_net:caif_netlink_parms(): no params data found
[ 88.392275][ T9576] bridge0: port 1(bridge_slave_0) entered blocking state
[ 88.400547][ T9576] bridge0: port 1(bridge_slave_0) entered disabled state
[ 88.408864][ T9576] device bridge_slave_0 entered promiscuous mode
[ 88.417020][ T9576] bridge0: port 2(bridge_slave_1) entered blocking state
[ 88.424216][ T9576] bridge0: port 2(bridge_slave_1) entered disabled state
[ 88.432291][ T9576] device bridge_slave_1 entered promiscuous mode
[ 88.449479][ T9576] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 88.460473][ T9576] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 88.481074][ T9576] team0: Port device team_slave_0 added
[ 88.488514][ T9576] team0: Port device team_slave_1 added
[ 88.569773][ T9576] device hsr_slave_0 entered promiscuous mode
[ 88.658315][ T9576] device hsr_slave_1 entered promiscuous mode
[ 88.780597][ T9576] netdevsim netdevsim0 netdevsim0: renamed from eth0
[ 88.860527][ T9576] netdevsim netdevsim0 netdevsim1: renamed from eth1
[ 88.929817][ T9576] netdevsim netdevsim0 netdevsim2: renamed from eth2
[ 89.001084][ T9576] netdevsim netdevsim0 netdevsim3: renamed from eth3
[ 89.069684][ T9576] bridge0: port 2(bridge_slave_1) entered blocking state
[ 89.076844][ T9576] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 89.084760][ T9576] bridge0: port 1(bridge_slave_0) entered blocking state
[ 89.091977][ T9576] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 89.134680][ T9576] 8021q: adding VLAN 0 to HW filter on device bond0
[ 89.150300][ T2728] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 89.160335][ T2728] bridge0: port 1(bridge_slave_0) entered disabled state
[ 89.169336][ T2728] bridge0: port 2(bridge_slave_1) entered disabled state
[ 89.177213][ T2728] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 89.190828][ T9576] 8021q: adding VLAN 0 to HW filter on device team0
[ 89.201840][ T2826] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 89.210667][ T2826] bridge0: port 1(bridge_slave_0) entered blocking state
[ 89.218631][ T2826] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 89.238139][ T2728] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 89.246757][ T2728] bridge0: port 2(bridge_slave_1) entered blocking state
[ 89.254854][ T2728] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 89.264398][ T2728] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 89.275791][ T2728] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 89.284853][ T2728] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 89.297434][ T2826] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 89.310766][ T9576] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
[ 89.323618][ T9576] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 89.332328][ T2826] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 89.353526][ T9576] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 89.364162][ T2714] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 89.371717][ T2714] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 89.389722][ T2826] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_virt_wifi: link becomes ready
[ 89.399196][ T2826] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 89.416798][ T9576] device veth0_vlan entered promiscuous mode
[ 89.423874][ T2766] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_vlan: link becomes ready
[ 89.432572][ T2766] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 89.442723][ T2766] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
executing program
[ 89.451781][ T2766] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 89.463525][ T9576] device veth1_vlan entered promiscuous mode
[ 89.518028][ T9576] ==================================================================
[ 89.527185][ T9576] BUG: KASAN: use-after-free in macvlan_broadcast+0x547/0x620
[ 89.534623][ T9576] Read of size 4 at addr ffff88809e024801 by task syz-executor117/9576
[ 89.542836][ T9576]
[ 89.545153][ T9576] CPU: 1 PID: 9576 Comm: syz-executor117 Not tainted 5.5.0-rc5-syzkaller #0
[ 89.553820][ T9576] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 89.563854][ T9576] Call Trace:
[ 89.567158][ T9576]  dump_stack+0x197/0x210
[ 89.571483][ T9576]  ? macvlan_broadcast+0x547/0x620
[ 89.576587][ T9576]  print_address_description.constprop.0.cold+0xd4/0x30b
[ 89.583730][ T9576]  ? macvlan_broadcast+0x547/0x620
[ 89.588913][ T9576]  ? macvlan_broadcast+0x547/0x620
[ 89.594005][ T9576]  __kasan_report.cold+0x1b/0x41
[ 89.598925][ T9576]  ? validate_xmit_xfrm+0x3d0/0xf10
[ 89.604106][ T9576]  ? macvlan_broadcast+0x547/0x620
[ 89.609216][ T9576]  kasan_report+0x12/0x20
[ 89.613528][ T9576]  __asan_report_load_n_noabort+0xf/0x20
[ 89.619139][ T9576]  macvlan_broadcast+0x547/0x620
[ 89.624063][ T9576]  ? validate_xmit_skb+0x81f/0xe50
[ 89.629172][ T9576]  macvlan_start_xmit+0x402/0x77f
[ 89.634178][ T9576]  dev_direct_xmit+0x419/0x630
[ 89.638920][ T9576]  ? __check_heap_object+0x51/0xb3
[ 89.644006][ T9576]  ? validate_xmit_skb_list+0x150/0x150
[ 89.649532][ T9576]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 89.655750][ T9576]  ? netdev_pick_tx+0x14e/0xb00
[ 89.660584][ T9576]  packet_direct_xmit+0x1a9/0x250
[ 89.665585][ T9576]  packet_sendmsg+0x260d/0x6220
[ 89.670434][ T9576]  ? ___might_sleep+0x163/0x2c0
[ 89.675273][ T9576]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 89.681507][ T9576]  ? aa_label_sk_perm+0x91/0xf0
[ 89.686353][ T9576]  ? packet_notifier+0x880/0x880
[ 89.691283][ T9576]  ? aa_sock_msg_perm.isra.0+0xba/0x170
[ 89.696844][ T9576]  ? apparmor_socket_sendmsg+0x2a/0x30
[ 89.702284][ T9576]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 89.708516][ T9576]  ? security_socket_sendmsg+0x8d/0xc0
[ 89.713982][ T9576]  ? packet_notifier+0x880/0x880
[ 89.718938][ T9576]  sock_sendmsg+0xd7/0x130
[ 89.723376][ T9576]  __sys_sendto+0x262/0x380
[ 89.727899][ T9576]  ? __ia32_sys_getpeername+0xb0/0xb0
[ 89.733260][ T9576]  ? __ia32_sys_socketpair+0xf0/0xf0
[ 89.738545][ T9576]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 89.744001][ T9576]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 89.749447][ T9576]  ? do_syscall_64+0x26/0x790
[ 89.754104][ T9576]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 89.760148][ T9576]  __x64_sys_sendto+0xe1/0x1a0
[ 89.764894][ T9576]  do_syscall_64+0xfa/0x790
[ 89.769380][ T9576]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 89.775352][ T9576] RIP: 0033:0x442399
[ 89.779225][ T9576] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b 10 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 89.798826][ T9576] RSP: 002b:00007fff86990268 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
[ 89.807225][ T9576] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000442399
[ 89.815182][ T9576] RDX: 000000000000000e RSI: 0000000020000080 RDI: 0000000000000003
[ 89.823141][ T9576] RBP: 00007fff86990290 R08: 0000000000000000 R09: 0000000000000000
[ 89.831105][ T9576] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[ 89.839106][ T9576] R13: 0000000000403930 R14: 0000000000000000 R15: 0000000000000000
[ 89.847066][ T9576]
[ 89.849377][ T9576] Allocated by task 9561:
[ 89.853701][ T9576]  save_stack+0x23/0x90
[ 89.857846][ T9576]  __kasan_kmalloc.constprop.0+0xcf/0xe0
[ 89.863460][ T9576]  kasan_kmalloc+0x9/0x10
[ 89.869591][ T9576]  __kmalloc+0x163/0x770
[ 89.873816][ T9576]  tomoyo_realpath_from_path+0xc5/0x660
[ 89.879338][ T9576]  tomoyo_path_perm+0x230/0x430
[ 89.884168][ T9576]  tomoyo_inode_getattr+0x1d/0x30
[ 89.889180][ T9576]  security_inode_getattr+0xf2/0x150
[ 89.894469][ T9576]  vfs_getattr+0x25/0x70
[ 89.898697][ T9576]  vfs_statx_fd+0x71/0xc0
[ 89.903008][ T9576]  __do_sys_newfstat+0x9b/0x120
[ 89.907854][ T9576]  __x64_sys_newfstat+0x54/0x80
[ 89.912871][ T9576]  do_syscall_64+0xfa/0x790
[ 89.917454][ T9576]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 89.923321][ T9576]
[ 89.925641][ T9576] Freed by task 9561:
[ 89.929604][ T9576]  save_stack+0x23/0x90
[ 89.933745][ T9576]  __kasan_slab_free+0x102/0x150
[ 89.938669][ T9576]  kasan_slab_free+0xe/0x10
[ 89.943158][ T9576]  kfree+0x10a/0x2c0
[ 89.947049][ T9576]  tomoyo_realpath_from_path+0x1a7/0x660
[ 89.952656][ T9576]  tomoyo_path_perm+0x230/0x430
[ 89.957485][ T9576]  tomoyo_inode_getattr+0x1d/0x30
[ 89.962576][ T9576]  security_inode_getattr+0xf2/0x150
[ 89.967846][ T9576]  vfs_getattr+0x25/0x70
[ 89.972061][ T9576]  vfs_statx_fd+0x71/0xc0
[ 89.976377][ T9576]  __do_sys_newfstat+0x9b/0x120
[ 89.981203][ T9576]  __x64_sys_newfstat+0x54/0x80
[ 89.986029][ T9576]  do_syscall_64+0xfa/0x790
[ 89.990518][ T9576]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 89.996380][ T9576]
[ 89.998698][ T9576] The buggy address belongs to the object at ffff88809e024000
[ 89.998698][ T9576]  which belongs to the cache kmalloc-4k of size 4096
[ 90.012735][ T9576] The buggy address is located 2049 bytes inside of
[ 90.012735][ T9576]  4096-byte region [ffff88809e024000, ffff88809e025000)
[ 90.026149][ T9576] The buggy address belongs to the page:
[ 90.031772][ T9576] page:ffffea0002780900 refcount:1 mapcount:0 mapping:ffff8880aa402000 index:0x0 compound_mapcount: 0
[ 90.042865][ T9576] raw: 00fffe0000010200 ffffea000248a788 ffffea0002385108 ffff8880aa402000
[ 90.051427][ T9576] raw: 0000000000000000 ffff88809e024000 0000000100000001 0000000000000000
[ 90.060086][ T9576] page dumped because: kasan: bad access detected
[ 90.066493][ T9576]
[ 90.068808][ T9576] Memory state around the buggy address:
[ 90.074427][ T9576]  ffff88809e024700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 90.082474][ T9576]  ffff88809e024780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 90.090516][ T9576] >ffff88809e024800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 90.098560][ T9576]                       ^
[ 90.102607][ T9576]  ffff88809e024880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 90.110656][ T9576]  ffff88809e024900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 90.118700][ T9576] ==================================================================
[ 90.126750][ T9576] Disabling lock debugging due to kernel taint
[ 90.132985][ T9576] Kernel panic - not syncing: panic_on_warn set ...
[ 90.139581][ T9576] CPU: 1 PID: 9576 Comm: syz-executor117 Tainted: G B 5.5.0-rc5-syzkaller #0
[ 90.149632][ T9576] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 90.159780][ T9576] Call Trace:
[ 90.163110][ T9576]  dump_stack+0x197/0x210
[ 90.167420][ T9576]  panic+0x2e3/0x75c
[ 90.171329][ T9576]  ? add_taint.cold+0x16/0x16
[ 90.176028][ T9576]  ? trace_hardirqs_on+0x5e/0x240
[ 90.181028][ T9576]  ? trace_hardirqs_on+0x5e/0x240
[ 90.186042][ T9576]  ? macvlan_broadcast+0x547/0x620
[ 90.191133][ T9576]  end_report+0x47/0x4f
[ 90.195266][ T9576]  ? macvlan_broadcast+0x547/0x620
[ 90.200352][ T9576]  __kasan_report.cold+0xe/0x41
[ 90.205200][ T9576]  ? validate_xmit_xfrm+0x3d0/0xf10
[ 90.210373][ T9576]  ? macvlan_broadcast+0x547/0x620
[ 90.215462][ T9576]  kasan_report+0x12/0x20
[ 90.219853][ T9576]  __asan_report_load_n_noabort+0xf/0x20
[ 90.225469][ T9576]  macvlan_broadcast+0x547/0x620
[ 90.230382][ T9576]  ? validate_xmit_skb+0x81f/0xe50
[ 90.235469][ T9576]  macvlan_start_xmit+0x402/0x77f
[ 90.240487][ T9576]  dev_direct_xmit+0x419/0x630
[ 90.245226][ T9576]  ? __check_heap_object+0x51/0xb3
[ 90.250325][ T9576]  ? validate_xmit_skb_list+0x150/0x150
[ 90.255848][ T9576]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 90.262073][ T9576]  ? netdev_pick_tx+0x14e/0xb00
[ 90.266900][ T9576]  packet_direct_xmit+0x1a9/0x250
[ 90.271911][ T9576]  packet_sendmsg+0x260d/0x6220
[ 90.276747][ T9576]  ? ___might_sleep+0x163/0x2c0
[ 90.281575][ T9576]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 90.287801][ T9576]  ? aa_label_sk_perm+0x91/0xf0
[ 90.292630][ T9576]  ? packet_notifier+0x880/0x880
[ 90.297557][ T9576]  ? aa_sock_msg_perm.isra.0+0xba/0x170
[ 90.303076][ T9576]  ? apparmor_socket_sendmsg+0x2a/0x30
[ 90.308511][ T9576]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 90.314734][ T9576]  ? security_socket_sendmsg+0x8d/0xc0
[ 90.320179][ T9576]  ? packet_notifier+0x880/0x880
[ 90.325092][ T9576]  sock_sendmsg+0xd7/0x130
[ 90.329482][ T9576]  __sys_sendto+0x262/0x380
[ 90.333984][ T9576]  ? __ia32_sys_getpeername+0xb0/0xb0
[ 90.339347][ T9576]  ? __ia32_sys_socketpair+0xf0/0xf0
[ 90.344628][ T9576]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 90.350069][ T9576]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 90.355511][ T9576]  ? do_syscall_64+0x26/0x790
[ 90.360212][ T9576]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 90.366269][ T9576]  __x64_sys_sendto+0xe1/0x1a0
[ 90.371024][ T9576]  do_syscall_64+0xfa/0x790
[ 90.375506][ T9576]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 90.381385][ T9576] RIP: 0033:0x442399
[ 90.385255][ T9576] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b 10 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 90.404885][ T9576] RSP: 002b:00007fff86990268 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
[ 90.413283][ T9576] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000442399
[ 90.421329][ T9576] RDX: 000000000000000e RSI: 0000000020000080 RDI: 0000000000000003
[ 90.429276][ T9576] RBP: 00007fff86990290 R08: 0000000000000000 R09: 0000000000000000
[ 90.437223][ T9576] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[ 90.445272][ T9576] R13: 0000000000403930 R14: 0000000000000000 R15: 0000000000000000
[ 90.454553][ T9576] Kernel Offset: disabled
[ 90.458881][ T9576] Rebooting in 86400 seconds..