[....] Starting enhanced syslogd: rsyslogd[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[....] Starting periodic command scheduler: cron[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[   28.801109] kauditd_printk_skb: 8 callbacks suppressed
[   28.801121] audit: type=1800 audit(1544614684.203:29): pid=5861 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="rc.local" dev="sda1" ino=2432 res=0
[   28.827470] audit: type=1800 audit(1544614684.203:30): pid=5861 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="rmnologin" dev="sda1" ino=2423 res=0

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   32.460467] sshd (6000) used greatest stack depth: 15744 bytes left
Warning: Permanently added '10.128.0.67' (ECDSA) to the list of known hosts.
executing program
executing program
[   39.716332] ==================================================================
[   39.723795] BUG: KASAN: use-after-free in tipc_group_bc_cong+0x327/0x3f0
[   39.730621] Read of size 2 at addr ffff8881d8571d74 by task syz-executor640/6024
[   39.738129] 
[   39.739754] CPU: 0 PID: 6024 Comm: syz-executor640 Not tainted 4.20.0-rc6+ #340
[   39.747182] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   39.756518] Call Trace:
[   39.759095]  dump_stack+0x244/0x39d
[   39.762711]  ? dump_stack_print_info.cold.1+0x20/0x20
[   39.767888]  ? printk+0xa7/0xcf
[   39.771159]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[   39.775908]  ? _raw_spin_unlock_irqrestore+0x82/0xd0
[   39.781002]  print_address_description.cold.7+0x9/0x1ff
[   39.786355]  kasan_report.cold.8+0x242/0x309
[   39.790752]  ? tipc_group_bc_cong+0x327/0x3f0
[   39.795245]  __asan_report_load2_noabort+0x14/0x20
[   39.800189]  tipc_group_bc_cong+0x327/0x3f0
[   39.804518]  ? _raw_spin_unlock_irqrestore+0x6d/0xd0
[   39.809618]  ? tipc_group_cong+0x5d0/0x5d0
[   39.813839]  ? remove_wait_queue+0x1a6/0x360
[   39.818262]  ? add_wait_queue+0x2b0/0x2b0
[   39.822403]  ? __local_bh_enable_ip+0x160/0x260
[   39.827063]  tipc_send_group_bcast+0x50a/0xd90
[   39.831642]  ? tipc_sk_sock_err.isra.61+0x2f0/0x2f0
[   39.836650]  ? __init_waitqueue_head+0x150/0x150
[   39.841395]  ? refill_pi_state_cache.part.8+0x310/0x310
[   39.846751]  ? mark_held_locks+0x130/0x130
[   39.850969]  ? futex_wait_setup+0x266/0x3e0
[   39.855293]  ? futex_wake+0x760/0x760
[   39.859093]  ? print_usage_bug+0xc0/0xc0
[   39.863171]  ? __sanitizer_cov_trace_switch+0x53/0x90
[   39.868349]  __tipc_sendmsg+0xeec/0x1d40
[   39.872397]  ? futex_wait+0x5ec/0xa50
[   39.876188]  ? tipc_sendmcast+0xf50/0xf50
[   39.880349]  ? __sanitizer_cov_trace_switch+0x53/0x90
[   39.885525]  ? zap_class+0x640/0x640
[   39.889237]  ? print_usage_bug+0xc0/0xc0
[   39.893296]  ? find_held_lock+0x36/0x1c0
[   39.897347]  ? mark_held_locks+0xc7/0x130
[   39.901481]  ? __local_bh_enable_ip+0x160/0x260
[   39.906142]  ? __local_bh_enable_ip+0x160/0x260
[   39.910810]  ? lockdep_hardirqs_on+0x3bb/0x5b0
[   39.915381]  ? trace_hardirqs_on+0xbd/0x310
[   39.919704]  ? lock_release+0xa00/0xa00
[   39.923696]  ? lock_sock_nested+0xe2/0x120
[   39.927949]  ? trace_hardirqs_off_caller+0x310/0x310
[   39.933053]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   39.938579]  ? check_preemption_disabled+0x48/0x280
[   39.943583]  ? lock_sock_nested+0x9a/0x120
[   39.947803]  ? lock_sock_nested+0x9a/0x120
[   39.952067]  ? __local_bh_enable_ip+0x160/0x260
[   39.956760]  tipc_sendmsg+0x50/0x70
[   39.960372]  ? __tipc_sendmsg+0x1d40/0x1d40
[   39.964683]  sock_sendmsg+0xd5/0x120
[   39.968386]  ___sys_sendmsg+0x7fd/0x930
[   39.972346]  ? find_held_lock+0x36/0x1c0
[   39.976395]  ? copy_msghdr_from_user+0x580/0x580
[   39.981140]  ? __fd_install+0x2b5/0x8f0
[   39.985102]  ? check_preemption_disabled+0x48/0x280
[   39.990108]  ? __fget_light+0x2e9/0x430
[   39.994071]  ? fget_raw+0x20/0x20
[   39.997514]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   40.003053]  ? __fd_install+0x2f9/0x8f0
[   40.007015]  ? get_unused_fd_flags+0x1a0/0x1a0
[   40.011602]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   40.017130]  ? sockfd_lookup_light+0xc5/0x160
[   40.021618]  __sys_sendmsg+0x11d/0x280
[   40.025490]  ? __ia32_sys_shutdown+0x80/0x80
[   40.029884]  ? fput+0x130/0x1a0
[   40.033151]  ? __x64_sys_futex+0x47f/0x6a0
[   40.037389]  ? do_syscall_64+0x9a/0x820
[   40.041364]  ? do_syscall_64+0x9a/0x820
[   40.045346]  ? trace_hardirqs_off_caller+0x310/0x310
[   40.050441]  __x64_sys_sendmsg+0x78/0xb0
[   40.054489]  do_syscall_64+0x1b9/0x820
[   40.058361]  ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[   40.063715]  ? syscall_return_slowpath+0x5e0/0x5e0
[   40.068636]  ? trace_hardirqs_on_caller+0x310/0x310
[   40.073646]  ? prepare_exit_to_usermode+0x3b0/0x3b0
[   40.078664]  ? post_copy_siginfo_from_user.isra.25.part.26+0x250/0x250
[   40.085315]  ? __switch_to_asm+0x40/0x70
[   40.089363]  ? __switch_to_asm+0x34/0x70
[   40.093422]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   40.098270]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   40.103458] RIP: 0033:0x446389
[   40.106636] Code: e8 2c b3 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 2b 09 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[   40.125523] RSP: 002b:00007fbb49751db8 EFLAGS: 00000297 ORIG_RAX: 000000000000002e
[   40.133230] RAX: ffffffffffffffda RBX: 00000000006dac38 RCX: 0000000000446389
[   40.140494] RDX: 0000000000000000 RSI: 00000000200006c0 RDI: 0000000000000005
[   40.147763] RBP: 00000000006dac30 R08: 0000000000000000 R09: 0000000000000000
[   40.155024] R10: 0000000000000000 R11: 0000000000000297 R12: 00000000006dac3c
[   40.162280] R13: 00007ffe2780e5af R14: 00007fbb497529c0 R15: 00000000006dad2c
[   40.169542] 
[   40.171154] Allocated by task 6025:
[   40.174768]  save_stack+0x43/0xd0
[   40.178223]  kasan_kmalloc+0xc7/0xe0
[   40.181943]  kmem_cache_alloc_trace+0x152/0x750
[   40.186594]  tipc_group_create+0x152/0xa70
[   40.190813]  tipc_setsockopt+0x2d1/0xd70
[   40.194859]  __sys_setsockopt+0x1ba/0x3c0
[   40.198992]  __x64_sys_setsockopt+0xbe/0x150
[   40.203388]  do_syscall_64+0x1b9/0x820
[   40.207267]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   40.212445] 
[   40.214057] Freed by task 6025:
[   40.217328]  save_stack+0x43/0xd0
[   40.220777]  __kasan_slab_free+0x102/0x150
[   40.224998]  kasan_slab_free+0xe/0x10
[   40.228784]  kfree+0xcf/0x230
[   40.231875]  tipc_group_delete+0x2e4/0x3f0
[   40.236094]  tipc_sk_leave+0x113/0x220
[   40.239967]  tipc_setsockopt+0x97d/0xd70
[   40.244025]  __sys_setsockopt+0x1ba/0x3c0
[   40.248179]  __x64_sys_setsockopt+0xbe/0x150
[   40.252592]  do_syscall_64+0x1b9/0x820
[   40.256467]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   40.261636] 
[   40.263252] The buggy address belongs to the object at ffff8881d8571d00
[   40.263252]  which belongs to the cache kmalloc-192 of size 192
[   40.275894] The buggy address is located 116 bytes inside of
[   40.275894]  192-byte region [ffff8881d8571d00, ffff8881d8571dc0)
[   40.287750] The buggy address belongs to the page:
[   40.292680] page:ffffea0007615c40 count:1 mapcount:0 mapping:ffff8881da800040 index:0xffff8881d8571200
[   40.302476] flags: 0x2fffc0000000200(slab)
[   40.306712] raw: 02fffc0000000200 ffffea0007604348 ffffea0007616988 ffff8881da800040
[   40.314594] raw: ffff8881d8571200 ffff8881d8571000 0000000100000006 0000000000000000
[   40.322467] page dumped because: kasan: bad access detected
[   40.328159] 
[   40.329782] Memory state around the buggy address:
[   40.334694]  ffff8881d8571c00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   40.342038]  ffff8881d8571c80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   40.349395] >ffff8881d8571d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   40.356751]                                                              ^
[   40.363747]  ffff8881d8571d80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   40.371091]  ffff8881d8571e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   40.378430] ==================================================================
[   40.385767] Disabling lock debugging due to kernel taint
[   40.391727] Kernel panic - not syncing: panic_on_warn set ...
[   40.397617] CPU: 0 PID: 6024 Comm: syz-executor640 Tainted: G    B             4.20.0-rc6+ #340
[   40.406442] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   40.415776] Call Trace:
[   40.418351]  dump_stack+0x244/0x39d
[   40.421967]  ? dump_stack_print_info.cold.1+0x20/0x20
[   40.427145]  panic+0x2ad/0x55c
[   40.430322]  ? add_taint.cold.5+0x16/0x16
[   40.434456]  ? preempt_schedule+0x4d/0x60
[   40.438612]  ? ___preempt_schedule+0x16/0x18
[   40.443029]  ? trace_hardirqs_on+0xb4/0x310
[   40.447339]  kasan_end_report+0x47/0x4f
[   40.451316]  kasan_report.cold.8+0x76/0x309
[   40.455622]  ? tipc_group_bc_cong+0x327/0x3f0
[   40.460102]  __asan_report_load2_noabort+0x14/0x20
[   40.465013]  tipc_group_bc_cong+0x327/0x3f0
[   40.469320]  ? _raw_spin_unlock_irqrestore+0x6d/0xd0
[   40.474418]  ? tipc_group_cong+0x5d0/0x5d0
[   40.478660]  ? remove_wait_queue+0x1a6/0x360
[   40.483056]  ? add_wait_queue+0x2b0/0x2b0
[   40.487188]  ? __local_bh_enable_ip+0x160/0x260
[   40.491846]  tipc_send_group_bcast+0x50a/0xd90
[   40.496418]  ? tipc_sk_sock_err.isra.61+0x2f0/0x2f0
[   40.501421]  ? __init_waitqueue_head+0x150/0x150
[   40.506163]  ? refill_pi_state_cache.part.8+0x310/0x310
[   40.511518]  ? mark_held_locks+0x130/0x130
[   40.515738]  ? futex_wait_setup+0x266/0x3e0
[   40.520048]  ? futex_wake+0x760/0x760
[   40.523833]  ? print_usage_bug+0xc0/0xc0
[   40.527878]  ? __sanitizer_cov_trace_switch+0x53/0x90
[   40.533056]  __tipc_sendmsg+0xeec/0x1d40
[   40.537100]  ? futex_wait+0x5ec/0xa50
[   40.540896]  ? tipc_sendmcast+0xf50/0xf50
[   40.545027]  ? __sanitizer_cov_trace_switch+0x53/0x90
[   40.550200]  ? zap_class+0x640/0x640
[   40.553923]  ? print_usage_bug+0xc0/0xc0
[   40.558001]  ? find_held_lock+0x36/0x1c0
[   40.562053]  ? mark_held_locks+0xc7/0x130
[   40.566194]  ? __local_bh_enable_ip+0x160/0x260
[   40.570873]  ? __local_bh_enable_ip+0x160/0x260
[   40.575527]  ? lockdep_hardirqs_on+0x3bb/0x5b0
[   40.580094]  ? trace_hardirqs_on+0xbd/0x310
[   40.584413]  ? lock_release+0xa00/0xa00
[   40.588369]  ? lock_sock_nested+0xe2/0x120
[   40.592609]  ? trace_hardirqs_off_caller+0x310/0x310
[   40.597709]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   40.603244]  ? check_preemption_disabled+0x48/0x280
[   40.608247]  ? lock_sock_nested+0x9a/0x120
[   40.612464]  ? lock_sock_nested+0x9a/0x120
[   40.616683]  ? __local_bh_enable_ip+0x160/0x260
[   40.621336]  tipc_sendmsg+0x50/0x70
[   40.624949]  ? __tipc_sendmsg+0x1d40/0x1d40
[   40.629257]  sock_sendmsg+0xd5/0x120
[   40.632956]  ___sys_sendmsg+0x7fd/0x930
[   40.636926]  ? find_held_lock+0x36/0x1c0
[   40.640978]  ? copy_msghdr_from_user+0x580/0x580
[   40.645745]  ? __fd_install+0x2b5/0x8f0
[   40.649721]  ? check_preemption_disabled+0x48/0x280
[   40.654729]  ? __fget_light+0x2e9/0x430
[   40.658740]  ? fget_raw+0x20/0x20
[   40.662178]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   40.667696]  ? __fd_install+0x2f9/0x8f0
[   40.671660]  ? get_unused_fd_flags+0x1a0/0x1a0
[   40.676282]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   40.681806]  ? sockfd_lookup_light+0xc5/0x160
[   40.686288]  __sys_sendmsg+0x11d/0x280
[   40.690161]  ? __ia32_sys_shutdown+0x80/0x80
[   40.694556]  ? fput+0x130/0x1a0
[   40.697820]  ? __x64_sys_futex+0x47f/0x6a0
[   40.702036]  ? do_syscall_64+0x9a/0x820
[   40.706006]  ? do_syscall_64+0x9a/0x820
[   40.709987]  ? trace_hardirqs_off_caller+0x310/0x310
[   40.715075]  __x64_sys_sendmsg+0x78/0xb0
[   40.719123]  do_syscall_64+0x1b9/0x820
[   40.722996]  ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[   40.728345]  ? syscall_return_slowpath+0x5e0/0x5e0
[   40.733275]  ? trace_hardirqs_on_caller+0x310/0x310
[   40.738275]  ? prepare_exit_to_usermode+0x3b0/0x3b0
[   40.743279]  ? post_copy_siginfo_from_user.isra.25.part.26+0x250/0x250
[   40.749935]  ? __switch_to_asm+0x40/0x70
[   40.753977]  ? __switch_to_asm+0x34/0x70
[   40.758025]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   40.762852]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   40.768025] RIP: 0033:0x446389
[   40.771201] Code: e8 2c b3 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 2b 09 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[   40.790096] RSP: 002b:00007fbb49751db8 EFLAGS: 00000297 ORIG_RAX: 000000000000002e
[   40.797786] RAX: ffffffffffffffda RBX: 00000000006dac38 RCX: 0000000000446389
[   40.805036] RDX: 0000000000000000 RSI: 00000000200006c0 RDI: 0000000000000005
[   40.812291] RBP: 00000000006dac30 R08: 0000000000000000 R09: 0000000000000000
[   40.819556] R10: 0000000000000000 R11: 0000000000000297 R12: 00000000006dac3c
[   40.826825] R13: 00007ffe2780e5af R14: 00007fbb497529c0 R15: 00000000006dad2c
[   40.835051] Kernel Offset: disabled
[   40.838675] Rebooting in 86400 seconds..