[info] Using makefile-style concurrent boot in runlevel 2.
[ 28.489750] audit: type=1800 audit(1552247565.768:21): pid=7088 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="bootlogs" dev="sda1" ino=2419 res=0
[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[FAIL] startpar: service(s) returned failure: ssh ... failed!

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.62' (ECDSA) to the list of known hosts.
executing program
executing program
executing program
executing program
executing program
executing program
syzkaller login: [ 44.423955] device ifb0 entered promiscuous mode
[ 44.436909] device ifb0 left promiscuous mode
executing program
[ 44.513436] device ifb0 entered promiscuous mode
[ 44.559402] device ifb0 left promiscuous mode
executing program
executing program
executing program
[ 44.627272] device ifb0 entered promiscuous mode
[ 44.635575] device ifb0 left promiscuous mode
[ 44.698066] ==================================================================
[ 44.705507] BUG: KASAN: use-after-free in x25_device_event+0x296/0x2b0
[ 44.712150] Read of size 8 at addr ffff8880a01cd7d0 by task syz-executor410/7295
[ 44.719667]
[ 44.721288] CPU: 0 PID: 7295 Comm: syz-executor410 Not tainted 5.0.0+ #116
[ 44.728279] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 44.737622] Call Trace:
[ 44.740199] dump_stack+0x172/0x1f0
[ 44.743876] ? x25_device_event+0x296/0x2b0
[ 44.748193] print_address_description.cold+0x7c/0x20d
[ 44.753450] ? x25_device_event+0x296/0x2b0
[ 44.757754] ? x25_device_event+0x296/0x2b0
[ 44.762073] kasan_report.cold+0x1b/0x40
[ 44.766121] ? sock_def_wakeup+0x170/0x280
[ 44.770341] ? x25_device_event+0x296/0x2b0
[ 44.774649] __asan_report_load8_noabort+0x14/0x20
[ 44.779560] x25_device_event+0x296/0x2b0
[ 44.783693] notifier_call_chain+0xc7/0x240
[ 44.788005] raw_notifier_call_chain+0x2e/0x40
[ 44.792572] call_netdevice_notifiers_info+0x3f/0x90
[ 44.797658] __dev_notify_flags+0x1e9/0x2c0
[ 44.801980] ? dev_change_name+0xa00/0xa00
[ 44.806196] ? __dev_change_flags+0x513/0x6e0
[ 44.810676] ? dev_set_allmulti+0x30/0x30
[ 44.814807] ? mutex_trylock+0x1e0/0x1e0
[ 44.818869] ? find_held_lock+0x35/0x130
[ 44.822912] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 44.828432] dev_change_flags+0x10d/0x170
[ 44.832563] dev_ifsioc+0x2b0/0x940
[ 44.836183] ? register_gifconf+0x70/0x70
[ 44.840318] dev_ioctl+0x1b8/0xc70
[ 44.843850] sock_do_ioctl+0x1bd/0x300
[ 44.847720] ? compat_ifr_data_ioctl+0x160/0x160
[ 44.852461] ? mark_held_locks+0x100/0x100
[ 44.856678] sock_ioctl+0x32b/0x610
[ 44.860288] ? dlci_ioctl_set+0x40/0x40
[ 44.864254] ? __fget+0x340/0x540
[ 44.867690] ? find_held_lock+0x35/0x130
[ 44.871850] ? __fget+0x340/0x540
[ 44.875292] ? dlci_ioctl_set+0x40/0x40
[ 44.879249] do_vfs_ioctl+0xd6e/0x1390
[ 44.883121] ? ioctl_preallocate+0x210/0x210
[ 44.887510] ? __fget+0x367/0x540
[ 44.890948] ? iterate_fd+0x360/0x360
[ 44.894730] ? calculate_sigpending+0x87/0xa0
[ 44.899212] ? security_file_ioctl+0x93/0xc0
[ 44.903604] ksys_ioctl+0xab/0xd0
[ 44.907038] __x64_sys_ioctl+0x73/0xb0
[ 44.910907] do_syscall_64+0x103/0x610
[ 44.914779] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 44.919953] RIP: 0033:0x4467c9
[ 44.923129] Code: e8 0c e8 ff ff 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 5b 07 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 44.942012] RSP: 002b:00007f95b473ed98 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 44.949698] RAX: ffffffffffffffda RBX: 00000000006dbc58 RCX: 00000000004467c9
[ 44.956946] RDX: 0000000020000340 RSI: 0000000000008914 RDI: 0000000000000003
[ 44.964194] RBP: 00000000006dbc50 R08: 00007f95b473f700 R09: 0000000000000000
[ 44.971510] R10: 00007f95b473f700 R11: 0000000000000246 R12: 00000000006dbc5c
[ 44.978774] R13: 6000030030626669 R14: 0000000000000000 R15: 0000000030626669
[ 44.986035]
[ 44.987646] Allocated by task 7282:
[ 44.991256] save_stack+0x45/0xd0
[ 44.994688] __kasan_kmalloc.constprop.0+0xcf/0xe0
[ 44.999599] kasan_kmalloc+0x9/0x10
[ 45.003205] kmem_cache_alloc_trace+0x151/0x760
[ 45.007854] x25_link_device_up+0x46/0x3f0
[ 45.012067] x25_device_event+0x116/0x2b0
[ 45.016198] notifier_call_chain+0xc7/0x240
[ 45.020500] raw_notifier_call_chain+0x2e/0x40
[ 45.025063] call_netdevice_notifiers_info+0x3f/0x90
[ 45.030149] __dev_notify_flags+0x121/0x2c0
[ 45.034448] dev_change_flags+0x10d/0x170
[ 45.038591] dev_ifsioc+0x2b0/0x940
[ 45.042201] dev_ioctl+0x1b8/0xc70
[ 45.045720] sock_do_ioctl+0x1bd/0x300
[ 45.049584] sock_ioctl+0x32b/0x610
[ 45.053201] do_vfs_ioctl+0xd6e/0x1390
[ 45.057069] ksys_ioctl+0xab/0xd0
[ 45.060502] __x64_sys_ioctl+0x73/0xb0
[ 45.064371] do_syscall_64+0x103/0x610
[ 45.068239] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 45.073403]
[ 45.075010] Freed by task 7279:
[ 45.078269] save_stack+0x45/0xd0
[ 45.081712] __kasan_slab_free+0x102/0x150
[ 45.085930] kasan_slab_free+0xe/0x10
[ 45.089710] kfree+0xcf/0x230
[ 45.092804] __x25_remove_neigh+0x187/0x1f0
[ 45.097104] x25_link_device_down+0xc7/0x130
[ 45.101492] x25_device_event+0x261/0x2b0
[ 45.105619] notifier_call_chain+0xc7/0x240
[ 45.109921] raw_notifier_call_chain+0x2e/0x40
[ 45.114482] call_netdevice_notifiers_info+0x3f/0x90
[ 45.119564] __dev_notify_flags+0x1e9/0x2c0
[ 45.123864] dev_change_flags+0x10d/0x170
[ 45.127990] dev_ifsioc+0x2b0/0x940
[ 45.131596] dev_ioctl+0x1b8/0xc70
[ 45.135114] sock_do_ioctl+0x1bd/0x300
[ 45.138983] sock_ioctl+0x32b/0x610
[ 45.142590] do_vfs_ioctl+0xd6e/0x1390
[ 45.146456] ksys_ioctl+0xab/0xd0
[ 45.149889] __x64_sys_ioctl+0x73/0xb0
[ 45.153759] do_syscall_64+0x103/0x610
[ 45.157627] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 45.162802]
[ 45.164412] The buggy address belongs to the object at ffff8880a01cd7c0
[ 45.164412] which belongs to the cache kmalloc-256 of size 256
[ 45.177056] The buggy address is located 16 bytes inside of
[ 45.177056] 256-byte region [ffff8880a01cd7c0, ffff8880a01cd8c0)
[ 45.188822] The buggy address belongs to the page:
[ 45.193730] page:ffffea0002807340 count:1 mapcount:0 mapping:ffff88812c3f07c0 index:0x0
[ 45.201854] flags: 0x1fffc0000000200(slab)
[ 45.206080] raw: 01fffc0000000200 ffffea000281ae48 ffff88812c3f1648 ffff88812c3f07c0
[ 45.213942] raw: 0000000000000000 ffff8880a01cd040 000000010000000c 0000000000000000
[ 45.221806] page dumped because: kasan: bad access detected
[ 45.227490]
[ 45.229094] Memory state around the buggy address:
[ 45.234002]  ffff8880a01cd680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 45.241340]  ffff8880a01cd700: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc
[ 45.248678] >ffff8880a01cd780: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 45.256013]                                                  ^
[ 45.261963]  ffff8880a01cd800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 45.269301]  ffff8880a01cd880: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 45.276635] ==================================================================
[ 45.283969] Disabling lock debugging due to kernel taint
[ 45.289455] Kernel panic - not syncing: panic_on_warn set ...
[ 45.295323] CPU: 0 PID: 7295 Comm: syz-executor410 Tainted: G B 5.0.0+ #116
[ 45.303701] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 45.313033] Call Trace:
[ 45.315617] dump_stack+0x172/0x1f0
[ 45.319230] panic+0x2cb/0x65c
[ 45.322406] ? __warn_printk+0xf3/0xf3
[ 45.326272] ? retint_kernel+0x2d/0x2d
[ 45.330140] ? trace_hardirqs_on+0x5e/0x230
[ 45.334443] ? x25_device_event+0x296/0x2b0
[ 45.338744] end_report+0x47/0x4f
[ 45.342179] ? x25_device_event+0x296/0x2b0
[ 45.346480] kasan_report.cold+0xe/0x40
[ 45.350497] ? sock_def_wakeup+0x170/0x280
[ 45.354716] ? x25_device_event+0x296/0x2b0
[ 45.359019] __asan_report_load8_noabort+0x14/0x20
[ 45.363925] x25_device_event+0x296/0x2b0
[ 45.368063] notifier_call_chain+0xc7/0x240
[ 45.372367] raw_notifier_call_chain+0x2e/0x40
[ 45.376930] call_netdevice_notifiers_info+0x3f/0x90
[ 45.382010] __dev_notify_flags+0x1e9/0x2c0
[ 45.386310] ? dev_change_name+0xa00/0xa00
[ 45.390522] ? __dev_change_flags+0x513/0x6e0
[ 45.394995] ? dev_set_allmulti+0x30/0x30
[ 45.399123] ? mutex_trylock+0x1e0/0x1e0
[ 45.403161] ? find_held_lock+0x35/0x130
[ 45.407199] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 45.412720] dev_change_flags+0x10d/0x170
[ 45.416854] dev_ifsioc+0x2b0/0x940
[ 45.420458] ? register_gifconf+0x70/0x70
[ 45.424586] dev_ioctl+0x1b8/0xc70
[ 45.428107] sock_do_ioctl+0x1bd/0x300
[ 45.431974] ? compat_ifr_data_ioctl+0x160/0x160
[ 45.436711] ? mark_held_locks+0x100/0x100
[ 45.440930] sock_ioctl+0x32b/0x610
[ 45.444533] ? dlci_ioctl_set+0x40/0x40
[ 45.448486] ? __fget+0x340/0x540
[ 45.451917] ? find_held_lock+0x35/0x130
[ 45.455957] ? __fget+0x340/0x540
[ 45.459391] ? dlci_ioctl_set+0x40/0x40
[ 45.463345] do_vfs_ioctl+0xd6e/0x1390
[ 45.467219] ? ioctl_preallocate+0x210/0x210
[ 45.471620] ? __fget+0x367/0x540
[ 45.475055] ? iterate_fd+0x360/0x360
[ 45.478838] ? calculate_sigpending+0x87/0xa0
[ 45.483318] ? security_file_ioctl+0x93/0xc0
[ 45.487708] ksys_ioctl+0xab/0xd0
[ 45.491141] __x64_sys_ioctl+0x73/0xb0
[ 45.495008] do_syscall_64+0x103/0x610
[ 45.498878] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 45.504046] RIP: 0033:0x4467c9
[ 45.507223] Code: e8 0c e8 ff ff 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 5b 07 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 45.526109] RSP: 002b:00007f95b473ed98 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 45.533798] RAX: ffffffffffffffda RBX: 00000000006dbc58 RCX: 00000000004467c9
[ 45.541048] RDX: 0000000020000340 RSI: 0000000000008914 RDI: 0000000000000003
[ 45.548351] RBP: 00000000006dbc50 R08: 00007f95b473f700 R09: 0000000000000000
[ 45.555606] R10: 00007f95b473f700 R11: 0000000000000246 R12: 00000000006dbc5c
[ 45.562856] R13: 6000030030626669 R14: 0000000000000000 R15: 0000000030626669
[ 45.570827] Kernel Offset: disabled
[ 45.574441] Rebooting in 86400 seconds..