[....] Starting enhanced syslogd: rsyslogd[?25l[?1c7[ ok 8[?25h[?0c. [ 39.821560][ T27] audit: type=1800 audit(1553060029.041:25): pid=7725 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="cron" dev="sda1" ino=2414 res=0 [ 39.848790][ T27] audit: type=1800 audit(1553060029.041:26): pid=7725 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0 [ 39.875305][ T27] audit: type=1800 audit(1553060029.041:27): pid=7725 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0 [....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[ ok 8[?25h[?0c. Debian GNU/Linux 7 syzkaller ttyS0 Warning: Permanently added '10.128.10.21' (ECDSA) to the list of known hosts. executing program syzkaller login: [ 51.474665][ T7876] ================================================================== [ 51.482863][ T7876] BUG: KASAN: use-after-free in tipc_sk_filter_rcv+0x2166/0x34f0 [ 51.490598][ T7876] Read of size 4 at addr ffff8880900732b4 by task syz-executor226/7876 [ 51.498818][ T7876] [ 51.501153][ T7876] CPU: 1 PID: 7876 Comm: syz-executor226 Not tainted 5.0.0+ #101 [ 51.508864][ T7876] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 51.519957][ T7876] Call Trace: [ 51.523252][ T7876] dump_stack+0x172/0x1f0 [ 51.527565][ T7876] ? tipc_sk_filter_rcv+0x2166/0x34f0 [ 51.532920][ T7876] print_address_description.cold+0x7c/0x20d [ 51.538889][ T7876] ? tipc_sk_filter_rcv+0x2166/0x34f0 [ 51.544249][ T7876] ? tipc_sk_filter_rcv+0x2166/0x34f0 [ 51.549603][ T7876] kasan_report.cold+0x1b/0x40 [ 51.554374][ T7876] ? tipc_sk_filter_rcv+0x2166/0x34f0 [ 51.559814][ T7876] __asan_report_load4_noabort+0x14/0x20 [ 51.565449][ T7876] tipc_sk_filter_rcv+0x2166/0x34f0 [ 51.570662][ T7876] ? tipc_sk_overlimit2+0xa0/0xa0 [ 51.575674][ T7876] ? __local_bh_enable_ip+0x15a/0x270 [ 51.581024][ T7876] ? lockdep_hardirqs_on+0x19e/0x5d0 [ 51.586305][ T7876] ? tipc_sk_rcv+0x562/0x25a0 [ 51.590974][ T7876] ? __local_bh_enable_ip+0x15a/0x270 [ 51.596336][ T7876] tipc_sk_rcv+0xc45/0x25a0 [ 51.600835][ T7876] ? __lock_acquire+0x548/0x3fb0 [ 51.605763][ T7876] ? __kmalloc_reserve.isra.0+0x40/0xf0 [ 51.611343][ T7876] ? sock_recvmsg+0xd0/0x110 [ 51.615916][ T7876] ? ___sys_recvmsg+0x273/0x5a0 [ 51.620753][ T7876] ? tipc_sk_filter_rcv+0x34f0/0x34f0 [ 51.626112][ T7876] ? tipc_node_xmit+0x20b/0x640 [ 51.630951][ T7876] ? find_held_lock+0x35/0x130 [ 51.635705][ T7876] ? tipc_node_xmit+0x20b/0x640 [ 51.640545][ T7876] ? lock_downgrade+0x880/0x880 [ 51.645405][ T7876] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 51.651636][ T7876] ? kasan_check_read+0x11/0x20 [ 51.657253][ T7876] tipc_node_xmit+0x296/0x640 [ 51.661915][ T7876] ? tipc_node_get_linkname+0x110/0x110 [ 51.667459][ T7876] ? kasan_kmalloc+0x9/0x10 [ 51.671957][ T7876] ? __kmalloc_node_track_caller+0x4e/0x70 [ 51.677744][ T7876] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 51.684229][ T7876] ? lockdep_init_map+0x1be/0x6d0 [ 51.689239][ T7876] tipc_node_xmit_skb+0x10f/0x190 [ 51.694240][ T7876] ? skb_trim+0x190/0x190 [ 51.698559][ T7876] ? tipc_node_xmit+0x640/0x640 [ 51.703474][ T7876] ? memset+0x32/0x40 [ 51.707443][ T7876] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 51.713689][ T7876] ? tipc_msg_create+0x20f/0x270 [ 51.718624][ T7876] tipc_sk_send_ack+0x40e/0x4e0 [ 51.723460][ T7876] tipc_recvstream+0x8e3/0xa10 [ 51.728219][ T7876] ? tipc_recvmsg+0xc90/0xc90 [ 51.733271][ T7876] ? apparmor_socket_recvmsg+0x2a/0x30 [ 51.747316][ T7876] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 51.753567][ T7876] ? security_socket_recvmsg+0x9b/0xd0 [ 51.759010][ T7876] ? tipc_recvmsg+0xc90/0xc90 [ 51.763671][ T7876] sock_recvmsg+0xd0/0x110 [ 51.768065][ T7876] ? __sock_recv_ts_and_drops+0x590/0x590 [ 51.773794][ T7876] ___sys_recvmsg+0x273/0x5a0 [ 51.778460][ T7876] ? ___sys_sendmsg+0x930/0x930 [ 51.783312][ T7876] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 51.789544][ T7876] ? kasan_check_read+0x11/0x20 [ 51.794376][ T7876] ? __fget+0x381/0x550 [ 51.798525][ T7876] ? ksys_dup3+0x3e0/0x3e0 [ 51.802935][ T7876] ? __fget_light+0x1a9/0x230 [ 51.807591][ T7876] ? __fdget+0x1b/0x20 [ 51.811641][ T7876] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 51.817879][ T7876] __sys_recvmsg+0x102/0x1d0 [ 51.822450][ T7876] ? __ia32_sys_sendmmsg+0x100/0x100 [ 51.827742][ T7876] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 51.833182][ T7876] ? do_syscall_64+0x26/0x610 [ 51.837855][ T7876] ? entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 51.843930][ T7876] ? do_syscall_64+0x26/0x610 [ 51.848596][ T7876] __x64_sys_recvmsg+0x78/0xb0 [ 51.853344][ T7876] do_syscall_64+0x103/0x610 [ 51.857916][ T7876] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 51.863805][ T7876] RIP: 0033:0x445879 [ 51.867678][ T7876] Code: e8 bc b7 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 2b 12 fc ff c3 66 2e 0f 1f 84 00 00 00 00 [ 51.887287][ T7876] RSP: 002b:00007fbe925c8db8 EFLAGS: 00000246 ORIG_RAX: 000000000000002f [ 51.895684][ T7876] RAX: ffffffffffffffda RBX: 00000000006dac28 RCX: 0000000000445879 [ 51.903663][ T7876] RDX: 0000000000003f00 RSI: 0000000020000200 RDI: 0000000000000003 [ 51.911627][ T7876] RBP: 00000000006dac20 R08: 0000000000000000 R09: 0000000000000000 [ 51.919589][ T7876] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dac2c [ 51.927559][ T7876] R13: 00007fff8c8d10ff R14: 00007fbe925c99c0 R15: 20c49ba5e353f7cf [ 51.935527][ T7876] [ 51.937841][ T7876] Allocated by task 7876: [ 51.942158][ T7876] save_stack+0x45/0xd0 [ 51.946313][ T7876] __kasan_kmalloc.constprop.0+0xcf/0xe0 [ 51.951956][ T7876] kasan_kmalloc+0x9/0x10 [ 51.956266][ T7876] __kmalloc_node_track_caller+0x4e/0x70 [ 51.961989][ T7876] __kmalloc_reserve.isra.0+0x40/0xf0 [ 51.967369][ T7876] __alloc_skb+0x10b/0x5e0 [ 51.971777][ T7876] tipc_buf_acquire+0x2f/0x100 [ 51.976523][ T7876] tipc_msg_create+0x38/0x270 [ 51.981177][ T7876] tipc_sk_send_ack+0x19b/0x4e0 [ 51.986007][ T7876] tipc_recvstream+0x8e3/0xa10 [ 51.990844][ T7876] sock_recvmsg+0xd0/0x110 [ 51.995246][ T7876] ___sys_recvmsg+0x273/0x5a0 [ 51.999926][ T7876] __sys_recvmsg+0x102/0x1d0 [ 52.004605][ T7876] __x64_sys_recvmsg+0x78/0xb0 [ 52.009354][ T7876] do_syscall_64+0x103/0x610 [ 52.013947][ T7876] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 52.019813][ T7876] [ 52.022118][ T7876] Freed by task 7876: [ 52.026091][ T7876] save_stack+0x45/0xd0 [ 52.030226][ T7876] __kasan_slab_free+0x102/0x150 [ 52.035142][ T7876] kasan_slab_free+0xe/0x10 [ 52.039630][ T7876] kfree+0xcf/0x230 [ 52.043416][ T7876] skb_free_head+0x93/0xb0 [ 52.047811][ T7876] skb_release_data+0x576/0x7a0 [ 52.052673][ T7876] skb_release_all+0x4d/0x60 [ 52.057267][ T7876] kfree_skb+0xe8/0x390 [ 52.061420][ T7876] tipc_sk_filter_rcv+0x241b/0x34f0 [ 52.066598][ T7876] tipc_sk_rcv+0xc45/0x25a0 [ 52.071083][ T7876] tipc_node_xmit+0x296/0x640 [ 52.075748][ T7876] tipc_node_xmit_skb+0x10f/0x190 [ 52.080751][ T7876] tipc_sk_send_ack+0x40e/0x4e0 [ 52.085582][ T7876] tipc_recvstream+0x8e3/0xa10 [ 52.090323][ T7876] sock_recvmsg+0xd0/0x110 [ 52.094720][ T7876] ___sys_recvmsg+0x273/0x5a0 [ 52.099378][ T7876] __sys_recvmsg+0x102/0x1d0 [ 52.103965][ T7876] __x64_sys_recvmsg+0x78/0xb0 [ 52.108732][ T7876] do_syscall_64+0x103/0x610 [ 52.113304][ T7876] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 52.119171][ T7876] [ 52.121480][ T7876] The buggy address belongs to the object at ffff888090073200 [ 52.121480][ T7876] which belongs to the cache kmalloc-1k of size 1024 [ 52.135521][ T7876] The buggy address is located 180 bytes inside of [ 52.135521][ T7876] 1024-byte region [ffff888090073200, ffff888090073600) [ 52.148883][ T7876] The buggy address belongs to the page: [ 52.154511][ T7876] page:ffffea0002401c80 count:1 mapcount:0 mapping:ffff88812c3f0ac0 index:0x0 compound_mapcount: 0 [ 52.165172][ T7876] flags: 0x1fffc0000010200(slab|head) [ 52.170694][ T7876] raw: 01fffc0000010200 ffffea00025a2c08 ffff88812c3f1848 ffff88812c3f0ac0 [ 52.179639][ T7876] raw: 0000000000000000 ffff888090072000 0000000100000007 0000000000000000 [ 52.188487][ T7876] page dumped because: kasan: bad access detected [ 52.195063][ T7876] [ 52.197392][ T7876] Memory state around the buggy address: [ 52.203009][ T7876] ffff888090073180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 52.213937][ T7876] ffff888090073200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 52.222005][ T7876] >ffff888090073280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 52.230056][ T7876] ^ [ 52.235777][ T7876] ffff888090073300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 52.244019][ T7876] ffff888090073380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 52.252069][ T7876] ================================================================== [ 52.260117][ T7876] Disabling lock debugging due to kernel taint [ 52.266350][ T7876] Kernel panic - not syncing: panic_on_warn set ... [ 52.273050][ T7876] CPU: 1 PID: 7876 Comm: syz-executor226 Tainted: G B 5.0.0+ #101 [ 52.282135][ T7876] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 52.292173][ T7876] Call Trace: [ 52.295451][ T7876] dump_stack+0x172/0x1f0 [ 52.299762][ T7876] panic+0x2cb/0x65c [ 52.303646][ T7876] ? __warn_printk+0xf3/0xf3 [ 52.308233][ T7876] ? trace_hardirqs_on+0x5e/0x230 [ 52.313238][ T7876] ? trace_hardirqs_on+0x5e/0x230 [ 52.318249][ T7876] ? tipc_sk_filter_rcv+0x2166/0x34f0 [ 52.323698][ T7876] end_report+0x47/0x4f [ 52.327866][ T7876] ? tipc_sk_filter_rcv+0x2166/0x34f0 [ 52.333345][ T7876] kasan_report.cold+0xe/0x40 [ 52.338011][ T7876] ? tipc_sk_filter_rcv+0x2166/0x34f0 [ 52.343367][ T7876] __asan_report_load4_noabort+0x14/0x20 [ 52.348979][ T7876] tipc_sk_filter_rcv+0x2166/0x34f0 [ 52.354165][ T7876] ? tipc_sk_overlimit2+0xa0/0xa0 [ 52.359194][ T7876] ? __local_bh_enable_ip+0x15a/0x270 [ 52.364547][ T7876] ? lockdep_hardirqs_on+0x19e/0x5d0 [ 52.369808][ T7876] ? tipc_sk_rcv+0x562/0x25a0 [ 52.374463][ T7876] ? __local_bh_enable_ip+0x15a/0x270 [ 52.379848][ T7876] tipc_sk_rcv+0xc45/0x25a0 [ 52.384331][ T7876] ? __lock_acquire+0x548/0x3fb0 [ 52.389273][ T7876] ? __kmalloc_reserve.isra.0+0x40/0xf0 [ 52.394815][ T7876] ? sock_recvmsg+0xd0/0x110 [ 52.399387][ T7876] ? ___sys_recvmsg+0x273/0x5a0 [ 52.404236][ T7876] ? tipc_sk_filter_rcv+0x34f0/0x34f0 [ 52.409610][ T7876] ? tipc_node_xmit+0x20b/0x640 [ 52.414459][ T7876] ? find_held_lock+0x35/0x130 [ 52.419226][ T7876] ? tipc_node_xmit+0x20b/0x640 [ 52.424062][ T7876] ? lock_downgrade+0x880/0x880 [ 52.428894][ T7876] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 52.435121][ T7876] ? kasan_check_read+0x11/0x20 [ 52.439983][ T7876] tipc_node_xmit+0x296/0x640 [ 52.444650][ T7876] ? tipc_node_get_linkname+0x110/0x110 [ 52.450178][ T7876] ? kasan_kmalloc+0x9/0x10 [ 52.454662][ T7876] ? __kmalloc_node_track_caller+0x4e/0x70 [ 52.460471][ T7876] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 52.466692][ T7876] ? lockdep_init_map+0x1be/0x6d0 [ 52.471714][ T7876] tipc_node_xmit_skb+0x10f/0x190 [ 52.476927][ T7876] ? skb_trim+0x190/0x190 [ 52.481364][ T7876] ? tipc_node_xmit+0x640/0x640 [ 52.486211][ T7876] ? memset+0x32/0x40 [ 52.490193][ T7876] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 52.496551][ T7876] ? tipc_msg_create+0x20f/0x270 [ 52.501489][ T7876] tipc_sk_send_ack+0x40e/0x4e0 [ 52.506328][ T7876] tipc_recvstream+0x8e3/0xa10 [ 52.511084][ T7876] ? tipc_recvmsg+0xc90/0xc90 [ 52.515852][ T7876] ? apparmor_socket_recvmsg+0x2a/0x30 [ 52.521434][ T7876] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 52.527844][ T7876] ? security_socket_recvmsg+0x9b/0xd0 [ 52.533309][ T7876] ? tipc_recvmsg+0xc90/0xc90 [ 52.537973][ T7876] sock_recvmsg+0xd0/0x110 [ 52.542368][ T7876] ? __sock_recv_ts_and_drops+0x590/0x590 [ 52.548065][ T7876] ___sys_recvmsg+0x273/0x5a0 [ 52.552722][ T7876] ? ___sys_sendmsg+0x930/0x930 [ 52.557577][ T7876] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 52.563818][ T7876] ? kasan_check_read+0x11/0x20 [ 52.568650][ T7876] ? __fget+0x381/0x550 [ 52.572784][ T7876] ? ksys_dup3+0x3e0/0x3e0 [ 52.577176][ T7876] ? __fget_light+0x1a9/0x230 [ 52.581846][ T7876] ? __fdget+0x1b/0x20 [ 52.585898][ T7876] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 52.592942][ T7876] __sys_recvmsg+0x102/0x1d0 [ 52.597721][ T7876] ? __ia32_sys_sendmmsg+0x100/0x100 [ 52.603091][ T7876] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 52.608717][ T7876] ? do_syscall_64+0x26/0x610 [ 52.613666][ T7876] ? entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 52.619896][ T7876] ? do_syscall_64+0x26/0x610 [ 52.624586][ T7876] __x64_sys_recvmsg+0x78/0xb0 [ 52.629365][ T7876] do_syscall_64+0x103/0x610 [ 52.635107][ T7876] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 52.640992][ T7876] RIP: 0033:0x445879 [ 52.644881][ T7876] Code: e8 bc b7 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 2b 12 fc ff c3 66 2e 0f 1f 84 00 00 00 00 [ 52.664489][ T7876] RSP: 002b:00007fbe925c8db8 EFLAGS: 00000246 ORIG_RAX: 000000000000002f [ 52.672893][ T7876] RAX: ffffffffffffffda RBX: 00000000006dac28 RCX: 0000000000445879 [ 52.680843][ T7876] RDX: 0000000000003f00 RSI: 0000000020000200 RDI: 0000000000000003 [ 52.688911][ T7876] RBP: 00000000006dac20 R08: 0000000000000000 R09: 0000000000000000 [ 52.696865][ T7876] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dac2c [ 52.704821][ T7876] R13: 00007fff8c8d10ff R14: 00007fbe925c99c0 R15: 20c49ba5e353f7cf [ 52.713518][ T7876] Kernel Offset: disabled [ 52.717847][ T7876] Rebooting in 86400 seconds..