[ 34.308382][ T26] audit: type=1800 audit(1553056128.609:27): pid=7388 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0
[ 34.343781][ T26] audit: type=1800 audit(1553056128.689:28): pid=7388 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="ssh" dev="sda1" ino=2417 res=0
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ 34.989377][ T26] audit: type=1800 audit(1553056129.329:29): pid=7388 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="rc.local" dev="sda1" ino=2432 res=0
[ 35.009563][ T26] audit: type=1800 audit(1553056129.329:30): pid=7388 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="rmnologin" dev="sda1" ino=2423 res=0

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.37' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 45.042013][ T89] ==================================================================
[ 45.050285][ T89] BUG: KASAN: use-after-free in tipc_sk_filter_rcv+0x2166/0x34f0
[ 45.057998][ T89] Read of size 4 at addr ffff88808fe3c574 by task kworker/u4:2/89
[ 45.066133][ T89]
[ 45.068455][ T89] CPU: 0 PID: 89 Comm: kworker/u4:2 Not tainted 5.0.0+ #101
[ 45.075727][ T89] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 45.085785][ T89] Workqueue: tipc_send tipc_conn_send_work
[ 45.091576][ T89] Call Trace:
[ 45.094872][ T89] dump_stack+0x172/0x1f0
[ 45.099189][ T89] ? tipc_sk_filter_rcv+0x2166/0x34f0
[ 45.104551][ T89] print_address_description.cold+0x7c/0x20d
[ 45.110523][ T89] ? tipc_sk_filter_rcv+0x2166/0x34f0
[ 45.115892][ T89] ? tipc_sk_filter_rcv+0x2166/0x34f0
[ 45.121256][ T89] kasan_report.cold+0x1b/0x40
[ 45.126009][ T89] ? tipc_sk_filter_rcv+0x2166/0x34f0
[ 45.131466][ T89] __asan_report_load4_noabort+0x14/0x20
[ 45.137171][ T89] tipc_sk_filter_rcv+0x2166/0x34f0
[ 45.142379][ T89] ? tipc_sk_overlimit2+0xa0/0xa0
[ 45.147398][ T89] ? __local_bh_enable_ip+0x15a/0x270
[ 45.152757][ T89] ? lockdep_hardirqs_on+0x19e/0x5d0
[ 45.158037][ T89] ? tipc_sk_rcv+0x562/0x25a0
[ 45.162721][ T89] ? __local_bh_enable_ip+0x15a/0x270
[ 45.168092][ T89] tipc_sk_rcv+0xc45/0x25a0
[ 45.172594][ T89] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 45.179718][ T89] ? tipc_sk_filter_rcv+0x34f0/0x34f0
[ 45.185083][ T89] ? __alloc_skb+0x3cd/0x5e0
[ 45.189662][ T89] ? skb_trim+0x190/0x190
[ 45.194005][ T89] ? memset+0x32/0x40
[ 45.197990][ T89] ? tipc_msg_init+0x190/0x1d0
[ 45.202759][ T89] ? lockdep_init_map+0x1be/0x6d0
[ 45.207788][ T89] tipc_topsrv_kern_evt+0x3b7/0x580
[ 45.212976][ T89] ? tipc_conn_recv_work+0x100/0x100
[ 45.218337][ T89] ? __local_bh_enable_ip+0x15a/0x270
[ 45.223707][ T89] ? tipc_conn_send_to_sock+0x389/0x5f0
[ 45.229254][ T89] tipc_conn_send_to_sock+0x43e/0x5f0
[ 45.234626][ T89] ? tipc_topsrv_kern_evt+0x580/0x580
[ 45.240013][ T89] tipc_conn_send_work+0x65/0x80
[ 45.244947][ T89] process_one_work+0x98e/0x1790
[ 45.249881][ T89] ? pwq_dec_nr_in_flight+0x320/0x320
[ 45.255332][ T89] ? lock_acquire+0x16f/0x3f0
[ 45.260037][ T89] worker_thread+0x98/0xe40
[ 45.264904][ T89] kthread+0x357/0x430
[ 45.269048][ T89] ? process_one_work+0x1790/0x1790
[ 45.274245][ T89] ? kthread_cancel_delayed_work_sync+0x20/0x20
[ 45.280475][ T89] ret_from_fork+0x3a/0x50
[ 45.284889][ T89]
[ 45.287202][ T89] Allocated by task 89:
[ 45.291433][ T89] save_stack+0x45/0xd0
[ 45.295575][ T89] __kasan_kmalloc.constprop.0+0xcf/0xe0
[ 45.301196][ T89] kasan_kmalloc+0x9/0x10
[ 45.305513][ T89] __kmalloc_node_track_caller+0x4e/0x70
[ 45.311140][ T89] __kmalloc_reserve.isra.0+0x40/0xf0
[ 45.316494][ T89] __alloc_skb+0x10b/0x5e0
[ 45.320895][ T89] tipc_buf_acquire+0x2f/0x100
[ 45.325654][ T89] tipc_msg_create+0x38/0x270
[ 45.330316][ T89] tipc_topsrv_kern_evt+0x2a7/0x580
[ 45.335510][ T89] tipc_conn_send_to_sock+0x43e/0x5f0
[ 45.340879][ T89] tipc_conn_send_work+0x65/0x80
[ 45.345800][ T89] process_one_work+0x98e/0x1790
[ 45.350724][ T89] worker_thread+0x98/0xe40
[ 45.355254][ T89] kthread+0x357/0x430
[ 45.359317][ T89] ret_from_fork+0x3a/0x50
[ 45.363727][ T89]
[ 45.366038][ T89] Freed by task 89:
[ 45.369850][ T89] save_stack+0x45/0xd0
[ 45.373993][ T89] __kasan_slab_free+0x102/0x150
[ 45.378917][ T89] kasan_slab_free+0xe/0x10
[ 45.383404][ T89] kfree+0xcf/0x230
[ 45.387302][ T89] skb_free_head+0x93/0xb0
[ 45.391711][ T89] skb_release_data+0x576/0x7a0
[ 45.396545][ T89] skb_release_all+0x4d/0x60
[ 45.401120][ T89] kfree_skb+0xe8/0x390
[ 45.405261][ T89] tipc_sk_filter_rcv+0x1e6a/0x34f0
[ 45.410452][ T89] tipc_sk_rcv+0xc45/0x25a0
[ 45.414947][ T89] tipc_topsrv_kern_evt+0x3b7/0x580
[ 45.420132][ T89] tipc_conn_send_to_sock+0x43e/0x5f0
[ 45.425489][ T89] tipc_conn_send_work+0x65/0x80
[ 45.430413][ T89] process_one_work+0x98e/0x1790
[ 45.435334][ T89] worker_thread+0x98/0xe40
[ 45.439828][ T89] kthread+0x357/0x430
[ 45.443880][ T89] ret_from_fork+0x3a/0x50
[ 45.448273][ T89]
[ 45.450590][ T89] The buggy address belongs to the object at ffff88808fe3c4c0
[ 45.450590][ T89] which belongs to the cache kmalloc-1k of size 1024
[ 45.467537][ T89] The buggy address is located 180 bytes inside of
[ 45.467537][ T89] 1024-byte region [ffff88808fe3c4c0, ffff88808fe3c8c0)
[ 45.482111][ T89] The buggy address belongs to the page:
[ 45.487840][ T89] page:ffffea00023f8f00 count:1 mapcount:0 mapping:ffff88812c3f0ac0 index:0x0 compound_mapcount: 0
[ 45.498593][ T89] flags: 0x1fffc0000010200(slab|head)
[ 45.503976][ T89] raw: 01fffc0000010200 ffffea00023eab08 ffffea0002411a88 ffff88812c3f0ac0
[ 45.512551][ T89] raw: 0000000000000000 ffff88808fe3c040 0000000100000007 0000000000000000
[ 45.521115][ T89] page dumped because: kasan: bad access detected
[ 45.527505][ T89]
[ 45.529816][ T89] Memory state around the buggy address:
[ 45.535438][ T89] ffff88808fe3c400: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 45.543576][ T89] ffff88808fe3c480: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 45.551640][ T89] >ffff88808fe3c500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 45.559857][ T89] ^
[ 45.567577][ T89] ffff88808fe3c580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 45.575628][ T89] ffff88808fe3c600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 45.583674][ T89] ==================================================================
[ 45.591979][ T89] Disabling lock debugging due to kernel taint
[ 45.598173][ T89] Kernel panic - not syncing: panic_on_warn set ...
[ 45.604750][ T89] CPU: 0 PID: 89 Comm: kworker/u4:2 Tainted: G B 5.0.0+ #101
[ 45.613412][ T89] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 45.623468][ T89] Workqueue: tipc_send tipc_conn_send_work
[ 45.629257][ T89] Call Trace:
[ 45.632537][ T89] dump_stack+0x172/0x1f0
[ 45.636852][ T89] panic+0x2cb/0x65c
[ 45.640820][ T89] ? __warn_printk+0xf3/0xf3
[ 45.645397][ T89] ? trace_hardirqs_on+0x5e/0x230
[ 45.650422][ T89] ? trace_hardirqs_on+0x5e/0x230
[ 45.655433][ T89] ? tipc_sk_filter_rcv+0x2166/0x34f0
[ 45.660803][ T89] end_report+0x47/0x4f
[ 45.664954][ T89] ? tipc_sk_filter_rcv+0x2166/0x34f0
[ 45.670318][ T89] kasan_report.cold+0xe/0x40
[ 45.674980][ T89] ? tipc_sk_filter_rcv+0x2166/0x34f0
[ 45.680338][ T89] __asan_report_load4_noabort+0x14/0x20
[ 45.686377][ T89] tipc_sk_filter_rcv+0x2166/0x34f0
[ 45.691567][ T89] ? tipc_sk_overlimit2+0xa0/0xa0
[ 45.696579][ T89] ? __local_bh_enable_ip+0x15a/0x270
[ 45.701937][ T89] ? lockdep_hardirqs_on+0x19e/0x5d0
[ 45.707212][ T89] ? tipc_sk_rcv+0x562/0x25a0
[ 45.711980][ T89] ? __local_bh_enable_ip+0x15a/0x270
[ 45.717450][ T89] tipc_sk_rcv+0xc45/0x25a0
[ 45.722580][ T89] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 45.728998][ T89] ? tipc_sk_filter_rcv+0x34f0/0x34f0
[ 45.734381][ T89] ? __alloc_skb+0x3cd/0x5e0
[ 45.738978][ T89] ? skb_trim+0x190/0x190
[ 45.743356][ T89] ? memset+0x32/0x40
[ 45.747328][ T89] ? tipc_msg_init+0x190/0x1d0
[ 45.752091][ T89] ? lockdep_init_map+0x1be/0x6d0
[ 45.757118][ T89] tipc_topsrv_kern_evt+0x3b7/0x580
[ 45.762301][ T89] ? tipc_conn_recv_work+0x100/0x100
[ 45.767573][ T89] ? __local_bh_enable_ip+0x15a/0x270
[ 45.772957][ T89] ? tipc_conn_send_to_sock+0x389/0x5f0
[ 45.778507][ T89] tipc_conn_send_to_sock+0x43e/0x5f0
[ 45.783869][ T89] ? tipc_topsrv_kern_evt+0x580/0x580
[ 45.789347][ T89] tipc_conn_send_work+0x65/0x80
[ 45.794277][ T89] process_one_work+0x98e/0x1790
[ 45.799206][ T89] ? pwq_dec_nr_in_flight+0x320/0x320
[ 45.804575][ T89] ? lock_acquire+0x16f/0x3f0
[ 45.809247][ T89] worker_thread+0x98/0xe40
[ 45.813828][ T89] kthread+0x357/0x430
[ 45.817898][ T89] ? process_one_work+0x1790/0x1790
[ 45.823081][ T89] ? kthread_cancel_delayed_work_sync+0x20/0x20
[ 45.829310][ T89] ret_from_fork+0x3a/0x50
[ 45.835101][ T89] Kernel Offset: disabled
[ 45.839660][ T89] Rebooting in 86400 seconds..