[....] Starting periodic command scheduler: cron[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[   29.694149] kauditd_printk_skb: 7 callbacks suppressed
[   29.694161] audit: type=1800 audit(1544730142.708:29): pid=5924 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="rc.local" dev="sda1" ino=2432 res=0
[   29.725659] audit: type=1800 audit(1544730142.708:30): pid=5924 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="rmnologin" dev="sda1" ino=2423 res=0
[....] startpar: service(s) returned failure: rsyslog ...[?25l[?1c7[1G[[31mFAIL[39;49m8[?25h[?0c [31mfailed![39;49m

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   33.465773] sshd (6084) used greatest stack depth: 16296 bytes left
Warning: Permanently added '10.128.0.13' (ECDSA) to the list of known hosts.
executing program
[   40.501325] ==================================================================
[   40.508826] BUG: KASAN: use-after-free in tipc_group_bc_cong+0x327/0x3f0
[   40.515657] Read of size 2 at addr ffff8881d882d774 by task syz-executor113/6103
[   40.523324] 
[   40.524937] CPU: 0 PID: 6103 Comm: syz-executor113 Not tainted 4.20.0-rc6-next-20181213+ #170
[   40.533579] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   40.543160] Call Trace:
[   40.545747]  dump_stack+0x244/0x39d
[   40.549363]  ? dump_stack_print_info.cold.1+0x20/0x20
[   40.554536]  ? printk+0xa7/0xcf
[   40.557803]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[   40.562549]  print_address_description.cold.4+0x9/0x1ff
[   40.567910]  ? tipc_group_bc_cong+0x327/0x3f0
[   40.572393]  kasan_report.cold.5+0x1b/0x39
[   40.576610]  ? tipc_group_bc_cong+0x327/0x3f0
[   40.581090]  ? tipc_group_bc_cong+0x327/0x3f0
[   40.585571]  __asan_report_load2_noabort+0x14/0x20
[   40.590485]  tipc_group_bc_cong+0x327/0x3f0
[   40.594809]  ? _raw_spin_unlock_irqrestore+0x6d/0xd0
[   40.599899]  ? tipc_group_cong+0x5d0/0x5d0
[   40.604121]  ? remove_wait_queue+0x1a6/0x360
[   40.608521]  ? add_wait_queue+0x2b0/0x2b0
[   40.612656]  ? __local_bh_enable_ip+0x160/0x260
[   40.617325]  tipc_send_group_bcast+0x50a/0xd90
[   40.621930]  ? tipc_sk_sock_err.isra.60+0x2f0/0x2f0
[   40.626935]  ? __init_waitqueue_head+0x150/0x150
[   40.631689]  ? refill_pi_state_cache.part.7+0x310/0x310
[   40.637042]  ? mark_held_locks+0x130/0x130
[   40.641265]  ? futex_wait_setup+0x266/0x3e0
[   40.645575]  ? handle_futex_death+0x230/0x230
[   40.650071]  ? print_usage_bug+0xc0/0xc0
[   40.654119]  ? __sanitizer_cov_trace_switch+0x53/0x90
[   40.659308]  __tipc_sendmsg+0xeec/0x1d40
[   40.663357]  ? futex_wait+0x5ec/0xa50
[   40.667145]  ? tipc_sendmcast+0xf50/0xf50
[   40.671294]  ? __sanitizer_cov_trace_switch+0x53/0x90
[   40.676485]  ? graph_lock+0x270/0x270
[   40.680287]  ? print_usage_bug+0xc0/0xc0
[   40.684353]  ? find_held_lock+0x36/0x1c0
[   40.688416]  ? mark_held_locks+0xc7/0x130
[   40.692562]  ? __local_bh_enable_ip+0x160/0x260
[   40.697227]  ? __local_bh_enable_ip+0x160/0x260
[   40.701887]  ? lockdep_hardirqs_on+0x3bb/0x5b0
[   40.706457]  ? trace_hardirqs_on+0xbd/0x310
[   40.710762]  ? lock_release+0xa00/0xa00
[   40.714722]  ? lock_sock_nested+0xe2/0x120
[   40.718940]  ? trace_hardirqs_off_caller+0x310/0x310
[   40.724031]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   40.729557]  ? check_preemption_disabled+0x48/0x280
[   40.734576]  ? lock_sock_nested+0x9a/0x120
[   40.738796]  ? lock_sock_nested+0x9a/0x120
[   40.743018]  ? __local_bh_enable_ip+0x160/0x260
[   40.747678]  tipc_sendmsg+0x50/0x70
[   40.751288]  ? __tipc_sendmsg+0x1d40/0x1d40
[   40.755593]  sock_sendmsg+0xd5/0x120
[   40.759292]  ___sys_sendmsg+0x7fd/0x930
[   40.763277]  ? find_held_lock+0x36/0x1c0
[   40.767339]  ? copy_msghdr_from_user+0x580/0x580
[   40.772097]  ? __fd_install+0x2b5/0x8f0
[   40.776080]  ? check_preemption_disabled+0x48/0x280
[   40.781101]  ? __fget_light+0x2e9/0x430
[   40.785071]  ? fget_raw+0x20/0x20
[   40.788524]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   40.794061]  ? __fd_install+0x2f9/0x8f0
[   40.798049]  ? get_unused_fd_flags+0x1a0/0x1a0
[   40.802652]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   40.808194]  ? sockfd_lookup_light+0xc5/0x160
[   40.812692]  __sys_sendmsg+0x11d/0x280
[   40.816572]  ? __ia32_sys_shutdown+0x80/0x80
[   40.820966]  ? __x64_sys_futex+0x476/0x690
[   40.825186]  ? do_syscall_64+0x9a/0x820
[   40.829144]  ? do_syscall_64+0x9a/0x820
[   40.833119]  ? trace_hardirqs_off_caller+0x310/0x310
[   40.838223]  __x64_sys_sendmsg+0x78/0xb0
[   40.842299]  do_syscall_64+0x1b9/0x820
[   40.846190]  ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[   40.851538]  ? syscall_return_slowpath+0x5e0/0x5e0
[   40.856458]  ? trace_hardirqs_on_caller+0x310/0x310
[   40.861463]  ? prepare_exit_to_usermode+0x3b0/0x3b0
[   40.866467]  ? post_copy_siginfo_from_user.isra.25.part.26+0x250/0x250
[   40.873114]  ? __switch_to_asm+0x40/0x70
[   40.877156]  ? __switch_to_asm+0x34/0x70
[   40.881207]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   40.886049]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   40.891227] RIP: 0033:0x446389
[   40.894418] Code: e8 2c b3 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 2b 09 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[   40.913332] RSP: 002b:00007faaade0fdb8 EFLAGS: 00000297 ORIG_RAX: 000000000000002e
[   40.921038] RAX: ffffffffffffffda RBX: 00000000006dac38 RCX: 0000000000446389
[   40.928299] RDX: 0000000000000000 RSI: 00000000200001c0 RDI: 0000000000000005
[   40.935560] RBP: 00000000006dac30 R08: 0000000000000000 R09: 0000000000000000
[   40.942813] R10: 0000000000000000 R11: 0000000000000297 R12: 00000000006dac3c
[   40.950067] R13: 00007ffca0f14eef R14: 00007faaade109c0 R15: 00000000006dad2c
[   40.957321] 
[   40.958928] Allocated by task 6104:
[   40.962545]  save_stack+0x43/0xd0
[   40.965987]  kasan_kmalloc+0xcb/0xd0
[   40.969680]  kmem_cache_alloc_trace+0x154/0x740
[   40.974333]  tipc_group_create+0x152/0xa70
[   40.978548]  tipc_setsockopt+0x2d1/0xd70
[   40.982598]  __sys_setsockopt+0x1ba/0x3c0
[   40.986732]  __x64_sys_setsockopt+0xbe/0x150
[   40.991121]  do_syscall_64+0x1b9/0x820
[   40.994992]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   41.000157] 
[   41.001808] Freed by task 6104:
[   41.005064]  save_stack+0x43/0xd0
[   41.008520]  __kasan_slab_free+0x102/0x150
[   41.012735]  kasan_slab_free+0xe/0x10
[   41.016599]  kfree+0xcf/0x230
[   41.019690]  tipc_group_delete+0x2e4/0x3f0
[   41.023921]  tipc_sk_leave+0x113/0x220
[   41.027806]  tipc_setsockopt+0x97d/0xd70
[   41.031874]  __sys_setsockopt+0x1ba/0x3c0
[   41.036016]  __x64_sys_setsockopt+0xbe/0x150
[   41.040409]  do_syscall_64+0x1b9/0x820
[   41.044276]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   41.049440] 
[   41.051060] The buggy address belongs to the object at ffff8881d882d700
[   41.051060]  which belongs to the cache kmalloc-192 of size 192
[   41.063703] The buggy address is located 116 bytes inside of
[   41.063703]  192-byte region [ffff8881d882d700, ffff8881d882d7c0)
[   41.075555] The buggy address belongs to the page:
[   41.080478] page:ffffea0007620b40 count:1 mapcount:0 mapping:ffff8881da800040 index:0xffff8881d882df00
[   41.089896] flags: 0x2fffc0000000200(slab)
[   41.094114] raw: 02fffc0000000200 ffffea0007620e48 ffffea0007621388 ffff8881da800040
[   41.101979] raw: ffff8881d882df00 ffff8881d882d000 0000000100000009 0000000000000000
[   41.109834] page dumped because: kasan: bad access detected
[   41.115520] 
[   41.117124] Memory state around the buggy address:
[   41.122028]  ffff8881d882d600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   41.129369]  ffff8881d882d680: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   41.136708] >ffff8881d882d700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   41.144043]                                                              ^
[   41.151038]  ffff8881d882d780: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   41.158394]  ffff8881d882d800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   41.165763] ==================================================================
[   41.173110] Disabling lock debugging due to kernel taint
[   41.178912] Kernel panic - not syncing: panic_on_warn set ...
[   41.184815] CPU: 0 PID: 6103 Comm: syz-executor113 Tainted: G    B             4.20.0-rc6-next-20181213+ #170
[   41.194846] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   41.204175] Call Trace:
[   41.206749]  dump_stack+0x244/0x39d
[   41.210397]  ? dump_stack_print_info.cold.1+0x20/0x20
[   41.215592]  ? tipc_group_bc_cong+0x250/0x3f0
[   41.220087]  panic+0x2ad/0x632
[   41.223286]  ? add_taint.cold.5+0x16/0x16
[   41.227435]  ? preempt_schedule+0x4d/0x60
[   41.231570]  ? ___preempt_schedule+0x16/0x18
[   41.235960]  ? trace_hardirqs_on+0xb4/0x310
[   41.240273]  ? tipc_group_bc_cong+0x327/0x3f0
[   41.244752]  end_report+0x47/0x4f
[   41.248188]  kasan_report.cold.5+0xe/0x39
[   41.252317]  ? tipc_group_bc_cong+0x327/0x3f0
[   41.256796]  ? tipc_group_bc_cong+0x327/0x3f0
[   41.261278]  __asan_report_load2_noabort+0x14/0x20
[   41.266187]  tipc_group_bc_cong+0x327/0x3f0
[   41.270488]  ? _raw_spin_unlock_irqrestore+0x6d/0xd0
[   41.275584]  ? tipc_group_cong+0x5d0/0x5d0
[   41.279815]  ? remove_wait_queue+0x1a6/0x360
[   41.284201]  ? add_wait_queue+0x2b0/0x2b0
[   41.288342]  ? __local_bh_enable_ip+0x160/0x260
[   41.293002]  tipc_send_group_bcast+0x50a/0xd90
[   41.297571]  ? tipc_sk_sock_err.isra.60+0x2f0/0x2f0
[   41.302577]  ? __init_waitqueue_head+0x150/0x150
[   41.307314]  ? refill_pi_state_cache.part.7+0x310/0x310
[   41.312663]  ? mark_held_locks+0x130/0x130
[   41.316884]  ? futex_wait_setup+0x266/0x3e0
[   41.321185]  ? handle_futex_death+0x230/0x230
[   41.325658]  ? print_usage_bug+0xc0/0xc0
[   41.329700]  ? __sanitizer_cov_trace_switch+0x53/0x90
[   41.334888]  __tipc_sendmsg+0xeec/0x1d40
[   41.338931]  ? futex_wait+0x5ec/0xa50
[   41.342718]  ? tipc_sendmcast+0xf50/0xf50
[   41.346847]  ? __sanitizer_cov_trace_switch+0x53/0x90
[   41.352056]  ? graph_lock+0x270/0x270
[   41.355850]  ? print_usage_bug+0xc0/0xc0
[   41.359899]  ? find_held_lock+0x36/0x1c0
[   41.363943]  ? mark_held_locks+0xc7/0x130
[   41.368072]  ? __local_bh_enable_ip+0x160/0x260
[   41.372721]  ? __local_bh_enable_ip+0x160/0x260
[   41.377374]  ? lockdep_hardirqs_on+0x3bb/0x5b0
[   41.381945]  ? trace_hardirqs_on+0xbd/0x310
[   41.386275]  ? lock_release+0xa00/0xa00
[   41.390238]  ? lock_sock_nested+0xe2/0x120
[   41.394489]  ? trace_hardirqs_off_caller+0x310/0x310
[   41.399609]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   41.405156]  ? check_preemption_disabled+0x48/0x280
[   41.410160]  ? lock_sock_nested+0x9a/0x120
[   41.414378]  ? lock_sock_nested+0x9a/0x120
[   41.418605]  ? __local_bh_enable_ip+0x160/0x260
[   41.423277]  tipc_sendmsg+0x50/0x70
[   41.426896]  ? __tipc_sendmsg+0x1d40/0x1d40
[   41.431197]  sock_sendmsg+0xd5/0x120
[   41.434908]  ___sys_sendmsg+0x7fd/0x930
[   41.438880]  ? find_held_lock+0x36/0x1c0
[   41.442921]  ? copy_msghdr_from_user+0x580/0x580
[   41.447665]  ? __fd_install+0x2b5/0x8f0
[   41.451666]  ? check_preemption_disabled+0x48/0x280
[   41.456667]  ? __fget_light+0x2e9/0x430
[   41.460656]  ? fget_raw+0x20/0x20
[   41.464096]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   41.469615]  ? __fd_install+0x2f9/0x8f0
[   41.473571]  ? get_unused_fd_flags+0x1a0/0x1a0
[   41.478138]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   41.483658]  ? sockfd_lookup_light+0xc5/0x160
[   41.488134]  __sys_sendmsg+0x11d/0x280
[   41.492001]  ? __ia32_sys_shutdown+0x80/0x80
[   41.496396]  ? __x64_sys_futex+0x476/0x690
[   41.500611]  ? do_syscall_64+0x9a/0x820
[   41.504566]  ? do_syscall_64+0x9a/0x820
[   41.508532]  ? trace_hardirqs_off_caller+0x310/0x310
[   41.513618]  __x64_sys_sendmsg+0x78/0xb0
[   41.517675]  do_syscall_64+0x1b9/0x820
[   41.521590]  ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[   41.526949]  ? syscall_return_slowpath+0x5e0/0x5e0
[   41.531874]  ? trace_hardirqs_on_caller+0x310/0x310
[   41.536867]  ? prepare_exit_to_usermode+0x3b0/0x3b0
[   41.541875]  ? post_copy_siginfo_from_user.isra.25.part.26+0x250/0x250
[   41.548567]  ? __switch_to_asm+0x40/0x70
[   41.552702]  ? __switch_to_asm+0x34/0x70
[   41.556744]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   41.561601]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   41.566771] RIP: 0033:0x446389
[   41.569942] Code: e8 2c b3 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 2b 09 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[   41.588820] RSP: 002b:00007faaade0fdb8 EFLAGS: 00000297 ORIG_RAX: 000000000000002e
[   41.596524] RAX: ffffffffffffffda RBX: 00000000006dac38 RCX: 0000000000446389
[   41.603785] RDX: 0000000000000000 RSI: 00000000200001c0 RDI: 0000000000000005
[   41.611031] RBP: 00000000006dac30 R08: 0000000000000000 R09: 0000000000000000
[   41.618281] R10: 0000000000000000 R11: 0000000000000297 R12: 00000000006dac3c
[   41.625530] R13: 00007ffca0f14eef R14: 00007faaade109c0 R15: 00000000006dad2c
[   41.633725] Kernel Offset: disabled
[   41.637344] Rebooting in 86400 seconds..