[ ok ] Starting enhanced syslogd: rsyslogd.
[ 51.331727][ T27] audit: type=1800 audit(1579609972.392:25): pid=8591 uid=0 auid=4294967295 ses=4294967295 subj=_ op=collect_data cause=failed(directio) comm="startpar" name="cron" dev="sda1" ino=2414 res=0
[ 51.351076][ T27] audit: type=1800 audit(1579609972.392:26): pid=8591 uid=0 auid=4294967295 ses=4294967295 subj=_ op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0
[ 51.406484][ T27] audit: type=1800 audit(1579609972.392:27): pid=8591 uid=0 auid=4294967295 ses=4294967295 subj=_ op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.50' (ECDSA) to the list of known hosts.
executing program
executing program
executing program
executing program
executing program
executing program
syzkaller login: [ 67.395631][ T8755] netlink: 20 bytes leftover after parsing attributes in process `syz-executor694'.
[ 67.406098][ T8760] netlink: 20 bytes leftover after parsing attributes in process `syz-executor694'.
[ 67.418016][ T8758] netlink: 20 bytes leftover after parsing attributes in process `syz-executor694'.
[ 67.428769][ T8759] netlink: 20 bytes leftover after parsing attributes in process `syz-executor694'.
[ 67.467054][ T8761] netlink: 20 bytes leftover after parsing attributes in process `syz-executor694'.
executing program
executing program
executing program
executing program
executing program
[ 67.566842][ T8762] netlink: 20 bytes leftover after parsing attributes in process `syz-executor694'.
executing program
[ 67.647269][ T8780] netlink: 20 bytes leftover after parsing attributes in process `syz-executor694'.
[ 67.659264][ T8781] netlink: 20 bytes leftover after parsing attributes in process `syz-executor694'.
[ 67.673359][ T8783] netlink: 20 bytes leftover after parsing attributes in process `syz-executor694'.
[ 67.683199][ T8784] netlink: 20 bytes leftover after parsing attributes in process `syz-executor694'.
executing program
executing program
[ 67.898813][ T8782] ==================================================================
[ 67.907007][ T8782] BUG: KASAN: use-after-free in __list_del_entry_valid+0x2f/0x100
[ 67.914794][ T8782] Read of size 8 at addr ffff888097973008 by task syz-executor694/8782
[ 67.923017][ T8782]
[ 67.925330][ T8782] CPU: 1 PID: 8782 Comm: syz-executor694 Not tainted 5.5.0-rc7-syzkaller #0
[ 67.933982][ T8782] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 67.944058][ T8782] Call Trace:
[ 67.947342][ T8782]  dump_stack+0x1fb/0x318
[ 67.951682][ T8782]  print_address_description+0x74/0x5c0
[ 67.957225][ T8782]  ? vprintk_default+0x28/0x30
[ 67.961966][ T8782]  ? vprintk_func+0x158/0x170
[ 67.966619][ T8782]  ? printk+0x62/0x8d
[ 67.970597][ T8782]  __kasan_report+0x149/0x1c0
[ 67.975256][ T8782]  ? do_raw_spin_unlock+0x100/0x950
[ 67.980448][ T8782]  ? __list_del_entry_valid+0x2f/0x100
[ 67.985896][ T8782]  kasan_report+0x26/0x50
[ 67.990206][ T8782]  __asan_report_load8_noabort+0x14/0x20
[ 67.995814][ T8782]  __list_del_entry_valid+0x2f/0x100
[ 68.001087][ T8782]  __nf_tables_abort+0x16d2/0x2e80
[ 68.006223][ T8782]  ? kfree+0x14c/0x220
[ 68.010274][ T8782]  ? nfnetlink_rcv+0x19a1/0x1e50
[ 68.015190][ T8782]  nf_tables_abort+0x15/0x30
[ 68.019757][ T8782]  nfnetlink_rcv+0x1a88/0x1e50
[ 68.024542][ T8782]  ? rcu_lock_release+0x21/0x30
[ 68.029383][ T8782]  ? netlink_deliver_tap+0x142/0x880
[ 68.034650][ T8782]  netlink_unicast+0x767/0x920
[ 68.039410][ T8782]  netlink_sendmsg+0xa2c/0xd50
[ 68.044154][ T8782]  ? netlink_getsockopt+0x9f0/0x9f0
[ 68.049327][ T8782]  ____sys_sendmsg+0x4f7/0x7f0
[ 68.054072][ T8782]  __sys_sendmsg+0x1ed/0x290
[ 68.058650][ T8782]  ? up_read+0x1d/0x20
[ 68.062709][ T8782]  ? do_user_addr_fault+0x654/0xaf0
[ 68.067893][ T8782]  ? check_preemption_disabled+0xb4/0x260
[ 68.073608][ T8782]  ? debug_smp_processor_id+0x9/0x20
[ 68.078870][ T8782]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 68.084309][ T8782]  ? trace_irq_disable_rcuidle+0x23/0x1e0
[ 68.090027][ T8782]  ? do_syscall_64+0x1d/0x1c0
[ 68.094692][ T8782]  __x64_sys_sendmsg+0x7f/0x90
[ 68.099442][ T8782]  do_syscall_64+0xf7/0x1c0
[ 68.103963][ T8782]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 68.109830][ T8782] RIP: 0033:0x4470c9
[ 68.113710][ T8782] Code: e8 dc e6 ff ff 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 2b 06 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 68.133302][ T8782] RSP: 002b:00007ffb4f1fad98 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 68.141697][ T8782] RAX: ffffffffffffffda RBX: 00000000006dcc28 RCX: 00000000004470c9
[ 68.149676][ T8782] RDX: 0000000000000000 RSI: 0000000020000280 RDI: 0000000000000003
[ 68.157628][ T8782] RBP: 00000000006dcc20 R08: 0000000000000000 R09: 0000000000000000
[ 68.165582][ T8782] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dcc2c
[ 68.173565][ T8782] R13: 00000000200002c0 R14: 00000000004af6c8 R15: 0000000000000000
[ 68.181531][ T8782]
[ 68.183836][ T8782] Allocated by task 8782:
[ 68.188147][ T8782]  __kasan_kmalloc+0x118/0x1c0
[ 68.192885][ T8782]  kasan_kmalloc+0x9/0x10
[ 68.197190][ T8782]  kmem_cache_alloc_trace+0x221/0x2f0
[ 68.202553][ T8782]  nf_tables_newtable+0x350/0x1b10
[ 68.207662][ T8782]  nfnetlink_rcv+0xecf/0x1e50
[ 68.212318][ T8782]  netlink_unicast+0x767/0x920
[ 68.217066][ T8782]  netlink_sendmsg+0xa2c/0xd50
[ 68.221820][ T8782]  ____sys_sendmsg+0x4f7/0x7f0
[ 68.226566][ T8782]  __sys_sendmsg+0x1ed/0x290
[ 68.231132][ T8782]  __x64_sys_sendmsg+0x7f/0x90
[ 68.235949][ T8782]  do_syscall_64+0xf7/0x1c0
[ 68.240430][ T8782]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 68.246308][ T8782]
[ 68.248622][ T8782] Freed by task 2679:
[ 68.252593][ T8782]  __kasan_slab_free+0x12e/0x1e0
[ 68.257614][ T8782]  kasan_slab_free+0xe/0x10
[ 68.262127][ T8782]  kfree+0x10d/0x220
[ 68.266017][ T8782]  nf_tables_trans_destroy_work+0x9b8/0xbb0
[ 68.271893][ T8782]  process_one_work+0x7f5/0x10d0
[ 68.276820][ T8782]  worker_thread+0xbbc/0x1630
[ 68.281481][ T8782]  kthread+0x332/0x350
[ 68.285527][ T8782]  ret_from_fork+0x24/0x30
[ 68.289922][ T8782]
[ 68.292253][ T8782] The buggy address belongs to the object at ffff888097973000
[ 68.292253][ T8782]  which belongs to the cache kmalloc-512 of size 512
[ 68.306300][ T8782] The buggy address is located 8 bytes inside of
[ 68.306300][ T8782]  512-byte region [ffff888097973000, ffff888097973200)
[ 68.319392][ T8782] The buggy address belongs to the page:
[ 68.325029][ T8782] page:ffffea00025e5cc0 refcount:1 mapcount:0 mapping:ffff8880aa800a80 index:0x0
[ 68.336122][ T8782] raw: 00fffe0000000200 ffffea0002a53ac8 ffffea0002806848 ffff8880aa800a80
[ 68.344686][ T8782] raw: 0000000000000000 ffff888097973000 0000000100000004 0000000000000000
[ 68.353250][ T8782] page dumped because: kasan: bad access detected
[ 68.359637][ T8782]
[ 68.361941][ T8782] Memory state around the buggy address:
[ 68.367550][ T8782]  ffff888097972f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 68.375604][ T8782]  ffff888097972f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 68.383652][ T8782] >ffff888097973000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 68.391697][ T8782]                    ^
[ 68.396007][ T8782]  ffff888097973080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 68.404045][ T8782]  ffff888097973100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 68.412078][ T8782] ==================================================================
[ 68.420111][ T8782] Disabling lock debugging due to kernel taint
[ 68.426822][ T8782] Kernel panic - not syncing: panic_on_warn set ...
[ 68.433407][ T8782] CPU: 1 PID: 8782 Comm: syz-executor694 Tainted: G    B   5.5.0-rc7-syzkaller #0
[ 68.443450][ T8782] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 68.453477][ T8782] Call Trace:
[ 68.456760][ T8782]  dump_stack+0x1fb/0x318
[ 68.461088][ T8782]  panic+0x264/0x7a9
[ 68.464965][ T8782]  ? __kasan_report+0x193/0x1c0
[ 68.469802][ T8782]  ? trace_hardirqs_on+0x34/0x80
[ 68.474728][ T8782]  ? __kasan_report+0x193/0x1c0
[ 68.479555][ T8782]  __kasan_report+0x1b9/0x1c0
[ 68.484208][ T8782]  ? do_raw_spin_unlock+0x100/0x950
[ 68.489384][ T8782]  ? __list_del_entry_valid+0x2f/0x100
[ 68.494840][ T8782]  kasan_report+0x26/0x50
[ 68.499145][ T8782]  __asan_report_load8_noabort+0x14/0x20
[ 68.504752][ T8782]  __list_del_entry_valid+0x2f/0x100
[ 68.510104][ T8782]  __nf_tables_abort+0x16d2/0x2e80
[ 68.515195][ T8782]  ? kfree+0x14c/0x220
[ 68.519237][ T8782]  ? nfnetlink_rcv+0x19a1/0x1e50
[ 68.524157][ T8782]  nf_tables_abort+0x15/0x30
[ 68.528719][ T8782]  nfnetlink_rcv+0x1a88/0x1e50
[ 68.533472][ T8782]  ? rcu_lock_release+0x21/0x30
[ 68.538295][ T8782]  ? netlink_deliver_tap+0x142/0x880
[ 68.543558][ T8782]  netlink_unicast+0x767/0x920
[ 68.548299][ T8782]  netlink_sendmsg+0xa2c/0xd50
[ 68.553039][ T8782]  ? netlink_getsockopt+0x9f0/0x9f0
[ 68.558216][ T8782]  ____sys_sendmsg+0x4f7/0x7f0
[ 68.562967][ T8782]  __sys_sendmsg+0x1ed/0x290
[ 68.567535][ T8782]  ? up_read+0x1d/0x20
[ 68.571577][ T8782]  ? do_user_addr_fault+0x654/0xaf0
[ 68.576751][ T8782]  ? check_preemption_disabled+0xb4/0x260
[ 68.582452][ T8782]  ? debug_smp_processor_id+0x9/0x20
[ 68.587711][ T8782]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 68.593155][ T8782]  ? trace_irq_disable_rcuidle+0x23/0x1e0
[ 68.598849][ T8782]  ? do_syscall_64+0x1d/0x1c0
[ 68.603500][ T8782]  __x64_sys_sendmsg+0x7f/0x90
[ 68.608241][ T8782]  do_syscall_64+0xf7/0x1c0
[ 68.612732][ T8782]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 68.618596][ T8782] RIP: 0033:0x4470c9
[ 68.622479][ T8782] Code: e8 dc e6 ff ff 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 2b 06 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 68.642063][ T8782] RSP: 002b:00007ffb4f1fad98 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 68.650451][ T8782] RAX: ffffffffffffffda RBX: 00000000006dcc28 RCX: 00000000004470c9
[ 68.658400][ T8782] RDX: 0000000000000000 RSI: 0000000020000280 RDI: 0000000000000003
[ 68.666347][ T8782] RBP: 00000000006dcc20 R08: 0000000000000000 R09: 0000000000000000
[ 68.674306][ T8782] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dcc2c
[ 68.682254][ T8782] R13: 00000000200002c0 R14: 00000000004af6c8 R15: 0000000000000000
[ 68.691464][ T8782] Kernel Offset: disabled
[ 68.695778][ T8782] Rebooting in 86400 seconds..