[   35.661045][   T26] audit: type=1800 audit(1552356372.588:27): pid=7390 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0
[   35.681631][   T26] audit: type=1800 audit(1552356372.598:28): pid=7390 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="ssh" dev="sda1" ino=2417 res=0
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[   36.499248][   T26] audit: type=1800 audit(1552356373.518:29): pid=7390 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="rc.local" dev="sda1" ino=2432 res=0
[   36.525472][   T26] audit: type=1800 audit(1552356373.518:30): pid=7390 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="rmnologin" dev="sda1" ino=2423 res=0

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.104' (ECDSA) to the list of known hosts.
executing program
executing program
executing program
executing program
executing program
executing program

syzkaller login: 
[   54.197584][ T7552] device ifb0 entered promiscuous mode
[   54.215701][ T7561] device ifb0 left promiscuous mode
executing program
[   54.362525][ T7562] device ifb0 entered promiscuous mode
[   54.372955][ T7558] device ifb0 left promiscuous mode
executing program
executing program
executing program
executing program
executing program
[   54.557284][ T7582] device ifb0 entered promiscuous mode
[   54.570139][ T7583] device ifb0 left promiscuous mode
executing program
[   54.671684][ T7594] device ifb0 entered promiscuous mode
[   54.724938][ T7599] device ifb0 left promiscuous mode
executing program
executing program
executing program
executing program
executing program
[   54.793713][ T7607] device ifb0 entered promiscuous mode
[   54.849431][ T7608] device ifb0 left promiscuous mode
[   54.908930][ T7608] ==================================================================
[   54.917281][ T7608] BUG: KASAN: use-after-free in x25_device_event+0x296/0x2b0
[   54.924660][ T7608] Read of size 8 at addr ffff88809f8c5bd0 by task syz-executor410/7608
[   54.932887][ T7608] 
[   54.935220][ T7608] CPU: 1 PID: 7608 Comm: syz-executor410 Not tainted 5.0.0-next-20190306 #4
[   54.943880][ T7608] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   54.953990][ T7608] Call Trace:
[   54.957344][ T7608]  dump_stack+0x172/0x1f0
[   54.961688][ T7608]  ? x25_device_event+0x296/0x2b0
[   54.966721][ T7608]  print_address_description.cold+0x7c/0x20d
[   54.972706][ T7608]  ? x25_device_event+0x296/0x2b0
[   54.977899][ T7608]  ? x25_device_event+0x296/0x2b0
[   54.982941][ T7608]  kasan_report.cold+0x1b/0x40
[   54.987703][ T7608]  ? x25_device_event+0x296/0x2b0
[   54.992717][ T7608]  __asan_report_load8_noabort+0x14/0x20
[   54.998340][ T7608]  x25_device_event+0x296/0x2b0
[   55.003187][ T7608]  notifier_call_chain+0xc7/0x240
[   55.008203][ T7608]  raw_notifier_call_chain+0x2e/0x40
[   55.013475][ T7608]  call_netdevice_notifiers_info+0x3f/0x90
[   55.019266][ T7608]  __dev_notify_flags+0x1e9/0x2c0
[   55.024275][ T7608]  ? dev_change_name+0xa00/0xa00
[   55.029196][ T7608]  ? __dev_change_flags+0x513/0x6e0
[   55.034394][ T7608]  ? dev_set_allmulti+0x30/0x30
[   55.039268][ T7608]  ? mutex_trylock+0x1e0/0x1e0
[   55.044025][ T7608]  ? find_held_lock+0x35/0x130
[   55.048799][ T7608]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   55.055044][ T7608]  dev_change_flags+0x10d/0x170
[   55.059905][ T7608]  dev_ifsioc+0x5bf/0x990
[   55.064240][ T7608]  ? register_gifconf+0x70/0x70
[   55.069087][ T7608]  dev_ioctl+0x1b8/0xc90
[   55.073425][ T7608]  sock_do_ioctl+0x1bd/0x300
[   55.078098][ T7608]  ? compat_ifr_data_ioctl+0x160/0x160
[   55.083551][ T7608]  ? tomoyo_domain+0xc5/0x160
[   55.088232][ T7608]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   55.094470][ T7608]  ? tomoyo_path_number_perm+0x263/0x520
[   55.100089][ T7608]  sock_ioctl+0x32b/0x610
[   55.104403][ T7608]  ? dlci_ioctl_set+0x40/0x40
[   55.109133][ T7608]  ? __fget+0x35a/0x550
[   55.113287][ T7608]  ? dlci_ioctl_set+0x40/0x40
[   55.117948][ T7608]  do_vfs_ioctl+0xd6e/0x1390
[   55.122538][ T7608]  ? ioctl_preallocate+0x210/0x210
[   55.127630][ T7608]  ? __fget+0x381/0x550
[   55.131793][ T7608]  ? ksys_dup3+0x3e0/0x3e0
[   55.136195][ T7608]  ? tomoyo_file_ioctl+0x23/0x30
[   55.141129][ T7608]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   55.147389][ T7608]  ? security_file_ioctl+0x93/0xc0
[   55.152487][ T7608]  ksys_ioctl+0xab/0xd0
[   55.156630][ T7608]  __x64_sys_ioctl+0x73/0xb0
[   55.161206][ T7608]  do_syscall_64+0x103/0x610
[   55.165846][ T7608]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   55.171719][ T7608] RIP: 0033:0x4467c9
[   55.175602][ T7608] Code: e8 0c e8 ff ff 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 5b 07 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[   55.195189][ T7608] RSP: 002b:00007f148f5add98 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[   55.203596][ T7608] RAX: ffffffffffffffda RBX: 00000000006dbc58 RCX: 00000000004467c9
[   55.212296][ T7608] RDX: 0000000020000340 RSI: 0000000000008914 RDI: 0000000000000003
[   55.220252][ T7608] RBP: 00000000006dbc50 R08: 00007f148f5ae700 R09: 0000000000000000
[   55.228205][ T7608] R10: 00007f148f5ae700 R11: 0000000000000246 R12: 00000000006dbc5c
[   55.236163][ T7608] R13: 6000030030626669 R14: 0000000000000000 R15: 0000000030626669
[   55.244125][ T7608] 
[   55.246440][ T7608] Allocated by task 7594:
[   55.250765][ T7608]  save_stack+0x45/0xd0
[   55.254905][ T7608]  __kasan_kmalloc.constprop.0+0xcf/0xe0
[   55.260995][ T7608]  kasan_kmalloc+0x9/0x10
[   55.265308][ T7608]  kmem_cache_alloc_trace+0x151/0x760
[   55.270664][ T7608]  x25_link_device_up+0x46/0x3f0
[   55.275589][ T7608]  x25_device_event+0x116/0x2b0
[   55.280425][ T7608]  notifier_call_chain+0xc7/0x240
[   55.285461][ T7608]  raw_notifier_call_chain+0x2e/0x40
[   55.290743][ T7608]  call_netdevice_notifiers_info+0x3f/0x90
[   55.296537][ T7608]  __dev_notify_flags+0x121/0x2c0
[   55.301547][ T7608]  dev_change_flags+0x10d/0x170
[   55.306380][ T7608]  dev_ifsioc+0x5bf/0x990
[   55.310696][ T7608]  dev_ioctl+0x1b8/0xc90
[   55.314920][ T7608]  sock_do_ioctl+0x1bd/0x300
[   55.319583][ T7608]  sock_ioctl+0x32b/0x610
[   55.323899][ T7608]  do_vfs_ioctl+0xd6e/0x1390
[   55.328494][ T7608]  ksys_ioctl+0xab/0xd0
[   55.332632][ T7608]  __x64_sys_ioctl+0x73/0xb0
[   55.337206][ T7608]  do_syscall_64+0x103/0x610
[   55.341802][ T7608]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   55.347722][ T7608] 
[   55.350033][ T7608] Freed by task 7599:
[   55.354000][ T7608]  save_stack+0x45/0xd0
[   55.358140][ T7608]  __kasan_slab_free+0x102/0x150
[   55.363088][ T7608]  kasan_slab_free+0xe/0x10
[   55.367589][ T7608]  kfree+0xcf/0x230
[   55.371381][ T7608]  __x25_remove_neigh+0x187/0x1f0
[   55.376387][ T7608]  x25_link_device_down+0xc7/0x130
[   55.381500][ T7608]  x25_device_event+0x261/0x2b0
[   55.386335][ T7608]  notifier_call_chain+0xc7/0x240
[   55.391346][ T7608]  raw_notifier_call_chain+0x2e/0x40
[   55.396614][ T7608]  call_netdevice_notifiers_info+0x3f/0x90
[   55.402407][ T7608]  __dev_notify_flags+0x1e9/0x2c0
[   55.407410][ T7608]  dev_change_flags+0x10d/0x170
[   55.412247][ T7608]  dev_ifsioc+0x5bf/0x990
[   55.416570][ T7608]  dev_ioctl+0x1b8/0xc90
[   55.420795][ T7608]  sock_do_ioctl+0x1bd/0x300
[   55.425371][ T7608]  sock_ioctl+0x32b/0x610
[   55.429699][ T7608]  do_vfs_ioctl+0xd6e/0x1390
[   55.434271][ T7608]  ksys_ioctl+0xab/0xd0
[   55.438414][ T7608]  __x64_sys_ioctl+0x73/0xb0
[   55.442988][ T7608]  do_syscall_64+0x103/0x610
[   55.447560][ T7608]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   55.453426][ T7608] 
[   55.455742][ T7608] The buggy address belongs to the object at ffff88809f8c5bc0
[   55.455742][ T7608]  which belongs to the cache kmalloc-256 of size 256
[   55.470162][ T7608] The buggy address is located 16 bytes inside of
[   55.470162][ T7608]  256-byte region [ffff88809f8c5bc0, ffff88809f8c5cc0)
[   55.483411][ T7608] The buggy address belongs to the page:
[   55.489045][ T7608] page:ffffea00027e3140 count:1 mapcount:0 mapping:ffff88812c3f07c0 index:0x0
[   55.497886][ T7608] flags: 0x1fffc0000000200(slab)
[   55.502822][ T7608] raw: 01fffc0000000200 ffffea00027e8fc8 ffff88812c3f1648 ffff88812c3f07c0
[   55.511402][ T7608] raw: 0000000000000000 ffff88809f8c5080 000000010000000c 0000000000000000
[   55.519970][ T7608] page dumped because: kasan: bad access detected
[   55.526446][ T7608] 
[   55.528759][ T7608] Memory state around the buggy address:
[   55.534386][ T7608]  ffff88809f8c5a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   55.542431][ T7608]  ffff88809f8c5b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   55.550487][ T7608] >ffff88809f8c5b80: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[   55.558531][ T7608]                                       ^
[   55.565186][ T7608]  ffff88809f8c5c00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   55.573228][ T7608]  ffff88809f8c5c80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   55.581277][ T7608] ==================================================================
[   55.589315][ T7608] Disabling lock debugging due to kernel taint
[   55.595627][ T7608] Kernel panic - not syncing: panic_on_warn set ...
[   55.602216][ T7608] CPU: 1 PID: 7608 Comm: syz-executor410 Tainted: G    B             5.0.0-next-20190306 #4
[   55.612275][ T7608] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   55.622319][ T7608] Call Trace:
[   55.625597][ T7608]  dump_stack+0x172/0x1f0
[   55.629933][ T7608]  panic+0x2cb/0x65c
[   55.633811][ T7608]  ? __warn_printk+0xf3/0xf3
[   55.638382][ T7608]  ? retint_kernel+0x2d/0x2d
[   55.642969][ T7608]  ? trace_hardirqs_on+0x5e/0x230
[   55.647979][ T7608]  ? x25_device_event+0x296/0x2b0
[   55.652983][ T7608]  end_report+0x47/0x4f
[   55.657121][ T7608]  ? x25_device_event+0x296/0x2b0
[   55.662127][ T7608]  kasan_report.cold+0xe/0x40
[   55.666787][ T7608]  ? x25_device_event+0x296/0x2b0
[   55.671792][ T7608]  __asan_report_load8_noabort+0x14/0x20
[   55.677404][ T7608]  x25_device_event+0x296/0x2b0
[   55.682242][ T7608]  notifier_call_chain+0xc7/0x240
[   55.687267][ T7608]  raw_notifier_call_chain+0x2e/0x40
[   55.692541][ T7608]  call_netdevice_notifiers_info+0x3f/0x90
[   55.698335][ T7608]  __dev_notify_flags+0x1e9/0x2c0
[   55.703438][ T7608]  ? dev_change_name+0xa00/0xa00
[   55.708355][ T7608]  ? __dev_change_flags+0x513/0x6e0
[   55.713534][ T7608]  ? dev_set_allmulti+0x30/0x30
[   55.718370][ T7608]  ? mutex_trylock+0x1e0/0x1e0
[   55.723132][ T7608]  ? find_held_lock+0x35/0x130
[   55.727875][ T7608]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   55.734109][ T7608]  dev_change_flags+0x10d/0x170
[   55.738975][ T7608]  dev_ifsioc+0x5bf/0x990
[   55.743287][ T7608]  ? register_gifconf+0x70/0x70
[   55.748118][ T7608]  dev_ioctl+0x1b8/0xc90
[   55.752345][ T7608]  sock_do_ioctl+0x1bd/0x300
[   55.756936][ T7608]  ? compat_ifr_data_ioctl+0x160/0x160
[   55.762383][ T7608]  ? tomoyo_domain+0xc5/0x160
[   55.767566][ T7608]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   55.773787][ T7608]  ? tomoyo_path_number_perm+0x263/0x520
[   55.779423][ T7608]  sock_ioctl+0x32b/0x610
[   55.783737][ T7608]  ? dlci_ioctl_set+0x40/0x40
[   55.788406][ T7608]  ? __fget+0x35a/0x550
[   55.792806][ T7608]  ? dlci_ioctl_set+0x40/0x40
[   55.797465][ T7608]  do_vfs_ioctl+0xd6e/0x1390
[   55.802035][ T7608]  ? ioctl_preallocate+0x210/0x210
[   55.807125][ T7608]  ? __fget+0x381/0x550
[   55.811262][ T7608]  ? ksys_dup3+0x3e0/0x3e0
[   55.815661][ T7608]  ? tomoyo_file_ioctl+0x23/0x30
[   55.820593][ T7608]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   55.826920][ T7608]  ? security_file_ioctl+0x93/0xc0
[   55.832019][ T7608]  ksys_ioctl+0xab/0xd0
[   55.836158][ T7608]  __x64_sys_ioctl+0x73/0xb0
[   55.840816][ T7608]  do_syscall_64+0x103/0x610
[   55.845388][ T7608]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   55.851260][ T7608] RIP: 0033:0x4467c9
[   55.855146][ T7608] Code: e8 0c e8 ff ff 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 5b 07 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[   55.874751][ T7608] RSP: 002b:00007f148f5add98 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[   55.883154][ T7608] RAX: ffffffffffffffda RBX: 00000000006dbc58 RCX: 00000000004467c9
[   55.891121][ T7608] RDX: 0000000020000340 RSI: 0000000000008914 RDI: 0000000000000003
[   55.899073][ T7608] RBP: 00000000006dbc50 R08: 00007f148f5ae700 R09: 0000000000000000
[   55.907021][ T7608] R10: 00007f148f5ae700 R11: 0000000000000246 R12: 00000000006dbc5c
[   55.914980][ T7608] R13: 6000030030626669 R14: 0000000000000000 R15: 0000000030626669
[   55.924070][ T7608] Kernel Offset: disabled
[   55.928555][ T7608] Rebooting in 86400 seconds..
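Triage of the report above, as a worked example added by the editor (this is not code from syzkaller, syzbot or the kernel tree). What the log by itself establishes: the object is a 256-byte kmalloc-256 allocation made in x25_link_device_up (the NETDEV_UP branch of x25_device_event) by task 7594; it was freed in __x25_remove_neigh via x25_link_device_down (the NETDEV_DOWN branch of the same notifier) by task 7599; and a third task, 7608, then read 8 bytes at offset 16 of the freed region, again from x25_device_event. All three stacks enter through dev_ifsioc/dev_change_flags, i.e. an interface-flags ioctl: ORIG_RAX 0x10 is the ioctl syscall number on x86_64 and RSI 0x8914 is SIOCSIFFLAGS, while R13/R15 hold the ASCII bytes of "ifb0", the device the promiscuous-mode messages name. Three different tasks touching one object through the same up/down notifier is the signature of a race between concurrent flag changes, not of a bug reachable from a single thread. The script below extracts those facts from the raw text mechanically: it strips the printk prefixes, separates the access, allocation and free stacks, skips the allocator and KASAN wrapper frames to find the real allocation and free sites, computes the offset of the access inside the object, reads the shadow byte back from the dumped memory-state rows and checks that it is 0xfb (freed slab memory), and decodes the syscall registers. SAMPLE is a trimmed copy of the report above; the function names, regular expressions and summary keys are this example's own, and the shadow encodings and the SIOCSIFFLAGS value are the upstream constants for a v5.0-era generic-KASAN x86_64 kernel.

```python
# KASAN report triage: an example added by the editor, not code from syzkaller,
# syzbot or the kernel.  SAMPLE is copied from this page (most Call Trace frames
# dropped); the helper names and the summary layout are this example's own.
import re

SAMPLE = """\
[   54.917281][ T7608] BUG: KASAN: use-after-free in x25_device_event+0x296/0x2b0
[   54.924660][ T7608] Read of size 8 at addr ffff88809f8c5bd0 by task syz-executor410/7608
[   55.195189][ T7608] RSP: 002b:00007f148f5add98 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[   55.212296][ T7608] RDX: 0000000020000340 RSI: 0000000000008914 RDI: 0000000000000003
[   55.246440][ T7608] Allocated by task 7594:
[   55.250765][ T7608]  save_stack+0x45/0xd0
[   55.254905][ T7608]  __kasan_kmalloc.constprop.0+0xcf/0xe0
[   55.265308][ T7608]  kmem_cache_alloc_trace+0x151/0x760
[   55.270664][ T7608]  x25_link_device_up+0x46/0x3f0
[   55.275589][ T7608]  x25_device_event+0x116/0x2b0
[   55.347722][ T7608]
[   55.350033][ T7608] Freed by task 7599:
[   55.354000][ T7608]  save_stack+0x45/0xd0
[   55.358140][ T7608]  __kasan_slab_free+0x102/0x150
[   55.367589][ T7608]  kfree+0xcf/0x230
[   55.371381][ T7608]  __x25_remove_neigh+0x187/0x1f0
[   55.376387][ T7608]  x25_link_device_down+0xc7/0x130
[   55.453426][ T7608]
[   55.455742][ T7608] The buggy address belongs to the object at ffff88809f8c5bc0
[   55.455742][ T7608]  which belongs to the cache kmalloc-256 of size 256
[   55.542431][ T7608]  ffff88809f8c5b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   55.550487][ T7608] >ffff88809f8c5b80: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
"""

# Generic-KASAN shadow encodings (mm/kasan/kasan.h, v5.0): one shadow byte per 8 bytes.
SHADOW_MEANING = {0x00: "addressable", 0xFB: "freed slab object (KASAN_KMALLOC_FREE)",
                  0xFC: "slab redzone (KASAN_KMALLOC_REDZONE)"}
IOCTL_NAMES = {0x8914: "SIOCSIFFLAGS"}             # only the request seen in this report
# Allocator/sanitizer frames that top every alloc and free stack; skip past them.
_WRAPPER = re.compile(r"^(save_stack|__?kasan_|kfree$|kmem_cache_|__?kmalloc)")
_PREFIX = re.compile(r"^\[\s*[\d.]+\]\[\s*T\d+\] ?")   # "[   54.917281][ T7608] "
_FRAME = re.compile(r"^\s*\??\s*([\w.]+)\+0x[0-9a-f]+/")
_SHADOW = re.compile(r"^[ >]([0-9a-f]{16}): ((?:[0-9a-f]{2} ?){16})$")
_REG = re.compile(r"\b((?:ORIG_)?R[A-Z0-9]{2}): ([0-9a-f]{16})\b")

def parse_kasan_report(text):
    """Pull the fields a triager needs out of a raw KASAN report."""
    r = {"pids": {}, "stacks": {"alloc": [], "free": []}, "shadow": {}, "regs": {}}
    section = None
    for raw in text.splitlines():
        line = _PREFIX.sub("", raw).rstrip()
        for m in _REG.finditer(line):
            r["regs"][m[1]] = int(m[2], 16)
        if m := re.match(r"BUG: KASAN: (.+) in ([\w.]+)\+0x", line):
            r["bug"], r["site"] = m[1], m[2]
        elif m := re.match(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task \S+/(\d+)$", line):
            r["access"], r["size"], r["addr"], r["pids"]["fault"] = m[1], int(m[2]), int(m[3], 16), int(m[4])
        elif m := re.match(r"(Allocated|Freed) by task (\d+):", line):
            key = "alloc" if m[1] == "Allocated" else "free"
            r["pids"][key], section = int(m[2]), r["stacks"][key]
        elif m := re.match(r"The buggy address belongs to the object at ([0-9a-f]+)", line):
            r["obj_base"] = int(m[1], 16)
        elif m := re.match(r"\s*which belongs to the cache (\S+) of size (\d+)", line):
            r["cache"], r["obj_size"] = m[1], int(m[2])
        elif m := _SHADOW.match(line):
            r["shadow"][int(m[1], 16)] = [int(b, 16) for b in m[2].split()]
        elif section is not None:                      # inside an alloc/free stack
            if not line:                               # blank line ends the stack
                section = None
            elif m := _FRAME.match(line):
                section.append(m[1])
    return r

def offset_in_object(r):
    return r["addr"] - r["obj_base"]

def shadow_byte(r, addr):
    """Shadow byte covering addr, read back from the 128-byte rows KASAN dumped."""
    row = addr & ~0x7F
    return r["shadow"][row][(addr - row) // 8]

def root_frame(stack):
    """First frame below the allocator wrappers: where the object was really allocated/freed."""
    return next((f for f in stack if not _WRAPPER.match(f)), None)

def summarize(r):
    sb = shadow_byte(r, r["addr"])
    nr = r["regs"].get("ORIG_RAX")                     # 16 == __NR_ioctl on x86_64
    return {
        "bug": f'{r["bug"]} in {r["site"]}',
        "access": f'{r["access"]} {r["size"]} bytes at +{offset_in_object(r)} of a '
                  f'{r["obj_size"]}-byte {r["cache"]} object',
        "allocated_in": root_frame(r["stacks"]["alloc"]),
        "freed_in": root_frame(r["stacks"]["free"]),
        "shadow": SHADOW_MEANING.get(sb, f"unknown 0x{sb:02x}"),
        # A use-after-free whose target shadow is not 0xfb deserves a second look.
        "shadow_consistent": r["bug"] == "use-after-free" and sb == 0xFB,
        # Three distinct PIDs on one object: a race, not a single-thread bug.
        "tasks": sorted(r["pids"].values()),
        "syscall": "ioctl" if nr == 16 else f"nr {nr}",
        "ioctl": IOCTL_NAMES.get(r["regs"].get("RSI"), "unknown") if nr == 16 else None,
    }
```

Running summarize(parse_kasan_report(SAMPLE)) yields allocated_in x25_link_device_up, freed_in __x25_remove_neigh, an 8-byte read at +16 of the 256-byte kmalloc-256 object, a shadow byte of 0xfb that agrees with the use-after-free classification, tasks [7594, 7599, 7608] and an ioctl of SIOCSIFFLAGS. The shadow read-back is the check worth keeping: a report headed "use-after-free" whose target shadow is a redzone or addressable byte usually means the stack KASAN attributed to the free is stale, and the alloc/free pair should be re-derived before anyone reasons about the race. The parser is written against this v5.0 report layout; later kernels add lines (e.g. per-object metadata, tag information on arm64) that this version simply ignores.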