[ 75.939270][ T27] audit: type=1800 audit(1564567557.095:29): pid=10747 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op=collect_data cause=failed(directio) comm="startpar" name="cron" dev="sda1" ino=2414 res=0
[ 75.973155][ T27] audit: type=1800 audit(1564567557.095:30): pid=10747 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0
Starting mcstransd:
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting file context maintaining daemon: restorecond.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.1.10' (ECDSA) to the list of known hosts.

syzkaller login: [ 93.558330][ T27] kauditd_printk_skb: 5 callbacks suppressed
[ 93.558346][ T27] audit: type=1400 audit(1564567574.715:36): avc: denied { map } for pid=10938 comm="syz-executor498" path="/root/syz-executor498284758" dev="sda1" ino=16483 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 93.600997][T10939] IPVS: ftp: loaded support on port[0] = 21
[ 93.644324][T10939] chnl_net:caif_netlink_parms(): no params data found
[ 93.667202][T10939] bridge0: port 1(bridge_slave_0) entered blocking state
[ 93.674582][T10939] bridge0: port 1(bridge_slave_0) entered disabled state
[ 93.682242][T10939] device bridge_slave_0 entered promiscuous mode
[ 93.690035][T10939] bridge0: port 2(bridge_slave_1) entered blocking state
[ 93.697319][T10939] bridge0: port 2(bridge_slave_1) entered disabled state
[ 93.705031][T10939] device bridge_slave_1 entered promiscuous mode
[ 93.719548][T10939] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 93.730156][T10939] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 93.747851][T10939] team0: Port device team_slave_0 added
[ 93.754932][T10939] team0: Port device team_slave_1 added
[ 93.835283][T10939] device hsr_slave_0 entered promiscuous mode
[ 93.913875][T10939] device hsr_slave_1 entered promiscuous mode
[ 93.969379][T10939] bridge0: port 2(bridge_slave_1) entered blocking state
[ 93.976879][T10939] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 93.984351][T10939] bridge0: port 1(bridge_slave_0) entered blocking state
[ 93.991618][T10939] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 94.019431][T10939] 8021q: adding VLAN 0 to HW filter on device bond0
[ 94.030889][ T3014] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 94.039602][ T3014] bridge0: port 1(bridge_slave_0) entered disabled state
[ 94.047774][ T3014] bridge0: port 2(bridge_slave_1) entered disabled state
[ 94.055553][ T3014] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 94.066383][T10939] 8021q: adding VLAN 0 to HW filter on device team0
[ 94.076121][ T3610] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 94.084983][ T3610] bridge0: port 1(bridge_slave_0) entered blocking state
[ 94.092185][ T3610] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 94.114344][ T3014] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 94.122832][ T3014] bridge0: port 2(bridge_slave_1) entered blocking state
[ 94.129975][ T3014] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 94.138432][ T3014] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 94.147036][ T3014] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 94.155808][ T3014] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
executing program
[ 94.164224][ T3014] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 94.173368][T10939] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 94.181321][ T3014] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 94.197924][T10939] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 94.317848][T10949] IPVS: ftp: loaded support on port[0] = 21
[ 94.488622][T10948] IPVS: ftp: loaded support on port[0] = 21
executing program
[ 94.757589][T10952] IPVS: ftp: loaded support on port[0] = 21
[ 94.998749][T10954] IPVS: ftp: loaded support on port[0] = 21
executing program
[ 95.200819][T10958] IPVS: ftp: loaded support on port[0] = 21
[ 95.450043][T10960] IPVS: ftp: loaded support on port[0] = 21
[ 95.635692][T10959] ==================================================================
[ 95.643906][T10959] BUG: KASAN: use-after-free in do_raw_spin_lock+0x28a/0x2e0
[ 95.652439][T10959] Read of size 4 at addr ffff88809741928c by task syz-executor498/10959
[ 95.660799][T10959]
[ 95.663126][T10959] CPU: 1 PID: 10959 Comm: syz-executor498 Not tainted 5.3.0-rc2+ #83
[ 95.671243][T10959] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 95.681459][T10959] Call Trace:
[ 95.684808][T10959]  dump_stack+0x172/0x1f0
[ 95.689144][T10959]  ? do_raw_spin_lock+0x28a/0x2e0
[ 95.694220][T10959]  print_address_description.cold+0xd4/0x306
[ 95.700205][T10959]  ? do_raw_spin_lock+0x28a/0x2e0
[ 95.705269][T10959]  ? do_raw_spin_lock+0x28a/0x2e0
[ 95.710289][T10959]  __kasan_report.cold+0x1b/0x36
[ 95.715232][T10959]  ? do_raw_spin_lock+0x28a/0x2e0
[ 95.720372][T10959]  kasan_report+0x12/0x17
[ 95.724743][T10959]  __asan_report_load4_noabort+0x14/0x20
[ 95.730369][T10959]  do_raw_spin_lock+0x28a/0x2e0
[ 95.735211][T10959]  ? rwlock_bug.part.0+0x90/0x90
[ 95.740135][T10959]  ? lock_acquire+0x190/0x410
[ 95.744789][T10959]  ? release_sock+0x20/0x1c0
[ 95.749410][T10959]  ? __sk_free+0x100/0x360
[ 95.753985][T10959]  _raw_spin_lock_bh+0x3b/0x50
[ 95.758753][T10959]  ? release_sock+0x20/0x1c0
[ 95.763324][T10959]  release_sock+0x20/0x1c0
[ 95.767724][T10959]  nr_release+0x303/0x3e0
[ 95.772054][T10959]  __sock_release+0xce/0x280
[ 95.776630][T10959]  sock_close+0x1e/0x30
[ 95.780768][T10959]  __fput+0x2ff/0x890
[ 95.784798][T10959]  ? __sock_release+0x280/0x280
[ 95.789646][T10959]  ____fput+0x16/0x20
[ 95.793607][T10959]  task_work_run+0x145/0x1c0
[ 95.798190][T10959]  do_exit+0x92f/0x2e50
[ 95.802325][T10959]  ? mm_update_next_owner+0x640/0x640
[ 95.807990][T10959]  ? __kasan_check_write+0x14/0x20
[ 95.813204][T10959]  ? lock_downgrade+0x920/0x920
[ 95.818152][T10959]  ? rwlock_bug.part.0+0x90/0x90
[ 95.823079][T10959]  ? get_signal+0x20e/0x2500
[ 95.827912][T10959]  do_group_exit+0x135/0x360
[ 95.832489][T10959]  get_signal+0x47c/0x2500
[ 95.837406][T10959]  ? nr_find_next_circuit+0xb0/0xb0
[ 95.842666][T10959]  do_signal+0x87/0x1700
[ 95.848741][T10959]  ? fput+0x1b/0x20
[ 95.852557][T10959]  ? __sys_connect+0x12d/0x330
[ 95.857459][T10959]  ? setup_sigcontext+0x7d0/0x7d0
[ 95.862571][T10959]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 95.869265][T10959]  ? do_futex+0x1dc0/0x1dc0
[ 95.873758][T10959]  ? trace_hardirqs_on+0x67/0x240
[ 95.878779][T10959]  exit_to_usermode_loop+0x286/0x380
[ 95.884491][T10959]  do_syscall_64+0x5a9/0x6a0
[ 95.889104][T10959]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 95.895190][T10959] RIP: 0033:0x447d09
[ 95.899224][T10959] Code: Bad RIP value.
[ 95.903319][T10959] RSP: 002b:00007f2a183b8db8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
[ 95.912134][T10959] RAX: fffffffffffffe00 RBX: 00000000006ddc48 RCX: 0000000000447d09
[ 95.920432][T10959] RDX: 0000000000000000 RSI: 0000000000000080 RDI: 00000000006ddc48
[ 95.928717][T10959] RBP: 00000000006ddc40 R08: 0000000000000000 R09: 0000000000000000
[ 95.937590][T10959] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006ddc4c
[ 95.946270][T10959] R13: 00007ffd227e7f8f R14: 00007f2a183b99c0 R15: 0000000000000000
[ 95.954400][T10959]
[ 95.956731][T10959] Allocated by task 7:
[ 95.960869][T10959]  save_stack+0x23/0x90
[ 95.965017][T10959]  __kasan_kmalloc.constprop.0+0xcf/0xe0
[ 95.970710][T10959]  kasan_kmalloc+0x9/0x10
[ 95.975113][T10959]  __kmalloc+0x163/0x770
[ 95.979358][T10959]  sk_prot_alloc+0x23a/0x310
[ 95.983931][T10959]  sk_alloc+0x39/0xf70
[ 95.988025][T10959]  nr_rx_frame+0x733/0x1e73
[ 95.993005][T10959]  nr_loopback_timer+0x7b/0x170
[ 95.997860][T10959]  call_timer_fn+0x1ac/0x780
[ 96.003690][T10959]  run_timer_softirq+0x697/0x17a0
[ 96.008812][T10959]  __do_softirq+0x262/0x98c
[ 96.013295][T10959]
[ 96.015646][T10959] Freed by task 10959:
[ 96.019815][T10959]  save_stack+0x23/0x90
[ 96.024109][T10959]  __kasan_slab_free+0x102/0x150
[ 96.029032][T10959]  kasan_slab_free+0xe/0x10
[ 96.033530][T10959]  kfree+0x10a/0x2c0
[ 96.037551][T10959]  __sk_destruct+0x4f7/0x6e0
[ 96.042139][T10959]  sk_destruct+0x86/0xa0
[ 96.046551][T10959]  __sk_free+0xfb/0x360
[ 96.050692][T10959]  sk_free+0x42/0x50
[ 96.054568][T10959]  nr_destroy_socket+0x3ea/0x4a0
[ 96.059533][T10959]  nr_release+0x347/0x3e0
[ 96.063846][T10959]  __sock_release+0xce/0x280
[ 96.068413][T10959]  sock_close+0x1e/0x30
[ 96.072548][T10959]  __fput+0x2ff/0x890
[ 96.076513][T10959]  ____fput+0x16/0x20
[ 96.080531][T10959]  task_work_run+0x145/0x1c0
[ 96.085117][T10959]  do_exit+0x92f/0x2e50
[ 96.089304][T10959]  do_group_exit+0x135/0x360
[ 96.093885][T10959]  get_signal+0x47c/0x2500
[ 96.098281][T10959]  do_signal+0x87/0x1700
[ 96.102506][T10959]  exit_to_usermode_loop+0x286/0x380
[ 96.107786][T10959]  do_syscall_64+0x5a9/0x6a0
[ 96.112358][T10959]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 96.118233][T10959]
[ 96.120545][T10959] The buggy address belongs to the object at ffff888097419200
[ 96.120545][T10959]  which belongs to the cache kmalloc-2k of size 2048
[ 96.134629][T10959] The buggy address is located 140 bytes inside of
[ 96.134629][T10959]  2048-byte region [ffff888097419200, ffff888097419a00)
[ 96.148020][T10959] The buggy address belongs to the page:
[ 96.153683][T10959] page:ffffea00025d0600 refcount:1 mapcount:0 mapping:ffff8880aa400e00 index:0x0 compound_mapcount: 0
[ 96.164604][T10959] flags: 0x1fffc0000010200(slab|head)
[ 96.169966][T10959] raw: 01fffc0000010200 ffffea00022a6988 ffffea000261c588 ffff8880aa400e00
[ 96.178588][T10959] raw: 0000000000000000 ffff888097418100 0000000100000003 0000000000000000
[ 96.187159][T10959] page dumped because: kasan: bad access detected
[ 96.193554][T10959]
[ 96.195880][T10959] Memory state around the buggy address:
[ 96.201498][T10959]  ffff888097419180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 96.209552][T10959]  ffff888097419200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 96.217648][T10959] >ffff888097419280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 96.225810][T10959]                       ^
[ 96.230121][T10959]  ffff888097419300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 96.238162][T10959]  ffff888097419380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 96.246201][T10959] ==================================================================
[ 96.254307][T10959] Kernel panic - not syncing: panic_on_warn set ...
[ 96.260896][T10959] CPU: 1 PID: 10959 Comm: syz-executor498 Tainted: G B 5.3.0-rc2+ #83
[ 96.270368][T10959] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 96.280505][T10959] Call Trace:
[ 96.283796][T10959]  dump_stack+0x172/0x1f0
[ 96.288121][T10959]  panic+0x2dc/0x755
[ 96.292049][T10959]  ? add_taint.cold+0x16/0x16
[ 96.296713][T10959]  ? trace_hardirqs_on+0x5e/0x240
[ 96.301853][T10959]  ? trace_hardirqs_on+0x5e/0x240
[ 96.306884][T10959]  ? do_raw_spin_lock+0x28a/0x2e0
[ 96.311955][T10959]  end_report+0x47/0x4f
[ 96.316102][T10959]  ? do_raw_spin_lock+0x28a/0x2e0
[ 96.321215][T10959]  __kasan_report.cold+0xe/0x36
[ 96.326061][T10959]  ? do_raw_spin_lock+0x28a/0x2e0
[ 96.331073][T10959]  kasan_report+0x12/0x17
[ 96.335382][T10959]  __asan_report_load4_noabort+0x14/0x20
[ 96.340996][T10959]  do_raw_spin_lock+0x28a/0x2e0
[ 96.346017][T10959]  ? rwlock_bug.part.0+0x90/0x90
[ 96.350978][T10959]  ? lock_acquire+0x190/0x410
[ 96.355646][T10959]  ? release_sock+0x20/0x1c0
[ 96.360317][T10959]  ? __sk_free+0x100/0x360
[ 96.364717][T10959]  _raw_spin_lock_bh+0x3b/0x50
[ 96.369462][T10959]  ? release_sock+0x20/0x1c0
[ 96.374093][T10959]  release_sock+0x20/0x1c0
[ 96.378498][T10959]  nr_release+0x303/0x3e0
[ 96.382850][T10959]  __sock_release+0xce/0x280
[ 96.387435][T10959]  sock_close+0x1e/0x30
[ 96.391572][T10959]  __fput+0x2ff/0x890
[ 96.395534][T10959]  ? __sock_release+0x280/0x280
[ 96.400364][T10959]  ____fput+0x16/0x20
[ 96.404455][T10959]  task_work_run+0x145/0x1c0
[ 96.409023][T10959]  do_exit+0x92f/0x2e50
[ 96.413271][T10959]  ? mm_update_next_owner+0x640/0x640
[ 96.418840][T10959]  ? __kasan_check_write+0x14/0x20
[ 96.424101][T10959]  ? lock_downgrade+0x920/0x920
[ 96.429081][T10959]  ? rwlock_bug.part.0+0x90/0x90
[ 96.434016][T10959]  ? get_signal+0x20e/0x2500
[ 96.438589][T10959]  do_group_exit+0x135/0x360
[ 96.443334][T10959]  get_signal+0x47c/0x2500
[ 96.447816][T10959]  ? nr_find_next_circuit+0xb0/0xb0
[ 96.452998][T10959]  do_signal+0x87/0x1700
[ 96.457233][T10959]  ? fput+0x1b/0x20
[ 96.470683][T10959]  ? __sys_connect+0x12d/0x330
[ 96.475515][T10959]  ? setup_sigcontext+0x7d0/0x7d0
[ 96.480618][T10959]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 96.486846][T10959]  ? do_futex+0x1dc0/0x1dc0
[ 96.491338][T10959]  ? trace_hardirqs_on+0x67/0x240
[ 96.496386][T10959]  exit_to_usermode_loop+0x286/0x380
[ 96.501666][T10959]  do_syscall_64+0x5a9/0x6a0
[ 96.506245][T10959]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 96.512122][T10959] RIP: 0033:0x447d09
[ 96.516002][T10959] Code: Bad RIP value.
[ 96.520135][T10959] RSP: 002b:00007f2a183b8db8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
[ 96.528637][T10959] RAX: fffffffffffffe00 RBX: 00000000006ddc48 RCX: 0000000000447d09
[ 96.536589][T10959] RDX: 0000000000000000 RSI: 0000000000000080 RDI: 00000000006ddc48
[ 96.544648][T10959] RBP: 00000000006ddc40 R08: 0000000000000000 R09: 0000000000000000
[ 96.552748][T10959] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006ddc4c
[ 96.560761][T10959] R13: 00007ffd227e7f8f R14: 00007f2a183b99c0 R15: 0000000000000000
[ 96.570169][T10959] Kernel Offset: disabled
[ 96.574500][T10959] Rebooting in 86400 seconds..
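Added example, not part of the syzkaller log above: a small Python triage parser for a KASAN report of this shape. It strips the serial-console prefixes, separates the faulting call trace from the "Allocated by" and "Freed by" stacks, keeps the "? " frames (stale stack slots) apart from the real chain, and computes what a triager otherwise reads off by hand: the object was allocated from a timer softirq (task 7, via nr_rx_frame), freed through nr_destroy_socket by the closing task 10959, and then read again 140 bytes into the same kmalloc-2k object, with nr_release as the deepest frame shared by the free path and the later use. The sample input is an excerpt of the report above with the page's collapsed spacing; the function and key names are my own, not kernel or syzkaller APIs.

```python
"""Triage a KASAN use-after-free report lifted from a serial console log.
Added example, not part of the syzkaller log above; all names are my own."""
import re

# Constructed sample: an excerpt of the report above, with the "[ time][Tpid]"
# console prefixes kept so the parser has to strip them itself.
SAMPLE = """\
[ 95.643906][T10959] BUG: KASAN: use-after-free in do_raw_spin_lock+0x28a/0x2e0
[ 95.652439][T10959] Read of size 4 at addr ffff88809741928c by task syz-executor498/10959
[ 95.681459][T10959] Call Trace:
[ 95.684808][T10959] dump_stack+0x172/0x1f0
[ 95.689144][T10959] ? do_raw_spin_lock+0x28a/0x2e0
[ 95.710289][T10959] __kasan_report.cold+0x1b/0x36
[ 95.730369][T10959] do_raw_spin_lock+0x28a/0x2e0
[ 95.763324][T10959] release_sock+0x20/0x1c0
[ 95.767724][T10959] nr_release+0x303/0x3e0
[ 95.772054][T10959] __sock_release+0xce/0x280
[ 95.895190][T10959] RIP: 0033:0x447d09
[ 95.956731][T10959] Allocated by task 7:
[ 95.960869][T10959] save_stack+0x23/0x90
[ 95.975113][T10959] __kmalloc+0x163/0x770
[ 95.983931][T10959] sk_alloc+0x39/0xf70
[ 95.988025][T10959] nr_rx_frame+0x733/0x1e73
[ 95.993005][T10959] nr_loopback_timer+0x7b/0x170
[ 96.008812][T10959] __do_softirq+0x262/0x98c
[ 96.013295][T10959]
[ 96.015646][T10959] Freed by task 10959:
[ 96.019815][T10959] save_stack+0x23/0x90
[ 96.033530][T10959] kfree+0x10a/0x2c0
[ 96.050692][T10959] sk_free+0x42/0x50
[ 96.054568][T10959] nr_destroy_socket+0x3ea/0x4a0
[ 96.059533][T10959] nr_release+0x347/0x3e0
[ 96.120545][T10959] The buggy address belongs to the object at ffff888097419200
[ 96.120545][T10959] which belongs to the cache kmalloc-2k of size 2048
"""

PREFIX = re.compile(r"^\[\s*\d+\.\d+\]\[\s*T\d+\]")
FRAME = re.compile(r"^(\?\s+)?([A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+$")
# Frames that top every KASAN stack (instrumentation, allocator, socket-core
# alloc/free wrappers); skipped when looking for the protocol-level site.
NOISE = ("dump_stack", "print_address", "__kasan", "kasan_", "__asan",
         "save_stack", "kfree", "__kmalloc", "kmalloc", "sk_", "__sk_")


def parse_kasan_report(text):
    """Return the report's key fields; '? ' frames are stale slots, kept apart."""
    r = {"call_trace": [], "alloc_stack": [], "free_stack": [], "unreliable": []}
    section = None
    for raw in text.splitlines():
        line = PREFIX.sub("", raw).strip()
        if not line:                        # a blank line ends the current stack
            section = None
        elif m := re.match(r"BUG: KASAN: ([\w-]+) in (\w+)\+0x", line):
            r["bug"], r["use_site"] = m.group(1), m.group(2)
        elif m := re.match(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (\S+)/(\d+)$", line):
            r.update(access=m.group(1).lower(), size=int(m.group(2)),
                     addr=int(m.group(3), 16), task=m.group(4), pid=int(m.group(5)))
        elif line == "Call Trace:":
            section = "call_trace"
        elif m := re.match(r"Allocated by task (\d+):", line):
            r["alloc_pid"], section = int(m.group(1)), "alloc_stack"
        elif m := re.match(r"Freed by task (\d+):", line):
            r["free_pid"], section = int(m.group(1)), "free_stack"
        elif m := re.match(r"The buggy address belongs to the object at ([0-9a-f]+)", line):
            r["obj_base"], section = int(m.group(1), 16), None
        elif m := re.match(r"which belongs to the cache (\S+) of size (\d+)", line):
            r["cache"], r["obj_size"] = m.group(1), int(m.group(2))
        elif section and (m := FRAME.match(line)):
            r["unreliable" if m.group(1) else section].append(m.group(2))
        elif section == "call_trace":       # "RIP:" / register dump ends the trace
            section = None
    return r


def first_real_frame(stack):
    """Deepest frame that is not KASAN/allocator/socket-core plumbing."""
    return next((f for f in stack if not f.startswith(NOISE)), None)


def triage(r):
    """Derive the lifetime facts a triager wants from a parsed report."""
    offset = r["addr"] - r["obj_base"]
    free_set = set(r["free_stack"])
    return {
        "bug": r["bug"],
        "access": f'{r["access"]} of {r["size"]} bytes at +{offset} in {r["cache"]}',
        "offset_in_object": offset,
        "addr_inside_object": 0 <= offset < r["obj_size"],
        "use_site": r["use_site"],
        "alloc_site": first_real_frame(r["alloc_stack"]),
        "free_site": first_real_frame(r["free_stack"]),
        # Object created from softirq context by a task other than the user ...
        "alloc_in_softirq": any(f.endswith("softirq") for f in r["alloc_stack"]),
        "alloc_by_other_task": r["alloc_pid"] != r["pid"],
        # ... and freed by the very task that then touches it again.
        "freed_by_same_task": r["free_pid"] == r["pid"],
        # Deepest frame common to the free path and the later use: the function
        # in which the object was dropped and then dereferenced again.
        "shared_frame": next((f for f in r["call_trace"] if f in free_set), None),
    }


if __name__ == "__main__":
    for key, value in triage(parse_kasan_report(SAMPLE)).items():
        print(f"{key:20} {value}")
```

Run as a script it prints the summary for the embedded excerpt; pointing parse_kasan_report at a full console log works the same way because the page and shadow-memory sections are simply skipped. The shared-frame and same-task checks are the first questions to answer on any socket use-after-free, since they tell you whether to look for a dropped reference in one close path or for a race between two contexts.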