[ 37.434088][ T26] audit: type=1800 audit(1553058740.782:27): pid=7702 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0
[ 37.462687][ T26] audit: type=1800 audit(1553058740.782:28): pid=7702 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="ssh" dev="sda1" ino=2417 res=0
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ 37.988586][ T26] audit: type=1800 audit(1553058741.402:29): pid=7702 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="rc.local" dev="sda1" ino=2432 res=0
[FAIL] startpar: service(s) returned failure: ssh ... failed!

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.72' (ECDSA) to the list of known hosts.
2019/03/20 05:12:33 parsed 1 programs
2019/03/20 05:12:35 executed programs: 0

syzkaller login: [ 52.416179][ T7889] IPVS: ftp: loaded support on port[0] = 21
[ 52.475030][ T7889] chnl_net:caif_netlink_parms(): no params data found
[ 52.506640][ T7889] bridge0: port 1(bridge_slave_0) entered blocking state
[ 52.514132][ T7889] bridge0: port 1(bridge_slave_0) entered disabled state
[ 52.522061][ T7889] device bridge_slave_0 entered promiscuous mode
[ 52.530397][ T7889] bridge0: port 2(bridge_slave_1) entered blocking state
[ 52.539182][ T7889] bridge0: port 2(bridge_slave_1) entered disabled state
[ 52.547166][ T7889] device bridge_slave_1 entered promiscuous mode
[ 52.563039][ T7889] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 52.573164][ T7889] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 52.592060][ T7889] team0: Port device team_slave_0 added
[ 52.598945][ T7889] team0: Port device team_slave_1 added
[ 52.678307][ T7889] device hsr_slave_0 entered promiscuous mode
[ 52.747190][ T7889] device hsr_slave_1 entered promiscuous mode
[ 52.823741][ T7889] bridge0: port 2(bridge_slave_1) entered blocking state
[ 52.830950][ T7889] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 52.838737][ T7889] bridge0: port 1(bridge_slave_0) entered blocking state
[ 52.845774][ T7889] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 52.876017][ T7889] 8021q: adding VLAN 0 to HW filter on device bond0
[ 52.889802][ T2986] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 52.901238][ T2986] bridge0: port 1(bridge_slave_0) entered disabled state
[ 52.910516][ T2986] bridge0: port 2(bridge_slave_1) entered disabled state
[ 52.918761][ T2986] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 52.930826][ T7889] 8021q: adding VLAN 0 to HW filter on device team0
[ 52.941073][ T3478] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 52.949871][ T3478] bridge0: port 1(bridge_slave_0) entered blocking state
[ 52.957001][ T3478] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 52.967155][ T2986] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 52.975430][ T2986] bridge0: port 2(bridge_slave_1) entered blocking state
[ 52.982590][ T2986] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 53.000358][ T7893] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 53.015718][ T7889] hsr0: Slave A (hsr_slave_0) is not up; please bring it up to get a fully working HSR network
[ 53.027895][ T7889] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
[ 53.040208][ T7893] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 53.049213][ T7893] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 53.057695][ T7893] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 53.066145][ T7893] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 53.074660][ T7893] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 53.090758][ T7889] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 53.829542][ T8019] ==================================================================
[ 53.837746][ T8019] BUG: KASAN: use-after-free in tipc_sk_filter_rcv+0x2166/0x34f0
[ 53.845461][ T8019] Read of size 4 at addr ffff8880a86ee9b4 by task syz-executor.0/8019
[ 53.853593][ T8019]
[ 53.855920][ T8019] CPU: 0 PID: 8019 Comm: syz-executor.0 Not tainted 5.0.0+ #101
[ 53.863661][ T8019] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 53.873712][ T8019] Call Trace:
[ 53.876995][ T8019] dump_stack+0x172/0x1f0
[ 53.881412][ T8019] ? tipc_sk_filter_rcv+0x2166/0x34f0
[ 53.886780][ T8019] print_address_description.cold+0x7c/0x20d
[ 53.892756][ T8019] ? tipc_sk_filter_rcv+0x2166/0x34f0
[ 53.898148][ T8019] ? tipc_sk_filter_rcv+0x2166/0x34f0
[ 53.903515][ T8019] kasan_report.cold+0x1b/0x40
[ 53.908277][ T8019] ? tipc_sk_filter_rcv+0x2166/0x34f0
[ 53.913645][ T8019] __asan_report_load4_noabort+0x14/0x20
[ 53.919300][ T8019] tipc_sk_filter_rcv+0x2166/0x34f0
[ 53.924523][ T8019] ? debug_object_deactivate+0x1e4/0x360
[ 53.930177][ T8019] ? find_held_lock+0x35/0x130
[ 53.934936][ T8019] ? tipc_sk_overlimit2+0xa0/0xa0
[ 53.939952][ T8019] ? lock_downgrade+0x880/0x880
[ 53.944796][ T8019] ? __lock_acquire+0x548/0x3fb0
[ 53.949732][ T8019] ? __release_sock+0xca/0x3a0
[ 53.954537][ T8019] tipc_sk_backlog_rcv+0xeb/0x1e0
[ 53.959567][ T8019] ? tipc_sk_mcast_rcv+0x1020/0x1020
[ 53.964842][ T8019] ? __local_bh_enable_ip+0x15a/0x270
[ 53.970208][ T8019] ? lockdep_hardirqs_on+0x418/0x5d0
[ 53.975522][ T8019] ? __release_sock+0xca/0x3a0
[ 53.980313][ T8019] ? trace_hardirqs_on+0x67/0x230
[ 53.985326][ T8019] ? __release_sock+0xca/0x3a0
[ 53.990082][ T8019] ? __local_bh_enable_ip+0x15a/0x270
[ 53.995508][ T8019] __release_sock+0x12e/0x3a0
[ 54.000195][ T8019] release_sock+0x59/0x1c0
[ 54.004594][ T8019] tipc_release+0x9ed/0x14d0
[ 54.009176][ T8019] __sock_release+0xd3/0x2b0
[ 54.013748][ T8019] ? __sock_release+0x2b0/0x2b0
[ 54.018580][ T8019] sock_close+0x1b/0x30
[ 54.022720][ T8019] __fput+0x2e5/0x8d0
[ 54.026702][ T8019] ____fput+0x16/0x20
[ 54.030681][ T8019] task_work_run+0x14a/0x1c0
[ 54.035280][ T8019] exit_to_usermode_loop+0x273/0x2c0
[ 54.040559][ T8019] do_syscall_64+0x52d/0x610
[ 54.045136][ T8019] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 54.051030][ T8019] RIP: 0033:0x411e31
[ 54.054919][ T8019] Code: 75 14 b8 03 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 e4 1a 00 00 c3 48 83 ec 08 e8 0a fc ff ff 48 89 04 24 b8 03 00 00 00 0f 05 <48> 8b 3c 24 48 89 c2 e8 53 fc ff ff 48 89 d0 48 83 c4 08 48 3d 01
[ 54.074512][ T8019] RSP: 002b:00007fff5a197d60 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
[ 54.082913][ T8019] RAX: 0000000000000000 RBX: 0000000000000007 RCX: 0000000000411e31
[ 54.090876][ T8019] RDX: 0000000000000000 RSI: 0000000000740170 RDI: 0000000000000006
[ 54.098835][ T8019] RBP: 0000000000000000 R08: 0000000000740168 R09: 000000000000d22f
[ 54.106796][ T8019] R10: 00007fff5a197c80 R11: 0000000000000293 R12: 0000000000000001
[ 54.114760][ T8019] R13: 00007fff5a197da0 R14: 0000000000000000 R15: 00007fff5a197db0
[ 54.122732][ T8019]
[ 54.125045][ T8019] Allocated by task 45:
[ 54.129198][ T8019] save_stack+0x45/0xd0
[ 54.133366][ T8019] __kasan_kmalloc.constprop.0+0xcf/0xe0
[ 54.138984][ T8019] kasan_kmalloc+0x9/0x10
[ 54.143300][ T8019] __kmalloc_node_track_caller+0x4e/0x70
[ 54.148920][ T8019] __kmalloc_reserve.isra.0+0x40/0xf0
[ 54.154278][ T8019] __alloc_skb+0x10b/0x5e0
[ 54.158688][ T8019] tipc_buf_acquire+0x2f/0x100
[ 54.163484][ T8019] tipc_msg_create+0x38/0x270
[ 54.168157][ T8019] tipc_topsrv_kern_evt+0x2a7/0x580
[ 54.173356][ T8019] tipc_conn_send_to_sock+0x43e/0x5f0
[ 54.178711][ T8019] tipc_conn_send_work+0x65/0x80
[ 54.183632][ T8019] process_one_work+0x98e/0x1790
[ 54.188550][ T8019] worker_thread+0x98/0xe40
[ 54.193035][ T8019] kthread+0x357/0x430
[ 54.197082][ T8019] ret_from_fork+0x3a/0x50
[ 54.201573][ T8019]
[ 54.203905][ T8019] Freed by task 8019:
[ 54.207884][ T8019] save_stack+0x45/0xd0
[ 54.212018][ T8019] __kasan_slab_free+0x102/0x150
[ 54.216933][ T8019] kasan_slab_free+0xe/0x10
[ 54.221415][ T8019] kfree+0xcf/0x230
[ 54.225219][ T8019] skb_free_head+0x93/0xb0
[ 54.229623][ T8019] skb_release_data+0x576/0x7a0
[ 54.234487][ T8019] skb_release_all+0x4d/0x60
[ 54.239058][ T8019] kfree_skb+0xe8/0x390
[ 54.243211][ T8019] tipc_sk_filter_rcv+0x1e6a/0x34f0
[ 54.248392][ T8019] tipc_sk_backlog_rcv+0xeb/0x1e0
[ 54.253396][ T8019] __release_sock+0x12e/0x3a0
[ 54.258052][ T8019] release_sock+0x59/0x1c0
[ 54.262458][ T8019] tipc_release+0x9ed/0x14d0
[ 54.267030][ T8019] __sock_release+0xd3/0x2b0
[ 54.271600][ T8019] sock_close+0x1b/0x30
[ 54.275737][ T8019] __fput+0x2e5/0x8d0
[ 54.279710][ T8019] ____fput+0x16/0x20
[ 54.283692][ T8019] task_work_run+0x14a/0x1c0
[ 54.288279][ T8019] exit_to_usermode_loop+0x273/0x2c0
[ 54.293548][ T8019] do_syscall_64+0x52d/0x610
[ 54.298121][ T8019] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 54.303995][ T8019]
[ 54.306325][ T8019] The buggy address belongs to the object at ffff8880a86ee900
[ 54.306325][ T8019]  which belongs to the cache kmalloc-1k of size 1024
[ 54.320363][ T8019] The buggy address is located 180 bytes inside of
[ 54.320363][ T8019]  1024-byte region [ffff8880a86ee900, ffff8880a86eed00)
[ 54.333698][ T8019] The buggy address belongs to the page:
[ 54.339315][ T8019] page:ffffea0002a1bb80 count:1 mapcount:0 mapping:ffff88812c3f0ac0 index:0x0 compound_mapcount: 0
[ 54.350014][ T8019] flags: 0x1fffc0000010200(slab|head)
[ 54.355394][ T8019] raw: 01fffc0000010200 ffffea00028f8d08 ffffea00028f9f88 ffff88812c3f0ac0
[ 54.363992][ T8019] raw: 0000000000000000 ffff8880a86ee000 0000000100000007 0000000000000000
[ 54.372556][ T8019] page dumped because: kasan: bad access detected
[ 54.378945][ T8019]
[ 54.381252][ T8019] Memory state around the buggy address:
[ 54.386866][ T8019]  ffff8880a86ee880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 54.394908][ T8019]  ffff8880a86ee900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 54.402950][ T8019] >ffff8880a86ee980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 54.410997][ T8019]                                      ^
[ 54.416607][ T8019]  ffff8880a86eea00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 54.424650][ T8019]  ffff8880a86eea80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 54.432687][ T8019] ==================================================================
[ 54.440726][ T8019] Disabling lock debugging due to kernel taint
[ 54.450790][ T8019] Kernel panic - not syncing: panic_on_warn set ...
[ 54.457391][ T8019] CPU: 0 PID: 8019 Comm: syz-executor.0 Tainted: G B 5.0.0+ #101
[ 54.466403][ T8019] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 54.476461][ T8019] Call Trace:
[ 54.479755][ T8019] dump_stack+0x172/0x1f0
[ 54.484072][ T8019] panic+0x2cb/0x65c
[ 54.487954][ T8019] ? __warn_printk+0xf3/0xf3
[ 54.492528][ T8019] ? tipc_sk_filter_rcv+0x2166/0x34f0
[ 54.497910][ T8019] ? preempt_schedule+0x4b/0x60
[ 54.502745][ T8019] ? ___preempt_schedule+0x16/0x18
[ 54.507834][ T8019] ? trace_hardirqs_on+0x5e/0x230
[ 54.512843][ T8019] ? tipc_sk_filter_rcv+0x2166/0x34f0
[ 54.518191][ T8019] end_report+0x47/0x4f
[ 54.522329][ T8019] ? tipc_sk_filter_rcv+0x2166/0x34f0
[ 54.527681][ T8019] kasan_report.cold+0xe/0x40
[ 54.532343][ T8019] ? tipc_sk_filter_rcv+0x2166/0x34f0
[ 54.537709][ T8019] __asan_report_load4_noabort+0x14/0x20
[ 54.543329][ T8019] tipc_sk_filter_rcv+0x2166/0x34f0
[ 54.548509][ T8019] ? debug_object_deactivate+0x1e4/0x360
[ 54.554120][ T8019] ? find_held_lock+0x35/0x130
[ 54.560130][ T8019] ? tipc_sk_overlimit2+0xa0/0xa0
[ 54.565135][ T8019] ? lock_downgrade+0x880/0x880
[ 54.569986][ T8019] ? __lock_acquire+0x548/0x3fb0
[ 54.574935][ T8019] ? __release_sock+0xca/0x3a0
[ 54.579686][ T8019] tipc_sk_backlog_rcv+0xeb/0x1e0
[ 54.584716][ T8019] ? tipc_sk_mcast_rcv+0x1020/0x1020
[ 54.589983][ T8019] ? __local_bh_enable_ip+0x15a/0x270
[ 54.595336][ T8019] ? lockdep_hardirqs_on+0x418/0x5d0
[ 54.600599][ T8019] ? __release_sock+0xca/0x3a0
[ 54.605345][ T8019] ? trace_hardirqs_on+0x67/0x230
[ 54.610359][ T8019] ? __release_sock+0xca/0x3a0
[ 54.615102][ T8019] ? __local_bh_enable_ip+0x15a/0x270
[ 54.620468][ T8019] __release_sock+0x12e/0x3a0
[ 54.625138][ T8019] release_sock+0x59/0x1c0
[ 54.629550][ T8019] tipc_release+0x9ed/0x14d0
[ 54.634123][ T8019] __sock_release+0xd3/0x2b0
[ 54.638692][ T8019] ? __sock_release+0x2b0/0x2b0
[ 54.643519][ T8019] sock_close+0x1b/0x30
[ 54.647656][ T8019] __fput+0x2e5/0x8d0
[ 54.651619][ T8019] ____fput+0x16/0x20
[ 54.655580][ T8019] task_work_run+0x14a/0x1c0
[ 54.660153][ T8019] exit_to_usermode_loop+0x273/0x2c0
[ 54.665420][ T8019] do_syscall_64+0x52d/0x610
[ 54.670009][ T8019] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 54.675882][ T8019] RIP: 0033:0x411e31
[ 54.679753][ T8019] Code: 75 14 b8 03 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 e4 1a 00 00 c3 48 83 ec 08 e8 0a fc ff ff 48 89 04 24 b8 03 00 00 00 0f 05 <48> 8b 3c 24 48 89 c2 e8 53 fc ff ff 48 89 d0 48 83 c4 08 48 3d 01
[ 54.699341][ T8019] RSP: 002b:00007fff5a197d60 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
[ 54.707733][ T8019] RAX: 0000000000000000 RBX: 0000000000000007 RCX: 0000000000411e31
[ 54.715686][ T8019] RDX: 0000000000000000 RSI: 0000000000740170 RDI: 0000000000000006
[ 54.723634][ T8019] RBP: 0000000000000000 R08: 0000000000740168 R09: 000000000000d22f
[ 54.731595][ T8019] R10: 00007fff5a197c80 R11: 0000000000000293 R12: 0000000000000001
[ 54.739554][ T8019] R13: 00007fff5a197da0 R14: 0000000000000000 R15: 00007fff5a197db0
[ 54.748168][ T8019] Kernel Offset: disabled
[ 54.752488][ T8019] Rebooting in 86400 seconds..