[....] Starting enhanced syslogd: rsyslogd[?25l[?1c7[ ok 8[?25h[?0c. [ 60.803580][ T26] audit: type=1800 audit(1574139197.085:25): pid=8642 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="cron" dev="sda1" ino=2414 res=0 [ 60.834549][ T26] audit: type=1800 audit(1574139197.085:26): pid=8642 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0 [ 60.872496][ T26] audit: type=1800 audit(1574139197.095:27): pid=8642 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0 [....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[ ok 8[?25h[?0c. Debian GNU/Linux 7 syzkaller ttyS0 Warning: Permanently added '10.128.0.166' (ECDSA) to the list of known hosts. executing program syzkaller login: [ 69.623038][ T8796] FAULT_INJECTION: forcing a failure. [ 69.623038][ T8796] name failslab, interval 1, probability 0, space 0, times 1 [ 69.636359][ T8796] CPU: 0 PID: 8796 Comm: syz-executor276 Not tainted 5.4.0-rc8 #0 [ 69.644939][ T8796] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 69.655377][ T8796] Call Trace: [ 69.658939][ T8796] dump_stack+0x197/0x210 [ 69.663392][ T8796] should_fail.cold+0xa/0x15 [ 69.668075][ T8796] ? fault_create_debugfs_attr+0x180/0x180 [ 69.674081][ T8796] ? ___might_sleep+0x163/0x2c0 [ 69.679135][ T8796] __should_failslab+0x121/0x190 [ 69.685406][ T8796] should_failslab+0x9/0x14 [ 69.689906][ T8796] kmem_cache_alloc_trace+0x2d3/0x790 [ 69.695530][ T8796] ? init_timer_key+0x13b/0x3a0 [ 69.700381][ T8796] slip_open+0x95b/0x11b7 [ 69.704837][ T8796] ? sl_change_mtu+0x5d0/0x5d0 [ 69.709752][ T8796] ? __kasan_check_write+0x14/0x20 [ 69.714917][ T8796] ? down_write+0xdf/0x150 [ 69.719331][ T8796] ? sl_change_mtu+0x5d0/0x5d0 [ 69.724118][ T8796] tty_ldisc_open.isra.0+0xa3/0x110 [ 69.730440][ T8796] tty_set_ldisc+0x30e/0x6b0 [ 69.735045][ T8796] tty_ioctl+0xe8d/0x14f0 [ 69.739539][ T8796] ? do_tty_hangup+0x30/0x30 [ 69.744314][ T8796] ? tomoyo_path_number_perm+0x459/0x520 [ 69.749947][ T8796] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 69.756641][ T8796] ? tomoyo_path_number_perm+0x263/0x520 [ 69.762542][ T8796] ? tomoyo_execute_permission+0x4a0/0x4a0 [ 69.769092][ T8796] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 69.775377][ T8796] ? vfs_write+0x34c/0x5d0 [ 69.779805][ T8796] ? do_tty_hangup+0x30/0x30 [ 69.784410][ T8796] do_vfs_ioctl+0xdb6/0x13e0 [ 69.789133][ T8796] ? ioctl_preallocate+0x210/0x210 [ 69.794243][ T8796] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 69.800667][ T8796] ? __sb_end_write+0x11a/0x1a0 [ 69.805541][ T8796] ? vfs_write+0x160/0x5d0 [ 69.810190][ T8796] ? tomoyo_file_ioctl+0x23/0x30 [ 69.815315][ T8796] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 69.821771][ T8796] ? security_file_ioctl+0x8d/0xc0 [ 69.827116][ T8796] ksys_ioctl+0xab/0xd0 [ 69.831299][ T8796] __x64_sys_ioctl+0x73/0xb0 [ 69.836070][ T8796] do_syscall_64+0xfa/0x760 [ 69.840578][ T8796] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 69.846716][ T8796] RIP: 0033:0x441149 [ 69.850806][ T8796] Code: e8 5c ae 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 bb 0a fc ff c3 66 2e 0f 1f 84 00 00 00 00 [ 69.871680][ T8796] RSP: 002b:00007ffcfb9185b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 [ 69.880495][ T8796] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000441149 [ 69.888468][ T8796] RDX: 0000000020000040 RSI: 0000000000005423 RDI: 0000000000000003 [ 69.896616][ T8796] RBP: 00007ffcfb9185d0 R08: 0000000000000002 R09: 0000000000000000 [ 69.904582][ T8796] R10: 0000000000000000 R11: 0000000000000246 R12: ffffffffffffffff [ 69.913099][ T8796] R13: 0000000000000004 R14: 0000000000000000 R15: 0000000000000000 executing program [ 70.099312][ T8797] ================================================================== [ 70.108474][ T8797] BUG: KASAN: use-after-free in slip_open+0xecd/0x11b7 [ 70.115533][ T8797] Read of size 8 at addr ffff88809431cb48 by task syz-executor276/8797 [ 70.124159][ T8797] [ 70.126494][ T8797] CPU: 0 PID: 8797 Comm: syz-executor276 Not tainted 5.4.0-rc8 #0 [ 70.134585][ T8797] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 70.145347][ T8797] Call Trace: [ 70.149062][ T8797] dump_stack+0x197/0x210 [ 70.153841][ T8797] ? slip_open+0xecd/0x11b7 [ 70.158743][ T8797] print_address_description.constprop.0.cold+0xd4/0x30b [ 70.165964][ T8797] ? slip_open+0xecd/0x11b7 [ 70.171129][ T8797] ? slip_open+0xecd/0x11b7 [ 70.175855][ T8797] __kasan_report.cold+0x1b/0x41 [ 70.180916][ T8797] ? slip_open+0xecd/0x11b7 [ 70.185684][ T8797] kasan_report+0x12/0x20 [ 70.190018][ T8797] __asan_report_load8_noabort+0x14/0x20 [ 70.195737][ T8797] slip_open+0xecd/0x11b7 [ 70.200209][ T8797] ? lock_downgrade+0x920/0x920 [ 70.205065][ T8797] ? sl_change_mtu+0x5d0/0x5d0 [ 70.209828][ T8797] ? __kasan_check_write+0x14/0x20 [ 70.214943][ T8797] ? down_write+0xdf/0x150 [ 70.219605][ T8797] ? sl_change_mtu+0x5d0/0x5d0 [ 70.224447][ T8797] tty_ldisc_open.isra.0+0xa3/0x110 [ 70.229707][ T8797] tty_set_ldisc+0x30e/0x6b0 [ 70.234769][ T8797] tty_ioctl+0xe8d/0x14f0 [ 70.239100][ T8797] ? do_tty_hangup+0x30/0x30 [ 70.243818][ T8797] ? tomoyo_path_number_perm+0x459/0x520 [ 70.249797][ T8797] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 70.256037][ T8797] ? tomoyo_path_number_perm+0x263/0x520 [ 70.261804][ T8797] ? tomoyo_execute_permission+0x4a0/0x4a0 [ 70.268018][ T8797] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 70.274312][ T8797] ? vfs_write+0x34c/0x5d0 [ 70.279030][ T8797] ? do_tty_hangup+0x30/0x30 [ 70.284025][ T8797] do_vfs_ioctl+0xdb6/0x13e0 [ 70.288748][ T8797] ? ioctl_preallocate+0x210/0x210 [ 70.294093][ T8797] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 70.300339][ T8797] ? __sb_end_write+0x11a/0x1a0 [ 70.305392][ T8797] ? vfs_write+0x160/0x5d0 [ 70.309961][ T8797] ? tomoyo_file_ioctl+0x23/0x30 [ 70.314899][ T8797] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 70.321136][ T8797] ? security_file_ioctl+0x8d/0xc0 [ 70.326736][ T8797] ksys_ioctl+0xab/0xd0 [ 70.331204][ T8797] __x64_sys_ioctl+0x73/0xb0 [ 70.336019][ T8797] do_syscall_64+0xfa/0x760 [ 70.340791][ T8797] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 70.346792][ T8797] RIP: 0033:0x441149 [ 70.350689][ T8797] Code: e8 5c ae 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 bb 0a fc ff c3 66 2e 0f 1f 84 00 00 00 00 [ 70.370621][ T8797] RSP: 002b:00007ffcfb9185b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 [ 70.379057][ T8797] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000441149 [ 70.387102][ T8797] RDX: 0000000020000040 RSI: 0000000000005423 RDI: 0000000000000003 [ 70.395481][ T8797] RBP: 00007ffcfb9185d0 R08: 0000000000000002 R09: 0000000000000000 [ 70.403988][ T8797] R10: 0000000000000000 R11: 0000000000000246 R12: ffffffffffffffff [ 70.411958][ T8797] R13: 0000000000000004 R14: 0000000000000000 R15: 0000000000000000 [ 70.419952][ T8797] [ 70.422304][ T8797] Allocated by task 8796: [ 70.426714][ T8797] save_stack+0x23/0x90 [ 70.431008][ T8797] __kasan_kmalloc.constprop.0+0xcf/0xe0 [ 70.436636][ T8797] kasan_kmalloc+0x9/0x10 [ 70.441447][ T8797] __kmalloc_node+0x4e/0x70 [ 70.445975][ T8797] kvmalloc_node+0x68/0x100 [ 70.450860][ T8797] alloc_netdev_mqs+0x98/0xde0 [ 70.455740][ T8797] slip_open+0x38e/0x11b7 [ 70.460293][ T8797] tty_ldisc_open.isra.0+0xa3/0x110 [ 70.465617][ T8797] tty_set_ldisc+0x30e/0x6b0 [ 70.470201][ T8797] tty_ioctl+0xe8d/0x14f0 [ 70.474803][ T8797] do_vfs_ioctl+0xdb6/0x13e0 [ 70.479486][ T8797] ksys_ioctl+0xab/0xd0 [ 70.483698][ T8797] __x64_sys_ioctl+0x73/0xb0 [ 70.489214][ T8797] do_syscall_64+0xfa/0x760 [ 70.493898][ T8797] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 70.500003][ T8797] [ 70.502325][ T8797] Freed by task 8796: [ 70.507146][ T8797] save_stack+0x23/0x90 [ 70.511313][ T8797] __kasan_slab_free+0x102/0x150 [ 70.516246][ T8797] kasan_slab_free+0xe/0x10 [ 70.520825][ T8797] kfree+0x10a/0x2c0 [ 70.524709][ T8797] kvfree+0x61/0x70 [ 70.528560][ T8797] free_netdev+0x3c0/0x470 [ 70.533010][ T8797] slip_open+0xd70/0x11b7 [ 70.537339][ T8797] tty_ldisc_open.isra.0+0xa3/0x110 [ 70.542554][ T8797] tty_set_ldisc+0x30e/0x6b0 [ 70.547330][ T8797] tty_ioctl+0xe8d/0x14f0 [ 70.551662][ T8797] do_vfs_ioctl+0xdb6/0x13e0 [ 70.556248][ T8797] ksys_ioctl+0xab/0xd0 [ 70.560617][ T8797] __x64_sys_ioctl+0x73/0xb0 [ 70.565203][ T8797] do_syscall_64+0xfa/0x760 [ 70.569713][ T8797] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 70.575594][ T8797] [ 70.577919][ T8797] The buggy address belongs to the object at ffff88809431c000 [ 70.577919][ T8797] which belongs to the cache kmalloc-4k of size 4096 [ 70.591964][ T8797] The buggy address is located 2888 bytes inside of [ 70.591964][ T8797] 4096-byte region [ffff88809431c000, ffff88809431d000) [ 70.605404][ T8797] The buggy address belongs to the page: [ 70.611043][ T8797] page:ffffea000250c700 refcount:1 mapcount:0 mapping:ffff8880aa402000 index:0x0 compound_mapcount: 0 [ 70.621979][ T8797] raw: 01fffc0000010200 ffffea0002a18b88 ffffea0002a14788 ffff8880aa402000 [ 70.630565][ T8797] raw: 0000000000000000 ffff88809431c000 0000000100000001 0000000000000000 [ 70.640206][ T8797] page dumped because: kasan: bad access detected [ 70.646705][ T8797] [ 70.649015][ T8797] Memory state around the buggy address: [ 70.654644][ T8797] ffff88809431ca00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 70.663041][ T8797] ffff88809431ca80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 70.671237][ T8797] >ffff88809431cb00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 70.679301][ T8797] ^ [ 70.685763][ T8797] ffff88809431cb80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 70.693932][ T8797] ffff88809431cc00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 70.701975][ T8797] ================================================================== [ 70.710017][ T8797] Disabling lock debugging due to kernel taint [ 70.716352][ T8797] Kernel panic - not syncing: panic_on_warn set ... [ 70.722946][ T8797] CPU: 0 PID: 8797 Comm: syz-executor276 Tainted: G B 5.4.0-rc8 #0 [ 70.732133][ T8797] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 70.742175][ T8797] Call Trace: [ 70.745474][ T8797] dump_stack+0x197/0x210 [ 70.749808][ T8797] panic+0x2e3/0x75c [ 70.753685][ T8797] ? add_taint.cold+0x16/0x16 [ 70.758360][ T8797] ? slip_open+0xecd/0x11b7 [ 70.762857][ T8797] ? preempt_schedule+0x4b/0x60 [ 70.767969][ T8797] ? ___preempt_schedule+0x16/0x20 [ 70.773089][ T8797] ? trace_hardirqs_on+0x5e/0x240 [ 70.778102][ T8797] ? slip_open+0xecd/0x11b7 [ 70.782592][ T8797] end_report+0x47/0x4f [ 70.786746][ T8797] ? slip_open+0xecd/0x11b7 [ 70.791232][ T8797] __kasan_report.cold+0xe/0x41 [ 70.796187][ T8797] ? slip_open+0xecd/0x11b7 [ 70.800690][ T8797] kasan_report+0x12/0x20 [ 70.805007][ T8797] __asan_report_load8_noabort+0x14/0x20 [ 70.810640][ T8797] slip_open+0xecd/0x11b7 [ 70.814963][ T8797] ? lock_downgrade+0x920/0x920 [ 70.819798][ T8797] ? sl_change_mtu+0x5d0/0x5d0 [ 70.824552][ T8797] ? __kasan_check_write+0x14/0x20 [ 70.829664][ T8797] ? down_write+0xdf/0x150 [ 70.834094][ T8797] ? sl_change_mtu+0x5d0/0x5d0 [ 70.839147][ T8797] tty_ldisc_open.isra.0+0xa3/0x110 [ 70.844538][ T8797] tty_set_ldisc+0x30e/0x6b0 [ 70.849129][ T8797] tty_ioctl+0xe8d/0x14f0 [ 70.853457][ T8797] ? do_tty_hangup+0x30/0x30 [ 70.858042][ T8797] ? tomoyo_path_number_perm+0x459/0x520 [ 70.863657][ T8797] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 70.869982][ T8797] ? tomoyo_path_number_perm+0x263/0x520 [ 70.875609][ T8797] ? tomoyo_execute_permission+0x4a0/0x4a0 [ 70.881398][ T8797] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 70.887624][ T8797] ? vfs_write+0x34c/0x5d0 [ 70.892026][ T8797] ? do_tty_hangup+0x30/0x30 [ 70.896609][ T8797] do_vfs_ioctl+0xdb6/0x13e0 [ 70.901303][ T8797] ? ioctl_preallocate+0x210/0x210 [ 70.906410][ T8797] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 70.912738][ T8797] ? __sb_end_write+0x11a/0x1a0 [ 70.917578][ T8797] ? vfs_write+0x160/0x5d0 [ 70.922008][ T8797] ? tomoyo_file_ioctl+0x23/0x30 [ 70.926941][ T8797] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 70.933162][ T8797] ? security_file_ioctl+0x8d/0xc0 [ 70.938276][ T8797] ksys_ioctl+0xab/0xd0 [ 70.942457][ T8797] __x64_sys_ioctl+0x73/0xb0 [ 70.947064][ T8797] do_syscall_64+0xfa/0x760 [ 70.951558][ T8797] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 70.957436][ T8797] RIP: 0033:0x441149 [ 70.961329][ T8797] Code: e8 5c ae 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 bb 0a fc ff c3 66 2e 0f 1f 84 00 00 00 00 [ 70.981276][ T8797] RSP: 002b:00007ffcfb9185b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 [ 70.989691][ T8797] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000441149 [ 70.997960][ T8797] RDX: 0000000020000040 RSI: 0000000000005423 RDI: 0000000000000003 [ 71.005919][ T8797] RBP: 00007ffcfb9185d0 R08: 0000000000000002 R09: 0000000000000000 [ 71.013888][ T8797] R10: 0000000000000000 R11: 0000000000000246 R12: ffffffffffffffff [ 71.021854][ T8797] R13: 0000000000000004 R14: 0000000000000000 R15: 0000000000000000 [ 71.031393][ T8797] Kernel Offset: disabled [ 71.035737][ T8797] Rebooting in 86400 seconds..