[ ok ] Starting enhanced syslogd: rsyslogd. [ 79.908096][ T26] audit: type=1800 audit(1583921559.860:25): pid=9395 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="cron" dev="sda1" ino=2414 res=0 [ 79.927870][ T26] audit: type=1800 audit(1583921559.860:26): pid=9395 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0 [ 79.981231][ T26] audit: type=1800 audit(1583921559.860:27): pid=9395 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0 [ ok ] Starting periodic command scheduler: cron. [ ok ] Starting OpenBSD Secure Shell server: sshd. Debian GNU/Linux 7 syzkaller ttyS0 Warning: Permanently added '10.128.0.119' (ECDSA) to the list of known hosts. executing program syzkaller login: [ 90.325667][ T9548] IPVS: ftp: loaded support on port[0] = 21 [ 90.358817][ T9549] ================================================================== [ 90.367019][ T9549] BUG: KASAN: use-after-free in tcindex_set_parms+0x17fd/0x1a00 [ 90.374628][ T9549] Write of size 16 at addr ffff8880a1cfe630 by task syz-executor556/9549 [ 90.383010][ T9549] [ 90.385322][ T9549] CPU: 1 PID: 9549 Comm: syz-executor556 Not tainted 5.6.0-rc3-syzkaller #0 [ 90.393964][ T9549] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 90.403997][ T9549] Call Trace: [ 90.407272][ T9549] dump_stack+0x188/0x20d [ 90.411587][ T9549] ? tcindex_set_parms+0x17fd/0x1a00 [ 90.416852][ T9549] ? tcindex_set_parms+0x17fd/0x1a00 [ 90.422129][ T9549] print_address_description.constprop.0.cold+0xd3/0x315 [ 90.429137][ T9549] ? tcindex_set_parms+0x17fd/0x1a00 [ 90.434406][ T9549] ? 
tcindex_set_parms+0x17fd/0x1a00 [ 90.439681][ T9549] __kasan_report.cold+0x1a/0x32 [ 90.444602][ T9549] ? tcindex_set_parms+0x17fd/0x1a00 [ 90.449870][ T9549] kasan_report+0xe/0x20 [ 90.454108][ T9549] tcindex_set_parms+0x17fd/0x1a00 [ 90.459219][ T9549] ? tcindex_alloc_perfect_hash+0x320/0x320 [ 90.465110][ T9549] ? mark_held_locks+0xe0/0xe0 [ 90.469876][ T9549] ? nla_memcpy+0xa0/0xa0 [ 90.474321][ T9549] ? tcindex_change+0x203/0x2e0 [ 90.479153][ T9549] tcindex_change+0x203/0x2e0 [ 90.483950][ T9549] ? tcindex_set_parms+0x1a00/0x1a00 [ 90.489226][ T9549] tc_new_tfilter+0xa59/0x20b0 [ 90.493974][ T9549] ? tcindex_set_parms+0x1a00/0x1a00 [ 90.499244][ T9549] ? tc_del_tfilter+0x1430/0x1430 [ 90.504251][ T9549] ? __lock_acquire+0x80b/0x3ca0 [ 90.509174][ T9549] ? apparmor_capable+0x454/0x8a0 [ 90.514185][ T9549] ? rcu_read_lock_held+0x9c/0xb0 [ 90.519281][ T9549] ? tc_del_tfilter+0x1430/0x1430 [ 90.524299][ T9549] rtnetlink_rcv_msg+0x810/0xad0 [ 90.529222][ T9549] ? rtnl_bridge_getlink+0x870/0x870 [ 90.534523][ T9549] ? mark_held_locks+0xe0/0xe0 [ 90.539267][ T9549] ? netlink_deliver_tap+0x146/0xb50 [ 90.544570][ T9549] netlink_rcv_skb+0x15a/0x410 [ 90.549314][ T9549] ? rtnl_bridge_getlink+0x870/0x870 [ 90.554613][ T9549] ? netlink_ack+0xa80/0xa80 [ 90.559243][ T9549] netlink_unicast+0x537/0x740 [ 90.563992][ T9549] ? netlink_attachskb+0x810/0x810 [ 90.569082][ T9549] ? _copy_from_iter_full+0x25c/0x870 [ 90.574439][ T9549] ? __phys_addr_symbol+0x2c/0x70 [ 90.579451][ T9549] ? __check_object_size+0x171/0x437 [ 90.584735][ T9549] netlink_sendmsg+0x882/0xe10 [ 90.589501][ T9549] ? aa_af_perm+0x260/0x260 [ 90.593989][ T9549] ? netlink_unicast+0x740/0x740 [ 90.598915][ T9549] ? netlink_unicast+0x740/0x740 [ 90.603834][ T9549] sock_sendmsg+0xcf/0x120 [ 90.608230][ T9549] ____sys_sendmsg+0x6b9/0x7d0 [ 90.613008][ T9549] ? kernel_sendmsg+0x50/0x50 [ 90.617682][ T9549] ? rcu_read_lock_sched_held+0x9c/0xd0 [ 90.623221][ T9549] ? 
rcu_read_lock_any_held.part.0+0x50/0x50 [ 90.629201][ T9549] ___sys_sendmsg+0x100/0x170 [ 90.633864][ T9549] ? sendmsg_copy_msghdr+0x70/0x70 [ 90.638963][ T9549] ? lock_downgrade+0x7f0/0x7f0 [ 90.643832][ T9549] ? lock_acquire+0x197/0x420 [ 90.648490][ T9549] ? __might_fault+0xef/0x1d0 [ 90.653166][ T9549] ? __might_fault+0x190/0x1d0 [ 90.657955][ T9549] ? _copy_to_user+0x107/0x150 [ 90.662707][ T9549] ? move_addr_to_user+0xb3/0x200 [ 90.667775][ T9549] ? __fget_light+0x1a5/0x270 [ 90.672454][ T9549] __sys_sendmsg+0xec/0x1b0 [ 90.676939][ T9549] ? __sys_sendmsg_sock+0xb0/0xb0 [ 90.681940][ T9549] ? mark_held_locks+0x9f/0xe0 [ 90.686694][ T9549] ? trace_hardirqs_off_caller+0x55/0x230 [ 90.692393][ T9549] ? do_syscall_64+0x21/0x790 [ 90.697052][ T9549] do_syscall_64+0xf6/0x790 [ 90.701579][ T9549] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 90.707458][ T9549] RIP: 0033:0x441739 [ 90.711330][ T9549] Code: e8 5c ad 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 3b 0a fc ff c3 66 2e 0f 1f 84 00 00 00 00 [ 90.730917][ T9549] RSP: 002b:00007ffd9cd96ed8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e [ 90.739324][ T9549] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000441739 [ 90.747299][ T9549] RDX: 0000000000000000 RSI: 00000000200001c0 RDI: 0000000000000003 [ 90.755250][ T9549] RBP: 00000000006cc018 R08: 0000000120080522 R09: 0000000120080522 [ 90.763204][ T9549] R10: 0000000120080522 R11: 0000000000000246 R12: 0000000000402600 [ 90.771160][ T9549] R13: 0000000000402690 R14: 0000000000000000 R15: 0000000000000000 [ 90.779233][ T9549] [ 90.781540][ T9549] Allocated by task 1: [ 90.785593][ T9549] save_stack+0x1b/0x80 [ 90.789730][ T9549] __kasan_kmalloc.constprop.0+0xbf/0xd0 [ 90.795368][ T9549] kmem_cache_alloc_trace+0x153/0x7d0 [ 90.800730][ T9549] call_usermodehelper_setup+0x98/0x300 [ 90.806254][ T9549] kobject_uevent_env+0xcfb/0x11f0 [ 90.811341][ T9549] 
tty_register_device_attr+0x475/0x6f0 [ 90.816863][ T9549] tty_register_driver+0x42d/0x800 [ 90.821966][ T9549] ttyprintk_init+0x282/0x2cd [ 90.826622][ T9549] do_one_initcall+0x10a/0x7d0 [ 90.831367][ T9549] kernel_init_freeable+0x501/0x5ae [ 90.836555][ T9549] kernel_init+0xd/0x1bb [ 90.840776][ T9549] ret_from_fork+0x24/0x30 [ 90.845164][ T9549] [ 90.847485][ T9549] Freed by task 2511: [ 90.851463][ T9549] save_stack+0x1b/0x80 [ 90.855608][ T9549] __kasan_slab_free+0xf7/0x140 [ 90.860439][ T9549] kfree+0x109/0x2b0 [ 90.864313][ T9549] umh_complete+0x81/0x90 [ 90.868620][ T9549] call_usermodehelper_exec_async+0x459/0x710 [ 90.874668][ T9549] ret_from_fork+0x24/0x30 [ 90.879056][ T9549] [ 90.881364][ T9549] The buggy address belongs to the object at ffff8880a1cfe600 [ 90.881364][ T9549] which belongs to the cache kmalloc-192 of size 192 [ 90.895396][ T9549] The buggy address is located 48 bytes inside of [ 90.895396][ T9549] 192-byte region [ffff8880a1cfe600, ffff8880a1cfe6c0) [ 90.908563][ T9549] The buggy address belongs to the page: [ 90.914178][ T9549] page:ffffea0002873f80 refcount:1 mapcount:0 mapping:ffff8880aa000000 index:0xffff8880a1cfef00 [ 90.924562][ T9549] flags: 0xfffe0000000200(slab) [ 90.929394][ T9549] raw: 00fffe0000000200 ffffea0002882508 ffff8880aa001138 ffff8880aa000000 [ 90.937955][ T9549] raw: ffff8880a1cfef00 ffff8880a1cfe000 000000010000000a 0000000000000000 [ 90.946554][ T9549] page dumped because: kasan: bad access detected [ 90.952974][ T9549] [ 90.955281][ T9549] Memory state around the buggy address: [ 90.960890][ T9549] ffff8880a1cfe500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 90.968932][ T9549] ffff8880a1cfe580: 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 90.976969][ T9549] >ffff8880a1cfe600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 90.985003][ T9549] ^ [ 90.990731][ T9549] ffff8880a1cfe680: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 90.998782][ T9549] ffff8880a1cfe700: 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 [ 91.006858][ T9549] ================================================================== [ 91.014897][ T9549] Disabling lock debugging due to kernel taint [ 91.022312][ T9549] Kernel panic - not syncing: panic_on_warn set ... [ 91.028910][ T9549] CPU: 0 PID: 9549 Comm: syz-executor556 Tainted: G B 5.6.0-rc3-syzkaller #0 [ 91.038940][ T9549] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 91.048972][ T9549] Call Trace: [ 91.052245][ T9549] dump_stack+0x188/0x20d [ 91.056553][ T9549] panic+0x2e3/0x75c [ 91.060432][ T9549] ? add_taint.cold+0x16/0x16 [ 91.065087][ T9549] ? preempt_schedule_common+0x5e/0xc0 [ 91.070524][ T9549] ? tcindex_set_parms+0x17fd/0x1a00 [ 91.075802][ T9549] ? ___preempt_schedule+0x16/0x18 [ 91.080911][ T9549] ? trace_hardirqs_on+0x55/0x220 [ 91.085919][ T9549] ? tcindex_set_parms+0x17fd/0x1a00 [ 91.091182][ T9549] end_report+0x43/0x49 [ 91.095313][ T9549] ? tcindex_set_parms+0x17fd/0x1a00 [ 91.100571][ T9549] __kasan_report.cold+0xd/0x32 [ 91.105397][ T9549] ? tcindex_set_parms+0x17fd/0x1a00 [ 91.110786][ T9549] kasan_report+0xe/0x20 [ 91.115011][ T9549] tcindex_set_parms+0x17fd/0x1a00 [ 91.120174][ T9549] ? tcindex_alloc_perfect_hash+0x320/0x320 [ 91.126057][ T9549] ? mark_held_locks+0xe0/0xe0 [ 91.130813][ T9549] ? nla_memcpy+0xa0/0xa0 [ 91.135134][ T9549] ? tcindex_change+0x203/0x2e0 [ 91.139968][ T9549] tcindex_change+0x203/0x2e0 [ 91.144633][ T9549] ? tcindex_set_parms+0x1a00/0x1a00 [ 91.149950][ T9549] tc_new_tfilter+0xa59/0x20b0 [ 91.154739][ T9549] ? tcindex_set_parms+0x1a00/0x1a00 [ 91.160018][ T9549] ? tc_del_tfilter+0x1430/0x1430 [ 91.165027][ T9549] ? __lock_acquire+0x80b/0x3ca0 [ 91.169982][ T9549] ? apparmor_capable+0x454/0x8a0 [ 91.174988][ T9549] ? rcu_read_lock_held+0x9c/0xb0 [ 91.180004][ T9549] ? tc_del_tfilter+0x1430/0x1430 [ 91.185006][ T9549] rtnetlink_rcv_msg+0x810/0xad0 [ 91.189959][ T9549] ? rtnl_bridge_getlink+0x870/0x870 [ 91.195232][ T9549] ? 
mark_held_locks+0xe0/0xe0 [ 91.199984][ T9549] ? netlink_deliver_tap+0x146/0xb50 [ 91.205260][ T9549] netlink_rcv_skb+0x15a/0x410 [ 91.210075][ T9549] ? rtnl_bridge_getlink+0x870/0x870 [ 91.215346][ T9549] ? netlink_ack+0xa80/0xa80 [ 91.219922][ T9549] netlink_unicast+0x537/0x740 [ 91.224673][ T9549] ? netlink_attachskb+0x810/0x810 [ 91.229768][ T9549] ? _copy_from_iter_full+0x25c/0x870 [ 91.235117][ T9549] ? __phys_addr_symbol+0x2c/0x70 [ 91.240116][ T9549] ? __check_object_size+0x171/0x437 [ 91.245380][ T9549] netlink_sendmsg+0x882/0xe10 [ 91.250136][ T9549] ? aa_af_perm+0x260/0x260 [ 91.254642][ T9549] ? netlink_unicast+0x740/0x740 [ 91.259561][ T9549] ? netlink_unicast+0x740/0x740 [ 91.264475][ T9549] sock_sendmsg+0xcf/0x120 [ 91.268865][ T9549] ____sys_sendmsg+0x6b9/0x7d0 [ 91.273606][ T9549] ? kernel_sendmsg+0x50/0x50 [ 91.278259][ T9549] ? rcu_read_lock_sched_held+0x9c/0xd0 [ 91.283780][ T9549] ? rcu_read_lock_any_held.part.0+0x50/0x50 [ 91.289749][ T9549] ___sys_sendmsg+0x100/0x170 [ 91.294425][ T9549] ? sendmsg_copy_msghdr+0x70/0x70 [ 91.299517][ T9549] ? lock_downgrade+0x7f0/0x7f0 [ 91.304345][ T9549] ? lock_acquire+0x197/0x420 [ 91.308997][ T9549] ? __might_fault+0xef/0x1d0 [ 91.313651][ T9549] ? __might_fault+0x190/0x1d0 [ 91.318399][ T9549] ? _copy_to_user+0x107/0x150 [ 91.323141][ T9549] ? move_addr_to_user+0xb3/0x200 [ 91.328143][ T9549] ? __fget_light+0x1a5/0x270 [ 91.332798][ T9549] __sys_sendmsg+0xec/0x1b0 [ 91.337277][ T9549] ? __sys_sendmsg_sock+0xb0/0xb0 [ 91.342279][ T9549] ? mark_held_locks+0x9f/0xe0 [ 91.347026][ T9549] ? trace_hardirqs_off_caller+0x55/0x230 [ 91.352722][ T9549] ? 
do_syscall_64+0x21/0x790 [ 91.357374][ T9549] do_syscall_64+0xf6/0x790 [ 91.361931][ T9549] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 91.367809][ T9549] RIP: 0033:0x441739 [ 91.371679][ T9549] Code: e8 5c ad 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 3b 0a fc ff c3 66 2e 0f 1f 84 00 00 00 00 [ 91.391261][ T9549] RSP: 002b:00007ffd9cd96ed8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e [ 91.399646][ T9549] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000441739 [ 91.407595][ T9549] RDX: 0000000000000000 RSI: 00000000200001c0 RDI: 0000000000000003 [ 91.415546][ T9549] RBP: 00000000006cc018 R08: 0000000120080522 R09: 0000000120080522 [ 91.423537][ T9549] R10: 0000000120080522 R11: 0000000000000246 R12: 0000000000402600 [ 91.431517][ T9549] R13: 0000000000402690 R14: 0000000000000000 R15: 0000000000000000 [ 91.440720][ T9549] Kernel Offset: disabled [ 91.445042][ T9549] Rebooting in 86400 seconds..