[ 38.427343][ T26] audit: type=1800 audit(1552230876.478:27): pid=7687 uid=0 auid=4294967295 ses=4294967295 subj=_ op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0
[ 38.447077][ T26] audit: type=1800 audit(1552230876.478:28): pid=7687 uid=0 auid=4294967295 ses=4294967295 subj=_ op=collect_data cause=failed(directio) comm="startpar" name="ssh" dev="sda1" ino=2417 res=0
[....] Starting periodic command scheduler: cron [ ok ].
[....] Starting OpenBSD Secure Shell server: sshd [ ok ].
[ 39.139507][ T26] audit: type=1800 audit(1552230877.248:29): pid=7687 uid=0 auid=4294967295 ses=4294967295 subj=_ op=collect_data cause=failed(directio) comm="startpar" name="rc.local" dev="sda1" ino=2432 res=0
[ 39.166464][ T26] audit: type=1800 audit(1552230877.248:30): pid=7687 uid=0 auid=4294967295 ses=4294967295 subj=_ op=collect_data cause=failed(directio) comm="startpar" name="rmnologin" dev="sda1" ino=2423 res=0

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.48' (ECDSA) to the list of known hosts.
executing program
executing program
executing program
executing program
executing program
executing program
syzkaller login: [ 49.028151][ T7846] device ifb0 entered promiscuous mode
[ 49.065850][ T7846] device ifb0 left promiscuous mode
executing program
[ 49.230242][ T7854] device ifb0 entered promiscuous mode
[ 49.239105][ T7853] device ifb0 left promiscuous mode
executing program
executing program
executing program
executing program
executing program
[ 49.464457][ T7879] device ifb0 entered promiscuous mode
[ 49.473940][ T7880] device ifb0 left promiscuous mode
executing program
[ 49.598136][ T7891] device ifb0 entered promiscuous mode
[ 49.647451][ T7896] device ifb0 left promiscuous mode
executing program
executing program
executing program
executing program
executing program
[ 49.710700][ T7907] device ifb0 entered promiscuous mode
[ 49.717408][ T7908] device ifb0 left promiscuous mode
executing program
[ 49.837425][ T7916] device ifb0 entered promiscuous mode
[ 49.891261][ T7921] device ifb0 left promiscuous mode
executing program
executing program
executing program
executing program
executing program
[ 49.961592][ T7930] device ifb0 entered promiscuous mode
[ 49.971190][ T7931] device ifb0 left promiscuous mode
[ 50.087460][ T7931] ==================================================================
[ 50.095715][ T7931] BUG: KASAN: use-after-free in x25_device_event+0x296/0x2b0
[ 50.103121][ T7931] Read of size 8 at addr ffff8880a3c68150 by task syz-executor187/7931
[ 50.111354][ T7931]
[ 50.113692][ T7931] CPU: 0 PID: 7931 Comm: syz-executor187 Not tainted 5.0.0+ #15
[ 50.121306][ T7931] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 50.131359][ T7931] Call Trace:
[ 50.134658][ T7931]  dump_stack+0x172/0x1f0
[ 50.138989][ T7931]  ? x25_device_event+0x296/0x2b0
[ 50.144011][ T7931]  print_address_description.cold+0x7c/0x20d
[ 50.149980][ T7931]  ? x25_device_event+0x296/0x2b0
[ 50.155010][ T7931]  ? x25_device_event+0x296/0x2b0
[ 50.160486][ T7931]  kasan_report.cold+0x1b/0x40
[ 50.165248][ T7931]  ? x25_device_event+0x296/0x2b0
[ 50.170272][ T7931]  __asan_report_load8_noabort+0x14/0x20
[ 50.175892][ T7931]  x25_device_event+0x296/0x2b0
[ 50.180804][ T7931]  notifier_call_chain+0xc7/0x240
[ 50.185856][ T7931]  raw_notifier_call_chain+0x2e/0x40
[ 50.191148][ T7931]  call_netdevice_notifiers_info+0x3f/0x90
[ 50.196946][ T7931]  __dev_notify_flags+0x1e9/0x2c0
[ 50.201965][ T7931]  ? dev_change_name+0xa00/0xa00
[ 50.206907][ T7931]  ? __dev_change_flags+0x513/0x6e0
[ 50.212110][ T7931]  ? dev_set_allmulti+0x30/0x30
[ 50.216954][ T7931]  ? mutex_trylock+0x1e0/0x1e0
[ 50.221717][ T7931]  ? find_held_lock+0x35/0x130
[ 50.226486][ T7931]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 50.232723][ T7931]  dev_change_flags+0x10d/0x170
[ 50.237587][ T7931]  dev_ifsioc+0x5bf/0x990
[ 50.241912][ T7931]  ? register_gifconf+0x70/0x70
[ 50.246771][ T7931]  dev_ioctl+0x1b8/0xc90
[ 50.251026][ T7931]  sock_do_ioctl+0x1bd/0x300
[ 50.255624][ T7931]  ? compat_ifr_data_ioctl+0x160/0x160
[ 50.261077][ T7931]  ? tomoyo_domain+0xc5/0x160
[ 50.266550][ T7931]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 50.272809][ T7931]  ? tomoyo_path_number_perm+0x263/0x520
[ 50.278453][ T7931]  sock_ioctl+0x32b/0x610
[ 50.282792][ T7931]  ? dlci_ioctl_set+0x40/0x40
[ 50.287471][ T7931]  ? __fget+0x35a/0x550
[ 50.291623][ T7931]  ? dlci_ioctl_set+0x40/0x40
[ 50.296291][ T7931]  do_vfs_ioctl+0xd6e/0x1390
[ 50.300881][ T7931]  ? ioctl_preallocate+0x210/0x210
[ 50.305986][ T7931]  ? smack_file_ioctl+0x196/0x310
[ 50.311024][ T7931]  ? smack_inode_link+0x2d0/0x2d0
[ 50.316066][ T7931]  ? tomoyo_file_ioctl+0x23/0x30
[ 50.320996][ T7931]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 50.327233][ T7931]  ? security_file_ioctl+0x93/0xc0
[ 50.332353][ T7931]  ksys_ioctl+0xab/0xd0
[ 50.336501][ T7931]  __x64_sys_ioctl+0x73/0xb0
[ 50.341086][ T7931]  do_syscall_64+0x103/0x610
[ 50.345680][ T7931]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 50.351562][ T7931] RIP: 0033:0x4467c9
[ 50.355450][ T7931] Code: e8 0c e8 ff ff 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 5b 07 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 50.375053][ T7931] RSP: 002b:00007fd5c7921d98 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 50.383454][ T7931] RAX: ffffffffffffffda RBX: 00000000006dbc58 RCX: 00000000004467c9
[ 50.391416][ T7931] RDX: 0000000020000340 RSI: 0000000000008914 RDI: 0000000000000003
[ 50.399396][ T7931] RBP: 00000000006dbc50 R08: 00007fd5c7922700 R09: 0000000000000000
[ 50.407358][ T7931] R10: 00007fd5c7922700 R11: 0000000000000246 R12: 00000000006dbc5c
[ 50.415319][ T7931] R13: 6000030030626669 R14: 0000000000000000 R15: 0000000030626669
[ 50.423297][ T7931]
[ 50.425617][ T7931] Allocated by task 7916:
[ 50.429962][ T7931]  save_stack+0x45/0xd0
[ 50.434109][ T7931]  __kasan_kmalloc.constprop.0+0xcf/0xe0
[ 50.439736][ T7931]  kasan_kmalloc+0x9/0x10
[ 50.444081][ T7931]  kmem_cache_alloc_trace+0x151/0x760
[ 50.449443][ T7931]  x25_link_device_up+0x46/0x3f0
[ 50.454371][ T7931]  x25_device_event+0x116/0x2b0
[ 50.459212][ T7931]  notifier_call_chain+0xc7/0x240
[ 50.464404][ T7931]  raw_notifier_call_chain+0x2e/0x40
[ 50.469707][ T7931]  call_netdevice_notifiers_info+0x3f/0x90
[ 50.475504][ T7931]  __dev_notify_flags+0x121/0x2c0
[ 50.480520][ T7931]  dev_change_flags+0x10d/0x170
[ 50.485363][ T7931]  dev_ifsioc+0x5bf/0x990
[ 50.489686][ T7931]  dev_ioctl+0x1b8/0xc90
[ 50.493920][ T7931]  sock_do_ioctl+0x1bd/0x300
[ 50.498512][ T7931]  sock_ioctl+0x32b/0x610
[ 50.502843][ T7931]  do_vfs_ioctl+0xd6e/0x1390
[ 50.507522][ T7931]  ksys_ioctl+0xab/0xd0
[ 50.511675][ T7931]  __x64_sys_ioctl+0x73/0xb0
[ 50.516256][ T7931]  do_syscall_64+0x103/0x610
[ 50.520838][ T7931]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 50.526723][ T7931]
[ 50.529041][ T7931] Freed by task 7932:
[ 50.533040][ T7931]  save_stack+0x45/0xd0
[ 50.537198][ T7931]  __kasan_slab_free+0x102/0x150
[ 50.542130][ T7931]  kasan_slab_free+0xe/0x10
[ 50.546634][ T7931]  kfree+0xcf/0x230
[ 50.550438][ T7931]  x25_connect+0x8d8/0xde0
[ 50.554857][ T7931]  __sys_connect+0x266/0x330
[ 50.559516][ T7931]  __x64_sys_connect+0x73/0xb0
[ 50.564276][ T7931]  do_syscall_64+0x103/0x610
[ 50.568870][ T7931]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 50.574746][ T7931]
[ 50.577097][ T7931] The buggy address belongs to the object at ffff8880a3c68140
[ 50.577097][ T7931]  which belongs to the cache kmalloc-256 of size 256
[ 50.591155][ T7931] The buggy address is located 16 bytes inside of
[ 50.591155][ T7931]  256-byte region [ffff8880a3c68140, ffff8880a3c68240)
[ 50.604320][ T7931] The buggy address belongs to the page:
[ 50.609952][ T7931] page:ffffea00028f1a00 count:1 mapcount:0 mapping:ffff88812c3f07c0 index:0x0
[ 50.618805][ T7931] flags: 0x1fffc0000000200(slab)
[ 50.623770][ T7931] raw: 01fffc0000000200 ffffea00028d6b08 ffffea000294f608 ffff88812c3f07c0
[ 50.632353][ T7931] raw: 0000000000000000 ffff8880a3c68000 000000010000000c 0000000000000000
[ 50.640920][ T7931] page dumped because: kasan: bad access detected
[ 50.647317][ T7931]
[ 50.649630][ T7931] Memory state around the buggy address:
[ 50.655254][ T7931]  ffff8880a3c68000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 50.663302][ T7931]  ffff8880a3c68080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 50.671366][ T7931] >ffff8880a3c68100: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 50.679412][ T7931]                                                  ^
[ 50.686075][ T7931]  ffff8880a3c68180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 50.694125][ T7931]  ffff8880a3c68200: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 50.702261][ T7931] ==================================================================
[ 50.710308][ T7931] Disabling lock debugging due to kernel taint
[ 50.716491][ T7931] Kernel panic - not syncing: panic_on_warn set ...
[ 50.723079][ T7931] CPU: 0 PID: 7931 Comm: syz-executor187 Tainted: G    B             5.0.0+ #15
[ 50.732078][ T7931] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 50.742116][ T7931] Call Trace:
[ 50.745403][ T7931]  dump_stack+0x172/0x1f0
[ 50.749730][ T7931]  panic+0x2cb/0x65c
[ 50.753632][ T7931]  ? __warn_printk+0xf3/0xf3
[ 50.758226][ T7931]  ? retint_kernel+0x2d/0x2d
[ 50.762810][ T7931]  ? trace_hardirqs_on+0x5e/0x230
[ 50.767830][ T7931]  ? x25_device_event+0x296/0x2b0
[ 50.772850][ T7931]  end_report+0x47/0x4f
[ 50.777001][ T7931]  ? x25_device_event+0x296/0x2b0
[ 50.782019][ T7931]  kasan_report.cold+0xe/0x40
[ 50.786683][ T7931]  ? x25_device_event+0x296/0x2b0
[ 50.791700][ T7931]  __asan_report_load8_noabort+0x14/0x20
[ 50.797321][ T7931]  x25_device_event+0x296/0x2b0
[ 50.802162][ T7931]  notifier_call_chain+0xc7/0x240
[ 50.807218][ T7931]  raw_notifier_call_chain+0x2e/0x40
[ 50.812500][ T7931]  call_netdevice_notifiers_info+0x3f/0x90
[ 50.818340][ T7931]  __dev_notify_flags+0x1e9/0x2c0
[ 50.823363][ T7931]  ? dev_change_name+0xa00/0xa00
[ 50.828289][ T7931]  ? __dev_change_flags+0x513/0x6e0
[ 50.833485][ T7931]  ? dev_set_allmulti+0x30/0x30
[ 50.838326][ T7931]  ? mutex_trylock+0x1e0/0x1e0
[ 50.843093][ T7931]  ? find_held_lock+0x35/0x130
[ 50.847849][ T7931]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 50.854090][ T7931]  dev_change_flags+0x10d/0x170
[ 50.858935][ T7931]  dev_ifsioc+0x5bf/0x990
[ 50.863255][ T7931]  ? register_gifconf+0x70/0x70
[ 50.868103][ T7931]  dev_ioctl+0x1b8/0xc90
[ 50.872339][ T7931]  sock_do_ioctl+0x1bd/0x300
[ 50.876918][ T7931]  ? compat_ifr_data_ioctl+0x160/0x160
[ 50.882375][ T7931]  ? tomoyo_domain+0xc5/0x160
[ 50.887071][ T7931]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 50.893308][ T7931]  ? tomoyo_path_number_perm+0x263/0x520
[ 50.898968][ T7931]  sock_ioctl+0x32b/0x610
[ 50.903290][ T7931]  ? dlci_ioctl_set+0x40/0x40
[ 50.907963][ T7931]  ? __fget+0x35a/0x550
[ 50.912112][ T7931]  ? dlci_ioctl_set+0x40/0x40
[ 50.916794][ T7931]  do_vfs_ioctl+0xd6e/0x1390
[ 50.921378][ T7931]  ? ioctl_preallocate+0x210/0x210
[ 50.926478][ T7931]  ? smack_file_ioctl+0x196/0x310
[ 50.931496][ T7931]  ? smack_inode_link+0x2d0/0x2d0
[ 50.936515][ T7931]  ? tomoyo_file_ioctl+0x23/0x30
[ 50.941464][ T7931]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 50.947697][ T7931]  ? security_file_ioctl+0x93/0xc0
[ 50.952802][ T7931]  ksys_ioctl+0xab/0xd0
[ 50.956949][ T7931]  __x64_sys_ioctl+0x73/0xb0
[ 50.961538][ T7931]  do_syscall_64+0x103/0x610
[ 50.966141][ T7931]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 50.972042][ T7931] RIP: 0033:0x4467c9
[ 50.975938][ T7931] Code: e8 0c e8 ff ff 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 5b 07 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 50.995531][ T7931] RSP: 002b:00007fd5c7921d98 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 51.003933][ T7931] RAX: ffffffffffffffda RBX: 00000000006dbc58 RCX: 00000000004467c9
[ 51.011913][ T7931] RDX: 0000000020000340 RSI: 0000000000008914 RDI: 0000000000000003
[ 51.019873][ T7931] RBP: 00000000006dbc50 R08: 00007fd5c7922700 R09: 0000000000000000
[ 51.027835][ T7931] R10: 00007fd5c7922700 R11: 0000000000000246 R12: 00000000006dbc5c
[ 51.035797][ T7931] R13: 6000030030626669 R14: 0000000000000000 R15: 0000000030626669
[ 51.044488][ T7931] Kernel Offset: disabled
[ 51.048826][ T7931] Rebooting in 86400 seconds..
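A triage helper for console-log KASAN reports like the one above, added here as an example; it is not part of the syzbot report and not code from the kernel tree. It strips the "[ time][ Tn] " console prefix, splits the report into its sections, names the first frame of the use, allocation and free stacks that is not KASAN or allocator plumbing, decodes the shadow byte covering the faulting address, and reads the syscall out of the register dump. SAMPLE is a trimmed excerpt of the report above; the shadow-byte meanings are the generic-KASAN encoding of this kernel generation, and the syscall and ioctl tables hold only the x86_64 numbers this report needs (16 = ioctl, 0x8914 = SIOCSIFFLAGS).

```python
import re

# Added triage helper, not code from the report or the kernel tree. Tables hold
# the generic-KASAN shadow encoding of this kernel generation and only the x86_64
# syscall / ioctl numbers this report needs; extend them for other reports.
PREFIX = re.compile(r"^\[\s*\d+\.\d+\]\[\s*T\d+\] ?")            # "[ 50.1][ T7931] "
FRAME = re.compile(r"^(\? )?(\S+?)\+0x[0-9a-f]+/0x[0-9a-f]+$")     # "? func+0x1/0x2"
SHADOW_ROW = re.compile(r"^>?([0-9a-f]{16}): ((?:[0-9a-f]{2} ?)+)$")
REG = re.compile(r"\b([A-Z_0-9]{2,8}): ([0-9a-f]{16})\b")
SHADOW_MEANING = {0x00: "addressable", 0xfa: "global redzone", 0xfb: "freed slab object",
                  0xfc: "slab redzone", 0xfe: "kmalloc_large redzone", 0xff: "freed page"}
SYSCALL_X86_64, IOCTL_REQUEST = {16: "ioctl", 42: "connect"}, {0x8914: "SIOCSIFFLAGS"}
# Instrumentation and allocator frames to skip when naming the responsible code.
NOISE = ("dump_stack", "print_address_description", "kasan_", "__kasan_",
         "__asan_report", "save_stack", "kmem_cache_alloc", "kmalloc", "kfree")

# Trimmed excerpt of the report above (console prefixes kept on purpose).
SAMPLE = """\
[ 50.095715][ T7931] BUG: KASAN: use-after-free in x25_device_event+0x296/0x2b0
[ 50.103121][ T7931] Read of size 8 at addr ffff8880a3c68150 by task syz-executor187/7931
[ 50.131359][ T7931] Call Trace:
[ 50.170272][ T7931]  __asan_report_load8_noabort+0x14/0x20
[ 50.175892][ T7931]  x25_device_event+0x296/0x2b0
[ 50.201965][ T7931]  ? dev_change_name+0xa00/0xa00
[ 50.375053][ T7931] RSP: 002b:00007fd5c7921d98 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 50.391416][ T7931] RDX: 0000000020000340 RSI: 0000000000008914 RDI: 0000000000000003
[ 50.425617][ T7931] Allocated by task 7916:
[ 50.444081][ T7931]  kmem_cache_alloc_trace+0x151/0x760
[ 50.449443][ T7931]  x25_link_device_up+0x46/0x3f0
[ 50.529041][ T7931] Freed by task 7932:
[ 50.546634][ T7931]  kfree+0xcf/0x230
[ 50.550438][ T7931]  x25_connect+0x8d8/0xde0
[ 50.577097][ T7931]  which belongs to the cache kmalloc-256 of size 256
[ 50.591155][ T7931] The buggy address is located 16 bytes inside of
[ 50.649630][ T7931] Memory state around the buggy address:
[ 50.671366][ T7931] >ffff8880a3c68100: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
"""


def first_caller(frames):
    """First frame that is not KASAN, stack-saving or allocator plumbing."""
    return next((f for f in frames if not f.startswith(NOISE)), None)


def parse_report(text):
    """Section the report: header, use/alloc/free stacks, registers, object, shadow rows."""
    lines = [PREFIX.sub("", ln).strip() for ln in text.splitlines()]
    rep = {"stacks": {"use": [], "alloc": [], "free": []}, "regs": {}, "shadow": {}}
    section = None
    for ln in lines:
        if not ln:                                   # a blank line closes a stack section
            section = None
        elif m := re.match(r"BUG: KASAN: (\S+) in (\S+)", ln):
            rep["bug"], rep["where"] = m.groups()
        elif m := re.match(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task \S+/(\d+)", ln):
            rep.update(access=m[1].lower(), size=int(m[2]), addr=int(m[3], 16), pid=int(m[4]))
        elif ln == "Call Trace:":
            section = "use"
        elif m := re.match(r"(Allocated|Freed) by task (\d+):", ln):
            section = "alloc" if m[1] == "Allocated" else "free"
            rep[section + "_pid"] = int(m[2])
        elif ln.startswith("Memory state around"):
            section = "shadow"
        elif m := re.search(r"cache (\S+) of size (\d+)", ln):
            rep["cache"], rep["cache_size"] = m[1], int(m[2])
        elif m := re.search(r"located (\d+) bytes (inside|to the right|to the left) of", ln):
            rep["offset"], rep["relation"] = int(m[1]), m[2]
        elif section in rep["stacks"]:
            if (fm := FRAME.match(ln)) is None:      # register dump printed under the trace
                rep["regs"].update((k, int(v, 16)) for k, v in REG.findall(ln))
            elif not fm[1]:                          # drop "? frame" guesses
                rep["stacks"][section].append(ln)
        elif section == "shadow" and (sm := SHADOW_ROW.match(ln)):
            rep["shadow"][int(sm[1], 16)] = [int(b, 16) for b in sm[2].split()]
    return rep


def shadow_byte(rep):
    """Shadow byte covering the faulting address (one shadow byte per 8-byte granule)."""
    for base, row in rep["shadow"].items():
        if base <= rep["addr"] < base + 8 * len(row):
            return row[(rep["addr"] - base) >> 3]
    return None


def triage(text):
    """One-screen summary: what, where, who allocated/freed/used it, in which syscall."""
    rep = parse_report(text)
    sysno, req = rep["regs"].get("ORIG_RAX"), rep["regs"].get("RSI")
    syscall = SYSCALL_X86_64.get(sysno, f"syscall {sysno}")
    if syscall == "ioctl":                           # RSI holds the ioctl request number
        syscall += f"({IOCTL_REQUEST.get(req, hex(req or 0))})"
    sb = shadow_byte(rep)
    return {
        "bug": rep["bug"], "where": rep["where"],
        "access": f"{rep['access']} of {rep['size']} bytes",
        "use": (rep["pid"], first_caller(rep["stacks"]["use"]), syscall),
        "alloc": (rep["alloc_pid"], first_caller(rep["stacks"]["alloc"])),
        "free": (rep["free_pid"], first_caller(rep["stacks"]["free"])),
        "object": f"{rep['cache']}, offset {rep['offset']} {rep['relation']} a {rep['cache_size']}-byte object",
        "shadow": (sb, SHADOW_MEANING.get(sb, "unknown")),
        "freed_by_other_task": rep["free_pid"] != rep["pid"],
    }
```

Run on the full report, triage() reduces it to: an 8-byte read at offset 16 of a kmalloc-256 object that task 7916 allocated in x25_link_device_up (reached through the netdevice notifier) and task 7932 freed in x25_connect, read by task 7931 from x25_device_event inside ioctl(SIOCSIFFLAGS), with the shadow byte under the caret being 0xfb (freed slab object). The freed_by_other_task flag is the property worth noticing first: the free and the use come from different tasks and different syscalls, so the object is shared rather than private to the socket whose connect freed it, and a fix has to reason about its lifetime across the notifier path, not just the connect error path.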