[ 69.389492][ T26] audit: type=1800 audit(1564554846.427:27): pid=10004 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0
[ 69.418606][ T26] audit: type=1800 audit(1564554846.427:28): pid=10004 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="ssh" dev="sda1" ino=2417 res=0
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ 70.279024][ T26] audit: type=1800 audit(1564554847.377:29): pid=10004 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="rc.local" dev="sda1" ino=2432 res=0
[ 70.300801][ T26] audit: type=1800 audit(1564554847.377:30): pid=10004 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="rmnologin" dev="sda1" ino=2423 res=0

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.134' (ECDSA) to the list of known hosts.
syzkaller login: [ 81.156195][T10157] IPVS: ftp: loaded support on port[0] = 21
[ 81.198298][T10157] chnl_net:caif_netlink_parms(): no params data found
[ 81.223371][T10157] bridge0: port 1(bridge_slave_0) entered blocking state
[ 81.230551][T10157] bridge0: port 1(bridge_slave_0) entered disabled state
[ 81.238001][T10157] device bridge_slave_0 entered promiscuous mode
[ 81.245394][T10157] bridge0: port 2(bridge_slave_1) entered blocking state
[ 81.252527][T10157] bridge0: port 2(bridge_slave_1) entered disabled state
[ 81.260087][T10157] device bridge_slave_1 entered promiscuous mode
[ 81.274218][T10157] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 81.284713][T10157] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 81.301022][T10157] team0: Port device team_slave_0 added
[ 81.307457][T10157] team0: Port device team_slave_1 added
[ 81.380324][T10157] device hsr_slave_0 entered promiscuous mode
[ 81.448816][T10157] device hsr_slave_1 entered promiscuous mode
[ 81.523907][T10157] bridge0: port 2(bridge_slave_1) entered blocking state
[ 81.531098][T10157] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 81.538472][T10157] bridge0: port 1(bridge_slave_0) entered blocking state
[ 81.545755][T10157] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 81.571250][T10157] 8021q: adding VLAN 0 to HW filter on device bond0
[ 81.581909][ T3021] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 81.601307][ T3021] bridge0: port 1(bridge_slave_0) entered disabled state
[ 81.609026][ T3021] bridge0: port 2(bridge_slave_1) entered disabled state
[ 81.616644][ T3021] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 81.626938][T10157] 8021q: adding VLAN 0 to HW filter on device team0
[ 81.636156][ T22] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 81.644854][ T22] bridge0: port 1(bridge_slave_0) entered blocking state
[ 81.651903][ T22] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 81.661817][ T3021] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 81.670694][ T3021] bridge0: port 2(bridge_slave_1) entered blocking state
[ 81.677718][ T3021] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 81.700458][ T3517] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 81.709373][ T3517] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 81.717813][ T3517] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
executing program
[ 81.726197][ T3517] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 81.734787][ T3517] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 81.744002][T10157] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 81.758616][T10157] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 81.883079][T10169] IPVS: ftp: loaded support on port[0] = 21
[ 82.063599][T10169] IPVS: ftp: loaded support on port[0] = 21
executing program
[ 82.203837][T10173] IPVS: ftp: loaded support on port[0] = 21
[ 82.423251][T10174] IPVS: ftp: loaded support on port[0] = 21
executing program
[ 82.671961][T10179] IPVS: ftp: loaded support on port[0] = 21
[ 82.937110][T10180] IPVS: ftp: loaded support on port[0] = 21
executing program
[ 83.183249][T10184] IPVS: ftp: loaded support on port[0] = 21
[ 83.413833][T10186] IPVS: ftp: loaded support on port[0] = 21
executing program
[ 83.613290][T10197] IPVS: ftp: loaded support on port[0] = 21
[ 83.852607][T10198] IPVS: ftp: loaded support on port[0] = 21
executing program
[ 84.114211][T10203] IPVS: ftp: loaded support on port[0] = 21
[ 84.343235][T10204] IPVS: ftp: loaded support on port[0] = 21
[ 84.529893][T10205] ==================================================================
[ 84.538316][T10205] BUG: KASAN: use-after-free in do_raw_spin_lock+0x28a/0x2e0
[ 84.545889][T10205] Read of size 4 at addr ffff8880a81b540c by task syz-executor143/10205
[ 84.554232][T10205]
[ 84.556554][T10205] CPU: 1 PID: 10205 Comm: syz-executor143 Not tainted 5.3.0-rc2+ #90
[ 84.564841][T10205] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 84.574879][T10205] Call Trace:
[ 84.578245][T10205]  dump_stack+0x172/0x1f0
[ 84.582573][T10205]  ? do_raw_spin_lock+0x28a/0x2e0
[ 84.587596][T10205]  print_address_description.cold+0xd4/0x306
[ 84.593608][T10205]  ? do_raw_spin_lock+0x28a/0x2e0
[ 84.598617][T10205]  ? do_raw_spin_lock+0x28a/0x2e0
[ 84.603683][T10205]  __kasan_report.cold+0x1b/0x36
[ 84.608646][T10205]  ? do_raw_spin_lock+0x28a/0x2e0
[ 84.613658][T10205]  kasan_report+0x12/0x17
[ 84.617975][T10205]  __asan_report_load4_noabort+0x14/0x20
[ 84.623592][T10205]  do_raw_spin_lock+0x28a/0x2e0
[ 84.628733][T10205]  ? rwlock_bug.part.0+0x90/0x90
[ 84.633710][T10205]  ? lock_acquire+0x190/0x410
[ 84.638379][T10205]  ? release_sock+0x20/0x1c0
[ 84.642949][T10205]  ? __sk_free+0x100/0x360
[ 84.647458][T10205]  _raw_spin_lock_bh+0x3b/0x50
[ 84.652205][T10205]  ? release_sock+0x20/0x1c0
[ 84.656782][T10205]  release_sock+0x20/0x1c0
[ 84.661244][T10205]  nr_release+0x303/0x3e0
[ 84.665561][T10205]  __sock_release+0xce/0x280
[ 84.670154][T10205]  sock_close+0x1e/0x30
[ 84.674285][T10205]  __fput+0x2ff/0x890
[ 84.678241][T10205]  ? __sock_release+0x280/0x280
[ 84.683087][T10205]  ____fput+0x16/0x20
[ 84.687055][T10205]  task_work_run+0x145/0x1c0
[ 84.691631][T10205]  do_exit+0x92f/0x2e50
[ 84.695772][T10205]  ? task_work_run+0x118/0x1c0
[ 84.700609][T10205]  ? __kasan_check_read+0x11/0x20
[ 84.705620][T10205]  ? mm_update_next_owner+0x640/0x640
[ 84.710977][T10205]  ? __kasan_check_write+0x14/0x20
[ 84.716112][T10205]  ? lock_downgrade+0x920/0x920
[ 84.720946][T10205]  ? rwlock_bug.part.0+0x90/0x90
[ 84.726060][T10205]  ? get_signal+0x20e/0x2500
[ 84.730784][T10205]  do_group_exit+0x135/0x360
[ 84.735367][T10205]  get_signal+0x47c/0x2500
[ 84.739771][T10205]  ? task_work_add+0x9c/0x120
[ 84.744438][T10205]  do_signal+0x87/0x1700
[ 84.748663][T10205]  ? __sys_accept4+0x482/0x6a0
[ 84.753467][T10205]  ? setup_sigcontext+0x7d0/0x7d0
[ 84.758515][T10205]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 84.764751][T10205]  ? __kasan_check_write+0x14/0x20
[ 84.769892][T10205]  ? switch_fpu_return+0x1fa/0x4f0
[ 84.774990][T10205]  ? trace_hardirqs_on+0x67/0x240
[ 84.780055][T10205]  exit_to_usermode_loop+0x286/0x380
[ 84.785328][T10205]  do_syscall_64+0x5a9/0x6a0
[ 84.789903][T10205]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 84.795770][T10205] RIP: 0033:0x447d09
[ 84.799650][T10205] Code: Bad RIP value.
[ 84.803699][T10205] RSP: 002b:00007fca48b63db8 EFLAGS: 00000246 ORIG_RAX: 000000000000002b
[ 84.812424][T10205] RAX: fffffffffffffe00 RBX: 00000000006ddc58 RCX: 0000000000447d09
[ 84.820518][T10205] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000007
[ 84.828470][T10205] RBP: 00000000006ddc50 R08: 0000000000000000 R09: 0000000000000000
[ 84.836426][T10205] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006ddc5c
[ 84.844420][T10205] R13: 00007ffe913f3ebf R14: 00007fca48b649c0 R15: 0000000000000001
[ 84.852386][T10205]
[ 84.854847][T10205] Allocated by task 0:
[ 84.859332][T10205]  save_stack+0x23/0x90
[ 84.863517][T10205]  __kasan_kmalloc.constprop.0+0xcf/0xe0
[ 84.869131][T10205]  kasan_kmalloc+0x9/0x10
[ 84.873439][T10205]  __kmalloc+0x163/0x770
[ 84.877659][T10205]  sk_prot_alloc+0x23a/0x310
[ 84.882234][T10205]  sk_alloc+0x39/0xf70
[ 84.886278][T10205]  nr_rx_frame+0x733/0x1e73
[ 84.890796][T10205]  nr_loopback_timer+0x7b/0x170
[ 84.895691][T10205]  call_timer_fn+0x1ac/0x780
[ 84.900264][T10205]  run_timer_softirq+0x697/0x17a0
[ 84.905269][T10205]  __do_softirq+0x262/0x98c
[ 84.909748][T10205]
[ 84.912048][T10205] Freed by task 10205:
[ 84.916093][T10205]  save_stack+0x23/0x90
[ 84.920269][T10205]  __kasan_slab_free+0x102/0x150
[ 84.925250][T10205]  kasan_slab_free+0xe/0x10
[ 84.929739][T10205]  kfree+0x10a/0x2c0
[ 84.933619][T10205]  __sk_destruct+0x4f7/0x6e0
[ 84.938188][T10205]  sk_destruct+0x86/0xa0
[ 84.942405][T10205]  __sk_free+0xfb/0x360
[ 84.946540][T10205]  sk_free+0x42/0x50
[ 84.950416][T10205]  nr_destroy_socket+0x3ea/0x4a0
[ 84.955377][T10205]  nr_release+0x347/0x3e0
[ 84.959788][T10205]  __sock_release+0xce/0x280
[ 84.964448][T10205]  sock_close+0x1e/0x30
[ 84.968595][T10205]  __fput+0x2ff/0x890
[ 84.972573][T10205]  ____fput+0x16/0x20
[ 84.976575][T10205]  task_work_run+0x145/0x1c0
[ 84.981151][T10205]  do_exit+0x92f/0x2e50
[ 84.985282][T10205]  do_group_exit+0x135/0x360
[ 84.989851][T10205]  get_signal+0x47c/0x2500
[ 84.994245][T10205]  do_signal+0x87/0x1700
[ 84.998463][T10205]  exit_to_usermode_loop+0x286/0x380
[ 85.003729][T10205]  do_syscall_64+0x5a9/0x6a0
[ 85.008400][T10205]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 85.014261][T10205]
[ 85.016604][T10205] The buggy address belongs to the object at ffff8880a81b5380
[ 85.016604][T10205]  which belongs to the cache kmalloc-2k of size 2048
[ 85.030689][T10205] The buggy address is located 140 bytes inside of
[ 85.030689][T10205]  2048-byte region [ffff8880a81b5380, ffff8880a81b5b80)
[ 85.044165][T10205] The buggy address belongs to the page:
[ 85.049792][T10205] page:ffffea0002a06d00 refcount:1 mapcount:0 mapping:ffff8880aa400e00 index:0x0 compound_mapcount: 0
[ 85.060774][T10205] flags: 0x1fffc0000010200(slab|head)
[ 85.066143][T10205] raw: 01fffc0000010200 ffffea0002a0ec88 ffffea0002a07708 ffff8880aa400e00
[ 85.074799][T10205] raw: 0000000000000000 ffff8880a81b4280 0000000100000003 0000000000000000
[ 85.083414][T10205] page dumped because: kasan: bad access detected
[ 85.089907][T10205]
[ 85.092208][T10205] Memory state around the buggy address:
[ 85.097871][T10205]  ffff8880a81b5300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 85.105931][T10205]  ffff8880a81b5380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 85.113985][T10205] >ffff8880a81b5400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 85.122236][T10205]                       ^
[ 85.126582][T10205]  ffff8880a81b5480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 85.134654][T10205]  ffff8880a81b5500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 85.142696][T10205] ==================================================================
[ 85.150842][T10205] Kernel panic - not syncing: panic_on_warn set ...
[ 85.157424][T10205] CPU: 1 PID: 10205 Comm: syz-executor143 Tainted: G B 5.3.0-rc2+ #90
[ 85.166855][T10205] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 85.176887][T10205] Call Trace:
[ 85.180268][T10205]  dump_stack+0x172/0x1f0
[ 85.184590][T10205]  panic+0x2dc/0x755
[ 85.188463][T10205]  ? add_taint.cold+0x16/0x16
[ 85.193117][T10205]  ? trace_hardirqs_on+0x5e/0x240
[ 85.198117][T10205]  ? trace_hardirqs_on+0x5e/0x240
[ 85.203238][T10205]  ? do_raw_spin_lock+0x28a/0x2e0
[ 85.208249][T10205]  end_report+0x47/0x4f
[ 85.212388][T10205]  ? do_raw_spin_lock+0x28a/0x2e0
[ 85.217388][T10205]  __kasan_report.cold+0xe/0x36
[ 85.222216][T10205]  ? do_raw_spin_lock+0x28a/0x2e0
[ 85.227221][T10205]  kasan_report+0x12/0x17
[ 85.231837][T10205]  __asan_report_load4_noabort+0x14/0x20
[ 85.237601][T10205]  do_raw_spin_lock+0x28a/0x2e0
[ 85.242464][T10205]  ? rwlock_bug.part.0+0x90/0x90
[ 85.247391][T10205]  ? lock_acquire+0x190/0x410
[ 85.252112][T10205]  ? release_sock+0x20/0x1c0
[ 85.256922][T10205]  ? __sk_free+0x100/0x360
[ 85.261441][T10205]  _raw_spin_lock_bh+0x3b/0x50
[ 85.266225][T10205]  ? release_sock+0x20/0x1c0
[ 85.271007][T10205]  release_sock+0x20/0x1c0
[ 85.275420][T10205]  nr_release+0x303/0x3e0
[ 85.279843][T10205]  __sock_release+0xce/0x280
[ 85.284420][T10205]  sock_close+0x1e/0x30
[ 85.288567][T10205]  __fput+0x2ff/0x890
[ 85.292803][T10205]  ? __sock_release+0x280/0x280
[ 85.297773][T10205]  ____fput+0x16/0x20
[ 85.301793][T10205]  task_work_run+0x145/0x1c0
[ 85.306394][T10205]  do_exit+0x92f/0x2e50
[ 85.310653][T10205]  ? task_work_run+0x118/0x1c0
[ 85.315408][T10205]  ? __kasan_check_read+0x11/0x20
[ 85.320527][T10205]  ? mm_update_next_owner+0x640/0x640
[ 85.325893][T10205]  ? __kasan_check_write+0x14/0x20
[ 85.331004][T10205]  ? lock_downgrade+0x920/0x920
[ 85.335859][T10205]  ? rwlock_bug.part.0+0x90/0x90
[ 85.340803][T10205]  ? get_signal+0x20e/0x2500
[ 85.345506][T10205]  do_group_exit+0x135/0x360
[ 85.350094][T10205]  get_signal+0x47c/0x2500
[ 85.354510][T10205]  ? task_work_add+0x9c/0x120
[ 85.359177][T10205]  do_signal+0x87/0x1700
[ 85.363404][T10205]  ? __sys_accept4+0x482/0x6a0
[ 85.368160][T10205]  ? setup_sigcontext+0x7d0/0x7d0
[ 85.373216][T10205]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 85.379447][T10205]  ? __kasan_check_write+0x14/0x20
[ 85.384552][T10205]  ? switch_fpu_return+0x1fa/0x4f0
[ 85.389647][T10205]  ? trace_hardirqs_on+0x67/0x240
[ 85.394671][T10205]  exit_to_usermode_loop+0x286/0x380
[ 85.399949][T10205]  do_syscall_64+0x5a9/0x6a0
[ 85.404540][T10205]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 85.410505][T10205] RIP: 0033:0x447d09
[ 85.414384][T10205] Code: Bad RIP value.
[ 85.418426][T10205] RSP: 002b:00007fca48b63db8 EFLAGS: 00000246 ORIG_RAX: 000000000000002b
[ 85.426931][T10205] RAX: fffffffffffffe00 RBX: 00000000006ddc58 RCX: 0000000000447d09
[ 85.435001][T10205] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000007
[ 85.442957][T10205] RBP: 00000000006ddc50 R08: 0000000000000000 R09: 0000000000000000
[ 85.450918][T10205] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006ddc5c
[ 85.458936][T10205] R13: 00007ffe913f3ebf R14: 00007fca48b649c0 R15: 0000000000000001
[ 85.468135][T10205] Kernel Offset: disabled
[ 85.472474][T10205] Rebooting in 86400 seconds..