[ 43.365835][ T26] audit: type=1800 audit(1571360071.445:27): pid=7576 uid=0 auid=4294967295 ses=4294967295 subj=_ op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0
[ 43.387018][ T26] audit: type=1800 audit(1571360071.445:28): pid=7576 uid=0 auid=4294967295 ses=4294967295 subj=_ op=collect_data cause=failed(directio) comm="startpar" name="ssh" dev="sda1" ino=2417 res=0
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ 44.130998][ T26] audit: type=1800 audit(1571360072.275:29): pid=7576 uid=0 auid=4294967295 ses=4294967295 subj=_ op=collect_data cause=failed(directio) comm="startpar" name="rc.local" dev="sda1" ino=2432 res=0
[ 44.150403][ T26] audit: type=1800 audit(1571360072.275:30): pid=7576 uid=0 auid=4294967295 ses=4294967295 subj=_ op=collect_data cause=failed(directio) comm="startpar" name="rmnologin" dev="sda1" ino=2423 res=0

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.10.40' (ECDSA) to the list of known hosts.
2019/10/18 00:55:06 parsed 1 programs
2019/10/18 00:55:07 executed programs: 0
syzkaller login: [ 79.444563][ T7744] IPVS: ftp: loaded support on port[0] = 21
[ 79.493259][ T7744] chnl_net:caif_netlink_parms(): no params data found
[ 79.516480][ T7744] bridge0: port 1(bridge_slave_0) entered blocking state
[ 79.523842][ T7744] bridge0: port 1(bridge_slave_0) entered disabled state
[ 79.531502][ T7744] device bridge_slave_0 entered promiscuous mode
[ 79.539267][ T7744] bridge0: port 2(bridge_slave_1) entered blocking state
[ 79.546416][ T7744] bridge0: port 2(bridge_slave_1) entered disabled state
[ 79.553856][ T7744] device bridge_slave_1 entered promiscuous mode
[ 79.570082][ T7744] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 79.580363][ T7744] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 79.596656][ T7744] team0: Port device team_slave_0 added
[ 79.603430][ T7744] team0: Port device team_slave_1 added
[ 79.657005][ T7744] device hsr_slave_0 entered promiscuous mode
[ 79.695606][ T7744] device hsr_slave_1 entered promiscuous mode
[ 79.741724][ T7744] bridge0: port 2(bridge_slave_1) entered blocking state
[ 79.748866][ T7744] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 79.756573][ T7744] bridge0: port 1(bridge_slave_0) entered blocking state
[ 79.763599][ T7744] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 79.791825][ T7744] 8021q: adding VLAN 0 to HW filter on device bond0
[ 79.804405][ T22] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 79.824014][ T22] bridge0: port 1(bridge_slave_0) entered disabled state
[ 79.832118][ T22] bridge0: port 2(bridge_slave_1) entered disabled state
[ 79.840876][ T22] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 79.851930][ T7744] 8021q: adding VLAN 0 to HW filter on device team0
[ 79.861758][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 79.870289][ T5] bridge0: port 1(bridge_slave_0) entered blocking state
[ 79.877353][ T5] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 79.896706][ T7748] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 79.905581][ T7748] bridge0: port 2(bridge_slave_1) entered blocking state
[ 79.912617][ T7748] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 79.921220][ T7748] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 79.930206][ T7748] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 79.938585][ T7748] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 79.947516][ T7748] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 79.956875][ T22] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 79.967584][ T7744] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 79.983042][ T7744] 8021q: adding VLAN 0 to HW filter on device batadv0
2019/10/18 00:55:12 executed programs: 228
2019/10/18 00:55:17 executed programs: 514
2019/10/18 00:55:22 executed programs: 796
2019/10/18 00:55:27 executed programs: 1075
[ 100.045022][ T7748] ==================================================================
[ 100.053293][ T7748] BUG: KASAN: use-after-free in rxrpc_send_keepalive+0xe2/0x3c0
[ 100.060913][ T7748] Read of size 8 at addr ffff88808eed7018 by task kworker/0:3/7748
[ 100.068786][ T7748]
[ 100.071106][ T7748] CPU: 0 PID: 7748 Comm: kworker/0:3 Not tainted 5.4.0-rc3+ #0
[ 100.078712][ T7748] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 100.088852][ T7748] Workqueue: krxrpcd rxrpc_peer_keepalive_worker
[ 100.095258][ T7748] Call Trace:
[ 100.098534][ T7748] dump_stack+0x1d8/0x2f8
[ 100.102849][ T7748] print_address_description+0x75/0x5c0
[ 100.108377][ T7748] ? vprintk_default+0x28/0x30
[ 100.113184][ T7748] ? vprintk_func+0x158/0x170
[ 100.117842][ T7748] ? printk+0x62/0x8d
[ 100.121808][ T7748] __kasan_report+0x14b/0x1c0
[ 100.126472][ T7748] ? rxrpc_send_keepalive+0xe2/0x3c0
[ 100.131913][ T7748] kasan_report+0x26/0x50
[ 100.136225][ T7748] __asan_report_load8_noabort+0x14/0x20
[ 100.141837][ T7748] rxrpc_send_keepalive+0xe2/0x3c0
[ 100.146943][ T7748] ? lockdep_hardirqs_on+0x3c5/0x7d0
[ 100.152210][ T7748] ? __local_bh_enable_ip+0x13a/0x240
[ 100.157602][ T7748] ? rxrpc_peer_keepalive_worker+0x6ed/0xb40
[ 100.163564][ T7748] ? trace_hardirqs_on+0x74/0x80
[ 100.168486][ T7748] ? __local_bh_enable_ip+0x13a/0x240
[ 100.173842][ T7748] ? rxrpc_peer_keepalive_worker+0x6ed/0xb40
[ 100.179803][ T7748] rxrpc_peer_keepalive_worker+0x76e/0xb40
[ 100.185600][ T7748] process_one_work+0x7ef/0x10e0
[ 100.190530][ T7748] worker_thread+0xc01/0x1630
[ 100.195237][ T7748] kthread+0x332/0x350
[ 100.199288][ T7748] ? rcu_lock_release+0x30/0x30
[ 100.204117][ T7748] ? kthread_blkcg+0xe0/0xe0
[ 100.208696][ T7748] ret_from_fork+0x24/0x30
[ 100.213102][ T7748]
[ 100.215419][ T7748] Allocated by task 7802:
[ 100.219734][ T7748] __kasan_kmalloc+0x11c/0x1b0
[ 100.224476][ T7748] kasan_kmalloc+0x9/0x10
[ 100.228789][ T7748] kmem_cache_alloc_trace+0x221/0x2f0
[ 100.234143][ T7748] rxrpc_lookup_local+0x708/0x16f0
[ 100.239232][ T7748] rxrpc_sendmsg+0x493/0x8b0
[ 100.243852][ T7748] ___sys_sendmsg+0x60d/0x910
[ 100.248509][ T7748] __sys_sendmmsg+0x239/0x470
[ 100.253168][ T7748] __x64_sys_sendmmsg+0xa0/0xb0
[ 100.257997][ T7748] do_syscall_64+0xf7/0x1c0
[ 100.262538][ T7748] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 100.268448][ T7748]
[ 100.270763][ T7748] Freed by task 7817:
[ 100.274726][ T7748] __kasan_slab_free+0x12a/0x1e0
[ 100.279645][ T7748] kasan_slab_free+0xe/0x10
[ 100.284133][ T7748] kfree+0x115/0x200
[ 100.288026][ T7748] rxrpc_local_rcu+0x63/0x80
[ 100.292608][ T7748] rcu_core+0x843/0x1050
[ 100.296843][ T7748] rcu_core_si+0x9/0x10
[ 100.300988][ T7748] __do_softirq+0x333/0x7c4
[ 100.305471][ T7748]
[ 100.307785][ T7748] The buggy address belongs to the object at ffff88808eed7000
[ 100.307785][ T7748] which belongs to the cache kmalloc-1k of size 1024
[ 100.321820][ T7748] The buggy address is located 24 bytes inside of
[ 100.321820][ T7748] 1024-byte region [ffff88808eed7000, ffff88808eed7400)
[ 100.335071][ T7748] The buggy address belongs to the page:
[ 100.340686][ T7748] page:ffffea00023bb5c0 refcount:1 mapcount:0 mapping:ffff8880aa400c40 index:0xffff88808eed7000
[ 100.351075][ T7748] flags: 0x1fffc0000000200(slab)
[ 100.355999][ T7748] raw: 01fffc0000000200 ffffea00028d2ac8 ffffea000246a208 ffff8880aa400c40
[ 100.364568][ T7748] raw: ffff88808eed7000 ffff88808eed7000 0000000100000001 0000000000000000
[ 100.373167][ T7748] page dumped because: kasan: bad access detected
[ 100.379592][ T7748]
[ 100.381902][ T7748] Memory state around the buggy address:
[ 100.387517][ T7748] ffff88808eed6f00: fc fc fc fc fb fb fb fb fb fb fb fc fc fc fc fb
[ 100.395559][ T7748] ffff88808eed6f80: fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc
[ 100.403651][ T7748] >ffff88808eed7000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 100.411723][ T7748] ^
[ 100.416583][ T7748] ffff88808eed7080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 100.424625][ T7748] ffff88808eed7100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 100.432667][ T7748] ==================================================================
[ 100.440706][ T7748] Disabling lock debugging due to kernel taint
[ 100.448908][ T7748] Kernel panic - not syncing: panic_on_warn set ...
[ 100.455511][ T7748] CPU: 0 PID: 7748 Comm: kworker/0:3 Tainted: G B 5.4.0-rc3+ #0
[ 100.464420][ T7748] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 100.474468][ T7748] Workqueue: krxrpcd rxrpc_peer_keepalive_worker
[ 100.480775][ T7748] Call Trace:
[ 100.484081][ T7748] dump_stack+0x1d8/0x2f8
[ 100.488400][ T7748] panic+0x264/0x7a9
[ 100.492278][ T7748] ? __kasan_report+0x195/0x1c0
[ 100.497152][ T7748] ? trace_hardirqs_on+0x34/0x80
[ 100.502067][ T7748] ? __kasan_report+0x195/0x1c0
[ 100.506901][ T7748] __kasan_report+0x1bb/0x1c0
[ 100.511565][ T7748] ? rxrpc_send_keepalive+0xe2/0x3c0
[ 100.516828][ T7748] kasan_report+0x26/0x50
[ 100.521141][ T7748] __asan_report_load8_noabort+0x14/0x20
[ 100.526753][ T7748] rxrpc_send_keepalive+0xe2/0x3c0
[ 100.531875][ T7748] ? lockdep_hardirqs_on+0x3c5/0x7d0
[ 100.537145][ T7748] ? __local_bh_enable_ip+0x13a/0x240
[ 100.542493][ T7748] ? rxrpc_peer_keepalive_worker+0x6ed/0xb40
[ 100.548452][ T7748] ? trace_hardirqs_on+0x74/0x80
[ 100.553370][ T7748] ? __local_bh_enable_ip+0x13a/0x240
[ 100.558720][ T7748] ? rxrpc_peer_keepalive_worker+0x6ed/0xb40
[ 100.564683][ T7748] rxrpc_peer_keepalive_worker+0x76e/0xb40
[ 100.570479][ T7748] process_one_work+0x7ef/0x10e0
[ 100.575403][ T7748] worker_thread+0xc01/0x1630
[ 100.580071][ T7748] kthread+0x332/0x350
[ 100.584119][ T7748] ? rcu_lock_release+0x30/0x30
[ 100.588955][ T7748] ? kthread_blkcg+0xe0/0xe0
[ 100.593527][ T7748] ret_from_fork+0x24/0x30
[ 100.599254][ T7748] Kernel Offset: disabled
[ 100.603579][ T7748] Rebooting in 86400 seconds..