[....] Starting enhanced syslogd: rsyslogd[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[ ok 8[?25h[?0c. [ 28.513271] kauditd_printk_skb: 7 callbacks suppressed [ 28.513298] audit: type=1800 audit(1544578016.412:29): pid=5853 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="rc.local" dev="sda1" ino=2432 res=0 [ 28.539116] audit: type=1800 audit(1544578016.422:30): pid=5853 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="rmnologin" dev="sda1" ino=2423 res=0 Debian GNU/Linux 7 syzkaller ttyS0 Warning: Permanently added '10.128.0.76' (ECDSA) to the list of known hosts. executing program syzkaller login: [ 36.948701] ================================================================== [ 36.956186] BUG: KASAN: use-after-free in tipc_group_bc_cong+0x327/0x3f0 [ 36.963028] Read of size 2 at addr ffff8881d8f62074 by task syz-executor882/6010 [ 36.970542] [ 36.972157] CPU: 1 PID: 6010 Comm: syz-executor882 Not tainted 4.20.0-rc6+ #274 [ 36.979583] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 36.988923] Call Trace: [ 36.991515] dump_stack+0x244/0x39d [ 36.995132] ? dump_stack_print_info.cold.1+0x20/0x20 [ 37.000307] ? printk+0xa7/0xcf [ 37.003574] ? kmsg_dump_rewind_nolock+0xe4/0xe4 [ 37.008317] ? _raw_spin_unlock_irqrestore+0x82/0xd0 [ 37.013408] print_address_description.cold.7+0x9/0x1ff [ 37.018760] kasan_report.cold.8+0x242/0x309 [ 37.023175] ? tipc_group_bc_cong+0x327/0x3f0 [ 37.027672] __asan_report_load2_noabort+0x14/0x20 [ 37.032588] tipc_group_bc_cong+0x327/0x3f0 [ 37.036894] ? _raw_spin_unlock_irqrestore+0x6d/0xd0 [ 37.041985] ? tipc_group_cong+0x5d0/0x5d0 [ 37.046208] ? remove_wait_queue+0x1a6/0x360 [ 37.050607] ? add_wait_queue+0x2b0/0x2b0 [ 37.054740] ? __local_bh_enable_ip+0x160/0x260 [ 37.059446] tipc_send_group_bcast+0x50a/0xd90 [ 37.064027] ? tipc_sk_sock_err.isra.61+0x2f0/0x2f0 [ 37.069038] ? __init_waitqueue_head+0x150/0x150 [ 37.073804] ? mark_held_locks+0x130/0x130 [ 37.078037] ? futex_wake+0x760/0x760 [ 37.081825] ? __sanitizer_cov_trace_switch+0x53/0x90 [ 37.087004] __tipc_sendmsg+0xeec/0x1d40 [ 37.091074] ? futex_wait+0x5ec/0xa50 [ 37.094869] ? tipc_sendmcast+0xf50/0xf50 [ 37.099009] ? zap_class+0x640/0x640 [ 37.102734] ? print_usage_bug+0xc0/0xc0 [ 37.106796] ? find_held_lock+0x36/0x1c0 [ 37.110864] ? mark_held_locks+0xc7/0x130 [ 37.114999] ? __local_bh_enable_ip+0x160/0x260 [ 37.119653] ? __local_bh_enable_ip+0x160/0x260 [ 37.124326] ? lockdep_hardirqs_on+0x3bb/0x5b0 [ 37.128898] ? trace_hardirqs_on+0xbd/0x310 [ 37.133206] ? lock_release+0xa00/0xa00 [ 37.137162] ? lock_sock_nested+0xe2/0x120 [ 37.141383] ? trace_hardirqs_off_caller+0x310/0x310 [ 37.146477] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 37.152002] ? check_preemption_disabled+0x48/0x280 [ 37.157001] ? lock_sock_nested+0x9a/0x120 [ 37.161225] ? lock_sock_nested+0x9a/0x120 [ 37.165446] ? __local_bh_enable_ip+0x160/0x260 [ 37.170108] tipc_sendmsg+0x50/0x70 [ 37.173740] ? __tipc_sendmsg+0x1d40/0x1d40 [ 37.178051] sock_sendmsg+0xd5/0x120 [ 37.181752] ___sys_sendmsg+0x7fd/0x930 [ 37.185711] ? __local_bh_enable_ip+0x160/0x260 [ 37.190368] ? copy_msghdr_from_user+0x580/0x580 [ 37.195111] ? trace_hardirqs_off_caller+0x310/0x310 [ 37.200204] ? check_preemption_disabled+0x48/0x280 [ 37.205208] ? release_sock+0x1ec/0x2c0 [ 37.209171] ? __fget_light+0x2e9/0x430 [ 37.213132] ? fget_raw+0x20/0x20 [ 37.216572] ? __release_sock+0x3a0/0x3a0 [ 37.220712] ? tipc_nametbl_build_group+0x273/0x360 [ 37.225721] ? tipc_setsockopt+0x726/0xd70 [ 37.229964] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 37.235488] ? sockfd_lookup_light+0xc5/0x160 [ 37.239976] __sys_sendmsg+0x11d/0x280 [ 37.243852] ? __ia32_sys_shutdown+0x80/0x80 [ 37.248263] ? do_fast_syscall_32+0x150/0xfb2 [ 37.252748] ? do_fast_syscall_32+0x150/0xfb2 [ 37.257235] ? trace_hardirqs_off_caller+0x310/0x310 [ 37.262333] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 37.267860] __ia32_compat_sys_sendmsg+0x7a/0xb0 [ 37.272613] do_fast_syscall_32+0x34d/0xfb2 [ 37.276923] ? do_int80_syscall_32+0x890/0x890 [ 37.281496] ? entry_SYSENTER_compat+0x68/0x7f [ 37.286065] ? trace_hardirqs_off_caller+0xbb/0x310 [ 37.291067] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 37.295894] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 37.300723] ? trace_hardirqs_on_caller+0x310/0x310 [ 37.305725] ? prepare_exit_to_usermode+0x3b0/0x3b0 [ 37.310748] ? prepare_exit_to_usermode+0x291/0x3b0 [ 37.315760] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 37.320599] entry_SYSENTER_compat+0x70/0x7f [ 37.325012] RIP: 0023:0xf7f63a29 [ 37.328369] Code: 85 d2 74 02 89 0a 5b 5d c3 8b 04 24 c3 8b 14 24 c3 8b 3c 24 c3 90 90 90 90 90 90 90 90 90 90 90 90 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 eb 0d 90 90 90 90 90 90 90 90 90 90 90 90 [ 37.347262] RSP: 002b:00000000f7f5f1fc EFLAGS: 00000297 ORIG_RAX: 0000000000000172 [ 37.354960] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00000000200006c0 [ 37.362216] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 [ 37.369474] RBP: 00000000003d0f00 R08: 0000000000000000 R09: 0000000000000000 [ 37.376728] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000 [ 37.383986] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 [ 37.391261] [ 37.392881] Allocated by task 6010: [ 37.396504] save_stack+0x43/0xd0 [ 37.399951] kasan_kmalloc+0xc7/0xe0 [ 37.403656] kmem_cache_alloc_trace+0x152/0x750 [ 37.408310] tipc_group_create+0x152/0xa70 [ 37.412526] tipc_setsockopt+0x2d1/0xd70 [ 37.416573] __compat_sys_setsockopt+0x329/0x860 [ 37.421314] __ia32_compat_sys_setsockopt+0xbd/0x150 [ 37.426406] do_fast_syscall_32+0x34d/0xfb2 [ 37.430717] entry_SYSENTER_compat+0x70/0x7f [ 37.435106] [ 37.436717] Freed by task 6011: [ 37.439985] save_stack+0x43/0xd0 [ 37.443422] __kasan_slab_free+0x102/0x150 [ 37.447637] kasan_slab_free+0xe/0x10 [ 37.451422] kfree+0xcf/0x230 [ 37.454515] tipc_group_delete+0x2e4/0x3f0 [ 37.458734] tipc_sk_leave+0x113/0x220 [ 37.462622] tipc_setsockopt+0x97d/0xd70 [ 37.466665] __compat_sys_setsockopt+0x329/0x860 [ 37.471408] __ia32_compat_sys_setsockopt+0xbd/0x150 [ 37.476512] do_fast_syscall_32+0x34d/0xfb2 [ 37.480819] entry_SYSENTER_compat+0x70/0x7f [ 37.485206] [ 37.486820] The buggy address belongs to the object at ffff8881d8f62000 [ 37.486820] which belongs to the cache kmalloc-192 of size 192 [ 37.499467] The buggy address is located 116 bytes inside of [ 37.499467] 192-byte region [ffff8881d8f62000, ffff8881d8f620c0) [ 37.511327] The buggy address belongs to the page: [ 37.516268] page:ffffea000763d880 count:1 mapcount:0 mapping:ffff8881da800040 index:0xffff8881d8f62f00 [ 37.525706] flags: 0x2fffc0000000200(slab) [ 37.529927] raw: 02fffc0000000200 ffffea000763dc88 ffffea000763d788 ffff8881da800040 [ 37.537795] raw: ffff8881d8f62f00 ffff8881d8f62000 0000000100000006 0000000000000000 [ 37.545657] page dumped because: kasan: bad access detected [ 37.551344] [ 37.552951] Memory state around the buggy address: [ 37.557862] ffff8881d8f61f00: 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc [ 37.565212] ffff8881d8f61f80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 37.572570] >ffff8881d8f62000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 37.579911] ^ [ 37.586905] ffff8881d8f62080: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 37.594270] ffff8881d8f62100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 37.601613] ================================================================== [ 37.608953] Disabling lock debugging due to kernel taint [ 37.615714] Kernel panic - not syncing: panic_on_warn set ... [ 37.621629] CPU: 0 PID: 6010 Comm: syz-executor882 Tainted: G B 4.20.0-rc6+ #274 [ 37.630465] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 37.639827] Call Trace: [ 37.642404] dump_stack+0x244/0x39d [ 37.646015] ? dump_stack_print_info.cold.1+0x20/0x20 [ 37.651194] panic+0x2ad/0x55c [ 37.654370] ? add_taint.cold.5+0x16/0x16 [ 37.658505] ? preempt_schedule+0x4d/0x60 [ 37.662637] ? ___preempt_schedule+0x16/0x18 [ 37.667031] ? trace_hardirqs_on+0xb4/0x310 [ 37.671337] kasan_end_report+0x47/0x4f [ 37.675300] kasan_report.cold.8+0x76/0x309 [ 37.679604] ? tipc_group_bc_cong+0x327/0x3f0 [ 37.684083] __asan_report_load2_noabort+0x14/0x20 [ 37.689043] tipc_group_bc_cong+0x327/0x3f0 [ 37.693352] ? _raw_spin_unlock_irqrestore+0x6d/0xd0 [ 37.698444] ? tipc_group_cong+0x5d0/0x5d0 [ 37.702662] ? remove_wait_queue+0x1a6/0x360 [ 37.707051] ? add_wait_queue+0x2b0/0x2b0 [ 37.711183] ? __local_bh_enable_ip+0x160/0x260 [ 37.715835] tipc_send_group_bcast+0x50a/0xd90 [ 37.720405] ? tipc_sk_sock_err.isra.61+0x2f0/0x2f0 [ 37.725729] ? __init_waitqueue_head+0x150/0x150 [ 37.730473] ? mark_held_locks+0x130/0x130 [ 37.734691] ? futex_wake+0x760/0x760 [ 37.738495] ? __sanitizer_cov_trace_switch+0x53/0x90 [ 37.743672] __tipc_sendmsg+0xeec/0x1d40 [ 37.747714] ? futex_wait+0x5ec/0xa50 [ 37.751517] ? tipc_sendmcast+0xf50/0xf50 [ 37.755652] ? zap_class+0x640/0x640 [ 37.759363] ? print_usage_bug+0xc0/0xc0 [ 37.763411] ? find_held_lock+0x36/0x1c0 [ 37.767457] ? mark_held_locks+0xc7/0x130 [ 37.771587] ? __local_bh_enable_ip+0x160/0x260 [ 37.776236] ? __local_bh_enable_ip+0x160/0x260 [ 37.780894] ? lockdep_hardirqs_on+0x3bb/0x5b0 [ 37.785458] ? trace_hardirqs_on+0xbd/0x310 [ 37.789765] ? lock_release+0xa00/0xa00 [ 37.793753] ? lock_sock_nested+0xe2/0x120 [ 37.797974] ? trace_hardirqs_off_caller+0x310/0x310 [ 37.803063] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 37.808614] ? check_preemption_disabled+0x48/0x280 [ 37.813612] ? lock_sock_nested+0x9a/0x120 [ 37.817826] ? lock_sock_nested+0x9a/0x120 [ 37.822048] ? __local_bh_enable_ip+0x160/0x260 [ 37.826705] tipc_sendmsg+0x50/0x70 [ 37.830315] ? __tipc_sendmsg+0x1d40/0x1d40 [ 37.834623] sock_sendmsg+0xd5/0x120 [ 37.838321] ___sys_sendmsg+0x7fd/0x930 [ 37.842287] ? __local_bh_enable_ip+0x160/0x260 [ 37.846940] ? copy_msghdr_from_user+0x580/0x580 [ 37.851681] ? trace_hardirqs_off_caller+0x310/0x310 [ 37.857094] ? check_preemption_disabled+0x48/0x280 [ 37.862096] ? release_sock+0x1ec/0x2c0 [ 37.866053] ? __fget_light+0x2e9/0x430 [ 37.870008] ? fget_raw+0x20/0x20 [ 37.873447] ? __release_sock+0x3a0/0x3a0 [ 37.877577] ? tipc_nametbl_build_group+0x273/0x360 [ 37.882593] ? tipc_setsockopt+0x726/0xd70 [ 37.886814] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 37.892333] ? sockfd_lookup_light+0xc5/0x160 [ 37.896811] __sys_sendmsg+0x11d/0x280 [ 37.900703] ? __ia32_sys_shutdown+0x80/0x80 [ 37.905099] ? do_fast_syscall_32+0x150/0xfb2 [ 37.909577] ? do_fast_syscall_32+0x150/0xfb2 [ 37.914059] ? trace_hardirqs_off_caller+0x310/0x310 [ 37.919147] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 37.924682] __ia32_compat_sys_sendmsg+0x7a/0xb0 [ 37.929441] do_fast_syscall_32+0x34d/0xfb2 [ 37.933751] ? do_int80_syscall_32+0x890/0x890 [ 37.938316] ? entry_SYSENTER_compat+0x68/0x7f [ 37.942881] ? trace_hardirqs_off_caller+0xbb/0x310 [ 37.947888] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 37.952724] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 37.957553] ? trace_hardirqs_on_caller+0x310/0x310 [ 37.962555] ? prepare_exit_to_usermode+0x3b0/0x3b0 [ 37.967553] ? prepare_exit_to_usermode+0x291/0x3b0 [ 37.972553] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 37.977381] entry_SYSENTER_compat+0x70/0x7f [ 37.981773] RIP: 0023:0xf7f63a29 [ 37.985128] Code: 85 d2 74 02 89 0a 5b 5d c3 8b 04 24 c3 8b 14 24 c3 8b 3c 24 c3 90 90 90 90 90 90 90 90 90 90 90 90 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 eb 0d 90 90 90 90 90 90 90 90 90 90 90 90 [ 38.004019] RSP: 002b:00000000f7f5f1fc EFLAGS: 00000297 ORIG_RAX: 0000000000000172 [ 38.011752] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00000000200006c0 [ 38.019007] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 [ 38.026266] RBP: 00000000003d0f00 R08: 0000000000000000 R09: 0000000000000000 [ 38.033523] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000 [ 38.040775] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 [ 38.049078] Kernel Offset: disabled [ 38.052704] Rebooting in 86400 seconds..