[ ok ] Starting enhanced syslogd: rsyslogd.
[ 39.240199][ T27] audit: type=1800 audit(1553079064.744:25): pid=7807 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="cron" dev="sda1" ino=2414 res=0
[ 39.285858][ T27] audit: type=1800 audit(1553079064.754:26): pid=7807 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0
[ 39.308288][ T27] audit: type=1800 audit(1553079064.754:27): pid=7807 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.15.216' (ECDSA) to the list of known hosts.
2019/03/20 10:51:38 parsed 1 programs
2019/03/20 10:51:41 executed programs: 0
syzkaller login: [ 75.510379][ T7972] IPVS: ftp: loaded support on port[0] = 21
[ 75.564886][ T7972] chnl_net:caif_netlink_parms(): no params data found
[ 75.593043][ T7972] bridge0: port 1(bridge_slave_0) entered blocking state
[ 75.600630][ T7972] bridge0: port 1(bridge_slave_0) entered disabled state
[ 75.608459][ T7972] device bridge_slave_0 entered promiscuous mode
[ 75.616587][ T7972] bridge0: port 2(bridge_slave_1) entered blocking state
[ 75.623772][ T7972] bridge0: port 2(bridge_slave_1) entered disabled state
[ 75.631604][ T7972] device bridge_slave_1 entered promiscuous mode
[ 75.647380][ T7972] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 75.656660][ T7972] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 75.673319][ T7972] team0: Port device team_slave_0 added
[ 75.681158][ T7972] team0: Port device team_slave_1 added
[ 75.732408][ T7972] device hsr_slave_0 entered promiscuous mode
[ 75.800902][ T7972] device hsr_slave_1 entered promiscuous mode
[ 75.887755][ T7972] bridge0: port 2(bridge_slave_1) entered blocking state
[ 75.895341][ T7972] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 75.903176][ T7972] bridge0: port 1(bridge_slave_0) entered blocking state
[ 75.910222][ T7972] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 75.940335][ T7972] 8021q: adding VLAN 0 to HW filter on device bond0
[ 75.953998][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 75.965192][ T5] bridge0: port 1(bridge_slave_0) entered disabled state
[ 75.973483][ T5] bridge0: port 2(bridge_slave_1) entered disabled state
[ 75.983316][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 75.995946][ T7972] 8021q: adding VLAN 0 to HW filter on device team0
[ 76.006328][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 76.015240][ T17] bridge0: port 1(bridge_slave_0) entered blocking state
[ 76.022739][ T17] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 76.042427][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 76.051285][ T5] bridge0: port 2(bridge_slave_1) entered blocking state
[ 76.058475][ T5] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 76.067104][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 76.075529][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 76.084364][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 76.094322][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 76.102850][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 76.114480][ T7972] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 76.131096][ T7972] 8021q: adding VLAN 0 to HW filter on device batadv0
2019/03/20 10:51:46 executed programs: 311
2019/03/20 10:51:51 executed programs: 645
2019/03/20 10:51:56 executed programs: 995
[ 91.752626][T11959] ==================================================================
[ 91.760881][T11959] BUG: KASAN: use-after-free in tipc_sk_filter_rcv+0x2166/0x34f0
[ 91.768592][T11959] Read of size 4 at addr ffff8880947dc9f4 by task syz-executor.0/11959
[ 91.776811][T11959]
[ 91.779130][T11959] CPU: 0 PID: 11959 Comm: syz-executor.0 Not tainted 5.1.0-rc1-next-20190320 #7
[ 91.788117][T11959] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 91.798172][T11959] Call Trace:
[ 91.801442][T11959]  dump_stack+0x172/0x1f0
[ 91.805747][T11959]  ? tipc_sk_filter_rcv+0x2166/0x34f0
[ 91.811097][T11959]  print_address_description.cold+0x7c/0x20d
[ 91.817054][T11959]  ? tipc_sk_filter_rcv+0x2166/0x34f0
[ 91.822434][T11959]  ? tipc_sk_filter_rcv+0x2166/0x34f0
[ 91.827792][T11959]  kasan_report.cold+0x1b/0x40
[ 91.832529][T11959]  ? tipc_sk_filter_rcv+0x2166/0x34f0
[ 91.837876][T11959]  __asan_report_load4_noabort+0x14/0x20
[ 91.843499][T11959]  tipc_sk_filter_rcv+0x2166/0x34f0
[ 91.848674][T11959]  ? debug_check_no_obj_freed+0x211/0x444
[ 91.854372][T11959]  ? kasan_check_write+0x14/0x20
[ 91.859288][T11959]  ? tipc_sk_overlimit2+0xa0/0xa0
[ 91.864298][T11959]  ? __lock_acquire+0x548/0x3fb0
[ 91.869219][T11959]  ? __release_sock+0xca/0x3a0
[ 91.873960][T11959]  tipc_sk_backlog_rcv+0xeb/0x1e0
[ 91.878979][T11959]  ? tipc_sk_mcast_rcv+0x1020/0x1020
[ 91.884241][T11959]  ? __local_bh_enable_ip+0x15a/0x270
[ 91.889590][T11959]  ? lockdep_hardirqs_on+0x418/0x5d0
[ 91.894851][T11959]  ? __release_sock+0xca/0x3a0
[ 91.899588][T11959]  ? trace_hardirqs_on+0x67/0x230
[ 91.904584][T11959]  ? __release_sock+0xca/0x3a0
[ 91.909342][T11959]  ? __local_bh_enable_ip+0x15a/0x270
[ 91.914690][T11959]  __release_sock+0x12e/0x3a0
[ 91.919365][T11959]  release_sock+0x59/0x1c0
[ 91.923760][T11959]  tipc_setsockopt+0x496/0xb60
[ 91.928500][T11959]  ? tipc_sk_finish_conn+0x640/0x640
[ 91.933777][T11959]  ? apparmor_socket_setsockopt+0x22/0x30
[ 91.939487][T11959]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 91.945711][T11959]  ? security_socket_setsockopt+0x93/0xc0
[ 91.951420][T11959]  __sys_setsockopt+0x180/0x280
[ 91.956298][T11959]  ? kernel_accept+0x310/0x310
[ 91.961043][T11959]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 91.966478][T11959]  ? do_syscall_64+0x26/0x610
[ 91.971146][T11959]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 91.977184][T11959]  ? do_syscall_64+0x26/0x610
[ 91.981847][T11959]  __x64_sys_setsockopt+0xbe/0x150
[ 91.986951][T11959]  do_syscall_64+0x103/0x610
[ 91.991516][T11959]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 91.997380][T11959] RIP: 0033:0x458079
[ 92.001254][T11959] Code: ad b8 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b8 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 92.020845][T11959] RSP: 002b:00007f27472e8c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000036
[ 92.029226][T11959] RAX: ffffffffffffffda RBX: 0000000000000005 RCX: 0000000000458079
[ 92.037170][T11959] RDX: 0000000000000087 RSI: 000000000000010f RDI: 0000000000000006
[ 92.045116][T11959] RBP: 000000000073bf00 R08: 0000000000000034 R09: 0000000000000000
[ 92.053077][T11959] R10: 00000000200000c0 R11: 0000000000000246 R12: 00007f27472e96d4
[ 92.061027][T11959] R13: 00000000004c619f R14: 00000000004db210 R15: 00000000ffffffff
[ 92.068983][T11959]
[ 92.071300][T11959] Allocated by task 3011:
[ 92.075633][T11959]  save_stack+0x45/0xd0
[ 92.079762][T11959]  __kasan_kmalloc.constprop.0+0xcf/0xe0
[ 92.085396][T11959]  kasan_kmalloc+0x9/0x10
[ 92.089721][T11959]  __kmalloc_node_track_caller+0x4e/0x70
[ 92.095354][T11959]  __kmalloc_reserve.isra.0+0x40/0xf0
[ 92.100699][T11959]  __alloc_skb+0x10b/0x5e0
[ 92.105088][T11959]  tipc_buf_acquire+0x2f/0x100
[ 92.109820][T11959]  tipc_msg_create+0x38/0x270
[ 92.114469][T11959]  tipc_topsrv_kern_evt+0x2a7/0x580
[ 92.119640][T11959]  tipc_conn_send_to_sock+0x43e/0x5f0
[ 92.124986][T11959]  tipc_conn_send_work+0x65/0x80
[ 92.129901][T11959]  process_one_work+0x98e/0x1790
[ 92.134811][T11959]  worker_thread+0x98/0xe40
[ 92.139283][T11959]  kthread+0x357/0x430
[ 92.143340][T11959]  ret_from_fork+0x3a/0x50
[ 92.147723][T11959]
[ 92.150025][T11959] Freed by task 11959:
[ 92.154069][T11959]  save_stack+0x45/0xd0
[ 92.158196][T11959]  __kasan_slab_free+0x102/0x150
[ 92.163108][T11959]  kasan_slab_free+0xe/0x10
[ 92.167583][T11959]  kfree+0xcf/0x230
[ 92.171373][T11959]  skb_free_head+0x93/0xb0
[ 92.175758][T11959]  skb_release_data+0x576/0x7a0
[ 92.180579][T11959]  skb_release_all+0x4d/0x60
[ 92.185164][T11959]  kfree_skb+0xe8/0x390
[ 92.189295][T11959]  tipc_sk_filter_rcv+0x1e6a/0x34f0
[ 92.194466][T11959]  tipc_sk_backlog_rcv+0xeb/0x1e0
[ 92.199476][T11959]  __release_sock+0x12e/0x3a0
[ 92.204125][T11959]  release_sock+0x59/0x1c0
[ 92.208513][T11959]  tipc_setsockopt+0x496/0xb60
[ 92.213251][T11959]  __sys_setsockopt+0x180/0x280
[ 92.218071][T11959]  __x64_sys_setsockopt+0xbe/0x150
[ 92.223185][T11959]  do_syscall_64+0x103/0x610
[ 92.227755][T11959]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 92.233617][T11959]
[ 92.235918][T11959] The buggy address belongs to the object at ffff8880947dc940
[ 92.235918][T11959]  which belongs to the cache kmalloc-1k of size 1024
[ 92.249941][T11959] The buggy address is located 180 bytes inside of
[ 92.249941][T11959]  1024-byte region [ffff8880947dc940, ffff8880947dcd40)
[ 92.263279][T11959] The buggy address belongs to the page:
[ 92.268885][T11959] page:ffffea000251f700 count:1 mapcount:0 mapping:ffff88812c3f0ac0 index:0x0 compound_mapcount: 0
[ 92.279525][T11959] flags: 0x1fffc0000010200(slab|head)
[ 92.284875][T11959] raw: 01fffc0000010200 ffffea0002513c88 ffffea00025f3d08 ffff88812c3f0ac0
[ 92.293435][T11959] raw: 0000000000000000 ffff8880947dc040 0000000100000007 0000000000000000
[ 92.301987][T11959] page dumped because: kasan: bad access detected
[ 92.308366][T11959]
[ 92.310667][T11959] Memory state around the buggy address:
[ 92.316289][T11959]  ffff8880947dc880: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 92.324324][T11959]  ffff8880947dc900: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 92.332358][T11959] >ffff8880947dc980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 92.340389][T11959]                                                                 ^
[ 92.348077][T11959]  ffff8880947dca00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 92.356111][T11959]  ffff8880947dca80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 92.364143][T11959] ==================================================================
[ 92.372173][T11959] Disabling lock debugging due to kernel taint
[ 92.380081][T11959] Kernel panic - not syncing: panic_on_warn set ...
[ 92.386696][T11959] CPU: 0 PID: 11959 Comm: syz-executor.0 Tainted: G B 5.1.0-rc1-next-20190320 #7
[ 92.397416][T11959] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 92.407443][T11959] Call Trace:
[ 92.410711][T11959]  dump_stack+0x172/0x1f0
[ 92.415018][T11959]  panic+0x2cb/0x65c
[ 92.418888][T11959]  ? __warn_printk+0xf3/0xf3
[ 92.423481][T11959]  ? tipc_sk_filter_rcv+0x2166/0x34f0
[ 92.428830][T11959]  ? preempt_schedule+0x4b/0x60
[ 92.433661][T11959]  ? ___preempt_schedule+0x16/0x18
[ 92.438748][T11959]  ? trace_hardirqs_on+0x5e/0x230
[ 92.443764][T11959]  ? tipc_sk_filter_rcv+0x2166/0x34f0
[ 92.449112][T11959]  end_report+0x47/0x4f
[ 92.453242][T11959]  ? tipc_sk_filter_rcv+0x2166/0x34f0
[ 92.458611][T11959]  kasan_report.cold+0xe/0x40
[ 92.463280][T11959]  ? tipc_sk_filter_rcv+0x2166/0x34f0
[ 92.468639][T11959]  __asan_report_load4_noabort+0x14/0x20
[ 92.474257][T11959]  tipc_sk_filter_rcv+0x2166/0x34f0
[ 92.479437][T11959]  ? debug_check_no_obj_freed+0x211/0x444
[ 92.485138][T11959]  ? kasan_check_write+0x14/0x20
[ 92.490146][T11959]  ? tipc_sk_overlimit2+0xa0/0xa0
[ 92.495163][T11959]  ? __lock_acquire+0x548/0x3fb0
[ 92.500076][T11959]  ? __release_sock+0xca/0x3a0
[ 92.504817][T11959]  tipc_sk_backlog_rcv+0xeb/0x1e0
[ 92.509816][T11959]  ? tipc_sk_mcast_rcv+0x1020/0x1020
[ 92.515076][T11959]  ? __local_bh_enable_ip+0x15a/0x270
[ 92.520423][T11959]  ? lockdep_hardirqs_on+0x418/0x5d0
[ 92.525706][T11959]  ? __release_sock+0xca/0x3a0
[ 92.530448][T11959]  ? trace_hardirqs_on+0x67/0x230
[ 92.535457][T11959]  ? __release_sock+0xca/0x3a0
[ 92.540194][T11959]  ? __local_bh_enable_ip+0x15a/0x270
[ 92.545555][T11959]  __release_sock+0x12e/0x3a0
[ 92.550211][T11959]  release_sock+0x59/0x1c0
[ 92.554603][T11959]  tipc_setsockopt+0x496/0xb60
[ 92.559345][T11959]  ? tipc_sk_finish_conn+0x640/0x640
[ 92.564608][T11959]  ? apparmor_socket_setsockopt+0x22/0x30
[ 92.570305][T11959]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 92.576520][T11959]  ? security_socket_setsockopt+0x93/0xc0
[ 92.582214][T11959]  __sys_setsockopt+0x180/0x280
[ 92.587038][T11959]  ? kernel_accept+0x310/0x310
[ 92.591806][T11959]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 92.597249][T11959]  ? do_syscall_64+0x26/0x610
[ 92.601913][T11959]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 92.607952][T11959]  ? do_syscall_64+0x26/0x610
[ 92.612605][T11959]  __x64_sys_setsockopt+0xbe/0x150
[ 92.617692][T11959]  do_syscall_64+0x103/0x610
[ 92.622254][T11959]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 92.628120][T11959] RIP: 0033:0x458079
[ 92.631991][T11959] Code: ad b8 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b8 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 92.651569][T11959] RSP: 002b:00007f27472e8c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000036
[ 92.659964][T11959] RAX: ffffffffffffffda RBX: 0000000000000005 RCX: 0000000000458079
[ 92.667914][T11959] RDX: 0000000000000087 RSI: 000000000000010f RDI: 0000000000000006
[ 92.675859][T11959] RBP: 000000000073bf00 R08: 0000000000000034 R09: 0000000000000000
[ 92.683816][T11959] R10: 00000000200000c0 R11: 0000000000000246 R12: 00007f27472e96d4
[ 92.691771][T11959] R13: 00000000004c619f R14: 00000000004db210 R15: 00000000ffffffff
[ 92.700422][T11959] Kernel Offset: disabled
[ 92.704751][T11959] Rebooting in 86400 seconds..