[ 30.010035] audit: type=1800 audit(1543914388.358:27): pid=5992 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0
[ 30.041955] audit: type=1800 audit(1543914388.358:28): pid=5992 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="ssh" dev="sda1" ino=2417 res=0
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ 30.664292] audit: type=1800 audit(1543914389.088:29): pid=5992 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="rc.local" dev="sda1" ino=2432 res=0
[ 30.691095] audit: type=1800 audit(1543914389.088:30): pid=5992 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="rmnologin" dev="sda1" ino=2423 res=0
Debian GNU/Linux 7 syzkaller ttyS0
Warning: Permanently added '10.128.10.11' (ECDSA) to the list of known hosts.
2018/12/04 09:07:41 parsed 1 programs
2018/12/04 09:07:43 executed programs: 0
syzkaller login: [ 104.946042] IPVS: ftp: loaded support on port[0] = 21
[ 105.195608] bridge0: port 1(bridge_slave_0) entered blocking state
[ 105.202470] bridge0: port 1(bridge_slave_0) entered disabled state
[ 105.210486] device bridge_slave_0 entered promiscuous mode
[ 105.229125] bridge0: port 2(bridge_slave_1) entered blocking state
[ 105.235618] bridge0: port 2(bridge_slave_1) entered disabled state
[ 105.242495] device bridge_slave_1 entered promiscuous mode
[ 105.259714] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[ 105.277147] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[ 105.325941] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 105.347521] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 105.420992] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 105.428348] team0: Port device team_slave_0 added
[ 105.446519] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 105.453680] team0: Port device team_slave_1 added
[ 105.470901] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 105.490286] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 105.509150] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 105.529024] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[ 105.674249] bridge0: port 2(bridge_slave_1) entered blocking state
[ 105.680793] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 105.687833] bridge0: port 1(bridge_slave_0) entered blocking state
[ 105.694204] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 106.211707] 8021q: adding VLAN 0 to HW filter on device bond0
[ 106.262131] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 106.312610] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
[ 106.318802] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 106.326842] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 106.373709] 8021q: adding VLAN 0 to HW filter on device team0
[ 106.682946] TCP: request_sock_TCPv6: Possible SYN flooding on port 20002. Sending cookies. Check SNMP counters.
[ 106.803267] TCP: request_sock_TCPv6: Possible SYN flooding on port 20002. Sending cookies. Check SNMP counters.
[ 106.910914] TCP: request_sock_TCPv6: Possible SYN flooding on port 20002. Sending cookies. Check SNMP counters.
[ 106.968691] TCP: request_sock_TCPv6: Possible SYN flooding on port 20002. Sending cookies. Check SNMP counters.
[ 107.081854] TCP: request_sock_TCPv6: Possible SYN flooding on port 20002. Sending cookies. Check SNMP counters.
[ 107.151179] TCP: request_sock_TCPv6: Possible SYN flooding on port 20002. Sending cookies. Check SNMP counters.
[ 107.259990] TCP: request_sock_TCPv6: Possible SYN flooding on port 20002. Sending cookies. Check SNMP counters.
[ 107.327140] TCP: request_sock_TCPv6: Possible SYN flooding on port 20002. Sending cookies. Check SNMP counters.
[ 107.429783] TCP: request_sock_TCPv6: Possible SYN flooding on port 20002. Sending cookies. Check SNMP counters.
[ 107.491271] TCP: request_sock_TCPv6: Possible SYN flooding on port 20002. Sending cookies. Check SNMP counters.
[ 108.701636] ==================================================================
[ 108.709141] BUG: KASAN: use-after-free in generic_gcmaes_encrypt+0xc6/0x190
[ 108.716253] Read of size 12 at addr ffff8801bf4c8c00 by task kworker/1:0/17
[ 108.723344]
[ 108.724971] CPU: 1 PID: 17 Comm: kworker/1:0 Not tainted 4.20.0-rc1-next-20181109+ #110
[ 108.733123] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 108.742468] Workqueue: pencrypt padata_parallel_worker
[ 108.747726] Call Trace:
[ 108.750317] dump_stack+0x244/0x39d
[ 108.753934] ? dump_stack_print_info.cold.1+0x20/0x20
[ 108.759120] ? printk+0xa7/0xcf
[ 108.762402] ? kmsg_dump_rewind_nolock+0xe4/0xe4
[ 108.767148] ? mark_held_locks+0x130/0x130
[ 108.771374] print_address_description.cold.7+0x9/0x1ff
[ 108.776732] kasan_report.cold.8+0x242/0x309
[ 108.781209] ? generic_gcmaes_encrypt+0xc6/0x190
[ 108.786165] check_memory_region+0x13e/0x1b0
[ 108.790563] memcpy+0x23/0x50
[ 108.793659] generic_gcmaes_encrypt+0xc6/0x190
[ 108.798259] ? helper_rfc4106_encrypt+0x4a0/0x4a0
[ 108.803088] ? kasan_check_read+0x11/0x20
[ 108.807225] gcmaes_wrapper_encrypt+0x16d/0x3a0
[ 108.811884] pcrypt_aead_enc+0xd6/0x340
[ 108.815852] padata_parallel_worker+0x49d/0x760
[ 108.820511] ? padata_alloc_pd+0xe90/0xe90
[ 108.824732] ? graph_lock+0x270/0x270
[ 108.828533] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 108.834064] ? check_preemption_disabled+0x48/0x280
[ 108.839085] ? __lock_is_held+0xb5/0x140
[ 108.843150] process_one_work+0xc8b/0x1c40
[ 108.847397] ? mark_held_locks+0x130/0x130
[ 108.851629] ? pwq_dec_nr_in_flight+0x4a0/0x4a0
[ 108.856286] ? preempt_notifier_register+0x200/0x200
[ 108.861375] ? __switch_to_asm+0x34/0x70
[ 108.865472] ? __switch_to_asm+0x34/0x70
[ 108.869521] ? __switch_to_asm+0x40/0x70
[ 108.873568] ? __switch_to_asm+0x34/0x70
[ 108.877615] ? __switch_to_asm+0x40/0x70
[ 108.881673] ? __switch_to_asm+0x34/0x70
[ 108.885735] ? __switch_to_asm+0x34/0x70
[ 108.889831] ? __switch_to_asm+0x34/0x70
[ 108.893890] ? __switch_to_asm+0x40/0x70
[ 108.898058] ? __switch_to_asm+0x34/0x70
[ 108.902164] ? __switch_to_asm+0x40/0x70
[ 108.906212] ? __switch_to_asm+0x34/0x70
[ 108.910265] ? __sched_text_start+0x8/0x8
[ 108.914465] ? graph_lock+0x270/0x270
[ 108.918251] ? lock_downgrade+0x900/0x900
[ 108.922399] ? kasan_check_read+0x11/0x20
[ 108.926575] ? do_raw_spin_unlock+0xa7/0x330
[ 108.930983] ? find_held_lock+0x36/0x1c0
[ 108.935050] ? lock_acquire+0x1ed/0x520
[ 108.939024] ? worker_thread+0x3e0/0x1390
[ 108.943171] ? kasan_check_write+0x14/0x20
[ 108.947420] ? do_raw_spin_lock+0x14f/0x350
[ 108.951729] ? __schedule+0x21d0/0x21d0
[ 108.955688] ? rwlock_bug.part.2+0x90/0x90
[ 108.959918] ? trace_hardirqs_on+0x310/0x310
[ 108.964333] worker_thread+0x17f/0x1390
[ 108.968297] ? preempt_notifier_register+0x200/0x200
[ 108.973400] ? process_one_work+0x1c40/0x1c40
[ 108.977915] ? __schedule+0x8d7/0x21d0
[ 108.981806] ? __sched_text_start+0x8/0x8
[ 108.985941] ? __sched_text_start+0x8/0x8
[ 108.990089] ? __kthread_parkme+0xce/0x1a0
[ 108.994318] ? _raw_spin_unlock_irqrestore+0x82/0xd0
[ 108.999419] ? _raw_spin_unlock_irqrestore+0x82/0xd0
[ 109.004512] ? lockdep_hardirqs_on+0x3bb/0x5b0
[ 109.009087] ? trace_hardirqs_on+0xbd/0x310
[ 109.013419] ? kasan_check_read+0x11/0x20
[ 109.017553] ? __kthread_parkme+0xce/0x1a0
[ 109.021773] ? trace_hardirqs_off_caller+0x300/0x300
[ 109.026898] ? __schedule+0x21d0/0x21d0
[ 109.030884] ? _raw_spin_unlock_irqrestore+0x6d/0xd0
[ 109.035987] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 109.041534] ? __kthread_parkme+0xfb/0x1a0
[ 109.045786] ? process_one_work+0x1c40/0x1c40
[ 109.050267] kthread+0x35a/0x440
[ 109.053619] ? kthread_stop+0x8f0/0x8f0
[ 109.057581] ret_from_fork+0x3a/0x50
[ 109.061298]
[ 109.062912] Allocated by task 6788:
[ 109.066545] save_stack+0x43/0xd0
[ 109.069985] kasan_kmalloc+0xc7/0xe0
[ 109.073682] kmem_cache_alloc_trace+0x152/0x750
[ 109.078336] tls_set_sw_offload+0xcb3/0x1390
[ 109.082743] tls_setsockopt+0x689/0x770
[ 109.086721] sock_common_setsockopt+0x9a/0xe0
[ 109.091214] __sys_setsockopt+0x1ba/0x3c0
[ 109.095346] __x64_sys_setsockopt+0xbe/0x150
[ 109.099741] do_syscall_64+0x1b9/0x820
[ 109.103622] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 109.108791]
[ 109.110411] Freed by task 6783:
[ 109.113676] save_stack+0x43/0xd0
[ 109.117153] __kasan_slab_free+0x102/0x150
[ 109.121377] kasan_slab_free+0xe/0x10
[ 109.125170] kfree+0xcf/0x230
[ 109.128259] tls_sk_proto_close+0x5fa/0x750
[ 109.132562] inet_release+0x104/0x1f0
[ 109.136350] inet6_release+0x50/0x70
[ 109.140049] __sock_release+0xd7/0x250
[ 109.143926] sock_close+0x19/0x20
[ 109.147371] __fput+0x3bc/0xa70
[ 109.150647] ____fput+0x15/0x20
[ 109.153915] task_work_run+0x1e8/0x2a0
[ 109.157791] exit_to_usermode_loop+0x318/0x380
[ 109.162362] do_syscall_64+0x6be/0x820
[ 109.166239] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 109.171413]
[ 109.173029] The buggy address belongs to the object at ffff8801bf4c8c00
[ 109.173029] which belongs to the cache kmalloc-32 of size 32
[ 109.185501] The buggy address is located 0 bytes inside of
[ 109.185501] 32-byte region [ffff8801bf4c8c00, ffff8801bf4c8c20)
[ 109.197112] The buggy address belongs to the page:
[ 109.202029] page:ffffea0006fd3200 count:1 mapcount:0 mapping:ffff8801da8001c0 index:0xffff8801bf4c8fc1
[ 109.211459] flags: 0x2fffc0000000200(slab)
[ 109.215691] raw: 02fffc0000000200 ffffea00075efd88 ffff8801da801248 ffff8801da8001c0
[ 109.223564] raw: ffff8801bf4c8fc1 ffff8801bf4c8000 000000010000003f 0000000000000000
[ 109.231428] page dumped because: kasan: bad access detected
[ 109.237116]
[ 109.238722] Memory state around the buggy address:
[ 109.243636] ffff8801bf4c8b00: 00 fc fc fc fc fc fc fc fb fb fb fb fc fc fc fc
[ 109.250977] ffff8801bf4c8b80: 00 01 fc fc fc fc fc fc 00 01 fc fc fc fc fc fc
[ 109.258321] >ffff8801bf4c8c00: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[ 109.265674] ^
[ 109.269027] ffff8801bf4c8c80: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[ 109.276367] ffff8801bf4c8d00: fb fb fb fb fc fc fc fc 00 00 fc fc fc fc fc fc
[ 109.283714] ==================================================================
[ 109.291054] Disabling lock debugging due to kernel taint
[ 109.296539] Kernel panic - not syncing: panic_on_warn set ...
[ 109.302435] CPU: 1 PID: 17 Comm: kworker/1:0 Tainted: G B 4.20.0-rc1-next-20181109+ #110
[ 109.311958] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 109.321304] Workqueue: pencrypt padata_parallel_worker
[ 109.326577] Call Trace:
[ 109.329153] dump_stack+0x244/0x39d
[ 109.332765] ? dump_stack_print_info.cold.1+0x20/0x20
[ 109.337942] panic+0x2ad/0x55c
[ 109.341132] ? add_taint.cold.5+0x16/0x16
[ 109.345271] ? trace_hardirqs_on+0xb4/0x310
[ 109.349600] kasan_end_report+0x47/0x4f
[ 109.353556] kasan_report.cold.8+0x76/0x309
[ 109.357879] ? generic_gcmaes_encrypt+0xc6/0x190
[ 109.362628] check_memory_region+0x13e/0x1b0
[ 109.367033] memcpy+0x23/0x50
[ 109.370138] generic_gcmaes_encrypt+0xc6/0x190
[ 109.374827] ? helper_rfc4106_encrypt+0x4a0/0x4a0
[ 109.379658] ? kasan_check_read+0x11/0x20
[ 109.383806] gcmaes_wrapper_encrypt+0x16d/0x3a0
[ 109.388461] pcrypt_aead_enc+0xd6/0x340
[ 109.392425] padata_parallel_worker+0x49d/0x760
[ 109.397079] ? padata_alloc_pd+0xe90/0xe90
[ 109.401300] ? graph_lock+0x270/0x270
[ 109.405089] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 109.410614] ? check_preemption_disabled+0x48/0x280
[ 109.415617] ? __lock_is_held+0xb5/0x140
[ 109.419669] process_one_work+0xc8b/0x1c40
[ 109.423886] ? mark_held_locks+0x130/0x130
[ 109.428111] ? pwq_dec_nr_in_flight+0x4a0/0x4a0
[ 109.432764] ? preempt_notifier_register+0x200/0x200
[ 109.437853] ? __switch_to_asm+0x34/0x70
[ 109.441942] ? __switch_to_asm+0x34/0x70
[ 109.446015] ? __switch_to_asm+0x40/0x70
[ 109.450059] ? __switch_to_asm+0x34/0x70
[ 109.454118] ? __switch_to_asm+0x40/0x70
[ 109.458173] ? __switch_to_asm+0x34/0x70
[ 109.462219] ? __switch_to_asm+0x34/0x70
[ 109.466264] ? __switch_to_asm+0x34/0x70
[ 109.470336] ? __switch_to_asm+0x40/0x70
[ 109.474382] ? __switch_to_asm+0x34/0x70
[ 109.478481] ? __switch_to_asm+0x40/0x70
[ 109.482526] ? __switch_to_asm+0x34/0x70
[ 109.486576] ? __sched_text_start+0x8/0x8
[ 109.490705] ? graph_lock+0x270/0x270
[ 109.494491] ? lock_downgrade+0x900/0x900
[ 109.498626] ? kasan_check_read+0x11/0x20
[ 109.502758] ? do_raw_spin_unlock+0xa7/0x330
[ 109.507154] ? find_held_lock+0x36/0x1c0
[ 109.511207] ? lock_acquire+0x1ed/0x520
[ 109.515164] ? worker_thread+0x3e0/0x1390
[ 109.519316] ? kasan_check_write+0x14/0x20
[ 109.523545] ? do_raw_spin_lock+0x14f/0x350
[ 109.527857] ? __schedule+0x21d0/0x21d0
[ 109.531814] ? rwlock_bug.part.2+0x90/0x90
[ 109.536032] ? trace_hardirqs_on+0x310/0x310
[ 109.540427] worker_thread+0x17f/0x1390
[ 109.544411] ? preempt_notifier_register+0x200/0x200
[ 109.549519] ? process_one_work+0x1c40/0x1c40
[ 109.554000] ? __schedule+0x8d7/0x21d0
[ 109.557926] ? __sched_text_start+0x8/0x8
[ 109.562087] ? __sched_text_start+0x8/0x8
[ 109.566241] ? __kthread_parkme+0xce/0x1a0
[ 109.570472] ? _raw_spin_unlock_irqrestore+0x82/0xd0
[ 109.575558] ? _raw_spin_unlock_irqrestore+0x82/0xd0
[ 109.580647] ? lockdep_hardirqs_on+0x3bb/0x5b0
[ 109.585229] ? trace_hardirqs_on+0xbd/0x310
[ 109.589534] ? kasan_check_read+0x11/0x20
[ 109.593665] ? __kthread_parkme+0xce/0x1a0
[ 109.597884] ? trace_hardirqs_off_caller+0x300/0x300
[ 109.602980] ? __schedule+0x21d0/0x21d0
[ 109.606956] ? _raw_spin_unlock_irqrestore+0x6d/0xd0
[ 109.612043] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 109.617565] ? __kthread_parkme+0xfb/0x1a0
[ 109.621812] ? process_one_work+0x1c40/0x1c40
[ 109.626333] kthread+0x35a/0x440
[ 109.629685] ? kthread_stop+0x8f0/0x8f0
[ 109.633644] ret_from_fork+0x3a/0x50
[ 109.638605] Kernel Offset: disabled
[ 109.642231] Rebooting in 86400 seconds..