[ ok ] Starting enhanced syslogd: rsyslogd.
[   56.643946][   T27] audit: type=1800 audit(1584501914.388:25): pid=8611 uid=0 auid=4294967295 ses=4294967295 subj=_ op=collect_data cause=failed(directio) comm="startpar" name="cron" dev="sda1" ino=2414 res=0
[   56.663466][   T27] audit: type=1800 audit(1584501914.388:26): pid=8611 uid=0 auid=4294967295 ses=4294967295 subj=_ op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0
[   56.710946][   T27] audit: type=1800 audit(1584501914.388:27): pid=8611 uid=0 auid=4294967295 ses=4294967295 subj=_ op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.222' (ECDSA) to the list of known hosts.
executing program
syzkaller login:
[   79.045187][ T8762] IPVS: ftp: loaded support on port[0] = 21
[   79.072678][ T8762] ==================================================================
[   79.080869][ T8762] BUG: KASAN: use-after-free in tcindex_change+0x1c61/0x27b0
[   79.088222][ T8762] Write of size 16 at addr ffff8880a6da36b8 by task syz-executor102/8762
[   79.096619][ T8762]
[   79.099446][ T8762] CPU: 1 PID: 8762 Comm: syz-executor102 Not tainted 5.6.0-rc6-syzkaller #0
[   79.108086][ T8762] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   79.118165][ T8762] Call Trace:
[   79.121455][ T8762]  dump_stack+0x1e9/0x30e
[   79.125772][ T8762]  print_address_description+0x74/0x5c0
[   79.131299][ T8762]  ? printk+0x62/0x83
[   79.135521][ T8762]  ? vprintk_emit+0x2e6/0x3b0
[   79.140218][ T8762]  __kasan_report+0x14b/0x1c0
[   79.144890][ T8762]  ? tcindex_change+0x1c61/0x27b0
[   79.149936][ T8762]  kasan_report+0x25/0x50
[   79.154257][ T8762]  check_memory_region+0x2a5/0x2e0
[   79.159365][ T8762]  ? tcindex_change+0x1c61/0x27b0
[   79.164506][ T8762]  memcpy+0x38/0x50
[   79.168327][ T8762]  tcindex_change+0x1c61/0x27b0
[   79.173217][ T8762]  ? tcindex_destroy+0x970/0x970
[   79.178149][ T8762]  ? tcindex_lookup+0x13e/0x360
[   79.183339][ T8762]  tc_new_tfilter+0x1490/0x2f50
[   79.188196][ T8762]  ? tcindex_get+0x1c0/0x1c0
[   79.192815][ T8762]  ? tcf_tunnel_encap_put_tunnel+0x20/0x20
[   79.198602][ T8762]  rtnetlink_rcv_msg+0x8fb/0xd40
[   79.203573][ T8762]  ? lock_acquire+0x154/0x250
[   79.208283][ T8762]  ? rcu_lock_acquire+0x5/0x30
[   79.213029][ T8762]  ? check_preemption_disabled+0x40/0x240
[   79.218742][ T8762]  ? debug_smp_processor_id+0x5/0x20
[   79.224028][ T8762]  netlink_rcv_skb+0x190/0x3a0
[   79.228775][ T8762]  ? rtnetlink_bind+0x80/0x80
[   79.233446][ T8762]  netlink_unicast+0x786/0x940
[   79.238203][ T8762]  netlink_sendmsg+0xa57/0xd70
[   79.242986][ T8762]  ? netlink_getsockopt+0x9d0/0x9d0
[   79.248172][ T8762]  ____sys_sendmsg+0x4f9/0x7c0
[   79.252949][ T8762]  __sys_sendmsg+0x1ed/0x290
[   79.257531][ T8762]  ? __might_fault+0xf5/0x150
[   79.263203][ T8762]  ? move_addr_to_user+0x17f/0x1e0
[   79.268922][ T8762]  ? __sys_getsockname+0x1e2/0x220
[   79.274020][ T8762]  ? check_preemption_disabled+0xb0/0x240
[   79.279748][ T8762]  ? debug_smp_processor_id+0x5/0x20
[   79.285020][ T8762]  ? check_preemption_disabled+0xb0/0x240
[   79.290730][ T8762]  ? debug_smp_processor_id+0x5/0x20
[   79.296085][ T8762]  ? trace_irq_disable_rcuidle+0x1f/0x1d0
[   79.302001][ T8762]  ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[   79.308216][ T8762]  ? do_syscall_64+0x19/0x1b0
[   79.312909][ T8762]  do_syscall_64+0xf3/0x1b0
[   79.317530][ T8762]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   79.323431][ T8762] RIP: 0033:0x440e79
[   79.327311][ T8762] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b 10 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[   79.346989][ T8762] RSP: 002b:00007ffd5f6419d8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[   79.355539][ T8762] RAX: ffffffffffffffda RBX: 00000000004a2650 RCX: 0000000000440e79
[   79.364206][ T8762] RDX: 0000000000000000 RSI: 00000000200001c0 RDI: 0000000000000003
[   79.373018][ T8762] RBP: 00007ffd5f6419e0 R08: 0000000120080522 R09: 0000000120080522
[   79.381351][ T8762] R10: 0000000120080522 R11: 0000000000000246 R12: 00000000004a2650
[   79.389931][ T8762] R13: 0000000000402410 R14: 0000000000000000 R15: 0000000000000000
[   79.398353][ T8762]
[   79.400671][ T8762] Allocated by task 5104:
[   79.405067][ T8762]  __kasan_kmalloc+0x118/0x1c0
[   79.410090][ T8762]  __kmalloc+0x24b/0x330
[   79.414939][ T8762]  kzalloc+0x1d/0x40
[   79.419041][ T8762]  security_prepare_creds+0x46/0x220
[   79.424595][ T8762]  prepare_creds+0x3dc/0x590
[   79.429669][ T8762]  do_faccessat+0x53/0x780
[   79.434349][ T8762]  do_syscall_64+0xf3/0x1b0
[   79.438855][ T8762]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   79.444730][ T8762]
[   79.447142][ T8762] Freed by task 5104:
[   79.451333][ T8762]  __kasan_slab_free+0x12e/0x1e0
[   79.456260][ T8762]  kfree+0x10a/0x220
[   79.460169][ T8762]  security_cred_free+0xbf/0x100
[   79.465280][ T8762]  put_cred_rcu+0xca/0x350
[   79.470869][ T8762]  do_faccessat+0x613/0x780
[   79.475520][ T8762]  do_syscall_64+0xf3/0x1b0
[   79.480163][ T8762]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   79.486035][ T8762]
[   79.488493][ T8762] The buggy address belongs to the object at ffff8880a6da3600
[   79.488493][ T8762]  which belongs to the cache kmalloc-192 of size 192
[   79.502650][ T8762] The buggy address is located 184 bytes inside of
[   79.502650][ T8762]  192-byte region [ffff8880a6da3600, ffff8880a6da36c0)
[   79.518890][ T8762] The buggy address belongs to the page:
[   79.524990][ T8762] page:ffffea00029b68c0 refcount:1 mapcount:0 mapping:ffff8880aa400000 index:0x0
[   79.534214][ T8762] flags: 0xfffe0000000200(slab)
[   79.539079][ T8762] raw: 00fffe0000000200 ffffea0002a55208 ffffea00029dda88 ffff8880aa400000
[   79.547787][ T8762] raw: 0000000000000000 ffff8880a6da3000 0000000100000010 0000000000000000
[   79.556538][ T8762] page dumped because: kasan: bad access detected
[   79.563055][ T8762]
[   79.565464][ T8762] Memory state around the buggy address:
[   79.571279][ T8762]  ffff8880a6da3580: 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   79.579445][ T8762]  ffff8880a6da3600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   79.587675][ T8762] >ffff8880a6da3680: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   79.596894][ T8762]                                         ^
[   79.602770][ T8762]  ffff8880a6da3700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   79.610839][ T8762]  ffff8880a6da3780: 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   79.619210][ T8762] ==================================================================
[   79.627256][ T8762] Disabling lock debugging due to kernel taint
[   79.634892][ T8762] Kernel panic - not syncing: panic_on_warn set ...
[   79.641729][ T8762] CPU: 1 PID: 8762 Comm: syz-executor102 Tainted: G    B             5.6.0-rc6-syzkaller #0
[   79.651800][ T8762] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   79.662159][ T8762] Call Trace:
[   79.665700][ T8762]  dump_stack+0x1e9/0x30e
[   79.670139][ T8762]  panic+0x264/0x7a0
[   79.674105][ T8762]  ? trace_hardirqs_on+0x30/0x70
[   79.679034][ T8762]  __kasan_report+0x1bc/0x1c0
[   79.683699][ T8762]  ? tcindex_change+0x1c61/0x27b0
[   79.688747][ T8762]  kasan_report+0x25/0x50
[   79.693069][ T8762]  check_memory_region+0x2a5/0x2e0
[   79.698170][ T8762]  ? tcindex_change+0x1c61/0x27b0
[   79.703221][ T8762]  memcpy+0x38/0x50
[   79.707035][ T8762]  tcindex_change+0x1c61/0x27b0
[   79.711918][ T8762]  ? tcindex_destroy+0x970/0x970
[   79.717036][ T8762]  ? tcindex_lookup+0x13e/0x360
[   79.721953][ T8762]  tc_new_tfilter+0x1490/0x2f50
[   79.726943][ T8762]  ? tcindex_get+0x1c0/0x1c0
[   79.731966][ T8762]  ? tcf_tunnel_encap_put_tunnel+0x20/0x20
[   79.738845][ T8762]  rtnetlink_rcv_msg+0x8fb/0xd40
[   79.744176][ T8762]  ? lock_acquire+0x154/0x250
[   79.748847][ T8762]  ? rcu_lock_acquire+0x5/0x30
[   79.753602][ T8762]  ? check_preemption_disabled+0x40/0x240
[   79.759802][ T8762]  ? debug_smp_processor_id+0x5/0x20
[   79.765342][ T8762]  netlink_rcv_skb+0x190/0x3a0
[   79.770107][ T8762]  ? rtnetlink_bind+0x80/0x80
[   79.774885][ T8762]  netlink_unicast+0x786/0x940
[   79.779641][ T8762]  netlink_sendmsg+0xa57/0xd70
[   79.784401][ T8762]  ? netlink_getsockopt+0x9d0/0x9d0
[   79.789795][ T8762]  ____sys_sendmsg+0x4f9/0x7c0
[   79.795962][ T8762]  __sys_sendmsg+0x1ed/0x290
[   79.801336][ T8762]  ? __might_fault+0xf5/0x150
[   79.806562][ T8762]  ? move_addr_to_user+0x17f/0x1e0
[   79.811818][ T8762]  ? __sys_getsockname+0x1e2/0x220
[   79.817443][ T8762]  ? check_preemption_disabled+0xb0/0x240
[   79.823286][ T8762]  ? debug_smp_processor_id+0x5/0x20
[   79.828687][ T8762]  ? check_preemption_disabled+0xb0/0x240
[   79.834545][ T8762]  ? debug_smp_processor_id+0x5/0x20
[   79.840860][ T8762]  ? trace_irq_disable_rcuidle+0x1f/0x1d0
[   79.847741][ T8762]  ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[   79.853976][ T8762]  ? do_syscall_64+0x19/0x1b0
[   79.858751][ T8762]  do_syscall_64+0xf3/0x1b0
[   79.863509][ T8762]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   79.869724][ T8762] RIP: 0033:0x440e79
[   79.873606][ T8762] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b 10 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[   79.894992][ T8762] RSP: 002b:00007ffd5f6419d8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[   79.903681][ T8762] RAX: ffffffffffffffda RBX: 00000000004a2650 RCX: 0000000000440e79
[   79.911925][ T8762] RDX: 0000000000000000 RSI: 00000000200001c0 RDI: 0000000000000003
[   79.920158][ T8762] RBP: 00007ffd5f6419e0 R08: 0000000120080522 R09: 0000000120080522
[   79.928618][ T8762] R10: 0000000120080522 R11: 0000000000000246 R12: 00000000004a2650
[   79.937160][ T8762] R13: 0000000000402410 R14: 0000000000000000 R15: 0000000000000000
[   79.947766][ T8762] Kernel Offset: disabled
[   79.952674][ T8762] Rebooting in 86400 seconds..
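The following triage script is an added example; it is not part of the syzkaller log above and is not kernel or syzbot tooling. It parses the lines KASAN printed (a subset is embedded verbatim as SAMPLE, dmesg prefixes included) and re-derives the facts a reviewer wants before trusting the one-line headline: the offset of the access inside the slab object, whether the access stays inside the object, which shadow granules it touches, and which code last allocated and freed that slot. The regular expressions are written against the report layout shown on this page, and the shadow-byte meanings (0xfb freed slab object, 0xfc slab redzone, 0x00 accessible, 0x01..0x07 partial) are those of generic KASAN in this kernel generation; both are assumptions of the example, not something the log states.

```python
"""Triage helper for a generic-KASAN slab report (stdlib only, Python 3.8+).

Added example; not part of the syzkaller log it parses. Re-derives the
numbers behind the report headline from the report text itself.
"""
import re

# Subset of the report above, copied verbatim with its dmesg prefixes.
SAMPLE = """\
[   79.080869][ T8762] BUG: KASAN: use-after-free in tcindex_change+0x1c61/0x27b0
[   79.088222][ T8762] Write of size 16 at addr ffff8880a6da36b8 by task syz-executor102/8762
[   79.400671][ T8762] Allocated by task 5104:
[   79.405067][ T8762]  __kasan_kmalloc+0x118/0x1c0
[   79.410090][ T8762]  __kmalloc+0x24b/0x330
[   79.414939][ T8762]  kzalloc+0x1d/0x40
[   79.419041][ T8762]  security_prepare_creds+0x46/0x220
[   79.424595][ T8762]  prepare_creds+0x3dc/0x590
[   79.447142][ T8762] Freed by task 5104:
[   79.451333][ T8762]  __kasan_slab_free+0x12e/0x1e0
[   79.456260][ T8762]  kfree+0x10a/0x220
[   79.460169][ T8762]  security_cred_free+0xbf/0x100
[   79.465280][ T8762]  put_cred_rcu+0xca/0x350
[   79.488493][ T8762] The buggy address belongs to the object at ffff8880a6da3600
[   79.488493][ T8762]  which belongs to the cache kmalloc-192 of size 192
[   79.502650][ T8762]  192-byte region [ffff8880a6da3600, ffff8880a6da36c0)
[   79.587675][ T8762] >ffff8880a6da3680: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
"""

# Generic KASAN keeps one shadow byte per 8-byte granule (assumed values from
# mm/kasan/kasan.h of that era); 0x01..0x07 mean only that many leading bytes
# of the granule are valid.
SHADOW_MEANING = {0x00: "accessible", 0xfb: "freed slab object",
                  0xfc: "slab redzone", 0xfe: "page redzone", 0xff: "freed page"}

PREFIX = re.compile(r"^\[\s*\d+\.\d+\]\[\s*T\d+\]\s?")
BUG = re.compile(r"BUG: KASAN: (?P<kind>[\w-]+) in (?P<func>\w+)\+0x")
ACCESS = re.compile(r"(?P<op>Read|Write) of size (?P<size>\d+) at addr (?P<addr>[0-9a-f]+)")
OBJECT = re.compile(r"belongs to the object at (?P<base>[0-9a-f]+)")
CACHE = re.compile(r"belongs to the cache (?P<cache>\S+) of size (?P<size>\d+)")
REGION = re.compile(r"region \[(?P<start>[0-9a-f]+), (?P<end>[0-9a-f]+)\)")
STACK_HDR = re.compile(r"^(?P<what>Allocated|Freed) by task (?P<pid>\d+):")
FRAME = re.compile(r"^\s*(?P<sym>[A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+\s*$")
SHADOW_ROW = re.compile(r"^[> ]?(?P<addr>[0-9a-f]{16}):((?:\s[0-9a-f]{2}){16})\s*$")
# Frames belonging to the allocator or KASAN itself, not to the slot's owner.
PLUMBING = ("__kasan_", "kasan_", "__kmalloc", "kmalloc", "kzalloc", "kfree", "kmem_cache_")


def describe_shadow(byte):
    if 1 <= byte <= 7:
        return f"partial ({byte} of 8 bytes accessible)"
    return SHADOW_MEANING.get(byte, f"other (0x{byte:02x})")


def owner(frames):
    """First frame outside allocator/KASAN plumbing: the code that used the slot."""
    return next((s for s in frames if not s.startswith(PLUMBING)), None)


def parse_report(text):
    lines = [PREFIX.sub("", l) for l in text.splitlines()]
    rep = {"shadow": {}, "stacks": {}}
    i = 0
    while i < len(lines):
        line = lines[i]
        if m := BUG.search(line):
            rep.update(kind=m["kind"], func=m["func"])
        elif m := ACCESS.search(line):
            rep.update(op=m["op"], size=int(m["size"]), addr=int(m["addr"], 16))
        elif m := OBJECT.search(line):
            rep["base"] = int(m["base"], 16)
        elif m := CACHE.search(line):
            rep.update(cache=m["cache"], obj_size=int(m["size"]))
        elif m := REGION.search(line):
            rep["region"] = (int(m["start"], 16), int(m["end"], 16))
        elif m := STACK_HDR.match(line):
            frames, i = [], i + 1          # collect frames until a non-frame line
            while i < len(lines) and (f := FRAME.match(lines[i])):
                frames.append(f["sym"])
                i += 1
            rep["stacks"][m["what"].lower()] = {"pid": int(m["pid"]), "frames": frames}
            continue
        elif m := SHADOW_ROW.match(line):
            row = int(m["addr"], 16)       # row label = address of its first granule
            for k, byte in enumerate(m.group(2).split()):
                rep["shadow"][row + 8 * k] = int(byte, 16)
        i += 1
    return rep


def triage(text):
    """Checks worth doing before trusting the headline classification."""
    rep = parse_report(text)
    addr, size, (_, end) = rep["addr"], rep["size"], rep["region"]
    granules = [rep["shadow"].get(g) for g in range(addr & ~7, addr + size, 8)]
    return {
        "kind": rep["kind"], "func": rep["func"], "op": rep["op"], "size": size,
        "cache": rep["cache"],
        "offset": addr - rep["base"],           # bytes into the object
        "overrun": max(0, addr + size - end),   # bytes past the object's end
        "shadow": [None if g is None else f"{g:02x}" for g in granules],
        "meaning": [describe_shadow(g) for g in granules if g is not None],
        "last_alloc": owner(rep["stacks"]["allocated"]["frames"]),
        "last_free": owner(rep["stacks"]["freed"]["frames"]),
    }


if __name__ == "__main__":
    print(triage(SAMPLE))
```

Run against the report on this page it confirms the 184-byte offset KASAN printed, and adds two things the headline does not say: the 16-byte write starting at offset 184 of a 192-byte object runs 8 bytes past the object's end, so the second granule it touches is slab redzone (0xfc) rather than freed memory (0xfb); and the slot's most recent allocate/free pair came from security_prepare_creds and security_cred_free, i.e. the memory tcindex_change wrote to had already been recycled by unrelated cred code, so the pointer tcindex used predates at least one free of that slot.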