[ 35.902831][ T26] audit: type=1800 audit(1553056949.426:27): pid=7519 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0
[ 35.923403][ T26] audit: type=1800 audit(1553056949.426:28): pid=7519 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="ssh" dev="sda1" ino=2417 res=0
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ 36.678269][ T26] audit: type=1800 audit(1553056950.266:29): pid=7519 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="rc.local" dev="sda1" ino=2432 res=0
[ 36.698455][ T26] audit: type=1800 audit(1553056950.266:30): pid=7519 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="rmnologin" dev="sda1" ino=2423 res=0

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.121' (ECDSA) to the list of known hosts.
2019/03/20 04:42:42 parsed 1 programs
2019/03/20 04:42:44 executed programs: 0

syzkaller login: [ 50.770815][ T7685] IPVS: ftp: loaded support on port[0] = 21
[ 50.826956][ T7685] chnl_net:caif_netlink_parms(): no params data found
[ 50.858136][ T7685] bridge0: port 1(bridge_slave_0) entered blocking state
[ 50.865670][ T7685] bridge0: port 1(bridge_slave_0) entered disabled state
[ 50.873344][ T7685] device bridge_slave_0 entered promiscuous mode
[ 50.881542][ T7685] bridge0: port 2(bridge_slave_1) entered blocking state
[ 50.888606][ T7685] bridge0: port 2(bridge_slave_1) entered disabled state
[ 50.896355][ T7685] device bridge_slave_1 entered promiscuous mode
[ 50.912656][ T7685] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 50.922198][ T7685] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 50.937971][ T7685] team0: Port device team_slave_0 added
[ 50.945130][ T7685] team0: Port device team_slave_1 added
[ 51.011263][ T7685] device hsr_slave_0 entered promiscuous mode
[ 51.079787][ T7685] device hsr_slave_1 entered promiscuous mode
[ 51.126475][ T7685] bridge0: port 2(bridge_slave_1) entered blocking state
[ 51.133686][ T7685] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 51.141541][ T7685] bridge0: port 1(bridge_slave_0) entered blocking state
[ 51.148595][ T7685] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 51.178862][ T7685] 8021q: adding VLAN 0 to HW filter on device bond0
[ 51.192041][ T22] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 51.212470][ T22] bridge0: port 1(bridge_slave_0) entered disabled state
[ 51.220581][ T22] bridge0: port 2(bridge_slave_1) entered disabled state
[ 51.228428][ T22] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 51.240716][ T7685] 8021q: adding VLAN 0 to HW filter on device team0
[ 51.250582][ T2994] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 51.258914][ T2994] bridge0: port 1(bridge_slave_0) entered blocking state
[ 51.266101][ T2994] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 51.275271][ T22] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 51.284026][ T22] bridge0: port 2(bridge_slave_1) entered blocking state
[ 51.291131][ T22] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 51.307131][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 51.315711][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 51.329658][ T7685] hsr0: Slave A (hsr_slave_0) is not up; please bring it up to get a fully working HSR network
[ 51.340788][ T7685] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
[ 51.352993][ T3481] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 51.361415][ T3481] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 51.369952][ T3481] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 51.378499][ T3481] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 51.394280][ T7685] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 53.092044][ T8132] ==================================================================
[ 53.100296][ T8132] BUG: KASAN: use-after-free in tipc_sk_filter_rcv+0x2166/0x34f0
[ 53.108192][ T8132] Read of size 4 at addr ffff88808a560574 by task syz-executor.0/8132
[ 53.116315][ T8132]
[ 53.118630][ T8132] CPU: 0 PID: 8132 Comm: syz-executor.0 Not tainted 5.0.0+ #101
[ 53.126245][ T8132] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 53.136308][ T8132] Call Trace:
[ 53.139595][ T8132]  dump_stack+0x172/0x1f0
[ 53.143947][ T8132]  ? tipc_sk_filter_rcv+0x2166/0x34f0
[ 53.149302][ T8132]  print_address_description.cold+0x7c/0x20d
[ 53.155285][ T8132]  ? tipc_sk_filter_rcv+0x2166/0x34f0
[ 53.160638][ T8132]  ? tipc_sk_filter_rcv+0x2166/0x34f0
[ 53.165985][ T8132]  kasan_report.cold+0x1b/0x40
[ 53.170730][ T8132]  ? tipc_sk_filter_rcv+0x2166/0x34f0
[ 53.176087][ T8132]  __asan_report_load4_noabort+0x14/0x20
[ 53.181697][ T8132]  tipc_sk_filter_rcv+0x2166/0x34f0
[ 53.186874][ T8132]  ? debug_object_deactivate+0x1e4/0x360
[ 53.192490][ T8132]  ? find_held_lock+0x35/0x130
[ 53.197233][ T8132]  ? tipc_sk_overlimit2+0xa0/0xa0
[ 53.202237][ T8132]  ? lock_downgrade+0x880/0x880
[ 53.207069][ T8132]  ? __lock_acquire+0x548/0x3fb0
[ 53.211994][ T8132]  ? __release_sock+0xca/0x3a0
[ 53.216734][ T8132]  tipc_sk_backlog_rcv+0xeb/0x1e0
[ 53.221735][ T8132]  ? tipc_sk_mcast_rcv+0x1020/0x1020
[ 53.227000][ T8132]  ? __local_bh_enable_ip+0x15a/0x270
[ 53.232375][ T8132]  ? lockdep_hardirqs_on+0x418/0x5d0
[ 53.237649][ T8132]  ? __release_sock+0xca/0x3a0
[ 53.242414][ T8132]  ? trace_hardirqs_on+0x67/0x230
[ 53.247423][ T8132]  ? __release_sock+0xca/0x3a0
[ 53.252168][ T8132]  ? __local_bh_enable_ip+0x15a/0x270
[ 53.257536][ T8132]  __release_sock+0x12e/0x3a0
[ 53.262198][ T8132]  release_sock+0x59/0x1c0
[ 53.266593][ T8132]  tipc_release+0x9ed/0x14d0
[ 53.271170][ T8132]  __sock_release+0xd3/0x2b0
[ 53.275740][ T8132]  ? __sock_release+0x2b0/0x2b0
[ 53.281017][ T8132]  sock_close+0x1b/0x30
[ 53.285178][ T8132]  __fput+0x2e5/0x8d0
[ 53.289148][ T8132]  ____fput+0x16/0x20
[ 53.293110][ T8132]  task_work_run+0x14a/0x1c0
[ 53.297690][ T8132]  exit_to_usermode_loop+0x273/0x2c0
[ 53.302982][ T8132]  do_syscall_64+0x52d/0x610
[ 53.307553][ T8132]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 53.313427][ T8132] RIP: 0033:0x411e31
[ 53.317324][ T8132] Code: 75 14 b8 03 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 e4 1a 00 00 c3 48 83 ec 08 e8 0a fc ff ff 48 89 04 24 b8 03 00 00 00 0f 05 <48> 8b 3c 24 48 89 c2 e8 53 fc ff ff 48 89 d0 48 83 c4 08 48 3d 01
[ 53.336907][ T8132] RSP: 002b:00007fff65f9c720 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
[ 53.345310][ T8132] RAX: 0000000000000000 RBX: 0000000000000007 RCX: 0000000000411e31
[ 53.353273][ T8132] RDX: 0000000000000000 RSI: 0000000000740360 RDI: 0000000000000006
[ 53.361222][ T8132] RBP: 0000000000000000 R08: 0000000000740358 R09: 000000000000cf56
[ 53.369189][ T8132] R10: 00007fff65f9c640 R11: 0000000000000293 R12: 0000000000000001
[ 53.377172][ T8132] R13: 00007fff65f9c760 R14: 0000000000000000 R15: 00007fff65f9c770
[ 53.385133][ T8132]
[ 53.387439][ T8132] Allocated by task 21:
[ 53.391603][ T8132]  save_stack+0x45/0xd0
[ 53.395738][ T8132]  __kasan_kmalloc.constprop.0+0xcf/0xe0
[ 53.401346][ T8132]  kasan_kmalloc+0x9/0x10
[ 53.405651][ T8132]  __kmalloc_node_track_caller+0x4e/0x70
[ 53.411268][ T8132]  __kmalloc_reserve.isra.0+0x40/0xf0
[ 53.416616][ T8132]  __alloc_skb+0x10b/0x5e0
[ 53.421034][ T8132]  tipc_buf_acquire+0x2f/0x100
[ 53.425771][ T8132]  tipc_msg_create+0x38/0x270
[ 53.430450][ T8132]  tipc_topsrv_kern_evt+0x2a7/0x580
[ 53.435625][ T8132]  tipc_conn_send_to_sock+0x43e/0x5f0
[ 53.441001][ T8132]  tipc_conn_send_work+0x65/0x80
[ 53.445916][ T8132]  process_one_work+0x98e/0x1790
[ 53.450850][ T8132]  worker_thread+0x98/0xe40
[ 53.455330][ T8132]  kthread+0x357/0x430
[ 53.459387][ T8132]  ret_from_fork+0x3a/0x50
[ 53.463781][ T8132]
[ 53.466111][ T8132] Freed by task 8132:
[ 53.470152][ T8132]  save_stack+0x45/0xd0
[ 53.474319][ T8132]  __kasan_slab_free+0x102/0x150
[ 53.479237][ T8132]  kasan_slab_free+0xe/0x10
[ 53.483716][ T8132]  kfree+0xcf/0x230
[ 53.487586][ T8132]  skb_free_head+0x93/0xb0
[ 53.491978][ T8132]  skb_release_data+0x576/0x7a0
[ 53.496805][ T8132]  skb_release_all+0x4d/0x60
[ 53.501389][ T8132]  kfree_skb+0xe8/0x390
[ 53.505521][ T8132]  tipc_sk_filter_rcv+0x1e6a/0x34f0
[ 53.510702][ T8132]  tipc_sk_backlog_rcv+0xeb/0x1e0
[ 53.515715][ T8132]  __release_sock+0x12e/0x3a0
[ 53.520365][ T8132]  release_sock+0x59/0x1c0
[ 53.524762][ T8132]  tipc_release+0x9ed/0x14d0
[ 53.529329][ T8132]  __sock_release+0xd3/0x2b0
[ 53.533902][ T8132]  sock_close+0x1b/0x30
[ 53.538051][ T8132]  __fput+0x2e5/0x8d0
[ 53.542012][ T8132]  ____fput+0x16/0x20
[ 53.545970][ T8132]  task_work_run+0x14a/0x1c0
[ 53.550550][ T8132]  exit_to_usermode_loop+0x273/0x2c0
[ 53.555833][ T8132]  do_syscall_64+0x52d/0x610
[ 53.560399][ T8132]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 53.566287][ T8132]
[ 53.568608][ T8132] The buggy address belongs to the object at ffff88808a5604c0
[ 53.568608][ T8132]  which belongs to the cache kmalloc-1k of size 1024
[ 53.582643][ T8132] The buggy address is located 180 bytes inside of
[ 53.582643][ T8132]  1024-byte region [ffff88808a5604c0, ffff88808a5608c0)
[ 53.595971][ T8132] The buggy address belongs to the page:
[ 53.601579][ T8132] page:ffffea0002295800 count:1 mapcount:0 mapping:ffff88812c3f0ac0 index:0x0 compound_mapcount: 0
[ 53.612484][ T8132] flags: 0x1fffc0000010200(slab|head)
[ 53.617833][ T8132] raw: 01fffc0000010200 ffffea0002a61f08 ffffea00022da888 ffff88812c3f0ac0
[ 53.626393][ T8132] raw: 0000000000000000 ffff88808a560040 0000000100000007 0000000000000000
[ 53.634960][ T8132] page dumped because: kasan: bad access detected
[ 53.641344][ T8132]
[ 53.643647][ T8132] Memory state around the buggy address:
[ 53.649252][ T8132]  ffff88808a560400: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 53.657292][ T8132]  ffff88808a560480: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 53.665343][ T8132] >ffff88808a560500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 53.673377][ T8132]                                                              ^
[ 53.681094][ T8132]  ffff88808a560580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 53.689143][ T8132]  ffff88808a560600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 53.697178][ T8132] ==================================================================
[ 53.705213][ T8132] Disabling lock debugging due to kernel taint
[ 53.715025][ T8132] Kernel panic - not syncing: panic_on_warn set ...
[ 53.721653][ T8132] CPU: 0 PID: 8132 Comm: syz-executor.0 Tainted: G B 5.0.0+ #101
[ 53.730663][ T8132] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 53.740709][ T8132] Call Trace:
[ 53.743982][ T8132]  dump_stack+0x172/0x1f0
[ 53.748290][ T8132]  panic+0x2cb/0x65c
[ 53.752181][ T8132]  ? __warn_printk+0xf3/0xf3
[ 53.756747][ T8132]  ? tipc_sk_filter_rcv+0x2166/0x34f0
[ 53.762105][ T8132]  ? preempt_schedule+0x4b/0x60
[ 53.766940][ T8132]  ? ___preempt_schedule+0x16/0x18
[ 53.772038][ T8132]  ? trace_hardirqs_on+0x5e/0x230
[ 53.777042][ T8132]  ? tipc_sk_filter_rcv+0x2166/0x34f0
[ 53.782403][ T8132]  end_report+0x47/0x4f
[ 53.786535][ T8132]  ? tipc_sk_filter_rcv+0x2166/0x34f0
[ 53.791884][ T8132]  kasan_report.cold+0xe/0x40
[ 53.796537][ T8132]  ? tipc_sk_filter_rcv+0x2166/0x34f0
[ 53.801885][ T8132]  __asan_report_load4_noabort+0x14/0x20
[ 53.807492][ T8132]  tipc_sk_filter_rcv+0x2166/0x34f0
[ 53.812675][ T8132]  ? debug_object_deactivate+0x1e4/0x360
[ 53.818296][ T8132]  ? find_held_lock+0x35/0x130
[ 53.823035][ T8132]  ? tipc_sk_overlimit2+0xa0/0xa0
[ 53.828035][ T8132]  ? lock_downgrade+0x880/0x880
[ 53.832882][ T8132]  ? __lock_acquire+0x548/0x3fb0
[ 53.837796][ T8132]  ? __release_sock+0xca/0x3a0
[ 53.842536][ T8132]  tipc_sk_backlog_rcv+0xeb/0x1e0
[ 53.847533][ T8132]  ? tipc_sk_mcast_rcv+0x1020/0x1020
[ 53.852810][ T8132]  ? __local_bh_enable_ip+0x15a/0x270
[ 53.858173][ T8132]  ? lockdep_hardirqs_on+0x418/0x5d0
[ 53.863437][ T8132]  ? __release_sock+0xca/0x3a0
[ 53.868191][ T8132]  ? trace_hardirqs_on+0x67/0x230
[ 53.873209][ T8132]  ? __release_sock+0xca/0x3a0
[ 53.877949][ T8132]  ? __local_bh_enable_ip+0x15a/0x270
[ 53.883311][ T8132]  __release_sock+0x12e/0x3a0
[ 53.887966][ T8132]  release_sock+0x59/0x1c0
[ 53.892360][ T8132]  tipc_release+0x9ed/0x14d0
[ 53.896927][ T8132]  __sock_release+0xd3/0x2b0
[ 53.901500][ T8132]  ? __sock_release+0x2b0/0x2b0
[ 53.906327][ T8132]  sock_close+0x1b/0x30
[ 53.910479][ T8132]  __fput+0x2e5/0x8d0
[ 53.914454][ T8132]  ____fput+0x16/0x20
[ 53.918425][ T8132]  task_work_run+0x14a/0x1c0
[ 53.922998][ T8132]  exit_to_usermode_loop+0x273/0x2c0
[ 53.928269][ T8132]  do_syscall_64+0x52d/0x610
[ 53.932887][ T8132]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 53.938754][ T8132] RIP: 0033:0x411e31
[ 53.942644][ T8132] Code: 75 14 b8 03 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 e4 1a 00 00 c3 48 83 ec 08 e8 0a fc ff ff 48 89 04 24 b8 03 00 00 00 0f 05 <48> 8b 3c 24 48 89 c2 e8 53 fc ff ff 48 89 d0 48 83 c4 08 48 3d 01
[ 53.962333][ T8132] RSP: 002b:00007fff65f9c720 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
[ 53.970744][ T8132] RAX: 0000000000000000 RBX: 0000000000000007 RCX: 0000000000411e31
[ 53.978693][ T8132] RDX: 0000000000000000 RSI: 0000000000740360 RDI: 0000000000000006
[ 53.986643][ T8132] RBP: 0000000000000000 R08: 0000000000740358 R09: 000000000000cf56
[ 53.994608][ T8132] R10: 00007fff65f9c640 R11: 0000000000000293 R12: 0000000000000001
[ 54.002575][ T8132] R13: 00007fff65f9c760 R14: 0000000000000000 R15: 00007fff65f9c770
[ 54.011355][ T8132] Kernel Offset: disabled
[ 54.015676][ T8132] Rebooting in 86400 seconds..