[ 35.772339][ T26] audit: type=1800 audit(1553581254.727:30): pid=7430 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="rmnologin" dev="sda1" ino=2423 res=0
Debian GNU/Linux 7 syzkaller ttyS0
Warning: Permanently added '10.128.0.60' (ECDSA) to the list of known hosts.
executing program
syzkaller login:
[ 45.569958][ C0] TCP: request_sock_TCPv6: Possible SYN flooding on port 20002. Sending cookies. Check SNMP counters.
[ 45.630612][ C0] TCP: request_sock_TCPv6: Possible SYN flooding on port 20002. Sending cookies. Check SNMP counters.
[ 45.692144][ T7586] ==================================================================
[ 45.700838][ T7586] BUG: KASAN: use-after-free in skb_release_data+0x11d/0x7a0
[ 45.708455][ T7586] Write of size 4 at addr ffff88808ae550a0 by task syz-executor973/7586
[ 45.717019][ T7586]
[ 45.719337][ T7586] CPU: 1 PID: 7586 Comm: syz-executor973 Not tainted 5.1.0-rc2-next-20190325 #10
[ 45.728440][ T7586] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 45.738594][ T7586] Call Trace:
[ 45.741873][ T7586]  dump_stack+0x172/0x1f0
[ 45.746335][ T7586]  ? skb_release_data+0x11d/0x7a0
[ 45.751379][ T7586]  ? inet_sock_destruct+0x10b/0x830
[ 45.756571][ T7586]  print_address_description.cold+0x7c/0x20d
[ 45.762534][ T7586]  ? skb_release_data+0x11d/0x7a0
[ 45.767557][ T7586]  ? skb_release_data+0x11d/0x7a0
[ 45.772694][ T7586]  ? inet_sock_destruct+0x10b/0x830
[ 45.777881][ T7586]  kasan_report.cold+0x1b/0x40
[ 45.782635][ T7586]  ? skb_release_data+0x11d/0x7a0
[ 45.787655][ T7586]  check_memory_region+0x123/0x190
[ 45.792935][ T7586]  kasan_check_write+0x14/0x20
[ 45.797810][ T7586]  skb_release_data+0x11d/0x7a0
[ 45.802650][ T7586]  ? sock_rfree+0x121/0x180
[ 45.807136][ T7586]  ? inet_sock_destruct+0x10b/0x830
[ 45.812403][ T7586]  skb_release_all+0x4d/0x60
[ 45.816991][ T7586]  kfree_skb+0xe8/0x390
[ 45.821236][ T7586]  inet_sock_destruct+0x10b/0x830
[ 45.826257][ T7586]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 45.832684][ T7586]  ? ipip_gso_segment+0x100/0x100
[ 45.837704][ T7586]  __sk_destruct+0x55/0x6d0
[ 45.842415][ T7586]  sk_destruct+0x7b/0x90
[ 45.846674][ T7586]  __sk_free+0xce/0x300
[ 45.851051][ T7586]  sk_free+0x42/0x50
[ 45.855043][ T7586]  sk_common_release+0x224/0x330
[ 45.859975][ T7586]  rawv6_close+0x68/0x90
[ 45.864395][ T7586]  inet_release+0x105/0x1f0
[ 45.869184][ T7586]  inet6_release+0x53/0x80
[ 45.873588][ T7586]  __sock_release+0xd3/0x2b0
[ 45.878291][ T7586]  ? __sock_release+0x2b0/0x2b0
[ 45.883132][ T7586]  sock_close+0x1b/0x30
[ 45.887434][ T7586]  __fput+0x2e5/0x8d0
[ 45.891420][ T7586]  ____fput+0x16/0x20
[ 45.895382][ T7586]  task_work_run+0x14a/0x1c0
[ 45.900003][ T7586]  do_exit+0x90a/0x2fa0
[ 45.904166][ T7586]  ? get_signal+0x331/0x1d50
[ 45.908848][ T7586]  ? mm_update_next_owner+0x640/0x640
[ 45.914210][ T7586]  ? kasan_check_write+0x14/0x20
[ 45.919145][ T7586]  ? _raw_spin_unlock_irq+0x28/0x90
[ 45.924450][ T7586]  ? get_signal+0x331/0x1d50
[ 45.929074][ T7586]  ? _raw_spin_unlock_irq+0x28/0x90
[ 45.934274][ T7586]  do_group_exit+0x135/0x370
[ 45.938942][ T7586]  get_signal+0x399/0x1d50
[ 45.943360][ T7586]  ? fput+0x1b/0x20
[ 45.947248][ T7586]  do_signal+0x87/0x1940
[ 45.951479][ T7586]  ? __fdget+0x1b/0x20
[ 45.955531][ T7586]  ? setup_sigcontext+0x7d0/0x7d0
[ 45.960615][ T7586]  ? exit_to_usermode_loop+0x43/0x2c0
[ 45.966039][ T7586]  ? do_syscall_64+0x52d/0x610
[ 45.970799][ T7586]  ? exit_to_usermode_loop+0x43/0x2c0
[ 45.976216][ T7586]  ? lockdep_hardirqs_on+0x418/0x5d0
[ 45.981585][ T7586]  ? trace_hardirqs_on+0x67/0x230
[ 45.986719][ T7586]  exit_to_usermode_loop+0x244/0x2c0
[ 45.991989][ T7586]  do_syscall_64+0x52d/0x610
[ 45.996647][ T7586]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 46.002556][ T7586] RIP: 0033:0x4459a9
[ 46.006551][ T7586] Code: Bad RIP value.
[ 46.010630][ T7586] RSP: 002b:00007f0608b02da8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
[ 46.019054][ T7586] RAX: fffffffffffffe00 RBX: 00000000006dac38 RCX: 00000000004459a9
[ 46.027012][ T7586] RDX: 0000000000000000 RSI: 0000000000000080 RDI: 00000000006dac38
[ 46.034974][ T7586] RBP: 00000000006dac30 R08: 0000000000000000 R09: 0000000000000000
[ 46.042930][ T7586] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dac3c
[ 46.051419][ T7586] R13: 0000000000000000 R14: 0000000000000000 R15: 20c49ba5e353f7cf
[ 46.059561][ T7586]
[ 46.061872][ T7586] Allocated by task 7586:
[ 46.066192][ T7586]  save_stack+0x45/0xd0
[ 46.070331][ T7586]  __kasan_kmalloc.constprop.0+0xcf/0xe0
[ 46.075948][ T7586]  kasan_kmalloc+0x9/0x10
[ 46.080404][ T7586]  __kmalloc_node_track_caller+0x4e/0x70
[ 46.086035][ T7586]  __kmalloc_reserve.isra.0+0x40/0xf0
[ 46.091387][ T7586]  __alloc_skb+0x10b/0x5e0
[ 46.095915][ T7586]  sk_stream_alloc_skb+0x113/0xd10
[ 46.101140][ T7586]  tcp_connect+0xfd8/0x4280
[ 46.105638][ T7586]  tcp_v6_connect+0x150b/0x20a0
[ 46.110480][ T7586]  __inet_stream_connect+0x83f/0xea0
[ 46.115841][ T7586]  tcp_sendmsg_locked+0x2314/0x34d0
[ 46.121465][ T7586]  tcp_sendmsg+0x30/0x50
[ 46.125706][ T7586]  inet_sendmsg+0x147/0x5e0
[ 46.130191][ T7586]  sock_sendmsg+0xdd/0x130
[ 46.134768][ T7586]  __sys_sendto+0x262/0x380
[ 46.139251][ T7586]  __x64_sys_sendto+0xe1/0x1a0
[ 46.144210][ T7586]  do_syscall_64+0x103/0x610
[ 46.148789][ T7586]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 46.154823][ T7586]
[ 46.157129][ T7586] Freed by task 7586:
[ 46.161157][ T7586]  save_stack+0x45/0xd0
[ 46.165293][ T7586]  __kasan_slab_free+0x102/0x150
[ 46.170207][ T7586]  kasan_slab_free+0xe/0x10
[ 46.174695][ T7586]  kfree+0xcf/0x230
[ 46.178564][ T7586]  skb_free_head+0x93/0xb0
[ 46.182971][ T7586]  skb_release_data+0x576/0x7a0
[ 46.187934][ T7586]  skb_release_all+0x4d/0x60
[ 46.192632][ T7586]  kfree_skb+0xe8/0x390
[ 46.196775][ T7586]  inet_sock_destruct+0x10b/0x830
[ 46.201782][ T7586]  __sk_destruct+0x55/0x6d0
[ 46.206272][ T7586]  sk_destruct+0x7b/0x90
[ 46.210622][ T7586]  __sk_free+0xce/0x300
[ 46.214755][ T7586]  sk_free+0x42/0x50
[ 46.218640][ T7586]  sk_common_release+0x224/0x330
[ 46.223552][ T7586]  rawv6_close+0x68/0x90
[ 46.227888][ T7586]  inet_release+0x105/0x1f0
[ 46.232387][ T7586]  inet6_release+0x53/0x80
[ 46.237060][ T7586]  __sock_release+0xd3/0x2b0
[ 46.241925][ T7586]  sock_close+0x1b/0x30
[ 46.246077][ T7586]  __fput+0x2e5/0x8d0
[ 46.250067][ T7586]  ____fput+0x16/0x20
[ 46.254173][ T7586]  task_work_run+0x14a/0x1c0
[ 46.258752][ T7586]  do_exit+0x90a/0x2fa0
[ 46.262885][ T7586]  do_group_exit+0x135/0x370
[ 46.267455][ T7586]  get_signal+0x399/0x1d50
[ 46.271861][ T7586]  do_signal+0x87/0x1940
[ 46.276104][ T7586]  exit_to_usermode_loop+0x244/0x2c0
[ 46.281448][ T7586]  do_syscall_64+0x52d/0x610
[ 46.286179][ T7586]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 46.292045][ T7586]
[ 46.294421][ T7586] The buggy address belongs to the object at ffff88808ae54dc0
[ 46.294421][ T7586]  which belongs to the cache kmalloc-1k of size 1024
[ 46.308690][ T7586] The buggy address is located 736 bytes inside of
[ 46.308690][ T7586]  1024-byte region [ffff88808ae54dc0, ffff88808ae551c0)
[ 46.322143][ T7586] The buggy address belongs to the page:
[ 46.327976][ T7586] page:ffffea00022b9500 count:1 mapcount:0 mapping:ffff88812c3f0ac0 index:0x0 compound_mapcount: 0
[ 46.338730][ T7586] flags: 0x1fffc0000010200(slab|head)
[ 46.344079][ T7586] raw: 01fffc0000010200 ffffea0002379988 ffff88812c3f1848 ffff88812c3f0ac0
[ 46.352773][ T7586] raw: 0000000000000000 ffff88808ae54040 0000000100000007 0000000000000000
[ 46.361347][ T7586] page dumped because: kasan: bad access detected
[ 46.367736][ T7586]
[ 46.370041][ T7586] Memory state around the buggy address:
[ 46.375817][ T7586]  ffff88808ae54f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 46.383886][ T7586]  ffff88808ae55000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 46.392135][ T7586] >ffff88808ae55080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 46.400266][ T7586]                                ^
[ 46.405375][ T7586]  ffff88808ae55100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 46.413656][ T7586]  ffff88808ae55180: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 46.421707][ T7586] ==================================================================
[ 46.429885][ T7586] Disabling lock debugging due to kernel taint
[ 46.436718][ T7586] Kernel panic - not syncing: panic_on_warn set ...
[ 46.443326][ T7586] CPU: 1 PID: 7586 Comm: syz-executor973 Tainted: G B 5.1.0-rc2-next-20190325 #10
[ 46.453955][ T7586] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 46.463990][ T7586] Call Trace:
[ 46.467468][ T7586]  dump_stack+0x172/0x1f0
[ 46.471831][ T7586]  ? inet_sock_destruct+0x10b/0x830
[ 46.477141][ T7586]  panic+0x2cb/0x65c
[ 46.481021][ T7586]  ? __warn_printk+0xf3/0xf3
[ 46.485699][ T7586]  ? skb_release_data+0x11d/0x7a0
[ 46.490827][ T7586]  ? inet_sock_destruct+0x10b/0x830
[ 46.496019][ T7586]  ? preempt_schedule+0x4b/0x60
[ 46.500855][ T7586]  ? ___preempt_schedule+0x16/0x18
[ 46.506079][ T7586]  ? trace_hardirqs_on+0x5e/0x230
[ 46.511086][ T7586]  ? skb_release_data+0x11d/0x7a0
[ 46.516089][ T7586]  ? inet_sock_destruct+0x10b/0x830
[ 46.521495][ T7586]  end_report+0x47/0x4f
[ 46.525647][ T7586]  ? skb_release_data+0x11d/0x7a0
[ 46.530753][ T7586]  kasan_report.cold+0xe/0x40
[ 46.535411][ T7586]  ? skb_release_data+0x11d/0x7a0
[ 46.540426][ T7586]  check_memory_region+0x123/0x190
[ 46.545635][ T7586]  kasan_check_write+0x14/0x20
[ 46.550549][ T7586]  skb_release_data+0x11d/0x7a0
[ 46.555378][ T7586]  ? sock_rfree+0x121/0x180
[ 46.559862][ T7586]  ? inet_sock_destruct+0x10b/0x830
[ 46.565043][ T7586]  skb_release_all+0x4d/0x60
[ 46.569612][ T7586]  kfree_skb+0xe8/0x390
[ 46.573746][ T7586]  inet_sock_destruct+0x10b/0x830
[ 46.578813][ T7586]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 46.585042][ T7586]  ? ipip_gso_segment+0x100/0x100
[ 46.590080][ T7586]  __sk_destruct+0x55/0x6d0
[ 46.594572][ T7586]  sk_destruct+0x7b/0x90
[ 46.598912][ T7586]  __sk_free+0xce/0x300
[ 46.603049][ T7586]  sk_free+0x42/0x50
[ 46.606920][ T7586]  sk_common_release+0x224/0x330
[ 46.611846][ T7586]  rawv6_close+0x68/0x90
[ 46.616196][ T7586]  inet_release+0x105/0x1f0
[ 46.620680][ T7586]  inet6_release+0x53/0x80
[ 46.625083][ T7586]  __sock_release+0xd3/0x2b0
[ 46.629873][ T7586]  ? __sock_release+0x2b0/0x2b0
[ 46.634711][ T7586]  sock_close+0x1b/0x30
[ 46.638975][ T7586]  __fput+0x2e5/0x8d0
[ 46.642943][ T7586]  ____fput+0x16/0x20
[ 46.646947][ T7586]  task_work_run+0x14a/0x1c0
[ 46.651534][ T7586]  do_exit+0x90a/0x2fa0
[ 46.655677][ T7586]  ? get_signal+0x331/0x1d50
[ 46.660548][ T7586]  ? mm_update_next_owner+0x640/0x640
[ 46.665908][ T7586]  ? kasan_check_write+0x14/0x20
[ 46.671027][ T7586]  ? _raw_spin_unlock_irq+0x28/0x90
[ 46.676268][ T7586]  ? get_signal+0x331/0x1d50
[ 46.680871][ T7586]  ? _raw_spin_unlock_irq+0x28/0x90
[ 46.686161][ T7586]  do_group_exit+0x135/0x370
[ 46.690933][ T7586]  get_signal+0x399/0x1d50
[ 46.695703][ T7586]  ? fput+0x1b/0x20
[ 46.699523][ T7586]  do_signal+0x87/0x1940
[ 46.703877][ T7586]  ? __fdget+0x1b/0x20
[ 46.708035][ T7586]  ? setup_sigcontext+0x7d0/0x7d0
[ 46.713048][ T7586]  ? exit_to_usermode_loop+0x43/0x2c0
[ 46.718411][ T7586]  ? do_syscall_64+0x52d/0x610
[ 46.723255][ T7586]  ? exit_to_usermode_loop+0x43/0x2c0
[ 46.728625][ T7586]  ? lockdep_hardirqs_on+0x418/0x5d0
[ 46.733996][ T7586]  ? trace_hardirqs_on+0x67/0x230
[ 46.739005][ T7586]  exit_to_usermode_loop+0x244/0x2c0
[ 46.744476][ T7586]  do_syscall_64+0x52d/0x610
[ 46.749460][ T7586]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 46.755431][ T7586] RIP: 0033:0x4459a9
[ 46.759320][ T7586] Code: Bad RIP value.
[ 46.763371][ T7586] RSP: 002b:00007f0608b02da8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
[ 46.771764][ T7586] RAX: fffffffffffffe00 RBX: 00000000006dac38 RCX: 00000000004459a9
[ 46.779787][ T7586] RDX: 0000000000000000 RSI: 0000000000000080 RDI: 00000000006dac38
[ 46.787799][ T7586] RBP: 00000000006dac30 R08: 0000000000000000 R09: 0000000000000000
[ 46.795960][ T7586] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dac3c
[ 46.804162][ T7586] R13: 0000000000000000 R14: 0000000000000000 R15: 20c49ba5e353f7cf
[ 46.813517][ T7586] Kernel Offset: disabled
[ 46.817847][ T7586] Rebooting in 86400 seconds..