[ ok ] Starting enhanced syslogd: rsyslogd.
[ 46.926548][ T23] audit: type=1800 audit(1584497034.869:25): pid=8447 uid=0 auid=4294967295 ses=4294967295 subj=_ op=collect_data cause=failed(directio) comm="startpar" name="cron" dev="sda1" ino=2414 res=0
[ 46.957607][ T23] audit: type=1800 audit(1584497034.869:26): pid=8447 uid=0 auid=4294967295 ses=4294967295 subj=_ op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0
[ 46.991025][ T23] audit: type=1800 audit(1584497034.869:27): pid=8447 uid=0 auid=4294967295 ses=4294967295 subj=_ op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.28' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 59.830923][ T8598] IPVS: ftp: loaded support on port[0] = 21
[ 59.859732][ T8598] ==================================================================
[ 59.868211][ T8598] BUG: KASAN: use-after-free in tcindex_change+0x1c61/0x27b0
[ 59.875731][ T8598] Write of size 16 at addr ffff88809f3606b8 by task syz-executor170/8598
[ 59.884552][ T8598]
[ 59.886881][ T8598] CPU: 0 PID: 8598 Comm: syz-executor170 Not tainted 5.6.0-rc6-syzkaller #0
[ 59.895575][ T8598] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 59.906192][ T8598] Call Trace:
[ 59.909596][ T8598]  dump_stack+0x1e9/0x30e
[ 59.913925][ T8598]  print_address_description+0x74/0x5c0
[ 59.919465][ T8598]  ? printk+0x62/0x83
[ 59.923439][ T8598]  ? vprintk_emit+0x2e6/0x3b0
[ 59.928145][ T8598]  __kasan_report+0x14b/0x1c0
[ 59.932812][ T8598]  ? tcindex_change+0x1c61/0x27b0
[ 59.937827][ T8598]  kasan_report+0x25/0x50
[ 59.942335][ T8598]  check_memory_region+0x2a5/0x2e0
[ 59.947440][ T8598]  ? tcindex_change+0x1c61/0x27b0
[ 59.952541][ T8598]  memcpy+0x38/0x50
[ 59.956337][ T8598]  tcindex_change+0x1c61/0x27b0
[ 59.961406][ T8598]  ? tcindex_destroy+0x970/0x970
[ 59.966490][ T8598]  ? tcindex_lookup+0x13e/0x360
[ 59.971468][ T8598]  tc_new_tfilter+0x1490/0x2f50
[ 59.976515][ T8598]  ? tcindex_get+0x1c0/0x1c0
[ 59.981210][ T8598]  ? tcf_tunnel_encap_put_tunnel+0x20/0x20
[ 59.987182][ T8598]  rtnetlink_rcv_msg+0x8fb/0xd40
[ 59.992770][ T8598]  ? lock_acquire+0x154/0x250
[ 59.997728][ T8598]  ? rcu_lock_acquire+0x5/0x30
[ 60.002651][ T8598]  ? check_preemption_disabled+0x40/0x240
[ 60.008687][ T8598]  ? debug_smp_processor_id+0x5/0x20
[ 60.014009][ T8598]  netlink_rcv_skb+0x190/0x3a0
[ 60.019072][ T8598]  ? rtnetlink_bind+0x80/0x80
[ 60.023754][ T8598]  netlink_unicast+0x786/0x940
[ 60.028808][ T8598]  netlink_sendmsg+0xa57/0xd70
[ 60.033794][ T8598]  ? netlink_getsockopt+0x9d0/0x9d0
[ 60.038990][ T8598]  ____sys_sendmsg+0x4f9/0x7c0
[ 60.043843][ T8598]  __sys_sendmsg+0x1ed/0x290
[ 60.048431][ T8598]  ? __might_fault+0xf5/0x150
[ 60.053109][ T8598]  ? move_addr_to_user+0x17f/0x1e0
[ 60.058212][ T8598]  ? __sys_getsockname+0x1e2/0x220
[ 60.063401][ T8598]  ? check_preemption_disabled+0xb0/0x240
[ 60.069102][ T8598]  ? debug_smp_processor_id+0x5/0x20
[ 60.074436][ T8598]  ? check_preemption_disabled+0xb0/0x240
[ 60.080146][ T8598]  ? debug_smp_processor_id+0x5/0x20
[ 60.085538][ T8598]  ? trace_irq_disable_rcuidle+0x1f/0x1d0
[ 60.091242][ T8598]  ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[ 60.097452][ T8598]  ? do_syscall_64+0x19/0x1b0
[ 60.102213][ T8598]  do_syscall_64+0xf3/0x1b0
[ 60.106708][ T8598]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 60.112763][ T8598] RIP: 0033:0x440e79
[ 60.116656][ T8598] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b 10 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 60.136712][ T8598] RSP: 002b:00007ffc4363cf28 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 60.145462][ T8598] RAX: ffffffffffffffda RBX: 00000000004a2650 RCX: 0000000000440e79
[ 60.153802][ T8598] RDX: 0000000000000000 RSI: 00000000200001c0 RDI: 0000000000000003
[ 60.162502][ T8598] RBP: 00007ffc4363cf30 R08: 0000000120080522 R09: 0000000120080522
[ 60.171760][ T8598] R10: 0000000120080522 R11: 0000000000000246 R12: 00000000004a2650
[ 60.181328][ T8598] R13: 0000000000402410 R14: 0000000000000000 R15: 0000000000000000
[ 60.189514][ T8598]
[ 60.191917][ T8598] Allocated by task 4586:
[ 60.196488][ T8598]  __kasan_kmalloc+0x118/0x1c0
[ 60.201235][ T8598]  __kmalloc+0x24b/0x330
[ 60.205732][ T8598]  kzalloc+0x1d/0x40
[ 60.210168][ T8598]  security_prepare_creds+0x46/0x220
[ 60.215816][ T8598]  prepare_creds+0x3dc/0x590
[ 60.220700][ T8598]  copy_creds+0x130/0x6b0
[ 60.225136][ T8598]  copy_process+0x8e5/0x5560
[ 60.230058][ T8598]  _do_fork+0x134/0x650
[ 60.234424][ T8598]  __x64_sys_clone+0x208/0x250
[ 60.241119][ T8598]  do_syscall_64+0xf3/0x1b0
[ 60.245908][ T8598]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 60.251879][ T8598]
[ 60.254210][ T8598] Freed by task 8185:
[ 60.258541][ T8598]  __kasan_slab_free+0x12e/0x1e0
[ 60.264516][ T8598]  kfree+0x10a/0x220
[ 60.268542][ T8598]  security_cred_free+0xbf/0x100
[ 60.273540][ T8598]  put_cred_rcu+0xca/0x350
[ 60.277946][ T8598]  rcu_core+0x7e4/0x1080
[ 60.282404][ T8598]  __do_softirq+0x268/0x7c5
[ 60.287039][ T8598]
[ 60.289367][ T8598] The buggy address belongs to the object at ffff88809f360600
[ 60.289367][ T8598]  which belongs to the cache kmalloc-192 of size 192
[ 60.304464][ T8598] The buggy address is located 184 bytes inside of
[ 60.304464][ T8598]  192-byte region [ffff88809f360600, ffff88809f3606c0)
[ 60.318363][ T8598] The buggy address belongs to the page:
[ 60.324024][ T8598] page:ffffea00027cd800 refcount:1 mapcount:0 mapping:ffff8880aa400000 index:0xffff88809f360f00
[ 60.334592][ T8598] flags: 0xfffe0000000200(slab)
[ 60.340114][ T8598] raw: 00fffe0000000200 ffffea000266cd48 ffffea0002526b48 ffff8880aa400000
[ 60.349070][ T8598] raw: ffff88809f360f00 ffff88809f360000 0000000100000008 0000000000000000
[ 60.357998][ T8598] page dumped because: kasan: bad access detected
[ 60.365199][ T8598]
[ 60.367575][ T8598] Memory state around the buggy address:
[ 60.373609][ T8598]  ffff88809f360580: 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 60.381975][ T8598]  ffff88809f360600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 60.390162][ T8598] >ffff88809f360680: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 60.398282][ T8598]                                         ^
[ 60.404538][ T8598]  ffff88809f360700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 60.412790][ T8598]  ffff88809f360780: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 60.421239][ T8598] ==================================================================
[ 60.429605][ T8598] Disabling lock debugging due to kernel taint
[ 60.436986][ T8598] Kernel panic - not syncing: panic_on_warn set ...
[ 60.443796][ T8598] CPU: 0 PID: 8598 Comm: syz-executor170 Tainted: G    B             5.6.0-rc6-syzkaller #0
[ 60.453925][ T8598] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 60.464511][ T8598] Call Trace:
[ 60.467796][ T8598]  dump_stack+0x1e9/0x30e
[ 60.473330][ T8598]  panic+0x264/0x7a0
[ 60.477342][ T8598]  ? trace_hardirqs_on+0x30/0x70
[ 60.482778][ T8598]  __kasan_report+0x1bc/0x1c0
[ 60.487604][ T8598]  ? tcindex_change+0x1c61/0x27b0
[ 60.493045][ T8598]  kasan_report+0x25/0x50
[ 60.497546][ T8598]  check_memory_region+0x2a5/0x2e0
[ 60.503011][ T8598]  ? tcindex_change+0x1c61/0x27b0
[ 60.508145][ T8598]  memcpy+0x38/0x50
[ 60.511958][ T8598]  tcindex_change+0x1c61/0x27b0
[ 60.517001][ T8598]  ? tcindex_destroy+0x970/0x970
[ 60.522082][ T8598]  ? tcindex_lookup+0x13e/0x360
[ 60.527221][ T8598]  tc_new_tfilter+0x1490/0x2f50
[ 60.532211][ T8598]  ? tcindex_get+0x1c0/0x1c0
[ 60.537767][ T8598]  ? tcf_tunnel_encap_put_tunnel+0x20/0x20
[ 60.543601][ T8598]  rtnetlink_rcv_msg+0x8fb/0xd40
[ 60.548557][ T8598]  ? lock_acquire+0x154/0x250
[ 60.553420][ T8598]  ? rcu_lock_acquire+0x5/0x30
[ 60.558350][ T8598]  ? check_preemption_disabled+0x40/0x240
[ 60.564069][ T8598]  ? debug_smp_processor_id+0x5/0x20
[ 60.569898][ T8598]  netlink_rcv_skb+0x190/0x3a0
[ 60.574779][ T8598]  ? rtnetlink_bind+0x80/0x80
[ 60.579640][ T8598]  netlink_unicast+0x786/0x940
[ 60.584519][ T8598]  netlink_sendmsg+0xa57/0xd70
[ 60.590561][ T8598]  ? netlink_getsockopt+0x9d0/0x9d0
[ 60.595943][ T8598]  ____sys_sendmsg+0x4f9/0x7c0
[ 60.600750][ T8598]  __sys_sendmsg+0x1ed/0x290
[ 60.605371][ T8598]  ? __might_fault+0xf5/0x150
[ 60.610049][ T8598]  ? move_addr_to_user+0x17f/0x1e0
[ 60.615623][ T8598]  ? __sys_getsockname+0x1e2/0x220
[ 60.620876][ T8598]  ? check_preemption_disabled+0xb0/0x240
[ 60.626913][ T8598]  ? debug_smp_processor_id+0x5/0x20
[ 60.632201][ T8598]  ? check_preemption_disabled+0xb0/0x240
[ 60.639113][ T8598]  ? debug_smp_processor_id+0x5/0x20
[ 60.644444][ T8598]  ? trace_irq_disable_rcuidle+0x1f/0x1d0
[ 60.650277][ T8598]  ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[ 60.656675][ T8598]  ? do_syscall_64+0x19/0x1b0
[ 60.661561][ T8598]  do_syscall_64+0xf3/0x1b0
[ 60.667016][ T8598]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 60.672907][ T8598] RIP: 0033:0x440e79
[ 60.677308][ T8598] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b 10 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 60.697393][ T8598] RSP: 002b:00007ffc4363cf28 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 60.705877][ T8598] RAX: ffffffffffffffda RBX: 00000000004a2650 RCX: 0000000000440e79
[ 60.714711][ T8598] RDX: 0000000000000000 RSI: 00000000200001c0 RDI: 0000000000000003
[ 60.723026][ T8598] RBP: 00007ffc4363cf30 R08: 0000000120080522 R09: 0000000120080522
[ 60.731532][ T8598] R10: 0000000120080522 R11: 0000000000000246 R12: 00000000004a2650
[ 60.739871][ T8598] R13: 0000000000402410 R14: 0000000000000000 R15: 0000000000000000
[ 60.749692][ T8598] Kernel Offset: disabled
[ 60.754145][ T8598] Rebooting in 86400 seconds..