[ 35.195681][ T26] audit: type=1800 audit(1552236361.407:27): pid=7487 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0
[ 35.220740][ T26] audit: type=1800 audit(1552236361.407:28): pid=7487 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="ssh" dev="sda1" ino=2417 res=0
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ 35.767893][ T26] audit: type=1800 audit(1552236362.057:29): pid=7487 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="rc.local" dev="sda1" ino=2432 res=0
[ 35.788580][ T26] audit: type=1800 audit(1552236362.057:30): pid=7487 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="rmnologin" dev="sda1" ino=2423 res=0

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.21' (ECDSA) to the list of known hosts.
executing program
executing program
executing program
executing program
executing program
executing program

syzkaller login: [ 46.359813][ T7647] device ifb0 entered promiscuous mode
[ 46.380061][ T7647] device ifb0 left promiscuous mode
executing program
[ 46.563885][ T7654] device ifb0 entered promiscuous mode
[ 46.669602][ T7653] device ifb0 left promiscuous mode
executing program
executing program
executing program
executing program
executing program
[ 46.759640][ T7679] device ifb0 entered promiscuous mode
[ 46.814720][ T7680] device ifb0 left promiscuous mode
executing program
[ 46.873957][ T7690] device ifb0 entered promiscuous mode
[ 46.927940][ T7696] device ifb0 left promiscuous mode
executing program
executing program
executing program
executing program
executing program
[ 47.005483][ T7707] device ifb0 entered promiscuous mode
[ 47.015270][ T7708] device ifb0 left promiscuous mode
[ 47.102910][ T7708] ==================================================================
[ 47.111198][ T7708] BUG: KASAN: use-after-free in x25_device_event+0x296/0x2b0
[ 47.118568][ T7708] Read of size 8 at addr ffff8880a0356790 by task syz-executor221/7708
[ 47.126794][ T7708]
[ 47.129128][ T7708] CPU: 0 PID: 7708 Comm: syz-executor221 Not tainted 5.0.0+ #15
[ 47.136743][ T7708] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 47.146785][ T7708] Call Trace:
[ 47.150084][ T7708]  dump_stack+0x172/0x1f0
[ 47.154411][ T7708]  ? x25_device_event+0x296/0x2b0
[ 47.159438][ T7708]  print_address_description.cold+0x7c/0x20d
[ 47.165413][ T7708]  ? x25_device_event+0x296/0x2b0
[ 47.170430][ T7708]  ? x25_device_event+0x296/0x2b0
[ 47.175452][ T7708]  kasan_report.cold+0x1b/0x40
[ 47.180213][ T7708]  ? x25_device_event+0x296/0x2b0
[ 47.185231][ T7708]  __asan_report_load8_noabort+0x14/0x20
[ 47.190868][ T7708]  x25_device_event+0x296/0x2b0
[ 47.195721][ T7708]  notifier_call_chain+0xc7/0x240
[ 47.200744][ T7708]  raw_notifier_call_chain+0x2e/0x40
[ 47.206030][ T7708]  call_netdevice_notifiers_info+0x3f/0x90
[ 47.211840][ T7708]  __dev_notify_flags+0x1e9/0x2c0
[ 47.216859][ T7708]  ? dev_change_name+0xa00/0xa00
[ 47.221790][ T7708]  ? __dev_change_flags+0x513/0x6e0
[ 47.226987][ T7708]  ? dev_set_allmulti+0x30/0x30
[ 47.231835][ T7708]  ? mutex_trylock+0x1e0/0x1e0
[ 47.236594][ T7708]  ? find_held_lock+0x35/0x130
[ 47.241490][ T7708]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 47.247732][ T7708]  dev_change_flags+0x10d/0x170
[ 47.252583][ T7708]  dev_ifsioc+0x5bf/0x990
[ 47.256911][ T7708]  ? register_gifconf+0x70/0x70
[ 47.261766][ T7708]  dev_ioctl+0x1b8/0xc90
[ 47.266010][ T7708]  sock_do_ioctl+0x1bd/0x300
[ 47.270591][ T7708]  ? compat_ifr_data_ioctl+0x160/0x160
[ 47.276053][ T7708]  ? tomoyo_domain+0xc5/0x160
[ 47.280732][ T7708]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 47.286967][ T7708]  ? tomoyo_path_number_perm+0x263/0x520
[ 47.292602][ T7708]  sock_ioctl+0x32b/0x610
[ 47.296930][ T7708]  ? dlci_ioctl_set+0x40/0x40
[ 47.301602][ T7708]  ? __fget+0x35a/0x550
[ 47.305758][ T7708]  ? dlci_ioctl_set+0x40/0x40
[ 47.310450][ T7708]  do_vfs_ioctl+0xd6e/0x1390
[ 47.315039][ T7708]  ? ioctl_preallocate+0x210/0x210
[ 47.320151][ T7708]  ? __fget+0x381/0x550
[ 47.324310][ T7708]  ? ksys_dup3+0x3e0/0x3e0
[ 47.328736][ T7708]  ? tomoyo_file_ioctl+0x23/0x30
[ 47.333664][ T7708]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 47.339895][ T7708]  ? security_file_ioctl+0x93/0xc0
[ 47.345005][ T7708]  ksys_ioctl+0xab/0xd0
[ 47.349156][ T7708]  __x64_sys_ioctl+0x73/0xb0
[ 47.353752][ T7708]  do_syscall_64+0x103/0x610
[ 47.358342][ T7708]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 47.364231][ T7708] RIP: 0033:0x4467c9
[ 47.368119][ T7708] Code: e8 0c e8 ff ff 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 5b 07 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 47.387719][ T7708] RSP: 002b:00007fb1a6e04d98 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 47.396133][ T7708] RAX: ffffffffffffffda RBX: 00000000006dbc58 RCX: 00000000004467c9
[ 47.404103][ T7708] RDX: 0000000020000340 RSI: 0000000000008914 RDI: 0000000000000003
[ 47.412074][ T7708] RBP: 00000000006dbc50 R08: 00007fb1a6e05700 R09: 0000000000000000
[ 47.420042][ T7708] R10: 00007fb1a6e05700 R11: 0000000000000246 R12: 00000000006dbc5c
[ 47.428014][ T7708] R13: 6000030030626669 R14: 0000000000000000 R15: 0000000030626669
[ 47.435997][ T7708]
[ 47.438319][ T7708] Allocated by task 7690:
[ 47.442648][ T7708]  save_stack+0x45/0xd0
[ 47.446802][ T7708]  __kasan_kmalloc.constprop.0+0xcf/0xe0
[ 47.452423][ T7708]  kasan_kmalloc+0x9/0x10
[ 47.456746][ T7708]  kmem_cache_alloc_trace+0x151/0x760
[ 47.462111][ T7708]  x25_link_device_up+0x46/0x3f0
[ 47.467038][ T7708]  x25_device_event+0x116/0x2b0
[ 47.471886][ T7708]  notifier_call_chain+0xc7/0x240
[ 47.476907][ T7708]  raw_notifier_call_chain+0x2e/0x40
[ 47.482186][ T7708]  call_netdevice_notifiers_info+0x3f/0x90
[ 47.487989][ T7708]  __dev_notify_flags+0x121/0x2c0
[ 47.493004][ T7708]  dev_change_flags+0x10d/0x170
[ 47.497844][ T7708]  dev_ifsioc+0x5bf/0x990
[ 47.502165][ T7708]  dev_ioctl+0x1b8/0xc90
[ 47.506401][ T7708]  sock_do_ioctl+0x1bd/0x300
[ 47.510978][ T7708]  sock_ioctl+0x32b/0x610
[ 47.515300][ T7708]  do_vfs_ioctl+0xd6e/0x1390
[ 47.519877][ T7708]  ksys_ioctl+0xab/0xd0
[ 47.524024][ T7708]  __x64_sys_ioctl+0x73/0xb0
[ 47.528614][ T7708]  do_syscall_64+0x103/0x610
[ 47.533197][ T7708]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 47.539074][ T7708]
[ 47.541388][ T7708] Freed by task 7696:
[ 47.545371][ T7708]  save_stack+0x45/0xd0
[ 47.549520][ T7708]  __kasan_slab_free+0x102/0x150
[ 47.554452][ T7708]  kasan_slab_free+0xe/0x10
[ 47.558944][ T7708]  kfree+0xcf/0x230
[ 47.562744][ T7708]  __x25_remove_neigh+0x187/0x1f0
[ 47.567759][ T7708]  x25_link_device_down+0xc7/0x130
[ 47.572857][ T7708]  x25_device_event+0x261/0x2b0
[ 47.577703][ T7708]  notifier_call_chain+0xc7/0x240
[ 47.582716][ T7708]  raw_notifier_call_chain+0x2e/0x40
[ 47.587991][ T7708]  call_netdevice_notifiers_info+0x3f/0x90
[ 47.593796][ T7708]  __dev_notify_flags+0x1e9/0x2c0
[ 47.598811][ T7708]  dev_change_flags+0x10d/0x170
[ 47.603657][ T7708]  dev_ifsioc+0x5bf/0x990
[ 47.607981][ T7708]  dev_ioctl+0x1b8/0xc90
[ 47.612214][ T7708]  sock_do_ioctl+0x1bd/0x300
[ 47.616794][ T7708]  sock_ioctl+0x32b/0x610
[ 47.621112][ T7708]  do_vfs_ioctl+0xd6e/0x1390
[ 47.625689][ T7708]  ksys_ioctl+0xab/0xd0
[ 47.629838][ T7708]  __x64_sys_ioctl+0x73/0xb0
[ 47.634424][ T7708]  do_syscall_64+0x103/0x610
[ 47.639008][ T7708]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 47.644884][ T7708]
[ 47.647212][ T7708] The buggy address belongs to the object at ffff8880a0356780
[ 47.647212][ T7708]  which belongs to the cache kmalloc-256 of size 256
[ 47.661266][ T7708] The buggy address is located 16 bytes inside of
[ 47.661266][ T7708]  256-byte region [ffff8880a0356780, ffff8880a0356880)
[ 47.674442][ T7708] The buggy address belongs to the page:
[ 47.680088][ T7708] page:ffffea000280d580 count:1 mapcount:0 mapping:ffff88812c3f07c0 index:0x0
[ 47.688929][ T7708] flags: 0x1fffc0000000200(slab)
[ 47.693865][ T7708] raw: 01fffc0000000200 ffffea00027d6388 ffffea000280da08 ffff88812c3f07c0
[ 47.702443][ T7708] raw: 0000000000000000 ffff8880a0356000 000000010000000c 0000000000000000
[ 47.711006][ T7708] page dumped because: kasan: bad access detected
[ 47.717400][ T7708]
[ 47.719716][ T7708] Memory state around the buggy address:
[ 47.725337][ T7708]  ffff8880a0356680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 47.733397][ T7708]  ffff8880a0356700: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 47.741452][ T7708] >ffff8880a0356780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 47.749502][ T7708]                          ^
[ 47.754089][ T7708]  ffff8880a0356800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 47.762146][ T7708]  ffff8880a0356880: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 47.770195][ T7708] ==================================================================
[ 47.778240][ T7708] Disabling lock debugging due to kernel taint
[ 47.784488][ T7708] Kernel panic - not syncing: panic_on_warn set ...
[ 47.791079][ T7708] CPU: 0 PID: 7708 Comm: syz-executor221 Tainted: G    B             5.0.0+ #15
[ 47.800083][ T7708] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 47.810127][ T7708] Call Trace:
[ 47.813418][ T7708]  dump_stack+0x172/0x1f0
[ 47.817747][ T7708]  panic+0x2cb/0x65c
[ 47.821631][ T7708]  ? __warn_printk+0xf3/0xf3
[ 47.826213][ T7708]  ? retint_kernel+0x2d/0x2d
[ 47.830799][ T7708]  ? trace_hardirqs_on+0x5e/0x230
[ 47.835821][ T7708]  ? x25_device_event+0x296/0x2b0
[ 47.840841][ T7708]  end_report+0x47/0x4f
[ 47.844995][ T7708]  ? x25_device_event+0x296/0x2b0
[ 47.850017][ T7708]  kasan_report.cold+0xe/0x40
[ 47.854698][ T7708]  ? x25_device_event+0x296/0x2b0
[ 47.859723][ T7708]  __asan_report_load8_noabort+0x14/0x20
[ 47.865350][ T7708]  x25_device_event+0x296/0x2b0
[ 47.870202][ T7708]  notifier_call_chain+0xc7/0x240
[ 47.875226][ T7708]  raw_notifier_call_chain+0x2e/0x40
[ 47.880505][ T7708]  call_netdevice_notifiers_info+0x3f/0x90
[ 47.886303][ T7708]  __dev_notify_flags+0x1e9/0x2c0
[ 47.891317][ T7708]  ? dev_change_name+0xa00/0xa00
[ 47.896245][ T7708]  ? __dev_change_flags+0x513/0x6e0
[ 47.901436][ T7708]  ? dev_set_allmulti+0x30/0x30
[ 47.906279][ T7708]  ? mutex_trylock+0x1e0/0x1e0
[ 47.911040][ T7708]  ? find_held_lock+0x35/0x130
[ 47.915806][ T7708]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 47.922042][ T7708]  dev_change_flags+0x10d/0x170
[ 47.926897][ T7708]  dev_ifsioc+0x5bf/0x990
[ 47.931220][ T7708]  ? register_gifconf+0x70/0x70
[ 47.936071][ T7708]  dev_ioctl+0x1b8/0xc90
[ 47.940307][ T7708]  sock_do_ioctl+0x1bd/0x300
[ 47.944891][ T7708]  ? compat_ifr_data_ioctl+0x160/0x160
[ 47.950358][ T7708]  ? tomoyo_domain+0xc5/0x160
[ 47.955040][ T7708]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 47.961279][ T7708]  ? tomoyo_path_number_perm+0x263/0x520
[ 47.966904][ T7708]  sock_ioctl+0x32b/0x610
[ 47.971238][ T7708]  ? dlci_ioctl_set+0x40/0x40
[ 47.975910][ T7708]  ? __fget+0x35a/0x550
[ 47.980063][ T7708]  ? dlci_ioctl_set+0x40/0x40
[ 47.984733][ T7708]  do_vfs_ioctl+0xd6e/0x1390
[ 47.989317][ T7708]  ? ioctl_preallocate+0x210/0x210
[ 47.994416][ T7708]  ? __fget+0x381/0x550
[ 47.998561][ T7708]  ? ksys_dup3+0x3e0/0x3e0
[ 48.002973][ T7708]  ? tomoyo_file_ioctl+0x23/0x30
[ 48.007901][ T7708]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 48.014135][ T7708]  ? security_file_ioctl+0x93/0xc0
[ 48.019241][ T7708]  ksys_ioctl+0xab/0xd0
[ 48.023390][ T7708]  __x64_sys_ioctl+0x73/0xb0
[ 48.027971][ T7708]  do_syscall_64+0x103/0x610
[ 48.032552][ T7708]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 48.038436][ T7708] RIP: 0033:0x4467c9
[ 48.042321][ T7708] Code: e8 0c e8 ff ff 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 5b 07 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 48.061922][ T7708] RSP: 002b:00007fb1a6e04d98 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 48.070330][ T7708] RAX: ffffffffffffffda RBX: 00000000006dbc58 RCX: 00000000004467c9
[ 48.078293][ T7708] RDX: 0000000020000340 RSI: 0000000000008914 RDI: 0000000000000003
[ 48.086256][ T7708] RBP: 00000000006dbc50 R08: 00007fb1a6e05700 R09: 0000000000000000
[ 48.094213][ T7708] R10: 00007fb1a6e05700 R11: 0000000000000246 R12: 00000000006dbc5c
[ 48.102170][ T7708] R13: 6000030030626669 R14: 0000000000000000 R15: 0000000030626669
[ 48.110917][ T7708] Kernel Offset: disabled
[ 48.115236][ T7708] Rebooting in 86400 seconds..