[....] Starting periodic command scheduler: cron [ ok .
[   63.685695][ T9770] sshd (9770) used greatest stack depth: 23480 bytes left
[....] Starting OpenBSD Secure Shell server: sshd [ ok .
[   63.887630][   T26] kauditd_printk_skb: 7 callbacks suppressed
[   63.887640][   T26] audit: type=1800 audit(1567603547.711:29): pid=9703 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="rc.local" dev="sda1" ino=2432 res=0
[   63.913960][   T26] audit: type=1800 audit(1567603547.711:30): pid=9703 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="rmnologin" dev="sda1" ino=2423 res=0

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.114' (ECDSA) to the list of known hosts.
2019/09/04 13:40:20 parsed 1 programs
2019/09/04 13:40:21 executed programs: 0
syzkaller login: [  938.073956][ T9870] IPVS: ftp: loaded support on port[0] = 21
[  938.119871][ T9870] chnl_net:caif_netlink_parms(): no params data found
[  938.142944][ T9870] bridge0: port 1(bridge_slave_0) entered blocking state
[  938.150641][ T9870] bridge0: port 1(bridge_slave_0) entered disabled state
[  938.158467][ T9870] device bridge_slave_0 entered promiscuous mode
[  938.166038][ T9870] bridge0: port 2(bridge_slave_1) entered blocking state
[  938.173235][ T9870] bridge0: port 2(bridge_slave_1) entered disabled state
[  938.180714][ T9870] device bridge_slave_1 entered promiscuous mode
[  938.195189][ T9870] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[  938.205655][ T9870] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[  938.220891][ T9870] team0: Port device team_slave_0 added
[  938.227783][ T9870] team0: Port device team_slave_1 added
[  938.282766][ T9870] device hsr_slave_0 entered promiscuous mode
[  938.331412][ T9870] device hsr_slave_1 entered promiscuous mode
[  938.386199][ T9870] bridge0: port 2(bridge_slave_1) entered blocking state
[  938.393424][ T9870] bridge0: port 2(bridge_slave_1) entered forwarding state
[  938.400681][ T9870] bridge0: port 1(bridge_slave_0) entered blocking state
[  938.407837][ T9870] bridge0: port 1(bridge_slave_0) entered forwarding state
[  938.432638][ T9870] 8021q: adding VLAN 0 to HW filter on device bond0
[  938.442634][ T9873] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[  938.460831][ T9873] bridge0: port 1(bridge_slave_0) entered disabled state
[  938.468829][ T9873] bridge0: port 2(bridge_slave_1) entered disabled state
[  938.476984][ T9873] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[  938.487590][ T9870] 8021q: adding VLAN 0 to HW filter on device team0
[  938.496500][ T3516] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[  938.505005][ T3516] bridge0: port 1(bridge_slave_0) entered blocking state
[  938.512122][ T3516] bridge0: port 1(bridge_slave_0) entered forwarding state
[  938.522095][ T9873] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[  938.530405][ T9873] bridge0: port 2(bridge_slave_1) entered blocking state
[  938.537929][ T9873] bridge0: port 2(bridge_slave_1) entered forwarding state
[  938.551757][ T3516] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[  938.560401][ T3516] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[  938.570069][ T9873] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[  938.580558][ T3516] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[  938.590735][ T9873] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[  938.600389][ T9870] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[  938.615387][ T9870] 8021q: adding VLAN 0 to HW filter on device batadv0
2019/09/04 13:40:26 executed programs: 262
2019/09/04 13:40:31 executed programs: 565
2019/09/04 13:40:36 executed programs: 870
2019/09/04 13:40:41 executed programs: 1173
[  960.061067][ T9873] ==================================================================
[  960.069282][ T9873] BUG: KASAN: use-after-free in rxrpc_send_keepalive+0x8a2/0x940
[  960.077001][ T9873] Read of size 8 at addr ffff8880a15afb18 by task kworker/0:1/9873
[  960.084878][ T9873] 
[  960.087193][ T9873] CPU: 0 PID: 9873 Comm: kworker/0:1 Not tainted 5.3.0-rc7+ #0
[  960.094708][ T9873] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[  960.104757][ T9873] Workqueue: krxrpcd rxrpc_peer_keepalive_worker
[  960.111058][ T9873] Call Trace:
[  960.114377][ T9873]  dump_stack+0x172/0x1f0
[  960.118686][ T9873]  ? rxrpc_send_keepalive+0x8a2/0x940
[  960.124040][ T9873]  print_address_description.cold+0xd4/0x306
[  960.130052][ T9873]  ? rxrpc_send_keepalive+0x8a2/0x940
[  960.135414][ T9873]  ? rxrpc_send_keepalive+0x8a2/0x940
[  960.140773][ T9873]  __kasan_report.cold+0x1b/0x36
[  960.145712][ T9873]  ? rxrpc_send_keepalive+0x8a2/0x940
[  960.151062][ T9873]  kasan_report+0x12/0x17
[  960.155383][ T9873]  __asan_report_load8_noabort+0x14/0x20
[  960.160993][ T9873]  rxrpc_send_keepalive+0x8a2/0x940
[  960.166196][ T9873]  ? rxrpc_reject_packets+0xab0/0xab0
[  960.171544][ T9873]  ? cpuacct_charge+0x1db/0x360
[  960.176383][ T9873]  ? __kasan_check_read+0x11/0x20
[  960.181393][ T9873]  ? rxrpc_peer_keepalive_worker+0x62e/0xd02
[  960.187360][ T9873]  ? lock_downgrade+0x920/0x920
[  960.192197][ T9873]  ? rxrpc_get_peer_maybe+0x2b0/0x4c0
[  960.197545][ T9873]  ? rxrpc_peer_keepalive_worker+0x62e/0xd02
[  960.203585][ T9873]  ? trace_hardirqs_on+0x67/0x240
[  960.208591][ T9873]  ? rxrpc_peer_keepalive_worker+0x62e/0xd02
[  960.214550][ T9873]  ? __local_bh_enable_ip+0x15a/0x270
[  960.219900][ T9873]  rxrpc_peer_keepalive_worker+0x7be/0xd02
[  960.225702][ T9873]  ? mark_held_locks+0xf0/0xf0
[  960.230445][ T9873]  ? rxrpc_peer_add_rtt+0x650/0x650
[  960.235711][ T9873]  ? trace_hardirqs_on+0x67/0x240
[  960.240712][ T9873]  process_one_work+0x9af/0x1740
[  960.245626][ T9873]  ? pwq_dec_nr_in_flight+0x320/0x320
[  960.250972][ T9873]  ? lock_acquire+0x190/0x410
[  960.255627][ T9873]  worker_thread+0x98/0xe40
[  960.260107][ T9873]  ? trace_hardirqs_on+0x67/0x240
[  960.265110][ T9873]  kthread+0x361/0x430
[  960.269156][ T9873]  ? process_one_work+0x1740/0x1740
[  960.274327][ T9873]  ? kthread_cancel_delayed_work_sync+0x20/0x20
[  960.280578][ T9873]  ret_from_fork+0x24/0x30
[  960.284983][ T9873] 
[  960.287299][ T9873] Allocated by task 13773:
[  960.291692][ T9873]  save_stack+0x23/0x90
[  960.295822][ T9873]  __kasan_kmalloc.constprop.0+0xcf/0xe0
[  960.301435][ T9873]  kasan_kmalloc+0x9/0x10
[  960.305749][ T9873]  kmem_cache_alloc_trace+0x158/0x790
[  960.311098][ T9873]  rxrpc_alloc_connection+0x86/0x5f0
[  960.316355][ T9873]  rxrpc_connect_call+0x648/0x4c00
[  960.321449][ T9873]  rxrpc_new_client_call+0x978/0x19d0
[  960.326813][ T9873]  rxrpc_do_sendmsg+0xff5/0x1d53
[  960.331727][ T9873]  rxrpc_sendmsg+0x4d6/0x5f0
[  960.336345][ T9873]  sock_sendmsg+0xd7/0x130
[  960.340737][ T9873]  ___sys_sendmsg+0x3e2/0x920
[  960.345407][ T9873]  __sys_sendmmsg+0x1bf/0x4d0
[  960.350059][ T9873]  __x64_sys_sendmmsg+0x9d/0x100
[  960.354971][ T9873]  do_syscall_64+0xfd/0x6a0
[  960.359463][ T9873]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[  960.365333][ T9873] 
[  960.367638][ T9873] Freed by task 16:
[  960.371434][ T9873]  save_stack+0x23/0x90
[  960.375565][ T9873]  __kasan_slab_free+0x102/0x150
[  960.380486][ T9873]  kasan_slab_free+0xe/0x10
[  960.384962][ T9873]  kfree+0x10a/0x2c0
[  960.388834][ T9873]  rxrpc_destroy_connection+0x1f2/0x2d0
[  960.394355][ T9873]  rcu_core+0x67f/0x1580
[  960.399006][ T9873]  rcu_core_si+0x9/0x10
[  960.403147][ T9873]  __do_softirq+0x262/0x98c
[  960.407621][ T9873] 
[  960.410015][ T9873] The buggy address belongs to the object at ffff8880a15afb00
[  960.410015][ T9873]  which belongs to the cache kmalloc-1k of size 1024
[  960.424041][ T9873] The buggy address is located 24 bytes inside of
[  960.424041][ T9873]  1024-byte region [ffff8880a15afb00, ffff8880a15aff00)
[  960.437291][ T9873] The buggy address belongs to the page:
[  960.442909][ T9873] page:ffffea0002856b80 refcount:1 mapcount:0 mapping:ffff8880aa400c40 index:0xffff8880a15af680 compound_mapcount: 0
[  960.455117][ T9873] flags: 0x1fffc0000010200(slab|head)
[  960.460472][ T9873] raw: 01fffc0000010200 ffffea00025f9608 ffffea0002694408 ffff8880aa400c40
[  960.469041][ T9873] raw: ffff8880a15af680 ffff8880a15ae000 0000000100000006 0000000000000000
[  960.477598][ T9873] page dumped because: kasan: bad access detected
[  960.483993][ T9873] 
[  960.486296][ T9873] Memory state around the buggy address:
[  960.491901][ T9873]  ffff8880a15afa00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  960.499937][ T9873]  ffff8880a15afa80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[  960.507994][ T9873] >ffff8880a15afb00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  960.516029][ T9873]                             ^
[  960.520859][ T9873]  ffff8880a15afb80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  960.528902][ T9873]  ffff8880a15afc00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  960.536939][ T9873] ==================================================================
[  960.545386][ T9873] Kernel panic - not syncing: panic_on_warn set ...
[  960.551983][ T9873] CPU: 0 PID: 9873 Comm: kworker/0:1 Tainted: G    B             5.3.0-rc7+ #0
[  960.560896][ T9873] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[  960.571045][ T9873] Workqueue: krxrpcd rxrpc_peer_keepalive_worker
[  960.577345][ T9873] Call Trace:
[  960.580613][ T9873]  dump_stack+0x172/0x1f0
[  960.584923][ T9873]  panic+0x2dc/0x755
[  960.588847][ T9873]  ? add_taint.cold+0x16/0x16
[  960.593501][ T9873]  ? rxrpc_send_keepalive+0x8a2/0x940
[  960.598941][ T9873]  ? preempt_schedule+0x4b/0x60
[  960.603952][ T9873]  ? ___preempt_schedule+0x16/0x20
[  960.609037][ T9873]  ? trace_hardirqs_on+0x5e/0x240
[  960.614040][ T9873]  ? rxrpc_send_keepalive+0x8a2/0x940
[  960.619386][ T9873]  end_report+0x47/0x4f
[  960.623518][ T9873]  ? rxrpc_send_keepalive+0x8a2/0x940
[  960.629526][ T9873]  __kasan_report.cold+0xe/0x36
[  960.634351][ T9873]  ? rxrpc_send_keepalive+0x8a2/0x940
[  960.639744][ T9873]  kasan_report+0x12/0x17
[  960.644053][ T9873]  __asan_report_load8_noabort+0x14/0x20
[  960.649672][ T9873]  rxrpc_send_keepalive+0x8a2/0x940
[  960.654856][ T9873]  ? rxrpc_reject_packets+0xab0/0xab0
[  960.660290][ T9873]  ? cpuacct_charge+0x1db/0x360
[  960.665115][ T9873]  ? __kasan_check_read+0x11/0x20
[  960.670116][ T9873]  ? rxrpc_peer_keepalive_worker+0x62e/0xd02
[  960.676074][ T9873]  ? lock_downgrade+0x920/0x920
[  960.680900][ T9873]  ? rxrpc_get_peer_maybe+0x2b0/0x4c0
[  960.686249][ T9873]  ? rxrpc_peer_keepalive_worker+0x62e/0xd02
[  960.692205][ T9873]  ? trace_hardirqs_on+0x67/0x240
[  960.697206][ T9873]  ? rxrpc_peer_keepalive_worker+0x62e/0xd02
[  960.703169][ T9873]  ? __local_bh_enable_ip+0x15a/0x270
[  960.708517][ T9873]  rxrpc_peer_keepalive_worker+0x7be/0xd02
[  960.714296][ T9873]  ? mark_held_locks+0xf0/0xf0
[  960.719037][ T9873]  ? rxrpc_peer_add_rtt+0x650/0x650
[  960.724213][ T9873]  ? trace_hardirqs_on+0x67/0x240
[  960.730530][ T9873]  process_one_work+0x9af/0x1740
[  960.735447][ T9873]  ? pwq_dec_nr_in_flight+0x320/0x320
[  960.740791][ T9873]  ? lock_acquire+0x190/0x410
[  960.745456][ T9873]  worker_thread+0x98/0xe40
[  960.749948][ T9873]  ? trace_hardirqs_on+0x67/0x240
[  960.754952][ T9873]  kthread+0x361/0x430
[  960.758998][ T9873]  ? process_one_work+0x1740/0x1740
[  960.764171][ T9873]  ? kthread_cancel_delayed_work_sync+0x20/0x20
[  960.770390][ T9873]  ret_from_fork+0x24/0x30
[  960.775647][ T9873] Kernel Offset: disabled
[  960.779970][ T9873] Rebooting in 86400 seconds..