[ ok ] Starting enhanced syslogd: rsyslogd. [ ok ] Starting periodic command scheduler: cron. [ ok ] Starting OpenBSD Secure Shell server: sshd. [ 27.122429] kauditd_printk_skb: 7 callbacks suppressed [ 27.122441] audit: type=1800 audit(1540180954.607:29): pid=5422 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="rc.local" dev="sda1" ino=2432 res=0 [ 27.149606] audit: type=1800 audit(1540180954.607:30): pid=5422 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="rmnologin" dev="sda1" ino=2423 res=0 Debian GNU/Linux 7 syzkaller ttyS0 Warning: Permanently added '10.128.0.33' (ECDSA) to the list of known hosts. 2018/10/22 04:14:57 parsed 1 programs 2018/10/22 04:14:58 executed programs: 0 syzkaller login: [ 771.226246] IPVS: ftp: loaded support on port[0] = 21 [ 771.478730] bridge0: port 1(bridge_slave_0) entered blocking state [ 771.485448] bridge0: port 1(bridge_slave_0) entered disabled state [ 771.492911] device bridge_slave_0 entered promiscuous mode [ 771.511192] bridge0: port 2(bridge_slave_1) entered blocking state [ 771.517586] bridge0: port 2(bridge_slave_1) entered disabled state [ 771.524537] device bridge_slave_1 entered promiscuous mode [ 771.542211] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready [ 771.561707] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready [ 771.608752] bond0: Enslaving bond_slave_0 as an active interface with an up link [ 771.628818] bond0: Enslaving bond_slave_1 as an active interface with an up link [ 771.703431] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready [ 771.710866] team0: Port device team_slave_0 added [ 771.727020] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready [ 771.734202] team0: Port device team_slave_1 added [ 771.751156] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: 
link becomes ready [ 771.773083] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready [ 771.791824] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready [ 771.814115] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready [ 771.965644] bridge0: port 2(bridge_slave_1) entered blocking state [ 771.972179] bridge0: port 2(bridge_slave_1) entered forwarding state [ 771.979139] bridge0: port 1(bridge_slave_0) entered blocking state [ 771.985484] bridge0: port 1(bridge_slave_0) entered forwarding state [ 772.500270] 8021q: adding VLAN 0 to HW filter on device bond0 [ 772.552780] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready [ 772.606471] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready [ 772.613477] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready [ 772.620888] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 772.667112] 8021q: adding VLAN 0 to HW filter on device team0 2018/10/22 04:15:03 executed programs: 225 [ 778.032283] ------------[ cut here ]------------ [ 778.037291] refcount_t: increment on 0; use-after-free. [ 778.043121] WARNING: CPU: 0 PID: 7088 at lib/refcount.c:153 refcount_inc_checked+0x5d/0x70 [ 778.051517] Kernel panic - not syncing: panic_on_warn set ... [ 778.057390] CPU: 0 PID: 7088 Comm: syz-executor0 Not tainted 4.19.0-rc8-next-20181019+ #98 [ 778.065776] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 778.075141] Call Trace: [ 778.077755] dump_stack+0x244/0x39d [ 778.081395] ? dump_stack_print_info.cold.1+0x20/0x20 [ 778.086692] panic+0x2ad/0x55c [ 778.089880] ? add_taint.cold.5+0x16/0x16 [ 778.094019] ? __warn.cold.8+0x5/0x45 [ 778.097815] ? __warn+0xe8/0x1d0 [ 778.101206] ? refcount_inc_checked+0x5d/0x70 [ 778.105690] __warn.cold.8+0x20/0x45 [ 778.109438] ? rcu_softirq_qs+0x20/0x20 [ 778.113400] ? 
refcount_inc_checked+0x5d/0x70 [ 778.117897] report_bug+0x254/0x2d0 [ 778.121577] do_error_trap+0x11b/0x200 [ 778.125475] do_invalid_op+0x36/0x40 [ 778.129178] ? refcount_inc_checked+0x5d/0x70 [ 778.133743] invalid_op+0x14/0x20 [ 778.137203] RIP: 0010:refcount_inc_checked+0x5d/0x70 [ 778.142417] Code: 1d 9a 08 5d 06 31 ff 89 de e8 0f c9 ec fd 84 db 75 df e8 36 c8 ec fd 48 c7 c7 40 cb 40 88 c6 05 7a 08 5d 06 01 e8 53 70 b6 fd <0f> 0b eb c3 0f 1f 44 00 00 66 2e 0f 1f 84 00 00 00 00 00 55 48 89 [ 778.161304] RSP: 0018:ffff8801bd2e6ce0 EFLAGS: 00010286 [ 778.166653] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000 [ 778.173908] RDX: 0000000000000000 RSI: ffffffff816585a5 RDI: 0000000000000005 [ 778.181162] RBP: ffff8801bd2e6ce8 R08: ffff8801d95a8380 R09: 0000000000000002 [ 778.188427] R10: 0000000000000000 R11: ffff8801d95a8380 R12: 0000000000000000 [ 778.195715] R13: 0000000000000008 R14: ffff8801cd476a00 R15: dffffc0000000000 [ 778.202982] ? vprintk_func+0x85/0x181 [ 778.206909] igmp_start_timer+0xaf/0xe0 [ 778.210885] igmp_rcv+0x190e/0x3020 [ 778.214508] ? ip_mc_leave_group+0x4b0/0x4b0 [ 778.218927] ? raw_rcv_skb+0x43/0x70 [ 778.222677] ? kasan_check_write+0x14/0x20 [ 778.226942] ? do_raw_read_unlock+0x3f/0x70 [ 778.231256] ? _raw_read_unlock+0x2c/0x50 [ 778.235392] ? raw_local_deliver+0x2ca/0xc3a [ 778.239828] ? zap_class+0x640/0x640 [ 778.243574] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 778.249119] ? check_preemption_disabled+0x48/0x280 [ 778.254145] ? __lock_is_held+0xb5/0x140 [ 778.258249] ip_local_deliver_finish+0x2e9/0xda0 [ 778.262997] ? ip_sublist_rcv_finish+0x3a0/0x3a0 [ 778.267751] ? __sanitizer_cov_trace_cmp4+0x16/0x20 [ 778.272790] ? nf_hook_slow+0x11e/0x1c0 [ 778.276779] ip_local_deliver+0x1e4/0x740 [ 778.280935] ? ip_call_ra_chain+0x730/0x730 [ 778.285393] ? ip_sublist_rcv_finish+0x3a0/0x3a0 [ 778.290158] ? rcu_read_unlock_special+0x1c0/0x1c0 [ 778.295076] ? kasan_check_read+0x11/0x20 [ 778.299225] ? 
__sanitizer_cov_trace_cmp4+0x16/0x20 [ 778.304243] ? rcu_softirq_qs+0x20/0x20 [ 778.308207] ip_rcv_finish+0x1f9/0x300 [ 778.312082] ip_rcv+0xe8/0x600 [ 778.315265] ? ip_local_deliver+0x740/0x740 [ 778.319651] ? pvclock_read_flags+0x160/0x160 [ 778.324157] ? ip_rcv_finish_core.isra.16+0x1f40/0x1f40 [ 778.329512] ? lock_acquire+0x1ed/0x520 [ 778.333619] __netif_receive_skb_one_core+0x14d/0x200 [ 778.338813] ? __netif_receive_skb_core+0x3b20/0x3b20 [ 778.343991] ? rcu_dynticks_curr_cpu_in_eqs+0xa2/0x170 [ 778.349284] ? rcu_softirq_qs+0x20/0x20 [ 778.353267] __netif_receive_skb+0x27/0x1e0 [ 778.357588] netif_receive_skb_internal+0x11d/0x7f0 [ 778.362609] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 778.368141] ? dev_cpu_dead+0xac0/0xac0 [ 778.372119] ? __sanitizer_cov_trace_const_cmp2+0x18/0x20 [ 778.377682] ? eth_type_trans+0x2ea/0x760 [ 778.381825] ? eth_gro_receive+0x920/0x920 [ 778.386074] napi_gro_frags+0x74a/0xc80 [ 778.390051] ? napi_gro_receive+0x5f0/0x5f0 [ 778.394360] ? eth_get_headlen+0x173/0x1f0 [ 778.398653] ? eth_type_trans+0x760/0x760 [ 778.402835] ? tun_get_user+0x3160/0x4250 [ 778.406975] tun_get_user+0x3189/0x4250 [ 778.411009] ? aa_file_perm+0x469/0x1060 [ 778.415099] ? tun_net_xmit+0x1c80/0x1c80 [ 778.419239] ? zap_class+0x640/0x640 [ 778.422946] ? aa_file_perm+0x490/0x1060 [ 778.426995] ? find_held_lock+0x36/0x1c0 [ 778.431045] ? tun_get+0x206/0x370 [ 778.434617] ? lock_downgrade+0x900/0x900 [ 778.438756] ? check_preemption_disabled+0x48/0x280 [ 778.443764] ? rcu_read_unlock_special+0x1c0/0x1c0 [ 778.448685] ? kasan_check_read+0x11/0x20 [ 778.452841] ? rcu_dynticks_curr_cpu_in_eqs+0xa2/0x170 [ 778.458109] ? rcu_softirq_qs+0x20/0x20 [ 778.462077] ? tun_get+0x22d/0x370 [ 778.465619] ? tun_chr_close+0x180/0x180 [ 778.469668] ? debug_lockdep_rcu_enabled+0x77/0x90 [ 778.474648] ? common_file_perm+0x236/0x7f0 [ 778.479006] tun_chr_write_iter+0xb9/0x160 [ 778.483275] do_iter_readv_writev+0x8b0/0xa80 [ 778.487767] ? 
vfs_dedupe_file_range+0x670/0x670 [ 778.492511] ? apparmor_file_permission+0x24/0x30 [ 778.497344] ? rw_verify_area+0x118/0x360 [ 778.501489] do_iter_write+0x185/0x5f0 [ 778.505366] ? dup_iter+0x270/0x270 [ 778.508997] vfs_writev+0x1f1/0x360 [ 778.512625] ? vfs_iter_write+0xb0/0xb0 [ 778.516621] ? lock_release+0xa10/0xa10 [ 778.520662] ? perf_trace_sched_process_exec+0x860/0x860 [ 778.526156] ? posix_ktime_get_ts+0x15/0x20 [ 778.530518] ? trace_hardirqs_off_caller+0x300/0x300 [ 778.535891] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 778.541429] ? __fdget_pos+0xde/0x200 [ 778.545218] ? __fdget_raw+0x20/0x20 [ 778.548925] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 778.554450] ? put_timespec64+0x10f/0x1b0 [ 778.558613] do_writev+0x11a/0x310 [ 778.562167] ? vfs_writev+0x360/0x360 [ 778.565964] ? trace_hardirqs_off_caller+0x300/0x300 [ 778.571091] __x64_sys_writev+0x75/0xb0 [ 778.575129] do_syscall_64+0x1b9/0x820 [ 778.579018] ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe [ 778.584389] ? syscall_return_slowpath+0x5e0/0x5e0 [ 778.589307] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 778.594138] ? trace_hardirqs_on_caller+0x310/0x310 [ 778.599156] ? prepare_exit_to_usermode+0x3b0/0x3b0 [ 778.604194] ? prepare_exit_to_usermode+0x291/0x3b0 [ 778.609202] ? 
trace_hardirqs_off_thunk+0x1a/0x1c [ 778.614036] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 778.619209] RIP: 0033:0x457421 [ 778.622397] Code: 75 14 b8 14 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 34 b5 fb ff c3 48 83 ec 08 e8 1a 2d 00 00 48 89 04 24 b8 14 00 00 00 0f 05 <48> 8b 3c 24 48 89 c2 e8 63 2d 00 00 48 89 d0 48 83 c4 08 48 3d 01 [ 778.641300] RSP: 002b:00007fc77d512ba0 EFLAGS: 00000293 ORIG_RAX: 0000000000000014 [ 778.649007] RAX: ffffffffffffffda RBX: 000000000000002a RCX: 0000000000457421 [ 778.656278] RDX: 0000000000000001 RSI: 00007fc77d512bf0 RDI: 00000000000000f0 [ 778.663533] RBP: 0000000020000240 R08: 00000000000000f0 R09: 0000000000000000 [ 778.670795] R10: 0000000000000000 R11: 0000000000000293 R12: 00007fc77d5136d4 [ 778.678049] R13: 00000000004c4890 R14: 00000000004d7b90 R15: 00000000ffffffff [ 778.686379] Kernel Offset: disabled [ 778.690070] Rebooting in 86400 seconds..