[ 40.521124][ T26] audit: type=1800 audit(1573568600.820:26): pid=7704 uid=0 auid=4294967295 ses=4294967295 subj=_ op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0
[ 40.555500][ T26] audit: type=1800 audit(1573568600.820:27): pid=7704 uid=0 auid=4294967295 ses=4294967295 subj=_ op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0
[ 40.576626][ T26] audit: type=1800 audit(1573568600.820:28): pid=7704 uid=0 auid=4294967295 ses=4294967295 subj=_ op=collect_data cause=failed(directio) comm="startpar" name="ssh" dev="sda1" ino=2417 res=0
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ 41.313002][ T26] audit: type=1800 audit(1573568601.660:29): pid=7704 uid=0 auid=4294967295 ses=4294967295 subj=_ op=collect_data cause=failed(directio) comm="startpar" name="rc.local" dev="sda1" ino=2432 res=0
Debian GNU/Linux 7 syzkaller ttyS0
Warning: Permanently added '10.128.0.122' (ECDSA) to the list of known hosts.
syzkaller login: [ 1067.092645][ T7858] IPVS: ftp: loaded support on port[0] = 21
[ 1067.146330][ T7858] chnl_net:caif_netlink_parms(): no params data found
[ 1067.169176][ T7858] bridge0: port 1(bridge_slave_0) entered blocking state
[ 1067.178002][ T7858] bridge0: port 1(bridge_slave_0) entered disabled state
[ 1067.185914][ T7858] device bridge_slave_0 entered promiscuous mode
[ 1067.193892][ T7858] bridge0: port 2(bridge_slave_1) entered blocking state
[ 1067.201574][ T7858] bridge0: port 2(bridge_slave_1) entered disabled state
[ 1067.209147][ T7858] device bridge_slave_1 entered promiscuous mode
[ 1067.225303][ T7858] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 1067.236517][ T7858] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 1067.254397][ T7858] team0: Port device team_slave_0 added
[ 1067.261361][ T7858] team0: Port device team_slave_1 added
[ 1067.333359][ T7858] device hsr_slave_0 entered promiscuous mode
[ 1067.401277][ T7858] device hsr_slave_1 entered promiscuous mode
[ 1067.552477][ T7858] bridge0: port 2(bridge_slave_1) entered blocking state
[ 1067.559689][ T7858] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 1067.567601][ T7858] bridge0: port 1(bridge_slave_0) entered blocking state
[ 1067.574753][ T7858] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 1067.745565][ T7858] 8021q: adding VLAN 0 to HW filter on device bond0
[ 1067.782135][ T12] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 1067.821527][ T12] bridge0: port 1(bridge_slave_0) entered disabled state
[ 1067.851073][ T12] bridge0: port 2(bridge_slave_1) entered disabled state
[ 1067.875021][ T12] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 1067.896381][ T7858] 8021q: adding VLAN 0 to HW filter on device team0
[ 1067.923910][ T12] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 1067.943124][ T12] bridge0: port 1(bridge_slave_0) entered blocking state
[ 1067.950323][ T12] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 1067.993457][ T12] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 1068.004907][ T12] bridge0: port 2(bridge_slave_1) entered blocking state
[ 1068.012230][ T12] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 1068.024493][ T12] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 1068.043484][ T12] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 1068.051517][ T12] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 1068.060408][ T12] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 1068.069351][ T12] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 1068.078888][ T7858] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
executing program
[ 1068.094888][ T22] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 1068.103257][ T22] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 1068.114754][ T7858] 8021q: adding VLAN 0 to HW filter on device batadv0
executing program
[ 1069.403143][ C0] vcan0: j1939_tp_rxtimer: 0x00000000dbea1061: rx timeout, send abort
[ 1069.411892][ C0] vcan0: j1939_xtp_rx_abort_one: 0x00000000dbea1061: 0x00000: (3) A timeout occurred and this is the connection abort to close the session.
executing program
[ 1070.685235][ C1] vcan0: j1939_tp_rxtimer: 0x00000000748b55e9: rx timeout, send abort
[ 1070.694140][ C1] vcan0: j1939_xtp_rx_abort_one: 0x00000000748b55e9: 0x00000: (3) A timeout occurred and this is the connection abort to close the session.
executing program
[ 1071.965760][ C0] vcan0: j1939_tp_rxtimer: 0x000000005170e792: rx timeout, send abort
[ 1071.974176][ C0] vcan0: j1939_xtp_rx_abort_one: 0x000000005170e792: 0x00000: (3) A timeout occurred and this is the connection abort to close the session.
executing program
[ 1073.245998][ C1] vcan0: j1939_tp_rxtimer: 0x00000000df726704: rx timeout, send abort
[ 1073.254353][ C1] vcan0: j1939_xtp_rx_abort_one: 0x00000000df726704: 0x00000: (3) A timeout occurred and this is the connection abort to close the session.
executing program
[ 1074.525569][ C1] vcan0: j1939_tp_rxtimer: 0x00000000591d5ddc: rx timeout, send abort
[ 1074.534258][ C1] vcan0: j1939_xtp_rx_abort_one: 0x00000000591d5ddc: 0x00000: (3) A timeout occurred and this is the connection abort to close the session.
executing program
[ 1075.806026][ C0] vcan0: j1939_tp_rxtimer: 0x000000009a2b3bde: rx timeout, send abort
[ 1075.814493][ C0] vcan0: j1939_xtp_rx_abort_one: 0x000000009a2b3bde: 0x00000: (3) A timeout occurred and this is the connection abort to close the session.
executing program
[ 1077.084706][ C1] vcan0: j1939_tp_rxtimer: 0x00000000d5d08c33: rx timeout, send abort
[ 1077.093178][ C1] vcan0: j1939_xtp_rx_abort_one: 0x00000000d5d08c33: 0x00000: (3) A timeout occurred and this is the connection abort to close the session.
executing program
[ 1078.365167][ C0] vcan0: j1939_tp_rxtimer: 0x00000000c2d037c0: rx timeout, send abort
[ 1078.373660][ C0] vcan0: j1939_xtp_rx_abort_one: 0x00000000c2d037c0: 0x00000: (3) A timeout occurred and this is the connection abort to close the session.
executing program
[ 1079.644477][ C1] vcan0: j1939_tp_rxtimer: 0x0000000071cc7c66: rx timeout, send abort
[ 1079.653189][ C1] vcan0: j1939_xtp_rx_abort_one: 0x0000000071cc7c66: 0x00000: (3) A timeout occurred and this is the connection abort to close the session.
executing program
[ 1080.925080][ C0] vcan0: j1939_tp_rxtimer: 0x000000009f8ecf50: rx timeout, send abort
[ 1080.933458][ C0] vcan0: j1939_xtp_rx_abort_one: 0x000000009f8ecf50: 0x00000: (3) A timeout occurred and this is the connection abort to close the session.
executing program
[ 1082.204163][ C1] vcan0: j1939_tp_rxtimer: 0x000000004c0aef69: rx timeout, send abort
[ 1082.212484][ C1] vcan0: j1939_xtp_rx_abort_one: 0x000000004c0aef69: 0x00000: (3) A timeout occurred and this is the connection abort to close the session.
executing program
[ 1083.484325][ C0] vcan0: j1939_tp_rxtimer: 0x000000005575dc49: rx timeout, send abort
[ 1083.492930][ C0] vcan0: j1939_xtp_rx_abort_one: 0x000000005575dc49: 0x00000: (3) A timeout occurred and this is the connection abort to close the session.
executing program
[ 1084.764761][ C1] vcan0: j1939_tp_rxtimer: 0x000000000377fab2: rx timeout, send abort
[ 1084.773253][ C1] vcan0: j1939_xtp_rx_abort_one: 0x000000000377fab2: 0x00000: (3) A timeout occurred and this is the connection abort to close the session.
[ 1084.788113][ C1] ==================================================================
[ 1084.796817][ C1] BUG: KASAN: use-after-free in __lock_acquire+0x96/0x1be0
[ 1084.803998][ C1] Read of size 8 at addr ffff888096d4d080 by task ksoftirqd/1/16
[ 1084.811700][ C1]
[ 1084.814011][ C1] CPU: 1 PID: 16 Comm: ksoftirqd/1 Not tainted 5.4.0-rc7+ #0
[ 1084.821871][ C1] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 1084.831988][ C1] Call Trace:
[ 1084.835310][ C1] dump_stack+0x1fb/0x318
[ 1084.839688][ C1] print_address_description+0x75/0x5c0
[ 1084.845224][ C1] ? vprintk_default+0x28/0x30
[ 1084.849982][ C1] ? vprintk_func+0x158/0x170
[ 1084.854733][ C1] ? printk+0x62/0x8d
[ 1084.858695][ C1] __kasan_report+0x14b/0x1c0
[ 1084.863409][ C1] ? kfree+0xa0/0x200
[ 1084.867377][ C1] ? __lock_acquire+0x96/0x1be0
[ 1084.872271][ C1] ? __do_softirq+0x333/0x7c4
[ 1084.876936][ C1] kasan_report+0x26/0x50
[ 1084.881297][ C1] ? net_rx_action+0x5ef/0x10d0
[ 1084.886127][ C1] ? __do_softirq+0x333/0x7c4
[ 1084.890780][ C1] __asan_report_load8_noabort+0x14/0x20
[ 1084.896925][ C1] __lock_acquire+0x96/0x1be0
[ 1084.901590][ C1] ? _raw_spin_unlock_irqrestore+0xbc/0xe0
[ 1084.907393][ C1] ? trace_lock_acquire+0x159/0x1d0
[ 1084.912572][ C1] lock_acquire+0x158/0x250
[ 1084.917145][ C1] ? j1939_xtp_rx_abort_one+0x89/0x3f0
[ 1084.922598][ C1] ? j1939_xtp_rx_abort_one+0x89/0x3f0
[ 1084.928045][ C1] _raw_spin_lock_bh+0x34/0x50
[ 1084.932801][ C1] ? j1939_xtp_rx_abort_one+0x89/0x3f0
[ 1084.938246][ C1] j1939_xtp_rx_abort_one+0x89/0x3f0
[ 1084.943515][ C1] j1939_tp_recv+0x648/0xb80
[ 1084.948078][ C1] j1939_can_recv+0x424/0x650
[ 1084.952738][ C1] ? j1939_send_one+0x3e0/0x3e0
[ 1084.957561][ C1] can_rcv_filter+0x3c0/0x8b0
[ 1084.962213][ C1] can_receive+0x2ac/0x3b0
[ 1084.966612][ C1] can_rcv+0xe4/0x220
[ 1084.970565][ C1] ? rcu_lock_release+0x30/0x30
[ 1084.975459][ C1] __netif_receive_skb+0x136/0x370
[ 1084.980551][ C1] process_backlog+0x4d8/0x930
[ 1084.985304][ C1] net_rx_action+0x5ef/0x10d0
[ 1084.989963][ C1] __do_softirq+0x333/0x7c4
[ 1084.994650][ C1] ? run_ksoftirqd+0x64/0xf0
[ 1084.999247][ C1] run_ksoftirqd+0x64/0xf0
[ 1085.003650][ C1] ? ksoftirqd_should_run+0x20/0x20
[ 1085.008928][ C1] smpboot_thread_fn+0x5b3/0x9a0
[ 1085.013890][ C1] kthread+0x332/0x350
[ 1085.017994][ C1] ? cpu_report_death+0x120/0x120
[ 1085.023047][ C1] ? kthread_blkcg+0xe0/0xe0
[ 1085.027621][ C1] ret_from_fork+0x24/0x30
[ 1085.032008][ C1]
[ 1085.034312][ C1] Allocated by task 7912:
[ 1085.038624][ C1] __kasan_kmalloc+0x11c/0x1b0
[ 1085.043363][ C1] kasan_kmalloc+0x9/0x10
[ 1085.047677][ C1] kmem_cache_alloc_trace+0x221/0x2f0
[ 1085.053024][ C1] j1939_netdev_start+0x177/0x730
[ 1085.058036][ C1] j1939_sk_bind+0x2c0/0xac0
[ 1085.062698][ C1] __sys_bind+0x2c2/0x3a0
[ 1085.067024][ C1] __x64_sys_bind+0x7a/0x90
[ 1085.071569][ C1] do_syscall_64+0xf7/0x1c0
[ 1085.076062][ C1] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 1085.081930][ C1]
[ 1085.084241][ C1] Freed by task 7912:
[ 1085.088196][ C1] __kasan_slab_free+0x12a/0x1e0
[ 1085.093106][ C1] kasan_slab_free+0xe/0x10
[ 1085.097579][ C1] kfree+0x115/0x200
[ 1085.101450][ C1] j1939_netdev_stop+0x20c/0x230
[ 1085.106360][ C1] j1939_sk_release+0x61f/0x810
[ 1085.111199][ C1] sock_close+0xe1/0x260
[ 1085.115461][ C1] __fput+0x2e4/0x740
[ 1085.119427][ C1] ____fput+0x15/0x20
[ 1085.123458][ C1] task_work_run+0x17e/0x1b0
[ 1085.128030][ C1] prepare_exit_to_usermode+0x459/0x580
[ 1085.133643][ C1] syscall_return_slowpath+0x113/0x4a0
[ 1085.139072][ C1] do_syscall_64+0x11f/0x1c0
[ 1085.143659][ C1] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 1085.149569][ C1]
[ 1085.151886][ C1] The buggy address belongs to the object at ffff888096d4c000
[ 1085.151886][ C1] which belongs to the cache kmalloc-8k of size 8192
[ 1085.165914][ C1] The buggy address is located 4224 bytes inside of
[ 1085.165914][ C1] 8192-byte region [ffff888096d4c000, ffff888096d4e000)
[ 1085.179326][ C1] The buggy address belongs to the page:
[ 1085.184934][ C1] page:ffffea00025b5300 refcount:1 mapcount:0 mapping:ffff8880aa4021c0 index:0x0 compound_mapcount: 0
[ 1085.195851][ C1] flags: 0x1fffc0000010200(slab|head)
[ 1085.201200][ C1] raw: 01fffc0000010200 ffffea0002505708 ffffea0002764608 ffff8880aa4021c0
[ 1085.209754][ C1] raw: 0000000000000000 ffff888096d4c000 0000000100000001 0000000000000000
[ 1085.218316][ C1] page dumped because: kasan: bad access detected
[ 1085.224709][ C1]
[ 1085.227007][ C1] Memory state around the buggy address:
[ 1085.232610][ C1]  ffff888096d4cf80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1085.240644][ C1]  ffff888096d4d000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1085.248706][ C1] >ffff888096d4d080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1085.256751][ C1]                    ^
[ 1085.260790][ C1]  ffff888096d4d100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1085.268825][ C1]  ffff888096d4d180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1085.276862][ C1] ==================================================================
[ 1085.284896][ C1] Disabling lock debugging due to kernel taint
[ 1085.291031][ C1] Kernel panic - not syncing: panic_on_warn set ...
[ 1085.297605][ C1] CPU: 1 PID: 16 Comm: ksoftirqd/1 Tainted: G B 5.4.0-rc7+ #0
[ 1085.306348][ C1] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 1085.316377][ C1] Call Trace:
[ 1085.319643][ C1] dump_stack+0x1fb/0x318
[ 1085.323949][ C1] panic+0x264/0x7a9
[ 1085.327892][ C1] ? trace_hardirqs_off+0x1a/0x80
[ 1085.332979][ C1] __kasan_report+0x1bb/0x1c0
[ 1085.337647][ C1] ? kfree+0xa0/0x200
[ 1085.341625][ C1] ? __lock_acquire+0x96/0x1be0
[ 1085.346622][ C1] ? __do_softirq+0x333/0x7c4
[ 1085.351277][ C1] kasan_report+0x26/0x50
[ 1085.355580][ C1] ? net_rx_action+0x5ef/0x10d0
[ 1085.360414][ C1] ? __do_softirq+0x333/0x7c4
[ 1085.365062][ C1] __asan_report_load8_noabort+0x14/0x20
[ 1085.370672][ C1] __lock_acquire+0x96/0x1be0
[ 1085.375342][ C1] ? _raw_spin_unlock_irqrestore+0xbc/0xe0
[ 1085.381212][ C1] ? trace_lock_acquire+0x159/0x1d0
[ 1085.386393][ C1] lock_acquire+0x158/0x250
[ 1085.390880][ C1] ? j1939_xtp_rx_abort_one+0x89/0x3f0
[ 1085.396312][ C1] ? j1939_xtp_rx_abort_one+0x89/0x3f0
[ 1085.401743][ C1] _raw_spin_lock_bh+0x34/0x50
[ 1085.406479][ C1] ? j1939_xtp_rx_abort_one+0x89/0x3f0
[ 1085.411917][ C1] j1939_xtp_rx_abort_one+0x89/0x3f0
[ 1085.417190][ C1] j1939_tp_recv+0x648/0xb80
[ 1085.421904][ C1] j1939_can_recv+0x424/0x650
[ 1085.426561][ C1] ? j1939_send_one+0x3e0/0x3e0
[ 1085.431385][ C1] can_rcv_filter+0x3c0/0x8b0
[ 1085.436059][ C1] can_receive+0x2ac/0x3b0
[ 1085.440465][ C1] can_rcv+0xe4/0x220
[ 1085.444419][ C1] ? rcu_lock_release+0x30/0x30
[ 1085.449264][ C1] __netif_receive_skb+0x136/0x370
[ 1085.454368][ C1] process_backlog+0x4d8/0x930
[ 1085.459103][ C1] net_rx_action+0x5ef/0x10d0
[ 1085.463760][ C1] __do_softirq+0x333/0x7c4
[ 1085.468247][ C1] ? run_ksoftirqd+0x64/0xf0
[ 1085.472842][ C1] run_ksoftirqd+0x64/0xf0
[ 1085.477238][ C1] ? ksoftirqd_should_run+0x20/0x20
[ 1085.482409][ C1] smpboot_thread_fn+0x5b3/0x9a0
[ 1085.487341][ C1] kthread+0x332/0x350
[ 1085.491381][ C1] ? cpu_report_death+0x120/0x120
[ 1085.496375][ C1] ? kthread_blkcg+0xe0/0xe0
[ 1085.500937][ C1] ret_from_fork+0x24/0x30
[ 1085.507283][ C1] Kernel Offset: disabled
[ 1085.511613][ C1] Rebooting in 86400 seconds..