[ 67.993580][ T27] audit: type=1800 audit(1585585908.632:24): pid=9625 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="sudo" dev="sda1" ino=2454 res=0
[ ok ] Starting enhanced syslogd: rsyslogd.
[ 68.767824][ T27] audit: type=1800 audit(1585585909.492:25): pid=9625 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="cron" dev="sda1" ino=2414 res=0
[ 68.788356][ T27] audit: type=1800 audit(1585585909.492:26): pid=9625 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.1.44' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 81.062251][ T9778] IPVS: ftp: loaded support on port[0] = 21
[ 81.096962][ T9778] ==================================================================
[ 81.105286][ T9778] BUG: KASAN: use-after-free in tcindex_set_parms+0x17fd/0x1a00
[ 81.113027][ T9778] Write of size 16 at addr ffff8880a0605930 by task syz-executor027/9778
[ 81.121418][ T9778]
[ 81.123739][ T9778] CPU: 1 PID: 9778 Comm: syz-executor027 Not tainted 5.6.0-rc3-next-20200228-syzkaller #0
[ 81.133605][ T9778] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 81.143648][ T9778] Call Trace:
[ 81.146925][ T9778] dump_stack+0x188/0x20d
[ 81.151257][ T9778] ? tcindex_set_parms+0x17fd/0x1a00
[ 81.156576][ T9778] ? tcindex_set_parms+0x17fd/0x1a00
[ 81.161969][ T9778] print_address_description.constprop.0.cold+0xd3/0x315
[ 81.168986][ T9778] ? tcindex_set_parms+0x17fd/0x1a00
[ 81.174364][ T9778] ? tcindex_set_parms+0x17fd/0x1a00
[ 81.179660][ T9778] __kasan_report.cold+0x1a/0x32
[ 81.184590][ T9778] ? tcindex_set_parms+0x17fd/0x1a00
[ 81.189880][ T9778] kasan_report+0xe/0x20
[ 81.194139][ T9778] tcindex_set_parms+0x17fd/0x1a00
[ 81.199316][ T9778] ? tcindex_alloc_perfect_hash+0x320/0x320
[ 81.207332][ T9778] ? mark_held_locks+0xe0/0xe0
[ 81.212115][ T9778] ? nla_memcpy+0xa0/0xa0
[ 81.216440][ T9778] ? tcindex_change+0x203/0x2e0
[ 81.221272][ T9778] tcindex_change+0x203/0x2e0
[ 81.226115][ T9778] ? tcindex_set_parms+0x1a00/0x1a00
[ 81.231397][ T9778] tc_new_tfilter+0xa59/0x20b0
[ 81.236170][ T9778] ? tcindex_set_parms+0x1a00/0x1a00
[ 81.241987][ T9778] ? is_bpf_image_address+0x1cb/0x280
[ 81.247366][ T9778] ? tc_del_tfilter+0x1430/0x1430
[ 81.252410][ T9778] ? apparmor_capable+0x49c/0x8a0
[ 81.257445][ T9778] ? mark_lock+0xbc/0x1220
[ 81.261868][ T9778] ? rcu_read_lock_held+0x9c/0xb0
[ 81.266881][ T9778] ? tc_del_tfilter+0x1430/0x1430
[ 81.271896][ T9778] rtnetlink_rcv_msg+0x810/0xad0
[ 81.276830][ T9778] ? rtnl_bridge_getlink+0x880/0x880
[ 81.282112][ T9778] ? mark_held_locks+0xe0/0xe0
[ 81.286863][ T9778] ? netlink_deliver_tap+0x146/0xb50
[ 81.292130][ T9778] netlink_rcv_skb+0x15a/0x410
[ 81.296885][ T9778] ? rtnl_bridge_getlink+0x880/0x880
[ 81.302155][ T9778] ? netlink_ack+0xa80/0xa80
[ 81.306737][ T9778] netlink_unicast+0x537/0x740
[ 81.311489][ T9778] ? netlink_attachskb+0x810/0x810
[ 81.316577][ T9778] ? _copy_from_iter_full+0x25c/0x870
[ 81.321934][ T9778] ? __phys_addr_symbol+0x2c/0x70
[ 81.326946][ T9778] ? __check_object_size+0x171/0x437
[ 81.332302][ T9778] netlink_sendmsg+0x882/0xe10
[ 81.337064][ T9778] ? aa_af_perm+0x260/0x260
[ 81.341610][ T9778] ? netlink_unicast+0x740/0x740
[ 81.346595][ T9778] ? netlink_unicast+0x740/0x740
[ 81.351676][ T9778] sock_sendmsg+0xcf/0x120
[ 81.356187][ T9778] ____sys_sendmsg+0x6b9/0x7d0
[ 81.360966][ T9778] ? kernel_sendmsg+0x50/0x50
[ 81.365742][ T9778] ? rcu_read_lock_sched_held+0x9c/0xd0
[ 81.371300][ T9778] ? rcu_read_lock_any_held.part.0+0x50/0x50
[ 81.377307][ T9778] ___sys_sendmsg+0x100/0x170
[ 81.382002][ T9778] ? sendmsg_copy_msghdr+0x70/0x70
[ 81.387109][ T9778] ? lock_downgrade+0x7f0/0x7f0
[ 81.391991][ T9778] ? lock_acquire+0x197/0x420
[ 81.396795][ T9778] ? __might_fault+0xef/0x1d0
[ 81.401494][ T9778] ? __might_fault+0x190/0x1d0
[ 81.406370][ T9778] ? _copy_to_user+0x107/0x150
[ 81.412186][ T9778] ? move_addr_to_user+0xb3/0x200
[ 81.417215][ T9778] ? __fget_light+0x1a5/0x270
[ 81.421899][ T9778] __sys_sendmsg+0xec/0x1b0
[ 81.426402][ T9778] ? __sys_sendmsg_sock+0xb0/0xb0
[ 81.431452][ T9778] ? trace_hardirqs_off_caller+0x55/0x230
[ 81.437213][ T9778] ? do_syscall_64+0x21/0x790
[ 81.441916][ T9778] do_syscall_64+0xf6/0x790
[ 81.446545][ T9778] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 81.452438][ T9778] RIP: 0033:0x440fc9
[ 81.456328][ T9778] Code: 26 02 00 85 c0 b8 00 00 00 00 48 0f 44 c3 5b c3 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 1b 10 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 81.476080][ T9778] RSP: 002b:00007ffce9890c78 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 81.484477][ T9778] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000440fc9
[ 81.492445][ T9778] RDX: 0000000000000000 RSI: 00000000200001c0 RDI: 0000000000000003
[ 81.500573][ T9778] RBP: 00007ffce9890c80 R08: 0000000120080522 R09: 0000000120080522
[ 81.508544][ T9778] R10: 0000000120080522 R11: 0000000000000246 R12: 0000000000402470
[ 81.516501][ T9778] R13: 0000000000402500 R14: 0000000000000000 R15: 0000000000000000
[ 81.524503][ T9778]
[ 81.526865][ T9778] Allocated by task 786:
[ 81.531162][ T9778] save_stack+0x1b/0x40
[ 81.535305][ T9778] __kasan_kmalloc.constprop.0+0xbf/0xd0
[ 81.541072][ T9778] __kmalloc+0x161/0x7a0
[ 81.545559][ T9778] bio_alloc_bioset+0x3cf/0x600
[ 81.550398][ T9778] bio_map_kern+0xb1/0x2f0
[ 81.554977][ T9778] blk_rq_map_kern+0x215/0x490
[ 81.559739][ T9778] __scsi_execute+0x4a0/0x5d0
[ 81.564503][ T9778] scsi_probe_and_add_lun+0x5a3/0x34d0
[ 81.570025][ T9778] __scsi_scan_target+0x280/0xed0
[ 81.575044][ T9778] scsi_scan_channel.part.0+0x126/0x1a0
[ 81.580684][ T9778] scsi_scan_host_selected+0x30b/0x450
[ 81.586464][ T9778] do_scsi_scan_host+0x1e8/0x260
[ 81.591383][ T9778] do_scan_async+0x40/0x500
[ 81.595877][ T9778] async_run_entry_fn+0x121/0x530
[ 81.600891][ T9778] process_one_work+0x94b/0x1690
[ 81.605866][ T9778] worker_thread+0x96/0xe20
[ 81.610390][ T9778] kthread+0x357/0x430
[ 81.614461][ T9778] ret_from_fork+0x24/0x30
[ 81.618946][ T9778]
[ 81.621261][ T9778] Freed by task 0:
[ 81.624985][ T9778] save_stack+0x1b/0x40
[ 81.629135][ T9778] __kasan_slab_free+0xf7/0x140
[ 81.634437][ T9778] kfree+0x109/0x2b0
[ 81.638340][ T9778] bio_free+0xfa/0x140
[ 81.642484][ T9778] bio_put+0xcd/0x100
[ 81.646455][ T9778] bio_endio+0x473/0x820
[ 81.650724][ T9778] blk_update_request+0x3e1/0xdc0
[ 81.655740][ T9778] scsi_end_request+0x80/0x7a0
[ 81.660484][ T9778] scsi_io_completion+0x1e7/0x1300
[ 81.665572][ T9778] scsi_softirq_done+0x31e/0x3b0
[ 81.670486][ T9778] blk_done_softirq+0x2db/0x440
[ 81.675377][ T9778] __do_softirq+0x26c/0x99d
[ 81.679854][ T9778]
[ 81.682161][ T9778] The buggy address belongs to the object at ffff8880a0605900
[ 81.682161][ T9778]  which belongs to the cache kmalloc-192 of size 192
[ 81.696353][ T9778] The buggy address is located 48 bytes inside of
[ 81.696353][ T9778]  192-byte region [ffff8880a0605900, ffff8880a06059c0)
[ 81.709540][ T9778] The buggy address belongs to the page:
[ 81.715178][ T9778] page:ffffea0002818140 refcount:1 mapcount:0 mapping:00000000ded8dd1a index:0xffff8880a0605d00
[ 81.725584][ T9778] flags: 0xfffe0000000200(slab)
[ 81.730422][ T9778] raw: 00fffe0000000200 ffffea0002815208 ffff8880aa001138 ffff8880aa000000
[ 81.739002][ T9778] raw: ffff8880a0605d00 ffff8880a0605000 000000010000000b 0000000000000000
[ 81.747561][ T9778] page dumped because: kasan: bad access detected
[ 81.753947][ T9778]
[ 81.756261][ T9778] Memory state around the buggy address:
[ 81.761870][ T9778]  ffff8880a0605800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 81.769919][ T9778]  ffff8880a0605880: 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 81.777957][ T9778] >ffff8880a0605900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 81.785999][ T9778]                                      ^
[ 81.791623][ T9778]  ffff8880a0605980: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 81.799660][ T9778]  ffff8880a0605a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 81.807880][ T9778] ==================================================================
[ 81.815916][ T9778] Disabling lock debugging due to kernel taint
[ 81.822748][ T9778] Kernel panic - not syncing: panic_on_warn set ...
[ 81.829459][ T9778] CPU: 1 PID: 9778 Comm: syz-executor027 Tainted: G B 5.6.0-rc3-next-20200228-syzkaller #0
[ 81.840717][ T9778] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 81.850792][ T9778] Call Trace:
[ 81.854078][ T9778] dump_stack+0x188/0x20d
[ 81.858389][ T9778] panic+0x2e3/0x75c
[ 81.862262][ T9778] ? add_taint.cold+0x16/0x16
[ 81.866920][ T9778] ? preempt_schedule_common+0x5e/0xc0
[ 81.872366][ T9778] ? tcindex_set_parms+0x17fd/0x1a00
[ 81.877630][ T9778] ? ___preempt_schedule+0x16/0x18
[ 81.882728][ T9778] ? trace_hardirqs_on+0x55/0x220
[ 81.887729][ T9778] ? tcindex_set_parms+0x17fd/0x1a00
[ 81.892986][ T9778] end_report+0x43/0x49
[ 81.897203][ T9778] ? tcindex_set_parms+0x17fd/0x1a00
[ 81.902461][ T9778] __kasan_report.cold+0xd/0x32
[ 81.907299][ T9778] ? tcindex_set_parms+0x17fd/0x1a00
[ 81.912570][ T9778] kasan_report+0xe/0x20
[ 81.916807][ T9778] tcindex_set_parms+0x17fd/0x1a00
[ 81.921907][ T9778] ? tcindex_alloc_perfect_hash+0x320/0x320
[ 81.927779][ T9778] ? mark_held_locks+0xe0/0xe0
[ 81.932701][ T9778] ? nla_memcpy+0xa0/0xa0
[ 81.937007][ T9778] ? tcindex_change+0x203/0x2e0
[ 81.941830][ T9778] tcindex_change+0x203/0x2e0
[ 81.946486][ T9778] ? tcindex_set_parms+0x1a00/0x1a00
[ 81.951756][ T9778] tc_new_tfilter+0xa59/0x20b0
[ 81.956496][ T9778] ? tcindex_set_parms+0x1a00/0x1a00
[ 81.961760][ T9778] ? is_bpf_image_address+0x1cb/0x280
[ 81.967117][ T9778] ? tc_del_tfilter+0x1430/0x1430
[ 81.972125][ T9778] ? apparmor_capable+0x49c/0x8a0
[ 81.977209][ T9778] ? mark_lock+0xbc/0x1220
[ 81.981624][ T9778] ? rcu_read_lock_held+0x9c/0xb0
[ 81.986641][ T9778] ? tc_del_tfilter+0x1430/0x1430
[ 81.991640][ T9778] rtnetlink_rcv_msg+0x810/0xad0
[ 81.996562][ T9778] ? rtnl_bridge_getlink+0x880/0x880
[ 82.001829][ T9778] ? mark_held_locks+0xe0/0xe0
[ 82.006565][ T9778] ? netlink_deliver_tap+0x146/0xb50
[ 82.011830][ T9778] netlink_rcv_skb+0x15a/0x410
[ 82.016569][ T9778] ? rtnl_bridge_getlink+0x880/0x880
[ 82.021831][ T9778] ? netlink_ack+0xa80/0xa80
[ 82.026399][ T9778] netlink_unicast+0x537/0x740
[ 82.031139][ T9778] ? netlink_attachskb+0x810/0x810
[ 82.036244][ T9778] ? _copy_from_iter_full+0x25c/0x870
[ 82.041595][ T9778] ? __phys_addr_symbol+0x2c/0x70
[ 82.046599][ T9778] ? __check_object_size+0x171/0x437
[ 82.051863][ T9778] netlink_sendmsg+0x882/0xe10
[ 82.056622][ T9778] ? aa_af_perm+0x260/0x260
[ 82.061187][ T9778] ? netlink_unicast+0x740/0x740
[ 82.066102][ T9778] ? netlink_unicast+0x740/0x740
[ 82.071015][ T9778] sock_sendmsg+0xcf/0x120
[ 82.075414][ T9778] ____sys_sendmsg+0x6b9/0x7d0
[ 82.080158][ T9778] ? kernel_sendmsg+0x50/0x50
[ 82.084824][ T9778] ? rcu_read_lock_sched_held+0x9c/0xd0
[ 82.090354][ T9778] ? rcu_read_lock_any_held.part.0+0x50/0x50
[ 82.096381][ T9778] ___sys_sendmsg+0x100/0x170
[ 82.101048][ T9778] ? sendmsg_copy_msghdr+0x70/0x70
[ 82.106145][ T9778] ? lock_downgrade+0x7f0/0x7f0
[ 82.110977][ T9778] ? lock_acquire+0x197/0x420
[ 82.115731][ T9778] ? __might_fault+0xef/0x1d0
[ 82.120443][ T9778] ? __might_fault+0x190/0x1d0
[ 82.125185][ T9778] ? _copy_to_user+0x107/0x150
[ 82.129941][ T9778] ? move_addr_to_user+0xb3/0x200
[ 82.134965][ T9778] ? __fget_light+0x1a5/0x270
[ 82.139644][ T9778] __sys_sendmsg+0xec/0x1b0
[ 82.144630][ T9778] ? __sys_sendmsg_sock+0xb0/0xb0
[ 82.149644][ T9778] ? trace_hardirqs_off_caller+0x55/0x230
[ 82.155349][ T9778] ? do_syscall_64+0x21/0x790
[ 82.160012][ T9778] do_syscall_64+0xf6/0x790
[ 82.164588][ T9778] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 82.170501][ T9778] RIP: 0033:0x440fc9
[ 82.174381][ T9778] Code: 26 02 00 85 c0 b8 00 00 00 00 48 0f 44 c3 5b c3 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 1b 10 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 82.194070][ T9778] RSP: 002b:00007ffce9890c78 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 82.202464][ T9778] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000440fc9
[ 82.210774][ T9778] RDX: 0000000000000000 RSI: 00000000200001c0 RDI: 0000000000000003
[ 82.218739][ T9778] RBP: 00007ffce9890c80 R08: 0000000120080522 R09: 0000000120080522
[ 82.226687][ T9778] R10: 0000000120080522 R11: 0000000000000246 R12: 0000000000402470
[ 82.234684][ T9778] R13: 0000000000402500 R14: 0000000000000000 R15: 0000000000000000
[ 82.244225][ T9778] Kernel Offset: disabled
[ 82.248577][ T9778] Rebooting in 86400 seconds..