[ ok ] Starting enhanced syslogd: rsyslogd. [ ok ] Starting periodic command scheduler: cron. [ ok ] Starting OpenBSD Secure Shell server: sshd. [ 27.741704] kauditd_printk_skb: 7 callbacks suppressed [ 27.741714] audit: type=1800 audit(1545588893.854:29): pid=5864 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="rc.local" dev="sda1" ino=2432 res=0 [ 27.772484] audit: type=1800 audit(1545588893.854:30): pid=5864 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="rmnologin" dev="sda1" ino=2423 res=0 Debian GNU/Linux 7 syzkaller ttyS0 syzkaller login: [ 31.228529] sshd (6002) used greatest stack depth: 15728 bytes left Warning: Permanently added '10.128.0.181' (ECDSA) to the list of known hosts. 2018/12/23 18:17:29 parsed 1 programs 2018/12/23 18:17:31 executed programs: 0 [ 185.101332] IPVS: ftp: loaded support on port[0] = 21 [ 185.348197] bridge0: port 1(bridge_slave_0) entered blocking state [ 185.355379] bridge0: port 1(bridge_slave_0) entered disabled state [ 185.362785] device bridge_slave_0 entered promiscuous mode [ 185.382062] bridge0: port 2(bridge_slave_1) entered blocking state [ 185.388727] bridge0: port 2(bridge_slave_1) entered disabled state [ 185.395936] device bridge_slave_1 entered promiscuous mode [ 185.414163] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready [ 185.436035] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready [ 185.485861] bond0: Enslaving bond_slave_0 as an active interface with an up link [ 185.508645] bond0: Enslaving bond_slave_1 as an active interface with an up link [ 185.584956] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready [ 185.592635] team0: Port device team_slave_0 added [ 185.610773] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready [ 185.617958] team0: Port device 
team_slave_1 added [ 185.635445] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready [ 185.656036] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready [ 185.676374] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready [ 185.697047] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready [ 185.843785] bridge0: port 2(bridge_slave_1) entered blocking state [ 185.850566] bridge0: port 2(bridge_slave_1) entered forwarding state [ 185.857666] bridge0: port 1(bridge_slave_0) entered blocking state [ 185.864004] bridge0: port 1(bridge_slave_0) entered forwarding state [ 186.390420] 8021q: adding VLAN 0 to HW filter on device bond0 [ 186.442370] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready [ 186.494163] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready [ 186.500607] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready [ 186.509242] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 186.552702] 8021q: adding VLAN 0 to HW filter on device team0 [ 187.668985] ================================================================== [ 187.676469] BUG: KASAN: use-after-free in tipc_mcast_xmit+0xb77/0xdb0 [ 187.683260] Read of size 1 at addr ffff8881d4481c4e by task syz-executor0/6293 [ 187.690597] [ 187.692215] CPU: 1 PID: 6293 Comm: syz-executor0 Not tainted 4.20.0-rc6-next-20181217+ #172 [ 187.700703] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 187.710127] Call Trace: [ 187.712701] dump_stack+0x244/0x39d [ 187.716315] ? dump_stack_print_info.cold.1+0x20/0x20 [ 187.721501] ? printk+0xa7/0xcf [ 187.724763] ? kmsg_dump_rewind_nolock+0xe4/0xe4 [ 187.729510] print_address_description.cold.4+0x9/0x1ff [ 187.734861] ? tipc_mcast_xmit+0xb77/0xdb0 [ 187.739089] kasan_report.cold.5+0x1b/0x39 [ 187.743323] ? tipc_mcast_xmit+0xb77/0xdb0 [ 187.747550] ? 
tipc_mcast_xmit+0xb77/0xdb0 [ 187.751774] __asan_report_load1_noabort+0x14/0x20 [ 187.756770] tipc_mcast_xmit+0xb77/0xdb0 [ 187.760834] ? tipc_bcast_dec_bearer_dst_cnt+0xa80/0xa80 [ 187.766271] ? __sanitizer_cov_trace_cmp4+0x16/0x20 [ 187.771551] ? skb_put+0x17b/0x1e0 [ 187.775083] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 187.780608] ? tipc_msg_build+0x4a5/0x12d0 [ 187.784837] ? tipc_msg_assemble+0x6b0/0x6b0 [ 187.789248] ? remove_wait_queue+0x1a6/0x360 [ 187.793648] ? lockdep_init_map+0x105/0x590 [ 187.797973] tipc_send_group_bcast+0xa5f/0xdf0 [ 187.802542] ? _raw_spin_unlock_irqrestore+0x82/0xd0 [ 187.807641] ? tipc_sk_sock_err.isra.60+0x2f0/0x2f0 [ 187.812648] ? __init_waitqueue_head+0x150/0x150 [ 187.817395] ? try_to_wake_up+0x11c/0x1440 [ 187.821622] ? graph_lock+0x270/0x270 [ 187.825422] ? mark_held_locks+0x130/0x130 [ 187.829663] __tipc_sendmsg+0xeec/0x1d40 [ 187.833720] ? tipc_sendmcast+0xf50/0xf50 [ 187.837857] ? __sanitizer_cov_trace_switch+0x53/0x90 [ 187.843066] ? graph_lock+0x270/0x270 [ 187.846897] ? print_usage_bug+0xc0/0xc0 [ 187.851061] ? find_held_lock+0x36/0x1c0 [ 187.855392] ? mark_held_locks+0xc7/0x130 [ 187.859544] ? __local_bh_enable_ip+0x160/0x260 [ 187.864316] ? __local_bh_enable_ip+0x160/0x260 [ 187.868975] ? lockdep_hardirqs_on+0x3bb/0x5b0 [ 187.873811] ? trace_hardirqs_on+0xbd/0x310 [ 187.878122] ? lock_release+0xa00/0xa00 [ 187.882509] ? lock_sock_nested+0xe2/0x120 [ 187.886756] ? trace_hardirqs_off_caller+0x310/0x310 [ 187.891868] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 187.897396] ? check_preemption_disabled+0x48/0x280 [ 187.902410] ? lock_sock_nested+0x9a/0x120 [ 187.906643] ? lock_sock_nested+0x9a/0x120 [ 187.910864] ? __local_bh_enable_ip+0x160/0x260 [ 187.915523] tipc_sendmsg+0x50/0x70 [ 187.919141] ? __tipc_sendmsg+0x1d40/0x1d40 [ 187.923456] sock_sendmsg+0xd5/0x120 [ 187.927156] ___sys_sendmsg+0x7fd/0x930 [ 187.931139] ? copy_msghdr_from_user+0x580/0x580 [ 187.935887] ? trace_hardirqs_on+0xbd/0x310 [ 187.940208] ? 
__fget_light+0x2e9/0x430 [ 187.944205] ? fget_raw+0x20/0x20 [ 187.947658] ? __might_fault+0x12b/0x1e0 [ 187.951794] ? lock_downgrade+0x900/0x900 [ 187.956033] ? lock_release+0xa00/0xa00 [ 187.960018] ? perf_trace_sched_process_exec+0x860/0x860 [ 187.965460] ? posix_ktime_get_ts+0x15/0x20 [ 187.969779] ? trace_hardirqs_off_caller+0x310/0x310 [ 187.975179] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 187.980714] ? sockfd_lookup_light+0xc5/0x160 [ 187.985209] __sys_sendmsg+0x11d/0x280 [ 187.989110] ? __ia32_sys_shutdown+0x80/0x80 [ 187.993519] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 187.999071] ? put_timespec64+0x10f/0x1b0 [ 188.003209] ? do_syscall_64+0x9a/0x820 [ 188.007181] ? do_syscall_64+0x9a/0x820 [ 188.011165] ? trace_hardirqs_off_caller+0x310/0x310 [ 188.016366] __x64_sys_sendmsg+0x78/0xb0 [ 188.020414] do_syscall_64+0x1b9/0x820 [ 188.024300] ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe [ 188.029652] ? syscall_return_slowpath+0x5e0/0x5e0 [ 188.034586] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 188.039421] ? trace_hardirqs_on_caller+0x310/0x310 [ 188.044435] ? prepare_exit_to_usermode+0x3b0/0x3b0 [ 188.049442] ? prepare_exit_to_usermode+0x291/0x3b0 [ 188.054451] ? 
trace_hardirqs_off_thunk+0x1a/0x1c [ 188.059290] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 188.064484] RIP: 0033:0x457669 [ 188.067669] Code: fd b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00 [ 188.087181] RSP: 002b:00007f1e1b867c78 EFLAGS: 00000246 ORIG_RAX: 000000000000002e [ 188.094875] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000457669 [ 188.102139] RDX: 0000000000000000 RSI: 00000000200001c0 RDI: 0000000000000004 [ 188.109407] RBP: 000000000072bf00 R08: 0000000000000000 R09: 0000000000000000 [ 188.116682] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f1e1b8686d4 [ 188.123941] R13: 00000000004c44f4 R14: 00000000004d7518 R15: 00000000ffffffff [ 188.131308] [ 188.132929] Allocated by task 6293: [ 188.136544] save_stack+0x43/0xd0 [ 188.139982] kasan_kmalloc+0xcb/0xd0 [ 188.143680] kmem_cache_alloc_trace+0x154/0x740 [ 188.148350] tipc_group_create+0x152/0xa70 [ 188.152685] tipc_setsockopt+0x2d1/0xd70 [ 188.156729] __sys_setsockopt+0x1ba/0x3c0 [ 188.160863] __x64_sys_setsockopt+0xbe/0x150 [ 188.165267] do_syscall_64+0x1b9/0x820 [ 188.169161] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 188.174454] [ 188.176080] Freed by task 6294: [ 188.179349] save_stack+0x43/0xd0 [ 188.182786] __kasan_slab_free+0x102/0x150 [ 188.187004] kasan_slab_free+0xe/0x10 [ 188.191093] kfree+0xcf/0x230 [ 188.194210] tipc_group_delete+0x2e4/0x3f0 [ 188.198435] tipc_sk_leave+0x113/0x220 [ 188.202307] tipc_setsockopt+0x97d/0xd70 [ 188.206359] __sys_setsockopt+0x1ba/0x3c0 [ 188.210492] __x64_sys_setsockopt+0xbe/0x150 [ 188.214884] do_syscall_64+0x1b9/0x820 [ 188.218769] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 188.223943] [ 188.225558] The buggy address belongs to the object at ffff8881d4481c00 [ 188.225558] which belongs to the cache kmalloc-192 of size 192 [ 188.238200] The buggy address is located 78 bytes inside of [ 
188.238200] 192-byte region [ffff8881d4481c00, ffff8881d4481cc0) [ 188.249989] The buggy address belongs to the page: [ 188.254926] page:ffffea0007512040 count:1 mapcount:0 mapping:ffff8881da800040 index:0x0 [ 188.263051] flags: 0x2fffc0000000200(slab) [ 188.267277] raw: 02fffc0000000200 ffffea0007511e48 ffffea0007512408 ffff8881da800040 [ 188.275149] raw: 0000000000000000 ffff8881d4481000 0000000100000010 0000000000000000 [ 188.283010] page dumped because: kasan: bad access detected [ 188.288704] [ 188.290310] Memory state around the buggy address: [ 188.295231] ffff8881d4481b00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 188.302986] ffff8881d4481b80: 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc [ 188.310349] >ffff8881d4481c00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 188.317686] ^ [ 188.323383] ffff8881d4481c80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 188.330725] ffff8881d4481d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 188.338062] ================================================================== [ 188.345608] Disabling lock debugging due to kernel taint [ 188.352472] Kernel panic - not syncing: panic_on_warn set ... [ 188.358374] CPU: 0 PID: 6293 Comm: syz-executor0 Tainted: G B 4.20.0-rc6-next-20181217+ #172 [ 188.368387] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 188.377733] Call Trace: [ 188.380327] dump_stack+0x244/0x39d [ 188.384054] ? dump_stack_print_info.cold.1+0x20/0x20 [ 188.389230] ? tipc_mcast_xmit+0xb30/0xdb0 [ 188.393570] panic+0x2ad/0x632 [ 188.396765] ? add_taint.cold.5+0x16/0x16 [ 188.400930] ? preempt_schedule+0x4d/0x60 [ 188.405063] ? ___preempt_schedule+0x16/0x18 [ 188.409469] ? trace_hardirqs_on+0xb4/0x310 [ 188.413774] ? tipc_mcast_xmit+0xb77/0xdb0 [ 188.418286] end_report+0x47/0x4f [ 188.421726] kasan_report.cold.5+0xe/0x39 [ 188.425858] ? tipc_mcast_xmit+0xb77/0xdb0 [ 188.430079] ? 
tipc_mcast_xmit+0xb77/0xdb0 [ 188.434314] __asan_report_load1_noabort+0x14/0x20 [ 188.439229] tipc_mcast_xmit+0xb77/0xdb0 [ 188.443287] ? tipc_bcast_dec_bearer_dst_cnt+0xa80/0xa80 [ 188.448726] ? __sanitizer_cov_trace_cmp4+0x16/0x20 [ 188.453736] ? skb_put+0x17b/0x1e0 [ 188.457284] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20 [ 188.462817] ? tipc_msg_build+0x4a5/0x12d0 [ 188.467216] ? tipc_msg_assemble+0x6b0/0x6b0 [ 188.471605] ? remove_wait_queue+0x1a6/0x360 [ 188.476013] ? lockdep_init_map+0x105/0x590 [ 188.480320] tipc_send_group_bcast+0xa5f/0xdf0 [ 188.484916] ? _raw_spin_unlock_irqrestore+0x82/0xd0 [ 188.490015] ? tipc_sk_sock_err.isra.60+0x2f0/0x2f0 [ 188.495017] ? __init_waitqueue_head+0x150/0x150 [ 188.499782] ? try_to_wake_up+0x11c/0x1440 [ 188.504004] ? graph_lock+0x270/0x270 [ 188.507793] ? mark_held_locks+0x130/0x130 [ 188.512019] __tipc_sendmsg+0xeec/0x1d40 [ 188.516066] ? tipc_sendmcast+0xf50/0xf50 [ 188.520210] ? __sanitizer_cov_trace_switch+0x53/0x90 [ 188.525385] ? graph_lock+0x270/0x270 [ 188.529168] ? print_usage_bug+0xc0/0xc0 [ 188.533215] ? find_held_lock+0x36/0x1c0 [ 188.537334] ? mark_held_locks+0xc7/0x130 [ 188.541703] ? __local_bh_enable_ip+0x160/0x260 [ 188.546353] ? __local_bh_enable_ip+0x160/0x260 [ 188.551018] ? lockdep_hardirqs_on+0x3bb/0x5b0 [ 188.555586] ? trace_hardirqs_on+0xbd/0x310 [ 188.559979] ? lock_release+0xa00/0xa00 [ 188.564041] ? lock_sock_nested+0xe2/0x120 [ 188.568268] ? trace_hardirqs_off_caller+0x310/0x310 [ 188.573354] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 188.578873] ? check_preemption_disabled+0x48/0x280 [ 188.583868] ? lock_sock_nested+0x9a/0x120 [ 188.588083] ? lock_sock_nested+0x9a/0x120 [ 188.592307] ? __local_bh_enable_ip+0x160/0x260 [ 188.596962] tipc_sendmsg+0x50/0x70 [ 188.600575] ? __tipc_sendmsg+0x1d40/0x1d40 [ 188.604881] sock_sendmsg+0xd5/0x120 [ 188.608596] ___sys_sendmsg+0x7fd/0x930 [ 188.612553] ? copy_msghdr_from_user+0x580/0x580 [ 188.617412] ? trace_hardirqs_on+0xbd/0x310 [ 188.621723] ? 
__fget_light+0x2e9/0x430 [ 188.625678] ? fget_raw+0x20/0x20 [ 188.629112] ? __might_fault+0x12b/0x1e0 [ 188.633158] ? lock_downgrade+0x900/0x900 [ 188.637290] ? lock_release+0xa00/0xa00 [ 188.641257] ? perf_trace_sched_process_exec+0x860/0x860 [ 188.646691] ? posix_ktime_get_ts+0x15/0x20 [ 188.650996] ? trace_hardirqs_off_caller+0x310/0x310 [ 188.656355] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 188.661873] ? sockfd_lookup_light+0xc5/0x160 [ 188.666377] __sys_sendmsg+0x11d/0x280 [ 188.670250] ? __ia32_sys_shutdown+0x80/0x80 [ 188.674639] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 188.680176] ? put_timespec64+0x10f/0x1b0 [ 188.684305] ? do_syscall_64+0x9a/0x820 [ 188.688261] ? do_syscall_64+0x9a/0x820 [ 188.692221] ? trace_hardirqs_off_caller+0x310/0x310 [ 188.697324] __x64_sys_sendmsg+0x78/0xb0 [ 188.701366] do_syscall_64+0x1b9/0x820 [ 188.705242] ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe [ 188.710585] ? syscall_return_slowpath+0x5e0/0x5e0 [ 188.715516] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 188.720357] ? trace_hardirqs_on_caller+0x310/0x310 [ 188.725356] ? prepare_exit_to_usermode+0x3b0/0x3b0 [ 188.730366] ? prepare_exit_to_usermode+0x291/0x3b0 [ 188.735382] ? 
trace_hardirqs_off_thunk+0x1a/0x1c [ 188.740216] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 188.745385] RIP: 0033:0x457669 [ 188.748560] Code: fd b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00 [ 188.767638] RSP: 002b:00007f1e1b867c78 EFLAGS: 00000246 ORIG_RAX: 000000000000002e [ 188.775358] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000457669 [ 188.782610] RDX: 0000000000000000 RSI: 00000000200001c0 RDI: 0000000000000004 [ 188.789880] RBP: 000000000072bf00 R08: 0000000000000000 R09: 0000000000000000 [ 188.797156] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f1e1b8686d4 [ 188.804427] R13: 00000000004c44f4 R14: 00000000004d7518 R15: 00000000ffffffff [ 188.820573] Kernel Offset: disabled [ 188.824221] Rebooting in 86400 seconds..