[ 34.161024][ T26] audit: type=1800 audit(1553052791.131:27): pid=7379 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0
[ 34.182453][ T26] audit: type=1800 audit(1553052791.131:28): pid=7379 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="ssh" dev="sda1" ino=2417 res=0
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ 35.005544][ T26] audit: type=1800 audit(1553052792.051:29): pid=7379 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="rc.local" dev="sda1" ino=2432 res=0
[ 35.026786][ T26] audit: type=1800 audit(1553052792.051:30): pid=7379 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="rmnologin" dev="sda1" ino=2423 res=0

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.15.201' (ECDSA) to the list of known hosts.
2019/03/20 03:33:30 parsed 1 programs
2019/03/20 03:33:32 executed programs: 0
syzkaller login: [ 55.628003][ T7546] IPVS: ftp: loaded support on port[0] = 21
[ 55.688254][ T7546] chnl_net:caif_netlink_parms(): no params data found
[ 55.718619][ T7546] bridge0: port 1(bridge_slave_0) entered blocking state
[ 55.728070][ T7546] bridge0: port 1(bridge_slave_0) entered disabled state
[ 55.737012][ T7546] device bridge_slave_0 entered promiscuous mode
[ 55.745983][ T7546] bridge0: port 2(bridge_slave_1) entered blocking state
[ 55.753240][ T7546] bridge0: port 2(bridge_slave_1) entered disabled state
[ 55.761360][ T7546] device bridge_slave_1 entered promiscuous mode
[ 55.778161][ T7546] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 55.788618][ T7546] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 55.806624][ T7546] team0: Port device team_slave_0 added
[ 55.814195][ T7546] team0: Port device team_slave_1 added
[ 55.892429][ T7546] device hsr_slave_0 entered promiscuous mode
[ 55.961467][ T7546] device hsr_slave_1 entered promiscuous mode
[ 56.038475][ T7546] bridge0: port 2(bridge_slave_1) entered blocking state
[ 56.045919][ T7546] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 56.054213][ T7546] bridge0: port 1(bridge_slave_0) entered blocking state
[ 56.062074][ T7546] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 56.094712][ T7546] 8021q: adding VLAN 0 to HW filter on device bond0
[ 56.107250][ T22] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 56.130227][ T22] bridge0: port 1(bridge_slave_0) entered disabled state
[ 56.140323][ T22] bridge0: port 2(bridge_slave_1) entered disabled state
[ 56.149892][ T22] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 56.161791][ T7546] 8021q: adding VLAN 0 to HW filter on device team0
[ 56.173822][ T7548] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 56.182426][ T7548] bridge0: port 1(bridge_slave_0) entered blocking state
[ 56.189775][ T7548] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 56.200242][ T22] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 56.209013][ T22] bridge0: port 2(bridge_slave_1) entered blocking state
[ 56.216593][ T22] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 56.233645][ T7548] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 56.242658][ T7548] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 56.254859][ T7549] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 56.266818][ T7548] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 56.279475][ T7546] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
[ 56.292388][ T7546] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 56.300825][ T7549] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 56.318459][ T7546] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 56.434256][ T7576] ==================================================================
[ 56.442686][ T7576] BUG: KASAN: use-after-free in tipc_sk_filter_rcv+0x2166/0x34f0
[ 56.450509][ T7576] Read of size 4 at addr ffff88809fbe5bf4 by task syz-executor.0/7576
[ 56.458942][ T7576]
[ 56.461263][ T7576] CPU: 0 PID: 7576 Comm: syz-executor.0 Not tainted 5.0.0+ #61
[ 56.468945][ T7576] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 56.479261][ T7576] Call Trace:
[ 56.482691][ T7576]  dump_stack+0x172/0x1f0
[ 56.487378][ T7576]  ? tipc_sk_filter_rcv+0x2166/0x34f0
[ 56.492891][ T7576]  print_address_description.cold+0x7c/0x20d
[ 56.499125][ T7576]  ? tipc_sk_filter_rcv+0x2166/0x34f0
[ 56.504645][ T7576]  ? tipc_sk_filter_rcv+0x2166/0x34f0
[ 56.510016][ T7576]  kasan_report.cold+0x1b/0x40
[ 56.514986][ T7576]  ? tipc_sk_filter_rcv+0x2166/0x34f0
[ 56.520435][ T7576]  __asan_report_load4_noabort+0x14/0x20
[ 56.526159][ T7576]  tipc_sk_filter_rcv+0x2166/0x34f0
[ 56.531563][ T7576]  ? debug_check_no_obj_freed+0x200/0x464
[ 56.537951][ T7576]  ? kasan_check_write+0x14/0x20
[ 56.543233][ T7576]  ? tipc_sk_overlimit2+0xa0/0xa0
[ 56.548370][ T7576]  ? __lock_acquire+0x548/0x3fb0
[ 56.553491][ T7576]  ? __release_sock+0xca/0x3a0
[ 56.558631][ T7576]  tipc_sk_backlog_rcv+0xeb/0x1e0
[ 56.563653][ T7576]  ? tipc_sk_mcast_rcv+0x1020/0x1020
[ 56.568925][ T7576]  ? __local_bh_enable_ip+0x15a/0x270
[ 56.574310][ T7576]  ? lockdep_hardirqs_on+0x418/0x5d0
[ 56.579590][ T7576]  ? __release_sock+0xca/0x3a0
[ 56.584371][ T7576]  ? trace_hardirqs_on+0x67/0x230
[ 56.589578][ T7576]  ? __release_sock+0xca/0x3a0
[ 56.594332][ T7576]  ? __local_bh_enable_ip+0x15a/0x270
[ 56.599877][ T7576]  __release_sock+0x12e/0x3a0
[ 56.605069][ T7576]  release_sock+0x59/0x1c0
[ 56.609588][ T7576]  tipc_setsockopt+0x496/0xb60
[ 56.614351][ T7576]  ? tipc_sk_finish_conn+0x640/0x640
[ 56.619741][ T7576]  ? apparmor_socket_setsockopt+0x22/0x30
[ 56.625712][ T7576]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 56.632085][ T7576]  ? security_socket_setsockopt+0x93/0xc0
[ 56.637811][ T7576]  __sys_setsockopt+0x180/0x280
[ 56.642794][ T7576]  ? kernel_accept+0x310/0x310
[ 56.647593][ T7576]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 56.653132][ T7576]  ? do_syscall_64+0x26/0x610
[ 56.657800][ T7576]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 56.664002][ T7576]  ? do_syscall_64+0x26/0x610
[ 56.668937][ T7576]  __x64_sys_setsockopt+0xbe/0x150
[ 56.674047][ T7576]  do_syscall_64+0x103/0x610
[ 56.678851][ T7576]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 56.684895][ T7576] RIP: 0033:0x458079
[ 56.688916][ T7576] Code: ad b8 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b8 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 56.708952][ T7576] RSP: 002b:00007f8d6a3dbc78 EFLAGS: 00000246 ORIG_RAX: 0000000000000036
[ 56.717446][ T7576] RAX: ffffffffffffffda RBX: 0000000000000005 RCX: 0000000000458079
[ 56.725525][ T7576] RDX: 0000000000000087 RSI: 000000000000010f RDI: 0000000000000006
[ 56.733815][ T7576] RBP: 000000000073bf00 R08: 0000000000000034 R09: 0000000000000000
[ 56.742021][ T7576] R10: 00000000200000c0 R11: 0000000000000246 R12: 00007f8d6a3dc6d4
[ 56.750118][ T7576] R13: 00000000004c619f R14: 00000000004db210 R15: 00000000ffffffff
[ 56.758234][ T7576]
[ 56.760604][ T7576] Allocated by task 202:
[ 56.764861][ T7576]  save_stack+0x45/0xd0
[ 56.769238][ T7576]  __kasan_kmalloc.constprop.0+0xcf/0xe0
[ 56.775023][ T7576]  kasan_kmalloc+0x9/0x10
[ 56.779769][ T7576]  __kmalloc_node_track_caller+0x4e/0x70
[ 56.785397][ T7576]  __kmalloc_reserve.isra.0+0x40/0xf0
[ 56.790921][ T7576]  __alloc_skb+0x10b/0x5e0
[ 56.795341][ T7576]  tipc_buf_acquire+0x2f/0x100
[ 56.800281][ T7576]  tipc_msg_create+0x38/0x270
[ 56.805078][ T7576]  tipc_topsrv_kern_evt+0x2a7/0x580
[ 56.810367][ T7576]  tipc_conn_send_to_sock+0x43e/0x5f0
[ 56.815729][ T7576]  tipc_conn_send_work+0x65/0x80
[ 56.820775][ T7576]  process_one_work+0x98e/0x1790
[ 56.825706][ T7576]  worker_thread+0x98/0xe40
[ 56.830204][ T7576]  kthread+0x357/0x430
[ 56.834454][ T7576]  ret_from_fork+0x3a/0x50
[ 56.838856][ T7576]
[ 56.841290][ T7576] Freed by task 7576:
[ 56.845275][ T7576]  save_stack+0x45/0xd0
[ 56.849442][ T7576]  __kasan_slab_free+0x102/0x150
[ 56.854529][ T7576]  kasan_slab_free+0xe/0x10
[ 56.859206][ T7576]  kfree+0xcf/0x230
[ 56.863515][ T7576]  skb_free_head+0x93/0xb0
[ 56.868059][ T7576]  skb_release_data+0x576/0x7a0
[ 56.872917][ T7576]  skb_release_all+0x4d/0x60
[ 56.877631][ T7576]  kfree_skb+0xe8/0x390
[ 56.881793][ T7576]  tipc_sk_filter_rcv+0x1e6a/0x34f0
[ 56.886974][ T7576]  tipc_sk_backlog_rcv+0xeb/0x1e0
[ 56.892170][ T7576]  __release_sock+0x12e/0x3a0
[ 56.896844][ T7576]  release_sock+0x59/0x1c0
[ 56.901263][ T7576]  tipc_setsockopt+0x496/0xb60
[ 56.906082][ T7576]  __sys_setsockopt+0x180/0x280
[ 56.910929][ T7576]  __x64_sys_setsockopt+0xbe/0x150
[ 56.916054][ T7576]  do_syscall_64+0x103/0x610
[ 56.920634][ T7576]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 56.926508][ T7576]
[ 56.928821][ T7576] The buggy address belongs to the object at ffff88809fbe5b40
[ 56.928821][ T7576]  which belongs to the cache kmalloc-1k of size 1024
[ 56.943311][ T7576] The buggy address is located 180 bytes inside of
[ 56.943311][ T7576]  1024-byte region [ffff88809fbe5b40, ffff88809fbe5f40)
[ 56.956681][ T7576] The buggy address belongs to the page:
[ 56.962484][ T7576] page:ffffea00027ef900 count:1 mapcount:0 mapping:ffff88812c3f0ac0 index:0x0 compound_mapcount: 0
[ 56.973825][ T7576] flags: 0x1fffc0000010200(slab|head)
[ 56.979909][ T7576] raw: 01fffc0000010200 ffffea00027f7008 ffff88812c3f1848 ffff88812c3f0ac0
[ 56.988504][ T7576] raw: 0000000000000000 ffff88809fbe4040 0000000100000007 0000000000000000
[ 56.997513][ T7576] page dumped because: kasan: bad access detected
[ 57.004139][ T7576]
[ 57.006514][ T7576] Memory state around the buggy address:
[ 57.012163][ T7576]  ffff88809fbe5a80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 57.020504][ T7576]  ffff88809fbe5b00: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 57.028702][ T7576] >ffff88809fbe5b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 57.036841][ T7576]                                                              ^
[ 57.045060][ T7576]  ffff88809fbe5c00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 57.053241][ T7576]  ffff88809fbe5c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 57.061368][ T7576] ==================================================================
[ 57.069584][ T7576] Disabling lock debugging due to kernel taint
[ 57.078877][ T7576] Kernel panic - not syncing: panic_on_warn set ...
[ 57.085611][ T7576] CPU: 0 PID: 7576 Comm: syz-executor.0 Tainted: G B 5.0.0+ #61
[ 57.095174][ T7576] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 57.105281][ T7576] Call Trace:
[ 57.108645][ T7576]  dump_stack+0x172/0x1f0
[ 57.112981][ T7576]  panic+0x2cb/0x65c
[ 57.117242][ T7576]  ? __warn_printk+0xf3/0xf3
[ 57.121885][ T7576]  ? tipc_sk_filter_rcv+0x2166/0x34f0
[ 57.127272][ T7576]  ? preempt_schedule+0x4b/0x60
[ 57.132127][ T7576]  ? ___preempt_schedule+0x16/0x18
[ 57.137372][ T7576]  ? trace_hardirqs_on+0x5e/0x230
[ 57.142491][ T7576]  ? tipc_sk_filter_rcv+0x2166/0x34f0
[ 57.147854][ T7576]  end_report+0x47/0x4f
[ 57.152130][ T7576]  ? tipc_sk_filter_rcv+0x2166/0x34f0
[ 57.157965][ T7576]  kasan_report.cold+0xe/0x40
[ 57.162629][ T7576]  ? tipc_sk_filter_rcv+0x2166/0x34f0
[ 57.168047][ T7576]  __asan_report_load4_noabort+0x14/0x20
[ 57.173683][ T7576]  tipc_sk_filter_rcv+0x2166/0x34f0
[ 57.178877][ T7576]  ? debug_check_no_obj_freed+0x200/0x464
[ 57.184818][ T7576]  ? kasan_check_write+0x14/0x20
[ 57.189945][ T7576]  ? tipc_sk_overlimit2+0xa0/0xa0
[ 57.195211][ T7576]  ? __lock_acquire+0x548/0x3fb0
[ 57.200341][ T7576]  ? __release_sock+0xca/0x3a0
[ 57.205109][ T7576]  tipc_sk_backlog_rcv+0xeb/0x1e0
[ 57.210664][ T7576]  ? tipc_sk_mcast_rcv+0x1020/0x1020
[ 57.216090][ T7576]  ? __local_bh_enable_ip+0x15a/0x270
[ 57.221610][ T7576]  ? lockdep_hardirqs_on+0x418/0x5d0
[ 57.226893][ T7576]  ? __release_sock+0xca/0x3a0
[ 57.231792][ T7576]  ? trace_hardirqs_on+0x67/0x230
[ 57.237099][ T7576]  ? __release_sock+0xca/0x3a0
[ 57.241951][ T7576]  ? __local_bh_enable_ip+0x15a/0x270
[ 57.247755][ T7576]  __release_sock+0x12e/0x3a0
[ 57.252441][ T7576]  release_sock+0x59/0x1c0
[ 57.256923][ T7576]  tipc_setsockopt+0x496/0xb60
[ 57.261700][ T7576]  ? tipc_sk_finish_conn+0x640/0x640
[ 57.267070][ T7576]  ? apparmor_socket_setsockopt+0x22/0x30
[ 57.272960][ T7576]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 57.279329][ T7576]  ? security_socket_setsockopt+0x93/0xc0
[ 57.285124][ T7576]  __sys_setsockopt+0x180/0x280
[ 57.290125][ T7576]  ? kernel_accept+0x310/0x310
[ 57.294887][ T7576]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 57.300626][ T7576]  ? do_syscall_64+0x26/0x610
[ 57.305547][ T7576]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 57.311620][ T7576]  ? do_syscall_64+0x26/0x610
[ 57.316402][ T7576]  __x64_sys_setsockopt+0xbe/0x150
[ 57.321521][ T7576]  do_syscall_64+0x103/0x610
[ 57.326161][ T7576]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 57.332174][ T7576] RIP: 0033:0x458079
[ 57.336164][ T7576] Code: ad b8 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b8 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 57.356315][ T7576] RSP: 002b:00007f8d6a3dbc78 EFLAGS: 00000246 ORIG_RAX: 0000000000000036
[ 57.364776][ T7576] RAX: ffffffffffffffda RBX: 0000000000000005 RCX: 0000000000458079
[ 57.372872][ T7576] RDX: 0000000000000087 RSI: 000000000000010f RDI: 0000000000000006
[ 57.381060][ T7576] RBP: 000000000073bf00 R08: 0000000000000034 R09: 0000000000000000
[ 57.389043][ T7576] R10: 00000000200000c0 R11: 0000000000000246 R12: 00007f8d6a3dc6d4
[ 57.397171][ T7576] R13: 00000000004c619f R14: 00000000004db210 R15: 00000000ffffffff
[ 57.406781][ T7576] Kernel Offset: disabled
[ 57.411119][ T7576] Rebooting in 86400 seconds..