[....] Starting enhanced syslogd: rsyslogd[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[   37.160925][   T26] audit: type=1800 audit(1553077809.023:25): pid=7675 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="cron" dev="sda1" ino=2414 res=0
[   37.189368][   T26] audit: type=1800 audit(1553077809.023:26): pid=7675 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0
[   37.224681][   T26] audit: type=1800 audit(1553077809.023:27): pid=7675 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0
[....] Starting periodic command scheduler: cron[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.15.199' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [   49.434834][  T116] ==================================================================
[   49.443108][  T116] BUG: KASAN: use-after-free in tipc_sk_filter_rcv+0x2166/0x34f0
[   49.450854][  T116] Read of size 4 at addr ffff8880907ca9b4 by task kworker/u4:3/116
[   49.458741][  T116] 
[   49.461083][  T116] CPU: 1 PID: 116 Comm: kworker/u4:3 Not tainted 5.1.0-rc1-next-20190320 #7
[   49.469760][  T116] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   49.479845][  T116] Workqueue: tipc_send tipc_conn_send_work
[   49.485653][  T116] Call Trace:
[   49.488963][  T116]  dump_stack+0x172/0x1f0
[   49.493327][  T116]  ? tipc_sk_filter_rcv+0x2166/0x34f0
[   49.498715][  T116]  print_address_description.cold+0x7c/0x20d
[   49.504709][  T116]  ? tipc_sk_filter_rcv+0x2166/0x34f0
[   49.510098][  T116]  ? tipc_sk_filter_rcv+0x2166/0x34f0
[   49.515489][  T116]  kasan_report.cold+0x1b/0x40
[   49.520272][  T116]  ? tipc_sk_filter_rcv+0x2166/0x34f0
[   49.525655][  T116]  __asan_report_load4_noabort+0x14/0x20
[   49.531306][  T116]  tipc_sk_filter_rcv+0x2166/0x34f0
[   49.536531][  T116]  ? tipc_sk_overlimit2+0xa0/0xa0
[   49.541577][  T116]  ? __local_bh_enable_ip+0x15a/0x270
[   49.546964][  T116]  ? lockdep_hardirqs_on+0x19e/0x5d0
[   49.552260][  T116]  ? tipc_sk_rcv+0x562/0x25a0
[   49.556972][  T116]  ? __local_bh_enable_ip+0x15a/0x270
[   49.562360][  T116]  tipc_sk_rcv+0xc45/0x25a0
[   49.566878][  T116]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   49.573141][  T116]  ? tipc_sk_filter_rcv+0x34f0/0x34f0
[   49.578525][  T116]  ? __alloc_skb+0x3cd/0x5e0
[   49.583137][  T116]  ? skb_trim+0x190/0x190
[   49.587534][  T116]  ? memset+0x32/0x40
[   49.591530][  T116]  ? tipc_msg_init+0x190/0x1d0
[   49.596303][  T116]  ? lockdep_init_map+0x1be/0x6d0
[   49.601344][  T116]  tipc_topsrv_kern_evt+0x3b7/0x580
[   49.606555][  T116]  ? tipc_conn_recv_work+0x100/0x100
[   49.611934][  T116]  ? __local_bh_enable_ip+0x15a/0x270
[   49.617322][  T116]  ? tipc_conn_send_to_sock+0x389/0x5f0
[   49.622887][  T116]  tipc_conn_send_to_sock+0x43e/0x5f0
[   49.628289][  T116]  ? tipc_topsrv_kern_evt+0x580/0x580
[   49.633685][  T116]  tipc_conn_send_work+0x65/0x80
[   49.638631][  T116]  process_one_work+0x98e/0x1790
[   49.643607][  T116]  ? pwq_dec_nr_in_flight+0x320/0x320
[   49.648990][  T116]  ? lock_acquire+0x16f/0x3f0
[   49.653689][  T116]  worker_thread+0x98/0xe40
[   49.658208][  T116]  kthread+0x357/0x430
[   49.662284][  T116]  ? process_one_work+0x1790/0x1790
[   49.667489][  T116]  ? kthread_cancel_delayed_work_sync+0x20/0x20
[   49.673740][  T116]  ret_from_fork+0x3a/0x50
[   49.678170][  T116] 
[   49.680493][  T116] Allocated by task 116:
[   49.684753][  T116]  save_stack+0x45/0xd0
[   49.688915][  T116]  __kasan_kmalloc.constprop.0+0xcf/0xe0
[   49.694810][  T116]  kasan_kmalloc+0x9/0x10
[   49.699168][  T116]  __kmalloc_node_track_caller+0x4e/0x70
[   49.704810][  T116]  __kmalloc_reserve.isra.0+0x40/0xf0
[   49.710186][  T116]  __alloc_skb+0x10b/0x5e0
[   49.714611][  T116]  tipc_buf_acquire+0x2f/0x100
[   49.719375][  T116]  tipc_msg_create+0x38/0x270
[   49.724054][  T116]  tipc_topsrv_kern_evt+0x2a7/0x580
[   49.729254][  T116]  tipc_conn_send_to_sock+0x43e/0x5f0
[   49.734625][  T116]  tipc_conn_send_work+0x65/0x80
[   49.739563][  T116]  process_one_work+0x98e/0x1790
[   49.744497][  T116]  worker_thread+0x98/0xe40
[   49.748994][  T116]  kthread+0x357/0x430
[   49.753062][  T116]  ret_from_fork+0x3a/0x50
[   49.757469][  T116] 
[   49.759797][  T116] Freed by task 116:
[   49.763694][  T116]  save_stack+0x45/0xd0
[   49.767849][  T116]  __kasan_slab_free+0x102/0x150
[   49.772793][  T116]  kasan_slab_free+0xe/0x10
[   49.777318][  T116]  kfree+0xcf/0x230
[   49.781123][  T116]  skb_free_head+0x93/0xb0
[   49.785550][  T116]  skb_release_data+0x576/0x7a0
[   49.790395][  T116]  skb_release_all+0x4d/0x60
[   49.794982][  T116]  kfree_skb+0xe8/0x390
[   49.799142][  T116]  tipc_sk_filter_rcv+0x1e6a/0x34f0
[   49.804340][  T116]  tipc_sk_rcv+0xc45/0x25a0
[   49.808843][  T116]  tipc_topsrv_kern_evt+0x3b7/0x580
[   49.814039][  T116]  tipc_conn_send_to_sock+0x43e/0x5f0
[   49.819413][  T116]  tipc_conn_send_work+0x65/0x80
[   49.824356][  T116]  process_one_work+0x98e/0x1790
[   49.829331][  T116]  worker_thread+0x98/0xe40
[   49.833829][  T116]  kthread+0x357/0x430
[   49.837891][  T116]  ret_from_fork+0x3a/0x50
[   49.842288][  T116] 
[   49.844630][  T116] The buggy address belongs to the object at ffff8880907ca900
[   49.844630][  T116]  which belongs to the cache kmalloc-1k of size 1024
[   49.859061][  T116] The buggy address is located 180 bytes inside of
[   49.859061][  T116]  1024-byte region [ffff8880907ca900, ffff8880907cad00)
[   49.872414][  T116] The buggy address belongs to the page:
[   49.878058][  T116] page:ffffea000241f280 count:1 mapcount:0 mapping:ffff88812c3f0ac0 index:0x0 compound_mapcount: 0
[   49.888740][  T116] flags: 0x1fffc0000010200(slab|head)
[   49.894133][  T116] raw: 01fffc0000010200 ffffea0002a53088 ffff88812c3f1848 ffff88812c3f0ac0
[   49.902747][  T116] raw: 0000000000000000 ffff8880907ca000 0000000100000007 0000000000000000
[   49.911331][  T116] page dumped because: kasan: bad access detected
[   49.917745][  T116] 
[   49.920093][  T116] Memory state around the buggy address:
[   49.925758][  T116]  ffff8880907ca880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   49.933821][  T116]  ffff8880907ca900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   49.941888][  T116] >ffff8880907ca980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   49.949946][  T116]                                      ^
[   49.955677][  T116]  ffff8880907caa00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   49.963868][  T116]  ffff8880907caa80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   49.971928][  T116] ==================================================================
[   49.979984][  T116] Disabling lock debugging due to kernel taint
[   49.986195][  T116] Kernel panic - not syncing: panic_on_warn set ...
[   49.992792][  T116] CPU: 1 PID: 116 Comm: kworker/u4:3 Tainted: G    B             5.1.0-rc1-next-20190320 #7
[   50.002842][  T116] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   50.012917][  T116] Workqueue: tipc_send tipc_conn_send_work
[   50.018716][  T116] Call Trace:
[   50.022004][  T116]  dump_stack+0x172/0x1f0
[   50.026334][  T116]  panic+0x2cb/0x65c
[   50.030228][  T116]  ? __warn_printk+0xf3/0xf3
[   50.034818][  T116]  ? trace_hardirqs_on+0x5e/0x230
[   50.039842][  T116]  ? trace_hardirqs_on+0x5e/0x230
[   50.044875][  T116]  ? tipc_sk_filter_rcv+0x2166/0x34f0
[   50.050242][  T116]  end_report+0x47/0x4f
[   50.054396][  T116]  ? tipc_sk_filter_rcv+0x2166/0x34f0
[   50.059773][  T116]  kasan_report.cold+0xe/0x40
[   50.064453][  T116]  ? tipc_sk_filter_rcv+0x2166/0x34f0
[   50.069836][  T116]  __asan_report_load4_noabort+0x14/0x20
[   50.075525][  T116]  tipc_sk_filter_rcv+0x2166/0x34f0
[   50.080727][  T116]  ? tipc_sk_overlimit2+0xa0/0xa0
[   50.085755][  T116]  ? __local_bh_enable_ip+0x15a/0x270
[   50.091135][  T116]  ? lockdep_hardirqs_on+0x19e/0x5d0
[   50.096420][  T116]  ? tipc_sk_rcv+0x562/0x25a0
[   50.101097][  T116]  ? __local_bh_enable_ip+0x15a/0x270
[   50.106481][  T116]  tipc_sk_rcv+0xc45/0x25a0
[   50.111006][  T116]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   50.117304][  T116]  ? tipc_sk_filter_rcv+0x34f0/0x34f0
[   50.122671][  T116]  ? __alloc_skb+0x3cd/0x5e0
[   50.127256][  T116]  ? skb_trim+0x190/0x190
[   50.131580][  T116]  ? memset+0x32/0x40
[   50.135557][  T116]  ? tipc_msg_init+0x190/0x1d0
[   50.140317][  T116]  ? lockdep_init_map+0x1be/0x6d0
[   50.145351][  T116]  tipc_topsrv_kern_evt+0x3b7/0x580
[   50.150560][  T116]  ? tipc_conn_recv_work+0x100/0x100
[   50.155850][  T116]  ? __local_bh_enable_ip+0x15a/0x270
[   50.161246][  T116]  ? tipc_conn_send_to_sock+0x389/0x5f0
[   50.166821][  T116]  tipc_conn_send_to_sock+0x43e/0x5f0
[   50.172205][  T116]  ? tipc_topsrv_kern_evt+0x580/0x580
[   50.177596][  T116]  tipc_conn_send_work+0x65/0x80
[   50.182629][  T116]  process_one_work+0x98e/0x1790
[   50.187596][  T116]  ? pwq_dec_nr_in_flight+0x320/0x320
[   50.192972][  T116]  ? lock_acquire+0x16f/0x3f0
[   50.197656][  T116]  worker_thread+0x98/0xe40
[   50.202169][  T116]  kthread+0x357/0x430
[   50.206239][  T116]  ? process_one_work+0x1790/0x1790
[   50.211436][  T116]  ? kthread_cancel_delayed_work_sync+0x20/0x20
[   50.217687][  T116]  ret_from_fork+0x3a/0x50
[   50.222887][  T116] Kernel Offset: disabled
[   50.227211][  T116] Rebooting in 86400 seconds..