[....] Starting enhanced syslogd: rsyslogd[?25l[?1c7[ ok 8[?25h[?0c. [ 72.580916][ T27] audit: type=1800 audit(1584592092.849:25): pid=9439 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="cron" dev="sda1" ino=2414 res=0 [ 72.615789][ T27] audit: type=1800 audit(1584592092.849:26): pid=9439 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0 [ 72.655803][ T27] audit: type=1800 audit(1584592092.849:27): pid=9439 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0 [....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[ ok 8[?25h[?0c. Debian GNU/Linux 7 syzkaller ttyS0 Warning: Permanently added '10.128.1.25' (ECDSA) to the list of known hosts. executing program syzkaller login: [ 81.006462][ T9598] IPVS: ftp: loaded support on port[0] = 21 [ 81.039625][ T9599] ================================================================== [ 81.048138][ T9599] BUG: KASAN: use-after-free in tcindex_set_parms+0x17fd/0x1a00 [ 81.055918][ T9599] Write of size 16 at addr ffff8880a6d2ac30 by task syz-executor965/9599 [ 81.064315][ T9599] [ 81.066653][ T9599] CPU: 0 PID: 9599 Comm: syz-executor965 Not tainted 5.6.0-rc6-syzkaller #0 [ 81.075325][ T9599] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 81.085546][ T9599] Call Trace: [ 81.088833][ T9599] dump_stack+0x188/0x20d [ 81.093235][ T9599] ? tcindex_set_parms+0x17fd/0x1a00 [ 81.098539][ T9599] ? tcindex_set_parms+0x17fd/0x1a00 [ 81.103965][ T9599] print_address_description.constprop.0.cold+0xd3/0x315 [ 81.111068][ T9599] ? tcindex_set_parms+0x17fd/0x1a00 [ 81.116348][ T9599] ? tcindex_set_parms+0x17fd/0x1a00 [ 81.121629][ T9599] __kasan_report.cold+0x1a/0x32 [ 81.126557][ T9599] ? tcindex_set_parms+0x17fd/0x1a00 [ 81.131829][ T9599] kasan_report+0xe/0x20 [ 81.136075][ T9599] tcindex_set_parms+0x17fd/0x1a00 [ 81.141210][ T9599] ? tcindex_alloc_perfect_hash+0x320/0x320 [ 81.147109][ T9599] ? mark_held_locks+0xe0/0xe0 [ 81.151877][ T9599] ? nla_memcpy+0xa0/0xa0 [ 81.156372][ T9599] ? tcindex_change+0x203/0x2e0 [ 81.161203][ T9599] tcindex_change+0x203/0x2e0 [ 81.165877][ T9599] ? tcindex_set_parms+0x1a00/0x1a00 [ 81.171360][ T9599] tc_new_tfilter+0xa59/0x20b0 [ 81.176113][ T9599] ? tcindex_set_parms+0x1a00/0x1a00 [ 81.181463][ T9599] ? tc_del_tfilter+0x1430/0x1430 [ 81.186551][ T9599] ? __lock_acquire+0x80b/0x3ca0 [ 81.191548][ T9599] ? apparmor_capable+0x454/0x8a0 [ 81.196595][ T9599] ? rcu_read_lock_held+0x9c/0xb0 [ 81.201618][ T9599] ? tc_del_tfilter+0x1430/0x1430 [ 81.206626][ T9599] rtnetlink_rcv_msg+0x810/0xad0 [ 81.211724][ T9599] ? rtnl_bridge_getlink+0x880/0x880 [ 81.217019][ T9599] ? mark_held_locks+0xe0/0xe0 [ 81.222061][ T9599] ? netlink_deliver_tap+0x146/0xb50 [ 81.227366][ T9599] netlink_rcv_skb+0x15a/0x410 [ 81.232137][ T9599] ? rtnl_bridge_getlink+0x880/0x880 [ 81.237423][ T9599] ? netlink_ack+0xa80/0xa80 [ 81.242102][ T9599] netlink_unicast+0x537/0x740 [ 81.246961][ T9599] ? netlink_attachskb+0x810/0x810 [ 81.252279][ T9599] ? _copy_from_iter_full+0x25c/0x870 [ 81.257676][ T9599] ? __phys_addr_symbol+0x2c/0x70 [ 81.263037][ T9599] ? __check_object_size+0x171/0x437 [ 81.268324][ T9599] netlink_sendmsg+0x882/0xe10 [ 81.273079][ T9599] ? aa_af_perm+0x260/0x260 [ 81.277609][ T9599] ? netlink_unicast+0x740/0x740 [ 81.282549][ T9599] ? netlink_unicast+0x740/0x740 [ 81.287520][ T9599] sock_sendmsg+0xcf/0x120 [ 81.291937][ T9599] ____sys_sendmsg+0x6b9/0x7d0 [ 81.296704][ T9599] ? kernel_sendmsg+0x50/0x50 [ 81.301385][ T9599] ? rcu_read_lock_sched_held+0x9c/0xd0 [ 81.306915][ T9599] ? rcu_read_lock_any_held.part.0+0x50/0x50 [ 81.312973][ T9599] ___sys_sendmsg+0x100/0x170 [ 81.317641][ T9599] ? sendmsg_copy_msghdr+0x70/0x70 [ 81.322749][ T9599] ? lock_downgrade+0x7f0/0x7f0 [ 81.327598][ T9599] ? lock_acquire+0x197/0x420 [ 81.332349][ T9599] ? __might_fault+0xef/0x1d0 [ 81.337025][ T9599] ? __might_fault+0x190/0x1d0 [ 81.341777][ T9599] ? _copy_to_user+0x107/0x150 [ 81.346527][ T9599] ? move_addr_to_user+0xb3/0x200 [ 81.351536][ T9599] ? __fget_light+0x1a5/0x270 [ 81.356206][ T9599] __sys_sendmsg+0xec/0x1b0 [ 81.360708][ T9599] ? __sys_sendmsg_sock+0xb0/0xb0 [ 81.365736][ T9599] ? mark_held_locks+0x9f/0xe0 [ 81.370508][ T9599] ? trace_hardirqs_off_caller+0x55/0x230 [ 81.376361][ T9599] ? do_syscall_64+0x21/0x7d0 [ 81.381147][ T9599] do_syscall_64+0xf6/0x7d0 [ 81.385713][ T9599] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 81.391600][ T9599] RIP: 0033:0x4416f9 [ 81.395622][ T9599] Code: e8 5c ad 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 3b 0a fc ff c3 66 2e 0f 1f 84 00 00 00 00 [ 81.415471][ T9599] RSP: 002b:00007ffc859d4398 EFLAGS: 00000246 ORIG_RAX: 000000000000002e [ 81.423877][ T9599] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00000000004416f9 [ 81.431946][ T9599] RDX: 0000000000000000 RSI: 00000000200001c0 RDI: 0000000000000003 [ 81.439915][ T9599] RBP: 00007ffc859d43a0 R08: 0000000120080522 R09: 0000000120080522 [ 81.447893][ T9599] R10: 0000000120080522 R11: 0000000000000246 R12: 00000000004a2a30 [ 81.455849][ T9599] R13: 0000000000402650 R14: 0000000000000000 R15: 0000000000000000 [ 81.463993][ T9599] [ 81.466399][ T9599] Allocated by task 1361: [ 81.470718][ T9599] save_stack+0x1b/0x80 [ 81.474853][ T9599] __kasan_kmalloc.constprop.0+0xbf/0xd0 [ 81.480569][ T9599] kmem_cache_alloc_trace+0x153/0x7d0 [ 81.486218][ T9599] kthread+0x96/0x430 [ 81.490201][ T9599] ret_from_fork+0x24/0x30 [ 81.494593][ T9599] [ 81.496900][ T9599] Freed by task 1: [ 81.500614][ T9599] save_stack+0x1b/0x80 [ 81.504750][ T9599] __kasan_slab_free+0xf7/0x140 [ 81.509581][ T9599] kfree+0x109/0x2b0 [ 81.513496][ T9599] free_task+0xe3/0x110 [ 81.518070][ T9599] __put_task_struct+0x22d/0x520 [ 81.523003][ T9599] delayed_put_task_struct+0x248/0x3b0 [ 81.528631][ T9599] rcu_core+0x5a4/0x12d0 [ 81.532896][ T9599] __do_softirq+0x26c/0x99d [ 81.537376][ T9599] [ 81.539690][ T9599] The buggy address belongs to the object at ffff8880a6d2ac00 [ 81.539690][ T9599] which belongs to the cache kmalloc-192 of size 192 [ 81.554016][ T9599] The buggy address is located 48 bytes inside of [ 81.554016][ T9599] 192-byte region [ffff8880a6d2ac00, ffff8880a6d2acc0) [ 81.567449][ T9599] The buggy address belongs to the page: [ 81.573069][ T9599] page:ffffea00029b4a80 refcount:1 mapcount:0 mapping:ffff8880aa000000 index:0x0 [ 81.582169][ T9599] flags: 0xfffe0000000200(slab) [ 81.587227][ T9599] raw: 00fffe0000000200 ffffea00029a6c48 ffffea00029972c8 ffff8880aa000000 [ 81.596257][ T9599] raw: 0000000000000000 ffff8880a6d2a000 0000000100000010 0000000000000000 [ 81.605032][ T9599] page dumped because: kasan: bad access detected [ 81.611470][ T9599] [ 81.613792][ T9599] Memory state around the buggy address: [ 81.619415][ T9599] ffff8880a6d2ab00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 81.627728][ T9599] ffff8880a6d2ab80: 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 81.636491][ T9599] >ffff8880a6d2ac00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 81.644555][ T9599] ^ [ 81.650169][ T9599] ffff8880a6d2ac80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 81.658474][ T9599] ffff8880a6d2ad00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 81.666513][ T9599] ================================================================== [ 81.674979][ T9599] Disabling lock debugging due to kernel taint [ 81.682086][ T9599] Kernel panic - not syncing: panic_on_warn set ... [ 81.688709][ T9599] CPU: 0 PID: 9599 Comm: syz-executor965 Tainted: G B 5.6.0-rc6-syzkaller #0 [ 81.699644][ T9599] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 81.709684][ T9599] Call Trace: [ 81.712982][ T9599] dump_stack+0x188/0x20d [ 81.717303][ T9599] panic+0x2e3/0x75c [ 81.721186][ T9599] ? add_taint.cold+0x16/0x16 [ 81.725880][ T9599] ? preempt_schedule_common+0x5e/0xc0 [ 81.731328][ T9599] ? tcindex_set_parms+0x17fd/0x1a00 [ 81.736668][ T9599] ? ___preempt_schedule+0x16/0x18 [ 81.741786][ T9599] ? trace_hardirqs_on+0x55/0x220 [ 81.746806][ T9599] ? tcindex_set_parms+0x17fd/0x1a00 [ 81.752319][ T9599] end_report+0x43/0x49 [ 81.756472][ T9599] ? tcindex_set_parms+0x17fd/0x1a00 [ 81.761748][ T9599] __kasan_report.cold+0xd/0x32 [ 81.766612][ T9599] ? tcindex_set_parms+0x17fd/0x1a00 [ 81.771982][ T9599] kasan_report+0xe/0x20 [ 81.776221][ T9599] tcindex_set_parms+0x17fd/0x1a00 [ 81.781321][ T9599] ? tcindex_alloc_perfect_hash+0x320/0x320 [ 81.787214][ T9599] ? mark_held_locks+0xe0/0xe0 [ 81.791989][ T9599] ? nla_memcpy+0xa0/0xa0 [ 81.796321][ T9599] ? tcindex_change+0x203/0x2e0 [ 81.801167][ T9599] tcindex_change+0x203/0x2e0 [ 81.806662][ T9599] ? tcindex_set_parms+0x1a00/0x1a00 [ 81.812088][ T9599] tc_new_tfilter+0xa59/0x20b0 [ 81.816868][ T9599] ? tcindex_set_parms+0x1a00/0x1a00 [ 81.822263][ T9599] ? tc_del_tfilter+0x1430/0x1430 [ 81.827289][ T9599] ? __lock_acquire+0x80b/0x3ca0 [ 81.832282][ T9599] ? apparmor_capable+0x454/0x8a0 [ 81.837313][ T9599] ? rcu_read_lock_held+0x9c/0xb0 [ 81.842333][ T9599] ? tc_del_tfilter+0x1430/0x1430 [ 81.847583][ T9599] rtnetlink_rcv_msg+0x810/0xad0 [ 81.852511][ T9599] ? rtnl_bridge_getlink+0x880/0x880 [ 81.857884][ T9599] ? mark_held_locks+0xe0/0xe0 [ 81.862756][ T9599] ? netlink_deliver_tap+0x146/0xb50 [ 81.868041][ T9599] netlink_rcv_skb+0x15a/0x410 [ 81.872801][ T9599] ? rtnl_bridge_getlink+0x880/0x880 [ 81.878213][ T9599] ? netlink_ack+0xa80/0xa80 [ 81.882796][ T9599] netlink_unicast+0x537/0x740 [ 81.887560][ T9599] ? netlink_attachskb+0x810/0x810 [ 81.892680][ T9599] ? _copy_from_iter_full+0x25c/0x870 [ 81.898054][ T9599] ? __phys_addr_symbol+0x2c/0x70 [ 81.903104][ T9599] ? __check_object_size+0x171/0x437 [ 81.908549][ T9599] netlink_sendmsg+0x882/0xe10 [ 81.913305][ T9599] ? aa_af_perm+0x260/0x260 [ 81.917802][ T9599] ? netlink_unicast+0x740/0x740 [ 81.922879][ T9599] ? netlink_unicast+0x740/0x740 [ 81.927818][ T9599] sock_sendmsg+0xcf/0x120 [ 81.932238][ T9599] ____sys_sendmsg+0x6b9/0x7d0 [ 81.937009][ T9599] ? kernel_sendmsg+0x50/0x50 [ 81.941678][ T9599] ? rcu_read_lock_sched_held+0x9c/0xd0 [ 81.947223][ T9599] ? rcu_read_lock_any_held.part.0+0x50/0x50 [ 81.953479][ T9599] ___sys_sendmsg+0x100/0x170 [ 81.958151][ T9599] ? sendmsg_copy_msghdr+0x70/0x70 [ 81.963262][ T9599] ? lock_downgrade+0x7f0/0x7f0 [ 81.968202][ T9599] ? lock_acquire+0x197/0x420 [ 81.972882][ T9599] ? __might_fault+0xef/0x1d0 [ 81.977689][ T9599] ? __might_fault+0x190/0x1d0 [ 81.982443][ T9599] ? _copy_to_user+0x107/0x150 [ 81.987327][ T9599] ? move_addr_to_user+0xb3/0x200 [ 81.992364][ T9599] ? __fget_light+0x1a5/0x270 [ 81.997056][ T9599] __sys_sendmsg+0xec/0x1b0 [ 82.001670][ T9599] ? __sys_sendmsg_sock+0xb0/0xb0 [ 82.006743][ T9599] ? mark_held_locks+0x9f/0xe0 [ 82.011508][ T9599] ? trace_hardirqs_off_caller+0x55/0x230 [ 82.017257][ T9599] ? do_syscall_64+0x21/0x7d0 [ 82.021941][ T9599] do_syscall_64+0xf6/0x7d0 [ 82.026618][ T9599] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 82.032598][ T9599] RIP: 0033:0x4416f9 [ 82.036479][ T9599] Code: e8 5c ad 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 3b 0a fc ff c3 66 2e 0f 1f 84 00 00 00 00 [ 82.056239][ T9599] RSP: 002b:00007ffc859d4398 EFLAGS: 00000246 ORIG_RAX: 000000000000002e [ 82.064828][ T9599] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00000000004416f9 [ 82.073142][ T9599] RDX: 0000000000000000 RSI: 00000000200001c0 RDI: 0000000000000003 [ 82.081323][ T9599] RBP: 00007ffc859d43a0 R08: 0000000120080522 R09: 0000000120080522 [ 82.089566][ T9599] R10: 0000000120080522 R11: 0000000000000246 R12: 00000000004a2a30 [ 82.097706][ T9599] R13: 0000000000402650 R14: 0000000000000000 R15: 0000000000000000 [ 82.107541][ T9599] Kernel Offset: disabled [ 82.111892][ T9599] Rebooting in 86400 seconds..