[ 69.751887][ T27] audit: type=1800 audit(1583953112.881:24): pid=9708 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="sudo" dev="sda1" ino=2454 res=0
[ ok ] Starting enhanced syslogd: rsyslogd.
[ 70.509945][ T27] audit: type=1800 audit(1583953113.811:25): pid=9708 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="cron" dev="sda1" ino=2414 res=0
[ 70.530107][ T27] audit: type=1800 audit(1583953113.811:26): pid=9708 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.1.4' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 80.590306][ T9863] IPVS: ftp: loaded support on port[0] = 21
[ 80.624692][ T9864] ==================================================================
[ 80.632962][ T9864] BUG: KASAN: use-after-free in tcindex_set_parms+0x17fd/0x1a00
[ 80.640592][ T9864] Write of size 16 at addr ffff8880a41d9f30 by task syz-executor553/9864
[ 80.649098][ T9864]
[ 80.651449][ T9864] CPU: 0 PID: 9864 Comm: syz-executor553 Not tainted 5.6.0-rc3-syzkaller #0
[ 80.660127][ T9864] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 80.670173][ T9864] Call Trace:
[ 80.673460][ T9864]  dump_stack+0x188/0x20d
[ 80.677809][ T9864]  ? tcindex_set_parms+0x17fd/0x1a00
[ 80.683112][ T9864]  ? tcindex_set_parms+0x17fd/0x1a00
[ 80.688405][ T9864]  print_address_description.constprop.0.cold+0xd3/0x315
[ 80.695420][ T9864]  ? tcindex_set_parms+0x17fd/0x1a00
[ 80.700717][ T9864]  ? tcindex_set_parms+0x17fd/0x1a00
[ 80.706011][ T9864]  __kasan_report.cold+0x1a/0x32
[ 80.710947][ T9864]  ? tcindex_set_parms+0x17fd/0x1a00
[ 80.716257][ T9864]  kasan_report+0xe/0x20
[ 80.720528][ T9864]  tcindex_set_parms+0x17fd/0x1a00
[ 80.725660][ T9864]  ? tcindex_alloc_perfect_hash+0x320/0x320
[ 80.731557][ T9864]  ? mark_held_locks+0xe0/0xe0
[ 80.736417][ T9864]  ? nla_memcpy+0xa0/0xa0
[ 80.740761][ T9864]  ? tcindex_change+0x203/0x2e0
[ 80.745635][ T9864]  tcindex_change+0x203/0x2e0
[ 80.750321][ T9864]  ? tcindex_set_parms+0x1a00/0x1a00
[ 80.755627][ T9864]  tc_new_tfilter+0xa59/0x20b0
[ 80.760407][ T9864]  ? tcindex_set_parms+0x1a00/0x1a00
[ 80.765707][ T9864]  ? tc_del_tfilter+0x1430/0x1430
[ 80.770728][ T9864]  ? __lock_acquire+0x80b/0x3ca0
[ 80.775667][ T9864]  ? apparmor_capable+0x454/0x8a0
[ 80.780700][ T9864]  ? rcu_read_lock_held+0x9c/0xb0
[ 80.785735][ T9864]  ? tc_del_tfilter+0x1430/0x1430
[ 80.790774][ T9864]  rtnetlink_rcv_msg+0x810/0xad0
[ 80.795717][ T9864]  ? rtnl_bridge_getlink+0x880/0x880
[ 80.801065][ T9864]  ? mark_held_locks+0xe0/0xe0
[ 80.805863][ T9864]  ? netlink_deliver_tap+0x146/0xb50
[ 80.811160][ T9864]  netlink_rcv_skb+0x15a/0x410
[ 80.815924][ T9864]  ? rtnl_bridge_getlink+0x880/0x880
[ 80.822080][ T9864]  ? netlink_ack+0xa80/0xa80
[ 80.826686][ T9864]  netlink_unicast+0x537/0x740
[ 80.831514][ T9864]  ? netlink_attachskb+0x810/0x810
[ 80.836618][ T9864]  ? _copy_from_iter_full+0x25c/0x870
[ 80.841986][ T9864]  ? __phys_addr_symbol+0x2c/0x70
[ 80.847001][ T9864]  ? __check_object_size+0x171/0x437
[ 80.852281][ T9864]  netlink_sendmsg+0x882/0xe10
[ 80.857044][ T9864]  ? aa_af_perm+0x260/0x260
[ 80.861542][ T9864]  ? netlink_unicast+0x740/0x740
[ 80.866479][ T9864]  ? netlink_unicast+0x740/0x740
[ 80.871409][ T9864]  sock_sendmsg+0xcf/0x120
[ 80.875830][ T9864]  ____sys_sendmsg+0x6b9/0x7d0
[ 80.880591][ T9864]  ? kernel_sendmsg+0x50/0x50
[ 80.885283][ T9864]  ? rcu_read_lock_sched_held+0x9c/0xd0
[ 80.890835][ T9864]  ? rcu_read_lock_any_held.part.0+0x50/0x50
[ 80.896856][ T9864]  ___sys_sendmsg+0x100/0x170
[ 80.901576][ T9864]  ? sendmsg_copy_msghdr+0x70/0x70
[ 80.906690][ T9864]  ? lock_downgrade+0x7f0/0x7f0
[ 80.911534][ T9864]  ? lock_acquire+0x197/0x420
[ 80.916206][ T9864]  ? __might_fault+0xef/0x1d0
[ 80.920908][ T9864]  ? __might_fault+0x190/0x1d0
[ 80.925695][ T9864]  ? _copy_to_user+0x107/0x150
[ 80.930467][ T9864]  ? move_addr_to_user+0xb3/0x200
[ 80.935488][ T9864]  ? __fget_light+0x1a5/0x270
[ 80.940166][ T9864]  __sys_sendmsg+0xec/0x1b0
[ 80.944663][ T9864]  ? __sys_sendmsg_sock+0xb0/0xb0
[ 80.949703][ T9864]  ? mark_held_locks+0x9f/0xe0
[ 80.954488][ T9864]  ? trace_hardirqs_off_caller+0x55/0x230
[ 80.960223][ T9864]  ? do_syscall_64+0x21/0x790
[ 80.964920][ T9864]  do_syscall_64+0xf6/0x790
[ 80.969448][ T9864]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 80.975371][ T9864] RIP: 0033:0x4416f9
[ 80.979269][ T9864] Code: e8 5c ad 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 3b 0a fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 80.998908][ T9864] RSP: 002b:00007fff4044db28 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 81.007347][ T9864] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00000000004416f9
[ 81.015345][ T9864] RDX: 0000000000000000 RSI: 00000000200001c0 RDI: 0000000000000003
[ 81.023323][ T9864] RBP: 00007fff4044db30 R08: 0000000120080522 R09: 0000000120080522
[ 81.031285][ T9864] R10: 0000000120080522 R11: 0000000000000246 R12: 00000000004a2a30
[ 81.039281][ T9864] R13: 0000000000402650 R14: 0000000000000000 R15: 0000000000000000
[ 81.047268][ T9864]
[ 81.049607][ T9864] Allocated by task 1:
[ 81.053678][ T9864]  save_stack+0x1b/0x80
[ 81.057826][ T9864]  __kasan_kmalloc.constprop.0+0xbf/0xd0
[ 81.063450][ T9864]  kmem_cache_alloc_trace+0x153/0x7d0
[ 81.068824][ T9864]  call_usermodehelper_setup+0x98/0x300
[ 81.074377][ T9864]  __request_module+0x456/0xbab
[ 81.079236][ T9864]  crypto_probing_notify+0x57/0x80
[ 81.084337][ T9864]  crypto_wait_for_test+0xaa/0xe0
[ 81.089355][ T9864]  crypto_register_alg+0xa6/0xd0
[ 81.094284][ T9864]  crypto_register_shash+0x32/0x50
[ 81.099416][ T9864]  crypto_register_shashes+0x58/0xd0
[ 81.104719][ T9864]  blake2s_mod_init+0x21b/0x22a
[ 81.109563][ T9864]
[ 81.111934][ T9864] Freed by task 1:
[ 81.115672][ T9864]  save_stack+0x1b/0x80
[ 81.119816][ T9864]  __kasan_slab_free+0xf7/0x140
[ 81.124698][ T9864]  kfree+0x109/0x2b0
[ 81.128642][ T9864]  call_usermodehelper_exec+0x242/0x4d0
[ 81.134204][ T9864]  __request_module+0x475/0xbab
[ 81.139071][ T9864]  crypto_probing_notify+0x57/0x80
[ 81.144195][ T9864]  crypto_wait_for_test+0xaa/0xe0
[ 81.149216][ T9864]  crypto_register_alg+0xa6/0xd0
[ 81.154153][ T9864]  crypto_register_shash+0x32/0x50
[ 81.159298][ T9864]  crypto_register_shashes+0x58/0xd0
[ 81.164600][ T9864]  blake2s_mod_init+0x21b/0x22a
[ 81.169436][ T9864]
[ 81.171755][ T9864] The buggy address belongs to the object at ffff8880a41d9f00
[ 81.171755][ T9864]  which belongs to the cache kmalloc-192 of size 192
[ 81.185794][ T9864] The buggy address is located 48 bytes inside of
[ 81.185794][ T9864]  192-byte region [ffff8880a41d9f00, ffff8880a41d9fc0)
[ 81.198975][ T9864] The buggy address belongs to the page:
[ 81.204610][ T9864] page:ffffea0002907640 refcount:1 mapcount:0 mapping:ffff8880aa000000 index:0xffff8880a41d9600
[ 81.215081][ T9864] flags: 0xfffe0000000200(slab)
[ 81.219943][ T9864] raw: 00fffe0000000200 ffffea000290cf48 ffff8880aa001138 ffff8880aa000000
[ 81.228579][ T9864] raw: ffff8880a41d9600 ffff8880a41d9000 000000010000000c 0000000000000000
[ 81.237151][ T9864] page dumped because: kasan: bad access detected
[ 81.243589][ T9864]
[ 81.245901][ T9864] Memory state around the buggy address:
[ 81.251523][ T9864]  ffff8880a41d9e00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 81.259638][ T9864]  ffff8880a41d9e80: 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 81.267710][ T9864] >ffff8880a41d9f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 81.275854][ T9864]                                      ^
[ 81.281494][ T9864]  ffff8880a41d9f80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 81.289564][ T9864]  ffff8880a41da000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 81.297618][ T9864] ==================================================================
[ 81.305671][ T9864] Disabling lock debugging due to kernel taint
[ 81.313749][ T9864] Kernel panic - not syncing: panic_on_warn set ...
[ 81.320341][ T9864] CPU: 0 PID: 9864 Comm: syz-executor553 Tainted: G B 5.6.0-rc3-syzkaller #0
[ 81.330399][ T9864] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 81.340537][ T9864] Call Trace:
[ 81.343840][ T9864]  dump_stack+0x188/0x20d
[ 81.348166][ T9864]  panic+0x2e3/0x75c
[ 81.352086][ T9864]  ? add_taint.cold+0x16/0x16
[ 81.356805][ T9864]  ? preempt_schedule_common+0x5e/0xc0
[ 81.362258][ T9864]  ? tcindex_set_parms+0x17fd/0x1a00
[ 81.367535][ T9864]  ? ___preempt_schedule+0x16/0x18
[ 81.372647][ T9864]  ? trace_hardirqs_on+0x55/0x220
[ 81.377697][ T9864]  ? tcindex_set_parms+0x17fd/0x1a00
[ 81.382983][ T9864]  end_report+0x43/0x49
[ 81.387133][ T9864]  ? tcindex_set_parms+0x17fd/0x1a00
[ 81.392409][ T9864]  __kasan_report.cold+0xd/0x32
[ 81.397258][ T9864]  ? tcindex_set_parms+0x17fd/0x1a00
[ 81.402538][ T9864]  kasan_report+0xe/0x20
[ 81.406789][ T9864]  tcindex_set_parms+0x17fd/0x1a00
[ 81.411911][ T9864]  ? tcindex_alloc_perfect_hash+0x320/0x320
[ 81.417839][ T9864]  ? mark_held_locks+0xe0/0xe0
[ 81.422599][ T9864]  ? nla_memcpy+0xa0/0xa0
[ 81.426917][ T9864]  ? tcindex_change+0x203/0x2e0
[ 81.431783][ T9864]  tcindex_change+0x203/0x2e0
[ 81.436485][ T9864]  ? tcindex_set_parms+0x1a00/0x1a00
[ 81.441767][ T9864]  tc_new_tfilter+0xa59/0x20b0
[ 81.446523][ T9864]  ? tcindex_set_parms+0x1a00/0x1a00
[ 81.451801][ T9864]  ? tc_del_tfilter+0x1430/0x1430
[ 81.456850][ T9864]  ? __lock_acquire+0x80b/0x3ca0
[ 81.461828][ T9864]  ? apparmor_capable+0x454/0x8a0
[ 81.466881][ T9864]  ? rcu_read_lock_held+0x9c/0xb0
[ 81.471902][ T9864]  ? tc_del_tfilter+0x1430/0x1430
[ 81.476925][ T9864]  rtnetlink_rcv_msg+0x810/0xad0
[ 81.481902][ T9864]  ? rtnl_bridge_getlink+0x880/0x880
[ 81.487259][ T9864]  ? mark_held_locks+0xe0/0xe0
[ 81.492057][ T9864]  ? netlink_deliver_tap+0x146/0xb50
[ 81.497360][ T9864]  netlink_rcv_skb+0x15a/0x410
[ 81.502119][ T9864]  ? rtnl_bridge_getlink+0x880/0x880
[ 81.507947][ T9864]  ? netlink_ack+0xa80/0xa80
[ 81.512915][ T9864]  netlink_unicast+0x537/0x740
[ 81.517867][ T9864]  ? netlink_attachskb+0x810/0x810
[ 81.522988][ T9864]  ? _copy_from_iter_full+0x25c/0x870
[ 81.528459][ T9864]  ? __phys_addr_symbol+0x2c/0x70
[ 81.533493][ T9864]  ? __check_object_size+0x171/0x437
[ 81.538776][ T9864]  netlink_sendmsg+0x882/0xe10
[ 81.543546][ T9864]  ? aa_af_perm+0x260/0x260
[ 81.548041][ T9864]  ? netlink_unicast+0x740/0x740
[ 81.552974][ T9864]  ? netlink_unicast+0x740/0x740
[ 81.557920][ T9864]  sock_sendmsg+0xcf/0x120
[ 81.562344][ T9864]  ____sys_sendmsg+0x6b9/0x7d0
[ 81.567116][ T9864]  ? kernel_sendmsg+0x50/0x50
[ 81.571864][ T9864]  ? rcu_read_lock_sched_held+0x9c/0xd0
[ 81.577434][ T9864]  ? rcu_read_lock_any_held.part.0+0x50/0x50
[ 81.583442][ T9864]  ___sys_sendmsg+0x100/0x170
[ 81.588122][ T9864]  ? sendmsg_copy_msghdr+0x70/0x70
[ 81.593320][ T9864]  ? lock_downgrade+0x7f0/0x7f0
[ 81.598170][ T9864]  ? lock_acquire+0x197/0x420
[ 81.602841][ T9864]  ? __might_fault+0xef/0x1d0
[ 81.607511][ T9864]  ? __might_fault+0x190/0x1d0
[ 81.612263][ T9864]  ? _copy_to_user+0x107/0x150
[ 81.617016][ T9864]  ? move_addr_to_user+0xb3/0x200
[ 81.622035][ T9864]  ? __fget_light+0x1a5/0x270
[ 81.626728][ T9864]  __sys_sendmsg+0xec/0x1b0
[ 81.631227][ T9864]  ? __sys_sendmsg_sock+0xb0/0xb0
[ 81.636338][ T9864]  ? mark_held_locks+0x9f/0xe0
[ 81.641165][ T9864]  ? trace_hardirqs_off_caller+0x55/0x230
[ 81.652829][ T9864]  ? do_syscall_64+0x21/0x790
[ 81.657533][ T9864]  do_syscall_64+0xf6/0x790
[ 81.662126][ T9864]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 81.668009][ T9864] RIP: 0033:0x4416f9
[ 81.671891][ T9864] Code: e8 5c ad 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 3b 0a fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 81.691487][ T9864] RSP: 002b:00007fff4044db28 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 81.700944][ T9864] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00000000004416f9
[ 81.708944][ T9864] RDX: 0000000000000000 RSI: 00000000200001c0 RDI: 0000000000000003
[ 81.716928][ T9864] RBP: 00007fff4044db30 R08: 0000000120080522 R09: 0000000120080522
[ 81.724942][ T9864] R10: 0000000120080522 R11: 0000000000000246 R12: 00000000004a2a30
[ 81.733134][ T9864] R13: 0000000000402650 R14: 0000000000000000 R15: 0000000000000000
[ 81.743069][ T9864] Kernel Offset: disabled
[ 81.747398][ T9864] Rebooting in 86400 seconds..