[ 45.338746][ T27] audit: type=1800 audit(1584544355.561:25): pid=8297 uid=0 auid=4294967295 ses=4294967295 subj=_ op=collect_data cause=failed(directio) comm="startpar" name="cron" dev="sda1" ino=2414 res=0
[ 45.362198][ T27] audit: type=1800 audit(1584544355.561:26): pid=8297 uid=0 auid=4294967295 ses=4294967295 subj=_ op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0
[ 45.402526][ T27] audit: type=1800 audit(1584544355.561:27): pid=8297 uid=0 auid=4294967295 ses=4294967295 subj=_ op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0
[ 45.422666][ T27] audit: type=1800 audit(1584544355.561:28): pid=8297 uid=0 auid=4294967295 ses=4294967295 subj=_ op=collect_data cause=failed(directio) comm="startpar" name="ssh" dev="sda1" ino=2417 res=0
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.10.13' (ECDSA) to the list of known hosts.
executing program
syzkaller login:
[ 57.213429][ T8447] IPVS: ftp: loaded support on port[0] = 21
[ 57.239776][ T8447] ==================================================================
[ 57.247890][ T8447] BUG: KASAN: use-after-free in tcindex_change+0x1c61/0x27b0
[ 57.255230][ T8447] Write of size 16 at addr ffff8880a7596330 by task syz-executor325/8447
[ 57.263606][ T8447]
[ 57.265911][ T8447] CPU: 1 PID: 8447 Comm: syz-executor325 Not tainted 5.6.0-rc6-syzkaller #0
[ 57.274546][ T8447] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 57.284586][ T8447] Call Trace:
[ 57.287851][ T8447]  dump_stack+0x1e9/0x30e
[ 57.292158][ T8447]  print_address_description+0x74/0x5c0
[ 57.297673][ T8447]  ? printk+0x62/0x83
[ 57.301625][ T8447]  ? vprintk_emit+0x2e6/0x3b0
[ 57.306278][ T8447]  __kasan_report+0x14b/0x1c0
[ 57.310925][ T8447]  ? tcindex_change+0x1c61/0x27b0
[ 57.315922][ T8447]  kasan_report+0x25/0x50
[ 57.320244][ T8447]  check_memory_region+0x2a5/0x2e0
[ 57.325324][ T8447]  ? tcindex_change+0x1c61/0x27b0
[ 57.330316][ T8447]  memcpy+0x38/0x50
[ 57.334094][ T8447]  tcindex_change+0x1c61/0x27b0
[ 57.338949][ T8447]  ? tcindex_destroy+0x970/0x970
[ 57.343853][ T8447]  ? tcindex_lookup+0x13e/0x360
[ 57.348673][ T8447]  tc_new_tfilter+0x1490/0x2f50
[ 57.353501][ T8447]  ? tcindex_get+0x1c0/0x1c0
[ 57.358091][ T8447]  ? tcf_tunnel_encap_put_tunnel+0x20/0x20
[ 57.363867][ T8447]  rtnetlink_rcv_msg+0x8fb/0xd40
[ 57.368802][ T8447]  ? lock_acquire+0x154/0x250
[ 57.373448][ T8447]  ? rcu_lock_acquire+0x5/0x30
[ 57.378195][ T8447]  ? check_preemption_disabled+0x40/0x240
[ 57.383882][ T8447]  ? debug_smp_processor_id+0x5/0x20
[ 57.389143][ T8447]  netlink_rcv_skb+0x190/0x3a0
[ 57.393879][ T8447]  ? rtnetlink_bind+0x80/0x80
[ 57.398544][ T8447]  netlink_unicast+0x786/0x940
[ 57.403289][ T8447]  netlink_sendmsg+0xa57/0xd70
[ 57.408044][ T8447]  ? netlink_getsockopt+0x9d0/0x9d0
[ 57.413213][ T8447]  ____sys_sendmsg+0x4f9/0x7c0
[ 57.417962][ T8447]  __sys_sendmsg+0x1ed/0x290
[ 57.422523][ T8447]  ? __might_fault+0xf5/0x150
[ 57.427178][ T8447]  ? move_addr_to_user+0x17f/0x1e0
[ 57.432263][ T8447]  ? __sys_getsockname+0x1e2/0x220
[ 57.437358][ T8447]  ? check_preemption_disabled+0xb0/0x240
[ 57.443052][ T8447]  ? debug_smp_processor_id+0x5/0x20
[ 57.448307][ T8447]  ? check_preemption_disabled+0xb0/0x240
[ 57.453991][ T8447]  ? debug_smp_processor_id+0x5/0x20
[ 57.459259][ T8447]  ? trace_irq_disable_rcuidle+0x1f/0x1d0
[ 57.464950][ T8447]  ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[ 57.470988][ T8447]  ? do_syscall_64+0x19/0x1b0
[ 57.475732][ T8447]  do_syscall_64+0xf3/0x1b0
[ 57.480218][ T8447]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 57.486081][ T8447] RIP: 0033:0x440e79
[ 57.489946][ T8447] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b 10 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 57.509519][ T8447] RSP: 002b:00007ffe907a5898 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 57.517900][ T8447] RAX: ffffffffffffffda RBX: 00000000004a2650 RCX: 0000000000440e79
[ 57.525841][ T8447] RDX: 0000000000000000 RSI: 00000000200001c0 RDI: 0000000000000003
[ 57.533784][ T8447] RBP: 00007ffe907a58a0 R08: 0000000120080522 R09: 0000000120080522
[ 57.541738][ T8447] R10: 0000000120080522 R11: 0000000000000246 R12: 00000000004a2650
[ 57.549680][ T8447] R13: 0000000000402410 R14: 0000000000000000 R15: 0000000000000000
[ 57.557637][ T8447]
[ 57.559937][ T8447] Allocated by task 7368:
[ 57.564239][ T8447]  __kasan_kmalloc+0x118/0x1c0
[ 57.568970][ T8447]  __kmalloc+0x24b/0x330
[ 57.573193][ T8447]  kzalloc+0x1d/0x40
[ 57.577055][ T8447]  security_prepare_creds+0x46/0x220
[ 57.582321][ T8447]  prepare_creds+0x3dc/0x590
[ 57.586887][ T8447]  copy_creds+0x130/0x6b0
[ 57.591191][ T8447]  copy_process+0x8e5/0x5560
[ 57.595753][ T8447]  _do_fork+0x134/0x650
[ 57.599882][ T8447]  __x64_sys_clone+0x208/0x250
[ 57.604617][ T8447]  do_syscall_64+0xf3/0x1b0
[ 57.609092][ T8447]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 57.614952][ T8447]
[ 57.617267][ T8447] Freed by task 7471:
[ 57.621226][ T8447]  __kasan_slab_free+0x12e/0x1e0
[ 57.626136][ T8447]  kfree+0x10a/0x220
[ 57.629999][ T8447]  security_cred_free+0xbf/0x100
[ 57.634905][ T8447]  put_cred_rcu+0xca/0x350
[ 57.639288][ T8447]  rcu_core+0x7e4/0x1080
[ 57.643498][ T8447]  __do_softirq+0x268/0x7c5
[ 57.647996][ T8447]
[ 57.650299][ T8447] The buggy address belongs to the object at ffff8880a7596300
[ 57.650299][ T8447]  which belongs to the cache kmalloc-192 of size 192
[ 57.664331][ T8447] The buggy address is located 48 bytes inside of
[ 57.664331][ T8447]  192-byte region [ffff8880a7596300, ffff8880a75963c0)
[ 57.677575][ T8447] The buggy address belongs to the page:
[ 57.683182][ T8447] page:ffffea00029d6580 refcount:1 mapcount:0 mapping:ffff8880aa400000 index:0xffff8880a7596100
[ 57.693558][ T8447] flags: 0xfffe0000000200(slab)
[ 57.698378][ T8447] raw: 00fffe0000000200 ffffea000277cb88 ffffea0002a11948 ffff8880aa400000
[ 57.706933][ T8447] raw: ffff8880a7596100 ffff8880a7596000 0000000100000006 0000000000000000
[ 57.715502][ T8447] page dumped because: kasan: bad access detected
[ 57.721881][ T8447]
[ 57.724179][ T8447] Memory state around the buggy address:
[ 57.729778][ T8447]  ffff8880a7596200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 57.737818][ T8447]  ffff8880a7596280: 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 57.745849][ T8447] >ffff8880a7596300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 57.753875][ T8447]                               ^
[ 57.759485][ T8447]  ffff8880a7596380: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 57.767515][ T8447]  ffff8880a7596400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 57.775647][ T8447] ==================================================================
[ 57.783675][ T8447] Disabling lock debugging due to kernel taint
[ 57.790240][ T8447] Kernel panic - not syncing: panic_on_warn set ...
[ 57.796819][ T8447] CPU: 1 PID: 8447 Comm: syz-executor325 Tainted: G B 5.6.0-rc6-syzkaller #0
[ 57.806845][ T8447] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 57.816871][ T8447] Call Trace:
[ 57.820134][ T8447]  dump_stack+0x1e9/0x30e
[ 57.824434][ T8447]  panic+0x264/0x7a0
[ 57.828300][ T8447]  ? trace_hardirqs_on+0x30/0x70
[ 57.833208][ T8447]  __kasan_report+0x1bc/0x1c0
[ 57.837865][ T8447]  ? tcindex_change+0x1c61/0x27b0
[ 57.842859][ T8447]  kasan_report+0x25/0x50
[ 57.847158][ T8447]  check_memory_region+0x2a5/0x2e0
[ 57.852236][ T8447]  ? tcindex_change+0x1c61/0x27b0
[ 57.857239][ T8447]  memcpy+0x38/0x50
[ 57.861014][ T8447]  tcindex_change+0x1c61/0x27b0
[ 57.865849][ T8447]  ? tcindex_destroy+0x970/0x970
[ 57.870872][ T8447]  ? tcindex_lookup+0x13e/0x360
[ 57.875692][ T8447]  tc_new_tfilter+0x1490/0x2f50
[ 57.880511][ T8447]  ? tcindex_get+0x1c0/0x1c0
[ 57.885084][ T8447]  ? tcf_tunnel_encap_put_tunnel+0x20/0x20
[ 57.890859][ T8447]  rtnetlink_rcv_msg+0x8fb/0xd40
[ 57.895782][ T8447]  ? lock_acquire+0x154/0x250
[ 57.900516][ T8447]  ? rcu_lock_acquire+0x5/0x30
[ 57.905250][ T8447]  ? check_preemption_disabled+0x40/0x240
[ 57.910936][ T8447]  ? debug_smp_processor_id+0x5/0x20
[ 57.916188][ T8447]  netlink_rcv_skb+0x190/0x3a0
[ 57.920918][ T8447]  ? rtnetlink_bind+0x80/0x80
[ 57.925568][ T8447]  netlink_unicast+0x786/0x940
[ 57.930303][ T8447]  netlink_sendmsg+0xa57/0xd70
[ 57.935050][ T8447]  ? netlink_getsockopt+0x9d0/0x9d0
[ 57.940243][ T8447]  ____sys_sendmsg+0x4f9/0x7c0
[ 57.944980][ T8447]  __sys_sendmsg+0x1ed/0x290
[ 57.949547][ T8447]  ? __might_fault+0xf5/0x150
[ 57.954193][ T8447]  ? move_addr_to_user+0x17f/0x1e0
[ 57.959330][ T8447]  ? __sys_getsockname+0x1e2/0x220
[ 57.964528][ T8447]  ? check_preemption_disabled+0xb0/0x240
[ 57.970218][ T8447]  ? debug_smp_processor_id+0x5/0x20
[ 57.975473][ T8447]  ? check_preemption_disabled+0xb0/0x240
[ 57.981161][ T8447]  ? debug_smp_processor_id+0x5/0x20
[ 57.986419][ T8447]  ? trace_irq_disable_rcuidle+0x1f/0x1d0
[ 57.992111][ T8447]  ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[ 57.998151][ T8447]  ? do_syscall_64+0x19/0x1b0
[ 58.002801][ T8447]  do_syscall_64+0xf3/0x1b0
[ 58.007278][ T8447]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 58.013149][ T8447] RIP: 0033:0x440e79
[ 58.017019][ T8447] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b 10 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 58.036595][ T8447] RSP: 002b:00007ffe907a5898 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 58.044977][ T8447] RAX: ffffffffffffffda RBX: 00000000004a2650 RCX: 0000000000440e79
[ 58.052953][ T8447] RDX: 0000000000000000 RSI: 00000000200001c0 RDI: 0000000000000003
[ 58.060895][ T8447] RBP: 00007ffe907a58a0 R08: 0000000120080522 R09: 0000000120080522
[ 58.068839][ T8447] R10: 0000000120080522 R11: 0000000000000246 R12: 00000000004a2650
[ 58.076839][ T8447] R13: 0000000000402410 R14: 0000000000000000 R15: 0000000000000000
[ 58.086030][ T8447] Kernel Offset: disabled
[ 58.090344][ T8447] Rebooting in 86400 seconds..