[ ok ] Starting enhanced syslogd: rsyslogd.
[ 53.109039][ T27] audit: type=1800 audit(1584478937.878:25): pid=8586 uid=0 auid=4294967295 ses=4294967295 subj=_ op=collect_data cause=failed(directio) comm="startpar" name="cron" dev="sda1" ino=2414 res=0
[ 53.161545][ T27] audit: type=1800 audit(1584478937.878:26): pid=8586 uid=0 auid=4294967295 ses=4294967295 subj=_ op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0
[ 53.185493][ T27] audit: type=1800 audit(1584478937.878:27): pid=8586 uid=0 auid=4294967295 ses=4294967295 subj=_ op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.10.16' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 61.845150][ T8737] IPVS: ftp: loaded support on port[0] = 21
[ 61.873487][ T8737] ==================================================================
[ 61.881653][ T8737] BUG: KASAN: use-after-free in tcindex_change+0x1c61/0x27b0
[ 61.889016][ T8737] Write of size 16 at addr ffff8880a4765830 by task syz-executor577/8737
[ 61.897412][ T8737]
[ 61.899736][ T8737] CPU: 1 PID: 8737 Comm: syz-executor577 Not tainted 5.6.0-rc6-syzkaller #0
[ 61.908470][ T8737] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 61.918637][ T8737] Call Trace:
[ 61.921996][ T8737]  dump_stack+0x1e9/0x30e
[ 61.926402][ T8737]  print_address_description+0x74/0x5c0
[ 61.931962][ T8737]  ? printk+0x62/0x83
[ 61.936545][ T8737]  ? vprintk_emit+0x2e6/0x3b0
[ 61.941229][ T8737]  __kasan_report+0x14b/0x1c0
[ 61.945994][ T8737]  ? tcindex_change+0x1c61/0x27b0
[ 61.951278][ T8737]  kasan_report+0x25/0x50
[ 61.955667][ T8737]  check_memory_region+0x2a5/0x2e0
[ 61.960769][ T8737]  ? tcindex_change+0x1c61/0x27b0
[ 61.965775][ T8737]  memcpy+0x38/0x50
[ 61.970599][ T8737]  tcindex_change+0x1c61/0x27b0
[ 61.975490][ T8737]  ? tcindex_destroy+0x970/0x970
[ 61.980620][ T8737]  ? tcindex_lookup+0x13e/0x360
[ 61.985573][ T8737]  tc_new_tfilter+0x1490/0x2f50
[ 61.990952][ T8737]  ? tcindex_get+0x1c0/0x1c0
[ 61.995629][ T8737]  ? tcf_tunnel_encap_put_tunnel+0x20/0x20
[ 62.001463][ T8737]  rtnetlink_rcv_msg+0x8fb/0xd40
[ 62.006719][ T8737]  ? lock_acquire+0x154/0x250
[ 62.011398][ T8737]  ? rcu_lock_acquire+0x5/0x30
[ 62.016152][ T8737]  ? check_preemption_disabled+0x40/0x240
[ 62.021874][ T8737]  ? debug_smp_processor_id+0x5/0x20
[ 62.027165][ T8737]  netlink_rcv_skb+0x190/0x3a0
[ 62.031934][ T8737]  ? rtnetlink_bind+0x80/0x80
[ 62.036620][ T8737]  netlink_unicast+0x786/0x940
[ 62.041394][ T8737]  netlink_sendmsg+0xa57/0xd70
[ 62.046212][ T8737]  ? netlink_getsockopt+0x9d0/0x9d0
[ 62.051502][ T8737]  ____sys_sendmsg+0x4f9/0x7c0
[ 62.056265][ T8737]  __sys_sendmsg+0x1ed/0x290
[ 62.060909][ T8737]  ? __might_fault+0xf5/0x150
[ 62.065813][ T8737]  ? move_addr_to_user+0x17f/0x1e0
[ 62.070986][ T8737]  ? __sys_getsockname+0x1e2/0x220
[ 62.076111][ T8737]  ? check_preemption_disabled+0xb0/0x240
[ 62.081938][ T8737]  ? debug_smp_processor_id+0x5/0x20
[ 62.087311][ T8737]  ? check_preemption_disabled+0xb0/0x240
[ 62.093025][ T8737]  ? debug_smp_processor_id+0x5/0x20
[ 62.098309][ T8737]  ? trace_irq_disable_rcuidle+0x1f/0x1d0
[ 62.104058][ T8737]  ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[ 62.110135][ T8737]  ? do_syscall_64+0x19/0x1b0
[ 62.114801][ T8737]  do_syscall_64+0xf3/0x1b0
[ 62.119286][ T8737]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 62.125160][ T8737] RIP: 0033:0x440e79
[ 62.129031][ T8737] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b 10 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 62.148610][ T8737] RSP: 002b:00007ffd720b07b8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 62.157027][ T8737] RAX: ffffffffffffffda RBX: 00000000004a2650 RCX: 0000000000440e79
[ 62.164983][ T8737] RDX: 0000000000000000 RSI: 00000000200001c0 RDI: 0000000000000003
[ 62.172933][ T8737] RBP: 00007ffd720b07c0 R08: 0000000120080522 R09: 0000000120080522
[ 62.180883][ T8737] R10: 0000000120080522 R11: 0000000000000246 R12: 00000000004a2650
[ 62.188841][ T8737] R13: 0000000000402410 R14: 0000000000000000 R15: 0000000000000000
[ 62.196902][ T8737]
[ 62.199208][ T8737] Allocated by task 4680:
[ 62.203515][ T8737]  __kasan_kmalloc+0x118/0x1c0
[ 62.208267][ T8737]  __kmalloc+0x24b/0x330
[ 62.212496][ T8737]  kzalloc+0x1d/0x40
[ 62.216370][ T8737]  security_prepare_creds+0x46/0x220
[ 62.221629][ T8737]  prepare_creds+0x3dc/0x590
[ 62.226212][ T8737]  do_faccessat+0x53/0x780
[ 62.230622][ T8737]  do_syscall_64+0xf3/0x1b0
[ 62.235205][ T8737]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 62.241068][ T8737]
[ 62.243388][ T8737] Freed by task 4680:
[ 62.247353][ T8737]  __kasan_slab_free+0x12e/0x1e0
[ 62.252292][ T8737]  kfree+0x10a/0x220
[ 62.256427][ T8737]  security_cred_free+0xbf/0x100
[ 62.261431][ T8737]  put_cred_rcu+0xca/0x350
[ 62.265831][ T8737]  do_faccessat+0x613/0x780
[ 62.270345][ T8737]  do_syscall_64+0xf3/0x1b0
[ 62.274919][ T8737]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 62.280788][ T8737]
[ 62.283099][ T8737] The buggy address belongs to the object at ffff8880a4765800
[ 62.283099][ T8737]  which belongs to the cache kmalloc-192 of size 192
[ 62.297146][ T8737] The buggy address is located 48 bytes inside of
[ 62.297146][ T8737]  192-byte region [ffff8880a4765800, ffff8880a47658c0)
[ 62.310318][ T8737] The buggy address belongs to the page:
[ 62.315944][ T8737] page:ffffea000291d940 refcount:1 mapcount:0 mapping:ffff8880aa400000 index:0x0
[ 62.325040][ T8737] flags: 0xfffe0000000200(slab)
[ 62.329871][ T8737] raw: 00fffe0000000200 ffffea0002a554c8 ffffea000291b188 ffff8880aa400000
[ 62.338449][ T8737] raw: 0000000000000000 ffff8880a4765000 0000000100000010 0000000000000000
[ 62.347026][ T8737] page dumped because: kasan: bad access detected
[ 62.353415][ T8737]
[ 62.355722][ T8737] Memory state around the buggy address:
[ 62.361327][ T8737]  ffff8880a4765700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 62.369369][ T8737]  ffff8880a4765780: 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 62.377407][ T8737] >ffff8880a4765800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 62.385456][ T8737]                                      ^
[ 62.391424][ T8737]  ffff8880a4765880: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 62.399482][ T8737]  ffff8880a4765900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 62.407650][ T8737] ==================================================================
[ 62.415719][ T8737] Disabling lock debugging due to kernel taint
[ 62.422624][ T8737] Kernel panic - not syncing: panic_on_warn set ...
[ 62.429226][ T8737] CPU: 1 PID: 8737 Comm: syz-executor577 Tainted: G B 5.6.0-rc6-syzkaller #0
[ 62.439315][ T8737] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 62.449507][ T8737] Call Trace:
[ 62.452799][ T8737]  dump_stack+0x1e9/0x30e
[ 62.457208][ T8737]  panic+0x264/0x7a0
[ 62.461130][ T8737]  ? trace_hardirqs_on+0x30/0x70
[ 62.466050][ T8737]  __kasan_report+0x1bc/0x1c0
[ 62.470703][ T8737]  ? tcindex_change+0x1c61/0x27b0
[ 62.475720][ T8737]  kasan_report+0x25/0x50
[ 62.480031][ T8737]  check_memory_region+0x2a5/0x2e0
[ 62.485204][ T8737]  ? tcindex_change+0x1c61/0x27b0
[ 62.490215][ T8737]  memcpy+0x38/0x50
[ 62.494024][ T8737]  tcindex_change+0x1c61/0x27b0
[ 62.498988][ T8737]  ? tcindex_destroy+0x970/0x970
[ 62.503917][ T8737]  ? tcindex_lookup+0x13e/0x360
[ 62.508756][ T8737]  tc_new_tfilter+0x1490/0x2f50
[ 62.513592][ T8737]  ? tcindex_get+0x1c0/0x1c0
[ 62.518365][ T8737]  ? tcf_tunnel_encap_put_tunnel+0x20/0x20
[ 62.524160][ T8737]  rtnetlink_rcv_msg+0x8fb/0xd40
[ 62.529105][ T8737]  ? lock_acquire+0x154/0x250
[ 62.533844][ T8737]  ? rcu_lock_acquire+0x5/0x30
[ 62.538596][ T8737]  ? check_preemption_disabled+0x40/0x240
[ 62.544311][ T8737]  ? debug_smp_processor_id+0x5/0x20
[ 62.549704][ T8737]  netlink_rcv_skb+0x190/0x3a0
[ 62.554449][ T8737]  ? rtnetlink_bind+0x80/0x80
[ 62.559288][ T8737]  netlink_unicast+0x786/0x940
[ 62.564042][ T8737]  netlink_sendmsg+0xa57/0xd70
[ 62.568802][ T8737]  ? netlink_getsockopt+0x9d0/0x9d0
[ 62.574000][ T8737]  ____sys_sendmsg+0x4f9/0x7c0
[ 62.578771][ T8737]  __sys_sendmsg+0x1ed/0x290
[ 62.583349][ T8737]  ? __might_fault+0xf5/0x150
[ 62.588039][ T8737]  ? move_addr_to_user+0x17f/0x1e0
[ 62.593153][ T8737]  ? __sys_getsockname+0x1e2/0x220
[ 62.598254][ T8737]  ? check_preemption_disabled+0xb0/0x240
[ 62.605007][ T8737]  ? debug_smp_processor_id+0x5/0x20
[ 62.610299][ T8737]  ? check_preemption_disabled+0xb0/0x240
[ 62.616131][ T8737]  ? debug_smp_processor_id+0x5/0x20
[ 62.621405][ T8737]  ? trace_irq_disable_rcuidle+0x1f/0x1d0
[ 62.627250][ T8737]  ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[ 62.633331][ T8737]  ? do_syscall_64+0x19/0x1b0
[ 62.638025][ T8737]  do_syscall_64+0xf3/0x1b0
[ 62.642515][ T8737]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 62.648410][ T8737] RIP: 0033:0x440e79
[ 62.652280][ T8737] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b 10 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 62.671862][ T8737] RSP: 002b:00007ffd720b07b8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 62.680247][ T8737] RAX: ffffffffffffffda RBX: 00000000004a2650 RCX: 0000000000440e79
[ 62.688194][ T8737] RDX: 0000000000000000 RSI: 00000000200001c0 RDI: 0000000000000003
[ 62.696141][ T8737] RBP: 00007ffd720b07c0 R08: 0000000120080522 R09: 0000000120080522
[ 62.704089][ T8737] R10: 0000000120080522 R11: 0000000000000246 R12: 00000000004a2650
[ 62.712047][ T8737] R13: 0000000000402410 R14: 0000000000000000 R15: 0000000000000000
[ 62.721279][ T8737] Kernel Offset: disabled
[ 62.725627][ T8737] Rebooting in 86400 seconds..