[   28.596651] audit: type=1800 audit(1544973946.120:27): pid=5880 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0
[   28.616424] audit: type=1800 audit(1544973946.130:28): pid=5880 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="ssh" dev="sda1" ino=2417 res=0
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[   29.349533] audit: type=1800 audit(1544973946.950:29): pid=5880 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="rc.local" dev="sda1" ino=2432 res=0
[   29.370311] audit: type=1800 audit(1544973946.960:30): pid=5880 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="rmnologin" dev="sda1" ino=2423 res=0

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   34.054212] sshd (6019) used greatest stack depth: 15744 bytes left
Warning: Permanently added '10.128.0.126' (ECDSA) to the list of known hosts.
2018/12/16 15:28:19 parsed 1 programs
2018/12/16 15:28:21 executed programs: 0
[  183.838049] IPVS: ftp: loaded support on port[0] = 21
[  184.091052] bridge0: port 1(bridge_slave_0) entered blocking state
[  184.097953] bridge0: port 1(bridge_slave_0) entered disabled state
[  184.104981] device bridge_slave_0 entered promiscuous mode
[  184.123333] bridge0: port 2(bridge_slave_1) entered blocking state
[  184.129721] bridge0: port 2(bridge_slave_1) entered disabled state
[  184.136688] device bridge_slave_1 entered promiscuous mode
[  184.154173] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[  184.171998] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[  184.223127] bond0: Enslaving bond_slave_0 as an active interface with an up link
[  184.243895] bond0: Enslaving bond_slave_1 as an active interface with an up link
[  184.321029] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[  184.328547] team0: Port device team_slave_0 added
[  184.345518] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[  184.352843] team0: Port device team_slave_1 added
[  184.370493] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[  184.391717] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[  184.410504] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[  184.430741] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[  184.573103] bridge0: port 2(bridge_slave_1) entered blocking state
[  184.579510] bridge0: port 2(bridge_slave_1) entered forwarding state
[  184.586296] bridge0: port 1(bridge_slave_0) entered blocking state
[  184.592665] bridge0: port 1(bridge_slave_0) entered forwarding state
[  185.099416] 8021q: adding VLAN 0 to HW filter on device bond0
[  185.152821] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[  185.206240] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
[  185.212679] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[  185.219935] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[  185.274025] 8021q: adding VLAN 0 to HW filter on device team0
[  186.391963] ==================================================================
[  186.399404] BUG: KASAN: use-after-free in tipc_mcast_xmit+0xb77/0xdb0
[  186.405969] Read of size 1 at addr ffff8881d219454e by task syz-executor0/6307
[  186.413307]
[  186.414918] CPU: 0 PID: 6307 Comm: syz-executor0 Not tainted 4.20.0-rc6+ #234
[  186.422170] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[  186.431501] Call Trace:
[  186.434072]  dump_stack+0x244/0x39d
[  186.437683]  ? dump_stack_print_info.cold.1+0x20/0x20
[  186.442866]  ? printk+0xa7/0xcf
[  186.446147]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[  186.450899]  print_address_description.cold.7+0x9/0x1ff
[  186.456260]  kasan_report.cold.8+0x242/0x309
[  186.460666]  ? tipc_mcast_xmit+0xb77/0xdb0
[  186.464889]  __asan_report_load1_noabort+0x14/0x20
[  186.469805]  tipc_mcast_xmit+0xb77/0xdb0
[  186.473869]  ? tipc_bcast_dec_bearer_dst_cnt+0xa80/0xa80
[  186.479322]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[  186.484326]  ? skb_put+0x17b/0x1e0
[  186.487855]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[  186.493377]  ? tipc_msg_build+0x4a5/0x12d0
[  186.497602]  ? tipc_msg_assemble+0x6b0/0x6b0
[  186.501999]  ? remove_wait_queue+0x1a6/0x360
[  186.506520]  tipc_send_group_bcast+0xa5f/0xdf0
[  186.511092]  ? _raw_spin_unlock_irqrestore+0x82/0xd0
[  186.516189]  ? tipc_sk_sock_err.isra.61+0x2f0/0x2f0
[  186.521197]  ? __init_waitqueue_head+0x150/0x150
[  186.525939]  ? try_to_wake_up+0x11c/0x1440
[  186.530157]  ? zap_class+0x640/0x640
[  186.533869]  ? mark_held_locks+0x130/0x130
[  186.538117]  __tipc_sendmsg+0xeec/0x1d40
[  186.542185]  ? tipc_sendmcast+0xf50/0xf50
[  186.546330]  ? __sanitizer_cov_trace_switch+0x53/0x90
[  186.551535]  ? zap_class+0x640/0x640
[  186.555258]  ? print_usage_bug+0xc0/0xc0
[  186.559349]  ? find_held_lock+0x36/0x1c0
[  186.563397]  ? mark_held_locks+0xc7/0x130
[  186.567548]  ? __local_bh_enable_ip+0x160/0x260
[  186.572201]  ? __local_bh_enable_ip+0x160/0x260
[  186.576873]  ? lockdep_hardirqs_on+0x3bb/0x5b0
[  186.581443]  ? trace_hardirqs_on+0xbd/0x310
[  186.585750]  ? lock_release+0xa00/0xa00
[  186.589711]  ? lock_sock_nested+0xe2/0x120
[  186.593931]  ? trace_hardirqs_off_caller+0x310/0x310
[  186.599022]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[  186.604549]  ? check_preemption_disabled+0x48/0x280
[  186.609548]  ? lock_sock_nested+0x9a/0x120
[  186.613767]  ? lock_sock_nested+0x9a/0x120
[  186.618001]  ? __local_bh_enable_ip+0x160/0x260
[  186.622668]  tipc_sendmsg+0x50/0x70
[  186.626282]  ? __tipc_sendmsg+0x1d40/0x1d40
[  186.630600]  sock_sendmsg+0xd5/0x120
[  186.634298]  ___sys_sendmsg+0x7fd/0x930
[  186.638264]  ? copy_msghdr_from_user+0x580/0x580
[  186.643019]  ? trace_hardirqs_on+0xbd/0x310
[  186.647355]  ? __fget_light+0x2e9/0x430
[  186.651343]  ? fget_raw+0x20/0x20
[  186.654792]  ? __might_fault+0x12b/0x1e0
[  186.658840]  ? lock_downgrade+0x900/0x900
[  186.662973]  ? lock_release+0xa00/0xa00
[  186.666938]  ? perf_trace_sched_process_exec+0x860/0x860
[  186.672382]  ? posix_ktime_get_ts+0x15/0x20
[  186.676697]  ? trace_hardirqs_off_caller+0x310/0x310
[  186.681791]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[  186.687316]  ? sockfd_lookup_light+0xc5/0x160
[  186.691799]  __sys_sendmsg+0x11d/0x280
[  186.695675]  ? __ia32_sys_shutdown+0x80/0x80
[  186.700069]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[  186.705595]  ? put_timespec64+0x10f/0x1b0
[  186.709734]  ? do_syscall_64+0x9a/0x820
[  186.713696]  ? do_syscall_64+0x9a/0x820
[  186.717670]  ? trace_hardirqs_off_caller+0x310/0x310
[  186.722764]  __x64_sys_sendmsg+0x78/0xb0
[  186.726814]  do_syscall_64+0x1b9/0x820
[  186.730696]  ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[  186.736044]  ? syscall_return_slowpath+0x5e0/0x5e0
[  186.740959]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[  186.745804]  ? trace_hardirqs_on_caller+0x310/0x310
[  186.750822]  ? prepare_exit_to_usermode+0x3b0/0x3b0
[  186.755825]  ? prepare_exit_to_usermode+0x291/0x3b0
[  186.760829]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[  186.765672]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[  186.770845] RIP: 0033:0x457669
[  186.774041] Code: fd b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[  186.792928] RSP: 002b:00007fbfc19b2c78 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[  186.800621] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000457669
[  186.807887] RDX: 0000000000000000 RSI: 00000000200001c0 RDI: 0000000000000004
[  186.815139] RBP: 000000000072bf00 R08: 0000000000000000 R09: 0000000000000000
[  186.822400] R10: 0000000000000000 R11: 0000000000000246 R12: 00007fbfc19b36d4
[  186.829662] R13: 00000000004c44bd R14: 00000000004d74a8 R15: 00000000ffffffff
[  186.836924]
[  186.838539] Allocated by task 6307:
[  186.842154]  save_stack+0x43/0xd0
[  186.845592]  kasan_kmalloc+0xc7/0xe0
[  186.849290]  kmem_cache_alloc_trace+0x152/0x750
[  186.853956]  tipc_group_create+0x152/0xa70
[  186.858187]  tipc_setsockopt+0x2d1/0xd70
[  186.862230]  __sys_setsockopt+0x1ba/0x3c0
[  186.866364]  __x64_sys_setsockopt+0xbe/0x150
[  186.870758]  do_syscall_64+0x1b9/0x820
[  186.874627]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[  186.879803]
[  186.881412] Freed by task 6308:
[  186.884675]  save_stack+0x43/0xd0
[  186.888115]  __kasan_slab_free+0x102/0x150
[  186.892333]  kasan_slab_free+0xe/0x10
[  186.896131]  kfree+0xcf/0x230
[  186.899235]  tipc_group_delete+0x2e4/0x3f0
[  186.903453]  tipc_sk_leave+0x113/0x220
[  186.907326]  tipc_setsockopt+0x97d/0xd70
[  186.911372]  __sys_setsockopt+0x1ba/0x3c0
[  186.915506]  __x64_sys_setsockopt+0xbe/0x150
[  186.919896]  do_syscall_64+0x1b9/0x820
[  186.923768]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[  186.928932]
[  186.930542] The buggy address belongs to the object at ffff8881d2194500
[  186.930542]  which belongs to the cache kmalloc-192 of size 192
[  186.943180] The buggy address is located 78 bytes inside of
[  186.943180]  192-byte region [ffff8881d2194500, ffff8881d21945c0)
[  186.954949] The buggy address belongs to the page:
[  186.959863] page:ffffea0007486500 count:1 mapcount:0 mapping:ffff8881da800040 index:0x0
[  186.967991] flags: 0x2fffc0000000200(slab)
[  186.972213] raw: 02fffc0000000200 ffffea00074e6dc8 ffffea000748fa88 ffff8881da800040
[  186.980077] raw: 0000000000000000 ffff8881d2194000 0000000100000010 0000000000000000
[  186.987934] page dumped because: kasan: bad access detected
[  186.993622]
[  186.995242] Memory state around the buggy address:
[  187.000158]  ffff8881d2194400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  187.007500]  ffff8881d2194480: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[  187.014846] >ffff8881d2194500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  187.022184]                                               ^
[  187.027876]  ffff8881d2194580: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[  187.035234]  ffff8881d2194600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[  187.042573] ==================================================================
[  187.049915] Disabling lock debugging due to kernel taint
[  187.057972] Kernel panic - not syncing: panic_on_warn set ...
[  187.063870] CPU: 0 PID: 6307 Comm: syz-executor0 Tainted: G B 4.20.0-rc6+ #234
[  187.072512] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[  187.081847] Call Trace:
[  187.084418]  dump_stack+0x244/0x39d
[  187.088033]  ? dump_stack_print_info.cold.1+0x20/0x20
[  187.093211]  panic+0x2ad/0x55c
[  187.096386]  ? add_taint.cold.5+0x16/0x16
[  187.100520]  ? preempt_schedule+0x4d/0x60
[  187.104665]  ? ___preempt_schedule+0x16/0x18
[  187.109063]  ? trace_hardirqs_on+0xb4/0x310
[  187.113371]  kasan_end_report+0x47/0x4f
[  187.117326]  kasan_report.cold.8+0x76/0x309
[  187.121633]  ? tipc_mcast_xmit+0xb77/0xdb0
[  187.125863]  __asan_report_load1_noabort+0x14/0x20
[  187.130776]  tipc_mcast_xmit+0xb77/0xdb0
[  187.134821]  ? tipc_bcast_dec_bearer_dst_cnt+0xa80/0xa80
[  187.140256]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[  187.145255]  ? skb_put+0x17b/0x1e0
[  187.148783]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[  187.154302]  ? tipc_msg_build+0x4a5/0x12d0
[  187.158531]  ? tipc_msg_assemble+0x6b0/0x6b0
[  187.162944]  ? remove_wait_queue+0x1a6/0x360
[  187.167371]  tipc_send_group_bcast+0xa5f/0xdf0
[  187.171943]  ? _raw_spin_unlock_irqrestore+0x82/0xd0
[  187.177034]  ? tipc_sk_sock_err.isra.61+0x2f0/0x2f0
[  187.182034]  ? __init_waitqueue_head+0x150/0x150
[  187.186772]  ? try_to_wake_up+0x11c/0x1440
[  187.190988]  ? zap_class+0x640/0x640
[  187.194687]  ? mark_held_locks+0x130/0x130
[  187.198913]  __tipc_sendmsg+0xeec/0x1d40
[  187.202960]  ? tipc_sendmcast+0xf50/0xf50
[  187.207092]  ? __sanitizer_cov_trace_switch+0x53/0x90
[  187.212282]  ? zap_class+0x640/0x640
[  187.215981]  ? print_usage_bug+0xc0/0xc0
[  187.220027]  ? find_held_lock+0x36/0x1c0
[  187.224076]  ? mark_held_locks+0xc7/0x130
[  187.228205]  ? __local_bh_enable_ip+0x160/0x260
[  187.232857]  ? __local_bh_enable_ip+0x160/0x260
[  187.237509]  ? lockdep_hardirqs_on+0x3bb/0x5b0
[  187.242084]  ? trace_hardirqs_on+0xbd/0x310
[  187.246394]  ? lock_release+0xa00/0xa00
[  187.250351]  ? lock_sock_nested+0xe2/0x120
[  187.254572]  ? trace_hardirqs_off_caller+0x310/0x310
[  187.259675]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[  187.265215]  ? check_preemption_disabled+0x48/0x280
[  187.270231]  ? lock_sock_nested+0x9a/0x120
[  187.274463]  ? lock_sock_nested+0x9a/0x120
[  187.278680]  ? __local_bh_enable_ip+0x160/0x260
[  187.283331]  tipc_sendmsg+0x50/0x70
[  187.286955]  ? __tipc_sendmsg+0x1d40/0x1d40
[  187.291261]  sock_sendmsg+0xd5/0x120
[  187.294965]  ___sys_sendmsg+0x7fd/0x930
[  187.298941]  ? copy_msghdr_from_user+0x580/0x580
[  187.303707]  ? trace_hardirqs_on+0xbd/0x310
[  187.308052]  ? __fget_light+0x2e9/0x430
[  187.312047]  ? fget_raw+0x20/0x20
[  187.315484]  ? __might_fault+0x12b/0x1e0
[  187.319544]  ? lock_downgrade+0x900/0x900
[  187.323680]  ? lock_release+0xa00/0xa00
[  187.327636]  ? perf_trace_sched_process_exec+0x860/0x860
[  187.333098]  ? posix_ktime_get_ts+0x15/0x20
[  187.337404]  ? trace_hardirqs_off_caller+0x310/0x310
[  187.342492]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[  187.348013]  ? sockfd_lookup_light+0xc5/0x160
[  187.352507]  __sys_sendmsg+0x11d/0x280
[  187.356395]  ? __ia32_sys_shutdown+0x80/0x80
[  187.360816]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[  187.366355]  ? put_timespec64+0x10f/0x1b0
[  187.370487]  ? do_syscall_64+0x9a/0x820
[  187.374462]  ? do_syscall_64+0x9a/0x820
[  187.378431]  ? trace_hardirqs_off_caller+0x310/0x310
[  187.383523]  __x64_sys_sendmsg+0x78/0xb0
[  187.387567]  do_syscall_64+0x1b9/0x820
[  187.391447]  ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[  187.396805]  ? syscall_return_slowpath+0x5e0/0x5e0
[  187.401718]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[  187.406542]  ? trace_hardirqs_on_caller+0x310/0x310
[  187.411546]  ? prepare_exit_to_usermode+0x3b0/0x3b0
[  187.416548]  ? prepare_exit_to_usermode+0x291/0x3b0
[  187.421551]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[  187.426380]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[  187.431549] RIP: 0033:0x457669
[  187.434727] Code: fd b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[  187.453609] RSP: 002b:00007fbfc19b2c78 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[  187.461304] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000457669
[  187.468564] RDX: 0000000000000000 RSI: 00000000200001c0 RDI: 0000000000000004
[  187.475829] RBP: 000000000072bf00 R08: 0000000000000000 R09: 0000000000000000
[  187.483081] R10: 0000000000000000 R11: 0000000000000246 R12: 00007fbfc19b36d4
[  187.490334] R13: 00000000004c44bd R14: 00000000004d74a8 R15: 00000000ffffffff
[  187.498573] Kernel Offset: disabled
[  187.502193] Rebooting in 86400 seconds..
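What the report above tells a triager is compact, and it is all in the text: the object was allocated in tipc_group_create and freed in tipc_group_delete, both reached through setsockopt; the free came from a different task (6308) than the one still reading it in tipc_mcast_xmit under sendmsg (6307); and the one-byte read lands 78 bytes into a 192-byte kmalloc-192 object, so this is a stale pointer to a freed object, not an overflow. The script below pulls exactly those facts out of the raw console text. It is an added example, not syzbot or kernel code; the regular expressions, the list of "noise" frames and the triage keys are my own choices, and SAMPLE_REPORT is a constructed, abridged copy of the report in this log.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: an abridged copy of the report in the log above.
SAMPLE_REPORT = """\
[  186.399404] BUG: KASAN: use-after-free in tipc_mcast_xmit+0xb77/0xdb0
[  186.405969] Read of size 1 at addr ffff8881d219454e by task syz-executor0/6307
[  186.431501] Call Trace:
[  186.434072]  dump_stack+0x244/0x39d
[  186.456260]  kasan_report.cold.8+0x242/0x309
[  186.460666]  ? tipc_mcast_xmit+0xb77/0xdb0
[  186.469805]  tipc_mcast_xmit+0xb77/0xdb0
[  186.506520]  tipc_send_group_bcast+0xa5f/0xdf0
[  186.695675]  ? __ia32_sys_shutdown+0x80/0x80
[  186.722764]  __x64_sys_sendmsg+0x78/0xb0
[  186.770845] RIP: 0033:0x457669
[  186.838539] Allocated by task 6307:
[  186.842154]  save_stack+0x43/0xd0
[  186.845592]  kasan_kmalloc+0xc7/0xe0
[  186.849290]  kmem_cache_alloc_trace+0x152/0x750
[  186.853956]  tipc_group_create+0x152/0xa70
[  186.866364]  __x64_sys_setsockopt+0xbe/0x150
[  186.879803]
[  186.881412] Freed by task 6308:
[  186.884675]  save_stack+0x43/0xd0
[  186.888115]  __kasan_slab_free+0x102/0x150
[  186.896131]  kfree+0xcf/0x230
[  186.899235]  tipc_group_delete+0x2e4/0x3f0
[  186.903453]  tipc_sk_leave+0x113/0x220
[  186.915506]  __x64_sys_setsockopt+0xbe/0x150
[  186.930542] The buggy address belongs to the object at ffff8881d2194500
[  186.930542]  which belongs to the cache kmalloc-192 of size 192
[  186.943180] The buggy address is located 78 bytes inside of
[  186.943180]  192-byte region [ffff8881d2194500, ffff8881d21945c0)
"""

TS = re.compile(r"^\[\s*\d+\.\d+\] ?")                      # "[  186.399404] " prefix
HEADER = re.compile(r"BUG: KASAN: (?P<bug>[\w-]+) in (?P<func>[\w.]+)\+0x")
ACCESS = re.compile(r"(?P<rw>Read|Write) of size (?P<size>\d+) at addr (?P<addr>[0-9a-f]+)"
                    r" by task (?P<comm>\S+)/(?P<pid>\d+)")
SECTION = re.compile(r"Call Trace:|(?P<kind>Allocated|Freed) by task (?P<pid>\d+):")
FRAME = re.compile(r"^\s+(?P<unreliable>\? )?(?P<sym>[A-Za-z_][\w.]*)\+0x")
CACHE = re.compile(r"belongs to the cache (?P<cache>\S+) of size (?P<size>\d+)")
OFFSET = re.compile(r"located (?P<off>\d+) bytes inside of")
# Frames that belong to KASAN, the stack dumper or the allocator, not to the code under test.
NOISE_PREFIXES = ("dump_stack", "print_address_description", "kasan_", "__kasan_",
                  "__asan_", "save_stack", "kmem_cache_alloc", "kmem_cache_free")
NOISE_EXACT = {"kfree", "kmalloc", "__kmalloc"}

@dataclass
class Stack:
    pid: Optional[int] = None
    frames: List[str] = field(default_factory=list)   # reliable frames only, innermost first

    def site(self) -> Optional[str]:
        """Innermost frame below the KASAN/allocator plumbing: the code that did it."""
        return next((f for f in self.frames
                     if not f.startswith(NOISE_PREFIXES) and f not in NOISE_EXACT), None)

    def syscall(self) -> Optional[str]:
        """Syscall this stack entered through, from its __x64_sys_*/__ia32_sys_* frame."""
        for f in self.frames:
            if m := re.fullmatch(r"__(?:x64|ia32)_sys_(\w+)", f):
                return m[1]
        return None

def parse_kasan(text: str) -> dict:
    """Header fields plus the 'use', 'alloc' and 'free' Stacks of one KASAN report."""
    r = {"use": Stack(), "alloc": Stack(), "free": Stack()}
    cur = None
    for raw in text.splitlines():
        line = TS.sub("", raw)
        if m := HEADER.search(line):
            r["bug"], r["func"] = m["bug"], m["func"]
        elif m := ACCESS.search(line):
            r.update(rw=m["rw"], size=int(m["size"]), addr=int(m["addr"], 16),
                     comm=m["comm"], pid=int(m["pid"]))
        elif m := SECTION.search(line):
            cur = r[{None: "use", "Allocated": "alloc", "Freed": "free"}[m["kind"]]]
            cur.pid = int(m["pid"]) if m["pid"] else r.get("pid")
        elif (m := FRAME.match(line)) and cur is not None:
            if not m["unreliable"]:      # "? sym" entries are stale stack slots, not callers
                cur.frames.append(m["sym"])
        elif m := CACHE.search(line):
            r["cache"], r["obj_size"] = m["cache"], int(m["size"])
        elif m := OFFSET.search(line):
            r["offset"] = int(m["off"])
        else:
            cur = None                   # any other line ends the current stack section
    return r

def triage(r: dict) -> dict:
    """The facts that decide how the bug is filed: where, via which syscalls, and whether it raced."""
    use, alloc, free = r["use"], r["alloc"], r["free"]
    return {
        "kind": r["bug"],
        "use_site": use.site(), "alloc_site": alloc.site(), "free_site": free.site(),
        "use_syscall": use.syscall(), "alloc_syscall": alloc.syscall(), "free_syscall": free.syscall(),
        # Freed by a task other than the one still using it: two syscalls raced on shared state.
        "freed_by_other_task": free.pid is not None and free.pid != r["pid"],
        # The access lands inside the freed slab object: a stale pointer, not an overflow.
        "within_freed_object": r["bug"] == "use-after-free"
                               and 0 <= r["offset"] and r["offset"] + r["size"] <= r["obj_size"],
    }
```

Two choices matter here. Frames printed with a leading `?` are dropped because the kernel marks them as unreliable (values found on the stack that may be stale), which is why `__ia32_sys_shutdown` must not be mistaken for the entry syscall; the reliable `__x64_sys_sendmsg` frame is. And comparing the freeing task's PID against the accessing task's PID is what separates a sequential use-after-free from a lifetime race: on this report it flags that the leave path (tipc_sk_leave) in task 6308 freed the group while task 6307 was still transmitting with it.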