[ 40.464616][ T26] audit: type=1800 audit(1552235211.449:32): pid=7848 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op=collect_data cause=failed(directio) comm="startpar" name="ssh" dev="sda1" ino=2417 res=0
[ ok ] Starting periodic command scheduler: cron.
Starting mcstransd:
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ ok ] Starting file context maintaining daemon: restorecond.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login:
[ 45.242941][ T26] kauditd_printk_skb: 2 callbacks suppressed
[ 45.242956][ T26] audit: type=1400 audit(1552235216.319:35): avc: denied { map } for pid=8024 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
Warning: Permanently added '10.128.0.5' (ECDSA) to the list of known hosts.
executing program
executing program
executing program
executing program
executing program
executing program
[ 66.799069][ T26] audit: type=1400 audit(1552235237.879:36): avc: denied { map } for pid=8036 comm="syz-executor793" path="/root/syz-executor793341267" dev="sda1" ino=16484 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 66.813013][ T8046] device ifb0 entered promiscuous mode
[ 66.850960][ T8047] device ifb0 left promiscuous mode
executing program
[ 67.009596][ T8054] device ifb0 entered promiscuous mode
[ 67.018205][ T8050] device ifb0 left promiscuous mode
executing program
executing program
executing program
executing program
executing program
[ 67.221446][ T8074] device ifb0 entered promiscuous mode
[ 67.240350][ T8075] device ifb0 left promiscuous mode
executing program
[ 67.366635][ T8081] device ifb0 entered promiscuous mode
[ 67.375420][ T8091] device ifb0 left promiscuous mode
executing program
executing program
executing program
executing program
executing program
[ 67.478270][ T8102] device ifb0 entered promiscuous mode
[ 67.484903][ T8103] device ifb0 left promiscuous mode
executing program
[ 67.586617][ T8108] device ifb0 entered promiscuous mode
[ 67.595313][ T8115] device ifb0 left promiscuous mode
executing program
executing program
executing program
executing program
executing program
[ 67.666925][ T8124] device ifb0 entered promiscuous mode
[ 67.687810][ T8125] device ifb0 left promiscuous mode
executing program
[ 67.786658][ T8127] device ifb0 entered promiscuous mode
[ 67.793439][ T8136] device ifb0 left promiscuous mode
executing program
executing program
executing program
executing program
executing program
[ 67.910226][ T8146] device ifb0 entered promiscuous mode
[ 67.961510][ T8147] device ifb0 left promiscuous mode
[ 68.026607][ T8147] ==================================================================
[ 68.034815][ T8147] BUG: KASAN: use-after-free in x25_device_event+0x296/0x2b0
[ 68.042177][ T8147] Read of size 8 at addr ffff88809beca590 by task syz-executor793/8147
[ 68.050395][ T8147]
[ 68.052717][ T8147] CPU: 1 PID: 8147 Comm: syz-executor793 Not tainted 5.0.0+ #15
[ 68.060331][ T8147] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 68.070371][ T8147] Call Trace:
[ 68.073651][ T8147]  dump_stack+0x172/0x1f0
[ 68.077973][ T8147]  ? x25_device_event+0x296/0x2b0
[ 68.082997][ T8147]  print_address_description.cold+0x7c/0x20d
[ 68.088965][ T8147]  ? x25_device_event+0x296/0x2b0
[ 68.093979][ T8147]  ? x25_device_event+0x296/0x2b0
[ 68.098996][ T8147]  kasan_report.cold+0x1b/0x40
[ 68.103753][ T8147]  ? x25_device_event+0x296/0x2b0
[ 68.108773][ T8147]  __asan_report_load8_noabort+0x14/0x20
[ 68.114396][ T8147]  x25_device_event+0x296/0x2b0
[ 68.119245][ T8147]  notifier_call_chain+0xc7/0x240
[ 68.124269][ T8147]  raw_notifier_call_chain+0x2e/0x40
[ 68.129550][ T8147]  call_netdevice_notifiers_info+0x3f/0x90
[ 68.135349][ T8147]  __dev_notify_flags+0x1e9/0x2c0
[ 68.140456][ T8147]  ? dev_change_name+0xa00/0xa00
[ 68.145398][ T8147]  ? __dev_change_flags+0x513/0x6e0
[ 68.150619][ T8147]  ? dev_set_allmulti+0x30/0x30
[ 68.155467][ T8147]  ? mutex_trylock+0x1e0/0x1e0
[ 68.160221][ T8147]  ? find_held_lock+0x35/0x130
[ 68.164979][ T8147]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 68.171217][ T8147]  dev_change_flags+0x10d/0x170
[ 68.176067][ T8147]  dev_ifsioc+0x5bf/0x990
[ 68.180395][ T8147]  ? register_gifconf+0x70/0x70
[ 68.185247][ T8147]  dev_ioctl+0x1b8/0xc90
[ 68.189490][ T8147]  sock_do_ioctl+0x1bd/0x300
[ 68.194075][ T8147]  ? compat_ifr_data_ioctl+0x160/0x160
[ 68.199537][ T8147]  ? tomoyo_domain+0xc5/0x160
[ 68.204221][ T8147]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 68.210482][ T8147]  ? tomoyo_path_number_perm+0x263/0x520
[ 68.216111][ T8147]  sock_ioctl+0x32b/0x610
[ 68.220446][ T8147]  ? dlci_ioctl_set+0x40/0x40
[ 68.225143][ T8147]  ? ___might_sleep+0x163/0x280
[ 68.229992][ T8147]  ? dlci_ioctl_set+0x40/0x40
[ 68.234663][ T8147]  do_vfs_ioctl+0xd6e/0x1390
[ 68.239248][ T8147]  ? ioctl_preallocate+0x210/0x210
[ 68.244355][ T8147]  ? selinux_file_mprotect+0x620/0x620
[ 68.249802][ T8147]  ? __fget+0x381/0x550
[ 68.253951][ T8147]  ? ksys_dup3+0x3e0/0x3e0
[ 68.258369][ T8147]  ? tomoyo_file_ioctl+0x23/0x30
[ 68.263299][ T8147]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 68.269535][ T8147]  ? security_file_ioctl+0x93/0xc0
[ 68.274641][ T8147]  ksys_ioctl+0xab/0xd0
[ 68.278825][ T8147]  __x64_sys_ioctl+0x73/0xb0
[ 68.283438][ T8147]  do_syscall_64+0x103/0x610
[ 68.288050][ T8147]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 68.293947][ T8147] RIP: 0033:0x4467c9
[ 68.297833][ T8147] Code: e8 0c e8 ff ff 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 5b 07 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 68.317428][ T8147] RSP: 002b:00007f8b35e45d98 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 68.325829][ T8147] RAX: ffffffffffffffda RBX: 00000000006dbc58 RCX: 00000000004467c9
[ 68.333791][ T8147] RDX: 0000000020000340 RSI: 0000000000008914 RDI: 0000000000000003
[ 68.341748][ T8147] RBP: 00000000006dbc50 R08: 00007f8b35e46700 R09: 0000000000000000
[ 68.349707][ T8147] R10: 00007f8b35e46700 R11: 0000000000000246 R12: 00000000006dbc5c
[ 68.357666][ T8147] R13: 6000030030626669 R14: 0000000000000000 R15: 0000000030626669
[ 68.365633][ T8147]
[ 68.367949][ T8147] Allocated by task 8127:
[ 68.372269][ T8147]  save_stack+0x45/0xd0
[ 68.376416][ T8147]  __kasan_kmalloc.constprop.0+0xcf/0xe0
[ 68.382037][ T8147]  kasan_kmalloc+0x9/0x10
[ 68.386366][ T8147]  kmem_cache_alloc_trace+0x151/0x760
[ 68.391729][ T8147]  x25_link_device_up+0x46/0x3f0
[ 68.396653][ T8147]  x25_device_event+0x116/0x2b0
[ 68.401494][ T8147]  notifier_call_chain+0xc7/0x240
[ 68.406511][ T8147]  raw_notifier_call_chain+0x2e/0x40
[ 68.411819][ T8147]  call_netdevice_notifiers_info+0x3f/0x90
[ 68.417613][ T8147]  __dev_notify_flags+0x121/0x2c0
[ 68.422633][ T8147]  dev_change_flags+0x10d/0x170
[ 68.427494][ T8147]  dev_ifsioc+0x5bf/0x990
[ 68.431814][ T8147]  dev_ioctl+0x1b8/0xc90
[ 68.436079][ T8147]  sock_do_ioctl+0x1bd/0x300
[ 68.440658][ T8147]  sock_ioctl+0x32b/0x610
[ 68.444991][ T8147]  do_vfs_ioctl+0xd6e/0x1390
[ 68.449566][ T8147]  ksys_ioctl+0xab/0xd0
[ 68.453743][ T8147]  __x64_sys_ioctl+0x73/0xb0
[ 68.458353][ T8147]  do_syscall_64+0x103/0x610
[ 68.462931][ T8147]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 68.468802][ T8147]
[ 68.471115][ T8147] Freed by task 8136:
[ 68.475109][ T8147]  save_stack+0x45/0xd0
[ 68.479299][ T8147]  __kasan_slab_free+0x102/0x150
[ 68.484261][ T8147]  kasan_slab_free+0xe/0x10
[ 68.488754][ T8147]  kfree+0xcf/0x230
[ 68.492577][ T8147]  __x25_remove_neigh+0x187/0x1f0
[ 68.497633][ T8147]  x25_link_device_down+0xc7/0x130
[ 68.502757][ T8147]  x25_device_event+0x261/0x2b0
[ 68.507595][ T8147]  notifier_call_chain+0xc7/0x240
[ 68.512623][ T8147]  raw_notifier_call_chain+0x2e/0x40
[ 68.517900][ T8147]  call_netdevice_notifiers_info+0x3f/0x90
[ 68.523694][ T8147]  __dev_notify_flags+0x1e9/0x2c0
[ 68.528707][ T8147]  dev_change_flags+0x10d/0x170
[ 68.533548][ T8147]  dev_ifsioc+0x5bf/0x990
[ 68.537865][ T8147]  dev_ioctl+0x1b8/0xc90
[ 68.542097][ T8147]  sock_do_ioctl+0x1bd/0x300
[ 68.546686][ T8147]  sock_ioctl+0x32b/0x610
[ 68.551242][ T8147]  do_vfs_ioctl+0xd6e/0x1390
[ 68.555811][ T8147]  ksys_ioctl+0xab/0xd0
[ 68.559939][ T8147]  __x64_sys_ioctl+0x73/0xb0
[ 68.564504][ T8147]  do_syscall_64+0x103/0x610
[ 68.569068][ T8147]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 68.574927][ T8147]
[ 68.577232][ T8147] The buggy address belongs to the object at ffff88809beca580
[ 68.577232][ T8147]  which belongs to the cache kmalloc-256 of size 256
[ 68.591256][ T8147] The buggy address is located 16 bytes inside of
[ 68.591256][ T8147]  256-byte region [ffff88809beca580, ffff88809beca680)
[ 68.604769][ T8147] The buggy address belongs to the page:
[ 68.610395][ T8147] page:ffffea00026fb280 count:1 mapcount:0 mapping:ffff88812c3f07c0 index:0x0
[ 68.619229][ T8147] flags: 0x1fffc0000000200(slab)
[ 68.624171][ T8147] raw: 01fffc0000000200 ffffea00026d3a08 ffffea00027a96c8 ffff88812c3f07c0
[ 68.632749][ T8147] raw: 0000000000000000 ffff88809beca080 000000010000000c 0000000000000000
[ 68.641313][ T8147] page dumped because: kasan: bad access detected
[ 68.647732][ T8147]
[ 68.650045][ T8147] Memory state around the buggy address:
[ 68.655664][ T8147]  ffff88809beca480: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 68.663715][ T8147]  ffff88809beca500: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
[ 68.671764][ T8147] >ffff88809beca580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 68.680360][ T8147]                          ^
[ 68.684939][ T8147]  ffff88809beca600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 68.692989][ T8147]  ffff88809beca680: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
[ 68.701031][ T8147] ==================================================================
[ 68.709075][ T8147] Disabling lock debugging due to kernel taint
[ 68.715289][ T8147] Kernel panic - not syncing: panic_on_warn set ...
[ 68.721902][ T8147] CPU: 1 PID: 8147 Comm: syz-executor793 Tainted: G    B             5.0.0+ #15
[ 68.730899][ T8147] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 68.740937][ T8147] Call Trace:
[ 68.744220][ T8147]  dump_stack+0x172/0x1f0
[ 68.748544][ T8147]  panic+0x2cb/0x65c
[ 68.752427][ T8147]  ? __warn_printk+0xf3/0xf3
[ 68.757006][ T8147]  ? retint_kernel+0x2d/0x2d
[ 68.761590][ T8147]  ? trace_hardirqs_on+0x5e/0x230
[ 68.766604][ T8147]  ? x25_device_event+0x296/0x2b0
[ 68.771638][ T8147]  end_report+0x47/0x4f
[ 68.775797][ T8147]  ? x25_device_event+0x296/0x2b0
[ 68.780837][ T8147]  kasan_report.cold+0xe/0x40
[ 68.785505][ T8147]  ? x25_device_event+0x296/0x2b0
[ 68.790519][ T8147]  __asan_report_load8_noabort+0x14/0x20
[ 68.796148][ T8147]  x25_device_event+0x296/0x2b0
[ 68.800991][ T8147]  notifier_call_chain+0xc7/0x240
[ 68.806011][ T8147]  raw_notifier_call_chain+0x2e/0x40
[ 68.811288][ T8147]  call_netdevice_notifiers_info+0x3f/0x90
[ 68.817082][ T8147]  __dev_notify_flags+0x1e9/0x2c0
[ 68.822094][ T8147]  ? dev_change_name+0xa00/0xa00
[ 68.827024][ T8147]  ? __dev_change_flags+0x513/0x6e0
[ 68.832212][ T8147]  ? dev_set_allmulti+0x30/0x30
[ 68.837052][ T8147]  ? mutex_trylock+0x1e0/0x1e0
[ 68.841803][ T8147]  ? find_held_lock+0x35/0x130
[ 68.846559][ T8147]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 68.852790][ T8147]  dev_change_flags+0x10d/0x170
[ 68.857633][ T8147]  dev_ifsioc+0x5bf/0x990
[ 68.861964][ T8147]  ? register_gifconf+0x70/0x70
[ 68.866820][ T8147]  dev_ioctl+0x1b8/0xc90
[ 68.871053][ T8147]  sock_do_ioctl+0x1bd/0x300
[ 68.875635][ T8147]  ? compat_ifr_data_ioctl+0x160/0x160
[ 68.881093][ T8147]  ? tomoyo_domain+0xc5/0x160
[ 68.885764][ T8147]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 68.891994][ T8147]  ? tomoyo_path_number_perm+0x263/0x520
[ 68.897616][ T8147]  sock_ioctl+0x32b/0x610
[ 68.901942][ T8147]  ? dlci_ioctl_set+0x40/0x40
[ 68.906608][ T8147]  ? ___might_sleep+0x163/0x280
[ 68.911458][ T8147]  ? dlci_ioctl_set+0x40/0x40
[ 68.916124][ T8147]  do_vfs_ioctl+0xd6e/0x1390
[ 68.920728][ T8147]  ? ioctl_preallocate+0x210/0x210
[ 68.925833][ T8147]  ? selinux_file_mprotect+0x620/0x620
[ 68.931278][ T8147]  ? __fget+0x381/0x550
[ 68.935427][ T8147]  ? ksys_dup3+0x3e0/0x3e0
[ 68.939838][ T8147]  ? tomoyo_file_ioctl+0x23/0x30
[ 68.944769][ T8147]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 68.950998][ T8147]  ? security_file_ioctl+0x93/0xc0
[ 68.956096][ T8147]  ksys_ioctl+0xab/0xd0
[ 68.960249][ T8147]  __x64_sys_ioctl+0x73/0xb0
[ 68.964832][ T8147]  do_syscall_64+0x103/0x610
[ 68.969415][ T8147]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 68.975295][ T8147] RIP: 0033:0x4467c9
[ 68.979182][ T8147] Code: e8 0c e8 ff ff 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 5b 07 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 68.998785][ T8147] RSP: 002b:00007f8b35e45d98 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 69.007183][ T8147] RAX: ffffffffffffffda RBX: 00000000006dbc58 RCX: 00000000004467c9
[ 69.015145][ T8147] RDX: 0000000020000340 RSI: 0000000000008914 RDI: 0000000000000003
[ 69.023118][ T8147] RBP: 00000000006dbc50 R08: 00007f8b35e46700 R09: 0000000000000000
[ 69.031097][ T8147] R10: 00007f8b35e46700 R11: 0000000000000246 R12: 00000000006dbc5c
[ 69.039065][ T8147] R13: 6000030030626669 R14: 0000000000000000 R15: 0000000030626669
[ 69.047695][ T8147] Kernel Offset: disabled
[ 69.052008][ T8147] Rebooting in 86400 seconds..