[....] Starting enhanced syslogd: rsyslogd[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[ ok 8[?25h[?0c. [ 28.927651] kauditd_printk_skb: 8 callbacks suppressed [ 28.927663] audit: type=1800 audit(1545072909.930:29): pid=5876 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="rc.local" dev="sda1" ino=2432 res=0 [ 28.960204] audit: type=1800 audit(1545072909.930:30): pid=5876 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="rmnologin" dev="sda1" ino=2423 res=0 Debian GNU/Linux 7 syzkaller ttyS0 Warning: Permanently added '10.128.0.7' (ECDSA) to the list of known hosts. executing program syzkaller login: [ 40.506634] ================================================================== [ 40.514127] BUG: KASAN: use-after-free in tipc_group_bc_cong+0x327/0x3f0 [ 40.520954] Read of size 2 at addr ffff8881d8adfa74 by task syz-executor710/6030 [ 40.528467] [ 40.530080] CPU: 0 PID: 6030 Comm: syz-executor710 Not tainted 4.20.0-rc7+ #278 [ 40.537504] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 40.546838] Call Trace: [ 40.549411] dump_stack+0x244/0x39d [ 40.553037] ? dump_stack_print_info.cold.1+0x20/0x20 [ 40.558207] ? printk+0xa7/0xcf [ 40.561485] ? kmsg_dump_rewind_nolock+0xe4/0xe4 [ 40.566222] ? _raw_spin_unlock_irqrestore+0x82/0xd0 [ 40.571312] print_address_description.cold.7+0x9/0x1ff [ 40.576674] kasan_report.cold.8+0x242/0x309 [ 40.581064] ? tipc_group_bc_cong+0x327/0x3f0 [ 40.585561] __asan_report_load2_noabort+0x14/0x20 [ 40.590474] tipc_group_bc_cong+0x327/0x3f0 [ 40.594780] ? _raw_spin_unlock_irqrestore+0x6d/0xd0 [ 40.599936] ? tipc_group_cong+0x5d0/0x5d0 [ 40.604156] ? remove_wait_queue+0x1a6/0x360 [ 40.608549] ? add_wait_queue+0x2b0/0x2b0 [ 40.612682] ? __local_bh_enable_ip+0x160/0x260 [ 40.617338] tipc_send_group_bcast+0x50a/0xd90 [ 40.621913] ? tipc_sk_sock_err.isra.61+0x2f0/0x2f0 [ 40.626931] ? __init_waitqueue_head+0x150/0x150 [ 40.631690] ? perf_trace_sched_process_exec+0x860/0x860 [ 40.637129] ? mark_held_locks+0x130/0x130 [ 40.641344] ? __might_sleep+0x95/0x190 [ 40.645331] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 40.650906] ? futex_wait_queue_me+0x55d/0x840 [ 40.655472] ? refill_pi_state_cache.part.8+0x310/0x310 [ 40.660820] __tipc_sendmsg+0xeec/0x1d40 [ 40.664873] ? get_futex_value_locked+0xcb/0xf0 [ 40.669544] ? futex_wait_setup+0x266/0x3e0 [ 40.673849] ? tipc_sendmcast+0xf50/0xf50 [ 40.677990] ? zap_class+0x640/0x640 [ 40.681688] ? print_usage_bug+0xc0/0xc0 [ 40.685739] ? find_held_lock+0x36/0x1c0 [ 40.689803] ? mark_held_locks+0xc7/0x130 [ 40.693950] ? __local_bh_enable_ip+0x160/0x260 [ 40.698600] ? __local_bh_enable_ip+0x160/0x260 [ 40.703269] ? lockdep_hardirqs_on+0x3bb/0x5b0 [ 40.707838] ? trace_hardirqs_on+0xbd/0x310 [ 40.712151] ? lock_release+0xa00/0xa00 [ 40.716106] ? lock_sock_nested+0xe2/0x120 [ 40.720323] ? trace_hardirqs_off_caller+0x310/0x310 [ 40.725406] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 40.730934] ? check_preemption_disabled+0x48/0x280 [ 40.735944] ? lock_sock_nested+0x9a/0x120 [ 40.740164] ? lock_sock_nested+0x9a/0x120 [ 40.744382] ? __local_bh_enable_ip+0x160/0x260 [ 40.749045] tipc_sendmsg+0x50/0x70 [ 40.752671] ? __tipc_sendmsg+0x1d40/0x1d40 [ 40.757005] sock_sendmsg+0xd5/0x120 [ 40.760720] ___sys_sendmsg+0x51d/0x930 [ 40.764676] ? zap_class+0x640/0x640 [ 40.768382] ? copy_msghdr_from_user+0x580/0x580 [ 40.773125] ? find_held_lock+0x36/0x1c0 [ 40.777174] ? __fget_light+0x2e9/0x430 [ 40.781131] ? fget_raw+0x20/0x20 [ 40.784583] ? trace_hardirqs_on+0xbd/0x310 [ 40.788894] ? _raw_spin_unlock_bh+0x30/0x40 [ 40.793302] ? trace_hardirqs_off_caller+0x310/0x310 [ 40.798393] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 40.803929] ? check_preemption_disabled+0x48/0x280 [ 40.808952] ? release_sock+0x1ec/0x2c0 [ 40.812928] ? release_sock+0x1ec/0x2c0 [ 40.816934] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 40.822497] ? sockfd_lookup_light+0xc5/0x160 [ 40.827023] __sys_sendmmsg+0x3af/0x6d0 [ 40.831024] ? __ia32_sys_sendmsg+0xb0/0xb0 [ 40.835346] ? tipc_setsockopt+0x726/0xd70 [ 40.839566] ? rcvbuf_limit+0x2c0/0x2c0 [ 40.843557] ? aa_sock_opt_perm.isra.13+0xa1/0x130 [ 40.848485] ? do_fast_syscall_32+0x150/0xfb2 [ 40.852965] ? do_fast_syscall_32+0x150/0xfb2 [ 40.857457] ? lockdep_hardirqs_on+0x3bb/0x5b0 [ 40.862034] ? trace_hardirqs_on+0xbd/0x310 [ 40.866336] ? find_vma+0x34/0x190 [ 40.869860] ? entry_SYSENTER_compat+0x70/0x7f [ 40.874430] ? trace_hardirqs_off_caller+0x310/0x310 [ 40.879516] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 40.885037] __ia32_compat_sys_sendmmsg+0x9f/0x100 [ 40.889957] do_fast_syscall_32+0x34d/0xfb2 [ 40.894264] ? do_int80_syscall_32+0x890/0x890 [ 40.898831] ? entry_SYSENTER_compat+0x68/0x7f [ 40.903396] ? trace_hardirqs_off_caller+0xbb/0x310 [ 40.908398] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 40.913240] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 40.918068] ? trace_hardirqs_on_caller+0x310/0x310 [ 40.923066] ? prepare_exit_to_usermode+0x3b0/0x3b0 [ 40.928065] ? prepare_exit_to_usermode+0x291/0x3b0 [ 40.933067] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 40.937903] entry_SYSENTER_compat+0x70/0x7f [ 40.942305] RIP: 0023:0xf7fe0a29 [ 40.945656] Code: 85 d2 74 02 89 0a 5b 5d c3 8b 04 24 c3 8b 14 24 c3 8b 3c 24 c3 90 90 90 90 90 90 90 90 90 90 90 90 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 eb 0d 90 90 90 90 90 90 90 90 90 90 90 90 [ 40.964584] RSP: 002b:00000000f7fdc1ec EFLAGS: 00000296 ORIG_RAX: 0000000000000159 [ 40.972289] RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 0000000020000000 [ 40.979543] RDX: 0000000000000142 RSI: 0000000000000000 RDI: 0000000000000010 [ 40.986794] RBP: 0000000000000004 R08: 0000000000000000 R09: 0000000000000000 [ 40.994046] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000 [ 41.001298] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 [ 41.008555] [ 41.010163] Allocated by task 6030: [ 41.013774] save_stack+0x43/0xd0 [ 41.017210] kasan_kmalloc+0xc7/0xe0 [ 41.020908] kmem_cache_alloc_trace+0x152/0x750 [ 41.025573] tipc_group_create+0x152/0xa70 [ 41.029791] tipc_setsockopt+0x2d1/0xd70 [ 41.033834] __compat_sys_setsockopt+0x329/0x860 [ 41.038572] __ia32_compat_sys_setsockopt+0xbd/0x150 [ 41.043657] do_fast_syscall_32+0x34d/0xfb2 [ 41.047975] entry_SYSENTER_compat+0x70/0x7f [ 41.052359] [ 41.053969] Freed by task 6031: [ 41.057231] save_stack+0x43/0xd0 [ 41.060666] __kasan_slab_free+0x102/0x150 [ 41.064889] kasan_slab_free+0xe/0x10 [ 41.068689] kfree+0xcf/0x230 [ 41.071780] tipc_group_delete+0x2e4/0x3f0 [ 41.075996] tipc_sk_leave+0x113/0x220 [ 41.079872] tipc_setsockopt+0x97d/0xd70 [ 41.083925] __compat_sys_setsockopt+0x329/0x860 [ 41.088662] __ia32_compat_sys_setsockopt+0xbd/0x150 [ 41.093745] do_fast_syscall_32+0x34d/0xfb2 [ 41.098050] entry_SYSENTER_compat+0x70/0x7f [ 41.102434] [ 41.104046] The buggy address belongs to the object at ffff8881d8adfa00 [ 41.104046] which belongs to the cache kmalloc-192 of size 192 [ 41.116681] The buggy address is located 116 bytes inside of [ 41.116681] 192-byte region [ffff8881d8adfa00, ffff8881d8adfac0) [ 41.128532] The buggy address belongs to the page: [ 41.133464] page:ffffea000762b7c0 count:1 mapcount:0 mapping:ffff8881da800040 index:0xffff8881d8adfc00 [ 41.142894] flags: 0x2fffc0000000200(slab) [ 41.147117] raw: 02fffc0000000200 ffffea0007479708 ffffea000762af08 ffff8881da800040 [ 41.154981] raw: ffff8881d8adfc00 ffff8881d8adf000 0000000100000005 0000000000000000 [ 41.162839] page dumped because: kasan: bad access detected [ 41.168527] [ 41.170134] Memory state around the buggy address: [ 41.175050] ffff8881d8adf900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 41.182390] ffff8881d8adf980: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 41.189733] >ffff8881d8adfa00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 41.197070] ^ [ 41.204064] ffff8881d8adfa80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 41.211420] ffff8881d8adfb00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 41.218772] ================================================================== [ 41.226108] Disabling lock debugging due to kernel taint [ 41.232061] Kernel panic - not syncing: panic_on_warn set ... [ 41.237958] CPU: 0 PID: 6030 Comm: syz-executor710 Tainted: G B 4.20.0-rc7+ #278 [ 41.246776] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 41.256108] Call Trace: [ 41.258676] dump_stack+0x244/0x39d [ 41.262283] ? dump_stack_print_info.cold.1+0x20/0x20 [ 41.267662] panic+0x2ad/0x55c [ 41.270836] ? add_taint.cold.5+0x16/0x16 [ 41.274964] ? preempt_schedule+0x4d/0x60 [ 41.279124] ? ___preempt_schedule+0x16/0x18 [ 41.283514] ? trace_hardirqs_on+0xb4/0x310 [ 41.287820] kasan_end_report+0x47/0x4f [ 41.291775] kasan_report.cold.8+0x76/0x309 [ 41.296080] ? tipc_group_bc_cong+0x327/0x3f0 [ 41.300575] __asan_report_load2_noabort+0x14/0x20 [ 41.305486] tipc_group_bc_cong+0x327/0x3f0 [ 41.309819] ? _raw_spin_unlock_irqrestore+0x6d/0xd0 [ 41.314915] ? tipc_group_cong+0x5d0/0x5d0 [ 41.319133] ? remove_wait_queue+0x1a6/0x360 [ 41.323525] ? add_wait_queue+0x2b0/0x2b0 [ 41.327653] ? __local_bh_enable_ip+0x160/0x260 [ 41.332304] tipc_send_group_bcast+0x50a/0xd90 [ 41.336880] ? tipc_sk_sock_err.isra.61+0x2f0/0x2f0 [ 41.341900] ? __init_waitqueue_head+0x150/0x150 [ 41.346637] ? perf_trace_sched_process_exec+0x860/0x860 [ 41.352073] ? mark_held_locks+0x130/0x130 [ 41.356284] ? __might_sleep+0x95/0x190 [ 41.360243] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 41.365760] ? futex_wait_queue_me+0x55d/0x840 [ 41.370322] ? refill_pi_state_cache.part.8+0x310/0x310 [ 41.375668] __tipc_sendmsg+0xeec/0x1d40 [ 41.379714] ? get_futex_value_locked+0xcb/0xf0 [ 41.384362] ? futex_wait_setup+0x266/0x3e0 [ 41.388669] ? tipc_sendmcast+0xf50/0xf50 [ 41.392800] ? zap_class+0x640/0x640 [ 41.396496] ? print_usage_bug+0xc0/0xc0 [ 41.400571] ? find_held_lock+0x36/0x1c0 [ 41.404635] ? mark_held_locks+0xc7/0x130 [ 41.408767] ? __local_bh_enable_ip+0x160/0x260 [ 41.413415] ? __local_bh_enable_ip+0x160/0x260 [ 41.418063] ? lockdep_hardirqs_on+0x3bb/0x5b0 [ 41.422629] ? trace_hardirqs_on+0xbd/0x310 [ 41.426948] ? lock_release+0xa00/0xa00 [ 41.430919] ? lock_sock_nested+0xe2/0x120 [ 41.435136] ? trace_hardirqs_off_caller+0x310/0x310 [ 41.440223] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 41.445742] ? check_preemption_disabled+0x48/0x280 [ 41.450748] ? lock_sock_nested+0x9a/0x120 [ 41.454971] ? lock_sock_nested+0x9a/0x120 [ 41.459188] ? __local_bh_enable_ip+0x160/0x260 [ 41.463840] tipc_sendmsg+0x50/0x70 [ 41.467462] ? __tipc_sendmsg+0x1d40/0x1d40 [ 41.471764] sock_sendmsg+0xd5/0x120 [ 41.475460] ___sys_sendmsg+0x51d/0x930 [ 41.479414] ? zap_class+0x640/0x640 [ 41.483112] ? copy_msghdr_from_user+0x580/0x580 [ 41.487881] ? find_held_lock+0x36/0x1c0 [ 41.491966] ? __fget_light+0x2e9/0x430 [ 41.495933] ? fget_raw+0x20/0x20 [ 41.499388] ? trace_hardirqs_on+0xbd/0x310 [ 41.503692] ? _raw_spin_unlock_bh+0x30/0x40 [ 41.508096] ? trace_hardirqs_off_caller+0x310/0x310 [ 41.513177] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 41.518694] ? check_preemption_disabled+0x48/0x280 [ 41.523687] ? release_sock+0x1ec/0x2c0 [ 41.527640] ? release_sock+0x1ec/0x2c0 [ 41.531604] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 41.537122] ? sockfd_lookup_light+0xc5/0x160 [ 41.541600] __sys_sendmmsg+0x3af/0x6d0 [ 41.545555] ? __ia32_sys_sendmsg+0xb0/0xb0 [ 41.549856] ? tipc_setsockopt+0x726/0xd70 [ 41.554082] ? rcvbuf_limit+0x2c0/0x2c0 [ 41.558039] ? aa_sock_opt_perm.isra.13+0xa1/0x130 [ 41.562970] ? do_fast_syscall_32+0x150/0xfb2 [ 41.567450] ? do_fast_syscall_32+0x150/0xfb2 [ 41.571925] ? lockdep_hardirqs_on+0x3bb/0x5b0 [ 41.576501] ? trace_hardirqs_on+0xbd/0x310 [ 41.580804] ? find_vma+0x34/0x190 [ 41.584342] ? entry_SYSENTER_compat+0x70/0x7f [ 41.588913] ? trace_hardirqs_off_caller+0x310/0x310 [ 41.593998] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 41.599516] __ia32_compat_sys_sendmmsg+0x9f/0x100 [ 41.604439] do_fast_syscall_32+0x34d/0xfb2 [ 41.608742] ? do_int80_syscall_32+0x890/0x890 [ 41.613320] ? entry_SYSENTER_compat+0x68/0x7f [ 41.617894] ? trace_hardirqs_off_caller+0xbb/0x310 [ 41.622897] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 41.627736] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 41.632590] ? trace_hardirqs_on_caller+0x310/0x310 [ 41.637589] ? prepare_exit_to_usermode+0x3b0/0x3b0 [ 41.642584] ? prepare_exit_to_usermode+0x291/0x3b0 [ 41.647583] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 41.652406] entry_SYSENTER_compat+0x70/0x7f [ 41.656795] RIP: 0023:0xf7fe0a29 [ 41.660142] Code: 85 d2 74 02 89 0a 5b 5d c3 8b 04 24 c3 8b 14 24 c3 8b 3c 24 c3 90 90 90 90 90 90 90 90 90 90 90 90 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 eb 0d 90 90 90 90 90 90 90 90 90 90 90 90 [ 41.679042] RSP: 002b:00000000f7fdc1ec EFLAGS: 00000296 ORIG_RAX: 0000000000000159 [ 41.686730] RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 0000000020000000 [ 41.693982] RDX: 0000000000000142 RSI: 0000000000000000 RDI: 0000000000000010 [ 41.701234] RBP: 0000000000000004 R08: 0000000000000000 R09: 0000000000000000 [ 41.708500] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000 [ 41.715748] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 [ 41.723916] Kernel Offset: disabled [ 41.727539] Rebooting in 86400 seconds..