[   35.539657] audit: type=1800 audit(1552229574.398:28): pid=7548 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="ssh" dev="sda1" ino=2417 res=0
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[   36.358797] audit: type=1800 audit(1552229575.308:29): pid=7548 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="rc.local" dev="sda1" ino=2432 res=0
[   36.378279] audit: type=1800 audit(1552229575.308:30): pid=7548 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="rmnologin" dev="sda1" ino=2423 res=0
[FAIL] startpar: service(s) returned failure: ssh ... failed!

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.44' (ECDSA) to the list of known hosts.
executing program
executing program
executing program
executing program
executing program
executing program

syzkaller login: [   47.314895] device ifb0 entered promiscuous mode
[   47.330370] device ifb0 left promiscuous mode
executing program
[   47.450070] device ifb0 entered promiscuous mode
[   47.550022] device ifb0 left promiscuous mode
executing program
[   47.688024] device ifb0 entered promiscuous mode
[   47.747270] device ifb0 left promiscuous mode
executing program
executing program
executing program
executing program
[   47.818743] device ifb0 entered promiscuous mode
[   47.861200] device ifb0 left promiscuous mode
executing program
[   47.918466] device ifb0 entered promiscuous mode
[   47.924418] device ifb0 left promiscuous mode
executing program
[   48.026368] device ifb0 entered promiscuous mode
[   48.072816] device ifb0 left promiscuous mode
executing program
executing program
executing program
executing program
[   48.137259] device ifb0 entered promiscuous mode
[   48.145869] device ifb0 left promiscuous mode
executing program
[   48.235725] device ifb0 entered promiscuous mode
[   48.241676] device ifb0 left promiscuous mode
executing program
[   48.345824] device ifb0 entered promiscuous mode
[   48.351527] device ifb0 left promiscuous mode
executing program
executing program
executing program
executing program
[   48.448590] device ifb0 entered promiscuous mode
[   48.501328] device ifb0 left promiscuous mode
executing program
[   48.566595] device ifb0 entered promiscuous mode
[   48.605165] device ifb0 left promiscuous mode
executing program
[   48.666561] device ifb0 entered promiscuous mode
[   48.713954] device ifb0 left promiscuous mode
executing program
executing program
executing program
executing program
[   48.778504] device ifb0 entered promiscuous mode
[   48.785217] device ifb0 left promiscuous mode
executing program
[   48.883831] device ifb0 entered promiscuous mode
[   48.928188] device ifb0 left promiscuous mode
executing program
[   48.994105] device ifb0 entered promiscuous mode
[   49.035225] device ifb0 left promiscuous mode
[   49.096054] ==================================================================
[   49.103554] BUG: KASAN: use-after-free in x25_device_event+0x296/0x2b0
[   49.110233] Read of size 8 at addr ffff8880a030edd0 by task syz-executor003/7854
[   49.117758]
[   49.119385] CPU: 0 PID: 7854 Comm: syz-executor003 Not tainted 5.0.0+ #97
[   49.126303] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   49.135652] Call Trace:
[   49.138253]  dump_stack+0x172/0x1f0
[   49.141878]  ? x25_device_event+0x296/0x2b0
[   49.146210]  print_address_description.cold+0x7c/0x20d
[   49.151481]  ? x25_device_event+0x296/0x2b0
[   49.155791]  ? x25_device_event+0x296/0x2b0
[   49.160093]  kasan_report.cold+0x1b/0x40
[   49.164133]  ? x25_device_event+0x296/0x2b0
[   49.168439]  __asan_report_load8_noabort+0x14/0x20
[   49.173348]  x25_device_event+0x296/0x2b0
[   49.177478]  notifier_call_chain+0xc7/0x240
[   49.181785]  raw_notifier_call_chain+0x2e/0x40
[   49.186353]  call_netdevice_notifiers_info+0x3f/0x90
[   49.191514]  __dev_notify_flags+0x1e9/0x2c0
[   49.195859]  ? dev_change_name+0xa00/0xa00
[   49.200218]  ? __dev_change_flags+0x513/0x6e0
[   49.204697]  ? dev_set_allmulti+0x30/0x30
[   49.208831]  ? mutex_trylock+0x1e0/0x1e0
[   49.212908]  ? find_held_lock+0x35/0x130
[   49.216983]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   49.222510]  dev_change_flags+0x10d/0x170
[   49.226654]  dev_ifsioc+0x2b0/0x940
[   49.230266]  ? register_gifconf+0x70/0x70
[   49.234407]  dev_ioctl+0x1b8/0xc70
[   49.237936]  sock_do_ioctl+0x1bd/0x300
[   49.241804]  ? compat_ifr_data_ioctl+0x160/0x160
[   49.246562]  ? mark_held_locks+0x100/0x100
[   49.250781]  sock_ioctl+0x32b/0x610
[   49.254389]  ? dlci_ioctl_set+0x40/0x40
[   49.258344]  ? __fget+0x340/0x540
[   49.261776]  ? find_held_lock+0x35/0x130
[   49.265817]  ? __fget+0x340/0x540
[   49.269253]  ? dlci_ioctl_set+0x40/0x40
[   49.273312]  do_vfs_ioctl+0xd6e/0x1390
[   49.277187]  ? ioctl_preallocate+0x210/0x210
[   49.281577]  ? __fget+0x367/0x540
[   49.285137]  ? iterate_fd+0x360/0x360
[   49.288925]  ? calculate_sigpending+0x87/0xa0
[   49.293404]  ? security_file_ioctl+0x93/0xc0
[   49.297801]  ksys_ioctl+0xab/0xd0
[   49.301238]  __x64_sys_ioctl+0x73/0xb0
[   49.305118]  do_syscall_64+0x103/0x610
[   49.309001]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   49.314175] RIP: 0033:0x4467c9
[   49.317365] Code: e8 0c e8 ff ff 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 5b 07 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[   49.336249] RSP: 002b:00007fdbea222d98 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[   49.343952] RAX: ffffffffffffffda RBX: 00000000006dbc58 RCX: 00000000004467c9
[   49.351200] RDX: 0000000020000340 RSI: 0000000000008914 RDI: 0000000000000003
[   49.358448] RBP: 00000000006dbc50 R08: 00007fdbea223700 R09: 0000000000000000
[   49.365714] R10: 00007fdbea223700 R11: 0000000000000246 R12: 00000000006dbc5c
[   49.372962] R13: 6000030030626669 R14: 0000000000000000 R15: 0000000030626669
[   49.380217]
[   49.381822] Allocated by task 7843:
[   49.385429]  save_stack+0x45/0xd0
[   49.388870]  __kasan_kmalloc.constprop.0+0xcf/0xe0
[   49.393779]  kasan_kmalloc+0x9/0x10
[   49.397384]  kmem_cache_alloc_trace+0x151/0x760
[   49.402031]  x25_link_device_up+0x46/0x3f0
[   49.406244]  x25_device_event+0x116/0x2b0
[   49.410385]  notifier_call_chain+0xc7/0x240
[   49.414686]  raw_notifier_call_chain+0x2e/0x40
[   49.419248]  call_netdevice_notifiers_info+0x3f/0x90
[   49.424330]  __dev_notify_flags+0x121/0x2c0
[   49.428646]  dev_change_flags+0x10d/0x170
[   49.432774]  dev_ifsioc+0x2b0/0x940
[   49.436381]  dev_ioctl+0x1b8/0xc70
[   49.439903]  sock_do_ioctl+0x1bd/0x300
[   49.443769]  sock_ioctl+0x32b/0x610
[   49.447376]  do_vfs_ioctl+0xd6e/0x1390
[   49.451240]  ksys_ioctl+0xab/0xd0
[   49.454669]  __x64_sys_ioctl+0x73/0xb0
[   49.458547]  do_syscall_64+0x103/0x610
[   49.462419]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   49.467598]
[   49.469204] Freed by task 7865:
[   49.472463]  save_stack+0x45/0xd0
[   49.475895]  __kasan_slab_free+0x102/0x150
[   49.480109]  kasan_slab_free+0xe/0x10
[   49.483887]  kfree+0xcf/0x230
[   49.486995]  x25_connect+0x8d8/0xde0
[   49.490704]  __sys_connect+0x266/0x330
[   49.494572]  __x64_sys_connect+0x73/0xb0
[   49.498614]  do_syscall_64+0x103/0x610
[   49.502482]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   49.507646]
[   49.509254] The buggy address belongs to the object at ffff8880a030edc0
[   49.509254]  which belongs to the cache kmalloc-256 of size 256
[   49.521905] The buggy address is located 16 bytes inside of
[   49.521905]  256-byte region [ffff8880a030edc0, ffff8880a030eec0)
[   49.533684] The buggy address belongs to the page:
[   49.538597] page:ffffea000280c380 count:1 mapcount:0 mapping:ffff88812c3f07c0 index:0x0
[   49.546732] flags: 0x1fffc0000000200(slab)
[   49.550948] raw: 01fffc0000000200 ffffea0002806788 ffffea00027f0188 ffff88812c3f07c0
[   49.558811] raw: 0000000000000000 ffff8880a030e000 000000010000000c 0000000000000000
[   49.566666] page dumped because: kasan: bad access detected
[   49.572348]
[   49.573948] Memory state around the buggy address:
[   49.578858]  ffff8880a030ec80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   49.586206]  ffff8880a030ed00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   49.593559] >ffff8880a030ed80: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[   49.600897]                                                  ^
[   49.606848]  ffff8880a030ee00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   49.614184]  ffff8880a030ee80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   49.621519] ==================================================================
[   49.628904] Disabling lock debugging due to kernel taint
[   49.634426] Kernel panic - not syncing: panic_on_warn set ...
[   49.640333] CPU: 0 PID: 7854 Comm: syz-executor003 Tainted: G    B             5.0.0+ #97
[   49.648638] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   49.657978] Call Trace:
[   49.660571]  dump_stack+0x172/0x1f0
[   49.664195]  panic+0x2cb/0x65c
[   49.667379]  ? __warn_printk+0xf3/0xf3
[   49.671257]  ? retint_kernel+0x2d/0x2d
[   49.675138]  ? trace_hardirqs_on+0x5e/0x230
[   49.679457]  ? x25_device_event+0x296/0x2b0
[   49.683864]  end_report+0x47/0x4f
[   49.687308]  ? x25_device_event+0x296/0x2b0
[   49.691622]  kasan_report.cold+0xe/0x40
[   49.696067]  ? x25_device_event+0x296/0x2b0
[   49.700387]  __asan_report_load8_noabort+0x14/0x20
[   49.705304]  x25_device_event+0x296/0x2b0
[   49.709448]  notifier_call_chain+0xc7/0x240
[   49.713764]  raw_notifier_call_chain+0x2e/0x40
[   49.718342]  call_netdevice_notifiers_info+0x3f/0x90
[   49.723438]  __dev_notify_flags+0x1e9/0x2c0
[   49.727751]  ? dev_change_name+0xa00/0xa00
[   49.731975]  ? __dev_change_flags+0x513/0x6e0
[   49.736464]  ? dev_set_allmulti+0x30/0x30
[   49.740606]  ? mutex_trylock+0x1e0/0x1e0
[   49.744657]  ? find_held_lock+0x35/0x130
[   49.748709]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   49.754239]  dev_change_flags+0x10d/0x170
[   49.758402]  dev_ifsioc+0x2b0/0x940
[   49.762025]  ? register_gifconf+0x70/0x70
[   49.766168]  dev_ioctl+0x1b8/0xc70
[   49.769702]  sock_do_ioctl+0x1bd/0x300
[   49.773598]  ? compat_ifr_data_ioctl+0x160/0x160
[   49.779026]  ? mark_held_locks+0x100/0x100
[   49.783255]  sock_ioctl+0x32b/0x610
[   49.786877]  ? dlci_ioctl_set+0x40/0x40
[   49.790841]  ? __fget+0x340/0x540
[   49.794286]  ? find_held_lock+0x35/0x130
[   49.798340]  ? __fget+0x340/0x540
[   49.801801]  ? dlci_ioctl_set+0x40/0x40
[   49.805772]  do_vfs_ioctl+0xd6e/0x1390
[   49.809655]  ? ioctl_preallocate+0x210/0x210
[   49.814055]  ? __fget+0x367/0x540
[   49.817502]  ? iterate_fd+0x360/0x360
[   49.821299]  ? calculate_sigpending+0x87/0xa0
[   49.826030]  ? security_file_ioctl+0x93/0xc0
[   49.830435]  ksys_ioctl+0xab/0xd0
[   49.833882]  __x64_sys_ioctl+0x73/0xb0
[   49.837768]  do_syscall_64+0x103/0x610
[   49.841656]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   49.846834] RIP: 0033:0x4467c9
[   49.850021] Code: e8 0c e8 ff ff 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 5b 07 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[   49.868911] RSP: 002b:00007fdbea222d98 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[   49.876607] RAX: ffffffffffffffda RBX: 00000000006dbc58 RCX: 00000000004467c9
[   49.883866] RDX: 0000000020000340 RSI: 0000000000008914 RDI: 0000000000000003
[   49.891127] RBP: 00000000006dbc50 R08: 00007fdbea223700 R09: 0000000000000000
[   49.898386] R10: 00007fdbea223700 R11: 0000000000000246 R12: 00000000006dbc5c
[   49.905646] R13: 6000030030626669 R14: 0000000000000000 R15: 0000000030626669
[   49.913573] Kernel Offset: disabled
[   49.917191] Rebooting in 86400 seconds..
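The three stacks in the report above already tell the lifecycle story once they are lined up: a kmalloc-256 object allocated by x25_link_device_up from inside the netdevice notifier during an ioctl (RSI holds 0x8914, which is SIOCSIFFLAGS, consistent with dev_change_flags on the stack), freed by kfree in x25_connect from a second task's connect(2), then read 16 bytes into the freed region by x25_device_event from a third task's ioctl. The following triage helper is an added example, not part of the syzbot report or of the kernel tree: it parses a KASAN report into those three legs and names the first non-instrumentation frame and the syscall on each. The PLUMBING prefix list and the regular expressions are this example's own heuristics, and REPORT is an excerpt of the log above trimmed to the lines the parser needs.

```python
"""Triage helper for a KASAN report like the x25 one above.

Added example, not part of the syzbot report or of the kernel tree. It strips
console timestamps, extracts the bug class, the faulting access and the
access / allocation / free stacks, then reduces each stack to its first
subsystem frame (skipping sanitizer and allocator plumbing) and the syscall
that reached it. PLUMBING and the regexes are this example's own heuristics.
"""
import re

TS = re.compile(r"^\[\s*\d+\.\d+\]\s?")  # console timestamp prefix
BUG = re.compile(r"BUG: KASAN: (?P<kind>[\w-]+) in (?P<func>[\w.]+)\+0x")
ACCESS = re.compile(r"(?P<op>Read|Write) of size (?P<size>\d+) at addr (?P<addr>[0-9a-f]+)"
                    r" by task (?P<comm>\S+)/(?P<pid>\d+)")
TASK_HDR = re.compile(r"^(?P<what>Allocated|Freed) by task (?P<pid>\d+):")
FRAME = re.compile(r"^\s*(?P<guess>\? )?(?P<func>[\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+$")
OBJ = re.compile(r"belongs to the object at (?P<base>[0-9a-f]+)")
CACHE = re.compile(r"cache (?P<cache>\S+) of size (?P<size>\d+)")
REGS = re.compile(r"\b(RDI|RSI|RDX): ([0-9a-f]{16})")
# Frames that are sanitizer/allocator machinery rather than the subsystem owning the object.
PLUMBING = ("save_stack", "kasan_", "__kasan_", "kmem_cache_", "kmalloc", "kfree",
            "__asan_", "dump_stack", "print_address_description", "end_report")
SIOCSIFFLAGS = 0x8914  # <linux/sockios.h>; RSI on the access stack holds the ioctl request


def parse_kasan(text):
    """Parse one KASAN report into fields, the three stacks, object info and user registers."""
    rep = {"access_stack": [], "alloc": None, "free": None, "regs": {}}
    section = None  # which stack the following frame lines belong to
    for raw in text.splitlines():
        line = TS.sub("", raw).rstrip()
        if m := BUG.search(line):
            rep["kind"], rep["func"] = m["kind"], m["func"]
        elif m := ACCESS.search(line):
            rep.update(op=m["op"], size=int(m["size"]), addr=int(m["addr"], 16),
                       comm=m["comm"], pid=int(m["pid"]))
        elif line.startswith("Call Trace:") and not rep["access_stack"]:
            section = "access_stack"  # keep the first trace; the panic trace repeats it
        elif m := TASK_HDR.match(line):
            section = "alloc" if m["what"] == "Allocated" else "free"
            rep[section] = {"pid": int(m["pid"]), "stack": []}
        elif not line:
            section = None  # a blank line closes a stack section
        elif (m := FRAME.match(line)) and section:
            if not m["guess"]:  # "? " entries are stale stack slots, not real callers
                stack = rep[section] if section == "access_stack" else rep[section]["stack"]
                stack.append(m["func"])
        elif m := OBJ.search(line):
            rep["obj_base"] = int(m["base"], 16)
        elif m := CACHE.search(line):
            rep["cache"], rep["obj_size"] = m["cache"], int(m["size"])
        else:
            rep["regs"].update({r: int(v, 16) for r, v in REGS.findall(line)})
    return rep


def first_subsystem_frame(stack):
    """First frame that is not plumbing: the code that actually touched the object."""
    return next((f for f in stack if not f.startswith(PLUMBING)), None)


def syscall_of(stack):
    """Syscall that reached this stack, taken from its __x64_sys_<name> wrapper frame."""
    return next((f[len("__x64_sys_"):] for f in stack if f.startswith("__x64_sys_")), None)


def summarize(rep):
    """Collapse the report into the object's lifecycle: (frame, syscall, pid) per leg."""
    leg = lambda stack, pid: (first_subsystem_frame(stack), syscall_of(stack), pid)
    return {
        "kind": rep["kind"],
        "offset": rep["addr"] - rep["obj_base"],  # bytes into the freed object
        "use": leg(rep["access_stack"], rep["pid"]),
        "alloc": leg(rep["alloc"]["stack"], rep["alloc"]["pid"]),
        "free": leg(rep["free"]["stack"], rep["free"]["pid"]),
        "ioctl": rep["regs"].get("RSI"),  # request number when the use came via ioctl(2)
        "three_tasks": len({rep["pid"], rep["alloc"]["pid"], rep["free"]["pid"]}) == 3,
    }


# Excerpt of the report above, trimmed to the lines the parser needs.
REPORT = """\
[   49.103554] BUG: KASAN: use-after-free in x25_device_event+0x296/0x2b0
[   49.110233] Read of size 8 at addr ffff8880a030edd0 by task syz-executor003/7854
[   49.135652] Call Trace:
[   49.138253]  dump_stack+0x172/0x1f0
[   49.141878]  ? x25_device_event+0x296/0x2b0
[   49.168439]  __asan_report_load8_noabort+0x14/0x20
[   49.173348]  x25_device_event+0x296/0x2b0
[   49.222510]  dev_change_flags+0x10d/0x170
[   49.301238]  __x64_sys_ioctl+0x73/0xb0
[   49.351200] RDX: 0000000020000340 RSI: 0000000000008914 RDI: 0000000000000003
[   49.380217]
[   49.381822] Allocated by task 7843:
[   49.385429]  save_stack+0x45/0xd0
[   49.388870]  __kasan_kmalloc.constprop.0+0xcf/0xe0
[   49.402031]  x25_link_device_up+0x46/0x3f0
[   49.454669]  __x64_sys_ioctl+0x73/0xb0
[   49.467598]
[   49.469204] Freed by task 7865:
[   49.483887]  kfree+0xcf/0x230
[   49.486995]  x25_connect+0x8d8/0xde0
[   49.494572]  __x64_sys_connect+0x73/0xb0
[   49.507646]
[   49.509254] The buggy address belongs to the object at ffff8880a030edc0
[   49.509254]  which belongs to the cache kmalloc-256 of size 256
"""

if __name__ == "__main__":
    print(summarize(parse_kasan(REPORT)))
```

The "? " frames are dropped on purpose: KASAN prints them from stale stack slots, and including them would make x25_device_event look like it sits twice on the access path. The three_tasks flag is the quick signal that the object is reachable from more than one task without a shared lifetime, which is what a reviewer checks first before reading the x25 code.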