[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ 33.786969][ T26] kauditd_printk_skb: 8 callbacks suppressed
[ 33.786980][ T26] audit: type=1800 audit(1553054386.271:29): pid=7298 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="rc.local" dev="sda1" ino=2432 res=0
[ 33.813997][ T26] audit: type=1800 audit(1553054386.271:30): pid=7298 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="rmnologin" dev="sda1" ino=2423 res=0

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.10.23' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 43.979168][ T7] ==================================================================
[ 43.987404][ T7] BUG: KASAN: use-after-free in tipc_sk_filter_rcv+0x2166/0x34f0
[ 43.995218][ T7] Read of size 4 at addr ffff88808ea58534 by task kworker/u4:0/7
[ 44.003005][ T7]
[ 44.005320][ T7] CPU: 0 PID: 7 Comm: kworker/u4:0 Not tainted 5.0.0+ #61
[ 44.012404][ T7] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 44.022450][ T7] Workqueue: tipc_send tipc_conn_send_work
[ 44.028234][ T7] Call Trace:
[ 44.031508][ T7]  dump_stack+0x172/0x1f0
[ 44.035820][ T7]  ? tipc_sk_filter_rcv+0x2166/0x34f0
[ 44.041603][ T7]  print_address_description.cold+0x7c/0x20d
[ 44.047579][ T7]  ? tipc_sk_filter_rcv+0x2166/0x34f0
[ 44.052956][ T7]  ? tipc_sk_filter_rcv+0x2166/0x34f0
[ 44.058312][ T7]  kasan_report.cold+0x1b/0x40
[ 44.063060][ T7]  ? tipc_sk_filter_rcv+0x2166/0x34f0
[ 44.068434][ T7]  __asan_report_load4_noabort+0x14/0x20
[ 44.074047][ T7]  tipc_sk_filter_rcv+0x2166/0x34f0
[ 44.079249][ T7]  ? tipc_sk_overlimit2+0xa0/0xa0
[ 44.084296][ T7]  ? __local_bh_enable_ip+0x15a/0x270
[ 44.089669][ T7]  ? lockdep_hardirqs_on+0x19e/0x5d0
[ 44.094934][ T7]  ? tipc_sk_rcv+0x562/0x25a0
[ 44.099595][ T7]  ? __local_bh_enable_ip+0x15a/0x270
[ 44.104948][ T7]  tipc_sk_rcv+0xc45/0x25a0
[ 44.109438][ T7]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 44.115661][ T7]  ? tipc_sk_filter_rcv+0x34f0/0x34f0
[ 44.121026][ T7]  ? __alloc_skb+0x3cd/0x5e0
[ 44.125619][ T7]  ? skb_trim+0x190/0x190
[ 44.129933][ T7]  ? memset+0x32/0x40
[ 44.133902][ T7]  ? tipc_msg_init+0x190/0x1d0
[ 44.138672][ T7]  ? lockdep_init_map+0x1be/0x6d0
[ 44.143699][ T7]  tipc_topsrv_kern_evt+0x3b7/0x580
[ 44.148891][ T7]  ? tipc_conn_recv_work+0x100/0x100
[ 44.154167][ T7]  ? __local_bh_enable_ip+0x15a/0x270
[ 44.159537][ T7]  ? tipc_conn_send_to_sock+0x389/0x5f0
[ 44.165069][ T7]  tipc_conn_send_to_sock+0x43e/0x5f0
[ 44.170427][ T7]  ? tipc_topsrv_kern_evt+0x580/0x580
[ 44.175792][ T7]  tipc_conn_send_work+0x65/0x80
[ 44.180711][ T7]  process_one_work+0x98e/0x1790
[ 44.185635][ T7]  ? pwq_dec_nr_in_flight+0x320/0x320
[ 44.190988][ T7]  ? lock_acquire+0x16f/0x3f0
[ 44.195665][ T7]  worker_thread+0x98/0xe40
[ 44.200169][ T7]  kthread+0x357/0x430
[ 44.204228][ T7]  ? process_one_work+0x1790/0x1790
[ 44.209404][ T7]  ? kthread_cancel_delayed_work_sync+0x20/0x20
[ 44.215726][ T7]  ret_from_fork+0x3a/0x50
[ 44.220138][ T7]
[ 44.222447][ T7] Allocated by task 7:
[ 44.226513][ T7]  save_stack+0x45/0xd0
[ 44.230659][ T7]  __kasan_kmalloc.constprop.0+0xcf/0xe0
[ 44.236268][ T7]  kasan_kmalloc+0x9/0x10
[ 44.240578][ T7]  __kmalloc_node_track_caller+0x4e/0x70
[ 44.246200][ T7]  __kmalloc_reserve.isra.0+0x40/0xf0
[ 44.251550][ T7]  __alloc_skb+0x10b/0x5e0
[ 44.255944][ T7]  tipc_buf_acquire+0x2f/0x100
[ 44.260684][ T7]  tipc_msg_create+0x38/0x270
[ 44.265338][ T7]  tipc_topsrv_kern_evt+0x2a7/0x580
[ 44.270516][ T7]  tipc_conn_send_to_sock+0x43e/0x5f0
[ 44.275869][ T7]  tipc_conn_send_work+0x65/0x80
[ 44.280789][ T7]  process_one_work+0x98e/0x1790
[ 44.285720][ T7]  worker_thread+0x98/0xe40
[ 44.290224][ T7]  kthread+0x357/0x430
[ 44.294271][ T7]  ret_from_fork+0x3a/0x50
[ 44.298677][ T7]
[ 44.300985][ T7] Freed by task 7:
[ 44.304701][ T7]  save_stack+0x45/0xd0
[ 44.308840][ T7]  __kasan_slab_free+0x102/0x150
[ 44.313758][ T7]  kasan_slab_free+0xe/0x10
[ 44.318251][ T7]  kfree+0xcf/0x230
[ 44.322044][ T7]  skb_free_head+0x93/0xb0
[ 44.326448][ T7]  skb_release_data+0x576/0x7a0
[ 44.331276][ T7]  skb_release_all+0x4d/0x60
[ 44.335846][ T7]  kfree_skb+0xe8/0x390
[ 44.339984][ T7]  tipc_sk_filter_rcv+0x1e6a/0x34f0
[ 44.345166][ T7]  tipc_sk_rcv+0xc45/0x25a0
[ 44.349651][ T7]  tipc_topsrv_kern_evt+0x3b7/0x580
[ 44.354831][ T7]  tipc_conn_send_to_sock+0x43e/0x5f0
[ 44.360271][ T7]  tipc_conn_send_work+0x65/0x80
[ 44.365205][ T7]  process_one_work+0x98e/0x1790
[ 44.370222][ T7]  worker_thread+0x98/0xe40
[ 44.374706][ T7]  kthread+0x357/0x430
[ 44.378753][ T7]  ret_from_fork+0x3a/0x50
[ 44.383228][ T7]
[ 44.385555][ T7] The buggy address belongs to the object at ffff88808ea58480
[ 44.385555][ T7]  which belongs to the cache kmalloc-1k of size 1024
[ 44.399585][ T7] The buggy address is located 180 bytes inside of
[ 44.399585][ T7]  1024-byte region [ffff88808ea58480, ffff88808ea58880)
[ 44.412925][ T7] The buggy address belongs to the page:
[ 44.418541][ T7] page:ffffea00023a9600 count:1 mapcount:0 mapping:ffff88812c3f0ac0 index:0x0 compound_mapcount: 0
[ 44.429193][ T7] flags: 0x1fffc0000010200(slab|head)
[ 44.434562][ T7] raw: 01fffc0000010200 ffffea00021bbd88 ffffea00023db488 ffff88812c3f0ac0
[ 44.443178][ T7] raw: 0000000000000000 ffff88808ea58000 0000000100000007 0000000000000000
[ 44.451739][ T7] page dumped because: kasan: bad access detected
[ 44.458137][ T7]
[ 44.460572][ T7] Memory state around the buggy address:
[ 44.466183][ T7]  ffff88808ea58400: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 44.474226][ T7]  ffff88808ea58480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 44.482280][ T7] >ffff88808ea58500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 44.490326][ T7]                                      ^
[ 44.507423][ T7]  ffff88808ea58580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 44.515464][ T7]  ffff88808ea58600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 44.523499][ T7] ==================================================================
[ 44.531536][ T7] Disabling lock debugging due to kernel taint
[ 44.537729][ T7] Kernel panic - not syncing: panic_on_warn set ...
[ 44.544326][ T7] CPU: 0 PID: 7 Comm: kworker/u4:0 Tainted: G B 5.0.0+ #61
[ 44.552845][ T7] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 44.563132][ T7] Workqueue: tipc_send tipc_conn_send_work
[ 44.568915][ T7] Call Trace:
[ 44.572191][ T7]  dump_stack+0x172/0x1f0
[ 44.576515][ T7]  panic+0x2cb/0x65c
[ 44.580477][ T7]  ? __warn_printk+0xf3/0xf3
[ 44.585047][ T7]  ? trace_hardirqs_on+0x5e/0x230
[ 44.590048][ T7]  ? trace_hardirqs_on+0x5e/0x230
[ 44.595051][ T7]  ? tipc_sk_filter_rcv+0x2166/0x34f0
[ 44.600401][ T7]  end_report+0x47/0x4f
[ 44.604535][ T7]  ? tipc_sk_filter_rcv+0x2166/0x34f0
[ 44.609885][ T7]  kasan_report.cold+0xe/0x40
[ 44.614555][ T7]  ? tipc_sk_filter_rcv+0x2166/0x34f0
[ 44.619906][ T7]  __asan_report_load4_noabort+0x14/0x20
[ 44.625520][ T7]  tipc_sk_filter_rcv+0x2166/0x34f0
[ 44.630709][ T7]  ? tipc_sk_overlimit2+0xa0/0xa0
[ 44.635719][ T7]  ? __local_bh_enable_ip+0x15a/0x270
[ 44.641073][ T7]  ? lockdep_hardirqs_on+0x19e/0x5d0
[ 44.646443][ T7]  ? tipc_sk_rcv+0x562/0x25a0
[ 44.651111][ T7]  ? __local_bh_enable_ip+0x15a/0x270
[ 44.656463][ T7]  tipc_sk_rcv+0xc45/0x25a0
[ 44.660956][ T7]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 44.667175][ T7]  ? tipc_sk_filter_rcv+0x34f0/0x34f0
[ 44.672525][ T7]  ? __alloc_skb+0x3cd/0x5e0
[ 44.677106][ T7]  ? skb_trim+0x190/0x190
[ 44.681418][ T7]  ? memset+0x32/0x40
[ 44.685386][ T7]  ? tipc_msg_init+0x190/0x1d0
[ 44.690143][ T7]  ? lockdep_init_map+0x1be/0x6d0
[ 44.695147][ T7]  tipc_topsrv_kern_evt+0x3b7/0x580
[ 44.700330][ T7]  ? tipc_conn_recv_work+0x100/0x100
[ 44.705593][ T7]  ? __local_bh_enable_ip+0x15a/0x270
[ 44.711033][ T7]  ? tipc_conn_send_to_sock+0x389/0x5f0
[ 44.716556][ T7]  tipc_conn_send_to_sock+0x43e/0x5f0
[ 44.722281][ T7]  ? tipc_topsrv_kern_evt+0x580/0x580
[ 44.727840][ T7]  tipc_conn_send_work+0x65/0x80
[ 44.732757][ T7]  process_one_work+0x98e/0x1790
[ 44.737780][ T7]  ? pwq_dec_nr_in_flight+0x320/0x320
[ 44.743218][ T7]  ? lock_acquire+0x16f/0x3f0
[ 44.747875][ T7]  worker_thread+0x98/0xe40
[ 44.752363][ T7]  kthread+0x357/0x430
[ 44.756500][ T7]  ? process_one_work+0x1790/0x1790
[ 44.761674][ T7]  ? kthread_cancel_delayed_work_sync+0x20/0x20
[ 44.767890][ T7]  ret_from_fork+0x3a/0x50
[ 44.773250][ T7] Kernel Offset: disabled
[ 44.777565][ T7] Rebooting in 86400 seconds..