[....] Starting enhanced syslogd: rsyslogd[?25l[?1c7[ ok 8[?25h[?0c. [ 83.333190][ T27] audit: type=1800 audit(1583826333.587:25): pid=9348 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="cron" dev="sda1" ino=2414 res=0 [ 83.361465][ T27] audit: type=1800 audit(1583826333.587:26): pid=9348 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0 [ 83.410291][ T27] audit: type=1800 audit(1583826333.597:27): pid=9348 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0 [....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[ ok 8[?25h[?0c. Debian GNU/Linux 7 syzkaller ttyS0 Warning: Permanently added '10.128.0.247' (ECDSA) to the list of known hosts. executing program syzkaller login: [ 92.200357][ T9506] IPVS: ftp: loaded support on port[0] = 21 [ 92.232566][ T9506] ================================================================== [ 92.240722][ T9506] BUG: KASAN: use-after-free in tcindex_set_parms+0x17fd/0x1a00 [ 92.248340][ T9506] Write of size 16 at addr ffff8880a86d28b8 by task syz-executor352/9506 [ 92.256727][ T9506] [ 92.259040][ T9506] CPU: 0 PID: 9506 Comm: syz-executor352 Not tainted 5.6.0-rc5-syzkaller #0 [ 92.267694][ T9506] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 92.277758][ T9506] Call Trace: [ 92.281039][ T9506] dump_stack+0x188/0x20d [ 92.285348][ T9506] ? tcindex_set_parms+0x17fd/0x1a00 [ 92.290619][ T9506] ? tcindex_set_parms+0x17fd/0x1a00 [ 92.295897][ T9506] print_address_description.constprop.0.cold+0xd3/0x315 [ 92.302923][ T9506] ? tcindex_set_parms+0x17fd/0x1a00 [ 92.308187][ T9506] ? tcindex_set_parms+0x17fd/0x1a00 [ 92.313460][ T9506] __kasan_report.cold+0x1a/0x32 [ 92.318395][ T9506] ? tcindex_set_parms+0x17fd/0x1a00 [ 92.323666][ T9506] kasan_report+0xe/0x20 [ 92.327886][ T9506] tcindex_set_parms+0x17fd/0x1a00 [ 92.332995][ T9506] ? tcindex_alloc_perfect_hash+0x320/0x320 [ 92.338893][ T9506] ? mark_held_locks+0xe0/0xe0 [ 92.343661][ T9506] ? nla_memcpy+0xa0/0xa0 [ 92.347976][ T9506] ? tcindex_change+0x203/0x2e0 [ 92.352812][ T9506] tcindex_change+0x203/0x2e0 [ 92.357473][ T9506] ? tcindex_set_parms+0x1a00/0x1a00 [ 92.362754][ T9506] tc_new_tfilter+0xa59/0x20b0 [ 92.367516][ T9506] ? tcindex_set_parms+0x1a00/0x1a00 [ 92.372793][ T9506] ? tc_del_tfilter+0x1430/0x1430 [ 92.377802][ T9506] ? __lock_acquire+0x80b/0x3ca0 [ 92.382747][ T9506] ? apparmor_capable+0x454/0x8a0 [ 92.387786][ T9506] ? rcu_read_lock_held+0x9c/0xb0 [ 92.392800][ T9506] ? tc_del_tfilter+0x1430/0x1430 [ 92.397821][ T9506] rtnetlink_rcv_msg+0x810/0xad0 [ 92.402742][ T9506] ? rtnl_bridge_getlink+0x880/0x880 [ 92.408014][ T9506] ? mark_held_locks+0xe0/0xe0 [ 92.412757][ T9506] ? netlink_deliver_tap+0x146/0xb50 [ 92.418021][ T9506] netlink_rcv_skb+0x15a/0x410 [ 92.422775][ T9506] ? rtnl_bridge_getlink+0x880/0x880 [ 92.428057][ T9506] ? netlink_ack+0xa80/0xa80 [ 92.432657][ T9506] netlink_unicast+0x537/0x740 [ 92.437425][ T9506] ? netlink_attachskb+0x810/0x810 [ 92.442522][ T9506] ? _copy_from_iter_full+0x25c/0x870 [ 92.447893][ T9506] ? __phys_addr_symbol+0x2c/0x70 [ 92.452958][ T9506] ? __check_object_size+0x171/0x437 [ 92.458261][ T9506] netlink_sendmsg+0x882/0xe10 [ 92.463017][ T9506] ? aa_af_perm+0x260/0x260 [ 92.467506][ T9506] ? netlink_unicast+0x740/0x740 [ 92.472434][ T9506] ? netlink_unicast+0x740/0x740 [ 92.477358][ T9506] sock_sendmsg+0xcf/0x120 [ 92.481767][ T9506] ____sys_sendmsg+0x6b9/0x7d0 [ 92.486528][ T9506] ? kernel_sendmsg+0x50/0x50 [ 92.491188][ T9506] ? rcu_read_lock_sched_held+0x9c/0xd0 [ 92.496712][ T9506] ? rcu_read_lock_any_held.part.0+0x50/0x50 [ 92.502680][ T9506] ___sys_sendmsg+0x100/0x170 [ 92.507338][ T9506] ? sendmsg_copy_msghdr+0x70/0x70 [ 92.512439][ T9506] ? lock_downgrade+0x7f0/0x7f0 [ 92.517266][ T9506] ? lock_acquire+0x197/0x420 [ 92.522115][ T9506] ? __might_fault+0xef/0x1d0 [ 92.526777][ T9506] ? __might_fault+0x190/0x1d0 [ 92.531522][ T9506] ? _copy_to_user+0x107/0x150 [ 92.536275][ T9506] ? move_addr_to_user+0xb3/0x200 [ 92.541277][ T9506] ? __fget_light+0x1a5/0x270 [ 92.545945][ T9506] __sys_sendmsg+0xec/0x1b0 [ 92.550427][ T9506] ? __sys_sendmsg_sock+0xb0/0xb0 [ 92.555438][ T9506] ? mark_held_locks+0x9f/0xe0 [ 92.560188][ T9506] ? trace_hardirqs_off_caller+0x55/0x230 [ 92.565886][ T9506] ? do_syscall_64+0x21/0x7d0 [ 92.570545][ T9506] do_syscall_64+0xf6/0x7d0 [ 92.575032][ T9506] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 92.580917][ T9506] RIP: 0033:0x440eb9 [ 92.584801][ T9506] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b 10 fc ff c3 66 2e 0f 1f 84 00 00 00 00 [ 92.604426][ T9506] RSP: 002b:00007ffc66658278 EFLAGS: 00000246 ORIG_RAX: 000000000000002e [ 92.612822][ T9506] RAX: ffffffffffffffda RBX: 00000000004a2690 RCX: 0000000000440eb9 [ 92.620774][ T9506] RDX: 0000000000000000 RSI: 00000000200001c0 RDI: 0000000000000003 [ 92.628805][ T9506] RBP: 00000000004a2690 R08: 0000000120080522 R09: 0000000120080522 [ 92.636756][ T9506] R10: 0000000120080522 R11: 0000000000000246 R12: 00000000004023c0 [ 92.644705][ T9506] R13: 0000000000402450 R14: 0000000000000000 R15: 0000000000000000 [ 92.652681][ T9506] [ 92.654987][ T9506] Allocated by task 1: [ 92.659039][ T9506] save_stack+0x1b/0x80 [ 92.663186][ T9506] __kasan_kmalloc.constprop.0+0xbf/0xd0 [ 92.668797][ T9506] kmem_cache_alloc_trace+0x153/0x7d0 [ 92.674144][ T9506] call_usermodehelper_setup+0x98/0x300 [ 92.679676][ T9506] kobject_uevent_env+0xcfb/0x11f0 [ 92.684766][ T9506] param_sysfs_init+0x3c5/0x430 [ 92.689593][ T9506] do_one_initcall+0x10a/0x7d0 [ 92.694344][ T9506] kernel_init_freeable+0x501/0x5ae [ 92.699526][ T9506] kernel_init+0xd/0x1bb [ 92.703742][ T9506] ret_from_fork+0x24/0x30 [ 92.708141][ T9506] [ 92.710450][ T9506] Freed by task 562: [ 92.714336][ T9506] save_stack+0x1b/0x80 [ 92.718504][ T9506] __kasan_slab_free+0xf7/0x140 [ 92.723337][ T9506] kfree+0x109/0x2b0 [ 92.727212][ T9506] umh_complete+0x81/0x90 [ 92.731545][ T9506] call_usermodehelper_exec_async+0x459/0x710 [ 92.737588][ T9506] ret_from_fork+0x24/0x30 [ 92.741981][ T9506] [ 92.744291][ T9506] The buggy address belongs to the object at ffff8880a86d2800 [ 92.744291][ T9506] which belongs to the cache kmalloc-192 of size 192 [ 92.758327][ T9506] The buggy address is located 184 bytes inside of [ 92.758327][ T9506] 192-byte region [ffff8880a86d2800, ffff8880a86d28c0) [ 92.771671][ T9506] The buggy address belongs to the page: [ 92.777286][ T9506] page:ffffea0002a1b480 refcount:1 mapcount:0 mapping:ffff8880aa000000 index:0x0 [ 92.786383][ T9506] flags: 0xfffe0000000200(slab) [ 92.791216][ T9506] raw: 00fffe0000000200 ffffea00028da348 ffff8880aa001148 ffff8880aa000000 [ 92.799790][ T9506] raw: 0000000000000000 ffff8880a86d2000 0000000100000010 0000000000000000 [ 92.808350][ T9506] page dumped because: kasan: bad access detected [ 92.814746][ T9506] [ 92.817051][ T9506] Memory state around the buggy address: [ 92.822659][ T9506] ffff8880a86d2780: 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 92.830694][ T9506] ffff8880a86d2800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 92.838730][ T9506] >ffff8880a86d2880: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 92.846764][ T9506] ^ [ 92.852721][ T9506] ffff8880a86d2900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 92.860757][ T9506] ffff8880a86d2980: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 92.868800][ T9506] ================================================================== [ 92.876835][ T9506] Disabling lock debugging due to kernel taint [ 92.883482][ T9506] Kernel panic - not syncing: panic_on_warn set ... [ 92.890086][ T9506] CPU: 0 PID: 9506 Comm: syz-executor352 Tainted: G B 5.6.0-rc5-syzkaller #0 [ 92.900130][ T9506] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 92.910168][ T9506] Call Trace: [ 92.913441][ T9506] dump_stack+0x188/0x20d [ 92.917750][ T9506] panic+0x2e3/0x75c [ 92.921631][ T9506] ? add_taint.cold+0x16/0x16 [ 92.926299][ T9506] ? preempt_schedule_common+0x5e/0xc0 [ 92.931737][ T9506] ? tcindex_set_parms+0x17fd/0x1a00 [ 92.936998][ T9506] ? ___preempt_schedule+0x16/0x18 [ 92.942086][ T9506] ? trace_hardirqs_on+0x55/0x220 [ 92.947085][ T9506] ? tcindex_set_parms+0x17fd/0x1a00 [ 92.952349][ T9506] end_report+0x43/0x49 [ 92.956485][ T9506] ? tcindex_set_parms+0x17fd/0x1a00 [ 92.961747][ T9506] __kasan_report.cold+0xd/0x32 [ 92.966572][ T9506] ? tcindex_set_parms+0x17fd/0x1a00 [ 92.971835][ T9506] kasan_report+0xe/0x20 [ 92.976069][ T9506] tcindex_set_parms+0x17fd/0x1a00 [ 92.981158][ T9506] ? tcindex_alloc_perfect_hash+0x320/0x320 [ 92.987124][ T9506] ? mark_held_locks+0xe0/0xe0 [ 92.991871][ T9506] ? nla_memcpy+0xa0/0xa0 [ 92.996175][ T9506] ? tcindex_change+0x203/0x2e0 [ 93.000999][ T9506] tcindex_change+0x203/0x2e0 [ 93.005654][ T9506] ? tcindex_set_parms+0x1a00/0x1a00 [ 93.010942][ T9506] tc_new_tfilter+0xa59/0x20b0 [ 93.015692][ T9506] ? tcindex_set_parms+0x1a00/0x1a00 [ 93.020965][ T9506] ? tc_del_tfilter+0x1430/0x1430 [ 93.025966][ T9506] ? __lock_acquire+0x80b/0x3ca0 [ 93.030889][ T9506] ? apparmor_capable+0x454/0x8a0 [ 93.035895][ T9506] ? rcu_read_lock_held+0x9c/0xb0 [ 93.040918][ T9506] ? tc_del_tfilter+0x1430/0x1430 [ 93.045927][ T9506] rtnetlink_rcv_msg+0x810/0xad0 [ 93.050854][ T9506] ? rtnl_bridge_getlink+0x880/0x880 [ 93.056121][ T9506] ? mark_held_locks+0xe0/0xe0 [ 93.060862][ T9506] ? netlink_deliver_tap+0x146/0xb50 [ 93.066126][ T9506] netlink_rcv_skb+0x15a/0x410 [ 93.070868][ T9506] ? rtnl_bridge_getlink+0x880/0x880 [ 93.076131][ T9506] ? netlink_ack+0xa80/0xa80 [ 93.080708][ T9506] netlink_unicast+0x537/0x740 [ 93.085455][ T9506] ? netlink_attachskb+0x810/0x810 [ 93.090652][ T9506] ? _copy_from_iter_full+0x25c/0x870 [ 93.096099][ T9506] ? __phys_addr_symbol+0x2c/0x70 [ 93.101118][ T9506] ? __check_object_size+0x171/0x437 [ 93.106397][ T9506] netlink_sendmsg+0x882/0xe10 [ 93.111146][ T9506] ? aa_af_perm+0x260/0x260 [ 93.115631][ T9506] ? netlink_unicast+0x740/0x740 [ 93.120548][ T9506] ? netlink_unicast+0x740/0x740 [ 93.125466][ T9506] sock_sendmsg+0xcf/0x120 [ 93.129864][ T9506] ____sys_sendmsg+0x6b9/0x7d0 [ 93.134608][ T9506] ? kernel_sendmsg+0x50/0x50 [ 93.139266][ T9506] ? rcu_read_lock_sched_held+0x9c/0xd0 [ 93.144789][ T9506] ? rcu_read_lock_any_held.part.0+0x50/0x50 [ 93.150751][ T9506] ___sys_sendmsg+0x100/0x170 [ 93.155410][ T9506] ? sendmsg_copy_msghdr+0x70/0x70 [ 93.160513][ T9506] ? lock_downgrade+0x7f0/0x7f0 [ 93.165340][ T9506] ? lock_acquire+0x197/0x420 [ 93.169994][ T9506] ? __might_fault+0xef/0x1d0 [ 93.174651][ T9506] ? __might_fault+0x190/0x1d0 [ 93.179401][ T9506] ? _copy_to_user+0x107/0x150 [ 93.184143][ T9506] ? move_addr_to_user+0xb3/0x200 [ 93.189142][ T9506] ? __fget_light+0x1a5/0x270 [ 93.193796][ T9506] __sys_sendmsg+0xec/0x1b0 [ 93.198279][ T9506] ? __sys_sendmsg_sock+0xb0/0xb0 [ 93.203291][ T9506] ? mark_held_locks+0x9f/0xe0 [ 93.208049][ T9506] ? trace_hardirqs_off_caller+0x55/0x230 [ 93.213753][ T9506] ? do_syscall_64+0x21/0x7d0 [ 93.218410][ T9506] do_syscall_64+0xf6/0x7d0 [ 93.222895][ T9506] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 93.228773][ T9506] RIP: 0033:0x440eb9 [ 93.232674][ T9506] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b 10 fc ff c3 66 2e 0f 1f 84 00 00 00 00 [ 93.252286][ T9506] RSP: 002b:00007ffc66658278 EFLAGS: 00000246 ORIG_RAX: 000000000000002e [ 93.260685][ T9506] RAX: ffffffffffffffda RBX: 00000000004a2690 RCX: 0000000000440eb9 [ 93.268643][ T9506] RDX: 0000000000000000 RSI: 00000000200001c0 RDI: 0000000000000003 [ 93.276599][ T9506] RBP: 00000000004a2690 R08: 0000000120080522 R09: 0000000120080522 [ 93.284549][ T9506] R10: 0000000120080522 R11: 0000000000000246 R12: 00000000004023c0 [ 93.292509][ T9506] R13: 0000000000402450 R14: 0000000000000000 R15: 0000000000000000 [ 93.301820][ T9506] Kernel Offset: disabled [ 93.306141][ T9506] Rebooting in 86400 seconds..