[ ok ] Starting enhanced syslogd: rsyslogd. [ ok ] Starting periodic command scheduler: cron. [ ok ] Starting OpenBSD Secure Shell server: sshd. [ 29.525623] kauditd_printk_skb: 8 callbacks suppressed [ 29.525650] audit: type=1800 audit(1545346268.018:29): pid=5909 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="rc.local" dev="sda1" ino=2432 res=0 [ 29.557922] audit: type=1800 audit(1545346268.018:30): pid=5909 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="rmnologin" dev="sda1" ino=2423 res=0 Debian GNU/Linux 7 syzkaller ttyS0 Warning: Permanently added '10.128.0.37' (ECDSA) to the list of known hosts. 2018/12/20 22:51:20 parsed 1 programs 2018/12/20 22:51:23 executed programs: 0 syzkaller login: [ 44.633931] IPVS: ftp: loaded support on port[0] = 21 [ 44.648657] IPVS: ftp: loaded support on port[0] = 21 [ 44.656227] IPVS: ftp: loaded support on port[0] = 21 [ 44.657379] IPVS: ftp: loaded support on port[0] = 21 [ 44.667921] IPVS: ftp: loaded support on port[0] = 21 [ 44.673780] IPVS: ftp: loaded support on port[0] = 21 [ 46.050838] bridge0: port 1(bridge_slave_0) entered blocking state [ 46.066451] bridge0: port 1(bridge_slave_0) entered disabled state [ 46.080236] device bridge_slave_0 entered promiscuous mode [ 46.106029] bridge0: port 1(bridge_slave_0) entered blocking state [ 46.112460] bridge0: port 1(bridge_slave_0) entered disabled state [ 46.129307] device bridge_slave_0 entered promiscuous mode [ 46.152249] bridge0: port 1(bridge_slave_0) entered blocking state [ 46.160732] bridge0: port 1(bridge_slave_0) entered disabled state [ 46.169327] device bridge_slave_0 entered promiscuous mode [ 46.180189] bridge0: port 1(bridge_slave_0) entered blocking state [ 46.190969] bridge0: port 1(bridge_slave_0) entered disabled state [ 46.198846] device
bridge_slave_0 entered promiscuous mode [ 46.207808] bridge0: port 2(bridge_slave_1) entered blocking state [ 46.214180] bridge0: port 2(bridge_slave_1) entered disabled state [ 46.224804] device bridge_slave_1 entered promiscuous mode [ 46.232142] bridge0: port 1(bridge_slave_0) entered blocking state [ 46.239818] bridge0: port 1(bridge_slave_0) entered disabled state [ 46.247992] device bridge_slave_0 entered promiscuous mode [ 46.256905] bridge0: port 1(bridge_slave_0) entered blocking state [ 46.263364] bridge0: port 1(bridge_slave_0) entered disabled state [ 46.271235] device bridge_slave_0 entered promiscuous mode [ 46.281429] bridge0: port 2(bridge_slave_1) entered blocking state [ 46.293197] bridge0: port 2(bridge_slave_1) entered disabled state [ 46.300355] device bridge_slave_1 entered promiscuous mode [ 46.312294] bridge0: port 2(bridge_slave_1) entered blocking state [ 46.319201] bridge0: port 2(bridge_slave_1) entered disabled state [ 46.327194] device bridge_slave_1 entered promiscuous mode [ 46.333947] bridge0: port 2(bridge_slave_1) entered blocking state [ 46.341038] bridge0: port 2(bridge_slave_1) entered disabled state [ 46.348823] device bridge_slave_1 entered promiscuous mode [ 46.358598] bridge0: port 2(bridge_slave_1) entered blocking state [ 46.368937] bridge0: port 2(bridge_slave_1) entered disabled state [ 46.376214] device bridge_slave_1 entered promiscuous mode [ 46.385111] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready [ 46.396114] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready [ 46.409583] bridge0: port 2(bridge_slave_1) entered blocking state [ 46.425061] bridge0: port 2(bridge_slave_1) entered disabled state [ 46.432694] device bridge_slave_1 entered promiscuous mode [ 46.441735] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready [ 46.455454] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready [ 46.464495] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready [ 46.473140] 
IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready [ 46.496714] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready [ 46.504150] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready [ 46.521626] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready [ 46.537056] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready [ 46.547290] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready [ 46.563644] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready [ 46.768635] bond0: Enslaving bond_slave_0 as an active interface with an up link [ 46.781208] bond0: Enslaving bond_slave_0 as an active interface with an up link [ 46.804385] bond0: Enslaving bond_slave_0 as an active interface with an up link [ 46.827496] bond0: Enslaving bond_slave_0 as an active interface with an up link [ 46.840805] bond0: Enslaving bond_slave_0 as an active interface with an up link [ 46.858052] bond0: Enslaving bond_slave_1 as an active interface with an up link [ 46.884355] bond0: Enslaving bond_slave_1 as an active interface with an up link [ 46.896768] bond0: Enslaving bond_slave_1 as an active interface with an up link [ 46.908801] bond0: Enslaving bond_slave_0 as an active interface with an up link [ 46.927190] bond0: Enslaving bond_slave_1 as an active interface with an up link [ 46.939164] bond0: Enslaving bond_slave_1 as an active interface with an up link [ 46.960494] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready [ 46.974799] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bond: link becomes ready [ 46.990875] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready [ 47.005584] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready [ 47.018959] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready [ 47.031724] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bond: link becomes ready [ 47.047151] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bond: link becomes ready [ 47.054763] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bond: 
link becomes ready [ 47.069047] bond0: Enslaving bond_slave_1 as an active interface with an up link [ 47.078295] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready [ 47.089106] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready [ 47.102932] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready [ 47.115411] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bond: link becomes ready [ 47.127552] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bond: link becomes ready [ 47.146957] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bond: link becomes ready [ 47.155518] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready [ 47.162615] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bond: link becomes ready [ 47.349441] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready [ 47.363661] team0: Port device team_slave_0 added [ 47.371021] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready [ 47.387855] team0: Port device team_slave_0 added [ 47.399362] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready [ 47.407404] team0: Port device team_slave_0 added [ 47.444948] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready [ 47.452350] team0: Port device team_slave_0 added [ 47.468483] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready [ 47.480063] team0: Port device team_slave_1 added [ 47.488350] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready [ 47.496384] team0: Port device team_slave_0 added [ 47.501703] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready [ 47.511204] team0: Port device team_slave_1 added [ 47.519933] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready [ 47.541877] team0: Port device team_slave_0 added [ 47.548925] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready [ 47.561782] team0: Port device team_slave_1 added [ 47.572726] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready [ 47.587247] team0: Port device team_slave_1 added [ 47.597692] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link 
becomes ready [ 47.616351] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready [ 47.636474] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready [ 47.643838] team0: Port device team_slave_1 added [ 47.662433] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready [ 47.678484] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready [ 47.693916] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready [ 47.705626] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready [ 47.713046] team0: Port device team_slave_1 added [ 47.720707] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready [ 47.738193] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready [ 47.748047] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready [ 47.763956] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready [ 47.777802] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready [ 47.791737] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready [ 47.800201] IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready [ 47.812741] IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready [ 47.822257] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready [ 47.833410] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready [ 47.841871] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_team: link becomes ready [ 47.849952] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready [ 47.861276] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_team: link becomes ready [ 47.869721] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready [ 47.879382] IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready [ 47.889537] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready [ 47.898512] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready [ 47.917665] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready [ 47.925245] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_team: 
link becomes ready [ 47.933194] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready [ 47.950499] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready [ 47.960087] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready [ 47.968558] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready [ 47.976851] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready [ 47.984531] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready [ 47.996222] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready [ 48.004381] IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready [ 48.012796] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready [ 48.028595] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready [ 48.045301] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_team: link becomes ready [ 48.053288] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready [ 48.070263] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready [ 48.078636] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready [ 48.086749] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready [ 48.094424] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready [ 48.103792] IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready [ 48.121283] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready [ 48.134333] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_team: link becomes ready [ 48.143930] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready [ 48.152458] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready [ 48.160836] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready [ 48.170020] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready [ 48.184589] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready [ 48.200764] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready [ 48.216101] IPv6: ADDRCONF(NETDEV_CHANGE): 
veth1_to_bridge: link becomes ready [ 48.226789] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready [ 48.236602] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready [ 48.262293] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready [ 48.283338] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready [ 48.293398] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready [ 48.324019] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready [ 48.336902] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready [ 48.351516] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready [ 48.890041] bridge0: port 2(bridge_slave_1) entered blocking state [ 48.896596] bridge0: port 2(bridge_slave_1) entered forwarding state [ 48.903565] bridge0: port 1(bridge_slave_0) entered blocking state [ 48.910079] bridge0: port 1(bridge_slave_0) entered forwarding state [ 48.922638] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready [ 48.936704] bridge0: port 2(bridge_slave_1) entered blocking state [ 48.943072] bridge0: port 2(bridge_slave_1) entered forwarding state [ 48.949808] bridge0: port 1(bridge_slave_0) entered blocking state [ 48.956256] bridge0: port 1(bridge_slave_0) entered forwarding state [ 48.971111] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready [ 48.984261] bridge0: port 2(bridge_slave_1) entered blocking state [ 48.990682] bridge0: port 2(bridge_slave_1) entered forwarding state [ 48.997386] bridge0: port 1(bridge_slave_0) entered blocking state [ 49.003755] bridge0: port 1(bridge_slave_0) entered forwarding state [ 49.015451] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready [ 49.061803] bridge0: port 2(bridge_slave_1) entered blocking state [ 49.068248] bridge0: port 2(bridge_slave_1) entered forwarding state [ 49.074964] bridge0: port 1(bridge_slave_0) entered blocking state [ 49.081347] bridge0: port 1(bridge_slave_0) entered forwarding state [ 49.095681] IPv6: 
ADDRCONF(NETDEV_UP): bridge0: link is not ready [ 49.150908] bridge0: port 2(bridge_slave_1) entered blocking state [ 49.157341] bridge0: port 2(bridge_slave_1) entered forwarding state [ 49.164009] bridge0: port 1(bridge_slave_0) entered blocking state [ 49.170440] bridge0: port 1(bridge_slave_0) entered forwarding state [ 49.187050] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready [ 49.261925] bridge0: port 2(bridge_slave_1) entered blocking state [ 49.268368] bridge0: port 2(bridge_slave_1) entered forwarding state [ 49.275109] bridge0: port 1(bridge_slave_0) entered blocking state [ 49.281475] bridge0: port 1(bridge_slave_0) entered forwarding state [ 49.292810] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready [ 49.804720] IPv6: ADDRCONF(NETDEV_CHANGE): bridge0: link becomes ready [ 49.813435] IPv6: ADDRCONF(NETDEV_CHANGE): bridge0: link becomes ready [ 49.821342] IPv6: ADDRCONF(NETDEV_CHANGE): bridge0: link becomes ready [ 49.828981] IPv6: ADDRCONF(NETDEV_CHANGE): bridge0: link becomes ready [ 49.837262] IPv6: ADDRCONF(NETDEV_CHANGE): bridge0: link becomes ready [ 49.844252] IPv6: ADDRCONF(NETDEV_CHANGE): bridge0: link becomes ready [ 51.807436] 8021q: adding VLAN 0 to HW filter on device bond0 [ 51.910818] 8021q: adding VLAN 0 to HW filter on device bond0 [ 52.056392] 8021q: adding VLAN 0 to HW filter on device bond0 [ 52.067914] 8021q: adding VLAN 0 to HW filter on device bond0 [ 52.075077] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready [ 52.240684] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready [ 52.262621] 8021q: adding VLAN 0 to HW filter on device bond0 [ 52.287308] 8021q: adding VLAN 0 to HW filter on device bond0 [ 52.298545] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready [ 52.309480] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready [ 52.317640] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 52.373442] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready [ 52.397399] IPv6: ADDRCONF(NETDEV_UP): veth0: link is 
not ready [ 52.485988] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready [ 52.492212] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready [ 52.503969] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 52.574370] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready [ 52.596183] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready [ 52.606658] 8021q: adding VLAN 0 to HW filter on device team0 [ 52.678298] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready [ 52.684603] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready [ 52.694228] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 52.717120] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready [ 52.725074] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready [ 52.732068] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 52.806399] 8021q: adding VLAN 0 to HW filter on device team0 [ 52.841754] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready [ 52.859903] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready [ 52.875618] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 52.909071] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready [ 52.926042] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready [ 52.937703] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 52.964217] 8021q: adding VLAN 0 to HW filter on device team0 [ 53.066680] 8021q: adding VLAN 0 to HW filter on device team0 [ 53.161259] 8021q: adding VLAN 0 to HW filter on device team0 [ 53.187811] 8021q: adding VLAN 0 to HW filter on device team0 2018/12/20 22:51:32 executed programs: 6 [ 55.537500] ================================================================== [ 55.545086] BUG: KASAN: use-after-free in __xfrm_policy_unlink+0xa09/0xa20 [ 55.552122] Write of size 8 at addr ffff8881b7071b50 by task syz-executor3/7764 [ 55.559579] [ 55.561236] CPU: 0 PID: 7764 Comm: syz-executor3 Not tainted 4.20.0-rc6+ #355 [ 55.568526] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS 
Google 01/01/2011 [ 55.577965] Call Trace: [ 55.580599] dump_stack+0x244/0x39d [ 55.584240] ? dump_stack_print_info.cold.1+0x20/0x20 [ 55.589435] ? printk+0xa7/0xcf [ 55.592735] ? kmsg_dump_rewind_nolock+0xe4/0xe4 [ 55.597505] ? xfrm_policy_inexact_insert+0x138/0xee0 [ 55.602769] print_address_description.cold.7+0x9/0x1ff [ 55.608222] kasan_report.cold.8+0x242/0x309 [ 55.612663] ? __xfrm_policy_unlink+0xa09/0xa20 [ 55.617336] __asan_report_store8_noabort+0x17/0x20 [ 55.622369] __xfrm_policy_unlink+0xa09/0xa20 [ 55.626872] ? xfrm_pol_inexact_addr_use_any_list+0xe7/0x1a0 [ 55.632786] ? xfrm_policy_walk_done+0x340/0x340 [ 55.637562] ? refcount_inc_not_zero_checked+0x1e5/0x2f0 [ 55.643039] ? refcount_add_not_zero_checked+0x330/0x330 [ 55.648489] ? xfrm_policy_inexact_insert+0x64f/0xee0 [ 55.653676] ? xfrm_policy_requeue+0x550/0x960 [ 55.658344] ? xfrm_policy_byid+0x490/0x490 [ 55.662676] ? __xfrm_policy_link+0x20d/0x2d0 [ 55.667167] ? xfrm_pol_inexact_addr_use_any_list+0x1a0/0x1a0 [ 55.673065] xfrm_policy_insert+0x20a/0x850 [ 55.677389] ? xfrm_policy_inexact_insert+0xee0/0xee0 [ 55.682578] ? __sanitizer_cov_trace_switch+0x53/0x90 [ 55.687811] pfkey_spdadd+0x10f8/0x19d0 [ 55.691834] ? pfkey_spddelete+0x10e0/0x10e0 [ 55.696336] ? iov_iter_advance+0x306/0x13f0 [ 55.700745] ? pfkey_spddelete+0x10e0/0x10e0 [ 55.705149] pfkey_process+0x851/0x9a0 [ 55.709056] ? pfkey_send_new_mapping+0x11f0/0x11f0 [ 55.714072] ? kasan_check_write+0x14/0x20 [ 55.718317] pfkey_sendmsg+0x5df/0xfb0 [ 55.722205] ? pfkey_spdget+0xb20/0xb20 [ 55.726175] ? apparmor_socket_sendmsg+0x29/0x30 [ 55.730925] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 55.736466] ? security_socket_sendmsg+0x94/0xc0 [ 55.741218] ? pfkey_spdget+0xb20/0xb20 [ 55.745191] sock_sendmsg+0xd5/0x120 [ 55.748902] ___sys_sendmsg+0x7fd/0x930 [ 55.752874] ? copy_msghdr_from_user+0x580/0x580 [ 55.757633] ? __fget_light+0x2e9/0x430 [ 55.761600] ? fget_raw+0x20/0x20 [ 55.765059] ? __might_fault+0x12b/0x1e0 [ 55.769121] ? 
lock_downgrade+0x900/0x900 [ 55.773378] ? lock_release+0xa00/0xa00 [ 55.777355] ? perf_trace_sched_process_exec+0x860/0x860 [ 55.782811] ? posix_ktime_get_ts+0x15/0x20 [ 55.787146] ? trace_hardirqs_off_caller+0x310/0x310 [ 55.792264] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 55.797801] ? sockfd_lookup_light+0xc5/0x160 [ 55.802295] __sys_sendmsg+0x11d/0x280 [ 55.806196] ? __ia32_sys_shutdown+0x80/0x80 [ 55.810613] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 55.816145] ? put_timespec64+0x10f/0x1b0 [ 55.820292] ? do_syscall_64+0x9a/0x820 [ 55.824262] ? do_syscall_64+0x9a/0x820 [ 55.828253] ? trace_hardirqs_off_caller+0x310/0x310 [ 55.833378] __x64_sys_sendmsg+0x78/0xb0 [ 55.837446] do_syscall_64+0x1b9/0x820 [ 55.841348] ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe [ 55.846723] ? syscall_return_slowpath+0x5e0/0x5e0 [ 55.851666] ? trace_hardirqs_on_caller+0x310/0x310 [ 55.856680] ? prepare_exit_to_usermode+0x3b0/0x3b0 [ 55.861694] ? post_copy_siginfo_from_user.isra.25.part.26+0x250/0x250 [ 55.868358] ? __switch_to_asm+0x40/0x70 [ 55.872424] ? __switch_to_asm+0x34/0x70 [ 55.876489] ? 
trace_hardirqs_off_thunk+0x1a/0x1c [ 55.881334] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 55.886519] RIP: 0033:0x457669 [ 55.889722] Code: fd b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00 [ 55.908630] RSP: 002b:00007fea87c1ac78 EFLAGS: 00000246 ORIG_RAX: 000000000000002e [ 55.916512] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000457669 [ 55.923775] RDX: 0000000000000000 RSI: 0000000020000000 RDI: 0000000000000003 [ 55.931052] RBP: 000000000072bfa0 R08: 0000000000000000 R09: 0000000000000000 [ 55.938312] R10: 0000000000000000 R11: 0000000000000246 R12: 00007fea87c1b6d4 [ 55.945582] R13: 00000000004c443a R14: 00000000004d7410 R15: 00000000ffffffff [ 55.952854] [ 55.954475] Allocated by task 7736: [ 55.958104] save_stack+0x43/0xd0 [ 55.961617] kasan_kmalloc+0xc7/0xe0 [ 55.965345] kmem_cache_alloc_trace+0x152/0x750 [ 55.970032] xfrm_policy_alloc+0xfa/0x4f0 [ 55.974176] pfkey_spdadd+0x244/0x19d0 [ 55.978066] pfkey_process+0x851/0x9a0 [ 55.981950] pfkey_sendmsg+0x5df/0xfb0 [ 55.985832] sock_sendmsg+0xd5/0x120 [ 55.989551] ___sys_sendmsg+0x7fd/0x930 [ 55.993537] __sys_sendmsg+0x11d/0x280 [ 55.997419] __x64_sys_sendmsg+0x78/0xb0 [ 56.001522] do_syscall_64+0x1b9/0x820 [ 56.005406] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 56.010624] [ 56.012243] Freed by task 7753: [ 56.015518] save_stack+0x43/0xd0 [ 56.018966] __kasan_slab_free+0x102/0x150 [ 56.023204] kasan_slab_free+0xe/0x10 [ 56.027028] kfree+0xcf/0x230 [ 56.030194] xfrm_policy_destroy_rcu+0x4a/0x60 [ 56.035029] rcu_process_callbacks+0x100a/0x1ac0 [ 56.039784] __do_softirq+0x308/0xb7e [ 56.043570] [ 56.045192] The buggy address belongs to the object at ffff8881b7071b40 [ 56.045192] which belongs to the cache kmalloc-1k of size 1024 [ 56.057844] The buggy address is located 16 bytes inside of [ 56.057844] 1024-byte region [ffff8881b7071b40, ffff8881b7071f40) [ 
56.069711] The buggy address belongs to the page: [ 56.074644] page:ffffea0006dc1c00 count:1 mapcount:0 mapping:ffff8881da800ac0 index:0x0 compound_mapcount: 0 [ 56.084695] flags: 0x2fffc0000010200(slab|head) [ 56.089390] raw: 02fffc0000010200 ffffea0006da2088 ffffea0007624d08 ffff8881da800ac0 [ 56.097282] raw: 0000000000000000 ffff8881b7070040 0000000100000007 0000000000000000 [ 56.105151] page dumped because: kasan: bad access detected [ 56.110851] [ 56.112468] Memory state around the buggy address: [ 56.117398] ffff8881b7071a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 56.124758] ffff8881b7071a80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 56.132217] >ffff8881b7071b00: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb [ 56.139565] ^ [ 56.145527] ffff8881b7071b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 56.152877] ffff8881b7071c00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 56.160232] ================================================================== [ 56.167593] Disabling lock debugging due to kernel taint [ 56.173156] Kernel panic - not syncing: panic_on_warn set ... [ 56.179077] CPU: 0 PID: 7764 Comm: syz-executor3 Tainted: G B 4.20.0-rc6+ #355 [ 56.187747] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 56.197093] Call Trace: [ 56.199685] dump_stack+0x244/0x39d [ 56.203306] ? dump_stack_print_info.cold.1+0x20/0x20 [ 56.208502] panic+0x2ad/0x55c [ 56.211695] ? add_taint.cold.5+0x16/0x16 [ 56.215854] ? trace_hardirqs_on+0x9a/0x310 [ 56.220171] ? trace_hardirqs_on+0xb4/0x310 [ 56.224483] ? trace_hardirqs_on+0xb4/0x310 [ 56.228802] kasan_end_report+0x47/0x4f [ 56.232767] kasan_report.cold.8+0x76/0x309 [ 56.237082] ? __xfrm_policy_unlink+0xa09/0xa20 [ 56.241745] __asan_report_store8_noabort+0x17/0x20 [ 56.246807] __xfrm_policy_unlink+0xa09/0xa20 [ 56.251311] ? xfrm_pol_inexact_addr_use_any_list+0xe7/0x1a0 [ 56.257111] ? xfrm_policy_walk_done+0x340/0x340 [ 56.261881] ? 
refcount_inc_not_zero_checked+0x1e5/0x2f0 [ 56.267333] ? refcount_add_not_zero_checked+0x330/0x330 [ 56.272825] ? xfrm_policy_inexact_insert+0x64f/0xee0 [ 56.278032] ? xfrm_policy_requeue+0x550/0x960 [ 56.282653] ? xfrm_policy_byid+0x490/0x490 [ 56.286979] ? __xfrm_policy_link+0x20d/0x2d0 [ 56.291511] ? xfrm_pol_inexact_addr_use_any_list+0x1a0/0x1a0 [ 56.297407] xfrm_policy_insert+0x20a/0x850 [ 56.301736] ? xfrm_policy_inexact_insert+0xee0/0xee0 [ 56.306931] ? __sanitizer_cov_trace_switch+0x53/0x90 [ 56.312134] pfkey_spdadd+0x10f8/0x19d0 [ 56.316117] ? pfkey_spddelete+0x10e0/0x10e0 [ 56.320522] ? iov_iter_advance+0x306/0x13f0 [ 56.324928] ? pfkey_spddelete+0x10e0/0x10e0 [ 56.329386] pfkey_process+0x851/0x9a0 [ 56.333274] ? pfkey_send_new_mapping+0x11f0/0x11f0 [ 56.338293] ? kasan_check_write+0x14/0x20 [ 56.342546] pfkey_sendmsg+0x5df/0xfb0 [ 56.346439] ? pfkey_spdget+0xb20/0xb20 [ 56.350414] ? apparmor_socket_sendmsg+0x29/0x30 [ 56.355202] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 56.360734] ? security_socket_sendmsg+0x94/0xc0 [ 56.365482] ? pfkey_spdget+0xb20/0xb20 [ 56.369450] sock_sendmsg+0xd5/0x120 [ 56.373204] ___sys_sendmsg+0x7fd/0x930 [ 56.377191] ? copy_msghdr_from_user+0x580/0x580 [ 56.382000] ? __fget_light+0x2e9/0x430 [ 56.385986] ? fget_raw+0x20/0x20 [ 56.389453] ? __might_fault+0x12b/0x1e0 [ 56.393507] ? lock_downgrade+0x900/0x900 [ 56.397645] ? lock_release+0xa00/0xa00 [ 56.401609] ? perf_trace_sched_process_exec+0x860/0x860 [ 56.407056] ? posix_ktime_get_ts+0x15/0x20 [ 56.411375] ? trace_hardirqs_off_caller+0x310/0x310 [ 56.416485] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 56.422031] ? sockfd_lookup_light+0xc5/0x160 [ 56.426520] __sys_sendmsg+0x11d/0x280 [ 56.430400] ? __ia32_sys_shutdown+0x80/0x80 [ 56.434809] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 56.440387] ? put_timespec64+0x10f/0x1b0 [ 56.444531] ? do_syscall_64+0x9a/0x820 [ 56.448505] ? do_syscall_64+0x9a/0x820 [ 56.452475] ? 
trace_hardirqs_off_caller+0x310/0x310 [ 56.457589] __x64_sys_sendmsg+0x78/0xb0 [ 56.461647] do_syscall_64+0x1b9/0x820 [ 56.465532] ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe [ 56.470902] ? syscall_return_slowpath+0x5e0/0x5e0 [ 56.475843] ? trace_hardirqs_on_caller+0x310/0x310 [ 56.480857] ? prepare_exit_to_usermode+0x3b0/0x3b0 [ 56.485871] ? post_copy_siginfo_from_user.isra.25.part.26+0x250/0x250 [ 56.492536] ? __switch_to_asm+0x40/0x70 [ 56.496603] ? __switch_to_asm+0x34/0x70 [ 56.500674] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 56.505527] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 56.510708] RIP: 0033:0x457669 [ 56.513893] Code: fd b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00 [ 56.532788] RSP: 002b:00007fea87c1ac78 EFLAGS: 00000246 ORIG_RAX: 000000000000002e [ 56.540486] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000457669 [ 56.547786] RDX: 0000000000000000 RSI: 0000000020000000 RDI: 0000000000000003 [ 56.555054] RBP: 000000000072bfa0 R08: 0000000000000000 R09: 0000000000000000 [ 56.562323] R10: 0000000000000000 R11: 0000000000000246 R12: 00007fea87c1b6d4 [ 56.569604] R13: 00000000004c443a R14: 00000000004d7410 R15: 00000000ffffffff [ 56.578042] Kernel Offset: disabled [ 56.581672] Rebooting in 86400 seconds..