[   45.338746][   T27] audit: type=1800 audit(1584544355.561:25): pid=8297 uid=0 auid=4294967295 ses=4294967295 subj=_ op=collect_data cause=failed(directio) comm="startpar" name="cron" dev="sda1" ino=2414 res=0
[   45.362198][   T27] audit: type=1800 audit(1584544355.561:26): pid=8297 uid=0 auid=4294967295 ses=4294967295 subj=_ op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0
[   45.402526][   T27] audit: type=1800 audit(1584544355.561:27): pid=8297 uid=0 auid=4294967295 ses=4294967295 subj=_ op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0
[   45.422666][   T27] audit: type=1800 audit(1584544355.561:28): pid=8297 uid=0 auid=4294967295 ses=4294967295 subj=_ op=collect_data cause=failed(directio) comm="startpar" name="ssh" dev="sda1" ino=2417 res=0
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.10.13' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [   57.213429][ T8447] IPVS: ftp: loaded support on port[0] = 21
[   57.239776][ T8447] ==================================================================
[   57.247890][ T8447] BUG: KASAN: use-after-free in tcindex_change+0x1c61/0x27b0
[   57.255230][ T8447] Write of size 16 at addr ffff8880a7596330 by task syz-executor325/8447
[   57.263606][ T8447] 
[   57.265911][ T8447] CPU: 1 PID: 8447 Comm: syz-executor325 Not tainted 5.6.0-rc6-syzkaller #0
[   57.274546][ T8447] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   57.284586][ T8447] Call Trace:
[   57.287851][ T8447]  dump_stack+0x1e9/0x30e
[   57.292158][ T8447]  print_address_description+0x74/0x5c0
[   57.297673][ T8447]  ? printk+0x62/0x83
[   57.301625][ T8447]  ? vprintk_emit+0x2e6/0x3b0
[   57.306278][ T8447]  __kasan_report+0x14b/0x1c0
[   57.310925][ T8447]  ? tcindex_change+0x1c61/0x27b0
[   57.315922][ T8447]  kasan_report+0x25/0x50
[   57.320244][ T8447]  check_memory_region+0x2a5/0x2e0
[   57.325324][ T8447]  ? tcindex_change+0x1c61/0x27b0
[   57.330316][ T8447]  memcpy+0x38/0x50
[   57.334094][ T8447]  tcindex_change+0x1c61/0x27b0
[   57.338949][ T8447]  ? tcindex_destroy+0x970/0x970
[   57.343853][ T8447]  ? tcindex_lookup+0x13e/0x360
[   57.348673][ T8447]  tc_new_tfilter+0x1490/0x2f50
[   57.353501][ T8447]  ? tcindex_get+0x1c0/0x1c0
[   57.358091][ T8447]  ? tcf_tunnel_encap_put_tunnel+0x20/0x20
[   57.363867][ T8447]  rtnetlink_rcv_msg+0x8fb/0xd40
[   57.368802][ T8447]  ? lock_acquire+0x154/0x250
[   57.373448][ T8447]  ? rcu_lock_acquire+0x5/0x30
[   57.378195][ T8447]  ? check_preemption_disabled+0x40/0x240
[   57.383882][ T8447]  ? debug_smp_processor_id+0x5/0x20
[   57.389143][ T8447]  netlink_rcv_skb+0x190/0x3a0
[   57.393879][ T8447]  ? rtnetlink_bind+0x80/0x80
[   57.398544][ T8447]  netlink_unicast+0x786/0x940
[   57.403289][ T8447]  netlink_sendmsg+0xa57/0xd70
[   57.408044][ T8447]  ? netlink_getsockopt+0x9d0/0x9d0
[   57.413213][ T8447]  ____sys_sendmsg+0x4f9/0x7c0
[   57.417962][ T8447]  __sys_sendmsg+0x1ed/0x290
[   57.422523][ T8447]  ? __might_fault+0xf5/0x150
[   57.427178][ T8447]  ? move_addr_to_user+0x17f/0x1e0
[   57.432263][ T8447]  ? __sys_getsockname+0x1e2/0x220
[   57.437358][ T8447]  ? check_preemption_disabled+0xb0/0x240
[   57.443052][ T8447]  ? debug_smp_processor_id+0x5/0x20
[   57.448307][ T8447]  ? check_preemption_disabled+0xb0/0x240
[   57.453991][ T8447]  ? debug_smp_processor_id+0x5/0x20
[   57.459259][ T8447]  ? trace_irq_disable_rcuidle+0x1f/0x1d0
[   57.464950][ T8447]  ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[   57.470988][ T8447]  ? do_syscall_64+0x19/0x1b0
[   57.475732][ T8447]  do_syscall_64+0xf3/0x1b0
[   57.480218][ T8447]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   57.486081][ T8447] RIP: 0033:0x440e79
[   57.489946][ T8447] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b 10 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[   57.509519][ T8447] RSP: 002b:00007ffe907a5898 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[   57.517900][ T8447] RAX: ffffffffffffffda RBX: 00000000004a2650 RCX: 0000000000440e79
[   57.525841][ T8447] RDX: 0000000000000000 RSI: 00000000200001c0 RDI: 0000000000000003
[   57.533784][ T8447] RBP: 00007ffe907a58a0 R08: 0000000120080522 R09: 0000000120080522
[   57.541738][ T8447] R10: 0000000120080522 R11: 0000000000000246 R12: 00000000004a2650
[   57.549680][ T8447] R13: 0000000000402410 R14: 0000000000000000 R15: 0000000000000000
[   57.557637][ T8447] 
[   57.559937][ T8447] Allocated by task 7368:
[   57.564239][ T8447]  __kasan_kmalloc+0x118/0x1c0
[   57.568970][ T8447]  __kmalloc+0x24b/0x330
[   57.573193][ T8447]  kzalloc+0x1d/0x40
[   57.577055][ T8447]  security_prepare_creds+0x46/0x220
[   57.582321][ T8447]  prepare_creds+0x3dc/0x590
[   57.586887][ T8447]  copy_creds+0x130/0x6b0
[   57.591191][ T8447]  copy_process+0x8e5/0x5560
[   57.595753][ T8447]  _do_fork+0x134/0x650
[   57.599882][ T8447]  __x64_sys_clone+0x208/0x250
[   57.604617][ T8447]  do_syscall_64+0xf3/0x1b0
[   57.609092][ T8447]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   57.614952][ T8447] 
[   57.617267][ T8447] Freed by task 7471:
[   57.621226][ T8447]  __kasan_slab_free+0x12e/0x1e0
[   57.626136][ T8447]  kfree+0x10a/0x220
[   57.629999][ T8447]  security_cred_free+0xbf/0x100
[   57.634905][ T8447]  put_cred_rcu+0xca/0x350
[   57.639288][ T8447]  rcu_core+0x7e4/0x1080
[   57.643498][ T8447]  __do_softirq+0x268/0x7c5
[   57.647996][ T8447] 
[   57.650299][ T8447] The buggy address belongs to the object at ffff8880a7596300
[   57.650299][ T8447]  which belongs to the cache kmalloc-192 of size 192
[   57.664331][ T8447] The buggy address is located 48 bytes inside of
[   57.664331][ T8447]  192-byte region [ffff8880a7596300, ffff8880a75963c0)
[   57.677575][ T8447] The buggy address belongs to the page:
[   57.683182][ T8447] page:ffffea00029d6580 refcount:1 mapcount:0 mapping:ffff8880aa400000 index:0xffff8880a7596100
[   57.693558][ T8447] flags: 0xfffe0000000200(slab)
[   57.698378][ T8447] raw: 00fffe0000000200 ffffea000277cb88 ffffea0002a11948 ffff8880aa400000
[   57.706933][ T8447] raw: ffff8880a7596100 ffff8880a7596000 0000000100000006 0000000000000000
[   57.715502][ T8447] page dumped because: kasan: bad access detected
[   57.721881][ T8447] 
[   57.724179][ T8447] Memory state around the buggy address:
[   57.729778][ T8447]  ffff8880a7596200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   57.737818][ T8447]  ffff8880a7596280: 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   57.745849][ T8447] >ffff8880a7596300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   57.753875][ T8447]                                      ^
[   57.759485][ T8447]  ffff8880a7596380: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   57.767515][ T8447]  ffff8880a7596400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   57.775647][ T8447] ==================================================================
[   57.783675][ T8447] Disabling lock debugging due to kernel taint
[   57.790240][ T8447] Kernel panic - not syncing: panic_on_warn set ...
[   57.796819][ T8447] CPU: 1 PID: 8447 Comm: syz-executor325 Tainted: G    B             5.6.0-rc6-syzkaller #0
[   57.806845][ T8447] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   57.816871][ T8447] Call Trace:
[   57.820134][ T8447]  dump_stack+0x1e9/0x30e
[   57.824434][ T8447]  panic+0x264/0x7a0
[   57.828300][ T8447]  ? trace_hardirqs_on+0x30/0x70
[   57.833208][ T8447]  __kasan_report+0x1bc/0x1c0
[   57.837865][ T8447]  ? tcindex_change+0x1c61/0x27b0
[   57.842859][ T8447]  kasan_report+0x25/0x50
[   57.847158][ T8447]  check_memory_region+0x2a5/0x2e0
[   57.852236][ T8447]  ? tcindex_change+0x1c61/0x27b0
[   57.857239][ T8447]  memcpy+0x38/0x50
[   57.861014][ T8447]  tcindex_change+0x1c61/0x27b0
[   57.865849][ T8447]  ? tcindex_destroy+0x970/0x970
[   57.870872][ T8447]  ? tcindex_lookup+0x13e/0x360
[   57.875692][ T8447]  tc_new_tfilter+0x1490/0x2f50
[   57.880511][ T8447]  ? tcindex_get+0x1c0/0x1c0
[   57.885084][ T8447]  ? tcf_tunnel_encap_put_tunnel+0x20/0x20
[   57.890859][ T8447]  rtnetlink_rcv_msg+0x8fb/0xd40
[   57.895782][ T8447]  ? lock_acquire+0x154/0x250
[   57.900516][ T8447]  ? rcu_lock_acquire+0x5/0x30
[   57.905250][ T8447]  ? check_preemption_disabled+0x40/0x240
[   57.910936][ T8447]  ? debug_smp_processor_id+0x5/0x20
[   57.916188][ T8447]  netlink_rcv_skb+0x190/0x3a0
[   57.920918][ T8447]  ? rtnetlink_bind+0x80/0x80
[   57.925568][ T8447]  netlink_unicast+0x786/0x940
[   57.930303][ T8447]  netlink_sendmsg+0xa57/0xd70
[   57.935050][ T8447]  ? netlink_getsockopt+0x9d0/0x9d0
[   57.940243][ T8447]  ____sys_sendmsg+0x4f9/0x7c0
[   57.944980][ T8447]  __sys_sendmsg+0x1ed/0x290
[   57.949547][ T8447]  ? __might_fault+0xf5/0x150
[   57.954193][ T8447]  ? move_addr_to_user+0x17f/0x1e0
[   57.959330][ T8447]  ? __sys_getsockname+0x1e2/0x220
[   57.964528][ T8447]  ? check_preemption_disabled+0xb0/0x240
[   57.970218][ T8447]  ? debug_smp_processor_id+0x5/0x20
[   57.975473][ T8447]  ? check_preemption_disabled+0xb0/0x240
[   57.981161][ T8447]  ? debug_smp_processor_id+0x5/0x20
[   57.986419][ T8447]  ? trace_irq_disable_rcuidle+0x1f/0x1d0
[   57.992111][ T8447]  ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[   57.998151][ T8447]  ? do_syscall_64+0x19/0x1b0
[   58.002801][ T8447]  do_syscall_64+0xf3/0x1b0
[   58.007278][ T8447]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   58.013149][ T8447] RIP: 0033:0x440e79
[   58.017019][ T8447] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b 10 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[   58.036595][ T8447] RSP: 002b:00007ffe907a5898 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[   58.044977][ T8447] RAX: ffffffffffffffda RBX: 00000000004a2650 RCX: 0000000000440e79
[   58.052953][ T8447] RDX: 0000000000000000 RSI: 00000000200001c0 RDI: 0000000000000003
[   58.060895][ T8447] RBP: 00007ffe907a58a0 R08: 0000000120080522 R09: 0000000120080522
[   58.068839][ T8447] R10: 0000000120080522 R11: 0000000000000246 R12: 00000000004a2650
[   58.076839][ T8447] R13: 0000000000402410 R14: 0000000000000000 R15: 0000000000000000
[   58.086030][ T8447] Kernel Offset: disabled
[   58.090344][ T8447] Rebooting in 86400 seconds..