[ ok ] Starting enhanced syslogd: rsyslogd.
[   32.132970] audit: type=1800 audit(1538842436.956:25): pid=5627 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="cron" dev="sda1" ino=2414 res=0
[   32.157628] audit: type=1800 audit(1538842436.956:26): pid=5627 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0
[   32.182145] audit: type=1800 audit(1538842436.956:27): pid=5627 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.16' (ECDSA) to the list of known hosts.
2018/10/06 16:14:14 parsed 1 programs
2018/10/06 16:14:15 executed programs: 0
syzkaller login: [   50.792006] IPVS: ftp: loaded support on port[0] = 21
[   50.981137] bridge0: port 1(bridge_slave_0) entered blocking state
[   50.988129] bridge0: port 1(bridge_slave_0) entered disabled state
[   50.995113] device bridge_slave_0 entered promiscuous mode
[   51.010987] bridge0: port 2(bridge_slave_1) entered blocking state
[   51.017590] bridge0: port 2(bridge_slave_1) entered disabled state
[   51.024608] device bridge_slave_1 entered promiscuous mode
[   51.039700] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[   51.054993] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[   51.094449] bond0: Enslaving bond_slave_0 as an active interface with an up link
[   51.111648] bond0: Enslaving bond_slave_1 as an active interface with an up link
[   51.169119] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[   51.176739] team0: Port device team_slave_0 added
[   51.192430] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[   51.199541] team0: Port device team_slave_1 added
[   51.213685] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[   51.233914] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[   51.251107] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[   51.267601] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[   51.378630] bridge0: port 2(bridge_slave_1) entered blocking state
[   51.385056] bridge0: port 2(bridge_slave_1) entered forwarding state
[   51.391689] bridge0: port 1(bridge_slave_0) entered blocking state
[   51.398015] bridge0: port 1(bridge_slave_0) entered forwarding state
[   51.782356] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[   51.788567] 8021q: adding VLAN 0 to HW filter on device bond0
[   51.829872] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[   51.872048] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[   51.879000] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[   51.919099] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready
[   51.925545] 8021q: adding VLAN 0 to HW filter on device team0
[   51.932107] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
2018/10/06 16:14:20 executed programs: 31
[   59.150134] ==================================================================
[   59.157542] BUG: KASAN: use-after-free in do_raw_spin_lock+0x1c0/0x200
[   59.164195] Read of size 4 at addr ffff8801b390ab7c by task syz-executor0/6395
[   59.171587] 
[   59.173253] CPU: 0 PID: 6395 Comm: syz-executor0 Not tainted 4.19.0-rc6+ #270
[   59.180555] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   59.189899] Call Trace:
[   59.192482]  dump_stack+0x1c4/0x2b4
[   59.196104]  ? dump_stack_print_info.cold.2+0x52/0x52
[   59.201291]  ? printk+0xa7/0xcf
[   59.204558]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[   59.209304]  print_address_description.cold.8+0x9/0x1ff
[   59.215266]  kasan_report.cold.9+0x242/0x309
[   59.219729]  ? do_raw_spin_lock+0x1c0/0x200
[   59.224048]  ? vhost_vsock_dev_release+0x720/0x720
[   59.228959]  __asan_report_load4_noabort+0x14/0x20
[   59.233891]  do_raw_spin_lock+0x1c0/0x200
[   59.238041]  ? vhost_vsock_dev_release+0x720/0x720
[   59.243039]  _raw_spin_lock_bh+0x39/0x40
[   59.247111]  ? vhost_transport_cancel_pkt+0x15e/0x910
[   59.252294]  vhost_transport_cancel_pkt+0x15e/0x910
[   59.257317]  ? lock_acquire+0x1ed/0x520
[   59.261290]  ? vhost_vsock_dev_release+0x720/0x720
[   59.266256]  ? trace_hardirqs_on+0xbd/0x310
[   59.270571]  ? lock_release+0x970/0x970
[   59.274536]  ? lock_sock_nested+0xe2/0x120
[   59.278810]  ? __bpf_trace_preemptirq_template+0x30/0x30
[   59.284273]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   59.289843]  ? check_preemption_disabled+0x48/0x200
[   59.294889]  ? lock_sock_nested+0x9a/0x120
[   59.299487]  ? lock_sock_nested+0x9a/0x120
[   59.303722]  ? __local_bh_enable_ip+0x160/0x260
[   59.308405]  ? vhost_vsock_dev_release+0x720/0x720
[   59.313329]  vsock_stream_connect+0x903/0xe40
[   59.317819]  ? vsock_dgram_connect+0x500/0x500
[   59.322760]  ? finish_wait+0x430/0x430
[   59.326647]  ? aa_af_perm+0x5a0/0x5a0
[   59.330504]  ? apparmor_socket_connect+0xb6/0x160
[   59.335955]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   59.341486]  ? security_socket_connect+0x94/0xc0
[   59.346232]  __sys_connect+0x37d/0x4c0
[   59.350205]  ? __ia32_sys_accept+0xb0/0xb0
[   59.354695]  ? kasan_check_read+0x11/0x20
[   59.358848]  ? _copy_to_user+0xc8/0x110
[   59.362855]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   59.369310]  ? put_timespec64+0x10f/0x1b0
[   59.373462]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   59.378921]  ? __bpf_trace_preemptirq_template+0x30/0x30
[   59.384514]  __x64_sys_connect+0x73/0xb0
[   59.388607]  do_syscall_64+0x1b9/0x820
[   59.392529]  ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[   59.397923]  ? syscall_return_slowpath+0x5e0/0x5e0
[   59.402850]  ? trace_hardirqs_on_caller+0x310/0x310
[   59.407856]  ? prepare_exit_to_usermode+0x3b0/0x3b0
[   59.413016]  ? recalc_sigpending_tsk+0x180/0x180
[   59.417792]  ? kasan_check_write+0x14/0x20
[   59.422036]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   59.426870]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   59.432060] RIP: 0033:0x457579
[   59.435331] Code: 1d b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 eb b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[   59.454320] RSP: 002b:00007fd206aefc78 EFLAGS: 00000246 ORIG_RAX: 000000000000002a
[   59.462093] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000457579
[   59.469359] RDX: 0000000000000080 RSI: 0000000020000400 RDI: 0000000000000007
[   59.476895] RBP: 000000000072bfa0 R08: 0000000000000000 R09: 0000000000000000
[   59.484514] R10: 0000000000000000 R11: 0000000000000246 R12: 00007fd206af06d4
[   59.491823] R13: 00000000004bda00 R14: 00000000004cc478 R15: 00000000ffffffff
[   59.499303] 
[   59.500921] Allocated by task 6394:
[   59.504542]  save_stack+0x43/0xd0
[   59.508114]  kasan_kmalloc+0xc7/0xe0
[   59.511858]  __kmalloc_node+0x47/0x70
[   59.515646]  kvmalloc_node+0xb9/0xf0
[   59.519374]  vhost_vsock_dev_open+0xa2/0x5a0
[   59.523788]  misc_open+0x3ca/0x560
[   59.527364]  chrdev_open+0x25a/0x710
[   59.531091]  do_dentry_open+0x499/0x1250
[   59.535192]  vfs_open+0xa0/0xd0
[   59.538509]  path_openat+0x12bf/0x5160
[   59.542512]  do_filp_open+0x255/0x380
[   59.546311]  do_sys_open+0x568/0x700
[   59.550022]  __x64_sys_openat+0x9d/0x100
[   59.554066]  do_syscall_64+0x1b9/0x820
[   59.558111]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   59.563289] 
[   59.564899] Freed by task 6392:
[   59.568167]  save_stack+0x43/0xd0
[   59.571604]  __kasan_slab_free+0x102/0x150
[   59.575833]  kasan_slab_free+0xe/0x10
[   59.579621]  kfree+0xcf/0x230
[   59.582708]  kvfree+0x61/0x70
[   59.585804]  vhost_vsock_dev_release+0x4f4/0x720
[   59.590678]  __fput+0x385/0xa30
[   59.594217]  ____fput+0x15/0x20
[   59.597514]  task_work_run+0x1e8/0x2a0
[   59.601400]  exit_to_usermode_loop+0x318/0x380
[   59.606065]  do_syscall_64+0x6be/0x820
[   59.610002]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   59.615457] 
[   59.617071] The buggy address belongs to the object at ffff8801b3901e80
[   59.617071]  which belongs to the cache kmalloc-65536 of size 65536
[   59.630123] The buggy address is located 36092 bytes inside of
[   59.630123]  65536-byte region [ffff8801b3901e80, ffff8801b3911e80)
[   59.642552] The buggy address belongs to the page:
[   59.647485] page:ffffea0006ce4000 count:1 mapcount:0 mapping:ffff8801da802500 index:0x0 compound_mapcount: 0
[   59.657446] flags: 0x2fffc0000008100(slab|head)
[   59.662112] raw: 02fffc0000008100 ffffea0006ce3808 ffffea0006ce4808 ffff8801da802500
[   59.669978] raw: 0000000000000000 ffff8801b3901e80 0000000100000001 0000000000000000
[   59.677891] page dumped because: kasan: bad access detected
[   59.683602] 
[   59.685214] Memory state around the buggy address:
[   59.690236]  ffff8801b390aa00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   59.697688]  ffff8801b390aa80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   59.705063] >ffff8801b390ab00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   59.712412]                                                                 ^
[   59.719685]  ffff8801b390ab80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   59.727110]  ffff8801b390ac00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   59.734472] ==================================================================
[   59.741967] Kernel panic - not syncing: panic_on_warn set ...
[   59.741967] 
[   59.749393] CPU: 0 PID: 6395 Comm: syz-executor0 Tainted: G    B             4.19.0-rc6+ #270
[   59.758072] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   59.767423] Call Trace:
[   59.770166]  dump_stack+0x1c4/0x2b4
[   59.773798]  ? dump_stack_print_info.cold.2+0x52/0x52
[   59.778983]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   59.783741]  panic+0x238/0x4e7
[   59.786918]  ? add_taint.cold.5+0x16/0x16
[   59.791062]  ? trace_hardirqs_on+0x9a/0x310
[   59.795384]  ? trace_hardirqs_on+0xb4/0x310
[   59.799695]  ? trace_hardirqs_on+0xb4/0x310
[   59.804010]  kasan_end_report+0x47/0x4f
[   59.808078]  kasan_report.cold.9+0x76/0x309
[   59.812410]  ? do_raw_spin_lock+0x1c0/0x200
[   59.816726]  ? vhost_vsock_dev_release+0x720/0x720
[   59.821653]  __asan_report_load4_noabort+0x14/0x20
[   59.826621]  do_raw_spin_lock+0x1c0/0x200
[   59.830823]  ? vhost_vsock_dev_release+0x720/0x720
[   59.835808]  _raw_spin_lock_bh+0x39/0x40
[   59.839871]  ? vhost_transport_cancel_pkt+0x15e/0x910
[   59.845072]  vhost_transport_cancel_pkt+0x15e/0x910
[   59.850083]  ? lock_acquire+0x1ed/0x520
[   59.854049]  ? vhost_vsock_dev_release+0x720/0x720
[   59.858985]  ? trace_hardirqs_on+0xbd/0x310
[   59.863314]  ? lock_release+0x970/0x970
[   59.867333]  ? lock_sock_nested+0xe2/0x120
[   59.871585]  ? __bpf_trace_preemptirq_template+0x30/0x30
[   59.877034]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   59.882668]  ? check_preemption_disabled+0x48/0x200
[   59.887942]  ? lock_sock_nested+0x9a/0x120
[   59.892176]  ? lock_sock_nested+0x9a/0x120
[   59.896472]  ? __local_bh_enable_ip+0x160/0x260
[   59.901207]  ? vhost_vsock_dev_release+0x720/0x720
[   59.906188]  vsock_stream_connect+0x903/0xe40
[   59.910688]  ? vsock_dgram_connect+0x500/0x500
[   59.915402]  ? finish_wait+0x430/0x430
[   59.919281]  ? aa_af_perm+0x5a0/0x5a0
[   59.923073]  ? apparmor_socket_connect+0xb6/0x160
[   59.927904]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   59.933452]  ? security_socket_connect+0x94/0xc0
[   59.938244]  __sys_connect+0x37d/0x4c0
[   59.942152]  ? __ia32_sys_accept+0xb0/0xb0
[   59.946384]  ? kasan_check_read+0x11/0x20
[   59.950529]  ? _copy_to_user+0xc8/0x110
[   59.954499]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   59.960189]  ? put_timespec64+0x10f/0x1b0
[   59.964337]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   59.969710]  ? __bpf_trace_preemptirq_template+0x30/0x30
[   59.975316]  __x64_sys_connect+0x73/0xb0
[   59.979376]  do_syscall_64+0x1b9/0x820
[   59.983253]  ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[   59.988604]  ? syscall_return_slowpath+0x5e0/0x5e0
[   59.993534]  ? trace_hardirqs_on_caller+0x310/0x310
[   59.998544]  ? prepare_exit_to_usermode+0x3b0/0x3b0
[   60.003661]  ? recalc_sigpending_tsk+0x180/0x180
[   60.008423]  ? kasan_check_write+0x14/0x20
[   60.012667]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   60.017735]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   60.022912] RIP: 0033:0x457579
[   60.026242] Code: 1d b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 eb b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[   60.045162] RSP: 002b:00007fd206aefc78 EFLAGS: 00000246 ORIG_RAX: 000000000000002a
[   60.052861] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000457579
[   60.060124] RDX: 0000000000000080 RSI: 0000000020000400 RDI: 0000000000000007
[   60.067393] RBP: 000000000072bfa0 R08: 0000000000000000 R09: 0000000000000000
[   60.074658] R10: 0000000000000000 R11: 0000000000000246 R12: 00007fd206af06d4
[   60.081928] R13: 00000000004bda00 R14: 00000000004cc478 R15: 00000000ffffffff
[   60.090328] Kernel Offset: disabled
[   60.093956] Rebooting in 86400 seconds..