Warning: Permanently added '10.128.10.55' (ECDSA) to the list of known hosts.
2018/10/14 09:32:53 parsed 1 programs
2018/10/14 09:32:54 executed programs: 0
syzkaller login: [ 81.673004] IPVS: ftp: loaded support on port[0] = 21
[ 81.932133] bridge0: port 1(bridge_slave_0) entered blocking state
[ 81.939046] bridge0: port 1(bridge_slave_0) entered disabled state
[ 81.946491] device bridge_slave_0 entered promiscuous mode
[ 81.965913] bridge0: port 2(bridge_slave_1) entered blocking state
[ 81.972304] bridge0: port 2(bridge_slave_1) entered disabled state
[ 81.979595] device bridge_slave_1 entered promiscuous mode
[ 81.998086] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[ 82.017086] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[ 82.068594] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 82.089416] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 82.168719] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 82.176442] team0: Port device team_slave_0 added
[ 82.192905] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 82.200362] team0: Port device team_slave_1 added
[ 82.217970] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 82.239744] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 82.260930] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 82.280383] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[ 82.426256] bridge0: port 2(bridge_slave_1) entered blocking state
[ 82.432748] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 82.439727] bridge0: port 1(bridge_slave_0) entered blocking state
[ 82.446104] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 82.969032] 8021q: adding VLAN 0 to HW filter on device bond0
[ 83.021749] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 83.076449] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
[ 83.082625] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 83.090279] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 83.137715] 8021q: adding VLAN 0 to HW filter on device team0
2018/10/14 09:32:59 executed programs: 40
2018/10/14 09:33:04 executed programs: 103
2018/10/14 09:33:09 executed programs: 166
2018/10/14 09:33:14 executed programs: 229
2018/10/14 09:33:19 executed programs: 295
2018/10/14 09:33:24 executed programs: 361
2018/10/14 09:33:29 executed programs: 426
2018/10/14 09:33:34 executed programs: 491
[ 125.110491] ==================================================================
[ 125.117891] BUG: KASAN: use-after-free in __lock_acquire+0x3747/0x4da0
[ 125.124644] Read of size 8 at addr ffff8801ae470910 by task syz-executor0/8351
[ 125.131987]
[ 125.133603] CPU: 0 PID: 8351 Comm: syz-executor0 Not tainted 4.19.0-rc7-next-20181012+ #93
[ 125.141997] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 125.151361] Call Trace:
[ 125.153941] dump_stack+0x244/0x3ab
[ 125.157607] ? dump_stack_print_info.cold.2+0x52/0x52
[ 125.162792] ? printk+0xa7/0xcf
[ 125.166053] ? kmsg_dump_rewind_nolock+0xe4/0xe4
[ 125.170905] print_address_description.cold.7+0x9/0x1ff
[ 125.176275] kasan_report.cold.8+0x242/0x309
[ 125.180822] ? __lock_acquire+0x3747/0x4da0
[ 125.185174] __asan_report_load8_noabort+0x14/0x20
[ 125.190097] __lock_acquire+0x3747/0x4da0
[ 125.194233] ? _raw_spin_unlock_irq+0x27/0x80
[ 125.198760] ? lockdep_hardirqs_on+0x3bb/0x5b0
[ 125.203336] ? trace_hardirqs_on+0xbd/0x310
[ 125.207655] ? kasan_check_read+0x11/0x20
[ 125.211797] ? finish_task_switch+0x1f5/0x900
[ 125.216286] ? trace_hardirqs_off_caller+0x300/0x300
[ 125.221381] ? mark_held_locks+0x130/0x130
[ 125.225714] ? _raw_spin_unlock_irq+0x60/0x80
[ 125.230200] ? finish_task_switch+0x1f5/0x900
[ 125.234683] ? finish_task_switch+0x1b5/0x900
[ 125.239218] ? __switch_to_asm+0x34/0x70
[ 125.243271] ? preempt_notifier_register+0x200/0x200
[ 125.248360] ? __switch_to_asm+0x34/0x70
[ 125.252410] ? __switch_to_asm+0x34/0x70
[ 125.256459] ? __switch_to_asm+0x40/0x70
[ 125.260504] ? __switch_to_asm+0x34/0x70
[ 125.264607] ? __switch_to_asm+0x40/0x70
[ 125.268671] ? __switch_to_asm+0x34/0x70
[ 125.272732] ? __switch_to_asm+0x40/0x70
[ 125.276777] ? __switch_to_asm+0x34/0x70
[ 125.280822] ? print_usage_bug+0xc0/0xc0
[ 125.284871] ? __switch_to_asm+0x40/0x70
[ 125.288916] ? __switch_to_asm+0x34/0x70
[ 125.292962] ? __switch_to_asm+0x40/0x70
[ 125.297008] ? __schedule+0x8d7/0x21d0
[ 125.300882] ? __sched_text_start+0x8/0x8
[ 125.305024] ? mark_held_locks+0xc7/0x130
[ 125.309157] ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 125.313905] ? lockdep_hardirqs_on+0x3bb/0x5b0
[ 125.318477] ? retint_kernel+0x2d/0x2d
[ 125.322356] ? trace_hardirqs_on_caller+0xc0/0x310
[ 125.327323] ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 125.332072] ? __bpf_trace_preemptirq_template+0x30/0x30
[ 125.337507] ? retint_kernel+0x1b/0x2d
[ 125.341381] lock_acquire+0x1ed/0x520
[ 125.345170] ? vhost_transport_send_pkt+0x12e/0x380
[ 125.350170] ? lock_release+0xa10/0xa10
[ 125.354127] ? retint_kernel+0x2d/0x2d
[ 125.358005] _raw_spin_lock_bh+0x31/0x40
[ 125.362058] ? vhost_transport_send_pkt+0x12e/0x380
[ 125.367062] vhost_transport_send_pkt+0x12e/0x380
[ 125.371899] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 125.377422] ? vhost_vsock_dev_open+0x5a0/0x5a0
[ 125.382138] ? virtio_transport_send_pkt_info+0x2e7/0x460
[ 125.387686] ? __local_bh_enable_ip+0x160/0x260
[ 125.392342] virtio_transport_send_pkt_info+0x31d/0x460
[ 125.397694] virtio_transport_connect+0x17c/0x220
[ 125.402523] ? virtio_transport_send_pkt_info+0x460/0x460
[ 125.408048] ? vsock_auto_bind+0xa9/0xe0
[ 125.412102] ? __local_bh_enable_ip+0x160/0x260
[ 125.416763] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[ 125.422289] vsock_stream_connect+0x4ed/0xe40
[ 125.426772] ? vsock_dgram_connect+0x500/0x500
[ 125.431337] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 125.436916] ? aa_label_sk_perm+0x91/0x100
[ 125.441144] ? finish_wait+0x430/0x430
[ 125.445024] ? aa_af_perm+0x5a0/0x5a0
[ 125.448817] ? apparmor_socket_connect+0xb6/0x160
[ 125.453651] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 125.459177] ? security_socket_connect+0x94/0xc0
[ 125.463923] __sys_connect+0x37d/0x4c0
[ 125.467799] ? __ia32_sys_accept+0xb0/0xb0
[ 125.472019] ? kasan_check_read+0x11/0x20
[ 125.476155] ? _copy_to_user+0xc8/0x110
[ 125.480113] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 125.485745] ? put_timespec64+0x10f/0x1b0
[ 125.489880] ? do_syscall_64+0x9a/0x820
[ 125.493836] ? do_syscall_64+0x9a/0x820
[ 125.497801] ? lockdep_hardirqs_on+0x3bb/0x5b0
[ 125.502373] ? trace_hardirqs_on+0xbd/0x310
[ 125.506683] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 125.512204] ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 125.517554] ? trace_hardirqs_off_caller+0x300/0x300
[ 125.522656] __x64_sys_connect+0x73/0xb0
[ 125.526805] do_syscall_64+0x1b9/0x820
[ 125.530687] ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[ 125.536041] ? syscall_return_slowpath+0x5e0/0x5e0
[ 125.540962] ? trace_hardirqs_on_caller+0x310/0x310
[ 125.545965] ? prepare_exit_to_usermode+0x3b0/0x3b0
[ 125.550971] ? post_copy_siginfo_from_user.isra.25.part.26+0x250/0x250
[ 125.557671] ? __switch_to_asm+0x40/0x70
[ 125.561722] ? __switch_to_asm+0x34/0x70
[ 125.565771] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 125.570601] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 125.575772] RIP: 0033:0x457569
[ 125.578954] Code: fd b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 125.597843] RSP: 002b:00007f3699c24c78 EFLAGS: 00000246 ORIG_RAX: 000000000000002a
[ 125.605536] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000457569
[ 125.612880] RDX: 0000000000000010 RSI: 0000000020000200 RDI: 0000000000000005
[ 125.620136] RBP: 000000000072bfa0 R08: 0000000000000000 R09: 0000000000000000
[ 125.627394] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f3699c256d4
[ 125.634654] R13: 00000000004bdb06 R14: 00000000004cc658 R15: 00000000ffffffff
[ 125.641925]
[ 125.643535] Allocated by task 8350:
[ 125.647146] save_stack+0x43/0xd0
[ 125.650686] kasan_kmalloc+0xc7/0xe0
[ 125.654388] __kmalloc_node+0x50/0x70
[ 125.658175] kvmalloc_node+0xb9/0xf0
[ 125.661873] vhost_vsock_dev_open+0xa2/0x5a0
[ 125.666262] misc_open+0x3ca/0x560
[ 125.669788] chrdev_open+0x25a/0x710
[ 125.673491] do_dentry_open+0x499/0x1250
[ 125.677536] vfs_open+0xa0/0xd0
[ 125.680807] path_openat+0x12bc/0x5150
[ 125.684682] do_filp_open+0x255/0x380
[ 125.688465] do_sys_open+0x568/0x700
[ 125.692158] __x64_sys_openat+0x9d/0x100
[ 125.696212] do_syscall_64+0x1b9/0x820
[ 125.700085] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 125.705251]
[ 125.706937] Freed by task 8348:
[ 125.710205] save_stack+0x43/0xd0
[ 125.713646] __kasan_slab_free+0x102/0x150
[ 125.717870] kasan_slab_free+0xe/0x10
[ 125.721659] kfree+0xcf/0x230
[ 125.724745] kvfree+0x61/0x70
[ 125.727835] vhost_vsock_dev_release+0x4f4/0x720
[ 125.732676] __fput+0x3bc/0xa70
[ 125.735939] ____fput+0x15/0x20
[ 125.739205] task_work_run+0x1e8/0x2a0
[ 125.743083] exit_to_usermode_loop+0x318/0x380
[ 125.747651] do_syscall_64+0x6be/0x820
[ 125.751524] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 125.756691]
[ 125.758311] The buggy address belongs to the object at ffff8801ae467c00
[ 125.758311] which belongs to the cache kmalloc-64k of size 65536
[ 125.771192] The buggy address is located 36112 bytes inside of
[ 125.771192] 65536-byte region [ffff8801ae467c00, ffff8801ae477c00)
[ 125.783402] The buggy address belongs to the page:
[ 125.788317] page:ffffea0006b91800 count:1 mapcount:0 mapping:ffff8801da802500 index:0x0 compound_mapcount: 0
[ 125.798269] flags: 0x2fffc0000010200(slab|head)
[ 125.802927] raw: 02fffc0000010200 ffffea0006b91008 ffffea0006b92008 ffff8801da802500
[ 125.810855] raw: 0000000000000000 ffff8801ae467c00 0000000100000001 0000000000000000
[ 125.818719] page dumped because: kasan: bad access detected
[ 125.824436]
[ 125.826058] Memory state around the buggy address:
[ 125.830980] ffff8801ae470800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 125.838326] ffff8801ae470880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 125.845673] >ffff8801ae470900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 125.853143] ^
[ 125.857012] ffff8801ae470980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 125.864396] ffff8801ae470a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 125.871740] ==================================================================
[ 125.879148] Disabling lock debugging due to kernel taint
[ 125.884594] Kernel panic - not syncing: panic_on_warn set ...
[ 125.884594]
[ 125.891949] CPU: 0 PID: 8351 Comm: syz-executor0 Tainted: G B 4.19.0-rc7-next-20181012+ #93
[ 125.901722] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 125.911057] Call Trace:
[ 125.913634] dump_stack+0x244/0x3ab
[ 125.917244] ? dump_stack_print_info.cold.2+0x52/0x52
[ 125.922416] ? lock_downgrade+0x900/0x900
[ 125.926550] panic+0x238/0x4e7
[ 125.929737] ? add_taint.cold.5+0x16/0x16
[ 125.933874] ? add_taint.cold.5+0x5/0x16
[ 125.937926] ? trace_hardirqs_off+0xaf/0x310
[ 125.942390] kasan_end_report+0x47/0x4f
[ 125.946415] kasan_report.cold.8+0x76/0x309
[ 125.950727] ? __lock_acquire+0x3747/0x4da0
[ 125.955030] __asan_report_load8_noabort+0x14/0x20
[ 125.959948] __lock_acquire+0x3747/0x4da0
[ 125.964190] ? _raw_spin_unlock_irq+0x27/0x80
[ 125.968675] ? lockdep_hardirqs_on+0x3bb/0x5b0
[ 125.973266] ? trace_hardirqs_on+0xbd/0x310
[ 125.977573] ? kasan_check_read+0x11/0x20
[ 125.981770] ? finish_task_switch+0x1f5/0x900
[ 125.986261] ? trace_hardirqs_off_caller+0x300/0x300
[ 125.991349] ? mark_held_locks+0x130/0x130
[ 125.995575] ? _raw_spin_unlock_irq+0x60/0x80
[ 126.000062] ? finish_task_switch+0x1f5/0x900
[ 126.004547] ? finish_task_switch+0x1b5/0x900
[ 126.009036] ? __switch_to_asm+0x34/0x70
[ 126.013081] ? preempt_notifier_register+0x200/0x200
[ 126.018174] ? __switch_to_asm+0x34/0x70
[ 126.022223] ? __switch_to_asm+0x34/0x70
[ 126.026275] ? __switch_to_asm+0x40/0x70
[ 126.030536] ? __switch_to_asm+0x34/0x70
[ 126.034701] ? __switch_to_asm+0x40/0x70
[ 126.038751] ? __switch_to_asm+0x34/0x70
[ 126.042796] ? __switch_to_asm+0x40/0x70
[ 126.046842] ? __switch_to_asm+0x34/0x70
[ 126.050887] ? print_usage_bug+0xc0/0xc0
[ 126.054940] ? __switch_to_asm+0x40/0x70
[ 126.058986] ? __switch_to_asm+0x34/0x70
[ 126.063027] ? __switch_to_asm+0x40/0x70
[ 126.067079] ? __schedule+0x8d7/0x21d0
[ 126.070956] ? __sched_text_start+0x8/0x8
[ 126.075089] ? mark_held_locks+0xc7/0x130
[ 126.079223] ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 126.084068] ? lockdep_hardirqs_on+0x3bb/0x5b0
[ 126.088635] ? retint_kernel+0x2d/0x2d
[ 126.092507] ? trace_hardirqs_on_caller+0xc0/0x310
[ 126.097421] ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 126.102158] ? __bpf_trace_preemptirq_template+0x30/0x30
[ 126.107590] ? retint_kernel+0x1b/0x2d
[ 126.111468] lock_acquire+0x1ed/0x520
[ 126.115264] ? vhost_transport_send_pkt+0x12e/0x380
[ 126.120267] ? lock_release+0xa10/0xa10
[ 126.124222] ? retint_kernel+0x2d/0x2d
[ 126.128094] _raw_spin_lock_bh+0x31/0x40
[ 126.132137] ? vhost_transport_send_pkt+0x12e/0x380
[ 126.137234] vhost_transport_send_pkt+0x12e/0x380
[ 126.142127] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 126.147663] ? vhost_vsock_dev_open+0x5a0/0x5a0
[ 126.152325] ? virtio_transport_send_pkt_info+0x2e7/0x460
[ 126.157853] ? __local_bh_enable_ip+0x160/0x260
[ 126.162514] virtio_transport_send_pkt_info+0x31d/0x460
[ 126.167883] virtio_transport_connect+0x17c/0x220
[ 126.172712] ? virtio_transport_send_pkt_info+0x460/0x460
[ 126.178233] ? vsock_auto_bind+0xa9/0xe0
[ 126.182275] ? __local_bh_enable_ip+0x160/0x260
[ 126.186930] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[ 126.192455] vsock_stream_connect+0x4ed/0xe40
[ 126.196942] ? vsock_dgram_connect+0x500/0x500
[ 126.201509] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 126.207038] ? aa_label_sk_perm+0x91/0x100
[ 126.211262] ? finish_wait+0x430/0x430
[ 126.215133] ? aa_af_perm+0x5a0/0x5a0
[ 126.218921] ? apparmor_socket_connect+0xb6/0x160
[ 126.224067] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 126.229596] ? security_socket_connect+0x94/0xc0
[ 126.234338] __sys_connect+0x37d/0x4c0
[ 126.238212] ? __ia32_sys_accept+0xb0/0xb0
[ 126.242440] ? kasan_check_read+0x11/0x20
[ 126.246586] ? _copy_to_user+0xc8/0x110
[ 126.250547] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 126.256078] ? put_timespec64+0x10f/0x1b0
[ 126.260212] ? do_syscall_64+0x9a/0x820
[ 126.264173] ? do_syscall_64+0x9a/0x820
[ 126.268136] ? lockdep_hardirqs_on+0x3bb/0x5b0
[ 126.272702] ? trace_hardirqs_on+0xbd/0x310
[ 126.277012] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 126.282537] ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 126.287890] ? trace_hardirqs_off_caller+0x300/0x300
[ 126.292986] __x64_sys_connect+0x73/0xb0
[ 126.297043] do_syscall_64+0x1b9/0x820
[ 126.300927] ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[ 126.306327] ? syscall_return_slowpath+0x5e0/0x5e0
[ 126.311296] ? trace_hardirqs_on_caller+0x310/0x310
[ 126.316307] ? prepare_exit_to_usermode+0x3b0/0x3b0
[ 126.321316] ? post_copy_siginfo_from_user.isra.25.part.26+0x250/0x250
[ 126.327979] ? __switch_to_asm+0x40/0x70
[ 126.332033] ? __switch_to_asm+0x34/0x70
[ 126.336085] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 126.340913] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 126.346084] RIP: 0033:0x457569
[ 126.349263] Code: fd b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 126.368148] RSP: 002b:00007f3699c24c78 EFLAGS: 00000246 ORIG_RAX: 000000000000002a
[ 126.375841] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000457569
[ 126.383092] RDX: 0000000000000010 RSI: 0000000020000200 RDI: 0000000000000005
[ 126.390376] RBP: 000000000072bfa0 R08: 0000000000000000 R09: 0000000000000000
[ 126.397640] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f3699c256d4
[ 126.404903] R13: 00000000004bdb06 R14: 00000000004cc658 R15: 00000000ffffffff
[ 126.412973] Kernel Offset: disabled
[ 126.416595] Rebooting in 86400 seconds..