[....] Starting enhanced syslogd: rsyslogd[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[ ok 8[?25h[?0c. [ 25.482679] kauditd_printk_skb: 7 callbacks suppressed [ 25.482691] audit: type=1800 audit(1540027722.997:29): pid=5441 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="rc.local" dev="sda1" ino=2432 res=0 [ 25.514871] audit: type=1800 audit(1540027722.997:30): pid=5441 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="rmnologin" dev="sda1" ino=2423 res=0 Debian GNU/Linux 7 syzkaller ttyS0 Warning: Permanently added '10.128.10.44' (ECDSA) to the list of known hosts. 2018/10/20 09:29:21 parsed 1 programs 2018/10/20 09:29:23 executed programs: 0 syzkaller login: [ 65.522318] IPVS: ftp: loaded support on port[0] = 21 [ 65.771426] bridge0: port 1(bridge_slave_0) entered blocking state [ 65.778088] bridge0: port 1(bridge_slave_0) entered disabled state [ 65.786291] device bridge_slave_0 entered promiscuous mode [ 65.804530] bridge0: port 2(bridge_slave_1) entered blocking state [ 65.810951] bridge0: port 2(bridge_slave_1) entered disabled state [ 65.817877] device bridge_slave_1 entered promiscuous mode [ 65.835546] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready [ 65.853297] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready [ 65.909486] bond0: Enslaving bond_slave_0 as an active interface with an up link [ 65.931032] bond0: Enslaving bond_slave_1 as an active interface with an up link [ 66.007045] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready [ 66.014462] team0: Port device team_slave_0 added [ 66.031565] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready [ 66.038657] team0: Port device team_slave_1 added [ 66.057479] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready [ 66.076302] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready [ 66.096423] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready [ 66.116471] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready [ 66.263552] bridge0: port 2(bridge_slave_1) entered blocking state [ 66.270036] bridge0: port 2(bridge_slave_1) entered forwarding state [ 66.276769] bridge0: port 1(bridge_slave_0) entered blocking state [ 66.283279] bridge0: port 1(bridge_slave_0) entered forwarding state [ 66.800804] 8021q: adding VLAN 0 to HW filter on device bond0 [ 66.852565] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready [ 66.904626] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready [ 66.911053] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready [ 66.917993] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 66.972870] 8021q: adding VLAN 0 to HW filter on device team0 2018/10/20 09:29:28 executed programs: 26 [ 73.802739] ================================================================== [ 73.810150] BUG: KASAN: use-after-free in __lock_acquire+0x36d9/0x4c20 [ 73.816808] Read of size 8 at addr ffff8801b14ea890 by task syz-executor0/6184 [ 73.824142] [ 73.825751] CPU: 0 PID: 6184 Comm: syz-executor0 Not tainted 4.19.0-rc8-next-20181019+ #98 [ 73.834128] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 73.843492] Call Trace: [ 73.846064] dump_stack+0x244/0x39d [ 73.849708] ? dump_stack_print_info.cold.1+0x20/0x20 [ 73.854878] ? printk+0xa7/0xcf [ 73.858138] ? kmsg_dump_rewind_nolock+0xe4/0xe4 [ 73.862879] print_address_description.cold.7+0x9/0x1ff [ 73.868225] kasan_report.cold.8+0x242/0x309 [ 73.872619] ? __lock_acquire+0x36d9/0x4c20 [ 73.876921] __asan_report_load8_noabort+0x14/0x20 [ 73.881832] __lock_acquire+0x36d9/0x4c20 [ 73.885964] ? __free_pages+0x149/0x190 [ 73.889919] ? free_unref_page+0x960/0x960 [ 73.894138] ? mark_held_locks+0x130/0x130 [ 73.898359] ? kasan_check_write+0x14/0x20 [ 73.902579] ? finish_task_switch+0x658/0x920 [ 73.907070] ? __switch_to_asm+0x40/0x70 [ 73.911123] ? preempt_notifier_register+0x200/0x200 [ 73.916210] ? __switch_to_asm+0x34/0x70 [ 73.920254] ? __switch_to_asm+0x34/0x70 [ 73.924295] ? __switch_to_asm+0x40/0x70 [ 73.928336] ? __switch_to_asm+0x34/0x70 [ 73.932378] ? __switch_to_asm+0x40/0x70 [ 73.936418] ? __switch_to_asm+0x34/0x70 [ 73.940460] ? __switch_to_asm+0x40/0x70 [ 73.944499] ? __switch_to_asm+0x34/0x70 [ 73.948557] ? __switch_to_asm+0x34/0x70 [ 73.952600] ? __switch_to_asm+0x40/0x70 [ 73.956643] ? __switch_to_asm+0x34/0x70 [ 73.960692] ? __switch_to_asm+0x40/0x70 [ 73.964743] ? __switch_to_asm+0x34/0x70 [ 73.968797] ? __switch_to_asm+0x40/0x70 [ 73.972841] ? __schedule+0x8d7/0x21d0 [ 73.976710] ? __bpf_trace_preemptirq_template+0x30/0x30 [ 73.982146] ? __sched_text_start+0x8/0x8 [ 73.986277] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 73.991017] ? find_held_lock+0x36/0x1c0 [ 73.995064] ? mark_held_locks+0xc7/0x130 [ 73.999197] lock_acquire+0x1ed/0x520 [ 74.002982] ? vhost_transport_cancel_pkt+0x15e/0x910 [ 74.008155] ? lock_release+0xa10/0xa10 [ 74.012125] ? preempt_schedule+0x4d/0x60 [ 74.016264] ? ___preempt_schedule+0x16/0x18 [ 74.020851] ? __local_bh_enable_ip+0x1a3/0x260 [ 74.025503] ? vhost_vsock_dev_release+0x720/0x720 [ 74.030421] _raw_spin_lock_bh+0x31/0x40 [ 74.034477] ? vhost_transport_cancel_pkt+0x15e/0x910 [ 74.039649] vhost_transport_cancel_pkt+0x15e/0x910 [ 74.044649] ? vhost_vsock_dev_release+0x720/0x720 [ 74.049562] ? trace_hardirqs_on+0xbd/0x310 [ 74.053866] ? lock_release+0xa10/0xa10 [ 74.057823] ? lock_sock_nested+0xe2/0x120 [ 74.062040] ? trace_hardirqs_off_caller+0x300/0x300 [ 74.067137] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 74.072657] ? check_preemption_disabled+0x48/0x280 [ 74.077652] ? lock_sock_nested+0x9a/0x120 [ 74.081866] ? lock_sock_nested+0x9a/0x120 [ 74.086088] ? __local_bh_enable_ip+0x160/0x260 [ 74.090759] ? vhost_vsock_dev_release+0x720/0x720 [ 74.095688] vsock_stream_connect+0x903/0xe40 [ 74.100170] ? vsock_dgram_connect+0x500/0x500 [ 74.104736] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 74.110268] ? aa_label_sk_perm+0x91/0x100 [ 74.114498] ? finish_wait+0x430/0x430 [ 74.118367] ? aa_af_perm+0x5a0/0x5a0 [ 74.122162] ? apparmor_socket_connect+0xb6/0x160 [ 74.126997] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 74.132521] ? security_socket_connect+0x94/0xc0 [ 74.137273] __sys_connect+0x37d/0x4c0 [ 74.141145] ? __ia32_sys_accept+0xb0/0xb0 [ 74.145377] ? kasan_check_read+0x11/0x20 [ 74.149506] ? _copy_to_user+0xc8/0x110 [ 74.153552] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 74.159071] ? put_timespec64+0x10f/0x1b0 [ 74.163209] ? do_syscall_64+0x9a/0x820 [ 74.167172] ? do_syscall_64+0x9a/0x820 [ 74.171140] ? lockdep_hardirqs_on+0x3bb/0x5b0 [ 74.175704] ? trace_hardirqs_on+0xbd/0x310 [ 74.180014] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 74.185541] ? entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 74.190885] ? trace_hardirqs_off_caller+0x300/0x300 [ 74.195971] __x64_sys_connect+0x73/0xb0 [ 74.200037] do_syscall_64+0x1b9/0x820 [ 74.203933] ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe [ 74.209277] ? syscall_return_slowpath+0x5e0/0x5e0 [ 74.214189] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 74.219026] ? trace_hardirqs_on_caller+0x310/0x310 [ 74.224022] ? prepare_exit_to_usermode+0x3b0/0x3b0 [ 74.229016] ? prepare_exit_to_usermode+0x291/0x3b0 [ 74.234015] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 74.238838] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 74.244004] RIP: 0033:0x457569 [ 74.247177] Code: fd b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00 [ 74.266056] RSP: 002b:00007f4b0981fc78 EFLAGS: 00000246 ORIG_RAX: 000000000000002a [ 74.273747] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000457569 [ 74.280999] RDX: 0000000000000010 RSI: 0000000020000080 RDI: 0000000000000006 [ 74.288303] RBP: 000000000072bf00 R08: 0000000000000000 R09: 0000000000000000 [ 74.295555] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f4b098206d4 [ 74.302803] R13: 00000000004bdb1a R14: 00000000004cc670 R15: 00000000ffffffff [ 74.310060] [ 74.311678] Allocated by task 6184: [ 74.315287] save_stack+0x43/0xd0 [ 74.318717] kasan_kmalloc+0xc7/0xe0 [ 74.322413] __kmalloc_node+0x50/0x70 [ 74.326195] kvmalloc_node+0xb9/0xf0 [ 74.329888] vhost_vsock_dev_open+0xa2/0x5a0 [ 74.334283] misc_open+0x3ca/0x560 [ 74.337803] chrdev_open+0x25a/0x710 [ 74.341498] do_dentry_open+0x499/0x1250 [ 74.345538] vfs_open+0xa0/0xd0 [ 74.348793] path_openat+0x12bc/0x5150 [ 74.352659] do_filp_open+0x255/0x380 [ 74.356439] do_sys_open+0x568/0x700 [ 74.360131] __x64_sys_openat+0x9d/0x100 [ 74.364176] do_syscall_64+0x1b9/0x820 [ 74.368059] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 74.373228] [ 74.374843] Freed by task 6183: [ 74.378115] save_stack+0x43/0xd0 [ 74.381549] __kasan_slab_free+0x102/0x150 [ 74.385763] kasan_slab_free+0xe/0x10 [ 74.389540] kfree+0xcf/0x230 [ 74.392625] kvfree+0x61/0x70 [ 74.395713] vhost_vsock_dev_release+0x4f4/0x720 [ 74.400467] __fput+0x3bc/0xa70 [ 74.403727] ____fput+0x15/0x20 [ 74.406986] task_work_run+0x1e8/0x2a0 [ 74.410866] exit_to_usermode_loop+0x318/0x380 [ 74.415452] do_syscall_64+0x6be/0x820 [ 74.419321] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 74.424482] [ 74.426095] The buggy address belongs to the object at ffff8801b14e1b80 [ 74.426095] which belongs to the cache kmalloc-64k of size 65536 [ 74.438912] The buggy address is located 36112 bytes inside of [ 74.438912] 65536-byte region [ffff8801b14e1b80, ffff8801b14f1b80) [ 74.451111] The buggy address belongs to the page: [ 74.456024] page:ffffea0006c53800 count:1 mapcount:0 mapping:ffff8801da802500 index:0x0 compound_mapcount: 0 [ 74.465973] flags: 0x2fffc0000010200(slab|head) [ 74.470627] raw: 02fffc0000010200 ffffea0006c53008 ffffea0006c54008 ffff8801da802500 [ 74.478491] raw: 0000000000000000 ffff8801b14e1b80 0000000100000001 0000000000000000 [ 74.486348] page dumped because: kasan: bad access detected [ 74.492030] [ 74.493640] Memory state around the buggy address: [ 74.498545] ffff8801b14ea780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 74.505883] ffff8801b14ea800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 74.513220] >ffff8801b14ea880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 74.520553] ^ [ 74.524421] ffff8801b14ea900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 74.531760] ffff8801b14ea980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 74.539101] ================================================================== [ 74.546439] Disabling lock debugging due to kernel taint [ 74.551868] Kernel panic - not syncing: panic_on_warn set ... [ 74.557735] CPU: 0 PID: 6184 Comm: syz-executor0 Tainted: G B 4.19.0-rc8-next-20181019+ #98 [ 74.567515] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 74.576862] Call Trace: [ 74.579435] dump_stack+0x244/0x39d [ 74.583049] ? dump_stack_print_info.cold.1+0x20/0x20 [ 74.588224] panic+0x2ad/0x55c [ 74.591413] ? add_taint.cold.5+0x16/0x16 [ 74.595543] ? add_taint.cold.5+0x5/0x16 [ 74.599583] ? trace_hardirqs_off+0xaf/0x310 [ 74.603975] kasan_end_report+0x47/0x4f [ 74.607932] kasan_report.cold.8+0x76/0x309 [ 74.612250] ? __lock_acquire+0x36d9/0x4c20 [ 74.616556] __asan_report_load8_noabort+0x14/0x20 [ 74.621465] __lock_acquire+0x36d9/0x4c20 [ 74.625593] ? __free_pages+0x149/0x190 [ 74.629546] ? free_unref_page+0x960/0x960 [ 74.633767] ? mark_held_locks+0x130/0x130 [ 74.637983] ? kasan_check_write+0x14/0x20 [ 74.642206] ? finish_task_switch+0x658/0x920 [ 74.646682] ? __switch_to_asm+0x40/0x70 [ 74.650728] ? preempt_notifier_register+0x200/0x200 [ 74.655825] ? __switch_to_asm+0x34/0x70 [ 74.659866] ? __switch_to_asm+0x34/0x70 [ 74.663920] ? __switch_to_asm+0x40/0x70 [ 74.667962] ? __switch_to_asm+0x34/0x70 [ 74.672004] ? __switch_to_asm+0x40/0x70 [ 74.676042] ? __switch_to_asm+0x34/0x70 [ 74.680093] ? __switch_to_asm+0x40/0x70 [ 74.684138] ? __switch_to_asm+0x34/0x70 [ 74.688196] ? __switch_to_asm+0x34/0x70 [ 74.692243] ? __switch_to_asm+0x40/0x70 [ 74.696286] ? __switch_to_asm+0x34/0x70 [ 74.700325] ? __switch_to_asm+0x40/0x70 [ 74.704396] ? __switch_to_asm+0x34/0x70 [ 74.708452] ? __switch_to_asm+0x40/0x70 [ 74.712499] ? __schedule+0x8d7/0x21d0 [ 74.716368] ? __bpf_trace_preemptirq_template+0x30/0x30 [ 74.721799] ? __sched_text_start+0x8/0x8 [ 74.725928] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 74.730677] ? find_held_lock+0x36/0x1c0 [ 74.734719] ? mark_held_locks+0xc7/0x130 [ 74.738846] lock_acquire+0x1ed/0x520 [ 74.742632] ? vhost_transport_cancel_pkt+0x15e/0x910 [ 74.747802] ? lock_release+0xa10/0xa10 [ 74.751756] ? preempt_schedule+0x4d/0x60 [ 74.755885] ? ___preempt_schedule+0x16/0x18 [ 74.760277] ? __local_bh_enable_ip+0x1a3/0x260 [ 74.764926] ? vhost_vsock_dev_release+0x720/0x720 [ 74.769852] _raw_spin_lock_bh+0x31/0x40 [ 74.773894] ? vhost_transport_cancel_pkt+0x15e/0x910 [ 74.779064] vhost_transport_cancel_pkt+0x15e/0x910 [ 74.784067] ? vhost_vsock_dev_release+0x720/0x720 [ 74.788982] ? trace_hardirqs_on+0xbd/0x310 [ 74.793286] ? lock_release+0xa10/0xa10 [ 74.797262] ? lock_sock_nested+0xe2/0x120 [ 74.801481] ? trace_hardirqs_off_caller+0x300/0x300 [ 74.806569] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 74.812097] ? check_preemption_disabled+0x48/0x280 [ 74.817110] ? lock_sock_nested+0x9a/0x120 [ 74.821325] ? lock_sock_nested+0x9a/0x120 [ 74.825542] ? __local_bh_enable_ip+0x160/0x260 [ 74.830195] ? vhost_vsock_dev_release+0x720/0x720 [ 74.835112] vsock_stream_connect+0x903/0xe40 [ 74.839587] ? vsock_dgram_connect+0x500/0x500 [ 74.844176] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 74.849707] ? aa_label_sk_perm+0x91/0x100 [ 74.853924] ? finish_wait+0x430/0x430 [ 74.857793] ? aa_af_perm+0x5a0/0x5a0 [ 74.861577] ? apparmor_socket_connect+0xb6/0x160 [ 74.866398] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 74.871921] ? security_socket_connect+0x94/0xc0 [ 74.876660] __sys_connect+0x37d/0x4c0 [ 74.880529] ? __ia32_sys_accept+0xb0/0xb0 [ 74.884749] ? kasan_check_read+0x11/0x20 [ 74.888877] ? _copy_to_user+0xc8/0x110 [ 74.892855] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 74.898376] ? put_timespec64+0x10f/0x1b0 [ 74.902505] ? do_syscall_64+0x9a/0x820 [ 74.906463] ? do_syscall_64+0x9a/0x820 [ 74.910421] ? lockdep_hardirqs_on+0x3bb/0x5b0 [ 74.914994] ? trace_hardirqs_on+0xbd/0x310 [ 74.919293] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 74.924814] ? entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 74.930165] ? trace_hardirqs_off_caller+0x300/0x300 [ 74.935250] __x64_sys_connect+0x73/0xb0 [ 74.939293] do_syscall_64+0x1b9/0x820 [ 74.943160] ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe [ 74.948522] ? syscall_return_slowpath+0x5e0/0x5e0 [ 74.953435] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 74.958257] ? trace_hardirqs_on_caller+0x310/0x310 [ 74.963267] ? prepare_exit_to_usermode+0x3b0/0x3b0 [ 74.968265] ? prepare_exit_to_usermode+0x291/0x3b0 [ 74.973264] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 74.978097] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 74.983270] RIP: 0033:0x457569 [ 74.986444] Code: fd b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00 [ 75.005329] RSP: 002b:00007f4b0981fc78 EFLAGS: 00000246 ORIG_RAX: 000000000000002a [ 75.013014] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000457569 [ 75.020266] RDX: 0000000000000010 RSI: 0000000020000080 RDI: 0000000000000006 [ 75.027516] RBP: 000000000072bf00 R08: 0000000000000000 R09: 0000000000000000 [ 75.034765] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f4b098206d4 [ 75.042039] R13: 00000000004bdb1a R14: 00000000004cc670 R15: 00000000ffffffff [ 75.050236] Kernel Offset: disabled [ 75.053859] Rebooting in 86400 seconds..