[   23.721255] audit: type=1800 audit(1545590218.722:21): pid=5776 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="bootlogs" dev="sda1" ino=2419 res=0
[   23.763019] audit: type=1800 audit(1545590218.722:22): pid=5776 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="motd" dev="sda1" ino=2447 res=0
[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
[   24.630777] sshd (5843) used greatest stack depth: 15000 bytes left
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.64' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [   53.233265] L1TF CPU bug present and SMT on, data leak possible. See CVE-2018-3646 and https://www.kernel.org/doc/html/latest/admin-guide/l1tf.html for details.
[   53.251189] ==================================================================
[   53.258715] BUG: KASAN: slab-out-of-bounds in fpstate_init+0x50/0x160
[   53.265270] Write of size 832 at addr ffff8881c33ffbc0 by task syz-executor257/5933
[   53.273036]
[   53.274649] CPU: 0 PID: 5933 Comm: syz-executor257 Not tainted 4.20.0-rc6-next-20181217+ #172
[   53.283280] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   53.292614] Call Trace:
[   53.295201]  dump_stack+0x244/0x39d
[   53.298898]  ? dump_stack_print_info.cold.1+0x20/0x20
[   53.304073]  ? printk+0xa7/0xcf
[   53.307334]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[   53.312084]  print_address_description.cold.4+0x9/0x1ff
[   53.317568]  ? fpstate_init+0x50/0x160
[   53.321444]  kasan_report.cold.5+0x1b/0x39
[   53.325662]  ? fpstate_init+0x50/0x160
[   53.329547]  ? fpstate_init+0x50/0x160
[   53.333428]  check_memory_region+0x13e/0x1b0
[   53.337827]  memset+0x23/0x40
[   53.340914]  fpstate_init+0x50/0x160
[   53.344702]  kvm_arch_vcpu_init+0x3e9/0x870
[   53.349009]  kvm_vcpu_init+0x2fa/0x420
[   53.352886]  ? vcpu_stat_get+0x300/0x300
[   53.356934]  ? kmem_cache_alloc+0x33f/0x730
[   53.361246]  vmx_create_vcpu+0x1b7/0x2695
[   53.365385]  ? lock_downgrade+0x900/0x900
[   53.369521]  ? vmx_exec_control+0x210/0x210
[   53.373826]  ? trace_hardirqs_on+0x310/0x310
[   53.378217]  ? kasan_check_write+0x14/0x20
[   53.382431]  ? __mutex_unlock_slowpath+0x197/0x8c0
[   53.387342]  ? wait_for_completion+0x8a0/0x8a0
[   53.391909]  kvm_arch_vcpu_create+0xe5/0x220
[   53.396298]  ? kvm_arch_vcpu_free+0x90/0x90
[   53.400599]  ? kasan_check_read+0x11/0x20
[   53.404738]  kvm_vm_ioctl+0x526/0x2030
[   53.408610]  ? kvm_unregister_device_ops+0x70/0x70
[   53.413524]  ? get_unused_fd_flags+0x1a0/0x1a0
[   53.418083]  ? kfree+0x11e/0x230
[   53.421425]  ? kfree+0x11e/0x230
[   53.424779]  ? lockdep_hardirqs_on+0x3bb/0x5b0
[   53.429342]  ? trace_hardirqs_on+0xbd/0x310
[   53.433644]  ? kvm_uevent_notify_change.part.32+0x300/0x450
[   53.439349]  ? trace_hardirqs_off_caller+0x310/0x310
[   53.444438]  ? __kasan_slab_free+0x119/0x150
[   53.448830]  ? kvm_uevent_notify_change.part.32+0x300/0x450
[   53.454527]  ? fd_install+0x4d/0x60
[   53.458134]  ? kvm_dev_ioctl+0x18a/0x1ae0
[   53.462257]  ? is_bpf_text_address+0xac/0x170
[   53.466744]  ? kvm_debugfs_release+0x90/0x90
[   53.471130]  ? kasan_check_read+0x11/0x20
[   53.475261]  ? rcu_dynticks_curr_cpu_in_eqs+0xa2/0x170
[   53.480517]  ? rcu_read_unlock_special+0x370/0x370
[   53.485424]  ? rcu_softirq_qs+0x20/0x20
[   53.489386]  ? unwind_dump+0x190/0x190
[   53.493256]  ? is_bpf_text_address+0xd3/0x170
[   53.497750]  ? kernel_text_address+0x79/0xf0
[   53.502143]  ? __kernel_text_address+0xd/0x40
[   53.506626]  ? unwind_get_return_address+0x61/0xa0
[   53.511554]  ? __save_stack_trace+0x8d/0xf0
[   53.515865]  ? save_stack+0xa9/0xd0
[   53.519470]  ? save_stack+0x43/0xd0
[   53.523085]  ? __kasan_slab_free+0x102/0x150
[   53.527478]  ? kasan_slab_free+0xe/0x10
[   53.531435]  ? putname+0xf2/0x130
[   53.534869]  ? do_sys_open+0x54d/0x780
[   53.538801]  ? __x64_sys_openat+0x9d/0x100
[   53.543022]  ? do_syscall_64+0x1b9/0x820
[   53.547062]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   53.552409]  ? trace_hardirqs_off+0xb8/0x310
[   53.556800]  ? kasan_check_read+0x11/0x20
[   53.560927]  ? do_raw_spin_unlock+0xa7/0x330
[   53.565314]  ? trace_hardirqs_on+0x310/0x310
[   53.569729]  ? trace_hardirqs_off+0xb8/0x310
[   53.574122]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   53.579644]  ? kvm_unregister_device_ops+0x70/0x70
[   53.584557]  do_vfs_ioctl+0x1de/0x1790
[   53.588436]  ? rcu_lockdep_current_cpu_online+0x1a4/0x210
[   53.593956]  ? ioctl_preallocate+0x300/0x300
[   53.598346]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   53.603863]  ? __fget_light+0x2e9/0x430
[   53.607815]  ? fget_raw+0x20/0x20
[   53.611255]  ? putname+0xf2/0x130
[   53.614693]  ? rcu_read_lock_sched_held+0x14f/0x180
[   53.619692]  ? kmem_cache_free+0x24f/0x290
[   53.623903]  ? putname+0xf7/0x130
[   53.627336]  ? do_syscall_64+0x9a/0x820
[   53.631301]  ? do_syscall_64+0x9a/0x820
[   53.635266]  ? lockdep_hardirqs_on+0x3bb/0x5b0
[   53.639847]  ? security_file_ioctl+0x94/0xc0
[   53.644239]  ksys_ioctl+0xa9/0xd0
[   53.647688]  __x64_sys_ioctl+0x73/0xb0
[   53.651558]  do_syscall_64+0x1b9/0x820
[   53.655426]  ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[   53.660833]  ? syscall_return_slowpath+0x5e0/0x5e0
[   53.665744]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   53.670565]  ? trace_hardirqs_on_caller+0x310/0x310
[   53.675559]  ? prepare_exit_to_usermode+0x3b0/0x3b0
[   53.680551]  ? prepare_exit_to_usermode+0x291/0x3b0
[   53.685549]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   53.690496]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   53.695672] RIP: 0033:0x440039
[   53.698850] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 fb 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[   53.717878] RSP: 002b:00007ffe8fba9398 EFLAGS: 00000217 ORIG_RAX: 0000000000000010
[   53.725572] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440039
[   53.732989] RDX: 0000000000000000 RSI: 000000000000ae41 RDI: 0000000000000004
[   53.740244] RBP: 00000000006ca018 R08: 00000000004002c8 R09: 00000000004002c8
[   53.747495] R10: 0000000000000000 R11: 0000000000000217 R12: 00000000004018c0
[   53.754746] R13: 0000000000401950 R14: 0000000000000000 R15: 0000000000000000
[   53.762003]
[   53.763611] Allocated by task 5933:
[   53.767223]  save_stack+0x43/0xd0
[   53.770749]  kasan_kmalloc+0xcb/0xd0
[   53.774450]  kasan_slab_alloc+0x12/0x20
[   53.778535]  kmem_cache_alloc+0x130/0x730
[   53.782668]  vmx_create_vcpu+0x110/0x2695
[   53.786797]  kvm_arch_vcpu_create+0xe5/0x220
[   53.791184]  kvm_vm_ioctl+0x526/0x2030
[   53.795049]  do_vfs_ioctl+0x1de/0x1790
[   53.798911]  ksys_ioctl+0xa9/0xd0
[   53.802338]  __x64_sys_ioctl+0x73/0xb0
[   53.806202]  do_syscall_64+0x1b9/0x820
[   53.810066]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   53.815513]
[   53.817129] Freed by task 0:
[   53.820121] (stack is not available)
[   53.823805]
[   53.825413] The buggy address belongs to the object at ffff8881c33ffb80
[   53.825413]  which belongs to the cache x86_fpu of size 832
[   53.837827] The buggy address is located 64 bytes inside of
[   53.837827]  832-byte region [ffff8881c33ffb80, ffff8881c33ffec0)
[   53.849596] The buggy address belongs to the page:
[   53.854506] page:ffffea00070cffc0 count:1 mapcount:0 mapping:ffff8881d52601c0 index:0x0
[   53.862632] flags: 0x2fffc0000000200(slab)
[   53.866850] raw: 02fffc0000000200 ffff8881d487b148 ffff8881d487b148 ffff8881d52601c0
[   53.874720] raw: 0000000000000000 ffff8881c33ff040 0000000100000004 0000000000000000
[   53.882579] page dumped because: kasan: bad access detected
[   53.888263]
[   53.889872] Memory state around the buggy address:
[   53.894831]  ffff8881c33ffd80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   53.902196]  ffff8881c33ffe00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   53.909632] >ffff8881c33ffe80: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
[   53.917009]                                            ^
[   53.922446]  ffff8881c33fff00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   53.929797]  ffff8881c33fff80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   53.937146] ==================================================================
[   53.944484] Disabling lock debugging due to kernel taint
[   53.950452] Kernel panic - not syncing: panic_on_warn set ...
[   53.956324] CPU: 0 PID: 5933 Comm: syz-executor257 Tainted: G    B             4.20.0-rc6-next-20181217+ #172
[   53.966483] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   53.975815] Call Trace:
[   53.978384]  dump_stack+0x244/0x39d
[   53.981989]  ? dump_stack_print_info.cold.1+0x20/0x20
[   53.987176]  ? fpstate_init+0x30/0x160
[   53.991041]  panic+0x2ad/0x632
[   53.994242]  ? add_taint.cold.5+0x16/0x16
[   53.998394]  ? preempt_schedule+0x4d/0x60
[   54.002535]  ? ___preempt_schedule+0x16/0x18
[   54.006922]  ? trace_hardirqs_on+0xb4/0x310
[   54.011382]  ? fpstate_init+0x50/0x160
[   54.015249]  end_report+0x47/0x4f
[   54.018678]  kasan_report.cold.5+0xe/0x39
[   54.022926]  ? fpstate_init+0x50/0x160
[   54.026797]  ? fpstate_init+0x50/0x160
[   54.030788]  check_memory_region+0x13e/0x1b0
[   54.035173]  memset+0x23/0x40
[   54.038388]  fpstate_init+0x50/0x160
[   54.042090]  kvm_arch_vcpu_init+0x3e9/0x870
[   54.046470]  kvm_vcpu_init+0x2fa/0x420
[   54.050356]  ? vcpu_stat_get+0x300/0x300
[   54.054397]  ? kmem_cache_alloc+0x33f/0x730
[   54.058723]  vmx_create_vcpu+0x1b7/0x2695
[   54.062847]  ? lock_downgrade+0x900/0x900
[   54.066984]  ? vmx_exec_control+0x210/0x210
[   54.071294]  ? trace_hardirqs_on+0x310/0x310
[   54.075686]  ? kasan_check_write+0x14/0x20
[   54.079900]  ? __mutex_unlock_slowpath+0x197/0x8c0
[   54.084824]  ? wait_for_completion+0x8a0/0x8a0
[   54.089395]  kvm_arch_vcpu_create+0xe5/0x220
[   54.093850]  ? kvm_arch_vcpu_free+0x90/0x90
[   54.098201]  ? kasan_check_read+0x11/0x20
[   54.102336]  kvm_vm_ioctl+0x526/0x2030
[   54.106204]  ? kvm_unregister_device_ops+0x70/0x70
[   54.111112]  ? get_unused_fd_flags+0x1a0/0x1a0
[   54.115667]  ? kfree+0x11e/0x230
[   54.119014]  ? kfree+0x11e/0x230
[   54.122366]  ? lockdep_hardirqs_on+0x3bb/0x5b0
[   54.126938]  ? trace_hardirqs_on+0xbd/0x310
[   54.131302]  ? kvm_uevent_notify_change.part.32+0x300/0x450
[   54.137009]  ? trace_hardirqs_off_caller+0x310/0x310
[   54.142089]  ? __kasan_slab_free+0x119/0x150
[   54.146490]  ? kvm_uevent_notify_change.part.32+0x300/0x450
[   54.152177]  ? fd_install+0x4d/0x60
[   54.155797]  ? kvm_dev_ioctl+0x18a/0x1ae0
[   54.160068]  ? is_bpf_text_address+0xac/0x170
[   54.164550]  ? kvm_debugfs_release+0x90/0x90
[   54.168946]  ? kasan_check_read+0x11/0x20
[   54.173078]  ? rcu_dynticks_curr_cpu_in_eqs+0xa2/0x170
[   54.178347]  ? rcu_read_unlock_special+0x370/0x370
[   54.183265]  ? rcu_softirq_qs+0x20/0x20
[   54.187263]  ? unwind_dump+0x190/0x190
[   54.191301]  ? is_bpf_text_address+0xd3/0x170
[   54.195786]  ? kernel_text_address+0x79/0xf0
[   54.200316]  ? __kernel_text_address+0xd/0x40
[   54.204920]  ? unwind_get_return_address+0x61/0xa0
[   54.209828]  ? __save_stack_trace+0x8d/0xf0
[   54.214136]  ? save_stack+0xa9/0xd0
[   54.217748]  ? save_stack+0x43/0xd0
[   54.221528]  ? __kasan_slab_free+0x102/0x150
[   54.225990]  ? kasan_slab_free+0xe/0x10
[   54.230077]  ? putname+0xf2/0x130
[   54.233511]  ? do_sys_open+0x54d/0x780
[   54.237469]  ? __x64_sys_openat+0x9d/0x100
[   54.241690]  ? do_syscall_64+0x1b9/0x820
[   54.245732]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   54.251077]  ? trace_hardirqs_off+0xb8/0x310
[   54.255484]  ? kasan_check_read+0x11/0x20
[   54.259610]  ? do_raw_spin_unlock+0xa7/0x330
[   54.263996]  ? trace_hardirqs_on+0x310/0x310
[   54.268384]  ? trace_hardirqs_off+0xb8/0x310
[   54.272774]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   54.278287]  ? kvm_unregister_device_ops+0x70/0x70
[   54.283195]  do_vfs_ioctl+0x1de/0x1790
[   54.287063]  ? rcu_lockdep_current_cpu_online+0x1a4/0x210
[   54.292585]  ? ioctl_preallocate+0x300/0x300
[   54.296979]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   54.302494]  ? __fget_light+0x2e9/0x430
[   54.306570]  ? fget_raw+0x20/0x20
[   54.310002]  ? putname+0xf2/0x130
[   54.313437]  ? rcu_read_lock_sched_held+0x14f/0x180
[   54.318429]  ? kmem_cache_free+0x24f/0x290
[   54.322638]  ? putname+0xf7/0x130
[   54.326066]  ? do_syscall_64+0x9a/0x820
[   54.330066]  ? do_syscall_64+0x9a/0x820
[   54.334026]  ? lockdep_hardirqs_on+0x3bb/0x5b0
[   54.338891]  ? security_file_ioctl+0x94/0xc0
[   54.343528]  ksys_ioctl+0xa9/0xd0
[   54.346964]  __x64_sys_ioctl+0x73/0xb0
[   54.350834]  do_syscall_64+0x1b9/0x820
[   54.354710]  ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[   54.360058]  ? syscall_return_slowpath+0x5e0/0x5e0
[   54.365027]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   54.369860]  ? trace_hardirqs_on_caller+0x310/0x310
[   54.374862]  ? prepare_exit_to_usermode+0x3b0/0x3b0
[   54.379881]  ? prepare_exit_to_usermode+0x291/0x3b0
[   54.384875]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   54.389825]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   54.395188] RIP: 0033:0x440039
[   54.398364] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 fb 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[   54.417578] RSP: 002b:00007ffe8fba9398 EFLAGS: 00000217 ORIG_RAX: 0000000000000010
[   54.425410] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440039
[   54.432712] RDX: 0000000000000000 RSI: 000000000000ae41 RDI: 0000000000000004
[   54.439970] RBP: 00000000006ca018 R08: 00000000004002c8 R09: 00000000004002c8
[   54.447354] R10: 0000000000000000 R11: 0000000000000217 R12: 00000000004018c0
[   54.454620] R13: 0000000000401950 R14: 0000000000000000 R15: 0000000000000000
[   54.462949] Kernel Offset: disabled
[   54.466570] Rebooting in 86400 seconds..