Warning: Permanently added '10.128.0.52' (ECDSA) to the list of known hosts.
2018/10/21 10:30:05 parsed 1 programs
syzkaller login: [ 55.507990] ld (5371) used greatest stack depth: 15528 bytes left
2018/10/21 10:30:06 executed programs: 0
[ 55.665672] IPVS: ftp: loaded support on port[0] = 21
[ 55.916869] bridge0: port 1(bridge_slave_0) entered blocking state
[ 55.923556] bridge0: port 1(bridge_slave_0) entered disabled state
[ 55.931170] device bridge_slave_0 entered promiscuous mode
[ 55.949956] bridge0: port 2(bridge_slave_1) entered blocking state
[ 55.956620] bridge0: port 2(bridge_slave_1) entered disabled state
[ 55.964184] device bridge_slave_1 entered promiscuous mode
[ 55.983666] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[ 56.003206] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[ 56.052859] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 56.074082] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 56.153914] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 56.161540] team0: Port device team_slave_0 added
[ 56.178583] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 56.185823] team0: Port device team_slave_1 added
[ 56.202811] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 56.222992] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 56.243550] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 56.263780] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[ 56.407447] bridge0: port 2(bridge_slave_1) entered blocking state
[ 56.414094] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 56.420912] bridge0: port 1(bridge_slave_0) entered blocking state
[ 56.427332] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 56.934732] 8021q: adding VLAN 0 to HW filter on device bond0
[ 56.985951] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 57.037102] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
[ 57.043350] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 57.050451] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 57.101964] 8021q: adding VLAN 0 to HW filter on device team0
2018/10/21 10:30:11 executed programs: 26
2018/10/21 10:30:16 executed programs: 66
2018/10/21 10:30:21 executed programs: 107
[ 72.068050] ==================================================================
[ 72.075559] BUG: KASAN: use-after-free in __lock_acquire+0x37c2/0x4ec0
[ 72.082216] Read of size 8 at addr ffff8801b05ac910 by task syz-executor0/6345
[ 72.089563]
[ 72.091189] CPU: 0 PID: 6345 Comm: syz-executor0 Not tainted 4.19.0-rc8+ #71
[ 72.098351] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 72.107777] Call Trace:
[ 72.110365]  dump_stack+0x1c4/0x2b6
[ 72.113976]  ? dump_stack_print_info.cold.1+0x20/0x20
[ 72.119156]  ? printk+0xa7/0xcf
[ 72.122421]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[ 72.127160]  print_address_description.cold.8+0x9/0x1ff
[ 72.132504]  kasan_report.cold.9+0x242/0x309
[ 72.136892]  ? __lock_acquire+0x37c2/0x4ec0
[ 72.141215]  __asan_report_load8_noabort+0x14/0x20
[ 72.146133]  __lock_acquire+0x37c2/0x4ec0
[ 72.150262]  ? free_unref_page+0x960/0x960
[ 72.154487]  ? mark_held_locks+0x130/0x130
[ 72.158894]  ? preempt_notifier_register+0x200/0x200
[ 72.163984]  ? __switch_to_asm+0x34/0x70
[ 72.168247]  ? __switch_to_asm+0x34/0x70
[ 72.172293]  ? __switch_to_asm+0x40/0x70
[ 72.176565]  ? __switch_to_asm+0x34/0x70
[ 72.180615]  ? __switch_to_asm+0x40/0x70
[ 72.184658]  ? __switch_to_asm+0x34/0x70
[ 72.188696]  ? __switch_to_asm+0x40/0x70
[ 72.192736]  ? __switch_to_asm+0x34/0x70
[ 72.196935]  ? print_usage_bug+0xc0/0xc0
[ 72.200981]  ? __switch_to_asm+0x40/0x70
[ 72.205028]  ? __switch_to_asm+0x34/0x70
[ 72.209073]  ? __switch_to_asm+0x40/0x70
[ 72.213135]  ? __schedule+0x874/0x1ed0
[ 72.217010]  ? graph_lock+0x170/0x170
[ 72.220801]  ? lock_downgrade+0x900/0x900
[ 72.224976]  ? __sched_text_start+0x8/0x8
[ 72.229113]  ? mark_held_locks+0xc7/0x130
[ 72.233597]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 72.238440]  ? lockdep_hardirqs_on+0x421/0x5c0
[ 72.243012]  ? retint_kernel+0x2d/0x2d
[ 72.246888]  ? trace_hardirqs_on_caller+0xc0/0x310
[ 72.251803]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 72.256623]  ? trace_hardirqs_off+0x310/0x310
[ 72.261110]  ? retint_kernel+0x1b/0x2d
[ 72.265088]  ? trace_hardirqs_on+0x310/0x310
[ 72.269595]  lock_acquire+0x1ed/0x520
[ 72.273379]  ? vhost_transport_cancel_pkt+0x15e/0x910
[ 72.278556]  ? retint_kernel+0x2d/0x2d
[ 72.282428]  ? lock_release+0x970/0x970
[ 72.286386]  ? vhost_vsock_dev_release+0x720/0x720
[ 72.291516]  _raw_spin_lock_bh+0x31/0x40
[ 72.295562]  ? vhost_transport_cancel_pkt+0x15e/0x910
[ 72.300733]  vhost_transport_cancel_pkt+0x15e/0x910
[ 72.305740]  ? vhost_vsock_dev_release+0x720/0x720
[ 72.310668]  ? trace_hardirqs_on+0xbd/0x310
[ 72.314977]  ? lock_release+0x970/0x970
[ 72.318934]  ? lock_sock_nested+0xe2/0x120
[ 72.323153]  ? __bpf_trace_preemptirq_template+0x30/0x30
[ 72.328586]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 72.334122]  ? check_preemption_disabled+0x48/0x280
[ 72.339131]  ? lock_sock_nested+0x9a/0x120
[ 72.343442]  ? lock_sock_nested+0x9a/0x120
[ 72.347678]  ? __local_bh_enable_ip+0x160/0x260
[ 72.352436]  ? vhost_vsock_dev_release+0x720/0x720
[ 72.357352]  vsock_stream_connect+0x903/0xe40
[ 72.361837]  ? vsock_dgram_connect+0x500/0x500
[ 72.366867]  ? lock_downgrade+0x900/0x900
[ 72.371012]  ? lock_release+0x970/0x970
[ 72.374973]  ? arch_local_save_flags+0x40/0x40
[ 72.379539]  ? finish_wait+0x430/0x430
[ 72.383413]  ? __sanitizer_cov_trace_switch+0x53/0x90
[ 72.388595]  ? smack_socket_connect+0x13f/0x1c0
[ 72.394237]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 72.399985]  ? security_socket_connect+0x94/0xc0
[ 72.406297]  __sys_connect+0x37d/0x4c0
[ 72.410181]  ? __ia32_sys_accept+0xb0/0xb0
[ 72.414507]  ? kasan_check_read+0x11/0x20
[ 72.418646]  ? _copy_to_user+0xc8/0x110
[ 72.422619]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 72.428148]  ? put_timespec64+0x10f/0x1b0
[ 72.432289]  ? do_syscall_64+0x9a/0x820
[ 72.436253]  ? do_syscall_64+0x9a/0x820
[ 72.441148]  ? lockdep_hardirqs_on+0x421/0x5c0
[ 72.445720]  ? trace_hardirqs_on+0xbd/0x310
[ 72.450032]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 72.455553]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 72.460901]  ? __bpf_trace_preemptirq_template+0x30/0x30
[ 72.466463]  __x64_sys_connect+0x73/0xb0
[ 72.470511]  do_syscall_64+0x1b9/0x820
[ 72.474379]  ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[ 72.479730]  ? syscall_return_slowpath+0x5e0/0x5e0
[ 72.484653]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 72.489483]  ? trace_hardirqs_on_caller+0x310/0x310
[ 72.494627]  ? prepare_exit_to_usermode+0x3b0/0x3b0
[ 72.500071]  ? prepare_exit_to_usermode+0x291/0x3b0
[ 72.505162]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 72.510054]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 72.515242] RIP: 0033:0x457569
[ 72.518425] Code: fd b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 72.537336] RSP: 002b:00007fedaf41fc78 EFLAGS: 00000246 ORIG_RAX: 000000000000002a
[ 72.545035] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000457569
[ 72.552290] RDX: 0000000000000010 RSI: 0000000020000080 RDI: 0000000000000006
[ 72.559541] RBP: 000000000072bf00 R08: 0000000000000000 R09: 0000000000000000
[ 72.566789] R10: 0000000000000000 R11: 0000000000000246 R12: 00007fedaf4206d4
[ 72.574045] R13: 00000000004bdb1a R14: 00000000004cc670 R15: 00000000ffffffff
[ 72.581306]
[ 72.582916] Allocated by task 6345:
[ 72.586527]  save_stack+0x43/0xd0
[ 72.589958]  kasan_kmalloc+0xc7/0xe0
[ 72.593652]  __kmalloc_node+0x47/0x70
[ 72.597530]  kvmalloc_node+0xb9/0xf0
[ 72.601242]  vhost_vsock_dev_open+0xa2/0x5a0
[ 72.605650]  misc_open+0x3ca/0x560
[ 72.609171]  chrdev_open+0x25a/0x710
[ 72.612872]  do_dentry_open+0x499/0x1250
[ 72.616917]  vfs_open+0xa0/0xd0
[ 72.621916]  path_openat+0x12bf/0x5160
[ 72.625801]  do_filp_open+0x255/0x380
[ 72.629595]  do_sys_open+0x568/0x700
[ 72.633293]  __x64_sys_openat+0x9d/0x100
[ 72.637343]  do_syscall_64+0x1b9/0x820
[ 72.642336]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 72.648767]
[ 72.650384] Freed by task 6343:
[ 72.653644]  save_stack+0x43/0xd0
[ 72.657077]  __kasan_slab_free+0x102/0x150
[ 72.661289]  kasan_slab_free+0xe/0x10
[ 72.665078]  kfree+0xcf/0x230
[ 72.668166]  kvfree+0x61/0x70
[ 72.671266]  vhost_vsock_dev_release+0x4f4/0x720
[ 72.676109]  __fput+0x385/0xa30
[ 72.679368]  ____fput+0x15/0x20
[ 72.682633]  task_work_run+0x1e8/0x2a0
[ 72.686506]  exit_to_usermode_loop+0x318/0x380
[ 72.691070]  do_syscall_64+0x6be/0x820
[ 72.695018]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 72.700193]
[ 72.701805] The buggy address belongs to the object at ffff8801b05a3c00
[ 72.701805]  which belongs to the cache kmalloc-65536 of size 65536
[ 72.714802] The buggy address is located 36112 bytes inside of
[ 72.714802]  65536-byte region [ffff8801b05a3c00, ffff8801b05b3c00)
[ 72.727016] The buggy address belongs to the page:
[ 72.731935] page:ffffea0006c16800 count:1 mapcount:0 mapping:ffff8801da802500 index:0x0 compound_mapcount: 0
[ 72.741896] flags: 0x2fffc0000008100(slab|head)
[ 72.746553] raw: 02fffc0000008100 ffffea0006c16008 ffffea0006c17008 ffff8801da802500
[ 72.754425] raw: 0000000000000000 ffff8801b05a3c00 0000000100000001 0000000000000000
[ 72.762288] page dumped because: kasan: bad access detected
[ 72.767983]
[ 72.769590] Memory state around the buggy address:
[ 72.774507]  ffff8801b05ac800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 72.781849]  ffff8801b05ac880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 72.789193] >ffff8801b05ac900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 72.796537]                          ^
[ 72.800408]  ffff8801b05ac980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 72.807854]  ffff8801b05aca00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 72.815862] ==================================================================
[ 72.823209] Disabling lock debugging due to kernel taint
[ 72.828646] Kernel panic - not syncing: panic_on_warn set ...
[ 72.828646]
[ 72.836005] CPU: 0 PID: 6345 Comm: syz-executor0 Tainted: G B 4.19.0-rc8+ #71
[ 72.844669] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 72.854016] Call Trace:
[ 72.856751]  dump_stack+0x1c4/0x2b6
[ 72.860364]  ? dump_stack_print_info.cold.1+0x20/0x20
[ 72.865540]  ? lock_downgrade+0x900/0x900
[ 72.869778]  panic+0x238/0x4e7
[ 72.872953]  ? add_taint.cold.5+0x16/0x16
[ 72.877158]  ? add_taint.cold.5+0x5/0x16
[ 72.881223]  ? trace_hardirqs_off+0xaf/0x310
[ 72.885668]  kasan_end_report+0x47/0x4f
[ 72.889635]  kasan_report.cold.9+0x76/0x309
[ 72.894026]  ? __lock_acquire+0x37c2/0x4ec0
[ 72.898343]  __asan_report_load8_noabort+0x14/0x20
[ 72.903259]  __lock_acquire+0x37c2/0x4ec0
[ 72.907405]  ? free_unref_page+0x960/0x960
[ 72.912597]  ? mark_held_locks+0x130/0x130
[ 72.916825]  ? preempt_notifier_register+0x200/0x200
[ 72.921919]  ? __switch_to_asm+0x34/0x70
[ 72.925970]  ? __switch_to_asm+0x34/0x70
[ 72.930015]  ? __switch_to_asm+0x40/0x70
[ 72.934055]  ? __switch_to_asm+0x34/0x70
[ 72.938110]  ? __switch_to_asm+0x40/0x70
[ 72.942157]  ? __switch_to_asm+0x34/0x70
[ 72.946205]  ? __switch_to_asm+0x40/0x70
[ 72.950251]  ? __switch_to_asm+0x34/0x70
[ 72.954302]  ? print_usage_bug+0xc0/0xc0
[ 72.958399]  ? __switch_to_asm+0x40/0x70
[ 72.962494]  ? __switch_to_asm+0x34/0x70
[ 72.966541]  ? __switch_to_asm+0x40/0x70
[ 72.970588]  ? __schedule+0x874/0x1ed0
[ 72.974462]  ? graph_lock+0x170/0x170
[ 72.978249]  ? lock_downgrade+0x900/0x900
[ 72.982381]  ? __sched_text_start+0x8/0x8
[ 72.986509]  ? mark_held_locks+0xc7/0x130
[ 72.990641]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 72.995499]  ? lockdep_hardirqs_on+0x421/0x5c0
[ 73.000065]  ? retint_kernel+0x2d/0x2d
[ 73.004052]  ? trace_hardirqs_on_caller+0xc0/0x310
[ 73.009015]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 73.013769]  ? trace_hardirqs_off+0x310/0x310
[ 73.018537]  ? retint_kernel+0x1b/0x2d
[ 73.023777]  ? trace_hardirqs_on+0x310/0x310
[ 73.028179]  lock_acquire+0x1ed/0x520
[ 73.031972]  ? vhost_transport_cancel_pkt+0x15e/0x910
[ 73.037148]  ? retint_kernel+0x2d/0x2d
[ 73.041021]  ? lock_release+0x970/0x970
[ 73.044982]  ? vhost_vsock_dev_release+0x720/0x720
[ 73.050021]  _raw_spin_lock_bh+0x31/0x40
[ 73.054068]  ? vhost_transport_cancel_pkt+0x15e/0x910
[ 73.059241]  vhost_transport_cancel_pkt+0x15e/0x910
[ 73.064241]  ? vhost_vsock_dev_release+0x720/0x720
[ 73.069162]  ? trace_hardirqs_on+0xbd/0x310
[ 73.073469]  ? lock_release+0x970/0x970
[ 73.077432]  ? lock_sock_nested+0xe2/0x120
[ 73.081650]  ? __bpf_trace_preemptirq_template+0x30/0x30
[ 73.087085]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 73.092616]  ? check_preemption_disabled+0x48/0x280
[ 73.097619]  ? lock_sock_nested+0x9a/0x120
[ 73.101833]  ? lock_sock_nested+0x9a/0x120
[ 73.106057]  ? __local_bh_enable_ip+0x160/0x260
[ 73.110710]  ? vhost_vsock_dev_release+0x720/0x720
[ 73.115630]  vsock_stream_connect+0x903/0xe40
[ 73.120111]  ? vsock_dgram_connect+0x500/0x500
[ 73.124677]  ? lock_downgrade+0x900/0x900
[ 73.128805]  ? lock_release+0x970/0x970
[ 73.132767]  ? arch_local_save_flags+0x40/0x40
[ 73.137343]  ? finish_wait+0x430/0x430
[ 73.141218]  ? __sanitizer_cov_trace_switch+0x53/0x90
[ 73.146395]  ? smack_socket_connect+0x13f/0x1c0
[ 73.151095]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 73.156623]  ? security_socket_connect+0x94/0xc0
[ 73.161364]  __sys_connect+0x37d/0x4c0
[ 73.165234]  ? __ia32_sys_accept+0xb0/0xb0
[ 73.169455]  ? kasan_check_read+0x11/0x20
[ 73.173690]  ? _copy_to_user+0xc8/0x110
[ 73.177651]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 73.183170]  ? put_timespec64+0x10f/0x1b0
[ 73.187310]  ? do_syscall_64+0x9a/0x820
[ 73.191272]  ? do_syscall_64+0x9a/0x820
[ 73.195233]  ? lockdep_hardirqs_on+0x421/0x5c0
[ 73.199799]  ? trace_hardirqs_on+0xbd/0x310
[ 73.204119]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 73.209660]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 73.215362]  ? __bpf_trace_preemptirq_template+0x30/0x30
[ 73.220804]  __x64_sys_connect+0x73/0xb0
[ 73.224861]  do_syscall_64+0x1b9/0x820
[ 73.228733]  ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[ 73.234090]  ? syscall_return_slowpath+0x5e0/0x5e0
[ 73.239012]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 73.243848]  ? trace_hardirqs_on_caller+0x310/0x310
[ 73.248922]  ? prepare_exit_to_usermode+0x3b0/0x3b0
[ 73.254113]  ? prepare_exit_to_usermode+0x291/0x3b0
[ 73.259115]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 73.263942]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 73.269116] RIP: 0033:0x457569
[ 73.272295] Code: fd b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 73.291274] RSP: 002b:00007fedaf41fc78 EFLAGS: 00000246 ORIG_RAX: 000000000000002a
[ 73.299146] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000457569
[ 73.306403] RDX: 0000000000000010 RSI: 0000000020000080 RDI: 0000000000000006
[ 73.313664] RBP: 000000000072bf00 R08: 0000000000000000 R09: 0000000000000000
[ 73.320918] R10: 0000000000000000 R11: 0000000000000246 R12: 00007fedaf4206d4
[ 73.328393] R13: 00000000004bdb1a R14: 00000000004cc670 R15: 00000000ffffffff
[ 73.336601] Kernel Offset: disabled
[ 73.340224] Rebooting in 86400 seconds..