[ ok ] Starting enhanced syslogd: rsyslogd.
[ 35.446437] audit: type=1800 audit(1538910470.934:25): pid=5620 uid=0 auid=4294967295 ses=4294967295 subj=_ op=collect_data cause=failed(directio) comm="startpar" name="cron" dev="sda1" ino=2414 res=0
[ 35.469508] audit: type=1800 audit(1538910470.944:26): pid=5620 uid=0 auid=4294967295 ses=4294967295 subj=_ op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0
[ 35.488515] audit: type=1800 audit(1538910470.944:27): pid=5620 uid=0 auid=4294967295 ses=4294967295 subj=_ op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.7' (ECDSA) to the list of known hosts.
net.ipv6.conf.syz_tun.accept_dad = 0
net.ipv6.conf.syz_tun.router_solicitations = 0
syzkaller login: [ 43.838298] IPVS: ftp: loaded support on port[0] = 21
[ 44.004499] bridge0: port 1(bridge_slave_0) entered blocking state
[ 44.011178] bridge0: port 1(bridge_slave_0) entered disabled state
[ 44.017997] device bridge_slave_0 entered promiscuous mode
[ 44.031814] bridge0: port 2(bridge_slave_1) entered blocking state
[ 44.038293] bridge0: port 2(bridge_slave_1) entered disabled state
[ 44.045004] device bridge_slave_1 entered promiscuous mode
[ 44.058926] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[ 44.073199] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[ 44.105972] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 44.121968] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 44.170940] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 44.178035] team0: Port device team_slave_0 added
[ 44.189527] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 44.196465] team0: Port device team_slave_1 added
[ 44.208587] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 44.222783] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 44.237345] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 44.252968] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
RTNETLINK answers: Operation not supported
RTNETLINK answers: No buffer space available
RTNETLINK answers: Operation not supported
RTNETLINK answers: Operation not supported
[ 44.343340] bridge0: port 2(bridge_slave_1) entered blocking state
[ 44.349801] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 44.356348] bridge0: port 1(bridge_slave_0) entered blocking state
[ 44.362703] bridge0: port 1(bridge_slave_0) entered forwarding state
RTNETLINK answers: Operation not supported
RTNETLINK answers: Operation not supported
RTNETLINK answers: Invalid argument
RTNETLINK answers: Invalid argument
RTNETLINK answers: Invalid argument
[ 44.693897] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[ 44.700142] 8021q: adding VLAN 0 to HW filter on device bond0
[ 44.737218] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 44.772987] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 44.780550] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 44.816433] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready
[ 44.823119] 8021q: adding VLAN 0 to HW filter on device team0
executing program
[ 44.966929] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 45.016255] kauditd_printk_skb: 3 callbacks suppressed
[ 45.016266] audit: type=1804 audit(1538910480.504:31): pid=6031 uid=0 auid=4294967295 ses=4294967295 subj=_ op=invalid_pcr cause=open_writers comm="syz-executor597" name="/root/bus" dev="sda1" ino=16482 res=1
[ 45.278698] ==================================================================
[ 45.286185] BUG: KASAN: use-after-free in tls_push_record+0x10b9/0x1480
[ 45.292913] Write of size 1 at addr ffff8801c6d3aff2 by task syz-executor597/6032
[ 45.300503]
[ 45.302111] CPU: 0 PID: 6032 Comm: syz-executor597 Not tainted 4.19.0-rc6+ #48
[ 45.309482] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 45.318814] Call Trace:
[ 45.321390]  dump_stack+0x1c4/0x2b4
[ 45.324998]  ? dump_stack_print_info.cold.2+0x52/0x52
[ 45.330167]  ? printk+0xa7/0xcf
[ 45.333426]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[ 45.338161]  print_address_description.cold.8+0x9/0x1ff
[ 45.343501]  kasan_report.cold.9+0x242/0x309
[ 45.347894]  ? tls_push_record+0x10b9/0x1480
[ 45.352281]  __asan_report_store1_noabort+0x17/0x20
[ 45.357298]  tls_push_record+0x10b9/0x1480
[ 45.361513]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 45.367034]  ? lock_sock_nested+0x9a/0x120
[ 45.371257]  tls_sw_push_pending_record+0x22/0x30
[ 45.376079]  tls_sk_proto_close+0x69c/0xbb0
[ 45.380383]  ? lock_acquire+0x1ed/0x520
[ 45.384337]  ? tcp_check_oom+0x530/0x530
[ 45.388377]  ? tls_write_space+0x390/0x390
[ 45.392591]  ? arch_local_save_flags+0x40/0x40
[ 45.397154]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 45.402676]  ? ipv6_sock_ac_close+0x34f/0x470
[ 45.407158]  ? ipv6_sock_mc_close+0x162/0x1d0
[ 45.411632]  ? ip_mc_drop_socket+0x20b/0x270
[ 45.416018]  ? down_write+0x8a/0x130
[ 45.419715]  inet_release+0x104/0x1f0
[ 45.423503]  inet6_release+0x50/0x70
[ 45.427199]  __sock_release+0xd7/0x250
[ 45.431068]  ? __sock_release+0x250/0x250
[ 45.435194]  sock_close+0x19/0x20
[ 45.438626]  __fput+0x385/0xa30
[ 45.441885]  ? get_max_files+0x20/0x20
[ 45.445884]  ? do_raw_spin_lock+0xc1/0x200
[ 45.450101]  ? ___might_sleep+0x1ed/0x300
[ 45.454247]  ? arch_local_save_flags+0x40/0x40
[ 45.458809]  ____fput+0x15/0x20
[ 45.462069]  task_work_run+0x1e8/0x2a0
[ 45.465936]  ? task_work_cancel+0x240/0x240
[ 45.470242]  ? switch_task_namespaces+0xb8/0xd0
[ 45.474892]  do_exit+0x1ad7/0x2610
[ 45.478411]  ? mm_update_next_owner+0x990/0x990
[ 45.483063]  ? ___might_sleep+0x1ed/0x300
[ 45.487190]  ? arch_local_save_flags+0x40/0x40
[ 45.491756]  ? do_raw_spin_unlock+0xa7/0x2f0
[ 45.496143]  ? do_raw_spin_trylock+0x1c0/0x1c0
[ 45.500708]  ? lock_acquire+0x1ed/0x520
[ 45.504672]  ? __might_sleep+0x95/0x190
[ 45.508627]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 45.514195]  ? futex_wait_queue_me+0x55d/0x840
[ 45.518764]  ? refill_pi_state_cache.part.9+0x320/0x320
[ 45.524110]  ? futex_wait+0x309/0xa50
[ 45.527891]  ? lock_downgrade+0x900/0x900
[ 45.532132]  ? kasan_check_write+0x14/0x20
[ 45.536361]  ? mark_held_locks+0x130/0x130
[ 45.540578]  ? kasan_check_read+0x11/0x20
[ 45.544756]  ? do_raw_spin_unlock+0xa7/0x2f0
[ 45.549146]  ? do_raw_spin_trylock+0x1c0/0x1c0
[ 45.553708]  ? kasan_check_write+0x14/0x20
[ 45.557930]  ? __sanitizer_cov_trace_switch+0x53/0x90
[ 45.563374]  ? drop_futex_key_refs.isra.15+0x6d/0xe0
[ 45.568461]  ? futex_wait+0x5ec/0xa50
[ 45.572256]  ? futex_wait_setup+0x3e0/0x3e0
[ 45.576567]  ? __sanitizer_cov_trace_switch+0x53/0x90
[ 45.581750]  ? drop_futex_key_refs.isra.15+0x6d/0xe0
[ 45.586834]  ? futex_wake+0x304/0x760
[ 45.590613]  ? memset+0x31/0x40
[ 45.593890]  ? __dequeue_signal+0xf9/0x7d0
[ 45.598106]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 45.603636]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 45.609152]  ? get_signal+0x95b/0x1980
[ 45.613018]  ? lock_downgrade+0x900/0x900
[ 45.617148]  do_group_exit+0x177/0x440
[ 45.621012]  ? __bpf_trace_preemptirq_template+0x30/0x30
[ 45.626437]  ? __ia32_sys_exit+0x50/0x50
[ 45.630478]  ? kasan_check_write+0x14/0x20
[ 45.634692]  ? do_raw_spin_lock+0xc1/0x200
[ 45.638912]  get_signal+0x8b0/0x1980
[ 45.642603]  ? ptrace_notify+0x130/0x130
[ 45.646642]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 45.652163]  ? do_tcp_setsockopt.isra.40+0x202/0x2770
[ 45.657337]  ? tcp_peek_len+0x2c0/0x2c0
[ 45.661292]  ? release_sock+0x1ec/0x2c0
[ 45.665247]  do_signal+0x9c/0x21e0
[ 45.668769]  ? __fget_light+0x2e9/0x430
[ 45.672731]  ? fget_raw+0x20/0x20
[ 45.676162]  ? setup_sigcontext+0x7d0/0x7d0
[ 45.680467]  ? __local_bh_enable_ip+0x160/0x260
[ 45.685116]  ? _raw_spin_unlock_bh+0x30/0x40
[ 45.689522]  ? release_sock+0x1ec/0x2c0
[ 45.693484]  ? tcp_setsockopt+0x9a/0xe0
[ 45.697444]  ? __x64_sys_futex+0x47f/0x6a0
[ 45.701672]  exit_to_usermode_loop+0x2e5/0x380
[ 45.706255]  ? syscall_slow_exit_work+0x520/0x520
[ 45.711184]  do_syscall_64+0x6be/0x820
[ 45.715053]  ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[ 45.720396]  ? syscall_return_slowpath+0x5e0/0x5e0
[ 45.725305]  ? trace_hardirqs_on_caller+0x310/0x310
[ 45.730302]  ? prepare_exit_to_usermode+0x3b0/0x3b0
[ 45.735298]  ? recalc_sigpending_tsk+0x180/0x180
[ 45.740359]  ? kasan_check_write+0x14/0x20
[ 45.744588]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 45.749429]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 45.754595] RIP: 0033:0x446e79
[ 45.757768] Code: 00 2f 75 73 72 2f 6c 69 62 2f 72 73 79 73 6c 6f 67 2f 00 4d 6f 64 75 6c 65 20 27 25 73 27 20 61 6c 72 65 61 64 79 20 6c 6f 61 <64> 65 64 0a 00 6c 6f 61 64 69 6e 67 20 6d 6f 64 75 6c 65 20 27 25
[ 45.776662] RSP: 002b:00007f45c6a35da8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
[ 45.784347] RAX: fffffffffffffe00 RBX: 00000000006dcc58 RCX: 0000000000446e79
[ 45.791591] RDX: 0000000000000000 RSI: 0000000000000080 RDI: 00000000006dcc58
[ 45.798835] RBP: 00000000006dcc50 R08: 0000000000000000 R09: 0000000000000000
[ 45.806078] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dcc5c
[ 45.813324] R13: 4000000000000001 R14: 00007f45c6a369c0 R15: 0000000000000001
[ 45.820575]
[ 45.822175] The buggy address belongs to the page:
[ 45.827081] page:ffffea00071b4e80 count:0 mapcount:0 mapping:0000000000000000 index:0xffff8801c6d3a480
[ 45.836500] flags: 0x2fffc0000000000()
[ 45.840363] raw: 02fffc0000000000 0000000000000000 dead000000000200 0000000000000000
[ 45.848220] raw: ffff8801c6d3a480 0000000000000000 00000000ffffffff 0000000000000000
[ 45.856071] page dumped because: kasan: bad access detected
[ 45.861763]
[ 45.863364] Memory state around the buggy address:
[ 45.868269]  ffff8801c6d3ae80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 45.875601]  ffff8801c6d3af00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 45.882936] >ffff8801c6d3af80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 45.890280]                                                          ^
[ 45.897273]  ffff8801c6d3b000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 45.904605]  ffff8801c6d3b080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 45.911950] ==================================================================
[ 45.922037] Kernel panic - not syncing: panic_on_warn set ...
[ 45.922037]
[ 45.929410] CPU: 0 PID: 6032 Comm: syz-executor597 Tainted: G B 4.19.0-rc6+ #48
[ 45.938134] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 45.947466] Call Trace:
[ 45.950035]  dump_stack+0x1c4/0x2b4
[ 45.953639]  ? dump_stack_print_info.cold.2+0x52/0x52
[ 45.958827]  panic+0x238/0x4e7
[ 45.962001]  ? add_taint.cold.5+0x16/0x16
[ 45.966127]  ? preempt_schedule+0x4d/0x60
[ 45.970267]  ? ___preempt_schedule+0x16/0x18
[ 45.974653]  ? trace_hardirqs_on+0xb4/0x310
[ 45.978959]  kasan_end_report+0x47/0x4f
[ 45.982914]  kasan_report.cold.9+0x76/0x309
[ 45.987212]  ? tls_push_record+0x10b9/0x1480
[ 45.991597]  __asan_report_store1_noabort+0x17/0x20
[ 45.996592]  tls_push_record+0x10b9/0x1480
[ 46.000810]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 46.006327]  ? lock_sock_nested+0x9a/0x120
[ 46.010543]  tls_sw_push_pending_record+0x22/0x30
[ 46.015366]  tls_sk_proto_close+0x69c/0xbb0
[ 46.019666]  ? lock_acquire+0x1ed/0x520
[ 46.023638]  ? tcp_check_oom+0x530/0x530
[ 46.027682]  ? tls_write_space+0x390/0x390
[ 46.031897]  ? arch_local_save_flags+0x40/0x40
[ 46.036455]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 46.041971]  ? ipv6_sock_ac_close+0x34f/0x470
[ 46.046460]  ? ipv6_sock_mc_close+0x162/0x1d0
[ 46.050934]  ? ip_mc_drop_socket+0x20b/0x270
[ 46.055320]  ? down_write+0x8a/0x130
[ 46.059014]  inet_release+0x104/0x1f0
[ 46.062802]  inet6_release+0x50/0x70
[ 46.066494]  __sock_release+0xd7/0x250
[ 46.070363]  ? __sock_release+0x250/0x250
[ 46.074488]  sock_close+0x19/0x20
[ 46.077925]  __fput+0x385/0xa30
[ 46.081188]  ? get_max_files+0x20/0x20
[ 46.085054]  ? do_raw_spin_lock+0xc1/0x200
[ 46.089267]  ? ___might_sleep+0x1ed/0x300
[ 46.093392]  ? arch_local_save_flags+0x40/0x40
[ 46.097953]  ____fput+0x15/0x20
[ 46.101214]  task_work_run+0x1e8/0x2a0
[ 46.105078]  ? task_work_cancel+0x240/0x240
[ 46.109379]  ? switch_task_namespaces+0xb8/0xd0
[ 46.114028]  do_exit+0x1ad7/0x2610
[ 46.117547]  ? mm_update_next_owner+0x990/0x990
[ 46.122193]  ? ___might_sleep+0x1ed/0x300
[ 46.126323]  ? arch_local_save_flags+0x40/0x40
[ 46.130884]  ? do_raw_spin_unlock+0xa7/0x2f0
[ 46.135268]  ? do_raw_spin_trylock+0x1c0/0x1c0
[ 46.139828]  ? lock_acquire+0x1ed/0x520
[ 46.143786]  ? __might_sleep+0x95/0x190
[ 46.147740]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 46.153259]  ? futex_wait_queue_me+0x55d/0x840
[ 46.157819]  ? refill_pi_state_cache.part.9+0x320/0x320
[ 46.163164]  ? futex_wait+0x309/0xa50
[ 46.166946]  ? lock_downgrade+0x900/0x900
[ 46.171072]  ? kasan_check_write+0x14/0x20
[ 46.175431]  ? mark_held_locks+0x130/0x130
[ 46.179642]  ? kasan_check_read+0x11/0x20
[ 46.183769]  ? do_raw_spin_unlock+0xa7/0x2f0
[ 46.188154]  ? do_raw_spin_trylock+0x1c0/0x1c0
[ 46.192714]  ? kasan_check_write+0x14/0x20
[ 46.196923]  ? __sanitizer_cov_trace_switch+0x53/0x90
[ 46.202108]  ? drop_futex_key_refs.isra.15+0x6d/0xe0
[ 46.207194]  ? futex_wait+0x5ec/0xa50
[ 46.210974]  ? futex_wait_setup+0x3e0/0x3e0
[ 46.215267]  ? __sanitizer_cov_trace_switch+0x53/0x90
[ 46.220432]  ? drop_futex_key_refs.isra.15+0x6d/0xe0
[ 46.225510]  ? futex_wake+0x304/0x760
[ 46.229287]  ? memset+0x31/0x40
[ 46.232542]  ? __dequeue_signal+0xf9/0x7d0
[ 46.236756]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 46.242458]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 46.247993]  ? get_signal+0x95b/0x1980
[ 46.251872]  ? lock_downgrade+0x900/0x900
[ 46.256017]  do_group_exit+0x177/0x440
[ 46.259882]  ? __bpf_trace_preemptirq_template+0x30/0x30
[ 46.265309]  ? __ia32_sys_exit+0x50/0x50
[ 46.269349]  ? kasan_check_write+0x14/0x20
[ 46.273561]  ? do_raw_spin_lock+0xc1/0x200
[ 46.277778]  get_signal+0x8b0/0x1980
[ 46.281472]  ? ptrace_notify+0x130/0x130
[ 46.285514]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 46.291033]  ? do_tcp_setsockopt.isra.40+0x202/0x2770
[ 46.296215]  ? tcp_peek_len+0x2c0/0x2c0
[ 46.300186]  ? release_sock+0x1ec/0x2c0
[ 46.304136]  do_signal+0x9c/0x21e0
[ 46.307669]  ? __fget_light+0x2e9/0x430
[ 46.311622]  ? fget_raw+0x20/0x20
[ 46.315055]  ? setup_sigcontext+0x7d0/0x7d0
[ 46.319380]  ? __local_bh_enable_ip+0x160/0x260
[ 46.324031]  ? _raw_spin_unlock_bh+0x30/0x40
[ 46.328448]  ? release_sock+0x1ec/0x2c0
[ 46.332415]  ? tcp_setsockopt+0x9a/0xe0
[ 46.336373]  ? __x64_sys_futex+0x47f/0x6a0
[ 46.340589]  exit_to_usermode_loop+0x2e5/0x380
[ 46.345153]  ? syscall_slow_exit_work+0x520/0x520
[ 46.349982]  do_syscall_64+0x6be/0x820
[ 46.353848]  ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[ 46.359203]  ? syscall_return_slowpath+0x5e0/0x5e0
[ 46.364108]  ? trace_hardirqs_on_caller+0x310/0x310
[ 46.369104]  ? prepare_exit_to_usermode+0x3b0/0x3b0
[ 46.374099]  ? recalc_sigpending_tsk+0x180/0x180
[ 46.378855]  ? kasan_check_write+0x14/0x20
[ 46.383069]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 46.387897]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 46.393065] RIP: 0033:0x446e79
[ 46.396239] Code: 00 2f 75 73 72 2f 6c 69 62 2f 72 73 79 73 6c 6f 67 2f 00 4d 6f 64 75 6c 65 20 27 25 73 27 20 61 6c 72 65 61 64 79 20 6c 6f 61 <64> 65 64 0a 00 6c 6f 61 64 69 6e 67 20 6d 6f 64 75 6c 65 20 27 25
[ 46.415118] RSP: 002b:00007f45c6a35da8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
[ 46.422806] RAX: fffffffffffffe00 RBX: 00000000006dcc58 RCX: 0000000000446e79
[ 46.430053] RDX: 0000000000000000 RSI: 0000000000000080 RDI: 00000000006dcc58
[ 46.437311] RBP: 00000000006dcc50 R08: 0000000000000000 R09: 0000000000000000
[ 46.444555] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dcc5c
[ 46.451799] R13: 4000000000000001 R14: 00007f45c6a369c0 R15: 0000000000000001
[ 46.460183] Kernel Offset: disabled
[ 46.463804] Rebooting in 86400 seconds..