INIT: Entering runlevel: 2
[info] Using makefile-style concurrent boot in runlevel 2.
[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.10.4' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 31.671086] ==================================================================
[ 31.678560] BUG: KASAN: slab-out-of-bounds in process_preds+0x1958/0x19b0
[ 31.685468] Write of size 4 at addr ffff8801cf62f270 by task syzkaller812470/4480
[ 31.693069]
[ 31.694686] CPU: 0 PID: 4480 Comm: syzkaller812470 Not tainted 4.16.0+ #2
[ 31.701584] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 31.710916] Call Trace:
[ 31.713512] dump_stack+0x1b9/0x294
[ 31.717126] ? dump_stack_print_info.cold.2+0x52/0x52
[ 31.722293] ? printk+0x9e/0xba
[ 31.725554] ? kmsg_dump_rewind_nolock+0xe4/0xe4
[ 31.730291] ? kasan_check_write+0x14/0x20
[ 31.734511] print_address_description+0x6c/0x20b
[ 31.739337] ? process_preds+0x1958/0x19b0
[ 31.743554] kasan_report.cold.7+0x242/0x2fe
[ 31.747946] __asan_report_store4_noabort+0x17/0x20
[ 31.752943] process_preds+0x1958/0x19b0
[ 31.756984] ? create_filter_start+0x122/0x2e0
[ 31.761552] ? parse_pred+0x28e0/0x28e0
[ 31.765509] ? create_filter_start+0x55/0x2e0
[ 31.769987] create_filter+0x1a8/0x370
[ 31.773866] ? process_preds+0x19b0/0x19b0
[ 31.778085] ? wait_for_completion+0x870/0x870
[ 31.782653] ftrace_profile_set_filter+0x109/0x2b0
[ 31.787566] ? ftrace_profile_free_filter+0x70/0x70
[ 31.792567] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 31.798086] ? memdup_user+0x6b/0xa0
[ 31.801783] perf_event_set_filter+0x248/0x1230
[ 31.806437] ? mutex_trylock+0x2a0/0x2a0
[ 31.810476] ? __thp_get_unmapped_area+0x180/0x180
[ 31.815388] ? put_ctx+0x140/0x140
[ 31.818909] ? __lock_acquire+0x7f5/0x5140
[ 31.823124] ? debug_mutex_init+0x2d/0x60
[ 31.827265] ? debug_check_no_locks_freed+0x310/0x310
[ 31.832434] ? graph_lock+0x170/0x170
[ 31.836219] ? kasan_check_read+0x11/0x20
[ 31.840345] ? rcu_is_watching+0x85/0x140
[ 31.844473] ? __lock_is_held+0xb5/0x140
[ 31.848513] ? __sanitizer_cov_trace_switch+0x53/0x90
[ 31.853686] _perf_ioctl+0x84c/0x15e0
[ 31.857475] ? SYSC_perf_event_open+0x2fa0/0x2fa0
[ 31.862299] ? lock_downgrade+0x8e0/0x8e0
[ 31.866429] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 31.871949] ? kasan_check_read+0x11/0x20
[ 31.876087] ? rcu_is_watching+0x85/0x140
[ 31.880223] ? rcu_bh_force_quiescent_state+0x20/0x20
[ 31.885390] ? graph_lock+0x170/0x170
[ 31.889168] ? mark_held_locks+0xc9/0x160
[ 31.893298] ? mutex_lock_nested+0x16/0x20
[ 31.897512] ? mutex_lock_nested+0x16/0x20
[ 31.901730] ? perf_event_ctx_lock_nested+0x40d/0x4e0
[ 31.906900] ? perf_event_read_event+0x430/0x430
[ 31.911638] ? find_held_lock+0x36/0x1c0
[ 31.915682] perf_ioctl+0x59/0x80
[ 31.919113] ? _perf_ioctl+0x15e0/0x15e0
[ 31.923155] do_vfs_ioctl+0x1cf/0x16a0
[ 31.927027] ? ioctl_preallocate+0x2e0/0x2e0
[ 31.931433] ? fget_raw+0x20/0x20
[ 31.934878] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 31.940400] ? __do_page_fault+0x441/0xe40
[ 31.944622] ? security_file_ioctl+0x94/0xc0
[ 31.949020] ksys_ioctl+0xa9/0xd0
[ 31.952465] SyS_ioctl+0x24/0x30
[ 31.955809] ? ksys_ioctl+0xd0/0xd0
[ 31.959415] do_syscall_64+0x29e/0x9d0
[ 31.963280] ? vmalloc_sync_all+0x30/0x30
[ 31.967407] ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 31.972143] ? syscall_return_slowpath+0x5c0/0x5c0
[ 31.977065] ? syscall_return_slowpath+0x30f/0x5c0
[ 31.981988] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 31.987502] ? retint_user+0x18/0x18
[ 31.991199] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 31.996031] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 32.001200] RIP: 0033:0x43fdb9
[ 32.004367] RSP: 002b:00007ffe3956f9f8 EFLAGS: 00000213 ORIG_RAX: 0000000000000010
[ 32.012053] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043fdb9
[ 32.019308] RDX: 0000000020000040 RSI: 0000000040082406 RDI: 0000000000000003
[ 32.026554] RBP: 00000000006ca018 R08: 00000000004002c8 R09: 00000000004002c8
[ 32.033816] R10: 0000000000000000 R11: 0000000000000213 R12: 00000000004016e0
[ 32.041071] R13: 0000000000401770 R14: 0000000000000000 R15: 0000000000000000
[ 32.048332]
[ 32.049940] Allocated by task 1:
[ 32.053286] save_stack+0x43/0xd0
[ 32.056722] kasan_kmalloc+0xc4/0xe0
[ 32.060414] __kmalloc+0x14e/0x760
[ 32.063942] kobject_get_path+0xc2/0x1a0
[ 32.067978] kobject_uevent_env+0x234/0xea0
[ 32.072279] kobject_uevent+0x1f/0x30
[ 32.076058] netdev_queue_update_kobjects+0x397/0x4e0
[ 32.081231] netdev_register_kobject+0x299/0x380
[ 32.085967] register_netdevice+0x997/0x11c0
[ 32.090365] bond_create+0xf5/0x157
[ 32.093974] bonding_init+0x1666/0x16ff
[ 32.097928] do_one_initcall+0x127/0x913
[ 32.101966] kernel_init_freeable+0x49b/0x58e
[ 32.106439] kernel_init+0x11/0x1b3
[ 32.110043] ret_from_fork+0x3a/0x50
[ 32.113729]
[ 32.115599] Freed by task 1:
[ 32.118600] save_stack+0x43/0xd0
[ 32.122029] __kasan_slab_free+0x11a/0x170
[ 32.126257] kasan_slab_free+0xe/0x10
[ 32.130034] kfree+0xd9/0x260
[ 32.133123] kobject_uevent_env+0x275/0xea0
[ 32.137434] kobject_uevent+0x1f/0x30
[ 32.141212] netdev_queue_update_kobjects+0x397/0x4e0
[ 32.146383] netdev_register_kobject+0x299/0x380
[ 32.151648] register_netdevice+0x997/0x11c0
[ 32.156037] bond_create+0xf5/0x157
[ 32.159645] bonding_init+0x1666/0x16ff
[ 32.163598] do_one_initcall+0x127/0x913
[ 32.167639] kernel_init_freeable+0x49b/0x58e
[ 32.172114] kernel_init+0x11/0x1b3
[ 32.175722] ret_from_fork+0x3a/0x50
[ 32.179408]
[ 32.181020] The buggy address belongs to the object at ffff8801cf62f200
[ 32.181020]  which belongs to the cache kmalloc-64 of size 64
[ 32.193496] The buggy address is located 48 bytes to the right of
[ 32.193496]  64-byte region [ffff8801cf62f200, ffff8801cf62f240)
[ 32.205694] The buggy address belongs to the page:
[ 32.210606] page:ffffea00073d8bc0 count:1 mapcount:0 mapping:ffff8801cf62f000 index:0xffff8801cf62fc80
[ 32.220037] flags: 0x2fffc0000000100(slab)
[ 32.224256] raw: 02fffc0000000100 ffff8801cf62f000 ffff8801cf62fc80 000000010000001c
[ 32.232121] raw: ffffea00073c00e0 ffffea00074c0360 ffff8801dac00340 0000000000000000
[ 32.239976] page dumped because: kasan: bad access detected
[ 32.245661]
[ 32.247262] Memory state around the buggy address:
[ 32.252180]  ffff8801cf62f100: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 32.259520]  ffff8801cf62f180: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 32.266859] >ffff8801cf62f200: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 32.274282]                                                              ^
[ 32.281273]  ffff8801cf62f280: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc
[ 32.288610]  ffff8801cf62f300: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
[ 32.295943] ==================================================================
[ 32.303275] Disabling lock debugging due to kernel taint
[ 32.308833] Kernel panic - not syncing: panic_on_warn set ...
[ 32.308833]
[ 32.316207] CPU: 0 PID: 4480 Comm: syzkaller812470 Tainted: G B 4.16.0+ #2
[ 32.324513] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 32.333845] Call Trace:
[ 32.336414] dump_stack+0x1b9/0x294
[ 32.340035] ? dump_stack_print_info.cold.2+0x52/0x52
[ 32.345208] ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 32.349943] ? process_preds+0x1900/0x19b0
[ 32.354156] panic+0x22f/0x4de
[ 32.357324] ? add_taint.cold.5+0x16/0x16
[ 32.361452] ? do_raw_spin_unlock+0x9e/0x2e0
[ 32.365841] ? do_raw_spin_unlock+0x9e/0x2e0
[ 32.370227] ? process_preds+0x1958/0x19b0
[ 32.374449] kasan_end_report+0x47/0x4f
[ 32.378399] kasan_report.cold.7+0x76/0x2fe
[ 32.382702] __asan_report_store4_noabort+0x17/0x20
[ 32.387703] process_preds+0x1958/0x19b0
[ 32.391741] ? create_filter_start+0x122/0x2e0
[ 32.396302] ? parse_pred+0x28e0/0x28e0
[ 32.400255] ? create_filter_start+0x55/0x2e0
[ 32.404728] create_filter+0x1a8/0x370
[ 32.408594] ? process_preds+0x19b0/0x19b0
[ 32.412807] ? wait_for_completion+0x870/0x870
[ 32.417368] ftrace_profile_set_filter+0x109/0x2b0
[ 32.422287] ? ftrace_profile_free_filter+0x70/0x70
[ 32.427294] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 32.432836] ? memdup_user+0x6b/0xa0
[ 32.436557] perf_event_set_filter+0x248/0x1230
[ 32.441211] ? mutex_trylock+0x2a0/0x2a0
[ 32.445251] ? __thp_get_unmapped_area+0x180/0x180
[ 32.450158] ? put_ctx+0x140/0x140
[ 32.453674] ? __lock_acquire+0x7f5/0x5140
[ 32.457890] ? debug_mutex_init+0x2d/0x60
[ 32.462032] ? debug_check_no_locks_freed+0x310/0x310
[ 32.467212] ? graph_lock+0x170/0x170
[ 32.470990] ? kasan_check_read+0x11/0x20
[ 32.475119] ? rcu_is_watching+0x85/0x140
[ 32.479240] ? __lock_is_held+0xb5/0x140
[ 32.483279] ? __sanitizer_cov_trace_switch+0x53/0x90
[ 32.488448] _perf_ioctl+0x84c/0x15e0
[ 32.492228] ? SYSC_perf_event_open+0x2fa0/0x2fa0
[ 32.497055] ? lock_downgrade+0x8e0/0x8e0
[ 32.501184] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 32.506700] ? kasan_check_read+0x11/0x20
[ 32.510835] ? rcu_is_watching+0x85/0x140
[ 32.514960] ? rcu_bh_force_quiescent_state+0x20/0x20
[ 32.520126] ? graph_lock+0x170/0x170
[ 32.523901] ? mark_held_locks+0xc9/0x160
[ 32.528030] ? mutex_lock_nested+0x16/0x20
[ 32.532245] ? mutex_lock_nested+0x16/0x20
[ 32.536458] ? perf_event_ctx_lock_nested+0x40d/0x4e0
[ 32.541626] ? perf_event_read_event+0x430/0x430
[ 32.546358] ? find_held_lock+0x36/0x1c0
[ 32.550397] perf_ioctl+0x59/0x80
[ 32.553829] ? _perf_ioctl+0x15e0/0x15e0
[ 32.557869] do_vfs_ioctl+0x1cf/0x16a0
[ 32.561734] ? ioctl_preallocate+0x2e0/0x2e0
[ 32.566119] ? fget_raw+0x20/0x20
[ 32.569550] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 32.575065] ? __do_page_fault+0x441/0xe40
[ 32.579279] ? security_file_ioctl+0x94/0xc0
[ 32.583668] ksys_ioctl+0xa9/0xd0
[ 32.587104] SyS_ioctl+0x24/0x30
[ 32.590449] ? ksys_ioctl+0xd0/0xd0
[ 32.594057] do_syscall_64+0x29e/0x9d0
[ 32.597929] ? vmalloc_sync_all+0x30/0x30
[ 32.602057] ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 32.606798] ? syscall_return_slowpath+0x5c0/0x5c0
[ 32.611707] ? syscall_return_slowpath+0x30f/0x5c0
[ 32.616613] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 32.622126] ? retint_user+0x18/0x18
[ 32.625817] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 32.630635] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 32.635798] RIP: 0033:0x43fdb9
[ 32.638965] RSP: 002b:00007ffe3956f9f8 EFLAGS: 00000213 ORIG_RAX: 0000000000000010
[ 32.646651] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043fdb9
[ 32.653898] RDX: 0000000020000040 RSI: 0000000040082406 RDI: 0000000000000003
[ 32.661145] RBP: 00000000006ca018 R08: 00000000004002c8 R09: 00000000004002c8
[ 32.668389] R10: 0000000000000000 R11: 0000000000000213 R12: 00000000004016e0
[ 32.675635] R13: 0000000000401770 R14: 0000000000000000 R15: 0000000000000000
[ 32.683364] Dumping ftrace buffer:
[ 32.686889]    (ftrace buffer empty)
[ 32.690572] Kernel Offset: disabled
[ 32.694172] Rebooting in 86400 seconds..