[ ok ] Starting enhanced syslogd: rsyslogd.
[ 38.565076] audit: type=1800 audit(1546008440.261:25): pid=7806 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="cron" dev="sda1" ino=2414 res=0
[ 38.585962] audit: type=1800 audit(1546008440.261:26): pid=7806 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0
[ 38.624794] audit: type=1800 audit(1546008440.261:27): pid=7806 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 43.905016] sshd (7944) used greatest stack depth: 15720 bytes left
Warning: Permanently added '10.128.15.222' (ECDSA) to the list of known hosts.
2018/12/28 14:48:26 parsed 1 programs
2018/12/28 14:48:27 executed programs: 0
[ 106.075507] IPVS: ftp: loaded support on port[0] = 21
[ 106.325176] chnl_net:caif_netlink_parms(): no params data found
[ 106.432778] bridge0: port 1(bridge_slave_0) entered blocking state
[ 106.439411] bridge0: port 1(bridge_slave_0) entered disabled state
[ 106.446560] device bridge_slave_0 entered promiscuous mode
[ 106.464778] bridge0: port 2(bridge_slave_1) entered blocking state
[ 106.471904] bridge0: port 2(bridge_slave_1) entered disabled state
[ 106.478895] device bridge_slave_1 entered promiscuous mode
[ 106.529700] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 106.551156] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 106.601503] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 106.608823] team0: Port device team_slave_0 added
[ 106.625965] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 106.633460] team0: Port device team_slave_1 added
[ 106.650336] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[ 106.668646] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[ 106.729031] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready
[ 106.746834] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_1: link is not ready
[ 106.894076] bridge0: port 2(bridge_slave_1) entered blocking state
[ 106.900526] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 106.907433] bridge0: port 1(bridge_slave_0) entered blocking state
[ 106.913950] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 107.331300] bridge0: port 1(bridge_slave_0) entered disabled state
[ 107.338788] bridge0: port 2(bridge_slave_1) entered disabled state
[ 107.445552] 8021q: adding VLAN 0 to HW filter on device bond0
[ 107.497770] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 107.551857] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
[ 107.557965] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 107.566790] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 107.615687] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready
[ 107.622323] 8021q: adding VLAN 0 to HW filter on device team0
[ 107.674755] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[ 107.682291] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 107.690495] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 107.698193] bridge0: port 1(bridge_slave_0) entered blocking state
[ 107.704591] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 107.748322] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[ 107.755609] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[ 107.764674] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 107.772703] bridge0: port 2(bridge_slave_1) entered blocking state
[ 107.779057] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 107.823101] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready
[ 107.830232] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bond: link becomes ready
[ 107.884670] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready
[ 107.891561] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bond: link becomes ready
[ 107.946585] IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready
[ 107.953765] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_team: link becomes ready
[ 107.961953] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 107.969742] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 108.014384] IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready
[ 108.021415] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_team: link becomes ready
[ 108.029208] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 108.082040] IPv6: ADDRCONF(NETDEV_UP): veth0_to_hsr: link is not ready
[ 108.088878] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_hsr: link becomes ready
[ 108.097235] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 108.145849] IPv6: ADDRCONF(NETDEV_UP): veth1_to_hsr: link is not ready
[ 108.152637] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_hsr: link becomes ready
[ 108.160729] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 108.488167] IPv6: ADDRCONF(NETDEV_UP): vxcan1: link is not ready
[ 108.638584] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 109.052752] ==================================================================
[ 109.060189] BUG: KASAN: stack-out-of-bounds in ax25_getname+0x58/0x790
[ 109.066840] Write of size 72 at addr ffff888085c2fb80 by task syz-executor0/8369
[ 109.074355]
[ 109.075978] CPU: 1 PID: 8369 Comm: syz-executor0 Not tainted 4.20.0-rc7-next-20181224 #189
[ 109.084364] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 109.093702] Call Trace:
[ 109.096311]  dump_stack+0x1d3/0x2c6
[ 109.099928]  ? dump_stack_print_info.cold.1+0x20/0x20
[ 109.105098]  ? printk+0xa7/0xcf
[ 109.108377]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[ 109.113122]  print_address_description.cold.5+0x9/0x1ff
[ 109.118466]  ? ax25_getname+0x58/0x790
[ 109.122336]  kasan_report.cold.6+0x1b/0x39
[ 109.126549]  ? ax25_getname+0x58/0x790
[ 109.130420]  ? ax25_getname+0x58/0x790
[ 109.134306]  check_memory_region+0x13e/0x1b0
[ 109.138698]  memset+0x23/0x40
[ 109.141793]  ax25_getname+0x58/0x790
[ 109.145512]  vhost_net_ioctl+0x139c/0x1bf0
[ 109.149733]  ? vhost_zerocopy_callback+0x300/0x300
[ 109.154646]  ? kasan_check_read+0x11/0x20
[ 109.158777]  ? rcu_dynticks_curr_cpu_in_eqs+0xa2/0x170
[ 109.164048]  ? rcu_read_unlock_special+0x370/0x370
[ 109.168978]  ? __fget+0x4d1/0x740
[ 109.172416]  ? ksys_dup3+0x680/0x680
[ 109.176112]  ? __might_fault+0x12b/0x1e0
[ 109.180162]  ? lock_downgrade+0x900/0x900
[ 109.184295]  ? lock_release+0xa00/0xa00
[ 109.188268]  ? arch_local_save_flags+0x40/0x40
[ 109.192832]  ? vhost_zerocopy_callback+0x300/0x300
[ 109.197741]  do_vfs_ioctl+0x1de/0x1790
[ 109.201611]  ? ioctl_preallocate+0x300/0x300
[ 109.206001]  ? __fget_light+0x2e9/0x430
[ 109.209956]  ? fget_raw+0x20/0x20
[ 109.213397]  ? _copy_to_user+0xc8/0x110
[ 109.217354]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 109.222870]  ? put_timespec64+0x10f/0x1b0
[ 109.226997]  ? nsecs_to_jiffies+0x30/0x30
[ 109.231135]  ? do_syscall_64+0x9a/0x820
[ 109.235118]  ? do_syscall_64+0x9a/0x820
[ 109.239119]  ? lockdep_hardirqs_on+0x421/0x5c0
[ 109.243688]  ? security_file_ioctl+0x94/0xc0
[ 109.248097]  ksys_ioctl+0xa9/0xd0
[ 109.251532]  __x64_sys_ioctl+0x73/0xb0
[ 109.255403]  do_syscall_64+0x1b9/0x820
[ 109.259305]  ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[ 109.264654]  ? syscall_return_slowpath+0x5e0/0x5e0
[ 109.269573]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 109.274399]  ? trace_hardirqs_on_caller+0x310/0x310
[ 109.279572]  ? prepare_exit_to_usermode+0x3b0/0x3b0
[ 109.284567]  ? prepare_exit_to_usermode+0x291/0x3b0
[ 109.289564]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 109.294394]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 109.299581] RIP: 0033:0x4579b9
[ 109.302754] Code: fd b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 109.321635] RSP: 002b:00007fa611f32c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 109.329332] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00000000004579b9
[ 109.336595] RDX: 0000000020f1dff8 RSI: 000000004008af30 RDI: 0000000000000004
[ 109.343846] RBP: 000000000073bf00 R08: 0000000000000000 R09: 0000000000000000
[ 109.351105] R10: 0000000000000000 R11: 0000000000000246 R12: 00007fa611f336d4
[ 109.358372] R13: 00000000004c2191 R14: 00000000004d4560 R15: 00000000ffffffff
[ 109.365676]
[ 109.367289] The buggy address belongs to the page:
[ 109.372211] page:ffffea0002170bc0 count:0 mapcount:0 mapping:0000000000000000 index:0x0
[ 109.380361] flags: 0x1fffc0000000000()
[ 109.384259] raw: 01fffc0000000000 0000000000000000 ffffffff02170101 0000000000000000
[ 109.392118] raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
[ 109.399975] page dumped because: kasan: bad access detected
[ 109.405657]
[ 109.407279] Memory state around the buggy address:
[ 109.412192]  ffff888085c2fa80: 00 f2 f2 f2 f2 f2 f2 f2 00 f2 f2 f2 f2 f2 f2 f2
[ 109.419554]  ffff888085c2fb00: 00 f2 f2 f2 f2 f2 f2 f2 04 f2 f2 f2 f2 f2 f2 f2
[ 109.426905] >ffff888085c2fb80: 00 00 00 00 00 00 04 f2 00 00 00 00 00 00 00 00
[ 109.434247]                    ^
[ 109.439171]  ffff888085c2fc00: 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 f2
[ 109.446515]  ffff888085c2fc80: f2 f2 f2 f2 f2 f2 00 00 00 f2 f2 f2 f2 f2 00 00
[ 109.453853] ==================================================================
[ 109.461202] Disabling lock debugging due to kernel taint
[ 109.468712] Kernel panic - not syncing: panic_on_warn set ...
[ 109.474602] CPU: 0 PID: 8369 Comm: syz-executor0 Tainted: G B 4.20.0-rc7-next-20181224 #189
[ 109.484367] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 109.493696] Call Trace:
[ 109.496260]  dump_stack+0x1d3/0x2c6
[ 109.499878]  ? dump_stack_print_info.cold.1+0x20/0x20
[ 109.505062]  ? ax25_sendmsg+0x1540/0x15d0
[ 109.509191]  panic+0x2ad/0x632
[ 109.512363]  ? add_taint.cold.5+0x16/0x16
[ 109.516487]  ? preempt_schedule+0x4d/0x60
[ 109.520612]  ? ___preempt_schedule+0x16/0x18
[ 109.524996]  ? trace_hardirqs_on+0xb4/0x310
[ 109.529297]  ? ax25_getname+0x58/0x790
[ 109.533177]  end_report+0x47/0x4f
[ 109.536611]  kasan_report.cold.6+0xe/0x39
[ 109.540740]  ? ax25_getname+0x58/0x790
[ 109.544608]  ? ax25_getname+0x58/0x790
[ 109.548489]  check_memory_region+0x13e/0x1b0
[ 109.552874]  memset+0x23/0x40
[ 109.555961]  ax25_getname+0x58/0x790
[ 109.559653]  vhost_net_ioctl+0x139c/0x1bf0
[ 109.563872]  ? vhost_zerocopy_callback+0x300/0x300
[ 109.568782]  ? kasan_check_read+0x11/0x20
[ 109.572907]  ? rcu_dynticks_curr_cpu_in_eqs+0xa2/0x170
[ 109.578165]  ? rcu_read_unlock_special+0x370/0x370
[ 109.583076]  ? __fget+0x4d1/0x740
[ 109.586510]  ? ksys_dup3+0x680/0x680
[ 109.590206]  ? __might_fault+0x12b/0x1e0
[ 109.594245]  ? lock_downgrade+0x900/0x900
[ 109.598370]  ? lock_release+0xa00/0xa00
[ 109.602324]  ? arch_local_save_flags+0x40/0x40
[ 109.606881]  ? vhost_zerocopy_callback+0x300/0x300
[ 109.611789]  do_vfs_ioctl+0x1de/0x1790
[ 109.615654]  ? ioctl_preallocate+0x300/0x300
[ 109.620044]  ? __fget_light+0x2e9/0x430
[ 109.623996]  ? fget_raw+0x20/0x20
[ 109.627424]  ? _copy_to_user+0xc8/0x110
[ 109.631375]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 109.636888]  ? put_timespec64+0x10f/0x1b0
[ 109.641015]  ? nsecs_to_jiffies+0x30/0x30
[ 109.645181]  ? do_syscall_64+0x9a/0x820
[ 109.649136]  ? do_syscall_64+0x9a/0x820
[ 109.653093]  ? lockdep_hardirqs_on+0x421/0x5c0
[ 109.657655]  ? security_file_ioctl+0x94/0xc0
[ 109.662044]  ksys_ioctl+0xa9/0xd0
[ 109.665476]  __x64_sys_ioctl+0x73/0xb0
[ 109.669338]  do_syscall_64+0x1b9/0x820
[ 109.673221]  ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[ 109.678563]  ? syscall_return_slowpath+0x5e0/0x5e0
[ 109.683489]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 109.688309]  ? trace_hardirqs_on_caller+0x310/0x310
[ 109.693306]  ? prepare_exit_to_usermode+0x3b0/0x3b0
[ 109.698301]  ? prepare_exit_to_usermode+0x291/0x3b0
[ 109.703311]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 109.708135]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 109.713309] RIP: 0033:0x4579b9
[ 109.716478] Code: fd b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 109.735357] RSP: 002b:00007fa611f32c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 109.743043] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00000000004579b9
[ 109.750288] RDX: 0000000020f1dff8 RSI: 000000004008af30 RDI: 0000000000000004
[ 109.757532] RBP: 000000000073bf00 R08: 0000000000000000 R09: 0000000000000000
[ 109.764795] R10: 0000000000000000 R11: 0000000000000246 R12: 00007fa611f336d4
[ 109.772043] R13: 00000000004c2191 R14: 00000000004d4560 R15: 00000000ffffffff
[ 109.780229] Kernel Offset: disabled
[ 109.783849] Rebooting in 86400 seconds..
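Added example, not part of the syzkaller log or of the kernel source: a user-space C program that re-derives the report's verdict from the lines above. The call trace shows vhost_net_ioctl invoking the AX.25 socket's getname on a stack buffer, and ax25_getname+0x58 is a memset flagged for a 72-byte write at ffff888085c2fb80. The program models the AF_AX25 sockaddr layouts from the UAPI header (the assumption here is that the 72 bytes are sizeof(struct full_sockaddr_ax25), which the layout reproduces), then parses the "Memory state around the buggy address" rows using KASAN's shadow encoding (00 = all 8 bytes of a granule addressable, 01..07 = only the first N bytes of the granule, f1/f2/f3 = stack redzones) and computes how many bytes are actually addressable at the faulting address. The shadow rows are copied from the report; the struct definitions and function names are the example's own.

```c
/* Decode the KASAN shadow rows from the report above and check the
 * reported 72-byte write against them. Example code, not kernel code. */
#include <assert.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define KASAN_SHADOW_SCALE 8   /* one shadow byte covers 8 bytes of memory */

/* User-space model of the AF_AX25 address layouts (linux/ax25.h). Only the
 * sizes matter here; field names follow the UAPI header. ASSUMPTION: the
 * 72-byte memset in ax25_getname zeroes a full_sockaddr_ax25. */
struct ax25_address { char ax25_call[7]; };
struct sockaddr_ax25 {
    unsigned short       sax25_family;
    struct ax25_address  sax25_call;
    int                  sax25_ndigis;
};
#define AX25_MAX_DIGIS 8
struct full_sockaddr_ax25 {
    struct sockaddr_ax25 fsa_ax25;
    struct ax25_address  fsa_digipeater[AX25_MAX_DIGIS];
};

/* Shadow rows copied verbatim from the report's "Memory state" block. */
static const char *shadow_rows[] = {
    "ffff888085c2fa80: 00 f2 f2 f2 f2 f2 f2 f2 00 f2 f2 f2 f2 f2 f2 f2",
    "ffff888085c2fb00: 00 f2 f2 f2 f2 f2 f2 f2 04 f2 f2 f2 f2 f2 f2 f2",
    "ffff888085c2fb80: 00 00 00 00 00 00 04 f2 00 00 00 00 00 00 00 00",
    "ffff888085c2fc00: 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 f2",
    "ffff888085c2fc80: f2 f2 f2 f2 f2 f2 00 00 00 f2 f2 f2 f2 f2 00 00",
};
#define NROWS     (sizeof shadow_rows / sizeof shadow_rows[0])
#define ROW_BYTES 16   /* shadow bytes per printed row */

/* Shadow byte covering address addr, or -1 if the dump does not cover it. */
int shadow_byte(uint64_t addr) {
    for (size_t i = 0; i < NROWS; i++) {
        char *end;
        uint64_t base = strtoull(shadow_rows[i], &end, 16);   /* stops at ':' */
        if (addr < base || addr >= base + ROW_BYTES * KASAN_SHADOW_SCALE)
            continue;
        size_t idx = (addr - base) / KASAN_SHADOW_SCALE;
        const char *p = end + 1 + 3 * idx;   /* each byte is printed as " xx" */
        return (int)strtoul(p, NULL, 16);
    }
    return -1;
}

/* Bytes addressable starting at addr, walking the shadow forward.
 * 00: whole granule usable; 01..07: only the first N bytes of the granule;
 * >= 0x80 (f1/f2/f3 stack redzones, etc.): not addressable at all. */
size_t addressable_from(uint64_t addr) {
    size_t n = 0;
    for (;;) {
        uint64_t cur = addr + n;
        size_t   off = (size_t)(cur % KASAN_SHADOW_SCALE);
        int      s   = shadow_byte(cur);
        if (s < 0 || s >= 0x80)
            return n;                                  /* redzone or unknown */
        if (s == 0) { n += KASAN_SHADOW_SCALE - off; continue; }
        return (size_t)s > off ? n + ((size_t)s - off) : n;
    }
}

/* 1 if a write of size bytes at addr stays in addressable memory, else 0. */
int write_is_in_bounds(uint64_t addr, size_t size) {
    return addressable_from(addr) >= size;
}

int main(void) {
    const uint64_t bad  = 0xffff888085c2fb80ULL;   /* from "Write of size 72 at addr" */
    const size_t   size = sizeof(struct full_sockaddr_ax25);
    size_t avail = addressable_from(bad);

    printf("sizeof(struct full_sockaddr_ax25) = %zu\n", size);
    printf("addressable at %#llx: %zu bytes\n", (unsigned long long)bad, avail);
    printf("%zu-byte write: %s\n", size,
           write_is_in_bounds(bad, size) ? "in bounds"
                                         : "stack-out-of-bounds (matches report)");
    return 0;
}
```

The decoded shadow says the slot at ffff888085c2fb80 holds 52 addressable bytes (six granules of 8 plus a partial 04 granule) before the f2 mid-stack redzone, so a 72-byte memset overruns it by 20 bytes, which is exactly what KASAN reported. The practical check this encodes for any getname-style callback is that the callee writes sizeof its own full address structure regardless of what the caller allocated, so a caller must hand it a buffer at least that large (in the kernel, a struct sockaddr_storage) rather than a protocol-specific sockaddr of its own choosing.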