[info] Using makefile-style concurrent boot in runlevel 2.
[ 25.487807] audit: type=1800 audit(1543143832.980:21): pid=5822 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="bootlogs" dev="sda1" ino=2419 res=0
[ 25.514211] audit: type=1800 audit(1543143832.980:22): pid=5822 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="motd" dev="sda1" ino=2447 res=0
[....] Starting enhanced syslogd: rsyslogd [ ok ].
[....] Starting periodic command scheduler: cron [ ok ].
[....] Starting OpenBSD Secure Shell server: sshd [ ok ].

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.103' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 33.846815] ==================================================================
[ 33.854275] BUG: KASAN: slab-out-of-bounds in queue_stack_map_push_elem+0x185/0x290
[ 33.862061] Write of size 262146 at addr ffff8881c5fb5e88 by task syz-executor400/5976
[ 33.870223]
[ 33.871833] CPU: 1 PID: 5976 Comm: syz-executor400 Not tainted 4.20.0-rc3+ #202
[ 33.879255] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 33.888586] Call Trace:
[ 33.891158]  dump_stack+0x244/0x39d
[ 33.894775]  ? dump_stack_print_info.cold.1+0x20/0x20
[ 33.899944]  ? printk+0xa7/0xcf
[ 33.903203]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[ 33.907944]  print_address_description.cold.7+0x9/0x1ff
[ 33.913293]  kasan_report.cold.8+0x242/0x309
[ 33.917689]  ? queue_stack_map_push_elem+0x185/0x290
[ 33.922779]  check_memory_region+0x13e/0x1b0
[ 33.927169]  memcpy+0x37/0x50
[ 33.930262]  queue_stack_map_push_elem+0x185/0x290
[ 33.935189]  ? queue_map_pop_elem+0x30/0x30
[ 33.939499]  map_update_elem+0x605/0xf60
[ 33.943546]  __x64_sys_bpf+0x32d/0x520
[ 33.947414]  ? bpf_prog_get+0x20/0x20
[ 33.951210]  do_syscall_64+0x1b9/0x820
[ 33.955080]  ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[ 33.960429]  ? syscall_return_slowpath+0x5e0/0x5e0
[ 33.965339]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 33.970168]  ? trace_hardirqs_on_caller+0x310/0x310
[ 33.975182]  ? prepare_exit_to_usermode+0x3b0/0x3b0
[ 33.980188]  ? prepare_exit_to_usermode+0x291/0x3b0
[ 33.985192]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 33.990020]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 33.995193] RIP: 0033:0x4400e9
[ 33.998373] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 fb 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 34.017270] RSP: 002b:00007ffc085bd3f8 EFLAGS: 00000213 ORIG_RAX: 0000000000000141
[ 34.024958] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 00000000004400e9
[ 34.032206] RDX: 0000000000000020 RSI: 0000000020000040 RDI: 0000000000000002
[ 34.039456] RBP: 00000000006ca018 R08: 0000000000000000 R09: 00000000004002c8
[ 34.046706] R10: 0000000000000000 R11: 0000000000000213 R12: 0000000000401970
[ 34.054014] R13: 0000000000401a00 R14: 0000000000000000 R15: 0000000000000000
[ 34.061327]
[ 34.062951] Allocated by task 5976:
[ 34.066579]  save_stack+0x43/0xd0
[ 34.070014]  kasan_kmalloc+0xc7/0xe0
[ 34.073711]  __kmalloc_node+0x50/0x70
[ 34.077489]  bpf_map_area_alloc+0x3f/0x90
[ 34.081611]  queue_stack_map_alloc+0x192/0x290
[ 34.086176]  map_create+0x3bd/0x1110
[ 34.089868]  __x64_sys_bpf+0x303/0x520
[ 34.093737]  do_syscall_64+0x1b9/0x820
[ 34.097605]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 34.102768]
[ 34.104382] Freed by task 3716:
[ 34.107643]  save_stack+0x43/0xd0
[ 34.111084]  __kasan_slab_free+0x102/0x150
[ 34.115319]  kasan_slab_free+0xe/0x10
[ 34.119101]  kfree+0xcf/0x230
[ 34.122185]  kernfs_fop_release+0x12b/0x1a0
[ 34.126486]  __fput+0x385/0xa30
[ 34.129742]  ____fput+0x15/0x20
[ 34.133003]  task_work_run+0x1e8/0x2a0
[ 34.136870]  exit_to_usermode_loop+0x318/0x380
[ 34.141434]  do_syscall_64+0x6be/0x820
[ 34.145301]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 34.150462]
[ 34.152067] The buggy address belongs to the object at ffff8881c5fb5d40
[ 34.152067]  which belongs to the cache kmalloc-512 of size 512
[ 34.164704] The buggy address is located 328 bytes inside of
[ 34.164704]  512-byte region [ffff8881c5fb5d40, ffff8881c5fb5f40)
[ 34.176677] The buggy address belongs to the page:
[ 34.181587] page:ffffea000717ed40 count:1 mapcount:0 mapping:ffff8881da800940 index:0xffff8881c5fb5340
[ 34.191012] flags: 0x2fffc0000000200(slab)
[ 34.195241] raw: 02fffc0000000200 ffffea000717ee48 ffffea00072f8f08 ffff8881da800940
[ 34.203113] raw: ffff8881c5fb5340 ffff8881c5fb50c0 0000000100000004 0000000000000000
[ 34.210971] page dumped because: kasan: bad access detected
[ 34.216693]
[ 34.218297] Memory state around the buggy address:
[ 34.223205]  ffff8881c5fb5d80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 34.230550]  ffff8881c5fb5e00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 34.237935] >ffff8881c5fb5e80: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
[ 34.245272]                                            ^
[ 34.250701]  ffff8881c5fb5f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 34.258038]  ffff8881c5fb5f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 34.265376] ==================================================================
[ 34.272727] Disabling lock debugging due to kernel taint
[ 34.278181] Kernel panic - not syncing: panic_on_warn set ...
[ 34.284046] CPU: 1 PID: 5976 Comm: syz-executor400 Tainted: G B 4.20.0-rc3+ #202
[ 34.292859] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 34.302188] Call Trace:
[ 34.304765]  dump_stack+0x244/0x39d
[ 34.308383]  ? dump_stack_print_info.cold.1+0x20/0x20
[ 34.313558]  panic+0x2ad/0x55c
[ 34.316732]  ? add_taint.cold.5+0x16/0x16
[ 34.320860]  ? add_taint.cold.5+0x5/0x16
[ 34.325010]  ? trace_hardirqs_off+0xaf/0x310
[ 34.329482]  kasan_end_report+0x47/0x4f
[ 34.333439]  kasan_report.cold.8+0x76/0x309
[ 34.337740]  ? queue_stack_map_push_elem+0x185/0x290
[ 34.342824]  check_memory_region+0x13e/0x1b0
[ 34.347212]  memcpy+0x37/0x50
[ 34.350301]  queue_stack_map_push_elem+0x185/0x290
[ 34.355211]  ? queue_map_pop_elem+0x30/0x30
[ 34.359512]  map_update_elem+0x605/0xf60
[ 34.363554]  __x64_sys_bpf+0x32d/0x520
[ 34.367420]  ? bpf_prog_get+0x20/0x20
[ 34.371226]  do_syscall_64+0x1b9/0x820
[ 34.375106]  ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[ 34.380454]  ? syscall_return_slowpath+0x5e0/0x5e0
[ 34.385364]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 34.390203]  ? trace_hardirqs_on_caller+0x310/0x310
[ 34.395324]  ? prepare_exit_to_usermode+0x3b0/0x3b0
[ 34.400332]  ? prepare_exit_to_usermode+0x291/0x3b0
[ 34.405418]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 34.410238]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 34.415407] RIP: 0033:0x4400e9
[ 34.418596] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 fb 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 34.437481] RSP: 002b:00007ffc085bd3f8 EFLAGS: 00000213 ORIG_RAX: 0000000000000141
[ 34.445168] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 00000000004400e9
[ 34.452416] RDX: 0000000000000020 RSI: 0000000020000040 RDI: 0000000000000002
[ 34.459753] RBP: 00000000006ca018 R08: 0000000000000000 R09: 00000000004002c8
[ 34.466999] R10: 0000000000000000 R11: 0000000000000213 R12: 0000000000401970
[ 34.474250] R13: 0000000000401a00 R14: 0000000000000000 R15: 0000000000000000
[ 34.482906] Kernel Offset: disabled
[ 34.486533] Rebooting in 86400 seconds..