[....] Starting enhanced syslogd: rsyslogd[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[....] Starting periodic command scheduler: cron[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[   29.812673] kauditd_printk_skb: 7 callbacks suppressed
[   29.812686] audit: type=1800 audit(1545604729.375:29): pid=5988 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="rc.local" dev="sda1" ino=2432 res=0
[   29.845107] audit: type=1800 audit(1545604729.385:30): pid=5988 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="rmnologin" dev="sda1" ino=2423 res=0

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   32.835425] sshd (6124) used greatest stack depth: 15728 bytes left
Warning: Permanently added '10.128.0.84' (ECDSA) to the list of known hosts.
executing program
[   39.595669] L1TF CPU bug present and SMT on, data leak possible. See CVE-2018-3646 and https://www.kernel.org/doc/html/latest/admin-guide/l1tf.html for details.
[   39.613873] ==================================================================
[   39.621329] BUG: KASAN: slab-out-of-bounds in fpstate_init+0x50/0x160
[   39.627900] Write of size 832 at addr ffff8881bb875bc0 by task syz-executor910/6140
[   39.635672] 
[   39.637305] CPU: 1 PID: 6140 Comm: syz-executor910 Not tainted 4.20.0-rc6-next-20181217+ #172
[   39.645944] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   39.655290] Call Trace:
[   39.657867]  dump_stack+0x244/0x39d
[   39.661484]  ? dump_stack_print_info.cold.1+0x20/0x20
[   39.666670]  ? printk+0xa7/0xcf
[   39.669941]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[   39.674685]  print_address_description.cold.4+0x9/0x1ff
[   39.680033]  ? fpstate_init+0x50/0x160
[   39.683905]  kasan_report.cold.5+0x1b/0x39
[   39.688138]  ? fpstate_init+0x50/0x160
[   39.692013]  ? fpstate_init+0x50/0x160
[   39.695883]  check_memory_region+0x13e/0x1b0
[   39.700277]  memset+0x23/0x40
[   39.703365]  fpstate_init+0x50/0x160
[   39.707064]  kvm_arch_vcpu_init+0x3e9/0x870
[   39.711370]  kvm_vcpu_init+0x2fa/0x420
[   39.715256]  ? vcpu_stat_get+0x300/0x300
[   39.719301]  ? kmem_cache_alloc+0x33f/0x730
[   39.723609]  vmx_create_vcpu+0x1b7/0x2695
[   39.727741]  ? lock_downgrade+0x900/0x900
[   39.731903]  ? vmx_exec_control+0x210/0x210
[   39.736207]  ? trace_hardirqs_on+0x310/0x310
[   39.740596]  ? kasan_check_write+0x14/0x20
[   39.744824]  ? __mutex_unlock_slowpath+0x197/0x8c0
[   39.749735]  ? wait_for_completion+0x8a0/0x8a0
[   39.754303]  kvm_arch_vcpu_create+0xe5/0x220
[   39.758692]  ? kvm_arch_vcpu_free+0x90/0x90
[   39.763016]  ? kasan_check_read+0x11/0x20
[   39.767170]  kvm_vm_ioctl+0x526/0x2030
[   39.771043]  ? kvm_unregister_device_ops+0x70/0x70
[   39.775958]  ? get_unused_fd_flags+0x1a0/0x1a0
[   39.780539]  ? kfree+0x11e/0x230
[   39.783927]  ? kfree+0x11e/0x230
[   39.787278]  ? lockdep_hardirqs_on+0x3bb/0x5b0
[   39.791840]  ? trace_hardirqs_on+0xbd/0x310
[   39.796146]  ? kvm_uevent_notify_change.part.32+0x300/0x450
[   39.801844]  ? trace_hardirqs_off_caller+0x310/0x310
[   39.806953]  ? __kasan_slab_free+0x119/0x150
[   39.811374]  ? kvm_uevent_notify_change.part.32+0x300/0x450
[   39.817072]  ? fd_install+0x4d/0x60
[   39.820700]  ? kvm_dev_ioctl+0x18a/0x1ae0
[   39.824832]  ? is_bpf_text_address+0xac/0x170
[   39.829863]  ? kvm_debugfs_release+0x90/0x90
[   39.834287]  ? kasan_check_read+0x11/0x20
[   39.838437]  ? rcu_dynticks_curr_cpu_in_eqs+0xa2/0x170
[   39.843710]  ? rcu_read_unlock_special+0x370/0x370
[   39.848637]  ? rcu_softirq_qs+0x20/0x20
[   39.852610]  ? unwind_dump+0x190/0x190
[   39.856513]  ? is_bpf_text_address+0xd3/0x170
[   39.861008]  ? kernel_text_address+0x79/0xf0
[   39.865403]  ? __kernel_text_address+0xd/0x40
[   39.869902]  ? unwind_get_return_address+0x61/0xa0
[   39.874821]  ? __save_stack_trace+0x8d/0xf0
[   39.879134]  ? save_stack+0xa9/0xd0
[   39.882754]  ? save_stack+0x43/0xd0
[   39.886373]  ? __kasan_slab_free+0x102/0x150
[   39.890762]  ? kasan_slab_free+0xe/0x10
[   39.894718]  ? putname+0xf2/0x130
[   39.898160]  ? do_sys_open+0x54d/0x780
[   39.902029]  ? __x64_sys_openat+0x9d/0x100
[   39.906244]  ? do_syscall_64+0x1b9/0x820
[   39.910304]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   39.915659]  ? trace_hardirqs_off+0xb8/0x310
[   39.920048]  ? kasan_check_read+0x11/0x20
[   39.924179]  ? do_raw_spin_unlock+0xa7/0x330
[   39.928574]  ? trace_hardirqs_on+0x310/0x310
[   39.932973]  ? trace_hardirqs_off+0xb8/0x310
[   39.937368]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   39.942894]  ? kvm_unregister_device_ops+0x70/0x70
[   39.947820]  do_vfs_ioctl+0x1de/0x1790
[   39.951747]  ? rcu_lockdep_current_cpu_online+0x1a4/0x210
[   39.957272]  ? ioctl_preallocate+0x300/0x300
[   39.961667]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   39.967188]  ? __fget_light+0x2e9/0x430
[   39.971149]  ? fget_raw+0x20/0x20
[   39.974583]  ? putname+0xf2/0x130
[   39.978023]  ? rcu_read_lock_sched_held+0x14f/0x180
[   39.983035]  ? kmem_cache_free+0x24f/0x290
[   39.987255]  ? putname+0xf7/0x130
[   39.990692]  ? do_syscall_64+0x9a/0x820
[   39.994652]  ? do_syscall_64+0x9a/0x820
[   39.998636]  ? lockdep_hardirqs_on+0x3bb/0x5b0
[   40.003214]  ? security_file_ioctl+0x94/0xc0
[   40.007608]  ksys_ioctl+0xa9/0xd0
[   40.011050]  __x64_sys_ioctl+0x73/0xb0
[   40.014922]  do_syscall_64+0x1b9/0x820
[   40.018810]  ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[   40.024159]  ? syscall_return_slowpath+0x5e0/0x5e0
[   40.029092]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   40.033920]  ? trace_hardirqs_on_caller+0x310/0x310
[   40.038950]  ? prepare_exit_to_usermode+0x3b0/0x3b0
[   40.043965]  ? prepare_exit_to_usermode+0x291/0x3b0
[   40.048993]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   40.053838]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   40.059025] RIP: 0033:0x440039
[   40.062200] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 fb 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[   40.081084] RSP: 002b:00007ffdd6d0fde8 EFLAGS: 00000217 ORIG_RAX: 0000000000000010
[   40.088773] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440039
[   40.096024] RDX: 0000000000000000 RSI: 000000000000ae41 RDI: 0000000000000004
[   40.103276] RBP: 00000000006ca018 R08: 00000000004002c8 R09: 00000000004002c8
[   40.110544] R10: 0000000000000000 R11: 0000000000000217 R12: 00000000004018c0
[   40.117795] R13: 0000000000401950 R14: 0000000000000000 R15: 0000000000000000
[   40.125048] 
[   40.126666] Allocated by task 6140:
[   40.130285]  save_stack+0x43/0xd0
[   40.133719]  kasan_kmalloc+0xcb/0xd0
[   40.137417]  kasan_slab_alloc+0x12/0x20
[   40.141374]  kmem_cache_alloc+0x130/0x730
[   40.145503]  vmx_create_vcpu+0x110/0x2695
[   40.149643]  kvm_arch_vcpu_create+0xe5/0x220
[   40.154048]  kvm_vm_ioctl+0x526/0x2030
[   40.157916]  do_vfs_ioctl+0x1de/0x1790
[   40.161785]  ksys_ioctl+0xa9/0xd0
[   40.165221]  __x64_sys_ioctl+0x73/0xb0
[   40.169092]  do_syscall_64+0x1b9/0x820
[   40.172966]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   40.178135] 
[   40.179743] Freed by task 0:
[   40.182750] (stack is not available)
[   40.186437] 
[   40.188044] The buggy address belongs to the object at ffff8881bb875b80
[   40.188044]  which belongs to the cache x86_fpu of size 832
[   40.200334] The buggy address is located 64 bytes inside of
[   40.200334]  832-byte region [ffff8881bb875b80, ffff8881bb875ec0)
[   40.212098] The buggy address belongs to the page:
[   40.217011] page:ffffea0006ee1d40 count:1 mapcount:0 mapping:ffff8881d7b97380 index:0x0
[   40.225132] flags: 0x2fffc0000000200(slab)
[   40.229355] raw: 02fffc0000000200 ffff8881d6797448 ffff8881d6797448 ffff8881d7b97380
[   40.237220] raw: 0000000000000000 ffff8881bb875040 0000000100000004 0000000000000000
[   40.245077] page dumped because: kasan: bad access detected
[   40.250762] 
[   40.252369] Memory state around the buggy address:
[   40.257288]  ffff8881bb875d80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   40.264629]  ffff8881bb875e00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   40.271971] >ffff8881bb875e80: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
[   40.279340]                                            ^
[   40.284772]  ffff8881bb875f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   40.292127]  ffff8881bb875f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   40.299468] ==================================================================
[   40.306804] Disabling lock debugging due to kernel taint
[   40.313419] Kernel panic - not syncing: panic_on_warn set ...
[   40.319321] CPU: 1 PID: 6140 Comm: syz-executor910 Tainted: G    B             4.20.0-rc6-next-20181217+ #172
[   40.329366] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   40.338698] Call Trace:
[   40.341264]  dump_stack+0x244/0x39d
[   40.344876]  ? dump_stack_print_info.cold.1+0x20/0x20
[   40.350057]  ? fpstate_init+0x30/0x160
[   40.353943]  panic+0x2ad/0x632
[   40.357118]  ? add_taint.cold.5+0x16/0x16
[   40.361249]  ? preempt_schedule+0x4d/0x60
[   40.365378]  ? ___preempt_schedule+0x16/0x18
[   40.369768]  ? trace_hardirqs_on+0xb4/0x310
[   40.374096]  ? fpstate_init+0x50/0x160
[   40.378019]  end_report+0x47/0x4f
[   40.381455]  kasan_report.cold.5+0xe/0x39
[   40.385582]  ? fpstate_init+0x50/0x160
[   40.389466]  ? fpstate_init+0x50/0x160
[   40.393370]  check_memory_region+0x13e/0x1b0
[   40.397776]  memset+0x23/0x40
[   40.400865]  fpstate_init+0x50/0x160
[   40.404567]  kvm_arch_vcpu_init+0x3e9/0x870
[   40.408876]  kvm_vcpu_init+0x2fa/0x420
[   40.412752]  ? vcpu_stat_get+0x300/0x300
[   40.416796]  ? kmem_cache_alloc+0x33f/0x730
[   40.421104]  vmx_create_vcpu+0x1b7/0x2695
[   40.425255]  ? lock_downgrade+0x900/0x900
[   40.429390]  ? vmx_exec_control+0x210/0x210
[   40.433693]  ? trace_hardirqs_on+0x310/0x310
[   40.438085]  ? kasan_check_write+0x14/0x20
[   40.442315]  ? __mutex_unlock_slowpath+0x197/0x8c0
[   40.447233]  ? wait_for_completion+0x8a0/0x8a0
[   40.451802]  kvm_arch_vcpu_create+0xe5/0x220
[   40.456191]  ? kvm_arch_vcpu_free+0x90/0x90
[   40.460495]  ? kasan_check_read+0x11/0x20
[   40.464627]  kvm_vm_ioctl+0x526/0x2030
[   40.468502]  ? kvm_unregister_device_ops+0x70/0x70
[   40.473442]  ? get_unused_fd_flags+0x1a0/0x1a0
[   40.478004]  ? kfree+0x11e/0x230
[   40.481368]  ? kfree+0x11e/0x230
[   40.484715]  ? lockdep_hardirqs_on+0x3bb/0x5b0
[   40.489279]  ? trace_hardirqs_on+0xbd/0x310
[   40.493601]  ? kvm_uevent_notify_change.part.32+0x300/0x450
[   40.499330]  ? trace_hardirqs_off_caller+0x310/0x310
[   40.504425]  ? __kasan_slab_free+0x119/0x150
[   40.508818]  ? kvm_uevent_notify_change.part.32+0x300/0x450
[   40.514508]  ? fd_install+0x4d/0x60
[   40.518115]  ? kvm_dev_ioctl+0x18a/0x1ae0
[   40.522257]  ? is_bpf_text_address+0xac/0x170
[   40.526736]  ? kvm_debugfs_release+0x90/0x90
[   40.531122]  ? kasan_check_read+0x11/0x20
[   40.535257]  ? rcu_dynticks_curr_cpu_in_eqs+0xa2/0x170
[   40.540527]  ? rcu_read_unlock_special+0x370/0x370
[   40.545435]  ? rcu_softirq_qs+0x20/0x20
[   40.549389]  ? unwind_dump+0x190/0x190
[   40.553271]  ? is_bpf_text_address+0xd3/0x170
[   40.557744]  ? kernel_text_address+0x79/0xf0
[   40.562132]  ? __kernel_text_address+0xd/0x40
[   40.566620]  ? unwind_get_return_address+0x61/0xa0
[   40.571543]  ? __save_stack_trace+0x8d/0xf0
[   40.575848]  ? save_stack+0xa9/0xd0
[   40.579455]  ? save_stack+0x43/0xd0
[   40.583076]  ? __kasan_slab_free+0x102/0x150
[   40.587460]  ? kasan_slab_free+0xe/0x10
[   40.591413]  ? putname+0xf2/0x130
[   40.594843]  ? do_sys_open+0x54d/0x780
[   40.598712]  ? __x64_sys_openat+0x9d/0x100
[   40.602939]  ? do_syscall_64+0x1b9/0x820
[   40.606989]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   40.612347]  ? trace_hardirqs_off+0xb8/0x310
[   40.616732]  ? kasan_check_read+0x11/0x20
[   40.620857]  ? do_raw_spin_unlock+0xa7/0x330
[   40.625262]  ? trace_hardirqs_on+0x310/0x310
[   40.629655]  ? trace_hardirqs_off+0xb8/0x310
[   40.634063]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   40.639582]  ? kvm_unregister_device_ops+0x70/0x70
[   40.644490]  do_vfs_ioctl+0x1de/0x1790
[   40.648359]  ? rcu_lockdep_current_cpu_online+0x1a4/0x210
[   40.653877]  ? ioctl_preallocate+0x300/0x300
[   40.658272]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   40.663805]  ? __fget_light+0x2e9/0x430
[   40.667761]  ? fget_raw+0x20/0x20
[   40.671192]  ? putname+0xf2/0x130
[   40.674626]  ? rcu_read_lock_sched_held+0x14f/0x180
[   40.679624]  ? kmem_cache_free+0x24f/0x290
[   40.683842]  ? putname+0xf7/0x130
[   40.687280]  ? do_syscall_64+0x9a/0x820
[   40.691234]  ? do_syscall_64+0x9a/0x820
[   40.695204]  ? lockdep_hardirqs_on+0x3bb/0x5b0
[   40.699772]  ? security_file_ioctl+0x94/0xc0
[   40.704162]  ksys_ioctl+0xa9/0xd0
[   40.707601]  __x64_sys_ioctl+0x73/0xb0
[   40.711499]  do_syscall_64+0x1b9/0x820
[   40.715368]  ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[   40.720731]  ? syscall_return_slowpath+0x5e0/0x5e0
[   40.725640]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   40.730471]  ? trace_hardirqs_on_caller+0x310/0x310
[   40.735469]  ? prepare_exit_to_usermode+0x3b0/0x3b0
[   40.740542]  ? prepare_exit_to_usermode+0x291/0x3b0
[   40.745540]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   40.750431]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   40.755601] RIP: 0033:0x440039
[   40.758775] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 fb 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[   40.777669] RSP: 002b:00007ffdd6d0fde8 EFLAGS: 00000217 ORIG_RAX: 0000000000000010
[   40.785366] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440039
[   40.792613] RDX: 0000000000000000 RSI: 000000000000ae41 RDI: 0000000000000004
[   40.799874] RBP: 00000000006ca018 R08: 00000000004002c8 R09: 00000000004002c8
[   40.807125] R10: 0000000000000000 R11: 0000000000000217 R12: 00000000004018c0
[   40.814373] R13: 0000000000401950 R14: 0000000000000000 R15: 0000000000000000
[   40.822544] Kernel Offset: disabled
[   40.826167] Rebooting in 86400 seconds..