[ ok ] Starting enhanced syslogd: rsyslogd. [ 40.076211] audit: type=1800 audit(1545968474.533:25): pid=7928 uid=0 auid=4294967295 ses=4294967295 subj=_ op=collect_data cause=failed(directio) comm="startpar" name="cron" dev="sda1" ino=2414 res=0 [ 40.114564] audit: type=1800 audit(1545968474.543:26): pid=7928 uid=0 auid=4294967295 ses=4294967295 subj=_ op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0 [ 40.165081] audit: type=1800 audit(1545968474.543:27): pid=7928 uid=0 auid=4294967295 ses=4294967295 subj=_ op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0 [ ok ] Starting periodic command scheduler: cron. [ ok ] Starting OpenBSD Secure Shell server: sshd. Debian GNU/Linux 7 syzkaller ttyS0 syzkaller login: [ 45.715746] sshd (8068) used greatest stack depth: 15736 bytes left Warning: Permanently added '10.128.0.79' (ECDSA) to the list of known hosts. 
2018/12/28 03:54:30 parsed 1 programs 2018/12/28 03:54:32 executed programs: 0 [ 838.340371] IPVS: ftp: loaded support on port[0] = 21 [ 838.582500] chnl_net:caif_netlink_parms(): no params data found [ 838.694473] bridge0: port 1(bridge_slave_0) entered blocking state [ 838.701201] bridge0: port 1(bridge_slave_0) entered disabled state [ 838.708530] device bridge_slave_0 entered promiscuous mode [ 838.728186] bridge0: port 2(bridge_slave_1) entered blocking state [ 838.734551] bridge0: port 2(bridge_slave_1) entered disabled state [ 838.741662] device bridge_slave_1 entered promiscuous mode [ 838.791839] bond0: Enslaving bond_slave_0 as an active interface with an up link [ 838.813024] bond0: Enslaving bond_slave_1 as an active interface with an up link [ 838.864659] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready [ 838.872052] team0: Port device team_slave_0 added [ 838.888686] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready [ 838.895869] team0: Port device team_slave_1 added [ 838.912431] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready [ 838.932194] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready [ 838.992132] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready [ 839.012299] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_1: link is not ready [ 839.160801] bridge0: port 2(bridge_slave_1) entered blocking state [ 839.167213] bridge0: port 2(bridge_slave_1) entered forwarding state [ 839.174107] bridge0: port 1(bridge_slave_0) entered blocking state [ 839.180549] bridge0: port 1(bridge_slave_0) entered forwarding state [ 839.559349] bridge0: port 1(bridge_slave_0) entered disabled state [ 839.568158] bridge0: port 2(bridge_slave_1) entered disabled state [ 839.724624] 8021q: adding VLAN 0 to HW filter on device bond0 [ 839.778127] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready [ 839.832112] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready [ 839.838609] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready [ 
839.846277] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 839.899705] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready [ 839.905771] 8021q: adding VLAN 0 to HW filter on device team0 [ 839.957645] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready [ 839.964632] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready [ 839.973638] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready [ 839.981609] bridge0: port 1(bridge_slave_0) entered blocking state [ 839.988004] bridge0: port 1(bridge_slave_0) entered forwarding state [ 840.033523] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready [ 840.041485] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready [ 840.049382] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready [ 840.057212] bridge0: port 2(bridge_slave_1) entered blocking state [ 840.063577] bridge0: port 2(bridge_slave_1) entered forwarding state [ 840.110248] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready [ 840.117052] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bond: link becomes ready [ 840.172750] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready [ 840.179775] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bond: link becomes ready [ 840.235310] IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready [ 840.242959] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_team: link becomes ready [ 840.252028] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready [ 840.261662] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready [ 840.309176] IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready [ 840.315989] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_team: link becomes ready [ 840.324722] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready [ 840.377197] IPv6: ADDRCONF(NETDEV_UP): veth0_to_hsr: link is not ready [ 840.384043] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_hsr: link becomes ready [ 840.392398] IPv6: ADDRCONF(NETDEV_CHANGE): 
hsr_slave_0: link becomes ready [ 840.444300] IPv6: ADDRCONF(NETDEV_UP): veth1_to_hsr: link is not ready [ 840.451702] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_hsr: link becomes ready [ 840.461898] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready [ 840.802196] IPv6: ADDRCONF(NETDEV_UP): vxcan1: link is not ready [ 840.958429] 8021q: adding VLAN 0 to HW filter on device batadv0 2018/12/28 03:54:37 executed programs: 7 2018/12/28 03:54:43 executed programs: 21 2018/12/28 03:54:48 executed programs: 32 2018/12/28 03:54:53 executed programs: 46 2018/12/28 03:54:59 executed programs: 59 2018/12/28 03:55:04 executed programs: 73 2018/12/28 03:55:09 executed programs: 86 2018/12/28 03:55:14 executed programs: 100 2018/12/28 03:55:19 executed programs: 114 2018/12/28 03:55:24 executed programs: 128 2018/12/28 03:55:29 executed programs: 140 2018/12/28 03:55:35 executed programs: 155 2018/12/28 03:55:40 executed programs: 169 2018/12/28 03:55:45 executed programs: 182 2018/12/28 03:55:50 executed programs: 194 2018/12/28 03:55:55 executed programs: 207 2018/12/28 03:56:00 executed programs: 221 2018/12/28 03:56:06 executed programs: 233 2018/12/28 03:56:11 executed programs: 246 2018/12/28 03:56:16 executed programs: 259 2018/12/28 03:56:21 executed programs: 272 [ 950.070152] ================================================================== [ 950.077756] BUG: KASAN: user-memory-access in n_tty_set_termios+0x106/0xe80 [ 950.084895] Write of size 512 at addr 0000000000001060 by task syz-executor0/15664 [ 950.092601] [ 950.094237] CPU: 0 PID: 15664 Comm: syz-executor0 Not tainted 4.20.0+ #171 [ 950.101250] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 950.110613] Call Trace: [ 950.113252] dump_stack+0x1d3/0x2c6 [ 950.116908] ? dump_stack_print_info.cold.1+0x20/0x20 [ 950.122163] ? vprintk_func+0x85/0x181 [ 950.126135] kasan_report.cold.9+0x6d/0x309 [ 950.130469] ? 
n_tty_set_termios+0x106/0xe80 [ 950.134908] check_memory_region+0x13e/0x1b0 [ 950.139342] memset+0x23/0x40 [ 950.142504] n_tty_set_termios+0x106/0xe80 [ 950.146752] ? n_tty_receive_signal_char+0x120/0x120 [ 950.151865] tty_set_termios+0x7a0/0xac0 [ 950.155941] ? tty_wait_until_sent+0x5d0/0x5d0 [ 950.160627] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 950.166185] set_termios+0x41e/0x7d0 [ 950.169916] ? tty_perform_flush+0x80/0x80 [ 950.174223] ? drop_futex_key_refs.isra.15+0x6d/0xe0 [ 950.179354] tty_mode_ioctl+0x857/0xb40 [ 950.183340] ? set_termios+0x7d0/0x7d0 [ 950.187277] ? ___might_sleep+0x1ed/0x300 [ 950.191443] ? arch_local_save_flags+0x40/0x40 [ 950.196071] n_tty_ioctl_helper+0x54/0x3b0 [ 950.200327] n_tty_ioctl+0x54/0x360 [ 950.204020] ? ldsem_down_read+0x32/0x40 [ 950.208110] ? ldsem_down_read+0x32/0x40 [ 950.212219] tty_ioctl+0x5c6/0x17d0 [ 950.215858] ? commit_echoes+0x1c0/0x1c0 [ 950.220025] ? tty_vhangup+0x30/0x30 [ 950.223781] ? find_held_lock+0x36/0x1c0 [ 950.227930] ? __fget+0x4aa/0x740 [ 950.231409] ? lock_downgrade+0x900/0x900 [ 950.235624] ? check_preemption_disabled+0x48/0x280 [ 950.240659] ? kasan_check_read+0x11/0x20 [ 950.244850] ? rcu_dynticks_curr_cpu_in_eqs+0xa2/0x170 [ 950.250142] ? rcu_read_unlock_special+0x370/0x370 [ 950.255094] ? __fget+0x4d1/0x740 [ 950.258565] ? ksys_dup3+0x680/0x680 [ 950.262334] ? __might_fault+0x12b/0x1e0 [ 950.266420] ? lock_downgrade+0x900/0x900 [ 950.270582] ? lock_release+0xa00/0xa00 [ 950.274564] ? arch_local_save_flags+0x40/0x40 [ 950.279156] ? tty_vhangup+0x30/0x30 [ 950.282878] do_vfs_ioctl+0x1de/0x1790 [ 950.286814] ? ioctl_preallocate+0x300/0x300 [ 950.291236] ? memset+0x31/0x40 [ 950.294532] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 950.300117] ? smack_file_ioctl+0x210/0x3c0 [ 950.304451] ? fget_raw+0x20/0x20 [ 950.307917] ? smack_file_lock+0x2e0/0x2e0 [ 950.312190] ? do_syscall_64+0x9a/0x820 [ 950.316178] ? do_syscall_64+0x9a/0x820 [ 950.320169] ? 
__sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 950.325748] ? security_file_ioctl+0x94/0xc0 [ 950.330171] ksys_ioctl+0xa9/0xd0 [ 950.333637] __x64_sys_ioctl+0x73/0xb0 [ 950.337537] do_syscall_64+0x1b9/0x820 [ 950.341435] ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe [ 950.346810] ? syscall_return_slowpath+0x5e0/0x5e0 [ 950.351753] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 950.356630] ? trace_hardirqs_on_caller+0x310/0x310 [ 950.361689] ? prepare_exit_to_usermode+0x291/0x3b0 [ 950.366734] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 950.371596] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 950.376791] RIP: 0033:0x4579b9 [ 950.380008] Code: fd b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00 [ 950.398928] RSP: 002b:00007ff646caac78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 [ 950.406684] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00000000004579b9 [ 950.413963] RDX: 0000000020000000 RSI: 0000000000005402 RDI: 0000000000000006 [ 950.421277] RBP: 000000000073bf00 R08: 0000000000000000 R09: 0000000000000000 [ 950.428568] R10: 0000000000000000 R11: 0000000000000246 R12: 00007ff646cab6d4 [ 950.435848] R13: 00000000004c1acd R14: 00000000004d3c78 R15: 00000000ffffffff [ 950.443144] ================================================================== [ 950.450496] Disabling lock debugging due to kernel taint [ 950.459507] kobject: 'rx-0' (00000000a758c830): kobject_cleanup, parent 000000009adb6880 [ 950.459512] Kernel panic - not syncing: panic_on_warn set ... [ 950.459528] CPU: 0 PID: 15664 Comm: syz-executor0 Tainted: G B 4.20.0+ #171 [ 950.482061] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 950.491409] Call Trace: [ 950.494015] dump_stack+0x1d3/0x2c6 [ 950.497407] kobject: 'rx-0' (00000000a758c830): auto cleanup 'remove' event [ 950.497650] ? 
dump_stack_print_info.cold.1+0x20/0x20 [ 950.509987] panic+0x2ad/0x55f [ 950.513195] ? add_taint.cold.5+0x16/0x16 [ 950.517347] kobject: 'rx-0' (00000000a758c830): kobject_uevent_env [ 950.517385] kobject: 'rx-0' (00000000a758c830): fill_kobj_path: path = '/devices/virtual/net/sl0/queues/rx-0' [ 950.523677] ? preempt_schedule+0x4d/0x60 [ 950.523692] ? ___preempt_schedule+0x16/0x18 [ 950.523707] ? trace_hardirqs_on+0xb4/0x310 [ 950.546602] kasan_end_report+0x47/0x4f [ 950.550592] kasan_report.cold.9+0x76/0x309 [ 950.554936] ? n_tty_set_termios+0x106/0xe80 [ 950.559362] check_memory_region+0x13e/0x1b0 [ 950.563780] memset+0x23/0x40 [ 950.566897] n_tty_set_termios+0x106/0xe80 [ 950.568166] kobject: 'rx-0' (00000000a758c830): auto cleanup kobject_del [ 950.571141] ? n_tty_receive_signal_char+0x120/0x120 [ 950.571156] tty_set_termios+0x7a0/0xac0 [ 950.571172] ? tty_wait_until_sent+0x5d0/0x5d0 [ 950.583786] kobject: 'rx-0' (00000000a758c830): calling ktype release [ 950.587169] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 950.587186] set_termios+0x41e/0x7d0 [ 950.603840] kobject: 'rx-0': free name [ 950.603868] ? tty_perform_flush+0x80/0x80 [ 950.607732] kobject: 'tx-0' (000000003869a385): kobject_cleanup, parent 000000009adb6880 [ 950.611446] ? drop_futex_key_refs.isra.15+0x6d/0xe0 [ 950.611463] tty_mode_ioctl+0x857/0xb40 [ 950.615726] kobject: 'tx-0' (000000003869a385): auto cleanup 'remove' event [ 950.623916] ? set_termios+0x7d0/0x7d0 [ 950.623935] ? ___might_sleep+0x1ed/0x300 [ 950.623949] ? arch_local_save_flags+0x40/0x40 [ 950.623967] n_tty_ioctl_helper+0x54/0x3b0 [ 950.629214] kobject: 'tx-0' (000000003869a385): kobject_uevent_env [ 950.633025] n_tty_ioctl+0x54/0x360 [ 950.633041] ? ldsem_down_read+0x32/0x40 [ 950.633056] ? ldsem_down_read+0x32/0x40 [ 950.640300] kobject: 'tx-0' (000000003869a385): fill_kobj_path: path = '/devices/virtual/net/sl0/queues/tx-0' [ 950.644038] tty_ioctl+0x5c6/0x17d0 [ 950.644052] ? commit_echoes+0x1c0/0x1c0 [ 950.644066] ? 
tty_vhangup+0x30/0x30 [ 950.649820] kobject: 'tx-0' (000000003869a385): auto cleanup kobject_del [ 950.652766] ? find_held_lock+0x36/0x1c0 [ 950.652788] ? __fget+0x4aa/0x740 [ 950.652803] ? lock_downgrade+0x900/0x900 [ 950.657092] kobject: 'tx-0' (000000003869a385): calling ktype release [ 950.663363] ? check_preemption_disabled+0x48/0x280 [ 950.663381] ? kasan_check_read+0x11/0x20 [ 950.663397] ? rcu_dynticks_curr_cpu_in_eqs+0xa2/0x170 [ 950.663413] ? rcu_read_unlock_special+0x370/0x370 [ 950.667169] kobject: 'tx-0': free name [ 950.671105] ? __fget+0x4d1/0x740 [ 950.671125] ? ksys_dup3+0x680/0x680 [ 950.671140] ? __might_fault+0x12b/0x1e0 [ 950.675303] kobject: 'queues' (000000009adb6880): kobject_cleanup, parent (null) [ 950.685236] ? lock_downgrade+0x900/0x900 [ 950.685251] ? lock_release+0xa00/0xa00 [ 950.685264] ? arch_local_save_flags+0x40/0x40 [ 950.685278] ? tty_vhangup+0x30/0x30 [ 950.689026] kobject: 'queues' (000000009adb6880): calling ktype release [ 950.692945] do_vfs_ioctl+0x1de/0x1790 [ 950.692978] ? ioctl_preallocate+0x300/0x300 [ 950.696698] kobject: 'queues' (000000009adb6880): kset_release [ 950.703503] ? memset+0x31/0x40 [ 950.703521] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 950.703536] ? smack_file_ioctl+0x210/0x3c0 [ 950.703549] ? fget_raw+0x20/0x20 [ 950.707766] kobject: 'queues': free name [ 950.711069] ? smack_file_lock+0x2e0/0x2e0 [ 950.711091] ? do_syscall_64+0x9a/0x820 [ 950.715640] kobject: 'sl0' (000000003033c649): kobject_uevent_env [ 950.721781] ? do_syscall_64+0x9a/0x820 [ 950.721800] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 950.721815] ? security_file_ioctl+0x94/0xc0 [ 950.721828] ksys_ioctl+0xa9/0xd0 [ 950.726994] kobject: 'sl0' (000000003033c649): fill_kobj_path: path = '/devices/virtual/net/sl0' [ 950.730994] __x64_sys_ioctl+0x73/0xb0 [ 950.731011] do_syscall_64+0x1b9/0x820 [ 950.731030] ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe [ 950.876423] ? syscall_return_slowpath+0x5e0/0x5e0 [ 950.881360] ? 
trace_hardirqs_off_thunk+0x1a/0x1c [ 950.886209] ? trace_hardirqs_on_caller+0x310/0x310 [ 950.891234] ? prepare_exit_to_usermode+0x291/0x3b0 [ 950.896348] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 950.901210] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 950.906400] RIP: 0033:0x4579b9 [ 950.909601] Code: fd b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00 [ 950.928504] RSP: 002b:00007ff646caac78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 [ 950.936218] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00000000004579b9 [ 950.943512] RDX: 0000000020000000 RSI: 0000000000005402 RDI: 0000000000000006 [ 950.950788] RBP: 000000000073bf00 R08: 0000000000000000 R09: 0000000000000000 [ 950.958065] R10: 0000000000000000 R11: 0000000000000246 R12: 00007ff646cab6d4 [ 950.965338] R13: 00000000004c1acd R14: 00000000004d3c78 R15: 00000000ffffffff [ 950.973670] Kernel Offset: disabled [ 950.977291] Rebooting in 86400 seconds..