[....] Starting enhanced syslogd: rsyslogd[?25l[?1c7[ ok 8[?25h[?0c. [ 60.961034][ T24] audit: type=1800 audit(1559685974.912:25): pid=8713 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="cron" dev="sda1" ino=2414 res=0 [ 60.999232][ T24] audit: type=1800 audit(1559685974.912:26): pid=8713 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0 [ 61.023719][ T24] audit: type=1800 audit(1559685974.912:27): pid=8713 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0 [....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[ ok 8[?25h[?0c. Debian GNU/Linux 7 syzkaller ttyS0 Warning: Permanently added '10.128.0.228' (ECDSA) to the list of known hosts. executing program syzkaller login: [ 72.118423][ T8868] IPVS: ftp: loaded support on port[0] = 21 executing program executing program executing program executing program [ 72.611423][ T8892] ================================================================== [ 72.634797][ T8892] BUG: KASAN: slab-out-of-bounds in css_task_iter_advance+0x49b/0x540 [ 72.642952][ T8892] Read of size 4 at addr ffff8880a2013d64 by task syz-executor561/8892 [ 72.651317][ T8892] [ 72.653645][ T8892] CPU: 0 PID: 8892 Comm: syz-executor561 Not tainted 5.2.0-rc3-next-20190604 #8 [ 72.662655][ T8892] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 72.672886][ T8892] Call Trace: [ 72.676169][ T8892] dump_stack+0x172/0x1f0 [ 72.680490][ T8892] ? css_task_iter_advance+0x49b/0x540 [ 72.685938][ T8892] print_address_description.cold+0xd4/0x306 [ 72.691914][ T8892] ? css_task_iter_advance+0x49b/0x540 [ 72.697453][ T8892] ? css_task_iter_advance+0x49b/0x540 [ 72.702919][ T8892] __kasan_report.cold+0x1b/0x36 [ 72.707856][ T8892] ? write_comp_data+0x50/0x70 [ 72.712614][ T8892] ? css_task_iter_advance+0x49b/0x540 [ 72.718212][ T8892] kasan_report+0x12/0x20 [ 72.722578][ T8892] __asan_report_load4_noabort+0x14/0x20 [ 72.728312][ T8892] css_task_iter_advance+0x49b/0x540 [ 72.733611][ T8892] css_task_iter_next+0x101/0x190 [ 72.738977][ T8892] pidlist_array_load+0x1bf/0xa80 [ 72.744006][ T8892] ? cgroup1_tasks_write+0x30/0x30 [ 72.749146][ T8892] ? kernfs_seq_start+0x50/0x190 [ 72.754135][ T8892] cgroup_pidlist_start+0x37e/0x4c0 [ 72.759345][ T8892] cgroup_seqfile_start+0xa4/0xd0 [ 72.764390][ T8892] ? cgroup_file_release+0xb0/0xb0 [ 72.769507][ T8892] kernfs_seq_start+0xdc/0x190 [ 72.774444][ T8892] ? kvmalloc_node+0x70/0x100 [ 72.779141][ T8892] seq_read+0x2a7/0x1110 [ 72.783392][ T8892] kernfs_fop_read+0xed/0x560 [ 72.788115][ T8892] ? rw_verify_area+0x126/0x360 [ 72.792986][ T8892] do_iter_read+0x4a4/0x660 [ 72.799152][ T8892] ? dup_iter+0x260/0x260 [ 72.803662][ T8892] vfs_readv+0xf0/0x160 [ 72.807814][ T8892] ? lock_downgrade+0x880/0x880 [ 72.812671][ T8892] ? compat_rw_copy_check_uvector+0x4c0/0x4c0 [ 72.818751][ T8892] ? kasan_check_read+0x11/0x20 [ 72.823729][ T8892] ? ksys_dup3+0x3e0/0x3e0 [ 72.828137][ T8892] ? rcu_read_lock_sched_held+0x110/0x130 [ 72.833878][ T8892] ? kmem_cache_free+0x26b/0x320 [ 72.838993][ T8892] ? __fget_light+0x1a9/0x230 [ 72.843695][ T8892] do_preadv+0x1c4/0x280 [ 72.848124][ T8892] ? do_readv+0x330/0x330 [ 72.852438][ T8892] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 72.857880][ T8892] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 72.863354][ T8892] ? do_syscall_64+0x26/0x680 [ 72.868259][ T8892] ? entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 72.874406][ T8892] ? do_syscall_64+0x26/0x680 [ 72.879071][ T8892] __x64_sys_preadv+0x9a/0xf0 [ 72.883904][ T8892] do_syscall_64+0xfd/0x680 [ 72.888483][ T8892] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 72.894363][ T8892] RIP: 0033:0x4471c9 [ 72.898255][ T8892] Code: e8 4c bb 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 5b 07 fc ff c3 66 2e 0f 1f 84 00 00 00 00 [ 72.918472][ T8892] RSP: 002b:00007f7fb370bdb8 EFLAGS: 00000246 ORIG_RAX: 0000000000000127 [ 72.926890][ T8892] RAX: ffffffffffffffda RBX: 00000000006dcc58 RCX: 00000000004471c9 [ 72.934937][ T8892] RDX: 0000000000000001 RSI: 0000000020000100 RDI: 0000000000000004 [ 72.942903][ T8892] RBP: 00000000006dcc50 R08: 0000000000000000 R09: 0000000000000000 [ 72.950995][ T8892] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dcc5c [ 72.958967][ T8892] R13: 00007fffdb647a6f R14: 00007f7fb370c9c0 R15: 0000000000000001 [ 72.966976][ T8892] [ 72.969450][ T8892] Allocated by task 8773: [ 72.973780][ T8892] save_stack+0x23/0x90 [ 72.977925][ T8892] __kasan_kmalloc.constprop.0+0xcf/0xe0 [ 72.983565][ T8892] kasan_kmalloc+0x9/0x10 [ 72.988096][ T8892] __kmalloc+0x15c/0x740 [ 72.992361][ T8892] tomoyo_realpath_from_path+0xcd/0x7a0 [ 72.997913][ T8892] tomoyo_path_number_perm+0x1dd/0x520 [ 73.003536][ T8892] tomoyo_file_ioctl+0x23/0x30 [ 73.008289][ T8892] security_file_ioctl+0x77/0xc0 [ 73.013211][ T8892] ksys_ioctl+0x57/0xd0 [ 73.017350][ T8892] __x64_sys_ioctl+0x73/0xb0 [ 73.021950][ T8892] do_syscall_64+0xfd/0x680 [ 73.026446][ T8892] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 73.032318][ T8892] [ 73.034652][ T8892] Freed by task 8773: [ 73.038631][ T8892] save_stack+0x23/0x90 [ 73.042771][ T8892] __kasan_slab_free+0x102/0x150 [ 73.047692][ T8892] kasan_slab_free+0xe/0x10 [ 73.052178][ T8892] kfree+0x106/0x2a0 [ 73.056059][ T8892] tomoyo_realpath_from_path+0x1de/0x7a0 [ 73.061683][ T8892] tomoyo_path_number_perm+0x1dd/0x520 [ 73.067136][ T8892] tomoyo_file_ioctl+0x23/0x30 [ 73.071889][ T8892] security_file_ioctl+0x77/0xc0 [ 73.076832][ T8892] ksys_ioctl+0x57/0xd0 [ 73.080979][ T8892] __x64_sys_ioctl+0x73/0xb0 [ 73.085657][ T8892] do_syscall_64+0xfd/0x680 [ 73.090197][ T8892] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 73.096076][ T8892] [ 73.098413][ T8892] The buggy address belongs to the object at ffff8880a20127c0 [ 73.098413][ T8892] which belongs to the cache kmalloc-4k of size 4096 [ 73.112493][ T8892] The buggy address is located 1444 bytes to the right of [ 73.112493][ T8892] 4096-byte region [ffff8880a20127c0, ffff8880a20137c0) [ 73.126444][ T8892] The buggy address belongs to the page: [ 73.132195][ T8892] page:ffffea0002880480 refcount:1 mapcount:0 mapping:ffff8880aa400dc0 index:0x0 compound_mapcount: 0 [ 73.143208][ T8892] flags: 0x1fffc0000010200(slab|head) [ 73.148708][ T8892] raw: 01fffc0000010200 ffffea0002311108 ffffea0002885488 ffff8880aa400dc0 [ 73.158035][ T8892] raw: 0000000000000000 ffff8880a20127c0 0000000100000001 0000000000000000 [ 73.166829][ T8892] page dumped because: kasan: bad access detected [ 73.173225][ T8892] [ 73.175582][ T8892] Memory state around the buggy address: [ 73.181223][ T8892] ffff8880a2013c00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 73.189287][ T8892] ffff8880a2013c80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 73.197339][ T8892] >ffff8880a2013d00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 73.205398][ T8892] ^ [ 73.212590][ T8892] ffff8880a2013d80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 73.220673][ T8892] ffff8880a2013e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 73.228722][ T8892] ================================================================== [ 73.236790][ T8892] Disabling lock debugging due to kernel taint [ 73.242928][ T8892] Kernel panic - not syncing: panic_on_warn set ... [ 73.249502][ T8892] CPU: 0 PID: 8892 Comm: syz-executor561 Tainted: G B 5.2.0-rc3-next-20190604 #8 [ 73.259890][ T8892] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 73.269932][ T8892] Call Trace: [ 73.273220][ T8892] dump_stack+0x172/0x1f0 [ 73.277537][ T8892] panic+0x2cb/0x744 [ 73.281494][ T8892] ? __warn_printk+0xf3/0xf3 [ 73.286066][ T8892] ? lock_downgrade+0x880/0x880 [ 73.291014][ T8892] ? css_task_iter_advance+0x49b/0x540 [ 73.296463][ T8892] ? trace_hardirqs_off+0x62/0x220 [ 73.301556][ T8892] ? trace_hardirqs_off+0x59/0x220 [ 73.306649][ T8892] ? css_task_iter_advance+0x49b/0x540 [ 73.312095][ T8892] end_report+0x47/0x4f [ 73.316237][ T8892] ? css_task_iter_advance+0x49b/0x540 [ 73.321681][ T8892] __kasan_report.cold+0xe/0x36 [ 73.326553][ T8892] ? write_comp_data+0x50/0x70 [ 73.331303][ T8892] ? css_task_iter_advance+0x49b/0x540 [ 73.336775][ T8892] kasan_report+0x12/0x20 [ 73.341101][ T8892] __asan_report_load4_noabort+0x14/0x20 [ 73.346719][ T8892] css_task_iter_advance+0x49b/0x540 [ 73.351991][ T8892] css_task_iter_next+0x101/0x190 [ 73.357004][ T8892] pidlist_array_load+0x1bf/0xa80 [ 73.362042][ T8892] ? cgroup1_tasks_write+0x30/0x30 [ 73.367317][ T8892] ? kernfs_seq_start+0x50/0x190 [ 73.372274][ T8892] cgroup_pidlist_start+0x37e/0x4c0 [ 73.377464][ T8892] cgroup_seqfile_start+0xa4/0xd0 [ 73.382473][ T8892] ? cgroup_file_release+0xb0/0xb0 [ 73.387570][ T8892] kernfs_seq_start+0xdc/0x190 [ 73.392327][ T8892] ? kvmalloc_node+0x70/0x100 [ 73.397136][ T8892] seq_read+0x2a7/0x1110 [ 73.401367][ T8892] kernfs_fop_read+0xed/0x560 [ 73.406137][ T8892] ? rw_verify_area+0x126/0x360 [ 73.410973][ T8892] do_iter_read+0x4a4/0x660 [ 73.415552][ T8892] ? dup_iter+0x260/0x260 [ 73.419891][ T8892] vfs_readv+0xf0/0x160 [ 73.424056][ T8892] ? lock_downgrade+0x880/0x880 [ 73.429034][ T8892] ? compat_rw_copy_check_uvector+0x4c0/0x4c0 [ 73.435125][ T8892] ? kasan_check_read+0x11/0x20 [ 73.439982][ T8892] ? ksys_dup3+0x3e0/0x3e0 [ 73.444548][ T8892] ? rcu_read_lock_sched_held+0x110/0x130 [ 73.450254][ T8892] ? kmem_cache_free+0x26b/0x320 [ 73.455174][ T8892] ? __fget_light+0x1a9/0x230 [ 73.459863][ T8892] do_preadv+0x1c4/0x280 [ 73.464107][ T8892] ? do_readv+0x330/0x330 [ 73.468421][ T8892] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 73.473892][ T8892] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 73.479358][ T8892] ? do_syscall_64+0x26/0x680 [ 73.484019][ T8892] ? entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 73.490068][ T8892] ? do_syscall_64+0x26/0x680 [ 73.494739][ T8892] __x64_sys_preadv+0x9a/0xf0 [ 73.499433][ T8892] do_syscall_64+0xfd/0x680 [ 73.503929][ T8892] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 73.509819][ T8892] RIP: 0033:0x4471c9 [ 73.513699][ T8892] Code: e8 4c bb 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 5b 07 fc ff c3 66 2e 0f 1f 84 00 00 00 00 [ 73.533406][ T8892] RSP: 002b:00007f7fb370bdb8 EFLAGS: 00000246 ORIG_RAX: 0000000000000127 [ 73.541808][ T8892] RAX: ffffffffffffffda RBX: 00000000006dcc58 RCX: 00000000004471c9 [ 73.549935][ T8892] RDX: 0000000000000001 RSI: 0000000020000100 RDI: 0000000000000004 [ 73.557891][ T8892] RBP: 00000000006dcc50 R08: 0000000000000000 R09: 0000000000000000 [ 73.565852][ T8892] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dcc5c [ 73.573992][ T8892] R13: 00007fffdb647a6f R14: 00007f7fb370c9c0 R15: 0000000000000001 [ 73.584170][ T8892] Kernel Offset: disabled [ 73.588542][ T8892] Rebooting in 86400 seconds..