[info] Using makefile-style concurrent boot in runlevel 2.
[ 24.818703] audit: type=1800 audit(1541320075.721:21): pid=5514 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="bootlogs" dev="sda1" ino=2419 res=0
[ 24.845876] audit: type=1800 audit(1541320075.721:22): pid=5514 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="motd" dev="sda1" ino=2447 res=0
[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.52' (ECDSA) to the list of known hosts.

syzkaller login: [ 68.118853] IPVS: ftp: loaded support on port[0] = 21
[ 68.275838] bridge0: port 1(bridge_slave_0) entered blocking state
[ 68.282599] bridge0: port 1(bridge_slave_0) entered disabled state
[ 68.289776] device bridge_slave_0 entered promiscuous mode
[ 68.307247] bridge0: port 2(bridge_slave_1) entered blocking state
[ 68.313829] bridge0: port 2(bridge_slave_1) entered disabled state
[ 68.321425] device bridge_slave_1 entered promiscuous mode
[ 68.338287] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[ 68.355880] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[ 68.403132] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 68.422485] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 68.496782] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 68.504262] team0: Port device team_slave_0 added
[ 68.521327] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 68.528549] team0: Port device team_slave_1 added
[ 68.544887] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 68.566342] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 68.585153] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 68.605017] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
RTNETLINK answers: Operation not supported
RTNETLINK answers: No buffer space available
RTNETLINK answers: Operation not supported
[ 68.744918] bridge0: port 2(bridge_slave_1) entered blocking state
[ 68.751378] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 68.758263] bridge0: port 1(bridge_slave_0) entered blocking state
[ 68.764869] bridge0: port 1(bridge_slave_0) entered forwarding state
RTNETLINK answers: Operation not supported
RTNETLINK answers: Operation not supported
RTNETLINK answers: Operation not supported
RTNETLINK answers: Invalid argument
RTNETLINK answers: Invalid argument
RTNETLINK answers: Invalid argument
[ 69.271094] 8021q: adding VLAN 0 to HW filter on device bond0
[ 69.319708] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 69.370410] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
[ 69.376523] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 69.384247] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 69.429605] 8021q: adding VLAN 0 to HW filter on device team0
executing program
executing program
[ 69.747622] ==================================================================
[ 69.755062] BUG: KASAN: use-after-free in crypto_gcm_init_common+0xe2/0x710
[ 69.762147] Read of size 12 at addr ffff8801cdfae940 by task kworker/1:1/22
[ 69.769227]
[ 69.770844] CPU: 1 PID: 22 Comm: kworker/1:1 Not tainted 4.19.0+ #281
[ 69.777446] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 69.786800] Workqueue: pencrypt padata_parallel_worker
[ 69.792056] Call Trace:
[ 69.794631] dump_stack+0x244/0x39d
[ 69.798245] ? dump_stack_print_info.cold.1+0x20/0x20
[ 69.803416] ? printk+0xa7/0xcf
[ 69.806676] ? kmsg_dump_rewind_nolock+0xe4/0xe4
[ 69.811424] print_address_description.cold.7+0x9/0x1ff
[ 69.816775] kasan_report.cold.8+0x242/0x309
[ 69.821167] ? crypto_gcm_init_common+0xe2/0x710
[ 69.825906] check_memory_region+0x13e/0x1b0
[ 69.830298] memcpy+0x23/0x50
[ 69.833394] crypto_gcm_init_common+0xe2/0x710
[ 69.837963] crypto_gcm_encrypt+0xe2/0x6b0
[ 69.842190] pcrypt_aead_enc+0xd6/0x340
[ 69.846151] padata_parallel_worker+0x49d/0x760
[ 69.850807] ? padata_alloc_pd+0xe90/0xe90
[ 69.855032] ? zap_class+0x640/0x640
[ 69.858739] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 69.864265] ? check_preemption_disabled+0x48/0x280
[ 69.869276] ? __lock_is_held+0xb5/0x140
[ 69.873353] process_one_work+0xc90/0x1c40
[ 69.877579] ? mark_held_locks+0x130/0x130
[ 69.881803] ? pwq_dec_nr_in_flight+0x4a0/0x4a0
[ 69.886456] ? __switch_to_asm+0x40/0x70
[ 69.890498] ? __switch_to_asm+0x34/0x70
[ 69.894538] ? __switch_to_asm+0x34/0x70
[ 69.898578] ? __switch_to_asm+0x40/0x70
[ 69.902621] ? __switch_to_asm+0x34/0x70
[ 69.906664] ? __switch_to_asm+0x40/0x70
[ 69.910777] ? __switch_to_asm+0x34/0x70
[ 69.914826] ? __switch_to_asm+0x40/0x70
[ 69.918874] ? __schedule+0x8d7/0x21d0
[ 69.922760] ? lock_downgrade+0x900/0x900
[ 69.926896] ? zap_class+0x640/0x640
[ 69.930593] ? find_held_lock+0x36/0x1c0
[ 69.934646] ? lock_acquire+0x1ed/0x520
[ 69.938602] ? worker_thread+0x3e0/0x1390
[ 69.942754] ? kasan_check_read+0x11/0x20
[ 69.946890] ? do_raw_spin_lock+0x14f/0x350
[ 69.951204] ? kasan_check_read+0x11/0x20
[ 69.955341] ? rwlock_bug.part.2+0x90/0x90
[ 69.959567] ? trace_hardirqs_on+0x310/0x310
[ 69.964255] worker_thread+0x17f/0x1390
[ 69.968218] ? __switch_to_asm+0x34/0x70
[ 69.972459] ? process_one_work+0x1c40/0x1c40
[ 69.976998] ? zap_class+0x640/0x640
[ 69.980703] ? find_held_lock+0x36/0x1c0
[ 69.984761] ? __kthread_parkme+0xce/0x1a0
[ 69.988988] ? _raw_spin_unlock_irqrestore+0x82/0xd0
[ 69.994077] ? _raw_spin_unlock_irqrestore+0x82/0xd0
[ 69.999162] ? lockdep_hardirqs_on+0x3bb/0x5b0
[ 70.003728] ? trace_hardirqs_on+0xbd/0x310
[ 70.008077] ? kasan_check_read+0x11/0x20
[ 70.012217] ? __kthread_parkme+0xce/0x1a0
[ 70.016437] ? trace_hardirqs_off_caller+0x310/0x310
[ 70.021641] ? trace_hardirqs_off_caller+0x310/0x310
[ 70.026742] ? _raw_spin_unlock_irqrestore+0x6d/0xd0
[ 70.031846] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 70.037381] ? __kthread_parkme+0xfb/0x1a0
[ 70.041599] ? process_one_work+0x1c40/0x1c40
[ 70.046121] kthread+0x35a/0x440
[ 70.049479] ? kthread_stop+0x900/0x900
[ 70.053440] ret_from_fork+0x3a/0x50
[ 70.057139]
[ 70.058745] Allocated by task 5923:
[ 70.062362] save_stack+0x43/0xd0
[ 70.065799] kasan_kmalloc+0xc7/0xe0
[ 70.069687] kmem_cache_alloc_trace+0x152/0x750
[ 70.074336] tls_set_sw_offload+0xcb3/0x1390
[ 70.078728] tls_setsockopt+0x689/0x770
[ 70.082688] sock_common_setsockopt+0x9a/0xe0
[ 70.087161] __sys_setsockopt+0x1ba/0x3c0
[ 70.091298] __x64_sys_setsockopt+0xbe/0x150
[ 70.095698] do_syscall_64+0x1b9/0x820
[ 70.099571] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 70.104736]
[ 70.106341] Freed by task 5923:
[ 70.109604] save_stack+0x43/0xd0
[ 70.113040] __kasan_slab_free+0x102/0x150
[ 70.117272] kasan_slab_free+0xe/0x10
[ 70.121066] kfree+0xcf/0x230
[ 70.124155] tls_sk_proto_close+0x5fa/0x750
[ 70.128459] inet_release+0x104/0x1f0
[ 70.132250] inet6_release+0x50/0x70
[ 70.135951] __sock_release+0xd7/0x250
[ 70.139824] sock_close+0x19/0x20
[ 70.143262] __fput+0x385/0xa30
[ 70.146522] ____fput+0x15/0x20
[ 70.149783] task_work_run+0x1e8/0x2a0
[ 70.153652] exit_to_usermode_loop+0x318/0x380
[ 70.158262] do_syscall_64+0x6be/0x820
[ 70.162144] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 70.167310]
[ 70.168918] The buggy address belongs to the object at ffff8801cdfae940
[ 70.168918]  which belongs to the cache kmalloc-32 of size 32
[ 70.181385] The buggy address is located 0 bytes inside of
[ 70.181385]  32-byte region [ffff8801cdfae940, ffff8801cdfae960)
[ 70.192986] The buggy address belongs to the page:
[ 70.197903] page:ffffea000737eb80 count:1 mapcount:0 mapping:ffff8801da8001c0 index:0xffff8801cdfaefc1
[ 70.207334] flags: 0x2fffc0000000200(slab)
[ 70.211555] raw: 02fffc0000000200 ffffea000737a9c8 ffffea000736b608 ffff8801da8001c0
[ 70.219415] raw: ffff8801cdfaefc1 ffff8801cdfae000 0000000100000024 0000000000000000
[ 70.227408] page dumped because: kasan: bad access detected
[ 70.233100]
[ 70.234707] Memory state around the buggy address:
[ 70.239617]  ffff8801cdfae800: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[ 70.246956]  ffff8801cdfae880: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[ 70.254301] >ffff8801cdfae900: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[ 70.261749]                    ^
[ 70.267183]  ffff8801cdfae980: 00 00 00 00 fc fc fc fc fb fb fb fb fc fc fc fc
[ 70.274904]  ffff8801cdfaea00: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[ 70.282501] ==================================================================
[ 70.289904] Disabling lock debugging due to kernel taint
[ 70.295406] Kernel panic - not syncing: panic_on_warn set ...
[ 70.301284] CPU: 1 PID: 22 Comm: kworker/1:1 Tainted: G B 4.19.0+ #281
[ 70.309231] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 70.318572] Workqueue: pencrypt padata_parallel_worker
[ 70.323831] Call Trace:
[ 70.326408] dump_stack+0x244/0x39d
[ 70.330068] ? dump_stack_print_info.cold.1+0x20/0x20
[ 70.335254] panic+0x2ad/0x55c
[ 70.338434] ? add_taint.cold.5+0x16/0x16
[ 70.342565] ? trace_hardirqs_on+0x9a/0x310
[ 70.346865] ? trace_hardirqs_on+0xb4/0x310
[ 70.351167] ? trace_hardirqs_on+0xb4/0x310
[ 70.355475] kasan_end_report+0x47/0x4f
[ 70.359428] kasan_report.cold.8+0x76/0x309
[ 70.363728] ? crypto_gcm_init_common+0xe2/0x710
[ 70.368513] check_memory_region+0x13e/0x1b0
[ 70.372914] memcpy+0x23/0x50
[ 70.376002] crypto_gcm_init_common+0xe2/0x710
[ 70.380566] crypto_gcm_encrypt+0xe2/0x6b0
[ 70.384787] pcrypt_aead_enc+0xd6/0x340
[ 70.388745] padata_parallel_worker+0x49d/0x760
[ 70.393408] ? padata_alloc_pd+0xe90/0xe90
[ 70.397629] ? zap_class+0x640/0x640
[ 70.401327] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 70.406845] ? check_preemption_disabled+0x48/0x280
[ 70.411846] ? __lock_is_held+0xb5/0x140
[ 70.415894] process_one_work+0xc90/0x1c40
[ 70.420111] ? mark_held_locks+0x130/0x130
[ 70.424329] ? pwq_dec_nr_in_flight+0x4a0/0x4a0
[ 70.428986] ? __switch_to_asm+0x40/0x70
[ 70.433078] ? __switch_to_asm+0x34/0x70
[ 70.437135] ? __switch_to_asm+0x34/0x70
[ 70.441183] ? __switch_to_asm+0x40/0x70
[ 70.445224] ? __switch_to_asm+0x34/0x70
[ 70.449262] ? __switch_to_asm+0x40/0x70
[ 70.453307] ? __switch_to_asm+0x34/0x70
[ 70.457353] ? __switch_to_asm+0x40/0x70
[ 70.461397] ? __schedule+0x8d7/0x21d0
[ 70.465271] ? lock_downgrade+0x900/0x900
[ 70.469400] ? zap_class+0x640/0x640
[ 70.473213] ? find_held_lock+0x36/0x1c0
[ 70.477269] ? lock_acquire+0x1ed/0x520
[ 70.481227] ? worker_thread+0x3e0/0x1390
[ 70.485362] ? kasan_check_read+0x11/0x20
[ 70.489491] ? do_raw_spin_lock+0x14f/0x350
[ 70.493789] ? kasan_check_read+0x11/0x20
[ 70.497917] ? rwlock_bug.part.2+0x90/0x90
[ 70.502138] ? trace_hardirqs_on+0x310/0x310
[ 70.506587] worker_thread+0x17f/0x1390
[ 70.510551] ? __switch_to_asm+0x34/0x70
[ 70.514597] ? process_one_work+0x1c40/0x1c40
[ 70.519077] ? zap_class+0x640/0x640
[ 70.522771] ? find_held_lock+0x36/0x1c0
[ 70.526828] ? __kthread_parkme+0xce/0x1a0
[ 70.531052] ? _raw_spin_unlock_irqrestore+0x82/0xd0
[ 70.536143] ? _raw_spin_unlock_irqrestore+0x82/0xd0
[ 70.541233] ? lockdep_hardirqs_on+0x3bb/0x5b0
[ 70.545798] ? trace_hardirqs_on+0xbd/0x310
[ 70.550102] ? kasan_check_read+0x11/0x20
[ 70.554232] ? __kthread_parkme+0xce/0x1a0
[ 70.558448] ? trace_hardirqs_off_caller+0x310/0x310
[ 70.563601] ? trace_hardirqs_off_caller+0x310/0x310
[ 70.568699] ? _raw_spin_unlock_irqrestore+0x6d/0xd0
[ 70.573790] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 70.579311] ? __kthread_parkme+0xfb/0x1a0
[ 70.583527] ? process_one_work+0x1c40/0x1c40
[ 70.588001] kthread+0x35a/0x440
[ 70.591355] ? kthread_stop+0x900/0x900
[ 70.595311] ret_from_fork+0x3a/0x50
[ 70.599886] Kernel Offset: disabled
[ 70.603509] Rebooting in 86400 seconds..