[ ok ] Starting enhanced syslogd: rsyslogd.
[   33.372710] audit: type=1800 audit(1538842266.734:25): pid=5670 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="cron" dev="sda1" ino=2414 res=0
[   33.391825] audit: type=1800 audit(1538842266.734:26): pid=5670 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0
[   33.422869] audit: type=1800 audit(1538842266.734:27): pid=5670 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.10.34' (ECDSA) to the list of known hosts.
2018/10/06 16:11:48 parsed 1 programs
syzkaller login: [   76.143035] ld (5833) used greatest stack depth: 16656 bytes left
2018/10/06 16:11:49 executed programs: 0
[   76.270627] IPVS: ftp: loaded support on port[0] = 21
[   76.455993] bridge0: port 1(bridge_slave_0) entered blocking state
[   76.462431] bridge0: port 1(bridge_slave_0) entered disabled state
[   76.469670] device bridge_slave_0 entered promiscuous mode
[   76.484589] bridge0: port 2(bridge_slave_1) entered blocking state
[   76.490968] bridge0: port 2(bridge_slave_1) entered disabled state
[   76.498049] device bridge_slave_1 entered promiscuous mode
[   76.513063] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[   76.528020] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[   76.566525] bond0: Enslaving bond_slave_0 as an active interface with an up link
[   76.583799] bond0: Enslaving bond_slave_1 as an active interface with an up link
[   76.640108] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[   76.647315] team0: Port device team_slave_0 added
[   76.660649] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[   76.667766] team0: Port device team_slave_1 added
[   76.681385] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[   76.697550] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[   76.714202] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[   76.731030] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[   76.838711] bridge0: port 2(bridge_slave_1) entered blocking state
[   76.845074] bridge0: port 2(bridge_slave_1) entered forwarding state
[   76.851644] bridge0: port 1(bridge_slave_0) entered blocking state
[   76.858018] bridge0: port 1(bridge_slave_0) entered forwarding state
[   77.238198] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[   77.244323] 8021q: adding VLAN 0 to HW filter on device bond0
[   77.282587] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[   77.324073] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[   77.331057] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[   77.371906] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready
[   77.378219] 8021q: adding VLAN 0 to HW filter on device team0
[   77.413046] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
2018/10/06 16:11:54 executed programs: 30
2018/10/06 16:11:59 executed programs: 72
[   88.362598] ==================================================================
[   88.370009] BUG: KASAN: use-after-free in do_raw_spin_lock+0x1c0/0x200
[   88.376745] Read of size 4 at addr ffff8801b2eeba7c by task syz-executor0/6617
[   88.384079] 
[   88.385692] CPU: 1 PID: 6617 Comm: syz-executor0 Not tainted 4.19.0-rc6+ #270
[   88.392940] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   88.402273] Call Trace:
[   88.404864]  dump_stack+0x1c4/0x2b4
[   88.408476]  ? dump_stack_print_info.cold.2+0x52/0x52
[   88.413651]  ? printk+0xa7/0xcf
[   88.416925]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[   88.421667]  print_address_description.cold.8+0x9/0x1ff
[   88.427015]  kasan_report.cold.9+0x242/0x309
[   88.431492]  ? do_raw_spin_lock+0x1c0/0x200
[   88.435811]  ? vhost_vsock_dev_release+0x720/0x720
[   88.440728]  __asan_report_load4_noabort+0x14/0x20
[   88.445758]  do_raw_spin_lock+0x1c0/0x200
[   88.449892]  ? vhost_vsock_dev_release+0x720/0x720
[   88.454820]  _raw_spin_lock_bh+0x39/0x40
[   88.458863]  ? vhost_transport_cancel_pkt+0x15e/0x910
[   88.464037]  vhost_transport_cancel_pkt+0x15e/0x910
[   88.469035]  ? lock_acquire+0x1ed/0x520
[   88.472990]  ? vhost_vsock_dev_release+0x720/0x720
[   88.477902]  ? trace_hardirqs_on+0xbd/0x310
[   88.482204]  ? lock_release+0x970/0x970
[   88.486163]  ? lock_sock_nested+0xe2/0x120
[   88.490388]  ? __bpf_trace_preemptirq_template+0x30/0x30
[   88.495832]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   88.501368]  ? check_preemption_disabled+0x48/0x200
[   88.506373]  ? lock_sock_nested+0x9a/0x120
[   88.510588]  ? lock_sock_nested+0x9a/0x120
[   88.514805]  ? __local_bh_enable_ip+0x160/0x260
[   88.519457]  ? vhost_vsock_dev_release+0x720/0x720
[   88.524369]  vsock_stream_connect+0x903/0xe40
[   88.528865]  ? vsock_dgram_connect+0x500/0x500
[   88.533602]  ? finish_wait+0x430/0x430
[   88.537474]  ? aa_af_perm+0x5a0/0x5a0
[   88.541284]  ? apparmor_socket_connect+0xb6/0x160
[   88.546111]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   88.551629]  ? security_socket_connect+0x94/0xc0
[   88.556377]  __sys_connect+0x37d/0x4c0
[   88.560248]  ? __ia32_sys_accept+0xb0/0xb0
[   88.564472]  ? kasan_check_read+0x11/0x20
[   88.568606]  ? _copy_to_user+0xc8/0x110
[   88.572563]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   88.578083]  ? put_timespec64+0x10f/0x1b0
[   88.582218]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   88.587675]  ? __bpf_trace_preemptirq_template+0x30/0x30
[   88.593113]  __x64_sys_connect+0x73/0xb0
[   88.597158]  do_syscall_64+0x1b9/0x820
[   88.601027]  ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[   88.606375]  ? syscall_return_slowpath+0x5e0/0x5e0
[   88.611285]  ? trace_hardirqs_on_caller+0x310/0x310
[   88.616284]  ? prepare_exit_to_usermode+0x3b0/0x3b0
[   88.621297]  ? recalc_sigpending_tsk+0x180/0x180
[   88.626037]  ? kasan_check_write+0x14/0x20
[   88.630257]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   88.635132]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   88.640308] RIP: 0033:0x457579
[   88.643483] Code: 1d b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 eb b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[   88.662373] RSP: 002b:00007f02d4125c78 EFLAGS: 00000246 ORIG_RAX: 000000000000002a
[   88.670339] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000457579
[   88.677857] RDX: 0000000000000080 RSI: 0000000020000400 RDI: 0000000000000007
[   88.685124] RBP: 000000000072bfa0 R08: 0000000000000000 R09: 0000000000000000
[   88.692377] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f02d41266d4
[   88.699758] R13: 00000000004bda00 R14: 00000000004cc478 R15: 00000000ffffffff
[   88.707885] 
[   88.710020] Allocated by task 6616:
[   88.713632]  save_stack+0x43/0xd0
[   88.717063]  kasan_kmalloc+0xc7/0xe0
[   88.720759]  __kmalloc_node+0x47/0x70
[   88.724542]  kvmalloc_node+0xb9/0xf0
[   88.728248]  vhost_vsock_dev_open+0xa2/0x5a0
[   88.732637]  misc_open+0x3ca/0x560
[   88.736162]  chrdev_open+0x25a/0x710
[   88.739856]  do_dentry_open+0x499/0x1250
[   88.743899]  vfs_open+0xa0/0xd0
[   88.747157]  path_openat+0x12bf/0x5160
[   88.751024]  do_filp_open+0x255/0x380
[   88.754810]  do_sys_open+0x568/0x700
[   88.758502]  __x64_sys_openat+0x9d/0x100
[   88.762660]  do_syscall_64+0x1b9/0x820
[   88.766600]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   88.771818] 
[   88.774029] Freed by task 6614:
[   88.778742]  save_stack+0x43/0xd0
[   88.783733]  __kasan_slab_free+0x102/0x150
[   88.789727]  kasan_slab_free+0xe/0x10
[   88.795012]  kfree+0xcf/0x230
[   88.799348]  kvfree+0x61/0x70
[   88.803980]  vhost_vsock_dev_release+0x4f4/0x720
[   88.810725]  __fput+0x385/0xa30
[   88.815186]  ____fput+0x15/0x20
[   88.819919]  task_work_run+0x1e8/0x2a0
[   88.825281]  exit_to_usermode_loop+0x318/0x380
[   88.831193]  do_syscall_64+0x6be/0x820
[   88.835071]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   88.840237] 
[   88.841843] The buggy address belongs to the object at ffff8801b2ee2d80
[   88.841843]  which belongs to the cache kmalloc-65536 of size 65536
[   88.854832] The buggy address is located 36092 bytes inside of
[   88.854832]  65536-byte region [ffff8801b2ee2d80, ffff8801b2ef2d80)
[   88.867034] The buggy address belongs to the page:
[   88.871947] page:ffffea0006cbb800 count:1 mapcount:0 mapping:ffff8801da802500 index:0x0 compound_mapcount: 0
[   88.881951] flags: 0x2fffc0000008100(slab|head)
[   88.886609] raw: 02fffc0000008100 ffffea0006cbb008 ffffea0006cbc008 ffff8801da802500
[   88.894576] raw: 0000000000000000 ffff8801b2ee2d80 0000000100000001 0000000000000000
[   88.902702] page dumped because: kasan: bad access detected
[   88.908390] 
[   88.910013] Memory state around the buggy address:
[   88.914922]  ffff8801b2eeb900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   88.922262]  ffff8801b2eeb980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   88.930210] >ffff8801b2eeba00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   88.939132]                                                                 ^
[   88.946502]  ffff8801b2eeba80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   88.953843]  ffff8801b2eebb00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   88.961179] ==================================================================
[   88.968593] Kernel panic - not syncing: panic_on_warn set ...
[   88.968593] 
[   88.975971] CPU: 1 PID: 6617 Comm: syz-executor0 Tainted: G    B             4.19.0-rc6+ #270
[   88.984625] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   88.994222] Call Trace:
[   88.996798]  dump_stack+0x1c4/0x2b4
[   89.000471]  ? dump_stack_print_info.cold.2+0x52/0x52
[   89.005657]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   89.010398]  panic+0x238/0x4e7
[   89.013583]  ? add_taint.cold.5+0x16/0x16
[   89.018325]  ? trace_hardirqs_on+0x9a/0x310
[   89.024299]  ? trace_hardirqs_on+0xb4/0x310
[   89.029390]  ? trace_hardirqs_on+0xb4/0x310
[   89.033705]  kasan_end_report+0x47/0x4f
[   89.037663]  kasan_report.cold.9+0x76/0x309
[   89.041970]  ? do_raw_spin_lock+0x1c0/0x200
[   89.046276]  ? vhost_vsock_dev_release+0x720/0x720
[   89.051192]  __asan_report_load4_noabort+0x14/0x20
[   89.056106]  do_raw_spin_lock+0x1c0/0x200
[   89.060238]  ? vhost_vsock_dev_release+0x720/0x720
[   89.065152]  _raw_spin_lock_bh+0x39/0x40
[   89.069198]  ? vhost_transport_cancel_pkt+0x15e/0x910
[   89.074370]  vhost_transport_cancel_pkt+0x15e/0x910
[   89.079372]  ? lock_acquire+0x1ed/0x520
[   89.083332]  ? vhost_vsock_dev_release+0x720/0x720
[   89.088247]  ? trace_hardirqs_on+0xbd/0x310
[   89.092988]  ? lock_release+0x970/0x970
[   89.098337]  ? lock_sock_nested+0xe2/0x120
[   89.104265]  ? __bpf_trace_preemptirq_template+0x30/0x30
[   89.110225]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   89.117415]  ? check_preemption_disabled+0x48/0x200
[   89.123029]  ? lock_sock_nested+0x9a/0x120
[   89.127246]  ? lock_sock_nested+0x9a/0x120
[   89.131467]  ? __local_bh_enable_ip+0x160/0x260
[   89.136226]  ? vhost_vsock_dev_release+0x720/0x720
[   89.141239]  vsock_stream_connect+0x903/0xe40
[   89.146927]  ? vsock_dgram_connect+0x500/0x500
[   89.153273]  ? finish_wait+0x430/0x430
[   89.158927]  ? aa_af_perm+0x5a0/0x5a0
[   89.164057]  ? apparmor_socket_connect+0xb6/0x160
[   89.168891]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   89.174424]  ? security_socket_connect+0x94/0xc0
[   89.179171]  __sys_connect+0x37d/0x4c0
[   89.183051]  ? __ia32_sys_accept+0xb0/0xb0
[   89.187281]  ? kasan_check_read+0x11/0x20
[   89.191417]  ? _copy_to_user+0xc8/0x110
[   89.195503]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   89.201025]  ? put_timespec64+0x10f/0x1b0
[   89.205159]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   89.211252]  ? __bpf_trace_preemptirq_template+0x30/0x30
[   89.216700]  __x64_sys_connect+0x73/0xb0
[   89.220776]  do_syscall_64+0x1b9/0x820
[   89.224651]  ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[   89.229996]  ? syscall_return_slowpath+0x5e0/0x5e0
[   89.234905]  ? trace_hardirqs_on_caller+0x310/0x310
[   89.239902]  ? prepare_exit_to_usermode+0x3b0/0x3b0
[   89.244901]  ? recalc_sigpending_tsk+0x180/0x180
[   89.249643]  ? kasan_check_write+0x14/0x20
[   89.253867]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   89.258716]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   89.263919] RIP: 0033:0x457579
[   89.267099] Code: 1d b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 eb b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[   89.286103] RSP: 002b:00007f02d4125c78 EFLAGS: 00000246 ORIG_RAX: 000000000000002a
[   89.293894] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000457579
[   89.301177] RDX: 0000000000000080 RSI: 0000000020000400 RDI: 0000000000000007
[   89.308601] RBP: 000000000072bfa0 R08: 0000000000000000 R09: 0000000000000000
[   89.318964] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f02d41266d4
[   89.326243] R13: 00000000004bda00 R14: 00000000004cc478 R15: 00000000ffffffff
[   89.334543] Kernel Offset: disabled
[   89.338170] Rebooting in 86400 seconds..