[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[   29.733424] kauditd_printk_skb: 8 callbacks suppressed
[   29.733436] audit: type=1800 audit(1542137608.940:29): pid=5896 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="rc.local" dev="sda1" ino=2432 res=0
[   29.758905] audit: type=1800 audit(1542137608.940:30): pid=5896 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="rmnologin" dev="sda1" ino=2423 res=0

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   33.339289] sshd (6036) used greatest stack depth: 15632 bytes left
Warning: Permanently added '10.128.0.122' (ECDSA) to the list of known hosts.
2018/11/13 19:45:02 parsed 1 programs
[  725.029320] ld (6063) used greatest stack depth: 15328 bytes left
2018/11/13 19:45:04 executed programs: 0
[  725.196549] IPVS: ftp: loaded support on port[0] = 21
[  725.451398] bridge0: port 1(bridge_slave_0) entered blocking state
[  725.458360] bridge0: port 1(bridge_slave_0) entered disabled state
[  725.465678] device bridge_slave_0 entered promiscuous mode
[  725.485476] bridge0: port 2(bridge_slave_1) entered blocking state
[  725.492065] bridge0: port 2(bridge_slave_1) entered disabled state
[  725.500341] device bridge_slave_1 entered promiscuous mode
[  725.517539] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[  725.535258] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[  725.585034] bond0: Enslaving bond_slave_0 as an active interface with an up link
[  725.607031] bond0: Enslaving bond_slave_1 as an active interface with an up link
[  725.684782] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[  725.692283] team0: Port device team_slave_0 added
[  725.709107] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[  725.716193] team0: Port device team_slave_1 added
[  725.733893] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[  725.754030] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[  725.773654] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[  725.793661] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[  725.939743] bridge0: port 2(bridge_slave_1) entered blocking state
[  725.946187] bridge0: port 2(bridge_slave_1) entered forwarding state
[  725.953102] bridge0: port 1(bridge_slave_0) entered blocking state
[  725.959464] bridge0: port 1(bridge_slave_0) entered forwarding state
[  726.486266] 8021q: adding VLAN 0 to HW filter on device bond0
[  726.540135] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[  726.592417] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
[  726.598542] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[  726.606875] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[  726.652218] 8021q: adding VLAN 0 to HW filter on device team0
2018/11/13 19:45:09 executed programs: 4
2018/11/13 19:45:15 executed programs: 10
2018/11/13 19:45:20 executed programs: 16
2018/11/13 19:45:25 executed programs: 22
2018/11/13 19:45:31 executed programs: 28
2018/11/13 19:45:36 executed programs: 34
2018/11/13 19:45:42 executed programs: 40
2018/11/13 19:45:47 executed programs: 46
2018/11/13 19:45:53 executed programs: 52
2018/11/13 19:45:58 executed programs: 58
2018/11/13 19:46:04 executed programs: 64
2018/11/13 19:46:09 executed programs: 70
2018/11/13 19:46:14 executed programs: 76
[  797.350804] ==================================================================
[  797.358381] BUG: KASAN: use-after-free in __list_del_entry_valid+0xf1/0x100
[  797.365522] Read of size 8 at addr ffff8801b27c7c70 by task syz-executor0/6767
[  797.372875]
[  797.374626] CPU: 1 PID: 6767 Comm: syz-executor0 Not tainted 4.20.0-rc1-next-20181109+ #110
[  797.383101] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[  797.392457] Call Trace:
[  797.395093]  dump_stack+0x244/0x39d
[  797.398719]  ? dump_stack_print_info.cold.1+0x20/0x20
[  797.403927]  ? printk+0xa7/0xcf
[  797.407207]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[  797.411996]  print_address_description.cold.7+0x9/0x1ff
[  797.417355]  kasan_report.cold.8+0x242/0x309
[  797.421747]  ? __list_del_entry_valid+0xf1/0x100
[  797.426488]  __asan_report_load8_noabort+0x14/0x20
[  797.431411]  __list_del_entry_valid+0xf1/0x100
[  797.436013]  locks_delete_block+0xce/0x3d0
[  797.440255]  ? schedule+0xf9/0x370
[  797.443792]  ? locks_unlink_lock_ctx+0x740/0x740
[  797.448588]  ? replenish_dl_entity.cold.55+0x36/0x36
[  797.453716]  ? __might_sleep+0x95/0x190
[  797.457682]  locks_mandatory_area+0x48b/0x6a0
[  797.462170]  ? do_lock_file_wait.part.31+0x260/0x260
[  797.467265]  ? finish_wait+0x430/0x430
[  797.471191]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[  797.476741]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[  797.482318]  ? __sb_start_write+0x1b2/0x370
[  797.486637]  do_sys_ftruncate+0x4b2/0x550
[  797.490774]  __x64_sys_ftruncate+0x59/0x80
[  797.495136]  do_syscall_64+0x1b9/0x820
[  797.499056]  ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[  797.504413]  ? syscall_return_slowpath+0x5e0/0x5e0
[  797.509373]  ? trace_hardirqs_on_caller+0x310/0x310
[  797.514380]  ? prepare_exit_to_usermode+0x3b0/0x3b0
[  797.519421]  ? post_copy_siginfo_from_user.isra.25.part.26+0x250/0x250
[  797.526083]  ? __switch_to_asm+0x40/0x70
[  797.530128]  ? __switch_to_asm+0x34/0x70
[  797.534189]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[  797.539036]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[  797.544210] RIP: 0033:0x457569
[  797.547401] Code: fd b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[  797.566318] RSP: 002b:00007f4319e97c78 EFLAGS: 00000246 ORIG_RAX: 000000000000004d
[  797.574071] RAX: ffffffffffffffda RBX: 0000000000000002 RCX: 0000000000457569
[  797.581337] RDX: 0000000000000000 RSI: 0000000000000039 RDI: 0000000000000004
[  797.588591] RBP: 000000000072c040 R08: 0000000000000000 R09: 0000000000000000
[  797.595845] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f4319e986d4
[  797.603103] R13: 00000000004bde51 R14: 00000000004cd048 R15: 00000000ffffffff
[  797.610378]
[  797.611984] The buggy address belongs to the page:
[  797.616902] page:ffffea0006c9f1c0 count:0 mapcount:0 mapping:0000000000000000 index:0x0
[  797.625033] flags: 0x2fffc0000000000()
[  797.628907] raw: 02fffc0000000000 0000000000000000 ffffffff06c90101 0000000000000000
[  797.636774] raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
[  797.644686] page dumped because: kasan: bad access detected
[  797.650385]
[  797.652047] Memory state around the buggy address:
[  797.656970]  ffff8801b27c7b00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[  797.664316]  ffff8801b27c7b80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[  797.671660] >ffff8801b27c7c00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[  797.679000]                                                              ^
[  797.685994]  ffff8801b27c7c80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[  797.693337]  ffff8801b27c7d00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[  797.700677] ==================================================================
[  797.708024] Disabling lock debugging due to kernel taint
[  797.713595] Kernel panic - not syncing: panic_on_warn set ...
[  797.719771] CPU: 1 PID: 6767 Comm: syz-executor0 Tainted: G    B             4.20.0-rc1-next-20181109+ #110
[  797.729641] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[  797.738976] Call Trace:
[  797.741555]  dump_stack+0x244/0x39d
[  797.745177]  ? dump_stack_print_info.cold.1+0x20/0x20
[  797.750407]  panic+0x2ad/0x55c
[  797.753712]  ? add_taint.cold.5+0x16/0x16
[  797.757849]  ? trace_hardirqs_on+0xb4/0x310
[  797.762166]  kasan_end_report+0x47/0x4f
[  797.766178]  kasan_report.cold.8+0x76/0x309
[  797.770495]  ? __list_del_entry_valid+0xf1/0x100
[  797.775238]  __asan_report_load8_noabort+0x14/0x20
[  797.780155]  __list_del_entry_valid+0xf1/0x100
[  797.784723]  locks_delete_block+0xce/0x3d0
[  797.788942]  ? schedule+0xf9/0x370
[  797.792465]  ? locks_unlink_lock_ctx+0x740/0x740
[  797.797210]  ? replenish_dl_entity.cold.55+0x36/0x36
[  797.802299]  ? __might_sleep+0x95/0x190
[  797.806257]  locks_mandatory_area+0x48b/0x6a0
[  797.810738]  ? do_lock_file_wait.part.31+0x260/0x260
[  797.815827]  ? finish_wait+0x430/0x430
[  797.819699]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[  797.825241]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[  797.830766]  ? __sb_start_write+0x1b2/0x370
[  797.835075]  do_sys_ftruncate+0x4b2/0x550
[  797.839207]  __x64_sys_ftruncate+0x59/0x80
[  797.843587]  do_syscall_64+0x1b9/0x820
[  797.847480]  ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[  797.852909]  ? syscall_return_slowpath+0x5e0/0x5e0
[  797.857833]  ? trace_hardirqs_on_caller+0x310/0x310
[  797.862854]  ? prepare_exit_to_usermode+0x3b0/0x3b0
[  797.867877]  ? post_copy_siginfo_from_user.isra.25.part.26+0x250/0x250
[  797.874539]  ? __switch_to_asm+0x40/0x70
[  797.878588]  ? __switch_to_asm+0x34/0x70
[  797.882635]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[  797.887476]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[  797.892662] RIP: 0033:0x457569
[  797.895842] Code: fd b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[  797.914741] RSP: 002b:00007f4319e97c78 EFLAGS: 00000246 ORIG_RAX: 000000000000004d
[  797.922430] RAX: ffffffffffffffda RBX: 0000000000000002 RCX: 0000000000457569
[  797.929688] RDX: 0000000000000000 RSI: 0000000000000039 RDI: 0000000000000004
[  797.936943] RBP: 000000000072c040 R08: 0000000000000000 R09: 0000000000000000
[  797.944296] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f4319e986d4
[  797.951549] R13: 00000000004bde51 R14: 00000000004cd048 R15: 00000000ffffffff
[  797.959735] Kernel Offset: disabled
[  797.963358] Rebooting in 86400 seconds..
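The console log above is raw triage input. The script below is an added example written for this page, not syzkaller's own report parser (pkg/report) and not kernel code: it pulls out the fields a triager reads off such a report (bug class and faulting function; access kind, size, address and task; the reliable call-trace frames with KASAN's own reporting frames stripped; the syscall in flight from ORIG_RAX and its first three arguments; and the shadow byte under the caret). The shadow-byte meanings are taken from mm/kasan/kasan.h for generic KASAN in the v4.x kernels and are assumed to match the 4.20-rc1 build here; the syscall table covers only the x86_64 numbers needed; the sample input is a subset of lines copied from the report.

```python
"""Triage-field extractor for a KASAN report as printed on a syzkaller VM's serial
console.  Added example for this page, not syzkaller's pkg/report and not kernel code."""
import re

# Shadow-byte values from mm/kasan/kasan.h, generic KASAN, v4.x series
# (assumed unchanged in the 4.20-rc1 kernel of the report above).
SHADOW_MEANING = {
    0x00: "addressable", 0xf1: "stack left redzone", 0xf2: "stack mid redzone",
    0xf3: "stack right redzone", 0xf4: "stack partial redzone",
    0xf8: "use after scope", 0xfa: "global redzone", 0xfb: "freed slab object",
    0xfc: "kmalloc redzone", 0xfe: "page redzone", 0xff: "freed page",
}
# x86_64 syscall numbers (assumption: the "RIP: 0033:" dump is x86_64 user mode).
X86_64_SYSCALL = {0x48: "fcntl", 0x4c: "truncate", 0x4d: "ftruncate"}
# Frames that belong to KASAN's reporting machinery rather than to the bug.
KASAN_REPORT_FRAMES = ("dump_stack", "print_address_description", "kasan_report", "__asan_report")

TIMESTAMP = re.compile(r"^\[\s*\d+\.\d+\]\s?")
BUG = re.compile(r"BUG: KASAN: (?P<kind>[\w-]+) in (?P<func>[\w.]+)\+0x")
ACCESS = re.compile(r"(?P<op>Read|Write) of size (?P<size>\d+) at addr "
                    r"(?P<addr>[0-9a-f]+) by task (?P<comm>\S+)/(?P<pid>\d+)")
CPU = re.compile(r"CPU: \d+ PID: \d+ Comm: \S+ "
                 r"(?P<taint>Not tainted|Tainted: [A-Z ]+?)\s+(?P<version>\d\S*) #")
FRAME = re.compile(r"^(?P<unreliable>\? )?(?P<func>[\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+$")
REG = re.compile(r"(?P<name>ORIG_RAX|R[A-Z0-9]{2}): (?:[0-9a-f]{4}:)?(?P<val>[0-9a-f]{16})\b")
SHADOW_ROW = re.compile(r"^>(?P<row>[0-9a-f]{16}): (?P<bytes>[0-9a-f]{2}(?: [0-9a-f]{2}){15})$")


def parse_kasan_report(text):
    """Return the triage fields of the first KASAN report in a console log."""
    report = {"frames": [], "regs": {}}
    state = "pre"                        # pre -> trace -> post
    for raw in text.splitlines():
        ln = TIMESTAMP.sub("", raw).strip()
        if ln and set(ln) == {"="} and "kind" in report:
            break                        # the ===== rule after the BUG line closes the report
        if (m := BUG.search(ln)) and "kind" not in report:
            report.update(kind=m["kind"], func=m["func"])
        elif (m := ACCESS.search(ln)) and "addr" not in report:
            report.update(op=m["op"], size=int(m["size"]), addr=int(m["addr"], 16),
                          comm=m["comm"], pid=int(m["pid"]))
        elif (m := CPU.search(ln)) and "version" not in report:
            report.update(version=m["version"], tainted=m["taint"] != "Not tainted")
        elif ln == "Call Trace:" and state == "pre":
            state = "trace"
        elif ln.startswith("RIP:") and state == "trace":
            state = "post"               # the user-mode register dump ends the trace
        elif state == "trace" and (m := FRAME.match(ln)):
            if not m["unreliable"]:      # "? func" entries are stale stack slots
                report["frames"].append(m["func"])
        elif m := SHADOW_ROW.match(ln):
            report["shadow_row"] = (int(m["row"], 16), bytes.fromhex(m["bytes"].replace(" ", "")))
        for m in REG.finditer(ln):
            report["regs"][m["name"]] = int(m["val"], 16)
    return report


def culprit_frames(report):
    """Strip KASAN's own frames so the first entry is the faulting function."""
    frames = report["frames"]
    return next((frames[i:] for i, f in enumerate(frames)
                 if not f.startswith(KASAN_REPORT_FRAMES)), [])


def decode_syscall(report):
    """Name the syscall in flight and its first three arguments (x86_64 ABI)."""
    regs = report["regs"]
    return {"nr": regs["ORIG_RAX"], "name": X86_64_SYSCALL.get(regs["ORIG_RAX"], "unknown"),
            "args": (regs["RDI"], regs["RSI"], regs["RDX"])}


def decode_shadow(report):
    """Locate the faulting address in the '>' row: one shadow byte covers 8 bytes."""
    row_addr, shadow = report["shadow_row"]
    off = (report["addr"] - row_addr) >> 3
    if not 0 <= off < len(shadow):
        raise ValueError("faulting address is outside the marked row")
    return off, shadow[off], SHADOW_MEANING.get(shadow[off], "unknown")


# Lines copied verbatim from the report on this page (a subset).
SAMPLE = """\
[  797.358381] BUG: KASAN: use-after-free in __list_del_entry_valid+0xf1/0x100
[  797.365522] Read of size 8 at addr ffff8801b27c7c70 by task syz-executor0/6767
[  797.374626] CPU: 1 PID: 6767 Comm: syz-executor0 Not tainted 4.20.0-rc1-next-20181109+ #110
[  797.392457] Call Trace:
[  797.421747]  ? __list_del_entry_valid+0xf1/0x100
[  797.426488]  __asan_report_load8_noabort+0x14/0x20
[  797.431411]  __list_del_entry_valid+0xf1/0x100
[  797.436013]  locks_delete_block+0xce/0x3d0
[  797.457682]  locks_mandatory_area+0x48b/0x6a0
[  797.486637]  do_sys_ftruncate+0x4b2/0x550
[  797.544210] RIP: 0033:0x457569
[  797.566318] RSP: 002b:00007f4319e97c78 EFLAGS: 00000246 ORIG_RAX: 000000000000004d
[  797.581337] RDX: 0000000000000000 RSI: 0000000000000039 RDI: 0000000000000004
[  797.671660] >ffff8801b27c7c00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[  797.700677] ==================================================================
"""

if __name__ == "__main__":
    rep = parse_kasan_report(SAMPLE)
    print(rep["kind"], "in", rep["func"], "via", culprit_frames(rep))
    print("syscall:", decode_syscall(rep), "shadow:", decode_shadow(rep))
```

Run against the report above this gives ftruncate(4, 0x39, 0) faulting in __list_del_entry_valid, reached from locks_delete_block via locks_mandatory_area, with an 8-byte read at an address whose shadow byte is 0xff. In generic KASAN that value marks a page that has been returned to the page allocator, which agrees with the page dump ("count:0 mapcount:0"), so the freed memory is not a still-live slab page holding a freed object (that would read 0xfb) but a page that is gone entirely. The "? " frames are dropped because they are stale stack slots, not calls on the live path. The syscall mapping holds only for x86_64, and the shadow encoding only for generic KASAN; tag-based KASAN on arm64 uses a different scheme.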