[info] Using makefile-style concurrent boot in runlevel 2.
[ 25.831949] audit: type=1800 audit(1543145136.911:21): pid=5833 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="bootlogs" dev="sda1" ino=2419 res=0
[....] Starting enhanced syslogd: rsyslogd [ ok ].
[....] Starting periodic command scheduler: cron [ ok ].
[....] Starting OpenBSD Secure Shell server: sshd [ ok ].

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 30.547423] sshd (5972) used greatest stack depth: 15744 bytes left
Warning: Permanently added '10.128.0.4' (ECDSA) to the list of known hosts.
executing program
[ 37.011769] ==================================================================
[ 37.019258] BUG: KASAN: slab-out-of-bounds in queue_stack_map_push_elem+0x185/0x290
[ 37.027039] Write of size 262146 at addr ffff8881c2ff2e08 by task syz-executor600/5988
[ 37.035077]
[ 37.036696] CPU: 1 PID: 5988 Comm: syz-executor600 Not tainted 4.20.0-rc3+ #348
[ 37.044234] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 37.053571] Call Trace:
[ 37.056151]  dump_stack+0x244/0x39d
[ 37.059767]  ? dump_stack_print_info.cold.1+0x20/0x20
[ 37.064943]  ? printk+0xa7/0xcf
[ 37.068210]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[ 37.072957]  print_address_description.cold.7+0x9/0x1ff
[ 37.078346]  kasan_report.cold.8+0x242/0x309
[ 37.082846]  ? queue_stack_map_push_elem+0x185/0x290
[ 37.087945]  check_memory_region+0x13e/0x1b0
[ 37.092356]  memcpy+0x37/0x50
[ 37.095449]  queue_stack_map_push_elem+0x185/0x290
[ 37.100362]  ? queue_map_pop_elem+0x30/0x30
[ 37.104673]  map_update_elem+0x605/0xf60
[ 37.108725]  __x64_sys_bpf+0x32d/0x520
[ 37.112596]  ? bpf_prog_get+0x20/0x20
[ 37.116397]  do_syscall_64+0x1b9/0x820
[ 37.120280]  ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[ 37.125628]  ? syscall_return_slowpath+0x5e0/0x5e0
[ 37.130545]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 37.135380]  ? trace_hardirqs_on_caller+0x310/0x310
[ 37.140380]  ? prepare_exit_to_usermode+0x3b0/0x3b0
[ 37.145382]  ? prepare_exit_to_usermode+0x291/0x3b0
[ 37.150385]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 37.155217]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 37.160479] RIP: 0033:0x4441c9
[ 37.163662] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b d8 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 37.182564] RSP: 002b:00007fffbf9caf88 EFLAGS: 00000217 ORIG_RAX: 0000000000000141
[ 37.190263] RAX: ffffffffffffffda RBX: 00000000004002e0 RCX: 00000000004441c9
[ 37.197535] RDX: 0000000000000020 RSI: 0000000020000040 RDI: 0000000000000002
[ 37.204789] RBP: 00000000006ce018 R08: 00000000004002e0 R09: 00000000004002e0
[ 37.212058] R10: 00000000004002e0 R11: 0000000000000217 R12: 0000000000401ed0
[ 37.219314] R13: 0000000000401f60 R14: 0000000000000000 R15: 0000000000000000
[ 37.226599]
[ 37.228209] Allocated by task 5988:
[ 37.231825]  save_stack+0x43/0xd0
[ 37.235264]  kasan_kmalloc+0xc7/0xe0
[ 37.238964]  __kmalloc_node+0x50/0x70
[ 37.242753]  bpf_map_area_alloc+0x3f/0x90
[ 37.246901]  queue_stack_map_alloc+0x192/0x290
[ 37.251465]  map_create+0x3bd/0x1110
[ 37.255160]  __x64_sys_bpf+0x303/0x520
[ 37.259056]  do_syscall_64+0x1b9/0x820
[ 37.262937]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 37.268113]
[ 37.269721] Freed by task 3716:
[ 37.272988]  save_stack+0x43/0xd0
[ 37.276442]  __kasan_slab_free+0x102/0x150
[ 37.280665]  kasan_slab_free+0xe/0x10
[ 37.284454]  kfree+0xcf/0x230
[ 37.287546]  kernfs_fop_release+0x12b/0x1a0
[ 37.291849]  __fput+0x385/0xa30
[ 37.295114]  ____fput+0x15/0x20
[ 37.298392]  task_work_run+0x1e8/0x2a0
[ 37.302262]  exit_to_usermode_loop+0x318/0x380
[ 37.306825]  do_syscall_64+0x6be/0x820
[ 37.310694]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 37.315985]
[ 37.317599] The buggy address belongs to the object at ffff8881c2ff2cc0
[ 37.317599]  which belongs to the cache kmalloc-512 of size 512
[ 37.330260] The buggy address is located 328 bytes inside of
[ 37.330260]  512-byte region [ffff8881c2ff2cc0, ffff8881c2ff2ec0)
[ 37.342118] The buggy address belongs to the page:
[ 37.347035] page:ffffea00070bfc80 count:1 mapcount:0 mapping:ffff8881da800940 index:0x0
[ 37.355180] flags: 0x2fffc0000000200(slab)
[ 37.359404] raw: 02fffc0000000200 ffffea00070bfd88 ffffea00070bbc88 ffff8881da800940
[ 37.367268] raw: 0000000000000000 ffff8881c2ff2040 0000000100000006 0000000000000000
[ 37.375143] page dumped because: kasan: bad access detected
[ 37.380833]
[ 37.382439] Memory state around the buggy address:
[ 37.387349]  ffff8881c2ff2d00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 37.394693]  ffff8881c2ff2d80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 37.402037] >ffff8881c2ff2e00: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
[ 37.409372]                                            ^
[ 37.414804]  ffff8881c2ff2e80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 37.422164]  ffff8881c2ff2f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 37.429510] ==================================================================
[ 37.436851] Disabling lock debugging due to kernel taint
[ 37.442280] Kernel panic - not syncing: panic_on_warn set ...
[ 37.448162] CPU: 1 PID: 5988 Comm: syz-executor600 Tainted: G B 4.20.0-rc3+ #348
[ 37.456980] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 37.466314] Call Trace:
[ 37.468890]  dump_stack+0x244/0x39d
[ 37.472522]  ? dump_stack_print_info.cold.1+0x20/0x20
[ 37.477710]  panic+0x2ad/0x55c
[ 37.480891]  ? add_taint.cold.5+0x16/0x16
[ 37.485030]  ? add_taint.cold.5+0x5/0x16
[ 37.489075]  ? trace_hardirqs_off+0xaf/0x310
[ 37.493485]  kasan_end_report+0x47/0x4f
[ 37.497464]  kasan_report.cold.8+0x76/0x309
[ 37.501770]  ? queue_stack_map_push_elem+0x185/0x290
[ 37.506858]  check_memory_region+0x13e/0x1b0
[ 37.511251]  memcpy+0x37/0x50
[ 37.514344]  queue_stack_map_push_elem+0x185/0x290
[ 37.519257]  ? queue_map_pop_elem+0x30/0x30
[ 37.523560]  map_update_elem+0x605/0xf60
[ 37.527607]  __x64_sys_bpf+0x32d/0x520
[ 37.531473]  ? bpf_prog_get+0x20/0x20
[ 37.535273]  do_syscall_64+0x1b9/0x820
[ 37.539142]  ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[ 37.544496]  ? syscall_return_slowpath+0x5e0/0x5e0
[ 37.549406]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 37.554235]  ? trace_hardirqs_on_caller+0x310/0x310
[ 37.559232]  ? prepare_exit_to_usermode+0x3b0/0x3b0
[ 37.564233]  ? prepare_exit_to_usermode+0x291/0x3b0
[ 37.569233]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 37.574063]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 37.579231] RIP: 0033:0x4441c9
[ 37.582421] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b d8 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 37.601307] RSP: 002b:00007fffbf9caf88 EFLAGS: 00000217 ORIG_RAX: 0000000000000141
[ 37.609010] RAX: ffffffffffffffda RBX: 00000000004002e0 RCX: 00000000004441c9
[ 37.616261] RDX: 0000000000000020 RSI: 0000000020000040 RDI: 0000000000000002
[ 37.623514] RBP: 00000000006ce018 R08: 00000000004002e0 R09: 00000000004002e0
[ 37.630780] R10: 00000000004002e0 R11: 0000000000000217 R12: 0000000000401ed0
[ 37.638034] R13: 0000000000401f60 R14: 0000000000000000 R15: 0000000000000000
[ 37.646395] Kernel Offset: disabled
[ 37.650026] Rebooting in 86400 seconds..