[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ 29.687595] kauditd_printk_skb: 7 callbacks suppressed
[ 29.687607] audit: type=1800 audit(1542494039.285:29): pid=5904 uid=0 auid=4294967295 ses=4294967295 subj=_ op=collect_data cause=failed(directio) comm="startpar" name="rc.local" dev="sda1" ino=2432 res=0
[ 29.713357] audit: type=1800 audit(1542494039.285:30): pid=5904 uid=0 auid=4294967295 ses=4294967295 subj=_ op=collect_data cause=failed(directio) comm="startpar" name="rmnologin" dev="sda1" ino=2423 res=0

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.10.61' (ECDSA) to the list of known hosts.
2018/11/17 22:35:15 parsed 1 programs
2018/11/17 22:35:16 executed programs: 0
syzkaller login: [ 106.682129] IPVS: ftp: loaded support on port[0] = 21
[ 106.931054] bridge0: port 1(bridge_slave_0) entered blocking state
[ 106.937886] bridge0: port 1(bridge_slave_0) entered disabled state
[ 106.945398] device bridge_slave_0 entered promiscuous mode
[ 106.963627] bridge0: port 2(bridge_slave_1) entered blocking state
[ 106.970340] bridge0: port 2(bridge_slave_1) entered disabled state
[ 106.977691] device bridge_slave_1 entered promiscuous mode
[ 106.995116] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[ 107.014076] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[ 107.062367] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 107.083161] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 107.157641] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 107.165246] team0: Port device team_slave_0 added
[ 107.184267] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 107.191503] team0: Port device team_slave_1 added
[ 107.208746] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 107.228787] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 107.248823] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 107.269974] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[ 107.418978] bridge0: port 2(bridge_slave_1) entered blocking state
[ 107.425577] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 107.432367] bridge0: port 1(bridge_slave_0) entered blocking state
[ 107.438725] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 107.969305] 8021q: adding VLAN 0 to HW filter on device bond0
[ 108.021763] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 108.075934] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
[ 108.082564] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 108.092327] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 108.135534] 8021q: adding VLAN 0 to HW filter on device team0
2018/11/17 22:35:21 executed programs: 102
2018/11/17 22:35:26 executed programs: 254
2018/11/17 22:35:31 executed programs: 406
2018/11/17 22:35:36 executed programs: 560
2018/11/17 22:35:41 executed programs: 715
2018/11/17 22:35:46 executed programs: 866
[ 139.257126] ==================================================================
[ 139.264692] BUG: KASAN: user-memory-access in n_tty_set_termios+0x106/0xe80
[ 139.271791] Write of size 512 at addr 0000000000001060 by task syz-executor0/11989
[ 139.279499]
[ 139.281143] CPU: 0 PID: 11989 Comm: syz-executor0 Not tainted 4.20.0-rc2+ #117
[ 139.288494] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 139.297856] Call Trace:
[ 139.300448]  dump_stack+0x244/0x39d
[ 139.304092]  ? dump_stack_print_info.cold.1+0x20/0x20
[ 139.309268]  ? vprintk_func+0x85/0x181
[ 139.313142]  kasan_report.cold.8+0x6d/0x309
[ 139.317449]  ? n_tty_set_termios+0x106/0xe80
[ 139.321847]  check_memory_region+0x13e/0x1b0
[ 139.326254]  memset+0x23/0x40
[ 139.329347]  n_tty_set_termios+0x106/0xe80
[ 139.333568]  ? n_tty_receive_signal_char+0x120/0x120
[ 139.338654]  tty_set_termios+0x7a0/0xac0
[ 139.342702]  ? tty_wait_until_sent+0x5d0/0x5d0
[ 139.347287]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 139.352826]  set_termios+0x41e/0x7d0
[ 139.356593]  ? tty_perform_flush+0x80/0x80
[ 139.360822]  ? drop_futex_key_refs.isra.14+0x6d/0xe0
[ 139.365907]  tty_mode_ioctl+0x857/0xb40
[ 139.369867]  ? set_termios+0x7d0/0x7d0
[ 139.373743]  ? perf_trace_sched_process_exec+0x860/0x860
[ 139.379179]  n_tty_ioctl_helper+0x54/0x3b0
[ 139.383397]  n_tty_ioctl+0x54/0x360
[ 139.387040]  ? ldsem_down_read+0x32/0x40
[ 139.391084]  ? ldsem_down_read+0x32/0x40
[ 139.395131]  tty_ioctl+0x5c6/0x17d0
[ 139.398743]  ? commit_echoes+0x1c0/0x1c0
[ 139.402816]  ? tty_vhangup+0x30/0x30
[ 139.406526]  ? find_held_lock+0x36/0x1c0
[ 139.410577]  ? __fget+0x4aa/0x740
[ 139.414038]  ? lock_downgrade+0x900/0x900
[ 139.418172]  ? check_preemption_disabled+0x48/0x280
[ 139.423170]  ? rcu_read_unlock_special+0x1c0/0x1c0
[ 139.428082]  ? kasan_check_read+0x11/0x20
[ 139.432214]  ? rcu_dynticks_curr_cpu_in_eqs+0xa2/0x170
[ 139.437488]  ? rcu_softirq_qs+0x20/0x20
[ 139.441450]  ? __fget+0x4d1/0x740
[ 139.444886]  ? ksys_dup3+0x680/0x680
[ 139.448586]  ? __might_fault+0x12b/0x1e0
[ 139.452644]  ? lock_downgrade+0x900/0x900
[ 139.456791]  ? lock_release+0xa00/0xa00
[ 139.460766]  ? perf_trace_sched_process_exec+0x860/0x860
[ 139.466198]  ? tty_vhangup+0x30/0x30
[ 139.469898]  do_vfs_ioctl+0x1de/0x1790
[ 139.473772]  ? ioctl_preallocate+0x300/0x300
[ 139.478165]  ? memset+0x31/0x40
[ 139.481428]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 139.486966]  ? smack_file_ioctl+0x210/0x3c0
[ 139.491268]  ? fget_raw+0x20/0x20
[ 139.494714]  ? smack_file_lock+0x2e0/0x2e0
[ 139.498936]  ? do_syscall_64+0x9a/0x820
[ 139.502942]  ? do_syscall_64+0x9a/0x820
[ 139.506903]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 139.512420]  ? security_file_ioctl+0x94/0xc0
[ 139.516811]  ksys_ioctl+0xa9/0xd0
[ 139.520251]  __x64_sys_ioctl+0x73/0xb0
[ 139.524140]  do_syscall_64+0x1b9/0x820
[ 139.528009]  ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[ 139.533368]  ? syscall_return_slowpath+0x5e0/0x5e0
[ 139.538294]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 139.543120]  ? trace_hardirqs_on_caller+0x310/0x310
[ 139.548307]  ? prepare_exit_to_usermode+0x3b0/0x3b0
[ 139.553336]  ? prepare_exit_to_usermode+0x291/0x3b0
[ 139.558340]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 139.563170]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 139.568341] RIP: 0033:0x457569
[ 139.571515] Code: fd b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 139.590409] RSP: 002b:00007f58360b8c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 139.598101] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000457569
[ 139.605360] RDX: 0000000020000100 RSI: 0000000000005402 RDI: 0000000000000005
[ 139.612610] RBP: 000000000072bf00 R08: 0000000000000000 R09: 0000000000000000
[ 139.619862] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f58360b96d4
[ 139.627115] R13: 00000000004c0ffe R14: 00000000004d1d88 R15: 00000000ffffffff
[ 139.634374] ==================================================================
[ 139.641726] Disabling lock debugging due to kernel taint
[ 139.647328] Kernel panic - not syncing: panic_on_warn set ...
[ 139.653218] CPU: 0 PID: 11989 Comm: syz-executor0 Tainted: G B 4.20.0-rc2+ #117
[ 139.661944] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 139.671277] Call Trace:
[ 139.673847]  dump_stack+0x244/0x39d
[ 139.677457]  ? dump_stack_print_info.cold.1+0x20/0x20
[ 139.682631]  panic+0x2ad/0x55c
[ 139.685805]  ? add_taint.cold.5+0x16/0x16
[ 139.689934]  ? preempt_schedule+0x4d/0x60
[ 139.694063]  ? ___preempt_schedule+0x16/0x18
[ 139.698453]  ? trace_hardirqs_on+0xb4/0x310
[ 139.702777]  kasan_end_report+0x47/0x4f
[ 139.706734]  kasan_report.cold.8+0x76/0x309
[ 139.711056]  ? n_tty_set_termios+0x106/0xe80
[ 139.715449]  check_memory_region+0x13e/0x1b0
[ 139.719852]  memset+0x23/0x40
[ 139.722939]  n_tty_set_termios+0x106/0xe80
[ 139.727173]  ? n_tty_receive_signal_char+0x120/0x120
[ 139.732256]  tty_set_termios+0x7a0/0xac0
[ 139.736298]  ? tty_wait_until_sent+0x5d0/0x5d0
[ 139.740862]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 139.746381]  set_termios+0x41e/0x7d0
[ 139.750075]  ? tty_perform_flush+0x80/0x80
[ 139.754296]  ? drop_futex_key_refs.isra.14+0x6d/0xe0
[ 139.759382]  tty_mode_ioctl+0x857/0xb40
[ 139.763341]  ? set_termios+0x7d0/0x7d0
[ 139.767213]  ? perf_trace_sched_process_exec+0x860/0x860
[ 139.772665]  n_tty_ioctl_helper+0x54/0x3b0
[ 139.776931]  n_tty_ioctl+0x54/0x360
[ 139.780543]  ? ldsem_down_read+0x32/0x40
[ 139.784584]  ? ldsem_down_read+0x32/0x40
[ 139.788624]  tty_ioctl+0x5c6/0x17d0
[ 139.792239]  ? commit_echoes+0x1c0/0x1c0
[ 139.796324]  ? tty_vhangup+0x30/0x30
[ 139.800051]  ? find_held_lock+0x36/0x1c0
[ 139.804093]  ? __fget+0x4aa/0x740
[ 139.807544]  ? lock_downgrade+0x900/0x900
[ 139.811675]  ? check_preemption_disabled+0x48/0x280
[ 139.816673]  ? rcu_read_unlock_special+0x1c0/0x1c0
[ 139.821582]  ? kasan_check_read+0x11/0x20
[ 139.825708]  ? rcu_dynticks_curr_cpu_in_eqs+0xa2/0x170
[ 139.830966]  ? rcu_softirq_qs+0x20/0x20
[ 139.834924]  ? __fget+0x4d1/0x740
[ 139.838362]  ? ksys_dup3+0x680/0x680
[ 139.842058]  ? __might_fault+0x12b/0x1e0
[ 139.846128]  ? lock_downgrade+0x900/0x900
[ 139.850257]  ? lock_release+0xa00/0xa00
[ 139.854242]  ? perf_trace_sched_process_exec+0x860/0x860
[ 139.859676]  ? tty_vhangup+0x30/0x30
[ 139.863370]  do_vfs_ioctl+0x1de/0x1790
[ 139.867242]  ? ioctl_preallocate+0x300/0x300
[ 139.871628]  ? memset+0x31/0x40
[ 139.874885]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 139.880416]  ? smack_file_ioctl+0x210/0x3c0
[ 139.884730]  ? fget_raw+0x20/0x20
[ 139.888164]  ? smack_file_lock+0x2e0/0x2e0
[ 139.892385]  ? do_syscall_64+0x9a/0x820
[ 139.896355]  ? do_syscall_64+0x9a/0x820
[ 139.900310]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 139.905828]  ? security_file_ioctl+0x94/0xc0
[ 139.910216]  ksys_ioctl+0xa9/0xd0
[ 139.913666]  __x64_sys_ioctl+0x73/0xb0
[ 139.917537]  do_syscall_64+0x1b9/0x820
[ 139.921407]  ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[ 139.926781]  ? syscall_return_slowpath+0x5e0/0x5e0
[ 139.931694]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 139.936534]  ? trace_hardirqs_on_caller+0x310/0x310
[ 139.941536]  ? prepare_exit_to_usermode+0x3b0/0x3b0
[ 139.946535]  ? prepare_exit_to_usermode+0x291/0x3b0
[ 139.951538]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 139.956363]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 139.961532] RIP: 0033:0x457569
[ 139.964712] Code: fd b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 139.983593] RSP: 002b:00007f58360b8c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 139.991288] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000457569
[ 139.998560] RDX: 0000000020000100 RSI: 0000000000005402 RDI: 0000000000000005
[ 140.005810] RBP: 000000000072bf00 R08: 0000000000000000 R09: 0000000000000000
[ 140.013075] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f58360b96d4
[ 140.020324] R13: 00000000004c0ffe R14: 00000000004d1d88 R15: 00000000ffffffff
[ 140.028584] Kernel Offset: disabled
[ 140.032207] Rebooting in 86400 seconds..