[info] Using makefile-style concurrent boot in runlevel 2.
[   25.455853] audit: type=1800 audit(1543142353.254:21): pid=5821 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="bootlogs" dev="sda1" ino=2419 res=0
[   25.476189] audit: type=1800 audit(1543142353.254:22): pid=5821 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="motd" dev="sda1" ino=2447 res=0
[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.10.28' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [   37.507834] ==================================================================
[   37.515281] BUG: KASAN: slab-out-of-bounds in queue_stack_map_push_elem+0x185/0x290
[   37.523058] Write of size 262146 at addr ffff8881d2ec9bc8 by task syz-executor091/5976
[   37.531087]
[   37.532703] CPU: 1 PID: 5976 Comm: syz-executor091 Not tainted 4.20.0-rc3+ #202
[   37.540141] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   37.549486] Call Trace:
[   37.552072]  dump_stack+0x244/0x39d
[   37.555692]  ? dump_stack_print_info.cold.1+0x20/0x20
[   37.560878]  ? printk+0xa7/0xcf
[   37.564154]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[   37.568909]  print_address_description.cold.7+0x9/0x1ff
[   37.574312]  kasan_report.cold.8+0x242/0x309
[   37.578728]  ? queue_stack_map_push_elem+0x185/0x290
[   37.583876]  check_memory_region+0x13e/0x1b0
[   37.588276]  memcpy+0x37/0x50
[   37.591367]  queue_stack_map_push_elem+0x185/0x290
[   37.596292]  ? queue_map_pop_elem+0x30/0x30
[   37.600625]  map_update_elem+0x605/0xf60
[   37.604678]  __x64_sys_bpf+0x32d/0x520
[   37.608555]  ? bpf_prog_get+0x20/0x20
[   37.612353]  do_syscall_64+0x1b9/0x820
[   37.616235]  ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[   37.621584]  ? syscall_return_slowpath+0x5e0/0x5e0
[   37.626557]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   37.631413]  ? trace_hardirqs_on_caller+0x310/0x310
[   37.636425]  ? prepare_exit_to_usermode+0x3b0/0x3b0
[   37.641432]  ? prepare_exit_to_usermode+0x291/0x3b0
[   37.646698]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   37.651558]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   37.656742] RIP: 0033:0x4400e9
[   37.659921] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 fb 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[   37.678810] RSP: 002b:00007ffcb6e2c308 EFLAGS: 00000213 ORIG_RAX: 0000000000000141
[   37.686646] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 00000000004400e9
[   37.693913] RDX: 0000000000000020 RSI: 0000000020000040 RDI: 0000000000000002
[   37.701178] RBP: 00000000006ca018 R08: 0000000000000000 R09: 00000000004002c8
[   37.708429] R10: 0000000000000000 R11: 0000000000000213 R12: 0000000000401970
[   37.715680] R13: 0000000000401a00 R14: 0000000000000000 R15: 0000000000000000
[   37.722995]
[   37.724620] Allocated by task 5976:
[   37.728243]  save_stack+0x43/0xd0
[   37.731683]  kasan_kmalloc+0xc7/0xe0
[   37.735394]  __kmalloc_node+0x50/0x70
[   37.739191]  bpf_map_area_alloc+0x3f/0x90
[   37.743338]  queue_stack_map_alloc+0x192/0x290
[   37.747903]  map_create+0x3bd/0x1110
[   37.751603]  __x64_sys_bpf+0x303/0x520
[   37.755474]  do_syscall_64+0x1b9/0x820
[   37.759346]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   37.764515]
[   37.766123] Freed by task 3751:
[   37.769386]  save_stack+0x43/0xd0
[   37.773312]  __kasan_slab_free+0x102/0x150
[   37.778109]  kasan_slab_free+0xe/0x10
[   37.781893]  kfree+0xcf/0x230
[   37.784977]  kernfs_fop_release+0x12b/0x1a0
[   37.789282]  __fput+0x385/0xa30
[   37.792713]  ____fput+0x15/0x20
[   37.795989]  task_work_run+0x1e8/0x2a0
[   37.799862]  exit_to_usermode_loop+0x318/0x380
[   37.804425]  do_syscall_64+0x6be/0x820
[   37.808295]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   37.813572]
[   37.815188] The buggy address belongs to the object at ffff8881d2ec9a80
[   37.815188]  which belongs to the cache kmalloc-512 of size 512
[   37.827840] The buggy address is located 328 bytes inside of
[   37.827840]  512-byte region [ffff8881d2ec9a80, ffff8881d2ec9c80)
[   37.839705] The buggy address belongs to the page:
[   37.844621] page:ffffea00074bb240 count:1 mapcount:0 mapping:ffff8881da800940 index:0x0
[   37.852745] flags: 0x2fffc0000000200(slab)
[   37.856965] raw: 02fffc0000000200 ffffea00074d6f88 ffffea000730d288 ffff8881da800940
[   37.864839] raw: 0000000000000000 ffff8881d2ec9080 0000000100000006 0000000000000000
[   37.872711] page dumped because: kasan: bad access detected
[   37.878403]
[   37.880019] Memory state around the buggy address:
[   37.884938]  ffff8881d2ec9b00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   37.892286]  ffff8881d2ec9b80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   37.899630] >ffff8881d2ec9c00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   37.906996]                    ^
[   37.910356]  ffff8881d2ec9c80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   37.917710]  ffff8881d2ec9d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   37.925053] ==================================================================
[   37.932400] Disabling lock debugging due to kernel taint
[   37.937827] Kernel panic - not syncing: panic_on_warn set ...
[   37.943697] CPU: 1 PID: 5976 Comm: syz-executor091 Tainted: G    B             4.20.0-rc3+ #202
[   37.952519] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   37.961958] Call Trace:
[   37.964534]  dump_stack+0x244/0x39d
[   37.968146]  ? dump_stack_print_info.cold.1+0x20/0x20
[   37.973320]  panic+0x2ad/0x55c
[   37.976497]  ? add_taint.cold.5+0x16/0x16
[   37.980629]  ? add_taint.cold.5+0x5/0x16
[   37.984673]  ? trace_hardirqs_off+0xaf/0x310
[   37.989063]  kasan_end_report+0x47/0x4f
[   37.993027]  kasan_report.cold.8+0x76/0x309
[   37.997332]  ? queue_stack_map_push_elem+0x185/0x290
[   38.002423]  check_memory_region+0x13e/0x1b0
[   38.006817]  memcpy+0x37/0x50
[   38.009908]  queue_stack_map_push_elem+0x185/0x290
[   38.014819]  ? queue_map_pop_elem+0x30/0x30
[   38.019119]  map_update_elem+0x605/0xf60
[   38.023162]  __x64_sys_bpf+0x32d/0x520
[   38.027047]  ? bpf_prog_get+0x20/0x20
[   38.030840]  do_syscall_64+0x1b9/0x820
[   38.034709]  ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[   38.040052]  ? syscall_return_slowpath+0x5e0/0x5e0
[   38.045095]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   38.049940]  ? trace_hardirqs_on_caller+0x310/0x310
[   38.054952]  ? prepare_exit_to_usermode+0x3b0/0x3b0
[   38.059957]  ? prepare_exit_to_usermode+0x291/0x3b0
[   38.064960]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   38.069791]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   38.074964] RIP: 0033:0x4400e9
[   38.078143] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 fb 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[   38.097159] RSP: 002b:00007ffcb6e2c308 EFLAGS: 00000213 ORIG_RAX: 0000000000000141
[   38.105035] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 00000000004400e9
[   38.112296] RDX: 0000000000000020 RSI: 0000000020000040 RDI: 0000000000000002
[   38.119549] RBP: 00000000006ca018 R08: 0000000000000000 R09: 00000000004002c8
[   38.126814] R10: 0000000000000000 R11: 0000000000000213 R12: 0000000000401970
[   38.134072] R13: 0000000000401a00 R14: 0000000000000000 R15: 0000000000000000
[   38.142479] Kernel Offset: disabled
[   38.146112] Rebooting in 86400 seconds..