[ 40.485215] audit: type=1800 audit(1545708111.984:25): pid=7877 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="cron" dev="sda1" ino=2414 res=0
[ 40.512739] audit: type=1800 audit(1545708111.984:26): pid=7877 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0
[ 40.552109] audit: type=1800 audit(1545708111.984:27): pid=7877 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[FAIL] startpar: service(s) returned failure: ssh ... failed!
Debian GNU/Linux 7 syzkaller ttyS0
syzkaller login: [ 44.397358] sshd (8036) used greatest stack depth: 15720 bytes left
Warning: Permanently added '10.128.0.35' (ECDSA) to the list of known hosts.
2018/12/25 03:22:58 parsed 1 programs
[ 107.947917] ld (8060) used greatest stack depth: 15512 bytes left
2018/12/25 03:22:59 executed programs: 0
[ 108.197299] IPVS: ftp: loaded support on port[0] = 21
[ 108.460096] bridge0: port 1(bridge_slave_0) entered blocking state
[ 108.467213] bridge0: port 1(bridge_slave_0) entered disabled state
[ 108.474629] device bridge_slave_0 entered promiscuous mode
[ 108.493080] bridge0: port 2(bridge_slave_1) entered blocking state
[ 108.499462] bridge0: port 2(bridge_slave_1) entered disabled state
[ 108.506594] device bridge_slave_1 entered promiscuous mode
[ 108.523908] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[ 108.541827] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[ 108.593688] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 108.614157] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 108.694904] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 108.702631] team0: Port device team_slave_0 added
[ 108.719610] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 108.727060] team0: Port device team_slave_1 added
[ 108.744406] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 108.766238] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 108.787578] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 108.807423] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[ 108.957239] bridge0: port 2(bridge_slave_1) entered blocking state
[ 108.963805] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 108.970549] bridge0: port 1(bridge_slave_0) entered blocking state
[ 108.976955] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 109.505341] 8021q: adding VLAN 0 to HW filter on device bond0
[ 109.560547] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 109.612111] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
[ 109.618250] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 109.626857] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 109.675958] 8021q: adding VLAN 0 to HW filter on device team0
[ 110.348114] ==================================================================
[ 110.355623] BUG: KASAN: use-after-free in filemap_fault+0x2818/0x2a70
[ 110.362186] Read of size 8 at addr ffff8881be3a56b0 by task syz-executor0/8393
[ 110.369519]
[ 110.371151] CPU: 1 PID: 8393 Comm: syz-executor0 Not tainted 4.20.0-rc7-next-20181224 #188
[ 110.379532] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 110.388864] Call Trace:
[ 110.391439]  dump_stack+0x1d3/0x2c6
[ 110.395056]  ? dump_stack_print_info.cold.1+0x20/0x20
[ 110.400228]  ? printk+0xa7/0xcf
[ 110.403490]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[ 110.408239]  print_address_description.cold.5+0x9/0x1ff
[ 110.413585]  ? filemap_fault+0x2818/0x2a70
[ 110.417804]  kasan_report.cold.6+0x1b/0x39
[ 110.422041]  ? filemap_fault+0x2818/0x2a70
[ 110.426263]  ? filemap_fault+0x2818/0x2a70
[ 110.430479]  __asan_report_load8_noabort+0x14/0x20
[ 110.435409]  filemap_fault+0x2818/0x2a70
[ 110.439458]  ? grab_cache_page_write_begin+0xa0/0xa0
[ 110.444580]  ? _raw_spin_unlock_irqrestore+0x6d/0xd0
[ 110.449684]  ? try_to_wake_up+0x11c/0x1460
[ 110.453901]  ? graph_lock+0x270/0x270
[ 110.457689]  ? migrate_swap_stop+0x930/0x930
[ 110.462082]  ? find_held_lock+0x36/0x1c0
[ 110.466132]  ? futex_wake+0x613/0x760
[ 110.469929]  ? graph_lock+0x270/0x270
[ 110.473715]  ? kasan_check_read+0x11/0x20
[ 110.477847]  ? do_raw_spin_unlock+0xa7/0x330
[ 110.482239]  ? do_raw_spin_trylock+0x270/0x270
[ 110.486806]  ? __lock_is_held+0xb5/0x140
[ 110.490853]  ? lock_acquire+0x1ed/0x520
[ 110.494809]  ? ext4_filemap_fault+0x7a/0xad
[ 110.499116]  ? lock_release+0xa00/0xa00
[ 110.503073]  ? arch_local_save_flags+0x40/0x40
[ 110.507650]  ? get_futex_key+0x21b0/0x21b0
[ 110.511879]  ? down_read+0x8d/0x120
[ 110.515486]  ? ext4_filemap_fault+0x7a/0xad
[ 110.519793]  ? __down_interruptible+0x700/0x700
[ 110.524453]  ext4_filemap_fault+0x82/0xad
[ 110.528600]  __do_fault+0x176/0x6f0
[ 110.532214]  ? kasan_check_write+0x14/0x20
[ 110.536429]  ? lock_page+0x170/0x170
[ 110.540141]  ? pmd_val+0x88/0x100
[ 110.543576]  ? add_mm_counter_fast+0xd0/0xd0
[ 110.547968]  ? add_mm_counter_fast+0xd0/0xd0
[ 110.552366]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 110.557888]  __handle_mm_fault+0x373b/0x55f0
[ 110.562288]  ? vmf_insert_mixed_mkwrite+0x40/0x40
[ 110.567113]  ? graph_lock+0x270/0x270
[ 110.570893]  ? find_held_lock+0x36/0x1c0
[ 110.574938]  ? print_usage_bug+0xc0/0xc0
[ 110.578979]  ? graph_lock+0x270/0x270
[ 110.582771]  ? graph_lock+0x270/0x270
[ 110.586582]  ? handle_mm_fault+0x42a/0xc70
[ 110.590804]  ? lock_downgrade+0x900/0x900
[ 110.594938]  ? check_preemption_disabled+0x48/0x280
[ 110.599941]  ? kasan_check_read+0x11/0x20
[ 110.604077]  ? rcu_dynticks_curr_cpu_in_eqs+0xa2/0x170
[ 110.609355]  ? rcu_read_unlock_special+0x370/0x370
[ 110.614269]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 110.619792]  ? check_preemption_disabled+0x48/0x280
[ 110.624798]  handle_mm_fault+0x54f/0xc70
[ 110.628857]  ? __handle_mm_fault+0x55f0/0x55f0
[ 110.633428]  ? find_vma+0x34/0x190
[ 110.636955]  __do_page_fault+0x5f6/0xd70
[ 110.641006]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 110.646576]  do_page_fault+0xf2/0x7e0
[ 110.650366]  ? vmalloc_sync_all+0x30/0x30
[ 110.654505]  ? error_entry+0x70/0xd0
[ 110.658221]  ? trace_hardirqs_off_caller+0xbb/0x310
[ 110.663219]  ? trace_hardirqs_on_caller+0xc0/0x310
[ 110.668253]  ? syscall_return_slowpath+0x5e0/0x5e0
[ 110.673164]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 110.677993]  ? trace_hardirqs_on_caller+0x310/0x310
[ 110.683001]  ? trace_hardirqs_off+0x310/0x310
[ 110.687495]  ? prepare_exit_to_usermode+0x3b0/0x3b0
[ 110.692503]  ? prepare_exit_to_usermode+0x291/0x3b0
[ 110.697508]  ? page_fault+0x8/0x30
[ 110.701035]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 110.705863]  ? page_fault+0x8/0x30
[ 110.709387]  page_fault+0x1e/0x30
[ 110.712822] RIP: 0033:0x43ea69
[ 110.716007] Code: b7 0e 66 89 0f 48 83 c6 02 48 83 c7 02 0f 1f 40 00 f6 c2 04 74 0c 8b 0e 89 0f 48 83 c6 04 48 83 c7 04 f6 c2 08 74 0e 48 8b 0e <48> 89 0f 48 83 c6 08 48 83 c7 08 81 e2 f0 00 00 00 74 1f 0f 1f 40
[ 110.734893] RSP: 002b:00007ffd66c760b8 EFLAGS: 00010202
[ 110.740239] RAX: 0000000020008ff8 RBX: 0000000000000005 RCX: 0031656c69662f2e
[ 110.747491] RDX: 0000000000000008 RSI: 0000000000740328 RDI: 0000000020008ff8
[ 110.754761] RBP: 000000000073bf00 R08: 0000000000740308 R09: 0000000000000000
[ 110.762018] R10: 00007ffd66c76170 R11: 0000000000000246 R12: 0000000000000006
[ 110.769295] R13: fffffffffffffffe R14: 000000000073bf0c R15: 000000000073bf0c
[ 110.776559]
[ 110.778170] Allocated by task 8394:
[ 110.781781]  save_stack+0x43/0xd0
[ 110.785216]  kasan_kmalloc+0xcb/0xd0
[ 110.788908]  kasan_slab_alloc+0x12/0x20
[ 110.792876]  kmem_cache_alloc+0x130/0x730
[ 110.797013]  vm_area_alloc+0x7a/0x1d0
[ 110.800798]  mmap_region+0x9d7/0x1cd0
[ 110.804579]  do_mmap+0xa22/0x1230
[ 110.808015]  vm_mmap_pgoff+0x213/0x2c0
[ 110.811885]  ksys_mmap_pgoff+0x4da/0x660
[ 110.815926]  __x64_sys_mmap+0xe9/0x1b0
[ 110.819794]  do_syscall_64+0x1b9/0x820
[ 110.823667]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 110.828831]
[ 110.830436] Freed by task 8394:
[ 110.833696]  save_stack+0x43/0xd0
[ 110.837129]  __kasan_slab_free+0x102/0x150
[ 110.841345]  kasan_slab_free+0xe/0x10
[ 110.845129]  kmem_cache_free+0x83/0x290
[ 110.849086]  vm_area_free+0x1c/0x20
[ 110.852696]  remove_vma+0x13a/0x180
[ 110.856302]  __do_munmap+0x729/0xf50
[ 110.860005]  mmap_region+0x6a7/0x1cd0
[ 110.863789]  do_mmap+0xa22/0x1230
[ 110.867239]  vm_mmap_pgoff+0x213/0x2c0
[ 110.871123]  ksys_mmap_pgoff+0x4da/0x660
[ 110.875166]  __x64_sys_mmap+0xe9/0x1b0
[ 110.879034]  do_syscall_64+0x1b9/0x820
[ 110.882903]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 110.888071]
[ 110.889682] The buggy address belongs to the object at ffff8881be3a5670
[ 110.889682]  which belongs to the cache vm_area_struct(17:syz0) of size 200
[ 110.903362] The buggy address is located 64 bytes inside of
[ 110.903362]  200-byte region [ffff8881be3a5670, ffff8881be3a5738)
[ 110.915127] The buggy address belongs to the page:
[ 110.920038] page:ffffea0006f8e940 count:1 mapcount:0 mapping:ffff8881c11c3cc0 index:0x0
[ 110.928166] flags: 0x2fffc0000000200(slab)
[ 110.932387] raw: 02fffc0000000200 ffffea0006e88888 ffff8881d1c73648 ffff8881c11c3cc0
[ 110.940251] raw: 0000000000000000 ffff8881be3a5040 000000010000000f ffff8881d29f0480
[ 110.948107] page dumped because: kasan: bad access detected
[ 110.953793] page->mem_cgroup:ffff8881d29f0480
[ 110.958263]
[ 110.959887] Memory state around the buggy address:
[ 110.964800]  ffff8881be3a5580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 110.972141]  ffff8881be3a5600: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fb fb
[ 110.979510] >ffff8881be3a5680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 110.986849]                                      ^
[ 110.991763]  ffff8881be3a5700: fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc fb
[ 110.999104]  ffff8881be3a5780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 111.006439] ==================================================================
[ 111.013800] Disabling lock debugging due to kernel taint
[ 111.024996] Kernel panic - not syncing: panic_on_warn set ...
[ 111.030887] CPU: 0 PID: 8393 Comm: syz-executor0 Tainted: G    B             4.20.0-rc7-next-20181224 #188
[ 111.040668] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 111.050047] Call Trace:
[ 111.052618]  dump_stack+0x1d3/0x2c6
[ 111.056230]  ? dump_stack_print_info.cold.1+0x20/0x20
[ 111.061406]  ? filemap_fault+0x27a0/0x2a70
[ 111.065627]  panic+0x2ad/0x632
[ 111.068799]  ? add_taint.cold.5+0x16/0x16
[ 111.072931]  ? preempt_schedule+0x4d/0x60
[ 111.077059]  ? ___preempt_schedule+0x16/0x18
[ 111.081448]  ? trace_hardirqs_on+0xb4/0x310
[ 111.085751]  ? filemap_fault+0x2818/0x2a70
[ 111.089966]  end_report+0x47/0x4f
[ 111.093422]  kasan_report.cold.6+0xe/0x39
[ 111.097551]  ? filemap_fault+0x2818/0x2a70
[ 111.101779]  ? filemap_fault+0x2818/0x2a70
[ 111.106003]  __asan_report_load8_noabort+0x14/0x20
[ 111.110914]  filemap_fault+0x2818/0x2a70
[ 111.114980]  ? grab_cache_page_write_begin+0xa0/0xa0
[ 111.120084]  ? _raw_spin_unlock_irqrestore+0x6d/0xd0
[ 111.125172]  ? try_to_wake_up+0x11c/0x1460
[ 111.129383]  ? graph_lock+0x270/0x270
[ 111.133169]  ? migrate_swap_stop+0x930/0x930
[ 111.137560]  ? find_held_lock+0x36/0x1c0
[ 111.141607]  ? futex_wake+0x613/0x760
[ 111.145389]  ? graph_lock+0x270/0x270
[ 111.149170]  ? kasan_check_read+0x11/0x20
[ 111.153302]  ? do_raw_spin_unlock+0xa7/0x330
[ 111.157704]  ? do_raw_spin_trylock+0x270/0x270
[ 111.162267]  ? __lock_is_held+0xb5/0x140
[ 111.166309]  ? lock_acquire+0x1ed/0x520
[ 111.170268]  ? ext4_filemap_fault+0x7a/0xad
[ 111.174574]  ? lock_release+0xa00/0xa00
[ 111.178528]  ? arch_local_save_flags+0x40/0x40
[ 111.183094]  ? get_futex_key+0x21b0/0x21b0
[ 111.187320]  ? down_read+0x8d/0x120
[ 111.190925]  ? ext4_filemap_fault+0x7a/0xad
[ 111.195226]  ? __down_interruptible+0x700/0x700
[ 111.199879]  ext4_filemap_fault+0x82/0xad
[ 111.204015]  __do_fault+0x176/0x6f0
[ 111.207640]  ? kasan_check_write+0x14/0x20
[ 111.211854]  ? lock_page+0x170/0x170
[ 111.215546]  ? pmd_val+0x88/0x100
[ 111.218981]  ? add_mm_counter_fast+0xd0/0xd0
[ 111.223383]  ? add_mm_counter_fast+0xd0/0xd0
[ 111.227774]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 111.233294]  __handle_mm_fault+0x373b/0x55f0
[ 111.237685]  ? vmf_insert_mixed_mkwrite+0x40/0x40
[ 111.242509]  ? graph_lock+0x270/0x270
[ 111.246288]  ? find_held_lock+0x36/0x1c0
[ 111.250331]  ? print_usage_bug+0xc0/0xc0
[ 111.254375]  ? graph_lock+0x270/0x270
[ 111.258171]  ? graph_lock+0x270/0x270
[ 111.261960]  ? handle_mm_fault+0x42a/0xc70
[ 111.266176]  ? lock_downgrade+0x900/0x900
[ 111.270304]  ? check_preemption_disabled+0x48/0x280
[ 111.275302]  ? kasan_check_read+0x11/0x20
[ 111.279434]  ? rcu_dynticks_curr_cpu_in_eqs+0xa2/0x170
[ 111.284691]  ? rcu_read_unlock_special+0x370/0x370
[ 111.289601]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 111.295124]  ? check_preemption_disabled+0x48/0x280
[ 111.300121]  handle_mm_fault+0x54f/0xc70
[ 111.304182]  ? __handle_mm_fault+0x55f0/0x55f0
[ 111.308748]  ? find_vma+0x34/0x190
[ 111.312274]  __do_page_fault+0x5f6/0xd70
[ 111.316314]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 111.321835]  do_page_fault+0xf2/0x7e0
[ 111.325618]  ? vmalloc_sync_all+0x30/0x30
[ 111.329743]  ? error_entry+0x70/0xd0
[ 111.333441]  ? trace_hardirqs_off_caller+0xbb/0x310
[ 111.338434]  ? trace_hardirqs_on_caller+0xc0/0x310
[ 111.343347]  ? syscall_return_slowpath+0x5e0/0x5e0
[ 111.348260]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 111.353085]  ? trace_hardirqs_on_caller+0x310/0x310
[ 111.358082]  ? trace_hardirqs_off+0x310/0x310
[ 111.362561]  ? prepare_exit_to_usermode+0x3b0/0x3b0
[ 111.367563]  ? prepare_exit_to_usermode+0x291/0x3b0
[ 111.372564]  ? page_fault+0x8/0x30
[ 111.376089]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 111.380916]  ? page_fault+0x8/0x30
[ 111.384438]  page_fault+0x1e/0x30
[ 111.387871] RIP: 0033:0x43ea69
[ 111.391047] Code: b7 0e 66 89 0f 48 83 c6 02 48 83 c7 02 0f 1f 40 00 f6 c2 04 74 0c 8b 0e 89 0f 48 83 c6 04 48 83 c7 04 f6 c2 08 74 0e 48 8b 0e <48> 89 0f 48 83 c6 08 48 83 c7 08 81 e2 f0 00 00 00 74 1f 0f 1f 40
[ 111.409931] RSP: 002b:00007ffd66c760b8 EFLAGS: 00010202
[ 111.415274] RAX: 0000000020008ff8 RBX: 0000000000000005 RCX: 0031656c69662f2e
[ 111.422540] RDX: 0000000000000008 RSI: 0000000000740328 RDI: 0000000020008ff8
[ 111.429792] RBP: 000000000073bf00 R08: 0000000000740308 R09: 0000000000000000
[ 111.437044] R10: 00007ffd66c76170 R11: 0000000000000246 R12: 0000000000000006
[ 111.444293] R13: fffffffffffffffe R14: 000000000073bf0c R15: 000000000073bf0c
[ 111.452450] Kernel Offset: disabled
[ 111.456076] Rebooting in 86400 seconds..
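Added example, not part of the syzbot console log above and not syzkaller's own code: a Python parser that turns the KASAN report into structured triage fields and cross-checks the numbers the report states (the faulting address's offset inside the freed vm_area_struct, the shadow byte covering it, and which tasks allocated, freed and touched the object). The embedded input is a re-typed, abbreviated copy of the report's key lines with the same addresses, sizes and pids; the shadow-byte meanings are the generic KASAN encodings from mm/kasan/kasan.h; the `freed_by_remap` flag (munmap reached from inside mmap_region, which is how a new mmap clears an overlapping old range) is this example's reading of the free stack, not something the log states.

```python
import re

# Shadow-byte encodings of generic KASAN (values from mm/kasan/kasan.h).
SHADOW = {0xFF: "freed page", 0xFE: "page redzone", 0xFC: "slab redzone",
          0xFB: "freed slab object", 0xFA: "global redzone"}

# Constructed sample: key lines of the report above, re-typed; the alloc/free
# stacks are abbreviated but every address, size and pid is the one the log shows.
SAMPLE = """\
[ 110.355623] BUG: KASAN: use-after-free in filemap_fault+0x2818/0x2a70
[ 110.362186] Read of size 8 at addr ffff8881be3a56b0 by task syz-executor0/8393
[ 110.369519]
[ 110.778170] Allocated by task 8394:
[ 110.797013]  vm_area_alloc+0x7a/0x1d0
[ 110.800798]  mmap_region+0x9d7/0x1cd0
[ 110.830436] Freed by task 8394:
[ 110.849086]  vm_area_free+0x1c/0x20
[ 110.856302]  __do_munmap+0x729/0xf50
[ 110.860005]  mmap_region+0x6a7/0x1cd0
[ 110.863789]  do_mmap+0xa22/0x1230
[ 110.889682] The buggy address belongs to the object at ffff8881be3a5670
[ 110.889682]  which belongs to the cache vm_area_struct(17:syz0) of size 200
[ 110.903362] The buggy address is located 64 bytes inside of
[ 110.903362]  200-byte region [ffff8881be3a5670, ffff8881be3a5738)
[ 110.959887] Memory state around the buggy address:
[ 110.972141]  ffff8881be3a5600: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fb fb
[ 110.979510] >ffff8881be3a5680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 110.986849]                                      ^
[ 110.991763]  ffff8881be3a5700: fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc fb
[ 111.006439] ==================================================================
"""

TS = re.compile(r"^\[\s*\d+\.\d+\]")                        # dmesg timestamp
FRAME = re.compile(r"^(\?\s+)?([\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+$")
ROW = re.compile(r"^(>?)([0-9a-f]{16}):((?: [0-9a-f]{2}){1,16})$")


def parse(text: str) -> dict:
    """Return the report's fields; 'stacks', 'pids' and 'shadow' are nested dicts."""
    r = {"stacks": {}, "pids": {}, "shadow": {}}
    section = None
    for raw in text.splitlines():
        line = TS.sub("", raw).strip()
        if section and (m := FRAME.match(line)):
            r["stacks"][section].append(m[2])
            continue
        section = None                               # any other line ends a stack
        if m := re.match(r"BUG: KASAN: (\S+) in (\S+)", line):
            r["bug"], r["where"] = m[1], m[2]
        elif m := re.match(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task \S+/(\d+)", line):
            r.update(access=m[1], size=int(m[2]), addr=int(m[3], 16), pid=int(m[4]))
        elif m := re.match(r"(Allocated|Freed) by task (\d+):", line):
            section = m[1].lower()                   # "allocated" / "freed"
            r["stacks"][section], r["pids"][section] = [], int(m[2])
        elif m := re.match(r"The buggy address belongs to the object at ([0-9a-f]+)", line):
            r["obj"] = int(m[1], 16)
        elif m := re.match(r"which belongs to the cache (\S+) of size (\d+)", line):
            r["cache"], r["obj_size"] = m[1], int(m[2])
        elif m := re.match(r"The buggy address is located (\d+) bytes inside of", line):
            r["stated_offset"] = int(m[1])
        elif m := re.match(r"\d+-byte region \[([0-9a-f]+), ([0-9a-f]+)\)", line):
            r["region"] = (int(m[1], 16), int(m[2], 16))
        elif m := ROW.match(line):
            r["shadow"][int(m[2], 16)] = [int(b, 16) for b in m[3].split()]
            if m[1]:                                 # '>' marks the guilty row
                r["guilty_row"] = int(m[2], 16)
    return r


def shadow_meaning(b: int) -> str:
    if b < 8:  # 0 = all 8 bytes addressable, 1..7 = only the first b bytes
        return "addressable" if b == 0 else f"partially addressable ({b} bytes)"
    return SHADOW.get(b, f"unknown 0x{b:02x}")


def triage(r: dict) -> dict:
    """Cross-check the report's own numbers and derive the triage facts."""
    lo, hi = r["region"]
    row = r["addr"] & ~0x7F          # one printed row = 16 shadow bytes = 128 bytes
    byte = r["shadow"][row][(r["addr"] - row) // 8]
    return {
        "offset": r["addr"] - r["obj"],
        "offset_matches_report": r["addr"] - r["obj"] == r["stated_offset"],
        "addr_in_object": lo <= r["addr"] < hi and hi - lo == r["obj_size"],
        "shadow_at_addr": shadow_meaning(byte),
        "guilty_row_matches": r.get("guilty_row") == row,
        # fault in one task, alloc/free in another: a race, not a plain misuse
        "cross_task": r["pid"] not in r["pids"].values(),
        # VMA freed by munmap called from mmap_region: a new mmap replaced the range
        "freed_by_remap": {"__do_munmap", "mmap_region"} <= set(r["stacks"]["freed"]),
    }


if __name__ == "__main__":
    print(triage(parse(SAMPLE)))
```

On the log above this yields offset 64 inside the 200-byte vm_area_struct, shadow byte fb (freed slab object) under the caret, and both `cross_task` and `freed_by_remap` true: task 8393 was in the page-fault path (filemap_fault via ext4_filemap_fault) on a VMA that task 8394 had already freed by mapping over it, which is the race to reproduce or bisect against rather than anything ext4-specific.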