[ ok ] Starting enhanced syslogd: rsyslogd.
[ 41.359575][ T26] audit: type=1800 audit(1571740317.692:25): pid=7863 uid=0 auid=4294967295 ses=4294967295 subj=_ op=collect_data cause=failed(directio) comm="startpar" name="cron" dev="sda1" ino=2414 res=0
[ 41.389520][ T26] audit: type=1800 audit(1571740317.702:26): pid=7863 uid=0 auid=4294967295 ses=4294967295 subj=_ op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0
[ 41.409681][ T26] audit: type=1800 audit(1571740317.702:27): pid=7863 uid=0 auid=4294967295 ses=4294967295 subj=_ op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.150' (ECDSA) to the list of known hosts.
2019/10/22 10:47:26 parsed 1 programs
2019/10/22 10:47:27 executed programs: 0
syzkaller login: [ 971.413178][ T8028] IPVS: ftp: loaded support on port[0] = 21
[ 971.469334][ T8028] chnl_net:caif_netlink_parms(): no params data found
[ 971.496140][ T8028] bridge0: port 1(bridge_slave_0) entered blocking state
[ 971.504058][ T8028] bridge0: port 1(bridge_slave_0) entered disabled state
[ 971.512478][ T8028] device bridge_slave_0 entered promiscuous mode
[ 971.520725][ T8028] bridge0: port 2(bridge_slave_1) entered blocking state
[ 971.527984][ T8028] bridge0: port 2(bridge_slave_1) entered disabled state
[ 971.535670][ T8028] device bridge_slave_1 entered promiscuous mode
[ 971.551128][ T8028] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 971.561498][ T8028] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 971.579851][ T8028] team0: Port device team_slave_0 added
[ 971.586954][ T8028] team0: Port device team_slave_1 added
[ 971.633640][ T8028] device hsr_slave_0 entered promiscuous mode
[ 971.671578][ T8028] device hsr_slave_1 entered promiscuous mode
[ 971.728330][ T8028] bridge0: port 2(bridge_slave_1) entered blocking state
[ 971.735674][ T8028] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 971.743800][ T8028] bridge0: port 1(bridge_slave_0) entered blocking state
[ 971.750853][ T8028] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 971.779794][ T8028] 8021q: adding VLAN 0 to HW filter on device bond0
[ 971.792604][ T8032] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 971.803156][ T8032] bridge0: port 1(bridge_slave_0) entered disabled state
[ 971.812540][ T8032] bridge0: port 2(bridge_slave_1) entered disabled state
[ 971.820551][ T8032] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 971.832536][ T8028] 8021q: adding VLAN 0 to HW filter on device team0
[ 971.842374][ T8031] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 971.850872][ T8031] bridge0: port 1(bridge_slave_0) entered blocking state
[ 971.857992][ T8031] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 971.868241][ T8032] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 971.877614][ T8032] bridge0: port 2(bridge_slave_1) entered blocking state
[ 971.884707][ T8032] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 971.903311][ T80] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 971.912170][ T80] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 971.920878][ T80] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 971.932758][ T80] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 971.942833][ T8033] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 971.953716][ T8028] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 971.969006][ T8028] 8021q: adding VLAN 0 to HW filter on device batadv0
2019/10/22 10:47:32 executed programs: 148
2019/10/22 10:47:37 executed programs: 319
2019/10/22 10:47:42 executed programs: 491
2019/10/22 10:47:47 executed programs: 662
[ 992.521068][T10861] ==================================================================
[ 992.529594][T10861] BUG: KASAN: use-after-free in fuse_request_end+0x7f/0xfe0
[ 992.536861][T10861] Read of size 8 at addr ffff88809f8b7f68 by task syz-executor.0/10861
[ 992.545097][T10861]
[ 992.547430][T10861] CPU: 1 PID: 10861 Comm: syz-executor.0 Not tainted 5.4.0-rc4 #0
[ 992.555206][T10861] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 992.565240][T10861] Call Trace:
[ 992.568619][T10861]  dump_stack+0x1d8/0x2f8
[ 992.572979][T10861]  print_address_description+0x75/0x5c0
[ 992.578546][T10861]  ? vprintk_default+0x28/0x30
[ 992.583322][T10861]  ? vprintk_func+0x158/0x170
[ 992.587974][T10861]  ? printk+0x62/0x8d
[ 992.591958][T10861]  __kasan_report+0x14b/0x1c0
[ 992.596622][T10861]  ? fuse_request_end+0x7f/0xfe0
[ 992.601540][T10861]  kasan_report+0x26/0x50
[ 992.605909][T10861]  __asan_report_load8_noabort+0x14/0x20
[ 992.611521][T10861]  fuse_request_end+0x7f/0xfe0
[ 992.616266][T10861]  ? __kasan_check_read+0x11/0x20
[ 992.621331][T10861]  ? do_raw_spin_unlock+0x49/0x260
[ 992.626434][T10861]  fuse_dev_do_read+0x29ce/0x43a0
[ 992.631447][T10861]  fuse_dev_read+0x123/0x1a0
[ 992.636098][T10861]  __vfs_read+0x59e/0x730
[ 992.640428][T10861]  vfs_read+0x1dd/0x420
[ 992.644618][T10861]  ksys_read+0x117/0x220
[ 992.648840][T10861]  __x64_sys_read+0x7b/0x90
[ 992.653370][T10861]  do_syscall_64+0xf7/0x1c0
[ 992.657906][T10861]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 992.663779][T10861] RIP: 0033:0x459cd9
[ 992.667649][T10861] Code: fd b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 992.687237][T10861] RSP: 002b:00007f9841cefc78 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
[ 992.695804][T10861] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000459cd9
[ 992.703759][T10861] RDX: 00000000fffffed0 RSI: 00000000200030c0 RDI: 0000000000000003
[ 992.711729][T10861] RBP: 000000000075bfc8 R08: 0000000000000000 R09: 0000000000000000
[ 992.719758][T10861] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f9841cf06d4
[ 992.727728][T10861] R13: 00000000004c7366 R14: 00000000004dce30 R15: 00000000ffffffff
[ 992.735760][T10861]
[ 992.738071][T10861] Allocated by task 10861:
[ 992.742482][T10861]  __kasan_kmalloc+0x11c/0x1b0
[ 992.747264][T10861]  kasan_kmalloc+0x9/0x10
[ 992.751635][T10861]  kmem_cache_alloc_trace+0x221/0x2f0
[ 992.756997][T10861]  fuse_send_init+0x54/0x450
[ 992.761568][T10861]  fuse_fill_super+0x314/0x450
[ 992.766321][T10861]  get_tree_nodev+0xb7/0x170
[ 992.770981][T10861]  fuse_get_tree+0x92/0xe0
[ 992.775379][T10861]  vfs_get_tree+0x8b/0x2a0
[ 992.779828][T10861]  do_mount+0x16c0/0x2510
[ 992.784132][T10861]  ksys_mount+0xcc/0x100
[ 992.788522][T10861]  __x64_sys_mount+0xbf/0xd0
[ 992.793103][T10861]  do_syscall_64+0xf7/0x1c0
[ 992.797580][T10861]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 992.803447][T10861]
[ 992.805753][T10861] Freed by task 10860:
[ 992.809805][T10861]  __kasan_slab_free+0x12a/0x1e0
[ 992.814727][T10861]  kasan_slab_free+0xe/0x10
[ 992.819208][T10861]  kfree+0x115/0x200
[ 992.823079][T10861]  process_init_reply+0x1136/0x1ae0
[ 992.828266][T10861]  fuse_request_end+0x3ad/0xfe0
[ 992.833092][T10861]  fuse_abort_conn+0x14b5/0x1610
[ 992.838004][T10861]  fuse_kill_sb_anon+0x130/0x220
[ 992.842928][T10861]  deactivate_locked_super+0xa8/0x100
[ 992.848278][T10861]  deactivate_super+0x16c/0x200
[ 992.853117][T10861]  cleanup_mnt+0x43b/0x4f0
[ 992.857527][T10861]  __cleanup_mnt+0x19/0x20
[ 992.861999][T10861]  task_work_run+0x17e/0x1b0
[ 992.866590][T10861]  prepare_exit_to_usermode+0x459/0x580
[ 992.872405][T10861]  syscall_return_slowpath+0x113/0x4a0
[ 992.877846][T10861]  do_syscall_64+0x11f/0x1c0
[ 992.882425][T10861]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 992.888479][T10861]
[ 992.890796][T10861] The buggy address belongs to the object at ffff88809f8b7f00
[ 992.890796][T10861]  which belongs to the cache kmalloc-192 of size 192
[ 992.904834][T10861] The buggy address is located 104 bytes inside of
[ 992.904834][T10861]  192-byte region [ffff88809f8b7f00, ffff88809f8b7fc0)
[ 992.918088][T10861] The buggy address belongs to the page:
[ 992.923700][T10861] page:ffffea00027e2dc0 refcount:1 mapcount:0 mapping:ffff8880aa400000 index:0xffff88809f8b7200
[ 992.934084][T10861] flags: 0x1fffc0000000200(slab)
[ 992.939014][T10861] raw: 01fffc0000000200 ffffea00027a1348 ffffea0002925188 ffff8880aa400000
[ 992.947593][T10861] raw: ffff88809f8b7200 ffff88809f8b7000 0000000100000007 0000000000000000
[ 992.956237][T10861] page dumped because: kasan: bad access detected
[ 992.962636][T10861]
[ 992.964946][T10861] Memory state around the buggy address:
[ 992.970563][T10861]  ffff88809f8b7e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 992.978601][T10861]  ffff88809f8b7e80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 992.986644][T10861] >ffff88809f8b7f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 992.994688][T10861]                                                  ^
[ 993.002119][T10861]  ffff88809f8b7f80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 993.010153][T10861]  ffff88809f8b8000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 993.018188][T10861] ==================================================================
[ 993.026221][T10861] Disabling lock debugging due to kernel taint
[ 993.034948][T10861] Kernel panic - not syncing: panic_on_warn set ...
[ 993.041588][T10861] CPU: 1 PID: 10861 Comm: syz-executor.0 Tainted: G B 5.4.0-rc4 #0
[ 993.050837][T10861] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 993.061165][T10861] Call Trace:
[ 993.064454][T10861]  dump_stack+0x1d8/0x2f8
[ 993.068816][T10861]  panic+0x264/0x7a9
[ 993.073140][T10861]  ? __kasan_report+0x195/0x1c0
[ 993.078030][T10861]  ? trace_hardirqs_on+0x34/0x80
[ 993.082953][T10861]  ? __kasan_report+0x195/0x1c0
[ 993.087776][T10861]  __kasan_report+0x1bb/0x1c0
[ 993.092457][T10861]  ? fuse_request_end+0x7f/0xfe0
[ 993.097371][T10861]  kasan_report+0x26/0x50
[ 993.101681][T10861]  __asan_report_load8_noabort+0x14/0x20
[ 993.107306][T10861]  fuse_request_end+0x7f/0xfe0
[ 993.112059][T10861]  ? __kasan_check_read+0x11/0x20
[ 993.117059][T10861]  ? do_raw_spin_unlock+0x49/0x260
[ 993.122169][T10861]  fuse_dev_do_read+0x29ce/0x43a0
[ 993.127172][T10861]  fuse_dev_read+0x123/0x1a0
[ 993.131760][T10861]  __vfs_read+0x59e/0x730
[ 993.136081][T10861]  vfs_read+0x1dd/0x420
[ 993.140210][T10861]  ksys_read+0x117/0x220
[ 993.144430][T10861]  __x64_sys_read+0x7b/0x90
[ 993.148909][T10861]  do_syscall_64+0xf7/0x1c0
[ 993.153387][T10861]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 993.159256][T10861] RIP: 0033:0x459cd9
[ 993.163126][T10861] Code: fd b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 993.183225][T10861] RSP: 002b:00007f9841cefc78 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
[ 993.191617][T10861] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000459cd9
[ 993.199598][T10861] RDX: 00000000fffffed0 RSI: 00000000200030c0 RDI: 0000000000000003
[ 993.207692][T10861] RBP: 000000000075bfc8 R08: 0000000000000000 R09: 0000000000000000
[ 993.215645][T10861] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f9841cf06d4
[ 993.223604][T10861] R13: 00000000004c7366 R14: 00000000004dce30 R15: 00000000ffffffff
[ 993.233375][T10861] Kernel Offset: disabled
[ 993.237703][T10861] Rebooting in 86400 seconds..