Warning: Permanently added '10.128.0.103' (ECDSA) to the list of known hosts.
2018/10/13 13:16:01 parsed 1 programs
2018/10/13 13:16:02 executed programs: 0
syzkaller login: [ 91.127084] IPVS: ftp: loaded support on port[0] = 21
[ 91.376626] bridge0: port 1(bridge_slave_0) entered blocking state
[ 91.383236] bridge0: port 1(bridge_slave_0) entered disabled state
[ 91.390821] device bridge_slave_0 entered promiscuous mode
[ 91.409031] bridge0: port 2(bridge_slave_1) entered blocking state
[ 91.415583] bridge0: port 2(bridge_slave_1) entered disabled state
[ 91.422481] device bridge_slave_1 entered promiscuous mode
[ 91.440293] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[ 91.458891] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[ 91.507822] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 91.529477] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 91.608456] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 91.615968] team0: Port device team_slave_0 added
[ 91.632896] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 91.640272] team0: Port device team_slave_1 added
[ 91.658715] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 91.679112] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 91.697995] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 91.718474] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[ 91.865580] bridge0: port 2(bridge_slave_1) entered blocking state
[ 91.872050] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 91.879205] bridge0: port 1(bridge_slave_0) entered blocking state
[ 91.885569] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 92.412048] 8021q: adding VLAN 0 to HW filter on device bond0
[ 92.466463] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 92.518579] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
[ 92.525412] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 92.532430] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 92.584787] 8021q: adding VLAN 0 to HW filter on device team0
2018/10/13 13:16:07 executed programs: 41
2018/10/13 13:16:12 executed programs: 104
2018/10/13 13:16:17 executed programs: 168
2018/10/13 13:16:22 executed programs: 232
2018/10/13 13:16:27 executed programs: 298
2018/10/13 13:16:32 executed programs: 363
2018/10/13 13:16:38 executed programs: 427
2018/10/13 13:16:43 executed programs: 491
2018/10/13 13:16:48 executed programs: 556
2018/10/13 13:16:53 executed programs: 621
2018/10/13 13:16:58 executed programs: 684
2018/10/13 13:17:03 executed programs: 749
2018/10/13 13:17:08 executed programs: 814
2018/10/13 13:17:13 executed programs: 879
2018/10/13 13:17:18 executed programs: 944
[ 171.437594] ==================================================================
[ 171.445064] BUG: KASAN: use-after-free in __lock_acquire+0x37c2/0x4ec0
[ 171.451730] Read of size 8 at addr ffff8801b0b2b910 by task syz-executor0/10365
[ 171.459246]
[ 171.460867] CPU: 1 PID: 10365 Comm: syz-executor0 Not tainted 4.19.0-rc7+ #58
[ 171.468116] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 171.477452] Call Trace:
[ 171.480033] dump_stack+0x1c4/0x2b4
[ 171.483674] ? dump_stack_print_info.cold.2+0x52/0x52
[ 171.488866] ? printk+0xa7/0xcf
[ 171.492161] ? kmsg_dump_rewind_nolock+0xe4/0xe4
[ 171.496917] print_address_description.cold.8+0x9/0x1ff
[ 171.502266] kasan_report.cold.9+0x242/0x309
[ 171.506660] ? __lock_acquire+0x37c2/0x4ec0
[ 171.510973] __asan_report_load8_noabort+0x14/0x20
[ 171.515991] __lock_acquire+0x37c2/0x4ec0
[ 171.520132] ? __free_pages+0x149/0x190
[ 171.524166] ? free_unref_page+0x960/0x960
[ 171.528501] ? mark_held_locks+0x130/0x130
[ 171.532738] ? kasan_check_write+0x14/0x20
[ 171.536961] ? finish_task_switch+0x616/0x900
[ 171.541444] ? __switch_to_asm+0x40/0x70
[ 171.545505] ? preempt_notifier_register+0x200/0x200
[ 171.550606] ? __switch_to_asm+0x34/0x70
[ 171.554652] ? __switch_to_asm+0x34/0x70
[ 171.558696] ? __switch_to_asm+0x40/0x70
[ 171.562744] ? __switch_to_asm+0x34/0x70
[ 171.566789] ? __switch_to_asm+0x40/0x70
[ 171.570849] ? __switch_to_asm+0x34/0x70
[ 171.575002] ? __switch_to_asm+0x40/0x70
[ 171.579052] ? __switch_to_asm+0x34/0x70
[ 171.583097] ? __switch_to_asm+0x34/0x70
[ 171.587148] ? __switch_to_asm+0x40/0x70
[ 171.591200] ? __switch_to_asm+0x34/0x70
[ 171.595246] ? __switch_to_asm+0x40/0x70
[ 171.599292] ? __switch_to_asm+0x34/0x70
[ 171.603337] ? __switch_to_asm+0x40/0x70
[ 171.607395] ? __schedule+0x874/0x1ed0
[ 171.611284] ? trace_hardirqs_off+0x310/0x310
[ 171.615763] ? graph_lock+0x170/0x170
[ 171.619562] ? __sched_text_start+0x8/0x8
[ 171.623696] ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 171.628452] ? mark_held_locks+0xc7/0x130
[ 171.632588] lock_acquire+0x1ed/0x520
[ 171.636378] ? vhost_transport_send_pkt+0x12e/0x380
[ 171.641378] ? lock_release+0x970/0x970
[ 171.645345] ? preempt_schedule+0x4d/0x60
[ 171.649489] ? ___preempt_schedule+0x16/0x18
[ 171.653897] ? __local_bh_enable_ip+0x1a3/0x260
[ 171.658551] _raw_spin_lock_bh+0x31/0x40
[ 171.662682] ? vhost_transport_send_pkt+0x12e/0x380
[ 171.667687] vhost_transport_send_pkt+0x12e/0x380
[ 171.672517] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 171.678059] ? vhost_vsock_dev_open+0x5a0/0x5a0
[ 171.682710] ? virtio_transport_send_pkt_info+0x2e7/0x460
[ 171.688242] ? __local_bh_enable_ip+0x160/0x260
[ 171.692923] virtio_transport_send_pkt_info+0x31d/0x460
[ 171.698367] virtio_transport_connect+0x17c/0x220
[ 171.703200] ? virtio_transport_send_pkt_info+0x460/0x460
[ 171.709134] ? vsock_auto_bind+0xa9/0xe0
[ 171.713226] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[ 171.718766] vsock_stream_connect+0x4ed/0xe40
[ 171.723273] ? vsock_dgram_connect+0x500/0x500
[ 171.727850] ? lock_downgrade+0x900/0x900
[ 171.731980] ? lock_release+0x970/0x970
[ 171.735947] ? arch_local_save_flags+0x40/0x40
[ 171.740567] ? finish_wait+0x430/0x430
[ 171.744481] ? __sanitizer_cov_trace_switch+0x53/0x90
[ 171.749654] ? smack_socket_connect+0x13f/0x1c0
[ 171.754321] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 171.759869] ? security_socket_connect+0x94/0xc0
[ 171.764609] __sys_connect+0x37d/0x4c0
[ 171.768495] ? __ia32_sys_accept+0xb0/0xb0
[ 171.772716] ? kasan_check_read+0x11/0x20
[ 171.776875] ? _copy_to_user+0xc8/0x110
[ 171.780844] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 171.786376] ? put_timespec64+0x10f/0x1b0
[ 171.790545] ? do_syscall_64+0x9a/0x820
[ 171.794522] ? do_syscall_64+0x9a/0x820
[ 171.798481] ? lockdep_hardirqs_on+0x421/0x5c0
[ 171.803077] ? trace_hardirqs_on+0xbd/0x310
[ 171.807383] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 171.812958] ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 171.818316] ? __bpf_trace_preemptirq_template+0x30/0x30
[ 171.823764] __x64_sys_connect+0x73/0xb0
[ 171.827928] do_syscall_64+0x1b9/0x820
[ 171.831807] ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[ 171.837155] ? syscall_return_slowpath+0x5e0/0x5e0
[ 171.842068] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 171.846921] ? trace_hardirqs_on_caller+0x310/0x310
[ 171.852039] ? prepare_exit_to_usermode+0x3b0/0x3b0
[ 171.857240] ? prepare_exit_to_usermode+0x291/0x3b0
[ 171.862257] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 171.867090] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 171.872266] RIP: 0033:0x457569
[ 171.875446] Code: fd b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 171.894330] RSP: 002b:00007f1c12548c78 EFLAGS: 00000246 ORIG_RAX: 000000000000002a
[ 171.902074] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000457569
[ 171.909339] RDX: 0000000000000010 RSI: 0000000020000200 RDI: 0000000000000008
[ 171.916602] RBP: 000000000072bf00 R08: 0000000000000000 R09: 0000000000000000
[ 171.923865] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f1c125496d4
[ 171.931121] R13: 00000000004bdb06 R14: 00000000004cc658 R15: 00000000ffffffff
[ 171.938387]
[ 171.940000] Allocated by task 10365:
[ 171.943702] save_stack+0x43/0xd0
[ 171.947237] kasan_kmalloc+0xc7/0xe0
[ 171.950933] __kmalloc_node+0x47/0x70
[ 171.954776] kvmalloc_node+0xb9/0xf0
[ 171.958625] vhost_vsock_dev_open+0xa2/0x5a0
[ 171.963104] misc_open+0x3ca/0x560
[ 171.966695] chrdev_open+0x25a/0x710
[ 171.970528] do_dentry_open+0x499/0x1250
[ 171.974575] vfs_open+0xa0/0xd0
[ 171.977852] path_openat+0x12bf/0x5160
[ 171.981726] do_filp_open+0x255/0x380
[ 171.985651] do_sys_open+0x568/0x700
[ 171.989348] __x64_sys_openat+0x9d/0x100
[ 171.993394] do_syscall_64+0x1b9/0x820
[ 171.997269] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 172.002547]
[ 172.004157] Freed by task 10363:
[ 172.007530] save_stack+0x43/0xd0
[ 172.010979] __kasan_slab_free+0x102/0x150
[ 172.015201] kasan_slab_free+0xe/0x10
[ 172.019002] kfree+0xcf/0x230
[ 172.022104] kvfree+0x61/0x70
[ 172.025195] vhost_vsock_dev_release+0x4f4/0x720
[ 172.029996] __fput+0x385/0xa30
[ 172.033262] ____fput+0x15/0x20
[ 172.036545] task_work_run+0x1e8/0x2a0
[ 172.040431] exit_to_usermode_loop+0x318/0x380
[ 172.045063] do_syscall_64+0x6be/0x820
[ 172.048945] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 172.054112]
[ 172.055728] The buggy address belongs to the object at ffff8801b0b22c00
[ 172.055728] which belongs to the cache kmalloc-65536 of size 65536
[ 172.068719] The buggy address is located 36112 bytes inside of
[ 172.068719] 65536-byte region [ffff8801b0b22c00, ffff8801b0b32c00)
[ 172.080922] The buggy address belongs to the page:
[ 172.085865] page:ffffea0006c2c800 count:1 mapcount:0 mapping:ffff8801da802500 index:0x0 compound_mapcount: 0
[ 172.095819] flags: 0x2fffc0000008100(slab|head)
[ 172.100485] raw: 02fffc0000008100 ffffea0006bcd008 ffff8801da801e48 ffff8801da802500
[ 172.108351] raw: 0000000000000000 ffff8801b0b22c00 0000000100000001 0000000000000000
[ 172.116210] page dumped because: kasan: bad access detected
[ 172.122023]
[ 172.123641] Memory state around the buggy address:
[ 172.128555] ffff8801b0b2b800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 172.135934] ffff8801b0b2b880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 172.143283] >ffff8801b0b2b900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 172.150623] ^
[ 172.154503] ffff8801b0b2b980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 172.161854] ffff8801b0b2ba00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 172.169193] ==================================================================
[ 172.176536] Disabling lock debugging due to kernel taint
[ 172.181965] Kernel panic - not syncing: panic_on_warn set ...
[ 172.181965]
[ 172.189316] CPU: 1 PID: 10365 Comm: syz-executor0 Tainted: G B 4.19.0-rc7+ #58
[ 172.197977] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 172.207541] Call Trace:
[ 172.210143] dump_stack+0x1c4/0x2b4
[ 172.213772] ? dump_stack_print_info.cold.2+0x52/0x52
[ 172.218980] ? lock_downgrade+0x900/0x900
[ 172.223124] panic+0x238/0x4e7
[ 172.226314] ? add_taint.cold.5+0x16/0x16
[ 172.230453] ? add_taint.cold.5+0x5/0x16
[ 172.234501] ? trace_hardirqs_off+0xaf/0x310
[ 172.238901] kasan_end_report+0x47/0x4f
[ 172.242869] kasan_report.cold.9+0x76/0x309
[ 172.247176] ? __lock_acquire+0x37c2/0x4ec0
[ 172.251484] __asan_report_load8_noabort+0x14/0x20
[ 172.256401] __lock_acquire+0x37c2/0x4ec0
[ 172.260555] ? __free_pages+0x149/0x190
[ 172.264569] ? free_unref_page+0x960/0x960
[ 172.268806] ? mark_held_locks+0x130/0x130
[ 172.273152] ? kasan_check_write+0x14/0x20
[ 172.277374] ? finish_task_switch+0x616/0x900
[ 172.281862] ? __switch_to_asm+0x40/0x70
[ 172.285909] ? preempt_notifier_register+0x200/0x200
[ 172.290996] ? __switch_to_asm+0x34/0x70
[ 172.295042] ? __switch_to_asm+0x34/0x70
[ 172.299312] ? __switch_to_asm+0x40/0x70
[ 172.303405] ? __switch_to_asm+0x34/0x70
[ 172.307468] ? __switch_to_asm+0x40/0x70
[ 172.311513] ? __switch_to_asm+0x34/0x70
[ 172.315576] ? __switch_to_asm+0x40/0x70
[ 172.319702] ? __switch_to_asm+0x34/0x70
[ 172.323754] ? __switch_to_asm+0x34/0x70
[ 172.327808] ? __switch_to_asm+0x40/0x70
[ 172.331906] ? __switch_to_asm+0x34/0x70
[ 172.336041] ? __switch_to_asm+0x40/0x70
[ 172.340098] ? __switch_to_asm+0x34/0x70
[ 172.344161] ? __switch_to_asm+0x40/0x70
[ 172.348212] ? __schedule+0x874/0x1ed0
[ 172.352102] ? trace_hardirqs_off+0x310/0x310
[ 172.356587] ? graph_lock+0x170/0x170
[ 172.360377] ? __sched_text_start+0x8/0x8
[ 172.364525] ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 172.369284] ? mark_held_locks+0xc7/0x130
[ 172.373421] lock_acquire+0x1ed/0x520
[ 172.377215] ? vhost_transport_send_pkt+0x12e/0x380
[ 172.382242] ? lock_release+0x970/0x970
[ 172.386217] ? preempt_schedule+0x4d/0x60
[ 172.390351] ? ___preempt_schedule+0x16/0x18
[ 172.394770] ? __local_bh_enable_ip+0x1a3/0x260
[ 172.399424] _raw_spin_lock_bh+0x31/0x40
[ 172.403537] ? vhost_transport_send_pkt+0x12e/0x380
[ 172.408539] vhost_transport_send_pkt+0x12e/0x380
[ 172.413370] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 172.418888] ? vhost_vsock_dev_open+0x5a0/0x5a0
[ 172.423543] ? virtio_transport_send_pkt_info+0x2e7/0x460
[ 172.429074] ? __local_bh_enable_ip+0x160/0x260
[ 172.433728] virtio_transport_send_pkt_info+0x31d/0x460
[ 172.439101] virtio_transport_connect+0x17c/0x220
[ 172.444107] ? virtio_transport_send_pkt_info+0x460/0x460
[ 172.449635] ? vsock_auto_bind+0xa9/0xe0
[ 172.453694] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[ 172.459215] vsock_stream_connect+0x4ed/0xe40
[ 172.463742] ? vsock_dgram_connect+0x500/0x500
[ 172.468413] ? lock_downgrade+0x900/0x900
[ 172.472548] ? lock_release+0x970/0x970
[ 172.476513] ? arch_local_save_flags+0x40/0x40
[ 172.481082] ? finish_wait+0x430/0x430
[ 172.484959] ? __sanitizer_cov_trace_switch+0x53/0x90
[ 172.490139] ? smack_socket_connect+0x13f/0x1c0
[ 172.494796] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 172.500340] ? security_socket_connect+0x94/0xc0
[ 172.505092] __sys_connect+0x37d/0x4c0
[ 172.508962] ? __ia32_sys_accept+0xb0/0xb0
[ 172.513180] ? kasan_check_read+0x11/0x20
[ 172.517328] ? _copy_to_user+0xc8/0x110
[ 172.521307] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 172.526842] ? put_timespec64+0x10f/0x1b0
[ 172.530980] ? do_syscall_64+0x9a/0x820
[ 172.534938] ? do_syscall_64+0x9a/0x820
[ 172.539014] ? lockdep_hardirqs_on+0x421/0x5c0
[ 172.543595] ? trace_hardirqs_on+0xbd/0x310
[ 172.547900] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 172.553523] ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 172.558876] ? __bpf_trace_preemptirq_template+0x30/0x30
[ 172.564410] __x64_sys_connect+0x73/0xb0
[ 172.568483] do_syscall_64+0x1b9/0x820
[ 172.572369] ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[ 172.577734] ? syscall_return_slowpath+0x5e0/0x5e0
[ 172.582647] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 172.587486] ? trace_hardirqs_on_caller+0x310/0x310
[ 172.592501] ? prepare_exit_to_usermode+0x3b0/0x3b0
[ 172.597503] ? prepare_exit_to_usermode+0x291/0x3b0
[ 172.602504] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 172.607336] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 172.612508] RIP: 0033:0x457569
[ 172.615699] Code: fd b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 172.634743] RSP: 002b:00007f1c12548c78 EFLAGS: 00000246 ORIG_RAX: 000000000000002a
[ 172.642438] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000457569
[ 172.649762] RDX: 0000000000000010 RSI: 0000000020000200 RDI: 0000000000000008
[ 172.657020] RBP: 000000000072bf00 R08: 0000000000000000 R09: 0000000000000000
[ 172.664288] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f1c125496d4
[ 172.671539] R13: 00000000004bdb06 R14: 00000000004cc658 R15: 00000000ffffffff
[ 172.679708] Kernel Offset: disabled
[ 172.683328] Rebooting in 86400 seconds..