[ 62.098651][ T25] audit: type=1800 audit(1575342089.465:25): pid=8830 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="cron" dev="sda1" ino=2414 res=0
[ 62.118510][ T25] audit: type=1800 audit(1575342089.475:26): pid=8830 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0
[ 62.180656][ T25] audit: type=1800 audit(1575342089.475:27): pid=8830 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0
[ ok ] Starting periodic command scheduler: cron.
[ 62.768835][ T8897] sshd (8897) used greatest stack depth: 22888 bytes left
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.149' (ECDSA) to the list of known hosts.
executing program
syzkaller login:
[ 74.008220][ T8984] ==================================================================
[ 74.016431][ T8984] BUG: KASAN: slab-out-of-bounds in pipe_write+0xe30/0x1000
[ 74.023702][ T8984] Write of size 8 at addr ffff8880a2cb6b28 by task syz-executor127/8984
[ 74.032000][ T8984]
[ 74.034332][ T8984] CPU: 0 PID: 8984 Comm: syz-executor127 Not tainted 5.4.0-syzkaller #0
[ 74.042674][ T8984] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 74.052715][ T8984] Call Trace:
[ 74.056000][ T8984] dump_stack+0x197/0x210
[ 74.060440][ T8984] ? pipe_write+0xe30/0x1000
[ 74.065036][ T8984] print_address_description.constprop.0.cold+0xd4/0x30b
[ 74.072180][ T8984] ? pipe_write+0xe30/0x1000
[ 74.076753][ T8984] ? pipe_write+0xe30/0x1000
[ 74.081323][ T8984] __kasan_report.cold+0x1b/0x41
[ 74.086251][ T8984] ? pipe_write+0xe30/0x1000
[ 74.090835][ T8984] kasan_report+0x12/0x20
[ 74.095145][ T8984] __asan_report_store8_noabort+0x17/0x20
[ 74.100846][ T8984] pipe_write+0xe30/0x1000
[ 74.105264][ T8984] new_sync_write+0x4d3/0x770
[ 74.109929][ T8984] ? new_sync_read+0x800/0x800
[ 74.114684][ T8984] ? __fget+0x37f/0x550
[ 74.118837][ T8984] ? apparmor_file_permission+0x25/0x30
[ 74.124370][ T8984] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 74.130595][ T8984] ? security_file_permission+0x8f/0x380
[ 74.136231][ T8984] __vfs_write+0xe1/0x110
[ 74.140585][ T8984] vfs_write+0x268/0x5d0
[ 74.144826][ T8984] ksys_write+0x220/0x290
[ 74.149132][ T8984] ? __ia32_sys_read+0xb0/0xb0
[ 74.153875][ T8984] ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 74.159307][ T8984] ? do_syscall_64+0x26/0x790
[ 74.163973][ T8984] ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 74.170015][ T8984] ? do_syscall_64+0x26/0x790
[ 74.174672][ T8984] __x64_sys_write+0x73/0xb0
[ 74.179241][ T8984] do_syscall_64+0xfa/0x790
[ 74.183727][ T8984] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 74.189603][ T8984] RIP: 0033:0x4466c9
[ 74.193480][ T8984] Code: e8 5c b3 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 0b 08 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 74.213070][ T8984] RSP: 002b:00007f3fe6a78db8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[ 74.221463][ T8984] RAX: ffffffffffffffda RBX: 00000000006dbc28 RCX: 00000000004466c9
[ 74.229410][ T8984] RDX: 00000000fffffef3 RSI: 00000000200001c0 RDI: 0000000000000004
[ 74.237356][ T8984] RBP: 00000000006dbc20 R08: 0000000000000000 R09: 0000000000000000
[ 74.245308][ T8984] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dbc2c
[ 74.253267][ T8984] R13: 00007ffecc47d9bf R14: 00007f3fe6a799c0 R15: 20c49ba5e353f7cf
[ 74.261231][ T8984]
[ 74.263536][ T8984] Allocated by task 8986:
[ 74.267856][ T8984] save_stack+0x23/0x90
[ 74.271986][ T8984] __kasan_kmalloc.constprop.0+0xcf/0xe0
[ 74.277592][ T8984] kasan_kmalloc+0x9/0x10
[ 74.281904][ T8984] __kmalloc+0x163/0x770
[ 74.286131][ T8984] pipe_fcntl+0x3f7/0x8e0
[ 74.290448][ T8984] do_fcntl+0x255/0x1030
[ 74.294669][ T8984] __x64_sys_fcntl+0x16d/0x1e0
[ 74.299495][ T8984] do_syscall_64+0xfa/0x790
[ 74.303980][ T8984] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 74.309841][ T8984]
[ 74.312153][ T8984] Freed by task 0:
[ 74.315852][ T8984] (stack is not available)
[ 74.320236][ T8984]
[ 74.322553][ T8984] The buggy address belongs to the object at ffff8880a2cb6b00
[ 74.322553][ T8984]  which belongs to the cache kmalloc-64 of size 64
[ 74.336418][ T8984] The buggy address is located 40 bytes inside of
[ 74.336418][ T8984]  64-byte region [ffff8880a2cb6b00, ffff8880a2cb6b40)
[ 74.349488][ T8984] The buggy address belongs to the page:
[ 74.355098][ T8984] page:ffffea00028b2d80 refcount:1 mapcount:0 mapping:ffff8880aa400380 index:0x0
[ 74.364185][ T8984] raw: 00fffe0000000200 ffffea0002a05188 ffffea0002553c48 ffff8880aa400380
[ 74.372753][ T8984] raw: 0000000000000000 ffff8880a2cb6000 0000000100000020 0000000000000000
[ 74.381309][ T8984] page dumped because: kasan: bad access detected
[ 74.387693][ T8984]
[ 74.390003][ T8984] Memory state around the buggy address:
[ 74.395607][ T8984]  ffff8880a2cb6a00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 74.403651][ T8984]  ffff8880a2cb6a80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 74.411695][ T8984] >ffff8880a2cb6b00: 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc
[ 74.420159][ T8984]                                   ^
[ 74.425533][ T8984]  ffff8880a2cb6b80: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
[ 74.433568][ T8984]  ffff8880a2cb6c00: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc
[ 74.441598][ T8984] ==================================================================
[ 74.449631][ T8984] Disabling lock debugging due to kernel taint
[ 74.455862][ T8984] Kernel panic - not syncing: panic_on_warn set ...
[ 74.462449][ T8984] CPU: 0 PID: 8984 Comm: syz-executor127 Tainted: G B 5.4.0-syzkaller #0
[ 74.472148][ T8984] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 74.482179][ T8984] Call Trace:
[ 74.485456][ T8984] dump_stack+0x197/0x210
[ 74.489762][ T8984] panic+0x2e3/0x75c
[ 74.493645][ T8984] ? add_taint.cold+0x16/0x16
[ 74.498300][ T8984] ? pipe_write+0xe30/0x1000
[ 74.502867][ T8984] ? preempt_schedule+0x4b/0x60
[ 74.507696][ T8984] ? ___preempt_schedule+0x16/0x18
[ 74.512785][ T8984] ? trace_hardirqs_on+0x5e/0x240
[ 74.517788][ T8984] ? pipe_write+0xe30/0x1000
[ 74.522369][ T8984] end_report+0x47/0x4f
[ 74.526500][ T8984] ? pipe_write+0xe30/0x1000
[ 74.531065][ T8984] __kasan_report.cold+0xe/0x41
[ 74.535890][ T8984] ? pipe_write+0xe30/0x1000
[ 74.540458][ T8984] kasan_report+0x12/0x20
[ 74.544774][ T8984] __asan_report_store8_noabort+0x17/0x20
[ 74.550480][ T8984] pipe_write+0xe30/0x1000
[ 74.554877][ T8984] new_sync_write+0x4d3/0x770
[ 74.559541][ T8984] ? new_sync_read+0x800/0x800
[ 74.564306][ T8984] ? __fget+0x37f/0x550
[ 74.568451][ T8984] ? apparmor_file_permission+0x25/0x30
[ 74.573972][ T8984] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 74.580198][ T8984] ? security_file_permission+0x8f/0x380
[ 74.585819][ T8984] __vfs_write+0xe1/0x110
[ 74.590127][ T8984] vfs_write+0x268/0x5d0
[ 74.594358][ T8984] ksys_write+0x220/0x290
[ 74.598663][ T8984] ? __ia32_sys_read+0xb0/0xb0
[ 74.603413][ T8984] ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 74.608855][ T8984] ? do_syscall_64+0x26/0x790
[ 74.613518][ T8984] ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 74.619559][ T8984] ? do_syscall_64+0x26/0x790
[ 74.624224][ T8984] __x64_sys_write+0x73/0xb0
[ 74.628803][ T8984] do_syscall_64+0xfa/0x790
[ 74.633292][ T8984] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 74.639158][ T8984] RIP: 0033:0x4466c9
[ 74.643037][ T8984] Code: e8 5c b3 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 0b 08 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 74.662620][ T8984] RSP: 002b:00007f3fe6a78db8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[ 74.671014][ T8984] RAX: ffffffffffffffda RBX: 00000000006dbc28 RCX: 00000000004466c9
[ 74.678962][ T8984] RDX: 00000000fffffef3 RSI: 00000000200001c0 RDI: 0000000000000004
[ 74.686912][ T8984] RBP: 00000000006dbc20 R08: 0000000000000000 R09: 0000000000000000
[ 74.694860][ T8984] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dbc2c
[ 74.702809][ T8984] R13: 00007ffecc47d9bf R14: 00007f3fe6a799c0 R15: 20c49ba5e353f7cf
[ 74.712110][ T8984] Kernel Offset: disabled
[ 74.716437][ T8984] Rebooting in 86400 seconds..