[ 20.614146] audit: type=1800 audit(1539496900.008:21): pid=5107 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="bootlogs" dev="sda1" ino=2419 res=0
[ 20.650067] audit: type=1800 audit(1539496900.008:22): pid=5107 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="motd" dev="sda1" ino=2447 res=0
[ 20.689465] audit: type=1800 audit(1539496900.008:23): pid=5107 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="rsyslog" dev="sda1" ino=2442 res=0
[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.109' (ECDSA) to the list of known hosts.
2018/10/14 06:09:10 parsed 1 programs
2018/10/14 06:09:12 executed programs: 0
syzkaller login: [ 473.151751] IPVS: ftp: loaded support on port[0] = 21
[ 473.367215] bridge0: port 1(bridge_slave_0) entered blocking state
[ 473.374225] bridge0: port 1(bridge_slave_0) entered disabled state
[ 473.381905] device bridge_slave_0 entered promiscuous mode
[ 473.398353] bridge0: port 2(bridge_slave_1) entered blocking state
[ 473.404793] bridge0: port 2(bridge_slave_1) entered disabled state
[ 473.412071] device bridge_slave_1 entered promiscuous mode
[ 473.428486] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[ 473.445414] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[ 473.489463] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 473.497940] ip (5325) used greatest stack depth: 16696 bytes left
[ 473.510481] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 473.574106] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 473.581433] team0: Port device team_slave_0 added
[ 473.596330] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 473.603723] team0: Port device team_slave_1 added
[ 473.619259] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 473.637939] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 473.655512] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 473.673431] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[ 473.791317] bridge0: port 2(bridge_slave_1) entered blocking state
[ 473.798007] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 473.804941] bridge0: port 1(bridge_slave_0) entered blocking state
[ 473.811290] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 474.231892] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[ 474.238082] 8021q: adding VLAN 0 to HW filter on device bond0
[ 474.281929] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 474.319920] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 474.332817] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
[ 474.338901] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 474.347057] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 474.387281] 8021q: adding VLAN 0 to HW filter on device team0
2018/10/14 06:09:17 executed programs: 46
2018/10/14 06:09:22 executed programs: 112
2018/10/14 06:09:27 executed programs: 179
2018/10/14 06:09:32 executed programs: 246
2018/10/14 06:09:37 executed programs: 313
2018/10/14 06:09:42 executed programs: 378
2018/10/14 06:09:47 executed programs: 445
2018/10/14 06:09:52 executed programs: 511
2018/10/14 06:09:57 executed programs: 576
2018/10/14 06:10:02 executed programs: 643
2018/10/14 06:10:07 executed programs: 708
2018/10/14 06:10:13 executed programs: 774
2018/10/14 06:10:18 executed programs: 840
2018/10/14 06:10:23 executed programs: 907
2018/10/14 06:10:28 executed programs: 973
2018/10/14 06:10:33 executed programs: 1040
2018/10/14 06:10:38 executed programs: 1106
2018/10/14 06:10:43 executed programs: 1172
2018/10/14 06:10:48 executed programs: 1239
2018/10/14 06:10:53 executed programs: 1305
2018/10/14 06:10:58 executed programs: 1372
2018/10/14 06:11:03 executed programs: 1437
2018/10/14 06:11:08 executed programs: 1503
2018/10/14 06:11:13 executed programs: 1570
2018/10/14 06:11:18 executed programs: 1637
2018/10/14 06:11:23 executed programs: 1703
2018/10/14 06:11:28 executed programs: 1769
2018/10/14 06:11:33 executed programs: 1835
2018/10/14 06:11:38 executed programs: 1901
2018/10/14 06:11:43 executed programs: 1966
2018/10/14 06:11:48 executed programs: 2031
2018/10/14 06:11:53 executed programs: 2097
2018/10/14 06:11:58 executed programs: 2162
2018/10/14 06:12:03 executed programs: 2229
2018/10/14 06:12:08 executed programs: 2295
2018/10/14 06:12:14 executed programs: 2362
[ 658.447222] ==================================================================
[ 658.455140] BUG: KASAN: use-after-free in vhost_work_queue+0xc3/0xe0
[ 658.461629] Read of size 8 at addr ffff8801b07a5228 by task syz-executor0/16635
[ 658.469121]
[ 658.470743] CPU: 1 PID: 16635 Comm: syz-executor0 Not tainted 4.19.0-rc7+ #282
[ 658.478080] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 658.487433] Call Trace:
[ 658.490051] dump_stack+0x1c4/0x2b4
[ 658.493655] ? dump_stack_print_info.cold.2+0x52/0x52
[ 658.498949] ? printk+0xa7/0xcf
[ 658.502380] ? kmsg_dump_rewind_nolock+0xe4/0xe4
[ 658.507199] print_address_description.cold.8+0x9/0x1ff
[ 658.512680] kasan_report.cold.9+0x242/0x309
[ 658.517085] ? vhost_work_queue+0xc3/0xe0
[ 658.521210] __asan_report_load8_noabort+0x14/0x20
[ 658.526118] vhost_work_queue+0xc3/0xe0
[ 658.530072] vhost_transport_send_pkt+0x28a/0x380
[ 658.534896] ? vhost_vsock_dev_open+0x5a0/0x5a0
[ 658.539575] ? virtio_transport_send_pkt_info+0x2e7/0x460
[ 658.545117] ? __local_bh_enable_ip+0x160/0x260
[ 658.549766] virtio_transport_send_pkt_info+0x31d/0x460
[ 658.555106] virtio_transport_connect+0x17c/0x220
[ 658.559924] ? virtio_transport_send_pkt_info+0x460/0x460
[ 658.565454] ? vsock_auto_bind+0xa9/0xe0
[ 658.569517] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[ 658.575130] vsock_stream_connect+0x4ed/0xe40
[ 658.579626] ? vsock_dgram_connect+0x500/0x500
[ 658.584224] ? finish_wait+0x430/0x430
[ 658.588149] ? aa_af_perm+0x5a0/0x5a0
[ 658.591945] ? apparmor_socket_connect+0xb6/0x160
[ 658.596784] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 658.602323] ? security_socket_connect+0x94/0xc0
[ 658.607090] __sys_connect+0x37d/0x4c0
[ 658.610954] ? __ia32_sys_accept+0xb0/0xb0
[ 658.615164] ? kasan_check_read+0x11/0x20
[ 658.619325] ? _copy_to_user+0xc8/0x110
[ 658.623291] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 658.628816] ? put_timespec64+0x10f/0x1b0
[ 658.632969] ? do_syscall_64+0x9a/0x820
[ 658.636918] ? do_syscall_64+0x9a/0x820
[ 658.640871] ? lockdep_hardirqs_on+0x421/0x5c0
[ 658.645455] ? trace_hardirqs_on+0xbd/0x310
[ 658.649755] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 658.655301] ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 658.660644] ? __bpf_trace_preemptirq_template+0x30/0x30
[ 658.666096] __x64_sys_connect+0x73/0xb0
[ 658.670139] do_syscall_64+0x1b9/0x820
[ 658.674006] ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[ 658.679353] ? syscall_return_slowpath+0x5e0/0x5e0
[ 658.684422] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 658.689266] ? trace_hardirqs_on_caller+0x310/0x310
[ 658.694263] ? prepare_exit_to_usermode+0x3b0/0x3b0
[ 658.699279] ? prepare_exit_to_usermode+0x291/0x3b0
[ 658.704280] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 658.709109] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 658.714284] RIP: 0033:0x457569
[ 658.717455] Code: fd b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 658.736329] RSP: 002b:00007f1b2b17ec78 EFLAGS: 00000246 ORIG_RAX: 000000000000002a
[ 658.744019] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000457569
[ 658.751267] RDX: 0000000000000010 RSI: 0000000020000200 RDI: 0000000000000008
[ 658.758512] RBP: 000000000072bf00 R08: 0000000000000000 R09: 0000000000000000
[ 658.765766] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f1b2b17f6d4
[ 658.773100] R13: 00000000004bdb06 R14: 00000000004cc658 R15: 00000000ffffffff
[ 658.780357]
[ 658.782006] Allocated by task 16635:
[ 658.785721] save_stack+0x43/0xd0
[ 658.789266] kasan_kmalloc+0xc7/0xe0
[ 658.792992] __kmalloc_node+0x47/0x70
[ 658.796811] kvmalloc_node+0xb9/0xf0
[ 658.800512] vhost_vsock_dev_open+0xa2/0x5a0
[ 658.804946] misc_open+0x3ca/0x560
[ 658.808499] chrdev_open+0x25a/0x710
[ 658.812189] do_dentry_open+0x499/0x1250
[ 658.816223] vfs_open+0xa0/0xd0
[ 658.819493] path_openat+0x12bf/0x5160
[ 658.823367] do_filp_open+0x255/0x380
[ 658.827147] do_sys_open+0x568/0x700
[ 658.830841] __x64_sys_openat+0x9d/0x100
[ 658.834897] do_syscall_64+0x1b9/0x820
[ 658.838960] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 658.844127]
[ 658.845731] Freed by task 16634:
[ 658.849084] save_stack+0x43/0xd0
[ 658.852516] __kasan_slab_free+0x102/0x150
[ 658.856725] kasan_slab_free+0xe/0x10
[ 658.860506] kfree+0xcf/0x230
[ 658.863589] kvfree+0x61/0x70
[ 658.866676] vhost_vsock_dev_release+0x4f4/0x720
[ 658.871407] __fput+0x385/0xa30
[ 658.874666] ____fput+0x15/0x20
[ 658.877959] task_work_run+0x1e8/0x2a0
[ 658.881828] exit_to_usermode_loop+0x318/0x380
[ 658.886389] do_syscall_64+0x6be/0x820
[ 658.890253] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 658.895412]
[ 658.897021] The buggy address belongs to the object at ffff8801b07a5180
[ 658.897021] which belongs to the cache kmalloc-65536 of size 65536
[ 658.910004] The buggy address is located 168 bytes inside of
[ 658.910004] 65536-byte region [ffff8801b07a5180, ffff8801b07b5180)
[ 658.922028] The buggy address belongs to the page:
[ 658.927178] page:ffffea0006c1e800 count:1 mapcount:0 mapping:ffff8801da802500 index:0x0 compound_mapcount: 0
[ 658.937140] flags: 0x2fffc0000008100(slab|head)
[ 658.941827] raw: 02fffc0000008100 ffffea0006c13808 ffffea0006c00808 ffff8801da802500
[ 658.949702] raw: 0000000000000000 ffff8801b07a5180 0000000100000001 0000000000000000
[ 658.957553] page dumped because: kasan: bad access detected
[ 658.963442]
[ 658.965046] Memory state around the buggy address:
[ 658.969953] ffff8801b07a5100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 658.977287] ffff8801b07a5180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 658.984650] >ffff8801b07a5200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 658.992000] ^
[ 658.996782] ffff8801b07a5280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 659.004128] ffff8801b07a5300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 659.011462] ==================================================================
[ 659.018797] Disabling lock debugging due to kernel taint
[ 659.024366] Kernel panic - not syncing: panic_on_warn set ...
[ 659.024366]
[ 659.031714] CPU: 1 PID: 16635 Comm: syz-executor0 Tainted: G B 4.19.0-rc7+ #282
[ 659.040572] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 659.049900] Call Trace:
[ 659.052577] dump_stack+0x1c4/0x2b4
[ 659.056181] ? dump_stack_print_info.cold.2+0x52/0x52
[ 659.061347] ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 659.066080] panic+0x238/0x4e7
[ 659.069253] ? add_taint.cold.5+0x16/0x16
[ 659.073558] ? preempt_schedule+0x4d/0x60
[ 659.077695] ? ___preempt_schedule+0x16/0x18
[ 659.082281] ? trace_hardirqs_on+0xb4/0x310
[ 659.086582] kasan_end_report+0x47/0x4f
[ 659.090533] kasan_report.cold.9+0x76/0x309
[ 659.094831] ? vhost_work_queue+0xc3/0xe0
[ 659.099166] __asan_report_load8_noabort+0x14/0x20
[ 659.104135] vhost_work_queue+0xc3/0xe0
[ 659.108094] vhost_transport_send_pkt+0x28a/0x380
[ 659.112916] ? vhost_vsock_dev_open+0x5a0/0x5a0
[ 659.117561] ? virtio_transport_send_pkt_info+0x2e7/0x460
[ 659.123073] ? __local_bh_enable_ip+0x160/0x260
[ 659.127721] virtio_transport_send_pkt_info+0x31d/0x460
[ 659.133066] virtio_transport_connect+0x17c/0x220
[ 659.137882] ? virtio_transport_send_pkt_info+0x460/0x460
[ 659.143394] ? vsock_auto_bind+0xa9/0xe0
[ 659.147437] ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[ 659.153128] vsock_stream_connect+0x4ed/0xe40
[ 659.157605] ? vsock_dgram_connect+0x500/0x500
[ 659.162166] ? finish_wait+0x430/0x430
[ 659.166029] ? aa_af_perm+0x5a0/0x5a0
[ 659.169805] ? apparmor_socket_connect+0xb6/0x160
[ 659.174622] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 659.180160] ? security_socket_connect+0x94/0xc0
[ 659.184894] __sys_connect+0x37d/0x4c0
[ 659.188763] ? __ia32_sys_accept+0xb0/0xb0
[ 659.192970] ? kasan_check_read+0x11/0x20
[ 659.197100] ? _copy_to_user+0xc8/0x110
[ 659.201077] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 659.206599] ? put_timespec64+0x10f/0x1b0
[ 659.210724] ? do_syscall_64+0x9a/0x820
[ 659.214671] ? do_syscall_64+0x9a/0x820
[ 659.218770] ? lockdep_hardirqs_on+0x421/0x5c0
[ 659.223488] ? trace_hardirqs_on+0xbd/0x310
[ 659.227800] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 659.233333] ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 659.238682] ? __bpf_trace_preemptirq_template+0x30/0x30
[ 659.244109] __x64_sys_connect+0x73/0xb0
[ 659.248148] do_syscall_64+0x1b9/0x820
[ 659.252016] ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[ 659.257354] ? syscall_return_slowpath+0x5e0/0x5e0
[ 659.262258] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 659.267075] ? trace_hardirqs_on_caller+0x310/0x310
[ 659.272093] ? prepare_exit_to_usermode+0x3b0/0x3b0
[ 659.277100] ? prepare_exit_to_usermode+0x291/0x3b0
[ 659.282095] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 659.286914] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 659.292076] RIP: 0033:0x457569
[ 659.295272] Code: fd b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 659.314153] RSP: 002b:00007f1b2b17ec78 EFLAGS: 00000246 ORIG_RAX: 000000000000002a
[ 659.321836] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000457569
[ 659.329085] RDX: 0000000000000010 RSI: 0000000020000200 RDI: 0000000000000008
[ 659.336330] RBP: 000000000072bf00 R08: 0000000000000000 R09: 0000000000000000
[ 659.343572] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f1b2b17f6d4
[ 659.350814] R13: 00000000004bdb06 R14: 00000000004cc658 R15: 00000000ffffffff
[ 659.359258] Kernel Offset: disabled
[ 659.362883] Rebooting in 86400 seconds..