[ 35.744687] audit: type=1800 audit(1546340165.448:26): pid=7552 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0
[ 35.775993] audit: type=1800 audit(1546340165.458:27): pid=7552 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0
[ 35.803568] audit: type=1800 audit(1546340165.458:28): pid=7552 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="ssh" dev="sda1" ino=2417 res=0
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ 36.418866] audit: type=1800 audit(1546340166.158:29): pid=7552 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="rc.local" dev="sda1" ino=2432 res=0

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 41.370220] sshd (7690) used greatest stack depth: 19848 bytes left
Warning: Permanently added '10.128.0.27' (ECDSA) to the list of known hosts.
2019/01/01 10:56:25 parsed 1 programs
2019/01/01 10:56:26 executed programs: 0
[ 57.123579] IPVS: ftp: loaded support on port[0] = 21
[ 57.188767] chnl_net:caif_netlink_parms(): no params data found
[ 57.220172] bridge0: port 1(bridge_slave_0) entered blocking state
[ 57.226977] bridge0: port 1(bridge_slave_0) entered disabled state
[ 57.234056] device bridge_slave_0 entered promiscuous mode
[ 57.241457] bridge0: port 2(bridge_slave_1) entered blocking state
[ 57.247902] bridge0: port 2(bridge_slave_1) entered disabled state
[ 57.254882] device bridge_slave_1 entered promiscuous mode
[ 57.271342] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 57.280389] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 57.297088] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 57.304470] team0: Port device team_slave_0 added
[ 57.309952] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 57.317419] team0: Port device team_slave_1 added
[ 57.322664] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[ 57.329973] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[ 57.397308] device hsr_slave_0 entered promiscuous mode
[ 57.455535] device hsr_slave_1 entered promiscuous mode
[ 57.505804] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready
[ 57.512691] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_1: link is not ready
[ 57.526306] bridge0: port 2(bridge_slave_1) entered blocking state
[ 57.532707] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 57.539629] bridge0: port 1(bridge_slave_0) entered blocking state
[ 57.546020] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 57.578146] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[ 57.584456] 8021q: adding VLAN 0 to HW filter on device bond0
[ 57.593159] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 57.602102] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 57.621794] bridge0: port 1(bridge_slave_0) entered disabled state
[ 57.629507] bridge0: port 2(bridge_slave_1) entered disabled state
[ 57.637640] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 57.648735] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready
[ 57.654902] 8021q: adding VLAN 0 to HW filter on device team0
[ 57.663676] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 57.671342] bridge0: port 1(bridge_slave_0) entered blocking state
[ 57.677732] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 57.695865] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 57.703418] bridge0: port 2(bridge_slave_1) entered blocking state
[ 57.709793] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 57.718432] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 57.727907] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 57.735112] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 57.746313] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 57.757961] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
[ 57.768917] IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready
[ 57.774932] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 57.782475] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 57.795673] IPv6: ADDRCONF(NETDEV_UP): vxcan1: link is not ready
[ 57.804701] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 57.847392] L1TF CPU bug present and SMT on, data leak possible. See CVE-2018-3646 and https://www.kernel.org/doc/html/latest/admin-guide/l1tf.html for details.
[ 57.869634] ==================================================================
[ 57.877076] BUG: KASAN: slab-out-of-bounds in kvm_clear_dirty_log_protect+0x8cf/0x970
[ 57.885021] Read of size 8 at addr ffff8880a04b6050 by task syz-executor0/7723
[ 57.892365]
[ 57.893988] CPU: 0 PID: 7723 Comm: syz-executor0 Not tainted 4.20.0+ #2
[ 57.900731] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 57.910058] Call Trace:
[ 57.912627] dump_stack+0x1db/0x2d0
[ 57.916240] ? dump_stack_print_info.cold+0x20/0x20
[ 57.921247] ? kvm_clear_dirty_log_protect+0x8cf/0x970
[ 57.926511] print_address_description.cold+0x7c/0x20d
[ 57.931767] ? kvm_clear_dirty_log_protect+0x8cf/0x970
[ 57.937024] ? kvm_clear_dirty_log_protect+0x8cf/0x970
[ 57.942374] kasan_report.cold+0x1b/0x40
[ 57.946428] ? kvm_clear_dirty_log_protect+0x8cf/0x970
[ 57.951687] __asan_report_load8_noabort+0x14/0x20
[ 57.956595] kvm_clear_dirty_log_protect+0x8cf/0x970
[ 57.961685] ? vcpu_stat_get_per_vm_open+0x40/0x40
[ 57.966595] ? lock_downgrade+0x910/0x910
[ 57.970720] ? lock_release+0xc40/0xc40
[ 57.974681] kvm_vm_ioctl_clear_dirty_log+0xff/0x260
[ 57.979767] ? kvm_vm_ioctl_get_dirty_log+0x260/0x260
[ 57.985014] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 57.990556] ? _copy_from_user+0xdd/0x150
[ 57.994787] kvm_vm_ioctl+0xc19/0x1fe0
[ 57.998669] ? kvm_unregister_device_ops+0x70/0x70
[ 58.003591] ? print_usage_bug+0xd0/0xd0
[ 58.007639] ? __sanitizer_cov_trace_switch+0x49/0x80
[ 58.012813] ? drop_futex_key_refs.isra.0+0x6f/0xf0
[ 58.017814] ? get_futex_key+0x2050/0x2050
[ 58.022034] ? mark_held_locks+0x100/0x100
[ 58.026270] ? do_futex+0x1b0/0x2910
[ 58.029979] ? do_raw_spin_trylock+0x270/0x270
[ 58.034556] ? add_mm_counter_fast.part.0+0x40/0x40
[ 58.039554] ? add_lock_to_list.isra.0+0x450/0x450
[ 58.044462] ? add_lock_to_list.isra.0+0x450/0x450
[ 58.049371] ? exit_robust_list+0x290/0x290
[ 58.053674] ? __might_fault+0x12b/0x1e0
[ 58.057716] ? find_held_lock+0x35/0x120
[ 58.061759] ? __might_fault+0x12b/0x1e0
[ 58.065799] ? lock_acquire+0x1db/0x570
[ 58.069759] ? lock_downgrade+0x910/0x910
[ 58.073897] ? lock_release+0xc40/0xc40
[ 58.077872] ? kvm_unregister_device_ops+0x70/0x70
[ 58.082780] do_vfs_ioctl+0x107b/0x17d0
[ 58.086753] ? ioctl_preallocate+0x2f0/0x2f0
[ 58.091160] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 58.096696] ? __fget_light+0x2db/0x420
[ 58.100648] ? fget_raw+0x20/0x20
[ 58.104077] ? put_timespec64+0x115/0x1b0
[ 58.108215] ? nsecs_to_jiffies+0x30/0x30
[ 58.112342] ? do_syscall_64+0x8c/0x800
[ 58.116296] ? do_syscall_64+0x8c/0x800
[ 58.120252] ? lockdep_hardirqs_on+0x415/0x5d0
[ 58.124820] ? security_file_ioctl+0x93/0xc0
[ 58.129218] ksys_ioctl+0xab/0xd0
[ 58.132673] __x64_sys_ioctl+0x73/0xb0
[ 58.136549] do_syscall_64+0x1a3/0x800
[ 58.140455] ? syscall_return_slowpath+0x5f0/0x5f0
[ 58.145361] ? prepare_exit_to_usermode+0x232/0x3b0
[ 58.150358] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 58.155183] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 58.160353] RIP: 0033:0x457ec9
[ 58.163540] Code: 6d b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 3b b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 58.182420] RSP: 002b:00007ffcbb8f7a58 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 58.190104] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000457ec9
[ 58.197353] RDX: 0000000020000080 RSI: 00000000c018aec0 RDI: 0000000000000004
[ 58.204601] RBP: 000000000073bf00 R08: 0000000000000000 R09: 0000000000000000
[ 58.211845] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000f59914
[ 58.219091] R13: 00000000004c9ef0 R14: 00000000004d2a10 R15: 00000000ffffffff
[ 58.226343]
[ 58.227964] Allocated by task 7723:
[ 58.231585] save_stack+0x45/0xd0
[ 58.235018] kasan_kmalloc+0xcf/0xe0
[ 58.238724] __kmalloc_node+0x4e/0x70
[ 58.242507] kvmalloc_node+0x68/0x100
[ 58.246291] __kvm_set_memory_region+0x1da1/0x2c40
[ 58.251201] kvm_set_memory_region+0x2f/0x60
[ 58.255595] kvm_vm_ioctl+0xafa/0x1fe0
[ 58.259466] do_vfs_ioctl+0x107b/0x17d0
[ 58.263420] ksys_ioctl+0xab/0xd0
[ 58.266853] __x64_sys_ioctl+0x73/0xb0
[ 58.270728] do_syscall_64+0x1a3/0x800
[ 58.274597] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 58.279758]
[ 58.281363] Freed by task 4259:
[ 58.284619] save_stack+0x45/0xd0
[ 58.288053] __kasan_slab_free+0x102/0x150
[ 58.292273] kasan_slab_free+0xe/0x10
[ 58.296056] kfree+0xcf/0x230
[ 58.299178] single_release+0x95/0xc0
[ 58.302959] __fput+0x3c5/0xb10
[ 58.306226] ____fput+0x16/0x20
[ 58.309492] task_work_run+0x1f4/0x2b0
[ 58.313361] exit_to_usermode_loop+0x32a/0x3b0
[ 58.317926] do_syscall_64+0x696/0x800
[ 58.321797] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 58.326965]
[ 58.328577] The buggy address belongs to the object at ffff8880a04b6040
[ 58.328577]  which belongs to the cache kmalloc-32 of size 32
[ 58.341040] The buggy address is located 16 bytes inside of
[ 58.341040]  32-byte region [ffff8880a04b6040, ffff8880a04b6060)
[ 58.352714] The buggy address belongs to the page:
[ 58.357621] page:ffffea0002812d80 count:1 mapcount:0 mapping:ffff88812c3f01c0 index:0xffff8880a04b6fc1
[ 58.367044] flags: 0x1fffc0000000200(slab)
[ 58.371269] raw: 01fffc0000000200 ffffea00027d3e88 ffff88812c3f1238 ffff88812c3f01c0
[ 58.379136] raw: ffff8880a04b6fc1 ffff8880a04b6000 0000000100000036 0000000000000000
[ 58.386990] page dumped because: kasan: bad access detected
[ 58.392671]
[ 58.394276] Memory state around the buggy address:
[ 58.399182]  ffff8880a04b5f00: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[ 58.406525]  ffff8880a04b5f80: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[ 58.413864] >ffff8880a04b6000: fb fb fb fb fc fc fc fc 00 00 fc fc fc fc fc fc
[ 58.421196]                                                  ^
[ 58.427144]  ffff8880a04b6080: fb fb fb fb fc fc fc fc 04 fc fc fc fc fc fc fc
[ 58.434479]  ffff8880a04b6100: fb fb fb fb fc fc fc fc 00 01 fc fc fc fc fc fc
[ 58.441812] ==================================================================
[ 58.449146] Disabling lock debugging due to kernel taint
[ 58.455141] Kernel panic - not syncing: panic_on_warn set ...
[ 58.461016] CPU: 0 PID: 7723 Comm: syz-executor0 Tainted: G B 4.20.0+ #2
[ 58.469144] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 58.478468] Call Trace:
[ 58.481033] dump_stack+0x1db/0x2d0
[ 58.484645] ? dump_stack_print_info.cold+0x20/0x20
[ 58.489646] panic+0x2cb/0x589
[ 58.492815] ? add_taint.cold+0x16/0x16
[ 58.496767] ? trace_hardirqs_on+0xb4/0x310
[ 58.501061] ? trace_hardirqs_on+0xb4/0x310
[ 58.505365] ? kvm_clear_dirty_log_protect+0x8cf/0x970
[ 58.510647] end_report+0x47/0x4f
[ 58.514094] ? kvm_clear_dirty_log_protect+0x8cf/0x970
[ 58.519343] kasan_report.cold+0xe/0x40
[ 58.523308] ? kvm_clear_dirty_log_protect+0x8cf/0x970
[ 58.528560] __asan_report_load8_noabort+0x14/0x20
[ 58.533562] kvm_clear_dirty_log_protect+0x8cf/0x970
[ 58.538690] ? vcpu_stat_get_per_vm_open+0x40/0x40
[ 58.543596] ? lock_downgrade+0x910/0x910
[ 58.547717] ? lock_release+0xc40/0xc40
[ 58.551790] kvm_vm_ioctl_clear_dirty_log+0xff/0x260
[ 58.556873] ? kvm_vm_ioctl_get_dirty_log+0x260/0x260
[ 58.562107] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 58.567632] ? _copy_from_user+0xdd/0x150
[ 58.571754] kvm_vm_ioctl+0xc19/0x1fe0
[ 58.575631] ? kvm_unregister_device_ops+0x70/0x70
[ 58.580534] ? print_usage_bug+0xd0/0xd0
[ 58.584586] ? __sanitizer_cov_trace_switch+0x49/0x80
[ 58.589748] ? drop_futex_key_refs.isra.0+0x6f/0xf0
[ 58.595240] ? get_futex_key+0x2050/0x2050
[ 58.599577] ? mark_held_locks+0x100/0x100
[ 58.603789] ? do_futex+0x1b0/0x2910
[ 58.607478] ? do_raw_spin_trylock+0x270/0x270
[ 58.612144] ? add_mm_counter_fast.part.0+0x40/0x40
[ 58.617149] ? add_lock_to_list.isra.0+0x450/0x450
[ 58.622052] ? add_lock_to_list.isra.0+0x450/0x450
[ 58.626973] ? exit_robust_list+0x290/0x290
[ 58.631306] ? __might_fault+0x12b/0x1e0
[ 58.635358] ? find_held_lock+0x35/0x120
[ 58.639410] ? __might_fault+0x12b/0x1e0
[ 58.643449] ? lock_acquire+0x1db/0x570
[ 58.647415] ? lock_downgrade+0x910/0x910
[ 58.651544] ? lock_release+0xc40/0xc40
[ 58.655497] ? kvm_unregister_device_ops+0x70/0x70
[ 58.660404] do_vfs_ioctl+0x107b/0x17d0
[ 58.664360] ? ioctl_preallocate+0x2f0/0x2f0
[ 58.668750] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 58.674283] ? __fget_light+0x2db/0x420
[ 58.678233] ? fget_raw+0x20/0x20
[ 58.681664] ? put_timespec64+0x115/0x1b0
[ 58.685788] ? nsecs_to_jiffies+0x30/0x30
[ 58.689914] ? do_syscall_64+0x8c/0x800
[ 58.693866] ? do_syscall_64+0x8c/0x800
[ 58.697819] ? lockdep_hardirqs_on+0x415/0x5d0
[ 58.702420] ? security_file_ioctl+0x93/0xc0
[ 58.706809] ksys_ioctl+0xab/0xd0
[ 58.710245] __x64_sys_ioctl+0x73/0xb0
[ 58.714117] do_syscall_64+0x1a3/0x800
[ 58.717983] ? syscall_return_slowpath+0x5f0/0x5f0
[ 58.722911] ? prepare_exit_to_usermode+0x232/0x3b0
[ 58.728080] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 58.732931] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 58.738096] RIP: 0033:0x457ec9
[ 58.741284] Code: 6d b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 3b b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 58.760163] RSP: 002b:00007ffcbb8f7a58 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 58.767847] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000457ec9
[ 58.775120] RDX: 0000000020000080 RSI: 00000000c018aec0 RDI: 0000000000000004
[ 58.782364] RBP: 000000000073bf00 R08: 0000000000000000 R09: 0000000000000000
[ 58.789609] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000f59914
[ 58.796855] R13: 00000000004c9ef0 R14: 00000000004d2a10 R15: 00000000ffffffff
[ 58.804996] Kernel Offset: disabled
[ 58.808613] Rebooting in 86400 seconds..