[info] Using makefile-style concurrent boot in runlevel 2.
[ 57.247278][ T27] audit: type=1800 audit(1564562013.159:21): pid=9186 uid=0 auid=4294967295 ses=4294967295 subj=_ op=collect_data cause=failed(directio) comm="startpar" name="bootlogs" dev="sda1" ino=2419 res=0
[ 57.290509][ T27] audit: type=1800 audit(1564562013.169:22): pid=9186 uid=0 auid=4294967295 ses=4294967295 subj=_ op=collect_data cause=failed(directio) comm="startpar" name="motd" dev="sda1" ino=2447 res=0
[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.80' (ECDSA) to the list of known hosts.
syzkaller login:
[ 69.879588][ T9338] IPVS: ftp: loaded support on port[0] = 21
[ 69.916135][ T9338] chnl_net:caif_netlink_parms(): no params data found
[ 69.935418][ T9338] bridge0: port 1(bridge_slave_0) entered blocking state
[ 69.942952][ T9338] bridge0: port 1(bridge_slave_0) entered disabled state
[ 69.950565][ T9338] device bridge_slave_0 entered promiscuous mode
[ 69.957887][ T9338] bridge0: port 2(bridge_slave_1) entered blocking state
[ 69.965195][ T9338] bridge0: port 2(bridge_slave_1) entered disabled state
[ 69.972853][ T9338] device bridge_slave_1 entered promiscuous mode
[ 69.985941][ T9338] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 69.996407][ T9338] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 70.011761][ T9338] team0: Port device team_slave_0 added
[ 70.018287][ T9338] team0: Port device team_slave_1 added
[ 70.099846][ T9338] device hsr_slave_0 entered promiscuous mode
[ 70.168787][ T9338] device hsr_slave_1 entered promiscuous mode
[ 70.233624][ T9338] bridge0: port 2(bridge_slave_1) entered blocking state
[ 70.240898][ T9338] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 70.248303][ T9338] bridge0: port 1(bridge_slave_0) entered blocking state
[ 70.255413][ T9338] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 70.278177][ T9338] 8021q: adding VLAN 0 to HW filter on device bond0
[ 70.287820][ T3629] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 70.307479][ T3629] bridge0: port 1(bridge_slave_0) entered disabled state
[ 70.315408][ T3629] bridge0: port 2(bridge_slave_1) entered disabled state
[ 70.323602][ T3629] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 70.333648][ T9338] 8021q: adding VLAN 0 to HW filter on device team0
[ 70.342975][ T2853] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 70.351731][ T2853] bridge0: port 1(bridge_slave_0) entered blocking state
[ 70.358972][ T2853] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 70.378215][ T3629] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 70.387168][ T3629] bridge0: port 2(bridge_slave_1) entered blocking state
[ 70.394260][ T3629] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 70.402271][ T3629] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 70.410798][ T3629] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 70.419141][ T3629] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
executing program
[ 70.427197][ T3629] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 70.435754][ T3629] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 70.444299][ T9338] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 70.459256][ T9338] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 70.581034][ T9349] IPVS: ftp: loaded support on port[0] = 21
[ 70.771937][ T9347] IPVS: ftp: loaded support on port[0] = 21
executing program
[ 71.012237][ T9352] IPVS: ftp: loaded support on port[0] = 21
[ 71.212853][ T9353] IPVS: ftp: loaded support on port[0] = 21
executing program
[ 71.466401][ T9357] IPVS: ftp: loaded support on port[0] = 21
[ 71.702362][ T9359] IPVS: ftp: loaded support on port[0] = 21
executing program
[ 71.906008][ T9363] IPVS: ftp: loaded support on port[0] = 21
[ 72.132416][ T9372] IPVS: ftp: loaded support on port[0] = 21
executing program
[ 72.392507][ T9377] IPVS: ftp: loaded support on port[0] = 21
[ 72.642048][ T9378] IPVS: ftp: loaded support on port[0] = 21
executing program
[ 72.944796][ T9383] IPVS: ftp: loaded support on port[0] = 21
[ 73.183426][ T9384] IPVS: ftp: loaded support on port[0] = 21
executing program
[ 74.322360][ T9394] IPVS: ftp: loaded support on port[0] = 21
[ 74.552749][ T9395] IPVS: ftp: loaded support on port[0] = 21
[ 74.759745][ T9396] ==================================================================
[ 74.768173][ T9396] BUG: KASAN: use-after-free in do_raw_spin_lock+0x295/0x3a0
[ 74.775672][ T9396] Read of size 4 at addr ffff88809569a20c by task syz-executor725/9396
[ 74.783888][ T9396]
[ 74.786203][ T9396] CPU: 0 PID: 9396 Comm: syz-executor725 Not tainted 5.3.0-rc2+ #56
[ 74.794247][ T9396] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 74.804458][ T9396] Call Trace:
[ 74.807739][ T9396] dump_stack+0x1d8/0x2f8
[ 74.812065][ T9396] print_address_description+0x75/0x5b0
[ 74.817632][ T9396] ? log_buf_vmcoreinfo_setup+0x153/0x153
[ 74.823599][ T9396] __kasan_report+0x14b/0x1c0
[ 74.828270][ T9396] ? do_raw_spin_lock+0x295/0x3a0
[ 74.833344][ T9396] kasan_report+0x26/0x50
[ 74.837891][ T9396] __asan_report_load4_noabort+0x14/0x20
[ 74.843905][ T9396] do_raw_spin_lock+0x295/0x3a0
[ 74.848761][ T9396] ? trace_lock_acquire+0x159/0x1d0
[ 74.854239][ T9396] ? __rwlock_init+0x130/0x130
[ 74.858998][ T9396] ? lock_acquire+0x158/0x250
[ 74.863667][ T9396] ? release_sock+0x30/0x1d0
[ 74.868273][ T9396] ? release_sock+0x30/0x1d0
[ 74.872848][ T9396] ? release_sock+0x30/0x1d0
[ 74.877428][ T9396] _raw_spin_lock_bh+0x40/0x50
[ 74.882238][ T9396] release_sock+0x30/0x1d0
[ 74.886642][ T9396] nr_release+0x1b9/0x390
[ 74.890949][ T9396] sock_close+0xe1/0x260
[ 74.895178][ T9396] ? sock_mmap+0xa0/0xa0
[ 74.899410][ T9396] __fput+0x2e4/0x740
[ 74.903372][ T9396] ____fput+0x15/0x20
[ 74.907378][ T9396] task_work_run+0x17e/0x1b0
[ 74.911963][ T9396] do_exit+0x64c/0x2300
[ 74.916154][ T9396] ? trace_lock_release+0x135/0x1a0
[ 74.921362][ T9396] ? mm_update_next_owner+0x580/0x580
[ 74.926863][ T9396] ? get_signal+0x426/0x1dd0
[ 74.931625][ T9396] ? __lock_acquire+0x4750/0x4750
[ 74.936759][ T9396] do_group_exit+0x15c/0x2b0
[ 74.941385][ T9396] get_signal+0x51c/0x1dd0
[ 74.945804][ T9396] ? trace_lock_acquire+0x159/0x1d0
[ 74.950986][ T9396] ? ptrace_notify+0x370/0x370
[ 74.955731][ T9396] ? __kasan_check_write+0x14/0x20
[ 74.960879][ T9396] ? task_work_add+0xfc/0x120
[ 74.965676][ T9396] do_signal+0x7b/0x720
[ 74.969822][ T9396] ? fput+0x1a/0x20
[ 74.973679][ T9396] ? __sys_accept4+0x711/0x9a0
[ 74.978431][ T9396] ? signal_fault+0x1f0/0x1f0
[ 74.983105][ T9396] ? __ia32_sys_listen+0x70/0x70
[ 74.988231][ T9396] ? prepare_exit_to_usermode+0x258/0x580
[ 74.993998][ T9396] prepare_exit_to_usermode+0x303/0x580
[ 74.999834][ T9396] syscall_return_slowpath+0x113/0x4a0
[ 75.005388][ T9396] do_syscall_64+0x126/0x140
[ 75.009970][ T9396] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 75.015893][ T9396] RIP: 0033:0x447d09
[ 75.019866][ T9396] Code: Bad RIP value.
[ 75.023932][ T9396] RSP: 002b:00007fef01f82db8 EFLAGS: 00000246 ORIG_RAX: 000000000000002b
[ 75.032375][ T9396] RAX: fffffffffffffe00 RBX: 00000000006ddc58 RCX: 0000000000447d09
[ 75.040346][ T9396] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000007
[ 75.048505][ T9396] RBP: 00000000006ddc50 R08: 0000000000000000 R09: 0000000000000000
[ 75.056577][ T9396] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006ddc5c
[ 75.064578][ T9396] R13: 00007ffc493afa4f R14: 00007fef01f839c0 R15: 0000000000000001
[ 75.072873][ T9396]
[ 75.075254][ T9396] Allocated by task 0:
[ 75.079417][ T9396] __kasan_kmalloc+0x11c/0x1b0
[ 75.084266][ T9396] kasan_kmalloc+0x9/0x10
[ 75.088807][ T9396] __kmalloc+0x254/0x340
[ 75.093336][ T9396] sk_prot_alloc+0xb0/0x290
[ 75.097837][ T9396] sk_alloc+0x38/0x950
[ 75.101892][ T9396] nr_rx_frame+0xabc/0x1e40
[ 75.106385][ T9396] nr_loopback_timer+0x6a/0x140
[ 75.111380][ T9396] call_timer_fn+0xec/0x200
[ 75.116528][ T9396] __run_timers+0x7cd/0x9c0
[ 75.121121][ T9396] run_timer_softirq+0x4a/0x90
[ 75.125885][ T9396] __do_softirq+0x333/0x7c4
[ 75.130368][ T9396]
[ 75.132677][ T9396] Freed by task 9396:
[ 75.136702][ T9396] __kasan_slab_free+0x12a/0x1e0
[ 75.141817][ T9396] kasan_slab_free+0xe/0x10
[ 75.146570][ T9396] kfree+0x115/0x200
[ 75.150570][ T9396] __sk_destruct+0x567/0x660
[ 75.155550][ T9396] __sk_free+0x317/0x3e0
[ 75.160723][ T9396] sk_free+0x2a/0x40
[ 75.164620][ T9396] nr_destroy_socket+0x3e3/0x460
[ 75.169640][ T9396] nr_release+0x191/0x390
[ 75.174142][ T9396] sock_close+0xe1/0x260
[ 75.178386][ T9396] __fput+0x2e4/0x740
[ 75.182398][ T9396] ____fput+0x15/0x20
[ 75.186375][ T9396] task_work_run+0x17e/0x1b0
[ 75.191075][ T9396] do_exit+0x64c/0x2300
[ 75.195211][ T9396] do_group_exit+0x15c/0x2b0
[ 75.199783][ T9396] get_signal+0x51c/0x1dd0
[ 75.204282][ T9396] do_signal+0x7b/0x720
[ 75.208426][ T9396] prepare_exit_to_usermode+0x303/0x580
[ 75.213964][ T9396] syscall_return_slowpath+0x113/0x4a0
[ 75.219476][ T9396] do_syscall_64+0x126/0x140
[ 75.224077][ T9396] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 75.229994][ T9396]
[ 75.232319][ T9396] The buggy address belongs to the object at ffff88809569a180
[ 75.232319][ T9396] which belongs to the cache kmalloc-2k of size 2048
[ 75.246790][ T9396] The buggy address is located 140 bytes inside of
[ 75.246790][ T9396] 2048-byte region [ffff88809569a180, ffff88809569a980)
[ 75.260204][ T9396] The buggy address belongs to the page:
[ 75.265984][ T9396] page:ffffea000255a680 refcount:1 mapcount:0 mapping:ffff8880aa400e00 index:0x0 compound_mapcount: 0
[ 75.276935][ T9396] flags: 0x1fffc0000010200(slab|head)
[ 75.282382][ T9396] raw: 01fffc0000010200 ffffea0002589408 ffffea000253cf08 ffff8880aa400e00
[ 75.291094][ T9396] raw: 0000000000000000 ffff88809569a180 0000000100000003 0000000000000000
[ 75.299664][ T9396] page dumped because: kasan: bad access detected
[ 75.306220][ T9396]
[ 75.308544][ T9396] Memory state around the buggy address:
[ 75.314508][ T9396] ffff88809569a100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 75.322644][ T9396] ffff88809569a180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 75.331127][ T9396] >ffff88809569a200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 75.339348][ T9396] ^
[ 75.343666][ T9396] ffff88809569a280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 75.351730][ T9396] ffff88809569a300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 75.359781][ T9396] ==================================================================
[ 75.368152][ T9396] Kernel panic - not syncing: panic_on_warn set ...
[ 75.374757][ T9396] CPU: 0 PID: 9396 Comm: syz-executor725 Tainted: G B 5.3.0-rc2+ #56
[ 75.384157][ T9396] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 75.394287][ T9396] Call Trace:
[ 75.397586][ T9396] dump_stack+0x1d8/0x2f8
[ 75.401915][ T9396] panic+0x29b/0x7d9
[ 75.405800][ T9396] ? check_preemption_disabled+0x3a/0x2a0
[ 75.411597][ T9396] ? __kasan_report+0x195/0x1c0
[ 75.416596][ T9396] ? trace_hardirqs_on+0x34/0x80
[ 75.421579][ T9396] ? nmi_panic+0x97/0x97
[ 75.425868][ T9396] ? trace_hardirqs_on+0x34/0x80
[ 75.430804][ T9396] ? __kasan_report+0x195/0x1c0
[ 75.435781][ T9396] ? _raw_spin_unlock_irqrestore+0xad/0xe0
[ 75.441594][ T9396] __kasan_report+0x1bb/0x1c0
[ 75.446266][ T9396] ? do_raw_spin_lock+0x295/0x3a0
[ 75.451276][ T9396] kasan_report+0x26/0x50
[ 75.455605][ T9396] __asan_report_load4_noabort+0x14/0x20
[ 75.461264][ T9396] do_raw_spin_lock+0x295/0x3a0
[ 75.466116][ T9396] ? trace_lock_acquire+0x159/0x1d0
[ 75.471344][ T9396] ? __rwlock_init+0x130/0x130
[ 75.476152][ T9396] ? lock_acquire+0x158/0x250
[ 75.480999][ T9396] ? release_sock+0x30/0x1d0
[ 75.485632][ T9396] ? release_sock+0x30/0x1d0
[ 75.490237][ T9396] ? release_sock+0x30/0x1d0
[ 75.494812][ T9396] _raw_spin_lock_bh+0x40/0x50
[ 75.499917][ T9396] release_sock+0x30/0x1d0
[ 75.504734][ T9396] nr_release+0x1b9/0x390
[ 75.509180][ T9396] sock_close+0xe1/0x260
[ 75.513507][ T9396] ? sock_mmap+0xa0/0xa0
[ 75.517787][ T9396] __fput+0x2e4/0x740
[ 75.522682][ T9396] ____fput+0x15/0x20
[ 75.526648][ T9396] task_work_run+0x17e/0x1b0
[ 75.531325][ T9396] do_exit+0x64c/0x2300
[ 75.535824][ T9396] ? trace_lock_release+0x135/0x1a0
[ 75.541192][ T9396] ? mm_update_next_owner+0x580/0x580
[ 75.546556][ T9396] ? get_signal+0x426/0x1dd0
[ 75.551136][ T9396] ? __lock_acquire+0x4750/0x4750
[ 75.556171][ T9396] do_group_exit+0x15c/0x2b0
[ 75.560754][ T9396] get_signal+0x51c/0x1dd0
[ 75.565150][ T9396] ? trace_lock_acquire+0x159/0x1d0
[ 75.570322][ T9396] ? ptrace_notify+0x370/0x370
[ 75.575059][ T9396] ? __kasan_check_write+0x14/0x20
[ 75.580150][ T9396] ? task_work_add+0xfc/0x120
[ 75.584815][ T9396] do_signal+0x7b/0x720
[ 75.588973][ T9396] ? fput+0x1a/0x20
[ 75.592757][ T9396] ? __sys_accept4+0x711/0x9a0
[ 75.597505][ T9396] ? signal_fault+0x1f0/0x1f0
[ 75.602176][ T9396] ? __ia32_sys_listen+0x70/0x70
[ 75.607133][ T9396] ? prepare_exit_to_usermode+0x258/0x580
[ 75.612842][ T9396] prepare_exit_to_usermode+0x303/0x580
[ 75.618365][ T9396] syscall_return_slowpath+0x113/0x4a0
[ 75.623797][ T9396] do_syscall_64+0x126/0x140
[ 75.628362][ T9396] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 75.634228][ T9396] RIP: 0033:0x447d09
[ 75.638111][ T9396] Code: Bad RIP value.
[ 75.642152][ T9396] RSP: 002b:00007fef01f82db8 EFLAGS: 00000246 ORIG_RAX: 000000000000002b
[ 75.650539][ T9396] RAX: fffffffffffffe00 RBX: 00000000006ddc58 RCX: 0000000000447d09
[ 75.658694][ T9396] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000007
[ 75.668029][ T9396] RBP: 00000000006ddc50 R08: 0000000000000000 R09: 0000000000000000
[ 75.676763][ T9396] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006ddc5c
[ 75.684712][ T9396] R13: 00007ffc493afa4f R14: 00007fef01f839c0 R15: 0000000000000001
[ 75.694136][ T9396] Kernel Offset: disabled
[ 75.698508][ T9396] Rebooting in 86400 seconds..