[ 24.229247] audit: type=1800 audit(1540091584.456:21): pid=5182 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="bootlogs" dev="sda1" ino=2419 res=0
[ 24.258249] audit: type=1800 audit(1540091584.466:22): pid=5182 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="motd" dev="sda1" ino=2447 res=0
[....] Starting enhanced syslogd: rsyslogd [ ok ].
[....] Starting periodic command scheduler: cron [ ok ].
[ 25.294044] sshd (5249) used greatest stack depth: 15784 bytes left
[....] Starting OpenBSD Secure Shell server: sshd [ ok ].
Debian GNU/Linux 7 syzkaller ttyS0
Warning: Permanently added '10.128.0.89' (ECDSA) to the list of known hosts.
2018/10/21 03:13:40 parsed 1 programs
2018/10/21 03:13:42 executed programs: 0
syzkaller login: [ 61.940917] IPVS: ftp: loaded support on port[0] = 21
[ 62.229809] bridge0: port 1(bridge_slave_0) entered blocking state
[ 62.236848] bridge0: port 1(bridge_slave_0) entered disabled state
[ 62.244464] device bridge_slave_0 entered promiscuous mode
[ 62.264109] bridge0: port 2(bridge_slave_1) entered blocking state
[ 62.270756] bridge0: port 2(bridge_slave_1) entered disabled state
[ 62.277763] device bridge_slave_1 entered promiscuous mode
[ 62.295486] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[ 62.313542] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[ 62.363144] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 62.383773] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 62.461516] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 62.468842] team0: Port device team_slave_0 added
[ 62.485673] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 62.493398] team0: Port device team_slave_1 added
[ 62.511884] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 62.532162] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 62.552944] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 62.573076] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[ 62.718337] bridge0: port 2(bridge_slave_1) entered blocking state
[ 62.724946] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 62.731934] bridge0: port 1(bridge_slave_0) entered blocking state
[ 62.738289] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 63.253361] 8021q: adding VLAN 0 to HW filter on device bond0
[ 63.306473] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 63.358466] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
[ 63.364706] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 63.372404] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 63.421832] 8021q: adding VLAN 0 to HW filter on device team0
2018/10/21 03:13:47 executed programs: 26
2018/10/21 03:13:52 executed programs: 67
2018/10/21 03:13:57 executed programs: 107
[ 77.983078] ==================================================================
[ 77.990561] BUG: KASAN: use-after-free in __lock_acquire+0x37c2/0x4ec0
[ 77.997321] Read of size 8 at addr ffff8801b0a6c790 by task syz-executor0/6292
[ 78.004661]
[ 78.006287] CPU: 0 PID: 6292 Comm: syz-executor0 Not tainted 4.19.0-rc8+ #294
[ 78.013537] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 78.022871] Call Trace:
[ 78.025451] dump_stack+0x1c4/0x2b6
[ 78.029066] ? dump_stack_print_info.cold.1+0x20/0x20
[ 78.034241] ? printk+0xa7/0xcf
[ 78.037506] ? kmsg_dump_rewind_nolock+0xe4/0xe4
[ 78.042262] print_address_description.cold.8+0x9/0x1ff
[ 78.047618] kasan_report.cold.9+0x242/0x309
[ 78.052021] ? __lock_acquire+0x37c2/0x4ec0
[ 78.056331] __asan_report_load8_noabort+0x14/0x20
[ 78.061250] __lock_acquire+0x37c2/0x4ec0
[ 78.065383] ? free_unref_page+0x960/0x960
[ 78.069714] ? mark_held_locks+0x130/0x130
[ 78.073940] ? preempt_notifier_register+0x200/0x200
[ 78.079035] ? __switch_to_asm+0x34/0x70
[ 78.083095] ? __switch_to_asm+0x34/0x70
[ 78.087142] ? __switch_to_asm+0x40/0x70
[ 78.091356] ? __switch_to_asm+0x34/0x70
[ 78.095401] ? __switch_to_asm+0x40/0x70
[ 78.099448] ? __switch_to_asm+0x34/0x70
[ 78.103678] ? __switch_to_asm+0x40/0x70
[ 78.107823] ? __switch_to_asm+0x34/0x70
[ 78.111873] ? print_usage_bug+0xc0/0xc0
[ 78.115924] ? __switch_to_asm+0x40/0x70
[ 78.120488] ? __switch_to_asm+0x34/0x70
[ 78.124536] ? __switch_to_asm+0x40/0x70
[ 78.128583] ? __schedule+0x874/0x1ed0
[ 78.132455] ? graph_lock+0x170/0x170
[ 78.136242] ? lock_downgrade+0x900/0x900
[ 78.140377] ? __sched_text_start+0x8/0x8
[ 78.144512] ? mark_held_locks+0xc7/0x130
[ 78.148660] ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 78.153407] ? lockdep_hardirqs_on+0x421/0x5c0
[ 78.157974] ? retint_kernel+0x2d/0x2d
[ 78.161849] ? trace_hardirqs_on_caller+0xc0/0x310
[ 78.166765] ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 78.171505] ? trace_hardirqs_off+0x310/0x310
[ 78.175987] ? retint_kernel+0x1b/0x2d
[ 78.179859] ? trace_hardirqs_on+0x310/0x310
[ 78.184278] lock_acquire+0x1ed/0x520
[ 78.188072] ? vhost_transport_cancel_pkt+0x15e/0x910
[ 78.193248] ? retint_kernel+0x2d/0x2d
[ 78.197129] ? lock_release+0x970/0x970
[ 78.201095] ? vhost_vsock_dev_release+0x720/0x720
[ 78.206119] _raw_spin_lock_bh+0x31/0x40
[ 78.210265] ? vhost_transport_cancel_pkt+0x15e/0x910
[ 78.215452] vhost_transport_cancel_pkt+0x15e/0x910
[ 78.220454] ? vhost_vsock_dev_release+0x720/0x720
[ 78.225375] ? trace_hardirqs_on+0xbd/0x310
[ 78.229768] ? lock_release+0x970/0x970
[ 78.233734] ? lock_sock_nested+0xe2/0x120
[ 78.237951] ? __bpf_trace_preemptirq_template+0x30/0x30
[ 78.243388] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 78.248922] ? check_preemption_disabled+0x48/0x280
[ 78.253932] ? lock_sock_nested+0x9a/0x120
[ 78.258319] ? lock_sock_nested+0x9a/0x120
[ 78.262544] ? __local_bh_enable_ip+0x160/0x260
[ 78.267200] ? vhost_vsock_dev_release+0x720/0x720
[ 78.272189] vsock_stream_connect+0x903/0xe40
[ 78.276680] ? vsock_dgram_connect+0x500/0x500
[ 78.281249] ? finish_wait+0x430/0x430
[ 78.285128] ? aa_af_perm+0x5a0/0x5a0
[ 78.288918] ? apparmor_socket_connect+0xb6/0x160
[ 78.293749] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 78.299281] ? security_socket_connect+0x94/0xc0
[ 78.304025] __sys_connect+0x37d/0x4c0
[ 78.307898] ? __ia32_sys_accept+0xb0/0xb0
[ 78.312121] ? kasan_check_read+0x11/0x20
[ 78.316325] ? _copy_to_user+0xc8/0x110
[ 78.320291] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 78.325821] ? put_timespec64+0x10f/0x1b0
[ 78.329965] ? do_syscall_64+0x9a/0x820
[ 78.333933] ? do_syscall_64+0x9a/0x820
[ 78.337893] ? lockdep_hardirqs_on+0x421/0x5c0
[ 78.342459] ? trace_hardirqs_on+0xbd/0x310
[ 78.346765] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 78.352337] ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 78.357695] ? __bpf_trace_preemptirq_template+0x30/0x30
[ 78.363140] __x64_sys_connect+0x73/0xb0
[ 78.367192] do_syscall_64+0x1b9/0x820
[ 78.371064] ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[ 78.376422] ? syscall_return_slowpath+0x5e0/0x5e0
[ 78.381340] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 78.386169] ? trace_hardirqs_on_caller+0x310/0x310
[ 78.391169] ? prepare_exit_to_usermode+0x3b0/0x3b0
[ 78.396171] ? prepare_exit_to_usermode+0x291/0x3b0
[ 78.401174] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 78.406002] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 78.411172] RIP: 0033:0x457569
[ 78.414359] Code: fd b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 78.433258] RSP: 002b:00007fe03a533c78 EFLAGS: 00000246 ORIG_RAX: 000000000000002a
[ 78.440950] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000457569
[ 78.448314] RDX: 0000000000000010 RSI: 0000000020000200 RDI: 0000000000000006
[ 78.455588] RBP: 000000000072bf00 R08: 0000000000000000 R09: 0000000000000000
[ 78.463076] R10: 0000000000000000 R11: 0000000000000246 R12: 00007fe03a5346d4
[ 78.470334] R13: 00000000004bdb06 R14: 00000000004cc658 R15: 00000000ffffffff
[ 78.477592]
[ 78.479206] Allocated by task 6292:
[ 78.482822] save_stack+0x43/0xd0
[ 78.486260] kasan_kmalloc+0xc7/0xe0
[ 78.489959] __kmalloc_node+0x47/0x70
[ 78.493743] kvmalloc_node+0xb9/0xf0
[ 78.497449] vhost_vsock_dev_open+0xa2/0x5a0
[ 78.501841] misc_open+0x3ca/0x560
[ 78.505364] chrdev_open+0x25a/0x710
[ 78.509077] do_dentry_open+0x499/0x1250
[ 78.513140] vfs_open+0xa0/0xd0
[ 78.516403] path_openat+0x12bf/0x5160
[ 78.520276] do_filp_open+0x255/0x380
[ 78.524060] do_sys_open+0x568/0x700
[ 78.527762] __x64_sys_openat+0x9d/0x100
[ 78.531814] do_syscall_64+0x1b9/0x820
[ 78.535689] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 78.540966]
[ 78.542584] Freed by task 6291:
[ 78.545860] save_stack+0x43/0xd0
[ 78.549308] __kasan_slab_free+0x102/0x150
[ 78.553650] kasan_slab_free+0xe/0x10
[ 78.557439] kfree+0xcf/0x230
[ 78.560538] kvfree+0x61/0x70
[ 78.563648] vhost_vsock_dev_release+0x4f4/0x720
[ 78.568385] __fput+0x385/0xa30
[ 78.571657] ____fput+0x15/0x20
[ 78.575058] task_work_run+0x1e8/0x2a0
[ 78.578947] exit_to_usermode_loop+0x318/0x380
[ 78.583519] do_syscall_64+0x6be/0x820
[ 78.587392] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 78.592555]
[ 78.594165] The buggy address belongs to the object at ffff8801b0a63a80
[ 78.594165] which belongs to the cache kmalloc-65536 of size 65536
[ 78.607149] The buggy address is located 36112 bytes inside of
[ 78.607149] 65536-byte region [ffff8801b0a63a80, ffff8801b0a73a80)
[ 78.619612] The buggy address belongs to the page:
[ 78.624533] page:ffffea0006c29800 count:1 mapcount:0 mapping:ffff8801da802500 index:0x0 compound_mapcount: 0
[ 78.634496] flags: 0x2fffc0000008100(slab|head)
[ 78.639282] raw: 02fffc0000008100 ffffea0006c29008 ffffea0006c2a008 ffff8801da802500
[ 78.647198] raw: 0000000000000000 ffff8801b0a63a80 0000000100000001 0000000000000000
[ 78.655116] page dumped because: kasan: bad access detected
[ 78.660810]
[ 78.662427] Memory state around the buggy address:
[ 78.667349] ffff8801b0a6c680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 78.674695] ffff8801b0a6c700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 78.682126] >ffff8801b0a6c780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 78.689474] ^
[ 78.693355] ffff8801b0a6c800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 78.700715] ffff8801b0a6c880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 78.708070] ==================================================================
[ 78.715483] Disabling lock debugging due to kernel taint
[ 78.720919] Kernel panic - not syncing: panic_on_warn set ...
[ 78.720919]
[ 78.728265] CPU: 0 PID: 6292 Comm: syz-executor0 Tainted: G B 4.19.0-rc8+ #294
[ 78.736907] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 78.746240] Call Trace:
[ 78.748814] dump_stack+0x1c4/0x2b6
[ 78.752427] ? dump_stack_print_info.cold.1+0x20/0x20
[ 78.757605] ? lock_downgrade+0x900/0x900
[ 78.761749] panic+0x238/0x4e7
[ 78.764924] ? add_taint.cold.5+0x16/0x16
[ 78.769056] ? add_taint.cold.5+0x5/0x16
[ 78.773104] ? trace_hardirqs_off+0xaf/0x310
[ 78.777500] kasan_end_report+0x47/0x4f
[ 78.781461] kasan_report.cold.9+0x76/0x309
[ 78.785770] ? __lock_acquire+0x37c2/0x4ec0
[ 78.790089] __asan_report_load8_noabort+0x14/0x20
[ 78.795016] __lock_acquire+0x37c2/0x4ec0
[ 78.799153] ? free_unref_page+0x960/0x960
[ 78.803386] ? mark_held_locks+0x130/0x130
[ 78.807609] ? preempt_notifier_register+0x200/0x200
[ 78.812708] ? __switch_to_asm+0x34/0x70
[ 78.816805] ? __switch_to_asm+0x34/0x70
[ 78.820862] ? __switch_to_asm+0x40/0x70
[ 78.824913] ? __switch_to_asm+0x34/0x70
[ 78.828969] ? __switch_to_asm+0x40/0x70
[ 78.833029] ? __switch_to_asm+0x34/0x70
[ 78.837133] ? __switch_to_asm+0x40/0x70
[ 78.841180] ? __switch_to_asm+0x34/0x70
[ 78.845229] ? print_usage_bug+0xc0/0xc0
[ 78.849273] ? __switch_to_asm+0x40/0x70
[ 78.853316] ? __switch_to_asm+0x34/0x70
[ 78.857371] ? __switch_to_asm+0x40/0x70
[ 78.861433] ? __schedule+0x874/0x1ed0
[ 78.865307] ? graph_lock+0x170/0x170
[ 78.869091] ? lock_downgrade+0x900/0x900
[ 78.873223] ? __sched_text_start+0x8/0x8
[ 78.877357] ? mark_held_locks+0xc7/0x130
[ 78.881490] ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 78.886227] ? lockdep_hardirqs_on+0x421/0x5c0
[ 78.890837] ? retint_kernel+0x2d/0x2d
[ 78.894717] ? trace_hardirqs_on_caller+0xc0/0x310
[ 78.899639] ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 78.904376] ? trace_hardirqs_off+0x310/0x310
[ 78.908854] ? retint_kernel+0x1b/0x2d
[ 78.912723] ? trace_hardirqs_on+0x310/0x310
[ 78.917113] lock_acquire+0x1ed/0x520
[ 78.920902] ? vhost_transport_cancel_pkt+0x15e/0x910
[ 78.926076] ? retint_kernel+0x2d/0x2d
[ 78.930004] ? lock_release+0x970/0x970
[ 78.933974] ? vhost_vsock_dev_release+0x720/0x720
[ 78.938890] _raw_spin_lock_bh+0x31/0x40
[ 78.942937] ? vhost_transport_cancel_pkt+0x15e/0x910
[ 78.948120] vhost_transport_cancel_pkt+0x15e/0x910
[ 78.953137] ? vhost_vsock_dev_release+0x720/0x720
[ 78.958067] ? trace_hardirqs_on+0xbd/0x310
[ 78.962376] ? lock_release+0x970/0x970
[ 78.966340] ? lock_sock_nested+0xe2/0x120
[ 78.970573] ? __bpf_trace_preemptirq_template+0x30/0x30
[ 78.976025] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 78.981550] ? check_preemption_disabled+0x48/0x280
[ 78.986550] ? lock_sock_nested+0x9a/0x120
[ 78.990771] ? lock_sock_nested+0x9a/0x120
[ 78.994991] ? __local_bh_enable_ip+0x160/0x260
[ 78.999657] ? vhost_vsock_dev_release+0x720/0x720
[ 79.004572] vsock_stream_connect+0x903/0xe40
[ 79.009056] ? vsock_dgram_connect+0x500/0x500
[ 79.013634] ? finish_wait+0x430/0x430
[ 79.017505] ? aa_af_perm+0x5a0/0x5a0
[ 79.021294] ? apparmor_socket_connect+0xb6/0x160
[ 79.026128] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 79.031659] ? security_socket_connect+0x94/0xc0
[ 79.036405] __sys_connect+0x37d/0x4c0
[ 79.040278] ? __ia32_sys_accept+0xb0/0xb0
[ 79.044497] ? kasan_check_read+0x11/0x20
[ 79.048637] ? _copy_to_user+0xc8/0x110
[ 79.052606] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 79.058138] ? put_timespec64+0x10f/0x1b0
[ 79.062274] ? do_syscall_64+0x9a/0x820
[ 79.066238] ? do_syscall_64+0x9a/0x820
[ 79.070203] ? lockdep_hardirqs_on+0x421/0x5c0
[ 79.074854] ? trace_hardirqs_on+0xbd/0x310
[ 79.079280] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 79.084811] ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 79.090163] ? __bpf_trace_preemptirq_template+0x30/0x30
[ 79.095716] __x64_sys_connect+0x73/0xb0
[ 79.099779] do_syscall_64+0x1b9/0x820
[ 79.103669] ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[ 79.109021] ? syscall_return_slowpath+0x5e0/0x5e0
[ 79.113939] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 79.118767] ? trace_hardirqs_on_caller+0x310/0x310
[ 79.123769] ? prepare_exit_to_usermode+0x3b0/0x3b0
[ 79.128769] ? prepare_exit_to_usermode+0x291/0x3b0
[ 79.133773] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 79.138602] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 79.143790] RIP: 0033:0x457569
[ 79.146983] Code: fd b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 79.165984] RSP: 002b:00007fe03a533c78 EFLAGS: 00000246 ORIG_RAX: 000000000000002a
[ 79.173766] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000457569
[ 79.181021] RDX: 0000000000000010 RSI: 0000000020000200 RDI: 0000000000000006
[ 79.188275] RBP: 000000000072bf00 R08: 0000000000000000 R09: 0000000000000000
[ 79.195598] R10: 0000000000000000 R11: 0000000000000246 R12: 00007fe03a5346d4
[ 79.202874] R13: 00000000004bdb06 R14: 00000000004cc658 R15: 00000000ffffffff
[ 79.211096] Kernel Offset: disabled
[ 79.214729] Rebooting in 86400 seconds..