[ ok ] Starting enhanced syslogd: rsyslogd.
[ 57.038865][ T26] audit: type=1800 audit(1571387021.982:25): pid=8614 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="cron" dev="sda1" ino=2414 res=0
[ 57.066788][ T26] audit: type=1800 audit(1571387021.982:26): pid=8614 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0
[ 57.150359][ T26] audit: type=1800 audit(1571387022.092:27): pid=8614 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
Debian GNU/Linux 7 syzkaller ttyS0
Warning: Permanently added '10.128.0.145' (ECDSA) to the list of known hosts.
2019/10/18 08:24:01 parsed 1 programs
2019/10/18 08:24:03 executed programs: 0
syzkaller login: [ 78.759429][ T8781] IPVS: ftp: loaded support on port[0] = 21
[ 78.820997][ T8781] chnl_net:caif_netlink_parms(): no params data found
[ 78.846672][ T8781] bridge0: port 1(bridge_slave_0) entered blocking state
[ 78.854706][ T8781] bridge0: port 1(bridge_slave_0) entered disabled state
[ 78.862530][ T8781] device bridge_slave_0 entered promiscuous mode
[ 78.870559][ T8781] bridge0: port 2(bridge_slave_1) entered blocking state
[ 78.877758][ T8781] bridge0: port 2(bridge_slave_1) entered disabled state
[ 78.885413][ T8781] device bridge_slave_1 entered promiscuous mode
[ 78.903128][ T8781] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 78.913941][ T8781] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 78.933181][ T8781] team0: Port device team_slave_0 added
[ 78.940269][ T8781] team0: Port device team_slave_1 added
[ 79.009124][ T8781] device hsr_slave_0 entered promiscuous mode
[ 79.077065][ T8781] device hsr_slave_1 entered promiscuous mode
[ 79.134784][ T8781] bridge0: port 2(bridge_slave_1) entered blocking state
[ 79.142142][ T8781] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 79.150236][ T8781] bridge0: port 1(bridge_slave_0) entered blocking state
[ 79.157307][ T8781] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 79.190646][ T8781] 8021q: adding VLAN 0 to HW filter on device bond0
[ 79.203537][ T12] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 79.214945][ T12] bridge0: port 1(bridge_slave_0) entered disabled state
[ 79.223414][ T12] bridge0: port 2(bridge_slave_1) entered disabled state
[ 79.231503][ T12] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 79.244832][ T8781] 8021q: adding VLAN 0 to HW filter on device team0
[ 79.255874][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 79.264588][ T17] bridge0: port 1(bridge_slave_0) entered blocking state
[ 79.271683][ T17] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 79.282908][ T12] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 79.291593][ T12] bridge0: port 2(bridge_slave_1) entered blocking state
[ 79.298895][ T12] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 79.318394][ T12] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 79.327399][ T12] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 79.336071][ T12] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 79.348169][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 79.360674][ T8781] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
[ 79.373898][ T8781] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 79.382007][ T12] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 79.401074][ T8781] 8021q: adding VLAN 0 to HW filter on device batadv0
2019/10/18 08:24:08 executed programs: 103
2019/10/18 08:24:13 executed programs: 227
2019/10/18 08:24:18 executed programs: 352
2019/10/18 08:24:23 executed programs: 477
[ 103.122743][T11186] ==================================================================
[ 103.131029][T11186] BUG: KASAN: use-after-free in fuse_request_end+0x825/0x990
[ 103.138484][T11186] Read of size 8 at addr ffff8880a2862f68 by task syz-executor.0/11186
[ 103.147647][T11186]
[ 103.149959][T11186] CPU: 0 PID: 11186 Comm: syz-executor.0 Not tainted 5.4.0-rc3+ #0
[ 103.157998][T11186] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 103.168033][T11186] Call Trace:
[ 103.171323][T11186] dump_stack+0x172/0x1f0
[ 103.175697][T11186] ? fuse_request_end+0x825/0x990
[ 103.180841][T11186] print_address_description.constprop.0.cold+0xd4/0x30b
[ 103.187844][T11186] ? fuse_request_end+0x825/0x990
[ 103.192847][T11186] ? fuse_request_end+0x825/0x990
[ 103.197876][T11186] __kasan_report.cold+0x1b/0x41
[ 103.202821][T11186] ? fuse_request_end+0x825/0x990
[ 103.207836][T11186] kasan_report+0x12/0x20
[ 103.212154][T11186] __asan_report_load8_noabort+0x14/0x20
[ 103.217803][T11186] fuse_request_end+0x825/0x990
[ 103.222642][T11186] ? __kasan_check_read+0x11/0x20
[ 103.227648][T11186] ? do_raw_spin_unlock+0x57/0x270
[ 103.232746][T11186] fuse_dev_do_read.isra.0+0x115b/0x1df0
[ 103.238355][T11186] ? __lock_acquire+0x8a0/0x4a00
[ 103.243278][T11186] ? fuse_copy_args+0x380/0x380
[ 103.248122][T11186] ? find_held_lock+0x35/0x130
[ 103.252871][T11186] ? aa_file_perm+0x40b/0xeb0
[ 103.257530][T11186] ? lock_downgrade+0x920/0x920
[ 103.262420][T11186] ? memset+0x32/0x40
[ 103.266386][T11186] fuse_dev_read+0x165/0x200
[ 103.270957][T11186] ? fuse_dev_do_read.isra.0+0x1df0/0x1df0
[ 103.276760][T11186] ? aa_file_perm+0x432/0xeb0
[ 103.281419][T11186] ? aa_path_link+0x460/0x460
[ 103.286077][T11186] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 103.292295][T11186] ? iov_iter_init+0xee/0x220
[ 103.296950][T11186] new_sync_read+0x4d7/0x800
[ 103.301522][T11186] ? vfs_dedupe_file_range+0x780/0x780
[ 103.306961][T11186] ? __fget+0x384/0x560
[ 103.311115][T11186] ? security_file_permission+0x8f/0x380
[ 103.316735][T11186] __vfs_read+0xe1/0x110
[ 103.320959][T11186] vfs_read+0x1f0/0x440
[ 103.325091][T11186] ksys_read+0x14f/0x290
[ 103.329315][T11186] ? kernel_write+0x130/0x130
[ 103.333971][T11186] ? do_fast_syscall_32+0xd1/0xdb3
[ 103.339059][T11186] ? entry_SYSENTER_compat+0x70/0x7f
[ 103.344335][T11186] ? do_fast_syscall_32+0xd1/0xdb3
[ 103.349437][T11186] __ia32_sys_read+0x71/0xb0
[ 103.354017][T11186] do_fast_syscall_32+0x27b/0xdb3
[ 103.359043][T11186] entry_SYSENTER_compat+0x70/0x7f
[ 103.364129][T11186] RIP: 0023:0xf7fdba29
[ 103.368178][T11186] Code: b8 80 96 98 00 eb cc 8b 04 24 c3 8b 1c 24 c3 8b 34 24 c3 8b 3c 24 c3 90 90 90 90 90 90 90 90 90 90 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 eb 0d 90 90 90 90 90 90 90 90 90 90 90 90
[ 103.387911][T11186] RSP: 002b:00000000f7fb60cc EFLAGS: 00000296 ORIG_RAX: 0000000000000003
[ 103.396335][T11186] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00000000200030c0
[ 103.404760][T11186] RDX: 00000000fffffed0 RSI: 0000000000000000 RDI: 0000000000000000
[ 103.412728][T11186] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[ 103.420684][T11186] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[ 103.428639][T11186] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 103.436598][T11186]
[ 103.438912][T11186] Allocated by task 11186:
[ 103.443324][T11186] save_stack+0x23/0x90
[ 103.447466][T11186] __kasan_kmalloc.constprop.0+0xcf/0xe0
[ 103.453856][T11186] kasan_kmalloc+0x9/0x10
[ 103.458162][T11186] kmem_cache_alloc_trace+0x158/0x790
[ 103.463508][T11186] fuse_send_init+0x48/0x440
[ 103.468075][T11186] fuse_fill_super+0x2a6/0x3a0
[ 103.472815][T11186] vfs_get_super+0x13e/0x2e0
[ 103.477405][T11186] get_tree_nodev+0x23/0x30
[ 103.481897][T11186] fuse_get_tree+0x12e/0x190
[ 103.486482][T11186] vfs_get_tree+0x8e/0x300
[ 103.490881][T11186] do_mount+0x143d/0x1d10
[ 103.495190][T11186] __ia32_compat_sys_mount+0x664/0x790
[ 103.500626][T11186] do_fast_syscall_32+0x27b/0xdb3
[ 103.505636][T11186] entry_SYSENTER_compat+0x70/0x7f
[ 103.510726][T11186]
[ 103.513031][T11186] Freed by task 11184:
[ 103.517083][T11186] save_stack+0x23/0x90
[ 103.521217][T11186] __kasan_slab_free+0x102/0x150
[ 103.526130][T11186] kasan_slab_free+0xe/0x10
[ 103.530607][T11186] kfree+0x10a/0x2c0
[ 103.534479][T11186] process_init_reply+0xfb/0x1620
[ 103.539485][T11186] fuse_request_end+0x388/0x990
[ 103.544325][T11186] end_requests+0x16c/0x240
[ 103.548810][T11186] fuse_abort_conn+0xa4d/0xdb0
[ 103.553733][T11186] fuse_sb_destroy+0xa3/0x120
[ 103.558394][T11186] fuse_kill_sb_anon+0x16/0x30
[ 103.563152][T11186] deactivate_locked_super+0x95/0x100
[ 103.568501][T11186] deactivate_super+0x1b2/0x1d0
[ 103.573328][T11186] cleanup_mnt+0x351/0x4c0
[ 103.577719][T11186] __cleanup_mnt+0x16/0x20
[ 103.582114][T11186] task_work_run+0x145/0x1c0
[ 103.586689][T11186] exit_to_usermode_loop+0x316/0x380
[ 103.591972][T11186] do_fast_syscall_32+0xb87/0xdb3
[ 103.599853][T11186] entry_SYSENTER_compat+0x70/0x7f
[ 103.604934][T11186]
[ 103.607242][T11186] The buggy address belongs to the object at ffff8880a2862f00
[ 103.607242][T11186] which belongs to the cache kmalloc-192 of size 192
[ 103.621300][T11186] The buggy address is located 104 bytes inside of
[ 103.621300][T11186] 192-byte region [ffff8880a2862f00, ffff8880a2862fc0)
[ 103.634544][T11186] The buggy address belongs to the page:
[ 103.640164][T11186] page:ffffea00028a1880 refcount:1 mapcount:0 mapping:ffff8880aa400000 index:0x0
[ 103.649249][T11186] flags: 0x1fffc0000000200(slab)
[ 103.654175][T11186] raw: 01fffc0000000200 ffffea00028d4bc8 ffffea00028a2dc8 ffff8880aa400000
[ 103.662746][T11186] raw: 0000000000000000 ffff8880a2862000 0000000100000010 0000000000000000
[ 103.671307][T11186] page dumped because: kasan: bad access detected
[ 103.677954][T11186]
[ 103.680261][T11186] Memory state around the buggy address:
[ 103.685870][T11186] ffff8880a2862e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 103.693919][T11186] ffff8880a2862e80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 103.701958][T11186] >ffff8880a2862f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 103.710005][T11186] ^
[ 103.717526][T11186] ffff8880a2862f80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 103.725565][T11186] ffff8880a2863000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 103.733609][T11186] ==================================================================
[ 103.741643][T11186] Disabling lock debugging due to kernel taint
[ 103.749644][T11186] Kernel panic - not syncing: panic_on_warn set ...
[ 103.756383][T11186] CPU: 0 PID: 11186 Comm: syz-executor.0 Tainted: G B 5.4.0-rc3+ #0
[ 103.765647][T11186] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 103.775702][T11186] Call Trace:
[ 103.778984][T11186] dump_stack+0x172/0x1f0
[ 103.783298][T11186] panic+0x2e3/0x75c
[ 103.787200][T11186] ? add_taint.cold+0x16/0x16
[ 103.791858][T11186] ? fuse_request_end+0x825/0x990
[ 103.796861][T11186] ? preempt_schedule+0x4b/0x60
[ 103.801698][T11186] ? ___preempt_schedule+0x16/0x20
[ 103.807222][T11186] ? trace_hardirqs_on+0x5e/0x240
[ 103.812222][T11186] ? fuse_request_end+0x825/0x990
[ 103.817309][T11186] end_report+0x47/0x4f
[ 103.821451][T11186] ? fuse_request_end+0x825/0x990
[ 103.826450][T11186] __kasan_report.cold+0xe/0x41
[ 103.831281][T11186] ? fuse_request_end+0x825/0x990
[ 103.836281][T11186] kasan_report+0x12/0x20
[ 103.840595][T11186] __asan_report_load8_noabort+0x14/0x20
[ 103.846204][T11186] fuse_request_end+0x825/0x990
[ 103.851028][T11186] ? __kasan_check_read+0x11/0x20
[ 103.856031][T11186] ? do_raw_spin_unlock+0x57/0x270
[ 103.861139][T11186] fuse_dev_do_read.isra.0+0x115b/0x1df0
[ 103.866765][T11186] ? __lock_acquire+0x8a0/0x4a00
[ 103.871684][T11186] ? fuse_copy_args+0x380/0x380
[ 103.876510][T11186] ? find_held_lock+0x35/0x130
[ 103.881262][T11186] ? aa_file_perm+0x40b/0xeb0
[ 103.885917][T11186] ? lock_downgrade+0x920/0x920
[ 103.890752][T11186] ? memset+0x32/0x40
[ 103.894737][T11186] fuse_dev_read+0x165/0x200
[ 103.899308][T11186] ? fuse_dev_do_read.isra.0+0x1df0/0x1df0
[ 103.905093][T11186] ? aa_file_perm+0x432/0xeb0
[ 103.909774][T11186] ? aa_path_link+0x460/0x460
[ 103.914642][T11186] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 103.920869][T11186] ? iov_iter_init+0xee/0x220
[ 103.925528][T11186] new_sync_read+0x4d7/0x800
[ 103.930130][T11186] ? vfs_dedupe_file_range+0x780/0x780
[ 103.935581][T11186] ? __fget+0x384/0x560
[ 103.939743][T11186] ? security_file_permission+0x8f/0x380
[ 103.945354][T11186] __vfs_read+0xe1/0x110
[ 103.950273][T11186] vfs_read+0x1f0/0x440
[ 103.954431][T11186] ksys_read+0x14f/0x290
[ 103.958663][T11186] ? kernel_write+0x130/0x130
[ 103.963321][T11186] ? do_fast_syscall_32+0xd1/0xdb3
[ 103.968411][T11186] ? entry_SYSENTER_compat+0x70/0x7f
[ 103.973678][T11186] ? do_fast_syscall_32+0xd1/0xdb3
[ 103.978776][T11186] __ia32_sys_read+0x71/0xb0
[ 103.983356][T11186] do_fast_syscall_32+0x27b/0xdb3
[ 103.988533][T11186] entry_SYSENTER_compat+0x70/0x7f
[ 103.993645][T11186] RIP: 0023:0xf7fdba29
[ 103.997693][T11186] Code: b8 80 96 98 00 eb cc 8b 04 24 c3 8b 1c 24 c3 8b 34 24 c3 8b 3c 24 c3 90 90 90 90 90 90 90 90 90 90 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 eb 0d 90 90 90 90 90 90 90 90 90 90 90 90
[ 104.017285][T11186] RSP: 002b:00000000f7fb60cc EFLAGS: 00000296 ORIG_RAX: 0000000000000003
[ 104.025716][T11186] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00000000200030c0
[ 104.033770][T11186] RDX: 00000000fffffed0 RSI: 0000000000000000 RDI: 0000000000000000
[ 104.041823][T11186] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[ 104.049780][T11186] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[ 104.057850][T11186] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 104.067246][T11186] Kernel Offset: disabled
[ 104.071577][T11186] Rebooting in 86400 seconds..