[ ok ] Starting enhanced syslogd: rsyslogd.
[   33.375178] audit: type=1800 audit(1538099984.998:25): pid=5875 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="cron" dev="sda1" ino=2414 res=0
[   33.405554] audit: type=1800 audit(1538099984.998:26): pid=5875 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0
[   33.432777] audit: type=1800 audit(1538099984.998:27): pid=5875 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.24' (ECDSA) to the list of known hosts.
2018/09/28 02:12:16 parsed 1 programs
2018/09/28 02:12:18 executed programs: 0
syzkaller login: [  786.536231] IPVS: ftp: loaded support on port[0] = 21
[  786.731149] bridge0: port 1(bridge_slave_0) entered blocking state
[  786.737900] bridge0: port 1(bridge_slave_0) entered disabled state
[  786.745009] device bridge_slave_0 entered promiscuous mode
[  786.760570] bridge0: port 2(bridge_slave_1) entered blocking state
[  786.766967] bridge0: port 2(bridge_slave_1) entered disabled state
[  786.773911] device bridge_slave_1 entered promiscuous mode
[  786.788447] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[  786.804077] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[  786.844483] bond0: Enslaving bond_slave_0 as an active interface with an up link
[  786.862370] bond0: Enslaving bond_slave_1 as an active interface with an up link
[  786.921189] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[  786.928995] team0: Port device team_slave_0 added
[  786.942961] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[  786.950485] team0: Port device team_slave_1 added
[  786.965183] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[  786.980592] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[  786.998130] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[  787.015304] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[  787.127329] bridge0: port 2(bridge_slave_1) entered blocking state
[  787.134033] bridge0: port 2(bridge_slave_1) entered forwarding state
[  787.140656] bridge0: port 1(bridge_slave_0) entered blocking state
[  787.146993] bridge0: port 1(bridge_slave_0) entered forwarding state
[  787.539346] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[  787.545542] 8021q: adding VLAN 0 to HW filter on device bond0
[  787.586934] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[  787.627511] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[  787.634459] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[  787.668130] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready
[  787.674658] 8021q: adding VLAN 0 to HW filter on device team0
[  787.681032] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[  788.024420] hrtimer: interrupt took 11995 ns
[  788.737132] ==================================================================
[  788.744669] BUG: KASAN: use-after-free in vhost_work_queue+0xc3/0xe0
[  788.751157] Read of size 8 at addr ffff8801c7ce07a8 by task syz-executor0/6349
[  788.758502] 
[  788.760127] CPU: 0 PID: 6349 Comm: syz-executor0 Not tainted 4.19.0-rc5-next-20180927+ #82
[  788.768739] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[  788.778173] Call Trace:
[  788.780770]  dump_stack+0x1d3/0x2c4
[  788.784399]  ? dump_stack_print_info.cold.2+0x52/0x52
[  788.789730]  ? printk+0xa7/0xcf
[  788.793042]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[  788.798077]  print_address_description.cold.8+0x9/0x1ff
[  788.803443]  kasan_report.cold.9+0x242/0x309
[  788.807848]  ? vhost_work_queue+0xc3/0xe0
[  788.812155]  __asan_report_load8_noabort+0x14/0x20
[  788.817335]  vhost_work_queue+0xc3/0xe0
[  788.821628]  vhost_transport_send_pkt+0x28a/0x380
[  788.826469]  ? vhost_vsock_dev_open+0x5a0/0x5a0
[  788.831133]  ? virtio_transport_send_pkt_info+0x2e7/0x460
[  788.836664]  ? __local_bh_enable_ip+0x160/0x260
[  788.841491]  virtio_transport_send_pkt_info+0x31d/0x460
[  788.846853]  virtio_transport_connect+0x17c/0x220
[  788.851831]  ? virtio_transport_send_pkt_info+0x460/0x460
[  788.857875]  ? vsock_auto_bind+0xa9/0xe0
[  788.861939]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[  788.867489]  vsock_stream_connect+0x4ed/0xe40
[  788.871987]  ? vsock_dgram_connect+0x500/0x500
[  788.876651]  ? __might_sleep+0x95/0x190
[  788.880706]  ? finish_wait+0x430/0x430
[  788.884597]  ? aa_af_perm+0x5a0/0x5a0
[  788.888561]  ? apparmor_socket_connect+0xb6/0x160
[  788.893408]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[  788.899421]  ? security_socket_connect+0x94/0xc0
[  788.904181]  __sys_connect+0x37d/0x4c0
[  788.908219]  ? __ia32_sys_accept+0xb0/0xb0
[  788.912481]  ? kasan_check_read+0x11/0x20
[  788.916745]  ? _copy_to_user+0xc8/0x110
[  788.920728]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[  788.926294]  ? put_timespec64+0x10f/0x1b0
[  788.930456]  ? trace_hardirqs_on+0xbd/0x310
[  788.934783]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[  788.940478]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[  788.945972]  ? trace_hardirqs_off_caller+0x300/0x300
[  788.951076]  __x64_sys_connect+0x73/0xb0
[  788.955137]  do_syscall_64+0x1b9/0x820
[  788.959246]  ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[  788.964784]  ? syscall_return_slowpath+0x5e0/0x5e0
[  788.969719]  ? trace_hardirqs_off+0x310/0x310
[  788.974470]  ? prepare_exit_to_usermode+0x3b0/0x3b0
[  788.979634]  ? recalc_sigpending_tsk+0x180/0x180
[  788.984691]  ? kasan_check_write+0x14/0x20
[  788.989057]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[  788.994045]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[  788.999363] RIP: 0033:0x457579
[  789.002672] Code: 1d b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 eb b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[  789.022043] RSP: 002b:00007f21ce36ac78 EFLAGS: 00000246 ORIG_RAX: 000000000000002a
[  789.029755] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000457579
[  789.037180] RDX: 0000000000000010 RSI: 0000000020000200 RDI: 0000000000000008
[  789.044447] RBP: 000000000072bfa0 R08: 0000000000000000 R09: 0000000000000000
[  789.051833] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f21ce36b6d4
[  789.059231] R13: 00000000004bdb1a R14: 00000000004cc658 R15: 00000000ffffffff
[  789.066536] 
[  789.068156] Allocated by task 6348:
[  789.071780]  save_stack+0x43/0xd0
[  789.075404]  kasan_kmalloc+0xc7/0xe0
[  789.079120]  __kmalloc_node+0x47/0x70
[  789.082916]  kvmalloc_node+0xb9/0xf0
[  789.086799]  vhost_vsock_dev_open+0xa2/0x5a0
[  789.091203]  misc_open+0x3ca/0x560
[  789.094981]  chrdev_open+0x25a/0x710
[  789.098845]  do_dentry_open+0x499/0x1250
[  789.102904]  vfs_open+0xa0/0xd0
[  789.106338]  path_openat+0x12bc/0x5160
[  789.110228]  do_filp_open+0x255/0x380
[  789.114025]  do_sys_open+0x568/0x700
[  789.117862]  __x64_sys_openat+0x9d/0x100
[  789.122053]  do_syscall_64+0x1b9/0x820
[  789.126032]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[  789.131216] 
[  789.132835] Freed by task 6346:
[  789.136110]  save_stack+0x43/0xd0
[  789.139555]  __kasan_slab_free+0x102/0x150
[  789.143793]  kasan_slab_free+0xe/0x10
[  789.147984]  kfree+0xcf/0x230
[  789.151377]  kvfree+0x61/0x70
[  789.154729]  vhost_vsock_dev_release+0x4f4/0x720
[  789.159636]  __fput+0x3bc/0xa70
[  789.162909]  ____fput+0x15/0x20
[  789.166341]  task_work_run+0x1e8/0x2a0
[  789.170391]  exit_to_usermode_loop+0x318/0x380
[  789.174970]  do_syscall_64+0x6be/0x820
[  789.178852]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[  789.184156] 
[  789.185928] The buggy address belongs to the object at ffff8801c7ce0700
[  789.185928]  which belongs to the cache kmalloc-64k of size 65536
[  789.198869] The buggy address is located 168 bytes inside of
[  789.198869]  65536-byte region [ffff8801c7ce0700, ffff8801c7cf0700)
[  789.211090] The buggy address belongs to the page:
[  789.216107] page:ffffea00071f3800 count:1 mapcount:0 mapping:ffff8801da802500 index:0x0 compound_mapcount: 0
[  789.228134] flags: 0x2fffc0000010200(slab|head)
[  789.233110] raw: 02fffc0000010200 ffffea00071f3008 ffffea00071f4008 ffff8801da802500
[  789.240994] raw: 0000000000000000 ffff8801c7ce0700 0000000100000001 0000000000000000
[  789.249124] page dumped because: kasan: bad access detected
[  789.254831] 
[  789.256451] Memory state around the buggy address:
[  789.261378]  ffff8801c7ce0680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[  789.268738]  ffff8801c7ce0700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  789.276103] >ffff8801c7ce0780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  789.283822]                                   ^
[  789.288513]  ffff8801c7ce0800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  789.296035]  ffff8801c7ce0880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  789.303409] ==================================================================
[  789.316471] Kernel panic - not syncing: panic_on_warn set ...
[  789.316471] 
[  789.324052] CPU: 1 PID: 6349 Comm: syz-executor0 Tainted: G    B 4.19.0-rc5-next-20180927+ #82
[  789.333967] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[  789.343319] Call Trace:
[  789.345910]  dump_stack+0x1d3/0x2c4
[  789.349537]  ? dump_stack_print_info.cold.2+0x52/0x52
[  789.354724]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[  789.359477]  panic+0x238/0x4e7
[  789.362667]  ? add_taint.cold.5+0x16/0x16
[  789.366810]  ? preempt_schedule+0x4d/0x60
[  789.370953]  ? ___preempt_schedule+0x16/0x18
[  789.375358]  ? trace_hardirqs_on+0xb4/0x310
[  789.379686]  kasan_end_report+0x47/0x4f
[  789.383829]  kasan_report.cold.9+0x76/0x309
[  789.388304]  ? vhost_work_queue+0xc3/0xe0
[  789.392458]  __asan_report_load8_noabort+0x14/0x20
[  789.397385]  vhost_work_queue+0xc3/0xe0
[  789.401356]  vhost_transport_send_pkt+0x28a/0x380
[  789.406195]  ? vhost_vsock_dev_open+0x5a0/0x5a0
[  789.411003]  ? virtio_transport_send_pkt_info+0x2e7/0x460
[  789.416544]  ? __local_bh_enable_ip+0x160/0x260
[  789.421209]  virtio_transport_send_pkt_info+0x31d/0x460
[  789.426571]  virtio_transport_connect+0x17c/0x220
[  789.431410]  ? virtio_transport_send_pkt_info+0x460/0x460
[  789.436939]  ? vsock_auto_bind+0xa9/0xe0
[  789.440997]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[  789.446528]  vsock_stream_connect+0x4ed/0xe40
[  789.451020]  ? vsock_dgram_connect+0x500/0x500
[  789.455777]  ? __might_sleep+0x95/0x190
[  789.459753]  ? finish_wait+0x430/0x430
[  789.463767]  ? aa_af_perm+0x5a0/0x5a0
[  789.467570]  ? apparmor_socket_connect+0xb6/0x160
[  789.472409]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[  789.477943]  ? security_socket_connect+0x94/0xc0
[  789.482693]  __sys_connect+0x37d/0x4c0
[  789.486575]  ? __ia32_sys_accept+0xb0/0xb0
[  789.490808]  ? kasan_check_read+0x11/0x20
[  789.494948]  ? _copy_to_user+0xc8/0x110
[  789.499062]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[  789.504605]  ? put_timespec64+0x10f/0x1b0
[  789.508884]  ? trace_hardirqs_on+0xbd/0x310
[  789.513210]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[  789.518743]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[  789.524105]  ? trace_hardirqs_off_caller+0x300/0x300
[  789.529204]  __x64_sys_connect+0x73/0xb0
[  789.533406]  do_syscall_64+0x1b9/0x820
[  789.537311]  ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[  789.542667]  ? syscall_return_slowpath+0x5e0/0x5e0
[  789.547689]  ? trace_hardirqs_off+0x310/0x310
[  789.552186]  ? prepare_exit_to_usermode+0x3b0/0x3b0
[  789.557198]  ? recalc_sigpending_tsk+0x180/0x180
[  789.561951]  ? kasan_check_write+0x14/0x20
[  789.566221]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[  789.571229]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[  789.576446] RIP: 0033:0x457579
[  789.579777] Code: 1d b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 eb b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[  789.599073] RSP: 002b:00007f21ce36ac78 EFLAGS: 00000246 ORIG_RAX: 000000000000002a
[  789.606985] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000457579
[  789.614280] RDX: 0000000000000010 RSI: 0000000020000200 RDI: 0000000000000008
[  789.621644] RBP: 000000000072bfa0 R08: 0000000000000000 R09: 0000000000000000
[  789.629179] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f21ce36b6d4
[  789.636731] R13: 00000000004bdb1a R14: 00000000004cc658 R15: 00000000ffffffff
[  789.645211] Kernel Offset: disabled
[  789.648848] Rebooting in 86400 seconds..