[....] Starting enhanced syslogd: rsyslogd[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[   33.375178] audit: type=1800 audit(1538099984.998:25): pid=5875 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="cron" dev="sda1" ino=2414 res=0
[   33.405554] audit: type=1800 audit(1538099984.998:26): pid=5875 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0
[   33.432777] audit: type=1800 audit(1538099984.998:27): pid=5875 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0
[....] Starting periodic command scheduler: cron[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.24' (ECDSA) to the list of known hosts.
2018/09/28 02:12:16 parsed 1 programs
2018/09/28 02:12:18 executed programs: 0
syzkaller login: [  786.536231] IPVS: ftp: loaded support on port[0] = 21
[  786.731149] bridge0: port 1(bridge_slave_0) entered blocking state
[  786.737900] bridge0: port 1(bridge_slave_0) entered disabled state
[  786.745009] device bridge_slave_0 entered promiscuous mode
[  786.760570] bridge0: port 2(bridge_slave_1) entered blocking state
[  786.766967] bridge0: port 2(bridge_slave_1) entered disabled state
[  786.773911] device bridge_slave_1 entered promiscuous mode
[  786.788447] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[  786.804077] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[  786.844483] bond0: Enslaving bond_slave_0 as an active interface with an up link
[  786.862370] bond0: Enslaving bond_slave_1 as an active interface with an up link
[  786.921189] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[  786.928995] team0: Port device team_slave_0 added
[  786.942961] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[  786.950485] team0: Port device team_slave_1 added
[  786.965183] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[  786.980592] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[  786.998130] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[  787.015304] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[  787.127329] bridge0: port 2(bridge_slave_1) entered blocking state
[  787.134033] bridge0: port 2(bridge_slave_1) entered forwarding state
[  787.140656] bridge0: port 1(bridge_slave_0) entered blocking state
[  787.146993] bridge0: port 1(bridge_slave_0) entered forwarding state
[  787.539346] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[  787.545542] 8021q: adding VLAN 0 to HW filter on device bond0
[  787.586934] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[  787.627511] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[  787.634459] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[  787.668130] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready
[  787.674658] 8021q: adding VLAN 0 to HW filter on device team0
[  787.681032] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[  788.024420] hrtimer: interrupt took 11995 ns
[  788.737132] ==================================================================
[  788.744669] BUG: KASAN: use-after-free in vhost_work_queue+0xc3/0xe0
[  788.751157] Read of size 8 at addr ffff8801c7ce07a8 by task syz-executor0/6349
[  788.758502] 
[  788.760127] CPU: 0 PID: 6349 Comm: syz-executor0 Not tainted 4.19.0-rc5-next-20180927+ #82
[  788.768739] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[  788.778173] Call Trace:
[  788.780770]  dump_stack+0x1d3/0x2c4
[  788.784399]  ? dump_stack_print_info.cold.2+0x52/0x52
[  788.789730]  ? printk+0xa7/0xcf
[  788.793042]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[  788.798077]  print_address_description.cold.8+0x9/0x1ff
[  788.803443]  kasan_report.cold.9+0x242/0x309
[  788.807848]  ? vhost_work_queue+0xc3/0xe0
[  788.812155]  __asan_report_load8_noabort+0x14/0x20
[  788.817335]  vhost_work_queue+0xc3/0xe0
[  788.821628]  vhost_transport_send_pkt+0x28a/0x380
[  788.826469]  ? vhost_vsock_dev_open+0x5a0/0x5a0
[  788.831133]  ? virtio_transport_send_pkt_info+0x2e7/0x460
[  788.836664]  ? __local_bh_enable_ip+0x160/0x260
[  788.841491]  virtio_transport_send_pkt_info+0x31d/0x460
[  788.846853]  virtio_transport_connect+0x17c/0x220
[  788.851831]  ? virtio_transport_send_pkt_info+0x460/0x460
[  788.857875]  ? vsock_auto_bind+0xa9/0xe0
[  788.861939]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[  788.867489]  vsock_stream_connect+0x4ed/0xe40
[  788.871987]  ? vsock_dgram_connect+0x500/0x500
[  788.876651]  ? __might_sleep+0x95/0x190
[  788.880706]  ? finish_wait+0x430/0x430
[  788.884597]  ? aa_af_perm+0x5a0/0x5a0
[  788.888561]  ? apparmor_socket_connect+0xb6/0x160
[  788.893408]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[  788.899421]  ? security_socket_connect+0x94/0xc0
[  788.904181]  __sys_connect+0x37d/0x4c0
[  788.908219]  ? __ia32_sys_accept+0xb0/0xb0
[  788.912481]  ? kasan_check_read+0x11/0x20
[  788.916745]  ? _copy_to_user+0xc8/0x110
[  788.920728]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[  788.926294]  ? put_timespec64+0x10f/0x1b0
[  788.930456]  ? trace_hardirqs_on+0xbd/0x310
[  788.934783]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[  788.940478]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[  788.945972]  ? trace_hardirqs_off_caller+0x300/0x300
[  788.951076]  __x64_sys_connect+0x73/0xb0
[  788.955137]  do_syscall_64+0x1b9/0x820
[  788.959246]  ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[  788.964784]  ? syscall_return_slowpath+0x5e0/0x5e0
[  788.969719]  ? trace_hardirqs_off+0x310/0x310
[  788.974470]  ? prepare_exit_to_usermode+0x3b0/0x3b0
[  788.979634]  ? recalc_sigpending_tsk+0x180/0x180
[  788.984691]  ? kasan_check_write+0x14/0x20
[  788.989057]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[  788.994045]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[  788.999363] RIP: 0033:0x457579
[  789.002672] Code: 1d b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 eb b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[  789.022043] RSP: 002b:00007f21ce36ac78 EFLAGS: 00000246 ORIG_RAX: 000000000000002a
[  789.029755] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000457579
[  789.037180] RDX: 0000000000000010 RSI: 0000000020000200 RDI: 0000000000000008
[  789.044447] RBP: 000000000072bfa0 R08: 0000000000000000 R09: 0000000000000000
[  789.051833] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f21ce36b6d4
[  789.059231] R13: 00000000004bdb1a R14: 00000000004cc658 R15: 00000000ffffffff
[  789.066536] 
[  789.068156] Allocated by task 6348:
[  789.071780]  save_stack+0x43/0xd0
[  789.075404]  kasan_kmalloc+0xc7/0xe0
[  789.079120]  __kmalloc_node+0x47/0x70
[  789.082916]  kvmalloc_node+0xb9/0xf0
[  789.086799]  vhost_vsock_dev_open+0xa2/0x5a0
[  789.091203]  misc_open+0x3ca/0x560
[  789.094981]  chrdev_open+0x25a/0x710
[  789.098845]  do_dentry_open+0x499/0x1250
[  789.102904]  vfs_open+0xa0/0xd0
[  789.106338]  path_openat+0x12bc/0x5160
[  789.110228]  do_filp_open+0x255/0x380
[  789.114025]  do_sys_open+0x568/0x700
[  789.117862]  __x64_sys_openat+0x9d/0x100
[  789.122053]  do_syscall_64+0x1b9/0x820
[  789.126032]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[  789.131216] 
[  789.132835] Freed by task 6346:
[  789.136110]  save_stack+0x43/0xd0
[  789.139555]  __kasan_slab_free+0x102/0x150
[  789.143793]  kasan_slab_free+0xe/0x10
[  789.147984]  kfree+0xcf/0x230
[  789.151377]  kvfree+0x61/0x70
[  789.154729]  vhost_vsock_dev_release+0x4f4/0x720
[  789.159636]  __fput+0x3bc/0xa70
[  789.162909]  ____fput+0x15/0x20
[  789.166341]  task_work_run+0x1e8/0x2a0
[  789.170391]  exit_to_usermode_loop+0x318/0x380
[  789.174970]  do_syscall_64+0x6be/0x820
[  789.178852]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[  789.184156] 
[  789.185928] The buggy address belongs to the object at ffff8801c7ce0700
[  789.185928]  which belongs to the cache kmalloc-64k of size 65536
[  789.198869] The buggy address is located 168 bytes inside of
[  789.198869]  65536-byte region [ffff8801c7ce0700, ffff8801c7cf0700)
[  789.211090] The buggy address belongs to the page:
[  789.216107] page:ffffea00071f3800 count:1 mapcount:0 mapping:ffff8801da802500 index:0x0 compound_mapcount: 0
[  789.228134] flags: 0x2fffc0000010200(slab|head)
[  789.233110] raw: 02fffc0000010200 ffffea00071f3008 ffffea00071f4008 ffff8801da802500
[  789.240994] raw: 0000000000000000 ffff8801c7ce0700 0000000100000001 0000000000000000
[  789.249124] page dumped because: kasan: bad access detected
[  789.254831] 
[  789.256451] Memory state around the buggy address:
[  789.261378]  ffff8801c7ce0680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[  789.268738]  ffff8801c7ce0700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  789.276103] >ffff8801c7ce0780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  789.283822]                                   ^
[  789.288513]  ffff8801c7ce0800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  789.296035]  ffff8801c7ce0880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  789.303409] ==================================================================
[  789.316471] Kernel panic - not syncing: panic_on_warn set ...
[  789.316471] 
[  789.324052] CPU: 1 PID: 6349 Comm: syz-executor0 Tainted: G    B             4.19.0-rc5-next-20180927+ #82
[  789.333967] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[  789.343319] Call Trace:
[  789.345910]  dump_stack+0x1d3/0x2c4
[  789.349537]  ? dump_stack_print_info.cold.2+0x52/0x52
[  789.354724]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[  789.359477]  panic+0x238/0x4e7
[  789.362667]  ? add_taint.cold.5+0x16/0x16
[  789.366810]  ? preempt_schedule+0x4d/0x60
[  789.370953]  ? ___preempt_schedule+0x16/0x18
[  789.375358]  ? trace_hardirqs_on+0xb4/0x310
[  789.379686]  kasan_end_report+0x47/0x4f
[  789.383829]  kasan_report.cold.9+0x76/0x309
[  789.388304]  ? vhost_work_queue+0xc3/0xe0
[  789.392458]  __asan_report_load8_noabort+0x14/0x20
[  789.397385]  vhost_work_queue+0xc3/0xe0
[  789.401356]  vhost_transport_send_pkt+0x28a/0x380
[  789.406195]  ? vhost_vsock_dev_open+0x5a0/0x5a0
[  789.411003]  ? virtio_transport_send_pkt_info+0x2e7/0x460
[  789.416544]  ? __local_bh_enable_ip+0x160/0x260
[  789.421209]  virtio_transport_send_pkt_info+0x31d/0x460
[  789.426571]  virtio_transport_connect+0x17c/0x220
[  789.431410]  ? virtio_transport_send_pkt_info+0x460/0x460
[  789.436939]  ? vsock_auto_bind+0xa9/0xe0
[  789.440997]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[  789.446528]  vsock_stream_connect+0x4ed/0xe40
[  789.451020]  ? vsock_dgram_connect+0x500/0x500
[  789.455777]  ? __might_sleep+0x95/0x190
[  789.459753]  ? finish_wait+0x430/0x430
[  789.463767]  ? aa_af_perm+0x5a0/0x5a0
[  789.467570]  ? apparmor_socket_connect+0xb6/0x160
[  789.472409]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[  789.477943]  ? security_socket_connect+0x94/0xc0
[  789.482693]  __sys_connect+0x37d/0x4c0
[  789.486575]  ? __ia32_sys_accept+0xb0/0xb0
[  789.490808]  ? kasan_check_read+0x11/0x20
[  789.494948]  ? _copy_to_user+0xc8/0x110
[  789.499062]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[  789.504605]  ? put_timespec64+0x10f/0x1b0
[  789.508884]  ? trace_hardirqs_on+0xbd/0x310
[  789.513210]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[  789.518743]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[  789.524105]  ? trace_hardirqs_off_caller+0x300/0x300
[  789.529204]  __x64_sys_connect+0x73/0xb0
[  789.533406]  do_syscall_64+0x1b9/0x820
[  789.537311]  ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[  789.542667]  ? syscall_return_slowpath+0x5e0/0x5e0
[  789.547689]  ? trace_hardirqs_off+0x310/0x310
[  789.552186]  ? prepare_exit_to_usermode+0x3b0/0x3b0
[  789.557198]  ? recalc_sigpending_tsk+0x180/0x180
[  789.561951]  ? kasan_check_write+0x14/0x20
[  789.566221]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[  789.571229]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[  789.576446] RIP: 0033:0x457579
[  789.579777] Code: 1d b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 eb b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[  789.599073] RSP: 002b:00007f21ce36ac78 EFLAGS: 00000246 ORIG_RAX: 000000000000002a
[  789.606985] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000457579
[  789.614280] RDX: 0000000000000010 RSI: 0000000020000200 RDI: 0000000000000008
[  789.621644] RBP: 000000000072bfa0 R08: 0000000000000000 R09: 0000000000000000
[  789.629179] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f21ce36b6d4
[  789.636731] R13: 00000000004bdb1a R14: 00000000004cc658 R15: 00000000ffffffff
[  789.645211] Kernel Offset: disabled
[  789.648848] Rebooting in 86400 seconds..