[ ok ] Starting enhanced syslogd: rsyslogd.
[   81.426479][   T27] audit: type=1800 audit(1583509298.782:25): pid=9432 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="cron" dev="sda1" ino=2414 res=0
[   81.446291][   T27] audit: type=1800 audit(1583509298.782:26): pid=9432 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0
[   81.482725][   T27] audit: type=1800 audit(1583509298.782:27): pid=9432 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.116' (ECDSA) to the list of known hosts.
executing program
syzkaller login: 
[   96.790204][ T9589] ==================================================================
[   96.798936][ T9589] BUG: KASAN: slab-out-of-bounds in cgroup_file_notify+0x16a/0x1b0
[   96.807309][ T9589] Read of size 8 at addr ffff88821b77c4c8 by task syz-executor540/9589
[   96.815882][ T9589] 
[   96.818207][ T9589] CPU: 0 PID: 9589 Comm: syz-executor540 Not tainted 5.6.0-rc3-next-20200225-syzkaller #0
[   96.830309][ T9589] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   96.842383][ T9589] Call Trace:
[   96.846172][ T9589]  dump_stack+0x197/0x210
[   96.850596][ T9589]  ? cgroup_file_notify+0x16a/0x1b0
[   96.856736][ T9589]  print_address_description.constprop.0.cold+0xd4/0x30b
[   96.865788][ T9589]  ? cgroup_file_notify+0x16a/0x1b0
[   96.871681][ T9589]  ? cgroup_file_notify+0x16a/0x1b0
[   96.877340][ T9589]  __kasan_report.cold+0x1b/0x32
[   96.883950][ T9589]  ? cgroup_file_notify+0x16a/0x1b0
[   96.889514][ T9589]  kasan_report+0x12/0x20
[   96.893836][ T9589]  __asan_report_load8_noabort+0x14/0x20
[   96.899637][ T9589]  cgroup_file_notify+0x16a/0x1b0
[   96.904672][ T9589]  __hugetlb_cgroup_charge_cgroup+0x88c/0xf10
[   96.911145][ T9589]  ? __hugetlb_cgroup_uncharge_page+0x750/0x750
[   96.918901][ T9589]  ? do_raw_spin_unlock+0x181/0x270
[   96.924195][ T9589]  hugetlb_cgroup_charge_cgroup_rsvd+0x2b/0x40
[   96.930442][ T9589]  hugetlb_reserve_pages+0x2c2/0xce0
[   96.936798][ T9589]  ? hugetlb_mcopy_atomic_pte+0xc10/0xc10
[   96.945152][ T9589]  ? lockdep_init_map+0x1be/0x6d0
[   96.951965][ T9589]  ? __sanitizer_cov_trace_const_cmp2+0x18/0x20
[   96.960608][ T9589]  ? __kasan_check_write+0x14/0x20
[   96.966968][ T9589]  hugetlb_file_setup+0x26a/0x671
[   96.971997][ T9589]  newseg+0x4a3/0xf40
[   96.975972][ T9589]  ? shm_mmap+0x240/0x240
[   96.980851][ T9589]  ? ksys_unshare+0x664/0x980
[   96.985531][ T9589]  ipcget+0x105/0xd40
[   96.989553][ T9589]  ? lock_downgrade+0x920/0x920
[   96.995135][ T9589]  ? rwlock_bug.part.0+0x90/0x90
[   97.001473][ T9589]  ? ipc_obtain_object_check+0x130/0x130
[   97.007875][ T9589]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   97.015099][ T9589]  ? perf_event_namespaces+0x45/0x50
[   97.021143][ T9589]  ? ksys_unshare+0x2ba/0x980
[   97.026902][ T9589]  __x64_sys_shmget+0x146/0x1d0
[   97.031914][ T9589]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   97.037477][ T9589]  ? ksys_shmget+0x150/0x150
[   97.042051][ T9589]  ? do_syscall_64+0x26/0x790
[   97.047330][ T9589]  ? lockdep_hardirqs_on+0x421/0x5e0
[   97.053135][ T9589]  ? trace_hardirqs_on+0x67/0x240
[   97.058180][ T9589]  do_syscall_64+0xfa/0x790
[   97.062795][ T9589]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   97.069369][ T9589] RIP: 0033:0x440119
[   97.073797][ T9589] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 fb 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[   97.095950][ T9589] RSP: 002b:00007ffd5e1db3e8 EFLAGS: 00000246 ORIG_RAX: 000000000000001d
[   97.105440][ T9589] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440119
[   97.113410][ T9589] RDX: 0000000000004800 RSI: fffffffffeffffff RDI: 0000000000000000
[   97.121382][ T9589] RBP: 00000000006ca018 R08: 0000000000000000 R09: 0000000000000000
[   97.129370][ T9589] R10: 0000000020ffc000 R11: 0000000000000246 R12: 00000000004019a0
[   97.137337][ T9589] R13: 0000000000401a30 R14: 0000000000000000 R15: 0000000000000000
[   97.145667][ T9589] 
[   97.147982][ T9589] Allocated by task 0:
[   97.152058][ T9589]  save_stack+0x23/0x90
[   97.156208][ T9589]  __kasan_kmalloc.constprop.0+0xcf/0xe0
[   97.161848][ T9589]  kasan_kmalloc+0x9/0x10
[   97.166200][ T9589]  kmem_cache_alloc_trace+0x158/0x790
[   97.171582][ T9589]  hugetlb_cgroup_css_alloc+0x4f/0x320
[   97.177022][ T9589]  cgroup_init_subsys+0x1d9/0x4a7
[   97.182035][ T9589]  cgroup_init+0x34a/0xa4c
[   97.186446][ T9589]  start_kernel+0xe2d/0xe8f
[   97.190936][ T9589]  x86_64_start_reservations+0x29/0x2b
[   97.196396][ T9589]  x86_64_start_kernel+0x77/0x7b
[   97.201328][ T9589]  secondary_startup_64+0xa4/0xb0
[   97.206338][ T9589] 
[   97.208647][ T9589] Freed by task 0:
[   97.212338][ T9589] (stack is not available)
[   97.216738][ T9589] 
[   97.219740][ T9589] The buggy address belongs to the object at ffff88821b77c000
[   97.219740][ T9589]  which belongs to the cache kmalloc-2k of size 2048
[   97.233781][ T9589] The buggy address is located 1224 bytes inside of
[   97.233781][ T9589]  2048-byte region [ffff88821b77c000, ffff88821b77c800)
[   97.247242][ T9589] The buggy address belongs to the page:
[   97.252966][ T9589] page:ffffea00086ddf00 refcount:1 mapcount:0 mapping:000000005a8512d0 index:0x0
[   97.262256][ T9589] flags: 0x57ffe0000000200(slab)
[   97.267325][ T9589] raw: 057ffe0000000200 ffffea00086dde48 ffffea00086ddf88 ffff8880aa400e00
[   97.276093][ T9589] raw: 0000000000000000 ffff88821b77c000 0000000100000001 0000000000000000
[   97.285728][ T9589] page dumped because: kasan: bad access detected
[   97.292918][ T9589] 
[   97.295491][ T9589] Memory state around the buggy address:
[   97.301310][ T9589]  ffff88821b77c380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   97.309472][ T9589]  ffff88821b77c400: 00 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc
[   97.317623][ T9589] >ffff88821b77c480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   97.325713][ T9589]                                               ^
[   97.332402][ T9589]  ffff88821b77c500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   97.340469][ T9589]  ffff88821b77c580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   97.348528][ T9589] ==================================================================
[   97.356587][ T9589] Disabling lock debugging due to kernel taint
[   97.362720][ T9589] Kernel panic - not syncing: panic_on_warn set ...
[   97.369475][ T9589] CPU: 0 PID: 9589 Comm: syz-executor540 Tainted: G    B             5.6.0-rc3-next-20200225-syzkaller #0
[   97.383493][ T9589] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   97.393746][ T9589] Call Trace:
[   97.397081][ T9589]  dump_stack+0x197/0x210
[   97.402207][ T9589]  panic+0x2e3/0x75c
[   97.406343][ T9589]  ? add_taint.cold+0x16/0x16
[   97.411380][ T9589]  ? cgroup_file_notify+0x16a/0x1b0
[   97.417204][ T9589]  ? trace_hardirqs_off+0x62/0x240
[   97.423198][ T9589]  ? trace_hardirqs_off+0x59/0x240
[   97.428517][ T9589]  ? cgroup_file_notify+0x16a/0x1b0
[   97.434224][ T9589]  end_report+0x47/0x4f
[   97.439695][ T9589]  ? cgroup_file_notify+0x16a/0x1b0
[   97.445142][ T9589]  __kasan_report.cold+0xe/0x32
[   97.449980][ T9589]  ? cgroup_file_notify+0x16a/0x1b0
[   97.455352][ T9589]  kasan_report+0x12/0x20
[   97.459752][ T9589]  __asan_report_load8_noabort+0x14/0x20
[   97.465818][ T9589]  cgroup_file_notify+0x16a/0x1b0
[   97.471210][ T9589]  __hugetlb_cgroup_charge_cgroup+0x88c/0xf10
[   97.477266][ T9589]  ? __hugetlb_cgroup_uncharge_page+0x750/0x750
[   97.483491][ T9589]  ? do_raw_spin_unlock+0x181/0x270
[   97.489206][ T9589]  hugetlb_cgroup_charge_cgroup_rsvd+0x2b/0x40
[   97.495344][ T9589]  hugetlb_reserve_pages+0x2c2/0xce0
[   97.500625][ T9589]  ? hugetlb_mcopy_atomic_pte+0xc10/0xc10
[   97.506507][ T9589]  ? lockdep_init_map+0x1be/0x6d0
[   97.512390][ T9589]  ? __sanitizer_cov_trace_const_cmp2+0x18/0x20
[   97.518723][ T9589]  ? __kasan_check_write+0x14/0x20
[   97.524782][ T9589]  hugetlb_file_setup+0x26a/0x671
[   97.529982][ T9589]  newseg+0x4a3/0xf40
[   97.534251][ T9589]  ? shm_mmap+0x240/0x240
[   97.538921][ T9589]  ? ksys_unshare+0x664/0x980
[   97.545393][ T9589]  ipcget+0x105/0xd40
[   97.549367][ T9589]  ? lock_downgrade+0x920/0x920
[   97.556492][ T9589]  ? rwlock_bug.part.0+0x90/0x90
[   97.561948][ T9589]  ? ipc_obtain_object_check+0x130/0x130
[   97.567938][ T9589]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   97.576013][ T9589]  ? perf_event_namespaces+0x45/0x50
[   97.581381][ T9589]  ? ksys_unshare+0x2ba/0x980
[   97.586078][ T9589]  __x64_sys_shmget+0x146/0x1d0
[   97.591180][ T9589]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   97.596810][ T9589]  ? ksys_shmget+0x150/0x150
[   97.601398][ T9589]  ? do_syscall_64+0x26/0x790
[   97.606356][ T9589]  ? lockdep_hardirqs_on+0x421/0x5e0
[   97.611628][ T9589]  ? trace_hardirqs_on+0x67/0x240
[   97.616644][ T9589]  do_syscall_64+0xfa/0x790
[   97.621134][ T9589]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   97.627090][ T9589] RIP: 0033:0x440119
[   97.631434][ T9589] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 fb 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[   97.652268][ T9589] RSP: 002b:00007ffd5e1db3e8 EFLAGS: 00000246 ORIG_RAX: 000000000000001d
[   97.660677][ T9589] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440119
[   97.668643][ T9589] RDX: 0000000000004800 RSI: fffffffffeffffff RDI: 0000000000000000
[   97.676601][ T9589] RBP: 00000000006ca018 R08: 0000000000000000 R09: 0000000000000000
[   97.684556][ T9589] R10: 0000000020ffc000 R11: 0000000000000246 R12: 00000000004019a0
[   97.692517][ T9589] R13: 0000000000401a30 R14: 0000000000000000 R15: 0000000000000000
[   97.701860][ T9589] Kernel Offset: disabled
[   97.706195][ T9589] Rebooting in 86400 seconds..