[....] Starting enhanced syslogd: rsyslogd [ ok ]. [....] Starting periodic command scheduler: cron [ ok ]. [....] Starting OpenBSD Secure Shell server: sshd [ ok ]. [ 30.718066] kauditd_printk_skb: 8 callbacks suppressed [ 30.718078] audit: type=1800 audit(1545532930.544:29): pid=6029 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="rc.local" dev="sda1" ino=2432 res=0 [ 30.751127] audit: type=1800 audit(1545532930.544:30): pid=6029 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="rmnologin" dev="sda1" ino=2423 res=0 Debian GNU/Linux 7 syzkaller ttyS0 syzkaller login: [ 32.532381] sshd (6168) used greatest stack depth: 15728 bytes left Warning: Permanently added '10.128.0.59' (ECDSA) to the list of known hosts. executing program [ 39.071820] L1TF CPU bug present and SMT on, data leak possible. See CVE-2018-3646 and https://www.kernel.org/doc/html/latest/admin-guide/l1tf.html for details. [ 39.090443] ================================================================== [ 39.097898] BUG: KASAN: slab-out-of-bounds in fpstate_init+0x50/0x160 [ 39.104464] Write of size 832 at addr ffff8881bba4bbc0 by task syz-executor233/6184 [ 39.112230] [ 39.113846] CPU: 1 PID: 6184 Comm: syz-executor233 Not tainted 4.20.0-rc6-next-20181217+ #172 [ 39.122517] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 39.131870] Call Trace: [ 39.134443] dump_stack+0x244/0x39d [ 39.138057] ? dump_stack_print_info.cold.1+0x20/0x20 [ 39.143227] ? printk+0xa7/0xcf [ 39.146501] ? kmsg_dump_rewind_nolock+0xe4/0xe4 [ 39.151244] print_address_description.cold.4+0x9/0x1ff [ 39.156591] ? fpstate_init+0x50/0x160 [ 39.160467] kasan_report.cold.5+0x1b/0x39 [ 39.164685] ? fpstate_init+0x50/0x160 [ 39.168567] ? 
fpstate_init+0x50/0x160 [ 39.172435] check_memory_region+0x13e/0x1b0 [ 39.176828] memset+0x23/0x40 [ 39.179934] fpstate_init+0x50/0x160 [ 39.183635] kvm_arch_vcpu_init+0x3e9/0x870 [ 39.187945] kvm_vcpu_init+0x2fa/0x420 [ 39.191815] ? vcpu_stat_get+0x300/0x300 [ 39.195873] ? kmem_cache_alloc+0x33f/0x730 [ 39.200198] vmx_create_vcpu+0x1b7/0x2695 [ 39.204332] ? lock_downgrade+0x900/0x900 [ 39.208468] ? vmx_exec_control+0x210/0x210 [ 39.212781] ? trace_hardirqs_on+0x310/0x310 [ 39.217174] ? kasan_check_write+0x14/0x20 [ 39.221410] ? __mutex_unlock_slowpath+0x197/0x8c0 [ 39.226341] ? wait_for_completion+0x8a0/0x8a0 [ 39.230910] kvm_arch_vcpu_create+0xe5/0x220 [ 39.235318] ? kvm_arch_vcpu_free+0x90/0x90 [ 39.239624] ? kasan_check_read+0x11/0x20 [ 39.243755] kvm_vm_ioctl+0x526/0x2030 [ 39.247634] ? kvm_unregister_device_ops+0x70/0x70 [ 39.252555] ? get_unused_fd_flags+0x1a0/0x1a0 [ 39.257118] ? kfree+0x11e/0x230 [ 39.260464] ? kfree+0x11e/0x230 [ 39.263814] ? lockdep_hardirqs_on+0x3bb/0x5b0 [ 39.268436] ? trace_hardirqs_on+0xbd/0x310 [ 39.272756] ? kvm_uevent_notify_change.part.32+0x300/0x450 [ 39.278474] ? trace_hardirqs_off_caller+0x310/0x310 [ 39.283559] ? __kasan_slab_free+0x119/0x150 [ 39.287972] ? kvm_uevent_notify_change.part.32+0x300/0x450 [ 39.293691] ? fd_install+0x4d/0x60 [ 39.297306] ? kvm_dev_ioctl+0x18a/0x1ae0 [ 39.301464] ? is_bpf_text_address+0xac/0x170 [ 39.306206] ? kvm_debugfs_release+0x90/0x90 [ 39.310596] ? kasan_check_read+0x11/0x20 [ 39.314731] ? rcu_dynticks_curr_cpu_in_eqs+0xa2/0x170 [ 39.319988] ? rcu_read_unlock_special+0x370/0x370 [ 39.324914] ? rcu_softirq_qs+0x20/0x20 [ 39.328871] ? unwind_dump+0x190/0x190 [ 39.332747] ? is_bpf_text_address+0xd3/0x170 [ 39.337228] ? kernel_text_address+0x79/0xf0 [ 39.341623] ? __kernel_text_address+0xd/0x40 [ 39.346101] ? unwind_get_return_address+0x61/0xa0 [ 39.351013] ? __save_stack_trace+0x8d/0xf0 [ 39.355324] ? save_stack+0xa9/0xd0 [ 39.358934] ? save_stack+0x43/0xd0 [ 39.362538] ? 
__kasan_slab_free+0x102/0x150 [ 39.366929] ? kasan_slab_free+0xe/0x10 [ 39.370888] ? putname+0xf2/0x130 [ 39.374325] ? do_sys_open+0x54d/0x780 [ 39.378242] ? __x64_sys_openat+0x9d/0x100 [ 39.382456] ? do_syscall_64+0x1b9/0x820 [ 39.386502] ? entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 39.391850] ? trace_hardirqs_off+0xb8/0x310 [ 39.396242] ? kasan_check_read+0x11/0x20 [ 39.400373] ? do_raw_spin_unlock+0xa7/0x330 [ 39.404770] ? trace_hardirqs_on+0x310/0x310 [ 39.409190] ? trace_hardirqs_off+0xb8/0x310 [ 39.413599] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 39.419125] ? kvm_unregister_device_ops+0x70/0x70 [ 39.424053] do_vfs_ioctl+0x1de/0x1790 [ 39.427949] ? rcu_lockdep_current_cpu_online+0x1a4/0x210 [ 39.433472] ? ioctl_preallocate+0x300/0x300 [ 39.437896] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 39.443430] ? __fget_light+0x2e9/0x430 [ 39.447406] ? fget_raw+0x20/0x20 [ 39.450847] ? putname+0xf2/0x130 [ 39.454283] ? rcu_read_lock_sched_held+0x14f/0x180 [ 39.459281] ? kmem_cache_free+0x24f/0x290 [ 39.463497] ? putname+0xf7/0x130 [ 39.466935] ? do_syscall_64+0x9a/0x820 [ 39.470899] ? do_syscall_64+0x9a/0x820 [ 39.474902] ? lockdep_hardirqs_on+0x3bb/0x5b0 [ 39.479470] ? security_file_ioctl+0x94/0xc0 [ 39.483870] ksys_ioctl+0xa9/0xd0 [ 39.487313] __x64_sys_ioctl+0x73/0xb0 [ 39.491183] do_syscall_64+0x1b9/0x820 [ 39.495071] ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe [ 39.500417] ? syscall_return_slowpath+0x5e0/0x5e0 [ 39.505344] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 39.510172] ? trace_hardirqs_on_caller+0x310/0x310 [ 39.515173] ? prepare_exit_to_usermode+0x3b0/0x3b0 [ 39.520193] ? prepare_exit_to_usermode+0x291/0x3b0 [ 39.525197] ? 
trace_hardirqs_off_thunk+0x1a/0x1c [ 39.530027] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 39.535197] RIP: 0033:0x440039 [ 39.538370] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 fb 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00 [ 39.557255] RSP: 002b:00007ffe478aae78 EFLAGS: 00000217 ORIG_RAX: 0000000000000010 [ 39.564961] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440039 [ 39.572209] RDX: 0000000000000000 RSI: 000000000000ae41 RDI: 0000000000000004 [ 39.579563] RBP: 00000000006ca018 R08: 00000000004002c8 R09: 00000000004002c8 [ 39.586817] R10: 0000000000000000 R11: 0000000000000217 R12: 00000000004018c0 [ 39.594066] R13: 0000000000401950 R14: 0000000000000000 R15: 0000000000000000 [ 39.601337] [ 39.602945] Allocated by task 6184: [ 39.606575] save_stack+0x43/0xd0 [ 39.610027] kasan_kmalloc+0xcb/0xd0 [ 39.613853] kasan_slab_alloc+0x12/0x20 [ 39.617814] kmem_cache_alloc+0x130/0x730 [ 39.621941] vmx_create_vcpu+0x110/0x2695 [ 39.626074] kvm_arch_vcpu_create+0xe5/0x220 [ 39.630461] kvm_vm_ioctl+0x526/0x2030 [ 39.634331] do_vfs_ioctl+0x1de/0x1790 [ 39.638199] ksys_ioctl+0xa9/0xd0 [ 39.641634] __x64_sys_ioctl+0x73/0xb0 [ 39.645547] do_syscall_64+0x1b9/0x820 [ 39.649415] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 39.654579] [ 39.656187] Freed by task 0: [ 39.659182] (stack is not available) [ 39.662871] [ 39.664481] The buggy address belongs to the object at ffff8881bba4bb80 [ 39.664481] which belongs to the cache x86_fpu of size 832 [ 39.676771] The buggy address is located 64 bytes inside of [ 39.676771] 832-byte region [ffff8881bba4bb80, ffff8881bba4bec0) [ 39.688538] The buggy address belongs to the page: [ 39.693450] page:ffffea0006ee92c0 count:1 mapcount:0 mapping:ffff8881d7a9d380 index:0x0 [ 39.701571] flags: 0x2fffc0000000200(slab) [ 39.705790] raw: 02fffc0000000200 ffff8881d6780448 ffff8881d6780448 ffff8881d7a9d380 [ 39.713651] raw: 
0000000000000000 ffff8881bba4b040 0000000100000004 0000000000000000 [ 39.721521] page dumped because: kasan: bad access detected [ 39.727209] [ 39.728816] Memory state around the buggy address: [ 39.733732] ffff8881bba4bd80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 39.741304] ffff8881bba4be00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 39.748682] >ffff8881bba4be80: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc [ 39.756018] ^ [ 39.761449] ffff8881bba4bf00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 39.768790] ffff8881bba4bf80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 39.776126] ================================================================== [ 39.783462] Disabling lock debugging due to kernel taint [ 39.789397] Kernel panic - not syncing: panic_on_warn set ... [ 39.795307] CPU: 1 PID: 6184 Comm: syz-executor233 Tainted: G B 4.20.0-rc6-next-20181217+ #172 [ 39.805337] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 39.814671] Call Trace: [ 39.817237] dump_stack+0x244/0x39d [ 39.820850] ? dump_stack_print_info.cold.1+0x20/0x20 [ 39.826030] ? fpstate_init+0x30/0x160 [ 39.829901] panic+0x2ad/0x632 [ 39.833076] ? add_taint.cold.5+0x16/0x16 [ 39.837207] ? preempt_schedule+0x4d/0x60 [ 39.841342] ? ___preempt_schedule+0x16/0x18 [ 39.845742] ? trace_hardirqs_on+0xb4/0x310 [ 39.850044] ? fpstate_init+0x50/0x160 [ 39.853911] end_report+0x47/0x4f [ 39.857344] kasan_report.cold.5+0xe/0x39 [ 39.861517] ? fpstate_init+0x50/0x160 [ 39.865405] ? fpstate_init+0x50/0x160 [ 39.869274] check_memory_region+0x13e/0x1b0 [ 39.873663] memset+0x23/0x40 [ 39.876761] fpstate_init+0x50/0x160 [ 39.880457] kvm_arch_vcpu_init+0x3e9/0x870 [ 39.884764] kvm_vcpu_init+0x2fa/0x420 [ 39.888633] ? vcpu_stat_get+0x300/0x300 [ 39.892674] ? kmem_cache_alloc+0x33f/0x730 [ 39.896983] vmx_create_vcpu+0x1b7/0x2695 [ 39.901115] ? lock_downgrade+0x900/0x900 [ 39.905247] ? vmx_exec_control+0x210/0x210 [ 39.909551] ? 
trace_hardirqs_on+0x310/0x310 [ 39.913940] ? kasan_check_write+0x14/0x20 [ 39.918156] ? __mutex_unlock_slowpath+0x197/0x8c0 [ 39.923066] ? wait_for_completion+0x8a0/0x8a0 [ 39.927639] kvm_arch_vcpu_create+0xe5/0x220 [ 39.932027] ? kvm_arch_vcpu_free+0x90/0x90 [ 39.936332] ? kasan_check_read+0x11/0x20 [ 39.940474] kvm_vm_ioctl+0x526/0x2030 [ 39.944362] ? kvm_unregister_device_ops+0x70/0x70 [ 39.949278] ? get_unused_fd_flags+0x1a0/0x1a0 [ 39.953836] ? kfree+0x11e/0x230 [ 39.957184] ? kfree+0x11e/0x230 [ 39.960532] ? lockdep_hardirqs_on+0x3bb/0x5b0 [ 39.965098] ? trace_hardirqs_on+0xbd/0x310 [ 39.969413] ? kvm_uevent_notify_change.part.32+0x300/0x450 [ 39.975106] ? trace_hardirqs_off_caller+0x310/0x310 [ 39.980191] ? __kasan_slab_free+0x119/0x150 [ 39.984594] ? kvm_uevent_notify_change.part.32+0x300/0x450 [ 39.990323] ? fd_install+0x4d/0x60 [ 39.993932] ? kvm_dev_ioctl+0x18a/0x1ae0 [ 39.998062] ? is_bpf_text_address+0xac/0x170 [ 40.002538] ? kvm_debugfs_release+0x90/0x90 [ 40.006925] ? kasan_check_read+0x11/0x20 [ 40.011054] ? rcu_dynticks_curr_cpu_in_eqs+0xa2/0x170 [ 40.016311] ? rcu_read_unlock_special+0x370/0x370 [ 40.021218] ? rcu_softirq_qs+0x20/0x20 [ 40.025171] ? unwind_dump+0x190/0x190 [ 40.029040] ? is_bpf_text_address+0xd3/0x170 [ 40.033517] ? kernel_text_address+0x79/0xf0 [ 40.037920] ? __kernel_text_address+0xd/0x40 [ 40.042398] ? unwind_get_return_address+0x61/0xa0 [ 40.047312] ? __save_stack_trace+0x8d/0xf0 [ 40.051639] ? save_stack+0xa9/0xd0 [ 40.055246] ? save_stack+0x43/0xd0 [ 40.058849] ? __kasan_slab_free+0x102/0x150 [ 40.063278] ? kasan_slab_free+0xe/0x10 [ 40.067233] ? putname+0xf2/0x130 [ 40.070665] ? do_sys_open+0x54d/0x780 [ 40.074532] ? __x64_sys_openat+0x9d/0x100 [ 40.078746] ? do_syscall_64+0x1b9/0x820 [ 40.082790] ? entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 40.088136] ? trace_hardirqs_off+0xb8/0x310 [ 40.092521] ? kasan_check_read+0x11/0x20 [ 40.096652] ? do_raw_spin_unlock+0xa7/0x330 [ 40.101057] ? 
trace_hardirqs_on+0x310/0x310 [ 40.105453] ? trace_hardirqs_off+0xb8/0x310 [ 40.109845] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 40.115394] ? kvm_unregister_device_ops+0x70/0x70 [ 40.120308] do_vfs_ioctl+0x1de/0x1790 [ 40.124186] ? rcu_lockdep_current_cpu_online+0x1a4/0x210 [ 40.129719] ? ioctl_preallocate+0x300/0x300 [ 40.134108] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 40.139636] ? __fget_light+0x2e9/0x430 [ 40.143589] ? fget_raw+0x20/0x20 [ 40.147029] ? putname+0xf2/0x130 [ 40.150464] ? rcu_read_lock_sched_held+0x14f/0x180 [ 40.155459] ? kmem_cache_free+0x24f/0x290 [ 40.159705] ? putname+0xf7/0x130 [ 40.163139] ? do_syscall_64+0x9a/0x820 [ 40.167097] ? do_syscall_64+0x9a/0x820 [ 40.171051] ? lockdep_hardirqs_on+0x3bb/0x5b0 [ 40.175621] ? security_file_ioctl+0x94/0xc0 [ 40.180009] ksys_ioctl+0xa9/0xd0 [ 40.183443] __x64_sys_ioctl+0x73/0xb0 [ 40.187313] do_syscall_64+0x1b9/0x820 [ 40.191181] ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe [ 40.196551] ? syscall_return_slowpath+0x5e0/0x5e0 [ 40.201460] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 40.206288] ? trace_hardirqs_on_caller+0x310/0x310 [ 40.211301] ? prepare_exit_to_usermode+0x3b0/0x3b0 [ 40.216328] ? prepare_exit_to_usermode+0x291/0x3b0 [ 40.221339] ? 
trace_hardirqs_off_thunk+0x1a/0x1c [ 40.226180] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 40.231348] RIP: 0033:0x440039 [ 40.234526] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 fb 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00 [ 40.253405] RSP: 002b:00007ffe478aae78 EFLAGS: 00000217 ORIG_RAX: 0000000000000010 [ 40.261091] RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440039 [ 40.268344] RDX: 0000000000000000 RSI: 000000000000ae41 RDI: 0000000000000004 [ 40.275614] RBP: 00000000006ca018 R08: 00000000004002c8 R09: 00000000004002c8 [ 40.282863] R10: 0000000000000000 R11: 0000000000000217 R12: 00000000004018c0 [ 40.290113] R13: 0000000000401950 R14: 0000000000000000 R15: 0000000000000000 [ 40.298320] Kernel Offset: disabled [ 40.301939] Rebooting in 86400 seconds..