[ 34.064317] audit: type=1800 audit(1546340267.422:27): pid=7481 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0
[ 34.089906] audit: type=1800 audit(1546340267.422:28): pid=7481 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="ssh" dev="sda1" ino=2417 res=0
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ 34.873596] audit: type=1800 audit(1546340268.282:29): pid=7481 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="rc.local" dev="sda1" ino=2432 res=0
[ 34.898329] audit: type=1800 audit(1546340268.292:30): pid=7481 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="rmnologin" dev="sda1" ino=2423 res=0

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.10.22' (ECDSA) to the list of known hosts.

syzkaller login: [ 46.779395] IPVS: ftp: loaded support on port[0] = 21
executing program
[ 46.837343] L1TF CPU bug present and SMT on, data leak possible. See CVE-2018-3646 and https://www.kernel.org/doc/html/latest/admin-guide/l1tf.html for details.
[ 46.857705] ==================================================================
[ 46.865144] BUG: KASAN: slab-out-of-bounds in kvm_clear_dirty_log_protect+0x8cf/0x970
[ 46.873117] Read of size 8 at addr ffff88809e631290 by task syz-executor007/7635
[ 46.880623]
[ 46.882229] CPU: 0 PID: 7635 Comm: syz-executor007 Not tainted 4.20.0+ #2
[ 46.889129] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 46.898699] Call Trace:
[ 46.901365]  dump_stack+0x1db/0x2d0
[ 46.905230]  ? dump_stack_print_info.cold+0x20/0x20
[ 46.910239]  ? kvm_clear_dirty_log_protect+0x8cf/0x970
[ 46.915805]  print_address_description.cold+0x7c/0x20d
[ 46.921084]  ? kvm_clear_dirty_log_protect+0x8cf/0x970
[ 46.926762]  ? kvm_clear_dirty_log_protect+0x8cf/0x970
[ 46.932024]  kasan_report.cold+0x1b/0x40
[ 46.936070]  ? kvm_clear_dirty_log_protect+0x8cf/0x970
[ 46.941492]  __asan_report_load8_noabort+0x14/0x20
[ 46.946603]  kvm_clear_dirty_log_protect+0x8cf/0x970
[ 46.951695]  ? vcpu_stat_get_per_vm_open+0x40/0x40
[ 46.956625]  ? lock_downgrade+0x910/0x910
[ 46.960751]  ? lock_release+0xc40/0xc40
[ 46.964713]  kvm_vm_ioctl_clear_dirty_log+0xff/0x260
[ 46.969926]  ? kvm_vm_ioctl_get_dirty_log+0x260/0x260
[ 46.975320]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 46.980937]  ? _copy_from_user+0xdd/0x150
[ 46.985071]  kvm_vm_ioctl+0xc19/0x1fe0
[ 46.988932]  ? lock_downgrade+0x910/0x910
[ 46.993055]  ? kasan_check_read+0x11/0x20
[ 46.997180]  ? kvm_unregister_device_ops+0x70/0x70
[ 47.002103]  ? rcu_softirq_qs+0x20/0x20
[ 47.006064]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 47.011831]  ? __fd_install+0x2e4/0x8c0
[ 47.015794]  ? lockdep_hardirqs_on+0x415/0x5d0
[ 47.020358]  ? get_unused_fd_flags+0x1a0/0x1a0
[ 47.024926]  ? kvm_uevent_notify_change.part.0+0x2de/0x440
[ 47.030529]  ? trace_hardirqs_off_caller+0x300/0x300
[ 47.035616]  ? __kasan_slab_free+0x119/0x150
[ 47.040263]  ? kvm_uevent_notify_change.part.0+0x2de/0x440
[ 47.045997]  ? fd_install+0x4d/0x60
[ 47.049607]  ? kvm_dev_ioctl+0x10e/0x1a60
[ 47.053871]  ? kvm_debugfs_release+0x90/0x90
[ 47.058266]  ? __handle_mm_fault+0x955/0x5690
[ 47.062908]  ? add_lock_to_list.isra.0+0x450/0x450
[ 47.067821]  ? vmf_insert_mixed_mkwrite+0x40/0x40
[ 47.072727]  ? check_preemption_disabled+0x48/0x290
[ 47.077720]  ? __do_page_fault+0x610/0xd60
[ 47.081933]  ? find_held_lock+0x35/0x120
[ 47.085970]  ? __do_page_fault+0x610/0xd60
[ 47.090192]  ? kvm_unregister_device_ops+0x70/0x70
[ 47.095277]  do_vfs_ioctl+0x107b/0x17d0
[ 47.099250]  ? rcu_read_unlock_special+0x380/0x380
[ 47.104167]  ? ioctl_preallocate+0x2f0/0x2f0
[ 47.108562]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 47.114249]  ? __fget_light+0x2db/0x420
[ 47.118215]  ? fget_raw+0x20/0x20
[ 47.121651]  ? up_read_non_owner+0x100/0x100
[ 47.126040]  ? do_syscall_64+0x8c/0x800
[ 47.129994]  ? do_syscall_64+0x8c/0x800
[ 47.133971]  ? lockdep_hardirqs_on+0x415/0x5d0
[ 47.138538]  ? security_file_ioctl+0x93/0xc0
[ 47.142926]  ksys_ioctl+0xab/0xd0
[ 47.146363]  __x64_sys_ioctl+0x73/0xb0
[ 47.150228]  do_syscall_64+0x1a3/0x800
[ 47.154092]  ? syscall_return_slowpath+0x5f0/0x5f0
[ 47.159004]  ? prepare_exit_to_usermode+0x232/0x3b0
[ 47.164011]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 47.168841]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 47.174007] RIP: 0033:0x440b09
[ 47.177199] Code: 23 02 00 85 c0 b8 00 00 00 00 48 0f 44 c3 5b c3 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 0b 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 47.196077] RSP: 002b:00000000007dff68 EFLAGS: 00000217 ORIG_RAX: 0000000000000010
[ 47.203970] RAX: ffffffffffffffda RBX: 00000000004a28d8 RCX: 0000000000440b09
[ 47.211391] RDX: 0000000020000080 RSI: 00000000c018aec0 RDI: 0000000000000004
[ 47.218640] RBP: 00000000004a28d8 R08: 0000000120080522 R09: 0000000120080522
[ 47.226005] R10: 0000000120080522 R11: 0000000000000217 R12: 00000000004022a0
[ 47.233262] R13: 0000000000402330 R14: 0000000000000000 R15: 0000000000000000
[ 47.240519]
[ 47.242125] Allocated by task 7635:
[ 47.245735]  save_stack+0x45/0xd0
[ 47.249273]  kasan_kmalloc+0xcf/0xe0
[ 47.252961]  __kmalloc_node+0x4e/0x70
[ 47.256763]  kvmalloc_node+0x68/0x100
[ 47.260556]  __kvm_set_memory_region+0x1da1/0x2c40
[ 47.265464]  kvm_set_memory_region+0x2f/0x60
[ 47.269847]  kvm_vm_ioctl+0xafa/0x1fe0
[ 47.273710]  do_vfs_ioctl+0x107b/0x17d0
[ 47.277749]  ksys_ioctl+0xab/0xd0
[ 47.281181]  __x64_sys_ioctl+0x73/0xb0
[ 47.285488]  do_syscall_64+0x1a3/0x800
[ 47.289495]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 47.294676]
[ 47.296280] Freed by task 4427:
[ 47.299811]  save_stack+0x45/0xd0
[ 47.303249]  __kasan_slab_free+0x102/0x150
[ 47.307476]  kasan_slab_free+0xe/0x10
[ 47.311434]  kfree+0xcf/0x230
[ 47.314529]  single_release+0x95/0xc0
[ 47.318311]  __fput+0x3c5/0xb10
[ 47.321583]  ____fput+0x16/0x20
[ 47.324839]  task_work_run+0x1f4/0x2b0
[ 47.328703]  exit_to_usermode_loop+0x32a/0x3b0
[ 47.333281]  do_syscall_64+0x696/0x800
[ 47.337141]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 47.342319]
[ 47.343935] The buggy address belongs to the object at ffff88809e631280
[ 47.343935]  which belongs to the cache kmalloc-32 of size 32
[ 47.356392] The buggy address is located 16 bytes inside of
[ 47.356392]  32-byte region [ffff88809e631280, ffff88809e6312a0)
[ 47.368244] The buggy address belongs to the page:
[ 47.373156] page:ffffea0002798c40 count:1 mapcount:0 mapping:ffff88812c3f01c0 index:0xffff88809e631fc1
[ 47.382579] flags: 0x1fffc0000000200(slab)
[ 47.386795] raw: 01fffc0000000200 ffffea0002763388 ffff88812c3f1238 ffff88812c3f01c0
[ 47.394667] raw: ffff88809e631fc1 ffff88809e631000 000000010000001c 0000000000000000
[ 47.402520] page dumped because: kasan: bad access detected
[ 47.408201]
[ 47.409803] Memory state around the buggy address:
[ 47.414704]  ffff88809e631180: 00 01 fc fc fc fc fc fc fb fb fb fb fc fc fc fc
[ 47.422038]  ffff88809e631200: fb fb fb fb fc fc fc fc 04 fc fc fc fc fc fc fc
[ 47.429368] >ffff88809e631280: 00 00 fc fc fc fc fc fc fb fb fb fb fc fc fc fc
[ 47.436698]                          ^
[ 47.440559]  ffff88809e631300: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[ 47.447908]  ffff88809e631380: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[ 47.455246] ==================================================================
[ 47.462580] Disabling lock debugging due to kernel taint
[ 47.468118] Kernel panic - not syncing: panic_on_warn set ...
[ 47.473995] CPU: 0 PID: 7635 Comm: syz-executor007 Tainted: G    B   4.20.0+ #2
[ 47.482304] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 47.491770] Call Trace:
[ 47.494403]  dump_stack+0x1db/0x2d0
[ 47.498007]  ? dump_stack_print_info.cold+0x20/0x20
[ 47.503023]  panic+0x2cb/0x589
[ 47.506203]  ? add_taint.cold+0x16/0x16
[ 47.510158]  ? trace_hardirqs_on+0xb4/0x310
[ 47.514452]  ? trace_hardirqs_on+0xb4/0x310
[ 47.518755]  ? kvm_clear_dirty_log_protect+0x8cf/0x970
[ 47.524005]  end_report+0x47/0x4f
[ 47.527589]  ? kvm_clear_dirty_log_protect+0x8cf/0x970
[ 47.532844]  kasan_report.cold+0xe/0x40
[ 47.536818]  ? kvm_clear_dirty_log_protect+0x8cf/0x970
[ 47.542077]  __asan_report_load8_noabort+0x14/0x20
[ 47.547007]  kvm_clear_dirty_log_protect+0x8cf/0x970
[ 47.552092]  ? vcpu_stat_get_per_vm_open+0x40/0x40
[ 47.557000]  ? lock_downgrade+0x910/0x910
[ 47.561122]  ? lock_release+0xc40/0xc40
[ 47.565090]  kvm_vm_ioctl_clear_dirty_log+0xff/0x260
[ 47.570170]  ? kvm_vm_ioctl_get_dirty_log+0x260/0x260
[ 47.575340]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 47.580870]  ? _copy_from_user+0xdd/0x150
[ 47.584990]  kvm_vm_ioctl+0xc19/0x1fe0
[ 47.588855]  ? lock_downgrade+0x910/0x910
[ 47.592984]  ? kasan_check_read+0x11/0x20
[ 47.597124]  ? kvm_unregister_device_ops+0x70/0x70
[ 47.602033]  ? rcu_softirq_qs+0x20/0x20
[ 47.605991]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 47.611505]  ? __fd_install+0x2e4/0x8c0
[ 47.615459]  ? lockdep_hardirqs_on+0x415/0x5d0
[ 47.620015]  ? get_unused_fd_flags+0x1a0/0x1a0
[ 47.624573]  ? kvm_uevent_notify_change.part.0+0x2de/0x440
[ 47.630171]  ? trace_hardirqs_off_caller+0x300/0x300
[ 47.635264]  ? __kasan_slab_free+0x119/0x150
[ 47.639646]  ? kvm_uevent_notify_change.part.0+0x2de/0x440
[ 47.645253]  ? fd_install+0x4d/0x60
[ 47.648861]  ? kvm_dev_ioctl+0x10e/0x1a60
[ 47.652989]  ? kvm_debugfs_release+0x90/0x90
[ 47.657378]  ? __handle_mm_fault+0x955/0x5690
[ 47.661856]  ? add_lock_to_list.isra.0+0x450/0x450
[ 47.666764]  ? vmf_insert_mixed_mkwrite+0x40/0x40
[ 47.671774]  ? check_preemption_disabled+0x48/0x290
[ 47.676776]  ? __do_page_fault+0x610/0xd60
[ 47.681120]  ? find_held_lock+0x35/0x120
[ 47.685161]  ? __do_page_fault+0x610/0xd60
[ 47.689386]  ? kvm_unregister_device_ops+0x70/0x70
[ 47.694296]  do_vfs_ioctl+0x107b/0x17d0
[ 47.698247]  ? rcu_read_unlock_special+0x380/0x380
[ 47.703157]  ? ioctl_preallocate+0x2f0/0x2f0
[ 47.707554]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 47.713064]  ? __fget_light+0x2db/0x420
[ 47.717014]  ? fget_raw+0x20/0x20
[ 47.720444]  ? up_read_non_owner+0x100/0x100
[ 47.724831]  ? do_syscall_64+0x8c/0x800
[ 47.728788]  ? do_syscall_64+0x8c/0x800
[ 47.732898]  ? lockdep_hardirqs_on+0x415/0x5d0
[ 47.737465]  ? security_file_ioctl+0x93/0xc0
[ 47.741856]  ksys_ioctl+0xab/0xd0
[ 47.745294]  __x64_sys_ioctl+0x73/0xb0
[ 47.749169]  do_syscall_64+0x1a3/0x800
[ 47.753034]  ? syscall_return_slowpath+0x5f0/0x5f0
[ 47.758102]  ? prepare_exit_to_usermode+0x232/0x3b0
[ 47.763100]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 47.767927]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 47.773093] RIP: 0033:0x440b09
[ 47.776281] Code: 23 02 00 85 c0 b8 00 00 00 00 48 0f 44 c3 5b c3 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 0b 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 47.795162] RSP: 002b:00000000007dff68 EFLAGS: 00000217 ORIG_RAX: 0000000000000010
[ 47.802851] RAX: ffffffffffffffda RBX: 00000000004a28d8 RCX: 0000000000440b09
[ 47.810113] RDX: 0000000020000080 RSI: 00000000c018aec0 RDI: 0000000000000004
[ 47.817447] RBP: 00000000004a28d8 R08: 0000000120080522 R09: 0000000120080522
[ 47.824693] R10: 0000000120080522 R11: 0000000000000217 R12: 00000000004022a0
[ 47.832036] R13: 0000000000402330 R14: 0000000000000000 R15: 0000000000000000
[ 47.840493] Kernel Offset: disabled
[ 47.844110] Rebooting in 86400 seconds..