[ OK ] Reached target Login Prompts.
[ OK ] Reached target Multi-User System.
[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
[ OK ] Started Update UTMP about System Runlevel Changes.
Debian GNU/Linux 9 syzkaller ttyS0
Warning: Permanently added '10.128.1.12' (ECDSA) to the list of known hosts.
2020/08/21 05:16:15 parsed 1 programs
2020/08/21 05:16:16 executed programs: 0
syzkaller login: [ 1050.779644][ T6845] IPVS: ftp: loaded support on port[0] = 21
[ 1050.930194][ T6845] chnl_net:caif_netlink_parms(): no params data found
[ 1050.982592][ T6845] bridge0: port 1(bridge_slave_0) entered blocking state
[ 1050.990721][ T6845] bridge0: port 1(bridge_slave_0) entered disabled state
[ 1050.999622][ T6845] device bridge_slave_0 entered promiscuous mode
[ 1051.008662][ T6845] bridge0: port 2(bridge_slave_1) entered blocking state
[ 1051.016416][ T6845] bridge0: port 2(bridge_slave_1) entered disabled state
[ 1051.024144][ T6845] device bridge_slave_1 entered promiscuous mode
[ 1051.044473][ T6845] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 1051.056474][ T6845] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 1051.077716][ T6845] team0: Port device team_slave_0 added
[ 1051.085717][ T6845] team0: Port device team_slave_1 added
[ 1051.102666][ T6845] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 1051.109716][ T6845] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 1051.136833][ T6845] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[ 1051.149522][ T6845] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 1051.157227][ T6845] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 1051.183960][ T6845] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[ 1051.209091][ T6845] device hsr_slave_0 entered promiscuous mode
[ 1051.215862][ T6845] device hsr_slave_1 entered promiscuous mode
[ 1051.302683][ T6845] netdevsim netdevsim0 netdevsim0: renamed from eth0
[ 1051.312541][ T6845] netdevsim netdevsim0 netdevsim1: renamed from eth1
[ 1051.323217][ T6845] netdevsim netdevsim0 netdevsim2: renamed from eth2
[ 1051.332406][ T6845] netdevsim netdevsim0 netdevsim3: renamed from eth3
[ 1051.355252][ T6845] bridge0: port 2(bridge_slave_1) entered blocking state
[ 1051.362406][ T6845] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 1051.370361][ T6845] bridge0: port 1(bridge_slave_0) entered blocking state
[ 1051.377510][ T6845] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 1051.419807][ T6845] 8021q: adding VLAN 0 to HW filter on device bond0
[ 1051.432452][ T6815] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 1051.443254][ T6815] bridge0: port 1(bridge_slave_0) entered disabled state
[ 1051.451923][ T6815] bridge0: port 2(bridge_slave_1) entered disabled state
[ 1051.460174][ T6815] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 1051.473276][ T6845] 8021q: adding VLAN 0 to HW filter on device team0
[ 1051.485314][ T6815] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 1051.493894][ T6815] bridge0: port 1(bridge_slave_0) entered blocking state
[ 1051.501050][ T6815] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 1051.515897][ T6903] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 1051.525782][ T6903] bridge0: port 2(bridge_slave_1) entered blocking state
[ 1051.532850][ T6903] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 1051.555804][ T6815] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 1051.565737][ T6815] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 1051.574174][ T6815] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 1051.582829][ T6815] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 1051.591384][ T6815] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 1051.602963][ T6845] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 1051.620928][ T2586] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 1051.629122][ T2586] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 1051.641925][ T6845] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 1051.660645][ T2586] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 1051.680312][ T6845] device veth0_vlan entered promiscuous mode
[ 1051.687854][ T7066] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 1051.697701][ T7066] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 1051.706205][ T7066] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 1051.718492][ T6845] device veth1_vlan entered promiscuous mode
[ 1051.727574][ T6815] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan0: link becomes ready
[ 1051.748265][ T2586] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan1: link becomes ready
[ 1051.756952][ T2586] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 1051.769433][ T6845] device veth0_macvtap entered promiscuous mode
[ 1051.778945][ T6845] device veth1_macvtap entered promiscuous mode
[ 1051.795653][ T6845] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 1051.803080][ T6815] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 1051.813456][ T6815] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready
[ 1051.825469][ T6845] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 1051.835053][ T7066] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 1051.845278][ T6845] netdevsim netdevsim0 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0
[ 1051.854123][ T6845] netdevsim netdevsim0 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0
[ 1051.863037][ T6845] netdevsim netdevsim0 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0
[ 1051.871863][ T6845] netdevsim netdevsim0 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0
[ 1052.825134][ T2586] Bluetooth: hci0: command 0x0409 tx timeout
2020/08/21 05:16:21 executed programs: 82
[ 1054.894874][ T7068] Bluetooth: hci0: command 0x041b tx timeout
[ 1056.984256][ T7068] Bluetooth: hci0: command 0x040f tx timeout
[ 1059.054376][ T3083] Bluetooth: hci0: command 0x0419 tx timeout
2020/08/21 05:16:26 executed programs: 238
2020/08/21 05:16:31 executed programs: 493
2020/08/21 05:16:36 executed programs: 789
2020/08/21 05:16:41 executed programs: 1088
2020/08/21 05:16:46 executed programs: 1373
2020/08/21 05:16:51 executed programs: 1647
2020/08/21 05:16:56 executed programs: 1934
2020/08/21 05:17:01 executed programs: 2228
2020/08/21 05:17:06 executed programs: 2518
2020/08/21 05:17:11 executed programs: 2808
2020/08/21 05:17:16 executed programs: 3093
2020/08/21 05:17:21 executed programs: 3368
2020/08/21 05:17:26 executed programs: 3655
[ 1120.521241][ T5134] ==================================================================
[ 1120.529713][ T5134] BUG: KASAN: use-after-free in do_madvise+0x11f1/0x2130
[ 1120.536801][ T5134] Read of size 8 at addr ffff88808992da90 by task syz-executor.0/5134
[ 1120.544936][ T5134]
[ 1120.547267][ T5134] CPU: 1 PID: 5134 Comm: syz-executor.0 Not tainted 5.9.0-rc1-syzkaller #0
[ 1120.555855][ T5134] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 1120.565930][ T5134] Call Trace:
[ 1120.569307][ T5134]  dump_stack+0x1f0/0x31e
[ 1120.573695][ T5134]  print_address_description+0x66/0x620
[ 1120.579310][ T5134]  ? vprintk_emit+0x342/0x3c0
[ 1120.584004][ T5134]  ? printk+0x62/0x83
[ 1120.587991][ T5134]  ? vprintk_emit+0x339/0x3c0
[ 1120.592655][ T5134]  kasan_report+0x132/0x1d0
[ 1120.597235][ T5134]  ? do_madvise+0x11f1/0x2130
[ 1120.601921][ T5134]  do_madvise+0x11f1/0x2130
[ 1120.606483][ T5134]  ? trace_lock_release+0x137/0x1a0
[ 1120.611772][ T5134]  ? __might_fault+0xf5/0x150
[ 1120.616545][ T5134]  ? lock_is_held_type+0xb3/0xe0
[ 1120.621474][ T5134]  ? syscall_enter_from_user_mode+0x24/0x190
[ 1120.627463][ T5134]  __x64_sys_madvise+0x76/0x80
[ 1120.632322][ T5134]  do_syscall_64+0x31/0x70
[ 1120.636823][ T5134]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 1120.642731][ T5134] RIP: 0033:0x45d4d9
[ 1120.646615][ T5134] Code: 5d b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 2b b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 1120.666228][ T5134] RSP: 002b:00007f91704cec78 EFLAGS: 00000246 ORIG_RAX: 000000000000001c
[ 1120.674636][ T5134] RAX: ffffffffffffffda RBX: 0000000000020800 RCX: 000000000045d4d9
[ 1120.682622][ T5134] RDX: 0000000000000003 RSI: 0000000000600003 RDI: 0000000020000000
[ 1120.690672][ T5134] RBP: 000000000118d020 R08: 0000000000000000 R09: 0000000000000000
[ 1120.698753][ T5134] R10: 0000000000000000 R11: 0000000000000246 R12: 000000000118cfec
[ 1120.706732][ T5134] R13: 00007ffc189f0dbf R14: 00007f91704cf9c0 R15: 000000000118cfec
[ 1120.714846][ T5134]
[ 1120.717169][ T5134] Allocated by task 5130:
[ 1120.721551][ T5134]  __kasan_kmalloc+0x100/0x130
[ 1120.726323][ T5134]  slab_post_alloc_hook+0x3e/0x290
[ 1120.731422][ T5134]  kmem_cache_alloc+0x1d2/0x2d0
[ 1120.736336][ T5134]  vm_area_alloc+0x20/0xf0
[ 1120.740740][ T5134]  mmap_region+0x8a3/0x1bc0
[ 1120.746371][ T5134]  do_mmap+0xaa8/0x10e0
[ 1120.750584][ T5134]  vm_mmap_pgoff+0x12c/0x1c0
[ 1120.755170][ T5134]  ksys_mmap_pgoff+0x358/0x4c0
[ 1120.759929][ T5134]  do_syscall_64+0x31/0x70
[ 1120.764333][ T5134]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 1120.770216][ T5134]
[ 1120.772533][ T5134] Freed by task 5130:
[ 1120.776506][ T5134]  kasan_set_track+0x3d/0x70
[ 1120.781091][ T5134]  kasan_set_free_info+0x17/0x30
[ 1120.786013][ T5134]  __kasan_slab_free+0xdd/0x110
[ 1120.790863][ T5134]  kmem_cache_free+0x79/0xf0
[ 1120.795453][ T5134]  __do_munmap+0x1148/0x1530
[ 1120.800026][ T5134]  mmap_region+0x6dc/0x1bc0
[ 1120.804594][ T5134]  do_mmap+0xaa8/0x10e0
[ 1120.808727][ T5134]  vm_mmap_pgoff+0x12c/0x1c0
[ 1120.813307][ T5134]  ksys_mmap_pgoff+0x358/0x4c0
[ 1120.818057][ T5134]  do_syscall_64+0x31/0x70
[ 1120.822450][ T5134]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 1120.828314][ T5134]
[ 1120.830620][ T5134] The buggy address belongs to the object at ffff88808992da90
[ 1120.830620][ T5134]  which belongs to the cache vm_area_struct of size 200
[ 1120.844922][ T5134] The buggy address is located 0 bytes inside of
[ 1120.844922][ T5134]  200-byte region [ffff88808992da90, ffff88808992db58)
[ 1120.858009][ T5134] The buggy address belongs to the page:
[ 1120.863628][ T5134] page:000000005705f591 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x8992d
[ 1120.873755][ T5134] flags: 0xfffe0000000200(slab)
[ 1120.878596][ T5134] raw: 00fffe0000000200 ffffea00027aef88 ffffea0002a5c908 ffff8880aa46f600
[ 1120.887168][ T5134] raw: 0000000000000000 ffff88808992d040 000000010000000f 0000000000000000
[ 1120.895727][ T5134] page dumped because: kasan: bad access detected
[ 1120.902134][ T5134]
[ 1120.904435][ T5134] Memory state around the buggy address:
[ 1120.910041][ T5134]  ffff88808992d980: fc fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1120.918107][ T5134]  ffff88808992da00: fb fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc
[ 1120.926152][ T5134] >ffff88808992da80: fc fc fa fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1120.934201][ T5134]                          ^
[ 1120.938768][ T5134]  ffff88808992db00: fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc fc
[ 1120.946832][ T5134]  ffff88808992db80: fc fc fc fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1120.954981][ T5134] ==================================================================
[ 1120.963165][ T5134] Disabling lock debugging due to kernel taint
[ 1120.974952][ T5134] Kernel panic - not syncing: panic_on_warn set ...
[ 1120.981564][ T5134] CPU: 1 PID: 5134 Comm: syz-executor.0 Tainted: G B 5.9.0-rc1-syzkaller #0
[ 1120.993353][ T5134] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 1121.003406][ T5134] Call Trace:
[ 1121.006699][ T5134]  dump_stack+0x1f0/0x31e
[ 1121.011007][ T5134]  panic+0x264/0x7a0
[ 1121.014946][ T5134]  ? trace_hardirqs_on+0x30/0x80
[ 1121.019866][ T5134]  kasan_report+0x1c9/0x1d0
[ 1121.024365][ T5134]  ? do_madvise+0x11f1/0x2130
[ 1121.029043][ T5134]  do_madvise+0x11f1/0x2130
[ 1121.033544][ T5134]  ? trace_lock_release+0x137/0x1a0
[ 1121.038762][ T5134]  ? __might_fault+0xf5/0x150
[ 1121.043437][ T5134]  ? lock_is_held_type+0xb3/0xe0
[ 1121.048373][ T5134]  ? syscall_enter_from_user_mode+0x24/0x190
[ 1121.054341][ T5134]  __x64_sys_madvise+0x76/0x80
[ 1121.059093][ T5134]  do_syscall_64+0x31/0x70
[ 1121.063491][ T5134]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 1121.069377][ T5134] RIP: 0033:0x45d4d9
[ 1121.073437][ T5134] Code: 5d b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 2b b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 1121.093023][ T5134] RSP: 002b:00007f91704cec78 EFLAGS: 00000246 ORIG_RAX: 000000000000001c
[ 1121.101419][ T5134] RAX: ffffffffffffffda RBX: 0000000000020800 RCX: 000000000045d4d9
[ 1121.109388][ T5134] RDX: 0000000000000003 RSI: 0000000000600003 RDI: 0000000020000000
[ 1121.117353][ T5134] RBP: 000000000118d020 R08: 0000000000000000 R09: 0000000000000000
[ 1121.125312][ T5134] R10: 0000000000000000 R11: 0000000000000246 R12: 000000000118cfec
[ 1121.133273][ T5134] R13: 00007ffc189f0dbf R14: 00007f91704cf9c0 R15: 000000000118cfec
[ 1121.142446][ T5134] Kernel Offset: disabled
[ 1121.146767][ T5134] Rebooting in 86400 seconds..