[ ok ] Starting enhanced syslogd: rsyslogd.
[ 40.193894] audit: type=1800 audit(1545705635.713:25): pid=7892 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="cron" dev="sda1" ino=2414 res=0
[ 40.231354] audit: type=1800 audit(1545705635.713:26): pid=7892 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0
[ 40.254625] audit: type=1800 audit(1545705635.713:27): pid=7892 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.8' (ECDSA) to the list of known hosts.
2018/12/25 02:41:57 parsed 1 programs
2018/12/25 02:41:59 executed programs: 0
syzkaller login: [ 123.933766] IPVS: ftp: loaded support on port[0] = 21
[ 124.189573] bridge0: port 1(bridge_slave_0) entered blocking state
[ 124.196445] bridge0: port 1(bridge_slave_0) entered disabled state
[ 124.203568] device bridge_slave_0 entered promiscuous mode
[ 124.222633] bridge0: port 2(bridge_slave_1) entered blocking state
[ 124.229040] bridge0: port 2(bridge_slave_1) entered disabled state
[ 124.236186] device bridge_slave_1 entered promiscuous mode
[ 124.254050] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[ 124.272698] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[ 124.322490] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 124.345865] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 124.426076] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 124.433638] team0: Port device team_slave_0 added
[ 124.450520] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 124.458034] team0: Port device team_slave_1 added
[ 124.475405] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 124.498483] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 124.518487] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 124.537408] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
[ 124.688676] bridge0: port 2(bridge_slave_1) entered blocking state
[ 124.695143] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 124.701944] bridge0: port 1(bridge_slave_0) entered blocking state
[ 124.708295] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 125.248286] 8021q: adding VLAN 0 to HW filter on device bond0
[ 125.303734] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 125.356518] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
[ 125.363173] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 125.370317] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 125.425349] 8021q: adding VLAN 0 to HW filter on device team0
[ 125.754787] ==================================================================
[ 125.762345] BUG: KASAN: use-after-free in filemap_fault+0x2818/0x2a70
[ 125.769018] Read of size 8 at addr ffff8881d205fad0 by task syz-executor0/8328
[ 125.776369]
[ 125.777985] CPU: 0 PID: 8328 Comm: syz-executor0 Not tainted 4.20.0-rc7-next-20181224 #188
[ 125.786373] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 125.795704] Call Trace:
[ 125.798277]  dump_stack+0x1d3/0x2c6
[ 125.801906]  ? dump_stack_print_info.cold.1+0x20/0x20
[ 125.807094]  ? printk+0xa7/0xcf
[ 125.810360]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[ 125.815106]  print_address_description.cold.5+0x9/0x1ff
[ 125.820457]  ? filemap_fault+0x2818/0x2a70
[ 125.824677]  kasan_report.cold.6+0x1b/0x39
[ 125.828893]  ? filemap_fault+0x2818/0x2a70
[ 125.833127]  ? filemap_fault+0x2818/0x2a70
[ 125.837360]  __asan_report_load8_noabort+0x14/0x20
[ 125.842364]  filemap_fault+0x2818/0x2a70
[ 125.846428]  ? grab_cache_page_write_begin+0xa0/0xa0
[ 125.851534]  ? _raw_spin_unlock_irqrestore+0x6d/0xd0
[ 125.856633]  ? try_to_wake_up+0x11c/0x1460
[ 125.860859]  ? graph_lock+0x270/0x270
[ 125.864660]  ? migrate_swap_stop+0x930/0x930
[ 125.869073]  ? find_held_lock+0x36/0x1c0
[ 125.873122]  ? futex_wake+0x613/0x760
[ 125.876912]  ? graph_lock+0x270/0x270
[ 125.880703]  ? kasan_check_read+0x11/0x20
[ 125.884835]  ? do_raw_spin_unlock+0xa7/0x330
[ 125.889228]  ? do_raw_spin_trylock+0x270/0x270
[ 125.893797]  ? __lock_is_held+0xb5/0x140
[ 125.897843]  ? lock_acquire+0x1ed/0x520
[ 125.901821]  ? ext4_filemap_fault+0x7a/0xad
[ 125.906134]  ? lock_release+0xa00/0xa00
[ 125.910091]  ? arch_local_save_flags+0x40/0x40
[ 125.914675]  ? get_futex_key+0x21b0/0x21b0
[ 125.918904]  ? down_read+0x8d/0x120
[ 125.922517]  ? ext4_filemap_fault+0x7a/0xad
[ 125.926838]  ? __down_interruptible+0x700/0x700
[ 125.931519]  ext4_filemap_fault+0x82/0xad
[ 125.935667]  __do_fault+0x176/0x6f0
[ 125.939312]  ? kasan_check_write+0x14/0x20
[ 125.943535]  ? lock_page+0x170/0x170
[ 125.947233]  ? pmd_val+0x88/0x100
[ 125.950670]  ? add_mm_counter_fast+0xd0/0xd0
[ 125.955061]  ? add_mm_counter_fast+0xd0/0xd0
[ 125.959486]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 125.965041]  __handle_mm_fault+0x373b/0x55f0
[ 125.969489]  ? vmf_insert_mixed_mkwrite+0x40/0x40
[ 125.974340]  ? graph_lock+0x270/0x270
[ 125.978126]  ? find_held_lock+0x36/0x1c0
[ 125.982168]  ? print_usage_bug+0xc0/0xc0
[ 125.986215]  ? graph_lock+0x270/0x270
[ 125.990008]  ? graph_lock+0x270/0x270
[ 125.993806]  ? handle_mm_fault+0x42a/0xc70
[ 125.998031]  ? lock_downgrade+0x900/0x900
[ 126.002177]  ? check_preemption_disabled+0x48/0x280
[ 126.007179]  ? kasan_check_read+0x11/0x20
[ 126.011312]  ? rcu_dynticks_curr_cpu_in_eqs+0xa2/0x170
[ 126.016572]  ? rcu_read_unlock_special+0x370/0x370
[ 126.021483]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 126.027014]  ? check_preemption_disabled+0x48/0x280
[ 126.032049]  handle_mm_fault+0x54f/0xc70
[ 126.036113]  ? __handle_mm_fault+0x55f0/0x55f0
[ 126.040676]  ? find_vma+0x34/0x190
[ 126.044205]  __do_page_fault+0x5f6/0xd70
[ 126.048247]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 126.053767]  do_page_fault+0xf2/0x7e0
[ 126.057558]  ? vmalloc_sync_all+0x30/0x30
[ 126.061720]  ? error_entry+0x70/0xd0
[ 126.065420]  ? trace_hardirqs_off_caller+0xbb/0x310
[ 126.070416]  ? trace_hardirqs_on_caller+0xc0/0x310
[ 126.075329]  ? syscall_return_slowpath+0x5e0/0x5e0
[ 126.080245]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 126.085085]  ? trace_hardirqs_on_caller+0x310/0x310
[ 126.090100]  ? trace_hardirqs_off+0x310/0x310
[ 126.094608]  ? prepare_exit_to_usermode+0x3b0/0x3b0
[ 126.099611]  ? prepare_exit_to_usermode+0x291/0x3b0
[ 126.104616]  ? page_fault+0x8/0x30
[ 126.108164]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 126.112999]  ? page_fault+0x8/0x30
[ 126.116537]  page_fault+0x1e/0x30
[ 126.119974] RIP: 0033:0x43ea69
[ 126.123149] Code: b7 0e 66 89 0f 48 83 c6 02 48 83 c7 02 0f 1f 40 00 f6 c2 04 74 0c 8b 0e 89 0f 48 83 c6 04 48 83 c7 04 f6 c2 08 74 0e 48 8b 0e <48> 89 0f 48 83 c6 08 48 83 c7 08 81 e2 f0 00 00 00 74 1f 0f 1f 40
[ 126.142035] RSP: 002b:00007ffe3feb4198 EFLAGS: 00010202
[ 126.147377] RAX: 0000000020008ff8 RBX: 0000000000000003 RCX: 0031656c69662f2e
[ 126.154624] RDX: 0000000000000008 RSI: 0000000000740238 RDI: 0000000020008ff8
[ 126.161874] RBP: 000000000073bf00 R08: 0000000000740218 R09: 0000000000000000
[ 126.169123] R10: 00007ffe3feb4250 R11: 0000000000000246 R12: 0000000000000006
[ 126.176387] R13: fffffffffffffffe R14: 000000000073bf0c R15: 000000000073bf0c
[ 126.183662]
[ 126.185270] Allocated by task 8329:
[ 126.188883]  save_stack+0x43/0xd0
[ 126.192319]  kasan_kmalloc+0xcb/0xd0
[ 126.196030]  kasan_slab_alloc+0x12/0x20
[ 126.199984]  kmem_cache_alloc+0x130/0x730
[ 126.204123]  vm_area_alloc+0x7a/0x1d0
[ 126.207903]  mmap_region+0x9d7/0x1cd0
[ 126.211684]  do_mmap+0xa22/0x1230
[ 126.215153]  vm_mmap_pgoff+0x213/0x2c0
[ 126.219052]  ksys_mmap_pgoff+0x4da/0x660
[ 126.223112]  __x64_sys_mmap+0xe9/0x1b0
[ 126.226978]  do_syscall_64+0x1b9/0x820
[ 126.230855]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 126.236028]
[ 126.237636] Freed by task 8329:
[ 126.240895]  save_stack+0x43/0xd0
[ 126.244329]  __kasan_slab_free+0x102/0x150
[ 126.248544]  kasan_slab_free+0xe/0x10
[ 126.252345]  kmem_cache_free+0x83/0x290
[ 126.256313]  vm_area_free+0x1c/0x20
[ 126.259923]  remove_vma+0x13a/0x180
[ 126.263540]  __do_munmap+0x729/0xf50
[ 126.267250]  mmap_region+0x6a7/0x1cd0
[ 126.271036]  do_mmap+0xa22/0x1230
[ 126.274475]  vm_mmap_pgoff+0x213/0x2c0
[ 126.278358]  ksys_mmap_pgoff+0x4da/0x660
[ 126.282400]  __x64_sys_mmap+0xe9/0x1b0
[ 126.286273]  do_syscall_64+0x1b9/0x820
[ 126.290156]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 126.295319]
[ 126.296942] The buggy address belongs to the object at ffff8881d205fa90
[ 126.296942]  which belongs to the cache vm_area_struct(17:syz0) of size 200
[ 126.310630] The buggy address is located 64 bytes inside of
[ 126.310630]  200-byte region [ffff8881d205fa90, ffff8881d205fb58)
[ 126.322415] The buggy address belongs to the page:
[ 126.327341] page:ffffea00074817c0 count:1 mapcount:0 mapping:ffff8881b810fd80 index:0x0
[ 126.335463] flags: 0x2fffc0000000200(slab)
[ 126.339683] raw: 02fffc0000000200 ffff8881d179c548 ffffea0007602248 ffff8881b810fd80
[ 126.347547] raw: 0000000000000000 ffff8881d205f040 000000010000000f ffff8881d1c8c4c0
[ 126.355404] page dumped because: kasan: bad access detected
[ 126.361093] page->mem_cgroup:ffff8881d1c8c4c0
[ 126.365564]
[ 126.367169] Memory state around the buggy address:
[ 126.372110]  ffff8881d205f980: fc 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 126.379464]  ffff8881d205fa00: 00 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc
[ 126.386818] >ffff8881d205fa80: fc fc fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 126.394172]                                                  ^
[ 126.400135]  ffff8881d205fb00: fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc fc
[ 126.407475]  ffff8881d205fb80: fc fc fc fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 126.414813] ==================================================================
[ 126.422146] Disabling lock debugging due to kernel taint
[ 126.431961] Kernel panic - not syncing: panic_on_warn set ...
[ 126.437889] CPU: 0 PID: 8328 Comm: syz-executor0 Tainted: G B 4.20.0-rc7-next-20181224 #188
[ 126.447655] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 126.456986] Call Trace:
[ 126.459594]  dump_stack+0x1d3/0x2c6
[ 126.463235]  ? dump_stack_print_info.cold.1+0x20/0x20
[ 126.468409]  ? filemap_fault+0x27a0/0x2a70
[ 126.472628]  panic+0x2ad/0x632
[ 126.475803]  ? add_taint.cold.5+0x16/0x16
[ 126.479936]  ? preempt_schedule+0x4d/0x60
[ 126.484067]  ? ___preempt_schedule+0x16/0x18
[ 126.488455]  ? trace_hardirqs_on+0xb4/0x310
[ 126.492761]  ? filemap_fault+0x2818/0x2a70
[ 126.496976]  end_report+0x47/0x4f
[ 126.500432]  kasan_report.cold.6+0xe/0x39
[ 126.504563]  ? filemap_fault+0x2818/0x2a70
[ 126.508782]  ? filemap_fault+0x2818/0x2a70
[ 126.512998]  __asan_report_load8_noabort+0x14/0x20
[ 126.517918]  filemap_fault+0x2818/0x2a70
[ 126.521965]  ? grab_cache_page_write_begin+0xa0/0xa0
[ 126.527060]  ? _raw_spin_unlock_irqrestore+0x6d/0xd0
[ 126.532159]  ? try_to_wake_up+0x11c/0x1460
[ 126.536373]  ? graph_lock+0x270/0x270
[ 126.540172]  ? migrate_swap_stop+0x930/0x930
[ 126.544578]  ? find_held_lock+0x36/0x1c0
[ 126.548624]  ? futex_wake+0x613/0x760
[ 126.552408]  ? graph_lock+0x270/0x270
[ 126.556203]  ? kasan_check_read+0x11/0x20
[ 126.560333]  ? do_raw_spin_unlock+0xa7/0x330
[ 126.564723]  ? do_raw_spin_trylock+0x270/0x270
[ 126.569297]  ? __lock_is_held+0xb5/0x140
[ 126.573340]  ? lock_acquire+0x1ed/0x520
[ 126.577337]  ? ext4_filemap_fault+0x7a/0xad
[ 126.581644]  ? lock_release+0xa00/0xa00
[ 126.585598]  ? arch_local_save_flags+0x40/0x40
[ 126.590159]  ? get_futex_key+0x21b0/0x21b0
[ 126.594379]  ? down_read+0x8d/0x120
[ 126.598010]  ? ext4_filemap_fault+0x7a/0xad
[ 126.602356]  ? __down_interruptible+0x700/0x700
[ 126.607049]  ext4_filemap_fault+0x82/0xad
[ 126.611178]  __do_fault+0x176/0x6f0
[ 126.614785]  ? kasan_check_write+0x14/0x20
[ 126.618999]  ? lock_page+0x170/0x170
[ 126.622701]  ? pmd_val+0x88/0x100
[ 126.626141]  ? add_mm_counter_fast+0xd0/0xd0
[ 126.630544]  ? add_mm_counter_fast+0xd0/0xd0
[ 126.634953]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 126.640480]  __handle_mm_fault+0x373b/0x55f0
[ 126.644875]  ? vmf_insert_mixed_mkwrite+0x40/0x40
[ 126.649697]  ? graph_lock+0x270/0x270
[ 126.653475]  ? find_held_lock+0x36/0x1c0
[ 126.657518]  ? print_usage_bug+0xc0/0xc0
[ 126.661561]  ? graph_lock+0x270/0x270
[ 126.665341]  ? graph_lock+0x270/0x270
[ 126.669128]  ? handle_mm_fault+0x42a/0xc70
[ 126.673346]  ? lock_downgrade+0x900/0x900
[ 126.677503]  ? check_preemption_disabled+0x48/0x280
[ 126.682515]  ? kasan_check_read+0x11/0x20
[ 126.686652]  ? rcu_dynticks_curr_cpu_in_eqs+0xa2/0x170
[ 126.691945]  ? rcu_read_unlock_special+0x370/0x370
[ 126.696857]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 126.702375]  ? check_preemption_disabled+0x48/0x280
[ 126.707372]  handle_mm_fault+0x54f/0xc70
[ 126.711415]  ? __handle_mm_fault+0x55f0/0x55f0
[ 126.715982]  ? find_vma+0x34/0x190
[ 126.719516]  __do_page_fault+0x5f6/0xd70
[ 126.723558]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 126.729078]  do_page_fault+0xf2/0x7e0
[ 126.732861]  ? vmalloc_sync_all+0x30/0x30
[ 126.736992]  ? error_entry+0x70/0xd0
[ 126.740717]  ? trace_hardirqs_off_caller+0xbb/0x310
[ 126.745712]  ? trace_hardirqs_on_caller+0xc0/0x310
[ 126.750623]  ? syscall_return_slowpath+0x5e0/0x5e0
[ 126.755536]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 126.760364]  ? trace_hardirqs_on_caller+0x310/0x310
[ 126.765358]  ? trace_hardirqs_off+0x310/0x310
[ 126.769835]  ? prepare_exit_to_usermode+0x3b0/0x3b0
[ 126.774833]  ? prepare_exit_to_usermode+0x291/0x3b0
[ 126.779833]  ? page_fault+0x8/0x30
[ 126.783367]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 126.788201]  ? page_fault+0x8/0x30
[ 126.791724]  page_fault+0x1e/0x30
[ 126.795159] RIP: 0033:0x43ea69
[ 126.798361] Code: b7 0e 66 89 0f 48 83 c6 02 48 83 c7 02 0f 1f 40 00 f6 c2 04 74 0c 8b 0e 89 0f 48 83 c6 04 48 83 c7 04 f6 c2 08 74 0e 48 8b 0e <48> 89 0f 48 83 c6 08 48 83 c7 08 81 e2 f0 00 00 00 74 1f 0f 1f 40
[ 126.817242] RSP: 002b:00007ffe3feb4198 EFLAGS: 00010202
[ 126.822621] RAX: 0000000020008ff8 RBX: 0000000000000003 RCX: 0031656c69662f2e
[ 126.829900] RDX: 0000000000000008 RSI: 0000000000740238 RDI: 0000000020008ff8
[ 126.837148] RBP: 000000000073bf00 R08: 0000000000740218 R09: 0000000000000000
[ 126.844407] R10: 00007ffe3feb4250 R11: 0000000000000246 R12: 0000000000000006
[ 126.851670] R13: fffffffffffffffe R14: 000000000073bf0c R15: 000000000073bf0c
[ 126.859876] Kernel Offset: disabled
[ 126.863495] Rebooting in 86400 seconds..