[ ok ] Starting enhanced syslogd: rsyslogd.
[ 87.267920][ T27] audit: type=1800 audit(1581501054.600:25): pid=9592 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="cron" dev="sda1" ino=2414 res=0
[ 87.297180][ T27] audit: type=1800 audit(1581501054.600:26): pid=9592 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0
[ 87.338038][ T27] audit: type=1800 audit(1581501054.600:27): pid=9592 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.1.13' (ECDSA) to the list of known hosts.
2020/02/12 10:06:01 parsed 1 programs
2020/02/12 10:06:03 executed programs: 0
syzkaller login: [ 996.399776][ T9760] IPVS: ftp: loaded support on port[0] = 21
[ 996.453954][ T9760] chnl_net:caif_netlink_parms(): no params data found
[ 996.501073][ T9760] bridge0: port 1(bridge_slave_0) entered blocking state
[ 996.508477][ T9760] bridge0: port 1(bridge_slave_0) entered disabled state
[ 996.516416][ T9760] device bridge_slave_0 entered promiscuous mode
[ 996.526296][ T9760] bridge0: port 2(bridge_slave_1) entered blocking state
[ 996.533735][ T9760] bridge0: port 2(bridge_slave_1) entered disabled state
[ 996.541983][ T9760] device bridge_slave_1 entered promiscuous mode
[ 996.558652][ T9760] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 996.569435][ T9760] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 996.588346][ T9760] team0: Port device team_slave_0 added
[ 996.596035][ T9760] team0: Port device team_slave_1 added
[ 996.610020][ T9760] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 996.617419][ T9760] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 996.643465][ T9760] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[ 996.656188][ T9760] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 996.663312][ T9760] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 996.689642][ T9760] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[ 996.748987][ T9760] device hsr_slave_0 entered promiscuous mode
[ 996.797573][ T9760] device hsr_slave_1 entered promiscuous mode
[ 996.909935][ T9760] netdevsim netdevsim0 netdevsim0: renamed from eth0
[ 996.970768][ T9760] netdevsim netdevsim0 netdevsim1: renamed from eth1
[ 997.029023][ T9760] netdevsim netdevsim0 netdevsim2: renamed from eth2
[ 997.069136][ T9760] netdevsim netdevsim0 netdevsim3: renamed from eth3
[ 997.129475][ T9760] bridge0: port 2(bridge_slave_1) entered blocking state
[ 997.136630][ T9760] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 997.144608][ T9760] bridge0: port 1(bridge_slave_0) entered blocking state
[ 997.151697][ T9760] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 997.195222][ T9760] 8021q: adding VLAN 0 to HW filter on device bond0
[ 997.209485][ T9765] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 997.230352][ T9765] bridge0: port 1(bridge_slave_0) entered disabled state
[ 997.249184][ T9765] bridge0: port 2(bridge_slave_1) entered disabled state
[ 997.258248][ T9765] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 997.271785][ T9760] 8021q: adding VLAN 0 to HW filter on device team0
[ 997.282558][ T9766] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 997.291888][ T9766] bridge0: port 1(bridge_slave_0) entered blocking state
[ 997.299071][ T9766] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 997.311364][ T9765] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 997.320276][ T9765] bridge0: port 2(bridge_slave_1) entered blocking state
[ 997.327453][ T9765] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 997.348769][ T9766] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 997.358481][ T9766] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 997.373879][ T9760] hsr0: Slave A (hsr_slave_0) is not up; please bring it up to get a fully working HSR network
[ 997.384681][ T9760] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
[ 997.398194][ T9766] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 997.406115][ T9766] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 997.415022][ T9766] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 997.423684][ T9766] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 997.442647][ T9765] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 997.450184][ T9765] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 997.465168][ T9760] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 997.485303][ T9766] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_virt_wifi: link becomes ready
[ 997.494626][ T9766] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 997.516492][ T9760] device veth0_vlan entered promiscuous mode
[ 997.524156][ T9766] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_vlan: link becomes ready
[ 997.533322][ T9766] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 997.543241][ T9766] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 997.551344][ T9766] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 997.565274][ T9760] device veth1_vlan entered promiscuous mode
[ 997.586236][ T9765] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan0: link becomes ready
[ 997.594375][ T9765] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan1: link becomes ready
[ 997.602583][ T9765] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_macvtap: link becomes ready
[ 997.611201][ T9765] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 997.622774][ T9760] device veth0_macvtap entered promiscuous mode
[ 997.633632][ T9760] device veth1_macvtap entered promiscuous mode
[ 997.650900][ T9760] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 997.658584][ T9766] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready
[ 997.666636][ T9766] IPv6: ADDRCONF(NETDEV_CHANGE): macsec0: link becomes ready
[ 997.674876][ T9766] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready
[ 997.683627][ T9766] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 997.696635][ T9760] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 997.705324][ T9765] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready
[ 997.714122][ T9765] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
2020/02/12 10:06:08 executed programs: 134
2020/02/12 10:06:13 executed programs: 348
[ 1006.597744][T11078] ==================================================================
[ 1006.606284][T11078] BUG: KASAN: use-after-free in vgem_gem_dumb_create+0x238/0x250
[ 1006.613993][T11078] Read of size 8 at addr ffff888094c7c108 by task syz-executor.0/11078
[ 1006.622218][T11078]
[ 1006.624544][T11078] CPU: 1 PID: 11078 Comm: syz-executor.0 Not tainted 5.6.0-rc1-syzkaller #0
[ 1006.633205][T11078] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 1006.643265][T11078] Call Trace:
[ 1006.646694][T11078]  dump_stack+0x197/0x210
[ 1006.651020][T11078]  ? vgem_gem_dumb_create+0x238/0x250
[ 1006.656477][T11078]  print_address_description.constprop.0.cold+0xd4/0x30b
[ 1006.663499][T11078]  ? vgem_gem_dumb_create+0x238/0x250
[ 1006.668876][T11078]  ? vgem_gem_dumb_create+0x238/0x250
[ 1006.674236][T11078]  __kasan_report.cold+0x1b/0x32
[ 1006.679166][T11078]  ? vgem_gem_dumb_create+0x238/0x250
[ 1006.684552][T11078]  kasan_report+0x12/0x20
[ 1006.688884][T11078]  __asan_report_load8_noabort+0x14/0x20
[ 1006.694563][T11078]  vgem_gem_dumb_create+0x238/0x250
[ 1006.699870][T11078]  drm_mode_create_dumb+0x282/0x310
[ 1006.705061][T11078]  drm_mode_create_dumb_ioctl+0x26/0x30
[ 1006.710698][T11078]  drm_ioctl_kernel+0x244/0x300
[ 1006.715546][T11078]  ? drm_mode_create_dumb+0x310/0x310
[ 1006.720912][T11078]  ? drm_setversion+0x8c0/0x8c0
[ 1006.725826][T11078]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 1006.732097][T11078]  ? _copy_from_user+0x12c/0x1a0
[ 1006.737031][T11078]  drm_ioctl+0x54e/0xa60
[ 1006.741266][T11078]  ? drm_mode_create_dumb+0x310/0x310
[ 1006.746738][T11078]  ? drm_ioctl_kernel+0x300/0x300
[ 1006.751826][T11078]  ? ksys_dup3+0x3e0/0x3e0
[ 1006.756322][T11078]  ? ns_to_kernel_old_timeval+0x100/0x100
[ 1006.762121][T11078]  ? tomoyo_file_ioctl+0x23/0x30
[ 1006.767051][T11078]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 1006.773354][T11078]  ? security_file_ioctl+0x8d/0xc0
[ 1006.778471][T11078]  ? drm_ioctl_kernel+0x300/0x300
[ 1006.783508][T11078]  ksys_ioctl+0x123/0x180
[ 1006.787939][T11078]  __x64_sys_ioctl+0x73/0xb0
[ 1006.792589][T11078]  do_syscall_64+0xfa/0x790
[ 1006.797138][T11078]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 1006.803033][T11078] RIP: 0033:0x45b3b9
[ 1006.806922][T11078] Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 1006.826631][T11078] RSP: 002b:00007fe691d2dc78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 1006.829953][ T0] NOHZ: local_softirq_pending 08
[ 1006.835041][T11078] RAX: ffffffffffffffda RBX: 00007fe691d2e6d4 RCX: 000000000045b3b9
[ 1006.847942][T11078] RDX: 0000000020000140 RSI: 00000000c02064b2 RDI: 0000000000000003
[ 1006.856001][T11078] RBP: 000000000075bf20 R08: 0000000000000000 R09: 0000000000000000
[ 1006.863966][T11078] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
[ 1006.872105][T11078] R13: 0000000000000285 R14: 00000000004d15b0 R15: 000000000075bf2c
[ 1006.880082][T11078]
[ 1006.882402][T11078] Allocated by task 11078:
[ 1006.886813][T11078]  save_stack+0x23/0x90
[ 1006.890972][T11078]  __kasan_kmalloc.constprop.0+0xcf/0xe0
[ 1006.896620][T11078]  kasan_kmalloc+0x9/0x10
[ 1006.900955][T11078]  kmem_cache_alloc_trace+0x158/0x790
[ 1006.906328][T11078]  __vgem_gem_create+0x49/0x100
[ 1006.911181][T11078]  vgem_gem_dumb_create+0xd7/0x250
[ 1006.916297][T11078]  drm_mode_create_dumb+0x282/0x310
[ 1006.921541][T11078]  drm_mode_create_dumb_ioctl+0x26/0x30
[ 1006.927089][T11078]  drm_ioctl_kernel+0x244/0x300
[ 1006.931937][T11078]  drm_ioctl+0x54e/0xa60
[ 1006.936228][T11078]  ksys_ioctl+0x123/0x180
[ 1006.940592][T11078]  __x64_sys_ioctl+0x73/0xb0
[ 1006.945187][T11078]  do_syscall_64+0xfa/0x790
[ 1006.949691][T11078]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 1006.955563][T11078]
[ 1006.957888][T11078] Freed by task 11078:
[ 1006.961966][T11078]  save_stack+0x23/0x90
[ 1006.966107][T11078]  __kasan_slab_free+0x102/0x150
[ 1006.971043][T11078]  kasan_slab_free+0xe/0x10
[ 1006.975531][T11078]  kfree+0x10a/0x2c0
[ 1006.979418][T11078]  vgem_gem_free_object+0xbe/0xe0
[ 1006.984459][T11078]  drm_gem_object_free+0x100/0x220
[ 1006.989560][T11078]  drm_gem_object_put_unlocked+0x196/0x1c0
[ 1006.995361][T11078]  vgem_gem_dumb_create+0x115/0x250
[ 1007.000567][T11078]  drm_mode_create_dumb+0x282/0x310
[ 1007.005756][T11078]  drm_mode_create_dumb_ioctl+0x26/0x30
[ 1007.011317][T11078]  drm_ioctl_kernel+0x244/0x300
[ 1007.016169][T11078]  drm_ioctl+0x54e/0xa60
[ 1007.020392][T11078]  ksys_ioctl+0x123/0x180
[ 1007.024707][T11078]  __x64_sys_ioctl+0x73/0xb0
[ 1007.029279][T11078]  do_syscall_64+0xfa/0x790
[ 1007.033786][T11078]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 1007.039657][T11078]
[ 1007.041976][T11078] The buggy address belongs to the object at ffff888094c7c000
[ 1007.041976][T11078]  which belongs to the cache kmalloc-1k of size 1024
[ 1007.056019][T11078] The buggy address is located 264 bytes inside of
[ 1007.056019][T11078]  1024-byte region [ffff888094c7c000, ffff888094c7c400)
[ 1007.069422][T11078] The buggy address belongs to the page:
[ 1007.075041][T11078] page:ffffea0002531f00 refcount:1 mapcount:0 mapping:ffff8880aa400c40 index:0x0
[ 1007.084139][T11078] flags: 0xfffe0000000200(slab)
[ 1007.088979][T11078] raw: 00fffe0000000200 ffffea00029f5b48 ffffea00024a6088 ffff8880aa400c40
[ 1007.097559][T11078] raw: 0000000000000000 ffff888094c7c000 0000000100000002 0000000000000000
[ 1007.106126][T11078] page dumped because: kasan: bad access detected
[ 1007.112544][T11078]
[ 1007.114900][T11078] Memory state around the buggy address:
[ 1007.120567][T11078]  ffff888094c7c000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1007.129152][T11078]  ffff888094c7c080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1007.137205][T11078] >ffff888094c7c100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1007.145440][T11078]                       ^
[ 1007.149770][T11078]  ffff888094c7c180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1007.157893][T11078]  ffff888094c7c200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1007.165950][T11078] ==================================================================
[ 1007.174104][T11078] Disabling lock debugging due to kernel taint
[ 1007.181059][T11078] Kernel panic - not syncing: panic_on_warn set ...
[ 1007.187653][T11078] CPU: 1 PID: 11078 Comm: syz-executor.0 Tainted: G B 5.6.0-rc1-syzkaller #0
[ 1007.197695][T11078] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 1007.207796][T11078] Call Trace:
[ 1007.211145][T11078]  dump_stack+0x197/0x210
[ 1007.215541][T11078]  panic+0x2e3/0x75c
[ 1007.219433][T11078]  ? add_taint.cold+0x16/0x16
[ 1007.224205][T11078]  ? vgem_gem_dumb_create+0x238/0x250
[ 1007.229710][T11078]  ? preempt_schedule+0x4b/0x60
[ 1007.234682][T11078]  ? ___preempt_schedule+0x16/0x18
[ 1007.239909][T11078]  ? trace_hardirqs_on+0x5e/0x240
[ 1007.244940][T11078]  ? vgem_gem_dumb_create+0x238/0x250
[ 1007.250324][T11078]  end_report+0x47/0x4f
[ 1007.254468][T11078]  ? vgem_gem_dumb_create+0x238/0x250
[ 1007.259827][T11078]  __kasan_report.cold+0xe/0x32
[ 1007.264719][T11078]  ? vgem_gem_dumb_create+0x238/0x250
[ 1007.270094][T11078]  kasan_report+0x12/0x20
[ 1007.274413][T11078]  __asan_report_load8_noabort+0x14/0x20
[ 1007.280068][T11078]  vgem_gem_dumb_create+0x238/0x250
[ 1007.285280][T11078]  drm_mode_create_dumb+0x282/0x310
[ 1007.290499][T11078]  drm_mode_create_dumb_ioctl+0x26/0x30
[ 1007.296058][T11078]  drm_ioctl_kernel+0x244/0x300
[ 1007.300900][T11078]  ? drm_mode_create_dumb+0x310/0x310
[ 1007.306305][T11078]  ? drm_setversion+0x8c0/0x8c0
[ 1007.311213][T11078]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 1007.317456][T11078]  ? _copy_from_user+0x12c/0x1a0
[ 1007.322527][T11078]  drm_ioctl+0x54e/0xa60
[ 1007.326763][T11078]  ? drm_mode_create_dumb+0x310/0x310
[ 1007.332222][T11078]  ? drm_ioctl_kernel+0x300/0x300
[ 1007.337249][T11078]  ? ksys_dup3+0x3e0/0x3e0
[ 1007.341715][T11078]  ? ns_to_kernel_old_timeval+0x100/0x100
[ 1007.347464][T11078]  ? tomoyo_file_ioctl+0x23/0x30
[ 1007.352542][T11078]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 1007.358776][T11078]  ? security_file_ioctl+0x8d/0xc0
[ 1007.363888][T11078]  ? drm_ioctl_kernel+0x300/0x300
[ 1007.368901][T11078]  ksys_ioctl+0x123/0x180
[ 1007.373254][T11078]  __x64_sys_ioctl+0x73/0xb0
[ 1007.377901][T11078]  do_syscall_64+0xfa/0x790
[ 1007.382396][T11078]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 1007.388340][T11078] RIP: 0033:0x45b3b9
[ 1007.392236][T11078] Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 1007.411826][T11078] RSP: 002b:00007fe691d2dc78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 1007.420428][T11078] RAX: ffffffffffffffda RBX: 00007fe691d2e6d4 RCX: 000000000045b3b9
[ 1007.428538][T11078] RDX: 0000000020000140 RSI: 00000000c02064b2 RDI: 0000000000000003
[ 1007.436608][T11078] RBP: 000000000075bf20 R08: 0000000000000000 R09: 0000000000000000
[ 1007.445531][T11078] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
[ 1007.453535][T11078] R13: 0000000000000285 R14: 00000000004d15b0 R15: 000000000075bf2c
[ 1007.463265][T11078] Kernel Offset: disabled
[ 1007.467640][T11078] Rebooting in 86400 seconds..
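Added example, not part of the syzkaller report above: a triage script that parses a KASAN report of this shape and pulls out what a reader checks first. SAMPLE is a constructed excerpt copied from the report, with the boot output and most frames dropped. Two of its results are worth spelling out. The "Freed by task" stack reaches kfree through drm_gem_object_put_unlocked called from vgem_gem_dumb_create+0x115, and the faulting 8-byte read is at vgem_gem_dumb_create+0x238 in the same task, 264 bytes into the same kmalloc-1k object: the function dropped the reference that was keeping the object alive and then read from it. Why that put turned out to be the last reference is not visible in the report and needs the driver source. Separately, the register dump carries the ioctl request in RSI; 0xc02064b2 decodes under the standard x86 Linux _IOC layout (nr, type, size, direction) as read/write, type 'd', number 0xb2, 32-byte argument, which is DRM_IOCTL_MODE_CREATE_DUMB and matches the drm_mode_create_dumb_ioctl frame in the trace. The regexes follow the report format of 5.x kernels; all function and field names in the script are its own.

```python
"""Triage helper for KASAN reports like the one above (added example, not syzkaller's code)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample: lines copied from the report above, boot noise and most frames dropped.
SAMPLE = """\
[ 1006.606284][T11078] BUG: KASAN: use-after-free in vgem_gem_dumb_create+0x238/0x250
[ 1006.613993][T11078] Read of size 8 at addr ffff888094c7c108 by task syz-executor.0/11078
[ 1006.643265][T11078] Call Trace:
[ 1006.651020][T11078]  ? vgem_gem_dumb_create+0x238/0x250
[ 1006.694563][T11078]  vgem_gem_dumb_create+0x238/0x250
[ 1006.699870][T11078]  drm_mode_create_dumb+0x282/0x310
[ 1006.847942][T11078] RDX: 0000000020000140 RSI: 00000000c02064b2 RDI: 0000000000000003
[ 1006.882402][T11078] Allocated by task 11078:
[ 1006.906328][T11078]  __vgem_gem_create+0x49/0x100
[ 1006.911181][T11078]  vgem_gem_dumb_create+0xd7/0x250
[ 1006.957888][T11078] Freed by task 11078:
[ 1006.979418][T11078]  vgem_gem_free_object+0xbe/0xe0
[ 1006.989560][T11078]  drm_gem_object_put_unlocked+0x196/0x1c0
[ 1006.995361][T11078]  vgem_gem_dumb_create+0x115/0x250
[ 1007.041976][T11078] The buggy address belongs to the object at ffff888094c7c000
[ 1007.041976][T11078]  which belongs to the cache kmalloc-1k of size 1024
"""

PREFIX = re.compile(r"^\[\s*[\d.]+\]\[\s*T?\d+\]\s?")  # "[ 1006.606284][T11078] "
HEADER = re.compile(r"BUG: KASAN: (?P<kind>[\w-]+) in (?P<func>[\w.]+)\+0x(?P<off>[0-9a-f]+)/")
ACCESS = re.compile(r"(?P<rw>Read|Write) of size (?P<size>\d+) at addr (?P<addr>[0-9a-f]+) by task (?P<task>\S+)")
SECTION = re.compile(r"^(Call Trace:|Allocated by task \d+:|Freed by task \d+:)$")
FRAME = re.compile(r"^(?P<guess>\? )?(?P<func>[\w.]+)\+0x(?P<off>[0-9a-f]+)/0x[0-9a-f]+$")
OBJECT = re.compile(r"belongs to the object at (?P<addr>[0-9a-f]+)")
CACHE = re.compile(r"belongs to the cache (?P<cache>\S+) of size \d+")
REG = re.compile(r"\b(R[A-Z0-9]{2}): ([0-9a-f]{16})\b")  # RAX..R15 of the user-space frame

@dataclass
class KasanReport:
    kind: str = ""                      # "use-after-free", "slab-out-of-bounds", ...
    func: str = ""                      # function containing the bad access
    func_off: int = 0                   # offset of the access inside func
    access: Tuple[str, int] = ("", 0)   # ("Read" | "Write", size in bytes)
    addr: int = 0                       # faulting address
    task: str = ""                      # "comm/pid"
    stacks: Dict[str, List[Tuple[str, int]]] = field(default_factory=dict)  # call/allocated/freed
    regs: Dict[str, int] = field(default_factory=dict)
    object_addr: Optional[int] = None
    cache: str = ""

    def object_offset(self) -> Optional[int]:  # byte offset of the access inside the slab object
        return None if self.object_addr is None else self.addr - self.object_addr

def parse_kasan(text: str) -> KasanReport:
    r, section = KasanReport(), None
    for raw in text.splitlines():
        line = PREFIX.sub("", raw).strip()
        if SECTION.match(line):                        # a stack follows
            section = line.split()[0].lower()          # "call", "allocated" or "freed"
            r.stacks[section] = []
            continue
        if section is not None:
            f = FRAME.match(line)
            if f:
                if not f["guess"]:                     # "? " frames are unwinder guesses; skip
                    r.stacks[section].append((f["func"], int(f["off"], 16)))
                continue
            if line:                                   # first non-frame line ends the stack
                section = None
        if m := HEADER.search(line):
            r.kind, r.func, r.func_off = m["kind"], m["func"], int(m["off"], 16)
        elif m := ACCESS.search(line):
            r.access, r.addr, r.task = (m["rw"], int(m["size"])), int(m["addr"], 16), m["task"]
        elif m := OBJECT.search(line):
            r.object_addr = int(m["addr"], 16)
        elif m := CACHE.search(line):
            r.cache = m["cache"]
        r.regs.update((name, int(val, 16)) for name, val in REG.findall(line))
    return r

def decode_ioctl(cmd: int) -> Tuple[str, str, int, int]:
    """Split an x86 Linux ioctl request into (direction, type char, nr, argument size)."""
    direction = ("IO", "IOW", "IOR", "IOWR")[(cmd >> 30) & 0x3]
    return direction, chr((cmd >> 8) & 0xff), cmd & 0xff, (cmd >> 16) & 0x3fff

def free_in_crashing_function(r: KasanReport) -> Optional[int]:
    """Offset in the crashing function from which the free was reached, or None.
    A hit means that function gave up the object before touching it again at r.func_off."""
    for func, off in r.stacks.get("freed", []):
        if func == r.func:
            return off
    return None

if __name__ == "__main__":
    rep = parse_kasan(SAMPLE)
    print(rep.kind, "in", rep.func, hex(rep.func_off), rep.access, "at object+%d" % rep.object_offset())
    print("ioctl(fd=%d, request=%s)" % (rep.regs["RDI"], decode_ioctl(rep.regs["RSI"])))
    print("freed from %s+%#x" % (rep.func, free_in_crashing_function(rep)))
```

Run it on the full report (or feed the console log to parse_kasan) and the same three results come out; on a report whose "Freed by" stack does not pass through the crashing function, free_in_crashing_function returns None and the bug is a plain lifetime mismatch between two call paths rather than a put-then-use inside one.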