[ ok ] Starting enhanced syslogd: rsyslogd.
[   56.799578][   T24] audit: type=1800 audit(1563504823.620:25): pid=8673 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="cron" dev="sda1" ino=2414 res=0
[   56.830287][   T24] audit: type=1800 audit(1563504823.630:26): pid=8673 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0
[   56.870362][   T24] audit: type=1800 audit(1563504823.630:27): pid=8673 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.240' (ECDSA) to the list of known hosts.
2019/07/19 03:09:16 parsed 1 programs
2019/07/19 03:09:18 executed programs: 0
syzkaller login: [  991.997795][ T8843] IPVS: ftp: loaded support on port[0] = 21
[  992.063503][ T8843] chnl_net:caif_netlink_parms(): no params data found
[  992.089858][ T8843] bridge0: port 1(bridge_slave_0) entered blocking state
[  992.098543][ T8843] bridge0: port 1(bridge_slave_0) entered disabled state
[  992.107001][ T8843] device bridge_slave_0 entered promiscuous mode
[  992.115463][ T8843] bridge0: port 2(bridge_slave_1) entered blocking state
[  992.122664][ T8843] bridge0: port 2(bridge_slave_1) entered disabled state
[  992.130512][ T8843] device bridge_slave_1 entered promiscuous mode
[  992.148103][ T8843] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[  992.158989][ T8843] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[  992.178228][ T8843] team0: Port device team_slave_0 added
[  992.185617][ T8843] team0: Port device team_slave_1 added
[  992.252336][ T8843] device hsr_slave_0 entered promiscuous mode
[  992.301058][ T8843] device hsr_slave_1 entered promiscuous mode
[  992.378042][ T8843] bridge0: port 2(bridge_slave_1) entered blocking state
[  992.385338][ T8843] bridge0: port 2(bridge_slave_1) entered forwarding state
[  992.393393][ T8843] bridge0: port 1(bridge_slave_0) entered blocking state
[  992.400495][ T8843] bridge0: port 1(bridge_slave_0) entered forwarding state
[  992.434499][ T8843] 8021q: adding VLAN 0 to HW filter on device bond0
[  992.445781][ T3506] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[  992.466452][ T3506] bridge0: port 1(bridge_slave_0) entered disabled state
[  992.475123][ T3506] bridge0: port 2(bridge_slave_1) entered disabled state
[  992.484226][ T3506] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[  992.497440][ T8843] 8021q: adding VLAN 0 to HW filter on device team0
[  992.507995][ T8847] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[  992.516535][ T8847] bridge0: port 1(bridge_slave_0) entered blocking state
[  992.523601][ T8847] bridge0: port 1(bridge_slave_0) entered forwarding state
[  992.535046][ T3506] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[  992.544339][ T3506] bridge0: port 2(bridge_slave_1) entered blocking state
[  992.551438][ T3506] bridge0: port 2(bridge_slave_1) entered forwarding state
[  992.568651][ T8847] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[  992.578059][ T8847] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[  992.588565][ T3506] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[  992.602818][ T8847] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[  992.614856][ T8843] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
[  992.628273][ T8843] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[  992.636799][ T3506] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[  992.654679][ T8843] 8021q: adding VLAN 0 to HW filter on device batadv0
[  996.090491][ T8843] BUG: Bad rss-counter state mm:0000000070c7a99c idx:0 val:241
[  996.098073][ T8843] BUG: Bad rss-counter state mm:0000000070c7a99c idx:1 val:544
[  996.105703][ T8843] BUG: non-zero pgtables_bytes on freeing mm: 69632
[  996.112603][ T8886] ==================================================================
[  996.122182][ T8886] BUG: KASAN: use-after-free in exit_mmap+0xb2/0x530
[  996.129290][ T8886] Read of size 8 at addr ffff8880a1d4f228 by task syz-executor.0/8886
[  996.137416][ T8886]
[  996.139732][ T8886] CPU: 1 PID: 8886 Comm: syz-executor.0 Not tainted 5.2.0+ #68
[  996.147268][ T8886] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[  996.157511][ T8886] Call Trace:
[  996.160843][ T8886]  dump_stack+0x172/0x1f0
[  996.165180][ T8886]  ? exit_mmap+0xb2/0x530
[  996.169496][ T8886]  print_address_description.cold+0xd4/0x306
[  996.175460][ T8886]  ? exit_mmap+0xb2/0x530
[  996.179768][ T8886]  ? exit_mmap+0xb2/0x530
[  996.184092][ T8886]  __kasan_report.cold+0x1b/0x36
[  996.189012][ T8886]  ? synchronize_srcu+0x1b0/0x3e8
[  996.194040][ T8886]  ? exit_mmap+0xb2/0x530
[  996.198386][ T8886]  kasan_report+0x12/0x17
[  996.202734][ T8886]  check_memory_region+0x134/0x1a0
[  996.207828][ T8886]  __kasan_check_read+0x11/0x20
[  996.212685][ T8886]  exit_mmap+0xb2/0x530
[  996.216841][ T8886]  ? __ia32_sys_munmap+0x80/0x80
[  996.222821][ T8886]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[  996.232881][ T8886]  ? __khugepaged_exit+0x2eb/0x410
[  996.237983][ T8886]  ? __khugepaged_exit+0x2eb/0x410
[  996.243097][ T8886]  ? rcu_read_lock_sched_held+0x110/0x130
[  996.249497][ T8886]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[  996.255727][ T8886]  ? __khugepaged_exit+0xcf/0x410
[  996.260738][ T8886]  mmput+0x179/0x4d0
[  996.264617][ T8886]  do_exit+0x84e/0x2ea0
[  996.269840][ T8886]  ? mm_update_next_owner+0x640/0x640
[  996.275198][ T8886]  ? lock_downgrade+0x920/0x920
[  996.280095][ T8886]  ? _raw_spin_unlock_irq+0x28/0x90
[  996.285277][ T8886]  ? get_signal+0x392/0x2500
[  996.289847][ T8886]  ? _raw_spin_unlock_irq+0x28/0x90
[  996.295054][ T8886]  do_group_exit+0x135/0x360
[  996.299629][ T8886]  get_signal+0x47c/0x2500
[  996.304049][ T8886]  ? do_vfs_ioctl+0x120/0x1380
[  996.308814][ T8886]  do_signal+0x87/0x1670
[  996.313039][ T8886]  ? __fget+0x384/0x560
[  996.317190][ T8886]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[  996.323420][ T8886]  ? setup_sigcontext+0x7d0/0x7d0
[  996.328442][ T8886]  ? kick_process+0xef/0x180
[  996.333040][ T8886]  ? exit_to_usermode_loop+0x43/0x380
[  996.338795][ T8886]  ? do_syscall_64+0x5a9/0x6a0
[  996.343555][ T8886]  ? exit_to_usermode_loop+0x43/0x380
[  996.348910][ T8886]  ? lockdep_hardirqs_on+0x418/0x5d0
[  996.354183][ T8886]  ? trace_hardirqs_on+0x67/0x240
[  996.359203][ T8886]  exit_to_usermode_loop+0x286/0x380
[  996.364673][ T8886]  do_syscall_64+0x5a9/0x6a0
[  996.369275][ T8886]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[  996.375320][ T8886] RIP: 0033:0x459819
[  996.379209][ T8886] Code: Bad RIP value.
[  996.383510][ T8886] RSP: 002b:00007fa415336c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[  996.391910][ T8886] RAX: 0000000000000000 RBX: 0000000000000003 RCX: 0000000000459819
[  996.399866][ T8886] RDX: 00000000200023c0 RSI: 000000004028af11 RDI: 0000000000000003
[  996.407916][ T8886] RBP: 000000000075bfc8 R08: 0000000000000000 R09: 0000000000000000
[  996.415880][ T8886] R10: 0000000000000000 R11: 0000000000000246 R12: 00007fa4153376d4
[  996.423831][ T8886] R13: 00000000004c4722 R14: 00000000004d87d0 R15: 00000000ffffffff
[  996.431900][ T8886]
[  996.434217][ T8886] Allocated by task 8843:
[  996.438536][ T8886]  save_stack+0x23/0x90
[  996.442765][ T8886]  __kasan_kmalloc.constprop.0+0xcf/0xe0
[  996.448377][ T8886]  kasan_slab_alloc+0xf/0x20
[  996.452963][ T8886]  kmem_cache_alloc+0x121/0x710
[  996.457798][ T8886]  dup_mm+0x8a/0x1430
[  996.461757][ T8886]  copy_process+0x28b7/0x6b00
[  996.466411][ T8886]  _do_fork+0x146/0xfa0
[  996.470545][ T8886]  __x64_sys_clone+0x18d/0x250
[  996.475312][ T8886]  do_syscall_64+0xfd/0x6a0
[  996.479798][ T8886]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[  996.485664][ T8886]
[  996.487969][ T8886] Freed by task 8843:
[  996.491934][ T8886]  save_stack+0x23/0x90
[  996.496081][ T8886]  __kasan_slab_free+0x102/0x150
[  996.501000][ T8886]  kasan_slab_free+0xe/0x10
[  996.505583][ T8886]  kmem_cache_free+0x86/0x320
[  996.510248][ T8886]  __mmdrop+0x238/0x320
[  996.514590][ T8886]  finish_task_switch+0x457/0x720
[  996.519603][ T8886]  __schedule+0x75d/0x1580
[  996.524027][ T8886]  schedule+0xa8/0x270
[  996.528102][ T8886]  do_nanosleep+0x201/0x6a0
[  996.532612][ T8886]  hrtimer_nanosleep+0x2a6/0x570
[  996.537541][ T8886]  __x64_sys_nanosleep+0x1a6/0x220
[  996.542651][ T8886]  do_syscall_64+0xfd/0x6a0
[  996.547146][ T8886]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[  996.553024][ T8886]
[  996.555342][ T8886] The buggy address belongs to the object at ffff8880a1d4ed40
[  996.555342][ T8886]  which belongs to the cache mm_struct(17:syz0) of size 1496
[  996.570133][ T8886] The buggy address is located 1256 bytes inside of
[  996.570133][ T8886]  1496-byte region [ffff8880a1d4ed40, ffff8880a1d4f318)
[  996.583828][ T8886] The buggy address belongs to the page:
[  996.589446][ T8886] page:ffffea0002875380 refcount:1 mapcount:0 mapping:ffff8880a1c691c0 index:0x0 compound_mapcount: 0
[  996.600377][ T8886] flags: 0x1fffc0000010200(slab|head)
[  996.605921][ T8886] raw: 01fffc0000010200 ffff8880a0ddb948 ffffea000292fb88 ffff8880a1c691c0
[  996.614713][ T8886] raw: 0000000000000000 ffff8880a1d4e040 0000000100000004 0000000000000000
[  996.623796][ T8886] page dumped because: kasan: bad access detected
[  996.630362][ T8886]
[  996.632667][ T8886] Memory state around the buggy address:
[  996.638295][ T8886]  ffff8880a1d4f100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  996.646429][ T8886]  ffff8880a1d4f180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  996.654473][ T8886] >ffff8880a1d4f200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  996.663034][ T8886]                                   ^
[  996.668387][ T8886]  ffff8880a1d4f280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  996.676436][ T8886]  ffff8880a1d4f300: fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc fc
[  996.684479][ T8886] ==================================================================
[  996.692516][ T8886] Disabling lock debugging due to kernel taint
[  996.700352][ T8886] Kernel panic - not syncing: panic_on_warn set ...
[  996.706957][ T8886] CPU: 1 PID: 8886 Comm: syz-executor.0 Tainted: G    B             5.2.0+ #68
[  996.716038][ T8886] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[  996.726072][ T8886] Call Trace:
[  996.729346][ T8886]  dump_stack+0x172/0x1f0
[  996.735098][ T8886]  panic+0x2dc/0x755
[  996.738973][ T8886]  ? add_taint.cold+0x16/0x16
[  996.743634][ T8886]  ? exit_mmap+0xb2/0x530
[  996.747942][ T8886]  ? preempt_schedule+0x4b/0x60
[  996.752774][ T8886]  ? ___preempt_schedule+0x16/0x18
[  996.757889][ T8886]  ? trace_hardirqs_on+0x5e/0x240
[  996.762922][ T8886]  ? exit_mmap+0xb2/0x530
[  996.767233][ T8886]  end_report+0x47/0x4f
[  996.771370][ T8886]  ? exit_mmap+0xb2/0x530
[  996.775676][ T8886]  __kasan_report.cold+0xe/0x36
[  996.780510][ T8886]  ? synchronize_srcu+0x1b0/0x3e8
[  996.785517][ T8886]  ? exit_mmap+0xb2/0x530
[  996.789839][ T8886]  kasan_report+0x12/0x17
[  996.794170][ T8886]  check_memory_region+0x134/0x1a0
[  996.799262][ T8886]  __kasan_check_read+0x11/0x20
[  996.804094][ T8886]  exit_mmap+0xb2/0x530
[  996.808249][ T8886]  ? __ia32_sys_munmap+0x80/0x80
[  996.813189][ T8886]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[  996.819475][ T8886]  ? __khugepaged_exit+0x2eb/0x410
[  996.825291][ T8886]  ? __khugepaged_exit+0x2eb/0x410
[  996.830389][ T8886]  ? rcu_read_lock_sched_held+0x110/0x130
[  996.836101][ T8886]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[  996.842318][ T8886]  ? __khugepaged_exit+0xcf/0x410
[  996.847321][ T8886]  mmput+0x179/0x4d0
[  996.851214][ T8886]  do_exit+0x84e/0x2ea0
[  996.855350][ T8886]  ? mm_update_next_owner+0x640/0x640
[  996.860807][ T8886]  ? lock_downgrade+0x920/0x920
[  996.865643][ T8886]  ? _raw_spin_unlock_irq+0x28/0x90
[  996.870990][ T8886]  ? get_signal+0x392/0x2500
[  996.875570][ T8886]  ? _raw_spin_unlock_irq+0x28/0x90
[  996.880749][ T8886]  do_group_exit+0x135/0x360
[  996.885321][ T8886]  get_signal+0x47c/0x2500
[  996.889719][ T8886]  ? do_vfs_ioctl+0x120/0x1380
[  996.894469][ T8886]  do_signal+0x87/0x1670
[  996.898689][ T8886]  ? __fget+0x384/0x560
[  996.902825][ T8886]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[  996.909395][ T8886]  ? setup_sigcontext+0x7d0/0x7d0
[  996.914400][ T8886]  ? kick_process+0xef/0x180
[  996.919022][ T8886]  ? exit_to_usermode_loop+0x43/0x380
[  996.924461][ T8886]  ? do_syscall_64+0x5a9/0x6a0
[  996.929297][ T8886]  ? exit_to_usermode_loop+0x43/0x380
[  996.934648][ T8886]  ? lockdep_hardirqs_on+0x418/0x5d0
[  996.939909][ T8886]  ? trace_hardirqs_on+0x67/0x240
[  996.945003][ T8886]  exit_to_usermode_loop+0x286/0x380
[  996.950269][ T8886]  do_syscall_64+0x5a9/0x6a0
[  996.954842][ T8886]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[  996.962380][ T8886] RIP: 0033:0x459819
[  996.966352][ T8886] Code: Bad RIP value.
[  996.970411][ T8886] RSP: 002b:00007fa415336c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[  996.978804][ T8886] RAX: 0000000000000000 RBX: 0000000000000003 RCX: 0000000000459819
[  996.987020][ T8886] RDX: 00000000200023c0 RSI: 000000004028af11 RDI: 0000000000000003
[  996.995014][ T8886] RBP: 000000000075bfc8 R08: 0000000000000000 R09: 0000000000000000
[  997.003070][ T8886] R10: 0000000000000000 R11: 0000000000000246 R12: 00007fa4153376d4
[  997.011478][ T8886] R13: 00000000004c4722 R14: 00000000004d87d0 R15: 00000000ffffffff
[  997.020750][ T8886] Kernel Offset: disabled
[  997.025252][ T8886] Rebooting in 86400 seconds..