[ ok ] Starting enhanced syslogd: rsyslogd.
[ 59.605746][ T26] audit: type=1800 audit(1580957862.812:25): pid=8798 uid=0 auid=4294967295 ses=4294967295 subj=_ op=collect_data cause=failed(directio) comm="startpar" name="cron" dev="sda1" ino=2414 res=0
[ 59.625358][ T26] audit: type=1800 audit(1580957862.812:26): pid=8798 uid=0 auid=4294967295 ses=4294967295 subj=_ op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0
[ 59.657298][ T26] audit: type=1800 audit(1580957862.812:27): pid=8798 uid=0 auid=4294967295 ses=4294967295 subj=_ op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.23' (ECDSA) to the list of known hosts.
2020/02/06 03:13:29 parsed 1 programs
2020/02/06 03:13:31 executed programs: 0

syzkaller login: [ 1008.079072][ T8966] IPVS: ftp: loaded support on port[0] = 21
[ 1008.133468][ T8966] chnl_net:caif_netlink_parms(): no params data found
[ 1008.170760][ T8966] bridge0: port 1(bridge_slave_0) entered blocking state
[ 1008.181578][ T8966] bridge0: port 1(bridge_slave_0) entered disabled state
[ 1008.195081][ T8966] device bridge_slave_0 entered promiscuous mode
[ 1008.204179][ T8966] bridge0: port 2(bridge_slave_1) entered blocking state
[ 1008.215136][ T8966] bridge0: port 2(bridge_slave_1) entered disabled state
[ 1008.223879][ T8966] device bridge_slave_1 entered promiscuous mode
[ 1008.242275][ T8966] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 1008.253758][ T8966] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 1008.272535][ T8966] team0: Port device team_slave_0 added
[ 1008.280988][ T8966] team0: Port device team_slave_1 added
[ 1008.296666][ T8966] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 1008.304424][ T8966] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 1008.333063][ T8966] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[ 1008.347978][ T8966] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 1008.356026][ T8966] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 1008.387166][ T8966] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[ 1008.447708][ T8966] device hsr_slave_0 entered promiscuous mode
[ 1008.485855][ T8966] device hsr_slave_1 entered promiscuous mode
[ 1008.589207][ T8966] netdevsim netdevsim0 netdevsim0: renamed from eth0
[ 1008.648286][ T8966] netdevsim netdevsim0 netdevsim1: renamed from eth1
[ 1008.707900][ T8966] netdevsim netdevsim0 netdevsim2: renamed from eth2
[ 1008.767863][ T8966] netdevsim netdevsim0 netdevsim3: renamed from eth3
[ 1008.836796][ T8966] bridge0: port 2(bridge_slave_1) entered blocking state
[ 1008.844572][ T8966] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 1008.852911][ T8966] bridge0: port 1(bridge_slave_0) entered blocking state
[ 1008.861931][ T8966] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 1008.901708][ T8966] 8021q: adding VLAN 0 to HW filter on device bond0
[ 1008.918053][ T2833] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 1008.931666][ T2833] bridge0: port 1(bridge_slave_0) entered disabled state
[ 1008.953155][ T2833] bridge0: port 2(bridge_slave_1) entered disabled state
[ 1008.966268][ T2833] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 1008.982649][ T8966] 8021q: adding VLAN 0 to HW filter on device team0
[ 1009.006583][ T2833] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 1009.019335][ T2833] bridge0: port 1(bridge_slave_0) entered blocking state
[ 1009.028932][ T2833] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 1009.039236][ T2833] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 1009.048083][ T2833] bridge0: port 2(bridge_slave_1) entered blocking state
[ 1009.055546][ T2833] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 1009.067343][ T2702] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 1009.078122][ T2702] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 1009.090748][ T2833] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 1009.104289][ T2702] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 1009.117981][ T2833] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 1009.132155][ T8966] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 1009.151174][ T2702] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 1009.163769][ T2702] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 1009.178570][ T8966] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 1009.196188][ T2833] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_virt_wifi: link becomes ready
[ 1009.207397][ T2833] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 1009.225319][ T2702] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_vlan: link becomes ready
[ 1009.237606][ T2702] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 1009.250680][ T8966] device veth0_vlan entered promiscuous mode
[ 1009.260072][ T8970] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 1009.268617][ T8970] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 1009.280260][ T8966] device veth1_vlan entered promiscuous mode
[ 1009.298338][ T2833] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan0: link becomes ready
[ 1009.307563][ T2833] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan1: link becomes ready
[ 1009.316609][ T2833] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_macvtap: link becomes ready
[ 1009.325100][ T2833] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 1009.335984][ T8966] device veth0_macvtap entered promiscuous mode
[ 1009.346485][ T8966] device veth1_macvtap entered promiscuous mode
[ 1009.363664][ T8966] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 1009.371433][ T8970] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready
[ 1009.382374][ T8970] IPv6: ADDRCONF(NETDEV_CHANGE): macsec0: link becomes ready
[ 1009.395220][ T8970] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready
[ 1009.405818][ T8970] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 1009.419573][ T8966] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 1009.430936][ T2833] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready
[ 1009.440664][ T2833] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
2020/02/06 03:13:36 executed programs: 158
2020/02/06 03:13:41 executed programs: 406
2020/02/06 03:13:46 executed programs: 662
2020/02/06 03:13:51 executed programs: 923
2020/02/06 03:13:56 executed programs: 1191
2020/02/06 03:14:01 executed programs: 1454
2020/02/06 03:14:06 executed programs: 1716
2020/02/06 03:14:11 executed programs: 1985
2020/02/06 03:14:16 executed programs: 2249
2020/02/06 03:14:21 executed programs: 2506
2020/02/06 03:14:26 executed programs: 2771
2020/02/06 03:14:31 executed programs: 3025
2020/02/06 03:14:36 executed programs: 3281
2020/02/06 03:14:41 executed programs: 3540
2020/02/06 03:14:46 executed programs: 3796
2020/02/06 03:14:51 executed programs: 4045
2020/02/06 03:14:56 executed programs: 4291
2020/02/06 03:15:01 executed programs: 4550
2020/02/06 03:15:06 executed programs: 4805
2020/02/06 03:15:11 executed programs: 5063
2020/02/06 03:15:16 executed programs: 5321
2020/02/06 03:15:21 executed programs: 5576
2020/02/06 03:15:26 executed programs: 5838
2020/02/06 03:15:31 executed programs: 6093
2020/02/06 03:15:36 executed programs: 6340
2020/02/06 03:15:41 executed programs: 6600
2020/02/06 03:15:46 executed programs: 6851
2020/02/06 03:15:51 executed programs: 7094
2020/02/06 03:15:56 executed programs: 7339
2020/02/06 03:16:01 executed programs: 7591
2020/02/06 03:16:06 executed programs: 7836
2020/02/06 03:16:11 executed programs: 8096
[ 1170.649563][ T8872] ==================================================================
[ 1170.658964][ T8872] BUG: KASAN: use-after-free in vgem_gem_dumb_create+0x178/0x320
[ 1170.666678][ T8872] Read of size 8 at addr ffff888099b78908 by task syz-executor.0/8872
[ 1170.675191][ T8872]
[ 1170.677647][ T8872] CPU: 1 PID: 8872 Comm: syz-executor.0 Not tainted 5.5.0-syzkaller #0
[ 1170.686183][ T8872] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 1170.699586][ T8872] Call Trace:
[ 1170.703120][ T8872]  dump_stack+0x1fb/0x318
[ 1170.707637][ T8872]  print_address_description+0x74/0x5c0
[ 1170.713256][ T8872]  ? vprintk_default+0x28/0x30
[ 1170.718035][ T8872]  ? vprintk_func+0x158/0x170
[ 1170.722715][ T8872]  ? printk+0x62/0x8d
[ 1170.726759][ T8872]  __kasan_report+0x149/0x1c0
[ 1170.731586][ T8872]  ? vgem_gem_dumb_create+0x178/0x320
[ 1170.736964][ T8872]  kasan_report+0x26/0x50
[ 1170.741302][ T8872]  __asan_report_load8_noabort+0x14/0x20
[ 1170.747055][ T8872]  vgem_gem_dumb_create+0x178/0x320
[ 1170.752451][ T8872]  drm_mode_create_dumb_ioctl+0x22e/0x2a0
[ 1170.758221][ T8872]  drm_ioctl_kernel+0x2cf/0x410
[ 1170.763077][ T8872]  ? drm_mode_create_dumb+0x2a0/0x2a0
[ 1170.768443][ T8872]  drm_ioctl+0x52f/0x890
[ 1170.772723][ T8872]  ? drm_mode_create_dumb+0x2a0/0x2a0
[ 1170.778216][ T8872]  ? do_vfs_ioctl+0x68f/0x1900
[ 1170.783076][ T8872]  ? tomoyo_file_ioctl+0x23/0x30
[ 1170.788005][ T8872]  ? drm_ioctl_kernel+0x410/0x410
[ 1170.793035][ T8872]  __se_sys_ioctl+0x113/0x190
[ 1170.798258][ T8872]  __x64_sys_ioctl+0x7b/0x90
[ 1170.803040][ T8872]  do_syscall_64+0xf7/0x1c0
[ 1170.807604][ T8872]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 1170.813494][ T8872] RIP: 0033:0x45b399
[ 1170.817389][ T8872] Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 1170.837379][ T8872] RSP: 002b:00007f1a03b68c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 1170.845860][ T8872] RAX: ffffffffffffffda RBX: 00007f1a03b696d4 RCX: 000000000045b399
[ 1170.853870][ T8872] RDX: 0000000020000000 RSI: 00000000c02064b2 RDI: 0000000000000003
[ 1170.862565][ T8872] RBP: 000000000075bf20 R08: 0000000000000000 R09: 0000000000000000
[ 1170.870552][ T8872] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
[ 1170.878536][ T8872] R13: 0000000000000285 R14: 00000000004d1588 R15: 000000000075bf2c
[ 1170.886545][ T8872]
[ 1170.888870][ T8872] Allocated by task 8872:
[ 1170.893275][ T8872]  __kasan_kmalloc+0x118/0x1c0
[ 1170.898036][ T8872]  kasan_kmalloc+0x9/0x10
[ 1170.902367][ T8872]  kmem_cache_alloc_trace+0x221/0x2f0
[ 1170.907872][ T8872]  vgem_gem_dumb_create+0xd8/0x320
[ 1170.913002][ T8872]  drm_mode_create_dumb_ioctl+0x22e/0x2a0
[ 1170.919116][ T8872]  drm_ioctl_kernel+0x2cf/0x410
[ 1170.924867][ T8872]  drm_ioctl+0x52f/0x890
[ 1170.929468][ T8872]  __se_sys_ioctl+0x113/0x190
[ 1170.934159][ T8872]  __x64_sys_ioctl+0x7b/0x90
[ 1170.938841][ T8872]  do_syscall_64+0xf7/0x1c0
[ 1170.943354][ T8872]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 1170.949430][ T8872]
[ 1170.951740][ T8872] Freed by task 8872:
[ 1170.955702][ T8872]  __kasan_slab_free+0x12e/0x1e0
[ 1170.960622][ T8872]  kasan_slab_free+0xe/0x10
[ 1170.965123][ T8872]  kfree+0x10d/0x220
[ 1170.969001][ T8872]  vgem_gem_free_object+0xb5/0xc0
[ 1170.974019][ T8872]  drm_gem_object_put_unlocked+0x33a/0x4b0
[ 1170.980053][ T8872]  vgem_gem_dumb_create+0x265/0x320
[ 1170.985647][ T8872]  drm_mode_create_dumb_ioctl+0x22e/0x2a0
[ 1170.991503][ T8872]  drm_ioctl_kernel+0x2cf/0x410
[ 1170.996339][ T8872]  drm_ioctl+0x52f/0x890
[ 1171.000575][ T8872]  __se_sys_ioctl+0x113/0x190
[ 1171.005294][ T8872]  __x64_sys_ioctl+0x7b/0x90
[ 1171.010318][ T8872]  do_syscall_64+0xf7/0x1c0
[ 1171.015266][ T8872]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 1171.021149][ T8872]
[ 1171.023466][ T8872] The buggy address belongs to the object at ffff888099b78800
[ 1171.023466][ T8872]  which belongs to the cache kmalloc-1k of size 1024
[ 1171.037688][ T8872] The buggy address is located 264 bytes inside of
[ 1171.037688][ T8872]  1024-byte region [ffff888099b78800, ffff888099b78c00)
[ 1171.051045][ T8872] The buggy address belongs to the page:
[ 1171.057495][ T8872] page:ffffea000266de00 refcount:1 mapcount:0 mapping:ffff8880aa400c40 index:0xffff888099b78000
[ 1171.068440][ T8872] flags: 0xfffe0000000200(slab)
[ 1171.074335][ T8872] raw: 00fffe0000000200 ffffea0002487708 ffffea00029ff388 ffff8880aa400c40
[ 1171.085949][ T8872] raw: ffff888099b78000 ffff888099b78000 0000000100000001 0000000000000000
[ 1171.094833][ T8872] page dumped because: kasan: bad access detected
[ 1171.101460][ T8872]
[ 1171.103785][ T8872] Memory state around the buggy address:
[ 1171.109404][ T8872]  ffff888099b78800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1171.117647][ T8872]  ffff888099b78880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1171.125705][ T8872] >ffff888099b78900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1171.133760][ T8872]                       ^
[ 1171.138123][ T8872]  ffff888099b78980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1171.146163][ T8872]  ffff888099b78a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1171.155339][ T8872] ==================================================================
[ 1171.163771][ T8872] Disabling lock debugging due to kernel taint
[ 1171.173591][ T8872] Kernel panic - not syncing: panic_on_warn set ...
[ 1171.180219][ T8872] CPU: 1 PID: 8872 Comm: syz-executor.0 Tainted: G    B   5.5.0-syzkaller #0
[ 1171.189951][ T8872] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 1171.199989][ T8872] Call Trace:
[ 1171.203789][ T8872]  dump_stack+0x1fb/0x318
[ 1171.208610][ T8872]  panic+0x264/0x7a9
[ 1171.212496][ T8872]  ? __kasan_report+0x193/0x1c0
[ 1171.217394][ T8872]  ? trace_hardirqs_on+0x34/0x80
[ 1171.222311][ T8872]  ? __kasan_report+0x193/0x1c0
[ 1171.227513][ T8872]  __kasan_report+0x1b9/0x1c0
[ 1171.232188][ T8872]  ? vgem_gem_dumb_create+0x178/0x320
[ 1171.237553][ T8872]  kasan_report+0x26/0x50
[ 1171.241860][ T8872]  __asan_report_load8_noabort+0x14/0x20
[ 1171.247471][ T8872]  vgem_gem_dumb_create+0x178/0x320
[ 1171.252667][ T8872]  drm_mode_create_dumb_ioctl+0x22e/0x2a0
[ 1171.258417][ T8872]  drm_ioctl_kernel+0x2cf/0x410
[ 1171.263288][ T8872]  ? drm_mode_create_dumb+0x2a0/0x2a0
[ 1171.268639][ T8872]  drm_ioctl+0x52f/0x890
[ 1171.272899][ T8872]  ? drm_mode_create_dumb+0x2a0/0x2a0
[ 1171.278255][ T8872]  ? do_vfs_ioctl+0x68f/0x1900
[ 1171.285880][ T8872]  ? tomoyo_file_ioctl+0x23/0x30
[ 1171.290811][ T8872]  ? drm_ioctl_kernel+0x410/0x410
[ 1171.295825][ T8872]  __se_sys_ioctl+0x113/0x190
[ 1171.300489][ T8872]  __x64_sys_ioctl+0x7b/0x90
[ 1171.305075][ T8872]  do_syscall_64+0xf7/0x1c0
[ 1171.309559][ T8872]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 1171.315859][ T8872] RIP: 0033:0x45b399
[ 1171.320050][ T8872] Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 1171.340817][ T8872] RSP: 002b:00007f1a03b68c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 1171.349847][ T8872] RAX: ffffffffffffffda RBX: 00007f1a03b696d4 RCX: 000000000045b399
[ 1171.357832][ T8872] RDX: 0000000020000000 RSI: 00000000c02064b2 RDI: 0000000000000003
[ 1171.365785][ T8872] RBP: 000000000075bf20 R08: 0000000000000000 R09: 0000000000000000
[ 1171.373823][ T8872] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
[ 1171.381775][ T8872] R13: 0000000000000285 R14: 00000000004d1588 R15: 000000000075bf2c
[ 1171.391369][ T8872] Kernel Offset: disabled
[ 1171.395874][ T8872] Rebooting in 86400 seconds..
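Reading the report: the same task (8872) allocated the 1 KiB object at vgem_gem_dumb_create+0xd8, freed it at vgem_gem_dumb_create+0x265 through drm_gem_object_put_unlocked -> vgem_gem_free_object -> kfree, and then performed an 8-byte read at vgem_gem_dumb_create+0x178, 264 bytes into the freed region whose shadow bytes are all fb (KASAN's "freed" marker). The syscall registers confirm the entry point: ORIG_RAX 0x10 is ioctl and RSI 0xc02064b2 decodes to DRM_IOWR(0xB2, 32-byte struct), i.e. DRM_IOCTL_MODE_CREATE_DUMB, matching drm_mode_create_dumb_ioctl in the trace. So the put() inside the create path dropped the last reference, and a field of the object was read afterwards; what removed the other reference beforehand is not visible in this log.

The following is an added user-space model of that ordering, not the vgem driver's code. The names gem_obj, handle_create, handle_close, dumb_create_buggy and dumb_create_fixed are hypothetical stand-ins, the single-slot handle table is a simplification, and the interleave callback is an assumption that stands in for whatever dropped the handle's reference before the put() ran. Freed objects are poisoned with 0xfb and parked in a one-object quarantine instead of being returned to the allocator, so the stale read is observable rather than undefined.

```c
/*
 * Added example (not vgem code): refcounted object, put() before read.
 * Hypothetical names throughout; the interleave callback models activity
 * the log does not show. Compile: cc -Wall -o uaf_model uaf_model.c
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* KASAN marks freed slab bytes with 0xfb (see "Memory state" in the log). */
#define FREED_POISON 0xfb

struct gem_obj {
    unsigned int refcount;
    uint64_t size;                  /* the 8-byte field read after put() */
    unsigned char payload[248];
};

/* One-object quarantine: a freed object is poisoned and kept, not free()d,
 * until the next free, so a read after free is deterministic here. */
static struct gem_obj *last_freed;

static struct gem_obj *obj_create(uint64_t size)
{
    struct gem_obj *o = calloc(1, sizeof(*o));
    if (!o)
        return NULL;
    o->refcount = 1;                /* creation reference, owned by caller */
    o->size = size;
    return o;
}

static void obj_get(struct gem_obj *o) { o->refcount++; }

static void obj_put(struct gem_obj *o)
{
    if (--o->refcount != 0)
        return;
    if (last_freed && last_freed != o)
        free(last_freed);           /* flush the previous quarantined object */
    memset(o, FREED_POISON, sizeof(*o));   /* models kfree() + KASAN poison */
    last_freed = o;
}

static int obj_is_freed(const struct gem_obj *o) { return o == last_freed; }

/* Hypothetical one-slot handle table; a live handle owns one reference. */
static struct gem_obj *handle_slot;

void handle_close(unsigned int handle)
{
    if (handle == 1 && handle_slot) {
        struct gem_obj *o = handle_slot;
        handle_slot = NULL;
        obj_put(o);
    }
}

static void handle_create(struct gem_obj *o, unsigned int *handle)
{
    if (handle_slot)
        handle_close(1);            /* drop a stale entry from an earlier call */
    obj_get(o);
    handle_slot = o;
    *handle = 1;
}

typedef void (*interleave_fn)(unsigned int handle);

/* Buggy ordering, as the log shows: put() the creation reference, then read
 * o->size. Returns 0 for a clean read, 1 if the read hit freed memory,
 * -1 on allocation failure. 'other' runs between handle creation and the
 * put() and stands in for concurrent activity on the handle (assumption). */
int dumb_create_buggy(uint64_t size, interleave_fn other, uint64_t *out_size)
{
    unsigned int handle;
    struct gem_obj *o = obj_create(size);

    if (!o)
        return -1;
    handle_create(o, &handle);
    if (other)
        other(handle);
    obj_put(o);                     /* last reference? then o is freed here */
    *out_size = o->size;            /* read after put(): UAF when freed */
    return obj_is_freed(o);
}

/* Fixed ordering: copy every field you need while still holding a
 * reference, then drop it. Returns 0, or -1 on allocation failure. */
int dumb_create_fixed(uint64_t size, interleave_fn other, uint64_t *out_size)
{
    unsigned int handle;
    struct gem_obj *o = obj_create(size);

    if (!o)
        return -1;
    handle_create(o, &handle);
    if (other)
        other(handle);
    *out_size = o->size;            /* creation reference still held */
    obj_put(o);
    return 0;
}

int main(void)
{
    uint64_t sz = 0;
    int rc;

    rc = dumb_create_buggy(4096, NULL, &sz);
    printf("buggy, handle stays open:       rc=%d size=%llu\n", rc, (unsigned long long)sz);
    rc = dumb_create_buggy(4096, handle_close, &sz);
    printf("buggy, handle closed before put: rc=%d size=0x%llx\n", rc, (unsigned long long)sz);
    rc = dumb_create_fixed(4096, handle_close, &sz);
    printf("fixed, handle closed before put: rc=%d size=%llu\n", rc, (unsigned long long)sz);
    return 0;
}
```

The buggy variant is only wrong when the put() is the last reference, which is why a fuzzer needs many iterations (8096 programs here) before the ordering shows up; the 0xfbfbfbfbfbfbfbfb value returned in that case is what a KASAN build catches and a production build silently consumes. The fix is purely an ordering change: anything read from the object must be read before ownership is released.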