[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
[ OK ] Started Update UTMP about System Runlevel Changes.
Starting Load/Save RF Kill Switch Status...
[ OK ] Started Load/Save RF Kill Switch Status.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.0.43' (ECDSA) to the list of known hosts.
2020/09/06 20:23:11 parsed 1 programs
2020/09/06 20:23:11 executed programs: 0
syzkaller login: [   35.837973] audit: type=1400 audit(1599423791.420:8): avc:  denied  { execmem } for  pid=6380 comm="syz-executor.0" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=1
[   36.997685] IPVS: ftp: loaded support on port[0] = 21
[   37.071606] chnl_net:caif_netlink_parms(): no params data found
[   37.173607] bridge0: port 1(bridge_slave_0) entered blocking state
[   37.180333] bridge0: port 1(bridge_slave_0) entered disabled state
[   37.188375] device bridge_slave_0 entered promiscuous mode
[   37.196206] bridge0: port 2(bridge_slave_1) entered blocking state
[   37.202650] bridge0: port 2(bridge_slave_1) entered disabled state
[   37.209663] device bridge_slave_1 entered promiscuous mode
[   37.225729] bond0: Enslaving bond_slave_0 as an active interface with an up link
[   37.234821] bond0: Enslaving bond_slave_1 as an active interface with an up link
[   37.252445] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[   37.259840] team0: Port device team_slave_0 added
[   37.265865] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[   37.273300] team0: Port device team_slave_1 added
[   37.287455] batman_adv: batadv0: Adding interface: batadv_slave_0
[   37.293755] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[   37.318979] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[   37.330308] batman_adv: batadv0: Adding interface: batadv_slave_1
[   37.336599] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[   37.362105] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[   37.372996] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[   37.380339] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[   37.399047] device hsr_slave_0 entered promiscuous mode
[   37.404816] device hsr_slave_1 entered promiscuous mode
[   37.410719] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready
[   37.417942] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_1: link is not ready
[   37.479497] bridge0: port 2(bridge_slave_1) entered blocking state
[   37.486017] bridge0: port 2(bridge_slave_1) entered forwarding state
[   37.492961] bridge0: port 1(bridge_slave_0) entered blocking state
[   37.499338] bridge0: port 1(bridge_slave_0) entered forwarding state
[   37.527456] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[   37.534594] 8021q: adding VLAN 0 to HW filter on device bond0
[   37.542963] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[   37.550994] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[   37.560223] bridge0: port 1(bridge_slave_0) entered disabled state
[   37.568647] bridge0: port 2(bridge_slave_1) entered disabled state
[   37.578337] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready
[   37.584619] 8021q: adding VLAN 0 to HW filter on device team0
[   37.592882] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[   37.600432] bridge0: port 1(bridge_slave_0) entered blocking state
[   37.606868] bridge0: port 1(bridge_slave_0) entered forwarding state
[   37.623869] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[   37.631585] bridge0: port 2(bridge_slave_1) entered blocking state
[   37.638088] bridge0: port 2(bridge_slave_1) entered forwarding state
[   37.646142] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[   37.653875] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[   37.667658] hsr0: Slave A (hsr_slave_0) is not up; please bring it up to get a fully working HSR network
[   37.677633] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
[   37.688992] IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready
[   37.696086] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[   37.704030] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[   37.711514] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[   37.720302] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[   37.732158] IPv6: ADDRCONF(NETDEV_UP): vxcan0: link is not ready
[   37.739358] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[   37.747298] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[   37.757623] 8021q: adding VLAN 0 to HW filter on device batadv0
[   37.808733] IPv6: ADDRCONF(NETDEV_UP): veth0_virt_wifi: link is not ready
[   37.818484] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[   37.847626] IPv6: ADDRCONF(NETDEV_UP): veth0_vlan: link is not ready
[   37.854855] IPv6: ADDRCONF(NETDEV_UP): vlan0: link is not ready
[   37.861253] IPv6: ADDRCONF(NETDEV_UP): vlan1: link is not ready
[   37.871367] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[   37.879285] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[   37.886790] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[   37.896196] device veth0_vlan entered promiscuous mode
[   37.905315] device veth1_vlan entered promiscuous mode
[   37.911099] IPv6: ADDRCONF(NETDEV_UP): macvlan0: link is not ready
[   37.919736] IPv6: ADDRCONF(NETDEV_UP): macvlan1: link is not ready
[   37.930422] IPv6: ADDRCONF(NETDEV_UP): veth0_macvtap: link is not ready
[   37.939774] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan0: link becomes ready
[   37.947082] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan1: link becomes ready
[   37.954342] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[   37.964405] device veth0_macvtap entered promiscuous mode
[   37.970395] IPv6: ADDRCONF(NETDEV_UP): macvtap0: link is not ready
[   37.978980] device veth1_macvtap entered promiscuous mode
[   37.988715] IPv6: ADDRCONF(NETDEV_UP): veth0_to_batadv: link is not ready
[   37.998335] IPv6: ADDRCONF(NETDEV_UP): veth1_to_batadv: link is not ready
[   38.008360] batman_adv: batadv0: Interface activated: batadv_slave_0
[   38.016679] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[   38.025305] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready
[   38.035400] batman_adv: batadv0: Interface activated: batadv_slave_1
[   38.042204] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[   38.062888] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[   39.012533] Bluetooth: hci0 command 0x0409 tx timeout
[   40.541201] ==================================================================
[   40.548906] BUG: KASAN: use-after-free in seq_release_private+0x10c/0x120
[   40.560937] Read of size 8 at addr ffff8880a0101798 by task syz-executor.0/7153
[   40.568631] 
[   40.570248] CPU: 0 PID: 7153 Comm: syz-executor.0 Not tainted 4.14.196-syzkaller #0
[   40.578040] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   40.587375] Call Trace:
[   40.589955]  dump_stack+0x1b2/0x283
[   40.593584]  ? mounts_poll+0x190/0x190
[   40.597458]  print_address_description.cold+0x54/0x1d3
[   40.602718]  ? mounts_poll+0x190/0x190
[   40.606859]  kasan_report_error.cold+0x8a/0x194
[   40.611521]  ? seq_release_private+0x10c/0x120
[   40.616096]  __asan_report_load8_noabort+0x68/0x70
[   40.621048]  ? seq_release_private+0x10c/0x120
[   40.625616]  seq_release_private+0x10c/0x120
[   40.630013]  __fput+0x25f/0x7a0
[   40.633275]  task_work_run+0x11f/0x190
[   40.637146]  exit_to_usermode_loop+0x1ad/0x200
[   40.641735]  do_syscall_64+0x4a3/0x640
[   40.645607]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[   40.650776] RIP: 0033:0x416f01
[   40.653960] RSP: 002b:00007ffd05b98a50 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
[   40.661658] RAX: 0000000000000000 RBX: 0000000000000004 RCX: 0000000000416f01
[   40.668914] RDX: 00000000000f4240 RSI: 0000000000000081 RDI: 0000000000000003
[   40.676172] RBP: 0000000000000000 R08: 0000000001190760 R09: 0000000000000000
[   40.683423] R10: 00007ffd05b98b30 R11: 0000000000000293 R12: 0000000001190768
[   40.691221] R13: 0000000000000000 R14: ffffffffffffffff R15: 000000000118cf4c
[   40.698476] 
[   40.700167] Allocated by task 7154:
[   40.703791]  kasan_kmalloc+0xeb/0x160
[   40.707569]  kmem_cache_alloc_trace+0x131/0x3d0
[   40.712215]  seq_open+0x7b/0x1f0
[   40.715568]  __seq_open_private+0x37/0xc0
[   40.719699]  seq_open_private+0x21/0x40
[   40.723746]  mounts_open_common+0x1d8/0x470
[   40.728057]  do_dentry_open+0x44b/0xec0
[   40.732017]  vfs_open+0x105/0x220
[   40.735445]  path_openat+0x628/0x2970
[   40.739232]  do_filp_open+0x179/0x3c0
[   40.743007]  do_sys_open+0x296/0x410
[   40.746695]  do_syscall_64+0x1d5/0x640
[   40.750559]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[   40.755727] 
[   40.757336] Freed by task 7154:
[   40.760605]  kasan_slab_free+0xc3/0x1a0
[   40.764562]  kfree+0xc9/0x250
[   40.767656]  seq_release_private+0xcd/0x120
[   40.771962]  __fput+0x25f/0x7a0
[   40.775218]  task_work_run+0x11f/0x190
[   40.779093]  exit_to_usermode_loop+0x1ad/0x200
[   40.783673]  do_syscall_64+0x4a3/0x640
[   40.787550]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[   40.792736] 
[   40.794345] The buggy address belongs to the object at ffff8880a01016c0
[   40.794345]  which belongs to the cache kmalloc-256 of size 256
[   40.807012] The buggy address is located 216 bytes inside of
[   40.807012]  256-byte region [ffff8880a01016c0, ffff8880a01017c0)
[   40.818865] The buggy address belongs to the page:
[   40.823796] page:ffffea0002804040 count:1 mapcount:0 mapping:ffff8880a0101080 index:0x0
[   40.831974] flags: 0xfffe0000000100(slab)
[   40.836134] raw: 00fffe0000000100 ffff8880a0101080 0000000000000000 000000010000000c
[   40.844001] raw: ffffea0002413c60 ffffea00028044e0 ffff88812fe527c0 0000000000000000
[   40.851875] page dumped because: kasan: bad access detected
[   40.857604] 
[   40.859244] Memory state around the buggy address:
[   40.864149]  ffff8880a0101680: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[   40.871584]  ffff8880a0101700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   40.878934] >ffff8880a0101780: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   40.886287]                             ^
[   40.890411]  ffff8880a0101800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   40.897746]  ffff8880a0101880: 00 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc
[   40.905084] ==================================================================
[   40.912415] Disabling lock debugging due to kernel taint
[   40.922709] Kernel panic - not syncing: panic_on_warn set ...
[   40.922709] 
[   40.930084] CPU: 1 PID: 7153 Comm: syz-executor.0 Tainted: G    B            4.14.196-syzkaller #0
[   40.939075] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   40.948401] Call Trace:
[   40.950965]  dump_stack+0x1b2/0x283
[   40.954565]  panic+0x1f9/0x42d
[   40.957737]  ? add_taint.cold+0x16/0x16
[   40.961693]  ? ___preempt_schedule+0x16/0x18
[   40.966076]  ? mounts_poll+0x190/0x190
[   40.969934]  kasan_end_report+0x43/0x49
[   40.974075]  kasan_report_error.cold+0xa7/0x194
[   40.978728]  ? seq_release_private+0x10c/0x120
[   40.983294]  __asan_report_load8_noabort+0x68/0x70
[   40.988215]  ? seq_release_private+0x10c/0x120
[   40.992834]  seq_release_private+0x10c/0x120
[   40.997221]  __fput+0x25f/0x7a0
[   41.000480]  task_work_run+0x11f/0x190
[   41.004364]  exit_to_usermode_loop+0x1ad/0x200
[   41.009009]  do_syscall_64+0x4a3/0x640
[   41.012886]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[   41.018046] RIP: 0033:0x416f01
[   41.021208] RSP: 002b:00007ffd05b98a50 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
[   41.028887] RAX: 0000000000000000 RBX: 0000000000000004 RCX: 0000000000416f01
[   41.036575] RDX: 00000000000f4240 RSI: 0000000000000081 RDI: 0000000000000003
[   41.043817] RBP: 0000000000000000 R08: 0000000001190760 R09: 0000000000000000
[   41.051319] R10: 00007ffd05b98b30 R11: 0000000000000293 R12: 0000000001190768
[   41.058560] R13: 0000000000000000 R14: ffffffffffffffff R15: 000000000118cf4c
[   41.067148] Kernel Offset: disabled
[   41.070767] Rebooting in 86400 seconds..