[ ok ] Starting enhanced syslogd: rsyslogd.
[ 58.663180][ T27] audit: type=1800 audit(1581195388.021:25): pid=8801 uid=0 auid=4294967295 ses=4294967295 subj=_ op=collect_data cause=failed(directio) comm="startpar" name="cron" dev="sda1" ino=2414 res=0
[ 58.682214][ T27] audit: type=1800 audit(1581195388.031:26): pid=8801 uid=0 auid=4294967295 ses=4294967295 subj=_ op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0
[ 58.738395][ T27] audit: type=1800 audit(1581195388.031:27): pid=8801 uid=0 auid=4294967295 ses=4294967295 subj=_ op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.223' (ECDSA) to the list of known hosts.
2020/02/08 21:12:17 parsed 1 programs
2020/02/08 21:12:18 executed programs: 0
syzkaller login: [ 1009.256002][ T8970] IPVS: ftp: loaded support on port[0] = 21
[ 1009.318833][ T8970] chnl_net:caif_netlink_parms(): no params data found
[ 1009.351765][ T8970] bridge0: port 1(bridge_slave_0) entered blocking state
[ 1009.359121][ T8970] bridge0: port 1(bridge_slave_0) entered disabled state
[ 1009.367880][ T8970] device bridge_slave_0 entered promiscuous mode
[ 1009.376337][ T8970] bridge0: port 2(bridge_slave_1) entered blocking state
[ 1009.383571][ T8970] bridge0: port 2(bridge_slave_1) entered disabled state
[ 1009.391826][ T8970] device bridge_slave_1 entered promiscuous mode
[ 1009.407071][ T8970] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 1009.418131][ T8970] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 1009.435533][ T8970] team0: Port device team_slave_0 added
[ 1009.442701][ T8970] team0: Port device team_slave_1 added
[ 1009.455659][ T8970] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 1009.462646][ T8970] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 1009.489207][ T8970] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[ 1009.501518][ T8970] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 1009.508825][ T8970] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 1009.535250][ T8970] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[ 1009.566739][ T8970] device hsr_slave_0 entered promiscuous mode
[ 1009.634811][ T8970] device hsr_slave_1 entered promiscuous mode
[ 1009.738082][ T8970] netdevsim netdevsim0 netdevsim0: renamed from eth0
[ 1009.787172][ T8970] netdevsim netdevsim0 netdevsim1: renamed from eth1
[ 1009.856486][ T8970] netdevsim netdevsim0 netdevsim2: renamed from eth2
[ 1009.916685][ T8970] netdevsim netdevsim0 netdevsim3: renamed from eth3
[ 1009.975518][ T8970] bridge0: port 2(bridge_slave_1) entered blocking state
[ 1009.982902][ T8970] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 1009.990750][ T8970] bridge0: port 1(bridge_slave_0) entered blocking state
[ 1009.997919][ T8970] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 1010.036247][ T8970] 8021q: adding VLAN 0 to HW filter on device bond0
[ 1010.051863][ T8975] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 1010.062500][ T8975] bridge0: port 1(bridge_slave_0) entered disabled state
[ 1010.081163][ T8975] bridge0: port 2(bridge_slave_1) entered disabled state
[ 1010.090182][ T8975] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 1010.102222][ T8970] 8021q: adding VLAN 0 to HW filter on device team0
[ 1010.113123][ T8974] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 1010.122170][ T8974] bridge0: port 1(bridge_slave_0) entered blocking state
[ 1010.129472][ T8974] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 1010.146446][ T8977] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 1010.156017][ T8977] bridge0: port 2(bridge_slave_1) entered blocking state
[ 1010.163256][ T8977] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 1010.181599][ T8970] hsr0: Slave A (hsr_slave_0) is not up; please bring it up to get a fully working HSR network
[ 1010.192479][ T8970] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
[ 1010.205888][ T2903] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 1010.215094][ T2903] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 1010.223416][ T2903] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 1010.232625][ T2903] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 1010.241686][ T2903] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 1010.249463][ T2903] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 1010.265221][ T8977] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 1010.272704][ T8977] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 1010.286099][ T8970] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 1010.303637][ T2903] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 1010.322454][ T8970] device veth0_vlan entered promiscuous mode
[ 1010.330089][ T8975] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_vlan: link becomes ready
[ 1010.338773][ T8975] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 1010.349061][ T8975] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 1010.357457][ T8975] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 1010.368529][ T8970] device veth1_vlan entered promiscuous mode
[ 1010.387708][ T2903] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan0: link becomes ready
[ 1010.395905][ T2903] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan1: link becomes ready
[ 1010.403874][ T2903] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_macvtap: link becomes ready
[ 1010.413126][ T2903] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 1010.423593][ T8970] device veth0_macvtap entered promiscuous mode
[ 1010.433676][ T8970] device veth1_macvtap entered promiscuous mode
[ 1010.449443][ T8970] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 1010.457425][ T8975] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready
[ 1010.466386][ T8975] IPv6: ADDRCONF(NETDEV_CHANGE): macsec0: link becomes ready
[ 1010.474169][ T8975] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready
[ 1010.483093][ T8975] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 1010.493756][ T8970] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 1010.501654][ T8974] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready
[ 1010.511362][ T8974] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
2020/02/08 21:12:23 executed programs: 195
[ 1015.266908][ T9915] ==================================================================
[ 1015.275335][ T9915] BUG: KASAN: use-after-free in vgem_gem_dumb_create+0x178/0x320
[ 1015.283060][ T9915] Read of size 8 at addr ffff8880a7d37108 by task syz-executor.0/9915
[ 1015.291233][ T9915]
[ 1015.293558][ T9915] CPU: 1 PID: 9915 Comm: syz-executor.0 Not tainted 5.5.0-syzkaller #0
[ 1015.301779][ T9915] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 1015.311949][ T9915] Call Trace:
[ 1015.315398][ T9915]  dump_stack+0x1fb/0x318
[ 1015.319881][ T9915]  print_address_description+0x74/0x5c0
[ 1015.325582][ T9915]  ? vprintk_default+0x28/0x30
[ 1015.330355][ T9915]  ? vprintk_func+0x158/0x170
[ 1015.335201][ T9915]  ? printk+0x62/0x8d
[ 1015.339188][ T9915]  __kasan_report+0x149/0x1c0
[ 1015.344087][ T9915]  ? vgem_gem_dumb_create+0x178/0x320
[ 1015.349466][ T9915]  kasan_report+0x26/0x50
[ 1015.353857][ T9915]  __asan_report_load8_noabort+0x14/0x20
[ 1015.359485][ T9915]  vgem_gem_dumb_create+0x178/0x320
[ 1015.364758][ T9915]  drm_mode_create_dumb_ioctl+0x22e/0x2a0
[ 1015.370589][ T9915]  drm_ioctl_kernel+0x2cf/0x410
[ 1015.375450][ T9915]  ? drm_mode_create_dumb+0x2a0/0x2a0
[ 1015.381028][ T9915]  drm_ioctl+0x52f/0x890
[ 1015.385322][ T9915]  ? drm_mode_create_dumb+0x2a0/0x2a0
[ 1015.390763][ T9915]  ? do_vfs_ioctl+0x68f/0x1900
[ 1015.395612][ T9915]  ? tomoyo_file_ioctl+0x23/0x30
[ 1015.400557][ T9915]  ? drm_ioctl_kernel+0x410/0x410
[ 1015.405574][ T9915]  __se_sys_ioctl+0x113/0x190
[ 1015.410508][ T9915]  __x64_sys_ioctl+0x7b/0x90
[ 1015.415183][ T9915]  do_syscall_64+0xf7/0x1c0
[ 1015.419834][ T9915]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 1015.425765][ T9915] RIP: 0033:0x45b399
[ 1015.429664][ T9915] Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 1015.449542][ T9915] RSP: 002b:00007f8bdfeacc78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 1015.457943][ T9915] RAX: ffffffffffffffda RBX: 00007f8bdfead6d4 RCX: 000000000045b399
[ 1015.465898][ T9915] RDX: 0000000020000280 RSI: 00000000c02064b2 RDI: 0000000000000003
[ 1015.473866][ T9915] RBP: 000000000075bf20 R08: 0000000000000000 R09: 0000000000000000
[ 1015.481928][ T9915] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
[ 1015.489900][ T9915] R13: 0000000000000285 R14: 00000000004d1598 R15: 000000000075bf2c
[ 1015.497883][ T9915]
[ 1015.500199][ T9915] Allocated by task 9915:
[ 1015.504707][ T9915]  __kasan_kmalloc+0x118/0x1c0
[ 1015.509578][ T9915]  kasan_kmalloc+0x9/0x10
[ 1015.513900][ T9915]  kmem_cache_alloc_trace+0x221/0x2f0
[ 1015.519254][ T9915]  vgem_gem_dumb_create+0xd8/0x320
[ 1015.524490][ T9915]  drm_mode_create_dumb_ioctl+0x22e/0x2a0
[ 1015.530214][ T9915]  drm_ioctl_kernel+0x2cf/0x410
[ 1015.535050][ T9915]  drm_ioctl+0x52f/0x890
[ 1015.539301][ T9915]  __se_sys_ioctl+0x113/0x190
[ 1015.543972][ T9915]  __x64_sys_ioctl+0x7b/0x90
[ 1015.548564][ T9915]  do_syscall_64+0xf7/0x1c0
[ 1015.553066][ T9915]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 1015.558946][ T9915]
[ 1015.561276][ T9915] Freed by task 9915:
[ 1015.565510][ T9915]  __kasan_slab_free+0x12e/0x1e0
[ 1015.570470][ T9915]  kasan_slab_free+0xe/0x10
[ 1015.574964][ T9915]  kfree+0x10d/0x220
[ 1015.578864][ T9915]  vgem_gem_free_object+0xb5/0xc0
[ 1015.584317][ T9915]  drm_gem_object_put_unlocked+0x33a/0x4b0
[ 1015.590140][ T9915]  vgem_gem_dumb_create+0x265/0x320
[ 1015.595341][ T9915]  drm_mode_create_dumb_ioctl+0x22e/0x2a0
[ 1015.601158][ T9915]  drm_ioctl_kernel+0x2cf/0x410
[ 1015.606146][ T9915]  drm_ioctl+0x52f/0x890
[ 1015.610396][ T9915]  __se_sys_ioctl+0x113/0x190
[ 1015.615320][ T9915]  __x64_sys_ioctl+0x7b/0x90
[ 1015.619912][ T9915]  do_syscall_64+0xf7/0x1c0
[ 1015.624470][ T9915]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 1015.630368][ T9915]
[ 1015.632697][ T9915] The buggy address belongs to the object at ffff8880a7d37000
[ 1015.632697][ T9915]  which belongs to the cache kmalloc-1k of size 1024
[ 1015.646764][ T9915] The buggy address is located 264 bytes inside of
[ 1015.646764][ T9915]  1024-byte region [ffff8880a7d37000, ffff8880a7d37400)
[ 1015.660121][ T9915] The buggy address belongs to the page:
[ 1015.665984][ T9915] page:ffffea00029f4dc0 refcount:1 mapcount:0 mapping:ffff8880aa400c40 index:0x0
[ 1015.675085][ T9915] flags: 0xfffe0000000200(slab)
[ 1015.679957][ T9915] raw: 00fffe0000000200 ffffea00029e9648 ffffea0002434c48 ffff8880aa400c40
[ 1015.688864][ T9915] raw: 0000000000000000 ffff8880a7d37000 0000000100000002 0000000000000000
[ 1015.697590][ T9915] page dumped because: kasan: bad access detected
[ 1015.703989][ T9915]
[ 1015.706591][ T9915] Memory state around the buggy address:
[ 1015.712426][ T9915]  ffff8880a7d37000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1015.720488][ T9915]  ffff8880a7d37080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1015.728618][ T9915] >ffff8880a7d37100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1015.736695][ T9915]                       ^
[ 1015.741022][ T9915]  ffff8880a7d37180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1015.749082][ T9915]  ffff8880a7d37200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1015.757197][ T9915] ==================================================================
[ 1015.765377][ T9915] Disabling lock debugging due to kernel taint
[ 1015.774468][ T9915] Kernel panic - not syncing: panic_on_warn set ...
[ 1015.781190][ T9915] CPU: 1 PID: 9915 Comm: syz-executor.0 Tainted: G B 5.5.0-syzkaller #0
[ 1015.790867][ T9915] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 1015.801038][ T9915] Call Trace:
[ 1015.804326][ T9915]  dump_stack+0x1fb/0x318
[ 1015.808740][ T9915]  panic+0x264/0x7a9
[ 1015.812653][ T9915]  ? __kasan_report+0x193/0x1c0
[ 1015.817557][ T9915]  ? trace_hardirqs_on+0x34/0x80
[ 1015.822505][ T9915]  ? __kasan_report+0x193/0x1c0
[ 1015.827481][ T9915]  __kasan_report+0x1b9/0x1c0
[ 1015.832175][ T9915]  ? vgem_gem_dumb_create+0x178/0x320
[ 1015.837567][ T9915]  kasan_report+0x26/0x50
[ 1015.841883][ T9915]  __asan_report_load8_noabort+0x14/0x20
[ 1015.847599][ T9915]  vgem_gem_dumb_create+0x178/0x320
[ 1015.852793][ T9915]  drm_mode_create_dumb_ioctl+0x22e/0x2a0
[ 1015.858732][ T9915]  drm_ioctl_kernel+0x2cf/0x410
[ 1015.863583][ T9915]  ? drm_mode_create_dumb+0x2a0/0x2a0
[ 1015.868945][ T9915]  drm_ioctl+0x52f/0x890
[ 1015.873170][ T9915]  ? drm_mode_create_dumb+0x2a0/0x2a0
[ 1015.878640][ T9915]  ? do_vfs_ioctl+0x68f/0x1900
[ 1015.883403][ T9915]  ? tomoyo_file_ioctl+0x23/0x30
[ 1015.888465][ T9915]  ? drm_ioctl_kernel+0x410/0x410
[ 1015.893509][ T9915]  __se_sys_ioctl+0x113/0x190
[ 1015.898252][ T9915]  __x64_sys_ioctl+0x7b/0x90
[ 1015.902861][ T9915]  do_syscall_64+0xf7/0x1c0
[ 1015.907357][ T9915]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 1015.913366][ T9915] RIP: 0033:0x45b399
[ 1015.917274][ T9915] Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 1015.937093][ T9915] RSP: 002b:00007f8bdfeacc78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 1015.945505][ T9915] RAX: ffffffffffffffda RBX: 00007f8bdfead6d4 RCX: 000000000045b399
[ 1015.953483][ T9915] RDX: 0000000020000280 RSI: 00000000c02064b2 RDI: 0000000000000003
[ 1015.961579][ T9915] RBP: 000000000075bf20 R08: 0000000000000000 R09: 0000000000000000
[ 1015.969548][ T9915] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
[ 1015.977521][ T9915] R13: 0000000000000285 R14: 00000000004d1598 R15: 000000000075bf2c
[ 1015.987041][ T9915] Kernel Offset: disabled
[ 1015.991385][ T9915] Rebooting in 86400 seconds..
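The report above is what a triage script has to turn into a verdict: KASAN flags an 8-byte read at offset 264 of a freed kmalloc-1k object, and the allocation, the free (through drm_gem_object_put_unlocked, so the put dropped the last reference) and the bad read all sit in vgem_gem_dumb_create in the same task, under a single ioctl on fd 3. The register dump adds the entry point: ORIG_RAX 0x10 is the x86-64 ioctl syscall, and RSI 0xc02064b2 decodes to a DRM ('d') read/write ioctl, nr 0xB2, 32-byte argument, which is the DRM_IOCTL_MODE_CREATE_DUMB encoding and agrees with drm_mode_create_dumb_ioctl in the trace. The parser below is an added example, not syzkaller's or the kernel's code; it pulls those facts out of an excerpt of this report (copied from the log above, with the "? " frames KASAN marks unreliable omitted and some ioctl plumbing frames trimmed to keep the sample short), computes the offset into the object itself instead of trusting the printed line, and decodes the ioctl number using the asm-generic/ioctl.h field layout. The INFRA token list used to skip allocator and KASAN frames is an assumption of this script.

```python
"""Triage a KASAN report from a syzkaller console log (added example, not syzkaller code)."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Excerpt of the KASAN report in the log above; "? ..." frames and some ioctl plumbing omitted.
SAMPLE_LOG = """\
[ 1015.275335][ T9915] BUG: KASAN: use-after-free in vgem_gem_dumb_create+0x178/0x320
[ 1015.283060][ T9915] Read of size 8 at addr ffff8880a7d37108 by task syz-executor.0/9915
[ 1015.291233][ T9915]
[ 1015.293558][ T9915] CPU: 1 PID: 9915 Comm: syz-executor.0 Not tainted 5.5.0-syzkaller #0
[ 1015.311949][ T9915] Call Trace:
[ 1015.315398][ T9915]  dump_stack+0x1fb/0x318
[ 1015.359485][ T9915]  vgem_gem_dumb_create+0x178/0x320
[ 1015.364758][ T9915]  drm_mode_create_dumb_ioctl+0x22e/0x2a0
[ 1015.381028][ T9915]  drm_ioctl+0x52f/0x890
[ 1015.419834][ T9915]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 1015.449542][ T9915] RSP: 002b:00007f8bdfeacc78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 1015.465898][ T9915] RDX: 0000000020000280 RSI: 00000000c02064b2 RDI: 0000000000000003
[ 1015.497883][ T9915]
[ 1015.500199][ T9915] Allocated by task 9915:
[ 1015.504707][ T9915]  __kasan_kmalloc+0x118/0x1c0
[ 1015.513900][ T9915]  kmem_cache_alloc_trace+0x221/0x2f0
[ 1015.519254][ T9915]  vgem_gem_dumb_create+0xd8/0x320
[ 1015.524490][ T9915]  drm_mode_create_dumb_ioctl+0x22e/0x2a0
[ 1015.558946][ T9915]
[ 1015.561276][ T9915] Freed by task 9915:
[ 1015.565510][ T9915]  __kasan_slab_free+0x12e/0x1e0
[ 1015.574964][ T9915]  kfree+0x10d/0x220
[ 1015.578864][ T9915]  vgem_gem_free_object+0xb5/0xc0
[ 1015.584317][ T9915]  drm_gem_object_put_unlocked+0x33a/0x4b0
[ 1015.590140][ T9915]  vgem_gem_dumb_create+0x265/0x320
[ 1015.595341][ T9915]  drm_mode_create_dumb_ioctl+0x22e/0x2a0
[ 1015.630368][ T9915]
[ 1015.632697][ T9915] The buggy address belongs to the object at ffff8880a7d37000
[ 1015.632697][ T9915]  which belongs to the cache kmalloc-1k of size 1024
"""

PREFIX = re.compile(r"^\[\s*\d+\.\d+\]\[\s*T\d+\]\s?")      # "[ 1015.275335][ T9915] "
FRAME = re.compile(r"^\s*(\S+\+0x[0-9a-f]+/0x[0-9a-f]+)$")   # "func+0xoff/0xlen"
INFRA = ("kasan", "kmalloc", "kmem_cache", "kfree", "dump_stack")  # assumed noise frames


@dataclass
class KasanReport:
    bug: str = ""
    site: str = ""          # function+offset of the bad access
    access: str = ""
    size: int = 0
    addr: int = 0
    pid: int = 0
    kernel: str = ""
    cache: str = ""
    obj_base: int = 0
    obj_size: int = 0
    syscall_nr: int = -1
    ioctl_cmd: int = -1
    stacks: dict[str, list[str]] = field(default_factory=dict)
    tasks: dict[str, int] = field(default_factory=dict)

    @property
    def func(self) -> str:
        return self.site.split("+")[0]

    @property
    def offset(self) -> int:
        return self.addr - self.obj_base

    def driver_path(self, which: str) -> list[str]:
        """Frames of one stack from the allocator/KASAN boundary up to the faulting function."""
        out: list[str] = []
        for f in self.stacks.get(which, []):
            if any(tok in f for tok in INFRA):
                continue
            out.append(f)
            if f.split("+")[0] == self.func:
                break
        return out


def parse_kasan(log: str) -> KasanReport:
    r, section = KasanReport(), None
    for raw in log.splitlines():
        line = PREFIX.sub("", raw).rstrip()
        if m := re.match(r"BUG: KASAN: (\S+) in (\S+)", line):
            r.bug, r.site = m[1], m[2]
        elif m := re.match(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task \S+/(\d+)", line):
            r.access, r.size, r.addr, r.pid = m[1], int(m[2]), int(m[3], 16), int(m[4])
        elif m := re.search(r"(?:Not tainted|Tainted: .*?) (\S+) #\d+", line):
            r.kernel = m[1]
        elif line.startswith("Call Trace:"):
            section, r.stacks["access"] = "access", []
        elif m := re.match(r"(Allocated|Freed) by task (\d+):", line):
            section = m[1].lower()
            r.stacks[section], r.tasks[section] = [], int(m[2])
        elif m := re.search(r"ORIG_RAX: ([0-9a-f]+)", line):
            r.syscall_nr = int(m[1], 16)
        elif m := re.search(r"\bRSI: ([0-9a-f]+)", line):
            r.ioctl_cmd = int(m[1], 16)
        elif m := re.search(r"belongs to the object at ([0-9a-f]+)", line):
            r.obj_base = int(m[1], 16)
        elif m := re.search(r"belongs to the cache (\S+) of size (\d+)", line):
            r.cache, r.obj_size = m[1], int(m[2])
        elif section and (m := FRAME.match(line)):
            r.stacks[section].append(m[1])
        elif not line:          # blank line ends the current stack section
            section = None
    return r


def decode_ioctl(cmd: int) -> tuple[str, int, int, int]:
    """Split a Linux _IOC() number into (type char, nr, size, dir) per asm-generic/ioctl.h."""
    return chr((cmd >> 8) & 0xFF), cmd & 0xFF, (cmd >> 16) & 0x3FFF, cmd >> 30


def triage(r: KasanReport) -> dict:
    return {
        "bug": r.bug,
        "kernel": r.kernel,
        "access": f"{r.access} {r.size}B at {r.site}, offset {r.offset} of {r.obj_size}B {r.cache}",
        "in_object": 0 <= r.offset < r.obj_size,       # recomputed, not read from the report
        "alloc_path": r.driver_path("allocated"),
        "free_path": r.driver_path("freed"),
        "same_task": all(t == r.pid for t in r.tasks.values()),
        "syscall_nr": r.syscall_nr,                     # 16 == ioctl on x86-64
        "ioctl": decode_ioctl(r.ioctl_cmd),             # ('d', 0xb2, 0x20, 3): DRM_IOWR(0xB2, 32-byte arg)
    }


if __name__ == "__main__":
    for key, val in triage(parse_kasan(SAMPLE_LOG)).items():
        print(f"{key:>10}: {val}")
```

The free_path result is the part worth reading first: the object is released through drm_gem_object_put_unlocked called from vgem_gem_dumb_create itself, and the same function then dereferences it, so the bug is in the ioctl handler's own reference handling rather than in a later, unrelated user of the object. Rerun the script on a different syzkaller report to compare the paths; the shape of the free_path tells you whether a fix belongs in the handler or in the object's lifetime rules.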