[ ok ] Starting enhanced syslogd: rsyslogd.
[ 64.491088][ T27] audit: type=1800 audit(1563506684.665:25): pid=8927 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="cron" dev="sda1" ino=2414 res=0
[ 64.519893][ T27] audit: type=1800 audit(1563506684.665:26): pid=8927 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0
[ 64.588445][ T27] audit: type=1800 audit(1563506684.665:27): pid=8927 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.244' (ECDSA) to the list of known hosts.
2019/07/19 03:31:23 parsed 1 programs
2019/07/19 03:31:25 executed programs: 0

syzkaller login:
[ 465.538250][ T9094] IPVS: ftp: loaded support on port[0] = 21
[ 465.603303][ T9094] chnl_net:caif_netlink_parms(): no params data found
[ 465.631961][ T9094] bridge0: port 1(bridge_slave_0) entered blocking state
[ 465.640201][ T9094] bridge0: port 1(bridge_slave_0) entered disabled state
[ 465.648761][ T9094] device bridge_slave_0 entered promiscuous mode
[ 465.656994][ T9094] bridge0: port 2(bridge_slave_1) entered blocking state
[ 465.664254][ T9094] bridge0: port 2(bridge_slave_1) entered disabled state
[ 465.671997][ T9094] device bridge_slave_1 entered promiscuous mode
[ 465.689823][ T9094] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 465.701222][ T9094] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 465.720303][ T9094] team0: Port device team_slave_0 added
[ 465.727605][ T9094] team0: Port device team_slave_1 added
[ 465.790445][ T9094] device hsr_slave_0 entered promiscuous mode
[ 465.828252][ T9094] device hsr_slave_1 entered promiscuous mode
[ 465.876280][ T9094] bridge0: port 2(bridge_slave_1) entered blocking state
[ 465.883451][ T9094] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 465.891252][ T9094] bridge0: port 1(bridge_slave_0) entered blocking state
[ 465.898477][ T9094] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 465.934342][ T9094] 8021q: adding VLAN 0 to HW filter on device bond0
[ 465.948969][ T9096] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 465.969903][ T9096] bridge0: port 1(bridge_slave_0) entered disabled state
[ 465.978598][ T9096] bridge0: port 2(bridge_slave_1) entered disabled state
[ 465.986682][ T9096] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 465.999699][ T9094] 8021q: adding VLAN 0 to HW filter on device team0
[ 466.011448][ T3506] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 466.020401][ T3506] bridge0: port 1(bridge_slave_0) entered blocking state
[ 466.027611][ T3506] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 466.039410][ T9096] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 466.048456][ T9096] bridge0: port 2(bridge_slave_1) entered blocking state
[ 466.055530][ T9096] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 466.072073][ T3506] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 466.082798][ T3506] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 466.100310][ T9094] hsr0: Slave A (hsr_slave_0) is not up; please bring it up to get a fully working HSR network
[ 466.111342][ T9094] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
[ 466.124279][ T9096] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 466.133188][ T9096] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 466.142068][ T9096] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 466.150735][ T9096] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 466.172144][ T9094] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 466.929095][ T9094] BUG: Bad rss-counter state mm:000000008aba76df idx:1 val:10
[ 466.929179][ T9109] ==================================================================
[ 466.936604][ T9094] BUG: non-zero pgtables_bytes on freeing mm: 69632
[ 466.951378][ T9109] BUG: KASAN: use-after-free in unmap_page_range+0x1e1c/0x2170
[ 466.959013][ T9109] Read of size 8 at addr ffff888089ee4550 by task syz-executor.0/9109
[ 466.967370][ T9109]
[ 466.969704][ T9109] CPU: 1 PID: 9109 Comm: syz-executor.0 Not tainted 5.2.0+ #87
[ 466.977236][ T9109] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 466.987286][ T9109] Call Trace:
[ 466.990668][ T9109]  dump_stack+0x172/0x1f0
[ 466.994995][ T9109]  ? unmap_page_range+0x1e1c/0x2170
[ 467.000462][ T9109]  print_address_description.cold+0xd4/0x306
[ 467.006431][ T9109]  ? unmap_page_range+0x1e1c/0x2170
[ 467.011619][ T9109]  ? unmap_page_range+0x1e1c/0x2170
[ 467.016836][ T9109]  __kasan_report.cold+0x1b/0x36
[ 467.021803][ T9109]  ? unmap_page_range+0x1e1c/0x2170
[ 467.027096][ T9109]  kasan_report+0x12/0x17
[ 467.031418][ T9109]  __asan_report_load8_noabort+0x14/0x20
[ 467.037246][ T9109]  unmap_page_range+0x1e1c/0x2170
[ 467.043014][ T9109]  ? vm_normal_page_pmd+0x510/0x510
[ 467.048920][ T9109]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 467.055158][ T9109]  ? uprobe_munmap+0xad/0x320
[ 467.059827][ T9109]  unmap_single_vma+0x19d/0x300
[ 467.064669][ T9109]  unmap_vmas+0x135/0x280
[ 467.068993][ T9109]  ? zap_vma_ptes+0x110/0x110
[ 467.073665][ T9109]  ? pagevec_lru_move_fn+0x215/0x2a0
[ 467.078940][ T9109]  ? __kasan_check_write+0x14/0x20
[ 467.084052][ T9109]  exit_mmap+0x2ba/0x530
[ 467.088332][ T9109]  ? __ia32_sys_munmap+0x80/0x80
[ 467.093272][ T9109]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[ 467.099508][ T9109]  ? __khugepaged_exit+0xcf/0x410
[ 467.104521][ T9109]  mmput+0x179/0x4d0
[ 467.108408][ T9109]  do_exit+0x84e/0x2ea0
[ 467.112755][ T9109]  ? mm_update_next_owner+0x640/0x640
[ 467.118146][ T9109]  ? lock_downgrade+0x920/0x920
[ 467.123006][ T9109]  ? _raw_spin_unlock_irq+0x28/0x90
[ 467.128197][ T9109]  ? get_signal+0x392/0x2500
[ 467.132783][ T9109]  ? _raw_spin_unlock_irq+0x28/0x90
[ 467.137974][ T9109]  do_group_exit+0x135/0x360
[ 467.142555][ T9109]  get_signal+0x47c/0x2500
[ 467.146965][ T9109]  ? do_vfs_ioctl+0x120/0x1380
[ 467.151823][ T9109]  do_signal+0x87/0x1670
[ 467.156122][ T9109]  ? __fget+0x384/0x560
[ 467.160340][ T9109]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 467.166573][ T9109]  ? setup_sigcontext+0x7d0/0x7d0
[ 467.171583][ T9109]  ? kick_process+0xef/0x180
[ 467.176283][ T9109]  ? exit_to_usermode_loop+0x43/0x380
[ 467.181733][ T9109]  ? do_syscall_64+0x5a9/0x6a0
[ 467.186673][ T9109]  ? exit_to_usermode_loop+0x43/0x380
[ 467.192227][ T9109]  ? lockdep_hardirqs_on+0x418/0x5d0
[ 467.197510][ T9109]  ? trace_hardirqs_on+0x67/0x240
[ 467.202531][ T9109]  exit_to_usermode_loop+0x286/0x380
[ 467.207804][ T9109]  do_syscall_64+0x5a9/0x6a0
[ 467.212385][ T9109]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 467.218254][ T9109] RIP: 0033:0x459819
[ 467.222134][ T9109] Code: fd b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 467.241823][ T9109] RSP: 002b:00007f04fe1a2c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 467.250219][ T9109] RAX: 0000000000000000 RBX: 0000000000000003 RCX: 0000000000459819
[ 467.258185][ T9109] RDX: 00000000200023c0 RSI: 000000004028af11 RDI: 0000000000000003
[ 467.266151][ T9109] RBP: 000000000075bfc8 R08: 0000000000000000 R09: 0000000000000000
[ 467.274853][ T9109] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f04fe1a36d4
[ 467.282816][ T9109] R13: 00000000004c4722 R14: 00000000004d87d0 R15: 00000000ffffffff
[ 467.290948][ T9109]
[ 467.293268][ T9109] The buggy address belongs to the page:
[ 467.298894][ T9109] page:ffffea000227b900 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0
[ 467.308523][ T9109] flags: 0x1fffc0000000000()
[ 467.313106][ T9109] raw: 01fffc0000000000 ffffea00021b9608 ffffea0002852588 0000000000000000
[ 467.321805][ T9109] raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
[ 467.330409][ T9109] page dumped because: kasan: bad access detected
[ 467.336805][ T9109]
[ 467.339122][ T9109] Memory state around the buggy address:
[ 467.344898][ T9109]  ffff888089ee4400: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 467.353133][ T9109]  ffff888089ee4480: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 467.361193][ T9109] >ffff888089ee4500: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 467.369247][ T9109]                                               ^
[ 467.375921][ T9109]  ffff888089ee4580: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 467.383973][ T9109]  ffff888089ee4600: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 467.392113][ T9109] ==================================================================
[ 467.400220][ T9109] Disabling lock debugging due to kernel taint
[ 467.409768][ T9109] Kernel panic - not syncing: panic_on_warn set ...
[ 467.416369][ T9109] CPU: 1 PID: 9109 Comm: syz-executor.0 Tainted: G B 5.2.0+ #87
[ 467.425398][ T9109] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 467.435581][ T9109] Call Trace:
[ 467.438906][ T9109]  dump_stack+0x172/0x1f0
[ 467.443225][ T9109]  panic+0x2dc/0x755
[ 467.447115][ T9109]  ? add_taint.cold+0x16/0x16
[ 467.451778][ T9109]  ? unmap_page_range+0x1e1c/0x2170
[ 467.456967][ T9109]  ? preempt_schedule+0x4b/0x60
[ 467.461811][ T9109]  ? ___preempt_schedule+0x16/0x18
[ 467.467078][ T9109]  ? trace_hardirqs_on+0x5e/0x240
[ 467.472133][ T9109]  ? unmap_page_range+0x1e1c/0x2170
[ 467.477315][ T9109]  end_report+0x47/0x4f
[ 467.481451][ T9109]  ? unmap_page_range+0x1e1c/0x2170
[ 467.486627][ T9109]  __kasan_report.cold+0xe/0x36
[ 467.491564][ T9109]  ? unmap_page_range+0x1e1c/0x2170
[ 467.496767][ T9109]  kasan_report+0x12/0x17
[ 467.501098][ T9109]  __asan_report_load8_noabort+0x14/0x20
[ 467.506735][ T9109]  unmap_page_range+0x1e1c/0x2170
[ 467.511897][ T9109]  ? vm_normal_page_pmd+0x510/0x510
[ 467.517085][ T9109]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 467.523314][ T9109]  ? uprobe_munmap+0xad/0x320
[ 467.527973][ T9109]  unmap_single_vma+0x19d/0x300
[ 467.533002][ T9109]  unmap_vmas+0x135/0x280
[ 467.537320][ T9109]  ? zap_vma_ptes+0x110/0x110
[ 467.541981][ T9109]  ? pagevec_lru_move_fn+0x215/0x2a0
[ 467.547256][ T9109]  ? __kasan_check_write+0x14/0x20
[ 467.552353][ T9109]  exit_mmap+0x2ba/0x530
[ 467.556781][ T9109]  ? __ia32_sys_munmap+0x80/0x80
[ 467.561713][ T9109]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[ 467.567949][ T9109]  ? __khugepaged_exit+0xcf/0x410
[ 467.573057][ T9109]  mmput+0x179/0x4d0
[ 467.576950][ T9109]  do_exit+0x84e/0x2ea0
[ 467.581108][ T9109]  ? mm_update_next_owner+0x640/0x640
[ 467.586471][ T9109]  ? lock_downgrade+0x920/0x920
[ 467.591312][ T9109]  ? _raw_spin_unlock_irq+0x28/0x90
[ 467.596491][ T9109]  ? get_signal+0x392/0x2500
[ 467.601061][ T9109]  ? _raw_spin_unlock_irq+0x28/0x90
[ 467.606246][ T9109]  do_group_exit+0x135/0x360
[ 467.610976][ T9109]  get_signal+0x47c/0x2500
[ 467.615395][ T9109]  ? do_vfs_ioctl+0x120/0x1380
[ 467.620143][ T9109]  do_signal+0x87/0x1670
[ 467.624379][ T9109]  ? __fget+0x384/0x560
[ 467.628635][ T9109]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 467.634866][ T9109]  ? setup_sigcontext+0x7d0/0x7d0
[ 467.640158][ T9109]  ? kick_process+0xef/0x180
[ 467.644760][ T9109]  ? exit_to_usermode_loop+0x43/0x380
[ 467.650177][ T9109]  ? do_syscall_64+0x5a9/0x6a0
[ 467.654935][ T9109]  ? exit_to_usermode_loop+0x43/0x380
[ 467.660310][ T9109]  ? lockdep_hardirqs_on+0x418/0x5d0
[ 467.665618][ T9109]  ? trace_hardirqs_on+0x67/0x240
[ 467.670642][ T9109]  exit_to_usermode_loop+0x286/0x380
[ 467.675928][ T9109]  do_syscall_64+0x5a9/0x6a0
[ 467.680516][ T9109]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 467.686612][ T9109] RIP: 0033:0x459819
[ 467.690576][ T9109] Code: fd b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 467.710276][ T9109] RSP: 002b:00007f04fe1a2c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 467.718881][ T9109] RAX: 0000000000000000 RBX: 0000000000000003 RCX: 0000000000459819
[ 467.726841][ T9109] RDX: 00000000200023c0 RSI: 000000004028af11 RDI: 0000000000000003
[ 467.734800][ T9109] RBP: 000000000075bfc8 R08: 0000000000000000 R09: 0000000000000000
[ 467.742936][ T9109] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f04fe1a36d4
[ 467.750994][ T9109] R13: 00000000004c4722 R14: 00000000004d87d0 R15: 00000000ffffffff
[ 467.760146][ T9109] Kernel Offset: disabled
[ 467.764475][ T9109] Rebooting in 86400 seconds..