[ OK ] Reached target Graphical Interface.
       Starting Update UTMP about System Runlevel Changes...
[ OK ] Started Update UTMP about System Runlevel Changes.
       Starting Load/Save RF Kill Switch Status...
[ OK ] Started Load/Save RF Kill Switch Status.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.0.120' (ECDSA) to the list of known hosts.
2020/09/08 00:29:51 parsed 1 programs
2020/09/08 00:29:51 executed programs: 0
syzkaller login: [ 150.149797] audit: type=1400 audit(1599524991.437:8): avc: denied { execmem } for pid=6480 comm="syz-executor.0" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=1
[ 151.258220] IPVS: ftp: loaded support on port[0] = 21
[ 151.367594] chnl_net:caif_netlink_parms(): no params data found
[ 151.465201] bridge0: port 1(bridge_slave_0) entered blocking state
[ 151.472082] bridge0: port 1(bridge_slave_0) entered disabled state
[ 151.479177] device bridge_slave_0 entered promiscuous mode
[ 151.487514] bridge0: port 2(bridge_slave_1) entered blocking state
[ 151.494208] bridge0: port 2(bridge_slave_1) entered disabled state
[ 151.501996] device bridge_slave_1 entered promiscuous mode
[ 151.519357] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 151.528473] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 151.548577] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 151.556523] team0: Port device team_slave_0 added
[ 151.562540] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 151.569803] team0: Port device team_slave_1 added
[ 151.585627] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 151.591919] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 151.617991] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[ 151.629738] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 151.636221] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 151.661574] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[ 151.672550] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[ 151.679915] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[ 151.699665] device hsr_slave_0 entered promiscuous mode
[ 151.705477] device hsr_slave_1 entered promiscuous mode
[ 151.712054] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready
[ 151.719147] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_1: link is not ready
[ 151.782305] bridge0: port 2(bridge_slave_1) entered blocking state
[ 151.788710] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 151.795727] bridge0: port 1(bridge_slave_0) entered blocking state
[ 151.802132] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 151.834792] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[ 151.842155] 8021q: adding VLAN 0 to HW filter on device bond0
[ 151.850009] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 151.859710] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 151.870604] bridge0: port 1(bridge_slave_0) entered disabled state
[ 151.877682] bridge0: port 2(bridge_slave_1) entered disabled state
[ 151.884960] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 151.895556] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready
[ 151.902806] 8021q: adding VLAN 0 to HW filter on device team0
[ 151.911875] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 151.919473] bridge0: port 1(bridge_slave_0) entered blocking state
[ 151.925889] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 151.942175] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 151.949973] bridge0: port 2(bridge_slave_1) entered blocking state
[ 151.956376] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 151.965376] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 151.974847] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 151.984157] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 151.997250] hsr0: Slave A (hsr_slave_0) is not up; please bring it up to get a fully working HSR network
[ 152.007974] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
[ 152.019220] IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready
[ 152.026383] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 152.034379] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 152.042579] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 152.055356] IPv6: ADDRCONF(NETDEV_UP): vxcan0: link is not ready
[ 152.062622] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 152.069251] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 152.081494] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 152.093939] IPv6: ADDRCONF(NETDEV_UP): veth0_virt_wifi: link is not ready
[ 152.103729] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 152.138155] IPv6: ADDRCONF(NETDEV_UP): veth0_vlan: link is not ready
[ 152.146234] IPv6: ADDRCONF(NETDEV_UP): vlan0: link is not ready
[ 152.153836] IPv6: ADDRCONF(NETDEV_UP): vlan1: link is not ready
[ 152.163705] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 152.171436] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 152.178270] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 152.188273] device veth0_vlan entered promiscuous mode
[ 152.197226] device veth1_vlan entered promiscuous mode
[ 152.203479] IPv6: ADDRCONF(NETDEV_UP): macvlan0: link is not ready
[ 152.213139] IPv6: ADDRCONF(NETDEV_UP): macvlan1: link is not ready
[ 152.224432] IPv6: ADDRCONF(NETDEV_UP): veth0_macvtap: link is not ready
[ 152.233780] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan0: link becomes ready
[ 152.241557] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan1: link becomes ready
[ 152.248809] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 152.258304] device veth0_macvtap entered promiscuous mode
[ 152.264895] IPv6: ADDRCONF(NETDEV_UP): macvtap0: link is not ready
[ 152.273184] device veth1_macvtap entered promiscuous mode
[ 152.282179] IPv6: ADDRCONF(NETDEV_UP): veth0_to_batadv: link is not ready
[ 152.291471] IPv6: ADDRCONF(NETDEV_UP): veth1_to_batadv: link is not ready
[ 152.302111] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 152.309161] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 152.318210] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready
[ 152.328295] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 152.335074] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 153.302806] Bluetooth: hci0: command 0x0409 tx timeout
2020/09/08 00:29:56 executed programs: 138
[ 155.371245] Bluetooth: hci0: command 0x041b tx timeout
[ 157.450274] Bluetooth: hci0: command 0x040f tx timeout
[ 159.540077] Bluetooth: hci0: command 0x0419 tx timeout
2020/09/08 00:30:01 executed programs: 605
[ 162.771721] ==================================================================
[ 162.779452] BUG: KASAN: use-after-free in seq_release_private+0x117/0x120
[ 162.786412] Read of size 8 at addr ffff88809e9321f8 by task syz-executor.0/9416
[ 162.793838]
[ 162.795491] CPU: 0 PID: 9416 Comm: syz-executor.0 Not tainted 4.19.143-syzkaller #0
[ 162.803270] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 162.812610] Call Trace:
[ 162.815258]  dump_stack+0x1fc/0x2fe
[ 162.818961]  ? mounts_poll+0x1a0/0x1a0
[ 162.822842]  print_address_description.cold+0x54/0x219
[ 162.828111]  ? mounts_poll+0x1a0/0x1a0
[ 162.831999]  kasan_report_error.cold+0x8a/0x1c7
[ 162.836650]  ? seq_release_private+0x117/0x120
[ 162.841213]  __asan_report_load8_noabort+0x88/0x90
[ 162.846130]  ? seq_release_private+0x117/0x120
[ 162.850695]  seq_release_private+0x117/0x120
[ 162.855096]  __fput+0x2ce/0x890
[ 162.858372]  task_work_run+0x148/0x1c0
[ 162.862254]  exit_to_usermode_loop+0x251/0x2a0
[ 162.866827]  do_syscall_64+0x538/0x620
[ 162.870771]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 162.876000] RIP: 0033:0x45d5b9
[ 162.879258] Code: 5d b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 2b b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 162.898392] RSP: 002b:00007f0c9e4a6c78 EFLAGS: 00000246 ORIG_RAX: 00000000000000e9
[ 162.906171] RAX: 0000000000000000 RBX: 0000000000002ac0 RCX: 000000000045d5b9
[ 162.913424] RDX: 0000000000000005 RSI: 0000000000000001 RDI: 0000000000000006
[ 162.920868] RBP: 000000000118cf88 R08: 0000000000000000 R09: 0000000000000000
[ 162.928118] R10: 000000002050aff4 R11: 0000000000000246 R12: 000000000118cf4c
[ 162.935386] R13: 00007ffc8ebcf2cf R14: 00007f0c9e4a79c0 R15: 000000000118cf4c
[ 162.942666]
[ 162.944282] Allocated by task 9416:
[ 162.948009]  kmem_cache_alloc+0x122/0x370
[ 162.952162]  seq_open+0x57/0x1a0
[ 162.955510]  __seq_open_private+0x37/0xd0
[ 162.959636]  seq_open_private+0x21/0x40
[ 162.963608]  mounts_open_common+0x21e/0x520
[ 162.967909]  do_dentry_open+0x4aa/0x1160
[ 162.971971]  path_openat+0x793/0x2df0
[ 162.975751]  do_filp_open+0x18c/0x3f0
[ 162.979531]  do_sys_open+0x3b3/0x520
[ 162.983313]  do_syscall_64+0xf9/0x620
[ 162.987118]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 162.992298]
[ 162.994005] Freed by task 9415:
[ 162.997265]  kmem_cache_free+0x7f/0x260
[ 163.001673]  seq_release_private+0xd8/0x120
[ 163.005990]  __fput+0x2ce/0x890
[ 163.009354]  task_work_run+0x148/0x1c0
[ 163.013285]  exit_to_usermode_loop+0x251/0x2a0
[ 163.018350]  do_syscall_64+0x538/0x620
[ 163.022348]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 163.027796]
[ 163.029415] The buggy address belongs to the object at ffff88809e932120
[ 163.029415]  which belongs to the cache seq_file of size 224
[ 163.041841] The buggy address is located 216 bytes inside of
[ 163.041841]  224-byte region [ffff88809e932120, ffff88809e932200)
[ 163.053796] The buggy address belongs to the page:
[ 163.058727] page:ffffea00027a4c80 count:1 mapcount:0 mapping:ffff8880aa00a6c0 index:0xffff88809e932000
[ 163.068523] flags: 0xfffe0000000100(slab)
[ 163.072682] raw: 00fffe0000000100 ffffea00027cac88 ffffea00027abe08 ffff8880aa00a6c0
[ 163.080633] raw: ffff88809e932000 ffff88809e932000 0000000100000008 0000000000000000
[ 163.088493] page dumped because: kasan: bad access detected
[ 163.094190]
[ 163.096142] Memory state around the buggy address:
[ 163.101573]  ffff88809e932080: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[ 163.109154]  ffff88809e932100: fc fc fc fc fb fb fb fb fb fb fb fb fb fb fb fb
[ 163.116494] >ffff88809e932180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 163.123863]                                                                 ^
[ 163.131131]  ffff88809e932200: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 163.138469]  ffff88809e932280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 163.145820] ==================================================================
[ 163.153174] Disabling lock debugging due to kernel taint
[ 163.161299] Kernel panic - not syncing: panic_on_warn set ...
[ 163.161299]
[ 163.168678] CPU: 0 PID: 9416 Comm: syz-executor.0 Tainted: G    B             4.19.143-syzkaller #0
[ 163.177855] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 163.187198] Call Trace:
[ 163.189769]  dump_stack+0x1fc/0x2fe
[ 163.193380]  panic+0x26a/0x50e
[ 163.196563]  ? __warn_printk+0xf3/0xf3
[ 163.200429]  ? preempt_schedule_common+0x45/0xc0
[ 163.205166]  ? ___preempt_schedule+0x16/0x18
[ 163.209556]  ? trace_hardirqs_on+0x55/0x210
[ 163.213857]  ? mounts_poll+0x1a0/0x1a0
[ 163.217725]  kasan_end_report+0x43/0x49
[ 163.221680]  kasan_report_error.cold+0xa7/0x1c7
[ 163.226330]  ? seq_release_private+0x117/0x120
[ 163.230895]  __asan_report_load8_noabort+0x88/0x90
[ 163.235823]  ? seq_release_private+0x117/0x120
[ 163.240411]  seq_release_private+0x117/0x120
[ 163.244807]  __fput+0x2ce/0x890
[ 163.248070]  task_work_run+0x148/0x1c0
[ 163.251962]  exit_to_usermode_loop+0x251/0x2a0
[ 163.256681]  do_syscall_64+0x538/0x620
[ 163.260669]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 163.265874] RIP: 0033:0x45d5b9
[ 163.269074] Code: 5d b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 2b b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 163.287962] RSP: 002b:00007f0c9e4a6c78 EFLAGS: 00000246 ORIG_RAX: 00000000000000e9
[ 163.295700] RAX: 0000000000000000 RBX: 0000000000002ac0 RCX: 000000000045d5b9
[ 163.302955] RDX: 0000000000000005 RSI: 0000000000000001 RDI: 0000000000000006
[ 163.310220] RBP: 000000000118cf88 R08: 0000000000000000 R09: 0000000000000000
[ 163.317476] R10: 000000002050aff4 R11: 0000000000000246 R12: 000000000118cf4c
[ 163.324729] R13: 00007ffc8ebcf2cf R14: 00007f0c9e4a79c0 R15: 000000000118cf4c
[ 163.333549] Kernel Offset: disabled
[ 163.337167] Rebooting in 86400 seconds..