[ ok ] Starting enhanced syslogd: rsyslogd.
[   44.774273][   T26] audit: type=1800 audit(1563500618.486:25): pid=8051 uid=0 auid=4294967295 ses=4294967295 subj=_ op=collect_data cause=failed(directio) comm="startpar" name="cron" dev="sda1" ino=2414 res=0
[   44.794777][   T26] audit: type=1800 audit(1563500618.486:26): pid=8051 uid=0 auid=4294967295 ses=4294967295 subj=_ op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0
[   44.839707][   T26] audit: type=1800 audit(1563500618.486:27): pid=8051 uid=0 auid=4294967295 ses=4294967295 subj=_ op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.223' (ECDSA) to the list of known hosts.
2019/07/19 01:43:49 parsed 1 programs
2019/07/19 01:43:51 executed programs: 0
syzkaller login: [   57.777984][ T8218] IPVS: ftp: loaded support on port[0] = 21
[   57.830755][ T8218] chnl_net:caif_netlink_parms(): no params data found
[   57.854792][ T8218] bridge0: port 1(bridge_slave_0) entered blocking state
[   57.863135][ T8218] bridge0: port 1(bridge_slave_0) entered disabled state
[   57.870725][ T8218] device bridge_slave_0 entered promiscuous mode
[   57.878263][ T8218] bridge0: port 2(bridge_slave_1) entered blocking state
[   57.885425][ T8218] bridge0: port 2(bridge_slave_1) entered disabled state
[   57.892964][ T8218] device bridge_slave_1 entered promiscuous mode
[   57.907696][ T8218] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[   57.918407][ T8218] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[   57.935995][ T8218] team0: Port device team_slave_0 added
[   57.942994][ T8218] team0: Port device team_slave_1 added
[   58.021385][ T8218] device hsr_slave_0 entered promiscuous mode
[   58.090079][ T8218] device hsr_slave_1 entered promiscuous mode
[   58.166880][ T8218] bridge0: port 2(bridge_slave_1) entered blocking state
[   58.174052][ T8218] bridge0: port 2(bridge_slave_1) entered forwarding state
[   58.181718][ T8218] bridge0: port 1(bridge_slave_0) entered blocking state
[   58.188746][ T8218] bridge0: port 1(bridge_slave_0) entered forwarding state
[   58.217651][ T8218] 8021q: adding VLAN 0 to HW filter on device bond0
[   58.230694][   T22] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[   58.240733][   T22] bridge0: port 1(bridge_slave_0) entered disabled state
[   58.248581][   T22] bridge0: port 2(bridge_slave_1) entered disabled state
[   58.256738][   T22] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[   58.267914][ T8218] 8021q: adding VLAN 0 to HW filter on device team0
[   58.277896][    T5] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[   58.286429][    T5] bridge0: port 1(bridge_slave_0) entered blocking state
[   58.293524][    T5] bridge0: port 1(bridge_slave_0) entered forwarding state
[   58.310165][ T8220] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[   58.318670][ T8220] bridge0: port 2(bridge_slave_1) entered blocking state
[   58.325784][ T8220] bridge0: port 2(bridge_slave_1) entered forwarding state
[   58.333610][ T8220] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[   58.342613][ T8220] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[   58.352906][    T5] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[   58.366465][   T22] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[   58.374803][   T22] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[   58.386153][ T8218] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[   58.402802][ T8218] 8021q: adding VLAN 0 to HW filter on device batadv0
[   60.612437][ T8218] ==================================================================
[   60.620618][ T8218] BUG: KASAN: use-after-free in finish_task_switch+0x331/0x550
[   60.628135][ T8218] Read of size 4 at addr ffff88808e6c18f8 by task syz-executor.0/8218
[   60.636248][ T8218] 
[   60.638566][ T8218] CPU: 0 PID: 8218 Comm: syz-executor.0 Not tainted 5.2.0+ #34
[   60.646091][ T8218] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   60.656122][ T8218] Call Trace:
[   60.659399][ T8218]  dump_stack+0x1d8/0x2f8
[   60.663707][ T8218]  print_address_description+0x75/0x5b0
[   60.669224][ T8218]  ? log_buf_vmcoreinfo_setup+0x153/0x153
[   60.674918][ T8218]  __kasan_report+0x14b/0x1c0
[   60.679593][ T8218]  ? finish_task_switch+0x331/0x550
[   60.684762][ T8218]  kasan_report+0x26/0x50
[   60.689061][ T8218]  check_memory_region+0x2cf/0x2e0
[   60.694143][ T8218]  __kasan_check_read+0x11/0x20
[   60.698966][ T8218]  finish_task_switch+0x331/0x550
[   60.703963][ T8218]  __schedule+0x8be/0xcd0
[   60.708269][ T8218]  ? is_mmconf_reserved+0x410/0x410
[   60.713440][ T8218]  ? hrtimer_start_range_ns+0x565/0x690
[   60.718964][ T8218]  schedule+0x131/0x1e0
[   60.723095][ T8218]  do_nanosleep+0x295/0x7d0
[   60.727573][ T8218]  ? usleep_range+0x180/0x180
[   60.732222][ T8218]  ? __lock_acquire+0x4750/0x4750
[   60.737232][ T8218]  ? lock_acquire+0x158/0x250
[   60.741884][ T8218]  hrtimer_nanosleep+0x3c2/0x5d0
[   60.746793][ T8218]  ? nanosleep_copyout+0x120/0x120
[   60.751877][ T8218]  ? hrtimer_init_sleeper+0x70/0x70
[   60.757047][ T8218]  ? timespec64_add_safe+0x210/0x210
[   60.762304][ T8218]  ? debug_smp_processor_id+0x1c/0x20
[   60.767644][ T8218]  ? fpregs_assert_state_consistent+0xb7/0xe0
[   60.773683][ T8218]  __x64_sys_nanosleep+0x1ef/0x230
[   60.778767][ T8218]  ? hrtimer_nanosleep+0x5d0/0x5d0
[   60.783849][ T8218]  ? trace_irq_disable_rcuidle+0x23/0x1e0
[   60.789544][ T8218]  ? do_syscall_64+0x1d/0x140
[   60.794207][ T8218]  do_syscall_64+0xfe/0x140
[   60.798683][ T8218]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   60.804549][ T8218] RIP: 0033:0x457cc0
[   60.808416][ T8218] Code: c0 5b 5d c3 66 0f 1f 44 00 00 8b 04 24 48 83 c4 18 5b 5d c3 66 0f 1f 44 00 00 83 3d 91 ea 61 00 00 75 14 b8 23 00 00 00 0f 05 <48> 3d 01 f0 ff ff 0f 83 24 d3 fb ff c3 48 83 ec 08 e8 ea 46 00 00
[   60.828004][ T8218] RSP: 002b:00007ffc89355738 EFLAGS: 00000246 ORIG_RAX: 0000000000000023
[   60.836396][ T8218] RAX: ffffffffffffffda RBX: 000000000000ea43 RCX: 0000000000457cc0
[   60.844360][ T8218] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 00007ffc89355740
[   60.852308][ T8218] RBP: 000000000000000b R08: 0000000000000001 R09: 00005555559bf940
[   60.860252][ T8218] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000007
[   60.868210][ T8218] R13: 00007ffc89355790 R14: 000000000000e9c0 R15: 00007ffc893557a0
[   60.876164][ T8218] 
[   60.878488][ T8218] Allocated by task 8218:
[   60.882794][ T8218]  __kasan_kmalloc+0x11c/0x1b0
[   60.888006][ T8218]  kasan_slab_alloc+0xf/0x20
[   60.892570][ T8218]  kmem_cache_alloc+0x1f5/0x2e0
[   60.897389][ T8218]  dup_mm+0x29/0x340
[   60.901255][ T8218]  copy_process+0x25ef/0x5bc0
[   60.905902][ T8218]  _do_fork+0x179/0x630
[   60.910047][ T8218]  __x64_sys_clone+0x247/0x2b0
[   60.914796][ T8218]  do_syscall_64+0xfe/0x140
[   60.919269][ T8218]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   60.925129][ T8218] 
[   60.927426][ T8218] Freed by task 8244:
[   60.931381][ T8218]  __kasan_slab_free+0x12a/0x1e0
[   60.936289][ T8218]  kasan_slab_free+0xe/0x10
[   60.940765][ T8218]  kmem_cache_free+0x81/0xf0
[   60.945337][ T8218]  __mmdrop+0x2c4/0x3b0
[   60.949471][ T8218]  __mmput+0x373/0x3a0
[   60.953519][ T8218]  mmput+0x5d/0x70
[   60.957212][ T8218]  exit_mm+0x585/0x640
[   60.961251][ T8218]  do_exit+0x5d0/0x2310
[   60.965394][ T8218]  do_group_exit+0x15c/0x2b0
[   60.970010][ T8218]  get_signal+0x51c/0x1dd0
[   60.974398][ T8218]  do_signal+0x7b/0x720
[   60.978524][ T8218]  prepare_exit_to_usermode+0x303/0x580
[   60.984041][ T8218]  syscall_return_slowpath+0x113/0x4a0
[   60.989490][ T8218]  do_syscall_64+0x126/0x140
[   60.994051][ T8218]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   60.999905][ T8218] 
[   61.002205][ T8218] The buggy address belongs to the object at ffff88808e6c1400
[   61.002205][ T8218]  which belongs to the cache mm_struct(17:syz0) of size 1496
[   61.016923][ T8218] The buggy address is located 1272 bytes inside of
[   61.016923][ T8218]  1496-byte region [ffff88808e6c1400, ffff88808e6c19d8)
[   61.030934][ T8218] The buggy address belongs to the page:
[   61.036538][ T8218] page:ffffea000239b000 refcount:1 mapcount:0 mapping:ffff8880867de8c0 index:0x0 compound_mapcount: 0
[   61.047437][ T8218] flags: 0x1fffc0000010200(slab|head)
[   61.052781][ T8218] raw: 01fffc0000010200 ffffea0002331108 ffff8880a380ff48 ffff8880867de8c0
[   61.061335][ T8218] raw: 0000000000000000 ffff88808e6c0080 0000000100000004 0000000000000000
[   61.069893][ T8218] page dumped because: kasan: bad access detected
[   61.076270][ T8218] 
[   61.078565][ T8218] Memory state around the buggy address:
[   61.084166][ T8218]  ffff88808e6c1780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   61.092202][ T8218]  ffff88808e6c1800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   61.100234][ T8218] >ffff88808e6c1880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   61.108266][ T8218]                                                                 ^
[   61.116209][ T8218]  ffff88808e6c1900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   61.124239][ T8218]  ffff88808e6c1980: fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc fc
[   61.132267][ T8218] ==================================================================
[   61.140310][ T8218] Disabling lock debugging due to kernel taint
[   61.146841][ T8218] Kernel panic - not syncing: panic_on_warn set ...
[   61.153517][ T8218] CPU: 0 PID: 8218 Comm: syz-executor.0 Tainted: G    B             5.2.0+ #34
[   61.162435][ T8218] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   61.172466][ T8218] Call Trace:
[   61.175726][ T8218]  dump_stack+0x1d8/0x2f8
[   61.180041][ T8218]  panic+0x29b/0x7d9
[   61.183928][ T8218]  ? __kasan_report+0x195/0x1c0
[   61.188750][ T8218]  ? trace_hardirqs_on+0x34/0x80
[   61.193792][ T8218]  ? nmi_panic+0x97/0x97
[   61.198005][ T8218]  ? __kasan_report+0x195/0x1c0
[   61.202842][ T8218]  ? _raw_spin_unlock_irqrestore+0xad/0xe0
[   61.208617][ T8218]  __kasan_report+0x1bb/0x1c0
[   61.213263][ T8218]  ? finish_task_switch+0x331/0x550
[   61.218430][ T8218]  kasan_report+0x26/0x50
[   61.222730][ T8218]  check_memory_region+0x2cf/0x2e0
[   61.227809][ T8218]  __kasan_check_read+0x11/0x20
[   61.232629][ T8218]  finish_task_switch+0x331/0x550
[   61.237625][ T8218]  __schedule+0x8be/0xcd0
[   61.241924][ T8218]  ? is_mmconf_reserved+0x410/0x410
[   61.247091][ T8218]  ? hrtimer_start_range_ns+0x565/0x690
[   61.252621][ T8218]  schedule+0x131/0x1e0
[   61.256750][ T8218]  do_nanosleep+0x295/0x7d0
[   61.261225][ T8218]  ? usleep_range+0x180/0x180
[   61.265871][ T8218]  ? __lock_acquire+0x4750/0x4750
[   61.270862][ T8218]  ? lock_acquire+0x158/0x250
[   61.275509][ T8218]  hrtimer_nanosleep+0x3c2/0x5d0
[   61.280442][ T8218]  ? nanosleep_copyout+0x120/0x120
[   61.285523][ T8218]  ? hrtimer_init_sleeper+0x70/0x70
[   61.290715][ T8218]  ? timespec64_add_safe+0x210/0x210
[   61.295968][ T8218]  ? debug_smp_processor_id+0x1c/0x20
[   61.301329][ T8218]  ? fpregs_assert_state_consistent+0xb7/0xe0
[   61.307379][ T8218]  __x64_sys_nanosleep+0x1ef/0x230
[   61.312721][ T8218]  ? hrtimer_nanosleep+0x5d0/0x5d0
[   61.317803][ T8218]  ? trace_irq_disable_rcuidle+0x23/0x1e0
[   61.323505][ T8218]  ? do_syscall_64+0x1d/0x140
[   61.328154][ T8218]  do_syscall_64+0xfe/0x140
[   61.332646][ T8218]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   61.338506][ T8218] RIP: 0033:0x457cc0
[   61.342370][ T8218] Code: c0 5b 5d c3 66 0f 1f 44 00 00 8b 04 24 48 83 c4 18 5b 5d c3 66 0f 1f 44 00 00 83 3d 91 ea 61 00 00 75 14 b8 23 00 00 00 0f 05 <48> 3d 01 f0 ff ff 0f 83 24 d3 fb ff c3 48 83 ec 08 e8 ea 46 00 00
[   61.361944][ T8218] RSP: 002b:00007ffc89355738 EFLAGS: 00000246 ORIG_RAX: 0000000000000023
[   61.370339][ T8218] RAX: ffffffffffffffda RBX: 000000000000ea43 RCX: 0000000000457cc0
[   61.378305][ T8218] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 00007ffc89355740
[   61.386250][ T8218] RBP: 000000000000000b R08: 0000000000000001 R09: 00005555559bf940
[   61.394213][ T8218] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000007
[   61.402190][ T8218] R13: 00007ffc89355790 R14: 000000000000e9c0 R15: 00007ffc893557a0
[   61.411203][ T8218] Kernel Offset: disabled
[   61.415528][ T8218] Rebooting in 86400 seconds..