[ 39.280162] audit: type=1800 audit(1547426254.115:30): pid=7710 uid=0 auid=4294967295 ses=4294967295 subj=_ op=collect_data cause=failed(directio) comm="startpar" name="rmnologin" dev="sda1" ino=2423 res=0
Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.100' (ECDSA) to the list of known hosts.
syzkaller login: [ 49.912769] IPVS: ftp: loaded support on port[0] = 21
[ 49.971917] chnl_net:caif_netlink_parms(): no params data found
[ 50.004007] bridge0: port 1(bridge_slave_0) entered blocking state
[ 50.010912] bridge0: port 1(bridge_slave_0) entered disabled state
[ 50.017867] device bridge_slave_0 entered promiscuous mode
[ 50.024966] bridge0: port 2(bridge_slave_1) entered blocking state
[ 50.031433] bridge0: port 2(bridge_slave_1) entered disabled state
[ 50.038288] device bridge_slave_1 entered promiscuous mode
[ 50.053958] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 50.062816] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 50.078093] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 50.085704] team0: Port device team_slave_0 added
[ 50.091046] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 50.098089] team0: Port device team_slave_1 added
[ 50.103428] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[ 50.110736] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[ 50.191261] device hsr_slave_0 entered promiscuous mode
[ 50.239758] device hsr_slave_1 entered promiscuous mode
[ 50.279803] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready
[ 50.286664] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_1: link is not ready
[ 50.299848] bridge0: port 2(bridge_slave_1) entered blocking state
[ 50.306265] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 50.313181] bridge0: port 1(bridge_slave_0) entered blocking state
[ 50.319553] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 50.348785] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[ 50.356345] 8021q: adding VLAN 0 to HW filter on device bond0
[ 50.364396] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 50.372722] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 50.381836] bridge0: port 1(bridge_slave_0) entered disabled state
[ 50.389191] bridge0: port 2(bridge_slave_1) entered disabled state
[ 50.396468] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 50.406721] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready
[ 50.412869] 8021q: adding VLAN 0 to HW filter on device team0
[ 50.421078] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 50.428655] bridge0: port 1(bridge_slave_0) entered blocking state
[ 50.435053] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 50.450405] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 50.458101] bridge0: port 2(bridge_slave_1) entered blocking state
[ 50.464485] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 50.471671] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 50.487512] hsr0: Slave A (hsr_slave_0) is not up; please bring it up to get a fully working HSR network
[ 50.497752] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
[ 50.508627] IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready
[ 50.515478] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 50.522754] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 50.530476] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 50.537970] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 50.545722] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 50.557971] IPv6: ADDRCONF(NETDEV_UP): vxcan1: link is not ready
[ 50.567732] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 50.579472] ==================================================================
[ 50.587004] BUG: KASAN: slab-out-of-bounds in tick_sched_handle+0x16f/0x190
[ 50.594088] Read of size 8 at addr ffff88809aa37ea0 by task syz-executor404/7863
[ 50.601596] 
[ 50.603207] CPU: 0 PID: 7863 Comm: syz-executor404 Not tainted 5.0.0-rc1+ #24
[ 50.610454] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 50.619790] Call Trace:
[ 50.622358]  <IRQ>
[ 50.624493]  dump_stack+0x1db/0x2d0
[ 50.628116]  ? dump_stack_print_info.cold+0x20/0x20
[ 50.633119]  ? tick_sched_handle+0x16f/0x190
[ 50.637509]  print_address_description.cold+0x7c/0x20d
[ 50.642769]  ? tick_sched_handle+0x16f/0x190
[ 50.647158]  ? tick_sched_handle+0x16f/0x190
[ 50.651552]  kasan_report.cold+0x1b/0x40
[ 50.655597]  ? tick_sched_handle+0x16f/0x190
[ 50.660002]  __asan_report_load8_noabort+0x14/0x20
[ 50.664922]  tick_sched_handle+0x16f/0x190
[ 50.669145]  tick_sched_timer+0x47/0x130
[ 50.673190]  __hrtimer_run_queues+0x3a7/0x1050
[ 50.677757]  ? tick_sched_do_timer+0x1b0/0x1b0
[ 50.682323]  ? hrtimer_start_range_ns+0xda0/0xda0
[ 50.687290]  ? kvm_clock_read+0x18/0x30
[ 50.691250]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[ 50.696247]  ? ktime_get_update_offsets_now+0x3d5/0x5e0
[ 50.701593]  ? do_timer+0x50/0x50
[ 50.705027]  ? add_lock_to_list.isra.0+0x450/0x450
[ 50.709946]  ? rcu_softirq_qs+0x20/0x20
[ 50.713903]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 50.719531]  hrtimer_interrupt+0x314/0x770
[ 50.723803]  smp_apic_timer_interrupt+0x18d/0x760
[ 50.728628]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 50.733448]  ? smp_call_function_single_interrupt+0x640/0x640
[ 50.739308]  ? trace_hardirqs_off+0x310/0x310
[ 50.743798]  ? task_prio+0x50/0x50
[ 50.747322]  ? check_preemption_disabled+0x48/0x290
[ 50.752324]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 50.757170]  apic_timer_interrupt+0xf/0x20
[ 50.761383]  </IRQ>
[ 50.763606] 
[ 50.765218] Allocated by task 1:
[ 50.768564]  save_stack+0x45/0xd0
[ 50.772000]  __kasan_kmalloc.constprop.0+0xcf/0xe0
[ 50.776956]  kasan_kmalloc+0x9/0x10
[ 50.780574]  kmem_cache_alloc_trace+0x151/0x760
[ 50.785220]  device_create_groups_vargs+0x8e/0x270
[ 50.790127]  device_create_with_groups+0xe3/0x120
[ 50.794950]  misc_register+0x51e/0x780
[ 50.798816]  binder_init+0x3f8/0x6e6
[ 50.802508]  do_one_initcall+0x129/0x937
[ 50.806552]  kernel_init_freeable+0x4d5/0x5c4
[ 50.811181]  kernel_init+0x12/0x1c5
[ 50.814785]  ret_from_fork+0x3a/0x50
[ 50.818477] 
[ 50.820087] Freed by task 0:
[ 50.823103] (stack is not available)
[ 50.826791] 
[ 50.828397] The buggy address belongs to the object at ffff88809aa372c0
[ 50.828397]  which belongs to the cache kmalloc-2k of size 2048
[ 50.841077] The buggy address is located 992 bytes to the right of
[ 50.841077]  2048-byte region [ffff88809aa372c0, ffff88809aa37ac0)
[ 50.853533] The buggy address belongs to the page:
[ 50.858443] page:ffffea00026a8d80 count:1 mapcount:0 mapping:ffff88812c3f0c40 index:0x0 compound_mapcount: 0
[ 50.868402] flags: 0x1fffc0000010200(slab|head)
[ 50.873076] raw: 01fffc0000010200 ffffea00026a7c88 ffffea00026a9408 ffff88812c3f0c40
[ 50.880943] raw: 0000000000000000 ffff88809aa361c0 0000000100000003 0000000000000000
[ 50.888802] page dumped because: kasan: bad access detected
[ 50.894490] 
[ 50.896105] Memory state around the buggy address:
[ 50.901019]  ffff88809aa37d80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 50.908357]  ffff88809aa37e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 50.915723] >ffff88809aa37e80: fc fc fc fc fc fc fc fc 00 f1 f1 f1 f1 00 f3 f3
[ 50.923075]                           ^
[ 50.927460]  ffff88809aa37f00: f3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f1
[ 50.934792]  ffff88809aa37f80: f1 f1 f1 f8 f3 f3 f3 fc fc 00 00 00 00 00 00 00
[ 50.942128] ==================================================================
[ 50.949471] Disabling lock debugging due to kernel taint
[ 50.954909] Kernel panic - not syncing: panic_on_warn set ...
[ 50.960777] CPU: 0 PID: 7863 Comm: syz-executor404 Tainted: G B 5.0.0-rc1+ #24
[ 50.969418] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 50.978760] Call Trace:
[ 50.981323]  <IRQ>
[ 50.983458]  dump_stack+0x1db/0x2d0
[ 50.987065]  ? dump_stack_print_info.cold+0x20/0x20
[ 50.992068]  panic+0x2cb/0x65c
[ 50.995246]  ? add_taint.cold+0x16/0x16
[ 50.999202]  ? kasan_check_read+0x11/0x20
[ 51.003332]  ? trace_hardirqs_on_caller+0x310/0x310
[ 51.008328]  ? do_raw_spin_trylock+0x270/0x270
[ 51.012908]  ? add_taint.cold+0x5/0x16
[ 51.016780]  ? trace_hardirqs_off+0xaf/0x310
[ 51.021177]  ? tick_sched_handle+0x16f/0x190
[ 51.025567]  end_report+0x47/0x4f
[ 51.029005]  ? tick_sched_handle+0x16f/0x190
[ 51.033395]  kasan_report.cold+0xe/0x40
[ 51.037349]  ? tick_sched_handle+0x16f/0x190
[ 51.041743]  __asan_report_load8_noabort+0x14/0x20
[ 51.046663]  tick_sched_handle+0x16f/0x190
[ 51.050894]  tick_sched_timer+0x47/0x130
[ 51.054936]  __hrtimer_run_queues+0x3a7/0x1050
[ 51.059508]  ? tick_sched_do_timer+0x1b0/0x1b0
[ 51.064080]  ? hrtimer_start_range_ns+0xda0/0xda0
[ 51.068905]  ? kvm_clock_read+0x18/0x30
[ 51.072999]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[ 51.077995]  ? ktime_get_update_offsets_now+0x3d5/0x5e0
[ 51.083335]  ? do_timer+0x50/0x50
[ 51.086765]  ? add_lock_to_list.isra.0+0x450/0x450
[ 51.091673]  ? rcu_softirq_qs+0x20/0x20
[ 51.095625]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 51.101170]  hrtimer_interrupt+0x314/0x770
[ 51.105386]  smp_apic_timer_interrupt+0x18d/0x760
[ 51.110212]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 51.115036]  ? smp_call_function_single_interrupt+0x640/0x640
[ 51.120912]  ? trace_hardirqs_off+0x310/0x310
[ 51.125403]  ? task_prio+0x50/0x50
[ 51.128940]  ? check_preemption_disabled+0x48/0x290
[ 51.133943]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 51.138788]  apic_timer_interrupt+0xf/0x20
[ 51.142998]  </IRQ>
[ 51.146352] Kernel Offset: disabled
[ 51.149970] Rebooting in 86400 seconds..
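The KASAN report above gives three facts that have to agree: the faulting address (ffff88809aa37ea0, an 8-byte read), the kmalloc-2k object it missed ([ffff88809aa372c0, ffff88809aa37ac0), "992 bytes to the right"), and the shadow-memory rows. The script below is an added example, not part of the syzbot log or of the kernel: it parses those lines, recomputes the distance from the end of the object, and decodes the shadow byte that covers the read using the shadow encoding from mm/kasan/kasan.h in Linux 5.0 (one shadow byte per 8 bytes of kernel memory, 0xfc = kmalloc redzone, 0xf1/0xf3 = stack redzones, and so on). The sample text is copied from the report above; the timestamp regex, the legend table and the function names are the example's own.

```python
import re

# Shadow-byte values from mm/kasan/kasan.h (Linux 5.0, generic KASAN).
# One shadow byte describes KASAN_SHADOW_SCALE_SIZE == 8 bytes of memory,
# so one 16-byte "Memory state" row covers 128 bytes of kernel address space.
SHADOW_SCALE = 8
SHADOW_ROW_BYTES = 16 * SHADOW_SCALE
SHADOW_LEGEND = {
    0xFF: "free page",
    0xFE: "page redzone (kmalloc_large)",
    0xFC: "kmalloc redzone inside a slab object",
    0xFB: "freed kmalloc object",
    0xFA: "global redzone",
    0xF1: "stack left redzone",
    0xF2: "stack mid redzone",
    0xF3: "stack right redzone",
    0xF4: "stack partial redzone",
    0xF8: "stack use-after-scope",
    0xCA: "alloca left redzone",
    0xCB: "alloca right redzone",
}

# Lines copied from the report above (constructed input for this example);
# the console timestamps are kept so the parser has to strip them.
SAMPLE_REPORT = """\
[ 50.587004] BUG: KASAN: slab-out-of-bounds in tick_sched_handle+0x16f/0x190
[ 50.594088] Read of size 8 at addr ffff88809aa37ea0 by task syz-executor404/7863
[ 50.828397] The buggy address belongs to the object at ffff88809aa372c0
[ 50.828397]  which belongs to the cache kmalloc-2k of size 2048
[ 50.841077] The buggy address is located 992 bytes to the right of
[ 50.841077]  2048-byte region [ffff88809aa372c0, ffff88809aa37ac0)
[ 50.896105] Memory state around the buggy address:
[ 50.901019]  ffff88809aa37d80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 50.908357]  ffff88809aa37e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 50.915723] >ffff88809aa37e80: fc fc fc fc fc fc fc fc 00 f1 f1 f1 f1 00 f3 f3
[ 50.923075]                           ^
[ 50.927460]  ffff88809aa37f00: f3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f1
[ 50.934792]  ffff88809aa37f80: f1 f1 f1 f8 f3 f3 f3 fc fc 00 00 00 00 00 00 00
"""

TS_RE = re.compile(r"^\[\s*\d+\.\d+\] ?")                    # "[ 50.587004] "
ACCESS_RE = re.compile(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+)")
REGION_RE = re.compile(r"(\d+)-byte region \[([0-9a-f]+), ([0-9a-f]+)\)")
CLAIM_RE = re.compile(r"located (\d+) bytes to the (left|right) of")
ROW_RE = re.compile(r"^[ >]?([0-9a-f]{16}): ((?:[0-9a-f]{2}\s*){16})$")


def describe_shadow(value):
    """Human-readable meaning of one shadow byte."""
    if value == 0:
        return "addressable"
    if 1 <= value <= 7:
        return f"partially addressable ({value} of 8 bytes)"
    return SHADOW_LEGEND.get(value, f"unknown 0x{value:02x}")


def parse_report(text):
    """Extract the access, the slab region, the kernel's own distance claim
    and the shadow rows (keyed by the 128-byte-aligned row address)."""
    info = {"shadow": {}}
    for raw in text.splitlines():
        line = TS_RE.sub("", raw).rstrip()
        if m := ACCESS_RE.search(line):
            info["kind"], info["size"], info["addr"] = m[1], int(m[2]), int(m[3], 16)
        elif m := REGION_RE.search(line):
            start, end = int(m[2], 16), int(m[3], 16)
            if end - start != int(m[1]):
                raise ValueError("region bounds disagree with stated size")
            info["region"] = (start, end)
        elif m := CLAIM_RE.search(line):
            info["claimed"] = (int(m[1]), m[2])
        elif m := ROW_RE.match(line):
            info["shadow"][int(m[1], 16)] = [int(b, 16) for b in m[2].split()]
    return info


def shadow_at(info, addr):
    """Shadow byte covering kernel address addr, taken from the dumped rows."""
    row = addr & ~(SHADOW_ROW_BYTES - 1)
    return info["shadow"][row][(addr - row) // SHADOW_SCALE]


def locate_access(info):
    """Recompute where the access lands relative to the object, the same way
    the kernel words it, and decode the shadow byte at the faulting address."""
    addr = info["addr"]
    start, end = info["region"]
    if addr < start:
        distance, side = start - addr, "left"
    elif addr >= end:
        distance, side = addr - end, "right"
    else:
        distance, side = addr - start, "inside"
    value = shadow_at(info, addr)
    return distance, side, value, describe_shadow(value)


def check_claim(info):
    """True when the report's own 'N bytes to the left/right' matches."""
    distance, side, _, _ = locate_access(info)
    return info["claimed"] == (distance, side)


def shadow_for_access(info):
    """Every (address, shadow byte) the access touches; an 8-byte read at an
    8-aligned address touches exactly one shadow byte."""
    addr, size = info["addr"], info["size"]
    first, last = addr // SHADOW_SCALE, (addr + size - 1) // SHADOW_SCALE
    return [(s * SHADOW_SCALE, shadow_at(info, s * SHADOW_SCALE)) for s in range(first, last + 1)]


if __name__ == "__main__":
    info = parse_report(SAMPLE_REPORT)
    distance, side, value, meaning = locate_access(info)
    print(f"{info['kind']} of {info['size']} bytes at 0x{info['addr']:x}: "
          f"{distance} bytes {side} of the object, shadow 0x{value:02x} ({meaning})")
    print("kernel's distance claim consistent:", check_claim(info))
```

Run it as `python3 kasan_check.py`. For the report above it confirms the read lands 992 bytes past the end of the kmalloc-2k object and that the shadow byte covering it is 0xfc, a kmalloc redzone, so the access is out of bounds of the slab object rather than into a freed one. The address is recomputed from the numbers rather than from the caret line, which is the one part of the dump that survives reformatting badly.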