[ *] A start job is running for dev-ttyS0.device (1min 29s / 1min 30s)
[ **] A start job is running for dev-ttyS0.device (1min 29s / 1min 30s)
[ ***] A start job is running for dev-ttyS0.device (1min 30s / 1min 30s)
[ TIME ] Timed out waiting for device dev-ttyS0.device.
[DEPEND] Dependency failed for Serial Getty on ttyS0.
[ OK ] Reached target Login Prompts.
[ OK ] Reached target Multi-User System.
[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
[ OK ] Started Update UTMP about System Runlevel Changes.
Warning: Permanently added '10.128.0.124' (ECDSA) to the list of known hosts.
2020/07/05 09:41:13 parsed 1 programs
2020/07/05 09:41:13 executed programs: 0
[ 823.143932][ T22] audit: type=1400 audit(1593942073.369:8): avc: denied { execmem } for pid=372 comm="syz-executor.3" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=1
[ 823.164599][ T375] cgroup1: Unknown subsys name 'perf_event'
[ 823.173631][ T380] cgroup1: Unknown subsys name 'perf_event'
[ 823.175089][ T376] cgroup1: Unknown subsys name 'perf_event'
[ 823.180058][ T380] cgroup1: Unknown subsys name 'net_cls'
[ 823.189644][ T378] cgroup1: Unknown subsys name 'perf_event'
[ 823.193025][ T382] cgroup1: Unknown subsys name 'perf_event'
[ 823.197361][ T375] cgroup1: Unknown subsys name 'net_cls'
[ 823.203429][ T382] cgroup1: Unknown subsys name 'net_cls'
[ 823.212613][ T378] cgroup1: Unknown subsys name 'net_cls'
[ 823.220223][ T376] cgroup1: Unknown subsys name 'net_cls'
[ 823.226905][ T385] cgroup1: Unknown subsys name 'perf_event'
[ 823.234678][ T385] cgroup1: Unknown subsys name 'net_cls'
2020/07/05 09:41:18 executed programs: 36
2020/07/05 09:41:23 executed programs: 182
2020/07/05 09:41:28 executed programs: 328
2020/07/05 09:41:33 executed programs: 481
2020/07/05 09:41:38 executed programs: 631
2020/07/05 09:41:43 executed programs: 791
2020/07/05 09:41:48 executed programs: 945
2020/07/05 09:41:53 executed programs: 1095
2020/07/05 09:41:58 executed programs: 1249
2020/07/05 09:42:03 executed programs: 1413
2020/07/05 09:42:08 executed programs: 1558
2020/07/05 09:42:13 executed programs: 1699
2020/07/05 09:42:18 executed programs: 1839
2020/07/05 09:42:23 executed programs: 1978
2020/07/05 09:42:28 executed programs: 2126
2020/07/05 09:42:33 executed programs: 2279
2020/07/05 09:42:38 executed programs: 2424
2020/07/05 09:42:43 executed programs: 2572
2020/07/05 09:42:48 executed programs: 2725
2020/07/05 09:42:53 executed programs: 2877
2020/07/05 09:42:58 executed programs: 3027
2020/07/05 09:43:03 executed programs: 3179
2020/07/05 09:43:08 executed programs: 3335
2020/07/05 09:43:14 executed programs: 3486
2020/07/05 09:43:19 executed programs: 3635
2020/07/05 09:43:24 executed programs: 3777
2020/07/05 09:43:29 executed programs: 3930
2020/07/05 09:43:34 executed programs: 4077
2020/07/05 09:43:39 executed programs: 4235
[ 969.792608][T22157] ==================================================================
[ 969.800707][T22157] BUG: KASAN: use-after-free in try_to_del_timer_sync+0x3ee/0x480
[ 969.808492][T22157] Write of size 8 at addr ffff8881ca35f188 by task syz-executor.0/22157
[ 969.818272][T22157]
[ 969.820576][T22157] CPU: 1 PID: 22157 Comm: syz-executor.0 Not tainted 5.4.50-syzkaller-01110-g45217b91eaaa #0
[ 969.830698][T22157] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 969.840737][T22157] Call Trace:
[ 969.844004][T22157] dump_stack+0x14a/0x1ce
[ 969.848318][T22157] ? show_regs_print_info+0x12/0x12
[ 969.853483][T22157] ? printk+0xd2/0x114
[ 969.857521][T22157] print_address_description+0x93/0x620
[ 969.863035][T22157] ? devkmsg_release+0x11c/0x11c
[ 969.867942][T22157] ? try_to_wake_up+0xbf8/0xd90
[ 969.872775][T22157] ? _raw_spin_lock_irqsave+0xfc/0x1e0
[ 969.878225][T22157] __kasan_report+0x16d/0x1e0
[ 969.882875][T22157] ? try_to_del_timer_sync+0x3ee/0x480
[ 969.888303][T22157] kasan_report+0x36/0x60
[ 969.892608][T22157] try_to_del_timer_sync+0x3ee/0x480
[ 969.897871][T22157] del_timer_sync+0x74/0xe0
[ 969.903301][T22157] tun_free_netdev+0x99/0x3a0
[ 969.907949][T22157] ? find_next_bit+0xd8/0x120
[ 969.912592][T22157] ? tun_xdp+0x3d0/0x3d0
[ 969.916811][T22157] netdev_run_todo+0xbe3/0xe90
[ 969.921564][T22157] ? slab_free_freelist_hook+0xd0/0x150
[ 969.927077][T22157] ? netdev_refcnt_read+0x1a0/0x1a0
[ 969.932243][T22157] ? __sk_destruct+0x3f9/0x480
[ 969.936995][T22157] ? kfree+0x12b/0x600
[ 969.941044][T22157] ? netdev_state_change+0xa2/0x210
[ 969.946207][T22157] ? netdev_features_change+0x150/0x150
[ 969.951720][T22157] ? __module_put_and_exit+0x20/0x20
[ 969.956986][T22157] ? __sk_destruct+0x3f9/0x480
[ 969.961720][T22157] ? __sk_free+0x325/0x410
[ 969.966115][T22157] tun_chr_close+0xc0/0xd0
[ 969.970498][T22157] ? tun_chr_open+0x4a0/0x4a0
[ 969.975154][T22157] __fput+0x27d/0x6c0
[ 969.979106][T22157] task_work_run+0x176/0x1a0
[ 969.983673][T22157] prepare_exit_to_usermode+0x286/0x2e0
[ 969.989200][T22157] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 969.995064][T22157] RIP: 0033:0x416721
[ 969.998927][T22157] Code: 75 14 b8 03 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 04 1b 00 00 c3 48 83 ec 08 e8 0a fc ff ff 48 89 04 24 b8 03 00 00 00 0f 05 <48> 8b 3c 24 48 89 c2 e8 53 fc ff ff 48 89 d0 48 83 c4 08 48 3d 01
[ 970.018507][T22157] RSP: 002b:00007ffcbb4b8c80 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
[ 970.026898][T22157] RAX: 0000000000000000 RBX: 0000000000000004 RCX: 0000000000416721
[ 970.034845][T22157] RDX: 0000000000000001 RSI: 0000000000790300 RDI: 0000000000000003
[ 970.043058][T22157] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[ 970.051004][T22157] R10: 00007ffcbb4b8d70 R11: 0000000000000293 R12: 0000000000791548
[ 970.058964][T22157] R13: 00000000000ecb36 R14: ffffffffffffffff R15: 000000000078bfac
[ 970.066924][T22157]
[ 970.069223][T22157] The buggy address belongs to the page:
[ 970.074835][T22157] page:ffffea000728d7c0 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0
[ 970.083926][T22157] flags: 0x8000000000000000()
[ 970.088616][T22157] raw: 8000000000000000 0000000000000000 ffffea000759ff08 0000000000000000
[ 970.097177][T22157] raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
[ 970.105746][T22157] page dumped because: kasan: bad access detected
[ 970.112127][T22157]
[ 970.114425][T22157] Memory state around the buggy address:
[ 970.120058][T22157] ffff8881ca35f080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 970.128110][T22157] ffff8881ca35f100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 970.136156][T22157] >ffff8881ca35f180: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 970.144535][T22157] ^
[ 970.148835][T22157] ffff8881ca35f200: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 970.156882][T22157] ffff8881ca35f280: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 970.164919][T22157] ==================================================================
[ 970.172948][T22157] Disabling lock debugging due to kernel taint
2020/07/05 09:43:44 executed programs: 4379
[ 978.771535][ C0] kasan: CONFIG_KASAN_INLINE enabled
[ 978.776836][ C0] kasan: GPF could be caused by NULL-ptr deref or user memory access
[ 978.784885][ C0] general protection fault: 0000 [#1] PREEMPT SMP KASAN
[ 978.792407][ C0] CPU: 0 PID: 0 Comm: swapper/0 Tainted: G B 5.4.50-syzkaller-01110-g45217b91eaaa #0
[ 978.803179][ C0] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 978.814206][ C0] RIP: 0010:expire_timers+0x284/0x470
[ 978.819555][ C0] Code: 89 e7 e8 3f 30 3d 00 4d 89 3c 24 4d 85 ff 74 36 e8 31 02 0f 00 49 83 c7 08 4c 89 f8 48 c1 e8 03 48 b9 00 00 00 00 00 fc ff df <80> 3c 08 00 74 08 4c 89 ff e8 0e 30 3d 00 4d 89 27 eb 0e 66 0f 1f
[ 978.839134][ C0] RSP: 0018:ffff8881db809c50 EFLAGS: 00010802
[ 978.845175][ C0] RAX: 1bd5a00000000025 RBX: ffff8881db823708 RCX: dffffc0000000000
[ 978.853131][ C0] RDX: 0000000080000102 RSI: 0000000000000008 RDI: ffff8881ca35f188
[ 978.861079][ C0] RBP: 1ffff1103946be31 R08: ffffffff8132fb49 R09: ffffed103b7046e8
[ 978.869034][ C0] R10: ffffed103b7046e8 R11: 0000000000000000 R12: ffff8881db809d80
[ 978.876997][ C0] R13: ffff8881ca35f180 R14: ffff8881ca35f188 R15: dead00000000012a
[ 978.884958][ C0] FS: 0000000000000000(0000) GS:ffff8881db800000(0000) knlGS:0000000000000000
[ 978.893865][ C0] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 978.900434][ C0] CR2: 000055da932d18f8 CR3: 00000001d0f43006 CR4: 00000000001606f0
[ 978.908421][ C0] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 978.916376][ C0] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 978.924330][ C0] Call Trace:
[ 978.927621][ C0]
[ 978.930458][ C0] __run_timers+0x662/0x7b0
[ 978.934943][ C0] ? enqueue_hrtimer+0x1cf/0x230
[ 978.939875][ C0] ? detach_timer+0x260/0x260
[ 978.944564][ C0] ? __run_hrtimer+0x601/0x7a0
[ 978.949326][ C0] ? clockevents_program_event+0x214/0x2d0
[ 978.955127][ C0] ? hrtimer_interrupt+0xe75/0x10a0
[ 978.960302][ C0] run_timer_softirq+0x19/0x30
[ 978.965064][ C0] __do_softirq+0x2d5/0x725
[ 978.969546][ C0] ? __irqentry_text_end+0x1fc47b/0x1fc47b
[ 978.975329][ C0] ? hrtimer_init+0x340/0x340
[ 978.979982][ C0] ? kvm_sched_clock_read+0x15/0x40
[ 978.985158][ C0] ? sched_clock_cpu+0x18/0x380
[ 978.990005][ C0] irq_exit+0x16d/0x180
[ 978.994159][ C0] smp_apic_timer_interrupt+0x281/0x3f0
[ 978.999702][ C0] apic_timer_interrupt+0xf/0x20
[ 979.004614][ C0]
[ 979.007563][ C0] RIP: 0010:default_idle+0x1f/0x30
[ 979.012652][ C0] Code: ff e8 55 15 42 fd 90 90 90 90 90 65 8b 35 d1 44 2a 7c bf 01 00 00 00 e8 4f a1 30 fd e9 07 00 00 00 0f 00 2d ab 31 49 00 fb f4 <65> 8b 35 b2 44 2a 7c bf ff ff ff ff e9 30 a1 30 fd 41 57 41 56 53
[ 979.032281][ C0] RSP: 0018:ffffffff84c07d18 EFLAGS: 00000246 ORIG_RAX: ffffffffffffff13
[ 979.040670][ C0] RAX: d88f868605609b01 RBX: ffffffff84c14980 RCX: ffffffff8124c720
[ 979.048621][ C0] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000001
[ 979.056604][ C0] RBP: ffffffff84c07e20 R08: dffffc0000000000 R09: fffffbfff0982931
[ 979.064560][ C0] R10: fffffbfff0982931 R11: 0000000000000000 R12: ffffffff84d900a0
[ 979.072531][ C0] R13: 0000000000000000 R14: dffffc0000000000 R15: 1ffffffff0982930
[ 979.080493][ C0] ? do_idle+0x1f0/0x5e0
[ 979.084734][ C0] ? default_idle+0x11/0x30
[ 979.089212][ C0] do_idle+0x209/0x5e0
[ 979.093276][ C0] ? idle_inject_timer_fn+0x60/0x60
[ 979.098470][ C0] ? schedule_idle+0x69/0x90
[ 979.103036][ C0] ? do_idle+0x5d2/0x5e0
[ 979.107273][ C0] cpu_startup_entry+0x15/0x20
[ 979.112029][ C0] start_kernel+0x7a3/0x873
[ 979.116521][ C0] ? __early_make_pgtable+0x157/0x1a2
[ 979.121868][ C0] ? arch_call_rest_init+0xa/0xa
[ 979.126801][ C0] ? kasan_early_init+0x2c5/0x31f
[ 979.131802][ C0] ? check_loader_disabled_bsp+0x92/0x131
[ 979.137510][ C0] ? load_ucode_bsp+0xef/0x105
[ 979.142271][ C0] secondary_startup_64+0xa4/0xb0
[ 979.147262][ C0] Modules linked in:
[ 979.151134][ C0] ---[ end trace 261bf34ad4b7bfd6 ]---
[ 979.156587][ C0] RIP: 0010:expire_timers+0x284/0x470
[ 979.161935][ C0] Code: 89 e7 e8 3f 30 3d 00 4d 89 3c 24 4d 85 ff 74 36 e8 31 02 0f 00 49 83 c7 08 4c 89 f8 48 c1 e8 03 48 b9 00 00 00 00 00 fc ff df <80> 3c 08 00 74 08 4c 89 ff e8 0e 30 3d 00 4d 89 27 eb 0e 66 0f 1f
[ 979.181526][ C0] RSP: 0018:ffff8881db809c50 EFLAGS: 00010802
[ 979.187574][ C0] RAX: 1bd5a00000000025 RBX: ffff8881db823708 RCX: dffffc0000000000
[ 979.195543][ C0] RDX: 0000000080000102 RSI: 0000000000000008 RDI: ffff8881ca35f188
[ 979.203494][ C0] RBP: 1ffff1103946be31 R08: ffffffff8132fb49 R09: ffffed103b7046e8
[ 979.211458][ C0] R10: ffffed103b7046e8 R11: 0000000000000000 R12: ffff8881db809d80
[ 979.219421][ C0] R13: ffff8881ca35f180 R14: ffff8881ca35f188 R15: dead00000000012a
[ 979.227384][ C0] FS: 0000000000000000(0000) GS:ffff8881db800000(0000) knlGS:0000000000000000
[ 979.236295][ C0] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 979.242856][ C0] CR2: 000055da932d18f8 CR3: 00000001d0f43006 CR4: 00000000001606f0
[ 979.250812][ C0] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 979.258760][ C0] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 979.266721][ C0] Kernel panic - not syncing: Fatal exception in interrupt
[ 979.274337][ C0] Kernel Offset: disabled
[ 979.278660][ C0] Rebooting in 86400 seconds..