[ OK ] Listening on Load/Save RF Kill Switch Status /dev/rfkill Watch.
[ OK ] Started Getty on tty6.
[ OK ] Started Getty on tty5.
[ OK ] Started Getty on tty4.
[ OK ] Started Getty on tty3.
[ OK ] Started Getty on tty2.
[ OK ] Started Getty on tty1.
[ OK ] Started Serial Getty on ttyS0.
[ OK ] Reached target Login Prompts.
[ OK ] Reached target Multi-User System.
[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
Starting Load/Save RF Kill Switch Status...
[ OK ] Started Update UTMP about System Runlevel Changes.
[ OK ] Started Load/Save RF Kill Switch Status.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.0.30' (ECDSA) to the list of known hosts.
2020/05/16 18:04:44 parsed 1 programs
2020/05/16 18:04:45 executed programs: 0
syzkaller login: [   66.543457][   T27] audit: type=1400 audit(1589652285.000:8): avc:  denied  { execmem } for  pid=7057 comm="syz-executor.0" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=1
[   66.590617][ T7058] IPVS: ftp: loaded support on port[0] = 21
[   66.688034][ T7058] chnl_net:caif_netlink_parms(): no params data found
[   66.742178][ T7058] bridge0: port 1(bridge_slave_0) entered blocking state
[   66.750637][ T7058] bridge0: port 1(bridge_slave_0) entered disabled state
[   66.759142][ T7058] device bridge_slave_0 entered promiscuous mode
[   66.769830][ T7058] bridge0: port 2(bridge_slave_1) entered blocking state
[   66.777111][ T7058] bridge0: port 2(bridge_slave_1) entered disabled state
[   66.784841][ T7058] device bridge_slave_1 entered promiscuous mode
[   66.806580][ T7058] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[   66.818743][ T7058] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[   66.842045][ T7058] team0: Port device team_slave_0 added
[   66.849662][ T7058] team0: Port device team_slave_1 added
[   66.868126][ T7058] batman_adv: batadv0: Adding interface: batadv_slave_0
[   66.877403][ T7058] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[   66.903547][ T7058] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[   66.916490][ T7058] batman_adv: batadv0: Adding interface: batadv_slave_1
[   66.923445][ T7058] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[   66.950600][ T7058] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[   67.018800][ T7058] device hsr_slave_0 entered promiscuous mode
[   67.066407][ T7058] device hsr_slave_1 entered promiscuous mode
[   67.198304][ T7058] netdevsim netdevsim0 netdevsim0: renamed from eth0
[   67.239267][ T7058] netdevsim netdevsim0 netdevsim1: renamed from eth1
[   67.288965][ T7058] netdevsim netdevsim0 netdevsim2: renamed from eth2
[   67.349599][ T7058] netdevsim netdevsim0 netdevsim3: renamed from eth3
[   67.432819][ T7058] bridge0: port 2(bridge_slave_1) entered blocking state
[   67.440808][ T7058] bridge0: port 2(bridge_slave_1) entered forwarding state
[   67.449235][ T7058] bridge0: port 1(bridge_slave_0) entered blocking state
[   67.456456][ T7058] bridge0: port 1(bridge_slave_0) entered forwarding state
[   67.505220][ T7058] 8021q: adding VLAN 0 to HW filter on device bond0
[   67.520840][ T2882] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[   67.531874][ T2882] bridge0: port 1(bridge_slave_0) entered disabled state
[   67.540892][ T2882] bridge0: port 2(bridge_slave_1) entered disabled state
[   67.550472][ T2882] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[   67.564379][ T7058] 8021q: adding VLAN 0 to HW filter on device team0
[   67.576834][   T12] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[   67.586348][   T12] bridge0: port 1(bridge_slave_0) entered blocking state
[   67.593470][   T12] bridge0: port 1(bridge_slave_0) entered forwarding state
[   67.606133][ T2882] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[   67.614618][ T2882] bridge0: port 2(bridge_slave_1) entered blocking state
[   67.621931][ T2882] bridge0: port 2(bridge_slave_1) entered forwarding state
[   67.646148][   T12] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[   67.654988][   T12] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[   67.673026][ T7058] hsr0: Slave A (hsr_slave_0) is not up; please bring it up to get a fully working HSR network
[   67.684887][ T7058] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
[   67.698651][   T12] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[   67.708504][   T12] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[   67.717627][   T12] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[   67.726808][   T12] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[   67.747016][ T2882] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[   67.754396][ T2882] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[   67.769653][ T7058] 8021q: adding VLAN 0 to HW filter on device batadv0
[   67.795163][   T12] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_virt_wifi: link becomes ready
[   67.805284][   T12] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[   67.826983][ T2693] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_vlan: link becomes ready
[   67.835412][ T2693] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[   67.847855][ T7058] device veth0_vlan entered promiscuous mode
[   67.854697][ T2693] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[   67.863948][ T2693] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[   67.879964][ T7058] device veth1_vlan entered promiscuous mode
[   67.902777][ T2882] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan0: link becomes ready
[   67.911688][ T2882] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan1: link becomes ready
[   67.920015][ T2882] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_macvtap: link becomes ready
[   67.929298][ T2882] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[   67.940541][ T7058] device veth0_macvtap entered promiscuous mode
[   67.952781][ T7058] device veth1_macvtap entered promiscuous mode
[   67.971808][ T7058] batman_adv: batadv0: Interface activated: batadv_slave_0
[   67.980850][ T2882] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready
[   67.989348][ T2882] IPv6: ADDRCONF(NETDEV_CHANGE): macsec0: link becomes ready
[   67.997449][ T2882] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready
[   68.006267][ T2882] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[   68.019761][ T7058] batman_adv: batadv0: Interface activated: batadv_slave_1
[   68.027569][ T2693] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready
[   68.037965][ T2693] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[   68.287936][   T27] audit: type=1800 audit(1589652286.750:9): pid=7268 uid=0 auid=0 ses=5 subj=system_u:system_r:kernel_t:s0 op=collect_data cause=failed(directio) comm="syz-executor.0" name="file0" dev="sda1" ino=15718 res=0
[   68.319538][ T7268] MINIX-fs: mounting unchecked file system, running fsck is recommended
[   68.357556][ T7273] Process accounting resumed
[   68.367972][ T7273] Process accounting resumed
[   68.470558][   T27] audit: type=1800 audit(1589652286.930:10): pid=7277 uid=0 auid=0 ses=5 subj=system_u:system_r:kernel_t:s0 op=collect_data cause=failed(directio) comm="syz-executor.0" name="file0" dev="sda1" ino=15718 res=0
[   68.507025][ T7277] MINIX-fs: mounting unchecked file system, running fsck is recommended
[   68.526980][ T7281] Process accounting resumed
[   68.548841][ T7281] Process accounting resumed
[   68.583150][   T27] audit: type=1800 audit(1589652287.040:11): pid=7283 uid=0 auid=0 ses=5 subj=system_u:system_r:kernel_t:s0 op=collect_data cause=failed(directio) comm="syz-executor.0" name="file0" dev="sda1" ino=15718 res=0
[   68.612396][ T7283] MINIX-fs: mounting unchecked file system, running fsck is recommended
[   68.635672][ T7287] Process accounting resumed
[   68.656403][ T7287] Process accounting resumed
[   68.666656][ T7058] ==================================================================
[   68.675193][ T7058] BUG: KASAN: use-after-free in get_block+0x1202/0x1380
[   68.682202][ T7058] Write of size 2 at addr ffff8880820a47b8 by task syz-executor.0/7058
[   68.690436][ T7058]
[   68.692773][ T7058] CPU: 1 PID: 7058 Comm: syz-executor.0 Not tainted 5.7.0-rc5-syzkaller #0
[   68.701355][ T7058] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   68.711410][ T7058] Call Trace:
[   68.718704][ T7058]  dump_stack+0x188/0x20d
[   68.723050][ T7058]  print_address_description.constprop.0.cold+0xd3/0x413
[   68.730083][ T7058]  ? vprintk_func+0x81/0x17e
[   68.734678][ T7058]  ? get_block+0x1202/0x1380
[   68.739266][ T7058]  __kasan_report.cold+0x20/0x38
[   68.744996][ T7058]  ? get_block+0x1202/0x1380
[   68.749569][ T7058]  ? get_block+0x1202/0x1380
[   68.754162][ T7058]  kasan_report+0x33/0x50
[   68.758475][ T7058]  get_block+0x1202/0x1380
[   68.762882][ T7058]  ? block_to_path.isra.0+0x300/0x300
[   68.768253][ T7058]  ? lock_downgrade+0x840/0x840
[   68.773106][ T7058]  minix_get_block+0xe5/0x110
[   68.777782][ T7058]  __block_write_begin_int+0x490/0x1b00
[   68.783305][ T7058]  ? minix_rename+0x8c0/0x8c0
[   68.787966][ T7058]  ? remove_inode_buffers+0x1c0/0x1c0
[   68.793316][ T7058]  ? pagecache_get_page+0x204/0xa10
[   68.798507][ T7058]  ? wait_for_stable_page+0x11c/0x1e0
[   68.803970][ T7058]  ? minix_rename+0x8c0/0x8c0
[   68.808648][ T7058]  block_write_begin+0x58/0x2e0
[   68.813489][ T7058]  minix_write_begin+0x35/0xe0
[   68.818236][ T7058]  generic_perform_write+0x20a/0x4e0
[   68.823602][ T7058]  ? trace_event_raw_event_file_check_and_advance_wb_err+0x4a0/0x4a0
[   68.831747][ T7058]  ? update_time+0xc0/0xc0
[   68.836149][ T7058]  ? down_write+0xdb/0x150
[   68.840546][ T7058]  __generic_file_write_iter+0x24c/0x610
[   68.846188][ T7058]  generic_file_write_iter+0x3f3/0x630
[   68.851678][ T7058]  ? __generic_file_write_iter+0x610/0x610
[   68.857506][ T7058]  new_sync_write+0x4a2/0x700
[   68.862177][ T7058]  ? new_sync_read+0x7a0/0x7a0
[   68.866938][ T7058]  __vfs_write+0xc9/0x100
[   68.871254][ T7058]  __kernel_write+0x11c/0x3a0
[   68.876189][ T7058]  do_acct_process+0xcdc/0x10e0
[   68.881019][ T7058]  ? acct_on+0x770/0x770
[   68.885278][ T7058]  ? pin_kill+0x12e/0x7c0
[   68.889606][ T7058]  ? do_raw_spin_lock+0x129/0x2e0
[   68.894605][ T7058]  ? rwlock_bug.part.0+0x90/0x90
[   68.899529][ T7058]  acct_pin_kill+0x29/0xf0
[   68.903931][ T7058]  pin_kill+0x175/0x7c0
[   68.908066][ T7058]  ? pin_insert+0x260/0x260
[   68.912547][ T7058]  ? lock_release+0x800/0x800
[   68.917267][ T7058]  ? finish_wait+0x260/0x260
[   68.921869][ T7058]  ? mnt_pin_kill+0x6c/0x1c0
[   68.926532][ T7058]  mnt_pin_kill+0x6c/0x1c0
[   68.930960][ T7058]  cleanup_mnt+0x3c4/0x4b0
[   68.935386][ T7058]  task_work_run+0xf4/0x1b0
[   68.939885][ T7058]  exit_to_usermode_loop+0x2fa/0x360
[   68.945152][ T7058]  do_syscall_64+0x6b1/0x7d0
[   68.949733][ T7058]  entry_SYSCALL_64_after_hwframe+0x49/0xb3
[   68.956047][ T7058] RIP: 0033:0x45f457
[   68.959917][ T7058] Code: 64 89 04 25 d0 02 00 00 58 5f ff d0 48 89 c7 e8 8f be ff ff 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 b8 a6 00 00 00 0f 05 <48> 3d 01 f0 ff ff 0f 83 ad 8c fb ff c3 66 2e 0f 1f 84 00 00 00 00
[   68.979636][ T7058] RSP: 002b:00007fffabd151c8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
[   68.988118][ T7058] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 000000000045f457
[   68.996159][ T7058] RDX: 00000000004031d8 RSI: 0000000000000002 RDI: 00007fffabd15270
[   69.004282][ T7058] RBP: 0000000000000008 R08: 0000000000000000 R09: 0000000000000009
[   69.012249][ T7058] R10: 0000000000000005 R11: 0000000000000246 R12: 00007fffabd16300
[   69.020198][ T7058] R13: 0000000002036940 R14: 0000000000000000 R15: 00007fffabd16300
[   69.028184][ T7058]
[   69.030492][ T7058] The buggy address belongs to the page:
[   69.036207][ T7058] page:ffffea0002082900 refcount:0 mapcount:0 mapping:000000008f43b10e index:0x1
[   69.045387][ T7058] flags: 0xfffe0000000000()
[   69.049867][ T7058] raw: 00fffe0000000000 ffffea0002082688 ffffea0002082788 0000000000000000
[   69.059553][ T7058] raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000
[   69.068116][ T7058] page dumped because: kasan: bad access detected
[   69.074513][ T7058]
[   69.076818][ T7058] Memory state around the buggy address:
[   69.082425][ T7058]  ffff8880820a4680: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   69.090472][ T7058]  ffff8880820a4700: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   69.098598][ T7058] >ffff8880820a4780: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   69.106696][ T7058]                                         ^
[   69.112715][ T7058]  ffff8880820a4800: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   69.120788][ T7058]  ffff8880820a4880: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[   69.128853][ T7058] ==================================================================
[   69.137211][ T7058] Disabling lock debugging due to kernel taint
[   69.149405][ T7058] Kernel panic - not syncing: panic_on_warn set ...
[   69.157551][ T7058] CPU: 1 PID: 7058 Comm: syz-executor.0 Tainted: G    B             5.7.0-rc5-syzkaller #0
[   69.167692][ T7058] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   69.177954][ T7058] Call Trace:
[   69.181350][ T7058]  dump_stack+0x188/0x20d
[   69.185668][ T7058]  panic+0x2e3/0x75c
[   69.190504][ T7058]  ? add_taint.cold+0x16/0x16
[   69.195183][ T7058]  ? preempt_schedule_common+0x5e/0xc0
[   69.200620][ T7058]  ? get_block+0x1202/0x1380
[   69.205198][ T7058]  ? preempt_schedule_thunk+0x16/0x18
[   69.210563][ T7058]  ? trace_hardirqs_on+0x55/0x220
[   69.215563][ T7058]  ? get_block+0x1202/0x1380
[   69.220573][ T7058]  end_report+0x4d/0x53
[   69.224742][ T7058]  __kasan_report.cold+0xd/0x38
[   69.229587][ T7058]  ? get_block+0x1202/0x1380
[   69.234160][ T7058]  ? get_block+0x1202/0x1380
[   69.238726][ T7058]  kasan_report+0x33/0x50
[   69.243033][ T7058]  get_block+0x1202/0x1380
[   69.247977][ T7058]  ? block_to_path.isra.0+0x300/0x300
[   69.253326][ T7058]  ? lock_downgrade+0x840/0x840
[   69.258256][ T7058]  minix_get_block+0xe5/0x110
[   69.262911][ T7058]  __block_write_begin_int+0x490/0x1b00
[   69.268465][ T7058]  ? minix_rename+0x8c0/0x8c0
[   69.273120][ T7058]  ? remove_inode_buffers+0x1c0/0x1c0
[   69.278466][ T7058]  ? pagecache_get_page+0x204/0xa10
[   69.283637][ T7058]  ? wait_for_stable_page+0x11c/0x1e0
[   69.289092][ T7058]  ? minix_rename+0x8c0/0x8c0
[   69.293829][ T7058]  block_write_begin+0x58/0x2e0
[   69.298664][ T7058]  minix_write_begin+0x35/0xe0
[   69.303415][ T7058]  generic_perform_write+0x20a/0x4e0
[   69.308681][ T7058]  ? trace_event_raw_event_file_check_and_advance_wb_err+0x4a0/0x4a0
[   69.316760][ T7058]  ? update_time+0xc0/0xc0
[   69.321160][ T7058]  ? down_write+0xdb/0x150
[   69.325552][ T7058]  __generic_file_write_iter+0x24c/0x610
[   69.331296][ T7058]  generic_file_write_iter+0x3f3/0x630
[   69.337163][ T7058]  ? __generic_file_write_iter+0x610/0x610
[   69.342952][ T7058]  new_sync_write+0x4a2/0x700
[   69.347617][ T7058]  ? new_sync_read+0x7a0/0x7a0
[   69.352446][ T7058]  __vfs_write+0xc9/0x100
[   69.356966][ T7058]  __kernel_write+0x11c/0x3a0
[   69.361807][ T7058]  do_acct_process+0xcdc/0x10e0
[   69.366685][ T7058]  ? acct_on+0x770/0x770
[   69.370905][ T7058]  ? pin_kill+0x12e/0x7c0
[   69.375219][ T7058]  ? do_raw_spin_lock+0x129/0x2e0
[   69.380241][ T7058]  ? rwlock_bug.part.0+0x90/0x90
[   69.385150][ T7058]  acct_pin_kill+0x29/0xf0
[   69.389563][ T7058]  pin_kill+0x175/0x7c0
[   69.393710][ T7058]  ? pin_insert+0x260/0x260
[   69.398189][ T7058]  ? lock_release+0x800/0x800
[   69.402855][ T7058]  ? finish_wait+0x260/0x260
[   69.407440][ T7058]  ? mnt_pin_kill+0x6c/0x1c0
[   69.412002][ T7058]  mnt_pin_kill+0x6c/0x1c0
[   69.416399][ T7058]  cleanup_mnt+0x3c4/0x4b0
[   69.420802][ T7058]  task_work_run+0xf4/0x1b0
[   69.425280][ T7058]  exit_to_usermode_loop+0x2fa/0x360
[   69.430573][ T7058]  do_syscall_64+0x6b1/0x7d0
[   69.435187][ T7058]  entry_SYSCALL_64_after_hwframe+0x49/0xb3
[   69.441059][ T7058] RIP: 0033:0x45f457
[   69.444925][ T7058] Code: 64 89 04 25 d0 02 00 00 58 5f ff d0 48 89 c7 e8 8f be ff ff 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 b8 a6 00 00 00 0f 05 <48> 3d 01 f0 ff ff 0f 83 ad 8c fb ff c3 66 2e 0f 1f 84 00 00 00 00
[   69.464525][ T7058] RSP: 002b:00007fffabd151c8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6
[   69.473140][ T7058] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 000000000045f457
[   69.481120][ T7058] RDX: 00000000004031d8 RSI: 0000000000000002 RDI: 00007fffabd15270
[   69.489095][ T7058] RBP: 0000000000000008 R08: 0000000000000000 R09: 0000000000000009
[   69.497162][ T7058] R10: 0000000000000005 R11: 0000000000000246 R12: 00007fffabd16300
[   69.505218][ T7058] R13: 0000000002036940 R14: 0000000000000000 R15: 00007fffabd16300
[   69.514760][ T7058] Kernel Offset: disabled
[   69.519111][ T7058] Rebooting in 86400 seconds..