[ OK ] Reached target Login Prompts.
[ OK ] Reached target Multi-User System.
[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
[ OK ] Started Update UTMP about System Runlevel Changes.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.0.251' (ECDSA) to the list of known hosts.
2020/08/23 04:26:25 parsed 1 programs
2020/08/23 04:26:25 executed programs: 0
syzkaller login: [ 1050.287514][ T6858] IPVS: ftp: loaded support on port[0] = 21
[ 1050.464879][ T6858] chnl_net:caif_netlink_parms(): no params data found
[ 1050.517843][ T6858] bridge0: port 1(bridge_slave_0) entered blocking state
[ 1050.526619][ T6858] bridge0: port 1(bridge_slave_0) entered disabled state
[ 1050.535344][ T6858] device bridge_slave_0 entered promiscuous mode
[ 1050.544388][ T6858] bridge0: port 2(bridge_slave_1) entered blocking state
[ 1050.552017][ T6858] bridge0: port 2(bridge_slave_1) entered disabled state
[ 1050.560479][ T6858] device bridge_slave_1 entered promiscuous mode
[ 1050.581737][ T6858] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 1050.592522][ T6858] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 1050.615304][ T6858] team0: Port device team_slave_0 added
[ 1050.622567][ T6858] team0: Port device team_slave_1 added
[ 1050.640684][ T6858] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 1050.647616][ T6858] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 1050.674306][ T6858] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[ 1050.686856][ T6858] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 1050.694306][ T6858] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 1050.720799][ T6858] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[ 1050.748160][ T6858] device hsr_slave_0 entered promiscuous mode
[ 1050.755381][ T6858] device hsr_slave_1 entered promiscuous mode
[ 1050.850645][ T6858] netdevsim netdevsim0 netdevsim0: renamed from eth0
[ 1050.864060][ T6858] netdevsim netdevsim0 netdevsim1: renamed from eth1
[ 1050.874427][ T6858] netdevsim netdevsim0 netdevsim2: renamed from eth2
[ 1050.891338][ T6858] netdevsim netdevsim0 netdevsim3: renamed from eth3
[ 1050.918395][ T6858] bridge0: port 2(bridge_slave_1) entered blocking state
[ 1050.925549][ T6858] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 1050.933317][ T6858] bridge0: port 1(bridge_slave_0) entered blocking state
[ 1050.940457][ T6858] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 1050.986230][ T6858] 8021q: adding VLAN 0 to HW filter on device bond0
[ 1051.000765][ T6999] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 1051.012387][ T6999] bridge0: port 1(bridge_slave_0) entered disabled state
[ 1051.020632][ T6999] bridge0: port 2(bridge_slave_1) entered disabled state
[ 1051.028340][ T6999] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 1051.041445][ T6858] 8021q: adding VLAN 0 to HW filter on device team0
[ 1051.053224][ T6828] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 1051.061607][ T6828] bridge0: port 1(bridge_slave_0) entered blocking state
[ 1051.068737][ T6828] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 1051.089519][ T6999] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 1051.097941][ T6999] bridge0: port 2(bridge_slave_1) entered blocking state
[ 1051.105065][ T6999] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 1051.113866][ T6999] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 1051.132610][ T6858] hsr0: Slave A (hsr_slave_0) is not up; please bring it up to get a fully working HSR network
[ 1051.143168][ T6858] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
[ 1051.157486][ T6999] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 1051.165939][ T6999] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 1051.174599][ T6999] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 1051.183291][ T6999] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 1051.192989][ T6999] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 1051.211397][ T6828] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 1051.218929][ T6828] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 1051.234954][ T6858] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 1051.253552][ T7079] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 1051.273668][ T6828] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 1051.281920][ T6828] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 1051.290486][ T6828] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 1051.303212][ T6858] device veth0_vlan entered promiscuous mode
[ 1051.314154][ T6858] device veth1_vlan entered promiscuous mode
[ 1051.334918][ T7079] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan0: link becomes ready
[ 1051.343435][ T7079] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan1: link becomes ready
[ 1051.352269][ T7079] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 1051.363549][ T6858] device veth0_macvtap entered promiscuous mode
[ 1051.373327][ T6858] device veth1_macvtap entered promiscuous mode
[ 1051.391370][ T6858] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 1051.398938][ T6828] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 1051.408237][ T6828] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready
[ 1051.423345][ T6858] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 1051.430879][ T7079] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 1051.443605][ T6858] netdevsim netdevsim0 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0
[ 1051.452636][ T6858] netdevsim netdevsim0 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0
[ 1051.461821][ T6858] netdevsim netdevsim0 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0
[ 1051.471271][ T6858] netdevsim netdevsim0 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0
[ 1051.627393][ T7104] ==================================================================
[ 1051.635625][ T7104] BUG: KASAN: use-after-free in do_madvise.part.0+0x1771/0x1890
[ 1051.643266][ T7104] Read of size 8 at addr ffff888092c7d148 by task syz-executor.0/7104
[ 1051.651404][ T7104]
[ 1051.653737][ T7104] CPU: 0 PID: 7104 Comm: syz-executor.0 Not tainted 5.9.0-rc1-next-20200821-syzkaller #0
[ 1051.663531][ T7104] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 1051.673587][ T7104] Call Trace:
[ 1051.676884][ T7104]  dump_stack+0x18f/0x20d
[ 1051.681220][ T7104]  ? do_madvise.part.0+0x1771/0x1890
[ 1051.686509][ T7104]  ? do_madvise.part.0+0x1771/0x1890
[ 1051.691847][ T7104]  print_address_description.constprop.0.cold+0xae/0x497
[ 1051.698863][ T7104]  ? __up_read+0x338/0x7b0
[ 1051.703261][ T7104]  ? vprintk_func+0x97/0x1a6
[ 1051.707873][ T7104]  ? do_madvise.part.0+0x1771/0x1890
[ 1051.713136][ T7104]  ? do_madvise.part.0+0x1771/0x1890
[ 1051.718405][ T7104]  kasan_report.cold+0x1f/0x37
[ 1051.723290][ T7104]  ? do_madvise.part.0+0x1771/0x1890
[ 1051.728559][ T7104]  do_madvise.part.0+0x1771/0x1890
[ 1051.733880][ T7104]  ? __might_fault+0x190/0x1d0
[ 1051.738647][ T7104]  ? _copy_to_user+0x126/0x160
[ 1051.743414][ T7104]  ? swapin_walk_pmd_entry+0x7b0/0x7b0
[ 1051.748859][ T7104]  ? ns_to_timespec64+0xc0/0xc0
[ 1051.753753][ T7104]  ? lock_is_held_type+0xbb/0xf0
[ 1051.758707][ T7104]  ? syscall_enter_from_user_mode+0x20/0x290
[ 1051.764676][ T7104]  __x64_sys_madvise+0x117/0x150
[ 1051.769697][ T7104]  do_syscall_64+0x2d/0x70
[ 1051.774127][ T7104]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 1051.780033][ T7104] RIP: 0033:0x45d4d9
[ 1051.783953][ T7104] Code: 5d b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 2b b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 1051.803545][ T7104] RSP: 002b:00007f634719ac78 EFLAGS: 00000246 ORIG_RAX: 000000000000001c
[ 1051.811956][ T7104] RAX: ffffffffffffffda RBX: 0000000000020800 RCX: 000000000045d4d9
[ 1051.819928][ T7104] RDX: 0000000000000003 RSI: 0000000000600003 RDI: 0000000020000000
[ 1051.827912][ T7104] RBP: 000000000118d020 R08: 0000000000000000 R09: 0000000000000000
[ 1051.835875][ T7104] R10: 0000000000000000 R11: 0000000000000246 R12: 000000000118cfec
[ 1051.843844][ T7104] R13: 00007ffdd1f531cf R14: 00007f634719b9c0 R15: 000000000118cfec
[ 1051.851884][ T7104]
[ 1051.854203][ T7104] Allocated by task 7100:
[ 1051.858521][ T7104]  kasan_save_stack+0x1b/0x40
[ 1051.863197][ T7104]  __kasan_kmalloc.constprop.0+0xbf/0xd0
[ 1051.868883][ T7104]  kmem_cache_alloc+0x138/0x3a0
[ 1051.873724][ T7104]  vm_area_alloc+0x1c/0x110
[ 1051.878246][ T7104]  mmap_region+0x9a4/0x1760
[ 1051.882736][ T7104]  do_mmap+0xcf9/0x11d0
[ 1051.886878][ T7104]  vm_mmap_pgoff+0x195/0x200
[ 1051.891659][ T7104]  ksys_mmap_pgoff+0x43a/0x560
[ 1051.896410][ T7104]  do_syscall_64+0x2d/0x70
[ 1051.900847][ T7104]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 1051.906746][ T7104]
[ 1051.909065][ T7104] Freed by task 7100:
[ 1051.913038][ T7104]  kasan_save_stack+0x1b/0x40
[ 1051.917734][ T7104]  kasan_set_track+0x1c/0x30
[ 1051.922312][ T7104]  kasan_set_free_info+0x1b/0x30
[ 1051.927281][ T7104]  __kasan_slab_free+0xd8/0x120
[ 1051.932129][ T7104]  kmem_cache_free.part.0+0x67/0x1f0
[ 1051.937417][ T7104]  remove_vma+0x132/0x170
[ 1051.941735][ T7104]  __do_munmap+0x743/0x1170
[ 1051.946262][ T7104]  mmap_region+0x85a/0x1760
[ 1051.950757][ T7104]  do_mmap+0xcf9/0x11d0
[ 1051.954913][ T7104]  vm_mmap_pgoff+0x195/0x200
[ 1051.959517][ T7104]  ksys_mmap_pgoff+0x43a/0x560
[ 1051.964338][ T7104]  do_syscall_64+0x2d/0x70
[ 1051.968748][ T7104]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 1051.974685][ T7104]
[ 1051.977012][ T7104] The buggy address belongs to the object at ffff888092c7d148
[ 1051.977012][ T7104]  which belongs to the cache vm_area_struct of size 200
[ 1051.991499][ T7104] The buggy address is located 0 bytes inside of
[ 1051.991499][ T7104]  200-byte region [ffff888092c7d148, ffff888092c7d210)
[ 1052.004825][ T7104] The buggy address belongs to the page:
[ 1052.010526][ T7104] page:00000000e55343e1 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x92c7d
[ 1052.020666][ T7104] flags: 0xfffe0000000200(slab)
[ 1052.025549][ T7104] raw: 00fffe0000000200 ffffea00029f9748 ffffea0002a37488 ffff8880aa06f500
[ 1052.034294][ T7104] raw: 0000000000000000 ffff888092c7d040 000000010000000f 0000000000000000
[ 1052.042917][ T7104] page dumped because: kasan: bad access detected
[ 1052.049373][ T7104]
[ 1052.051726][ T7104] Memory state around the buggy address:
[ 1052.057393][ T7104]  ffff888092c7d000: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
[ 1052.065533][ T7104]  ffff888092c7d080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 1052.073629][ T7104] >ffff888092c7d100: 00 fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb
[ 1052.081882][ T7104]                                               ^
[ 1052.088287][ T7104]  ffff888092c7d180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1052.096402][ T7104]  ffff888092c7d200: fb fb fc fc fc fc fc fc fc fc fa fb fb fb fb fb
[ 1052.104455][ T7104] ==================================================================
[ 1052.112616][ T7104] Disabling lock debugging due to kernel taint
[ 1052.129918][ T7104] Kernel panic - not syncing: panic_on_warn set ...
[ 1052.136602][ T7104] CPU: 0 PID: 7104 Comm: syz-executor.0 Tainted: G B 5.9.0-rc1-next-20200821-syzkaller #0
[ 1052.147793][ T7104] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 1052.157858][ T7104] Call Trace:
[ 1052.161209][ T7104]  dump_stack+0x18f/0x20d
[ 1052.165533][ T7104]  ? do_madvise.part.0+0x1770/0x1890
[ 1052.170861][ T7104]  panic+0x2e3/0x75c
[ 1052.174757][ T7104]  ? __warn_printk+0xf3/0xf3
[ 1052.179344][ T7104]  ? preempt_schedule_common+0x59/0xc0
[ 1052.184936][ T7104]  ? do_madvise.part.0+0x1771/0x1890
[ 1052.190230][ T7104]  ? preempt_schedule_thunk+0x16/0x18
[ 1052.196035][ T7104]  ? trace_hardirqs_on+0x55/0x220
[ 1052.201119][ T7104]  ? do_madvise.part.0+0x1771/0x1890
[ 1052.206402][ T7104]  ? do_madvise.part.0+0x1771/0x1890
[ 1052.211804][ T7104]  end_report+0x4d/0x53
[ 1052.216040][ T7104]  kasan_report.cold+0xd/0x37
[ 1052.220711][ T7104]  ? do_madvise.part.0+0x1771/0x1890
[ 1052.225994][ T7104]  do_madvise.part.0+0x1771/0x1890
[ 1052.231158][ T7104]  ? __might_fault+0x190/0x1d0
[ 1052.235921][ T7104]  ? _copy_to_user+0x126/0x160
[ 1052.240691][ T7104]  ? swapin_walk_pmd_entry+0x7b0/0x7b0
[ 1052.246657][ T7104]  ? ns_to_timespec64+0xc0/0xc0
[ 1052.251634][ T7104]  ? lock_is_held_type+0xbb/0xf0
[ 1052.256574][ T7104]  ? syscall_enter_from_user_mode+0x20/0x290
[ 1052.262691][ T7104]  __x64_sys_madvise+0x117/0x150
[ 1052.267624][ T7104]  do_syscall_64+0x2d/0x70
[ 1052.272035][ T7104]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 1052.277920][ T7104] RIP: 0033:0x45d4d9
[ 1052.281810][ T7104] Code: 5d b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 2b b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 1052.301722][ T7104] RSP: 002b:00007f634719ac78 EFLAGS: 00000246 ORIG_RAX: 000000000000001c
[ 1052.310214][ T7104] RAX: ffffffffffffffda RBX: 0000000000020800 RCX: 000000000045d4d9
[ 1052.318189][ T7104] RDX: 0000000000000003 RSI: 0000000000600003 RDI: 0000000020000000
[ 1052.326525][ T7104] RBP: 000000000118d020 R08: 0000000000000000 R09: 0000000000000000
[ 1052.334616][ T7104] R10: 0000000000000000 R11: 0000000000000246 R12: 000000000118cfec
[ 1052.342721][ T7104] R13: 00007ffdd1f531cf R14: 00007f634719b9c0 R15: 000000000118cfec
[ 1052.352302][ T7104] Kernel Offset: disabled
[ 1052.356635][ T7104] Rebooting in 86400 seconds..