[ OK ] Listening on Load/Save RF Kill Switch Status /dev/rfkill Watch.
[ OK ] Started Getty on tty6.
[ OK ] Started Getty on tty5.
[ OK ] Started Getty on tty4.
[ OK ] Started Getty on tty3.
[ OK ] Started Getty on tty2.
[ OK ] Started Getty on tty1.
[ OK ] Started Serial Getty on ttyS0.
[ OK ] Reached target Login Prompts.
[ OK ] Reached target Multi-User System.
[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
Starting Load/Save RF Kill Switch Status...
[ OK ] Started Update UTMP about System Runlevel Changes.
[ OK ] Started Load/Save RF Kill Switch Status.
Debian GNU/Linux 9 syzkaller ttyS0
Warning: Permanently added '10.128.10.31' (ECDSA) to the list of known hosts.
syzkaller login: [ 68.641030][ T7190] IPVS: ftp: loaded support on port[0] = 21
[ 68.727015][ T7190] chnl_net:caif_netlink_parms(): no params data found
[ 68.784874][ T7190] bridge0: port 1(bridge_slave_0) entered blocking state
[ 68.792602][ T7190] bridge0: port 1(bridge_slave_0) entered disabled state
[ 68.800553][ T7190] device bridge_slave_0 entered promiscuous mode
[ 68.810345][ T7190] bridge0: port 2(bridge_slave_1) entered blocking state
[ 68.819117][ T7190] bridge0: port 2(bridge_slave_1) entered disabled state
[ 68.827544][ T7190] device bridge_slave_1 entered promiscuous mode
[ 68.850130][ T7190] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 68.862667][ T7190] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 68.886123][ T7190] team0: Port device team_slave_0 added
[ 68.893702][ T7190] team0: Port device team_slave_1 added
[ 68.912509][ T7190] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 68.919469][ T7190] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 68.946261][ T7190] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[ 68.959346][ T7190] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 68.967267][ T7190] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 68.993839][ T7190] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[ 69.075451][ T7190] device hsr_slave_0 entered promiscuous mode
[ 69.131601][ T7190] device hsr_slave_1 entered promiscuous mode
[ 69.266210][ T7190] netdevsim netdevsim0 netdevsim0: renamed from eth0
[ 69.324687][ T7190] netdevsim netdevsim0 netdevsim1: renamed from eth1
[ 69.374491][ T7190] netdevsim netdevsim0 netdevsim2: renamed from eth2
[ 69.433587][ T7190] netdevsim netdevsim0 netdevsim3: renamed from eth3
[ 69.488227][ T7190] bridge0: port 2(bridge_slave_1) entered blocking state
[ 69.495457][ T7190] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 69.503503][ T7190] bridge0: port 1(bridge_slave_0) entered blocking state
[ 69.510575][ T7190] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 69.562081][ T7190] 8021q: adding VLAN 0 to HW filter on device bond0
[ 69.577389][ T2720] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 69.587780][ T2720] bridge0: port 1(bridge_slave_0) entered disabled state
[ 69.597143][ T2720] bridge0: port 2(bridge_slave_1) entered disabled state
[ 69.606050][ T2720] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 69.619663][ T7190] 8021q: adding VLAN 0 to HW filter on device team0
[ 69.632434][ T3092] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 69.640842][ T3092] bridge0: port 1(bridge_slave_0) entered blocking state
[ 69.648014][ T3092] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 69.659524][ T2720] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 69.669212][ T2720] bridge0: port 2(bridge_slave_1) entered blocking state
[ 69.676492][ T2720] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 69.702063][ T3092] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 69.712121][ T3092] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 69.728191][ T7190] hsr0: Slave A (hsr_slave_0) is not up; please bring it up to get a fully working HSR network
[ 69.740314][ T7190] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
[ 69.754456][ T2991] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 69.762983][ T2991] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_hsr: link becomes ready
[ 69.772500][ T2991] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 69.783736][ T2991] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_hsr: link becomes ready
[ 69.792837][ T2991] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 69.803199][ T2991] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 69.826167][ T2720] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 69.835631][ T2720] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 69.859598][ T7190] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 69.908151][ T2720] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_virt_wifi: link becomes ready
[ 69.917852][ T2720] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 69.940417][ T7190] device veth0_vlan entered promiscuous mode
[ 69.948127][ T2693] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_vlan: link becomes ready
[ 69.957616][ T2693] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 69.972747][ T7190] device veth1_vlan entered promiscuous mode
[ 69.981555][ T2693] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 69.989327][ T2693] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 69.998020][ T2693] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan0: link becomes ready
[ 70.022476][ T2692] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan1: link becomes ready
[ 70.030546][ T2692] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_macvtap: link becomes ready
[ 70.041377][ T2692] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 70.053780][ T7190] device veth0_macvtap entered promiscuous mode
[ 70.066097][ T7190] device veth1_macvtap entered promiscuous mode
[ 70.085098][ T7190] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 70.093471][ T2692] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready
[ 70.101802][ T2692] IPv6: ADDRCONF(NETDEV_CHANGE): macsec0: link becomes ready
[ 70.109836][ T2692] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready
[ 70.119264][ T2692] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 70.133155][ T7190] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 70.141684][ T2693] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready
[ 70.151810][ T2693] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
executing program
[ 71.579073][ C1] vxcan0: j1939_tp_rxtimer: 0x0000000019733e16: rx timeout, send abort
[ 72.087919][ C1] vxcan0: j1939_tp_rxtimer: 0x0000000019733e16: abort rx timeout. Force session deactivation
[ 72.098915][ C1] ==================================================================
[ 72.107301][ C1] BUG: KASAN: use-after-free in __hrtimer_run_queues+0xe18/0xf10
[ 72.115007][ C1] Read of size 1 at addr ffff8880a8a94973 by task swapper/1/0
[ 72.122574][ C1]
[ 72.124894][ C1] CPU: 1 PID: 0 Comm: swapper/1 Not tainted 5.6.0-syzkaller #0
[ 72.132425][ C1] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 72.142462][ C1] Call Trace:
[ 72.145739][ C1]
[ 72.148674][ C1] dump_stack+0x188/0x20d
[ 72.152991][ C1] ? __hrtimer_run_queues+0xe18/0xf10
[ 72.158368][ C1] ? __hrtimer_run_queues+0xe18/0xf10
[ 72.164418][ C1] print_address_description.constprop.0.cold+0xd3/0x315
[ 72.171421][ C1] ? __hrtimer_run_queues+0xe18/0xf10
[ 72.176787][ C1] ? __hrtimer_run_queues+0xe18/0xf10
[ 72.183106][ C1] __kasan_report.cold+0x1a/0x32
[ 72.188165][ C1] ? __hrtimer_run_queues+0xe18/0xf10
[ 72.193537][ C1] kasan_report+0xe/0x20
[ 72.197767][ C1] __hrtimer_run_queues+0xe18/0xf10
[ 72.202973][ C1] ? j1939_xtp_abort_to_errno.isra.0.cold+0x42/0x42
[ 72.209575][ C1] ? hrtimer_init+0x320/0x320
[ 72.214246][ C1] ? ktime_get_update_offsets_now+0x2d6/0x450
[ 72.220314][ C1] hrtimer_run_softirq+0x16d/0x250
[ 72.225431][ C1] __do_softirq+0x26c/0x9f7
[ 72.229926][ C1] irq_exit+0x192/0x1d0
[ 72.234149][ C1] smp_apic_timer_interrupt+0x19e/0x600
[ 72.241946][ C1] apic_timer_interrupt+0xf/0x20
[ 72.246872][ C1]
[ 72.249816][ C1] RIP: 0010:native_safe_halt+0xe/0x10
[ 72.255177][ C1] Code: cc cc cc cc cc cc cc cc cc cc cc cc e9 07 00 00 00 0f 00 2d 94 59 4c 00 f4 c3 66 90 e9 07 00 00 00 0f 00 2d 84 59 4c 00 fb f4 cc 41 56 41 55 41 54 55 53 e8 63 8d a4 f9 e8 9e 9f d7 fb 0f 1f
[ 72.274782][ C1] RSP: 0018:ffffc90000d3fdb8 EFLAGS: 00000282 ORIG_RAX: ffffffffffffff13
[ 72.283186][ C1] RAX: 1ffffffff12e90e7 RBX: ffff8880a9646340 RCX: 0000000000000000
[ 72.291138][ C1] RDX: dffffc0000000000 RSI: 0000000000000006 RDI: ffff8880a9646bfc
[ 72.299195][ C1] RBP: dffffc0000000000 R08: ffff8880a9646340 R09: 0000000000000000
[ 72.307147][ C1] R10: 0000000000000000 R11: 0000000000000000 R12: ffffed10152c8c68
[ 72.315115][ C1] R13: 0000000000000001 R14: ffffffff8a673000 R15: 0000000000000000
[ 72.323103][ C1] default_idle+0x49/0x350
[ 72.327503][ C1] do_idle+0x393/0x690
[ 72.331575][ C1] ? arch_cpu_idle_exit+0x70/0x70
[ 72.336577][ C1] ? _raw_spin_unlock_irqrestore+0x62/0xe0
[ 72.342363][ C1] ? lockdep_hardirqs_on+0x463/0x620
[ 72.347630][ C1] cpu_startup_entry+0x14/0x20
[ 72.352561][ C1] start_secondary+0x2f3/0x400
[ 72.357306][ C1] ? set_cpu_sibling_map+0x1ed0/0x1ed0
[ 72.362751][ C1] secondary_startup_64+0xa4/0xb0
[ 72.367776][ C1]
[ 72.370083][ C1] Allocated by task 7190:
[ 72.374405][ C1] save_stack+0x1b/0x80
[ 72.378546][ C1] __kasan_kmalloc.constprop.0+0xbf/0xd0
[ 72.384179][ C1] kmem_cache_alloc_trace+0x153/0x7d0
[ 72.389527][ C1] j1939_session_new+0x7c/0x3f0
[ 72.394357][ C1] j1939_tp_send+0x22f/0x800
[ 72.398935][ C1] j1939_sk_sendmsg+0xabf/0x1360
[ 72.403866][ C1] sock_sendmsg+0xcf/0x120
[ 72.408258][ C1] ____sys_sendmsg+0x6bf/0x7e0
[ 72.413013][ C1] ___sys_sendmsg+0x100/0x170
[ 72.417685][ C1] __sys_sendmsg+0xec/0x1b0
[ 72.422178][ C1] do_syscall_64+0xf6/0x7d0
[ 72.426681][ C1] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 72.432597][ C1]
[ 72.434909][ C1] Freed by task 0:
[ 72.438656][ C1] save_stack+0x1b/0x80
[ 72.442795][ C1] __kasan_slab_free+0xf7/0x140
[ 72.447661][ C1] kfree+0x109/0x2b0
[ 72.451537][ C1] j1939_session_put+0x25c/0x330
[ 72.456450][ C1] j1939_tp_rxtimer+0x2e9/0x2f4
[ 72.461278][ C1] __hrtimer_run_queues+0x3a2/0xf10
[ 72.466454][ C1] hrtimer_run_softirq+0x16d/0x250
[ 72.471561][ C1] __do_softirq+0x26c/0x9f7
[ 72.476034][ C1]
[ 72.478466][ C1] The buggy address belongs to the object at ffff8880a8a94800
[ 72.478466][ C1] which belongs to the cache kmalloc-512 of size 512
[ 72.492506][ C1] The buggy address is located 371 bytes inside of
[ 72.492506][ C1] 512-byte region [ffff8880a8a94800, ffff8880a8a94a00)
[ 72.505756][ C1] The buggy address belongs to the page:
[ 72.511370][ C1] page:ffffea0002a2a500 refcount:1 mapcount:0 mapping:ffff8880aa000a80 index:0x0
[ 72.520453][ C1] flags: 0xfffe0000000200(slab)
[ 72.525298][ C1] raw: 00fffe0000000200 ffffea0002785688 ffffea00027905c8 ffff8880aa000a80
[ 72.533867][ C1] raw: 0000000000000000 ffff8880a8a94000 0000000100000004 0000000000000000
[ 72.542426][ C1] page dumped because: kasan: bad access detected
[ 72.548826][ C1]
[ 72.551131][ C1] Memory state around the buggy address:
[ 72.556803][ C1] ffff8880a8a94800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 72.564977][ C1] ffff8880a8a94880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 72.573033][ C1] >ffff8880a8a94900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 72.581091][ C1] ^
[ 72.588799][ C1] ffff8880a8a94980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 72.596854][ C1] ffff8880a8a94a00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 72.604906][ C1] ==================================================================
[ 72.612956][ C1] Disabling lock debugging due to kernel taint
[ 72.619123][ C1] Kernel panic - not syncing: panic_on_warn set ...
[ 72.625727][ C1] CPU: 1 PID: 0 Comm: swapper/1 Tainted: G B 5.6.0-syzkaller #0
[ 72.634650][ C1] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 72.644699][ C1] Call Trace:
[ 72.647971][ C1]
[ 72.650806][ C1] dump_stack+0x188/0x20d
[ 72.655115][ C1] panic+0x2e3/0x75c
[ 72.658989][ C1] ? add_taint.cold+0x16/0x16
[ 72.663643][ C1] ? __hrtimer_run_queues+0xe18/0xf10
[ 72.669001][ C1] ? trace_hardirqs_on+0x55/0x220
[ 72.674003][ C1] ? __hrtimer_run_queues+0xe18/0xf10
[ 72.679364][ C1] end_report+0x43/0x49
[ 72.683496][ C1] ? __hrtimer_run_queues+0xe18/0xf10
[ 72.688839][ C1] __kasan_report.cold+0xd/0x32
[ 72.693667][ C1] ? __hrtimer_run_queues+0xe18/0xf10
[ 72.699026][ C1] kasan_report+0xe/0x20
[ 72.703244][ C1] __hrtimer_run_queues+0xe18/0xf10
[ 72.708421][ C1] ? j1939_xtp_abort_to_errno.isra.0.cold+0x42/0x42
[ 72.714992][ C1] ? hrtimer_init+0x320/0x320
[ 72.719655][ C1] ? ktime_get_update_offsets_now+0x2d6/0x450
[ 72.725704][ C1] hrtimer_run_softirq+0x16d/0x250
[ 72.730797][ C1] __do_softirq+0x26c/0x9f7
[ 72.735278][ C1] irq_exit+0x192/0x1d0
[ 72.739419][ C1] smp_apic_timer_interrupt+0x19e/0x600
[ 72.744942][ C1] apic_timer_interrupt+0xf/0x20
[ 72.749851][ C1]
[ 72.752769][ C1] RIP: 0010:native_safe_halt+0xe/0x10
[ 72.758117][ C1] Code: cc cc cc cc cc cc cc cc cc cc cc cc e9 07 00 00 00 0f 00 2d 94 59 4c 00 f4 c3 66 90 e9 07 00 00 00 0f 00 2d 84 59 4c 00 fb f4 cc 41 56 41 55 41 54 55 53 e8 63 8d a4 f9 e8 9e 9f d7 fb 0f 1f
[ 72.777702][ C1] RSP: 0018:ffffc90000d3fdb8 EFLAGS: 00000282 ORIG_RAX: ffffffffffffff13
[ 72.786879][ C1] RAX: 1ffffffff12e90e7 RBX: ffff8880a9646340 RCX: 0000000000000000
[ 72.794843][ C1] RDX: dffffc0000000000 RSI: 0000000000000006 RDI: ffff8880a9646bfc
[ 72.802798][ C1] RBP: dffffc0000000000 R08: ffff8880a9646340 R09: 0000000000000000
[ 72.810758][ C1] R10: 0000000000000000 R11: 0000000000000000 R12: ffffed10152c8c68
[ 72.818702][ C1] R13: 0000000000000001 R14: ffffffff8a673000 R15: 0000000000000000
[ 72.826677][ C1] default_idle+0x49/0x350
[ 72.831082][ C1] do_idle+0x393/0x690
[ 72.835151][ C1] ? arch_cpu_idle_exit+0x70/0x70
[ 72.840147][ C1] ? _raw_spin_unlock_irqrestore+0x62/0xe0
[ 72.845942][ C1] ? lockdep_hardirqs_on+0x463/0x620
[ 72.851204][ C1] cpu_startup_entry+0x14/0x20
[ 72.855943][ C1] start_secondary+0x2f3/0x400
[ 72.860687][ C1] ? set_cpu_sibling_map+0x1ed0/0x1ed0
[ 72.866156][ C1] secondary_startup_64+0xa4/0xb0
[ 72.872574][ C1] Kernel Offset: disabled
[ 72.876895][ C1] Rebooting in 86400 seconds..