[ ok ] Starting enhanced syslogd: rsyslogd.
[ 44.774273][ T26] audit: type=1800 audit(1563500618.486:25): pid=8051 uid=0 auid=4294967295 ses=4294967295 subj=_ op=collect_data cause=failed(directio) comm="startpar" name="cron" dev="sda1" ino=2414 res=0
[ 44.794777][ T26] audit: type=1800 audit(1563500618.486:26): pid=8051 uid=0 auid=4294967295 ses=4294967295 subj=_ op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0
[ 44.839707][ T26] audit: type=1800 audit(1563500618.486:27): pid=8051 uid=0 auid=4294967295 ses=4294967295 subj=_ op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
Debian GNU/Linux 7 syzkaller ttyS0
Warning: Permanently added '10.128.0.223' (ECDSA) to the list of known hosts.
2019/07/19 01:43:49 parsed 1 programs
2019/07/19 01:43:51 executed programs: 0
syzkaller login: [ 57.777984][ T8218] IPVS: ftp: loaded support on port[0] = 21
[ 57.830755][ T8218] chnl_net:caif_netlink_parms(): no params data found
[ 57.854792][ T8218] bridge0: port 1(bridge_slave_0) entered blocking state
[ 57.863135][ T8218] bridge0: port 1(bridge_slave_0) entered disabled state
[ 57.870725][ T8218] device bridge_slave_0 entered promiscuous mode
[ 57.878263][ T8218] bridge0: port 2(bridge_slave_1) entered blocking state
[ 57.885425][ T8218] bridge0: port 2(bridge_slave_1) entered disabled state
[ 57.892964][ T8218] device bridge_slave_1 entered promiscuous mode
[ 57.907696][ T8218] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 57.918407][ T8218] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 57.935995][ T8218] team0: Port device team_slave_0 added
[ 57.942994][ T8218] team0: Port device team_slave_1 added
[ 58.021385][ T8218] device hsr_slave_0 entered promiscuous mode
[ 58.090079][ T8218] device hsr_slave_1 entered promiscuous mode
[ 58.166880][ T8218] bridge0: port 2(bridge_slave_1) entered blocking state
[ 58.174052][ T8218] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 58.181718][ T8218] bridge0: port 1(bridge_slave_0) entered blocking state
[ 58.188746][ T8218] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 58.217651][ T8218] 8021q: adding VLAN 0 to HW filter on device bond0
[ 58.230694][ T22] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 58.240733][ T22] bridge0: port 1(bridge_slave_0) entered disabled state
[ 58.248581][ T22] bridge0: port 2(bridge_slave_1) entered disabled state
[ 58.256738][ T22] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 58.267914][ T8218] 8021q: adding VLAN 0 to HW filter on device team0
[ 58.277896][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 58.286429][ T5] bridge0: port 1(bridge_slave_0) entered blocking state
[ 58.293524][ T5] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 58.310165][ T8220] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 58.318670][ T8220] bridge0: port 2(bridge_slave_1) entered blocking state
[ 58.325784][ T8220] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 58.333610][ T8220] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 58.342613][ T8220] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 58.352906][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 58.366465][ T22] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 58.374803][ T22] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 58.386153][ T8218] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 58.402802][ T8218] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 60.612437][ T8218] ==================================================================
[ 60.620618][ T8218] BUG: KASAN: use-after-free in finish_task_switch+0x331/0x550
[ 60.628135][ T8218] Read of size 4 at addr ffff88808e6c18f8 by task syz-executor.0/8218
[ 60.636248][ T8218]
[ 60.638566][ T8218] CPU: 0 PID: 8218 Comm: syz-executor.0 Not tainted 5.2.0+ #34
[ 60.646091][ T8218] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 60.656122][ T8218] Call Trace:
[ 60.659399][ T8218]  dump_stack+0x1d8/0x2f8
[ 60.663707][ T8218]  print_address_description+0x75/0x5b0
[ 60.669224][ T8218]  ? log_buf_vmcoreinfo_setup+0x153/0x153
[ 60.674918][ T8218]  __kasan_report+0x14b/0x1c0
[ 60.679593][ T8218]  ? finish_task_switch+0x331/0x550
[ 60.684762][ T8218]  kasan_report+0x26/0x50
[ 60.689061][ T8218]  check_memory_region+0x2cf/0x2e0
[ 60.694143][ T8218]  __kasan_check_read+0x11/0x20
[ 60.698966][ T8218]  finish_task_switch+0x331/0x550
[ 60.703963][ T8218]  __schedule+0x8be/0xcd0
[ 60.708269][ T8218]  ? is_mmconf_reserved+0x410/0x410
[ 60.713440][ T8218]  ? hrtimer_start_range_ns+0x565/0x690
[ 60.718964][ T8218]  schedule+0x131/0x1e0
[ 60.723095][ T8218]  do_nanosleep+0x295/0x7d0
[ 60.727573][ T8218]  ? usleep_range+0x180/0x180
[ 60.732222][ T8218]  ? __lock_acquire+0x4750/0x4750
[ 60.737232][ T8218]  ? lock_acquire+0x158/0x250
[ 60.741884][ T8218]  hrtimer_nanosleep+0x3c2/0x5d0
[ 60.746793][ T8218]  ? nanosleep_copyout+0x120/0x120
[ 60.751877][ T8218]  ? hrtimer_init_sleeper+0x70/0x70
[ 60.757047][ T8218]  ? timespec64_add_safe+0x210/0x210
[ 60.762304][ T8218]  ? debug_smp_processor_id+0x1c/0x20
[ 60.767644][ T8218]  ? fpregs_assert_state_consistent+0xb7/0xe0
[ 60.773683][ T8218]  __x64_sys_nanosleep+0x1ef/0x230
[ 60.778767][ T8218]  ? hrtimer_nanosleep+0x5d0/0x5d0
[ 60.783849][ T8218]  ? trace_irq_disable_rcuidle+0x23/0x1e0
[ 60.789544][ T8218]  ? do_syscall_64+0x1d/0x140
[ 60.794207][ T8218]  do_syscall_64+0xfe/0x140
[ 60.798683][ T8218]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 60.804549][ T8218] RIP: 0033:0x457cc0
[ 60.808416][ T8218] Code: c0 5b 5d c3 66 0f 1f 44 00 00 8b 04 24 48 83 c4 18 5b 5d c3 66 0f 1f 44 00 00 83 3d 91 ea 61 00 00 75 14 b8 23 00 00 00 0f 05 <48> 3d 01 f0 ff ff 0f 83 24 d3 fb ff c3 48 83 ec 08 e8 ea 46 00 00
[ 60.828004][ T8218] RSP: 002b:00007ffc89355738 EFLAGS: 00000246 ORIG_RAX: 0000000000000023
[ 60.836396][ T8218] RAX: ffffffffffffffda RBX: 000000000000ea43 RCX: 0000000000457cc0
[ 60.844360][ T8218] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 00007ffc89355740
[ 60.852308][ T8218] RBP: 000000000000000b R08: 0000000000000001 R09: 00005555559bf940
[ 60.860252][ T8218] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000007
[ 60.868210][ T8218] R13: 00007ffc89355790 R14: 000000000000e9c0 R15: 00007ffc893557a0
[ 60.876164][ T8218]
[ 60.878488][ T8218] Allocated by task 8218:
[ 60.882794][ T8218]  __kasan_kmalloc+0x11c/0x1b0
[ 60.888006][ T8218]  kasan_slab_alloc+0xf/0x20
[ 60.892570][ T8218]  kmem_cache_alloc+0x1f5/0x2e0
[ 60.897389][ T8218]  dup_mm+0x29/0x340
[ 60.901255][ T8218]  copy_process+0x25ef/0x5bc0
[ 60.905902][ T8218]  _do_fork+0x179/0x630
[ 60.910047][ T8218]  __x64_sys_clone+0x247/0x2b0
[ 60.914796][ T8218]  do_syscall_64+0xfe/0x140
[ 60.919269][ T8218]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 60.925129][ T8218]
[ 60.927426][ T8218] Freed by task 8244:
[ 60.931381][ T8218]  __kasan_slab_free+0x12a/0x1e0
[ 60.936289][ T8218]  kasan_slab_free+0xe/0x10
[ 60.940765][ T8218]  kmem_cache_free+0x81/0xf0
[ 60.945337][ T8218]  __mmdrop+0x2c4/0x3b0
[ 60.949471][ T8218]  __mmput+0x373/0x3a0
[ 60.953519][ T8218]  mmput+0x5d/0x70
[ 60.957212][ T8218]  exit_mm+0x585/0x640
[ 60.961251][ T8218]  do_exit+0x5d0/0x2310
[ 60.965394][ T8218]  do_group_exit+0x15c/0x2b0
[ 60.970010][ T8218]  get_signal+0x51c/0x1dd0
[ 60.974398][ T8218]  do_signal+0x7b/0x720
[ 60.978524][ T8218]  prepare_exit_to_usermode+0x303/0x580
[ 60.984041][ T8218]  syscall_return_slowpath+0x113/0x4a0
[ 60.989490][ T8218]  do_syscall_64+0x126/0x140
[ 60.994051][ T8218]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 60.999905][ T8218]
[ 61.002205][ T8218] The buggy address belongs to the object at ffff88808e6c1400
[ 61.002205][ T8218]  which belongs to the cache mm_struct(17:syz0) of size 1496
[ 61.016923][ T8218] The buggy address is located 1272 bytes inside of
[ 61.016923][ T8218]  1496-byte region [ffff88808e6c1400, ffff88808e6c19d8)
[ 61.030934][ T8218] The buggy address belongs to the page:
[ 61.036538][ T8218] page:ffffea000239b000 refcount:1 mapcount:0 mapping:ffff8880867de8c0 index:0x0 compound_mapcount: 0
[ 61.047437][ T8218] flags: 0x1fffc0000010200(slab|head)
[ 61.052781][ T8218] raw: 01fffc0000010200 ffffea0002331108 ffff8880a380ff48 ffff8880867de8c0
[ 61.061335][ T8218] raw: 0000000000000000 ffff88808e6c0080 0000000100000004 0000000000000000
[ 61.069893][ T8218] page dumped because: kasan: bad access detected
[ 61.076270][ T8218]
[ 61.078565][ T8218] Memory state around the buggy address:
[ 61.084166][ T8218]  ffff88808e6c1780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 61.092202][ T8218]  ffff88808e6c1800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 61.100234][ T8218] >ffff88808e6c1880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 61.108266][ T8218]                                                                 ^
[ 61.116209][ T8218]  ffff88808e6c1900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 61.124239][ T8218]  ffff88808e6c1980: fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc fc
[ 61.132267][ T8218] ==================================================================
[ 61.140310][ T8218] Disabling lock debugging due to kernel taint
[ 61.146841][ T8218] Kernel panic - not syncing: panic_on_warn set ...
[ 61.153517][ T8218] CPU: 0 PID: 8218 Comm: syz-executor.0 Tainted: G    B   5.2.0+ #34
[ 61.162435][ T8218] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 61.172466][ T8218] Call Trace:
[ 61.175726][ T8218]  dump_stack+0x1d8/0x2f8
[ 61.180041][ T8218]  panic+0x29b/0x7d9
[ 61.183928][ T8218]  ? __kasan_report+0x195/0x1c0
[ 61.188750][ T8218]  ? trace_hardirqs_on+0x34/0x80
[ 61.193792][ T8218]  ? nmi_panic+0x97/0x97
[ 61.198005][ T8218]  ? __kasan_report+0x195/0x1c0
[ 61.202842][ T8218]  ? _raw_spin_unlock_irqrestore+0xad/0xe0
[ 61.208617][ T8218]  __kasan_report+0x1bb/0x1c0
[ 61.213263][ T8218]  ? finish_task_switch+0x331/0x550
[ 61.218430][ T8218]  kasan_report+0x26/0x50
[ 61.222730][ T8218]  check_memory_region+0x2cf/0x2e0
[ 61.227809][ T8218]  __kasan_check_read+0x11/0x20
[ 61.232629][ T8218]  finish_task_switch+0x331/0x550
[ 61.237625][ T8218]  __schedule+0x8be/0xcd0
[ 61.241924][ T8218]  ? is_mmconf_reserved+0x410/0x410
[ 61.247091][ T8218]  ? hrtimer_start_range_ns+0x565/0x690
[ 61.252621][ T8218]  schedule+0x131/0x1e0
[ 61.256750][ T8218]  do_nanosleep+0x295/0x7d0
[ 61.261225][ T8218]  ? usleep_range+0x180/0x180
[ 61.265871][ T8218]  ? __lock_acquire+0x4750/0x4750
[ 61.270862][ T8218]  ? lock_acquire+0x158/0x250
[ 61.275509][ T8218]  hrtimer_nanosleep+0x3c2/0x5d0
[ 61.280442][ T8218]  ? nanosleep_copyout+0x120/0x120
[ 61.285523][ T8218]  ? hrtimer_init_sleeper+0x70/0x70
[ 61.290715][ T8218]  ? timespec64_add_safe+0x210/0x210
[ 61.295968][ T8218]  ? debug_smp_processor_id+0x1c/0x20
[ 61.301329][ T8218]  ? fpregs_assert_state_consistent+0xb7/0xe0
[ 61.307379][ T8218]  __x64_sys_nanosleep+0x1ef/0x230
[ 61.312721][ T8218]  ? hrtimer_nanosleep+0x5d0/0x5d0
[ 61.317803][ T8218]  ? trace_irq_disable_rcuidle+0x23/0x1e0
[ 61.323505][ T8218]  ? do_syscall_64+0x1d/0x140
[ 61.328154][ T8218]  do_syscall_64+0xfe/0x140
[ 61.332646][ T8218]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 61.338506][ T8218] RIP: 0033:0x457cc0
[ 61.342370][ T8218] Code: c0 5b 5d c3 66 0f 1f 44 00 00 8b 04 24 48 83 c4 18 5b 5d c3 66 0f 1f 44 00 00 83 3d 91 ea 61 00 00 75 14 b8 23 00 00 00 0f 05 <48> 3d 01 f0 ff ff 0f 83 24 d3 fb ff c3 48 83 ec 08 e8 ea 46 00 00
[ 61.361944][ T8218] RSP: 002b:00007ffc89355738 EFLAGS: 00000246 ORIG_RAX: 0000000000000023
[ 61.370339][ T8218] RAX: ffffffffffffffda RBX: 000000000000ea43 RCX: 0000000000457cc0
[ 61.378305][ T8218] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 00007ffc89355740
[ 61.386250][ T8218] RBP: 000000000000000b R08: 0000000000000001 R09: 00005555559bf940
[ 61.394213][ T8218] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000007
[ 61.402190][ T8218] R13: 00007ffc89355790 R14: 000000000000e9c0 R15: 00007ffc893557a0
[ 61.411203][ T8218] Kernel Offset: disabled
[ 61.415528][ T8218] Rebooting in 86400 seconds..