Debian GNU/Linux 9 syzkaller ttyS0
Warning: Permanently added '10.128.0.63' (ECDSA) to the list of known hosts.
syzkaller login:
[ 58.765949][ T7030] IPVS: ftp: loaded support on port[0] = 21
[ 58.847396][ T7030] chnl_net:caif_netlink_parms(): no params data found
[ 58.901058][ T7030] bridge0: port 1(bridge_slave_0) entered blocking state
[ 58.909195][ T7030] bridge0: port 1(bridge_slave_0) entered disabled state
[ 58.918446][ T7030] device bridge_slave_0 entered promiscuous mode
[ 58.927619][ T7030] bridge0: port 2(bridge_slave_1) entered blocking state
[ 58.934816][ T7030] bridge0: port 2(bridge_slave_1) entered disabled state
[ 58.943713][ T7030] device bridge_slave_1 entered promiscuous mode
[ 58.963829][ T7030] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 58.974643][ T7030] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 58.996151][ T7030] team0: Port device team_slave_0 added
[ 59.003730][ T7030] team0: Port device team_slave_1 added
[ 59.022698][ T7030] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 59.029812][ T7030] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 59.056012][ T7030] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[ 59.068371][ T7030] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 59.075493][ T7030] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 59.101997][ T7030] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[ 59.168120][ T7030] device hsr_slave_0 entered promiscuous mode
[ 59.216061][ T7030] device hsr_slave_1 entered promiscuous mode
[ 59.359226][ T7030] netdevsim netdevsim0 netdevsim0: renamed from eth0
[ 59.408635][ T7030] netdevsim netdevsim0 netdevsim1: renamed from eth1
[ 59.457701][ T7030] netdevsim netdevsim0 netdevsim2: renamed from eth2
[ 59.507900][ T7030] netdevsim netdevsim0 netdevsim3: renamed from eth3
[ 59.580521][ T7030] bridge0: port 2(bridge_slave_1) entered blocking state
[ 59.587931][ T7030] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 59.596024][ T7030] bridge0: port 1(bridge_slave_0) entered blocking state
[ 59.603106][ T7030] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 59.650347][ T7030] 8021q: adding VLAN 0 to HW filter on device bond0
[ 59.663118][ T3413] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 59.674046][ T3413] bridge0: port 1(bridge_slave_0) entered disabled state
[ 59.683137][ T3413] bridge0: port 2(bridge_slave_1) entered disabled state
[ 59.692141][ T3413] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 59.706153][ T7030] 8021q: adding VLAN 0 to HW filter on device team0
[ 59.718700][ T2726] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 59.727687][ T2726] bridge0: port 1(bridge_slave_0) entered blocking state
[ 59.734760][ T2726] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 59.757576][ T3413] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 59.767365][ T3413] bridge0: port 2(bridge_slave_1) entered blocking state
[ 59.774475][ T3413] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 59.783161][ T3413] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 59.792903][ T3413] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 59.805390][ T2726] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 59.821792][ T7030] hsr0: Slave A (hsr_slave_0) is not up; please bring it up to get a fully working HSR network
[ 59.832586][ T7030] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
[ 59.847405][ T2725] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 59.856591][ T2725] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 59.876656][ T2725] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 59.884848][ T2725] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 59.892831][ T2725] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 59.905497][ T7030] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 59.926144][ T2725] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_virt_wifi: link becomes ready
[ 59.936855][ T2725] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 59.955371][ T3413] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_vlan: link becomes ready
[ 59.963830][ T3413] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 59.973654][ T3413] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 59.981740][ T3413] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 59.990539][ T7030] device veth0_vlan entered promiscuous mode
[ 60.002837][ T7030] device veth1_vlan entered promiscuous mode
[ 60.023505][ T2725] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan0: link becomes ready
[ 60.032465][ T2725] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan1: link becomes ready
[ 60.041545][ T2725] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_macvtap: link becomes ready
[ 60.051198][ T2725] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 60.062104][ T7030] device veth0_macvtap entered promiscuous mode
[ 60.073390][ T7030] device veth1_macvtap entered promiscuous mode
[ 60.091037][ T7030] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 60.100614][ T3413] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready
[ 60.108989][ T3413] IPv6: ADDRCONF(NETDEV_CHANGE): macsec0: link becomes ready
[ 60.117290][ T3413] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready
[ 60.126468][ T3413] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 60.139086][ T7030] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 60.146614][ T3413] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready
[ 60.155997][ T3413] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
executing program
[ 61.543110][ C1] vxcan0: j1939_tp_rxtimer: 0x00000000008c9d66: rx timeout, send abort
[ 62.051615][ C1] vxcan0: j1939_tp_rxtimer: 0x00000000008c9d66: abort rx timeout. Force session deactivation
[ 62.062457][ C1] ==================================================================
[ 62.070927][ C1] BUG: KASAN: use-after-free in __hrtimer_run_queues+0xe18/0xf10
[ 62.078631][ C1] Read of size 1 at addr ffff8880934d1d73 by task swapper/1/0
[ 62.086062][ C1]
[ 62.088428][ C1] CPU: 1 PID: 0 Comm: swapper/1 Not tainted 5.6.0-syzkaller #0
[ 62.095948][ C1] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 62.105987][ C1] Call Trace:
[ 62.109252][ C1]
[ 62.112087][ C1] dump_stack+0x188/0x20d
[ 62.116410][ C1] ? __hrtimer_run_queues+0xe18/0xf10
[ 62.121779][ C1] ? __hrtimer_run_queues+0xe18/0xf10
[ 62.127149][ C1] print_address_description.constprop.0.cold+0xd3/0x315
[ 62.134154][ C1] ? __hrtimer_run_queues+0xe18/0xf10
[ 62.139514][ C1] ? __hrtimer_run_queues+0xe18/0xf10
[ 62.144868][ C1] __kasan_report.cold+0x1a/0x32
[ 62.149798][ C1] ? __hrtimer_run_queues+0xe18/0xf10
[ 62.155164][ C1] kasan_report+0xe/0x20
[ 62.159429][ C1] __hrtimer_run_queues+0xe18/0xf10
[ 62.164613][ C1] ? j1939_xtp_abort_to_errno.isra.0.cold+0x42/0x42
[ 62.171185][ C1] ? hrtimer_init+0x320/0x320
[ 62.175876][ C1] ? ktime_get_update_offsets_now+0x2d6/0x450
[ 62.181929][ C1] hrtimer_run_softirq+0x16d/0x250
[ 62.187029][ C1] __do_softirq+0x26c/0x9f7
[ 62.191532][ C1] irq_exit+0x192/0x1d0
[ 62.195673][ C1] smp_apic_timer_interrupt+0x19e/0x600
[ 62.201201][ C1] apic_timer_interrupt+0xf/0x20
[ 62.206114][ C1]
[ 62.209052][ C1] RIP: 0010:native_safe_halt+0xe/0x10
[ 62.215294][ C1] Code: cc cc cc cc cc cc cc cc cc cc cc cc e9 07 00 00 00 0f 00 2d 94 59 4c 00 f4 c3 66 90 e9 07 00 00 00 0f 00 2d 84 59 4c 00 fb f4 cc 41 56 41 55 41 54 55 53 e8 63 8d a4 f9 e8 9e 9f d7 fb 0f 1f
[ 62.234877][ C1] RSP: 0018:ffffc90000d3fdb8 EFLAGS: 00000282 ORIG_RAX: ffffffffffffff13
[ 62.243290][ C1] RAX: 1ffffffff12e90e7 RBX: ffff8880a9638340 RCX: 0000000000000000
[ 62.251248][ C1] RDX: dffffc0000000000 RSI: 0000000000000006 RDI: ffff8880a9638bfc
[ 62.259210][ C1] RBP: dffffc0000000000 R08: ffff8880a9638340 R09: 0000000000000000
[ 62.267168][ C1] R10: 0000000000000000 R11: 0000000000000000 R12: ffffed10152c7068
[ 62.275129][ C1] R13: 0000000000000001 R14: ffffffff8a673000 R15: 0000000000000000
[ 62.283243][ C1] default_idle+0x49/0x350
[ 62.287710][ C1] do_idle+0x393/0x690
[ 62.291784][ C1] ? arch_cpu_idle_exit+0x70/0x70
[ 62.296834][ C1] ? _raw_spin_unlock_irqrestore+0x62/0xe0
[ 62.302627][ C1] ? lockdep_hardirqs_on+0x463/0x620
[ 62.307936][ C1] cpu_startup_entry+0x14/0x20
[ 62.312847][ C1] start_secondary+0x2f3/0x400
[ 62.317675][ C1] ? set_cpu_sibling_map+0x1ed0/0x1ed0
[ 62.323129][ C1] secondary_startup_64+0xa4/0xb0
[ 62.328146][ C1]
[ 62.330476][ C1] Allocated by task 7030:
[ 62.334801][ C1] save_stack+0x1b/0x80
[ 62.338950][ C1] __kasan_kmalloc.constprop.0+0xbf/0xd0
[ 62.344565][ C1] kmem_cache_alloc_trace+0x153/0x7d0
[ 62.349957][ C1] j1939_session_new+0x7c/0x3f0
[ 62.354786][ C1] j1939_tp_send+0x22f/0x800
[ 62.359352][ C1] j1939_sk_sendmsg+0xabf/0x1360
[ 62.364433][ C1] sock_sendmsg+0xcf/0x120
[ 62.368910][ C1] ____sys_sendmsg+0x6bf/0x7e0
[ 62.373672][ C1] ___sys_sendmsg+0x100/0x170
[ 62.378336][ C1] __sys_sendmsg+0xec/0x1b0
[ 62.382826][ C1] do_fast_syscall_32+0x270/0xe8f
[ 62.387833][ C1] entry_SYSENTER_compat+0x70/0x7f
[ 62.392985][ C1]
[ 62.395301][ C1] Freed by task 0:
[ 62.399010][ C1] save_stack+0x1b/0x80
[ 62.403148][ C1] __kasan_slab_free+0xf7/0x140
[ 62.407985][ C1] kfree+0x109/0x2b0
[ 62.412555][ C1] j1939_session_put+0x25c/0x330
[ 62.417483][ C1] j1939_tp_rxtimer+0x2e9/0x2f4
[ 62.422327][ C1] __hrtimer_run_queues+0x3a2/0xf10
[ 62.427509][ C1] hrtimer_run_softirq+0x16d/0x250
[ 62.432626][ C1] __do_softirq+0x26c/0x9f7
[ 62.437117][ C1]
[ 62.439427][ C1] The buggy address belongs to the object at ffff8880934d1c00
[ 62.439427][ C1] which belongs to the cache kmalloc-512 of size 512
[ 62.453459][ C1] The buggy address is located 371 bytes inside of
[ 62.453459][ C1] 512-byte region [ffff8880934d1c00, ffff8880934d1e00)
[ 62.466728][ C1] The buggy address belongs to the page:
[ 62.473409][ C1] page:ffffea00024d3440 refcount:1 mapcount:0 mapping:ffff8880aa000a80 index:0x0
[ 62.482596][ C1] flags: 0xfffe0000000200(slab)
[ 62.487434][ C1] raw: 00fffe0000000200 ffffea00024fbd48 ffffea00024fb888 ffff8880aa000a80
[ 62.496073][ C1] raw: 0000000000000000 ffff8880934d1000 0000000100000004 0000000000000000
[ 62.504672][ C1] page dumped because: kasan: bad access detected
[ 62.511101][ C1]
[ 62.513407][ C1] Memory state around the buggy address:
[ 62.519156][ C1] ffff8880934d1c00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 62.527208][ C1] ffff8880934d1c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 62.535314][ C1] >ffff8880934d1d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 62.543402][ C1] ^
[ 62.551149][ C1] ffff8880934d1d80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 62.559391][ C1] ffff8880934d1e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 62.567429][ C1] ==================================================================
[ 62.575465][ C1] Disabling lock debugging due to kernel taint
[ 62.581693][ C1] Kernel panic - not syncing: panic_on_warn set ...
[ 62.588296][ C1] CPU: 1 PID: 0 Comm: swapper/1 Tainted: G B 5.6.0-syzkaller #0
[ 62.597227][ C1] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 62.607305][ C1] Call Trace:
[ 62.610583][ C1]
[ 62.613529][ C1] dump_stack+0x188/0x20d
[ 62.617907][ C1] panic+0x2e3/0x75c
[ 62.621790][ C1] ? add_taint.cold+0x16/0x16
[ 62.626492][ C1] ? __hrtimer_run_queues+0xe18/0xf10
[ 62.631842][ C1] ? trace_hardirqs_on+0x55/0x220
[ 62.636895][ C1] ? __hrtimer_run_queues+0xe18/0xf10
[ 62.642251][ C1] end_report+0x43/0x49
[ 62.646382][ C1] ? __hrtimer_run_queues+0xe18/0xf10
[ 62.651740][ C1] __kasan_report.cold+0xd/0x32
[ 62.656585][ C1] ? __hrtimer_run_queues+0xe18/0xf10
[ 62.661940][ C1] kasan_report+0xe/0x20
[ 62.666175][ C1] __hrtimer_run_queues+0xe18/0xf10
[ 62.671364][ C1] ? j1939_xtp_abort_to_errno.isra.0.cold+0x42/0x42
[ 62.677934][ C1] ? hrtimer_init+0x320/0x320
[ 62.682587][ C1] ? ktime_get_update_offsets_now+0x2d6/0x450
[ 62.688649][ C1] hrtimer_run_softirq+0x16d/0x250
[ 62.693758][ C1] __do_softirq+0x26c/0x9f7
[ 62.698258][ C1] irq_exit+0x192/0x1d0
[ 62.702405][ C1] smp_apic_timer_interrupt+0x19e/0x600
[ 62.708289][ C1] apic_timer_interrupt+0xf/0x20
[ 62.713199][ C1]
[ 62.716118][ C1] RIP: 0010:native_safe_halt+0xe/0x10
[ 62.722508][ C1] Code: cc cc cc cc cc cc cc cc cc cc cc cc e9 07 00 00 00 0f 00 2d 94 59 4c 00 f4 c3 66 90 e9 07 00 00 00 0f 00 2d 84 59 4c 00 fb f4 cc 41 56 41 55 41 54 55 53 e8 63 8d a4 f9 e8 9e 9f d7 fb 0f 1f
[ 62.742108][ C1] RSP: 0018:ffffc90000d3fdb8 EFLAGS: 00000282 ORIG_RAX: ffffffffffffff13
[ 62.750498][ C1] RAX: 1ffffffff12e90e7 RBX: ffff8880a9638340 RCX: 0000000000000000
[ 62.758447][ C1] RDX: dffffc0000000000 RSI: 0000000000000006 RDI: ffff8880a9638bfc
[ 62.766410][ C1] RBP: dffffc0000000000 R08: ffff8880a9638340 R09: 0000000000000000
[ 62.774456][ C1] R10: 0000000000000000 R11: 0000000000000000 R12: ffffed10152c7068
[ 62.782413][ C1] R13: 0000000000000001 R14: ffffffff8a673000 R15: 0000000000000000
[ 62.790827][ C1] default_idle+0x49/0x350
[ 62.795235][ C1] do_idle+0x393/0x690
[ 62.799308][ C1] ? arch_cpu_idle_exit+0x70/0x70
[ 62.804333][ C1] ? _raw_spin_unlock_irqrestore+0x62/0xe0
[ 62.810289][ C1] ? lockdep_hardirqs_on+0x463/0x620
[ 62.815673][ C1] cpu_startup_entry+0x14/0x20
[ 62.820425][ C1] start_secondary+0x2f3/0x400
[ 62.825231][ C1] ? set_cpu_sibling_map+0x1ed0/0x1ed0
[ 62.830673][ C1] secondary_startup_64+0xa4/0xb0
[ 62.836967][ C1] Kernel Offset: disabled
[ 62.841291][ C1] Rebooting in 86400 seconds..