[ ok ] Starting enhanced syslogd: rsyslogd.
[   40.916240][   T26] audit: type=1800 audit(1572989086.249:25): pid=7696 uid=0 auid=4294967295 ses=4294967295 subj=_ op=collect_data cause=failed(directio) comm="startpar" name="cron" dev="sda1" ino=2414 res=0
[   40.958063][   T26] audit: type=1800 audit(1572989086.249:26): pid=7696 uid=0 auid=4294967295 ses=4294967295 subj=_ op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0
[   40.996114][   T26] audit: type=1800 audit(1572989086.249:27): pid=7696 uid=0 auid=4294967295 ses=4294967295 subj=_ op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.178' (ECDSA) to the list of known hosts.
syzkaller login: [  152.250611][ T7849] IPVS: ftp: loaded support on port[0] = 21
[  152.296221][ T7849] chnl_net:caif_netlink_parms(): no params data found
[  152.318379][ T7849] bridge0: port 1(bridge_slave_0) entered blocking state
[  152.326118][ T7849] bridge0: port 1(bridge_slave_0) entered disabled state
[  152.333721][ T7849] device bridge_slave_0 entered promiscuous mode
[  152.341428][ T7849] bridge0: port 2(bridge_slave_1) entered blocking state
[  152.348489][ T7849] bridge0: port 2(bridge_slave_1) entered disabled state
[  152.356165][ T7849] device bridge_slave_1 entered promiscuous mode
[  152.370855][ T7849] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[  152.382435][ T7849] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[  152.398795][ T7849] team0: Port device team_slave_0 added
[  152.405975][ T7849] team0: Port device team_slave_1 added
[  152.471323][ T7849] device hsr_slave_0 entered promiscuous mode
[  152.520129][ T7849] device hsr_slave_1 entered promiscuous mode
[  152.621236][ T7849] bridge0: port 2(bridge_slave_1) entered blocking state
[  152.628414][ T7849] bridge0: port 2(bridge_slave_1) entered forwarding state
[  152.636144][ T7849] bridge0: port 1(bridge_slave_0) entered blocking state
[  152.643259][ T7849] bridge0: port 1(bridge_slave_0) entered forwarding state
[  152.700473][ T7849] 8021q: adding VLAN 0 to HW filter on device bond0
[  152.714818][ T3015] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[  152.740991][ T3015] bridge0: port 1(bridge_slave_0) entered disabled state
[  152.759865][ T3015] bridge0: port 2(bridge_slave_1) entered disabled state
[  152.800212][ T3015] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[  152.835681][ T7849] 8021q: adding VLAN 0 to HW filter on device team0
[  152.864133][   T12] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[  152.880004][   T12] bridge0: port 1(bridge_slave_0) entered blocking state
[  152.887088][   T12] bridge0: port 1(bridge_slave_0) entered forwarding state
[  152.953254][ T3015] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[  152.962893][ T3015] bridge0: port 2(bridge_slave_1) entered blocking state
[  152.970010][ T3015] bridge0: port 2(bridge_slave_1) entered forwarding state
[  153.000449][ T3015] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[  153.038675][ T7849] hsr0: Slave A (hsr_slave_0) is not up; please bring it up to get a fully working HSR network
[  153.058504][ T7849] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
[  153.095310][    T5] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[  153.106123][    T5] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[  153.122977][    T5] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[  153.134840][    T5] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[  153.155509][ T3015] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[  153.163987][ T3015] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[  153.172056][ T3015] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[  153.181111][ T7849] 8021q: adding VLAN 0 to HW filter on device batadv0
executing program
executing program
[  154.536042][    C0] vcan0: j1939_tp_rxtimer: 0x00000000fea697ec: rx timeout, send abort
[  154.544720][    C0] vcan0: j1939_xtp_rx_abort_one: 0x00000000fea697ec: 0x00000: (3) A timeout occurred and this is the connection abort to close the session.
[  155.819143][    C1] vcan0: j1939_tp_rxtimer: 0x00000000533cdfdb: rx timeout, send abort
[  155.827503][    C1] vcan0: j1939_xtp_rx_abort_one: 0x00000000533cdfdb: 0x00000: (3) A timeout occurred and this is the connection abort to close the session.
[  155.842274][    C1] ==================================================================
[  155.850363][    C1] BUG: KASAN: use-after-free in __lock_acquire+0x96/0x1be0
[  155.858336][    C1] Read of size 8 at addr ffff888097f09080 by task ksoftirqd/1/16
[  155.866039][    C1] 
[  155.868368][    C1] CPU: 1 PID: 16 Comm: ksoftirqd/1 Not tainted 5.4.0-rc6 #0
[  155.875619][    C1] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[  155.885648][    C1] Call Trace:
[  155.888914][    C1]  dump_stack+0x1d8/0x2f8
[  155.893740][    C1]  print_address_description+0x75/0x5c0
[  155.899286][    C1]  ? vprintk_default+0x28/0x30
[  155.904033][    C1]  ? vprintk_func+0x158/0x170
[  155.908694][    C1]  ? printk+0x62/0x8d
[  155.912651][    C1]  __kasan_report+0x14b/0x1c0
[  155.917300][    C1]  ? kfree+0x70/0x200
[  155.921256][    C1]  ? __lock_acquire+0x96/0x1be0
[  155.926113][    C1]  ? __do_softirq+0x333/0x7c4
[  155.930769][    C1]  kasan_report+0x26/0x50
[  155.935071][    C1]  ? net_rx_action+0x5ef/0x10d0
[  155.939897][    C1]  ? __do_softirq+0x333/0x7c4
[  155.944552][    C1]  __asan_report_load8_noabort+0x14/0x20
[  155.950163][    C1]  __lock_acquire+0x96/0x1be0
[  155.954824][    C1]  ? trace_hardirqs_on_thunk+0x1a/0x20
[  155.960273][    C1]  ? retint_kernel+0x2b/0x2b
[  155.964838][    C1]  ? trace_hardirqs_on_caller+0x74/0x80
[  155.970356][    C1]  ? trace_hardirqs_on_thunk+0x1a/0x20
[  155.975801][    C1]  ? scheduler_ipi+0x28b/0x4a0
[  155.980554][    C1]  ? trace_lock_acquire+0x159/0x1d0
[  155.985725][    C1]  lock_acquire+0x158/0x250
[  155.990225][    C1]  ? j1939_xtp_rx_abort_one+0x89/0x3f0
[  155.995719][    C1]  ? j1939_xtp_rx_abort_one+0x89/0x3f0
[  156.001148][    C1]  _raw_spin_lock_bh+0x34/0x50
[  156.005897][    C1]  ? j1939_xtp_rx_abort_one+0x89/0x3f0
[  156.011346][    C1]  j1939_xtp_rx_abort_one+0x89/0x3f0
[  156.016621][    C1]  j1939_tp_recv+0x648/0xb80
[  156.021184][    C1]  j1939_can_recv+0x424/0x650
[  156.025837][    C1]  ? j1939_send_one+0x3e0/0x3e0
[  156.030659][    C1]  can_rcv_filter+0x3c0/0x8b0
[  156.035310][    C1]  can_receive+0x2ac/0x3b0
[  156.039703][    C1]  can_rcv+0xe4/0x220
[  156.043682][    C1]  ? rcu_lock_release+0x30/0x30
[  156.048509][    C1]  __netif_receive_skb+0x136/0x370
[  156.053596][    C1]  process_backlog+0x4d8/0x930
[  156.058339][    C1]  net_rx_action+0x5ef/0x10d0
[  156.062993][    C1]  __do_softirq+0x333/0x7c4
[  156.067470][    C1]  ? run_ksoftirqd+0x64/0xf0
[  156.072046][    C1]  run_ksoftirqd+0x64/0xf0
[  156.076434][    C1]  ? ksoftirqd_should_run+0x20/0x20
[  156.081606][    C1]  smpboot_thread_fn+0x5b3/0x9a0
[  156.086519][    C1]  kthread+0x332/0x350
[  156.090570][    C1]  ? cpu_report_death+0x120/0x120
[  156.095572][    C1]  ? kthread_blkcg+0xe0/0xe0
[  156.100148][    C1]  ret_from_fork+0x24/0x30
[  156.104544][    C1] 
[  156.106846][    C1] Allocated by task 7892:
[  156.111335][    C1]  __kasan_kmalloc+0x11c/0x1b0
[  156.116088][    C1]  kasan_kmalloc+0x9/0x10
[  156.120397][    C1]  kmem_cache_alloc_trace+0x221/0x2f0
[  156.125756][    C1]  j1939_netdev_start+0x177/0x730
[  156.130769][    C1]  j1939_sk_bind+0x2c0/0xac0
[  156.135344][    C1]  __sys_bind+0x2c2/0x3a0
[  156.139646][    C1]  __x64_sys_bind+0x7a/0x90
[  156.144122][    C1]  do_syscall_64+0xf7/0x1c0
[  156.148606][    C1]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[  156.154465][    C1] 
[  156.156766][    C1] Freed by task 7891:
[  156.160738][    C1]  __kasan_slab_free+0x12a/0x1e0
[  156.165819][    C1]  kasan_slab_free+0xe/0x10
[  156.170293][    C1]  kfree+0x115/0x200
[  156.174257][    C1]  j1939_netdev_stop+0x20c/0x230
[  156.179178][    C1]  j1939_sk_release+0x61f/0x7e0
[  156.184002][    C1]  sock_close+0xe1/0x260
[  156.188213][    C1]  __fput+0x2e4/0x740
[  156.192171][    C1]  ____fput+0x15/0x20
[  156.196150][    C1]  task_work_run+0x17e/0x1b0
[  156.200712][    C1]  prepare_exit_to_usermode+0x459/0x580
[  156.206228][    C1]  syscall_return_slowpath+0x113/0x4a0
[  156.214524][    C1]  do_syscall_64+0x11f/0x1c0
[  156.219103][    C1]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[  156.224962][    C1] 
[  156.227283][    C1] The buggy address belongs to the object at ffff888097f08000
[  156.227283][    C1]  which belongs to the cache kmalloc-8k of size 8192
[  156.241310][    C1] The buggy address is located 4224 bytes inside of
[  156.241310][    C1]  8192-byte region [ffff888097f08000, ffff888097f0a000)
[  156.254736][    C1] The buggy address belongs to the page:
[  156.260343][    C1] page:ffffea00025fc200 refcount:1 mapcount:0 mapping:ffff8880aa4021c0 index:0x0 compound_mapcount: 0
[  156.271258][    C1] flags: 0x1fffc0000010200(slab|head)
[  156.276604][    C1] raw: 01fffc0000010200 ffffea000251a608 ffffea0002500e08 ffff8880aa4021c0
[  156.285173][    C1] raw: 0000000000000000 ffff888097f08000 0000000100000001 0000000000000000
[  156.293824][    C1] page dumped because: kasan: bad access detected
[  156.300205][    C1] 
[  156.302505][    C1] Memory state around the buggy address:
[  156.308112][    C1]  ffff888097f08f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  156.316158][    C1]  ffff888097f09000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  156.324191][    C1] >ffff888097f09080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  156.332237][    C1]                    ^
[  156.336288][    C1]  ffff888097f09100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  156.344328][    C1]  ffff888097f09180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  156.352377][    C1] ==================================================================
[  156.360422][    C1] Disabling lock debugging due to kernel taint
[  156.366545][    C1] Kernel panic - not syncing: panic_on_warn set ...
[  156.373108][    C1] CPU: 1 PID: 16 Comm: ksoftirqd/1 Tainted: G    B             5.4.0-rc6 #0
[  156.381748][    C1] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[  156.391788][    C1] Call Trace:
[  156.395068][    C1]  dump_stack+0x1d8/0x2f8
[  156.399372][    C1]  panic+0x264/0x7a9
[  156.403253][    C1]  ? trace_hardirqs_off+0x1a/0x80
[  156.408253][    C1]  __kasan_report+0x1bb/0x1c0
[  156.412906][    C1]  ? kfree+0x70/0x200
[  156.416863][    C1]  ? __lock_acquire+0x96/0x1be0
[  156.421688][    C1]  ? __do_softirq+0x333/0x7c4
[  156.426343][    C1]  kasan_report+0x26/0x50
[  156.430647][    C1]  ? net_rx_action+0x5ef/0x10d0
[  156.435469][    C1]  ? __do_softirq+0x333/0x7c4
[  156.440129][    C1]  __asan_report_load8_noabort+0x14/0x20
[  156.445732][    C1]  __lock_acquire+0x96/0x1be0
[  156.450398][    C1]  ? trace_hardirqs_on_thunk+0x1a/0x20
[  156.455917][    C1]  ? retint_kernel+0x2b/0x2b
[  156.460490][    C1]  ? trace_hardirqs_on_caller+0x74/0x80
[  156.466021][    C1]  ? trace_hardirqs_on_thunk+0x1a/0x20
[  156.472063][    C1]  ? scheduler_ipi+0x28b/0x4a0
[  156.476815][    C1]  ? trace_lock_acquire+0x159/0x1d0
[  156.481996][    C1]  lock_acquire+0x158/0x250
[  156.486488][    C1]  ? j1939_xtp_rx_abort_one+0x89/0x3f0
[  156.491919][    C1]  ? j1939_xtp_rx_abort_one+0x89/0x3f0
[  156.497359][    C1]  _raw_spin_lock_bh+0x34/0x50
[  156.502096][    C1]  ? j1939_xtp_rx_abort_one+0x89/0x3f0
[  156.507538][    C1]  j1939_xtp_rx_abort_one+0x89/0x3f0
[  156.512796][    C1]  j1939_tp_recv+0x648/0xb80
[  156.517372][    C1]  j1939_can_recv+0x424/0x650
[  156.522019][    C1]  ? j1939_send_one+0x3e0/0x3e0
[  156.526841][    C1]  can_rcv_filter+0x3c0/0x8b0
[  156.531502][    C1]  can_receive+0x2ac/0x3b0
[  156.535892][    C1]  can_rcv+0xe4/0x220
[  156.539845][    C1]  ? rcu_lock_release+0x30/0x30
[  156.544671][    C1]  __netif_receive_skb+0x136/0x370
[  156.549758][    C1]  process_backlog+0x4d8/0x930
[  156.555195][    C1]  net_rx_action+0x5ef/0x10d0
[  156.559846][    C1]  __do_softirq+0x333/0x7c4
[  156.564321][    C1]  ? run_ksoftirqd+0x64/0xf0
[  156.568883][    C1]  run_ksoftirqd+0x64/0xf0
[  156.573273][    C1]  ? ksoftirqd_should_run+0x20/0x20
[  156.578441][    C1]  smpboot_thread_fn+0x5b3/0x9a0
[  156.583354][    C1]  kthread+0x332/0x350
[  156.587394][    C1]  ? cpu_report_death+0x120/0x120
[  156.592402][    C1]  ? kthread_blkcg+0xe0/0xe0
[  156.596982][    C1]  ret_from_fork+0x24/0x30
[  156.602683][    C1] Kernel Offset: disabled
[  156.607002][    C1] Rebooting in 86400 seconds..