[ ok ] Starting enhanced syslogd: rsyslogd.
[ 57.474771][ T26] audit: type=1800 audit(1567600921.994:25): pid=8719 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="cron" dev="sda1" ino=2414 res=0
[ 57.519634][ T26] audit: type=1800 audit(1567600921.994:26): pid=8719 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0
[ 57.550687][ T26] audit: type=1800 audit(1567600922.004:27): pid=8719 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.52' (ECDSA) to the list of known hosts.
2019/09/04 12:57:21 parsed 1 programs
2019/09/04 12:57:22 executed programs: 0
syzkaller login:
[ 978.374073][ T8889] IPVS: ftp: loaded support on port[0] = 21
[ 978.444841][ T8889] chnl_net:caif_netlink_parms(): no params data found
[ 978.487536][ T8889] bridge0: port 1(bridge_slave_0) entered blocking state
[ 978.506448][ T8889] bridge0: port 1(bridge_slave_0) entered disabled state
[ 978.517924][ T8889] device bridge_slave_0 entered promiscuous mode
[ 978.528104][ T8889] bridge0: port 2(bridge_slave_1) entered blocking state
[ 978.538114][ T8889] bridge0: port 2(bridge_slave_1) entered disabled state
[ 978.546386][ T8889] device bridge_slave_1 entered promiscuous mode
[ 978.569077][ T8889] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 978.592109][ T8889] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 978.620466][ T8889] team0: Port device team_slave_0 added
[ 978.633948][ T8889] team0: Port device team_slave_1 added
[ 978.704788][ T8889] device hsr_slave_0 entered promiscuous mode
[ 978.742431][ T8889] device hsr_slave_1 entered promiscuous mode
[ 978.790764][ T8889] bridge0: port 2(bridge_slave_1) entered blocking state
[ 978.797975][ T8889] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 978.806214][ T8889] bridge0: port 1(bridge_slave_0) entered blocking state
[ 978.813851][ T8889] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 978.850449][ T8889] 8021q: adding VLAN 0 to HW filter on device bond0
[ 978.865012][ T22] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 978.875872][ T22] bridge0: port 1(bridge_slave_0) entered disabled state
[ 978.885193][ T22] bridge0: port 2(bridge_slave_1) entered disabled state
[ 978.893827][ T22] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 978.906732][ T8889] 8021q: adding VLAN 0 to HW filter on device team0
[ 978.917990][ T3504] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 978.927302][ T3504] bridge0: port 1(bridge_slave_0) entered blocking state
[ 978.934736][ T3504] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 978.953866][ T3504] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 978.963047][ T3504] bridge0: port 2(bridge_slave_1) entered blocking state
[ 978.970328][ T3504] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 978.980561][ T3504] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 978.989795][ T3504] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 979.006820][ T8889] hsr0: Slave A (hsr_slave_0) is not up; please bring it up to get a fully working HSR network
[ 979.017879][ T8889] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
[ 979.030875][ T22] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 979.040581][ T22] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 979.050039][ T22] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 979.058992][ T22] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 979.075885][ T8889] 8021q: adding VLAN 0 to HW filter on device batadv0
2019/09/04 12:57:27 executed programs: 173
2019/09/04 12:57:32 executed programs: 388
2019/09/04 12:57:37 executed programs: 613
2019/09/04 12:57:42 executed programs: 839
[ 1001.052849][ T3504] ==================================================================
[ 1001.061305][ T3504] BUG: KASAN: use-after-free in rxrpc_send_keepalive+0x8a2/0x940
[ 1001.069031][ T3504] Read of size 8 at addr ffff888098d5c018 by task kworker/0:2/3504
[ 1001.076912][ T3504]
[ 1001.079334][ T3504] CPU: 0 PID: 3504 Comm: kworker/0:2 Not tainted 5.3.0-rc6-next-20190830 #75
[ 1001.088085][ T3504] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 1001.098171][ T3504] Workqueue: krxrpcd rxrpc_peer_keepalive_worker
[ 1001.104594][ T3504] Call Trace:
[ 1001.107964][ T3504]  dump_stack+0x172/0x1f0
[ 1001.112311][ T3504]  ? rxrpc_send_keepalive+0x8a2/0x940
[ 1001.117695][ T3504]  print_address_description.constprop.0.cold+0xd4/0x30b
[ 1001.124724][ T3504]  ? rxrpc_send_keepalive+0x8a2/0x940
[ 1001.130100][ T3504]  ? rxrpc_send_keepalive+0x8a2/0x940
[ 1001.135480][ T3504]  __kasan_report.cold+0x1b/0x41
[ 1001.140459][ T3504]  ? rxrpc_send_keepalive+0x8a2/0x940
[ 1001.145839][ T3504]  kasan_report+0x12/0x20
[ 1001.150175][ T3504]  __asan_report_load8_noabort+0x14/0x20
[ 1001.155813][ T3504]  rxrpc_send_keepalive+0x8a2/0x940
[ 1001.161203][ T3504]  ? rxrpc_reject_packets+0xab0/0xab0
[ 1001.166583][ T3504]  ? __kasan_check_read+0x11/0x20
[ 1001.171620][ T3504]  ? mark_lock+0xc2/0x1220
[ 1001.176043][ T3504]  ? find_held_lock+0x35/0x130
[ 1001.180820][ T3504]  ? mark_held_locks+0xa4/0xf0
[ 1001.185689][ T3504]  ? _raw_spin_unlock_bh+0x31/0x40
[ 1001.190816][ T3504]  ? __local_bh_enable_ip+0x15a/0x270
[ 1001.196221][ T3504]  ? lockdep_hardirqs_on+0x418/0x5d0
[ 1001.201511][ T3504]  ? rxrpc_peer_keepalive_worker+0x62e/0xd02
[ 1001.207500][ T3504]  ? trace_hardirqs_on+0x67/0x240
[ 1001.212546][ T3504]  ? rxrpc_peer_keepalive_worker+0x62e/0xd02
[ 1001.218689][ T3504]  ? __local_bh_enable_ip+0x15a/0x270
[ 1001.224088][ T3504]  rxrpc_peer_keepalive_worker+0x7be/0xd02
[ 1001.229910][ T3504]  ? rxrpc_peer_add_rtt+0x650/0x650
[ 1001.235114][ T3504]  ? rcu_read_lock_sched_held+0x9c/0xd0
[ 1001.240757][ T3504]  ? rcu_read_lock_any_held.part.0+0x50/0x50
[ 1001.246740][ T3504]  ? trace_hardirqs_on+0x67/0x240
[ 1001.251798][ T3504]  process_one_work+0x9af/0x1740
[ 1001.256747][ T3504]  ? __schedule+0x776/0x17a0
[ 1001.261354][ T3504]  ? pwq_dec_nr_in_flight+0x320/0x320
[ 1001.266753][ T3504]  ? lock_acquire+0x190/0x410
[ 1001.271455][ T3504]  worker_thread+0x98/0xe40
[ 1001.275986][ T3504]  ? trace_hardirqs_on+0x67/0x240
[ 1001.281031][ T3504]  kthread+0x361/0x430
[ 1001.285106][ T3504]  ? process_one_work+0x1740/0x1740
[ 1001.290315][ T3504]  ? kthread_cancel_delayed_work_sync+0x20/0x20
[ 1001.296569][ T3504]  ret_from_fork+0x24/0x30
[ 1001.300990][ T3504]
[ 1001.303333][ T3504] Allocated by task 8758:
[ 1001.307911][ T3504]  save_stack+0x23/0x90
[ 1001.312069][ T3504]  __kasan_kmalloc.constprop.0+0xcf/0xe0
[ 1001.317703][ T3504]  kasan_kmalloc+0x9/0x10
[ 1001.322057][ T3504]  kmem_cache_alloc_trace+0x158/0x790
[ 1001.327431][ T3504]  do_syslog+0x5fa/0x1820
[ 1001.331759][ T3504]  kmsg_read+0x8f/0xc0
[ 1001.335831][ T3504]  proc_reg_read+0x1fc/0x2c0
[ 1001.340429][ T3504]  __vfs_read+0x8a/0x110
[ 1001.344675][ T3504]  vfs_read+0x1f0/0x440
[ 1001.348833][ T3504]  ksys_read+0x14f/0x290
[ 1001.353102][ T3504]  __x64_sys_read+0x73/0xb0
[ 1001.357607][ T3504]  do_syscall_64+0xfa/0x760
[ 1001.362116][ T3504]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 1001.368001][ T3504]
[ 1001.370350][ T3504] Freed by task 8758:
[ 1001.374336][ T3504]  save_stack+0x23/0x90
[ 1001.378493][ T3504]  __kasan_slab_free+0x102/0x150
[ 1001.383432][ T3504]  kasan_slab_free+0xe/0x10
[ 1001.387934][ T3504]  kfree+0x10a/0x2c0
[ 1001.391847][ T3504]  do_syslog+0x918/0x1820
[ 1001.396181][ T3504]  kmsg_read+0x8f/0xc0
[ 1001.400382][ T3504]  proc_reg_read+0x1fc/0x2c0
[ 1001.404981][ T3504]  __vfs_read+0x8a/0x110
[ 1001.409243][ T3504]  vfs_read+0x1f0/0x440
[ 1001.413419][ T3504]  ksys_read+0x14f/0x290
[ 1001.417663][ T3504]  __x64_sys_read+0x73/0xb0
[ 1001.422174][ T3504]  do_syscall_64+0xfa/0x760
[ 1001.426719][ T3504]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 1001.432604][ T3504]
[ 1001.434936][ T3504] The buggy address belongs to the object at ffff888098d5c000
[ 1001.434936][ T3504]  which belongs to the cache kmalloc-1k of size 1024
[ 1001.448991][ T3504] The buggy address is located 24 bytes inside of
[ 1001.448991][ T3504]  1024-byte region [ffff888098d5c000, ffff888098d5c400)
[ 1001.462273][ T3504] The buggy address belongs to the page:
[ 1001.468068][ T3504] page:ffffea0002635700 refcount:1 mapcount:0 mapping:ffff8880aa400c40 index:0x0
[ 1001.477177][ T3504] flags: 0x1fffc0000000200(slab)
[ 1001.482132][ T3504] raw: 01fffc0000000200 ffffea0002454bc8 ffffea00024adb08 ffff8880aa400c40
[ 1001.490737][ T3504] raw: 0000000000000000 ffff888098d5c000 0000000100000002 0000000000000000
[ 1001.499526][ T3504] page dumped because: kasan: bad access detected
[ 1001.506199][ T3504]
[ 1001.508525][ T3504] Memory state around the buggy address:
[ 1001.514168][ T3504]  ffff888098d5bf00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 1001.522248][ T3504]  ffff888098d5bf80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 1001.530337][ T3504] >ffff888098d5c000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1001.538409][ T3504]                             ^
[ 1001.543288][ T3504]  ffff888098d5c080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1001.551352][ T3504]  ffff888098d5c100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1001.559561][ T3504] ==================================================================
[ 1001.567640][ T3504] Disabling lock debugging due to kernel taint
[ 1001.577229][ T3504] Kernel panic - not syncing: panic_on_warn set ...
[ 1001.583873][ T3504] CPU: 0 PID: 3504 Comm: kworker/0:2 Tainted: G    B 5.3.0-rc6-next-20190830 #75
[ 1001.594461][ T3504] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 1001.604532][ T3504] Workqueue: krxrpcd rxrpc_peer_keepalive_worker
[ 1001.610842][ T3504] Call Trace:
[ 1001.614141][ T3504]  dump_stack+0x172/0x1f0
[ 1001.618769][ T3504]  panic+0x2dc/0x755
[ 1001.622655][ T3504]  ? add_taint.cold+0x16/0x16
[ 1001.627322][ T3504]  ? rxrpc_send_keepalive+0x8a2/0x940
[ 1001.632710][ T3504]  ? preempt_schedule+0x4b/0x60
[ 1001.637735][ T3504]  ? ___preempt_schedule+0x16/0x20
[ 1001.643292][ T3504]  ? trace_hardirqs_on+0x5e/0x240
[ 1001.648308][ T3504]  ? rxrpc_send_keepalive+0x8a2/0x940
[ 1001.654092][ T3504]  end_report+0x47/0x4f
[ 1001.658766][ T3504]  ? rxrpc_send_keepalive+0x8a2/0x940
[ 1001.664223][ T3504]  __kasan_report.cold+0xe/0x41
[ 1001.669325][ T3504]  ? rxrpc_send_keepalive+0x8a2/0x940
[ 1001.674850][ T3504]  kasan_report+0x12/0x20
[ 1001.679265][ T3504]  __asan_report_load8_noabort+0x14/0x20
[ 1001.685205][ T3504]  rxrpc_send_keepalive+0x8a2/0x940
[ 1001.690559][ T3504]  ? rxrpc_reject_packets+0xab0/0xab0
[ 1001.696242][ T3504]  ? __kasan_check_read+0x11/0x20
[ 1001.701398][ T3504]  ? mark_lock+0xc2/0x1220
[ 1001.705972][ T3504]  ? find_held_lock+0x35/0x130
[ 1001.711022][ T3504]  ? mark_held_locks+0xa4/0xf0
[ 1001.715786][ T3504]  ? _raw_spin_unlock_bh+0x31/0x40
[ 1001.720887][ T3504]  ? __local_bh_enable_ip+0x15a/0x270
[ 1001.726464][ T3504]  ? lockdep_hardirqs_on+0x418/0x5d0
[ 1001.731906][ T3504]  ? rxrpc_peer_keepalive_worker+0x62e/0xd02
[ 1001.738160][ T3504]  ? trace_hardirqs_on+0x67/0x240
[ 1001.743335][ T3504]  ? rxrpc_peer_keepalive_worker+0x62e/0xd02
[ 1001.749378][ T3504]  ? __local_bh_enable_ip+0x15a/0x270
[ 1001.755080][ T3504]  rxrpc_peer_keepalive_worker+0x7be/0xd02
[ 1001.761479][ T3504]  ? rxrpc_peer_add_rtt+0x650/0x650
[ 1001.766671][ T3504]  ? rcu_read_lock_sched_held+0x9c/0xd0
[ 1001.772763][ T3504]  ? rcu_read_lock_any_held.part.0+0x50/0x50
[ 1001.778738][ T3504]  ? trace_hardirqs_on+0x67/0x240
[ 1001.783930][ T3504]  process_one_work+0x9af/0x1740
[ 1001.788857][ T3504]  ? __schedule+0x776/0x17a0
[ 1001.793439][ T3504]  ? pwq_dec_nr_in_flight+0x320/0x320
[ 1001.798799][ T3504]  ? lock_acquire+0x190/0x410
[ 1001.803467][ T3504]  worker_thread+0x98/0xe40
[ 1001.807959][ T3504]  ? trace_hardirqs_on+0x67/0x240
[ 1001.812975][ T3504]  kthread+0x361/0x430
[ 1001.817034][ T3504]  ? process_one_work+0x1740/0x1740
[ 1001.822403][ T3504]  ? kthread_cancel_delayed_work_sync+0x20/0x20
[ 1001.828811][ T3504]  ret_from_fork+0x24/0x30
[ 1001.834937][ T3504] Kernel Offset: disabled
[ 1001.839278][ T3504] Rebooting in 86400 seconds..