[ ok ] Starting enhanced syslogd: rsyslogd.
[ 55.185992][ T27] audit: type=1800 audit(1579353590.298:25): pid=8356 uid=0 auid=4294967295 ses=4294967295 subj=_ op=collect_data cause=failed(directio) comm="startpar" name="cron" dev="sda1" ino=2414 res=0
[ 55.210658][ T27] audit: type=1800 audit(1579353590.298:26): pid=8356 uid=0 auid=4294967295 ses=4294967295 subj=_ op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0
[ 55.254481][ T27] audit: type=1800 audit(1579353590.308:27): pid=8356 uid=0 auid=4294967295 ses=4294967295 subj=_ op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.64' (ECDSA) to the list of known hosts.

syzkaller login:
[ 64.052457][ T8512] IPVS: ftp: loaded support on port[0] = 21
[ 64.099385][ T8512] chnl_net:caif_netlink_parms(): no params data found
[ 64.123207][ T8512] bridge0: port 1(bridge_slave_0) entered blocking state
[ 64.130495][ T8512] bridge0: port 1(bridge_slave_0) entered disabled state
[ 64.138157][ T8512] device bridge_slave_0 entered promiscuous mode
[ 64.146697][ T8512] bridge0: port 2(bridge_slave_1) entered blocking state
[ 64.153878][ T8512] bridge0: port 2(bridge_slave_1) entered disabled state
[ 64.161575][ T8512] device bridge_slave_1 entered promiscuous mode
[ 64.176360][ T8512] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 64.186775][ T8512] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 64.203670][ T8512] team0: Port device team_slave_0 added
[ 64.210654][ T8512] team0: Port device team_slave_1 added
[ 64.252185][ T8512] device hsr_slave_0 entered promiscuous mode
[ 64.311098][ T8512] device hsr_slave_1 entered promiscuous mode
[ 64.419954][ T8512] netdevsim netdevsim0 netdevsim0: renamed from eth0
[ 64.472997][ T8512] netdevsim netdevsim0 netdevsim1: renamed from eth1
[ 64.542382][ T8512] netdevsim netdevsim0 netdevsim2: renamed from eth2
[ 64.592978][ T8512] netdevsim netdevsim0 netdevsim3: renamed from eth3
[ 64.670106][ T8512] bridge0: port 2(bridge_slave_1) entered blocking state
[ 64.677317][ T8512] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 64.685110][ T8512] bridge0: port 1(bridge_slave_0) entered blocking state
[ 64.692206][ T8512] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 64.725949][ T8512] 8021q: adding VLAN 0 to HW filter on device bond0
[ 64.737984][ T2681] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 64.748252][ T2681] bridge0: port 1(bridge_slave_0) entered disabled state
[ 64.756389][ T2681] bridge0: port 2(bridge_slave_1) entered disabled state
[ 64.764118][ T2681] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 64.775768][ T8512] 8021q: adding VLAN 0 to HW filter on device team0
[ 64.786227][ T2681] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 64.795389][ T2681] bridge0: port 1(bridge_slave_0) entered blocking state
[ 64.802650][ T2681] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 64.813859][ T2958] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 64.822609][ T2958] bridge0: port 2(bridge_slave_1) entered blocking state
[ 64.829713][ T2958] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 64.852374][ T2681] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 64.861930][ T2681] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 64.870250][ T2681] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 64.878796][ T2681] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 64.887545][ T2681] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 64.897328][ T8512] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 64.912730][ T2958] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 64.920092][ T2958] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 64.932240][ T8512] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 64.948002][ T2681] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 64.965830][ T8512] device veth0_vlan entered promiscuous mode
executing program
[ 64.973857][ T2906] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 64.982454][ T2906] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 64.990108][ T2906] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 65.002436][ T8512] device veth1_vlan entered promiscuous mode
[ 65.110928][ T2906] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan0: link becomes ready
[ 65.119340][ T2906] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan1: link becomes ready
[ 65.384874][ T8514] ==================================================================
[ 65.393068][ T8514] BUG: KASAN: use-after-free in tcp_fastretrans_alert+0x4e5c/0x5560
[ 65.401028][ T8514] Read of size 4 at addr ffff8880979b75e8 by task syz-executor634/8514
[ 65.409248][ T8514]
[ 65.411556][ T8514] CPU: 1 PID: 8514 Comm: syz-executor634 Not tainted 5.5.0-rc6-syzkaller #0
[ 65.420201][ T8514] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 65.430238][ T8514] Call Trace:
[ 65.433512][ T8514]  dump_stack+0x1fb/0x318
[ 65.437818][ T8514]  print_address_description+0x74/0x5c0
[ 65.443407][ T8514]  ? vprintk_func+0x158/0x170
[ 65.448110][ T8514]  ? printk+0x62/0x8d
[ 65.452126][ T8514]  ? vprintk_emit+0x2d4/0x3a0
[ 65.456799][ T8514]  __kasan_report+0x149/0x1c0
[ 65.461456][ T8514]  ? tcp_fastretrans_alert+0x4e5c/0x5560
[ 65.467059][ T8514]  ? tcp_rto_min_us+0x198/0x1d0
[ 65.471936][ T8514]  kasan_report+0x26/0x50
[ 65.476242][ T8514]  ? tcp_rto_min_us+0x198/0x1d0
[ 65.481067][ T8514]  __asan_report_load4_noabort+0x14/0x20
[ 65.486679][ T8514]  tcp_fastretrans_alert+0x4e5c/0x5560
[ 65.492126][ T8514]  tcp_ack+0x3cfc/0x6a20
[ 65.496356][ T8514]  ? tcp_ack+0x2a31/0x6a20
[ 65.500770][ T8514]  tcp_rcv_established+0x6da/0x2030
[ 65.505955][ T8514]  tcp_v4_do_rcv+0x3ba/0x8d0
[ 65.510535][ T8514]  __release_sock+0x1c1/0x4b0
[ 65.515204][ T8514]  release_sock+0x65/0x1c0
[ 65.519617][ T8514]  sk_stream_wait_memory+0x70e/0xe60
[ 65.524885][ T8514]  ? wait_woken+0x230/0x230
[ 65.529364][ T8514]  tcp_sendmsg_locked+0xbc8/0x3eb0
[ 65.534472][ T8514]  tcp_sendmsg+0x2f/0x50
[ 65.538687][ T8514]  inet_sendmsg+0x147/0x310
[ 65.543164][ T8514]  ? security_socket_sendmsg+0xb0/0xd0
[ 65.548594][ T8514]  ? inet_send_prepare+0x250/0x250
[ 65.553680][ T8514]  __sys_sendto+0x43c/0x5e0
[ 65.558163][ T8514]  ? switch_fpu_return+0xe/0x10
[ 65.562986][ T8514]  ? prepare_exit_to_usermode+0x221/0x5b0
[ 65.568712][ T8514]  ? trace_irq_disable_rcuidle+0x23/0x1e0
[ 65.574407][ T8514]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 65.579840][ T8514]  __x64_sys_sendto+0xe5/0x100
[ 65.584593][ T8514]  do_syscall_64+0xf7/0x1c0
[ 65.589072][ T8514]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 65.594942][ T8514] RIP: 0033:0x448889
[ 65.598819][ T8514] Code: e8 ec 1a 03 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 3b 0c fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 65.618408][ T8514] RSP: 002b:00007f42708f8cd8 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
[ 65.626794][ T8514] RAX: ffffffffffffffda RBX: 00000000006dfc48 RCX: 0000000000448889
[ 65.634743][ T8514] RDX: ffffffffffffff67 RSI: 0000000020000640 RDI: 0000000000000003
[ 65.642694][ T8514] RBP: 00000000006dfc40 R08: 0000000000000000 R09: ffffffffffffff4f
[ 65.650649][ T8514] R10: 00000000040007bd R11: 0000000000000246 R12: 00000000006dfc4c
[ 65.658614][ T8514] R13: 00007ffff271017f R14: 00007f42708f99c0 R15: 000000000000002d
[ 65.666571][ T8514]
[ 65.668875][ T8514] Allocated by task 8514:
[ 65.673179][ T8514]  __kasan_kmalloc+0x118/0x1c0
[ 65.677911][ T8514]  kasan_slab_alloc+0xf/0x20
[ 65.682475][ T8514]  kmem_cache_alloc_node+0x235/0x280
[ 65.687732][ T8514]  __alloc_skb+0x9f/0x500
[ 65.692035][ T8514]  sk_stream_alloc_skb+0x40a/0xa50
[ 65.697118][ T8514]  tcp_sendmsg_locked+0xe1b/0x3eb0
[ 65.702199][ T8514]  tcp_sendmsg+0x2f/0x50
[ 65.706411][ T8514]  inet_sendmsg+0x147/0x310
[ 65.710987][ T8514]  __sys_sendto+0x43c/0x5e0
[ 65.715478][ T8514]  __x64_sys_sendto+0xe5/0x100
[ 65.720211][ T8514]  do_syscall_64+0xf7/0x1c0
[ 65.724700][ T8514]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 65.731000][ T8514]
[ 65.733313][ T8514] Freed by task 8516:
[ 65.737266][ T8514]  __kasan_slab_free+0x12e/0x1e0
[ 65.742173][ T8514]  kasan_slab_free+0xe/0x10
[ 65.746647][ T8514]  kmem_cache_free+0x81/0xf0
[ 65.751213][ T8514]  __kfree_skb+0x13e/0x1c0
[ 65.755611][ T8514]  tcp_recvmsg+0x15f9/0x3530
[ 65.760182][ T8514]  inet_recvmsg+0xf5/0x1d0
[ 65.764570][ T8514]  __sys_recvfrom+0x328/0x4b0
[ 65.769216][ T8514]  __x64_sys_recvfrom+0xe5/0x100
[ 65.774129][ T8514]  do_syscall_64+0xf7/0x1c0
[ 65.778604][ T8514]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 65.784469][ T8514]
[ 65.786772][ T8514] The buggy address belongs to the object at ffff8880979b75c0
[ 65.786772][ T8514]  which belongs to the cache skbuff_fclone_cache of size 456
[ 65.801493][ T8514] The buggy address is located 40 bytes inside of
[ 65.801493][ T8514]  456-byte region [ffff8880979b75c0, ffff8880979b7788)
[ 65.814656][ T8514] The buggy address belongs to the page:
[ 65.820259][ T8514] page:ffffea00025e6dc0 refcount:1 mapcount:0 mapping:ffff8880a9d2d700 index:0x0
[ 65.829351][ T8514] raw: 00fffe0000000200 ffffea00028adc88 ffffea00024be2c8 ffff8880a9d2d700
[ 65.837931][ T8514] raw: 0000000000000000 ffff8880979b70c0 0000000100000006 0000000000000000
[ 65.846499][ T8514] page dumped because: kasan: bad access detected
[ 65.852884][ T8514]
[ 65.855190][ T8514] Memory state around the buggy address:
[ 65.860792][ T8514]  ffff8880979b7480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 65.868823][ T8514]  ffff8880979b7500: fb fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 65.876864][ T8514] >ffff8880979b7580: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 65.884901][ T8514]                                                           ^
[ 65.892332][ T8514]  ffff8880979b7600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 65.900372][ T8514]  ffff8880979b7680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 65.908402][ T8514] ==================================================================
[ 65.916447][ T8514] Disabling lock debugging due to kernel taint
[ 65.924525][ T8514] Kernel panic - not syncing: panic_on_warn set ...
[ 65.931131][ T8514] CPU: 1 PID: 8514 Comm: syz-executor634 Tainted: G B 5.5.0-rc6-syzkaller #0
[ 65.941159][ T8514] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 65.951191][ T8514] Call Trace:
[ 65.954466][ T8514]  dump_stack+0x1fb/0x318
[ 65.958770][ T8514]  panic+0x264/0x7a9
[ 65.962647][ T8514]  ? __kasan_report+0x193/0x1c0
[ 65.967480][ T8514]  ? trace_hardirqs_on+0x34/0x80
[ 65.972390][ T8514]  ? __kasan_report+0x193/0x1c0
[ 65.977211][ T8514]  __kasan_report+0x1b9/0x1c0
[ 65.981860][ T8514]  ? tcp_fastretrans_alert+0x4e5c/0x5560
[ 65.987472][ T8514]  ? tcp_rto_min_us+0x198/0x1d0
[ 65.992296][ T8514]  kasan_report+0x26/0x50
[ 65.996600][ T8514]  ? tcp_rto_min_us+0x198/0x1d0
[ 66.001422][ T8514]  __asan_report_load4_noabort+0x14/0x20
[ 66.007027][ T8514]  tcp_fastretrans_alert+0x4e5c/0x5560
[ 66.012468][ T8514]  tcp_ack+0x3cfc/0x6a20
[ 66.016692][ T8514]  ? tcp_ack+0x2a31/0x6a20
[ 66.021082][ T8514]  tcp_rcv_established+0x6da/0x2030
[ 66.026255][ T8514]  tcp_v4_do_rcv+0x3ba/0x8d0
[ 66.030833][ T8514]  __release_sock+0x1c1/0x4b0
[ 66.035499][ T8514]  release_sock+0x65/0x1c0
[ 66.039905][ T8514]  sk_stream_wait_memory+0x70e/0xe60
[ 66.045436][ T8514]  ? wait_woken+0x230/0x230
[ 66.049909][ T8514]  tcp_sendmsg_locked+0xbc8/0x3eb0
[ 66.055002][ T8514]  tcp_sendmsg+0x2f/0x50
[ 66.059216][ T8514]  inet_sendmsg+0x147/0x310
[ 66.063780][ T8514]  ? security_socket_sendmsg+0xb0/0xd0
[ 66.069209][ T8514]  ? inet_send_prepare+0x250/0x250
[ 66.074323][ T8514]  __sys_sendto+0x43c/0x5e0
[ 66.078810][ T8514]  ? switch_fpu_return+0xe/0x10
[ 66.083643][ T8514]  ? prepare_exit_to_usermode+0x221/0x5b0
[ 66.089332][ T8514]  ? trace_irq_disable_rcuidle+0x23/0x1e0
[ 66.095035][ T8514]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 66.100482][ T8514]  __x64_sys_sendto+0xe5/0x100
[ 66.105233][ T8514]  do_syscall_64+0xf7/0x1c0
[ 66.109715][ T8514]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 66.115731][ T8514] RIP: 0033:0x448889
[ 66.119601][ T8514] Code: e8 ec 1a 03 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 3b 0c fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 66.139182][ T8514] RSP: 002b:00007f42708f8cd8 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
[ 66.147575][ T8514] RAX: ffffffffffffffda RBX: 00000000006dfc48 RCX: 0000000000448889
[ 66.155545][ T8514] RDX: ffffffffffffff67 RSI: 0000000020000640 RDI: 0000000000000003
[ 66.163958][ T8514] RBP: 00000000006dfc40 R08: 0000000000000000 R09: ffffffffffffff4f
[ 66.171923][ T8514] R10: 00000000040007bd R11: 0000000000000246 R12: 00000000006dfc4c
[ 66.179871][ T8514] R13: 00007ffff271017f R14: 00007f42708f99c0 R15: 000000000000002d
[ 66.189342][ T8514] Kernel Offset: disabled
[ 66.193670][ T8514] Rebooting in 86400 seconds..
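Triaging the KASAN block above by hand means checking that its numbers agree with each other: the faulting address must lie inside the object the allocator names, the "located N bytes inside of" offset must match the difference between the two addresses, the region bounds must equal the cache object size, and the shadow byte for the address must be the freed-object poison rather than a redzone. The Python below is an added example written for this page, not syzkaller or kernel code. It parses an excerpt of the report above (the console prefixes kept, the allocation and free stacks shortened to their first frames) and performs those checks mechanically. The poison values are those of generic KASAN as defined in mm/kasan/kasan.h for v5.5; the parser is an assumption tailored to the prefix format of this log and does not handle tag-based KASAN or module-suffixed frames.

```python
# Added example for this crash log (not syzkaller or kernel code): decode a
# generic-KASAN report and cross-check the numbers it prints. Poison values are
# from mm/kasan/kasan.h (v5.5); REPORT is an excerpt of the log above with the
# alloc/free stacks shortened. The prefix format handled is this log's only.
import re

SHADOW_SCALE = 8  # one shadow byte describes 8 bytes of kernel memory
SHADOW_NAMES = {0x00: "addressable", 0xfa: "global redzone", 0xfb: "freed object",
                0xfc: "kmalloc redzone", 0xfe: "page redzone", 0xff: "freed page"}
PREFIX = re.compile(r"^\[\s*[\d.]+\]\[\s*T\d+\]\s?")  # "[ 65.393068][ T8514] "
FRAME = re.compile(r"^[\w.]+\+0x[0-9a-f]+/0x[0-9a-f]+$")  # "func+0xoff/0xsize"

REPORT = """\
[ 65.393068][ T8514] BUG: KASAN: use-after-free in tcp_fastretrans_alert+0x4e5c/0x5560
[ 65.401028][ T8514] Read of size 4 at addr ffff8880979b75e8 by task syz-executor634/8514
[ 65.409248][ T8514]
[ 65.433512][ T8514]  dump_stack+0x1fb/0x318
[ 65.461456][ T8514]  ? tcp_fastretrans_alert+0x4e5c/0x5560
[ 65.668875][ T8514] Allocated by task 8514:
[ 65.673179][ T8514]  __kasan_kmalloc+0x118/0x1c0
[ 65.677911][ T8514]  kasan_slab_alloc+0xf/0x20
[ 65.682475][ T8514]  kmem_cache_alloc_node+0x235/0x280
[ 65.687732][ T8514]  __alloc_skb+0x9f/0x500
[ 65.692035][ T8514]  sk_stream_alloc_skb+0x40a/0xa50
[ 65.697118][ T8514]  tcp_sendmsg_locked+0xe1b/0x3eb0
[ 65.731000][ T8514]
[ 65.733313][ T8514] Freed by task 8516:
[ 65.737266][ T8514]  __kasan_slab_free+0x12e/0x1e0
[ 65.742173][ T8514]  kasan_slab_free+0xe/0x10
[ 65.746647][ T8514]  kmem_cache_free+0x81/0xf0
[ 65.751213][ T8514]  __kfree_skb+0x13e/0x1c0
[ 65.755611][ T8514]  tcp_recvmsg+0x15f9/0x3530
[ 65.784469][ T8514]
[ 65.786772][ T8514] The buggy address belongs to the object at ffff8880979b75c0
[ 65.786772][ T8514]  which belongs to the cache skbuff_fclone_cache of size 456
[ 65.801493][ T8514] The buggy address is located 40 bytes inside of
[ 65.801493][ T8514]  456-byte region [ffff8880979b75c0, ffff8880979b7788)
[ 65.868823][ T8514]  ffff8880979b7500: fb fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 65.876864][ T8514] >ffff8880979b7580: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 65.892332][ T8514]  ffff8880979b7600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
"""


def parse_kasan_report(text):
    """Return the header, alloc/free stacks, object info and shadow map as a dict."""
    rep = {"allocated_stack": [], "freed_stack": [], "shadow": {}}
    section = None  # which stack we are inside, if any
    for raw in text.splitlines():
        line = PREFIX.sub("", raw).strip()
        if not line:  # a blank report line ends the current stack
            section = None
            continue
        if (m := re.match(r"BUG: KASAN: (\S+) in (\S+)", line)):
            rep["bug"], rep["where"] = m.groups()
        elif (m := re.match(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (\S+)/(\d+)", line)):
            rep.update(access=m[1].lower(), size=int(m[2]), addr=int(m[3], 16),
                       task=m[4], pid=int(m[5]))
        elif (m := re.match(r"(Allocated|Freed) by task (\d+):", line)):
            section = m[1].lower() + "_stack"
            rep[m[1].lower() + "_by"] = int(m[2])
        elif (m := re.match(r"which belongs to the cache (\S+) of size (\d+)", line)):
            rep["cache"], rep["cache_size"] = m[1], int(m[2])
        elif (m := re.match(r"The buggy address is located (\d+) bytes inside of", line)):
            rep["reported_offset"] = int(m[1])
        elif (m := re.match(r"(\d+)-byte region \[([0-9a-f]+), ([0-9a-f]+)\)", line)):
            rep.update(obj_size=int(m[1]), obj_start=int(m[2], 16), obj_end=int(m[3], 16))
        elif (m := re.match(r">?([0-9a-f]{16}): ((?:[0-9a-f]{2} ?)+)$", line)):
            base = int(m[1], 16)  # each listed byte covers the next 8-byte granule
            for i, byte in enumerate(m[2].split()):
                rep["shadow"][base + i * SHADOW_SCALE] = int(byte, 16)
        elif section and FRAME.match(line):  # "? func" frames are never in these stacks
            rep[section].append(line)
    return rep


def check_report(rep):
    """Cross-check the report against itself, as a triager does by hand."""
    addr, start, end = rep["addr"], rep["obj_start"], rep["obj_end"]
    shadow = rep["shadow"].get(addr & ~(SHADOW_SCALE - 1))  # granule of the fault
    return {
        "offset": addr - start,
        "offset_matches": addr - start == rep["reported_offset"],
        "inside_object": start <= addr < end,
        "region_consistent": end - start == rep["obj_size"] == rep["cache_size"],
        "shadow_byte": shadow,
        "shadow_meaning": SHADOW_NAMES.get(shadow, "unknown"),
        "cross_task_free": rep["freed_by"] != rep["pid"],
    }


if __name__ == "__main__":
    rep = parse_kasan_report(REPORT)
    print(f"{rep['bug']} in {rep['where']}: {rep['access']} of {rep['size']} bytes")
    print(f"allocated by pid {rep['allocated_by']} via {rep['allocated_stack'][-1]}, "
          f"freed by pid {rep['freed_by']} via {rep['freed_stack'][-1]}")
    for key, val in check_report(rep).items():
        print(f"  {key}: {val}")
```

The check that matters most for classification is the last one: the free came from a different task (8516, in tcp_recvmsg) than the one holding the stale pointer (8514, in its send path), which is what separates a cross-thread lifetime race from a single-path logic bug. Parsing it out rather than reading it lets a fuzzing pipeline group reports by (bug kind, faulting function, cache, cross-task) instead of by raw addresses, which differ on every run.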