[ ok ] Starting enhanced syslogd: rsyslogd.
[ 76.976984][ T26] audit: type=1800 audit(1584619126.688:25): pid=9188 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="cron" dev="sda1" ino=2414 res=0
[ 76.996825][ T26] audit: type=1800 audit(1584619126.688:26): pid=9188 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0
[ 77.017734][ T26] audit: type=1800 audit(1584619126.688:27): pid=9188 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.53' (ECDSA) to the list of known hosts.
2020/03/19 11:58:59 parsed 1 programs
2020/03/19 11:59:01 executed programs: 0

syzkaller login:
[ 91.389673][ T9357] IPVS: ftp: loaded support on port[0] = 21
[ 91.449134][ T9357] chnl_net:caif_netlink_parms(): no params data found
[ 91.486953][ T9357] bridge0: port 1(bridge_slave_0) entered blocking state
[ 91.494210][ T9357] bridge0: port 1(bridge_slave_0) entered disabled state
[ 91.502358][ T9357] device bridge_slave_0 entered promiscuous mode
[ 91.510439][ T9357] bridge0: port 2(bridge_slave_1) entered blocking state
[ 91.517602][ T9357] bridge0: port 2(bridge_slave_1) entered disabled state
[ 91.525353][ T9357] device bridge_slave_1 entered promiscuous mode
[ 91.544046][ T9357] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 91.555252][ T9357] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 91.574140][ T9357] team0: Port device team_slave_0 added
[ 91.581914][ T9357] team0: Port device team_slave_1 added
[ 91.596796][ T9357] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 91.603724][ T9357] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 91.629762][ T9357] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[ 91.641834][ T9357] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 91.648929][ T9357] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 91.674796][ T9357] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[ 91.737834][ T9357] device hsr_slave_0 entered promiscuous mode
[ 91.775784][ T9357] device hsr_slave_1 entered promiscuous mode
[ 91.880476][ T9357] netdevsim netdevsim0 netdevsim0: renamed from eth0
[ 91.938122][ T9357] netdevsim netdevsim0 netdevsim1: renamed from eth1
[ 91.977980][ T9357] netdevsim netdevsim0 netdevsim2: renamed from eth2
[ 92.027648][ T9357] netdevsim netdevsim0 netdevsim3: renamed from eth3
[ 92.080945][ T9357] bridge0: port 2(bridge_slave_1) entered blocking state
[ 92.088126][ T9357] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 92.096014][ T9357] bridge0: port 1(bridge_slave_0) entered blocking state
[ 92.103064][ T9357] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 92.144766][ T9357] 8021q: adding VLAN 0 to HW filter on device bond0
[ 92.158576][ T3233] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 92.168801][ T3233] bridge0: port 1(bridge_slave_0) entered disabled state
[ 92.176955][ T3233] bridge0: port 2(bridge_slave_1) entered disabled state
[ 92.184721][ T3233] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 92.197548][ T9357] 8021q: adding VLAN 0 to HW filter on device team0
[ 92.208253][ T2756] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 92.216789][ T2756] bridge0: port 1(bridge_slave_0) entered blocking state
[ 92.223832][ T2756] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 92.234893][ T3233] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 92.244053][ T3233] bridge0: port 2(bridge_slave_1) entered blocking state
[ 92.251141][ T3233] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 92.277801][ T2756] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 92.286766][ T2756] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 92.295019][ T2756] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 92.304288][ T2756] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 92.312790][ T2756] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 92.323022][ T9357] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 92.340900][ T3231] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 92.348373][ T3231] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 92.361293][ T9357] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 92.379903][ T2756] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 92.400674][ T9357] device veth0_vlan entered promiscuous mode
[ 92.408288][ T3233] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 92.417373][ T3233] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 92.424982][ T3233] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 92.437087][ T9357] device veth1_vlan entered promiscuous mode
[ 92.447591][ T3233] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan0: link becomes ready
[ 92.468050][ T2756] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_macvtap: link becomes ready
[ 92.476689][ T2756] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 92.489317][ T9357] device veth0_macvtap entered promiscuous mode
[ 92.498684][ T9357] device veth1_macvtap entered promiscuous mode
[ 92.514472][ T9357] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 92.522138][ T3233] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready
[ 92.530935][ T3233] IPv6: ADDRCONF(NETDEV_CHANGE): macsec0: link becomes ready
[ 92.539231][ T3233] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready
[ 92.547711][ T3233] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 92.560287][ T9357] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 92.568798][ T2756] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready
[ 92.577410][ T2756] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 93.391791][ T9451] ==================================================================
[ 93.399964][ T9451] BUG: KASAN: use-after-free in __list_add_valid+0x93/0xa0
[ 93.407159][ T9451] Read of size 8 at addr ffff8880902f81e0 by task syz-executor.0/9451
[ 93.415276][ T9451]
[ 93.417584][ T9451] CPU: 1 PID: 9451 Comm: syz-executor.0 Not tainted 5.6.0-rc6-syzkaller #0
[ 93.426138][ T9451] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 93.436173][ T9451] Call Trace:
[ 93.439454][ T9451]  dump_stack+0x188/0x20d
[ 93.443780][ T9451]  ? __list_add_valid+0x93/0xa0
[ 93.448604][ T9451]  ? __list_add_valid+0x93/0xa0
[ 93.453432][ T9451]  print_address_description.constprop.0.cold+0xd3/0x315
[ 93.460428][ T9451]  ? __list_add_valid+0x93/0xa0
[ 93.465259][ T9451]  ? __list_add_valid+0x93/0xa0
[ 93.470085][ T9451]  __kasan_report.cold+0x1a/0x32
[ 93.475000][ T9451]  ? __list_add_valid+0x93/0xa0
[ 93.479829][ T9451]  kasan_report+0xe/0x20
[ 93.484051][ T9451]  __list_add_valid+0x93/0xa0
[ 93.488712][ T9451]  rdma_listen+0x681/0x910
[ 93.493110][ T9451]  ucma_listen+0x14d/0x1c0
[ 93.497503][ T9451]  ? ucma_notify+0x190/0x190
[ 93.502071][ T9451]  ? __might_fault+0x190/0x1d0
[ 93.506814][ T9451]  ? _copy_from_user+0x123/0x190
[ 93.511728][ T9451]  ? ucma_notify+0x190/0x190
[ 93.516310][ T9451]  ucma_write+0x285/0x350
[ 93.520627][ T9451]  ? ucma_open+0x270/0x270
[ 93.525022][ T9451]  ? security_file_permission+0x8a/0x370
[ 93.530636][ T9451]  ? ucma_open+0x270/0x270
[ 93.535029][ T9451]  __vfs_write+0x76/0x100
[ 93.539339][ T9451]  vfs_write+0x262/0x5c0
[ 93.543600][ T9451]  ksys_write+0x1e8/0x250
[ 93.547909][ T9451]  ? __ia32_sys_read+0xb0/0xb0
[ 93.552648][ T9451]  ? __ia32_sys_clock_settime+0x260/0x260
[ 93.558389][ T9451]  ? trace_hardirqs_off_caller+0x55/0x230
[ 93.564109][ T9451]  do_syscall_64+0xf6/0x7d0
[ 93.568617][ T9451]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 93.574496][ T9451] RIP: 0033:0x45c849
[ 93.578366][ T9451] Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 93.598185][ T9451] RSP: 002b:00007f6907715c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[ 93.606573][ T9451] RAX: ffffffffffffffda RBX: 00007f69077166d4 RCX: 000000000045c849
[ 93.614520][ T9451] RDX: 0000000000000010 RSI: 0000000020000040 RDI: 0000000000000004
[ 93.622465][ T9451] RBP: 000000000076bf00 R08: 0000000000000000 R09: 0000000000000000
[ 93.630447][ T9451] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
[ 93.638408][ T9451] R13: 0000000000000cc0 R14: 00000000004cee66 R15: 000000000076bf0c
[ 93.646387][ T9451]
[ 93.648704][ T9451] Allocated by task 9445:
[ 93.653011][ T9451]  save_stack+0x1b/0x80
[ 93.657151][ T9451]  __kasan_kmalloc.constprop.0+0xbf/0xd0
[ 93.662767][ T9451]  kmem_cache_alloc_trace+0x153/0x7d0
[ 93.668114][ T9451]  __rdma_create_id+0x5b/0x850
[ 93.672850][ T9451]  ucma_create_id+0x1cb/0x580
[ 93.677506][ T9451]  ucma_write+0x285/0x350
[ 93.681811][ T9451]  __vfs_write+0x76/0x100
[ 93.686124][ T9451]  vfs_write+0x262/0x5c0
[ 93.690340][ T9451]  ksys_write+0x1e8/0x250
[ 93.694641][ T9451]  do_syscall_64+0xf6/0x7d0
[ 93.699114][ T9451]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 93.704970][ T9451]
[ 93.707276][ T9451] Freed by task 9444:
[ 93.711245][ T9451]  save_stack+0x1b/0x80
[ 93.715374][ T9451]  __kasan_slab_free+0xf7/0x140
[ 93.720194][ T9451]  kfree+0x109/0x2b0
[ 93.724065][ T9451]  ucma_close+0x10b/0x300
[ 93.728374][ T9451]  __fput+0x2da/0x850
[ 93.732342][ T9451]  task_work_run+0x13f/0x1b0
[ 93.736906][ T9451]  exit_to_usermode_loop+0x2fa/0x360
[ 93.742166][ T9451]  do_syscall_64+0x6b1/0x7d0
[ 93.746733][ T9451]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 93.752632][ T9451]
[ 93.754948][ T9451] The buggy address belongs to the object at ffff8880902f8000
[ 93.754948][ T9451]  which belongs to the cache kmalloc-2k of size 2048
[ 93.768979][ T9451] The buggy address is located 480 bytes inside of
[ 93.768979][ T9451]  2048-byte region [ffff8880902f8000, ffff8880902f8800)
[ 93.782315][ T9451] The buggy address belongs to the page:
[ 93.787929][ T9451] page:ffffea000240be00 refcount:1 mapcount:0 mapping:ffff8880aa000e00 index:0x0
[ 93.797008][ T9451] flags: 0xfffe0000000200(slab)
[ 93.801834][ T9451] raw: 00fffe0000000200 ffffea00023d0d08 ffffea00027f5448 ffff8880aa000e00
[ 93.810404][ T9451] raw: 0000000000000000 ffff8880902f8000 0000000100000001 0000000000000000
[ 93.818965][ T9451] page dumped because: kasan: bad access detected
[ 93.825348][ T9451]
[ 93.827650][ T9451] Memory state around the buggy address:
[ 93.833254][ T9451]  ffff8880902f8080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 93.841305][ T9451]  ffff8880902f8100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 93.849388][ T9451] >ffff8880902f8180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 93.857426][ T9451]                                                        ^
[ 93.864597][ T9451]  ffff8880902f8200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 93.872637][ T9451]  ffff8880902f8280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 93.880680][ T9451] ==================================================================
[ 93.888839][ T9451] Disabling lock debugging due to kernel taint
[ 93.895995][ T9451] Kernel panic - not syncing: panic_on_warn set ...
[ 93.902584][ T9451] CPU: 0 PID: 9451 Comm: syz-executor.0 Tainted: G B 5.6.0-rc6-syzkaller #0
[ 93.912538][ T9451] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 93.922565][ T9451] Call Trace:
[ 93.925894][ T9451]  dump_stack+0x188/0x20d
[ 93.930200][ T9451]  panic+0x2e3/0x75c
[ 93.934069][ T9451]  ? add_taint.cold+0x16/0x16
[ 93.938722][ T9451]  ? preempt_schedule_common+0x5e/0xc0
[ 93.944151][ T9451]  ? __list_add_valid+0x93/0xa0
[ 93.948978][ T9451]  ? ___preempt_schedule+0x16/0x18
[ 93.954065][ T9451]  ? trace_hardirqs_on+0x55/0x220
[ 93.959063][ T9451]  ? __list_add_valid+0x93/0xa0
[ 93.963888][ T9451]  end_report+0x43/0x49
[ 93.968019][ T9451]  ? __list_add_valid+0x93/0xa0
[ 93.972841][ T9451]  __kasan_report.cold+0xd/0x32
[ 93.977664][ T9451]  ? __list_add_valid+0x93/0xa0
[ 93.982492][ T9451]  kasan_report+0xe/0x20
[ 93.986714][ T9451]  __list_add_valid+0x93/0xa0
[ 93.991364][ T9451]  rdma_listen+0x681/0x910
[ 93.995758][ T9451]  ucma_listen+0x14d/0x1c0
[ 94.000152][ T9451]  ? ucma_notify+0x190/0x190
[ 94.004725][ T9451]  ? __might_fault+0x190/0x1d0
[ 94.009464][ T9451]  ? _copy_from_user+0x123/0x190
[ 94.014379][ T9451]  ? ucma_notify+0x190/0x190
[ 94.018944][ T9451]  ucma_write+0x285/0x350
[ 94.023250][ T9451]  ? ucma_open+0x270/0x270
[ 94.027645][ T9451]  ? security_file_permission+0x8a/0x370
[ 94.033251][ T9451]  ? ucma_open+0x270/0x270
[ 94.037640][ T9451]  __vfs_write+0x76/0x100
[ 94.041950][ T9451]  vfs_write+0x262/0x5c0
[ 94.046171][ T9451]  ksys_write+0x1e8/0x250
[ 94.050472][ T9451]  ? __ia32_sys_read+0xb0/0xb0
[ 94.055209][ T9451]  ? __ia32_sys_clock_settime+0x260/0x260
[ 94.060904][ T9451]  ? trace_hardirqs_off_caller+0x55/0x230
[ 94.066598][ T9451]  do_syscall_64+0xf6/0x7d0
[ 94.071074][ T9451]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 94.076940][ T9451] RIP: 0033:0x45c849
[ 94.080809][ T9451] Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 94.100382][ T9451] RSP: 002b:00007f6907715c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[ 94.108760][ T9451] RAX: ffffffffffffffda RBX: 00007f69077166d4 RCX: 000000000045c849
[ 94.116701][ T9451] RDX: 0000000000000010 RSI: 0000000020000040 RDI: 0000000000000004
[ 94.124674][ T9451] RBP: 000000000076bf00 R08: 0000000000000000 R09: 0000000000000000
[ 94.132638][ T9451] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
[ 94.140590][ T9451] R13: 0000000000000cc0 R14: 00000000004cee66 R15: 000000000076bf0c
[ 94.149755][ T9451] Kernel Offset: disabled
[ 94.154073][ T9451] Rebooting in 86400 seconds..