[ ok ] Starting enhanced syslogd: rsyslogd.
[ 54.679637][ T26] audit: type=1800 audit(1583473729.849:25): pid=8815 uid=0 auid=4294967295 ses=4294967295 subj=_ op=collect_data cause=failed(directio) comm="startpar" name="cron" dev="sda1" ino=2414 res=0
[ 54.708583][ T26] audit: type=1800 audit(1583473729.849:26): pid=8815 uid=0 auid=4294967295 ses=4294967295 subj=_ op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0
[ 54.760104][ T26] audit: type=1800 audit(1583473729.849:27): pid=8815 uid=0 auid=4294967295 ses=4294967295 subj=_ op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.1.45' (ECDSA) to the list of known hosts.
2020/03/06 05:49:02 parsed 1 programs
2020/03/06 05:49:04 executed programs: 0
syzkaller login: [ 68.902056][ T8983] IPVS: ftp: loaded support on port[0] = 21
[ 68.951071][ T8983] chnl_net:caif_netlink_parms(): no params data found
[ 68.984272][ T8983] bridge0: port 1(bridge_slave_0) entered blocking state
[ 68.991827][ T8983] bridge0: port 1(bridge_slave_0) entered disabled state
[ 68.999600][ T8983] device bridge_slave_0 entered promiscuous mode
[ 69.008464][ T8983] bridge0: port 2(bridge_slave_1) entered blocking state
[ 69.015701][ T8983] bridge0: port 2(bridge_slave_1) entered disabled state
[ 69.023625][ T8983] device bridge_slave_1 entered promiscuous mode
[ 69.039249][ T8983] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 69.050981][ T8983] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 69.068067][ T8983] team0: Port device team_slave_0 added
[ 69.075443][ T8983] team0: Port device team_slave_1 added
[ 69.088735][ T8983] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 69.096277][ T8983] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 69.122361][ T8983] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[ 69.134545][ T8983] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 69.141597][ T8983] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 69.167576][ T8983] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[ 69.221813][ T8983] device hsr_slave_0 entered promiscuous mode
[ 69.260423][ T8983] device hsr_slave_1 entered promiscuous mode
[ 69.352760][ T8983] netdevsim netdevsim0 netdevsim0: renamed from eth0
[ 69.392878][ T8983] netdevsim netdevsim0 netdevsim1: renamed from eth1
[ 69.432595][ T8983] netdevsim netdevsim0 netdevsim2: renamed from eth2
[ 69.472638][ T8983] netdevsim netdevsim0 netdevsim3: renamed from eth3
[ 69.512892][ T8983] bridge0: port 2(bridge_slave_1) entered blocking state
[ 69.520088][ T8983] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 69.527748][ T8983] bridge0: port 1(bridge_slave_0) entered blocking state
[ 69.534879][ T8983] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 69.569421][ T8983] 8021q: adding VLAN 0 to HW filter on device bond0
[ 69.584455][ T3144] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 69.595558][ T3144] bridge0: port 1(bridge_slave_0) entered disabled state
[ 69.603710][ T3144] bridge0: port 2(bridge_slave_1) entered disabled state
[ 69.611648][ T3144] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 69.624393][ T8983] 8021q: adding VLAN 0 to HW filter on device team0
[ 69.634450][ T2819] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 69.643842][ T2819] bridge0: port 1(bridge_slave_0) entered blocking state
[ 69.651031][ T2819] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 69.671075][ T3144] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 69.679433][ T3144] bridge0: port 2(bridge_slave_1) entered blocking state
[ 69.686555][ T3144] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 69.694613][ T3144] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 69.705250][ T3148] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 69.713324][ T3148] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 69.725534][ T2819] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 69.736669][ T3148] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 69.747023][ T8983] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 69.765028][ T2819] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 69.773032][ T2819] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 69.784662][ T8983] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 69.802507][ T2819] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 69.821710][ T3155] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 69.830338][ T3155] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 69.838085][ T3155] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 69.847030][ T8983] device veth0_vlan entered promiscuous mode
[ 69.858499][ T8983] device veth1_vlan entered promiscuous mode
[ 69.878211][ T2819] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan0: link becomes ready
[ 69.886697][ T2819] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan1: link becomes ready
[ 69.895376][ T2819] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 69.906899][ T8983] device veth0_macvtap entered promiscuous mode
[ 69.917043][ T8983] device veth1_macvtap entered promiscuous mode
[ 69.932758][ T8983] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 69.941068][ T3155] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 69.951315][ T3155] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready
[ 69.962429][ T8983] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 69.969730][ T2819] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready
[ 69.979365][ T2819] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 70.243167][ T8995] ==================================================================
[ 70.251414][ T8995] BUG: KASAN: use-after-free in __list_add_valid+0x58/0xc0
[ 70.258615][ T8995] Read of size 8 at addr ffff8880a7bd11e0 by task syz-executor.0/8995
[ 70.266754][ T8995]
[ 70.269064][ T8995] CPU: 1 PID: 8995 Comm: syz-executor.0 Not tainted 5.6.0-rc3-syzkaller #0
[ 70.277627][ T8995] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 70.287711][ T8995] Call Trace:
[ 70.290988][ T8995]  dump_stack+0x1fb/0x318
[ 70.295301][ T8995]  print_address_description+0x74/0x5c0
[ 70.300835][ T8995]  ? vprintk_default+0x28/0x30
[ 70.305608][ T8995]  ? vprintk_func+0x158/0x170
[ 70.310288][ T8995]  ? printk+0x62/0x8d
[ 70.314270][ T8995]  __kasan_report+0x149/0x1c0
[ 70.318926][ T8995]  ? __list_add_valid+0x58/0xc0
[ 70.323769][ T8995]  kasan_report+0x26/0x50
[ 70.328084][ T8995]  __asan_report_load8_noabort+0x14/0x20
[ 70.333719][ T8995]  __list_add_valid+0x58/0xc0
[ 70.338392][ T8995]  rdma_listen+0x322/0x9a0
[ 70.342817][ T8995]  ucma_listen+0x245/0x300
[ 70.347234][ T8995]  ? __kasan_check_write+0x14/0x20
[ 70.352332][ T8995]  ? ucma_connect+0x7e0/0x7e0
[ 70.356997][ T8995]  ucma_write+0x2da/0x360
[ 70.361321][ T8995]  ? ucma_get_global_nl_info+0x70/0x70
[ 70.366784][ T8995]  __vfs_write+0xb8/0x740
[ 70.371206][ T8995]  ? security_file_permission+0x147/0x340
[ 70.376928][ T8995]  ? rw_verify_area+0x1c2/0x360
[ 70.381776][ T8995]  vfs_write+0x270/0x580
[ 70.386014][ T8995]  ksys_write+0x117/0x220
[ 70.390346][ T8995]  __x64_sys_write+0x7b/0x90
[ 70.395002][ T8995]  do_syscall_64+0xf7/0x1c0
[ 70.399486][ T8995]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 70.405358][ T8995] RIP: 0033:0x45c479
[ 70.409229][ T8995] Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 70.428826][ T8995] RSP: 002b:00007f275034cc78 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[ 70.437271][ T8995] RAX: ffffffffffffffda RBX: 00007f275034d6d4 RCX: 000000000045c479
[ 70.445235][ T8995] RDX: 0000000000000010 RSI: 0000000020000040 RDI: 0000000000000003
[ 70.453195][ T8995] RBP: 000000000076bf20 R08: 0000000000000000 R09: 0000000000000000
[ 70.461156][ T8995] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
[ 70.469124][ T8995] R13: 0000000000000cbe R14: 00000000004cea34 R15: 000000000076bf2c
[ 70.477119][ T8995]
[ 70.479447][ T8995] Allocated by task 8993:
[ 70.483759][ T8995]  __kasan_kmalloc+0x118/0x1c0
[ 70.488505][ T8995]  kasan_kmalloc+0x9/0x10
[ 70.492827][ T8995]  kmem_cache_alloc_trace+0x221/0x2f0
[ 70.498187][ T8995]  __rdma_create_id+0x66/0x4f0
[ 70.502951][ T8995]  ucma_create_id+0x253/0x540
[ 70.507628][ T8995]  ucma_write+0x2da/0x360
[ 70.511947][ T8995]  __vfs_write+0xb8/0x740
[ 70.516420][ T8995]  vfs_write+0x270/0x580
[ 70.520658][ T8995]  ksys_write+0x117/0x220
[ 70.524987][ T8995]  __x64_sys_write+0x7b/0x90
[ 70.529564][ T8995]  do_syscall_64+0xf7/0x1c0
[ 70.534049][ T8995]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 70.539911][ T8995]
[ 70.542215][ T8995] Freed by task 8989:
[ 70.546176][ T8995]  __kasan_slab_free+0x12e/0x1e0
[ 70.551089][ T8995]  kasan_slab_free+0xe/0x10
[ 70.555612][ T8995]  kfree+0x10d/0x220
[ 70.559501][ T8995]  rdma_destroy_id+0xf72/0x1160
[ 70.564337][ T8995]  ucma_close+0x1eb/0x2d0
[ 70.568647][ T8995]  __fput+0x2e4/0x740
[ 70.572605][ T8995]  ____fput+0x15/0x20
[ 70.576561][ T8995]  task_work_run+0x176/0x1b0
[ 70.581130][ T8995]  prepare_exit_to_usermode+0x480/0x5b0
[ 70.586650][ T8995]  syscall_return_slowpath+0x113/0x4a0
[ 70.592084][ T8995]  do_syscall_64+0x11f/0x1c0
[ 70.596660][ T8995]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 70.602525][ T8995]
[ 70.604857][ T8995] The buggy address belongs to the object at ffff8880a7bd1000
[ 70.604857][ T8995]  which belongs to the cache kmalloc-2k of size 2048
[ 70.618917][ T8995] The buggy address is located 480 bytes inside of
[ 70.618917][ T8995]  2048-byte region [ffff8880a7bd1000, ffff8880a7bd1800)
[ 70.632261][ T8995] The buggy address belongs to the page:
[ 70.638019][ T8995] page:ffffea00029ef440 refcount:1 mapcount:0 mapping:ffff8880aa400e00 index:0x0
[ 70.647110][ T8995] flags: 0xfffe0000000200(slab)
[ 70.651943][ T8995] raw: 00fffe0000000200 ffffea0002605e08 ffffea00029d73c8 ffff8880aa400e00
[ 70.660523][ T8995] raw: 0000000000000000 ffff8880a7bd1000 0000000100000001 0000000000000000
[ 70.669093][ T8995] page dumped because: kasan: bad access detected
[ 70.675509][ T8995]
[ 70.677811][ T8995] Memory state around the buggy address:
[ 70.683427][ T8995]  ffff8880a7bd1080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 70.691480][ T8995]  ffff8880a7bd1100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 70.699630][ T8995] >ffff8880a7bd1180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 70.707670][ T8995]                                                        ^
[ 70.714864][ T8995]  ffff8880a7bd1200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 70.722933][ T8995]  ffff8880a7bd1280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 70.730995][ T8995] ==================================================================
[ 70.739035][ T8995] Disabling lock debugging due to kernel taint
[ 70.749160][ T8995] Kernel panic - not syncing: panic_on_warn set ...
[ 70.755769][ T8995] CPU: 1 PID: 8995 Comm: syz-executor.0 Tainted: G B 5.6.0-rc3-syzkaller #0
[ 70.765739][ T8995] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 70.775796][ T8995] Call Trace:
[ 70.779079][ T8995]  dump_stack+0x1fb/0x318
[ 70.783511][ T8995]  panic+0x264/0x7a9
[ 70.787692][ T8995]  ? __kasan_report+0x193/0x1c0
[ 70.793383][ T8995]  ? trace_hardirqs_on+0x34/0x80
[ 70.798961][ T8995]  ? __kasan_report+0x193/0x1c0
[ 70.803815][ T8995]  __kasan_report+0x1b9/0x1c0
[ 70.808641][ T8995]  ? __list_add_valid+0x58/0xc0
[ 70.813573][ T8995]  kasan_report+0x26/0x50
[ 70.817895][ T8995]  __asan_report_load8_noabort+0x14/0x20
[ 70.824642][ T8995]  __list_add_valid+0x58/0xc0
[ 70.829486][ T8995]  rdma_listen+0x322/0x9a0
[ 70.833994][ T8995]  ucma_listen+0x245/0x300
[ 70.838416][ T8995]  ? __kasan_check_write+0x14/0x20
[ 70.843622][ T8995]  ? ucma_connect+0x7e0/0x7e0
[ 70.848293][ T8995]  ucma_write+0x2da/0x360
[ 70.852617][ T8995]  ? ucma_get_global_nl_info+0x70/0x70
[ 70.858062][ T8995]  __vfs_write+0xb8/0x740
[ 70.862393][ T8995]  ? security_file_permission+0x147/0x340
[ 70.868113][ T8995]  ? rw_verify_area+0x1c2/0x360
[ 70.872949][ T8995]  vfs_write+0x270/0x580
[ 70.877182][ T8995]  ksys_write+0x117/0x220
[ 70.881516][ T8995]  __x64_sys_write+0x7b/0x90
[ 70.886093][ T8995]  do_syscall_64+0xf7/0x1c0
[ 70.890580][ T8995]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 70.896453][ T8995] RIP: 0033:0x45c479
[ 70.900332][ T8995] Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 70.919949][ T8995] RSP: 002b:00007f275034cc78 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[ 70.932365][ T8995] RAX: ffffffffffffffda RBX: 00007f275034d6d4 RCX: 000000000045c479
[ 70.940342][ T8995] RDX: 0000000000000010 RSI: 0000000020000040 RDI: 0000000000000003
[ 70.948315][ T8995] RBP: 000000000076bf20 R08: 0000000000000000 R09: 0000000000000000
[ 70.956271][ T8995] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
[ 70.964249][ T8995] R13: 0000000000000cbe R14: 00000000004cea34 R15: 000000000076bf2c
[ 70.973443][ T8995] Kernel Offset: disabled
[ 70.977793][ T8995] Rebooting in 86400 seconds..