[ ok ] Starting enhanced syslogd: rsyslogd.
[ 76.758890][ T27] audit: type=1800 audit(1584085763.918:25): pid=9521 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="cron" dev="sda1" ino=2414 res=0
[ 76.779598][ T27] audit: type=1800 audit(1584085763.918:26): pid=9521 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0
[ 76.814341][ T27] audit: type=1800 audit(1584085763.928:27): pid=9521 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.10.2' (ECDSA) to the list of known hosts.
2020/03/13 07:49:35 parsed 1 programs
2020/03/13 07:49:37 executed programs: 0
syzkaller login: [ 90.539345][ T9689] IPVS: ftp: loaded support on port[0] = 21
[ 90.604115][ T9689] chnl_net:caif_netlink_parms(): no params data found
[ 90.656785][ T9689] bridge0: port 1(bridge_slave_0) entered blocking state
[ 90.664621][ T9689] bridge0: port 1(bridge_slave_0) entered disabled state
[ 90.672515][ T9689] device bridge_slave_0 entered promiscuous mode
[ 90.681254][ T9689] bridge0: port 2(bridge_slave_1) entered blocking state
[ 90.688734][ T9689] bridge0: port 2(bridge_slave_1) entered disabled state
[ 90.696624][ T9689] device bridge_slave_1 entered promiscuous mode
[ 90.716306][ T9689] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 90.727661][ T9689] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 90.748467][ T9689] team0: Port device team_slave_0 added
[ 90.756649][ T9689] team0: Port device team_slave_1 added
[ 90.773381][ T9689] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 90.780476][ T9689] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 90.806667][ T9689] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[ 90.819207][ T9689] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 90.826449][ T9689] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 90.852762][ T9689] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[ 90.936717][ T9689] device hsr_slave_0 entered promiscuous mode
[ 90.974660][ T9689] device hsr_slave_1 entered promiscuous mode
[ 91.126282][ T9689] netdevsim netdevsim0 netdevsim0: renamed from eth0
[ 91.168167][ T9689] netdevsim netdevsim0 netdevsim1: renamed from eth1
[ 91.237667][ T9689] netdevsim netdevsim0 netdevsim2: renamed from eth2
[ 91.317143][ T9689] netdevsim netdevsim0 netdevsim3: renamed from eth3
[ 91.400887][ T9689] bridge0: port 2(bridge_slave_1) entered blocking state
[ 91.408252][ T9689] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 91.416255][ T9689] bridge0: port 1(bridge_slave_0) entered blocking state
[ 91.423333][ T9689] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 91.471424][ T9689] 8021q: adding VLAN 0 to HW filter on device bond0
[ 91.487055][ T3134] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 91.497645][ T3134] bridge0: port 1(bridge_slave_0) entered disabled state
[ 91.506240][ T3134] bridge0: port 2(bridge_slave_1) entered disabled state
[ 91.514625][ T3134] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 91.528659][ T9689] 8021q: adding VLAN 0 to HW filter on device team0
[ 91.539965][ T2797] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 91.549464][ T2797] bridge0: port 1(bridge_slave_0) entered blocking state
[ 91.556967][ T2797] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 91.576247][ T3134] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 91.585379][ T3134] bridge0: port 2(bridge_slave_1) entered blocking state
[ 91.592434][ T3134] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 91.614331][ T2797] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_team: link becomes ready
[ 91.623057][ T2797] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 91.631997][ T2797] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_team: link becomes ready
[ 91.641060][ T2797] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 91.649940][ T2797] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_hsr: link becomes ready
[ 91.658895][ T2797] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 91.667360][ T2797] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_hsr: link becomes ready
[ 91.676193][ T2797] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 91.684954][ T2797] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 91.696270][ T9689] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 91.718684][ T3134] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 91.727456][ T3134] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 91.739780][ T9689] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 91.760081][ T3134] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_virt_wifi: link becomes ready
[ 91.769659][ T3134] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 91.789087][ T2797] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_vlan: link becomes ready
[ 91.797743][ T2797] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 91.807360][ T2797] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 91.815629][ T2797] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 91.826087][ T9689] device veth0_vlan entered promiscuous mode
[ 91.837783][ T9689] device veth1_vlan entered promiscuous mode
[ 91.860634][ T3134] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan0: link becomes ready
[ 91.870028][ T3134] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan1: link becomes ready
[ 91.878706][ T3134] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_macvtap: link becomes ready
[ 91.887482][ T3134] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 91.898322][ T9689] device veth0_macvtap entered promiscuous mode
[ 91.910016][ T9689] device veth1_macvtap entered promiscuous mode
[ 91.927758][ T9689] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 91.937056][ T2797] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready
[ 91.946125][ T2797] IPv6: ADDRCONF(NETDEV_CHANGE): macsec0: link becomes ready
[ 91.954010][ T2797] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready
[ 91.962875][ T2797] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 91.975971][ T9689] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 91.984579][ T3134] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready
[ 91.993268][ T3134] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 92.321215][ T9705] ==================================================================
[ 92.329557][ T9705] BUG: KASAN: use-after-free in __list_add_valid+0x93/0xa0
[ 92.336813][ T9705] Read of size 8 at addr ffff88808f45d1e0 by task syz-executor.0/9705
[ 92.344948][ T9705]
[ 92.347276][ T9705] CPU: 0 PID: 9705 Comm: syz-executor.0 Not tainted 5.6.0-rc3-next-20200228-syzkaller #0
[ 92.357058][ T9705] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 92.367129][ T9705] Call Trace:
[ 92.370428][ T9705]  dump_stack+0x188/0x20d
[ 92.374755][ T9705]  ? __list_add_valid+0x93/0xa0
[ 92.379618][ T9705]  ? __list_add_valid+0x93/0xa0
[ 92.384458][ T9705]  print_address_description.constprop.0.cold+0xd3/0x315
[ 92.391481][ T9705]  ? __list_add_valid+0x93/0xa0
[ 92.396323][ T9705]  ? __list_add_valid+0x93/0xa0
[ 92.401160][ T9705]  __kasan_report.cold+0x1a/0x32
[ 92.406099][ T9705]  ? __list_add_valid+0x93/0xa0
[ 92.410954][ T9705]  kasan_report+0xe/0x20
[ 92.415202][ T9705]  __list_add_valid+0x93/0xa0
[ 92.419875][ T9705]  rdma_listen+0x681/0x910
[ 92.424296][ T9705]  ucma_listen+0x14d/0x1c0
[ 92.428708][ T9705]  ? ucma_notify+0x190/0x190
[ 92.433289][ T9705]  ? __might_fault+0x190/0x1d0
[ 92.438040][ T9705]  ? _copy_from_user+0x123/0x190
[ 92.442981][ T9705]  ? ucma_notify+0x190/0x190
[ 92.447681][ T9705]  ucma_write+0x285/0x350
[ 92.452005][ T9705]  ? ucma_open+0x270/0x270
[ 92.456436][ T9705]  ? security_file_permission+0x8a/0x370
[ 92.462096][ T9705]  ? ucma_open+0x270/0x270
[ 92.466507][ T9705]  __vfs_write+0x76/0x100
[ 92.470871][ T9705]  vfs_write+0x262/0x5c0
[ 92.475128][ T9705]  ksys_write+0x1e8/0x250
[ 92.479463][ T9705]  ? __ia32_sys_read+0xb0/0xb0
[ 92.484222][ T9705]  ? __ia32_sys_clock_settime+0x260/0x260
[ 92.489966][ T9705]  ? trace_hardirqs_off_caller+0x55/0x230
[ 92.495690][ T9705]  do_syscall_64+0xf6/0x790
[ 92.500209][ T9705]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 92.506086][ T9705] RIP: 0033:0x45c679
[ 92.509992][ T9705] Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 92.529615][ T9705] RSP: 002b:00007f9860c45c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[ 92.538033][ T9705] RAX: ffffffffffffffda RBX: 00007f9860c466d4 RCX: 000000000045c679
[ 92.546014][ T9705] RDX: 0000000000000010 RSI: 0000000020000140 RDI: 0000000000000003
[ 92.553990][ T9705] RBP: 000000000076bfa0 R08: 0000000000000000 R09: 0000000000000000
[ 92.562028][ T9705] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
[ 92.570082][ T9705] R13: 0000000000000cbe R14: 00000000004cec51 R15: 000000000076bfac
[ 92.578109][ T9705]
[ 92.580433][ T9705] Allocated by task 9696:
[ 92.584810][ T9705]  save_stack+0x1b/0x40
[ 92.588958][ T9705]  __kasan_kmalloc.constprop.0+0xbf/0xd0
[ 92.594599][ T9705]  kmem_cache_alloc_trace+0x153/0x7d0
[ 92.599956][ T9705]  __rdma_create_id+0x5b/0x850
[ 92.604713][ T9705]  ucma_create_id+0x1cb/0x580
[ 92.609382][ T9705]  ucma_write+0x285/0x350
[ 92.613696][ T9705]  __vfs_write+0x76/0x100
[ 92.618083][ T9705]  vfs_write+0x262/0x5c0
[ 92.622379][ T9705]  ksys_write+0x1e8/0x250
[ 92.626741][ T9705]  do_syscall_64+0xf6/0x790
[ 92.631358][ T9705]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 92.637251][ T9705]
[ 92.639567][ T9705] Freed by task 9696:
[ 92.643597][ T9705]  save_stack+0x1b/0x40
[ 92.647751][ T9705]  __kasan_slab_free+0xf7/0x140
[ 92.652594][ T9705]  kfree+0x109/0x2b0
[ 92.656478][ T9705]  ucma_close+0x10b/0x300
[ 92.660798][ T9705]  __fput+0x2da/0x850
[ 92.664765][ T9705]  task_work_run+0x13f/0x1b0
[ 92.669400][ T9705]  exit_to_usermode_loop+0x2fa/0x360
[ 92.674677][ T9705]  do_syscall_64+0x672/0x790
[ 92.679261][ T9705]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 92.685187][ T9705]
[ 92.687501][ T9705] The buggy address belongs to the object at ffff88808f45d000
[ 92.687501][ T9705]  which belongs to the cache kmalloc-2k of size 2048
[ 92.701599][ T9705] The buggy address is located 480 bytes inside of
[ 92.701599][ T9705]  2048-byte region [ffff88808f45d000, ffff88808f45d800)
[ 92.714951][ T9705] The buggy address belongs to the page:
[ 92.720761][ T9705] page:ffffea00023d1740 refcount:1 mapcount:0 mapping:00000000da5e565a index:0x0
[ 92.729934][ T9705] flags: 0xfffe0000000200(slab)
[ 92.734836][ T9705] raw: 00fffe0000000200 ffffea0002557808 ffffea00023648c8 ffff8880aa000e00
[ 92.743653][ T9705] raw: 0000000000000000 ffff88808f45d000 0000000100000001 0000000000000000
[ 92.752294][ T9705] page dumped because: kasan: bad access detected
[ 92.758689][ T9705]
[ 92.760998][ T9705] Memory state around the buggy address:
[ 92.766661][ T9705]  ffff88808f45d080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 92.774712][ T9705]  ffff88808f45d100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 92.782763][ T9705] >ffff88808f45d180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 92.790809][ T9705]                                                        ^
[ 92.798016][ T9705]  ffff88808f45d200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 92.806080][ T9705]  ffff88808f45d280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 92.814212][ T9705] ==================================================================
[ 92.822285][ T9705] Disabling lock debugging due to kernel taint
[ 92.833812][ T9705] Kernel panic - not syncing: panic_on_warn set ...
[ 92.840525][ T9705] CPU: 0 PID: 9705 Comm: syz-executor.0 Tainted: G B 5.6.0-rc3-next-20200228-syzkaller #0
[ 92.851724][ T9705] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 92.861779][ T9705] Call Trace:
[ 92.865064][ T9705]  dump_stack+0x188/0x20d
[ 92.869391][ T9705]  panic+0x2e3/0x75c
[ 92.873292][ T9705]  ? add_taint.cold+0x16/0x16
[ 92.877952][ T9705]  ? preempt_schedule_common+0x5e/0xc0
[ 92.883394][ T9705]  ? __list_add_valid+0x93/0xa0
[ 92.888242][ T9705]  ? ___preempt_schedule+0x16/0x18
[ 92.893335][ T9705]  ? trace_hardirqs_on+0x55/0x220
[ 92.898346][ T9705]  ? __list_add_valid+0x93/0xa0
[ 92.903179][ T9705]  end_report+0x43/0x49
[ 92.907335][ T9705]  ? __list_add_valid+0x93/0xa0
[ 92.912168][ T9705]  __kasan_report.cold+0xd/0x32
[ 92.917020][ T9705]  ? __list_add_valid+0x93/0xa0
[ 92.921854][ T9705]  kasan_report+0xe/0x20
[ 92.926080][ T9705]  __list_add_valid+0x93/0xa0
[ 92.930754][ T9705]  rdma_listen+0x681/0x910
[ 92.935156][ T9705]  ucma_listen+0x14d/0x1c0
[ 92.939571][ T9705]  ? ucma_notify+0x190/0x190
[ 92.944163][ T9705]  ? __might_fault+0x190/0x1d0
[ 92.948930][ T9705]  ? _copy_from_user+0x123/0x190
[ 92.953850][ T9705]  ? ucma_notify+0x190/0x190
[ 92.958428][ T9705]  ucma_write+0x285/0x350
[ 92.962749][ T9705]  ? ucma_open+0x270/0x270
[ 92.967158][ T9705]  ? security_file_permission+0x8a/0x370
[ 92.972789][ T9705]  ? ucma_open+0x270/0x270
[ 92.977262][ T9705]  __vfs_write+0x76/0x100
[ 92.981580][ T9705]  vfs_write+0x262/0x5c0
[ 92.985949][ T9705]  ksys_write+0x1e8/0x250
[ 92.990311][ T9705]  ? __ia32_sys_read+0xb0/0xb0
[ 92.995125][ T9705]  ? __ia32_sys_clock_settime+0x260/0x260
[ 93.000908][ T9705]  ? trace_hardirqs_off_caller+0x55/0x230
[ 93.006776][ T9705]  do_syscall_64+0xf6/0x790
[ 93.011326][ T9705]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 93.017206][ T9705] RIP: 0033:0x45c679
[ 93.021131][ T9705] Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 93.040720][ T9705] RSP: 002b:00007f9860c45c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[ 93.049246][ T9705] RAX: ffffffffffffffda RBX: 00007f9860c466d4 RCX: 000000000045c679
[ 93.057204][ T9705] RDX: 0000000000000010 RSI: 0000000020000140 RDI: 0000000000000003
[ 93.065186][ T9705] RBP: 000000000076bfa0 R08: 0000000000000000 R09: 0000000000000000
[ 93.073188][ T9705] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
[ 93.081261][ T9705] R13: 0000000000000cbe R14: 00000000004cec51 R15: 000000000076bfac
[ 93.090681][ T9705] Kernel Offset: disabled
[ 93.095014][ T9705] Rebooting in 86400 seconds..