[ OK ] Started Getty on tty1.
[ OK ] Started Serial Getty on ttyS0.
[ OK ] Started Getty on tty2.
[ OK ] Reached target Login Prompts.
[ OK ] Reached target Multi-User System.
[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
[ OK ] Started Update UTMP about System Runlevel Changes.
Starting Load/Save RF Kill Switch Status...
[ OK ] Started Load/Save RF Kill Switch Status.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.10.38' (ECDSA) to the list of known hosts.
2020/04/02 04:38:53 parsed 1 programs
2020/04/02 04:38:55 executed programs: 0
syzkaller login: [ 61.093640][ T7038] IPVS: ftp: loaded support on port[0] = 21
[ 61.182580][ T7038] chnl_net:caif_netlink_parms(): no params data found
[ 61.233340][ T7038] bridge0: port 1(bridge_slave_0) entered blocking state
[ 61.241097][ T7038] bridge0: port 1(bridge_slave_0) entered disabled state
[ 61.249517][ T7038] device bridge_slave_0 entered promiscuous mode
[ 61.258877][ T7038] bridge0: port 2(bridge_slave_1) entered blocking state
[ 61.266843][ T7038] bridge0: port 2(bridge_slave_1) entered disabled state
[ 61.275184][ T7038] device bridge_slave_1 entered promiscuous mode
[ 61.295612][ T7038] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 61.306713][ T7038] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 61.331083][ T7038] team0: Port device team_slave_0 added
[ 61.339145][ T7038] team0: Port device team_slave_1 added
[ 61.356768][ T7038] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 61.363701][ T7038] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 61.391400][ T7038] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[ 61.403986][ T7038] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 61.411326][ T7038] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 61.437367][ T7038] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[ 61.517862][ T7038] device hsr_slave_0 entered promiscuous mode
[ 61.584756][ T7038] device hsr_slave_1 entered promiscuous mode
[ 61.719711][ T7038] netdevsim netdevsim0 netdevsim0: renamed from eth0
[ 61.757042][ T7038] netdevsim netdevsim0 netdevsim1: renamed from eth1
[ 61.807518][ T7038] netdevsim netdevsim0 netdevsim2: renamed from eth2
[ 61.856328][ T7038] netdevsim netdevsim0 netdevsim3: renamed from eth3
[ 61.909355][ T7038] bridge0: port 2(bridge_slave_1) entered blocking state
[ 61.916620][ T7038] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 61.924417][ T7038] bridge0: port 1(bridge_slave_0) entered blocking state
[ 61.931477][ T7038] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 61.976373][ T7038] 8021q: adding VLAN 0 to HW filter on device bond0
[ 61.990808][ T2684] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 62.002470][ T2684] bridge0: port 1(bridge_slave_0) entered disabled state
[ 62.011506][ T2684] bridge0: port 2(bridge_slave_1) entered disabled state
[ 62.020117][ T2684] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 62.033346][ T7038] 8021q: adding VLAN 0 to HW filter on device team0
[ 62.043562][ T37] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 62.053256][ T37] bridge0: port 1(bridge_slave_0) entered blocking state
[ 62.060405][ T37] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 62.072354][ T2684] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 62.081727][ T2684] bridge0: port 2(bridge_slave_1) entered blocking state
[ 62.088837][ T2684] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 62.115193][ T2684] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 62.123710][ T2684] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 62.134633][ T2684] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 62.142927][ T2684] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 62.156591][ T37] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 62.167124][ T7038] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 62.187627][ T2684] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 62.195201][ T2684] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 62.208888][ T7038] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 62.226827][ T37] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_virt_wifi: link becomes ready
[ 62.236002][ T37] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 62.255801][ T2836] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_vlan: link becomes ready
[ 62.266265][ T2836] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 62.277080][ T37] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 62.285061][ T37] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 62.296618][ T7038] device veth0_vlan entered promiscuous mode
[ 62.308178][ T7038] device veth1_vlan entered promiscuous mode
[ 62.329715][ T2684] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan0: link becomes ready
[ 62.339262][ T2684] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan1: link becomes ready
[ 62.348535][ T2684] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_macvtap: link becomes ready
[ 62.357866][ T2684] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 62.368948][ T7038] device veth0_macvtap entered promiscuous mode
[ 62.380512][ T7038] device veth1_macvtap entered promiscuous mode
[ 62.397393][ T7038] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 62.406111][ T2684] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready
[ 62.414424][ T2684] IPv6: ADDRCONF(NETDEV_CHANGE): macsec0: link becomes ready
[ 62.422819][ T2684] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready
[ 62.436052][ T2684] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 62.448761][ T7038] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 62.456157][ T37] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready
[ 62.466470][ T37] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 62.745665][ T7260] ==================================================================
[ 62.753944][ T7260] BUG: KASAN: use-after-free in __list_add_valid+0x93/0xa0
[ 62.761153][ T7260] Read of size 8 at addr ffff8880a84b41e0 by task syz-executor.0/7260
[ 62.769301][ T7260]
[ 62.771643][ T7260] CPU: 0 PID: 7260 Comm: syz-executor.0 Not tainted 5.6.0-syzkaller #0
[ 62.779877][ T7260] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 62.789965][ T7260] Call Trace:
[ 62.793272][ T7260]  dump_stack+0x188/0x20d
[ 62.797637][ T7260]  ? __list_add_valid+0x93/0xa0
[ 62.802533][ T7260]  ? __list_add_valid+0x93/0xa0
[ 62.807413][ T7260]  print_address_description.constprop.0.cold+0xd3/0x315
[ 62.814435][ T7260]  ? __list_add_valid+0x93/0xa0
[ 62.819290][ T7260]  ? __list_add_valid+0x93/0xa0
[ 62.824132][ T7260]  __kasan_report.cold+0x1a/0x32
[ 62.829068][ T7260]  ? __list_add_valid+0x93/0xa0
[ 62.833913][ T7260]  kasan_report+0xe/0x20
[ 62.838166][ T7260]  __list_add_valid+0x93/0xa0
[ 62.842851][ T7260]  rdma_listen+0x681/0x910
[ 62.847282][ T7260]  ucma_listen+0x14d/0x1c0
[ 62.851708][ T7260]  ? ucma_notify+0x190/0x190
[ 62.856301][ T7260]  ? __might_fault+0x190/0x1d0
[ 62.861074][ T7260]  ? _copy_from_user+0x13c/0x1a0
[ 62.866027][ T7260]  ? ucma_notify+0x190/0x190
[ 62.870630][ T7260]  ucma_write+0x285/0x350
[ 62.874968][ T7260]  ? ucma_open+0x270/0x270
[ 62.879401][ T7260]  ? security_file_permission+0x8a/0x380
[ 62.885058][ T7260]  ? ucma_open+0x270/0x270
[ 62.889488][ T7260]  __vfs_write+0x76/0x100
[ 62.893866][ T7260]  vfs_write+0x268/0x5d0
[ 62.898110][ T7260]  ksys_write+0x1ee/0x250
[ 62.902424][ T7260]  ? __ia32_sys_read+0xb0/0xb0
[ 62.907198][ T7260]  ? __x64_sys_clock_gettime32+0x240/0x240
[ 62.913002][ T7260]  ? trace_hardirqs_off_caller+0x55/0x230
[ 62.918738][ T7260]  do_fast_syscall_32+0x270/0xe90
[ 62.923761][ T7260]  entry_SYSENTER_compat+0x70/0x7f
[ 62.928884][ T7260]
[ 62.931208][ T7260] Allocated by task 7255:
[ 62.935525][ T7260]  save_stack+0x1b/0x80
[ 62.939698][ T7260]  __kasan_kmalloc.constprop.0+0xbf/0xd0
[ 62.945340][ T7260]  kmem_cache_alloc_trace+0x153/0x7d0
[ 62.950703][ T7260]  __rdma_create_id+0x5b/0x850
[ 62.955450][ T7260]  ucma_create_id+0x1d1/0x590
[ 62.960114][ T7260]  ucma_write+0x285/0x350
[ 62.964433][ T7260]  __vfs_write+0x76/0x100
[ 62.968755][ T7260]  vfs_write+0x268/0x5d0
[ 62.972990][ T7260]  ksys_write+0x1ee/0x250
[ 62.977306][ T7260]  do_fast_syscall_32+0x270/0xe90
[ 62.982309][ T7260]  entry_SYSENTER_compat+0x70/0x7f
[ 62.987395][ T7260]
[ 62.989700][ T7260] Freed by task 7255:
[ 62.993677][ T7260]  save_stack+0x1b/0x80
[ 62.997812][ T7260]  __kasan_slab_free+0xf7/0x140
[ 63.002637][ T7260]  kfree+0x109/0x2b0
[ 63.006510][ T7260]  ucma_close+0x111/0x300
[ 63.010828][ T7260]  __fput+0x2e9/0x860
[ 63.014787][ T7260]  task_work_run+0xf4/0x1b0
[ 63.019281][ T7260]  exit_to_usermode_loop+0x2fa/0x360
[ 63.024559][ T7260]  do_fast_syscall_32+0xbef/0xe90
[ 63.029572][ T7260]  entry_SYSENTER_compat+0x70/0x7f
[ 63.034668][ T7260]
[ 63.036977][ T7260] The buggy address belongs to the object at ffff8880a84b4000
[ 63.036977][ T7260]  which belongs to the cache kmalloc-2k of size 2048
[ 63.051015][ T7260] The buggy address is located 480 bytes inside of
[ 63.051015][ T7260]  2048-byte region [ffff8880a84b4000, ffff8880a84b4800)
[ 63.064361][ T7260] The buggy address belongs to the page:
[ 63.069995][ T7260] page:ffffea0002a12d00 refcount:1 mapcount:0 mapping:ffff8880aa000e00 index:0x0
[ 63.079077][ T7260] flags: 0xfffe0000000200(slab)
[ 63.083920][ T7260] raw: 00fffe0000000200 ffffea00023c6388 ffffea00024c2948 ffff8880aa000e00
[ 63.092495][ T7260] raw: 0000000000000000 ffff8880a84b4000 0000000100000001 0000000000000000
[ 63.101072][ T7260] page dumped because: kasan: bad access detected
[ 63.107457][ T7260]
[ 63.109768][ T7260] Memory state around the buggy address:
[ 63.115381][ T7260]  ffff8880a84b4080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 63.123450][ T7260]  ffff8880a84b4100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 63.131498][ T7260] >ffff8880a84b4180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 63.139541][ T7260]                                                        ^
[ 63.146731][ T7260]  ffff8880a84b4200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 63.154799][ T7260]  ffff8880a84b4280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 63.162832][ T7260] ==================================================================
[ 63.170865][ T7260] Disabling lock debugging due to kernel taint
[ 63.185679][ T7260] Kernel panic - not syncing: panic_on_warn set ...
[ 63.192289][ T7260] CPU: 0 PID: 7260 Comm: syz-executor.0 Tainted: G    B             5.6.0-syzkaller #0
[ 63.201909][ T7260] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 63.211954][ T7260] Call Trace:
[ 63.215223][ T7260]  dump_stack+0x188/0x20d
[ 63.219534][ T7260]  panic+0x2e3/0x75c
[ 63.223408][ T7260]  ? add_taint.cold+0x16/0x16
[ 63.228101][ T7260]  ? preempt_schedule_common+0x5e/0xc0
[ 63.233542][ T7260]  ? __list_add_valid+0x93/0xa0
[ 63.238427][ T7260]  ? preempt_schedule_thunk+0x16/0x18
[ 63.243951][ T7260]  ? trace_hardirqs_on+0x55/0x220
[ 63.248968][ T7260]  ? __list_add_valid+0x93/0xa0
[ 63.253818][ T7260]  end_report+0x43/0x49
[ 63.257956][ T7260]  ? __list_add_valid+0x93/0xa0
[ 63.262786][ T7260]  __kasan_report.cold+0xd/0x32
[ 63.267621][ T7260]  ? __list_add_valid+0x93/0xa0
[ 63.272450][ T7260]  kasan_report+0xe/0x20
[ 63.276684][ T7260]  __list_add_valid+0x93/0xa0
[ 63.281381][ T7260]  rdma_listen+0x681/0x910
[ 63.285776][ T7260]  ucma_listen+0x14d/0x1c0
[ 63.290169][ T7260]  ? ucma_notify+0x190/0x190
[ 63.294750][ T7260]  ? __might_fault+0x190/0x1d0
[ 63.299491][ T7260]  ? _copy_from_user+0x13c/0x1a0
[ 63.304416][ T7260]  ? ucma_notify+0x190/0x190
[ 63.309002][ T7260]  ucma_write+0x285/0x350
[ 63.313310][ T7260]  ? ucma_open+0x270/0x270
[ 63.317707][ T7260]  ? security_file_permission+0x8a/0x380
[ 63.323315][ T7260]  ? ucma_open+0x270/0x270
[ 63.327740][ T7260]  __vfs_write+0x76/0x100
[ 63.332047][ T7260]  vfs_write+0x268/0x5d0
[ 63.336268][ T7260]  ksys_write+0x1ee/0x250
[ 63.340577][ T7260]  ? __ia32_sys_read+0xb0/0xb0
[ 63.345326][ T7260]  ? __x64_sys_clock_gettime32+0x240/0x240
[ 63.351159][ T7260]  ? trace_hardirqs_off_caller+0x55/0x230
[ 63.356861][ T7260]  do_fast_syscall_32+0x270/0xe90
[ 63.361874][ T7260]  entry_SYSENTER_compat+0x70/0x7f
[ 63.368025][ T7260] Kernel Offset: disabled
[ 63.372358][ T7260] Rebooting in 86400 seconds..