[ ok ] Starting enhanced syslogd: rsyslogd.
[ 83.787899][ T27] audit: type=1800 audit(1584016238.092:25): pid=9304 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="cron" dev="sda1" ino=2414 res=0
[ 83.824034][ T27] audit: type=1800 audit(1584016238.092:26): pid=9304 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0
[ 83.859828][ T27] audit: type=1800 audit(1584016238.092:27): pid=9304 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.232' (ECDSA) to the list of known hosts.
2020/03/12 12:30:47 parsed 1 programs
2020/03/12 12:30:49 executed programs: 0
syzkaller login:
[ 95.008642][ T9474] IPVS: ftp: loaded support on port[0] = 21
[ 95.071039][ T9474] chnl_net:caif_netlink_parms(): no params data found
[ 95.112937][ T9474] bridge0: port 1(bridge_slave_0) entered blocking state
[ 95.120988][ T9474] bridge0: port 1(bridge_slave_0) entered disabled state
[ 95.129092][ T9474] device bridge_slave_0 entered promiscuous mode
[ 95.137620][ T9474] bridge0: port 2(bridge_slave_1) entered blocking state
[ 95.144982][ T9474] bridge0: port 2(bridge_slave_1) entered disabled state
[ 95.152688][ T9474] device bridge_slave_1 entered promiscuous mode
[ 95.171132][ T9474] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 95.182367][ T9474] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 95.202749][ T9474] team0: Port device team_slave_0 added
[ 95.210219][ T9474] team0: Port device team_slave_1 added
[ 95.226052][ T9474] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 95.233023][ T9474] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 95.259111][ T9474] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[ 95.271615][ T9474] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 95.278711][ T9474] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 95.304839][ T9474] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[ 95.376207][ T9474] device hsr_slave_0 entered promiscuous mode
[ 95.414244][ T9474] device hsr_slave_1 entered promiscuous mode
[ 95.524218][ T9474] netdevsim netdevsim0 netdevsim0: renamed from eth0
[ 95.606765][ T9474] netdevsim netdevsim0 netdevsim1: renamed from eth1
[ 95.657113][ T9474] netdevsim netdevsim0 netdevsim2: renamed from eth2
[ 95.716923][ T9474] netdevsim netdevsim0 netdevsim3: renamed from eth3
[ 95.790535][ T9474] bridge0: port 2(bridge_slave_1) entered blocking state
[ 95.798358][ T9474] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 95.806308][ T9474] bridge0: port 1(bridge_slave_0) entered blocking state
[ 95.813387][ T9474] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 95.861919][ T9474] 8021q: adding VLAN 0 to HW filter on device bond0
[ 95.875936][ T2687] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 95.886889][ T2687] bridge0: port 1(bridge_slave_0) entered disabled state
[ 95.895677][ T2687] bridge0: port 2(bridge_slave_1) entered disabled state
[ 95.904379][ T2687] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 95.917773][ T9474] 8021q: adding VLAN 0 to HW filter on device team0
[ 95.929238][ T2706] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 95.938019][ T2706] bridge0: port 1(bridge_slave_0) entered blocking state
[ 95.945150][ T2706] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 95.957047][ T2687] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 95.966395][ T2687] bridge0: port 2(bridge_slave_1) entered blocking state
[ 95.973634][ T2687] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 95.995417][ T2706] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 96.004558][ T2706] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 96.015506][ T2687] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 96.032233][ T9474] hsr0: Slave A (hsr_slave_0) is not up; please bring it up to get a fully working HSR network
[ 96.042971][ T9474] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
[ 96.057067][ T2687] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 96.066770][ T2687] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 96.075908][ T2687] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 96.093272][ T2706] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 96.101259][ T2706] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 96.114057][ T9474] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 96.134927][ T2687] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_virt_wifi: link becomes ready
[ 96.143596][ T2687] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 96.168213][ T2687] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_vlan: link becomes ready
[ 96.177538][ T2687] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 96.188690][ T9474] device veth0_vlan entered promiscuous mode
[ 96.196312][ T2688] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 96.205482][ T2688] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 96.218044][ T9474] device veth1_vlan entered promiscuous mode
[ 96.240147][ T2688] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan0: link becomes ready
[ 96.249217][ T2688] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan1: link becomes ready
[ 96.258863][ T2688] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_macvtap: link becomes ready
[ 96.269799][ T2688] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 96.281139][ T9474] device veth0_macvtap entered promiscuous mode
[ 96.293714][ T9474] device veth1_macvtap entered promiscuous mode
[ 96.316049][ T9474] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 96.325268][ T2687] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready
[ 96.333330][ T2687] IPv6: ADDRCONF(NETDEV_CHANGE): macsec0: link becomes ready
[ 96.343404][ T2687] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready
[ 96.352699][ T2687] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 96.365677][ T9474] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 96.374855][ T2687] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready
[ 96.383784][ T2687] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 97.929596][ T9670] ==================================================================
[ 97.938228][ T9670] BUG: KASAN: use-after-free in __list_add_valid+0x93/0xa0
[ 97.945569][ T9670] Read of size 8 at addr ffff8880975121e0 by task syz-executor.0/9670
[ 97.953730][ T9670]
[ 97.956330][ T9670] CPU: 0 PID: 9670 Comm: syz-executor.0 Not tainted 5.6.0-rc3-next-20200228-syzkaller #0
[ 97.967505][ T9670] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 97.977724][ T9670] Call Trace:
[ 97.981010][ T9670]  dump_stack+0x188/0x20d
[ 97.985362][ T9670]  ? __list_add_valid+0x93/0xa0
[ 97.990811][ T9670]  ? __list_add_valid+0x93/0xa0
[ 97.996574][ T9670]  print_address_description.constprop.0.cold+0xd3/0x315
[ 98.004257][ T9670]  ? __list_add_valid+0x93/0xa0
[ 98.009107][ T9670]  ? __list_add_valid+0x93/0xa0
[ 98.014051][ T9670]  __kasan_report.cold+0x1a/0x32
[ 98.019065][ T9670]  ? __list_add_valid+0x93/0xa0
[ 98.024171][ T9670]  kasan_report+0xe/0x20
[ 98.028424][ T9670]  __list_add_valid+0x93/0xa0
[ 98.033538][ T9670]  rdma_listen+0x681/0x910
[ 98.038077][ T9670]  ucma_listen+0x14d/0x1c0
[ 98.042675][ T9670]  ? ucma_notify+0x190/0x190
[ 98.047255][ T9670]  ? __might_fault+0x190/0x1d0
[ 98.052382][ T9670]  ? _copy_from_user+0x123/0x190
[ 98.057601][ T9670]  ? ucma_notify+0x190/0x190
[ 98.062186][ T9670]  ucma_write+0x285/0x350
[ 98.067025][ T9670]  ? ucma_open+0x270/0x270
[ 98.071447][ T9670]  ? security_file_permission+0x8a/0x370
[ 98.077106][ T9670]  ? ucma_open+0x270/0x270
[ 98.081526][ T9670]  __vfs_write+0x76/0x100
[ 98.085851][ T9670]  vfs_write+0x262/0x5c0
[ 98.090454][ T9670]  ksys_write+0x1e8/0x250
[ 98.094855][ T9670]  ? __ia32_sys_read+0xb0/0xb0
[ 98.099707][ T9670]  ? __ia32_sys_clock_settime+0x260/0x260
[ 98.105566][ T9670]  ? trace_hardirqs_off_caller+0x55/0x230
[ 98.111302][ T9670]  do_syscall_64+0xf6/0x790
[ 98.115806][ T9670]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 98.122724][ T9670] RIP: 0033:0x45c679
[ 98.126618][ T9670] Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 98.146846][ T9670] RSP: 002b:00007f18d52a0c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[ 98.155767][ T9670] RAX: ffffffffffffffda RBX: 00007f18d52a16d4 RCX: 000000000045c679
[ 98.163725][ T9670] RDX: 0000000000000010 RSI: 0000000020000140 RDI: 0000000000000003
[ 98.171687][ T9670] RBP: 000000000076bfa0 R08: 0000000000000000 R09: 0000000000000000
[ 98.179715][ T9670] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
[ 98.187704][ T9670] R13: 0000000000000cbe R14: 00000000004cec51 R15: 000000000076bfac
[ 98.195701][ T9670]
[ 98.198023][ T9670] Allocated by task 9571:
[ 98.202338][ T9670]  save_stack+0x1b/0x40
[ 98.206482][ T9670]  __kasan_kmalloc.constprop.0+0xbf/0xd0
[ 98.212096][ T9670]  kmem_cache_alloc_trace+0x153/0x7d0
[ 98.217534][ T9670]  __rdma_create_id+0x5b/0x850
[ 98.222289][ T9670]  ucma_create_id+0x1cb/0x580
[ 98.227052][ T9670]  ucma_write+0x285/0x350
[ 98.231384][ T9670]  __vfs_write+0x76/0x100
[ 98.235693][ T9670]  vfs_write+0x262/0x5c0
[ 98.239931][ T9670]  ksys_write+0x1e8/0x250
[ 98.244241][ T9670]  do_syscall_64+0xf6/0x790
[ 98.248773][ T9670]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 98.254656][ T9670]
[ 98.256984][ T9670] Freed by task 9571:
[ 98.260958][ T9670]  save_stack+0x1b/0x40
[ 98.265095][ T9670]  __kasan_slab_free+0xf7/0x140
[ 98.269922][ T9670]  kfree+0x109/0x2b0
[ 98.273796][ T9670]  ucma_close+0x10b/0x300
[ 98.278099][ T9670]  __fput+0x2da/0x850
[ 98.282063][ T9670]  task_work_run+0x13f/0x1b0
[ 98.286641][ T9670]  exit_to_usermode_loop+0x2fa/0x360
[ 98.291902][ T9670]  do_syscall_64+0x672/0x790
[ 98.296475][ T9670]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 98.302336][ T9670]
[ 98.304646][ T9670] The buggy address belongs to the object at ffff888097512000
[ 98.304646][ T9670]  which belongs to the cache kmalloc-2k of size 2048
[ 98.319031][ T9670] The buggy address is located 480 bytes inside of
[ 98.319031][ T9670]  2048-byte region [ffff888097512000, ffff888097512800)
[ 98.332493][ T9670] The buggy address belongs to the page:
[ 98.338122][ T9670] page:ffffea00025d4480 refcount:1 mapcount:0 mapping:0000000008bef093 index:0x0
[ 98.347479][ T9670] flags: 0xfffe0000000200(slab)
[ 98.352310][ T9670] raw: 00fffe0000000200 ffffea000266f6c8 ffffea00023d6588 ffff8880aa000e00
[ 98.360881][ T9670] raw: 0000000000000000 ffff888097512000 0000000100000001 0000000000000000
[ 98.369893][ T9670] page dumped because: kasan: bad access detected
[ 98.376294][ T9670]
[ 98.378619][ T9670] Memory state around the buggy address:
[ 98.384254][ T9670]  ffff888097512080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 98.392296][ T9670]  ffff888097512100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 98.400352][ T9670] >ffff888097512180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 98.408399][ T9670]                                                        ^
[ 98.415584][ T9670]  ffff888097512200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 98.423629][ T9670]  ffff888097512280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 98.431667][ T9670] ==================================================================
[ 98.439704][ T9670] Disabling lock debugging due to kernel taint
[ 98.450854][ T9670] Kernel panic - not syncing: panic_on_warn set ...
[ 98.457499][ T9670] CPU: 0 PID: 9670 Comm: syz-executor.0 Tainted: G B 5.6.0-rc3-next-20200228-syzkaller #0
[ 98.468770][ T9670] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 98.478829][ T9670] Call Trace:
[ 98.482102][ T9670]  dump_stack+0x188/0x20d
[ 98.486432][ T9670]  panic+0x2e3/0x75c
[ 98.490304][ T9670]  ? add_taint.cold+0x16/0x16
[ 98.494960][ T9670]  ? preempt_schedule_common+0x5e/0xc0
[ 98.500403][ T9670]  ? __list_add_valid+0x93/0xa0
[ 98.505247][ T9670]  ? ___preempt_schedule+0x16/0x18
[ 98.510339][ T9670]  ? trace_hardirqs_on+0x55/0x220
[ 98.515357][ T9670]  ? __list_add_valid+0x93/0xa0
[ 98.520190][ T9670]  end_report+0x43/0x49
[ 98.524323][ T9670]  ? __list_add_valid+0x93/0xa0
[ 98.529158][ T9670]  __kasan_report.cold+0xd/0x32
[ 98.533988][ T9670]  ? __list_add_valid+0x93/0xa0
[ 98.538820][ T9670]  kasan_report+0xe/0x20
[ 98.543052][ T9670]  __list_add_valid+0x93/0xa0
[ 98.547710][ T9670]  rdma_listen+0x681/0x910
[ 98.552129][ T9670]  ucma_listen+0x14d/0x1c0
[ 98.556521][ T9670]  ? ucma_notify+0x190/0x190
[ 98.561100][ T9670]  ? __might_fault+0x190/0x1d0
[ 98.565849][ T9670]  ? _copy_from_user+0x123/0x190
[ 98.570764][ T9670]  ? ucma_notify+0x190/0x190
[ 98.575360][ T9670]  ucma_write+0x285/0x350
[ 98.579678][ T9670]  ? ucma_open+0x270/0x270
[ 98.584071][ T9670]  ? security_file_permission+0x8a/0x370
[ 98.589682][ T9670]  ? ucma_open+0x270/0x270
[ 98.594087][ T9670]  __vfs_write+0x76/0x100
[ 98.598402][ T9670]  vfs_write+0x262/0x5c0
[ 98.602647][ T9670]  ksys_write+0x1e8/0x250
[ 98.606967][ T9670]  ? __ia32_sys_read+0xb0/0xb0
[ 98.611745][ T9670]  ? __ia32_sys_clock_settime+0x260/0x260
[ 98.617446][ T9670]  ? trace_hardirqs_off_caller+0x55/0x230
[ 98.623151][ T9670]  do_syscall_64+0xf6/0x790
[ 98.627865][ T9670]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 98.633820][ T9670] RIP: 0033:0x45c679
[ 98.637798][ T9670] Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 98.657393][ T9670] RSP: 002b:00007f18d52a0c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[ 98.665831][ T9670] RAX: ffffffffffffffda RBX: 00007f18d52a16d4 RCX: 000000000045c679
[ 98.673792][ T9670] RDX: 0000000000000010 RSI: 0000000020000140 RDI: 0000000000000003
[ 98.681865][ T9670] RBP: 000000000076bfa0 R08: 0000000000000000 R09: 0000000000000000
[ 98.689820][ T9670] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
[ 98.697829][ T9670] R13: 0000000000000cbe R14: 00000000004cec51 R15: 000000000076bfac
[ 98.707327][ T9670] Kernel Offset: disabled
[ 98.711665][ T9670] Rebooting in 86400 seconds..