[ OK ] Reached target Login Prompts.
[ OK ] Reached target Multi-User System.
[ OK ] Reached target Graphical Interface.
         Starting Update UTMP about System Runlevel Changes...
[ OK ] Started Update UTMP about System Runlevel Changes.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.0.229' (ECDSA) to the list of known hosts.
2020/03/29 13:32:27 parsed 1 programs
2020/03/29 13:32:28 executed programs: 0

syzkaller login: [   56.640623][ T7033] IPVS: ftp: loaded support on port[0] = 21
[   56.733091][ T7033] chnl_net:caif_netlink_parms(): no params data found
[   56.797479][ T7033] bridge0: port 1(bridge_slave_0) entered blocking state
[   56.805783][ T7033] bridge0: port 1(bridge_slave_0) entered disabled state
[   56.814198][ T7033] device bridge_slave_0 entered promiscuous mode
[   56.823914][ T7033] bridge0: port 2(bridge_slave_1) entered blocking state
[   56.831374][ T7033] bridge0: port 2(bridge_slave_1) entered disabled state
[   56.839306][ T7033] device bridge_slave_1 entered promiscuous mode
[   56.857853][ T7033] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[   56.868501][ T7033] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[   56.889801][ T7033] team0: Port device team_slave_0 added
[   56.897009][ T7033] team0: Port device team_slave_1 added
[   56.913693][ T7033] batman_adv: batadv0: Adding interface: batadv_slave_0
[   56.920696][ T7033] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[   56.947365][ T7033] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[   56.959729][ T7033] batman_adv: batadv0: Adding interface: batadv_slave_1
[   56.967085][ T7033] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[   56.993354][ T7033] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[   57.057292][ T7033] device hsr_slave_0 entered promiscuous mode
[   57.094936][ T7033] device hsr_slave_1 entered promiscuous mode
[   57.221287][ T7033] netdevsim netdevsim0 netdevsim0: renamed from eth0
[   57.268203][ T7033] netdevsim netdevsim0 netdevsim1: renamed from eth1
[   57.347265][ T7033] netdevsim netdevsim0 netdevsim2: renamed from eth2
[   57.397135][ T7033] netdevsim netdevsim0 netdevsim3: renamed from eth3
[   57.449437][ T7033] bridge0: port 2(bridge_slave_1) entered blocking state
[   57.456773][ T7033] bridge0: port 2(bridge_slave_1) entered forwarding state
[   57.464729][ T7033] bridge0: port 1(bridge_slave_0) entered blocking state
[   57.471874][ T7033] bridge0: port 1(bridge_slave_0) entered forwarding state
[   57.515405][ T7033] 8021q: adding VLAN 0 to HW filter on device bond0
[   57.528651][ T3993] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[   57.539655][ T3993] bridge0: port 1(bridge_slave_0) entered disabled state
[   57.548438][ T3993] bridge0: port 2(bridge_slave_1) entered disabled state
[   57.557044][ T3993] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[   57.570103][ T7033] 8021q: adding VLAN 0 to HW filter on device team0
[   57.580710][ T2695] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[   57.589682][ T2695] bridge0: port 1(bridge_slave_0) entered blocking state
[   57.596814][ T2695] bridge0: port 1(bridge_slave_0) entered forwarding state
[   57.608924][ T3993] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[   57.617802][ T3993] bridge0: port 2(bridge_slave_1) entered blocking state
[   57.624930][ T3993] bridge0: port 2(bridge_slave_1) entered forwarding state
[   57.646005][ T3993] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[   57.654874][ T3993] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[   57.663666][ T2683] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[   57.676618][ T2723] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[   57.689701][ T7033] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
[   57.702002][ T7033] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[   57.711656][ T2695] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[   57.730566][ T3993] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[   57.738681][ T3993] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[   57.752184][ T7033] 8021q: adding VLAN 0 to HW filter on device batadv0
[   57.769767][ T2695] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_virt_wifi: link becomes ready
[   57.779874][ T2695] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[   57.800083][ T7033] device veth0_vlan entered promiscuous mode
[   57.809049][ T2723] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_vlan: link becomes ready
[   57.819068][ T2723] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[   57.834895][ T7033] device veth1_vlan entered promiscuous mode
[   57.841929][ T2695] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[   57.849708][ T2695] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[   57.857796][ T2695] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan0: link becomes ready
[   57.879656][ T3993] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan1: link becomes ready
[   57.887677][ T3993] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_macvtap: link becomes ready
[   57.897266][ T3993] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[   57.908779][ T7033] device veth0_macvtap entered promiscuous mode
[   57.918610][ T7033] device veth1_macvtap entered promiscuous mode
[   57.935905][ T7033] batman_adv: batadv0: Interface activated: batadv_slave_0
[   57.943579][ T2695] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready
[   57.951906][ T2695] IPv6: ADDRCONF(NETDEV_CHANGE): macsec0: link becomes ready
[   57.960084][ T2695] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready
[   57.969004][ T2695] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[   57.983101][ T7033] batman_adv: batadv0: Interface activated: batadv_slave_1
[   57.990518][ T2695] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready
[   57.999803][ T2695] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[   58.375226][ T7275] ==================================================================
[   58.383565][ T7275] BUG: KASAN: use-after-free in __list_add_valid+0x93/0xa0
[   58.390742][ T7275] Read of size 8 at addr ffff8880913141e0 by task syz-executor.0/7275
[   58.398865][ T7275]
[   58.401210][ T7275] CPU: 0 PID: 7275 Comm: syz-executor.0 Not tainted 5.6.0-rc7-syzkaller #0
[   58.409764][ T7275] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   58.419849][ T7275] Call Trace:
[   58.423127][ T7275]  dump_stack+0x188/0x20d
[   58.427488][ T7275]  ? __list_add_valid+0x93/0xa0
[   58.432332][ T7275]  ? __list_add_valid+0x93/0xa0
[   58.437168][ T7275]  print_address_description.constprop.0.cold+0xd3/0x315
[   58.444177][ T7275]  ? __list_add_valid+0x93/0xa0
[   58.449022][ T7275]  ? __list_add_valid+0x93/0xa0
[   58.453890][ T7275]  __kasan_report.cold+0x1a/0x32
[   58.458816][ T7275]  ? __list_add_valid+0x93/0xa0
[   58.463647][ T7275]  kasan_report+0xe/0x20
[   58.467871][ T7275]  __list_add_valid+0x93/0xa0
[   58.472528][ T7275]  rdma_listen+0x681/0x910
[   58.476932][ T7275]  ucma_listen+0x14d/0x1c0
[   58.481326][ T7275]  ? ucma_notify+0x190/0x190
[   58.485900][ T7275]  ? __might_fault+0x190/0x1d0
[   58.490644][ T7275]  ? _copy_from_user+0x123/0x190
[   58.495561][ T7275]  ? ucma_notify+0x190/0x190
[   58.500143][ T7275]  ucma_write+0x285/0x350
[   58.504473][ T7275]  ? ucma_open+0x270/0x270
[   58.508907][ T7275]  ? security_file_permission+0x8a/0x370
[   58.514547][ T7275]  ? ucma_open+0x270/0x270
[   58.518958][ T7275]  __vfs_write+0x76/0x100
[   58.523290][ T7275]  vfs_write+0x262/0x5c0
[   58.527532][ T7275]  ksys_write+0x1e8/0x250
[   58.531853][ T7275]  ? __ia32_sys_read+0xb0/0xb0
[   58.536597][ T7275]  ? __x64_sys_clock_gettime32+0x240/0x240
[   58.542434][ T7275]  ? trace_hardirqs_off_caller+0x55/0x230
[   58.548164][ T7275]  do_fast_syscall_32+0x270/0xe8f
[   58.553178][ T7275]  entry_SYSENTER_compat+0x70/0x7f
[   58.558285][ T7275]
[   58.560599][ T7275] Allocated by task 7270:
[   58.564917][ T7275]  save_stack+0x1b/0x80
[   58.569063][ T7275]  __kasan_kmalloc.constprop.0+0xbf/0xd0
[   58.574710][ T7275]  kmem_cache_alloc_trace+0x153/0x7d0
[   58.580076][ T7275]  __rdma_create_id+0x5b/0x850
[   58.584829][ T7275]  ucma_create_id+0x1cb/0x580
[   58.589498][ T7275]  ucma_write+0x285/0x350
[   58.593808][ T7275]  __vfs_write+0x76/0x100
[   58.598118][ T7275]  vfs_write+0x262/0x5c0
[   58.602382][ T7275]  ksys_write+0x1e8/0x250
[   58.606692][ T7275]  do_fast_syscall_32+0x270/0xe8f
[   58.611692][ T7275]  entry_SYSENTER_compat+0x70/0x7f
[   58.616784][ T7275]
[   58.619104][ T7275] Freed by task 7270:
[   58.623065][ T7275]  save_stack+0x1b/0x80
[   58.627197][ T7275]  __kasan_slab_free+0xf7/0x140
[   58.632066][ T7275]  kfree+0x109/0x2b0
[   58.635949][ T7275]  ucma_close+0x10b/0x300
[   58.640254][ T7275]  __fput+0x2da/0x850
[   58.644215][ T7275]  task_work_run+0x13f/0x1b0
[   58.648790][ T7275]  exit_to_usermode_loop+0x2fa/0x360
[   58.654052][ T7275]  do_fast_syscall_32+0xbef/0xe8f
[   58.659054][ T7275]  entry_SYSENTER_compat+0x70/0x7f
[   58.664140][ T7275]
[   58.666461][ T7275] The buggy address belongs to the object at ffff888091314000
[   58.666461][ T7275]  which belongs to the cache kmalloc-2k of size 2048
[   58.680584][ T7275] The buggy address is located 480 bytes inside of
[   58.680584][ T7275]  2048-byte region [ffff888091314000, ffff888091314800)
[   58.693924][ T7275] The buggy address belongs to the page:
[   58.699552][ T7275] page:ffffea000244c500 refcount:1 mapcount:0 mapping:ffff8880aa000e00 index:0x0
[   58.708648][ T7275] flags: 0xfffe0000000200(slab)
[   58.713479][ T7275] raw: 00fffe0000000200 ffffea00024ede88 ffffea00024c6388 ffff8880aa000e00
[   58.722079][ T7275] raw: 0000000000000000 ffff888091314000 0000000100000001 0000000000000000
[   58.730672][ T7275] page dumped because: kasan: bad access detected
[   58.737058][ T7275]
[   58.739404][ T7275] Memory state around the buggy address:
[   58.745021][ T7275]  ffff888091314080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   58.753111][ T7275]  ffff888091314100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   58.761159][ T7275] >ffff888091314180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   58.769208][ T7275]                                                        ^
[   58.776407][ T7275]  ffff888091314200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   58.784449][ T7275]  ffff888091314280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   58.792486][ T7275] ==================================================================
[   58.800523][ T7275] Disabling lock debugging due to kernel taint
[   58.812741][ T7275] Kernel panic - not syncing: panic_on_warn set ...
[   58.819370][ T7275] CPU: 0 PID: 7275 Comm: syz-executor.0 Tainted: G    B             5.6.0-rc7-syzkaller #0
[   58.829352][ T7275] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   58.839410][ T7275] Call Trace:
[   58.842685][ T7275]  dump_stack+0x188/0x20d
[   58.847002][ T7275]  panic+0x2e3/0x75c
[   58.850890][ T7275]  ? add_taint.cold+0x16/0x16
[   58.855576][ T7275]  ? preempt_schedule_common+0x5e/0xc0
[   58.861026][ T7275]  ? __list_add_valid+0x93/0xa0
[   58.865863][ T7275]  ? ___preempt_schedule+0x16/0x18
[   58.870956][ T7275]  ? trace_hardirqs_on+0x55/0x220
[   58.875962][ T7275]  ? __list_add_valid+0x93/0xa0
[   58.880788][ T7275]  end_report+0x43/0x49
[   58.884918][ T7275]  ? __list_add_valid+0x93/0xa0
[   58.889757][ T7275]  __kasan_report.cold+0xd/0x32
[   58.894586][ T7275]  ? __list_add_valid+0x93/0xa0
[   58.899412][ T7275]  kasan_report+0xe/0x20
[   58.903627][ T7275]  __list_add_valid+0x93/0xa0
[   58.908279][ T7275]  rdma_listen+0x681/0x910
[   58.912672][ T7275]  ucma_listen+0x14d/0x1c0
[   58.917166][ T7275]  ? ucma_notify+0x190/0x190
[   58.921782][ T7275]  ? __might_fault+0x190/0x1d0
[   58.926544][ T7275]  ? _copy_from_user+0x123/0x190
[   58.931475][ T7275]  ? ucma_notify+0x190/0x190
[   58.936050][ T7275]  ucma_write+0x285/0x350
[   58.940360][ T7275]  ? ucma_open+0x270/0x270
[   58.944800][ T7275]  ? security_file_permission+0x8a/0x370
[   58.950414][ T7275]  ? ucma_open+0x270/0x270
[   58.954806][ T7275]  __vfs_write+0x76/0x100
[   58.959157][ T7275]  vfs_write+0x262/0x5c0
[   58.963398][ T7275]  ksys_write+0x1e8/0x250
[   58.967710][ T7275]  ? __ia32_sys_read+0xb0/0xb0
[   58.972453][ T7275]  ? __x64_sys_clock_gettime32+0x240/0x240
[   58.978259][ T7275]  ? trace_hardirqs_off_caller+0x55/0x230
[   58.984090][ T7275]  do_fast_syscall_32+0x270/0xe8f
[   58.989109][ T7275]  entry_SYSENTER_compat+0x70/0x7f
[   58.995472][ T7275] Kernel Offset: disabled
[   58.999794][ T7275] Rebooting in 86400 seconds..
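Added example, not part of the syzkaller console log above: a Python triage script that turns a KASAN report like this one into structured fields and performs the checks a reviewer does by hand before opening the driver source. It strips the "[ time][ Tpid]" console prefix, splits the three stacks (access, "Allocated by", "Freed by") while dropping "? " frames (stale stack slots that are not part of the reliable call chain), recomputes the offset of the faulting address inside the slab object, decodes the shadow byte under the "^" marker, and reports whether the accessing task is the one that allocated and freed the object. SAMPLE_LOG is an abridged excerpt of the report on this page with the console prefix kept. The SHADOW table holds the KASAN shadow encodings from mm/kasan/kasan.h for a 5.6-era kernel; only those five values are decoded, and the INFRA prefix list (which frames count as KASAN/allocator plumbing rather than the code under test) is this script's own choice, not anything syzkaller defines.

```python
"""Structured triage of a KASAN report taken from a syzkaller console log.

Added example (not syzkaller code).  Given the raw log, it recovers what the
report says, then cross-checks the offset arithmetic and the shadow byte so
that a copy-paste error or a truncated log is caught before the numbers are
trusted in a bug discussion.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Abridged excerpt of the report above.  Constructed input for this example:
# the console prefix is retained so the parser strips it as on a raw log, and
# a few "? " frames are kept to show that unreliable frames are dropped.
SAMPLE_LOG = """\
[   58.375226][ T7275] ==================================================================
[   58.383565][ T7275] BUG: KASAN: use-after-free in __list_add_valid+0x93/0xa0
[   58.390742][ T7275] Read of size 8 at addr ffff8880913141e0 by task syz-executor.0/7275
[   58.398865][ T7275]
[   58.401210][ T7275] CPU: 0 PID: 7275 Comm: syz-executor.0 Not tainted 5.6.0-rc7-syzkaller #0
[   58.419849][ T7275] Call Trace:
[   58.423127][ T7275]  dump_stack+0x188/0x20d
[   58.427488][ T7275]  ? __list_add_valid+0x93/0xa0
[   58.437168][ T7275]  print_address_description.constprop.0.cold+0xd3/0x315
[   58.453890][ T7275]  __kasan_report.cold+0x1a/0x32
[   58.463647][ T7275]  kasan_report+0xe/0x20
[   58.467871][ T7275]  __list_add_valid+0x93/0xa0
[   58.472528][ T7275]  rdma_listen+0x681/0x910
[   58.476932][ T7275]  ucma_listen+0x14d/0x1c0
[   58.481326][ T7275]  ? ucma_notify+0x190/0x190
[   58.500143][ T7275]  ucma_write+0x285/0x350
[   58.558285][ T7275]
[   58.560599][ T7275] Allocated by task 7270:
[   58.564917][ T7275]  save_stack+0x1b/0x80
[   58.569063][ T7275]  __kasan_kmalloc.constprop.0+0xbf/0xd0
[   58.574710][ T7275]  kmem_cache_alloc_trace+0x153/0x7d0
[   58.580076][ T7275]  __rdma_create_id+0x5b/0x850
[   58.584829][ T7275]  ucma_create_id+0x1cb/0x580
[   58.616784][ T7275]
[   58.619104][ T7275] Freed by task 7270:
[   58.623065][ T7275]  save_stack+0x1b/0x80
[   58.627197][ T7275]  __kasan_slab_free+0xf7/0x140
[   58.632066][ T7275]  kfree+0x109/0x2b0
[   58.635949][ T7275]  ucma_close+0x10b/0x300
[   58.640254][ T7275]  __fput+0x2da/0x850
[   58.664140][ T7275]
[   58.666461][ T7275] The buggy address belongs to the object at ffff888091314000
[   58.666461][ T7275]  which belongs to the cache kmalloc-2k of size 2048
[   58.680584][ T7275] The buggy address is located 480 bytes inside of
[   58.680584][ T7275]  2048-byte region [ffff888091314000, ffff888091314800)
[   58.739404][ T7275] Memory state around the buggy address:
[   58.753111][ T7275]  ffff888091314100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   58.761159][ T7275] >ffff888091314180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   58.769208][ T7275]                                                        ^
[   58.792486][ T7275] ==================================================================
"""

PREFIX = re.compile(r"^\[\s*\d+\.\d+\]\[\s*T\d+\]\s?")
FRAME = re.compile(r"^(\?\s+)?([A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+$")
# Prefixes of frames that belong to KASAN or the allocator, not the code under test
# (this script's own list, chosen for this report's style of output).
INFRA = ("dump_stack", "print_address_description", "kasan_", "__kasan_",
         "save_stack", "kmem_cache_alloc", "kfree", "kmalloc", "end_report")
# KASAN shadow-byte encodings (mm/kasan/kasan.h, 5.6 era); one byte covers 8 bytes of memory.
SHADOW = {
    "00": "accessible",
    "fb": "freed slab object (KASAN_KMALLOC_FREE)",
    "fc": "kmalloc redzone (KASAN_KMALLOC_REDZONE)",
    "fe": "page redzone (KASAN_PAGE_REDZONE)",
    "ff": "freed page (KASAN_FREE_PAGE)",
}


@dataclass
class KasanReport:
    kind: str = ""
    access_fn: str = ""
    access_is_write: bool = False
    access_size: int = 0
    addr: int = 0
    access_task: int = 0
    alloc_task: Optional[int] = None
    free_task: Optional[int] = None
    object_base: int = 0
    cache: str = ""
    region_end: int = 0
    offset_stated: int = 0
    shadow_row_base: int = 0
    shadow_row: List[str] = field(default_factory=list)
    stacks: Dict[str, List[str]] = field(default_factory=dict)  # reliable frames only


def parse_kasan(log: str) -> KasanReport:
    """Parse the first KASAN report in a console log; stops at its closing '====' rule."""
    r = KasanReport()
    section = None
    for raw in log.splitlines():
        text = PREFIX.sub("", raw).strip()
        if text.startswith("=====") and r.kind:
            break                       # end of the report; ignore the panic trace after it
        if not text:
            section = None              # a blank line closes a stack section
            continue
        m = FRAME.match(text)
        if m and section:
            if m.group(1) is None:      # "? " marks a stale, unreliable frame: skip it
                r.stacks.setdefault(section, []).append(m.group(2))
            continue
        if text == "Call Trace:":
            section = "access"
        elif (m := re.match(r"Allocated by task (\d+):", text)):
            section, r.alloc_task = "alloc", int(m.group(1))
        elif (m := re.match(r"Freed by task (\d+):", text)):
            section, r.free_task = "free", int(m.group(1))
        elif (m := re.match(r"BUG: KASAN: (\S+) in (\S+)\+0x", text)):
            r.kind, r.access_fn = m.group(1), m.group(2)
        elif (m := re.match(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task \S+/(\d+)", text)):
            r.access_is_write = m.group(1) == "Write"
            r.access_size, r.addr, r.access_task = int(m.group(2)), int(m.group(3), 16), int(m.group(4))
        elif (m := re.search(r"belongs to the object at ([0-9a-f]+)", text)):
            r.object_base = int(m.group(1), 16)
        elif (m := re.search(r"cache (\S+) of size (\d+)", text)):
            r.cache = m.group(1)
        elif (m := re.search(r"located (\d+) bytes inside of", text)):
            r.offset_stated = int(m.group(1))
        elif (m := re.search(r"region \[([0-9a-f]+), ([0-9a-f]+)\)", text)):
            r.region_end = int(m.group(2), 16)
        elif (m := re.match(r">([0-9a-f]+): ((?:[0-9a-f]{2}\s?)+)$", text)):
            r.shadow_row_base = int(m.group(1), 16)   # the row KASAN marked with '>'
            r.shadow_row = m.group(2).split()
    return r


def first_frame(r: KasanReport, stack: str) -> Optional[str]:
    """First reliable frame of a stack that is not KASAN/allocator plumbing."""
    for fn in r.stacks.get(stack, []):
        if not fn.startswith(INFRA):
            return fn
    return None


def shadow_at(r: KasanReport, addr: int) -> Optional[str]:
    """Shadow byte covering addr, read from the '>' row (8 bytes of memory per shadow byte)."""
    idx = (addr - r.shadow_row_base) // 8
    return r.shadow_row[idx] if 0 <= idx < len(r.shadow_row) else None


def triage(r: KasanReport) -> Dict[str, object]:
    """Cross-check the report's own numbers and summarise who touched the object."""
    offset = r.addr - r.object_base
    shadow = shadow_at(r, r.addr)
    return {
        "kind": r.kind,
        "access": f"{'write' if r.access_is_write else 'read'} of {r.access_size} bytes in {r.access_fn}",
        "offset_in_object": offset,
        "offset_matches_report": offset == r.offset_stated,
        "inside_region": r.object_base <= r.addr < r.region_end,
        "shadow": f"{shadow}: {SHADOW.get(shadow, 'unknown encoding')}",
        "cross_task": r.access_task not in (r.alloc_task, r.free_task),
        "access_site": first_frame(r, "access"),
        "alloc_site": first_frame(r, "alloc"),
        "free_site": first_frame(r, "free"),
    }


if __name__ == "__main__":
    for key, value in triage(parse_kasan(SAMPLE_LOG)).items():
        print(f"{key:24} {value}")
```

On the excerpt above the script confirms what the report states: ffff8880913141e0 minus the object base ffff888091314000 is 0x1e0 = 480, the shadow byte under the caret is fb (the object is in the freed state), the 8-byte read lands inside a 2048-byte kmalloc-2k object, and the allocation and free both ran in task 7270 while the read came from task 7275. The "? " frames are skipped because they are leftover values on the stack that the unwinder could not verify, so the reliable chain for the access is __list_add_valid under rdma_listen, ucma_listen and ucma_write. The script only restates and checks what the log says; it does not determine the root cause of the free.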