[ ok ] Starting enhanced syslogd: rsyslogd.
[ 80.520586][ T27] audit: type=1800 audit(1584826945.531:25): pid=9396 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="cron" dev="sda1" ino=2414 res=0
[ 80.551841][ T27] audit: type=1800 audit(1584826945.531:26): pid=9396 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0
[ 80.595827][ T27] audit: type=1800 audit(1584826945.531:27): pid=9396 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.24' (ECDSA) to the list of known hosts.
2020/03/21 21:42:35 parsed 1 programs
2020/03/21 21:42:37 executed programs: 0
syzkaller login:
[ 92.676404][ T9566] IPVS: ftp: loaded support on port[0] = 21
[ 92.740356][ T9566] chnl_net:caif_netlink_parms(): no params data found
[ 92.783683][ T9566] bridge0: port 1(bridge_slave_0) entered blocking state
[ 92.791177][ T9566] bridge0: port 1(bridge_slave_0) entered disabled state
[ 92.799296][ T9566] device bridge_slave_0 entered promiscuous mode
[ 92.807706][ T9566] bridge0: port 2(bridge_slave_1) entered blocking state
[ 92.815079][ T9566] bridge0: port 2(bridge_slave_1) entered disabled state
[ 92.822948][ T9566] device bridge_slave_1 entered promiscuous mode
[ 92.842135][ T9566] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 92.854680][ T9566] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 92.875701][ T9566] team0: Port device team_slave_0 added
[ 92.883503][ T9566] team0: Port device team_slave_1 added
[ 92.899258][ T9566] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 92.906251][ T9566] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 92.932304][ T9566] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[ 92.944603][ T9566] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 92.951547][ T9566] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 92.977605][ T9566] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[ 93.035032][ T9566] device hsr_slave_0 entered promiscuous mode
[ 93.072247][ T9566] device hsr_slave_1 entered promiscuous mode
[ 93.180018][ T9566] netdevsim netdevsim0 netdevsim0: renamed from eth0
[ 93.235172][ T9566] netdevsim netdevsim0 netdevsim1: renamed from eth1
[ 93.295103][ T9566] netdevsim netdevsim0 netdevsim2: renamed from eth2
[ 93.354601][ T9566] netdevsim netdevsim0 netdevsim3: renamed from eth3
[ 93.407359][ T9566] bridge0: port 2(bridge_slave_1) entered blocking state
[ 93.414701][ T9566] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 93.422729][ T9566] bridge0: port 1(bridge_slave_0) entered blocking state
[ 93.429836][ T9566] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 93.475432][ T9566] 8021q: adding VLAN 0 to HW filter on device bond0
[ 93.488536][ T3224] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 93.498747][ T3224] bridge0: port 1(bridge_slave_0) entered disabled state
[ 93.507178][ T3224] bridge0: port 2(bridge_slave_1) entered disabled state
[ 93.515685][ T3224] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 93.529280][ T9566] 8021q: adding VLAN 0 to HW filter on device team0
[ 93.540412][ T2941] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 93.549202][ T2941] bridge0: port 1(bridge_slave_0) entered blocking state
[ 93.556281][ T2941] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 93.568151][ T3224] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 93.577974][ T3224] bridge0: port 2(bridge_slave_1) entered blocking state
[ 93.585138][ T3224] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 93.605294][ T2941] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 93.615055][ T2941] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 93.633780][ T2941] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 93.643192][ T2941] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 93.651557][ T2941] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 93.664408][ T9566] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 93.683535][ T2941] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 93.691110][ T2941] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 93.707620][ T9566] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 93.727995][ T3224] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 93.747187][ T2941] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_vlan: link becomes ready
[ 93.756000][ T2941] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 93.766623][ T2941] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 93.774623][ T2941] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 93.786109][ T9566] device veth0_vlan entered promiscuous mode
[ 93.798379][ T9566] device veth1_vlan entered promiscuous mode
[ 93.819672][ T3224] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan0: link becomes ready
[ 93.828588][ T3224] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan1: link becomes ready
[ 93.837272][ T3224] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_macvtap: link becomes ready
[ 93.846782][ T3224] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 93.858869][ T9566] device veth0_macvtap entered promiscuous mode
[ 93.871876][ T9566] device veth1_macvtap entered promiscuous mode
[ 93.888843][ T9566] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 93.896523][ T2941] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready
[ 93.904781][ T2941] IPv6: ADDRCONF(NETDEV_CHANGE): macsec0: link becomes ready
[ 93.913219][ T2941] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready
[ 93.921658][ T2941] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 93.934384][ T9566] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 93.941881][ T3224] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready
[ 93.950473][ T3224] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 94.393172][ T9598] ==================================================================
[ 94.401398][ T9598] BUG: KASAN: use-after-free in __list_add_valid+0x93/0xa0
[ 94.408591][ T9598] Read of size 8 at addr ffff88808cb9f1e0 by task syz-executor.0/9598
[ 94.416715][ T9598]
[ 94.419027][ T9598] CPU: 1 PID: 9598 Comm: syz-executor.0 Not tainted 5.6.0-rc6-syzkaller #0
[ 94.427585][ T9598] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 94.437830][ T9598] Call Trace:
[ 94.441115][ T9598]  dump_stack+0x188/0x20d
[ 94.445506][ T9598]  ? __list_add_valid+0x93/0xa0
[ 94.450354][ T9598]  ? __list_add_valid+0x93/0xa0
[ 94.455304][ T9598]  print_address_description.constprop.0.cold+0xd3/0x315
[ 94.463121][ T9598]  ? __list_add_valid+0x93/0xa0
[ 94.467995][ T9598]  ? __list_add_valid+0x93/0xa0
[ 94.473331][ T9598]  __kasan_report.cold+0x1a/0x32
[ 94.478320][ T9598]  ? __list_add_valid+0x93/0xa0
[ 94.483159][ T9598]  kasan_report+0xe/0x20
[ 94.487436][ T9598]  __list_add_valid+0x93/0xa0
[ 94.492103][ T9598]  rdma_listen+0x681/0x910
[ 94.496505][ T9598]  ucma_listen+0x14d/0x1c0
[ 94.500914][ T9598]  ? ucma_notify+0x190/0x190
[ 94.505546][ T9598]  ? __might_fault+0x190/0x1d0
[ 94.510312][ T9598]  ? _copy_from_user+0x123/0x190
[ 94.515519][ T9598]  ? ucma_notify+0x190/0x190
[ 94.520099][ T9598]  ucma_write+0x285/0x350
[ 94.524495][ T9598]  ? ucma_open+0x270/0x270
[ 94.528914][ T9598]  ? security_file_permission+0x8a/0x370
[ 94.534657][ T9598]  ? ucma_open+0x270/0x270
[ 94.539077][ T9598]  __vfs_write+0x76/0x100
[ 94.543399][ T9598]  vfs_write+0x262/0x5c0
[ 94.547652][ T9598]  ksys_write+0x1e8/0x250
[ 94.551979][ T9598]  ? __ia32_sys_read+0xb0/0xb0
[ 94.556735][ T9598]  ? __ia32_sys_clock_settime+0x260/0x260
[ 94.562454][ T9598]  ? trace_hardirqs_off_caller+0x55/0x230
[ 94.568175][ T9598]  do_syscall_64+0xf6/0x7d0
[ 94.572673][ T9598]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 94.579402][ T9598] RIP: 0033:0x45c849
[ 94.583281][ T9598] Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 94.602927][ T9598] RSP: 002b:00007fa3abca9c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[ 94.611713][ T9598] RAX: ffffffffffffffda RBX: 00007fa3abcaa6d4 RCX: 000000000045c849
[ 94.619684][ T9598] RDX: 0000000000000010 RSI: 0000000020000040 RDI: 0000000000000003
[ 94.627652][ T9598] RBP: 000000000076bf00 R08: 0000000000000000 R09: 0000000000000000
[ 94.635797][ T9598] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
[ 94.643766][ T9598] R13: 0000000000000cc0 R14: 00000000004cee66 R15: 000000000076bf0c
[ 94.652787][ T9598]
[ 94.655106][ T9598] Allocated by task 9592:
[ 94.659507][ T9598]  save_stack+0x1b/0x80
[ 94.663658][ T9598]  __kasan_kmalloc.constprop.0+0xbf/0xd0
[ 94.669268][ T9598]  kmem_cache_alloc_trace+0x153/0x7d0
[ 94.674626][ T9598]  __rdma_create_id+0x5b/0x850
[ 94.679460][ T9598]  ucma_create_id+0x1cb/0x580
[ 94.684121][ T9598]  ucma_write+0x285/0x350
[ 94.688446][ T9598]  __vfs_write+0x76/0x100
[ 94.692770][ T9598]  vfs_write+0x262/0x5c0
[ 94.696992][ T9598]  ksys_write+0x1e8/0x250
[ 94.701305][ T9598]  do_syscall_64+0xf6/0x7d0
[ 94.705963][ T9598]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 94.711917][ T9598]
[ 94.714240][ T9598] Freed by task 9592:
[ 94.718393][ T9598]  save_stack+0x1b/0x80
[ 94.722620][ T9598]  __kasan_slab_free+0xf7/0x140
[ 94.729243][ T9598]  kfree+0x109/0x2b0
[ 94.733129][ T9598]  ucma_close+0x10b/0x300
[ 94.737555][ T9598]  __fput+0x2da/0x850
[ 94.741523][ T9598]  task_work_run+0x13f/0x1b0
[ 94.746094][ T9598]  exit_to_usermode_loop+0x2fa/0x360
[ 94.751362][ T9598]  do_syscall_64+0x6b1/0x7d0
[ 94.755937][ T9598]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 94.762016][ T9598]
[ 94.764404][ T9598] The buggy address belongs to the object at ffff88808cb9f000
[ 94.764404][ T9598]  which belongs to the cache kmalloc-2k of size 2048
[ 94.778502][ T9598] The buggy address is located 480 bytes inside of
[ 94.778502][ T9598]  2048-byte region [ffff88808cb9f000, ffff88808cb9f800)
[ 94.792146][ T9598] The buggy address belongs to the page:
[ 94.797783][ T9598] page:ffffea000232e7c0 refcount:1 mapcount:0 mapping:ffff8880aa000e00 index:0x0
[ 94.806905][ T9598] flags: 0xfffe0000000200(slab)
[ 94.811776][ T9598] raw: 00fffe0000000200 ffffea0002629088 ffffea0002368388 ffff8880aa000e00
[ 94.820366][ T9598] raw: 0000000000000000 ffff88808cb9f000 0000000100000001 0000000000000000
[ 94.829002][ T9598] page dumped because: kasan: bad access detected
[ 94.835408][ T9598]
[ 94.837848][ T9598] Memory state around the buggy address:
[ 94.843471][ T9598]  ffff88808cb9f080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 94.851520][ T9598]  ffff88808cb9f100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 94.859832][ T9598] >ffff88808cb9f180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 94.867885][ T9598]                                                        ^
[ 94.875112][ T9598]  ffff88808cb9f200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 94.883214][ T9598]  ffff88808cb9f280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 94.891259][ T9598] ==================================================================
[ 94.899306][ T9598] Disabling lock debugging due to kernel taint
[ 94.913393][ T9598] Kernel panic - not syncing: panic_on_warn set ...
[ 94.920196][ T9598] CPU: 1 PID: 9598 Comm: syz-executor.0 Tainted: G    B             5.6.0-rc6-syzkaller #0
[ 94.930464][ T9598] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 94.940681][ T9598] Call Trace:
[ 94.943995][ T9598]  dump_stack+0x188/0x20d
[ 94.948317][ T9598]  panic+0x2e3/0x75c
[ 94.952260][ T9598]  ? add_taint.cold+0x16/0x16
[ 94.956938][ T9598]  ? preempt_schedule_common+0x5e/0xc0
[ 94.962383][ T9598]  ? __list_add_valid+0x93/0xa0
[ 94.967229][ T9598]  ? ___preempt_schedule+0x16/0x18
[ 94.972328][ T9598]  ? trace_hardirqs_on+0x55/0x220
[ 94.977350][ T9598]  ? __list_add_valid+0x93/0xa0
[ 94.982184][ T9598]  end_report+0x43/0x49
[ 94.986320][ T9598]  ? __list_add_valid+0x93/0xa0
[ 94.991149][ T9598]  __kasan_report.cold+0xd/0x32
[ 94.995980][ T9598]  ? __list_add_valid+0x93/0xa0
[ 95.000825][ T9598]  kasan_report+0xe/0x20
[ 95.005050][ T9598]  __list_add_valid+0x93/0xa0
[ 95.009708][ T9598]  rdma_listen+0x681/0x910
[ 95.014111][ T9598]  ucma_listen+0x14d/0x1c0
[ 95.018523][ T9598]  ? ucma_notify+0x190/0x190
[ 95.023109][ T9598]  ? __might_fault+0x190/0x1d0
[ 95.027861][ T9598]  ? _copy_from_user+0x123/0x190
[ 95.032832][ T9598]  ? ucma_notify+0x190/0x190
[ 95.037452][ T9598]  ucma_write+0x285/0x350
[ 95.041776][ T9598]  ? ucma_open+0x270/0x270
[ 95.046196][ T9598]  ? security_file_permission+0x8a/0x370
[ 95.051812][ T9598]  ? ucma_open+0x270/0x270
[ 95.056221][ T9598]  __vfs_write+0x76/0x100
[ 95.060535][ T9598]  vfs_write+0x262/0x5c0
[ 95.064776][ T9598]  ksys_write+0x1e8/0x250
[ 95.069099][ T9598]  ? __ia32_sys_read+0xb0/0xb0
[ 95.073857][ T9598]  ? __ia32_sys_clock_settime+0x260/0x260
[ 95.079564][ T9598]  ? trace_hardirqs_off_caller+0x55/0x230
[ 95.085282][ T9598]  do_syscall_64+0xf6/0x7d0
[ 95.089785][ T9598]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 95.095697][ T9598] RIP: 0033:0x45c849
[ 95.099579][ T9598] Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 95.119171][ T9598] RSP: 002b:00007fa3abca9c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[ 95.127597][ T9598] RAX: ffffffffffffffda RBX: 00007fa3abcaa6d4 RCX: 000000000045c849
[ 95.135682][ T9598] RDX: 0000000000000010 RSI: 0000000020000040 RDI: 0000000000000003
[ 95.143646][ T9598] RBP: 000000000076bf00 R08: 0000000000000000 R09: 0000000000000000
[ 95.151596][ T9598] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
[ 95.159568][ T9598] R13: 0000000000000cc0 R14: 00000000004cee66 R15: 000000000076bf0c
[ 95.169215][ T9598] Kernel Offset: disabled
[ 95.173554][ T9598] Rebooting in 86400 seconds..
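The report above is easier to act on once its three stacks and the shadow dump are pulled apart: the faulting access is a read in __list_add_valid called from rdma_listen, the object was allocated in __rdma_create_id by task 9592, freed in ucma_close (reached through __fput, i.e. a close of the ucma file) by the same task 9592, and then used by a different task, 9598, through ucma_listen. The triage helper below is an added example, not part of the syzkaller report or of the kernel; the function names parse_kasan_report, frames_after, first_subsystem_frame and triage, the NOISE prefix list and the SHADOW table are this example's own, and the SHADOW meanings assume generic (software) KASAN of the 5.x era, where one shadow byte describes 8 bytes of memory and 0xfb marks a freed slab object. Its input is an abridged excerpt of the KASAN section above. It drops the "?" frames (unverified stack slots left by the unwinder), recomputes the 480-byte offset from the two addresses and checks it against the stated one, maps the faulting address to its shadow byte, and flags that the freeing and the using task differ, which is what makes this a cross-task lifetime bug rather than a simple double use in one thread.

```python
import re

# Abridged excerpt of the KASAN section of the crash log above, embedded as this
# example's input (constructed for the example; the "[ts][Tn]" console prefixes
# are kept so the parser has to deal with them).
KASAN_REPORT = """\
[ 94.401398][ T9598] BUG: KASAN: use-after-free in __list_add_valid+0x93/0xa0
[ 94.408591][ T9598] Read of size 8 at addr ffff88808cb9f1e0 by task syz-executor.0/9598
[ 94.437830][ T9598] Call Trace:
[ 94.441115][ T9598]  dump_stack+0x188/0x20d
[ 94.445506][ T9598]  ? __list_add_valid+0x93/0xa0
[ 94.483159][ T9598]  kasan_report+0xe/0x20
[ 94.487436][ T9598]  __list_add_valid+0x93/0xa0
[ 94.492103][ T9598]  rdma_listen+0x681/0x910
[ 94.496505][ T9598]  ucma_listen+0x14d/0x1c0
[ 94.505546][ T9598]  ? __might_fault+0x190/0x1d0
[ 94.520099][ T9598]  ucma_write+0x285/0x350
[ 94.652787][ T9598]
[ 94.655106][ T9598] Allocated by task 9592:
[ 94.663658][ T9598]  __kasan_kmalloc.constprop.0+0xbf/0xd0
[ 94.669268][ T9598]  kmem_cache_alloc_trace+0x153/0x7d0
[ 94.674626][ T9598]  __rdma_create_id+0x5b/0x850
[ 94.679460][ T9598]  ucma_create_id+0x1cb/0x580
[ 94.711917][ T9598]
[ 94.714240][ T9598] Freed by task 9592:
[ 94.722620][ T9598]  __kasan_slab_free+0xf7/0x140
[ 94.729243][ T9598]  kfree+0x109/0x2b0
[ 94.733129][ T9598]  ucma_close+0x10b/0x300
[ 94.762016][ T9598]
[ 94.764404][ T9598] The buggy address belongs to the object at ffff88808cb9f000
[ 94.764404][ T9598]  which belongs to the cache kmalloc-2k of size 2048
[ 94.778502][ T9598] The buggy address is located 480 bytes inside of
[ 94.851520][ T9598]  ffff88808cb9f100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 94.859832][ T9598] >ffff88808cb9f180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
"""

PREFIX = re.compile(r"^\[\s*\d+\.\d+\]\[\s*T\d+\]")
FRAME = re.compile(r"^(\? )?[\w.]+\+0x[0-9a-f]+/0x[0-9a-f]+$")
# Generic-mode KASAN shadow encoding (assumed, 5.x era): one shadow byte per 8 bytes.
SHADOW = {"00": "addressable", "fb": "freed slab object (KASAN_KMALLOC_FREE)",
          "fc": "slab object redzone", "f1": "stack left redzone"}
# Instrumentation and allocator frames that top every stack and name no subsystem.
NOISE = ("dump_stack", "print_address_description", "__kasan_", "kasan_report",
         "save_stack", "kmem_cache_", "kfree", "__kmalloc")

def frames_after(lines, i):
    """Stack frames that follow lines[i]. '? ' entries are stale, unverified
    stack slots reported by the unwinder and are dropped."""
    out = []
    for line in lines[i + 1:]:
        if not FRAME.match(line):
            break
        if not line.startswith("? "):
            out.append(line)
    return out

def first_subsystem_frame(frames):
    return next((f for f in frames if not f.startswith(NOISE)), None)

def parse_kasan_report(text):
    lines = [PREFIX.sub("", l).strip() for l in text.splitlines()]
    r = {}
    for i, line in enumerate(lines):
        if m := re.match(r"BUG: KASAN: (.+) in (\S+)", line):
            r["bug"], r["in"] = m[1], m[2]
        elif m := re.match(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (\S+)/(\d+)", line):
            r.update(access=m[1], size=int(m[2]), addr=int(m[3], 16), task=m[4], pid=int(m[5]))
        elif line == "Call Trace:" and "trace" not in r:  # the panic prints a second one
            r["trace"] = frames_after(lines, i)
        elif m := re.match(r"Allocated by task (\d+):", line):
            r["alloc_pid"], r["alloc"] = int(m[1]), frames_after(lines, i)
        elif m := re.match(r"Freed by task (\d+):", line):
            r["free_pid"], r["free"] = int(m[1]), frames_after(lines, i)
        elif m := re.match(r"The buggy address belongs to the object at ([0-9a-f]+)", line):
            r["obj"] = int(m[1], 16)
        elif m := re.match(r"which belongs to the cache (\S+) of size (\d+)", line):
            r["cache"], r["obj_size"] = m[1], int(m[2])
        elif m := re.match(r"The buggy address is located (\d+) bytes inside of", line):
            r["stated_offset"] = int(m[1])
        elif m := re.match(r">([0-9a-f]+): ((?:[0-9a-f]{2} ?)+)$", line):
            r["shadow_base"], r["shadow"] = int(m[1], 16), m[2].split()
    # Derived facts, cross-checked against what the report itself states.
    r["offset"] = r["addr"] - r["obj"]
    r["offset_consistent"] = r["offset"] == r["stated_offset"]
    r["shadow_at_addr"] = r["shadow"][(r["addr"] - r["shadow_base"]) // 8]
    r["shadow_meaning"] = SHADOW.get(r["shadow_at_addr"], "unknown")
    idx = r["trace"].index(r["in"])
    r["caller"] = r["trace"][idx + 1] if idx + 1 < len(r["trace"]) else None
    r["cross_task"] = r["free_pid"] != r["pid"]
    return r

def triage(r):
    """One-line summary of the kind a first-pass triager writes."""
    return (f"{r['bug']}: {r['access'].lower()} of {r['size']} bytes at +{r['offset']} in a "
            f"{r['cache']} object, shadow {r['shadow_at_addr']} ({r['shadow_meaning']}); "
            f"in {r['in']} called from {r['caller']}; allocated via "
            f"{first_subsystem_frame(r['alloc'])} by task {r['alloc_pid']}, freed via "
            f"{first_subsystem_frame(r['free'])} by task {r['free_pid']}, used by task {r['pid']}"
            + ("; cross-task use-after-free" if r["cross_task"] else ""))
```

Running triage(parse_kasan_report(KASAN_REPORT)) yields one line naming the faulting function and its caller, the allocating and freeing call sites with their task ids, and the cross-task flag. The shadow lookup is the check worth keeping in any such tool: the address ffff88808cb9f1e0 is 0x60 bytes past the marked row base ffff88808cb9f180, so it is described by shadow byte 12 of that row, which is fb and therefore agrees with the "use-after-free" in the header; a header that says use-after-free over a row of 00 bytes, or the reverse, is the first sign that a report has been mangled or that two reports have been interleaved. The SHADOW table only covers generic KASAN; tag-based modes print different values.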