[ ok ] Starting enhanced syslogd: rsyslogd.
[   62.545611][   T27] audit: type=1800 audit(1584747283.111:25): pid=9361 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="cron" dev="sda1" ino=2414 res=0
[   62.565738][   T27] audit: type=1800 audit(1584747283.121:26): pid=9361 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0
[   62.618941][   T27] audit: type=1800 audit(1584747283.121:27): pid=9361 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.212' (ECDSA) to the list of known hosts.
2020/03/20 23:34:54 parsed 1 programs
2020/03/20 23:34:56 executed programs: 0
syzkaller login:
[   75.751907][ T9531] IPVS: ftp: loaded support on port[0] = 21
[   75.812294][ T9531] chnl_net:caif_netlink_parms(): no params data found
[   75.851332][ T9531] bridge0: port 1(bridge_slave_0) entered blocking state
[   75.858967][ T9531] bridge0: port 1(bridge_slave_0) entered disabled state
[   75.866781][ T9531] device bridge_slave_0 entered promiscuous mode
[   75.875179][ T9531] bridge0: port 2(bridge_slave_1) entered blocking state
[   75.882482][ T9531] bridge0: port 2(bridge_slave_1) entered disabled state
[   75.890290][ T9531] device bridge_slave_1 entered promiscuous mode
[   75.909297][ T9531] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[   75.920163][ T9531] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[   75.940047][ T9531] team0: Port device team_slave_0 added
[   75.948074][ T9531] team0: Port device team_slave_1 added
[   75.963650][ T9531] batman_adv: batadv0: Adding interface: batadv_slave_0
[   75.970814][ T9531] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[   75.996814][ T9531] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[   76.009082][ T9531] batman_adv: batadv0: Adding interface: batadv_slave_1
[   76.016192][ T9531] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[   76.042121][ T9531] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[   76.099866][ T9531] device hsr_slave_0 entered promiscuous mode
[   76.127693][ T9531] device hsr_slave_1 entered promiscuous mode
[   76.234608][ T9531] netdevsim netdevsim0 netdevsim0: renamed from eth0
[   76.280229][ T9531] netdevsim netdevsim0 netdevsim1: renamed from eth1
[   76.330978][ T9531] netdevsim netdevsim0 netdevsim2: renamed from eth2
[   76.380532][ T9531] netdevsim netdevsim0 netdevsim3: renamed from eth3
[   76.463390][ T9531] bridge0: port 2(bridge_slave_1) entered blocking state
[   76.470579][ T9531] bridge0: port 2(bridge_slave_1) entered forwarding state
[   76.478354][ T9531] bridge0: port 1(bridge_slave_0) entered blocking state
[   76.485413][ T9531] bridge0: port 1(bridge_slave_0) entered forwarding state
[   76.529886][ T9531] 8021q: adding VLAN 0 to HW filter on device bond0
[   76.543330][ T2779] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[   76.553494][ T2779] bridge0: port 1(bridge_slave_0) entered disabled state
[   76.571952][ T2779] bridge0: port 2(bridge_slave_1) entered disabled state
[   76.580856][ T2779] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[   76.593799][ T9531] 8021q: adding VLAN 0 to HW filter on device team0
[   76.604402][ T2793] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[   76.613124][ T2793] bridge0: port 1(bridge_slave_0) entered blocking state
[   76.620212][ T2793] bridge0: port 1(bridge_slave_0) entered forwarding state
[   76.632060][ T2779] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[   76.641203][ T2779] bridge0: port 2(bridge_slave_1) entered blocking state
[   76.648287][ T2779] bridge0: port 2(bridge_slave_1) entered forwarding state
[   76.668501][ T2793] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[   76.676984][ T2793] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[   76.688398][   T12] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[   76.702498][ T2779] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[   76.714448][ T9531] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
[   76.726683][ T9531] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[   76.735345][ T2779] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[   76.754449][ T2793] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[   76.762104][ T2793] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[   76.774928][ T9531] 8021q: adding VLAN 0 to HW filter on device batadv0
[   76.793955][ T2779] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[   76.813619][ T2793] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_vlan: link becomes ready
[   76.822053][ T2793] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[   76.831670][ T2793] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[   76.842077][ T2793] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[   76.851490][ T9531] device veth0_vlan entered promiscuous mode
[   76.863682][ T9531] device veth1_vlan entered promiscuous mode
[   76.884232][ T2779] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan0: link becomes ready
[   76.892812][ T2779] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan1: link becomes ready
[   76.900989][ T2779] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_macvtap: link becomes ready
[   76.909437][ T2779] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[   76.920432][ T9531] device veth0_macvtap entered promiscuous mode
[   76.930770][ T9531] device veth1_macvtap entered promiscuous mode
[   76.946479][ T9531] batman_adv: batadv0: Interface activated: batadv_slave_0
[   76.954030][ T2793] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready
[   76.962583][ T2793] IPv6: ADDRCONF(NETDEV_CHANGE): macsec0: link becomes ready
[   76.970823][ T2793] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready
[   76.979728][ T2793] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[   76.993252][ T9531] batman_adv: batadv0: Interface activated: batadv_slave_1
[   77.000800][ T2779] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready
[   77.010195][ T2779] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[   77.796144][ T9629] ==================================================================
[   77.804387][ T9629] BUG: KASAN: use-after-free in __list_add_valid+0x93/0xa0
[   77.811561][ T9629] Read of size 8 at addr ffff88809796f1e0 by task syz-executor.0/9629
[   77.819775][ T9629]
[   77.822086][ T9629] CPU: 1 PID: 9629 Comm: syz-executor.0 Not tainted 5.6.0-rc6-syzkaller #0
[   77.830645][ T9629] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   77.840678][ T9629] Call Trace:
[   77.843951][ T9629]  dump_stack+0x188/0x20d
[   77.848264][ T9629]  ? __list_add_valid+0x93/0xa0
[   77.853099][ T9629]  ? __list_add_valid+0x93/0xa0
[   77.857929][ T9629]  print_address_description.constprop.0.cold+0xd3/0x315
[   77.864924][ T9629]  ? __list_add_valid+0x93/0xa0
[   77.869753][ T9629]  ? __list_add_valid+0x93/0xa0
[   77.874580][ T9629]  __kasan_report.cold+0x1a/0x32
[   77.879509][ T9629]  ? __list_add_valid+0x93/0xa0
[   77.884369][ T9629]  kasan_report+0xe/0x20
[   77.888605][ T9629]  __list_add_valid+0x93/0xa0
[   77.893258][ T9629]  rdma_listen+0x681/0x910
[   77.897660][ T9629]  ucma_listen+0x14d/0x1c0
[   77.902050][ T9629]  ? ucma_notify+0x190/0x190
[   77.906620][ T9629]  ? __might_fault+0x190/0x1d0
[   77.911367][ T9629]  ? _copy_from_user+0x123/0x190
[   77.916331][ T9629]  ? ucma_notify+0x190/0x190
[   77.920903][ T9629]  ucma_write+0x285/0x350
[   77.925210][ T9629]  ? ucma_open+0x270/0x270
[   77.929612][ T9629]  ? security_file_permission+0x8a/0x370
[   77.935225][ T9629]  ? ucma_open+0x270/0x270
[   77.939622][ T9629]  __vfs_write+0x76/0x100
[   77.943933][ T9629]  vfs_write+0x262/0x5c0
[   77.948175][ T9629]  ksys_write+0x1e8/0x250
[   77.952493][ T9629]  ? __ia32_sys_read+0xb0/0xb0
[   77.957230][ T9629]  ? __ia32_sys_clock_settime+0x260/0x260
[   77.962933][ T9629]  ? trace_hardirqs_off_caller+0x55/0x230
[   77.968643][ T9629]  do_syscall_64+0xf6/0x7d0
[   77.973129][ T9629]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   77.979037][ T9629] RIP: 0033:0x45c849
[   77.982907][ T9629] Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[   78.002486][ T9629] RSP: 002b:00007fb9cfd55c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[   78.012140][ T9629] RAX: ffffffffffffffda RBX: 00007fb9cfd566d4 RCX: 000000000045c849
[   78.020112][ T9629] RDX: 0000000000000010 RSI: 0000000020000040 RDI: 0000000000000003
[   78.028069][ T9629] RBP: 000000000076bf00 R08: 0000000000000000 R09: 0000000000000000
[   78.036080][ T9629] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
[   78.044050][ T9629] R13: 0000000000000cc0 R14: 00000000004cee66 R15: 000000000076bf0c
[   78.052017][ T9629]
[   78.054323][ T9629] Allocated by task 9623:
[   78.058633][ T9629]  save_stack+0x1b/0x80
[   78.062765][ T9629]  __kasan_kmalloc.constprop.0+0xbf/0xd0
[   78.068384][ T9629]  kmem_cache_alloc_trace+0x153/0x7d0
[   78.073734][ T9629]  __rdma_create_id+0x5b/0x850
[   78.078473][ T9629]  ucma_create_id+0x1cb/0x580
[   78.083214][ T9629]  ucma_write+0x285/0x350
[   78.087536][ T9629]  __vfs_write+0x76/0x100
[   78.091900][ T9629]  vfs_write+0x262/0x5c0
[   78.096120][ T9629]  ksys_write+0x1e8/0x250
[   78.100428][ T9629]  do_syscall_64+0xf6/0x7d0
[   78.104908][ T9629]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   78.110770][ T9629]
[   78.113094][ T9629] Freed by task 9622:
[   78.117145][ T9629]  save_stack+0x1b/0x80
[   78.121287][ T9629]  __kasan_slab_free+0xf7/0x140
[   78.126113][ T9629]  kfree+0x109/0x2b0
[   78.129987][ T9629]  ucma_close+0x10b/0x300
[   78.134293][ T9629]  __fput+0x2da/0x850
[   78.138287][ T9629]  task_work_run+0x13f/0x1b0
[   78.142856][ T9629]  exit_to_usermode_loop+0x2fa/0x360
[   78.148125][ T9629]  do_syscall_64+0x6b1/0x7d0
[   78.152702][ T9629]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   78.158563][ T9629]
[   78.160871][ T9629] The buggy address belongs to the object at ffff88809796f000
[   78.160871][ T9629]  which belongs to the cache kmalloc-2k of size 2048
[   78.174915][ T9629] The buggy address is located 480 bytes inside of
[   78.174915][ T9629]  2048-byte region [ffff88809796f000, ffff88809796f800)
[   78.188256][ T9629] The buggy address belongs to the page:
[   78.194036][ T9629] page:ffffea00025e5bc0 refcount:1 mapcount:0 mapping:ffff8880aa000e00 index:0x0
[   78.203119][ T9629] flags: 0xfffe0000000200(slab)
[   78.207960][ T9629] raw: 00fffe0000000200 ffffea0002541d08 ffffea00028c9d08 ffff8880aa000e00
[   78.216531][ T9629] raw: 0000000000000000 ffff88809796f000 0000000100000001 0000000000000000
[   78.225086][ T9629] page dumped because: kasan: bad access detected
[   78.231471][ T9629]
[   78.233778][ T9629] Memory state around the buggy address:
[   78.239385][ T9629]  ffff88809796f080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   78.247540][ T9629]  ffff88809796f100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   78.255603][ T9629] >ffff88809796f180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   78.263771][ T9629]                                                        ^
[   78.270943][ T9629]  ffff88809796f200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   78.278985][ T9629]  ffff88809796f280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   78.287019][ T9629] ==================================================================
[   78.295056][ T9629] Disabling lock debugging due to kernel taint
[   78.306441][ T9629] Kernel panic - not syncing: panic_on_warn set ...
[   78.313025][ T9629] CPU: 1 PID: 9629 Comm: syz-executor.0 Tainted: G B 5.6.0-rc6-syzkaller #0
[   78.322971][ T9629] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   78.333003][ T9629] Call Trace:
[   78.336274][ T9629]  dump_stack+0x188/0x20d
[   78.340621][ T9629]  panic+0x2e3/0x75c
[   78.344494][ T9629]  ? add_taint.cold+0x16/0x16
[   78.349200][ T9629]  ? preempt_schedule_common+0x5e/0xc0
[   78.354637][ T9629]  ? __list_add_valid+0x93/0xa0
[   78.359470][ T9629]  ? ___preempt_schedule+0x16/0x18
[   78.364568][ T9629]  ? trace_hardirqs_on+0x55/0x220
[   78.369572][ T9629]  ? __list_add_valid+0x93/0xa0
[   78.374399][ T9629]  end_report+0x43/0x49
[   78.378529][ T9629]  ? __list_add_valid+0x93/0xa0
[   78.383486][ T9629]  __kasan_report.cold+0xd/0x32
[   78.388318][ T9629]  ? __list_add_valid+0x93/0xa0
[   78.393191][ T9629]  kasan_report+0xe/0x20
[   78.397417][ T9629]  __list_add_valid+0x93/0xa0
[   78.402072][ T9629]  rdma_listen+0x681/0x910
[   78.406467][ T9629]  ucma_listen+0x14d/0x1c0
[   78.410867][ T9629]  ? ucma_notify+0x190/0x190
[   78.415446][ T9629]  ? __might_fault+0x190/0x1d0
[   78.420280][ T9629]  ? _copy_from_user+0x123/0x190
[   78.425195][ T9629]  ? ucma_notify+0x190/0x190
[   78.429819][ T9629]  ucma_write+0x285/0x350
[   78.434150][ T9629]  ? ucma_open+0x270/0x270
[   78.438568][ T9629]  ? security_file_permission+0x8a/0x370
[   78.444225][ T9629]  ? ucma_open+0x270/0x270
[   78.448628][ T9629]  __vfs_write+0x76/0x100
[   78.452945][ T9629]  vfs_write+0x262/0x5c0
[   78.457168][ T9629]  ksys_write+0x1e8/0x250
[   78.461482][ T9629]  ? __ia32_sys_read+0xb0/0xb0
[   78.466227][ T9629]  ? __ia32_sys_clock_settime+0x260/0x260
[   78.471935][ T9629]  ? trace_hardirqs_off_caller+0x55/0x230
[   78.477637][ T9629]  do_syscall_64+0xf6/0x7d0
[   78.482120][ T9629]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   78.488031][ T9629] RIP: 0033:0x45c849
[   78.491899][ T9629] Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[   78.511595][ T9629] RSP: 002b:00007fb9cfd55c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[   78.519986][ T9629] RAX: ffffffffffffffda RBX: 00007fb9cfd566d4 RCX: 000000000045c849
[   78.527941][ T9629] RDX: 0000000000000010 RSI: 0000000020000040 RDI: 0000000000000003
[   78.535895][ T9629] RBP: 000000000076bf00 R08: 0000000000000000 R09: 0000000000000000
[   78.543844][ T9629] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
[   78.551800][ T9629] R13: 0000000000000cc0 R14: 00000000004cee66 R15: 000000000076bf0c
[   78.560915][ T9629] Kernel Offset: disabled
[   78.565232][ T9629] Rebooting in 86400 seconds..