[....] Starting enhanced syslogd: rsyslogd[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[   62.545611][   T27] audit: type=1800 audit(1584747283.111:25): pid=9361 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="cron" dev="sda1" ino=2414 res=0
[   62.565738][   T27] audit: type=1800 audit(1584747283.121:26): pid=9361 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0
[   62.618941][   T27] audit: type=1800 audit(1584747283.121:27): pid=9361 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0
[....] Starting periodic command scheduler: cron[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.
[....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[1G[[32m ok [39;49m8[?25h[?0c.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.212' (ECDSA) to the list of known hosts.
2020/03/20 23:34:54 parsed 1 programs
2020/03/20 23:34:56 executed programs: 0
syzkaller login: [   75.751907][ T9531] IPVS: ftp: loaded support on port[0] = 21
[   75.812294][ T9531] chnl_net:caif_netlink_parms(): no params data found
[   75.851332][ T9531] bridge0: port 1(bridge_slave_0) entered blocking state
[   75.858967][ T9531] bridge0: port 1(bridge_slave_0) entered disabled state
[   75.866781][ T9531] device bridge_slave_0 entered promiscuous mode
[   75.875179][ T9531] bridge0: port 2(bridge_slave_1) entered blocking state
[   75.882482][ T9531] bridge0: port 2(bridge_slave_1) entered disabled state
[   75.890290][ T9531] device bridge_slave_1 entered promiscuous mode
[   75.909297][ T9531] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[   75.920163][ T9531] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[   75.940047][ T9531] team0: Port device team_slave_0 added
[   75.948074][ T9531] team0: Port device team_slave_1 added
[   75.963650][ T9531] batman_adv: batadv0: Adding interface: batadv_slave_0
[   75.970814][ T9531] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[   75.996814][ T9531] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[   76.009082][ T9531] batman_adv: batadv0: Adding interface: batadv_slave_1
[   76.016192][ T9531] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[   76.042121][ T9531] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[   76.099866][ T9531] device hsr_slave_0 entered promiscuous mode
[   76.127693][ T9531] device hsr_slave_1 entered promiscuous mode
[   76.234608][ T9531] netdevsim netdevsim0 netdevsim0: renamed from eth0
[   76.280229][ T9531] netdevsim netdevsim0 netdevsim1: renamed from eth1
[   76.330978][ T9531] netdevsim netdevsim0 netdevsim2: renamed from eth2
[   76.380532][ T9531] netdevsim netdevsim0 netdevsim3: renamed from eth3
[   76.463390][ T9531] bridge0: port 2(bridge_slave_1) entered blocking state
[   76.470579][ T9531] bridge0: port 2(bridge_slave_1) entered forwarding state
[   76.478354][ T9531] bridge0: port 1(bridge_slave_0) entered blocking state
[   76.485413][ T9531] bridge0: port 1(bridge_slave_0) entered forwarding state
[   76.529886][ T9531] 8021q: adding VLAN 0 to HW filter on device bond0
[   76.543330][ T2779] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[   76.553494][ T2779] bridge0: port 1(bridge_slave_0) entered disabled state
[   76.571952][ T2779] bridge0: port 2(bridge_slave_1) entered disabled state
[   76.580856][ T2779] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[   76.593799][ T9531] 8021q: adding VLAN 0 to HW filter on device team0
[   76.604402][ T2793] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[   76.613124][ T2793] bridge0: port 1(bridge_slave_0) entered blocking state
[   76.620212][ T2793] bridge0: port 1(bridge_slave_0) entered forwarding state
[   76.632060][ T2779] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[   76.641203][ T2779] bridge0: port 2(bridge_slave_1) entered blocking state
[   76.648287][ T2779] bridge0: port 2(bridge_slave_1) entered forwarding state
[   76.668501][ T2793] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[   76.676984][ T2793] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[   76.688398][   T12] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[   76.702498][ T2779] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[   76.714448][ T9531] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
[   76.726683][ T9531] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[   76.735345][ T2779] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[   76.754449][ T2793] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[   76.762104][ T2793] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[   76.774928][ T9531] 8021q: adding VLAN 0 to HW filter on device batadv0
[   76.793955][ T2779] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[   76.813619][ T2793] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_vlan: link becomes ready
[   76.822053][ T2793] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[   76.831670][ T2793] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[   76.842077][ T2793] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[   76.851490][ T9531] device veth0_vlan entered promiscuous mode
[   76.863682][ T9531] device veth1_vlan entered promiscuous mode
[   76.884232][ T2779] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan0: link becomes ready
[   76.892812][ T2779] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan1: link becomes ready
[   76.900989][ T2779] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_macvtap: link becomes ready
[   76.909437][ T2779] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[   76.920432][ T9531] device veth0_macvtap entered promiscuous mode
[   76.930770][ T9531] device veth1_macvtap entered promiscuous mode
[   76.946479][ T9531] batman_adv: batadv0: Interface activated: batadv_slave_0
[   76.954030][ T2793] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready
[   76.962583][ T2793] IPv6: ADDRCONF(NETDEV_CHANGE): macsec0: link becomes ready
[   76.970823][ T2793] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready
[   76.979728][ T2793] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[   76.993252][ T9531] batman_adv: batadv0: Interface activated: batadv_slave_1
[   77.000800][ T2779] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready
[   77.010195][ T2779] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[   77.796144][ T9629] ==================================================================
[   77.804387][ T9629] BUG: KASAN: use-after-free in __list_add_valid+0x93/0xa0
[   77.811561][ T9629] Read of size 8 at addr ffff88809796f1e0 by task syz-executor.0/9629
[   77.819775][ T9629] 
[   77.822086][ T9629] CPU: 1 PID: 9629 Comm: syz-executor.0 Not tainted 5.6.0-rc6-syzkaller #0
[   77.830645][ T9629] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   77.840678][ T9629] Call Trace:
[   77.843951][ T9629]  dump_stack+0x188/0x20d
[   77.848264][ T9629]  ? __list_add_valid+0x93/0xa0
[   77.853099][ T9629]  ? __list_add_valid+0x93/0xa0
[   77.857929][ T9629]  print_address_description.constprop.0.cold+0xd3/0x315
[   77.864924][ T9629]  ? __list_add_valid+0x93/0xa0
[   77.869753][ T9629]  ? __list_add_valid+0x93/0xa0
[   77.874580][ T9629]  __kasan_report.cold+0x1a/0x32
[   77.879509][ T9629]  ? __list_add_valid+0x93/0xa0
[   77.884369][ T9629]  kasan_report+0xe/0x20
[   77.888605][ T9629]  __list_add_valid+0x93/0xa0
[   77.893258][ T9629]  rdma_listen+0x681/0x910
[   77.897660][ T9629]  ucma_listen+0x14d/0x1c0
[   77.902050][ T9629]  ? ucma_notify+0x190/0x190
[   77.906620][ T9629]  ? __might_fault+0x190/0x1d0
[   77.911367][ T9629]  ? _copy_from_user+0x123/0x190
[   77.916331][ T9629]  ? ucma_notify+0x190/0x190
[   77.920903][ T9629]  ucma_write+0x285/0x350
[   77.925210][ T9629]  ? ucma_open+0x270/0x270
[   77.929612][ T9629]  ? security_file_permission+0x8a/0x370
[   77.935225][ T9629]  ? ucma_open+0x270/0x270
[   77.939622][ T9629]  __vfs_write+0x76/0x100
[   77.943933][ T9629]  vfs_write+0x262/0x5c0
[   77.948175][ T9629]  ksys_write+0x1e8/0x250
[   77.952493][ T9629]  ? __ia32_sys_read+0xb0/0xb0
[   77.957230][ T9629]  ? __ia32_sys_clock_settime+0x260/0x260
[   77.962933][ T9629]  ? trace_hardirqs_off_caller+0x55/0x230
[   77.968643][ T9629]  do_syscall_64+0xf6/0x7d0
[   77.973129][ T9629]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   77.979037][ T9629] RIP: 0033:0x45c849
[   77.982907][ T9629] Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[   78.002486][ T9629] RSP: 002b:00007fb9cfd55c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[   78.012140][ T9629] RAX: ffffffffffffffda RBX: 00007fb9cfd566d4 RCX: 000000000045c849
[   78.020112][ T9629] RDX: 0000000000000010 RSI: 0000000020000040 RDI: 0000000000000003
[   78.028069][ T9629] RBP: 000000000076bf00 R08: 0000000000000000 R09: 0000000000000000
[   78.036080][ T9629] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
[   78.044050][ T9629] R13: 0000000000000cc0 R14: 00000000004cee66 R15: 000000000076bf0c
[   78.052017][ T9629] 
[   78.054323][ T9629] Allocated by task 9623:
[   78.058633][ T9629]  save_stack+0x1b/0x80
[   78.062765][ T9629]  __kasan_kmalloc.constprop.0+0xbf/0xd0
[   78.068384][ T9629]  kmem_cache_alloc_trace+0x153/0x7d0
[   78.073734][ T9629]  __rdma_create_id+0x5b/0x850
[   78.078473][ T9629]  ucma_create_id+0x1cb/0x580
[   78.083214][ T9629]  ucma_write+0x285/0x350
[   78.087536][ T9629]  __vfs_write+0x76/0x100
[   78.091900][ T9629]  vfs_write+0x262/0x5c0
[   78.096120][ T9629]  ksys_write+0x1e8/0x250
[   78.100428][ T9629]  do_syscall_64+0xf6/0x7d0
[   78.104908][ T9629]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   78.110770][ T9629] 
[   78.113094][ T9629] Freed by task 9622:
[   78.117145][ T9629]  save_stack+0x1b/0x80
[   78.121287][ T9629]  __kasan_slab_free+0xf7/0x140
[   78.126113][ T9629]  kfree+0x109/0x2b0
[   78.129987][ T9629]  ucma_close+0x10b/0x300
[   78.134293][ T9629]  __fput+0x2da/0x850
[   78.138287][ T9629]  task_work_run+0x13f/0x1b0
[   78.142856][ T9629]  exit_to_usermode_loop+0x2fa/0x360
[   78.148125][ T9629]  do_syscall_64+0x6b1/0x7d0
[   78.152702][ T9629]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   78.158563][ T9629] 
[   78.160871][ T9629] The buggy address belongs to the object at ffff88809796f000
[   78.160871][ T9629]  which belongs to the cache kmalloc-2k of size 2048
[   78.174915][ T9629] The buggy address is located 480 bytes inside of
[   78.174915][ T9629]  2048-byte region [ffff88809796f000, ffff88809796f800)
[   78.188256][ T9629] The buggy address belongs to the page:
[   78.194036][ T9629] page:ffffea00025e5bc0 refcount:1 mapcount:0 mapping:ffff8880aa000e00 index:0x0
[   78.203119][ T9629] flags: 0xfffe0000000200(slab)
[   78.207960][ T9629] raw: 00fffe0000000200 ffffea0002541d08 ffffea00028c9d08 ffff8880aa000e00
[   78.216531][ T9629] raw: 0000000000000000 ffff88809796f000 0000000100000001 0000000000000000
[   78.225086][ T9629] page dumped because: kasan: bad access detected
[   78.231471][ T9629] 
[   78.233778][ T9629] Memory state around the buggy address:
[   78.239385][ T9629]  ffff88809796f080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   78.247540][ T9629]  ffff88809796f100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   78.255603][ T9629] >ffff88809796f180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   78.263771][ T9629]                                                        ^
[   78.270943][ T9629]  ffff88809796f200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   78.278985][ T9629]  ffff88809796f280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   78.287019][ T9629] ==================================================================
[   78.295056][ T9629] Disabling lock debugging due to kernel taint
[   78.306441][ T9629] Kernel panic - not syncing: panic_on_warn set ...
[   78.313025][ T9629] CPU: 1 PID: 9629 Comm: syz-executor.0 Tainted: G    B             5.6.0-rc6-syzkaller #0
[   78.322971][ T9629] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   78.333003][ T9629] Call Trace:
[   78.336274][ T9629]  dump_stack+0x188/0x20d
[   78.340621][ T9629]  panic+0x2e3/0x75c
[   78.344494][ T9629]  ? add_taint.cold+0x16/0x16
[   78.349200][ T9629]  ? preempt_schedule_common+0x5e/0xc0
[   78.354637][ T9629]  ? __list_add_valid+0x93/0xa0
[   78.359470][ T9629]  ? ___preempt_schedule+0x16/0x18
[   78.364568][ T9629]  ? trace_hardirqs_on+0x55/0x220
[   78.369572][ T9629]  ? __list_add_valid+0x93/0xa0
[   78.374399][ T9629]  end_report+0x43/0x49
[   78.378529][ T9629]  ? __list_add_valid+0x93/0xa0
[   78.383486][ T9629]  __kasan_report.cold+0xd/0x32
[   78.388318][ T9629]  ? __list_add_valid+0x93/0xa0
[   78.393191][ T9629]  kasan_report+0xe/0x20
[   78.397417][ T9629]  __list_add_valid+0x93/0xa0
[   78.402072][ T9629]  rdma_listen+0x681/0x910
[   78.406467][ T9629]  ucma_listen+0x14d/0x1c0
[   78.410867][ T9629]  ? ucma_notify+0x190/0x190
[   78.415446][ T9629]  ? __might_fault+0x190/0x1d0
[   78.420280][ T9629]  ? _copy_from_user+0x123/0x190
[   78.425195][ T9629]  ? ucma_notify+0x190/0x190
[   78.429819][ T9629]  ucma_write+0x285/0x350
[   78.434150][ T9629]  ? ucma_open+0x270/0x270
[   78.438568][ T9629]  ? security_file_permission+0x8a/0x370
[   78.444225][ T9629]  ? ucma_open+0x270/0x270
[   78.448628][ T9629]  __vfs_write+0x76/0x100
[   78.452945][ T9629]  vfs_write+0x262/0x5c0
[   78.457168][ T9629]  ksys_write+0x1e8/0x250
[   78.461482][ T9629]  ? __ia32_sys_read+0xb0/0xb0
[   78.466227][ T9629]  ? __ia32_sys_clock_settime+0x260/0x260
[   78.471935][ T9629]  ? trace_hardirqs_off_caller+0x55/0x230
[   78.477637][ T9629]  do_syscall_64+0xf6/0x7d0
[   78.482120][ T9629]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   78.488031][ T9629] RIP: 0033:0x45c849
[   78.491899][ T9629] Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[   78.511595][ T9629] RSP: 002b:00007fb9cfd55c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[   78.519986][ T9629] RAX: ffffffffffffffda RBX: 00007fb9cfd566d4 RCX: 000000000045c849
[   78.527941][ T9629] RDX: 0000000000000010 RSI: 0000000020000040 RDI: 0000000000000003
[   78.535895][ T9629] RBP: 000000000076bf00 R08: 0000000000000000 R09: 0000000000000000
[   78.543844][ T9629] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
[   78.551800][ T9629] R13: 0000000000000cc0 R14: 00000000004cee66 R15: 000000000076bf0c
[   78.560915][ T9629] Kernel Offset: disabled
[   78.565232][ T9629] Rebooting in 86400 seconds..