[ ok ] Starting enhanced syslogd: rsyslogd.
[ 57.194440][ T26] audit: type=1800 audit(1570327113.446:25): pid=8507 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="cron" dev="sda1" ino=2414 res=0
[ 57.215922][ T26] audit: type=1800 audit(1570327113.446:26): pid=8507 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0
[ 57.278786][ T26] audit: type=1800 audit(1570327113.446:27): pid=8507 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.83' (ECDSA) to the list of known hosts.

syzkaller login: [ 72.197340][ T8660] IPVS: ftp: loaded support on port[0] = 21
[ 72.252614][ T8660] chnl_net:caif_netlink_parms(): no params data found
[ 72.279074][ T8660] bridge0: port 1(bridge_slave_0) entered blocking state
[ 72.286560][ T8660] bridge0: port 1(bridge_slave_0) entered disabled state
[ 72.294851][ T8660] device bridge_slave_0 entered promiscuous mode
[ 72.302874][ T8660] bridge0: port 2(bridge_slave_1) entered blocking state
[ 72.310159][ T8660] bridge0: port 2(bridge_slave_1) entered disabled state
[ 72.317851][ T8660] device bridge_slave_1 entered promiscuous mode
[ 72.333524][ T8660] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 72.344241][ T8660] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 72.363274][ T8660] team0: Port device team_slave_0 added
[ 72.370216][ T8660] team0: Port device team_slave_1 added
[ 72.420059][ T8660] device hsr_slave_0 entered promiscuous mode
[ 72.488012][ T8660] device hsr_slave_1 entered promiscuous mode
[ 72.565671][ T8660] bridge0: port 2(bridge_slave_1) entered blocking state
[ 72.572880][ T8660] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 72.580691][ T8660] bridge0: port 1(bridge_slave_0) entered blocking state
[ 72.587858][ T8660] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 72.622198][ T8660] 8021q: adding VLAN 0 to HW filter on device bond0
[ 72.633384][ T12] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 72.653249][ T12] bridge0: port 1(bridge_slave_0) entered disabled state
[ 72.661303][ T12] bridge0: port 2(bridge_slave_1) entered disabled state
[ 72.670684][ T12] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 72.682039][ T8660] 8021q: adding VLAN 0 to HW filter on device team0
[ 72.692548][ T3760] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 72.701161][ T3760] bridge0: port 1(bridge_slave_0) entered blocking state
[ 72.708256][ T3760] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 72.728745][ T12] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 72.737105][ T12] bridge0: port 2(bridge_slave_1) entered blocking state
[ 72.744213][ T12] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 72.752264][ T12] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 72.760874][ T12] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 72.769751][ T12] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
executing program
[ 72.778367][ T12] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 72.789358][ T3760] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 72.801349][ T8660] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 72.819230][ T8660] 8021q: adding VLAN 0 to HW filter on device batadv0
executing program
[ 73.108076][ T3760] ==================================================================
[ 73.116333][ T3760] BUG: KASAN: use-after-free in cbq_enqueue+0xecd/0xef0
[ 73.123248][ T3760] Read of size 8 at addr ffff888097b5b770 by task kworker/1:2/3760
[ 73.131111][ T3760]
[ 73.133787][ T3760] CPU: 1 PID: 3760 Comm: kworker/1:2 Not tainted 5.3.0+ #0
[ 73.140969][ T3760] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 73.151014][ T3760] Workqueue: ipv6_addrconf addrconf_dad_work
[ 73.156983][ T3760] Call Trace:
[ 73.160282][ T3760]  dump_stack+0x172/0x1f0
[ 73.164593][ T3760]  ? cbq_enqueue+0xecd/0xef0
[ 73.169165][ T3760]  print_address_description.constprop.0.cold+0xd4/0x30b
[ 73.176207][ T3760]  ? cbq_enqueue+0xecd/0xef0
[ 73.180798][ T3760]  ? cbq_enqueue+0xecd/0xef0
[ 73.186326][ T3760]  __kasan_report.cold+0x1b/0x41
[ 73.191246][ T3760]  ? cbq_enqueue+0xecd/0xef0
[ 73.195816][ T3760]  kasan_report+0x12/0x20
[ 73.200136][ T3760]  __asan_report_load8_noabort+0x14/0x20
[ 73.205741][ T3760]  cbq_enqueue+0xecd/0xef0
[ 73.210136][ T3760]  ? do_raw_spin_lock+0x12a/0x2e0
[ 73.215137][ T3760]  ? cbq_delete+0xd30/0xd30
[ 73.219812][ T3760]  __dev_queue_xmit+0x157e/0x3720
[ 73.224815][ T3760]  ? __kasan_check_read+0x11/0x20
[ 73.229834][ T3760]  ? netdev_core_pick_tx+0x2f0/0x2f0
[ 73.235117][ T3760]  ? ip6_finish_output2+0x1034/0x2550
[ 73.243524][ T3760]  ? __kasan_check_read+0x11/0x20
[ 73.248620][ T3760]  ? mark_held_locks+0xa4/0xf0
[ 73.253378][ T3760]  dev_queue_xmit+0x18/0x20
[ 73.257866][ T3760]  ? dev_queue_xmit+0x18/0x20
[ 73.262541][ T3760]  neigh_resolve_output+0x5a5/0x970
[ 73.267732][ T3760]  ip6_finish_output2+0x1034/0x2550
[ 73.272917][ T3760]  ? ip6_sk_dst_lookup_flow+0xb90/0xb90
[ 73.278448][ T3760]  ? lock_downgrade+0x920/0x920
[ 73.283300][ T3760]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 73.289526][ T3760]  ? __kasan_check_read+0x11/0x20
[ 73.294533][ T3760]  __ip6_finish_output+0x444/0xaa0
[ 73.299630][ T3760]  ? __ip6_finish_output+0x444/0xaa0
[ 73.304897][ T3760]  ip6_finish_output+0x38/0x1f0
[ 73.309740][ T3760]  ip6_output+0x235/0x7f0
[ 73.314057][ T3760]  ? ip6_finish_output+0x1f0/0x1f0
[ 73.319164][ T3760]  ? __ip6_finish_output+0xaa0/0xaa0
[ 73.324444][ T3760]  ndisc_send_skb+0xf29/0x14a0
[ 73.329194][ T3760]  ? nf_hook.constprop.0+0x560/0x560
[ 73.334463][ T3760]  ? skb_set_owner_w+0x21b/0x320
[ 73.339380][ T3760]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[ 73.345079][ T3760]  ndisc_send_ns+0x3a9/0x850
[ 73.349649][ T3760]  ? mark_held_locks+0xa4/0xf0
[ 73.354404][ T3760]  ? ndisc_netdev_event+0x4e0/0x4e0
[ 73.359581][ T3760]  ? lockdep_hardirqs_on+0x421/0x5e0
[ 73.364864][ T3760]  ? addrconf_dad_work+0xac4/0x1150
[ 73.370061][ T3760]  ? trace_hardirqs_on+0x67/0x240
[ 73.375076][ T3760]  ? addrconf_dad_work+0xac4/0x1150
[ 73.380262][ T3760]  addrconf_dad_work+0xb88/0x1150
[ 73.385357][ T3760]  ? addrconf_dad_completed+0xbb0/0xbb0
[ 73.390882][ T3760]  ? rcu_read_lock_any_held.part.0+0x50/0x50
[ 73.396853][ T3760]  ? trace_hardirqs_on+0x67/0x240
[ 73.401875][ T3760]  process_one_work+0x9af/0x1740
[ 73.406806][ T3760]  ? pwq_dec_nr_in_flight+0x320/0x320
[ 73.412162][ T3760]  ? lock_acquire+0x190/0x410
[ 73.416826][ T3760]  worker_thread+0x98/0xe40
[ 73.421312][ T3760]  ? trace_hardirqs_on+0x67/0x240
[ 73.426324][ T3760]  kthread+0x361/0x430
[ 73.430462][ T3760]  ? process_one_work+0x1740/0x1740
[ 73.435650][ T3760]  ? kthread_cancel_delayed_work_sync+0x20/0x20
[ 73.441869][ T3760]  ret_from_fork+0x24/0x30
[ 73.446268][ T3760]
[ 73.448585][ T3760] Allocated by task 8669:
[ 73.452900][ T3760]  save_stack+0x23/0x90
[ 73.457298][ T3760]  __kasan_kmalloc.constprop.0+0xcf/0xe0
[ 73.463810][ T3760]  kasan_kmalloc+0x9/0x10
[ 73.468126][ T3760]  __kmalloc_node_track_caller+0x4e/0x70
[ 73.473767][ T3760]  __kmalloc_reserve.isra.0+0x40/0xf0
[ 73.479120][ T3760]  __alloc_skb+0x10b/0x5e0
[ 73.483604][ T3760]  netlink_sendmsg+0x972/0xd60
[ 73.488498][ T3760]  sock_sendmsg+0xd7/0x130
[ 73.492893][ T3760]  ___sys_sendmsg+0x803/0x920
[ 73.497744][ T3760]  __sys_sendmsg+0x105/0x1d0
[ 73.502339][ T3760]  __x64_sys_sendmsg+0x78/0xb0
[ 73.507101][ T3760]  do_syscall_64+0xfa/0x760
[ 73.511587][ T3760]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 73.517460][ T3760]
[ 73.519779][ T3760] Freed by task 8669:
[ 73.523745][ T3760]  save_stack+0x23/0x90
[ 73.527880][ T3760]  __kasan_slab_free+0x102/0x150
[ 73.533420][ T3760]  kasan_slab_free+0xe/0x10
[ 73.537907][ T3760]  kfree+0x10a/0x2c0
[ 73.541790][ T3760]  skb_free_head+0x93/0xb0
[ 73.546181][ T3760]  skb_release_data+0x42d/0x7c0
[ 73.551010][ T3760]  skb_release_all+0x4d/0x60
[ 73.555596][ T3760]  consume_skb+0xfb/0x3b0
[ 73.559916][ T3760]  netlink_unicast+0x539/0x710
[ 73.564659][ T3760]  netlink_sendmsg+0x8a5/0xd60
[ 73.569407][ T3760]  sock_sendmsg+0xd7/0x130
[ 73.573818][ T3760]  ___sys_sendmsg+0x803/0x920
[ 73.578489][ T3760]  __sys_sendmsg+0x105/0x1d0
[ 73.583072][ T3760]  __x64_sys_sendmsg+0x78/0xb0
[ 73.587823][ T3760]  do_syscall_64+0xfa/0x760
[ 73.592314][ T3760]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 73.598444][ T3760]
[ 73.600766][ T3760] The buggy address belongs to the object at ffff888097b5b700
[ 73.600766][ T3760]  which belongs to the cache kmalloc-2k of size 2048
[ 73.614795][ T3760] The buggy address is located 112 bytes inside of
[ 73.614795][ T3760]  2048-byte region [ffff888097b5b700, ffff888097b5bf00)
[ 73.628569][ T3760] The buggy address belongs to the page:
[ 73.634384][ T3760] page:ffffea00025ed680 refcount:1 mapcount:0 mapping:ffff8880aa400e00 index:0x0 compound_mapcount: 0
[ 73.645298][ T3760] flags: 0x1fffc0000010200(slab|head)
[ 73.650670][ T3760] raw: 01fffc0000010200 ffffea0002153f88 ffffea00025dd208 ffff8880aa400e00
[ 73.659269][ T3760] raw: 0000000000000000 ffff888097b5a600 0000000100000003 0000000000000000
[ 73.667824][ T3760] page dumped because: kasan: bad access detected
[ 73.674215][ T3760]
[ 73.676525][ T3760] Memory state around the buggy address:
[ 73.682134][ T3760]  ffff888097b5b600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 73.690179][ T3760]  ffff888097b5b680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 73.698313][ T3760] >ffff888097b5b700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 73.706357][ T3760]                                                             ^
[ 73.714074][ T3760]  ffff888097b5b780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 73.722122][ T3760]  ffff888097b5b800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 73.730172][ T3760] ==================================================================
[ 73.738211][ T3760] Disabling lock debugging due to kernel taint
[ 73.744395][ T3760] Kernel panic - not syncing: panic_on_warn set ...
[ 73.750975][ T3760] CPU: 1 PID: 3760 Comm: kworker/1:2 Tainted: G    B             5.3.0+ #0
[ 73.759547][ T3760] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 73.769605][ T3760] Workqueue: ipv6_addrconf addrconf_dad_work
[ 73.775565][ T3760] Call Trace:
[ 73.778848][ T3760]  dump_stack+0x172/0x1f0
[ 73.783167][ T3760]  panic+0x2dc/0x755
[ 73.787044][ T3760]  ? add_taint.cold+0x16/0x16
[ 73.791706][ T3760]  ? trace_hardirqs_on+0x5e/0x240
[ 73.796712][ T3760]  ? trace_hardirqs_on+0x5e/0x240
[ 73.801716][ T3760]  ? cbq_enqueue+0xecd/0xef0
[ 73.806316][ T3760]  end_report+0x47/0x4f
[ 73.810450][ T3760]  ? cbq_enqueue+0xecd/0xef0
[ 73.815055][ T3760]  __kasan_report.cold+0xe/0x41
[ 73.819884][ T3760]  ? cbq_enqueue+0xecd/0xef0
[ 73.824453][ T3760]  kasan_report+0x12/0x20
[ 73.828763][ T3760]  __asan_report_load8_noabort+0x14/0x20
[ 73.834369][ T3760]  cbq_enqueue+0xecd/0xef0
[ 73.838762][ T3760]  ? do_raw_spin_lock+0x12a/0x2e0
[ 73.843766][ T3760]  ? cbq_delete+0xd30/0xd30
[ 73.848259][ T3760]  __dev_queue_xmit+0x157e/0x3720
[ 73.853261][ T3760]  ? __kasan_check_read+0x11/0x20
[ 73.858263][ T3760]  ? netdev_core_pick_tx+0x2f0/0x2f0
[ 73.863553][ T3760]  ? ip6_finish_output2+0x1034/0x2550
[ 73.868901][ T3760]  ? __kasan_check_read+0x11/0x20
[ 73.873905][ T3760]  ? mark_held_locks+0xa4/0xf0
[ 73.878648][ T3760]  dev_queue_xmit+0x18/0x20
[ 73.883128][ T3760]  ? dev_queue_xmit+0x18/0x20
[ 73.887855][ T3760]  neigh_resolve_output+0x5a5/0x970
[ 73.893058][ T3760]  ip6_finish_output2+0x1034/0x2550
[ 73.899318][ T3760]  ? ip6_sk_dst_lookup_flow+0xb90/0xb90
[ 73.904844][ T3760]  ? lock_downgrade+0x920/0x920
[ 73.909675][ T3760]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 73.915892][ T3760]  ? __kasan_check_read+0x11/0x20
[ 73.920904][ T3760]  __ip6_finish_output+0x444/0xaa0
[ 73.926006][ T3760]  ? __ip6_finish_output+0x444/0xaa0
[ 73.931282][ T3760]  ip6_finish_output+0x38/0x1f0
[ 73.936112][ T3760]  ip6_output+0x235/0x7f0
[ 73.940422][ T3760]  ? ip6_finish_output+0x1f0/0x1f0
[ 73.945508][ T3760]  ? __ip6_finish_output+0xaa0/0xaa0
[ 73.950770][ T3760]  ndisc_send_skb+0xf29/0x14a0
[ 73.955542][ T3760]  ? nf_hook.constprop.0+0x560/0x560
[ 73.960809][ T3760]  ? skb_set_owner_w+0x21b/0x320
[ 73.965727][ T3760]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[ 73.971427][ T3760]  ndisc_send_ns+0x3a9/0x850
[ 73.975995][ T3760]  ? mark_held_locks+0xa4/0xf0
[ 73.980736][ T3760]  ? ndisc_netdev_event+0x4e0/0x4e0
[ 73.985918][ T3760]  ? lockdep_hardirqs_on+0x421/0x5e0
[ 73.991180][ T3760]  ? addrconf_dad_work+0xac4/0x1150
[ 73.996364][ T3760]  ? trace_hardirqs_on+0x67/0x240
[ 74.002063][ T3760]  ? addrconf_dad_work+0xac4/0x1150
[ 74.007256][ T3760]  addrconf_dad_work+0xb88/0x1150
[ 74.012260][ T3760]  ? addrconf_dad_completed+0xbb0/0xbb0
[ 74.017792][ T3760]  ? rcu_read_lock_any_held.part.0+0x50/0x50
[ 74.023756][ T3760]  ? trace_hardirqs_on+0x67/0x240
[ 74.028784][ T3760]  process_one_work+0x9af/0x1740
[ 74.033703][ T3760]  ? pwq_dec_nr_in_flight+0x320/0x320
[ 74.039060][ T3760]  ? lock_acquire+0x190/0x410
[ 74.043718][ T3760]  worker_thread+0x98/0xe40
[ 74.048198][ T3760]  ? trace_hardirqs_on+0x67/0x240
[ 74.053204][ T3760]  kthread+0x361/0x430
[ 74.057271][ T3760]  ? process_one_work+0x1740/0x1740
[ 74.062461][ T3760]  ? kthread_cancel_delayed_work_sync+0x20/0x20
[ 74.068685][ T3760]  ret_from_fork+0x24/0x30
[ 74.074493][ T3760] Kernel Offset: disabled
[ 74.078849][ T3760] Rebooting in 86400 seconds..