[ ok ] Starting enhanced syslogd: rsyslogd.
[ 71.619334][ T27] audit: type=1800 audit(1578336259.713:25): pid=9552 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="cron" dev="sda1" ino=2414 res=0
[ 71.640878][ T27] audit: type=1800 audit(1578336259.713:26): pid=9552 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0
[ 71.696975][ T27] audit: type=1800 audit(1578336259.713:27): pid=9552 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.31' (ECDSA) to the list of known hosts.

syzkaller login:
[ 83.772195][ T9706] IPVS: ftp: loaded support on port[0] = 21
[ 83.833373][ T9706] chnl_net:caif_netlink_parms(): no params data found
[ 83.864629][ T9706] bridge0: port 1(bridge_slave_0) entered blocking state
[ 83.872650][ T9706] bridge0: port 1(bridge_slave_0) entered disabled state
[ 83.881205][ T9706] device bridge_slave_0 entered promiscuous mode
[ 83.889685][ T9706] bridge0: port 2(bridge_slave_1) entered blocking state
[ 83.896781][ T9706] bridge0: port 2(bridge_slave_1) entered disabled state
[ 83.905230][ T9706] device bridge_slave_1 entered promiscuous mode
[ 83.923739][ T9706] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 83.935301][ T9706] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 83.955597][ T9706] team0: Port device team_slave_0 added
[ 83.964081][ T9706] team0: Port device team_slave_1 added
[ 84.021570][ T9706] device hsr_slave_0 entered promiscuous mode
[ 84.079304][ T9706] device hsr_slave_1 entered promiscuous mode
[ 84.193892][ T9706] netdevsim netdevsim0 netdevsim0: renamed from eth0
[ 84.252001][ T9706] netdevsim netdevsim0 netdevsim1: renamed from eth1
[ 84.321625][ T9706] netdevsim netdevsim0 netdevsim2: renamed from eth2
[ 84.361133][ T9706] netdevsim netdevsim0 netdevsim3: renamed from eth3
[ 84.451770][ T9706] bridge0: port 2(bridge_slave_1) entered blocking state
[ 84.459113][ T9706] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 84.466855][ T9706] bridge0: port 1(bridge_slave_0) entered blocking state
[ 84.473986][ T9706] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 84.514969][ T9706] 8021q: adding VLAN 0 to HW filter on device bond0
[ 84.528204][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 84.538023][ T17] bridge0: port 1(bridge_slave_0) entered disabled state
[ 84.557083][ T17] bridge0: port 2(bridge_slave_1) entered disabled state
[ 84.566723][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 84.580370][ T9706] 8021q: adding VLAN 0 to HW filter on device team0
[ 84.591119][ T2681] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 84.600257][ T2681] bridge0: port 1(bridge_slave_0) entered blocking state
[ 84.607382][ T2681] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 84.629810][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 84.638144][ T17] bridge0: port 2(bridge_slave_1) entered blocking state
[ 84.645249][ T17] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 84.653289][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 84.661998][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 84.671230][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 84.682045][ T2681] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 84.695166][ T2884] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 84.705975][ T9706] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 84.723850][ T2681] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 84.732036][ T2681] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 84.744642][ T9706] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 84.763686][ T2884] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 84.781867][ T3399] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 84.790305][ T3399] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 84.797929][ T3399] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 84.810022][ T9706] device veth0_vlan entered promiscuous mode
[ 84.821839][ T9706] device veth1_vlan entered promiscuous mode
executing program
[ 84.830298][ T3399] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan0: link becomes ready
[ 84.869667][ T9706] ==================================================================
[ 84.877918][ T9706] BUG: KASAN: use-after-free in macvlan_broadcast+0x547/0x620
[ 84.885391][ T9706] Read of size 4 at addr ffff888090682001 by task syz-executor824/9706
[ 84.893613][ T9706]
[ 84.895934][ T9706] CPU: 1 PID: 9706 Comm: syz-executor824 Not tainted 5.5.0-rc4-syzkaller #0
[ 84.904580][ T9706] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 84.914612][ T9706] Call Trace:
[ 84.917889][ T9706] dump_stack+0x197/0x210
[ 84.922200][ T9706] ? macvlan_broadcast+0x547/0x620
[ 84.927292][ T9706] print_address_description.constprop.0.cold+0xd4/0x30b
[ 84.934336][ T9706] ? macvlan_broadcast+0x547/0x620
[ 84.939444][ T9706] ? macvlan_broadcast+0x547/0x620
[ 84.944557][ T9706] __kasan_report.cold+0x1b/0x41
[ 84.949521][ T9706] ? validate_xmit_xfrm+0x3e0/0xf10
[ 84.954713][ T9706] ? macvlan_broadcast+0x547/0x620
[ 84.959863][ T9706] kasan_report+0x12/0x20
[ 84.964194][ T9706] __asan_report_load_n_noabort+0xf/0x20
[ 84.969830][ T9706] macvlan_broadcast+0x547/0x620
[ 84.974759][ T9706] ? validate_xmit_skb+0x81f/0xe50
[ 84.979874][ T9706] macvlan_start_xmit+0x402/0x77f
[ 84.984880][ T9706] dev_direct_xmit+0x419/0x630
[ 84.989625][ T9706] ? __check_heap_object+0x61/0xb3
[ 84.994715][ T9706] ? validate_xmit_skb_list+0x150/0x150
[ 85.000376][ T9706] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 85.006613][ T9706] ? netdev_pick_tx+0x14e/0xb00
[ 85.011458][ T9706] packet_direct_xmit+0x1a9/0x250
[ 85.016469][ T9706] packet_sendmsg+0x260d/0x6220
[ 85.021300][ T9706] ? ___might_sleep+0x163/0x2c0
[ 85.026130][ T9706] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 85.032356][ T9706] ? aa_label_sk_perm+0x91/0xf0
[ 85.037196][ T9706] ? packet_notifier+0x880/0x880
[ 85.042114][ T9706] ? aa_sock_msg_perm.isra.0+0xba/0x170
[ 85.047651][ T9706] ? apparmor_socket_sendmsg+0x2a/0x30
[ 85.053099][ T9706] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 85.059320][ T9706] ? security_socket_sendmsg+0x8d/0xc0
[ 85.064763][ T9706] ? packet_notifier+0x880/0x880
[ 85.069691][ T9706] sock_sendmsg+0xd7/0x130
[ 85.074085][ T9706] __sys_sendto+0x262/0x380
[ 85.078579][ T9706] ? __ia32_sys_getpeername+0xb0/0xb0
[ 85.084102][ T9706] ? __ia32_sys_socketpair+0xf0/0xf0
[ 85.089402][ T9706] ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 85.094904][ T9706] ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 85.100403][ T9706] ? do_syscall_64+0x26/0x790
[ 85.105067][ T9706] ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 85.111123][ T9706] __x64_sys_sendto+0xe1/0x1a0
[ 85.115909][ T9706] do_syscall_64+0xfa/0x790
[ 85.120427][ T9706] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 85.126332][ T9706] RIP: 0033:0x442bd9
[ 85.130209][ T9706] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 5b 10 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 85.149792][ T9706] RSP: 002b:00007ffcd0931318 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
[ 85.158230][ T9706] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000442bd9
[ 85.166200][ T9706] RDX: 000000000000000e RSI: 0000000020000080 RDI: 0000000000000003
[ 85.174179][ T9706] RBP: 0000000000000004 R08: 0000000000000000 R09: 0000000000000000
[ 85.182135][ T9706] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[ 85.190091][ T9706] R13: 0000000000404150 R14: 0000000000000000 R15: 0000000000000000
[ 85.198050][ T9706]
[ 85.200368][ T9706] The buggy address belongs to the page:
[ 85.205979][ T9706] page:ffffea000241a080 refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff888090682000
[ 85.216365][ T9706] raw: 00fffe0000000000 dead000000000100 dead000000000122 0000000000000000
[ 85.224937][ T9706] raw: ffff888090682000 0000000000000000 00000000ffffffff 0000000000000000
[ 85.233498][ T9706] page dumped because: kasan: bad access detected
[ 85.239884][ T9706]
[ 85.242199][ T9706] Memory state around the buggy address:
[ 85.247818][ T9706] ffff888090681f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 85.255856][ T9706] ffff888090681f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 85.263903][ T9706] >ffff888090682000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 85.271941][ T9706] ^
[ 85.275996][ T9706] ffff888090682080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 85.284046][ T9706] ffff888090682100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 85.292085][ T9706] ==================================================================
[ 85.300119][ T9706] Disabling lock debugging due to kernel taint
[ 85.306307][ T9706] Kernel panic - not syncing: panic_on_warn set ...
[ 85.312904][ T9706] CPU: 1 PID: 9706 Comm: syz-executor824 Tainted: G B 5.5.0-rc4-syzkaller #0
[ 85.322962][ T9706] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 85.333084][ T9706] Call Trace:
[ 85.336373][ T9706] dump_stack+0x197/0x210
[ 85.340701][ T9706] panic+0x2e3/0x75c
[ 85.344594][ T9706] ? add_taint.cold+0x16/0x16
[ 85.349312][ T9706] ? trace_hardirqs_on+0x5e/0x240
[ 85.354358][ T9706] ? trace_hardirqs_on+0x5e/0x240
[ 85.359366][ T9706] ? macvlan_broadcast+0x547/0x620
[ 85.364457][ T9706] end_report+0x47/0x4f
[ 85.368591][ T9706] ? macvlan_broadcast+0x547/0x620
[ 85.373682][ T9706] __kasan_report.cold+0xe/0x41
[ 85.378638][ T9706] ? validate_xmit_xfrm+0x3e0/0xf10
[ 85.383819][ T9706] ? macvlan_broadcast+0x547/0x620
[ 85.388941][ T9706] kasan_report+0x12/0x20
[ 85.393250][ T9706] __asan_report_load_n_noabort+0xf/0x20
[ 85.399030][ T9706] macvlan_broadcast+0x547/0x620
[ 85.403957][ T9706] ? validate_xmit_skb+0x81f/0xe50
[ 85.409044][ T9706] macvlan_start_xmit+0x402/0x77f
[ 85.414054][ T9706] dev_direct_xmit+0x419/0x630
[ 85.418804][ T9706] ? __check_heap_object+0x61/0xb3
[ 85.423892][ T9706] ? validate_xmit_skb_list+0x150/0x150
[ 85.429414][ T9706] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 85.435629][ T9706] ? netdev_pick_tx+0x14e/0xb00
[ 85.440457][ T9706] packet_direct_xmit+0x1a9/0x250
[ 85.445458][ T9706] packet_sendmsg+0x260d/0x6220
[ 85.450287][ T9706] ? ___might_sleep+0x163/0x2c0
[ 85.455114][ T9706] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 85.461329][ T9706] ? aa_label_sk_perm+0x91/0xf0
[ 85.466178][ T9706] ? packet_notifier+0x880/0x880
[ 85.471094][ T9706] ? aa_sock_msg_perm.isra.0+0xba/0x170
[ 85.476614][ T9706] ? apparmor_socket_sendmsg+0x2a/0x30
[ 85.482049][ T9706] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 85.488263][ T9706] ? security_socket_sendmsg+0x8d/0xc0
[ 85.493698][ T9706] ? packet_notifier+0x880/0x880
[ 85.498615][ T9706] sock_sendmsg+0xd7/0x130
[ 85.503023][ T9706] __sys_sendto+0x262/0x380
[ 85.507502][ T9706] ? __ia32_sys_getpeername+0xb0/0xb0
[ 85.512854][ T9706] ? __ia32_sys_socketpair+0xf0/0xf0
[ 85.518296][ T9706] ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 85.523792][ T9706] ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 85.529235][ T9706] ? do_syscall_64+0x26/0x790
[ 85.533902][ T9706] ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 85.539956][ T9706] __x64_sys_sendto+0xe1/0x1a0
[ 85.544755][ T9706] do_syscall_64+0xfa/0x790
[ 85.549241][ T9706] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 85.555215][ T9706] RIP: 0033:0x442bd9
[ 85.559105][ T9706] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 5b 10 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 85.578689][ T9706] RSP: 002b:00007ffcd0931318 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
[ 85.587079][ T9706] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000442bd9
[ 85.595035][ T9706] RDX: 000000000000000e RSI: 0000000020000080 RDI: 0000000000000003
[ 85.602993][ T9706] RBP: 0000000000000004 R08: 0000000000000000 R09: 0000000000000000
[ 85.610951][ T9706] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[ 85.618911][ T9706] R13: 0000000000404150 R14: 0000000000000000 R15: 0000000000000000
[ 85.628094][ T9706] Kernel Offset: disabled
[ 85.632423][ T9706] Rebooting in 86400 seconds..