[ ok ] Starting enhanced syslogd: rsyslogd.
[ 55.910104][ T26] audit: type=1800 audit(1570341458.754:25): pid=8598 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="cron" dev="sda1" ino=2414 res=0
[ 55.956641][ T26] audit: type=1800 audit(1570341458.754:26): pid=8598 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0
[ 55.996847][ T26] audit: type=1800 audit(1570341458.754:27): pid=8598 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.95' (ECDSA) to the list of known hosts.

syzkaller login: 
[ 80.359460][ T8751] IPVS: ftp: loaded support on port[0] = 21
[ 80.415600][ T8751] chnl_net:caif_netlink_parms(): no params data found
[ 80.444104][ T8751] bridge0: port 1(bridge_slave_0) entered blocking state
[ 80.452059][ T8751] bridge0: port 1(bridge_slave_0) entered disabled state
[ 80.460113][ T8751] device bridge_slave_0 entered promiscuous mode
[ 80.468397][ T8751] bridge0: port 2(bridge_slave_1) entered blocking state
[ 80.475536][ T8751] bridge0: port 2(bridge_slave_1) entered disabled state
[ 80.483415][ T8751] device bridge_slave_1 entered promiscuous mode
[ 80.500397][ T8751] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 80.510913][ T8751] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 80.529548][ T8751] team0: Port device team_slave_0 added
[ 80.536653][ T8751] team0: Port device team_slave_1 added
[ 80.619938][ T8751] device hsr_slave_0 entered promiscuous mode
[ 80.698192][ T8751] device hsr_slave_1 entered promiscuous mode
[ 80.776996][ T8751] bridge0: port 2(bridge_slave_1) entered blocking state
[ 80.786810][ T8751] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 80.795022][ T8751] bridge0: port 1(bridge_slave_0) entered blocking state
[ 80.802244][ T8751] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 80.834790][ T8751] 8021q: adding VLAN 0 to HW filter on device bond0
[ 80.847735][ T22] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 80.868109][ T22] bridge0: port 1(bridge_slave_0) entered disabled state
[ 80.876425][ T22] bridge0: port 2(bridge_slave_1) entered disabled state
[ 80.885959][ T22] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 80.897416][ T8751] 8021q: adding VLAN 0 to HW filter on device team0
[ 80.908622][ T22] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 80.917141][ T22] bridge0: port 1(bridge_slave_0) entered blocking state
[ 80.924259][ T22] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 80.935150][ T2847] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 80.945036][ T2847] bridge0: port 2(bridge_slave_1) entered blocking state
[ 80.952146][ T2847] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 80.973746][ T8751] hsr0: Slave A (hsr_slave_0) is not up; please bring it up to get a fully working HSR network
[ 80.984528][ T8751] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
[ 80.998352][ T2847] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 81.007220][ T2847] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 81.016248][ T2847] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 81.024966][ T2847] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
executing program
[ 81.033214][ T2847] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 81.040889][ T2847] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 81.056662][ T8751] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 81.298321][ T22] ==================================================================
[ 81.308792][ T22] BUG: KASAN: use-after-free in cbq_enqueue+0xecd/0xef0
[ 81.316160][ T22] Read of size 8 at addr ffff888088b393f0 by task kworker/1:1/22
[ 81.324599][ T22]
[ 81.326919][ T22] CPU: 1 PID: 22 Comm: kworker/1:1 Not tainted 5.3.0+ #0
[ 81.333931][ T22] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 81.343985][ T22] Workqueue: ipv6_addrconf addrconf_dad_work
[ 81.349949][ T22] Call Trace:
[ 81.353239][ T22]  dump_stack+0x172/0x1f0
[ 81.357548][ T22]  ? cbq_enqueue+0xecd/0xef0
[ 81.362230][ T22]  print_address_description.constprop.0.cold+0xd4/0x30b
[ 81.369239][ T22]  ? cbq_enqueue+0xecd/0xef0
[ 81.373824][ T22]  ? cbq_enqueue+0xecd/0xef0
[ 81.378711][ T22]  __kasan_report.cold+0x1b/0x41
[ 81.383773][ T22]  ? cbq_enqueue+0xecd/0xef0
[ 81.388373][ T22]  kasan_report+0x12/0x20
[ 81.392714][ T22]  __asan_report_load8_noabort+0x14/0x20
[ 81.398344][ T22]  cbq_enqueue+0xecd/0xef0
[ 81.402808][ T22]  ? do_raw_spin_lock+0x12a/0x2e0
[ 81.407857][ T22]  ? cbq_delete+0xd30/0xd30
[ 81.412378][ T22]  __dev_queue_xmit+0x157e/0x3720
[ 81.417387][ T22]  ? __kasan_check_read+0x11/0x20
[ 81.422396][ T22]  ? netdev_core_pick_tx+0x2f0/0x2f0
[ 81.427756][ T22]  ? ip6_finish_output2+0x1034/0x2550
[ 81.433133][ T22]  ? __kasan_check_read+0x11/0x20
[ 81.438236][ T22]  ? mark_held_locks+0xa4/0xf0
[ 81.443078][ T22]  dev_queue_xmit+0x18/0x20
[ 81.447558][ T22]  ? dev_queue_xmit+0x18/0x20
[ 81.452389][ T22]  neigh_resolve_output+0x5a5/0x970
[ 81.457576][ T22]  ip6_finish_output2+0x1034/0x2550
[ 81.462762][ T22]  ? ip6_sk_dst_lookup_flow+0xb90/0xb90
[ 81.468292][ T22]  ? lock_downgrade+0x920/0x920
[ 81.473167][ T22]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 81.479578][ T22]  ? __kasan_check_read+0x11/0x20
[ 81.484596][ T22]  __ip6_finish_output+0x444/0xaa0
[ 81.489820][ T22]  ? __ip6_finish_output+0x444/0xaa0
[ 81.495273][ T22]  ip6_finish_output+0x38/0x1f0
[ 81.500113][ T22]  ip6_output+0x235/0x7f0
[ 81.504434][ T22]  ? ip6_finish_output+0x1f0/0x1f0
[ 81.509591][ T22]  ? __ip6_finish_output+0xaa0/0xaa0
[ 81.514875][ T22]  ndisc_send_skb+0xf29/0x14a0
[ 81.519637][ T22]  ? nf_hook.constprop.0+0x560/0x560
[ 81.525074][ T22]  ? skb_set_owner_w+0x21b/0x320
[ 81.530090][ T22]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[ 81.535999][ T22]  ndisc_send_ns+0x3a9/0x850
[ 81.540654][ T22]  ? mark_held_locks+0xa4/0xf0
[ 81.545409][ T22]  ? ndisc_netdev_event+0x4e0/0x4e0
[ 81.550592][ T22]  ? lockdep_hardirqs_on+0x421/0x5e0
[ 81.556004][ T22]  ? addrconf_dad_work+0xac4/0x1150
[ 81.561283][ T22]  ? trace_hardirqs_on+0x67/0x240
[ 81.566357][ T22]  ? addrconf_dad_work+0xac4/0x1150
[ 81.571548][ T22]  addrconf_dad_work+0xb88/0x1150
[ 81.578031][ T22]  ? addrconf_dad_completed+0xbb0/0xbb0
[ 81.583567][ T22]  ? rcu_read_lock_any_held.part.0+0x50/0x50
[ 81.589528][ T22]  ? trace_hardirqs_on+0x67/0x240
[ 81.594557][ T22]  process_one_work+0x9af/0x1740
[ 81.599483][ T22]  ? pwq_dec_nr_in_flight+0x320/0x320
[ 81.604834][ T22]  ? lock_acquire+0x190/0x410
[ 81.609493][ T22]  worker_thread+0x98/0xe40
[ 81.613984][ T22]  kthread+0x361/0x430
[ 81.618038][ T22]  ? process_one_work+0x1740/0x1740
[ 81.623214][ T22]  ? kthread_cancel_delayed_work_sync+0x20/0x20
[ 81.629442][ T22]  ret_from_fork+0x24/0x30
[ 81.633873][ T22]
[ 81.636180][ T22] Allocated by task 8751:
[ 81.640486][ T22]  save_stack+0x23/0x90
[ 81.644618][ T22]  __kasan_kmalloc.constprop.0+0xcf/0xe0
[ 81.650232][ T22]  kasan_kmalloc+0x9/0x10
[ 81.654541][ T22]  __kmalloc_node_track_caller+0x4e/0x70
[ 81.660412][ T22]  __kmalloc_reserve.isra.0+0x40/0xf0
[ 81.665966][ T22]  __alloc_skb+0x10b/0x5e0
[ 81.670382][ T22]  netlink_sendmsg+0x972/0xd60
[ 81.675262][ T22]  sock_sendmsg+0xd7/0x130
[ 81.679660][ T22]  ___sys_sendmsg+0x803/0x920
[ 81.684331][ T22]  __sys_sendmsg+0x105/0x1d0
[ 81.688910][ T22]  __x64_sys_sendmsg+0x78/0xb0
[ 81.693678][ T22]  do_syscall_64+0xfa/0x760
[ 81.698164][ T22]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 81.704033][ T22]
[ 81.706359][ T22] Freed by task 8751:
[ 81.710336][ T22]  save_stack+0x23/0x90
[ 81.717346][ T22]  __kasan_slab_free+0x102/0x150
[ 81.722266][ T22]  kasan_slab_free+0xe/0x10
[ 81.726748][ T22]  kfree+0x10a/0x2c0
[ 81.730722][ T22]  skb_free_head+0x93/0xb0
[ 81.735118][ T22]  skb_release_data+0x42d/0x7c0
[ 81.739956][ T22]  skb_release_all+0x4d/0x60
[ 81.744552][ T22]  consume_skb+0xfb/0x3b0
[ 81.748871][ T22]  netlink_unicast+0x539/0x710
[ 81.753784][ T22]  netlink_sendmsg+0x8a5/0xd60
[ 81.758533][ T22]  sock_sendmsg+0xd7/0x130
[ 81.762926][ T22]  ___sys_sendmsg+0x803/0x920
[ 81.769829][ T22]  __sys_sendmsg+0x105/0x1d0
[ 81.775687][ T22]  __x64_sys_sendmsg+0x78/0xb0
[ 81.781041][ T22]  do_syscall_64+0xfa/0x760
[ 81.785543][ T22]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 81.791777][ T22]
[ 81.794201][ T22] The buggy address belongs to the object at ffff888088b39380
[ 81.794201][ T22]  which belongs to the cache kmalloc-2k of size 2048
[ 81.808517][ T22] The buggy address is located 112 bytes inside of
[ 81.808517][ T22]  2048-byte region [ffff888088b39380, ffff888088b39b80)
[ 81.822306][ T22] The buggy address belongs to the page:
[ 81.830586][ T22] page:ffffea000222ce00 refcount:1 mapcount:0 mapping:ffff8880aa400e00 index:0x0 compound_mapcount: 0
[ 81.842553][ T22] flags: 0x1fffc0000010200(slab|head)
[ 81.847912][ T22] raw: 01fffc0000010200 ffffea00029bef88 ffffea0002387d08 ffff8880aa400e00
[ 81.856608][ T22] raw: 0000000000000000 ffff888088b38280 0000000100000003 0000000000000000
[ 81.865356][ T22] page dumped because: kasan: bad access detected
[ 81.871749][ T22]
[ 81.874057][ T22] Memory state around the buggy address:
[ 81.881490][ T22]  ffff888088b39280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 81.889535][ T22]  ffff888088b39300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 81.897578][ T22] >ffff888088b39380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 81.905613][ T22]                                                              ^
[ 81.913575][ T22]  ffff888088b39400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 81.921705][ T22]  ffff888088b39480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 81.929739][ T22] ==================================================================
[ 81.937774][ T22] Disabling lock debugging due to kernel taint
[ 81.943953][ T22] Kernel panic - not syncing: panic_on_warn set ...
[ 81.950537][ T22] CPU: 1 PID: 22 Comm: kworker/1:1 Tainted: G B 5.3.0+ #0
[ 81.959025][ T22] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 81.969071][ T22] Workqueue: ipv6_addrconf addrconf_dad_work
[ 81.975033][ T22] Call Trace:
[ 81.978317][ T22]  dump_stack+0x172/0x1f0
[ 81.982627][ T22]  panic+0x2dc/0x755
[ 81.986771][ T22]  ? add_taint.cold+0x16/0x16
[ 81.991517][ T22]  ? trace_hardirqs_on+0x5e/0x240
[ 81.996529][ T22]  ? trace_hardirqs_on+0x5e/0x240
[ 82.001538][ T22]  ? cbq_enqueue+0xecd/0xef0
[ 82.006128][ T22]  end_report+0x47/0x4f
[ 82.010376][ T22]  ? cbq_enqueue+0xecd/0xef0
[ 82.014947][ T22]  __kasan_report.cold+0xe/0x41
[ 82.019893][ T22]  ? cbq_enqueue+0xecd/0xef0
[ 82.024464][ T22]  kasan_report+0x12/0x20
[ 82.028783][ T22]  __asan_report_load8_noabort+0x14/0x20
[ 82.034488][ T22]  cbq_enqueue+0xecd/0xef0
[ 82.038885][ T22]  ? do_raw_spin_lock+0x12a/0x2e0
[ 82.043912][ T22]  ? cbq_delete+0xd30/0xd30
[ 82.048404][ T22]  __dev_queue_xmit+0x157e/0x3720
[ 82.053406][ T22]  ? __kasan_check_read+0x11/0x20
[ 82.059367][ T22]  ? netdev_core_pick_tx+0x2f0/0x2f0
[ 82.064642][ T22]  ? ip6_finish_output2+0x1034/0x2550
[ 82.069996][ T22]  ? __kasan_check_read+0x11/0x20
[ 82.075006][ T22]  ? mark_held_locks+0xa4/0xf0
[ 82.079749][ T22]  dev_queue_xmit+0x18/0x20
[ 82.084267][ T22]  ? dev_queue_xmit+0x18/0x20
[ 82.088923][ T22]  neigh_resolve_output+0x5a5/0x970
[ 82.094123][ T22]  ip6_finish_output2+0x1034/0x2550
[ 82.099417][ T22]  ? ip6_sk_dst_lookup_flow+0xb90/0xb90
[ 82.105297][ T22]  ? lock_downgrade+0x920/0x920
[ 82.110136][ T22]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 82.116708][ T22]  ? __kasan_check_read+0x11/0x20
[ 82.121721][ T22]  __ip6_finish_output+0x444/0xaa0
[ 82.126812][ T22]  ? __ip6_finish_output+0x444/0xaa0
[ 82.132079][ T22]  ip6_finish_output+0x38/0x1f0
[ 82.136910][ T22]  ip6_output+0x235/0x7f0
[ 82.141481][ T22]  ? ip6_finish_output+0x1f0/0x1f0
[ 82.146579][ T22]  ? __ip6_finish_output+0xaa0/0xaa0
[ 82.151934][ T22]  ndisc_send_skb+0xf29/0x14a0
[ 82.156681][ T22]  ? nf_hook.constprop.0+0x560/0x560
[ 82.161950][ T22]  ? skb_set_owner_w+0x21b/0x320
[ 82.166871][ T22]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[ 82.172586][ T22]  ndisc_send_ns+0x3a9/0x850
[ 82.177157][ T22]  ? mark_held_locks+0xa4/0xf0
[ 82.181899][ T22]  ? ndisc_netdev_event+0x4e0/0x4e0
[ 82.187079][ T22]  ? lockdep_hardirqs_on+0x421/0x5e0
[ 82.192343][ T22]  ? addrconf_dad_work+0xac4/0x1150
[ 82.197520][ T22]  ? trace_hardirqs_on+0x67/0x240
[ 82.202526][ T22]  ? addrconf_dad_work+0xac4/0x1150
[ 82.207707][ T22]  addrconf_dad_work+0xb88/0x1150
[ 82.212729][ T22]  ? addrconf_dad_completed+0xbb0/0xbb0
[ 82.218276][ T22]  ? rcu_read_lock_any_held.part.0+0x50/0x50
[ 82.224234][ T22]  ? trace_hardirqs_on+0x67/0x240
[ 82.229513][ T22]  process_one_work+0x9af/0x1740
[ 82.234448][ T22]  ? pwq_dec_nr_in_flight+0x320/0x320
[ 82.239802][ T22]  ? lock_acquire+0x190/0x410
[ 82.244474][ T22]  worker_thread+0x98/0xe40
[ 82.249048][ T22]  kthread+0x361/0x430
[ 82.253099][ T22]  ? process_one_work+0x1740/0x1740
[ 82.258280][ T22]  ? kthread_cancel_delayed_work_sync+0x20/0x20
[ 82.264501][ T22]  ret_from_fork+0x24/0x30
[ 82.270677][ T22] Kernel Offset: disabled
[ 82.275107][ T22] Rebooting in 86400 seconds..