[ ok ] Starting enhanced syslogd: rsyslogd.
[ 55.192550][ T26] audit: type=1800 audit(1570450664.502:25): pid=8415 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="cron" dev="sda1" ino=2414 res=0
[ 55.226721][ T26] audit: type=1800 audit(1570450664.502:26): pid=8415 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0
[ 55.247332][ T26] audit: type=1800 audit(1570450664.512:27): pid=8415 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.82' (ECDSA) to the list of known hosts.

syzkaller login:
[ 74.668198][ T8568] IPVS: ftp: loaded support on port[0] = 21
[ 74.727677][ T8568] chnl_net:caif_netlink_parms(): no params data found
[ 74.754155][ T8568] bridge0: port 1(bridge_slave_0) entered blocking state
[ 74.762009][ T8568] bridge0: port 1(bridge_slave_0) entered disabled state
[ 74.769677][ T8568] device bridge_slave_0 entered promiscuous mode
[ 74.777870][ T8568] bridge0: port 2(bridge_slave_1) entered blocking state
[ 74.785372][ T8568] bridge0: port 2(bridge_slave_1) entered disabled state
[ 74.793171][ T8568] device bridge_slave_1 entered promiscuous mode
[ 74.809279][ T8568] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 74.819612][ T8568] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 74.837488][ T8568] team0: Port device team_slave_0 added
[ 74.844144][ T8568] team0: Port device team_slave_1 added
[ 74.919160][ T8568] device hsr_slave_0 entered promiscuous mode
[ 74.967046][ T8568] device hsr_slave_1 entered promiscuous mode
[ 75.055097][ T8568] bridge0: port 2(bridge_slave_1) entered blocking state
[ 75.062314][ T8568] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 75.070052][ T8568] bridge0: port 1(bridge_slave_0) entered blocking state
[ 75.077151][ T8568] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 75.110382][ T8568] 8021q: adding VLAN 0 to HW filter on device bond0
[ 75.121609][ T3008] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 75.141562][ T3008] bridge0: port 1(bridge_slave_0) entered disabled state
[ 75.149855][ T3008] bridge0: port 2(bridge_slave_1) entered disabled state
[ 75.158716][ T3008] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 75.171058][ T8568] 8021q: adding VLAN 0 to HW filter on device team0
[ 75.180954][ T22] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 75.189537][ T22] bridge0: port 1(bridge_slave_0) entered blocking state
[ 75.196584][ T22] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 75.209073][ T3771] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 75.217680][ T3771] bridge0: port 2(bridge_slave_1) entered blocking state
[ 75.224712][ T3771] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 75.245873][ T8568] hsr0: Slave A (hsr_slave_0) is not up; please bring it up to get a fully working HSR network
[ 75.257278][ T8568] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
[ 75.269641][ T3008] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 75.278595][ T3008] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 75.287582][ T3008] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 75.295988][ T3008] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 75.304450][ T3008] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
executing program
[ 75.312029][ T3008] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 75.328903][ T8568] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 75.620579][ T3008] ==================================================================
[ 75.628924][ T3008] BUG: KASAN: use-after-free in cbq_enqueue+0xecd/0xef0
[ 75.635840][ T3008] Read of size 8 at addr ffff88808c8bf670 by task kworker/0:2/3008
[ 75.643705][ T3008]
[ 75.646022][ T3008] CPU: 0 PID: 3008 Comm: kworker/0:2 Not tainted 5.4.0-rc1+ #0
[ 75.653542][ T3008] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 75.663717][ T3008] Workqueue: ipv6_addrconf addrconf_dad_work
[ 75.669805][ T3008] Call Trace:
[ 75.673081][ T3008]  dump_stack+0x172/0x1f0
[ 75.677405][ T3008]  ? cbq_enqueue+0xecd/0xef0
[ 75.682109][ T3008]  print_address_description.constprop.0.cold+0xd4/0x30b
[ 75.689373][ T3008]  ? cbq_enqueue+0xecd/0xef0
[ 75.693947][ T3008]  ? cbq_enqueue+0xecd/0xef0
[ 75.698522][ T3008]  __kasan_report.cold+0x1b/0x41
[ 75.703444][ T3008]  ? cbq_enqueue+0xecd/0xef0
[ 75.708018][ T3008]  kasan_report+0x12/0x20
[ 75.712329][ T3008]  __asan_report_load8_noabort+0x14/0x20
[ 75.717947][ T3008]  cbq_enqueue+0xecd/0xef0
[ 75.722460][ T3008]  ? do_raw_spin_lock+0x12a/0x2e0
[ 75.727473][ T3008]  ? cbq_delete+0xd30/0xd30
[ 75.731966][ T3008]  __dev_queue_xmit+0x157e/0x3720
[ 75.736976][ T3008]  ? __kasan_check_read+0x11/0x20
[ 75.742030][ T3008]  ? netdev_core_pick_tx+0x2f0/0x2f0
[ 75.747301][ T3008]  ? ip6_finish_output2+0x1034/0x2550
[ 75.752655][ T3008]  ? __kasan_check_read+0x11/0x20
[ 75.757669][ T3008]  ? mark_held_locks+0xa4/0xf0
[ 75.762685][ T3008]  dev_queue_xmit+0x18/0x20
[ 75.767172][ T3008]  ? dev_queue_xmit+0x18/0x20
[ 75.771834][ T3008]  neigh_resolve_output+0x5a5/0x970
[ 75.777025][ T3008]  ip6_finish_output2+0x1034/0x2550
[ 75.782275][ T3008]  ? ip6_mtu+0x2e6/0x460
[ 75.786561][ T3008]  ? ip6_sk_dst_lookup_flow+0xb90/0xb90
[ 75.792091][ T3008]  ? lock_downgrade+0x920/0x920
[ 75.796991][ T3008]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 75.803214][ T3008]  ? __kasan_check_read+0x11/0x20
[ 75.808226][ T3008]  __ip6_finish_output+0x444/0xaa0
[ 75.813319][ T3008]  ? __ip6_finish_output+0x444/0xaa0
[ 75.818590][ T3008]  ip6_finish_output+0x38/0x1f0
[ 75.823544][ T3008]  ip6_output+0x235/0x7f0
[ 75.827861][ T3008]  ? ip6_finish_output+0x1f0/0x1f0
[ 75.832957][ T3008]  ? __ip6_finish_output+0xaa0/0xaa0
[ 75.838293][ T3008]  ndisc_send_skb+0xf29/0x14a0
[ 75.843045][ T3008]  ? nf_hook.constprop.0+0x560/0x560
[ 75.848320][ T3008]  ? skb_set_owner_w+0x21b/0x320
[ 75.853260][ T3008]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[ 75.859003][ T3008]  ndisc_send_ns+0x3a9/0x850
[ 75.863577][ T3008]  ? mark_held_locks+0xa4/0xf0
[ 75.868329][ T3008]  ? ndisc_netdev_event+0x4e0/0x4e0
[ 75.873511][ T3008]  ? lockdep_hardirqs_on+0x421/0x5e0
[ 75.878782][ T3008]  ? addrconf_dad_work+0xac4/0x1150
[ 75.883963][ T3008]  ? trace_hardirqs_on+0x67/0x240
[ 75.888971][ T3008]  ? addrconf_dad_work+0xac4/0x1150
[ 75.894157][ T3008]  addrconf_dad_work+0xb88/0x1150
[ 75.899199][ T3008]  ? addrconf_dad_completed+0xbb0/0xbb0
[ 75.904730][ T3008]  ? rcu_read_lock_any_held.part.0+0x50/0x50
[ 75.910694][ T3008]  ? trace_hardirqs_on+0x67/0x240
[ 75.915705][ T3008]  process_one_work+0x9af/0x1740
[ 75.920632][ T3008]  ? pwq_dec_nr_in_flight+0x320/0x320
[ 75.925988][ T3008]  ? lock_acquire+0x190/0x410
[ 75.930659][ T3008]  worker_thread+0x98/0xe40
[ 75.935146][ T3008]  ? trace_hardirqs_on+0x67/0x240
[ 75.940162][ T3008]  kthread+0x361/0x430
[ 75.944211][ T3008]  ? process_one_work+0x1740/0x1740
[ 75.949489][ T3008]  ? kthread_cancel_delayed_work_sync+0x20/0x20
[ 75.955714][ T3008]  ret_from_fork+0x24/0x30
[ 75.960118][ T3008]
[ 75.962425][ T3008] Allocated by task 8568:
[ 75.966743][ T3008]  save_stack+0x23/0x90
[ 75.970889][ T3008]  __kasan_kmalloc.constprop.0+0xcf/0xe0
[ 75.976502][ T3008]  kasan_kmalloc+0x9/0x10
[ 75.980897][ T3008]  __kmalloc_node_track_caller+0x4e/0x70
[ 75.986508][ T3008]  __kmalloc_reserve.isra.0+0x40/0xf0
[ 75.991858][ T3008]  __alloc_skb+0x10b/0x5e0
[ 75.996257][ T3008]  netlink_sendmsg+0x972/0xd60
[ 76.001003][ T3008]  sock_sendmsg+0xd7/0x130
[ 76.005399][ T3008]  ___sys_sendmsg+0x803/0x920
[ 76.010056][ T3008]  __sys_sendmsg+0x105/0x1d0
[ 76.014624][ T3008]  __x64_sys_sendmsg+0x78/0xb0
[ 76.019366][ T3008]  do_syscall_64+0xfa/0x760
[ 76.023872][ T3008]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 76.029736][ T3008]
[ 76.032065][ T3008] Freed by task 8568:
[ 76.036026][ T3008]  save_stack+0x23/0x90
[ 76.040160][ T3008]  __kasan_slab_free+0x102/0x150
[ 76.045074][ T3008]  kasan_slab_free+0xe/0x10
[ 76.049551][ T3008]  kfree+0x10a/0x2c0
[ 76.053453][ T3008]  skb_free_head+0x93/0xb0
[ 76.057849][ T3008]  skb_release_data+0x42d/0x7c0
[ 76.062693][ T3008]  skb_release_all+0x4d/0x60
[ 76.067283][ T3008]  consume_skb+0xfb/0x3b0
[ 76.071594][ T3008]  netlink_unicast+0x539/0x710
[ 76.076334][ T3008]  netlink_sendmsg+0x8a5/0xd60
[ 76.081082][ T3008]  sock_sendmsg+0xd7/0x130
[ 76.085488][ T3008]  ___sys_sendmsg+0x803/0x920
[ 76.090198][ T3008]  __sys_sendmsg+0x105/0x1d0
[ 76.094766][ T3008]  __x64_sys_sendmsg+0x78/0xb0
[ 76.099560][ T3008]  do_syscall_64+0xfa/0x760
[ 76.104040][ T3008]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 76.109904][ T3008]
[ 76.112214][ T3008] The buggy address belongs to the object at ffff88808c8bf600
[ 76.112214][ T3008]  which belongs to the cache kmalloc-2k of size 2048
[ 76.126246][ T3008] The buggy address is located 112 bytes inside of
[ 76.126246][ T3008]  2048-byte region [ffff88808c8bf600, ffff88808c8bfe00)
[ 76.139575][ T3008] The buggy address belongs to the page:
[ 76.145184][ T3008] page:ffffea0002322f80 refcount:1 mapcount:0 mapping:ffff8880aa400e00 index:0x0 compound_mapcount: 0
[ 76.156096][ T3008] flags: 0x1fffc0000010200(slab|head)
[ 76.161450][ T3008] raw: 01fffc0000010200 ffffea0002322f08 ffffea0002325588 ffff8880aa400e00
[ 76.170009][ T3008] raw: 0000000000000000 ffff88808c8be500 0000000100000003 0000000000000000
[ 76.178572][ T3008] page dumped because: kasan: bad access detected
[ 76.184953][ T3008]
[ 76.187254][ T3008] Memory state around the buggy address:
[ 76.192859][ T3008]  ffff88808c8bf500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 76.200895][ T3008]  ffff88808c8bf580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 76.208939][ T3008] >ffff88808c8bf600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 76.216969][ T3008]                                                                 ^
[ 76.224653][ T3008]  ffff88808c8bf680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 76.232689][ T3008]  ffff88808c8bf700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 76.240724][ T3008] ==================================================================
[ 76.248754][ T3008] Disabling lock debugging due to kernel taint
[ 76.254934][ T3008] Kernel panic - not syncing: panic_on_warn set ...
[ 76.261519][ T3008] CPU: 0 PID: 3008 Comm: kworker/0:2 Tainted: G    B   5.4.0-rc1+ #0
[ 76.270422][ T3008] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 76.280459][ T3008] Workqueue: ipv6_addrconf addrconf_dad_work
[ 76.286408][ T3008] Call Trace:
[ 76.289675][ T3008]  dump_stack+0x172/0x1f0
[ 76.293977][ T3008]  panic+0x2dc/0x755
[ 76.297844][ T3008]  ? add_taint.cold+0x16/0x16
[ 76.302495][ T3008]  ? trace_hardirqs_on+0x5e/0x240
[ 76.307491][ T3008]  ? trace_hardirqs_on+0x5e/0x240
[ 76.312490][ T3008]  ? cbq_enqueue+0xecd/0xef0
[ 76.317053][ T3008]  end_report+0x47/0x4f
[ 76.321180][ T3008]  ? cbq_enqueue+0xecd/0xef0
[ 76.325739][ T3008]  __kasan_report.cold+0xe/0x41
[ 76.330561][ T3008]  ? cbq_enqueue+0xecd/0xef0
[ 76.335132][ T3008]  kasan_report+0x12/0x20
[ 76.339438][ T3008]  __asan_report_load8_noabort+0x14/0x20
[ 76.345038][ T3008]  cbq_enqueue+0xecd/0xef0
[ 76.349427][ T3008]  ? do_raw_spin_lock+0x12a/0x2e0
[ 76.354423][ T3008]  ? cbq_delete+0xd30/0xd30
[ 76.358901][ T3008]  __dev_queue_xmit+0x157e/0x3720
[ 76.363896][ T3008]  ? __kasan_check_read+0x11/0x20
[ 76.368893][ T3008]  ? netdev_core_pick_tx+0x2f0/0x2f0
[ 76.374150][ T3008]  ? ip6_finish_output2+0x1034/0x2550
[ 76.379495][ T3008]  ? __kasan_check_read+0x11/0x20
[ 76.384493][ T3008]  ? mark_held_locks+0xa4/0xf0
[ 76.389230][ T3008]  dev_queue_xmit+0x18/0x20
[ 76.393704][ T3008]  ? dev_queue_xmit+0x18/0x20
[ 76.398354][ T3008]  neigh_resolve_output+0x5a5/0x970
[ 76.403526][ T3008]  ip6_finish_output2+0x1034/0x2550
[ 76.408697][ T3008]  ? ip6_mtu+0x2e6/0x460
[ 76.412915][ T3008]  ? ip6_sk_dst_lookup_flow+0xb90/0xb90
[ 76.418432][ T3008]  ? lock_downgrade+0x920/0x920
[ 76.423267][ T3008]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 76.429477][ T3008]  ? __kasan_check_read+0x11/0x20
[ 76.434478][ T3008]  __ip6_finish_output+0x444/0xaa0
[ 76.439561][ T3008]  ? __ip6_finish_output+0x444/0xaa0
[ 76.444820][ T3008]  ip6_finish_output+0x38/0x1f0
[ 76.449642][ T3008]  ip6_output+0x235/0x7f0
[ 76.453944][ T3008]  ? ip6_finish_output+0x1f0/0x1f0
[ 76.459031][ T3008]  ? __ip6_finish_output+0xaa0/0xaa0
[ 76.464291][ T3008]  ndisc_send_skb+0xf29/0x14a0
[ 76.469032][ T3008]  ? nf_hook.constprop.0+0x560/0x560
[ 76.474289][ T3008]  ? skb_set_owner_w+0x21b/0x320
[ 76.479212][ T3008]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[ 76.484905][ T3008]  ndisc_send_ns+0x3a9/0x850
[ 76.489467][ T3008]  ? mark_held_locks+0xa4/0xf0
[ 76.494202][ T3008]  ? ndisc_netdev_event+0x4e0/0x4e0
[ 76.499372][ T3008]  ? lockdep_hardirqs_on+0x421/0x5e0
[ 76.504627][ T3008]  ? addrconf_dad_work+0xac4/0x1150
[ 76.509801][ T3008]  ? trace_hardirqs_on+0x67/0x240
[ 76.514800][ T3008]  ? addrconf_dad_work+0xac4/0x1150
[ 76.519972][ T3008]  addrconf_dad_work+0xb88/0x1150
[ 76.524969][ T3008]  ? addrconf_dad_completed+0xbb0/0xbb0
[ 76.530490][ T3008]  ? rcu_read_lock_any_held.part.0+0x50/0x50
[ 76.536440][ T3008]  ? trace_hardirqs_on+0x67/0x240
[ 76.541442][ T3008]  process_one_work+0x9af/0x1740
[ 76.546357][ T3008]  ? pwq_dec_nr_in_flight+0x320/0x320
[ 76.551699][ T3008]  ? lock_acquire+0x190/0x410
[ 76.556355][ T3008]  worker_thread+0x98/0xe40
[ 76.560842][ T3008]  ? trace_hardirqs_on+0x67/0x240
[ 76.565843][ T3008]  kthread+0x361/0x430
[ 76.569897][ T3008]  ? process_one_work+0x1740/0x1740
[ 76.575065][ T3008]  ? kthread_cancel_delayed_work_sync+0x20/0x20
[ 76.581286][ T3008]  ret_from_fork+0x24/0x30
[ 76.586878][ T3008] Kernel Offset: disabled
[ 76.591199][ T3008] Rebooting in 86400 seconds..