[ ok ] Starting enhanced syslogd: rsyslogd.
[   83.787899][   T27] audit: type=1800 audit(1584016238.092:25): pid=9304 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="cron" dev="sda1" ino=2414 res=0
[   83.824034][   T27] audit: type=1800 audit(1584016238.092:26): pid=9304 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0
[   83.859828][   T27] audit: type=1800 audit(1584016238.092:27): pid=9304 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.232' (ECDSA) to the list of known hosts.
2020/03/12 12:30:47 parsed 1 programs
2020/03/12 12:30:49 executed programs: 0
syzkaller login: [   95.008642][ T9474] IPVS: ftp: loaded support on port[0] = 21
[   95.071039][ T9474] chnl_net:caif_netlink_parms(): no params data found
[   95.112937][ T9474] bridge0: port 1(bridge_slave_0) entered blocking state
[   95.120988][ T9474] bridge0: port 1(bridge_slave_0) entered disabled state
[   95.129092][ T9474] device bridge_slave_0 entered promiscuous mode
[   95.137620][ T9474] bridge0: port 2(bridge_slave_1) entered blocking state
[   95.144982][ T9474] bridge0: port 2(bridge_slave_1) entered disabled state
[   95.152688][ T9474] device bridge_slave_1 entered promiscuous mode
[   95.171132][ T9474] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[   95.182367][ T9474] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[   95.202749][ T9474] team0: Port device team_slave_0 added
[   95.210219][ T9474] team0: Port device team_slave_1 added
[   95.226052][ T9474] batman_adv: batadv0: Adding interface: batadv_slave_0
[   95.233023][ T9474] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[   95.259111][ T9474] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[   95.271615][ T9474] batman_adv: batadv0: Adding interface: batadv_slave_1
[   95.278711][ T9474] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[   95.304839][ T9474] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[   95.376207][ T9474] device hsr_slave_0 entered promiscuous mode
[   95.414244][ T9474] device hsr_slave_1 entered promiscuous mode
[   95.524218][ T9474] netdevsim netdevsim0 netdevsim0: renamed from eth0
[   95.606765][ T9474] netdevsim netdevsim0 netdevsim1: renamed from eth1
[   95.657113][ T9474] netdevsim netdevsim0 netdevsim2: renamed from eth2
[   95.716923][ T9474] netdevsim netdevsim0 netdevsim3: renamed from eth3
[   95.790535][ T9474] bridge0: port 2(bridge_slave_1) entered blocking state
[   95.798358][ T9474] bridge0: port 2(bridge_slave_1) entered forwarding state
[   95.806308][ T9474] bridge0: port 1(bridge_slave_0) entered blocking state
[   95.813387][ T9474] bridge0: port 1(bridge_slave_0) entered forwarding state
[   95.861919][ T9474] 8021q: adding VLAN 0 to HW filter on device bond0
[   95.875936][ T2687] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[   95.886889][ T2687] bridge0: port 1(bridge_slave_0) entered disabled state
[   95.895677][ T2687] bridge0: port 2(bridge_slave_1) entered disabled state
[   95.904379][ T2687] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[   95.917773][ T9474] 8021q: adding VLAN 0 to HW filter on device team0
[   95.929238][ T2706] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[   95.938019][ T2706] bridge0: port 1(bridge_slave_0) entered blocking state
[   95.945150][ T2706] bridge0: port 1(bridge_slave_0) entered forwarding state
[   95.957047][ T2687] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[   95.966395][ T2687] bridge0: port 2(bridge_slave_1) entered blocking state
[   95.973634][ T2687] bridge0: port 2(bridge_slave_1) entered forwarding state
[   95.995417][ T2706] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[   96.004558][ T2706] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[   96.015506][ T2687] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[   96.032233][ T9474] hsr0: Slave A (hsr_slave_0) is not up; please bring it up to get a fully working HSR network
[   96.042971][ T9474] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
[   96.057067][ T2687] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[   96.066770][ T2687] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[   96.075908][ T2687] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[   96.093272][ T2706] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[   96.101259][ T2706] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[   96.114057][ T9474] 8021q: adding VLAN 0 to HW filter on device batadv0
[   96.134927][ T2687] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_virt_wifi: link becomes ready
[   96.143596][ T2687] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[   96.168213][ T2687] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_vlan: link becomes ready
[   96.177538][ T2687] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[   96.188690][ T9474] device veth0_vlan entered promiscuous mode
[   96.196312][ T2688] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[   96.205482][ T2688] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[   96.218044][ T9474] device veth1_vlan entered promiscuous mode
[   96.240147][ T2688] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan0: link becomes ready
[   96.249217][ T2688] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan1: link becomes ready
[   96.258863][ T2688] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_macvtap: link becomes ready
[   96.269799][ T2688] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[   96.281139][ T9474] device veth0_macvtap entered promiscuous mode
[   96.293714][ T9474] device veth1_macvtap entered promiscuous mode
[   96.316049][ T9474] batman_adv: batadv0: Interface activated: batadv_slave_0
[   96.325268][ T2687] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready
[   96.333330][ T2687] IPv6: ADDRCONF(NETDEV_CHANGE): macsec0: link becomes ready
[   96.343404][ T2687] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready
[   96.352699][ T2687] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[   96.365677][ T9474] batman_adv: batadv0: Interface activated: batadv_slave_1
[   96.374855][ T2687] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready
[   96.383784][ T2687] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[   97.929596][ T9670] ==================================================================
[   97.938228][ T9670] BUG: KASAN: use-after-free in __list_add_valid+0x93/0xa0
[   97.945569][ T9670] Read of size 8 at addr ffff8880975121e0 by task syz-executor.0/9670
[   97.953730][ T9670] 
[   97.956330][ T9670] CPU: 0 PID: 9670 Comm: syz-executor.0 Not tainted 5.6.0-rc3-next-20200228-syzkaller #0
[   97.967505][ T9670] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   97.977724][ T9670] Call Trace:
[   97.981010][ T9670]  dump_stack+0x188/0x20d
[   97.985362][ T9670]  ? __list_add_valid+0x93/0xa0
[   97.990811][ T9670]  ? __list_add_valid+0x93/0xa0
[   97.996574][ T9670]  print_address_description.constprop.0.cold+0xd3/0x315
[   98.004257][ T9670]  ? __list_add_valid+0x93/0xa0
[   98.009107][ T9670]  ? __list_add_valid+0x93/0xa0
[   98.014051][ T9670]  __kasan_report.cold+0x1a/0x32
[   98.019065][ T9670]  ? __list_add_valid+0x93/0xa0
[   98.024171][ T9670]  kasan_report+0xe/0x20
[   98.028424][ T9670]  __list_add_valid+0x93/0xa0
[   98.033538][ T9670]  rdma_listen+0x681/0x910
[   98.038077][ T9670]  ucma_listen+0x14d/0x1c0
[   98.042675][ T9670]  ? ucma_notify+0x190/0x190
[   98.047255][ T9670]  ? __might_fault+0x190/0x1d0
[   98.052382][ T9670]  ? _copy_from_user+0x123/0x190
[   98.057601][ T9670]  ? ucma_notify+0x190/0x190
[   98.062186][ T9670]  ucma_write+0x285/0x350
[   98.067025][ T9670]  ? ucma_open+0x270/0x270
[   98.071447][ T9670]  ? security_file_permission+0x8a/0x370
[   98.077106][ T9670]  ? ucma_open+0x270/0x270
[   98.081526][ T9670]  __vfs_write+0x76/0x100
[   98.085851][ T9670]  vfs_write+0x262/0x5c0
[   98.090454][ T9670]  ksys_write+0x1e8/0x250
[   98.094855][ T9670]  ? __ia32_sys_read+0xb0/0xb0
[   98.099707][ T9670]  ? __ia32_sys_clock_settime+0x260/0x260
[   98.105566][ T9670]  ? trace_hardirqs_off_caller+0x55/0x230
[   98.111302][ T9670]  do_syscall_64+0xf6/0x790
[   98.115806][ T9670]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   98.122724][ T9670] RIP: 0033:0x45c679
[   98.126618][ T9670] Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[   98.146846][ T9670] RSP: 002b:00007f18d52a0c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[   98.155767][ T9670] RAX: ffffffffffffffda RBX: 00007f18d52a16d4 RCX: 000000000045c679
[   98.163725][ T9670] RDX: 0000000000000010 RSI: 0000000020000140 RDI: 0000000000000003
[   98.171687][ T9670] RBP: 000000000076bfa0 R08: 0000000000000000 R09: 0000000000000000
[   98.179715][ T9670] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
[   98.187704][ T9670] R13: 0000000000000cbe R14: 00000000004cec51 R15: 000000000076bfac
[   98.195701][ T9670] 
[   98.198023][ T9670] Allocated by task 9571:
[   98.202338][ T9670]  save_stack+0x1b/0x40
[   98.206482][ T9670]  __kasan_kmalloc.constprop.0+0xbf/0xd0
[   98.212096][ T9670]  kmem_cache_alloc_trace+0x153/0x7d0
[   98.217534][ T9670]  __rdma_create_id+0x5b/0x850
[   98.222289][ T9670]  ucma_create_id+0x1cb/0x580
[   98.227052][ T9670]  ucma_write+0x285/0x350
[   98.231384][ T9670]  __vfs_write+0x76/0x100
[   98.235693][ T9670]  vfs_write+0x262/0x5c0
[   98.239931][ T9670]  ksys_write+0x1e8/0x250
[   98.244241][ T9670]  do_syscall_64+0xf6/0x790
[   98.248773][ T9670]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   98.254656][ T9670] 
[   98.256984][ T9670] Freed by task 9571:
[   98.260958][ T9670]  save_stack+0x1b/0x40
[   98.265095][ T9670]  __kasan_slab_free+0xf7/0x140
[   98.269922][ T9670]  kfree+0x109/0x2b0
[   98.273796][ T9670]  ucma_close+0x10b/0x300
[   98.278099][ T9670]  __fput+0x2da/0x850
[   98.282063][ T9670]  task_work_run+0x13f/0x1b0
[   98.286641][ T9670]  exit_to_usermode_loop+0x2fa/0x360
[   98.291902][ T9670]  do_syscall_64+0x672/0x790
[   98.296475][ T9670]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   98.302336][ T9670] 
[   98.304646][ T9670] The buggy address belongs to the object at ffff888097512000
[   98.304646][ T9670]  which belongs to the cache kmalloc-2k of size 2048
[   98.319031][ T9670] The buggy address is located 480 bytes inside of
[   98.319031][ T9670]  2048-byte region [ffff888097512000, ffff888097512800)
[   98.332493][ T9670] The buggy address belongs to the page:
[   98.338122][ T9670] page:ffffea00025d4480 refcount:1 mapcount:0 mapping:0000000008bef093 index:0x0
[   98.347479][ T9670] flags: 0xfffe0000000200(slab)
[   98.352310][ T9670] raw: 00fffe0000000200 ffffea000266f6c8 ffffea00023d6588 ffff8880aa000e00
[   98.360881][ T9670] raw: 0000000000000000 ffff888097512000 0000000100000001 0000000000000000
[   98.369893][ T9670] page dumped because: kasan: bad access detected
[   98.376294][ T9670] 
[   98.378619][ T9670] Memory state around the buggy address:
[   98.384254][ T9670]  ffff888097512080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   98.392296][ T9670]  ffff888097512100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   98.400352][ T9670] >ffff888097512180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   98.408399][ T9670]                                                        ^
[   98.415584][ T9670]  ffff888097512200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   98.423629][ T9670]  ffff888097512280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   98.431667][ T9670] ==================================================================
[   98.439704][ T9670] Disabling lock debugging due to kernel taint
[   98.450854][ T9670] Kernel panic - not syncing: panic_on_warn set ...
[   98.457499][ T9670] CPU: 0 PID: 9670 Comm: syz-executor.0 Tainted: G    B             5.6.0-rc3-next-20200228-syzkaller #0
[   98.468770][ T9670] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   98.478829][ T9670] Call Trace:
[   98.482102][ T9670]  dump_stack+0x188/0x20d
[   98.486432][ T9670]  panic+0x2e3/0x75c
[   98.490304][ T9670]  ? add_taint.cold+0x16/0x16
[   98.494960][ T9670]  ? preempt_schedule_common+0x5e/0xc0
[   98.500403][ T9670]  ? __list_add_valid+0x93/0xa0
[   98.505247][ T9670]  ? ___preempt_schedule+0x16/0x18
[   98.510339][ T9670]  ? trace_hardirqs_on+0x55/0x220
[   98.515357][ T9670]  ? __list_add_valid+0x93/0xa0
[   98.520190][ T9670]  end_report+0x43/0x49
[   98.524323][ T9670]  ? __list_add_valid+0x93/0xa0
[   98.529158][ T9670]  __kasan_report.cold+0xd/0x32
[   98.533988][ T9670]  ? __list_add_valid+0x93/0xa0
[   98.538820][ T9670]  kasan_report+0xe/0x20
[   98.543052][ T9670]  __list_add_valid+0x93/0xa0
[   98.547710][ T9670]  rdma_listen+0x681/0x910
[   98.552129][ T9670]  ucma_listen+0x14d/0x1c0
[   98.556521][ T9670]  ? ucma_notify+0x190/0x190
[   98.561100][ T9670]  ? __might_fault+0x190/0x1d0
[   98.565849][ T9670]  ? _copy_from_user+0x123/0x190
[   98.570764][ T9670]  ? ucma_notify+0x190/0x190
[   98.575360][ T9670]  ucma_write+0x285/0x350
[   98.579678][ T9670]  ? ucma_open+0x270/0x270
[   98.584071][ T9670]  ? security_file_permission+0x8a/0x370
[   98.589682][ T9670]  ? ucma_open+0x270/0x270
[   98.594087][ T9670]  __vfs_write+0x76/0x100
[   98.598402][ T9670]  vfs_write+0x262/0x5c0
[   98.602647][ T9670]  ksys_write+0x1e8/0x250
[   98.606967][ T9670]  ? __ia32_sys_read+0xb0/0xb0
[   98.611745][ T9670]  ? __ia32_sys_clock_settime+0x260/0x260
[   98.617446][ T9670]  ? trace_hardirqs_off_caller+0x55/0x230
[   98.623151][ T9670]  do_syscall_64+0xf6/0x790
[   98.627865][ T9670]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   98.633820][ T9670] RIP: 0033:0x45c679
[   98.637798][ T9670] Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[   98.657393][ T9670] RSP: 002b:00007f18d52a0c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[   98.665831][ T9670] RAX: ffffffffffffffda RBX: 00007f18d52a16d4 RCX: 000000000045c679
[   98.673792][ T9670] RDX: 0000000000000010 RSI: 0000000020000140 RDI: 0000000000000003
[   98.681865][ T9670] RBP: 000000000076bfa0 R08: 0000000000000000 R09: 0000000000000000
[   98.689820][ T9670] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
[   98.697829][ T9670] R13: 0000000000000cbe R14: 00000000004cec51 R15: 000000000076bfac
[   98.707327][ T9670] Kernel Offset: disabled
[   98.711665][ T9670] Rebooting in 86400 seconds..