[ 81.059797][ T27] audit: type=1800 audit(1581872405.525:25): pid=9824 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="cron" dev="sda1" ino=2414 res=0
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ 82.009926][ T27] kauditd_printk_skb: 3 callbacks suppressed
[ 82.009938][ T27] audit: type=1800 audit(1581872406.475:29): pid=9824 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="rc.local" dev="sda1" ino=2432 res=0
[ 82.036554][ T27] audit: type=1800 audit(1581872406.475:30): pid=9824 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="rmnologin" dev="sda1" ino=2423 res=0
Debian GNU/Linux 7 syzkaller ttyS0
Warning: Permanently added '10.128.0.155' (ECDSA) to the list of known hosts.
2020/02/16 17:00:15 parsed 1 programs
2020/02/16 17:00:17 executed programs: 0
syzkaller login: [ 92.806409][ T9997] IPVS: ftp: loaded support on port[0] = 21
[ 92.864653][ T9997] chnl_net:caif_netlink_parms(): no params data found
[ 92.903132][ T9997] bridge0: port 1(bridge_slave_0) entered blocking state
[ 92.910954][ T9997] bridge0: port 1(bridge_slave_0) entered disabled state
[ 92.919793][ T9997] device bridge_slave_0 entered promiscuous mode
[ 92.928744][ T9997] bridge0: port 2(bridge_slave_1) entered blocking state
[ 92.936349][ T9997] bridge0: port 2(bridge_slave_1) entered disabled state
[ 92.944703][ T9997] device bridge_slave_1 entered promiscuous mode
[ 92.962608][ T9997] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 92.974830][ T9997] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 92.998659][ T9997] team0: Port device team_slave_0 added
[ 93.009175][ T9997] team0: Port device team_slave_1 added
[ 93.024658][ T9997] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 93.032176][ T9997] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 93.061605][ T9997] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[ 93.074012][ T9997] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 93.081114][ T9997] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 93.107129][ T9997] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[ 93.164476][ T9997] device hsr_slave_0 entered promiscuous mode
[ 93.203203][ T9997] device hsr_slave_1 entered promiscuous mode
[ 93.305493][ T9997] netdevsim netdevsim0 netdevsim0: renamed from eth0
[ 93.354603][ T9997] netdevsim netdevsim0 netdevsim1: renamed from eth1
[ 93.414687][ T9997] netdevsim netdevsim0 netdevsim2: renamed from eth2
[ 93.454139][ T9997] netdevsim netdevsim0 netdevsim3: renamed from eth3
[ 93.558012][ T9997] bridge0: port 2(bridge_slave_1) entered blocking state
[ 93.566017][ T9997] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 93.574023][ T9997] bridge0: port 1(bridge_slave_0) entered blocking state
[ 93.581615][ T9997] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 93.626058][ T9997] 8021q: adding VLAN 0 to HW filter on device bond0
[ 93.640336][ T2691] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 93.650710][ T2691] bridge0: port 1(bridge_slave_0) entered disabled state
[ 93.659607][ T2691] bridge0: port 2(bridge_slave_1) entered disabled state
[ 93.668212][ T2691] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 93.681377][ T9997] 8021q: adding VLAN 0 to HW filter on device team0
[ 93.693112][ T2894] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 93.701578][ T2894] bridge0: port 1(bridge_slave_0) entered blocking state
[ 93.708766][ T2894] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 93.719875][ T2691] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 93.729285][ T2691] bridge0: port 2(bridge_slave_1) entered blocking state
[ 93.736490][ T2691] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 93.762924][ T2894] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 93.771718][ T2894] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 93.780842][ T2894] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 93.794661][ T9997] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
[ 93.806386][ T9997] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 93.814689][ T2894] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 93.822552][ T2894] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 93.842884][ T2780] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 93.850310][ T2780] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 93.865730][ T9997] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 93.884360][ T2894] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_virt_wifi: link becomes ready
[ 93.893868][ T2894] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 93.912366][ T2780] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_vlan: link becomes ready
[ 93.920929][ T2780] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 93.931113][ T2780] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 93.939158][ T2780] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 93.948633][ T9997] device veth0_vlan entered promiscuous mode
[ 93.960041][ T9997] device veth1_vlan entered promiscuous mode
[ 93.985307][ T2894] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan0: link becomes ready
[ 93.993945][ T2894] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan1: link becomes ready
[ 94.002280][ T2894] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_macvtap: link becomes ready
[ 94.010659][ T2894] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 94.020873][ T9997] device veth0_macvtap entered promiscuous mode
[ 94.032656][ T9997] device veth1_macvtap entered promiscuous mode
[ 94.049777][ T9997] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 94.057803][ T2780] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready
[ 94.066432][ T2780] IPv6: ADDRCONF(NETDEV_CHANGE): macsec0: link becomes ready
[ 94.074878][ T2780] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready
[ 94.083628][ T2780] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 94.096617][ T9997] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 94.104994][ T2894] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready
[ 94.114652][ T2894] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 94.372732][ T2894] ==================================================================
[ 94.381000][ T2894] BUG: KASAN: use-after-free in l3mdev_master_ifindex_rcu+0x132/0x150
[ 94.389160][ T2894] Read of size 4 at addr ffff88809136a21c by task kworker/0:42/2894
[ 94.397127][ T2894]
[ 94.399473][ T2894] CPU: 0 PID: 2894 Comm: kworker/0:42 Not tainted 5.6.0-rc1-syzkaller #0
[ 94.407879][ T2894] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 94.418105][ T2894] Workqueue: ipv6_addrconf addrconf_dad_work
[ 94.424092][ T2894] Call Trace:
[ 94.427393][ T2894] dump_stack+0x197/0x210
[ 94.432083][ T2894] ? l3mdev_master_ifindex_rcu+0x132/0x150
[ 94.437916][ T2894] print_address_description.constprop.0.cold+0xd4/0x30b
[ 94.444946][ T2894] ? l3mdev_master_ifindex_rcu+0x132/0x150
[ 94.450864][ T2894] ? l3mdev_master_ifindex_rcu+0x132/0x150
[ 94.456681][ T2894] __kasan_report.cold+0x1b/0x32
[ 94.461672][ T2894] ? l3mdev_master_ifindex_rcu+0x132/0x150
[ 94.467498][ T2894] kasan_report+0x12/0x20
[ 94.471867][ T