[ ok ] Starting enhanced syslogd: rsyslogd.
[ 70.596995][ T27] audit: type=1800 audit(1584231009.552:25): pid=9391 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="cron" dev="sda1" ino=2414 res=0
[ 70.621941][ T27] audit: type=1800 audit(1584231009.552:26): pid=9391 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0
[ 70.675885][ T27] audit: type=1800 audit(1584231009.552:27): pid=9391 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
Debian GNU/Linux 7 syzkaller ttyS0
Warning: Permanently added '10.128.10.48' (ECDSA) to the list of known hosts.
2020/03/15 00:10:21 parsed 1 programs
2020/03/15 00:10:23 executed programs: 0
syzkaller login: [ 84.514592][ T9563] IPVS: ftp: loaded support on port[0] = 21
[ 84.575357][ T9563] chnl_net:caif_netlink_parms(): no params data found
[ 84.617766][ T9563] bridge0: port 1(bridge_slave_0) entered blocking state
[ 84.625546][ T9563] bridge0: port 1(bridge_slave_0) entered disabled state
[ 84.634065][ T9563] device bridge_slave_0 entered promiscuous mode
[ 84.643479][ T9563] bridge0: port 2(bridge_slave_1) entered blocking state
[ 84.650621][ T9563] bridge0: port 2(bridge_slave_1) entered disabled state
[ 84.658658][ T9563] device bridge_slave_1 entered promiscuous mode
[ 84.676946][ T9563] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 84.687957][ T9563] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 84.708142][ T9563] team0: Port device team_slave_0 added
[ 84.715552][ T9563] team0: Port device team_slave_1 added
[ 84.730986][ T9563] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 84.737998][ T9563] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 84.764350][ T9563] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[ 84.776698][ T9563] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 84.783900][ T9563] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 84.809835][ T9563] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[ 84.884144][ T9563] device hsr_slave_0 entered promiscuous mode
[ 84.941464][ T9563] device hsr_slave_1 entered promiscuous mode
[ 85.093353][ T9563] netdevsim netdevsim0 netdevsim0: renamed from eth0
[ 85.134291][ T9563] netdevsim netdevsim0 netdevsim1: renamed from eth1
[ 85.214236][ T9563] netdevsim netdevsim0 netdevsim2: renamed from eth2
[ 85.274391][ T9563] netdevsim netdevsim0 netdevsim3: renamed from eth3
[ 85.347237][ T9563] bridge0: port 2(bridge_slave_1) entered blocking state
[ 85.354663][ T9563] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 85.362609][ T9563] bridge0: port 1(bridge_slave_0) entered blocking state
[ 85.369673][ T9563] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 85.417513][ T9563] 8021q: adding VLAN 0 to HW filter on device bond0
[ 85.430882][ T3561] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 85.442487][ T3561] bridge0: port 1(bridge_slave_0) entered disabled state
[ 85.450345][ T3561] bridge0: port 2(bridge_slave_1) entered disabled state
[ 85.458936][ T3561] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 85.472581][ T9563] 8021q: adding VLAN 0 to HW filter on device team0
[ 85.483598][ T2831] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 85.492961][ T2831] bridge0: port 1(bridge_slave_0) entered blocking state
[ 85.500033][ T2831] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 85.511822][ T3561] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 85.520296][ T3561] bridge0: port 2(bridge_slave_1) entered blocking state
[ 85.527416][ T3561] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 85.546128][ T2831] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 85.555185][ T2831] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 85.566645][ T3561] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_team: link becomes ready
[ 85.576367][ T3561] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 85.591548][ T3561] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_hsr: link becomes ready
[ 85.600060][ T3561] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 85.609262][ T3561] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_hsr: link becomes ready
[ 85.617733][ T3561] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 85.627852][ T9563] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 85.646809][ T2831] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 85.655037][ T2831] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 85.670272][ T9563] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 85.689819][ T2831] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_virt_wifi: link becomes ready
[ 85.699763][ T2831] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 85.721812][ T2831] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_vlan: link becomes ready
[ 85.730171][ T2831] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 85.739885][ T9563] device veth0_vlan entered promiscuous mode
[ 85.748173][ T22] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 85.756375][ T22] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 85.770752][ T9563] device veth1_vlan entered promiscuous mode
[ 85.791951][ T3561] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan0: link becomes ready
[ 85.800143][ T3561] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan1: link becomes ready
[ 85.809935][ T3561] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_macvtap: link becomes ready
[ 85.818836][ T3561] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 85.830035][ T9563] device veth0_macvtap entered promiscuous mode
[ 85.841952][ T9563] device veth1_macvtap entered promiscuous mode
[ 85.859838][ T9563] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 85.869252][ T3561] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready
[ 85.877825][ T3561] IPv6: ADDRCONF(NETDEV_CHANGE): macsec0: link becomes ready
[ 85.886595][ T3561] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready
[ 85.895865][ T3561] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 85.908519][ T9563] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 85.916368][ T22] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready
[ 85.925261][ T22] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 86.379559][ T9594] netlink: 16 bytes leftover after parsing attributes in process `syz-executor.0'.
[ 86.652414][ T9632] netlink: 16 bytes leftover after parsing attributes in process `syz-executor.0'.
[ 86.822100][ T9656] ------------[ cut here ]------------
[ 86.827681][ T9656] refcount_t: addition on 0; use-after-free.
[ 86.834494][ T9656] WARNING: CPU: 0 PID: 9656 at lib/refcount.c:25 refcount_warn_saturate+0x169/0x1e0
[ 86.843882][ T9656] Kernel panic - not syncing: panic_on_warn set ...
[ 86.850474][ T9656] CPU: 0 PID: 9656 Comm: syz-executor.0 Not tainted 5.6.0-rc5-syzkaller #0
[ 86.859056][ T9656] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 86.869106][ T9656] Call Trace:
[ 86.872396][ T9656] dump_stack+0x188/0x20d
[ 86.876730][ T9656] ? refcount_warn_saturate+0xd0/0x1e0
[ 86.882185][ T9656] panic+0x2e3/0x75c
[ 86.886075][ T9656] ? add_taint.cold+0x16/0x16
[ 86.890758][ T9656] ? __probe_kernel_read+0x188/0x1d0
[ 86.896123][ T9656] ? __warn.cold+0x14/0x35
[ 86.900621][ T9656] ? __warn+0xd5/0x1c8
[ 86.904690][ T9656] ? refcount_warn_saturate+0x169/0x1e0
[ 86.910247][ T9656] __warn.cold+0x2f/0x35
[ 86.914509][ T9656] ? irq_work_queue+0xc3/0x100
[ 86.918427][ T7] ------------[ cut here ]------------
[ 86.919279][ T9656] ? refcount_warn_saturate+0x169/0x1e0
[ 86.919298][ T9656] report_bug+0x27b/0x2f0
[ 86.924930][ T7] refcount_t: saturated; leaking memory.
[ 86.930443][ T9656] do_error_trap+0x12b/0x220
[ 86.935609][ T7] WARNING: CPU: 1 PID: 7 at lib/refcount.c:19 refcount_warn_saturate+0xf4/0x1e0
[ 86.940393][ T9656] ? refcount_warn_saturate+0x169/0x1e0
[ 86.944964][ T7] Modules linked in:
[ 86.954055][ T9656] do_invalid_op+0x32/0x40
[ 86.959585][ T7] CPU: 1 PID: 7 Comm: kworker/u4:0 Not tainted 5.6.0-rc5-syzkaller #0
[ 86.963467][ T9656] ? refcount_warn_saturate+0x169/0x1e0
[ 86.968291][ T7] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 86.968305][ T7] Workqueue: netns cleanup_net
[ 86.976433][ T9656] invalid_op+0x23/0x30
[ 86.981958][ T7] RIP: 0010:refcount_warn_saturate+0xf4/0x1e0
[ 86.991990][ T9656] RIP: 0010:refcount_warn_saturate+0x169/0x1e0
[ 86.996727][ T7] Code: 1d a8 7f d2 06 31 ff 89 de e8 38 3b e3 fd 84 db 75 ab e8 ff 39 e3 fd 48 c7 c7 00 b0 51 88 c6 05 88 7f d2 06 01 e8 64 4a b5 fd <0f> 0b eb 8f e8 e3 39 e3 fd 0f b6 1d 72 7f d2 06 31 ff 89 de e8 03
[ 87.000860][ T9656] Code: 06 31 ff 89 de e8 c7 3a e3 fd 84 db 0f 85 36 ff ff ff e8 8a 39 e3 fd 48 c7 c7 a0 b0 51 88 c6 05 11 7f d2 06 01 e8 ef 49 b5 fd <0f> 0b e9 17 ff ff ff e8 6b 39 e3 fd 0f b6 1d f6 7e d2 06 31 ff 89
[ 87.006897][ T7] RSP: 0018:ffffc90000cdf510 EFLAGS: 00010286
[ 87.013039][ T9656] RSP: 0018:ffffc90002447d20 EFLAGS: 00010286
[ 87.032632][ T7] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
[ 87.052208][ T9656] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
[ 87.052220][ T9656] RDX: 0000000000000000 RSI: ffffffff815bfe61 RDI: fffff52000488f96
[ 87.058280][ T7] RDX: 0000000000000000 RSI: ffffffff815bfe61 RDI: fffff5200019be94
[ 87.064320][ T9656] RBP: 0000000000000002 R08: ffff88809e9e6500 R09: ffffed1015cc6659
[ 87.072406][ T7] RBP: 0000000000000000 R08: ffff8880a95de1c0 R09: ffffed1015ce6659
[ 87.080386][ T9656] R10: ffffed1015cc6658 R11: ffff8880ae6332c7 R12: ffff888098fda000
[ 87.088368][ T7] R10: ffffed1015ce6658 R11: ffff8880ae7332c7 R12: ffff8880a6888044
[ 87.096428][ T9656] R13: ffff8880a6888044 R14: 0000000000000010 R15: ffff888098fda0c8
[ 87.104415][ T7] R13: 1ffff9200019bea8 R14: 00000000c0000001 R15: ffffc90000cdf560
[ 87.112394][ T9656] ? vprintk_func+0x81/0x17e
[ 87.120564][ T7] FS: 0000000000000000(0000) GS:ffff8880ae700000(0000) knlGS:0000000000000000
[ 87.128544][ T9656] sk_alloc+0xe86/0xfa0
[ 87.136486][ T7] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 87.144445][ T9656] __netlink_create+0x63/0x280
[ 87.149004][ T7] CR2: 00007fae31fa0ea0 CR3: 00000000a9331000 CR4: 00000000001406e0
[ 87.157934][ T9656] netlink_create+0x3a1/0x5d0
[ 87.162060][ T7] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 87.168626][ T9656] ? do_set_master+0x230/0x230
[ 87.173355][ T7] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 87.173364][ T7] Call Trace:
[ 87.181324][ T9656] __sock_create+0x3cb/0x730
[ 87.185984][ T7] masq_inet6_event+0x56c/0x650
[ 87.193937][ T9656] __sys_socket+0xef/0x200
[ 87.198680][ T7] ? nf_nat_masquerade_ipv4+0x650/0x650
[ 87.207603][ T9656] ? move_addr_to_kernel+0x70/0x70
[ 87.210867][ T7] ? __fib6_clean_all+0x2a0/0x2a0
[ 87.215520][ T9656] ? __x64_sys_clock_gettime+0x165/0x240
[ 87.215533][ T9656] ? __ia32_sys_clock_settime+0x260/0x260
[ 87.215555][ T9656] ? trace_hardirqs_off_caller+0x55/0x230
[ 87.220398][ T7] ? ieee80211_ifa6_changed+0xea/0x810
[ 87.224916][ T9656] __x64_sys_socket+0x6f/0xb0
[ 87.230415][ T7] notifier_call_chain+0xc0/0x230
[ 87.235525][ T9656] ? lockdep_hardirqs_on+0x417/0x5d0
[ 87.240534][ T7] __atomic_notifier_call_chain+0x95/0x180
[ 87.246239][ T9656] do_syscall_64+0xf6/0x7d0
[ 87.251937][ T7] addrconf_ifdown+0x8df/0x12f0
[ 87.257636][ T9656] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 87.263087][ T7] addrconf_notify+0x5cd/0x2310
[ 87.267732][ T9656] RIP: 0033:0x45c849
[ 87.272736][ T7] ? mark_lock+0xbc/0x1220
[ 87.278039][ T9656] Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 87.283841][ T7] ? lock_downgrade+0x7f0/0x7f0
[ 87.288409][ T9656] RSP: 002b:00007fc233186c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000029
[ 87.293242][ T7] ? tls_dev_event+0x100/0xc60
[ 87.299105][ T9656] RAX: ffffffffffffffda RBX: 00007fc2331876d4 RCX: 000000000045c849
[ 87.303934][ T7] ? mark_held_locks+0x9f/0xe0
[ 87.307814][ T9656] RDX: 0000000000000000 RSI: 0000000000000003 RDI: 0000000000000010
[ 87.312221][ T7] ? inet6_ifinfo_notify+0x150/0x150
[ 87.331822][ T9656] RBP: 000000000076bf00 R08: 0000000000000000 R09: 0000000000000000
[ 87.331838][ T9656] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
[ 87.336912][ T7] ? clusterip_netdev_event+0x465/0x640
[ 87.345297][ T9656] R13: 0000000000000b8b R14: 00000000004cdbcf R15: 000000000076bf0c
[ 87.350050][ T7] ? __local_bh_enable_ip+0x159/0x270
[ 87.410702][ T7] ? clusterip_netdev_event+0x465/0x640
[ 87.416246][ T7] ? tee_netdev_event+0x431/0x5d0
[ 87.421279][ T7] ? notifier_call_chain+0xc0/0x230
[ 87.426464][ T7] notifier_call_chain+0xc0/0x230
[ 87.431487][ T7] call_netdevice_notifiers_info+0xb5/0x130
[ 87.437401][ T7] dev_close_many+0x2f5/0x620
[ 87.442085][ T7] ? netdev_master_upper_dev_link+0x40/0x40
[ 87.447967][ T7] ? find_held_lock+0x2d/0x110
[ 87.452736][ T7] rollback_registered_many+0x3ad/0xe70
[ 87.458272][ T7] ? netif_set_real_num_tx_queues+0x700/0x700
[ 87.464332][ T7] ? __mutex_lock+0x458/0x13c0
[ 87.469095][ T7] ? trace_hardirqs_off+0x50/0x220
[ 87.474195][ T7] ? nsim_destroy+0x2b/0x60
[ 87.478685][ T7] ? _raw_spin_unlock_irqrestore+0x9b/0xe0
[ 87.484476][ T7] ? add_timer+0x3b1/0x830
[ 87.488882][ T7] ? mutex_trylock+0x2c0/0x2c0
[ 87.493633][ T7] rollback_registered+0xf2/0x1c0
[ 87.498674][ T7] ? rollback_registered_many+0xe70/0xe70
[ 87.504381][ T7] ? mark_held_locks+0x9f/0xe0
[ 87.509132][ T7] ? queue_delayed_work_on+0xee/0x210
[ 87.514493][ T7] unregister_netdevice_queue+0x1d7/0x2b0
[ 87.520202][ T7] nsim_destroy+0x35/0x60
[ 87.524537][ T7] __nsim_dev_port_del+0x144/0x1e0
[ 87.529636][ T7] nsim_dev_port_del_all+0x86/0xe0
[ 87.534735][ T7] nsim_dev_reload_destroy+0x77/0x110
[ 87.540092][ T7] nsim_dev_reload_down+0x6e/0xd0
[ 87.545105][ T7] devlink_reload+0xbd/0x3b0
[ 87.549846][ T7] devlink_pernet_pre_exit+0xfb/0x190
[ 87.555223][ T7] ? devlink_nl_cmd_reload+0x7c0/0x7c0
[ 87.560690][ T7] cleanup_net+0x47a/0xa50
[ 87.565105][ T7] ? unregister_pernet_device+0x70/0x70
[ 87.570676][ T7] ? rcu_read_lock_any_held.part.0+0x50/0x50
[ 87.576671][ T7] process_one_work+0x94b/0x1690
[ 87.581612][ T7] ? pwq_dec_nr_in_flight+0x310/0x310
[ 87.586997][ T7] ? do_raw_spin_lock+0x129/0x2e0
[ 87.592018][ T7] worker_thread+0x96/0xe20
[ 87.596517][ T7] ? process_one_work+0x1690/0x1690
[ 87.601703][ T7] kthread+0x357/0x430
[ 87.605763][ T7] ? kthread_mod_delayed_work+0x1a0/0x1a0
[ 87.611732][ T7] ret_from_fork+0x24/0x30
[ 87.616145][ T7] irq event stamp: 425794
[ 87.620479][ T7] hardirqs last enabled at (425793): [] _raw_spin_unlock_irq+0x1f/0x80
[ 87.630366][ T7] hardirqs last disabled at (425794): [] trace_hardirqs_off_thunk+0x1a/0x1c
[ 87.640586][ T7] softirqs last enabled at (425790): [] __do_softirq+0x6df/0x99d
[ 87.649945][ T7] softirqs last disabled at (425783): [] irq_exit+0x192/0x1d0
[ 87.658941][ T7] ---[ end trace 1df433f5085bc7e9 ]---
[ 87.665832][ T9656] Kernel Offset: disabled
[ 87.670225][ T9656] Rebooting in 86400 seconds..