[ ok ] Starting enhanced syslogd: rsyslogd.
[ 63.713789][ T27] audit: type=1800 audit(1581649117.728:25): pid=8935 uid=0 auid=4294967295 ses=4294967295 subj=_ op=collect_data cause=failed(directio) comm="startpar" name="cron" dev="sda1" ino=2414 res=0
[ 63.740941][ T27] audit: type=1800 audit(1581649117.728:26): pid=8935 uid=0 auid=4294967295 ses=4294967295 subj=_ op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0
[ 63.784857][ T27] audit: type=1800 audit(1581649117.728:27): pid=8935 uid=0 auid=4294967295 ses=4294967295 subj=_ op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.0.63' (ECDSA) to the list of known hosts.
syzkaller login:
[ 77.168453][ T9089] IPVS: ftp: loaded support on port[0] = 21
[ 77.219010][ T9089] chnl_net:caif_netlink_parms(): no params data found
[ 77.253621][ T9089] bridge0: port 1(bridge_slave_0) entered blocking state
[ 77.261070][ T9089] bridge0: port 1(bridge_slave_0) entered disabled state
[ 77.268996][ T9089] device bridge_slave_0 entered promiscuous mode
[ 77.277734][ T9089] bridge0: port 2(bridge_slave_1) entered blocking state
[ 77.285083][ T9089] bridge0: port 2(bridge_slave_1) entered disabled state
[ 77.292836][ T9089] device bridge_slave_1 entered promiscuous mode
[ 77.308320][ T9089] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 77.319601][ T9089] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 77.338403][ T9089] team0: Port device team_slave_0 added
[ 77.346184][ T9089] team0: Port device team_slave_1 added
[ 77.359592][ T9089] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 77.367323][ T9089] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 77.394211][ T9089] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[ 77.406791][ T9089] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 77.413966][ T9089] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 77.440084][ T9089] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[ 77.482709][ T9089] device hsr_slave_0 entered promiscuous mode
[ 77.561221][ T9089] device hsr_slave_1 entered promiscuous mode
[ 77.684370][ T9089] netdevsim netdevsim0 netdevsim0: renamed from eth0
[ 77.743471][ T9089] netdevsim netdevsim0 netdevsim1: renamed from eth1
[ 77.803121][ T9089] netdevsim netdevsim0 netdevsim2: renamed from eth2
[ 77.863228][ T9089] netdevsim netdevsim0 netdevsim3: renamed from eth3
[ 77.913977][ T9089] bridge0: port 2(bridge_slave_1) entered blocking state
[ 77.921336][ T9089] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 77.929009][ T9089] bridge0: port 1(bridge_slave_0) entered blocking state
[ 77.936137][ T9089] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 77.973879][ T9089] 8021q: adding VLAN 0 to HW filter on device bond0
[ 77.987867][ T2738] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 77.998469][ T2738] bridge0: port 1(bridge_slave_0) entered disabled state
[ 78.006681][ T2738] bridge0: port 2(bridge_slave_1) entered disabled state
[ 78.015174][ T2738] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 78.028081][ T9089] 8021q: adding VLAN 0 to HW filter on device team0
[ 78.038717][ T2800] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 78.047877][ T2800] bridge0: port 1(bridge_slave_0) entered blocking state
[ 78.055127][ T2800] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 78.066130][ T2738] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 78.074987][ T2738] bridge0: port 2(bridge_slave_1) entered blocking state
[ 78.082219][ T2738] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 78.102131][ T2738] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 78.111959][ T2738] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 78.123082][ T26] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 78.131492][ T26] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 78.144229][ T2800] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 78.154718][ T9089] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 78.172033][ T26] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 78.179654][ T26] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 78.192982][ T9089] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 78.210266][ T2800] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 78.230167][ T9089] device veth0_vlan entered promiscuous mode
[ 78.237046][ T3011] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_vlan: link becomes ready
[ 78.246926][ T3011] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 78.257057][ T3011] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 78.265258][ T3011] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 78.275911][ T9089] device veth1_vlan entered promiscuous mode
[ 78.294466][ T26] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan0: link becomes ready
[ 78.303453][ T26] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan1: link becomes ready
[ 78.312027][ T26] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_macvtap: link becomes ready
[ 78.320377][ T26] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 78.333074][ T9089] device veth0_macvtap entered promiscuous mode
[ 78.343645][ T9089] device veth1_macvtap entered promiscuous mode
[ 78.358118][ T9089] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 78.365789][ T3011] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready
[ 78.374769][ T3011] IPv6: ADDRCONF(NETDEV_CHANGE): macsec0: link becomes ready
[ 78.382783][ T3011] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready
[ 78.391667][ T3011] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 78.403231][ T9089] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 78.411258][ T2690] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready
[ 78.419777][ T2690] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
executing program
[ 78.711423][ C1] ==================================================================
[ 78.719797][ C1] BUG: KASAN: use-after-free in l3mdev_master_ifindex_rcu+0xfa/0x130
[ 78.727950][ C1] Read of size 4 at addr ffff888097c7821c by task kworker/1:4/2690
[ 78.735985][ C1]
[ 78.738304][ C1] CPU: 1 PID: 2690 Comm: kworker/1:4 Not tainted 5.6.0-rc1-syzkaller #0
[ 78.746608][ C1] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 78.756667][ C1] Workqueue: events iterate_cleanup_work
[ 78.762292][ C1] Call Trace:
[ 78.765568][ C1]
[ 78.768426][ C1] dump_stack+0x1fb/0x318
[ 78.772741][ C1] print_address_description+0x74/0x5c0
[ 78.778297][ C1] ? vprintk_default+0x28/0x30
[ 78.783064][ C1] ? vprintk_func+0x158/0x170
[ 78.787748][ C1] ? printk+0x62/0x8d
[ 78.791896][ C1] __kasan_report+0x149/0x1c0
[ 78.796575][ C1] ? l3mdev_master_ifindex_rcu+0xfa/0x130
[ 78.802280][ C1] kasan_report+0x26/0x50
[ 78.806598][ C1] ? __ipv6_dev_get_saddr+0x41f/0x440
[ 78.811960][ C1] __asan_report_load4_noabort+0x14/0x20
[ 78.817607][ C1] l3mdev_master_ifindex_rcu+0xfa/0x130
[ 78.823225][ C1] ipv6_dev_get_saddr+0x229/0x9f0
[ 78.828300][ C1] ? __kasan_check_read+0x11/0x20
[ 78.833318][ C1] ip6_dst_lookup_tail+0xe52/0x12b0
[ 78.838525][ C1] ip6_dst_lookup_flow+0x6e/0x110
[ 78.843806][ C1] ? ip6_dst_lookup_tail+0x12b0/0x12b0
[ 78.849376][ C1] geneve_get_v6_dst+0x459/0x660
[ 78.854308][ C1] geneve_xmit+0x71f/0x1f70
[ 78.858823][ C1] dev_hard_start_xmit+0x1b1/0x3f0
[ 78.864109][ C1] __dev_queue_xmit+0x1e1f/0x2e70
[ 78.869130][ C1] ? ip6_finish_output2+0xcb5/0x13e0
[ 78.874424][ C1] ? ip6_finish_output2+0xde9/0x13e0
[ 78.879720][ C1] dev_queue_xmit+0x17/0x20
[ 78.884227][ C1] ip6_finish_output2+0x101d/0x13e0
[ 78.889464][ C1] __ip6_finish_output+0x693/0x8c0
[ 78.894576][ C1] ip6_finish_output+0x52/0x1e0
[ 78.899437][ C1] ? ip6_output+0x2ad/0x3c0
[ 78.903932][ C1] ip6_output+0x2c2/0x3c0
[ 78.908260][ C1] mld_sendpack+0x770/0xb80
[ 78.913017][ C1] mld_ifc_timer_expire+0x85b/0xc60
[ 78.918653][ C1] ? rcu_read_lock_sched_held+0x10b/0x170
[ 78.924374][ C1] ? mld_gq_timer_expire+0xe0/0xe0
[ 78.929486][ C1] call_timer_fn+0x95/0x170
[ 78.933989][ C1] ? mld_gq_timer_expire+0xe0/0xe0
[ 78.939099][ C1] __run_timers+0x776/0x970
[ 78.943665][ C1] ? check_preemption_disabled+0x44/0x260
[ 78.949519][ C1] ? debug_smp_processor_id+0x9/0x20
[ 78.954804][ C1] run_timer_softirq+0x4a/0x90
[ 78.959557][ C1] __do_softirq+0x283/0x7bd
[ 78.964043][ C1] ? do_softirq_own_stack+0x2a/0x40
[ 78.969241][ C1] do_softirq_own_stack+0x2a/0x40
[ 78.974290][ C1]
[ 78.977225][ C1] do_softirq+0xfd/0x190
[ 78.981475][ C1] ? local_bh_enable+0x9/0x30
[ 78.986146][ C1] __local_bh_enable_ip+0x194/0x240
[ 78.991343][ C1] local_bh_enable+0x1f/0x30
[ 78.996024][ C1] nf_ct_iterate_cleanup+0x2fa/0x3a0
[ 79.001332][ C1] ? nf_ct_iterate_cleanup+0x3a0/0x3a0
[ 79.006919][ C1] ? iterate_cleanup_work+0x100/0x100
[ 79.012413][ C1] nf_ct_iterate_cleanup_net+0xf9/0x150
[ 79.017969][ C1] ? iterate_cleanup_work+0x100/0x100
[ 79.023351][ C1] iterate_cleanup_work+0x4f/0x100
[ 79.028482][ C1] process_one_work+0x7f5/0x10f0
[ 79.033538][ C1] worker_thread+0xbbc/0x1630
[ 79.038232][ C1] kthread+0x332/0x350
[ 79.042446][ C1] ? rcu_lock_release+0x30/0x30
[ 79.047310][ C1] ? kthread_blkcg+0xe0/0xe0
[ 79.051914][ C1] ret_from_fork+0x24/0x30
[ 79.056394][ C1]
[ 79.058852][ C1] Allocated by task 9089:
[ 79.063181][ C1] __kasan_kmalloc+0x118/0x1c0
[ 79.067954][ C1] kasan_kmalloc+0x9/0x10
[ 79.072265][ C1] __kmalloc_node+0x4d/0x60
[ 79.076836][ C1] kvmalloc_node+0x85/0x110
[ 79.081365][ C1] alloc_netdev_mqs+0x8e/0xd40
[ 79.086128][ C1] rtnl_create_link+0x238/0x940
[ 79.090972][ C1] rtnl_newlink+0x12a2/0x1c00
[ 79.095724][ C1] rtnetlink_rcv_msg+0x889/0xd40
[ 79.100656][ C1] netlink_rcv_skb+0x19e/0x3e0
[ 79.105418][ C1] rtnetlink_rcv+0x1c/0x20
[ 79.109818][ C1] netlink_unicast+0x766/0x920
[ 79.114567][ C1] netlink_sendmsg+0xa2b/0xd40
[ 79.119327][ C1] __sys_sendto+0x43c/0x5e0
[ 79.123976][ C1] __x64_sys_sendto+0xe5/0x100
[ 79.128775][ C1] do_syscall_64+0xf7/0x1c0
[ 79.133288][ C1] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 79.139179][ C1]
[ 79.141501][ C1] Freed by task 9089:
[ 79.145508][ C1] __kasan_slab_free+0x12e/0x1e0
[ 79.150433][ C1] kasan_slab_free+0xe/0x10
[ 79.154972][ C1] kfree+0x10d/0x220
[ 79.158959][ C1] netdev_name_node_alt_destroy+0x35c/0x380
[ 79.164841][ C1] rtnl_linkprop+0x42d/0x680
[ 79.169466][ C1] rtnl_dellinkprop+0x2a/0x40
[ 79.174133][ C1] rtnetlink_rcv_msg+0x889/0xd40
[ 79.179052][ C1] netlink_rcv_skb+0x19e/0x3e0
[ 79.183802][ C1] rtnetlink_rcv+0x1c/0x20
[ 79.188206][ C1] netlink_unicast+0x766/0x920
[ 79.193063][ C1] netlink_sendmsg+0xa2b/0xd40
[ 79.198053][ C1] ____sys_sendmsg+0x4f7/0x7f0
[ 79.202805][ C1] __sys_sendmsg+0x1ed/0x290
[ 79.207496][ C1] __x64_sys_sendmsg+0x7f/0x90
[ 79.212247][ C1] do_syscall_64+0xf7/0x1c0
[ 79.216748][ C1] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 79.222622][ C1]
[ 79.224944][ C1] The buggy address belongs to the object at ffff888097c78000
[ 79.224944][ C1] which belongs to the cache kmalloc-4k of size 4096
[ 79.239479][ C1] The buggy address is located 540 bytes inside of
[ 79.239479][ C1] 4096-byte region [ffff888097c78000, ffff888097c79000)
[ 79.252895][ C1] The buggy address belongs to the page:
[ 79.258743][ C1] page:ffffea00025f1e00 refcount:1 mapcount:0 mapping:ffff8880aa402000 index:0x0 compound_mapcount: 0
[ 79.270099][ C1] flags: 0xfffe0000010200(slab|head)
[ 79.275397][ C1] raw: 00fffe0000010200 ffffea00023a5e88 ffffea00020f9808 ffff8880aa402000
[ 79.284122][ C1] raw: 0000000000000000 ffff888097c78000 0000000100000001 0000000000000000
[ 79.292690][ C1] page dumped because: kasan: bad access detected
[ 79.299091][ C1]
[ 79.301413][ C1] Memory state around the buggy address:
[ 79.307168][ C1] ffff888097c78100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 79.315222][ C1] ffff888097c78180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 79.323381][ C1] >ffff888097c78200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 79.331438][ C1] ^
[ 79.336391][ C1] ffff888097c78280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 79.344746][ C1] ffff888097c78300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 79.352909][ C1] ==================================================================
[ 79.360966][ C1] Disabling lock debugging due to kernel taint
[ 79.367163][ C1] Kernel panic - not syncing: panic_on_warn set ...
[ 79.373964][ C1] CPU: 1 PID: 2690 Comm: kworker/1:4 Tainted: G B 5.6.0-rc1-syzkaller #0
[ 79.383657][ C1] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 79.393860][ C1] Workqueue: events iterate_cleanup_work
[ 79.399850][ C1] Call Trace:
[ 79.403130][ C1]
[ 79.405973][ C1] dump_stack+0x1fb/0x318
[ 79.410412][ C1] panic+0x264/0x7a9
[ 79.414418][ C1] ? __kasan_report+0x193/0x1c0
[ 79.419259][ C1] ? trace_hardirqs_on+0x34/0x80
[ 79.424186][ C1] ? _raw_spin_unlock_irqrestore+0xa8/0xe0
[ 79.430122][ C1] __kasan_report+0x1b9/0x1c0
[ 79.434800][ C1] ? l3mdev_master_ifindex_rcu+0xfa/0x130
[ 79.440742][ C1] kasan_report+0x26/0x50
[ 79.445063][ C1] ? __ipv6_dev_get_saddr+0x41f/0x440
[ 79.450425][ C1] __asan_report_load4_noabort+0x14/0x20
[ 79.456194][ C1] l3mdev_master_ifindex_rcu+0xfa/0x130
[ 79.461731][ C1] ipv6_dev_get_saddr+0x229/0x9f0
[ 79.466742][ C1] ? __kasan_check_read+0x11/0x20
[ 79.471756][ C1] ip6_dst_lookup_tail+0xe52/0x12b0
[ 79.477003][ C1] ip6_dst_lookup_flow+0x6e/0x110
[ 79.482212][ C1] ? ip6_dst_lookup_tail+0x12b0/0x12b0
[ 79.488204][ C1] geneve_get_v6_dst+0x459/0x660
[ 79.493133][ C1] geneve_xmit+0x71f/0x1f70
[ 79.497824][ C1] dev_hard_start_xmit+0x1b1/0x3f0
[ 79.502971][ C1] __dev_queue_xmit+0x1e1f/0x2e70
[ 79.507994][ C1] ? ip6_finish_output2+0xcb5/0x13e0
[ 79.513343][ C1] ? ip6_finish_output2+0xde9/0x13e0
[ 79.518624][ C1] dev_queue_xmit+0x17/0x20
[ 79.523130][ C1] ip6_finish_output2+0x101d/0x13e0
[ 79.528385][ C1] __ip6_finish_output+0x693/0x8c0
[ 79.533601][ C1] ip6_finish_output+0x52/0x1e0
[ 79.538479][ C1] ? ip6_output+0x2ad/0x3c0
[ 79.543042][ C1] ip6_output+0x2c2/0x3c0
[ 79.547453][ C1] mld_sendpack+0x770/0xb80
[ 79.552495][ C1] mld_ifc_timer_expire+0x85b/0xc60
[ 79.557754][ C1] ? rcu_read_lock_sched_held+0x10b/0x170
[ 79.563836][ C1] ? mld_gq_timer_expire+0xe0/0xe0
[ 79.568941][ C1] call_timer_fn+0x95/0x170
[ 79.573429][ C1] ? mld_gq_timer_expire+0xe0/0xe0
[ 79.578532][ C1] __run_timers+0x776/0x970
[ 79.583125][ C1] ? check_preemption_disabled+0x44/0x260
[ 79.589030][ C1] ? debug_smp_processor_id+0x9/0x20
[ 79.594576][ C1] run_timer_softirq+0x4a/0x90
[ 79.599418][ C1] __do_softirq+0x283/0x7bd
[ 79.603902][ C1] ? do_softirq_own_stack+0x2a/0x40
[ 79.609497][ C1] do_softirq_own_stack+0x2a/0x40
[ 79.614512][ C1]
[ 79.617612][ C1] do_softirq+0xfd/0x190
[ 79.621867][ C1] ? local_bh_enable+0x9/0x30
[ 79.626536][ C1] __local_bh_enable_ip+0x194/0x240
[ 79.631856][ C1] local_bh_enable+0x1f/0x30
[ 79.636548][ C1] nf_ct_iterate_cleanup+0x2fa/0x3a0
[ 79.642055][ C1] ? nf_ct_iterate_cleanup+0x3a0/0x3a0
[ 79.647606][ C1] ? iterate_cleanup_work+0x100/0x100
[ 79.653047][ C1] nf_ct_iterate_cleanup_net+0xf9/0x150
[ 79.658778][ C1] ? iterate_cleanup_work+0x100/0x100
[ 79.664436][ C1] iterate_cleanup_work+0x4f/0x100
[ 79.669546][ C1] process_one_work+0x7f5/0x10f0
[ 79.674488][ C1] worker_thread+0xbbc/0x1630
[ 79.679396][ C1] kthread+0x332/0x350
[ 79.683530][ C1] ? rcu_lock_release+0x30/0x30
[ 79.688471][ C1] ? kthread_blkcg+0xe0/0xe0
[ 79.693053][ C1] ret_from_fork+0x24/0x30
[ 79.699162][ C1] Kernel Offset: disabled
[ 79.703585][ C1] Rebooting in 86400 seconds..