[ OK ] Reached target Login Prompts.
[ OK ] Reached target Multi-User System.
[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
[ OK ] Started Update UTMP about System Runlevel Changes.
Debian GNU/Linux 9 syzkaller ttyS0
Warning: Permanently added '10.128.10.50' (ECDSA) to the list of known hosts.
syzkaller login: [ 56.665967][ T7019] IPVS: ftp: loaded support on port[0] = 21
[ 56.761135][ T7019] chnl_net:caif_netlink_parms(): no params data found
[ 56.812662][ T7019] bridge0: port 1(bridge_slave_0) entered blocking state
[ 56.820203][ T7019] bridge0: port 1(bridge_slave_0) entered disabled state
[ 56.829806][ T7019] device bridge_slave_0 entered promiscuous mode
[ 56.840318][ T7019] bridge0: port 2(bridge_slave_1) entered blocking state
[ 56.848615][ T7019] bridge0: port 2(bridge_slave_1) entered disabled state
[ 56.856845][ T7019] device bridge_slave_1 entered promiscuous mode
[ 56.878191][ T7019] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 56.889916][ T7019] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 56.912479][ T7019] team0: Port device team_slave_0 added
[ 56.919785][ T7019] team0: Port device team_slave_1 added
[ 56.937900][ T7019] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 56.944990][ T7019] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 56.972818][ T7019] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[ 56.985719][ T7019] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 56.993203][ T7019] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 57.019773][ T7019] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[ 57.094974][ T7019] device hsr_slave_0 entered promiscuous mode
[ 57.151606][ T7019] device hsr_slave_1 entered promiscuous mode
[ 57.279855][ T7019] netdevsim netdevsim0 netdevsim0: renamed from eth0
[ 57.314756][ T7019] netdevsim netdevsim0 netdevsim1: renamed from eth1
[ 57.365038][ T7019] netdevsim netdevsim0 netdevsim2: renamed from eth2
[ 57.423950][ T7019] netdevsim netdevsim0 netdevsim3: renamed from eth3
[ 57.477722][ T7019] bridge0: port 2(bridge_slave_1) entered blocking state
[ 57.484969][ T7019] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 57.492983][ T7019] bridge0: port 1(bridge_slave_0) entered blocking state
[ 57.500151][ T7019] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 57.548044][ T7019] 8021q: adding VLAN 0 to HW filter on device bond0
[ 57.561614][ T3471] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 57.572456][ T3471] bridge0: port 1(bridge_slave_0) entered disabled state
[ 57.580256][ T3471] bridge0: port 2(bridge_slave_1) entered disabled state
[ 57.589228][ T3471] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 57.603017][ T7019] 8021q: adding VLAN 0 to HW filter on device team0
[ 57.614761][ T2686] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 57.623879][ T2686] bridge0: port 1(bridge_slave_0) entered blocking state
[ 57.630934][ T2686] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 57.653657][ T3471] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 57.663048][ T3471] bridge0: port 2(bridge_slave_1) entered blocking state
[ 57.670103][ T3471] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 57.678932][ T3471] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 57.688055][ T3471] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 57.700928][ T2697] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 57.714009][ T3471] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 57.728299][ T7019] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
[ 57.740852][ T7019] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 57.749484][ T2697] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 57.772318][ T2697] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 57.780222][ T2697] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 57.794783][ T7019] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 57.818187][ T3471] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_virt_wifi: link becomes ready
[ 57.829137][ T3471] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 57.850270][ T7019] device veth0_vlan entered promiscuous mode
[ 57.857881][ T2700] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_vlan: link becomes ready
[ 57.867255][ T2700] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 57.877049][ T2700] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 57.885779][ T2700] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 57.898959][ T7019] device veth1_vlan entered promiscuous mode
[ 57.921532][ T2697] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan0: link becomes ready
[ 57.929618][ T2697] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan1: link becomes ready
[ 57.938843][ T2697] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_macvtap: link becomes ready
[ 57.948168][ T2697] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 57.958988][ T7019] device veth0_macvtap entered promiscuous mode
[ 57.970000][ T7019] device veth1_macvtap entered promiscuous mode
[ 57.987740][ T7019] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 57.996272][ T2697] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready
[ 58.005158][ T2697] IPv6: ADDRCONF(NETDEV_CHANGE): macsec0: link becomes ready
[ 58.014266][ T2697] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready
[ 58.023461][ T2697] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 58.036976][ T7019] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 58.046361][ T2700] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready
[ 58.056026][ T2700] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
executing program
[ 61.321450][ C1] ==================================================================
[ 61.329751][ C1] BUG: KASAN: use-after-free in ip_icmp_error+0x52a/0x5a0
[ 61.336858][ C1] Read of size 1 at addr ffff888091e687ff by task ksoftirqd/1/16
[ 61.344560][ C1]
[ 61.346880][ C1] CPU: 1 PID: 16 Comm: ksoftirqd/1 Not tainted 5.7.0-rc6-syzkaller #0
[ 61.355710][ C1] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 61.365846][ C1] Call Trace:
[ 61.369196][ C1] dump_stack+0x188/0x20d
[ 61.373534][ C1] print_address_description.constprop.0.cold+0xd3/0x413
[ 61.380682][ C1] ? skb_splice_bits+0x1a0/0x1a0
[ 61.385803][ C1] ? __kasan_kmalloc.constprop.0+0xbf/0xd0
[ 61.391615][ C1] ? vprintk_func+0x81/0x17e
[ 61.396236][ C1] ? ip_icmp_error+0x52a/0x5a0
[ 61.401042][ C1] __kasan_report.cold+0x20/0x38
[ 61.406115][ C1] ? ip_icmp_error+0x52a/0x5a0
[ 61.410869][ C1] ? ip_icmp_error+0x52a/0x5a0
[ 61.415716][ C1] kasan_report+0x33/0x50
[ 61.420297][ C1] ip_icmp_error+0x52a/0x5a0
[ 61.424977][ C1] tcp_v4_err+0x9b2/0x1d00
[ 61.429384][ C1] ? tcp_v4_do_rcv+0x8b0/0x8b0
[ 61.434341][ C1] icmp_socket_deliver+0x1e4/0x360
[ 61.439559][ C1] icmp_unreach+0x33b/0xab0
[ 61.444453][ C1] icmp_rcv+0xee6/0x15f0
[ 61.448746][ C1] ip_protocol_deliver_rcu+0x57/0x880
[ 61.454120][ C1] ip_local_deliver_finish+0x220/0x360
[ 61.459620][ C1] ip_local_deliver+0x1c8/0x4e0
[ 61.464460][ C1] ? ip_local_deliver_finish+0x360/0x360
[ 61.470083][ C1] ? ip_rcv+0x24e/0x3c0
[ 61.474227][ C1] ? ip_protocol_deliver_rcu+0x880/0x880
[ 61.479854][ C1] ? lock_downgrade+0x840/0x840
[ 61.484694][ C1] ? ip_rcv_finish_core.isra.0+0x606/0x1ec0
[ 61.490579][ C1] ip_rcv_finish+0x1da/0x2f0
[ 61.495354][ C1] ip_rcv+0xd0/0x3c0
[ 61.499386][ C1] ? ip_local_deliver+0x4e0/0x4e0
[ 61.504648][ C1] ? ip_rcv_finish_core.isra.0+0x1ec0/0x1ec0
[ 61.510669][ C1] ? ip_local_deliver+0x4e0/0x4e0
[ 61.515849][ C1] __netif_receive_skb_one_core+0x114/0x180
[ 61.521866][ C1] ? __netif_receive_skb_core+0x31c0/0x31c0
[ 61.527846][ C1] ? do_raw_spin_lock+0x129/0x2e0
[ 61.532862][ C1] ? rwlock_bug.part.0+0x90/0x90
[ 61.537985][ C1] __netif_receive_skb+0x27/0x1c0
[ 61.543017][ C1] process_backlog+0x21e/0x7a0
[ 61.547903][ C1] ? net_rx_action+0x25f/0x1070
[ 61.552799][ C1] net_rx_action+0x4c2/0x1070
[ 61.557533][ C1] ? napi_busy_loop+0x9e0/0x9e0
[ 61.562565][ C1] ? rcu_read_lock_any_held.part.0+0x50/0x50
[ 61.568553][ C1] __do_softirq+0x26c/0x9f7
[ 61.573060][ C1] ? takeover_tasklets+0x810/0x810
[ 61.578211][ C1] run_ksoftirqd+0x89/0x100
[ 61.582988][ C1] smpboot_thread_fn+0x653/0x9e0
[ 61.588056][ C1] ? __smpboot_create_thread.part.0+0x340/0x340
[ 61.594288][ C1] ? __kthread_parkme+0x13f/0x1e0
[ 61.599321][ C1] ? __smpboot_create_thread.part.0+0x340/0x340
[ 61.605547][ C1] kthread+0x388/0x470
[ 61.609605][ C1] ? kthread_mod_delayed_work+0x1a0/0x1a0
[ 61.615328][ C1] ret_from_fork+0x24/0x30
[ 61.619735][ C1]
[ 61.622052][ C1] Allocated by task 1:
[ 61.626157][ C1] save_stack+0x1b/0x40
[ 61.632997][ C1] __kasan_kmalloc.constprop.0+0xbf/0xd0
[ 61.638614][ C1] kmem_cache_alloc+0x11b/0x740
[ 61.643447][ C1] getname_flags+0xd2/0x5b0
[ 61.647944][ C1] do_sys_openat2+0x3fc/0x7d0
[ 61.652961][ C1] do_sys_open+0xc3/0x140
[ 61.657274][ C1] do_syscall_64+0xf6/0x7d0
[ 61.661810][ C1] entry_SYSCALL_64_after_hwframe+0x49/0xb3
[ 61.667805][ C1]
[ 61.670125][ C1] Freed by task 1:
[ 61.673831][ C1] save_stack+0x1b/0x40
[ 61.678015][ C1] __kasan_slab_free+0xf7/0x140
[ 61.682853][ C1] kmem_cache_free+0x7f/0x320
[ 61.687513][ C1] putname+0xe1/0x120
[ 61.691617][ C1] do_sys_openat2+0x467/0x7d0
[ 61.696275][ C1] do_sys_open+0xc3/0x140
[ 61.700591][ C1] do_syscall_64+0xf6/0x7d0
[ 61.705077][ C1] entry_SYSCALL_64_after_hwframe+0x49/0xb3
[ 61.710951][ C1]
[ 61.713265][ C1] The buggy address belongs to the object at ffff888091e68000
[ 61.713265][ C1] which belongs to the cache names_cache of size 4096
[ 61.727389][ C1] The buggy address is located 2047 bytes inside of
[ 61.727389][ C1] 4096-byte region [ffff888091e68000, ffff888091e69000)
[ 61.741437][ C1] The buggy address belongs to the page:
[ 61.747327][ C1] page:ffffea0002479a00 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 head:ffffea0002479a00 order:1 compound_mapcount:0
[ 61.761206][ C1] flags: 0xfffe0000010200(slab|head)
[ 61.766506][ C1] raw: 00fffe0000010200 ffffea0002a49b88 ffffea0002a3fe08 ffff8880aa1ec000
[ 61.775391][ C1] raw: 0000000000000000 ffff888091e68000 0000000100000001 0000000000000000
[ 61.784163][ C1] page dumped because: kasan: bad access detected
[ 61.790930][ C1]
[ 61.793256][ C1] Memory state around the buggy address:
[ 61.799189][ C1] ffff888091e68680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 61.807441][ C1] ffff888091e68700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 61.815623][ C1] >ffff888091e68780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 61.823759][ C1] ^
[ 61.831824][ C1] ffff888091e68800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 61.840133][ C1] ffff888091e68880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 61.848708][ C1] ==================================================================
[ 61.857175][ C1] Disabling lock debugging due to kernel taint
[ 61.863387][ C1] Kernel panic - not syncing: panic_on_warn set ...
[ 61.869993][ C1] CPU: 1 PID: 16 Comm: ksoftirqd/1 Tainted: G B 5.7.0-rc6-syzkaller #0
[ 61.879914][ C1] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 61.890069][ C1] Call Trace:
[ 61.893373][ C1] dump_stack+0x188/0x20d
[ 61.897709][ C1] panic+0x2e3/0x75c
[ 61.901595][ C1] ? add_taint.cold+0x16/0x16
[ 61.906259][ C1] ? ip_icmp_error+0x52a/0x5a0
[ 61.911071][ C1] ? trace_hardirqs_on+0x55/0x220
[ 61.916196][ C1] ? ip_icmp_error+0x52a/0x5a0
[ 61.921725][ C1] end_report+0x4d/0x53
[ 61.926068][ C1] __kasan_report.cold+0xd/0x38
[ 61.931476][ C1] ? ip_icmp_error+0x52a/0x5a0
[ 61.936483][ C1] ? ip_icmp_error+0x52a/0x5a0
[ 61.941620][ C1] kasan_report+0x33/0x50
[ 61.946046][ C1] ip_icmp_error+0x52a/0x5a0
[ 61.950639][ C1] tcp_v4_err+0x9b2/0x1d00
[ 61.955326][ C1] ? tcp_v4_do_rcv+0x8b0/0x8b0
[ 61.960214][ C1] icmp_socket_deliver+0x1e4/0x360
[ 61.965486][ C1] icmp_unreach+0x33b/0xab0
[ 61.970103][ C1] icmp_rcv+0xee6/0x15f0
[ 61.974487][ C1] ip_protocol_deliver_rcu+0x57/0x880
[ 61.980075][ C1] ip_local_deliver_finish+0x220/0x360
[ 61.985569][ C1] ip_local_deliver+0x1c8/0x4e0
[ 61.990519][ C1] ? ip_local_deliver_finish+0x360/0x360
[ 61.996165][ C1] ? ip_rcv+0x24e/0x3c0
[ 62.000461][ C1] ? ip_protocol_deliver_rcu+0x880/0x880
[ 62.006083][ C1] ? lock_downgrade+0x840/0x840
[ 62.010979][ C1] ? ip_rcv_finish_core.isra.0+0x606/0x1ec0
[ 62.017274][ C1] ip_rcv_finish+0x1da/0x2f0
[ 62.022044][ C1] ip_rcv+0xd0/0x3c0
[ 62.025933][ C1] ? ip_local_deliver+0x4e0/0x4e0
[ 62.031568][ C1] ? ip_rcv_finish_core.isra.0+0x1ec0/0x1ec0
[ 62.037627][ C1] ? ip_local_deliver+0x4e0/0x4e0
[ 62.043030][ C1] __netif_receive_skb_one_core+0x114/0x180
[ 62.049212][ C1] ? __netif_receive_skb_core+0x31c0/0x31c0
[ 62.055096][ C1] ? do_raw_spin_lock+0x129/0x2e0
[ 62.060104][ C1] ? rwlock_bug.part.0+0x90/0x90
[ 62.065160][ C1] __netif_receive_skb+0x27/0x1c0
[ 62.070229][ C1] process_backlog+0x21e/0x7a0
[ 62.074975][ C1] ? net_rx_action+0x25f/0x1070
[ 62.079821][ C1] net_rx_action+0x4c2/0x1070
[ 62.084828][ C1] ? napi_busy_loop+0x9e0/0x9e0
[ 62.089869][ C1] ? rcu_read_lock_any_held.part.0+0x50/0x50
[ 62.095926][ C1] __do_softirq+0x26c/0x9f7
[ 62.100420][ C1] ? takeover_tasklets+0x810/0x810
[ 62.105555][ C1] run_ksoftirqd+0x89/0x100
[ 62.110044][ C1] smpboot_thread_fn+0x653/0x9e0
[ 62.114968][ C1] ? __smpboot_create_thread.part.0+0x340/0x340
[ 62.121375][ C1] ? __kthread_parkme+0x13f/0x1e0
[ 62.126583][ C1] ? __smpboot_create_thread.part.0+0x340/0x340
[ 62.132995][ C1] kthread+0x388/0x470
[ 62.137054][ C1] ? kthread_mod_delayed_work+0x1a0/0x1a0
[ 62.143098][ C1] ret_from_fork+0x24/0x30
[ 62.149175][ C1] Kernel Offset: disabled
[ 62.153511][ C1] Rebooting in 86400 seconds..