[  OK  ] Reached target Graphical Interface.
         Starting Update UTMP about System Runlevel Changes...
         Starting Load/Save RF Kill Switch Status...
[  OK  ] Started Load/Save RF Kill Switch Status.
[  OK  ] Started Update UTMP about System Runlevel Changes.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.10.29' (ECDSA) to the list of known hosts.

syzkaller login: [   34.875999] IPVS: ftp: loaded support on port[0] = 21
executing program
[   34.973766] netlink: 20 bytes leftover after parsing attributes in process `syz-executor332'.
[   35.037132] ==================================================================
[   35.044633] BUG: KASAN: slab-out-of-bounds in netif_napi_del+0x301/0x380
[   35.051457] Read of size 8 at addr ffff8880b06f0658 by task syz-executor332/8134
[   35.058983] 
[   35.060597] CPU: 0 PID: 8134 Comm: syz-executor332 Not tainted 4.19.211-syzkaller #0
[   35.068495] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/29/2022
[   35.077828] Call Trace:
[   35.080422]  dump_stack+0x1fc/0x2ef
[   35.084038]  print_address_description.cold+0x54/0x219
[   35.089298]  kasan_report_error.cold+0x8a/0x1b9
[   35.093947]  ? netif_napi_del+0x301/0x380
[   35.098077]  __asan_report_load8_noabort+0x88/0x90
[   35.102991]  ? netif_napi_del+0x301/0x380
[   35.107118]  netif_napi_del+0x301/0x380
[   35.111071]  free_netdev+0x21f/0x410
[   35.114766]  netdev_run_todo+0x89b/0xab0
[   35.118926]  ? default_device_exit_batch+0x3c0/0x3c0
[   35.124012]  ? rtnl_newlink+0x15c0/0x15c0
[   35.128148]  rtnetlink_rcv_msg+0x460/0xb80
[   35.132376]  ? rtnl_calcit.isra.0+0x430/0x430
[   35.136860]  ? __netlink_lookup+0x3fc/0x730
[   35.141173]  ? lock_downgrade+0x720/0x720
[   35.145302]  ? check_preemption_disabled+0x41/0x280
[   35.150498]  netlink_rcv_skb+0x160/0x440
[   35.154557]  ? rtnl_calcit.isra.0+0x430/0x430
[   35.159072]  ? netlink_ack+0xae0/0xae0
[   35.162965]  netlink_unicast+0x4d5/0x690
[   35.167009]  ? netlink_sendskb+0x110/0x110
[   35.171221]  ? _copy_from_iter_full+0x229/0x7c0
[   35.175872]  ? __phys_addr_symbol+0x2c/0x70
[   35.180174]  ? __check_object_size+0x17b/0x3e0
[   35.184745]  netlink_sendmsg+0x6c3/0xc50
[   35.188789]  ? aa_af_perm+0x230/0x230
[   35.192572]  ? nlmsg_notify+0x1f0/0x1f0
[   35.196546]  ? kernel_recvmsg+0x220/0x220
[   35.200678]  ? nlmsg_notify+0x1f0/0x1f0
[   35.204634]  sock_sendmsg+0xc3/0x120
[   35.208329]  ___sys_sendmsg+0x7bb/0x8e0
[   35.212447]  ? copy_msghdr_from_user+0x440/0x440
[   35.217192]  ? __fget+0x32f/0x510
[   35.220726]  ? lock_downgrade+0x720/0x720
[   35.224860]  ? check_preemption_disabled+0x41/0x280
[   35.229872]  ? check_preemption_disabled+0x41/0x280
[   35.234883]  ? __fget+0x356/0x510
[   35.238346]  ? do_dup2+0x450/0x450
[   35.241866]  ? lock_downgrade+0x720/0x720
[   35.245993]  ? check_preemption_disabled+0x41/0x280
[   35.251002]  ? __fdget+0x1d0/0x230
[   35.254528]  __x64_sys_sendmsg+0x132/0x220
[   35.258742]  ? __sys_sendmsg+0x1b0/0x1b0
[   35.262782]  ? __se_sys_futex+0x298/0x3b0
[   35.266919]  ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[   35.272265]  ? trace_hardirqs_off_caller+0x6e/0x210
[   35.277263]  ? do_syscall_64+0x21/0x620
[   35.281216]  do_syscall_64+0xf9/0x620
[   35.284998]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   35.290172] RIP: 0033:0x7f6975742c19
[   35.293868] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 a1 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
[   35.312839] RSP: 002b:00007f6974ef2308 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[   35.321005] RAX: ffffffffffffffda RBX: 00007f69757cc4e8 RCX: 00007f6975742c19
[   35.328258] RDX: 0000000000000000 RSI: 0000000020000180 RDI: 0000000000000004
[   35.335506] RBP: 00007f69757cc4e0 R08: 0000000000000000 R09: 0000000000000000
[   35.342752] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f69757cc4ec
[   35.350087] R13: 00007f6975799004 R14: 74656e2f7665642f R15: 0000000000022000
[   35.357340] 
[   35.358971] Allocated by task 8139:
[   35.362579]  __kmalloc_node+0x4c/0x70
[   35.366362]  kvmalloc_node+0xb4/0xf0
[   35.370053]  alloc_netdev_mqs+0x97/0xd50
[   35.374092]  __tun_chr_ioctl.isra.0+0x2184/0x3d00
[   35.378911]  do_vfs_ioctl+0xcdb/0x12e0
[   35.382775]  ksys_ioctl+0x9b/0xc0
[   35.386204]  __x64_sys_ioctl+0x6f/0xb0
[   35.390078]  do_syscall_64+0xf9/0x620
[   35.393857]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   35.399032] 
[   35.400638] Freed by task 0:
[   35.403631] (stack is not available)
[   35.407316] 
[   35.408924] The buggy address belongs to the object at ffff8880b06f0700
[   35.408924]  which belongs to the cache kmalloc-16384 of size 16384
[   35.421905] The buggy address is located 168 bytes to the left of
[   35.421905]  16384-byte region [ffff8880b06f0700, ffff8880b06f4700)
[   35.434361] The buggy address belongs to the page:
[   35.439269] page:ffffea0002c1bc00 count:1 mapcount:0 mapping:ffff88813bff2200 index:0x0 compound_mapcount: 0
[   35.449214] flags: 0xfff00000008100(slab|head)
[   35.453777] raw: 00fff00000008100 ffffea00028c0a08 ffff88813bff1c48 ffff88813bff2200
[   35.461738] raw: 0000000000000000 ffff8880b06f0700 0000000100000001 0000000000000000
[   35.469598] page dumped because: kasan: bad access detected
[   35.475284] 
[   35.477039] Memory state around the buggy address:
[   35.481968]  ffff8880b06f0500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   35.489406]  ffff8880b06f0580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   35.496753] >ffff8880b06f0600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   35.504090]                                                     ^
[   35.510299]  ffff8880b06f0680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   35.517637]  ffff8880b06f0700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   35.524969] ==================================================================
[   35.532317] Disabling lock debugging due to kernel taint
[   35.546008] Kernel panic - not syncing: panic_on_warn set ...
[   35.546008] 
[   35.553396] CPU: 0 PID: 8134 Comm: syz-executor332 Tainted: G    B             4.19.211-syzkaller #0
[   35.562663] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/29/2022
[   35.572008] Call Trace:
[   35.574579]  dump_stack+0x1fc/0x2ef
[   35.578188]  panic+0x26a/0x50e
[   35.581359]  ? __warn_printk+0xf3/0xf3
[   35.585235]  ? preempt_schedule_common+0x45/0xc0
[   35.590067]  ? ___preempt_schedule+0x16/0x18
[   35.594478]  ? trace_hardirqs_on+0x55/0x210
[   35.598793]  kasan_end_report+0x43/0x49
[   35.602756]  kasan_report_error.cold+0xa7/0x1b9
[   35.607439]  ? netif_napi_del+0x301/0x380
[   35.611564]  __asan_report_load8_noabort+0x88/0x90
[   35.616491]  ? netif_napi_del+0x301/0x380
[   35.620617]  netif_napi_del+0x301/0x380
[   35.624575]  free_netdev+0x21f/0x410
[   35.628269]  netdev_run_todo+0x89b/0xab0
[   35.632322]  ? default_device_exit_batch+0x3c0/0x3c0
[   35.637420]  ? rtnl_newlink+0x15c0/0x15c0
[   35.641547]  rtnetlink_rcv_msg+0x460/0xb80
[   35.645759]  ? rtnl_calcit.isra.0+0x430/0x430
[   35.650240]  ? __netlink_lookup+0x3fc/0x730
[   35.654543]  ? lock_downgrade+0x720/0x720
[   35.661362]  ? check_preemption_disabled+0x41/0x280
[   35.666368]  netlink_rcv_skb+0x160/0x440
[   35.670408]  ? rtnl_calcit.isra.0+0x430/0x430
[   35.674879]  ? netlink_ack+0xae0/0xae0
[   35.678746]  netlink_unicast+0x4d5/0x690
[   35.682788]  ? netlink_sendskb+0x110/0x110
[   35.687000]  ? _copy_from_iter_full+0x229/0x7c0
[   35.691664]  ? __phys_addr_symbol+0x2c/0x70
[   35.695980]  ? __check_object_size+0x17b/0x3e0
[   35.700547]  netlink_sendmsg+0x6c3/0xc50
[   35.705326]  ? aa_af_perm+0x230/0x230
[   35.709107]  ? nlmsg_notify+0x1f0/0x1f0
[   35.713069]  ? kernel_recvmsg+0x220/0x220
[   35.717212]  ? nlmsg_notify+0x1f0/0x1f0
[   35.721175]  sock_sendmsg+0xc3/0x120
[   35.724866]  ___sys_sendmsg+0x7bb/0x8e0
[   35.728818]  ? copy_msghdr_from_user+0x440/0x440
[   35.733658]  ? __fget+0x32f/0x510
[   35.737092]  ? lock_downgrade+0x720/0x720
[   35.741219]  ? check_preemption_disabled+0x41/0x280
[   35.746287]  ? check_preemption_disabled+0x41/0x280
[   35.751307]  ? __fget+0x356/0x510
[   35.754782]  ? do_dup2+0x450/0x450
[   35.758424]  ? lock_downgrade+0x720/0x720
[   35.762560]  ? check_preemption_disabled+0x41/0x280
[   35.767658]  ? __fdget+0x1d0/0x230
[   35.771182]  __x64_sys_sendmsg+0x132/0x220
[   35.775408]  ? __sys_sendmsg+0x1b0/0x1b0
[   35.779478]  ? __se_sys_futex+0x298/0x3b0
[   35.783634]  ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[   35.788991]  ? trace_hardirqs_off_caller+0x6e/0x210
[   35.793987]  ? do_syscall_64+0x21/0x620
[   35.797945]  do_syscall_64+0xf9/0x620
[   35.801741]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   35.806922] RIP: 0033:0x7f6975742c19
[   35.810618] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 a1 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
[   35.829592] RSP: 002b:00007f6974ef2308 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[   35.837291] RAX: ffffffffffffffda RBX: 00007f69757cc4e8 RCX: 00007f6975742c19
[   35.844660] RDX: 0000000000000000 RSI: 0000000020000180 RDI: 0000000000000004
[   35.851911] RBP: 00007f69757cc4e0 R08: 0000000000000000 R09: 0000000000000000
[   35.859275] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f69757cc4ec
[   35.866530] R13: 00007f6975799004 R14: 74656e2f7665642f R15: 0000000000022000
[   35.873997] Kernel Offset: disabled
[   35.877642] Rebooting in 86400 seconds..
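Triage helper for the report above. This is an added example, not syzkaller or kernel code: it parses the KASAN header, the object/cache description and the "Memory state" rows, recomputes the distance between the faulting address and the object from the raw addresses (168 bytes to the left, matching what KASAN printed), looks up the shadow byte covering the access (0xfc, the kmalloc redzone poison from mm/kasan/kasan.h), and decodes a user register as little-endian ASCII. The embedded REPORT excerpt is constructed from the lines on this page with the caret line omitted; the shadow-byte table lists only values whose meaning in 4.19 is certain.

```python
"""Sanity-check a KASAN slab-out-of-bounds report (added example, not kernel code)."""
import re

SHADOW_GRANULE = 8           # one shadow byte describes 8 bytes of memory
SHADOW_ROW_BYTES = 16 * 8    # one printed "Memory state" row covers 16 granules

# Poison values from mm/kasan/kasan.h (Linux 4.19).
SHADOW_POISON = {
    0xf1: "stack left redzone", 0xf2: "stack mid redzone",
    0xf3: "stack right redzone", 0xf4: "stack partial redzone",
    0xf8: "use after scope", 0xfa: "global redzone",
    0xfb: "freed kmalloc object (use-after-free)",
    0xfc: "kmalloc redzone (slab out-of-bounds)",
    0xfe: "page redzone (kmalloc_large)", 0xff: "freed page",
}

# Constructed excerpt of the report on this page (caret line left out).
REPORT = """\
[   35.044633] BUG: KASAN: slab-out-of-bounds in netif_napi_del+0x301/0x380
[   35.051457] Read of size 8 at addr ffff8880b06f0658 by task syz-executor332/8134
[   35.408924] The buggy address belongs to the object at ffff8880b06f0700
[   35.408924]  which belongs to the cache kmalloc-16384 of size 16384
[   35.421905] The buggy address is located 168 bytes to the left of
[   35.421905]  16384-byte region [ffff8880b06f0700, ffff8880b06f4700)
[   35.477039] Memory state around the buggy address:
[   35.481968]  ffff8880b06f0500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   35.489406]  ffff8880b06f0580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   35.496753] >ffff8880b06f0600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   35.510299]  ffff8880b06f0680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   35.517637]  ffff8880b06f0700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
"""

TIMESTAMP = re.compile(r"^\[\s*\d+\.\d+\]\s?")
SHADOW_ROW = re.compile(r"^\s*>?\s*([0-9a-f]{16}): ((?:[0-9a-f]{2} ?)+)$", re.M)


def shadow_meaning(value):
    if value == 0:
        return "addressable"
    if 1 <= value <= 7:
        return "partially addressable (first %d bytes)" % value
    return SHADOW_POISON.get(value, "unknown poison 0x%02x" % value)


def shadow_byte_for(rows, addr):
    """Shadow byte covering addr, taken from the parsed 'Memory state' rows."""
    base = addr & ~(SHADOW_ROW_BYTES - 1)
    row = rows.get(base)
    return None if row is None else row[(addr - base) // SHADOW_GRANULE]


def ascii_in_register(value):
    """Decode a 64-bit register as the little-endian bytes it holds (None if not printable)."""
    raw = value.to_bytes(8, "little")
    return raw.decode("ascii") if all(0x20 <= b < 0x7f for b in raw) else None


def triage(report):
    text = "\n".join(TIMESTAMP.sub("", ln) for ln in report.splitlines())
    kind, func = re.search(r"BUG: KASAN: (\S+) in (\S+)", text).groups()
    m = re.search(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+)", text)
    rw, size, access = m.group(1), int(m.group(2)), int(m.group(3), 16)
    m = re.search(r"object at ([0-9a-f]+)\s+which belongs to the cache (\S+) of size (\d+)", text)
    obj, cache, obj_size = int(m.group(1), 16), m.group(2), int(m.group(3))
    m = re.search(r"located (\d+) bytes (?:to the (left|right) of|(inside) of)", text)
    reported_n, reported_where = int(m.group(1)), m.group(2) or m.group(3)

    # Recompute the object-relative position from the addresses, then compare
    # with what KASAN printed; a mismatch means the excerpt was mangled.
    if access < obj:
        where, actual = "left", obj - access
    elif access >= obj + obj_size:
        where, actual = "right", access - (obj + obj_size)
    else:
        where, actual = "inside", access - obj

    rows = {int(b, 16): [int(x, 16) for x in v.split()] for b, v in SHADOW_ROW.findall(text)}
    sb = shadow_byte_for(rows, access)
    return {
        "kind": kind, "function": func, "access": "%s of %d" % (rw, size),
        "access_addr": access, "object_start": obj, "object_size": obj_size, "cache": cache,
        "offset_from_object_start": access - obj, "where": where,
        "reported_offset_consistent": where == reported_where and actual == reported_n,
        "shadow_byte": sb, "shadow_meaning": shadow_meaning(sb),
        "object_start_shadow": shadow_meaning(shadow_byte_for(rows, obj)),
    }


if __name__ == "__main__":
    for key, val in triage(REPORT).items():
        print("%-28s %s" % (key, hex(val) if key.endswith(("addr", "start", "byte")) else val))
    print("%-28s %s" % ("R14 as ASCII", ascii_in_register(0x74656e2f7665642f)))
```

Two things the helper makes explicit that the raw report does not: the redzone poison under the faulting granule is the kmalloc redzone (0xfc) rather than the freed-object poison (0xfb), which is why KASAN classified this as slab-out-of-bounds and not use-after-free even though the access happens during free_netdev; and R14 holds the bytes "/dev/net", consistent with the allocation site being the tun ioctl path.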