Debian GNU/Linux 9 syzkaller ttyS0
Warning: Permanently added '10.128.1.92' (ECDSA) to the list of known hosts.
syzkaller login: [   26.517146] IPVS: ftp: loaded support on port[0] = 21
[   26.577949] chnl_net:caif_netlink_parms(): no params data found
[   26.657650] bridge0: port 1(bridge_slave_0) entered blocking state
[   26.664257] bridge0: port 1(bridge_slave_0) entered disabled state
[   26.671745] device bridge_slave_0 entered promiscuous mode
[   26.678709] bridge0: port 2(bridge_slave_1) entered blocking state
[   26.685052] bridge0: port 2(bridge_slave_1) entered disabled state
[   26.692460] device bridge_slave_1 entered promiscuous mode
[   26.708291] bond0: Enslaving bond_slave_0 as an active interface with an up link
[   26.716743] bond0: Enslaving bond_slave_1 as an active interface with an up link
[   26.733087] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[   26.740180] team0: Port device team_slave_0 added
[   26.746234] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[   26.753184] team0: Port device team_slave_1 added
[   26.766864] batman_adv: batadv0: Adding interface: batadv_slave_0
[   26.773083] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[   26.799031] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[   26.810259] batman_adv: batadv0: Adding interface: batadv_slave_1
[   26.816539] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[   26.841781] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[   26.855751] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[   26.862940] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[   26.879936] device hsr_slave_0 entered promiscuous mode
[   26.885596] device hsr_slave_1 entered promiscuous mode
[   26.891339] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready
[   26.898360] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_1: link is not ready
[   26.952697] bridge0: port 2(bridge_slave_1) entered blocking state
[   26.959118] bridge0: port 2(bridge_slave_1) entered forwarding state
[   26.966050] bridge0: port 1(bridge_slave_0) entered blocking state
[   26.972395] bridge0: port 1(bridge_slave_0) entered forwarding state
[   26.999290] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[   27.006143] 8021q: adding VLAN 0 to HW filter on device bond0
[   27.013456] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[   27.021976] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[   27.040440] bridge0: port 1(bridge_slave_0) entered disabled state
[   27.047590] bridge0: port 2(bridge_slave_1) entered disabled state
[   27.056870] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready
[   27.062970] 8021q: adding VLAN 0 to HW filter on device team0
[   27.071630] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[   27.079613] bridge0: port 1(bridge_slave_0) entered blocking state
[   27.085978] bridge0: port 1(bridge_slave_0) entered forwarding state
[   27.094382] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[   27.102903] bridge0: port 2(bridge_slave_1) entered blocking state
[   27.109269] bridge0: port 2(bridge_slave_1) entered forwarding state
[   27.126267] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[   27.133884] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[   27.142092] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[   27.149958] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[   27.157493] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[   27.166232] IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready
[   27.172207] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[   27.184676] IPv6: ADDRCONF(NETDEV_UP): vxcan0: link is not ready
[   27.192010] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[   27.198985] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[   27.209481] 8021q: adding VLAN 0 to HW filter on device batadv0
[   27.256313] IPv6: ADDRCONF(NETDEV_UP): veth0_virt_wifi: link is not ready
[   27.265797] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[   27.294032] IPv6: ADDRCONF(NETDEV_UP): veth0_vlan: link is not ready
[   27.301666] IPv6: ADDRCONF(NETDEV_UP): vlan0: link is not ready
[   27.308648] IPv6: ADDRCONF(NETDEV_UP): vlan1: link is not ready
[   27.317747] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[   27.325849] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[   27.332591] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[   27.342145] device veth0_vlan entered promiscuous mode
[   27.350241] device veth1_vlan entered promiscuous mode
[   27.356143] IPv6: ADDRCONF(NETDEV_UP): macvlan0: link is not ready
[   27.363943] IPv6: ADDRCONF(NETDEV_UP): macvlan1: link is not ready
[   27.373753] IPv6: ADDRCONF(NETDEV_UP): veth0_macvtap: link is not ready
[   27.382876] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan0: link becomes ready
[   27.390080] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan1: link becomes ready
[   27.397299] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[   27.406721] device veth0_macvtap entered promiscuous mode
[   27.412613] IPv6: ADDRCONF(NETDEV_UP): macvtap0: link is not ready
[   27.420820] device veth1_macvtap entered promiscuous mode
[   27.428789] IPv6: ADDRCONF(NETDEV_UP): veth0_to_batadv: link is not ready
[   27.437294] IPv6: ADDRCONF(NETDEV_UP): veth1_to_batadv: link is not ready
[   27.446513] batman_adv: batadv0: Interface activated: batadv_slave_0
[   27.453136] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[   27.462129] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready
[   27.471589] batman_adv: batadv0: Interface activated: batadv_slave_1
[   27.478349] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
executing program
[   27.550557] netlink: 12 bytes leftover after parsing attributes in process `syz-executor192'.
[   27.562662] ==================================================================
[   27.570101] BUG: KASAN: use-after-free in radix_tree_next_chunk+0x89f/0x8c0
[   27.577171] Read of size 8 at addr ffff8880b075d148 by task syz-executor192/7972
[   27.584678] 
[   27.586288] CPU: 1 PID: 7972 Comm: syz-executor192 Not tainted 4.14.300-syzkaller #0
[   27.594137] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
[   27.603459] Call Trace:
[   27.606024]  dump_stack+0x1b2/0x281
[   27.609626]  print_address_description.cold+0x54/0x1d3
[   27.614881]  kasan_report_error.cold+0x8a/0x191
[   27.619530]  ? radix_tree_next_chunk+0x89f/0x8c0
[   27.624262]  __asan_report_load8_noabort+0x68/0x70
[   27.629169]  ? radix_tree_next_chunk+0x89f/0x8c0
[   27.633898]  radix_tree_next_chunk+0x89f/0x8c0
[   27.638458]  ida_remove+0x9b/0x210
[   27.641972]  ? ida_destroy+0x1b0/0x1b0
[   27.645841]  ? lock_acquire+0x170/0x3f0
[   27.649792]  ida_simple_remove+0x31/0x50
[   27.653827]  ipvlan_link_new+0x50c/0xfa0
[   27.657864]  rtnl_newlink+0xf7c/0x1830
[   27.661723]  ? __lock_acquire+0x5fc/0x3f20
[   27.665944]  ? ipvlan_port_destroy+0x3f0/0x3f0
[   27.670498]  ? kasan_slab_free+0xc3/0x1a0
[   27.674627]  ? rtnl_dellink+0x6a0/0x6a0
[   27.678578]  ? trace_hardirqs_on+0x10/0x10
[   27.682784]  ? __dev_queue_xmit+0x1d7f/0x2480
[   27.687252]  ? netlink_deliver_tap+0x61b/0x860
[   27.691805]  ? netlink_unicast+0x485/0x610
[   27.696009]  ? sock_sendmsg+0x40/0x100
[   27.699866]  ? ___sys_sendmsg+0x6c8/0x800
[   27.703985]  ? __sys_sendmsg+0xa3/0x120
[   27.707956]  ? lock_acquire+0x170/0x3f0
[   27.711903]  ? lock_downgrade+0x740/0x740
[   27.716027]  ? rtnl_dellink+0x6a0/0x6a0
[   27.719972]  rtnetlink_rcv_msg+0x3be/0xb10
[   27.724182]  ? rtnl_calcit.isra.0+0x3a0/0x3a0
[   27.728648]  ? do_raw_spin_unlock+0x164/0x220
[   27.733117]  ? netdev_pick_tx+0x2e0/0x2e0
[   27.737239]  netlink_rcv_skb+0x125/0x390
[   27.741272]  ? rtnl_calcit.isra.0+0x3a0/0x3a0
[   27.745740]  ? netlink_ack+0x9a0/0x9a0
[   27.749603]  netlink_unicast+0x437/0x610
[   27.753635]  ? netlink_sendskb+0xd0/0xd0
[   27.757669]  ? __check_object_size+0x179/0x230
[   27.762222]  netlink_sendmsg+0x648/0xbc0
[   27.766258]  ? nlmsg_notify+0x1b0/0x1b0
[   27.770204]  ? kernel_recvmsg+0x210/0x210
[   27.774326]  ? security_socket_sendmsg+0x83/0xb0
[   27.779054]  ? nlmsg_notify+0x1b0/0x1b0
[   27.783001]  sock_sendmsg+0xb5/0x100
[   27.786688]  ___sys_sendmsg+0x6c8/0x800
[   27.790638]  ? copy_msghdr_from_user+0x3b0/0x3b0
[   27.795364]  ? trace_hardirqs_on+0x10/0x10
[   27.799571]  ? lock_acquire+0x170/0x3f0
[   27.803515]  ? lock_downgrade+0x740/0x740
[   27.807635]  ? __might_fault+0x104/0x1b0
[   27.811669]  ? lock_acquire+0x170/0x3f0
[   27.815614]  ? lock_downgrade+0x740/0x740
[   27.819734]  ? __might_fault+0x177/0x1b0
[   27.823766]  ? _copy_to_user+0x82/0xd0
[   27.827634]  ? move_addr_to_user+0x13f/0x180
[   27.832014]  ? __fdget+0x167/0x1f0
[   27.835526]  ? sockfd_lookup_light+0xb2/0x160
[   27.839994]  __sys_sendmsg+0xa3/0x120
[   27.843765]  ? SyS_shutdown+0x160/0x160
[   27.847716]  ? move_addr_to_kernel+0x60/0x60
[   27.852096]  SyS_sendmsg+0x27/0x40
[   27.855606]  ? __sys_sendmsg+0x120/0x120
[   27.859638]  do_syscall_64+0x1d5/0x640
[   27.863500]  entry_SYSCALL_64_after_hwframe+0x5e/0xd3
[   27.868663] 
[   27.870263] Allocated by task 7972:
[   27.873865]  kasan_kmalloc+0xeb/0x160
[   27.877639]  kmem_cache_alloc_trace+0x131/0x3d0
[   27.882280]  ipvlan_link_new+0x64f/0xfa0
[   27.886314]  rtnl_newlink+0xf7c/0x1830
[   27.890171]  rtnetlink_rcv_msg+0x3be/0xb10
[   27.894414]  netlink_rcv_skb+0x125/0x390
[   27.898444]  netlink_unicast+0x437/0x610
[   27.902478]  netlink_sendmsg+0x648/0xbc0
[   27.906514]  sock_sendmsg+0xb5/0x100
[   27.910200]  ___sys_sendmsg+0x6c8/0x800
[   27.914147]  __sys_sendmsg+0xa3/0x120
[   27.917920]  SyS_sendmsg+0x27/0x40
[   27.921432]  do_syscall_64+0x1d5/0x640
[   27.925292]  entry_SYSCALL_64_after_hwframe+0x5e/0xd3
[   27.930449] 
[   27.932051] Freed by task 7972:
[   27.935305]  kasan_slab_free+0xc3/0x1a0
[   27.939253]  kfree+0xc9/0x250
[   27.942328]  ipvlan_uninit+0xb6/0xe0
[   27.946017]  register_netdevice+0x7fd/0xe50
[   27.950308]  ipvlan_link_new+0x499/0xfa0
[   27.954338]  rtnl_newlink+0xf7c/0x1830
[   27.958194]  rtnetlink_rcv_msg+0x3be/0xb10
[   27.962398]  netlink_rcv_skb+0x125/0x390
[   27.966428]  netlink_unicast+0x437/0x610
[   27.970459]  netlink_sendmsg+0x648/0xbc0
[   27.974493]  sock_sendmsg+0xb5/0x100
[   27.978178]  ___sys_sendmsg+0x6c8/0x800
[   27.982126]  __sys_sendmsg+0xa3/0x120
[   27.985903]  SyS_sendmsg+0x27/0x40
[   27.989418]  do_syscall_64+0x1d5/0x640
[   27.993277]  entry_SYSCALL_64_after_hwframe+0x5e/0xd3
[   27.998435] 
[   28.000036] The buggy address belongs to the object at ffff8880b075c880
[   28.000036]  which belongs to the cache kmalloc-4096 of size 4096
[   28.012836] The buggy address is located 2248 bytes inside of
[   28.012836]  4096-byte region [ffff8880b075c880, ffff8880b075d880)
[   28.024851] The buggy address belongs to the page:
[   28.029750] page:ffffea0002c1d700 count:1 mapcount:0 mapping:ffff8880b075c880 index:0x0 compound_mapcount: 0
[   28.039687] flags: 0xfff00000008100(slab|head)
[   28.044243] raw: 00fff00000008100 ffff8880b075c880 0000000000000000 0000000100000001
[   28.052093] raw: ffffea000254dea0 ffff88813fe64a48 ffff88813fe74dc0 0000000000000000
[   28.059942] page dumped because: kasan: bad access detected
[   28.065629] 
[   28.067236] Memory state around the buggy address:
[   28.072142]  ffff8880b075d000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   28.079478]  ffff8880b075d080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   28.086812] >ffff8880b075d100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   28.094148]                                               ^
[   28.099837]  ffff8880b075d180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   28.107168]  ffff8880b075d200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   28.114500] ==================================================================
[   28.121828] Disabling lock debugging due to kernel taint
[   28.127248] Kernel panic - not syncing: panic_on_warn set ...
[   28.127248] 
[   28.134582] CPU: 1 PID: 7972 Comm: syz-executor192 Tainted: G    B   4.14.300-syzkaller #0
[   28.143646] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
[   28.152974] Call Trace:
[   28.155541]  dump_stack+0x1b2/0x281
[   28.159162]  panic+0x1f9/0x42d
[   28.162328]  ? add_taint.cold+0x16/0x16
[   28.166277]  ? lock_downgrade+0x740/0x740
[   28.170396]  kasan_end_report+0x43/0x49
[   28.174344]  kasan_report_error.cold+0xa7/0x191
[   28.178994]  ? radix_tree_next_chunk+0x89f/0x8c0
[   28.183727]  __asan_report_load8_noabort+0x68/0x70
[   28.188633]  ? radix_tree_next_chunk+0x89f/0x8c0
[   28.193383]  radix_tree_next_chunk+0x89f/0x8c0
[   28.197942]  ida_remove+0x9b/0x210
[   28.201458]  ? ida_destroy+0x1b0/0x1b0
[   28.205321]  ? lock_acquire+0x170/0x3f0
[   28.209275]  ida_simple_remove+0x31/0x50
[   28.213312]  ipvlan_link_new+0x50c/0xfa0
[   28.217350]  rtnl_newlink+0xf7c/0x1830
[   28.221232]  ? __lock_acquire+0x5fc/0x3f20
[   28.225447]  ? ipvlan_port_destroy+0x3f0/0x3f0
[   28.230003]  ? kasan_slab_free+0xc3/0x1a0
[   28.234126]  ? rtnl_dellink+0x6a0/0x6a0
[   28.238073]  ? trace_hardirqs_on+0x10/0x10
[   28.242284]  ? __dev_queue_xmit+0x1d7f/0x2480
[   28.246752]  ? netlink_deliver_tap+0x61b/0x860
[   28.251310]  ? netlink_unicast+0x485/0x610
[   28.255517]  ? sock_sendmsg+0x40/0x100
[   28.259378]  ? ___sys_sendmsg+0x6c8/0x800
[   28.263499]  ? __sys_sendmsg+0xa3/0x120
[   28.267461]  ? lock_acquire+0x170/0x3f0
[   28.271413]  ? lock_downgrade+0x740/0x740
[   28.275536]  ? rtnl_dellink+0x6a0/0x6a0
[   28.279482]  rtnetlink_rcv_msg+0x3be/0xb10
[   28.283693]  ? rtnl_calcit.isra.0+0x3a0/0x3a0
[   28.288164]  ? do_raw_spin_unlock+0x164/0x220
[   28.292633]  ? netdev_pick_tx+0x2e0/0x2e0
[   28.296756]  netlink_rcv_skb+0x125/0x390
[   28.300883]  ? rtnl_calcit.isra.0+0x3a0/0x3a0
[   28.305352]  ? netlink_ack+0x9a0/0x9a0
[   28.309215]  netlink_unicast+0x437/0x610
[   28.313249]  ? netlink_sendskb+0xd0/0xd0
[   28.317287]  ? __check_object_size+0x179/0x230
[   28.321843]  netlink_sendmsg+0x648/0xbc0
[   28.325884]  ? nlmsg_notify+0x1b0/0x1b0
[   28.329832]  ? kernel_recvmsg+0x210/0x210
[   28.333954]  ? security_socket_sendmsg+0x83/0xb0
[   28.338681]  ? nlmsg_notify+0x1b0/0x1b0
[   28.342635]  sock_sendmsg+0xb5/0x100
[   28.346323]  ___sys_sendmsg+0x6c8/0x800
[   28.350270]  ? copy_msghdr_from_user+0x3b0/0x3b0
[   28.355002]  ? trace_hardirqs_on+0x10/0x10
[   28.359214]  ? lock_acquire+0x170/0x3f0
[   28.363163]  ? lock_downgrade+0x740/0x740
[   28.367286]  ? __might_fault+0x104/0x1b0
[   28.371324]  ? lock_acquire+0x170/0x3f0
[   28.375270]  ? lock_downgrade+0x740/0x740
[   28.379391]  ? __might_fault+0x177/0x1b0
[   28.383428]  ? _copy_to_user+0x82/0xd0
[   28.387289]  ? move_addr_to_user+0x13f/0x180
[   28.391672]  ? __fdget+0x167/0x1f0
[   28.395185]  ? sockfd_lookup_light+0xb2/0x160
[   28.399652]  __sys_sendmsg+0xa3/0x120
[   28.403427]  ? SyS_shutdown+0x160/0x160
[   28.407377]  ? move_addr_to_kernel+0x60/0x60
[   28.411762]  SyS_sendmsg+0x27/0x40
[   28.415274]  ? __sys_sendmsg+0x120/0x120
[   28.419309]  do_syscall_64+0x1d5/0x640
[   28.423703]  entry_SYSCALL_64_after_hwframe+0x5e/0xd3
[   28.429042] Kernel Offset: disabled
[   28.432644] Rebooting in 86400 seconds..