[ OK ] Started Getty on tty1.
[ OK ] Started Serial Getty on ttyS0.
[ OK ] Started Getty on tty2.
[ OK ] Reached target Login Prompts.
[ OK ] Started OpenBSD Secure Shell server.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.0.12' (ECDSA) to the list of known hosts.

syzkaller login: [ 44.245971][ T6849] IPVS: ftp: loaded support on port[0] = 21
[ 44.333298][ T6849] chnl_net:caif_netlink_parms(): no params data found
[ 44.391007][ T6849] bridge0: port 1(bridge_slave_0) entered blocking state
[ 44.399191][ T6849] bridge0: port 1(bridge_slave_0) entered disabled state
[ 44.406729][ T6849] device bridge_slave_0 entered promiscuous mode
[ 44.414971][ T6849] bridge0: port 2(bridge_slave_1) entered blocking state
[ 44.422793][ T6849] bridge0: port 2(bridge_slave_1) entered disabled state
[ 44.430716][ T6849] device bridge_slave_1 entered promiscuous mode
[ 44.447834][ T6849] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 44.458696][ T6849] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 44.478992][ T6849] team0: Port device team_slave_0 added
[ 44.485972][ T6849] team0: Port device team_slave_1 added
[ 44.501943][ T6849] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 44.509025][ T6849] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 44.534894][ T6849] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[ 44.546794][ T6849] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 44.553895][ T6849] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 44.579795][ T6849] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[ 44.604090][ T6849] device hsr_slave_0 entered promiscuous mode
[ 44.610699][ T6849] device hsr_slave_1 entered promiscuous mode
[ 44.692968][ T6849] netdevsim netdevsim0 netdevsim0: renamed from eth0
[ 44.702810][ T6849] netdevsim netdevsim0 netdevsim1: renamed from eth1
[ 44.712143][ T6849] netdevsim netdevsim0 netdevsim2: renamed from eth2
[ 44.721275][ T6849] netdevsim netdevsim0 netdevsim3: renamed from eth3
[ 44.742591][ T6849] bridge0: port 2(bridge_slave_1) entered blocking state
[ 44.749710][ T6849] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 44.757282][ T6849] bridge0: port 1(bridge_slave_0) entered blocking state
[ 44.764373][ T6849] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 44.803883][ T6849] 8021q: adding VLAN 0 to HW filter on device bond0
[ 44.816804][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 44.826331][ T5] bridge0: port 1(bridge_slave_0) entered disabled state
[ 44.834619][ T5] bridge0: port 2(bridge_slave_1) entered disabled state
[ 44.843222][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 44.854804][ T6849] 8021q: adding VLAN 0 to HW filter on device team0
[ 44.866179][ T3925] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 44.875196][ T3925] bridge0: port 1(bridge_slave_0) entered blocking state
[ 44.882316][ T3925] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 44.898927][ T2636] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 44.907200][ T2636] bridge0: port 2(bridge_slave_1) entered blocking state
[ 44.914300][ T2636] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 44.934140][ T6849] hsr0: Slave A (hsr_slave_0) is not up; please bring it up to get a fully working HSR network
[ 44.944822][ T6849] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
[ 44.958023][ T3925] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 44.967028][ T3925] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 44.975559][ T3925] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 44.984176][ T3925] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 44.992706][ T3925] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 45.000534][ T3925] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 45.018183][ T2468] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 45.025601][ T2468] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 45.035830][ T6849] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 45.054126][ T2636] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 45.073865][ T2468] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 45.082099][ T2468] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 45.090771][ T2468] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 45.100645][ T6849] device veth0_vlan entered promiscuous mode
[ 45.111610][ T6849] device veth1_vlan entered promiscuous mode
[ 45.131307][ T2636] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan0: link becomes ready
[ 45.139551][ T2636] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan1: link becomes ready
[ 45.147475][ T2636] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 45.158127][ T6849] device veth0_macvtap entered promiscuous mode
[ 45.166611][ T6849] device veth1_macvtap entered promiscuous mode
[ 45.183001][ T6849] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 45.190357][ T2468] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 45.201122][ T2468] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready
[ 45.212853][ T6849] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 45.220943][ T2468] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 45.232184][ T6849] netdevsim netdevsim0 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0
[ 45.241184][ T6849] netdevsim netdevsim0 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0
[ 45.250075][ T6849] netdevsim netdevsim0 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0
[ 45.259005][ T6849] netdevsim netdevsim0 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0
executing program
[ 45.316090][ T224] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[ 45.334588][ T224] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50
[ 45.344138][ T96] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[ 45.354485][ T96] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50
[ 45.363912][ T2468] IPv6: ADDRCONF(NETDEV_CHANGE): wlan0: link becomes ready
[ 45.374909][ T2468] IPv6: ADDRCONF(NETDEV_CHANGE): wlan1: link becomes ready
[ 45.391954][ T7086] netlink: 32 bytes leftover after parsing attributes in process `syz-executor211'.
[ 45.445821][ T7086] ==================================================================
[ 45.453943][ T7086] BUG: KASAN: use-after-free in tcf_action_init+0x231/0x3d0
[ 45.461194][ T7086] Read of size 8 at addr ffff888097225c00 by task syz-executor211/7086
[ 45.469395][ T7086]
[ 45.471697][ T7086] CPU: 0 PID: 7086 Comm: syz-executor211 Not tainted 5.9.0-rc6-syzkaller #0
[ 45.480330][ T7086] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 45.490353][ T7086] Call Trace:
[ 45.493612][ T7086] dump_stack+0x1d6/0x29e
[ 45.497921][ T7086] print_address_description+0x66/0x620
[ 45.503443][ T7086] ? printk+0x62/0x83
[ 45.507398][ T7086] ? _raw_spin_lock_irqsave+0x84/0xd0
[ 45.512740][ T7086] ? vprintk_emit+0x2f0/0x370
[ 45.517394][ T7086] kasan_report+0x132/0x1d0
[ 45.521868][ T7086] ? tcf_action_init+0x231/0x3d0
[ 45.526780][ T7086] tcf_action_init+0x231/0x3d0
[ 45.531535][ T7086] tc_ctl_action+0x2c7/0x7e0
[ 45.536117][ T7086] ? tcf_free_cookie_rcu+0x40/0x40
[ 45.541247][ T7086] rtnetlink_rcv_msg+0x889/0xd40
[ 45.546159][ T7086] ? rcu_read_lock_sched_held+0x2f/0xa0
[ 45.546836][ T6849] syz-executor211 (6849) used greatest stack depth: 24576 bytes left
[ 45.551697][ T7086] ? trace_lock_release+0x149/0x1a0
[ 45.551712][ T7086] ? rcu_lock_release+0x9/0x20
[ 45.551728][ T7086] ? check_preemption_disabled+0x51/0x140
[ 45.575361][ T7086] ? __local_bh_enable_ip+0x126/0x1c0
[ 45.580746][ T7086] ? lockdep_hardirqs_on+0x79/0x100
[ 45.585926][ T7086] ? local_bh_enable+0x5/0x20
[ 45.590615][ T7086] ? __local_bh_enable_ip+0x126/0x1c0
[ 45.595956][ T7086] ? __dev_queue_xmit+0x1846/0x2940
[ 45.601127][ T7086] ? lock_is_held_type+0xb3/0xe0
[ 45.606040][ T7086] netlink_rcv_skb+0x190/0x3a0
[ 45.610777][ T7086] ? rtnetlink_bind+0x80/0x80
[ 45.615454][ T7086] netlink_unicast+0x786/0x940
[ 45.620189][ T7086] netlink_sendmsg+0xa57/0xd70
[ 45.624925][ T7086] ? netlink_getsockopt+0x9e0/0x9e0
[ 45.630155][ T7086] ____sys_sendmsg+0x519/0x800
[ 45.634904][ T7086] ? import_iovec+0x12a/0x2c0
[ 45.639706][ T7086] __sys_sendmsg+0x2b1/0x360
[ 45.644282][ T7086] ? rcu_read_lock_sched_held+0x2f/0xa0
[ 45.649805][ T7086] ? __up_read+0x1f1/0x6f0
[ 45.654286][ T7086] ? do_user_addr_fault+0x6b4/0xa90
[ 45.659458][ T7086] ? lock_is_held_type+0xb3/0xe0
[ 45.664364][ T7086] ? check_preemption_disabled+0x51/0x140
[ 45.670081][ T7086] ? syscall_enter_from_user_mode+0x24/0x180
[ 45.676025][ T7086] ? lockdep_hardirqs_on+0x79/0x100
[ 45.681193][ T7086] ? syscall_enter_from_user_mode+0x24/0x180
[ 45.687291][ T7086] do_syscall_64+0x31/0x70
[ 45.691677][ T7086] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 45.697544][ T7086] RIP: 0033:0x44abe9
[ 45.701426][ T7086] Code: e8 dc 13 03 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb 0b fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 45.721017][ T7086] RSP: 002b:00007f842a305ce8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 45.729402][ T7086] RAX: ffffffffffffffda RBX: 00000000006e0c48 RCX: 000000000044abe9
[ 45.737342][ T7086] RDX: 0000000000000000 RSI: 0000000020002980 RDI: 0000000000000003
[ 45.745285][ T7086] RBP: 00000000006e0c40 R08: 0000000000000000 R09: 0000000000000000
[ 45.753225][ T7086] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006e0c4c
[ 45.761290][ T7086] R13: 00007ffcf73121ef R14: 00007f842a3069c0 R15: 00000000006e0c4c
[ 45.769281][ T7086]
[ 45.771584][ T7086] Allocated by task 7086:
[ 45.775911][ T7086] __kasan_kmalloc+0x100/0x130
[ 45.780646][ T7086] __kmalloc+0x205/0x300
[ 45.784871][ T7086] kzalloc+0x16/0x30
[ 45.788745][ T7086] tcf_idr_create+0x56/0x5e0
[ 45.793299][ T7086] tcf_connmark_init+0x230/0x7d0
[ 45.798203][ T7086] tcf_action_init_1+0x7dc/0xce0
[ 45.803106][ T7086] tcf_action_init+0x114/0x3d0
[ 45.807848][ T7086] tc_ctl_action+0x2c7/0x7e0
[ 45.812415][ T7086] rtnetlink_rcv_msg+0x889/0xd40
[ 45.817322][ T7086] netlink_rcv_skb+0x190/0x3a0
[ 45.822054][ T7086] netlink_unicast+0x786/0x940
[ 45.826782][ T7086] netlink_sendmsg+0xa57/0xd70
[ 45.831512][ T7086] ____sys_sendmsg+0x519/0x800
[ 45.836276][ T7086] __sys_sendmsg+0x2b1/0x360
[ 45.840833][ T7086] do_syscall_64+0x31/0x70
[ 45.845217][ T7086] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 45.851070][ T7086]
[ 45.853366][ T7086] Freed by task 7088:
[ 45.857316][ T7086] kasan_set_track+0x3d/0x70
[ 45.861881][ T7086] kasan_set_free_info+0x17/0x30
[ 45.866781][ T7086] __kasan_slab_free+0xdd/0x110
[ 45.871594][ T7086] kfree+0x113/0x200
[ 45.875455][ T7086] tcf_generic_walker+0x6f8/0xbc0
[ 45.880446][ T7086] tca_action_gd+0x135a/0x18f0
[ 45.885177][ T7086] tc_ctl_action+0x395/0x7e0
[ 45.889738][ T7086] rtnetlink_rcv_msg+0x889/0xd40
[ 45.894725][ T7086] netlink_rcv_skb+0x190/0x3a0
[ 45.899616][ T7086] netlink_unicast+0x786/0x940
[ 45.904343][ T7086] netlink_sendmsg+0xa57/0xd70
[ 45.909076][ T7086] ____sys_sendmsg+0x519/0x800
[ 45.913825][ T7086] __sys_sendmsg+0x2b1/0x360
[ 45.918384][ T7086] do_syscall_64+0x31/0x70
[ 45.922784][ T7086] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 45.928673][ T7086]
[ 45.930969][ T7086] The buggy address belongs to the object at ffff888097225c00
[ 45.930969][ T7086]  which belongs to the cache kmalloc-512 of size 512
[ 45.944984][ T7086] The buggy address is located 0 bytes inside of
[ 45.944984][ T7086]  512-byte region [ffff888097225c00, ffff888097225e00)
[ 45.958045][ T7086] The buggy address belongs to the page:
[ 45.963646][ T7086] page:00000000598892c8 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x97225
[ 45.973761][ T7086] flags: 0xfffe0000000200(slab)
[ 45.978583][ T7086] raw: 00fffe0000000200 ffffea00028423c8 ffffea00028bbc48 ffff8880aa440600
[ 45.987132][ T7086] raw: 0000000000000000 ffff888097225000 0000000100000004 0000000000000000
[ 45.995681][ T7086] page dumped because: kasan: bad access detected
[ 46.002057][ T7086]
[ 46.004362][ T7086] Memory state around the buggy address:
[ 46.009986][ T7086]  ffff888097225b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 46.018018][ T7086]  ffff888097225b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 46.026045][ T7086] >ffff888097225c00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 46.034070][ T7086]                    ^
[ 46.038108][ T7086]  ffff888097225c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 46.046135][ T7086]  ffff888097225d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 46.054162][ T7086] ==================================================================
[ 46.062188][ T7086] Disabling lock debugging due to kernel taint
[ 46.070337][ T7086] Kernel panic - not syncing: panic_on_warn set ...
[ 46.076927][ T7086] CPU: 0 PID: 7086 Comm: syz-executor211 Tainted: G B 5.9.0-rc6-syzkaller #0
[ 46.086964][ T7086] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 46.097000][ T7086] Call Trace:
[ 46.100276][ T7086] dump_stack+0x1d6/0x29e
[ 46.104589][ T7086] panic+0x2c0/0x800
[ 46.108460][ T7086] ? trace_hardirqs_on+0x30/0x80
[ 46.113364][ T7086] kasan_report+0x1c9/0x1d0
[ 46.117836][ T7086] ? tcf_action_init+0x231/0x3d0
[ 46.122756][ T7086] tcf_action_init+0x231/0x3d0
[ 46.127491][ T7086] tc_ctl_action+0x2c7/0x7e0
[ 46.132053][ T7086] ? tcf_free_cookie_rcu+0x40/0x40
[ 46.137129][ T7086] rtnetlink_rcv_msg+0x889/0xd40
[ 46.142030][ T7086] ? rcu_read_lock_sched_held+0x2f/0xa0
[ 46.147541][ T7086] ? trace_lock_release+0x149/0x1a0
[ 46.152703][ T7086] ? rcu_lock_release+0x9/0x20
[ 46.157432][ T7086] ? check_preemption_disabled+0x51/0x140
[ 46.163111][ T7086] ? __local_bh_enable_ip+0x126/0x1c0
[ 46.168443][ T7086] ? lockdep_hardirqs_on+0x79/0x100
[ 46.173631][ T7086] ? local_bh_enable+0x5/0x20
[ 46.178271][ T7086] ? __local_bh_enable_ip+0x126/0x1c0
[ 46.183605][ T7086] ? __dev_queue_xmit+0x1846/0x2940
[ 46.188766][ T7086] ? lock_is_held_type+0xb3/0xe0
[ 46.193664][ T7086] netlink_rcv_skb+0x190/0x3a0
[ 46.198394][ T7086] ? rtnetlink_bind+0x80/0x80
[ 46.203038][ T7086] netlink_unicast+0x786/0x940
[ 46.207776][ T7086] netlink_sendmsg+0xa57/0xd70
[ 46.212502][ T7086] ? netlink_getsockopt+0x9e0/0x9e0
[ 46.217667][ T7086] ____sys_sendmsg+0x519/0x800
[ 46.222397][ T7086] ? import_iovec+0x12a/0x2c0
[ 46.227036][ T7086] __sys_sendmsg+0x2b1/0x360
[ 46.231592][ T7086] ? rcu_read_lock_sched_held+0x2f/0xa0
[ 46.237101][ T7086] ? __up_read+0x1f1/0x6f0
[ 46.241483][ T7086] ? do_user_addr_fault+0x6b4/0xa90
[ 46.246643][ T7086] ? lock_is_held_type+0xb3/0xe0
[ 46.251542][ T7086] ? check_preemption_disabled+0x51/0x140
[ 46.257223][ T7086] ? syscall_enter_from_user_mode+0x24/0x180
[ 46.263163][ T7086] ? lockdep_hardirqs_on+0x79/0x100
[ 46.268326][ T7086] ? syscall_enter_from_user_mode+0x24/0x180
[ 46.274267][ T7086] do_syscall_64+0x31/0x70
[ 46.278645][ T7086] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 46.284498][ T7086] RIP: 0033:0x44abe9
[ 46.288356][ T7086] Code: e8 dc 13 03 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb 0b fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 46.307923][ T7086] RSP: 002b:00007f842a305ce8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 46.316295][ T7086] RAX: ffffffffffffffda RBX: 00000000006e0c48 RCX: 000000000044abe9
[ 46.324231][ T7086] RDX: 0000000000000000 RSI: 0000000020002980 RDI: 0000000000000003
[ 46.332168][ T7086] RBP: 00000000006e0c40 R08: 0000000000000000 R09: 0000000000000000
[ 46.340123][ T7086] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006e0c4c
[ 46.348061][ T7086] R13: 00007ffcf73121ef R14: 00007f842a3069c0 R15: 00000000006e0c4c
[ 46.357100][ T7086] Kernel Offset: disabled
[ 46.361418][ T7086] Rebooting in 86400 seconds..