Debian GNU/Linux 9 syzkaller ttyS0
Warning: Permanently added '10.128.1.92' (ECDSA) to the list of known hosts.
syzkaller login: [ 33.180239] IPVS: ftp: loaded support on port[0] = 21
executing program
[ 33.297867] netlink: 20 bytes leftover after parsing attributes in process `syz-executor319'.
[ 33.361616] ==================================================================
[ 33.369065] BUG: KASAN: slab-out-of-bounds in netif_napi_del+0x301/0x380
[ 33.375886] Read of size 8 at addr ffff8880b3898598 by task syz-executor319/8137
[ 33.383396]
[ 33.385010] CPU: 1 PID: 8137 Comm: syz-executor319 Not tainted 4.19.211-syzkaller #0
[ 33.392869] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 33.402207] Call Trace:
[ 33.404787] dump_stack+0x1fc/0x2ef
[ 33.408400] print_address_description.cold+0x54/0x219
[ 33.413660] kasan_report_error.cold+0x8a/0x1b9
[ 33.418315] ? netif_napi_del+0x301/0x380
[ 33.422458] __asan_report_load8_noabort+0x88/0x90
[ 33.427369] ? netif_napi_del+0x301/0x380
[ 33.431512] netif_napi_del+0x301/0x380
[ 33.435464] free_netdev+0x21f/0x410
[ 33.439166] netdev_run_todo+0x89b/0xab0
[ 33.443209] ? default_device_exit_batch+0x3c0/0x3c0
[ 33.448296] ? rtnl_newlink+0x15c0/0x15c0
[ 33.452434] rtnetlink_rcv_msg+0x460/0xb80
[ 33.456679] ? rtnl_calcit.isra.0+0x430/0x430
[ 33.461155] ? __netlink_lookup+0x3fc/0x730
[ 33.465473] ? lock_downgrade+0x720/0x720
[ 33.469601] ? check_preemption_disabled+0x41/0x280
[ 33.474616] netlink_rcv_skb+0x160/0x440
[ 33.478665] ? rtnl_calcit.isra.0+0x430/0x430
[ 33.483142] ? netlink_ack+0xae0/0xae0
[ 33.487019] netlink_unicast+0x4d5/0x690
[ 33.491079] ? netlink_sendskb+0x110/0x110
[ 33.495296] ? _copy_from_iter_full+0x229/0x7c0
[ 33.499948] ? __phys_addr_symbol+0x2c/0x70
[ 33.504254] ? __check_object_size+0x17b/0x3e0
[ 33.508816] netlink_sendmsg+0x6c3/0xc50
[ 33.512865] ? aa_af_perm+0x230/0x230
[ 33.516657] ? nlmsg_notify+0x1f0/0x1f0
[ 33.520610] ? kernel_recvmsg+0x220/0x220
[ 33.524746] ? nlmsg_notify+0x1f0/0x1f0
[ 33.528700] sock_sendmsg+0xc3/0x120
[ 33.532391] ___sys_sendmsg+0x7bb/0x8e0
[ 33.536345] ? copy_msghdr_from_user+0x440/0x440
[ 33.541094] ? __fget+0x32f/0x510
[ 33.544541] ? lock_downgrade+0x720/0x720
[ 33.548681] ? check_preemption_disabled+0x41/0x280
[ 33.553691] ? check_preemption_disabled+0x41/0x280
[ 33.558686] ? __fget+0x356/0x510
[ 33.562120] ? do_dup2+0x450/0x450
[ 33.565646] ? lock_downgrade+0x720/0x720
[ 33.569771] ? check_preemption_disabled+0x41/0x280
[ 33.574766] ? __fdget+0x1d0/0x230
[ 33.578289] __x64_sys_sendmsg+0x132/0x220
[ 33.582500] ? __sys_sendmsg+0x1b0/0x1b0
[ 33.586555] ? __se_sys_futex+0x298/0x3b0
[ 33.590696] ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[ 33.596042] ? trace_hardirqs_off_caller+0x6e/0x210
[ 33.601042] ? do_syscall_64+0x21/0x620
[ 33.604994] do_syscall_64+0xf9/0x620
[ 33.608785] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 33.613964] RIP: 0033:0x7f51c12a5459
[ 33.617656] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 91 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
[ 33.636554] RSP: 002b:00007f51c124e308 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 33.644253] RAX: ffffffffffffffda RBX: 00007f51c13264c8 RCX: 00007f51c12a5459
[ 33.651505] RDX: 0000000000000000 RSI: 0000000020000180 RDI: 0000000000000004
[ 33.658761] RBP: 00007f51c13264c0 R08: 0000000000000000 R09: 0000000000000000
[ 33.666011] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f51c13264cc
[ 33.673258] R13: 00007f51c12f34a0 R14: 74656e2f7665642f R15: 0000000000022000
[ 33.680529]
[ 33.682142] Allocated by task 8142:
[ 33.685763] __kmalloc_node+0x4c/0x70
[ 33.689542] kvmalloc_node+0xb4/0xf0
[ 33.693234] alloc_netdev_mqs+0x97/0xd50
[ 33.697273] __tun_chr_ioctl.isra.0+0x2184/0x3d00
[ 33.702101] do_vfs_ioctl+0xcdb/0x12e0
[ 33.706055] ksys_ioctl+0x9b/0xc0
[ 33.709495] __x64_sys_ioctl+0x6f/0xb0
[ 33.713372] do_syscall_64+0xf9/0x620
[ 33.717153] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 33.722322]
[ 33.723928] Freed by task 0:
[ 33.726917] (stack is not available)
[ 33.730619]
[ 33.732231] The buggy address belongs to the object at ffff8880b3898640
[ 33.732231]  which belongs to the cache kmalloc-16384 of size 16384
[ 33.745213] The buggy address is located 168 bytes to the left of
[ 33.745213]  16384-byte region [ffff8880b3898640, ffff8880b389c640)
[ 33.757667] The buggy address belongs to the page:
[ 33.762574] page:ffffea0002ce2600 count:1 mapcount:0 mapping:ffff88813bff2200 index:0x0 compound_mapcount: 0
[ 33.772518] flags: 0xfff00000008100(slab|head)
[ 33.777077] raw: 00fff00000008100 ffffea000288f208 ffff88813bff1c48 ffff88813bff2200
[ 33.784937] raw: 0000000000000000 ffff8880b3898640 0000000100000001 0000000000000000
[ 33.792791] page dumped because: kasan: bad access detected
[ 33.798471]
[ 33.800072] Memory state around the buggy address:
[ 33.804975]  ffff8880b3898480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 33.812310]  ffff8880b3898500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 33.819645] >ffff8880b3898580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 33.826977]                                                                ^
[ 33.831100]  ffff8880b3898600: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
[ 33.838434]  ffff8880b3898680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 33.845763] ==================================================================
[ 33.853095] Disabling lock debugging due to kernel taint
[ 33.861697] kasan: CONFIG_KASAN_INLINE enabled
[ 33.866283] kasan: GPF could be caused by NULL-ptr deref or user memory access
[ 33.870796] Kernel panic - not syncing: panic_on_warn set ...
[ 33.870796]
[ 33.873672] general protection fault: 0000 [#1] PREEMPT SMP KASAN
[ 33.887223] CPU: 0 PID: 8108 Comm: syz-executor319 Tainted: G B 4.19.211-syzkaller #0
[ 33.896473] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 33.905820] RIP: 0010:unlist_netdevice+0x169/0x3e0
[ 33.910741] Code: 00 fc ff df 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 04 02 00 00 48 b8 00 00 00 00 00 fc ff df 4c 8b 63 18 4c 89 e2 48 c1 ea 03 <80> 3c 02 00 0f 85 ce 01 00 00 48 85 ed 49 89 2c 24 74 28 e8 df 12
[ 33.929628] RSP: 0018:ffff8880b3337b30 EFLAGS: 00010246
[ 33.934975] RAX: dffffc0000000000 RBX: ffff8880b3898640 RCX: ffffffff86747162
[ 33.942229] RDX: 0000000000000000 RSI: ffffffff867471f9 RDI: ffff8880b3898658
[ 33.949479] RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000
[ 33.956732] R10: 0000000000000001 R11: 0000000000000001 R12: 0000000000000000
[ 33.963995] R13: ffff8880b3e0c1f0 R14: ffff8880b3337ba0 R15: dffffc0000000000
[ 33.971259] FS: 00005555566f9300(0000) GS:ffff8880ba000000(0000) knlGS:0000000000000000
[ 33.979471] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 33.985346] CR2: 00007f91e803b148 CR3: 000000009bcec000 CR4: 00000000003406f0
[ 33.992620] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 33.999879] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 34.007133] Call Trace:
[ 34.009718] rollback_registered_many+0x336/0xe70
[ 34.014549] ? generic_xdp_install+0x550/0x550
[ 34.019205] ? do_raw_spin_unlock+0x171/0x230
[ 34.023686] ? _raw_spin_unlock+0x29/0x40
[ 34.027821] ? __queue_work+0x5f1/0x1100
[ 34.031871] rollback_registered+0xe9/0x1b0
[ 34.036178] ? rollback_registered_many+0xe70/0xe70
[ 34.041183] ? linkwatch_schedule_work+0x135/0x170
[ 34.046099] unregister_netdevice_queue+0x1de/0x3e0
[ 34.051104] __tun_detach+0x100d/0x1320
[ 34.055070] ? __tun_detach+0x1320/0x1320
[ 34.059200] tun_chr_close+0xd9/0x180
[ 34.062987] __fput+0x2ce/0x890
[ 34.066257] task_work_run+0x148/0x1c0
[ 34.070132] exit_to_usermode_loop+0x251/0x2a0
[ 34.074703] do_syscall_64+0x538/0x620
[ 34.078578] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 34.083756] RIP: 0033:0x7f51c125e54b
[ 34.087454] Code: 0f 05 48 3d 00 f0 ff ff 77 45 c3 0f 1f 40 00 48 83 ec 18 89 7c 24 0c e8 03 fd ff ff 8b 7c 24 0c 41 89 c0 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 35 44 89 c7 89 44 24 0c e8 41 fd ff ff 8b 44
[ 34.106339] RSP: 002b:00007ffc711f71d0 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
[ 34.114033] RAX: 0000000000000000 RBX: 0000000000000004 RCX: 00007f51c125e54b
[ 34.121287] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003
[ 34.128539] RBP: 00007f51c13264dc R08: 0000000000000000 R09: 00007ffc711f7210
[ 34.135803] R10: 0000000000000000 R11: 0000000000000293 R12: 00007f51c1259d90
[ 34.143057] R13: 00007ffc711f7220 R14: 00007ffc711f72a0 R15: 0000000000000008
[ 34.150312] Modules linked in:
[ 34.153653] Kernel Offset: disabled
[ 34.157269] Rebooting in 86400 seconds..