[  OK  ] Started Getty on tty2.
[  OK  ] Started Getty on tty1.
[  OK  ] Started Serial Getty on ttyS0.
[  OK  ] Started getty on tty2-tty6 if dbus and logind are not available.
[  OK  ] Started OpenBSD Secure Shell server.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.10.27' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [   67.997842][ T8468] ==================================================================
[   68.006034][ T8468] BUG: KASAN: use-after-free in __gtp_encap_destroy+0x194/0x1b0
[   68.013666][ T8468] Read of size 8 at addr ffff88801a106bd0 by task syz-executor495/8468
[   68.021886][ T8468] 
[   68.024282][ T8468] CPU: 1 PID: 8468 Comm: syz-executor495 Not tainted 5.11.0-rc3-syzkaller #0
[   68.033026][ T8468] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   68.043067][ T8468] Call Trace:
[   68.046361][ T8468]  dump_stack+0x107/0x163
[   68.050683][ T8468]  ? __gtp_encap_destroy+0x194/0x1b0
[   68.055954][ T8468]  ? __gtp_encap_destroy+0x194/0x1b0
[   68.061224][ T8468]  print_address_description.constprop.0.cold+0x5b/0x2f8
[   68.068238][ T8468]  ? __gtp_encap_destroy+0x194/0x1b0
[   68.073515][ T8468]  ? __gtp_encap_destroy+0x194/0x1b0
[   68.078785][ T8468]  kasan_report.cold+0x79/0xd5
[   68.083545][ T8468]  ? __gtp_encap_destroy+0x194/0x1b0
[   68.088817][ T8468]  ? udpv6_pre_connect+0x180/0x180
[   68.093917][ T8468]  __gtp_encap_destroy+0x194/0x1b0
[   68.099012][ T8468]  ? gtp_dev_uninit+0x50/0x50
[   68.103676][ T8468]  gtp_encap_destroy+0x16/0x20
[   68.108432][ T8468]  udpv6_destroy_sock+0x1df/0x220
[   68.113444][ T8468]  sk_common_release+0x64/0x390
[   68.118286][ T8468]  inet_release+0x12e/0x280
[   68.122777][ T8468]  inet6_release+0x4c/0x70
[   68.127181][ T8468]  __sock_release+0xcd/0x280
[   68.131765][ T8468]  sock_close+0x18/0x20
[   68.135909][ T8468]  __fput+0x283/0x920
[   68.139884][ T8468]  ? __sock_release+0x280/0x280
[   68.144766][ T8468]  task_work_run+0xdd/0x190
[   68.149263][ T8468]  do_exit+0xc5c/0x2ae0
[   68.153406][ T8468]  ? __sanitizer_cov_trace_const_cmp8+0x1d/0x70
[   68.159684][ T8468]  ? mm_update_next_owner+0x7a0/0x7a0
[   68.165045][ T8468]  ? __sys_sendmsg_sock+0xb0/0xb0
[   68.170057][ T8468]  ? __sanitizer_cov_trace_const_cmp4+0x1c/0x70
[   68.176294][ T8468]  do_group_exit+0x125/0x310
[   68.180872][ T8468]  __x64_sys_exit_group+0x3a/0x50
[   68.185881][ T8468]  do_syscall_64+0x2d/0x70
[   68.190291][ T8468]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[   68.196174][ T8468] RIP: 0033:0x43f078
[   68.200054][ T8468] Code: Unable to access opcode bytes at RIP 0x43f04e.
[   68.206877][ T8468] RSP: 002b:00007ffd4a550178 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[   68.215302][ T8468] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043f078
[   68.223270][ T8468] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
[   68.231240][ T8468] RBP: 00000000004be888 R08: 00000000000000e7 R09: ffffffffffffffd0
[   68.239207][ T8468] R10: 0000000000000001 R11: 0000000000000246 R12: 0000000000000001
[   68.247174][ T8468] R13: 00000000006d0180 R14: 0000000000000000 R15: 0000000000000000
[   68.255144][ T8468] 
[   68.257464][ T8468] Allocated by task 8468:
[   68.261770][ T8468]  kasan_save_stack+0x1b/0x40
[   68.266434][ T8468]  ____kasan_kmalloc.constprop.0+0x82/0xa0
[   68.272239][ T8468]  kvmalloc_node+0x61/0xf0
[   68.276642][ T8468]  alloc_netdev_mqs+0x97/0xea0
[   68.281390][ T8468]  rtnl_create_link+0x219/0xad0
[   68.286252][ T8468]  __rtnl_newlink+0xf9b/0x16e0
[   68.291003][ T8468]  rtnl_newlink+0x64/0xa0
[   68.295335][ T8468]  rtnetlink_rcv_msg+0x44e/0xad0
[   68.300258][ T8468]  netlink_rcv_skb+0x153/0x420
[   68.305005][ T8468]  netlink_unicast+0x533/0x7d0
[   68.309751][ T8468]  netlink_sendmsg+0x856/0xd90
[   68.314511][ T8468]  sock_sendmsg+0xcf/0x120
[   68.318907][ T8468]  ____sys_sendmsg+0x6e8/0x810
[   68.323663][ T8468]  ___sys_sendmsg+0xf3/0x170
[   68.328236][ T8468]  __sys_sendmsg+0xe5/0x1b0
[   68.332722][ T8468]  do_syscall_64+0x2d/0x70
[   68.337124][ T8468]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[   68.343007][ T8468] 
[   68.345313][ T8468] Freed by task 8468:
[   68.349389][ T8468]  kasan_save_stack+0x1b/0x40
[   68.354052][ T8468]  kasan_set_track+0x1c/0x30
[   68.358624][ T8468]  kasan_set_free_info+0x20/0x30
[   68.363547][ T8468]  ____kasan_slab_free+0xe1/0x110
[   68.368554][ T8468]  slab_free_freelist_hook+0x5d/0x150
[   68.373908][ T8468]  kfree+0xdb/0x3b0
[   68.377697][ T8468]  kvfree+0x42/0x50
[   68.381525][ T8468]  free_netdev+0x4a9/0x5e0
[   68.385928][ T8468]  __rtnl_newlink+0x1484/0x16e0
[   68.390764][ T8468]  rtnl_newlink+0x64/0xa0
[   68.395077][ T8468]  rtnetlink_rcv_msg+0x44e/0xad0
[   68.400004][ T8468]  netlink_rcv_skb+0x153/0x420
[   68.404751][ T8468]  netlink_unicast+0x533/0x7d0
[   68.409496][ T8468]  netlink_sendmsg+0x856/0xd90
[   68.414242][ T8468]  sock_sendmsg+0xcf/0x120
[   68.418642][ T8468]  ____sys_sendmsg+0x6e8/0x810
[   68.423386][ T8468]  ___sys_sendmsg+0xf3/0x170
[   68.427961][ T8468]  __sys_sendmsg+0xe5/0x1b0
[   68.432461][ T8468]  do_syscall_64+0x2d/0x70
[   68.436861][ T8468]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[   68.442756][ T8468] 
[   68.445076][ T8468] The buggy address belongs to the object at ffff88801a106000
[   68.445076][ T8468]  which belongs to the cache kmalloc-4k of size 4096
[   68.459118][ T8468] The buggy address is located 3024 bytes inside of
[   68.459118][ T8468]  4096-byte region [ffff88801a106000, ffff88801a107000)
[   68.472548][ T8468] The buggy address belongs to the page:
[   68.478157][ T8468] page:0000000052ee4c3d refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1a100
[   68.488288][ T8468] head:0000000052ee4c3d order:3 compound_mapcount:0 compound_pincount:0
[   68.496594][ T8468] flags: 0xfff00000010200(slab|head)
[   68.501866][ T8468] raw: 00fff00000010200 dead000000000100 dead000000000122 ffff888010042140
[   68.510447][ T8468] raw: 0000000000000000 0000000080040004 00000001ffffffff 0000000000000000
[   68.519006][ T8468] page dumped because: kasan: bad access detected
[   68.525395][ T8468] 
[   68.527701][ T8468] Memory state around the buggy address:
[   68.533306][ T8468]  ffff88801a106a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   68.541348][ T8468]  ffff88801a106b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   68.549391][ T8468] >ffff88801a106b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   68.557447][ T8468]                                                  ^
[   68.564101][ T8468]  ffff88801a106c00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   68.572171][ T8468]  ffff88801a106c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   68.580224][ T8468] ==================================================================
[   68.588276][ T8468] Disabling lock debugging due to kernel taint
[   68.597156][ T8468] Kernel panic - not syncing: panic_on_warn set ...
[   68.603757][ T8468] CPU: 1 PID: 8468 Comm: syz-executor495 Tainted: G    B             5.11.0-rc3-syzkaller #0
[   68.613914][ T8468] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   68.623969][ T8468] Call Trace:
[   68.627234][ T8468]  dump_stack+0x107/0x163
[   68.631549][ T8468]  ? __gtp_encap_destroy+0xe0/0x1b0
[   68.636727][ T8468]  panic+0x306/0x73d
[   68.640603][ T8468]  ? __warn_printk+0xf3/0xf3
[   68.645173][ T8468]  ? preempt_schedule_common+0x59/0xc0
[   68.650612][ T8468]  ? __gtp_encap_destroy+0x194/0x1b0
[   68.655883][ T8468]  ? preempt_schedule_thunk+0x16/0x18
[   68.661245][ T8468]  ? trace_hardirqs_on+0x38/0x1c0
[   68.666255][ T8468]  ? trace_hardirqs_on+0x51/0x1c0
[   68.671269][ T8468]  ? __gtp_encap_destroy+0x194/0x1b0
[   68.676539][ T8468]  ? __gtp_encap_destroy+0x194/0x1b0
[   68.681809][ T8468]  end_report+0x58/0x5e
[   68.685951][ T8468]  kasan_report.cold+0x67/0xd5
[   68.690696][ T8468]  ? __gtp_encap_destroy+0x194/0x1b0
[   68.695961][ T8468]  ? udpv6_pre_connect+0x180/0x180
[   68.701055][ T8468]  __gtp_encap_destroy+0x194/0x1b0
[   68.706194][ T8468]  ? gtp_dev_uninit+0x50/0x50
[   68.710850][ T8468]  gtp_encap_destroy+0x16/0x20
[   68.715591][ T8468]  udpv6_destroy_sock+0x1df/0x220
[   68.720595][ T8468]  sk_common_release+0x64/0x390
[   68.725429][ T8468]  inet_release+0x12e/0x280
[   68.729913][ T8468]  inet6_release+0x4c/0x70
[   68.734313][ T8468]  __sock_release+0xcd/0x280
[   68.738885][ T8468]  sock_close+0x18/0x20
[   68.743019][ T8468]  __fput+0x283/0x920
[   68.747068][ T8468]  ? __sock_release+0x280/0x280
[   68.751900][ T8468]  task_work_run+0xdd/0x190
[   68.756387][ T8468]  do_exit+0xc5c/0x2ae0
[   68.760521][ T8468]  ? __sanitizer_cov_trace_const_cmp8+0x1d/0x70
[   68.766787][ T8468]  ? mm_update_next_owner+0x7a0/0x7a0
[   68.772172][ T8468]  ? __sys_sendmsg_sock+0xb0/0xb0
[   68.777177][ T8468]  ? __sanitizer_cov_trace_const_cmp4+0x1c/0x70
[   68.783411][ T8468]  do_group_exit+0x125/0x310
[   68.787981][ T8468]  __x64_sys_exit_group+0x3a/0x50
[   68.792985][ T8468]  do_syscall_64+0x2d/0x70
[   68.797381][ T8468]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[   68.803256][ T8468] RIP: 0033:0x43f078
[   68.807142][ T8468] Code: Unable to access opcode bytes at RIP 0x43f04e.
[   68.813959][ T8468] RSP: 002b:00007ffd4a550178 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[   68.822360][ T8468] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043f078
[   68.830324][ T8468] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
[   68.838277][ T8468] RBP: 00000000004be888 R08: 00000000000000e7 R09: ffffffffffffffd0
[   68.846266][ T8468] R10: 0000000000000001 R11: 0000000000000246 R12: 0000000000000001
[   68.854352][ T8468] R13: 00000000006d0180 R14: 0000000000000000 R15: 0000000000000000
[   68.863067][ T8468] Kernel Offset: disabled
[   68.867381][ T8468] Rebooting in 86400 seconds..