[ OK ] Started Getty on tty3.
[ OK ] Started Getty on tty2.
[ OK ] Started Serial Getty on ttyS0.
[ OK ] Started getty on tty2-tty6 if dbus and logind are not available.
[ OK ] Started OpenBSD Secure Shell server.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.0.149' (ECDSA) to the list of known hosts.

syzkaller login: [ 279.987114][ T6510] chnl_net:caif_netlink_parms(): no params data found
[ 280.083470][ T6510] bridge0: port 1(bridge_slave_0) entered blocking state
[ 280.092077][ T6510] bridge0: port 1(bridge_slave_0) entered disabled state
[ 280.100641][ T6510] device bridge_slave_0 entered promiscuous mode
[ 280.110186][ T6510] bridge0: port 2(bridge_slave_1) entered blocking state
[ 280.118289][ T6510] bridge0: port 2(bridge_slave_1) entered disabled state
[ 280.127093][ T6510] device bridge_slave_1 entered promiscuous mode
[ 280.157011][ T6510] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 280.168614][ T6510] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 280.202865][ T6510] team0: Port device team_slave_0 added
[ 280.211346][ T6510] team0: Port device team_slave_1 added
[ 280.241368][ T6510] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 280.248737][ T6510] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 280.277634][ T6510] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[ 280.291244][ T6510] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 280.299009][ T6510] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 280.325887][ T6510] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[ 280.363297][ T6510] device hsr_slave_0 entered promiscuous mode
[ 280.370005][ T6510] device hsr_slave_1 entered promiscuous mode
[ 280.488000][ T6510] netdevsim netdevsim0 netdevsim0: renamed from eth0
[ 280.498492][ T6510] netdevsim netdevsim0 netdevsim1: renamed from eth1
[ 280.507372][ T6510] netdevsim netdevsim0 netdevsim2: renamed from eth2
[ 280.517709][ T6510] netdevsim netdevsim0 netdevsim3: renamed from eth3
[ 280.539265][ T6510] bridge0: port 2(bridge_slave_1) entered blocking state
[ 280.546407][ T6510] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 280.553925][ T6510] bridge0: port 1(bridge_slave_0) entered blocking state
[ 280.561046][ T6510] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 280.603622][ T6510] 8021q: adding VLAN 0 to HW filter on device bond0
[ 280.616258][ T1054] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 280.628499][ T1054] bridge0: port 1(bridge_slave_0) entered disabled state
[ 280.636792][ T1054] bridge0: port 2(bridge_slave_1) entered disabled state
[ 280.644488][ T1054] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 280.658890][ T6510] 8021q: adding VLAN 0 to HW filter on device team0
[ 280.669762][ T1054] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 280.678500][ T1054] bridge0: port 1(bridge_slave_0) entered blocking state
[ 280.685545][ T1054] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 280.707005][ T1054] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 280.715287][ T1054] bridge0: port 2(bridge_slave_1) entered blocking state
[ 280.722408][ T1054] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 280.730669][ T1054] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 280.739624][ T1054] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 280.750649][ T6836] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 280.762772][ T6835] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 280.775733][ T1054] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 280.785373][ T6510] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 280.804449][ T6835] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 280.812693][ T6835] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 280.825556][ T6510] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 280.849087][ T20] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 280.863385][ T1054] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 280.873362][ T1054] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 280.883003][ T1054] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 280.892929][ T6510] device veth0_vlan entered promiscuous mode
[ 280.904159][ T6510] device veth1_vlan entered promiscuous mode
[ 280.924071][ T6835] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan0: link becomes ready
[ 280.932046][ T6835] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan1: link becomes ready
[ 280.940713][ T6835] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 280.951910][ T6510] device veth0_macvtap entered promiscuous mode
[ 280.961727][ T6510] device veth1_macvtap entered promiscuous mode
[ 280.970058][ T20] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready
[ 280.987601][ T6510] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 280.994992][ T20] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready
[ 281.005161][ T20] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 281.018987][ T6510] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 281.026886][ T1054] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready
[ 281.037603][ T1054] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 281.050585][ T6510] netdevsim netdevsim0 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0
[ 281.059643][ T6510] netdevsim netdevsim0 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0
[ 281.072723][ T6510] netdevsim netdevsim0 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0
[ 281.082118][ T6510] netdevsim netdevsim0 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0
[ 281.165651][ T8] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[ 281.195846][ T8] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50
[ 281.227975][ T20] IPv6: ADDRCONF(NETDEV_CHANGE): wlan0: link becomes ready
[ 281.228614][ T10] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[ 281.255983][ T10] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50
[ 281.269680][ T6836] IPv6: ADDRCONF(NETDEV_CHANGE): wlan1: link becomes ready
executing program
[ 281.318400][ C1] hrtimer: interrupt took 62414 ns
[ 286.382960][ T6857] ==================================================================
[ 286.391313][ T6857] BUG: KASAN: use-after-free in nr_release+0x5c/0x430
[ 286.398152][ T6857] Write of size 4 at addr ffff88801b5d4080 by task syz-executor240/6857
[ 286.406463][ T6857]
[ 286.408780][ T6857] CPU: 1 PID: 6857 Comm: syz-executor240 Not tainted 5.15.0-rc1-syzkaller #0
[ 286.417522][ T6857] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 286.427577][ T6857] Call Trace:
[ 286.430931][ T6857]  dump_stack_lvl+0x1dc/0x2d8
[ 286.435661][ T6857]  ? show_regs_print_info+0x12/0x12
[ 286.440858][ T6857]  ? _printk+0xcf/0x118
[ 286.445062][ T6857]  ? wake_up_klogd+0xb2/0xf0
[ 286.449634][ T6857]  ? log_buf_vmcoreinfo_setup+0x498/0x498
[ 286.455350][ T6857]  ? _raw_spin_lock_irqsave+0xdd/0x120
[ 286.460862][ T6857]  print_address_description+0x66/0x3e0
[ 286.466431][ T6857]  ? nr_release+0x5c/0x430
[ 286.470862][ T6857]  kasan_report+0x19a/0x1f0
[ 286.475348][ T6857]  ? nr_release+0x5c/0x430
[ 286.479858][ T6857]  ? down_write+0x10f/0x170
[ 286.484364][ T6857]  kasan_check_range+0x2b5/0x2f0
[ 286.489316][ T6857]  nr_release+0x5c/0x430
[ 286.493567][ T6857]  sock_close+0xd8/0x260
[ 286.497903][ T6857]  ? sock_mmap+0x90/0x90
[ 286.502136][ T6857]  __fput+0x3fe/0x870
[ 286.506166][ T6857]  task_work_run+0x146/0x1c0
[ 286.510836][ T6857]  do_exit+0x6fc/0x2580
[ 286.515115][ T6857]  ? print_irqtrace_events+0x220/0x220
[ 286.520580][ T6857]  ? mm_update_next_owner+0x6d0/0x6d0
[ 286.525959][ T6857]  ? asm_sysvec_apic_timer_interrupt+0x12/0x20
[ 286.532110][ T6857]  ? lockdep_hardirqs_on+0x95/0x140
[ 286.537349][ T6857]  ? asm_sysvec_apic_timer_interrupt+0x12/0x20
[ 286.543512][ T6857]  do_group_exit+0x168/0x2d0
[ 286.548111][ T6857]  get_signal+0x16e0/0x20c0
[ 286.552667][ T6857]  ? ptrace_notify+0x340/0x340
[ 286.557429][ T6857]  ? lockdep_hardirqs_on_prepare+0x412/0x780
[ 286.563409][ T6857]  arch_do_signal_or_restart+0x9c/0x730
[ 286.568985][ T6857]  ? get_sigframe_size+0x10/0x10
[ 286.573910][ T6857]  ? lockdep_hardirqs_on_prepare+0x412/0x780
[ 286.579918][ T6857]  ? exit_to_user_mode_prepare+0x12e/0x220
[ 286.585759][ T6857]  exit_to_user_mode_prepare+0x191/0x220
[ 286.591378][ T6857]  ? trace_irq_disable_rcuidle+0x11/0x170
[ 286.597133][ T6857]  syscall_exit_to_user_mode+0x2e/0x70
[ 286.602761][ T6857]  do_syscall_64+0x53/0xd0
[ 286.607253][ T6857]  entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 286.613140][ T6857] RIP: 0033:0x7f50e35fb3c9
[ 286.617544][ T6857] Code: Unable to access opcode bytes at RIP 0x7f50e35fb39f.
[ 286.624893][ T6857] RSP: 002b:00007ffde62917a8 EFLAGS: 00000246 ORIG_RAX: 000000000000002b
[ 286.633293][ T6857] RAX: fffffffffffffe00 RBX: 0000000000000003 RCX: 00007f50e35fb3c9
[ 286.641253][ T6857] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000005
[ 286.649208][ T6857] RBP: 0000000000000004 R08: 00007ffde62917d0 R09: 00007ffde62917d0
[ 286.657164][ T6857] R10: 00007ffde62917d0 R11: 0000000000000246 R12: 000055555635f2c0
[ 286.665119][ T6857] R13: 000000000000000b R14: 00007ffde6291820 R15: 0000000000000000
[ 286.673093][ T6857]
[ 286.675404][ T6857] Allocated by task 6857:
[ 286.679798][ T6857]  ____kasan_kmalloc+0xdc/0x110
[ 286.684699][ T6857]  __kmalloc+0x24d/0x370
[ 286.688933][ T6857]  sk_prot_alloc+0xf4/0x230
[ 286.693431][ T6857]  sk_alloc+0x35/0x300
[ 286.697500][ T6857]  nr_create+0x9f/0x4e0
[ 286.701646][ T6857]  __sock_create+0x580/0x8d0
[ 286.706221][ T6857]  __sys_socket+0x133/0x380
[ 286.710707][ T6857]  __x64_sys_socket+0x76/0x80
[ 286.715364][ T6857]  do_syscall_64+0x44/0xd0
[ 286.719764][ T6857]  entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 286.725644][ T6857]
[ 286.727972][ T6857] Freed by task 6857:
[ 286.731932][ T6857]  kasan_set_track+0x4c/0x80
[ 286.736511][ T6857]  kasan_set_free_info+0x1f/0x40
[ 286.741446][ T6857]  ____kasan_slab_free+0x10d/0x150
[ 286.746556][ T6857]  slab_free_freelist_hook+0x129/0x1a0
[ 286.752016][ T6857]  kfree+0xcf/0x2f0
[ 286.755820][ T6857]  __sk_destruct+0x575/0x820
[ 286.760396][ T6857]  call_timer_fn+0xf6/0x210
[ 286.764951][ T6857]  __run_timers+0x71a/0x910
[ 286.769447][ T6857]  run_timer_softirq+0x63/0xf0
[ 286.774197][ T6857]  __do_softirq+0x392/0x7a3
[ 286.778684][ T6857]
[ 286.781007][ T6857] The buggy address belongs to the object at ffff88801b5d4000
[ 286.781007][ T6857]  which belongs to the cache kmalloc-2k of size 2048
[ 286.795055][ T6857] The buggy address is located 128 bytes inside of
[ 286.795055][ T6857]  2048-byte region [ffff88801b5d4000, ffff88801b5d4800)
[ 286.808413][ T6857] The buggy address belongs to the page:
[ 286.814033][ T6857] page:ffffea00006d7400 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1b5d0
[ 286.824256][ T6857] head:ffffea00006d7400 order:3 compound_mapcount:0 compound_pincount:0
[ 286.832575][ T6857] flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff)
[ 286.840542][ T6857] raw: 00fff00000010200 0000000000000000 dead000000000122 ffff888011042000
[ 286.849107][ T6857] raw: 0000000000000000 0000000000080008 00000001ffffffff 0000000000000000
[ 286.857671][ T6857] page dumped because: kasan: bad access detected
[ 286.864063][ T6857] page_owner tracks the page as allocated
[ 286.869760][ T6857] page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd28c0(GFP_NOWAIT|__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 20, ts 281243236047, free_ts 281237310240
[ 286.889795][ T6857]  get_page_from_freelist+0x779/0xa30
[ 286.895243][ T6857]  __alloc_pages+0x255/0x580
[ 286.899819][ T6857]  allocate_slab+0xcc/0x4d0
[ 286.904315][ T6857]  ___slab_alloc+0x41e/0xc40
[ 286.908890][ T6857]  __kmalloc_node_track_caller+0x2d9/0x3e0
[ 286.914683][ T6857]  pskb_expand_head+0x118/0x10f0
[ 286.919606][ T6857]  netlink_trim+0x17f/0x210
[ 286.924157][ T6857]  netlink_broadcast_filtered+0x6c/0x1110
[ 286.929974][ T6857]  nlmsg_notify+0x100/0x1c0
[ 286.934483][ T6857]  netdev_state_change+0x1c5/0x270
[ 286.939655][ T6857]  linkwatch_do_dev+0x10a/0x160
[ 286.944540][ T6857]  __linkwatch_run_queue+0x4f5/0x800
[ 286.949818][ T6857]  linkwatch_event+0x48/0x50
[ 286.954399][ T6857]  process_one_work+0x853/0x1140
[ 286.959323][ T6857]  worker_thread+0xac1/0x1320
[ 286.964071][ T6857]  kthread+0x453/0x480
[ 286.968184][ T6857] page last free stack trace:
[ 286.972836][ T6857]  free_pcp_prepare+0xc29/0xd20
[ 286.977674][ T6857]  free_unref_page+0x7d/0x580
[ 286.982334][ T6857]  __unfreeze_partials+0x1ab/0x200
[ 286.987445][ T6857]  put_cpu_partial+0x132/0x1a0
[ 286.992206][ T6857]  ___cache_free+0xe6/0x120
[ 286.996712][ T6857]  kasan_quarantine_reduce+0x151/0x1c0
[ 287.002167][ T6857]  __kasan_slab_alloc+0x2f/0xe0
[ 287.007016][ T6857]  kmem_cache_alloc+0x1c3/0x300
[ 287.011873][ T6857]  getname_flags+0xba/0x650
[ 287.016429][ T6857]  do_sys_openat2+0xd2/0x500
[ 287.021009][ T6857]  __x64_sys_open+0x221/0x270
[ 287.025674][ T6857]  do_syscall_64+0x44/0xd0
[ 287.030075][ T6857]  entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 287.035961][ T6857]
[ 287.038273][ T6857] Memory state around the buggy address:
[ 287.043894][ T6857]  ffff88801b5d3f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 287.051946][ T6857]  ffff88801b5d4000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 287.059990][ T6857] >ffff88801b5d4080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 287.068047][ T6857]                    ^
[ 287.072109][ T6857]  ffff88801b5d4100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 287.080152][ T6857]  ffff88801b5d4180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 287.088191][ T6857] ==================================================================
[ 287.096235][ T6857] Disabling lock debugging due to kernel taint
[ 287.110293][ T6857] Kernel panic - not syncing: panic_on_warn set ...
[ 287.116894][ T6857] CPU: 1 PID: 6857 Comm: syz-executor240 Tainted: G    B             5.15.0-rc1-syzkaller #0
[ 287.127043][ T6857] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 287.137097][ T6857] Call Trace:
[ 287.140377][ T6857]  dump_stack_lvl+0x1dc/0x2d8
[ 287.145057][ T6857]  ? show_regs_print_info+0x12/0x12
[ 287.150252][ T6857]  ? log_buf_vmcoreinfo_setup+0x498/0x498
[ 287.155975][ T6857]  ? preempt_schedule+0x16b/0x190
[ 287.160983][ T6857]  ? schedule_preempt_disabled+0x20/0x20
[ 287.166596][ T6857]  panic+0x2d6/0x810
[ 287.170576][ T6857]  ? trace_hardirqs_on+0x30/0x80
[ 287.175506][ T6857]  ? nmi_panic+0x90/0x90
[ 287.179746][ T6857]  ? _raw_spin_unlock_irqrestore+0x128/0x130
[ 287.185708][ T6857]  ? print_memory_metadata+0xe0/0x140
[ 287.191066][ T6857]  ? nr_release+0x5c/0x430
[ 287.195469][ T6857]  end_report+0x83/0x90
[ 287.199609][ T6857]  kasan_report+0x1bf/0x1f0
[ 287.204097][ T6857]  ? nr_release+0x5c/0x430
[ 287.208500][ T6857]  ? down_write+0x10f/0x170
[ 287.212987][ T6857]  kasan_check_range+0x2b5/0x2f0
[ 287.217922][ T6857]  nr_release+0x5c/0x430
[ 287.222148][ T6857]  sock_close+0xd8/0x260
[ 287.226376][ T6857]  ? sock_mmap+0x90/0x90
[ 287.230602][ T6857]  __fput+0x3fe/0x870
[ 287.234569][ T6857]  task_work_run+0x146/0x1c0
[ 287.239231][ T6857]  do_exit+0x6fc/0x2580
[ 287.243375][ T6857]  ? print_irqtrace_events+0x220/0x220
[ 287.248817][ T6857]  ? mm_update_next_owner+0x6d0/0x6d0
[ 287.254170][ T6857]  ? asm_sysvec_apic_timer_interrupt+0x12/0x20
[ 287.260308][ T6857]  ? lockdep_hardirqs_on+0x95/0x140
[ 287.265491][ T6857]  ? asm_sysvec_apic_timer_interrupt+0x12/0x20
[ 287.271629][ T6857]  do_group_exit+0x168/0x2d0
[ 287.276209][ T6857]  get_signal+0x16e0/0x20c0
[ 287.280707][ T6857]  ? ptrace_notify+0x340/0x340
[ 287.285450][ T6857]  ? lockdep_hardirqs_on_prepare+0x412/0x780
[ 287.291510][ T6857]  arch_do_signal_or_restart+0x9c/0x730
[ 287.297041][ T6857]  ? get_sigframe_size+0x10/0x10
[ 287.301959][ T6857]  ? lockdep_hardirqs_on_prepare+0x412/0x780
[ 287.307924][ T6857]  ? exit_to_user_mode_prepare+0x12e/0x220
[ 287.313714][ T6857]  exit_to_user_mode_prepare+0x191/0x220
[ 287.319328][ T6857]  ? trace_irq_disable_rcuidle+0x11/0x170
[ 287.325032][ T6857]  syscall_exit_to_user_mode+0x2e/0x70
[ 287.330472][ T6857]  do_syscall_64+0x53/0xd0
[ 287.334912][ T6857]  entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 287.340807][ T6857] RIP: 0033:0x7f50e35fb3c9
[ 287.345205][ T6857] Code: Unable to access opcode bytes at RIP 0x7f50e35fb39f.
[ 287.352548][ T6857] RSP: 002b:00007ffde62917a8 EFLAGS: 00000246 ORIG_RAX: 000000000000002b
[ 287.360942][ T6857] RAX: fffffffffffffe00 RBX: 0000000000000003 RCX: 00007f50e35fb3c9
[ 287.368891][ T6857] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000005
[ 287.376847][ T6857] RBP: 0000000000000004 R08: 00007ffde62917d0 R09: 00007ffde62917d0
[ 287.384798][ T6857] R10: 00007ffde62917d0 R11: 0000000000000246 R12: 000055555635f2c0
[ 287.392749][ T6857] R13: 000000000000000b R14: 00007ffde6291820 R15: 0000000000000000
[ 287.400941][ T6857] Kernel Offset: disabled
[ 287.405248][ T6857] Rebooting in 86400 seconds..