[  OK  ] Reached target Graphical Interface.
         Starting Update UTMP about System Runlevel Changes...
[  OK  ] Started Update UTMP about System Runlevel Changes.
         Starting Load/Save RF Kill Switch Status...
[  OK  ] Started Load/Save RF Kill Switch Status.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.0.200' (ECDSA) to the list of known hosts.

syzkaller login: [   64.353386][ T6818] IPVS: ftp: loaded support on port[0] = 21
[   64.452692][ T6818] chnl_net:caif_netlink_parms(): no params data found
[   64.505909][ T6818] bridge0: port 1(bridge_slave_0) entered blocking state
[   64.513903][ T6818] bridge0: port 1(bridge_slave_0) entered disabled state
[   64.526233][ T6818] device bridge_slave_0 entered promiscuous mode
[   64.536523][ T6818] bridge0: port 2(bridge_slave_1) entered blocking state
[   64.543990][ T6818] bridge0: port 2(bridge_slave_1) entered disabled state
[   64.552266][ T6818] device bridge_slave_1 entered promiscuous mode
[   64.573767][ T6818] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[   64.585896][ T6818] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[   64.610323][ T6818] team0: Port device team_slave_0 added
[   64.619118][ T6818] team0: Port device team_slave_1 added
[   64.638446][ T6818] batman_adv: batadv0: Adding interface: batadv_slave_0
[   64.646844][ T6818] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[   64.673201][ T6818] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[   64.685913][ T6818] batman_adv: batadv0: Adding interface: batadv_slave_1
[   64.693494][ T6818] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[   64.719802][ T6818] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[   64.799826][ T6818] device hsr_slave_0 entered promiscuous mode
[   64.857362][ T6818] device hsr_slave_1 entered promiscuous mode
[   65.005508][ T6818] netdevsim netdevsim0 netdevsim0: renamed from eth0
[   65.061110][ T6818] netdevsim netdevsim0 netdevsim1: renamed from eth1
[   65.119497][ T6818] netdevsim netdevsim0 netdevsim2: renamed from eth2
[   65.178996][ T6818] netdevsim netdevsim0 netdevsim3: renamed from eth3
[   65.235388][ T6818] bridge0: port 2(bridge_slave_1) entered blocking state
[   65.242750][ T6818] bridge0: port 2(bridge_slave_1) entered forwarding state
[   65.250990][ T6818] bridge0: port 1(bridge_slave_0) entered blocking state
[   65.258498][ T6818] bridge0: port 1(bridge_slave_0) entered forwarding state
[   65.303715][ T6818] 8021q: adding VLAN 0 to HW filter on device bond0
[   65.323974][ T6818] 8021q: adding VLAN 0 to HW filter on device team0
[   65.331905][ T3789] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[   65.343943][ T3789] bridge0: port 1(bridge_slave_0) entered disabled state
[   65.352637][ T3789] bridge0: port 2(bridge_slave_1) entered disabled state
[   65.361470][ T3789] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[   65.376216][ T2514] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[   65.385822][ T2514] bridge0: port 1(bridge_slave_0) entered blocking state
[   65.393113][ T2514] bridge0: port 1(bridge_slave_0) entered forwarding state
[   65.405772][ T3789] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[   65.414970][ T3789] bridge0: port 2(bridge_slave_1) entered blocking state
[   65.422272][ T3789] bridge0: port 2(bridge_slave_1) entered forwarding state
[   65.447487][ T2514] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bond: link becomes ready
[   65.458382][ T2514] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bond: link becomes ready
[   65.468346][ T2514] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_team: link becomes ready
[   65.478412][ T2514] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[   65.488002][ T2514] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_team: link becomes ready
[   65.497526][ T2514] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[   65.506214][ T2514] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_hsr: link becomes ready
[   65.515272][ T2514] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[   65.526421][ T2514] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[   65.534826][ T2514] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_hsr: link becomes ready
[   65.543671][ T2514] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[   65.559736][ T6818] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[   65.581981][ T3789] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[   65.590137][ T3789] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[   65.603668][ T6818] 8021q: adding VLAN 0 to HW filter on device batadv0
[   65.624789][ T3789] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_virt_wifi: link becomes ready
[   65.634502][ T3789] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[   65.657820][ T2515] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_vlan: link becomes ready
[   65.667614][ T2515] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[   65.678197][ T2515] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[   65.686238][ T2515] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[   65.696103][ T6818] device veth0_vlan entered promiscuous mode
[   65.710220][ T6818] device veth1_vlan entered promiscuous mode
[   65.733659][ T2515] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan0: link becomes ready
[   65.741996][ T2515] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan1: link becomes ready
[   65.751147][ T2515] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_macvtap: link becomes ready
[   65.760714][ T2515] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[   65.774085][ T6818] device veth0_macvtap entered promiscuous mode
[   65.785093][ T6818] device veth1_macvtap entered promiscuous mode
[   65.804098][ T6818] batman_adv: batadv0: Interface activated: batadv_slave_0
[   65.812464][ T2514] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready
[   65.822831][ T2514] IPv6: ADDRCONF(NETDEV_CHANGE): macsec0: link becomes ready
[   65.831451][ T2514] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready
[   65.841595][ T2514] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[   65.855416][ T6818] batman_adv: batadv0: Interface activated: batadv_slave_1
[   65.863054][ T2515] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready
[   65.872814][ T2515] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
executing program
[   69.147844][    C1] ==================================================================
[   69.157011][    C1] BUG: KASAN: use-after-free in ip_icmp_error+0x52a/0x5a0
[   69.164499][    C1] Read of size 1 at addr ffff8880a7f9c7ff by task ksoftirqd/1/16
[   69.172521][    C1] 
[   69.175285][    C1] CPU: 1 PID: 16 Comm: ksoftirqd/1 Not tainted 5.7.0-rc7-next-20200526-syzkaller #0
[   69.184894][    C1] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   69.195160][    C1] Call Trace:
[   69.198509][    C1]  dump_stack+0x18f/0x20d
[   69.202895][    C1]  ? ip_icmp_error+0x52a/0x5a0
[   69.207840][    C1]  ? ip_icmp_error+0x52a/0x5a0
[   69.214021][    C1]  print_address_description.constprop.0.cold+0xd3/0x413
[   69.222329][    C1]  ? memcpy+0x39/0x60
[   69.226975][    C1]  ? vprintk_func+0x97/0x1a6
[   69.231743][    C1]  ? ip_icmp_error+0x52a/0x5a0
[   69.237441][    C1]  kasan_report.cold+0x1f/0x37
[   69.242456][    C1]  ? skb_clone+0x190/0x3c0
[   69.246924][    C1]  ? ip_icmp_error+0x52a/0x5a0
[   69.252034][    C1]  ip_icmp_error+0x52a/0x5a0
[   69.257099][    C1]  tcp_v4_err+0x99e/0x1ce0
[   69.261788][    C1]  ? tcp_v4_do_rcv+0x8b0/0x8b0
[   69.266820][    C1]  icmp_socket_deliver+0x1e1/0x360
[   69.272264][    C1]  icmp_unreach+0x33b/0xab0
[   69.276832][    C1]  icmp_rcv+0xee6/0x15f0
[   69.282385][    C1]  ip_protocol_deliver_rcu+0x57/0x880
[   69.288420][    C1]  ? check_preemption_disabled+0x38/0x220
[   69.294527][    C1]  ip_local_deliver_finish+0x220/0x360
[   69.300148][    C1]  ip_local_deliver+0x1c8/0x4e0
[   69.305079][    C1]  ? ip_local_deliver_finish+0x360/0x360
[   69.311206][    C1]  ? ip_rcv+0x244/0x3c0
[   69.315891][    C1]  ? ip_protocol_deliver_rcu+0x880/0x880
[   69.321878][    C1]  ? lock_downgrade+0x840/0x840
[   69.326916][    C1]  ? ip_rcv_finish_core.isra.0+0x606/0x1ea0
[   69.332902][    C1]  ip_rcv_finish+0x1da/0x2f0
[   69.337617][    C1]  ip_rcv+0xd0/0x3c0
[   69.341537][    C1]  ? ip_local_deliver+0x4e0/0x4e0
[   69.347255][    C1]  ? ip_rcv_finish_core.isra.0+0x1ea0/0x1ea0
[   69.353356][    C1]  ? ip_local_deliver+0x4e0/0x4e0
[   69.358378][    C1]  __netif_receive_skb_one_core+0x114/0x180
[   69.364736][    C1]  ? __netif_receive_skb_core+0x33f0/0x33f0
[   69.370738][    C1]  ? do_raw_spin_lock+0x120/0x2d0
[   69.376455][    C1]  ? rwlock_bug.part.0+0x90/0x90
[   69.381615][    C1]  __netif_receive_skb+0x27/0x1c0
[   69.386647][    C1]  process_backlog+0x21e/0x7a0
[   69.391416][    C1]  ? lockdep_hardirqs_on_prepare+0x1bc/0x590
[   69.397483][    C1]  net_rx_action+0x4e1/0x10d0
[   69.402314][    C1]  ? napi_busy_loop+0x9e0/0x9e0
[   69.407180][    C1]  ? rcu_read_lock_any_held.part.0+0x50/0x50
[   69.413149][    C1]  ? lockdep_hardirqs_on_prepare+0x1bc/0x590
[   69.419377][    C1]  __do_softirq+0x268/0x9ee
[   69.423963][    C1]  ? takeover_tasklets+0x810/0x810
[   69.429293][    C1]  run_ksoftirqd+0x89/0x100
[   69.433797][    C1]  smpboot_thread_fn+0x653/0x9e0
[   69.438985][    C1]  ? smpboot_register_percpu_thread+0x370/0x370
[   69.445657][    C1]  ? __kthread_parkme+0x13f/0x1e0
[   69.450675][    C1]  ? smpboot_register_percpu_thread+0x370/0x370
[   69.457286][    C1]  kthread+0x3b5/0x4a0
[   69.461435][    C1]  ? kthread_mod_delayed_work+0x1a0/0x1a0
[   69.467142][    C1]  ? kthread_mod_delayed_work+0x1a0/0x1a0
[   69.472864][    C1]  ret_from_fork+0x1f/0x30
[   69.477370][    C1] 
[   69.479748][    C1] Allocated by task 3877:
[   69.484375][    C1]  save_stack+0x1b/0x40
[   69.488669][    C1]  __kasan_kmalloc.constprop.0+0xbf/0xd0
[   69.494646][    C1]  __kmalloc+0x161/0x7a0
[   69.499225][    C1]  tomoyo_realpath_from_path+0xc2/0x620
[   69.505399][    C1]  tomoyo_check_open_permission+0x26d/0x370
[   69.511636][    C1]  tomoyo_file_open+0xa3/0xd0
[   69.516583][    C1]  security_file_open+0x6e/0x3d0
[   69.521815][    C1]  do_dentry_open+0x355/0x11a0
[   69.527025][    C1]  path_openat+0x1e9e/0x27d0
[   69.531964][    C1]  do_filp_open+0x192/0x260
[   69.536460][    C1]  do_sys_openat2+0x585/0x7a0
[   69.541539][    C1]  do_sys_open+0xc3/0x140
[   69.546205][    C1]  do_syscall_64+0x60/0xe0
[   69.551048][    C1]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[   69.557478][    C1] 
[   69.559798][    C1] Freed by task 3877:
[   69.563873][    C1]  save_stack+0x1b/0x40
[   69.568019][    C1]  __kasan_slab_free+0xf7/0x140
[   69.572874][    C1]  kfree+0x109/0x2b0
[   69.577054][    C1]  tomoyo_realpath_from_path+0x18f/0x620
[   69.583394][    C1]  tomoyo_check_open_permission+0x26d/0x370
[   69.589906][    C1]  tomoyo_file_open+0xa3/0xd0
[   69.594585][    C1]  security_file_open+0x6e/0x3d0
[   69.599917][    C1]  do_dentry_open+0x355/0x11a0
[   69.604765][    C1]  path_openat+0x1e9e/0x27d0
[   69.609498][    C1]  do_filp_open+0x192/0x260
[   69.614096][    C1]  do_sys_openat2+0x585/0x7a0
[   69.618779][    C1]  do_sys_open+0xc3/0x140
[   69.623279][    C1]  do_syscall_64+0x60/0xe0
[   69.627792][    C1]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[   69.633936][    C1] 
[   69.636313][    C1] The buggy address belongs to the object at ffff8880a7f9c000
[   69.636313][    C1]  which belongs to the cache kmalloc-4k of size 4096
[   69.651429][    C1] The buggy address is located 2047 bytes inside of
[   69.651429][    C1]  4096-byte region [ffff8880a7f9c000, ffff8880a7f9d000)
[   69.666163][    C1] The buggy address belongs to the page:
[   69.672007][    C1] page:ffffea00029fe700 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 head:ffffea00029fe700 order:1 compound_mapcount:0
[   69.688621][    C1] flags: 0xfffe0000010200(slab|head)
[   69.694677][    C1] raw: 00fffe0000010200 ffffea0002a28588 ffffea000253d508 ffff8880aa002000
[   69.703770][    C1] raw: 0000000000000000 ffff8880a7f9c000 0000000100000001 0000000000000000
[   69.712979][    C1] page dumped because: kasan: bad access detected
[   69.719779][    C1] 
[   69.722109][    C1] Memory state around the buggy address:
[   69.728343][    C1]  ffff8880a7f9c680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   69.736539][    C1]  ffff8880a7f9c700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   69.744903][    C1] >ffff8880a7f9c780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   69.753214][    C1]                                                                ^
[   69.762393][    C1]  ffff8880a7f9c800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   69.771725][    C1]  ffff8880a7f9c880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   69.781498][    C1] ==================================================================
[   69.798968][    C1] Disabling lock debugging due to kernel taint
[   69.805497][    C1] Kernel panic - not syncing: panic_on_warn set ...
[   69.812265][    C1] CPU: 1 PID: 16 Comm: ksoftirqd/1 Tainted: G    B             5.7.0-rc7-next-20200526-syzkaller #0
[   69.823935][    C1] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   69.834437][    C1] Call Trace:
[   69.838194][    C1]  dump_stack+0x18f/0x20d
[   69.842627][    C1]  ? ip_icmp_error+0x4f0/0x5a0
[   69.847493][    C1]  panic+0x2e3/0x75c
[   69.852247][    C1]  ? __warn_printk+0xf3/0xf3
[   69.856957][    C1]  ? ip_icmp_error+0x52a/0x5a0
[   69.862271][    C1]  ? trace_hardirqs_on+0x55/0x220
[   69.867725][    C1]  ? ip_icmp_error+0x52a/0x5a0
[   69.872999][    C1]  ? ip_icmp_error+0x52a/0x5a0
[   69.878765][    C1]  end_report+0x4d/0x53
[   69.883009][    C1]  kasan_report.cold+0xd/0x37
[   69.888090][    C1]  ? skb_clone+0x190/0x3c0
[   69.892587][    C1]  ? ip_icmp_error+0x52a/0x5a0
[   69.897400][    C1]  ip_icmp_error+0x52a/0x5a0
[   69.901983][    C1]  tcp_v4_err+0x99e/0x1ce0
[   69.906557][    C1]  ? tcp_v4_do_rcv+0x8b0/0x8b0
[   69.911818][    C1]  icmp_socket_deliver+0x1e1/0x360
[   69.918012][    C1]  icmp_unreach+0x33b/0xab0
[   69.923077][    C1]  icmp_rcv+0xee6/0x15f0
[   69.927487][    C1]  ip_protocol_deliver_rcu+0x57/0x880
[   69.933147][    C1]  ? check_preemption_disabled+0x38/0x220
[   69.939231][    C1]  ip_local_deliver_finish+0x220/0x360
[   69.944863][    C1]  ip_local_deliver+0x1c8/0x4e0
[   69.950065][    C1]  ? ip_local_deliver_finish+0x360/0x360
[   69.955863][    C1]  ? ip_rcv+0x244/0x3c0
[   69.960064][    C1]  ? ip_protocol_deliver_rcu+0x880/0x880
[   69.965925][    C1]  ? lock_downgrade+0x840/0x840
[   69.971521][    C1]  ? ip_rcv_finish_core.isra.0+0x606/0x1ea0
[   69.979693][    C1]  ip_rcv_finish+0x1da/0x2f0
[   69.984448][    C1]  ip_rcv+0xd0/0x3c0
[   69.988460][    C1]  ? ip_local_deliver+0x4e0/0x4e0
[   69.993910][    C1]  ? ip_rcv_finish_core.isra.0+0x1ea0/0x1ea0
[   70.000035][    C1]  ? ip_local_deliver+0x4e0/0x4e0
[   70.006387][    C1]  __netif_receive_skb_one_core+0x114/0x180
[   70.012817][    C1]  ? __netif_receive_skb_core+0x33f0/0x33f0
[   70.019493][    C1]  ? do_raw_spin_lock+0x120/0x2d0
[   70.024599][    C1]  ? rwlock_bug.part.0+0x90/0x90
[   70.029618][    C1]  __netif_receive_skb+0x27/0x1c0
[   70.034683][    C1]  process_backlog+0x21e/0x7a0
[   70.039963][    C1]  ? lockdep_hardirqs_on_prepare+0x1bc/0x590
[   70.046101][    C1]  net_rx_action+0x4e1/0x10d0
[   70.050818][    C1]  ? napi_busy_loop+0x9e0/0x9e0
[   70.055841][    C1]  ? rcu_read_lock_any_held.part.0+0x50/0x50
[   70.062095][    C1]  ? lockdep_hardirqs_on_prepare+0x1bc/0x590
[   70.068245][    C1]  __do_softirq+0x268/0x9ee
[   70.073003][    C1]  ? takeover_tasklets+0x810/0x810
[   70.078335][    C1]  run_ksoftirqd+0x89/0x100
[   70.082876][    C1]  smpboot_thread_fn+0x653/0x9e0
[   70.087976][    C1]  ? smpboot_register_percpu_thread+0x370/0x370
[   70.094730][    C1]  ? __kthread_parkme+0x13f/0x1e0
[   70.099808][    C1]  ? smpboot_register_percpu_thread+0x370/0x370
[   70.106349][    C1]  kthread+0x3b5/0x4a0
[   70.111071][    C1]  ? kthread_mod_delayed_work+0x1a0/0x1a0
[   70.117175][    C1]  ? kthread_mod_delayed_work+0x1a0/0x1a0
[   70.123213][    C1]  ret_from_fork+0x1f/0x30
[   70.129791][    C1] Kernel Offset: disabled
[   70.134122][    C1] Rebooting in 86400 seconds..
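The report above can be read by hand, but three checks are what a triager does first, and they are worth automating when syzbot sends reports by the dozen: does the faulting address really sit where KASAN says it does inside the slab object, what does the shadow byte at that address say about the object's state, and who last owned the object. The script below is an added example written for this page (it is not part of the syzkaller log, syzbot, or the kernel): it parses the report's key lines, embedded below as an excerpt of the log above, recomputes ffff8880a7f9c7ff - ffff8880a7f9c000 = 2047 and confirms it agrees with KASAN's own "located 2047 bytes inside" line, decodes the shadow byte fb as KASAN_KMALLOC_FREE (the object was freed, so this is a true use-after-free rather than an out-of-bounds read into a redzone), and strips the save_stack, KASAN and allocator frames from the two stacks so that the owner is visible: the kmalloc-4k object was both allocated and freed by tomoyo_realpath_from_path in task 3877. Note the caveat that the allocation and free stacks identify the most recent owner of that slab slot, not the holder of the dangling pointer; the stale reference is in the ICMP error path that reported the access (ip_icmp_error on ksoftirqd/1), and the TOMOYO frames only tell you what the freed memory used to be. Assumed, and not from the page: the line formats are those printed by mm/kasan/report.c in 5.7-era kernels, and the shadow-value table is the generic-mode KASAN encoding from mm/kasan/kasan.h of that era.

```python
"""KASAN report triage: added example, not part of the syzkaller log above.
Recomputes the faulting address's offset inside the slab object, decodes the
shadow byte KASAN printed for it, and names the first non-allocator frame of
the alloc/free stacks. Assumes the 5.7-era mm/kasan/report.c line formats."""
import re

# Generic KASAN shadow values (mm/kasan/kasan.h, 5.7). One shadow byte covers 8
# bytes of memory: 0 = addressable, 1..7 = that many leading bytes addressable,
# 0xf0..0xff = poisoned, with the value encoding why.
SHADOW_MEANING = {
    0xfb: "freed slab object (KASAN_KMALLOC_FREE)",
    0xfc: "slab object redzone (KASAN_KMALLOC_REDZONE)",
}

PREFIX = re.compile(r"^\[\s*\d+\.\d+\]\[\s*[TC]\d+\] ?")  # printk time + caller id
BUG = re.compile(r"BUG: KASAN: (?P<bug>[\w-]+) in (?P<func>[\w.]+)\+0x")
ACCESS = re.compile(r"(?P<op>Read|Write) of size (?P<size>\d+) at addr (?P<addr>[0-9a-f]+)")
STACK_HDR = re.compile(r"(?P<kind>Allocated|Freed) by task (?P<task>\d+):")
OBJECT = re.compile(r"belongs to the object at (?P<base>[0-9a-f]+)")
CACHE = re.compile(r"belongs to the cache (?P<cache>\S+) of size (?P<size>\d+)")
LOCATED = re.compile(r"located (?P<off>\d+) bytes (?P<where>inside|to the right|to the left) of")
SHADOW_ROW = re.compile(r"^[ >](?P<row>[0-9a-f]{16}): (?P<bytes>(?:[0-9a-f]{2} ?){16})$")
FRAME = re.compile(r"^\s*\??\s*(?P<sym>[\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+")
# Frames that belong to KASAN or the slab allocator, not to the object's owner.
INFRA = re.compile(r"^(save_stack|_*kasan_|_*kmalloc|kfree|kmem_cache_)")

# Excerpt of the report in the console log above (just the lines triage reads).
REPORT = """\
[   69.157011][    C1] BUG: KASAN: use-after-free in ip_icmp_error+0x52a/0x5a0
[   69.164499][    C1] Read of size 1 at addr ffff8880a7f9c7ff by task ksoftirqd/1/16
[   69.479748][    C1] Allocated by task 3877:
[   69.484375][    C1]  save_stack+0x1b/0x40
[   69.488669][    C1]  __kasan_kmalloc.constprop.0+0xbf/0xd0
[   69.494646][    C1]  __kmalloc+0x161/0x7a0
[   69.499225][    C1]  tomoyo_realpath_from_path+0xc2/0x620
[   69.505399][    C1]  tomoyo_check_open_permission+0x26d/0x370
[   69.557478][    C1]
[   69.559798][    C1] Freed by task 3877:
[   69.563873][    C1]  save_stack+0x1b/0x40
[   69.568019][    C1]  __kasan_slab_free+0xf7/0x140
[   69.572874][    C1]  kfree+0x109/0x2b0
[   69.577054][    C1]  tomoyo_realpath_from_path+0x18f/0x620
[   69.633936][    C1]
[   69.636313][    C1] The buggy address belongs to the object at ffff8880a7f9c000
[   69.636313][    C1]  which belongs to the cache kmalloc-4k of size 4096
[   69.651429][    C1] The buggy address is located 2047 bytes inside of
[   69.651429][    C1]  4096-byte region [ffff8880a7f9c000, ffff8880a7f9d000)
[   69.744903][    C1] >ffff8880a7f9c780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   69.762393][    C1]  ffff8880a7f9c800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
"""


def parse_report(text):
    rep = {"alloc": None, "free": None, "shadow": {}}
    section = None  # the Allocated/Freed stack currently being collected
    for raw in text.splitlines():
        line = PREFIX.sub("", raw)
        if m := BUG.search(line):
            rep["bug"], rep["func"] = m["bug"], m["func"]
        elif m := ACCESS.search(line):
            rep["op"], rep["size"], rep["addr"] = m["op"], int(m["size"]), int(m["addr"], 16)
        elif m := STACK_HDR.search(line):
            section = {"task": int(m["task"]), "frames": []}
            rep["alloc" if m["kind"] == "Allocated" else "free"] = section
        elif m := OBJECT.search(line):
            rep["base"] = int(m["base"], 16)
        elif m := CACHE.search(line):
            rep["cache"], rep["obj_size"] = m["cache"], int(m["size"])
        elif m := LOCATED.search(line):
            rep["claimed_off"], rep["where"] = int(m["off"]), m["where"]
        elif m := SHADOW_ROW.match(line):
            rep["shadow"][int(m["row"], 16)] = [int(b, 16) for b in m["bytes"].split()]
        elif section is not None and (m := FRAME.match(line)):
            section["frames"].append(m["sym"])
        elif not line.strip():
            section = None  # a blank line ends the current stack
    return rep


def owner_frame(frames):
    """First frame that is neither KASAN nor the allocator: the object's owner."""
    return next((f for f in frames if not INFRA.match(f)), None)


def shadow_byte_at(shadow, addr):
    """One printed row holds 16 shadow bytes, i.e. covers 128 bytes of memory."""
    return next((vals[(addr - row) // 8] for row, vals in shadow.items()
                 if row <= addr < row + 128), None)


def triage(text):
    r = parse_report(text)
    off = r["addr"] - r["base"]
    sb = shadow_byte_at(r["shadow"], r["addr"])
    return {
        "bug": r["bug"], "func": r["func"], "op": r["op"], "size": r["size"],
        "cache": r["cache"], "offset": off,
        # KASAN's "located N bytes inside" line must agree with the addresses it printed.
        "report_consistent": off == r["claimed_off"]
        and (0 <= off < r["obj_size"]) == (r["where"] == "inside"),
        "shadow": sb, "shadow_meaning": SHADOW_MEANING.get(sb, "unknown"),
        "alloc_owner": owner_frame(r["alloc"]["frames"]),
        "free_owner": owner_frame(r["free"]["frames"]),
        "same_task": r["alloc"]["task"] == r["free"]["task"],
    }


if __name__ == "__main__":
    for k, v in triage(REPORT).items():
        print(f"{k:18} {v}")
```

Run it on a full syzbot console log rather than the excerpt and the same functions apply unchanged: the prefix regex discards the printk timestamp and caller id, the Call Trace frames are ignored because no Allocated/Freed header precedes them, and the shadow lookup picks the row whose 128-byte window contains the faulting address. A "report_consistent" of False would mean the report was mangled in transit (a line lost or wrapped), which is worth knowing before anyone spends time on the stacks.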