[  OK  ] Started Getty on tty4.
[  OK  ] Started Getty on tty3.
[  OK  ] Started Getty on tty2.
[  OK  ] Reached target Login Prompts.
[  OK  ] Started OpenBSD Secure Shell server.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.0.49' (ECDSA) to the list of known hosts.
2021/08/04 01:07:58 parsed 1 programs
2021/08/04 01:07:58 executed programs: 0
syzkaller login: [  424.371742][ T8444] chnl_net:caif_netlink_parms(): no params data found
[  424.421622][ T8444] bridge0: port 1(bridge_slave_0) entered blocking state
[  424.429486][ T8444] bridge0: port 1(bridge_slave_0) entered disabled state
[  424.439039][ T8444] device bridge_slave_0 entered promiscuous mode
[  424.448224][ T8444] bridge0: port 2(bridge_slave_1) entered blocking state
[  424.456184][ T8444] bridge0: port 2(bridge_slave_1) entered disabled state
[  424.463777][ T8444] device bridge_slave_1 entered promiscuous mode
[  424.484476][ T8444] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[  424.496730][ T8444] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[  424.518477][ T8444] team0: Port device team_slave_0 added
[  424.526458][ T8444] team0: Port device team_slave_1 added
[  424.545152][ T8444] batman_adv: batadv0: Adding interface: batadv_slave_0
[  424.552171][ T8444] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[  424.578474][ T8444] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[  424.592585][ T8444] batman_adv: batadv0: Adding interface: batadv_slave_1
[  424.599602][ T8444] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[  424.626122][ T8444] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[  424.653247][ T8444] device hsr_slave_0 entered promiscuous mode
[  424.660148][ T8444] device hsr_slave_1 entered promiscuous mode
[  424.755603][ T8444] netdevsim netdevsim0 netdevsim0: renamed from eth0
[  424.766169][ T8444] netdevsim netdevsim0 netdevsim1: renamed from eth1
[  424.774902][ T8444] netdevsim netdevsim0 netdevsim2: renamed from eth2
[  424.783409][ T8444] netdevsim netdevsim0 netdevsim3: renamed from eth3
[  424.809226][ T8444] bridge0: port 2(bridge_slave_1) entered blocking state
[  424.816416][ T8444] bridge0: port 2(bridge_slave_1) entered forwarding state
[  424.824263][ T8444] bridge0: port 1(bridge_slave_0) entered blocking state
[  424.831350][ T8444] bridge0: port 1(bridge_slave_0) entered forwarding state
[  424.870223][ T8444] 8021q: adding VLAN 0 to HW filter on device bond0
[  424.882314][   T26] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[  424.894099][   T26] bridge0: port 1(bridge_slave_0) entered disabled state
[  424.902407][   T26] bridge0: port 2(bridge_slave_1) entered disabled state
[  424.910627][   T26] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[  424.923442][ T8444] 8021q: adding VLAN 0 to HW filter on device team0
[  424.935959][    T5] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[  424.945159][    T5] bridge0: port 1(bridge_slave_0) entered blocking state
[  424.952208][    T5] bridge0: port 1(bridge_slave_0) entered forwarding state
[  424.974897][    T5] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[  424.983174][    T5] bridge0: port 2(bridge_slave_1) entered blocking state
[  424.990439][    T5] bridge0: port 2(bridge_slave_1) entered forwarding state
[  424.999350][    T5] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[  425.008964][    T5] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[  425.019812][    T5] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[  425.027703][    T5] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[  425.041123][ T4842] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[  425.051663][ T8444] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[  425.069116][   T26] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[  425.077260][   T26] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[  425.088842][ T8444] 8021q: adding VLAN 0 to HW filter on device batadv0
[  425.114234][   T26] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[  425.123689][   T26] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[  425.133382][   T26] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[  425.142309][   T26] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[  425.153169][ T8444] device veth0_vlan entered promiscuous mode
[  425.163821][ T8444] device veth1_vlan entered promiscuous mode
[  425.183547][ T4842] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan0: link becomes ready
[  425.192190][ T4842] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan1: link becomes ready
[  425.200958][ T4842] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[  425.212072][ T8444] device veth0_macvtap entered promiscuous mode
[  425.222793][ T8444] device veth1_macvtap entered promiscuous mode
[  425.238525][ T8444] batman_adv: batadv0: Interface activated: batadv_slave_0
[  425.246501][   T26] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[  425.256563][   T26] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready
[  425.267420][ T8444] batman_adv: batadv0: Interface activated: batadv_slave_1
[  425.276855][ T8667] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[  425.288020][ T8444] netdevsim netdevsim0 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0
[  425.297233][ T8444] netdevsim netdevsim0 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0
[  425.306369][ T8444] netdevsim netdevsim0 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0
[  425.317896][ T8444] netdevsim netdevsim0 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0
[  425.394428][    T8] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[  425.402492][    T8] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50
[  425.429700][    T5] IPv6: ADDRCONF(NETDEV_CHANGE): wlan0: link becomes ready
[  425.456581][ T8594] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[  425.465067][ T8594] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50
[  425.473882][ T8667] IPv6: ADDRCONF(NETDEV_CHANGE): wlan1: link becomes ready
[  425.513523][    C1] hrtimer: interrupt took 57172 ns
[  426.225718][    T5] Bluetooth: hci0: command 0x0409 tx timeout
2021/08/04 01:08:03 executed programs: 63
[  428.304683][    T5] Bluetooth: hci0: command 0x041b tx timeout
[  430.386587][ T4842] Bluetooth: hci0: command 0x040f tx timeout
[  432.463896][    T5] Bluetooth: hci0: command 0x0419 tx timeout
2021/08/04 01:08:08 executed programs: 186
[  434.035255][ T9601] ==================================================================
[  434.044084][ T9601] BUG: KASAN: use-after-free in get_ucounts+0x28/0x160
[  434.051056][ T9601] Write of size 4 at addr ffff8880149c631c by task syz-executor.0/9601
[  434.059305][ T9601]
[  434.061618][ T9601] CPU: 0 PID: 9601 Comm: syz-executor.0 Not tainted 5.14.0-rc4-syzkaller #0
[  434.070269][ T9601] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[  434.080323][ T9601] Call Trace:
[  434.083587][ T9601]  dump_stack_lvl+0x1ae/0x29f
[  434.088335][ T9601]  ? show_regs_print_info+0x12/0x12
[  434.093556][ T9601]  ? printk+0xc0/0x108
[  434.097697][ T9601]  ? wake_up_klogd+0xb2/0xf0
[  434.102288][ T9601]  ? log_buf_vmcoreinfo_setup+0x498/0x498
[  434.107993][ T9601]  ? _raw_spin_lock_irqsave+0xbf/0x100
[  434.113485][ T9601]  ? preempt_schedule+0x14a/0x170
[  434.118611][ T9601]  print_address_description+0x66/0x3b0
[  434.124189][ T9601]  kasan_report+0x163/0x210
[  434.128673][ T9601]  ? asan.module_dtor+0x11/0x20
[  434.133517][ T9601]  ? get_ucounts+0x28/0x160
[  434.138000][ T9601]  kasan_check_range+0x2b5/0x2f0
[  434.142920][ T9601]  get_ucounts+0x28/0x160
[  434.147229][ T9601]  set_cred_ucounts+0x220/0x2d0
[  434.152060][ T9601]  __sys_setresuid+0x6d5/0x920
[  434.156856][ T9601]  do_syscall_64+0x3d/0xb0
[  434.161281][ T9601]  entry_SYSCALL_64_after_hwframe+0x44/0xae
[  434.167152][ T9601] RIP: 0033:0x4665e9
[  434.171023][ T9601] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
[  434.190603][ T9601] RSP: 002b:00007f1ddba3c188 EFLAGS: 00000246 ORIG_RAX: 0000000000000075
[  434.198995][ T9601] RAX: ffffffffffffffda RBX: 000000000056bf80 RCX: 00000000004665e9
[  434.206948][ T9601] RDX: 0000000000000000 RSI: 000000000000ee00 RDI: 000000000000ee01
[  434.214900][ T9601] RBP: 00000000004bfcc4 R08: 0000000000000000 R09: 0000000000000000
[  434.222866][ T9601] R10: 0000000000000000 R11: 0000000000000246 R12: 000000000056bf80
[  434.230950][ T9601] R13: 00007ffcddd8c8df R14: 00007f1ddba3c300 R15: 0000000000022000
[  434.238925][ T9601]
[  434.241232][ T9601] Allocated by task 9301:
[  434.245535][ T9601]  ____kasan_kmalloc+0xc4/0xf0
[  434.250284][ T9601]  kmem_cache_alloc_trace+0x96/0x340
[  434.255546][ T9601]  alloc_ucounts+0x176/0x420
[  434.260116][ T9601]  set_cred_ucounts+0x220/0x2d0
[  434.264953][ T9601]  __sys_setresuid+0x6d5/0x920
[  434.269717][ T9601]  do_syscall_64+0x3d/0xb0
[  434.274111][ T9601]  entry_SYSCALL_64_after_hwframe+0x44/0xae
[  434.280035][ T9601]
[  434.282341][ T9601] Freed by task 9601:
[  434.286295][ T9601]  kasan_set_track+0x3d/0x70
[  434.290862][ T9601]  kasan_set_free_info+0x1f/0x40
[  434.295784][ T9601]  ____kasan_slab_free+0x109/0x150
[  434.300901][ T9601]  slab_free_freelist_hook+0x1d8/0x290
[  434.306364][ T9601]  kfree+0xd0/0x1f0
[  434.310278][ T9601]  put_cred_rcu+0x221/0x400
[  434.314772][ T9601]  rcu_core+0x906/0x14b0
[  434.319074][ T9601]  __do_softirq+0x372/0x783
[  434.323590][ T9601]
[  434.325897][ T9601] Last potentially related work creation:
[  434.331589][ T9601]  kasan_save_stack+0x27/0x50
[  434.336249][ T9601]  kasan_record_aux_stack+0xee/0x120
[  434.341511][ T9601]  insert_work+0x54/0x400
[  434.346019][ T9601]  __queue_work+0x928/0xc60
[  434.350531][ T9601]  queue_work_on+0x111/0x200
[  434.355137][ T9601]  call_usermodehelper_exec+0x283/0x470
[  434.360679][ T9601]  kobject_uevent_env+0x1337/0x1700
[  434.366232][ T9601]  kobject_synth_uevent+0x3bf/0x900
[  434.371424][ T9601]  uevent_store+0x20/0x60
[  434.376084][ T9601]  kernfs_fop_write_iter+0x3b6/0x510
[  434.381393][ T9601]  vfs_write+0xa39/0xc90
[  434.385656][ T9601]  ksys_write+0x171/0x2a0
[  434.389966][ T9601]  do_syscall_64+0x3d/0xb0
[  434.394360][ T9601]  entry_SYSCALL_64_after_hwframe+0x44/0xae
[  434.400230][ T9601]
[  434.402532][ T9601] Second to last potentially related work creation:
[  434.409112][ T9601]  kasan_save_stack+0x27/0x50
[  434.413780][ T9601]  kasan_record_aux_stack+0xee/0x120
[  434.419041][ T9601]  insert_work+0x54/0x400
[  434.423347][ T9601]  __queue_work+0x928/0xc60
[  434.427840][ T9601]  queue_work_on+0x111/0x200
[  434.432409][ T9601]  call_usermodehelper_exec+0x283/0x470
[  434.437941][ T9601]  kobject_uevent_env+0x1337/0x1700
[  434.443115][ T9601]  kobject_synth_uevent+0x3bf/0x900
[  434.448289][ T9601]  uevent_store+0x20/0x60
[  434.452593][ T9601]  kernfs_fop_write_iter+0x3b6/0x510
[  434.457854][ T9601]  vfs_write+0xa39/0xc90
[  434.462071][ T9601]  ksys_write+0x171/0x2a0
[  434.466374][ T9601]  do_syscall_64+0x3d/0xb0
[  434.470766][ T9601]  entry_SYSCALL_64_after_hwframe+0x44/0xae
[  434.476638][ T9601]
[  434.478942][ T9601] The buggy address belongs to the object at ffff8880149c6300
[  434.478942][ T9601]  which belongs to the cache kmalloc-192 of size 192
[  434.492967][ T9601] The buggy address is located 28 bytes inside of
[  434.492967][ T9601]  192-byte region [ffff8880149c6300, ffff8880149c63c0)
[  434.506126][ T9601] The buggy address belongs to the page:
[  434.511731][ T9601] page:ffffea0000527180 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x149c6
[  434.521859][ T9601] flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff)
[  434.529395][ T9601] raw: 00fff00000000200 ffffea00005db940 0000000c0000000c ffff888011041a00
[  434.537953][ T9601] raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000
[  434.546506][ T9601] page dumped because: kasan: bad access detected
[  434.552891][ T9601] page_owner tracks the page as allocated
[  434.558585][ T9601] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY), pid 1, ts 2026668314, free_ts 2026024162
[  434.574186][ T9601]  get_page_from_freelist+0x779/0xa30
[  434.579586][ T9601]  __alloc_pages+0x26c/0x5f0
[  434.584167][ T9601]  alloc_page_interleave+0x22/0x1c0
[  434.589431][ T9601]  allocate_slab+0xf1/0x540
[  434.593913][ T9601]  ___slab_alloc+0x1cf/0x350
[  434.598477][ T9601]  kmem_cache_alloc_trace+0x29d/0x340
[  434.603825][ T9601]  call_usermodehelper_setup+0x8a/0x260
[  434.609349][ T9601]  kobject_uevent_env+0x1311/0x1700
[  434.614528][ T9601]  kernel_add_sysfs_param+0x106/0x126
[  434.619925][ T9601]  param_sysfs_builtin+0x145/0x1b9
[  434.625112][ T9601]  param_sysfs_init+0x68/0x6c
[  434.629788][ T9601]  do_one_initcall+0x197/0x3f0
[  434.634537][ T9601]  do_initcall_level+0x14a/0x1f5
[  434.639453][ T9601]  do_initcalls+0x4b/0x8c
[  434.643759][ T9601]  kernel_init_freeable+0x3f1/0x57e
[  434.648934][ T9601]  kernel_init+0x19/0x2a0
[  434.653239][ T9601] page last free stack trace:
[  434.657885][ T9601]  free_pcp_prepare+0xc29/0xd20
[  434.662758][ T9601]  free_unref_page+0x7e/0x550
[  434.667412][ T9601]  __vunmap+0x926/0xa70
[  434.671544][ T9601]  free_work+0x66/0x90
[  434.675605][ T9601]  process_one_work+0x833/0x10c0
[  434.680532][ T9601]  worker_thread+0xac1/0x1320
[  434.685188][ T9601]  kthread+0x453/0x480
[  434.689237][ T9601]  ret_from_fork+0x1f/0x30
[  434.693633][ T9601]
[  434.695947][ T9601] Memory state around the buggy address:
[  434.701555][ T9601]  ffff8880149c6200: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  434.709678][ T9601]  ffff8880149c6280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[  434.717717][ T9601] >ffff8880149c6300: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  434.725755][ T9601]                             ^
[  434.730581][ T9601]  ffff8880149c6380: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[  434.738703][ T9601]  ffff8880149c6400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  434.746741][ T9601] ==================================================================
[  434.754861][ T9601] Disabling lock debugging due to kernel taint
[  434.765932][ T9601] Kernel panic - not syncing: panic_on_warn set ...
[  434.772528][ T9601] CPU: 0 PID: 9601 Comm: syz-executor.0 Tainted: G    B             5.14.0-rc4-syzkaller #0
[  434.782678][ T9601] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[  434.792755][ T9601] Call Trace:
[  434.796035][ T9601]  dump_stack_lvl+0x1ae/0x29f
[  434.800718][ T9601]  ? show_regs_print_info+0x12/0x12
[  434.805913][ T9601]  ? log_buf_vmcoreinfo_setup+0x498/0x498
[  434.811615][ T9601]  ? preempt_schedule+0x14a/0x170
[  434.816629][ T9601]  ? schedule_preempt_disabled+0x20/0x20
[  434.822255][ T9601]  panic+0x2e1/0x850
[  434.826201][ T9601]  ? trace_hardirqs_on+0x30/0x80
[  434.831157][ T9601]  ? nmi_panic+0x90/0x90
[  434.835388][ T9601]  ? _raw_spin_unlock_irqrestore+0x110/0x120
[  434.841358][ T9601]  ? print_memory_metadata+0xa7/0x100
[  434.846813][ T9601]  kasan_report+0x206/0x210
[  434.851306][ T9601]  ? asan.module_dtor+0x11/0x20
[  434.856154][ T9601]  ? get_ucounts+0x28/0x160
[  434.860645][ T9601]  kasan_check_range+0x2b5/0x2f0
[  434.865566][ T9601]  get_ucounts+0x28/0x160
[  434.869879][ T9601]  set_cred_ucounts+0x220/0x2d0
[  434.874714][ T9601]  __sys_setresuid+0x6d5/0x920
[  434.879466][ T9601]  do_syscall_64+0x3d/0xb0
[  434.883876][ T9601]  entry_SYSCALL_64_after_hwframe+0x44/0xae
[  434.889758][ T9601] RIP: 0033:0x4665e9
[  434.893640][ T9601] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
[  434.913248][ T9601] RSP: 002b:00007f1ddba3c188 EFLAGS: 00000246 ORIG_RAX: 0000000000000075
[  434.921660][ T9601] RAX: ffffffffffffffda RBX: 000000000056bf80 RCX: 00000000004665e9
[  434.929612][ T9601] RDX: 0000000000000000 RSI: 000000000000ee00 RDI: 000000000000ee01
[  434.937562][ T9601] RBP: 00000000004bfcc4 R08: 0000000000000000 R09: 0000000000000000
[  434.945515][ T9601] R10: 0000000000000000 R11: 0000000000000246 R12: 000000000056bf80
[  434.953468][ T9601] R13: 00007ffcddd8c8df R14: 00007f1ddba3c300 R15: 0000000000022000
[  434.961478][ T9601] Kernel Offset: disabled
[  434.965791][ T9601] Rebooting in 86400 seconds..