[ OK ] Reached target Login Prompts.
[ OK ] Reached target Multi-User System.
[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
[ OK ] Started Update UTMP about System Runlevel Changes.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.1.37' (ECDSA) to the list of known hosts.

syzkaller login: [ 61.403353][ T7035] IPVS: ftp: loaded support on port[0] = 21
[ 61.498668][ T7035] chnl_net:caif_netlink_parms(): no params data found
[ 61.552612][ T7035] bridge0: port 1(bridge_slave_0) entered blocking state
[ 61.561356][ T7035] bridge0: port 1(bridge_slave_0) entered disabled state
[ 61.570036][ T7035] device bridge_slave_0 entered promiscuous mode
[ 61.579299][ T7035] bridge0: port 2(bridge_slave_1) entered blocking state
[ 61.587256][ T7035] bridge0: port 2(bridge_slave_1) entered disabled state
[ 61.595532][ T7035] device bridge_slave_1 entered promiscuous mode
[ 61.617145][ T7035] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 61.628251][ T7035] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 61.651432][ T7035] team0: Port device team_slave_0 added
[ 61.659948][ T7035] team0: Port device team_slave_1 added
[ 61.679044][ T7035] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 61.686356][ T7035] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 61.712521][ T7035] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[ 61.725135][ T7035] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 61.732270][ T7035] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 61.762031][ T7035] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[ 61.836724][ T7035] device hsr_slave_0 entered promiscuous mode
[ 61.883265][ T7035] device hsr_slave_1 entered promiscuous mode
[ 62.063040][ T7035] netdevsim netdevsim0 netdevsim0: renamed from eth0
[ 62.117008][ T7035] netdevsim netdevsim0 netdevsim1: renamed from eth1
[ 62.175783][ T7035] netdevsim netdevsim0 netdevsim2: renamed from eth2
[ 62.235435][ T7035] netdevsim netdevsim0 netdevsim3: renamed from eth3
[ 62.289119][ T7035] bridge0: port 2(bridge_slave_1) entered blocking state
[ 62.296314][ T7035] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 62.304435][ T7035] bridge0: port 1(bridge_slave_0) entered blocking state
[ 62.311952][ T7035] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 62.361544][ T7035] 8021q: adding VLAN 0 to HW filter on device bond0
[ 62.378241][ T2857] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 62.387807][ T2857] bridge0: port 1(bridge_slave_0) entered disabled state
[ 62.397406][ T2857] bridge0: port 2(bridge_slave_1) entered disabled state
[ 62.405948][ T2857] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 62.420762][ T7035] 8021q: adding VLAN 0 to HW filter on device team0
[ 62.432120][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 62.441355][ T5] bridge0: port 1(bridge_slave_0) entered blocking state
[ 62.448875][ T5] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 62.460911][ T2857] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 62.470367][ T2857] bridge0: port 2(bridge_slave_1) entered blocking state
[ 62.477510][ T2857] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 62.492861][ T2690] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bond: link becomes ready
[ 62.501601][ T2690] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bond: link becomes ready
[ 62.523885][ T2843] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_team: link becomes ready
[ 62.536528][ T2843] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 62.545920][ T2843] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_team: link becomes ready
[ 62.555596][ T2843] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 62.564923][ T2843] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_hsr: link becomes ready
[ 62.574573][ T2843] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 62.584151][ T2843] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 62.596113][ T7035] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
[ 62.608526][ T7035] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 62.617117][ T2690] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_hsr: link becomes ready
[ 62.627022][ T2690] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 62.650353][ T7035] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 62.658635][ T2690] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 62.667306][ T2690] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 62.688848][ T2843] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_virt_wifi: link becomes ready
[ 62.698468][ T2843] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 62.720999][ T7035] device veth0_vlan entered promiscuous mode
[ 62.729472][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_vlan: link becomes ready
[ 62.738887][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 62.751480][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 62.762112][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 62.776312][ T7035] device veth1_vlan entered promiscuous mode
[ 62.800248][ T2843] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan0: link becomes ready
[ 62.809526][ T2843] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan1: link becomes ready
[ 62.818900][ T2843] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_macvtap: link becomes ready
[ 62.828369][ T2843] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 62.840386][ T7035] device veth0_macvtap entered promiscuous mode
[ 62.852349][ T7035] device veth1_macvtap entered promiscuous mode
[ 62.871761][ T7035] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 62.880639][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready
[ 62.889946][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): macsec0: link becomes ready
[ 62.898568][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready
[ 62.908767][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 62.921573][ T7035] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 62.929613][ T2690] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready
[ 62.939525][ T2690] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
executing program
[ 66.222689][ C0] ==================================================================
[ 66.230911][ C0] BUG: KASAN: use-after-free in ip_icmp_error+0x52a/0x5a0
[ 66.238027][ C0] Read of size 1 at addr ffff888093c8c7ff by task ksoftirqd/0/9
[ 66.245645][ C0]
[ 66.247992][ C0] CPU: 0 PID: 9 Comm: ksoftirqd/0 Not tainted 5.7.0-rc6-syzkaller #0
[ 66.256053][ C0] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 66.266115][ C0] Call Trace:
[ 66.269401][ C0] dump_stack+0x188/0x20d
[ 66.273727][ C0] print_address_description.constprop.0.cold+0xd3/0x413
[ 66.281255][ C0] ? skb_splice_bits+0x1a0/0x1a0
[ 66.286187][ C0] ? __kasan_kmalloc.constprop.0+0xbf/0xd0
[ 66.291988][ C0] ? vprintk_func+0x81/0x17e
[ 66.296586][ C0] ? ip_icmp_error+0x52a/0x5a0
[ 66.301332][ C0] __kasan_report.cold+0x20/0x38
[ 66.306288][ C0] ? ip_icmp_error+0x52a/0x5a0
[ 66.311039][ C0] ? ip_icmp_error+0x52a/0x5a0
[ 66.315853][ C0] kasan_report+0x33/0x50
[ 66.320209][ C0] ip_icmp_error+0x52a/0x5a0
[ 66.324808][ C0] tcp_v4_err+0x9b2/0x1d00
[ 66.329211][ C0] ? tcp_v4_do_rcv+0x8b0/0x8b0
[ 66.333965][ C0] icmp_socket_deliver+0x1e4/0x360
[ 66.339063][ C0] icmp_unreach+0x33b/0xab0
[ 66.344007][ C0] icmp_rcv+0xee6/0x15f0
[ 66.348250][ C0] ip_protocol_deliver_rcu+0x57/0x880
[ 66.353611][ C0] ip_local_deliver_finish+0x220/0x360
[ 66.359063][ C0] ip_local_deliver+0x1c8/0x4e0
[ 66.363917][ C0] ? ip_local_deliver_finish+0x360/0x360
[ 66.369534][ C0] ? ip_rcv+0x24e/0x3c0
[ 66.373671][ C0] ? ip_protocol_deliver_rcu+0x880/0x880
[ 66.379279][ C0] ? lock_downgrade+0x840/0x840
[ 66.384715][ C0] ? ip_rcv_finish_core.isra.0+0x606/0x1ec0
[ 66.390733][ C0] ip_rcv_finish+0x1da/0x2f0
[ 66.395305][ C0] ip_rcv+0xd0/0x3c0
[ 66.399177][ C0] ? ip_local_deliver+0x4e0/0x4e0
[ 66.404199][ C0] ? ip_rcv_finish_core.isra.0+0x1ec0/0x1ec0
[ 66.410169][ C0] ? ip_local_deliver+0x4e0/0x4e0
[ 66.415191][ C0] __netif_receive_skb_one_core+0x114/0x180
[ 66.421062][ C0] ? __netif_receive_skb_core+0x31c0/0x31c0
[ 66.426990][ C0] ? do_raw_spin_lock+0x129/0x2e0
[ 66.432020][ C0] ? rwlock_bug.part.0+0x90/0x90
[ 66.436958][ C0] __netif_receive_skb+0x27/0x1c0
[ 66.441988][ C0] process_backlog+0x21e/0x7a0
[ 66.446737][ C0] ? net_rx_action+0x25f/0x1070
[ 66.451580][ C0] net_rx_action+0x4c2/0x1070
[ 66.456527][ C0] ? napi_busy_loop+0x9e0/0x9e0
[ 66.461371][ C0] ? rcu_read_lock_any_held.part.0+0x50/0x50
[ 66.470126][ C0] __do_softirq+0x26c/0x9f7
[ 66.474650][ C0] ? takeover_tasklets+0x810/0x810
[ 66.480104][ C0] run_ksoftirqd+0x89/0x100
[ 66.484586][ C0] smpboot_thread_fn+0x653/0x9e0
[ 66.489503][ C0] ? __smpboot_create_thread.part.0+0x340/0x340
[ 66.495741][ C0] ? __kthread_parkme+0x13f/0x1e0
[ 66.500760][ C0] ? __smpboot_create_thread.part.0+0x340/0x340
[ 66.507007][ C0] kthread+0x388/0x470
[ 66.511089][ C0] ? kthread_mod_delayed_work+0x1a0/0x1a0
[ 66.516813][ C0] ret_from_fork+0x24/0x30
[ 66.521218][ C0]
[ 66.523529][ C0] Allocated by task 7035:
[ 66.527840][ C0] save_stack+0x1b/0x40
[ 66.532018][ C0] __kasan_kmalloc.constprop.0+0xbf/0xd0
[ 66.537658][ C0] __kmalloc_reserve.isra.0+0x39/0xe0
[ 66.543021][ C0] __alloc_skb+0xef/0x5a0
[ 66.547344][ C0] rtmsg_ifinfo_build_skb+0x72/0x1a0
[ 66.552619][ C0] rtmsg_ifinfo_event.part.0+0x49/0xe0
[ 66.558063][ C0] rtnetlink_event+0x11e/0x150
[ 66.562818][ C0] notifier_call_chain+0xc0/0x230
[ 66.567945][ C0] call_netdevice_notifiers_info+0xb5/0x130
[ 66.573823][ C0] dev_set_mac_address+0x2ef/0x3f0
[ 66.578912][ C0] do_setlink+0x5d2/0x3680
[ 66.583311][ C0] __rtnl_newlink+0xad5/0x1590
[ 66.588067][ C0] rtnl_newlink+0x64/0xa0
[ 66.592415][ C0] rtnetlink_rcv_msg+0x44e/0xad0
[ 66.597363][ C0] netlink_rcv_skb+0x15a/0x410
[ 66.602118][ C0] netlink_unicast+0x537/0x740
[ 66.606872][ C0] netlink_sendmsg+0x882/0xe10
[ 66.611628][ C0] sock_sendmsg+0xcf/0x120
[ 66.616035][ C0] __sys_sendto+0x219/0x330
[ 66.620514][ C0] __x64_sys_sendto+0xdd/0x1b0
[ 66.625274][ C0] do_syscall_64+0xf6/0x7d0
[ 66.629774][ C0] entry_SYSCALL_64_after_hwframe+0x49/0xb3
[ 66.635851][ C0]
[ 66.638165][ C0] Freed by task 7035:
[ 66.642129][ C0] save_stack+0x1b/0x40
[ 66.646382][ C0] __kasan_slab_free+0xf7/0x140
[ 66.651239][ C0] kfree+0x109/0x2b0
[ 66.655152][ C0] skb_free_head+0x8b/0xa0
[ 66.659588][ C0] pskb_expand_head+0x2b1/0x1020
[ 66.664554][ C0] netlink_trim+0x1ea/0x240
[ 66.669241][ C0] netlink_broadcast_filtered+0x5f/0xd40
[ 66.674875][ C0] nlmsg_notify+0x90/0x250
[ 66.679563][ C0] rtmsg_ifinfo_event.part.0+0xb6/0xe0
[ 66.685015][ C0] rtnetlink_event+0x11e/0x150
[ 66.689759][ C0] notifier_call_chain+0xc0/0x230
[ 66.694765][ C0] call_netdevice_notifiers_info+0xb5/0x130
[ 66.700659][ C0] dev_set_mac_address+0x2ef/0x3f0
[ 66.705778][ C0] do_setlink+0x5d2/0x3680
[ 66.710181][ C0] __rtnl_newlink+0xad5/0x1590
[ 66.714926][ C0] rtnl_newlink+0x64/0xa0
[ 66.719840][ C0] rtnetlink_rcv_msg+0x44e/0xad0
[ 66.724757][ C0] netlink_rcv_skb+0x15a/0x410
[ 66.729543][ C0] netlink_unicast+0x537/0x740
[ 66.734390][ C0] netlink_sendmsg+0x882/0xe10
[ 66.739266][ C0] sock_sendmsg+0xcf/0x120
[ 66.743679][ C0] __sys_sendto+0x219/0x330
[ 66.748193][ C0] __x64_sys_sendto+0xdd/0x1b0
[ 66.753069][ C0] do_syscall_64+0xf6/0x7d0
[ 66.757772][ C0] entry_SYSCALL_64_after_hwframe+0x49/0xb3
[ 66.763832][ C0]
[ 66.766143][ C0] The buggy address belongs to the object at ffff888093c8c000
[ 66.766143][ C0]  which belongs to the cache kmalloc-4k of size 4096
[ 66.780191][ C0] The buggy address is located 2047 bytes inside of
[ 66.780191][ C0]  4096-byte region [ffff888093c8c000, ffff888093c8d000)
[ 66.793851][ C0] The buggy address belongs to the page:
[ 66.799484][ C0] page:ffffea00024f2300 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 head:ffffea00024f2300 order:1 compound_mapcount:0
[ 66.812923][ C0] flags: 0xfffe0000010200(slab|head)
[ 66.818204][ C0] raw: 00fffe0000010200 ffffea0002500208 ffffea0002505d88 ffff8880aa002000
[ 66.826792][ C0] raw: 0000000000000000 ffff888093c8c000 0000000100000001 0000000000000000
[ 66.835610][ C0] page dumped because: kasan: bad access detected
[ 66.842048][ C0]
[ 66.844381][ C0] Memory state around the buggy address:
[ 66.849989][ C0]  ffff888093c8c680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 66.858052][ C0]  ffff888093c8c700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 66.866119][ C0] >ffff888093c8c780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 66.874257][ C0]                                                                 ^
[ 66.882518][ C0]  ffff888093c8c800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 66.890598][ C0]  ffff888093c8c880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 66.898670][ C0] ==================================================================
[ 66.906728][ C0] Disabling lock debugging due to kernel taint
[ 66.912947][ C0] Kernel panic - not syncing: panic_on_warn set ...
[ 66.919539][ C0] CPU: 0 PID: 9 Comm: ksoftirqd/0 Tainted: G B 5.7.0-rc6-syzkaller #0
[ 66.928988][ C0] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 66.939042][ C0] Call Trace:
[ 66.942340][ C0] dump_stack+0x188/0x20d
[ 66.946674][ C0] panic+0x2e3/0x75c
[ 66.950682][ C0] ? add_taint.cold+0x16/0x16
[ 66.955361][ C0] ? ip_icmp_error+0x52a/0x5a0
[ 66.960101][ C0] ? trace_hardirqs_on+0x55/0x220
[ 66.965175][ C0] ? ip_icmp_error+0x52a/0x5a0
[ 66.970043][ C0] end_report+0x4d/0x53
[ 66.974242][ C0] __kasan_report.cold+0xd/0x38
[ 66.979145][ C0] ? ip_icmp_error+0x52a/0x5a0
[ 66.983917][ C0] ? ip_icmp_error+0x52a/0x5a0
[ 66.988659][ C0] kasan_report+0x33/0x50
[ 66.993127][ C0] ip_icmp_error+0x52a/0x5a0
[ 66.998416][ C0] tcp_v4_err+0x9b2/0x1d00
[ 67.002836][ C0] ? tcp_v4_do_rcv+0x8b0/0x8b0
[ 67.007601][ C0] icmp_socket_deliver+0x1e4/0x360
[ 67.012707][ C0] icmp_unreach+0x33b/0xab0
[ 67.017225][ C0] icmp_rcv+0xee6/0x15f0
[ 67.021465][ C0] ip_protocol_deliver_rcu+0x57/0x880
[ 67.026835][ C0] ip_local_deliver_finish+0x220/0x360
[ 67.032293][ C0] ip_local_deliver+0x1c8/0x4e0
[ 67.037140][ C0] ? ip_local_deliver_finish+0x360/0x360
[ 67.042764][ C0] ? ip_rcv+0x24e/0x3c0
[ 67.047270][ C0] ? ip_protocol_deliver_rcu+0x880/0x880
[ 67.052890][ C0] ? lock_downgrade+0x840/0x840
[ 67.057734][ C0] ? ip_rcv_finish_core.isra.0+0x606/0x1ec0
[ 67.063607][ C0] ip_rcv_finish+0x1da/0x2f0
[ 67.068213][ C0] ip_rcv+0xd0/0x3c0
[ 67.072113][ C0] ? ip_local_deliver+0x4e0/0x4e0
[ 67.077131][ C0] ? ip_rcv_finish_core.isra.0+0x1ec0/0x1ec0
[ 67.083101][ C0] ? ip_local_deliver+0x4e0/0x4e0
[ 67.088136][ C0] __netif_receive_skb_one_core+0x114/0x180
[ 67.094132][ C0] ? __netif_receive_skb_core+0x31c0/0x31c0
[ 67.100134][ C0] ? do_raw_spin_lock+0x129/0x2e0
[ 67.105143][ C0] ? rwlock_bug.part.0+0x90/0x90
[ 67.110088][ C0] __netif_receive_skb+0x27/0x1c0
[ 67.115106][ C0] process_backlog+0x21e/0x7a0
[ 67.119870][ C0] ? net_rx_action+0x25f/0x1070
[ 67.124830][ C0] net_rx_action+0x4c2/0x1070
[ 67.129656][ C0] ? napi_busy_loop+0x9e0/0x9e0
[ 67.134793][ C0] ? rcu_read_lock_any_held.part.0+0x50/0x50
[ 67.140750][ C0] __do_softirq+0x26c/0x9f7
[ 67.145496][ C0] ? takeover_tasklets+0x810/0x810
[ 67.150594][ C0] run_ksoftirqd+0x89/0x100
[ 67.155085][ C0] smpboot_thread_fn+0x653/0x9e0
[ 67.159997][ C0] ? __smpboot_create_thread.part.0+0x340/0x340
[ 67.166215][ C0] ? __kthread_parkme+0x13f/0x1e0
[ 67.171263][ C0] ? __smpboot_create_thread.part.0+0x340/0x340
[ 67.177500][ C0] kthread+0x388/0x470
[ 67.181683][ C0] ? kthread_mod_delayed_work+0x1a0/0x1a0
[ 67.187398][ C0] ret_from_fork+0x24/0x30
[ 67.193257][ C0] Kernel Offset: disabled
[ 67.197640][ C0] Rebooting in 86400 seconds..