Debian GNU/Linux 9 syzkaller ttyS0
Warning: Permanently added '10.128.0.108' (ECDSA) to the list of known hosts.
syzkaller login: [   32.540044] IPVS: ftp: loaded support on port[0] = 21
executing program
[   32.623663] netlink: 20 bytes leftover after parsing attributes in process `syz-executor177'.
[   32.686004] ==================================================================
[   32.693441] BUG: KASAN: slab-out-of-bounds in netif_napi_del+0x301/0x380
[   32.700262] Read of size 8 at addr ffff8880a1a485d8 by task syz-executor177/8140
[   32.707773]
[   32.709392] CPU: 1 PID: 8140 Comm: syz-executor177 Not tainted 4.19.211-syzkaller #0
[   32.717248] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   32.726849] Call Trace:
[   32.729420]  dump_stack+0x1fc/0x2ef
[   32.733032]  print_address_description.cold+0x54/0x219
[   32.738566]  kasan_report_error.cold+0x8a/0x1b9
[   32.743238]  ? netif_napi_del+0x301/0x380
[   32.747392]  __asan_report_load8_noabort+0x88/0x90
[   32.752306]  ? netif_napi_del+0x301/0x380
[   32.756436]  netif_napi_del+0x301/0x380
[   32.760406]  free_netdev+0x21f/0x410
[   32.764101]  netdev_run_todo+0x89b/0xab0
[   32.768151]  ? default_device_exit_batch+0x3c0/0x3c0
[   32.773243]  ? rtnl_newlink+0x15c0/0x15c0
[   32.777375]  rtnetlink_rcv_msg+0x460/0xb80
[   32.781590]  ? rtnl_calcit.isra.0+0x430/0x430
[   32.786070]  ? __netlink_lookup+0x3fc/0x730
[   32.790374]  ? lock_downgrade+0x720/0x720
[   32.794513]  ? check_preemption_disabled+0x41/0x280
[   32.799516]  netlink_rcv_skb+0x160/0x440
[   32.803555]  ? rtnl_calcit.isra.0+0x430/0x430
[   32.808028]  ? netlink_ack+0xae0/0xae0
[   32.811900]  netlink_unicast+0x4d5/0x690
[   32.815952]  ? netlink_sendskb+0x110/0x110
[   32.820165]  ? _copy_from_iter_full+0x229/0x7c0
[   32.824827]  ? __phys_addr_symbol+0x2c/0x70
[   32.829135]  ? __check_object_size+0x17b/0x3e0
[   32.833695]  netlink_sendmsg+0x6c3/0xc50
[   32.837741]  ? aa_af_perm+0x230/0x230
[   32.841521]  ? nlmsg_notify+0x1f0/0x1f0
[   32.845471]  ? kernel_recvmsg+0x220/0x220
[   32.849598]  ? nlmsg_notify+0x1f0/0x1f0
[   32.853550]  sock_sendmsg+0xc3/0x120
[   32.857244]  ___sys_sendmsg+0x7bb/0x8e0
[   32.861210]  ? copy_msghdr_from_user+0x440/0x440
[   32.865944]  ? __fget+0x32f/0x510
[   32.869378]  ? lock_downgrade+0x720/0x720
[   32.873503]  ? check_preemption_disabled+0x41/0x280
[   32.878509]  ? check_preemption_disabled+0x41/0x280
[   32.883514]  ? __fget+0x356/0x510
[   32.886945]  ? do_dup2+0x450/0x450
[   32.890462]  ? lock_downgrade+0x720/0x720
[   32.894598]  ? check_preemption_disabled+0x41/0x280
[   32.899591]  ? __fdget+0x1d0/0x230
[   32.903114]  __x64_sys_sendmsg+0x132/0x220
[   32.907325]  ? __sys_sendmsg+0x1b0/0x1b0
[   32.911376]  ? __se_sys_futex+0x298/0x3b0
[   32.915507]  ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[   32.920851]  ? trace_hardirqs_off_caller+0x6e/0x210
[   32.925847]  ? do_syscall_64+0x21/0x620
[   32.929800]  do_syscall_64+0xf9/0x620
[   32.933579]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   32.938748] RIP: 0033:0x7f8761f70b09
[   32.942439] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 91 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
[   32.961314] RSP: 002b:00007f8761f1a308 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[   32.968999] RAX: ffffffffffffffda RBX: 00007f8761ff24c8 RCX: 00007f8761f70b09
[   32.976341] RDX: 0000000000000000 RSI: 0000000020000180 RDI: 0000000000000004
[   32.983600] RBP: 00007f8761ff24c0 R08: 0000000000000000 R09: 0000000000000000
[   32.990847] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f8761ff24cc
[   32.998100] R13: 00007f8761fbf370 R14: 74656e2f7665642f R15: 0000000000022000
[   33.005527]
[   33.007143] Allocated by task 8145:
[   33.010751]  __kmalloc_node+0x4c/0x70
[   33.014531]  kvmalloc_node+0xb4/0xf0
[   33.018226]  alloc_netdev_mqs+0x97/0xd50
[   33.022266]  __tun_chr_ioctl.isra.0+0x2184/0x3d00
[   33.027091]  do_vfs_ioctl+0xcdb/0x12e0
[   33.030953]  ksys_ioctl+0x9b/0xc0
[   33.034395]  __x64_sys_ioctl+0x6f/0xb0
[   33.038277]  do_syscall_64+0xf9/0x620
[   33.042057]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   33.047215]
[   33.048823] Freed by task 4678:
[   33.052087]  kfree+0xcc/0x210
[   33.055173]  devkmsg_release+0xd6/0x110
[   33.059128]  __fput+0x2ce/0x890
[   33.062405]  task_work_run+0x148/0x1c0
[   33.066267]  do_exit+0xbf3/0x2be0
[   33.069797]  do_group_exit+0x125/0x310
[   33.073747]  __x64_sys_exit_group+0x3a/0x50
[   33.078135]  do_syscall_64+0xf9/0x620
[   33.081935]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   33.087107]
[   33.088734] The buggy address belongs to the object at ffff8880a1a48680
[   33.088734]  which belongs to the cache kmalloc-16384 of size 16384
[   33.101729] The buggy address is located 168 bytes to the left of
[   33.101729]  16384-byte region [ffff8880a1a48680, ffff8880a1a4c680)
[   33.114197] The buggy address belongs to the page:
[   33.119143] page:ffffea0002869200 count:1 mapcount:0 mapping:ffff88813bff2200 index:0x0 compound_mapcount: 0
[   33.129179] flags: 0xfff00000008100(slab|head)
[   33.133756] raw: 00fff00000008100 ffffea000286fc08 ffff88813bff1c48 ffff88813bff2200
[   33.141617] raw: 0000000000000000 ffff8880a1a48680 0000000100000001 0000000000000000
[   33.149497] page dumped because: kasan: bad access detected
[   33.155179]
[   33.156782] Memory state around the buggy address:
[   33.161685]  ffff8880a1a48480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   33.169023]  ffff8880a1a48500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   33.176369] >ffff8880a1a48580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   33.183701]                                                     ^
[   33.189918]  ffff8880a1a48600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   33.197254]  ffff8880a1a48680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   33.204598] ==================================================================
[   33.211930] Disabling lock debugging due to kernel taint
[   33.220539] kasan: CONFIG_KASAN_INLINE enabled
[   33.224578] Kernel panic - not syncing: panic_on_warn set ...
[   33.224578]
[   33.225151] kasan: GPF could be caused by NULL-ptr deref or user memory access
[   33.232479] CPU: 1 PID: 8140 Comm: syz-executor177 Tainted: G    B             4.19.211-syzkaller #0
[   33.239840] general protection fault: 0000 [#1] PREEMPT SMP KASAN
[   33.249053] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   33.255293] CPU: 0 PID: 8113 Comm: syz-executor177 Tainted: G    B             4.19.211-syzkaller #0
[   33.264621] Call Trace:
[   33.273867] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   33.276524]  dump_stack+0x1fc/0x2ef
[   33.285853] RIP: 0010:unlist_netdevice+0x169/0x3e0
[   33.289450]  panic+0x26a/0x50e
[   33.294364] Code: 00 fc ff df 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 04 02 00 00 48 b8 00 00 00 00 00 fc ff df 4c 8b 63 18 4c 89 e2 48 c1 ea 03 <80> 3c 02 00 0f 85 ce 01 00 00 48 85 ed 49 89 2c 24 74 28 e8 df 12
[   33.297545]  ? __warn_printk+0xf3/0xf3
[   33.316417] RSP: 0018:ffff88809525fb30 EFLAGS: 00010246
[   33.320286]  ? preempt_schedule_common+0x45/0xc0
[   33.325616] RAX: dffffc0000000000 RBX: ffff8880a1a48680 RCX: ffffffff86747162
[   33.330360]  ? ___preempt_schedule+0x16/0x18
[   33.337601] RDX: 0000000000000000 RSI: ffffffff867471f9 RDI: ffff8880a1a48698
[   33.341988]  ? trace_hardirqs_on+0x55/0x210
[   33.349316] RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000
[   33.353630]  kasan_end_report+0x43/0x49
[   33.360867] R10: 0000000000000001 R11: 0000000000000001 R12: 0000000000000000
[   33.364821]  kasan_report_error.cold+0xa7/0x1b9
[   33.372072] R13: ffff888094e501f0 R14: ffff88809525fba0 R15: dffffc0000000000
[   33.376721]  ? netif_napi_del+0x301/0x380
[   33.383963] FS:  0000555556e9d300(0000) GS:ffff8880ba000000(0000) knlGS:0000000000000000
[   33.388106]  __asan_report_load8_noabort+0x88/0x90
[   33.396300] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   33.401210]  ? netif_napi_del+0x301/0x380
[   33.407065] CR2: 00007f8d906fd6c0 CR3: 00000000a993b000 CR4: 00000000003406f0
[   33.411191]  netif_napi_del+0x301/0x380
[   33.418433] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[   33.422396]  free_netdev+0x21f/0x410
[   33.429637] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[   33.433328]  netdev_run_todo+0x89b/0xab0
[   33.440574] Call Trace:
[   33.444630]  ? default_device_exit_batch+0x3c0/0x3c0
[   33.447183]  rollback_registered_many+0x336/0xe70
[   33.452260]  ? rtnl_newlink+0x15c0/0x15c0
[   33.457079]  ? generic_xdp_install+0x550/0x550
[   33.461288]  rtnetlink_rcv_msg+0x460/0xb80
[   33.465848]  ? do_raw_spin_unlock+0x171/0x230
[   33.470057]  ? rtnl_calcit.isra.0+0x430/0x430
[   33.474524]  ? _raw_spin_unlock+0x29/0x40
[   33.478991]  ? __netlink_lookup+0x3fc/0x730
[   33.483112]  ? __queue_work+0x5f1/0x1100
[   33.487408]  ? lock_downgrade+0x720/0x720
[   33.491457]  rollback_registered+0xe9/0x1b0
[   33.495579]  ? check_preemption_disabled+0x41/0x280
[   33.499872]  ? rollback_registered_many+0xe70/0xe70
[   33.504864]  netlink_rcv_skb+0x160/0x440
[   33.509856]  ? linkwatch_schedule_work+0x135/0x170
[   33.513897]  ? rtnl_calcit.isra.0+0x430/0x430
[   33.518886]  unregister_netdevice_queue+0x1de/0x3e0
[   33.523363]  ? netlink_ack+0xae0/0xae0
[   33.528352]  __tun_detach+0x100d/0x1320
[   33.532215]  netlink_unicast+0x4d5/0x690
[   33.536248]  ? __tun_detach+0x1320/0x1320
[   33.540283]  ? netlink_sendskb+0x110/0x110
[   33.544407]  tun_chr_close+0xd9/0x180
[   33.548615]  ? _copy_from_iter_full+0x229/0x7c0
[   33.552388]  __fput+0x2ce/0x890
[   33.557048]  ? __phys_addr_symbol+0x2c/0x70
[   33.560298]  task_work_run+0x148/0x1c0
[   33.564724]  ? __check_object_size+0x17b/0x3e0
[   33.568601]  exit_to_usermode_loop+0x251/0x2a0
[   33.573167]  netlink_sendmsg+0x6c3/0xc50
[   33.577733]  do_syscall_64+0x538/0x620
[   33.581779]  ? aa_af_perm+0x230/0x230
[   33.585643]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   33.589416]  ? nlmsg_notify+0x1f0/0x1f0
[   33.594577] RIP: 0033:0x7f8761f2a07b
[   33.598532]  ? kernel_recvmsg+0x220/0x220
[   33.602214] Code: 0f 05 48 3d 00 f0 ff ff 77 45 c3 0f 1f 40 00 48 83 ec 18 89 7c 24 0c e8 03 fd ff ff 8b 7c 24 0c 41 89 c0 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 35 44 89 c7 89 44 24 0c e8 41 fd ff ff 8b 44
[   33.606340]  ? nlmsg_notify+0x1f0/0x1f0
[   33.625210] RSP: 002b:00007ffcd0034da0 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
[   33.629202]  sock_sendmsg+0xc3/0x120
[   33.636884] RAX: 0000000000000000 RBX: 0000000000000004 RCX: 00007f8761f2a07b
[   33.640583]  ___sys_sendmsg+0x7bb/0x8e0
[   33.647821] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003
[   33.651777]  ? copy_msghdr_from_user+0x440/0x440
[   33.659017] RBP: 00007ffcd0034e60 R08: 0000000000000000 R09: 000000000000000a
[   33.663761]  ? __fget+0x32f/0x510
[   33.671003] R10: 0000000000000000 R11: 0000000000000293 R12: 00007f8761ff24dc
[   33.674437]  ? lock_downgrade+0x720/0x720
[   33.681683] R13: 0000000000000032 R14: 0000000000000008 R15: 00007ffcd0034df0
[   33.685823]  ? check_preemption_disabled+0x41/0x280
[   33.693061] Modules linked in:
[   33.698058]  ? check_preemption_disabled+0x41/0x280
[   33.701317] ---[ end trace af8f1fb470e67a0d ]---
[   33.706257]  ? __fget+0x356/0x510
[   33.706268]  ? do_dup2+0x450/0x450
[   33.706284]  ? lock_downgrade+0x720/0x720
[   33.711014] RIP: 0010:unlist_netdevice+0x169/0x3e0
[   33.714446]  ? check_preemption_disabled+0x41/0x280
[   33.714459]  ? __fdget+0x1d0/0x230
[   33.714478]  __x64_sys_sendmsg+0x132/0x220
[   33.718003] Code: 00 fc ff df 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 04 02 00 00 48 b8 00 00 00 00 00 fc ff df 4c 8b 63 18 4c 89 e2 48 c1 ea 03 <80> 3c 02 00 0f 85 ce 01 00 00 48 85 ed 49 89 2c 24 74 28 e8 df 12
[   33.722124]  ? __sys_sendmsg+0x1b0/0x1b0
[   33.727051] RSP: 0018:ffff88809525fb30 EFLAGS: 00010246
[   33.732035]  ? __se_sys_futex+0x298/0x3b0
[   33.735559] RAX: dffffc0000000000 RBX: ffff8880a1a48680 RCX: ffffffff86747162
[   33.739760]  ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[   33.758648] RDX: 0000000000000000 RSI: ffffffff867471f9 RDI: ffff8880a1a48698
[   33.762688]  ? trace_hardirqs_off_caller+0x6e/0x210
[   33.768033] RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000
[   33.772145]  ? do_syscall_64+0x21/0x620
[   33.779405] R10: 0000000000000001 R11: 0000000000000001 R12: 0000000000000000
[   33.784732]  do_syscall_64+0xf9/0x620
[   33.784753]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   33.791995] R13: ffff888094e501f0 R14: ffff88809525fba0 R15: dffffc0000000000
[   33.796984] RIP: 0033:0x7f8761f70b09
[   33.796996] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 91 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
[   33.797006] RSP: 002b:00007f8761f1a308 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[   33.804272] FS:  0000555556e9d300(0000) GS:ffff8880ba000000(0000) knlGS:0000000000000000
[   33.808206] RAX: ffffffffffffffda RBX: 00007f8761ff24c8 RCX: 00007f8761f70b09
[   33.815465] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   33.819231] RDX: 0000000000000000 RSI: 0000000020000180 RDI: 0000000000000004
[   33.824407] CR2: 00007f8d906fd6c0 CR3: 00000000a993b000 CR4: 00000000003406f0
[   33.831643] RBP: 00007f8761ff24c0 R08: 0000000000000000 R09: 0000000000000000
[   33.835347] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[   33.854201] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f8761ff24cc
[   33.854208] R13: 00007f8761fbf370 R14: 74656e2f7665642f R15: 0000000000022000
[   33.862039] Kernel Offset: disabled
[   33.930416] Rebooting in 86400 seconds..
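Reading the report above: the faulting task (PID 8140, in sendmsg(2) on an rtnetlink socket) reaches free_netdev() from netdev_run_todo() and netif_napi_del() reads 8 bytes at ffff8880a1a485d8, which is 168 bytes before a live kmalloc-16384 object that alloc_netdev_mqs() allocated for task 8145 inside the tun ioctl path; the shadow byte there is fc (slab redzone). The "Freed by task 4678" stack through devkmsg_release() is not the free of this object: the shadow row at ffff8880a1a48680 is all 00, so the object is allocated, and KASAN keeps the free track of the slot's previous occupant across reallocation. The interleaved second trace shows CPU 0 (PID 8113, in close(2)) going through tun_chr_close -> __tun_detach -> unregister_netdevice_queue and faulting in unlist_netdevice() with RBX holding the same object address ffff8880a1a48680, so two teardown paths are working on the same net_device. The following Python is an added example and not part of the syzkaller log or of the kernel tree: a small parser for 4.19-style KASAN slab reports that extracts those facts mechanically. The excerpt it runs on is a constructed subset of the report above (console timestamps kept), and the shadow-byte meanings are the generic KASAN values from 4.19's mm/kasan/kasan.h.

```python
"""KASAN slab-report triage over an excerpt of the log above (added example)."""
import re
from dataclasses import dataclass, field

GRANULE, ROW_BYTES = 8, 128   # bytes per shadow byte; bytes per printed shadow row
# Generic KASAN shadow values as defined in 4.19 mm/kasan/kasan.h.
SHADOW_NAMES = {0x00: "addressable", 0xfb: "freed slab object",
                0xfc: "slab redzone", 0xfe: "page redzone", 0xff: "freed page"}
TS = re.compile(r"^\[\s*\d+\.\d+\] ?")                    # "[   33.052087] "
FRAME = re.compile(r"^\s+\S+\+0x[0-9a-f]+/0x[0-9a-f]+$")  # " func+0xoff/0xsize"

# Constructed excerpt of the report above; console timestamps kept on purpose.
SAMPLE = """\
[   32.693441] BUG: KASAN: slab-out-of-bounds in netif_napi_del+0x301/0x380
[   32.700262] Read of size 8 at addr ffff8880a1a485d8 by task syz-executor177/8140
[   33.007143] Allocated by task 8145:
[   33.010751]  __kmalloc_node+0x4c/0x70
[   33.018226]  alloc_netdev_mqs+0x97/0xd50
[   33.022266]  __tun_chr_ioctl.isra.0+0x2184/0x3d00
[   33.047215]
[   33.048823] Freed by task 4678:
[   33.052087]  kfree+0xcc/0x210
[   33.055173]  devkmsg_release+0xd6/0x110
[   33.088734]  which belongs to the cache kmalloc-16384 of size 16384
[   33.101729]  16384-byte region [ffff8880a1a48680, ffff8880a1a4c680)
[   33.156782] Memory state around the buggy address:
[   33.176369] >ffff8880a1a48580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   33.197254]  ffff8880a1a48680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
"""

@dataclass
class KasanReport:
    bug_type: str = ""
    bug_func: str = ""
    access: str = ""
    size: int = 0
    addr: int = 0
    task: str = ""
    pid: int = 0
    cache: str = ""
    obj: tuple = (0, 0)      # [start, end) of the slab object
    alloc_pid: int = -1
    free_pid: int = -1
    alloc_stack: list = field(default_factory=list)
    free_stack: list = field(default_factory=list)
    shadow: dict = field(default_factory=dict)   # row start address -> 16 bytes

def parse_kasan_report(text: str) -> KasanReport:
    rep, stack = KasanReport(), None
    for raw in text.splitlines():
        line = TS.sub("", raw).rstrip()
        if m := re.match(r"BUG: KASAN: (\S+) in (\S+)", line):
            rep.bug_type, rep.bug_func = m[1], m[2]
        elif m := re.match(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (.+)/(\d+)$", line):
            rep.access, rep.size, rep.addr, rep.task, rep.pid = m[1], int(m[2]), int(m[3], 16), m[4], int(m[5])
        elif m := re.match(r"Allocated by task (\d+):", line):
            rep.alloc_pid, stack = int(m[1]), rep.alloc_stack
        elif m := re.match(r"Freed by task (\d+):", line):
            rep.free_pid, stack = int(m[1]), rep.free_stack
        elif m := re.match(r"\s*which belongs to the cache (\S+) of size", line):
            rep.cache = m[1]
        elif m := re.match(r"\s*\d+-byte region \[([0-9a-f]+), ([0-9a-f]+)\)", line):
            rep.obj = (int(m[1], 16), int(m[2], 16))
        elif m := re.match(r"[ >]([0-9a-f]{16}): ((?:[0-9a-f]{2} ?){16})$", line):
            rep.shadow[int(m[1], 16)] = [int(b, 16) for b in m[2].split()]
        elif stack is not None and FRAME.match(line):
            stack.append(line.strip())
        elif not line:
            stack = None   # a blank line closes the current stack section
    return rep

def shadow_value(rep: KasanReport, addr: int) -> int:
    """Shadow byte covering addr, read from the printed rows (KeyError if absent)."""
    row = addr - addr % ROW_BYTES
    return rep.shadow[row][(addr - row) // GRANULE]

def triage(rep: KasanReport) -> dict:
    """Where the access lands, what the shadow says, and whether the 'Freed by'
    stack even describes the object that was hit."""
    start, end = rep.obj
    off = rep.addr - start
    where = ("left redzone" if off < 0 else
             "inside object" if off + rep.size <= end - start else "right redzone")
    hit = shadow_value(rep, rep.addr)
    # A live object has 00 shadow at its start. KASAN keeps the previous free
    # track across reallocation, so for a live object "Freed by" refers to the
    # slot's earlier occupant, not to the object that was just accessed.
    live = shadow_value(rep, start) == 0x00
    return {"bug": f"{rep.bug_type} in {rep.bug_func}",
            "access": f"{rep.access} of {rep.size} bytes at offset {off} of a {rep.cache} object",
            "location": where, "shadow": SHADOW_NAMES.get(hit, f"0x{hit:02x}"),
            "object_live": live, "free_track_stale": live,
            "alloc_stack": rep.alloc_stack, "free_stack": rep.free_stack}

if __name__ == "__main__":
    for key, value in triage(parse_kasan_report(SAMPLE)).items():
        print(f"{key:>17}: {value}")
```

On the excerpt this reports an 8-byte read at offset -168 of a kmalloc-16384 object, landing in the slab redzone, with the object live and the devkmsg_release free track therefore stale. Feed it the whole console log rather than the excerpt and it behaves the same, since everything that is not a recognised KASAN line (the interleaved GPF, register dumps, the panic trace) is ignored.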