[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
[ OK ] Started Update UTMP about System Runlevel Changes.
Starting Load/Save RF Kill Switch Status...
[ OK ] Started Load/Save RF Kill Switch Status.
Debian GNU/Linux 9 syzkaller ttyS0
Warning: Permanently added '10.128.0.202' (ECDSA) to the list of known hosts.
syzkaller login: [ 35.489114] IPVS: ftp: loaded support on port[0] = 21
executing program
[ 35.576110] netlink: 20 bytes leftover after parsing attributes in process `syz-executor266'.
[ 35.640593] ==================================================================
[ 35.648040] BUG: KASAN: slab-out-of-bounds in netif_napi_del+0x301/0x380
[ 35.654866] Read of size 8 at addr ffff888095f305d8 by task syz-executor266/8112
[ 35.662385]
[ 35.664000] CPU: 1 PID: 8112 Comm: syz-executor266 Not tainted 4.19.211-syzkaller #0
[ 35.671858] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 35.681194] Call Trace:
[ 35.683786] dump_stack+0x1fc/0x2ef
[ 35.687428] print_address_description.cold+0x54/0x219
[ 35.692721] kasan_report_error.cold+0x8a/0x1b9
[ 35.697374] ? netif_napi_del+0x301/0x380
[ 35.701527] __asan_report_load8_noabort+0x88/0x90
[ 35.706441] ? netif_napi_del+0x301/0x380
[ 35.710578] netif_napi_del+0x301/0x380
[ 35.714546] free_netdev+0x21f/0x410
[ 35.718268] netdev_run_todo+0x89b/0xab0
[ 35.722425] ? default_device_exit_batch+0x3c0/0x3c0
[ 35.727514] ? rtnl_newlink+0x15c0/0x15c0
[ 35.731645] rtnetlink_rcv_msg+0x460/0xb80
[ 35.735866] ? rtnl_calcit.isra.0+0x430/0x430
[ 35.740345] ? __netlink_lookup+0x3fc/0x730
[ 35.744656] ? lock_downgrade+0x720/0x720
[ 35.748794] ? check_preemption_disabled+0x41/0x280
[ 35.753802] netlink_rcv_skb+0x160/0x440
[ 35.757854] ? rtnl_calcit.isra.0+0x430/0x430
[ 35.762344] ? netlink_ack+0xae0/0xae0
[ 35.766229] netlink_unicast+0x4d5/0x690
[ 35.770280] ? netlink_sendskb+0x110/0x110
[ 35.774501] ? _copy_from_iter_full+0x229/0x7c0
[ 35.779225] ? __phys_addr_symbol+0x2c/0x70
[ 35.783564] ? __check_object_size+0x17b/0x3e0
[ 35.788146] netlink_sendmsg+0x6c3/0xc50
[ 35.792225] ? aa_af_perm+0x230/0x230
[ 35.796034] ? nlmsg_notify+0x1f0/0x1f0
[ 35.799989] ? kernel_recvmsg+0x220/0x220
[ 35.804126] ? nlmsg_notify+0x1f0/0x1f0
[ 35.809647] sock_sendmsg+0xc3/0x120
[ 35.813344] ___sys_sendmsg+0x7bb/0x8e0
[ 35.817315] ? copy_msghdr_from_user+0x440/0x440
[ 35.822072] ? __fget+0x32f/0x510
[ 35.825513] ? lock_downgrade+0x720/0x720
[ 35.829663] ? check_preemption_disabled+0x41/0x280
[ 35.834666] ? check_preemption_disabled+0x41/0x280
[ 35.839671] ? __fget+0x356/0x510
[ 35.843106] ? do_dup2+0x450/0x450
[ 35.846629] ? lock_downgrade+0x720/0x720
[ 35.850775] ? check_preemption_disabled+0x41/0x280
[ 35.855777] ? __fdget+0x1d0/0x230
[ 35.859300] __x64_sys_sendmsg+0x132/0x220
[ 35.863518] ? __sys_sendmsg+0x1b0/0x1b0
[ 35.867563] ? __se_sys_futex+0x298/0x3b0
[ 35.871710] ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[ 35.877080] ? trace_hardirqs_off_caller+0x6e/0x210
[ 35.882080] ? do_syscall_64+0x21/0x620
[ 35.886036] do_syscall_64+0xf9/0x620
[ 35.889854] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 35.895026] RIP: 0033:0x7f76c2ef8da9
[ 35.898720] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 71 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
[ 35.917606] RSP: 002b:00007f76c2eaa308 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 35.925569] RAX: ffffffffffffffda RBX: 00007f76c2f82428 RCX: 00007f76c2ef8da9
[ 35.932834] RDX: 0000000000000000 RSI: 0000000020000180 RDI: 0000000000000004
[ 35.940086] RBP: 00007f76c2f82420 R08: 0000000000000000 R09: 0000000000000000
[ 35.947336] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f76c2f8242c
[ 35.954589] R13: 00007f76c2f4f174 R14: 74656e2f7665642f R15: 0000000000022000
[ 35.961851]
[ 35.963484] Allocated by task 8117:
[ 35.967103] __kmalloc_node+0x4c/0x70
[ 35.970886] kvmalloc_node+0xb4/0xf0
[ 35.974592] alloc_netdev_mqs+0x97/0xd50
[ 35.978637] __tun_chr_ioctl.isra.0+0x2184/0x3d00
[ 35.983474] do_vfs_ioctl+0xcdb/0x12e0
[ 35.987353] ksys_ioctl+0x9b/0xc0
[ 35.990834] __x64_sys_ioctl+0x6f/0xb0
[ 35.994725] do_syscall_64+0xf9/0x620
[ 35.998534] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 36.003716]
[ 36.005324] Freed by task 0:
[ 36.008322] (stack is not available)
[ 36.012016]
[ 36.013628] The buggy address belongs to the object at ffff888095f30680
[ 36.013628] which belongs to the cache kmalloc-16384 of size 16384
[ 36.026616] The buggy address is located 168 bytes to the left of
[ 36.026616] 16384-byte region [ffff888095f30680, ffff888095f34680)
[ 36.039078] The buggy address belongs to the page:
[ 36.043992] page:ffffea000257cc00 count:1 mapcount:0 mapping:ffff88813bff2200 index:0x0 compound_mapcount: 0
[ 36.054026] flags: 0xfff00000008100(slab|head)
[ 36.058613] raw: 00fff00000008100 ffffea000255ea08 ffff88813bff1c48 ffff88813bff2200
[ 36.066479] raw: 0000000000000000 ffff888095f30680 0000000100000001 0000000000000000
[ 36.074355] page dumped because: kasan: bad access detected
[ 36.080126]
[ 36.081749] Memory state around the buggy address:
[ 36.086657] ffff888095f30480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 36.093999] ffff888095f30500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 36.101362] >ffff888095f30580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 36.108718] ^
[ 36.115023] ffff888095f30600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 36.122378] ffff888095f30680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 36.129716] ==================================================================
[ 36.137051] Disabling lock debugging due to kernel taint
[ 36.146468] kasan: CONFIG_KASAN_INLINE enabled
[ 36.149802] Kernel panic - not syncing: panic_on_warn set ...
[ 36.149802]
[ 36.151081] kasan: GPF could be caused by NULL-ptr deref or user memory access
[ 36.158423] CPU: 1 PID: 8112 Comm: syz-executor266 Tainted: G B 4.19.211-syzkaller #0
[ 36.165805] general protection fault: 0000 [#1] PREEMPT SMP KASAN
[ 36.175018] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 36.181319] CPU: 0 PID: 8111 Comm: syz-executor266 Tainted: G B 4.19.211-syzkaller #0
[ 36.190645] Call Trace:
[ 36.199893] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 36.202466] dump_stack+0x1fc/0x2ef
[ 36.211799] RIP: 0010:unlist_netdevice+0x169/0x3e0
[ 36.215402] panic+0x26a/0x50e
[ 36.220314] Code: 00 fc ff df 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 04 02 00 00 48 b8 00 00 00 00 00 fc ff df 4c 8b 63 18 4c 89 e2 48 c1 ea 03 <80> 3c 02 00 0f 85 ce 01 00 00 48 85 ed 49 89 2c 24 74 28 e8 df 12
[ 36.223495] ? __warn_printk+0xf3/0xf3
[ 36.242371] RSP: 0018:ffff8880a8937b30 EFLAGS: 00010246
[ 36.246243] ? preempt_schedule_common+0x45/0xc0
[ 36.251580] RAX: dffffc0000000000 RBX: ffff888095f30680 RCX: ffffffff86747162
[ 36.256332] ? ___preempt_schedule+0x16/0x18
[ 36.263575] RDX: 0000000000000000 RSI: ffffffff867471f9 RDI: ffff888095f30698
[ 36.267964] ? trace_hardirqs_on+0x55/0x210
[ 36.275212] RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000
[ 36.279533] kasan_end_report+0x43/0x49
[ 36.286860] R10: 0000000000000001 R11: 0000000000000001 R12: 0000000000000000
[ 36.290830] kasan_report_error.cold+0xa7/0x1b9
[ 36.298066] R13: ffff888093f4c1f0 R14: ffff8880a8937ba0 R15: dffffc0000000000
[ 36.298079] FS: 0000555556021300(0000) GS:ffff8880ba000000(0000) knlGS:0000000000000000
[ 36.302727] ? netif_napi_del+0x301/0x380
[ 36.309970] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 36.318181] __asan_report_load8_noabort+0x88/0x90
[ 36.322315] CR2: 00007fdfd003a0e8 CR3: 000000009aebc000 CR4: 00000000003406f0
[ 36.328187] ? netif_napi_del+0x301/0x380
[ 36.333101] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 36.340354] netif_napi_del+0x301/0x380
[ 36.344476] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 36.351727] free_netdev+0x21f/0x410
[ 36.355672] Call Trace:
[ 36.362933] netdev_run_todo+0x89b/0xab0
[ 36.366625] rollback_registered_many+0x336/0xe70
[ 36.369189] ? default_device_exit_batch+0x3c0/0x3c0
[ 36.373247] ? generic_xdp_install+0x550/0x550
[ 36.378069] ? rtnl_newlink+0x15c0/0x15c0
[ 36.383149] ? do_raw_spin_unlock+0x171/0x230
[ 36.387710] rtnetlink_rcv_msg+0x460/0xb80
[ 36.391852] ? _raw_spin_unlock+0x29/0x40
[ 36.396323] ? rtnl_calcit.isra.0+0x430/0x430
[ 36.400538] ? __queue_work+0x5f1/0x1100
[ 36.404663] ? __netlink_lookup+0x3fc/0x730
[ 36.409140] rollback_registered+0xe9/0x1b0
[ 36.413174] ? lock_downgrade+0x720/0x720
[ 36.417478] ? rollback_registered_many+0xe70/0xe70
[ 36.421778] ? check_preemption_disabled+0x41/0x280
[ 36.425904] ? linkwatch_schedule_work+0x135/0x170
[ 36.430892] netlink_rcv_skb+0x160/0x440
[ 36.435887] unregister_netdevice_queue+0x1de/0x3e0
[ 36.440800] ? rtnl_calcit.isra.0+0x430/0x430
[ 36.444852] __tun_detach+0x100d/0x1320
[ 36.449844] ? netlink_ack+0xae0/0xae0
[ 36.454409] ? __tun_detach+0x1320/0x1320
[ 36.458361] netlink_unicast+0x4d5/0x690
[ 36.462225] tun_chr_close+0xd9/0x180
[ 36.466350] ? netlink_sendskb+0x110/0x110
[ 36.470387] __fput+0x2ce/0x890
[ 36.474162] ? _copy_from_iter_full+0x229/0x7c0
[ 36.478421] task_work_run+0x148/0x1c0
[ 36.481682] ? __phys_addr_symbol+0x2c/0x70
[ 36.486324] exit_to_usermode_loop+0x251/0x2a0
[ 36.490190] ? __check_object_size+0x17b/0x3e0
[ 36.494484] do_syscall_64+0x538/0x620
[ 36.499043] netlink_sendmsg+0x6c3/0xc50
[ 36.503604] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 36.507463] ? aa_af_perm+0x230/0x230
[ 36.511498] RIP: 0033:0x7f76c2eb9bdb
[ 36.516665] ? nlmsg_notify+0x1f0/0x1f0
[ 36.520528] Code: 0f 05 48 3d 00 f0 ff ff 77 45 c3 0f 1f 40 00 48 83 ec 18 89 7c 24 0c e8 03 fd ff ff 8b 7c 24 0c 41 89 c0 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 35 44 89 c7 89 44 24 0c e8 41 fd ff ff 8b 44
[ 36.524222] ? kernel_recvmsg+0x220/0x220
[ 36.528191] RSP: 002b:00007ffd24720160 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
[ 36.547254] ? nlmsg_notify+0x1f0/0x1f0
[ 36.551388] RAX: 0000000000000000 RBX: 0000000000000004 RCX: 00007f76c2eb9bdb
[ 36.559077] sock_sendmsg+0xc3/0x120
[ 36.563022] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003
[ 36.570794] ___sys_sendmsg+0x7bb/0x8e0
[ 36.574493] RBP: 0000000000000008 R08: 0000000000000000 R09: 0000000000000064
[ 36.581747] ? copy_msghdr_from_user+0x440/0x440
[ 36.585694] R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000008b25
[ 36.592950] ? __fget+0x32f/0x510
[ 36.597680] R13: 00007f76c2f8243c R14: 00007ffd247201c0 R15: 00007f76c2f82420
[ 36.604948] ? lock_downgrade+0x720/0x720
[ 36.608370] Modules linked in:
[ 36.615630] ? check_preemption_disabled+0x41/0x280
[ 36.619789] ---[ end trace 340a29ada3046312 ]---
[ 36.622947] ? check_preemption_disabled+0x41/0x280
[ 36.627957] RIP: 0010:unlist_netdevice+0x169/0x3e0
[ 36.632697] ? __fget+0x356/0x510
[ 36.632709] ? do_dup2+0x450/0x450
[ 36.632725] ? lock_downgrade+0x720/0x720
[ 36.637718] Code: 00 fc ff df 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 04 02 00 00 48 b8 00 00 00 00 00 fc ff df 4c 8b 63 18 4c 89 e2 48 c1 ea 03 <80> 3c 02 00 0f 85 ce 01 00 00 48 85 ed 49 89 2c 24 74 28 e8 df 12
[ 36.642636] ? check_preemption_disabled+0x41/0x280
[ 36.642648] ? __fdget+0x1d0/0x230
[ 36.642666] __x64_sys_sendmsg+0x132/0x220
[ 36.646090] RSP: 0018:ffff8880a8937b30 EFLAGS: 00010246
[ 36.649631] ? __sys_sendmsg+0x1b0/0x1b0
[ 36.649645] ? __se_sys_futex+0x298/0x3b0
[ 36.649664] ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[ 36.653802] RAX: dffffc0000000000 RBX: ffff888095f30680 RCX: ffffffff86747162
[ 36.672892] ? trace_hardirqs_off_caller+0x6e/0x210
[ 36.672904] ? do_syscall_64+0x21/0x620
[ 36.672915] do_syscall_64+0xf9/0x620
[ 36.672934] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 36.677929] RDX: 0000000000000000 RSI: ffffffff867471f9 RDI: ffff888095f30698
[ 36.681456] RIP: 0033:0x7f76c2ef8da9
[ 36.681467] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 71 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
[ 36.681473] RSP: 002b:00007f76c2eaa308 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 36.681483] RAX: ffffffffffffffda RBX: 00007f76c2f82428 RCX: 00007f76c2ef8da9
[ 36.681494] RDX: 0000000000000000 RSI: 0000000020000180 RDI: 0000000000000004
[ 36.685721] RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000
[ 36.691059] RBP: 00007f76c2f82420 R08: 0000000000000000 R09: 0000000000000000
[ 36.691065] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f76c2f8242c
[ 36.691081] R13: 00007f76c2f4f174 R14: 74656e2f7665642f R15: 0000000000022000
[ 36.695333] Kernel Offset: disabled
[ 36.814993] Rebooting in 86400 seconds..