[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
Starting Load/Save RF Kill Switch Status...
[ OK ] Started Update UTMP about System Runlevel Changes.
[ OK ] Started Load/Save RF Kill Switch Status.
Debian GNU/Linux 9 syzkaller ttyS0
Warning: Permanently added '10.128.0.128' (ECDSA) to the list of known hosts.
syzkaller login: [ 36.416075] IPVS: ftp: loaded support on port[0] = 21
[ 36.487784] chnl_net:caif_netlink_parms(): no params data found
[ 36.546206] bridge0: port 1(bridge_slave_0) entered blocking state
[ 36.553731] bridge0: port 1(bridge_slave_0) entered disabled state
[ 36.562343] device bridge_slave_0 entered promiscuous mode
[ 36.570192] bridge0: port 2(bridge_slave_1) entered blocking state
[ 36.578440] bridge0: port 2(bridge_slave_1) entered disabled state
[ 36.586186] device bridge_slave_1 entered promiscuous mode
[ 36.604452] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 36.613558] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 36.632153] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 36.640457] team0: Port device team_slave_0 added
[ 36.647093] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 36.656390] team0: Port device team_slave_1 added
[ 36.672234] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 36.678626] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 36.706462] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[ 36.721312] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 36.727769] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 36.756783] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[ 36.768384] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[ 36.777117] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[ 36.796533] device hsr_slave_0 entered promiscuous mode
[ 36.803062] device hsr_slave_1 entered promiscuous mode
[ 36.809107] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready
[ 36.816395] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_1: link is not ready
[ 36.882836] bridge0: port 2(bridge_slave_1) entered blocking state
[ 36.889610] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 36.896849] bridge0: port 1(bridge_slave_0) entered blocking state
[ 36.904392] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 36.937101] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[ 36.947213] 8021q: adding VLAN 0 to HW filter on device bond0
[ 36.956631] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 36.965683] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 36.975033] bridge0: port 1(bridge_slave_0) entered disabled state
[ 36.982899] bridge0: port 2(bridge_slave_1) entered disabled state
[ 36.989789] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 37.002148] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready
[ 37.008503] 8021q: adding VLAN 0 to HW filter on device team0
[ 37.017701] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 37.026395] bridge0: port 1(bridge_slave_0) entered blocking state
[ 37.033437] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 37.044252] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 37.052052] bridge0: port 2(bridge_slave_1) entered blocking state
[ 37.058645] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 37.080481] hsr0: Slave A (hsr_slave_0) is not up; please bring it up to get a fully working HSR network
[ 37.091834] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
[ 37.105830] IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready
[ 37.114021] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 37.122494] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 37.130192] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 37.138769] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 37.146658] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 37.153673] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 37.166227] IPv6: ADDRCONF(NETDEV_UP): vxcan0: link is not ready
[ 37.174726] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 37.184225] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 37.196991] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 37.210369] IPv6: ADDRCONF(NETDEV_UP): veth0_virt_wifi: link is not ready
[ 37.221591] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 37.257143] IPv6: ADDRCONF(NETDEV_UP): veth0_vlan: link is not ready
[ 37.264478] IPv6: ADDRCONF(NETDEV_UP): vlan0: link is not ready
[ 37.271920] IPv6: ADDRCONF(NETDEV_UP): vlan1: link is not ready
[ 37.281432] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 37.288835] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 37.296805] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 37.305735] device veth0_vlan entered promiscuous mode
[ 37.314690] device veth1_vlan entered promiscuous mode
[ 37.320827] IPv6: ADDRCONF(NETDEV_UP): macvlan0: link is not ready
[ 37.329298] IPv6: ADDRCONF(NETDEV_UP): macvlan1: link is not ready
[ 37.342322] IPv6: ADDRCONF(NETDEV_UP): veth0_macvtap: link is not ready
[ 37.352375] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan0: link becomes ready
[ 37.359746] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan1: link becomes ready
[ 37.367792] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 37.378131] device veth0_macvtap entered promiscuous mode
[ 37.385480] IPv6: ADDRCONF(NETDEV_UP): macvtap0: link is not ready
[ 37.394000] device veth1_macvtap entered promiscuous mode
[ 37.403611] IPv6: ADDRCONF(NETDEV_UP): veth0_to_batadv: link is not ready
[ 37.412849] IPv6: ADDRCONF(NETDEV_UP): veth1_to_batadv: link is not ready
[ 37.423898] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 37.431406] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 37.441840] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready
[ 37.452236] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 37.462862] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
executing program
[ 37.558742] ==================================================================
[ 37.566418] BUG: KASAN: slab-out-of-bounds in ipvlan_queue_xmit+0x9d2/0x18e0
[ 37.573594] Read of size 4 at addr ffff888099e45a7f by task syz-executor408/8329
[ 37.581151]
[ 37.582802] CPU: 1 PID: 8329 Comm: syz-executor408 Not tainted 4.19.160-syzkaller #0
[ 37.590669] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 37.600101] Call Trace:
[ 37.602681]  dump_stack+0x1fc/0x2fe
[ 37.606295]  print_address_description.cold+0x54/0x219
[ 37.611559]  kasan_report_error.cold+0x8a/0x1c7
[ 37.616227]  ? ipvlan_queue_xmit+0x9d2/0x18e0
[ 37.620728]  __asan_report_load4_noabort+0x88/0x90
[ 37.625652]  ? __sanitizer_cov_trace_cmp4+0x20/0x20
[ 37.630661]  ? ipvlan_queue_xmit+0x9d2/0x18e0
[ 37.635145]  ipvlan_queue_xmit+0x9d2/0x18e0
[ 37.639456]  ? skb_network_protocol+0x14b/0x570
[ 37.644135]  ? ipvlan_process_multicast+0xcb0/0xcb0
[ 37.649156]  ? skb_crc32c_csum_help+0x70/0x70
[ 37.653668]  ? __alloc_skb+0x34f/0x560
[ 37.658323]  ? netif_skb_features+0x5c1/0xb30
[ 37.662909]  ? lock_downgrade+0x720/0x720
[ 37.667219]  ? __skb_gso_segment+0x720/0x720
[ 37.672107]  ? validate_xmit_xfrm+0x3dc/0xe30
[ 37.676606]  ipvlan_start_xmit+0x4f/0x190
[ 37.680884]  dev_direct_xmit+0x3f9/0x6d0
[ 37.685474]  ? validate_xmit_skb_list+0x120/0x120
[ 37.690507]  ? check_preemption_disabled+0x30/0x280
[ 37.695514]  ? dev_pick_tx_cpu_id+0xd/0x70
[ 37.699747]  packet_sendmsg+0x2474/0x6aff
[ 37.703896]  ? aa_sk_perm+0x534/0x930
[ 37.707693]  ? compat_packet_setsockopt+0x160/0x160
[ 37.712696]  ? aa_af_perm+0x230/0x230
[ 37.716485]  ? packet_do_bind+0x459/0xc00
[ 37.720619]  ? compat_packet_setsockopt+0x160/0x160
[ 37.725764]  sock_sendmsg+0xc3/0x120
[ 37.738280]  __sys_sendto+0x21a/0x320
[ 37.742170]  ? __ia32_sys_getpeername+0xb0/0xb0
[ 37.747004]  ? packet_do_bind+0x459/0xc00
[ 37.751147]  ? __sys_bind+0x111/0x250
[ 37.754942]  ? __ia32_sys_socketpair+0xf0/0xf0
[ 37.759527]  ? __sys_socket+0x16d/0x200
[ 37.764012]  ? move_addr_to_kernel+0x70/0x70
[ 37.768440]  __x64_sys_sendto+0xdd/0x1b0
[ 37.772493]  ? lockdep_hardirqs_on+0x3a8/0x5c0
[ 37.777059]  do_syscall_64+0xf9/0x620
[ 37.780854]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 37.786029] RIP: 0033:0x4441e9
[ 37.789295] Code: e8 6c 05 03 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 9b 07 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 37.808387] RSP: 002b:00007ffd06f42758 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
[ 37.816269] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00000000004441e9
[ 37.823523] RDX: 000000000000000e RSI: 0000000020000000 RDI: 0000000000000004
[ 37.830777] RBP: 00316e616c767069 R08: 0000000000000000 R09: ffffffffffffff09
[ 37.838321] R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffd06f42780
[ 37.845660] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 37.852930]
[ 37.854553] Allocated by task 1:
[ 37.857905]  kmem_cache_alloc+0x122/0x370
[ 37.862053]  getname_flags+0xce/0x590
[ 37.865835]  user_path_at_empty+0x2a/0x50
[ 37.869965]  vfs_statx+0x113/0x210
[ 37.873484]  __se_sys_newlstat+0x96/0x120
[ 37.877616]  do_syscall_64+0xf9/0x620
[ 37.881416]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 37.886688]
[ 37.888296] Freed by task 1:
[ 37.891295]  kmem_cache_free+0x7f/0x260
[ 37.895265]  putname+0xe1/0x120
[ 37.898554]  filename_lookup+0x3d0/0x5a0
[ 37.902613]  vfs_statx+0x113/0x210
[ 37.906134]  __se_sys_newlstat+0x96/0x120
[ 37.910267]  do_syscall_64+0xf9/0x620
[ 37.914050]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 37.919227]
[ 37.920838] The buggy address belongs to the object at ffff888099e44a40
[ 37.920838]  which belongs to the cache names_cache of size 4096
[ 37.933564] The buggy address is located 63 bytes to the right of
[ 37.933564]  4096-byte region [ffff888099e44a40, ffff888099e45a40)
[ 37.945952] The buggy address belongs to the page:
[ 37.950864] page:ffffea0002679100 count:1 mapcount:0 mapping:ffff88813be83e40 index:0x0 compound_mapcount: 0
[ 37.961159] flags: 0xfff00000008100(slab|head)
[ 37.965727] raw: 00fff00000008100 ffffea000267ee88 ffffea0002679308 ffff88813be83e40
[ 37.973620] raw: 0000000000000000 ffff888099e44a40 0000000100000001 0000000000000000
[ 37.981481] page dumped because: kasan: bad access detected
[ 37.987167]
[ 37.988772] Memory state around the buggy address:
[ 37.993682]  ffff888099e45900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 38.001020]  ffff888099e45980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 38.008360] >ffff888099e45a00: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 38.015697]                                                                 ^
[ 38.022962]  ffff888099e45a80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 38.030312]  ffff888099e45b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 38.037677] ==================================================================
[ 38.045041] Disabling lock debugging due to kernel taint
[ 38.050568] Kernel panic - not syncing: panic_on_warn set ...
[ 38.050568]
[ 38.057939] CPU: 1 PID: 8329 Comm: syz-executor408 Tainted: G B 4.19.160-syzkaller #0
[ 38.067390] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 38.076743] Call Trace:
[ 38.079341]  dump_stack+0x1fc/0x2fe
[ 38.082977]  panic+0x26a/0x50e
[ 38.086206]  ? __warn_printk+0xf3/0xf3
[ 38.090096]  ? trace_hardirqs_on+0x55/0x210
[ 38.094397]  kasan_end_report+0x43/0x49
[ 38.098377]  kasan_report_error.cold+0xa7/0x1c7
[ 38.103036]  ? ipvlan_queue_xmit+0x9d2/0x18e0
[ 38.107522]  __asan_report_load4_noabort+0x88/0x90
[ 38.112568]  ? __sanitizer_cov_trace_cmp4+0x20/0x20
[ 38.117576]  ? ipvlan_queue_xmit+0x9d2/0x18e0
[ 38.122245]  ipvlan_queue_xmit+0x9d2/0x18e0
[ 38.126825]  ? skb_network_protocol+0x14b/0x570
[ 38.131567]  ? ipvlan_process_multicast+0xcb0/0xcb0
[ 38.136592]  ? skb_crc32c_csum_help+0x70/0x70
[ 38.141547]  ? __alloc_skb+0x34f/0x560
[ 38.145547]  ? netif_skb_features+0x5c1/0xb30
[ 38.150033]  ? lock_downgrade+0x720/0x720
[ 38.154195]  ? __skb_gso_segment+0x720/0x720
[ 38.158590]  ? validate_xmit_xfrm+0x3dc/0xe30
[ 38.163089]  ipvlan_start_xmit+0x4f/0x190
[ 38.167221]  dev_direct_xmit+0x3f9/0x6d0
[ 38.171714]  ? validate_xmit_skb_list+0x120/0x120
[ 38.176550]  ? check_preemption_disabled+0x30/0x280
[ 38.181558]  ? dev_pick_tx_cpu_id+0xd/0x70
[ 38.185780]  packet_sendmsg+0x2474/0x6aff
[ 38.189933]  ? aa_sk_perm+0x534/0x930
[ 38.193734]  ? compat_packet_setsockopt+0x160/0x160
[ 38.198753]  ? aa_af_perm+0x230/0x230
[ 38.202569]  ? packet_do_bind+0x459/0xc00
[ 38.206701]  ? compat_packet_setsockopt+0x160/0x160
[ 38.211716]  sock_sendmsg+0xc3/0x120
[ 38.215418]  __sys_sendto+0x21a/0x320
[ 38.219337]  ? __ia32_sys_getpeername+0xb0/0xb0
[ 38.224000]  ? packet_do_bind+0x459/0xc00
[ 38.228159]  ? __sys_bind+0x111/0x250
[ 38.231959]  ? __ia32_sys_socketpair+0xf0/0xf0
[ 38.236541]  ? __sys_socket+0x16d/0x200
[ 38.240504]  ? move_addr_to_kernel+0x70/0x70
[ 38.244900]  __x64_sys_sendto+0xdd/0x1b0
[ 38.248951]  ? lockdep_hardirqs_on+0x3a8/0x5c0
[ 38.253529]  do_syscall_64+0xf9/0x620
[ 38.257312]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 38.262481] RIP: 0033:0x4441e9
[ 38.265682] Code: e8 6c 05 03 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 9b 07 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 38.284760] RSP: 002b:00007ffd06f42758 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
[ 38.292457] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00000000004441e9
[ 38.299962] RDX: 000000000000000e RSI: 0000000020000000 RDI: 0000000000000004
[ 38.307334] RBP: 00316e616c767069 R08: 0000000000000000 R09: ffffffffffffff09
[ 38.314624] R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffd06f42780
[ 38.321885] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 38.329442] Kernel Offset: disabled
[ 38.333057] Rebooting in 86400 seconds..