[ OK ] Reached target Multi-User System.
[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
[ OK ] Started Update UTMP about System Runlevel Changes.
Starting Load/Save RF Kill Switch Status...
Debian GNU/Linux 9 syzkaller ttyS0
Warning: Permanently added '10.128.0.61' (ECDSA) to the list of known hosts.
syzkaller login:
[ 63.382217][ T8474] IPVS: ftp: loaded support on port[0] = 21
[ 63.472796][ T8474] chnl_net:caif_netlink_parms(): no params data found
[ 63.525196][ T8474] bridge0: port 1(bridge_slave_0) entered blocking state
[ 63.534117][ T8474] bridge0: port 1(bridge_slave_0) entered disabled state
[ 63.543112][ T8474] device bridge_slave_0 entered promiscuous mode
[ 63.553043][ T8474] bridge0: port 2(bridge_slave_1) entered blocking state
[ 63.560134][ T8474] bridge0: port 2(bridge_slave_1) entered disabled state
[ 63.568803][ T8474] device bridge_slave_1 entered promiscuous mode
[ 63.589358][ T8474] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 63.600487][ T8474] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 63.623730][ T8474] team0: Port device team_slave_0 added
[ 63.632149][ T8474] team0: Port device team_slave_1 added
[ 63.649835][ T8474] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 63.656957][ T8474] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 63.684178][ T8474] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[ 63.697389][ T8474] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 63.705065][ T8474] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 63.731590][ T8474] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[ 63.759636][ T8474] device hsr_slave_0 entered promiscuous mode
[ 63.766757][ T8474] device hsr_slave_1 entered promiscuous mode
[ 63.867445][ T8474] netdevsim netdevsim0 netdevsim0: renamed from eth0
[ 63.877764][ T8474] netdevsim netdevsim0 netdevsim1: renamed from eth1
[ 63.893790][ T8474] netdevsim netdevsim0 netdevsim2: renamed from eth2
[ 63.906193][ T8474] netdevsim netdevsim0 netdevsim3: renamed from eth3
[ 63.931802][ T8474] bridge0: port 2(bridge_slave_1) entered blocking state
[ 63.939039][ T8474] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 63.947092][ T8474] bridge0: port 1(bridge_slave_0) entered blocking state
[ 63.954400][ T8474] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 64.002793][ T8474] 8021q: adding VLAN 0 to HW filter on device bond0
[ 64.017033][ T8156] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 64.028104][ T8156] bridge0: port 1(bridge_slave_0) entered disabled state
[ 64.037682][ T8156] bridge0: port 2(bridge_slave_1) entered disabled state
[ 64.046303][ T8156] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 64.058949][ T8474] 8021q: adding VLAN 0 to HW filter on device team0
[ 64.071243][ T42] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 64.080114][ T42] bridge0: port 1(bridge_slave_0) entered blocking state
[ 64.087330][ T42] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 64.103043][ T8156] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 64.112178][ T8156] bridge0: port 2(bridge_slave_1) entered blocking state
[ 64.119332][ T8156] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 64.142244][ T42] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 64.150833][ T42] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 64.159749][ T42] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 64.173662][ T8474] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
[ 64.185821][ T8474] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 64.196718][ T8680] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 64.204702][ T8680] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 64.224851][ T8156] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 64.232488][ T8156] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 64.246473][ T8474] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 64.265846][ T8680] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 64.287119][ T8156] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 64.296153][ T8156] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 64.305286][ T8156] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 64.317191][ T8474] device veth0_vlan entered promiscuous mode
[ 64.329434][ T8474] device veth1_vlan entered promiscuous mode
[ 64.350962][ T8680] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan0: link becomes ready
[ 64.360619][ T8680] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan1: link becomes ready
[ 64.369172][ T8680] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 64.380097][ T8474] device veth0_macvtap entered promiscuous mode
[ 64.392299][ T8474] device veth1_macvtap entered promiscuous mode
[ 64.410344][ T8474] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 64.418529][ T8156] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 64.430296][ T8156] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready
[ 64.442808][ T8474] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 64.451731][ T8680] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
executing program
[ 64.462591][ T8474] netdevsim netdevsim0 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0
[ 64.471935][ T8474] netdevsim netdevsim0 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0
[ 64.480617][ T8474] netdevsim netdevsim0 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0
[ 64.490900][ T8474] netdevsim netdevsim0 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0
[ 64.533545][ T8474] ==================================================================
[ 64.541906][ T8474] BUG: KASAN: slab-out-of-bounds in ipvlan_queue_xmit+0x1588/0x18a0
[ 64.550178][ T8474] Read of size 4 at addr ffff8881416697ff by task syz-executor069/8474
[ 64.558419][ T8474]
[ 64.560758][ T8474] CPU: 1 PID: 8474 Comm: syz-executor069 Not tainted 5.10.0-rc1-syzkaller #0
[ 64.569505][ T8474] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 64.580014][ T8474] Call Trace:
[ 64.583383][ T8474] dump_stack+0x107/0x163
[ 64.587709][ T8474] ? ipvlan_queue_xmit+0x1588/0x18a0
[ 64.592984][ T8474] ? ipvlan_queue_xmit+0x1588/0x18a0
[ 64.598278][ T8474] print_address_description.constprop.0.cold+0xae/0x4c8
[ 64.605303][ T8474] ? _raw_spin_lock_irqsave+0x4e/0x50
[ 64.610847][ T8474] ? vprintk_func+0x95/0x1e0
[ 64.615438][ T8474] ? ipvlan_queue_xmit+0x1588/0x18a0
[ 64.620721][ T8474] ? ipvlan_queue_xmit+0x1588/0x18a0
[ 64.626233][ T8474] kasan_report.cold+0x1f/0x37
[ 64.631067][ T8474] ? ipvlan_queue_xmit+0x1588/0x18a0
[ 64.636498][ T8474] ipvlan_queue_xmit+0x1588/0x18a0
[ 64.641617][ T8474] ? ipvlan_handle_mode_l3+0x140/0x140
[ 64.647228][ T8474] ? __sanitizer_cov_trace_switch+0x45/0x70
[ 64.653121][ T8474] ? lockdep_hardirqs_on_prepare+0x410/0x410
[ 64.659093][ T8474] ? skb_crc32c_csum_help+0x70/0x70
[ 64.664289][ T8474] ? validate_xmit_xfrm+0x460/0x1040
[ 64.669595][ T8474] ? netif_skb_features+0x55f/0xaa0
[ 64.674916][ T8474] ipvlan_start_xmit+0x45/0x190
[ 64.679788][ T8474] dev_direct_xmit+0x54f/0x750
[ 64.684545][ T8474] ? validate_xmit_skb_list+0x120/0x120
[ 64.690170][ T8474] ? prb_fill_curr_block+0x5d0/0x5d0
[ 64.695490][ T8474] packet_sendmsg+0x2413/0x52b0
[ 64.700497][ T8474] ? aa_sk_perm+0x316/0xaa0
[ 64.704996][ T8474] ? packet_cached_dev_get+0x250/0x250
[ 64.710440][ T8474] ? aa_af_perm+0x230/0x230
[ 64.714953][ T8474] ? find_held_lock+0x2d/0x110
[ 64.719732][ T8474] ? bpf_lsm_socket_sendmsg+0x5/0x10
[ 64.725013][ T8474] ? packet_cached_dev_get+0x250/0x250
[ 64.730459][ T8474] sock_sendmsg+0xcf/0x120
[ 64.734866][ T8474] __sys_sendto+0x21c/0x320
[ 64.739360][ T8474] ? __ia32_sys_getpeername+0xb0/0xb0
[ 64.744729][ T8474] ? packet_do_bind+0x454/0xc00
[ 64.749582][ T8474] ? __sys_bind+0x111/0x250
[ 64.754248][ T8474] ? __ia32_sys_socketpair+0xf0/0xf0
[ 64.759532][ T8474] ? __sys_socket+0x16d/0x200
[ 64.764247][ T8474] __x64_sys_sendto+0xdd/0x1b0
[ 64.769004][ T8474] ? lockdep_hardirqs_on+0x85/0x110
[ 64.774262][ T8474] ? syscall_enter_from_user_mode+0x1d/0x50
[ 64.780454][ T8474] do_syscall_64+0x2d/0x70
[ 64.785102][ T8474] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 64.791065][ T8474] RIP: 0033:0x443959
[ 64.794970][ T8474] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 eb 0d fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 64.814834][ T8474] RSP: 002b:00007fff701885c8 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
[ 64.823263][ T8474] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000443959
[ 64.831381][ T8474] RDX: 000000000000000e RSI: 0000000020000000 RDI: 0000000000000004
[ 64.839362][ T8474] RBP: 00316e616c767069 R08: 0000000000000000 R09: ffffffffffffff09
[ 64.847798][ T8474] R10: 0000000000000000 R11: 0000000000000246 R12: 00007fff701885f0
[ 64.855773][ T8474] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 64.863749][ T8474]
[ 64.866068][ T8474] Allocated by task 1:
[ 64.870207][ T8474] kasan_save_stack+0x1b/0x40
[ 64.875010][ T8474] __kasan_kmalloc.constprop.0+0xc2/0xd0
[ 64.880636][ T8474] tomoyo_realpath_from_path+0xc3/0x620
[ 64.886342][ T8474] tomoyo_path_perm+0x21b/0x400
[ 64.891201][ T8474] security_inode_getattr+0xcf/0x140
[ 64.896619][ T8474] vfs_statx+0x164/0x390
[ 64.900854][ T8474] __do_sys_newlstat+0x91/0x110
[ 64.906000][ T8474] do_syscall_64+0x2d/0x70
[ 64.910483][ T8474] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 64.916498][ T8474]
[ 64.918816][ T8474] Freed by task 1:
[ 64.922549][ T8474] kasan_save_stack+0x1b/0x40
[ 64.927260][ T8474] kasan_set_track+0x1c/0x30
[ 64.931841][ T8474] kasan_set_free_info+0x1b/0x30
[ 64.936854][ T8474] __kasan_slab_free+0x102/0x140
[ 64.941793][ T8474] slab_free_freelist_hook+0x5d/0x150
[ 64.947173][ T8474] kfree+0xdb/0x360
[ 64.951010][ T8474] tomoyo_realpath_from_path+0x191/0x620
[ 64.956733][ T8474] tomoyo_path_perm+0x21b/0x400
[ 64.961674][ T8474] security_inode_getattr+0xcf/0x140
[ 64.967265][ T8474] vfs_statx+0x164/0x390
[ 64.971518][ T8474] __do_sys_newlstat+0x91/0x110
[ 64.976502][ T8474] do_syscall_64+0x2d/0x70
[ 64.980917][ T8474] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 64.986957][ T8474]
[ 64.989344][ T8474] The buggy address belongs to the object at ffff888141668000
[ 64.989344][ T8474] which belongs to the cache kmalloc-4k of size 4096
[ 65.003631][ T8474] The buggy address is located 2047 bytes to the right of
[ 65.003631][ T8474] 4096-byte region [ffff888141668000, ffff888141669000)
[ 65.017953][ T8474] The buggy address belongs to the page:
[ 65.023869][ T8474] page:00000000a9c48326 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x141668
[ 65.034103][ T8474] head:00000000a9c48326 order:3 compound_mapcount:0 compound_pincount:0
[ 65.042696][ T8474] flags: 0x57ff00000010200(slab|head)
[ 65.048078][ T8474] raw: 057ff00000010200 dead000000000100 dead000000000122 ffff888010042140
[ 65.056871][ T8474] raw: 0000000000000000 0000000000040004 00000001ffffffff 0000000000000000
[ 65.065445][ T8474] page dumped because: kasan: bad access detected
[ 65.071865][ T8474]
[ 65.074215][ T8474] Memory state around the buggy address:
[ 65.079880][ T8474] ffff888141669680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 65.087932][ T8474] ffff888141669700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 65.096157][ T8474] >ffff888141669780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 65.104214][ T8474] ^
[ 65.112194][ T8474] ffff888141669800: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 65.120259][ T8474] ffff888141669880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 65.128308][ T8474] ==================================================================
[ 65.136396][ T8474] Disabling lock debugging due to kernel taint
[ 65.142583][ T8474] Kernel panic - not syncing: panic_on_warn set ...
[ 65.149178][ T8474] CPU: 1 PID: 8474 Comm: syz-executor069 Tainted: G B 5.10.0-rc1-syzkaller #0
[ 65.159416][ T8474] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 65.169470][ T8474] Call Trace:
[ 65.173002][ T8474] dump_stack+0x107/0x163
[ 65.177324][ T8474] ? ipvlan_queue_xmit+0x14a0/0x18a0
[ 65.182725][ T8474] panic+0x306/0x73d
[ 65.186681][ T8474] ? __warn_printk+0xf3/0xf3
[ 65.191267][ T8474] ? ipvlan_queue_xmit+0x1588/0x18a0
[ 65.196726][ T8474] ? trace_hardirqs_on+0x51/0x1c0
[ 65.201785][ T8474] ? ipvlan_queue_xmit+0x1588/0x18a0
[ 65.207060][ T8474] ? ipvlan_queue_xmit+0x1588/0x18a0
[ 65.212332][ T8474] end_report+0x58/0x5e
[ 65.216475][ T8474] kasan_report.cold+0xd/0x37
[ 65.221144][ T8474] ? ipvlan_queue_xmit+0x1588/0x18a0
[ 65.226475][ T8474] ipvlan_queue_xmit+0x1588/0x18a0
[ 65.231572][ T8474] ? ipvlan_handle_mode_l3+0x140/0x140
[ 65.237016][ T8474] ? __sanitizer_cov_trace_switch+0x45/0x70
[ 65.242931][ T8474] ? lockdep_hardirqs_on_prepare+0x410/0x410
[ 65.248896][ T8474] ? skb_crc32c_csum_help+0x70/0x70
[ 65.254131][ T8474] ? validate_xmit_xfrm+0x460/0x1040
[ 65.259495][ T8474] ? netif_skb_features+0x55f/0xaa0
[ 65.264948][ T8474] ipvlan_start_xmit+0x45/0x190
[ 65.269794][ T8474] dev_direct_xmit+0x54f/0x750
[ 65.274552][ T8474] ? validate_xmit_skb_list+0x120/0x120
[ 65.280086][ T8474] ? prb_fill_curr_block+0x5d0/0x5d0
[ 65.285361][ T8474] packet_sendmsg+0x2413/0x52b0
[ 65.290201][ T8474] ? aa_sk_perm+0x316/0xaa0
[ 65.294703][ T8474] ? packet_cached_dev_get+0x250/0x250
[ 65.300426][ T8474] ? aa_af_perm+0x230/0x230
[ 65.305088][ T8474] ? find_held_lock+0x2d/0x110
[ 65.309844][ T8474] ? bpf_lsm_socket_sendmsg+0x5/0x10
[ 65.315534][ T8474] ? packet_cached_dev_get+0x250/0x250
[ 65.320992][ T8474] sock_sendmsg+0xcf/0x120
[ 65.325549][ T8474] __sys_sendto+0x21c/0x320
[ 65.330039][ T8474] ? __ia32_sys_getpeername+0xb0/0xb0
[ 65.335711][ T8474] ? packet_do_bind+0x454/0xc00
[ 65.340554][ T8474] ? __sys_bind+0x111/0x250
[ 65.345209][ T8474] ? __ia32_sys_socketpair+0xf0/0xf0
[ 65.350490][ T8474] ? __sys_socket+0x16d/0x200
[ 65.355163][ T8474] __x64_sys_sendto+0xdd/0x1b0
[ 65.359917][ T8474] ? lockdep_hardirqs_on+0x85/0x110
[ 65.365393][ T8474] ? syscall_enter_from_user_mode+0x1d/0x50
[ 65.371278][ T8474] do_syscall_64+0x2d/0x70
[ 65.375956][ T8474] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 65.381838][ T8474] RIP: 0033:0x443959
[ 65.385738][ T8474] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 eb 0d fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 65.405659][ T8474] RSP: 002b:00007fff701885c8 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
[ 65.414185][ T8474] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000443959
[ 65.422211][ T8474] RDX: 000000000000000e RSI: 0000000020000000 RDI: 0000000000000004
[ 65.430206][ T8474] RBP: 00316e616c767069 R08: 0000000000000000 R09: ffffffffffffff09
[ 65.438168][ T8474] R10: 0000000000000000 R11: 0000000000000246 R12: 00007fff701885f0
[ 65.446128][ T8474] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 65.455010][ T8474] Kernel Offset: disabled
[ 65.459335][ T8474] Rebooting in 86400 seconds..