[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
[ OK ] Started Update UTMP about System Runlevel Changes.
Starting Load/Save RF Kill Switch Status...
[ OK ] Started Load/Save RF Kill Switch Status.
Debian GNU/Linux 9 syzkaller ttyS0
Warning: Permanently added '10.128.15.205' (ECDSA) to the list of known hosts.
syzkaller login: [ 41.743807] audit: type=1400 audit(1592289405.690:8): avc: denied { execmem } for pid=6461 comm="syz-executor577" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=1
[ 41.767270] IPVS: ftp: loaded support on port[0] = 21
[ 41.840483] chnl_net:caif_netlink_parms(): no params data found
[ 41.959102] bridge0: port 1(bridge_slave_0) entered blocking state
[ 41.966081] bridge0: port 1(bridge_slave_0) entered disabled state
[ 41.973114] device bridge_slave_0 entered promiscuous mode
[ 41.982078] bridge0: port 2(bridge_slave_1) entered blocking state
[ 41.988714] bridge0: port 2(bridge_slave_1) entered disabled state
[ 41.996257] device bridge_slave_1 entered promiscuous mode
[ 42.014370] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 42.023111] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 42.041819] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 42.049298] team0: Port device team_slave_0 added
[ 42.055275] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 42.062490] team0: Port device team_slave_1 added
[ 42.079434] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 42.085823] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 42.111098] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[ 42.122575] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 42.128993] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 42.154231] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[ 42.165239] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[ 42.172627] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[ 42.226868] device hsr_slave_0 entered promiscuous mode
[ 42.264076] device hsr_slave_1 entered promiscuous mode
[ 42.324438] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready
[ 42.333161] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_1: link is not ready
[ 42.403601] bridge0: port 2(bridge_slave_1) entered blocking state
[ 42.410096] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 42.416977] bridge0: port 1(bridge_slave_0) entered blocking state
[ 42.423389] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 42.456330] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[ 42.462496] 8021q: adding VLAN 0 to HW filter on device bond0
[ 42.471979] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 42.481274] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 42.500221] bridge0: port 1(bridge_slave_0) entered disabled state
[ 42.507486] bridge0: port 2(bridge_slave_1) entered disabled state
[ 42.515418] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 42.526233] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready
[ 42.532348] 8021q: adding VLAN 0 to HW filter on device team0
[ 42.545979] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 42.553510] bridge0: port 1(bridge_slave_0) entered blocking state
[ 42.559917] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 42.567104] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 42.574868] bridge0: port 2(bridge_slave_1) entered blocking state
[ 42.581225] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 42.596688] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 42.604458] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 42.616430] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 42.629553] hsr0: Slave A (hsr_slave_0) is not up; please bring it up to get a fully working HSR network
[ 42.640112] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
[ 42.651215] IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready
[ 42.659332] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 42.666983] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 42.675682] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 42.688174] IPv6: ADDRCONF(NETDEV_UP): vxcan0: link is not ready
[ 42.696021] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 42.702650] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 42.716317] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 42.728869] IPv6: ADDRCONF(NETDEV_UP): veth0_virt_wifi: link is not ready
[ 42.739053] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 42.771806] IPv6: ADDRCONF(NETDEV_UP): veth0_vlan: link is not ready
[ 42.779665] IPv6: ADDRCONF(NETDEV_UP): vlan0: link is not ready
[ 42.786523] IPv6: ADDRCONF(NETDEV_UP): vlan1: link is not ready
[ 42.796192] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 42.804143] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 42.811123] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 42.820541] device veth0_vlan entered promiscuous mode
[ 42.829790] device veth1_vlan entered promiscuous mode
[ 42.843480] IPv6: ADDRCONF(NETDEV_UP): veth0_macvtap: link is not ready
[ 42.852812] IPv6: ADDRCONF(NETDEV_UP): veth1_macvtap: link is not ready
[ 42.861110] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_macvtap: link becomes ready
[ 42.870129] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 42.879810] device veth0_macvtap entered promiscuous mode
[ 42.886444] IPv6: ADDRCONF(NETDEV_UP): macvtap0: link is not ready
[ 42.894899] device veth1_macvtap entered promiscuous mode
[ 42.901032] IPv6: ADDRCONF(NETDEV_UP): macsec0: link is not ready
[ 42.909881] IPv6: ADDRCONF(NETDEV_UP): veth0_to_batadv: link is not ready
[ 42.919923] IPv6: ADDRCONF(NETDEV_UP): veth1_to_batadv: link is not ready
[ 42.929174] IPv6: ADDRCONF(NETDEV_UP): batadv_slave_0: link is not ready
[ 42.936487] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 42.943188] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready
[ 42.950852] IPv6: ADDRCONF(NETDEV_CHANGE): macsec0: link becomes ready
[ 42.958093] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready
[ 42.966065] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 42.977026] IPv6: ADDRCONF(NETDEV_UP): batadv_slave_1: link is not ready
[ 42.984424] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 42.990952] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready
[ 42.999730] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
executing program
[ 43.095938] TCP: request_sock_TCPv6: Possible SYN flooding on port 20002. Sending cookies. Check SNMP counters.
[ 43.126743] FAULT_INJECTION: forcing a failure.
[ 43.126743] name failslab, interval 1, probability 0, space 0, times 1
[ 43.139345] CPU: 1 PID: 6684 Comm: syz-executor577 Not tainted 4.19.128-syzkaller #0
[ 43.147214] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 43.156548] Call Trace:
[ 43.159123] dump_stack+0x1fc/0x2fe
[ 43.162731] should_fail.cold+0xa/0x14
[ 43.166600] ? setup_fault_attr+0x200/0x200
[ 43.170904] ? __bpf_address_lookup+0x2f0/0x2f0
[ 43.175569] ? check_preemption_disabled+0x41/0x280
[ 43.180584] ? depot_save_stack+0x1d6/0x444
[ 43.184892] __should_failslab+0x115/0x180
[ 43.189108] should_failslab+0x5/0xf
[ 43.192802] __kmalloc+0x6d/0x3c0
[ 43.196238] ? gcmaes_encrypt.constprop.0+0x6bf/0xd90
[ 43.201417] ? mark_held_locks+0xa6/0xf0
[ 43.205469] gcmaes_encrypt.constprop.0+0x6bf/0xd90
[ 43.210529] ? lockdep_hardirqs_on+0x3a8/0x5c0
[ 43.215107] ? _raw_spin_unlock_irqrestore+0x66/0xe0
[ 43.220206] ? gcmaes_crypt_by_sg.constprop.0+0x1730/0x1730
[ 43.225904] ? __kmalloc+0x15a/0x3c0
[ 43.229600] ? tls_push_record+0xff/0x13b0
[ 43.233826] ? tls_sw_sendmsg+0xd00/0x1150
[ 43.238057] ? inet_sendmsg+0x12e/0x590
[ 43.242021] ? sock_sendmsg+0xc3/0x120
[ 43.245890] ? __sys_sendto+0x21a/0x330
[ 43.249852] ? __x64_sys_sendto+0xdd/0x1b0
[ 43.254077] ? do_syscall_64+0xf9/0x620
[ 43.258053] ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 43.263453] ? mark_held_locks+0xf0/0xf0
[ 43.267511] ? mark_held_locks+0xf0/0xf0
[ 43.271559] ? mark_held_locks+0xa6/0xf0
[ 43.275612] ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 43.280439] ? lockdep_hardirqs_on+0x3a8/0x5c0
[ 43.285068] ? generic_gcmaes_encrypt+0x108/0x160
[ 43.289897] ? generic_gcmaes_encrypt+0x108/0x160
[ 43.294730] ? helper_rfc4106_encrypt+0x390/0x390
[ 43.299563] ? gcmaes_wrapper_encrypt+0x157/0x1f0
[ 43.304454] ? tls_push_record+0x998/0x13b0
[ 43.309200] ? __check_object_size+0x17b/0x421
[ 43.313780] ? tls_sw_sendmsg+0xd00/0x1150
[ 43.318041] ? tls_sw_push_pending_record+0x30/0x30
[ 43.323113] ? get_pid_task+0xf4/0x190
[ 43.326993] ? proc_fail_nth_write+0x95/0x1d0
[ 43.331475] ? proc_tid_io_accounting+0x20/0x20
[ 43.336135] ? inet_sendmsg+0x12e/0x590
[ 43.340094] ? inet_recvmsg+0x5b0/0x5b0
[ 43.344056] ? sock_sendmsg+0xc3/0x120
[ 43.347941] ? __sys_sendto+0x21a/0x330
[ 43.351937] ? __ia32_sys_getpeername+0xb0/0xb0
[ 43.356596] ? lock_downgrade+0x740/0x740
[ 43.360734] ? check_preemption_disabled+0x41/0x280
[ 43.365762] ? wait_for_completion_io+0x10/0x10
[ 43.370463] ? vfs_write+0x393/0x540
[ 43.374199] ? fput+0x2b/0x190
[ 43.377386] ? ksys_write+0x1c8/0x2a0
[ 43.381168] ? __ia32_sys_read+0xb0/0xb0
[ 43.385278] ? __x64_sys_sendto+0xdd/0x1b0
[ 43.389498] ? lockdep_hardirqs_on+0x3a8/0x5c0
[ 43.394075] ? do_syscall_64+0xf9/0x620
[ 43.398072] ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 43.474987] ==================================================================
[ 43.482463] BUG: KASAN: use-after-free in tls_push_record+0x103a/0x13b0
[ 43.489241] Write of size 1 at addr ffff888085ad0000 by task syz-executor577/6684
[ 43.496868]
[ 43.498484] CPU: 1 PID: 6684 Comm: syz-executor577 Not tainted 4.19.128-syzkaller #0
[ 43.506357] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 43.515690] Call Trace:
[ 43.518263] dump_stack+0x1fc/0x2fe
[ 43.521875] ? tls_push_record+0x103a/0x13b0
[ 43.526264] print_address_description.cold+0x54/0x222
[ 43.531522] ? tls_push_record+0x103a/0x13b0
[ 43.535946] kasan_report.cold+0x88/0x2b9
[ 43.540075] tls_push_record+0x103a/0x13b0
[ 43.544297] ? mark_held_locks+0xa6/0xf0
[ 43.548372] ? __local_bh_enable_ip+0x159/0x250
[ 43.553022] tls_push_pending_closed_record+0xd1/0x100
[ 43.558282] tls_sk_proto_close+0x7ad/0xb30
[ 43.562585] ? tcp_check_oom+0x520/0x520
[ 43.566630] ? _raw_spin_unlock_irqrestore+0x66/0xe0
[ 43.571731] ? tls_write_space+0x2f0/0x2f0
[ 43.575954] ? ip_mc_drop_socket+0x16/0x260
[ 43.580261] inet_release+0xd7/0x1e0
[ 43.583979] inet6_release+0x4c/0x70
[ 43.587673] __sock_release+0xcd/0x2a0
[ 43.591547] ? __sock_release+0x2a0/0x2a0
[ 43.595679] sock_close+0x15/0x20
[ 43.599129] __fput+0x2cd/0x890
[ 43.602393] task_work_run+0x13f/0x1b0
[ 43.606263] do_exit+0xbcb/0x2f00
[ 43.609699] ? tls_sw_sendmsg+0xbd5/0x1150
[ 43.613927] ? mm_update_next_owner+0x650/0x650
[ 43.618601] ? get_signal+0x38b/0x1f30
[ 43.622470] ? lock_downgrade+0x740/0x740
[ 43.626596] ? lock_acquire+0x170/0x3c0
[ 43.630555] ? check_preemption_disabled+0x41/0x280
[ 43.635557] do_group_exit+0x125/0x310
[ 43.639426] get_signal+0x3f5/0x1f30
[ 43.643146] ? inet_sendmsg+0x136/0x590
[ 43.647103] ? inet_recvmsg+0x5b0/0x5b0
[ 43.651061] do_signal+0x8f/0x1620
[ 43.654599] ? __ia32_sys_getpeername+0xb0/0xb0
[ 43.659258] ? lock_downgrade+0x740/0x740
[ 43.663410] ? setup_sigcontext+0x820/0x820
[ 43.667714] ? check_preemption_disabled+0x41/0x280
[ 43.672726] ? wait_for_completion_io+0x10/0x10
[ 43.677394] ? vfs_write+0x393/0x540
[ 43.681088] ? fput+0x2b/0x190
[ 43.684261] ? ksys_write+0x1c8/0x2a0
[ 43.688045] ? exit_to_usermode_loop+0x36/0x2a0
[ 43.692697] exit_to_usermode_loop+0x204/0x2a0
[ 43.697265] do_syscall_64+0x538/0x620
[ 43.701133] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 43.706300] RIP: 0033:0x449319
[ 43.709481] Code: Bad RIP value.
[ 43.712824] RSP: 002b:00007f19588e9ca8 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
[ 43.720534] RAX: 0000000000004000 RBX: 00007f19588e9cc0 RCX: 0000000000449319
[ 43.727785] RDX: 00000000e0ffffff RSI: 00000000200005c0 RDI: 0000000000000003
[ 43.742779] RBP: 0000000000000006 R08: 0000000000000000 R09: 00000000000000d8
[ 43.750047] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dfc4c
[ 43.757300] R13: 00007ffc970c403f R14: 00007f19588ea9c0 R15: 00000000006dfc4c
[ 43.764557]
[ 43.766159] The buggy address belongs to the page:
[ 43.771069] page:ffffea000216b400 count:0 mapcount:-128 mapping:0000000000000000 index:0x0
[ 43.779898] flags: 0xfffe0000000000()
[ 43.783711] raw: 00fffe0000000000 ffffea000222a008 ffffea0002210408 0000000000000000
[ 43.791572] raw: 0000000000000000 0000000000000003 00000000ffffff7f 0000000000000000
[ 43.799428] page dumped because: kasan: bad access detected
[ 43.805114]
[ 43.806717] Memory state around the buggy address:
[ 43.811626] ffff888085acff00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 43.818985] ffff888085acff80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 43.826326] >ffff888085ad0000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 43.833687]                   ^
[ 43.837039] ffff888085ad0080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 43.844377] ffff888085ad0100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 43.851728] ==================================================================
[ 43.859082] Disabling lock debugging due to kernel taint
[ 43.868261] Kernel panic - not syncing: panic_on_warn set ...
[ 43.868261]
[ 43.875644] CPU: 1 PID: 6684 Comm: syz-executor577 Tainted: G B 4.19.128-syzkaller #0
[ 43.884906] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 43.894253] Call Trace:
[ 43.896835] dump_stack+0x1fc/0x2fe
[ 43.900444] panic+0x26a/0x50e
[ 43.903615] ? __warn_printk+0xf3/0xf3
[ 43.907496] ? preempt_schedule_common+0x4a/0xc0
[ 43.912250] ? tls_push_record+0x103a/0x13b0
[ 43.916640] ? ___preempt_schedule+0x16/0x18
[ 43.921044] ? trace_hardirqs_on+0x55/0x210
[ 43.925345] ? tls_push_record+0x103a/0x13b0
[ 43.929733] kasan_end_report+0x43/0x49
[ 43.933687] kasan_report.cold+0xa4/0x2b9
[ 43.937815] tls_push_record+0x103a/0x13b0
[ 43.942047] ? mark_held_locks+0xa6/0xf0
[ 43.946088] ? __local_bh_enable_ip+0x159/0x250
[ 43.950735] tls_push_pending_closed_record+0xd1/0x100
[ 43.955992] tls_sk_proto_close+0x7ad/0xb30
[ 43.960292] ? tcp_check_oom+0x520/0x520
[ 43.964347] ? _raw_spin_unlock_irqrestore+0x66/0xe0
[ 43.969428] ? tls_write_space+0x2f0/0x2f0
[ 43.973654] ? ip_mc_drop_socket+0x16/0x260
[ 43.977977] inet_release+0xd7/0x1e0
[ 43.981672] inet6_release+0x4c/0x70
[ 43.985375] __sock_release+0xcd/0x2a0
[ 43.989240] ? __sock_release+0x2a0/0x2a0
[ 43.993373] sock_close+0x15/0x20
[ 43.996813] __fput+0x2cd/0x890
[ 44.000074] task_work_run+0x13f/0x1b0
[ 44.003938] do_exit+0xbcb/0x2f00
[ 44.007400] ? tls_sw_sendmsg+0xbd5/0x1150
[ 44.011628] ? mm_update_next_owner+0x650/0x650
[ 44.016278] ? get_signal+0x38b/0x1f30
[ 44.020143] ? lock_downgrade+0x740/0x740
[ 44.024268] ? lock_acquire+0x170/0x3c0
[ 44.028222] ? check_preemption_disabled+0x41/0x280
[ 44.033225] do_group_exit+0x125/0x310
[ 44.037100] get_signal+0x3f5/0x1f30
[ 44.040818] ? inet_sendmsg+0x136/0x590
[ 44.044771] ? inet_recvmsg+0x5b0/0x5b0
[ 44.048737] do_signal+0x8f/0x1620
[ 44.052258] ? __ia32_sys_getpeername+0xb0/0xb0
[ 44.056912] ? lock_downgrade+0x740/0x740
[ 44.061071] ? setup_sigcontext+0x820/0x820
[ 44.065395] ? check_preemption_disabled+0x41/0x280
[ 44.070410] ? wait_for_completion_io+0x10/0x10
[ 44.075059] ? vfs_write+0x393/0x540
[ 44.078749] ? fput+0x2b/0x190
[ 44.081918] ? ksys_write+0x1c8/0x2a0
[ 44.085699] ? exit_to_usermode_loop+0x36/0x2a0
[ 44.090362] exit_to_usermode_loop+0x204/0x2a0
[ 44.094924] do_syscall_64+0x538/0x620
[ 44.098792] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 44.103956] RIP: 0033:0x449319
[ 44.107136] Code: Bad RIP value.
[ 44.110476] RSP: 002b:00007f19588e9ca8 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
[ 44.118164] RAX: 0000000000004000 RBX: 00007f19588e9cc0 RCX: 0000000000449319
[ 44.125411] RDX: 00000000e0ffffff RSI: 00000000200005c0 RDI: 0000000000000003
[ 44.132673] RBP: 0000000000000006 R08: 0000000000000000 R09: 00000000000000d8
[ 44.139937] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dfc4c
[ 44.147302] R13: 00007ffc970c403f R14: 00007f19588ea9c0 R15: 00000000006dfc4c
[ 44.155581] Kernel Offset: disabled
[ 44.159195] Rebooting in 86400 seconds..