[ OK ] Started Getty on tty2.
[ OK ] Started Getty on tty1.
[ OK ] Started Serial Getty on ttyS0.
[ OK ] Reached target Login Prompts.
[ OK ] Reached target Multi-User System.
[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
[ OK ] Started Update UTMP about System Runlevel Changes.
Starting Load/Save RF Kill Switch Status...
[ OK ] Started Load/Save RF Kill Switch Status.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.1.50' (ECDSA) to the list of known hosts.

syzkaller login: [ 31.375415] IPVS: ftp: loaded support on port[0] = 21
[ 31.456500] chnl_net:caif_netlink_parms(): no params data found
[ 31.531582] bridge0: port 1(bridge_slave_0) entered blocking state
[ 31.538435] bridge0: port 1(bridge_slave_0) entered disabled state
[ 31.546216] device bridge_slave_0 entered promiscuous mode
[ 31.555463] bridge0: port 2(bridge_slave_1) entered blocking state
[ 31.562825] bridge0: port 2(bridge_slave_1) entered disabled state
[ 31.570807] device bridge_slave_1 entered promiscuous mode
[ 31.587641] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 31.596474] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 31.616176] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 31.624532] team0: Port device team_slave_0 added
[ 31.630979] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 31.638204] team0: Port device team_slave_1 added
[ 31.653723] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 31.660439] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 31.686917] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[ 31.699064] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 31.705893] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 31.731577] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[ 31.742540] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[ 31.750709] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[ 31.770163] device hsr_slave_0 entered promiscuous mode
[ 31.776494] device hsr_slave_1 entered promiscuous mode
[ 31.783179] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready
[ 31.791507] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_1: link is not ready
[ 31.853654] bridge0: port 2(bridge_slave_1) entered blocking state
[ 31.860136] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 31.866956] bridge0: port 1(bridge_slave_0) entered blocking state
[ 31.873397] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 31.904437] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[ 31.911657] 8021q: adding VLAN 0 to HW filter on device bond0
[ 31.920582] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 31.928630] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 31.937834] bridge0: port 1(bridge_slave_0) entered disabled state
[ 31.956098] bridge0: port 2(bridge_slave_1) entered disabled state
[ 31.966424] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready
[ 31.973088] 8021q: adding VLAN 0 to HW filter on device team0
[ 31.983814] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 31.991992] bridge0: port 1(bridge_slave_0) entered blocking state
[ 31.998366] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 32.021526] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 32.030521] bridge0: port 2(bridge_slave_1) entered blocking state
[ 32.037002] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 32.045385] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 32.053913] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 32.062530] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 32.070369] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 32.078623] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 32.087660] IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready
[ 32.094739] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 32.107667] IPv6: ADDRCONF(NETDEV_UP): vxcan0: link is not ready
[ 32.115827] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 32.123050] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 32.133555] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 32.184041] IPv6: ADDRCONF(NETDEV_UP): veth0_virt_wifi: link is not ready
[ 32.193978] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 32.223742] IPv6: ADDRCONF(NETDEV_UP): veth0_vlan: link is not ready
[ 32.231461] IPv6: ADDRCONF(NETDEV_UP): vlan0: link is not ready
[ 32.238204] IPv6: ADDRCONF(NETDEV_UP): vlan1: link is not ready
[ 32.247794] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 32.255627] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 32.263412] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 32.272133] device veth0_vlan entered promiscuous mode
[ 32.280922] device veth1_vlan entered promiscuous mode
[ 32.286830] IPv6: ADDRCONF(NETDEV_UP): macvlan0: link is not ready
[ 32.297255] IPv6: ADDRCONF(NETDEV_UP): macvlan1: link is not ready
[ 32.308080] IPv6: ADDRCONF(NETDEV_UP): veth0_macvtap: link is not ready
[ 32.317751] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan0: link becomes ready
[ 32.325346] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan1: link becomes ready
[ 32.333112] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 32.342345] device veth0_macvtap entered promiscuous mode
[ 32.348511] IPv6: ADDRCONF(NETDEV_UP): macvtap0: link is not ready
[ 32.358721] device veth1_macvtap entered promiscuous mode
[ 32.367296] IPv6: ADDRCONF(NETDEV_UP): veth0_to_batadv: link is not ready
[ 32.380097] IPv6: ADDRCONF(NETDEV_UP): veth1_to_batadv: link is not ready
[ 32.393449] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 32.400729] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 32.410134] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready
[ 32.420666] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 32.430591] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 32.437952] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
executing program
[ 32.516521] ==================================================================
[ 32.524314] BUG: KASAN: use-after-free in ipvlan_queue_xmit+0x1323/0x15a0
[ 32.531508] Read of size 4 at addr ffff8880b08e4abf by task syz-executor717/7972
[ 32.539026]
[ 32.540666] CPU: 0 PID: 7972 Comm: syz-executor717 Not tainted 4.14.212-syzkaller #0
[ 32.548555] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 32.557939] Call Trace:
[ 32.560571]  dump_stack+0x1b2/0x283
[ 32.564197]  print_address_description.cold+0x54/0x1d3
[ 32.569481]  kasan_report_error.cold+0x8a/0x194
[ 32.574135]  ? ipvlan_queue_xmit+0x1323/0x15a0
[ 32.578792]  __asan_report_load4_noabort+0x68/0x70
[ 32.583720]  ? ipvlan_queue_xmit+0x1323/0x15a0
[ 32.588298]  ipvlan_queue_xmit+0x1323/0x15a0
[ 32.592834]  ? ipvlan_process_multicast+0xb80/0xb80
[ 32.597851]  ? skb_crc32c_csum_help+0x70/0x70
[ 32.602348]  ? netif_skb_features+0x4ed/0x9f0
[ 32.606831]  ? __skb_gso_segment+0x600/0x600
[ 32.611223]  ? validate_xmit_xfrm+0x346/0x4d0
[ 32.615722]  ? validate_xmit_skb+0x669/0x9f0
[ 32.620135]  ipvlan_start_xmit+0x4f/0x180
[ 32.624417]  ? packet_direct_xmit+0x1f0/0x610
[ 32.629361]  packet_direct_xmit+0x410/0x610
[ 32.633688]  packet_snd+0x1393/0x21e0
[ 32.637509]  ? prb_retire_rx_blk_timer_expired+0x630/0x630
[ 32.643205]  ? __lock_acquire+0x5fc/0x3f20
[ 32.647449]  ? trace_hardirqs_on+0x10/0x10
[ 32.651690]  ? __read_once_size_nocheck.constprop.0+0x10/0x10
[ 32.657663]  packet_sendmsg+0x1139/0x2aca
[ 32.661801]  ? unwind_next_frame+0xe54/0x17d0
[ 32.666298]  ? lock_acquire+0x170/0x3f0
[ 32.670262]  ? lock_downgrade+0x740/0x740
[ 32.674560]  ? aa_file_perm+0x304/0xab0
[ 32.678556]  ? compat_packet_setsockopt+0x140/0x140
[ 32.683569]  ? lock_acquire+0x170/0x3f0
[ 32.687621]  ? lock_downgrade+0x740/0x740
[ 32.691775]  ? aa_path_link+0x3a0/0x3a0
[ 32.695752]  ? _raw_spin_unlock_irqrestore+0x79/0xe0
[ 32.701180]  ? trace_hardirqs_on_caller+0x3a8/0x580
[ 32.706186]  ? _raw_spin_unlock_irqrestore+0x66/0xe0
[ 32.711717]  ? depot_save_stack+0x1d3/0x3e3
[ 32.716162]  ? security_socket_sendmsg+0x83/0xb0
[ 32.720912]  ? compat_packet_setsockopt+0x140/0x140
[ 32.725950]  sock_sendmsg+0xb5/0x100
[ 32.729677]  sock_write_iter+0x22c/0x370
[ 32.734247]  ? sock_sendmsg+0x100/0x100
[ 32.738244]  ? rw_verify_area+0xe1/0x2a0
[ 32.742329]  aio_write+0x2ed/0x560
[ 32.745868]  ? trace_hardirqs_on+0x10/0x10
[ 32.750483]  ? aio_read+0x390/0x390
[ 32.754124]  ? cache_alloc_refill+0x2fa/0x350
[ 32.758642]  ? lock_acquire+0x170/0x3f0
[ 32.762730]  ? lock_downgrade+0x740/0x740
[ 32.766953]  do_io_submit+0x847/0x1570
[ 32.770834]  ? aio_write+0x560/0x560
[ 32.774550]  ? lock_acquire+0x170/0x3f0
[ 32.778524]  ? do_syscall_64+0x4c/0x640
[ 32.782500]  ? SyS_io_destroy+0x340/0x340
[ 32.786640]  do_syscall_64+0x1d5/0x640
[ 32.790570]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 32.795745] RIP: 0033:0x449669
[ 32.799157] RSP: 002b:00007fff4ee97858 EFLAGS: 00000246 ORIG_RAX: 00000000000000d1
[ 32.807261] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000449669
[ 32.814616] RDX: 0000000020000080 RSI: 0000000000000001 RDI: 00007facdef08000
[ 32.821885] RBP: 00316e616c767069 R08: 00000000000000ff R09: 00000000000000ff
[ 32.829144] R10: 00000000000000ff R11: 0000000000000246 R12: 00007fff4ee978e0
[ 32.836768] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 32.844037]
[ 32.845656] The buggy address belongs to the page:
[ 32.850664] page:ffffea0002c23900 count:0 mapcount:0 mapping: (null) index:0xffff8880b08e4400
[ 32.860263] flags: 0xfff00000000000()
[ 32.864393] raw: 00fff00000000000 0000000000000000 ffff8880b08e4400 00000000ffffffff
[ 32.872259] raw: dead000000000100 dead000000000200 ffff88823f8bb200 0000000000000000
[ 32.880119] page dumped because: kasan: bad access detected
[ 32.885826]
[ 32.887529] Memory state around the buggy address:
[ 32.892468]  ffff8880b08e4980: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 32.899822]  ffff8880b08e4a00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 32.907332] >ffff8880b08e4a80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 32.915215]                                         ^
[ 32.920573]  ffff8880b08e4b00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 32.927933]  ffff8880b08e4b80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 32.935283] ==================================================================
[ 32.942868] Disabling lock debugging due to kernel taint
[ 32.948415] Kernel panic - not syncing: panic_on_warn set ...
[ 32.948415]
[ 32.955778] CPU: 0 PID: 7972 Comm: syz-executor717 Tainted: G B 4.14.212-syzkaller #0
[ 32.964881] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 32.974264] Call Trace:
[ 32.977557]  dump_stack+0x1b2/0x283
[ 32.981272]  panic+0x1f9/0x42d
[ 32.984541]  ? add_taint.cold+0x16/0x16
[ 32.988721]  kasan_end_report+0x43/0x49
[ 32.992908]  kasan_report_error.cold+0xa7/0x194
[ 32.997691]  ? ipvlan_queue_xmit+0x1323/0x15a0
[ 33.002268]  __asan_report_load4_noabort+0x68/0x70
[ 33.007228]  ? ipvlan_queue_xmit+0x1323/0x15a0
[ 33.011905]  ipvlan_queue_xmit+0x1323/0x15a0
[ 33.016732]  ? ipvlan_process_multicast+0xb80/0xb80
[ 33.021766]  ? skb_crc32c_csum_help+0x70/0x70
[ 33.026247]  ? netif_skb_features+0x4ed/0x9f0
[ 33.030984]  ? __skb_gso_segment+0x600/0x600
[ 33.035498]  ? validate_xmit_xfrm+0x346/0x4d0
[ 33.040180]  ? validate_xmit_skb+0x669/0x9f0
[ 33.044754]  ipvlan_start_xmit+0x4f/0x180
[ 33.049720]  ? packet_direct_xmit+0x1f0/0x610
[ 33.054493]  packet_direct_xmit+0x410/0x610
[ 33.059116]  packet_snd+0x1393/0x21e0
[ 33.063129]  ? prb_retire_rx_blk_timer_expired+0x630/0x630
[ 33.069411]  ? __lock_acquire+0x5fc/0x3f20
[ 33.073654]  ? trace_hardirqs_on+0x10/0x10
[ 33.078431]  ? __read_once_size_nocheck.constprop.0+0x10/0x10
[ 33.084665]  packet_sendmsg+0x1139/0x2aca
[ 33.088942]  ? unwind_next_frame+0xe54/0x17d0
[ 33.093542]  ? lock_acquire+0x170/0x3f0
[ 33.097551]  ? lock_downgrade+0x740/0x740
[ 33.101821]  ? aa_file_perm+0x304/0xab0
[ 33.105794]  ? compat_packet_setsockopt+0x140/0x140
[ 33.110835]  ? lock_acquire+0x170/0x3f0
[ 33.114814]  ? lock_downgrade+0x740/0x740
[ 33.118959]  ? aa_path_link+0x3a0/0x3a0
[ 33.122926]  ? _raw_spin_unlock_irqrestore+0x79/0xe0
[ 33.128174]  ? trace_hardirqs_on_caller+0x3a8/0x580
[ 33.133232]  ? _raw_spin_unlock_irqrestore+0x66/0xe0
[ 33.138592]  ? depot_save_stack+0x1d3/0x3e3
[ 33.142969]  ? security_socket_sendmsg+0x83/0xb0
[ 33.147723]  ? compat_packet_setsockopt+0x140/0x140
[ 33.152726]  sock_sendmsg+0xb5/0x100
[ 33.156506]  sock_write_iter+0x22c/0x370
[ 33.160567]  ? sock_sendmsg+0x100/0x100
[ 33.164525]  ? rw_verify_area+0xe1/0x2a0
[ 33.168663]  aio_write+0x2ed/0x560
[ 33.172201]  ? trace_hardirqs_on+0x10/0x10
[ 33.176444]  ? aio_read+0x390/0x390
[ 33.180143]  ? cache_alloc_refill+0x2fa/0x350
[ 33.185554]  ? lock_acquire+0x170/0x3f0
[ 33.189541]  ? lock_downgrade+0x740/0x740
[ 33.193768]  do_io_submit+0x847/0x1570
[ 33.197748]  ? aio_write+0x560/0x560
[ 33.201450]  ? lock_acquire+0x170/0x3f0
[ 33.205424]  ? do_syscall_64+0x4c/0x640
[ 33.210082]  ? SyS_io_destroy+0x340/0x340
[ 33.214210]  do_syscall_64+0x1d5/0x640
[ 33.218173]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 33.223353] RIP: 0033:0x449669
[ 33.226521] RSP: 002b:00007fff4ee97858 EFLAGS: 00000246 ORIG_RAX: 00000000000000d1
[ 33.234233] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000449669
[ 33.241689] RDX: 0000000020000080 RSI: 0000000000000001 RDI: 00007facdef08000
[ 33.248952] RBP: 00316e616c767069 R08: 00000000000000ff R09: 00000000000000ff
[ 33.256221] R10: 00000000000000ff R11: 0000000000000246 R12: 00007fff4ee978e0
[ 33.263511] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 33.272245] Kernel Offset: disabled
[ 33.275862] Rebooting in 86400 seconds..