[ OK ] Started Getty on tty5.
[ OK ] Reached target Login Prompts.
[ OK ] Reached target Multi-User System.
[ OK ] Reached target Graphical Interface.
       Starting Update UTMP about System Runlevel Changes...

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.0.216' (ECDSA) to the list of known hosts.
2022/12/08 22:04:46 ignoring optional flag "sandboxArg"="0"
2022/12/08 22:04:46 parsed 1 programs
2022/12/08 22:04:46 executed programs: 0

syzkaller login: [ 1603.636097] IPVS: ftp: loaded support on port[0] = 21
[ 1603.765121] chnl_net:caif_netlink_parms(): no params data found
[ 1603.807924] bridge0: port 1(bridge_slave_0) entered blocking state
[ 1603.814813] bridge0: port 1(bridge_slave_0) entered disabled state
[ 1603.822638] device bridge_slave_0 entered promiscuous mode
[ 1603.829861] bridge0: port 2(bridge_slave_1) entered blocking state
[ 1603.837331] bridge0: port 2(bridge_slave_1) entered disabled state
[ 1603.844821] device bridge_slave_1 entered promiscuous mode
[ 1603.862376] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 1603.872061] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 1603.890903] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 1603.899123] team0: Port device team_slave_0 added
[ 1603.905475] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 1603.913343] team0: Port device team_slave_1 added
[ 1603.929119] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 1603.935436] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 1603.961507] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[ 1603.973348] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 1603.979605] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 1604.005554] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[ 1604.019835] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[ 1604.027925] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[ 1604.047358] device hsr_slave_0 entered promiscuous mode
[ 1604.053178] device hsr_slave_1 entered promiscuous mode
[ 1604.059267] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready
[ 1604.067218] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_1: link is not ready
[ 1604.132223] bridge0: port 2(bridge_slave_1) entered blocking state
[ 1604.138673] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 1604.145560] bridge0: port 1(bridge_slave_0) entered blocking state
[ 1604.151963] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 1604.183696] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[ 1604.189777] 8021q: adding VLAN 0 to HW filter on device bond0
[ 1604.198367] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 1604.207547] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 1604.216274] bridge0: port 1(bridge_slave_0) entered disabled state
[ 1604.224066] bridge0: port 2(bridge_slave_1) entered disabled state
[ 1604.231432] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 1604.241916] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready
[ 1604.247998] 8021q: adding VLAN 0 to HW filter on device team0
[ 1604.257917] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 1604.265678] bridge0: port 1(bridge_slave_0) entered blocking state
[ 1604.272102] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 1604.281840] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 1604.289586] bridge0: port 2(bridge_slave_1) entered blocking state
[ 1604.295994] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 1604.313476] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 1604.321757] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 1604.329343] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 1604.337889] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 1604.349046] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
[ 1604.359578] IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready
[ 1604.365738] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 1604.373135] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 1604.402882] IPv6: ADDRCONF(NETDEV_UP): vxcan0: link is not ready
[ 1604.411899] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 1604.418589] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 1604.429019] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 1604.462800] IPv6: ADDRCONF(NETDEV_UP): veth0_virt_wifi: link is not ready
[ 1604.472756] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 1604.506514] IPv6: ADDRCONF(NETDEV_UP): veth0_vlan: link is not ready
[ 1604.513513] IPv6: ADDRCONF(NETDEV_UP): vlan0: link is not ready
[ 1604.519931] IPv6: ADDRCONF(NETDEV_UP): vlan1: link is not ready
[ 1604.529735] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 1604.537637] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 1604.545329] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 1604.554120] device veth0_vlan entered promiscuous mode
[ 1604.563776] device veth1_vlan entered promiscuous mode
[ 1604.569658] IPv6: ADDRCONF(NETDEV_UP): macvlan0: link is not ready
[ 1604.579161] IPv6: ADDRCONF(NETDEV_UP): macvlan1: link is not ready
[ 1604.591310] IPv6: ADDRCONF(NETDEV_UP): veth0_macvtap: link is not ready
[ 1604.600329] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan0: link becomes ready
[ 1604.609216] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan1: link becomes ready
[ 1604.617014] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 1604.627074] device veth0_macvtap entered promiscuous mode
[ 1604.633291] IPv6: ADDRCONF(NETDEV_UP): macvtap0: link is not ready
[ 1604.643001] device veth1_macvtap entered promiscuous mode
[ 1604.652247] IPv6: ADDRCONF(NETDEV_UP): veth0_to_batadv: link is not ready
[ 1604.661831] IPv6: ADDRCONF(NETDEV_UP): veth1_to_batadv: link is not ready
[ 1604.671700] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 1604.678404] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 1604.686888] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready
[ 1604.696483] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 1604.703846] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 1604.810978] IPv6: ADDRCONF(NETDEV_UP): wlan0: link is not ready
[ 1604.817822] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[ 1604.831784] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50
[ 1604.839301] IPv6: ADDRCONF(NETDEV_UP): wlan1: link is not ready
[ 1604.846776] IPv6: ADDRCONF(NETDEV_CHANGE): wlan0: link becomes ready
[ 1604.857031] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[ 1604.864388] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50
[ 1604.872239] IPv6: ADDRCONF(NETDEV_CHANGE): wlan1: link becomes ready
[ 1605.611260] Bluetooth: hci0: command 0x0409 tx timeout
[ 1607.691332] Bluetooth: hci0: command 0x041b tx timeout
[ 1608.492182] ieee802154 phy0 wpan0: encryption failed: -22
[ 1608.497889] ieee802154 phy1 wpan1: encryption failed: -22
2022/12/08 22:04:51 executed programs: 98
[ 1609.770979] Bluetooth: hci0: command 0x040f tx timeout
[ 1611.853144] Bluetooth: hci0: command 0x0419 tx timeout
2022/12/08 22:04:56 executed programs: 233
2022/12/08 22:05:01 executed programs: 368
2022/12/08 22:05:06 executed programs: 501
2022/12/08 22:05:11 executed programs: 633
2022/12/08 22:05:16 executed programs: 765
2022/12/08 22:05:21 executed programs: 902
2022/12/08 22:05:26 executed programs: 1031
2022/12/08 22:05:31 executed programs: 1169
2022/12/08 22:05:36 executed programs: 1301
2022/12/08 22:05:41 executed programs: 1428
2022/12/08 22:05:46 executed programs: 1558
2022/12/08 22:05:51 executed programs: 1696
[ 1669.927715] ieee802154 phy0 wpan0: encryption failed: -22
[ 1669.933408] ieee802154 phy1 wpan1: encryption failed: -22
2022/12/08 22:05:56 executed programs: 1826
2022/12/08 22:06:01 executed programs: 1956
2022/12/08 22:06:06 executed programs: 2083
2022/12/08 22:06:11 executed programs: 2219
2022/12/08 22:06:16 executed programs: 2354
2022/12/08 22:06:21 executed programs: 2489
2022/12/08 22:06:26 executed programs: 2699
2022/12/08 22:06:31 executed programs: 3073
2022/12/08 22:06:36 executed programs: 3460
2022/12/08 22:06:42 executed programs: 3811
[ 1719.892566] ==================================================================
[ 1719.900343] BUG: KASAN: use-after-free in tasklet_action_common.constprop.0+0x29e/0x360
[ 1719.908476] Read of size 8 at addr ffff88808f6d72d0 by task ksoftirqd/1/18
[ 1719.915557] 
[ 1719.917176] CPU: 1 PID: 18 Comm: ksoftirqd/1 Not tainted 4.19.211-syzkaller #0
[ 1719.924515] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
[ 1719.933856] Call Trace:
[ 1719.936435]  dump_stack+0x1fc/0x2ef
[ 1719.940085]  print_address_description.cold+0x54/0x219
[ 1719.945354]  kasan_report_error.cold+0x8a/0x1b9
[ 1719.950016]  ? tasklet_action_common.constprop.0+0x29e/0x360
[ 1719.955806]  __asan_report_load8_noabort+0x88/0x90
[ 1719.960725]  ? tasklet_action_common.constprop.0+0x29e/0x360
[ 1719.966512]  tasklet_action_common.constprop.0+0x29e/0x360
[ 1719.972160]  __do_softirq+0x265/0x980
[ 1719.975973]  ? __local_bh_enable_ip+0x270/0x270
[ 1719.980631]  run_ksoftirqd+0x57/0x110
[ 1719.984429]  smpboot_thread_fn+0x655/0x9e0
[ 1719.988656]  ? __kthread_parkme+0x4c/0x1e0
[ 1719.992875]  ? sort_range+0x30/0x30
[ 1719.996663]  ? __kthread_parkme+0x133/0x1e0
[ 1720.000971]  ? sort_range+0x30/0x30
[ 1720.004593]  kthread+0x33f/0x460
[ 1720.007951]  ? kthread_park+0x180/0x180
[ 1720.011921]  ret_from_fork+0x24/0x30
[ 1720.015627] 
[ 1720.017324] Allocated by task 21291:
[ 1720.021032]  kmem_cache_alloc_trace+0x12f/0x380
[ 1720.025692]  bcm_sendmsg+0x25d7/0x4150
[ 1720.029658]  sock_sendmsg+0xc3/0x120
[ 1720.033355]  ___sys_sendmsg+0x7bb/0x8e0
[ 1720.037313]  __x64_sys_sendmsg+0x132/0x220
[ 1720.041530]  do_syscall_64+0xf9/0x620
[ 1720.045318]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 1720.050484] 
[ 1720.052096] Freed by task 21290:
[ 1720.055443]  kfree+0xcc/0x210
[ 1720.058529]  bcm_release+0x260/0x950
[ 1720.062223]  __sock_release+0xcd/0x2a0
[ 1720.066212]  sock_close+0x15/0x20
[ 1720.069820]  __fput+0x2ce/0x890
[ 1720.073083]  task_work_run+0x148/0x1c0
[ 1720.077082]  exit_to_usermode_loop+0x251/0x2a0
[ 1720.081765]  do_syscall_64+0x538/0x620
[ 1720.085641]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 1720.090808] 
[ 1720.092424] The buggy address belongs to the object at ffff88808f6d7200
[ 1720.092424]  which belongs to the cache kmalloc-1024 of size 1024
[ 1720.105239] The buggy address is located 208 bytes inside of
[ 1720.105239]  1024-byte region [ffff88808f6d7200, ffff88808f6d7600)
[ 1720.117568] The buggy address belongs to the page:
[ 1720.122520] page:ffffea00023db580 count:1 mapcount:0 mapping:ffff88813bff0ac0 index:0xffff88808f6d6900 compound_mapcount: 0
[ 1720.133771] flags: 0xfff00000008100(slab|head)
[ 1720.138348] raw: 00fff00000008100 ffffea0002425a08 ffffea0002b8fd88 ffff88813bff0ac0
[ 1720.146225] raw: ffff88808f6d6900 ffff88808f6d6000 0000000100000003 0000000000000000
[ 1720.154088] page dumped because: kasan: bad access detected
[ 1720.159776] 
[ 1720.161391] Memory state around the buggy address:
[ 1720.166338]  ffff88808f6d7180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 1720.173700]  ffff88808f6d7200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1720.181062] >ffff88808f6d7280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1720.188415] ^
[ 1720.194375]  ffff88808f6d7300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1720.201724]  ffff88808f6d7380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1720.209103] ==================================================================
[ 1720.216442] Disabling lock debugging due to kernel taint
[ 1720.221933] Kernel panic - not syncing: panic_on_warn set ...
[ 1720.221933] 
[ 1720.229302] CPU: 1 PID: 18 Comm: ksoftirqd/1 Tainted: G B 4.19.211-syzkaller #0
[ 1720.238056] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
[ 1720.247393] Call Trace:
[ 1720.249977]  dump_stack+0x1fc/0x2ef
[ 1720.253596]  panic+0x26a/0x50e
[ 1720.256787]  ? __warn_printk+0xf3/0xf3
[ 1720.260669]  ? trace_hardirqs_on+0x55/0x210
[ 1720.264985]  kasan_end_report+0x43/0x49
[ 1720.268961]  kasan_report_error.cold+0xa7/0x1b9
[ 1720.273620]  ? tasklet_action_common.constprop.0+0x29e/0x360
[ 1720.279407]  __asan_report_load8_noabort+0x88/0x90
[ 1720.284323]  ? tasklet_action_common.constprop.0+0x29e/0x360
[ 1720.290110]  tasklet_action_common.constprop.0+0x29e/0x360
[ 1720.295722]  __do_softirq+0x265/0x980
[ 1720.299514]  ? __local_bh_enable_ip+0x270/0x270
[ 1720.304170]  run_ksoftirqd+0x57/0x110
[ 1720.307959]  smpboot_thread_fn+0x655/0x9e0
[ 1720.312180]  ? __kthread_parkme+0x4c/0x1e0
[ 1720.316401]  ? sort_range+0x30/0x30
[ 1720.320013]  ? __kthread_parkme+0x133/0x1e0
[ 1720.324320]  ? sort_range+0x30/0x30
[ 1720.327933]  kthread+0x33f/0x460
[ 1720.331287]  ? kthread_park+0x180/0x180
[ 1720.335250]  ret_from_fork+0x24/0x30
[ 1720.339016] Kernel Offset: disabled
[ 1720.342630] Rebooting in 86400 seconds..