[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
[ OK ] Started Update UTMP about System Runlevel Changes.
Starting Load/Save RF Kill Switch Status...
[ OK ] Started Load/Save RF Kill Switch Status.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.0.88' (ECDSA) to the list of known hosts.

syzkaller login: [ 40.333270] IPVS: ftp: loaded support on port[0] = 21
executing program
[ 40.414970] netlink: 20 bytes leftover after parsing attributes in process `syz-executor362'.
executing program
[ 40.511409] netlink: 20 bytes leftover after parsing attributes in process `syz-executor362'.
[ 40.564155] ==================================================================
[ 40.571590] BUG: KASAN: slab-out-of-bounds in netif_napi_del+0x301/0x380
[ 40.578412] Read of size 8 at addr ffff8880957906d8 by task syz-executor362/8148
[ 40.585920]
[ 40.587535] CPU: 1 PID: 8148 Comm: syz-executor362 Not tainted 4.19.211-syzkaller #0
[ 40.595477] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 40.604806] Call Trace:
[ 40.607380] dump_stack+0x1fc/0x2ef
[ 40.610992] print_address_description.cold+0x54/0x219
[ 40.616251] kasan_report_error.cold+0x8a/0x1b9
[ 40.620913] ? netif_napi_del+0x301/0x380
[ 40.625060] __asan_report_load8_noabort+0x88/0x90
[ 40.629980] ? netif_napi_del+0x301/0x380
[ 40.634110] netif_napi_del+0x301/0x380
[ 40.638082] free_netdev+0x21f/0x410
[ 40.641781] netdev_run_todo+0x89b/0xab0
[ 40.645824] ? default_device_exit_batch+0x3c0/0x3c0
[ 40.650910] ? rtnl_newlink+0x15c0/0x15c0
[ 40.655040] rtnetlink_rcv_msg+0x460/0xb80
[ 40.659256] ? rtnl_calcit.isra.0+0x430/0x430
[ 40.663733] ? __netlink_lookup+0x3fc/0x730
[ 40.668039] ? lock_downgrade+0x720/0x720
[ 40.672187] ? check_preemption_disabled+0x41/0x280
[ 40.677197] netlink_rcv_skb+0x160/0x440
[ 40.681245] ? rtnl_calcit.isra.0+0x430/0x430
[ 40.685732] ? netlink_ack+0xae0/0xae0
[ 40.689694] netlink_unicast+0x4d5/0x690
[ 40.693749] ? netlink_sendskb+0x110/0x110
[ 40.697964] ? _copy_from_iter_full+0x229/0x7c0
[ 40.702620] ? __phys_addr_symbol+0x2c/0x70
[ 40.706938] ? __check_object_size+0x17b/0x3e0
[ 40.711504] netlink_sendmsg+0x6c3/0xc50
[ 40.715553] ? aa_af_perm+0x230/0x230
[ 40.719345] ? nlmsg_notify+0x1f0/0x1f0
[ 40.723312] ? kernel_recvmsg+0x220/0x220
[ 40.727452] ? nlmsg_notify+0x1f0/0x1f0
[ 40.731408] sock_sendmsg+0xc3/0x120
[ 40.735114] ___sys_sendmsg+0x7bb/0x8e0
[ 40.739067] ? copy_msghdr_from_user+0x440/0x440
[ 40.743804] ? __fget+0x32f/0x510
[ 40.747250] ? lock_downgrade+0x720/0x720
[ 40.751465] ? check_preemption_disabled+0x41/0x280
[ 40.756468] ? check_preemption_disabled+0x41/0x280
[ 40.761472] ? __fget+0x356/0x510
[ 40.764909] ? do_dup2+0x450/0x450
[ 40.768444] ? lock_downgrade+0x720/0x720
[ 40.772573] ? check_preemption_disabled+0x41/0x280
[ 40.777572] ? __fdget+0x1d0/0x230
[ 40.781096] __x64_sys_sendmsg+0x132/0x220
[ 40.785316] ? __sys_sendmsg+0x1b0/0x1b0
[ 40.789372] ? __se_sys_futex+0x298/0x3b0
[ 40.793504] ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[ 40.798845] ? trace_hardirqs_off_caller+0x6e/0x210
[ 40.803849] ? do_syscall_64+0x21/0x620
[ 40.807813] do_syscall_64+0xf9/0x620
[ 40.811605] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 40.816791] RIP: 0033:0x7fbf88a6fdb9
[ 40.820548] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 71 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
[ 40.839641] RSP: 002b:00007fbf88a21308 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 40.847332] RAX: ffffffffffffffda RBX: 00007fbf88af9428 RCX: 00007fbf88a6fdb9
[ 40.854756] RDX: 0000000000000000 RSI: 0000000020000180 RDI: 0000000000000004
[ 40.862006] RBP: 00007fbf88af9420 R08: 0000000000000000 R09: 0000000000000000
[ 40.869277] R10: 0000000000000000 R11: 0000000000000246 R12: 00007fbf88af942c
[ 40.876527] R13: 00007fbf88ac61a4 R14: 74656e2f7665642f R15: 0000000000022000
[ 40.883779]
[ 40.885385] Allocated by task 8153:
[ 40.888994] __kmalloc_node+0x4c/0x70
[ 40.892905] kvmalloc_node+0xb4/0xf0
[ 40.896602] alloc_netdev_mqs+0x97/0xd50
[ 40.900644] __tun_chr_ioctl.isra.0+0x2184/0x3d00
[ 40.905470] do_vfs_ioctl+0xcdb/0x12e0
[ 40.909360] ksys_ioctl+0x9b/0xc0
[ 40.912811] __x64_sys_ioctl+0x6f/0xb0
[ 40.916678] do_syscall_64+0xf9/0x620
[ 40.920464] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 40.925629]
[ 40.927291] Freed by task 0:
[ 40.930376] (stack is not available)
[ 40.934159]
[ 40.935780] The buggy address belongs to the object at ffff888095790780
[ 40.935780] which belongs to the cache kmalloc-16384 of size 16384
[ 40.948768] The buggy address is located 168 bytes to the left of
[ 40.948768] 16384-byte region [ffff888095790780, ffff888095794780)
[ 40.961231] The buggy address belongs to the page:
[ 40.966163] page:ffffea000255e400 count:1 mapcount:0 mapping:ffff88813bff2200 index:0x0 compound_mapcount: 0
[ 40.976109] flags: 0xfff00000008100(slab|head)
[ 40.980670] raw: 00fff00000008100 ffffea00027cce08 ffff88813bff1c48 ffff88813bff2200
[ 40.988539] raw: 0000000000000000 ffff888095790780 0000000100000001 0000000000000000
[ 40.996576] page dumped because: kasan: bad access detected
[ 41.002264]
[ 41.003868] Memory state around the buggy address:
[ 41.008773] ffff888095790580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 41.016113] ffff888095790600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 41.023451] >ffff888095790680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 41.030927] ^
[ 41.037143] ffff888095790700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 41.044481] ffff888095790780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 41.051835] ==================================================================
[ 41.059524] Disabling lock debugging due to kernel taint
[ 41.070098] Kernel panic - not syncing: panic_on_warn set ...
[ 41.070098]
[ 41.077479] CPU: 0 PID: 8148 Comm: syz-executor362 Tainted: G B 4.19.211-syzkaller #0
[ 41.086766] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 41.096129] Call Trace:
[ 41.098709] dump_stack+0x1fc/0x2ef
[ 41.102313] panic+0x26a/0x50e
[ 41.105481] ? __warn_printk+0xf3/0xf3
[ 41.109373] ? preempt_schedule_common+0x45/0xc0
[ 41.114124] ? ___preempt_schedule+0x16/0x18
[ 41.118521] ? trace_hardirqs_on+0x55/0x210
[ 41.122830] kasan_end_report+0x43/0x49
[ 41.126780] kasan_report_error.cold+0xa7/0x1b9
[ 41.131426] ? netif_napi_del+0x301/0x380
[ 41.135554] __asan_report_load8_noabort+0x88/0x90
[ 41.140460] ? netif_napi_del+0x301/0x380
[ 41.144582] netif_napi_del+0x301/0x380
[ 41.148532] free_netdev+0x21f/0x410
[ 41.152224] netdev_run_todo+0x89b/0xab0
[ 41.156284] ? default_device_exit_batch+0x3c0/0x3c0
[ 41.161377] ? rtnl_newlink+0x15c0/0x15c0
[ 41.165502] rtnetlink_rcv_msg+0x460/0xb80
[ 41.169711] ? rtnl_calcit.isra.0+0x430/0x430
[ 41.174183] ? __netlink_lookup+0x3fc/0x730
[ 41.178484] ? lock_downgrade+0x720/0x720
[ 41.182622] ? check_preemption_disabled+0x41/0x280
[ 41.187614] netlink_rcv_skb+0x160/0x440
[ 41.191656] ? rtnl_calcit.isra.0+0x430/0x430
[ 41.196140] ? netlink_ack+0xae0/0xae0
[ 41.200437] netlink_unicast+0x4d5/0x690
[ 41.204472] ? netlink_sendskb+0x110/0x110
[ 41.208692] ? _copy_from_iter_full+0x229/0x7c0
[ 41.213334] ? __phys_addr_symbol+0x2c/0x70
[ 41.217628] ? __check_object_size+0x17b/0x3e0
[ 41.222200] netlink_sendmsg+0x6c3/0xc50
[ 41.226239] ? aa_af_perm+0x230/0x230
[ 41.230013] ? nlmsg_notify+0x1f0/0x1f0
[ 41.233960] ? kernel_recvmsg+0x220/0x220
[ 41.238086] ? nlmsg_notify+0x1f0/0x1f0
[ 41.242037] sock_sendmsg+0xc3/0x120
[ 41.245727] ___sys_sendmsg+0x7bb/0x8e0
[ 41.249678] ? copy_msghdr_from_user+0x440/0x440
[ 41.254410] ? __fget+0x32f/0x510
[ 41.257841] ? lock_downgrade+0x720/0x720
[ 41.261966] ? check_preemption_disabled+0x41/0x280
[ 41.266957] ? check_preemption_disabled+0x41/0x280
[ 41.271949] ? __fget+0x356/0x510
[ 41.275376] ? do_dup2+0x450/0x450
[ 41.278894] ? lock_downgrade+0x720/0x720
[ 41.283015] ? check_preemption_disabled+0x41/0x280
[ 41.288025] ? __fdget+0x1d0/0x230
[ 41.291542] __x64_sys_sendmsg+0x132/0x220
[ 41.295750] ? __sys_sendmsg+0x1b0/0x1b0
[ 41.299784] ? __se_sys_futex+0x298/0x3b0
[ 41.303911] ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[ 41.309254] ? trace_hardirqs_off_caller+0x6e/0x210
[ 41.314257] ? do_syscall_64+0x21/0x620
[ 41.318208] do_syscall_64+0xf9/0x620
[ 41.321985] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 41.327149] RIP: 0033:0x7fbf88a6fdb9
[ 41.330835] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 71 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
[ 41.349710] RSP: 002b:00007fbf88a21308 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 41.357393] RAX: ffffffffffffffda RBX: 00007fbf88af9428 RCX: 00007fbf88a6fdb9
[ 41.364638] RDX: 0000000000000000 RSI: 0000000020000180 RDI: 0000000000000004
[ 41.371885] RBP: 00007fbf88af9420 R08: 0000000000000000 R09: 0000000000000000
[ 41.379129] R10: 0000000000000000 R11: 0000000000000246 R12: 00007fbf88af942c
[ 41.386372] R13: 00007fbf88ac61a4 R14: 74656e2f7665642f R15: 0000000000022000
[ 41.393692] Kernel Offset: disabled
[ 41.397298] Rebooting in 86400 seconds..