[ OK ] Started Serial Getty on ttyS0.
[ OK ] Started Getty on tty3.
[ OK ] Started Getty on tty2.
[ OK ] Reached target Login Prompts.
[ OK ] Reached target Multi-User System.
[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
[ OK ] Started Update UTMP about System Runlevel Changes.
Starting Load/Save RF Kill Switch Status...
[ OK ] Started Load/Save RF Kill Switch Status.
Debian GNU/Linux 9 syzkaller ttyS0
Warning: Permanently added '10.128.1.68' (ECDSA) to the list of known hosts.
syzkaller login: [ 33.497309] IPVS: ftp: loaded support on port[0] = 21
executing program
[ 33.563310] netlink: 20 bytes leftover after parsing attributes in process `syz-executor326'.
[ 33.645770] ==================================================================
[ 33.653445] BUG: KASAN: use-after-free in free_netdev+0x3a7/0x410
[ 33.659688] Read of size 8 at addr ffff8880b2644f20 by task syz-executor326/8136
[ 33.667201]
[ 33.668829] CPU: 0 PID: 8136 Comm: syz-executor326 Not tainted 4.19.211-syzkaller #0
[ 33.676722] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 33.686074] Call Trace:
[ 33.688660] dump_stack+0x1fc/0x2ef
[ 33.692282] print_address_description.cold+0x54/0x219
[ 33.697547] kasan_report_error.cold+0x8a/0x1b9
[ 33.702202] ? free_netdev+0x3a7/0x410
[ 33.706076] __asan_report_load8_noabort+0x88/0x90
[ 33.710991] ? free_netdev+0x3a7/0x410
[ 33.714862] free_netdev+0x3a7/0x410
[ 33.718581] netdev_run_todo+0x89b/0xab0
[ 33.722637] ? default_device_exit_batch+0x3c0/0x3c0
[ 33.727822] ? rtnl_newlink+0x15c0/0x15c0
[ 33.731963] rtnetlink_rcv_msg+0x460/0xb80
[ 33.736282] ? rtnl_calcit.isra.0+0x430/0x430
[ 33.740785] ? __netlink_lookup+0x3fc/0x730
[ 33.745116] ? lock_downgrade+0x720/0x720
[ 33.749271] ? check_preemption_disabled+0x41/0x280
[ 33.754284] netlink_rcv_skb+0x160/0x440
[ 33.758341] ? rtnl_calcit.isra.0+0x430/0x430
[ 33.762833] ? netlink_ack+0xae0/0xae0
[ 33.766721] netlink_unicast+0x4d5/0x690
[ 33.770770] ? netlink_sendskb+0x110/0x110
[ 33.774992] ? _copy_from_iter_full+0x229/0x7c0
[ 33.779643] ? __phys_addr_symbol+0x2c/0x70
[ 33.783951] ? __check_object_size+0x17b/0x3e0
[ 33.788541] netlink_sendmsg+0x6c3/0xc50
[ 33.792596] ? aa_af_perm+0x230/0x230
[ 33.796380] ? nlmsg_notify+0x1f0/0x1f0
[ 33.800339] ? kernel_recvmsg+0x220/0x220
[ 33.804483] ? nlmsg_notify+0x1f0/0x1f0
[ 33.808443] sock_sendmsg+0xc3/0x120
[ 33.812143] ___sys_sendmsg+0x7bb/0x8e0
[ 33.816102] ? copy_msghdr_from_user+0x440/0x440
[ 33.820844] ? __fget+0x32f/0x510
[ 33.824293] ? lock_downgrade+0x720/0x720
[ 33.828426] ? check_preemption_disabled+0x41/0x280
[ 33.833443] ? check_preemption_disabled+0x41/0x280
[ 33.838458] ? __fget+0x356/0x510
[ 33.841897] ? do_dup2+0x450/0x450
[ 33.845419] ? lock_downgrade+0x720/0x720
[ 33.849566] ? check_preemption_disabled+0x41/0x280
[ 33.854580] ? __fdget+0x1d0/0x230
[ 33.858107] __x64_sys_sendmsg+0x132/0x220
[ 33.862493] ? __sys_sendmsg+0x1b0/0x1b0
[ 33.866548] ? __se_sys_futex+0x298/0x3b0
[ 33.870688] ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[ 33.876055] ? trace_hardirqs_off_caller+0x6e/0x210
[ 33.881057] ? do_syscall_64+0x21/0x620
[ 33.885019] do_syscall_64+0xf9/0x620
[ 33.888818] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 33.893998] RIP: 0033:0x7f1f5be06dd9
[ 33.897693] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 71 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
[ 33.916580] RSP: 002b:00007f1f5bdb8308 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 33.924292] RAX: ffffffffffffffda RBX: 00007f1f5be90428 RCX: 00007f1f5be06dd9
[ 33.931635] RDX: 0000000000000000 RSI: 0000000020000180 RDI: 0000000000000004
[ 33.938974] RBP: 00007f1f5be90420 R08: 0000000000000000 R09: 0000000000000000
[ 33.946226] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f1f5be9042c
[ 33.953479] R13: 00007f1f5be5d174 R14: 74656e2f7665642f R15: 0000000000022000
[ 33.960738]
[ 33.962349] Allocated by task 8136:
[ 33.965959] __kmalloc+0x15a/0x3c0
[ 33.969570] sk_prot_alloc+0x1e2/0x2d0
[ 33.973438] sk_alloc+0x36/0xec0
[ 33.976786] tun_chr_open+0x7b/0x560
[ 33.980581] misc_open+0x372/0x4a0
[ 33.984277] chrdev_open+0x266/0x770
[ 33.987987] do_dentry_open+0x4aa/0x1160
[ 33.992029] path_openat+0x793/0x2df0
[ 33.995808] do_filp_open+0x18c/0x3f0
[ 33.999588] do_sys_open+0x3b3/0x520
[ 34.003283] do_syscall_64+0xf9/0x620
[ 34.007074] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 34.012239]
[ 34.013845] Freed by task 8141:
[ 34.017215] kfree+0xcc/0x210
[ 34.020301] __sk_destruct+0x684/0x8a0
[ 34.024167] __sk_free+0x165/0x3b0
[ 34.027709] sk_free+0x3b/0x50
[ 34.030885] __tun_detach+0xccb/0x1320
[ 34.035186] tun_chr_close+0x10e/0x180
[ 34.039055] __fput+0x2ce/0x890
[ 34.042324] task_work_run+0x148/0x1c0
[ 34.046191] exit_to_usermode_loop+0x251/0x2a0
[ 34.050780] do_syscall_64+0x538/0x620
[ 34.054681] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 34.059869]
[ 34.061477] The buggy address belongs to the object at ffff8880b2644880
[ 34.061477]  which belongs to the cache kmalloc-4096 of size 4096
[ 34.074290] The buggy address is located 1696 bytes inside of
[ 34.074290]  4096-byte region [ffff8880b2644880, ffff8880b2645880)
[ 34.086401] The buggy address belongs to the page:
[ 34.091330] page:ffffea0002c99100 count:1 mapcount:0 mapping:ffff88813bff0dc0 index:0x0 compound_mapcount: 0
[ 34.101283] flags: 0xfff00000008100(slab|head)
[ 34.105847] raw: 00fff00000008100 ffffea0002559d08 ffffea0002c5b008 ffff88813bff0dc0
[ 34.113712] raw: 0000000000000000 ffff8880b2644880 0000000100000001 0000000000000000
[ 34.121569] page dumped because: kasan: bad access detected
[ 34.127277]
[ 34.128884] Memory state around the buggy address:
[ 34.133806]  ffff8880b2644e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 34.141156]  ffff8880b2644e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 34.148860] >ffff8880b2644f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 34.156197]                                ^
[ 34.160585]  ffff8880b2644f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 34.167927]  ffff8880b2645000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 34.175264] ==================================================================
[ 34.182620] Disabling lock debugging due to kernel taint
[ 34.188630] Kernel panic - not syncing: panic_on_warn set ...
[ 34.188630]
[ 34.196008] CPU: 0 PID: 8136 Comm: syz-executor326 Tainted: G B 4.19.211-syzkaller #0
[ 34.205359] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 34.214747] Call Trace:
[ 34.217341] dump_stack+0x1fc/0x2ef
[ 34.221059] panic+0x26a/0x50e
[ 34.224341] ? __warn_printk+0xf3/0xf3
[ 34.228230] ? preempt_schedule_common+0x45/0xc0
[ 34.232980] ? ___preempt_schedule+0x16/0x18
[ 34.237373] ? trace_hardirqs_on+0x55/0x210
[ 34.241680] kasan_end_report+0x43/0x49
[ 34.245634] kasan_report_error.cold+0xa7/0x1b9
[ 34.250296] ? free_netdev+0x3a7/0x410
[ 34.254269] __asan_report_load8_noabort+0x88/0x90
[ 34.259182] ? free_netdev+0x3a7/0x410
[ 34.263080] free_netdev+0x3a7/0x410
[ 34.266790] netdev_run_todo+0x89b/0xab0
[ 34.270836] ? default_device_exit_batch+0x3c0/0x3c0
[ 34.275942] ? rtnl_newlink+0x15c0/0x15c0
[ 34.280069] rtnetlink_rcv_msg+0x460/0xb80
[ 34.284314] ? rtnl_calcit.isra.0+0x430/0x430
[ 34.288789] ? __netlink_lookup+0x3fc/0x730
[ 34.293095] ? lock_downgrade+0x720/0x720
[ 34.297267] ? check_preemption_disabled+0x41/0x280
[ 34.302268] netlink_rcv_skb+0x160/0x440
[ 34.306312] ? rtnl_calcit.isra.0+0x430/0x430
[ 34.310788] ? netlink_ack+0xae0/0xae0
[ 34.314677] netlink_unicast+0x4d5/0x690
[ 34.318806] ? netlink_sendskb+0x110/0x110
[ 34.323040] ? _copy_from_iter_full+0x229/0x7c0
[ 34.327836] ? __phys_addr_symbol+0x2c/0x70
[ 34.332154] ? __check_object_size+0x17b/0x3e0
[ 34.336719] netlink_sendmsg+0x6c3/0xc50
[ 34.340761] ? aa_af_perm+0x230/0x230
[ 34.344546] ? nlmsg_notify+0x1f0/0x1f0
[ 34.348497] ? kernel_recvmsg+0x220/0x220
[ 34.352627] ? nlmsg_notify+0x1f0/0x1f0
[ 34.356584] sock_sendmsg+0xc3/0x120
[ 34.360285] ___sys_sendmsg+0x7bb/0x8e0
[ 34.364238] ? copy_msghdr_from_user+0x440/0x440
[ 34.368976] ? __fget+0x32f/0x510
[ 34.372432] ? lock_downgrade+0x720/0x720
[ 34.376582] ? check_preemption_disabled+0x41/0x280
[ 34.381579] ? check_preemption_disabled+0x41/0x280
[ 34.386793] ? __fget+0x356/0x510
[ 34.390240] ? do_dup2+0x450/0x450
[ 34.393761] ? lock_downgrade+0x720/0x720
[ 34.397887] ? check_preemption_disabled+0x41/0x280
[ 34.402881] ? __fdget+0x1d0/0x230
[ 34.406404] __x64_sys_sendmsg+0x132/0x220
[ 34.410617] ? __sys_sendmsg+0x1b0/0x1b0
[ 34.414674] ? __se_sys_futex+0x298/0x3b0
[ 34.418808] ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[ 34.424154] ? trace_hardirqs_off_caller+0x6e/0x210
[ 34.429164] ? do_syscall_64+0x21/0x620
[ 34.433119] do_syscall_64+0xf9/0x620
[ 34.436923] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 34.442096] RIP: 0033:0x7f1f5be06dd9
[ 34.445789] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 71 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
[ 34.464689] RSP: 002b:00007f1f5bdb8308 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 34.472404] RAX: ffffffffffffffda RBX: 00007f1f5be90428 RCX: 00007f1f5be06dd9
[ 34.479656] RDX: 0000000000000000 RSI: 0000000020000180 RDI: 0000000000000004
[ 34.486910] RBP: 00007f1f5be90420 R08: 0000000000000000 R09: 0000000000000000
[ 34.494181] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f1f5be9042c
[ 34.501429] R13: 00007f1f5be5d174 R14: 74656e2f7665642f R15: 0000000000022000
[ 34.508903] Kernel Offset: disabled
[ 34.512516] Rebooting in 86400 seconds..