[ OK ] Started Getty on tty2.
[ OK ] Started Serial Getty on ttyS0.
[ OK ] Started Getty on tty1.
[ OK ] Started OpenBSD Secure Shell server.
[ OK ] Started getty on tty2-tty6 if dbus and logind are not available.
Debian GNU/Linux 9 syzkaller ttyS0
Warning: Permanently added '10.128.0.15' (ECDSA) to the list of known hosts.
syzkaller login: [ 68.328837][ T8395] chnl_net:caif_netlink_parms(): no params data found
[ 68.380657][ T8395] bridge0: port 1(bridge_slave_0) entered blocking state
[ 68.388856][ T8395] bridge0: port 1(bridge_slave_0) entered disabled state
[ 68.397657][ T8395] device bridge_slave_0 entered promiscuous mode
[ 68.407826][ T8395] bridge0: port 2(bridge_slave_1) entered blocking state
[ 68.415356][ T8395] bridge0: port 2(bridge_slave_1) entered disabled state
[ 68.423006][ T8395] device bridge_slave_1 entered promiscuous mode
[ 68.443748][ T8395] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 68.455632][ T8395] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 68.478435][ T8395] team0: Port device team_slave_0 added
[ 68.485969][ T8395] team0: Port device team_slave_1 added
[ 68.504558][ T8395] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 68.511502][ T8395] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 68.538795][ T8395] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[ 68.551816][ T8395] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 68.559503][ T8395] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 68.586000][ T8395] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[ 68.612798][ T8395] device hsr_slave_0 entered promiscuous mode
[ 68.620022][ T8395] device hsr_slave_1 entered promiscuous mode
[ 68.721326][ T8395] netdevsim netdevsim0 netdevsim0: renamed from eth0
[ 68.736046][ T8395] netdevsim netdevsim0 netdevsim1: renamed from eth1
[ 68.746860][ T8395] netdevsim netdevsim0 netdevsim2: renamed from eth2
[ 68.757411][ T8395] netdevsim netdevsim0 netdevsim3: renamed from eth3
[ 68.785553][ T8395] bridge0: port 2(bridge_slave_1) entered blocking state
[ 68.792799][ T8395] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 68.800879][ T8395] bridge0: port 1(bridge_slave_0) entered blocking state
[ 68.808093][ T8395] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 68.856427][ T8395] 8021q: adding VLAN 0 to HW filter on device bond0
[ 68.870490][ T3548] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 68.881639][ T3548] bridge0: port 1(bridge_slave_0) entered disabled state
[ 68.891282][ T3548] bridge0: port 2(bridge_slave_1) entered disabled state
[ 68.900179][ T3548] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 68.915840][ T8395] 8021q: adding VLAN 0 to HW filter on device team0
[ 68.935703][ T3548] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 68.944249][ T3548] bridge0: port 1(bridge_slave_0) entered blocking state
[ 68.951359][ T3548] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 68.959778][ T3548] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 68.968955][ T3548] bridge0: port 2(bridge_slave_1) entered blocking state
[ 68.976118][ T3548] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 68.992347][ T7] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 69.003074][ T7] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 69.024062][ T7] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 69.032789][ T7] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 69.046241][ T3548] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 69.058868][ T8395] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 69.077943][ T8] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 69.086487][ T8] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 69.100688][ T8395] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 69.122332][ T4817] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 69.146064][ T8] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 69.155714][ T8] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 69.164174][ T8] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 69.175298][ T8395] device veth0_vlan entered promiscuous mode
[ 69.189418][ T8395] device veth1_vlan entered promiscuous mode
[ 69.213040][ T4817] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan0: link becomes ready
[ 69.222065][ T4817] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan1: link becomes ready
[ 69.232570][ T4817] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 69.246226][ T8395] device veth0_macvtap entered promiscuous mode
[ 69.259270][ T8395] device veth1_macvtap entered promiscuous mode
[ 69.280585][ T8395] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 69.289210][ T8] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 69.299986][ T8] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready
[ 69.312693][ T8395] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 69.320973][ T8] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready
[ 69.330096][ T8] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 69.342919][ T8395] netdevsim netdevsim0 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0
[ 69.352718][ T8395] netdevsim netdevsim0 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0
[ 69.361993][ T8395] netdevsim netdevsim0 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0
[ 69.371544][ T8395] netdevsim netdevsim0 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0
executing program
executing program
[ 69.437590][ T8604] ==================================================================
[ 69.445907][ T8604] BUG: KASAN: slab-out-of-bounds in ipvlan_queue_xmit+0x158f/0x18a0
[ 69.453957][ T8604] Read of size 4 at addr ffff888023e137ff by task syz-executor749/8604
[ 69.462265][ T8604]
[ 69.464609][ T8604] CPU: 0 PID: 8604 Comm: syz-executor749 Not tainted 5.12.0-rc4-syzkaller #0
[ 69.473393][ T8604] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 69.483449][ T8604] Call Trace:
[ 69.486730][ T8604] dump_stack+0x141/0x1d7
[ 69.491070][ T8604] ? ipvlan_queue_xmit+0x158f/0x18a0
[ 69.496386][ T8604] print_address_description.constprop.0.cold+0x5b/0x2f8
[ 69.503439][ T8604] ? ipvlan_queue_xmit+0x158f/0x18a0
[ 69.508762][ T8604] ? ipvlan_queue_xmit+0x158f/0x18a0
[ 69.514070][ T8604] kasan_report.cold+0x7c/0xd8
[ 69.518851][ T8604] ? ipvlan_queue_xmit+0x158f/0x18a0
[ 69.524172][ T8604] ipvlan_queue_xmit+0x158f/0x18a0
[ 69.529291][ T8604] ? ipvlan_handle_mode_l3+0x140/0x140
[ 69.534754][ T8604] ? skb_network_protocol+0x148/0x580
[ 69.540134][ T8604] ? skb_crc32c_csum_help+0x70/0x70
[ 69.545336][ T8604] ? lockdep_hardirqs_on_prepare+0x400/0x400
[ 69.551324][ T8604] ? __might_fault+0xd3/0x180
[ 69.556028][ T8604] ? lock_downgrade+0x6e0/0x6e0
[ 69.560882][ T8604] ? __sanitizer_cov_trace_const_cmp1+0x22/0x80
[ 69.567143][ T8604] ? validate_xmit_xfrm+0x498/0x1080
[ 69.572444][ T8604] ? netif_skb_features+0x38d/0xb90
[ 69.577673][ T8604] ipvlan_start_xmit+0x45/0x190
[ 69.582550][ T8604] __dev_direct_xmit+0x527/0x730
[ 69.587505][ T8604] ? validate_xmit_skb_list+0x120/0x120
[ 69.593067][ T8604] ? __sanitizer_cov_trace_const_cmp1+0x22/0x80
[ 69.599315][ T8604] ? __sanitizer_cov_trace_const_cmp4+0x1c/0x70
[ 69.605587][ T8604] ? netdev_pick_tx+0x14f/0xb00
[ 69.610455][ T8604] packet_direct_xmit+0x1a5/0x280
[ 69.615581][ T8604] packet_sendmsg+0x241c/0x5300
[ 69.620449][ T8604] ? aa_sk_perm+0x31b/0xab0
[ 69.624995][ T8604] ? packet_create+0xac0/0xac0
[ 69.629774][ T8604] ? aa_af_perm+0x230/0x230
[ 69.634300][ T8604] ? __sanitizer_cov_trace_const_cmp4+0x1c/0x70
[ 69.640548][ T8604] ? packet_create+0xac0/0xac0
[ 69.645315][ T8604] sock_sendmsg+0xcf/0x120
[ 69.649751][ T8604] __sys_sendto+0x21c/0x320
[ 69.654258][ T8604] ? __ia32_sys_getpeername+0xb0/0xb0
[ 69.659629][ T8604] ? lockdep_hardirqs_on_prepare+0x400/0x400
[ 69.665628][ T8604] ? lock_downgrade+0x6e0/0x6e0
[ 69.670490][ T8604] __x64_sys_sendto+0xdd/0x1b0
[ 69.675259][ T8604] ? lockdep_hardirqs_on+0x79/0x100
[ 69.680464][ T8604] ? syscall_enter_from_user_mode+0x27/0x70
[ 69.687292][ T8604] do_syscall_64+0x2d/0x70
[ 69.691821][ T8604] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 69.697757][ T8604] RIP: 0033:0x443aa9
[ 69.701679][ T8604] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 41 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
[ 69.721288][ T8604] RSP: 002b:00007ffcc0f427a8 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
[ 69.729758][ T8604] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000443aa9
[ 69.737726][ T8604] RDX: 000000000000000e RSI: 0000000020000080 RDI: 0000000000000005
[ 69.745711][ T8604] RBP: 0000000000000000 R08: 0000000020000040 R09: 0000000000000014
[ 69.753677][ T8604] R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffcc0f427d0
[ 69.761662][ T8604] R13: 00000000000f4240 R14: 0000000000010f36 R15: 00007ffcc0f427c4
[ 69.769641][ T8604]
[ 69.771952][ T8604] Allocated by task 6372:
[ 69.776261][ T8604] kasan_save_stack+0x1b/0x40
[ 69.780927][ T8604] __kasan_slab_alloc+0x75/0x90
[ 69.785776][ T8604] kmem_cache_alloc+0x155/0x370
[ 69.790622][ T8604] shmem_alloc_inode+0x18/0x40
[ 69.795375][ T8604] alloc_inode+0x61/0x230
[ 69.799708][ T8604] new_inode+0x27/0x2f0
[ 69.803989][ T8604] shmem_get_inode+0x195/0xc20
[ 69.808746][ T8604] shmem_mknod+0x5a/0x1f0
[ 69.813112][ T8604] lookup_open.isra.0+0xfef/0x13d0
[ 69.818247][ T8604] path_openat+0x9b4/0x27e0
[ 69.822759][ T8604] do_filp_open+0x17e/0x3c0
[ 69.827251][ T8604] do_sys_openat2+0x16d/0x420
[ 69.831918][ T8604] __x64_sys_open+0x119/0x1c0
[ 69.836599][ T8604] do_syscall_64+0x2d/0x70
[ 69.841032][ T8604] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 69.847006][ T8604]
[ 69.849315][ T8604] The buggy address belongs to the object at ffff888023e132a0
[ 69.849315][ T8604] which belongs to the cache shmem_inode_cache of size 1312
[ 69.864082][ T8604] The buggy address is located 63 bytes to the right of
[ 69.864082][ T8604] 1312-byte region [ffff888023e132a0, ffff888023e137c0)
[ 69.877909][ T8604] The buggy address belongs to the page:
[ 69.883569][ T8604] page:ffffea00008f8400 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x23e10
[ 69.893819][ T8604] head:ffffea00008f8400 order:3 compound_mapcount:0 compound_pincount:0
[ 69.902247][ T8604] flags: 0xfff00000010200(slab|head)
[ 69.907742][ T8604] raw: 00fff00000010200 dead000000000100 dead000000000122 ffff8880109bda00
[ 69.916467][ T8604] raw: 0000000000000000 0000000000160016 00000001ffffffff 0000000000000000
[ 69.925069][ T8604] page dumped because: kasan: bad access detected
[ 69.931486][ T8604]
[ 69.933809][ T8604] Memory state around the buggy address:
[ 69.939445][ T8604] ffff888023e13680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 69.947617][ T8604] ffff888023e13700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 69.955793][ T8604] >ffff888023e13780: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
[ 69.963871][ T8604] ^
[ 69.971868][ T8604] ffff888023e13800: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
[ 69.979957][ T8604] ffff888023e13880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 69.988042][ T8604] ==================================================================
[ 69.996115][ T8604] Disabling lock debugging due to kernel taint
[ 70.002495][ T8604] Kernel panic - not syncing: panic_on_warn set ...
[ 70.009131][ T8604] CPU: 0 PID: 8604 Comm: syz-executor749 Tainted: G B 5.12.0-rc4-syzkaller #0
[ 70.019436][ T8604] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 70.029521][ T8604] Call Trace:
[ 70.032829][ T8604] dump_stack+0x141/0x1d7
[ 70.037201][ T8604] panic+0x306/0x73d
[ 70.041122][ T8604] ? __warn_printk+0xf3/0xf3
[ 70.045742][ T8604] ? asm_sysvec_apic_timer_interrupt+0x12/0x20
[ 70.051909][ T8604] ? trace_hardirqs_on+0x38/0x1c0
[ 70.056949][ T8604] ? trace_hardirqs_on+0x51/0x1c0
[ 70.062013][ T8604] ? ipvlan_queue_xmit+0x158f/0x18a0
[ 70.067330][ T8604] ? ipvlan_queue_xmit+0x158f/0x18a0
[ 70.072624][ T8604] end_report.cold+0x5a/0x5a
[ 70.077540][ T8604] kasan_report.cold+0x6a/0xd8
[ 70.082314][ T8604] ? ipvlan_queue_xmit+0x158f/0x18a0
[ 70.087635][ T8604] ipvlan_queue_xmit+0x158f/0x18a0
[ 70.092776][ T8604] ? ipvlan_handle_mode_l3+0x140/0x140
[ 70.098265][ T8604] ? skb_network_protocol+0x148/0x580
[ 70.103649][ T8604] ? skb_crc32c_csum_help+0x70/0x70
[ 70.108980][ T8604] ? lockdep_hardirqs_on_prepare+0x400/0x400
[ 70.115163][ T8604] ? __might_fault+0xd3/0x180
[ 70.119989][ T8604] ? lock_downgrade+0x6e0/0x6e0
[ 70.125106][ T8604] ? __sanitizer_cov_trace_const_cmp1+0x22/0x80
[ 70.131494][ T8604] ? validate_xmit_xfrm+0x498/0x1080
[ 70.136956][ T8604] ? netif_skb_features+0x38d/0xb90
[ 70.142181][ T8604] ipvlan_start_xmit+0x45/0x190
[ 70.147087][ T8604] __dev_direct_xmit+0x527/0x730
[ 70.152056][ T8604] ? validate_xmit_skb_list+0x120/0x120
[ 70.157736][ T8604] ? __sanitizer_cov_trace_const_cmp1+0x22/0x80
[ 70.164262][ T8604] ? __sanitizer_cov_trace_const_cmp4+0x1c/0x70
[ 70.170514][ T8604] ? netdev_pick_tx+0x14f/0xb00
[ 70.175463][ T8604] packet_direct_xmit+0x1a5/0x280
[ 70.180495][ T8604] packet_sendmsg+0x241c/0x5300
[ 70.185376][ T8604] ? aa_sk_perm+0x31b/0xab0
[ 70.189891][ T8604] ? packet_create+0xac0/0xac0
[ 70.194674][ T8604] ? aa_af_perm+0x230/0x230
[ 70.199206][ T8604] ? __sanitizer_cov_trace_const_cmp4+0x1c/0x70
[ 70.205451][ T8604] ? packet_create+0xac0/0xac0
[ 70.210233][ T8604] sock_sendmsg+0xcf/0x120
[ 70.214663][ T8604] __sys_sendto+0x21c/0x320
[ 70.219197][ T8604] ? __ia32_sys_getpeername+0xb0/0xb0
[ 70.224601][ T8604] ? lockdep_hardirqs_on_prepare+0x400/0x400
[ 70.230600][ T8604] ? lock_downgrade+0x6e0/0x6e0
[ 70.235470][ T8604] __x64_sys_sendto+0xdd/0x1b0
[ 70.240242][ T8604] ? lockdep_hardirqs_on+0x79/0x100
[ 70.245450][ T8604] ? syscall_enter_from_user_mode+0x27/0x70
[ 70.251368][ T8604] do_syscall_64+0x2d/0x70
[ 70.255799][ T8604] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 70.261727][ T8604] RIP: 0033:0x443aa9
[ 70.265688][ T8604] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 41 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
[ 70.285452][ T8604] RSP: 002b:00007ffcc0f427a8 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
[ 70.293948][ T8604] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000443aa9
[ 70.301931][ T8604] RDX: 000000000000000e RSI: 0000000020000080 RDI: 0000000000000005
[ 70.309911][ T8604] RBP: 0000000000000000 R08: 0000000020000040 R09: 0000000000000014
[ 70.318221][ T8604] R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffcc0f427d0
[ 70.326203][ T8604] R13: 00000000000f4240 R14: 0000000000010f36 R15: 00007ffcc0f427c4
[ 70.334670][ T8604] Kernel Offset: disabled
[ 70.339004][ T8604] Rebooting in 86400 seconds..