./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor3717445882 <...> forked to background, child pid 3183 no interfaces have a carri[ 21.001039][ T3184] 8021q: adding VLAN 0 to HW filter on device bond0 er [ 21.017859][ T3184] eql: remember to turn off Van-Jacobson compression on your slave devices Starting sshd: OK syzkaller Warning: Permanently added '10.128.0.99' (ECDSA) to the list of known hosts. execve("./syz-executor3717445882", ["./syz-executor3717445882"], 0x7ffcf24217f0 /* 10 vars */) = 0 brk(NULL) = 0x55555723f000 brk(0x55555723fc40) = 0x55555723fc40 arch_prctl(ARCH_SET_FS, 0x55555723f300) = 0 uname({sysname="Linux", nodename="syzkaller", ...}) = 0 set_tid_address(0x55555723f5d0) = 3612 set_robust_list(0x55555723f5e0, 24) = 0 rt_sigaction(SIGRTMIN, {sa_handler=0x7fe866b48630, sa_mask=[], sa_flags=SA_RESTORER|SA_SIGINFO, sa_restorer=0x7fe866b48d00}, NULL, 8) = 0 rt_sigaction(SIGRT_1, {sa_handler=0x7fe866b486d0, sa_mask=[], sa_flags=SA_RESTORER|SA_RESTART|SA_SIGINFO, sa_restorer=0x7fe866b48d00}, NULL, 8) = 0 rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 prlimit64(0, RLIMIT_STACK, NULL, {rlim_cur=8192*1024, rlim_max=RLIM64_INFINITY}) = 0 readlink("/proc/self/exe", "/root/syz-executor3717445882", 4096) = 28 brk(0x555557260c40) = 0x555557260c40 brk(0x555557261000) = 0x555557261000 mprotect(0x7fe866c08000, 16384, PROT_READ) = 0 mmap(0x1ffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffff000 mmap(0x20000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x20000000 mmap(0x21000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x21000000 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 3613 attached , child_tidptr=0x55555723f5d0) = 3613 [pid 3613] set_robust_list(0x55555723f5e0, 24) = 0 [pid 3613] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 3613] setpgid(0, 0) = 0 [pid 3613] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 3613] write(3, "1000", 4) = 4 [pid 3613] close(3) = 0 [pid 3613] futex(0x7fe866c0e42c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3613] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fe866b18000 [pid 3613] mprotect(0x7fe866b19000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3613] clone(child_stack=0x7fe866b383f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID./strace-static-x86_64: Process 3614 attached [pid 3614] set_robust_list(0x7fe866b389e0, 24 [pid 3613] <... clone resumed>, parent_tid=[3614], tls=0x7fe866b38700, child_tidptr=0x7fe866b389d0) = 3614 [pid 3614] <... set_robust_list resumed>) = 0 [pid 3613] futex(0x7fe866c0e428, FUTEX_WAKE_PRIVATE, 1000000 [pid 3614] socket(AF_CAN, SOCK_RAW, CAN_RAW [pid 3613] <... futex resumed>) = 0 [pid 3613] futex(0x7fe866c0e42c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 3614] <... socket resumed>) = 3 [pid 3614] futex(0x7fe866c0e42c, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 3614] futex(0x7fe866c0e428, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3613] <... futex resumed>) = 0 [pid 3613] futex(0x7fe866c0e428, FUTEX_WAKE_PRIVATE, 1000000 [pid 3614] <... futex resumed>) = 0 [pid 3613] <... futex resumed>) = 1 [pid 3614] socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE [pid 3613] futex(0x7fe866c0e42c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 3614] <... socket resumed>) = 4 [pid 3614] futex(0x7fe866c0e42c, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 3614] futex(0x7fe866c0e428, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3613] <... futex resumed>) = 0 [pid 3613] futex(0x7fe866c0e428, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 3613] futex(0x7fe866c0e42c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 3614] <... futex resumed>) = 0 [pid 3614] socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE) = 5 [pid 3614] futex(0x7fe866c0e42c, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 3613] <... futex resumed>) = 0 [pid 3613] futex(0x7fe866c0e428, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3613] futex(0x7fe866c0e42c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 3614] socket(AF_NETLINK, SOCK_RAW|SOCK_NONBLOCK, NETLINK_ROUTE) = 6 [pid 3614] futex(0x7fe866c0e42c, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 3613] <... futex resumed>) = 0 [pid 3613] futex(0x7fe866c0e428, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3613] futex(0x7fe866c0e42c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 3614] sendmsg(6, {msg_name=NULL, msg_namelen=0, msg_iov=[{iov_base=NULL, iov_len=28}], msg_iovlen=1, msg_controllen=0, msg_flags=0}, 0) = -1 EFAULT (Bad address) [pid 3614] futex(0x7fe866c0e42c, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 3613] <... futex resumed>) = 0 [pid 3614] futex(0x7fe866c0e428, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3613] futex(0x7fe866c0e428, FUTEX_WAKE_PRIVATE, 1000000 [pid 3614] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 3613] <... futex resumed>) = 0 [pid 3614] getsockname(6, [pid 3613] futex(0x7fe866c0e42c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 3614] <... getsockname resumed>{sa_family=AF_NETLINK, nl_pid=3613, nl_groups=00000000}, [20 => 12]) = 0 [pid 3614] futex(0x7fe866c0e42c, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 3613] <... futex resumed>) = 0 [pid 3614] futex(0x7fe866c0e428, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3613] futex(0x7fe866c0e428, FUTEX_WAKE_PRIVATE, 1000000 [pid 3614] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 3613] <... futex resumed>) = 0 [pid 3614] sendmsg(5, {msg_name=NULL, msg_namelen=0, msg_iov=[{iov_base="\x3c\x00\x00\x00\x10\x00\x85\x06\x00\x00\x00\x00\xfe\x61\x22\x31\x4a\x00\x08\x00\x1d\x0e\x00\x00\x23\x77\xf2\x92\x25\x21\x55\xb2\x1c\x00\x12\x00\x0c\x00\x01\x00\x62\x6f\x6e\x64\x00\x00\x00\x00\x0c\x00\x02\x00\x08\x00\x01\x00\x01\x00\x00\x00", iov_len=60}], msg_iovlen=1, msg_controllen=0, msg_flags=0}, 0 [pid 3613] futex(0x7fe866c0e42c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}) = -1 ETIMEDOUT (Connection timed out) syzkaller login: [ 36.798596][ T3614] netlink: 'syz-executor371': attribute type 1 has an invalid length. [ 36.816353][ T3614] device bond1 entered promiscuous mode [pid 3613] futex(0x7fe866c0e43c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3613] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fe866af7000 [pid 3613] mprotect(0x7fe866af8000, 131072, PROT_READ|PROT_WRITE [pid 3614] <... sendmsg resumed>) = 60 [pid 3614] futex(0x7fe866c0e42c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3614] futex(0x7fe866c0e428, FUTEX_WAIT_PRIVATE, 0, NULL [pid 3613] <... mprotect resumed>) = 0 [pid 3613] clone(child_stack=0x7fe866b173f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[3624], tls=0x7fe866b17700, child_tidptr=0x7fe866b179d0) = 3624 [pid 3613] futex(0x7fe866c0e438, FUTEX_WAKE_PRIVATE, 1000000) = 0 ./strace-static-x86_64: Process 3624 attached [pid 3624] set_robust_list(0x7fe866b179e0, 24) = 0 [pid 3624] sendmsg(4, {msg_name=NULL, msg_namelen=0, msg_iov=[{iov_base="\x50\x00\x00\x00\x10\x00\x1f\xff\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x28\x00\x12\x80\x0a\x00\x01\x00\x76\x78\x63\x61\x6e\x00\x00\x00\x18\x00\x02\x80\x14\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x08\x00\x0a\x00\x1d\x0e\x00\x00", iov_len=80}], msg_iovlen=1, msg_controllen=0, msg_flags=0}, 0 [ 36.842809][ T3614] 8021q: adding VLAN 0 to HW filter on device bond1 [pid 3613] futex(0x7fe866c0e43c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}) = -1 ETIMEDOUT (Connection timed out) [pid 3613] futex(0x7fe866c0e428, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 3614] <... futex resumed>) = 0 [pid 3614] bind(3, {sa_family=AF_CAN, sa_data="\x00\x00\x1d\x0e\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"}, 16 [ 36.886733][ T3624] bond1: (slave vxcan1): The slave device specified does not support setting the MAC address [ 36.908259][ T3624] bond1: (slave vxcan1): Setting fail_over_mac to active for active-backup mode [ 36.918580][ T3624] bond1: (slave vxcan1): Error -22 calling dev_set_mtu [ 36.927397][ T3614] general protection fault, probably for non-canonical address 0xdffffc0000000001: 0000 [#1] PREEMPT SMP KASAN [ 36.939138][ T3614] KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f] [ 36.947641][ T3614] CPU: 0 PID: 3614 Comm: syz-executor371 Not tainted 5.19.0-rc4-syzkaller-00187-g089866061428 #0 [ 36.958153][ T3614] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/29/2022 [ 36.968217][ T3614] RIP: 0010:can_rx_register+0x365/0x6a0 [ 36.973797][ T3614] Code: ee 03 49 89 4f 30 80 3c 16 00 0f 85 e3 02 00 00 48 8b 4c 24 18 48 89 c6 48 ba 00 00 00 00 00 fc ff df 48 c1 ee 03 49 89 4f 38 <80> 3c 16 00 0f 85 aa 02 00 00 48 ba 00 00 00 00 00 fc ff df 4c 89 [ 36.993403][ T3614] RSP: 0018:ffffc900033cfc10 EFLAGS: 00010212 [ 36.999550][ T3614] RAX: 0000000000000008 RBX: 0000000000000000 RCX: ffff888017483000 [ 37.007511][ T3614] RDX: dffffc0000000000 RSI: 0000000000000001 RDI: ffff88801c466038 [ 37.015470][ T3614] RBP: ffff88814a512ec0 R08: 0000000000000005 R09: 0000000000000000 [ 37.023524][ T3614] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000 [ 37.031486][ T3614] R13: 1ffff92000679f87 R14: ffffffff912cc2c8 R15: ffff88801c466000 [ 37.039464][ T3614] FS: 00007fe866b38700(0000) GS:ffff8880b9a00000(0000) knlGS:0000000000000000 [ 37.048469][ T3614] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 37.055128][ T3614] CR2: 00007fff2db40e30 CR3: 0000000018247000 CR4: 0000000000350ef0 [ 37.063086][ T3614] Call Trace: [ 37.066351][ T3614] [ 37.069268][ T3614] ? raw_enable_filters+0x200/0x200 [ 37.074464][ T3614] ? can_sock_destruct+0x30/0x30 [ 37.079385][ T3614] ? find_held_lock+0x2d/0x110 [ 37.084150][ T3614] ? dev_get_by_index+0x1f0/0x340 [ 37.089165][ T3614] raw_enable_filters+0xe2/0x200 [ 37.094101][ T3614] raw_enable_allfilters+0x82/0x290 [ 37.099292][ T3614] raw_bind+0x2ba/0xb50 [ 37.103437][ T3614] ? bpf_lsm_socket_bind+0x5/0x10 [ 37.108449][ T3614] ? security_socket_bind+0x83/0xb0 [ 37.113635][ T3614] __sys_bind+0x1e9/0x250 [ 37.117959][ T3614] ? __ia32_sys_socketpair+0xf0/0xf0 [ 37.123239][ T3614] ? _raw_spin_unlock_irq+0x1f/0x40 [ 37.128435][ T3614] ? _raw_spin_unlock_irq+0x1f/0x40 [ 37.133624][ T3614] ? lockdep_hardirqs_on+0x79/0x100 [ 37.138815][ T3614] ? _raw_spin_unlock_irq+0x2a/0x40 [ 37.144011][ T3614] __x64_sys_bind+0x6f/0xb0 [ 37.148506][ T3614] do_syscall_64+0x35/0xb0 [ 37.152914][ T3614] entry_SYSCALL_64_after_hwframe+0x46/0xb0 [ 37.158803][ T3614] RIP: 0033:0x7fe866b86d19 [ 37.163205][ T3614] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 11 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 [pid 3613] futex(0x7fe866c0e42c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}) = -1 ETIMEDOUT (Connection timed out) [pid 3613] futex(0x7fe866c0e44c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 3613] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fe866ad6000 [pid 3613] mprotect(0x7fe866ad7000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 3613] clone(child_stack=0x7fe866af63f0, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, parent_tid=[3634], tls=0x7fe866af6700, child_tidptr=0x7fe866af69d0) = 3634 [pid 3613] futex(0x7fe866c0e448, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 37.182807][ T3614] RSP: 002b:00007fe866b38318 EFLAGS: 00000246 ORIG_RAX: 0000000000000031 [ 37.191209][ T3614] RAX: ffffffffffffffda RBX: 00007fe866c0e428 RCX: 00007fe866b86d19 [ 37.199168][ T3614] RDX: 0000000000000010 RSI: 0000000020000040 RDI: 0000000000000003 [ 37.207127][ T3614] RBP: 00007fe866c0e420 R08: 0000000000000000 R09: 0000000000000000 [ 37.215084][ T3614] R10: 0000000000000000 R11: 0000000000000246 R12: 00007fe866bdc064 [ 37.223040][ T3614] R13: 00007ffdbdd3656f R14: 00007fe866b38400 R15: 0000000000022000 [ 37.231007][ T3614] [ 37.234012][ T3614] Modules linked in: [pid 3613] futex(0x7fe866c0e44c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}) = -1 ETIMEDOUT (Connection timed out) ./strace-static-x86_64: Process 3634 attached [pid 3634] set_robust_list(0x7fe866af69e0, 24) = 0 [pid 3634] splice(-1, NULL, -1, NULL, 32768, 0) = -1 EBADF (Bad file descriptor) [pid 3634] futex(0x7fe866c0e44c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [ 37.237952][ T3614] ---[ end trace 0000000000000000 ]--- [ 37.243428][ T3614] RIP: 0010:can_rx_register+0x365/0x6a0 [ 37.249176][ T3614] Code: ee 03 49 89 4f 30 80 3c 16 00 0f 85 e3 02 00 00 48 8b 4c 24 18 48 89 c6 48 ba 00 00 00 00 00 fc ff df 48 c1 ee 03 49 89 4f 38 <80> 3c 16 00 0f 85 aa 02 00 00 48 ba 00 00 00 00 00 fc ff df 4c 89 [ 37.268829][ T3614] RSP: 0018:ffffc900033cfc10 EFLAGS: 00010212 [ 37.274923][ T3614] RAX: 0000000000000008 RBX: 0000000000000000 RCX: ffff888017483000 [ 37.282908][ T3614] RDX: dffffc0000000000 RSI: 0000000000000001 RDI: ffff88801c466038 [ 37.290932][ T3614] RBP: ffff88814a512ec0 R08: 0000000000000005 R09: 0000000000000000 [ 37.298917][ T3614] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000 [ 37.306943][ T3614] R13: 1ffff92000679f87 R14: ffffffff912cc2c8 R15: ffff88801c466000 [ 37.314961][ T3614] FS: 00007fe866b38700(0000) GS:ffff8880b9a00000(0000) knlGS:0000000000000000 [ 37.323941][ T3614] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 37.330626][ T3614] CR2: 00007fff2db40e30 CR3: 0000000018247000 CR4: 0000000000350ef0 [ 37.338637][ T3614] Kernel panic - not syncing: Fatal exception in interrupt [ 37.346515][ T3614] Kernel Offset: disabled [ 37.350827][ T3614] Rebooting in 86400 seconds..