[ OK ] Started Getty on tty2.
[ OK ] Started Serial Getty on ttyS0.
[ OK ] Started Getty on tty1.
[ OK ] Reached target Login Prompts.
[ OK ] Reached target Multi-User System.
[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
[ OK ] Started Update UTMP about System Runlevel Changes.
Starting Load/Save RF Kill Switch Status...
[ OK ] Started Load/Save RF Kill Switch Status.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.0.215' (ECDSA) to the list of known hosts.

syzkaller login: [ 61.529324][ T7059] IPVS: ftp: loaded support on port[0] = 21
[ 61.626993][ T7059] chnl_net:caif_netlink_parms(): no params data found
[ 61.679231][ T7059] bridge0: port 1(bridge_slave_0) entered blocking state
[ 61.687248][ T7059] bridge0: port 1(bridge_slave_0) entered disabled state
[ 61.698814][ T7059] device bridge_slave_0 entered promiscuous mode
[ 61.708178][ T7059] bridge0: port 2(bridge_slave_1) entered blocking state
[ 61.716744][ T7059] bridge0: port 2(bridge_slave_1) entered disabled state
[ 61.724567][ T7059] device bridge_slave_1 entered promiscuous mode
[ 61.746756][ T7059] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 61.758169][ T7059] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 61.781593][ T7059] team0: Port device team_slave_0 added
[ 61.789280][ T7059] team0: Port device team_slave_1 added
[ 61.808363][ T7059] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 61.815894][ T7059] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 61.844191][ T7059] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[ 61.858026][ T7059] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 61.865925][ T7059] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 61.893177][ T7059] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[ 61.959381][ T7059] device hsr_slave_0 entered promiscuous mode
[ 62.016728][ T7059] device hsr_slave_1 entered promiscuous mode
[ 62.151046][ T7059] netdevsim netdevsim0 netdevsim0: renamed from eth0
[ 62.209338][ T7059] netdevsim netdevsim0 netdevsim1: renamed from eth1
[ 62.267938][ T7059] netdevsim netdevsim0 netdevsim2: renamed from eth2
[ 62.328494][ T7059] netdevsim netdevsim0 netdevsim3: renamed from eth3
[ 62.402971][ T7059] bridge0: port 2(bridge_slave_1) entered blocking state
[ 62.410484][ T7059] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 62.419074][ T7059] bridge0: port 1(bridge_slave_0) entered blocking state
[ 62.426312][ T7059] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 62.475190][ T7059] 8021q: adding VLAN 0 to HW filter on device bond0
[ 62.490522][ T2700] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 62.500878][ T2700] bridge0: port 1(bridge_slave_0) entered disabled state
[ 62.509892][ T2700] bridge0: port 2(bridge_slave_1) entered disabled state
[ 62.519616][ T2700] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 62.533865][ T7059] 8021q: adding VLAN 0 to HW filter on device team0
[ 62.546612][ T3458] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 62.556934][ T3458] bridge0: port 1(bridge_slave_0) entered blocking state
[ 62.564121][ T3458] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 62.587294][ T2691] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 62.597738][ T2691] bridge0: port 2(bridge_slave_1) entered blocking state
[ 62.604975][ T2691] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 62.613159][ T2691] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 62.635251][ T7059] hsr0: Slave A (hsr_slave_0) is not up; please bring it up to get a fully working HSR network
[ 62.646765][ T7059] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
[ 62.660839][ T3458] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 62.669069][ T3458] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 62.677893][ T3458] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 62.687564][ T3458] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 62.697361][ T3458] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 62.717890][ T3458] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 62.726141][ T3458] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 62.741847][ T7059] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 62.762171][ T3458] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_virt_wifi: link becomes ready
[ 62.771737][ T3458] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 62.792790][ T2700] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_vlan: link becomes ready
[ 62.801797][ T2700] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 62.811780][ T2700] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 62.820023][ T2700] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 62.830524][ T7059] device veth0_vlan entered promiscuous mode
[ 62.843537][ T7059] device veth1_vlan entered promiscuous mode
[ 62.864639][ T3458] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan0: link becomes ready
[ 62.873492][ T3458] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan1: link becomes ready
[ 62.881968][ T3458] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_macvtap: link becomes ready
[ 62.890837][ T3458] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 62.901906][ T7059] device veth0_macvtap entered promiscuous mode
[ 62.913510][ T7059] device veth1_macvtap entered promiscuous mode
[ 62.932423][ T7059] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 62.940387][ T2700] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready
[ 62.950662][ T2700] IPv6: ADDRCONF(NETDEV_CHANGE): macsec0: link becomes ready
[ 62.959229][ T2700] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready
[ 62.968151][ T2700] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 62.980315][ T7059] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 62.988787][ T7267] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready
[ 62.998234][ T7267] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
executing program
[ 66.265672][ C1] ==================================================================
[ 66.274183][ C1] BUG: KASAN: slab-out-of-bounds in ip_icmp_error+0x52a/0x5a0
[ 66.282350][ C1] Read of size 1 at addr ffff888094a5c7ff by task ksoftirqd/1/16
[ 66.290059][ C1]
[ 66.292381][ C1] CPU: 1 PID: 16 Comm: ksoftirqd/1 Not tainted 5.7.0-rc6-syzkaller #0
[ 66.300534][ C1] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 66.310616][ C1] Call Trace:
[ 66.313912][ C1] dump_stack+0x188/0x20d
[ 66.318410][ C1] print_address_description.constprop.0.cold+0xd3/0x413
[ 66.325436][ C1] ? skb_splice_bits+0x1a0/0x1a0
[ 66.330399][ C1] ? __kasan_kmalloc.constprop.0+0xbf/0xd0
[ 66.336211][ C1] ? vprintk_func+0x81/0x17e
[ 66.340807][ C1] ? ip_icmp_error+0x52a/0x5a0
[ 66.345575][ C1] __kasan_report.cold+0x20/0x38
[ 66.351989][ C1] ? ip_icmp_error+0x52a/0x5a0
[ 66.356755][ C1] ? ip_icmp_error+0x52a/0x5a0
[ 66.361533][ C1] kasan_report+0x33/0x50
[ 66.365860][ C1] ip_icmp_error+0x52a/0x5a0
[ 66.370470][ C1] tcp_v4_err+0x9b2/0x1d00
[ 66.375002][ C1] ? tcp_v4_do_rcv+0x8b0/0x8b0
[ 66.379782][ C1] icmp_socket_deliver+0x1e4/0x360
[ 66.384892][ C1] icmp_unreach+0x33b/0xab0
[ 66.389407][ C1] icmp_rcv+0xee6/0x15f0
[ 66.393661][ C1] ip_protocol_deliver_rcu+0x57/0x880
[ 66.399043][ C1] ip_local_deliver_finish+0x220/0x360
[ 66.404507][ C1] ip_local_deliver+0x1c8/0x4e0
[ 66.409377][ C1] ? ip_local_deliver_finish+0x360/0x360
[ 66.415008][ C1] ? ip_rcv+0x24e/0x3c0
[ 66.419166][ C1] ? ip_protocol_deliver_rcu+0x880/0x880
[ 66.424807][ C1] ? lock_downgrade+0x840/0x840
[ 66.429776][ C1] ? ip_rcv_finish_core.isra.0+0x606/0x1ec0
[ 66.435782][ C1] ip_rcv_finish+0x1da/0x2f0
[ 66.440658][ C1] ip_rcv+0xd0/0x3c0
[ 66.444718][ C1] ? ip_local_deliver+0x4e0/0x4e0
[ 66.449747][ C1] ? ip_rcv_finish_core.isra.0+0x1ec0/0x1ec0
[ 66.456543][ C1] ? ip_local_deliver+0x4e0/0x4e0
[ 66.461768][ C1] __netif_receive_skb_one_core+0x114/0x180
[ 66.468544][ C1] ? __netif_receive_skb_core+0x31c0/0x31c0
[ 66.474453][ C1] ? do_raw_spin_lock+0x129/0x2e0
[ 66.480011][ C1] ? rwlock_bug.part.0+0x90/0x90
[ 66.485156][ C1] __netif_receive_skb+0x27/0x1c0
[ 66.490321][ C1] process_backlog+0x21e/0x7a0
[ 66.495346][ C1] ? net_rx_action+0x25f/0x1070
[ 66.500345][ C1] net_rx_action+0x4c2/0x1070
[ 66.505119][ C1] ? napi_busy_loop+0x9e0/0x9e0
[ 66.509976][ C1] ? rcu_read_lock_any_held.part.0+0x50/0x50
[ 66.516399][ C1] __do_softirq+0x26c/0x9f7
[ 66.521249][ C1] ? takeover_tasklets+0x810/0x810
[ 66.526359][ C1] run_ksoftirqd+0x89/0x100
[ 66.531045][ C1] smpboot_thread_fn+0x653/0x9e0
[ 66.535994][ C1] ? __smpboot_create_thread.part.0+0x340/0x340
[ 66.542316][ C1] ? __kthread_parkme+0x13f/0x1e0
[ 66.548383][ C1] ? __smpboot_create_thread.part.0+0x340/0x340
[ 66.554979][ C1] kthread+0x388/0x470
[ 66.559054][ C1] ? kthread_mod_delayed_work+0x1a0/0x1a0
[ 66.564792][ C1] ret_from_fork+0x24/0x30
[ 66.569201][ C1]
[ 66.571514][ C1] Allocated by task 4121:
[ 66.575834][ C1] save_stack+0x1b/0x40
[ 66.579990][ C1] __kasan_kmalloc.constprop.0+0xbf/0xd0
[ 66.585612][ C1] __kmalloc_reserve.isra.0+0x39/0xe0
[ 66.591071][ C1] __alloc_skb+0xef/0x5a0
[ 66.595406][ C1] netlink_sendmsg+0x97b/0xe10
[ 66.600162][ C1] sock_sendmsg+0xcf/0x120
[ 66.604576][ C1] ____sys_sendmsg+0x6e6/0x810
[ 66.609773][ C1] ___sys_sendmsg+0x100/0x170
[ 66.614441][ C1] __sys_sendmsg+0xe5/0x1b0
[ 66.618945][ C1] do_syscall_64+0xf6/0x7d0
[ 66.623440][ C1] entry_SYSCALL_64_after_hwframe+0x49/0xb3
[ 66.629314][ C1]
[ 66.631630][ C1] Freed by task 7004:
[ 66.635609][ C1] save_stack+0x1b/0x40
[ 66.639763][ C1] __kasan_slab_free+0xf7/0x140
[ 66.645215][ C1] kfree+0x109/0x2b0
[ 66.649111][ C1] skb_free_head+0x8b/0xa0
[ 66.653516][ C1] skb_release_data+0x42e/0x8b0
[ 66.658357][ C1] skb_release_all+0x46/0x60
[ 66.662951][ C1] consume_skb+0xf3/0x400
[ 66.667271][ C1] skb_free_datagram+0x16/0xf0
[ 66.672304][ C1] netlink_recvmsg+0x65e/0xee0
[ 66.677058][ C1] sock_recvmsg+0xca/0x110
[ 66.681466][ C1] ____sys_recvmsg+0x208/0x580
[ 66.686224][ C1] ___sys_recvmsg+0xe4/0x150
[ 66.690891][ C1] __sys_recvmsg+0xe2/0x1a0
[ 66.695385][ C1] do_syscall_64+0xf6/0x7d0
[ 66.699881][ C1] entry_SYSCALL_64_after_hwframe+0x49/0xb3
[ 66.705765][ C1]
[ 66.708096][ C1] The buggy address belongs to the object at ffff888094a5c400
[ 66.708096][ C1]  which belongs to the cache kmalloc-512 of size 512
[ 66.722246][ C1] The buggy address is located 511 bytes to the right of
[ 66.722246][ C1]  512-byte region [ffff888094a5c400, ffff888094a5c600)
[ 66.736305][ C1] The buggy address belongs to the page:
[ 66.742209][ C1] page:ffffea0002529700 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0
[ 66.751323][ C1] flags: 0xfffe0000000200(slab)
[ 66.756164][ C1] raw: 00fffe0000000200 ffffea0002791a08 ffffea00027b3008 ffff8880aa000a80
[ 66.764909][ C1] raw: 0000000000000000 ffff888094a5c000 0000000100000004 0000000000000000
[ 66.773489][ C1] page dumped because: kasan: bad access detected
[ 66.779892][ C1]
[ 66.782222][ C1] Memory state around the buggy address:
[ 66.787837][ C1]  ffff888094a5c680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 66.795896][ C1]  ffff888094a5c700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 66.804654][ C1] >ffff888094a5c780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 66.812735][ C1]                                                                 ^
[ 66.821967][ C1]  ffff888094a5c800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 66.830298][ C1]  ffff888094a5c880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 66.838369][ C1] ==================================================================
[ 66.846433][ C1] Disabling lock debugging due to kernel taint
[ 66.852669][ C1] Kernel panic - not syncing: panic_on_warn set ...
[ 66.859279][ C1] CPU: 1 PID: 16 Comm: ksoftirqd/1 Tainted: G B 5.7.0-rc6-syzkaller #0
[ 66.868823][ C1] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 66.878899][ C1] Call Trace:
[ 66.882195][ C1] dump_stack+0x188/0x20d
[ 66.886532][ C1] panic+0x2e3/0x75c
[ 66.890446][ C1] ? add_taint.cold+0x16/0x16
[ 66.895141][ C1] ? ip_icmp_error+0x52a/0x5a0
[ 66.899934][ C1] ? trace_hardirqs_on+0x55/0x220
[ 66.905073][ C1] ? ip_icmp_error+0x52a/0x5a0
[ 66.909823][ C1] end_report+0x4d/0x53
[ 66.914000][ C1] __kasan_report.cold+0xd/0x38
[ 66.918843][ C1] ? ip_icmp_error+0x52a/0x5a0
[ 66.923601][ C1] ? ip_icmp_error+0x52a/0x5a0
[ 66.928352][ C1] kasan_report+0x33/0x50
[ 66.932758][ C1] ip_icmp_error+0x52a/0x5a0
[ 66.937377][ C1] tcp_v4_err+0x9b2/0x1d00
[ 66.941806][ C1] ? tcp_v4_do_rcv+0x8b0/0x8b0
[ 66.946560][ C1] icmp_socket_deliver+0x1e4/0x360
[ 66.951683][ C1] icmp_unreach+0x33b/0xab0
[ 66.956460][ C1] icmp_rcv+0xee6/0x15f0
[ 66.960713][ C1] ip_protocol_deliver_rcu+0x57/0x880
[ 66.966090][ C1] ip_local_deliver_finish+0x220/0x360
[ 66.971545][ C1] ip_local_deliver+0x1c8/0x4e0
[ 66.976455][ C1] ? ip_local_deliver_finish+0x360/0x360
[ 66.982075][ C1] ? ip_rcv+0x24e/0x3c0
[ 66.986218][ C1] ? ip_protocol_deliver_rcu+0x880/0x880
[ 66.991915][ C1] ? lock_downgrade+0x840/0x840
[ 66.996772][ C1] ? ip_rcv_finish_core.isra.0+0x606/0x1ec0
[ 67.002668][ C1] ip_rcv_finish+0x1da/0x2f0
[ 67.007359][ C1] ip_rcv+0xd0/0x3c0
[ 67.011244][ C1] ? ip_local_deliver+0x4e0/0x4e0
[ 67.016257][ C1] ? ip_rcv_finish_core.isra.0+0x1ec0/0x1ec0
[ 67.022218][ C1] ? ip_local_deliver+0x4e0/0x4e0
[ 67.027239][ C1] __netif_receive_skb_one_core+0x114/0x180
[ 67.033131][ C1] ? __netif_receive_skb_core+0x31c0/0x31c0
[ 67.039042][ C1] ? do_raw_spin_lock+0x129/0x2e0
[ 67.044064][ C1] ? rwlock_bug.part.0+0x90/0x90
[ 67.049020][ C1] __netif_receive_skb+0x27/0x1c0
[ 67.054038][ C1] process_backlog+0x21e/0x7a0
[ 67.058807][ C1] ? net_rx_action+0x25f/0x1070
[ 67.063652][ C1] net_rx_action+0x4c2/0x1070
[ 67.068318][ C1] ? napi_busy_loop+0x9e0/0x9e0
[ 67.073160][ C1] ? rcu_read_lock_any_held.part.0+0x50/0x50
[ 67.079136][ C1] __do_softirq+0x26c/0x9f7
[ 67.083686][ C1] ? takeover_tasklets+0x810/0x810
[ 67.088799][ C1] run_ksoftirqd+0x89/0x100
[ 67.093419][ C1] smpboot_thread_fn+0x653/0x9e0
[ 67.098351][ C1] ? __smpboot_create_thread.part.0+0x340/0x340
[ 67.104578][ C1] ? __kthread_parkme+0x13f/0x1e0
[ 67.109593][ C1] ? __smpboot_create_thread.part.0+0x340/0x340
[ 67.115836][ C1] kthread+0x388/0x470
[ 67.120186][ C1] ? kthread_mod_delayed_work+0x1a0/0x1a0
[ 67.125904][ C1] ret_from_fork+0x24/0x30
[ 67.131674][ C1] Kernel Offset: disabled
[ 67.136615][ C1] Rebooting in 86400 seconds..
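The report above is the whole of what this log records. As an added example, not part of the syzkaller log or of the kernel, the following Python script parses a generic-KASAN slab report of this shape and pulls out what a triager checks first: the bug class and faulting function, the reliable frames of the call trace with the "? " guesses dropped, where the access lies relative to the nearest slab object (KASAN's own "N bytes to the right of" arithmetic), and whether the shadow byte at the faulting address agrees with the reported class. The SAMPLE string is an abridged copy of the report above, constructed for the script with the printk prefixes kept; all function and regex names are the example's own.

```python
"""Triage a generic-KASAN slab report of the shape in the syzkaller log above.
Added example, not part of the log or of the kernel. SAMPLE is an abridged copy
of the report above, constructed for this script, with printk prefixes kept."""
import re

SAMPLE = """\
[ 66.274183][ C1] BUG: KASAN: slab-out-of-bounds in ip_icmp_error+0x52a/0x5a0
[ 66.282350][ C1] Read of size 1 at addr ffff888094a5c7ff by task ksoftirqd/1/16
[ 66.310616][ C1] Call Trace:
[ 66.340807][ C1] ? ip_icmp_error+0x52a/0x5a0
[ 66.361533][ C1] kasan_report+0x33/0x50
[ 66.365860][ C1] ip_icmp_error+0x52a/0x5a0
[ 66.370470][ C1] tcp_v4_err+0x9b2/0x1d00
[ 66.516399][ C1] __do_softirq+0x26c/0x9f7
[ 66.569201][ C1]
[ 66.571514][ C1] Allocated by task 4121:
[ 66.591071][ C1] __alloc_skb+0xef/0x5a0
[ 66.595406][ C1] netlink_sendmsg+0x97b/0xe10
[ 66.629314][ C1]
[ 66.631630][ C1] Freed by task 7004:
[ 66.649111][ C1] skb_free_head+0x8b/0xa0
[ 66.672304][ C1] netlink_recvmsg+0x65e/0xee0
[ 66.705765][ C1]
[ 66.708096][ C1]  which belongs to the cache kmalloc-512 of size 512
[ 66.722246][ C1]  512-byte region [ffff888094a5c400, ffff888094a5c600)
[ 66.804654][ C1] >ffff888094a5c780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 66.821967][ C1]  ffff888094a5c800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
"""

PREFIX = re.compile(r"^\[\s*[\d.]+\]\[\s*[TC]\d+\] ?")            # "[ 66.27][ C1] "
FRAME = re.compile(r"^(\? )?([\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+$")  # sym+0xoff/0xsize
SHADOW_ROW = re.compile(r"^\s*>?\s*([0-9a-f]{16}): ((?:[0-9a-f]{2} ?){16})$")


def parse_report(text):
    """Parse the report into a dict; stack lists keep only reliable frames."""
    r = {"trace": [], "alloc": [], "free": [], "shadow": {}}
    section = None
    for raw in text.splitlines():
        line = PREFIX.sub("", raw).strip()
        if m := re.match(r"BUG: KASAN: (\S+) in ([\w.]+)\+0x", line):
            r["bug"], r["func"] = m.group(1), m.group(2)
        elif m := re.match(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (.*)/(\d+)$", line):
            r["access"], r["size"], r["addr"] = m.group(1), int(m.group(2)), int(m.group(3), 16)
            r["task"], r["pid"] = m.group(4), int(m.group(5))
        elif line == "Call Trace:":
            section = "trace"
        elif m := re.match(r"(Allocated|Freed) by task (\d+):", line):
            section = {"Allocated": "alloc", "Freed": "free"}[m.group(1)]
            r[section + "_pid"] = int(m.group(2))
        elif m := re.match(r"which belongs to the cache (\S+) of size (\d+)", line):
            r["cache"], r["cache_size"] = m.group(1), int(m.group(2))
        elif m := re.search(r"region \[([0-9a-f]+), ([0-9a-f]+)\)", line):
            r["region"] = (int(m.group(1), 16), int(m.group(2), 16))
        elif m := SHADOW_ROW.match(line):
            r["shadow"][int(m.group(1), 16)] = [int(b, 16) for b in m.group(2).split()]
        elif section and (m := FRAME.match(line)):
            if not m.group(1):              # "? " frames are unwinder guesses; drop them
                r[section].append(m.group(2))
        elif not line:                      # a blank line ends the current stack
            section = None
    return r


def region_offset(r):
    """Where the access lies relative to the nearest object, phrased as KASAN does."""
    start, end = r["region"]
    if r["addr"] >= end:
        return "to the right", r["addr"] - end
    if r["addr"] < start:
        return "to the left", start - r["addr"]
    return "inside", r["addr"] - start


def shadow_at(r, addr):
    """Shadow byte covering addr: one byte per 8 bytes of memory, 16 per printed row."""
    row = addr & ~0x7f
    return r["shadow"][row][(addr - row) // 8] if row in r["shadow"] else None


def culprit(r):
    """Faulting function and its caller: the first reliable frames after kasan_report."""
    t = r["trace"] or [None]
    i = t.index("kasan_report") + 1 if "kasan_report" in t else 0
    return t[i], (t[i + 1] if i + 1 < len(t) else None)


def consistent(r):
    """Cross-check: does the shadow byte at the access agree with the reported class?"""
    s = shadow_at(r, r["addr"])
    if s is None:
        return None
    if r["bug"] == "slab-out-of-bounds":   # 0xfc kmalloc redzone, 1..7 unused granule tail
        return s == 0xfc or 1 <= s <= 7
    return s == 0xfb if r["bug"] == "use-after-free" else None   # 0xfb freed object


if __name__ == "__main__":
    rep = parse_report(SAMPLE)
    print(rep["bug"], culprit(rep), region_offset(rep), consistent(rep))
```

Run on the sample it reports the read in ip_icmp_error (called from tcp_v4_err) 511 bytes past the end of the kmalloc-512 region, with shadow byte 0xfc (kmalloc redzone), which agrees with slab-out-of-bounds. Two things the log itself shows and a triager should keep in mind: the access happens in softirq context (ksoftirqd/1, via net_rx_action) while the "Allocated by" and "Freed by" stacks are netlink sendmsg/recvmsg in ordinary tasks, so those stacks describe the slab object that happens to sit before the faulting address, not necessarily the buffer ip_icmp_error meant to read; and panic_on_warn turned the report into a panic and reboot, which is why the log ends where it does.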