[  OK  ] Started OpenBSD Secure Shell server.
[  OK  ] Reached target Multi-User System.
[  OK  ] Reached target Graphical Interface.
         Starting Update UTMP about System Runlevel Changes...
[  OK  ] Started Update UTMP about System Runlevel Changes.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.10.14' (ECDSA) to the list of known hosts.

syzkaller login:
[   57.712486][ T7068] IPVS: ftp: loaded support on port[0] = 21
[   57.804403][ T7068] chnl_net:caif_netlink_parms(): no params data found
[   57.855880][ T7068] bridge0: port 1(bridge_slave_0) entered blocking state
[   57.864213][ T7068] bridge0: port 1(bridge_slave_0) entered disabled state
[   57.873157][ T7068] device bridge_slave_0 entered promiscuous mode
[   57.882385][ T7068] bridge0: port 2(bridge_slave_1) entered blocking state
[   57.890319][ T7068] bridge0: port 2(bridge_slave_1) entered disabled state
[   57.898708][ T7068] device bridge_slave_1 entered promiscuous mode
[   57.919972][ T7068] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[   57.930930][ T7068] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[   57.954122][ T7068] team0: Port device team_slave_0 added
[   57.961580][ T7068] team0: Port device team_slave_1 added
[   57.979235][ T7068] batman_adv: batadv0: Adding interface: batadv_slave_0
[   57.986282][ T7068] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[   58.013082][ T7068] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[   58.026176][ T7068] batman_adv: batadv0: Adding interface: batadv_slave_1
[   58.033767][ T7068] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[   58.060693][ T7068] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[   58.130349][ T7068] device hsr_slave_0 entered promiscuous mode
[   58.187363][ T7068] device hsr_slave_1 entered promiscuous mode
[   58.312708][ T7068] netdevsim netdevsim0 netdevsim0: renamed from eth0
[   58.359833][ T7068] netdevsim netdevsim0 netdevsim1: renamed from eth1
[   58.409316][ T7068] netdevsim netdevsim0 netdevsim2: renamed from eth2
[   58.449187][ T7068] netdevsim netdevsim0 netdevsim3: renamed from eth3
[   58.532495][ T7068] bridge0: port 2(bridge_slave_1) entered blocking state
[   58.539884][ T7068] bridge0: port 2(bridge_slave_1) entered forwarding state
[   58.548035][ T7068] bridge0: port 1(bridge_slave_0) entered blocking state
[   58.555111][ T7068] bridge0: port 1(bridge_slave_0) entered forwarding state
[   58.601378][ T7068] 8021q: adding VLAN 0 to HW filter on device bond0
[   58.614894][ T2720] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[   58.625197][ T2720] bridge0: port 1(bridge_slave_0) entered disabled state
[   58.633469][ T2720] bridge0: port 2(bridge_slave_1) entered disabled state
[   58.642496][ T2720] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[   58.655427][ T7068] 8021q: adding VLAN 0 to HW filter on device team0
[   58.666900][ T2949] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[   58.675345][ T2949] bridge0: port 1(bridge_slave_0) entered blocking state
[   58.682585][ T2949] bridge0: port 1(bridge_slave_0) entered forwarding state
[   58.694806][ T2720] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[   58.704454][ T2720] bridge0: port 2(bridge_slave_1) entered blocking state
[   58.711622][ T2720] bridge0: port 2(bridge_slave_1) entered forwarding state
[   58.733145][ T2949] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[   58.742225][ T2949] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[   58.754814][ T2720] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[   58.772110][ T7068] hsr0: Slave A (hsr_slave_0) is not up; please bring it up to get a fully working HSR network
[   58.783664][ T7068] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
[   58.797490][ T2949] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[   58.806303][ T2949] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[   58.815579][ T2949] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[   58.833868][ T2720] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[   58.842440][ T2720] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[   58.859960][ T7068] 8021q: adding VLAN 0 to HW filter on device batadv0
[   58.880478][ T2720] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_virt_wifi: link becomes ready
[   58.890132][ T2720] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[   58.911340][ T2949] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_vlan: link becomes ready
[   58.919633][ T2949] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[   58.928813][ T2949] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[   58.936551][ T2949] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[   58.948033][ T7068] device veth0_vlan entered promiscuous mode
[   58.960855][ T7068] device veth1_vlan entered promiscuous mode
[   58.983470][ T2720] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan0: link becomes ready
[   58.992532][ T2720] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan1: link becomes ready
[   59.001837][ T2720] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_macvtap: link becomes ready
[   59.010867][ T2720] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[   59.021984][ T7068] device veth0_macvtap entered promiscuous mode
[   59.033297][ T7068] device veth1_macvtap entered promiscuous mode
[   59.050598][ T7068] batman_adv: batadv0: Interface activated: batadv_slave_0
[   59.059083][ T2720] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready
[   59.067688][ T2720] IPv6: ADDRCONF(NETDEV_CHANGE): macsec0: link becomes ready
[   59.075611][ T2720] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready
[   59.089544][ T2720] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[   59.102543][ T7068] batman_adv: batadv0: Interface activated: batadv_slave_1
[   59.110449][ T2949] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready
[   59.119460][ T2949] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
executing program
[   62.357553][    C0] ==================================================================
[   62.365723][    C0] BUG: KASAN: use-after-free in ip_icmp_error+0x52a/0x5a0
[   62.372818][    C0] Read of size 1 at addr ffff88809334afff by task ksoftirqd/0/9
[   62.380421][    C0]
[   62.382746][    C0] CPU: 0 PID: 9 Comm: ksoftirqd/0 Not tainted 5.7.0-rc6-syzkaller #0
[   62.390783][    C0] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   62.400819][    C0] Call Trace:
[   62.404094][    C0]  dump_stack+0x188/0x20d
[   62.408407][    C0]  print_address_description.constprop.0.cold+0xd3/0x413
[   62.415452][    C0]  ? skb_splice_bits+0x1a0/0x1a0
[   62.420374][    C0]  ? __kasan_kmalloc.constprop.0+0xbf/0xd0
[   62.426166][    C0]  ? vprintk_func+0x81/0x17e
[   62.430745][    C0]  ? ip_icmp_error+0x52a/0x5a0
[   62.435488][    C0]  __kasan_report.cold+0x20/0x38
[   62.440405][    C0]  ? ip_icmp_error+0x52a/0x5a0
[   62.445142][    C0]  ? ip_icmp_error+0x52a/0x5a0
[   62.449914][    C0]  kasan_report+0x33/0x50
[   62.454230][    C0]  ip_icmp_error+0x52a/0x5a0
[   62.458805][    C0]  tcp_v4_err+0x9b2/0x1d00
[   62.463204][    C0]  ? tcp_v4_do_rcv+0x8b0/0x8b0
[   62.467962][    C0]  icmp_socket_deliver+0x1e4/0x360
[   62.473050][    C0]  icmp_unreach+0x33b/0xab0
[   62.477537][    C0]  icmp_rcv+0xee6/0x15f0
[   62.481760][    C0]  ip_protocol_deliver_rcu+0x57/0x880
[   62.487123][    C0]  ip_local_deliver_finish+0x220/0x360
[   62.492670][    C0]  ip_local_deliver+0x1c8/0x4e0
[   62.497782][    C0]  ? ip_local_deliver_finish+0x360/0x360
[   62.503400][    C0]  ? ip_rcv+0x24e/0x3c0
[   62.507537][    C0]  ? ip_protocol_deliver_rcu+0x880/0x880
[   62.513154][    C0]  ? lock_downgrade+0x840/0x840
[   62.517987][    C0]  ? ip_rcv_finish_core.isra.0+0x606/0x1ec0
[   62.523858][    C0]  ip_rcv_finish+0x1da/0x2f0
[   62.528428][    C0]  ip_rcv+0xd0/0x3c0
[   62.532322][    C0]  ? ip_local_deliver+0x4e0/0x4e0
[   62.537335][    C0]  ? ip_rcv_finish_core.isra.0+0x1ec0/0x1ec0
[   62.543289][    C0]  ? ip_local_deliver+0x4e0/0x4e0
[   62.548289][    C0]  __netif_receive_skb_one_core+0x114/0x180
[   62.554154][    C0]  ? __netif_receive_skb_core+0x31c0/0x31c0
[   62.560020][    C0]  ? do_raw_spin_lock+0x129/0x2e0
[   62.565016][    C0]  ? rwlock_bug.part.0+0x90/0x90
[   62.569931][    C0]  __netif_receive_skb+0x27/0x1c0
[   62.574928][    C0]  process_backlog+0x21e/0x7a0
[   62.579686][    C0]  ? net_rx_action+0x25f/0x1070
[   62.584510][    C0]  net_rx_action+0x4c2/0x1070
[   62.589298][    C0]  ? napi_busy_loop+0x9e0/0x9e0
[   62.594162][    C0]  ? rcu_read_lock_any_held.part.0+0x50/0x50
[   62.600135][    C0]  __do_softirq+0x26c/0x9f7
[   62.604625][    C0]  ? takeover_tasklets+0x810/0x810
[   62.609711][    C0]  run_ksoftirqd+0x89/0x100
[   62.614203][    C0]  smpboot_thread_fn+0x653/0x9e0
[   62.619132][    C0]  ? __smpboot_create_thread.part.0+0x340/0x340
[   62.625348][    C0]  ? __kthread_parkme+0x13f/0x1e0
[   62.630351][    C0]  ? __smpboot_create_thread.part.0+0x340/0x340
[   62.636574][    C0]  kthread+0x388/0x470
[   62.640629][    C0]  ? kthread_mod_delayed_work+0x1a0/0x1a0
[   62.646437][    C0]  ret_from_fork+0x24/0x30
[   62.650871][    C0]
[   62.653179][    C0] Allocated by task 5110:
[   62.657495][    C0]  save_stack+0x1b/0x40
[   62.661629][    C0]  __kasan_kmalloc.constprop.0+0xbf/0xd0
[   62.667238][    C0]  kmem_cache_alloc+0x11b/0x740
[   62.672080][    C0]  getname_flags+0xd2/0x5b0
[   62.676566][    C0]  user_path_at_empty+0x2a/0x50
[   62.681414][    C0]  vfs_statx+0x119/0x1e0
[   62.685629][    C0]  __do_sys_newlstat+0x96/0x120
[   62.690469][    C0]  do_syscall_64+0xf6/0x7d0
[   62.695234][    C0]  entry_SYSCALL_64_after_hwframe+0x49/0xb3
[   62.701094][    C0]
[   62.703407][    C0] Freed by task 5110:
[   62.707363][    C0]  save_stack+0x1b/0x40
[   62.711491][    C0]  __kasan_slab_free+0xf7/0x140
[   62.716320][    C0]  kmem_cache_free+0x7f/0x320
[   62.720980][    C0]  putname+0xe1/0x120
[   62.724945][    C0]  filename_lookup+0x282/0x3e0
[   62.729694][    C0]  vfs_statx+0x119/0x1e0
[   62.733919][    C0]  __do_sys_newlstat+0x96/0x120
[   62.738745][    C0]  do_syscall_64+0xf6/0x7d0
[   62.743220][    C0]  entry_SYSCALL_64_after_hwframe+0x49/0xb3
[   62.749087][    C0]
[   62.751391][    C0] The buggy address belongs to the object at ffff88809334a680
[   62.751391][    C0]  which belongs to the cache names_cache of size 4096
[   62.765949][    C0] The buggy address is located 2431 bytes inside of
[   62.765949][    C0]  4096-byte region [ffff88809334a680, ffff88809334b680)
[   62.779389][    C0] The buggy address belongs to the page:
[   62.785015][    C0] page:ffffea00024cd280 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 head:ffffea00024cd280 order:1 compound_mapcount:0
[   62.798444][    C0] flags: 0xfffe0000010200(slab|head)
[   62.803711][    C0] raw: 00fffe0000010200 ffffea0002a09588 ffffea00029ef988 ffff8880aa1ec000
[   62.812268][    C0] raw: 0000000000000000 ffff88809334a680 0000000100000001 0000000000000000
[   62.820823][    C0] page dumped because: kasan: bad access detected
[   62.827294][    C0]
[   62.829595][    C0] Memory state around the buggy address:
[   62.835200][    C0]  ffff88809334ae80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   62.843239][    C0]  ffff88809334af00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   62.851365][    C0] >ffff88809334af80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   62.859410][    C0]                                                                 ^
[   62.868939][    C0]  ffff88809334b000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   62.876974][    C0]  ffff88809334b080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   62.885012][    C0] ==================================================================
[   62.893081][    C0] Disabling lock debugging due to kernel taint
[   62.899265][    C0] Kernel panic - not syncing: panic_on_warn set ...
[   62.905846][    C0] CPU: 0 PID: 9 Comm: ksoftirqd/0 Tainted: G    B             5.7.0-rc6-syzkaller #0
[   62.915294][    C0] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   62.925342][    C0] Call Trace:
[   62.928631][    C0]  dump_stack+0x188/0x20d
[   62.933029][    C0]  panic+0x2e3/0x75c
[   62.936950][    C0]  ? add_taint.cold+0x16/0x16
[   62.941600][    C0]  ? ip_icmp_error+0x52a/0x5a0
[   62.946351][    C0]  ? trace_hardirqs_on+0x55/0x220
[   62.951357][    C0]  ? ip_icmp_error+0x52a/0x5a0
[   62.956100][    C0]  end_report+0x4d/0x53
[   62.960237][    C0]  __kasan_report.cold+0xd/0x38
[   62.965078][    C0]  ? ip_icmp_error+0x52a/0x5a0
[   62.969834][    C0]  ? ip_icmp_error+0x52a/0x5a0
[   62.974577][    C0]  kasan_report+0x33/0x50
[   62.978878][    C0]  ip_icmp_error+0x52a/0x5a0
[   62.983440][    C0]  tcp_v4_err+0x9b2/0x1d00
[   62.987829][    C0]  ? tcp_v4_do_rcv+0x8b0/0x8b0
[   62.992575][    C0]  icmp_socket_deliver+0x1e4/0x360
[   62.997660][    C0]  icmp_unreach+0x33b/0xab0
[   63.002145][    C0]  icmp_rcv+0xee6/0x15f0
[   63.006363][    C0]  ip_protocol_deliver_rcu+0x57/0x880
[   63.012747][    C0]  ip_local_deliver_finish+0x220/0x360
[   63.018823][    C0]  ip_local_deliver+0x1c8/0x4e0
[   63.023644][    C0]  ? ip_local_deliver_finish+0x360/0x360
[   63.029246][    C0]  ? ip_rcv+0x24e/0x3c0
[   63.033463][    C0]  ? ip_protocol_deliver_rcu+0x880/0x880
[   63.039065][    C0]  ? lock_downgrade+0x840/0x840
[   63.043892][    C0]  ? ip_rcv_finish_core.isra.0+0x606/0x1ec0
[   63.049758][    C0]  ip_rcv_finish+0x1da/0x2f0
[   63.054320][    C0]  ip_rcv+0xd0/0x3c0
[   63.058286][    C0]  ? ip_local_deliver+0x4e0/0x4e0
[   63.063290][    C0]  ? ip_rcv_finish_core.isra.0+0x1ec0/0x1ec0
[   63.069265][    C0]  ? ip_local_deliver+0x4e0/0x4e0
[   63.074291][    C0]  __netif_receive_skb_one_core+0x114/0x180
[   63.080169][    C0]  ? __netif_receive_skb_core+0x31c0/0x31c0
[   63.086041][    C0]  ? do_raw_spin_lock+0x129/0x2e0
[   63.091844][    C0]  ? rwlock_bug.part.0+0x90/0x90
[   63.096951][    C0]  __netif_receive_skb+0x27/0x1c0
[   63.102001][    C0]  process_backlog+0x21e/0x7a0
[   63.106746][    C0]  ? net_rx_action+0x25f/0x1070
[   63.111573][    C0]  net_rx_action+0x4c2/0x1070
[   63.116235][    C0]  ? napi_busy_loop+0x9e0/0x9e0
[   63.121080][    C0]  ? rcu_read_lock_any_held.part.0+0x50/0x50
[   63.127052][    C0]  __do_softirq+0x26c/0x9f7
[   63.131528][    C0]  ? takeover_tasklets+0x810/0x810
[   63.136697][    C0]  run_ksoftirqd+0x89/0x100
[   63.141258][    C0]  smpboot_thread_fn+0x653/0x9e0
[   63.146184][    C0]  ? __smpboot_create_thread.part.0+0x340/0x340
[   63.152392][    C0]  ? __kthread_parkme+0x13f/0x1e0
[   63.157417][    C0]  ? __smpboot_create_thread.part.0+0x340/0x340
[   63.163627][    C0]  kthread+0x388/0x470
[   63.167769][    C0]  ? kthread_mod_delayed_work+0x1a0/0x1a0
[   63.173480][    C0]  ret_from_fork+0x24/0x30
[   63.179168][    C0] Kernel Offset: disabled
[   63.183481][    C0] Rebooting in 86400 seconds..