[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ 27.172313] kauditd_printk_skb: 7 callbacks suppressed
[ 27.172325] audit: type=1800 audit(1541023965.811:29): pid=5528 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="rc.local" dev="sda1" ino=2432 res=0
[ 27.199507] audit: type=1800 audit(1541023965.811:30): pid=5528 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="rmnologin" dev="sda1" ino=2423 res=0

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 42.685170] sshd (5670) used greatest stack depth: 15744 bytes left
Warning: Permanently added '10.128.0.96' (ECDSA) to the list of known hosts.
[ 69.649712] IPVS: ftp: loaded support on port[0] = 21
[ 69.810555] bridge0: port 1(bridge_slave_0) entered blocking state
[ 69.817411] bridge0: port 1(bridge_slave_0) entered disabled state
[ 69.824936] device bridge_slave_0 entered promiscuous mode
[ 69.843294] bridge0: port 2(bridge_slave_1) entered blocking state
[ 69.849927] bridge0: port 2(bridge_slave_1) entered disabled state
[ 69.856880] device bridge_slave_1 entered promiscuous mode
[ 69.875263] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[ 69.892862] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[ 69.941924] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 69.961631] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 70.038469] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 70.045900] team0: Port device team_slave_0 added
[ 70.063709] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 70.070937] team0: Port device team_slave_1 added
[ 70.087444] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 70.107669] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 70.127258] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[ 70.145634] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
RTNETLINK answers: Operation not supported
RTNETLINK answers: No buffer space available
RTNETLINK answers: Operation not supported
[ 70.285752] bridge0: port 2(bridge_slave_1) entered blocking state
[ 70.292204] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 70.299059] bridge0: port 1(bridge_slave_0) entered blocking state
[ 70.305390] bridge0: port 1(bridge_slave_0) entered forwarding state
RTNETLINK answers: Operation not supported
RTNETLINK answers: Operation not supported
RTNETLINK answers: Operation not supported
RTNETLINK answers: Invalid argument
RTNETLINK answers: Invalid argument
RTNETLINK answers: Invalid argument
[ 70.804329] 8021q: adding VLAN 0 to HW filter on device bond0
[ 70.856377] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 70.909259] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
[ 70.915404] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 70.924270] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 70.966939] 8021q: adding VLAN 0 to HW filter on device team0
executing program
[ 71.244024] ==================================================================
[ 71.251615] BUG: KASAN: slab-out-of-bounds in ip6_tnl_parse_tlv_enc_lim+0x5df/0x660
[ 71.259410] Read of size 1 at addr ffff8801cd4d1287 by task syz-executor163/5685
[ 71.266976]
[ 71.268598] CPU: 0 PID: 5685 Comm: syz-executor163 Not tainted 4.19.0+ #73
[ 71.275681] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 71.285020] Call Trace:
[ 71.287595]  dump_stack+0x244/0x39d
[ 71.291212]  ? dump_stack_print_info.cold.1+0x20/0x20
[ 71.296393]  ? printk+0xa7/0xcf
[ 71.299675]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[ 71.304417]  print_address_description.cold.7+0x9/0x1ff
[ 71.309766]  kasan_report.cold.8+0x242/0x309
[ 71.314159]  ? ip6_tnl_parse_tlv_enc_lim+0x5df/0x660
[ 71.319247]  __asan_report_load1_noabort+0x14/0x20
[ 71.324166]  ip6_tnl_parse_tlv_enc_lim+0x5df/0x660
[ 71.329168]  ip6_tnl_start_xmit+0x49f/0x25a0
[ 71.333572]  ? ip6_tnl_xmit+0x3730/0x3730
[ 71.337708]  ? mark_held_locks+0x130/0x130
[ 71.341922]  ? zap_class+0x640/0x640
[ 71.345637]  ? __lock_acquire+0x62f/0x4c20
[ 71.349855]  ? zap_class+0x640/0x640
[ 71.353546]  ? zap_class+0x640/0x640
[ 71.357247]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 71.362770]  ? check_preemption_disabled+0x48/0x280
[ 71.367816]  ? __lock_is_held+0xb5/0x140
[ 71.371889]  dev_hard_start_xmit+0x295/0xc90
[ 71.376288]  ? dev_direct_xmit+0x6b0/0x6b0
[ 71.380513]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[ 71.386035]  ? netif_skb_features+0x690/0xb70
[ 71.390513]  ? rcu_softirq_qs+0x20/0x20
[ 71.394489]  ? validate_xmit_xfrm+0x1ef/0xda0
[ 71.398977]  ? validate_xmit_skb+0x80c/0xf30
[ 71.403373]  ? netif_skb_features+0xb70/0xb70
[ 71.407863]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 71.413389]  ? check_preemption_disabled+0x48/0x280
[ 71.418391]  ? check_preemption_disabled+0x48/0x280
[ 71.423397]  __dev_queue_xmit+0x2f71/0x3ad0
[ 71.427708]  ? save_stack+0x43/0xd0
[ 71.431320]  ? kasan_kmalloc+0xc7/0xe0
[ 71.435192]  ? __kmalloc_node_track_caller+0x50/0x70
[ 71.440296]  ? netdev_pick_tx+0x310/0x310
[ 71.444448]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 71.449977]  ? check_preemption_disabled+0x48/0x280
[ 71.454982]  ? __lock_is_held+0xb5/0x140
[ 71.459502]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[ 71.464504]  ? skb_release_data+0x1c4/0x880
[ 71.468823]  ? kmem_cache_alloc_node_trace+0x34b/0x740
[ 71.474092]  ? kasan_unpoison_shadow+0x35/0x50
[ 71.478756]  ? skb_tx_error+0x2f0/0x2f0
[ 71.482730]  ? __kmalloc_node_track_caller+0x50/0x70
[ 71.487827]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 71.493351]  ? __sanitizer_cov_trace_const_cmp2+0x18/0x20
[ 71.498877]  ? kasan_check_write+0x14/0x20
[ 71.503093]  ? pskb_expand_head+0x6b3/0x10f0
[ 71.507488]  ? find_held_lock+0x36/0x1c0
[ 71.511536]  ? skb_release_data+0x880/0x880
[ 71.515841]  ? __alloc_skb+0x770/0x770
[ 71.519721]  ? __lock_is_held+0xb5/0x140
[ 71.523779]  ? kasan_check_write+0x14/0x20
[ 71.527999]  ? __skb_clone+0x6c7/0xa00
[ 71.531875]  ? __copy_skb_header+0x6b0/0x6b0
[ 71.536507]  ? kmem_cache_alloc+0x33a/0x730
[ 71.540817]  ? depot_save_stack+0x292/0x470
[ 71.545124]  ? skb_ensure_writable+0x15e/0x640
[ 71.549810]  dev_queue_xmit+0x17/0x20
[ 71.553599]  ? dev_queue_xmit+0x17/0x20
[ 71.557567]  __bpf_redirect+0x5cf/0xb20
[ 71.561537]  bpf_clone_redirect+0x2f6/0x490
[ 71.565857]  bpf_prog_759a992c578a3894+0xcbd/0x1000
[ 71.570875]  ? bpf_test_run+0x175/0x780
[ 71.574844]  ? lock_downgrade+0x900/0x900
[ 71.578982]  ? ktime_get+0x332/0x400
[ 71.582685]  ? find_held_lock+0x36/0x1c0
[ 71.586735]  ? lock_acquire+0x1ed/0x520
[ 71.590695]  ? bpf_test_run+0x3cb/0x780
[ 71.594706]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 71.600238]  ? check_preemption_disabled+0x48/0x280
[ 71.605241]  ? kasan_check_read+0x11/0x20
[ 71.609378]  ? rcu_dynticks_curr_cpu_in_eqs+0xa2/0x170
[ 71.614649]  ? rcu_softirq_qs+0x20/0x20
[ 71.618811]  ? bpf_cgroup_storage_release+0x220/0x220
[ 71.623990]  ? skb_try_coalesce+0x1b70/0x1b70
[ 71.628483]  ? bpf_test_run+0x25d/0x780
[ 71.632452]  ? netlink_diag_dump+0x2a0/0x2a0
[ 71.636856]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 71.642378]  ? bpf_test_init.isra.10+0x70/0x100
[ 71.647032]  ? bpf_prog_test_run_skb+0x73b/0xcb0
[ 71.651795]  ? bpf_test_finish.isra.9+0x1f0/0x1f0
[ 71.656637]  ? bpf_prog_add+0x69/0xd0
[ 71.660432]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 71.665956]  ? __bpf_prog_get+0x9b/0x290
[ 71.670052]  ? bpf_test_finish.isra.9+0x1f0/0x1f0
[ 71.674894]  ? bpf_prog_test_run+0x130/0x1a0
[ 71.679339]  ? __x64_sys_bpf+0x3d8/0x520
[ 71.683398]  ? bpf_prog_get+0x20/0x20
[ 71.687196]  ? do_syscall_64+0x1b9/0x820
[ 71.691288]  ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[ 71.696652]  ? syscall_return_slowpath+0x5e0/0x5e0
[ 71.701570]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 71.706404]  ? trace_hardirqs_on_caller+0x310/0x310
[ 71.711413]  ? prepare_exit_to_usermode+0x3b0/0x3b0
[ 71.716420]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 71.721950]  ? prepare_exit_to_usermode+0x291/0x3b0
[ 71.726955]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 71.731839]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 71.737198]
[ 71.738816] Allocated by task 5685:
[ 71.742431]  save_stack+0x43/0xd0
[ 71.745871]  kasan_kmalloc+0xc7/0xe0
[ 71.749574]  __kmalloc_node_track_caller+0x50/0x70
[ 71.754496]  __kmalloc_reserve.isra.40+0x41/0xe0
[ 71.759281]  pskb_expand_head+0x230/0x10f0
[ 71.763503]  skb_ensure_writable+0x3dd/0x640
[ 71.767895]  bpf_clone_redirect+0x14a/0x490
[ 71.772200]  bpf_prog_759a992c578a3894+0xcbd/0x1000
[ 71.777194]
[ 71.778801] Freed by task 4256:
[ 71.782098]  save_stack+0x43/0xd0
[ 71.785540]  __kasan_slab_free+0x102/0x150
[ 71.789765]  kasan_slab_free+0xe/0x10
[ 71.793552]  kfree+0xcf/0x230
[ 71.796644]  load_elf_binary+0x25b4/0x5620
[ 71.800863]  search_binary_handler+0x17d/0x570
[ 71.805428]  __do_execve_file.isra.33+0x1661/0x25d0
[ 71.810426]  __x64_sys_execve+0x8f/0xc0
[ 71.814382]  do_syscall_64+0x1b9/0x820
[ 71.818254]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 71.823420]
[ 71.825033] The buggy address belongs to the object at ffff8801cd4d1080
[ 71.825033]  which belongs to the cache kmalloc-512 of size 512
[ 71.837679] The buggy address is located 7 bytes to the right of
[ 71.837679]  512-byte region [ffff8801cd4d1080, ffff8801cd4d1280)
[ 71.849929] The buggy address belongs to the page:
[ 71.854891] page:ffffea0007353440 count:1 mapcount:0 mapping:ffff8801da800940 index:0x0
[ 71.863084] flags: 0x2fffc0000000200(slab)
[ 71.867316] raw: 02fffc0000000200 ffffea000738c748 ffffea00073232c8 ffff8801da800940
[ 71.875189] raw: 0000000000000000 ffff8801cd4d1080 0000000100000006 0000000000000000
[ 71.883049] page dumped because: kasan: bad access detected
[ 71.888917]
[ 71.890530] Memory state around the buggy address:
[ 71.895442]  ffff8801cd4d1180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 71.903740]  ffff8801cd4d1200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 71.911087] >ffff8801cd4d1280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 71.918562]                                         ^
[ 71.921913]  ffff8801cd4d1300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 71.929257]  ffff8801cd4d1380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 71.936594] ==================================================================
[ 71.943934] Disabling lock debugging due to kernel taint
[ 71.949435] Kernel panic - not syncing: panic_on_warn set ...
[ 71.949435]
[ 71.956806] CPU: 0 PID: 5685 Comm: syz-executor163 Tainted: G B 4.19.0+ #73
[ 71.965210] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 71.974552] Call Trace:
[ 71.977132]  dump_stack+0x244/0x39d
[ 71.980750]  ? dump_stack_print_info.cold.1+0x20/0x20
[ 71.985924]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 71.990665]  panic+0x238/0x4e7
[ 71.993843]  ? add_taint.cold.5+0x16/0x16
[ 71.997978]  ? trace_hardirqs_on+0xb4/0x310
[ 72.002286]  kasan_end_report+0x47/0x4f
[ 72.006242]  kasan_report.cold.8+0x76/0x309
[ 72.010550]  ? ip6_tnl_parse_tlv_enc_lim+0x5df/0x660
[ 72.015648]  __asan_report_load1_noabort+0x14/0x20
[ 72.020564]  ip6_tnl_parse_tlv_enc_lim+0x5df/0x660
[ 72.025483]  ip6_tnl_start_xmit+0x49f/0x25a0
[ 72.029879]  ? ip6_tnl_xmit+0x3730/0x3730
[ 72.034011]  ? mark_held_locks+0x130/0x130
[ 72.038229]  ? zap_class+0x640/0x640
[ 72.041926]  ? __lock_acquire+0x62f/0x4c20
[ 72.046146]  ? zap_class+0x640/0x640
[ 72.049843]  ? zap_class+0x640/0x640
[ 72.053541]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 72.059072]  ? check_preemption_disabled+0x48/0x280
[ 72.064075]  ? __lock_is_held+0xb5/0x140
[ 72.068134]  dev_hard_start_xmit+0x295/0xc90
[ 72.072534]  ? dev_direct_xmit+0x6b0/0x6b0
[ 72.076764]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[ 72.082294]  ? netif_skb_features+0x690/0xb70
[ 72.086775]  ? rcu_softirq_qs+0x20/0x20
[ 72.090737]  ? validate_xmit_xfrm+0x1ef/0xda0
[ 72.095221]  ? validate_xmit_skb+0x80c/0xf30
[ 72.099631]  ? netif_skb_features+0xb70/0xb70
[ 72.104119]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 72.110029]  ? check_preemption_disabled+0x48/0x280
[ 72.115031]  ? check_preemption_disabled+0x48/0x280
[ 72.120036]  __dev_queue_xmit+0x2f71/0x3ad0
[ 72.124340]  ? save_stack+0x43/0xd0
[ 72.127945]  ? kasan_kmalloc+0xc7/0xe0
[ 72.131816]  ? __kmalloc_node_track_caller+0x50/0x70
[ 72.136907]  ? netdev_pick_tx+0x310/0x310
[ 72.141041]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 72.146557]  ? check_preemption_disabled+0x48/0x280
[ 72.151572]  ? __lock_is_held+0xb5/0x140
[ 72.155623]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[ 72.160642]  ? skb_release_data+0x1c4/0x880
[ 72.164961]  ? kmem_cache_alloc_node_trace+0x34b/0x740
[ 72.170219]  ? kasan_unpoison_shadow+0x35/0x50
[ 72.174783]  ? skb_tx_error+0x2f0/0x2f0
[ 72.178741]  ? __kmalloc_node_track_caller+0x50/0x70
[ 72.183830]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 72.189363]  ? __sanitizer_cov_trace_const_cmp2+0x18/0x20
[ 72.194884]  ? kasan_check_write+0x14/0x20
[ 72.199103]  ? pskb_expand_head+0x6b3/0x10f0
[ 72.203506]  ? find_held_lock+0x36/0x1c0
[ 72.207549]  ? skb_release_data+0x880/0x880
[ 72.211851]  ? __alloc_skb+0x770/0x770
[ 72.215719]  ? __lock_is_held+0xb5/0x140
[ 72.219762]  ? kasan_check_write+0x14/0x20
[ 72.223973]  ? __skb_clone+0x6c7/0xa00
[ 72.227843]  ? __copy_skb_header+0x6b0/0x6b0
[ 72.232231]  ? kmem_cache_alloc+0x33a/0x730
[ 72.236534]  ? depot_save_stack+0x292/0x470
[ 72.240841]  ? skb_ensure_writable+0x15e/0x640
[ 72.245410]  dev_queue_xmit+0x17/0x20
[ 72.249192]  ? dev_queue_xmit+0x17/0x20
[ 72.253153]  __bpf_redirect+0x5cf/0xb20
[ 72.257109]  bpf_clone_redirect+0x2f6/0x490
[ 72.261417]  bpf_prog_759a992c578a3894+0xcbd/0x1000
[ 72.266414]  ? bpf_test_run+0x175/0x780
[ 72.270370]  ? lock_downgrade+0x900/0x900
[ 72.274499]  ? ktime_get+0x332/0x400
[ 72.278197]  ? find_held_lock+0x36/0x1c0
[ 72.282242]  ? lock_acquire+0x1ed/0x520
[ 72.286197]  ? bpf_test_run+0x3cb/0x780
[ 72.290154]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 72.295673]  ? check_preemption_disabled+0x48/0x280
[ 72.300673]  ? kasan_check_read+0x11/0x20
[ 72.304807]  ? rcu_dynticks_curr_cpu_in_eqs+0xa2/0x170
[ 72.310065]  ? rcu_softirq_qs+0x20/0x20
[ 72.314021]  ? bpf_cgroup_storage_release+0x220/0x220
[ 72.319192]  ? skb_try_coalesce+0x1b70/0x1b70
[ 72.323669]  ? bpf_test_run+0x25d/0x780
[ 72.327630]  ? netlink_diag_dump+0x2a0/0x2a0
[ 72.332025]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 72.337539]  ? bpf_test_init.isra.10+0x70/0x100
[ 72.342188]  ? bpf_prog_test_run_skb+0x73b/0xcb0
[ 72.346929]  ? bpf_test_finish.isra.9+0x1f0/0x1f0
[ 72.351751]  ? bpf_prog_add+0x69/0xd0
[ 72.355533]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 72.361053]  ? __bpf_prog_get+0x9b/0x290
[ 72.365093]  ? bpf_test_finish.isra.9+0x1f0/0x1f0
[ 72.369918]  ? bpf_prog_test_run+0x130/0x1a0
[ 72.374311]  ? __x64_sys_bpf+0x3d8/0x520
[ 72.378353]  ? bpf_prog_get+0x20/0x20
[ 72.382139]  ? do_syscall_64+0x1b9/0x820
[ 72.386197]  ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[ 72.391574]  ? syscall_return_slowpath+0x5e0/0x5e0
[ 72.396485]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 72.401310]  ? trace_hardirqs_on_caller+0x310/0x310
[ 72.406308]  ? prepare_exit_to_usermode+0x3b0/0x3b0
[ 72.411326]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 72.416847]  ? prepare_exit_to_usermode+0x291/0x3b0
[ 72.421865]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 72.426693]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 72.432961] Kernel Offset: disabled
[ 72.436583] Rebooting in 86400 seconds..
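Reading the report: the faulting access is a one-byte read at ffff8801cd4d1287, 7 bytes past the end of a 512-byte kmalloc-512 object that pskb_expand_head allocated for the skb head when bpf_clone_redirect called skb_ensure_writable (the "Allocated by task 5685" stack); the shadow row marked with ">" shows fc (slab redzone) at that address. The "Freed by task 4256" stack is the previous occupant of that slab slot (a kfree in load_elf_binary) that KASAN keeps in the object's metadata; it says nothing about this access. The trigger path is BPF_PROG_TEST_RUN running a program that calls bpf_clone_redirect into an ip6 tunnel device, so ip6_tnl_start_xmit invokes ip6_tnl_parse_tlv_enc_lim, which walks the IPv6 extension headers of the packet about to be encapsulated looking for the Tunnel Encapsulation Limit option (RFC 2473) inside a Destination Options header, and that walk reads beyond the packet data.

What follows is an added user-space C example, not the kernel's code and not part of the syzbot report: a simplified version of that extension-header walk with every length check made explicit, run over constructed packets (one carrying the option, one chained behind a Hop-by-Hop header, the first one truncated so the header's claimed length exceeds the bytes present, one whose option length overruns its header, and one with no extension headers). The function name find_tnl_encap_limit, the IPV6_HDR macro and the sample packets are this example's own; the protocol constants come from RFC 8200 and RFC 2473.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Protocol numbers and option types (RFC 8200, RFC 2473). The names follow
 * the kernel's; the parser below is this example's own, not ip6_tunnel.c. */
#define NEXTHDR_HOP               0
#define NEXTHDR_TCP               6
#define NEXTHDR_ROUTING           43
#define NEXTHDR_NONE              59
#define NEXTHDR_DEST              60
#define IPV6_TLV_PAD1             0
#define IPV6_TLV_PADN             1
#define IPV6_TLV_TNL_ENCAP_LIMIT  4
#define IPV6_HDR_LEN              40

/* Walk the Hop-by-Hop / Routing / Destination Options chain of the IPv6
 * packet in buf[0..len) and return the offset of the Tunnel Encapsulation
 * Limit value byte, or -1 if there is none or if any length field would
 * take the walk past the end of the buffer. Every read is preceded by a
 * check that the bytes it touches lie inside [0, len). */
int find_tnl_encap_limit(const uint8_t *buf, size_t len)
{
    if (len < IPV6_HDR_LEN)
        return -1;

    uint8_t nexthdr = buf[6];            /* ipv6hdr.nexthdr */
    size_t off = IPV6_HDR_LEN;

    while (nexthdr == NEXTHDR_HOP || nexthdr == NEXTHDR_ROUTING ||
           nexthdr == NEXTHDR_DEST) {
        /* The (nexthdr, hdrlen) prefix must be present before hdrlen is trusted. */
        if (len - off < 2)
            return -1;
        size_t hdrlen = ((size_t)buf[off + 1] + 1) * 8;
        /* The whole header must be present before any option inside it is
         * read; a walk that trusts hdrlen blindly is what reads past the end. */
        if (hdrlen > len - off)
            return -1;

        if (nexthdr == NEXTHDR_DEST) {
            size_t i = off + 2, end = off + hdrlen;
            while (i < end) {
                uint8_t type = buf[i];
                if (type == IPV6_TLV_PAD1) {     /* single-byte padding */
                    i++;
                    continue;
                }
                if (end - i < 2)                 /* no room for a length byte */
                    return -1;
                uint8_t optlen = buf[i + 1];
                if (optlen > end - i - 2)        /* option overruns its header */
                    return -1;
                if (type == IPV6_TLV_TNL_ENCAP_LIMIT)
                    return optlen == 1 ? (int)(i + 2) : -1;   /* RFC 2473: length 1 */
                i += 2 + optlen;
            }
        }
        nexthdr = buf[off];                      /* next header after this one */
        off += hdrlen;
    }
    return -1;
}

/* Constructed sample packets (not taken from the report). IPV6_HDR lays
 * down a 40-byte IPv6 header with only the next-header byte populated. */
#define IPV6_HDR(nh) 0x60, 0, 0, 0,  0, 0, (nh), 64, \
    0, 0, 0, 0, 0, 0, 0, 0,  0, 0, 0, 0, 0, 0, 0, 0, \
    0, 0, 0, 0, 0, 0, 0, 0,  0, 0, 0, 0, 0, 0, 0, 0

/* Dest Opts (8 bytes) carrying encap limit 3: value byte at offset 44. */
const uint8_t pkt_limit[] = {
    IPV6_HDR(NEXTHDR_DEST),
    NEXTHDR_NONE, 0, IPV6_TLV_TNL_ENCAP_LIMIT, 1, 3, IPV6_TLV_PADN, 1, 0,
};
/* Hop-by-Hop first, then Dest Opts: value byte at offset 52. */
const uint8_t pkt_chain[] = {
    IPV6_HDR(NEXTHDR_HOP),
    NEXTHDR_DEST, 0, IPV6_TLV_PADN, 4, 0, 0, 0, 0,
    NEXTHDR_NONE, 0, IPV6_TLV_TNL_ENCAP_LIMIT, 1, 2, IPV6_TLV_PADN, 1, 0,
};
/* Option claims 9 bytes inside an 8-byte header: must be rejected. */
const uint8_t pkt_overrun[] = {
    IPV6_HDR(NEXTHDR_DEST),
    NEXTHDR_NONE, 0, IPV6_TLV_TNL_ENCAP_LIMIT, 9, 3, 0, 0, 0,
};
/* Plain TCP payload, no extension headers. */
const uint8_t pkt_plain[] = { IPV6_HDR(NEXTHDR_TCP) };

int main(void)
{
    printf("pkt_limit     -> %d\n", find_tnl_encap_limit(pkt_limit, sizeof pkt_limit));
    printf("pkt_chain     -> %d\n", find_tnl_encap_limit(pkt_chain, sizeof pkt_chain));
    /* The same packet cut off after 45 bytes: the header's claimed length
     * exceeds what is present, so the walk stops instead of reading on. */
    printf("pkt_limit/45  -> %d\n", find_tnl_encap_limit(pkt_limit, 45));
    printf("pkt_overrun   -> %d\n", find_tnl_encap_limit(pkt_overrun, sizeof pkt_overrun));
    printf("pkt_plain     -> %d\n", find_tnl_encap_limit(pkt_plain, sizeof pkt_plain));
    return 0;
}
```

The two checks that carry the weight are the one on hdrlen against the bytes actually present, performed before any option inside the header is touched, and the one on each option's length against the end of its own header rather than only against the end of the buffer. On an skb the first role belongs to pskb_may_pull; when a fuzzer drives the transmit path with a packet it built itself, as BPF_PROG_TEST_RUN does here, any gap between what the walk assumes is pulled and what the skb actually holds shows up as exactly this kind of one-byte read into the redzone.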