[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
Starting Load/Save RF Kill Switch Status...
[ OK ] Started Update UTMP about System Runlevel Changes.
[ OK ] Started Load/Save RF Kill Switch Status.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.0.147' (ECDSA) to the list of known hosts.

syzkaller login: [ 31.632943] IPVS: ftp: loaded support on port[0] = 21
[ 31.697548] chnl_net:caif_netlink_parms(): no params data found
[ 31.769190] bridge0: port 1(bridge_slave_0) entered blocking state
[ 31.776804] bridge0: port 1(bridge_slave_0) entered disabled state
[ 31.783759] device bridge_slave_0 entered promiscuous mode
[ 31.791348] bridge0: port 2(bridge_slave_1) entered blocking state
[ 31.798057] bridge0: port 2(bridge_slave_1) entered disabled state
[ 31.804872] device bridge_slave_1 entered promiscuous mode
[ 31.820767] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 31.829328] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 31.846427] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 31.853578] team0: Port device team_slave_0 added
[ 31.860234] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 31.867485] team0: Port device team_slave_1 added
[ 31.881014] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 31.887293] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 31.912503] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[ 31.923657] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 31.929949] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 31.955223] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[ 31.965938] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[ 31.973209] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[ 31.991072] device hsr_slave_0 entered promiscuous mode
[ 31.996999] device hsr_slave_1 entered promiscuous mode
[ 32.002801] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready
[ 32.009880] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_1: link is not ready
[ 32.066780] bridge0: port 2(bridge_slave_1) entered blocking state
[ 32.073199] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 32.080088] bridge0: port 1(bridge_slave_0) entered blocking state
[ 32.086582] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 32.113341] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[ 32.120275] 8021q: adding VLAN 0 to HW filter on device bond0
[ 32.129301] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 32.137831] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 32.156274] bridge0: port 1(bridge_slave_0) entered disabled state
[ 32.163219] bridge0: port 2(bridge_slave_1) entered disabled state
[ 32.173756] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready
[ 32.180137] 8021q: adding VLAN 0 to HW filter on device team0
[ 32.188361] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 32.196802] bridge0: port 1(bridge_slave_0) entered blocking state
[ 32.203125] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 32.221872] hsr0: Slave A (hsr_slave_0) is not up; please bring it up to get a fully working HSR network
[ 32.232385] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
[ 32.243951] IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready
[ 32.250810] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 32.258488] bridge0: port 2(bridge_slave_1) entered blocking state
[ 32.264826] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 32.272633] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 32.280402] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 32.288136] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 32.296052] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 32.304147] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 32.311053] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 32.322497] IPv6: ADDRCONF(NETDEV_UP): vxcan0: link is not ready
[ 32.329582] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 32.336446] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 32.345899] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 32.391823] IPv6: ADDRCONF(NETDEV_UP): veth0_virt_wifi: link is not ready
[ 32.401622] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 32.431122] IPv6: ADDRCONF(NETDEV_UP): veth0_vlan: link is not ready
[ 32.438264] IPv6: ADDRCONF(NETDEV_UP): vlan0: link is not ready
[ 32.444659] IPv6: ADDRCONF(NETDEV_UP): vlan1: link is not ready
[ 32.453688] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 32.461473] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 32.468612] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 32.477738] device veth0_vlan entered promiscuous mode
[ 32.485962] device veth1_vlan entered promiscuous mode
[ 32.491689] IPv6: ADDRCONF(NETDEV_UP): macvlan0: link is not ready
[ 32.500726] IPv6: ADDRCONF(NETDEV_UP): macvlan1: link is not ready
[ 32.511407] IPv6: ADDRCONF(NETDEV_UP): veth0_macvtap: link is not ready
[ 32.520226] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan0: link becomes ready
[ 32.527417] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan1: link becomes ready
[ 32.534506] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 32.543624] device veth0_macvtap entered promiscuous mode
[ 32.549998] IPv6: ADDRCONF(NETDEV_UP): macvtap0: link is not ready
[ 32.559045] device veth1_macvtap entered promiscuous mode
[ 32.567670] IPv6: ADDRCONF(NETDEV_UP): veth0_to_batadv: link is not ready
[ 32.577382] IPv6: ADDRCONF(NETDEV_UP): veth1_to_batadv: link is not ready
[ 32.586866] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 32.593509] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 32.602547] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready
[ 32.612037] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 32.619271] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
executing program
[ 32.735715] ==================================================================
[ 32.743169] BUG: KASAN: use-after-free in radix_tree_next_chunk+0x89f/0x8c0
[ 32.750251] Read of size 8 at addr ffff888094eb3088 by task syz-executor607/7995
[ 32.757760]
[ 32.759372] CPU: 1 PID: 7995 Comm: syz-executor607 Not tainted 4.14.290-syzkaller #0
[ 32.767243] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/22/2022
[ 32.776573] Call Trace:
[ 32.779143]  dump_stack+0x1b2/0x281
[ 32.782753]  print_address_description.cold+0x54/0x1d3
[ 32.788008]  kasan_report_error.cold+0x8a/0x191
[ 32.792656]  ? radix_tree_next_chunk+0x89f/0x8c0
[ 32.797392]  __asan_report_load8_noabort+0x68/0x70
[ 32.802305]  ? lock_downgrade+0x6b0/0x740
[ 32.806433]  ? radix_tree_next_chunk+0x89f/0x8c0
[ 32.811167]  radix_tree_next_chunk+0x89f/0x8c0
[ 32.815749]  ? wake_up_q+0xd0/0xd0
[ 32.819290]  ida_remove+0x9b/0x210
[ 32.822817]  ? ida_destroy+0x1b0/0x1b0
[ 32.826683]  ? lock_acquire+0x170/0x3f0
[ 32.830638]  ida_simple_remove+0x31/0x50
[ 32.834677]  ipvlan_link_new+0x50c/0xfa0
[ 32.838721]  rtnl_newlink+0xf7c/0x1830
[ 32.842586]  ? __lock_acquire+0x5fc/0x3f20
[ 32.846801]  ? ipvlan_port_destroy+0x3f0/0x3f0
[ 32.851359]  ? kasan_slab_free+0xc3/0x1a0
[ 32.855485]  ? rtnl_dellink+0x6a0/0x6a0
[ 32.859455]  ? trace_hardirqs_on+0x10/0x10
[ 32.863668]  ? __dev_queue_xmit+0x1d7f/0x2480
[ 32.868174]  ? netlink_deliver_tap+0x61b/0x860
[ 32.872746]  ? netlink_unicast+0x485/0x610
[ 32.876960]  ? ___sys_sendmsg+0x6c8/0x800
[ 32.881082]  ? __sys_sendmsg+0xa3/0x120
[ 32.885052]  ? lock_acquire+0x170/0x3f0
[ 32.889244]  ? lock_downgrade+0x740/0x740
[ 32.893375]  ? rtnl_dellink+0x6a0/0x6a0
[ 32.897424]  rtnetlink_rcv_msg+0x3be/0xb10
[ 32.901743]  ? rtnl_calcit.isra.0+0x3a0/0x3a0
[ 32.906237]  ? __netlink_lookup+0x345/0x5d0
[ 32.910554]  ? netdev_pick_tx+0x2e0/0x2e0
[ 32.914690]  netlink_rcv_skb+0x125/0x390
[ 32.918737]  ? rtnl_calcit.isra.0+0x3a0/0x3a0
[ 32.923215]  ? netlink_ack+0x9a0/0x9a0
[ 32.927083]  netlink_unicast+0x437/0x610
[ 32.931124]  ? netlink_sendskb+0xd0/0xd0
[ 32.935175]  ? __check_object_size+0x179/0x230
[ 32.939734]  netlink_sendmsg+0x648/0xbc0
[ 32.943777]  ? nlmsg_notify+0x1b0/0x1b0
[ 32.947726]  ? kernel_recvmsg+0x210/0x210
[ 32.951868]  ? security_socket_sendmsg+0x83/0xb0
[ 32.956602]  ? nlmsg_notify+0x1b0/0x1b0
[ 32.960573]  sock_sendmsg+0xb5/0x100
[ 32.964263]  ___sys_sendmsg+0x6c8/0x800
[ 32.968214]  ? copy_msghdr_from_user+0x3b0/0x3b0
[ 32.972964]  ? trace_hardirqs_on+0x10/0x10
[ 32.977176]  ? trace_hardirqs_on+0x10/0x10
[ 32.981391]  ? trace_hardirqs_on+0x10/0x10
[ 32.985611]  ? __might_fault+0x104/0x1b0
[ 32.989665]  ? lock_acquire+0x170/0x3f0
[ 32.993620]  ? lock_downgrade+0x740/0x740
[ 32.997747]  ? __might_fault+0x177/0x1b0
[ 33.001786]  ? _copy_to_user+0x82/0xd0
[ 33.005651]  ? move_addr_to_user+0x13f/0x180
[ 33.010036]  ? __fdget+0x167/0x1f0
[ 33.013553]  ? sockfd_lookup_light+0xb2/0x160
[ 33.018022]  __sys_sendmsg+0xa3/0x120
[ 33.021802]  ? SyS_shutdown+0x160/0x160
[ 33.025755]  ? move_addr_to_kernel+0x60/0x60
[ 33.030142]  SyS_sendmsg+0x27/0x40
[ 33.033656]  ? __sys_sendmsg+0x120/0x120
[ 33.037696]  do_syscall_64+0x1d5/0x640
[ 33.041562]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 33.046729] RIP: 0033:0x7f2007a945e9
[ 33.050415] RSP: 002b:00007ffc91110ec8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 33.058110] RAX: ffffffffffffffda RBX: 00007f2007b08ed0 RCX: 00007f2007a945e9
[ 33.065356] RDX: 0000000000000000 RSI: 0000000020000000 RDI: 0000000000000005
[ 33.072617] RBP: 00007ffc91110f00 R08: 00007ffc91110ef7 R09: 00007ffc91110ef7
[ 33.079896] R10: 00007ffc91110ef7 R11: 0000000000000246 R12: 00007ffc91110ee0
[ 33.087168] R13: 00007ffc91110ed8 R14: 0000000000000000 R15: 0000000000000003
[ 33.094427]
[ 33.096032] Allocated by task 7995:
[ 33.099640]  kasan_kmalloc+0xeb/0x160
[ 33.103427]  kmem_cache_alloc_trace+0x131/0x3d0
[ 33.108073]  ipvlan_link_new+0x64f/0xfa0
[ 33.112115]  rtnl_newlink+0xf7c/0x1830
[ 33.115976]  rtnetlink_rcv_msg+0x3be/0xb10
[ 33.120191]  netlink_rcv_skb+0x125/0x390
[ 33.124227]  netlink_unicast+0x437/0x610
[ 33.128263]  netlink_sendmsg+0x648/0xbc0
[ 33.132300]  sock_sendmsg+0xb5/0x100
[ 33.136001]  ___sys_sendmsg+0x6c8/0x800
[ 33.139950]  __sys_sendmsg+0xa3/0x120
[ 33.143729]  SyS_sendmsg+0x27/0x40
[ 33.147249]  do_syscall_64+0x1d5/0x640
[ 33.151111]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 33.156270]
[ 33.157874] Freed by task 7995:
[ 33.161131]  kasan_slab_free+0xc3/0x1a0
[ 33.165087]  kfree+0xc9/0x250
[ 33.168170]  ipvlan_uninit+0xb6/0xe0
[ 33.171869]  rollback_registered_many+0x649/0xbb0
[ 33.176688]  rollback_registered+0xca/0x170
[ 33.180985]  register_netdevice+0xb63/0xe50
[ 33.185284]  ipvlan_link_new+0x499/0xfa0
[ 33.189320]  rtnl_newlink+0xf7c/0x1830
[ 33.193181]  rtnetlink_rcv_msg+0x3be/0xb10
[ 33.197416]  netlink_rcv_skb+0x125/0x390
[ 33.201480]  netlink_unicast+0x437/0x610
[ 33.205516]  netlink_sendmsg+0x648/0xbc0
[ 33.209552]  sock_sendmsg+0xb5/0x100
[ 33.213239]  ___sys_sendmsg+0x6c8/0x800
[ 33.217186]  __sys_sendmsg+0xa3/0x120
[ 33.220960]  SyS_sendmsg+0x27/0x40
[ 33.224490]  do_syscall_64+0x1d5/0x640
[ 33.228353]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 33.233515]
[ 33.235125] The buggy address belongs to the object at ffff888094eb27c0
[ 33.235125]  which belongs to the cache kmalloc-4096 of size 4096
[ 33.247931] The buggy address is located 2248 bytes inside of
[ 33.247931]  4096-byte region [ffff888094eb27c0, ffff888094eb37c0)
[ 33.259956] The buggy address belongs to the page:
[ 33.264888] page:ffffea000253ac80 count:1 mapcount:0 mapping:ffff888094eb27c0 index:0x0 compound_mapcount: 0
[ 33.274834] flags: 0xfff00000008100(slab|head)
[ 33.279407] raw: 00fff00000008100 ffff888094eb27c0 0000000000000000 0000000100000001
[ 33.287275] raw: ffffea0002c2e420 ffffea0002bf8020 ffff88813fe74dc0 0000000000000000
[ 33.295149] page dumped because: kasan: bad access detected
[ 33.300843]
[ 33.302456] Memory state around the buggy address:
[ 33.307370]  ffff888094eb2f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 33.314707]  ffff888094eb3000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 33.322047] >ffff888094eb3080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 33.329381]                       ^
[ 33.332985]  ffff888094eb3100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 33.340321]  ffff888094eb3180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 33.347653] ==================================================================
[ 33.354983] Disabling lock debugging due to kernel taint
[ 33.360405] Kernel panic - not syncing: panic_on_warn set ...
[ 33.360405]
[ 33.367757] CPU: 1 PID: 7995 Comm: syz-executor607 Tainted: G B 4.14.290-syzkaller #0
[ 33.376825] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/22/2022
[ 33.386155] Call Trace:
[ 33.388722]  dump_stack+0x1b2/0x281
[ 33.393203]  panic+0x1f9/0x42d
[ 33.396373]  ? add_taint.cold+0x16/0x16
[ 33.400326]  ? lock_downgrade+0x740/0x740
[ 33.404456]  kasan_end_report+0x43/0x49
[ 33.408424]  kasan_report_error.cold+0xa7/0x191
[ 33.413075]  ? radix_tree_next_chunk+0x89f/0x8c0
[ 33.417816]  __asan_report_load8_noabort+0x68/0x70
[ 33.422732]  ? lock_downgrade+0x6b0/0x740
[ 33.426900]  ? radix_tree_next_chunk+0x89f/0x8c0
[ 33.431638]  radix_tree_next_chunk+0x89f/0x8c0
[ 33.436198]  ? wake_up_q+0xd0/0xd0
[ 33.439879]  ida_remove+0x9b/0x210
[ 33.443422]  ? ida_destroy+0x1b0/0x1b0
[ 33.447303]  ? lock_acquire+0x170/0x3f0
[ 33.451259]  ida_simple_remove+0x31/0x50
[ 33.455302]  ipvlan_link_new+0x50c/0xfa0
[ 33.459349]  rtnl_newlink+0xf7c/0x1830
[ 33.463290]  ? __lock_acquire+0x5fc/0x3f20
[ 33.467510]  ? ipvlan_port_destroy+0x3f0/0x3f0
[ 33.472071]  ? kasan_slab_free+0xc3/0x1a0
[ 33.476197]  ? rtnl_dellink+0x6a0/0x6a0
[ 33.480157]  ? trace_hardirqs_on+0x10/0x10
[ 33.484368]  ? __dev_queue_xmit+0x1d7f/0x2480
[ 33.488859]  ? netlink_deliver_tap+0x61b/0x860
[ 33.493422]  ? netlink_unicast+0x485/0x610
[ 33.497635]  ? ___sys_sendmsg+0x6c8/0x800
[ 33.501755]  ? __sys_sendmsg+0xa3/0x120
[ 33.505712]  ? lock_acquire+0x170/0x3f0
[ 33.509661]  ? lock_downgrade+0x740/0x740
[ 33.513868]  ? rtnl_dellink+0x6a0/0x6a0
[ 33.517822]  rtnetlink_rcv_msg+0x3be/0xb10
[ 33.522051]  ? rtnl_calcit.isra.0+0x3a0/0x3a0
[ 33.526528]  ? __netlink_lookup+0x345/0x5d0
[ 33.530841]  ? netdev_pick_tx+0x2e0/0x2e0
[ 33.534975]  netlink_rcv_skb+0x125/0x390
[ 33.539025]  ? rtnl_calcit.isra.0+0x3a0/0x3a0
[ 33.543673]  ? netlink_ack+0x9a0/0x9a0
[ 33.547539]  netlink_unicast+0x437/0x610
[ 33.551601]  ? netlink_sendskb+0xd0/0xd0
[ 33.555651]  ? __check_object_size+0x179/0x230
[ 33.560214]  netlink_sendmsg+0x648/0xbc0
[ 33.564266]  ? nlmsg_notify+0x1b0/0x1b0
[ 33.568214]  ? kernel_recvmsg+0x210/0x210
[ 33.572437]  ? security_socket_sendmsg+0x83/0xb0
[ 33.577177]  ? nlmsg_notify+0x1b0/0x1b0
[ 33.581125]  sock_sendmsg+0xb5/0x100
[ 33.584813]  ___sys_sendmsg+0x6c8/0x800
[ 33.588758]  ? copy_msghdr_from_user+0x3b0/0x3b0
[ 33.593541]  ? trace_hardirqs_on+0x10/0x10
[ 33.597771]  ? trace_hardirqs_on+0x10/0x10
[ 33.601993]  ? trace_hardirqs_on+0x10/0x10
[ 33.606208]  ? __might_fault+0x104/0x1b0
[ 33.610250]  ? lock_acquire+0x170/0x3f0
[ 33.614202]  ? lock_downgrade+0x740/0x740
[ 33.618337]  ? __might_fault+0x177/0x1b0
[ 33.622383]  ? _copy_to_user+0x82/0xd0
[ 33.626261]  ? move_addr_to_user+0x13f/0x180
[ 33.630647]  ? __fdget+0x167/0x1f0
[ 33.634176]  ? sockfd_lookup_light+0xb2/0x160
[ 33.638671]  __sys_sendmsg+0xa3/0x120
[ 33.642588]  ? SyS_shutdown+0x160/0x160
[ 33.646544]  ? move_addr_to_kernel+0x60/0x60
[ 33.650931]  SyS_sendmsg+0x27/0x40
[ 33.654465]  ? __sys_sendmsg+0x120/0x120
[ 33.658508]  do_syscall_64+0x1d5/0x640
[ 33.662379]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 33.667549] RIP: 0033:0x7f2007a945e9
[ 33.671239] RSP: 002b:00007ffc91110ec8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 33.679006] RAX: ffffffffffffffda RBX: 00007f2007b08ed0 RCX: 00007f2007a945e9
[ 33.686277] RDX: 0000000000000000 RSI: 0000000020000000 RDI: 0000000000000005
[ 33.693529] RBP: 00007ffc91110f00 R08: 00007ffc91110ef7 R09: 00007ffc91110ef7
[ 33.700780] R10: 00007ffc91110ef7 R11: 0000000000000246 R12: 00007ffc91110ee0
[ 33.708025] R13: 00007ffc91110ed8 R14: 0000000000000000 R15: 0000000000000003
[ 33.715446] Kernel Offset: disabled
[ 33.719057] Rebooting in 86400 seconds..