Debian GNU/Linux 9 syzkaller ttyS0
Warning: Permanently added '10.128.10.18' (ECDSA) to the list of known hosts.
syzkaller login:
[ 27.890807] IPVS: ftp: loaded support on port[0] = 21
[ 27.957397] chnl_net:caif_netlink_parms(): no params data found
[ 28.026218] bridge0: port 1(bridge_slave_0) entered blocking state
[ 28.032770] bridge0: port 1(bridge_slave_0) entered disabled state
[ 28.040357] device bridge_slave_0 entered promiscuous mode
[ 28.047688] bridge0: port 2(bridge_slave_1) entered blocking state
[ 28.054044] bridge0: port 2(bridge_slave_1) entered disabled state
[ 28.061414] device bridge_slave_1 entered promiscuous mode
[ 28.077704] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 28.086281] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 28.103268] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 28.110429] team0: Port device team_slave_0 added
[ 28.116183] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 28.123192] team0: Port device team_slave_1 added
[ 28.138595] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 28.144878] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 28.170120] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[ 28.181280] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 28.187744] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 28.213235] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[ 28.223728] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[ 28.231200] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[ 28.249063] device hsr_slave_0 entered promiscuous mode
[ 28.255002] device hsr_slave_1 entered promiscuous mode
[ 28.260802] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready
[ 28.268017] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_1: link is not ready
[ 28.326751] bridge0: port 2(bridge_slave_1) entered blocking state
[ 28.333141] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 28.339987] bridge0: port 1(bridge_slave_0) entered blocking state
[ 28.346385] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 28.372721] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[ 28.378845] 8021q: adding VLAN 0 to HW filter on device bond0
[ 28.388015] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 28.397975] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 28.416847] bridge0: port 1(bridge_slave_0) entered disabled state
[ 28.423764] bridge0: port 2(bridge_slave_1) entered disabled state
[ 28.433599] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready
[ 28.439998] 8021q: adding VLAN 0 to HW filter on device team0
[ 28.448149] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 28.455998] bridge0: port 1(bridge_slave_0) entered blocking state
[ 28.462332] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 28.474964] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 28.482506] bridge0: port 2(bridge_slave_1) entered blocking state
[ 28.488897] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 28.503082] hsr0: Slave A (hsr_slave_0) is not up; please bring it up to get a fully working HSR network
[ 28.514402] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
[ 28.526580] IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready
[ 28.533265] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 28.541515] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 28.549764] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 28.557378] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 28.565024] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 28.571722] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 28.583911] IPv6: ADDRCONF(NETDEV_UP): vxcan0: link is not ready
[ 28.592088] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 28.599319] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 28.609228] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 28.656806] IPv6: ADDRCONF(NETDEV_UP): veth0_virt_wifi: link is not ready
[ 28.667792] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 28.696436] IPv6: ADDRCONF(NETDEV_UP): veth0_vlan: link is not ready
[ 28.703291] IPv6: ADDRCONF(NETDEV_UP): vlan0: link is not ready
[ 28.711191] IPv6: ADDRCONF(NETDEV_UP): vlan1: link is not ready
[ 28.719904] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 28.727851] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 28.735095] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 28.743325] device veth0_vlan entered promiscuous mode
[ 28.751444] device veth1_vlan entered promiscuous mode
[ 28.757461] IPv6: ADDRCONF(NETDEV_UP): macvlan0: link is not ready
[ 28.766231] IPv6: ADDRCONF(NETDEV_UP): macvlan1: link is not ready
[ 28.776797] IPv6: ADDRCONF(NETDEV_UP): veth0_macvtap: link is not ready
[ 28.786259] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan0: link becomes ready
[ 28.793369] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan1: link becomes ready
[ 28.800860] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 28.809959] device veth0_macvtap entered promiscuous mode
[ 28.816679] IPv6: ADDRCONF(NETDEV_UP): macvtap0: link is not ready
[ 28.825663] device veth1_macvtap entered promiscuous mode
[ 28.833537] IPv6: ADDRCONF(NETDEV_UP): veth0_to_batadv: link is not ready
[ 28.842720] IPv6: ADDRCONF(NETDEV_UP): veth1_to_batadv: link is not ready
[ 28.852699] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 28.860040] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 28.868398] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready
[ 28.878211] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 28.885016] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
executing program
[ 28.944556] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 28.971743] ==================================================================
[ 28.979179] BUG: KASAN: slab-out-of-bounds in ipvlan_queue_xmit+0x1323/0x15a0
[ 28.986434] Read of size 4 at addr ffff8880b024dc7f by task syz-executor308/7955
[ 28.993946]
[ 28.995561] CPU: 1 PID: 7955 Comm: syz-executor308 Not tainted 4.14.291-syzkaller #0
[ 29.003427] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/22/2022
[ 29.012773] Call Trace:
[ 29.015353] dump_stack+0x1b2/0x281
[ 29.018981] print_address_description.cold+0x54/0x1d3
[ 29.024278] kasan_report_error.cold+0x8a/0x191
[ 29.028929] ? ipvlan_queue_xmit+0x1323/0x15a0
[ 29.033596] __asan_report_load4_noabort+0x68/0x70
[ 29.038530] ? ipvlan_queue_xmit+0x1323/0x15a0
[ 29.043098] ipvlan_queue_xmit+0x1323/0x15a0
[ 29.047487] ? ipvlan_process_multicast+0xb80/0xb80
[ 29.052494] ? skb_crc32c_csum_help+0x70/0x70
[ 29.056971] ? netif_skb_features+0x4ed/0x9f0
[ 29.061458] ? __skb_gso_segment+0x600/0x600
[ 29.065840] ? sock_alloc_send_pskb+0x4ca/0x6d0
[ 29.070499] ? validate_xmit_xfrm+0x346/0x4d0
[ 29.074970] ? validate_xmit_skb+0x669/0x9f0
[ 29.079356] ipvlan_start_xmit+0x4f/0x180
[ 29.083601] ? packet_direct_xmit+0x1f0/0x610
[ 29.088084] packet_direct_xmit+0x410/0x610
[ 29.092383] packet_snd+0x13aa/0x26f0
[ 29.096166] ? __lock_acquire+0x5fc/0x3f20
[ 29.100377] ? prb_retire_rx_blk_timer_expired+0x630/0x630
[ 29.105979] ? __lock_acquire+0x5fc/0x3f20
[ 29.110204] ? SyS_socket+0x108/0x1b0
[ 29.113979] ? do_syscall_64+0x1d5/0x640
[ 29.118040] ? entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 29.123400] packet_sendmsg+0x12ed/0x33a0
[ 29.127538] ? lock_acquire+0x170/0x3f0
[ 29.131503] ? lock_downgrade+0x740/0x740
[ 29.135644] ? __might_fault+0x104/0x1b0
[ 29.139682] ? __might_fault+0x104/0x1b0
[ 29.143721] ? compat_packet_setsockopt+0x140/0x140
[ 29.148712] ? lock_acquire+0x170/0x3f0
[ 29.152660] ? lock_downgrade+0x740/0x740
[ 29.156782] ? __might_fault+0x177/0x1b0
[ 29.160818] ? security_socket_sendmsg+0x83/0xb0
[ 29.165567] ? compat_packet_setsockopt+0x140/0x140
[ 29.170567] sock_sendmsg+0xb5/0x100
[ 29.174273] SyS_sendto+0x1c7/0x2c0
[ 29.177885] ? SyS_getpeername+0x220/0x220
[ 29.182100] ? do_vfs_ioctl+0xe2/0xff0
[ 29.185965] ? __fdget+0x167/0x1f0
[ 29.189480] ? security_socket_setsockopt+0x83/0xb0
[ 29.194473] ? SyS_setsockopt+0x130/0x1e0
[ 29.198602] ? SyS_recv+0x40/0x40
[ 29.202031] ? security_file_ioctl+0x83/0xb0
[ 29.206416] ? do_syscall_64+0x4c/0x640
[ 29.210366] ? SyS_getpeername+0x220/0x220
[ 29.214585] do_syscall_64+0x1d5/0x640
[ 29.218452] entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 29.223616] RIP: 0033:0x7f66a6a59d79
[ 29.227333] RSP: 002b:00007ffcdf89c728 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
[ 29.235016] RAX: ffffffffffffffda RBX: 00007ffcdf89c748 RCX: 00007f66a6a59d79
[ 29.242259] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004
[ 29.249505] RBP: 0000000000000003 R08: 00000000200000c0 R09: 0000000000000014
[ 29.256772] R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffcdf89c770
[ 29.264055] R13: 00007ffcdf89c770 R14: 00007f66a6a9c3be R15: 00007ffcdf89c750
[ 29.271314]
[ 29.272928] Allocated by task 6222:
[ 29.276593] kasan_kmalloc+0xeb/0x160
[ 29.280373] kmem_cache_alloc+0x124/0x3c0
[ 29.284500] getname_flags+0xc8/0x550
[ 29.288281] SyS_renameat2+0x17b/0xad0
[ 29.292162] do_syscall_64+0x1d5/0x640
[ 29.296042] entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 29.301217]
[ 29.302823] Freed by task 6222:
[ 29.306091] kasan_slab_free+0xc3/0x1a0
[ 29.310041] kmem_cache_free+0x7c/0x2b0
[ 29.313988] putname+0xcd/0x110
[ 29.317251] SyS_renameat2+0x214/0xad0
[ 29.321111] do_syscall_64+0x1d5/0x640
[ 29.324974] entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 29.330167]
[ 29.331775] The buggy address belongs to the object at ffff8880b024c340
[ 29.331775] which belongs to the cache names_cache of size 4096
[ 29.344497] The buggy address is located 2367 bytes to the right of
[ 29.344497] 4096-byte region [ffff8880b024c340, ffff8880b024d340)
[ 29.357044] The buggy address belongs to the page:
[ 29.361952] page:ffffea0002c09300 count:1 mapcount:0 mapping:ffff8880b024c340 index:0x0 compound_mapcount: 0
[ 29.371894] flags: 0xfff00000008100(slab|head)
[ 29.376467] raw: 00fff00000008100 ffff8880b024c340 0000000000000000 0000000100000001
[ 29.384323] raw: ffffea0002cd0c20 ffffea0002bd3020 ffff88823f8c1200 0000000000000000
[ 29.392175] page dumped because: kasan: bad access detected
[ 29.397864]
[ 29.399470] Memory state around the buggy address:
[ 29.404372] ffff8880b024db00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 29.411705] ffff8880b024db80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 29.419045] >ffff8880b024dc00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 29.426377] ^
[ 29.433622] ffff8880b024dc80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 29.440969] ffff8880b024dd00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 29.448311] ==================================================================
[ 29.455657] Disabling lock debugging due to kernel taint
[ 29.461122] Kernel panic - not syncing: panic_on_warn set ...
[ 29.461122]
[ 29.468499] CPU: 1 PID: 7955 Comm: syz-executor308 Tainted: G B 4.14.291-syzkaller #0
[ 29.477585] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/22/2022
[ 29.486928] Call Trace:
[ 29.489505] dump_stack+0x1b2/0x281
[ 29.493124] panic+0x1f9/0x42d
[ 29.496304] ? add_taint.cold+0x16/0x16
[ 29.500261] kasan_end_report+0x43/0x49
[ 29.504322] kasan_report_error.cold+0xa7/0x191
[ 29.508993] ? ipvlan_queue_xmit+0x1323/0x15a0
[ 29.513547] __asan_report_load4_noabort+0x68/0x70
[ 29.518452] ? ipvlan_queue_xmit+0x1323/0x15a0
[ 29.523008] ipvlan_queue_xmit+0x1323/0x15a0
[ 29.527392] ? ipvlan_process_multicast+0xb80/0xb80
[ 29.532382] ? skb_crc32c_csum_help+0x70/0x70
[ 29.536962] ? netif_skb_features+0x4ed/0x9f0
[ 29.541432] ? __skb_gso_segment+0x600/0x600
[ 29.545902] ? sock_alloc_send_pskb+0x4ca/0x6d0
[ 29.550544] ? validate_xmit_xfrm+0x346/0x4d0
[ 29.555029] ? validate_xmit_skb+0x669/0x9f0
[ 29.559410] ipvlan_start_xmit+0x4f/0x180
[ 29.563532] ? packet_direct_xmit+0x1f0/0x610
[ 29.568000] packet_direct_xmit+0x410/0x610
[ 29.572296] packet_snd+0x13aa/0x26f0
[ 29.576164] ? __lock_acquire+0x5fc/0x3f20
[ 29.580375] ? prb_retire_rx_blk_timer_expired+0x630/0x630
[ 29.585990] ? __lock_acquire+0x5fc/0x3f20
[ 29.590198] ? SyS_socket+0x108/0x1b0
[ 29.593971] ? do_syscall_64+0x1d5/0x640
[ 29.598023] ? entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 29.603361] packet_sendmsg+0x12ed/0x33a0
[ 29.607483] ? lock_acquire+0x170/0x3f0
[ 29.611451] ? lock_downgrade+0x740/0x740
[ 29.615754] ? __might_fault+0x104/0x1b0
[ 29.619788] ? __might_fault+0x104/0x1b0
[ 29.623823] ? compat_packet_setsockopt+0x140/0x140
[ 29.632231] ? lock_acquire+0x170/0x3f0
[ 29.638187] ? lock_downgrade+0x740/0x740
[ 29.642404] ? __might_fault+0x177/0x1b0
[ 29.646439] ? security_socket_sendmsg+0x83/0xb0
[ 29.651167] ? compat_packet_setsockopt+0x140/0x140
[ 29.656170] sock_sendmsg+0xb5/0x100
[ 29.659868] SyS_sendto+0x1c7/0x2c0
[ 29.663470] ? SyS_getpeername+0x220/0x220
[ 29.667680] ? do_vfs_ioctl+0xe2/0xff0
[ 29.671548] ? __fdget+0x167/0x1f0
[ 29.675060] ? security_socket_setsockopt+0x83/0xb0
[ 29.680050] ? SyS_setsockopt+0x130/0x1e0
[ 29.684171] ? SyS_recv+0x40/0x40
[ 29.687601] ? security_file_ioctl+0x83/0xb0
[ 29.691982] ? do_syscall_64+0x4c/0x640
[ 29.695927] ? SyS_getpeername+0x220/0x220
[ 29.700173] do_syscall_64+0x1d5/0x640
[ 29.704040] entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 29.709405] RIP: 0033:0x7f66a6a59d79
[ 29.713100] RSP: 002b:00007ffcdf89c728 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
[ 29.720796] RAX: ffffffffffffffda RBX: 00007ffcdf89c748 RCX: 00007f66a6a59d79
[ 29.728044] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004
[ 29.735295] RBP: 0000000000000003 R08: 00000000200000c0 R09: 0000000000000014
[ 29.742608] R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffcdf89c770
[ 29.749852] R13: 00007ffcdf89c770 R14: 00007f66a6a9c3be R15: 00007ffcdf89c750
[ 29.757274] Kernel Offset: disabled
[ 29.761017] Rebooting in 86400 seconds..