[ OK ] Reached target Login Prompts.
[ OK ] Reached target Multi-User System.
[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
[ OK ] Started Update UTMP about System Runlevel Changes.
Debian GNU/Linux 9 syzkaller ttyS0
Warning: Permanently added '10.128.1.30' (ECDSA) to the list of known hosts.
syzkaller login: [ 38.152730] audit: type=1400 audit(1594824208.987:8): avc: denied { execmem } for pid=6449 comm="syz-executor980" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=1
[ 38.171303] IPVS: ftp: loaded support on port[0] = 21
[ 38.247071] chnl_net:caif_netlink_parms(): no params data found
[ 38.368474] bridge0: port 1(bridge_slave_0) entered blocking state
[ 38.375292] bridge0: port 1(bridge_slave_0) entered disabled state
[ 38.383024] device bridge_slave_0 entered promiscuous mode
[ 38.390656] bridge0: port 2(bridge_slave_1) entered blocking state
[ 38.397024] bridge0: port 2(bridge_slave_1) entered disabled state
[ 38.404572] device bridge_slave_1 entered promiscuous mode
[ 38.423184] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 38.431970] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 38.450511] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 38.457917] team0: Port device team_slave_0 added
[ 38.463328] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 38.471251] team0: Port device team_slave_1 added
[ 38.486530] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 38.492823] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 38.518089] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[ 38.529591] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 38.535819] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 38.561104] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[ 38.571756] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[ 38.579416] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[ 38.640277] device hsr_slave_0 entered promiscuous mode
[ 38.677246] device hsr_slave_1 entered promiscuous mode
[ 38.717621] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready
[ 38.724666] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_1: link is not ready
[ 38.790493] bridge0: port 2(bridge_slave_1) entered blocking state
[ 38.797090] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 38.803840] bridge0: port 1(bridge_slave_0) entered blocking state
[ 38.810244] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 38.842542] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[ 38.849198] 8021q: adding VLAN 0 to HW filter on device bond0
[ 38.858842] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 38.867663] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 38.875822] bridge0: port 1(bridge_slave_0) entered disabled state
[ 38.893384] bridge0: port 2(bridge_slave_1) entered disabled state
[ 38.901151] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 38.911757] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready
[ 38.918154] 8021q: adding VLAN 0 to HW filter on device team0
[ 38.927186] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 38.935047] bridge0: port 1(bridge_slave_0) entered blocking state
[ 38.941436] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 38.951442] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 38.959514] bridge0: port 2(bridge_slave_1) entered blocking state
[ 38.965853] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 38.981960] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 38.990065] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 39.000991] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 39.011172] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 39.022379] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 39.031588] IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready
[ 39.038558] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 39.052017] IPv6: ADDRCONF(NETDEV_UP): vxcan0: link is not ready
[ 39.059962] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 39.066587] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 39.077895] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 39.091834] IPv6: ADDRCONF(NETDEV_UP): veth0_virt_wifi: link is not ready
[ 39.101371] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 39.136376] IPv6: ADDRCONF(NETDEV_UP): veth0_vlan: link is not ready
[ 39.143960] IPv6: ADDRCONF(NETDEV_UP): vlan0: link is not ready
[ 39.151110] IPv6: ADDRCONF(NETDEV_UP): vlan1: link is not ready
[ 39.160729] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 39.168272] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 39.175129] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 39.183863] device veth0_vlan entered promiscuous mode
[ 39.193655] device veth1_vlan entered promiscuous mode
[ 39.199901] IPv6: ADDRCONF(NETDEV_UP): macvlan0: link is not ready
[ 39.209465] IPv6: ADDRCONF(NETDEV_UP): macvlan1: link is not ready
[ 39.221345] IPv6: ADDRCONF(NETDEV_UP): veth0_macvtap: link is not ready
[ 39.231776] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan0: link becomes ready
[ 39.240400] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan1: link becomes ready
[ 39.247878] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 39.257748] device veth0_macvtap entered promiscuous mode
[ 39.265895] device veth1_macvtap entered promiscuous mode
[ 39.275204] IPv6: ADDRCONF(NETDEV_UP): veth0_to_batadv: link is not ready
[ 39.285407] IPv6: ADDRCONF(NETDEV_UP): veth1_to_batadv: link is not ready
[ 39.295624] IPv6: ADDRCONF(NETDEV_UP): batadv_slave_0: link is not ready
[ 39.303353] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 39.310664] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready
[ 39.319105] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 39.329371] IPv6: ADDRCONF(NETDEV_UP): batadv_slave_1: link is not ready
[ 39.336235] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 39.343248] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready
[ 39.351213] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
executing program
[ 39.443880] TCP: request_sock_TCPv6: Possible SYN flooding on port 20002. Sending cookies. Check SNMP counters.
[ 39.467512] FAULT_INJECTION: forcing a failure.
[ 39.467512] name failslab, interval 1, probability 0, space 0, times 1
[ 39.479064] CPU: 1 PID: 6669 Comm: syz-executor980 Not tainted 4.19.132-syzkaller #0
[ 39.479084] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 39.479088] Call Trace:
[ 39.479108] dump_stack+0x1fc/0x2fe
[ 39.479126] should_fail.cold+0xa/0x14
[ 39.479141] ? setup_fault_attr+0x200/0x200
[ 39.479156] ? depot_save_stack+0x258/0x40a
[ 39.515172] __should_failslab+0x115/0x180
[ 39.519391] should_failslab+0x5/0xf
[ 39.523084] __kmalloc+0x6d/0x3c0
[ 39.526534] ? gcmaes_encrypt.constprop.0+0x6c2/0xd90
[ 39.531758] gcmaes_encrypt.constprop.0+0x6c2/0xd90
[ 39.536803] ? depot_save_stack+0x258/0x40a
[ 39.541113] ? gcmaes_crypt_by_sg.constprop.0+0x1790/0x1790
[ 39.547685] ? sock_sendmsg+0xc3/0x120
[ 39.551556] ? __sys_sendto+0x21a/0x320
[ 39.555517] ? __x64_sys_sendto+0xdd/0x1b0
[ 39.559753] ? do_syscall_64+0xf9/0x620
[ 39.563721] ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 39.569072] ? mark_held_locks+0xf0/0xf0
[ 39.573119] ? up_read+0x17/0x110
[ 39.576552] ? mark_held_locks+0xf0/0xf0
[ 39.580592] ? mark_held_locks+0xa6/0xf0
[ 39.584632] ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 39.589370] ? lockdep_hardirqs_on+0x3a8/0x5c0
[ 39.593936] ? generic_gcmaes_encrypt+0x108/0x160
[ 39.598759] ? generic_gcmaes_encrypt+0x108/0x160
[ 39.603670] ? helper_rfc4106_encrypt+0x310/0x310
[ 39.608583] ? gcmaes_wrapper_encrypt+0x157/0x1f0
[ 39.613405] ? tls_push_record+0x9d7/0x1370
[ 39.617711] ? tls_sw_sendmsg+0xbf0/0x1210
[ 39.621931] ? tls_read_size+0x640/0x640
[ 39.625972] ? proc_fail_nth_write+0x95/0x1d0
[ 39.630449] ? inet_sendmsg+0x132/0x5a0
[ 39.634400] ? security_socket_sendmsg+0x83/0xb0
[ 39.639147] ? inet_recvmsg+0x5c0/0x5c0
[ 39.643274] ? sock_sendmsg+0xc3/0x120
[ 39.647139] ? __sys_sendto+0x21a/0x320
[ 39.651186] ? __ia32_sys_getpeername+0xb0/0xb0
[ 39.655834] ? lock_downgrade+0x720/0x720
[ 39.659962] ? vfs_write+0x3d7/0x540
[ 39.663659] ? check_preemption_disabled+0x41/0x280
[ 39.668655] ? wait_for_completion_io+0x10/0x10
[ 39.673304] ? vfs_write+0x393/0x540
[ 39.676996] ? fput+0x2b/0x190
[ 39.680166] ? ksys_write+0x1c8/0x2a0
[ 39.683947] ? __ia32_sys_read+0xb0/0xb0
[ 39.687989] ? __x64_sys_sendto+0xdd/0x1b0
[ 39.692214] ? lockdep_hardirqs_on+0x3a8/0x5c0
[ 39.696949] ? do_syscall_64+0xf9/0x620
[ 39.700904] ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 39.907793] ==================================================================
[ 39.915232] BUG: KASAN: use-after-free in tls_push_record+0x104c/0x1370
[ 39.921981] Write of size 1 at addr ffff888088ef8000 by task syz-executor980/6669
[ 39.929577]
[ 39.931186] CPU: 0 PID: 6669 Comm: syz-executor980 Not tainted 4.19.132-syzkaller #0
[ 39.939047] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 39.948389] Call Trace:
[ 39.950962] dump_stack+0x1fc/0x2fe
[ 39.954589] print_address_description.cold+0x54/0x219
[ 39.959950] kasan_report_error.cold+0x8a/0x1c7
[ 39.964613] ? tls_push_record+0x104c/0x1370
[ 39.969001] __asan_report_store1_noabort+0x88/0x90
[ 39.973999] ? tls_push_record+0x104c/0x1370
[ 39.978404] tls_push_record+0x104c/0x1370
[ 39.982641] ? lockdep_hardirqs_on+0x3a8/0x5c0
[ 39.987210] tls_sk_proto_close+0x907/0xc20
[ 39.991512] ? _raw_spin_unlock_irqrestore+0x79/0xe0
[ 39.996611] ? tcp_check_oom+0x520/0x520
[ 40.000683] ? lockdep_hardirqs_on+0x3a8/0x5c0
[ 40.005245] ? tls_write_space+0x320/0x320
[ 40.009463] ? ip_mc_drop_socket+0x16/0x260
[ 40.013864] inet_release+0xd7/0x1e0
[ 40.017559] inet6_release+0x4c/0x70
[ 40.021517] __sock_release+0xcd/0x2a0
[ 40.025398] ? __sock_release+0x2a0/0x2a0
[ 40.029526] sock_close+0x15/0x20
[ 40.032969] __fput+0x2ce/0x890
[ 40.036233] task_work_run+0x148/0x1c0
[ 40.040104] do_exit+0xbb2/0x2b70
[ 40.043538] ? mm_update_next_owner+0x650/0x650
[ 40.048188] ? get_signal+0x388/0x1f70
[ 40.052060] ? lock_downgrade+0x720/0x720
[ 40.056187] ? lock_acquire+0x170/0x3c0
[ 40.060144] do_group_exit+0x125/0x310
[ 40.064020] get_signal+0x3f2/0x1f70
[ 40.067738] ? inet_sendmsg+0x13a/0x5a0
[ 40.071874] ? security_socket_sendmsg+0x83/0xb0
[ 40.076625] do_signal+0x8f/0x1670
[ 40.080157] ? __ia32_sys_getpeername+0xb0/0xb0
[ 40.085068] ? lock_downgrade+0x720/0x720
[ 40.089215] ? setup_sigcontext+0x820/0x820
[ 40.093519] ? check_preemption_disabled+0x41/0x280
[ 40.098516] ? wait_for_completion_io+0x10/0x10
[ 40.103171] ? vfs_write+0x393/0x540
[ 40.106875] ? fput+0x2b/0x190
[ 40.110073] ? ksys_write+0x1c8/0x2a0
[ 40.113959] ? exit_to_usermode_loop+0x36/0x2a0
[ 40.118622] exit_to_usermode_loop+0x204/0x2a0
[ 40.123191] do_syscall_64+0x538/0x620
[ 40.127067] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 40.132239] RIP: 0033:0x448e19
[ 40.135420] Code: Bad RIP value.
[ 40.138765] RSP: 002b:00007f4784f73d68 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
[ 40.146456] RAX: 0000000000004000 RBX: 00000000006dfc28 RCX: 0000000000448e19
[ 40.153732] RDX: 00000000e0ffffff RSI: 00000000200005c0 RDI: 0000000000000003
[ 40.160988] RBP: 00000000006dfc20 R08: 0000000000000000 R09: 00000000000000d8
[ 40.168240] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f4784f73d80
[ 40.175507] R13: 0000000000000005 R14: 008f60cc2a9f2fbd R15: af00182a00000000
[ 40.182851]
[ 40.184453] The buggy address belongs to the page:
[ 40.189364] page:ffffea000223be00 count:0 mapcount:-128 mapping:0000000000000000 index:0x0
[ 40.198277] flags: 0xfffe0000000000()
[ 40.202083] raw: 00fffe0000000000 ffffea000290bc08 ffffea000227ca08 0000000000000000
[ 40.209943] raw: 0000000000000000 0000000000000003 00000000ffffff7f 0000000000000000
[ 40.217816] page dumped because: kasan: bad access detected
[ 40.223511]
[ 40.225112] Memory state around the buggy address:
[ 40.230024] ffff888088ef7f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 40.237363] ffff888088ef7f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 40.244705] >ffff888088ef8000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 40.253081] ^
[ 40.256426] ffff888088ef8080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 40.263803] ffff888088ef8100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 40.271153] ==================================================================
[ 40.278492] Disabling lock debugging due to kernel taint
[ 40.288213] Kernel panic - not syncing: panic_on_warn set ...
[ 40.288213]
[ 40.295610] CPU: 1 PID: 6669 Comm: syz-executor980 Tainted: G B 4.19.132-syzkaller #0
[ 40.304887] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 40.314235] Call Trace:
[ 40.316962] dump_stack+0x1fc/0x2fe
[ 40.320600] panic+0x26a/0x50e
[ 40.323789] ? __warn_printk+0xf3/0xf3
[ 40.327730] ? preempt_schedule_common+0x45/0xc0
[ 40.332506] ? ___preempt_schedule+0x16/0x18
[ 40.336898] ? trace_hardirqs_on+0x55/0x210
[ 40.341204] kasan_end_report+0x43/0x49
[ 40.345160] kasan_report_error.cold+0xa7/0x1c7
[ 40.349814] ? tls_push_record+0x104c/0x1370
[ 40.354205] __asan_report_store1_noabort+0x88/0x90
[ 40.359201] ? tls_push_record+0x104c/0x1370
[ 40.363595] tls_push_record+0x104c/0x1370
[ 40.367814] ? lockdep_hardirqs_on+0x3a8/0x5c0
[ 40.372372] tls_sk_proto_close+0x907/0xc20
[ 40.376671] ? _raw_spin_unlock_irqrestore+0x79/0xe0
[ 40.381752] ? tcp_check_oom+0x520/0x520
[ 40.385791] ? lockdep_hardirqs_on+0x3a8/0x5c0
[ 40.390358] ? tls_write_space+0x320/0x320
[ 40.394572] ? ip_mc_drop_socket+0x16/0x260
[ 40.398894] inet_release+0xd7/0x1e0
[ 40.402605] inet6_release+0x4c/0x70
[ 40.406303] __sock_release+0xcd/0x2a0
[ 40.410169] ? __sock_release+0x2a0/0x2a0
[ 40.414367] sock_close+0x15/0x20
[ 40.417818] __fput+0x2ce/0x890
[ 40.421084] task_work_run+0x148/0x1c0
[ 40.424955] do_exit+0xbb2/0x2b70
[ 40.428390] ? mm_update_next_owner+0x650/0x650
[ 40.433219] ? get_signal+0x388/0x1f70
[ 40.437107] ? lock_downgrade+0x720/0x720
[ 40.441233] ? lock_acquire+0x170/0x3c0
[ 40.445183] do_group_exit+0x125/0x310
[ 40.449058] get_signal+0x3f2/0x1f70
[ 40.452849] ? inet_sendmsg+0x13a/0x5a0
[ 40.456800] ? security_socket_sendmsg+0x83/0xb0
[ 40.461535] do_signal+0x8f/0x1670
[ 40.465055] ? __ia32_sys_getpeername+0xb0/0xb0
[ 40.469804] ? lock_downgrade+0x720/0x720
[ 40.474031] ? setup_sigcontext+0x820/0x820
[ 40.478335] ? check_preemption_disabled+0x41/0x280
[ 40.483328] ? wait_for_completion_io+0x10/0x10
[ 40.487975] ? vfs_write+0x393/0x540
[ 40.491665] ? fput+0x2b/0x190
[ 40.494962] ? ksys_write+0x1c8/0x2a0
[ 40.498830] ? exit_to_usermode_loop+0x36/0x2a0
[ 40.503504] exit_to_usermode_loop+0x204/0x2a0
[ 40.508066] do_syscall_64+0x538/0x620
[ 40.511948] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 40.517115] RIP: 0033:0x448e19
[ 40.520295] Code: Bad RIP value.
[ 40.523640] RSP: 002b:00007f4784f73d68 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
[ 40.531410] RAX: 0000000000004000 RBX: 00000000006dfc28 RCX: 0000000000448e19
[ 40.538670] RDX: 00000000e0ffffff RSI: 00000000200005c0 RDI: 0000000000000003
[ 40.545926] RBP: 00000000006dfc20 R08: 0000000000000000 R09: 00000000000000d8
[ 40.553186] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f4784f73d80
[ 40.561230] R13: 0000000000000005 R14: 008f60cc2a9f2fbd R15: af00182a00000000
[ 40.570004] Kernel Offset: disabled
[ 40.573639] Rebooting in 86400 seconds..