[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
Starting Load/Save RF Kill Switch Status...
[ OK ] Started Update UTMP about System Runlevel Changes.
[ OK ] Started Load/Save RF Kill Switch Status.
Debian GNU/Linux 9 syzkaller ttyS0
Warning: Permanently added '10.128.0.101' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 69.992168][ T8443] ==================================================================
[ 70.000320][ T8443] BUG: KASAN: slab-out-of-bounds in add_del_if+0x13a/0x140
[ 70.007528][ T8443] Read of size 8 at addr ffff888019118c88 by task syz-executor790/8443
[ 70.015746][ T8443]
[ 70.018051][ T8443] CPU: 0 PID: 8443 Comm: syz-executor790 Not tainted 5.14.0-rc2-syzkaller #0
[ 70.026793][ T8443] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 70.036874][ T8443] Call Trace:
[ 70.040175][ T8443] dump_stack_lvl+0xcd/0x134
[ 70.044752][ T8443] print_address_description.constprop.0.cold+0x6c/0x309
[ 70.051760][ T8443] ? add_del_if+0x13a/0x140
[ 70.056245][ T8443] ? add_del_if+0x13a/0x140
[ 70.060732][ T8443] kasan_report.cold+0x83/0xdf
[ 70.065491][ T8443] ? add_del_if+0x13a/0x140
[ 70.069987][ T8443] add_del_if+0x13a/0x140
[ 70.074300][ T8443] br_ioctl_stub+0x1c6/0x7f0
[ 70.078876][ T8443] ? br_dev_siocdevprivate+0x15c0/0x15c0
[ 70.084496][ T8443] ? __sanitizer_cov_trace_const_cmp4+0x1c/0x70
[ 70.090718][ T8443] ? full_name_hash+0xb5/0xf0
[ 70.095382][ T8443] ? br_dev_siocdevprivate+0x15c0/0x15c0
[ 70.100994][ T8443] br_ioctl_call+0x5e/0xa0
[ 70.105393][ T8443] dev_ifsioc+0xc1f/0xf60
[ 70.109711][ T8443] ? dev_load+0x79/0x200
[ 70.113936][ T8443] ? sock_diag_broadcast_destroy+0x1a0/0x1a0
[ 70.119907][ T8443] ? __sanitizer_cov_trace_const_cmp4+0x1c/0x70
[ 70.126142][ T8443] ? __sanitizer_cov_trace_const_cmp4+0x1c/0x70
[ 70.132365][ T8443] ? netdev_name_node_lookup_rcu+0x108/0x150
[ 70.138341][ T8443] dev_ioctl+0x1b9/0xee0
[ 70.142611][ T8443] sock_do_ioctl+0x18b/0x210
[ 70.147190][ T8443] ? put_user_ifreq+0x140/0x140
[ 70.152071][ T8443] sock_ioctl+0x2f1/0x640
[ 70.156389][ T8443] ? br_ioctl_call+0xa0/0xa0
[ 70.160963][ T8443] ? lock_downgrade+0x6e0/0x6e0
[ 70.165799][ T8443] ? lock_downgrade+0x6e0/0x6e0
[ 70.170637][ T8443] ? __sanitizer_cov_trace_const_cmp4+0x1c/0x70
[ 70.176860][ T8443] ? br_ioctl_call+0xa0/0xa0
[ 70.181433][ T8443] __x64_sys_ioctl+0x193/0x200
[ 70.186186][ T8443] do_syscall_64+0x35/0xb0
[ 70.190589][ T8443] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 70.196467][ T8443] RIP: 0033:0x43ee49
[ 70.200348][ T8443] Code: 28 c3 e8 2a 14 00 00 66 2e 0f 1f 84 00 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
[ 70.219960][ T8443] RSP: 002b:00007ffc164ff518 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 70.228361][ T8443] RAX: ffffffffffffffda RBX: 0000000000400488 RCX: 000000000043ee49
[ 70.236314][ T8443] RDX: 0000000020000180 RSI: 00000000000089a3 RDI: 0000000000000003
[ 70.244274][ T8443] RBP: 0000000000402e30 R08: 0000000000000000 R09: 0000000000400488
[ 70.252239][ T8443] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000402ec0
[ 70.260200][ T8443] R13: 0000000000000000 R14: 00000000004ac018 R15: 0000000000400488
[ 70.268168][ T8443]
[ 70.270475][ T8443] Allocated by task 1:
[ 70.274522][ T8443] kasan_save_stack+0x1b/0x40
[ 70.279198][ T8443] __kasan_kmalloc+0x9b/0xd0
[ 70.283771][ T8443] kvmalloc_node+0x61/0xf0
[ 70.288170][ T8443] alloc_netdev_mqs+0x98/0xe80
[ 70.292918][ T8443] loopback_net_init+0x31/0x160
[ 70.297760][ T8443] ops_init+0xaf/0x470
[ 70.301821][ T8443] register_pernet_operations+0x35a/0x850
[ 70.307522][ T8443] register_pernet_device+0x26/0x70
[ 70.312703][ T8443] net_dev_init+0x566/0x612
[ 70.317188][ T8443] do_one_initcall+0x103/0x650
[ 70.321936][ T8443] kernel_init_freeable+0x6b8/0x741
[ 70.327115][ T8443] kernel_init+0x1a/0x1d0
[ 70.331426][ T8443] ret_from_fork+0x1f/0x30
[ 70.335820][ T8443]
[ 70.338124][ T8443] The buggy address belongs to the object at ffff888019118000
[ 70.338124][ T8443] which belongs to the cache kmalloc-cg-4k of size 4096
[ 70.352412][ T8443] The buggy address is located 3208 bytes inside of
[ 70.352412][ T8443] 4096-byte region [ffff888019118000, ffff888019119000)
[ 70.365853][ T8443] The buggy address belongs to the page:
[ 70.371460][ T8443] page:ffffea0000644600 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x19118
[ 70.381590][ T8443] head:ffffea0000644600 order:3 compound_mapcount:0 compound_pincount:0
[ 70.389891][ T8443] flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff)
[ 70.397923][ T8443] raw: 00fff00000010200 0000000000000000 dead000000000122 ffff88801084c280
[ 70.406503][ T8443] raw: 0000000000000000 0000000000040004 00000001ffffffff 0000000000000000
[ 70.415090][ T8443] page dumped because: kasan: bad access detected
[ 70.421481][ T8443] page_owner tracks the page as allocated
[ 70.427170][ T8443] page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd60c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_RETRY_MAYFAIL|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 1, ts 3473484541, free_ts 0
[ 70.446769][ T8443] get_page_from_freelist+0xa72/0x2f80
[ 70.452218][ T8443] __alloc_pages+0x1b2/0x500
[ 70.456822][ T8443] alloc_page_interleave+0x1e/0x200
[ 70.462005][ T8443] alloc_pages+0x238/0x2a0
[ 70.466489][ T8443] allocate_slab+0x32e/0x4b0
[ 70.471062][ T8443] ___slab_alloc+0x4ba/0x820
[ 70.475635][ T8443] __slab_alloc.constprop.0+0xa7/0xf0
[ 70.481001][ T8443] __kmalloc_node+0x2df/0x380
[ 70.485659][ T8443] kvmalloc_node+0x61/0xf0
[ 70.490057][ T8443] alloc_netdev_mqs+0x98/0xe80
[ 70.494816][ T8443] loopback_net_init+0x31/0x160
[ 70.499646][ T8443] ops_init+0xaf/0x470
[ 70.503782][ T8443] register_pernet_operations+0x35a/0x850
[ 70.509573][ T8443] register_pernet_device+0x26/0x70
[ 70.514840][ T8443] net_dev_init+0x566/0x612
[ 70.519323][ T8443] do_one_initcall+0x103/0x650
[ 70.524068][ T8443] page_owner free stack trace missing
[ 70.529410][ T8443]
[ 70.531720][ T8443] Memory state around the buggy address:
[ 70.537328][ T8443] ffff888019118b80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 70.545367][ T8443] ffff888019118c00: 00 00 00 07 fc fc fc fc fc fc fc fc fc fc fc fc
[ 70.553405][ T8443] >ffff888019118c80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 70.561448][ T8443] ^
[ 70.565749][ T8443] ffff888019118d00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 70.573883][ T8443] ffff888019118d80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 70.581919][ T8443] ==================================================================
[ 70.589993][ T8443] Disabling lock debugging due to kernel taint
[ 70.597169][ T8443] Kernel panic - not syncing: panic_on_warn set ...
[ 70.603748][ T8443] CPU: 0 PID: 8443 Comm: syz-executor790 Tainted: G B 5.14.0-rc2-syzkaller #0
[ 70.613890][ T8443] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 70.623929][ T8443] Call Trace:
[ 70.627204][ T8443] dump_stack_lvl+0xcd/0x134
[ 70.631787][ T8443] panic+0x306/0x73d
[ 70.635674][ T8443] ? __warn_printk+0xf3/0xf3
[ 70.640265][ T8443] ? preempt_schedule_common+0x59/0xc0
[ 70.645722][ T8443] ? add_del_if+0x13a/0x140
[ 70.650475][ T8443] ? preempt_schedule_thunk+0x16/0x18
[ 70.655848][ T8443] ? trace_hardirqs_on+0x38/0x1c0
[ 70.660864][ T8443] ? trace_hardirqs_on+0x51/0x1c0
[ 70.665893][ T8443] ? add_del_if+0x13a/0x140
[ 70.670404][ T8443] ? add_del_if+0x13a/0x140
[ 70.674901][ T8443] end_report.cold+0x5a/0x5a
[ 70.679491][ T8443] kasan_report.cold+0x71/0xdf
[ 70.684256][ T8443] ? add_del_if+0x13a/0x140
[ 70.688758][ T8443] add_del_if+0x13a/0x140
[ 70.693084][ T8443] br_ioctl_stub+0x1c6/0x7f0
[ 70.697667][ T8443] ? br_dev_siocdevprivate+0x15c0/0x15c0
[ 70.703293][ T8443] ? __sanitizer_cov_trace_const_cmp4+0x1c/0x70
[ 70.709530][ T8443] ? full_name_hash+0xb5/0xf0
[ 70.714198][ T8443] ? br_dev_siocdevprivate+0x15c0/0x15c0
[ 70.719819][ T8443] br_ioctl_call+0x5e/0xa0
[ 70.724224][ T8443] dev_ifsioc+0xc1f/0xf60
[ 70.728542][ T8443] ? dev_load+0x79/0x200
[ 70.732786][ T8443] ? sock_diag_broadcast_destroy+0x1a0/0x1a0
[ 70.742922][ T8443] ? __sanitizer_cov_trace_const_cmp4+0x1c/0x70
[ 70.749154][ T8443] ? __sanitizer_cov_trace_const_cmp4+0x1c/0x70
[ 70.755384][ T8443] ? netdev_name_node_lookup_rcu+0x108/0x150
[ 70.761361][ T8443] dev_ioctl+0x1b9/0xee0
[ 70.765599][ T8443] sock_do_ioctl+0x18b/0x210
[ 70.770201][ T8443] ? put_user_ifreq+0x140/0x140
[ 70.775045][ T8443] sock_ioctl+0x2f1/0x640
[ 70.779362][ T8443] ? br_ioctl_call+0xa0/0xa0
[ 70.783942][ T8443] ? lock_downgrade+0x6e0/0x6e0
[ 70.788780][ T8443] ? lock_downgrade+0x6e0/0x6e0
[ 70.793620][ T8443] ? __sanitizer_cov_trace_const_cmp4+0x1c/0x70
[ 70.799864][ T8443] ? br_ioctl_call+0xa0/0xa0
[ 70.804444][ T8443] __x64_sys_ioctl+0x193/0x200
[ 70.809203][ T8443] do_syscall_64+0x35/0xb0
[ 70.813613][ T8443] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 70.819509][ T8443] RIP: 0033:0x43ee49
[ 70.823398][ T8443] Code: 28 c3 e8 2a 14 00 00 66 2e 0f 1f 84 00 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
[ 70.842992][ T8443] RSP: 002b:00007ffc164ff518 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 70.851391][ T8443] RAX: ffffffffffffffda RBX: 0000000000400488 RCX: 000000000043ee49
[ 70.859435][ T8443] RDX: 0000000020000180 RSI: 00000000000089a3 RDI: 0000000000000003
[ 70.867566][ T8443] RBP: 0000000000402e30 R08: 0000000000000000 R09: 0000000000400488
[ 70.875535][ T8443] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000402ec0
[ 70.883504][ T8443] R13: 0000000000000000 R14: 00000000004ac018 R15: 0000000000400488
[ 70.892747][ T8443] Kernel Offset: disabled
[ 70.897053][ T8443] Rebooting in 86400 seconds..