[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c. Starting mcstransd: [ 9.781689] random: sshd: uninitialized urandom read (32 bytes read) [....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting file context maintaining daemon: restorecond[?25l[?1c7[ ok 8[?25h[?0c. Debian GNU/Linux 7 syzkaller ttyS0 syzkaller login: [ 16.444720] random: crng init done Warning: Permanently added '10.128.0.54' (ECDSA) to the list of known hosts. RTNETLINK answers: Operation not supported RTNETLINK answers: Operation not supported RTNETLINK answers: Operation not supported RTNETLINK answers: Operation not supported RTNETLINK answers: Operation not supported RTNETLINK answers: Operation not supported RTNETLINK answers: Operation not supported RTNETLINK answers: Operation not supported Error: argument "bridge0" is wrong: Device does not exist Error: argument "bridge0" is wrong: Device does not exist Cannot find device "veth0_to_bridge" Cannot find device "veth1_to_bridge" RTNETLINK answers: Operation not supported RTNETLINK answers: Operation not supported Error: argument "bond0" is wrong: Device does not exist Error: argument "bond0" is wrong: Device does not exist Cannot find device "veth0_to_bond" Cannot find device "veth1_to_bond" RTNETLINK answers: Operation not supported RTNETLINK answers: Operation not supported Error: argument "team0" is wrong: Device does not exist Error: argument "team0" is wrong: Device does not exist Cannot find device "veth0_to_team" Cannot find device "veth1_to_team" Cannot find device "bridge_slave_0" Cannot find device "bridge_slave_1" RTNETLINK answers: Operation not supported Cannot find device "bridge0" Cannot find device "bridge0" Cannot find device "bridge0" Cannot find device "bridge0" Cannot find device "vcan0" Cannot find device "vcan0" Cannot find device "vcan0" Cannot find device "vcan0" Cannot find device "tunl0" Cannot find device "tunl0" Cannot find device "tunl0" Cannot find device "tunl0" Cannot find device "gre0" Cannot find device "gre0" Cannot find device "gre0" Cannot find device "gre0" Cannot find device "gretap0" Cannot find device "gretap0" Cannot find device "gretap0" Cannot find device "gretap0" RTNETLINK answers: Operation not supported RTNETLINK answers: Invalid argument RTNETLINK answers: Invalid argument Cannot find device "ip6gre0" Cannot find device "ip6gre0" Cannot find device "ip6gre0" Cannot find device "ip6gre0" Cannot find device "ip6gretap0" Cannot find device "ip6gretap0" Cannot find device "ip6gretap0" Cannot find device "ip6gretap0" Cannot find device "erspan0" Cannot find device "erspan0" Cannot find device "erspan0" Cannot find device "erspan0" Cannot find device "bond0" Cannot find device "bond0" Cannot find device "bond0" Cannot find device "bond0" Cannot find device "veth0" Cannot find device "veth0" Cannot find device "veth0" Cannot find device "veth0" Cannot find device "veth1" Cannot find device "veth1" Cannot find device "veth1" Cannot find device "veth1" Cannot find device "team0" Cannot find device "team0" Cannot find device "team0" Cannot find device "team0" Cannot find device "veth0_to_bridge" Cannot find device "veth0_to_bridge" Cannot find device "veth0_to_bridge" Cannot find device "veth0_to_bridge" Cannot find device "veth1_to_bridge" Cannot find device "veth1_to_bridge" Cannot find device "veth1_to_bridge" Cannot find device "veth1_to_bridge" Cannot find device "veth0_to_bond" Cannot find device "veth0_to_bond" Cannot find device "veth0_to_bond" Cannot find device "veth0_to_bond" Cannot find device "veth1_to_bond" Cannot find device "veth1_to_bond" Cannot find device "veth1_to_bond" Cannot find device "veth1_to_bond" Cannot find device "veth0_to_team" Cannot find device "veth0_to_team" Cannot find device "veth0_to_team" Cannot find device "veth0_to_team" Cannot find device "veth1_to_team" Cannot find device "veth1_to_team" Cannot find device "veth1_to_team" Cannot find device "veth1_to_team" executing program executing program executing program executing program [ 44.712374] ================================================================== [ 44.719829] BUG: KASAN: use-after-free in ip6_tnl_start_xmit+0x14db/0x1680 [ 44.726827] Read of size 2 at addr ffff8801c9a51298 by task syz-executor017/2489 [ 44.734403] [ 44.736022] CPU: 1 PID: 2489 Comm: syz-executor017 Not tainted 4.9.128+ #45 [ 44.743107] ffff8801c9ab7048 ffffffff81af2469 ffffea0007269400 ffff8801c9a51298 [ 44.751111] 0000000000000000 ffff8801c9a51298 ffff8801c9a51298 ffff8801c9ab7080 [ 44.759113] ffffffff814e13cb ffff8801c9a51298 0000000000000002 0000000000000000 [ 44.767131] Call Trace: [ 44.769743] [] dump_stack+0xc1/0x128 [ 44.775097] [] print_address_description+0x6c/0x234 [ 44.781745] [] kasan_report.cold.6+0x242/0x2fe [ 44.787954] [] ? ip6_tnl_start_xmit+0x14db/0x1680 [ 44.794535] [] __asan_report_load2_noabort+0x14/0x20 [ 44.801267] [] ip6_tnl_start_xmit+0x14db/0x1680 [ 44.807565] [] ? ip6_tnl_create2+0x2d0/0x2d0 [ 44.813745] [] ? check_preemption_disabled+0x3b/0x170 [ 44.820566] [] dev_hard_start_xmit+0x197/0x8b0 [ 44.826778] [] __dev_queue_xmit+0x117f/0x1b90 [ 44.832903] [] ? __dev_queue_xmit+0x1d4/0x1b90 [ 44.839110] [] ? netdev_pick_tx+0x2c0/0x2c0 [ 44.845057] [] ? mark_held_locks+0xc7/0x130 [ 44.851006] [] ? check_preemption_disabled+0x3b/0x170 [ 44.857825] [] ? do_softirq.part.1+0x32/0x70 [ 44.863861] [] ? check_preemption_disabled+0x3b/0x170 [ 44.870679] [] dev_queue_xmit+0x17/0x20 [ 44.876284] [] neigh_direct_output+0x15/0x20 [ 44.882320] [] ip6_finish_output2+0xb0e/0x1d10 [ 44.888532] [] ? ip6_finish_output2+0x177/0x1d10 [ 44.894917] [] ? ip6_forward_finish+0x4a0/0x4a0 [ 44.901217] [] ? check_preemption_disabled+0x3b/0x170 [ 44.908069] [] ? netif_rx_ni+0x310/0x310 [ 44.913764] [] ip6_finish_output+0x334/0x980 [ 44.919803] [] ip6_output+0x1ea/0x6d0 [ 44.925233] [] ? ip6_output+0x2e7/0x6d0 [ 44.930842] [] ? ip6_finish_output+0x980/0x980 [ 44.937059] [] ? ip6_output+0x63a/0x6d0 [ 44.942667] [] ? ip6_fragment+0x3160/0x3160 [ 44.948626] [] ip6_local_out+0x9b/0x180 [ 44.954242] [] ip6_send_skb+0xa1/0x340 [ 44.959781] [] ? csum_ipv6_magic+0x2e/0x90 [ 44.965652] [] udp_v6_send_skb+0x843/0xe70 [ 44.971521] [] udp_v6_push_pending_frames+0x22d/0x340 [ 44.978344] [] ? udp_v6_send_skb+0xe70/0xe70 [ 44.984401] [] ? ip_reply_glue_bits+0xb0/0xb0 [ 44.990545] [] udpv6_sendmsg+0x1dc1/0x2430 [ 44.996413] [] ? ip_reply_glue_bits+0xb0/0xb0 [ 45.002550] [] ? udp_v6_flush_pending_frames+0xe0/0xe0 [ 45.009461] [] ? trace_hardirqs_on+0x10/0x10 [ 45.015505] [] ? sock_has_perm+0x1c1/0x3e0 [ 45.021427] [] ? sock_has_perm+0x293/0x3e0 [ 45.027359] [] ? sock_has_perm+0x9f/0x3e0 [ 45.033156] [] ? selinux_msg_queue_alloc_security+0x2e0/0x2e0 [ 45.040672] [] ? debug_lockdep_rcu_enabled+0x77/0x90 [ 45.047411] [] ? debug_lockdep_rcu_enabled+0x77/0x90 [ 45.054152] [] ? check_preemption_disabled+0x3b/0x170 [ 45.060977] [] ? check_preemption_disabled+0x3b/0x170 [ 45.067803] [] ? inet_sendmsg+0x143/0x4d0 [ 45.073706] [] inet_sendmsg+0x203/0x4d0 [ 45.079311] [] ? inet_sendmsg+0x73/0x4d0 [ 45.085004] [] ? inet_recvmsg+0x4c0/0x4c0 [ 45.090788] [] sock_sendmsg+0xbb/0x110 [ 45.096312] [] sock_write_iter+0x223/0x3b0 [ 45.102194] [] ? sock_sendmsg+0x110/0x110 [ 45.107987] [] ? iov_iter_init+0xaf/0x1d0 [ 45.113768] [] __vfs_write+0x3d7/0x580 [ 45.119340] [] ? __vfs_read+0x560/0x560 [ 45.124954] [] ? selinux_file_permission+0x82/0x470 [ 45.131605] [] ? rw_verify_area+0xe5/0x2a0 [ 45.137473] [] vfs_write+0x187/0x520 [ 45.142821] [] SyS_write+0xd9/0x1c0 [ 45.148085] [] ? SyS_read+0x1c0/0x1c0 [ 45.153524] [] ? do_fast_syscall_32+0xcf/0x860 [ 45.159743] [] ? SyS_read+0x1c0/0x1c0 [ 45.165173] [] do_fast_syscall_32+0x2f1/0x860 [ 45.171304] [] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 45.177967] [] entry_SYSENTER_compat+0x90/0xa2 [ 45.184175] [ 45.185781] Allocated by task 2489: [ 45.189397] save_stack_trace+0x16/0x20 [ 45.193361] kasan_kmalloc.part.1+0x62/0xf0 [ 45.197681] kasan_kmalloc+0xaf/0xc0 [ 45.201375] kasan_slab_alloc+0x12/0x20 [ 45.205337] __kmalloc_track_caller+0xf0/0x2d0 [ 45.210407] __kmalloc_reserve.isra.5+0x33/0xc0 [ 45.215057] __alloc_skb+0x11a/0x5b0 [ 45.218750] alloc_skb_with_frags+0xaf/0x4e0 [ 45.223142] sock_alloc_send_pskb+0x59e/0x740 [ 45.227617] sock_alloc_send_skb+0x32/0x40 [ 45.231888] __ip6_append_data.isra.3+0x1fd2/0x3460 [ 45.236904] ip6_append_data+0x1c1/0x2f0 [ 45.240945] udpv6_sendmsg+0x88b/0x2430 [ 45.244898] inet_sendmsg+0x203/0x4d0 [ 45.248678] sock_sendmsg+0xbb/0x110 [ 45.252371] SyS_sendto+0x220/0x370 [ 45.255984] do_fast_syscall_32+0x2f1/0x860 [ 45.260460] entry_SYSENTER_compat+0x90/0xa2 [ 45.264849] [ 45.266457] Freed by task 2489: [ 45.269722] save_stack_trace+0x16/0x20 [ 45.273679] kasan_slab_free+0xac/0x190 [ 45.277632] kfree+0xfb/0x310 [ 45.280726] skb_free_head+0x8b/0xb0 [ 45.284437] pskb_expand_head+0x457/0x8a0 [ 45.288567] iptunnel_handle_offloads+0x3f0/0x520 [ 45.293396] ip6_tnl_start_xmit+0x4ca/0x1680 [ 45.297851] dev_hard_start_xmit+0x197/0x8b0 [ 45.302245] __dev_queue_xmit+0x117f/0x1b90 [ 45.306544] dev_queue_xmit+0x17/0x20 [ 45.310351] neigh_direct_output+0x15/0x20 [ 45.314567] ip6_finish_output2+0xb0e/0x1d10 [ 45.318963] ip6_finish_output+0x334/0x980 [ 45.323180] ip6_output+0x1ea/0x6d0 [ 45.326782] ip6_local_out+0x9b/0x180 [ 45.330560] ip6_send_skb+0xa1/0x340 [ 45.334251] udp_v6_send_skb+0x843/0xe70 [ 45.338289] udp_v6_push_pending_frames+0x22d/0x340 [ 45.343308] udpv6_sendmsg+0x1dc1/0x2430 [ 45.347363] inet_sendmsg+0x203/0x4d0 [ 45.351259] sock_sendmsg+0xbb/0x110 [ 45.354953] sock_write_iter+0x223/0x3b0 [ 45.358991] __vfs_write+0x3d7/0x580 [ 45.362681] vfs_write+0x187/0x520 [ 45.366204] SyS_write+0xd9/0x1c0 [ 45.369638] do_fast_syscall_32+0x2f1/0x860 [ 45.373946] entry_SYSENTER_compat+0x90/0xa2 [ 45.378326] [ 45.379932] The buggy address belongs to the object at ffff8801c9a51200 [ 45.379932] which belongs to the cache kmalloc-1024 of size 1024 [ 45.392746] The buggy address is located 152 bytes inside of [ 45.392746] 1024-byte region [ffff8801c9a51200, ffff8801c9a51600) [ 45.404700] The buggy address belongs to the page: [ 45.409611] page:ffffea0007269400 count:1 mapcount:0 mapping: (null) index:0x0 compound_mapcount: 0 [ 45.419800] flags: 0x4000000000004080(slab|head) [ 45.424527] page dumped because: kasan: bad access detected [ 45.430214] [ 45.431824] Memory state around the buggy address: [ 45.436734] ffff8801c9a51180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 45.444072] ffff8801c9a51200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 45.451457] >ffff8801c9a51280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 45.458798] ^ [ 45.462925] ffff8801c9a51300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 45.470264] ffff8801c9a51380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 45.477596] ================================================================== [ 45.484929] Disabling lock debugging due to kernel taint [ 45.490421] Kernel panic - not syncing: panic_on_warn set ... [ 45.490421] [ 45.497784] CPU: 1 PID: 2489 Comm: syz-executor017 Tainted: G B 4.9.128+ #45 [ 45.506081] ffff8801c9ab6fa8 ffffffff81af2469 ffffffff82c34968 00000000ffffffff [ 45.514079] 0000000000000000 0000000000000001 ffff8801c9a51298 ffff8801c9ab7068 [ 45.522073] ffffffff813df985 0000000041b58ab3 ffffffff82c2896b ffffffff813df7c6 [ 45.530172] Call Trace: [ 45.532744] [] dump_stack+0xc1/0x128 [ 45.538097] [] panic+0x1bf/0x39f [ 45.543104] [] ? add_taint.cold.6+0x16/0x16 [ 45.549063] [] kasan_end_report+0x47/0x4f [ 45.554841] [] kasan_report.cold.6+0x76/0x2fe [ 45.560970] [] ? ip6_tnl_start_xmit+0x14db/0x1680 [ 45.567453] [] __asan_report_load2_noabort+0x14/0x20 [ 45.574265] [] ip6_tnl_start_xmit+0x14db/0x1680 [ 45.580578] [] ? ip6_tnl_create2+0x2d0/0x2d0 [ 45.586623] [] ? check_preemption_disabled+0x3b/0x170 [ 45.593445] [] dev_hard_start_xmit+0x197/0x8b0 [ 45.599654] [] __dev_queue_xmit+0x117f/0x1b90 [ 45.605782] [] ? __dev_queue_xmit+0x1d4/0x1b90 [ 45.611995] [] ? netdev_pick_tx+0x2c0/0x2c0 [ 45.617945] [] ? mark_held_locks+0xc7/0x130 [ 45.624355] [] ? check_preemption_disabled+0x3b/0x170 [ 45.631193] [] ? do_softirq.part.1+0x32/0x70 [ 45.637232] [] ? check_preemption_disabled+0x3b/0x170 [ 45.644051] [] dev_queue_xmit+0x17/0x20 [ 45.649653] [] neigh_direct_output+0x15/0x20 [ 45.655688] [] ip6_finish_output2+0xb0e/0x1d10 [ 45.661903] [] ? ip6_finish_output2+0x177/0x1d10 [ 45.668289] [] ? ip6_forward_finish+0x4a0/0x4a0 [ 45.674587] [] ? check_preemption_disabled+0x3b/0x170 [ 45.681407] [] ? netif_rx_ni+0x310/0x310 [ 45.687098] [] ip6_finish_output+0x334/0x980 [ 45.693135] [] ip6_output+0x1ea/0x6d0 [ 45.698563] [] ? ip6_output+0x2e7/0x6d0 [ 45.704162] [] ? ip6_finish_output+0x980/0x980 [ 45.710367] [] ? ip6_output+0x63a/0x6d0 [ 45.715976] [] ? ip6_fragment+0x3160/0x3160 [ 45.721927] [] ip6_local_out+0x9b/0x180 [ 45.727529] [] ip6_send_skb+0xa1/0x340 [ 45.733053] [] ? csum_ipv6_magic+0x2e/0x90 [ 45.738915] [] udp_v6_send_skb+0x843/0xe70 [ 45.744780] [] udp_v6_push_pending_frames+0x22d/0x340 [ 45.751595] [] ? udp_v6_send_skb+0xe70/0xe70 [ 45.757631] [] ? ip_reply_glue_bits+0xb0/0xb0 [ 45.763755] [] udpv6_sendmsg+0x1dc1/0x2430 [ 45.769622] [] ? ip_reply_glue_bits+0xb0/0xb0 [ 45.775748] [] ? udp_v6_flush_pending_frames+0xe0/0xe0 [ 45.782655] [] ? trace_hardirqs_on+0x10/0x10 [ 45.788702] [] ? sock_has_perm+0x1c1/0x3e0 [ 45.794579] [] ? sock_has_perm+0x293/0x3e0 [ 45.800444] [] ? sock_has_perm+0x9f/0x3e0 [ 45.806224] [] ? selinux_msg_queue_alloc_security+0x2e0/0x2e0 [ 45.813735] [] ? debug_lockdep_rcu_enabled+0x77/0x90 [ 45.820466] [] ? debug_lockdep_rcu_enabled+0x77/0x90 [ 45.827200] [] ? check_preemption_disabled+0x3b/0x170 [ 45.834027] [] ? check_preemption_disabled+0x3b/0x170 [ 45.840898] [] ? inet_sendmsg+0x143/0x4d0 [ 45.846681] [] inet_sendmsg+0x203/0x4d0 [ 45.852281] [] ? inet_sendmsg+0x73/0x4d0 [ 45.857982] [] ? inet_recvmsg+0x4c0/0x4c0 [ 45.863762] [] sock_sendmsg+0xbb/0x110 [ 45.869280] [] sock_write_iter+0x223/0x3b0 [ 45.875152] [] ? sock_sendmsg+0x110/0x110 [ 45.880930] [] ? iov_iter_init+0xaf/0x1d0 [ 45.886713] [] __vfs_write+0x3d7/0x580 [ 45.892229] [] ? __vfs_read+0x560/0x560 [ 45.897832] [] ? selinux_file_permission+0x82/0x470 [ 45.904482] [] ? rw_verify_area+0xe5/0x2a0 [ 45.910343] [] vfs_write+0x187/0x520 [ 45.915686] [] SyS_write+0xd9/0x1c0 [ 45.920940] [] ? SyS_read+0x1c0/0x1c0 [ 45.926369] [] ? do_fast_syscall_32+0xcf/0x860 [ 45.932742] [] ? SyS_read+0x1c0/0x1c0 [ 45.938172] [] do_fast_syscall_32+0x2f1/0x860 [ 45.944295] [] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 45.950936] [] entry_SYSENTER_compat+0x90/0xa2 [ 45.957518] Kernel Offset: disabled [ 45.961130] Rebooting in 86400 seconds..