[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
[ OK ] Started Update UTMP about System Runlevel Changes.
Starting Load/Save RF Kill Switch Status...
[ OK ] Started Load/Save RF Kill Switch Status.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.0.73' (ECDSA) to the list of known hosts.

syzkaller login: [ 36.031052] IPVS: ftp: loaded support on port[0] = 21
[ 36.100466] chnl_net:caif_netlink_parms(): no params data found
[ 36.164018] bridge0: port 1(bridge_slave_0) entered blocking state
[ 36.170804] bridge0: port 1(bridge_slave_0) entered disabled state
[ 36.178476] device bridge_slave_0 entered promiscuous mode
[ 36.186212] bridge0: port 2(bridge_slave_1) entered blocking state
[ 36.193123] bridge0: port 2(bridge_slave_1) entered disabled state
[ 36.200066] device bridge_slave_1 entered promiscuous mode
[ 36.216848] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 36.225809] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 36.244270] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 36.251937] team0: Port device team_slave_0 added
[ 36.257411] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 36.265694] team0: Port device team_slave_1 added
[ 36.281514] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 36.288783] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 36.314178] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[ 36.325597] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 36.331918] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 36.357229] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[ 36.371124] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[ 36.378762] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[ 36.397596] device hsr_slave_0 entered promiscuous mode
[ 36.403362] device hsr_slave_1 entered promiscuous mode
[ 36.409300] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready
[ 36.416545] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_1: link is not ready
[ 36.480077] bridge0: port 2(bridge_slave_1) entered blocking state
[ 36.486514] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 36.493426] bridge0: port 1(bridge_slave_0) entered blocking state
[ 36.499786] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 36.530872] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[ 36.538942] 8021q: adding VLAN 0 to HW filter on device bond0
[ 36.547480] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 36.557251] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 36.565740] bridge0: port 1(bridge_slave_0) entered disabled state
[ 36.573391] bridge0: port 2(bridge_slave_1) entered disabled state
[ 36.580293] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 36.590535] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready
[ 36.596896] 8021q: adding VLAN 0 to HW filter on device team0
[ 36.606053] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 36.613774] bridge0: port 1(bridge_slave_0) entered blocking state
[ 36.620116] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 36.641274] hsr0: Slave A (hsr_slave_0) is not up; please bring it up to get a fully working HSR network
[ 36.652546] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
[ 36.663723] IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready
[ 36.670898] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 36.678674] bridge0: port 2(bridge_slave_1) entered blocking state
[ 36.685083] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 36.692442] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 36.700087] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 36.708535] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 36.716421] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 36.724907] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 36.731899] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 36.744804] IPv6: ADDRCONF(NETDEV_UP): vxcan0: link is not ready
[ 36.752361] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 36.758995] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 36.769754] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 36.800954] IPv6: ADDRCONF(NETDEV_UP): veth0_virt_wifi: link is not ready
[ 36.810737] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 36.840853] IPv6: ADDRCONF(NETDEV_UP): veth0_vlan: link is not ready
[ 36.848284] IPv6: ADDRCONF(NETDEV_UP): vlan0: link is not ready
[ 36.855384] IPv6: ADDRCONF(NETDEV_UP): vlan1: link is not ready
[ 36.864337] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 36.872672] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 36.879531] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 36.889214] device veth0_vlan entered promiscuous mode
[ 36.897885] device veth1_vlan entered promiscuous mode
[ 36.904322] IPv6: ADDRCONF(NETDEV_UP): macvlan0: link is not ready
[ 36.910801] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan0: link becomes ready
[ 36.921578] IPv6: ADDRCONF(NETDEV_UP): macvlan1: link is not ready
[ 36.933139] IPv6: ADDRCONF(NETDEV_UP): veth0_macvtap: link is not ready
[ 36.943499] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan1: link becomes ready
[ 36.950902] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 36.961006] device veth0_macvtap entered promiscuous mode
[ 36.967157] IPv6: ADDRCONF(NETDEV_UP): macvtap0: link is not ready
[ 36.975562] device veth1_macvtap entered promiscuous mode
[ 36.985650] IPv6: ADDRCONF(NETDEV_UP): veth0_to_batadv: link is not ready
[ 36.994991] IPv6: ADDRCONF(NETDEV_UP): veth1_to_batadv: link is not ready
[ 37.005005] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 37.012359] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 37.020533] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready
[ 37.030564] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 37.037774] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
executing program
executing program
[ 37.210060] hrtimer: interrupt took 41328 ns
[ 37.232828] ==================================================================
[ 37.240317] BUG: KASAN: use-after-free in bcm_can_tx+0x726/0x800
[ 37.246447] Read of size 4 at addr ffff88809495cf04 by task kworker/u4:5/3570
[ 37.253704]
[ 37.255337] CPU: 0 PID: 3570 Comm: kworker/u4:5 Not tainted 4.19.211-syzkaller #0
[ 37.262934] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/22/2022
[ 37.272286] Workqueue: bat_events batadv_nc_worker
[ 37.277262] Call Trace:
[ 37.279825]
[ 37.281963] dump_stack+0x1fc/0x2ef
[ 37.285588] print_address_description.cold+0x54/0x219
[ 37.290860] kasan_report_error.cold+0x8a/0x1b9
[ 37.295525] ? bcm_can_tx+0x726/0x800
[ 37.299310] __asan_report_load4_noabort+0x88/0x90
[ 37.304224] ? bcm_can_tx+0x726/0x800
[ 37.308017] bcm_can_tx+0x726/0x800
[ 37.311645] ? mark_held_locks+0xa6/0xf0
[ 37.315695] ? canbcm_pernet_init+0x90/0x90
[ 37.320002] ? check_preemption_disabled+0x41/0x280
[ 37.325002] ? check_preemption_disabled+0x41/0x280
[ 37.330009] bcm_tx_timeout_tsklet+0x1f0/0x3a0
[ 37.334576] ? bcm_tx_start_timer+0x1b0/0x1b0
[ 37.339051] ? net_rx_action+0x8d7/0xfb0
[ 37.343098] ? mark_held_locks+0xa6/0xf0
[ 37.347140] ? tasklet_action_common.constprop.0+0xa2/0x360
[ 37.352836] tasklet_action_common.constprop.0+0x265/0x360
[ 37.358443] __do_softirq+0x265/0x980
[ 37.362242] ? batadv_nc_to_purge_nc_path_decoding+0x150/0x150
[ 37.368199] do_softirq_own_stack+0x2a/0x40
[ 37.372509]
[ 37.374755] do_softirq.part.0+0x160/0x1c0
[ 37.378985] ? batadv_nc_purge_paths+0x22d/0x310
[ 37.383731] __local_bh_enable_ip+0x20e/0x270
[ 37.388210] batadv_nc_purge_paths+0x22d/0x310
[ 37.392784] batadv_nc_worker+0x6fa/0xd50
[ 37.396919] process_one_work+0x864/0x1570
[ 37.401154] ? pwq_dec_nr_in_flight+0x2d0/0x2d0
[ 37.405821] worker_thread+0x64c/0x1130
[ 37.409781] ? __kthread_parkme+0x133/0x1e0
[ 37.414219] ? process_one_work+0x1570/0x1570
[ 37.418705] kthread+0x33f/0x460
[ 37.422159] ? kthread_park+0x180/0x180
[ 37.426132] ret_from_fork+0x24/0x30
[ 37.429831]
[ 37.431441] Allocated by task 8339:
[ 37.435058] kmem_cache_alloc_trace+0x12f/0x380
[ 37.439818] bcm_sendmsg+0x25d7/0x4150
[ 37.443704] sock_sendmsg+0xc3/0x120
[ 37.447397] ___sys_sendmsg+0x7bb/0x8e0
[ 37.451350] __x64_sys_sendmsg+0x132/0x220
[ 37.455579] do_syscall_64+0xf9/0x620
[ 37.459508] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 37.464680]
[ 37.466287] Freed by task 8339:
[ 37.469550] kfree+0xcc/0x210
[ 37.472640] bcm_release+0x260/0x950
[ 37.476335] __sock_release+0xcd/0x2a0
[ 37.480220] sock_close+0x15/0x20
[ 37.483659] __fput+0x2ce/0x890
[ 37.486919] task_work_run+0x148/0x1c0
[ 37.490794] exit_to_usermode_loop+0x251/0x2a0
[ 37.495363] do_syscall_64+0x538/0x620
[ 37.499240] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 37.504409]
[ 37.506023] The buggy address belongs to the object at ffff88809495cdc0
[ 37.506023]  which belongs to the cache kmalloc-1024 of size 1024
[ 37.518838] The buggy address is located 324 bytes inside of
[ 37.518838]  1024-byte region [ffff88809495cdc0, ffff88809495d1c0)
[ 37.530786] The buggy address belongs to the page:
[ 37.535701] page:ffffea0002525700 count:1 mapcount:0 mapping:ffff88813bff0ac0 index:0x0 compound_mapcount: 0
[ 37.545670] flags: 0xfff00000008100(slab|head)
[ 37.550235] raw: 00fff00000008100 ffffea00024fec08 ffff88813bff1848 ffff88813bff0ac0
[ 37.558098] raw: 0000000000000000 ffff88809495c040 0000000100000007 0000000000000000
[ 37.566061] page dumped because: kasan: bad access detected
[ 37.571764]
[ 37.573373] Memory state around the buggy address:
[ 37.578292]  ffff88809495ce00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 37.585632]  ffff88809495ce80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 37.592978] >ffff88809495cf00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 37.600334]                    ^
[ 37.603681]  ffff88809495cf80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 37.611022]  ffff88809495d000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 37.618357] ==================================================================
[ 37.625705] Disabling lock debugging due to kernel taint
[ 37.631190] Kernel panic - not syncing: panic_on_warn set ...
[ 37.631190]
[ 37.638555] CPU: 0 PID: 3570 Comm: kworker/u4:5 Tainted: G B 4.19.211-syzkaller #0
[ 37.647557] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/22/2022
[ 37.656917] Workqueue: bat_events batadv_nc_worker
[ 37.661842] Call Trace:
[ 37.664403]
[ 37.666543] dump_stack+0x1fc/0x2ef
[ 37.670150] panic+0x26a/0x50e
[ 37.673320] ? __warn_printk+0xf3/0xf3
[ 37.677189] ? trace_hardirqs_on+0x55/0x210
[ 37.681491] kasan_end_report+0x43/0x49
[ 37.685446] kasan_report_error.cold+0xa7/0x1b9
[ 37.690098] ? bcm_can_tx+0x726/0x800
[ 37.693879] __asan_report_load4_noabort+0x88/0x90
[ 37.698788] ? bcm_can_tx+0x726/0x800
[ 37.702572] bcm_can_tx+0x726/0x800
[ 37.706181] ? mark_held_locks+0xa6/0xf0
[ 37.710221] ? canbcm_pernet_init+0x90/0x90
[ 37.714524] ? check_preemption_disabled+0x41/0x280
[ 37.719520] ? check_preemption_disabled+0x41/0x280
[ 37.724515] bcm_tx_timeout_tsklet+0x1f0/0x3a0
[ 37.729075] ? bcm_tx_start_timer+0x1b0/0x1b0
[ 37.733548] ? net_rx_action+0x8d7/0xfb0
[ 37.737591] ? mark_held_locks+0xa6/0xf0
[ 37.741641] ? tasklet_action_common.constprop.0+0xa2/0x360
[ 37.747333] tasklet_action_common.constprop.0+0x265/0x360
[ 37.752959] __do_softirq+0x265/0x980
[ 37.756742] ? batadv_nc_to_purge_nc_path_decoding+0x150/0x150
[ 37.762769] do_softirq_own_stack+0x2a/0x40
[ 37.767064]
[ 37.769282] do_softirq.part.0+0x160/0x1c0
[ 37.773496] ? batadv_nc_purge_paths+0x22d/0x310
[ 37.778228] __local_bh_enable_ip+0x20e/0x270
[ 37.782781] batadv_nc_purge_paths+0x22d/0x310
[ 37.787356] batadv_nc_worker+0x6fa/0xd50
[ 37.791489] process_one_work+0x864/0x1570
[ 37.795725] ? pwq_dec_nr_in_flight+0x2d0/0x2d0
[ 37.800377] worker_thread+0x64c/0x1130
[ 37.804334] ? __kthread_parkme+0x133/0x1e0
[ 37.808654] ? process_one_work+0x1570/0x1570
[ 37.813129] kthread+0x33f/0x460
[ 37.816474] ? kthread_park+0x180/0x180
[ 37.820532] ret_from_fork+0x24/0x30
[ 37.824523] Kernel Offset: disabled
[ 37.828130] Rebooting in 86400 seconds..