[  OK  ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
[  OK  ] Started Update UTMP about System Runlevel Changes.
Starting Load/Save RF Kill Switch Status...
[  OK  ] Started Load/Save RF Kill Switch Status.
Debian GNU/Linux 9 syzkaller ttyS0
Warning: Permanently added '10.128.0.73' (ECDSA) to the list of known hosts.
syzkaller login: [ 36.031052] IPVS: ftp: loaded support on port[0] = 21
[ 36.100466] chnl_net:caif_netlink_parms(): no params data found
[ 36.164018] bridge0: port 1(bridge_slave_0) entered blocking state
[ 36.170804] bridge0: port 1(bridge_slave_0) entered disabled state
[ 36.178476] device bridge_slave_0 entered promiscuous mode
[ 36.186212] bridge0: port 2(bridge_slave_1) entered blocking state
[ 36.193123] bridge0: port 2(bridge_slave_1) entered disabled state
[ 36.200066] device bridge_slave_1 entered promiscuous mode
[ 36.216848] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 36.225809] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 36.244270] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 36.251937] team0: Port device team_slave_0 added
[ 36.257411] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 36.265694] team0: Port device team_slave_1 added
[ 36.281514] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 36.288783] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 36.314178] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[ 36.325597] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 36.331918] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 36.357229] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[ 36.371124] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[ 36.378762] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[ 36.397596] device hsr_slave_0 entered promiscuous mode
[ 36.403362] device hsr_slave_1 entered promiscuous mode
[ 36.409300] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready
[ 36.416545] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_1: link is not ready
[ 36.480077] bridge0: port 2(bridge_slave_1) entered blocking state
[ 36.486514] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 36.493426] bridge0: port 1(bridge_slave_0) entered blocking state
[ 36.499786] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 36.530872] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[ 36.538942] 8021q: adding VLAN 0 to HW filter on device bond0
[ 36.547480] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 36.557251] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 36.565740] bridge0: port 1(bridge_slave_0) entered disabled state
[ 36.573391] bridge0: port 2(bridge_slave_1) entered disabled state
[ 36.580293] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 36.590535] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready
[ 36.596896] 8021q: adding VLAN 0 to HW filter on device team0
[ 36.606053] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 36.613774] bridge0: port 1(bridge_slave_0) entered blocking state
[ 36.620116] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 36.641274] hsr0: Slave A (hsr_slave_0) is not up; please bring it up to get a fully working HSR network
[ 36.652546] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
[ 36.663723] IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready
[ 36.670898] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 36.678674] bridge0: port 2(bridge_slave_1) entered blocking state
[ 36.685083] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 36.692442] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 36.700087] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 36.708535] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 36.716421] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 36.724907] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 36.731899] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 36.744804] IPv6: ADDRCONF(NETDEV_UP): vxcan0: link is not ready
[ 36.752361] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 36.758995] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 36.769754] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 36.800954] IPv6: ADDRCONF(NETDEV_UP): veth0_virt_wifi: link is not ready
[ 36.810737] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 36.840853] IPv6: ADDRCONF(NETDEV_UP): veth0_vlan: link is not ready
[ 36.848284] IPv6: ADDRCONF(NETDEV_UP): vlan0: link is not ready
[ 36.855384] IPv6: ADDRCONF(NETDEV_UP): vlan1: link is not ready
[ 36.864337] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 36.872672] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 36.879531] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 36.889214] device veth0_vlan entered promiscuous mode
[ 36.897885] device veth1_vlan entered promiscuous mode
[ 36.904322] IPv6: ADDRCONF(NETDEV_UP): macvlan0: link is not ready
[ 36.910801] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan0: link becomes ready
[ 36.921578] IPv6: ADDRCONF(NETDEV_UP): macvlan1: link is not ready
[ 36.933139] IPv6: ADDRCONF(NETDEV_UP): veth0_macvtap: link is not ready
[ 36.943499] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan1: link becomes ready
[ 36.950902] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 36.961006] device veth0_macvtap entered promiscuous mode
[ 36.967157] IPv6: ADDRCONF(NETDEV_UP): macvtap0: link is not ready
[ 36.975562] device veth1_macvtap entered promiscuous mode
[ 36.985650] IPv6: ADDRCONF(NETDEV_UP): veth0_to_batadv: link is not ready
[ 36.994991] IPv6: ADDRCONF(NETDEV_UP): veth1_to_batadv: link is not ready
[ 37.005005] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 37.012359] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 37.020533] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready
[ 37.030564] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 37.037774] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
executing program
executing program
[ 37.210060] hrtimer: interrupt took 41328 ns
[ 37.232828] ==================================================================
[ 37.240317] BUG: KASAN: use-after-free in bcm_can_tx+0x726/0x800
[ 37.246447] Read of size 4 at addr ffff88809495cf04 by task kworker/u4:5/3570
[ 37.253704]
[ 37.255337] CPU: 0 PID: 3570 Comm: kworker/u4:5 Not tainted 4.19.211-syzkaller #0
[ 37.262934] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/22/2022
[ 37.272286] Workqueue: bat_events batadv_nc_worker
[ 37.277262] Call Trace:
[ 37.279825] <IRQ>
[ 37.281963] dump_stack+0x1fc/0x2ef
[ 37.285588] print_address_description.cold+0x54/0x219
[ 37.290860] kasan_report_error.cold+0x8a/0x1b9
[ 37.295525] ? bcm_can_tx+0x726/0x800
[ 37.299310] __asan_report_load4_noabort+0x88/0x90
[ 37.304224] ? bcm_can_tx+0x726/0x800
[ 37.308017] bcm_can_tx+0x726/0x800
[ 37.311645] ? mark_held_locks+0xa6/0xf0
[ 37.315695] ? canbcm_pernet_init+0x90/0x90
[ 37.320002] ? check_preemption_disabled+0x41/0x280
[ 37.325002] ? check_preemption_disabled+0x41/0x280
[ 37.330009] bcm_tx_timeout_tsklet+0x1f0/0x3a0
[ 37.334576] ? bcm_tx_start_timer+0x1b0/0x1b0
[ 37.339051] ? net_rx_action+0x8d7/0xfb0
[ 37.343098] ? mark_held_locks+0xa6/0xf0
[ 37.347140] ? tasklet_action_common.constprop.0+0xa2/0x360
[ 37.352836] tasklet_action_common.constprop.0+0x265/0x360
[ 37.358443] __do_softirq+0x265/0x980
[ 37.362242] ? batadv_nc_to_purge_nc_path_decoding+0x150/0x150
[ 37.368199] do_softirq_own_stack+0x2a/0x40
[ 37.372509] </IRQ>
[ 37.374755] do_softirq.part.0+0x160/0x1c0
[ 37.378985] ? batadv_nc_purge_paths+0x22d/0x310
[ 37.383731] __local_bh_enable_ip+0x20e/0x270
[ 37.388210] batadv_nc_purge_paths+0x22d/0x310
[ 37.392784] batadv_nc_worker+0x6fa/0xd50
[ 37.396919] process_one_work+0x864/0x1570
[ 37.401154] ? pwq_dec_nr_in_flight+0x2d0/0x2d0
[ 37.405821] worker_thread+0x64c/0x1130
[ 37.409781] ? __kthread_parkme+0x133/0x1e0
[ 37.414219] ? process_one_work+0x1570/0x1570
[ 37.418705] kthread+0x33f/0x460
[ 37.422159] ? kthread_park+0x180/0x180
[ 37.426132] ret_from_fork+0x24/0x30
[ 37.429831]
[ 37.431441] Allocated by task 8339:
[ 37.435058] kmem_cache_alloc_trace+0x12f/0x380
[ 37.439818] bcm_sendmsg+0x25d7/0x4150
[ 37.443704] sock_sendmsg+0xc3/0x120
[ 37.447397] ___sys_sendmsg+0x7bb/0x8e0
[ 37.451350] __x64_sys_sendmsg+0x132/0x220
[ 37.455579] do_syscall_64+0xf9/0x620
[ 37.459508] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 37.464680]
[ 37.466287] Freed by task 8339:
[ 37.469550] kfree+0xcc/0x210
[ 37.472640] bcm_release+0x260/0x950
[ 37.476335] __sock_release+0xcd/0x2a0
[ 37.480220] sock_close+0x15/0x20
[ 37.483659] __fput+0x2ce/0x890
[ 37.486919] task_work_run+0x148/0x1c0
[ 37.490794] exit_to_usermode_loop+0x251/0x2a0
[ 37.495363] do_syscall_64+0x538/0x620
[ 37.499240] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 37.504409]
[ 37.506023] The buggy address belongs to the object at ffff88809495cdc0
[ 37.506023] which belongs to the cache kmalloc-1024 of size 1024
[ 37.518838] The buggy address is located 324 bytes inside of
[ 37.518838] 1024-byte region [ffff88809495cdc0, ffff88809495d1c0)
[ 37.530786] The buggy address belongs to the page:
[ 37.535701] page:ffffea0002525700 count:1 mapcount:0 mapping:ffff88813bff0ac0 index:0x0 compound_mapcount: 0
[ 37.545670] flags: 0xfff00000008100(slab|head)
[ 37.550235] raw: 00fff00000008100 ffffea00024fec08 ffff88813bff1848 ffff88813bff0ac0
[ 37.558098] raw: 0000000000000000 ffff88809495c040 0000000100000007 0000000000000000
[ 37.566061] page dumped because: kasan: bad access detected
[ 37.571764]
[ 37.573373] Memory state around the buggy address:
[ 37.578292] ffff88809495ce00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 37.585632] ffff88809495ce80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 37.592978] >ffff88809495cf00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 37.600334] ^
[ 37.603681] ffff88809495cf80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 37.611022] ffff88809495d000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 37.618357] ==================================================================
[ 37.625705] Disabling lock debugging due to kernel taint
[ 37.631190] Kernel panic - not syncing: panic_on_warn set ...
[ 37.631190]
[ 37.638555] CPU: 0 PID: 3570 Comm: kworker/u4:5 Tainted: G B 4.19.211-syzkaller #0
[ 37.647557] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/22/2022
[ 37.656917] Workqueue: bat_events batadv_nc_worker
[ 37.661842] Call Trace:
[ 37.664403] <IRQ>
[ 37.666543] dump_stack+0x1fc/0x2ef
[ 37.670150] panic+0x26a/0x50e
[ 37.673320] ? __warn_printk+0xf3/0xf3
[ 37.677189] ? trace_hardirqs_on+0x55/0x210
[ 37.681491] kasan_end_report+0x43/0x49
[ 37.685446] kasan_report_error.cold+0xa7/0x1b9
[ 37.690098] ? bcm_can_tx+0x726/0x800
[ 37.693879] __asan_report_load4_noabort+0x88/0x90
[ 37.698788] ? bcm_can_tx+0x726/0x800
[ 37.702572] bcm_can_tx+0x726/0x800
[ 37.706181] ? mark_held_locks+0xa6/0xf0
[ 37.710221] ? canbcm_pernet_init+0x90/0x90
[ 37.714524] ? check_preemption_disabled+0x41/0x280
[ 37.719520] ? check_preemption_disabled+0x41/0x280
[ 37.724515] bcm_tx_timeout_tsklet+0x1f0/0x3a0
[ 37.729075] ? bcm_tx_start_timer+0x1b0/0x1b0
[ 37.733548] ? net_rx_action+0x8d7/0xfb0
[ 37.737591] ? mark_held_locks+0xa6/0xf0
[ 37.741641] ? tasklet_action_common.constprop.0+0xa2/0x360
[ 37.747333] tasklet_action_common.constprop.0+0x265/0x360
[ 37.752959] __do_softirq+0x265/0x980
[ 37.756742] ? batadv_nc_to_purge_nc_path_decoding+0x150/0x150
[ 37.762769] do_softirq_own_stack+0x2a/0x40
[ 37.767064] </IRQ>
[ 37.769282] do_softirq.part.0+0x160/0x1c0
[ 37.773496] ? batadv_nc_purge_paths+0x22d/0x310
[ 37.778228] __local_bh_enable_ip+0x20e/0x270
[ 37.782781] batadv_nc_purge_paths+0x22d/0x310
[ 37.787356] batadv_nc_worker+0x6fa/0xd50
[ 37.791489] process_one_work+0x864/0x1570
[ 37.795725] ? pwq_dec_nr_in_flight+0x2d0/0x2d0
[ 37.800377] worker_thread+0x64c/0x1130
[ 37.804334] ? __kthread_parkme+0x133/0x1e0
[ 37.808654] ? process_one_work+0x1570/0x1570
[ 37.813129] kthread+0x33f/0x460
[ 37.816474] ? kthread_park+0x180/0x180
[ 37.820532] ret_from_fork+0x24/0x30
[ 37.824523] Kernel Offset: disabled
[ 37.828130] Rebooting in 86400 seconds..
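The KASAN report above has a fixed layout: bug type and faulting function, the access (size, address, task), the call trace at the fault, the allocation and free stacks, the object the address belongs to, and the shadow-byte dump. The Python below is an added triage helper, not part of this log or of syzkaller. It parses that layout over an abridged copy of the report, discards the `?` frames (stale stack slots, not real callers), and cross-checks the numbers the report prints against each other: the faulting address minus the object base must equal the stated 324-byte offset, the 4-byte read must lie inside the 1024-byte kmalloc-1024 object, and the shadow byte covering the address must be 0xfb, which mm/kasan/kasan.h defines as a freed kmalloc object. It also reports which subsystem did the allocation and the free (here bcm_sendmsg and bcm_release, behind the allocator frames) and whether the fault ran from softirq context, which is the shape of this bug: the BCM TX tasklet fired after the socket's release path had already freed the object. Assumptions: generic KASAN on x86-64 with one shadow byte per 8 bytes of memory, and the sample lines copied from the report above with the rest elided.

```python
"""KASAN report triage for syzkaller console logs. Added example, not part of the log
above or of syzkaller: it parses the 4.19-era report layout shown above, drops the
unreliable '?' frames and cross-checks the faulting address against the object bounds
and shadow dump. Assumes generic KASAN on x86-64. SAMPLE_LOG is constructed: an
abridged copy of the report above, timestamps kept."""
import re

SAMPLE_LOG = """\
[   37.240317] BUG: KASAN: use-after-free in bcm_can_tx+0x726/0x800
[   37.246447] Read of size 4 at addr ffff88809495cf04 by task kworker/u4:5/3570
[   37.277262] Call Trace:
[   37.295525]  ? bcm_can_tx+0x726/0x800
[   37.308017]  bcm_can_tx+0x726/0x800
[   37.330009]  bcm_tx_timeout_tsklet+0x1f0/0x3a0
[   37.352836]  tasklet_action_common.constprop.0+0x265/0x360
[   37.372509]  </IRQ>
[   37.431441] Allocated by task 8339:
[   37.435058]  kmem_cache_alloc_trace+0x12f/0x380
[   37.439818]  bcm_sendmsg+0x25d7/0x4150
[   37.466287] Freed by task 8339:
[   37.469550]  kfree+0xcc/0x210
[   37.472640]  bcm_release+0x260/0x950
[   37.506023] The buggy address belongs to the object at ffff88809495cdc0
[   37.506023]  which belongs to the cache kmalloc-1024 of size 1024
[   37.518838] The buggy address is located 324 bytes inside of
[   37.592978] >ffff88809495cf00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   37.625705] ==================================================================
"""

TS = re.compile(r"^\[\s*\d+\.\d+\]\s?")                              # printk timestamp prefix
FRAME = re.compile(r"^(\?\s+)?([\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+$")  # group 1 set => '?' frame
SHADOW_ROW = re.compile(r"^>?([0-9a-f]{16}): ((?:[0-9a-f]{2} ?){16})$")
# Shadow byte meanings from mm/kasan/kasan.h; 0x01..0x07 mean that many leading bytes are valid.
SHADOW_LEGEND = {0x00: "addressable", 0xfa: "global redzone", 0xfb: "freed kmalloc object",
                 0xfc: "kmalloc redzone", 0xfe: "page redzone", 0xff: "freed page"}
ALLOCATOR = {"kmem_cache_alloc_trace", "kmem_cache_alloc", "__kmalloc", "kfree", "kmem_cache_free"}
SOFTIRQ = {"__do_softirq", "tasklet_action_common", "run_timer_softirq"}

def parse_kasan_report(log):
    """Return the first KASAN report in `log` as a dict, stopping at its closing '====' line."""
    rep, section = None, None
    for raw in log.splitlines():
        line = TS.sub("", raw).strip()
        if rep is None:
            if m := re.match(r"BUG: KASAN: (\S+) in (\S+)", line):
                rep = {"bug": m[1], "site": m[2].split("+")[0], "call_trace": [],
                       "alloc_stack": [], "free_stack": [], "shadow": {}}
            continue
        if re.fullmatch(r"=+", line):
            break
        if m := re.match(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (\S+)", line):
            rep.update(access=m[1], size=int(m[2]), addr=int(m[3], 16), task=m[4])
        elif line == "Call Trace:":
            section = rep["call_trace"]
        elif m := re.match(r"(Allocated|Freed) by task (\d+):", line):
            key = "alloc" if m[1] == "Allocated" else "free"
            rep[key + "_task"], section = int(m[2]), rep[key + "_stack"]
        elif m := re.match(r"The buggy address belongs to the object at ([0-9a-f]+)", line):
            rep["obj_addr"], section = int(m[1], 16), None
        elif m := re.match(r"which belongs to the cache (\S+) of size (\d+)", line):
            rep["cache"], rep["obj_size"] = m[1], int(m[2])
        elif m := re.match(r"The buggy address is located (\d+) bytes inside of", line):
            rep["stated_offset"] = int(m[1])
        elif m := SHADOW_ROW.match(line):
            rep["shadow"][int(m[1], 16)] = [int(b, 16) for b in m[2].split()]
        elif section is not None and (fm := FRAME.match(line)) and not fm[1]:
            section.append(fm[2].split(".")[0])   # real callers only; drop .cold/.constprop suffixes
    if rep is None:
        raise ValueError("no KASAN report found")
    return rep

def shadow_byte_for(rep, addr):
    """(value, meaning) of the shadow byte covering `addr`, taken from the dumped rows."""
    for base, row in rep["shadow"].items():
        idx = (addr - base) // 8          # generic KASAN: one shadow byte per 8 bytes of memory
        if 0 <= idx < len(row):
            v = row[idx]
            return v, SHADOW_LEGEND.get(v, f"{v} leading bytes valid" if 0 < v < 8 else "unknown")
    return None, "not in dump"

def owner(stack):
    """First frame that is not the allocator itself: the subsystem that did the (de)allocation."""
    return next((f for f in stack if f not in ALLOCATOR), None)

def check_consistency(rep):
    """Cross-check the report's own numbers; an empty list means they all agree."""
    problems, lo, hi = [], rep["obj_addr"], rep["obj_addr"] + rep["obj_size"]
    if (off := rep["addr"] - lo) != rep["stated_offset"]:
        problems.append(f"offset mismatch: computed {off}, report says {rep['stated_offset']}")
    if not lo <= rep["addr"] < hi or rep["addr"] + rep["size"] > hi:
        problems.append("access is not fully inside the reported object")
    value, meaning = shadow_byte_for(rep, rep["addr"])
    if rep["bug"] == "use-after-free" and value != 0xFB:
        problems.append(f"shadow says '{meaning}', not a freed kmalloc object")
    return problems

if __name__ == "__main__":
    r = parse_kasan_report(SAMPLE_LOG)
    print(r["bug"], r["site"], owner(r["alloc_stack"]), owner(r["free_stack"]), check_consistency(r))
```

Feeding it the full console log above works too: the parser only starts at the `BUG: KASAN:` line and stops at the report's closing `====` line, so the second Call Trace printed by the panic path and the boot-time network setup are ignored. A non-empty result from check_consistency is a sign that the report was truncated or mangled in transit, which is worth knowing before anyone spends time on it.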