Debian GNU/Linux 9 syzkaller ttyS0
Warning: Permanently added '10.128.1.38' (ECDSA) to the list of known hosts.
syzkaller login: [ 76.626780][ T8474] chnl_net:caif_netlink_parms(): no params data found
[ 76.696702][ T8474] bridge0: port 1(bridge_slave_0) entered blocking state
[ 76.705353][ T8474] bridge0: port 1(bridge_slave_0) entered disabled state
[ 76.714680][ T8474] device bridge_slave_0 entered promiscuous mode
[ 76.724977][ T8474] bridge0: port 2(bridge_slave_1) entered blocking state
[ 76.732665][ T8474] bridge0: port 2(bridge_slave_1) entered disabled state
[ 76.740796][ T8474] device bridge_slave_1 entered promiscuous mode
[ 76.769361][ T8474] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 76.780504][ T8474] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 76.815171][ T8474] team0: Port device team_slave_0 added
[ 76.823301][ T8474] team0: Port device team_slave_1 added
[ 76.852947][ T8474] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 76.860077][ T8474] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 76.889957][ T8474] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[ 76.904505][ T8474] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 76.912742][ T8474] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 76.939626][ T8474] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[ 76.980245][ T8474] device hsr_slave_0 entered promiscuous mode
[ 76.988738][ T8474] device hsr_slave_1 entered promiscuous mode
[ 77.120454][ T8474] netdevsim netdevsim0 netdevsim0: renamed from eth0
[ 77.135576][ T8474] netdevsim netdevsim0 netdevsim1: renamed from eth1
[ 77.146994][ T8474] netdevsim netdevsim0 netdevsim2: renamed from eth2
[ 77.157293][ T8474] netdevsim netdevsim0 netdevsim3: renamed from eth3
[ 77.195602][ T8474] bridge0: port 2(bridge_slave_1) entered blocking state
[ 77.203099][ T8474] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 77.212055][ T8474] bridge0: port 1(bridge_slave_0) entered blocking state
[ 77.219270][ T8474] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 77.266328][ T8474] 8021q: adding VLAN 0 to HW filter on device bond0
[ 77.280452][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 77.294486][ T5] bridge0: port 1(bridge_slave_0) entered disabled state
[ 77.304123][ T5] bridge0: port 2(bridge_slave_1) entered disabled state
[ 77.313612][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 77.327107][ T8474] 8021q: adding VLAN 0 to HW filter on device team0
[ 77.339163][ T20] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 77.349003][ T20] bridge0: port 1(bridge_slave_0) entered blocking state
[ 77.356159][ T20] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 77.372051][ T20] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 77.380872][ T20] bridge0: port 2(bridge_slave_1) entered blocking state
[ 77.387977][ T20] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 77.405884][ T8794] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 77.415578][ T8794] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 77.430773][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 77.448695][ T8474] hsr0: Slave A (hsr_slave_0) is not up; please bring it up to get a fully working HSR network
[ 77.461560][ T8474] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
[ 77.474516][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 77.484075][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 77.493144][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 77.511473][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 77.519004][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 77.534408][ T8474] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 77.553610][ T8794] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 77.573029][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 77.582174][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 77.590319][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 77.602055][ T8474] device veth0_vlan entered promiscuous mode
[ 77.616906][ T8474] device veth1_vlan entered promiscuous mode
[ 77.639243][ T20] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_macvtap: link becomes ready
[ 77.648060][ T20] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 77.659924][ T8474] device veth0_macvtap entered promiscuous mode
[ 77.670941][ T8474] device veth1_macvtap entered promiscuous mode
[ 77.688428][ T8474] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 77.696109][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready
[ 77.706473][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): macsec0: link becomes ready
[ 77.715975][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready
[ 77.725600][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 77.737703][ T8474] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 77.750518][ T8474] netdevsim netdevsim0 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0
[ 77.763473][ T8474] netdevsim netdevsim0 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0
[ 77.775080][ T8474] netdevsim netdevsim0 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0
executing program
[ 77.786388][ T8474] netdevsim netdevsim0 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0
[ 77.803252][ T8794] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready
[ 77.812639][ T8794] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 77.847726][ T8474] ==================================================================
[ 77.856348][ T8474] BUG: KASAN: slab-out-of-bounds in add_del_if+0x13a/0x140
[ 77.864256][ T8474] Read of size 8 at addr ffff888018a3ec88 by task syz-executor054/8474
[ 77.872938][ T8474]
[ 77.875268][ T8474] CPU: 1 PID: 8474 Comm: syz-executor054 Not tainted 5.14.0-rc2-syzkaller #0
[ 77.884018][ T8474] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 77.894248][ T8474] Call Trace:
[ 77.897521][ T8474] dump_stack_lvl+0xcd/0x134
[ 77.902101][ T8474] print_address_description.constprop.0.cold+0x6c/0x309
[ 77.909284][ T8474] ? add_del_if+0x13a/0x140
[ 77.913887][ T8474] ? add_del_if+0x13a/0x140
[ 77.918486][ T8474] kasan_report.cold+0x83/0xdf
[ 77.923373][ T8474] ? add_del_if+0x13a/0x140
[ 77.927881][ T8474] add_del_if+0x13a/0x140
[ 77.932318][ T8474] br_ioctl_stub+0x1c6/0x7f0
[ 77.937064][ T8474] ? br_dev_siocdevprivate+0x15c0/0x15c0
[ 77.942714][ T8474] ? __sanitizer_cov_trace_const_cmp4+0x1c/0x70
[ 77.949041][ T8474] ? full_name_hash+0xb5/0xf0
[ 77.953729][ T8474] ? br_dev_siocdevprivate+0x15c0/0x15c0
[ 77.959356][ T8474] br_ioctl_call+0x5e/0xa0
[ 77.964309][ T8474] dev_ifsioc+0xc1f/0xf60
[ 77.968666][ T8474] ? dev_load+0x79/0x200
[ 77.973210][ T8474] ? sock_diag_broadcast_destroy+0x1a0/0x1a0
[ 77.979291][ T8474] ? __sanitizer_cov_trace_const_cmp4+0x1c/0x70
[ 77.985697][ T8474] ? __sanitizer_cov_trace_const_cmp4+0x1c/0x70
[ 77.992144][ T8474] ? netdev_name_node_lookup_rcu+0x108/0x150
[ 77.998221][ T8474] dev_ioctl+0x1b9/0xee0
[ 78.002460][ T8474] sock_do_ioctl+0x18b/0x210
[ 78.007044][ T8474] ? put_user_ifreq+0x140/0x140
[ 78.011894][ T8474] sock_ioctl+0x2f1/0x640
[ 78.016388][ T8474] ? br_ioctl_call+0xa0/0xa0
[ 78.020970][ T8474] ? lock_downgrade+0x6e0/0x6e0
[ 78.025990][ T8474] ? lock_downgrade+0x6e0/0x6e0
[ 78.030923][ T8474] ? __sanitizer_cov_trace_const_cmp4+0x1c/0x70
[ 78.037504][ T8474] ? br_ioctl_call+0xa0/0xa0
[ 78.042779][ T8474] __x64_sys_ioctl+0x193/0x200
[ 78.047634][ T8474] do_syscall_64+0x35/0xb0
[ 78.052065][ T8474] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 78.058118][ T8474] RIP: 0033:0x4430a9
[ 78.062019][ T8474] Code: 28 c3 e8 4a 15 00 00 66 2e 0f 1f 84 00 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
[ 78.081817][ T8474] RSP: 002b:00007ffecc472ee8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 78.090564][ T8474] RAX: ffffffffffffffda RBX: 00007ffecc472ef8 RCX: 00000000004430a9
[ 78.098803][ T8474] RDX: 0000000020000000 RSI: 00000000000089a2 RDI: 0000000000000003
[ 78.106775][ T8474] RBP: 0000000000000003 R08: 0000000000000000 R09: 0000000000000000
[ 78.115089][ T8474] R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffecc472f00
[ 78.123118][ T8474] R13: 00007ffecc472f20 R14: 00000000004b8018 R15: 00000000004004b8
[ 78.131509][ T8474]
[ 78.133822][ T8474] Allocated by task 8474:
[ 78.138132][ T8474] kasan_save_stack+0x1b/0x40
[ 78.142802][ T8474] __kasan_kmalloc+0x9b/0xd0
[ 78.147378][ T8474] kvmalloc_node+0x61/0xf0
[ 78.151782][ T8474] alloc_netdev_mqs+0x98/0xe80
[ 78.156551][ T8474] rtnl_create_link+0x95a/0xb80
[ 78.161385][ T8474] veth_newlink+0x207/0xb20
[ 78.165875][ T8474] __rtnl_newlink+0x106e/0x1760
[ 78.170718][ T8474] rtnl_newlink+0x64/0xa0
[ 78.175223][ T8474] rtnetlink_rcv_msg+0x413/0xb80
[ 78.180141][ T8474] netlink_rcv_skb+0x153/0x420
[ 78.184923][ T8474] netlink_unicast+0x533/0x7d0
[ 78.189779][ T8474] netlink_sendmsg+0x86d/0xdb0
[ 78.194527][ T8474] sock_sendmsg+0xcf/0x120
[ 78.198928][ T8474] __sys_sendto+0x21c/0x320
[ 78.203413][ T8474] __x64_sys_sendto+0xdd/0x1b0
[ 78.209574][ T8474] do_syscall_64+0x35/0xb0
[ 78.214757][ T8474] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 78.220936][ T8474]
[ 78.223248][ T8474] The buggy address belongs to the object at ffff888018a3e000
[ 78.223248][ T8474] which belongs to the cache kmalloc-cg-4k of size 4096
[ 78.237919][ T8474] The buggy address is located 3208 bytes inside of
[ 78.237919][ T8474] 4096-byte region [ffff888018a3e000, ffff888018a3f000)
[ 78.251620][ T8474] The buggy address belongs to the page:
[ 78.257335][ T8474] page:ffffea0000628e00 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x18a38
[ 78.267603][ T8474] head:ffffea0000628e00 order:3 compound_mapcount:0 compound_pincount:0
[ 78.276010][ T8474] flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff)
[ 78.284208][ T8474] raw: 00fff00000010200 dead000000000100 dead000000000122 ffff88801084c280
[ 78.293106][ T8474] raw: 0000000000000000 0000000000040004 00000001ffffffff 0000000000000000
[ 78.301782][ T8474] page dumped because: kasan: bad access detected
[ 78.308809][ T8474] page_owner tracks the page as allocated
[ 78.314690][ T8474] page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 4866, ts 59996577923, free_ts 59983663330
[ 78.334469][ T8474] get_page_from_freelist+0xa72/0x2f80
[ 78.339929][ T8474] __alloc_pages+0x1b2/0x500
[ 78.344533][ T8474] alloc_pages+0x18c/0x2a0
[ 78.349209][ T8474] allocate_slab+0x32e/0x4b0
[ 78.353787][ T8474] ___slab_alloc+0x4ba/0x820
[ 78.358452][ T8474] __slab_alloc.constprop.0+0xa7/0xf0
[ 78.363815][ T8474] __kmalloc_node+0x2df/0x380
[ 78.369529][ T8474] kvmalloc_node+0x61/0xf0
[ 78.373931][ T8474] seq_read_iter+0x7e7/0x1240
[ 78.379105][ T8474] seq_read+0x3dd/0x5b0
[ 78.383346][ T8474] vfs_read+0x1b5/0x570
[ 78.387585][ T8474] ksys_read+0x12d/0x250
[ 78.391916][ T8474] do_syscall_64+0x35/0xb0
[ 78.396379][ T8474] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 78.402758][ T8474] page last free stack trace:
[ 78.407489][ T8474] free_pcp_prepare+0x2c5/0x780
[ 78.412340][ T8474] free_unref_page+0x19/0x690
[ 78.417023][ T8474] unfreeze_partials+0x17c/0x1d0
[ 78.422040][ T8474] put_cpu_partial+0x13d/0x230
[ 78.427172][ T8474] qlist_free_all+0x5a/0xc0
[ 78.432036][ T8474] kasan_quarantine_reduce+0x180/0x200
[ 78.437683][ T8474] __kasan_slab_alloc+0x8e/0xa0
[ 78.443063][ T8474] kmem_cache_alloc+0x285/0x4a0
[ 78.449363][ T8474] getname_flags.part.0+0x50/0x4f0
[ 78.454579][ T8474] user_path_at_empty+0xa1/0x100
[ 78.459718][ T8474] vfs_statx+0x142/0x390
[ 78.463989][ T8474] __do_sys_newlstat+0x91/0x110
[ 78.469118][ T8474] do_syscall_64+0x35/0xb0
[ 78.473535][ T8474] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 78.479617][ T8474]
[ 78.481925][ T8474] Memory state around the buggy address:
[ 78.487624][ T8474] ffff888018a3eb80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 78.496107][ T8474] ffff888018a3ec00: 00 00 00 00 00 00 00 00 07 fc fc fc fc fc fc fc
[ 78.504393][ T8474] >ffff888018a3ec80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 78.512453][ T8474] ^
[ 78.516760][ T8474] ffff888018a3ed00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 78.525059][ T8474] ffff888018a3ed80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 78.533362][ T8474] ==================================================================
[ 78.541572][ T8474] Disabling lock debugging due to kernel taint
[ 78.555688][ T8474] Kernel panic - not syncing: panic_on_warn set ...
[ 78.562475][ T8474] CPU: 1 PID: 8474 Comm: syz-executor054 Tainted: G B 5.14.0-rc2-syzkaller #0
[ 78.572718][ T8474] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 78.582863][ T8474] Call Trace:
[ 78.586172][ T8474] dump_stack_lvl+0xcd/0x134
[ 78.591371][ T8474] panic+0x306/0x73d
[ 78.595423][ T8474] ? __warn_printk+0xf3/0xf3
[ 78.600093][ T8474] ? preempt_schedule_common+0x59/0xc0
[ 78.605568][ T8474] ? add_del_if+0x13a/0x140
[ 78.610144][ T8474] ? preempt_schedule_thunk+0x16/0x18
[ 78.615532][ T8474] ? trace_hardirqs_on+0x38/0x1c0
[ 78.620551][ T8474] ? trace_hardirqs_on+0x51/0x1c0
[ 78.625572][ T8474] ? add_del_if+0x13a/0x140
[ 78.630150][ T8474] ? add_del_if+0x13a/0x140
[ 78.635309][ T8474] end_report.cold+0x5a/0x5a
[ 78.640013][ T8474] kasan_report.cold+0x71/0xdf
[ 78.644865][ T8474] ? add_del_if+0x13a/0x140
[ 78.649358][ T8474] add_del_if+0x13a/0x140
[ 78.653681][ T8474] br_ioctl_stub+0x1c6/0x7f0
[ 78.658255][ T8474] ? br_dev_siocdevprivate+0x15c0/0x15c0
[ 78.663875][ T8474] ? __sanitizer_cov_trace_const_cmp4+0x1c/0x70
[ 78.670185][ T8474] ? full_name_hash+0xb5/0xf0
[ 78.674865][ T8474] ? br_dev_siocdevprivate+0x15c0/0x15c0
[ 78.680476][ T8474] br_ioctl_call+0x5e/0xa0
[ 78.684875][ T8474] dev_ifsioc+0xc1f/0xf60
[ 78.689281][ T8474] ? dev_load+0x79/0x200
[ 78.693544][ T8474] ? sock_diag_broadcast_destroy+0x1a0/0x1a0
[ 78.699960][ T8474] ? __sanitizer_cov_trace_const_cmp4+0x1c/0x70
[ 78.706218][ T8474] ? __sanitizer_cov_trace_const_cmp4+0x1c/0x70
[ 78.712535][ T8474] ? netdev_name_node_lookup_rcu+0x108/0x150
[ 78.718762][ T8474] dev_ioctl+0x1b9/0xee0
[ 78.722993][ T8474] sock_do_ioctl+0x18b/0x210
[ 78.727671][ T8474] ? put_user_ifreq+0x140/0x140
[ 78.732789][ T8474] sock_ioctl+0x2f1/0x640
[ 78.737192][ T8474] ? br_ioctl_call+0xa0/0xa0
[ 78.741851][ T8474] ? lock_downgrade+0x6e0/0x6e0
[ 78.746683][ T8474] ? lock_downgrade+0x6e0/0x6e0
[ 78.751604][ T8474] ? __sanitizer_cov_trace_const_cmp4+0x1c/0x70
[ 78.757859][ T8474] ? br_ioctl_call+0xa0/0xa0
[ 78.762452][ T8474] __x64_sys_ioctl+0x193/0x200
[ 78.767238][ T8474] do_syscall_64+0x35/0xb0
[ 78.771854][ T8474] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 78.777746][ T8474] RIP: 0033:0x4430a9
[ 78.781650][ T8474] Code: 28 c3 e8 4a 15 00 00 66 2e 0f 1f 84 00 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
[ 78.801411][ T8474] RSP: 002b:00007ffecc472ee8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 78.809914][ T8474] RAX: ffffffffffffffda RBX: 00007ffecc472ef8 RCX: 00000000004430a9
[ 78.817898][ T8474] RDX: 0000000020000000 RSI: 00000000000089a2 RDI: 0000000000000003
[ 78.826039][ T8474] RBP: 0000000000000003 R08: 0000000000000000 R09: 0000000000000000
[ 78.834084][ T8474] R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffecc472f00
[ 78.842043][ T8474] R13: 00007ffecc472f20 R14: 00000000004b8018 R15: 00000000004004b8
[ 78.851807][ T8474] Kernel Offset: disabled
[ 78.856295][ T8474] Rebooting in 86400 seconds..