[[0;32m  OK  [0m] Reached target Login Prompts.
[[0;32m  OK  [0m] Reached target Multi-User System.
[[0;32m  OK  [0m] Reached target Graphical Interface.
         Starting Update UTMP about System Runlevel Changes...
[[0;32m  OK  [0m] Started Update UTMP about System Runlevel Changes.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.0.38' (ECDSA) to the list of known hosts.
syzkaller login: [   29.646479] IPVS: ftp: loaded support on port[0] = 21
[   29.716390] chnl_net:caif_netlink_parms(): no params data found
[   29.795168] bridge0: port 1(bridge_slave_0) entered blocking state
[   29.802355] bridge0: port 1(bridge_slave_0) entered disabled state
[   29.810668] device bridge_slave_0 entered promiscuous mode
[   29.817681] bridge0: port 2(bridge_slave_1) entered blocking state
[   29.825461] bridge0: port 2(bridge_slave_1) entered disabled state
[   29.833437] device bridge_slave_1 entered promiscuous mode
[   29.851156] bond0: Enslaving bond_slave_0 as an active interface with an up link
[   29.860250] bond0: Enslaving bond_slave_1 as an active interface with an up link
[   29.879465] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[   29.886786] team0: Port device team_slave_0 added
[   29.892844] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[   29.900581] team0: Port device team_slave_1 added
[   29.915646] batman_adv: batadv0: Adding interface: batadv_slave_0
[   29.922487] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[   29.949112] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[   29.960751] batman_adv: batadv0: Adding interface: batadv_slave_1
[   29.967101] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[   29.992442] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[   30.003119] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[   30.011792] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[   30.029987] device hsr_slave_0 entered promiscuous mode
[   30.035894] device hsr_slave_1 entered promiscuous mode
[   30.042155] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready
[   30.049447] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_1: link is not ready
[   30.111992] bridge0: port 2(bridge_slave_1) entered blocking state
[   30.118638] bridge0: port 2(bridge_slave_1) entered forwarding state
[   30.125660] bridge0: port 1(bridge_slave_0) entered blocking state
[   30.132085] bridge0: port 1(bridge_slave_0) entered forwarding state
[   30.160531] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[   30.166810] 8021q: adding VLAN 0 to HW filter on device bond0
[   30.176312] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[   30.185285] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[   30.204755] bridge0: port 1(bridge_slave_0) entered disabled state
[   30.212273] bridge0: port 2(bridge_slave_1) entered disabled state
[   30.223604] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready
[   30.229921] 8021q: adding VLAN 0 to HW filter on device team0
[   30.238694] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[   30.246669] bridge0: port 1(bridge_slave_0) entered blocking state
[   30.253944] bridge0: port 1(bridge_slave_0) entered forwarding state
[   30.264978] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[   30.273196] bridge0: port 2(bridge_slave_1) entered blocking state
[   30.279940] bridge0: port 2(bridge_slave_1) entered forwarding state
[   30.298337] hsr0: Slave A (hsr_slave_0) is not up; please bring it up to get a fully working HSR network
[   30.309694] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
[   30.320290] IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready
[   30.327279] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[   30.335727] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[   30.344176] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[   30.352277] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[   30.360031] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[   30.368094] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[   30.382460] IPv6: ADDRCONF(NETDEV_UP): vxcan0: link is not ready
[   30.390002] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[   30.396964] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[   30.407774] 8021q: adding VLAN 0 to HW filter on device batadv0
[   30.461200] IPv6: ADDRCONF(NETDEV_UP): veth0_virt_wifi: link is not ready
[   30.472321] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[   30.501836] IPv6: ADDRCONF(NETDEV_UP): veth0_vlan: link is not ready
[   30.510140] IPv6: ADDRCONF(NETDEV_UP): vlan0: link is not ready
[   30.516704] IPv6: ADDRCONF(NETDEV_UP): vlan1: link is not ready
[   30.526715] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[   30.535350] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[   30.543071] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[   30.552860] device veth0_vlan entered promiscuous mode
[   30.562378] device veth1_vlan entered promiscuous mode
[   30.569640] IPv6: ADDRCONF(NETDEV_UP): macvlan0: link is not ready
[   30.578215] IPv6: ADDRCONF(NETDEV_UP): macvlan1: link is not ready
[   30.590973] IPv6: ADDRCONF(NETDEV_UP): veth0_macvtap: link is not ready
[   30.600514] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan0: link becomes ready
[   30.607775] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan1: link becomes ready
[   30.615513] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[   30.624733] device veth0_macvtap entered promiscuous mode
[   30.631283] IPv6: ADDRCONF(NETDEV_UP): macvtap0: link is not ready
[   30.640715] device veth1_macvtap entered promiscuous mode
[   30.650539] IPv6: ADDRCONF(NETDEV_UP): veth0_to_batadv: link is not ready
[   30.659982] IPv6: ADDRCONF(NETDEV_UP): veth1_to_batadv: link is not ready
[   30.671018] batman_adv: batadv0: Interface activated: batadv_slave_0
[   30.677871] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[   30.688048] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready
[   30.699846] batman_adv: batadv0: Interface activated: batadv_slave_1
[   30.708786] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[   30.715815] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
executing program
[   30.847810] ==================================================================
[   30.855462] BUG: KASAN: use-after-free in ip_tunnel_xmit+0x246f/0x3390
[   30.862645] Read of size 4 at addr ffff8880b0622330 by task syz-executor015/8191
[   30.870219] 
[   30.871844] CPU: 1 PID: 8191 Comm: syz-executor015 Not tainted 4.14.222-syzkaller #0
[   30.879725] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   30.889184] Call Trace:
[   30.891760]  dump_stack+0x1b2/0x281
[   30.895426]  print_address_description.cold+0x54/0x1d3
[   30.900698]  kasan_report_error.cold+0x8a/0x191
[   30.905563]  ? ip_tunnel_xmit+0x246f/0x3390
[   30.909964]  __asan_report_load4_noabort+0x68/0x70
[   30.916320]  ? kasan_kmalloc+0x130/0x160
[   30.921308]  ? ip_tunnel_xmit+0x246f/0x3390
[   30.925943]  ip_tunnel_xmit+0x246f/0x3390
[   30.930186]  ? _raw_spin_unlock_irqrestore+0x66/0xe0
[   30.935615]  ? ip_md_tunnel_xmit+0x1020/0x1020
[   30.940426]  ? skb_release_data+0x5f6/0x820
[   30.944785]  ? skb_push+0x9d/0xc0
[   30.948267]  ? __gre_xmit+0x445/0x7c0
[   30.952762]  ipgre_xmit+0x398/0x6d0
[   30.956400]  dev_hard_start_xmit+0x188/0x890
[   30.960812]  __dev_queue_xmit+0x1d7f/0x2480
[   30.965210]  ? netdev_pick_tx+0x2e0/0x2e0
[   30.969342]  ? __check_object_size+0x179/0x230
[   30.973918]  ? skb_copy_datagram_from_iter+0x3c1/0x5f0
[   30.979375]  packet_snd+0x1393/0x21e0
[   30.983168]  ? prb_retire_rx_blk_timer_expired+0x630/0x630
[   30.988793]  packet_sendmsg+0x1139/0x2ad0
[   30.992934]  ? __lock_acquire+0x5fc/0x3f20
[   30.997153]  ? compat_packet_setsockopt+0x140/0x140
[   31.002565]  ? security_socket_sendmsg+0x83/0xb0
[   31.007320]  ? compat_packet_setsockopt+0x140/0x140
[   31.012356]  sock_sendmsg+0xb5/0x100
[   31.016260]  sock_no_sendpage+0xe2/0x110
[   31.020450]  ? __sk_mem_schedule+0xd0/0xd0
[   31.024883]  ? __sk_mem_schedule+0xd0/0xd0
[   31.029326]  sock_sendpage+0xdf/0x140
[   31.033141]  pipe_to_sendpage+0x226/0x2d0
[   31.037278]  ? sockfs_setattr+0x140/0x140
[   31.041441]  ? direct_splice_actor+0x160/0x160
[   31.046062]  __splice_from_pipe+0x326/0x7a0
[   31.050483]  ? direct_splice_actor+0x160/0x160
[   31.055089]  generic_splice_sendpage+0xc1/0x110
[   31.064016]  ? vmsplice_to_user+0x1b0/0x1b0
[   31.069002]  ? rw_verify_area+0xe1/0x2a0
[   31.073049]  ? vmsplice_to_user+0x1b0/0x1b0
[   31.077535]  SyS_splice+0xd59/0x1380
[   31.082309]  ? _raw_spin_unlock_irq+0x24/0x80
[   31.087602]  ? compat_SyS_vmsplice+0x150/0x150
[   31.092282]  ? do_syscall_64+0x4c/0x640
[   31.096243]  ? compat_SyS_vmsplice+0x150/0x150
[   31.100918]  do_syscall_64+0x1d5/0x640
[   31.104969]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[   31.110507] RIP: 0033:0x448ec9
[   31.113694] RSP: 002b:00007f353af152f8 EFLAGS: 00000246 ORIG_RAX: 0000000000000113
[   31.122559] RAX: ffffffffffffffda RBX: 00000000004cf518 RCX: 0000000000448ec9
[   31.129817] RDX: 0000000000000005 RSI: 0000000000000000 RDI: 0000000000000003
[   31.137324] RBP: 00000000004cf510 R08: 00000000ffffffff R09: 0000000000000000
[   31.144589] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000004cf51c
[   31.152291] R13: 000000000049e004 R14: 6d32cc5e8ead0600 R15: 0000000000022000
[   31.159936] 
[   31.161589] Allocated by task 8191:
[   31.182795]  kasan_kmalloc+0xeb/0x160
[   31.186602]  __kmalloc_node_track_caller+0x4c/0x70
[   31.191609]  __alloc_skb+0x96/0x510
[   31.195255]  skb_segment+0x677/0x2e60
[   31.199096]  udp4_ufo_fragment+0x40b/0x690
[   31.203919]  inet_gso_segment+0x470/0x10c0
[   31.208326]  skb_mac_gso_segment+0x240/0x4c0
[   31.212728]  __skb_gso_segment+0x302/0x600
[   31.216951]  validate_xmit_skb+0x49c/0x9f0
[   31.221174]  __dev_queue_xmit+0x816/0x2480
[   31.225406]  packet_snd+0x1393/0x21e0
[   31.229455]  packet_sendmsg+0x1139/0x2ad0
[   31.233608]  sock_sendmsg+0xb5/0x100
[   31.237490]  sock_no_sendpage+0xe2/0x110
[   31.249134]  sock_sendpage+0xdf/0x140
[   31.252937]  pipe_to_sendpage+0x226/0x2d0
[   31.257089]  __splice_from_pipe+0x326/0x7a0
[   31.263004]  generic_splice_sendpage+0xc1/0x110
[   31.267679]  SyS_splice+0xd59/0x1380
[   31.271491]  do_syscall_64+0x1d5/0x640
[   31.275369]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[   31.280556] 
[   31.282233] Freed by task 8191:
[   31.285585]  kasan_slab_free+0xc3/0x1a0
[   31.290656]  kfree+0xc9/0x250
[   31.294090]  pskb_expand_head+0x895/0xd30
[   31.298317]  __pskb_pull_tail+0xd9/0x14a0
[   31.302467]  ip_tunnel_xmit+0x142c/0x3390
[   31.306719]  ipgre_xmit+0x398/0x6d0
[   31.310429]  dev_hard_start_xmit+0x188/0x890
[   31.314824]  __dev_queue_xmit+0x1d7f/0x2480
[   31.319128]  packet_snd+0x1393/0x21e0
[   31.322927]  packet_sendmsg+0x1139/0x2ad0
[   31.327087]  sock_sendmsg+0xb5/0x100
[   31.330797]  sock_no_sendpage+0xe2/0x110
[   31.334838]  sock_sendpage+0xdf/0x140
[   31.338670]  pipe_to_sendpage+0x226/0x2d0
[   31.342813]  __splice_from_pipe+0x326/0x7a0
[   31.347377]  generic_splice_sendpage+0xc1/0x110
[   31.352039]  SyS_splice+0xd59/0x1380
[   31.355753]  do_syscall_64+0x1d5/0x640
[   31.359852]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[   31.365196] 
[   31.366831] The buggy address belongs to the object at ffff8880b0622280
[   31.366831]  which belongs to the cache kmalloc-512 of size 512
[   31.379568] The buggy address is located 176 bytes inside of
[   31.379568]  512-byte region [ffff8880b0622280, ffff8880b0622480)
[   31.391427] The buggy address belongs to the page:
[   31.396345] page:ffffea0002c18880 count:1 mapcount:0 mapping:ffff8880b0622000 index:0x0
[   31.404482] flags: 0xfff00000000100(slab)
[   31.408796] raw: 00fff00000000100 ffff8880b0622000 0000000000000000 0000000100000006
[   31.417646] raw: ffffea0002c69ee0 ffffea0002862460 ffff88813fe80940 0000000000000000
[   31.425619] page dumped because: kasan: bad access detected
[   31.431339] 
[   31.433034] Memory state around the buggy address:
[   31.438083]  ffff8880b0622200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   31.445611]  ffff8880b0622280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   31.452963] >ffff8880b0622300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   31.460311]                                      ^
[   31.465236]  ffff8880b0622380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   31.472707]  ffff8880b0622400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   31.480050] ==================================================================
[   31.487393] Disabling lock debugging due to kernel taint
[   31.492941] Kernel panic - not syncing: panic_on_warn set ...
[   31.492941] 
[   31.500314] CPU: 1 PID: 8191 Comm: syz-executor015 Tainted: G    B           4.14.222-syzkaller #0
[   31.510712] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   31.520069] Call Trace:
[   31.522660]  dump_stack+0x1b2/0x281
[   31.526287]  panic+0x1f9/0x42d
[   31.529474]  ? add_taint.cold+0x16/0x16
[   31.533449]  kasan_end_report+0x43/0x49
[   31.537422]  kasan_report_error.cold+0xa7/0x191
[   31.542081]  ? ip_tunnel_xmit+0x246f/0x3390
[   31.546393]  __asan_report_load4_noabort+0x68/0x70
[   31.551305]  ? kasan_kmalloc+0x130/0x160
[   31.555365]  ? ip_tunnel_xmit+0x246f/0x3390
[   31.559686]  ip_tunnel_xmit+0x246f/0x3390
[   31.563830]  ? _raw_spin_unlock_irqrestore+0x66/0xe0
[   31.568929]  ? ip_md_tunnel_xmit+0x1020/0x1020
[   31.573643]  ? skb_release_data+0x5f6/0x820
[   31.578135]  ? skb_push+0x9d/0xc0
[   31.581843]  ? __gre_xmit+0x445/0x7c0
[   31.585638]  ipgre_xmit+0x398/0x6d0
[   31.589250]  dev_hard_start_xmit+0x188/0x890
[   31.593685]  __dev_queue_xmit+0x1d7f/0x2480
[   31.598005]  ? netdev_pick_tx+0x2e0/0x2e0
[   31.602146]  ? __check_object_size+0x179/0x230
[   31.606716]  ? skb_copy_datagram_from_iter+0x3c1/0x5f0
[   31.611974]  packet_snd+0x1393/0x21e0
[   31.615768]  ? prb_retire_rx_blk_timer_expired+0x630/0x630
[   31.621374]  packet_sendmsg+0x1139/0x2ad0
[   31.625521]  ? __lock_acquire+0x5fc/0x3f20
[   31.629824]  ? compat_packet_setsockopt+0x140/0x140
[   31.634874]  ? security_socket_sendmsg+0x83/0xb0
[   31.639644]  ? compat_packet_setsockopt+0x140/0x140
[   31.644641]  sock_sendmsg+0xb5/0x100
[   31.648332]  sock_no_sendpage+0xe2/0x110
[   31.652379]  ? __sk_mem_schedule+0xd0/0xd0
[   31.656605]  ? __sk_mem_schedule+0xd0/0xd0
[   31.660824]  sock_sendpage+0xdf/0x140
[   31.664606]  pipe_to_sendpage+0x226/0x2d0
[   31.668737]  ? sockfs_setattr+0x140/0x140
[   31.672888]  ? direct_splice_actor+0x160/0x160
[   31.677468]  __splice_from_pipe+0x326/0x7a0
[   31.681804]  ? direct_splice_actor+0x160/0x160
[   31.686391]  generic_splice_sendpage+0xc1/0x110
[   31.691067]  ? vmsplice_to_user+0x1b0/0x1b0
[   31.695383]  ? rw_verify_area+0xe1/0x2a0
[   31.699455]  ? vmsplice_to_user+0x1b0/0x1b0
[   31.703766]  SyS_splice+0xd59/0x1380
[   31.707466]  ? _raw_spin_unlock_irq+0x24/0x80
[   31.712024]  ? compat_SyS_vmsplice+0x150/0x150
[   31.716686]  ? do_syscall_64+0x4c/0x640
[   31.720641]  ? compat_SyS_vmsplice+0x150/0x150
[   31.725326]  do_syscall_64+0x1d5/0x640
[   31.729196]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[   31.734384] RIP: 0033:0x448ec9
[   31.737554] RSP: 002b:00007f353af152f8 EFLAGS: 00000246 ORIG_RAX: 0000000000000113
[   31.745258] RAX: ffffffffffffffda RBX: 00000000004cf518 RCX: 0000000000448ec9
[   31.752509] RDX: 0000000000000005 RSI: 0000000000000000 RDI: 0000000000000003
[   31.759847] RBP: 00000000004cf510 R08: 00000000ffffffff R09: 0000000000000000
[   31.767102] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000004cf51c
[   31.774442] R13: 000000000049e004 R14: 6d32cc5e8ead0600 R15: 0000000000022000
[   31.782397] Kernel Offset: disabled
[   31.786007] Rebooting in 86400 seconds..