[ OK ] Reached target Login Prompts.
[ OK ] Reached target Multi-User System.
[ OK ] Reached target Graphical Interface.
       Starting Update UTMP about System Runlevel Changes...
[ OK ] Started Update UTMP about System Runlevel Changes.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.0.38' (ECDSA) to the list of known hosts.

syzkaller login: [ 29.646479] IPVS: ftp: loaded support on port[0] = 21
[ 29.716390] chnl_net:caif_netlink_parms(): no params data found
[ 29.795168] bridge0: port 1(bridge_slave_0) entered blocking state
[ 29.802355] bridge0: port 1(bridge_slave_0) entered disabled state
[ 29.810668] device bridge_slave_0 entered promiscuous mode
[ 29.817681] bridge0: port 2(bridge_slave_1) entered blocking state
[ 29.825461] bridge0: port 2(bridge_slave_1) entered disabled state
[ 29.833437] device bridge_slave_1 entered promiscuous mode
[ 29.851156] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 29.860250] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 29.879465] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 29.886786] team0: Port device team_slave_0 added
[ 29.892844] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 29.900581] team0: Port device team_slave_1 added
[ 29.915646] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 29.922487] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 29.949112] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[ 29.960751] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 29.967101] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 29.992442] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[ 30.003119] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[ 30.011792] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[ 30.029987] device hsr_slave_0 entered promiscuous mode
[ 30.035894] device hsr_slave_1 entered promiscuous mode
[ 30.042155] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready
[ 30.049447] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_1: link is not ready
[ 30.111992] bridge0: port 2(bridge_slave_1) entered blocking state
[ 30.118638] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 30.125660] bridge0: port 1(bridge_slave_0) entered blocking state
[ 30.132085] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 30.160531] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[ 30.166810] 8021q: adding VLAN 0 to HW filter on device bond0
[ 30.176312] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 30.185285] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 30.204755] bridge0: port 1(bridge_slave_0) entered disabled state
[ 30.212273] bridge0: port 2(bridge_slave_1) entered disabled state
[ 30.223604] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready
[ 30.229921] 8021q: adding VLAN 0 to HW filter on device team0
[ 30.238694] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 30.246669] bridge0: port 1(bridge_slave_0) entered blocking state
[ 30.253944] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 30.264978] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 30.273196] bridge0: port 2(bridge_slave_1) entered blocking state
[ 30.279940] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 30.298337] hsr0: Slave A (hsr_slave_0) is not up; please bring it up to get a fully working HSR network
[ 30.309694] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
[ 30.320290] IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready
[ 30.327279] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 30.335727] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 30.344176] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 30.352277] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 30.360031] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 30.368094] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 30.382460] IPv6: ADDRCONF(NETDEV_UP): vxcan0: link is not ready
[ 30.390002] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 30.396964] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 30.407774] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 30.461200] IPv6: ADDRCONF(NETDEV_UP): veth0_virt_wifi: link is not ready
[ 30.472321] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 30.501836] IPv6: ADDRCONF(NETDEV_UP): veth0_vlan: link is not ready
[ 30.510140] IPv6: ADDRCONF(NETDEV_UP): vlan0: link is not ready
[ 30.516704] IPv6: ADDRCONF(NETDEV_UP): vlan1: link is not ready
[ 30.526715] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 30.535350] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 30.543071] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 30.552860] device veth0_vlan entered promiscuous mode
[ 30.562378] device veth1_vlan entered promiscuous mode
[ 30.569640] IPv6: ADDRCONF(NETDEV_UP): macvlan0: link is not ready
[ 30.578215] IPv6: ADDRCONF(NETDEV_UP): macvlan1: link is not ready
[ 30.590973] IPv6: ADDRCONF(NETDEV_UP): veth0_macvtap: link is not ready
[ 30.600514] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan0: link becomes ready
[ 30.607775] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan1: link becomes ready
[ 30.615513] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 30.624733] device veth0_macvtap entered promiscuous mode
[ 30.631283] IPv6: ADDRCONF(NETDEV_UP): macvtap0: link is not ready
[ 30.640715] device veth1_macvtap entered promiscuous mode
[ 30.650539] IPv6: ADDRCONF(NETDEV_UP): veth0_to_batadv: link is not ready
[ 30.659982] IPv6: ADDRCONF(NETDEV_UP): veth1_to_batadv: link is not ready
[ 30.671018] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 30.677871] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 30.688048] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready
[ 30.699846] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 30.708786] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 30.715815] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
executing program
[ 30.847810] ==================================================================
[ 30.855462] BUG: KASAN: use-after-free in ip_tunnel_xmit+0x246f/0x3390
[ 30.862645] Read of size 4 at addr ffff8880b0622330 by task syz-executor015/8191
[ 30.870219]
[ 30.871844] CPU: 1 PID: 8191 Comm: syz-executor015 Not tainted 4.14.222-syzkaller #0
[ 30.879725] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 30.889184] Call Trace:
[ 30.891760]  dump_stack+0x1b2/0x281
[ 30.895426]  print_address_description.cold+0x54/0x1d3
[ 30.900698]  kasan_report_error.cold+0x8a/0x191
[ 30.905563]  ? ip_tunnel_xmit+0x246f/0x3390
[ 30.909964]  __asan_report_load4_noabort+0x68/0x70
[ 30.916320]  ? kasan_kmalloc+0x130/0x160
[ 30.921308]  ? ip_tunnel_xmit+0x246f/0x3390
[ 30.925943]  ip_tunnel_xmit+0x246f/0x3390
[ 30.930186]  ? _raw_spin_unlock_irqrestore+0x66/0xe0
[ 30.935615]  ? ip_md_tunnel_xmit+0x1020/0x1020
[ 30.940426]  ? skb_release_data+0x5f6/0x820
[ 30.944785]  ? skb_push+0x9d/0xc0
[ 30.948267]  ? __gre_xmit+0x445/0x7c0
[ 30.952762]  ipgre_xmit+0x398/0x6d0
[ 30.956400]  dev_hard_start_xmit+0x188/0x890
[ 30.960812]  __dev_queue_xmit+0x1d7f/0x2480
[ 30.965210]  ? netdev_pick_tx+0x2e0/0x2e0
[ 30.969342]  ? __check_object_size+0x179/0x230
[ 30.973918]  ? skb_copy_datagram_from_iter+0x3c1/0x5f0
[ 30.979375]  packet_snd+0x1393/0x21e0
[ 30.983168]  ? prb_retire_rx_blk_timer_expired+0x630/0x630
[ 30.988793]  packet_sendmsg+0x1139/0x2ad0
[ 30.992934]  ? __lock_acquire+0x5fc/0x3f20
[ 30.997153]  ? compat_packet_setsockopt+0x140/0x140
[ 31.002565]  ? security_socket_sendmsg+0x83/0xb0
[ 31.007320]  ? compat_packet_setsockopt+0x140/0x140
[ 31.012356]  sock_sendmsg+0xb5/0x100
[ 31.016260]  sock_no_sendpage+0xe2/0x110
[ 31.020450]  ? __sk_mem_schedule+0xd0/0xd0
[ 31.024883]  ? __sk_mem_schedule+0xd0/0xd0
[ 31.029326]  sock_sendpage+0xdf/0x140
[ 31.033141]  pipe_to_sendpage+0x226/0x2d0
[ 31.037278]  ? sockfs_setattr+0x140/0x140
[ 31.041441]  ? direct_splice_actor+0x160/0x160
[ 31.046062]  __splice_from_pipe+0x326/0x7a0
[ 31.050483]  ? direct_splice_actor+0x160/0x160
[ 31.055089]  generic_splice_sendpage+0xc1/0x110
[ 31.064016]  ? vmsplice_to_user+0x1b0/0x1b0
[ 31.069002]  ? rw_verify_area+0xe1/0x2a0
[ 31.073049]  ? vmsplice_to_user+0x1b0/0x1b0
[ 31.077535]  SyS_splice+0xd59/0x1380
[ 31.082309]  ? _raw_spin_unlock_irq+0x24/0x80
[ 31.087602]  ? compat_SyS_vmsplice+0x150/0x150
[ 31.092282]  ? do_syscall_64+0x4c/0x640
[ 31.096243]  ? compat_SyS_vmsplice+0x150/0x150
[ 31.100918]  do_syscall_64+0x1d5/0x640
[ 31.104969]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 31.110507] RIP: 0033:0x448ec9
[ 31.113694] RSP: 002b:00007f353af152f8 EFLAGS: 00000246 ORIG_RAX: 0000000000000113
[ 31.122559] RAX: ffffffffffffffda RBX: 00000000004cf518 RCX: 0000000000448ec9
[ 31.129817] RDX: 0000000000000005 RSI: 0000000000000000 RDI: 0000000000000003
[ 31.137324] RBP: 00000000004cf510 R08: 00000000ffffffff R09: 0000000000000000
[ 31.144589] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000004cf51c
[ 31.152291] R13: 000000000049e004 R14: 6d32cc5e8ead0600 R15: 0000000000022000
[ 31.159936]
[ 31.161589] Allocated by task 8191:
[ 31.182795]  kasan_kmalloc+0xeb/0x160
[ 31.186602]  __kmalloc_node_track_caller+0x4c/0x70
[ 31.191609]  __alloc_skb+0x96/0x510
[ 31.195255]  skb_segment+0x677/0x2e60
[ 31.199096]  udp4_ufo_fragment+0x40b/0x690
[ 31.203919]  inet_gso_segment+0x470/0x10c0
[ 31.208326]  skb_mac_gso_segment+0x240/0x4c0
[ 31.212728]  __skb_gso_segment+0x302/0x600
[ 31.216951]  validate_xmit_skb+0x49c/0x9f0
[ 31.221174]  __dev_queue_xmit+0x816/0x2480
[ 31.225406]  packet_snd+0x1393/0x21e0
[ 31.229455]  packet_sendmsg+0x1139/0x2ad0
[ 31.233608]  sock_sendmsg+0xb5/0x100
[ 31.237490]  sock_no_sendpage+0xe2/0x110
[ 31.249134]  sock_sendpage+0xdf/0x140
[ 31.252937]  pipe_to_sendpage+0x226/0x2d0
[ 31.257089]  __splice_from_pipe+0x326/0x7a0
[ 31.263004]  generic_splice_sendpage+0xc1/0x110
[ 31.267679]  SyS_splice+0xd59/0x1380
[ 31.271491]  do_syscall_64+0x1d5/0x640
[ 31.275369]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 31.280556]
[ 31.282233] Freed by task 8191:
[ 31.285585]  kasan_slab_free+0xc3/0x1a0
[ 31.290656]  kfree+0xc9/0x250
[ 31.294090]  pskb_expand_head+0x895/0xd30
[ 31.298317]  __pskb_pull_tail+0xd9/0x14a0
[ 31.302467]  ip_tunnel_xmit+0x142c/0x3390
[ 31.306719]  ipgre_xmit+0x398/0x6d0
[ 31.310429]  dev_hard_start_xmit+0x188/0x890
[ 31.314824]  __dev_queue_xmit+0x1d7f/0x2480
[ 31.319128]  packet_snd+0x1393/0x21e0
[ 31.322927]  packet_sendmsg+0x1139/0x2ad0
[ 31.327087]  sock_sendmsg+0xb5/0x100
[ 31.330797]  sock_no_sendpage+0xe2/0x110
[ 31.334838]  sock_sendpage+0xdf/0x140
[ 31.338670]  pipe_to_sendpage+0x226/0x2d0
[ 31.342813]  __splice_from_pipe+0x326/0x7a0
[ 31.347377]  generic_splice_sendpage+0xc1/0x110
[ 31.352039]  SyS_splice+0xd59/0x1380
[ 31.355753]  do_syscall_64+0x1d5/0x640
[ 31.359852]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 31.365196]
[ 31.366831] The buggy address belongs to the object at ffff8880b0622280
[ 31.366831]  which belongs to the cache kmalloc-512 of size 512
[ 31.379568] The buggy address is located 176 bytes inside of
[ 31.379568]  512-byte region [ffff8880b0622280, ffff8880b0622480)
[ 31.391427] The buggy address belongs to the page:
[ 31.396345] page:ffffea0002c18880 count:1 mapcount:0 mapping:ffff8880b0622000 index:0x0
[ 31.404482] flags: 0xfff00000000100(slab)
[ 31.408796] raw: 00fff00000000100 ffff8880b0622000 0000000000000000 0000000100000006
[ 31.417646] raw: ffffea0002c69ee0 ffffea0002862460 ffff88813fe80940 0000000000000000
[ 31.425619] page dumped because: kasan: bad access detected
[ 31.431339]
[ 31.433034] Memory state around the buggy address:
[ 31.438083]  ffff8880b0622200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 31.445611]  ffff8880b0622280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 31.452963] >ffff8880b0622300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 31.460311]                                      ^
[ 31.465236]  ffff8880b0622380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 31.472707]  ffff8880b0622400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 31.480050] ==================================================================
[ 31.487393] Disabling lock debugging due to kernel taint
[ 31.492941] Kernel panic - not syncing: panic_on_warn set ...
[ 31.492941]
[ 31.500314] CPU: 1 PID: 8191 Comm: syz-executor015 Tainted: G B 4.14.222-syzkaller #0
[ 31.510712] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 31.520069] Call Trace:
[ 31.522660]  dump_stack+0x1b2/0x281
[ 31.526287]  panic+0x1f9/0x42d
[ 31.529474]  ? add_taint.cold+0x16/0x16
[ 31.533449]  kasan_end_report+0x43/0x49
[ 31.537422]  kasan_report_error.cold+0xa7/0x191
[ 31.542081]  ? ip_tunnel_xmit+0x246f/0x3390
[ 31.546393]  __asan_report_load4_noabort+0x68/0x70
[ 31.551305]  ? kasan_kmalloc+0x130/0x160
[ 31.555365]  ? ip_tunnel_xmit+0x246f/0x3390
[ 31.559686]  ip_tunnel_xmit+0x246f/0x3390
[ 31.563830]  ? _raw_spin_unlock_irqrestore+0x66/0xe0
[ 31.568929]  ? ip_md_tunnel_xmit+0x1020/0x1020
[ 31.573643]  ? skb_release_data+0x5f6/0x820
[ 31.578135]  ? skb_push+0x9d/0xc0
[ 31.581843]  ? __gre_xmit+0x445/0x7c0
[ 31.585638]  ipgre_xmit+0x398/0x6d0
[ 31.589250]  dev_hard_start_xmit+0x188/0x890
[ 31.593685]  __dev_queue_xmit+0x1d7f/0x2480
[ 31.598005]  ? netdev_pick_tx+0x2e0/0x2e0
[ 31.602146]  ? __check_object_size+0x179/0x230
[ 31.606716]  ? skb_copy_datagram_from_iter+0x3c1/0x5f0
[ 31.611974]  packet_snd+0x1393/0x21e0
[ 31.615768]  ? prb_retire_rx_blk_timer_expired+0x630/0x630
[ 31.621374]  packet_sendmsg+0x1139/0x2ad0
[ 31.625521]  ? __lock_acquire+0x5fc/0x3f20
[ 31.629824]  ? compat_packet_setsockopt+0x140/0x140
[ 31.634874]  ? security_socket_sendmsg+0x83/0xb0
[ 31.639644]  ? compat_packet_setsockopt+0x140/0x140
[ 31.644641]  sock_sendmsg+0xb5/0x100
[ 31.648332]  sock_no_sendpage+0xe2/0x110
[ 31.652379]  ? __sk_mem_schedule+0xd0/0xd0
[ 31.656605]  ? __sk_mem_schedule+0xd0/0xd0
[ 31.660824]  sock_sendpage+0xdf/0x140
[ 31.664606]  pipe_to_sendpage+0x226/0x2d0
[ 31.668737]  ? sockfs_setattr+0x140/0x140
[ 31.672888]  ? direct_splice_actor+0x160/0x160
[ 31.677468]  __splice_from_pipe+0x326/0x7a0
[ 31.681804]  ? direct_splice_actor+0x160/0x160
[ 31.686391]  generic_splice_sendpage+0xc1/0x110
[ 31.691067]  ? vmsplice_to_user+0x1b0/0x1b0
[ 31.695383]  ? rw_verify_area+0xe1/0x2a0
[ 31.699455]  ? vmsplice_to_user+0x1b0/0x1b0
[ 31.703766]  SyS_splice+0xd59/0x1380
[ 31.707466]  ? _raw_spin_unlock_irq+0x24/0x80
[ 31.712024]  ? compat_SyS_vmsplice+0x150/0x150
[ 31.716686]  ? do_syscall_64+0x4c/0x640
[ 31.720641]  ? compat_SyS_vmsplice+0x150/0x150
[ 31.725326]  do_syscall_64+0x1d5/0x640
[ 31.729196]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 31.734384] RIP: 0033:0x448ec9
[ 31.737554] RSP: 002b:00007f353af152f8 EFLAGS: 00000246 ORIG_RAX: 0000000000000113
[ 31.745258] RAX: ffffffffffffffda RBX: 00000000004cf518 RCX: 0000000000448ec9
[ 31.752509] RDX: 0000000000000005 RSI: 0000000000000000 RDI: 0000000000000003
[ 31.759847] RBP: 00000000004cf510 R08: 00000000ffffffff R09: 0000000000000000
[ 31.767102] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000004cf51c
[ 31.774442] R13: 000000000049e004 R14: 6d32cc5e8ead0600 R15: 0000000000022000
[ 31.782397] Kernel Offset: disabled
[ 31.786007] Rebooting in 86400 seconds..