[ OK ] Started Getty on tty2.
[ OK ] Started Getty on tty1.
[ OK ] Started Serial Getty on ttyS0.
[ OK ] Reached target Login Prompts.
[ OK ] Reached target Multi-User System.
[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
Starting Load/Save RF Kill Switch Status...
[ OK ] Started Update UTMP about System Runlevel Changes.
[ OK ] Started Load/Save RF Kill Switch Status.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.10.11' (ECDSA) to the list of known hosts.
2020/07/04 14:24:47 parsed 1 programs
2020/07/04 14:24:47 executed programs: 0
syzkaller login: [   44.373963][ T6810] IPVS: ftp: loaded support on port[0] = 21
[   44.460605][ T6810] chnl_net:caif_netlink_parms(): no params data found
[   44.503773][ T6810] bridge0: port 1(bridge_slave_0) entered blocking state
[   44.511042][ T6810] bridge0: port 1(bridge_slave_0) entered disabled state
[   44.519420][ T6810] device bridge_slave_0 entered promiscuous mode
[   44.527848][ T6810] bridge0: port 2(bridge_slave_1) entered blocking state
[   44.535719][ T6810] bridge0: port 2(bridge_slave_1) entered disabled state
[   44.543767][ T6810] device bridge_slave_1 entered promiscuous mode
[   44.561508][ T6810] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[   44.572403][ T6810] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[   44.592732][ T6810] team0: Port device team_slave_0 added
[   44.599719][ T6810] team0: Port device team_slave_1 added
[   44.614898][ T6810] batman_adv: batadv0: Adding interface: batadv_slave_0
[   44.621820][ T6810] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[   44.647749][ T6810] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[   44.659715][ T6810] batman_adv: batadv0: Adding interface: batadv_slave_1
[   44.666715][ T6810] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[   44.692653][ T6810] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[   44.756267][ T6810] device hsr_slave_0 entered promiscuous mode
[   44.803420][ T6810] device hsr_slave_1 entered promiscuous mode
[   44.913610][ T6810] netdevsim netdevsim0 netdevsim0: renamed from eth0
[   44.945803][ T6810] netdevsim netdevsim0 netdevsim1: renamed from eth1
[   45.005686][ T6810] netdevsim netdevsim0 netdevsim2: renamed from eth2
[   45.065077][ T6810] netdevsim netdevsim0 netdevsim3: renamed from eth3
[   45.116513][ T6810] bridge0: port 2(bridge_slave_1) entered blocking state
[   45.123663][ T6810] bridge0: port 2(bridge_slave_1) entered forwarding state
[   45.131142][ T6810] bridge0: port 1(bridge_slave_0) entered blocking state
[   45.138245][ T6810] bridge0: port 1(bridge_slave_0) entered forwarding state
[   45.177223][ T6810] 8021q: adding VLAN 0 to HW filter on device bond0
[   45.189319][ T2586] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[   45.199436][ T2586] bridge0: port 1(bridge_slave_0) entered disabled state
[   45.207560][ T2586] bridge0: port 2(bridge_slave_1) entered disabled state
[   45.215640][ T2586] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[   45.229139][ T6810] 8021q: adding VLAN 0 to HW filter on device team0
[   45.238811][ T2673] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[   45.248098][ T2673] bridge0: port 1(bridge_slave_0) entered blocking state
[   45.255265][ T2673] bridge0: port 1(bridge_slave_0) entered forwarding state
[   45.267365][ T2586] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[   45.275983][ T2586] bridge0: port 2(bridge_slave_1) entered blocking state
[   45.283221][ T2586] bridge0: port 2(bridge_slave_1) entered forwarding state
[   45.304443][ T2673] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[   45.314081][ T2673] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[   45.324389][ T2673] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[   45.332181][ T2673] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[   45.345212][ T2586] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[   45.355334][ T6810] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[   45.373565][ T2673] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[   45.380936][ T2673] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[   45.394246][ T6810] 8021q: adding VLAN 0 to HW filter on device batadv0
[   45.410467][ T2673] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[   45.428814][ T2586] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[   45.437798][ T2586] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[   45.445952][ T2586] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[   45.455990][ T6810] device veth0_vlan entered promiscuous mode
[   45.468020][ T6810] device veth1_vlan entered promiscuous mode
[   45.487694][ T2673] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_macvtap: link becomes ready
[   45.496859][ T2673] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[   45.511998][ T6810] device veth0_macvtap entered promiscuous mode
[   45.521688][ T6810] device veth1_macvtap entered promiscuous mode
[   45.536433][ T6810] batman_adv: batadv0: Interface activated: batadv_slave_0
[   45.544169][   T12] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready
[   45.552001][   T12] IPv6: ADDRCONF(NETDEV_CHANGE): macsec0: link becomes ready
[   45.561001][   T12] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready
[   45.569994][   T12] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[   45.581915][ T6810] batman_adv: batadv0: Interface activated: batadv_slave_1
[   45.590018][   T12] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready
[   45.598465][   T12] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[   47.482937][ T7088] bridge0: port 1(bridge_slave_0) entered disabled state
[   47.676225][ T7088] device bridge_slave_0 left promiscuous mode
[   47.682961][ T7088] bridge0: port 1(bridge_slave_0) entered disabled state
[   48.111854][ T7102] bond0: (slave bond_slave_0): Releasing backup interface
[   48.593547][ T7116] team0: Port device team_slave_0 removed
[   48.801517][ T7131] batman_adv: batadv0: Interface deactivated: batadv_slave_1
[   49.084113][ T7131] batman_adv: batadv0: Removing interface: batadv_slave_1
[   49.242100][ T7141] ==================================================================
[   49.250314][ T7141] BUG: KASAN: use-after-free in free_netdev+0x186/0x350
[   49.257222][ T7141] Read of size 8 at addr ffff8880a1dc26f8 by task syz-executor.0/7141
[   49.265336][ T7141] 
[   49.267637][ T7141] CPU: 1 PID: 7141 Comm: syz-executor.0 Not tainted 5.8.0-rc3-syzkaller #0
[   49.276213][ T7141] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   49.286239][ T7141] Call Trace:
[   49.289501][ T7141]  dump_stack+0x1f0/0x31e
[   49.293809][ T7141]  print_address_description+0x66/0x5a0
[   49.299350][ T7141]  ? printk+0x62/0x83
[   49.303308][ T7141]  ? kfree_call_rcu+0x4eb/0x6b0
[   49.308146][ T7141]  ? vprintk_emit+0x339/0x3c0
[   49.312797][ T7141]  kasan_report+0x132/0x1d0
[   49.317280][ T7141]  ? free_netdev+0x186/0x350
[   49.321871][ T7141]  free_netdev+0x186/0x350
[   49.326261][ T7141]  netdev_run_todo+0xaaa/0xc90
[   49.330999][ T7141]  rtnetlink_rcv_msg+0x890/0xd40
[   49.336042][ T7141]  ? lock_acquire+0x160/0x720
[   49.340692][ T7141]  ? rcu_lock_acquire+0x5/0x30
[   49.345435][ T7141]  netlink_rcv_skb+0x190/0x3a0
[   49.350194][ T7141]  ? rtnetlink_bind+0x80/0x80
[   49.354861][ T7141]  netlink_unicast+0x786/0x940
[   49.359608][ T7141]  netlink_sendmsg+0xa57/0xd70
[   49.364350][ T7141]  ? netlink_getsockopt+0x9e0/0x9e0
[   49.369520][ T7141]  ____sys_sendmsg+0x519/0x800
[   49.374257][ T7141]  ? import_iovec+0x12a/0x2c0
[   49.378904][ T7141]  __sys_sendmsg+0x2b1/0x360
[   49.383474][ T7141]  ? __might_fault+0xf5/0x150
[   49.388132][ T7141]  ? _copy_to_user+0x100/0x140
[   49.392868][ T7141]  ? lock_is_held_type+0x87/0xe0
[   49.397778][ T7141]  ? entry_SYSCALL_64_after_hwframe+0x44/0xa9
[   49.403823][ T7141]  do_syscall_64+0x73/0xe0
[   49.408210][ T7141]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[   49.414071][ T7141] RIP: 0033:0x45cb29
[   49.417929][ T7141] Code: Bad RIP value.
[   49.421965][ T7141] RSP: 002b:00007f0cbb15cc78 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[   49.430353][ T7141] RAX: ffffffffffffffda RBX: 0000000000502760 RCX: 000000000045cb29
[   49.438307][ T7141] RDX: 0000000000000000 RSI: 0000000020000140 RDI: 0000000000000005
[   49.446250][ T7141] RBP: 000000000078c040 R08: 0000000000000000 R09: 0000000000000000
[   49.454196][ T7141] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
[   49.462144][ T7141] R13: 0000000000000a43 R14: 00000000004cd2a1 R15: 00007f0cbb15d6d4
[   49.470091][ T7141] 
[   49.472416][ T7141] Allocated by task 7131:
[   49.476719][ T7141]  __kasan_kmalloc+0x103/0x140
[   49.481455][ T7141]  __kmalloc+0x24b/0x330
[   49.485680][ T7141]  sk_prot_alloc+0xa7/0x2b0
[   49.490165][ T7141]  sk_alloc+0x36/0x9f0
[   49.494204][ T7141]  tun_chr_open+0x77/0x470
[   49.498599][ T7141]  misc_open+0x346/0x3c0
[   49.502824][ T7141]  chrdev_open+0x498/0x580
[   49.507211][ T7141]  do_dentry_open+0x813/0x1070
[   49.511961][ T7141]  path_openat+0x278d/0x37f0
[   49.516518][ T7141]  do_filp_open+0x191/0x3a0
[   49.521002][ T7141]  do_sys_openat2+0x463/0x770
[   49.525657][ T7141]  __x64_sys_openat+0x1c8/0x1f0
[   49.530508][ T7141]  do_syscall_64+0x73/0xe0
[   49.534911][ T7141]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[   49.540769][ T7141] 
[   49.543067][ T7141] Freed by task 7130:
[   49.547018][ T7141]  __kasan_slab_free+0x114/0x170
[   49.551935][ T7141]  kfree+0x10a/0x220
[   49.555818][ T7141]  __sk_destruct+0x612/0x770
[   49.560380][ T7141]  tun_chr_close+0x113/0x130
[   49.564939][ T7141]  __fput+0x2f0/0x750
[   49.568901][ T7141]  task_work_run+0x137/0x1c0
[   49.573461][ T7141]  __prepare_exit_to_usermode+0x14c/0x1e0
[   49.579158][ T7141]  do_syscall_64+0x7f/0xe0
[   49.584848][ T7141]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[   49.590715][ T7141] 
[   49.593028][ T7141] The buggy address belongs to the object at ffff8880a1dc2000
[   49.593028][ T7141]  which belongs to the cache kmalloc-4k of size 4096
[   49.607076][ T7141] The buggy address is located 1784 bytes inside of
[   49.607076][ T7141]  4096-byte region [ffff8880a1dc2000, ffff8880a1dc3000)
[   49.620485][ T7141] The buggy address belongs to the page:
[   49.626102][ T7141] page:ffffea0002877080 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 head:ffffea0002877080 order:1 compound_mapcount:0
[   49.639518][ T7141] flags: 0xfffe0000010200(slab|head)
[   49.644774][ T7141] raw: 00fffe0000010200 ffffea000288de08 ffffea0002898908 ffff8880aa402000
[   49.653324][ T7141] raw: 0000000000000000 ffff8880a1dc2000 0000000100000001 0000000000000000
[   49.661872][ T7141] page dumped because: kasan: bad access detected
[   49.668248][ T7141] 
[   49.670557][ T7141] Memory state around the buggy address:
[   49.676157][ T7141]  ffff8880a1dc2580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   49.684195][ T7141]  ffff8880a1dc2600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   49.692224][ T7141] >ffff8880a1dc2680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   49.700261][ T7141]                                                                 ^
[   49.708215][ T7141]  ffff8880a1dc2700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   49.716255][ T7141]  ffff8880a1dc2780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   49.724295][ T7141] ==================================================================
[   49.732334][ T7141] Disabling lock debugging due to kernel taint
[   49.739746][ T7141] Kernel panic - not syncing: panic_on_warn set ...
[   49.754060][ T7141] CPU: 1 PID: 7141 Comm: syz-executor.0 Tainted: G B 5.8.0-rc3-syzkaller #0
[   49.764017][ T7141] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   49.774060][ T7141] Call Trace:
[   49.777360][ T7141]  dump_stack+0x1f0/0x31e
[   49.781664][ T7141]  panic+0x264/0x7a0
[   49.785530][ T7141]  ? trace_hardirqs_on+0x30/0x80
[   49.790441][ T7141]  kasan_report+0x1c9/0x1d0
[   49.794915][ T7141]  ? free_netdev+0x186/0x350
[   49.799474][ T7141]  free_netdev+0x186/0x350
[   49.803863][ T7141]  netdev_run_todo+0xaaa/0xc90
[   49.808601][ T7141]  rtnetlink_rcv_msg+0x890/0xd40
[   49.813516][ T7141]  ? lock_acquire+0x160/0x720
[   49.818163][ T7141]  ? rcu_lock_acquire+0x5/0x30
[   49.822916][ T7141]  netlink_rcv_skb+0x190/0x3a0
[   49.827662][ T7141]  ? rtnetlink_bind+0x80/0x80
[   49.832310][ T7141]  netlink_unicast+0x786/0x940
[   49.837045][ T7141]  netlink_sendmsg+0xa57/0xd70
[   49.841779][ T7141]  ? netlink_getsockopt+0x9e0/0x9e0
[   49.846949][ T7141]  ____sys_sendmsg+0x519/0x800
[   49.851684][ T7141]  ? import_iovec+0x12a/0x2c0
[   49.856339][ T7141]  __sys_sendmsg+0x2b1/0x360
[   49.860911][ T7141]  ? __might_fault+0xf5/0x150
[   49.865559][ T7141]  ? _copy_to_user+0x100/0x140
[   49.870294][ T7141]  ? lock_is_held_type+0x87/0xe0
[   49.875218][ T7141]  ? entry_SYSCALL_64_after_hwframe+0x44/0xa9
[   49.881267][ T7141]  do_syscall_64+0x73/0xe0
[   49.885666][ T7141]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[   49.891533][ T7141] RIP: 0033:0x45cb29
[   49.895419][ T7141] Code: Bad RIP value.
[   49.899453][ T7141] RSP: 002b:00007f0cbb15cc78 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[   49.907839][ T7141] RAX: ffffffffffffffda RBX: 0000000000502760 RCX: 000000000045cb29
[   49.915794][ T7141] RDX: 0000000000000000 RSI: 0000000020000140 RDI: 0000000000000005
[   49.923743][ T7141] RBP: 000000000078c040 R08: 0000000000000000 R09: 0000000000000000
[   49.931684][ T7141] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
[   49.939638][ T7141] R13: 0000000000000a43 R14: 00000000004cd2a1 R15: 00007f0cbb15d6d4
[   49.948648][ T7141] Kernel Offset: disabled
[   49.952956][ T7141] Rebooting in 86400 seconds..