[ OK ] Started OpenBSD Secure Shell server.
[ OK ] Reached target Multi-User System.
[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
[ OK ] Started Update UTMP about System Runlevel Changes.
Debian GNU/Linux 9 syzkaller ttyS0
Warning: Permanently added '10.128.0.62' (ECDSA) to the list of known hosts.
2020/04/02 18:53:11 parsed 1 programs
2020/04/02 18:53:14 executed programs: 0
syzkaller login: [ 48.870109][ T7026] IPVS: ftp: loaded support on port[0] = 21
[ 48.948558][ T7026] chnl_net:caif_netlink_parms(): no params data found
[ 48.996498][ T7026] bridge0: port 1(bridge_slave_0) entered blocking state
[ 49.004339][ T7026] bridge0: port 1(bridge_slave_0) entered disabled state
[ 49.012779][ T7026] device bridge_slave_0 entered promiscuous mode
[ 49.021784][ T7026] bridge0: port 2(bridge_slave_1) entered blocking state
[ 49.029520][ T7026] bridge0: port 2(bridge_slave_1) entered disabled state
[ 49.037813][ T7026] device bridge_slave_1 entered promiscuous mode
[ 49.056481][ T7026] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 49.068304][ T7026] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 49.088625][ T7026] team0: Port device team_slave_0 added
[ 49.095900][ T7026] team0: Port device team_slave_1 added
[ 49.111346][ T7026] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 49.119089][ T7026] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 49.146152][ T7026] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[ 49.159770][ T7026] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 49.167065][ T7026] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 49.193837][ T7026] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[ 49.249685][ T7026] device hsr_slave_0 entered promiscuous mode
[ 49.298091][ T7026] device hsr_slave_1 entered promiscuous mode
[ 49.427628][ T7026] netdevsim netdevsim0 netdevsim0: renamed from eth0
[ 49.460205][ T7026] netdevsim netdevsim0 netdevsim1: renamed from eth1
[ 49.520205][ T7026] netdevsim netdevsim0 netdevsim2: renamed from eth2
[ 49.579432][ T7026] netdevsim netdevsim0 netdevsim3: renamed from eth3
[ 49.650215][ T7026] bridge0: port 2(bridge_slave_1) entered blocking state
[ 49.657584][ T7026] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 49.665274][ T7026] bridge0: port 1(bridge_slave_0) entered blocking state
[ 49.672533][ T7026] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 49.711272][ T7026] 8021q: adding VLAN 0 to HW filter on device bond0
[ 49.723231][ T2714] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 49.733507][ T2714] bridge0: port 1(bridge_slave_0) entered disabled state
[ 49.742023][ T2714] bridge0: port 2(bridge_slave_1) entered disabled state
[ 49.750522][ T2714] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 49.763069][ T7026] 8021q: adding VLAN 0 to HW filter on device team0
[ 49.772797][ T2679] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 49.782198][ T2679] bridge0: port 1(bridge_slave_0) entered blocking state
[ 49.789428][ T2679] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 49.808728][ T2679] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 49.818130][ T2679] bridge0: port 2(bridge_slave_1) entered blocking state
[ 49.825189][ T2679] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 49.833934][ T2679] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 49.850446][ T7026] hsr0: Slave A (hsr_slave_0) is not up; please bring it up to get a fully working HSR network
[ 49.861033][ T7026] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
[ 49.875562][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 49.883974][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 49.892527][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 49.901180][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 49.917061][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 49.917167][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 49.917245][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 49.942468][ T7026] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 49.959433][ T2714] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_virt_wifi: link becomes ready
[ 49.970051][ T2714] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 49.989471][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_vlan: link becomes ready
[ 49.998241][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 50.006814][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 50.018424][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 50.026685][ T7026] device veth0_vlan entered promiscuous mode
[ 50.037327][ T7026] device veth1_vlan entered promiscuous mode
[ 50.054888][ T2679] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan0: link becomes ready
[ 50.063415][ T2679] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan1: link becomes ready
[ 50.071713][ T2679] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_macvtap: link becomes ready
[ 50.080233][ T2679] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 50.090755][ T7026] device veth0_macvtap entered promiscuous mode
[ 50.101341][ T7026] device veth1_macvtap entered promiscuous mode
[ 50.116394][ T7026] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 50.124384][ T2679] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready
[ 50.133580][ T2679] IPv6: ADDRCONF(NETDEV_CHANGE): macsec0: link becomes ready
[ 50.141682][ T2679] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready
[ 50.151073][ T2679] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 50.163830][ T7026] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 50.174261][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready
[ 50.184235][ T5] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 50.477947][ T7251] netlink: 16 bytes leftover after parsing attributes in process `syz-executor.0'.
[ 50.557647][ T7261] netlink: 16 bytes leftover after parsing attributes in process `syz-executor.0'.
[ 50.647601][ T7273] ------------[ cut here ]------------
[ 50.653110][ T7273] refcount_t: addition on 0; use-after-free.
[ 50.662907][ T7273] WARNING: CPU: 0 PID: 7273 at lib/refcount.c:25 refcount_warn_saturate+0x13d/0x1a0
[ 50.672298][ T7273] Kernel panic - not syncing: panic_on_warn set ...
[ 50.678893][ T7273] CPU: 0 PID: 7273 Comm: syz-executor.0 Not tainted 5.6.0-syzkaller #0
[ 50.687129][ T7273] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 50.697185][ T7273] Call Trace:
[ 50.700465][ T7273] dump_stack+0x1e9/0x30e
[ 50.704776][ T7273] panic+0x264/0x7a0
[ 50.708657][ T7273] ? __warn+0x102/0x210
[ 50.712800][ T7273] ? refcount_warn_saturate+0x13d/0x1a0
[ 50.718327][ T7273] __warn+0x209/0x210
[ 50.722292][ T7273] ? refcount_warn_saturate+0x13d/0x1a0
[ 50.727819][ T7273] report_bug+0x1ac/0x2d0
[ 50.732137][ T7273] do_error_trap+0xca/0x1c0
[ 50.736627][ T7273] do_invalid_op+0x32/0x40
[ 50.741044][ T7273] ? refcount_warn_saturate+0x13d/0x1a0
[ 50.746578][ T7273] invalid_op+0x23/0x30
[ 50.750737][ T7273] RIP: 0010:refcount_warn_saturate+0x13d/0x1a0
[ 50.756890][ T7273] Code: c7 33 ff f1 88 31 c0 e8 d1 f9 b1 fd 0f 0b eb a3 e8 28 97 df fd c6 05 e0 1c d2 05 01 48 c7 c7 6a ff f1 88 31 c0 e8 b3 f9 b1 fd <0f> 0b eb 85 e8 0a 97 df fd c6 05 c3 1c d2 05 01 48 c7 c7 96 ff f1
[ 50.776484][ T7273] RSP: 0018:ffffc900020f7d40 EFLAGS: 00010246
[ 50.782531][ T7273] RAX: ef5780d4f83b8300 RBX: 0000000000000002 RCX: ffff88809ed44540
[ 50.790500][ T7273] RDX: 0000000000000000 RSI: 0000000080000000 RDI: 0000000000000000
[ 50.798458][ T7273] RBP: 0000000000000002 R08: ffffffff815e4dd6 R09: ffffed1015d06660
[ 50.806412][ T7273] R10: ffffed1015d06660 R11: 0000000000000000 R12: ffff8880a4cfe040
[ 50.814371][ T7273] R13: dffffc0000000000 R14: ffff8880a4cfe044 R15: ffff88809e110000
[ 50.822343][ T7273] ? vprintk_emit+0x2e6/0x3b0
[ 50.827019][ T7273] sk_alloc+0x8a6/0x990
[ 50.831160][ T7273] __netlink_create+0x6a/0x270
[ 50.835905][ T7273] netlink_create+0x370/0x4d0
[ 50.840562][ T7273] ? rtnetlink_rcv+0x20/0x20
[ 50.845828][ T7273] __sock_create+0x5c9/0x8d0
[ 50.850404][ T7273] __sys_socket+0xde/0x2d0
[ 50.854820][ T7273] __x64_sys_socket+0x76/0x80
[ 50.859481][ T7273] do_syscall_64+0xf3/0x1b0
[ 50.863967][ T7273] entry_SYSCALL_64_after_hwframe+0x49/0xb3
[ 50.869842][ T7273] RIP: 0033:0x45c849
[ 50.873720][ T7273] Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 50.893306][ T7273] RSP: 002b:00007efd85580c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000029
[ 50.901698][ T7273] RAX: ffffffffffffffda RBX: 00007efd855816d4 RCX: 000000000045c849
[ 50.909658][ T7273] RDX: 0000000000000000 RSI: 0000000000000003 RDI: 0000000000000010
[ 50.917625][ T7273] RBP: 000000000076bf00 R08: 0000000000000000 R09: 0000000000000000
[ 50.925579][ T7273] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
[ 50.933547][ T7273] R13: 0000000000000b8e R14: 00000000004cdbf4 R15: 000000000076bf0c
[ 50.942943][ T7273] Kernel Offset: disabled
[ 50.947374][ T7273] Rebooting in 86400 seconds..