[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
[ OK ] Started Update UTMP about System Runlevel Changes.
Starting Load/Save RF Kill Switch Status...
[ OK ] Started Load/Save RF Kill Switch Status.
Debian GNU/Linux 9 syzkaller ttyS0
Warning: Permanently added '10.128.15.196' (ECDSA) to the list of known hosts.
syzkaller login: [ 35.806153] IPVS: ftp: loaded support on port[0] = 21
[ 35.913036] chnl_net:caif_netlink_parms(): no params data found
[ 36.032102] bridge0: port 1(bridge_slave_0) entered blocking state
[ 36.038986] bridge0: port 1(bridge_slave_0) entered disabled state
[ 36.046192] device bridge_slave_0 entered promiscuous mode
[ 36.053978] bridge0: port 2(bridge_slave_1) entered blocking state
[ 36.060649] bridge0: port 2(bridge_slave_1) entered disabled state
[ 36.067604] device bridge_slave_1 entered promiscuous mode
[ 36.084969] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 36.093856] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 36.111917] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 36.119700] team0: Port device team_slave_0 added
[ 36.125801] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 36.133563] team0: Port device team_slave_1 added
[ 36.148723] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 36.155289] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 36.184099] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[ 36.195645] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 36.202394] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 36.227807] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[ 36.239533] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[ 36.246915] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[ 36.266224] device hsr_slave_0 entered promiscuous mode
[ 36.272031] device hsr_slave_1 entered promiscuous mode
[ 36.278258] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready
[ 36.285381] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_1: link is not ready
[ 36.349439] bridge0: port 2(bridge_slave_1) entered blocking state
[ 36.356319] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 36.363285] bridge0: port 1(bridge_slave_0) entered blocking state
[ 36.369824] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 36.400881] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[ 36.406975] 8021q: adding VLAN 0 to HW filter on device bond0
[ 36.416771] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 36.425846] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 36.435072] bridge0: port 1(bridge_slave_0) entered disabled state
[ 36.442980] bridge0: port 2(bridge_slave_1) entered disabled state
[ 36.450280] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 36.460460] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready
[ 36.466534] 8021q: adding VLAN 0 to HW filter on device team0
[ 36.476396] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 36.484227] bridge0: port 1(bridge_slave_0) entered blocking state
[ 36.490641] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 36.501468] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 36.509240] bridge0: port 2(bridge_slave_1) entered blocking state
[ 36.515572] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 36.537415] hsr0: Slave A (hsr_slave_0) is not up; please bring it up to get a fully working HSR network
[ 36.548748] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
[ 36.559967] IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready
[ 36.567381] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 36.575846] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 36.584267] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 36.592727] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 36.600742] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 36.607750] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 36.622208] IPv6: ADDRCONF(NETDEV_UP): vxcan0: link is not ready
[ 36.629629] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 36.636277] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 36.646668] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 36.660380] IPv6: ADDRCONF(NETDEV_UP): veth0_virt_wifi: link is not ready
[ 36.670638] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 36.704745] IPv6: ADDRCONF(NETDEV_UP): veth0_vlan: link is not ready
[ 36.712492] IPv6: ADDRCONF(NETDEV_UP): vlan0: link is not ready
[ 36.720347] IPv6: ADDRCONF(NETDEV_UP): vlan1: link is not ready
[ 36.731864] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 36.739831] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 36.747065] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 36.756502] device veth0_vlan entered promiscuous mode
[ 36.766216] device veth1_vlan entered promiscuous mode
[ 36.772205] IPv6: ADDRCONF(NETDEV_UP): macvlan0: link is not ready
[ 36.781597] IPv6: ADDRCONF(NETDEV_UP): macvlan1: link is not ready
[ 36.793344] IPv6: ADDRCONF(NETDEV_UP): veth0_macvtap: link is not ready
[ 36.802932] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan0: link becomes ready
[ 36.810558] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan1: link becomes ready
[ 36.818535] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 36.828600] device veth0_macvtap entered promiscuous mode
[ 36.834704] IPv6: ADDRCONF(NETDEV_UP): macvtap0: link is not ready
[ 36.843499] device veth1_macvtap entered promiscuous mode
[ 36.853635] IPv6: ADDRCONF(NETDEV_UP): veth0_to_batadv: link is not ready
[ 36.863042] IPv6: ADDRCONF(NETDEV_UP): veth1_to_batadv: link is not ready
[ 36.873872] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 36.881875] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 36.890305] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready
[ 36.901936] IPv6: ADDRCONF(NETDEV_UP): batadv_slave_1: link is not ready
[ 36.908930] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 36.915516] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready
[ 36.930755] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 37.049187] IPv6: ADDRCONF(NETDEV_UP): wlan0: link is not ready
[ 37.056300] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[ 37.068300] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50
[ 37.076388] IPv6: ADDRCONF(NETDEV_CHANGE): wlan0: link becomes ready
executing program
[ 37.102942] IPv6: ADDRCONF(NETDEV_UP): wlan1: link is not ready
[ 37.109579] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[ 37.116696] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50
[ 37.123965] IPv6: ADDRCONF(NETDEV_CHANGE): wlan1: link becomes ready
[ 37.143225] netlink: 20 bytes leftover after parsing attributes in process `syz-executor132'.
[ 37.198020] ==================================================================
[ 37.205505] BUG: KASAN: slab-out-of-bounds in netif_napi_del+0x301/0x380
[ 37.212337] Read of size 8 at addr ffff888095a60798 by task syz-executor132/8371
[ 37.219851]
[ 37.221485] CPU: 0 PID: 8371 Comm: syz-executor132 Not tainted 4.19.211-syzkaller #0
[ 37.229385] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 37.238829] Call Trace:
[ 37.241406] dump_stack+0x1fc/0x2ef
[ 37.245021] print_address_description.cold+0x54/0x219
[ 37.250292] kasan_report_error.cold+0x8a/0x1b9
[ 37.254960] ? netif_napi_del+0x301/0x380
[ 37.259109] __asan_report_load8_noabort+0x88/0x90
[ 37.264035] ? netif_napi_del+0x301/0x380
[ 37.268176] netif_napi_del+0x301/0x380
[ 37.272137] free_netdev+0x21f/0x410
[ 37.275907] netdev_run_todo+0x89b/0xab0
[ 37.279955] ? default_device_exit_batch+0x3c0/0x3c0
[ 37.285044] ? rtnl_newlink+0x15c0/0x15c0
[ 37.289183] rtnetlink_rcv_msg+0x460/0xb80
[ 37.293428] ? rtnl_calcit.isra.0+0x430/0x430
[ 37.299558] ? memcpy+0x35/0x50
[ 37.302819] ? netdev_pick_tx+0x2f0/0x2f0
[ 37.306959] ? __copy_skb_header+0x414/0x500
[ 37.307095] syz-executor132 (8125) used greatest stack depth: 23736 bytes left
[ 37.311363] ? kfree_skbmem+0x140/0x140
[ 37.322694] netlink_rcv_skb+0x160/0x440
[ 37.326761] ? rtnl_calcit.isra.0+0x430/0x430
[ 37.331267] ? netlink_ack+0xae0/0xae0
[ 37.335174] netlink_unicast+0x4d5/0x690
[ 37.339238] ? netlink_sendskb+0x110/0x110
[ 37.343470] ? _copy_from_iter_full+0x229/0x7c0
[ 37.348961] ? __phys_addr_symbol+0x2c/0x70
[ 37.353651] ? __check_object_size+0x17b/0x3e0
[ 37.358823] netlink_sendmsg+0x6c3/0xc50
[ 37.363235] ? aa_af_perm+0x230/0x230
[ 37.367363] ? nlmsg_notify+0x1f0/0x1f0
[ 37.371536] ? kernel_recvmsg+0x220/0x220
[ 37.375849] ? nlmsg_notify+0x1f0/0x1f0
[ 37.380042] sock_sendmsg+0xc3/0x120
[ 37.383943] ___sys_sendmsg+0x7bb/0x8e0
[ 37.387924] ? copy_msghdr_from_user+0x440/0x440
[ 37.392668] ? __fget+0x32f/0x510
[ 37.396117] ? lock_downgrade+0x720/0x720
[ 37.400256] ? check_preemption_disabled+0x41/0x280
[ 37.405258] ? check_preemption_disabled+0x41/0x280
[ 37.410259] ? __fget+0x356/0x510
[ 37.413697] ? do_dup2+0x450/0x450
[ 37.417221] ? lock_downgrade+0x720/0x720
[ 37.421350] ? check_preemption_disabled+0x41/0x280
[ 37.426364] ? __fdget+0x1d0/0x230
[ 37.429891] __x64_sys_sendmsg+0x132/0x220
[ 37.434124] ? __sys_sendmsg+0x1b0/0x1b0
[ 37.438166] ? __se_sys_futex+0x298/0x3b0
[ 37.442301] ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[ 37.447650] ? trace_hardirqs_off_caller+0x6e/0x210
[ 37.452648] ? do_syscall_64+0x21/0x620
[ 37.456604] do_syscall_64+0xf9/0x620
[ 37.460392] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 37.465563] RIP: 0033:0x7f1b23a0d499
[ 37.469260] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 91 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
[ 37.488578] RSP: 002b:00007f1b239b3308 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 37.496287] RAX: ffffffffffffffda RBX: 00007f1b23a8e4c8 RCX: 00007f1b23a0d499
[ 37.503542] RDX: 0000000000000000 RSI: 0000000020000180 RDI: 0000000000000004
[ 37.510799] RBP: 00007f1b23a8e4c0 R08: 0000000000000000 R09: 0000000000000000
[ 37.518137] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f1b23a8e4cc
[ 37.525415] R13: 00007f1b23a5b7f8 R14: 74656e2f7665642f R15: 0000000000022000
[ 37.532687]
[ 37.534296] Allocated by task 8376:
[ 37.537905] __kmalloc_node+0x4c/0x70
[ 37.541693] kvmalloc_node+0xb4/0xf0
[ 37.545387] alloc_netdev_mqs+0x97/0xd50
[ 37.549429] __tun_chr_ioctl.isra.0+0x2184/0x3d00
[ 37.554250] do_vfs_ioctl+0xcdb/0x12e0
[ 37.558118] ksys_ioctl+0x9b/0xc0
[ 37.561550] __x64_sys_ioctl+0x6f/0xb0
[ 37.565417] do_syscall_64+0xf9/0x620
[ 37.569202] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 37.574365]
[ 37.575971] Freed by task 0:
[ 37.578999] (stack is not available)
[ 37.583032]
[ 37.584640] The buggy address belongs to the object at ffff888095a60840
[ 37.584640] which belongs to the cache kmalloc-16384 of size 16384
[ 37.597622] The buggy address is located 168 bytes to the left of
[ 37.597622] 16384-byte region [ffff888095a60840, ffff888095a64840)
[ 37.610092] The buggy address belongs to the page:
[ 37.615024] page:ffffea0002569800 count:1 mapcount:0 mapping:ffff88813bff2200 index:0x0 compound_mapcount: 0
[ 37.625090] flags: 0xfff00000008100(slab|head)
[ 37.629702] raw: 00fff00000008100 ffffea0002509208 ffff88813bff1c48 ffff88813bff2200
[ 37.638312] raw: 0000000000000000 ffff888095a60840 0000000100000001 0000000000000000
[ 37.647425] page dumped because: kasan: bad access detected
[ 37.653499]
[ 37.655215] Memory state around the buggy address:
[ 37.660513] ffff888095a60680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 37.667862] ffff888095a60700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 37.675208] >ffff888095a60780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 37.682545] ^
[ 37.686692] ffff888095a60800: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
[ 37.694045] ffff888095a60880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 37.701378] ==================================================================
[ 37.708811] Disabling lock debugging due to kernel taint
[ 37.718251] Kernel panic - not syncing: panic_on_warn set ...
[ 37.718251]
[ 37.727557] CPU: 0 PID: 8371 Comm: syz-executor132 Tainted: G B 4.19.211-syzkaller #0
[ 37.736822] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 37.746171] Call Trace:
[ 37.748756] dump_stack+0x1fc/0x2ef
[ 37.752369] panic+0x26a/0x50e
[ 37.755555] ? __warn_printk+0xf3/0xf3
[ 37.759424] ? preempt_schedule_common+0x45/0xc0
[ 37.764249] ? ___preempt_schedule+0x16/0x18
[ 37.768641] ? trace_hardirqs_on+0x55/0x210
[ 37.773072] kasan_end_report+0x43/0x49
[ 37.777063] kasan_report_error.cold+0xa7/0x1b9
[ 37.781716] ? netif_napi_del+0x301/0x380
[ 37.785863] __asan_report_load8_noabort+0x88/0x90
[ 37.790808] ? netif_napi_del+0x301/0x380
[ 37.794934] netif_napi_del+0x301/0x380
[ 37.798902] free_netdev+0x21f/0x410
[ 37.802608] netdev_run_todo+0x89b/0xab0
[ 37.806662] ? default_device_exit_batch+0x3c0/0x3c0
[ 37.811756] ? rtnl_newlink+0x15c0/0x15c0
[ 37.815936] rtnetlink_rcv_msg+0x460/0xb80
[ 37.820284] ? rtnl_calcit.isra.0+0x430/0x430
[ 37.825595] ? memcpy+0x35/0x50
[ 37.830883] ? netdev_pick_tx+0x2f0/0x2f0
[ 37.836738] ? __copy_skb_header+0x414/0x500
[ 37.841568] ? kfree_skbmem+0x140/0x140
[ 37.846597] netlink_rcv_skb+0x160/0x440
[ 37.851498] ? rtnl_calcit.isra.0+0x430/0x430
[ 37.856071] ? netlink_ack+0xae0/0xae0
[ 37.859945] netlink_unicast+0x4d5/0x690
[ 37.863986] ? netlink_sendskb+0x110/0x110
[ 37.868199] ? _copy_from_iter_full+0x229/0x7c0
[ 37.872860] ? __phys_addr_symbol+0x2c/0x70
[ 37.877161] ? __check_object_size+0x17b/0x3e0
[ 37.881722] netlink_sendmsg+0x6c3/0xc50
[ 37.885765] ? aa_af_perm+0x230/0x230
[ 37.889558] ? nlmsg_notify+0x1f0/0x1f0
[ 37.893533] ? kernel_recvmsg+0x220/0x220
[ 37.897667] ? nlmsg_notify+0x1f0/0x1f0
[ 37.901649] sock_sendmsg+0xc3/0x120
[ 37.905358] ___sys_sendmsg+0x7bb/0x8e0
[ 37.909324] ? copy_msghdr_from_user+0x440/0x440
[ 37.914069] ? __fget+0x32f/0x510
[ 37.917508] ? lock_downgrade+0x720/0x720
[ 37.921635] ? check_preemption_disabled+0x41/0x280
[ 37.926640] ? check_preemption_disabled+0x41/0x280
[ 37.931633] ? __fget+0x356/0x510
[ 37.935063] ? do_dup2+0x450/0x450
[ 37.938579] ? lock_downgrade+0x720/0x720
[ 37.942713] ? check_preemption_disabled+0x41/0x280
[ 37.947895] ? __fdget+0x1d0/0x230
[ 37.951414] __x64_sys_sendmsg+0x132/0x220
[ 37.955624] ? __sys_sendmsg+0x1b0/0x1b0
[ 37.959751] ? __se_sys_futex+0x298/0x3b0
[ 37.963893] ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[ 37.969237] ? trace_hardirqs_off_caller+0x6e/0x210
[ 37.974230] ? do_syscall_64+0x21/0x620
[ 37.978183] do_syscall_64+0xf9/0x620
[ 37.981968] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 37.987153] RIP: 0033:0x7f1b23a0d499
[ 37.990850] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 91 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
[ 38.009725] RSP: 002b:00007f1b239b3308 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 38.017408] RAX: ffffffffffffffda RBX: 00007f1b23a8e4c8 RCX: 00007f1b23a0d499
[ 38.024664] RDX: 0000000000000000 RSI: 0000000020000180 RDI: 0000000000000004
[ 38.031911] RBP: 00007f1b23a8e4c0 R08: 0000000000000000 R09: 0000000000000000
[ 38.039170] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f1b23a8e4cc
[ 38.046421] R13: 00007f1b23a5b7f8 R14: 74656e2f7665642f R15: 0000000000022000
[ 38.053760] Kernel Offset: disabled
[ 38.057373] Rebooting in 86400 seconds..