[ ok ] Starting enhanced syslogd: rsyslogd.
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[   27.250541] kauditd_printk_skb: 7 callbacks suppressed
[   27.250554] audit: type=1800 audit(1541022561.456:29): pid=5331 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="rc.local" dev="sda1" ino=2432 res=0
[   27.276420] audit: type=1800 audit(1541022561.486:30): pid=5331 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="rmnologin" dev="sda1" ino=2423 res=0

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [   35.339385] sshd (5471) used greatest stack depth: 15984 bytes left
Warning: Permanently added '10.128.0.34' (ECDSA) to the list of known hosts.
[   42.007776] IPVS: ftp: loaded support on port[0] = 21
[   42.168281] bridge0: port 1(bridge_slave_0) entered blocking state
[   42.175080] bridge0: port 1(bridge_slave_0) entered disabled state
[   42.182282] device bridge_slave_0 entered promiscuous mode
[   42.201344] bridge0: port 2(bridge_slave_1) entered blocking state
[   42.207749] bridge0: port 2(bridge_slave_1) entered disabled state
[   42.214934] device bridge_slave_1 entered promiscuous mode
[   42.232231] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[   42.249603] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[   42.297980] bond0: Enslaving bond_slave_0 as an active interface with an up link
[   42.317599] bond0: Enslaving bond_slave_1 as an active interface with an up link
[   42.392443] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[   42.399729] team0: Port device team_slave_0 added
[   42.415642] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[   42.422907] team0: Port device team_slave_1 added
[   42.439023] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[   42.458519] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[   42.477519] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[   42.495882] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
RTNETLINK answers: Operation not supported
RTNETLINK answers: No buffer space available
RTNETLINK answers: Operation not supported
[   42.635313] bridge0: port 2(bridge_slave_1) entered blocking state
[   42.641780] bridge0: port 2(bridge_slave_1) entered forwarding state
[   42.648549] bridge0: port 1(bridge_slave_0) entered blocking state
[   42.654976] bridge0: port 1(bridge_slave_0) entered forwarding state
RTNETLINK answers: Operation not supported
RTNETLINK answers: Operation not supported
RTNETLINK answers: Operation not supported
RTNETLINK answers: Invalid argument
RTNETLINK answers: Invalid argument
RTNETLINK answers: Invalid argument
[   43.156258] 8021q: adding VLAN 0 to HW filter on device bond0
[   43.207026] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[   43.258174] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
[   43.264596] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[   43.272752] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[   43.318281] 8021q: adding VLAN 0 to HW filter on device team0
executing program
[   43.596908] ==================================================================
[   43.604405] BUG: KASAN: slab-out-of-bounds in ip6_tnl_parse_tlv_enc_lim+0x5df/0x660
[   43.612198] Read of size 1 at addr ffff8801d9077787 by task syz-executor708/5488
[   43.619716]
[   43.621356] CPU: 0 PID: 5488 Comm: syz-executor708 Not tainted 4.19.0+ #135
[   43.628461] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   43.637800] Call Trace:
[   43.640392]  dump_stack+0x244/0x39d
[   43.644012]  ? dump_stack_print_info.cold.1+0x20/0x20
[   43.649184]  ? printk+0xa7/0xcf
[   43.652452]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[   43.657198]  print_address_description.cold.7+0x9/0x1ff
[   43.662549]  kasan_report.cold.8+0x242/0x309
[   43.666941]  ? ip6_tnl_parse_tlv_enc_lim+0x5df/0x660
[   43.672031]  __asan_report_load1_noabort+0x14/0x20
[   43.676966]  ip6_tnl_parse_tlv_enc_lim+0x5df/0x660
[   43.681888]  ip6_tnl_start_xmit+0x49f/0x25a0
[   43.686283]  ? ip6_tnl_xmit+0x3730/0x3730
[   43.690426]  ? mark_held_locks+0x130/0x130
[   43.694646]  ? zap_class+0x640/0x640
[   43.698342]  ? __lock_acquire+0x62f/0x4c20
[   43.702567]  ? zap_class+0x640/0x640
[   43.706264]  ? zap_class+0x640/0x640
[   43.709966]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   43.715508]  ? check_preemption_disabled+0x48/0x280
[   43.720514]  ? __lock_is_held+0xb5/0x140
[   43.724572]  dev_hard_start_xmit+0x295/0xc90
[   43.728976]  ? dev_direct_xmit+0x6b0/0x6b0
[   43.733198]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[   43.738720]  ? netif_skb_features+0x690/0xb70
[   43.743199]  ? unwind_dump+0x190/0x190
[   43.747082]  ? validate_xmit_xfrm+0x1ef/0xda0
[   43.751575]  ? validate_xmit_skb+0x80c/0xf30
[   43.755974]  ? netif_skb_features+0xb70/0xb70
[   43.760457]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   43.765982]  ? check_preemption_disabled+0x48/0x280
[   43.770998]  ? check_preemption_disabled+0x48/0x280
[   43.776009]  __dev_queue_xmit+0x2f71/0x3ad0
[   43.780316]  ? save_stack+0x43/0xd0
[   43.783925]  ? kasan_kmalloc+0xc7/0xe0
[   43.787798]  ? __kmalloc_node_track_caller+0x47/0x70
[   43.792888]  ? __kmalloc_reserve.isra.40+0x41/0xe0
[   43.797827]  ? netdev_pick_tx+0x310/0x310
[   43.801965]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   43.807487]  ? check_preemption_disabled+0x48/0x280
[   43.812500]  ? __lock_is_held+0xb5/0x140
[   43.816550]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[   43.821552]  ? skb_release_data+0x1c4/0x880
[   43.825880]  ? kmem_cache_alloc_node_trace+0x34b/0x740
[   43.831150]  ? kasan_unpoison_shadow+0x35/0x50
[   43.835716]  ? skb_tx_error+0x2f0/0x2f0
[   43.839689]  ? __kmalloc_node_track_caller+0x47/0x70
[   43.844779]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   43.850315]  ? __sanitizer_cov_trace_const_cmp2+0x18/0x20
[   43.855842]  ? kasan_check_write+0x14/0x20
[   43.860061]  ? pskb_expand_head+0x6b3/0x10f0
[   43.864462]  ? skb_release_data+0x880/0x880
[   43.868767]  ? __alloc_skb+0x770/0x770
[   43.872650]  ? kasan_check_write+0x14/0x20
[   43.876884]  ? __skb_clone+0x6c7/0xa00
[   43.880764]  ? __copy_skb_header+0x6b0/0x6b0
[   43.885155]  ? kmem_cache_alloc+0x33a/0x730
[   43.889465]  ? skb_ensure_writable+0x15e/0x640
[   43.894038]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   43.899565]  dev_queue_xmit+0x17/0x20
[   43.903353]  ? dev_queue_xmit+0x17/0x20
[   43.907337]  __bpf_redirect+0x5cf/0xb20
[   43.911301]  bpf_clone_redirect+0x2f6/0x490
[   43.915610]  bpf_prog_759a992c578a3894+0xb5d/0x1000
[   43.920611]  ? bpf_test_run+0x175/0x780
[   43.924581]  ? lock_downgrade+0x900/0x900
[   43.928730]  ? ktime_get+0x332/0x400
[   43.932434]  ? find_held_lock+0x36/0x1c0
[   43.936483]  ? lock_acquire+0x1ed/0x520
[   43.940439]  ? bpf_test_run+0x3cb/0x780
[   43.944406]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   43.949931]  ? check_preemption_disabled+0x48/0x280
[   43.954951]  ? kasan_check_read+0x11/0x20
[   43.959088]  ? rcu_dynticks_curr_cpu_in_eqs+0xa2/0x170
[   43.964352]  ? rcu_softirq_qs+0x20/0x20
[   43.968315]  ? bpf_cgroup_storage_release+0x220/0x220
[   43.973487]  ? skb_try_coalesce+0x1b70/0x1b70
[   43.977969]  ? bpf_test_run+0x25d/0x780
[   43.981939]  ? netlink_diag_dump+0x2a0/0x2a0
[   43.986332]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   43.991852]  ? bpf_test_init.isra.10+0x70/0x100
[   43.996507]  ? bpf_prog_test_run_skb+0x73c/0xcb0
[   44.001251]  ? bpf_test_finish.isra.9+0x1f0/0x1f0
[   44.006077]  ? bpf_prog_add+0x69/0xd0
[   44.009863]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   44.015395]  ? __bpf_prog_get+0x9b/0x290
[   44.019445]  ? bpf_test_finish.isra.9+0x1f0/0x1f0
[   44.024271]  ? bpf_prog_test_run+0x130/0x1a0
[   44.028669]  ? __x64_sys_bpf+0x3d8/0x520
[   44.032715]  ? bpf_prog_get+0x20/0x20
[   44.036510]  ? do_syscall_64+0x1b9/0x820
[   44.040554]  ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[   44.045904]  ? syscall_return_slowpath+0x5e0/0x5e0
[   44.050819]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   44.055648]  ? trace_hardirqs_on_caller+0x310/0x310
[   44.060661]  ? prepare_exit_to_usermode+0x3b0/0x3b0
[   44.065672]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   44.071197]  ? prepare_exit_to_usermode+0x291/0x3b0
[   44.076199]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   44.081050]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   44.086409]
[   44.088022] Allocated by task 5488:
[   44.091640]  save_stack+0x43/0xd0
[   44.095075]  kasan_kmalloc+0xc7/0xe0
[   44.098774]  __kmalloc_node_track_caller+0x47/0x70
[   44.103689]  __kmalloc_reserve.isra.40+0x41/0xe0
[   44.108432]  pskb_expand_head+0x230/0x10f0
[   44.112661]  skb_ensure_writable+0x3dd/0x640
[   44.117056]  bpf_clone_redirect+0x14a/0x490
[   44.121366]  bpf_prog_759a992c578a3894+0xb5d/0x1000
[   44.126376]
[   44.127989] Freed by task 3273:
[   44.131257]  save_stack+0x43/0xd0
[   44.134696]  __kasan_slab_free+0x102/0x150
[   44.139331]  kasan_slab_free+0xe/0x10
[   44.143115]  kfree+0xcf/0x230
[   44.146204]  skb_free_head+0x99/0xc0
[   44.149924]  skb_release_data+0x6a4/0x880
[   44.154058]  skb_release_all+0x4a/0x60
[   44.157928]  consume_skb+0x1ae/0x570
[   44.161625]  skb_free_datagram+0x1a/0xf0
[   44.165674]  unix_dgram_recvmsg+0xd6d/0x1b10
[   44.170085]  sock_recvmsg+0xd0/0x110
[   44.173791]  __sys_recvfrom+0x311/0x5d0
[   44.177753]  __x64_sys_recvfrom+0xe1/0x1a0
[   44.181991]  do_syscall_64+0x1b9/0x820
[   44.185881]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   44.191051]
[   44.192666] The buggy address belongs to the object at ffff8801d9077580
[   44.192666]  which belongs to the cache kmalloc-512 of size 512
[   44.205308] The buggy address is located 7 bytes to the right of
[   44.205308]  512-byte region [ffff8801d9077580, ffff8801d9077780)
[   44.217512] The buggy address belongs to the page:
[   44.222427] page:ffffea0007641dc0 count:1 mapcount:0 mapping:ffff8801da800940 index:0x0
[   44.230557] flags: 0x2fffc0000000100(slab)
[   44.234778] raw: 02fffc0000000100 ffffea0006f67948 ffff8801da801748 ffff8801da800940
[   44.242647] raw: 0000000000000000 ffff8801d9077080 0000000100000006 0000000000000000
[   44.250507] page dumped because: kasan: bad access detected
[   44.256197]
[   44.257803] Memory state around the buggy address:
[   44.262713]  ffff8801d9077680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   44.270055]  ffff8801d9077700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   44.277402] >ffff8801d9077780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   44.284744]                                         ^
[   44.288109]  ffff8801d9077800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   44.295465]  ffff8801d9077880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   44.302801] ==================================================================
[   44.310137] Disabling lock debugging due to kernel taint
[   44.315629] Kernel panic - not syncing: panic_on_warn set ...
[   44.315629]
[   44.323009] CPU: 0 PID: 5488 Comm: syz-executor708 Tainted: G    B             4.19.0+ #135
[   44.331490] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   44.340827] Call Trace:
[   44.343408]  dump_stack+0x244/0x39d
[   44.347022]  ? dump_stack_print_info.cold.1+0x20/0x20
[   44.352201]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   44.356941]  panic+0x238/0x4e7
[   44.360119]  ? add_taint.cold.5+0x16/0x16
[   44.364257]  ? trace_hardirqs_on+0xb4/0x310
[   44.368576]  kasan_end_report+0x47/0x4f
[   44.372544]  kasan_report.cold.8+0x76/0x309
[   44.376850]  ? ip6_tnl_parse_tlv_enc_lim+0x5df/0x660
[   44.381953]  __asan_report_load1_noabort+0x14/0x20
[   44.386866]  ip6_tnl_parse_tlv_enc_lim+0x5df/0x660
[   44.391785]  ip6_tnl_start_xmit+0x49f/0x25a0
[   44.396178]  ? ip6_tnl_xmit+0x3730/0x3730
[   44.400313]  ? mark_held_locks+0x130/0x130
[   44.404533]  ? zap_class+0x640/0x640
[   44.408226]  ? __lock_acquire+0x62f/0x4c20
[   44.412448]  ? zap_class+0x640/0x640
[   44.416142]  ? zap_class+0x640/0x640
[   44.419839]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   44.425360]  ? check_preemption_disabled+0x48/0x280
[   44.430380]  ? __lock_is_held+0xb5/0x140
[   44.434537]  dev_hard_start_xmit+0x295/0xc90
[   44.438935]  ? dev_direct_xmit+0x6b0/0x6b0
[   44.443155]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[   44.448689]  ? netif_skb_features+0x690/0xb70
[   44.453169]  ? unwind_dump+0x190/0x190
[   44.457056]  ? validate_xmit_xfrm+0x1ef/0xda0
[   44.461541]  ? validate_xmit_skb+0x80c/0xf30
[   44.465936]  ? netif_skb_features+0xb70/0xb70
[   44.470417]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   44.475940]  ? check_preemption_disabled+0x48/0x280
[   44.480939]  ? check_preemption_disabled+0x48/0x280
[   44.485942]  __dev_queue_xmit+0x2f71/0x3ad0
[   44.490248]  ? save_stack+0x43/0xd0
[   44.493857]  ? kasan_kmalloc+0xc7/0xe0
[   44.497725]  ? __kmalloc_node_track_caller+0x47/0x70
[   44.502810]  ? __kmalloc_reserve.isra.40+0x41/0xe0
[   44.507726]  ? netdev_pick_tx+0x310/0x310
[   44.511887]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   44.517411]  ? check_preemption_disabled+0x48/0x280
[   44.522418]  ? __lock_is_held+0xb5/0x140
[   44.526464]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[   44.531466]  ? skb_release_data+0x1c4/0x880
[   44.535775]  ? kmem_cache_alloc_node_trace+0x34b/0x740
[   44.541064]  ? kasan_unpoison_shadow+0x35/0x50
[   44.545635]  ? skb_tx_error+0x2f0/0x2f0
[   44.549593]  ? __kmalloc_node_track_caller+0x47/0x70
[   44.554680]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   44.560199]  ? __sanitizer_cov_trace_const_cmp2+0x18/0x20
[   44.565722]  ? kasan_check_write+0x14/0x20
[   44.569946]  ? pskb_expand_head+0x6b3/0x10f0
[   44.574358]  ? skb_release_data+0x880/0x880
[   44.578676]  ? __alloc_skb+0x770/0x770
[   44.582552]  ? kasan_check_write+0x14/0x20
[   44.586766]  ? __skb_clone+0x6c7/0xa00
[   44.590670]  ? __copy_skb_header+0x6b0/0x6b0
[   44.595066]  ? kmem_cache_alloc+0x33a/0x730
[   44.599379]  ? skb_ensure_writable+0x15e/0x640
[   44.603950]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   44.609513]  dev_queue_xmit+0x17/0x20
[   44.613310]  ? dev_queue_xmit+0x17/0x20
[   44.617283]  __bpf_redirect+0x5cf/0xb20
[   44.621261]  bpf_clone_redirect+0x2f6/0x490
[   44.625570]  bpf_prog_759a992c578a3894+0xb5d/0x1000
[   44.630585]  ? bpf_test_run+0x175/0x780
[   44.634547]  ? lock_downgrade+0x900/0x900
[   44.638678]  ? ktime_get+0x332/0x400
[   44.642403]  ? find_held_lock+0x36/0x1c0
[   44.646450]  ? lock_acquire+0x1ed/0x520
[   44.650410]  ? bpf_test_run+0x3cb/0x780
[   44.654369]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   44.659919]  ? check_preemption_disabled+0x48/0x280
[   44.664922]  ? kasan_check_read+0x11/0x20
[   44.669054]  ? rcu_dynticks_curr_cpu_in_eqs+0xa2/0x170
[   44.674316]  ? rcu_softirq_qs+0x20/0x20
[   44.678269]  ? bpf_cgroup_storage_release+0x220/0x220
[   44.683447]  ? skb_try_coalesce+0x1b70/0x1b70
[   44.687931]  ? bpf_test_run+0x25d/0x780
[   44.691890]  ? netlink_diag_dump+0x2a0/0x2a0
[   44.696286]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   44.701806]  ? bpf_test_init.isra.10+0x70/0x100
[   44.706458]  ? bpf_prog_test_run_skb+0x73c/0xcb0
[   44.711215]  ? bpf_test_finish.isra.9+0x1f0/0x1f0
[   44.716040]  ? bpf_prog_add+0x69/0xd0
[   44.719821]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   44.725341]  ? __bpf_prog_get+0x9b/0x290
[   44.729394]  ? bpf_test_finish.isra.9+0x1f0/0x1f0
[   44.734235]  ? bpf_prog_test_run+0x130/0x1a0
[   44.738629]  ? __x64_sys_bpf+0x3d8/0x520
[   44.742673]  ? bpf_prog_get+0x20/0x20
[   44.746463]  ? do_syscall_64+0x1b9/0x820
[   44.750526]  ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[   44.755893]  ? syscall_return_slowpath+0x5e0/0x5e0
[   44.760811]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   44.765646]  ? trace_hardirqs_on_caller+0x310/0x310
[   44.770657]  ? prepare_exit_to_usermode+0x3b0/0x3b0
[   44.775669]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   44.781190]  ? prepare_exit_to_usermode+0x291/0x3b0
[   44.786192]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   44.791025]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   44.797211] Kernel Offset: disabled
[   44.800850] Rebooting in 86400 seconds..
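The KASAN block in the console log above is the kind of text a crash-triage pipeline has to turn into fields before a person reads it. The script below is an added example, not part of the syzkaller log or of any kernel tooling: it parses the report into the bug class, the faulting function, the access (operation, size, address, task), the first non-instrumentation frame of the crash, allocation and free stacks, and re-derives the "located 7 bytes to the right of" line from the raw addresses the report printed, which is a cheap sanity check that the object/region lines were not mangled in transit. SAMPLE_REPORT is an excerpt of the report above, and the NOISE prefix list used to skip KASAN and allocator frames is a heuristic of this example, not something the kernel defines.

```python
import re

# Excerpt of the KASAN report above (two lines keep their kernel timestamp to
# show it is tolerated), trimmed to the lines the parser uses.
SAMPLE_REPORT = """\
[   43.604405] BUG: KASAN: slab-out-of-bounds in ip6_tnl_parse_tlv_enc_lim+0x5df/0x660
[   43.612198] Read of size 1 at addr ffff8801d9077787 by task syz-executor708/5488
Call Trace:
 kasan_report.cold.8+0x242/0x309
 ? ip6_tnl_parse_tlv_enc_lim+0x5df/0x660
 __asan_report_load1_noabort+0x14/0x20
 ip6_tnl_parse_tlv_enc_lim+0x5df/0x660
 ip6_tnl_start_xmit+0x49f/0x25a0
 bpf_clone_redirect+0x2f6/0x490

Allocated by task 5488:
 save_stack+0x43/0xd0
 kasan_kmalloc+0xc7/0xe0
 __kmalloc_reserve.isra.40+0x41/0xe0
 pskb_expand_head+0x230/0x10f0
 skb_ensure_writable+0x3dd/0x640

Freed by task 3273:
 save_stack+0x43/0xd0
 __kasan_slab_free+0x102/0x150
 kfree+0xcf/0x230
 skb_free_head+0x99/0xc0
 skb_release_data+0x6a4/0x880

The buggy address belongs to the object at ffff8801d9077580
 which belongs to the cache kmalloc-512 of size 512
The buggy address is located 7 bytes to the right of
 512-byte region [ffff8801d9077580, ffff8801d9077780)
"""

TIMESTAMP_RE = re.compile(r"^\[\s*\d+\.\d+\] ?")
BUG_RE = re.compile(r"^BUG: KASAN: (?P<kind>[\w-]+) in (?P<func>[\w.]+)\+0x")
ACCESS_RE = re.compile(r"^(?P<op>Read|Write) of size (?P<size>\d+) at addr (?P<addr>[0-9a-f]+) by task (?P<task>\S+)")
STACK_HDR_RE = re.compile(r"^(?P<which>Allocated|Freed) by task (?P<pid>\d+):")
CACHE_RE = re.compile(r"^\s*which belongs to the cache (?P<cache>\S+) of size \d+")
LOCATED_RE = re.compile(r"^The buggy address is located (?P<n>\d+) bytes (?P<where>to the right of|to the left of|inside of)")
REGION_RE = re.compile(r"^\s*\d+-byte region \[(?P<start>[0-9a-f]+), (?P<end>[0-9a-f]+)\)")
FRAME_RE = re.compile(r"^\s+(?P<unreliable>\? )?(?P<sym>[\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+\s*$")
# Heuristic (this example's, not the kernel's): KASAN's own and the allocator's
# frames; the first frame after them is the site a triager wants.
NOISE = ("save_stack", "kasan_", "__kasan_", "__asan_", "dump_stack",
         "print_address_description", "kfree", "__kmalloc", "kmalloc", "kmem_cache")


def first_real_frame(stack):
    """First frame that is not KASAN/allocator plumbing; .cold/.isra suffixes dropped."""
    for sym in stack:
        base = sym.split(".")[0]
        if not base.startswith(NOISE):
            return base
    return None


def parse_kasan_report(text):
    """Return the triage-relevant fields of one KASAN report as a dict."""
    r = {"kind": "", "func": "", "op": "", "size": 0, "addr": 0, "task": "", "cache": "",
         "region_start": 0, "region_end": 0, "claimed_offset": 0, "claimed_where": "",
         "stacks": {"crash": [], "alloc": [], "free": []}}
    section = None                                  # stack list currently being filled
    for raw in text.splitlines():
        line = TIMESTAMP_RE.sub("", raw)
        m = FRAME_RE.match(line)
        if m and section is not None:
            if not m.group("unreliable"):           # "? " frames are unverified unwinder guesses
                section.append(m.group("sym"))
            continue
        section = None                              # any non-frame line ends the stack
        if line.strip() == "Call Trace:" and not r["stacks"]["crash"]:  # keep the first trace only
            section = r["stacks"]["crash"]
        elif m := STACK_HDR_RE.match(line):
            section = r["stacks"]["alloc" if m.group("which") == "Allocated" else "free"]
        elif m := BUG_RE.match(line):
            r["kind"], r["func"] = m.group("kind"), m.group("func")
        elif m := ACCESS_RE.match(line):
            r["op"], r["size"] = m.group("op"), int(m.group("size"))
            r["addr"], r["task"] = int(m.group("addr"), 16), m.group("task")
        elif m := CACHE_RE.match(line):
            r["cache"] = m.group("cache")
        elif m := LOCATED_RE.match(line):
            r["claimed_offset"], r["claimed_where"] = int(m.group("n")), m.group("where")
        elif m := REGION_RE.match(line):
            r["region_start"], r["region_end"] = int(m.group("start"), 16), int(m.group("end"), 16)
    return r


def claim_is_consistent(r):
    """Recompute KASAN's 'located N bytes ...' line from the raw addresses it printed."""
    addr, start, end = r["addr"], r["region_start"], r["region_end"]
    expected = {"to the right of": addr - end, "to the left of": start - addr,
                "inside of": addr - start}
    return expected.get(r["claimed_where"]) == r["claimed_offset"]


def triage_summary(r):
    return {
        "bug": f"{r['kind']} {r['op'].lower()} of {r['size']} byte(s) in {r['func']}",
        "bytes_past_end": r["addr"] - r["region_end"],   # 0 would be the first byte past the object
        "cache": r["cache"],
        "crash_site": first_real_frame(r["stacks"]["crash"]),
        "alloc_site": first_real_frame(r["stacks"]["alloc"]),
        "free_site": first_real_frame(r["stacks"]["free"]),
        "report_consistent": claim_is_consistent(r),
    }


if __name__ == "__main__":
    print(triage_summary(parse_kasan_report(SAMPLE_REPORT)))
```

Run against the excerpt, the summary names ip6_tnl_parse_tlv_enc_lim as the crash site, pskb_expand_head as the allocation site and skb_free_head as the free site, and confirms that 0xffff8801d9077787 is 7 bytes past the end of the 512-byte region starting at 0xffff8801d9077580. The parser keeps only the first "Call Trace:" block, so the second trace that panic_on_warn prints does not overwrite the one from the report.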