[ OK ] Started Getty on tty1.
[ OK ] Started Getty on tty5.
[ OK ] Started Getty on tty4.
[ OK ] Started Getty on tty3.
[ OK ] Started Getty on tty2.
[ OK ] Reached target Login Prompts.
[ OK ] Reached target Multi-User System.
[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
[ OK ] Started Update UTMP about System Runlevel Changes.
Debian GNU/Linux 9 syzkaller ttyS0
Warning: Permanently added '10.128.0.189' (ECDSA) to the list of known hosts.
executing program
executing program
executing program
executing program
syzkaller login: [ 72.517466][ T6653] netlink: 12 bytes leftover after parsing attributes in process `syz-executor381'.
[ 72.535480][ T6649] netlink: 12 bytes leftover after parsing attributes in process `syz-executor381'.
[ 72.558325][ T6661] netlink: 12 bytes leftover after parsing attributes in process `syz-executor381'.
[ 72.571050][ T6663] netlink: 12 bytes leftover after parsing attributes in process `syz-executor381'.
[ 72.612259][ T6688] rdma_rxe: rxe_register_device failed with error -23
[ 72.621118][ T6688] rdma_rxe: failed to add lo
[ 72.633002][ T6663] rdma_rxe: rxe_register_device failed with error -23
[ 72.638007][ T6693] rdma_rxe: rxe_register_device failed with error -23
[ 72.644179][ T6663] rdma_rxe: failed to add lo
[ 72.647865][ T6693] rdma_rxe: failed to add lo
executing program
executing program
[ 72.665176][ T6681] lo speed is unknown, defaulting to 1000
[ 72.684778][ T6709] netlink: 12 bytes leftover after parsing attributes in process `syz-executor381'.
[ 72.701947][ T6681] lo speed is unknown, defaulting to 1000
[ 72.716120][ T6711] netlink: 12 bytes leftover after parsing attributes in process `syz-executor381'.
[ 72.730014][ T6681] lo speed is unknown, defaulting to 1000
executing program
[ 72.758254][ T6726] rdma_rxe: rxe_register_device failed with error -23
[ 72.767985][ T6726] rdma_rxe: failed to add lo
[ 72.790670][ T6734] rdma_rxe: rxe_register_device failed with error -23
[ 72.801498][ T6734] rdma_rxe: failed to add lo
executing program
executing program
[ 72.803751][ T6735] netlink: 12 bytes leftover after parsing attributes in process `syz-executor381'.
[ 72.824613][ T6737] netlink: 12 bytes leftover after parsing attributes in process `syz-executor381'.
executing program
[ 72.876150][ T6751] netlink: 12 bytes leftover after parsing attributes in process `syz-executor381'.
[ 72.886063][ T6756] rdma_rxe: rxe_register_device failed with error -23
[ 72.898082][ T6756] rdma_rxe: failed to add lo
[ 72.907349][ T6762] rdma_rxe: rxe_register_device failed with error -23
[ 72.917680][ T6681] infiniband syz1: set down
[ 72.923224][ T6763] netlink: 12 bytes leftover after parsing attributes in process `syz-executor381'.
[ 72.924626][ T6681] infiniband syz1: added lo
[ 72.949243][ T6681] infiniband syz1: Couldn't open port 1
executing program
[ 72.976643][ T5] lo speed is unknown, defaulting to 1000
[ 72.999841][ T6681] RDS/IB: syz1: added
[ 73.013821][ T6681] smc: adding ib device syz1 with port count 1
[ 73.050465][ T6681] smc: ib device syz1 port 1 has pnetid
executing program
[ 73.102681][ T5] lo speed is unknown, defaulting to 1000
[ 73.114949][ T6681] lo speed is unknown, defaulting to 1000
[ 73.245237][ T6681] lo speed is unknown, defaulting to 1000
[ 73.301876][ T6681] lo speed is unknown, defaulting to 1000
[ 73.352970][ T6681] lo speed is unknown, defaulting to 1000
[ 73.406537][ T6681] lo speed is unknown, defaulting to 1000
[ 73.456048][ T6681] lo speed is unknown, defaulting to 1000
executing program
[ 73.506003][ T6767] rdma_rxe: rxe_register_device failed with error -23
[ 73.506055][ T6762] rdma_rxe: failed to add lo
[ 73.513809][ T8] ==================================================================
[ 73.525671][ T8] BUG: KASAN: use-after-free in vlan_dev_real_dev+0xf9/0x120
[ 73.533085][ T8] Read of size 4 at addr ffff888014de40c4 by task kworker/u4:0/8
[ 73.540813][ T8]
[ 73.543144][ T8] CPU: 1 PID: 8 Comm: kworker/u4:0 Not tainted 5.15.0-rc4-syzkaller #0
executing program
[ 73.551395][ T8] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 73.561465][ T8] Workqueue: gid-cache-wq netdevice_event_work_handler
[ 73.568339][ T8] Call Trace:
[ 73.571631][ T8] dump_stack_lvl+0xcd/0x134
[ 73.576250][ T8] print_address_description.constprop.0.cold+0x6c/0x309
[ 73.583311][ T8] ? vlan_dev_real_dev+0xf9/0x120
[ 73.588360][ T8] ? vlan_dev_real_dev+0xf9/0x120
[ 73.593408][ T8] kasan_report.cold+0x83/0xdf
[ 73.598310][ T8] ? spin_bug+0xb0/0x100
[ 73.602661][ T8] ? vlan_dev_real_dev+0xf9/0x120
[ 73.607680][ T8] vlan_dev_real_dev+0xf9/0x120
[ 73.612532][ T8] is_eth_port_of_netdev_filter.part.0+0xb1/0x2c0
[ 73.618976][ T8] is_eth_port_of_netdev_filter+0x28/0x40
[ 73.624758][ T8] ib_enum_roce_netdev+0x177/0x2f0
[ 73.626819][ T6825] rdma_rxe: already configured on lo
[ 73.629966][ T8] ? is_eth_port_of_netdev_filter.part.0+0x2c0/0x2c0
[ 73.630001][ T8] ? enum_all_gids_of_dev_cb+0x2d0/0x2d0
[ 73.630037][ T8] ? enum_all_gids_of_dev_cb+0x2d0/0x2d0
[ 73.630063][ T8] ? is_eth_port_of_netdev_filter.part.0+0x2c0/0x2c0
[ 73.659991][ T8] ib_enum_all_roce_netdevs+0xbd/0x130
[ 73.665494][ T8] ? ib_enum_roce_netdev+0x2f0/0x2f0
[ 73.670804][ T8] ? lock_downgrade+0x6e0/0x6e0
[ 73.675662][ T8] ? enum_all_gids_of_dev_cb+0x2d0/0x2d0
[ 73.681315][ T8] netdevice_event_work_handler+0x9c/0x230
[ 73.687148][ T8] process_one_work+0x9bf/0x16b0
[ 73.692123][ T8] ? pwq_dec_nr_in_flight+0x2a0/0x2a0
[ 73.697519][ T8] ? rwlock_bug.part.0+0x90/0x90
[ 73.702458][ T8] ? _raw_spin_lock_irq+0x41/0x50
[ 73.707510][ T8] worker_thread+0x658/0x11f0
[ 73.712191][ T8] ? process_one_work+0x16b0/0x16b0
[ 73.717404][ T8] kthread+0x3e5/0x4d0
[ 73.721477][ T8] ? set_kthread_struct+0x130/0x130
[ 73.726694][ T8] ret_from_fork+0x1f/0x30
[ 73.731116][ T8]
[ 73.733425][ T8] Allocated by task 6763:
[ 73.737736][ T8] kasan_save_stack+0x1b/0x40
[ 73.742504][ T8] __kasan_kmalloc+0xa4/0xd0
[ 73.747108][ T8] kvmalloc_node+0x61/0x120
[ 73.751711][ T8] alloc_netdev_mqs+0x98/0xe80
[ 73.756469][ T8] rtnl_create_link+0x95a/0xb80
[ 73.761337][ T8] __rtnl_newlink+0xf73/0x1750
[ 73.766109][ T8] rtnl_newlink+0x64/0xa0
[ 73.770478][ T8] rtnetlink_rcv_msg+0x413/0xb80
[ 73.775415][ T8] netlink_rcv_skb+0x153/0x420
[ 73.780193][ T8] netlink_unicast+0x533/0x7d0
[ 73.785017][ T8] netlink_sendmsg+0x86d/0xda0
[ 73.789825][ T8] sock_sendmsg+0xcf/0x120
[ 73.794329][ T8] ____sys_sendmsg+0x6e8/0x810
[ 73.799091][ T8] ___sys_sendmsg+0xf3/0x170
[ 73.803732][ T8] __sys_sendmsg+0xe5/0x1b0
[ 73.808255][ T8] do_syscall_64+0x35/0xb0
[ 73.812691][ T8] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 73.818605][ T8]
[ 73.820920][ T8] Freed by task 6759:
[ 73.824889][ T8] kasan_save_stack+0x1b/0x40
[ 73.829589][ T8] kasan_set_track+0x1c/0x30
[ 73.834240][ T8] kasan_set_free_info+0x20/0x30
[ 73.839351][ T8] __kasan_slab_free+0xff/0x130
[ 73.844487][ T8] slab_free_freelist_hook+0x81/0x190
[ 73.850054][ T8] kfree+0xe4/0x530
[ 73.853882][ T8] kvfree+0x42/0x50
[ 73.857680][ T8] device_release+0x9f/0x240
[ 73.862263][ T8] kobject_put+0x1c8/0x540
[ 73.866690][ T8] put_device+0x1b/0x30
[ 73.870863][ T8] free_netdev+0x3e0/0x5b0
[ 73.875299][ T8] ppp_destroy_interface+0x2ab/0x340
[ 73.880629][ T8] ppp_release+0x1bf/0x240
[ 73.885035][ T8] __fput+0x288/0x9f0
[ 73.889012][ T8] task_work_run+0xdd/0x1a0
[ 73.893513][ T8] exit_to_user_mode_prepare+0x27e/0x290
[ 73.899142][ T8] syscall_exit_to_user_mode+0x19/0x60
[ 73.904635][ T8] do_syscall_64+0x42/0xb0
[ 73.909072][ T8] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 73.914990][ T8]
[ 73.917477][ T8] The buggy address belongs to the object at ffff888014de4000
[ 73.917477][ T8] which belongs to the cache kmalloc-cg-4k of size 4096
[ 73.931923][ T8] The buggy address is located 196 bytes inside of
[ 73.931923][ T8] 4096-byte region [ffff888014de4000, ffff888014de5000)
[ 73.945292][ T8] The buggy address belongs to the page:
[ 73.950933][ T8] page:ffffea0000537800 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x14de0
[ 73.961079][ T8] head:ffffea0000537800 order:3 compound_mapcount:0 compound_pincount:0
[ 73.969403][ T8] flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff)
[ 73.977400][ T8] raw: 00fff00000010200 ffffea0001e2ca00 0000000300000003 ffff888010c4c280
[ 73.985993][ T8] raw: 0000000000000000 0000000000040004 00000001ffffffff 0000000000000000
[ 73.994564][ T8] page dumped because: kasan: bad access detected
[ 74.000985][ T8] page_owner tracks the page as allocated
[ 74.006708][ T8] page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 2961, ts 18470528775, free_ts 18467429204
[ 74.026180][ T8] get_page_from_freelist+0xa72/0x2f80
[ 74.031672][ T8] __alloc_pages+0x1b2/0x500
[ 74.036447][ T8] alloc_pages+0x1a7/0x300
[ 74.041004][ T8] new_slab+0x319/0x490
[ 74.045284][ T8] ___slab_alloc+0x921/0xfe0
[ 74.050058][ T8] __slab_alloc.constprop.0+0x4d/0xa0
[ 74.055563][ T8] __kmalloc_node+0x2d2/0x370
[ 74.060254][ T8] kvmalloc_node+0x61/0x120
[ 74.064779][ T8] seq_read_iter+0x7e7/0x1240
[ 74.069570][ T8] kernfs_fop_read_iter+0x44f/0x5f0
[ 74.074840][ T8] new_sync_read+0x421/0x6e0
[ 74.079448][ T8] vfs_read+0x35c/0x600
[ 74.083604][ T8] ksys_read+0x12d/0x250
[ 74.087846][ T8] do_syscall_64+0x35/0xb0
[ 74.092275][ T8] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 74.098192][ T8] page last free stack trace:
[ 74.102851][ T8] free_pcp_prepare+0x2c5/0x780
[ 74.107698][ T8] free_unref_page+0x19/0x690
[ 74.112372][ T8] __unfreeze_partials+0x340/0x360
[ 74.117486][ T8] qlist_free_all+0x5a/0xc0
[ 74.121995][ T8] kasan_quarantine_reduce+0x180/0x200
[ 74.127456][ T8] __kasan_slab_alloc+0x95/0xb0
[ 74.132319][ T8] kmem_cache_alloc+0x209/0x390
[ 74.137170][ T8] getname_flags.part.0+0x50/0x4f0
[ 74.142305][ T8] getname_flags+0x9a/0xe0
[ 74.146710][ T8] user_path_at_empty+0x2b/0x60
[ 74.151556][ T8] vfs_statx+0x142/0x390
[ 74.155804][ T8] __do_sys_newlstat+0x91/0x110
[ 74.160652][ T8] do_syscall_64+0x35/0xb0
[ 74.165063][ T8] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 74.170955][ T8]
[ 74.173265][ T8] Memory state around the buggy address:
[ 74.178881][ T8] ffff888014de3f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 74.187207][ T8] ffff888014de4000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 74.195266][ T8] >ffff888014de4080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 74.203337][ T8] ^
[ 74.209496][ T8] ffff888014de4100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 74.217559][ T8] ffff888014de4180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 74.225610][ T8] ==================================================================
[ 74.233676][ T8] Disabling lock debugging due to kernel taint
[ 74.240652][ T8] Kernel panic - not syncing: panic_on_warn set ...
[ 74.247362][ T8] CPU: 1 PID: 8 Comm: kworker/u4:0 Tainted: G B 5.15.0-rc4-syzkaller #0
[ 74.256993][ T8] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 74.267219][ T8] Workqueue: gid-cache-wq netdevice_event_work_handler
[ 74.274071][ T8] Call Trace:
[ 74.277347][ T8] dump_stack_lvl+0xcd/0x134
[ 74.281938][ T8] panic+0x2b0/0x6dd
[ 74.285829][ T8] ? __warn_printk+0xf3/0xf3
[ 74.290416][ T8] ? preempt_schedule_common+0x59/0xc0
[ 74.295870][ T8] ? vlan_dev_real_dev+0xf9/0x120
[ 74.300913][ T8] ? preempt_schedule_thunk+0x16/0x18
[ 74.306382][ T8] ? trace_hardirqs_on+0x38/0x1c0
[ 74.311407][ T8] ? trace_hardirqs_on+0x51/0x1c0
[ 74.316432][ T8] ? vlan_dev_real_dev+0xf9/0x120
[ 74.321450][ T8] ? vlan_dev_real_dev+0xf9/0x120
[ 74.326483][ T8] end_report.cold+0x63/0x6f
[ 74.331167][ T8] kasan_report.cold+0x71/0xdf
[ 74.335939][ T8] ? spin_bug+0xb0/0x100
[ 74.340198][ T8] ? vlan_dev_real_dev+0xf9/0x120
[ 74.345218][ T8] vlan_dev_real_dev+0xf9/0x120
[ 74.350416][ T8] is_eth_port_of_netdev_filter.part.0+0xb1/0x2c0
[ 74.356919][ T8] is_eth_port_of_netdev_filter+0x28/0x40
[ 74.362637][ T8] ib_enum_roce_netdev+0x177/0x2f0
[ 74.367753][ T8] ? is_eth_port_of_netdev_filter.part.0+0x2c0/0x2c0
[ 74.374512][ T8] ? enum_all_gids_of_dev_cb+0x2d0/0x2d0
[ 74.380146][ T8] ? enum_all_gids_of_dev_cb+0x2d0/0x2d0
[ 74.385774][ T8] ? is_eth_port_of_netdev_filter.part.0+0x2c0/0x2c0
[ 74.392538][ T8] ib_enum_all_roce_netdevs+0xbd/0x130
[ 74.397996][ T8] ? ib_enum_roce_netdev+0x2f0/0x2f0
[ 74.403293][ T8] ? lock_downgrade+0x6e0/0x6e0
[ 74.408154][ T8] ? enum_all_gids_of_dev_cb+0x2d0/0x2d0
[ 74.413780][ T8] netdevice_event_work_handler+0x9c/0x230
[ 74.419583][ T8] process_one_work+0x9bf/0x16b0
[ 74.424524][ T8] ? pwq_dec_nr_in_flight+0x2a0/0x2a0
[ 74.429888][ T8] ? rwlock_bug.part.0+0x90/0x90
[ 74.434823][ T8] ? _raw_spin_lock_irq+0x41/0x50
[ 74.439851][ T8] worker_thread+0x658/0x11f0
[ 74.444958][ T8] ? process_one_work+0x16b0/0x16b0
[ 74.450149][ T8] kthread+0x3e5/0x4d0
[ 74.454216][ T8] ? set_kthread_struct+0x130/0x130
[ 74.459575][ T8] ret_from_fork+0x1f/0x30
[ 74.464287][ T8] Kernel Offset: disabled
[ 74.468598][ T8] Rebooting in 86400 seconds..