[ 81.125565][ T27] audit: type=1800 audit(1578370702.115:26): pid=9609 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ 82.143464][ T27] kauditd_printk_skb: 2 callbacks suppressed
[ 82.143476][ T27] audit: type=1800 audit(1578370703.155:29): pid=9609 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="rc.local" dev="sda1" ino=2432 res=0
[ 82.170434][ T27] audit: type=1800 audit(1578370703.165:30): pid=9609 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="rmnologin" dev="sda1" ino=2423 res=0
Debian GNU/Linux 7 syzkaller ttyS0
Warning: Permanently added '10.128.10.57' (ECDSA) to the list of known hosts.
syzkaller login: [ 90.665184][ T9764] IPVS: ftp: loaded support on port[0] = 21
[ 90.727489][ T9764] chnl_net:caif_netlink_parms(): no params data found
[ 90.759862][ T9764] bridge0: port 1(bridge_slave_0) entered blocking state
[ 90.767895][ T9764] bridge0: port 1(bridge_slave_0) entered disabled state
[ 90.776658][ T9764] device bridge_slave_0 entered promiscuous mode
[ 90.785942][ T9764] bridge0: port 2(bridge_slave_1) entered blocking state
[ 90.793134][ T9764] bridge0: port 2(bridge_slave_1) entered disabled state
[ 90.801676][ T9764] device bridge_slave_1 entered promiscuous mode
[ 90.821069][ T9764] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 90.832345][ T9764] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 90.854710][ T9764] team0: Port device team_slave_0 added
[ 90.863963][ T9764] team0: Port device team_slave_1 added
[ 90.938151][ T9764] device hsr_slave_0 entered promiscuous mode
[ 91.005852][ T9764] device hsr_slave_1 entered promiscuous mode
[ 91.112910][ T9764] netdevsim netdevsim0 netdevsim0: renamed from eth0
[ 91.178901][ T9764] netdevsim netdevsim0 netdevsim1: renamed from eth1
[ 91.238075][ T9764] netdevsim netdevsim0 netdevsim2: renamed from eth2
[ 91.298191][ T9764] netdevsim netdevsim0 netdevsim3: renamed from eth3
[ 91.347534][ T9764] bridge0: port 2(bridge_slave_1) entered blocking state
[ 91.354700][ T9764] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 91.362644][ T9764] bridge0: port 1(bridge_slave_0) entered blocking state
[ 91.369729][ T9764] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 91.414278][ T9764] 8021q: adding VLAN 0 to HW filter on device bond0
[ 91.428233][ T2710] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 91.440400][ T2710] bridge0: port 1(bridge_slave_0) entered disabled state
[ 91.448575][ T2710] bridge0: port 2(bridge_slave_1) entered disabled state
[ 91.457128][ T2710] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 91.470987][ T9764] 8021q: adding VLAN 0 to HW filter on device team0
[ 91.481598][ T2770] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 91.491441][ T2770] bridge0: port 1(bridge_slave_0) entered blocking state
[ 91.498560][ T2770] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 91.510827][ T2710] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 91.519686][ T2710] bridge0: port 2(bridge_slave_1) entered blocking state
[ 91.526786][ T2710] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 91.549333][ T2880] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 91.558989][ T2880] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 91.577431][ T2880] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 91.588921][ T2770] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 91.602027][ T9764] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
[ 91.614193][ T9764] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 91.623269][ T2880] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 91.642184][ T2770] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 91.649955][ T2770] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 91.662715][ T9764] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 91.682634][ T2880] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 91.702543][ T2770] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 91.711470][ T2770] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 91.719404][ T2770] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
executing program
[ 91.730183][ T9764] device veth0_vlan entered promiscuous mode
[ 91.741913][ T9764] device veth1_vlan entered promiscuous mode
[ 91.816354][ T9764] ==================================================================
[ 91.824729][ T9764] BUG: KASAN: slab-out-of-bounds in macvlan_broadcast+0x547/0x620
[ 91.832536][ T9764] Read of size 4 at addr ffff888097dfd001 by task syz-executor791/9764
[ 91.840800][ T9764]
[ 91.843124][ T9764] CPU: 0 PID: 9764 Comm: syz-executor791 Not tainted 5.5.0-rc5-syzkaller #0
[ 91.851777][ T9764] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 91.861824][ T9764] Call Trace:
[ 91.865114][ T9764] dump_stack+0x197/0x210
[ 91.869436][ T9764] ? macvlan_broadcast+0x547/0x620
[ 91.874552][ T9764] print_address_description.constprop.0.cold+0xd4/0x30b
[ 91.881577][ T9764] ? macvlan_broadcast+0x547/0x620
[ 91.886682][ T9764] ? macvlan_broadcast+0x547/0x620
[ 91.891775][ T9764] __kasan_report.cold+0x1b/0x41
[ 91.896695][ T9764] ? validate_xmit_xfrm+0x3d0/0xf10
[ 91.901875][ T9764] ? macvlan_broadcast+0x547/0x620
[ 91.906974][ T9764] kasan_report+0x12/0x20
[ 91.911300][ T9764] __asan_report_load_n_noabort+0xf/0x20
[ 91.916912][ T9764] macvlan_broadcast+0x547/0x620
[ 91.921848][ T9764] ? validate_xmit_skb+0x81f/0xe50
[ 91.926946][ T9764] macvlan_start_xmit+0x402/0x77f
[ 91.931968][ T9764] dev_direct_xmit+0x419/0x630
[ 91.936720][ T9764] ? __check_heap_object+0x51/0xb3
[ 91.941822][ T9764] ? validate_xmit_skb_list+0x150/0x150
[ 91.947366][ T9764] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 91.954563][ T9764] ? netdev_pick_tx+0x14e/0xb00
[ 91.959407][ T9764] packet_direct_xmit+0x1a9/0x250
[ 91.964415][ T9764] packet_sendmsg+0x260d/0x6220
[ 91.969249][ T9764] ? ___might_sleep+0x163/0x2c0
[ 91.974095][ T9764] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 91.980320][ T9764] ? aa_label_sk_perm+0x91/0xf0
[ 91.985164][ T9764] ? packet_notifier+0x880/0x880
[ 91.990085][ T9764] ? aa_sock_msg_perm.isra.0+0xba/0x170
[ 91.995632][ T9764] ? apparmor_socket_sendmsg+0x2a/0x30
[ 92.001071][ T9764] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 92.007315][ T9764] ? security_socket_sendmsg+0x8d/0xc0
[ 92.012820][ T9764] ? packet_notifier+0x880/0x880
[ 92.017761][ T9764] sock_sendmsg+0xd7/0x130
[ 92.022167][ T9764] __sys_sendto+0x262/0x380
[ 92.026671][ T9764] ? __ia32_sys_getpeername+0xb0/0xb0
[ 92.032051][ T9764] ? __ia32_sys_socketpair+0xf0/0xf0
[ 92.037358][ T9764] ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 92.043772][ T9764] ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 92.049215][ T9764] ? do_syscall_64+0x26/0x790
[ 92.053874][ T9764] ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 92.059938][ T9764] __x64_sys_sendto+0xe1/0x1a0
[ 92.064696][ T9764] do_syscall_64+0xfa/0x790
[ 92.069185][ T9764] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 92.075057][ T9764] RIP: 0033:0x442599
[ 92.078943][ T9764] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 5b 10 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 92.098541][ T9764] RSP: 002b:00007fff542591b8 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
[ 92.106951][ T9764] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000442599
[ 92.114913][ T9764] RDX: 000000000000000e RSI: 0000000020000080 RDI: 0000000000000003
[ 92.122870][ T9764] RBP: 0000000000000004 R08: 0000000000000000 R09: 0000000000000000
[ 92.130832][ T9764] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[ 92.138784][ T9764] R13: 0000000000403b10 R14: 0000000000000000 R15: 0000000000000000
[ 92.146761][ T9764]
[ 92.149071][ T9764] Allocated by task 9764:
[ 92.153391][ T9764] save_stack+0x23/0x90
[ 92.158223][ T9764] __kasan_kmalloc.constprop.0+0xcf/0xe0
[ 92.163834][ T9764] kasan_kmalloc+0x9/0x10
[ 92.168156][ T9764] kmem_cache_alloc_trace+0x158/0x790
[ 92.173529][ T9764] kobject_uevent_env+0x387/0x10a6
[ 92.178635][ T9764] kobject_uevent+0x20/0x26
[ 92.183120][ T9764] net_rx_queue_update_kobjects+0xe5/0x440
[ 92.188927][ T9764] netdev_register_kobject+0x278/0x3b0
[ 92.194367][ T9764] register_netdevice+0x4f4/0x1020
[ 92.199470][ T9764] bond_newlink+0x4b/0x90
[ 92.203782][ T9764] __rtnl_newlink+0x109e/0x1790
[ 92.208687][ T9764] rtnl_newlink+0x69/0xa0
[ 92.213022][ T9764] rtnetlink_rcv_msg+0x45e/0xaf0
[ 92.218129][ T9764] netlink_rcv_skb+0x177/0x450
[ 92.222876][ T9764] rtnetlink_rcv+0x1d/0x30
[ 92.227318][ T9764] netlink_unicast+0x58c/0x7d0
[ 92.232064][ T9764] netlink_sendmsg+0x91c/0xea0
[ 92.236899][ T9764] sock_sendmsg+0xd7/0x130
[ 92.241294][ T9764] __sys_sendto+0x262/0x380
[ 92.245777][ T9764] __x64_sys_sendto+0xe1/0x1a0
[ 92.250563][ T9764] do_syscall_64+0xfa/0x790
[ 92.255046][ T9764] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 92.260929][ T9764]
[ 92.263240][ T9764] Freed by task 9764:
[ 92.267297][ T9764] save_stack+0x23/0x90
[ 92.271436][ T9764] __kasan_slab_free+0x102/0x150
[ 92.277044][ T9764] kasan_slab_free+0xe/0x10
[ 92.281547][ T9764] kfree+0x10a/0x2c0
[ 92.285424][ T9764] kobject_uevent_env+0x1045/0x10a6
[ 92.290614][ T9764] kobject_uevent+0x20/0x26
[ 92.295095][ T9764] net_rx_queue_update_kobjects+0xe5/0x440
[ 92.300881][ T9764] netdev_register_kobject+0x278/0x3b0
[ 92.306320][ T9764] register_netdevice+0x4f4/0x1020
[ 92.311434][ T9764] bond_newlink+0x4b/0x90
[ 92.315752][ T9764] __rtnl_newlink+0x109e/0x1790
[ 92.320581][ T9764] rtnl_newlink+0x69/0xa0
[ 92.325195][ T9764] rtnetlink_rcv_msg+0x45e/0xaf0
[ 92.330251][ T9764] netlink_rcv_skb+0x177/0x450
[ 92.335160][ T9764] rtnetlink_rcv+0x1d/0x30
[ 92.339577][ T9764] netlink_unicast+0x58c/0x7d0
[ 92.344332][ T9764] netlink_sendmsg+0x91c/0xea0
[ 92.349111][ T9764] sock_sendmsg+0xd7/0x130
[ 92.353516][ T9764] __sys_sendto+0x262/0x380
[ 92.358049][ T9764] __x64_sys_sendto+0xe1/0x1a0
[ 92.362815][ T9764] do_syscall_64+0xfa/0x790
[ 92.367308][ T9764] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 92.373213][ T9764]
[ 92.375527][ T9764] The buggy address belongs to the object at ffff888097dfc000
[ 92.375527][ T9764] which belongs to the cache kmalloc-4k of size 4096
[ 92.389675][ T9764] The buggy address is located 1 bytes to the right of
[ 92.389675][ T9764] 4096-byte region [ffff888097dfc000, ffff888097dfd000)
[ 92.403357][ T9764] The buggy address belongs to the page:
[ 92.408972][ T9764] page:ffffea00025f7f00 refcount:1 mapcount:0 mapping:ffff8880aa402000 index:0x0 compound_mapcount: 0
[ 92.419897][ T9764] raw: 00fffe0000010200 ffffea00025ea888 ffffea00026e9188 ffff8880aa402000
[ 92.428463][ T9764] raw: 0000000000000000 ffff888097dfc000 0000000100000001 0000000000000000
[ 92.437023][ T9764] page dumped because: kasan: bad access detected
[ 92.443425][ T9764]
[ 92.445759][ T9764] Memory state around the buggy address:
[ 92.451383][ T9764]  ffff888097dfcf00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 92.459429][ T9764]  ffff888097dfcf80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 92.467490][ T9764] >ffff888097dfd000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 92.475686][ T9764]                    ^
[ 92.479924][ T9764]  ffff888097dfd080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 92.487989][ T9764]  ffff888097dfd100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 92.496038][ T9764] ==================================================================
[ 92.504075][ T9764] Disabling lock debugging due to kernel taint
[ 92.510404][ T9764] Kernel panic - not syncing: panic_on_warn set ...
[ 92.517002][ T9764] CPU: 0 PID: 9764 Comm: syz-executor791 Tainted: G B 5.5.0-rc5-syzkaller #0
[ 92.527058][ T9764] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 92.538503][ T9764] Call Trace:
[ 92.541800][ T9764] dump_stack+0x197/0x210
[ 92.546111][ T9764] panic+0x2e3/0x75c
[ 92.549997][ T9764] ? add_taint.cold+0x16/0x16
[ 92.554657][ T9764] ? trace_hardirqs_on+0x5e/0x240
[ 92.559659][ T9764] ? trace_hardirqs_on+0x5e/0x240
[ 92.564660][ T9764] ? macvlan_broadcast+0x547/0x620
[ 92.569750][ T9764] end_report+0x47/0x4f
[ 92.575009][ T9764] ? macvlan_broadcast+0x547/0x620
[ 92.580114][ T9764] __kasan_report.cold+0xe/0x41
[ 92.585064][ T9764] ? validate_xmit_xfrm+0x3d0/0xf10
[ 92.590250][ T9764] ? macvlan_broadcast+0x547/0x620
[ 92.595439][ T9764] kasan_report+0x12/0x20
[ 92.599758][ T9764] __asan_report_load_n_noabort+0xf/0x20
[ 92.605371][ T9764] macvlan_broadcast+0x547/0x620
[ 92.610298][ T9764] ? validate_xmit_skb+0x81f/0xe50
[ 92.615427][ T9764] macvlan_start_xmit+0x402/0x77f
[ 92.620444][ T9764] dev_direct_xmit+0x419/0x630
[ 92.625193][ T9764] ? __check_heap_object+0x51/0xb3
[ 92.630285][ T9764] ? validate_xmit_skb_list+0x150/0x150
[ 92.636769][ T9764] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 92.643004][ T9764] ? netdev_pick_tx+0x14e/0xb00
[ 92.647845][ T9764] packet_direct_xmit+0x1a9/0x250
[ 92.652877][ T9764] packet_sendmsg+0x260d/0x6220
[ 92.658143][ T9764] ? ___might_sleep+0x163/0x2c0
[ 92.662976][ T9764] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 92.669196][ T9764] ? aa_label_sk_perm+0x91/0xf0
[ 92.674047][ T9764] ? packet_notifier+0x880/0x880
[ 92.678977][ T9764] ? aa_sock_msg_perm.isra.0+0xba/0x170
[ 92.684516][ T9764] ? apparmor_socket_sendmsg+0x2a/0x30
[ 92.690405][ T9764] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 92.696643][ T9764] ? security_socket_sendmsg+0x8d/0xc0
[ 92.702167][ T9764] ? packet_notifier+0x880/0x880
[ 92.707446][ T9764] sock_sendmsg+0xd7/0x130
[ 92.711862][ T9764] __sys_sendto+0x262/0x380
[ 92.716351][ T9764] ? __ia32_sys_getpeername+0xb0/0xb0
[ 92.721708][ T9764] ? __ia32_sys_socketpair+0xf0/0xf0
[ 92.726979][ T9764] ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 92.732427][ T9764] ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 92.737875][ T9764] ? do_syscall_64+0x26/0x790
[ 92.742899][ T9764] ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 92.748942][ T9764] __x64_sys_sendto+0xe1/0x1a0
[ 92.753689][ T9764] do_syscall_64+0xfa/0x790
[ 92.758173][ T9764] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 92.764042][ T9764] RIP: 0033:0x442599
[ 92.767936][ T9764] Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 5b 10 fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 92.792741][ T9764] RSP: 002b:00007fff542591b8 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
[ 92.801133][ T9764] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000442599
[ 92.809099][ T9764] RDX: 000000000000000e RSI: 0000000020000080 RDI: 0000000000000003
[ 92.817063][ T9764] RBP: 0000000000000004 R08: 0000000000000000 R09: 0000000000000000
[ 92.825197][ T9764] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[ 92.833146][ T9764] R13: 0000000000403b10 R14: 0000000000000000 R15: 0000000000000000
[ 92.842537][ T9764] Kernel Offset: disabled
[ 92.846871][ T9764] Rebooting in 86400 seconds..