[ OK ] Started Getty on tty4.
[ OK ] Started Getty on tty3.
[ OK ] Started Getty on tty2.
[ OK ] Started Serial Getty on ttyS0.
[ OK ] Started Getty on tty1.
[ OK ] Reached target Login Prompts.
[ OK ] Reached target Multi-User System.
[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
[ OK ] Started Update UTMP about System Runlevel Changes.
Starting Load/Save RF Kill Switch Status...
[ OK ] Started Load/Save RF Kill Switch Status.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.0.227' (ECDSA) to the list of known hosts.
2020/04/10 09:47:08 parsed 1 programs
2020/04/10 09:47:10 executed programs: 0
syzkaller login: [ 61.326645][ T7060] IPVS: ftp: loaded support on port[0] = 21
[ 61.419292][ T7060] chnl_net:caif_netlink_parms(): no params data found
[ 61.469385][ T7060] bridge0: port 1(bridge_slave_0) entered blocking state
[ 61.477667][ T7060] bridge0: port 1(bridge_slave_0) entered disabled state
[ 61.486152][ T7060] device bridge_slave_0 entered promiscuous mode
[ 61.499096][ T7060] bridge0: port 2(bridge_slave_1) entered blocking state
[ 61.506973][ T7060] bridge0: port 2(bridge_slave_1) entered disabled state
[ 61.515443][ T7060] device bridge_slave_1 entered promiscuous mode
[ 61.537092][ T7060] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 61.548597][ T7060] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 61.570611][ T7060] team0: Port device team_slave_0 added
[ 61.578736][ T7060] team0: Port device team_slave_1 added
[ 61.602745][ T7060] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 61.609761][ T7060] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 61.638159][ T7060] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[ 61.653986][ T7060] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 61.661462][ T7060] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 61.689936][ T7060] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[ 61.765291][ T7060] device hsr_slave_0 entered promiscuous mode
[ 61.822449][ T7060] device hsr_slave_1 entered promiscuous mode
[ 61.947672][ T7060] netdevsim netdevsim0 netdevsim0: renamed from eth0
[ 61.994232][ T7060] netdevsim netdevsim0 netdevsim1: renamed from eth1
[ 62.053913][ T7060] netdevsim netdevsim0 netdevsim2: renamed from eth2
[ 62.123126][ T7060] netdevsim netdevsim0 netdevsim3: renamed from eth3
[ 62.176647][ T7060] bridge0: port 2(bridge_slave_1) entered blocking state
[ 62.183974][ T7060] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 62.191802][ T7060] bridge0: port 1(bridge_slave_0) entered blocking state
[ 62.198873][ T7060] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 62.244264][ T7060] 8021q: adding VLAN 0 to HW filter on device bond0
[ 62.257331][ T2801] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 62.268031][ T2801] bridge0: port 1(bridge_slave_0) entered disabled state
[ 62.276630][ T2801] bridge0: port 2(bridge_slave_1) entered disabled state
[ 62.285439][ T2801] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 62.299594][ T7060] 8021q: adding VLAN 0 to HW filter on device team0
[ 62.311000][ T3443] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 62.319327][ T3443] bridge0: port 1(bridge_slave_0) entered blocking state
[ 62.326448][ T3443] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 62.338660][ T2801] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 62.348827][ T2801] bridge0: port 2(bridge_slave_1) entered blocking state
[ 62.355946][ T2801] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 62.381229][ T2801] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 62.389900][ T2801] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 62.402862][ T2801] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 62.411907][ T2801] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 62.424092][ T3443] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_hsr: link becomes ready
[ 62.434278][ T3443] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 62.445798][ T7060] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 62.464592][ T3443] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 62.473585][ T3443] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 62.486598][ T7060] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 62.510377][ T3443] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_virt_wifi: link becomes ready
[ 62.519561][ T3443] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 62.541590][ T3443] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_vlan: link becomes ready
[ 62.549765][ T3443] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 62.559212][ T7060] device veth0_vlan entered promiscuous mode
[ 62.567321][ T2685] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 62.576458][ T2685] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 62.589680][ T7060] device veth1_vlan entered promiscuous mode
[ 62.611261][ T2801] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan0: link becomes ready
[ 62.620003][ T2801] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan1: link becomes ready
[ 62.628750][ T2801] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_macvtap: link becomes ready
[ 62.638379][ T2801] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 62.650475][ T7060] device veth0_macvtap entered promiscuous mode
[ 62.661049][ T7060] device veth1_macvtap entered promiscuous mode
[ 62.679253][ T7060] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 62.687361][ T2685] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready
[ 62.696707][ T2685] IPv6: ADDRCONF(NETDEV_CHANGE): macsec0: link becomes ready
[ 62.705446][ T2685] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready
[ 62.715031][ T2685] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 62.727045][ T7060] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 62.736132][ T3443] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready
[ 62.745263][ T3443] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 62.942631][ T7269] L1TF CPU bug present and SMT on, data leak possible. See CVE-2018-3646 and https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/l1tf.html for details.
2020/04/10 09:47:15 executed programs: 43
2020/04/10 09:47:20 executed programs: 114
[ 74.978666][ T8228] ==================================================================
[ 74.987129][ T8228] BUG: KASAN: slab-out-of-bounds in gfn_to_hva+0x4a0/0x4c0
[ 74.994337][ T8228] Read of size 8 at addr ffff88809422f468 by task syz-executor.0/8228
[ 75.002481][ T8228]
[ 75.004817][ T8228] CPU: 0 PID: 8228 Comm: syz-executor.0 Not tainted 5.6.0-syzkaller #0
[ 75.013048][ T8228] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 75.023101][ T8228] Call Trace:
[ 75.026400][ T8228] dump_stack+0x188/0x20d
[ 75.030745][ T8228] print_address_description.constprop.0.cold+0xd3/0x315
[ 75.037803][ T8228] ? gfn_to_hva+0x4a0/0x4c0
[ 75.042312][ T8228] __kasan_report.cold+0x35/0x4d
[ 75.047261][ T8228] ? gfn_to_hva+0x4a0/0x4c0
[ 75.051770][ T8228] ? gfn_to_hva+0x4a0/0x4c0
[ 75.056273][ T8228] kasan_report+0x33/0x50
[ 75.060609][ T8228] gfn_to_hva+0x4a0/0x4c0
[ 75.064951][ T8228] kvm_arch_mmu_notifier_invalidate_range+0x21/0x80
[ 75.071550][ T8228] kvm_mmu_notifier_invalidate_range_start+0x1a1/0x280
[ 75.078405][ T8228] ? kvm_flush_remote_tlbs+0x120/0x120
[ 75.083876][ T8228] __mmu_notifier_invalidate_range_start+0x4bc/0x6b0
[ 75.090566][ T8228] change_protection+0x1ed0/0x2710
[ 75.095705][ T8228] ? __vma_adjust+0xbf6/0x1c50
[ 75.100488][ T8228] ? prot_none_pte_entry+0x150/0x150
[ 75.105777][ T8228] ? vma_wants_writenotify+0x223/0x4f0
[ 75.111256][ T8228] ? vma_set_page_prot+0x19c/0x250
[ 75.116376][ T8228] mprotect_fixup+0x46c/0x940
[ 75.121065][ T8228] ? change_protection+0x2710/0x2710
[ 75.126351][ T8228] ? vmacache_find+0x62/0x300
[ 75.131034][ T8228] ? apparmor_file_mprotect+0xe8/0x110
[ 75.136511][ T8228] do_mprotect_pkey+0x542/0x950
[ 75.141375][ T8228] ? mprotect_fixup+0x940/0x940
[ 75.146223][ T8228] ? handle_mm_fault+0x491/0xa10
[ 75.151168][ T8228] ? trace_hardirqs_off_caller+0x55/0x230
[ 75.156898][ T8228] __x64_sys_mprotect+0x74/0xb0
[ 75.161753][ T8228] ? lockdep_hardirqs_on+0x463/0x620
[ 75.167144][ T8228] do_syscall_64+0xf6/0x7d0
[ 75.171659][ T8228] entry_SYSCALL_64_after_hwframe+0x49/0xb3
[ 75.177575][ T8228] RIP: 0033:0x45c987
[ 75.181481][ T8228] Code: 00 00 00 b8 0b 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 9d b5 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 b8 0a 00 00 00 0f 05 <48> 3d 01 f0 ff ff 0f 83 7d b5 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 75.201084][ T8228] RSP: 002b:00007fffeb2b1198 EFLAGS: 00000246 ORIG_RAX: 000000000000000a
[ 75.209499][ T8228] RAX: ffffffffffffffda RBX: 0000000000020000 RCX: 000000000045c987
[ 75.217482][ T8228] RDX: 0000000000000000 RSI: 0000000000001000 RDI: 00007fb6ab53b000
[ 75.225445][ T8228] RBP: 00007fffeb2b1280 R08: 00000000007217e0 R09: 00000000007217e0
[ 75.233398][ T8228] R10: 0000000000000000 R11: 0000000000000246 R12: 00007fffeb2b1370
[ 75.241351][ T8228] R13: 00007fb6ab55b700 R14: 00007fb6ab55b9c0 R15: 000000000076bfac
[ 75.249312][ T8228]
[ 75.251622][ T8228] Allocated by task 8229:
[ 75.255936][ T8228] save_stack+0x1b/0x40
[ 75.260073][ T8228] __kasan_kmalloc.constprop.0+0xbf/0xd0
[ 75.265688][ T8228] kvmalloc_node+0x61/0xf0
[ 75.270085][ T8228] kvm_set_memslot+0x115/0x1530
[ 75.274914][ T8228] __kvm_set_memory_region+0xcf7/0x1320
[ 75.280435][ T8228] kvm_set_memory_region+0x29/0x50
[ 75.285532][ T8228] kvm_vm_ioctl+0x678/0x23e0
[ 75.290103][ T8228] ksys_ioctl+0x11a/0x180
[ 75.294425][ T8228] __x64_sys_ioctl+0x6f/0xb0
[ 75.299008][ T8228] do_syscall_64+0xf6/0x7d0
[ 75.303492][ T8228] entry_SYSCALL_64_after_hwframe+0x49/0xb3
[ 75.309356][ T8228]
[ 75.311663][ T8228] Freed by task 7060:
[ 75.315629][ T8228] save_stack+0x1b/0x40
[ 75.319792][ T8228] __kasan_slab_free+0xf7/0x140
[ 75.324634][ T8228] kfree+0x109/0x2b0
[ 75.328553][ T8228] kvfree+0x42/0x50
[ 75.332383][ T8228] __do_replace+0x6a3/0x8c0
[ 75.336927][ T8228] do_ip6t_set_ctl+0x2e8/0x457
[ 75.341668][ T8228] nf_setsockopt+0x6f/0xc0
[ 75.346063][ T8228] ipv6_setsockopt+0x145/0x180
[ 75.350809][ T8228] tcp_setsockopt+0x86/0xd0
[ 75.355333][ T8228] __sys_setsockopt+0x248/0x480
[ 75.360164][ T8228] __x64_sys_setsockopt+0xba/0x150
[ 75.365270][ T8228] do_syscall_64+0xf6/0x7d0
[ 75.369778][ T8228] entry_SYSCALL_64_after_hwframe+0x49/0xb3
[ 75.375651][ T8228]
[ 75.377995][ T8228] The buggy address belongs to the object at ffff88809422f000
[ 75.377995][ T8228] which belongs to the cache kmalloc-2k of size 2048
[ 75.392033][ T8228] The buggy address is located 1128 bytes inside of
[ 75.392033][ T8228] 2048-byte region [ffff88809422f000, ffff88809422f800)
[ 75.405455][ T8228] The buggy address belongs to the page:
[ 75.411069][ T8228] page:ffffea0002508bc0 refcount:1 mapcount:0 mapping:00000000fcfbb453 index:0x0
[ 75.420162][ T8228] flags: 0xfffe0000000200(slab)
[ 75.424997][ T8228] raw: 00fffe0000000200 ffffea0002901648 ffffea00028c9d08 ffff8880aa000e00
[ 75.433563][ T8228] raw: 0000000000000000 ffff88809422f000 0000000100000001 0000000000000000
[ 75.442126][ T8228] page dumped because: kasan: bad access detected
[ 75.448513][ T8228]
[ 75.450824][ T8228] Memory state around the buggy address:
[ 75.456435][ T8228] ffff88809422f300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 75.464478][ T8228] ffff88809422f380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 75.472530][ T8228] >ffff88809422f400: 00 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc
[ 75.480573][ T8228] ^
[ 75.488032][ T8228] ffff88809422f480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 75.496111][ T8228] ffff88809422f500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 75.504169][ T8228] ==================================================================
[ 75.512212][ T8228] Disabling lock debugging due to kernel taint
[ 75.528806][ T8228] Kernel panic - not syncing: panic_on_warn set ...
[ 75.535438][ T8228] CPU: 0 PID: 8228 Comm: syz-executor.0 Tainted: G B 5.6.0-syzkaller #0
[ 75.545086][ T8228] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 75.555160][ T8228] Call Trace:
[ 75.558434][ T8228] dump_stack+0x188/0x20d
[ 75.562747][ T8228] panic+0x2e3/0x75c
[ 75.566621][ T8228] ? add_taint.cold+0x16/0x16
[ 75.571282][ T8228] ? preempt_schedule_common+0x5e/0xc0
[ 75.576724][ T8228] ? gfn_to_hva+0x4a0/0x4c0
[ 75.581207][ T8228] ? preempt_schedule_thunk+0x16/0x18
[ 75.586569][ T8228] ? trace_hardirqs_on+0x55/0x220
[ 75.591569][ T8228] ? gfn_to_hva+0x4a0/0x4c0
[ 75.596046][ T8228] end_report+0x4d/0x53
[ 75.600203][ T8228] __kasan_report.cold+0xd/0x4d
[ 75.605042][ T8228] ? gfn_to_hva+0x4a0/0x4c0
[ 75.609518][ T8228] ? gfn_to_hva+0x4a0/0x4c0
[ 75.614009][ T8228] kasan_report+0x33/0x50
[ 75.618327][ T8228] gfn_to_hva+0x4a0/0x4c0
[ 75.622634][ T8228] kvm_arch_mmu_notifier_invalidate_range+0x21/0x80
[ 75.629198][ T8228] kvm_mmu_notifier_invalidate_range_start+0x1a1/0x280
[ 75.636022][ T8228] ? kvm_flush_remote_tlbs+0x120/0x120
[ 75.641461][ T8228] __mmu_notifier_invalidate_range_start+0x4bc/0x6b0
[ 75.648113][ T8228] change_protection+0x1ed0/0x2710
[ 75.653204][ T8228] ? __vma_adjust+0xbf6/0x1c50
[ 75.657944][ T8228] ? prot_none_pte_entry+0x150/0x150
[ 75.663216][ T8228] ? vma_wants_writenotify+0x223/0x4f0
[ 75.668679][ T8228] ? vma_set_page_prot+0x19c/0x250
[ 75.674019][ T8228] mprotect_fixup+0x46c/0x940
[ 75.678691][ T8228] ? change_protection+0x2710/0x2710
[ 75.684021][ T8228] ? vmacache_find+0x62/0x300
[ 75.688786][ T8228] ? apparmor_file_mprotect+0xe8/0x110
[ 75.694303][ T8228] do_mprotect_pkey+0x542/0x950
[ 75.699169][ T8228] ? mprotect_fixup+0x940/0x940
[ 75.704115][ T8228] ? handle_mm_fault+0x491/0xa10
[ 75.709049][ T8228] ? trace_hardirqs_off_caller+0x55/0x230
[ 75.714788][ T8228] __x64_sys_mprotect+0x74/0xb0
[ 75.719626][ T8228] ? lockdep_hardirqs_on+0x463/0x620
[ 75.724894][ T8228] do_syscall_64+0xf6/0x7d0
[ 75.729504][ T8228] entry_SYSCALL_64_after_hwframe+0x49/0xb3
[ 75.735466][ T8228] RIP: 0033:0x45c987
[ 75.739356][ T8228] Code: 00 00 00 b8 0b 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 9d b5 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 b8 0a 00 00 00 0f 05 <48> 3d 01 f0 ff ff 0f 83 7d b5 fb ff c3 66 2e 0f 1f 84 00 00 00 00
[ 75.758958][ T8228] RSP: 002b:00007fffeb2b1198 EFLAGS: 00000246 ORIG_RAX: 000000000000000a
[ 75.767361][ T8228] RAX: ffffffffffffffda RBX: 0000000000020000 RCX: 000000000045c987
[ 75.775418][ T8228] RDX: 0000000000000000 RSI: 0000000000001000 RDI: 00007fb6ab53b000
[ 75.783374][ T8228] RBP: 00007fffeb2b1280 R08: 00000000007217e0 R09: 00000000007217e0
[ 75.791465][ T8228] R10: 0000000000000000 R11: 0000000000000246 R12: 00007fffeb2b1370
[ 75.799522][ T8228] R13: 00007fb6ab55b700 R14: 00007fb6ab55b9c0 R15: 000000000076bfac
[ 75.808811][ T8228] Kernel Offset: disabled
[ 75.813141][ T8228] Rebooting in 86400 seconds..