Warning: Permanently added '10.128.0.185' (ECDSA) to the list of known hosts.
2020/01/07 01:20:14 parsed 1 programs
2020/01/07 01:20:16 executed programs: 0
syzkaller login: [ 99.841835][ T9488] IPVS: ftp: loaded support on port[0] = 21
[ 99.908644][ T9488] chnl_net:caif_netlink_parms(): no params data found
[ 99.939413][ T9488] bridge0: port 1(bridge_slave_0) entered blocking state
[ 99.946810][ T9488] bridge0: port 1(bridge_slave_0) entered disabled state
[ 99.955214][ T9488] device bridge_slave_0 entered promiscuous mode
[ 99.963553][ T9488] bridge0: port 2(bridge_slave_1) entered blocking state
[ 99.971426][ T9488] bridge0: port 2(bridge_slave_1) entered disabled state
[ 99.979304][ T9488] device bridge_slave_1 entered promiscuous mode
[ 99.996714][ T9488] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 100.008556][ T9488] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 100.028208][ T9488] team0: Port device team_slave_0 added
[ 100.037030][ T9488] team0: Port device team_slave_1 added
[ 100.111714][ T9488] device hsr_slave_0 entered promiscuous mode
[ 100.159424][ T9488] device hsr_slave_1 entered promiscuous mode
[ 100.263762][ T9488] netdevsim netdevsim0 netdevsim0: renamed from eth0
[ 100.311205][ T9488] netdevsim netdevsim0 netdevsim1: renamed from eth1
[ 100.361558][ T9488] netdevsim netdevsim0 netdevsim2: renamed from eth2
[ 100.401641][ T9488] netdevsim netdevsim0 netdevsim3: renamed from eth3
[ 100.470731][ T9488] bridge0: port 2(bridge_slave_1) entered blocking state
[ 100.478021][ T9488] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 100.485914][ T9488] bridge0: port 1(bridge_slave_0) entered blocking state
[ 100.493019][ T9488] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 100.535861][ T9488] 8021q: adding VLAN 0 to HW filter on device bond0
[ 100.548790][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 100.560997][ T17] bridge0: port 1(bridge_slave_0) entered disabled state
[ 100.569452][ T17] bridge0: port 2(bridge_slave_1) entered disabled state
[ 100.577320][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 100.591065][ T9488] 8021q: adding VLAN 0 to HW filter on device team0
[ 100.601526][ T3165] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 100.610700][ T3165] bridge0: port 1(bridge_slave_0) entered blocking state
[ 100.617740][ T3165] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 100.640461][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 100.649790][ T17] bridge0: port 2(bridge_slave_1) entered blocking state
[ 100.656940][ T17] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 100.665102][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 100.673806][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 100.682749][ T17] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 100.693367][ T3165] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 100.706983][ T9488] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
[ 100.718471][ T9488] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 100.727833][ T3165] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 100.750176][ T9488] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 100.758253][ T2712] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 100.766494][ T2712] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 100.783991][ T2707] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 100.803047][ T2712] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 100.811658][ T2712] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 100.819687][ T2712] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 100.830821][ T9488] device veth0_vlan entered promiscuous mode
[ 100.841892][ T9488] device veth1_vlan entered promiscuous mode
[ 100.899656][ T2712] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan0: link becomes ready
[ 100.907578][ T2712] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan1: link becomes ready
[ 101.000044][ T9491] ==================================================================
[ 101.008312][ T9491] BUG: KASAN: use-after-free in macvlan_broadcast+0x547/0x620
[ 101.015755][ T9491] Read of size 4 at addr ffff8880a67fc401 by task syz-executor.0/9491
[ 101.023883][ T9491]
[ 101.026217][ T9491] CPU: 0 PID: 9491 Comm: syz-executor.0 Not tainted 5.5.0-rc5-syzkaller #0
[ 101.034790][ T9491] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 101.044846][ T9491] Call Trace:
[ 101.048140][ T9491] dump_stack+0x197/0x210
[ 101.052454][ T9491] ? macvlan_broadcast+0x547/0x620
[ 101.057548][ T9491] print_address_description.constprop.0.cold+0xd4/0x30b
[ 101.064564][ T9491] ? macvlan_broadcast+0x547/0x620
[ 101.069663][ T9491] ? macvlan_broadcast+0x547/0x620
[ 101.074758][ T9491] __kasan_report.cold+0x1b/0x41
[ 101.079698][ T9491] ? validate_xmit_xfrm+0x3d0/0xf10
[ 101.084886][ T9491] ? macvlan_broadcast+0x547/0x620
[ 101.089988][ T9491] kasan_report+0x12/0x20
[ 101.094299][ T9491] __asan_report_load_n_noabort+0xf/0x20
[ 101.099934][ T9491] macvlan_broadcast+0x547/0x620
[ 101.104853][ T9491] ? validate_xmit_skb+0x81f/0xe50
[ 101.109950][ T9491] macvlan_start_xmit+0x402/0x77f
[ 101.114956][ T9491] dev_direct_xmit+0x419/0x630
[ 101.119713][ T9491] ? __check_heap_object+0x51/0xb3
[ 101.124829][ T9491] ? validate_xmit_skb_list+0x150/0x150
[ 101.130359][ T9491] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 101.136590][ T9491] ? netdev_pick_tx+0x14e/0xb00
[ 101.141429][ T9491] packet_direct_xmit+0x1a9/0x250
[ 101.146433][ T9491] packet_sendmsg+0x260d/0x6220
[ 101.151265][ T9491] ? ___might_sleep+0x163/0x2c0
[ 101.156093][ T9491] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 101.162313][ T9491] ? aa_label_sk_perm+0x91/0xf0
[ 101.167151][ T9491] ? packet_notifier+0x880/0x880
[ 101.172068][ T9491] ? __kasan_check_read+0x11/0x20
[ 101.177069][ T9491] ? aa_sock_msg_perm.isra.0+0xba/0x170
[ 101.182596][ T9491] ? apparmor_socket_sendmsg+0x2a/0x30
[ 101.188038][ T9491] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 101.194258][ T9491] ? security_socket_sendmsg+0x8d/0xc0
[ 101.199711][ T9491] ? packet_notifier+0x880/0x880
[ 101.204641][ T9491] sock_sendmsg+0xd7/0x130
[ 101.209052][ T9491] __sys_sendto+0x262/0x380
[ 101.213547][ T9491] ? __ia32_sys_getpeername+0xb0/0xb0
[ 101.218940][ T9491] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 101.225208][ T9491] ? put_old_timespec32+0x113/0x200
[ 101.230389][ T9491] ? get_old_timespec32+0x200/0x200
[ 101.235575][ T9491] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 101.241801][ T9491] ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 101.247267][ T9491] ? do_fast_syscall_32+0xd1/0xe16
[ 101.252379][ T9491] ? entry_SYSENTER_compat+0x70/0x7f
[ 101.257662][ T9491] __ia32_sys_sendto+0xdf/0x1a0
[ 101.262514][ T9491] do_fast_syscall_32+0x27b/0xe16
[ 101.267557][ T9491] entry_SYSENTER_compat+0x70/0x7f
[ 101.272652][ T9491] RIP: 0023:0xf7faca39
[ 101.276707][ T9491] Code: 00 00 00 89 d3 5b 5e 5f 5d c3 b8 80 96 98 00 eb c4 8b 04 24 c3 8b 1c 24 c3 8b 34 24 c3 8b 3c 24 c3 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 eb 0d 90 90 90 90 90 90 90 90 90 90 90 90
[ 101.297259][ T9491] RSP: 002b:000000000848fb6c EFLAGS: 00000216 ORIG_RAX: 0000000000000171
[ 101.305705][ T9491] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000020000080
[ 101.313704][ T9491] RDX: 000000000000000e RSI: 0000000000000000 RDI: 0000000000000000
[ 101.321684][ T9491] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[ 101.329643][ T9491] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[ 101.338029][ T9491] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 101.345992][ T9491]
[ 101.348302][ T9491] Allocated by task 9374:
[ 101.352614][ T9491] save_stack+0x23/0x90
[ 101.356766][ T9491] __kasan_kmalloc.constprop.0+0xcf/0xe0
[ 101.362378][ T9491] kasan_slab_alloc+0xf/0x20
[ 101.366947][ T9491] kmem_cache_alloc_node+0x138/0x740
[ 101.372207][ T9491] copy_process+0x3be/0x7230
[ 101.376838][ T9491] _do_fork+0x146/0x1090
[ 101.381125][ T9491] __x64_sys_clone+0x19a/0x260
[ 101.386304][ T9491] do_syscall_64+0xfa/0x790
[ 101.390793][ T9491] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 101.396662][ T9491]
[ 101.398975][ T9491] Freed by task 0:
[ 101.402687][ T9491] save_stack+0x23/0x90
[ 101.406859][ T9491] __kasan_slab_free+0x102/0x150
[ 101.411778][ T9491] kasan_slab_free+0xe/0x10
[ 101.416261][ T9491] kmem_cache_free+0x86/0x320
[ 101.420924][ T9491] free_task+0xdd/0x120
[ 101.425056][ T9491] __put_task_struct+0x240/0x530
[ 101.429974][ T9491] delayed_put_task_struct+0x253/0x3c0
[ 101.435411][ T9491] rcu_core+0x570/0x1540
[ 101.439653][ T9491] rcu_core_si+0x9/0x10
[ 101.443802][ T9491] __do_softirq+0x262/0x98c
[ 101.448286][ T9491]
[ 101.450603][ T9491] The buggy address belongs to the object at ffff8880a67fc080
[ 101.450603][ T9491] which belongs to the cache task_struct of size 6272
[ 101.464850][ T9491] The buggy address is located 897 bytes inside of
[ 101.464850][ T9491] 6272-byte region [ffff8880a67fc080, ffff8880a67fd900)
[ 101.478231][ T9491] The buggy address belongs to the page:
[ 101.483847][ T9491] page:ffffea000299ff00 refcount:1 mapcount:0 mapping:ffff8880aa5ed8c0 index:0x0 compound_mapcount: 0
[ 101.494880][ T9491] raw: 00fffe0000010200 ffffea000248f208 ffffea00027b7488 ffff8880aa5ed8c0
[ 101.503455][ T9491] raw: 0000000000000000 ffff8880a67fc080 0000000100000001 0000000000000000
[ 101.512014][ T9491] page dumped because: kasan: bad access detected
[ 101.518404][ T9491]
[ 101.520712][ T9491] Memory state around the buggy address:
[ 101.526440][ T9491] ffff8880a67fc300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 101.534482][ T9491] ffff8880a67fc380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 101.542539][ T9491] >ffff8880a67fc400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 101.550581][ T9491] ^
[ 101.554630][ T9491] ffff8880a67fc480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 101.562719][ T9491] ffff8880a67fc500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 101.570761][ T9491] ==================================================================
[ 101.578811][ T9491] Disabling lock debugging due to kernel taint
[ 101.585027][ T9491] Kernel panic - not syncing: panic_on_warn set ...
[ 101.591611][ T9491] CPU: 0 PID: 9491 Comm: syz-executor.0 Tainted: G B 5.5.0-rc5-syzkaller #0
[ 101.601612][ T9491] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 101.611659][ T9491] Call Trace:
[ 101.614937][ T9491] dump_stack+0x197/0x210
[ 101.619259][ T9491] panic+0x2e3/0x75c
[ 101.623319][ T9491] ? add_taint.cold+0x16/0x16
[ 101.627983][ T9491] ? trace_hardirqs_on+0x5e/0x240
[ 101.632999][ T9491] ? trace_hardirqs_on+0x5e/0x240
[ 101.638013][ T9491] ? macvlan_broadcast+0x547/0x620
[ 101.643111][ T9491] end_report+0x47/0x4f
[ 101.647245][ T9491] ? macvlan_broadcast+0x547/0x620
[ 101.652351][ T9491] __kasan_report.cold+0xe/0x41
[ 101.657196][ T9491] ? validate_xmit_xfrm+0x3d0/0xf10
[ 101.662377][ T9491] ? macvlan_broadcast+0x547/0x620
[ 101.667472][ T9491] kasan_report+0x12/0x20
[ 101.671784][ T9491] __asan_report_load_n_noabort+0xf/0x20
[ 101.677419][ T9491] macvlan_broadcast+0x547/0x620
[ 101.682341][ T9491] ? validate_xmit_skb+0x81f/0xe50
[ 101.687446][ T9491] macvlan_start_xmit+0x402/0x77f
[ 101.693425][ T9491] dev_direct_xmit+0x419/0x630
[ 101.698186][ T9491] ? __check_heap_object+0x51/0xb3
[ 101.703372][ T9491] ? validate_xmit_skb_list+0x150/0x150
[ 101.708914][ T9491] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 101.715156][ T9491] ? netdev_pick_tx+0x14e/0xb00
[ 101.720008][ T9491] packet_direct_xmit+0x1a9/0x250
[ 101.725030][ T9491] packet_sendmsg+0x260d/0x6220
[ 101.729959][ T9491] ? ___might_sleep+0x163/0x2c0
[ 101.734933][ T9491] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 101.741168][ T9491] ? aa_label_sk_perm+0x91/0xf0
[ 101.746042][ T9491] ? packet_notifier+0x880/0x880
[ 101.750967][ T9491] ? __kasan_check_read+0x11/0x20
[ 101.755973][ T9491] ? aa_sock_msg_perm.isra.0+0xba/0x170
[ 101.761499][ T9491] ? apparmor_socket_sendmsg+0x2a/0x30
[ 101.766939][ T9491] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 101.773175][ T9491] ? security_socket_sendmsg+0x8d/0xc0
[ 101.778653][ T9491] ? packet_notifier+0x880/0x880
[ 101.783573][ T9491] sock_sendmsg+0xd7/0x130
[ 101.787968][ T9491] __sys_sendto+0x262/0x380
[ 101.792466][ T9491] ? __ia32_sys_getpeername+0xb0/0xb0
[ 101.797842][ T9491] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[ 101.804069][ T9491] ? put_old_timespec32+0x113/0x200
[ 101.809259][ T9491] ? get_old_timespec32+0x200/0x200
[ 101.814441][ T9491] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 101.821018][ T9491] ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 101.826465][ T9491] ? do_fast_syscall_32+0xd1/0xe16
[ 101.831570][ T9491] ? entry_SYSENTER_compat+0x70/0x7f
[ 101.836836][ T9491] __ia32_sys_sendto+0xdf/0x1a0
[ 101.841715][ T9491] do_fast_syscall_32+0x27b/0xe16
[ 101.846722][ T9491] entry_SYSENTER_compat+0x70/0x7f
[ 101.851810][ T9491] RIP: 0023:0xf7faca39
[ 101.855874][ T9491] Code: 00 00 00 89 d3 5b 5e 5f 5d c3 b8 80 96 98 00 eb c4 8b 04 24 c3 8b 1c 24 c3 8b 34 24 c3 8b 3c 24 c3 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 eb 0d 90 90 90 90 90 90 90 90 90 90 90 90
[ 101.875460][ T9491] RSP: 002b:000000000848fb6c EFLAGS: 00000216 ORIG_RAX: 0000000000000171
[ 101.883854][ T9491] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000020000080
[ 101.891826][ T9491] RDX: 000000000000000e RSI: 0000000000000000 RDI: 0000000000000000
[ 101.899786][ T9491] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[ 101.907757][ T9491] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[ 101.915708][ T9491] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 101.925056][ T9491] Kernel Offset: disabled
[ 101.929470][ T9491] Rebooting in 86400 seconds..