[ OK ] Reached target Multi-User System.
[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
[ OK ] Started Update UTMP about System Runlevel Changes.
[ OK ] Listening on Load/Save RF Kill Switch Status /dev/rfkill Watch.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.0.216' (ECDSA) to the list of known hosts.

syzkaller login: [ 35.159108] IPVS: ftp: loaded support on port[0] = 21
executing program
executing program
executing program
[ 35.890007] netlink: 4 bytes leftover after parsing attributes in process `syz-executor583'.
[ 35.905236] tunl0: Master is either lo or non-ether device
[ 35.915562] netlink: 4 bytes leftover after parsing attributes in process `syz-executor583'.
[ 35.928451] gre0: Master is either lo or non-ether device
[ 35.936916] netlink: 4 bytes leftover after parsing attributes in process `syz-executor583'.
[ 35.950619] ==================================================================
[ 35.958325] BUG: KASAN: use-after-free in radix_tree_next_chunk+0x950/0x9a0
[ 35.965418] Read of size 8 at addr ffff888098101308 by task syz-executor583/6357
[ 35.973026]
[ 35.974673] CPU: 0 PID: 6357 Comm: syz-executor583 Not tainted 4.14.176-syzkaller #0
[ 35.982621] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 35.991995] Call Trace:
[ 35.994579]  dump_stack+0x13e/0x194
[ 35.998198]  ? radix_tree_next_chunk+0x950/0x9a0
[ 36.002941]  print_address_description.cold+0x7c/0x1e2
[ 36.008492]  ? radix_tree_next_chunk+0x950/0x9a0
[ 36.013410]  kasan_report.cold+0xa9/0x2ae
[ 36.017546]  radix_tree_next_chunk+0x950/0x9a0
[ 36.022118]  ida_remove+0x9b/0x210
[ 36.025696]  ? ida_destroy+0x1b0/0x1b0
[ 36.029620]  ? lock_acquire+0x170/0x3f0
[ 36.033683]  ida_simple_remove+0x31/0x50
[ 36.037732]  ipvlan_link_new+0x4f9/0xfc0
[ 36.041784]  rtnl_newlink+0xecb/0x1720
[ 36.045675]  ? ipvlan_port_destroy+0x3f0/0x3f0
[ 36.050335]  ? trace_hardirqs_on+0x10/0x10
[ 36.054580]  ? rtnl_link_unregister+0x1f0/0x1f0
[ 36.059239]  ? lock_acquire+0x170/0x3f0
[ 36.063316]  ? lock_acquire+0x170/0x3f0
[ 36.067291]  ? rtnetlink_rcv_msg+0x31d/0xb10
[ 36.071814]  ? __lock_is_held+0xad/0x140
[ 36.075867]  ? lock_downgrade+0x6e0/0x6e0
[ 36.080002]  ? rtnl_link_unregister+0x1f0/0x1f0
[ 36.084657]  rtnetlink_rcv_msg+0x3be/0xb10
[ 36.088932]  ? rtnl_bridge_getlink+0x7a0/0x7a0
[ 36.093516]  ? save_trace+0x290/0x290
[ 36.097313]  ? save_trace+0x290/0x290
[ 36.101176]  netlink_rcv_skb+0x127/0x370
[ 36.105246]  ? rtnl_bridge_getlink+0x7a0/0x7a0
[ 36.109873]  ? netlink_ack+0x980/0x980
[ 36.113767]  netlink_unicast+0x437/0x620
[ 36.117824]  ? netlink_attachskb+0x600/0x600
[ 36.122221]  netlink_sendmsg+0x733/0xbe0
[ 36.126269]  ? netlink_unicast+0x620/0x620
[ 36.130495]  ? SYSC_sendto+0x2b0/0x2b0
[ 36.134373]  ? security_socket_sendmsg+0x83/0xb0
[ 36.139132]  ? netlink_unicast+0x620/0x620
[ 36.143652]  sock_sendmsg+0xc5/0x100
[ 36.147361]  ___sys_sendmsg+0x70a/0x840
[ 36.151323]  ? copy_msghdr_from_user+0x380/0x380
[ 36.156076]  ? trace_hardirqs_on+0x10/0x10
[ 36.160295]  ? save_trace+0x290/0x290
[ 36.164600]  ? find_held_lock+0x2d/0x110
[ 36.168647]  ? __might_fault+0x104/0x1b0
[ 36.172695]  ? lock_acquire+0x170/0x3f0
[ 36.176658]  ? lock_downgrade+0x6e0/0x6e0
[ 36.180791]  ? __might_fault+0x177/0x1b0
[ 36.184903]  ? _copy_to_user+0x82/0xd0
[ 36.188789]  ? __fget_light+0x16a/0x1f0
[ 36.192755]  ? sockfd_lookup_light+0xb2/0x160
[ 36.197254]  __sys_sendmsg+0xa3/0x120
[ 36.201039]  ? SyS_shutdown+0x160/0x160
[ 36.205009]  ? move_addr_to_kernel+0x60/0x60
[ 36.209447]  ? __do_page_fault+0x35b/0xb40
[ 36.213680]  SyS_sendmsg+0x27/0x40
[ 36.217210]  ? __sys_sendmsg+0x120/0x120
[ 36.221291]  do_syscall_64+0x1d5/0x640
[ 36.225197]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 36.230385] RIP: 0033:0x441689
[ 36.233556] RSP: 002b:00007ffd2bb9c858 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 36.241244] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000441689
[ 36.248494] RDX: 0000000000000000 RSI: 0000000020000140 RDI: 0000000000000003
[ 36.255754] RBP: 00007ffd2bb9c860 R08: 0000000100000000 R09: 0000000100000000
[ 36.263009] R10: 0000000100000000 R11: 0000000000000246 R12: 0000000000008c6a
[ 36.270267] R13: 00000000004025e0 R14: 0000000000000000 R15: 0000000000000000
[ 36.277810]
[ 36.279437] Allocated by task 6357:
[ 36.283053]  save_stack+0x32/0xa0
[ 36.286496]  kasan_kmalloc+0xbf/0xe0
[ 36.290192]  kmem_cache_alloc_trace+0x14d/0x7b0
[ 36.294844]  ipvlan_link_new+0x640/0xfc0
[ 36.298887]  rtnl_newlink+0xecb/0x1720
[ 36.304899]  rtnetlink_rcv_msg+0x3be/0xb10
[ 36.309148]  netlink_rcv_skb+0x127/0x370
[ 36.313277]  netlink_unicast+0x437/0x620
[ 36.317381]  netlink_sendmsg+0x733/0xbe0
[ 36.321453]  sock_sendmsg+0xc5/0x100
[ 36.325163]  ___sys_sendmsg+0x70a/0x840
[ 36.329204]  __sys_sendmsg+0xa3/0x120
[ 36.332996]  SyS_sendmsg+0x27/0x40
[ 36.336525]  do_syscall_64+0x1d5/0x640
[ 36.340401]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 36.345577]
[ 36.347209] Freed by task 6357:
[ 36.350468]  save_stack+0x32/0xa0
[ 36.353910]  kasan_slab_free+0x75/0xc0
[ 36.357775]  kfree+0xcb/0x260
[ 36.360884]  ipvlan_uninit+0xb6/0xe0
[ 36.364582]  register_netdevice+0x756/0xc70
[ 36.368970]  ipvlan_link_new+0x485/0xfc0
[ 36.373018]  rtnl_newlink+0xecb/0x1720
[ 36.377243]  rtnetlink_rcv_msg+0x3be/0xb10
[ 36.381469]  netlink_rcv_skb+0x127/0x370
[ 36.385642]  netlink_unicast+0x437/0x620
[ 36.389842]  netlink_sendmsg+0x733/0xbe0
[ 36.393897]  sock_sendmsg+0xc5/0x100
[ 36.397675]  ___sys_sendmsg+0x70a/0x840
[ 36.401655]  __sys_sendmsg+0xa3/0x120
[ 36.405446]  SyS_sendmsg+0x27/0x40
[ 36.408973]  do_syscall_64+0x1d5/0x640
[ 36.412862]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 36.418044]
[ 36.419653] The buggy address belongs to the object at ffff888098100a40
[ 36.419653]  which belongs to the cache kmalloc-4096 of size 4096
[ 36.432470] The buggy address is located 2248 bytes inside of
[ 36.432470]  4096-byte region [ffff888098100a40, ffff888098101a40)
[ 36.444494] The buggy address belongs to the page:
[ 36.449421] page:ffffea0002604000 count:1 mapcount:0 mapping:ffff888098100a40 index:0x0 compound_mapcount: 0
[ 36.460081] flags: 0xfffe0000008100(slab|head)
[ 36.464662] raw: 00fffe0000008100 ffff888098100a40 0000000000000000 0000000100000001
[ 36.472543] raw: ffffea00026b5020 ffff88812fe54a48 ffff88812fe56dc0 0000000000000000
[ 36.480412] page dumped because: kasan: bad access detected
[ 36.486185]
[ 36.487803] Memory state around the buggy address:
[ 36.492719]  ffff888098101200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 36.500162]  ffff888098101280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 36.507500] >ffff888098101300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 36.514846]                                            ^
[ 36.518449]  ffff888098101380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 36.525803]  ffff888098101400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 36.533145] ==================================================================
[ 36.540727] Disabling lock debugging due to kernel taint
[ 36.546173] Kernel panic - not syncing: panic_on_warn set ...
[ 36.546173]
[ 36.553607] CPU: 0 PID: 6357 Comm: syz-executor583 Tainted: G B 4.14.176-syzkaller #0
[ 36.562695] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 36.572039] Call Trace:
[ 36.574611]  dump_stack+0x13e/0x194
[ 36.578219]  panic+0x1f9/0x42d
[ 36.581393]  ? add_taint.cold+0x16/0x16
[ 36.585957]  ? lock_downgrade+0x6e0/0x6e0
[ 36.590083]  ? radix_tree_next_chunk+0x950/0x9a0
[ 36.594904]  kasan_end_report+0x43/0x49
[ 36.598856]  kasan_report.cold+0x12f/0x2ae
[ 36.603120]  radix_tree_next_chunk+0x950/0x9a0
[ 36.607762]  ida_remove+0x9b/0x210
[ 36.611299]  ? ida_destroy+0x1b0/0x1b0
[ 36.615183]  ? lock_acquire+0x170/0x3f0
[ 36.619141]  ida_simple_remove+0x31/0x50
[ 36.623253]  ipvlan_link_new+0x4f9/0xfc0
[ 36.627321]  rtnl_newlink+0xecb/0x1720
[ 36.631248]  ? ipvlan_port_destroy+0x3f0/0x3f0
[ 36.635828]  ? trace_hardirqs_on+0x10/0x10
[ 36.640051]  ? rtnl_link_unregister+0x1f0/0x1f0
[ 36.644723]  ? lock_acquire+0x170/0x3f0
[ 36.648684]  ? lock_acquire+0x170/0x3f0
[ 36.652819]  ? rtnetlink_rcv_msg+0x31d/0xb10
[ 36.657215]  ? __lock_is_held+0xad/0x140
[ 36.664217]  ? lock_downgrade+0x6e0/0x6e0
[ 36.668350]  ? rtnl_link_unregister+0x1f0/0x1f0
[ 36.673000]  rtnetlink_rcv_msg+0x3be/0xb10
[ 36.677215]  ? rtnl_bridge_getlink+0x7a0/0x7a0
[ 36.681776]  ? save_trace+0x290/0x290
[ 36.685554]  ? save_trace+0x290/0x290
[ 36.689338]  netlink_rcv_skb+0x127/0x370
[ 36.693480]  ? rtnl_bridge_getlink+0x7a0/0x7a0
[ 36.698046]  ? netlink_ack+0x980/0x980
[ 36.701924]  netlink_unicast+0x437/0x620
[ 36.705975]  ? netlink_attachskb+0x600/0x600
[ 36.710493]  netlink_sendmsg+0x733/0xbe0
[ 36.714550]  ? netlink_unicast+0x620/0x620
[ 36.718765]  ? SYSC_sendto+0x2b0/0x2b0
[ 36.722650]  ? security_socket_sendmsg+0x83/0xb0
[ 36.727384]  ? netlink_unicast+0x620/0x620
[ 36.731601]  sock_sendmsg+0xc5/0x100
[ 36.735325]  ___sys_sendmsg+0x70a/0x840
[ 36.739287]  ? copy_msghdr_from_user+0x380/0x380
[ 36.744035]  ? trace_hardirqs_on+0x10/0x10
[ 36.748252]  ? save_trace+0x290/0x290
[ 36.752067]  ? find_held_lock+0x2d/0x110
[ 36.756119]  ? __might_fault+0x104/0x1b0
[ 36.760163]  ? lock_acquire+0x170/0x3f0
[ 36.764116]  ? lock_downgrade+0x6e0/0x6e0
[ 36.768250]  ? __might_fault+0x177/0x1b0
[ 36.772442]  ? _copy_to_user+0x82/0xd0
[ 36.776321]  ? __fget_light+0x16a/0x1f0
[ 36.780276]  ? sockfd_lookup_light+0xb2/0x160
[ 36.784751]  __sys_sendmsg+0xa3/0x120
[ 36.788535]  ? SyS_shutdown+0x160/0x160
[ 36.792492]  ? move_addr_to_kernel+0x60/0x60
[ 36.796885]  ? __do_page_fault+0x35b/0xb40
[ 36.801101]  SyS_sendmsg+0x27/0x40
[ 36.804619]  ? __sys_sendmsg+0x120/0x120
[ 36.808676]  do_syscall_64+0x1d5/0x640
[ 36.812545]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 36.817715] RIP: 0033:0x441689
[ 36.820883] RSP: 002b:00007ffd2bb9c858 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 36.828570] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000441689
[ 36.835828] RDX: 0000000000000000 RSI: 0000000020000140 RDI: 0000000000000003
[ 36.843108] RBP: 00007ffd2bb9c860 R08: 0000000100000000 R09: 0000000100000000
[ 36.850370] R10: 0000000100000000 R11: 0000000000000246 R12: 0000000000008c6a
[ 36.857618] R13: 00000000004025e0 R14: 0000000000000000 R15: 0000000000000000
[ 36.866259] Kernel Offset: disabled
[ 36.869917] Rebooting in 86400 seconds..