Warning: Permanently added '10.128.10.34' (ECDSA) to the list of known hosts. syzkaller login: [ 37.603611][ T4217] chnl_net:caif_netlink_parms(): no params data found [ 37.638341][ T4217] bridge0: port 1(bridge_slave_0) entered blocking state [ 37.639918][ T4217] bridge0: port 1(bridge_slave_0) entered disabled state [ 37.641904][ T4217] device bridge_slave_0 entered promiscuous mode [ 37.647107][ T4217] bridge0: port 2(bridge_slave_1) entered blocking state [ 37.648579][ T4217] bridge0: port 2(bridge_slave_1) entered disabled state [ 37.650530][ T4217] device bridge_slave_1 entered promiscuous mode [ 37.663795][ T4217] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link [ 37.668293][ T4217] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link [ 37.681213][ T4217] team0: Port device team_slave_0 added [ 37.684319][ T4217] team0: Port device team_slave_1 added [ 37.696288][ T4217] batman_adv: batadv0: Adding interface: batadv_slave_0 [ 37.697731][ T4217] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem. [ 37.703052][ T4217] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active [ 37.707168][ T4217] batman_adv: batadv0: Adding interface: batadv_slave_1 [ 37.708535][ T4217] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem. [ 37.713717][ T4217] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active [ 37.787284][ T4217] device hsr_slave_0 entered promiscuous mode [ 37.845357][ T4217] device hsr_slave_1 entered promiscuous mode [ 37.970037][ T4217] netdevsim netdevsim0 netdevsim0: renamed from eth0 [ 38.007521][ T4217] netdevsim netdevsim0 netdevsim1: renamed from eth1 [ 38.058421][ T4217] netdevsim netdevsim0 netdevsim2: renamed from eth2 [ 38.097074][ T4217] netdevsim netdevsim0 netdevsim3: renamed from eth3 [ 38.150736][ T4217] bridge0: port 2(bridge_slave_1) entered blocking state [ 38.152353][ T4217] bridge0: port 2(bridge_slave_1) entered forwarding state [ 38.154243][ T4217] bridge0: port 1(bridge_slave_0) entered blocking state [ 38.155879][ T4217] bridge0: port 1(bridge_slave_0) entered forwarding state [ 38.192892][ T4217] 8021q: adding VLAN 0 to HW filter on device bond0 [ 38.200044][ T22] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready [ 38.203433][ T22] bridge0: port 1(bridge_slave_0) entered disabled state [ 38.206858][ T22] bridge0: port 2(bridge_slave_1) entered disabled state [ 38.209347][ T22] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready [ 38.216048][ T4217] 8021q: adding VLAN 0 to HW filter on device team0 [ 38.221842][ T108] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready [ 38.223890][ T108] bridge0: port 1(bridge_slave_0) entered blocking state [ 38.225418][ T108] bridge0: port 1(bridge_slave_0) entered forwarding state [ 38.237679][ T22] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready [ 38.239927][ T22] bridge0: port 2(bridge_slave_1) entered blocking state [ 38.241387][ T22] bridge0: port 2(bridge_slave_1) entered forwarding state [ 38.243912][ T22] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready [ 38.248206][ T22] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready [ 38.254106][ T4226] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready [ 38.261045][ T3801] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready [ 38.265696][ T4226] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready [ 38.268923][ T4217] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready [ 38.281266][ T4226] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready [ 38.283038][ T4226] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready [ 38.289753][ T4217] 8021q: adding VLAN 0 to HW filter on device batadv0 [ 38.301522][ T4226] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready [ 38.313785][ T22] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready [ 38.317321][ T22] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready [ 38.319211][ T22] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready [ 38.322952][ T4217] device veth0_vlan entered promiscuous mode [ 38.329740][ T4217] device veth1_vlan entered promiscuous mode [ 38.343585][ T4226] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan0: link becomes ready [ 38.346704][ T4226] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan1: link becomes ready [ 38.349043][ T4226] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready [ 38.352815][ T4217] device veth0_macvtap entered promiscuous mode [ 38.357768][ T4217] device veth1_macvtap entered promiscuous mode [ 38.368670][ T4217] batman_adv: batadv0: Interface activated: batadv_slave_0 [ 38.370509][ T4226] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready [ 38.373724][ T4226] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready [ 38.379653][ T4217] batman_adv: batadv0: Interface activated: batadv_slave_1 [ 38.381766][ T3801] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready [ 38.388364][ T4217] netdevsim netdevsim0 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0 [ 38.390222][ T4217] netdevsim netdevsim0 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0 [ 38.391951][ T4217] netdevsim netdevsim0 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0 [ 38.393816][ T4217] netdevsim netdevsim0 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0 executing program [ 38.695210][ T4226] usb 1-1: new high-speed USB device number 2 using dummy_hcd [ 39.075477][ T4226] usb 1-1: New USB device found, idVendor=047d, idProduct=5002, bcdDevice=b9.5b [ 39.077438][ T4226] usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0 [ 39.081806][ T4226] usb 1-1: config 0 descriptor?? [ 39.121750][ T4226] gspca_main: se401-2.14.0 probing 047d:5002 [ 39.505252][ T4226] usb 1-1: reset high-speed USB device number 2 using dummy_hcd [ 39.698506][ T4226] usb 1-1: device descriptor read/64, error -32 [ 39.965153][ T4226] usb 1-1: reset high-speed USB device number 2 using dummy_hcd [ 40.155090][ T4226] usb 1-1: device descriptor read/64, error -32 [ 40.445249][ T4226] usb 1-1: reset high-speed USB device number 2 using dummy_hcd [ 40.555458][ T4226] usb 1-1: Using ep0 maxpacket: 16 [ 40.975683][ T4226] usb 1-1: device descriptor read/all, error 1 [ 41.125091][ T4226] usb 1-1: reset high-speed USB device number 2 using dummy_hcd [ 41.235298][ T4226] usb 1-1: device descriptor read/8, error -71 [ 41.356212][ T4226] gspca_se401: read req failed req 0x06 error -19 [ 41.359276][ T4226] usb 1-1: USB disconnect, device number 2 [ 41.360145][ T4228] ================================================================== [ 41.362127][ T4228] BUG: KASAN: slab-out-of-bounds in read_descriptors+0x23c/0x290 [ 41.363650][ T4228] Read of size 2 at addr ffff0000d8e96aaa by task udevd/4228 [ 41.365197][ T4228] [ 41.365719][ T4228] CPU: 1 PID: 4228 Comm: udevd Not tainted 6.1.34-syzkaller #0 [ 41.367432][ T4228] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/25/2023 [ 41.369786][ T4228] Call trace: [ 41.370454][ T4228] dump_backtrace+0x1c8/0x1f4 [ 41.371530][ T4228] show_stack+0x2c/0x3c [ 41.372392][ T4228] dump_stack_lvl+0x108/0x170 [ 41.373352][ T4228] print_report+0x174/0x4c0 [ 41.374353][ T4228] kasan_report+0xd4/0x130 [ 41.375343][ T4228] __asan_report_load2_noabort+0x2c/0x38 [ 41.376641][ T4228] read_descriptors+0x23c/0x290 [ 41.377731][ T4228] sysfs_kf_bin_read+0x19c/0x1d4 [ 41.378764][ T4228] kernfs_fop_read_iter+0x3ac/0x5c8 [ 41.379944][ T4228] vfs_read+0x5bc/0x8ac [ 41.380815][ T4228] ksys_read+0x15c/0x26c [ 41.381726][ T4228] __arm64_sys_read+0x7c/0x90 [ 41.382750][ T4228] invoke_syscall+0x98/0x2c0 [ 41.383771][ T4228] el0_svc_common+0x138/0x258 [ 41.384739][ T4228] do_el0_svc+0x64/0x218 [ 41.385776][ T4228] el0_svc+0x58/0x168 [ 41.386708][ T4228] el0t_64_sync_handler+0x84/0xf0 [ 41.387801][ T4228] el0t_64_sync+0x18c/0x190 [ 41.388766][ T4228] [ 41.389275][ T4228] Allocated by task 4226: [ 41.390184][ T4228] kasan_set_track+0x4c/0x80 [ 41.391186][ T4228] kasan_save_alloc_info+0x24/0x30 [ 41.392216][ T4228] __kasan_kmalloc+0xac/0xc4 [ 41.393336][ T4228] __kmalloc+0xd8/0x1c4 [ 41.394186][ T4228] usb_get_configuration+0xd8/0x4048 [ 41.395354][ T4228] usb_new_device+0x134/0x142c [ 41.396445][ T4228] hub_event+0x23dc/0x44a0 [ 41.397396][ T4228] process_one_work+0x7ac/0x1404 [ 41.398394][ T4228] worker_thread+0x8e4/0xfec [ 41.399385][ T4228] kthread+0x250/0x2d8 [ 41.400254][ T4228] ret_from_fork+0x10/0x20 [ 41.401082][ T4228] [ 41.401635][ T4228] The buggy address belongs to the object at ffff0000d8e96800 [ 41.401635][ T4228] which belongs to the cache kmalloc-1k of size 1024 [ 41.404814][ T4228] The buggy address is located 682 bytes inside of [ 41.404814][ T4228] 1024-byte region [ffff0000d8e96800, ffff0000d8e96c00) [ 41.407709][ T4228] [ 41.408217][ T4228] The buggy address belongs to the physical page: [ 41.409566][ T4228] page:000000003eb4bdce refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x118e90 [ 41.411692][ T4228] head:000000003eb4bdce order:3 compound_mapcount:0 compound_pincount:0 [ 41.413506][ T4228] flags: 0x5ffc00000010200(slab|head|node=0|zone=2|lastcpupid=0x7ff) [ 41.415214][ T4228] raw: 05ffc00000010200 0000000000000000 dead000000000122 ffff0000c0002780 [ 41.416968][ T4228] raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000 [ 41.418789][ T4228] page dumped because: kasan: bad access detected [ 41.420232][ T4228] [ 41.420716][ T4228] Memory state around the buggy address: [ 41.421902][ T4228] ffff0000d8e96980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 41.423637][ T4228] ffff0000d8e96a00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 41.425241][ T4228] >ffff0000d8e96a80: 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc [ 41.427005][ T4228] ^ [ 41.428138][ T4228] ffff0000d8e96b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 41.429796][ T4228] ffff0000d8e96b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 41.431472][ T4228] ================================================================== [ 41.433346][ T4228] Disabling lock debugging due to kernel taint [ 41.438662][ T4226] ------------[ cut here ]------------ [ 41.439863][ T4226] virt_to_phys used for non-linear address: 00000000e3c11ec8 (0x4e102fc00001082) [ 41.441590][ T4226] WARNING: CPU: 0 PID: 4226 at arch/arm64/mm/physaddr.c:15 __virt_to_phys+0x84/0x9c [ 41.443497][ T4226] Modules linked in: [ 41.444318][ T4226] CPU: 0 PID: 4226 Comm: kworker/0:4 Tainted: G B 6.1.34-syzkaller #0 [ 41.446403][ T4226] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/25/2023 [ 41.448677][ T4226] Workqueue: usb_hub_wq hub_event [ 41.449707][ T4226] pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) [ 41.451347][ T4226] pc : __virt_to_phys+0x84/0x9c [ 41.452344][ T4226] lr : __virt_to_phys+0x80/0x9c [ 41.453397][ T4226] sp : ffff80001dac74f0 [ 41.454275][ T4226] x29: ffff80001dac74f0 x28: dfff800000000000 x27: ffff0000d8bf4548 [ 41.455934][ T4226] x26: ffff0000ccab3700 x25: 0000000000000011 x24: 1fffe0001b17e8a7 [ 41.457568][ T4226] x23: 0000000000000080 x22: ffff0000d8bf4539 x21: 0000000000040000 [ 41.459170][ T4226] x20: 04e202fc00001082 x19: 04e102fc00001082 x18: 1fffe000368b5f76 [ 41.460872][ T4226] x17: 6534783028203863 x16: ffff800012104df4 x15: 0000000000000000 [ 41.462469][ T4226] x14: 0000000000000000 x13: 0000000000000001 x12: 0000000000000001 [ 41.464044][ T4226] x11: ff8080000804fb18 x10: 0000000000000000 x9 : 8b7458b0e6f00a00 [ 41.465741][ T4226] x8 : ffff800014fcd000 x7 : 0000000000000000 x6 : ffff8000121d160c [ 41.467424][ T4226] x5 : 0000000000000000 x4 : 0000000000000001 x3 : 0000000000000000 [ 41.469163][ T4226] x2 : ffff80001dac7100 x1 : 0000000000000000 x0 : ffff8000121d2340 [ 41.470887][ T4226] Call trace: [ 41.471645][ T4226] __virt_to_phys+0x84/0x9c [ 41.472548][ T4226] kfree+0x90/0x1b8 [ 41.473302][ T4226] usb_destroy_configuration+0xd8/0x574 [ 41.474505][ T4226] usb_release_dev+0x48/0xcc [ 41.475483][ T4226] device_release+0x8c/0x1ac [ 41.476536][ T4226] kobject_put+0x2a8/0x41c [ 41.477415][ T4226] put_device+0x28/0x40 [ 41.478287][ T4226] usb_disconnect+0x618/0x7b0 [ 41.479316][ T4226] hub_event+0x17a0/0x44a0 [ 41.480191][ T4226] process_one_work+0x7ac/0x1404 [ 41.481258][ T4226] worker_thread+0xb6c/0xfec [ 41.482242][ T4226] kthread+0x250/0x2d8 [ 41.483105][ T4226] ret_from_fork+0x10/0x20 [ 41.484048][ T4226] irq event stamp: 13410 [ 41.484924][ T4226] hardirqs last enabled at (13409): [] finish_lock_switch+0xbc/0x1e8 [ 41.486944][ T4226] hardirqs last disabled at (13410): [] __schedule+0x2a4/0x1c98 [ 41.488965][ T4226] softirqs last enabled at (6958): [] __do_softirq+0xc14/0xea0 [ 41.490920][ T4226] softirqs last disabled at (6939): [] ____do_softirq+0x14/0x20 [ 41.492936][ T4226] ---[ end trace 0000000000000000 ]--- [ 41.495096][ T4226] Unable to handle kernel paging request at virtual address 0013820bf5738048 [ 41.496835][ T4226] Mem abort info: [ 41.497637][ T4226] ESR = 0x0000000096000004 [ 41.498620][ T4226] EC = 0x25: DABT (current EL), IL = 32 bits [ 41.499898][ T4226] SET = 0, FnV = 0 [ 41.500629][ T4226] EA = 0, S1PTW = 0 [ 41.501435][ T4226] FSC = 0x04: level 0 translation fault [ 41.502615][ T4226] Data abort info: [ 41.503455][ T4226] ISV = 0, ISS = 0x00000004 [ 41.504449][ T4226] CM = 0, WnR = 0 [ 41.505877][ T4226] [0013820bf5738048] address between user and kernel address ranges [ 41.507398][ T4226] Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP [ 41.508923][ T4226] Modules linked in: [ 41.509645][ T4226] CPU: 0 PID: 4226 Comm: kworker/0:4 Tainted: G B W 6.1.34-syzkaller #0 [ 41.511675][ T4226] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/25/2023 [ 41.513761][ T4226] Workqueue: usb_hub_wq hub_event [ 41.514809][ T4226] pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) [ 41.516439][ T4226] pc : kfree+0xa4/0x1b8 [ 41.517298][ T4226] lr : kfree+0x90/0x1b8 [ 41.518219][ T4226] sp : ffff80001dac7510 [ 41.519072][ T4226] x29: ffff80001dac7510 x28: dfff800000000000 x27: ffff0000d8bf4548 [ 41.520700][ T4226] x26: ffff0000ccab3700 x25: 0000000000000011 x24: 1fffe0001b17e8a7 [ 41.522476][ T4226] x23: 0000000000000080 x22: ffff0000d8bf4539 x21: 0000000000040000 [ 41.524110][ T4226] x20: ffff80000daebc68 x19: 04e102fc00001082 x18: 1fffe000368b5f76 [ 41.525786][ T4226] x17: 6534783028203863 x16: ffff800012104df4 x15: 0000000000000000 [ 41.527505][ T4226] x14: 0000000000000000 x13: 0000000000000001 x12: 0000000000000001 [ 41.529252][ T4226] x11: ff8080000804fb18 x10: 0000000000000000 x9 : 0013860bf5738040 [ 41.531073][ T4226] x8 : fffffc0000000000 x7 : 0000000000000000 x6 : ffff8000121d160c [ 41.532685][ T4226] x5 : 0000000000000000 x4 : 0000000000000001 x3 : 0000000000000000 [ 41.534254][ T4226] x2 : ffff80001dac7100 x1 : 0000000000000000 x0 : 0013820bf5738040 [ 41.535844][ T4226] Call trace: [ 41.536566][ T4226] kfree+0xa4/0x1b8 [ 41.537368][ T4226] usb_destroy_configuration+0xd8/0x574 [ 41.538639][ T4226] usb_release_dev+0x48/0xcc [ 41.539614][ T4226] device_release+0x8c/0x1ac [ 41.540519][ T4226] kobject_put+0x2a8/0x41c [ 41.541458][ T4226] put_device+0x28/0x40 [ 41.542300][ T4226] usb_disconnect+0x618/0x7b0 [ 41.543303][ T4226] hub_event+0x17a0/0x44a0 [ 41.544203][ T4226] process_one_work+0x7ac/0x1404 [ 41.545270][ T4226] worker_thread+0xb6c/0xfec [ 41.546197][ T4226] kthread+0x250/0x2d8 [ 41.547116][ T4226] ret_from_fork+0x10/0x20 [ 41.548074][ T4226] Code: b25657e8 927acd29 cb151929 8b080120 (f9400408) [ 41.549555][ T4226] ---[ end trace 0000000000000000 ]--- [ 41.917986][ T4226] Kernel panic - not syncing: Oops: Fatal exception [ 41.919421][ T4226] SMP: stopping secondary CPUs [ 41.920386][ T4226] Kernel Offset: disabled [ 41.921401][ T4226] CPU features: 0x00000,02070084,26017203 [ 41.922526][ T4226] Memory Limit: none [ 42.283248][ T4226] Rebooting in 86400 seconds..