forked to background, child pid 3181
no interfaces have a carrier
[ 24.834425][ T3182] 8021q: adding VLAN 0 to HW filter on device bond0
[ 24.850107][ T3182] eql: remember to turn off Van-Jacobson compression on your slave devices
Starting sshd: OK
syzkaller
Warning: Permanently added '10.128.0.93' (ECDSA) to the list of known hosts.
syzkaller login: [ 39.510937][ T3596] chnl_net:caif_netlink_parms(): no params data found
[ 39.547850][ T3596] bridge0: port 1(bridge_slave_0) entered blocking state
[ 39.555758][ T3596] bridge0: port 1(bridge_slave_0) entered disabled state
[ 39.563605][ T3596] device bridge_slave_0 entered promiscuous mode
[ 39.571656][ T3596] bridge0: port 2(bridge_slave_1) entered blocking state
[ 39.578796][ T3596] bridge0: port 2(bridge_slave_1) entered disabled state
[ 39.586567][ T3596] device bridge_slave_1 entered promiscuous mode
[ 39.604055][ T3596] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 39.614728][ T3596] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 39.636876][ T3596] team0: Port device team_slave_0 added
[ 39.645352][ T3596] team0: Port device team_slave_1 added
[ 39.662420][ T3596] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 39.669875][ T3596] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 39.695978][ T3596] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[ 39.709539][ T3596] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 39.716708][ T3596] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 39.742992][ T3596] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[ 39.768610][ T3596] device hsr_slave_0 entered promiscuous mode
[ 39.775822][ T3596] device hsr_slave_1 entered promiscuous mode
[ 39.856771][ T3596] netdevsim netdevsim0 netdevsim0: renamed from eth0
[ 39.869297][ T3596] netdevsim netdevsim0 netdevsim1: renamed from eth1
[ 39.880427][ T3596] netdevsim netdevsim0 netdevsim2: renamed from eth2
[ 39.890357][ T3596] netdevsim netdevsim0 netdevsim3: renamed from eth3
[ 39.914317][ T3596] bridge0: port 2(bridge_slave_1) entered blocking state
[ 39.921696][ T3596] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 39.929735][ T3596] bridge0: port 1(bridge_slave_0) entered blocking state
[ 39.936974][ T3596] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 39.980921][ T3596] 8021q: adding VLAN 0 to HW filter on device bond0
[ 39.992697][ T1131] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 40.005461][ T1131] bridge0: port 1(bridge_slave_0) entered disabled state
[ 40.015613][ T1131] bridge0: port 2(bridge_slave_1) entered disabled state
[ 40.024874][ T1131] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 40.040161][ T3596] 8021q: adding VLAN 0 to HW filter on device team0
[ 40.051214][ T135] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 40.060518][ T135] bridge0: port 1(bridge_slave_0) entered blocking state
[ 40.067782][ T135] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 40.079711][ T1131] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 40.088448][ T1131] bridge0: port 2(bridge_slave_1) entered blocking state
[ 40.095705][ T1131] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 40.116637][ T1131] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 40.126277][ T1131] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 40.135725][ T1131] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 40.148150][ T135] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 40.160712][ T3596] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
[ 40.172626][ T3596] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 40.181705][ T1131] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 40.200953][ T3596] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 40.209454][ T1131] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 40.217839][ T1131] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 40.241604][ T3596] device veth0_vlan entered promiscuous mode
[ 40.250004][ T917] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 40.259625][ T917] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 40.268729][ T917] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 40.277384][ T917] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 40.290335][ T3596] device veth1_vlan entered promiscuous mode
[ 40.311820][ T917] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan0: link becomes ready
[ 40.320238][ T917] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan1: link becomes ready
[ 40.329175][ T917] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 40.340864][ T3596] device veth0_macvtap entered promiscuous mode
[ 40.350288][ T3596] device veth1_macvtap entered promiscuous mode
[ 40.365763][ T3596] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 40.373780][ T917] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 40.383286][ T917] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready
[ 40.395230][ T3596] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 40.403304][ T3602] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 40.415158][ T3596] netdevsim netdevsim0 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0
[ 40.425017][ T3596] netdevsim netdevsim0 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0
[ 40.434014][ T3596] netdevsim netdevsim0 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0
executing program
[ 40.443092][ T3596] netdevsim netdevsim0 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0
[ 40.479181][ T3607] ==================================================================
[ 40.487500][ T3607] BUG: KASAN: use-after-free in ipvlan_queue_xmit+0x1731/0x19d0
[ 40.495178][ T3607] Read of size 4 at addr ffff88806f05a7ff by task syz-executor133/3607
[ 40.503572][ T3607]
[ 40.503976][ T3602] IPv6: ADDRCONF(NETDEV_CHANGE): ipvlan1: link becomes ready
[ 40.506080][ T3607] CPU: 0 PID: 3607 Comm: syz-executor133 Not tainted 5.16.0-rc6-syzkaller #0
[ 40.522294][ T3607] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 40.532399][ T3607] Call Trace:
[ 40.535783][ T3607]
[ 40.538721][ T3607] dump_stack_lvl+0xcd/0x134
[ 40.543367][ T3607] print_address_description.constprop.0.cold+0x8d/0x320
[ 40.550435][ T3607] ? ipvlan_queue_xmit+0x1731/0x19d0
[ 40.555748][ T3607] ? ipvlan_queue_xmit+0x1731/0x19d0
[ 40.561061][ T3607] kasan_report.cold+0x83/0xdf
[ 40.565945][ T3607] ? ipvlan_queue_xmit+0x1731/0x19d0
[ 40.571258][ T3607] ipvlan_queue_xmit+0x1731/0x19d0
[ 40.576390][ T3607] ? ipvlan_handle_mode_l3+0x140/0x140
[ 40.581957][ T3607] ? skb_network_protocol+0x148/0x580
[ 40.587615][ T3607] ? skb_crc32c_csum_help+0x70/0x70
[ 40.592826][ T3607] ? lockdep_hardirqs_on_prepare+0x400/0x400
[ 40.598811][ T3607] ? __sanitizer_cov_trace_const_cmp1+0x22/0x80
[ 40.605065][ T3607] ? validate_xmit_xfrm+0x498/0x1050
[ 40.610532][ T3607] ? netif_skb_features+0x38d/0xb90
[ 40.615744][ T3607] ipvlan_start_xmit+0x45/0x190
[ 40.620782][ T3607] __dev_direct_xmit+0x530/0x740
[ 40.625723][ T3607] ? validate_xmit_skb_list+0x120/0x120
[ 40.631279][ T3607] ? __sanitizer_cov_trace_const_cmp1+0x22/0x80
[ 40.637524][ T3607] ? __sanitizer_cov_trace_const_cmp4+0x1c/0x70
[ 40.643774][ T3607] ? netdev_pick_tx+0x14f/0xbe0
[ 40.648629][ T3607] packet_direct_xmit+0x1b8/0x2c0
[ 40.653667][ T3607] packet_sendmsg+0x2223/0x5280
[ 40.658541][ T3607] ? aa_sk_perm+0x30f/0xaa0
[ 40.663133][ T3607] ? packet_sendmsg_spkt+0x13e0/0x13e0
[ 40.668676][ T3607] ? aa_af_perm+0x230/0x230
[ 40.673191][ T3607] ? __sanitizer_cov_trace_const_cmp4+0x1c/0x70
[ 40.679438][ T3607] ? packet_sendmsg_spkt+0x13e0/0x13e0
[ 40.685092][ T3607] sock_sendmsg+0xcf/0x120
[ 40.689535][ T3607] __sys_sendto+0x21c/0x320
[ 40.694031][ T3607] ? __ia32_sys_getpeername+0xb0/0xb0
[ 40.699512][ T3607] ? lockdep_hardirqs_on_prepare+0x400/0x400
[ 40.705672][ T3607] ? kfree+0x1e1/0x560
[ 40.709761][ T3607] ? lock_downgrade+0x6e0/0x6e0
[ 40.714603][ T3607] ? lock_downgrade+0x6e0/0x6e0
[ 40.719459][ T3607] __x64_sys_sendto+0xdd/0x1b0
[ 40.724216][ T3607] ? lockdep_hardirqs_on+0x79/0x100
[ 40.729586][ T3607] ? syscall_enter_from_user_mode+0x21/0x70
[ 40.735504][ T3607] do_syscall_64+0x35/0xb0
[ 40.739945][ T3607] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 40.745839][ T3607] RIP: 0033:0x7efd9ae4dcd9
[ 40.750424][ T3607] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 41 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
[ 40.770207][ T3607] RSP: 002b:00007ffdbd78db18 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
[ 40.778719][ T3607] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007efd9ae4dcd9
[ 40.786700][ T3607] RDX: 000000000000000e RSI: 0000000020000080 RDI: 0000000000000005
[ 40.794672][ T3607] RBP: 0000000000000000 R08: 0000000020000040 R09: 0000000000000014
[ 40.802896][ T3607] R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffdbd78db40
[ 40.810872][ T3607] R13: 00000000000f4240 R14: 0000000000000000 R15: 0000000000000000
[ 40.819239][ T3607]
[ 40.822262][ T3607]
[ 40.824569][ T3607] The buggy address belongs to the page:
[ 40.830186][ T3607] page:ffffea0001bc1680 refcount:0 mapcount:0 mapping:0000000000000000 index:0x100 pfn:0x6f05a
[ 40.840509][ T3607] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
[ 40.847720][ T3607] raw: 00fff00000000000 dead000000000100 dead000000000122 0000000000000000
[ 40.856486][ T3607] raw: 0000000000000100 0000000000000000 00000000ffffffff 0000000000000000
[ 40.865157][ T3607] page dumped because: kasan: bad access detected
[ 40.871575][ T3607] page_owner tracks the page as freed
[ 40.876931][ T3607] page last allocated via order 2, migratetype Unmovable, gfp_mask 0x2a20(GFP_ATOMIC|__GFP_NOWARN), pid 3602, ts 40545051440, free_ts 40545056049
[ 40.891880][ T3607] get_page_from_freelist+0xa72/0x2f50
[ 40.897357][ T3607] __alloc_pages+0x1b2/0x500
[ 40.901946][ T3607] alloc_pages+0x1a7/0x300
[ 40.906360][ T3607] __stack_depot_save+0x3b5/0x4f0
[ 40.911384][ T3607] kasan_save_stack+0x38/0x50
[ 40.916059][ T3607] __kasan_slab_alloc+0x90/0xc0
[ 40.920911][ T3607] kmem_cache_alloc+0x202/0x3a0
[ 40.925852][ T3607] skb_clone+0x170/0x3c0
[ 40.930361][ T3607] packet_rcv+0xe26/0x13e0
[ 40.934779][ T3607] __netif_receive_skb_core+0x9ce/0x3770
[ 40.940420][ T3607] __netif_receive_skb_one_core+0xae/0x180
[ 40.946423][ T3607] __netif_receive_skb+0x24/0x1b0
[ 40.951451][ T3607] process_backlog+0x2a5/0x6c0
[ 40.956218][ T3607] __napi_poll+0xaf/0x440
[ 40.960557][ T3607] net_rx_action+0x801/0xb40
[ 40.965142][ T3607] __do_softirq+0x29b/0x9c2
[ 40.969736][ T3607] page last free stack trace:
[ 40.974561][ T3607] free_pcp_prepare+0x374/0x870
[ 40.979611][ T3607] free_unref_page+0x19/0x690
[ 40.984283][ T3607] __stack_depot_save+0x16d/0x4f0
[ 40.989303][ T3607] kasan_save_stack+0x38/0x50
[ 40.993978][ T3607] __kasan_slab_alloc+0x90/0xc0
[ 40.998825][ T3607] kmem_cache_alloc+0x202/0x3a0
[ 41.003664][ T3607] skb_clone+0x170/0x3c0
[ 41.007980][ T3607] packet_rcv+0xe26/0x13e0
[ 41.012385][ T3607] __netif_receive_skb_core+0x9ce/0x3770
[ 41.018024][ T3607] __netif_receive_skb_one_core+0xae/0x180
[ 41.023833][ T3607] __netif_receive_skb+0x24/0x1b0
[ 41.028850][ T3607] process_backlog+0x2a5/0x6c0
[ 41.033613][ T3607] __napi_poll+0xaf/0x440
[ 41.037937][ T3607] net_rx_action+0x801/0xb40
[ 41.042519][ T3607] __do_softirq+0x29b/0x9c2
[ 41.047025][ T3607] do_softirq.part.0+0xde/0x130
[ 41.051889][ T3607]
[ 41.054202][ T3607] Memory state around the buggy address:
[ 41.059819][ T3607] ffff88806f05a680: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 41.067964][ T3607] ffff88806f05a700: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 41.076112][ T3607] >ffff88806f05a780: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 41.084163][ T3607] ^
[ 41.092120][ T3607] ffff88806f05a800: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 41.100187][ T3607] ffff88806f05a880: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 41.108260][ T3607] ==================================================================
[ 41.116317][ T3607] Disabling lock debugging due to kernel taint
[ 41.122532][ T3607] Kernel panic - not syncing: panic_on_warn set ...
[ 41.129126][ T3607] CPU: 0 PID: 3607 Comm: syz-executor133 Tainted: G B 5.16.0-rc6-syzkaller #0
[ 41.139469][ T3607] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 41.149538][ T3607] Call Trace:
[ 41.152827][ T3607]
[ 41.155773][ T3607] dump_stack_lvl+0xcd/0x134
[ 41.160635][ T3607] panic+0x2b0/0x6dd
[ 41.164529][ T3607] ? __warn_printk+0xf3/0xf3
[ 41.169207][ T3607] ? ipvlan_queue_xmit+0x1731/0x19d0
[ 41.174587][ T3607] ? trace_hardirqs_on+0x38/0x1c0
[ 41.179625][ T3607] ? trace_hardirqs_on+0x51/0x1c0
[ 41.184657][ T3607] ? ipvlan_queue_xmit+0x1731/0x19d0
[ 41.189942][ T3607] ? ipvlan_queue_xmit+0x1731/0x19d0
[ 41.195235][ T3607] end_report.cold+0x63/0x6f
[ 41.199963][ T3607] kasan_report.cold+0x71/0xdf
[ 41.204821][ T3607] ? ipvlan_queue_xmit+0x1731/0x19d0
[ 41.210220][ T3607] ipvlan_queue_xmit+0x1731/0x19d0
[ 41.215339][ T3607] ? ipvlan_handle_mode_l3+0x140/0x140
[ 41.220824][ T3607] ? skb_network_protocol+0x148/0x580
[ 41.226201][ T3607] ? skb_crc32c_csum_help+0x70/0x70
[ 41.231402][ T3607] ? lockdep_hardirqs_on_prepare+0x400/0x400
[ 41.237385][ T3607] ? __sanitizer_cov_trace_const_cmp1+0x22/0x80
[ 41.243642][ T3607] ? validate_xmit_xfrm+0x498/0x1050
[ 41.248926][ T3607] ? netif_skb_features+0x38d/0xb90
[ 41.254126][ T3607] ipvlan_start_xmit+0x45/0x190
[ 41.258983][ T3607] __dev_direct_xmit+0x530/0x740
[ 41.263920][ T3607] ? validate_xmit_skb_list+0x120/0x120
[ 41.269984][ T3607] ? __sanitizer_cov_trace_const_cmp1+0x22/0x80
[ 41.276228][ T3607] ? __sanitizer_cov_trace_const_cmp4+0x1c/0x70
[ 41.282474][ T3607] ? netdev_pick_tx+0x14f/0xbe0
[ 41.287336][ T3607] packet_direct_xmit+0x1b8/0x2c0
[ 41.292369][ T3607] packet_sendmsg+0x2223/0x5280
[ 41.297229][ T3607] ? aa_sk_perm+0x30f/0xaa0
[ 41.301746][ T3607] ? packet_sendmsg_spkt+0x13e0/0x13e0
[ 41.307215][ T3607] ? aa_af_perm+0x230/0x230
[ 41.311720][ T3607] ? __sanitizer_cov_trace_const_cmp4+0x1c/0x70
[ 41.317967][ T3607] ? packet_sendmsg_spkt+0x13e0/0x13e0
[ 41.323427][ T3607] sock_sendmsg+0xcf/0x120
[ 41.327838][ T3607] __sys_sendto+0x21c/0x320
[ 41.332331][ T3607] ? __ia32_sys_getpeername+0xb0/0xb0
[ 41.337872][ T3607] ? lockdep_hardirqs_on_prepare+0x400/0x400
[ 41.344215][ T3607] ? kfree+0x1e1/0x560
[ 41.348393][ T3607] ? lock_downgrade+0x6e0/0x6e0
[ 41.353338][ T3607] ? lock_downgrade+0x6e0/0x6e0
[ 41.358701][ T3607] __x64_sys_sendto+0xdd/0x1b0
[ 41.363542][ T3607] ? lockdep_hardirqs_on+0x79/0x100
[ 41.368935][ T3607] ? syscall_enter_from_user_mode+0x21/0x70
[ 41.374814][ T3607] do_syscall_64+0x35/0xb0
[ 41.379388][ T3607] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 41.385356][ T3607] RIP: 0033:0x7efd9ae4dcd9
[ 41.389781][ T3607] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 41 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
[ 41.410421][ T3607] RSP: 002b:00007ffdbd78db18 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
[ 41.419032][ T3607] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007efd9ae4dcd9
[ 41.426994][ T3607] RDX: 000000000000000e RSI: 0000000020000080 RDI: 0000000000000005
[ 41.434954][ T3607] RBP: 0000000000000000 R08: 0000000020000040 R09: 0000000000000014
[ 41.442911][ T3607] R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffdbd78db40
[ 41.450869][ T3607] R13: 00000000000f4240 R14: 0000000000000000 R15: 0000000000000000
[ 41.458833][ T3607]
[ 41.462826][ T3607] Kernel Offset: disabled
[ 41.467380][ T3607] Rebooting in 86400 seconds..