[ 50.635198][ T8] bridge0: port 1(bridge_slave_0) entered disabled state
[ 50.656098][ T8] device veth1_macvtap left promiscuous mode
[ 50.662568][ T8] device veth0_macvtap left promiscuous mode
[ 50.670872][ T8] device veth1_vlan left promiscuous mode
[ 50.676981][ T8] device veth0_vlan left promiscuous mode
[ 50.872342][ T8] team0 (unregistering): Port device team_slave_1 removed
[ 50.885228][ T8] team0 (unregistering): Port device team_slave_0 removed
[ 50.897704][ T8] bond0 (unregistering): (slave bond_slave_1): Releasing backup interface
[ 50.911463][ T8] bond0 (unregistering): (slave bond_slave_0): Releasing backup interface
[ 50.958155][ T8] bond0 (unregistering): Released all slaves
Warning: Permanently added '10.128.10.37' (ECDSA) to the list of known hosts.
2022/08/06 05:15:52 parsed 1 programs
2022/08/06 05:15:53 executed programs: 0
[ 66.150076][ T1233] ieee802154 phy0 wpan0: encryption failed: -22
[ 66.156991][ T1233] ieee802154 phy1 wpan1: encryption failed: -22
[ 67.108013][ T3598] Bluetooth: hci0: Opcode 0x c03 failed: -110
[ 71.267973][ T3598] Bluetooth: hci0: Opcode 0x c03 failed: -110
[ 71.274047][ T6] cfg80211: failed to load regulatory.db
[ 75.427956][ T3598] Bluetooth: hci0: Opcode 0x c03 failed: -110
[ 77.514487][ T47] Bluetooth: hci0: unexpected cc 0x0c03 length: 249 > 1
[ 77.522617][ T47] Bluetooth: hci0: unexpected cc 0x1003 length: 249 > 9
[ 77.531082][ T47] Bluetooth: hci0: unexpected cc 0x1001 length: 249 > 9
[ 77.539058][ T47] Bluetooth: hci0: unexpected cc 0x0c23 length: 249 > 4
[ 77.547037][ T47] Bluetooth: hci0: unexpected cc 0x0c25 length: 249 > 3
[ 77.554393][ T47] Bluetooth: hci0: unexpected cc 0x0c38 length: 249 > 2
[ 77.615462][ T4061] chnl_net:caif_netlink_parms(): no params data found
[ 77.650140][ T4061] bridge0: port 1(bridge_slave_0) entered blocking state
[ 77.657259][ T4061] bridge0: port 1(bridge_slave_0) entered disabled state
[ 77.665256][ T4061] device bridge_slave_0 entered promiscuous mode
[ 77.673678][ T4061] bridge0: port 2(bridge_slave_1) entered blocking state
[ 77.681572][ T4061] bridge0: port 2(bridge_slave_1) entered disabled state
[ 77.690117][ T4061] device bridge_slave_1 entered promiscuous mode
[ 77.710602][ T4061] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 77.721708][ T4061] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 77.743197][ T4061] team0: Port device team_slave_0 added
[ 77.751680][ T4061] team0: Port device team_slave_1 added
[ 77.767751][ T4061] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 77.775295][ T4061] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 77.804116][ T4061] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[ 77.816733][ T4061] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 77.824409][ T4061] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 77.852387][ T4061] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[ 77.876398][ T4061] device hsr_slave_0 entered promiscuous mode
[ 77.883728][ T4061] device hsr_slave_1 entered promiscuous mode
[ 77.935833][ T4061] bridge0: port 2(bridge_slave_1) entered blocking state
[ 77.943318][ T4061] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 77.951464][ T4061] bridge0: port 1(bridge_slave_0) entered blocking state
[ 77.958760][ T4061] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 77.993989][ T4061] 8021q: adding VLAN 0 to HW filter on device bond0
[ 78.005980][ T6] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 78.015045][ T6] bridge0: port 1(bridge_slave_0) entered disabled state
[ 78.023260][ T6] bridge0: port 2(bridge_slave_1) entered disabled state
[ 78.033477][ T6] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 78.044829][ T4061] 8021q: adding VLAN 0 to HW filter on device team0
[ 78.055216][ T6] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 78.063913][ T6] bridge0: port 1(bridge_slave_0) entered blocking state
[ 78.071256][ T6] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 78.081658][ T26] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 78.090457][ T26] bridge0: port 2(bridge_slave_1) entered blocking state
[ 78.102193][ T26] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 78.119310][ T26] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 78.128181][ T26] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 78.136634][ T26] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 78.149283][ T143] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 78.161706][ T4061] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
[ 78.173941][ T4061] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 78.182070][ T26] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 78.197236][ T143] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 78.204759][ T143] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 78.216767][ T4061] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 78.378331][ T26] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 78.387454][ T26] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 78.396188][ T26] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 78.404922][ T26] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 78.415044][ T4061] device veth0_vlan entered promiscuous mode
[ 78.425583][ T4061] device veth1_vlan entered promiscuous mode
[ 78.442102][ T26] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan0: link becomes ready
[ 78.451003][ T26] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan1: link becomes ready
[ 78.459786][ T26] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 78.471102][ T4061] device veth0_macvtap entered promiscuous mode
[ 78.481727][ T4061] device veth1_macvtap entered promiscuous mode
[ 78.500393][ T4061] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 78.508070][ T143] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 78.517412][ T143] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready
[ 78.529620][ T4061] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 78.537623][ T143] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 78.579411][ T500] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[ 78.587438][ T500] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50
[ 78.605536][ T143] IPv6: ADDRCONF(NETDEV_CHANGE): wlan0: link becomes ready
[ 78.614747][ T45] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[ 78.624119][ T45] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50
[ 78.634293][ T143] IPv6: ADDRCONF(NETDEV_CHANGE): wlan1: link becomes ready
2022/08/06 05:16:07 executed programs: 1
[ 78.768617][ T500] ==================================================================
[ 78.776708][ T500] BUG: KASAN: use-after-free in __io_remove_buffers.part.0+0x32c/0x470
[ 78.785201][ T500] Read of size 2 at addr ffff88807b9a9012 by task kworker/u4:3/500
[ 78.793350][ T500]
[ 78.795664][ T500] CPU: 1 PID: 500 Comm: kworker/u4:3 Not tainted 5.18.0-rc4-syzkaller #0
[ 78.804272][ T500] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/22/2022
[ 78.814926][ T500] Workqueue: events_unbound io_ring_exit_work
[ 78.821511][ T500] Call Trace:
[ 78.824854][ T500]
[ 78.827772][ T500] dump_stack_lvl+0x57/0x7d
[ 78.832265][ T500] print_address_description.constprop.0.cold+0xeb/0x495
[ 78.839456][ T500] ? __io_remove_buffers.part.0+0x32c/0x470
[ 78.845489][ T500] kasan_report.cold+0xf4/0x1c6
[ 78.851549][ T500] ? _raw_spin_trylock+0x70/0x70
[ 78.856482][ T500] ? __io_remove_buffers.part.0+0x32c/0x470
[ 78.862366][ T500] __io_remove_buffers.part.0+0x32c/0x470
[ 78.868106][ T500] io_ring_exit_work+0x757/0xc5f
[ 78.873037][ T500] ? io_uring_try_cancel_requests+0x61c/0x61c
[ 78.879370][ T500] ? lock_acquire+0x1ab/0x510
[ 78.884038][ T500] ? io_uring_del_tctx_node+0x1df/0x1df
[ 78.889621][ T500] process_one_work+0x865/0x13d0
[ 78.894634][ T500] ? lock_release+0x720/0x720
[ 78.899297][ T500] ? pwq_dec_nr_in_flight+0x230/0x230
[ 78.904744][ T500] ? rwlock_bug.part.0+0x90/0x90
[ 78.909668][ T500] ? _raw_spin_lock_irq+0x41/0x50
[ 78.914683][ T500] worker_thread+0x598/0xec0
[ 78.919348][ T500] ? process_one_work+0x13d0/0x13d0
[ 78.924533][ T500] kthread+0x299/0x340
[ 78.928584][ T500] ? kthread_complete_and_exit+0x20/0x20
[ 78.934228][ T500] ret_from_fork+0x1f/0x30
[ 78.938810][ T500]
[ 78.941990][ T500]
[ 78.944301][ T500] Allocated by task 4080:
[ 78.948610][ T500] kasan_save_stack+0x1e/0x40
[ 78.953272][ T500] __kasan_kmalloc+0xa9/0xd0
[ 78.958450][ T500] io_init_bl_list+0x1f/0xea
[ 78.963118][ T500] __do_sys_io_uring_register.cold+0x495/0xcba
[ 78.969806][ T500] do_syscall_64+0x35/0xb0
[ 78.974557][ T500] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 78.980609][ T500]
[ 78.982919][ T500] Freed by task 4080:
[ 78.986876][ T500] kasan_save_stack+0x1e/0x40
[ 78.991623][ T500] kasan_set_track+0x21/0x30
[ 78.996196][ T500] kasan_set_free_info+0x20/0x30
[ 79.001215][ T500] ____kasan_slab_free+0x166/0x1a0
[ 79.006666][ T500] slab_free_freelist_hook+0x8b/0x1c0
[ 79.012024][ T500] kfree+0xd6/0x4d0
[ 79.016244][ T500] __do_sys_io_uring_register+0x1557/0x19d0
[ 79.022323][ T500] do_syscall_64+0x35/0xb0
[ 79.027079][ T500] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 79.033222][ T500]
[ 79.035533][ T500] The buggy address belongs to the object at ffff88807b9a9000
[ 79.035533][ T500]  which belongs to the cache kmalloc-2k of size 2048
[ 79.049754][ T500] The buggy address is located 18 bytes inside of
[ 79.049754][ T500]  2048-byte region [ffff88807b9a9000, ffff88807b9a9800)
[ 79.063275][ T500]
[ 79.065761][ T500] The buggy address belongs to the physical page:
[ 79.072157][ T500] page:ffffea0001ee6a00 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x7b9a8
[ 79.082346][ T500] head:ffffea0001ee6a00 order:3 compound_mapcount:0 compound_pincount:0
[ 79.090657][ T500] flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff)
[ 79.098666][ T500] raw: 00fff00000010200 0000000000000000 dead000000000001 ffff888010842000
[ 79.107253][ T500] raw: 0000000000000000 0000000080080008 00000001ffffffff 0000000000000000
[ 79.116453][ T500] page dumped because: kasan: bad access detected
[ 79.122851][ T500] page_owner tracks the page as allocated
[ 79.128640][ T500] page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 3594, tgid 3594 (syz-executor.0), ts 43160208108, free_ts 35760742800
[ 79.150679][ T500] get_page_from_freelist+0x178d/0x3dc0
[ 79.156312][ T500] __alloc_pages+0x1b2/0x500
[ 79.160885][ T500] allocate_slab+0x26c/0x3c0
[ 79.165495][ T500] ___slab_alloc+0x8e1/0xf20
[ 79.170075][ T500] __slab_alloc.constprop.0+0x4d/0xa0
[ 79.176042][ T500] kmem_cache_alloc_trace+0x310/0x3f0
[ 79.181386][ T500] ipv6_add_dev+0xcc/0x10f0
[ 79.185869][ T500] addrconf_notify+0x5b7/0x15a0
[ 79.190802][ T500] notifier_call_chain+0x94/0x170
[ 79.195884][ T500] register_netdevice+0xd6f/0x1400
[ 79.201049][ T500] __rtnl_newlink+0x10a4/0x13f0
[ 79.206073][ T500] rtnl_newlink+0x5a/0x90
[ 79.210370][ T500] rtnetlink_rcv_msg+0x31d/0x8d0
[ 79.215652][ T500] netlink_rcv_skb+0x118/0x370
[ 79.220477][ T500] netlink_unicast+0x433/0x710
[ 79.225208][ T500] netlink_sendmsg+0x770/0xc20
[ 79.230052][ T500] page last free stack trace:
[ 79.234710][ T500] free_pcp_prepare+0x549/0xd20
[ 79.239653][ T500] free_unref_page+0x19/0x6a0
[ 79.244762][ T500] skb_release_data+0x3db/0x650
[ 79.249589][ T500] __kfree_skb+0x39/0x50
[ 79.253993][ T500] tcp_recvmsg+0x17f/0x4b0
[ 79.258757][ T500] inet_recvmsg+0xf2/0x490
[ 79.263239][ T500] sock_read_iter+0x2ae/0x3f0
[ 79.267915][ T500] new_sync_read+0x413/0x510
[ 79.272913][ T500] vfs_read+0x378/0x4b0
[ 79.277507][ T500] ksys_read+0x16b/0x1c0
[ 79.281801][ T500] do_syscall_64+0x35/0xb0
[ 79.286199][ T500] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 79.292071][ T500]
[ 79.294380][ T500] Memory state around the buggy address:
[ 79.299980][ T500]  ffff88807b9a8f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 79.308032][ T500]  ffff88807b9a8f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 79.316156][ T500] >ffff88807b9a9000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 79.324188][ T500]                          ^
[ 79.328843][ T500]  ffff88807b9a9080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 79.336954][ T500]  ffff88807b9a9100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 79.345066][ T500] ==================================================================
[ 79.367107][ T500] Kernel panic - not syncing: panic_on_warn set ...
[ 79.373962][ T500] CPU: 1 PID: 500 Comm: kworker/u4:3 Not tainted 5.18.0-rc4-syzkaller #0
[ 79.382359][ T500] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/22/2022
[ 79.393172][ T500] Workqueue: events_unbound io_ring_exit_work
[ 79.399217][ T500] Call Trace:
[ 79.402475][ T500]
[ 79.405391][ T500] dump_stack_lvl+0x57/0x7d
[ 79.409867][ T500] panic+0x227/0x466
[ 79.413731][ T500] ? panic_print_sys_info.part.0+0x69/0x69
[ 79.419553][ T500] ? preempt_schedule_common+0x59/0xc0
[ 79.425065][ T500] ? __io_remove_buffers.part.0+0x32c/0x470
[ 79.430939][ T500] ? preempt_schedule_thunk+0x16/0x18
[ 79.436280][ T500] ? __io_remove_buffers.part.0+0x32c/0x470
[ 79.442211][ T500] end_report.part.0+0x3f/0x7c
[ 79.447465][ T500] kasan_report.cold+0x93/0x1c6
[ 79.452370][ T500] ? _raw_spin_trylock+0x70/0x70
[ 79.457276][ T500] ? __io_remove_buffers.part.0+0x32c/0x470
[ 79.463137][ T500] __io_remove_buffers.part.0+0x32c/0x470
[ 79.468911][ T500] io_ring_exit_work+0x757/0xc5f
[ 79.473832][ T500] ? io_uring_try_cancel_requests+0x61c/0x61c
[ 79.480049][ T500] ? lock_acquire+0x1ab/0x510
[ 79.484789][ T500] ? io_uring_del_tctx_node+0x1df/0x1df
[ 79.490742][ T500] process_one_work+0x865/0x13d0
[ 79.495835][ T500] ? lock_release+0x720/0x720
[ 79.500569][ T500] ? pwq_dec_nr_in_flight+0x230/0x230
[ 79.505997][ T500] ? rwlock_bug.part.0+0x90/0x90
[ 79.510911][ T500] ? _raw_spin_lock_irq+0x41/0x50
[ 79.515998][ T500] worker_thread+0x598/0xec0
[ 79.520560][ T500] ? process_one_work+0x13d0/0x13d0
[ 79.525723][ T500] kthread+0x299/0x340
[ 79.529875][ T500] ? kthread_complete_and_exit+0x20/0x20
[ 79.535474][ T500] ret_from_fork+0x1f/0x30
[ 79.539889][ T500]
[ 79.542946][ T500] Kernel Offset: disabled
[ 79.547262][ T500] Rebooting in 86400 seconds..