Warning: Permanently added '10.128.1.178' (ED25519) to the list of known hosts.
[ 62.763790][ T4019] chnl_net:caif_netlink_parms(): no params data found
[ 62.800703][ T4019] bridge0: port 1(bridge_slave_0) entered blocking state
[ 62.802518][ T4019] bridge0: port 1(bridge_slave_0) entered disabled state
[ 62.804978][ T4019] device bridge_slave_0 entered promiscuous mode
[ 62.809448][ T4019] bridge0: port 2(bridge_slave_1) entered blocking state
[ 62.811423][ T4019] bridge0: port 2(bridge_slave_1) entered disabled state
[ 62.813765][ T4019] device bridge_slave_1 entered promiscuous mode
[ 62.830893][ T4019] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 62.835164][ T4019] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 62.849563][ T4019] team0: Port device team_slave_0 added
[ 62.853428][ T4019] team0: Port device team_slave_1 added
[ 62.865767][ T4019] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 62.867649][ T4019] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 62.874215][ T4019] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[ 62.878800][ T4019] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 62.880491][ T4019] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 62.886906][ T4019] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[ 62.968813][ T4019] device hsr_slave_0 entered promiscuous mode
[ 63.007122][ T4019] device hsr_slave_1 entered promiscuous mode
[ 63.118863][ T4019] netdevsim netdevsim0 netdevsim0: renamed from eth0
[ 63.170416][ T4019] netdevsim netdevsim0 netdevsim1: renamed from eth1
[ 63.208777][ T4019] netdevsim netdevsim0 netdevsim2: renamed from eth2
[ 63.278585][ T4019] netdevsim netdevsim0 netdevsim3: renamed from eth3
[ 63.334613][ T4019] bridge0: port 2(bridge_slave_1) entered blocking state
[ 63.336545][ T4019] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 63.338831][ T4019] bridge0: port 1(bridge_slave_0) entered blocking state
[ 63.340738][ T4019] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 63.379993][ T4019] 8021q: adding VLAN 0 to HW filter on device bond0
[ 63.388153][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 63.392271][ T9] bridge0: port 1(bridge_slave_0) entered disabled state
[ 63.395418][ T9] bridge0: port 2(bridge_slave_1) entered disabled state
[ 63.398855][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 63.405385][ T4019] 8021q: adding VLAN 0 to HW filter on device team0
[ 63.411778][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 63.414396][ T9] bridge0: port 1(bridge_slave_0) entered blocking state
[ 63.416286][ T9] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 63.421097][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 63.423587][ T9] bridge0: port 2(bridge_slave_1) entered blocking state
[ 63.425320][ T9] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 63.439267][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 63.441763][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 63.448566][ T148] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 63.454629][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 63.463250][ T148] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 63.468007][ T4019] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 63.479189][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 63.481167][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 63.488994][ T4019] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 63.502988][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 63.514333][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 63.520719][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 63.523056][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 63.527562][ T4019] device veth0_vlan entered promiscuous mode
[ 63.533423][ T4019] device veth1_vlan entered promiscuous mode
[ 63.547953][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan0: link becomes ready
[ 63.550342][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan1: link becomes ready
[ 63.552838][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 63.560416][ T4019] device veth0_macvtap entered promiscuous mode
[ 63.564671][ T4019] device veth1_macvtap entered promiscuous mode
[ 63.577441][ T4019] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 63.579512][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 63.582555][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready
[ 63.587497][ T4019] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 63.589691][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 63.594531][ T4019] netdevsim netdevsim0 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0
[ 63.596866][ T4019] netdevsim netdevsim0 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0
[ 63.598979][ T4019] netdevsim netdevsim0 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0
[ 63.601214][ T4019] netdevsim netdevsim0 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0
executing program
[ 63.636627][ T4028] IPv6: ADDRCONF(NETDEV_CHANGE): bpq0: link becomes ready
executing program
executing program
executing program
[ 63.668954][ T4031] ==================================================================
[ 63.670990][ T4031] BUG: KASAN: use-after-free in ax25_fillin_cb+0x39c/0x588
[ 63.672754][ T4031] Read of size 4 at addr ffff0000c1dbaa38 by task syz-executor376/4031
[ 63.674753][ T4031]
[ 63.675317][ T4031] CPU: 1 PID: 4031 Comm: syz-executor376 Not tainted 5.15.180-syzkaller #0
[ 63.677497][ T4031] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
[ 63.680032][ T4031] Call trace:
[ 63.680869][ T4031] dump_backtrace+0x0/0x530
[ 63.681990][ T4031] show_stack+0x2c/0x3c
[ 63.683027][ T4031] dump_stack_lvl+0x108/0x170
[ 63.684194][ T4031] print_address_description+0x7c/0x3f0
[ 63.685722][ T4031] kasan_report+0x174/0x1e4
[ 63.686883][ T4031] __asan_report_load4_noabort+0x44/0x50
[ 63.686910][ T4031] ax25_fillin_cb+0x39c/0x588
[ 63.686920][ T4031] ax25_setsockopt+0x980/0xcdc
[ 63.690744][ T4031] __sys_setsockopt+0x3a8/0x6b4
[ 63.692000][ T4031] __arm64_sys_setsockopt+0xb8/0xd4
[ 63.693317][ T4031] invoke_syscall+0x98/0x2b8
[ 63.694504][ T4031] el0_svc_common+0x138/0x258
[ 63.695661][ T4031] do_el0_svc+0x58/0x14c
[ 63.696785][ T4031] el0_svc+0x7c/0x1f0
[ 63.697830][ T4031] el0t_64_sync_handler+0x84/0xe4
[ 63.699138][ T4031] el0t_64_sync+0x1a0/0x1a4
[ 63.700287][ T4031]
[ 63.700879][ T4031] Allocated by task 4028:
[ 63.701981][ T4031] ____kasan_kmalloc+0xbc/0xfc
[ 63.703224][ T4031] __kasan_kmalloc+0x10/0x1c
[ 63.704412][ T4031] kmem_cache_alloc_trace+0x27c/0x47c
[ 63.705781][ T4031] ax25_dev_device_up+0x5c/0x548
[ 63.707069][ T4031] ax25_device_event+0x504/0x590
[ 63.708338][ T4031] raw_notifier_call_chain+0xd4/0x164
[ 63.709673][ T4031] __dev_notify_flags+0x2b4/0x540
[ 63.710926][ T4031] dev_change_flags+0xc8/0x154
[ 63.712120][ T4031] dev_ifsioc+0x140/0xfe4
[ 63.713322][ T4031] dev_ioctl+0x4e0/0xd3c
[ 63.714407][ T4031] sock_do_ioctl+0x1dc/0x2dc
[ 63.715565][ T4031] sock_ioctl+0x4f4/0x8b0
[ 63.716722][ T4031] __arm64_sys_ioctl+0x14c/0x1c8
[ 63.718012][ T4031] invoke_syscall+0x98/0x2b8
[ 63.719214][ T4031] el0_svc_common+0x138/0x258
[ 63.720413][ T4031] do_el0_svc+0x58/0x14c
[ 63.721502][ T4031] el0_svc+0x7c/0x1f0
[ 63.722581][ T4031] el0t_64_sync_handler+0x84/0xe4
[ 63.723825][ T4031] el0t_64_sync+0x1a0/0x1a4
[ 63.724970][ T4031]
[ 63.725580][ T4031] Freed by task 4030:
[ 63.726632][ T4031] kasan_set_track+0x4c/0x84
[ 63.727784][ T4031] kasan_set_free_info+0x28/0x4c
[ 63.729125][ T4031] ____kasan_slab_free+0x118/0x164
[ 63.730455][ T4031] __kasan_slab_free+0x18/0x28
[ 63.731653][ T4031] slab_free_freelist_hook+0x128/0x1ec
[ 63.733044][ T4031] kfree+0x178/0x410
[ 63.734044][ T4031] ax25_release+0x57c/0x82c
[ 63.735313][ T4031] sock_close+0xb8/0x1fc
[ 63.736464][ T4031] __fput+0x1c4/0x800
[ 63.737498][ T4031] ____fput+0x20/0x30
[ 63.738490][ T4031] task_work_run+0x130/0x1e4
[ 63.739728][ T4031] do_notify_resume+0x262c/0x32b8
[ 63.741027][ T4031] el0_svc+0xfc/0x1f0
[ 63.742071][ T4031] el0t_64_sync_handler+0x84/0xe4
[ 63.743333][ T4031] el0t_64_sync+0x1a0/0x1a4
[ 63.744498][ T4031]
[ 63.745055][ T4031] The buggy address belongs to the object at ffff0000c1dbaa00
[ 63.745055][ T4031] which belongs to the cache kmalloc-256 of size 256
[ 63.748719][ T4031] The buggy address is located 56 bytes inside of
[ 63.748719][ T4031] 256-byte region [ffff0000c1dbaa00, ffff0000c1dbab00)
[ 63.752120][ T4031] The buggy address belongs to the page:
[ 63.753486][ T4031] page:00000000abadb21f refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x101dba
[ 63.756163][ T4031] head:00000000abadb21f order:1 compound_mapcount:0
[ 63.757834][ T4031] flags: 0x5ffc00000010200(slab|head|node=0|zone=2|lastcpupid=0x7ff)
[ 63.759871][ T4031] raw: 05ffc00000010200 dead000000000100 dead000000000122 ffff0000c0002480
[ 63.762093][ T4031] raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000
[ 63.764346][ T4031] page dumped because: kasan: bad access detected
[ 63.765974][ T4031]
[ 63.766552][ T4031] Memory state around the buggy address:
[ 63.768236][ T4031]  ffff0000c1dba900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 63.770224][ T4031]  ffff0000c1dba980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 63.772284][ T4031] >ffff0000c1dbaa00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 63.774238][ T4031]                                         ^
[ 63.775772][ T4031]  ffff0000c1dbaa80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 63.777780][ T4031]  ffff0000c1dbab00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 63.779826][ T4031] ==================================================================
[ 63.781861][ T4031] Disabling lock debugging due to kernel taint
[ 63.785490][ T4031] Unable to handle kernel paging request at virtual address 002002c300001566
[ 63.790578][ T4031] Mem abort info:
[ 63.791526][ T4031] ESR = 0x0000000096000021
[ 63.792651][ T4031] EC = 0x25: DABT (current EL), IL = 32 bits
[ 63.794213][ T4031] SET = 0, FnV = 0
[ 63.795177][ T4031] EA = 0, S1PTW = 0
[ 63.796157][ T4031] FSC = 0x21: alignment fault
[ 63.800802][ T4031] Data abort info:
[ 63.801820][ T4031] ISV = 0, ISS = 0x00000021
[ 63.803696][ T4031] CM = 0, WnR = 0
[ 63.804701][ T4031] [002002c300001566] address between user and kernel address ranges
[ 63.806683][ T4031] Internal error: Oops: 0000000096000021 [#1] PREEMPT SMP
[ 63.808472][ T4031] Modules linked in:
[ 63.809434][ T4031] CPU: 0 PID: 4031 Comm: syz-executor376 Tainted: G B 5.15.180-syzkaller #0
[ 63.811999][ T4031] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025
[ 63.814532][ T4031] pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[ 63.816520][ T4031] pc : ax25_release+0x50c/0x82c
[ 63.817755][ T4031] lr : ax25_release+0x504/0x82c
[ 63.819005][ T4031] sp : ffff80001fb47950
[ 63.820114][ T4031] x29: ffff80001fb47970 x28: dfff800000000000 x27: ffff0000c9087080
[ 63.822146][ T4031] x26: ffff0000cd0cb028 x25: 0000000000000002 x24: 00000000ffffffff
[ 63.824193][ T4031] x23: ae2002c300001566 x22: ffff0000c1dbaa00 x21: ffff0000debada18
[ 63.826136][ T4031] x20: ffff0000c9087000 x19: 1fffe00019a19605 x18: 0000000000000000
[ 63.828194][ T4031] x17: 0000000000000000 x16: ffff8000084c73cc x15: 0000000000000002
[ 63.830312][ T4031] x14: ffff0000c22f8000 x13: 0000000000ff0100 x12: 0000000000000001
[ 63.832402][ T4031] x11: 0000000000000000 x10: 0000000000000000 x9 : ffff0000c22f8000
[ 63.834422][ T4031] x8 : ffff800010de0938 x7 : 0000000000000000 x6 : ffff8000083bb1b4
[ 63.836475][ T4031] x5 : 0000000000000000 x4 : 0000000000000000 x3 : ffff800010de092c
[ 63.838536][ T4031] x2 : 0000000000000001 x1 : 0000000000000004 x0 : 0000000000000001
[ 63.840501][ T4031] Call trace:
[ 63.841372][ T4031] ax25_release+0x50c/0x82c
[ 63.842610][ T4031] sock_close+0xb8/0x1fc
[ 63.843691][ T4031] __fput+0x1c4/0x800
[ 63.844680][ T4031] ____fput+0x20/0x30
[ 63.845717][ T4031] task_work_run+0x130/0x1e4
[ 63.846850][ T4031] do_notify_resume+0x262c/0x32b8
[ 63.848139][ T4031] el0_svc+0xfc/0x1f0
[ 63.849168][ T4031] el0t_64_sync_handler+0x84/0xe4
[ 63.850456][ T4031] el0t_64_sync+0x1a0/0x1a4
[ 63.851621][ T4031] Code: d503201f 97c5148f 52800038 4b1803f8 (b87802f8)
[ 63.853509][ T4031] ---[ end trace 7bc59057ec10ed4f ]---
[ 64.151070][ T4031] Kernel panic - not syncing: Oops: Fatal exception
[ 64.152805][ T4031] SMP: stopping secondary CPUs
[ 64.154136][ T4031] Kernel Offset: disabled
[ 64.155233][ T4031] CPU features: 0x8,000081c1,21302e40
[ 64.156602][ T4031] Memory Limit: none
[ 64.450691][ T4031] Rebooting in 86400 seconds..