Warning: Permanently added '10.128.0.121' (ECDSA) to the list of known hosts.
syzkaller login: [ 37.738349] IPVS: ftp: loaded support on port[0] = 21
[ 37.820699] chnl_net:caif_netlink_parms(): no params data found
[ 37.892158] bridge0: port 1(bridge_slave_0) entered blocking state
[ 37.898829] bridge0: port 1(bridge_slave_0) entered disabled state
[ 37.905870] device bridge_slave_0 entered promiscuous mode
[ 37.913704] bridge0: port 2(bridge_slave_1) entered blocking state
[ 37.920236] bridge0: port 2(bridge_slave_1) entered disabled state
[ 37.927838] device bridge_slave_1 entered promiscuous mode
[ 37.944273] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 37.953024] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 37.971229] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 37.978632] team0: Port device team_slave_0 added
[ 37.984032] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 37.991638] team0: Port device team_slave_1 added
[ 38.006289] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 38.012928] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 38.038176] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[ 38.049540] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 38.055772] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 38.081046] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[ 38.091855] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[ 38.099507] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[ 38.119043] device hsr_slave_0 entered promiscuous mode
[ 38.124782] device hsr_slave_1 entered promiscuous mode
[ 38.131401] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready
[ 38.138707] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_1: link is not ready
[ 38.200448] bridge0: port 2(bridge_slave_1) entered blocking state
[ 38.206915] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 38.213668] bridge0: port 1(bridge_slave_0) entered blocking state
[ 38.220078] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 38.250580] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[ 38.258019] 8021q: adding VLAN 0 to HW filter on device bond0
[ 38.265781] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 38.275072] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 38.284326] bridge0: port 1(bridge_slave_0) entered disabled state
[ 38.291528] bridge0: port 2(bridge_slave_1) entered disabled state
[ 38.298879] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 38.309168] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready
[ 38.315367] 8021q: adding VLAN 0 to HW filter on device team0
[ 38.327334] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 38.335012] bridge0: port 1(bridge_slave_0) entered blocking state
[ 38.341422] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 38.348834] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 38.356709] bridge0: port 2(bridge_slave_1) entered blocking state
[ 38.363046] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 38.377681] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 38.388281] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 38.395486] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 38.409489] hsr0: Slave A (hsr_slave_0) is not up; please bring it up to get a fully working HSR network
[ 38.419980] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
[ 38.431103] IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready
[ 38.438263] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 38.445969] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 38.453628] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 38.467059] IPv6: ADDRCONF(NETDEV_UP): vxcan0: link is not ready
[ 38.474237] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 38.481420] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 38.491082] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 38.503135] IPv6: ADDRCONF(NETDEV_UP): veth0_virt_wifi: link is not ready
[ 38.513217] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 38.544493] IPv6: ADDRCONF(NETDEV_UP): veth0_vlan: link is not ready
[ 38.552603] IPv6: ADDRCONF(NETDEV_UP): vlan0: link is not ready
[ 38.559592] IPv6: ADDRCONF(NETDEV_UP): vlan1: link is not ready
[ 38.568697] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 38.576783] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 38.583613] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 38.592214] device veth0_vlan entered promiscuous mode
[ 38.601156] device veth1_vlan entered promiscuous mode
[ 38.607398] IPv6: ADDRCONF(NETDEV_UP): macvlan0: link is not ready
[ 38.615677] IPv6: ADDRCONF(NETDEV_UP): macvlan1: link is not ready
[ 38.628017] IPv6: ADDRCONF(NETDEV_UP): veth0_macvtap: link is not ready
[ 38.637901] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan0: link becomes ready
[ 38.645076] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan1: link becomes ready
[ 38.652609] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 38.662378] device veth0_macvtap entered promiscuous mode
[ 38.668613] IPv6: ADDRCONF(NETDEV_UP): macvtap0: link is not ready
[ 38.676972] device veth1_macvtap entered promiscuous mode
[ 38.685864] IPv6: ADDRCONF(NETDEV_UP): veth0_to_batadv: link is not ready
[ 38.694979] IPv6: ADDRCONF(NETDEV_UP): veth1_to_batadv: link is not ready
[ 38.705979] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 38.713116] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 38.721328] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready
[ 38.732023] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 38.739678] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
executing program
[ 38.827702] ==================================================================
[ 38.835135] BUG: KASAN: use-after-free in ipvlan_queue_xmit+0x9d2/0x18e0
[ 38.841960] Read of size 4 at addr ffff8880aac32cff by task syz-executor303/8134
[ 38.849498]
[ 38.851110] CPU: 0 PID: 8134 Comm: syz-executor303 Not tainted 4.19.211-syzkaller #0
[ 38.858967] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/22/2022
[ 38.868299] Call Trace:
[ 38.870871] dump_stack+0x1fc/0x2ef
[ 38.874482] print_address_description.cold+0x54/0x219
[ 38.879767] kasan_report_error.cold+0x8a/0x1b9
[ 38.884419] ? ipvlan_queue_xmit+0x9d2/0x18e0
[ 38.888926] __asan_report_load4_noabort+0x88/0x90
[ 38.893855] ? __sanitizer_cov_trace_const_cmp4+0x20/0x20
[ 38.899372] ? ipvlan_queue_xmit+0x9d2/0x18e0
[ 38.903848] ipvlan_queue_xmit+0x9d2/0x18e0
[ 38.908152] ? skb_network_protocol+0x14b/0x570
[ 38.912821] ? ipvlan_process_multicast+0xcb0/0xcb0
[ 38.917820] ? skb_crc32c_csum_help+0x70/0x70
[ 38.922297] ? __alloc_skb+0x34f/0x560
[ 38.926177] ? netif_skb_features+0x5c1/0xb30
[ 38.930661] ? __skb_gso_segment+0x720/0x720
[ 38.935074] ? validate_xmit_xfrm+0x3dc/0xe30
[ 38.939562] ? skb_set_owner_w+0x1f6/0x330
[ 38.943784] ? sock_alloc_send_pskb+0x609/0x830
[ 38.948445] ipvlan_start_xmit+0x4f/0x190
[ 38.952602] dev_direct_xmit+0x3f9/0x6d0
[ 38.956653] ? validate_xmit_skb_list+0x120/0x120
[ 38.961485] ? dev_pick_tx_cpu_id+0xd/0x70
[ 38.965716] packet_sendmsg+0x25ae/0x7720
[ 38.969866] ? aa_sk_perm+0x534/0x930
[ 38.973669] ? compat_packet_setsockopt+0x160/0x160
[ 38.978712] ? aa_af_perm+0x230/0x230
[ 38.982503] ? compat_packet_setsockopt+0x160/0x160
[ 38.987508] sock_sendmsg+0xc3/0x120
[ 38.991205] __sys_sendto+0x21a/0x320
[ 38.994987] ? __ia32_sys_getpeername+0xb0/0xb0
[ 38.999644] ? aa_af_perm+0x230/0x230
[ 39.003435] ? __sys_setsockopt+0x179/0x240
[ 39.007738] ? kernel_accept+0x310/0x310
[ 39.011779] ? __sys_socket+0x16d/0x200
[ 39.015738] __x64_sys_sendto+0xdd/0x1b0
[ 39.019783] ? lockdep_hardirqs_on+0x3a8/0x5c0
[ 39.024345] do_syscall_64+0xf9/0x620
[ 39.028129] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 39.033320] RIP: 0033:0x7f925b4f69b9
[ 39.037015] Code: 28 c3 e8 aa 15 00 00 66 2e 0f 1f 84 00 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
[ 39.055894] RSP: 002b:00007ffe8c619388 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
[ 39.063594] RAX: ffffffffffffffda RBX: 00007f925b579e90 RCX: 00007f925b4f69b9
[ 39.070848] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004
[ 39.078097] RBP: 0000000000000003 R08: 00000000200000c0 R09: 0000000000000014
[ 39.085344] R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffe8c6193f0
[ 39.092591] R13: 00007ffe8c619420 R14: 00007ffe8c619400 R15: 0000000000000001
[ 39.099865]
[ 39.101473] Allocated by task 6348:
[ 39.105095] kmem_cache_alloc+0x122/0x370
[ 39.109224] getname_flags+0xce/0x590
[ 39.113018] user_path_at_empty+0x2a/0x50
[ 39.117159] vfs_statx+0x113/0x210
[ 39.120679] __se_sys_newstat+0x96/0x120
[ 39.124733] do_syscall_64+0xf9/0x620
[ 39.128527] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 39.133705]
[ 39.135311] Freed by task 6348:
[ 39.138572] kmem_cache_free+0x7f/0x260
[ 39.142539] putname+0xe1/0x120
[ 39.145796] filename_lookup+0x3d0/0x5a0
[ 39.149848] vfs_statx+0x113/0x210
[ 39.153384] __se_sys_newstat+0x96/0x120
[ 39.157424] do_syscall_64+0xf9/0x620
[ 39.161204] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 39.166369]
[ 39.167985] The buggy address belongs to the object at ffff8880aac32a00
[ 39.167985] which belongs to the cache names_cache of size 4096
[ 39.180710] The buggy address is located 767 bytes inside of
[ 39.180710] 4096-byte region [ffff8880aac32a00, ffff8880aac33a00)
[ 39.192648] The buggy address belongs to the page:
[ 39.197556] page:ffffea0002ab0c80 count:1 mapcount:0 mapping:ffff88823b843380 index:0x0 compound_mapcount: 0
[ 39.207510] flags: 0xfff00000008100(slab|head)
[ 39.212083] raw: 00fff00000008100 ffffea0002ab1388 ffffea0002ab9208 ffff88823b843380
[ 39.219945] raw: 0000000000000000 ffff8880aac32a00 0000000100000001 0000000000000000
[ 39.227811] page dumped because: kasan: bad access detected
[ 39.233498]
[ 39.235105] Memory state around the buggy address:
[ 39.240017] ffff8880aac32b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 39.247362] ffff8880aac32c00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 39.255072] >ffff8880aac32c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 39.262417] ^
[ 39.269673] ffff8880aac32d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 39.277028] ffff8880aac32d80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 39.284368] ==================================================================
[ 39.291710] Disabling lock debugging due to kernel taint
[ 39.297199] Kernel panic - not syncing: panic_on_warn set ...
[ 39.297199]
[ 39.304568] CPU: 0 PID: 8134 Comm: syz-executor303 Tainted: G B 4.19.211-syzkaller #0
[ 39.313827] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/22/2022
[ 39.323176] Call Trace:
[ 39.325763] dump_stack+0x1fc/0x2ef
[ 39.329384] panic+0x26a/0x50e
[ 39.332575] ? __warn_printk+0xf3/0xf3
[ 39.336454] ? retint_kernel+0x2d/0x2d
[ 39.340322] ? trace_hardirqs_on+0x55/0x210
[ 39.344625] kasan_end_report+0x43/0x49
[ 39.348582] kasan_report_error.cold+0xa7/0x1b9
[ 39.353244] ? ipvlan_queue_xmit+0x9d2/0x18e0
[ 39.357720] __asan_report_load4_noabort+0x88/0x90
[ 39.362629] ? __sanitizer_cov_trace_const_cmp4+0x20/0x20
[ 39.368149] ? ipvlan_queue_xmit+0x9d2/0x18e0
[ 39.372621] ipvlan_queue_xmit+0x9d2/0x18e0
[ 39.376922] ? skb_network_protocol+0x14b/0x570
[ 39.381569] ? ipvlan_process_multicast+0xcb0/0xcb0
[ 39.386560] ? skb_crc32c_csum_help+0x70/0x70
[ 39.391032] ? __alloc_skb+0x34f/0x560
[ 39.394899] ? netif_skb_features+0x5c1/0xb30
[ 39.399385] ? __skb_gso_segment+0x720/0x720
[ 39.403769] ? validate_xmit_xfrm+0x3dc/0xe30
[ 39.408328] ? skb_set_owner_w+0x1f6/0x330
[ 39.412541] ? sock_alloc_send_pskb+0x609/0x830
[ 39.417187] ipvlan_start_xmit+0x4f/0x190
[ 39.421314] dev_direct_xmit+0x3f9/0x6d0
[ 39.425354] ? validate_xmit_skb_list+0x120/0x120
[ 39.430176] ? dev_pick_tx_cpu_id+0xd/0x70
[ 39.434388] packet_sendmsg+0x25ae/0x7720
[ 39.438535] ? aa_sk_perm+0x534/0x930
[ 39.442314] ? compat_packet_setsockopt+0x160/0x160
[ 39.447312] ? aa_af_perm+0x230/0x230
[ 39.451095] ? compat_packet_setsockopt+0x160/0x160
[ 39.456499] sock_sendmsg+0xc3/0x120
[ 39.460192] __sys_sendto+0x21a/0x320
[ 39.463970] ? __ia32_sys_getpeername+0xb0/0xb0
[ 39.468623] ? aa_af_perm+0x230/0x230
[ 39.472406] ? __sys_setsockopt+0x179/0x240
[ 39.476724] ? kernel_accept+0x310/0x310
[ 39.480764] ? __sys_socket+0x16d/0x200
[ 39.484720] __x64_sys_sendto+0xdd/0x1b0
[ 39.488762] ? lockdep_hardirqs_on+0x3a8/0x5c0
[ 39.493320] do_syscall_64+0xf9/0x620
[ 39.497102] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 39.502267] RIP: 0033:0x7f925b4f69b9
[ 39.505965] Code: 28 c3 e8 aa 15 00 00 66 2e 0f 1f 84 00 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
[ 39.524865] RSP: 002b:00007ffe8c619388 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
[ 39.532563] RAX: ffffffffffffffda RBX: 00007f925b579e90 RCX: 00007f925b4f69b9
[ 39.539827] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004
[ 39.547074] RBP: 0000000000000003 R08: 00000000200000c0 R09: 0000000000000014
[ 39.554319] R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffe8c6193f0
[ 39.561568] R13: 00007ffe8c619420 R14: 00007ffe8c619400 R15: 0000000000000001
[ 39.568992] Kernel Offset: disabled
[ 39.572602] Rebooting in 86400 seconds..