Warning: Permanently added '10.128.0.117' (ECDSA) to the list of known hosts.
syzkaller login: [ 33.599772] IPVS: ftp: loaded support on port[0] = 21
[ 33.664242] chnl_net:caif_netlink_parms(): no params data found
[ 33.766313] bridge0: port 1(bridge_slave_0) entered blocking state
[ 33.772826] bridge0: port 1(bridge_slave_0) entered disabled state
[ 33.780544] device bridge_slave_0 entered promiscuous mode
[ 33.787570] bridge0: port 2(bridge_slave_1) entered blocking state
[ 33.793914] bridge0: port 2(bridge_slave_1) entered disabled state
[ 33.801234] device bridge_slave_1 entered promiscuous mode
[ 33.816512] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 33.825736] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 33.843194] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 33.850384] team0: Port device team_slave_0 added
[ 33.856117] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 33.863112] team0: Port device team_slave_1 added
[ 33.877300] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 33.883520] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 33.908801] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[ 33.919820] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 33.926091] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 33.951314] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[ 33.961947] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[ 33.969747] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[ 33.987880] device hsr_slave_0 entered promiscuous mode
[ 33.993423] device hsr_slave_1 entered promiscuous mode
[ 33.999472] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready
[ 34.006455] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_1: link is not ready
[ 34.064317] bridge0: port 2(bridge_slave_1) entered blocking state
[ 34.070875] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 34.077677] bridge0: port 1(bridge_slave_0) entered blocking state
[ 34.084019] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 34.112076] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[ 34.118653] 8021q: adding VLAN 0 to HW filter on device bond0
[ 34.126817] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 34.134531] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 34.143201] bridge0: port 1(bridge_slave_0) entered disabled state
[ 34.160271] bridge0: port 2(bridge_slave_1) entered disabled state
[ 34.169507] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready
[ 34.175945] 8021q: adding VLAN 0 to HW filter on device team0
[ 34.183782] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 34.191824] bridge0: port 1(bridge_slave_0) entered blocking state
[ 34.198192] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 34.207363] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 34.215641] bridge0: port 2(bridge_slave_1) entered blocking state
[ 34.221977] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 34.240490] hsr0: Slave A (hsr_slave_0) is not up; please bring it up to get a fully working HSR network
[ 34.250225] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
[ 34.261536] IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready
[ 34.268492] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 34.276391] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 34.283802] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 34.291810] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 34.299453] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 34.306439] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 34.318495] IPv6: ADDRCONF(NETDEV_UP): vxcan0: link is not ready
[ 34.327961] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 34.334305] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 34.343181] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 34.384924] IPv6: ADDRCONF(NETDEV_UP): veth0_virt_wifi: link is not ready
[ 34.393786] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 34.420049] IPv6: ADDRCONF(NETDEV_UP): veth0_vlan: link is not ready
[ 34.427041] IPv6: ADDRCONF(NETDEV_UP): vlan0: link is not ready
[ 34.433404] IPv6: ADDRCONF(NETDEV_UP): vlan1: link is not ready
[ 34.442052] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 34.449575] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 34.456626] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 34.465210] device veth0_vlan entered promiscuous mode
[ 34.473144] device veth1_vlan entered promiscuous mode
[ 34.479493] IPv6: ADDRCONF(NETDEV_UP): macvlan0: link is not ready
[ 34.487655] IPv6: ADDRCONF(NETDEV_UP): macvlan1: link is not ready
[ 34.499225] IPv6: ADDRCONF(NETDEV_UP): veth0_macvtap: link is not ready
[ 34.507727] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan0: link becomes ready
[ 34.515601] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan1: link becomes ready
[ 34.522637] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 34.531532] device veth0_macvtap entered promiscuous mode
[ 34.537860] IPv6: ADDRCONF(NETDEV_UP): macvtap0: link is not ready
[ 34.545994] device veth1_macvtap entered promiscuous mode
[ 34.553658] IPv6: ADDRCONF(NETDEV_UP): veth0_to_batadv: link is not ready
[ 34.562893] IPv6: ADDRCONF(NETDEV_UP): veth1_to_batadv: link is not ready
[ 34.572822] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 34.579711] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 34.587937] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready
[ 34.596832] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 34.605541] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
executing program
[ 34.654671] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 34.735034] ==================================================================
[ 34.742458] BUG: KASAN: use-after-free in ip_tunnel_xmit+0x2476/0x33a0
[ 34.749294] Read of size 4 at addr ffff88809cf430f0 by task syz-executor033/8201
[ 34.756797]
[ 34.758413] CPU: 0 PID: 8201 Comm: syz-executor033 Not tainted 4.14.227-syzkaller #0
[ 34.766279] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 34.775606] Call Trace:
[ 34.778175] dump_stack+0x1b2/0x281
[ 34.781922] print_address_description.cold+0x54/0x1d3
[ 34.787188] kasan_report_error.cold+0x8a/0x191
[ 34.791847] ? ip_tunnel_xmit+0x2476/0x33a0
[ 34.796143] __asan_report_load4_noabort+0x68/0x70
[ 34.801054] ? memset+0x10/0x40
[ 34.806044] ? ip_tunnel_xmit+0x2476/0x33a0
[ 34.810340] ip_tunnel_xmit+0x2476/0x33a0
[ 34.814478] ? _raw_spin_unlock_irqrestore+0x66/0xe0
[ 34.819561] ? ip_md_tunnel_xmit+0x1020/0x1020
[ 34.824145] ? skb_release_data+0x5f6/0x820
[ 34.828455] ? skb_push+0x9d/0xc0
[ 34.831884] ? __gre_xmit+0x445/0x7c0
[ 34.835663] ipgre_xmit+0x398/0x6d0
[ 34.839282] dev_hard_start_xmit+0x188/0x890
[ 34.843667] __dev_queue_xmit+0x1d7f/0x2480
[ 34.847978] ? netdev_pick_tx+0x2e0/0x2e0
[ 34.852109] ? __check_object_size+0x179/0x230
[ 34.856668] ? skb_copy_datagram_from_iter+0x3c1/0x5f0
[ 34.861922] packet_snd+0x1393/0x2370
[ 34.865702] ? prb_retire_rx_blk_timer_expired+0x630/0x630
[ 34.871304] packet_sendmsg+0x112b/0x2c50
[ 34.875431] ? __lock_acquire+0x5fc/0x3f20
[ 34.879662] ? compat_packet_setsockopt+0x140/0x140
[ 34.884657] ? security_socket_sendmsg+0x83/0xb0
[ 34.889399] ? compat_packet_setsockopt+0x140/0x140
[ 34.894027] syz-executor033 (7972) used greatest stack depth: 25080 bytes left
[ 34.894399] sock_sendmsg+0xb5/0x100
[ 34.894410] sock_no_sendpage+0xe2/0x110
[ 34.894418] ? __sk_mem_schedule+0xd0/0xd0
[ 34.913724] ? __sk_mem_schedule+0xd0/0xd0
[ 34.917946] sock_sendpage+0xdf/0x140
[ 34.921724] pipe_to_sendpage+0x226/0x2d0
[ 34.925846] ? sockfs_setattr+0x140/0x140
[ 34.929966] ? direct_splice_actor+0x160/0x160
[ 34.934522] __splice_from_pipe+0x326/0x7a0
[ 34.938820] ? direct_splice_actor+0x160/0x160
[ 34.943379] generic_splice_sendpage+0xc1/0x110
[ 34.948028] ? vmsplice_to_user+0x1b0/0x1b0
[ 34.952324] ? rw_verify_area+0xe1/0x2a0
[ 34.956358] ? vmsplice_to_user+0x1b0/0x1b0
[ 34.960653] SyS_splice+0xd59/0x1380
[ 34.964343] ? _raw_spin_unlock_irq+0x24/0x80
[ 34.968812] ? compat_SyS_vmsplice+0x150/0x150
[ 34.973371] ? do_syscall_64+0x4c/0x640
[ 34.977318] ? compat_SyS_vmsplice+0x150/0x150
[ 34.981887] do_syscall_64+0x1d5/0x640
[ 34.985752] entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 34.990914] RIP: 0033:0x448ec9
[ 34.994080] RSP: 002b:00007f4605a2b2f8 EFLAGS: 00000246 ORIG_RAX: 0000000000000113
[ 35.001761] RAX: ffffffffffffffda RBX: 00000000004cf518 RCX: 0000000000448ec9
[ 35.009015] RDX: 0000000000000005 RSI: 0000000000000000 RDI: 0000000000000003
[ 35.016262] RBP: 00000000004cf510 R08: 00000000ffffffff R09: 0000000000000000
[ 35.023545] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000004cf51c
[ 35.030797] R13: 000000000049e004 R14: 6d32cc5e8ead0600 R15: 0000000000022000
[ 35.038046]
[ 35.039645] Allocated by task 8201:
[ 35.043249] kasan_kmalloc+0xeb/0x160
[ 35.047027] __kmalloc_node_track_caller+0x4c/0x70
[ 35.051936] __alloc_skb+0x96/0x510
[ 35.055812] skb_segment+0x677/0x2e60
[ 35.059604] udp4_ufo_fragment+0x40b/0x690
[ 35.063811] inet_gso_segment+0x470/0x10c0
[ 35.068022] skb_mac_gso_segment+0x240/0x4c0
[ 35.072416] __skb_gso_segment+0x302/0x600
[ 35.076628] validate_xmit_skb+0x49c/0x9f0
[ 35.080837] __dev_queue_xmit+0x816/0x2480
[ 35.085059] packet_snd+0x1393/0x2370
[ 35.088833] packet_sendmsg+0x112b/0x2c50
[ 35.092953] sock_sendmsg+0xb5/0x100
[ 35.096641] sock_no_sendpage+0xe2/0x110
[ 35.100672] sock_sendpage+0xdf/0x140
[ 35.104446] pipe_to_sendpage+0x226/0x2d0
[ 35.108577] __splice_from_pipe+0x326/0x7a0
[ 35.112871] generic_splice_sendpage+0xc1/0x110
[ 35.117511] SyS_splice+0xd59/0x1380
[ 35.121206] do_syscall_64+0x1d5/0x640
[ 35.125068] entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 35.130229]
[ 35.131918] Freed by task 8201:
[ 35.135172] kasan_slab_free+0xc3/0x1a0
[ 35.139121] kfree+0xc9/0x250
[ 35.142198] pskb_expand_head+0x895/0xd30
[ 35.146318] __pskb_pull_tail+0xd9/0x14a0
[ 35.150437] ip_tunnel_xmit+0x142c/0x33a0
[ 35.154558] ipgre_xmit+0x398/0x6d0
[ 35.158160] dev_hard_start_xmit+0x188/0x890
[ 35.162539] __dev_queue_xmit+0x1d7f/0x2480
[ 35.166842] packet_snd+0x1393/0x2370
[ 35.170616] packet_sendmsg+0x112b/0x2c50
[ 35.174741] sock_sendmsg+0xb5/0x100
[ 35.178434] sock_no_sendpage+0xe2/0x110
[ 35.182473] sock_sendpage+0xdf/0x140
[ 35.186257] pipe_to_sendpage+0x226/0x2d0
[ 35.190383] __splice_from_pipe+0x326/0x7a0
[ 35.194683] generic_splice_sendpage+0xc1/0x110
[ 35.199326] SyS_splice+0xd59/0x1380
[ 35.203015] do_syscall_64+0x1d5/0x640
[ 35.206881] entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 35.212042]
[ 35.213649] The buggy address belongs to the object at ffff88809cf43040
[ 35.213649]  which belongs to the cache kmalloc-512 of size 512
[ 35.226304] The buggy address is located 176 bytes inside of
[ 35.226304]  512-byte region [ffff88809cf43040, ffff88809cf43240)
[ 35.238277] The buggy address belongs to the page:
[ 35.243185] page:ffffea000273d0c0 count:1 mapcount:0 mapping:ffff88809cf43040 index:0x0
[ 35.251303] flags: 0xfff00000000100(slab)
[ 35.255429] raw: 00fff00000000100 ffff88809cf43040 0000000000000000 0000000100000006
[ 35.263288] raw: ffffea00027efbe0 ffffea000286cce0 ffff88813fe80940 0000000000000000
[ 35.271143] page dumped because: kasan: bad access detected
[ 35.276840]
[ 35.278442] Memory state around the buggy address:
[ 35.283351]  ffff88809cf42f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 35.290699]  ffff88809cf43000: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 35.298034] >ffff88809cf43080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 35.305368]                                                              ^
[ 35.312353]  ffff88809cf43100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 35.319689]  ffff88809cf43180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 35.327024] ==================================================================
[ 35.334446] Disabling lock debugging due to kernel taint
[ 35.339922] Kernel panic - not syncing: panic_on_warn set ...
[ 35.339922]
[ 35.347275] CPU: 0 PID: 8201 Comm: syz-executor033 Tainted: G B 4.14.227-syzkaller #0
[ 35.356361] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 35.365701] Call Trace:
[ 35.368280] dump_stack+0x1b2/0x281
[ 35.371891] panic+0x1f9/0x42d
[ 35.375058] ? add_taint.cold+0x16/0x16
[ 35.379010] kasan_end_report+0x43/0x49
[ 35.382956] kasan_report_error.cold+0xa7/0x191
[ 35.387612] ? ip_tunnel_xmit+0x2476/0x33a0
[ 35.391906] __asan_report_load4_noabort+0x68/0x70
[ 35.396807] ? memset+0x10/0x40
[ 35.400057] ? ip_tunnel_xmit+0x2476/0x33a0
[ 35.404383] ip_tunnel_xmit+0x2476/0x33a0
[ 35.408506] ? _raw_spin_unlock_irqrestore+0x66/0xe0
[ 35.413613] ? ip_md_tunnel_xmit+0x1020/0x1020
[ 35.418199] ? skb_release_data+0x5f6/0x820
[ 35.422491] ? skb_push+0x9d/0xc0
[ 35.425919] ? __gre_xmit+0x445/0x7c0
[ 35.429692] ipgre_xmit+0x398/0x6d0
[ 35.433291] dev_hard_start_xmit+0x188/0x890
[ 35.437676] __dev_queue_xmit+0x1d7f/0x2480
[ 35.441969] ? netdev_pick_tx+0x2e0/0x2e0
[ 35.446090] ? __check_object_size+0x179/0x230
[ 35.450646] ? skb_copy_datagram_from_iter+0x3c1/0x5f0
[ 35.455895] packet_snd+0x1393/0x2370
[ 35.459682] ? prb_retire_rx_blk_timer_expired+0x630/0x630
[ 35.465278] packet_sendmsg+0x112b/0x2c50
[ 35.469400] ? __lock_acquire+0x5fc/0x3f20
[ 35.473604] ? compat_packet_setsockopt+0x140/0x140
[ 35.478593] ? security_socket_sendmsg+0x83/0xb0
[ 35.483326] ? compat_packet_setsockopt+0x140/0x140
[ 35.488326] sock_sendmsg+0xb5/0x100
[ 35.492015] sock_no_sendpage+0xe2/0x110
[ 35.496046] ? __sk_mem_schedule+0xd0/0xd0
[ 35.500255] ? __sk_mem_schedule+0xd0/0xd0
[ 35.504462] sock_sendpage+0xdf/0x140
[ 35.508322] pipe_to_sendpage+0x226/0x2d0
[ 35.512441] ? sockfs_setattr+0x140/0x140
[ 35.516561] ? direct_splice_actor+0x160/0x160
[ 35.521115] __splice_from_pipe+0x326/0x7a0
[ 35.525409] ? direct_splice_actor+0x160/0x160
[ 35.529963] generic_splice_sendpage+0xc1/0x110
[ 35.534603] ? vmsplice_to_user+0x1b0/0x1b0
[ 35.538894] ? rw_verify_area+0xe1/0x2a0
[ 35.542927] ? vmsplice_to_user+0x1b0/0x1b0
[ 35.547221] SyS_splice+0xd59/0x1380
[ 35.550909] ? _raw_spin_unlock_irq+0x24/0x80
[ 35.555378] ? compat_SyS_vmsplice+0x150/0x150
[ 35.559932] ? do_syscall_64+0x4c/0x640
[ 35.563878] ? compat_SyS_vmsplice+0x150/0x150
[ 35.568429] do_syscall_64+0x1d5/0x640
[ 35.572289] entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 35.577451] RIP: 0033:0x448ec9
[ 35.580612] RSP: 002b:00007f4605a2b2f8 EFLAGS: 00000246 ORIG_RAX: 0000000000000113
[ 35.588290] RAX: ffffffffffffffda RBX: 00000000004cf518 RCX: 0000000000448ec9
[ 35.595620] RDX: 0000000000000005 RSI: 0000000000000000 RDI: 0000000000000003
[ 35.602862] RBP: 00000000004cf510 R08: 00000000ffffffff R09: 0000000000000000
[ 35.610103] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000004cf51c
[ 35.617359] R13: 000000000049e004 R14: 6d32cc5e8ead0600 R15: 0000000000022000
[ 35.625305] Kernel Offset: disabled
[ 35.628913] Rebooting in 86400 seconds..