Warning: Permanently added '10.128.0.21' (ECDSA) to the list of known hosts.
syzkaller login: [ 69.261516][ T8887] IPVS: ftp: loaded support on port[0] = 21
[ 69.315037][ T8887] chnl_net:caif_netlink_parms(): no params data found
[ 69.343547][ T8887] bridge0: port 1(bridge_slave_0) entered blocking state
[ 69.351360][ T8887] bridge0: port 1(bridge_slave_0) entered disabled state
[ 69.359164][ T8887] device bridge_slave_0 entered promiscuous mode
[ 69.367307][ T8887] bridge0: port 2(bridge_slave_1) entered blocking state
[ 69.374841][ T8887] bridge0: port 2(bridge_slave_1) entered disabled state
[ 69.382519][ T8887] device bridge_slave_1 entered promiscuous mode
[ 69.398988][ T8887] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 69.409974][ T8887] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 69.428929][ T8887] team0: Port device team_slave_0 added
[ 69.436213][ T8887] team0: Port device team_slave_1 added
[ 69.502799][ T8887] device hsr_slave_0 entered promiscuous mode
[ 69.551198][ T8887] device hsr_slave_1 entered promiscuous mode
[ 69.628558][ T8887] bridge0: port 2(bridge_slave_1) entered blocking state
[ 69.635995][ T8887] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 69.643913][ T8887] bridge0: port 1(bridge_slave_0) entered blocking state
[ 69.651033][ T8887] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 69.686775][ T8887] 8021q: adding VLAN 0 to HW filter on device bond0
[ 69.699564][ T12] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 69.709638][ T12] bridge0: port 1(bridge_slave_0) entered disabled state
[ 69.718226][ T12] bridge0: port 2(bridge_slave_1) entered disabled state
[ 69.726132][ T12] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 69.738567][ T8887] 8021q: adding VLAN 0 to HW filter on device team0
[ 69.753097][ T12] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 69.762585][ T12] bridge0: port 1(bridge_slave_0) entered blocking state
[ 69.769716][ T12] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 69.792232][ T22] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 69.801704][ T22] bridge0: port 2(bridge_slave_1) entered blocking state
[ 69.808782][ T22] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 69.817009][ T22] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 69.825574][ T22] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 69.834089][ T22] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
executing program
[ 69.842980][ T22] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 69.853329][ T12] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 69.864964][ T8887] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 69.882514][ T8887] 8021q: adding VLAN 0 to HW filter on device batadv0
executing program
executing program
[ 70.281063][ T22] ==================================================================
[ 70.289475][ T22] BUG: KASAN: use-after-free in cbq_enqueue+0xecd/0xef0
[ 70.296405][ T22] Read of size 8 at addr ffff888092245770 by task kworker/1:1/22
[ 70.304117][ T22]
[ 70.306450][ T22] CPU: 1 PID: 22 Comm: kworker/1:1 Not tainted 5.4.0-rc1+ #0
[ 70.313798][ T22] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 70.323854][ T22] Workqueue: ipv6_addrconf addrconf_dad_work
[ 70.329817][ T22] Call Trace:
[ 70.333098][ T22]  dump_stack+0x172/0x1f0
[ 70.337441][ T22]  ? cbq_enqueue+0xecd/0xef0
[ 70.342046][ T22]  print_address_description.constprop.0.cold+0xd4/0x30b
[ 70.349132][ T22]  ? cbq_enqueue+0xecd/0xef0
[ 70.353718][ T22]  ? cbq_enqueue+0xecd/0xef0
[ 70.358425][ T22]  __kasan_report.cold+0x1b/0x41
[ 70.363356][ T22]  ? cbq_enqueue+0xecd/0xef0
[ 70.367943][ T22]  kasan_report+0x12/0x20
[ 70.372257][ T22]  __asan_report_load8_noabort+0x14/0x20
[ 70.377891][ T22]  cbq_enqueue+0xecd/0xef0
[ 70.382291][ T22]  ? do_raw_spin_lock+0x12a/0x2e0
[ 70.387302][ T22]  ? cbq_delete+0xd30/0xd30
[ 70.391795][ T22]  __dev_queue_xmit+0x157e/0x3720
[ 70.396802][ T22]  ? __kasan_check_read+0x11/0x20
[ 70.401840][ T22]  ? netdev_core_pick_tx+0x2f0/0x2f0
[ 70.407118][ T22]  ? ip6_finish_output2+0x1034/0x2550
[ 70.412487][ T22]  ? __kasan_check_read+0x11/0x20
[ 70.417519][ T22]  ? mark_held_locks+0xa4/0xf0
[ 70.422272][ T22]  dev_queue_xmit+0x18/0x20
[ 70.426758][ T22]  ? dev_queue_xmit+0x18/0x20
[ 70.431421][ T22]  neigh_resolve_output+0x5a5/0x970
[ 70.436632][ T22]  ip6_finish_output2+0x1034/0x2550
[ 70.441906][ T22]  ? ip6_sk_dst_lookup_flow+0xb90/0xb90
[ 70.447434][ T22]  ? lock_downgrade+0x920/0x920
[ 70.452442][ T22]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 70.458680][ T22]  ? __kasan_check_read+0x11/0x20
[ 70.463822][ T22]  __ip6_finish_output+0x444/0xaa0
[ 70.468931][ T22]  ? __ip6_finish_output+0x444/0xaa0
[ 70.474206][ T22]  ip6_finish_output+0x38/0x1f0
[ 70.479070][ T22]  ip6_output+0x235/0x7f0
[ 70.483384][ T22]  ? ip6_finish_output+0x1f0/0x1f0
[ 70.488553][ T22]  ? __ip6_finish_output+0xaa0/0xaa0
[ 70.493846][ T22]  ndisc_send_skb+0xf29/0x14a0
[ 70.498623][ T22]  ? nf_hook.constprop.0+0x560/0x560
[ 70.503924][ T22]  ? skb_set_owner_w+0x21b/0x320
[ 70.508852][ T22]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[ 70.514584][ T22]  ndisc_send_ns+0x3a9/0x850
[ 70.519183][ T22]  ? mark_held_locks+0xa4/0xf0
[ 70.523944][ T22]  ? ndisc_netdev_event+0x4e0/0x4e0
[ 70.529127][ T22]  ? lockdep_hardirqs_on+0x421/0x5e0
[ 70.534397][ T22]  ? addrconf_dad_work+0xac4/0x1150
[ 70.539666][ T22]  ? trace_hardirqs_on+0x67/0x240
[ 70.544676][ T22]  ? addrconf_dad_work+0xac4/0x1150
[ 70.550649][ T22]  addrconf_dad_work+0xb88/0x1150
[ 70.555664][ T22]  ? addrconf_dad_completed+0xbb0/0xbb0
[ 70.561200][ T22]  ? rcu_read_lock_any_held.part.0+0x50/0x50
[ 70.567225][ T22]  ? trace_hardirqs_on+0x67/0x240
[ 70.572252][ T22]  process_one_work+0x9af/0x1740
[ 70.577205][ T22]  ? pwq_dec_nr_in_flight+0x320/0x320
[ 70.582561][ T22]  ? lock_acquire+0x190/0x410
[ 70.587231][ T22]  worker_thread+0x98/0xe40
[ 70.591719][ T22]  ? trace_hardirqs_on+0x67/0x240
[ 70.599799][ T22]  kthread+0x361/0x430
[ 70.603855][ T22]  ? process_one_work+0x1740/0x1740
[ 70.609035][ T22]  ? kthread_cancel_delayed_work_sync+0x20/0x20
[ 70.615355][ T22]  ret_from_fork+0x24/0x30
[ 70.619755][ T22]
[ 70.622070][ T22] Allocated by task 8896:
[ 70.626384][ T22]  save_stack+0x23/0x90
[ 70.630538][ T22]  __kasan_kmalloc.constprop.0+0xcf/0xe0
[ 70.636182][ T22]  kasan_kmalloc+0x9/0x10
[ 70.640506][ T22]  __kmalloc_node_track_caller+0x4e/0x70
[ 70.646178][ T22]  __kmalloc_reserve.isra.0+0x40/0xf0
[ 70.651537][ T22]  __alloc_skb+0x10b/0x5e0
[ 70.655939][ T22]  netlink_sendmsg+0x972/0xd60
[ 70.660699][ T22]  sock_sendmsg+0xd7/0x130
[ 70.665121][ T22]  ___sys_sendmsg+0x803/0x920
[ 70.669791][ T22]  __sys_sendmsg+0x105/0x1d0
[ 70.674366][ T22]  __x64_sys_sendmsg+0x78/0xb0
[ 70.679128][ T22]  do_syscall_64+0xfa/0x760
[ 70.683615][ T22]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 70.689488][ T22]
[ 70.691805][ T22] Freed by task 8896:
[ 70.695776][ T22]  save_stack+0x23/0x90
[ 70.699961][ T22]  __kasan_slab_free+0x102/0x150
[ 70.704967][ T22]  kasan_slab_free+0xe/0x10
[ 70.709450][ T22]  kfree+0x10a/0x2c0
[ 70.713328][ T22]  skb_free_head+0x93/0xb0
[ 70.717731][ T22]  skb_release_data+0x42d/0x7c0
[ 70.722573][ T22]  skb_release_all+0x4d/0x60
[ 70.727146][ T22]  consume_skb+0xfb/0x3b0
[ 70.731461][ T22]  netlink_unicast+0x539/0x710
[ 70.736205][ T22]  netlink_sendmsg+0x8a5/0xd60
[ 70.740954][ T22]  sock_sendmsg+0xd7/0x130
[ 70.745359][ T22]  ___sys_sendmsg+0x803/0x920
[ 70.750040][ T22]  __sys_sendmsg+0x105/0x1d0
[ 70.754618][ T22]  __x64_sys_sendmsg+0x78/0xb0
[ 70.759385][ T22]  do_syscall_64+0xfa/0x760
[ 70.763874][ T22]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 70.769743][ T22]
[ 70.772071][ T22] The buggy address belongs to the object at ffff888092245700
[ 70.772071][ T22]  which belongs to the cache kmalloc-2k of size 2048
[ 70.786128][ T22] The buggy address is located 112 bytes inside of
[ 70.786128][ T22]  2048-byte region [ffff888092245700, ffff888092245f00)
[ 70.799470][ T22] The buggy address belongs to the page:
[ 70.805107][ T22] page:ffffea0002489100 refcount:1 mapcount:0 mapping:ffff8880aa400e00 index:0x0 compound_mapcount: 0
[ 70.816544][ T22] flags: 0x1fffc0000010200(slab|head)
[ 70.822530][ T22] raw: 01fffc0000010200 ffffea000253d788 ffffea0002481908 ffff8880aa400e00
[ 70.831162][ T22] raw: 0000000000000000 ffff888092244600 0000000100000003 0000000000000000
[ 70.840863][ T22] page dumped because: kasan: bad access detected
[ 70.847273][ T22]
[ 70.849654][ T22] Memory state around the buggy address:
[ 70.855384][ T22]  ffff888092245600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 70.863444][ T22]  ffff888092245680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 70.871494][ T22] >ffff888092245700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 70.879545][ T22]                                                              ^
[ 70.887267][ T22]  ffff888092245780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 70.895329][ T22]  ffff888092245800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 70.903456][ T22] ==================================================================
[ 70.911509][ T22] Disabling lock debugging due to kernel taint
[ 70.917684][ T22] Kernel panic - not syncing: panic_on_warn set ...
[ 70.924277][ T22] CPU: 1 PID: 22 Comm: kworker/1:1 Tainted: G B 5.4.0-rc1+ #0
[ 70.933732][ T22] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 70.943788][ T22] Workqueue: ipv6_addrconf addrconf_dad_work
[ 70.949742][ T22] Call Trace:
[ 70.953096][ T22]  dump_stack+0x172/0x1f0
[ 70.957426][ T22]  panic+0x2dc/0x755
[ 70.961475][ T22]  ? add_taint.cold+0x16/0x16
[ 70.966158][ T22]  ? trace_hardirqs_on+0x5e/0x240
[ 70.971278][ T22]  ? trace_hardirqs_on+0x5e/0x240
[ 70.976529][ T22]  ? cbq_enqueue+0xecd/0xef0
[ 70.981281][ T22]  end_report+0x47/0x4f
[ 70.985436][ T22]  ? cbq_enqueue+0xecd/0xef0
[ 70.990013][ T22]  __kasan_report.cold+0xe/0x41
[ 70.994870][ T22]  ? cbq_enqueue+0xecd/0xef0
[ 70.999456][ T22]  kasan_report+0x12/0x20
[ 71.003775][ T22]  __asan_report_load8_noabort+0x14/0x20
[ 71.009391][ T22]  cbq_enqueue+0xecd/0xef0
[ 71.013817][ T22]  ? do_raw_spin_lock+0x12a/0x2e0
[ 71.018891][ T22]  ? cbq_delete+0xd30/0xd30
[ 71.023397][ T22]  __dev_queue_xmit+0x157e/0x3720
[ 71.028425][ T22]  ? __kasan_check_read+0x11/0x20
[ 71.033633][ T22]  ? netdev_core_pick_tx+0x2f0/0x2f0
[ 71.038902][ T22]  ? ip6_finish_output2+0x1034/0x2550
[ 71.044271][ T22]  ? __kasan_check_read+0x11/0x20
[ 71.049278][ T22]  ? mark_held_locks+0xa4/0xf0
[ 71.054026][ T22]  dev_queue_xmit+0x18/0x20
[ 71.058513][ T22]  ? dev_queue_xmit+0x18/0x20
[ 71.063183][ T22]  neigh_resolve_output+0x5a5/0x970
[ 71.068739][ T22]  ip6_finish_output2+0x1034/0x2550
[ 71.073934][ T22]  ? ip6_sk_dst_lookup_flow+0xb90/0xb90
[ 71.079469][ T22]  ? lock_downgrade+0x920/0x920
[ 71.084307][ T22]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 71.090545][ T22]  ? __kasan_check_read+0x11/0x20
[ 71.095642][ T22]  __ip6_finish_output+0x444/0xaa0
[ 71.100733][ T22]  ? __ip6_finish_output+0x444/0xaa0
[ 71.105996][ T22]  ip6_finish_output+0x38/0x1f0
[ 71.110862][ T22]  ip6_output+0x235/0x7f0
[ 71.115169][ T22]  ? ip6_finish_output+0x1f0/0x1f0
[ 71.120259][ T22]  ? __ip6_finish_output+0xaa0/0xaa0
[ 71.125533][ T22]  ndisc_send_skb+0xf29/0x14a0
[ 71.130277][ T22]  ? nf_hook.constprop.0+0x560/0x560
[ 71.135547][ T22]  ? skb_set_owner_w+0x21b/0x320
[ 71.140486][ T22]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[ 71.146208][ T22]  ndisc_send_ns+0x3a9/0x850
[ 71.150777][ T22]  ? mark_held_locks+0xa4/0xf0
[ 71.155789][ T22]  ? ndisc_netdev_event+0x4e0/0x4e0
[ 71.160967][ T22]  ? lockdep_hardirqs_on+0x421/0x5e0
[ 71.166240][ T22]  ? addrconf_dad_work+0xac4/0x1150
[ 71.171418][ T22]  ? trace_hardirqs_on+0x67/0x240
[ 71.176423][ T22]  ? addrconf_dad_work+0xac4/0x1150
[ 71.181605][ T22]  addrconf_dad_work+0xb88/0x1150
[ 71.186631][ T22]  ? addrconf_dad_completed+0xbb0/0xbb0
[ 71.193206][ T22]  ? rcu_read_lock_any_held.part.0+0x50/0x50
[ 71.199186][ T22]  ? trace_hardirqs_on+0x67/0x240
[ 71.204193][ T22]  process_one_work+0x9af/0x1740
[ 71.209111][ T22]  ? pwq_dec_nr_in_flight+0x320/0x320
[ 71.214475][ T22]  ? lock_acquire+0x190/0x410
[ 71.219138][ T22]  worker_thread+0x98/0xe40
[ 71.223623][ T22]  ? trace_hardirqs_on+0x67/0x240
[ 71.228632][ T22]  kthread+0x361/0x430
[ 71.232693][ T22]  ? process_one_work+0x1740/0x1740
[ 71.237889][ T22]  ? kthread_cancel_delayed_work_sync+0x20/0x20
[ 71.244135][ T22]  ret_from_fork+0x24/0x30
[ 71.250042][ T22] Kernel Offset: disabled
[ 71.254443][ T22] Rebooting in 86400 seconds..
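The report above carries enough structure to be triaged mechanically rather than read by eye. The Python below is an added example, not part of the syzbot console log or of the kernel tree: it parses an excerpt of this report (embedded as a constructed sample, console prefixes left in place), strips the `[ 70.289475][ T22]` prefixes, separates the use / allocation / free stacks while dropping the unreliable `? ` frames, recovers the offset of the faulting address inside the slab object from the two raw addresses, and looks up the shadow byte covering that address using the legend from `mm/kasan/kasan.h` (0xfb = freed slab object, 0xfc = slab redzone). It then checks that the computed offset and the shadow state agree with what the header claims: 112 bytes into a kmalloc-2k object that KASAN has marked freed. Function and key names are the example's own.

```python
import re

# KASAN shadow legend (mm/kasan/kasan.h): one shadow byte covers an 8-byte granule.
SHADOW_GRANULE = 8
SHADOW_LEGEND = {0xfa: "global redzone", 0xfb: "freed slab object (KASAN_KMALLOC_FREE)",
                 0xfc: "slab redzone (KASAN_KMALLOC_REDZONE)", 0xfe: "page redzone", 0xff: "freed page"}

# Constructed sample: an excerpt of the report above, console prefixes included.
SAMPLE = """\
[ 70.289475][ T22] BUG: KASAN: use-after-free in cbq_enqueue+0xecd/0xef0
[ 70.296405][ T22] Read of size 8 at addr ffff888092245770 by task kworker/1:1/22
[ 70.329817][ T22] Call Trace:
[ 70.333098][ T22]  dump_stack+0x172/0x1f0
[ 70.337441][ T22]  ? cbq_enqueue+0xecd/0xef0
[ 70.377891][ T22]  cbq_enqueue+0xecd/0xef0
[ 70.391795][ T22]  __dev_queue_xmit+0x157e/0x3720
[ 70.550649][ T22]  addrconf_dad_work+0xb88/0x1150
[ 70.619755][ T22]
[ 70.622070][ T22] Allocated by task 8896:
[ 70.626384][ T22]  save_stack+0x23/0x90
[ 70.651537][ T22]  __alloc_skb+0x10b/0x5e0
[ 70.655939][ T22]  netlink_sendmsg+0x972/0xd60
[ 70.689488][ T22]
[ 70.691805][ T22] Freed by task 8896:
[ 70.695776][ T22]  save_stack+0x23/0x90
[ 70.713328][ T22]  skb_free_head+0x93/0xb0
[ 70.727146][ T22]  consume_skb+0xfb/0x3b0
[ 70.731461][ T22]  netlink_unicast+0x539/0x710
[ 70.769743][ T22]
[ 70.772071][ T22] The buggy address belongs to the object at ffff888092245700
[ 70.772071][ T22]  which belongs to the cache kmalloc-2k of size 2048
[ 70.786128][ T22] The buggy address is located 112 bytes inside of
[ 70.786128][ T22]  2048-byte region [ffff888092245700, ffff888092245f00)
[ 70.849654][ T22] Memory state around the buggy address:
[ 70.863444][ T22]  ffff888092245680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 70.871494][ T22] >ffff888092245700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
"""

PREFIX = re.compile(r"^\[\s*\d+\.\d+\]\[\s*T\d+\]")  # "[ 70.289475][ T22]"


def clean(line):
    return PREFIX.sub("", line).strip()


def frames_after(lines, start):
    # Frames below a section header up to the blank line. "? " frames are
    # unreliable unwinder guesses and are dropped, as is the +offset/size suffix.
    out = []
    for line in lines[start + 1:]:
        if not line:
            break
        if not line.startswith("? "):
            out.append(line.split("+")[0])
    return out


def parse_kasan_report(text):
    lines = [clean(l) for l in text.splitlines()]
    r = {"shadow": {}, "call_trace": [], "allocated": [], "freed": []}
    for i, line in enumerate(lines):
        if m := re.match(r"BUG: KASAN: ([\w-]+) in (\S+)", line):
            r["bug"], r["func"] = m[1], m[2]
        elif m := re.match(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (\S+)", line):
            r["access"], r["size"], r["addr"], r["task"] = m[1], int(m[2]), int(m[3], 16), m[4]
        elif m := re.match(r"The buggy address belongs to the object at ([0-9a-f]+)", line):
            r["object"] = int(m[1], 16)
        elif m := re.match(r"which belongs to the cache (\S+) of size (\d+)", line):
            r["cache"], r["cache_size"] = m[1], int(m[2])
        elif m := re.match(r"The buggy address is located (\d+) bytes inside of", line):
            r["reported_offset"] = int(m[1])
        elif m := re.match(r">?([0-9a-f]{16}): ((?:[0-9a-f]{2} ?){16})$", line):
            r["shadow"][int(m[1], 16)] = bytes.fromhex(m[2])  # 16 granules per row
        elif line == "Call Trace:" and not r["call_trace"]:
            r["call_trace"] = frames_after(lines, i)  # first trace only, not the panic one
        elif line.startswith("Allocated by task"):
            r["allocated"] = frames_after(lines, i)
        elif line.startswith("Freed by task"):
            r["freed"] = frames_after(lines, i)
    return r


def shadow_at(report, addr):
    # (shadow byte, meaning) for the granule containing addr, or None if not dumped.
    for row_addr, row in report["shadow"].items():
        if row_addr <= addr < row_addr + len(row) * SHADOW_GRANULE:
            b = row[(addr - row_addr) // SHADOW_GRANULE]
            if b < SHADOW_GRANULE:
                return b, "addressable" if b == 0 else f"first {b} bytes addressable"
            return b, SHADOW_LEGEND.get(b, "unknown")
    return None


def triage(text):
    r = parse_kasan_report(text)
    offset = r["addr"] - r["object"]
    byte, meaning = shadow_at(r, r["addr"]) or (None, "not in dump")
    return {
        "bug": r["bug"], "faulting_function": r["func"].split("+")[0],
        "access": f'{r["access"]} of {r["size"]} bytes by {r["task"]}',
        "cache": r["cache"], "offset_in_object": offset,
        "offset_matches_report": offset == r["reported_offset"],
        "shadow_byte": byte, "shadow_meaning": meaning,
        # A use-after-free must land on a granule KASAN marked freed (0xfb).
        "consistent": r["bug"] != "use-after-free" or byte == 0xfb,
        "use_path": r["call_trace"], "alloc_path": r["allocated"], "free_path": r["freed"],
    }
```

Run `triage(SAMPLE)` and the three paths come out as the report states them: the buffer is an skb head allocated and then released inside `netlink_sendmsg` / `netlink_unicast` by task 8896, and read afterwards by `cbq_enqueue` on the neighbour-discovery transmit path of `kworker/1:1`. Why `cbq_enqueue` still holds a pointer into that buffer is not something the report says, so the example does not guess; it only confirms that the header, the object bounds and the shadow bytes tell one consistent story, which is the first thing to verify before treating a sanitizer report as a real bug rather than a false positive.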