Warning: Permanently added '10.128.1.129' (ECDSA) to the list of known hosts.
2021/10/29 13:54:03 parsed 1 programs
syzkaller login:
[ 1575.065027][ T6567] cgroup: Unknown subsys name 'net'
[ 1575.076718][ T6567] cgroup: Unknown subsys name 'rlimit'
2021/10/29 13:54:03 executed programs: 0
[ 1576.695902][ T6580] chnl_net:caif_netlink_parms(): no params data found
[ 1576.775115][ T6580] bridge0: port 1(bridge_slave_0) entered blocking state
[ 1576.782250][ T6580] bridge0: port 1(bridge_slave_0) entered disabled state
[ 1576.790208][ T6580] device bridge_slave_0 entered promiscuous mode
[ 1576.799903][ T6580] bridge0: port 2(bridge_slave_1) entered blocking state
[ 1576.807189][ T6580] bridge0: port 2(bridge_slave_1) entered disabled state
[ 1576.815285][ T6580] device bridge_slave_1 entered promiscuous mode
[ 1576.846184][ T6580] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 1576.857380][ T6580] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 1576.891510][ T6580] team0: Port device team_slave_0 added
[ 1576.899188][ T6580] team0: Port device team_slave_1 added
[ 1576.928843][ T6580] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 1576.936048][ T6580] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 1576.961981][ T6580] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[ 1576.974741][ T6580] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 1576.982171][ T6580] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 1577.008165][ T6580] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[ 1577.044938][ T6580] device hsr_slave_0 entered promiscuous mode
[ 1577.052248][ T6580] device hsr_slave_1 entered promiscuous mode
[ 1577.172818][ T6580] netdevsim netdevsim0 netdevsim0: renamed from eth0
[ 1577.185895][ T6580] netdevsim netdevsim0 netdevsim1: renamed from eth1
[ 1577.194850][ T6580] netdevsim netdevsim0 netdevsim2: renamed from eth2
[ 1577.204826][ T6580] netdevsim netdevsim0 netdevsim3: renamed from eth3
[ 1577.226085][ T6580] bridge0: port 2(bridge_slave_1) entered blocking state
[ 1577.233474][ T6580] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 1577.241139][ T6580] bridge0: port 1(bridge_slave_0) entered blocking state
[ 1577.248238][ T6580] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 1577.292840][ T6580] 8021q: adding VLAN 0 to HW filter on device bond0
[ 1577.307956][ T6580] 8021q: adding VLAN 0 to HW filter on device team0
[ 1577.316516][ T7] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 1577.328300][ T7] bridge0: port 1(bridge_slave_0) entered disabled state
[ 1577.337824][ T7] bridge0: port 2(bridge_slave_1) entered disabled state
[ 1577.346360][ T7] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 1577.362808][ T6841] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 1577.372236][ T6841] bridge0: port 1(bridge_slave_0) entered blocking state
[ 1577.379276][ T6841] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 1577.386959][ T6841] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 1577.395492][ T6841] bridge0: port 2(bridge_slave_1) entered blocking state
[ 1577.402592][ T6841] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 1577.420462][ T6914] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 1577.430329][ T6914] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 1577.440706][ T6914] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 1577.458817][ T6914] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 1577.467373][ T6914] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 1577.478699][ T6580] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 1577.496808][ T6914] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 1577.504407][ T6914] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 1577.518230][ T6580] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 1577.537976][ T6914] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 1577.558708][ T6841] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 1577.566898][ T6841] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 1577.574856][ T6841] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 1577.585130][ T6580] device veth0_vlan entered promiscuous mode
[ 1577.597422][ T6580] device veth1_vlan entered promiscuous mode
[ 1577.618746][ T6841] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan0: link becomes ready
[ 1577.626793][ T6841] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan1: link becomes ready
[ 1577.635097][ T6841] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 1577.646835][ T6580] device veth0_macvtap entered promiscuous mode
[ 1577.656370][ T6580] device veth1_macvtap entered promiscuous mode
[ 1577.673582][ T6841] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready
[ 1577.683852][ T6580] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 1577.693608][ T6916] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready
[ 1577.702898][ T6916] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 1577.715690][ T6580] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 1577.723496][ T6914] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready
[ 1577.732225][ T6914] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 1577.745132][ T6580] netdevsim netdevsim0 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0
[ 1577.754095][ T6580] netdevsim netdevsim0 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0
[ 1577.763081][ T6580] netdevsim netdevsim0 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0
[ 1577.771855][ T6580] netdevsim netdevsim0 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0
[ 1577.864246][ T6617] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[ 1577.872602][ T6617] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50
[ 1577.882891][ T6916] IPv6: ADDRCONF(NETDEV_CHANGE): wlan0: link becomes ready
[ 1577.914190][ T6617] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[ 1577.922506][ T6617] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50
[ 1577.932343][ T6914] IPv6: ADDRCONF(NETDEV_CHANGE): wlan1: link becomes ready
[ 1578.532821][ T6914] Bluetooth: hci0: command 0x0409 tx timeout
2021/10/29 13:54:08 executed programs: 56
[ 1580.611723][ T7] Bluetooth: hci0: command 0x041b tx timeout
[ 1582.691864][ T7] Bluetooth: hci0: command 0x040f tx timeout
[ 1584.770626][ T6914] Bluetooth: hci0: command 0x0419 tx timeout
2021/10/29 13:54:13 executed programs: 179
[ 1590.060420][ T8059] ==================================================================
[ 1590.068772][ T8059] BUG: KASAN: use-after-free in __io_free_req+0x33f/0x3c5
[ 1590.075946][ T8059] Write of size 8 at addr ffff8880713ecbb8 by task syz-executor.0/8059
[ 1590.084236][ T8059]
[ 1590.086549][ T8059] CPU: 1 PID: 8059 Comm: syz-executor.0 Not tainted 5.15.0-rc7-next-20211029-syzkaller #0
[ 1590.096420][ T8059] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 1590.106489][ T8059] Call Trace:
[ 1590.109796][ T8059]
[ 1590.112712][ T8059] dump_stack_lvl+0xcd/0x134
[ 1590.117368][ T8059] print_address_description.constprop.0.cold+0x8d/0x320
[ 1590.124434][ T8059] ? __io_free_req+0x33f/0x3c5
[ 1590.129185][ T8059] ? __io_free_req+0x33f/0x3c5
[ 1590.133930][ T8059] kasan_report.cold+0x83/0xdf
[ 1590.138682][ T8059] ? __io_free_req+0x33f/0x3c5
[ 1590.143431][ T8059] __io_free_req+0x33f/0x3c5
[ 1590.148008][ T8059] tctx_task_work+0x1b3/0x630
[ 1590.152736][ T8059] ? __io_submit_flush_completions+0x2c0/0x2c0
[ 1590.158905][ T8059] task_work_run+0xdd/0x1a0
[ 1590.164000][ T8059] do_exit+0xc14/0x2b40
[ 1590.168234][ T8059] ? mm_update_next_owner+0x7a0/0x7a0
[ 1590.173595][ T8059] ? lock_downgrade+0x6e0/0x6e0
[ 1590.178496][ T8059] do_group_exit+0x125/0x310
[ 1590.183105][ T8059] get_signal+0x47d/0x21d0
[ 1590.187589][ T8059] arch_do_signal_or_restart+0x2a9/0x1c40
[ 1590.193345][ T8059] ? do_futex+0x10c/0x390
[ 1590.197723][ T8059] ? __ia32_sys_get_robust_list+0x420/0x420
[ 1590.203625][ T8059] ? find_held_lock+0x2d/0x110
[ 1590.208387][ T8059] ? get_sigframe_size+0x10/0x10
[ 1590.213321][ T8059] ? __x64_sys_futex+0x1b0/0x4a0
[ 1590.218249][ T8059] ? do_futex+0x390/0x390
[ 1590.222566][ T8059] exit_to_user_mode_prepare+0x17d/0x290
[ 1590.228236][ T8059] syscall_exit_to_user_mode+0x19/0x60
[ 1590.233697][ T8059] do_syscall_64+0x42/0xb0
[ 1590.238096][ T8059] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 1590.244100][ T8059] RIP: 0033:0x7f9da8c4ea39
[ 1590.248498][ T8059] Code: Unable to access opcode bytes at RIP 0x7f9da8c4ea0f.
[ 1590.255853][ T8059] RSP: 002b:00007f9da83a3218 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
[ 1590.264256][ T8059] RAX: fffffffffffffe00 RBX: 00007f9da8d62028 RCX: 00007f9da8c4ea39
[ 1590.272225][ T8059] RDX: 0000000000000000 RSI: 0000000000000080 RDI: 00007f9da8d62028
[ 1590.280196][ T8059] RBP: 00007f9da8d62020 R08: 0000000000000000 R09: 0000000000000000
[ 1590.288159][ T8059] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f9da8d6202c
[ 1590.296124][ T8059] R13: 00007ffd6e91741f R14: 00007f9da83a3300 R15: 0000000000022000
[ 1590.304176][ T8059]
[ 1590.307177][ T8059]
[ 1590.309479][ T8059] Allocated by task 8059:
[ 1590.313812][ T8059] kasan_save_stack+0x1e/0x50
[ 1590.318549][ T8059] __kasan_slab_alloc+0x90/0xc0
[ 1590.323394][ T8059] kmem_cache_alloc_bulk+0x39d/0x720
[ 1590.328659][ T8059] io_submit_sqes.cold+0x20b/0x43d
[ 1590.333764][ T8059] __do_sys_io_uring_enter+0xf6e/0x1f50
[ 1590.339311][ T8059] do_syscall_64+0x35/0xb0
[ 1590.343709][ T8059] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 1590.349605][ T8059]
[ 1590.351908][ T8059] Freed by task 1041:
[ 1590.355865][ T8059] kasan_save_stack+0x1e/0x50
[ 1590.360528][ T8059] kasan_set_track+0x21/0x30
[ 1590.365104][ T8059] kasan_set_free_info+0x20/0x30
[ 1590.370097][ T8059] __kasan_slab_free+0xff/0x130
[ 1590.374947][ T8059] slab_free_freelist_hook+0x8b/0x1c0
[ 1590.380300][ T8059] kmem_cache_free+0x92/0x5e0
[ 1590.385139][ T8059] io_req_caches_free+0x1aa/0x1e6
[ 1590.390151][ T8059] io_ring_exit_work+0x1e4/0xbe8
[ 1590.395169][ T8059] process_one_work+0x9b2/0x1690
[ 1590.400092][ T8059] worker_thread+0x658/0x11f0
[ 1590.404763][ T8059] kthread+0x405/0x4f0
[ 1590.408880][ T8059] ret_from_fork+0x1f/0x30
[ 1590.413308][ T8059]
[ 1590.415615][ T8059] The buggy address belongs to the object at ffff8880713ecb40
[ 1590.415615][ T8059] which belongs to the cache io_kiocb of size 224
[ 1590.429387][ T8059] The buggy address is located 120 bytes inside of
[ 1590.429387][ T8059] 224-byte region [ffff8880713ecb40, ffff8880713ecc20)
[ 1590.442643][ T8059] The buggy address belongs to the page:
[ 1590.448253][ T8059] page:ffffea0001c4fb00 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff8880713ec8c0 pfn:0x713ec
[ 1590.459771][ T8059] flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff)
[ 1590.467310][ T8059] raw: 00fff00000000200 ffffea0001c4d400 dead000000000004 ffff88814607bdc0
[ 1590.475875][ T8059] raw: ffff8880713ec8c0 00000000800c000b 00000001ffffffff 0000000000000000
[ 1590.484432][ T8059] page dumped because: kasan: bad access detected
[ 1590.490822][ T8059] page_owner tracks the page as allocated
[ 1590.496527][ T8059] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY), pid 7168, ts 1580559391621, free_ts 1580537948913
[ 1590.512916][ T8059] get_page_from_freelist+0xa72/0x2f50
[ 1590.518415][ T8059] __alloc_pages+0x1b2/0x500
[ 1590.522987][ T8059] alloc_pages+0x1a7/0x300
[ 1590.527416][ T8059] new_slab+0x32d/0x4a0
[ 1590.531556][ T8059] ___slab_alloc+0x918/0xfe0
[ 1590.536128][ T8059] kmem_cache_alloc_bulk+0x21a/0x720
[ 1590.541396][ T8059] io_submit_sqes.cold+0x20b/0x43d
[ 1590.546491][ T8059] __do_sys_io_uring_enter+0xf6e/0x1f50
[ 1590.552193][ T8059] do_syscall_64+0x35/0xb0
[ 1590.556593][ T8059] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 1590.562470][ T8059] page last free stack trace:
[ 1590.567143][ T8059] free_pcp_prepare+0x374/0x870
[ 1590.571994][ T8059] free_unref_page_list+0x1a9/0xfa0
[ 1590.577187][ T8059] release_pages+0x3f4/0x1480
[ 1590.581896][ T8059] tlb_finish_mmu+0x165/0x8c0
[ 1590.586564][ T8059] exit_mmap+0x1ea/0x630
[ 1590.590829][ T8059] __mmput+0x122/0x4b0
[ 1590.594893][ T8059] mmput+0x56/0x60
[ 1590.598600][ T8059] do_exit+0xb27/0x2b40
[ 1590.602750][ T8059] do_group_exit+0x125/0x310
[ 1590.607336][ T8059] get_signal+0x47d/0x21d0
[ 1590.611740][ T8059] arch_do_signal_or_restart+0x2a9/0x1c40
[ 1590.617455][ T8059] exit_to_user_mode_prepare+0x17d/0x290
[ 1590.623071][ T8059] syscall_exit_to_user_mode+0x19/0x60
[ 1590.628513][ T8059] do_syscall_64+0x42/0xb0
[ 1590.632930][ T8059] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 1590.638891][ T8059]
[ 1590.641193][ T8059] Memory state around the buggy address:
[ 1590.646802][ T8059]  ffff8880713eca80: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[ 1590.654861][ T8059]  ffff8880713ecb00: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
[ 1590.662900][ T8059] >ffff8880713ecb80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1590.670934][ T8059]                                         ^
[ 1590.676799][ T8059]  ffff8880713ecc00: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
[ 1590.684835][ T8059]  ffff8880713ecc80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1590.692872][ T8059] ==================================================================
[ 1590.700904][ T8059] Disabling lock debugging due to kernel taint
[ 1590.707104][ T8059] Kernel panic - not syncing: panic_on_warn set ...
[ 1590.713674][ T8059] CPU: 1 PID: 8059 Comm: syz-executor.0 Tainted: G B 5.15.0-rc7-next-20211029-syzkaller #0
[ 1590.724949][ T8059] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 1590.734989][ T8059] Call Trace:
[ 1590.738259][ T8059]
[ 1590.741181][ T8059] dump_stack_lvl+0xcd/0x134
[ 1590.745760][ T8059] panic+0x2b0/0x6dd
[ 1590.749668][ T8059] ? __warn_printk+0xf3/0xf3
[ 1590.754243][ T8059] ? __io_free_req+0x33f/0x3c5
[ 1590.758998][ T8059] ? trace_hardirqs_on+0x38/0x1c0
[ 1590.764073][ T8059] ? trace_hardirqs_on+0x51/0x1c0
[ 1590.769100][ T8059] ? __io_free_req+0x33f/0x3c5
[ 1590.773900][ T8059] ? __io_free_req+0x33f/0x3c5
[ 1590.778656][ T8059] end_report.cold+0x63/0x6f
[ 1590.783235][ T8059] kasan_report.cold+0x71/0xdf
[ 1590.787987][ T8059] ? __io_free_req+0x33f/0x3c5
[ 1590.792735][ T8059] __io_free_req+0x33f/0x3c5
[ 1590.797318][ T8059] tctx_task_work+0x1b3/0x630
[ 1590.801994][ T8059] ? __io_submit_flush_completions+0x2c0/0x2c0
[ 1590.808143][ T8059] task_work_run+0xdd/0x1a0
[ 1590.812627][ T8059] do_exit+0xc14/0x2b40
[ 1590.816767][ T8059] ? mm_update_next_owner+0x7a0/0x7a0
[ 1590.822123][ T8059] ? lock_downgrade+0x6e0/0x6e0
[ 1590.826957][ T8059] do_group_exit+0x125/0x310
[ 1590.831528][ T8059] get_signal+0x47d/0x21d0
[ 1590.835931][ T8059] arch_do_signal_or_restart+0x2a9/0x1c40
[ 1590.841633][ T8059] ? do_futex+0x10c/0x390
[ 1590.845942][ T8059] ? __ia32_sys_get_robust_list+0x420/0x420
[ 1590.851813][ T8059] ? find_held_lock+0x2d/0x110
[ 1590.856564][ T8059] ? get_sigframe_size+0x10/0x10
[ 1590.861485][ T8059] ? __x64_sys_futex+0x1b0/0x4a0
[ 1590.866408][ T8059] ? do_futex+0x390/0x390
[ 1590.870719][ T8059] exit_to_user_mode_prepare+0x17d/0x290
[ 1590.876339][ T8059] syscall_exit_to_user_mode+0x19/0x60
[ 1590.881787][ T8059] do_syscall_64+0x42/0xb0
[ 1590.886183][ T8059] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 1590.892058][ T8059] RIP: 0033:0x7f9da8c4ea39
[ 1590.896448][ T8059] Code: Unable to access opcode bytes at RIP 0x7f9da8c4ea0f.
[ 1590.903788][ T8059] RSP: 002b:00007f9da83a3218 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
[ 1590.912177][ T8059] RAX: fffffffffffffe00 RBX: 00007f9da8d62028 RCX: 00007f9da8c4ea39
[ 1590.920307][ T8059] RDX: 0000000000000000 RSI: 0000000000000080 RDI: 00007f9da8d62028
[ 1590.928278][ T8059] RBP: 00007f9da8d62020 R08: 0000000000000000 R09: 0000000000000000
[ 1590.936387][ T8059] R10: 0000000000000000 R11: 0000000000000246 R12: 00007f9da8d6202c
[ 1590.944525][ T8059] R13: 00007ffd6e91741f R14: 00007f9da83a3300 R15: 0000000000022000
[ 1590.952496][ T8059]
[ 1590.955784][ T8059] Kernel Offset: disabled
[ 1590.960094][ T8059] Rebooting in 86400 seconds..