Warning: Permanently added '10.128.1.102' (ECDSA) to the list of known hosts.
syzkaller login: [ 63.692546][ T8399] IPVS: ftp: loaded support on port[0] = 21
[ 63.829566][ T8399] chnl_net:caif_netlink_parms(): no params data found
[ 63.876507][ T8399] bridge0: port 1(bridge_slave_0) entered blocking state
[ 63.884925][ T8399] bridge0: port 1(bridge_slave_0) entered disabled state
[ 63.893844][ T8399] device bridge_slave_0 entered promiscuous mode
[ 63.903954][ T8399] bridge0: port 2(bridge_slave_1) entered blocking state
[ 63.911461][ T8399] bridge0: port 2(bridge_slave_1) entered disabled state
[ 63.919009][ T8399] device bridge_slave_1 entered promiscuous mode
[ 63.937087][ T8399] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 63.948474][ T8399] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 63.970723][ T8399] team0: Port device team_slave_0 added
[ 63.978117][ T8399] team0: Port device team_slave_1 added
[ 63.994135][ T8399] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 64.001229][ T8399] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 64.028160][ T8399] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[ 64.041946][ T8399] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 64.048878][ T8399] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 64.075271][ T8399] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[ 64.099300][ T8399] device hsr_slave_0 entered promiscuous mode
[ 64.106144][ T8399] device hsr_slave_1 entered promiscuous mode
[ 64.193700][ T8399] netdevsim netdevsim0 netdevsim0: renamed from eth0
[ 64.204628][ T8399] netdevsim netdevsim0 netdevsim1: renamed from eth1
[ 64.214321][ T8399] netdevsim netdevsim0 netdevsim2: renamed from eth2
[ 64.224871][ T8399] netdevsim netdevsim0 netdevsim3: renamed from eth3
[ 64.249197][ T8399] bridge0: port 2(bridge_slave_1) entered blocking state
[ 64.256518][ T8399] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 64.264198][ T8399] bridge0: port 1(bridge_slave_0) entered blocking state
[ 64.271340][ T8399] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 64.309751][ T8399] 8021q: adding VLAN 0 to HW filter on device bond0
[ 64.323702][ T8] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 64.335452][ T8] bridge0: port 1(bridge_slave_0) entered disabled state
[ 64.344494][ T8] bridge0: port 2(bridge_slave_1) entered disabled state
[ 64.352878][ T8] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 64.366126][ T8399] 8021q: adding VLAN 0 to HW filter on device team0
[ 64.376322][ T8] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 64.385620][ T8] bridge0: port 1(bridge_slave_0) entered blocking state
[ 64.392718][ T8] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 64.411716][ T36] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 64.421893][ T36] bridge0: port 2(bridge_slave_1) entered blocking state
[ 64.428955][ T36] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 64.442319][ T8] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 64.461165][ T8] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 64.469262][ T8] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 64.478734][ T8] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 64.487968][ T8] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 64.499105][ T8399] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 64.520243][ T8] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 64.527701][ T8] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 64.539418][ T8399] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 64.558891][ T8] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 64.578828][ T8] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 64.587500][ T8] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 64.596234][ T8] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 64.606969][ T8399] device veth0_vlan entered promiscuous mode
[ 64.619389][ T8399] device veth1_vlan entered promiscuous mode
[ 64.642807][ T8616] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan0: link becomes ready
[ 64.652034][ T8616] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan1: link becomes ready
[ 64.659921][ T8616] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 64.671578][ T8399] device veth0_macvtap entered promiscuous mode
[ 64.681017][ T8399] device veth1_macvtap entered promiscuous mode
[ 64.696853][ T8399] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 64.706000][ T8616] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 64.716498][ T8616] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready
[ 64.727959][ T8399] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 64.737570][ T8616] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 64.748747][ T8399] netdevsim netdevsim0 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0
[ 64.758065][ T8399] netdevsim netdevsim0 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0
[ 64.770064][ T8399] netdevsim netdevsim0 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0
[ 64.778794][ T8399] netdevsim netdevsim0 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0
[ 64.865141][ T25] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[ 64.877414][ T25] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50
[ 64.904391][ T114] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
executing program
[ 64.907972][ T36] IPv6: ADDRCONF(NETDEV_CHANGE): wlan0: link becomes ready
[ 64.923259][ T114] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50
[ 64.936424][ T36] IPv6: ADDRCONF(NETDEV_CHANGE): wlan1: link becomes ready
[ 64.949351][ T8399] ==================================================================
[ 64.957654][ T8399] BUG: KASAN: use-after-free in eth_header_parse_protocol+0xdc/0xe0
[ 64.965631][ T8399] Read of size 2 at addr ffff88801b5bf00b by task syz-executor950/8399
[ 64.973964][ T8399]
[ 64.976365][ T8399] CPU: 1 PID: 8399 Comm: syz-executor950 Not tainted 5.12.0-rc2-syzkaller #0
[ 64.985107][ T8399] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 64.995150][ T8399] Call Trace:
[ 64.998408][ T8399]  dump_stack+0x141/0x1d7
[ 65.002735][ T8399]  ? eth_header_parse_protocol+0xdc/0xe0
[ 65.008344][ T8399]  print_address_description.constprop.0.cold+0x5b/0x2f8
[ 65.015348][ T8399]  ? llc_sysctl_exit+0x60/0x60
[ 65.020092][ T8399]  ? eth_header_parse_protocol+0xdc/0xe0
[ 65.025702][ T8399]  ? eth_header_parse_protocol+0xdc/0xe0
[ 65.031313][ T8399]  kasan_report.cold+0x7c/0xd8
[ 65.036055][ T8399]  ? eth_header_parse_protocol+0xdc/0xe0
[ 65.041667][ T8399]  ? llc_sysctl_exit+0x60/0x60
[ 65.046413][ T8399]  eth_header_parse_protocol+0xdc/0xe0
[ 65.051867][ T8399]  virtio_net_hdr_to_skb.constprop.0+0x99d/0xcd0
[ 65.058178][ T8399]  ? tpacket_destruct_skb+0x860/0x860
[ 65.063537][ T8399]  packet_sendmsg+0x2325/0x52b0
[ 65.068404][ T8399]  ? lockdep_hardirqs_on_prepare+0x340/0x400
[ 65.074469][ T8399]  ? aa_sk_perm+0x31b/0xab0
[ 65.078971][ T8399]  ? packet_cached_dev_get+0x250/0x250
[ 65.084413][ T8399]  ? aa_af_perm+0x230/0x230
[ 65.088901][ T8399]  ? __sanitizer_cov_trace_const_cmp4+0x1c/0x70
[ 65.095123][ T8399]  ? packet_cached_dev_get+0x250/0x250
[ 65.100564][ T8399]  sock_sendmsg+0xcf/0x120
[ 65.104968][ T8399]  sock_write_iter+0x289/0x3c0
[ 65.109726][ T8399]  ? sock_sendmsg+0x120/0x120
[ 65.114392][ T8399]  ? aa_path_link+0x2f0/0x2f0
[ 65.119047][ T8399]  ? lock_downgrade+0x6e0/0x6e0
[ 65.123878][ T8399]  ? rwlock_bug.part.0+0x90/0x90
[ 65.128797][ T8399]  ? __sanitizer_cov_trace_const_cmp4+0x1c/0x70
[ 65.135024][ T8399]  new_sync_write+0x426/0x650
[ 65.139812][ T8399]  ? new_sync_read+0x6e0/0x6e0
[ 65.144556][ T8399]  ? packet_do_bind+0x454/0xc00
[ 65.149413][ T8399]  ? packet_do_bind+0x454/0xc00
[ 65.154250][ T8399]  ? apparmor_file_permission+0x26e/0x4e0
[ 65.159956][ T8399]  ? __sanitizer_cov_trace_const_cmp4+0x1c/0x70
[ 65.166195][ T8399]  vfs_write+0x796/0xa30
[ 65.170422][ T8399]  ksys_write+0x1ee/0x250
[ 65.174732][ T8399]  ? __ia32_sys_read+0xb0/0xb0
[ 65.179478][ T8399]  ? syscall_enter_from_user_mode+0x1d/0x50
[ 65.185357][ T8399]  do_syscall_64+0x2d/0x70
[ 65.189752][ T8399]  entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 65.195629][ T8399] RIP: 0033:0x449a79
[ 65.199529][ T8399] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 a1 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
[ 65.219117][ T8399] RSP: 002b:00007ffd9e26c2d8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[ 65.227510][ T8399] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000449a79
[ 65.235455][ T8399] RDX: 000000000000054a RSI: 0000000020000200 RDI: 0000000000000003
[ 65.243411][ T8399] RBP: 00007ffd9e26c390 R08: 0000000000000031 R09: 0000000000000031
[ 65.251359][ T8399] R10: 0000000000000031 R11: 0000000000000246 R12: 00007ffd9e26c370
[ 65.259307][ T8399] R13: 00000000004d0500 R14: 0000000000000003 R15: 00007ffd9e26c33a
[ 65.267264][ T8399]
[ 65.269564][ T8399] Allocated by task 1:
[ 65.273604][ T8399]  kasan_save_stack+0x1b/0x40
[ 65.278267][ T8399]  __kasan_slab_alloc+0x75/0x90
[ 65.283098][ T8399]  kmem_cache_alloc+0x155/0x370
[ 65.287949][ T8399]  __alloc_file+0x21/0x280
[ 65.292409][ T8399]  alloc_empty_file+0x6d/0x170
[ 65.297154][ T8399]  path_openat+0xe3/0x27e0
[ 65.301552][ T8399]  do_filp_open+0x17e/0x3c0
[ 65.306034][ T8399]  do_sys_openat2+0x16d/0x420
[ 65.310861][ T8399]  __x64_sys_open+0x119/0x1c0
[ 65.315517][ T8399]  do_syscall_64+0x2d/0x70
[ 65.319919][ T8399]  entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 65.325941][ T8399]
[ 65.328248][ T8399] Freed by task 19:
[ 65.332028][ T8399]  kasan_save_stack+0x1b/0x40
[ 65.336686][ T8399]  kasan_set_track+0x1c/0x30
[ 65.341254][ T8399]  kasan_set_free_info+0x20/0x30
[ 65.346174][ T8399]  __kasan_slab_free+0xf5/0x130
[ 65.351011][ T8399]  slab_free_freelist_hook+0x92/0x210
[ 65.356381][ T8399]  kmem_cache_free+0x8a/0x740
[ 65.361037][ T8399]  rcu_core+0x74a/0x12f0
[ 65.365350][ T8399]  __do_softirq+0x29b/0x9f6
[ 65.369839][ T8399]
[ 65.372147][ T8399] Last potentially related work creation:
[ 65.377841][ T8399]  kasan_save_stack+0x1b/0x40
[ 65.382502][ T8399]  kasan_record_aux_stack+0xe5/0x110
[ 65.387764][ T8399]  call_rcu+0xb1/0x740
[ 65.391813][ T8399]  task_work_run+0xdd/0x1a0
[ 65.396296][ T8399]  exit_to_user_mode_prepare+0x249/0x250
[ 65.401905][ T8399]  syscall_exit_to_user_mode+0x19/0x50
[ 65.407341][ T8399]  entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 65.413216][ T8399]
[ 65.415519][ T8399] The buggy address belongs to the object at ffff88801b5bef00
[ 65.415519][ T8399]  which belongs to the cache filp of size 464
[ 65.429463][ T8399] The buggy address is located 267 bytes inside of
[ 65.429463][ T8399]  464-byte region [ffff88801b5bef00, ffff88801b5bf0d0)
[ 65.443072][ T8399] The buggy address belongs to the page:
[ 65.448679][ T8399] page:ffffea00006d6f80 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1b5be
[ 65.458822][ T8399] head:ffffea00006d6f80 order:1 compound_mapcount:0
[ 65.465422][ T8399] flags: 0xfff00000010200(slab|head)
[ 65.470700][ T8399] raw: 00fff00000010200 dead000000000100 dead000000000122 ffff8880109bd500
[ 65.479263][ T8399] raw: 0000000000000000 00000000000c000c 00000001ffffffff 0000000000000000
[ 65.487954][ T8399] page dumped because: kasan: bad access detected
[ 65.494353][ T8399]
[ 65.496667][ T8399] Memory state around the buggy address:
[ 65.502272][ T8399]  ffff88801b5bef00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 65.510400][ T8399]  ffff88801b5bef80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 65.518442][ T8399] >ffff88801b5bf000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 65.526480][ T8399]                                       ^
[ 65.530783][ T8399]  ffff88801b5bf080: fb fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc
[ 65.538820][ T8399]  ffff88801b5bf100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 65.546857][ T8399] ==================================================================
[ 65.554917][ T8399] Disabling lock debugging due to kernel taint
[ 65.565496][ T8399] Kernel panic - not syncing: panic_on_warn set ...
[ 65.572087][ T8399] CPU: 1 PID: 8399 Comm: syz-executor950 Tainted: G B 5.12.0-rc2-syzkaller #0
[ 65.582252][ T8399] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 65.592284][ T8399] Call Trace:
[ 65.595544][ T8399]  dump_stack+0x141/0x1d7
[ 65.599867][ T8399]  panic+0x306/0x73d
[ 65.603746][ T8399]  ? __warn_printk+0xf3/0xf3
[ 65.608335][ T8399]  ? preempt_schedule_common+0x59/0xc0
[ 65.613783][ T8399]  ? llc_sysctl_exit+0x60/0x60
[ 65.618535][ T8399]  ? eth_header_parse_protocol+0xdc/0xe0
[ 65.624161][ T8399]  ? preempt_schedule_thunk+0x16/0x18
[ 65.629517][ T8399]  ? trace_hardirqs_on+0x38/0x1c0
[ 65.634531][ T8399]  ? trace_hardirqs_on+0x51/0x1c0
[ 65.639551][ T8399]  ? llc_sysctl_exit+0x60/0x60
[ 65.644321][ T8399]  ? eth_header_parse_protocol+0xdc/0xe0
[ 65.649936][ T8399]  ? eth_header_parse_protocol+0xdc/0xe0
[ 65.655568][ T8399]  end_report.cold+0x5a/0x5a
[ 65.660229][ T8399]  kasan_report.cold+0x6a/0xd8
[ 65.664992][ T8399]  ? eth_header_parse_protocol+0xdc/0xe0
[ 65.670608][ T8399]  ? llc_sysctl_exit+0x60/0x60
[ 65.675354][ T8399]  eth_header_parse_protocol+0xdc/0xe0
[ 65.680794][ T8399]  virtio_net_hdr_to_skb.constprop.0+0x99d/0xcd0
[ 65.687107][ T8399]  ? tpacket_destruct_skb+0x860/0x860
[ 65.692461][ T8399]  packet_sendmsg+0x2325/0x52b0
[ 65.697297][ T8399]  ? lockdep_hardirqs_on_prepare+0x340/0x400
[ 65.703271][ T8399]  ? aa_sk_perm+0x31b/0xab0
[ 65.707769][ T8399]  ? packet_cached_dev_get+0x250/0x250
[ 65.713230][ T8399]  ? aa_af_perm+0x230/0x230
[ 65.717718][ T8399]  ? __sanitizer_cov_trace_const_cmp4+0x1c/0x70
[ 65.723963][ T8399]  ? packet_cached_dev_get+0x250/0x250
[ 65.729408][ T8399]  sock_sendmsg+0xcf/0x120
[ 65.733810][ T8399]  sock_write_iter+0x289/0x3c0
[ 65.738561][ T8399]  ? sock_sendmsg+0x120/0x120
[ 65.743227][ T8399]  ? aa_path_link+0x2f0/0x2f0
[ 65.747890][ T8399]  ? lock_downgrade+0x6e0/0x6e0
[ 65.752733][ T8399]  ? rwlock_bug.part.0+0x90/0x90
[ 65.757653][ T8399]  ? __sanitizer_cov_trace_const_cmp4+0x1c/0x70
[ 65.763880][ T8399]  new_sync_write+0x426/0x650
[ 65.768546][ T8399]  ? new_sync_read+0x6e0/0x6e0
[ 65.773290][ T8399]  ? packet_do_bind+0x454/0xc00
[ 65.778125][ T8399]  ? packet_do_bind+0x454/0xc00
[ 65.782959][ T8399]  ? apparmor_file_permission+0x26e/0x4e0
[ 65.788666][ T8399]  ? __sanitizer_cov_trace_const_cmp4+0x1c/0x70
[ 65.794892][ T8399]  vfs_write+0x796/0xa30
[ 65.799120][ T8399]  ksys_write+0x1ee/0x250
[ 65.803430][ T8399]  ? __ia32_sys_read+0xb0/0xb0
[ 65.808174][ T8399]  ? syscall_enter_from_user_mode+0x1d/0x50
[ 65.814060][ T8399]  do_syscall_64+0x2d/0x70
[ 65.818462][ T8399]  entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 65.824349][ T8399] RIP: 0033:0x449a79
[ 65.828231][ T8399] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 a1 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
[ 65.847959][ T8399] RSP: 002b:00007ffd9e26c2d8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[ 65.856358][ T8399] RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000449a79
[ 65.864432][ T8399] RDX: 000000000000054a RSI: 0000000020000200 RDI: 0000000000000003
[ 65.872412][ T8399] RBP: 00007ffd9e26c390 R08: 0000000000000031 R09: 0000000000000031
[ 65.880365][ T8399] R10: 0000000000000031 R11: 0000000000000246 R12: 00007ffd9e26c370
[ 65.888417][ T8399] R13: 00000000004d0500 R14: 0000000000000003 R15: 00007ffd9e26c33a
[ 65.896974][ T8399] Kernel Offset: disabled
[ 65.901299][ T8399] Rebooting in 86400 seconds..
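The Python triage helper below is an added example; it is not part of the syzbot report above and is not syzkaller's or the kernel's code. It parses the KASAN section of a console log like this one (SAMPLE_REPORT is an excerpt copied from the report above, console prefixes included), drops the "?" frames that the unwinder marks as unreliable, checks that the "267 bytes inside of" claim and the region bounds agree with the printed addresses, and decodes the shadow byte covering the faulting address. The SHADOW_LEGEND table (generic KASAN encodings of 5.12-era kernels: fb = freed slab object, fc = slab redzone, fa = free-track slot at the start of a freed object) and the _PLUMBING prefix list are assumptions of this example; the report itself prints no legend in this kernel version.

```python
"""Added triage helper, not part of the syzbot report above: parse a KASAN
report as printed on a syzkaller console and cross-check what a triager needs."""
import re
from dataclasses import dataclass, field

_PREFIX = re.compile(r"^\[\s*[\d.]+\]\[\s*T\d+\]\s?")      # "[   65.51][ T8399] "
_FRAME = re.compile(r"^\s*(\??)\s*([\w.]+\+0x[0-9a-f]+/0x[0-9a-f]+)$")
_SHADOW = re.compile(r"^\s*>?\s*([0-9a-f]{16}):((?:\s+[0-9a-f]{2}){16})\s*$")
# Generic KASAN shadow values (mm/kasan/kasan.h, 5.12 era); one byte per 8-byte granule.
SHADOW_LEGEND = {0x00: "addressable", 0xfa: "freed slab object (free-track slot)",
                 0xfb: "freed slab object", 0xfc: "slab redzone",
                 0xfe: "page redzone", 0xff: "freed page"}
# Frames that belong to KASAN/allocator plumbing rather than to the code under test
# (assumed list; extend it for other kernel versions).
_PLUMBING = ("kasan_", "__kasan", "kmem_cache_", "slab_free", "dump_stack",
             "print_address", "end_report")


@dataclass
class KasanReport:
    bug: str = ""; func: str = ""; access: str = ""; size: int = 0; addr: int = 0
    cache: str = ""; obj_size: int = 0; obj_start: int = 0; obj_end: int = 0
    reported_offset: int = -1
    call_trace: list = field(default_factory=list)   # "?" guesses already dropped
    allocated_by: list = field(default_factory=list)
    freed_by: list = field(default_factory=list)
    shadow: dict = field(default_factory=dict)       # row address -> 16 shadow bytes

    @property
    def computed_offset(self) -> int:
        return self.addr - self.obj_start

    def offset_consistent(self) -> bool:
        """'N bytes inside of' and the region bounds must agree with the addresses."""
        return (self.computed_offset == self.reported_offset
                and self.obj_end - self.obj_start == self.obj_size)

    def shadow_state(self):
        """Decode the shadow byte covering addr (each dumped row spans 128 bytes)."""
        row = self.addr & ~0x7f
        cols = self.shadow.get(row)
        return cols and SHADOW_LEGEND.get(cols[(self.addr - row) >> 3], "partial")

    @staticmethod
    def real_frames(frames: list) -> list:
        """Strip leading plumbing so the list starts at the frame that did the
        access, the allocation or the free."""
        i = next((i for i, f in enumerate(frames) if not f.startswith(_PLUMBING)),
                 len(frames))
        return frames[i:]


def parse_kasan_report(text: str) -> KasanReport:
    r, stack = KasanReport(), None
    for raw in text.splitlines():
        line = _PREFIX.sub("", raw).rstrip()
        if not line:                               # blank line closes a stack section
            stack = None
        elif m := re.search(r"BUG: KASAN: (\S+) in (\S+)", line):
            r.bug, r.func = m[1], m[2]
        elif m := re.search(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+)", line):
            r.access, r.size, r.addr = m[1], int(m[2]), int(m[3], 16)
        elif m := re.search(r"belongs to the cache (\S+) of size (\d+)", line):
            r.cache, r.obj_size = m[1], int(m[2])
        elif m := re.search(r"located (\d+) bytes inside of", line):
            r.reported_offset = int(m[1])
        elif m := re.search(r"region \[([0-9a-f]+), ([0-9a-f]+)\)", line):
            r.obj_start, r.obj_end = int(m[1], 16), int(m[2], 16)
        elif m := _SHADOW.match(line):
            r.shadow[int(m[1], 16)] = [int(b, 16) for b in m[2].split()]
        elif line.startswith("Call Trace:") and not r.call_trace:
            stack = r.call_trace                   # the panic's second dump is ignored
        elif line.startswith("Allocated by task"):
            stack = r.allocated_by
        elif line.startswith("Freed by task"):
            stack = r.freed_by
        elif stack is not None and (m := _FRAME.match(line)) and not m[1]:
            stack.append(m[2])                     # keep only non-"?" frames
    return r


# Excerpt copied from the report above (console prefixes kept on purpose).
SAMPLE_REPORT = """\
[   64.957654][ T8399] BUG: KASAN: use-after-free in eth_header_parse_protocol+0xdc/0xe0
[   64.965631][ T8399] Read of size 2 at addr ffff88801b5bf00b by task syz-executor950/8399
[   64.995150][ T8399] Call Trace:
[   65.002735][ T8399]  ? eth_header_parse_protocol+0xdc/0xe0
[   65.031313][ T8399]  kasan_report.cold+0x7c/0xd8
[   65.046413][ T8399]  eth_header_parse_protocol+0xdc/0xe0
[   65.051867][ T8399]  virtio_net_hdr_to_skb.constprop.0+0x99d/0xcd0
[   65.063537][ T8399]  packet_sendmsg+0x2325/0x52b0
[   65.267264][ T8399]
[   65.269564][ T8399] Allocated by task 1:
[   65.273604][ T8399]  kasan_save_stack+0x1b/0x40
[   65.287949][ T8399]  __alloc_file+0x21/0x280
[   65.325941][ T8399]
[   65.328248][ T8399] Freed by task 19:
[   65.332028][ T8399]  kasan_save_stack+0x1b/0x40
[   65.356381][ T8399]  kmem_cache_free+0x8a/0x740
[   65.361037][ T8399]  rcu_core+0x74a/0x12f0
[   65.369839][ T8399]
[   65.415519][ T8399]  which belongs to the cache filp of size 464
[   65.429463][ T8399] The buggy address is located 267 bytes inside of
[   65.429463][ T8399]  464-byte region [ffff88801b5bef00, ffff88801b5bf0d0)
[   65.502272][ T8399]  ffff88801b5bef00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   65.518442][ T8399] >ffff88801b5bf000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
"""
```

Run over the report above, this yields the picture a triager wants before opening any source: a 2-byte read in eth_header_parse_protocol, reached through virtio_net_hdr_to_skb from packet_sendmsg, lands 267 bytes into a 464-byte filp object whose shadow byte is fb (freed); the object was allocated by __alloc_file on task 1 and freed from an RCU callback (rcu_core) on task 19, i.e. the AF_PACKET send path is reading through a pointer into a struct file that has already gone through its RCU-deferred free. The offset check matters on real logs because extraction and copy-paste routinely corrupt hex addresses, and a report whose printed offset disagrees with its printed addresses should not be trusted.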