Warning: Permanently added '10.128.0.174' (ECDSA) to the list of known hosts.
syzkaller login: [ 41.334186] IPVS: ftp: loaded support on port[0] = 21
[ 41.415748] chnl_net:caif_netlink_parms(): no params data found
[ 41.505016] bridge0: port 1(bridge_slave_0) entered blocking state
[ 41.512110] bridge0: port 1(bridge_slave_0) entered disabled state
[ 41.520175] device bridge_slave_0 entered promiscuous mode
[ 41.529365] bridge0: port 2(bridge_slave_1) entered blocking state
[ 41.535853] bridge0: port 2(bridge_slave_1) entered disabled state
[ 41.544223] device bridge_slave_1 entered promiscuous mode
[ 41.563512] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 41.572854] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 41.592530] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 41.600134] team0: Port device team_slave_0 added
[ 41.605704] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 41.613433] team0: Port device team_slave_1 added
[ 41.630471] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 41.636858] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 41.663298] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[ 41.675248] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 41.681735] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 41.707443] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[ 41.718700] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[ 41.726515] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[ 41.790127] device hsr_slave_0 entered promiscuous mode
[ 41.837403] device hsr_slave_1 entered promiscuous mode
[ 41.877837] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready
[ 41.884982] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_1: link is not ready
[ 41.960568] bridge0: port 2(bridge_slave_1) entered blocking state
[ 41.967058] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 41.973927] bridge0: port 1(bridge_slave_0) entered blocking state
[ 41.980374] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 42.015341] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[ 42.022738] 8021q: adding VLAN 0 to HW filter on device bond0
[ 42.032547] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 42.041996] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 42.062245] bridge0: port 1(bridge_slave_0) entered disabled state
[ 42.070242] bridge0: port 2(bridge_slave_1) entered disabled state
[ 42.079064] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 42.090821] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready
[ 42.097643] 8021q: adding VLAN 0 to HW filter on device team0
[ 42.107541] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 42.115389] bridge0: port 1(bridge_slave_0) entered blocking state
[ 42.121844] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 42.133044] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 42.141614] bridge0: port 2(bridge_slave_1) entered blocking state
[ 42.148158] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 42.164068] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 42.172638] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 42.183591] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 42.196278] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 42.209044] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
[ 42.220691] IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready
[ 42.228339] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 42.235846] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 42.250000] IPv6: ADDRCONF(NETDEV_UP): vxcan0: link is not ready
[ 42.258779] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 42.265643] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 42.278335] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 42.291624] IPv6: ADDRCONF(NETDEV_UP): veth0_virt_wifi: link is not ready
[ 42.301496] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 42.340521] IPv6: ADDRCONF(NETDEV_UP): veth0_vlan: link is not ready
[ 42.347743] IPv6: ADDRCONF(NETDEV_UP): vlan0: link is not ready
[ 42.354291] IPv6: ADDRCONF(NETDEV_UP): vlan1: link is not ready
[ 42.363941] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 42.371896] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 42.379283] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 42.390208] device veth0_vlan entered promiscuous mode
[ 42.399903] device veth1_vlan entered promiscuous mode
[ 42.415220] IPv6: ADDRCONF(NETDEV_UP): veth0_macvtap: link is not ready
[ 42.424984] IPv6: ADDRCONF(NETDEV_UP): veth1_macvtap: link is not ready
[ 42.432479] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_macvtap: link becomes ready
[ 42.441064] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 42.452135] device veth0_macvtap entered promiscuous mode
[ 42.459819] IPv6: ADDRCONF(NETDEV_UP): macvtap0: link is not ready
[ 42.469843] device veth1_macvtap entered promiscuous mode
[ 42.476078] IPv6: ADDRCONF(NETDEV_UP): macsec0: link is not ready
[ 42.485594] IPv6: ADDRCONF(NETDEV_UP): veth0_to_batadv: link is not ready
[ 42.495490] IPv6: ADDRCONF(NETDEV_UP): veth1_to_batadv: link is not ready
[ 42.505382] IPv6: ADDRCONF(NETDEV_UP): batadv_slave_0: link is not ready
[ 42.513472] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 42.520682] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready
[ 42.528668] IPv6: ADDRCONF(NETDEV_CHANGE): macsec0: link becomes ready
[ 42.535857] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready
[ 42.544091] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 42.554588] IPv6: ADDRCONF(NETDEV_UP): batadv_slave_1: link is not ready
[ 42.562446] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 42.569899] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready
[ 42.578551] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
executing program
[ 42.678313] TCP: request_sock_TCPv6: Possible SYN flooding on port 20002. Sending cookies. Check SNMP counters.
[ 42.704807] FAULT_INJECTION: forcing a failure.
[ 42.704807] name failslab, interval 1, probability 0, space 0, times 1
[ 42.716699] CPU: 1 PID: 6662 Comm: syz-executor351 Not tainted 4.19.114-syzkaller #0
[ 42.724707] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 42.734073] Call Trace:
[ 42.736665] dump_stack+0x188/0x20d
[ 42.740290] should_fail.cold+0xa/0x1b
[ 42.744179] ? fault_create_debugfs_attr+0x1e0/0x1e0
[ 42.749369] ? __lock_is_held+0xad/0x140
[ 42.753421] __should_failslab+0x115/0x180
[ 42.757730] should_failslab+0x5/0xf
[ 42.761457] __kmalloc+0x2d3/0x770
[ 42.765003] ? tls_push_record+0x102/0x1380
[ 42.769336] tls_push_record+0x102/0x1380
[ 42.773582] ? _copy_from_iter+0x313/0xb60
[ 42.777817] ? __phys_addr+0x9a/0x110
[ 42.781816] ? __check_object_size+0x171/0x42a
[ 42.786434] tls_sw_sendmsg+0xd00/0x1150
[ 42.790534] ? tls_sw_push_pending_record+0x30/0x30
[ 42.795576] ? get_pid_task+0xf4/0x190
[ 42.799475] ? proc_fail_nth_write+0x95/0x1d0
[ 42.803988] ? proc_cwd_link+0x1d0/0x1d0
[ 42.808058] inet_sendmsg+0x12e/0x590
[ 42.811949] ? ipip_gro_receive+0x100/0x100
[ 42.816286] sock_sendmsg+0xcf/0x120
[ 42.820004] __sys_sendto+0x21a/0x330
[ 42.823797] ? __ia32_sys_getpeername+0xb0/0xb0
[ 42.828548] ? lock_downgrade+0x740/0x740
[ 42.832721] ? check_preemption_disabled+0x41/0x280
[ 42.837740] ? wait_for_completion+0x3c0/0x3c0
[ 42.842833] ? vfs_write+0x15b/0x550
[ 42.846549] ? fput+0x2b/0x190
[ 42.849739] ? ksys_write+0x1c8/0x2a0
[ 42.853528] ? __ia32_sys_read+0xb0/0xb0
[ 42.857725] __x64_sys_sendto+0xdd/0x1b0
[ 42.861781] ? lockdep_hardirqs_on+0x40b/0x5d0
[ 42.866358] do_syscall_64+0xf9/0x620
[ 42.870232] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 42.875407] RIP: 0033:0x449299
[ 42.878584] Code: e8 bc 15 03 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 ab 0e fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 42.897557] RSP: 002b:00007f9e63f5cca8 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
[ 42.905357] RAX: ffffffffffffffda RBX: 00007f9e63f5ccc0 RCX: 0000000000449299
[ 42.912639] RDX: 00000000e0ffffff RSI: 00000000200005c0 RDI: 0000000000000003
[ 42.920000] RBP: 0000000000000006 R08: 0000000000000000 R09: 00000000000000d8
[ 42.927277] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dfc4c
[ 42.934594] R13: 00007fff5874d23f R14: 00007f9e63f5d9c0 R15: 00000000006dfc4c
[ 43.027373] ==================================================================
[ 43.035210] BUG: KASAN: use-after-free in tls_push_record+0x1007/0x1380
[ 43.041983] Write of size 1 at addr ffff8880a0cc0000 by task syz-executor351/6662
[ 43.049640]
[ 43.051642] CPU: 0 PID: 6662 Comm: syz-executor351 Not tainted 4.19.114-syzkaller #0
[ 43.059514] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 43.068870] Call Trace:
[ 43.071477] dump_stack+0x188/0x20d
[ 43.075345] ? tls_push_record+0x1007/0x1380
[ 43.079755] print_address_description.cold+0x7c/0x212
[ 43.085028] ? tls_push_record+0x1007/0x1380
[ 43.089428] kasan_report.cold+0x88/0x2b9
[ 43.093583] tls_push_record+0x1007/0x1380
[ 43.097836] ? lockdep_hardirqs_on+0x40b/0x5d0
[ 43.102431] tls_sk_proto_close+0x641/0xb20
[ 43.106762] ? tcp_check_oom+0x550/0x550
[ 43.110826] ? _raw_spin_unlock_irqrestore+0xa0/0xe0
[ 43.115930] ? tls_write_space+0x2f0/0x2f0
[ 43.120164] ? lock_acquire+0x170/0x400
[ 43.124128] ? ip_mc_drop_socket+0x16/0x260
[ 43.128443] ? __sock_release+0x86/0x2a0
[ 43.132493] inet_release+0xd7/0x1e0
[ 43.136204] inet6_release+0x4c/0x70
[ 43.139924] __sock_release+0xcd/0x2a0
[ 43.143880] ? __sock_release+0x2a0/0x2a0
[ 43.148199] sock_close+0x15/0x20
[ 43.151672] __fput+0x2cd/0x890
[ 43.154958] task_work_run+0x13f/0x1b0
[ 43.158858] do_exit+0xbcd/0x2f30
[ 43.162400] ? lockdep_hardirqs_on+0x3f1/0x5d0
[ 43.167074] ? mm_update_next_owner+0x650/0x650
[ 43.171747] ? get_signal+0x383/0x1f90
[ 43.175652] ? lock_downgrade+0x740/0x740
[ 43.179900] do_group_exit+0x125/0x350
[ 43.183784] get_signal+0x3ec/0x1f90
[ 43.187496] ? inet_sendmsg+0x136/0x590
[ 43.191465] do_signal+0x8f/0x1710
[ 43.194996] ? __ia32_sys_getpeername+0xb0/0xb0
[ 43.199657] ? lock_downgrade+0x740/0x740
[ 43.203920] ? setup_sigcontext+0x820/0x820
[ 43.208280] ? check_preemption_disabled+0x41/0x280
[ 43.213292] ? wait_for_completion+0x3c0/0x3c0
[ 43.217864] ? vfs_write+0x15b/0x550
[ 43.221568] ? fput+0x2b/0x190
[ 43.224749] ? ksys_write+0x1c8/0x2a0
[ 43.228554] ? exit_to_usermode_loop+0x36/0x2b0
[ 43.233211] exit_to_usermode_loop+0x22b/0x2b0
[ 43.237781] do_syscall_64+0x538/0x620
[ 43.241655] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 43.246963] RIP: 0033:0x449299
[ 43.250177] Code: Bad RIP value.
[ 43.253531] RSP: 002b:00007f9e63f5cca8 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
[ 43.261237] RAX: 0000000000004000 RBX: 00007f9e63f5ccc0 RCX: 0000000000449299
[ 43.268509] RDX: 00000000e0ffffff RSI: 00000000200005c0 RDI: 0000000000000003
[ 43.279415] RBP: 0000000000000006 R08: 0000000000000000 R09: 00000000000000d8
[ 43.286682] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dfc4c
[ 43.293935] R13: 00007fff5874d23f R14: 00007f9e63f5d9c0 R15: 00000000006dfc4c
[ 43.301197]
[ 43.302804] The buggy address belongs to the page:
[ 43.307730] page:ffffea0002833000 count:0 mapcount:-128 mapping:0000000000000000 index:0x0
[ 43.316190] flags: 0xfffe0000000000()
[ 43.319994] raw: 00fffe0000000000 ffffea000293d608 ffffea000222ba08 0000000000000000
[ 43.327868] raw: 0000000000000000 0000000000000003 00000000ffffff7f 0000000000000000
[ 43.335737] page dumped because: kasan: bad access detected
[ 43.341441]
[ 43.343071] Memory state around the buggy address:
[ 43.348040]  ffff8880a0cbff00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 43.355413]  ffff8880a0cbff80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 43.363119] >ffff8880a0cc0000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 43.370458]                    ^
[ 43.373806]  ffff8880a0cc0080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 43.381167]  ffff8880a0cc0100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 43.388511] ==================================================================
[ 43.395859] Disabling lock debugging due to kernel taint
[ 43.402121] Kernel panic - not syncing: panic_on_warn set ...
[ 43.402121]
[ 43.409524] CPU: 1 PID: 6662 Comm: syz-executor351 Tainted: G B 4.19.114-syzkaller #0
[ 43.418800] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 43.428160] Call Trace:
[ 43.430761] dump_stack+0x188/0x20d
[ 43.435557] panic+0x26a/0x50e
[ 43.438738] ? __warn_printk+0xf3/0xf3
[ 43.442618] ? preempt_schedule_common+0x4a/0xc0
[ 43.447472] ? tls_push_record+0x1007/0x1380
[ 43.452033] ? ___preempt_schedule+0x16/0x18
[ 43.456428] ? trace_hardirqs_on+0x55/0x210
[ 43.460798] ? tls_push_record+0x1007/0x1380
[ 43.465195] kasan_end_report+0x43/0x49
[ 43.469156] kasan_report.cold+0xa4/0x2b9
[ 43.473310] tls_push_record+0x1007/0x1380
[ 43.477547] ? lockdep_hardirqs_on+0x40b/0x5d0
[ 43.482121] tls_sk_proto_close+0x641/0xb20
[ 43.486708] ? tcp_check_oom+0x550/0x550
[ 43.490771] ? _raw_spin_unlock_irqrestore+0xa0/0xe0
[ 43.495868] ? tls_write_space+0x2f0/0x2f0
[ 43.500216] ? lock_acquire+0x170/0x400
[ 43.504196] ? ip_mc_drop_socket+0x16/0x260
[ 43.508822] ? __sock_release+0x86/0x2a0
[ 43.513029] inet_release+0xd7/0x1e0
[ 43.516786] inet6_release+0x4c/0x70
[ 43.520497] __sock_release+0xcd/0x2a0
[ 43.524388] ? __sock_release+0x2a0/0x2a0
[ 43.528526] sock_close+0x15/0x20
[ 43.531975] __fput+0x2cd/0x890
[ 43.535238] task_work_run+0x13f/0x1b0
[ 43.539118] do_exit+0xbcd/0x2f30
[ 43.542557] ? lockdep_hardirqs_on+0x3f1/0x5d0
[ 43.547128] ? mm_update_next_owner+0x650/0x650
[ 43.551812] ? get_signal+0x383/0x1f90
[ 43.555713] ? lock_downgrade+0x740/0x740
[ 43.559867] do_group_exit+0x125/0x350
[ 43.563738] get_signal+0x3ec/0x1f90
[ 43.567438] ? inet_sendmsg+0x136/0x590
[ 43.571402] do_signal+0x8f/0x1710
[ 43.574948] ? __ia32_sys_getpeername+0xb0/0xb0
[ 43.579605] ? lock_downgrade+0x740/0x740
[ 43.583919] ? setup_sigcontext+0x820/0x820
[ 43.588230] ? check_preemption_disabled+0x41/0x280
[ 43.593230] ? wait_for_completion+0x3c0/0x3c0
[ 43.597910] ? vfs_write+0x15b/0x550
[ 43.601697] ? fput+0x2b/0x190
[ 43.604884] ? ksys_write+0x1c8/0x2a0
[ 43.608679] ? exit_to_usermode_loop+0x36/0x2b0
[ 43.613333] exit_to_usermode_loop+0x22b/0x2b0
[ 43.617926] do_syscall_64+0x538/0x620
[ 43.621867] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 43.627047] RIP: 0033:0x449299
[ 43.630236] Code: Bad RIP value.
[ 43.633586] RSP: 002b:00007f9e63f5cca8 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
[ 43.641374] RAX: 0000000000004000 RBX: 00007f9e63f5ccc0 RCX: 0000000000449299
[ 43.648650] RDX: 00000000e0ffffff RSI: 00000000200005c0 RDI: 0000000000000003
[ 43.655922] RBP: 0000000000000006 R08: 0000000000000000 R09: 00000000000000d8
[ 43.663190] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dfc4c
[ 43.670467] R13: 00007fff5874d23f R14: 00007f9e63f5d9c0 R15: 00000000006dfc4c
[ 43.679280] Kernel Offset: disabled
[ 43.682919] Rebooting in 86400 seconds..