[ 59.672394][ T42] bridge0: port 1(bridge_slave_0) entered disabled state
[ 59.712768][ T42] device veth1_macvtap left promiscuous mode
[ 59.712933][ T42] device veth0_macvtap left promiscuous mode
[ 59.713066][ T42] device veth1_vlan left promiscuous mode
[ 59.713257][ T42] device veth0_vlan left promiscuous mode
[ 59.957581][ T42] team0 (unregistering): Port device team_slave_1 removed
[ 59.973780][ T42] team0 (unregistering): Port device team_slave_0 removed
[ 59.987266][ T42] bond0 (unregistering): (slave bond_slave_1): Releasing backup interface
[ 60.006647][ T42] bond0 (unregistering): (slave bond_slave_0): Releasing backup interface
[ 60.065507][ T42] bond0 (unregistering): Released all slaves
Warning: Permanently added '10.128.1.37' (ECDSA) to the list of known hosts.
2022/06/13 12:45:50 parsed 1 programs
2022/06/13 12:45:50 executed programs: 0
[ 75.021037][ T4062] cgroup: Unknown subsys name 'net'
[ 75.024123][ T4062] cgroup: Unknown subsys name 'rlimit'
[ 76.158568][ T49] Bluetooth: hci0: unexpected cc 0x0c03 length: 249 > 1
[ 76.159207][ T49] Bluetooth: hci0: unexpected cc 0x1003 length: 249 > 9
[ 76.161623][ T49] Bluetooth: hci0: unexpected cc 0x1001 length: 249 > 9
[ 76.162486][ T49] Bluetooth: hci0: unexpected cc 0x0c23 length: 249 > 4
[ 76.162928][ T49] Bluetooth: hci0: unexpected cc 0x0c25 length: 249 > 3
[ 76.163292][ T49] Bluetooth: hci0: unexpected cc 0x0c38 length: 249 > 2
[ 76.232039][ T14] cfg80211: failed to load regulatory.db
[ 76.246882][ T4069] chnl_net:caif_netlink_parms(): no params data found
[ 76.303906][ T4069] bridge0: port 1(bridge_slave_0) entered blocking state
[ 76.304032][ T4069] bridge0: port 1(bridge_slave_0) entered disabled state
[ 76.305144][ T4069] device bridge_slave_0 entered promiscuous mode
[ 76.307513][ T4069] bridge0: port 2(bridge_slave_1) entered blocking state
[ 76.307627][ T4069] bridge0: port 2(bridge_slave_1) entered disabled state
[ 76.308607][ T4069] device bridge_slave_1 entered promiscuous mode
[ 76.338329][ T4069] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 76.341714][ T4069] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 76.373685][ T4069] team0: Port device team_slave_0 added
[ 76.376023][ T4069] team0: Port device team_slave_1 added
[ 76.404256][ T4069] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 76.404270][ T4069] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 76.404294][ T4069] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[ 76.406545][ T4069] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 76.406557][ T4069] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 76.406580][ T4069] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[ 76.436165][ T4069] device hsr_slave_0 entered promiscuous mode
[ 76.441708][ T4069] device hsr_slave_1 entered promiscuous mode
[ 76.550183][ T4069] bridge0: port 2(bridge_slave_1) entered blocking state
[ 76.550244][ T4069] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 76.550719][ T4069] bridge0: port 1(bridge_slave_0) entered blocking state
[ 76.550793][ T4069] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 76.640609][ T4069] 8021q: adding VLAN 0 to HW filter on device bond0
[ 76.648407][ T27] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 76.665866][ T27] bridge0: port 1(bridge_slave_0) entered disabled state
[ 76.666496][ T27] bridge0: port 2(bridge_slave_1) entered disabled state
[ 76.667683][ T27] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 76.694637][ T4069] 8021q: adding VLAN 0 to HW filter on device team0
[ 76.705976][ T4076] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 76.706402][ T4076] bridge0: port 1(bridge_slave_0) entered blocking state
[ 76.706457][ T4076] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 76.710431][ T23] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 76.710883][ T23] bridge0: port 2(bridge_slave_1) entered blocking state
[ 76.710938][ T23] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 76.724292][ T2730] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 76.725118][ T2730] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 76.734536][ T23] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 76.739379][ T4076] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 76.746130][ T2730] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 76.754012][ T4069] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 76.766013][ T2730] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 76.766111][ T2730] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 76.777193][ T4069] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 77.150002][ T2730] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 77.156303][ T6] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 77.156768][ T6] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 77.157091][ T6] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 77.159432][ T4069] device veth0_vlan entered promiscuous mode
[ 77.165343][ T4069] device veth1_vlan entered promiscuous mode
[ 77.182749][ T14] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan0: link becomes ready
[ 77.183226][ T14] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan1: link becomes ready
[ 77.183889][ T14] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 77.186880][ T4069] device veth0_macvtap entered promiscuous mode
[ 77.191064][ T4069] device veth1_macvtap entered promiscuous mode
[ 77.204172][ T4069] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 77.204259][ T6] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 77.213637][ T6] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready
[ 77.218587][ T4069] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 77.227486][ T14] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 77.308594][ T1087] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[ 77.308613][ T1087] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50
[ 77.311792][ T4076] IPv6: ADDRCONF(NETDEV_CHANGE): wlan0: link becomes ready
[ 77.335914][ T42] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[ 77.335938][ T42] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50
[ 77.337846][ T6] IPv6: ADDRCONF(NETDEV_CHANGE): wlan1: link becomes ready
[ 78.212949][ T4090] ==================================================================
[ 78.212957][ T4090] BUG: KASAN: use-after-free in userfaultfd_release+0x651/0x670
[ 78.212976][ T4090] Write of size 8 at addr ffff8880781dfe78 by task syz-executor.0/4090
[ 78.212994][ T4090]
[ 78.212997][ T4090] CPU: 0 PID: 4090 Comm: syz-executor.0 Not tainted 5.19.0-rc1-next-20220610-syzkaller-dirty #0
[ 78.213011][ T4090] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 78.213018][ T4090] Call Trace:
[ 78.213022][ T4090]
[ 78.213026][ T4090] dump_stack_lvl+0xcd/0x134
[ 78.213041][ T4090] print_address_description.constprop.0.cold+0xeb/0x495
[ 78.213056][ T4090] ? userfaultfd_release+0x651/0x670
[ 78.213067][ T4090] kasan_report.cold+0xf4/0x1c6
[ 78.213079][ T4090] ? userfaultfd_release+0x651/0x670
[ 78.213091][ T4090] userfaultfd_release+0x651/0x670
[ 78.213112][ T4090] ? userfaultfd_event_wait_completion+0xbd0/0xbd0
[ 78.213139][ T4090] ? ima_file_free+0xb6/0x410
[ 78.213165][ T4090] __fput+0x277/0x9d0
[ 78.213187][ T4090] ? userfaultfd_event_wait_completion+0xbd0/0xbd0
[ 78.213210][ T4090] task_work_run+0xdd/0x1a0
[ 78.213230][ T4090] get_signal+0x1c5/0x2600
[ 78.213244][ T4090] ? find_held_lock+0x2d/0x110
[ 78.213262][ T4090] ? exit_signals+0x8b0/0x8b0
[ 78.213274][ T4090] ? userfaultfd_release+0x670/0x670
[ 78.213285][ T4090] ? lock_downgrade+0x6e0/0x6e0
[ 78.213297][ T4090] arch_do_signal_or_restart+0x82/0x2300
[ 78.213317][ T4090] ? wake_up_q+0xf0/0xf0
[ 78.213331][ T4090] ? get_sigframe_size+0x10/0x10
[ 78.213348][ T4090] ? kick_process+0xf2/0x190
[ 78.213365][ T4090] ? task_work_add+0xa4/0x1f0
[ 78.213382][ T4090] ? fput+0xf2/0x190
[ 78.213395][ T4090] ? exit_to_user_mode_prepare+0x137/0x250
[ 78.213409][ T4090] exit_to_user_mode_prepare+0x15f/0x250
[ 78.213421][ T4090] syscall_exit_to_user_mode+0x19/0x50
[ 78.213435][ T4090] do_syscall_64+0x42/0xb0
[ 78.213450][ T4090] entry_SYSCALL_64_after_hwframe+0x46/0xb0
[ 78.213465][ T4090] RIP: 0033:0x7f734c489109
[ 78.213475][ T4090] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
[ 78.213487][ T4090] RSP: 002b:00007f734d629168 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
[ 78.213499][ T4090] RAX: fffffffffffffe00 RBX: 00007f734c59bf60 RCX: 00007f734c489109
[ 78.213508][ T4090] RDX: 000000000000003c RSI: 0000000020000180 RDI: 0000000000000003
[ 78.213515][ T4090] RBP: 00007f734d6291d0 R08: 0000000000000000 R09: 0000000000000000
[ 78.213523][ T4090] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001
[ 78.213530][ T4090] R13: 00007ffcee01460f R14: 00007f734d629300 R15: 0000000000022000
[ 78.213542][ T4090]
[ 78.213545][ T4090]
[ 78.213547][ T4090] Allocated by task 4069:
[ 78.213552][ T4090] kasan_save_stack+0x1e/0x40
[ 78.213564][ T4090] __kasan_slab_alloc+0x90/0xc0
[ 78.213575][ T4090] kmem_cache_alloc+0x204/0x3b0
[ 78.213593][ T4090] vm_area_dup+0x81/0x380
[ 78.213605][ T4090] dup_mmap+0x656/0x1090
[ 78.213617][ T4090] dup_mm+0x91/0x370
[ 78.213628][ T4090] copy_process+0x3c95/0x7080
[ 78.213641][ T4090] kernel_clone+0xe7/0xab0
[ 78.213653][ T4090] __do_sys_clone+0xba/0x100
[ 78.213665][ T4090] do_syscall_64+0x35/0xb0
[ 78.213679][ T4090] entry_SYSCALL_64_after_hwframe+0x46/0xb0
[ 78.213691][ T4090]
[ 78.213693][ T4090] Freed by task 4090:
[ 78.213697][ T4090] kasan_save_stack+0x1e/0x40
[ 78.213708][ T4090] kasan_set_track+0x21/0x30
[ 78.213718][ T4090] kasan_set_free_info+0x20/0x30
[ 78.213730][ T4090] ____kasan_slab_free+0x166/0x1a0
[ 78.213741][ T4090] slab_free_freelist_hook+0x8b/0x1c0
[ 78.213757][ T4090] kmem_cache_free+0xdd/0x5a0
[ 78.213766][ T4090] __vma_adjust+0x9ae/0x1910
[ 78.213778][ T4090] vma_merge+0x590/0x870
[ 78.213788][ T4090] userfaultfd_release+0x4c5/0x670
[ 78.213798][ T4090] __fput+0x277/0x9d0
[ 78.213808][ T4090] task_work_run+0xdd/0x1a0
[ 78.213823][ T4090] get_signal+0x1c5/0x2600
[ 78.213833][ T4090] arch_do_signal_or_restart+0x82/0x2300
[ 78.213851][ T4090] exit_to_user_mode_prepare+0x15f/0x250
[ 78.213862][ T4090] syscall_exit_to_user_mode+0x19/0x50
[ 78.213872][ T4090] do_syscall_64+0x42/0xb0
[ 78.213885][ T4090] entry_SYSCALL_64_after_hwframe+0x46/0xb0
[ 78.213898][ T4090]
[ 78.213900][ T4090] The buggy address belongs to the object at ffff8880781dfe58
[ 78.213900][ T4090] which belongs to the cache vm_area_struct of size 152
[ 78.213908][ T4090] The buggy address is located 32 bytes inside of
[ 78.213908][ T4090] 152-byte region [ffff8880781dfe58, ffff8880781dfef0)
[ 78.213919][ T4090]
[ 78.213921][ T4090] The buggy address belongs to the physical page:
[ 78.213926][ T4090] page:ffffea0001e077c0 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x781df
[ 78.213938][ T4090] memcg:ffff88801e8b2f01
[ 78.213942][ T4090] flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff)
[ 78.213959][ T4090] raw: 00fff00000000200 ffffea0000973500 dead000000000007 ffff888140006b40
[ 78.213970][ T4090] raw: 0000000000000000 0000000000120012 00000001ffffffff ffff88801e8b2f01
[ 78.213975][ T4090] page dumped because: kasan: bad access detected
[ 78.213980][ T4090] page_owner tracks the page as allocated
[ 78.213983][ T4090] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x112cc0(GFP_USER|__GFP_NOWARN|__GFP_NORETRY), pid 3812, tgid 3812 (sed), ts 62101588097, free_ts 62100288733
[ 78.214009][ T4090] get_page_from_freelist+0xa64/0x3d10
[ 78.214024][ T4090] __alloc_pages+0x1c7/0x510
[ 78.214036][ T4090] alloc_pages+0x1aa/0x310
[ 78.214046][ T4090] allocate_slab+0x26c/0x3c0
[ 78.214062][ T4090] ___slab_alloc+0x985/0xd90
[ 78.214078][ T4090] __slab_alloc.constprop.0+0x4d/0xa0
[ 78.214095][ T4090] kmem_cache_alloc+0x360/0x3b0
[ 78.214112][ T4090] vm_area_alloc+0x1c/0xf0
[ 78.214124][ T4090] __install_special_mapping+0x2e/0x3a0
[ 78.214137][ T4090] map_vdso+0x131/0x390
[ 78.214152][ T4090] load_elf_binary+0x206e/0x4ec0
[ 78.214167][ T4090] bprm_execve+0x7ef/0x1970
[ 78.214184][ T4090] do_execveat_common+0x724/0x890
[ 78.214202][ T4090] __x64_sys_execve+0x8f/0xc0
[ 78.214226][ T4090] do_syscall_64+0x35/0xb0
[ 78.214248][ T4090] entry_SYSCALL_64_after_hwframe+0x46/0xb0
[ 78.214269][ T4090] page last free stack trace:
[ 78.214274][ T4090] free_pcp_prepare+0x549/0xd20
[ 78.214294][ T4090] free_unref_page_list+0x184/0x1530
[ 78.214322][ T4090] release_pages+0xff1/0x2290
[ 78.214339][ T4090] tlb_batch_pages_flush+0xa8/0x1a0
[ 78.214352][ T4090] tlb_finish_mmu+0x147/0x7e0
[ 78.214365][ T4090] exit_mmap+0x217/0x750
[ 78.214376][ T4090] __mmput+0x128/0x4c0
[ 78.214387][ T4090] mmput+0x5c/0x70
[ 78.214397][ T4090] begin_new_exec+0xfbd/0x2e50
[ 78.214407][ T4090] load_elf_binary+0x15a3/0x4ec0
[ 78.214421][ T4090] bprm_execve+0x7ef/0x1970
[ 78.214437][ T4090] do_execveat_common+0x724/0x890
[ 78.214455][ T4090] __x64_sys_execve+0x8f/0xc0
[ 78.214464][ T4090] do_syscall_64+0x35/0xb0
[ 78.214478][ T4090] entry_SYSCALL_64_after_hwframe+0x46/0xb0
[ 78.214491][ T4090]
[ 78.214492][ T4090] Memory state around the buggy address:
[ 78.214497][ T4090] ffff8880781dfd00: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
[ 78.214505][ T4090] ffff8880781dfd80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 78.214513][ T4090] >ffff8880781dfe00: 00 00 00 fc fc fc fc fc fc fc fc fa fb fb fb fb
[ 78.214518][ T4090] ^
[ 78.214524][ T4090] ffff8880781dfe80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc
[ 78.214531][ T4090] ffff8880781dff00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 78.214537][ T4090] ==================================================================
[ 78.214542][ T4090] Kernel panic - not syncing: panic_on_warn set ...
[ 78.260931][ T4076] Bluetooth: hci0: command 0x0409 tx timeout
[ 78.962615][ T4090] CPU: 0 PID: 4090 Comm: syz-executor.0 Not tainted 5.19.0-rc1-next-20220610-syzkaller-dirty #0
[ 78.973020][ T4090] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 78.983060][ T4090] Call Trace:
[ 78.986325][ T4090]
[ 78.989242][ T4090] dump_stack_lvl+0xcd/0x134
[ 78.993829][ T4090] panic+0x2d7/0x636
[ 78.997724][ T4090] ? panic_print_sys_info.part.0+0x10b/0x10b
[ 79.003697][ T4090] ? mark_held_locks+0x9f/0xe0
[ 79.008535][ T4090] ? userfaultfd_release+0x651/0x670
[ 79.013851][ T4090] ? userfaultfd_release+0x651/0x670
[ 79.019311][ T4090] end_report.part.0+0x3f/0x7c
[ 79.024064][ T4090] kasan_report.cold+0x93/0x1c6
[ 79.028920][ T4090] ? userfaultfd_release+0x651/0x670
[ 79.034193][ T4090] userfaultfd_release+0x651/0x670
[ 79.039290][ T4090] ? userfaultfd_event_wait_completion+0xbd0/0xbd0
[ 79.045789][ T4090] ? ima_file_free+0xb6/0x410
[ 79.050475][ T4090] __fput+0x277/0x9d0
[ 79.054444][ T4090] ? userfaultfd_event_wait_completion+0xbd0/0xbd0
[ 79.060933][ T4090] task_work_run+0xdd/0x1a0
[ 79.065431][ T4090] get_signal+0x1c5/0x2600
[ 79.069835][ T4090] ? find_held_lock+0x2d/0x110
[ 79.074591][ T4090] ? exit_signals+0x8b0/0x8b0
[ 79.079254][ T4090] ? userfaultfd_release+0x670/0x670
[ 79.084524][ T4090] ? lock_downgrade+0x6e0/0x6e0
[ 79.089448][ T4090] arch_do_signal_or_restart+0x82/0x2300
[ 79.095160][ T4090] ? wake_up_q+0xf0/0xf0
[ 79.099389][ T4090] ? get_sigframe_size+0x10/0x10
[ 79.104320][ T4090] ? kick_process+0xf2/0x190
[ 79.108897][ T4090] ? task_work_add+0xa4/0x1f0
[ 79.113598][ T4090] ? fput+0xf2/0x190
[ 79.117493][ T4090] ? exit_to_user_mode_prepare+0x137/0x250
[ 79.123294][ T4090] exit_to_user_mode_prepare+0x15f/0x250
[ 79.128935][ T4090] syscall_exit_to_user_mode+0x19/0x50
[ 79.134736][ T4090] do_syscall_64+0x42/0xb0
[ 79.139155][ T4090] entry_SYSCALL_64_after_hwframe+0x46/0xb0
[ 79.145050][ T4090] RIP: 0033:0x7f734c489109
[ 79.149449][ T4090] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
[ 79.169045][ T4090] RSP: 002b:00007f734d629168 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
[ 79.177444][ T4090] RAX: fffffffffffffe00 RBX: 00007f734c59bf60 RCX: 00007f734c489109
[ 79.185402][ T4090] RDX: 000000000000003c RSI: 0000000020000180 RDI: 0000000000000003
[ 79.193368][ T4090] RBP: 00007f734d6291d0 R08: 0000000000000000 R09: 0000000000000000
[ 79.201333][ T4090] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001
[ 79.209311][ T4090] R13: 00007ffcee01460f R14: 00007f734d629300 R15: 0000000000022000
[ 79.217275][ T4090]
[ 79.220482][ T4090] Kernel Offset: disabled
[ 79.224798][ T4090] Rebooting in 86400 seconds..