[ 405.876660] batman_adv: batadv0: Interface deactivated: batadv_slave_0
[ 405.884092] batman_adv: batadv0: Removing interface: batadv_slave_0
[ 405.892530] batman_adv: batadv0: Interface deactivated: batadv_slave_1
[ 405.899213] batman_adv: batadv0: Removing interface: batadv_slave_1
[ 405.907602] device bridge_slave_1 left promiscuous mode
[ 405.913451] bridge0: port 2(bridge_slave_1) entered disabled state
[ 405.920673] device bridge_slave_0 left promiscuous mode
[ 405.926099] bridge0: port 1(bridge_slave_0) entered disabled state
[ 405.934135] device veth1_macvtap left promiscuous mode
[ 405.939511] device veth0_macvtap left promiscuous mode
[ 405.944960] device veth1_vlan left promiscuous mode
[ 405.950010] device veth0_vlan left promiscuous mode
[ 405.994858] device hsr_slave_1 left promiscuous mode
[ 406.003203] device hsr_slave_0 left promiscuous mode
[ 406.013429] team0 (unregistering): Port device team_slave_1 removed
[ 406.023298] team0 (unregistering): Port device team_slave_0 removed
[ 406.032325] bond0 (unregistering): Releasing backup interface bond_slave_1
[ 406.043737] bond0 (unregistering): Releasing backup interface bond_slave_0
[ 406.065082] bond0 (unregistering): Released all slaves
[ 407.566054] batman_adv: batadv0: Interface deactivated: batadv_slave_0
[ 407.573139] batman_adv: batadv0: Removing interface: batadv_slave_0
[ 407.580051] batman_adv: batadv0: Interface deactivated: batadv_slave_1
[ 407.586816] batman_adv: batadv0: Removing interface: batadv_slave_1
[ 407.593922] device bridge_slave_1 left promiscuous mode
[ 407.599301] bridge0: port 2(bridge_slave_1) entered disabled state
[ 407.606524] device bridge_slave_0 left promiscuous mode
[ 407.612080] bridge0: port 1(bridge_slave_0) entered disabled state
[ 407.621537] batman_adv: batadv0: Interface deactivated: batadv_slave_0
[ 407.629180] batman_adv: batadv0: Removing interface: batadv_slave_0
[ 407.636789] batman_adv: batadv0: Interface deactivated: batadv_slave_1
[ 407.644241] batman_adv: batadv0: Removing interface: batadv_slave_1
[ 407.651807] device bridge_slave_1 left promiscuous mode
[ 407.657243] bridge0: port 2(bridge_slave_1) entered disabled state
[ 407.664153] device bridge_slave_0 left promiscuous mode
[ 407.669527] bridge0: port 1(bridge_slave_0) entered disabled state
[ 407.678101] batman_adv: batadv0: Interface deactivated: batadv_slave_0
[ 407.685148] batman_adv: batadv0: Removing interface: batadv_slave_0
[ 407.692886] batman_adv: batadv0: Interface deactivated: batadv_slave_1
[ 407.699603] batman_adv: batadv0: Removing interface: batadv_slave_1
[ 407.707594] device bridge_slave_1 left promiscuous mode
[ 407.713107] bridge0: port 2(bridge_slave_1) entered disabled state
[ 407.720028] device bridge_slave_0 left promiscuous mode
[ 407.725599] bridge0: port 1(bridge_slave_0) entered disabled state
[ 407.733643] batman_adv: batadv0: Interface deactivated: batadv_slave_0
[ 407.740524] batman_adv: batadv0: Removing interface: batadv_slave_0
[ 407.747602] batman_adv: batadv0: Interface deactivated: batadv_slave_1
[ 407.754341] batman_adv: batadv0: Removing interface: batadv_slave_1
[ 407.761334] device bridge_slave_1 left promiscuous mode
[ 407.766720] bridge0: port 2(bridge_slave_1) entered disabled state
[ 407.773844] device bridge_slave_0 left promiscuous mode
[ 407.779244] bridge0: port 1(bridge_slave_0) entered disabled state
[ 407.787406] batman_adv: batadv0: Interface deactivated: batadv_slave_0
[ 407.794345] batman_adv: batadv0: Removing interface: batadv_slave_0
[ 407.801843] ==================================================================
[ 407.809557] BUG: KASAN: use-after-free in batadv_iv_ogm_queue_add+0x327/0xf00
[ 407.816980] Read of size 60 at addr ffff8880b3ad6660 by task kworker/u4:1/21
[ 407.825108]
[ 407.826710] CPU: 1 PID: 21 Comm: kworker/u4:1 Not tainted 4.20.0-rc4-syzkaller #0
[ 407.834318] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 407.843752] Workqueue: bat_events batadv_iv_send_outstanding_bat_ogm_packet
[ 407.850928] Call Trace:
[ 407.853487]  dump_stack+0x86/0xca
[ 407.856913]  print_address_description.cold.5+0x9/0x244
[ 407.862266]  kasan_report.cold.6+0x242/0x304
[ 407.866663]  ? batadv_iv_ogm_queue_add+0x327/0xf00
[ 407.871582]  check_memory_region+0x13c/0x1b0
[ 407.875962]  memcpy+0x23/0x50
[ 407.879057]  batadv_iv_ogm_queue_add+0x327/0xf00
[ 407.883804]  ? batadv_iv_ogm_iface_enable+0x370/0x370
[ 407.888982]  ? lock_acquire+0x111/0x2d0
[ 407.893120]  ? kasan_check_read+0x11/0x20
[ 407.897255]  batadv_iv_ogm_schedule+0xb47/0xe80
[ 407.901912]  ? batadv_iv_ogm_queue_add+0xf00/0xf00
[ 407.906834]  batadv_iv_send_outstanding_bat_ogm_packet+0x4a2/0x7a0
[ 407.913125]  ? rcu_lockdep_current_cpu_online+0xe5/0x130
[ 407.918547]  process_one_work+0x7b9/0x15a0
[ 407.922772]  ? pwq_dec_nr_in_flight+0x2c0/0x2c0
[ 407.927427]  ? lock_acquire+0x111/0x2d0
[ 407.931391]  ? _raw_spin_lock_irq+0xe/0x50
[ 407.935598]  worker_thread+0x85/0xb60
[ 407.939387]  ? __kthread_parkme+0x47/0x190
[ 407.943615]  kthread+0x324/0x3e0
[ 407.946951]  ? process_one_work+0x15a0/0x15a0
[ 407.951414]  ? kthread_park+0x120/0x120
[ 407.955358]  ret_from_fork+0x24/0x30
[ 407.959042]
[ 407.960640] Allocated by task 21:
[ 407.964063]  kasan_kmalloc.part.1+0x62/0xf0
[ 407.968373]  kasan_kmalloc+0xaf/0xc0
[ 407.972156]  __kmalloc+0x157/0x340
[ 407.975665]  batadv_tvlv_container_ogm_append+0x16f/0x4b0
[ 407.981192]  batadv_iv_ogm_schedule+0xc39/0xe80
[ 407.985830]  batadv_iv_send_outstanding_bat_ogm_packet+0x4a2/0x7a0
[ 407.992117]  process_one_work+0x7b9/0x15a0
[ 407.996422]  worker_thread+0x85/0xb60
[ 408.000211]  kthread+0x324/0x3e0
[ 408.003547]  ret_from_fork+0x24/0x30
[ 408.007247]
[ 408.008858] Freed by task 51:
[ 408.011936]  __kasan_slab_free+0x167/0x240
[ 408.016417]  kasan_slab_free+0xe/0x10
[ 408.020273]  kfree+0xf2/0x310
[ 408.023365]  batadv_iv_ogm_iface_disable+0x34/0x70
[ 408.028279]  batadv_hardif_disable_interface.cold.10+0x712/0x107a
[ 408.034496]  batadv_softif_destroy_netlink+0x94/0x100
[ 408.039671]  default_device_exit_batch+0x239/0x3d0
[ 408.044586]  ops_exit_list.isra.0+0xd3/0x120
[ 408.048962]  cleanup_net+0x363/0x840
[ 408.052645]  process_one_work+0x7b9/0x15a0
[ 408.056861]  worker_thread+0x85/0xb60
[ 408.060645]  kthread+0x324/0x3e0
[ 408.063997]  ret_from_fork+0x24/0x30
[ 408.067683]
[ 408.069298] The buggy address belongs to the object at ffff8880b3ad6660
[ 408.069298]  which belongs to the cache kmalloc-64 of size 64
[ 408.081819] The buggy address is located 0 bytes inside of
[ 408.081819]  64-byte region [ffff8880b3ad6660, ffff8880b3ad66a0)
[ 408.093423] The buggy address belongs to the page:
[ 408.098340] page:ffffea0002ceb580 count:1 mapcount:0 mapping:ffff88813ff35600 index:0xffff8880b3ad6300
[ 408.107771] flags: 0xfff00000000200(slab)
[ 408.111887] raw: 00fff00000000200 ffffea0002b2c440 0000000a0000000a ffff88813ff35600
[ 408.119735] raw: ffff8880b3ad6300 00000000802a001c 00000001ffffffff 0000000000000000
[ 408.127598] page dumped because: kasan: bad access detected
[ 408.133291]
[ 408.134888] Memory state around the buggy address:
[ 408.139784]  ffff8880b3ad6500: fb fb fb fb fc fc fc fc fb fb fb fb fb fb fb fb
[ 408.147287]  ffff8880b3ad6580: fc fc fc fc fb fb fb fb fb fb fb fb fc fc fc fc
[ 408.154630] >ffff8880b3ad6600: fb fb fb fb fb fb fb fb fc fc fc fc fb fb fb fb
[ 408.161977]                                                        ^
[ 408.168458]  ffff8880b3ad6680: fb fb fb fb fc fc fc fc fb fb fb fb fb fb fb fb
[ 408.175788]  ffff8880b3ad6700: fc fc fc fc fb fb fb fb fb fb fb fb fc fc fc fc
[ 408.183116] ==================================================================
[ 408.190455] Disabling lock debugging due to kernel taint
[ 408.196209] Kernel panic - not syncing: panic_on_warn set ...
[ 408.202075] CPU: 1 PID: 21 Comm: kworker/u4:1 Tainted: G B 4.20.0-rc4-syzkaller #0
[ 408.211338] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 408.220692] Workqueue: bat_events batadv_iv_send_outstanding_bat_ogm_packet
[ 408.227760] Call Trace:
[ 408.230322]  dump_stack+0x86/0xca
[ 408.233747]  panic+0x1e7/0x358
[ 408.236910]  ? __warn_printk+0xd6/0xd6
[ 408.240770]  ? ___preempt_schedule+0x16/0x18
[ 408.245153]  kasan_end_report+0x47/0x4f
[ 408.249098]  kasan_report.cold.6+0x76/0x304
[ 408.253414]  ? batadv_iv_ogm_queue_add+0x327/0xf00
[ 408.258336]  check_memory_region+0x13c/0x1b0
[ 408.262730]  memcpy+0x23/0x50
[ 408.265807]  batadv_iv_ogm_queue_add+0x327/0xf00
[ 408.270549]  ? batadv_iv_ogm_iface_enable+0x370/0x370
[ 408.275812]  ? lock_acquire+0x111/0x2d0
[ 408.279756]  ? kasan_check_read+0x11/0x20
[ 408.283887]  batadv_iv_ogm_schedule+0xb47/0xe80
[ 408.288524]  ? batadv_iv_ogm_queue_add+0xf00/0xf00
[ 408.293424]  batadv_iv_send_outstanding_bat_ogm_packet+0x4a2/0x7a0
[ 408.299712]  ? rcu_lockdep_current_cpu_online+0xe5/0x130
[ 408.305133]  process_one_work+0x7b9/0x15a0
[ 408.309512]  ? pwq_dec_nr_in_flight+0x2c0/0x2c0
[ 408.314252]  ? lock_acquire+0x111/0x2d0
[ 408.318197]  ? _raw_spin_lock_irq+0xe/0x50
[ 408.322663]  worker_thread+0x85/0xb60
[ 408.326609]  ? __kthread_parkme+0x47/0x190
[ 408.330830]  kthread+0x324/0x3e0
[ 408.334166]  ? process_one_work+0x15a0/0x15a0
[ 408.338628]  ? kthread_park+0x120/0x120
[ 408.342572]  ret_from_fork+0x24/0x30
[ 408.350227] Kernel Offset: disabled
[ 408.353884] Rebooting in 86400 seconds..