Warning: Permanently added '10.128.0.46' (ECDSA) to the list of known hosts.
syzkaller login: [ 39.464881] audit: type=1400 audit(1591680239.262:8): avc: denied { execmem } for pid=6408 comm="syz-executor421" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=1
[ 39.490232] IPVS: ftp: loaded support on port[0] = 21
[ 39.564763] chnl_net:caif_netlink_parms(): no params data found
[ 39.665218] bridge0: port 1(bridge_slave_0) entered blocking state
[ 39.671819] bridge0: port 1(bridge_slave_0) entered disabled state
[ 39.679813] device bridge_slave_0 entered promiscuous mode
[ 39.687719] bridge0: port 2(bridge_slave_1) entered blocking state
[ 39.694108] bridge0: port 2(bridge_slave_1) entered disabled state
[ 39.702634] device bridge_slave_1 entered promiscuous mode
[ 39.720349] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 39.729452] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 39.748543] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 39.756957] team0: Port device team_slave_0 added
[ 39.762644] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 39.770763] team0: Port device team_slave_1 added
[ 39.787247] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 39.793501] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 39.819775] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[ 39.831917] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 39.839543] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 39.865748] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[ 39.877020] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[ 39.884515] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[ 39.938489] device hsr_slave_0 entered promiscuous mode
[ 39.976214] device hsr_slave_1 entered promiscuous mode
[ 40.016607] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready
[ 40.023761] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_1: link is not ready
[ 40.095158] bridge0: port 2(bridge_slave_1) entered blocking state
[ 40.101689] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 40.108740] bridge0: port 1(bridge_slave_0) entered blocking state
[ 40.115130] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 40.149869] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[ 40.156575] 8021q: adding VLAN 0 to HW filter on device bond0
[ 40.164781] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 40.175453] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 40.186404] bridge0: port 1(bridge_slave_0) entered disabled state
[ 40.193656] bridge0: port 2(bridge_slave_1) entered disabled state
[ 40.201626] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 40.212975] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready
[ 40.219608] 8021q: adding VLAN 0 to HW filter on device team0
[ 40.229605] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 40.237870] bridge0: port 1(bridge_slave_0) entered blocking state
[ 40.244230] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 40.267280] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 40.275032] bridge0: port 2(bridge_slave_1) entered blocking state
[ 40.281480] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 40.288917] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 40.297011] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 40.304742] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 40.312596] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 40.320962] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 40.330180] IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready
[ 40.336419] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 40.352717] IPv6: ADDRCONF(NETDEV_UP): vxcan0: link is not ready
[ 40.360329] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 40.368573] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 40.380621] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 40.394518] IPv6: ADDRCONF(NETDEV_UP): veth0_virt_wifi: link is not ready
[ 40.404786] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 40.436382] IPv6: ADDRCONF(NETDEV_UP): veth0_vlan: link is not ready
[ 40.443422] IPv6: ADDRCONF(NETDEV_UP): vlan0: link is not ready
[ 40.451332] IPv6: ADDRCONF(NETDEV_UP): vlan1: link is not ready
[ 40.461394] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 40.469673] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 40.477973] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 40.487975] device veth0_vlan entered promiscuous mode
[ 40.498816] device veth1_vlan entered promiscuous mode
[ 40.504753] IPv6: ADDRCONF(NETDEV_UP): macvlan0: link is not ready
[ 40.515152] IPv6: ADDRCONF(NETDEV_UP): macvlan1: link is not ready
[ 40.536102] IPv6: ADDRCONF(NETDEV_UP): veth0_macvtap: link is not ready
[ 40.546927] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan0: link becomes ready
[ 40.554089] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan1: link becomes ready
[ 40.562491] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 40.572113] device veth0_macvtap entered promiscuous mode
[ 40.582049] device veth1_macvtap entered promiscuous mode
[ 40.591925] IPv6: ADDRCONF(NETDEV_UP): veth0_to_batadv: link is not ready
[ 40.601513] IPv6: ADDRCONF(NETDEV_UP): veth1_to_batadv: link is not ready
[ 40.611761] IPv6: ADDRCONF(NETDEV_UP): batadv_slave_0: link is not ready
[ 40.619308] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 40.626819] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready
[ 40.634674] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 40.646109] IPv6: ADDRCONF(NETDEV_UP): batadv_slave_1: link is not ready
[ 40.652992] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 40.661433] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready
[ 40.670047] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
executing program
[ 40.835579] kasan: CONFIG_KASAN_INLINE enabled
[ 40.840400] kasan: GPF could be caused by NULL-ptr deref or user memory access
[ 40.847831] general protection fault: 0000 [#1] PREEMPT SMP KASAN
[ 40.854091] CPU: 1 PID: 6634 Comm: syz-executor421 Not tainted 4.19.127-syzkaller #0
[ 40.861963] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 40.871329] RIP: 0010:xfrmi_decode_session+0x14a/0x780
[ 40.876596] Code: 7c dc 10 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 f4 05 00 00 48 b8 00 00 00 00 00 fc ff df 49 8b 5c dc 10 48 89 da 48 c1 ea 03 <80> 3c 02 00 0f 85 c7 05 00 00 4c 8b 23 e8 44 58 31 fb e8 cf a8 42
[ 40.895496] RSP: 0018:ffff888080a2eff8 EFLAGS: 00010246
[ 40.900838] RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffffff8624e667
[ 40.908100] RDX: 0000000000000000 RSI: ffffffff8624e164 RDI: ffff88809e959788
[ 40.915349] RBP: 0000000000000039 R08: ffff888089380500 R09: ffffed1015ce473b
[ 40.922613] R10: ffffed1015ce473a R11: ffff8880ae7239d3 R12: ffff88809e959780
[ 40.929867] R13: 000000000000003f R14: ffff888084d706c0 R15: 0000000000000000
[ 40.937157] FS: 00007f9720e50700(0000) GS:ffff8880ae700000(0000) knlGS:0000000000000000
[ 40.945386] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 40.951255] CR2: 00007f9720e4fe78 CR3: 00000000a0861000 CR4: 00000000001406e0
[ 40.958502] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 40.965762] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 40.973011] Call Trace:
[ 40.975584] __xfrm_policy_check+0x1eb/0x2310
[ 40.980131] ? vti6_tnl_lookup+0x287/0x1020
[ 40.984439] ? __xfrm_route_forward+0x790/0x790
[ 40.989097] ? lock_downgrade+0x740/0x740
[ 40.993283] ? lock_acquire+0x170/0x3c0
[ 40.997613] ? check_preemption_disabled+0x41/0x280
[ 41.002614] ? vti6_tnl_lookup+0x69a/0x1020
[ 41.006929] ? check_preemption_disabled+0x41/0x280
[ 41.011938] ? vti6_dev_free+0x40/0x40
[ 41.015810] ? lock_acquire+0x170/0x3c0
[ 41.019773] ? vti6_rcv+0x70/0x900
[ 41.023305] ? check_preemption_disabled+0x41/0x280
[ 41.028310] vti6_rcv+0x4f3/0x900
[ 41.031843] xfrm6_esp_rcv+0xc8/0x220
[ 41.035655] ip6_input_finish+0x46f/0x1790
[ 41.039893] ? check_preemption_disabled+0x41/0x280
[ 41.044895] ip6_input+0xcf/0x3c0
[ 41.048330] ? ip6_input_finish+0x1790/0x1790
[ 41.052807] ? check_preemption_disabled+0x41/0x280
[ 41.059889] ? ip6_sublist_rcv_finish+0x2c0/0x2c0
[ 41.064723] ? ipv6_chk_mcast_addr+0x150/0x6c0
[ 41.069294] ip6_mc_input+0x403/0xa88
[ 41.073608] ? ipv6_list_rcv+0x460/0x460
[ 41.077664] ip6_rcv_finish+0x1d9/0x2f0
[ 41.081629] ipv6_rcv+0x101/0x400
[ 41.085097] ? ip6_rcv_core.isra.0+0x1b70/0x1b70
[ 41.089833] ? xfrm_state_lookup+0x105/0x1b0
[ 41.094233] ? ip6_rcv_finish_core.isra.0+0x550/0x550
[ 41.099413] ? netif_receive_skb_internal+0x203/0x400
[ 41.104594] ? ip6_rcv_core.isra.0+0x1b70/0x1b70
[ 41.109346] __netif_receive_skb_one_core+0x114/0x180
[ 41.114531] ? __netif_receive_skb_core+0x3640/0x3640
[ 41.121814] ? mark_held_locks+0xa6/0xf0
[ 41.125856] ? lock_acquire+0x170/0x3c0
[ 41.129810] ? netif_receive_skb_internal+0x77/0x400
[ 41.135168] ? check_preemption_disabled+0x41/0x280
[ 41.140162] __netif_receive_skb+0x27/0x1c0
[ 41.144475] netif_receive_skb_internal+0xf9/0x400
[ 41.149403] ? __netif_receive_skb+0x1c0/0x1c0
[ 41.153981] ? eth_get_headlen+0x1b0/0x1b0
[ 41.158225] ? check_preemption_disabled+0x41/0x280
[ 41.163296] napi_gro_frags+0x6cc/0xa00
[ 41.167372] tun_get_user+0x2b1e/0x4a30
[ 41.171349] ? tun_rx_batched.isra.0+0x760/0x760
[ 41.176102] ? tun_get+0x16d/0x290
[ 41.179642] ? lock_downgrade+0x740/0x740
[ 41.183779] ? lock_acquire+0x170/0x3c0
[ 41.187733] ? check_preemption_disabled+0x41/0x280
[ 41.192730] tun_chr_write_iter+0xb0/0x150
[ 41.196953] __vfs_write+0x512/0x760
[ 41.200648] ? kernel_read+0x110/0x110
[ 41.204528] ? lock_acquire+0x170/0x3c0
[ 41.208504] __kernel_write+0x109/0x370
[ 41.212463] write_pipe_buf+0x153/0x1e0
[ 41.216445] ? default_file_splice_read+0x970/0x970
[ 41.221455] ? splice_from_pipe_next.part.0+0x24f/0x2f0
[ 41.226836] __splice_from_pipe+0x38f/0x7a0
[ 41.231156] ? default_file_splice_read+0x970/0x970
[ 41.236167] ? default_file_splice_read+0x970/0x970
[ 41.241161] splice_from_pipe+0xd9/0x140
[ 41.245201] ? splice_shrink_spd+0xc0/0xc0
[ 41.249420] ? security_file_permission+0x84/0x220
[ 41.254339] default_file_splice_write+0x37/0x90
[ 41.259089] ? generic_splice_sendpage+0x40/0x40
[ 41.263826] __se_sys_splice+0xf18/0x1560
[ 41.267972] ? lock_downgrade+0x740/0x740
[ 41.272116] ? ret_from_fork+0x8/0x30
[ 41.275908] ? opipe_prep.part.0+0x2c0/0x2c0
[ 41.280306] ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 41.285051] ? trace_hardirqs_off_caller+0x69/0x210
[ 41.290173] ? do_syscall_64+0x21/0x620
[ 41.294279] do_syscall_64+0xf9/0x620
[ 41.298128] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 41.303301] RIP: 0033:0x448c89
[ 41.306482] Code: e8 cc 14 03 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 ab 0e fc ff c3 66 2e 0f 1f 84 00 00 00 00
[ 41.325385] RSP: 002b:00007f9720e4fd98 EFLAGS: 00000246 ORIG_RAX: 0000000000000113
[ 41.333078] RAX: ffffffffffffffda RBX: 00000000006dec78 RCX: 0000000000448c89
[ 41.340326] RDX: 0000000000000005 RSI: 0000000000000000 RDI: 0000000000000003
[ 41.347574] RBP: 00000000006dec70 R08: 0000000000018100 R09: 0000000000000000
[ 41.354822] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dec7c
[ 41.362080] R13: 0000000000003172 R14: 656c6c616b7a7973 R15: 00000000006dec7c
[ 41.369344] Modules linked in:
[ 41.372573] ---[ end trace 5b860cf3b7bd9b27 ]---
[ 41.377361] RIP: 0010:xfrmi_decode_session+0x14a/0x780
[ 41.382642] Code: 7c dc 10 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 f4 05 00 00 48 b8 00 00 00 00 00 fc ff df 49 8b 5c dc 10 48 89 da 48 c1 ea 03 <80> 3c 02 00 0f 85 c7 05 00 00 4c 8b 23 e8 44 58 31 fb e8 cf a8 42
[ 41.401854] RSP: 0018:ffff888080a2eff8 EFLAGS: 00010246
[ 41.407276] RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffffff8624e667
[ 41.414579] RDX: 0000000000000000 RSI: ffffffff8624e164 RDI: ffff88809e959788
[ 41.422048] RBP: 0000000000000039 R08: ffff888089380500 R09: ffffed1015ce473b
[ 41.429334] R10: ffffed1015ce473a R11: ffff8880ae7239d3 R12: ffff88809e959780
[ 41.436645] R13: 000000000000003f R14: ffff888084d706c0 R15: 0000000000000000
[ 41.443910] FS: 00007f9720e50700(0000) GS:ffff8880ae700000(0000) knlGS:0000000000000000
[ 41.452236] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 41.458144] CR2: 00007f9720e4fe78 CR3: 00000000a0861000 CR4: 00000000001406e0
[ 41.465443] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 41.472713] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 41.480004] Kernel panic - not syncing: Fatal exception in interrupt
[ 41.487808] Kernel Offset: disabled
[ 41.491441] Rebooting in 86400 seconds..