[....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[ 28.547580] sshd (5954) used greatest stack depth: 16232 bytes left [?25l[?1c7[ ok 8[?25h[?0c. [ 28.668814] kauditd_printk_skb: 7 callbacks suppressed [ 28.668827] audit: type=1800 audit(1544501414.736:29): pid=5850 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="rc.local" dev="sda1" ino=2432 res=0 [ 28.695457] audit: type=1800 audit(1544501414.736:30): pid=5850 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="rmnologin" dev="sda1" ino=2423 res=0 Debian GNU/Linux 7 syzkaller ttyS0 syzkaller login: [ 33.203455] sshd (5989) used greatest stack depth: 15744 bytes left Warning: Permanently added '10.128.0.25' (ECDSA) to the list of known hosts. 2018/12/11 04:10:25 fuzzer started 2018/12/11 04:10:28 dialing manager at 10.128.0.26:45045 2018/12/11 04:10:28 syscalls: 1 2018/12/11 04:10:28 code coverage: enabled 2018/12/11 04:10:28 comparison tracing: enabled 2018/12/11 04:10:28 setuid sandbox: enabled 2018/12/11 04:10:28 namespace sandbox: enabled 2018/12/11 04:10:28 Android sandbox: /sys/fs/selinux/policy does not exist 2018/12/11 04:10:28 fault injection: enabled 2018/12/11 04:10:28 leak checking: CONFIG_DEBUG_KMEMLEAK is not enabled 2018/12/11 04:10:28 net packet injection: enabled 2018/12/11 04:10:28 net device setup: enabled 04:11:46 executing program 0: r0 = socket$kcm(0x10, 0x2, 0x0) sendmsg$kcm(r0, &(0x7f0000000180)={0x0, 0x0, &(0x7f0000000000)=[{&(0x7f0000000040)="23000000210081ae00060c00f20e000081000000000000018001006fabeb264e7d06a4", 0x23}], 0x1}, 0x0) [ 120.495926] IPVS: ftp: loaded support on port[0] = 21 04:11:46 executing program 1: r0 = openat$cgroup_root(0xffffffffffffff9c, &(0x7f00000001c0)='./cgroup\x00', 0x200002, 0x0) r1 = openat$cgroup_int(r0, &(0x7f0000000140)='pids.max\x00', 0x2, 0x0) sendfile(r1, r1, 0x0, 0x9) [ 120.779756] IPVS: ftp: loaded support on port[0] = 21 04:11:47 executing program 2: syz_emit_ethernet(0x66, &(0x7f0000000300)={@local, @dev, [], {@ipv6={0x86dd, {0x0, 0x6, "c13208", 0x30, 0x2b, 0x0, @empty, @local, {[@routing={0x0, 0x4, 0x2, 0x2, 0x0, [@mcast1, @mcast2]}], @udp={0x0, 0x0, 0x8}}}}}}, 0x0) [ 121.080394] IPVS: ftp: loaded support on port[0] = 21 04:11:47 executing program 3: syz_emit_ethernet(0x10d, &(0x7f0000000300)={@local, @dev, [], {@ipv6={0x86dd, {0x0, 0x6, "c13208", 0xd7, 0x2b, 0x0, @empty, @local, {[], @udp={0x4e24, 0x4e21, 0xd7, 0x0, [@guehdr={0x1, 0xfa9, 0x5, 0x5}, @guehdr={0x2, 0x1, 0xffffffffffff1a7f, 0x6, 0x100, [0x0]}, @guehdr={0x1, 0x3, 0x4, 0x9, 0x100}, @guehdr={0x2, 0x8, 0x5, 0x4, 0x100, [0x80]}, @guehdr={0x1, 0x3, 0x2, 0x4, 0x100}, @guehdr={0x2, 0x7, 0x2, 0xffffffff, 0x100, [0x80]}], "a94d9fefca216370a4ef0c31f8eab088b9fda32076b991bee0da19cc3b76921a8502e62cfa7ae7a4109474cb7cc32242d3b7021e9857c59bd0c87dbb34345f5e11afcf69f0fa17faaf301f9f170d979177289cb5729ce8d083c9cd0c2884baedf5e5fa0136812eb2098214b74b824457bb100e45217a371a69160ec4d0c7e4adcdde74502baa83ed7908cce68f1ebfba18732e5b02cfa6d34eddcac6ac6de0a6f238cf349d80837f6cffe5"}}}}}}, 0x0) [ 121.659354] IPVS: ftp: loaded support on port[0] = 21 04:11:48 executing program 4: socketpair$unix(0x1, 0x5, 0x0, &(0x7f0000000000)={0xffffffffffffffff}) pipe(&(0x7f0000000240)={0xffffffffffffffff, 0xffffffffffffffff}) splice(r1, 0x0, r0, 0x0, 0x400000a77, 0x0) write$binfmt_elf64(r2, &(0x7f0000000000)=ANY=[], 0xfffffd88) vmsplice(r2, &(0x7f0000000400)=[{&(0x7f0000000080)='\a', 0x1}], 0x1, 0x0) [ 122.090480] bridge0: port 1(bridge_slave_0) entered blocking state [ 122.106522] bridge0: port 1(bridge_slave_0) entered disabled state [ 122.114096] device bridge_slave_0 entered promiscuous mode [ 122.117326] IPVS: ftp: loaded support on port[0] = 21 [ 122.290113] bridge0: port 2(bridge_slave_1) entered blocking state [ 122.302520] bridge0: port 2(bridge_slave_1) entered disabled state [ 122.315620] device bridge_slave_1 entered promiscuous mode 04:11:48 executing program 5: r0 = openat$cgroup_root(0xffffffffffffff9c, &(0x7f00000001c0)='./cgroup\x00', 0x200002, 0x0) r1 = openat$cgroup_int(r0, &(0x7f0000000140)='rdma.max\x00', 0x2, 0x0) pwrite64(r1, &(0x7f0000000000)="26d5f24510a9a9acac68a00120d5837d1a6dd7f4301ac0db65808964c3f61c882739b479d9815b6a0858908e923d", 0x2e, 0x0) [ 122.472196] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready [ 122.581986] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready [ 122.750907] IPVS: ftp: loaded support on port[0] = 21 [ 122.801755] bridge0: port 1(bridge_slave_0) entered blocking state [ 122.831762] bridge0: port 1(bridge_slave_0) entered disabled state [ 122.840461] device bridge_slave_0 entered promiscuous mode [ 122.986718] bridge0: port 2(bridge_slave_1) entered blocking state [ 122.993182] bridge0: port 2(bridge_slave_1) entered disabled state [ 123.034520] device bridge_slave_1 entered promiscuous mode [ 123.077770] bond0: Enslaving bond_slave_0 as an active interface with an up link [ 123.127084] bridge0: port 1(bridge_slave_0) entered blocking state [ 123.133965] bridge0: port 1(bridge_slave_0) entered disabled state [ 123.165533] device bridge_slave_0 entered promiscuous mode [ 123.220462] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready [ 123.242375] bond0: Enslaving bond_slave_1 as an active interface with an up link [ 123.337146] bridge0: port 2(bridge_slave_1) entered blocking state [ 123.343510] bridge0: port 2(bridge_slave_1) entered disabled state [ 123.355139] device bridge_slave_1 entered promiscuous mode [ 123.378178] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready [ 123.499124] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready [ 123.632374] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready [ 123.784751] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready [ 123.792491] team0: Port device team_slave_0 added [ 123.836032] bridge0: port 1(bridge_slave_0) entered blocking state [ 123.844634] bridge0: port 1(bridge_slave_0) entered disabled state [ 123.864065] device bridge_slave_0 entered promiscuous mode [ 123.937520] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready [ 123.954767] team0: Port device team_slave_1 added [ 123.963921] bond0: Enslaving bond_slave_0 as an active interface with an up link [ 124.005610] bond0: Enslaving bond_slave_0 as an active interface with an up link [ 124.034914] bridge0: port 2(bridge_slave_1) entered blocking state [ 124.041360] bridge0: port 2(bridge_slave_1) entered disabled state [ 124.064423] device bridge_slave_1 entered promiscuous mode [ 124.117964] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready [ 124.148859] bond0: Enslaving bond_slave_1 as an active interface with an up link [ 124.167234] bond0: Enslaving bond_slave_1 as an active interface with an up link [ 124.197031] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready [ 124.231648] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready [ 124.332651] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready [ 124.370546] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready [ 124.423606] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready [ 124.441549] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready [ 124.455497] bridge0: port 1(bridge_slave_0) entered blocking state [ 124.461854] bridge0: port 1(bridge_slave_0) entered disabled state [ 124.477833] device bridge_slave_0 entered promiscuous mode [ 124.526358] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready [ 124.533814] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready [ 124.553349] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready [ 124.563198] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready [ 124.585344] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bond: link becomes ready [ 124.608431] bridge0: port 2(bridge_slave_1) entered blocking state [ 124.624380] bridge0: port 2(bridge_slave_1) entered disabled state [ 124.631668] device bridge_slave_1 entered promiscuous mode [ 124.706491] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready [ 124.766024] bond0: Enslaving bond_slave_0 as an active interface with an up link [ 124.869130] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready [ 124.887089] bond0: Enslaving bond_slave_1 as an active interface with an up link [ 124.919984] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready [ 124.929993] team0: Port device team_slave_0 added [ 125.017871] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready [ 125.026593] team0: Port device team_slave_0 added [ 125.037476] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready [ 125.053791] team0: Port device team_slave_1 added [ 125.106780] bridge0: port 1(bridge_slave_0) entered blocking state [ 125.113462] bridge0: port 1(bridge_slave_0) entered disabled state [ 125.145383] device bridge_slave_0 entered promiscuous mode [ 125.156181] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready [ 125.163664] team0: Port device team_slave_1 added [ 125.185912] bond0: Enslaving bond_slave_0 as an active interface with an up link [ 125.203168] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready [ 125.247457] bridge0: port 2(bridge_slave_1) entered blocking state [ 125.253892] bridge0: port 2(bridge_slave_1) entered disabled state [ 125.273989] device bridge_slave_1 entered promiscuous mode [ 125.332157] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready [ 125.361326] bond0: Enslaving bond_slave_1 as an active interface with an up link [ 125.406437] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready [ 125.415317] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready [ 125.464574] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready [ 125.473646] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready [ 125.491741] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready [ 125.505923] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready [ 125.516999] IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready [ 125.540899] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bond: link becomes ready [ 125.557347] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_team: link becomes ready [ 125.585920] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready [ 125.613167] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready [ 125.629086] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready [ 125.638108] team0: Port device team_slave_0 added [ 125.652657] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready [ 125.667276] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready [ 125.686850] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready [ 125.705558] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready [ 125.715269] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready [ 125.737341] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready [ 125.754019] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready [ 125.780018] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready [ 125.789858] team0: Port device team_slave_1 added [ 125.796121] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bond: link becomes ready [ 125.824858] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready [ 125.832679] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready [ 125.845844] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready [ 125.919640] IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready [ 125.938158] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_team: link becomes ready [ 125.951801] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready [ 126.060024] bond0: Enslaving bond_slave_0 as an active interface with an up link [ 126.084836] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready [ 126.219934] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready [ 126.233253] bond0: Enslaving bond_slave_1 as an active interface with an up link [ 126.257612] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready [ 126.275445] team0: Port device team_slave_0 added [ 126.282681] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready [ 126.299726] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready [ 126.316546] bridge0: port 2(bridge_slave_1) entered blocking state [ 126.323030] bridge0: port 2(bridge_slave_1) entered forwarding state [ 126.330095] bridge0: port 1(bridge_slave_0) entered blocking state [ 126.336528] bridge0: port 1(bridge_slave_0) entered forwarding state [ 126.344122] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready [ 126.359958] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready [ 126.389457] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready [ 126.405367] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready [ 126.437709] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready [ 126.459940] team0: Port device team_slave_1 added [ 126.496443] IPv6: ADDRCONF(NETDEV_CHANGE): bridge0: link becomes ready [ 126.584721] IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready [ 126.604782] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_team: link becomes ready [ 126.617630] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready [ 126.736735] IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready [ 126.754722] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_team: link becomes ready [ 126.771674] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready [ 126.881901] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready [ 126.910677] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready [ 126.927232] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready [ 126.946081] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready [ 126.955329] team0: Port device team_slave_0 added [ 127.048972] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready [ 127.070094] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready [ 127.085387] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready [ 127.096936] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready [ 127.105193] team0: Port device team_slave_1 added [ 127.123280] bridge0: port 2(bridge_slave_1) entered blocking state [ 127.129693] bridge0: port 2(bridge_slave_1) entered forwarding state [ 127.136458] bridge0: port 1(bridge_slave_0) entered blocking state [ 127.142821] bridge0: port 1(bridge_slave_0) entered forwarding state [ 127.172782] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready [ 127.258484] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready [ 127.382113] bridge0: port 2(bridge_slave_1) entered blocking state [ 127.388542] bridge0: port 2(bridge_slave_1) entered forwarding state [ 127.395346] bridge0: port 1(bridge_slave_0) entered blocking state [ 127.401726] bridge0: port 1(bridge_slave_0) entered forwarding state [ 127.436795] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready [ 127.465045] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready [ 127.520138] IPv6: ADDRCONF(NETDEV_CHANGE): bridge0: link becomes ready [ 127.527736] IPv6: ADDRCONF(NETDEV_CHANGE): bridge0: link becomes ready [ 127.582165] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready [ 127.599645] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready [ 127.645390] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready [ 127.725897] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready [ 127.735762] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready [ 127.758492] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready [ 127.917289] bridge0: port 2(bridge_slave_1) entered blocking state [ 127.923696] bridge0: port 2(bridge_slave_1) entered forwarding state [ 127.930440] bridge0: port 1(bridge_slave_0) entered blocking state [ 127.936858] bridge0: port 1(bridge_slave_0) entered forwarding state [ 127.967929] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready [ 128.497733] bridge0: port 2(bridge_slave_1) entered blocking state [ 128.504170] bridge0: port 2(bridge_slave_1) entered forwarding state [ 128.510901] bridge0: port 1(bridge_slave_0) entered blocking state [ 128.517321] bridge0: port 1(bridge_slave_0) entered forwarding state [ 128.540312] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready [ 128.552263] IPv6: ADDRCONF(NETDEV_CHANGE): bridge0: link becomes ready [ 128.568155] IPv6: ADDRCONF(NETDEV_CHANGE): bridge0: link becomes ready [ 129.121963] bridge0: port 2(bridge_slave_1) entered blocking state [ 129.128388] bridge0: port 2(bridge_slave_1) entered forwarding state [ 129.135142] bridge0: port 1(bridge_slave_0) entered blocking state [ 129.141510] bridge0: port 1(bridge_slave_0) entered forwarding state [ 129.157794] IPv6: ADDRCONF(NETDEV_UP): bridge0: link is not ready [ 129.565770] IPv6: ADDRCONF(NETDEV_CHANGE): bridge0: link becomes ready [ 130.494802] ================================================================== [ 130.502312] BUG: KASAN: use-after-free in __list_add_valid+0x8f/0xac [ 130.508803] Read of size 8 at addr ffff8881b5c5d930 by task kworker/1:2/2937 [ 130.515981] [ 130.517618] CPU: 1 PID: 2937 Comm: kworker/1:2 Not tainted 4.20.0-rc6+ #337 [ 130.524721] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 130.534093] Workqueue: ipv6_addrconf addrconf_dad_work [ 130.539366] Call Trace: [ 130.541970] dump_stack+0x244/0x39d [ 130.545606] ? dump_stack_print_info.cold.1+0x20/0x20 [ 130.550792] ? printk+0xa7/0xcf [ 130.554076] ? kmsg_dump_rewind_nolock+0xe4/0xe4 [ 130.558842] print_address_description.cold.7+0x9/0x1ff [ 130.564207] kasan_report.cold.8+0x242/0x309 [ 130.568639] ? __list_add_valid+0x8f/0xac [ 130.572826] __asan_report_load8_noabort+0x14/0x20 [ 130.577761] __list_add_valid+0x8f/0xac [ 130.581739] ___neigh_create+0x14b7/0x2600 [ 130.585985] ? print_usage_bug+0xc0/0xc0 [ 130.590058] ? print_usage_bug+0xc0/0xc0 [ 130.594139] ? neigh_remove_one+0x5a0/0x5a0 [ 130.598469] ? ipv6_skip_exthdr+0x416/0x760 [ 130.602800] ? mark_held_locks+0x130/0x130 [ 130.607036] ? __lock_acquire+0x62f/0x4c20 [ 130.611267] ? ip_vs_in+0x2a8/0x29e0 [ 130.614983] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 130.620551] ? ip_vs_out+0x2a0/0x1d70 [ 130.624406] ? lock_acquire+0x1ed/0x520 [ 130.628383] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 130.633940] ? check_preemption_disabled+0x48/0x280 [ 130.638969] ? rcu_lockdep_current_cpu_online+0x1a4/0x210 [ 130.644521] ? rcu_pm_notify+0xc0/0xc0 [ 130.648412] __neigh_create+0x30/0x40 [ 130.652214] ip6_finish_output2+0xa64/0x2940 [ 130.656634] ? kthread+0x35a/0x440 [ 130.660179] ? ret_from_fork+0x3a/0x50 [ 130.664070] ? find_held_lock+0x36/0x1c0 [ 130.668131] ? ip6_forward_finish+0x560/0x560 [ 130.672635] ? ip6_mtu+0x39c/0x520 [ 130.676182] ? lock_downgrade+0x900/0x900 [ 130.680333] ? check_preemption_disabled+0x48/0x280 [ 130.685356] ? rcu_read_unlock_special+0x1c0/0x1c0 [ 130.690315] ? kasan_check_read+0x11/0x20 [ 130.694475] ? rcu_dynticks_curr_cpu_in_eqs+0xa2/0x170 [ 130.699771] ? rcu_softirq_qs+0x20/0x20 [ 130.703774] ? ip6_mtu+0x160/0x520 [ 130.707337] ? find_match+0x10a0/0x10a0 [ 130.711314] ? kasan_check_read+0x11/0x20 [ 130.715476] ? rcu_dynticks_curr_cpu_in_eqs+0xa2/0x170 [ 130.720775] ip6_finish_output+0x58c/0xc60 [ 130.725086] ? ip6_finish_output+0x58c/0xc60 [ 130.729499] ip6_output+0x232/0x9d0 [ 130.733127] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 130.738665] ? ip6_finish_output+0xc60/0xc60 [ 130.743077] ? ip6_fragment+0x38b0/0x38b0 [ 130.747235] ? __lock_is_held+0xb5/0x140 [ 130.751313] ndisc_send_skb+0x1005/0x1560 [ 130.755500] ? nf_hook.constprop.33+0x860/0x860 [ 130.760175] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 130.765714] ? refcount_sub_and_test_checked+0x203/0x310 [ 130.771200] ? refcount_inc_not_zero_checked+0x2f0/0x2f0 [ 130.776673] ? memset+0x31/0x40 [ 130.779978] ndisc_send_rs+0x134/0x6e0 [ 130.783882] addrconf_dad_completed+0x331/0xbf0 [ 130.788567] ? _raw_read_unlock_bh+0x30/0x40 [ 130.792979] ? addrconf_verify_work+0x20/0x20 [ 130.797526] ? addrconf_dad_work+0x866/0x1310 [ 130.802032] addrconf_dad_work+0x876/0x1310 [ 130.806373] ? addrconf_dad_work+0x876/0x1310 [ 130.810877] ? addrconf_ifdown+0x1650/0x1650 [ 130.815302] ? __lock_is_held+0xb5/0x140 [ 130.819393] process_one_work+0xc90/0x1c40 [ 130.823645] ? mark_held_locks+0x130/0x130 [ 130.827891] ? pwq_dec_nr_in_flight+0x4a0/0x4a0 [ 130.832558] ? __switch_to_asm+0x40/0x70 [ 130.836624] ? __switch_to_asm+0x34/0x70 [ 130.840684] ? __switch_to_asm+0x40/0x70 [ 130.844766] ? __switch_to_asm+0x34/0x70 [ 130.848827] ? __switch_to_asm+0x40/0x70 [ 130.852904] ? __switch_to_asm+0x34/0x70 [ 130.856965] ? __switch_to_asm+0x40/0x70 [ 130.861039] ? __switch_to_asm+0x34/0x70 [ 130.865101] ? __switch_to_asm+0x40/0x70 [ 130.869184] ? __schedule+0x8d7/0x21d0 [ 130.873087] ? lock_downgrade+0x900/0x900 [ 130.877252] ? zap_class+0x640/0x640 [ 130.880975] ? find_held_lock+0x36/0x1c0 [ 130.885060] ? lock_acquire+0x1ed/0x520 [ 130.889037] ? worker_thread+0x3e0/0x1390 [ 130.893192] ? kasan_check_read+0x11/0x20 [ 130.897347] ? do_raw_spin_lock+0x14f/0x350 [ 130.901684] ? kasan_check_read+0x11/0x20 [ 130.905838] ? rwlock_bug.part.2+0x90/0x90 [ 130.910075] ? trace_hardirqs_on+0x310/0x310 [ 130.914499] worker_thread+0x17f/0x1390 [ 130.918470] ? __switch_to_asm+0x34/0x70 [ 130.922577] ? process_one_work+0x1c40/0x1c40 [ 130.927092] ? __sched_text_start+0x8/0x8 [ 130.931267] ? __kthread_parkme+0xce/0x1a0 [ 130.935531] ? _raw_spin_unlock_irqrestore+0x82/0xd0 [ 130.940649] ? _raw_spin_unlock_irqrestore+0x82/0xd0 [ 130.945760] ? lockdep_hardirqs_on+0x3bb/0x5b0 [ 130.950342] ? trace_hardirqs_on+0xbd/0x310 [ 130.954673] ? kasan_check_read+0x11/0x20 [ 130.958821] ? __kthread_parkme+0xce/0x1a0 [ 130.963055] ? trace_hardirqs_off_caller+0x310/0x310 [ 130.968163] ? _raw_spin_unlock_irqrestore+0x6d/0xd0 [ 130.973358] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 130.978921] ? __kthread_parkme+0xfb/0x1a0 [ 130.983165] ? process_one_work+0x1c40/0x1c40 [ 130.987668] kthread+0x35a/0x440 [ 130.991037] ? kthread_stop+0x900/0x900 [ 130.995018] ret_from_fork+0x3a/0x50 [ 130.998737] [ 131.000366] Allocated by task 6859: [ 131.004001] save_stack+0x43/0xd0 [ 131.007458] kasan_kmalloc+0xc7/0xe0 [ 131.011171] __kmalloc+0x15b/0x760 [ 131.014708] ___neigh_create+0x13fc/0x2600 [ 131.018940] __neigh_create+0x30/0x40 [ 131.022739] ip6_finish_output2+0xa64/0x2940 [ 131.027181] ip6_finish_output+0x58c/0xc60 [ 131.031418] ip6_output+0x232/0x9d0 [ 131.035047] ndisc_send_skb+0x1005/0x1560 [ 131.039192] ndisc_send_rs+0x134/0x6e0 [ 131.043082] addrconf_rs_timer+0x314/0x690 [ 131.047314] call_timer_fn+0x272/0x920 [ 131.051201] __run_timers+0x7e5/0xc70 [ 131.055037] run_timer_softirq+0x52/0xb0 [ 131.059109] __do_softirq+0x308/0xb7e [ 131.062927] [ 131.064547] Freed by task 6858: [ 131.067824] save_stack+0x43/0xd0 [ 131.071281] __kasan_slab_free+0x102/0x150 [ 131.075516] kasan_slab_free+0xe/0x10 [ 131.079318] kfree+0xcf/0x230 [ 131.082423] rcu_process_callbacks+0x1140/0x1ac0 [ 131.087178] __do_softirq+0x308/0xb7e [ 131.090974] [ 131.092615] The buggy address belongs to the object at ffff8881b5c5d6c0 [ 131.092615] which belongs to the cache kmalloc-1k of size 1024 [ 131.105290] The buggy address is located 624 bytes inside of [ 131.105290] 1024-byte region [ffff8881b5c5d6c0, ffff8881b5c5dac0) [ 131.117483] The buggy address belongs to the page: [ 131.122438] page:ffffea0006d71700 count:1 mapcount:0 mapping:ffff8881da800ac0 index:0xffff8881b5c5db40 compound_mapcount: 0 [ 131.133708] flags: 0x2fffc0000010200(slab|head) [ 131.138381] raw: 02fffc0000010200 ffffea0006d68a08 ffffea0006d56e88 ffff8881da800ac0 [ 131.146280] raw: ffff8881b5c5db40 ffff8881b5c5c040 0000000100000001 0000000000000000 [ 131.154151] page dumped because: kasan: bad access detected [ 131.159869] [ 131.161488] Memory state around the buggy address: [ 131.166433] ffff8881b5c5d800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 131.173792] ffff8881b5c5d880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 131.181153] >ffff8881b5c5d900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 131.188502] ^ [ 131.193430] ffff8881b5c5d980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 131.200790] ffff8881b5c5da00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 131.208160] ================================================================== [ 131.215548] Disabling lock debugging due to kernel taint [ 131.221076] Kernel panic - not syncing: panic_on_warn set ... [ 131.226994] CPU: 1 PID: 2937 Comm: kworker/1:2 Tainted: G B 4.20.0-rc6+ #337 [ 131.235483] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 131.245374] Workqueue: ipv6_addrconf addrconf_dad_work [ 131.250654] Call Trace: [ 131.253270] dump_stack+0x244/0x39d [ 131.256933] ? dump_stack_print_info.cold.1+0x20/0x20 [ 131.262148] panic+0x2ad/0x55c [ 131.265341] ? add_taint.cold.5+0x16/0x16 [ 131.269492] ? trace_hardirqs_on+0xb4/0x310 [ 131.273841] kasan_end_report+0x47/0x4f [ 131.277811] kasan_report.cold.8+0x76/0x309 [ 131.282157] ? __list_add_valid+0x8f/0xac [ 131.286306] __asan_report_load8_noabort+0x14/0x20 [ 131.291257] __list_add_valid+0x8f/0xac [ 131.295256] ___neigh_create+0x14b7/0x2600 [ 131.299495] ? print_usage_bug+0xc0/0xc0 [ 131.303559] ? print_usage_bug+0xc0/0xc0 [ 131.307623] ? neigh_remove_one+0x5a0/0x5a0 [ 131.311951] ? ipv6_skip_exthdr+0x416/0x760 [ 131.316279] ? mark_held_locks+0x130/0x130 [ 131.320515] ? __lock_acquire+0x62f/0x4c20 [ 131.324751] ? ip_vs_in+0x2a8/0x29e0 [ 131.328472] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 131.334021] ? ip_vs_out+0x2a0/0x1d70 [ 131.337839] ? lock_acquire+0x1ed/0x520 [ 131.341845] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 131.347418] ? check_preemption_disabled+0x48/0x280 [ 131.352438] ? rcu_lockdep_current_cpu_online+0x1a4/0x210 [ 131.357990] ? rcu_pm_notify+0xc0/0xc0 [ 131.361879] __neigh_create+0x30/0x40 [ 131.365680] ip6_finish_output2+0xa64/0x2940 [ 131.370090] ? kthread+0x35a/0x440 [ 131.373628] ? ret_from_fork+0x3a/0x50 [ 131.377520] ? find_held_lock+0x36/0x1c0 [ 131.381606] ? ip6_forward_finish+0x560/0x560 [ 131.386100] ? ip6_mtu+0x39c/0x520 [ 131.389639] ? lock_downgrade+0x900/0x900 [ 131.393787] ? check_preemption_disabled+0x48/0x280 [ 131.398817] ? rcu_read_unlock_special+0x1c0/0x1c0 [ 131.403763] ? kasan_check_read+0x11/0x20 [ 131.407913] ? rcu_dynticks_curr_cpu_in_eqs+0xa2/0x170 [ 131.413188] ? rcu_softirq_qs+0x20/0x20 [ 131.417185] ? ip6_mtu+0x160/0x520 [ 131.420774] ? find_match+0x10a0/0x10a0 [ 131.424752] ? kasan_check_read+0x11/0x20 [ 131.428901] ? rcu_dynticks_curr_cpu_in_eqs+0xa2/0x170 [ 131.434177] ip6_finish_output+0x58c/0xc60 [ 131.438422] ? ip6_finish_output+0x58c/0xc60 [ 131.442954] ip6_output+0x232/0x9d0 [ 131.446611] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 131.452167] ? ip6_finish_output+0xc60/0xc60 [ 131.456572] ? ip6_fragment+0x38b0/0x38b0 [ 131.460715] ? __lock_is_held+0xb5/0x140 [ 131.464804] ndisc_send_skb+0x1005/0x1560 [ 131.468968] ? nf_hook.constprop.33+0x860/0x860 [ 131.473651] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 131.479189] ? refcount_sub_and_test_checked+0x203/0x310 [ 131.484645] ? refcount_inc_not_zero_checked+0x2f0/0x2f0 [ 131.490103] ? memset+0x31/0x40 [ 131.493394] ndisc_send_rs+0x134/0x6e0 [ 131.497301] addrconf_dad_completed+0x331/0xbf0 [ 131.501968] ? _raw_read_unlock_bh+0x30/0x40 [ 131.506379] ? addrconf_verify_work+0x20/0x20 [ 131.510875] ? addrconf_dad_work+0x866/0x1310 [ 131.515376] addrconf_dad_work+0x876/0x1310 [ 131.519705] ? addrconf_dad_work+0x876/0x1310 [ 131.524205] ? addrconf_ifdown+0x1650/0x1650 [ 131.528635] ? __lock_is_held+0xb5/0x140 [ 131.532704] process_one_work+0xc90/0x1c40 [ 131.536947] ? mark_held_locks+0x130/0x130 [ 131.541185] ? pwq_dec_nr_in_flight+0x4a0/0x4a0 [ 131.545860] ? __switch_to_asm+0x40/0x70 [ 131.549970] ? __switch_to_asm+0x34/0x70 [ 131.554039] ? __switch_to_asm+0x40/0x70 [ 131.558108] ? __switch_to_asm+0x34/0x70 [ 131.562166] ? __switch_to_asm+0x40/0x70 [ 131.566246] ? __switch_to_asm+0x34/0x70 [ 131.570329] ? __switch_to_asm+0x40/0x70 [ 131.574402] ? __switch_to_asm+0x34/0x70 [ 131.578479] ? __switch_to_asm+0x40/0x70 [ 131.582543] ? __schedule+0x8d7/0x21d0 [ 131.586437] ? lock_downgrade+0x900/0x900 [ 131.590588] ? zap_class+0x640/0x640 [ 131.594301] ? find_held_lock+0x36/0x1c0 [ 131.598375] ? lock_acquire+0x1ed/0x520 [ 131.602349] ? worker_thread+0x3e0/0x1390 [ 131.606503] ? kasan_check_read+0x11/0x20 [ 131.610684] ? do_raw_spin_lock+0x14f/0x350 [ 131.615018] ? kasan_check_read+0x11/0x20 [ 131.619163] ? rwlock_bug.part.2+0x90/0x90 [ 131.623400] ? trace_hardirqs_on+0x310/0x310 [ 131.627817] worker_thread+0x17f/0x1390 [ 131.631814] ? __switch_to_asm+0x34/0x70 [ 131.635906] ? process_one_work+0x1c40/0x1c40 [ 131.640408] ? __sched_text_start+0x8/0x8 [ 131.644566] ? __kthread_parkme+0xce/0x1a0 [ 131.648796] ? _raw_spin_unlock_irqrestore+0x82/0xd0 [ 131.653895] ? _raw_spin_unlock_irqrestore+0x82/0xd0 [ 131.658996] ? lockdep_hardirqs_on+0x3bb/0x5b0 [ 131.663578] ? trace_hardirqs_on+0xbd/0x310 [ 131.667910] ? kasan_check_read+0x11/0x20 [ 131.672074] ? __kthread_parkme+0xce/0x1a0 [ 131.676313] ? trace_hardirqs_off_caller+0x310/0x310 [ 131.681417] ? _raw_spin_unlock_irqrestore+0x6d/0xd0 [ 131.686523] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 131.692055] ? __kthread_parkme+0xfb/0x1a0 [ 131.696316] ? process_one_work+0x1c40/0x1c40 [ 131.700813] kthread+0x35a/0x440 [ 131.704211] ? kthread_stop+0x900/0x900 [ 131.708193] ret_from_fork+0x3a/0x50 [ 131.712840] Kernel Offset: disabled [ 131.716466] Rebooting in 86400 seconds..