Warning: Permanently added '10.128.0.249' (ECDSA) to the list of known hosts.
[ 28.430928] IPVS: ftp: loaded support on port[0] = 21
[ 28.496017] chnl_net:caif_netlink_parms(): no params data found
[ 28.573435] bridge0: port 1(bridge_slave_0) entered blocking state
[ 28.580616] bridge0: port 1(bridge_slave_0) entered disabled state
[ 28.587487] device bridge_slave_0 entered promiscuous mode
[ 28.594595] bridge0: port 2(bridge_slave_1) entered blocking state
[ 28.601238] bridge0: port 2(bridge_slave_1) entered disabled state
[ 28.608776] device bridge_slave_1 entered promiscuous mode
[ 28.624386] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 28.632894] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 28.650642] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 28.658344] team0: Port device team_slave_0 added
[ 28.663619] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 28.671165] team0: Port device team_slave_1 added
[ 28.685616] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 28.691875] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 28.717670] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[ 28.729676] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 28.735896] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 28.762026] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[ 28.773018] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[ 28.781291] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[ 28.799376] device hsr_slave_0 entered promiscuous mode
[ 28.805046] device hsr_slave_1 entered promiscuous mode
[ 28.811603] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready
[ 28.818993] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_1: link is not ready
[ 28.876816] bridge0: port 2(bridge_slave_1) entered blocking state
[ 28.883219] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 28.890016] bridge0: port 1(bridge_slave_0) entered blocking state
[ 28.896357] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 28.923568] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[ 28.930496] 8021q: adding VLAN 0 to HW filter on device bond0
[ 28.938062] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 28.946619] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 28.956504] bridge0: port 1(bridge_slave_0) entered disabled state
[ 28.963610] bridge0: port 2(bridge_slave_1) entered disabled state
[ 28.972969] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready
[ 28.979485] 8021q: adding VLAN 0 to HW filter on device team0
[ 28.987285] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 28.994966] bridge0: port 1(bridge_slave_0) entered blocking state
[ 29.001347] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 29.018815] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 29.026443] bridge0: port 2(bridge_slave_1) entered blocking state
[ 29.032838] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 29.040321] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 29.048361] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 29.055753] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 29.063319] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 29.072760] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
[ 29.083264] IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready
[ 29.089295] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 29.096093] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 29.109687] IPv6: ADDRCONF(NETDEV_UP): vxcan0: link is not ready
[ 29.117518] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 29.124151] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 29.134497] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 29.181099] IPv6: ADDRCONF(NETDEV_UP): veth0_virt_wifi: link is not ready
[ 29.190655] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 29.219526] IPv6: ADDRCONF(NETDEV_UP): veth0_vlan: link is not ready
[ 29.226352] IPv6: ADDRCONF(NETDEV_UP): vlan0: link is not ready
[ 29.234065] IPv6: ADDRCONF(NETDEV_UP): vlan1: link is not ready
[ 29.242721] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 29.250704] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 29.259094] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 29.267621] device veth0_vlan entered promiscuous mode
[ 29.275463] device veth1_vlan entered promiscuous mode
[ 29.281404] IPv6: ADDRCONF(NETDEV_UP): macvlan0: link is not ready
[ 29.290000] IPv6: ADDRCONF(NETDEV_UP): macvlan1: link is not ready
[ 29.300355] IPv6: ADDRCONF(NETDEV_UP): veth0_macvtap: link is not ready
[ 29.309631] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan0: link becomes ready
[ 29.316713] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan1: link becomes ready
[ 29.324312] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 29.333047] device veth0_macvtap entered promiscuous mode
[ 29.339194] IPv6: ADDRCONF(NETDEV_UP): macvtap0: link is not ready
[ 29.346623] device veth1_macvtap entered promiscuous mode
[ 29.354978] IPv6: ADDRCONF(NETDEV_UP): veth0_to_batadv: link is not ready
[ 29.363790] IPv6: ADDRCONF(NETDEV_UP): veth1_to_batadv: link is not ready
[ 29.373195] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 29.380769] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 29.389553] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready
[ 29.398896] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 29.408283] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
executing program
[ 29.481324] netlink: 4 bytes leftover after parsing attributes in process `syz-executor130'.
[ 29.493784] ==================================================================
[ 29.501226] BUG: KASAN: use-after-free in radix_tree_next_chunk+0x89f/0x8c0
[ 29.508303] Read of size 8 at addr ffff88809ed90b48 by task syz-executor130/7979
[ 29.515806]
[ 29.517412] CPU: 1 PID: 7979 Comm: syz-executor130 Not tainted 4.14.278-syzkaller #0
[ 29.525264] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 29.534593] Call Trace:
[ 29.537171] dump_stack+0x1b2/0x281
[ 29.540790] print_address_description.cold+0x54/0x1d3
[ 29.546040] kasan_report_error.cold+0x8a/0x191
[ 29.550685] ? radix_tree_next_chunk+0x89f/0x8c0
[ 29.555417] __asan_report_load8_noabort+0x68/0x70
[ 29.560320] ? radix_tree_next_chunk+0x89f/0x8c0
[ 29.565050] radix_tree_next_chunk+0x89f/0x8c0
[ 29.569613] ida_remove+0x9b/0x210
[ 29.573130] ? ida_destroy+0x1b0/0x1b0
[ 29.576993] ? lock_acquire+0x170/0x3f0
[ 29.580945] ida_simple_remove+0x31/0x50
[ 29.584981] ipvlan_link_new+0x50c/0xfa0
[ 29.589019] rtnl_newlink+0xf7c/0x1830
[ 29.592885] ? __lock_acquire+0x5fc/0x3f20
[ 29.597097] ? ipvlan_port_destroy+0x3f0/0x3f0
[ 29.601690] ? kasan_slab_free+0xc3/0x1a0
[ 29.605819] ? rtnl_dellink+0x6a0/0x6a0
[ 29.609778] ? trace_hardirqs_on+0x10/0x10
[ 29.613995] ? __dev_queue_xmit+0x1d7f/0x2480
[ 29.618466] ? netlink_deliver_tap+0x61b/0x860
[ 29.623046] ? netlink_unicast+0x485/0x610
[ 29.627259] ? sock_sendmsg+0x40/0x100
[ 29.631123] ? ___sys_sendmsg+0x6c8/0x800
[ 29.635249] ? __sys_sendmsg+0xa3/0x120
[ 29.639216] ? lock_acquire+0x170/0x3f0
[ 29.643167] ? lock_downgrade+0x740/0x740
[ 29.647291] ? rtnl_dellink+0x6a0/0x6a0
[ 29.651241] rtnetlink_rcv_msg+0x3be/0xb10
[ 29.655453] ? rtnl_calcit.isra.0+0x3a0/0x3a0
[ 29.659923] ? __netlink_lookup+0x345/0x5d0
[ 29.664223] ? netdev_pick_tx+0x2e0/0x2e0
[ 29.668349] netlink_rcv_skb+0x125/0x390
[ 29.672384] ? rtnl_calcit.isra.0+0x3a0/0x3a0
[ 29.676857] ? netlink_ack+0x9a0/0x9a0
[ 29.680725] netlink_unicast+0x437/0x610
[ 29.684761] ? netlink_sendskb+0xd0/0xd0
[ 29.688796] ? __check_object_size+0x179/0x230
[ 29.693355] netlink_sendmsg+0x648/0xbc0
[ 29.697403] ? nlmsg_notify+0x1b0/0x1b0
[ 29.701359] ? kernel_recvmsg+0x210/0x210
[ 29.705487] ? security_socket_sendmsg+0x83/0xb0
[ 29.710222] ? nlmsg_notify+0x1b0/0x1b0
[ 29.714175] sock_sendmsg+0xb5/0x100
[ 29.717866] ___sys_sendmsg+0x6c8/0x800
[ 29.721818] ? copy_msghdr_from_user+0x3b0/0x3b0
[ 29.726552] ? trace_hardirqs_on+0x10/0x10
[ 29.730768] ? lock_acquire+0x170/0x3f0
[ 29.734718] ? lock_downgrade+0x740/0x740
[ 29.738843] ? __might_fault+0x104/0x1b0
[ 29.742887] ? lock_acquire+0x170/0x3f0
[ 29.746835] ? lock_downgrade+0x740/0x740
[ 29.750964] ? __might_fault+0x177/0x1b0
[ 29.755001] ? _copy_to_user+0x82/0xd0
[ 29.758868] ? move_addr_to_user+0x13f/0x180
[ 29.763249] ? __fdget+0x167/0x1f0
[ 29.766769] ? sockfd_lookup_light+0xb2/0x160
[ 29.771240] __sys_sendmsg+0xa3/0x120
[ 29.775018] ? SyS_shutdown+0x160/0x160
[ 29.778971] ? move_addr_to_kernel+0x60/0x60
[ 29.783357] SyS_sendmsg+0x27/0x40
[ 29.786870] ? __sys_sendmsg+0x120/0x120
[ 29.790905] do_syscall_64+0x1d5/0x640
[ 29.794773] entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 29.799937] RIP: 0033:0x7f3f36316869
[ 29.803633] RSP: 002b:00007fffbaaca258 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 29.811316] RAX: ffffffffffffffda RBX: 00007fffbaaca268 RCX: 00007f3f36316869
[ 29.818561] RDX: 0000000000000000 RSI: 0000000020000280 RDI: 0000000000000004
[ 29.825806] RBP: 0000000000000003 R08: 0000000000000000 R09: 0000000000000000
[ 29.833051] R10: 0000000000000000 R11: 0000000000000246 R12: 00007fffbaaca270
[ 29.840299] R13: 00007fffbaaca290 R14: 0000000000000000 R15: 0000000000000000
[ 29.847548]
[ 29.849150] Allocated by task 7979:
[ 29.852754] kasan_kmalloc+0xeb/0x160
[ 29.856531] kmem_cache_alloc_trace+0x131/0x3d0
[ 29.861175] ipvlan_link_new+0x64f/0xfa0
[ 29.865211] rtnl_newlink+0xf7c/0x1830
[ 29.869075] rtnetlink_rcv_msg+0x3be/0xb10
[ 29.873286] netlink_rcv_skb+0x125/0x390
[ 29.877321] netlink_unicast+0x437/0x610
[ 29.881356] netlink_sendmsg+0x648/0xbc0
[ 29.885392] sock_sendmsg+0xb5/0x100
[ 29.889080] ___sys_sendmsg+0x6c8/0x800
[ 29.893029] __sys_sendmsg+0xa3/0x120
[ 29.896804] SyS_sendmsg+0x27/0x40
[ 29.900320] do_syscall_64+0x1d5/0x640
[ 29.904185] entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 29.909345]
[ 29.910947] Freed by task 7979:
[ 29.914199] kasan_slab_free+0xc3/0x1a0
[ 29.918145] kfree+0xc9/0x250
[ 29.921223] ipvlan_uninit+0xb6/0xe0
[ 29.924913] register_netdevice+0x7fd/0xe50
[ 29.929212] ipvlan_link_new+0x499/0xfa0
[ 29.933264] rtnl_newlink+0xf7c/0x1830
[ 29.937127] rtnetlink_rcv_msg+0x3be/0xb10
[ 29.941334] netlink_rcv_skb+0x125/0x390
[ 29.945370] netlink_unicast+0x437/0x610
[ 29.949406] netlink_sendmsg+0x648/0xbc0
[ 29.953441] sock_sendmsg+0xb5/0x100
[ 29.957126] ___sys_sendmsg+0x6c8/0x800
[ 29.961075] __sys_sendmsg+0xa3/0x120
[ 29.964847] SyS_sendmsg+0x27/0x40
[ 29.968360] do_syscall_64+0x1d5/0x640
[ 29.972222] entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 29.977381]
[ 29.978986] The buggy address belongs to the object at ffff88809ed90280
[ 29.978986] which belongs to the cache kmalloc-4096 of size 4096
[ 29.991792] The buggy address is located 2248 bytes inside of
[ 29.991792] 4096-byte region [ffff88809ed90280, ffff88809ed91280)
[ 30.003812] The buggy address belongs to the page:
[ 30.008716] page:ffffea00027b6400 count:1 mapcount:0 mapping:ffff88809ed90280 index:0x0 compound_mapcount: 0
[ 30.018776] flags: 0xfff00000008100(slab|head)
[ 30.023344] raw: 00fff00000008100 ffff88809ed90280 0000000000000000 0000000100000001
[ 30.031200] raw: ffffea00027b63a0 ffff88813fe64a48 ffff88813fe74dc0 0000000000000000
[ 30.039058] page dumped because: kasan: bad access detected
[ 30.044742]
[ 30.046346] Memory state around the buggy address:
[ 30.051251] ffff88809ed90a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 30.058590] ffff88809ed90a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 30.065931] >ffff88809ed90b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 30.073273] ^
[ 30.078964] ffff88809ed90b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 30.086308] ffff88809ed90c00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 30.093640] ==================================================================
[ 30.100975] Disabling lock debugging due to kernel taint
[ 30.106398] Kernel panic - not syncing: panic_on_warn set ...
[ 30.106398]
[ 30.113747] CPU: 1 PID: 7979 Comm: syz-executor130 Tainted: G B 4.14.278-syzkaller #0
[ 30.122818] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 30.132239] Call Trace:
[ 30.134807] dump_stack+0x1b2/0x281
[ 30.138413] panic+0x1f9/0x42d
[ 30.141584] ? add_taint.cold+0x16/0x16
[ 30.145534] ? lock_downgrade+0x740/0x740
[ 30.149665] kasan_end_report+0x43/0x49
[ 30.153622] kasan_report_error.cold+0xa7/0x191
[ 30.158262] ? radix_tree_next_chunk+0x89f/0x8c0
[ 30.162997] __asan_report_load8_noabort+0x68/0x70
[ 30.167902] ? radix_tree_next_chunk+0x89f/0x8c0
[ 30.172633] radix_tree_next_chunk+0x89f/0x8c0
[ 30.177192] ida_remove+0x9b/0x210
[ 30.180706] ? ida_destroy+0x1b0/0x1b0
[ 30.184566] ? lock_acquire+0x170/0x3f0
[ 30.188517] ida_simple_remove+0x31/0x50
[ 30.192556] ipvlan_link_new+0x50c/0xfa0
[ 30.196595] rtnl_newlink+0xf7c/0x1830
[ 30.200455] ? __lock_acquire+0x5fc/0x3f20
[ 30.204666] ? ipvlan_port_destroy+0x3f0/0x3f0
[ 30.209223] ? kasan_slab_free+0xc3/0x1a0
[ 30.213349] ? rtnl_dellink+0x6a0/0x6a0
[ 30.217296] ? trace_hardirqs_on+0x10/0x10
[ 30.221511] ? __dev_queue_xmit+0x1d7f/0x2480
[ 30.225979] ? netlink_deliver_tap+0x61b/0x860
[ 30.230531] ? netlink_unicast+0x485/0x610
[ 30.234740] ? sock_sendmsg+0x40/0x100
[ 30.238602] ? ___sys_sendmsg+0x6c8/0x800
[ 30.242722] ? __sys_sendmsg+0xa3/0x120
[ 30.246679] ? lock_acquire+0x170/0x3f0
[ 30.250627] ? lock_downgrade+0x740/0x740
[ 30.254751] ? rtnl_dellink+0x6a0/0x6a0
[ 30.258699] rtnetlink_rcv_msg+0x3be/0xb10
[ 30.262906] ? rtnl_calcit.isra.0+0x3a0/0x3a0
[ 30.267372] ? __netlink_lookup+0x345/0x5d0
[ 30.271683] ? netdev_pick_tx+0x2e0/0x2e0
[ 30.275804] netlink_rcv_skb+0x125/0x390
[ 30.279841] ? rtnl_calcit.isra.0+0x3a0/0x3a0
[ 30.284310] ? netlink_ack+0x9a0/0x9a0
[ 30.288175] netlink_unicast+0x437/0x610
[ 30.292209] ? netlink_sendskb+0xd0/0xd0
[ 30.296248] ? __check_object_size+0x179/0x230
[ 30.300802] netlink_sendmsg+0x648/0xbc0
[ 30.304841] ? nlmsg_notify+0x1b0/0x1b0
[ 30.308788] ? kernel_recvmsg+0x210/0x210
[ 30.312920] ? security_socket_sendmsg+0x83/0xb0
[ 30.317646] ? nlmsg_notify+0x1b0/0x1b0
[ 30.321594] sock_sendmsg+0xb5/0x100
[ 30.325282] ___sys_sendmsg+0x6c8/0x800
[ 30.329231] ? copy_msghdr_from_user+0x3b0/0x3b0
[ 30.333959] ? trace_hardirqs_on+0x10/0x10
[ 30.338167] ? lock_acquire+0x170/0x3f0
[ 30.342112] ? lock_downgrade+0x740/0x740
[ 30.346233] ? __might_fault+0x104/0x1b0
[ 30.350268] ? lock_acquire+0x170/0x3f0
[ 30.354214] ? lock_downgrade+0x740/0x740
[ 30.358340] ? __might_fault+0x177/0x1b0
[ 30.362378] ? _copy_to_user+0x82/0xd0
[ 30.366239] ? move_addr_to_user+0x13f/0x180
[ 30.370620] ? __fdget+0x167/0x1f0
[ 30.374143] ? sockfd_lookup_light+0xb2/0x160
[ 30.378612] __sys_sendmsg+0xa3/0x120
[ 30.382386] ? SyS_shutdown+0x160/0x160
[ 30.386335] ? move_addr_to_kernel+0x60/0x60
[ 30.390733] SyS_sendmsg+0x27/0x40
[ 30.394244] ? __sys_sendmsg+0x120/0x120
[ 30.398280] do_syscall_64+0x1d5/0x640
[ 30.402143] entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 30.407306] RIP: 0033:0x7f3f36316869
[ 30.410990] RSP: 002b:00007fffbaaca258 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 30.418670] RAX: ffffffffffffffda RBX: 00007fffbaaca268 RCX: 00007f3f36316869
[ 30.425914] RDX: 0000000000000000 RSI: 0000000020000280 RDI: 0000000000000004
[ 30.433157] RBP: 0000000000000003 R08: 0000000000000000 R09: 0000000000000000
[ 30.440398] R10: 0000000000000000 R11: 0000000000000246 R12: 00007fffbaaca270
[ 30.447639] R13: 00007fffbaaca290 R14: 0000000000000000 R15: 0000000000000000
[ 30.455054] Kernel Offset: disabled
[ 30.458658] Rebooting in 86400 seconds..