Warning: Permanently added '10.128.0.50' (ECDSA) to the list of known hosts.

syzkaller login: [   52.215537] IPVS: ftp: loaded support on port[0] = 21
[   52.371039] bridge0: port 1(bridge_slave_0) entered blocking state
[   52.377952] bridge0: port 1(bridge_slave_0) entered disabled state
[   52.385060] device bridge_slave_0 entered promiscuous mode
[   52.403254] bridge0: port 2(bridge_slave_1) entered blocking state
[   52.409689] bridge0: port 2(bridge_slave_1) entered disabled state
[   52.416630] device bridge_slave_1 entered promiscuous mode
[   52.434574] IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
[   52.452726] IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
[   52.500691] bond0: Enslaving bond_slave_0 as an active interface with an up link
[   52.521741] bond0: Enslaving bond_slave_1 as an active interface with an up link
[   52.595444] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[   52.602914] team0: Port device team_slave_0 added
[   52.619864] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[   52.627335] team0: Port device team_slave_1 added
[   52.643977] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[   52.662578] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[   52.681760] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
[   52.699808] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
RTNETLINK answers: Operation not supported
RTNETLINK answers: No buffer space available
RTNETLINK answers: Operation not supported
[   52.841559] bridge0: port 2(bridge_slave_1) entered blocking state
[   52.848047] bridge0: port 2(bridge_slave_1) entered forwarding state
[   52.854886] bridge0: port 1(bridge_slave_0) entered blocking state
[   52.861298] bridge0: port 1(bridge_slave_0) entered forwarding state
RTNETLINK answers: Operation not supported
RTNETLINK answers: Operation not supported
RTNETLINK answers: Operation not supported
RTNETLINK answers: Invalid argument
RTNETLINK answers: Invalid argument
RTNETLINK answers: Invalid argument
[   53.358925] 8021q: adding VLAN 0 to HW filter on device bond0
[   53.409968] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[   53.460124] IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
[   53.466350] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[   53.473400] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[   53.524068] 8021q: adding VLAN 0 to HW filter on device team0
executing program
[   53.799626] ==================================================================
[   53.807076] BUG: KASAN: slab-out-of-bounds in _decode_session6+0x134a/0x1500
[   53.814253] Read of size 1 at addr ffff8801ca84f507 by task syz-executor318/5450
[   53.821770]
[   53.823389] CPU: 0 PID: 5450 Comm: syz-executor318 Not tainted 4.19.0+ #135
[   53.830471] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   53.839808] Call Trace:
[   53.842389]  dump_stack+0x244/0x39d
[   53.846014]  ? dump_stack_print_info.cold.1+0x20/0x20
[   53.851200]  ? printk+0xa7/0xcf
[   53.854468]  ? kmsg_dump_rewind_nolock+0xe4/0xe4
[   53.859265]  print_address_description.cold.7+0x9/0x1ff
[   53.864632]  kasan_report.cold.8+0x242/0x309
[   53.869029]  ? _decode_session6+0x134a/0x1500
[   53.873601]  __asan_report_load1_noabort+0x14/0x20
[   53.878534]  _decode_session6+0x134a/0x1500
[   53.882850]  __xfrm_decode_session+0x71/0x140
[   53.887334]  vti6_tnl_xmit+0x3fc/0x1c10
[   53.891295]  ? __lock_acquire+0x62f/0x4c20
[   53.895569]  ? vti6_tnl_create2+0x430/0x430
[   53.899885]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   53.905413]  ? check_preemption_disabled+0x48/0x280
[   53.910431]  dev_hard_start_xmit+0x295/0xc90
[   53.914827]  ? dev_direct_xmit+0x6b0/0x6b0
[   53.919055]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[   53.924584]  ? netif_skb_features+0x690/0xb70
[   53.929067]  ? unwind_dump+0x190/0x190
[   53.932946]  ? lock_acquire+0x1ed/0x520
[   53.936906]  ? __dev_queue_xmit+0x3063/0x3ad0
[   53.941393]  ? kasan_check_read+0x11/0x20
[   53.945523]  ? do_raw_spin_lock+0x14f/0x350
[   53.949840]  ? rwlock_bug.part.2+0x90/0x90
[   53.954065]  ? netif_skb_features+0xb70/0xb70
[   53.958591]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   53.964119]  ? check_preemption_disabled+0x48/0x280
[   53.969130]  __dev_queue_xmit+0x2f71/0x3ad0
[   53.973445]  ? save_stack+0x43/0xd0
[   53.977057]  ? kasan_kmalloc+0xc7/0xe0
[   53.980939]  ? __kmalloc_node_track_caller+0x47/0x70
[   53.986027]  ? __kmalloc_reserve.isra.40+0x41/0xe0
[   53.990946]  ? netdev_pick_tx+0x310/0x310
[   53.995086]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   54.000609]  ? check_preemption_disabled+0x48/0x280
[   54.005614]  ? __lock_is_held+0xb5/0x140
[   54.009663]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[   54.014662]  ? skb_release_data+0x1c4/0x880
[   54.018968]  ? kmem_cache_alloc_node_trace+0x34b/0x740
[   54.024228]  ? kasan_unpoison_shadow+0x35/0x50
[   54.028800]  ? skb_tx_error+0x2f0/0x2f0
[   54.032762]  ? __kmalloc_node_track_caller+0x47/0x70
[   54.037849]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   54.043368]  ? __sanitizer_cov_trace_const_cmp2+0x18/0x20
[   54.048892]  ? kasan_check_write+0x14/0x20
[   54.053111]  ? pskb_expand_head+0x6b3/0x10f0
[   54.057511]  ? find_held_lock+0x36/0x1c0
[   54.061572]  ? skb_release_data+0x880/0x880
[   54.065879]  ? __alloc_skb+0x770/0x770
[   54.069763]  ? kasan_check_write+0x14/0x20
[   54.073981]  ? __skb_clone+0x6c7/0xa00
[   54.077853]  ? __copy_skb_header+0x6b0/0x6b0
[   54.082242]  ? kmem_cache_alloc+0x33a/0x730
[   54.086549]  ? skb_ensure_writable+0x15e/0x640
[   54.091115]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   54.096647]  dev_queue_xmit+0x17/0x20
[   54.100435]  ? dev_queue_xmit+0x17/0x20
[   54.104398]  __bpf_redirect+0x5cf/0xb20
[   54.108412]  bpf_clone_redirect+0x2f6/0x490
[   54.112731]  bpf_prog_c39d1ba309a769f7+0xb86/0x1000
[   54.117734]  ? bpf_test_run+0x175/0x780
[   54.121693]  ? lock_downgrade+0x900/0x900
[   54.125827]  ? ktime_get+0x332/0x400
[   54.129529]  ? find_held_lock+0x36/0x1c0
[   54.133647]  ? lock_acquire+0x1ed/0x520
[   54.137622]  ? bpf_test_run+0x3cb/0x780
[   54.141580]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   54.147100]  ? check_preemption_disabled+0x48/0x280
[   54.152104]  ? kasan_check_read+0x11/0x20
[   54.156238]  ? rcu_dynticks_curr_cpu_in_eqs+0xa2/0x170
[   54.161500]  ? rcu_softirq_qs+0x20/0x20
[   54.165464]  ? bpf_cgroup_storage_release+0x220/0x220
[   54.170638]  ? skb_try_coalesce+0x1b70/0x1b70
[   54.175124]  ? bpf_test_run+0x25d/0x780
[   54.179100]  ? netlink_diag_dump+0x2a0/0x2a0
[   54.183499]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   54.189027]  ? bpf_test_init.isra.10+0x70/0x100
[   54.193680]  ? bpf_prog_test_run_skb+0x73c/0xcb0
[   54.198423]  ? bpf_test_finish.isra.9+0x1f0/0x1f0
[   54.203250]  ? bpf_prog_add+0x69/0xd0
[   54.207035]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   54.212553]  ? __bpf_prog_get+0x9b/0x290
[   54.216601]  ? bpf_test_finish.isra.9+0x1f0/0x1f0
[   54.221429]  ? bpf_prog_test_run+0x130/0x1a0
[   54.225822]  ? __x64_sys_bpf+0x3d8/0x520
[   54.229863]  ? bpf_prog_get+0x20/0x20
[   54.233657]  ? do_syscall_64+0x1b9/0x820
[   54.237786]  ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[   54.243146]  ? syscall_return_slowpath+0x5e0/0x5e0
[   54.248158]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   54.252990]  ? trace_hardirqs_on_caller+0x310/0x310
[   54.257995]  ? prepare_exit_to_usermode+0x3b0/0x3b0
[   54.262997]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   54.268517]  ? prepare_exit_to_usermode+0x291/0x3b0
[   54.273566]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   54.278417]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   54.283827]
[   54.285450] Allocated by task 5450:
[   54.289071]  save_stack+0x43/0xd0
[   54.292515]  kasan_kmalloc+0xc7/0xe0
[   54.296214]  __kmalloc_node_track_caller+0x47/0x70
[   54.301125]  __kmalloc_reserve.isra.40+0x41/0xe0
[   54.305867]  pskb_expand_head+0x230/0x10f0
[   54.310298]  skb_ensure_writable+0x3dd/0x640
[   54.314701]  bpf_clone_redirect+0x14a/0x490
[   54.319009]  bpf_prog_c39d1ba309a769f7+0xb86/0x1000
[   54.324000]
[   54.325623] Freed by task 4033:
[   54.328889]  save_stack+0x43/0xd0
[   54.332329]  __kasan_slab_free+0x102/0x150
[   54.336553]  kasan_slab_free+0xe/0x10
[   54.340401]  kfree+0xcf/0x230
[   54.343515]  load_elf_binary+0x25b4/0x5620
[   54.347735]  search_binary_handler+0x17d/0x570
[   54.352305]  __do_execve_file.isra.33+0x162f/0x2540
[   54.357310]  __x64_sys_execve+0x8f/0xc0
[   54.361276]  do_syscall_64+0x1b9/0x820
[   54.365153]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   54.370327]
[   54.371944] The buggy address belongs to the object at ffff8801ca84f300
[   54.371944]  which belongs to the cache kmalloc-512 of size 512
[   54.384581] The buggy address is located 7 bytes to the right of
[   54.384581]  512-byte region [ffff8801ca84f300, ffff8801ca84f500)
[   54.396795] The buggy address belongs to the page:
[   54.401707] page:ffffea00072a13c0 count:1 mapcount:0 mapping:ffff8801da800940 index:0x0
[   54.410107] flags: 0x2fffc0000000100(slab)
[   54.414332] raw: 02fffc0000000100 ffffea0007295b88 ffffea00072eb608 ffff8801da800940
[   54.422259] raw: 0000000000000000 ffff8801ca84f080 0000000100000006 0000000000000000
[   54.430126] page dumped because: kasan: bad access detected
[   54.435815]
[   54.437421] Memory state around the buggy address:
[   54.442334]  ffff8801ca84f400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   54.449676]  ffff8801ca84f480: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   54.457020] >ffff8801ca84f500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   54.464356]                    ^
[   54.467706]  ffff8801ca84f580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   54.475044]  ffff8801ca84f600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   54.482472] ==================================================================
[   54.489817] Disabling lock debugging due to kernel taint
[   54.495313] Kernel panic - not syncing: panic_on_warn set ...
[   54.495313]
[   54.502666] CPU: 0 PID: 5450 Comm: syz-executor318 Tainted: G    B             4.19.0+ #135
[   54.511131] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   54.520463] Call Trace:
[   54.523053]  dump_stack+0x244/0x39d
[   54.526714]  ? dump_stack_print_info.cold.1+0x20/0x20
[   54.531941]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[   54.536695]  panic+0x238/0x4e7
[   54.539870]  ? add_taint.cold.5+0x16/0x16
[   54.544004]  ? trace_hardirqs_on+0x9a/0x310
[   54.548352]  ? trace_hardirqs_on+0xb4/0x310
[   54.552665]  ? trace_hardirqs_on+0xb4/0x310
[   54.556973]  kasan_end_report+0x47/0x4f
[   54.560931]  kasan_report.cold.8+0x76/0x309
[   54.565235]  ? _decode_session6+0x134a/0x1500
[   54.569713]  __asan_report_load1_noabort+0x14/0x20
[   54.574623]  _decode_session6+0x134a/0x1500
[   54.578930]  __xfrm_decode_session+0x71/0x140
[   54.583416]  vti6_tnl_xmit+0x3fc/0x1c10
[   54.587371]  ? __lock_acquire+0x62f/0x4c20
[   54.591594]  ? vti6_tnl_create2+0x430/0x430
[   54.595898]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   54.601474]  ? check_preemption_disabled+0x48/0x280
[   54.606492]  dev_hard_start_xmit+0x295/0xc90
[   54.610890]  ? dev_direct_xmit+0x6b0/0x6b0
[   54.615112]  ? __sanitizer_cov_trace_const_cmp1+0x1a/0x20
[   54.620636]  ? netif_skb_features+0x690/0xb70
[   54.625116]  ? unwind_dump+0x190/0x190
[   54.629040]  ? lock_acquire+0x1ed/0x520
[   54.633004]  ? __dev_queue_xmit+0x3063/0x3ad0
[   54.637484]  ? kasan_check_read+0x11/0x20
[   54.641614]  ? do_raw_spin_lock+0x14f/0x350
[   54.645920]  ? rwlock_bug.part.2+0x90/0x90
[   54.650135]  ? netif_skb_features+0xb70/0xb70
[   54.654618]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   54.660141]  ? check_preemption_disabled+0x48/0x280
[   54.665158]  __dev_queue_xmit+0x2f71/0x3ad0
[   54.669486]  ? save_stack+0x43/0xd0
[   54.673099]  ? kasan_kmalloc+0xc7/0xe0
[   54.676969]  ? __kmalloc_node_track_caller+0x47/0x70
[   54.682062]  ? __kmalloc_reserve.isra.40+0x41/0xe0
[   54.686983]  ? netdev_pick_tx+0x310/0x310
[   54.691236]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   54.696757]  ? check_preemption_disabled+0x48/0x280
[   54.701761]  ? __lock_is_held+0xb5/0x140
[   54.705805]  ? __sanitizer_cov_trace_cmp4+0x16/0x20
[   54.710827]  ? skb_release_data+0x1c4/0x880
[   54.715131]  ? kmem_cache_alloc_node_trace+0x34b/0x740
[   54.720388]  ? kasan_unpoison_shadow+0x35/0x50
[   54.724952]  ? skb_tx_error+0x2f0/0x2f0
[   54.728912]  ? __kmalloc_node_track_caller+0x47/0x70
[   54.733998]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   54.739518]  ? __sanitizer_cov_trace_const_cmp2+0x18/0x20
[   54.745040]  ? kasan_check_write+0x14/0x20
[   54.749331]  ? pskb_expand_head+0x6b3/0x10f0
[   54.753729]  ? find_held_lock+0x36/0x1c0
[   54.757774]  ? skb_release_data+0x880/0x880
[   54.762082]  ? __alloc_skb+0x770/0x770
[   54.765960]  ? kasan_check_write+0x14/0x20
[   54.770176]  ? __skb_clone+0x6c7/0xa00
[   54.774044]  ? __copy_skb_header+0x6b0/0x6b0
[   54.778431]  ? kmem_cache_alloc+0x33a/0x730
[   54.782739]  ? skb_ensure_writable+0x15e/0x640
[   54.787304]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   54.792827]  dev_queue_xmit+0x17/0x20
[   54.796611]  ? dev_queue_xmit+0x17/0x20
[   54.800569]  __bpf_redirect+0x5cf/0xb20
[   54.804524]  bpf_clone_redirect+0x2f6/0x490
[   54.808829]  bpf_prog_c39d1ba309a769f7+0xb86/0x1000
[   54.813830]  ? bpf_test_run+0x175/0x780
[   54.817789]  ? lock_downgrade+0x900/0x900
[   54.821924]  ? ktime_get+0x332/0x400
[   54.825631]  ? find_held_lock+0x36/0x1c0
[   54.829680]  ? lock_acquire+0x1ed/0x520
[   54.833639]  ? bpf_test_run+0x3cb/0x780
[   54.837597]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   54.843114]  ? check_preemption_disabled+0x48/0x280
[   54.848112]  ? kasan_check_read+0x11/0x20
[   54.852257]  ? rcu_dynticks_curr_cpu_in_eqs+0xa2/0x170
[   54.857522]  ? rcu_softirq_qs+0x20/0x20
[   54.861484]  ? bpf_cgroup_storage_release+0x220/0x220
[   54.866658]  ? skb_try_coalesce+0x1b70/0x1b70
[   54.871270]  ? bpf_test_run+0x25d/0x780
[   54.875232]  ? netlink_diag_dump+0x2a0/0x2a0
[   54.879623]  ? __sanitizer_cov_trace_const_cmp8+0x18/0x20
[   54.885148]  ? bpf_test_init.isra.10+0x70/0x100
[   54.889803]  ? bpf_prog_test_run_skb+0x73c/0xcb0
[   54.894544]  ? bpf_test_finish.isra.9+0x1f0/0x1f0
[   54.899377]  ? bpf_prog_add+0x69/0xd0
[   54.903165]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   54.908683]  ? __bpf_prog_get+0x9b/0x290
[   54.912726]  ? bpf_test_finish.isra.9+0x1f0/0x1f0
[   54.917550]  ? bpf_prog_test_run+0x130/0x1a0
[   54.921943]  ? __x64_sys_bpf+0x3d8/0x520
[   54.925988]  ? bpf_prog_get+0x20/0x20
[   54.929786]  ? do_syscall_64+0x1b9/0x820
[   54.933831]  ? entry_SYSCALL_64_after_hwframe+0x3e/0xbe
[   54.939176]  ? syscall_return_slowpath+0x5e0/0x5e0
[   54.944092]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   54.948917]  ? trace_hardirqs_on_caller+0x310/0x310
[   54.953914]  ? prepare_exit_to_usermode+0x3b0/0x3b0
[   54.958913]  ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[   54.964432]  ? prepare_exit_to_usermode+0x291/0x3b0
[   54.969515]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[   54.974351]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   54.980587] Kernel Offset: disabled
[   54.984208] Rebooting in 86400 seconds..