[ 412.923664][ T0] NOHZ: local_softirq_pending 08 [ 413.514421][ T589] batman_adv: batadv0: Interface deactivated: batadv_slave_0 [ 413.525942][ T589] batman_adv: batadv0: Removing interface: batadv_slave_0 [ 413.536065][ T589] batman_adv: batadv0: Interface deactivated: batadv_slave_1 [ 413.545126][ T589] batman_adv: batadv0: Removing interface: batadv_slave_1 [ 413.556805][ T589] device bridge_slave_1 left promiscuous mode [ 413.568311][ T589] bridge0: port 2(bridge_slave_1) entered disabled state [ 413.578099][ T589] device bridge_slave_0 left promiscuous mode [ 413.585550][ T589] bridge0: port 1(bridge_slave_0) entered disabled state [ 413.595188][ T589] device veth1_macvtap left promiscuous mode [ 413.602014][ T589] device veth0_macvtap left promiscuous mode [ 413.609877][ T589] device veth1_vlan left promiscuous mode [ 413.618084][ T589] device veth0_vlan left promiscuous mode [ 414.336912][ T589] device hsr_slave_0 left promiscuous mode [ 414.345812][ T589] device hsr_slave_1 left promiscuous mode [ 414.359155][ T589] team0 (unregistering): Port device team_slave_1 removed [ 414.373367][ T589] team0 (unregistering): Port device team_slave_0 removed [ 414.385119][ T589] bond0 (unregistering): (slave bond_slave_1): Releasing backup interface [ 414.399133][ T589] bond0 (unregistering): (slave bond_slave_0): Releasing backup interface [ 414.420657][ T589] bond0 (unregistering): Released all slaves [ 416.715387][ T589] batman_adv: batadv0: Interface deactivated: batadv_slave_0 [ 416.724893][ T589] batman_adv: batadv0: Removing interface: batadv_slave_0 [ 416.739199][ T589] batman_adv: batadv0: Interface deactivated: batadv_slave_1 [ 416.748881][ T589] batman_adv: batadv0: Removing interface: batadv_slave_1 [ 416.760392][ T589] device bridge_slave_1 left promiscuous mode [ 416.772179][ T589] bridge0: port 2(bridge_slave_1) entered disabled state [ 416.784850][ T589] device bridge_slave_0 left promiscuous mode [ 416.792044][ T589] bridge0: port 1(bridge_slave_0) entered disabled state [ 416.803645][ T589] batman_adv: batadv0: Interface deactivated: batadv_slave_0 [ 416.817524][ T589] batman_adv: batadv0: Removing interface: batadv_slave_0 [ 416.829192][ T589] batman_adv: batadv0: Interface deactivated: batadv_slave_1 [ 416.846920][ T589] batman_adv: batadv0: Removing interface: batadv_slave_1 [ 416.864262][ T589] device bridge_slave_1 left promiscuous mode [ 416.873539][ T589] bridge0: port 2(bridge_slave_1) entered disabled state [ 416.887142][ T589] device bridge_slave_0 left promiscuous mode [ 416.896534][ T589] bridge0: port 1(bridge_slave_0) entered disabled state [ 416.909244][ T589] batman_adv: batadv0: Interface deactivated: batadv_slave_0 [ 416.919601][ T589] batman_adv: batadv0: Removing interface: batadv_slave_0 [ 416.929744][T10428] ================================================================== [ 416.941662][T10428] BUG: KASAN: use-after-free in batadv_iv_ogm_queue_add+0x327/0xec0 [ 416.952797][T10428] Read of size 60 at addr ffff8880a86e7720 by task kworker/u4:6/10428 [ 416.965821][T10428] [ 416.969023][T10428] CPU: 0 PID: 10428 Comm: kworker/u4:6 Not tainted 5.3.0-rc8-syzkaller #0 [ 416.983149][T10428] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 417.001684][T10428] Workqueue: bat_events batadv_iv_send_outstanding_bat_ogm_packet [ 417.012001][T10428] Call Trace: [ 417.016063][T10428] dump_stack+0x86/0xca [ 417.021568][T10428] print_address_description.cold.4+0x9/0x35a [ 417.029879][T10428] ? batadv_iv_ogm_queue_add+0x327/0xec0 [ 417.036913][T10428] __kasan_report.cold.5+0x1b/0x3e [ 417.045868][T10428] ? batadv_iv_ogm_queue_add+0x327/0xec0 [ 417.053274][T10428] ? batadv_iv_ogm_queue_add+0x327/0xec0 [ 417.060773][T10428] kasan_report+0x12/0x17 [ 417.067470][T10428] check_memory_region+0x151/0x1d0 [ 417.076299][T10428] memcpy+0x23/0x50 [ 417.084126][T10428] batadv_iv_ogm_queue_add+0x327/0xec0 [ 417.092635][T10428] ? mark_held_locks+0x130/0x130 [ 417.098872][T10428] ? __local_bh_enable_ip+0x11e/0x1c0 [ 417.105780][T10428] ? batadv_iv_ogm_iface_disable+0x70/0x70 [ 417.113922][T10428] ? lock_acquire+0x12a/0x300 [ 417.119552][T10428] ? batadv_iv_ogm_schedule+0x916/0xe80 [ 417.128195][T10428] batadv_iv_ogm_schedule+0xb47/0xe80 [ 417.135582][T10428] ? batadv_iv_ogm_queue_add+0xec0/0xec0 [ 417.143249][T10428] ? mark_held_locks+0x130/0x130 [ 417.150611][T10428] ? process_one_work+0x6fc/0x1560 [ 417.156507][T10428] ? lock_downgrade+0x710/0x710 [ 417.162524][T10428] batadv_iv_send_outstanding_bat_ogm_packet+0x570/0x7d0 [ 417.171745][T10428] ? lock_acquire+0x12a/0x300 [ 417.178222][T10428] ? process_one_work+0x71b/0x1560 [ 417.194336][T10428] ? trace_hardirqs_on+0x28/0x1b0 [ 417.212114][T10428] process_one_work+0x7d2/0x1560 [ 417.221365][T10428] ? pwq_dec_nr_in_flight+0x2c0/0x2c0 [ 417.231076][T10428] ? lock_acquire+0x12a/0x300 [ 417.237276][T10428] ? _raw_spin_lock_irq+0xe/0x50 [ 417.245923][T10428] worker_thread+0x85/0xb60 [ 417.251487][T10428] ? __kthread_parkme+0x47/0x1a0 [ 417.257239][T10428] kthread+0x331/0x3f0 [ 417.262319][T10428] ? process_one_work+0x1560/0x1560 [ 417.268917][T10428] ? kthread_park+0x120/0x120 [ 417.275838][T10428] ret_from_fork+0x24/0x30 [ 417.282195][T10428] [ 417.285868][T10428] Allocated by task 10428: [ 417.293869][T10428] __kasan_kmalloc.part.0+0x44/0xc0 [ 417.302277][T10428] __kasan_kmalloc.constprop.1+0xb1/0xc0 [ 417.312608][T10428] kasan_kmalloc+0x9/0x10 [ 417.319613][T10428] __kmalloc+0x153/0x390 [ 417.325912][T10428] batadv_tvlv_container_ogm_append+0x16f/0x4c0 [ 417.335208][T10428] batadv_iv_ogm_schedule+0xc39/0xe80 [ 417.348163][T10428] batadv_iv_send_outstanding_bat_ogm_packet+0x570/0x7d0 [ 417.358206][T10428] process_one_work+0x7d2/0x1560 [ 417.365997][T10428] worker_thread+0x85/0xb60 [ 417.373403][T10428] kthread+0x331/0x3f0 [ 417.380941][T10428] ret_from_fork+0x24/0x30 [ 417.388466][T10428] [ 417.391928][T10428] Freed by task 589: [ 417.402140][T10428] __kasan_slab_free+0x145/0x210 [ 417.413729][T10428] kasan_slab_free+0xe/0x10 [ 417.423720][T10428] kfree+0xf7/0x380 [ 417.430789][T10428] batadv_iv_ogm_iface_disable+0x34/0x70 [ 417.441717][T10428] batadv_hardif_disable_interface.cold.8+0x5fb/0xeff [ 417.458062][T10428] batadv_softif_destroy_netlink+0x94/0x100 [ 417.467516][T10428] default_device_exit_batch+0x239/0x3d0 [ 417.476800][T10428] ops_exit_list.isra.1+0xd3/0x120 [ 417.483099][T10428] cleanup_net+0x430/0x940 [ 417.491445][T10428] process_one_work+0x7d2/0x1560 [ 417.499241][T10428] worker_thread+0x85/0xb60 [ 417.505576][T10428] kthread+0x331/0x3f0 [ 417.511351][T10428] ret_from_fork+0x24/0x30 [ 417.518000][T10428] [ 417.523213][T10428] The buggy address belongs to the object at ffff8880a86e7720 [ 417.523213][T10428] which belongs to the cache kmalloc-64 of size 64 [ 417.541798][T10428] The buggy address is located 0 bytes inside of [ 417.541798][T10428] 64-byte region [ffff8880a86e7720, ffff8880a86e7760) [ 417.562396][T10428] The buggy address belongs to the page: [ 417.568940][T10428] page:ffffea0002a1b9c0 refcount:1 mapcount:0 mapping:ffff8880b5c03180 index:0x0 [ 417.584075][T10428] flags: 0xfff00000000200(slab) [ 417.590881][T10428] raw: 00fff00000000200 ffffea0002303040 0000000700000007 ffff8880b5c03180 [ 417.605854][T10428] raw: 0000000000000000 00000000802a002a 00000001ffffffff 0000000000000000 [ 417.618937][T10428] page dumped because: kasan: bad access detected [ 417.627845][T10428] [ 417.631486][T10428] Memory state around the buggy address: [ 417.639568][T10428] ffff8880a86e7600: fb fb fb fb fb fb fb fb fc fc fc fc fb fb fb fb [ 417.650285][T10428] ffff8880a86e7680: fb fb fb fb fc fc fc fc fb fb fb fb fb fb fb fb [ 417.659669][T10428] >ffff8880a86e7700: fc fc fc fc fb fb fb fb fb fb fb fb fc fc fc fc [ 417.669669][T10428] ^ [ 417.679839][T10428] ffff8880a86e7780: fb fb fb fb fb fb fb fb fc fc fc fc 00 00 00 00 [ 417.690626][T10428] ffff8880a86e7800: 00 00 00 00 fc fc fc fc 00 00 00 00 00 00 00 00 [ 417.702932][T10428] ================================================================== [ 417.713860][T10428] Kernel panic - not syncing: panic_on_warn set ... [ 417.721000][T10428] CPU: 0 PID: 10428 Comm: kworker/u4:6 Tainted: G B 5.3.0-rc8-syzkaller #0 [ 417.733661][T10428] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 417.745219][T10428] Workqueue: bat_events batadv_iv_send_outstanding_bat_ogm_packet [ 417.754931][T10428] Call Trace: [ 417.759607][T10428] dump_stack+0x86/0xca [ 417.766184][T10428] ? batadv_iv_ogm_queue_add+0x240/0xec0 [ 417.774144][T10428] panic+0x1f8/0x47d [ 417.779464][T10428] ? __warn_printk+0xd6/0xd6 [ 417.785525][T10428] ? ___preempt_schedule+0x16/0x20 [ 417.791663][T10428] ? batadv_iv_ogm_queue_add+0x327/0xec0 [ 417.798643][T10428] end_report+0x47/0x4f [ 417.804537][T10428] __kasan_report.cold.5+0xe/0x3e [ 417.810435][T10428] ? batadv_iv_ogm_queue_add+0x327/0xec0 [ 417.816945][T10428] ? batadv_iv_ogm_queue_add+0x327/0xec0 [ 417.824107][T10428] kasan_report+0x12/0x17 [ 417.830695][T10428] check_memory_region+0x151/0x1d0 [ 417.838384][T10428] memcpy+0x23/0x50 [ 417.843390][T10428] batadv_iv_ogm_queue_add+0x327/0xec0 [ 417.852428][T10428] ? mark_held_locks+0x130/0x130 [ 417.859484][T10428] ? __local_bh_enable_ip+0x11e/0x1c0 [ 417.866989][T10428] ? batadv_iv_ogm_iface_disable+0x70/0x70 [ 417.875529][T10428] ? lock_acquire+0x12a/0x300 [ 417.882859][T10428] ? batadv_iv_ogm_schedule+0x916/0xe80 [ 417.890425][T10428] batadv_iv_ogm_schedule+0xb47/0xe80 [ 417.898523][T10428] ? batadv_iv_ogm_queue_add+0xec0/0xec0 [ 417.906276][T10428] ? mark_held_locks+0x130/0x130 [ 417.912287][T10428] ? process_one_work+0x6fc/0x1560 [ 417.918386][T10428] ? lock_downgrade+0x710/0x710 [ 417.923734][T10428] batadv_iv_send_outstanding_bat_ogm_packet+0x570/0x7d0 [ 417.932654][T10428] ? lock_acquire+0x12a/0x300 [ 417.938148][T10428] ? process_one_work+0x71b/0x1560 [ 417.944314][T10428] ? trace_hardirqs_on+0x28/0x1b0 [ 417.951736][T10428] process_one_work+0x7d2/0x1560 [ 417.958068][T10428] ? pwq_dec_nr_in_flight+0x2c0/0x2c0 [ 417.964244][T10428] ? lock_acquire+0x12a/0x300 [ 417.969929][T10428] ? _raw_spin_lock_irq+0xe/0x50 [ 417.976615][T10428] worker_thread+0x85/0xb60 [ 417.982911][T10428] ? __kthread_parkme+0x47/0x1a0 [ 417.989351][T10428] kthread+0x331/0x3f0 [ 417.994495][T10428] ? process_one_work+0x1560/0x1560 [ 418.001306][T10428] ? kthread_park+0x120/0x120 [ 418.007506][T10428] ret_from_fork+0x24/0x30 [ 418.015473][T10428] Kernel Offset: disabled [ 418.021370][T10428] Rebooting in 86400 seconds..