Warning: Permanently added '10.128.1.83' (ED25519) to the list of known hosts.
syzkaller login: [ 43.603538][ T4024] chnl_net:caif_netlink_parms(): no params data found
[ 43.636185][ T4024] bridge0: port 1(bridge_slave_0) entered blocking state
[ 43.638362][ T4024] bridge0: port 1(bridge_slave_0) entered disabled state
[ 43.640943][ T4024] device bridge_slave_0 entered promiscuous mode
[ 43.645084][ T4024] bridge0: port 2(bridge_slave_1) entered blocking state
[ 43.647144][ T4024] bridge0: port 2(bridge_slave_1) entered disabled state
[ 43.649613][ T4024] device bridge_slave_1 entered promiscuous mode
[ 43.663008][ T4024] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 43.667253][ T4024] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 43.679980][ T4024] team0: Port device team_slave_0 added
[ 43.683042][ T4024] team0: Port device team_slave_1 added
[ 43.694809][ T4024] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 43.696768][ T4024] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 43.703643][ T4024] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[ 43.708317][ T4024] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 43.710238][ T4024] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 43.717643][ T4024] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[ 43.767010][ T4024] device hsr_slave_0 entered promiscuous mode
[ 43.805006][ T4024] device hsr_slave_1 entered promiscuous mode
[ 43.910252][ T4024] netdevsim netdevsim0 netdevsim0: renamed from eth0
[ 43.946898][ T4024] netdevsim netdevsim0 netdevsim1: renamed from eth1
[ 43.986675][ T4024] netdevsim netdevsim0 netdevsim2: renamed from eth2
[ 44.026522][ T4024] netdevsim netdevsim0 netdevsim3: renamed from eth3
[ 44.078046][ T4024] bridge0: port 2(bridge_slave_1) entered blocking state
[ 44.080079][ T4024] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 44.082279][ T4024] bridge0: port 1(bridge_slave_0) entered blocking state
[ 44.084236][ T4024] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 44.113775][ T4024] 8021q: adding VLAN 0 to HW filter on device bond0
[ 44.123633][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 44.127524][ T136] bridge0: port 1(bridge_slave_0) entered disabled state
[ 44.130713][ T136] bridge0: port 2(bridge_slave_1) entered disabled state
[ 44.133598][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 44.141111][ T4024] 8021q: adding VLAN 0 to HW filter on device team0
[ 44.147461][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 44.150015][ T136] bridge0: port 1(bridge_slave_0) entered blocking state
[ 44.151947][ T136] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 44.157474][ T408] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 44.160033][ T408] bridge0: port 2(bridge_slave_1) entered blocking state
[ 44.161975][ T408] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 44.172666][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 44.176084][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 44.181430][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 44.189070][ T9] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 44.194227][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 44.198913][ T4024] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 44.208510][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 44.210751][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 44.217147][ T4024] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 44.228362][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 44.239645][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 44.242766][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 44.246071][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 44.250129][ T4024] device veth0_vlan entered promiscuous mode
[ 44.256678][ T4024] device veth1_vlan entered promiscuous mode
[ 44.268666][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan0: link becomes ready
[ 44.271421][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan1: link becomes ready
[ 44.274237][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 44.279081][ T4024] device veth0_macvtap entered promiscuous mode
[ 44.282956][ T4024] device veth1_macvtap entered promiscuous mode
[ 44.292310][ T4024] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 44.294460][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 44.298410][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready
[ 44.303397][ T4024] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 44.306950][ T136] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 44.311298][ T4024] netdevsim netdevsim0 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0
[ 44.313757][ T4024] netdevsim netdevsim0 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0
[ 44.316950][ T4024] netdevsim netdevsim0 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0
[ 44.319271][ T4024] netdevsim netdevsim0 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0
executing program
[ 44.352030][ T4032] IPv6: ADDRCONF(NETDEV_CHANGE): bpq0: link becomes ready
executing program
executing program
[ 44.373305][ T4034] ==================================================================
[ 44.375626][ T4034] BUG: KASAN: use-after-free in ax25_fillin_cb+0x394/0x568
[ 44.377641][ T4034] Read of size 4 at addr ffff0000c1c2ce38 by task syz-executor436/4034
[ 44.379980][ T4034]
[ 44.380603][ T4034] CPU: 1 PID: 4034 Comm: syz-executor436 Not tainted 5.15.184-syzkaller #0
[ 44.383004][ T4034] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
[ 44.385819][ T4034] Call trace:
[ 44.386730][ T4034] dump_backtrace+0x0/0x43c
[ 44.388018][ T4034] show_stack+0x2c/0x3c
[ 44.389206][ T4034] __dump_stack+0x30/0x40
[ 44.390615][ T4034] dump_stack_lvl+0xf8/0x160
[ 44.391989][ T4034] print_address_description+0x78/0x30c
[ 44.393517][ T4034] kasan_report+0xec/0x15c
[ 44.394730][ T4034] __asan_report_load4_noabort+0x44/0x50
[ 44.396279][ T4034] ax25_fillin_cb+0x394/0x568
[ 44.397576][ T4034] ax25_setsockopt+0x8d0/0xa5c
[ 44.398881][ T4034] __sys_setsockopt+0x2f8/0x4b0
[ 44.400211][ T4034] __arm64_sys_setsockopt+0xb8/0xd4
[ 44.401669][ T4034] invoke_syscall+0x98/0x2b8
[ 44.402932][ T4034] el0_svc_common+0x138/0x258
[ 44.404264][ T4034] do_el0_svc+0x58/0x14c
[ 44.405437][ T4034] el0_svc+0x78/0x1e0
[ 44.406523][ T4034] el0t_64_sync_handler+0xcc/0xe4
[ 44.407914][ T4034] el0t_64_sync+0x1a0/0x1a4
[ 44.409158][ T4034]
[ 44.409798][ T4034] Allocated by task 4032:
[ 44.411011][ T4034] __kasan_kmalloc+0xb0/0xf0
[ 44.412245][ T4034] kmem_cache_alloc_trace+0x274/0x3fc
[ 44.413723][ T4034] ax25_dev_device_up+0x5c/0x540
[ 44.415057][ T4034] ax25_device_event+0x504/0x590
[ 44.416372][ T4034] raw_notifier_call_chain+0xd4/0x164
[ 44.417865][ T4034] __dev_notify_flags+0x250/0x46c
[ 44.419227][ T4034] dev_change_flags+0xc8/0x154
[ 44.420544][ T4034] dev_ifsioc+0x504/0xef4
[ 44.421753][ T4034] dev_ioctl+0x4d0/0xc94
[ 44.422963][ T4034] sock_do_ioctl+0x18c/0x240
[ 44.424283][ T4034] sock_ioctl+0x5c8/0x87c
[ 44.425550][ T4034] __arm64_sys_ioctl+0x14c/0x1c8
[ 44.426921][ T4034] invoke_syscall+0x98/0x2b8
[ 44.428201][ T4034] el0_svc_common+0x138/0x258
[ 44.429525][ T4034] do_el0_svc+0x58/0x14c
[ 44.430693][ T4034] el0_svc+0x78/0x1e0
[ 44.431776][ T4034] el0t_64_sync_handler+0xcc/0xe4
[ 44.433146][ T4034] el0t_64_sync+0x1a0/0x1a4
[ 44.434358][ T4034]
[ 44.434960][ T4034] Freed by task 4033:
[ 44.436078][ T4034] kasan_set_track+0x4c/0x84
[ 44.437322][ T4034] kasan_set_free_info+0x28/0x4c
[ 44.438676][ T4034] ____kasan_slab_free+0x118/0x164
[ 44.440078][ T4034] __kasan_slab_free+0x18/0x28
[ 44.441383][ T4034] slab_free_freelist_hook+0x128/0x1e8
[ 44.442892][ T4034] kfree+0x170/0x40c
[ 44.444113][ T4034] ax25_release+0x564/0x814
[ 44.445321][ T4034] sock_close+0xb4/0x1f8
[ 44.446465][ T4034] __fput+0x1c0/0x7f8
[ 44.447513][ T4034] ____fput+0x20/0x30
[ 44.448610][ T4034] task_work_run+0x12c/0x1e0
[ 44.449859][ T4034] do_notify_resume+0x24b4/0x3128
[ 44.451196][ T4034] el0_svc+0xf0/0x1e0
[ 44.452226][ T4034] el0t_64_sync_handler+0xcc/0xe4
[ 44.453577][ T4034] el0t_64_sync+0x1a0/0x1a4
[ 44.454796][ T4034]
[ 44.455441][ T4034] The buggy address belongs to the object at ffff0000c1c2ce00
[ 44.455441][ T4034] which belongs to the cache kmalloc-256 of size 256
[ 44.459228][ T4034] The buggy address is located 56 bytes inside of
[ 44.459228][ T4034] 256-byte region [ffff0000c1c2ce00, ffff0000c1c2cf00)
[ 44.462805][ T4034] The buggy address belongs to the page:
[ 44.464302][ T4034] page:000000004ab359df refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x101c2c
[ 44.467106][ T4034] head:000000004ab359df order:1 compound_mapcount:0
[ 44.468896][ T4034] flags: 0x5ffc00000010200(slab|head|node=0|zone=2|lastcpupid=0x7ff)
[ 44.471120][ T4034] raw: 05ffc00000010200 dead000000000100 dead000000000122 ffff0000c0002480
[ 44.473461][ T4034] raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000
[ 44.475852][ T4034] page dumped because: kasan: bad access detected
[ 44.477614][ T4034]
[ 44.478206][ T4034] Memory state around the buggy address:
[ 44.479722][ T4034] ffff0000c1c2cd00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 44.481904][ T4034] ffff0000c1c2cd80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 44.484088][ T4034] >ffff0000c1c2ce00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 44.486286][ T4034] ^
[ 44.487811][ T4034] ffff0000c1c2ce80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 44.489991][ T4034] ffff0000c1c2cf00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 44.492161][ T4034] ==================================================================
[ 44.494396][ T4034] Disabling lock debugging due to kernel taint
[ 44.497780][ T4034] Unable to handle kernel paging request at virtual address aac0028e00001569
[ 44.500286][ T4034] Mem abort info:
[ 44.501336][ T4034] ESR = 0x0000000096000021
[ 44.502621][ T4034] EC = 0x25: DABT (current EL), IL = 32 bits
[ 44.504277][ T4034] SET = 0, FnV = 0
[ 44.506258][ T4034] EA = 0, S1PTW = 0
[ 44.507365][ T4034] FSC = 0x21: alignment fault
[ 44.508664][ T4034] Data abort info:
[ 44.509695][ T4034] ISV = 0, ISS = 0x00000021
[ 44.510981][ T4034] CM = 0, WnR = 0
[ 44.511997][ T4034] [aac0028e00001569] address between user and kernel address ranges
[ 44.514115][ T4034] Internal error: Oops: 0000000096000021 [#1] PREEMPT SMP
[ 44.516011][ T4034] Modules linked in:
[ 44.517115][ T4034] CPU: 0 PID: 4034 Comm: syz-executor436 Tainted: G B 5.15.184-syzkaller #0
[ 44.519769][ T4034] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
[ 44.522575][ T4034] pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[ 44.524715][ T4034] pc : ax25_release+0x4f4/0x814
[ 44.526006][ T4034] lr : ax25_release+0x4ec/0x814
[ 44.527283][ T4034] sp : ffff80001f0f7a00
[ 44.528375][ T4034] x29: ffff80001f0f7a20 x28: dfff800000000000 x27: ffff0000da6a7080
[ 44.530551][ T4034] x26: ffff0000c82df028 x25: 0000000000000002 x24: 00000000ffffffff
[ 44.532693][ T4034] x23: aac0028e00001569 x22: ffff0000c1c2ce00 x21: ffff0000de7c3c18
[ 44.534830][ T4034] x20: ffff0000da6a7000 x19: 1fffe0001905be05 x18: 0000000000000000
[ 44.537004][ T4034] x17: 0000000000000000 x16: ffff8000082d4b38 x15: 0000000000000002
[ 44.539310][ T4034] x14: 0000000000ff0100 x13: ffffffffffffffff x12: 0000000000ff0100
[ 44.541440][ T4034] x11: 0000000000000000 x10: 0000000000000000 x9 : ffff800010448c94
[ 44.543630][ T4034] x8 : ffff0000ce7a51c0 x7 : 0000000000000000 x6 : ffff80000837a0a0
[ 44.545822][ T4034] x5 : 0000000000000000 x4 : 0000000000000000 x3 : ffff800010448c88
[ 44.548032][ T4034] x2 : 0000000000000001 x1 : 0000000000000004 x0 : 0000000000000001
[ 44.550190][ T4034] Call trace:
[ 44.551059][ T4034] ax25_release+0x4f4/0x814
[ 44.552255][ T4034] sock_close+0xb4/0x1f8
[ 44.553370][ T4034] __fput+0x1c0/0x7f8
[ 44.554483][ T4034] ____fput+0x20/0x30
[ 44.555556][ T4034] task_work_run+0x12c/0x1e0
[ 44.556843][ T4034] do_notify_resume+0x24b4/0x3128
[ 44.558278][ T4034] el0_svc+0xf0/0x1e0
[ 44.559360][ T4034] el0t_64_sync_handler+0xcc/0xe4
[ 44.560717][ T4034] el0t_64_sync+0x1a0/0x1a4
[ 44.561971][ T4034] Code: d503201f 9600bf1c 52800038 4b1803f8 (b87802f8)
[ 44.563791][ T4034] ---[ end trace deae1ec87cd57b48 ]---
[ 44.887743][ T4034] Kernel panic - not syncing: Oops: Fatal exception
[ 44.889604][ T4034] SMP: stopping secondary CPUs
[ 44.890967][ T4034] Kernel Offset: disabled
[ 44.892120][ T4034] CPU features: 0x8,000081c1,21302e40
[ 44.893584][ T4034] Memory Limit: none
[ 45.193490][ T4034] Rebooting in 86400 seconds..