Warning: Permanently added '10.128.0.235' (ECDSA) to the list of known hosts.
syzkaller login: [ 32.094212] IPVS: ftp: loaded support on port[0] = 21
[ 32.156953] chnl_net:caif_netlink_parms(): no params data found
[ 32.227078] bridge0: port 1(bridge_slave_0) entered blocking state
[ 32.233732] bridge0: port 1(bridge_slave_0) entered disabled state
[ 32.241567] device bridge_slave_0 entered promiscuous mode
[ 32.248316] bridge0: port 2(bridge_slave_1) entered blocking state
[ 32.254976] bridge0: port 2(bridge_slave_1) entered disabled state
[ 32.262588] device bridge_slave_1 entered promiscuous mode
[ 32.277792] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 32.286409] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 32.304184] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 32.311364] team0: Port device team_slave_0 added
[ 32.316684] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 32.324162] team0: Port device team_slave_1 added
[ 32.337667] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 32.343960] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 32.369194] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[ 32.380650] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 32.386886] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 32.412117] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[ 32.425750] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[ 32.433122] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[ 32.450395] device hsr_slave_0 entered promiscuous mode
[ 32.455962] device hsr_slave_1 entered promiscuous mode
[ 32.462151] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready
[ 32.469082] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_1: link is not ready
[ 32.525516] bridge0: port 2(bridge_slave_1) entered blocking state
[ 32.531937] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 32.538676] bridge0: port 1(bridge_slave_0) entered blocking state
[ 32.545059] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 32.570883] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[ 32.576945] 8021q: adding VLAN 0 to HW filter on device bond0
[ 32.585396] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 32.593997] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 32.612861] bridge0: port 1(bridge_slave_0) entered disabled state
[ 32.630463] bridge0: port 2(bridge_slave_1) entered disabled state
[ 32.640459] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready
[ 32.646611] 8021q: adding VLAN 0 to HW filter on device team0
[ 32.654881] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 32.662720] bridge0: port 1(bridge_slave_0) entered blocking state
[ 32.669057] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 32.687279] hsr0: Slave A (hsr_slave_0) is not up; please bring it up to get a fully working HSR network
[ 32.697168] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
[ 32.708697] IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready
[ 32.715884] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 32.723775] bridge0: port 2(bridge_slave_1) entered blocking state
[ 32.730146] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 32.737561] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 32.745360] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 32.753026] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 32.760633] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 32.768070] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 32.774909] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 32.785755] IPv6: ADDRCONF(NETDEV_UP): vxcan0: link is not ready
[ 32.794041] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 32.800788] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 32.811118] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 32.859790] IPv6: ADDRCONF(NETDEV_UP): veth0_virt_wifi: link is not ready
[ 32.868773] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 32.894649] IPv6: ADDRCONF(NETDEV_UP): veth0_vlan: link is not ready
[ 32.901659] IPv6: ADDRCONF(NETDEV_UP): vlan0: link is not ready
[ 32.908268] IPv6: ADDRCONF(NETDEV_UP): vlan1: link is not ready
[ 32.917117] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 32.924664] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 32.931608] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 32.941291] device veth0_vlan entered promiscuous mode
[ 32.949140] device veth1_vlan entered promiscuous mode
[ 32.955149] IPv6: ADDRCONF(NETDEV_UP): macvlan0: link is not ready
[ 32.963513] IPv6: ADDRCONF(NETDEV_UP): macvlan1: link is not ready
[ 32.974013] IPv6: ADDRCONF(NETDEV_UP): veth0_macvtap: link is not ready
[ 32.983000] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan0: link becomes ready
[ 32.990508] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan1: link becomes ready
[ 32.997591] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 33.006855] device veth0_macvtap entered promiscuous mode
[ 33.013201] IPv6: ADDRCONF(NETDEV_UP): macvtap0: link is not ready
[ 33.021646] device veth1_macvtap entered promiscuous mode
[ 33.029593] IPv6: ADDRCONF(NETDEV_UP): veth0_to_batadv: link is not ready
[ 33.038804] IPv6: ADDRCONF(NETDEV_UP): veth1_to_batadv: link is not ready
[ 33.048304] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 33.055781] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 33.064454] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready
[ 33.074107] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 33.081993] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
executing program
[ 33.149567] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 33.166116] ==================================================================
[ 33.173532] BUG: KASAN: use-after-free in ip_tunnel_xmit+0x24b4/0x33e0
[ 33.180182] Read of size 4 at addr ffff8880abbbd8b0 by task syz-executor339/7977
[ 33.187698]
[ 33.189309] CPU: 0 PID: 7977 Comm: syz-executor339 Not tainted 4.14.298-syzkaller #0
[ 33.197169] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
[ 33.206510] Call Trace:
[ 33.209076] dump_stack+0x1b2/0x281
[ 33.212699] print_address_description.cold+0x54/0x1d3
[ 33.217959] kasan_report_error.cold+0x8a/0x191
[ 33.222614] ? ip_tunnel_xmit+0x24b4/0x33e0
[ 33.226909] __asan_report_load4_noabort+0x68/0x70
[ 33.232039] ? kasan_unpoison_task_stack+0x20/0x30
[ 33.236946] ? ip_tunnel_xmit+0x24b4/0x33e0
[ 33.241245] ip_tunnel_xmit+0x24b4/0x33e0
[ 33.245525] ? ip_md_tunnel_xmit+0x1060/0x1060
[ 33.250094] ? trace_hardirqs_on+0x10/0x10
[ 33.254313] ? trace_hardirqs_on_caller+0x4c0/0x580
[ 33.259319] ? skb_crc32c_csum_help+0x70/0x70
[ 33.263883] ? skb_push+0x9d/0xc0
[ 33.267407] ? __gre_xmit+0x42f/0x7b0
[ 33.271189] ipgre_xmit+0x412/0x780
[ 33.274808] dev_hard_start_xmit+0x188/0x890
[ 33.279198] __dev_queue_xmit+0x1d7f/0x2480
[ 33.283501] ? netdev_pick_tx+0x2e0/0x2e0
[ 33.287622] ? __pskb_pull_tail+0xb54/0x14a0
[ 33.292006] ? skb_copy_datagram_from_iter+0x3c1/0x5f0
[ 33.297257] ? skb_partial_csum_set+0x1e2/0x260
[ 33.301900] packet_snd+0x13aa/0x26f0
[ 33.305682] ? prb_retire_rx_blk_timer_expired+0x630/0x630
[ 33.311309] ? get_user_pages_unlocked+0x70/0x2e0
[ 33.316164] ? lock_acquire+0x170/0x3f0
[ 33.320119] ? lock_downgrade+0x740/0x740
[ 33.324356] packet_sendmsg+0x12ed/0x33a0
[ 33.328478] ? __might_fault+0x177/0x1b0
[ 33.332519] ? rw_copy_check_uvector+0x1dd/0x2b0
[ 33.337253] ? import_iovec+0x1df/0x360
[ 33.341202] ? dup_iter+0x240/0x240
[ 33.344820] ? compat_packet_setsockopt+0x140/0x140
[ 33.349813] ? copy_msghdr_from_user+0x218/0x3b0
[ 33.354547] ? kernel_recvmsg+0x210/0x210
[ 33.358672] ? security_socket_sendmsg+0x83/0xb0
[ 33.363413] ? compat_packet_setsockopt+0x140/0x140
[ 33.368418] sock_sendmsg+0xb5/0x100
[ 33.372116] ___sys_sendmsg+0x6c8/0x800
[ 33.376068] ? copy_msghdr_from_user+0x3b0/0x3b0
[ 33.380806] ? reacquire_held_locks+0xb5/0x3f0
[ 33.385364] ? release_sock+0x1b/0x1b0
[ 33.389232] ? lock_sock_nested+0x98/0x100
[ 33.393442] ? packet_do_bind+0x3ee/0xb30
[ 33.397566] ? lock_downgrade+0x740/0x740
[ 33.401696] ? __local_bh_enable_ip+0xc1/0x170
[ 33.406253] ? trace_hardirqs_on_caller+0x3a8/0x580
[ 33.411262] ? packet_do_bind+0x3ee/0xb30
[ 33.415471] ? __local_bh_enable_ip+0xc1/0x170
[ 33.420120] ? packet_do_bind+0x3ee/0xb30
[ 33.424261] ? __fdget+0x167/0x1f0
[ 33.427776] ? sockfd_lookup_light+0xb2/0x160
[ 33.432244] __sys_sendmsg+0xa3/0x120
[ 33.436023] ? SyS_shutdown+0x160/0x160
[ 33.439979] SyS_sendmsg+0x27/0x40
[ 33.443496] ? __sys_sendmsg+0x120/0x120
[ 33.447532] do_syscall_64+0x1d5/0x640
[ 33.451398] entry_SYSCALL_64_after_hwframe+0x5e/0xd3
[ 33.456564]
[ 33.458166] Allocated by task 7977:
[ 33.461770] kasan_kmalloc+0xeb/0x160
[ 33.465550] __kmalloc_node_track_caller+0x4c/0x70
[ 33.470552] __alloc_skb+0x96/0x510
[ 33.474153] alloc_skb_with_frags+0x85/0x500
[ 33.478534] sock_alloc_send_pskb+0x577/0x6d0
[ 33.483003] packet_snd+0x4f7/0x26f0
[ 33.486716] packet_sendmsg+0x12ed/0x33a0
[ 33.490842] sock_sendmsg+0xb5/0x100
[ 33.494529] ___sys_sendmsg+0x6c8/0x800
[ 33.498475] __sys_sendmsg+0xa3/0x120
[ 33.502249] SyS_sendmsg+0x27/0x40
[ 33.505762] do_syscall_64+0x1d5/0x640
[ 33.509625] entry_SYSCALL_64_after_hwframe+0x5e/0xd3
[ 33.514784]
[ 33.516388] Freed by task 7977:
[ 33.519649] kasan_slab_free+0xc3/0x1a0
[ 33.523843] kfree+0xc9/0x250
[ 33.526943] pskb_expand_head+0x895/0xd30
[ 33.531070] __pskb_pull_tail+0xd9/0x14a0
[ 33.535197] ip_tunnel_xmit+0x1405/0x33e0
[ 33.539322] ipgre_xmit+0x412/0x780
[ 33.542938] dev_hard_start_xmit+0x188/0x890
[ 33.547320] __dev_queue_xmit+0x1d7f/0x2480
[ 33.551616] packet_snd+0x13aa/0x26f0
[ 33.555391] packet_sendmsg+0x12ed/0x33a0
[ 33.559515] sock_sendmsg+0xb5/0x100
[ 33.563207] ___sys_sendmsg+0x6c8/0x800
[ 33.567156] __sys_sendmsg+0xa3/0x120
[ 33.570932] SyS_sendmsg+0x27/0x40
[ 33.574447] do_syscall_64+0x1d5/0x640
[ 33.578326] entry_SYSCALL_64_after_hwframe+0x5e/0xd3
[ 33.583495]
[ 33.585103] The buggy address belongs to the object at ffff8880abbbd800
[ 33.585103]  which belongs to the cache kmalloc-512 of size 512
[ 33.597734] The buggy address is located 176 bytes inside of
[ 33.597734]  512-byte region [ffff8880abbbd800, ffff8880abbbda00)
[ 33.609578] The buggy address belongs to the page:
[ 33.614752] page:ffffea0002aeef40 count:1 mapcount:0 mapping:ffff8880abbbd080 index:0x0
[ 33.622878] flags: 0xfff00000000100(slab)
[ 33.627015] raw: 00fff00000000100 ffff8880abbbd080 0000000000000000 0000000100000006
[ 33.635753] raw: ffffea0002b1d320 ffffea0002ab6260 ffff88813fe74940 0000000000000000
[ 33.643751] page dumped because: kasan: bad access detected
[ 33.649466]
[ 33.651086] Memory state around the buggy address:
[ 33.655999]  ffff8880abbbd780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 33.663343]  ffff8880abbbd800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 33.671538] >ffff8880abbbd880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 33.678965]                                     ^
[ 33.683876]  ffff8880abbbd900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 33.691210]  ffff8880abbbd980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 33.698546] ==================================================================
[ 33.705893] Disabling lock debugging due to kernel taint
[ 33.711366] Kernel panic - not syncing: panic_on_warn set ...
[ 33.711366]
[ 33.718806] CPU: 0 PID: 7977 Comm: syz-executor339 Tainted: G B 4.14.298-syzkaller #0
[ 33.727902] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
[ 33.737336] Call Trace:
[ 33.739915] dump_stack+0x1b2/0x281
[ 33.743532] panic+0x1f9/0x42d
[ 33.746711] ? add_taint.cold+0x16/0x16
[ 33.750684] kasan_end_report+0x43/0x49
[ 33.754631] kasan_report_error.cold+0xa7/0x191
[ 33.759274] ? ip_tunnel_xmit+0x24b4/0x33e0
[ 33.763570] __asan_report_load4_noabort+0x68/0x70
[ 33.768472] ? kasan_unpoison_task_stack+0x20/0x30
[ 33.773371] ? ip_tunnel_xmit+0x24b4/0x33e0
[ 33.777662] ip_tunnel_xmit+0x24b4/0x33e0
[ 33.782135] ? ip_md_tunnel_xmit+0x1060/0x1060
[ 33.786701] ? trace_hardirqs_on+0x10/0x10
[ 33.790908] ? trace_hardirqs_on_caller+0x4c0/0x580
[ 33.795894] ? skb_crc32c_csum_help+0x70/0x70
[ 33.800361] ? skb_push+0x9d/0xc0
[ 33.803788] ? __gre_xmit+0x42f/0x7b0
[ 33.807572] ipgre_xmit+0x412/0x780
[ 33.811183] dev_hard_start_xmit+0x188/0x890
[ 33.815570] __dev_queue_xmit+0x1d7f/0x2480
[ 33.819870] ? netdev_pick_tx+0x2e0/0x2e0
[ 33.824002] ? __pskb_pull_tail+0xb54/0x14a0
[ 33.828387] ? skb_copy_datagram_from_iter+0x3c1/0x5f0
[ 33.833643] ? skb_partial_csum_set+0x1e2/0x260
[ 33.838287] packet_snd+0x13aa/0x26f0
[ 33.842062] ? prb_retire_rx_blk_timer_expired+0x630/0x630
[ 33.847658] ? get_user_pages_unlocked+0x70/0x2e0
[ 33.853257] ? lock_acquire+0x170/0x3f0
[ 33.857202] ? lock_downgrade+0x740/0x740
[ 33.861324] packet_sendmsg+0x12ed/0x33a0
[ 33.865443] ? __might_fault+0x177/0x1b0
[ 33.869487] ? rw_copy_check_uvector+0x1dd/0x2b0
[ 33.874218] ? import_iovec+0x1df/0x360
[ 33.878168] ? dup_iter+0x240/0x240
[ 33.881770] ? compat_packet_setsockopt+0x140/0x140
[ 33.886848] ? copy_msghdr_from_user+0x218/0x3b0
[ 33.891585] ? kernel_recvmsg+0x210/0x210
[ 33.895708] ? security_socket_sendmsg+0x83/0xb0
[ 33.900436] ? compat_packet_setsockopt+0x140/0x140
[ 33.905426] sock_sendmsg+0xb5/0x100
[ 33.909111] ___sys_sendmsg+0x6c8/0x800
[ 33.913142] ? copy_msghdr_from_user+0x3b0/0x3b0
[ 33.917965] ? reacquire_held_locks+0xb5/0x3f0
[ 33.922519] ? release_sock+0x1b/0x1b0
[ 33.926380] ? lock_sock_nested+0x98/0x100
[ 33.930588] ? packet_do_bind+0x3ee/0xb30
[ 33.934787] ? lock_downgrade+0x740/0x740
[ 33.938912] ? __local_bh_enable_ip+0xc1/0x170
[ 33.943471] ? trace_hardirqs_on_caller+0x3a8/0x580
[ 33.948458] ? packet_do_bind+0x3ee/0xb30
[ 33.952580] ? __local_bh_enable_ip+0xc1/0x170
[ 33.957135] ? packet_do_bind+0x3ee/0xb30
[ 33.961254] ? __fdget+0x167/0x1f0
[ 33.964766] ? sockfd_lookup_light+0xb2/0x160
[ 33.969237] __sys_sendmsg+0xa3/0x120
[ 33.973035] ? SyS_shutdown+0x160/0x160
[ 33.977012] SyS_sendmsg+0x27/0x40
[ 33.980551] ? __sys_sendmsg+0x120/0x120
[ 33.984605] do_syscall_64+0x1d5/0x640
[ 33.988562] entry_SYSCALL_64_after_hwframe+0x5e/0xd3
[ 33.993979] Kernel Offset: disabled
[ 33.997586] Rebooting in 86400 seconds..