wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
device bridge_slave_1 left promiscuous mode
bridge0: port 2(bridge_slave_1) entered disabled state
syz-executor.1 (8011) used greatest stack depth: 23176 bytes left
================================================================================
UBSAN: Undefined behaviour in net/bridge/br_private.h:586:29
load of value 5 is not a valid value for type '_Bool'
CPU: 1 PID: 3725 Comm: systemd-udevd Not tainted 4.19.148-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x22c/0x33e lib/dump_stack.c:118
 ubsan_epilogue+0xe/0x3a lib/ubsan.c:161
 __ubsan_handle_load_invalid_value.cold+0x63/0x6f lib/ubsan.c:454
 br_skb_isolated net/bridge/br_private.h:586 [inline]
 should_deliver net/bridge/br_forward.c:34 [inline]
 maybe_deliver.cold+0x15/0x34 net/bridge/br_forward.c:178
 br_flood+0x180/0x4f0 net/bridge/br_forward.c:226
 br_dev_xmit+0xdd0/0x1510 net/bridge/br_device.c:103
 __netdev_start_xmit include/linux/netdevice.h:4333 [inline]
 netdev_start_xmit include/linux/netdevice.h:4347 [inline]
 xmit_one net/core/dev.c:3256 [inline]
 dev_hard_start_xmit+0x1a8/0x960 net/core/dev.c:3272
 __dev_queue_xmit+0x276a/0x2ec0 net/core/dev.c:3838
wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50
 mrp_queue_xmit net/802/mrp.c:354 [inline]
 mrp_join_timer+0x8a/0xc0 net/802/mrp.c:598
 call_timer_fn+0x177/0x760 kernel/time/timer.c:1338
 expire_timers+0x243/0x500 kernel/time/timer.c:1375
 __run_timers kernel/time/timer.c:1703 [inline]
 run_timer_softirq+0x259/0x730 kernel/time/timer.c:1716
 __do_softirq+0x27d/0xad2 kernel/softirq.c:292
 invoke_softirq kernel/softirq.c:372 [inline]
 irq_exit+0x22d/0x270 kernel/softirq.c:412
 exiting_irq arch/x86/include/asm/apic.h:544 [inline]
 smp_apic_timer_interrupt+0x15f/0x5d0 arch/x86/kernel/apic/apic.c:1094
 apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:894
RIP: 0010:preempt_count arch/x86/include/asm/preempt.h:23 [inline]
RIP: 0010:check_kcov_mode kernel/kcov.c:67 [inline]
RIP: 0010:__sanitizer_cov_trace_pc+0xd/0x50 kernel/kcov.c:101
Code: 0b 41 bc f4 ff ff ff e8 40 7b e9 ff 48 c7 05 e6 fa bc 0b 00 00 00 00 e9 39 ec ff ff 90 48 8b 34 24 65 48 8b 04 25 40 ee 01 00 <65> 8b 15 dc 2a 90 7e 81 e2 00 01 1f 00 75 2b 8b 90 e0 12 00 00 83
RSP: 0000:ffff888090c37b20 EFLAGS: 00000246 ORIG_RAX: ffffffffffffff13
RAX: ffff888090c28380 RBX: ffff888090c37d48 RCX: ffffffff819d0402
RDX: 8000000000000025 RSI: ffffffff819cfaee RDI: 0000000000000006
RBP: ffffea00014f8d80 R08: 0000000000000001 R09: 8000000000000025
R10: 0000000000000006 R11: 0000000000000001 R12: ffff888090c5b880
R13: 8000000000000025 R14: 8000000000000025 R15: 0000000053e36000
 pfn_pte arch/x86/include/asm/pgtable.h:555 [inline]
 wp_page_copy+0x96e/0x2040 mm/memory.c:2542
 do_wp_page+0x2d4/0x2290 mm/memory.c:2799
 handle_pte_fault mm/memory.c:4057 [inline]
 __handle_mm_fault+0x25dc/0x4370 mm/memory.c:4165
 handle_mm_fault+0x489/0xb90 mm/memory.c:4202
 __do_page_fault+0x6d8/0xe00 arch/x86/mm/fault.c:1412
 page_fault+0x1e/0x30 arch/x86/entry/entry_64.S:1205
RIP: 0033:0x7f322db1b60e
Code: 15 17 05 32 00 31 c9 49 39 d7 4c 89 e2 0f 95 c1 48 83 ca 01 48 c1 e1 02 48 09 ca 49 89 56 08 48 89 da 48 83 ca 01 48 89 50 08 <48> 89 5d 00 e9 8d f9 ff ff 8b 3d 33 fb 31 00 48 8d 35 fa 94 0e 00
RSP: 002b:00007fff3c108af0 EFLAGS: 00010206
RAX: 000055aa5e30bd30 RBX: 00000000000004b0 RCX: 0000000000000000
RDX: 00000000000004b1 RSI: 000000008cb4be00 RDI: 0000000000000002
RBP: 000055aa5e30c1e0 R08: 00007f322de3bfd8 R09: 00000000000001a0
R10: 0000000000000075 R11: 00007f322dbff184 R12: 00000000000001a0
R13: 00007f322de3bb58 R14: 000055aa5e30bb90 R15: 00007f322de3bb00
================================================================================
device bridge_slave_0 left promiscuous mode
bridge0: port 1(bridge_slave_0) entered disabled state
IPv6: ADDRCONF(NETDEV_CHANGE): wlan0: link becomes ready
IPv6: ADDRCONF(NETDEV_UP): wlan1: link is not ready
IPv6: ADDRCONF(NETDEV_UP): wlan1: link is not ready
wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50
IPv6: ADDRCONF(NETDEV_CHANGE): wlan1: link becomes ready
wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50
IPv6: ADDRCONF(NETDEV_CHANGE): wlan1: link becomes ready
netlink: 24 bytes leftover after parsing attributes in process `syz-executor.2'.
L1TF CPU bug present and SMT on, data leak possible. See CVE-2018-3646 and https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/l1tf.html for details.
nf_conntrack: default automatic helper assignment has been turned off for security reasons and CT-based firewall rule not found. Use the iptables CT target to attach helpers instead.
netlink: 24 bytes leftover after parsing attributes in process `syz-executor.0'.
netlink: 24 bytes leftover after parsing attributes in process `syz-executor.2'.
netlink: 24 bytes leftover after parsing attributes in process `syz-executor.0'.
syz-executor.0 (8096) used greatest stack depth: 23008 bytes left
netlink: 24 bytes leftover after parsing attributes in process `syz-executor.2'.
netlink: 24 bytes leftover after parsing attributes in process `syz-executor.0'.
device bond_slave_0 entered promiscuous mode
device bond_slave_1 entered promiscuous mode
8021q: adding VLAN 0 to HW filter on device macvlan2
device bond_slave_0 left promiscuous mode
device bond_slave_1 left promiscuous mode
device bond_slave_0 entered promiscuous mode
device bond_slave_1 entered promiscuous mode
8021q: adding VLAN 0 to HW filter on device macvlan2
nla_parse: 2 callbacks suppressed
netlink: 20 bytes leftover after parsing attributes in process `syz-executor.4'.
device bond_slave_0 entered promiscuous mode
device bond_slave_1 entered promiscuous mode
8021q: adding VLAN 0 to HW filter on device macvlan2
device bond_slave_0 left promiscuous mode
device bond_slave_1 left promiscuous mode
audit: type=1804 audit(1601148776.926:10): pid=8246 uid=0 auid=0 ses=4 subj=system_u:system_r:kernel_t:s0 op=invalid_pcr cause=open_writers comm="syz-executor.1" name="/root/syzkaller-testdir270048949/syzkaller.RQrsKY/9/cgroup.controllers" dev="sda1" ino=15770 res=1
8021q: adding VLAN 0 to HW filter on device macvlan3
netlink: 24 bytes leftover after parsing attributes in process `syz-executor.2'.
netlink: 20 bytes leftover after parsing attributes in process `syz-executor.0'.
netlink: 20 bytes leftover after parsing attributes in process `syz-executor.0'.
device bond_slave_0 entered promiscuous mode
device bond_slave_1 entered promiscuous mode
8021q: adding VLAN 0 to HW filter on device macvlan2
device bond_slave_0 left promiscuous mode
device bond_slave_1 left promiscuous mode
netlink: 24 bytes leftover after parsing attributes in process `syz-executor.2'.
netlink: 24 bytes leftover after parsing attributes in process `syz-executor.2'.
audit: type=1804 audit(1601148780.976:11): pid=8527 uid=0 auid=0 ses=4 subj=system_u:system_r:kernel_t:s0 op=invalid_pcr cause=ToMToU comm="syz-executor.3" name="/root/syzkaller-testdir865627987/syzkaller.9AMc3q/34/file0" dev="sda1" ino=15801 res=1
binder: 8595:8604 ioctl 40086602 0 returned -22
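Added example, not part of the syzkaller report above: a stand-alone C model of the error class UBSAN flags in br_skb_isolated, a `_Bool` loaded from storage that holds a byte other than 0 or 1 (here the value 5). The struct and function names are hypothetical stand-ins, loosely modelled on the skb->cb scratch area that several layers overlay with their own control blocks; the program does not claim how the stale byte reached skb->cb in this report. It shows why such a read is undefined behaviour, a debug-build check that catches the bad byte the same way UBSAN does, and the clear-before-use pattern that removes it. Build with `cc -fsanitize=bool -g` to get the same UBSAN diagnostic from the unchecked read.

```c
/* Added example, not kernel code. Hypothetical names modelled on skb->cb. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CB_SIZE 48                   /* size of skb->cb in Linux */

struct packet {
    uint8_t cb[CB_SIZE];             /* scratch area shared by every layer */
};

/* Hypothetical bridge overlay; only the bool field matters for the demo. */
struct bridge_cb {
    void *brdev;
    int igmp;
    int mrouters_only;
    bool proxyarp_replied;
    bool src_port_isolated;          /* what a br_skb_isolated()-style check reads */
};
#define BRIDGE_CB(p) ((struct bridge_cb *)(p)->cb)

/* Hypothetical earlier user of the same bytes (e.g. a protocol timer path). */
struct other_cb {
    uint32_t state[CB_SIZE / 4];
};

/* Stage 1: a previous layer leaves its own state in the shared area. */
static void other_layer_fill(struct packet *p)
{
    struct other_cb *o = (struct other_cb *)p->cb;
    for (size_t i = 0; i < CB_SIZE / 4; i++)
        o->state[i] = 0x05050505u;   /* constructed: every byte becomes 5 */
}

/* Same rule UBSAN's -fsanitize=bool enforces: a _Bool object holds only 0 or 1.
 * Reads go through uint8_t*, a character-type access that is always defined. */
static int raw_byte_is_valid_bool(uint8_t b)
{
    return b == 0 || b == 1;
}

static int bridge_cb_bools_valid(const struct packet *p)
{
    const uint8_t *raw = p->cb;
    return raw_byte_is_valid_bool(raw[offsetof(struct bridge_cb, proxyarp_replied)]) &&
           raw_byte_is_valid_bool(raw[offsetof(struct bridge_cb, src_port_isolated)]);
}

/* Buggy pattern: trust a bool this layer never wrote. With a byte of 5 underneath
 * the load is undefined behaviour; -fsanitize=bool reports it at run time. */
static bool should_deliver_unchecked(const struct packet *p, bool port_isolated)
{
    return !(BRIDGE_CB(p)->src_port_isolated && port_isolated);
}

/* Hardened pattern: clear the private overlay before any field is trusted,
 * then set fields explicitly from known state. */
static void bridge_cb_init(struct packet *p, bool src_isolated)
{
    memset(p->cb, 0, sizeof(struct bridge_cb));
    BRIDGE_CB(p)->src_port_isolated = src_isolated;
}

/* Bridge isolation rule: two isolated ports never forward to each other. */
static bool should_deliver_checked(struct packet *p, bool src_isolated, bool port_isolated)
{
    bridge_cb_init(p, src_isolated);
    return !(BRIDGE_CB(p)->src_port_isolated && port_isolated);
}

int demo_stale_cb_is_invalid(void)
{
    struct packet p;
    other_layer_fill(&p);
    return !bridge_cb_bools_valid(&p);     /* 1: stale byte 5 is not a bool */
}

int demo_cleared_cb_is_valid(void)
{
    struct packet p;
    other_layer_fill(&p);
    bridge_cb_init(&p, false);
    return bridge_cb_bools_valid(&p);      /* 1: after memset only 0/1 remain */
}

int demo_isolation_rule(void)
{
    struct packet p;
    other_layer_fill(&p);
    int a = should_deliver_checked(&p, true, true) == false;   /* both isolated: drop */
    int b = should_deliver_checked(&p, true, false) == true;   /* dst not isolated */
    int c = should_deliver_checked(&p, false, true) == true;   /* src not isolated */
    return a && b && c;
}

int main(void)
{
    struct packet p;
    other_layer_fill(&p);
    printf("stale cb flagged:  %d\n", demo_stale_cb_is_invalid());
    printf("cleared cb valid:  %d\n", demo_cleared_cb_is_valid());
    printf("isolation rule ok: %d\n", demo_isolation_rule());
    /* Unspecified without -fsanitize=bool; with it UBSAN reports the bad load. */
    printf("unchecked read:    %d\n", should_deliver_unchecked(&p, true));
    return 0;
}
```

The check in bridge_cb_bools_valid is what UBSAN does for you when the kernel is built with CONFIG_UBSAN: it inspects the raw byte under the `_Bool` rather than the converted value, because once the compiler has treated the object as a bool it may have already assumed it was 0 or 1. The memset in bridge_cb_init is the fix shape for this class: clear the overlay at the entry to the layer that owns it, so nothing left behind by a previous user of the same bytes is ever interpreted as one of its own fields.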