[ 61.613063][ T7619] batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems!
[ 61.622998][ T7619] batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3e) already exists on: batadv_slave_1
[ 61.633666][ T7619] batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems!
[ 61.643786][ T7619] batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3e) already exists on: batadv_slave_1
[ 61.654417][ T7619] batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems!
[ 61.665826][ T7619] batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3e) already exists on: batadv_slave_1
[ 61.676631][ T7619] batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems!
[ 61.687833][ T7619] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 61.707802][ T7662] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready
[ 61.716509][ T7662] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 477.540809][ T7609] syz-executor.2 (7609) used greatest stack depth: 23504 bytes left
Warning: Permanently added '10.128.10.48' (ECDSA) to the list of known hosts.
[ 478.333876][ T2625] batman_adv: batadv0: Interface deactivated: batadv_slave_0
[ 478.342340][ T2625] batman_adv: batadv0: Removing interface: batadv_slave_0
[ 478.351642][ T2625] batman_adv: batadv0: Interface deactivated: batadv_slave_1
[ 478.359259][ T2625] batman_adv: batadv0: Removing interface: batadv_slave_1
[ 478.368702][ T2625] device bridge_slave_1 left promiscuous mode
[ 478.375249][ T2625] bridge0: port 2(bridge_slave_1) entered disabled state
[ 478.431786][ T2625] device bridge_slave_0 left promiscuous mode
[ 478.438120][ T2625] bridge0: port 1(bridge_slave_0) entered disabled state
[ 478.492908][ T2625] device veth1_macvtap left promiscuous mode
[ 478.499394][ T2625] device veth0_macvtap left promiscuous mode
[ 478.505421][ T2625] device veth1_vlan left promiscuous mode
[ 478.511629][ T2625] device veth0_vlan left promiscuous mode
[ 480.860732][ T2625] device hsr_slave_1 left promiscuous mode
[ 480.910003][ T2625] device hsr_slave_0 left promiscuous mode
[ 480.967597][ T2625] team0 (unregistering): Port device team_slave_1 removed
[ 480.978620][ T2625] team0 (unregistering): Port device team_slave_0 removed
[ 480.989441][ T2625] bond0 (unregistering): Releasing backup interface bond_slave_1
[ 481.041077][ T2625] bond0 (unregistering): Releasing backup interface bond_slave_0
[ 481.107534][ T2625] bond0 (unregistering): Released all slaves
[ 486.932634][ T2625] batman_adv: batadv0: Interface deactivated: batadv_slave_0
[ 486.942491][ T2625] batman_adv: batadv0: Removing interface: batadv_slave_0
[ 486.951928][ T2625] batman_adv: batadv0: Interface deactivated: batadv_slave_1
[ 486.960319][ T2625] batman_adv: batadv0: Removing interface: batadv_slave_1
[ 486.969641][ T2625] device bridge_slave_1 left promiscuous mode
[ 486.977095][ T2625] bridge0: port 2(bridge_slave_1) entered disabled state
[ 487.008249][ T2625] device bridge_slave_0 left promiscuous mode
[ 487.014762][ T2625] bridge0: port 1(bridge_slave_0) entered disabled state
[ 487.061988][ T2625] batman_adv: batadv0: Interface deactivated: batadv_slave_0
[ 487.070051][ T2625] batman_adv: batadv0: Removing interface: batadv_slave_0
[ 487.079392][ T2625] batman_adv: batadv0: Interface deactivated: batadv_slave_1
[ 487.089965][ T2625] batman_adv: batadv0: Removing interface: batadv_slave_1
[ 487.097961][ T7] ==================================================================
[ 487.106732][ T7] BUG: KASAN: use-after-free in batadv_iv_ogm_schedule+0xd63/0xe90
[ 487.115086][ T7] Write of size 2 at addr ffff888098c2b816 by task kworker/u4:0/7
[ 487.123354][ T7]
[ 487.126004][ T7] CPU: 1 PID: 7 Comm: kworker/u4:0 Not tainted 5.2.0-rc6-syzkaller #0
[ 487.134495][ T7] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 487.145226][ T7] Workqueue: bat_events batadv_iv_send_outstanding_bat_ogm_packet
[ 487.153027][ T7] Call Trace:
[ 487.156399][ T7] dump_stack+0x113/0x167
[ 487.160732][ T7] print_address_description.cold.5+0x9/0x1ff
[ 487.166970][ T7] ? batadv_iv_ogm_schedule+0xd63/0xe90
[ 487.172876][ T7] __kasan_report.cold.6+0x1b/0x39
[ 487.177973][ T7] ? batadv_iv_ogm_schedule+0xd63/0xe90
[ 487.183531][ T7] ? batadv_iv_ogm_schedule+0xd63/0xe90
[ 487.189070][ T7] kasan_report+0x12/0x20
[ 487.193606][ T7] __asan_report_store2_noabort+0x17/0x20
[ 487.199337][ T7] batadv_iv_ogm_schedule+0xd63/0xe90
[ 487.204806][ T7] ? find_held_lock+0x36/0x1d0
[ 487.209764][ T7] ? batadv_iv_ogm_orig_dump+0xbd0/0xbd0
[ 487.215407][ T7] ? debug_object_deactivate+0x214/0x340
[ 487.221055][ T7] batadv_iv_send_outstanding_bat_ogm_packet+0x4a2/0x790
[ 487.228380][ T7] process_one_work+0x830/0x16a0
[ 487.233450][ T7] ? pwq_dec_nr_in_flight+0x2c0/0x2c0
[ 487.238815][ T7] ? lock_acquire+0x173/0x3d0
[ 487.243487][ T7] worker_thread+0x85/0xb60
[ 487.247973][ T7] ? __kthread_parkme+0x47/0x190
[ 487.253033][ T7] kthread+0x324/0x3e0
[ 487.257078][ T7] ? process_one_work+0x16a0/0x16a0
[ 487.262275][ T7] ? kthread_cancel_delayed_work_sync+0x10/0x10
[ 487.268558][ T7] ret_from_fork+0x24/0x30
[ 487.272969][ T7]
[ 487.275307][ T7] Allocated by task 7611:
[ 487.279747][ T7] save_stack+0x21/0x90
[ 487.283959][ T7] __kasan_kmalloc.constprop.12+0xc7/0xd0
[ 487.289668][ T7] kasan_kmalloc+0x9/0x10
[ 487.293986][ T7] kmem_cache_alloc_trace+0x154/0x740
[ 487.299488][ T7] batadv_iv_ogm_iface_enable+0x11c/0x370
[ 487.305246][ T7] batadv_hardif_enable_interface+0x20d/0x8f0
[ 487.311308][ T7] batadv_softif_slave_add+0x7f/0xd0
[ 487.316968][ T7] do_set_master+0x171/0x200
[ 487.321635][ T7] do_setlink+0x95a/0x2db0
[ 487.326073][ T7] __rtnl_newlink+0xa57/0x13f0
[ 487.330817][ T7] rtnl_newlink+0x61/0x90
[ 487.336610][ T7] rtnetlink_rcv_msg+0x34f/0x8f0
[ 487.341836][ T7] netlink_rcv_skb+0x13c/0x380
[ 487.347633][ T7] rtnetlink_rcv+0x10/0x20
[ 487.352161][ T7] netlink_unicast+0x43b/0x640
[ 487.356900][ T7] netlink_sendmsg+0x765/0xc40
[ 487.361701][ T7] sock_sendmsg+0xb5/0xf0
[ 487.366017][ T7] __sys_sendto+0x1f2/0x2e0
[ 487.370658][ T7] __ia32_compat_sys_socketcall+0x473/0x610
[ 487.376553][ T7] do_fast_syscall_32+0x235/0xb05
[ 487.381579][ T7] entry_SYSENTER_compat+0x70/0x7f
[ 487.386752][ T7]
[ 487.389079][ T7] Freed by task 2625:
[ 487.393109][ T7] save_stack+0x21/0x90
[ 487.397321][ T7] __kasan_slab_free+0x102/0x150
[ 487.402264][ T7] kasan_slab_free+0xe/0x10
[ 487.406859][ T7] kfree+0xcf/0x220
[ 487.410657][ T7] batadv_iv_ogm_iface_disable+0x34/0x70
[ 487.416276][ T7] batadv_hardif_disable_interface.cold.23+0x5a8/0xc32
[ 487.423116][ T7] batadv_softif_destroy_netlink+0x98/0x110
[ 487.429111][ T7] default_device_exit_batch+0x239/0x3d0
[ 487.434764][ T7] ops_exit_list.isra.5+0xd3/0x120
[ 487.440912][ T7] cleanup_net+0x363/0x850
[ 487.445678][ T7] process_one_work+0x830/0x16a0
[ 487.450660][ T7] worker_thread+0x85/0xb60
[ 487.455148][ T7] kthread+0x324/0x3e0
[ 487.459208][ T7] ret_from_fork+0x24/0x30
[ 487.463618][ T7]
[ 487.465976][ T7] The buggy address belongs to the object at ffff888098c2b800
[ 487.465976][ T7] which belongs to the cache kmalloc-32 of size 32
[ 487.480181][ T7] The buggy address is located 22 bytes inside of
[ 487.480181][ T7] 32-byte region [ffff888098c2b800, ffff888098c2b820)
[ 487.493278][ T7] The buggy address belongs to the page:
[ 487.498890][ T7] page:ffffea0002630ac0 refcount:1 mapcount:0 mapping:ffff8880aa4001c0 index:0xffff888098c2bfc1
[ 487.509289][ T7] flags: 0xfffe0000000200(slab)
[ 487.514122][ T7] raw: 00fffe0000000200 ffffea00027949c8 ffffea00026daf08 ffff8880aa4001c0
[ 487.522890][ T7] raw: ffff888098c2bfc1 ffff888098c2b000 000000010000003e 0000000000000000
[ 487.531546][ T7] page dumped because: kasan: bad access detected
[ 487.538102][ T7]
[ 487.540464][ T7] Memory state around the buggy address:
[ 487.546081][ T7]  ffff888098c2b700: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[ 487.554170][ T7]  ffff888098c2b780: 00 04 fc fc fc fc fc fc 00 03 fc fc fc fc fc fc
[ 487.562261][ T7] >ffff888098c2b800: fb fb fb fb fc fc fc fc 00 06 fc fc fc fc fc fc
[ 487.570381][ T7]                          ^
[ 487.575096][ T7]  ffff888098c2b880: 00 00 05 fc fc fc fc fc fb fb fb fb fc fc fc fc
[ 487.583149][ T7]  ffff888098c2b900: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc
[ 487.591365][ T7] ==================================================================
[ 487.599526][ T7] Disabling lock debugging due to kernel taint
[ 487.606967][ T7] Kernel panic - not syncing: panic_on_warn set ...
[ 487.613761][ T7] CPU: 1 PID: 7 Comm: kworker/u4:0 Tainted: G B 5.2.0-rc6-syzkaller #0
[ 487.623422][ T7] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 487.633629][ T7] Workqueue: bat_events batadv_iv_send_outstanding_bat_ogm_packet
[ 487.641625][ T7] Call Trace:
[ 487.644931][ T7] dump_stack+0x113/0x167
[ 487.649255][ T7] ? batadv_iv_ogm_schedule+0xd00/0xe90
[ 487.654973][ T7] panic+0x212/0x4cb
[ 487.658879][ T7] ? __warn_printk+0xd6/0xd6
[ 487.663466][ T7] ? ___preempt_schedule+0x16/0x18
[ 487.668587][ T7] ? batadv_iv_ogm_schedule+0xd63/0xe90
[ 487.674130][ T7] end_report+0x47/0x4f
[ 487.678283][ T7] __kasan_report.cold.6+0xe/0x39
[ 487.683317][ T7] ? batadv_iv_ogm_schedule+0xd63/0xe90
[ 487.688863][ T7] ? batadv_iv_ogm_schedule+0xd63/0xe90
[ 487.694394][ T7] kasan_report+0x12/0x20
[ 487.698722][ T7] __asan_report_store2_noabort+0x17/0x20
[ 487.704549][ T7] batadv_iv_ogm_schedule+0xd63/0xe90
[ 487.709953][ T7] ? find_held_lock+0x36/0x1d0
[ 487.714719][ T7] ? batadv_iv_ogm_orig_dump+0xbd0/0xbd0
[ 487.720349][ T7] ? debug_object_deactivate+0x214/0x340
[ 487.726045][ T7] batadv_iv_send_outstanding_bat_ogm_packet+0x4a2/0x790
[ 487.733100][ T7] process_one_work+0x830/0x16a0
[ 487.738042][ T7] ? pwq_dec_nr_in_flight+0x2c0/0x2c0
[ 487.743424][ T7] ? lock_acquire+0x173/0x3d0
[ 487.748111][ T7] worker_thread+0x85/0xb60
[ 487.752788][ T7] ? __kthread_parkme+0x47/0x190
[ 487.757739][ T7] kthread+0x324/0x3e0
[ 487.761887][ T7] ? process_one_work+0x16a0/0x16a0
[ 487.767181][ T7] ? kthread_cancel_delayed_work_sync+0x10/0x10
[ 487.773426][ T7] ret_from_fork+0x24/0x30
[ 487.779618][ T7] Kernel Offset: disabled
[ 487.784151][ T7] Rebooting in 86400 seconds..