[ 417.068287] batman_adv: batadv0: Interface deactivated: batadv_slave_0
[ 417.078931] batman_adv: batadv0: Removing interface: batadv_slave_0
[ 417.094135] batman_adv: batadv0: Interface deactivated: batadv_slave_1
[ 417.104766] batman_adv: batadv0: Removing interface: batadv_slave_1
[ 417.126625] device bridge_slave_1 left promiscuous mode
[ 417.132463] bridge0: port 2(bridge_slave_1) entered disabled state
[ 417.139409] device bridge_slave_0 left promiscuous mode
[ 417.144946] bridge0: port 1(bridge_slave_0) entered disabled state
[ 417.171670] device veth1_macvtap left promiscuous mode
[ 417.177079] device veth0_macvtap left promiscuous mode
[ 417.182582] device veth1_vlan left promiscuous mode
[ 417.187649] device veth0_vlan left promiscuous mode
[ 428.339281] device hsr_slave_1 left promiscuous mode
[ 428.348480] device hsr_slave_0 left promiscuous mode
[ 428.377340] team0 (unregistering): Port device team_slave_1 removed
[ 428.394598] team0 (unregistering): Port device team_slave_0 removed
[ 428.411554] bond0 (unregistering): Releasing backup interface bond_slave_1
[ 428.428035] bond0 (unregistering): Releasing backup interface bond_slave_0
Warning: Permanently added '10.128.10.13' (ECDSA) to the list of known hosts.
[ 428.507797] bond0 (unregistering): Released all slaves
[ 428.718603] nla_parse: 59 callbacks suppressed
[ 428.718608] netlink: 24 bytes leftover after parsing attributes in process `syz-executor330'.
[ 428.758430] netlink: 24 bytes leftover after parsing attributes in process `syz-executor330'.
[ 428.792201] netlink: 24 bytes leftover after parsing attributes in process `syz-executor330'.
[ 428.828732] netlink: 24 bytes leftover after parsing attributes in process `syz-executor330'.
[ 428.864787] netlink: 24 bytes leftover after parsing attributes in process `syz-executor330'.
[ 428.912563] netlink: 24 bytes leftover after parsing attributes in process `syz-executor330'.
[ 429.144789] netlink: 24 bytes leftover after parsing attributes in process `syz-executor330'.
[ 429.453860] netlink: 24 bytes leftover after parsing attributes in process `syz-executor330'.
[ 429.512358] netlink: 24 bytes leftover after parsing attributes in process `syz-executor330'.
[ 429.553754] netlink: 24 bytes leftover after parsing attributes in process `syz-executor330'.
[ 434.019477] nla_parse: 41 callbacks suppressed
[ 434.019481] netlink: 24 bytes leftover after parsing attributes in process `syz-executor330'.
[ 434.139441] netlink: 24 bytes leftover after parsing attributes in process `syz-executor330'.
[ 434.201668] netlink: 24 bytes leftover after parsing attributes in process `syz-executor330'.
[ 434.243972] netlink: 24 bytes leftover after parsing attributes in process `syz-executor330'.
[ 434.302178] netlink: 24 bytes leftover after parsing attributes in process `syz-executor330'.
[ 434.347383] netlink: 24 bytes leftover after parsing attributes in process `syz-executor330'.
[ 434.532264] netlink: 24 bytes leftover after parsing attributes in process `syz-executor330'.
[ 434.636985] netlink: 24 bytes leftover after parsing attributes in process `syz-executor330'.
[ 434.764026] netlink: 24 bytes leftover after parsing attributes in process `syz-executor330'.
[ 434.896684] netlink: 24 bytes leftover after parsing attributes in process `syz-executor330'.
[ 439.258325] nla_parse: 42 callbacks suppressed
[ 439.258330] netlink: 24 bytes leftover after parsing attributes in process `syz-executor330'.
[ 439.345067] netlink: 24 bytes leftover after parsing attributes in process `syz-executor330'.
[ 439.378502] netlink: 24 bytes leftover after parsing attributes in process `syz-executor330'.
[ 439.407717] netlink: 24 bytes leftover after parsing attributes in process `syz-executor330'.
[ 439.550359] netlink: 24 bytes leftover after parsing attributes in process `syz-executor330'.
[ 439.904595] netlink: 24 bytes leftover after parsing attributes in process `syz-executor330'.
[ 439.974135] netlink: 24 bytes leftover after parsing attributes in process `syz-executor330'.
[ 440.003030] netlink: 24 bytes leftover after parsing attributes in process `syz-executor330'.
[ 440.034261] netlink: 24 bytes leftover after parsing attributes in process `syz-executor330'.
[ 440.064125] netlink: 24 bytes leftover after parsing attributes in process `syz-executor330'.
[ 444.293734] nla_parse: 38 callbacks suppressed
[ 444.293738] netlink: 24 bytes leftover after parsing attributes in process `syz-executor330'.
[ 444.406742] netlink: 24 bytes leftover after parsing attributes in process `syz-executor330'.
[ 444.442234] netlink: 24 bytes leftover after parsing attributes in process `syz-executor330'.
[ 444.481766] netlink: 24 bytes leftover after parsing attributes in process `syz-executor330'.
[ 444.597167] netlink: 24 bytes leftover after parsing attributes in process `syz-executor330'.
[ 444.994369] netlink: 24 bytes leftover after parsing attributes in process `syz-executor330'.
[ 445.093795] netlink: 24 bytes leftover after parsing attributes in process `syz-executor330'.
[ 445.134853] netlink: 24 bytes leftover after parsing attributes in process `syz-executor330'.
[ 445.173044] netlink: 24 bytes leftover after parsing attributes in process `syz-executor330'.
[ 445.224465] netlink: 24 bytes leftover after parsing attributes in process `syz-executor330'.
[ 449.545408] nla_parse: 37 callbacks suppressed
[ 449.545413] netlink: 24 bytes leftover after parsing attributes in process `syz-executor330'.
[ 449.644224] netlink: 24 bytes leftover after parsing attributes in process `syz-executor330'.
[ 449.673062] netlink: 24 bytes leftover after parsing attributes in process `syz-executor330'.
[ 449.707040] netlink: 24 bytes leftover after parsing attributes in process `syz-executor330'.
[ 449.741655] netlink: 24 bytes leftover after parsing attributes in process `syz-executor330'.
[ 449.833288] netlink: 24 bytes leftover after parsing attributes in process `syz-executor330'.
[ 450.248272] netlink: 24 bytes leftover after parsing attributes in process `syz-executor330'.
[ 450.320922] netlink: 24 bytes leftover after parsing attributes in process `syz-executor330'.
[ 450.356375] netlink: 24 bytes leftover after parsing attributes in process `syz-executor330'.
[ 450.391553] netlink: 24 bytes leftover after parsing attributes in process `syz-executor330'.
[ 454.596186] nla_parse: 39 callbacks suppressed
[ 454.596190] netlink: 24 bytes leftover after parsing attributes in process `syz-executor330'.
[ 454.847380] netlink: 24 bytes leftover after parsing attributes in process `syz-executor330'.
[ 454.901512] netlink: 24 bytes leftover after parsing attributes in process `syz-executor330'.
[ 454.936514] netlink: 24 bytes leftover after parsing attributes in process `syz-executor330'.
[ 454.971752] netlink: 24 bytes leftover after parsing attributes in process `syz-executor330'.
[ 455.014352] netlink: 24 bytes leftover after parsing attributes in process `syz-executor330'.
[ 455.114947] netlink: 24 bytes leftover after parsing attributes in process `syz-executor330'.
[ 455.496082] netlink: 24 bytes leftover after parsing attributes in process `syz-executor330'.
[ 455.568494] netlink: 24 bytes leftover after parsing attributes in process `syz-executor330'.
[ 455.616518] netlink: 24 bytes leftover after parsing attributes in process `syz-executor330'.
[ 459.698523] nla_parse: 41 callbacks suppressed
[ 459.698527] netlink: 24 bytes leftover after parsing attributes in process `syz-executor330'.
[ 459.897610] netlink: 24 bytes leftover after parsing attributes in process `syz-executor330'.
[ 460.033616] netlink: 24 bytes leftover after parsing attributes in process `syz-executor330'.
[ 460.238143] netlink: 24 bytes leftover after parsing attributes in process `syz-executor330'.
[ 460.372119] netlink: 24 bytes leftover after parsing attributes in process `syz-executor330'.
[ 460.431679] netlink: 24 bytes leftover after parsing attributes in process `syz-executor330'.
[ 460.496503] netlink: 24 bytes leftover after parsing attributes in process `syz-executor330'.
[ 460.656764] netlink: 24 bytes leftover after parsing attributes in process `syz-executor330'.
[ 460.728559] netlink: 24 bytes leftover after parsing attributes in process `syz-executor330'.
[ 460.982775] netlink: 24 bytes leftover after parsing attributes in process `syz-executor330'.
[ 464.753910] nla_parse: 36 callbacks suppressed
[ 464.753914] netlink: 24 bytes leftover after parsing attributes in process `syz-executor330'.
[ 464.906064] netlink: 24 bytes leftover after parsing attributes in process `syz-executor330'.
[ 464.950075] netlink: 24 bytes leftover after parsing attributes in process `syz-executor330'.
[ 464.985596] netlink: 24 bytes leftover after parsing attributes in process `syz-executor330'.
[ 465.034245] netlink: 24 bytes leftover after parsing attributes in process `syz-executor330'.
[ 465.134433] netlink: 24 bytes leftover after parsing attributes in process `syz-executor330'.
[ 465.426827] netlink: 24 bytes leftover after parsing attributes in process `syz-executor330'.
[ 465.573038] netlink: 24 bytes leftover after parsing attributes in process `syz-executor330'.
[ 465.605766] netlink: 24 bytes leftover after parsing attributes in process `syz-executor330'.
[ 465.638335] netlink: 24 bytes leftover after parsing attributes in process `syz-executor330'.
[ 468.245746] ==================================================================
[ 468.253295] BUG: KASAN: use-after-free in rht_deferred_worker+0x116a/0x1610
[ 468.260398] Read of size 8 at addr ffff8880388add00 by task kworker/1:1/4076
[ 468.267647]
[ 468.269252] CPU: 1 PID: 4076 Comm: kworker/1:1 Not tainted 4.14.228-syzkaller #0
[ 468.276757] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 468.286097] Workqueue: events rht_deferred_worker
[ 468.290913] Call Trace:
[ 468.293477] dump_stack+0x14b/0x1e7
[ 468.297095] ? rht_deferred_worker+0x116a/0x1610
[ 468.301839] print_address_description.cold.6+0x9/0x1ca
[ 468.307185] ? rht_deferred_worker+0x116a/0x1610
[ 468.311924] kasan_report.cold.7+0x11a/0x2d3
[ 468.317444] __asan_report_load8_noabort+0x14/0x20
[ 468.322349] rht_deferred_worker+0x116a/0x1610
[ 468.326911] process_one_work+0x74f/0x1620
[ 468.331123] ? pwq_dec_nr_in_flight+0x2b0/0x2b0
[ 468.335770] worker_thread+0xcc/0xee0
[ 468.339551] kthread+0x338/0x400
[ 468.342905] ? process_one_work+0x1620/0x1620
[ 468.347372] ? kthread_create_on_node+0xa0/0xa0
[ 468.352016] ret_from_fork+0x24/0x30
[ 468.355707]
[ 468.357311] Allocated by task 20870:
[ 468.361000] save_stack_trace+0x16/0x20
[ 468.364947] kasan_kmalloc.part.1+0x62/0xf0
[ 468.369253] kasan_kmalloc+0xaf/0xc0
[ 468.372969] kmem_cache_alloc_trace+0x152/0x3f0
[ 468.377699] fl_change+0x32a/0x4820
[ 468.381298] tc_ctl_tfilter+0x1141/0x1b20
[ 468.385506] rtnetlink_rcv_msg+0x34c/0x9e0
[ 468.389716] netlink_rcv_skb+0x12f/0x3b0
[ 468.393751] rtnetlink_rcv+0x10/0x20
[ 468.397441] netlink_unicast+0x40b/0x610
[ 468.401473] netlink_sendmsg+0x639/0xbe0
[ 468.405507] sock_sendmsg+0xac/0xf0
[ 468.409107] ___sys_sendmsg+0x282/0x920
[ 468.413065] __sys_sendmmsg+0x126/0x300
[ 468.417011] SyS_sendmmsg+0xd/0x20
[ 468.420525] do_syscall_64+0x1c7/0x5b0
[ 468.424396] entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 468.429570]
[ 468.431170] Freed by task 7315:
[ 468.434530] save_stack_trace+0x16/0x20
[ 468.438479] kasan_slab_free+0xab/0x190
[ 468.442773] kfree+0xcc/0x270
[ 468.445849] __fl_destroy_filter+0x4c/0x70
[ 468.450055] fl_destroy_filter_work+0x19/0x30
[ 468.454525] process_one_work+0x74f/0x1620
[ 468.458744] worker_thread+0xcc/0xee0
[ 468.462518] kthread+0x338/0x400
[ 468.465858] ret_from_fork+0x24/0x30
[ 468.469542]
[ 468.471143] The buggy address belongs to the object at ffff8880388add00
[ 468.471143] which belongs to the cache kmalloc-512 of size 512
[ 468.483857] The buggy address is located 0 bytes inside of
[ 468.483857] 512-byte region [ffff8880388add00, ffff8880388adf00)
[ 468.496397] The buggy address belongs to the page:
[ 468.501307] page:ffffea0000e22b40 count:1 mapcount:0 mapping:ffff8880388ad080 index:0x0
[ 468.509422] flags: 0xfff00000000100(slab)
[ 468.513544] raw: 00fff00000000100 ffff8880388ad080 0000000000000000 0000000100000006
[ 468.521399] raw: ffffea0000860060 ffffea000052b520 ffff88813fe60940 0000000000000000
[ 468.529261] page dumped because: kasan: bad access detected
[ 468.535560]
[ 468.537161] Memory state around the buggy address:
[ 468.542062] ffff8880388adc00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 468.549393] ffff8880388adc80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 468.556724] >ffff8880388add00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 468.564145] ^
[ 468.567485] ffff8880388add80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 468.574829] ffff8880388ade00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 468.582160] ==================================================================
[ 468.589667] Disabling lock debugging due to kernel taint
[ 468.595149] Kernel panic - not syncing: panic_on_warn set ...
[ 468.595149]
[ 468.602506] CPU: 1 PID: 4076 Comm: kworker/1:1 Tainted: G B 4.14.228-syzkaller #0
[ 468.611515] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 468.621485] Workqueue: events rht_deferred_worker
[ 468.626506] Call Trace:
[ 468.629092] dump_stack+0x14b/0x1e7
[ 468.632895] ? rht_deferred_worker+0x116a/0x1610
[ 468.638517] panic+0x1b0/0x358
[ 468.641708] ? add_taint.cold.4+0x11/0x11
[ 468.645857] ? rht_deferred_worker+0x116a/0x1610
[ 468.650645] kasan_end_report+0x47/0x4f
[ 468.654699] kasan_report.cold.7+0x76/0x2d3
[ 468.659021] __asan_report_load8_noabort+0x14/0x20
[ 468.664553] rht_deferred_worker+0x116a/0x1610
[ 468.669131] process_one_work+0x74f/0x1620
[ 468.673968] ? pwq_dec_nr_in_flight+0x2b0/0x2b0
[ 468.678899] worker_thread+0xcc/0xee0
[ 468.682784] kthread+0x338/0x400
[ 468.686145] ? process_one_work+0x1620/0x1620
[ 468.690633] ? kthread_create_on_node+0xa0/0xa0
[ 468.695311] ret_from_fork+0x24/0x30
[ 468.699577] Kernel Offset: disabled
[ 468.703189] Rebooting in 86400 seconds..