[ 412.094793][T10368] netdevsim netdevsim3 netdevsim3 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0 [ 412.214068][T10368] netdevsim netdevsim3 netdevsim2 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0 [ 412.282064][T10368] netdevsim netdevsim3 netdevsim1 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0 [ 412.371537][T10368] netdevsim netdevsim3 netdevsim0 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0 [ 413.366758][T10368] device hsr_slave_0 left promiscuous mode [ 413.374493][T10368] device hsr_slave_1 left promiscuous mode [ 413.381980][T10368] batman_adv: batadv0: Interface deactivated: batadv_slave_0 [ 413.390633][T10368] batman_adv: batadv0: Removing interface: batadv_slave_0 [ 413.401000][T10368] batman_adv: batadv0: Interface deactivated: batadv_slave_1 [ 413.409999][T10368] batman_adv: batadv0: Removing interface: batadv_slave_1 [ 413.419505][T10368] device bridge_slave_1 left promiscuous mode [ 413.426013][T10368] bridge0: port 2(bridge_slave_1) entered disabled state [ 413.434390][T10368] device bridge_slave_0 left promiscuous mode [ 413.441135][T10368] bridge0: port 1(bridge_slave_0) entered disabled state [ 413.451166][T10368] device veth1_macvtap left promiscuous mode [ 413.458312][T10368] device veth0_macvtap left promiscuous mode [ 413.464989][T10368] device veth1_vlan left promiscuous mode [ 413.471277][T10368] device veth0_vlan left promiscuous mode [ 414.126646][T10368] team0 (unregistering): Port device team_slave_1 removed [ 414.138938][T10368] team0 (unregistering): Port device team_slave_0 removed [ 414.151334][T10368] bond0 (unregistering): (slave bond_slave_1): Releasing backup interface [ 414.163121][T10368] bond0 (unregistering): (slave bond_slave_0): Releasing backup interface [ 414.190789][T10368] bond0 (unregistering): Released all slaves Warning: Permanently added '10.128.10.29' (ECDSA) to the list of known hosts. [ 415.333527][T10368] netdevsim netdevsim1 netdevsim3 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0 [ 415.443326][T10368] netdevsim netdevsim1 netdevsim2 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0 [ 415.555796][T10368] netdevsim netdevsim1 netdevsim1 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0 [ 415.662144][T10368] netdevsim netdevsim1 netdevsim0 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0 [ 415.894103][T10368] netdevsim netdevsim2 netdevsim3 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0 [ 416.094660][T10368] netdevsim netdevsim2 netdevsim2 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0 [ 416.244701][T10368] netdevsim netdevsim2 netdevsim1 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0 [ 416.372273][T10368] netdevsim netdevsim2 netdevsim0 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0 [ 416.589269][T10368] netdevsim netdevsim4 netdevsim3 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0 [ 416.786115][T10368] netdevsim netdevsim4 netdevsim2 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0 [ 416.946840][T10368] netdevsim netdevsim4 netdevsim1 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0 [ 417.069121][T10368] netdevsim netdevsim4 netdevsim0 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0 [ 417.302827][T10368] netdevsim netdevsim5 netdevsim3 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0 [ 417.495280][T10368] netdevsim netdevsim5 netdevsim2 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0 [ 417.622142][T10368] netdevsim netdevsim5 netdevsim1 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0 [ 417.733520][T10368] netdevsim netdevsim5 netdevsim0 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0 [ 422.814563][T10368] device hsr_slave_0 left promiscuous mode [ 422.834509][T10368] device hsr_slave_1 left promiscuous mode [ 422.851630][T10368] batman_adv: batadv0: Interface deactivated: batadv_slave_0 [ 422.871077][T10368] batman_adv: batadv0: Removing interface: batadv_slave_0 [ 422.898380][T10368] batman_adv: batadv0: Interface deactivated: batadv_slave_1 [ 422.907241][T10368] batman_adv: batadv0: Removing interface: batadv_slave_1 [ 422.927405][T10368] device bridge_slave_1 left promiscuous mode [ 422.937255][T10368] bridge0: port 2(bridge_slave_1) entered disabled state [ 422.959716][T10368] device bridge_slave_0 left promiscuous mode [ 422.971327][T10368] bridge0: port 1(bridge_slave_0) entered disabled state [ 423.000477][T10368] device hsr_slave_0 left promiscuous mode [ 423.012640][T10368] device hsr_slave_1 left promiscuous mode [ 423.026788][T10368] batman_adv: batadv0: Interface deactivated: batadv_slave_0 [ 423.052114][T10368] batman_adv: batadv0: Removing interface: batadv_slave_0 [ 423.067418][T10368] batman_adv: batadv0: Interface deactivated: batadv_slave_1 [ 423.076158][T10368] batman_adv: batadv0: Removing interface: batadv_slave_1 [ 423.091840][T10368] device bridge_slave_1 left promiscuous mode [ 423.100094][T10368] bridge0: port 2(bridge_slave_1) entered disabled state [ 423.117449][T10368] device bridge_slave_0 left promiscuous mode [ 423.131599][T10368] bridge0: port 1(bridge_slave_0) entered disabled state [ 423.152140][T10368] device hsr_slave_0 left promiscuous mode [ 423.160719][T10368] device hsr_slave_1 left promiscuous mode [ 423.173920][T10368] batman_adv: batadv0: Interface deactivated: batadv_slave_0 [ 423.181667][T10368] batman_adv: batadv0: Removing interface: batadv_slave_0 [ 423.200013][T10368] batman_adv: batadv0: Interface deactivated: batadv_slave_1 [ 423.214619][T10368] batman_adv: batadv0: Removing interface: batadv_slave_1 [ 423.230755][T10368] device bridge_slave_1 left promiscuous mode [ 423.237738][T10368] bridge0: port 2(bridge_slave_1) entered disabled state [ 423.257126][T10368] device bridge_slave_0 left promiscuous mode [ 423.266764][T10368] bridge0: port 1(bridge_slave_0) entered disabled state [ 423.282237][T10368] device hsr_slave_0 left promiscuous mode [ 423.291830][T10368] device hsr_slave_1 left promiscuous mode [ 423.313458][T10368] batman_adv: batadv0: Interface deactivated: batadv_slave_0 [ 423.325048][T10368] batman_adv: batadv0: Removing interface: batadv_slave_0 [ 423.347262][T10368] batman_adv: batadv0: Interface deactivated: batadv_slave_1 [ 423.359115][T10368] batman_adv: batadv0: Removing interface: batadv_slave_1 [ 423.375465][T10368] device bridge_slave_1 left promiscuous mode [ 423.385919][T10368] bridge0: port 2(bridge_slave_1) entered disabled state [ 423.411736][T10368] device bridge_slave_0 left promiscuous mode [ 423.430536][T10368] bridge0: port 1(bridge_slave_0) entered disabled state [ 423.444020][T10368] device hsr_slave_0 left promiscuous mode [ 423.461852][T10368] device hsr_slave_1 left promiscuous mode [ 423.479136][T10368] batman_adv: batadv0: Interface deactivated: batadv_slave_0 [ 423.501543][T10368] batman_adv: batadv0: Removing interface: batadv_slave_0 [ 423.511747][T10368] batman_adv: batadv0: Interface deactivated: batadv_slave_1 [ 423.525555][T10368] batman_adv: batadv0: Removing interface: batadv_slave_1 [ 423.541076][T10368] device bridge_slave_1 left promiscuous mode [ 423.556501][T10368] bridge0: port 2(bridge_slave_1) entered disabled state [ 423.576240][T10368] device bridge_slave_0 left promiscuous mode [ 423.588236][T10368] bridge0: port 1(bridge_slave_0) entered disabled state [ 423.617982][T10368] device veth1_macvtap left promiscuous mode [ 423.628873][T10368] device veth0_macvtap left promiscuous mode [ 423.644000][T10368] device veth1_vlan left promiscuous mode [ 423.657047][T10368] device veth0_vlan left promiscuous mode [ 423.666084][T10368] device veth1_macvtap left promiscuous mode [ 423.685926][T10368] device veth0_macvtap left promiscuous mode [ 423.695631][T10368] device veth1_vlan left promiscuous mode [ 423.709366][T10368] device veth0_vlan left promiscuous mode [ 423.734053][T10368] device veth1_macvtap left promiscuous mode [ 423.743465][T10368] device veth0_macvtap left promiscuous mode [ 423.751741][T10368] device veth1_vlan left promiscuous mode [ 423.767651][T10368] device veth0_vlan left promiscuous mode [ 423.789882][T10368] device veth1_macvtap left promiscuous mode [ 423.806454][T10368] device veth0_macvtap left promiscuous mode [ 423.821303][T10368] device veth1_vlan left promiscuous mode [ 423.837259][T10368] device veth0_vlan left promiscuous mode [ 423.850143][T10368] device veth1_macvtap left promiscuous mode [ 423.866520][T10368] device veth0_macvtap left promiscuous mode [ 423.875999][T10368] device veth1_vlan left promiscuous mode [ 423.882799][T10368] device veth0_vlan left promiscuous mode [ 437.204876][ T22] ================================================================== [ 437.212963][ T22] BUG: KASAN: use-after-free in __d_alloc+0x161/0x950 [ 437.219892][ T22] Read of size 5 at addr ffff888011f44420 by task kdevtmpfs/22 [ 437.227497][ T22] [ 437.229801][ T22] CPU: 0 PID: 22 Comm: kdevtmpfs Not tainted 5.14.0-syzkaller #0 [ 437.237572][ T22] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 437.248145][ T22] Call Trace: [ 437.251445][ T22] dump_stack_lvl+0x57/0x7d [ 437.256306][ T22] print_address_description.constprop.0.cold+0x6c/0x309 [ 437.263329][ T22] ? __d_alloc+0x161/0x950 [ 437.267738][ T22] ? __d_alloc+0x161/0x950 [ 437.272169][ T22] kasan_report.cold+0x83/0xdf [ 437.277192][ T22] ? __d_alloc+0x161/0x950 [ 437.281584][ T22] kasan_check_range+0x13d/0x180 [ 437.286689][ T22] memcpy+0x20/0x60 [ 437.290467][ T22] __d_alloc+0x161/0x950 [ 437.295033][ T22] d_alloc+0x3f/0x200 [ 437.298999][ T22] __lookup_hash+0x97/0x140 [ 437.303591][ T22] kern_path_locked+0x146/0x300 [ 437.308702][ T22] ? filename_lookup+0x30/0x30 [ 437.313629][ T22] ? rcu_read_lock_sched_held+0xd/0x70 [ 437.319070][ T22] ? lock_acquire+0x442/0x510 [ 437.324638][ T22] ? rcu_read_lock_sched_held+0xd/0x70 [ 437.330596][ T22] ? rcu_read_lock_sched_held+0xd/0x70 [ 437.336716][ T22] handle_remove+0x9a/0x4fa [ 437.341362][ T22] ? get_vtime_delta+0x26e/0x420 [ 437.346285][ T22] ? cacheinfo_cpu_online.cold+0x34/0x34 [ 437.354754][ T22] ? finish_task_switch.isra.0+0x232/0xa10 [ 437.360631][ T22] ? trace_hardirqs_on+0x1c/0x140 [ 437.365726][ T22] ? finish_task_switch.isra.0+0x232/0xa10 [ 437.371643][ T22] ? __switch_to+0x5cc/0x1060 [ 437.376330][ T22] ? rcu_read_lock_sched_held+0xd/0x70 [ 437.381921][ T22] ? lock_acquire+0x442/0x510 [ 437.386581][ T22] ? rcu_read_lock_sched_held+0xd/0x70 [ 437.392141][ T22] ? lock_release+0x522/0x720 [ 437.396808][ T22] ? devtmpfsd+0x84/0x24e [ 437.401180][ T22] ? lock_downgrade+0x6e0/0x6e0 [ 437.406009][ T22] ? do_raw_spin_lock+0x120/0x2b0 [ 437.411287][ T22] ? rwlock_bug.part.0+0x90/0x90 [ 437.416211][ T22] devtmpfsd+0x176/0x24e [ 437.420442][ T22] ? dmar_validate_one_drhd+0x1d2/0x1d2 [ 437.426000][ T22] kthread+0x38b/0x460 [ 437.430149][ T22] ? _raw_spin_unlock_irq+0x1f/0x40 [ 437.435401][ T22] ? set_kthread_struct+0x100/0x100 [ 437.440771][ T22] ret_from_fork+0x1f/0x30 [ 437.445176][ T22] [ 437.447481][ T22] Allocated by task 22: [ 437.451691][ T22] kasan_save_stack+0x1b/0x40 [ 437.456565][ T22] __kasan_slab_alloc+0x83/0xb0 [ 437.461553][ T22] kmem_cache_alloc+0x285/0x4a0 [ 437.466685][ T22] getname_kernel+0x48/0x330 [ 437.471265][ T22] kern_path_locked+0x6f/0x300 [ 437.476382][ T22] handle_remove+0x9a/0x4fa [ 437.481145][ T22] devtmpfsd+0x176/0x24e [ 437.485376][ T22] kthread+0x38b/0x460 [ 437.489630][ T22] ret_from_fork+0x1f/0x30 [ 437.494032][ T22] [ 437.496347][ T22] Freed by task 22: [ 437.500298][ T22] kasan_save_stack+0x1b/0x40 [ 437.505032][ T22] kasan_set_track+0x1c/0x30 [ 437.509688][ T22] kasan_set_free_info+0x20/0x30 [ 437.514679][ T22] __kasan_slab_free+0xff/0x130 [ 437.519671][ T22] slab_free_freelist_hook+0xe3/0x250 [ 437.525009][ T22] kmem_cache_free+0x8a/0x5b0 [ 437.529828][ T22] kern_path_locked+0xa7/0x300 [ 437.534646][ T22] handle_remove+0x9a/0x4fa [ 437.539552][ T22] devtmpfsd+0x176/0x24e [ 437.543805][ T22] kthread+0x38b/0x460 [ 437.547843][ T22] ret_from_fork+0x1f/0x30 [ 437.552226][ T22] [ 437.554525][ T22] The buggy address belongs to the object at ffff888011f44400 [ 437.554525][ T22] which belongs to the cache names_cache of size 4096 [ 437.568980][ T22] The buggy address is located 32 bytes inside of [ 437.568980][ T22] 4096-byte region [ffff888011f44400, ffff888011f45400) [ 437.582402][ T22] The buggy address belongs to the page: [ 437.588089][ T22] page:ffffea000047d000 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x11f40 [ 437.598669][ T22] head:ffffea000047d000 order:3 compound_mapcount:0 compound_pincount:0 [ 437.607067][ T22] flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff) [ 437.615042][ T22] raw: 00fff00000010200 0000000000000000 0000000100000001 ffff88800fdc43c0 [ 437.623595][ T22] raw: 0000000000000000 0000000080070007 00000001ffffffff 0000000000000000 [ 437.632258][ T22] page dumped because: kasan: bad access detected [ 437.638638][ T22] page_owner tracks the page as allocated [ 437.644409][ T22] page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 6375, ts 24250878650, free_ts 23733110061 [ 437.663729][ T22] get_page_from_freelist+0xa6f/0x2f50 [ 437.669189][ T22] __alloc_pages+0x1b2/0x500 [ 437.673748][ T22] allocate_slab+0x32e/0x4b0 [ 437.678322][ T22] ___slab_alloc+0x4ba/0x820 [ 437.683185][ T22] __slab_alloc.constprop.0+0xa7/0xf0 [ 437.688546][ T22] kmem_cache_alloc+0x3e1/0x4a0 [ 437.693388][ T22] getname_flags.part.0+0x4a/0x440 [ 437.698575][ T22] do_sys_openat2+0xd2/0x400 [ 437.703339][ T22] __x64_sys_open+0xfd/0x1a0 [ 437.708088][ T22] do_syscall_64+0x35/0xb0 [ 437.712760][ T22] entry_SYSCALL_64_after_hwframe+0x44/0xae [ 437.718882][ T22] page last free stack trace: [ 437.723622][ T22] free_pcp_prepare+0x2c5/0x780 [ 437.728713][ T22] free_unref_page+0x19/0x690 [ 437.733379][ T22] unfreeze_partials+0x17c/0x1d0 [ 437.738367][ T22] put_cpu_partial+0x13d/0x230 [ 437.743195][ T22] qlist_free_all+0x5a/0xc0 [ 437.747671][ T22] kasan_quarantine_reduce+0x180/0x200 [ 437.753093][ T22] __kasan_slab_alloc+0x95/0xb0 [ 437.758098][ T22] kmem_cache_alloc+0x285/0x4a0 [ 437.763176][ T22] ptlock_alloc+0x19/0x60 [ 437.768280][ T22] pte_alloc_one+0x4c/0x190 [ 437.772875][ T22] __pte_alloc+0x15/0x240 [ 437.777624][ T22] copy_page_range+0x1009/0x32b0 [ 437.782737][ T22] dup_mm+0x7cc/0x1090 [ 437.787231][ T22] copy_process+0x5c89/0x69f0 [ 437.791959][ T22] kernel_clone+0xb8/0x7f0 [ 437.796529][ T22] __do_sys_clone+0xaf/0xf0 [ 437.801893][ T22] [ 437.804289][ T22] Memory state around the buggy address: [ 437.810017][ T22] ffff888011f44300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 437.819193][ T22] ffff888011f44380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 437.827439][ T22] >ffff888011f44400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 437.835835][ T22] ^ [ 437.841364][ T22] ffff888011f44480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 437.849497][ T22] ffff888011f44500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 437.857713][ T22] ================================================================== [ 437.879947][ T22] Kernel panic - not syncing: panic_on_warn set ... [ 437.888371][ T22] CPU: 0 PID: 22 Comm: kdevtmpfs Tainted: G B 5.14.0-syzkaller #0 [ 437.897635][ T22] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 437.908033][ T22] Call Trace: [ 437.911736][ T22] dump_stack_lvl+0x57/0x7d [ 437.916308][ T22] panic+0x256/0x4eb [ 437.920505][ T22] ? __warn_printk+0xee/0xee [ 437.925488][ T22] ? preempt_schedule_common+0x59/0xc0 [ 437.931037][ T22] ? __d_alloc+0x161/0x950 [ 437.935889][ T22] ? preempt_schedule_thunk+0x16/0x18 [ 437.941258][ T22] ? __d_alloc+0x161/0x950 [ 437.946021][ T22] ? __d_alloc+0x161/0x950 [ 437.950459][ T22] end_report.cold+0x5a/0x5a [ 437.955830][ T22] kasan_report.cold+0x71/0xdf [ 437.960589][ T22] ? __d_alloc+0x161/0x950 [ 437.965118][ T22] kasan_check_range+0x13d/0x180 [ 437.970240][ T22] memcpy+0x20/0x60 [ 437.974156][ T22] __d_alloc+0x161/0x950 [ 437.978581][ T22] d_alloc+0x3f/0x200 [ 437.982587][ T22] __lookup_hash+0x97/0x140 [ 437.987246][ T22] kern_path_locked+0x146/0x300 [ 437.992363][ T22] ? filename_lookup+0x30/0x30 [ 437.997321][ T22] ? rcu_read_lock_sched_held+0xd/0x70 [ 438.002976][ T22] ? lock_acquire+0x442/0x510 [ 438.008288][ T22] ? rcu_read_lock_sched_held+0xd/0x70 [ 438.014772][ T22] ? rcu_read_lock_sched_held+0xd/0x70 [ 438.020661][ T22] handle_remove+0x9a/0x4fa [ 438.025248][ T22] ? get_vtime_delta+0x26e/0x420 [ 438.030553][ T22] ? cacheinfo_cpu_online.cold+0x34/0x34 [ 438.036186][ T22] ? finish_task_switch.isra.0+0x232/0xa10 [ 438.041984][ T22] ? trace_hardirqs_on+0x1c/0x140 [ 438.047324][ T22] ? finish_task_switch.isra.0+0x232/0xa10 [ 438.053212][ T22] ? __switch_to+0x5cc/0x1060 [ 438.057902][ T22] ? rcu_read_lock_sched_held+0xd/0x70 [ 438.063541][ T22] ? lock_acquire+0x442/0x510 [ 438.068244][ T22] ? rcu_read_lock_sched_held+0xd/0x70 [ 438.073874][ T22] ? lock_release+0x522/0x720 [ 438.078547][ T22] ? devtmpfsd+0x84/0x24e [ 438.082980][ T22] ? lock_downgrade+0x6e0/0x6e0 [ 438.088001][ T22] ? do_raw_spin_lock+0x120/0x2b0 [ 438.093396][ T22] ? rwlock_bug.part.0+0x90/0x90 [ 438.098334][ T22] devtmpfsd+0x176/0x24e [ 438.102833][ T22] ? dmar_validate_one_drhd+0x1d2/0x1d2 [ 438.108376][ T22] kthread+0x38b/0x460 [ 438.112533][ T22] ? _raw_spin_unlock_irq+0x1f/0x40 [ 438.118070][ T22] ? set_kthread_struct+0x100/0x100 [ 438.123613][ T22] ret_from_fork+0x1f/0x30 [ 438.128171][ T22] Kernel Offset: disabled [ 438.132622][ T22] Rebooting in 86400 seconds..