[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
[ OK ] Started Update UTMP about System Runlevel Changes.
Starting Load/Save RF Kill Switch Status...
[ OK ] Started Load/Save RF Kill Switch Status.
Debian GNU/Linux 9 syzkaller ttyS0
Warning: Permanently added '10.128.0.215' (ECDSA) to the list of known hosts.
2021/08/03 23:00:56 parsed 1 programs
2021/08/03 23:00:56 executed programs: 0
syzkaller login: [ 407.103389] IPVS: ftp: loaded support on port[0] = 21
[ 407.207756] chnl_net:caif_netlink_parms(): no params data found
[ 407.333462] bridge0: port 1(bridge_slave_0) entered blocking state
[ 407.340105] bridge0: port 1(bridge_slave_0) entered disabled state
[ 407.347551] device bridge_slave_0 entered promiscuous mode
[ 407.354233] bridge0: port 2(bridge_slave_1) entered blocking state
[ 407.361214] bridge0: port 2(bridge_slave_1) entered disabled state
[ 407.368199] device bridge_slave_1 entered promiscuous mode
[ 407.384593] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 407.393449] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 407.410385] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 407.417536] team0: Port device team_slave_0 added
[ 407.422876] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 407.430189] team0: Port device team_slave_1 added
[ 407.445179] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 407.451455] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 407.476896] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[ 407.488042] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 407.494395] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 407.520083] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[ 407.530638] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[ 407.538137] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[ 407.555636] device hsr_slave_0 entered promiscuous mode
[ 407.561246] device hsr_slave_1 entered promiscuous mode
[ 407.567307] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready
[ 407.574233] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_1: link is not ready
[ 407.632588] bridge0: port 2(bridge_slave_1) entered blocking state
[ 407.639008] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 407.645800] bridge0: port 1(bridge_slave_0) entered blocking state
[ 407.652195] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 407.675974] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[ 407.682545] 8021q: adding VLAN 0 to HW filter on device bond0
[ 407.690572] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 407.701212] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 407.719121] bridge0: port 1(bridge_slave_0) entered disabled state
[ 407.725956] bridge0: port 2(bridge_slave_1) entered disabled state
[ 407.735320] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready
[ 407.742020] 8021q: adding VLAN 0 to HW filter on device team0
[ 407.750457] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 407.758658] bridge0: port 1(bridge_slave_0) entered blocking state
[ 407.764980] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 407.783149] hsr0: Slave A (hsr_slave_0) is not up; please bring it up to get a fully working HSR network
[ 407.793399] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
[ 407.804853] IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready
[ 407.811756] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 407.819756] bridge0: port 2(bridge_slave_1) entered blocking state
[ 407.826078] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 407.833589] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 407.841384] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 407.849054] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 407.856647] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 407.864351] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 407.871166] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 407.883343] IPv6: ADDRCONF(NETDEV_UP): vxcan0: link is not ready
[ 407.890684] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 407.897624] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 407.909277] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 407.957435] IPv6: ADDRCONF(NETDEV_UP): veth0_virt_wifi: link is not ready
[ 407.966332] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 407.990633] IPv6: ADDRCONF(NETDEV_UP): veth0_vlan: link is not ready
[ 407.997843] IPv6: ADDRCONF(NETDEV_UP): vlan0: link is not ready
[ 408.004195] IPv6: ADDRCONF(NETDEV_UP): vlan1: link is not ready
[ 408.013495] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 408.020868] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 408.027910] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 408.036229] device veth0_vlan entered promiscuous mode
[ 408.044649] device veth1_vlan entered promiscuous mode
[ 408.050719] IPv6: ADDRCONF(NETDEV_UP): macvlan0: link is not ready
[ 408.059568] IPv6: ADDRCONF(NETDEV_UP): macvlan1: link is not ready
[ 408.069915] IPv6: ADDRCONF(NETDEV_UP): veth0_macvtap: link is not ready
[ 408.079012] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan0: link becomes ready
[ 408.086096] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan1: link becomes ready
[ 408.093334] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 408.102384] device veth0_macvtap entered promiscuous mode
[ 408.108834] IPv6: ADDRCONF(NETDEV_UP): macvtap0: link is not ready
[ 408.116566] device veth1_macvtap entered promiscuous mode
[ 408.125119] IPv6: ADDRCONF(NETDEV_UP): veth0_to_batadv: link is not ready
[ 408.134124] IPv6: ADDRCONF(NETDEV_UP): veth1_to_batadv: link is not ready
[ 408.143811] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 408.150866] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 408.158923] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready
[ 408.168919] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 408.177650] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 408.197266] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 409.147467] Bluetooth: hci0 command 0x0409 tx timeout
[ 411.226324] Bluetooth: hci0 command 0x041b tx timeout
2021/08/03 23:01:01 executed programs: 4
[ 413.306371] Bluetooth: hci0 command 0x040f tx timeout
[ 415.396144] Bluetooth: hci0 command 0x0419 tx timeout
2021/08/03 23:01:06 executed programs: 10
[ 417.466258] Bluetooth: hci0 command 0x0405 tx timeout
2021/08/03 23:01:11 executed programs: 16
2021/08/03 23:01:16 executed programs: 22
2021/08/03 23:01:22 executed programs: 28
2021/08/03 23:01:27 executed programs: 34
2021/08/03 23:01:32 executed programs: 40
2021/08/03 23:01:37 executed programs: 46
2021/08/03 23:01:42 executed programs: 52
2021/08/03 23:01:47 executed programs: 58
2021/08/03 23:01:52 executed programs: 64
[ 463.785025] ==================================================================
[ 463.792422] BUG: KASAN: use-after-free in __lock_acquire+0x2c57/0x3f20
[ 463.799110] Read of size 8 at addr ffff8880937ab7e0 by task kworker/1:1/23
[ 463.806097]
[ 463.807741] CPU: 1 PID: 23 Comm: kworker/1:1 Not tainted 4.14.241-syzkaller #0
[ 463.815082] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 463.824416] Workqueue: events l2cap_chan_timeout
[ 463.829144] Call Trace:
[ 463.831708] dump_stack+0x1b2/0x281
[ 463.835318] print_address_description.cold+0x54/0x1d3
[ 463.840569] kasan_report_error.cold+0x8a/0x191
[ 463.845215] ? __lock_acquire+0x2c57/0x3f20
[ 463.849509] __asan_report_load8_noabort+0x68/0x70
[ 463.854423] ? __lock_acquire+0x2c57/0x3f20
[ 463.858723] __lock_acquire+0x2c57/0x3f20
[ 463.862846] ? lock_acquire+0x170/0x3f0
[ 463.866797] ? lock_downgrade+0x740/0x740
[ 463.870921] ? trace_hardirqs_on+0x10/0x10
[ 463.875131] ? debug_object_assert_init+0x22d/0x2d0
[ 463.880124] ? debug_object_active_state+0x330/0x330
[ 463.885270] ? ret_from_fork+0x24/0x30
[ 463.889494] ? add_lock_to_list.constprop.0+0x17d/0x330
[ 463.894833] ? save_trace+0xd6/0x290
[ 463.898524] lock_acquire+0x170/0x3f0
[ 463.902299] ? lock_sock_nested+0x39/0x100
[ 463.906507] _raw_spin_lock_bh+0x2f/0x40
[ 463.910542] ? lock_sock_nested+0x39/0x100
[ 463.914752] lock_sock_nested+0x39/0x100
[ 463.918834] l2cap_sock_teardown_cb+0x93/0x650
[ 463.923392] l2cap_chan_del+0xaf/0x950
[ 463.927265] ? retint_kernel+0x2d/0x2d
[ 463.931136] l2cap_chan_close+0x103/0x870
[ 463.935256] ? __set_monitor_timer+0x1d0/0x1d0
[ 463.939817] ? lock_acquire+0x1ec/0x3f0
[ 463.943768] l2cap_chan_timeout+0x143/0x2a0
[ 463.948081] process_one_work+0x793/0x14a0
[ 463.952299] ? work_busy+0x320/0x320
[ 463.955993] ? worker_thread+0x158/0xff0
[ 463.960029] ? _raw_spin_unlock_irq+0x24/0x80
[ 463.964499] worker_thread+0x5cc/0xff0
[ 463.968362] ? rescuer_thread+0xc80/0xc80
[ 463.972484] kthread+0x30d/0x420
[ 463.975828] ? kthread_create_on_node+0xd0/0xd0
[ 463.980469] ret_from_fork+0x24/0x30
[ 463.984156]
[ 463.985759] Allocated by task 8343:
[ 463.989362] kasan_kmalloc+0xeb/0x160
[ 463.993153] __kmalloc+0x15a/0x400
[ 463.996686] sk_prot_alloc+0x1ba/0x290
[ 464.000552] sk_alloc+0x36/0xcd0
[ 464.003889] l2cap_sock_alloc.constprop.0+0x31/0x210
[ 464.008964] l2cap_sock_create+0xf0/0x1a0
[ 464.013084] bt_sock_create+0x13b/0x280
[ 464.017030] __sock_create+0x303/0x620
[ 464.020888] SyS_socket+0xd1/0x1b0
[ 464.024400] do_syscall_64+0x1d5/0x640
[ 464.028258] entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 464.033418]
[ 464.035017] Freed by task 8342:
[ 464.038270] kasan_slab_free+0xc3/0x1a0
[ 464.042217] kfree+0xc9/0x250
[ 464.045300] __sk_destruct+0x5e3/0x760
[ 464.049163] __sk_free+0xd9/0x2d0
[ 464.052602] sk_free+0x2b/0x40
[ 464.055772] l2cap_sock_kill.part.0+0x106/0x130
[ 464.060413] l2cap_sock_release+0x1cd/0x280
[ 464.064719] __sock_release+0xcd/0x2b0
[ 464.068591] sock_close+0x15/0x20
[ 464.072025] __fput+0x25f/0x7a0
[ 464.075277] task_work_run+0x11f/0x190
[ 464.079138] get_signal+0x18a3/0x1ca0
[ 464.082908] do_signal+0x7c/0x1550
[ 464.086428] exit_to_usermode_loop+0x160/0x200
[ 464.090987] do_syscall_64+0x4a3/0x640
[ 464.094847] entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 464.100006]
[ 464.101606] The buggy address belongs to the object at ffff8880937ab740
[ 464.101606] which belongs to the cache kmalloc-2048 of size 2048
[ 464.114419] The buggy address is located 160 bytes inside of
[ 464.114419] 2048-byte region [ffff8880937ab740, ffff8880937abf40)
[ 464.126349] The buggy address belongs to the page:
[ 464.131263] page:ffffea00024dea80 count:1 mapcount:0 mapping:ffff8880937aa640 index:0x0 compound_mapcount: 0
[ 464.141199] flags: 0xfff00000008100(slab|head)
[ 464.145753] raw: 00fff00000008100 ffff8880937aa640 0000000000000000 0000000100000003
[ 464.153619] raw: ffffea00024df6a0 ffffea00024d9c20 ffff88813fe80c40 0000000000000000
[ 464.161470] page dumped because: kasan: bad access detected
[ 464.167161]
[ 464.168765] Memory state around the buggy address:
[ 464.173704] ffff8880937ab680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 464.181035] ffff8880937ab700: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 464.188364] >ffff8880937ab780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 464.196127] ^
[ 464.202588] ffff8880937ab800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 464.209921] ffff8880937ab880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 464.217251] ==================================================================
[ 464.224579] Disabling lock debugging due to kernel taint
[ 464.229999] Kernel panic - not syncing: panic_on_warn set ...
[ 464.229999]
[ 464.237335] CPU: 1 PID: 23 Comm: kworker/1:1 Tainted: G B 4.14.241-syzkaller #0
[ 464.245877] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 464.255213] Workqueue: events l2cap_chan_timeout
[ 464.259950] Call Trace:
[ 464.262512] dump_stack+0x1b2/0x281
[ 464.266111] panic+0x1f9/0x42d
[ 464.269274] ? add_taint.cold+0x16/0x16
[ 464.273222] ? lock_downgrade+0x740/0x740
[ 464.277345] kasan_end_report+0x43/0x49
[ 464.281292] kasan_report_error.cold+0xa7/0x191
[ 464.285979] ? __lock_acquire+0x2c57/0x3f20
[ 464.290622] __asan_report_load8_noabort+0x68/0x70
[ 464.295530] ? __lock_acquire+0x2c57/0x3f20
[ 464.299824] __lock_acquire+0x2c57/0x3f20
[ 464.304031] ? lock_acquire+0x170/0x3f0
[ 464.307976] ? lock_downgrade+0x740/0x740
[ 464.312098] ? trace_hardirqs_on+0x10/0x10
[ 464.316309] ? debug_object_assert_init+0x22d/0x2d0
[ 464.321298] ? debug_object_active_state+0x330/0x330
[ 464.326372] ? ret_from_fork+0x24/0x30
[ 464.330231] ? add_lock_to_list.constprop.0+0x17d/0x330
[ 464.335563] ? save_trace+0xd6/0x290
[ 464.339250] lock_acquire+0x170/0x3f0
[ 464.343024] ? lock_sock_nested+0x39/0x100
[ 464.347251] _raw_spin_lock_bh+0x2f/0x40
[ 464.351285] ? lock_sock_nested+0x39/0x100
[ 464.355492] lock_sock_nested+0x39/0x100
[ 464.359549] l2cap_sock_teardown_cb+0x93/0x650
[ 464.364104] l2cap_chan_del+0xaf/0x950
[ 464.367964] ? retint_kernel+0x2d/0x2d
[ 464.371824] l2cap_chan_close+0x103/0x870
[ 464.375942] ? __set_monitor_timer+0x1d0/0x1d0
[ 464.380499] ? lock_acquire+0x1ec/0x3f0
[ 464.384448] l2cap_chan_timeout+0x143/0x2a0
[ 464.388747] process_one_work+0x793/0x14a0
[ 464.392957] ? work_busy+0x320/0x320
[ 464.396646] ? worker_thread+0x158/0xff0
[ 464.400685] ? _raw_spin_unlock_irq+0x24/0x80
[ 464.405167] worker_thread+0x5cc/0xff0
[ 464.409032] ? rescuer_thread+0xc80/0xc80
[ 464.413152] kthread+0x30d/0x420
[ 464.416505] ? kthread_create_on_node+0xd0/0xd0
[ 464.421148] ret_from_fork+0x24/0x30
[ 464.426059] Kernel Offset: disabled
[ 464.429665] Rebooting in 86400 seconds..