Warning: Permanently added '10.128.0.124' (ECDSA) to the list of known hosts.
2021/09/12 20:40:25 parsed 1 programs
2021/09/12 20:40:25 executed programs: 0
syzkaller login: [ 1585.335168] IPVS: ftp: loaded support on port[0] = 21
[ 1585.428956] chnl_net:caif_netlink_parms(): no params data found
[ 1585.522700] bridge0: port 1(bridge_slave_0) entered blocking state
[ 1585.529721] bridge0: port 1(bridge_slave_0) entered disabled state
[ 1585.537222] device bridge_slave_0 entered promiscuous mode
[ 1585.544435] bridge0: port 2(bridge_slave_1) entered blocking state
[ 1585.550900] bridge0: port 2(bridge_slave_1) entered disabled state
[ 1585.558046] device bridge_slave_1 entered promiscuous mode
[ 1585.576228] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 1585.584989] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 1585.603117] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 1585.610512] team0: Port device team_slave_0 added
[ 1585.615901] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 1585.623982] team0: Port device team_slave_1 added
[ 1585.639147] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 1585.645376] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 1585.672084] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[ 1585.683916] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 1585.690611] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 1585.716310] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[ 1585.727894] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[ 1585.735210] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[ 1585.754960] device hsr_slave_0 entered promiscuous mode
[ 1585.760734] device hsr_slave_1 entered promiscuous mode
[ 1585.767716] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready
[ 1585.774735] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_1: link is not ready
[ 1585.840641] bridge0: port 2(bridge_slave_1) entered blocking state
[ 1585.847113] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 1585.853880] bridge0: port 1(bridge_slave_0) entered blocking state
[ 1585.860276] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 1585.890889] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[ 1585.899015] 8021q: adding VLAN 0 to HW filter on device bond0
[ 1585.906753] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 1585.914849] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 1585.923909] bridge0: port 1(bridge_slave_0) entered disabled state
[ 1585.931346] bridge0: port 2(bridge_slave_1) entered disabled state
[ 1585.938770] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 1585.949167] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready
[ 1585.955225] 8021q: adding VLAN 0 to HW filter on device team0
[ 1585.964645] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 1585.973205] bridge0: port 1(bridge_slave_0) entered blocking state
[ 1585.979604] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 1585.989538] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 1585.998719] bridge0: port 2(bridge_slave_1) entered blocking state
[ 1586.005065] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 1586.023951] hsr0: Slave A (hsr_slave_0) is not up; please bring it up to get a fully working HSR network
[ 1586.034551] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
[ 1586.045838] IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready
[ 1586.055274] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 1586.062964] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 1586.071038] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 1586.079538] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 1586.087191] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 1586.093987] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 1586.107290] IPv6: ADDRCONF(NETDEV_UP): vxcan0: link is not ready
[ 1586.114469] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 1586.121571] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 1586.131940] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 1586.144487] IPv6: ADDRCONF(NETDEV_UP): veth0_virt_wifi: link is not ready
[ 1586.154737] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 1586.186108] IPv6: ADDRCONF(NETDEV_UP): veth0_vlan: link is not ready
[ 1586.193296] IPv6: ADDRCONF(NETDEV_UP): vlan0: link is not ready
[ 1586.200901] IPv6: ADDRCONF(NETDEV_UP): vlan1: link is not ready
[ 1586.210073] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 1586.218569] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 1586.225372] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 1586.234540] device veth0_vlan entered promiscuous mode
[ 1586.243785] device veth1_vlan entered promiscuous mode
[ 1586.249890] IPv6: ADDRCONF(NETDEV_UP): macvlan0: link is not ready
[ 1586.259695] IPv6: ADDRCONF(NETDEV_UP): macvlan1: link is not ready
[ 1586.270941] IPv6: ADDRCONF(NETDEV_UP): veth0_macvtap: link is not ready
[ 1586.280073] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan0: link becomes ready
[ 1586.287964] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan1: link becomes ready
[ 1586.295205] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 1586.304527] device veth0_macvtap entered promiscuous mode
[ 1586.311163] IPv6: ADDRCONF(NETDEV_UP): macvtap0: link is not ready
[ 1586.320203] device veth1_macvtap entered promiscuous mode
[ 1586.328912] IPv6: ADDRCONF(NETDEV_UP): veth0_to_batadv: link is not ready
[ 1586.339503] IPv6: ADDRCONF(NETDEV_UP): veth1_to_batadv: link is not ready
[ 1586.349288] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 1586.355986] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 1586.365487] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready
[ 1586.376370] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 1586.384687] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 1586.496318] IPv6: ADDRCONF(NETDEV_UP): wlan0: link is not ready
[ 1586.504247] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[ 1586.512983] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50
[ 1586.529655] IPv6: ADDRCONF(NETDEV_CHANGE): wlan0: link becomes ready
[ 1586.542289] IPv6: ADDRCONF(NETDEV_UP): wlan1: link is not ready
[ 1586.548941] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[ 1586.556047] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50
[ 1586.562867] IPv6: ADDRCONF(NETDEV_CHANGE): wlan1: link becomes ready
[ 1587.357916] Bluetooth: hci0: command 0x0409 tx timeout
[ 1589.436816] Bluetooth: hci0: command 0x041b tx timeout
2021/09/12 20:40:31 executed programs: 4
[ 1591.516680] Bluetooth: hci0: command 0x040f tx timeout
[ 1593.596421] Bluetooth: hci0: command 0x0419 tx timeout
2021/09/12 20:40:36 executed programs: 10
[ 1595.676315] Bluetooth: hci0: command 0x0405 tx timeout
2021/09/12 20:40:41 executed programs: 16
2021/09/12 20:40:46 executed programs: 22
[ 1608.477731] ieee802154 phy0 wpan0: encryption failed: -22
[ 1608.483537] ieee802154 phy1 wpan1: encryption failed: -22
2021/09/12 20:40:51 executed programs: 28
2021/09/12 20:40:56 executed programs: 34
2021/09/12 20:41:01 executed programs: 40
2021/09/12 20:41:06 executed programs: 46
2021/09/12 20:41:11 executed programs: 52
[ 1635.355030] ==================================================================
[ 1635.362427] BUG: KASAN: use-after-free in __lock_acquire+0x2cb4/0x3ff0
[ 1635.369075] Read of size 8 at addr ffff8880aa7f2ba0 by task kworker/0:1/14
[ 1635.376064]
[ 1635.377709] CPU: 0 PID: 14 Comm: kworker/0:1 Not tainted 4.19.206-syzkaller #0
[ 1635.385072] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 1635.394422] Workqueue: events l2cap_chan_timeout
[ 1635.399198] Call Trace:
[ 1635.401772]  dump_stack+0x1fc/0x2ef
[ 1635.405382]  print_address_description.cold+0x54/0x219
[ 1635.410639]  kasan_report_error.cold+0x8a/0x1b9
[ 1635.415291]  ? __lock_acquire+0x2cb4/0x3ff0
[ 1635.419609]  __asan_report_load8_noabort+0x88/0x90
[ 1635.424526]  ? __lock_acquire+0x2cb4/0x3ff0
[ 1635.428830]  __lock_acquire+0x2cb4/0x3ff0
[ 1635.432972]  ? trace_hardirqs_off+0x64/0x200
[ 1635.437375]  ? _raw_spin_unlock_irqrestore+0x66/0xe0
[ 1635.442456]  ? debug_object_assert_init+0x242/0x2e0
[ 1635.447454]  ? mark_held_locks+0xf0/0xf0
[ 1635.451490]  ? debug_object_free+0x380/0x380
[ 1635.455874]  ? mark_held_locks+0xf0/0xf0
[ 1635.459914]  ? __save_stack_trace+0x9f/0x190
[ 1635.464307]  ? del_timer+0xc3/0x100
[ 1635.467977]  lock_acquire+0x170/0x3c0
[ 1635.471760]  ? lock_sock_nested+0x3b/0x110
[ 1635.476010]  _raw_spin_lock_bh+0x2f/0x40
[ 1635.480058]  ? lock_sock_nested+0x3b/0x110
[ 1635.484282]  lock_sock_nested+0x3b/0x110
[ 1635.488324]  l2cap_sock_teardown_cb+0xa0/0x6d0
[ 1635.492933]  ? lock_downgrade+0x720/0x720
[ 1635.497060]  l2cap_chan_del+0xbc/0xa50
[ 1635.500924]  ? trace_hardirqs_off+0x64/0x200
[ 1635.505311]  l2cap_chan_close+0x1b5/0x950
[ 1635.509437]  ? __set_monitor_timer+0x200/0x200
[ 1635.514012]  ? check_preemption_disabled+0x41/0x280
[ 1635.519009]  l2cap_chan_timeout+0x17e/0x2f0
[ 1635.523322]  process_one_work+0x864/0x1570
[ 1635.527540]  ? pwq_dec_nr_in_flight+0x2d0/0x2d0
[ 1635.532194]  worker_thread+0x64c/0x1130
[ 1635.536150]  ? __kthread_parkme+0x133/0x1e0
[ 1635.540625]  ? process_one_work+0x1570/0x1570
[ 1635.545100]  kthread+0x33f/0x460
[ 1635.548455]  ? kthread_park+0x180/0x180
[ 1635.552417]  ret_from_fork+0x24/0x30
[ 1635.556111]
[ 1635.557725] Allocated by task 8408:
[ 1635.561390]  __kmalloc+0x15a/0x3c0
[ 1635.564916]  sk_prot_alloc+0x1e2/0x2d0
[ 1635.568788]  sk_alloc+0x36/0xec0
[ 1635.572138]  l2cap_sock_alloc.constprop.0+0x31/0x210
[ 1635.577217]  l2cap_sock_create+0x123/0x1f0
[ 1635.581431]  bt_sock_create+0x154/0x2a0
[ 1635.585383]  __sock_create+0x3d8/0x740
[ 1635.589248]  __sys_socket+0xef/0x200
[ 1635.592940]  __x64_sys_socket+0x6f/0xb0
[ 1635.596928]  do_syscall_64+0xf9/0x620
[ 1635.600709]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 1635.605910]
[ 1635.607528] Freed by task 8407:
[ 1635.610791]  kfree+0xcc/0x210
[ 1635.613913]  __sk_destruct+0x684/0x8a0
[ 1635.617779]  __sk_free+0x165/0x3b0
[ 1635.621294]  sk_free+0x3b/0x50
[ 1635.624553]  l2cap_sock_kill.part.0+0x124/0x150
[ 1635.629207]  l2cap_sock_release+0x1e6/0x290
[ 1635.633510]  __sock_release+0xcd/0x2a0
[ 1635.637448]  sock_close+0x15/0x20
[ 1635.640936]  __fput+0x2ce/0x890
[ 1635.644228]  task_work_run+0x148/0x1c0
[ 1635.648099]  get_signal+0x1b64/0x1f70
[ 1635.651879]  do_signal+0x8f/0x1670
[ 1635.655399]  exit_to_usermode_loop+0x204/0x2a0
[ 1635.659962]  do_syscall_64+0x538/0x620
[ 1635.663830]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 1635.669036]
[ 1635.670645] The buggy address belongs to the object at ffff8880aa7f2b00
[ 1635.670645]  which belongs to the cache kmalloc-2048 of size 2048
[ 1635.683451] The buggy address is located 160 bytes inside of
[ 1635.683451]  2048-byte region [ffff8880aa7f2b00, ffff8880aa7f3300)
[ 1635.695385] The buggy address belongs to the page:
[ 1635.700291] page:ffffea0002a9fc80 count:1 mapcount:0 mapping:ffff88813bff0c40 index:0x0 compound_mapcount: 0
[ 1635.710232] flags: 0xfff00000008100(slab|head)
[ 1635.714796] raw: 00fff00000008100 ffffea0002aaf588 ffffea00024b2088 ffff88813bff0c40
[ 1635.722659] raw: 0000000000000000 ffff8880aa7f2280 0000000100000003 0000000000000000
[ 1635.730566] page dumped because: kasan: bad access detected
[ 1635.736254]
[ 1635.737894] Memory state around the buggy address:
[ 1635.742801]  ffff8880aa7f2a80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 1635.750137]  ffff8880aa7f2b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1635.757511] >ffff8880aa7f2b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1635.764843]                                ^
[ 1635.769230]  ffff8880aa7f2c00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1635.776566]  ffff8880aa7f2c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1635.783901] ==================================================================
[ 1635.791234] Disabling lock debugging due to kernel taint
[ 1635.796659] Kernel panic - not syncing: panic_on_warn set ...
[ 1635.796659]
[ 1635.804002] CPU: 0 PID: 14 Comm: kworker/0:1 Tainted: G B 4.19.206-syzkaller #0
[ 1635.812726] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 1635.822065] Workqueue: events l2cap_chan_timeout
[ 1635.826842] Call Trace:
[ 1635.829425]  dump_stack+0x1fc/0x2ef
[ 1635.833072]  panic+0x26a/0x50e
[ 1635.836256]  ? __warn_printk+0xf3/0xf3
[ 1635.840123]  ? lock_downgrade+0x720/0x720
[ 1635.844252]  ? print_shadow_for_address+0xb8/0x114
[ 1635.849195]  ? trace_hardirqs_off+0x64/0x200
[ 1635.853590]  kasan_end_report+0x43/0x49
[ 1635.857545]  kasan_report_error.cold+0xa7/0x1b9
[ 1635.862196]  ? __lock_acquire+0x2cb4/0x3ff0
[ 1635.866498]  __asan_report_load8_noabort+0x88/0x90
[ 1635.871405]  ? __lock_acquire+0x2cb4/0x3ff0
[ 1635.875705]  __lock_acquire+0x2cb4/0x3ff0
[ 1635.879872]  ? trace_hardirqs_off+0x64/0x200
[ 1635.884262]  ? _raw_spin_unlock_irqrestore+0x66/0xe0
[ 1635.889354]  ? debug_object_assert_init+0x242/0x2e0
[ 1635.894363]  ? mark_held_locks+0xf0/0xf0
[ 1635.898402]  ? debug_object_free+0x380/0x380
[ 1635.902794]  ? mark_held_locks+0xf0/0xf0
[ 1635.906845]  ? __save_stack_trace+0x9f/0x190
[ 1635.911235]  ? del_timer+0xc3/0x100
[ 1635.914843]  lock_acquire+0x170/0x3c0
[ 1635.918624]  ? lock_sock_nested+0x3b/0x110
[ 1635.922852]  _raw_spin_lock_bh+0x2f/0x40
[ 1635.926900]  ? lock_sock_nested+0x3b/0x110
[ 1635.931119]  lock_sock_nested+0x3b/0x110
[ 1635.935173]  l2cap_sock_teardown_cb+0xa0/0x6d0
[ 1635.939735]  ? lock_downgrade+0x720/0x720
[ 1635.943861]  l2cap_chan_del+0xbc/0xa50
[ 1635.947727]  ? trace_hardirqs_off+0x64/0x200
[ 1635.952113]  l2cap_chan_close+0x1b5/0x950
[ 1635.956243]  ? __set_monitor_timer+0x200/0x200
[ 1635.960819]  ? check_preemption_disabled+0x41/0x280
[ 1635.965816]  l2cap_chan_timeout+0x17e/0x2f0
[ 1635.970124]  process_one_work+0x864/0x1570
[ 1635.974344]  ? pwq_dec_nr_in_flight+0x2d0/0x2d0
[ 1635.979005]  worker_thread+0x64c/0x1130
[ 1635.982959]  ? __kthread_parkme+0x133/0x1e0
[ 1635.987261]  ? process_one_work+0x1570/0x1570
[ 1635.991736]  kthread+0x33f/0x460
[ 1635.995088]  ? kthread_park+0x180/0x180
[ 1635.999129]  ret_from_fork+0x24/0x30
[ 1636.003082] Kernel Offset: disabled
[ 1636.006705] Rebooting in 86400 seconds..