[  OK  ] Reached target Graphical Interface.
         Starting Update UTMP about System Runlevel Changes...
         Starting Load/Save RF Kill Switch Status...
[  OK  ] Started Update UTMP about System Runlevel Changes.
[  OK  ] Started Load/Save RF Kill Switch Status.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.0.37' (ECDSA) to the list of known hosts.
2021/02/07 19:16:18 parsed 1 programs
2021/02/07 19:16:19 executed programs: 0
syzkaller login: [ 1584.217966] IPVS: ftp: loaded support on port[0] = 21
[ 1584.340180] chnl_net:caif_netlink_parms(): no params data found
[ 1584.445152] bridge0: port 1(bridge_slave_0) entered blocking state
[ 1584.452197] bridge0: port 1(bridge_slave_0) entered disabled state
[ 1584.460216] device bridge_slave_0 entered promiscuous mode
[ 1584.467919] bridge0: port 2(bridge_slave_1) entered blocking state
[ 1584.474344] bridge0: port 2(bridge_slave_1) entered disabled state
[ 1584.482300] device bridge_slave_1 entered promiscuous mode
[ 1584.501121] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 1584.510568] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 1584.530396] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 1584.538081] team0: Port device team_slave_0 added
[ 1584.543817] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 1584.552287] team0: Port device team_slave_1 added
[ 1584.569002] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 1584.575425] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 1584.602392] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[ 1584.614386] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 1584.621421] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 1584.648265] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[ 1584.659427] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[ 1584.667473] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[ 1584.687614] device hsr_slave_0 entered promiscuous mode
[ 1584.693414] device hsr_slave_1 entered promiscuous mode
[ 1584.700309] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready
[ 1584.707981] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_1: link is not ready
[ 1584.779070] bridge0: port 2(bridge_slave_1) entered blocking state
[ 1584.786177] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 1584.793143] bridge0: port 1(bridge_slave_0) entered blocking state
[ 1584.799589] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 1584.831227] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[ 1584.838570] 8021q: adding VLAN 0 to HW filter on device bond0
[ 1584.847709] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 1584.857915] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 1584.868229] bridge0: port 1(bridge_slave_0) entered disabled state
[ 1584.875500] bridge0: port 2(bridge_slave_1) entered disabled state
[ 1584.883447] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 1584.894889] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready
[ 1584.901816] 8021q: adding VLAN 0 to HW filter on device team0
[ 1584.912459] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 1584.920846] bridge0: port 1(bridge_slave_0) entered blocking state
[ 1584.927547] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 1584.947529] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 1584.955246] bridge0: port 2(bridge_slave_1) entered blocking state
[ 1584.961730] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 1584.970341] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 1584.978397] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 1584.987164] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 1584.997490] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 1585.009359] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
[ 1585.021021] IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready
[ 1585.028791] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 1585.036369] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 1585.050645] IPv6: ADDRCONF(NETDEV_UP): vxcan0: link is not ready
[ 1585.059181] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 1585.067108] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 1585.078958] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 1585.091744] IPv6: ADDRCONF(NETDEV_UP): veth0_virt_wifi: link is not ready
[ 1585.101857] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 1585.138356] IPv6: ADDRCONF(NETDEV_UP): veth0_vlan: link is not ready
[ 1585.147693] IPv6: ADDRCONF(NETDEV_UP): vlan0: link is not ready
[ 1585.154270] IPv6: ADDRCONF(NETDEV_UP): vlan1: link is not ready
[ 1585.164139] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 1585.172577] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 1585.179896] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 1585.189425] device veth0_vlan entered promiscuous mode
[ 1585.200628] device veth1_vlan entered promiscuous mode
[ 1585.206814] IPv6: ADDRCONF(NETDEV_UP): macvlan0: link is not ready
[ 1585.219302] IPv6: ADDRCONF(NETDEV_UP): macvlan1: link is not ready
[ 1585.232272] IPv6: ADDRCONF(NETDEV_UP): veth0_macvtap: link is not ready
[ 1585.241999] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan0: link becomes ready
[ 1585.250461] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan1: link becomes ready
[ 1585.258661] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 1585.269278] device veth0_macvtap entered promiscuous mode
[ 1585.276392] IPv6: ADDRCONF(NETDEV_UP): macvtap0: link is not ready
[ 1585.284590] device veth1_macvtap entered promiscuous mode
[ 1585.293593] IPv6: ADDRCONF(NETDEV_UP): veth0_to_batadv: link is not ready
[ 1585.303515] IPv6: ADDRCONF(NETDEV_UP): veth1_to_batadv: link is not ready
[ 1585.315052] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 1585.323417] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 1585.332599] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready
[ 1585.342800] IPv6: ADDRCONF(NETDEV_UP): batadv_slave_1: link is not ready
[ 1585.350071] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 1585.357173] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready
[ 1585.365090] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 1585.488751] IPv6: ADDRCONF(NETDEV_UP): wlan0: link is not ready
[ 1585.496935] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[ 1585.504256] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50
[ 1585.521757] IPv6: ADDRCONF(NETDEV_CHANGE): wlan0: link becomes ready
[ 1585.534248] IPv6: ADDRCONF(NETDEV_UP): wlan1: link is not ready
[ 1585.542459] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[ 1585.550071] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50
[ 1585.558567] IPv6: ADDRCONF(NETDEV_CHANGE): wlan1: link becomes ready
[ 1586.266570] Bluetooth: hci0: command 0x0409 tx timeout
2021/02/07 19:16:24 executed programs: 145
[ 1588.337109] Bluetooth: hci0: command 0x041b tx timeout
[ 1590.416412] Bluetooth: hci0: command 0x040f tx timeout
[ 1592.495841] Bluetooth: hci0: command 0x0419 tx timeout
2021/02/07 19:16:29 executed programs: 614
2021/02/07 19:16:34 executed programs: 1097
2021/02/07 19:16:39 executed programs: 1578
2021/02/07 19:16:44 executed programs: 2060
2021/02/07 19:16:49 executed programs: 2517
2021/02/07 19:16:54 executed programs: 2969
2021/02/07 19:16:59 executed programs: 3426
[ 1623.312818] ==================================================================
[ 1623.320313] BUG: KASAN: use-after-free in __lock_acquire+0x2cb4/0x3ff0
[ 1623.327414] Read of size 8 at addr ffff8880aa2cd2e0 by task syz-executor.0/8132
[ 1623.335083]
[ 1623.336717] CPU: 0 PID: 8132 Comm: syz-executor.0 Not tainted 4.19.172-syzkaller #0
[ 1623.344600] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 1623.354458] Call Trace:
[ 1623.357191]  dump_stack+0x1fc/0x2ef
[ 1623.360824]  print_address_description.cold+0x54/0x219
[ 1623.366119]  kasan_report_error.cold+0x8a/0x1b9
[ 1623.370804]  ? __lock_acquire+0x2cb4/0x3ff0
[ 1623.375130]  __asan_report_load8_noabort+0x88/0x90
[ 1623.380283]  ? __lock_acquire+0x2cb4/0x3ff0
[ 1623.384728]  __lock_acquire+0x2cb4/0x3ff0
[ 1623.388865]  ? trace_hardirqs_off+0x64/0x200
[ 1623.393297]  ? _raw_spin_unlock_irqrestore+0x66/0xe0
[ 1623.398402]  ? debug_object_assert_init+0x242/0x2e0
[ 1623.403418]  ? mark_held_locks+0xf0/0xf0
[ 1623.407940]  ? debug_object_free+0x380/0x380
[ 1623.412343]  ? kfree+0xcc/0x210
[ 1623.415607]  ? kfree_const+0x51/0x60
[ 1623.419319]  ? kobject_put+0x2b5/0x5d0
[ 1623.423292]  ? put_device+0x1c/0x30
[ 1623.426933]  ? lock_acquire+0x170/0x3c0
[ 1623.430916]  ? l2cap_conn_del+0x39b/0x6e0
[ 1623.435069]  ? del_timer+0xc3/0x100
[ 1623.438688]  lock_acquire+0x170/0x3c0
[ 1623.442551]  ? lock_sock_nested+0x3b/0x110
[ 1623.446775]  _raw_spin_lock_bh+0x2f/0x40
[ 1623.450855]  ? lock_sock_nested+0x3b/0x110
[ 1623.455776]  lock_sock_nested+0x3b/0x110
[ 1623.460574]  l2cap_sock_teardown_cb+0xa0/0x6d0
[ 1623.465685]  ? lockdep_hardirqs_on+0x3a8/0x5c0
[ 1623.470391]  l2cap_chan_del+0xbc/0xa50
[ 1623.474288]  l2cap_conn_del+0x3a6/0x6e0
[ 1623.478348]  ? l2cap_conn_del+0x6e0/0x6e0
[ 1623.482521]  l2cap_disconn_cfm+0x98/0xd0
[ 1623.486586]  hci_conn_hash_flush+0x127/0x260
[ 1623.491537]  hci_dev_do_close+0x659/0xf10
[ 1623.495697]  ? hci_dev_open+0x250/0x250
[ 1623.499767]  ? hci_unregister_dev+0x71/0x910
[ 1623.504302]  hci_unregister_dev+0x18b/0x910
[ 1623.508727]  ? vhci_close_dev+0x50/0x50
[ 1623.512820]  vhci_release+0x70/0xe0
[ 1623.516649]  __fput+0x2ce/0x890
[ 1623.519951]  task_work_run+0x148/0x1c0
[ 1623.524031]  do_exit+0xbf3/0x2be0
[ 1623.527875]  ? lock_downgrade+0x720/0x720
[ 1623.532031]  ? mm_update_next_owner+0x650/0x650
[ 1623.536802]  ? up_read+0x17/0x110
[ 1623.540357]  ? __do_page_fault+0x180/0xd60
[ 1623.544601]  do_group_exit+0x125/0x310
[ 1623.549091]  __x64_sys_exit_group+0x3a/0x50
[ 1623.553503]  do_syscall_64+0xf9/0x620
[ 1623.557320]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 1623.562524] RIP: 0033:0x465b09
[ 1623.565779] Code: 00 e9 30 ff ff ff 83 f9 77 75 26 48 83 b8 d8 00 00 00 00 7c e2 83 f9 72 75 10 80 78 19 00 74 0a b9 03 00 00 00 e9 0c ff ff ff <31> c9 e9 05 ff ff ff 83 f9 72 eb e2 e8 c6 35 00 00 e9 c1 fe ff ff
[ 1623.584887] RSP: 002b:00007ffc60227a18 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 1623.592648] RAX: ffffffffffffffda RBX: 0000000000002852 RCX: 0000000000465b09
[ 1623.600016] RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000043
[ 1623.607272] RBP: 00000000004b0265 R08: 000000000000000b R09: 0000000000000005
[ 1623.614543] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[ 1623.621969] R13: 000000000018c513 R14: 0000000000000005 R15: 00007ffc60227c00
[ 1623.629249]
[ 1623.630877] Allocated by task 18925:
[ 1623.634595]  __kmalloc+0x15a/0x3c0
[ 1623.638125]  sk_prot_alloc+0x1e2/0x2d0
[ 1623.642034]  sk_alloc+0x36/0xec0
[ 1623.645509]  l2cap_sock_alloc.constprop.0+0x31/0x210
[ 1623.650617]  l2cap_sock_create+0x123/0x1f0
[ 1623.655000]  bt_sock_create+0x154/0x2a0
[ 1623.658998]  __sock_create+0x3d8/0x740
[ 1623.662890]  __sys_socket+0xef/0x200
[ 1623.666614]  __x64_sys_socket+0x6f/0xb0
[ 1623.670593]  do_syscall_64+0xf9/0x620
[ 1623.674386]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 1623.679565]
[ 1623.681175] Freed by task 18924:
[ 1623.684660]  kfree+0xcc/0x210
[ 1623.687915]  __sk_destruct+0x684/0x8a0
[ 1623.691793]  __sk_free+0x165/0x3b0
[ 1623.695322]  sk_free+0x3b/0x50
[ 1623.698596]  l2cap_sock_kill.part.0+0x124/0x150
[ 1623.703264]  l2cap_sock_release+0x1e6/0x290
[ 1623.707581]  __sock_release+0xcd/0x2a0
[ 1623.711550]  sock_close+0x15/0x20
[ 1623.715020]  __fput+0x2ce/0x890
[ 1623.718298]  task_work_run+0x148/0x1c0
[ 1623.722439]  exit_to_usermode_loop+0x251/0x2a0
[ 1623.727013]  do_syscall_64+0x538/0x620
[ 1623.730887]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 1623.736065]
[ 1623.737676] The buggy address belongs to the object at ffff8880aa2cd240
[ 1623.737676]  which belongs to the cache kmalloc-2048 of size 2048
[ 1623.750534] The buggy address is located 160 bytes inside of
[ 1623.750534]  2048-byte region [ffff8880aa2cd240, ffff8880aa2cda40)
[ 1623.762518] The buggy address belongs to the page:
[ 1623.767454] page:ffffea0002a8b300 count:1 mapcount:0 mapping:ffff88813bff0c40 index:0x0 compound_mapcount: 0
[ 1623.778141] flags: 0xfff00000008100(slab|head)
[ 1623.782721] raw: 00fff00000008100 ffffea00027e6488 ffffea0002a68308 ffff88813bff0c40
[ 1623.790615] raw: 0000000000000000 ffff8880aa2cc140 0000000100000003 0000000000000000
[ 1623.798499] page dumped because: kasan: bad access detected
[ 1623.804198]
[ 1623.805810] Memory state around the buggy address:
[ 1623.810730]  ffff8880aa2cd180: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 1623.818205]  ffff8880aa2cd200: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 1623.825872] >ffff8880aa2cd280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1623.833271]                                           ^
[ 1623.839754]  ffff8880aa2cd300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1623.847421]  ffff8880aa2cd380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1623.855269] ==================================================================
[ 1623.862757] Disabling lock debugging due to kernel taint
[ 1623.868544] Kernel panic - not syncing: panic_on_warn set ...
[ 1623.868544]
[ 1623.875906] CPU: 0 PID: 8132 Comm: syz-executor.0 Tainted: G    B             4.19.172-syzkaller #0
[ 1623.885496] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 1623.896416] Call Trace:
[ 1623.899006]  dump_stack+0x1fc/0x2ef
[ 1623.902719]  panic+0x26a/0x50e
[ 1623.905970]  ? __warn_printk+0xf3/0xf3
[ 1623.909869]  ? lock_downgrade+0x720/0x720
[ 1623.914014]  ? print_shadow_for_address+0xb8/0x114
[ 1623.919144]  ? trace_hardirqs_off+0x64/0x200
[ 1623.923651]  kasan_end_report+0x43/0x49
[ 1623.928091]  kasan_report_error.cold+0xa7/0x1b9
[ 1623.932781]  ? __lock_acquire+0x2cb4/0x3ff0
[ 1623.937132]  __asan_report_load8_noabort+0x88/0x90
[ 1623.942079]  ? __lock_acquire+0x2cb4/0x3ff0
[ 1623.946422]  __lock_acquire+0x2cb4/0x3ff0
[ 1623.950921]  ? trace_hardirqs_off+0x64/0x200
[ 1623.955445]  ? _raw_spin_unlock_irqrestore+0x66/0xe0
[ 1623.960560]  ? debug_object_assert_init+0x242/0x2e0
[ 1623.965582]  ? mark_held_locks+0xf0/0xf0
[ 1623.969875]  ? debug_object_free+0x380/0x380
[ 1623.974551]  ? kfree+0xcc/0x210
[ 1623.977935]  ? kfree_const+0x51/0x60
[ 1623.981657]  ? kobject_put+0x2b5/0x5d0
[ 1623.985739]  ? put_device+0x1c/0x30
[ 1623.989377]  ? lock_acquire+0x170/0x3c0
[ 1623.993348]  ? l2cap_conn_del+0x39b/0x6e0
[ 1623.997529]  ? del_timer+0xc3/0x100
[ 1624.002321]  lock_acquire+0x170/0x3c0
[ 1624.006117]  ? lock_sock_nested+0x3b/0x110
[ 1624.010931]  _raw_spin_lock_bh+0x2f/0x40
[ 1624.015644]  ? lock_sock_nested+0x3b/0x110
[ 1624.020294]  lock_sock_nested+0x3b/0x110
[ 1624.024723]  l2cap_sock_teardown_cb+0xa0/0x6d0
[ 1624.029558]  ? lockdep_hardirqs_on+0x3a8/0x5c0
[ 1624.034397]  l2cap_chan_del+0xbc/0xa50
[ 1624.038373]  l2cap_conn_del+0x3a6/0x6e0
[ 1624.042513]  ? l2cap_conn_del+0x6e0/0x6e0
[ 1624.046674]  l2cap_disconn_cfm+0x98/0xd0
[ 1624.050838]  hci_conn_hash_flush+0x127/0x260
[ 1624.056645]  hci_dev_do_close+0x659/0xf10
[ 1624.061669]  ? hci_dev_open+0x250/0x250
[ 1624.065776]  ? hci_unregister_dev+0x71/0x910
[ 1624.070368]  hci_unregister_dev+0x18b/0x910
[ 1624.074701]  ? vhci_close_dev+0x50/0x50
[ 1624.078678]  vhci_release+0x70/0xe0
[ 1624.082416]  __fput+0x2ce/0x890
[ 1624.085855]  task_work_run+0x148/0x1c0
[ 1624.090093]  do_exit+0xbf3/0x2be0
[ 1624.093735]  ? lock_downgrade+0x720/0x720
[ 1624.098959]  ? mm_update_next_owner+0x650/0x650
[ 1624.103927]  ? up_read+0x17/0x110
[ 1624.107498]  ? __do_page_fault+0x180/0xd60
[ 1624.112111]  do_group_exit+0x125/0x310
[ 1624.116088]  __x64_sys_exit_group+0x3a/0x50
[ 1624.120421]  do_syscall_64+0xf9/0x620
[ 1624.124342]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 1624.129814] RIP: 0033:0x465b09
[ 1624.133102] Code: 00 e9 30 ff ff ff 83 f9 77 75 26 48 83 b8 d8 00 00 00 00 7c e2 83 f9 72 75 10 80 78 19 00 74 0a b9 03 00 00 00 e9 0c ff ff ff <31> c9 e9 05 ff ff ff 83 f9 72 eb e2 e8 c6 35 00 00 e9 c1 fe ff ff
[ 1624.155162] RSP: 002b:00007ffc60227a18 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 1624.163588] RAX: ffffffffffffffda RBX: 0000000000002852 RCX: 0000000000465b09
[ 1624.171172] RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000043
[ 1624.179692] RBP: 00000000004b0265 R08: 000000000000000b R09: 0000000000000005
[ 1624.187700] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[ 1624.195157] R13: 000000000018c513 R14: 0000000000000005 R15: 00007ffc60227c00
[ 1624.203503] Kernel Offset: disabled
[ 1624.207425] Rebooting in 86400 seconds..