Warning: Permanently added '10.128.10.22' (ECDSA) to the list of known hosts.
2021/01/31 18:13:17 parsed 1 programs
2021/01/31 18:13:17 executed programs: 0
syzkaller login: [ 1583.509172] IPVS: ftp: loaded support on port[0] = 21
[ 1583.586987] chnl_net:caif_netlink_parms(): no params data found
[ 1583.659910] bridge0: port 1(bridge_slave_0) entered blocking state
[ 1583.666555] bridge0: port 1(bridge_slave_0) entered disabled state
[ 1583.674088] device bridge_slave_0 entered promiscuous mode
[ 1583.681474] bridge0: port 2(bridge_slave_1) entered blocking state
[ 1583.687929] bridge0: port 2(bridge_slave_1) entered disabled state
[ 1583.694761] device bridge_slave_1 entered promiscuous mode
[ 1583.710524] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 1583.719247] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 1583.736016] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 1583.743468] team0: Port device team_slave_0 added
[ 1583.749178] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 1583.756140] team0: Port device team_slave_1 added
[ 1583.771211] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 1583.777510] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 1583.803191] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[ 1583.814797] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 1583.821364] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 1583.846881] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[ 1583.857813] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[ 1583.865019] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[ 1583.882861] device hsr_slave_0 entered promiscuous mode
[ 1583.888464] device hsr_slave_1 entered promiscuous mode
[ 1583.894212] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready
[ 1583.901784] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_1: link is not ready
[ 1583.961082] bridge0: port 2(bridge_slave_1) entered blocking state
[ 1583.967482] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 1583.974138] bridge0: port 1(bridge_slave_0) entered blocking state
[ 1583.980687] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 1584.006291] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[ 1584.012554] 8021q: adding VLAN 0 to HW filter on device bond0
[ 1584.021639] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 1584.030839] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 1584.048781] bridge0: port 1(bridge_slave_0) entered disabled state
[ 1584.055628] bridge0: port 2(bridge_slave_1) entered disabled state
[ 1584.065104] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready
[ 1584.071228] 8021q: adding VLAN 0 to HW filter on device team0
[ 1584.079191] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 1584.087079] bridge0: port 1(bridge_slave_0) entered blocking state
[ 1584.093457] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 1584.112047] hsr0: Slave A (hsr_slave_0) is not up; please bring it up to get a fully working HSR network
[ 1584.122388] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
[ 1584.132911] IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready
[ 1584.140008] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 1584.148022] bridge0: port 2(bridge_slave_1) entered blocking state
[ 1584.154389] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 1584.161898] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 1584.170123] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 1584.177882] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 1584.185320] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 1584.193624] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 1584.200694] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 1584.212317] IPv6: ADDRCONF(NETDEV_UP): vxcan0: link is not ready
[ 1584.219374] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 1584.225994] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 1584.236383] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 1584.284658] IPv6: ADDRCONF(NETDEV_UP): veth0_virt_wifi: link is not ready
[ 1584.294000] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 1584.319905] IPv6: ADDRCONF(NETDEV_UP): veth0_vlan: link is not ready
[ 1584.327784] IPv6: ADDRCONF(NETDEV_UP): vlan0: link is not ready
[ 1584.334126] IPv6: ADDRCONF(NETDEV_UP): vlan1: link is not ready
[ 1584.342856] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 1584.350619] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 1584.357646] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 1584.366024] device veth0_vlan entered promiscuous mode
[ 1584.374223] device veth1_vlan entered promiscuous mode
[ 1584.380257] IPv6: ADDRCONF(NETDEV_UP): macvlan0: link is not ready
[ 1584.389188] IPv6: ADDRCONF(NETDEV_UP): macvlan1: link is not ready
[ 1584.399737] IPv6: ADDRCONF(NETDEV_UP): veth0_macvtap: link is not ready
[ 1584.409231] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan0: link becomes ready
[ 1584.416308] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan1: link becomes ready
[ 1584.423783] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 1584.432705] device veth0_macvtap entered promiscuous mode
[ 1584.438749] IPv6: ADDRCONF(NETDEV_UP): macvtap0: link is not ready
[ 1584.446180] device veth1_macvtap entered promiscuous mode
[ 1584.454656] IPv6: ADDRCONF(NETDEV_UP): veth0_to_batadv: link is not ready
[ 1584.463897] IPv6: ADDRCONF(NETDEV_UP): veth1_to_batadv: link is not ready
[ 1584.473182] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 1584.480309] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 1584.488417] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready
[ 1584.498922] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 1584.508287] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 1584.576872] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 1585.537939] Bluetooth: hci0 command 0x0409 tx timeout
[ 1587.616424] Bluetooth: hci0 command 0x041b tx timeout
2021/01/31 18:13:23 executed programs: 4
[ 1589.706327] Bluetooth: hci0 command 0x040f tx timeout
[ 1591.775949] Bluetooth: hci0 command 0x0419 tx timeout
2021/01/31 18:13:28 executed programs: 10
[ 1593.855835] Bluetooth: hci0 command 0x0405 tx timeout
2021/01/31 18:13:33 executed programs: 16
2021/01/31 18:13:38 executed programs: 22
2021/01/31 18:13:43 executed programs: 28
2021/01/31 18:13:48 executed programs: 34
2021/01/31 18:13:53 executed programs: 40
2021/01/31 18:13:58 executed programs: 46
2021/01/31 18:14:03 executed programs: 52
2021/01/31 18:14:08 executed programs: 58
2021/01/31 18:14:13 executed programs: 64
2021/01/31 18:14:18 executed programs: 70
2021/01/31 18:14:23 executed programs: 76
2021/01/31 18:14:28 executed programs: 82
2021/01/31 18:14:33 executed programs: 88
2021/01/31 18:14:38 executed programs: 94
2021/01/31 18:14:44 executed programs: 100
2021/01/31 18:14:49 executed programs: 106
2021/01/31 18:14:54 executed programs: 112
2021/01/31 18:14:59 executed programs: 118
2021/01/31 18:15:04 executed programs: 124
2021/01/31 18:15:09 executed programs: 130
2021/01/31 18:15:14 executed programs: 136
2021/01/31 18:15:19 executed programs: 142
2021/01/31 18:15:24 executed programs: 148
[ 1709.928172] Bluetooth: hci0 command 0x0406 tx timeout
2021/01/31 18:15:29 executed programs: 154
2021/01/31 18:15:34 executed programs: 160
2021/01/31 18:15:39 executed programs: 166
2021/01/31 18:15:44 executed programs: 172
2021/01/31 18:15:49 executed programs: 178
2021/01/31 18:15:54 executed programs: 184
2021/01/31 18:15:59 executed programs: 190
2021/01/31 18:16:04 executed programs: 196
2021/01/31 18:16:09 executed programs: 202
2021/01/31 18:16:14 executed programs: 208
2021/01/31 18:16:19 executed programs: 214
2021/01/31 18:16:24 executed programs: 220
2021/01/31 18:16:30 executed programs: 226
2021/01/31 18:16:35 executed programs: 232
2021/01/31 18:16:40 executed programs: 238
2021/01/31 18:16:45 executed programs: 244
2021/01/31 18:16:50 executed programs: 250
2021/01/31 18:16:55 executed programs: 256
2021/01/31 18:17:00 executed programs: 262
2021/01/31 18:17:05 executed programs: 268
2021/01/31 18:17:10 executed programs: 274
2021/01/31 18:17:15 executed programs: 280
2021/01/31 18:17:20 executed programs: 286
2021/01/31 18:17:25 executed programs: 292
[ 1833.280798] ==================================================================
[ 1833.288194] BUG: KASAN: use-after-free in __lock_acquire+0x2c57/0x3f20
[ 1833.294831] Read of size 8 at addr ffff8880ac272460 by task kworker/1:3/4648
[ 1833.301983]
[ 1833.303587] CPU: 1 PID: 4648 Comm: kworker/1:3 Not tainted 4.14.218-syzkaller #0
[ 1833.311088] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 1833.320450] Workqueue: events l2cap_chan_timeout
[ 1833.325175] Call Trace:
[ 1833.327740]  dump_stack+0x1b2/0x281
[ 1833.331343]  print_address_description.cold+0x54/0x1d3
[ 1833.336593]  kasan_report_error.cold+0x8a/0x191
[ 1833.341238]  ? __lock_acquire+0x2c57/0x3f20
[ 1833.345557]  __asan_report_load8_noabort+0x68/0x70
[ 1833.350458]  ? __lock_acquire+0x2c57/0x3f20
[ 1833.354748]  __lock_acquire+0x2c57/0x3f20
[ 1833.358868]  ? lock_acquire+0x170/0x3f0
[ 1833.362813]  ? lock_downgrade+0x740/0x740
[ 1833.366938]  ? trace_hardirqs_on+0x10/0x10
[ 1833.371147]  ? debug_object_assert_init+0x22d/0x2d0
[ 1833.376139]  ? debug_object_active_state+0x330/0x330
[ 1833.381215]  ? ret_from_fork+0x24/0x30
[ 1833.385074]  ? add_lock_to_list.constprop.0+0x17d/0x330
[ 1833.390407]  ? save_trace+0xd6/0x290
[ 1833.394102]  lock_acquire+0x170/0x3f0
[ 1833.397884]  ? lock_sock_nested+0x39/0x100
[ 1833.402088]  _raw_spin_lock_bh+0x2f/0x40
[ 1833.406118]  ? lock_sock_nested+0x39/0x100
[ 1833.410322]  lock_sock_nested+0x39/0x100
[ 1833.414356]  l2cap_sock_teardown_cb+0x93/0x650
[ 1833.418911]  l2cap_chan_del+0xaf/0x950
[ 1833.422772]  l2cap_chan_close+0x103/0x870
[ 1833.426910]  ? __set_monitor_timer+0x1d0/0x1d0
[ 1833.431486]  ? lock_acquire+0x170/0x3f0
[ 1833.435429]  l2cap_chan_timeout+0x143/0x2a0
[ 1833.439723]  process_one_work+0x793/0x14a0
[ 1833.443945]  ? work_busy+0x320/0x320
[ 1833.447634]  ? worker_thread+0x158/0xff0
[ 1833.451686]  ? _raw_spin_unlock_irq+0x24/0x80
[ 1833.456153]  worker_thread+0x5cc/0xff0
[ 1833.460017]  ? rescuer_thread+0xc80/0xc80
[ 1833.464136]  kthread+0x30d/0x420
[ 1833.467475]  ? kthread_create_on_node+0xd0/0xd0
[ 1833.472115]  ret_from_fork+0x24/0x30
[ 1833.475805]
[ 1833.477409] Allocated by task 9725:
[ 1833.481013]  kasan_kmalloc+0xeb/0x160
[ 1833.484785]  __kmalloc+0x15a/0x400
[ 1833.488297]  sk_prot_alloc+0x1ba/0x290
[ 1833.492155]  sk_alloc+0x36/0xcd0
[ 1833.495495]  l2cap_sock_alloc.constprop.0+0x31/0x210
[ 1833.500572]  l2cap_sock_create+0xf0/0x1a0
[ 1833.504690]  bt_sock_create+0x13b/0x280
[ 1833.508639]  __sock_create+0x303/0x620
[ 1833.512583]  SyS_socket+0xd1/0x1b0
[ 1833.516095]  do_syscall_64+0x1d5/0x640
[ 1833.519955]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 1833.525114]
[ 1833.526714] Freed by task 9725:
[ 1833.529964]  kasan_slab_free+0xc3/0x1a0
[ 1833.533909]  kfree+0xc9/0x250
[ 1833.536986]  __sk_destruct+0x5e3/0x760
[ 1833.540847]  __sk_free+0xd9/0x2d0
[ 1833.544272]  sk_free+0x2b/0x40
[ 1833.547440]  l2cap_sock_kill.part.0+0x106/0x130
[ 1833.552079]  l2cap_sock_release+0x1cd/0x280
[ 1833.556385]  __sock_release+0xcd/0x2b0
[ 1833.560243]  sock_close+0x15/0x20
[ 1833.563696]  __fput+0x25f/0x7a0
[ 1833.566978]  task_work_run+0x11f/0x190
[ 1833.570838]  get_signal+0x18a3/0x1ca0
[ 1833.574608]  do_signal+0x7c/0x1550
[ 1833.578118]  exit_to_usermode_loop+0x160/0x200
[ 1833.582670]  do_syscall_64+0x4a3/0x640
[ 1833.586529]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 1833.591699]
[ 1833.593299] The buggy address belongs to the object at ffff8880ac2723c0
[ 1833.593299]  which belongs to the cache kmalloc-2048 of size 2048
[ 1833.606110] The buggy address is located 160 bytes inside of
[ 1833.606110]  2048-byte region [ffff8880ac2723c0, ffff8880ac272bc0)
[ 1833.618126] The buggy address belongs to the page:
[ 1833.623031] page:ffffea0002b09c80 count:1 mapcount:0 mapping:ffff8880ac2723c0 index:0x0 compound_mapcount: 0
[ 1833.632967] flags: 0xfff00000008100(slab|head)
[ 1833.637521] raw: 00fff00000008100 ffff8880ac2723c0 0000000000000000 0000000100000003
[ 1833.645380] raw: ffffea0002b06420 ffffea0002b01fa0 ffff88813fe80c40 0000000000000000
[ 1833.653229] page dumped because: kasan: bad access detected
[ 1833.658906]
[ 1833.660510] Memory state around the buggy address:
[ 1833.665412]  ffff8880ac272300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 1833.672747]  ffff8880ac272380: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 1833.680078] >ffff8880ac272400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1833.687405]                                                        ^
[ 1833.693898]  ffff8880ac272480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1833.701234]  ffff8880ac272500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1833.708565] ==================================================================
[ 1833.715894] Disabling lock debugging due to kernel taint
[ 1833.721322] Kernel panic - not syncing: panic_on_warn set ...
[ 1833.721322]
[ 1833.728656] CPU: 1 PID: 4648 Comm: kworker/1:3 Tainted: G    B   4.14.218-syzkaller #0
[ 1833.737380] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 1833.746713] Workqueue: events l2cap_chan_timeout
[ 1833.751440] Call Trace:
[ 1833.754005]  dump_stack+0x1b2/0x281
[ 1833.757605]  panic+0x1f9/0x42d
[ 1833.760804]  ? add_taint.cold+0x16/0x16
[ 1833.764891]  ? lock_downgrade+0x740/0x740
[ 1833.769059]  kasan_end_report+0x43/0x49
[ 1833.773008]  kasan_report_error.cold+0xa7/0x191
[ 1833.777648]  ? __lock_acquire+0x2c57/0x3f20
[ 1833.781944]  __asan_report_load8_noabort+0x68/0x70
[ 1833.786845]  ? __lock_acquire+0x2c57/0x3f20
[ 1833.791145]  __lock_acquire+0x2c57/0x3f20
[ 1833.795264]  ? lock_acquire+0x170/0x3f0
[ 1833.799212]  ? lock_downgrade+0x740/0x740
[ 1833.803402]  ? trace_hardirqs_on+0x10/0x10
[ 1833.807610]  ? debug_object_assert_init+0x22d/0x2d0
[ 1833.812609]  ? debug_object_active_state+0x330/0x330
[ 1833.817685]  ? ret_from_fork+0x24/0x30
[ 1833.821549]  ? add_lock_to_list.constprop.0+0x17d/0x330
[ 1833.826934]  ? save_trace+0xd6/0x290
[ 1833.830632]  lock_acquire+0x170/0x3f0
[ 1833.834411]  ? lock_sock_nested+0x39/0x100
[ 1833.838656]  _raw_spin_lock_bh+0x2f/0x40
[ 1833.842700]  ? lock_sock_nested+0x39/0x100
[ 1833.846929]  lock_sock_nested+0x39/0x100
[ 1833.850963]  l2cap_sock_teardown_cb+0x93/0x650
[ 1833.855524]  l2cap_chan_del+0xaf/0x950
[ 1833.859384]  l2cap_chan_close+0x103/0x870
[ 1833.863505]  ? __set_monitor_timer+0x1d0/0x1d0
[ 1833.868059]  ? lock_acquire+0x170/0x3f0
[ 1833.872021]  l2cap_chan_timeout+0x143/0x2a0
[ 1833.876376]  process_one_work+0x793/0x14a0
[ 1833.880585]  ? work_busy+0x320/0x320
[ 1833.884271]  ? worker_thread+0x158/0xff0
[ 1833.888307]  ? _raw_spin_unlock_irq+0x24/0x80
[ 1833.892776]  worker_thread+0x5cc/0xff0
[ 1833.896636]  ? rescuer_thread+0xc80/0xc80
[ 1833.900766]  kthread+0x30d/0x420
[ 1833.904105]  ? kthread_create_on_node+0xd0/0xd0
[ 1833.908745]  ret_from_fork+0x24/0x30
[ 1833.913071] Kernel Offset: disabled
[ 1833.916698] Rebooting in 86400 seconds..