Warning: Permanently added '10.128.1.22' (ECDSA) to the list of known hosts.
2021/10/15 17:27:35 parsed 1 programs
[ 1583.691993][ T6543] cgroup: Unknown subsys name 'net'
[ 1583.707076][ T6543] cgroup: Unknown subsys name 'rlimit'
2021/10/15 17:27:36 executed programs: 0
[ 1584.076636][   T25] audit: type=1400 audit(1634318856.274:8): avc:  denied  { execmem } for  pid=6554 comm="syz-executor.0" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=1
[ 1585.465556][ T6555] chnl_net:caif_netlink_parms(): no params data found
[ 1585.536472][ T6555] bridge0: port 1(bridge_slave_0) entered blocking state
[ 1585.544288][ T6555] bridge0: port 1(bridge_slave_0) entered disabled state
[ 1585.554332][ T6555] device bridge_slave_0 entered promiscuous mode
[ 1585.564021][ T6555] bridge0: port 2(bridge_slave_1) entered blocking state
[ 1585.571270][ T6555] bridge0: port 2(bridge_slave_1) entered disabled state
[ 1585.581235][ T6555] device bridge_slave_1 entered promiscuous mode
[ 1585.615683][ T6555] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 1585.626625][ T6555] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 1585.662069][ T6555] team0: Port device team_slave_0 added
[ 1585.669651][ T6555] team0: Port device team_slave_1 added
[ 1585.698119][ T6555] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 1585.705327][ T6555] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 1585.731502][ T6555] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[ 1585.745918][ T6555] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 1585.752926][ T6555] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 1585.778877][ T6555] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[ 1585.816865][ T6555] device hsr_slave_0 entered promiscuous mode
[ 1585.824427][ T6555] device hsr_slave_1 entered promiscuous mode
[ 1585.957938][ T6555] netdevsim netdevsim0 netdevsim0: renamed from eth0
[ 1585.969189][ T6555] netdevsim netdevsim0 netdevsim1: renamed from eth1
[ 1585.982285][ T6555] netdevsim netdevsim0 netdevsim2: renamed from eth2
[ 1585.992952][ T6555] netdevsim netdevsim0 netdevsim3: renamed from eth3
[ 1586.017058][ T6555] bridge0: port 2(bridge_slave_1) entered blocking state
[ 1586.024215][ T6555] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 1586.032086][ T6555] bridge0: port 1(bridge_slave_0) entered blocking state
[ 1586.039143][ T6555] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 1586.090442][ T6555] 8021q: adding VLAN 0 to HW filter on device bond0
[ 1586.104472][ T6889] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 1586.116590][ T6889] bridge0: port 1(bridge_slave_0) entered disabled state
[ 1586.126091][ T6889] bridge0: port 2(bridge_slave_1) entered disabled state
[ 1586.134581][ T6889] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 1586.149125][ T6555] 8021q: adding VLAN 0 to HW filter on device team0
[ 1586.160553][ T6721] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 1586.169998][ T6721] bridge0: port 1(bridge_slave_0) entered blocking state
[ 1586.177083][ T6721] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 1586.202055][ T6721] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 1586.210427][ T6721] bridge0: port 2(bridge_slave_1) entered blocking state
[ 1586.217552][ T6721] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 1586.226051][ T6721] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 1586.235477][ T6721] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 1586.244834][ T6527] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 1586.255357][ T6889] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 1586.270733][ T6555] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
[ 1586.282602][ T6555] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 1586.290659][ T6527] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 1586.311780][ T6527] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 1586.319175][ T6527] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 1586.332381][ T6555] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 1586.350652][ T6527] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 1586.372177][ T6527] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 1586.380322][ T6527] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 1586.388311][ T6527] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 1586.398142][ T6555] device veth0_vlan entered promiscuous mode
[ 1586.410826][ T6555] device veth1_vlan entered promiscuous mode
[ 1586.433497][ T6889] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan0: link becomes ready
[ 1586.443191][ T6889] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan1: link becomes ready
[ 1586.451216][ T6889] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 1586.463735][ T6555] device veth0_macvtap entered promiscuous mode
[ 1586.475900][ T6555] device veth1_macvtap entered promiscuous mode
[ 1586.493556][ T6555] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 1586.500916][ T6889] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready
[ 1586.512210][ T6889] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 1586.525498][ T6555] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 1586.533028][ T6527] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready
[ 1586.543939][ T6527] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 1586.556694][ T6555] netdevsim netdevsim0 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0
[ 1586.566091][ T6555] netdevsim netdevsim0 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0
[ 1586.576721][ T6555] netdevsim netdevsim0 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0
[ 1586.586037][ T6555] netdevsim netdevsim0 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0
[ 1586.686719][    T8] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[ 1586.700712][    T8] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50
[ 1586.727001][ T6889] IPv6: ADDRCONF(NETDEV_CHANGE): wlan0: link becomes ready
[ 1586.746392][  T155] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[ 1586.756007][  T155] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50
[ 1586.769800][ T6889] IPv6: ADDRCONF(NETDEV_CHANGE): wlan1: link becomes ready
[ 1587.242947][ T6889] Bluetooth: hci0: command 0x0409 tx timeout
2021/10/15 17:27:41 executed programs: 59
[ 1589.312784][ T6890] Bluetooth: hci0: command 0x041b tx timeout
[ 1591.402033][ T6889] Bluetooth: hci0: command 0x040f tx timeout
[ 1593.480925][ T6889] Bluetooth: hci0: command 0x0419 tx timeout
2021/10/15 17:27:46 executed programs: 201
[ 1595.553775][ T6889] Bluetooth: hci0: command 0x0405 tx timeout
2021/10/15 17:27:51 executed programs: 343
2021/10/15 17:27:56 executed programs: 491
[ 1606.920401][ T1360] ieee802154 phy0 wpan0: encryption failed: -22
[ 1606.927016][ T1360] ieee802154 phy1 wpan1: encryption failed: -22
2021/10/15 17:28:01 executed programs: 625
2021/10/15 17:28:06 executed programs: 777
2021/10/15 17:28:11 executed programs: 919
2021/10/15 17:28:16 executed programs: 1064
[ 1628.679713][ T6889] ==================================================================
[ 1628.687801][ T6889] BUG: KASAN: use-after-free in __lock_acquire+0x3d86/0x54a0
[ 1628.695271][ T6889] Read of size 8 at addr ffff888020832120 by task kworker/0:2/6889
[ 1628.703167][ T6889]
[ 1628.705496][ T6889] CPU: 0 PID: 6889 Comm: kworker/0:2 Not tainted 5.15.0-rc5-syzkaller #0
[ 1628.713919][ T6889] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 1628.723977][ T6889] Workqueue: events l2cap_chan_timeout
[ 1628.729554][ T6889] Call Trace:
[ 1628.732843][ T6889]  dump_stack_lvl+0xcd/0x134
[ 1628.737484][ T6889]  print_address_description.constprop.0.cold+0x6c/0x2d6
[ 1628.744547][ T6889]  ? __lock_acquire+0x3d86/0x54a0
[ 1628.749572][ T6889]  ? __lock_acquire+0x3d86/0x54a0
[ 1628.754609][ T6889]  kasan_report.cold+0x83/0xdf
[ 1628.759366][ T6889]  ? __lock_acquire+0x3d86/0x54a0
[ 1628.764383][ T6889]  __lock_acquire+0x3d86/0x54a0
[ 1628.769230][ T6889]  ? mark_lock+0xef/0x17b0
[ 1628.773638][ T6889]  ? _raw_spin_unlock_irqrestore+0x3d/0x70
[ 1628.779515][ T6889]  ? debug_object_assert_init+0x246/0x2e0
[ 1628.785265][ T6889]  ? lockdep_hardirqs_on_prepare+0x400/0x400
[ 1628.791244][ T6889]  lock_acquire+0x1ab/0x510
[ 1628.795739][ T6889]  ? l2cap_sock_teardown_cb+0xa1/0x660
[ 1628.801237][ T6889]  ? lock_release+0x720/0x720
[ 1628.805906][ T6889]  ? mark_held_locks+0x9f/0xe0
[ 1628.810662][ T6889]  ? cancel_delayed_work+0x2bd/0x340
[ 1628.815974][ T6889]  lock_sock_nested+0x2f/0xf0
[ 1628.820683][ T6889]  ? l2cap_sock_teardown_cb+0xa1/0x660
[ 1628.826141][ T6889]  l2cap_sock_teardown_cb+0xa1/0x660
[ 1628.831423][ T6889]  ? __mutex_lock+0x21c/0x12f0
[ 1628.836188][ T6889]  l2cap_chan_del+0xbc/0xa80
[ 1628.840773][ T6889]  l2cap_chan_close+0x1b9/0xaf0
[ 1628.845620][ T6889]  ? l2cap_rx+0x1fb0/0x1fb0
[ 1628.850115][ T6889]  ? lock_release+0x720/0x720
[ 1628.854784][ T6889]  ? lock_downgrade+0x6e0/0x6e0
[ 1628.859631][ T6889]  l2cap_chan_timeout+0x17e/0x2f0
[ 1628.864683][ T6889]  process_one_work+0x9bf/0x16b0
[ 1628.869699][ T6889]  ? pwq_dec_nr_in_flight+0x2a0/0x2a0
[ 1628.875073][ T6889]  ? rwlock_bug.part.0+0x90/0x90
[ 1628.880014][ T6889]  ? _raw_spin_lock_irq+0x41/0x50
[ 1628.885057][ T6889]  worker_thread+0x658/0x11f0
[ 1628.889734][ T6889]  ? process_one_work+0x16b0/0x16b0
[ 1628.894929][ T6889]  kthread+0x3e5/0x4d0
[ 1628.898993][ T6889]  ? set_kthread_struct+0x130/0x130
[ 1628.904201][ T6889]  ret_from_fork+0x1f/0x30
[ 1628.908636][ T6889]
[ 1628.910946][ T6889] Allocated by task 10811:
[ 1628.915347][ T6889]  kasan_save_stack+0x1b/0x40
[ 1628.920057][ T6889]  __kasan_kmalloc+0xa1/0xd0
[ 1628.924639][ T6889]  kmem_cache_alloc_trace+0x1e4/0x480
[ 1628.930004][ T6889]  l2cap_chan_create+0x40/0x570
[ 1628.934847][ T6889]  l2cap_sock_alloc.constprop.0+0x185/0x230
[ 1628.940734][ T6889]  l2cap_sock_create+0x123/0x1f0
[ 1628.945663][ T6889]  bt_sock_create+0x17c/0x340
[ 1628.950370][ T6889]  __sock_create+0x353/0x790
[ 1628.954990][ T6889]  __sys_socket+0xef/0x200
[ 1628.959395][ T6889]  __x64_sys_socket+0x6f/0xb0
[ 1628.964068][ T6889]  do_syscall_64+0x35/0xb0
[ 1628.968511][ T6889]  entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 1628.974431][ T6889]
[ 1628.976748][ T6889] Freed by task 10810:
[ 1628.980813][ T6889]  kasan_save_stack+0x1b/0x40
[ 1628.985497][ T6889]  kasan_set_track+0x1c/0x30
[ 1628.990100][ T6889]  kasan_set_free_info+0x20/0x30
[ 1628.995041][ T6889]  __kasan_slab_free+0xd1/0x110
[ 1628.999891][ T6889]  kfree+0x10a/0x2c0
[ 1629.003779][ T6889]  l2cap_chan_put+0x22b/0x2d0
[ 1629.008453][ T6889]  l2cap_sock_release+0x194/0x200
[ 1629.013471][ T6889]  __sock_release+0xcd/0x280
[ 1629.018051][ T6889]  sock_close+0x18/0x20
[ 1629.022194][ T6889]  __fput+0x288/0x9f0
[ 1629.026246][ T6889]  task_work_run+0xdd/0x1a0
[ 1629.030737][ T6889]  exit_to_user_mode_prepare+0x27e/0x290
[ 1629.036512][ T6889]  syscall_exit_to_user_mode+0x19/0x60
[ 1629.041964][ T6889]  do_syscall_64+0x42/0xb0
[ 1629.046370][ T6889]  entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 1629.052260][ T6889]
[ 1629.054570][ T6889] The buggy address belongs to the object at ffff888020832000
[ 1629.054570][ T6889]  which belongs to the cache kmalloc-2k of size 2048
[ 1629.068605][ T6889] The buggy address is located 288 bytes inside of
[ 1629.068605][ T6889]  2048-byte region [ffff888020832000, ffff888020832800)
[ 1629.081951][ T6889] The buggy address belongs to the page:
[ 1629.087564][ T6889] page:ffffea0000820c80 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x20832
[ 1629.097703][ T6889] flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff)
[ 1629.105247][ T6889] raw: 00fff00000000200 ffffea0001e31308 ffffea0001cd09c8 ffff888010c40800
[ 1629.113836][ T6889] raw: 0000000000000000 ffff888020832000 0000000100000001 0000000000000000
[ 1629.122400][ T6889] page dumped because: kasan: bad access detected
[ 1629.128795][ T6889] page_owner tracks the page as allocated
[ 1629.134490][ T6889] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x242220(__GFP_HIGH|__GFP_ATOMIC|__GFP_NOWARN|__GFP_COMP|__GFP_THISNODE), pid 7064, ts 1588388281206, free_ts 1588361940490
[ 1629.153143][ T6889]  get_page_from_freelist+0xa72/0x2f80
[ 1629.158623][ T6889]  __alloc_pages+0x1b2/0x500
[ 1629.163202][ T6889]  cache_grow_begin+0x75/0x460
[ 1629.167955][ T6889]  cache_alloc_refill+0x27f/0x380
[ 1629.172971][ T6889]  __kmalloc+0x3d5/0x4d0
[ 1629.177203][ T6889]  sk_prot_alloc+0x110/0x290
[ 1629.181783][ T6889]  sk_alloc+0x30/0xa60
[ 1629.185842][ T6889]  l2cap_sock_alloc.constprop.0+0x31/0x230
[ 1629.191646][ T6889]  l2cap_sock_create+0x123/0x1f0
[ 1629.196578][ T6889]  bt_sock_create+0x17c/0x340
[ 1629.201265][ T6889]  __sock_create+0x353/0x790
[ 1629.205849][ T6889]  __sys_socket+0xef/0x200
[ 1629.210256][ T6889]  __x64_sys_socket+0x6f/0xb0
[ 1629.214926][ T6889]  do_syscall_64+0x35/0xb0
[ 1629.219332][ T6889]  entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 1629.225220][ T6889] page last free stack trace:
[ 1629.229876][ T6889]  free_pcp_prepare+0x2c5/0x780
[ 1629.234715][ T6889]  free_unref_page_list+0x1a9/0xfa0
[ 1629.239903][ T6889]  release_pages+0x830/0x20b0
[ 1629.244664][ T6889]  tlb_finish_mmu+0x165/0x8c0
[ 1629.249354][ T6889]  exit_mmap+0x1ea/0x630
[ 1629.253583][ T6889]  __mmput+0x122/0x4b0
[ 1629.257687][ T6889]  mmput+0x58/0x60
[ 1629.261397][ T6889]  do_exit+0xabc/0x2a30
[ 1629.265631][ T6889]  do_group_exit+0x125/0x310
[ 1629.270311][ T6889]  get_signal+0x47f/0x2160
[ 1629.274747][ T6889]  arch_do_signal_or_restart+0x2a9/0x1c40
[ 1629.280481][ T6889]  exit_to_user_mode_prepare+0x17d/0x290
[ 1629.286103][ T6889]  syscall_exit_to_user_mode+0x19/0x60
[ 1629.291555][ T6889]  do_syscall_64+0x42/0xb0
[ 1629.295960][ T6889]  entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 1629.301850][ T6889]
[ 1629.304174][ T6889] Memory state around the buggy address:
[ 1629.309788][ T6889]  ffff888020832000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1629.317837][ T6889]  ffff888020832080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1629.325881][ T6889] >ffff888020832100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1629.333932][ T6889]                                ^
[ 1629.339032][ T6889]  ffff888020832180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1629.347079][ T6889]  ffff888020832200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1629.355132][ T6889] ==================================================================
[ 1629.363172][ T6889] Disabling lock debugging due to kernel taint
[ 1629.369309][ T6889] Kernel panic - not syncing: panic_on_warn set ...
[ 1629.375880][ T6889] CPU: 0 PID: 6889 Comm: kworker/0:2 Tainted: G B 5.15.0-rc5-syzkaller #0
[ 1629.385677][ T6889] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 1629.395726][ T6889] Workqueue: events l2cap_chan_timeout
[ 1629.401184][ T6889] Call Trace:
[ 1629.404452][ T6889]  dump_stack_lvl+0xcd/0x134
[ 1629.409470][ T6889]  panic+0x2b0/0x6dd
[ 1629.413384][ T6889]  ? __warn_printk+0xf3/0xf3
[ 1629.417964][ T6889]  ? __lock_acquire+0x3d86/0x54a0
[ 1629.422981][ T6889]  ? __lock_acquire+0x3d86/0x54a0
[ 1629.427992][ T6889]  ? __lock_acquire+0x3d86/0x54a0
[ 1629.433003][ T6889]  end_report.cold+0x63/0x6f
[ 1629.437582][ T6889]  kasan_report.cold+0x71/0xdf
[ 1629.442345][ T6889]  ? __lock_acquire+0x3d86/0x54a0
[ 1629.447364][ T6889]  __lock_acquire+0x3d86/0x54a0
[ 1629.452206][ T6889]  ? mark_lock+0xef/0x17b0
[ 1629.456613][ T6889]  ? _raw_spin_unlock_irqrestore+0x3d/0x70
[ 1629.462417][ T6889]  ? debug_object_assert_init+0x246/0x2e0
[ 1629.468129][ T6889]  ? lockdep_hardirqs_on_prepare+0x400/0x400
[ 1629.474099][ T6889]  lock_acquire+0x1ab/0x510
[ 1629.478592][ T6889]  ? l2cap_sock_teardown_cb+0xa1/0x660
[ 1629.484047][ T6889]  ? lock_release+0x720/0x720
[ 1629.488717][ T6889]  ? mark_held_locks+0x9f/0xe0
[ 1629.493478][ T6889]  ? cancel_delayed_work+0x2bd/0x340
[ 1629.498758][ T6889]  lock_sock_nested+0x2f/0xf0
[ 1629.503463][ T6889]  ? l2cap_sock_teardown_cb+0xa1/0x660
[ 1629.509539][ T6889]  l2cap_sock_teardown_cb+0xa1/0x660
[ 1629.514837][ T6889]  ? __mutex_lock+0x21c/0x12f0
[ 1629.519591][ T6889]  l2cap_chan_del+0xbc/0xa80
[ 1629.524177][ T6889]  l2cap_chan_close+0x1b9/0xaf0
[ 1629.529054][ T6889]  ? l2cap_rx+0x1fb0/0x1fb0
[ 1629.533564][ T6889]  ? lock_release+0x720/0x720
[ 1629.538234][ T6889]  ? lock_downgrade+0x6e0/0x6e0
[ 1629.543082][ T6889]  l2cap_chan_timeout+0x17e/0x2f0
[ 1629.548113][ T6889]  process_one_work+0x9bf/0x16b0
[ 1629.553062][ T6889]  ? pwq_dec_nr_in_flight+0x2a0/0x2a0
[ 1629.558439][ T6889]  ? rwlock_bug.part.0+0x90/0x90
[ 1629.563376][ T6889]  ? _raw_spin_lock_irq+0x41/0x50
[ 1629.568429][ T6889]  worker_thread+0x658/0x11f0
[ 1629.573105][ T6889]  ? process_one_work+0x16b0/0x16b0
[ 1629.578300][ T6889]  kthread+0x3e5/0x4d0
[ 1629.582365][ T6889]  ? set_kthread_struct+0x130/0x130
[ 1629.587553][ T6889]  ret_from_fork+0x1f/0x30
[ 1629.592240][ T6889] Kernel Offset: disabled
[ 1629.596546][ T6889] Rebooting in 86400 seconds..