[  OK  ] Reached target Graphical Interface.
         Starting Update UTMP about System Runlevel Changes...
[  OK  ] Started Update UTMP about System Runlevel Changes.
         Starting Load/Save RF Kill Switch Status...
[  OK  ] Started Load/Save RF Kill Switch Status.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.0.69' (ECDSA) to the list of known hosts.
2021/02/10 04:41:29 parsed 1 programs
2021/02/10 04:41:29 executed programs: 0

syzkaller login: [ 1581.254884] IPVS: ftp: loaded support on port[0] = 21
[ 1581.340469] chnl_net:caif_netlink_parms(): no params data found
[ 1581.439637] bridge0: port 1(bridge_slave_0) entered blocking state
[ 1581.446701] bridge0: port 1(bridge_slave_0) entered disabled state
[ 1581.455896] device bridge_slave_0 entered promiscuous mode
[ 1581.463507] bridge0: port 2(bridge_slave_1) entered blocking state
[ 1581.471480] bridge0: port 2(bridge_slave_1) entered disabled state
[ 1581.478678] device bridge_slave_1 entered promiscuous mode
[ 1581.496077] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 1581.505522] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 1581.523989] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 1581.531352] team0: Port device team_slave_0 added
[ 1581.536846] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 1581.544798] team0: Port device team_slave_1 added
[ 1581.559965] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 1581.566549] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 1581.594055] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[ 1581.606012] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 1581.612622] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 1581.639255] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[ 1581.650553] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[ 1581.658325] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[ 1581.677043] device hsr_slave_0 entered promiscuous mode
[ 1581.683719] device hsr_slave_1 entered promiscuous mode
[ 1581.690552] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready
[ 1581.698289] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_1: link is not ready
[ 1581.764721] bridge0: port 2(bridge_slave_1) entered blocking state
[ 1581.771965] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 1581.781348] bridge0: port 1(bridge_slave_0) entered blocking state
[ 1581.788726] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 1581.816701] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[ 1581.824230] 8021q: adding VLAN 0 to HW filter on device bond0
[ 1581.833915] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 1581.843788] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 1581.863686] bridge0: port 1(bridge_slave_0) entered disabled state
[ 1581.871642] bridge0: port 2(bridge_slave_1) entered disabled state
[ 1581.883397] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready
[ 1581.890098] 8021q: adding VLAN 0 to HW filter on device team0
[ 1581.898692] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 1581.906945] bridge0: port 1(bridge_slave_0) entered blocking state
[ 1581.914017] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 1581.925553] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 1581.933912] bridge0: port 2(bridge_slave_1) entered blocking state
[ 1581.940493] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 1581.958963] hsr0: Slave A (hsr_slave_0) is not up; please bring it up to get a fully working HSR network
[ 1581.970302] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
[ 1581.981790] IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready
[ 1581.988855] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 1581.997022] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 1582.005292] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 1582.013829] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 1582.021794] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 1582.028772] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 1582.041290] IPv6: ADDRCONF(NETDEV_UP): vxcan0: link is not ready
[ 1582.050114] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 1582.056911] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 1582.068038] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 1582.122096] IPv6: ADDRCONF(NETDEV_UP): veth0_virt_wifi: link is not ready
[ 1582.132624] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 1582.164525] IPv6: ADDRCONF(NETDEV_UP): veth0_vlan: link is not ready
[ 1582.172746] IPv6: ADDRCONF(NETDEV_UP): vlan0: link is not ready
[ 1582.181295] IPv6: ADDRCONF(NETDEV_UP): vlan1: link is not ready
[ 1582.191713] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 1582.200257] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 1582.207346] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 1582.217152] device veth0_vlan entered promiscuous mode
[ 1582.226382] device veth1_vlan entered promiscuous mode
[ 1582.233332] IPv6: ADDRCONF(NETDEV_UP): macvlan0: link is not ready
[ 1582.242564] IPv6: ADDRCONF(NETDEV_UP): macvlan1: link is not ready
[ 1582.254781] IPv6: ADDRCONF(NETDEV_UP): veth0_macvtap: link is not ready
[ 1582.264325] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan0: link becomes ready
[ 1582.272725] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan1: link becomes ready
[ 1582.280426] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 1582.291465] device veth0_macvtap entered promiscuous mode
[ 1582.298059] IPv6: ADDRCONF(NETDEV_UP): macvtap0: link is not ready
[ 1582.307676] device veth1_macvtap entered promiscuous mode
[ 1582.316789] IPv6: ADDRCONF(NETDEV_UP): veth0_to_batadv: link is not ready
[ 1582.328185] IPv6: ADDRCONF(NETDEV_UP): veth1_to_batadv: link is not ready
[ 1582.338952] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 1582.347085] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready
[ 1582.358237] IPv6: ADDRCONF(NETDEV_UP): batadv_slave_0: link is not ready
[ 1582.368570] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 1582.377528] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready
[ 1582.386142] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 1582.398107] IPv6: ADDRCONF(NETDEV_UP): batadv_slave_1: link is not ready
[ 1582.405398] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 1582.412442] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready
[ 1582.421025] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 1583.270239] Bluetooth: hci0 command 0x0409 tx timeout
2021/02/10 04:41:34 executed programs: 192
[ 1585.349551] Bluetooth: hci0 command 0x041b tx timeout
[ 1587.429918] Bluetooth: hci0 command 0x040f tx timeout
[ 1589.508974] Bluetooth: hci0 command 0x0419 tx timeout
2021/02/10 04:41:39 executed programs: 563
2021/02/10 04:41:44 executed programs: 980
[ 1596.836793] ==================================================================
[ 1596.844917] BUG: KASAN: use-after-free in __lock_acquire+0x2c57/0x3f20
[ 1596.852606] Read of size 8 at addr ffff8880a3abf360 by task syz-executor.0/8001
[ 1596.860545] 
[ 1596.862322] CPU: 0 PID: 8001 Comm: syz-executor.0 Not tainted 4.14.218-syzkaller #0
[ 1596.870336] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 1596.880328] Call Trace:
[ 1596.883876]  dump_stack+0x1b2/0x281
[ 1596.887975]  print_address_description.cold+0x54/0x1d3
[ 1596.893502]  kasan_report_error.cold+0x8a/0x191
[ 1596.898254]  ? __lock_acquire+0x2c57/0x3f20
[ 1596.902914]  __asan_report_load8_noabort+0x68/0x70
[ 1596.908228]  ? __lock_acquire+0x2c57/0x3f20
[ 1596.912740]  __lock_acquire+0x2c57/0x3f20
[ 1596.917192]  ? lock_acquire+0x170/0x3f0
[ 1596.921238]  ? lock_downgrade+0x740/0x740
[ 1596.926131]  ? trace_hardirqs_on+0x10/0x10
[ 1596.930881]  ? debug_object_assert_init+0x22d/0x2d0
[ 1596.936512]  ? hci_conn_hash_flush+0x19c/0x260
[ 1596.941185]  ? debug_object_active_state+0x330/0x330
[ 1596.946861]  ? lock_acquire+0x170/0x3f0
[ 1596.951497]  ? l2cap_conn_del+0x363/0x690
[ 1596.955829]  lock_acquire+0x170/0x3f0
[ 1596.960079]  ? lock_sock_nested+0x39/0x100
[ 1596.964400]  _raw_spin_lock_bh+0x2f/0x40
[ 1596.968757]  ? lock_sock_nested+0x39/0x100
[ 1596.973282]  lock_sock_nested+0x39/0x100
[ 1596.977341]  l2cap_sock_teardown_cb+0x93/0x650
[ 1596.981998]  ? trace_hardirqs_on_caller+0x3a8/0x580
[ 1596.987008]  l2cap_chan_del+0xaf/0x950
[ 1596.990994]  l2cap_conn_del+0x36e/0x690
[ 1596.994952]  ? l2cap_conn_del+0x690/0x690
[ 1596.999177]  l2cap_disconn_cfm+0x7c/0xb0
[ 1597.003565]  hci_conn_hash_flush+0x127/0x260
[ 1597.008459]  hci_dev_do_close+0x535/0xca0
[ 1597.012867]  ? __fsnotify_inode_delete+0x20/0x20
[ 1597.017724]  hci_unregister_dev+0x17f/0x8c0
[ 1597.022274]  ? fcntl_setlk+0xdb0/0xdb0
[ 1597.026338]  ? vhci_close_dev+0x50/0x50
[ 1597.030453]  vhci_release+0x70/0xe0
[ 1597.034262]  __fput+0x25f/0x7a0
[ 1597.037712]  task_work_run+0x11f/0x190
[ 1597.041777]  do_exit+0xa44/0x2850
[ 1597.045495]  ? __do_page_fault+0x571/0xad0
[ 1597.049939]  ? mm_update_next_owner+0x5b0/0x5b0
[ 1597.054793]  ? lock_downgrade+0x740/0x740
[ 1597.058942]  do_group_exit+0x100/0x2e0
[ 1597.062899]  SyS_exit_group+0x19/0x20
[ 1597.066693]  ? do_group_exit+0x2e0/0x2e0
[ 1597.070733]  do_syscall_64+0x1d5/0x640
[ 1597.075405]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 1597.080584] RIP: 0033:0x465b09
[ 1597.083755] RSP: 002b:00007ffe23970678 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 1597.092138] RAX: ffffffffffffffda RBX: 0000000000000de6 RCX: 0000000000465b09
[ 1597.100520] RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000043
[ 1597.108357] RBP: 00000000004b0265 R08: 000000000000000b R09: 0000000000000004
[ 1597.115953] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[ 1597.123888] R13: 0000000000185e3f R14: 0000000000000004 R15: 00007ffe23970860
[ 1597.131447] 
[ 1597.133054] Allocated by task 12814:
[ 1597.137011]  kasan_kmalloc+0xeb/0x160
[ 1597.141865]  __kmalloc+0x15a/0x400
[ 1597.145390]  sk_prot_alloc+0x1ba/0x290
[ 1597.149931]  sk_alloc+0x36/0xcd0
[ 1597.153457]  l2cap_sock_alloc.constprop.0+0x31/0x210
[ 1597.159456]  l2cap_sock_create+0xf0/0x1a0
[ 1597.164299]  bt_sock_create+0x13b/0x280
[ 1597.168370]  __sock_create+0x303/0x620
[ 1597.172444]  SyS_socket+0xd1/0x1b0
[ 1597.175978]  do_syscall_64+0x1d5/0x640
[ 1597.179856]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 1597.185107] 
[ 1597.186718] Freed by task 12813:
[ 1597.190271]  kasan_slab_free+0xc3/0x1a0
[ 1597.195029]  kfree+0xc9/0x250
[ 1597.198472]  __sk_destruct+0x5e3/0x760
[ 1597.202346]  __sk_free+0xd9/0x2d0
[ 1597.205794]  sk_free+0x2b/0x40
[ 1597.209110]  l2cap_sock_kill.part.0+0x106/0x130
[ 1597.213941]  l2cap_sock_release+0x1cd/0x280
[ 1597.218487]  __sock_release+0xcd/0x2b0
[ 1597.222445]  sock_close+0x15/0x20
[ 1597.226184]  __fput+0x25f/0x7a0
[ 1597.229917]  task_work_run+0x11f/0x190
[ 1597.233921]  exit_to_usermode_loop+0x1ad/0x200
[ 1597.238502]  do_syscall_64+0x4a3/0x640
[ 1597.242833]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 1597.247995] 
[ 1597.249609] The buggy address belongs to the object at ffff8880a3abf2c0
[ 1597.249609]  which belongs to the cache kmalloc-2048 of size 2048
[ 1597.262831] The buggy address is located 160 bytes inside of
[ 1597.262831]  2048-byte region [ffff8880a3abf2c0, ffff8880a3abfac0)
[ 1597.275906] The buggy address belongs to the page:
[ 1597.281567] page:ffffea00028eaf80 count:1 mapcount:0 mapping:ffff8880a3abe1c0 index:0x0 compound_mapcount: 0
[ 1597.292901] flags: 0xfff00000008100(slab|head)
[ 1597.297652] raw: 00fff00000008100 ffff8880a3abe1c0 0000000000000000 0000000100000003
[ 1597.306154] raw: ffffea00028cc2a0 ffffea00028c9920 ffff88813fe80c40 0000000000000000
[ 1597.316367] page dumped because: kasan: bad access detected
[ 1597.323579] 
[ 1597.325496] Memory state around the buggy address:
[ 1597.330579]  ffff8880a3abf200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 1597.339227]  ffff8880a3abf280: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 1597.347370] >ffff8880a3abf300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1597.355161]                                                        ^
[ 1597.362081]  ffff8880a3abf380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1597.370471]  ffff8880a3abf400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1597.378219] ==================================================================
[ 1597.386470] Disabling lock debugging due to kernel taint
[ 1597.392232] Kernel panic - not syncing: panic_on_warn set ...
[ 1597.392232] 
[ 1597.400317] CPU: 0 PID: 8001 Comm: syz-executor.0 Tainted: G    B             4.14.218-syzkaller #0
[ 1597.410198] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 1597.419946] Call Trace:
[ 1597.422520]  dump_stack+0x1b2/0x281
[ 1597.426319]  panic+0x1f9/0x42d
[ 1597.429640]  ? add_taint.cold+0x16/0x16
[ 1597.433923]  ? lock_downgrade+0x740/0x740
[ 1597.438346]  kasan_end_report+0x43/0x49
[ 1597.442413]  kasan_report_error.cold+0xa7/0x191
[ 1597.447410]  ? __lock_acquire+0x2c57/0x3f20
[ 1597.451735]  __asan_report_load8_noabort+0x68/0x70
[ 1597.456843]  ? __lock_acquire+0x2c57/0x3f20
[ 1597.461444]  __lock_acquire+0x2c57/0x3f20
[ 1597.465676]  ? lock_acquire+0x170/0x3f0
[ 1597.469811]  ? lock_downgrade+0x740/0x740
[ 1597.473958]  ? trace_hardirqs_on+0x10/0x10
[ 1597.478171]  ? debug_object_assert_init+0x22d/0x2d0
[ 1597.483369]  ? hci_conn_hash_flush+0x19c/0x260
[ 1597.488173]  ? debug_object_active_state+0x330/0x330
[ 1597.493440]  ? lock_acquire+0x170/0x3f0
[ 1597.497503]  ? l2cap_conn_del+0x363/0x690
[ 1597.501722]  lock_acquire+0x170/0x3f0
[ 1597.505709]  ? lock_sock_nested+0x39/0x100
[ 1597.510013]  _raw_spin_lock_bh+0x2f/0x40
[ 1597.514317]  ? lock_sock_nested+0x39/0x100
[ 1597.518731]  lock_sock_nested+0x39/0x100
[ 1597.522876]  l2cap_sock_teardown_cb+0x93/0x650
[ 1597.527442]  ? trace_hardirqs_on_caller+0x3a8/0x580
[ 1597.532589]  l2cap_chan_del+0xaf/0x950
[ 1597.536927]  l2cap_conn_del+0x36e/0x690
[ 1597.541281]  ? l2cap_conn_del+0x690/0x690
[ 1597.545515]  l2cap_disconn_cfm+0x7c/0xb0
[ 1597.549563]  hci_conn_hash_flush+0x127/0x260
[ 1597.554159]  hci_dev_do_close+0x535/0xca0
[ 1597.558384]  ? __fsnotify_inode_delete+0x20/0x20
[ 1597.563215]  hci_unregister_dev+0x17f/0x8c0
[ 1597.567604]  ? fcntl_setlk+0xdb0/0xdb0
[ 1597.571689]  ? vhci_close_dev+0x50/0x50
[ 1597.575675]  vhci_release+0x70/0xe0
[ 1597.579490]  __fput+0x25f/0x7a0
[ 1597.582751]  task_work_run+0x11f/0x190
[ 1597.586796]  do_exit+0xa44/0x2850
[ 1597.590338]  ? __do_page_fault+0x571/0xad0
[ 1597.595119]  ? mm_update_next_owner+0x5b0/0x5b0
[ 1597.600157]  ? lock_downgrade+0x740/0x740
[ 1597.604374]  do_group_exit+0x100/0x2e0
[ 1597.608244]  SyS_exit_group+0x19/0x20
[ 1597.612474]  ? do_group_exit+0x2e0/0x2e0
[ 1597.616604]  do_syscall_64+0x1d5/0x640
[ 1597.620672]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 1597.626098] RIP: 0033:0x465b09
[ 1597.629644] RSP: 002b:00007ffe23970678 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 1597.637730] RAX: ffffffffffffffda RBX: 0000000000000de6 RCX: 0000000000465b09
[ 1597.645255] RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000043
[ 1597.652860] RBP: 00000000004b0265 R08: 000000000000000b R09: 0000000000000004
[ 1597.660723] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[ 1597.668692] R13: 0000000000185e3f R14: 0000000000000004 R15: 00007ffe23970860
[ 1597.678264] Kernel Offset: disabled
[ 1597.682011] Rebooting in 86400 seconds..
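A triage helper for the report above, added here as an example; it is not part of the syzkaller output and not kernel or syzbot tooling. It parses the console lines into the access (kind, size, address, task), the access/alloc/free stacks, the slab object bounds and the shadow byte for the accessed granule, drops the unreliable "?" frames and the KASAN reporting machinery from the stacks so the first remaining frames are the ones worth reading, and cross-checks the figures against each other (address inside the object, access not running past it, shadow byte actually a free marker for a use-after-free), which is the sanity pass you want before trusting a report that came off a serial console. SAMPLE_LOG is a constructed excerpt of the report above with most frames trimmed; the regexes follow the KASAN output format of 4.14-era kernels.

```python
import re
from dataclasses import dataclass, field
# Added example: offline triage of a KASAN report like the one above; not kernel or syzbot
# tooling. SAMPLE_LOG is a constructed excerpt of that report (most frames trimmed).
TS = re.compile(r"^\[\s*\d+\.\d+\]")
HEADER = re.compile(r"BUG: KASAN: ([\w-]+) in ([\w.]+)\+0x")
ACCESS = re.compile(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (\S+/\d+)")
TASK = re.compile(r"(Allocated|Freed) by task (\d+):")
REGION = re.compile(r"\d+-byte region \[([0-9a-f]+), ([0-9a-f]+)\)")
FRAME = re.compile(r"^(\? )?([\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+$")
SHADOW = re.compile(r"^>?([0-9a-f]{16}): ((?:[0-9a-f]{2} ?){16})$")
POISON = {0x00: "addressable", 0xfa: "freed page", 0xfb: "freed slab object", 0xfc: "slab redzone"}
NOISE = ("dump_stack", "print_address_description", "kasan_", "__asan_")  # report machinery

@dataclass
class KasanReport:
    bug_type: str = ""
    func: str = ""          # function the bad access was attributed to
    kind: str = ""          # "Read" or "Write"
    size: int = 0
    addr: int = 0
    task: str = ""          # "comm/pid" of the accessing task
    obj: tuple = (0, 0)     # [start, end) of the slab object
    tasks: dict = field(default_factory=dict)   # "Allocated"/"Freed" -> pid
    stacks: dict = field(default_factory=dict)  # "access"/"Allocated"/"Freed" -> [(sym, unreliable)]
    shadow: dict = field(default_factory=dict)  # 8-byte granule address -> shadow byte

def parse_kasan_report(text):
    r, cur = KasanReport(), None
    for raw in text.splitlines():
        line = TS.sub("", raw).strip()
        if m := HEADER.search(line):
            r.bug_type, r.func = m[1], m[2]
        elif m := ACCESS.search(line):
            r.kind, r.size, r.addr, r.task = m[1], int(m[2]), int(m[3], 16), m[4]
        elif line == "Call Trace:" and "access" not in r.stacks:  # ignore the later panic trace
            cur = r.stacks.setdefault("access", [])
        elif m := TASK.match(line):
            r.tasks[m[1]] = int(m[2])
            cur = r.stacks.setdefault(m[1], [])
        elif m := REGION.search(line):
            r.obj = (int(m[1], 16), int(m[2], 16))
        elif m := SHADOW.match(line):
            base = int(m[1], 16)
            for i, b in enumerate(m[2].split()):
                r.shadow[base + 8 * i] = int(b, 16)   # one shadow byte per 8-byte granule
        elif cur is not None:
            if fm := FRAME.match(line):
                cur.append((fm[2], fm[1] is not None))
            elif line == "" or line.startswith("RIP:"):
                cur = None                          # end of this stack
    return r

def culprit_frames(stack):
    """Drop unreliable ('?') frames and the KASAN/dump machinery."""
    return [s for s, unreliable in stack if not unreliable and not s.startswith(NOISE)]

def check(r):
    """Cross-check KASAN's own figures; anything listed means a truncated or mangled report."""
    problems = []
    if not (r.obj[0] <= r.addr < r.obj[1]):
        problems.append("access address outside the reported object")
    if r.addr + r.size > r.obj[1]:
        problems.append("access runs past the end of the object")
    if r.bug_type == "use-after-free" and r.shadow.get(r.addr & ~7) not in (0xfa, 0xfb):
        problems.append("use-after-free claimed but shadow byte is not a free marker")
    return problems

def summarize(r):
    b = r.shadow.get(r.addr & ~7)  # shadow byte covering the accessed granule
    shadow = "n/a" if b is None else f"{b:#04x} ({POISON.get(b, 'other poison')})"
    out = [f"{r.bug_type}: {r.kind} of {r.size} bytes in {r.func} by {r.task}",
           f"object [{r.obj[0]:#x}, {r.obj[1]:#x}), offset {r.addr - r.obj[0]}, shadow {shadow}"]
    for name in ("access", "Allocated", "Freed"):
        who = f" by task {r.tasks[name]}" if name in r.tasks else ""
        out.append(f"{name}{who}: " + " <- ".join(culprit_frames(r.stacks.get(name, []))[:5]))
    return "\n".join(out + ["INCONSISTENT: " + p for p in check(r)])

SAMPLE_LOG = """\
[ 1596.844917] BUG: KASAN: use-after-free in __lock_acquire+0x2c57/0x3f20
[ 1596.852606] Read of size 8 at addr ffff8880a3abf360 by task syz-executor.0/8001
[ 1596.880328] Call Trace:
[ 1596.898254]  ? __lock_acquire+0x2c57/0x3f20
[ 1596.912740]  __lock_acquire+0x2c57/0x3f20
[ 1596.977341]  l2cap_sock_teardown_cb+0x93/0x650
[ 1597.030453]  vhci_release+0x70/0xe0
[ 1597.080584] RIP: 0033:0x465b09
[ 1597.133054] Allocated by task 12814:
[ 1597.137011]  kasan_kmalloc+0xeb/0x160
[ 1597.153457]  l2cap_sock_alloc.constprop.0+0x31/0x210
[ 1597.186718] Freed by task 12813:
[ 1597.195029]  kfree+0xc9/0x250
[ 1597.209110]  l2cap_sock_kill.part.0+0x106/0x130
[ 1597.262831]  2048-byte region [ffff8880a3abf2c0, ffff8880a3abfac0)
[ 1597.347370] >ffff8880a3abf300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
"""

if __name__ == "__main__":
    print(summarize(parse_kasan_report(SAMPLE_LOG)))
```

On the report above this yields a Read of 8 bytes at offset 160 into a freed 2048-byte slab object (shadow 0xfb), with l2cap_sock_teardown_cb as the first L2CAP frame on the access path, the object allocated by l2cap_sock_alloc in task 12814 and freed via l2cap_sock_kill in task 12813, and no inconsistencies; a report whose access address falls outside the reported region is flagged rather than silently summarized.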