Warning: Permanently added '10.128.0.113' (ECDSA) to the list of known hosts.
2021/05/18 10:25:20 parsed 1 programs
2021/05/18 10:25:20 executed programs: 0
[ 1579.518755] IPVS: ftp: loaded support on port[0] = 21
[ 1579.639017] chnl_net:caif_netlink_parms(): no params data found
[ 1579.730307] bridge0: port 1(bridge_slave_0) entered blocking state
[ 1579.737193] bridge0: port 1(bridge_slave_0) entered disabled state
[ 1579.744128] device bridge_slave_0 entered promiscuous mode
[ 1579.751807] bridge0: port 2(bridge_slave_1) entered blocking state
[ 1579.758737] bridge0: port 2(bridge_slave_1) entered disabled state
[ 1579.766235] device bridge_slave_1 entered promiscuous mode
[ 1579.782015] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 1579.790823] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 1579.809883] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 1579.817134] team0: Port device team_slave_0 added
[ 1579.822436] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 1579.829754] team0: Port device team_slave_1 added
[ 1579.844530] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 1579.850838] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 1579.876961] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[ 1579.888374] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 1579.894610] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 1579.919862] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[ 1579.930421] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[ 1579.937950] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[ 1579.956464] device hsr_slave_0 entered promiscuous mode
[ 1579.962043] device hsr_slave_1 entered promiscuous mode
[ 1579.968313] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready
[ 1579.975204] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_1: link is not ready
[ 1580.036726] bridge0: port 2(bridge_slave_1) entered blocking state
[ 1580.043136] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 1580.050065] bridge0: port 1(bridge_slave_0) entered blocking state
[ 1580.056471] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 1580.086639] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[ 1580.092742] 8021q: adding VLAN 0 to HW filter on device bond0
[ 1580.101837] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 1580.111506] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 1580.129834] bridge0: port 1(bridge_slave_0) entered disabled state
[ 1580.137182] bridge0: port 2(bridge_slave_1) entered disabled state
[ 1580.147114] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready
[ 1580.153779] 8021q: adding VLAN 0 to HW filter on device team0
[ 1580.162616] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 1580.170312] bridge0: port 1(bridge_slave_0) entered blocking state
[ 1580.176714] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 1580.186154] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 1580.193875] bridge0: port 2(bridge_slave_1) entered blocking state
[ 1580.200279] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 1580.217711] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 1580.226577] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 1580.234032] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 1580.244370] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
[ 1580.256032] IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready
[ 1580.262042] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 1580.269802] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 1580.276990] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 1580.290319] IPv6: ADDRCONF(NETDEV_UP): vxcan0: link is not ready
[ 1580.297850] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 1580.304495] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 1580.314897] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 1580.365665] IPv6: ADDRCONF(NETDEV_UP): veth0_virt_wifi: link is not ready
[ 1580.374978] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 1580.402665] IPv6: ADDRCONF(NETDEV_UP): veth0_vlan: link is not ready
[ 1580.409942] IPv6: ADDRCONF(NETDEV_UP): vlan0: link is not ready
[ 1580.417708] IPv6: ADDRCONF(NETDEV_UP): vlan1: link is not ready
[ 1580.426502] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 1580.433947] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 1580.441323] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 1580.449638] device veth0_vlan entered promiscuous mode
[ 1580.458697] device veth1_vlan entered promiscuous mode
[ 1580.464592] IPv6: ADDRCONF(NETDEV_UP): macvlan0: link is not ready
[ 1580.473703] IPv6: ADDRCONF(NETDEV_UP): macvlan1: link is not ready
[ 1580.484147] IPv6: ADDRCONF(NETDEV_UP): veth0_macvtap: link is not ready
[ 1580.493709] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan0: link becomes ready
[ 1580.501501] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan1: link becomes ready
[ 1580.508976] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 1580.518471] device veth0_macvtap entered promiscuous mode
[ 1580.524501] IPv6: ADDRCONF(NETDEV_UP): macvtap0: link is not ready
[ 1580.533284] device veth1_macvtap entered promiscuous mode
[ 1580.542609] IPv6: ADDRCONF(NETDEV_UP): veth0_to_batadv: link is not ready
[ 1580.551476] IPv6: ADDRCONF(NETDEV_UP): veth1_to_batadv: link is not ready
[ 1580.561629] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 1580.568648] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 1580.576775] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready
[ 1580.586704] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 1580.593368] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 1580.627166] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 1581.566214] Bluetooth: hci0 command 0x0409 tx timeout
[ 1583.645331] Bluetooth: hci0 command 0x041b tx timeout
2021/05/18 10:25:25 executed programs: 4
[ 1585.725805] Bluetooth: hci0 command 0x040f tx timeout
[ 1587.815316] Bluetooth: hci0 command 0x0419 tx timeout
2021/05/18 10:25:31 executed programs: 10
[ 1589.885316] Bluetooth: hci0 command 0x0405 tx timeout
2021/05/18 10:25:36 executed programs: 16
2021/05/18 10:25:41 executed programs: 22
2021/05/18 10:25:46 executed programs: 28
2021/05/18 10:25:51 executed programs: 34
2021/05/18 10:25:56 executed programs: 40
2021/05/18 10:26:01 executed programs: 46
2021/05/18 10:26:06 executed programs: 52
2021/05/18 10:26:11 executed programs: 58
2021/05/18 10:26:16 executed programs: 64
2021/05/18 10:26:21 executed programs: 70
2021/05/18 10:26:26 executed programs: 76
2021/05/18 10:26:31 executed programs: 82
2021/05/18 10:26:36 executed programs: 88
2021/05/18 10:26:41 executed programs: 94
2021/05/18 10:26:46 executed programs: 100
2021/05/18 10:26:52 executed programs: 106
2021/05/18 10:26:57 executed programs: 112
2021/05/18 10:27:02 executed programs: 118
2021/05/18 10:27:07 executed programs: 124
2021/05/18 10:27:12 executed programs: 130
2021/05/18 10:27:17 executed programs: 136
[ 1699.646004] ==================================================================
[ 1699.653400] BUG: KASAN: use-after-free in __lock_acquire+0x2c57/0x3f20
[ 1699.660047] Read of size 8 at addr ffff8880b54fabe0 by task kworker/1:0/8195
[ 1699.667206]
[ 1699.668836] CPU: 1 PID: 8195 Comm: kworker/1:0 Not tainted 4.14.232-syzkaller #0
[ 1699.676352] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 1699.685703] Workqueue: events l2cap_chan_timeout
[ 1699.690435] Call Trace:
[ 1699.693018]  dump_stack+0x1b2/0x281
[ 1699.696657]  print_address_description.cold+0x54/0x1d3
[ 1699.701940]  kasan_report_error.cold+0x8a/0x191
[ 1699.706588]  ? __lock_acquire+0x2c57/0x3f20
[ 1699.710897]  __asan_report_load8_noabort+0x68/0x70
[ 1699.715830]  ? __lock_acquire+0x2c57/0x3f20
[ 1699.720130]  __lock_acquire+0x2c57/0x3f20
[ 1699.724271]  ? lock_acquire+0x170/0x3f0
[ 1699.728234]  ? lock_downgrade+0x740/0x740
[ 1699.732360]  ? trace_hardirqs_on+0x10/0x10
[ 1699.736585]  ? debug_object_assert_init+0x22d/0x2d0
[ 1699.741579]  ? debug_object_active_state+0x330/0x330
[ 1699.746659]  ? ret_from_fork+0x24/0x30
[ 1699.750542]  ? add_lock_to_list.constprop.0+0x17d/0x330
[ 1699.755931]  ? save_trace+0xd6/0x290
[ 1699.759679]  lock_acquire+0x170/0x3f0
[ 1699.763512]  ? lock_sock_nested+0x39/0x100
[ 1699.767742]  _raw_spin_lock_bh+0x2f/0x40
[ 1699.771782]  ? lock_sock_nested+0x39/0x100
[ 1699.775992]  lock_sock_nested+0x39/0x100
[ 1699.780055]  l2cap_sock_teardown_cb+0x93/0x650
[ 1699.784618]  l2cap_chan_del+0xaf/0x950
[ 1699.788489]  l2cap_chan_close+0x103/0x870
[ 1699.792630]  ? __set_monitor_timer+0x1d0/0x1d0
[ 1699.797191]  ? lock_acquire+0x170/0x3f0
[ 1699.801157]  l2cap_chan_timeout+0x143/0x2a0
[ 1699.805478]  process_one_work+0x793/0x14a0
[ 1699.809692]  ? work_busy+0x320/0x320
[ 1699.813390]  ? worker_thread+0x158/0xff0
[ 1699.817439]  ? _raw_spin_unlock_irq+0x24/0x80
[ 1699.821911]  worker_thread+0x5cc/0xff0
[ 1699.825808]  ? rescuer_thread+0xc80/0xc80
[ 1699.829937]  kthread+0x30d/0x420
[ 1699.833296]  ? kthread_create_on_node+0xd0/0xd0
[ 1699.837958]  ret_from_fork+0x24/0x30
[ 1699.841646]
[ 1699.843256] Allocated by task 8794:
[ 1699.846862]  kasan_kmalloc+0xeb/0x160
[ 1699.850653]  __kmalloc+0x15a/0x400
[ 1699.854186]  sk_prot_alloc+0x1ba/0x290
[ 1699.858146]  sk_alloc+0x36/0xcd0
[ 1699.861522]  l2cap_sock_alloc.constprop.0+0x31/0x210
[ 1699.866640]  l2cap_sock_create+0xf0/0x1a0
[ 1699.870786]  bt_sock_create+0x13b/0x280
[ 1699.874735]  __sock_create+0x303/0x620
[ 1699.878597]  SyS_socket+0xd1/0x1b0
[ 1699.882129]  do_syscall_64+0x1d5/0x640
[ 1699.885993]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 1699.891155]
[ 1699.892764] Freed by task 8793:
[ 1699.896027]  kasan_slab_free+0xc3/0x1a0
[ 1699.899988]  kfree+0xc9/0x250
[ 1699.903069]  __sk_destruct+0x5e3/0x760
[ 1699.906947]  __sk_free+0xd9/0x2d0
[ 1699.910380]  sk_free+0x2b/0x40
[ 1699.913549]  l2cap_sock_kill.part.0+0x106/0x130
[ 1699.918194]  l2cap_sock_release+0x1cd/0x280
[ 1699.922508]  __sock_release+0xcd/0x2b0
[ 1699.926369]  sock_close+0x15/0x20
[ 1699.929826]  __fput+0x25f/0x7a0
[ 1699.933093]  task_work_run+0x11f/0x190
[ 1699.936973]  get_signal+0x18a3/0x1ca0
[ 1699.940768]  do_signal+0x7c/0x1550
[ 1699.944287]  exit_to_usermode_loop+0x160/0x200
[ 1699.948864]  do_syscall_64+0x4a3/0x640
[ 1699.952743]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 1699.957918]
[ 1699.959524] The buggy address belongs to the object at ffff8880b54fab40
[ 1699.959524]  which belongs to the cache kmalloc-2048 of size 2048
[ 1699.972345] The buggy address is located 160 bytes inside of
[ 1699.972345]  2048-byte region [ffff8880b54fab40, ffff8880b54fb340)
[ 1699.984283] The buggy address belongs to the page:
[ 1699.989295] page:ffffea0002d53e80 count:1 mapcount:0 mapping:ffff8880b54fa2c0 index:0x0 compound_mapcount: 0
[ 1699.999243] flags: 0xfff00000008100(slab|head)
[ 1700.003806] raw: 00fff00000008100 ffff8880b54fa2c0 0000000000000000 0000000100000003
[ 1700.011686] raw: ffffea0002ca9720 ffffea0002865ca0 ffff88813fe80c40 0000000000000000
[ 1700.019553] page dumped because: kasan: bad access detected
[ 1700.025236]
[ 1700.026837] Memory state around the buggy address:
[ 1700.031756]  ffff8880b54faa80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 1700.039091]  ffff8880b54fab00: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 1700.046422] >ffff8880b54fab80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1700.053769]                                                        ^
[ 1700.060250]  ffff8880b54fac00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1700.067599]  ffff8880b54fac80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1700.074935] ==================================================================
[ 1700.082283] Disabling lock debugging due to kernel taint
[ 1700.087708] Kernel panic - not syncing: panic_on_warn set ...
[ 1700.087708]
[ 1700.095056] CPU: 1 PID: 8195 Comm: kworker/1:0 Tainted: G B 4.14.232-syzkaller #0
[ 1700.103778] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 1700.113118] Workqueue: events l2cap_chan_timeout
[ 1700.117869] Call Trace:
[ 1700.120440]  dump_stack+0x1b2/0x281
[ 1700.124059]  panic+0x1f9/0x42d
[ 1700.127335]  ? add_taint.cold+0x16/0x16
[ 1700.131289]  ? lock_downgrade+0x740/0x740
[ 1700.135543]  kasan_end_report+0x43/0x49
[ 1700.139499]  kasan_report_error.cold+0xa7/0x191
[ 1700.144163]  ? __lock_acquire+0x2c57/0x3f20
[ 1700.148478]  __asan_report_load8_noabort+0x68/0x70
[ 1700.153404]  ? __lock_acquire+0x2c57/0x3f20
[ 1700.157720]  __lock_acquire+0x2c57/0x3f20
[ 1700.161849]  ? lock_acquire+0x170/0x3f0
[ 1700.165805]  ? lock_downgrade+0x740/0x740
[ 1700.169932]  ? trace_hardirqs_on+0x10/0x10
[ 1700.174161]  ? debug_object_assert_init+0x22d/0x2d0
[ 1700.179157]  ? debug_object_active_state+0x330/0x330
[ 1700.184237]  ? ret_from_fork+0x24/0x30
[ 1700.188102]  ? add_lock_to_list.constprop.0+0x17d/0x330
[ 1700.193459]  ? save_trace+0xd6/0x290
[ 1700.197160]  lock_acquire+0x170/0x3f0
[ 1700.200941]  ? lock_sock_nested+0x39/0x100
[ 1700.205160]  _raw_spin_lock_bh+0x2f/0x40
[ 1700.209202]  ? lock_sock_nested+0x39/0x100
[ 1700.213537]  lock_sock_nested+0x39/0x100
[ 1700.217593]  l2cap_sock_teardown_cb+0x93/0x650
[ 1700.222153]  l2cap_chan_del+0xaf/0x950
[ 1700.226044]  l2cap_chan_close+0x103/0x870
[ 1700.230181]  ? __set_monitor_timer+0x1d0/0x1d0
[ 1700.234761]  ? lock_acquire+0x170/0x3f0
[ 1700.238714]  l2cap_chan_timeout+0x143/0x2a0
[ 1700.243022]  process_one_work+0x793/0x14a0
[ 1700.247236]  ? work_busy+0x320/0x320
[ 1700.250927]  ? worker_thread+0x158/0xff0
[ 1700.254966]  ? _raw_spin_unlock_irq+0x24/0x80
[ 1700.259486]  worker_thread+0x5cc/0xff0
[ 1700.263359]  ? rescuer_thread+0xc80/0xc80
[ 1700.267495]  kthread+0x30d/0x420
[ 1700.270854]  ? kthread_create_on_node+0xd0/0xd0
[ 1700.275514]  ret_from_fork+0x24/0x30
[ 1700.279840] Kernel Offset: disabled
[ 1700.283451] Rebooting in 86400 seconds..
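Added illustration (not part of the syzbot log above, and not kernel code): a user-space C model of the lifetime bug the report shows. The trace reads as a race between two paths that share one object. Task 8793 closes the L2CAP socket (l2cap_sock_release -> l2cap_sock_kill -> sk_free) while the channel's timeout work is still pending; when kworker/1:0 later runs l2cap_chan_timeout -> l2cap_chan_close -> l2cap_chan_del -> l2cap_sock_teardown_cb, it calls lock_sock_nested on the socket reached through chan->data, 160 bytes into a 2048-byte slab object whose KASAN shadow bytes are all fb (freed slab memory; fc marks the redzone). The model below replays that interleaving deterministically, with a poisoning "quarantine" allocator standing in for KASAN, and contrasts an unguarded teardown with one where the release path clears the back-pointer and the callback checks for NULL. Every struct and function name here (model_sock, model_chan, run_scenario and so on) is the model's own assumption; the guard shown is one common remedy for this pattern, not a claim about the upstream patch, and in the kernel the pointer clear would have to be serialised with the work (for example under the channel lock) or replaced by holding a socket reference for the work's lifetime.

```c
/* Constructed user-space model of the lifetime bug in the KASAN report above;
 * an added illustration, not kernel code. The names and the quarantine
 * allocator are assumptions so the race can be replayed deterministically.
 * Order follows the trace: task 8793 frees the socket (l2cap_sock_release ->
 * l2cap_sock_kill -> sk_free), then the kworker runs l2cap_chan_timeout ->
 * l2cap_chan_del -> l2cap_sock_teardown_cb -> lock_sock on chan->data. The
 * channel outlives the socket because the pending work holds a channel
 * reference, while chan->data still points at the freed socket. */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SK_LIVE_MAGIC 0x534b4c56u /* marks a socket that has not been freed */
#define KASAN_FREE_FILL 0xfb      /* KASAN shadow byte for freed slab memory */

struct model_sock { unsigned int magic; int lock_depth; /* sk->sk_lock */ };
struct model_chan { struct model_sock *data; /* like chan->data */ int refcnt; };

/* Freed sockets are poisoned and parked here instead of handed back to malloc,
 * so a stale access is detectable in plain C rather than undefined behaviour. */
static struct model_sock *quarantine[4];
static int quarantine_len, uaf_reports;

static struct model_sock *model_sk_alloc(void)
{
	struct model_sock *sk = calloc(1, sizeof *sk);
	if (!sk) abort();
	sk->magic = SK_LIVE_MAGIC;
	return sk;
}

static void model_sk_free(struct model_sock *sk)
{
	memset(sk, KASAN_FREE_FILL, sizeof *sk);
	quarantine[quarantine_len++] = sk;
}

/* lock_sock(): the access KASAN flagged. Fails and counts a report when the
 * socket's memory has already been freed. */
static int model_lock_sock(struct model_sock *sk)
{
	if (sk->magic != SK_LIVE_MAGIC) { uaf_reports++; return -1; }
	sk->lock_depth++;
	return 0;
}

static void model_chan_put(struct model_chan *chan)
{
	if (--chan->refcnt == 0) free(chan);
}

/* Release path (task 8793). With clear_backref the socket detaches from the
 * channel before its memory goes away; in the kernel that store would have to
 * be serialised with the timeout work (channel lock), which this model skips. */
static void model_sock_kill(struct model_chan *chan, bool clear_backref)
{
	struct model_sock *sk = chan->data;
	if (clear_backref) chan->data = NULL;
	model_chan_put(chan);          /* drop the socket's channel reference */
	model_sk_free(sk);
}

/* Timeout path (kworker). Guarded: bail out if the socket has detached.
 * Unguarded: dereference whatever chan->data still holds. */
static int model_teardown_cb(struct model_chan *chan, bool guarded)
{
	struct model_sock *sk = chan->data;
	if (guarded && !sk) return 0;
	if (model_lock_sock(sk) < 0) return -1;
	sk->lock_depth--;              /* release_sock() */
	return 0;
}

/* Replay the interleaving from the report: close first, then the timer fires.
 * Returns the number of use-after-free reports (0 when the guard holds). */
int run_scenario(bool guarded)
{
	struct model_chan *chan = calloc(1, sizeof *chan);
	if (!chan) abort();
	uaf_reports = 0;
	chan->refcnt = 2;              /* one ref from the socket, one from the pending work */
	chan->data = model_sk_alloc();
	model_sock_kill(chan, guarded);   /* socket released and freed */
	model_teardown_cb(chan, guarded); /* delayed work runs afterwards */
	model_chan_put(chan);             /* work drops its reference; channel freed last */
	while (quarantine_len > 0) free(quarantine[--quarantine_len]);
	return uaf_reports;
}

int main(void)
{
	printf("unguarded teardown: %d use-after-free report(s)\n", run_scenario(false));
	printf("guarded teardown:   %d use-after-free report(s)\n", run_scenario(true));
	return 0;
}
```

The unguarded run reproduces the report's shape (the timeout callback reaches a socket whose memory is already poisoned), the guarded run does not. The model is single-threaded, so it shows the ordering problem, not the concurrent store/load race that a real fix must also close; on a real kernel the same interleaving is what KASAN catches, which is why the report names lock_sock_nested inside l2cap_sock_teardown_cb rather than the release path.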