Warning: Permanently added '10.128.0.106' (ECDSA) to the list of known hosts.
2021/06/04 05:47:32 parsed 1 programs
2021/06/04 05:47:32 executed programs: 0
syzkaller login: [ 410.807662] IPVS: ftp: loaded support on port[0] = 21
[ 410.901904] chnl_net:caif_netlink_parms(): no params data found
[ 410.998091] bridge0: port 1(bridge_slave_0) entered blocking state
[ 411.005140] bridge0: port 1(bridge_slave_0) entered disabled state
[ 411.012429] device bridge_slave_0 entered promiscuous mode
[ 411.020338] bridge0: port 2(bridge_slave_1) entered blocking state
[ 411.027316] bridge0: port 2(bridge_slave_1) entered disabled state
[ 411.034506] device bridge_slave_1 entered promiscuous mode
[ 411.051498] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 411.060577] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 411.079268] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 411.086724] team0: Port device team_slave_0 added
[ 411.092601] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 411.100565] team0: Port device team_slave_1 added
[ 411.116992] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 411.123601] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 411.150150] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[ 411.162209] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 411.169072] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 411.195405] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[ 411.207250] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[ 411.215620] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[ 411.235044] device hsr_slave_0 entered promiscuous mode
[ 411.241702] device hsr_slave_1 entered promiscuous mode
[ 411.250027] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready
[ 411.258167] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_1: link is not ready
[ 411.320894] bridge0: port 2(bridge_slave_1) entered blocking state
[ 411.327532] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 411.334723] bridge0: port 1(bridge_slave_0) entered blocking state
[ 411.341190] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 411.371344] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[ 411.378560] 8021q: adding VLAN 0 to HW filter on device bond0
[ 411.387074] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 411.396293] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 411.405232] bridge0: port 1(bridge_slave_0) entered disabled state
[ 411.412192] bridge0: port 2(bridge_slave_1) entered disabled state
[ 411.422566] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready
[ 411.429940] 8021q: adding VLAN 0 to HW filter on device team0
[ 411.438506] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 411.446280] bridge0: port 1(bridge_slave_0) entered blocking state
[ 411.452632] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 411.472459] hsr0: Slave A (hsr_slave_0) is not up; please bring it up to get a fully working HSR network
[ 411.484023] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
[ 411.495229] IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready
[ 411.502352] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 411.510484] bridge0: port 2(bridge_slave_1) entered blocking state
[ 411.516984] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 411.524733] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 411.532384] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 411.540862] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 411.548854] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 411.556930] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 411.564196] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 411.577760] IPv6: ADDRCONF(NETDEV_UP): vxcan0: link is not ready
[ 411.585359] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 411.592091] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 411.602545] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 411.657605] IPv6: ADDRCONF(NETDEV_UP): veth0_virt_wifi: link is not ready
[ 411.667202] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 411.696624] IPv6: ADDRCONF(NETDEV_UP): veth0_vlan: link is not ready
[ 411.704619] IPv6: ADDRCONF(NETDEV_UP): vlan0: link is not ready
[ 411.712140] IPv6: ADDRCONF(NETDEV_UP): vlan1: link is not ready
[ 411.722404] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 411.730327] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 411.737407] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 411.749775] device veth0_vlan entered promiscuous mode
[ 411.758595] device veth1_vlan entered promiscuous mode
[ 411.765461] IPv6: ADDRCONF(NETDEV_UP): macvlan0: link is not ready
[ 411.774920] IPv6: ADDRCONF(NETDEV_UP): macvlan1: link is not ready
[ 411.786385] IPv6: ADDRCONF(NETDEV_UP): veth0_macvtap: link is not ready
[ 411.795659] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan0: link becomes ready
[ 411.803433] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan1: link becomes ready
[ 411.810685] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 411.819742] device veth0_macvtap entered promiscuous mode
[ 411.826514] IPv6: ADDRCONF(NETDEV_UP): macvtap0: link is not ready
[ 411.835689] device veth1_macvtap entered promiscuous mode
[ 411.844784] IPv6: ADDRCONF(NETDEV_UP): veth0_to_batadv: link is not ready
[ 411.854180] IPv6: ADDRCONF(NETDEV_UP): veth1_to_batadv: link is not ready
[ 411.864562] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 411.871286] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 411.879884] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready
[ 411.887640] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 411.896926] IPv6: ADDRCONF(NETDEV_UP): batadv_slave_1: link is not ready
[ 411.904733] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 411.912372] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready
[ 411.920271] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 412.843925] Bluetooth: hci0 command 0x0409 tx timeout
[ 414.913169] Bluetooth: hci0 command 0x041b tx timeout
2021/06/04 05:47:38 executed programs: 4
[ 416.993097] Bluetooth: hci0 command 0x040f tx timeout
[ 419.072850] Bluetooth: hci0 command 0x0419 tx timeout
2021/06/04 05:47:43 executed programs: 10
[ 421.153077] Bluetooth: hci0 command 0x0405 tx timeout
2021/06/04 05:47:48 executed programs: 16
2021/06/04 05:47:53 executed programs: 22
2021/06/04 05:47:58 executed programs: 28
2021/06/04 05:48:03 executed programs: 34
2021/06/04 05:48:08 executed programs: 40
2021/06/04 05:48:13 executed programs: 46
[ 452.923408] ==================================================================
[ 452.931033] BUG: KASAN: use-after-free in __lock_acquire+0x2c57/0x3f20
[ 452.938119] Read of size 8 at addr ffff888094fc56a0 by task kworker/0:1/24
[ 452.945153] 
[ 452.946763] CPU: 0 PID: 24 Comm: kworker/0:1 Not tainted 4.14.235-syzkaller #0
[ 452.954126] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 452.963733] Workqueue: events l2cap_chan_timeout
[ 452.968477] Call Trace:
[ 452.971180]  dump_stack+0x1b2/0x281
[ 452.974811]  print_address_description.cold+0x54/0x1d3
[ 452.980327]  kasan_report_error.cold+0x8a/0x191
[ 452.984994]  ? __lock_acquire+0x2c57/0x3f20
[ 452.989533]  __asan_report_load8_noabort+0x68/0x70
[ 452.994563]  ? __lock_acquire+0x2c57/0x3f20
[ 452.998881]  __lock_acquire+0x2c57/0x3f20
[ 453.003245]  ? lock_acquire+0x170/0x3f0
[ 453.007485]  ? lock_downgrade+0x740/0x740
[ 453.011968]  ? trace_hardirqs_on+0x10/0x10
[ 453.016288]  ? debug_object_assert_init+0x22d/0x2d0
[ 453.021411]  ? debug_object_active_state+0x330/0x330
[ 453.026521]  ? ret_from_fork+0x24/0x30
[ 453.030496]  ? add_lock_to_list.constprop.0+0x17d/0x330
[ 453.035926]  ? save_trace+0xd6/0x290
[ 453.039890]  lock_acquire+0x170/0x3f0
[ 453.044219]  ? lock_sock_nested+0x39/0x100
[ 453.048456]  _raw_spin_lock_bh+0x2f/0x40
[ 453.052509]  ? lock_sock_nested+0x39/0x100
[ 453.056827]  lock_sock_nested+0x39/0x100
[ 453.061757]  l2cap_sock_teardown_cb+0x93/0x650
[ 453.066338]  l2cap_chan_del+0xaf/0x950
[ 453.070224]  l2cap_chan_close+0x103/0x870
[ 453.074358]  ? __set_monitor_timer+0x1d0/0x1d0
[ 453.078926]  ? lock_acquire+0x170/0x3f0
[ 453.082891]  l2cap_chan_timeout+0x143/0x2a0
[ 453.087218]  process_one_work+0x793/0x14a0
[ 453.091444]  ? work_busy+0x320/0x320
[ 453.095178]  ? worker_thread+0x158/0xff0
[ 453.099519]  ? _raw_spin_unlock_irq+0x24/0x80
[ 453.104285]  worker_thread+0x5cc/0xff0
[ 453.108315]  ? rescuer_thread+0xc80/0xc80
[ 453.112767]  kthread+0x30d/0x420
[ 453.116291]  ? kthread_create_on_node+0xd0/0xd0
[ 453.120997]  ret_from_fork+0x24/0x30
[ 453.124692] 
[ 453.126326] Allocated by task 8256:
[ 453.130039]  kasan_kmalloc+0xeb/0x160
[ 453.133836]  __kmalloc+0x15a/0x400
[ 453.137487]  sk_prot_alloc+0x1ba/0x290
[ 453.141466]  sk_alloc+0x36/0xcd0
[ 453.144925]  l2cap_sock_alloc.constprop.0+0x31/0x210
[ 453.150058]  l2cap_sock_create+0xf0/0x1a0
[ 453.154288]  bt_sock_create+0x13b/0x280
[ 453.158255]  __sock_create+0x303/0x620
[ 453.162122]  SyS_socket+0xd1/0x1b0
[ 453.165656]  do_syscall_64+0x1d5/0x640
[ 453.169544]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 453.174841] 
[ 453.176561] Freed by task 8256:
[ 453.179828]  kasan_slab_free+0xc3/0x1a0
[ 453.184031]  kfree+0xc9/0x250
[ 453.187210]  __sk_destruct+0x5e3/0x760
[ 453.191169]  __sk_free+0xd9/0x2d0
[ 453.194605]  sk_free+0x2b/0x40
[ 453.197875]  l2cap_sock_kill.part.0+0x106/0x130
[ 453.202769]  l2cap_sock_release+0x1cd/0x280
[ 453.207090]  __sock_release+0xcd/0x2b0
[ 453.211087]  sock_close+0x15/0x20
[ 453.214581]  __fput+0x25f/0x7a0
[ 453.217859]  task_work_run+0x11f/0x190
[ 453.221744]  get_signal+0x18a3/0x1ca0
[ 453.225663]  do_signal+0x7c/0x1550
[ 453.229420]  exit_to_usermode_loop+0x160/0x200
[ 453.234243]  do_syscall_64+0x4a3/0x640
[ 453.238115]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 453.243389] 
[ 453.245036] The buggy address belongs to the object at ffff888094fc5600
[ 453.245036]  which belongs to the cache kmalloc-2048 of size 2048
[ 453.257898] The buggy address is located 160 bytes inside of
[ 453.257898]  2048-byte region [ffff888094fc5600, ffff888094fc5e00)
[ 453.270218] The buggy address belongs to the page:
[ 453.275344] page:ffffea000253f100 count:1 mapcount:0 mapping:ffff888094fc4500 index:0x0 compound_mapcount: 0
[ 453.285831] flags: 0xfff00000008100(slab|head)
[ 453.290757] raw: 00fff00000008100 ffff888094fc4500 0000000000000000 0000000100000003
[ 453.298981] raw: ffffea0002565620 ffffea000253cc20 ffff88813fe80c40 0000000000000000
[ 453.306977] page dumped because: kasan: bad access detected
[ 453.313620] 
[ 453.315249] Memory state around the buggy address:
[ 453.320477]  ffff888094fc5580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 453.328041]  ffff888094fc5600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 453.335543] >ffff888094fc5680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 453.342891]                                ^
[ 453.347308]  ffff888094fc5700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 453.354762]  ffff888094fc5780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 453.362115] ==================================================================
[ 453.369554] Disabling lock debugging due to kernel taint
[ 453.375122] Kernel panic - not syncing: panic_on_warn set ...
[ 453.375122] 
[ 453.382463] CPU: 0 PID: 24 Comm: kworker/0:1 Tainted: G B 4.14.235-syzkaller #0
[ 453.391017] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 453.400446] Workqueue: events l2cap_chan_timeout
[ 453.405180] Call Trace:
[ 453.407771]  dump_stack+0x1b2/0x281
[ 453.411382]  panic+0x1f9/0x42d
[ 453.414562]  ? add_taint.cold+0x16/0x16
[ 453.418637]  ? lock_downgrade+0x740/0x740
[ 453.422776]  kasan_end_report+0x43/0x49
[ 453.426758]  kasan_report_error.cold+0xa7/0x191
[ 453.431438]  ? __lock_acquire+0x2c57/0x3f20
[ 453.436232]  __asan_report_load8_noabort+0x68/0x70
[ 453.441191]  ? __lock_acquire+0x2c57/0x3f20
[ 453.445510]  __lock_acquire+0x2c57/0x3f20
[ 453.449843]  ? lock_acquire+0x170/0x3f0
[ 453.453814]  ? lock_downgrade+0x740/0x740
[ 453.457957]  ? trace_hardirqs_on+0x10/0x10
[ 453.462265]  ? debug_object_assert_init+0x22d/0x2d0
[ 453.467490]  ? debug_object_active_state+0x330/0x330
[ 453.472691]  ? ret_from_fork+0x24/0x30
[ 453.476658]  ? add_lock_to_list.constprop.0+0x17d/0x330
[ 453.482204]  ? save_trace+0xd6/0x290
[ 453.485994]  lock_acquire+0x170/0x3f0
[ 453.489791]  ? lock_sock_nested+0x39/0x100
[ 453.494046]  _raw_spin_lock_bh+0x2f/0x40
[ 453.498089]  ? lock_sock_nested+0x39/0x100
[ 453.502388]  lock_sock_nested+0x39/0x100
[ 453.506434]  l2cap_sock_teardown_cb+0x93/0x650
[ 453.511520]  l2cap_chan_del+0xaf/0x950
[ 453.515387]  l2cap_chan_close+0x103/0x870
[ 453.519600]  ? __set_monitor_timer+0x1d0/0x1d0
[ 453.524233]  ? lock_acquire+0x170/0x3f0
[ 453.528310]  l2cap_chan_timeout+0x143/0x2a0
[ 453.532632]  process_one_work+0x793/0x14a0
[ 453.537259]  ? work_busy+0x320/0x320
[ 453.541290]  ? worker_thread+0x158/0xff0
[ 453.545702]  ? _raw_spin_unlock_irq+0x24/0x80
[ 453.550445]  worker_thread+0x5cc/0xff0
[ 453.554323]  ? rescuer_thread+0xc80/0xc80
[ 453.558695]  kthread+0x30d/0x420
[ 453.562048]  ? kthread_create_on_node+0xd0/0xd0
[ 453.566831]  ret_from_fork+0x24/0x30
[ 453.571713] Kernel Offset: disabled
[ 453.575425] Rebooting in 86400 seconds..
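Reading the three stacks in the report together: the object in kmalloc-2048 is a struct sock, allocated by task 8256 in socket() (sk_alloc via l2cap_sock_create), freed by the same task when the descriptor was closed (sock_close, l2cap_sock_release, l2cap_sock_kill, sk_free), and then read 160 bytes into that freed object by the l2cap_chan_timeout work item running on kworker/0:1, which reached the dead socket through l2cap_chan_close, l2cap_chan_del and l2cap_sock_teardown_cb before taking its lock in lock_sock_nested. Below is an added triage helper that extracts exactly that information from a syzkaller console log. It is example code, not syzkaller or syzbot tooling; the INFRA prefix list and the "blame" and "pattern" rules in classify() are this example's own heuristic for a report of this shape, and SAMPLE is a constructed, abridged excerpt of the report above kept in the run-together form this page shows so that the message splitter is exercised.

```python
"""Triage helper for KASAN reports in syzkaller console logs (added example, not syzbot code)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

TS = re.compile(r"\[\s*\d+\.\d{6}\]\s?")   # "[ 452.931033] " prefix of every kernel message
BUG = re.compile(r"BUG: KASAN: (?P<kind>[\w-]+) in (?P<func>\S+)")
ACCESS = re.compile(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (\S+)")
WORKQUEUE = re.compile(r"Workqueue: \S+ (\S+)")
STACK_HDR = re.compile(r"^(Allocated|Freed) by task (\d+):$")
FRAME = re.compile(r"^(\?\s*)?([A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+$")
CACHE = re.compile(r"belongs to the cache (\S+) of size (\d+)")
OFFSET = re.compile(r"located (\d+) bytes inside of")
# Frames of the reporting and locking machinery, not of the code at fault (heuristic).
INFRA = ("dump_stack", "print_address_description", "kasan_", "__asan_",
         "__lock_acquire", "lock_acquire", "_raw_spin_", "lock_sock")

@dataclass
class KasanReport:
    kind: str                          # e.g. "use-after-free"
    func: str                          # symbol+offset where KASAN fired
    op: str = ""                       # "Read" or "Write"
    size: int = 0
    addr: int = 0
    task: str = ""                     # "comm/pid" of the faulting task
    workqueue: Optional[str] = None    # work function, if it ran from a kworker
    cache: Optional[str] = None        # slab cache of the freed object
    offset: int = 0                    # bytes from the start of the object
    alloc_task: Optional[int] = None
    free_task: Optional[int] = None
    stacks: Dict[str, List[str]] = field(default_factory=dict)   # use / alloc / free

def split_messages(text: str) -> List[str]:
    """One kernel message per entry, even when several "[ ts] msg" fragments share a line."""
    msgs: List[str] = []
    for line in text.splitlines():
        msgs.extend(p.strip() for p in TS.split(line) if p.strip())
    return msgs

def parse_kasan(text: str) -> Optional[KasanReport]:
    """Extract the first KASAN report: header, freed object and the three stacks."""
    rep, current = None, None
    for m in split_messages(text):
        if rep is None:
            if (b := BUG.search(m)):
                rep = KasanReport(kind=b["kind"], func=b["func"])
            continue
        if m.startswith("====") and rep.stacks:
            break                                   # closing rule of the report
        if (a := ACCESS.search(m)):
            rep.op, rep.size, rep.addr, rep.task = a[1], int(a[2]), int(a[3], 16), a[4]
        elif (w := WORKQUEUE.search(m)):
            rep.workqueue = w[1]
        elif m == "Call Trace:" and "use" not in rep.stacks:
            current, rep.stacks["use"] = "use", []
        elif (h := STACK_HDR.match(m)):
            current = "alloc" if h[1] == "Allocated" else "free"
            rep.stacks[current] = []
            setattr(rep, current + "_task", int(h[2]))
        elif current and (f := FRAME.match(m)):
            if not f[1]:                            # "? sym" is a stale stack slot
                rep.stacks[current].append(f[2])
        else:
            current = None                          # any other text ends a stack
            if (c := CACHE.search(m)):
                rep.cache = c[1]
            elif (o := OFFSET.search(m)):
                rep.offset = int(o[1])
    return rep

def classify(rep: KasanReport) -> Dict[str, object]:
    """Read the three stacks together (this example's own heuristic, not syzbot's)."""
    use, alloc, free = (rep.stacks.get(k, []) for k in ("use", "alloc", "free"))
    deferred = "process_one_work" in use            # object touched from a workqueue
    closed = "sock_close" in free                   # object released on fd close
    return {
        "object": "struct sock" if "sk_alloc" in alloc else (rep.cache or "unknown"),
        "same_task_alloc_free": rep.alloc_task is not None and rep.alloc_task == rep.free_task,
        "user_context": rep.workqueue or rep.task,
        # first use-stack frame outside the machinery: who passed the dangling pointer on
        "blame": next((f for f in use if not f.startswith(INFRA)), None),
        "pattern": ("deferred work dereferenced a socket already released by close()"
                    if rep.kind == "use-after-free" and deferred and closed else "unclassified"),
    }

# Constructed input: an abridged excerpt of the report on this page, kept in the
# run-together form the page shows so that split_messages() is exercised.
SAMPLE = """\
2021/06/04 05:48:13 executed programs: 46 [ 452.923408] ================================================================== [ 452.931033] BUG: KASAN: use-after-free in __lock_acquire+0x2c57/0x3f20 [ 452.938119] Read of size 8 at addr ffff888094fc56a0 by task kworker/0:1/24
[ 452.946763] CPU: 0 PID: 24 Comm: kworker/0:1 Not tainted 4.14.235-syzkaller #0 [ 452.963733] Workqueue: events l2cap_chan_timeout [ 452.968477] Call Trace: [ 452.971180] dump_stack+0x1b2/0x281 [ 452.974811] print_address_description.cold+0x54/0x1d3 [ 452.980327] kasan_report_error.cold+0x8a/0x191
[ 452.984994] ? __lock_acquire+0x2c57/0x3f20 [ 452.989533] __asan_report_load8_noabort+0x68/0x70 [ 452.998881] __lock_acquire+0x2c57/0x3f20 [ 453.039890] lock_acquire+0x170/0x3f0 [ 453.048456] _raw_spin_lock_bh+0x2f/0x40 [ 453.056827] lock_sock_nested+0x39/0x100
[ 453.061757] l2cap_sock_teardown_cb+0x93/0x650 [ 453.066338] l2cap_chan_del+0xaf/0x950 [ 453.070224] l2cap_chan_close+0x103/0x870 [ 453.082891] l2cap_chan_timeout+0x143/0x2a0 [ 453.087218] process_one_work+0x793/0x14a0 [ 453.104285] worker_thread+0x5cc/0xff0 [ 453.112767] kthread+0x30d/0x420 [ 453.120997] ret_from_fork+0x24/0x30
[ 453.126326] Allocated by task 8256: [ 453.130039] kasan_kmalloc+0xeb/0x160 [ 453.133836] __kmalloc+0x15a/0x400 [ 453.137487] sk_prot_alloc+0x1ba/0x290 [ 453.141466] sk_alloc+0x36/0xcd0 [ 453.144925] l2cap_sock_alloc.constprop.0+0x31/0x210 [ 453.150058] l2cap_sock_create+0xf0/0x1a0
[ 453.154288] bt_sock_create+0x13b/0x280 [ 453.158255] __sock_create+0x303/0x620 [ 453.162122] SyS_socket+0xd1/0x1b0 [ 453.165656] do_syscall_64+0x1d5/0x640 [ 453.169544] entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 453.176561] Freed by task 8256: [ 453.179828] kasan_slab_free+0xc3/0x1a0 [ 453.184031] kfree+0xc9/0x250 [ 453.187210] __sk_destruct+0x5e3/0x760 [ 453.191169] __sk_free+0xd9/0x2d0 [ 453.194605] sk_free+0x2b/0x40 [ 453.197875] l2cap_sock_kill.part.0+0x106/0x130 [ 453.202769] l2cap_sock_release+0x1cd/0x280
[ 453.207090] __sock_release+0xcd/0x2b0 [ 453.211087] sock_close+0x15/0x20 [ 453.214581] __fput+0x25f/0x7a0 [ 453.217859] task_work_run+0x11f/0x190 [ 453.238115] entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 453.245036] The buggy address belongs to the object at ffff888094fc5600 [ 453.245036] which belongs to the cache kmalloc-2048 of size 2048 [ 453.257898] The buggy address is located 160 bytes inside of [ 453.362115] ================================================================== [ 453.375122] Kernel panic - not syncing: panic_on_warn set ...
"""

if __name__ == "__main__":
    print(classify(parse_kasan(SAMPLE)))
```

Frames printed with a leading "? " are slots the unwinder could not verify and are dropped, which is why __lock_acquire appears once in the parsed use stack although the report lists it three times. The "blame" value is the first use-stack frame after the KASAN and lock-debugging frames, l2cap_sock_teardown_cb here; for reports from other subsystems the INFRA prefixes and the classify() rules are the parts to extend, the parser itself does not depend on the subsystem.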