[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
Starting Load/Save RF Kill Switch Status...
[ OK ] Started Load/Save RF Kill Switch Status.
[ OK ] Started Update UTMP about System Runlevel Changes.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.0.221' (ECDSA) to the list of known hosts.
2021/10/10 21:33:11 parsed 1 programs
2021/10/10 21:33:11 executed programs: 0
syzkaller login: [ 1575.205252] IPVS: ftp: loaded support on port[0] = 21
[ 1575.280627] chnl_net:caif_netlink_parms(): no params data found
[ 1575.355570] bridge0: port 1(bridge_slave_0) entered blocking state
[ 1575.362630] bridge0: port 1(bridge_slave_0) entered disabled state
[ 1575.369878] device bridge_slave_0 entered promiscuous mode
[ 1575.377818] bridge0: port 2(bridge_slave_1) entered blocking state
[ 1575.384426] bridge0: port 2(bridge_slave_1) entered disabled state
[ 1575.393516] device bridge_slave_1 entered promiscuous mode
[ 1575.410439] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 1575.419175] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 1575.436856] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 1575.444422] team0: Port device team_slave_0 added
[ 1575.449743] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 1575.457063] team0: Port device team_slave_1 added
[ 1575.471219] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 1575.477539] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 1575.502879] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[ 1575.515502] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 1575.521732] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 1575.548071] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[ 1575.558843] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[ 1575.566379] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[ 1575.584460] device hsr_slave_0 entered promiscuous mode
[ 1575.590190] device hsr_slave_1 entered promiscuous mode
[ 1575.596468] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready
[ 1575.603670] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_1: link is not ready
[ 1575.666535] bridge0: port 2(bridge_slave_1) entered blocking state
[ 1575.672973] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 1575.679765] bridge0: port 1(bridge_slave_0) entered blocking state
[ 1575.686151] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 1575.714984] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[ 1575.721056] 8021q: adding VLAN 0 to HW filter on device bond0
[ 1575.730011] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 1575.738977] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 1575.757460] bridge0: port 1(bridge_slave_0) entered disabled state
[ 1575.764536] bridge0: port 2(bridge_slave_1) entered disabled state
[ 1575.774525] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready
[ 1575.780584] 8021q: adding VLAN 0 to HW filter on device team0
[ 1575.792980] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 1575.800672] bridge0: port 1(bridge_slave_0) entered blocking state
[ 1575.807115] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 1575.814112] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 1575.821674] bridge0: port 2(bridge_slave_1) entered blocking state
[ 1575.828087] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 1575.840118] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 1575.848420] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 1575.860880] hsr0: Slave A (hsr_slave_0) is not up; please bring it up to get a fully working HSR network
[ 1575.871075] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
[ 1575.881742] IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready
[ 1575.888763] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 1575.896475] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 1575.904315] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 1575.912732] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 1575.924518] IPv6: ADDRCONF(NETDEV_UP): vxcan0: link is not ready
[ 1575.932391] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 1575.939132] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 1575.950056] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 1575.997967] IPv6: ADDRCONF(NETDEV_UP): veth0_virt_wifi: link is not ready
[ 1576.007123] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 1576.035199] IPv6: ADDRCONF(NETDEV_UP): veth0_vlan: link is not ready
[ 1576.042797] IPv6: ADDRCONF(NETDEV_UP): vlan0: link is not ready
[ 1576.049203] IPv6: ADDRCONF(NETDEV_UP): vlan1: link is not ready
[ 1576.058300] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 1576.066334] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 1576.073298] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 1576.081576] device veth0_vlan entered promiscuous mode
[ 1576.090215] device veth1_vlan entered promiscuous mode
[ 1576.097016] IPv6: ADDRCONF(NETDEV_UP): macvlan0: link is not ready
[ 1576.106079] IPv6: ADDRCONF(NETDEV_UP): macvlan1: link is not ready
[ 1576.117196] IPv6: ADDRCONF(NETDEV_UP): veth0_macvtap: link is not ready
[ 1576.126461] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan0: link becomes ready
[ 1576.133811] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan1: link becomes ready
[ 1576.140893] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 1576.150133] device veth0_macvtap entered promiscuous mode
[ 1576.156462] IPv6: ADDRCONF(NETDEV_UP): macvtap0: link is not ready
[ 1576.164325] device veth1_macvtap entered promiscuous mode
[ 1576.172301] IPv6: ADDRCONF(NETDEV_UP): veth0_to_batadv: link is not ready
[ 1576.181424] IPv6: ADDRCONF(NETDEV_UP): veth1_to_batadv: link is not ready
[ 1576.190691] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 1576.198168] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 1576.206288] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready
[ 1576.215631] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 1576.222725] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 1576.272899] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 1577.223229] Bluetooth: hci0 command 0x0409 tx timeout
[ 1579.302107] Bluetooth: hci0 command 0x041b tx timeout
2021/10/10 21:33:16 executed programs: 4
[ 1581.382052] Bluetooth: hci0 command 0x040f tx timeout
[ 1583.461677] Bluetooth: hci0 command 0x0419 tx timeout
2021/10/10 21:33:22 executed programs: 10
[ 1585.541612] Bluetooth: hci0 command 0x0405 tx timeout
2021/10/10 21:33:27 executed programs: 606
2021/10/10 21:33:32 executed programs: 1350
2021/10/10 21:33:37 executed programs: 2073
2021/10/10 21:33:42 executed programs: 2777
2021/10/10 21:33:47 executed programs: 3503
2021/10/10 21:33:52 executed programs: 4222
2021/10/10 21:33:57 executed programs: 4937
2021/10/10 21:34:02 executed programs: 5655
[ 1625.940656] ==================================================================
[ 1625.948037] BUG: KASAN: use-after-free in __lock_acquire+0x2c57/0x3f20
[ 1625.954684] Read of size 8 at addr ffff8880ab17c960 by task kworker/0:1/25
[ 1625.961677]
[ 1625.963284] CPU: 0 PID: 25 Comm: kworker/0:1 Not tainted 4.14.249-syzkaller #0
[ 1625.970667] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 1625.980091] Workqueue: events l2cap_chan_timeout
[ 1625.984834] Call Trace:
[ 1625.987401]  dump_stack+0x1b2/0x281
[ 1625.991007]  print_address_description.cold+0x54/0x1d3
[ 1625.996259]  kasan_report_error.cold+0x8a/0x191
[ 1626.000909]  ? __lock_acquire+0x2c57/0x3f20
[ 1626.005207]  __asan_report_load8_noabort+0x68/0x70
[ 1626.010131]  ? __lock_acquire+0x2c57/0x3f20
[ 1626.014427]  __lock_acquire+0x2c57/0x3f20
[ 1626.018555]  ? lock_acquire+0x170/0x3f0
[ 1626.022508]  ? lock_downgrade+0x740/0x740
[ 1626.026638]  ? trace_hardirqs_on+0x10/0x10
[ 1626.030868]  ? debug_object_assert_init+0x22d/0x2d0
[ 1626.035858]  ? debug_object_active_state+0x330/0x330
[ 1626.040937]  ? ret_from_fork+0x24/0x30
[ 1626.044800]  ? add_lock_to_list.constprop.0+0x17d/0x330
[ 1626.050136]  ? save_trace+0xd6/0x290
[ 1626.053828]  lock_acquire+0x170/0x3f0
[ 1626.057626]  ? lock_sock_nested+0x39/0x100
[ 1626.061840]  _raw_spin_lock_bh+0x2f/0x40
[ 1626.065880]  ? lock_sock_nested+0x39/0x100
[ 1626.070088]  lock_sock_nested+0x39/0x100
[ 1626.074125]  l2cap_sock_teardown_cb+0x93/0x650
[ 1626.078683]  l2cap_chan_del+0xaf/0x950
[ 1626.082546]  l2cap_chan_close+0x103/0x870
[ 1626.086667]  ? __set_monitor_timer+0x1d0/0x1d0
[ 1626.091226]  ? lock_acquire+0x170/0x3f0
[ 1626.095176]  l2cap_chan_timeout+0x143/0x2a0
[ 1626.099477]  process_one_work+0x793/0x14a0
[ 1626.103688]  ? work_busy+0x320/0x320
[ 1626.107375]  ? worker_thread+0x158/0xff0
[ 1626.111412]  ? _raw_spin_unlock_irq+0x24/0x80
[ 1626.115883]  worker_thread+0x5cc/0xff0
[ 1626.119753]  ? rescuer_thread+0xc80/0xc80
[ 1626.123881]  kthread+0x30d/0x420
[ 1626.127222]  ? kthread_create_on_node+0xd0/0xd0
[ 1626.131882]  ret_from_fork+0x24/0x30
[ 1626.135573]
[ 1626.137175] Allocated by task 7974:
[ 1626.140777]  kasan_kmalloc+0xeb/0x160
[ 1626.144553]  __kmalloc_node+0x4c/0x70
[ 1626.148327]  kvmalloc_node+0x46/0xd0
[ 1626.152014]  alloc_fdtable+0xc7/0x270
[ 1626.155784]  dup_fd+0x5f2/0xaf0
[ 1626.159166]  copy_process.part.0+0x1b4f/0x71c0
[ 1626.163726]  _do_fork+0x184/0xc80
[ 1626.167153]  do_syscall_64+0x1d5/0x640
[ 1626.171016]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 1626.176174]
[ 1626.177773] Freed by task 24473:
[ 1626.181111]  kasan_slab_free+0xc3/0x1a0
[ 1626.185058]  kfree+0xc9/0x250
[ 1626.188135]  kvfree+0x45/0x50
[ 1626.191213]  put_files_struct+0x259/0x340
[ 1626.195330]  exit_files+0x7e/0xa0
[ 1626.198779]  do_exit+0xa18/0x2850
[ 1626.202207]  do_group_exit+0x100/0x2e0
[ 1626.206069]  get_signal+0x38d/0x1ca0
[ 1626.209755]  do_signal+0x7c/0x1550
[ 1626.213359]  exit_to_usermode_loop+0x160/0x200
[ 1626.217916]  do_syscall_64+0x4a3/0x640
[ 1626.221804]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 1626.226967]
[ 1626.228572] The buggy address belongs to the object at ffff8880ab17c8c0
[ 1626.228572]  which belongs to the cache kmalloc-2048 of size 2048
[ 1626.241373] The buggy address is located 160 bytes inside of
[ 1626.241373]  2048-byte region [ffff8880ab17c8c0, ffff8880ab17d0c0)
[ 1626.253304] The buggy address belongs to the page:
[ 1626.258208] page:ffffea0002ac5f00 count:1 mapcount:0 mapping:ffff8880ab17c040 index:0x0 compound_mapcount: 0
[ 1626.268147] flags: 0xfff00000008100(slab|head)
[ 1626.272816] raw: 00fff00000008100 ffff8880ab17c040 0000000000000000 0000000100000003
[ 1626.280674] raw: ffffea00024d5120 ffffea00026c7220 ffff88813fe80c40 0000000000000000
[ 1626.288525] page dumped because: kasan: bad access detected
[ 1626.294203]
[ 1626.295805] Memory state around the buggy address:
[ 1626.300714]  ffff8880ab17c800: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 1626.308047]  ffff8880ab17c880: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 1626.315378] >ffff8880ab17c900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1626.322708]                                        ^
[ 1626.329191]  ffff8880ab17c980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1626.336614]  ffff8880ab17ca00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1626.343946] ==================================================================
[ 1626.351276] Disabling lock debugging due to kernel taint
[ 1626.356696] Kernel panic - not syncing: panic_on_warn set ...
[ 1626.356696]
[ 1626.364033] CPU: 0 PID: 25 Comm: kworker/0:1 Tainted: G B 4.14.249-syzkaller #0
[ 1626.372579] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 1626.381928] Workqueue: events l2cap_chan_timeout
[ 1626.386657] Call Trace:
[ 1626.389221]  dump_stack+0x1b2/0x281
[ 1626.392834]  panic+0x1f9/0x42d
[ 1626.396002]  ? add_taint.cold+0x16/0x16
[ 1626.399954]  ? lock_downgrade+0x740/0x740
[ 1626.404078]  kasan_end_report+0x43/0x49
[ 1626.408026]  kasan_report_error.cold+0xa7/0x191
[ 1626.412755]  ? __lock_acquire+0x2c57/0x3f20
[ 1626.417048]  __asan_report_load8_noabort+0x68/0x70
[ 1626.421958]  ? __lock_acquire+0x2c57/0x3f20
[ 1626.426261]  __lock_acquire+0x2c57/0x3f20
[ 1626.430403]  ? lock_acquire+0x170/0x3f0
[ 1626.434744]  ? lock_downgrade+0x740/0x740
[ 1626.438886]  ? trace_hardirqs_on+0x10/0x10
[ 1626.443097]  ? debug_object_assert_init+0x22d/0x2d0
[ 1626.448086]  ? debug_object_active_state+0x330/0x330
[ 1626.453161]  ? ret_from_fork+0x24/0x30
[ 1626.457027]  ? add_lock_to_list.constprop.0+0x17d/0x330
[ 1626.462362]  ? save_trace+0xd6/0x290
[ 1626.466050]  lock_acquire+0x170/0x3f0
[ 1626.469926]  ? lock_sock_nested+0x39/0x100
[ 1626.474145]  _raw_spin_lock_bh+0x2f/0x40
[ 1626.478176]  ? lock_sock_nested+0x39/0x100
[ 1626.482476]  lock_sock_nested+0x39/0x100
[ 1626.486523]  l2cap_sock_teardown_cb+0x93/0x650
[ 1626.491089]  l2cap_chan_del+0xaf/0x950
[ 1626.494957]  l2cap_chan_close+0x103/0x870
[ 1626.499080]  ? __set_monitor_timer+0x1d0/0x1d0
[ 1626.503833]  ? lock_acquire+0x170/0x3f0
[ 1626.507787]  l2cap_chan_timeout+0x143/0x2a0
[ 1626.512103]  process_one_work+0x793/0x14a0
[ 1626.516321]  ? work_busy+0x320/0x320
[ 1626.520010]  ? worker_thread+0x158/0xff0
[ 1626.524051]  ? _raw_spin_unlock_irq+0x24/0x80
[ 1626.528616]  worker_thread+0x5cc/0xff0
[ 1626.532479]  ? rescuer_thread+0xc80/0xc80
[ 1626.536611]  kthread+0x30d/0x420
[ 1626.539952]  ? kthread_create_on_node+0xd0/0xd0
[ 1626.544687]  ret_from_fork+0x24/0x30
[ 1626.548659] Kernel Offset: disabled
[ 1626.552525] Rebooting in 86400 seconds..