[ OK ] Started Getty on tty2.
[ OK ] Started Getty on tty1.
[ OK ] Started Serial Getty on ttyS0.
[ OK ] Reached target Login Prompts.
[ OK ] Started OpenBSD Secure Shell server.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.0.98' (ECDSA) to the list of known hosts.
2021/09/02 03:09:48 parsed 1 programs
2021/09/02 03:09:49 executed programs: 0
syzkaller login: [ 1584.164905][ T8479] chnl_net:caif_netlink_parms(): no params data found
[ 1584.261550][ T8479] bridge0: port 1(bridge_slave_0) entered blocking state
[ 1584.270060][ T8479] bridge0: port 1(bridge_slave_0) entered disabled state
[ 1584.278914][ T8479] device bridge_slave_0 entered promiscuous mode
[ 1584.288108][ T8479] bridge0: port 2(bridge_slave_1) entered blocking state
[ 1584.296438][ T8479] bridge0: port 2(bridge_slave_1) entered disabled state
[ 1584.305460][ T8479] device bridge_slave_1 entered promiscuous mode
[ 1584.326620][ T8479] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 1584.337783][ T8479] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 1584.362243][ T8479] team0: Port device team_slave_0 added
[ 1584.369350][ T8479] team0: Port device team_slave_1 added
[ 1584.386518][ T8479] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 1584.393624][ T8479] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 1584.420321][ T8479] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[ 1584.433703][ T8479] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 1584.440643][ T8479] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 1584.466599][ T8479] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[ 1584.492465][ T8479] device hsr_slave_0 entered promiscuous mode
[ 1584.499193][ T8479] device hsr_slave_1 entered promiscuous mode
[ 1584.600871][ T8479] netdevsim netdevsim0 netdevsim0: renamed from eth0
[ 1584.612544][ T8479] netdevsim netdevsim0 netdevsim1: renamed from eth1
[ 1584.622464][ T8479] netdevsim netdevsim0 netdevsim2: renamed from eth2
[ 1584.632545][ T8479] netdevsim netdevsim0 netdevsim3: renamed from eth3
[ 1584.656344][ T8479] bridge0: port 2(bridge_slave_1) entered blocking state
[ 1584.663527][ T8479] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 1584.671409][ T8479] bridge0: port 1(bridge_slave_0) entered blocking state
[ 1584.678475][ T8479] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 1584.723887][ T8479] 8021q: adding VLAN 0 to HW filter on device bond0
[ 1584.737153][ T8691] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 1584.748095][ T8691] bridge0: port 1(bridge_slave_0) entered disabled state
[ 1584.757785][ T8691] bridge0: port 2(bridge_slave_1) entered disabled state
[ 1584.766770][ T8691] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 1584.780472][ T8479] 8021q: adding VLAN 0 to HW filter on device team0
[ 1584.793093][ T8620] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 1584.802478][ T8620] bridge0: port 1(bridge_slave_0) entered blocking state
[ 1584.809546][ T8620] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 1584.823463][ T8620] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 1584.832275][ T8620] bridge0: port 2(bridge_slave_1) entered blocking state
[ 1584.839315][ T8620] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 1584.863179][ T8620] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 1584.872404][ T8620] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 1584.880708][ T8620] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 1584.894042][ T8454] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 1584.902040][ T8454] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 1584.914976][ T8479] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 1584.932705][ T8454] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 1584.940563][ T8454] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 1584.954925][ T8479] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 1584.981772][ T8454] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 1584.997425][ T8620] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 1585.007558][ T8620] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 1585.016300][ T8620] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 1585.025092][ T8479] device veth0_vlan entered promiscuous mode
[ 1585.036650][ T8479] device veth1_vlan entered promiscuous mode
[ 1585.057733][ T8620] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan0: link becomes ready
[ 1585.065930][ T8620] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan1: link becomes ready
[ 1585.074838][ T8620] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 1585.086780][ T8479] device veth0_macvtap entered promiscuous mode
[ 1585.097206][ T8479] device veth1_macvtap entered promiscuous mode
[ 1585.115925][ T8479] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 1585.125438][ T8691] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 1585.135221][ T8691] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready
[ 1585.147835][ T8479] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 1585.155472][ T8691] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready
[ 1585.165121][ T8691] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 1585.176905][ T8479] netdevsim netdevsim0 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0
[ 1585.185933][ T8479] netdevsim netdevsim0 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0
[ 1585.194754][ T8479] netdevsim netdevsim0 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0
[ 1585.203866][ T8479] netdevsim netdevsim0 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0
[ 1585.298584][ T10] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[ 1585.308008][ T10] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50
[ 1585.323856][ T8705] IPv6: ADDRCONF(NETDEV_CHANGE): wlan0: link becomes ready
[ 1585.358292][ T88] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[ 1585.366668][ T88] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50
[ 1585.376836][ T8705] IPv6: ADDRCONF(NETDEV_CHANGE): wlan1: link becomes ready
[ 1586.052047][ T8705] Bluetooth: hci0: command 0x0409 tx timeout
2021/09/02 03:09:54 executed programs: 3
[ 1588.121586][ T8705] Bluetooth: hci0: command 0x041b tx timeout
[ 1590.201281][ T8454] Bluetooth: hci0: command 0x040f tx timeout
[ 1592.280862][ T8705] Bluetooth: hci0: command 0x0419 tx timeout
2021/09/02 03:09:59 executed programs: 9
[ 1594.360721][ T8454] Bluetooth: hci0: command 0x0405 tx timeout
2021/09/02 03:10:04 executed programs: 15
2021/09/02 03:10:09 executed programs: 21
[ 1606.931058][ T3265] ieee802154 phy0 wpan0: encryption failed: -22
[ 1606.937697][ T3265] ieee802154 phy1 wpan1: encryption failed: -22
2021/09/02 03:10:14 executed programs: 27
2021/09/02 03:10:20 executed programs: 33
2021/09/02 03:10:25 executed programs: 39
2021/09/02 03:10:30 executed programs: 45
[ 1626.759567][ T8437] ==================================================================
[ 1626.767718][ T8437] BUG: KASAN: use-after-free in __lock_acquire+0x3d86/0x54a0
[ 1626.775154][ T8437] Read of size 8 at addr ffff888018ab80a0 by task kworker/1:3/8437
[ 1626.783443][ T8437]
[ 1626.785753][ T8437] CPU: 1 PID: 8437 Comm: kworker/1:3 Not tainted 5.14.0-rc7-syzkaller #0
[ 1626.794241][ T8437] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 1626.804543][ T8437] Workqueue: events l2cap_chan_timeout
[ 1626.810067][ T8437] Call Trace:
[ 1626.813338][ T8437] dump_stack_lvl+0xcd/0x134
[ 1626.817972][ T8437] print_address_description.constprop.0.cold+0x6c/0x309
[ 1626.825010][ T8437] ? __lock_acquire+0x3d86/0x54a0
[ 1626.830133][ T8437] ? __lock_acquire+0x3d86/0x54a0
[ 1626.835164][ T8437] kasan_report.cold+0x83/0xdf
[ 1626.839933][ T8437] ? __lock_acquire+0x3d86/0x54a0
[ 1626.844952][ T8437] __lock_acquire+0x3d86/0x54a0
[ 1626.849794][ T8437] ? call_rcu_zapped+0xb0/0xb0
[ 1626.854614][ T8437] ? mark_lock+0xef/0x17b0
[ 1626.859019][ T8437] ? _raw_spin_unlock_irqrestore+0x3d/0x70
[ 1626.865044][ T8437] ? lockdep_hardirqs_on_prepare+0x400/0x400
[ 1626.871026][ T8437] ? lock_chain_count+0x20/0x20
[ 1626.875872][ T8437] lock_acquire+0x1ab/0x510
[ 1626.880404][ T8437] ? lock_sock_nested+0x40/0x120
[ 1626.885507][ T8437] ? lock_release+0x720/0x720
[ 1626.890189][ T8437] ? del_timer+0xc5/0x110
[ 1626.894549][ T8437] _raw_spin_lock_bh+0x2f/0x40
[ 1626.899309][ T8437] ? lock_sock_nested+0x40/0x120
[ 1626.904246][ T8437] lock_sock_nested+0x40/0x120
[ 1626.909101][ T8437] l2cap_sock_teardown_cb+0xa1/0x660
[ 1626.914384][ T8437] l2cap_chan_del+0xbc/0xa80
[ 1626.918981][ T8437] l2cap_chan_close+0x1b9/0xaf0
[ 1626.923826][ T8437] ? l2cap_rx+0x1fb0/0x1fb0
[ 1626.928425][ T8437] ? lock_release+0x720/0x720
[ 1626.933210][ T8437] ? lock_downgrade+0x6e0/0x6e0
[ 1626.938176][ T8437] l2cap_chan_timeout+0x17e/0x2f0
[ 1626.943197][ T8437] process_one_work+0x98d/0x1630
[ 1626.948207][ T8437] ? pwq_dec_nr_in_flight+0x320/0x320
[ 1626.953576][ T8437] ? rwlock_bug.part.0+0x90/0x90
[ 1626.958501][ T8437] ? _raw_spin_lock_irq+0x41/0x50
[ 1626.963516][ T8437] worker_thread+0x658/0x11f0
[ 1626.968189][ T8437] ? process_one_work+0x1630/0x1630
[ 1626.973379][ T8437] kthread+0x3e5/0x4d0
[ 1626.977526][ T8437] ? set_kthread_struct+0x130/0x130
[ 1626.982714][ T8437] ret_from_fork+0x1f/0x30
[ 1626.987175][ T8437]
[ 1626.989480][ T8437] Allocated by task 8729:
[ 1626.993784][ T8437] kasan_save_stack+0x1b/0x40
[ 1626.998489][ T8437] __kasan_kmalloc+0xa4/0xd0
[ 1627.003068][ T8437] sk_prot_alloc+0x110/0x290
[ 1627.007650][ T8437] sk_alloc+0x32/0xbc0
[ 1627.011719][ T8437] l2cap_sock_alloc.constprop.0+0x31/0x230
[ 1627.017519][ T8437] l2cap_sock_create+0x123/0x1f0
[ 1627.022451][ T8437] bt_sock_create+0x17c/0x340
[ 1627.027171][ T8437] __sock_create+0x353/0x790
[ 1627.031756][ T8437] __sys_socket+0xef/0x200
[ 1627.036166][ T8437] __x64_sys_socket+0x6f/0xb0
[ 1627.040831][ T8437] do_syscall_64+0x35/0xb0
[ 1627.045398][ T8437] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 1627.051283][ T8437]
[ 1627.053590][ T8437] The buggy address belongs to the object at ffff888018ab8000
[ 1627.053590][ T8437]  which belongs to the cache kmalloc-2k of size 2048
[ 1627.067715][ T8437] The buggy address is located 160 bytes inside of
[ 1627.067715][ T8437]  2048-byte region [ffff888018ab8000, ffff888018ab8800)
[ 1627.081068][ T8437] The buggy address belongs to the page:
[ 1627.086691][ T8437] page:ffffea000062ae00 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff888018ab8000 pfn:0x18ab8
[ 1627.098133][ T8437] head:ffffea000062ae00 order:3 compound_mapcount:0 compound_pincount:0
[ 1627.106453][ T8437] flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff)
[ 1627.114548][ T8437] raw: 00fff00000010200 0000000000000000 0000000100000001 ffff888010842000
[ 1627.123132][ T8437] raw: ffff888018ab8000 0000000080080007 00000001ffffffff 0000000000000000
[ 1627.131697][ T8437] page dumped because: kasan: bad access detected
[ 1627.138096][ T8437] page_owner tracks the page as allocated
[ 1627.143795][ T8437] page last allocated via order 3, migratetype Unmovable, gfp_mask 0x52a20(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 8729, ts 1586247730237, free_ts 1585911828037
[ 1627.161148][ T8437] get_page_from_freelist+0xa72/0x2f80
[ 1627.166628][ T8437] __alloc_pages+0x1b2/0x500
[ 1627.171207][ T8437] alloc_pages+0x18c/0x2a0
[ 1627.175739][ T8437] allocate_slab+0x32e/0x4b0
[ 1627.180343][ T8437] ___slab_alloc+0x4ba/0x820
[ 1627.184933][ T8437] __slab_alloc.constprop.0+0xa7/0xf0
[ 1627.190299][ T8437] __kmalloc+0x312/0x330
[ 1627.194531][ T8437] sk_prot_alloc+0x110/0x290
[ 1627.199116][ T8437] sk_alloc+0x32/0xbc0
[ 1627.203183][ T8437] l2cap_sock_alloc.constprop.0+0x31/0x230
[ 1627.208990][ T8437] l2cap_sock_create+0x123/0x1f0
[ 1627.213922][ T8437] bt_sock_create+0x17c/0x340
[ 1627.220071][ T8437] __sock_create+0x353/0x790
[ 1627.224650][ T8437] __sys_socket+0xef/0x200
[ 1627.229053][ T8437] __x64_sys_socket+0x6f/0xb0
[ 1627.234064][ T8437] do_syscall_64+0x35/0xb0
[ 1627.238481][ T8437] page last free stack trace:
[ 1627.243141][ T8437] free_pcp_prepare+0x2c5/0x780
[ 1627.248057][ T8437] free_unref_page+0x19/0x690
[ 1627.252728][ T8437] unfreeze_partials+0x17c/0x1d0
[ 1627.257655][ T8437] put_cpu_partial+0x13d/0x230
[ 1627.262759][ T8437] qlist_free_all+0x5a/0xc0
[ 1627.267288][ T8437] kasan_quarantine_reduce+0x180/0x200
[ 1627.272739][ T8437] __kasan_slab_alloc+0x95/0xb0
[ 1627.277585][ T8437] kmem_cache_alloc_trace+0x1b3/0x3c0
[ 1627.282960][ T8437] nsim_fib_event_work+0x70c/0x2490
[ 1627.288230][ T8437] process_one_work+0x98d/0x1630
[ 1627.293163][ T8437] worker_thread+0x85c/0x11f0
[ 1627.297912][ T8437] kthread+0x3e5/0x4d0
[ 1627.301975][ T8437] ret_from_fork+0x1f/0x30
[ 1627.306393][ T8437]
[ 1627.308715][ T8437] Memory state around the buggy address:
[ 1627.314332][ T8437]  ffff888018ab7f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 1627.322408][ T8437]  ffff888018ab8000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1627.330654][ T8437] >ffff888018ab8080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1627.338703][ T8437]                                ^
[ 1627.343893][ T8437]  ffff888018ab8100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1627.351944][ T8437]  ffff888018ab8180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1627.359993][ T8437] ==================================================================
[ 1627.368048][ T8437] Disabling lock debugging due to kernel taint
[ 1627.374273][ T8437] Kernel panic - not syncing: panic_on_warn set ...
[ 1627.381126][ T8437] CPU: 1 PID: 8437 Comm: kworker/1:3 Tainted: G B 5.14.0-rc7-syzkaller #0
[ 1627.391025][ T8437] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 1627.401074][ T8437] Workqueue: events l2cap_chan_timeout
[ 1627.406543][ T8437] Call Trace:
[ 1627.409987][ T8437] dump_stack_lvl+0xcd/0x134
[ 1627.414587][ T8437] panic+0x306/0x73d
[ 1627.418504][ T8437] ? __warn_printk+0xf3/0xf3
[ 1627.423083][ T8437] ? __lock_acquire+0x3d86/0x54a0
[ 1627.428095][ T8437] ? __lock_acquire+0x3d86/0x54a0
[ 1627.433105][ T8437] ? __lock_acquire+0x3d86/0x54a0
[ 1627.438117][ T8437] end_report.cold+0x5a/0x5a
[ 1627.442699][ T8437] kasan_report.cold+0x71/0xdf
[ 1627.447455][ T8437] ? __lock_acquire+0x3d86/0x54a0
[ 1627.452729][ T8437] __lock_acquire+0x3d86/0x54a0
[ 1627.457564][ T8437] ? call_rcu_zapped+0xb0/0xb0
[ 1627.462333][ T8437] ? mark_lock+0xef/0x17b0
[ 1627.466774][ T8437] ? _raw_spin_unlock_irqrestore+0x3d/0x70
[ 1627.472581][ T8437] ? lockdep_hardirqs_on_prepare+0x400/0x400
[ 1627.478652][ T8437] ? lock_chain_count+0x20/0x20
[ 1627.483501][ T8437] lock_acquire+0x1ab/0x510
[ 1627.488003][ T8437] ? lock_sock_nested+0x40/0x120
[ 1627.492938][ T8437] ? lock_release+0x720/0x720
[ 1627.497602][ T8437] ? del_timer+0xc5/0x110
[ 1627.501928][ T8437] _raw_spin_lock_bh+0x2f/0x40
[ 1627.506685][ T8437] ? lock_sock_nested+0x40/0x120
[ 1627.511620][ T8437] lock_sock_nested+0x40/0x120
[ 1627.516386][ T8437] l2cap_sock_teardown_cb+0xa1/0x660
[ 1627.521678][ T8437] l2cap_chan_del+0xbc/0xa80
[ 1627.530263][ T8437] l2cap_chan_close+0x1b9/0xaf0
[ 1627.535123][ T8437] ? l2cap_rx+0x1fb0/0x1fb0
[ 1627.539658][ T8437] ? lock_release+0x720/0x720
[ 1627.544332][ T8437] ? lock_downgrade+0x6e0/0x6e0
[ 1627.549181][ T8437] l2cap_chan_timeout+0x17e/0x2f0
[ 1627.554298][ T8437] process_one_work+0x98d/0x1630
[ 1627.559233][ T8437] ? pwq_dec_nr_in_flight+0x320/0x320
[ 1627.564596][ T8437] ? rwlock_bug.part.0+0x90/0x90
[ 1627.569535][ T8437] ? _raw_spin_lock_irq+0x41/0x50
[ 1627.574570][ T8437] worker_thread+0x658/0x11f0
[ 1627.579352][ T8437] ? process_one_work+0x1630/0x1630
[ 1627.584654][ T8437] kthread+0x3e5/0x4d0
[ 1627.588752][ T8437] ? set_kthread_struct+0x130/0x130
[ 1627.594302][ T8437] ret_from_fork+0x1f/0x30
[ 1627.599948][ T8437] Kernel Offset: disabled
[ 1627.604268][ T8437] Rebooting in 86400 seconds..
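How to read the report above: KASAN flagged an 8-byte read at offset 160 into a kmalloc-2k object that task 8729 allocated through l2cap_sock_alloc (a Bluetooth L2CAP socket). The read happens in __lock_acquire while lock_sock_nested is called from l2cap_sock_teardown_cb, inside the l2cap_chan_timeout work item, so the channel timeout work ran against a socket whose memory had already been freed; the shadow byte at the address is 0xfb, which KASAN uses for freed kmalloc memory. Two parts of the report are easy to misread. First, it prints no "Freed by task" stack, so the free site has to be found elsewhere. Second, the "page last free stack trace" (nsim_fib_event_work) is page_owner data about the backing page, whose free_ts predates the allocation ts, and says nothing about when the socket object itself was freed.

The following Python script is an added example, not part of syzkaller or the kernel tree. It parses a generic-mode KASAN report out of console output into a triage dict, decodes the shadow byte under the "^" marker, keeps the object alloc/free stacks separate from the page_owner stack, and picks a frame to blame with a heuristic of my own (skip lockdep/KASAN plumbing), which is not syzbot's guilty-function logic. The embedded input is a constructed excerpt of the report above; the shadow-byte meanings are the values from the kernel's mm/kasan/kasan.h.

```python
import re

# Shadow-byte encodings as defined in the kernel's mm/kasan/kasan.h (generic mode).
SHADOW_MEANING = {0x00: "accessible", 0xf1: "stack left redzone", 0xf4: "stack partial redzone",
                  0xf9: "global redzone", 0xfb: "freed kmalloc object",
                  0xfc: "kmalloc redzone", 0xfe: "page redzone", 0xff: "freed page"}
# "[ 1626.767718][ T8437] " prefix that printk adds when caller ids are enabled.
PREFIX = re.compile(r"^\[\s*\d+\.\d+\]\[\s*T\d+\]\s?")
FRAME = re.compile(r"^(\? )?([A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+$")
# Lockdep/KASAN/report plumbing skipped when choosing a frame to blame
# (a heuristic for this example, not syzbot's own guilty-function logic).
GENERIC = re.compile(r"^(dump_stack|print_address|kasan_|__lock_acquire|lock_acquire|"
                     r"_raw_spin|lock_sock|end_report|panic)")
SECTIONS = {"Call Trace:": "call_trace", "page last free stack trace:": "page_free_stack"}
HEADER = [  # (regex, keys) for the one-line facts of a report
    (r"BUG: KASAN: (\S+) in (\S+?)\+0x", ("bug", "site")),
    (r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (\S+)/(\d+)",
     ("access", "size", "addr", "task", "pid")),
    (r"Workqueue: (.+)", ("workqueue",)),
    (r"The buggy address belongs to the object at ([0-9a-f]+)", ("obj_base",)),
    (r"which belongs to the cache (\S+) of size (\d+)", ("cache", "obj_size")),
    (r">([0-9a-f]+): ((?:[0-9a-f]{2} ?){16})", ("row_addr", "row")),
]


def parse_kasan(lines):
    """Return a dict describing the first KASAN report found in `lines`."""
    r = {"call_trace": [], "alloc_stack": [], "free_stack": [], "page_free_stack": [],
         "alloc_pid": None, "free_pid": None, "workqueue": None, "shadow": None}
    section = None
    for raw in lines:
        line = PREFIX.sub("", raw).strip()
        if line.startswith("=====") and "bug" in r:   # closing delimiter: one report only
            break
        if not line:                                  # a blank line ends a stack section
            section = None
            continue
        fm = FRAME.match(line)
        if fm and section:
            if not fm.group(1):                       # "? func" frames are guesses; drop them
                r[section].append(fm.group(2))
            continue
        if line in SECTIONS:
            section = SECTIONS[line]
            continue
        m = re.match(r"(Allocated|Freed) by task (\d+):", line)
        if m:
            key = "alloc" if m.group(1) == "Allocated" else "free"
            section, r[key + "_pid"] = key + "_stack", int(m.group(2))
            continue
        for pat, keys in HEADER:
            m = re.match(pat, line)
            if m:
                r.update(zip(keys, m.groups()))
    r.update(size=int(r["size"]), pid=int(r["pid"]), obj_size=int(r["obj_size"]),
             addr=int(r["addr"], 16))
    r["offset"] = r["addr"] - int(r.pop("obj_base"), 16)
    if "row" in r:                                    # one shadow byte per 8-byte granule
        idx = (r["addr"] - int(r.pop("row_addr"), 16)) // 8
        r["shadow"] = int(r.pop("row").split()[idx], 16)
    return r


def blame_frame(report):
    """First call-trace frame outside lockdep/KASAN plumbing."""
    return next((f for f in report["call_trace"] if not GENERIC.match(f)), None)


def summarize(report):
    sh = report["shadow"]
    state = f"0x{sh:02x} ({SHADOW_MEANING.get(sh, 'unknown')})" if sh is not None else "n/a"
    wq = f" via workqueue {report['workqueue']}" if report["workqueue"] else ""
    return (f"{report['bug']}: {report['access']} of {report['size']} bytes at "
            f"{report['cache']}+{report['offset']} in {report['site']} (blame "
            f"{blame_frame(report)}), task {report['task']}{wq}; shadow {state}; "
            f"allocated by pid {report['alloc_pid']}; object free stack "
            f"{'present' if report['free_stack'] else 'absent'}")


# Constructed excerpt of the report above (console prefixes kept, most frames trimmed).
SAMPLE = """\
[ 1626.767718][ T8437] BUG: KASAN: use-after-free in __lock_acquire+0x3d86/0x54a0
[ 1626.775154][ T8437] Read of size 8 at addr ffff888018ab80a0 by task kworker/1:3/8437
[ 1626.804543][ T8437] Workqueue: events l2cap_chan_timeout
[ 1626.810067][ T8437] Call Trace:
[ 1626.813338][ T8437] dump_stack_lvl+0xcd/0x134
[ 1626.825010][ T8437] ? __lock_acquire+0x3d86/0x54a0
[ 1626.844952][ T8437] __lock_acquire+0x3d86/0x54a0
[ 1626.904246][ T8437] lock_sock_nested+0x40/0x120
[ 1626.909101][ T8437] l2cap_sock_teardown_cb+0xa1/0x660
[ 1626.938176][ T8437] l2cap_chan_timeout+0x17e/0x2f0
[ 1626.987175][ T8437]
[ 1626.989480][ T8437] Allocated by task 8729:
[ 1626.993784][ T8437] kasan_save_stack+0x1b/0x40
[ 1627.011719][ T8437] l2cap_sock_alloc.constprop.0+0x31/0x230
[ 1627.051283][ T8437]
[ 1627.053590][ T8437] The buggy address belongs to the object at ffff888018ab8000
[ 1627.053590][ T8437]  which belongs to the cache kmalloc-2k of size 2048
[ 1627.238481][ T8437] page last free stack trace:
[ 1627.282960][ T8437] nsim_fib_event_work+0x70c/0x2490
[ 1627.306393][ T8437]
[ 1627.330654][ T8437] >ffff888018ab8080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1627.359993][ T8437] ==================================================================
"""

EXAMPLE = parse_kasan(SAMPLE.splitlines())
```

Run it with `python3 -c 'import kasan_triage as k; print(k.summarize(k.EXAMPLE))'` (any module name works) or feed a full console log to parse_kasan; the parser stops at the first closing "=====" line so a follow-on panic trace, as in this log, is not merged into the report. The decisive fields for triage here are the workqueue, the blamed frame (l2cap_sock_teardown_cb) and the absent object free stack: that combination says "find where this socket is freed while the channel timer is still armed" before anything else.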