Warning: Permanently added '10.128.0.241' (ECDSA) to the list of known hosts.
2021/10/03 02:40:15 parsed 1 programs
2021/10/03 02:40:15 executed programs: 0
syzkaller login: [ 1580.301943] IPVS: ftp: loaded support on port[0] = 21
[ 1580.398719] chnl_net:caif_netlink_parms(): no params data found
[ 1580.486288] bridge0: port 1(bridge_slave_0) entered blocking state
[ 1580.492825] bridge0: port 1(bridge_slave_0) entered disabled state
[ 1580.500362] device bridge_slave_0 entered promiscuous mode
[ 1580.507449] bridge0: port 2(bridge_slave_1) entered blocking state
[ 1580.513802] bridge0: port 2(bridge_slave_1) entered disabled state
[ 1580.521225] device bridge_slave_1 entered promiscuous mode
[ 1580.537430] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 1580.546150] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 1580.564321] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 1580.572734] team0: Port device team_slave_0 added
[ 1580.578479] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 1580.585700] team0: Port device team_slave_1 added
[ 1580.600621] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 1580.606996] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 1580.632363] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[ 1580.643561] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 1580.649867] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 1580.675080] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[ 1580.685599] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[ 1580.692808] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[ 1580.710845] device hsr_slave_0 entered promiscuous mode
[ 1580.716444] device hsr_slave_1 entered promiscuous mode
[ 1580.722220] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready
[ 1580.729305] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_1: link is not ready
[ 1580.788692] bridge0: port 2(bridge_slave_1) entered blocking state
[ 1580.795094] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 1580.801767] bridge0: port 1(bridge_slave_0) entered blocking state
[ 1580.808161] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 1580.834468] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[ 1580.840878] 8021q: adding VLAN 0 to HW filter on device bond0
[ 1580.848897] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 1580.859103] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 1580.867642] bridge0: port 1(bridge_slave_0) entered disabled state
[ 1580.874455] bridge0: port 2(bridge_slave_1) entered disabled state
[ 1580.884007] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready
[ 1580.890279] 8021q: adding VLAN 0 to HW filter on device team0
[ 1580.898595] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 1580.906731] bridge0: port 1(bridge_slave_0) entered blocking state
[ 1580.913054] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 1580.932473] hsr0: Slave A (hsr_slave_0) is not up; please bring it up to get a fully working HSR network
[ 1580.942386] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
[ 1580.953673] IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready
[ 1580.960487] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 1580.968416] bridge0: port 2(bridge_slave_1) entered blocking state
[ 1580.974729] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 1580.982196] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 1580.989939] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 1580.997564] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 1581.005148] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 1581.012711] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 1581.019554] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 1581.032122] IPv6: ADDRCONF(NETDEV_UP): vxcan0: link is not ready
[ 1581.039498] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 1581.046321] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 1581.057428] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 1581.106181] IPv6: ADDRCONF(NETDEV_UP): veth0_virt_wifi: link is not ready
[ 1581.116716] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 1581.146475] IPv6: ADDRCONF(NETDEV_UP): veth0_vlan: link is not ready
[ 1581.153332] IPv6: ADDRCONF(NETDEV_UP): vlan0: link is not ready
[ 1581.160754] IPv6: ADDRCONF(NETDEV_UP): vlan1: link is not ready
[ 1581.169664] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 1581.177414] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 1581.184191] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 1581.192644] device veth0_vlan entered promiscuous mode
[ 1581.201580] device veth1_vlan entered promiscuous mode
[ 1581.208117] IPv6: ADDRCONF(NETDEV_UP): macvlan0: link is not ready
[ 1581.216779] IPv6: ADDRCONF(NETDEV_UP): macvlan1: link is not ready
[ 1581.227223] IPv6: ADDRCONF(NETDEV_UP): veth0_macvtap: link is not ready
[ 1581.236317] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan0: link becomes ready
[ 1581.243405] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan1: link becomes ready
[ 1581.250891] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 1581.259533] device veth0_macvtap entered promiscuous mode
[ 1581.265835] IPv6: ADDRCONF(NETDEV_UP): macvtap0: link is not ready
[ 1581.273859] device veth1_macvtap entered promiscuous mode
[ 1581.282644] IPv6: ADDRCONF(NETDEV_UP): veth0_to_batadv: link is not ready
[ 1581.291376] IPv6: ADDRCONF(NETDEV_UP): veth1_to_batadv: link is not ready
[ 1581.301079] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 1581.308174] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 1581.316223] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready
[ 1581.325427] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 1581.332066] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 1581.385081] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 1582.355858] Bluetooth: hci0 command 0x0409 tx timeout
[ 1584.424761] Bluetooth: hci0 command 0x041b tx timeout
2021/10/03 02:40:21 executed programs: 4
[ 1586.515035] Bluetooth: hci0 command 0x040f tx timeout
[ 1588.584555] Bluetooth: hci0 command 0x0419 tx timeout
2021/10/03 02:40:26 executed programs: 10
[ 1590.664422] Bluetooth: hci0 command 0x0405 tx timeout
2021/10/03 02:40:31 executed programs: 16
2021/10/03 02:40:36 executed programs: 22
2021/10/03 02:40:41 executed programs: 28
2021/10/03 02:40:46 executed programs: 34
2021/10/03 02:40:51 executed programs: 40
2021/10/03 02:40:56 executed programs: 46
2021/10/03 02:41:01 executed programs: 52
2021/10/03 02:41:07 executed programs: 58
2021/10/03 02:41:12 executed programs: 64
2021/10/03 02:41:17 executed programs: 70
2021/10/03 02:41:22 executed programs: 76
2021/10/03 02:41:27 executed programs: 82
2021/10/03 02:41:32 executed programs: 88
2021/10/03 02:41:37 executed programs: 94
2021/10/03 02:41:42 executed programs: 100
2021/10/03 02:41:47 executed programs: 106
2021/10/03 02:41:52 executed programs: 112
2021/10/03 02:41:57 executed programs: 118
2021/10/03 02:42:02 executed programs: 124
2021/10/03 02:42:07 executed programs: 130
2021/10/03 02:42:12 executed programs: 136
2021/10/03 02:42:17 executed programs: 142
[ 1704.818307] Bluetooth: hci0 command 0x0406 tx timeout
2021/10/03 02:42:22 executed programs: 148
2021/10/03 02:42:27 executed programs: 154
2021/10/03 02:42:32 executed programs: 160
2021/10/03 02:42:37 executed programs: 166
2021/10/03 02:42:42 executed programs: 172
2021/10/03 02:42:47 executed programs: 178
2021/10/03 02:42:52 executed programs: 184
2021/10/03 02:42:58 executed programs: 190
2021/10/03 02:43:03 executed programs: 196
2021/10/03 02:43:08 executed programs: 202
2021/10/03 02:43:13 executed programs: 208
2021/10/03 02:43:18 executed programs: 214
2021/10/03 02:43:23 executed programs: 220
2021/10/03 02:43:28 executed programs: 226
2021/10/03 02:43:33 executed programs: 232
2021/10/03 02:43:38 executed programs: 238
2021/10/03 02:43:43 executed programs: 244
2021/10/03 02:43:48 executed programs: 250
2021/10/03 02:43:53 executed programs: 256
2021/10/03 02:43:58 executed programs: 262
2021/10/03 02:44:03 executed programs: 268
2021/10/03 02:44:08 executed programs: 274
2021/10/03 02:44:13 executed programs: 280
2021/10/03 02:44:18 executed programs: 286
2021/10/03 02:44:23 executed programs: 292
2021/10/03 02:44:28 executed programs: 298
2021/10/03 02:44:33 executed programs: 304
2021/10/03 02:44:38 executed programs: 310
2021/10/03 02:44:44 executed programs: 316
2021/10/03 02:44:49 executed programs: 322
2021/10/03 02:44:54 executed programs: 328
2021/10/03 02:44:59 executed programs: 334
2021/10/03 02:45:04 executed programs: 340
2021/10/03 02:45:09 executed programs: 346
2021/10/03 02:45:14 executed programs: 352
2021/10/03 02:45:19 executed programs: 358
2021/10/03 02:45:24 executed programs: 364
2021/10/03 02:45:29 executed programs: 370
2021/10/03 02:45:34 executed programs: 376
2021/10/03 02:45:39 executed programs: 382
2021/10/03 02:45:44 executed programs: 388
2021/10/03 02:45:49 executed programs: 394
2021/10/03 02:45:54 executed programs: 400
2021/10/03 02:45:59 executed programs: 406
2021/10/03 02:46:04 executed programs: 412
2021/10/03 02:46:09 executed programs: 418
2021/10/03 02:46:14 executed programs: 424
2021/10/03 02:46:19 executed programs: 430
2021/10/03 02:46:24 executed programs: 436
2021/10/03 02:46:30 executed programs: 442
2021/10/03 02:46:35 executed programs: 448
2021/10/03 02:46:40 executed programs: 454
2021/10/03 02:46:45 executed programs: 460
2021/10/03 02:46:50 executed programs: 466
2021/10/03 02:46:55 executed programs: 472
2021/10/03 02:47:00 executed programs: 478
2021/10/03 02:47:05 executed programs: 484
2021/10/03 02:47:10 executed programs: 490
2021/10/03 02:47:15 executed programs: 496
2021/10/03 02:47:20 executed programs: 502
2021/10/03 02:47:25 executed programs: 508
2021/10/03 02:47:30 executed programs: 514
2021/10/03 02:47:35 executed programs: 520
2021/10/03 02:47:40 executed programs: 526
2021/10/03 02:47:45 executed programs: 532
2021/10/03 02:47:50 executed programs: 538
2021/10/03 02:47:55 executed programs: 544
2021/10/03 02:48:00 executed programs: 550
2021/10/03 02:48:05 executed programs: 556
2021/10/03 02:48:10 executed programs: 562
2021/10/03 02:48:15 executed programs: 568
2021/10/03 02:48:21 executed programs: 574
2021/10/03 02:48:26 executed programs: 580
2021/10/03 02:48:31 executed programs: 586
[ 2075.196556] ==================================================================
[ 2075.203940] BUG: KASAN: use-after-free in __lock_acquire+0x2c57/0x3f20
[ 2075.210591] Read of size 8 at addr ffff8880a1b084e0 by task kworker/0:0/7968
[ 2075.217750]
[ 2075.219365] CPU: 0 PID: 7968 Comm: kworker/0:0 Not tainted 4.14.248-syzkaller #0
[ 2075.226876] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 2075.236219] Workqueue: events l2cap_chan_timeout
[ 2075.240958] Call Trace:
[ 2075.243527]  dump_stack+0x1b2/0x281
[ 2075.247134]  print_address_description.cold+0x54/0x1d3
[ 2075.252390]  kasan_report_error.cold+0x8a/0x191
[ 2075.257040]  ? __lock_acquire+0x2c57/0x3f20
[ 2075.261346]  __asan_report_load8_noabort+0x68/0x70
[ 2075.266253]  ? __lock_acquire+0x2c57/0x3f20
[ 2075.270556]  __lock_acquire+0x2c57/0x3f20
[ 2075.274794]  ? lock_acquire+0x170/0x3f0
[ 2075.278834]  ? lock_downgrade+0x740/0x740
[ 2075.282959]  ? trace_hardirqs_on+0x10/0x10
[ 2075.288645]  ? debug_object_assert_init+0x22d/0x2d0
[ 2075.293651]  ? debug_object_active_state+0x330/0x330
[ 2075.298738]  ? ret_from_fork+0x24/0x30
[ 2075.302608]  ? add_lock_to_list.constprop.0+0x17d/0x330
[ 2075.308032]  ? save_trace+0xd6/0x290
[ 2075.311720]  lock_acquire+0x170/0x3f0
[ 2075.315496]  ? lock_sock_nested+0x39/0x100
[ 2075.319724]  _raw_spin_lock_bh+0x2f/0x40
[ 2075.323762]  ? lock_sock_nested+0x39/0x100
[ 2075.327985]  lock_sock_nested+0x39/0x100
[ 2075.332024]  l2cap_sock_teardown_cb+0x93/0x650
[ 2075.336599]  l2cap_chan_del+0xaf/0x950
[ 2075.340463]  l2cap_chan_close+0x103/0x870
[ 2075.344593]  ? __set_monitor_timer+0x1d0/0x1d0
[ 2075.349150]  ? lock_acquire+0x170/0x3f0
[ 2075.353103]  l2cap_chan_timeout+0x143/0x2a0
[ 2075.357431]  process_one_work+0x793/0x14a0
[ 2075.361655]  ? work_busy+0x320/0x320
[ 2075.365345]  ? worker_thread+0x158/0xff0
[ 2075.369383]  ? _raw_spin_unlock_irq+0x24/0x80
[ 2075.373854]  worker_thread+0x5cc/0xff0
[ 2075.377718]  ? rescuer_thread+0xc80/0xc80
[ 2075.381843]  kthread+0x30d/0x420
[ 2075.385187]  ? kthread_create_on_node+0xd0/0xd0
[ 2075.389832]  ret_from_fork+0x24/0x30
[ 2075.393561]
[ 2075.395164] Allocated by task 11464:
[ 2075.398855]  kasan_kmalloc+0xeb/0x160
[ 2075.402629]  __kmalloc+0x15a/0x400
[ 2075.406149]  sk_prot_alloc+0x1ba/0x290
[ 2075.410012]  sk_alloc+0x36/0xcd0
[ 2075.413357]  l2cap_sock_alloc.constprop.0+0x31/0x210
[ 2075.418437]  l2cap_sock_create+0xf0/0x1a0
[ 2075.422558]  bt_sock_create+0x13b/0x280
[ 2075.426504]  __sock_create+0x303/0x620
[ 2075.430363]  SyS_socket+0xd1/0x1b0
[ 2075.433876]  do_syscall_64+0x1d5/0x640
[ 2075.437749]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 2075.442909]
[ 2075.444512] Freed by task 11464:
[ 2075.447872]  kasan_slab_free+0xc3/0x1a0
[ 2075.451824]  kfree+0xc9/0x250
[ 2075.454942]  __sk_destruct+0x5e3/0x760
[ 2075.458821]  __sk_free+0xd9/0x2d0
[ 2075.462246]  sk_free+0x2b/0x40
[ 2075.465414]  l2cap_sock_kill.part.0+0x106/0x130
[ 2075.470056]  l2cap_sock_release+0x1cd/0x280
[ 2075.474351]  __sock_release+0xcd/0x2b0
[ 2075.478299]  sock_close+0x15/0x20
[ 2075.481728]  __fput+0x25f/0x7a0
[ 2075.484999]  task_work_run+0x11f/0x190
[ 2075.488865]  get_signal+0x18a3/0x1ca0
[ 2075.492640]  do_signal+0x7c/0x1550
[ 2075.496154]  exit_to_usermode_loop+0x160/0x200
[ 2075.500796]  do_syscall_64+0x4a3/0x640
[ 2075.504660]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 2075.509820]
[ 2075.511425] The buggy address belongs to the object at ffff8880a1b08440
[ 2075.511425]  which belongs to the cache kmalloc-2048 of size 2048
[ 2075.524228] The buggy address is located 160 bytes inside of
[ 2075.524228]  2048-byte region [ffff8880a1b08440, ffff8880a1b08c40)
[ 2075.536161] The buggy address belongs to the page:
[ 2075.541069] page:ffffea000286c200 count:1 mapcount:0 mapping:ffff8880a1b08440 index:0xffff8880a1b09540 compound_mapcount: 0
[ 2075.552312] flags: 0xfff00000008100(slab|head)
[ 2075.556867] raw: 00fff00000008100 ffff8880a1b08440 ffff8880a1b09540 0000000100000002
[ 2075.564721] raw: ffffea00025345a0 ffffea00028d37a0 ffff88813fe80c40 0000000000000000
[ 2075.572604] page dumped because: kasan: bad access detected
[ 2075.578290]
[ 2075.579893] Memory state around the buggy address:
[ 2075.584803]  ffff8880a1b08380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 2075.592139]  ffff8880a1b08400: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 2075.599577] >ffff8880a1b08480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 2075.606910]                                                        ^
[ 2075.613431]  ffff8880a1b08500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 2075.620772]  ffff8880a1b08580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 2075.628107] ==================================================================
[ 2075.635439] Disabling lock debugging due to kernel taint
[ 2075.640884] Kernel panic - not syncing: panic_on_warn set ...
[ 2075.640884]
[ 2075.648240] CPU: 0 PID: 7968 Comm: kworker/0:0 Tainted: G    B   4.14.248-syzkaller #0
[ 2075.656962] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 2075.666305] Workqueue: events l2cap_chan_timeout
[ 2075.671038] Call Trace:
[ 2075.673610]  dump_stack+0x1b2/0x281
[ 2075.677242]  panic+0x1f9/0x42d
[ 2075.680410]  ? add_taint.cold+0x16/0x16
[ 2075.684369]  ? lock_downgrade+0x740/0x740
[ 2075.688503]  kasan_end_report+0x43/0x49
[ 2075.692483]  kasan_report_error.cold+0xa7/0x191
[ 2075.697132]  ? __lock_acquire+0x2c57/0x3f20
[ 2075.701449]  __asan_report_load8_noabort+0x68/0x70
[ 2075.706359]  ? __lock_acquire+0x2c57/0x3f20
[ 2075.710676]  __lock_acquire+0x2c57/0x3f20
[ 2075.714825]  ? lock_acquire+0x170/0x3f0
[ 2075.718775]  ? lock_downgrade+0x740/0x740
[ 2075.722894]  ? trace_hardirqs_on+0x10/0x10
[ 2075.727102]  ? debug_object_assert_init+0x22d/0x2d0
[ 2075.732092]  ? debug_object_active_state+0x330/0x330
[ 2075.737169]  ? ret_from_fork+0x24/0x30
[ 2075.741071]  ? add_lock_to_list.constprop.0+0x17d/0x330
[ 2075.746410]  ? save_trace+0xd6/0x290
[ 2075.750101]  lock_acquire+0x170/0x3f0
[ 2075.753891]  ? lock_sock_nested+0x39/0x100
[ 2075.758100]  _raw_spin_lock_bh+0x2f/0x40
[ 2075.762134]  ? lock_sock_nested+0x39/0x100
[ 2075.766340]  lock_sock_nested+0x39/0x100
[ 2075.770377]  l2cap_sock_teardown_cb+0x93/0x650
[ 2075.774930]  l2cap_chan_del+0xaf/0x950
[ 2075.778791]  l2cap_chan_close+0x103/0x870
[ 2075.782922]  ? __set_monitor_timer+0x1d0/0x1d0
[ 2075.787484]  ? lock_acquire+0x170/0x3f0
[ 2075.791439]  l2cap_chan_timeout+0x143/0x2a0
[ 2075.795737]  process_one_work+0x793/0x14a0
[ 2075.799946]  ? work_busy+0x320/0x320
[ 2075.803638]  ? worker_thread+0x158/0xff0
[ 2075.807686]  ? _raw_spin_unlock_irq+0x24/0x80
[ 2075.812246]  worker_thread+0x5cc/0xff0
[ 2075.816111]  ? rescuer_thread+0xc80/0xc80
[ 2075.820319]  kthread+0x30d/0x420
[ 2075.823665]  ? kthread_create_on_node+0xd0/0xd0
[ 2075.828318]  ret_from_fork+0x24/0x30
[ 2075.832261] Kernel Offset: disabled
[ 2075.835873] Rebooting in 86400 seconds..