Warning: Permanently added '10.128.0.124' (ECDSA) to the list of known hosts.
2021/10/23 02:55:44 parsed 1 programs
syzkaller login: [ 405.774903][ T6543] cgroup: Unknown subsys name 'net'
[ 405.787365][ T6543] cgroup: Unknown subsys name 'rlimit'
2021/10/23 02:55:44 executed programs: 0
[ 406.175640][ T25] audit: type=1400 audit(1634957744.904:8): avc: denied { execmem } for pid=6555 comm="syz-executor.0" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=1
[ 407.495453][ T6556] chnl_net:caif_netlink_parms(): no params data found
[ 407.587139][ T6556] bridge0: port 1(bridge_slave_0) entered blocking state
[ 407.595391][ T6556] bridge0: port 1(bridge_slave_0) entered disabled state
[ 407.605572][ T6556] device bridge_slave_0 entered promiscuous mode
[ 407.616329][ T6556] bridge0: port 2(bridge_slave_1) entered blocking state
[ 407.624483][ T6556] bridge0: port 2(bridge_slave_1) entered disabled state
[ 407.633757][ T6556] device bridge_slave_1 entered promiscuous mode
[ 407.668037][ T6556] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 407.684627][ T6556] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 407.726279][ T6556] team0: Port device team_slave_0 added
[ 407.734584][ T6556] team0: Port device team_slave_1 added
[ 407.761328][ T6556] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 407.768364][ T6556] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 407.795160][ T6556] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[ 407.808311][ T6556] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 407.815493][ T6556] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 407.841559][ T6556] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[ 407.879433][ T6556] device hsr_slave_0 entered promiscuous mode
[ 407.886915][ T6556] device hsr_slave_1 entered promiscuous mode
[ 408.020932][ T6556] netdevsim netdevsim0 netdevsim0: renamed from eth0
[ 408.036680][ T6556] netdevsim netdevsim0 netdevsim1: renamed from eth1
[ 408.046029][ T6556] netdevsim netdevsim0 netdevsim2: renamed from eth2
[ 408.058113][ T6556] netdevsim netdevsim0 netdevsim3: renamed from eth3
[ 408.085706][ T6556] bridge0: port 2(bridge_slave_1) entered blocking state
[ 408.092878][ T6556] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 408.100765][ T6556] bridge0: port 1(bridge_slave_0) entered blocking state
[ 408.107890][ T6556] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 408.156752][ T6556] 8021q: adding VLAN 0 to HW filter on device bond0
[ 408.173186][ T1265] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 408.184954][ T1265] bridge0: port 1(bridge_slave_0) entered disabled state
[ 408.194484][ T1265] bridge0: port 2(bridge_slave_1) entered disabled state
[ 408.202993][ T1265] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 408.216237][ T6556] 8021q: adding VLAN 0 to HW filter on device team0
[ 408.228548][ T1265] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 408.237169][ T1265] bridge0: port 1(bridge_slave_0) entered blocking state
[ 408.244322][ T1265] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 408.256536][ T1054] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 408.266170][ T1054] bridge0: port 2(bridge_slave_1) entered blocking state
[ 408.273884][ T1054] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 408.297168][ T6890] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 408.306774][ T6890] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 408.319543][ T1054] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 408.336796][ T6556] hsr0: Slave A (hsr_slave_0) is not up; please bring it up to get a fully working HSR network
[ 408.348087][ T6556] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
[ 408.362130][ T1054] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 408.371979][ T1054] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 408.381300][ T1054] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 408.400226][ T6892] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 408.407700][ T6892] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 408.421274][ T6556] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 408.444898][ T6892] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 408.465653][ T6892] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_vlan: link becomes ready
[ 408.473898][ T6892] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 408.484495][ T1054] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 408.492844][ T1054] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 408.502764][ T6556] device veth0_vlan entered promiscuous mode
[ 408.517276][ T6556] device veth1_vlan entered promiscuous mode
[ 408.539134][ T6890] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan0: link becomes ready
[ 408.548431][ T6890] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan1: link becomes ready
[ 408.557502][ T6890] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_macvtap: link becomes ready
[ 408.566862][ T6890] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 408.578812][ T6556] device veth0_macvtap entered promiscuous mode
[ 408.590418][ T6556] device veth1_macvtap entered promiscuous mode
[ 408.611704][ T6556] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 408.619965][ T1054] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready
[ 408.628250][ T1054] IPv6: ADDRCONF(NETDEV_CHANGE): macsec0: link becomes ready
[ 408.636756][ T1054] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready
[ 408.645779][ T1054] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 408.658855][ T6556] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 408.666499][ T1054] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready
[ 408.675328][ T1054] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 408.688039][ T6556] netdevsim netdevsim0 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0
[ 408.697051][ T6556] netdevsim netdevsim0 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0
[ 408.706353][ T6556] netdevsim netdevsim0 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0
[ 408.716197][ T6556] netdevsim netdevsim0 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0
[ 408.813237][ T450] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[ 408.821317][ T450] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50
[ 408.837178][ T6892] IPv6: ADDRCONF(NETDEV_CHANGE): wlan0: link becomes ready
[ 408.885049][ T450] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[ 408.894689][ T450] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50
[ 408.904254][ T6892] IPv6: ADDRCONF(NETDEV_CHANGE): wlan1: link becomes ready
[ 409.330823][ T6889] Bluetooth: hci0: command 0x0409 tx timeout
2021/10/23 02:55:49 executed programs: 60
[ 411.400435][ T1054] Bluetooth: hci0: command 0x041b tx timeout
[ 413.479631][ T1054] Bluetooth: hci0: command 0x040f tx timeout
[ 415.559459][ T6721] Bluetooth: hci0: command 0x0419 tx timeout
2021/10/23 02:55:54 executed programs: 194
[ 417.639281][ T1054] Bluetooth: hci0: command 0x0405 tx timeout
2021/10/23 02:55:59 executed programs: 336
2021/10/23 02:56:04 executed programs: 476
2021/10/23 02:56:09 executed programs: 616
2021/10/23 02:56:14 executed programs: 759
[ 439.639782][ T1360] ieee802154 phy0 wpan0: encryption failed: -22
[ 439.646431][ T1360] ieee802154 phy1 wpan1: encryption failed: -22
2021/10/23 02:56:20 executed programs: 895
2021/10/23 02:56:25 executed programs: 1037
2021/10/23 02:56:30 executed programs: 1174
[ 453.728803][ T6889] ==================================================================
[ 453.736887][ T6889] BUG: KASAN: use-after-free in __lock_acquire+0x3d86/0x54a0
[ 453.744356][ T6889] Read of size 8 at addr ffff888070018120 by task kworker/0:1/6889
[ 453.752266][ T6889]
[ 453.754589][ T6889] CPU: 0 PID: 6889 Comm: kworker/0:1 Not tainted 5.15.0-rc6-syzkaller #0
[ 453.763006][ T6889] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 453.773067][ T6889] Workqueue: events l2cap_chan_timeout
[ 453.778611][ T6889] Call Trace:
[ 453.781889][ T6889]  dump_stack_lvl+0xcd/0x134
[ 453.786563][ T6889]  print_address_description.constprop.0.cold+0x6c/0x2d6
[ 453.793614][ T6889]  ? __lock_acquire+0x3d86/0x54a0
[ 453.798647][ T6889]  ? __lock_acquire+0x3d86/0x54a0
[ 453.804116][ T6889]  kasan_report.cold+0x83/0xdf
[ 453.808895][ T6889]  ? __lock_acquire+0x3d86/0x54a0
[ 453.813928][ T6889]  __lock_acquire+0x3d86/0x54a0
[ 453.819146][ T6889]  ? mark_lock+0xef/0x17b0
[ 453.823571][ T6889]  ? _raw_spin_unlock_irqrestore+0x3d/0x70
[ 453.829470][ T6889]  ? debug_object_assert_init+0x246/0x2e0
[ 453.835520][ T6889]  ? lockdep_hardirqs_on_prepare+0x400/0x400
[ 453.841516][ T6889]  lock_acquire+0x1ab/0x510
[ 453.846033][ T6889]  ? l2cap_sock_teardown_cb+0xa1/0x660
[ 453.851568][ T6889]  ? lock_release+0x720/0x720
[ 453.856254][ T6889]  ? mark_held_locks+0x9f/0xe0
[ 453.861027][ T6889]  ? cancel_delayed_work+0x2bd/0x340
[ 453.866382][ T6889]  lock_sock_nested+0x2f/0xf0
[ 453.871133][ T6889]  ? l2cap_sock_teardown_cb+0xa1/0x660
[ 453.876581][ T6889]  l2cap_sock_teardown_cb+0xa1/0x660
[ 453.881855][ T6889]  ? __mutex_lock+0x21c/0x12f0
[ 453.886609][ T6889]  l2cap_chan_del+0xbc/0xa80
[ 453.891296][ T6889]  l2cap_chan_close+0x1b9/0xaf0
[ 453.896135][ T6889]  ? l2cap_rx+0x1fb0/0x1fb0
[ 453.900627][ T6889]  ? lock_release+0x720/0x720
[ 453.905412][ T6889]  ? lock_downgrade+0x6e0/0x6e0
[ 453.910249][ T6889]  l2cap_chan_timeout+0x17e/0x2f0
[ 453.915262][ T6889]  process_one_work+0x9bf/0x16b0
[ 453.920255][ T6889]  ? pwq_dec_nr_in_flight+0x2a0/0x2a0
[ 453.925667][ T6889]  ? rwlock_bug.part.0+0x90/0x90
[ 453.930592][ T6889]  ? _raw_spin_lock_irq+0x41/0x50
[ 453.935609][ T6889]  worker_thread+0x658/0x11f0
[ 453.940275][ T6889]  ? process_one_work+0x16b0/0x16b0
[ 453.945466][ T6889]  kthread+0x3e5/0x4d0
[ 453.949523][ T6889]  ? set_kthread_struct+0x130/0x130
[ 453.954719][ T6889]  ret_from_fork+0x1f/0x30
[ 453.959166][ T6889]
[ 453.961472][ T6889] Allocated by task 10896:
[ 453.965865][ T6889]  kasan_save_stack+0x1b/0x40
[ 453.970573][ T6889]  __kasan_kmalloc+0xa1/0xd0
[ 453.975152][ T6889]  kmem_cache_alloc_trace+0x1e4/0x480
[ 453.980507][ T6889]  l2cap_chan_create+0x40/0x570
[ 453.985360][ T6889]  l2cap_sock_alloc.constprop.0+0x185/0x230
[ 453.991264][ T6889]  l2cap_sock_create+0x123/0x1f0
[ 453.996193][ T6889]  bt_sock_create+0x17c/0x340
[ 454.001005][ T6889]  __sock_create+0x353/0x790
[ 454.005701][ T6889]  __sys_socket+0xef/0x200
[ 454.010104][ T6889]  __x64_sys_socket+0x6f/0xb0
[ 454.014777][ T6889]  do_syscall_64+0x35/0xb0
[ 454.019221][ T6889]  entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 454.025103][ T6889]
[ 454.027411][ T6889] Freed by task 10895:
[ 454.031462][ T6889]  kasan_save_stack+0x1b/0x40
[ 454.036132][ T6889]  kasan_set_track+0x1c/0x30
[ 454.040703][ T6889]  kasan_set_free_info+0x20/0x30
[ 454.045625][ T6889]  __kasan_slab_free+0xd1/0x110
[ 454.050461][ T6889]  kfree+0x10a/0x2c0
[ 454.054343][ T6889]  l2cap_chan_put+0x22b/0x2d0
[ 454.059018][ T6889]  l2cap_sock_release+0x194/0x200
[ 454.064030][ T6889]  __sock_release+0xcd/0x280
[ 454.068611][ T6889]  sock_close+0x18/0x20
[ 454.072862][ T6889]  __fput+0x288/0x9f0
[ 454.076881][ T6889]  task_work_run+0xdd/0x1a0
[ 454.081372][ T6889]  exit_to_user_mode_prepare+0x27e/0x290
[ 454.087051][ T6889]  syscall_exit_to_user_mode+0x19/0x60
[ 454.092496][ T6889]  do_syscall_64+0x42/0xb0
[ 454.096909][ T6889]  entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 454.102804][ T6889]
[ 454.105116][ T6889] The buggy address belongs to the object at ffff888070018000
[ 454.105116][ T6889]  which belongs to the cache kmalloc-2k of size 2048
[ 454.119155][ T6889] The buggy address is located 288 bytes inside of
[ 454.119155][ T6889]  2048-byte region [ffff888070018000, ffff888070018800)
[ 454.132539][ T6889] The buggy address belongs to the page:
[ 454.138152][ T6889] page:ffffea0001c00600 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x70018
[ 454.148471][ T6889] flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff)
[ 454.156143][ T6889] raw: 00fff00000000200 ffffea0001c09ec8 ffffea000089a188 ffff888010c40800
[ 454.164814][ T6889] raw: 0000000000000000 ffff888070018000 0000000100000001 0000000000000000
[ 454.173393][ T6889] page dumped because: kasan: bad access detected
[ 454.179784][ T6889] page_owner tracks the page as allocated
[ 454.185474][ T6889] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2d2220(__GFP_HIGH|__GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_THISNODE), pid 6556, ts 408078480606, free_ts 65966719407
[ 454.206564][ T6889]  get_page_from_freelist+0xa72/0x2f80
[ 454.212085][ T6889]  __alloc_pages+0x1b2/0x500
[ 454.216666][ T6889]  cache_grow_begin+0x75/0x460
[ 454.221413][ T6889]  cache_alloc_refill+0x27f/0x380
[ 454.226449][ T6889]  kmem_cache_alloc_node_trace+0x4ca/0x5d0
[ 454.232250][ T6889]  __kmalloc_node_track_caller+0x38/0x60
[ 454.237891][ T6889]  pskb_expand_head+0x15e/0x1060
[ 454.242825][ T6889]  netlink_trim+0x1ea/0x240
[ 454.247371][ T6889]  netlink_broadcast_filtered+0x65/0xdc0
[ 454.253050][ T6889]  nlmsg_notify+0x94/0x290
[ 454.257457][ T6889]  rtmsg_ifinfo+0xf0/0x120
[ 454.262010][ T6889]  __dev_notify_flags+0x226/0x2b0
[ 454.267178][ T6889]  dev_change_flags+0x112/0x170
[ 454.272019][ T6889]  do_setlink+0x96d/0x3970
[ 454.276420][ T6889]  __rtnl_newlink+0xde6/0x1750
[ 454.281268][ T6889]  rtnl_newlink+0x64/0xa0
[ 454.285604][ T6889] page last free stack trace:
[ 454.290256][ T6889]  free_pcp_prepare+0x2c5/0x780
[ 454.295101][ T6889]  free_unref_page_list+0x1a9/0xfa0
[ 454.300287][ T6889]  release_pages+0x830/0x20b0
[ 454.305021][ T6889]  tlb_finish_mmu+0x165/0x8c0
[ 454.309755][ T6889]  exit_mmap+0x1ea/0x630
[ 454.313990][ T6889]  __mmput+0x122/0x4b0
[ 454.318200][ T6889]  mmput+0x58/0x60
[ 454.321995][ T6889]  do_exit+0xabc/0x2a30
[ 454.326147][ T6889]  do_group_exit+0x125/0x310
[ 454.330725][ T6889]  __x64_sys_exit_group+0x3a/0x50
[ 454.335738][ T6889]  do_syscall_64+0x35/0xb0
[ 454.340143][ T6889]  entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 454.346029][ T6889]
[ 454.348336][ T6889] Memory state around the buggy address:
[ 454.353960][ T6889]  ffff888070018000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 454.362019][ T6889]  ffff888070018080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 454.370141][ T6889] >ffff888070018100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 454.378194][ T6889]                                ^
[ 454.383283][ T6889]  ffff888070018180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 454.391347][ T6889]  ffff888070018200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 454.399561][ T6889] ==================================================================
[ 454.407604][ T6889] Disabling lock debugging due to kernel taint
[ 454.413742][ T6889] Kernel panic - not syncing: panic_on_warn set ...
[ 454.420307][ T6889] CPU: 0 PID: 6889 Comm: kworker/0:1 Tainted: G B 5.15.0-rc6-syzkaller #0
[ 454.430088][ T6889] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 454.440129][ T6889] Workqueue: events l2cap_chan_timeout
[ 454.445580][ T6889] Call Trace:
[ 454.448844][ T6889]  dump_stack_lvl+0xcd/0x134
[ 454.453423][ T6889]  panic+0x2b0/0x6dd
[ 454.457331][ T6889]  ? __warn_printk+0xf3/0xf3
[ 454.461915][ T6889]  ? __lock_acquire+0x3d86/0x54a0
[ 454.466925][ T6889]  ? __lock_acquire+0x3d86/0x54a0
[ 454.471930][ T6889]  ? __lock_acquire+0x3d86/0x54a0
[ 454.476941][ T6889]  end_report.cold+0x63/0x6f
[ 454.481514][ T6889]  kasan_report.cold+0x71/0xdf
[ 454.486277][ T6889]  ? __lock_acquire+0x3d86/0x54a0
[ 454.491292][ T6889]  __lock_acquire+0x3d86/0x54a0
[ 454.496126][ T6889]  ? mark_lock+0xef/0x17b0
[ 454.500528][ T6889]  ? _raw_spin_unlock_irqrestore+0x3d/0x70
[ 454.506320][ T6889]  ? debug_object_assert_init+0x246/0x2e0
[ 454.512110][ T6889]  ? lockdep_hardirqs_on_prepare+0x400/0x400
[ 454.518073][ T6889]  lock_acquire+0x1ab/0x510
[ 454.522560][ T6889]  ? l2cap_sock_teardown_cb+0xa1/0x660
[ 454.528008][ T6889]  ? lock_release+0x720/0x720
[ 454.532667][ T6889]  ? mark_held_locks+0x9f/0xe0
[ 454.537413][ T6889]  ? cancel_delayed_work+0x2bd/0x340
[ 454.542692][ T6889]  lock_sock_nested+0x2f/0xf0
[ 454.547358][ T6889]  ? l2cap_sock_teardown_cb+0xa1/0x660
[ 454.552827][ T6889]  l2cap_sock_teardown_cb+0xa1/0x660
[ 454.558103][ T6889]  ? __mutex_lock+0x21c/0x12f0
[ 454.562865][ T6889]  l2cap_chan_del+0xbc/0xa80
[ 454.567451][ T6889]  l2cap_chan_close+0x1b9/0xaf0
[ 454.572311][ T6889]  ? l2cap_rx+0x1fb0/0x1fb0
[ 454.576817][ T6889]  ? lock_release+0x720/0x720
[ 454.581477][ T6889]  ? lock_downgrade+0x6e0/0x6e0
[ 454.586313][ T6889]  l2cap_chan_timeout+0x17e/0x2f0
[ 454.591320][ T6889]  process_one_work+0x9bf/0x16b0
[ 454.596243][ T6889]  ? pwq_dec_nr_in_flight+0x2a0/0x2a0
[ 454.601614][ T6889]  ? rwlock_bug.part.0+0x90/0x90
[ 454.606536][ T6889]  ? _raw_spin_lock_irq+0x41/0x50
[ 454.611548][ T6889]  worker_thread+0x658/0x11f0
[ 454.616245][ T6889]  ? process_one_work+0x16b0/0x16b0
[ 454.621437][ T6889]  kthread+0x3e5/0x4d0
[ 454.625491][ T6889]  ? set_kthread_struct+0x130/0x130
[ 454.630682][ T6889]  ret_from_fork+0x1f/0x30
[ 454.635327][ T6889] Kernel Offset: disabled
[ 454.639640][ T6889] Rebooting in 86400 seconds..
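Reading the report: the faulting context is the "events" workqueue running l2cap_chan_timeout, which reaches lock_sock_nested() through l2cap_chan_close -> l2cap_chan_del -> l2cap_sock_teardown_cb and reads 8 bytes at offset 288 of a 2048-byte kmalloc-2k object. That object was allocated by l2cap_chan_create() on the socket() path (task 10896) and already freed by l2cap_chan_put() on the close() path (task 10895), so the delayed timeout work outlived the channel it refers to; the surrounding 0xfb shadow bytes in the "Memory state" dump are KASAN's marker for freed slab memory. The example below is an added userspace model of that bug class and is not kernel code, not syzkaller output, and not the fix for this report: the log does not show which reference was missing, and the model only contrasts the racy ordering with two orderings that are safe for a refcounted object with pending delayed work. The names chan_hold/chan_put/set_timer/cancel_timer are the model's own; the kernel functions mentioned in comments (l2cap_chan_hold, which does not appear in the log, l2cap_chan_put and cancel_delayed_work, which do) are named only for orientation. "Freeing" is modelled by poisoning the object so that a later access is detected instead of being undefined behaviour.

```c
/* Added example: userspace model of "delayed work runs after its refcounted
 * object was freed".  Not kernel code; the kernel names in comments are for
 * orientation only. */
#include <assert.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define KASAN_FREED 0xfb   /* shadow value KASAN prints for freed slab bytes */

enum chan_state { CHAN_OPEN = 1, CHAN_CLOSED = 2 };
enum result { RES_OK = 0, RES_UAF = 1, RES_LEAK = 2 };

struct chan {
    int refcnt;
    bool freed;                 /* stands in for "kfree() has already run" */
    enum chan_state state;
    unsigned char body[256];    /* payload that gets poisoned on "free" */
};

/* One-slot stand-in for the "events" workqueue: a single pending timeout. */
static struct chan *pending_work;

static struct chan *chan_create(void)        /* kernel: l2cap_chan_create() */
{
    struct chan *c = calloc(1, sizeof *c);
    assert(c);
    c->refcnt = 1;                           /* the socket's reference */
    c->state = CHAN_OPEN;
    return c;
}

static void chan_hold(struct chan *c)        /* kernel: l2cap_chan_hold() */
{
    assert(!c->freed);
    c->refcnt++;
}

static void chan_put(struct chan *c)         /* kernel: l2cap_chan_put() */
{
    assert(!c->freed);
    if (--c->refcnt == 0) {
        /* Model kfree(): poison instead of free, so a later access is
         * detectable rather than undefined behaviour. */
        memset(c->body, KASAN_FREED, sizeof c->body);
        c->state = (enum chan_state)0;
        c->freed = true;
    }
}

/* Queue the timeout; with_ref decides whether the work owns a reference. */
static void set_timer(struct chan *c, bool with_ref)
{
    if (with_ref)
        chan_hold(c);
    pending_work = c;
}

/* cancel_delayed_work() analogue: true if the work was still pending. */
static bool cancel_timer(struct chan *c)
{
    if (pending_work != c)
        return false;
    pending_work = NULL;
    return true;
}

/* The kworker: run the pending timeout.  Returns true if the callback would
 * touch freed memory, which is where KASAN fires in the report above. */
static bool run_pending_work(bool work_owns_ref)
{
    struct chan *c = pending_work;
    if (!c)
        return false;
    pending_work = NULL;
    if (c->freed)
        return true;            /* use-after-free: chan freed by sock release */
    c->state = CHAN_CLOSED;     /* l2cap_chan_close / l2cap_sock_teardown_cb */
    if (work_owns_ref)
        chan_put(c);
    return false;
}

static enum result finish(struct chan *c, bool uaf)
{
    enum result r = RES_LEAK;
    if (uaf)
        r = RES_UAF;
    else if (c->freed && c->refcnt == 0)
        r = RES_OK;
    free(c);
    return r;
}

/* Ordering consistent with the report: the timeout is pending without a
 * reference, close() drops the last reference, then the kworker runs. */
enum result scenario_racy(void)
{
    struct chan *c = chan_create();
    set_timer(c, false);
    chan_put(c);                            /* l2cap_sock_release: refcnt 0 */
    return finish(c, run_pending_work(false));
}

/* Safe ordering 1: pending work owns a reference, so the object outlives the
 * socket's release and is freed by the callback's own put. */
enum result scenario_work_holds_ref(void)
{
    struct chan *c = chan_create();
    set_timer(c, true);
    chan_put(c);                            /* refcnt 2 -> 1, still alive */
    return finish(c, run_pending_work(true));
}

/* Safe ordering 2: release cancels the pending work and drops the work's
 * reference before dropping its own, so nothing runs later. */
enum result scenario_release_cancels(void)
{
    struct chan *c = chan_create();
    set_timer(c, true);
    if (cancel_timer(c))
        chan_put(c);                        /* drop the timer's reference */
    chan_put(c);                            /* socket's reference: freed */
    return finish(c, run_pending_work(true));
}

int main(void)
{
    static const char *names[] = { "ok", "use-after-free", "leak" };
    printf("racy ordering:        %s\n", names[scenario_racy()]);
    printf("work holds reference: %s\n", names[scenario_work_holds_ref()]);
    printf("release cancels work: %s\n", names[scenario_release_cancels()]);
    return 0;
}
```

The model is deliberately single-threaded: the race in the report needs a kworker and the closing task to interleave, but the ordering that matters (last put before the callback runs) can be reproduced by calling the steps in that order, which is also how such a fix is usually reasoned about when reviewing refcount and timer lifetimes.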