[ OK ] Reached target Login Prompts.
[ OK ] Reached target Multi-User System.
[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
[ OK ] Started Update UTMP about System Runlevel Changes.
Debian GNU/Linux 9 syzkaller ttyS0
syzkaller login: [ 683.317946][ T8464] cron (8464) used greatest stack depth: 22744 bytes left
Warning: Permanently added '10.128.1.109' (ECDSA) to the list of known hosts.
2021/08/31 00:31:58 parsed 1 programs
2021/08/31 00:31:58 executed programs: 0
[ 1581.436390][ T8496] chnl_net:caif_netlink_parms(): no params data found
[ 1581.510063][ T8496] bridge0: port 1(bridge_slave_0) entered blocking state
[ 1581.518735][ T8496] bridge0: port 1(bridge_slave_0) entered disabled state
[ 1581.526656][ T8496] device bridge_slave_0 entered promiscuous mode
[ 1581.536712][ T8496] bridge0: port 2(bridge_slave_1) entered blocking state
[ 1581.544587][ T8496] bridge0: port 2(bridge_slave_1) entered disabled state
[ 1581.552793][ T8496] device bridge_slave_1 entered promiscuous mode
[ 1581.584109][ T8496] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 1581.594819][ T8496] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 1581.626409][ T8496] team0: Port device team_slave_0 added
[ 1581.634042][ T8496] team0: Port device team_slave_1 added
[ 1581.659401][ T8496] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 1581.666357][ T8496] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 1581.692411][ T8496] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[ 1581.705228][ T8496] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 1581.713971][ T8496] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 1581.742052][ T8496] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[ 1581.779032][ T8496] device hsr_slave_0 entered promiscuous mode
[ 1581.786161][ T8496] device hsr_slave_1 entered promiscuous mode
[ 1581.908180][ T8496] netdevsim netdevsim0 netdevsim0: renamed from eth0
[ 1581.920058][ T8496] netdevsim netdevsim0 netdevsim1: renamed from eth1
[ 1581.929588][ T8496] netdevsim netdevsim0 netdevsim2: renamed from eth2
[ 1581.940470][ T8496] netdevsim netdevsim0 netdevsim3: renamed from eth3
[ 1581.963426][ T8496] bridge0: port 2(bridge_slave_1) entered blocking state
[ 1581.970592][ T8496] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 1581.978296][ T8496] bridge0: port 1(bridge_slave_0) entered blocking state
[ 1581.985331][ T8496] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 1582.028688][ T8496] 8021q: adding VLAN 0 to HW filter on device bond0
[ 1582.041292][ T8470] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 1582.052878][ T8470] bridge0: port 1(bridge_slave_0) entered disabled state
[ 1582.061965][ T8470] bridge0: port 2(bridge_slave_1) entered disabled state
[ 1582.071305][ T8470] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 1582.083728][ T8496] 8021q: adding VLAN 0 to HW filter on device team0
[ 1582.095990][ T2960] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 1582.104579][ T2960] bridge0: port 1(bridge_slave_0) entered blocking state
[ 1582.111706][ T2960] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 1582.122659][ T8470] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 1582.132134][ T8470] bridge0: port 2(bridge_slave_1) entered blocking state
[ 1582.139232][ T8470] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 1582.159307][ T8831] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 1582.167941][ T8831] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 1582.180223][ T8831] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 1582.195909][ T8496] hsr0: Slave A (hsr_slave_0) is not up; please bring it up to get a fully working HSR network
[ 1582.207897][ T8496] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
[ 1582.219845][ T2960] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 1582.228874][ T2960] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 1582.237324][ T2960] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 1582.254509][ T2960] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 1582.261931][ T2960] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 1582.275720][ T8496] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 1582.294892][ T8831] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 1582.314597][ T8831] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 1582.323060][ T8831] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 1582.331440][ T8831] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 1582.343375][ T8496] device veth0_vlan entered promiscuous mode
[ 1582.355375][ T8496] device veth1_vlan entered promiscuous mode
[ 1582.376412][ T2960] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan0: link becomes ready
[ 1582.385414][ T2960] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan1: link becomes ready
[ 1582.394526][ T2960] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 1582.405879][ T8496] device veth0_macvtap entered promiscuous mode
[ 1582.414589][ T2960] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready
[ 1582.425725][ T8496] device veth1_macvtap entered promiscuous mode
[ 1582.442767][ T8496] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 1582.451565][ T8661] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready
[ 1582.460973][ T8661] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 1582.474247][ T8496] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 1582.482576][ T8661] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready
[ 1582.491576][ T8661] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 1582.503455][ T8496] netdevsim netdevsim0 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0
[ 1582.513401][ T8496] netdevsim netdevsim0 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0
[ 1582.522471][ T8496] netdevsim netdevsim0 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0
[ 1582.532016][ T8496] netdevsim netdevsim0 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0
[ 1582.634344][ T120] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[ 1582.642577][ T120] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50
[ 1582.680979][ T8470] IPv6: ADDRCONF(NETDEV_CHANGE): wlan0: link becomes ready
[ 1582.696560][ T120] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[ 1582.705166][ T120] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50
[ 1582.714486][ T8470] IPv6: ADDRCONF(NETDEV_CHANGE): wlan1: link becomes ready
[ 1583.257820][ T8470] Bluetooth: hci0: command 0x0409 tx timeout
2021/08/31 00:32:03 executed programs: 3
[ 1585.346651][ T8470] Bluetooth: hci0: command 0x041b tx timeout
[ 1587.417888][ T8470] Bluetooth: hci0: command 0x040f tx timeout
[ 1589.496464][ T8661] Bluetooth: hci0: command 0x0419 tx timeout
2021/08/31 00:32:08 executed programs: 9
2021/08/31 00:32:13 executed programs: 15
2021/08/31 00:32:19 executed programs: 21
2021/08/31 00:32:24 executed programs: 27
[ 1606.936491][ T3267] ieee802154 phy0 wpan0: encryption failed: -22
[ 1606.943561][ T3267] ieee802154 phy1 wpan1: encryption failed: -22
2021/08/31 00:32:29 executed programs: 33
2021/08/31 00:32:34 executed programs: 39
2021/08/31 00:32:39 executed programs: 45
[ 1624.225629][ T8831] ==================================================================
[ 1624.233822][ T8831] BUG: KASAN: use-after-free in __lock_acquire+0x3d86/0x54a0
[ 1624.241259][ T8831] Read of size 8 at addr ffff8880161b20a0 by task kworker/0:4/8831
[ 1624.249130][ T8831]
[ 1624.251434][ T8831] CPU: 0 PID: 8831 Comm: kworker/0:4 Not tainted 5.14.0-rc7-syzkaller #0
[ 1624.259827][ T8831] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 1624.269866][ T8831] Workqueue: events l2cap_chan_timeout
[ 1624.275369][ T8831] Call Trace:
[ 1624.278631][ T8831] dump_stack_lvl+0xcd/0x134
[ 1624.283240][ T8831] print_address_description.constprop.0.cold+0x6c/0x309
[ 1624.290290][ T8831] ? __lock_acquire+0x3d86/0x54a0
[ 1624.295295][ T8831] ? __lock_acquire+0x3d86/0x54a0
[ 1624.300297][ T8831] kasan_report.cold+0x83/0xdf
[ 1624.305046][ T8831] ? __lock_acquire+0x3d86/0x54a0
[ 1624.310141][ T8831] __lock_acquire+0x3d86/0x54a0
[ 1624.314976][ T8831] ? call_rcu_zapped+0xb0/0xb0
[ 1624.319781][ T8831] ? mark_lock+0xef/0x17b0
[ 1624.324178][ T8831] ? _raw_spin_unlock_irqrestore+0x3d/0x70
[ 1624.330007][ T8831] ? lockdep_hardirqs_on_prepare+0x400/0x400
[ 1624.335969][ T8831] ? lock_chain_count+0x20/0x20
[ 1624.340800][ T8831] lock_acquire+0x1ab/0x510
[ 1624.345285][ T8831] ? lock_sock_nested+0x40/0x120
[ 1624.350248][ T8831] ? lock_release+0x720/0x720
[ 1624.354909][ T8831] ? del_timer+0xc5/0x110
[ 1624.359259][ T8831] _raw_spin_lock_bh+0x2f/0x40
[ 1624.364010][ T8831] ? lock_sock_nested+0x40/0x120
[ 1624.368931][ T8831] lock_sock_nested+0x40/0x120
[ 1624.373683][ T8831] l2cap_sock_teardown_cb+0xa1/0x660
[ 1624.378957][ T8831] l2cap_chan_del+0xbc/0xa80
[ 1624.383537][ T8831] l2cap_chan_close+0x1b9/0xaf0
[ 1624.388543][ T8831] ? l2cap_rx+0x1fb0/0x1fb0
[ 1624.393129][ T8831] ? lock_release+0x720/0x720
[ 1624.397875][ T8831] ? lock_downgrade+0x6e0/0x6e0
[ 1624.402709][ T8831] l2cap_chan_timeout+0x17e/0x2f0
[ 1624.407719][ T8831] process_one_work+0x98d/0x1630
[ 1624.412719][ T8831] ? pwq_dec_nr_in_flight+0x320/0x320
[ 1624.418089][ T8831] ? rwlock_bug.part.0+0x90/0x90
[ 1624.423008][ T8831] ? _raw_spin_lock_irq+0x41/0x50
[ 1624.428021][ T8831] worker_thread+0x658/0x11f0
[ 1624.432686][ T8831] ? process_one_work+0x1630/0x1630
[ 1624.437874][ T8831] kthread+0x3e5/0x4d0
[ 1624.441927][ T8831] ? set_kthread_struct+0x130/0x130
[ 1624.447207][ T8831] ret_from_fork+0x1f/0x30
[ 1624.451662][ T8831]
[ 1624.453970][ T8831] Allocated by task 8856:
[ 1624.458274][ T8831] kasan_save_stack+0x1b/0x40
[ 1624.462969][ T8831] __kasan_kmalloc+0xa4/0xd0
[ 1624.467539][ T8831] sk_prot_alloc+0x110/0x290
[ 1624.472144][ T8831] sk_alloc+0x32/0xbc0
[ 1624.476191][ T8831] l2cap_sock_alloc.constprop.0+0x31/0x230
[ 1624.481979][ T8831] l2cap_sock_create+0x123/0x1f0
[ 1624.486908][ T8831] bt_sock_create+0x17c/0x340
[ 1624.491613][ T8831] __sock_create+0x353/0x790
[ 1624.496200][ T8831] __sys_socket+0xef/0x200
[ 1624.500599][ T8831] __x64_sys_socket+0x6f/0xb0
[ 1624.505266][ T8831] do_syscall_64+0x35/0xb0
[ 1624.509715][ T8831] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 1624.515589][ T8831]
[ 1624.517894][ T8831] The buggy address belongs to the object at ffff8880161b2000
[ 1624.517894][ T8831] which belongs to the cache kmalloc-2k of size 2048
[ 1624.531960][ T8831] The buggy address is located 160 bytes inside of
[ 1624.531960][ T8831] 2048-byte region [ffff8880161b2000, ffff8880161b2800)
[ 1624.545475][ T8831] The buggy address belongs to the page:
[ 1624.551084][ T8831] page:ffffea0000586c00 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff8880161b7000 pfn:0x161b0
[ 1624.562610][ T8831] head:ffffea0000586c00 order:3 compound_mapcount:0 compound_pincount:0
[ 1624.570916][ T8831] flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff)
[ 1624.578967][ T8831] raw: 00fff00000010200 ffffea00008e8208 ffffea000084e808 ffff888010c42000
[ 1624.587540][ T8831] raw: ffff8880161b7000 0000000000080001 00000001ffffffff 0000000000000000
[ 1624.596102][ T8831] page dumped because: kasan: bad access detected
[ 1624.602495][ T8831] page_owner tracks the page as allocated
[ 1624.608197][ T8831] page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 8470, ts 1583429111537, free_ts 1583157245659
[ 1624.627626][ T8831] get_page_from_freelist+0xa72/0x2f80
[ 1624.633096][ T8831] __alloc_pages+0x1b2/0x500
[ 1624.637679][ T8831] alloc_pages+0x18c/0x2a0
[ 1624.642117][ T8831] allocate_slab+0x32e/0x4b0
[ 1624.646688][ T8831] ___slab_alloc+0x473/0x7b0
[ 1624.651258][ T8831] __slab_alloc.constprop.0+0xa7/0xf0
[ 1624.656610][ T8831] __kmalloc_node_track_caller+0x2e3/0x360
[ 1624.662400][ T8831] __alloc_skb+0xde/0x340
[ 1624.666716][ T8831] alloc_skb_with_frags+0x93/0x620
[ 1624.671869][ T8831] sock_alloc_send_pskb+0x783/0x910
[ 1624.677062][ T8831] mld_newpack+0x1df/0x770
[ 1624.681517][ T8831] add_grhead+0x265/0x330
[ 1624.685830][ T8831] add_grec+0x1053/0x14e0
[ 1624.690141][ T8831] mld_send_initial_cr.part.0+0xf6/0x230
[ 1624.695763][ T8831] ipv6_mc_dad_complete+0x1d0/0x690
[ 1624.700980][ T8831] addrconf_dad_completed+0xa20/0xd60
[ 1624.706460][ T8831] page last free stack trace:
[ 1624.711108][ T8831] free_pcp_prepare+0x2c5/0x780
[ 1624.715977][ T8831] free_unref_page+0x19/0x690
[ 1624.720634][ T8831] unfreeze_partials+0x16c/0x1b0
[ 1624.725573][ T8831] put_cpu_partial+0x13d/0x230
[ 1624.730328][ T8831] qlist_free_all+0x5a/0xc0
[ 1624.734839][ T8831] kasan_quarantine_reduce+0x180/0x200
[ 1624.741316][ T8831] __kasan_slab_alloc+0x95/0xb0
[ 1624.746168][ T8831] kmem_cache_alloc_trace+0x26d/0x3c0
[ 1624.752490][ T8831] nsim_fib_event_work+0xe43/0x2490
[ 1624.757733][ T8831] process_one_work+0x98d/0x1630
[ 1624.762660][ T8831] worker_thread+0x85c/0x11f0
[ 1624.767324][ T8831] kthread+0x3e5/0x4d0
[ 1624.771377][ T8831] ret_from_fork+0x1f/0x30
[ 1624.775782][ T8831]
[ 1624.778127][ T8831] Memory state around the buggy address:
[ 1624.783754][ T8831] ffff8880161b1f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 1624.791816][ T8831] ffff8880161b2000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1624.799870][ T8831] >ffff8880161b2080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1624.807992][ T8831] ^
[ 1624.813077][ T8831] ffff8880161b2100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1624.821125][ T8831] ffff8880161b2180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1624.829161][ T8831] ==================================================================
[ 1624.837199][ T8831] Disabling lock debugging due to kernel taint
[ 1624.843327][ T8831] Kernel panic - not syncing: panic_on_warn set ...
[ 1624.849895][ T8831] CPU: 0 PID: 8831 Comm: kworker/0:4 Tainted: G B 5.14.0-rc7-syzkaller #0
[ 1624.859677][ T8831] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 1624.869725][ T8831] Workqueue: events l2cap_chan_timeout
[ 1624.875432][ T8831] Call Trace:
[ 1624.878694][ T8831] dump_stack_lvl+0xcd/0x134
[ 1624.883272][ T8831] panic+0x306/0x73d
[ 1624.887179][ T8831] ? __warn_printk+0xf3/0xf3
[ 1624.891750][ T8831] ? __lock_acquire+0x3d86/0x54a0
[ 1624.896844][ T8831] ? __lock_acquire+0x3d86/0x54a0
[ 1624.901849][ T8831] ? __lock_acquire+0x3d86/0x54a0
[ 1624.906851][ T8831] end_report.cold+0x5a/0x5a
[ 1624.911424][ T8831] kasan_report.cold+0x71/0xdf
[ 1624.916170][ T8831] ? __lock_acquire+0x3d86/0x54a0
[ 1624.921175][ T8831] __lock_acquire+0x3d86/0x54a0
[ 1624.926009][ T8831] ? call_rcu_zapped+0xb0/0xb0
[ 1624.930756][ T8831] ? mark_lock+0xef/0x17b0
[ 1624.935258][ T8831] ? _raw_spin_unlock_irqrestore+0x3d/0x70
[ 1624.941049][ T8831] ? lockdep_hardirqs_on_prepare+0x400/0x400
[ 1624.947008][ T8831] ? lock_chain_count+0x20/0x20
[ 1624.951853][ T8831] lock_acquire+0x1ab/0x510
[ 1624.956337][ T8831] ? lock_sock_nested+0x40/0x120
[ 1624.961343][ T8831] ? lock_release+0x720/0x720
[ 1624.966000][ T8831] ? del_timer+0xc5/0x110
[ 1624.970312][ T8831] _raw_spin_lock_bh+0x2f/0x40
[ 1624.975062][ T8831] ? lock_sock_nested+0x40/0x120
[ 1624.979994][ T8831] lock_sock_nested+0x40/0x120
[ 1624.984740][ T8831] l2cap_sock_teardown_cb+0xa1/0x660
[ 1624.990011][ T8831] l2cap_chan_del+0xbc/0xa80
[ 1624.994589][ T8831] l2cap_chan_close+0x1b9/0xaf0
[ 1624.999437][ T8831] ? l2cap_rx+0x1fb0/0x1fb0
[ 1625.003930][ T8831] ? lock_release+0x720/0x720
[ 1625.008599][ T8831] ? lock_downgrade+0x6e0/0x6e0
[ 1625.013440][ T8831] l2cap_chan_timeout+0x17e/0x2f0
[ 1625.018459][ T8831] process_one_work+0x98d/0x1630
[ 1625.023396][ T8831] ? pwq_dec_nr_in_flight+0x320/0x320
[ 1625.028780][ T8831] ? rwlock_bug.part.0+0x90/0x90
[ 1625.033800][ T8831] ? _raw_spin_lock_irq+0x41/0x50
[ 1625.038912][ T8831] worker_thread+0x658/0x11f0
[ 1625.043586][ T8831] ? process_one_work+0x1630/0x1630
[ 1625.048768][ T8831] kthread+0x3e5/0x4d0
[ 1625.052825][ T8831] ? set_kthread_struct+0x130/0x130
[ 1625.058016][ T8831] ret_from_fork+0x1f/0x30
[ 1625.063755][ T8831] Kernel Offset: disabled
[ 1625.068068][ T8831] Rebooting in 86400 seconds..