[ OK ] Reached target Graphical Interface.
       Starting Update UTMP about System Runlevel Changes...
       Starting Load/Save RF Kill Switch Status...
[ OK ] Started Update UTMP about System Runlevel Changes.
[ OK ] Started Load/Save RF Kill Switch Status.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.0.205' (ECDSA) to the list of known hosts.
2021/09/06 11:06:42 parsed 1 programs
2021/09/06 11:06:42 executed programs: 0
syzkaller login:
[ 410.731955][ T37] audit: type=1400 audit(1630926402.809:8): avc: denied { execmem } for pid=8456 comm="syz-executor.0" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=1
[ 411.958401][ T8457] chnl_net:caif_netlink_parms(): no params data found
[ 412.038201][ T8457] bridge0: port 1(bridge_slave_0) entered blocking state
[ 412.046957][ T8457] bridge0: port 1(bridge_slave_0) entered disabled state
[ 412.055077][ T8457] device bridge_slave_0 entered promiscuous mode
[ 412.062965][ T8457] bridge0: port 2(bridge_slave_1) entered blocking state
[ 412.070332][ T8457] bridge0: port 2(bridge_slave_1) entered disabled state
[ 412.077933][ T8457] device bridge_slave_1 entered promiscuous mode
[ 412.100279][ T8457] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 412.111398][ T8457] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 412.137128][ T8457] team0: Port device team_slave_0 added
[ 412.144132][ T8457] team0: Port device team_slave_1 added
[ 412.164330][ T8457] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 412.171616][ T8457] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 412.199163][ T8457] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[ 412.211234][ T8457] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 412.218225][ T8457] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 412.244981][ T8457] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[ 412.273109][ T8457] device hsr_slave_0 entered promiscuous mode
[ 412.279915][ T8457] device hsr_slave_1 entered promiscuous mode
[ 412.365360][ T8457] netdevsim netdevsim0 netdevsim0: renamed from eth0
[ 412.374061][ T8457] netdevsim netdevsim0 netdevsim1: renamed from eth1
[ 412.383481][ T8457] netdevsim netdevsim0 netdevsim2: renamed from eth2
[ 412.393063][ T8457] netdevsim netdevsim0 netdevsim3: renamed from eth3
[ 412.412131][ T8457] bridge0: port 2(bridge_slave_1) entered blocking state
[ 412.419378][ T8457] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 412.426655][ T8457] bridge0: port 1(bridge_slave_0) entered blocking state
[ 412.433723][ T8457] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 412.466112][ T8457] 8021q: adding VLAN 0 to HW filter on device bond0
[ 412.477457][ T8584] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 412.487757][ T8584] bridge0: port 1(bridge_slave_0) entered disabled state
[ 412.496020][ T8584] bridge0: port 2(bridge_slave_1) entered disabled state
[ 412.504459][ T8584] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 412.516061][ T8457] 8021q: adding VLAN 0 to HW filter on device team0
[ 412.526523][ T8781] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 412.535227][ T8781] bridge0: port 1(bridge_slave_0) entered blocking state
[ 412.542289][ T8781] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 412.559288][ T8781] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 412.567547][ T8781] bridge0: port 2(bridge_slave_1) entered blocking state
[ 412.574737][ T8781] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 412.582764][ T8781] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 412.592486][ T8791] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 412.602617][ T4871] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 412.616370][ T8457] hsr0: Slave A (hsr_slave_0) is not up; please bring it up to get a fully working HSR network
[ 412.627233][ T8457] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
[ 412.639780][ T8791] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 412.648058][ T8791] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 412.656510][ T8791] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 412.672000][ T4871] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 412.679822][ T4871] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 412.692943][ T8457] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 412.708973][ T8791] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 412.727735][ T8457] device veth0_vlan entered promiscuous mode
[ 412.734537][ T8791] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 412.743258][ T8791] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 412.751155][ T8791] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 412.763621][ T8457] device veth1_vlan entered promiscuous mode
[ 412.780476][ T8791] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan0: link becomes ready
[ 412.788396][ T8791] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan1: link becomes ready
[ 412.796722][ T8791] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 412.807091][ T8457] device veth0_macvtap entered promiscuous mode
[ 412.816201][ T8457] device veth1_macvtap entered promiscuous mode
[ 412.836260][ T8457] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 412.843923][ T8791] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 412.853274][ T8791] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready
[ 412.865216][ T8457] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 412.872828][ T8791] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 412.883456][ T8457] netdevsim netdevsim0 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0
[ 412.892489][ T8457] netdevsim netdevsim0 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0
[ 412.901628][ T8457] netdevsim netdevsim0 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0
[ 412.910397][ T8457] netdevsim netdevsim0 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0
[ 412.960777][ T29] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[ 412.968622][ T29] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50
[ 412.992770][ T8794] IPv6: ADDRCONF(NETDEV_CHANGE): wlan0: link becomes ready
[ 413.007602][ T29] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[ 413.017235][ T29] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50
[ 413.025129][ T4871] IPv6: ADDRCONF(NETDEV_CHANGE): wlan1: link becomes ready
[ 413.859502][ T8794] Bluetooth: hci0: command 0x0409 tx timeout
[ 415.938747][ T8794] Bluetooth: hci0: command 0x041b tx timeout
2021/09/06 11:06:48 executed programs: 4
[ 418.018856][ T8584] Bluetooth: hci0: command 0x040f tx timeout
[ 420.098437][ T8584] Bluetooth: hci0: command 0x0419 tx timeout
2021/09/06 11:06:53 executed programs: 10
[ 422.178392][ T8584] Bluetooth: hci0: command 0x0405 tx timeout
2021/09/06 11:06:58 executed programs: 16
2021/09/06 11:07:03 executed programs: 22
2021/09/06 11:07:08 executed programs: 28
[ 439.698550][ T3241] ieee802154 phy0 wpan0: encryption failed: -22
[ 439.704846][ T3241] ieee802154 phy1 wpan1: encryption failed: -22
2021/09/06 11:07:14 executed programs: 34
2021/09/06 11:07:19 executed programs: 40
2021/09/06 11:07:24 executed programs: 46
2021/09/06 11:07:29 executed programs: 52
2021/09/06 11:07:34 executed programs: 58
2021/09/06 11:07:39 executed programs: 64
2021/09/06 11:07:44 executed programs: 70
[ 474.896191][ T4871] ==================================================================
[ 474.904275][ T4871] BUG: KASAN: use-after-free in do_raw_spin_lock+0x262/0x2b0
[ 474.911836][ T4871] Read of size 4 at addr ffff888017b5108c by task kworker/1:4/4871
[ 474.919809][ T4871]
[ 474.922119][ T4871] CPU: 1 PID: 4871 Comm: kworker/1:4 Not tainted 5.14.0-syzkaller #0
[ 474.930170][ T4871] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 474.940304][ T4871] Workqueue: events l2cap_chan_timeout
[ 474.945848][ T4871] Call Trace:
[ 474.949120][ T4871]  dump_stack_lvl+0xcd/0x134
[ 474.953870][ T4871]  print_address_description.constprop.0.cold+0x6c/0x2d6
[ 474.961156][ T4871]  ? do_raw_spin_lock+0x262/0x2b0
[ 474.966226][ T4871]  ? do_raw_spin_lock+0x262/0x2b0
[ 474.971332][ T4871]  kasan_report.cold+0x83/0xdf
[ 474.976092][ T4871]  ? do_raw_spin_lock+0x262/0x2b0
[ 474.981288][ T4871]  do_raw_spin_lock+0x262/0x2b0
[ 474.986319][ T4871]  ? __sanitizer_cov_trace_const_cmp1+0x22/0x80
[ 474.992615][ T4871]  ? rwlock_bug.part.0+0x90/0x90
[ 474.997545][ T4871]  lock_sock_nested+0x40/0x120
[ 475.002447][ T4871]  l2cap_sock_teardown_cb+0xa1/0x660
[ 475.007736][ T4871]  ? __mutex_lock+0x21c/0x12f0
[ 475.012532][ T4871]  l2cap_chan_del+0xbc/0xa80
[ 475.017107][ T4871]  l2cap_chan_close+0x1b9/0xaf0
[ 475.021960][ T4871]  ? l2cap_rx+0x1fb0/0x1fb0
[ 475.026552][ T4871]  ? lock_acquire+0x442/0x510
[ 475.031217][ T4871]  ? lock_release+0x720/0x720
[ 475.035877][ T4871]  ? lock_downgrade+0x6e0/0x6e0
[ 475.040708][ T4871]  l2cap_chan_timeout+0x17e/0x2f0
[ 475.045725][ T4871]  process_one_work+0x9bf/0x16b0
[ 475.050740][ T4871]  ? pwq_dec_nr_in_flight+0x2a0/0x2a0
[ 475.056107][ T4871]  ? rwlock_bug.part.0+0x90/0x90
[ 475.061035][ T4871]  worker_thread+0x658/0x11f0
[ 475.065699][ T4871]  ? process_one_work+0x16b0/0x16b0
[ 475.070979][ T4871]  kthread+0x3e5/0x4d0
[ 475.075088][ T4871]  ? set_kthread_struct+0x130/0x130
[ 475.080459][ T4871]  ret_from_fork+0x1f/0x30
[ 475.084973][ T4871]
[ 475.087274][ T4871] Allocated by task 8979:
[ 475.091584][ T4871]  kasan_save_stack+0x1b/0x40
[ 475.096315][ T4871]  __kasan_kmalloc+0xa1/0xd0
[ 475.100891][ T4871]  __kmalloc+0x214/0x4d0
[ 475.105118][ T4871]  sk_prot_alloc+0x110/0x290
[ 475.109693][ T4871]  sk_alloc+0x32/0xbc0
[ 475.113781][ T4871]  l2cap_sock_alloc.constprop.0+0x31/0x230
[ 475.119582][ T4871]  l2cap_sock_create+0x123/0x1f0
[ 475.124773][ T4871]  bt_sock_create+0x17c/0x340
[ 475.129494][ T4871]  __sock_create+0x353/0x790
[ 475.134070][ T4871]  __sys_socket+0xef/0x200
[ 475.138473][ T4871]  __x64_sys_socket+0x6f/0xb0
[ 475.143132][ T4871]  do_syscall_64+0x35/0xb0
[ 475.147554][ T4871]  entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 475.153519][ T4871]
[ 475.155825][ T4871] Freed by task 8979:
[ 475.159779][ T4871]  kasan_save_stack+0x1b/0x40
[ 475.164436][ T4871]  kasan_set_track+0x1c/0x30
[ 475.169008][ T4871]  kasan_set_free_info+0x20/0x30
[ 475.173927][ T4871]  __kasan_slab_free+0xd1/0x110
[ 475.178866][ T4871]  kfree+0x10a/0x2c0
[ 475.182750][ T4871]  __sk_destruct+0x6a8/0x900
[ 475.187332][ T4871]  sk_destruct+0xbd/0xe0
[ 475.191554][ T4871]  __sk_free+0xef/0x3d0
[ 475.195702][ T4871]  sk_free+0x78/0xa0
[ 475.199595][ T4871]  l2cap_sock_kill+0x203/0x240
[ 475.204357][ T4871]  l2cap_sock_release+0x184/0x200
[ 475.209538][ T4871]  __sock_release+0xcd/0x280
[ 475.214106][ T4871]  sock_close+0x18/0x20
[ 475.218249][ T4871]  __fput+0x288/0x9f0
[ 475.222266][ T4871]  task_work_run+0xdd/0x1a0
[ 475.226759][ T4871]  get_signal+0x1b35/0x2160
[ 475.231290][ T4871]  arch_do_signal_or_restart+0x2a9/0x1c40
[ 475.237027][ T4871]  exit_to_user_mode_prepare+0x17d/0x290
[ 475.242759][ T4871]  syscall_exit_to_user_mode+0x19/0x60
[ 475.248208][ T4871]  do_syscall_64+0x42/0xb0
[ 475.252612][ T4871]  entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 475.258534][ T4871]
[ 475.260845][ T4871] Last potentially related work creation:
[ 475.266620][ T4871]  kasan_save_stack+0x1b/0x40
[ 475.271281][ T4871]  kasan_record_aux_stack+0xa7/0xd0
[ 475.276479][ T4871]  call_rcu+0xb1/0x750
[ 475.280621][ T4871]  netlink_release+0xdd4/0x1dd0
[ 475.285526][ T4871]  __sock_release+0xcd/0x280
[ 475.290193][ T4871]  sock_close+0x18/0x20
[ 475.294359][ T4871]  __fput+0x288/0x9f0
[ 475.298323][ T4871]  task_work_run+0xdd/0x1a0
[ 475.302818][ T4871]  exit_to_user_mode_prepare+0x27e/0x290
[ 475.308442][ T4871]  syscall_exit_to_user_mode+0x19/0x60
[ 475.313885][ T4871]  do_syscall_64+0x42/0xb0
[ 475.318279][ T4871]  entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 475.324166][ T4871]
[ 475.326478][ T4871] The buggy address belongs to the object at ffff888017b51000
[ 475.326478][ T4871]  which belongs to the cache kmalloc-2k of size 2048
[ 475.340507][ T4871] The buggy address is located 140 bytes inside of
[ 475.340507][ T4871]  2048-byte region [ffff888017b51000, ffff888017b51800)
[ 475.354022][ T4871] The buggy address belongs to the page:
[ 475.359644][ T4871] page:ffffea00005ed440 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x17b51
[ 475.370042][ T4871] flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff)
[ 475.377597][ T4871] raw: 00fff00000000200 ffffea00006378c8 ffffea00005e2f08 ffff888010c40800
[ 475.386254][ T4871] raw: 0000000000000000 ffff888017b51000 0000000100000001 0000000000000000
[ 475.395258][ T4871] page dumped because: kasan: bad access detected
[ 475.401741][ T4871] page_owner tracks the page as allocated
[ 475.407442][ T4871] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2420c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_COMP|__GFP_THISNODE), pid 371, ts 9155794363, free_ts 9149260142
[ 475.425233][ T4871]  get_page_from_freelist+0xa72/0x2f80
[ 475.430747][ T4871]  __alloc_pages+0x1b2/0x500
[ 475.435340][ T4871]  cache_grow_begin+0x75/0x460
[ 475.440107][ T4871]  cache_alloc_refill+0x27f/0x380
[ 475.445201][ T4871]  __kmalloc+0x3d5/0x4d0
[ 475.449437][ T4871]  scsi_alloc_target+0x132/0xbb0
[ 475.454427][ T4871]  __scsi_scan_target+0x13a/0xdb0
[ 475.459449][ T4871]  scsi_scan_channel+0x148/0x1e0
[ 475.464377][ T4871]  scsi_scan_host_selected+0x2df/0x3b0
[ 475.470007][ T4871]  do_scsi_scan_host+0x1e8/0x260
[ 475.475068][ T4871]  do_scan_async+0x3e/0x500
[ 475.479582][ T4871]  async_run_entry_fn+0x9d/0x550
[ 475.484693][ T4871]  process_one_work+0x9bf/0x16b0
[ 475.489632][ T4871]  worker_thread+0x658/0x11f0
[ 475.494385][ T4871]  kthread+0x3e5/0x4d0
[ 475.498550][ T4871]  ret_from_fork+0x1f/0x30
[ 475.502967][ T4871] page last free stack trace:
[ 475.507706][ T4871]  free_pcp_prepare+0x2c5/0x780
[ 475.512550][ T4871]  free_unref_page+0x19/0x690
[ 475.517208][ T4871]  __mmdrop+0xcb/0x3f0
[ 475.521337][ T4871]  __mmput+0x3f1/0x4b0
[ 475.525481][ T4871]  mmput+0x58/0x60
[ 475.529249][ T4871]  free_bprm+0x65/0x2e0
[ 475.533525][ T4871]  kernel_execve+0x380/0x460
[ 475.538258][ T4871]  call_usermodehelper_exec_async+0x2e3/0x580
[ 475.544348][ T4871]  ret_from_fork+0x1f/0x30
[ 475.548757][ T4871]
[ 475.551094][ T4871] Memory state around the buggy address:
[ 475.556701][ T4871]  ffff888017b50f80: 00 00 00 00 00 00 00 00 04 fc fc fc fc fc fc fc
[ 475.564764][ T4871]  ffff888017b51000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 475.572805][ T4871] >ffff888017b51080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 475.580928][ T4871]                       ^
[ 475.585232][ T4871]  ffff888017b51100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 475.593477][ T4871]  ffff888017b51180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 475.601623][ T4871] ==================================================================
[ 475.609897][ T4871] Kernel panic - not syncing: panic_on_warn set ...
[ 475.616481][ T4871] CPU: 1 PID: 4871 Comm: kworker/1:4 Tainted: G B 5.14.0-syzkaller #0
[ 475.625939][ T4871] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 475.636099][ T4871] Workqueue: events l2cap_chan_timeout
[ 475.641655][ T4871] Call Trace:
[ 475.644922][ T4871]  dump_stack_lvl+0xcd/0x134
[ 475.649507][ T4871]  panic+0x2b0/0x6dd
[ 475.653424][ T4871]  ? __warn_printk+0xf3/0xf3
[ 475.658089][ T4871]  ? asm_sysvec_apic_timer_interrupt+0x12/0x20
[ 475.664239][ T4871]  ? trace_hardirqs_on+0x38/0x1c0
[ 475.669601][ T4871]  ? trace_hardirqs_on+0x51/0x1c0
[ 475.674641][ T4871]  ? do_raw_spin_lock+0x262/0x2b0
[ 475.679664][ T4871]  ? do_raw_spin_lock+0x262/0x2b0
[ 475.684679][ T4871]  end_report.cold+0x63/0x6f
[ 475.689279][ T4871]  kasan_report.cold+0x71/0xdf
[ 475.694054][ T4871]  ? do_raw_spin_lock+0x262/0x2b0
[ 475.699169][ T4871]  do_raw_spin_lock+0x262/0x2b0
[ 475.704010][ T4871]  ? __sanitizer_cov_trace_const_cmp1+0x22/0x80
[ 475.710340][ T4871]  ? rwlock_bug.part.0+0x90/0x90
[ 475.715357][ T4871]  lock_sock_nested+0x40/0x120
[ 475.720114][ T4871]  l2cap_sock_teardown_cb+0xa1/0x660
[ 475.725405][ T4871]  ? __mutex_lock+0x21c/0x12f0
[ 475.730160][ T4871]  l2cap_chan_del+0xbc/0xa80
[ 475.734745][ T4871]  l2cap_chan_close+0x1b9/0xaf0
[ 475.739675][ T4871]  ? l2cap_rx+0x1fb0/0x1fb0
[ 475.744258][ T4871]  ? lock_acquire+0x442/0x510
[ 475.748931][ T4871]  ? lock_release+0x720/0x720
[ 475.753783][ T4871]  ? lock_downgrade+0x6e0/0x6e0
[ 475.758635][ T4871]  l2cap_chan_timeout+0x17e/0x2f0
[ 475.763672][ T4871]  process_one_work+0x9bf/0x16b0
[ 475.768615][ T4871]  ? pwq_dec_nr_in_flight+0x2a0/0x2a0
[ 475.773982][ T4871]  ? rwlock_bug.part.0+0x90/0x90
[ 475.778912][ T4871]  worker_thread+0x658/0x11f0
[ 475.783583][ T4871]  ? process_one_work+0x16b0/0x16b0
[ 475.788970][ T4871]  kthread+0x3e5/0x4d0
[ 475.793127][ T4871]  ? set_kthread_struct+0x130/0x130
[ 475.798329][ T4871]  ret_from_fork+0x1f/0x30
[ 475.804206][ T4871] Kernel Offset: disabled
[ 475.808522][ T4871] Rebooting in 86400 seconds..
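The three stacks in the report tell the whole story: the 2048-byte object is the L2CAP socket allocated by socket() (sk_prot_alloc via l2cap_sock_alloc), it is freed by the same task's close() through l2cap_sock_kill -> sk_free, and it is then read again from a kworker running the channel's deferred timeout (l2cap_chan_timeout -> l2cap_chan_close -> l2cap_chan_del -> l2cap_sock_teardown_cb -> lock_sock_nested). The channel outlives the socket it points back to, and the delayed work dereferences that stale back pointer. The C program below is an added userspace model of that lifetime pattern and of one standard hardening (detach the back pointer at kill time, and pin the object with a reference while the work uses it). It is not kernel code and does not reproduce the kernel's actual fix; every name in it (struct sock, struct chan, sock_close, chan_timeout, run_vulnerable, run_hardened) is constructed for the illustration. A freed "sock" is poisoned and parked rather than returned to libc, so the stale access is caught by a magic check standing in for KASAN instead of being undefined behaviour.

```c
/* Added example: userspace model of the "deferred work keeps a raw back pointer"
 * lifetime bug behind the KASAN report above. Not kernel code; all names are invented.
 * Freed socks are poisoned and parked instead of returned to libc, so the stale
 * access is detected by a magic check (standing in for KASAN) rather than being UB. */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SK_MAGIC    0x5c0c5c0cu
#define SLAB_POISON 0x6b          /* same byte SLUB writes over freed objects */

struct sock {
    unsigned magic;               /* SK_MAGIC while live, poison after free */
    int refcnt;                   /* models sock_hold()/sock_put() */
    bool locked;                  /* models lock_sock()/release_sock() */
};

struct chan {
    struct sock *data;            /* raw back pointer, like chan->data in the driver */
    bool timeout_pending;         /* models the queued l2cap_chan_timeout work */
    bool hardened;                /* which teardown strategy this run uses */
};

/* Model allocator: freed socks are parked here and released for real at end of run. */
static struct sock *graveyard[8];
static int ngrave;
static int uaf_reports;           /* accesses to a poisoned sock, i.e. KASAN reports */

static struct sock *sk_alloc(void) {
    struct sock *sk = calloc(1, sizeof *sk);
    sk->magic = SK_MAGIC;
    sk->refcnt = 1;
    return sk;
}

static void sock_hold(struct sock *sk) { sk->refcnt++; }

static void sock_put(struct sock *sk) {
    if (--sk->refcnt > 0)
        return;
    memset(sk, SLAB_POISON, sizeof *sk);   /* __sk_free(): the object is gone */
    graveyard[ngrave++] = sk;
}

/* lock_sock() on a freed object is the 4-byte read KASAN flagged in do_raw_spin_lock(). */
static bool lock_sock(struct sock *sk) {
    if (sk->magic != SK_MAGIC) { uaf_reports++; return false; }
    sk->locked = true;
    return true;
}
static void release_sock(struct sock *sk) { sk->locked = false; }

/* The timeout work. Vulnerable variant trusts chan->data unconditionally; hardened
 * variant bails if the socket was detached and pins it with a reference while in use. */
static void chan_timeout(struct chan *c) {
    struct sock *sk = c->data;
    c->timeout_pending = false;
    if (c->hardened) {
        if (!sk) return;          /* socket already torn down: nothing to lock */
        sock_hold(sk);
    }
    if (lock_sock(sk))
        release_sock(sk);
    if (c->hardened)
        sock_put(sk);
}

/* close(): vulnerable variant drops the last reference with the work still queued;
 * hardened variant first detaches the socket from the channel. */
static void sock_close(struct chan *c) {
    struct sock *sk = c->data;
    if (c->hardened)
        c->data = NULL;           /* done under the channel lock in real code */
    sock_put(sk);
}

static int run(bool hardened) {
    struct chan c = { .data = sk_alloc(), .timeout_pending = true, .hardened = hardened };
    uaf_reports = 0;
    sock_close(&c);               /* task 8979: close() -> l2cap_sock_kill -> sk_free */
    if (c.timeout_pending)
        chan_timeout(&c);         /* kworker: l2cap_chan_timeout -> teardown -> lock_sock */
    while (ngrave)
        free(graveyard[--ngrave]);
    return uaf_reports;
}

int run_vulnerable(void) { return run(false); }   /* returns 1: stale lock_sock() */
int run_hardened(void)   { return run(true);  }   /* returns 0: no access after free */

int main(void) {
    printf("vulnerable run: %d stale access(es)\n", run_vulnerable());
    printf("hardened run:   %d stale access(es)\n", run_hardened());
    return 0;
}
```

The model is single-threaded, which is the one place it is kinder than the kernel: in the real race the close path and the workqueue run concurrently, so clearing the back pointer and taking the reference in the work must both happen under the same channel lock, and the alternative of cancelling the delayed work synchronously before the last sock_put() only works if the cancel is not itself called from that work.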