Warning: Permanently added '10.128.0.184' (ECDSA) to the list of known hosts.
2021/08/20 21:07:27 parsed 1 programs
2021/08/20 21:07:27 executed programs: 0
[ 410.450043][ T6581] chnl_net:caif_netlink_parms(): no params data found
[ 410.493053][ T6581] bridge0: port 1(bridge_slave_0) entered blocking state
[ 410.500513][ T6581] bridge0: port 1(bridge_slave_0) entered disabled state
[ 410.509029][ T6581] device bridge_slave_0 entered promiscuous mode
[ 410.517624][ T6581] bridge0: port 2(bridge_slave_1) entered blocking state
[ 410.525132][ T6581] bridge0: port 2(bridge_slave_1) entered disabled state
[ 410.533667][ T6581] device bridge_slave_1 entered promiscuous mode
[ 410.554736][ T6581] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 410.565285][ T6581] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 410.587186][ T6581] team0: Port device team_slave_0 added
[ 410.593896][ T6581] team0: Port device team_slave_1 added
[ 410.612759][ T6581] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 410.619716][ T6581] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 410.645626][ T6581] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[ 410.657065][ T6581] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 410.664049][ T6581] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 410.690279][ T6581] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[ 410.716642][ T6581] device hsr_slave_0 entered promiscuous mode
[ 410.723704][ T6581] device hsr_slave_1 entered promiscuous mode
[ 410.794787][ T6581] netdevsim netdevsim0 netdevsim0: renamed from eth0
[ 410.804540][ T6581] netdevsim netdevsim0 netdevsim1: renamed from eth1
[ 410.813417][ T6581] netdevsim netdevsim0 netdevsim2: renamed from eth2
[ 410.821534][ T6581] netdevsim netdevsim0 netdevsim3: renamed from eth3
[ 410.839155][ T6581] bridge0: port 2(bridge_slave_1) entered blocking state
[ 410.846196][ T6581] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 410.853495][ T6581] bridge0: port 1(bridge_slave_0) entered blocking state
[ 410.860535][ T6581] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 410.888476][ T6581] 8021q: adding VLAN 0 to HW filter on device bond0
[ 410.900144][ T6745] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 410.908953][ T6745] bridge0: port 1(bridge_slave_0) entered disabled state
[ 410.917230][ T6745] bridge0: port 2(bridge_slave_1) entered disabled state
[ 410.925521][ T6745] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 410.936044][ T6581] 8021q: adding VLAN 0 to HW filter on device team0
[ 410.945652][ T6904] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 410.953904][ T6904] bridge0: port 1(bridge_slave_0) entered blocking state
[ 410.960917][ T6904] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 410.971928][ T6904] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 410.980116][ T6904] bridge0: port 2(bridge_slave_1) entered blocking state
[ 410.987164][ T6904] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 411.001312][ T6745] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 411.009607][ T6745] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 411.019969][ T6914] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 411.030259][ T6915] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 411.041403][ T6581] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
[ 411.052763][ T6581] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 411.060358][ T6914] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 411.074538][ T6915] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 411.082172][ T6915] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 411.093751][ T6581] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 411.109321][ T6915] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 411.124793][ T6915] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 411.132970][ T6915] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 411.140405][ T6915] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 411.150772][ T6581] device veth0_vlan entered promiscuous mode
[ 411.160625][ T6581] device veth1_vlan entered promiscuous mode
[ 411.176909][ T6914] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan0: link becomes ready
[ 411.184979][ T6914] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan1: link becomes ready
[ 411.192965][ T6914] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 411.203795][ T6581] device veth0_macvtap entered promiscuous mode
[ 411.213325][ T6581] device veth1_macvtap entered promiscuous mode
[ 411.227196][ T6581] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 411.234597][ T6915] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 411.244035][ T6915] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready
[ 411.254777][ T6581] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 411.262142][ T6915] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 411.273327][ T6581] netdevsim netdevsim0 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0
[ 411.282479][ T6581] netdevsim netdevsim0 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0
[ 411.291154][ T6581] netdevsim netdevsim0 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0
[ 411.300475][ T6581] netdevsim netdevsim0 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0
[ 411.346456][ T1098] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[ 411.357255][ T1098] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50
[ 411.378297][ T6915] IPv6: ADDRCONF(NETDEV_CHANGE): wlan0: link becomes ready
[ 411.389854][ T1098] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[ 411.398962][ T1098] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50
[ 411.407734][ T6904] IPv6: ADDRCONF(NETDEV_CHANGE): wlan1: link becomes ready
[ 412.372301][ T6904] Bluetooth: hci0: command 0x0409 tx timeout
[ 414.441637][ T6914] Bluetooth: hci0: command 0x041b tx timeout
2021/08/20 21:07:33 executed programs: 4
[ 416.522176][ T6914] Bluetooth: hci0: command 0x040f tx timeout
[ 418.601411][ T6914] Bluetooth: hci0: command 0x0419 tx timeout
2021/08/20 21:07:38 executed programs: 10
[ 420.681326][ T1051] Bluetooth: hci0: command 0x0405 tx timeout
2021/08/20 21:07:43 executed programs: 16
2021/08/20 21:07:48 executed programs: 22
2021/08/20 21:07:53 executed programs: 28
[ 439.641150][ T1361] ieee802154 phy0 wpan0: encryption failed: -22
[ 439.647515][ T1361] ieee802154 phy1 wpan1: encryption failed: -22
2021/08/20 21:07:58 executed programs: 34
2021/08/20 21:08:03 executed programs: 40
2021/08/20 21:08:08 executed programs: 46
2021/08/20 21:08:14 executed programs: 52
[ 460.119494][ T6915] ==================================================================
[ 460.127613][ T6915] BUG: KASAN: use-after-free in do_raw_spin_lock+0x262/0x2b0
[ 460.135081][ T6915] Read of size 4 at addr ffff88802589a08c by task kworker/0:2/6915
[ 460.142950][ T6915]
[ 460.145308][ T6915] CPU: 0 PID: 6915 Comm: kworker/0:2 Not tainted 5.14.0-rc6-next-20210820-syzkaller #0
[ 460.154965][ T6915] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 460.165005][ T6915] Workqueue: events l2cap_chan_timeout
[ 460.170550][ T6915] Call Trace:
[ 460.173814][ T6915] dump_stack_lvl+0xcd/0x134
[ 460.178433][ T6915] print_address_description.constprop.0.cold+0x6c/0x309
[ 460.185452][ T6915] ? do_raw_spin_lock+0x262/0x2b0
[ 460.190507][ T6915] ? do_raw_spin_lock+0x262/0x2b0
[ 460.195515][ T6915] kasan_report.cold+0x83/0xdf
[ 460.200324][ T6915] ? do_raw_spin_lock+0x262/0x2b0
[ 460.205335][ T6915] do_raw_spin_lock+0x262/0x2b0
[ 460.210173][ T6915] ? try_to_grab_pending.part.0+0x47/0x780
[ 460.216015][ T6915] ? rwlock_bug.part.0+0x90/0x90
[ 460.220943][ T6915] lock_sock_nested+0x40/0x120
[ 460.225735][ T6915] l2cap_sock_teardown_cb+0xa1/0x660
[ 460.231049][ T6915] l2cap_chan_del+0xbc/0xa80
[ 460.235641][ T6915] ? l2cap_chan_timeout+0xb9/0x2f0
[ 460.240736][ T6915] l2cap_chan_close+0x1ba/0xaf0
[ 460.245570][ T6915] ? mutex_lock_io_nested+0x1160/0x1160
[ 460.251171][ T6915] ? l2cap_rx+0x1fb0/0x1fb0
[ 460.255652][ T6915] ? lock_acquire+0x442/0x510
[ 460.260309][ T6915] ? lock_release+0x720/0x720
[ 460.264968][ T6915] ? process_one_work+0x8b5/0x16b0
[ 460.270109][ T6915] ? lock_downgrade+0x6e0/0x6e0
[ 460.274955][ T6915] l2cap_chan_timeout+0x182/0x2f0
[ 460.280153][ T6915] process_one_work+0x9c9/0x16b0
[ 460.285089][ T6915] ? pwq_dec_nr_in_flight+0x2b0/0x2b0
[ 460.290459][ T6915] ? rwlock_bug.part.0+0x90/0x90
[ 460.295485][ T6915] worker_thread+0x65b/0x1200
[ 460.300140][ T6915] ? io_schedule_timeout+0x140/0x140
[ 460.305437][ T6915] ? process_one_work+0x16b0/0x16b0
[ 460.310635][ T6915] kthread+0x3e5/0x4d0
[ 460.314742][ T6915] ? set_kthread_struct+0x130/0x130
[ 460.319921][ T6915] ? _raw_spin_unlock_irq+0x1f/0x40
[ 460.325107][ T6915] ? set_kthread_struct+0x130/0x130
[ 460.330298][ T6915] ret_from_fork+0x1f/0x30
[ 460.334717][ T6915]
[ 460.337028][ T6915] Allocated by task 6997:
[ 460.341334][ T6915] kasan_save_stack+0x1b/0x40
[ 460.346053][ T6915] __kasan_kmalloc+0xa8/0xe0
[ 460.350639][ T6915] sk_prot_alloc+0x114/0x2a0
[ 460.355211][ T6915] sk_alloc+0x36/0xbe0
[ 460.359262][ T6915] l2cap_sock_alloc.constprop.0+0x35/0x230
[ 460.365051][ T6915] l2cap_sock_create+0x127/0x1f0
[ 460.369987][ T6915] bt_sock_create+0x180/0x350
[ 460.374774][ T6915] __sock_create+0x35f/0x7a0
[ 460.379380][ T6915] __sys_socket+0xef/0x200
[ 460.383789][ T6915] __x64_sys_socket+0x6f/0xb0
[ 460.388448][ T6915] do_syscall_64+0x39/0xb0
[ 460.392962][ T6915] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 460.398838][ T6915]
[ 460.401140][ T6915] Freed by task 6998:
[ 460.405106][ T6915] kasan_save_stack+0x1b/0x40
[ 460.409777][ T6915] kasan_set_track+0x1c/0x30
[ 460.414359][ T6915] kasan_set_free_info+0x20/0x30
[ 460.419277][ T6915] __kasan_slab_free+0x103/0x140
[ 460.424199][ T6915] slab_free_freelist_hook+0x85/0x190
[ 460.429654][ T6915] kfree+0xea/0x540
[ 460.433446][ T6915] __sk_destruct+0x6b0/0x910
[ 460.438114][ T6915] sk_destruct+0xbd/0xe0
[ 460.442339][ T6915] __sk_free+0xef/0x3d0
[ 460.446500][ T6915] sk_free+0x78/0xa0
[ 460.450379][ T6915] l2cap_sock_kill+0x20b/0x250
[ 460.455150][ T6915] l2cap_sock_release+0x184/0x200
[ 460.460176][ T6915] __sock_release+0xcd/0x280
[ 460.464750][ T6915] sock_close+0x18/0x20
[ 460.468885][ T6915] __fput+0x288/0x9f0
[ 460.472909][ T6915] task_work_run+0xdd/0x1a0
[ 460.477403][ T6915] get_signal+0x1b45/0x2170
[ 460.481940][ T6915] arch_do_signal_or_restart+0x2a9/0x1c40
[ 460.487764][ T6915] exit_to_user_mode_prepare+0x17d/0x290
[ 460.493417][ T6915] syscall_exit_to_user_mode+0x19/0x60
[ 460.498998][ T6915] do_syscall_64+0x46/0xb0
[ 460.503408][ T6915] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 460.509330][ T6915]
[ 460.511634][ T6915] The buggy address belongs to the object at ffff88802589a000
[ 460.511634][ T6915] which belongs to the cache kmalloc-2k of size 2048
[ 460.525662][ T6915] The buggy address is located 140 bytes inside of
[ 460.525662][ T6915] 2048-byte region [ffff88802589a000, ffff88802589a800)
[ 460.539104][ T6915] The buggy address belongs to the page:
[ 460.544708][ T6915] page:ffffea0000962600 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x25898
[ 460.554848][ T6915] head:ffffea0000962600 order:3 compound_mapcount:0 compound_pincount:0
[ 460.563147][ T6915] flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff)
[ 460.571111][ T6915] raw: 00fff00000010200 0000000000000000 dead000000000122 ffff888010c42000
[ 460.579672][ T6915] raw: 0000000000000000 0000000000080008 00000001ffffffff 0000000000000000
[ 460.588227][ T6915] page dumped because: kasan: bad access detected
[ 460.594613][ T6915] page_owner tracks the page as allocated
[ 460.600305][ T6915] page last allocated via order 3, migratetype Unmovable, gfp_mask 0x52a20(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 6991, ts 419076735007, free_ts 418277860080
[ 460.617472][ T6915] get_page_from_freelist+0xa76/0x2f90
[ 460.622952][ T6915] __alloc_pages+0x1ba/0x510
[ 460.627524][ T6915] alloc_pages+0x1a7/0x300
[ 460.631918][ T6915] new_slab+0x321/0x490
[ 460.636058][ T6915] ___slab_alloc+0x937/0x1000
[ 460.640737][ T6915] __slab_alloc.constprop.0+0x51/0xa0
[ 460.646088][ T6915] kmem_cache_alloc_trace+0x307/0x3c0
[ 460.651449][ T6915] l2cap_chan_create+0x44/0x570
[ 460.656304][ T6915] l2cap_sock_alloc.constprop.0+0x189/0x230
[ 460.662200][ T6915] l2cap_sock_create+0x127/0x1f0
[ 460.667124][ T6915] bt_sock_create+0x180/0x350
[ 460.671779][ T6915] __sock_create+0x35f/0x7a0
[ 460.676353][ T6915] __sys_socket+0xef/0x200
[ 460.680933][ T6915] __x64_sys_socket+0x6f/0xb0
[ 460.685610][ T6915] do_syscall_64+0x39/0xb0
[ 460.690019][ T6915] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 460.695898][ T6915] page last free stack trace:
[ 460.700565][ T6915] free_pcp_prepare+0x377/0x860
[ 460.705411][ T6915] free_unref_page+0x19/0x690
[ 460.710082][ T6915] __unfreeze_partials+0x184/0x1a0
[ 460.715176][ T6915] qlist_free_all+0x5a/0xd0
[ 460.719660][ T6915] kasan_quarantine_reduce+0x185/0x210
[ 460.725113][ T6915] __kasan_slab_alloc+0xa1/0xc0
[ 460.729962][ T6915] __kmalloc+0x1e7/0x320
[ 460.734195][ T6915] tomoyo_realpath_from_path+0xc3/0x620
[ 460.739785][ T6915] tomoyo_path_perm+0x21f/0x410
[ 460.744619][ T6915] security_inode_getattr+0xd3/0x150
[ 460.749935][ T6915] vfs_statx+0x164/0x390
[ 460.754200][ T6915] __do_sys_newlstat+0x91/0x110
[ 460.759031][ T6915] do_syscall_64+0x39/0xb0
[ 460.763440][ T6915] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 460.769315][ T6915]
[ 460.771616][ T6915] Memory state around the buggy address:
[ 460.777219][ T6915] ffff888025899f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 460.785257][ T6915] ffff88802589a000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 460.793296][ T6915] >ffff88802589a080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 460.801327][ T6915] ^
[ 460.805638][ T6915] ffff88802589a100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 460.813676][ T6915] ffff88802589a180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 460.821728][ T6915] ==================================================================
[ 460.829833][ T6915] Kernel panic - not syncing: panic_on_warn set ...
[ 460.836411][ T6915] CPU: 0 PID: 6915 Comm: kworker/0:2 Tainted: G B 5.14.0-rc6-next-20210820-syzkaller #0
[ 460.847431][ T6915] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 460.857491][ T6915] Workqueue: events l2cap_chan_timeout
[ 460.862962][ T6915] Call Trace:
[ 460.866235][ T6915] dump_stack_lvl+0xcd/0x134
[ 460.870833][ T6915] panic+0x2af/0x6d5
[ 460.874754][ T6915] ? __warn_printk+0xf0/0xf0
[ 460.879324][ T6915] ? do_raw_spin_lock+0x262/0x2b0
[ 460.884332][ T6915] ? trace_hardirqs_on+0x38/0x1c0
[ 460.889376][ T6915] ? trace_hardirqs_on+0x51/0x1c0
[ 460.894395][ T6915] ? do_raw_spin_lock+0x262/0x2b0
[ 460.899420][ T6915] ? do_raw_spin_lock+0x262/0x2b0
[ 460.904435][ T6915] end_report.cold+0x63/0x6f
[ 460.909009][ T6915] kasan_report.cold+0x71/0xdf
[ 460.913754][ T6915] ? do_raw_spin_lock+0x262/0x2b0
[ 460.918762][ T6915] do_raw_spin_lock+0x262/0x2b0
[ 460.923593][ T6915] ? try_to_grab_pending.part.0+0x47/0x780
[ 460.929382][ T6915] ? rwlock_bug.part.0+0x90/0x90
[ 460.934311][ T6915] lock_sock_nested+0x40/0x120
[ 460.939060][ T6915] l2cap_sock_teardown_cb+0xa1/0x660
[ 460.944333][ T6915] l2cap_chan_del+0xbc/0xa80
[ 460.948915][ T6915] ? l2cap_chan_timeout+0xb9/0x2f0
[ 460.954028][ T6915] l2cap_chan_close+0x1ba/0xaf0
[ 460.958859][ T6915] ? mutex_lock_io_nested+0x1160/0x1160
[ 460.964382][ T6915] ? l2cap_rx+0x1fb0/0x1fb0
[ 460.968871][ T6915] ? lock_acquire+0x442/0x510
[ 460.973528][ T6915] ? lock_release+0x720/0x720
[ 460.978185][ T6915] ? process_one_work+0x8b5/0x16b0
[ 460.983280][ T6915] ? lock_downgrade+0x6e0/0x6e0
[ 460.988113][ T6915] l2cap_chan_timeout+0x182/0x2f0
[ 460.993125][ T6915] process_one_work+0x9c9/0x16b0
[ 460.998061][ T6915] ? pwq_dec_nr_in_flight+0x2b0/0x2b0
[ 461.003419][ T6915] ? rwlock_bug.part.0+0x90/0x90
[ 461.008344][ T6915] worker_thread+0x65b/0x1200
[ 461.013261][ T6915] ? io_schedule_timeout+0x140/0x140
[ 461.018550][ T6915] ? process_one_work+0x16b0/0x16b0
[ 461.023739][ T6915] kthread+0x3e5/0x4d0
[ 461.027801][ T6915] ? set_kthread_struct+0x130/0x130
[ 461.032978][ T6915] ? _raw_spin_unlock_irq+0x1f/0x40
[ 461.038157][ T6915] ? set_kthread_struct+0x130/0x130
[ 461.043369][ T6915] ret_from_fork+0x1f/0x30
[ 461.048990][ T6915] Kernel Offset: disabled
[ 461.053299][ T6915] Rebooting in 86400 seconds..