[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
[ OK ] Started Update UTMP about System Runlevel Changes.
Starting Load/Save RF Kill Switch Status...
[ OK ] Started Load/Save RF Kill Switch Status.
Debian GNU/Linux 9 syzkaller ttyS0
Warning: Permanently added '10.128.0.170' (ECDSA) to the list of known hosts.
2021/01/09 04:10:08 parsed 1 programs
2021/01/09 04:10:08 executed programs: 0
syzkaller login: [ 1587.321589] IPVS: ftp: loaded support on port[0] = 21
[ 1587.414025] chnl_net:caif_netlink_parms(): no params data found
[ 1587.529043] bridge0: port 1(bridge_slave_0) entered blocking state
[ 1587.535691] bridge0: port 1(bridge_slave_0) entered disabled state
[ 1587.543262] device bridge_slave_0 entered promiscuous mode
[ 1587.550748] bridge0: port 2(bridge_slave_1) entered blocking state
[ 1587.557172] bridge0: port 2(bridge_slave_1) entered disabled state
[ 1587.564001] device bridge_slave_1 entered promiscuous mode
[ 1587.579540] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 1587.588217] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 1587.605014] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 1587.612282] team0: Port device team_slave_0 added
[ 1587.617763] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 1587.624902] team0: Port device team_slave_1 added
[ 1587.639287] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 1587.645507] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 1587.670739] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[ 1587.681721] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 1587.688015] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 1587.713208] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[ 1587.723864] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[ 1587.731444] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[ 1587.748592] device hsr_slave_0 entered promiscuous mode
[ 1587.754135] device hsr_slave_1 entered promiscuous mode
[ 1587.760176] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready
[ 1587.767141] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_1: link is not ready
[ 1587.823049] bridge0: port 2(bridge_slave_1) entered blocking state
[ 1587.829447] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 1587.836244] bridge0: port 1(bridge_slave_0) entered blocking state
[ 1587.842578] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 1587.868563] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[ 1587.874608] 8021q: adding VLAN 0 to HW filter on device bond0
[ 1587.882650] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 1587.890977] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 1587.909933] bridge0: port 1(bridge_slave_0) entered disabled state
[ 1587.916936] bridge0: port 2(bridge_slave_1) entered disabled state
[ 1587.925433] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready
[ 1587.931984] 8021q: adding VLAN 0 to HW filter on device team0
[ 1587.940019] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 1587.947723] bridge0: port 1(bridge_slave_0) entered blocking state
[ 1587.954052] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 1587.963221] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 1587.971136] bridge0: port 2(bridge_slave_1) entered blocking state
[ 1587.977621] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 1587.995445] hsr0: Slave A (hsr_slave_0) is not up; please bring it up to get a fully working HSR network
[ 1588.005330] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
[ 1588.016472] IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready
[ 1588.023403] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 1588.031128] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 1588.038806] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 1588.046476] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 1588.053806] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 1588.060754] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 1588.071948] IPv6: ADDRCONF(NETDEV_UP): vxcan0: link is not ready
[ 1588.079832] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 1588.086661] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 1588.095523] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 1588.141159] IPv6: ADDRCONF(NETDEV_UP): veth0_virt_wifi: link is not ready
[ 1588.150075] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 1588.176791] IPv6: ADDRCONF(NETDEV_UP): veth0_vlan: link is not ready
[ 1588.183639] IPv6: ADDRCONF(NETDEV_UP): vlan0: link is not ready
[ 1588.191400] IPv6: ADDRCONF(NETDEV_UP): vlan1: link is not ready
[ 1588.200801] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 1588.208530] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 1588.215317] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 1588.224100] device veth0_vlan entered promiscuous mode
[ 1588.232171] device veth1_vlan entered promiscuous mode
[ 1588.238106] IPv6: ADDRCONF(NETDEV_UP): macvlan0: link is not ready
[ 1588.246325] IPv6: ADDRCONF(NETDEV_UP): macvlan1: link is not ready
[ 1588.256957] IPv6: ADDRCONF(NETDEV_UP): veth0_macvtap: link is not ready
[ 1588.265445] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan0: link becomes ready
[ 1588.273107] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan1: link becomes ready
[ 1588.280375] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 1588.288942] device veth0_macvtap entered promiscuous mode
[ 1588.294877] IPv6: ADDRCONF(NETDEV_UP): macvtap0: link is not ready
[ 1588.303502] device veth1_macvtap entered promiscuous mode
[ 1588.311770] IPv6: ADDRCONF(NETDEV_UP): veth0_to_batadv: link is not ready
[ 1588.320519] IPv6: ADDRCONF(NETDEV_UP): veth1_to_batadv: link is not ready
[ 1588.330001] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 1588.337075] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 1588.345152] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready
[ 1588.354236] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 1588.361224] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 1588.405969] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 1589.366472] Bluetooth: hci0 command 0x0409 tx timeout
[ 1591.455604] Bluetooth: hci0 command 0x041b tx timeout
2021/01/09 04:10:13 executed programs: 4
[ 1593.525783] Bluetooth: hci0 command 0x040f tx timeout
[ 1595.605277] Bluetooth: hci0 command 0x0419 tx timeout
2021/01/09 04:10:18 executed programs: 10
[ 1597.685147] Bluetooth: hci0 command 0x0405 tx timeout
2021/01/09 04:10:24 executed programs: 16
2021/01/09 04:10:29 executed programs: 22
2021/01/09 04:10:34 executed programs: 28
2021/01/09 04:10:39 executed programs: 34
2021/01/09 04:10:44 executed programs: 40
2021/01/09 04:10:49 executed programs: 46
2021/01/09 04:10:54 executed programs: 52
[ 1632.323521] ==================================================================
[ 1632.330898] BUG: KASAN: use-after-free in __lock_acquire+0x2c57/0x3f20
[ 1632.337532] Read of size 8 at addr ffff8880abf2e960 by task kworker/1:3/8207
[ 1632.344835]
[ 1632.346439] CPU: 1 PID: 8207 Comm: kworker/1:3 Not tainted 4.14.213-syzkaller #0
[ 1632.353941] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 1632.363452] Workqueue: events l2cap_chan_timeout
[ 1632.368186] Call Trace:
[ 1632.370834]  dump_stack+0x1b2/0x283
[ 1632.374458]  print_address_description.cold+0x54/0x1d3
[ 1632.379715]  kasan_report_error.cold+0x8a/0x194
[ 1632.384375]  ? __lock_acquire+0x2c57/0x3f20
[ 1632.388688]  __asan_report_load8_noabort+0x68/0x70
[ 1632.393595]  ? __lock_acquire+0x2c57/0x3f20
[ 1632.397887]  __lock_acquire+0x2c57/0x3f20
[ 1632.402007]  ? lock_acquire+0x170/0x3f0
[ 1632.405954]  ? lock_downgrade+0x740/0x740
[ 1632.410072]  ? trace_hardirqs_on+0x10/0x10
[ 1632.414277]  ? debug_object_assert_init+0x22d/0x2d0
[ 1632.419259]  ? debug_object_active_state+0x330/0x330
[ 1632.424356]  ? ret_from_fork+0x24/0x30
[ 1632.428221]  ? add_lock_to_list.constprop.0+0x17d/0x330
[ 1632.433560]  ? save_trace+0xd6/0x290
[ 1632.437258]  lock_acquire+0x170/0x3f0
[ 1632.441034]  ? lock_sock_nested+0x39/0x100
[ 1632.445244]  _raw_spin_lock_bh+0x2f/0x40
[ 1632.449279]  ? lock_sock_nested+0x39/0x100
[ 1632.453488]  lock_sock_nested+0x39/0x100
[ 1632.457524]  l2cap_sock_teardown_cb+0x93/0x650
[ 1632.462074]  l2cap_chan_del+0xaf/0x950
[ 1632.465941]  l2cap_chan_close+0x103/0x870
[ 1632.470076]  ? __set_monitor_timer+0x1d0/0x1d0
[ 1632.474626]  ? lock_acquire+0x170/0x3f0
[ 1632.478570]  l2cap_chan_timeout+0x143/0x2a0
[ 1632.482872]  process_one_work+0x793/0x14a0
[ 1632.487083]  ? work_busy+0x320/0x320
[ 1632.490768]  ? worker_thread+0x158/0xff0
[ 1632.494951]  ? _raw_spin_unlock_irq+0x24/0x80
[ 1632.499418]  worker_thread+0x5cc/0xff0
[ 1632.503284]  ? rescuer_thread+0xc80/0xc80
[ 1632.507412]  kthread+0x30d/0x420
[ 1632.510750]  ? kthread_create_on_node+0xd0/0xd0
[ 1632.515388]  ret_from_fork+0x24/0x30
[ 1632.519069]
[ 1632.520673] Allocated by task 8271:
[ 1632.524274]  kasan_kmalloc+0xeb/0x160
[ 1632.528049]  __kmalloc+0x15a/0x400
[ 1632.531575]  sk_prot_alloc+0x1ba/0x290
[ 1632.535432]  sk_alloc+0x36/0xcd0
[ 1632.538768]  l2cap_sock_alloc.constprop.0+0x31/0x210
[ 1632.543876]  l2cap_sock_create+0xf0/0x1a0
[ 1632.547997]  bt_sock_create+0x13b/0x280
[ 1632.551943]  __sock_create+0x303/0x620
[ 1632.555828]  SyS_socket+0xd1/0x1b0
[ 1632.559338]  do_syscall_64+0x1d5/0x640
[ 1632.563203]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 1632.568369]
[ 1632.569970] Freed by task 8270:
[ 1632.573235]  kasan_slab_free+0xc3/0x1a0
[ 1632.577183]  kfree+0xc9/0x250
[ 1632.580261]  __sk_destruct+0x5e3/0x760
[ 1632.584123]  __sk_free+0xd9/0x2d0
[ 1632.587547]  sk_free+0x2b/0x40
[ 1632.590709]  l2cap_sock_kill.part.0+0x106/0x130
[ 1632.595348]  l2cap_sock_release+0x1cd/0x280
[ 1632.599638]  __sock_release+0xcd/0x2b0
[ 1632.603493]  sock_close+0x15/0x20
[ 1632.606932]  __fput+0x25f/0x7a0
[ 1632.610182]  task_work_run+0x11f/0x190
[ 1632.614043]  get_signal+0x18a3/0x1ca0
[ 1632.617813]  do_signal+0x7c/0x1550
[ 1632.621327]  exit_to_usermode_loop+0x160/0x200
[ 1632.625884]  do_syscall_64+0x4a3/0x640
[ 1632.629840]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 1632.634995]
[ 1632.636592] The buggy address belongs to the object at ffff8880abf2e8c0
[ 1632.636592]  which belongs to the cache kmalloc-2048 of size 2048
[ 1632.649400] The buggy address is located 160 bytes inside of
[ 1632.649400]  2048-byte region [ffff8880abf2e8c0, ffff8880abf2f0c0)
[ 1632.661328] The buggy address belongs to the page:
[ 1632.666231] page:ffffea0002afcb80 count:1 mapcount:0 mapping:ffff8880abf2e040 index:0x0 compound_mapcount: 0
[ 1632.676175] flags: 0xfff00000008100(slab|head)
[ 1632.680729] raw: 00fff00000008100 ffff8880abf2e040 0000000000000000 0000000100000003
[ 1632.688580] raw: ffffea0002ad1820 ffffea0002af6ea0 ffff88813fe80c40 0000000000000000
[ 1632.696428] page dumped because: kasan: bad access detected
[ 1632.702106]
[ 1632.703705] Memory state around the buggy address:
[ 1632.708604]  ffff8880abf2e800: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 1632.715934]  ffff8880abf2e880: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 1632.723264] >ffff8880abf2e900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1632.730605]                                                        ^
[ 1632.737170]  ffff8880abf2e980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1632.744497]  ffff8880abf2ea00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1632.751824] ==================================================================
[ 1632.759151] Disabling lock debugging due to kernel taint
[ 1632.764568] Kernel panic - not syncing: panic_on_warn set ...
[ 1632.764568]
[ 1632.771904] CPU: 1 PID: 8207 Comm: kworker/1:3 Tainted: G B 4.14.213-syzkaller #0
[ 1632.780622] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 1632.789971] Workqueue: events l2cap_chan_timeout
[ 1632.794696] Call Trace:
[ 1632.797258]  dump_stack+0x1b2/0x283
[ 1632.800855]  panic+0x1f9/0x42d
[ 1632.804040]  ? add_taint.cold+0x16/0x16
[ 1632.807985]  ? lock_downgrade+0x740/0x740
[ 1632.812101]  kasan_end_report+0x43/0x49
[ 1632.816046]  kasan_report_error.cold+0xa7/0x194
[ 1632.820686]  ? __lock_acquire+0x2c57/0x3f20
[ 1632.824977]  __asan_report_load8_noabort+0x68/0x70
[ 1632.829878]  ? __lock_acquire+0x2c57/0x3f20
[ 1632.834172]  __lock_acquire+0x2c57/0x3f20
[ 1632.838288]  ? lock_acquire+0x170/0x3f0
[ 1632.842229]  ? lock_downgrade+0x740/0x740
[ 1632.846350]  ? trace_hardirqs_on+0x10/0x10
[ 1632.850558]  ? debug_object_assert_init+0x22d/0x2d0
[ 1632.855550]  ? debug_object_active_state+0x330/0x330
[ 1632.860623]  ? ret_from_fork+0x24/0x30
[ 1632.864482]  ? add_lock_to_list.constprop.0+0x17d/0x330
[ 1632.869814]  ? save_trace+0xd6/0x290
[ 1632.873510]  lock_acquire+0x170/0x3f0
[ 1632.877281]  ? lock_sock_nested+0x39/0x100
[ 1632.881488]  _raw_spin_lock_bh+0x2f/0x40
[ 1632.885521]  ? lock_sock_nested+0x39/0x100
[ 1632.889831]  lock_sock_nested+0x39/0x100
[ 1632.893864]  l2cap_sock_teardown_cb+0x93/0x650
[ 1632.898423]  l2cap_chan_del+0xaf/0x950
[ 1632.902286]  l2cap_chan_close+0x103/0x870
[ 1632.906405]  ? __set_monitor_timer+0x1d0/0x1d0
[ 1632.910957]  ? lock_acquire+0x170/0x3f0
[ 1632.914902]  l2cap_chan_timeout+0x143/0x2a0
[ 1632.919194]  process_one_work+0x793/0x14a0
[ 1632.923402]  ? work_busy+0x320/0x320
[ 1632.927084]  ? worker_thread+0x158/0xff0
[ 1632.931113]  ? _raw_spin_unlock_irq+0x24/0x80
[ 1632.935578]  worker_thread+0x5cc/0xff0
[ 1632.939435]  ? rescuer_thread+0xc80/0xc80
[ 1632.943554]  kthread+0x30d/0x420
[ 1632.946906]  ? kthread_create_on_node+0xd0/0xd0
[ 1632.951568]  ret_from_fork+0x24/0x30
[ 1632.955782] Kernel Offset: disabled
[ 1632.959394] Rebooting in 86400 seconds..