Warning: Permanently added '10.128.1.3' (ECDSA) to the list of known hosts.
2021/05/28 23:31:37 parsed 1 programs
2021/05/28 23:31:37 executed programs: 0
syzkaller login:
[ 1576.972473] IPVS: ftp: loaded support on port[0] = 21
[ 1577.073270] chnl_net:caif_netlink_parms(): no params data found
[ 1577.188698] bridge0: port 1(bridge_slave_0) entered blocking state
[ 1577.196144] bridge0: port 1(bridge_slave_0) entered disabled state
[ 1577.205494] device bridge_slave_0 entered promiscuous mode
[ 1577.214223] bridge0: port 2(bridge_slave_1) entered blocking state
[ 1577.221120] bridge0: port 2(bridge_slave_1) entered disabled state
[ 1577.228313] device bridge_slave_1 entered promiscuous mode
[ 1577.247025] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 1577.256852] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 1577.276748] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 1577.285374] team0: Port device team_slave_0 added
[ 1577.292321] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 1577.300868] team0: Port device team_slave_1 added
[ 1577.318181] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 1577.324780] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 1577.350615] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[ 1577.362333] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 1577.369280] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 1577.396104] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[ 1577.406850] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[ 1577.415122] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[ 1577.435249] device hsr_slave_0 entered promiscuous mode
[ 1577.441063] device hsr_slave_1 entered promiscuous mode
[ 1577.447277] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready
[ 1577.454877] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_1: link is not ready
[ 1577.523186] bridge0: port 2(bridge_slave_1) entered blocking state
[ 1577.529760] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 1577.537600] bridge0: port 1(bridge_slave_0) entered blocking state
[ 1577.544154] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 1577.576551] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[ 1577.584202] 8021q: adding VLAN 0 to HW filter on device bond0
[ 1577.593249] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 1577.603517] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 1577.613191] bridge0: port 1(bridge_slave_0) entered disabled state
[ 1577.621773] bridge0: port 2(bridge_slave_1) entered disabled state
[ 1577.628966] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 1577.640544] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready
[ 1577.647565] 8021q: adding VLAN 0 to HW filter on device team0
[ 1577.658383] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 1577.667009] bridge0: port 1(bridge_slave_0) entered blocking state
[ 1577.674018] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 1577.684497] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 1577.693415] bridge0: port 2(bridge_slave_1) entered blocking state
[ 1577.699847] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 1577.715087] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 1577.723587] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 1577.734163] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 1577.745499] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 1577.757759] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
[ 1577.769784] IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready
[ 1577.775993] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 1577.784226] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 1577.797209] IPv6: ADDRCONF(NETDEV_UP): vxcan0: link is not ready
[ 1577.806554] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 1577.813799] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 1577.825292] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 1577.839666] IPv6: ADDRCONF(NETDEV_UP): veth0_virt_wifi: link is not ready
[ 1577.849287] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 1577.882457] IPv6: ADDRCONF(NETDEV_UP): veth0_vlan: link is not ready
[ 1577.890814] IPv6: ADDRCONF(NETDEV_UP): vlan0: link is not ready
[ 1577.897777] IPv6: ADDRCONF(NETDEV_UP): vlan1: link is not ready
[ 1577.908166] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 1577.916399] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 1577.924025] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 1577.933382] device veth0_vlan entered promiscuous mode
[ 1577.943953] device veth1_vlan entered promiscuous mode
[ 1577.950687] IPv6: ADDRCONF(NETDEV_UP): macvlan0: link is not ready
[ 1577.961550] IPv6: ADDRCONF(NETDEV_UP): macvlan1: link is not ready
[ 1577.973589] IPv6: ADDRCONF(NETDEV_UP): veth0_macvtap: link is not ready
[ 1577.982916] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan0: link becomes ready
[ 1577.991316] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan1: link becomes ready
[ 1578.000842] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 1578.011965] device veth0_macvtap entered promiscuous mode
[ 1578.018610] IPv6: ADDRCONF(NETDEV_UP): macvtap0: link is not ready
[ 1578.027766] device veth1_macvtap entered promiscuous mode
[ 1578.038620] IPv6: ADDRCONF(NETDEV_UP): veth0_to_batadv: link is not ready
[ 1578.048384] IPv6: ADDRCONF(NETDEV_UP): veth1_to_batadv: link is not ready
[ 1578.058749] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 1578.066775] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 1578.076063] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready
[ 1578.085871] IPv6: ADDRCONF(NETDEV_UP): batadv_slave_1: link is not ready
[ 1578.093094] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 1578.100680] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready
[ 1578.108494] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 1578.229713] IPv6: ADDRCONF(NETDEV_UP): wlan0: link is not ready
[ 1578.236876] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[ 1578.246050] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50
[ 1578.254783] IPv6: ADDRCONF(NETDEV_CHANGE): wlan0: link becomes ready
[ 1578.277586] IPv6: ADDRCONF(NETDEV_UP): wlan1: link is not ready
[ 1578.284964] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[ 1578.294037] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50
[ 1578.301675] IPv6: ADDRCONF(NETDEV_CHANGE): wlan1: link becomes ready
[ 1579.000181] Bluetooth: hci0: command 0x0409 tx timeout
2021/05/28 23:31:42 executed programs: 108
[ 1581.079431] Bluetooth: hci0: command 0x041b tx timeout
[ 1583.149717] Bluetooth: hci0: command 0x040f tx timeout
[ 1585.229287] Bluetooth: hci0: command 0x0419 tx timeout
2021/05/28 23:31:47 executed programs: 319
[ 1587.309888] Bluetooth: hci0: command 0x0405 tx timeout
2021/05/28 23:31:52 executed programs: 537
2021/05/28 23:31:57 executed programs: 777
2021/05/28 23:32:02 executed programs: 995
2021/05/28 23:32:07 executed programs: 1222
[ 1608.432109] ieee802154 phy0 wpan0: encryption failed: -22
[ 1608.437958] ieee802154 phy1 wpan1: encryption failed: -22
2021/05/28 23:32:12 executed programs: 1429
2021/05/28 23:32:17 executed programs: 1644
2021/05/28 23:32:22 executed programs: 1866
2021/05/28 23:32:27 executed programs: 2092
2021/05/28 23:32:32 executed programs: 2301
2021/05/28 23:32:37 executed programs: 2515
2021/05/28 23:32:42 executed programs: 2745
2021/05/28 23:32:47 executed programs: 3046
2021/05/28 23:32:52 executed programs: 3510
2021/05/28 23:32:57 executed programs: 3986
2021/05/28 23:33:02 executed programs: 4448
2021/05/28 23:33:07 executed programs: 4939
[ 1669.875531] ieee802154 phy0 wpan0: encryption failed: -22
[ 1669.881316] ieee802154 phy1 wpan1: encryption failed: -22
2021/05/28 23:33:12 executed programs: 5403
2021/05/28 23:33:17 executed programs: 5883
2021/05/28 23:33:22 executed programs: 6354
2021/05/28 23:33:27 executed programs: 6842
2021/05/28 23:33:32 executed programs: 7325
2021/05/28 23:33:37 executed programs: 7792
2021/05/28 23:33:42 executed programs: 8235
[ 1702.669559] Bluetooth: hci0: command 0x0406 tx timeout
2021/05/28 23:33:47 executed programs: 8710
[ 1706.359862] ==================================================================
[ 1706.367489] BUG: KASAN: use-after-free in __lock_acquire+0x2cb4/0x3ff0
[ 1706.374263] Read of size 8 at addr ffff8880af084220 by task kworker/0:0/8154
[ 1706.381464]
[ 1706.383094] CPU: 0 PID: 8154 Comm: kworker/0:0 Not tainted 4.19.192-syzkaller #0
[ 1706.390622] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 1706.399988] Workqueue: events l2cap_chan_timeout
[ 1706.404734] Call Trace:
[ 1706.407323]  dump_stack+0x1fc/0x2ef
[ 1706.411057]  print_address_description.cold+0x54/0x219
[ 1706.416349]  kasan_report_error.cold+0x8a/0x1b9
[ 1706.421128]  ? __lock_acquire+0x2cb4/0x3ff0
[ 1706.425450]  __asan_report_load8_noabort+0x88/0x90
[ 1706.430399]  ? __lock_acquire+0x2cb4/0x3ff0
[ 1706.434854]  __lock_acquire+0x2cb4/0x3ff0
[ 1706.439055]  ? __save_stack_trace+0x9f/0x190
[ 1706.443465]  ? mark_held_locks+0xf0/0xf0
[ 1706.447524]  ? mark_held_locks+0xf0/0xf0
[ 1706.451609]  ? add_lock_to_list.constprop.0+0x17d/0x330
[ 1706.457167]  ? save_trace+0xd6/0x290
[ 1706.460885]  lock_acquire+0x170/0x3c0
[ 1706.464771]  ? lock_sock_nested+0x3b/0x110
[ 1706.469004]  _raw_spin_lock_bh+0x2f/0x40
[ 1706.473066]  ? lock_sock_nested+0x3b/0x110
[ 1706.477306]  lock_sock_nested+0x3b/0x110
[ 1706.481938]  l2cap_sock_teardown_cb+0xa0/0x6d0
[ 1706.486553]  ? trace_hardirqs_off+0x64/0x200
[ 1706.490965]  l2cap_chan_close+0x377/0x950
[ 1706.495108]  ? __set_monitor_timer+0x200/0x200
[ 1706.499715]  ? check_preemption_disabled+0x41/0x280
[ 1706.504742]  l2cap_chan_timeout+0x17e/0x2f0
[ 1706.509567]  process_one_work+0x864/0x1570
[ 1706.513809]  ? pwq_dec_nr_in_flight+0x2d0/0x2d0
[ 1706.518492]  worker_thread+0x64c/0x1130
[ 1706.522472]  ? __kthread_parkme+0x133/0x1e0
[ 1706.527076]  ? process_one_work+0x1570/0x1570
[ 1706.531649]  kthread+0x33f/0x460
[ 1706.535021]  ? kthread_park+0x180/0x180
[ 1706.539090]  ret_from_fork+0x24/0x30
[ 1706.542801]
[ 1706.544521] Allocated by task 3625:
[ 1706.548168]  __kmalloc+0x15a/0x3c0
[ 1706.551710]  sk_prot_alloc+0x1e2/0x2d0
[ 1706.555685]  sk_alloc+0x36/0xec0
[ 1706.559047]  __netlink_create+0x63/0x270
[ 1706.563309]  netlink_create+0x3a1/0x5d0
[ 1706.567364]  __sock_create+0x3d8/0x740
[ 1706.571248]  __sys_socket+0xef/0x200
[ 1706.575235]  __x64_sys_socket+0x6f/0xb0
[ 1706.579388]  do_syscall_64+0xf9/0x620
[ 1706.583297]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 1706.588560]
[ 1706.590200] Freed by task 3633:
[ 1706.593481]  kfree+0xcc/0x210
[ 1706.596602]  __sk_destruct+0x684/0x8a0
[ 1706.600838]  __sk_free+0x165/0x3b0
[ 1706.604493]  sk_free+0x3b/0x50
[ 1706.607875]  deferred_put_nlk_sk+0x10d/0x280
[ 1706.612449]  rcu_process_callbacks+0x8ff/0x18b0
[ 1706.617117]  __do_softirq+0x265/0x980
[ 1706.620994]
[ 1706.622618] The buggy address belongs to the object at ffff8880af084180
[ 1706.622618]  which belongs to the cache kmalloc-2048 of size 2048
[ 1706.635924] The buggy address is located 160 bytes inside of
[ 1706.635924]  2048-byte region [ffff8880af084180, ffff8880af084980)
[ 1706.648402] The buggy address belongs to the page:
[ 1706.653419] page:ffffea0002bc2100 count:1 mapcount:0 mapping:ffff88813bff0c40 index:0x0 compound_mapcount: 0
[ 1706.663473] flags: 0xfff00000008100(slab|head)
[ 1706.668055] raw: 00fff00000008100 ffffea0002d6dd08 ffffea0002a91988 ffff88813bff0c40
[ 1706.675939] raw: 0000000000000000 ffff8880af084180 0000000100000003 0000000000000000
[ 1706.684333] page dumped because: kasan: bad access detected
[ 1706.690034]
[ 1706.691707] Memory state around the buggy address:
[ 1706.696724]  ffff8880af084100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 1706.704506]  ffff8880af084180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1706.711945] >ffff8880af084200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1706.719571]                                ^
[ 1706.723975]  ffff8880af084280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1706.731415]  ffff8880af084300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1706.738865] ==================================================================
[ 1706.746227] Disabling lock debugging due to kernel taint
[ 1706.751814] Kernel panic - not syncing: panic_on_warn set ...
[ 1706.751814]
[ 1706.759898] CPU: 0 PID: 8154 Comm: kworker/0:0 Tainted: G B 4.19.192-syzkaller #0
[ 1706.769195] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 1706.779168] Workqueue: events l2cap_chan_timeout
[ 1706.784468] Call Trace:
[ 1706.787175]  dump_stack+0x1fc/0x2ef
[ 1706.791006]  panic+0x26a/0x50e
[ 1706.794199]  ? __warn_printk+0xf3/0xf3
[ 1706.798171]  ? lock_downgrade+0x720/0x720
[ 1706.802417]  ? print_shadow_for_address+0xb8/0x114
[ 1706.807541]  ? trace_hardirqs_off+0x64/0x200
[ 1706.812454]  kasan_end_report+0x43/0x49
[ 1706.816511]  kasan_report_error.cold+0xa7/0x1b9
[ 1706.821311]  ? __lock_acquire+0x2cb4/0x3ff0
[ 1706.825745]  __asan_report_load8_noabort+0x88/0x90
[ 1706.831339]  ? __lock_acquire+0x2cb4/0x3ff0
[ 1706.836052]  __lock_acquire+0x2cb4/0x3ff0
[ 1706.840303]  ? __save_stack_trace+0x9f/0x190
[ 1706.845188]  ? mark_held_locks+0xf0/0xf0
[ 1706.849367]  ? mark_held_locks+0xf0/0xf0
[ 1706.853522]  ? add_lock_to_list.constprop.0+0x17d/0x330
[ 1706.858971]  ? save_trace+0xd6/0x290
[ 1706.862689]  lock_acquire+0x170/0x3c0
[ 1706.866515]  ? lock_sock_nested+0x3b/0x110
[ 1706.870934]  _raw_spin_lock_bh+0x2f/0x40
[ 1706.875088]  ? lock_sock_nested+0x3b/0x110
[ 1706.879339]  lock_sock_nested+0x3b/0x110
[ 1706.883407]  l2cap_sock_teardown_cb+0xa0/0x6d0
[ 1706.888088]  ? trace_hardirqs_off+0x64/0x200
[ 1706.892685]  l2cap_chan_close+0x377/0x950
[ 1706.896943]  ? __set_monitor_timer+0x200/0x200
[ 1706.901789]  ? check_preemption_disabled+0x41/0x280
[ 1706.906922]  l2cap_chan_timeout+0x17e/0x2f0
[ 1706.911361]  process_one_work+0x864/0x1570
[ 1706.915999]  ? pwq_dec_nr_in_flight+0x2d0/0x2d0
[ 1706.920677]  worker_thread+0x64c/0x1130
[ 1706.924654]  ? __kthread_parkme+0x133/0x1e0
[ 1706.929060]  ? process_one_work+0x1570/0x1570
[ 1706.933564]  kthread+0x33f/0x460
[ 1706.937039]  ? kthread_park+0x180/0x180
[ 1706.941306]  ret_from_fork+0x24/0x30
[ 1706.946252] Kernel Offset: disabled
[ 1706.950008] Rebooting in 86400 seconds..