Warning: Permanently added '10.128.0.165' (ECDSA) to the list of known hosts.
2021/08/23 09:29:56 parsed 1 programs
2021/08/23 09:29:56 executed programs: 0
[ 1581.237761][ T6538] chnl_net:caif_netlink_parms(): no params data found
[ 1581.301087][ T6538] bridge0: port 1(bridge_slave_0) entered blocking state
[ 1581.309565][ T6538] bridge0: port 1(bridge_slave_0) entered disabled state
[ 1581.318391][ T6538] device bridge_slave_0 entered promiscuous mode
[ 1581.326286][ T6538] bridge0: port 2(bridge_slave_1) entered blocking state
[ 1581.334255][ T6538] bridge0: port 2(bridge_slave_1) entered disabled state
[ 1581.342397][ T6538] device bridge_slave_1 entered promiscuous mode
[ 1581.364424][ T6538] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 1581.374820][ T6538] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 1581.400098][ T6538] team0: Port device team_slave_0 added
[ 1581.407310][ T6538] team0: Port device team_slave_1 added
[ 1581.426400][ T6538] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 1581.433779][ T6538] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 1581.459970][ T6538] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[ 1581.473080][ T6538] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 1581.480025][ T6538] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 1581.506020][ T6538] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[ 1581.533343][ T6538] device hsr_slave_0 entered promiscuous mode
[ 1581.539805][ T6538] device hsr_slave_1 entered promiscuous mode
[ 1581.612086][ T6538] netdevsim netdevsim0 netdevsim0: renamed from eth0
[ 1581.620524][ T6538] netdevsim netdevsim0 netdevsim1: renamed from eth1
[ 1581.629967][ T6538] netdevsim netdevsim0 netdevsim2: renamed from eth2
[ 1581.640063][ T6538] netdevsim netdevsim0 netdevsim3: renamed from eth3
[ 1581.657487][ T6538] bridge0: port 2(bridge_slave_1) entered blocking state
[ 1581.664744][ T6538] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 1581.672025][ T6538] bridge0: port 1(bridge_slave_0) entered blocking state
[ 1581.679170][ T6538] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 1581.708402][ T6538] 8021q: adding VLAN 0 to HW filter on device bond0
[ 1581.719417][ T6513] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 1581.728387][ T6513] bridge0: port 1(bridge_slave_0) entered disabled state
[ 1581.736870][ T6513] bridge0: port 2(bridge_slave_1) entered disabled state
[ 1581.745459][ T6513] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 1581.756849][ T6538] 8021q: adding VLAN 0 to HW filter on device team0
[ 1581.766481][ T6513] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 1581.775207][ T6513] bridge0: port 1(bridge_slave_0) entered blocking state
[ 1581.782373][ T6513] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 1581.794038][ T6513] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 1581.802421][ T6513] bridge0: port 2(bridge_slave_1) entered blocking state
[ 1581.809488][ T6513] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 1581.830201][ T6538] hsr0: Slave A (hsr_slave_0) is not up; please bring it up to get a fully working HSR network
[ 1581.840961][ T6538] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
[ 1581.854610][ T6703] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 1581.864035][ T6703] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 1581.872591][ T6703] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 1581.880694][ T6703] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 1581.897509][ T6538] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 1581.906841][ T6872] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 1581.914455][ T6872] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 1581.922438][ T6872] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 1581.930123][ T6872] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 1581.952512][ T6703] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 1581.963056][ T6704] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 1581.973100][ T6704] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 1581.980817][ T6704] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 1581.990315][ T6538] device veth0_vlan entered promiscuous mode
[ 1582.000778][ T6538] device veth1_vlan entered promiscuous mode
[ 1582.019341][ T6538] device veth0_macvtap entered promiscuous mode
[ 1582.026429][ T6872] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan0: link becomes ready
[ 1582.034644][ T6872] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan1: link becomes ready
[ 1582.043515][ T6872] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 1582.052149][ T6872] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready
[ 1582.062252][ T6538] device veth1_macvtap entered promiscuous mode
[ 1582.076296][ T6538] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 1582.083751][ T6872] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 1582.096184][ T6538] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 1582.104563][ T6703] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 1582.115092][ T6538] netdevsim netdevsim0 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0
[ 1582.124194][ T6538] netdevsim netdevsim0 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0
[ 1582.132943][ T6538] netdevsim netdevsim0 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0
[ 1582.141896][ T6538] netdevsim netdevsim0 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0
[ 1582.201086][ T6642] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[ 1582.210396][ T6642] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50
[ 1582.229308][    T8] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[ 1582.229883][ T6704] IPv6: ADDRCONF(NETDEV_CHANGE): wlan0: link becomes ready
[ 1582.238740][    T8] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50
[ 1582.255076][ T6513] IPv6: ADDRCONF(NETDEV_CHANGE): wlan1: link becomes ready
[ 1583.172224][ T6513] Bluetooth: hci0: command 0x0409 tx timeout
[ 1585.251219][ T6513] Bluetooth: hci0: command 0x041b tx timeout
2021/08/23 09:30:01 executed programs: 4
[ 1587.331286][ T6703] Bluetooth: hci0: command 0x040f tx timeout
[ 1589.410968][ T6513] Bluetooth: hci0: command 0x0419 tx timeout
2021/08/23 09:30:06 executed programs: 10
[ 1591.490807][ T6513] Bluetooth: hci0: command 0x0405 tx timeout
2021/08/23 09:30:12 executed programs: 16
2021/08/23 09:30:17 executed programs: 22
2021/08/23 09:30:22 executed programs: 28
[ 1607.010439][ T1358] ieee802154 phy0 wpan0: encryption failed: -22
[ 1607.016745][ T1358] ieee802154 phy1 wpan1: encryption failed: -22
2021/08/23 09:30:27 executed programs: 34
2021/08/23 09:30:32 executed programs: 40
2021/08/23 09:30:37 executed programs: 46
2021/08/23 09:30:42 executed programs: 52
[ 1626.848364][ T2979] ==================================================================
[ 1626.856652][ T2979] BUG: KASAN: use-after-free in do_raw_spin_lock+0x262/0x2b0
[ 1626.864291][ T2979] Read of size 4 at addr ffff88801e1a808c by task kworker/1:4/2979
[ 1626.872193][ T2979]
[ 1626.874505][ T2979] CPU: 1 PID: 2979 Comm: kworker/1:4 Not tainted 5.14.0-rc6-next-20210820-syzkaller #0
[ 1626.884135][ T2979] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 1626.894555][ T2979] Workqueue: events l2cap_chan_timeout
[ 1626.900264][ T2979] Call Trace:
[ 1626.903533][ T2979]  dump_stack_lvl+0xcd/0x134
[ 1626.908128][ T2979]  print_address_description.constprop.0.cold+0x6c/0x309
[ 1626.915662][ T2979]  ? do_raw_spin_lock+0x262/0x2b0
[ 1626.920729][ T2979]  ? do_raw_spin_lock+0x262/0x2b0
[ 1626.925836][ T2979]  kasan_report.cold+0x83/0xdf
[ 1626.930686][ T2979]  ? do_raw_spin_lock+0x262/0x2b0
[ 1626.935702][ T2979]  do_raw_spin_lock+0x262/0x2b0
[ 1626.940539][ T2979]  ? try_to_grab_pending.part.0+0x47/0x780
[ 1626.946384][ T2979]  ? rwlock_bug.part.0+0x90/0x90
[ 1626.951309][ T2979]  lock_sock_nested+0x40/0x120
[ 1626.956251][ T2979]  l2cap_sock_teardown_cb+0xa1/0x660
[ 1626.961532][ T2979]  l2cap_chan_del+0xbc/0xa80
[ 1626.966119][ T2979]  ? l2cap_chan_timeout+0xb9/0x2f0
[ 1626.971255][ T2979]  l2cap_chan_close+0x1ba/0xaf0
[ 1626.976115][ T2979]  ? mutex_lock_io_nested+0x1160/0x1160
[ 1626.981746][ T2979]  ? l2cap_rx+0x1fb0/0x1fb0
[ 1626.986234][ T2979]  ? lock_acquire+0x442/0x510
[ 1626.990926][ T2979]  ? lock_release+0x720/0x720
[ 1626.995878][ T2979]  ? process_one_work+0x8b5/0x16b0
[ 1627.001338][ T2979]  ? lock_downgrade+0x6e0/0x6e0
[ 1627.006194][ T2979]  l2cap_chan_timeout+0x182/0x2f0
[ 1627.011226][ T2979]  process_one_work+0x9c9/0x16b0
[ 1627.016158][ T2979]  ? pwq_dec_nr_in_flight+0x2b0/0x2b0
[ 1627.021517][ T2979]  ? rwlock_bug.part.0+0x90/0x90
[ 1627.026443][ T2979]  worker_thread+0x65b/0x1200
[ 1627.031124][ T2979]  ? process_one_work+0x16b0/0x16b0
[ 1627.036308][ T2979]  kthread+0x3e5/0x4d0
[ 1627.040427][ T2979]  ? set_kthread_struct+0x130/0x130
[ 1627.045882][ T2979]  ret_from_fork+0x1f/0x30
[ 1627.050306][ T2979]
[ 1627.052618][ T2979] Allocated by task 6922:
[ 1627.056923][ T2979]  kasan_save_stack+0x1b/0x40
[ 1627.061663][ T2979]  __kasan_kmalloc+0xa8/0xe0
[ 1627.066331][ T2979]  sk_prot_alloc+0x114/0x2a0
[ 1627.070991][ T2979]  sk_alloc+0x36/0xbe0
[ 1627.075051][ T2979]  l2cap_sock_alloc.constprop.0+0x35/0x230
[ 1627.080875][ T2979]  l2cap_sock_create+0x127/0x1f0
[ 1627.085811][ T2979]  bt_sock_create+0x180/0x350
[ 1627.090570][ T2979]  __sock_create+0x35f/0x7a0
[ 1627.095374][ T2979]  __sys_socket+0xef/0x200
[ 1627.099864][ T2979]  __x64_sys_socket+0x6f/0xb0
[ 1627.104536][ T2979]  do_syscall_64+0x39/0xb0
[ 1627.109030][ T2979]  entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 1627.114907][ T2979]
[ 1627.117220][ T2979] Freed by task 6921:
[ 1627.121195][ T2979]  kasan_save_stack+0x1b/0x40
[ 1627.125880][ T2979]  kasan_set_track+0x1c/0x30
[ 1627.130479][ T2979]  kasan_set_free_info+0x20/0x30
[ 1627.135415][ T2979]  __kasan_slab_free+0x103/0x140
[ 1627.140338][ T2979]  slab_free_freelist_hook+0x85/0x190
[ 1627.145782][ T2979]  kfree+0xea/0x540
[ 1627.149586][ T2979]  __sk_destruct+0x6b0/0x910
[ 1627.154247][ T2979]  sk_destruct+0xbd/0xe0
[ 1627.158490][ T2979]  __sk_free+0xef/0x3d0
[ 1627.162714][ T2979]  sk_free+0x78/0xa0
[ 1627.166618][ T2979]  l2cap_sock_kill+0x20b/0x250
[ 1627.171368][ T2979]  l2cap_sock_release+0x184/0x200
[ 1627.176381][ T2979]  __sock_release+0xcd/0x280
[ 1627.180989][ T2979]  sock_close+0x18/0x20
[ 1627.185219][ T2979]  __fput+0x288/0x9f0
[ 1627.189243][ T2979]  task_work_run+0xdd/0x1a0
[ 1627.193818][ T2979]  get_signal+0x1b45/0x2170
[ 1627.198407][ T2979]  arch_do_signal_or_restart+0x2a9/0x1c40
[ 1627.204358][ T2979]  exit_to_user_mode_prepare+0x17d/0x290
[ 1627.210013][ T2979]  syscall_exit_to_user_mode+0x19/0x60
[ 1627.215799][ T2979]  do_syscall_64+0x46/0xb0
[ 1627.220397][ T2979]  entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 1627.226472][ T2979]
[ 1627.228787][ T2979] The buggy address belongs to the object at ffff88801e1a8000
[ 1627.228787][ T2979]  which belongs to the cache kmalloc-2k of size 2048
[ 1627.243444][ T2979] The buggy address is located 140 bytes inside of
[ 1627.243444][ T2979]  2048-byte region [ffff88801e1a8000, ffff88801e1a8800)
[ 1627.256815][ T2979] The buggy address belongs to the page:
[ 1627.262688][ T2979] page:ffffea0000786a00 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1e1a8
[ 1627.272960][ T2979] head:ffffea0000786a00 order:3 compound_mapcount:0 compound_pincount:0
[ 1627.281405][ T2979] flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff)
[ 1627.289507][ T2979] raw: 00fff00000010200 0000000000000000 dead000000000122 ffff888010c42000
[ 1627.298275][ T2979] raw: 0000000000000000 0000000000080008 00000001ffffffff 0000000000000000
[ 1627.307376][ T2979] page dumped because: kasan: bad access detected
[ 1627.313780][ T2979] page_owner tracks the page as allocated
[ 1627.319474][ T2979] page last allocated via order 3, migratetype Unmovable, gfp_mask 0x52a20(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 6922, ts 1586511989518, free_ts 1585704948033
[ 1627.337104][ T2979]  get_page_from_freelist+0xa76/0x2f90
[ 1627.342587][ T2979]  __alloc_pages+0x1ba/0x510
[ 1627.347284][ T2979]  alloc_pages+0x1a7/0x300
[ 1627.351700][ T2979]  new_slab+0x321/0x490
[ 1627.355855][ T2979]  ___slab_alloc+0x937/0x1000
[ 1627.360528][ T2979]  __slab_alloc.constprop.0+0x51/0xa0
[ 1627.365892][ T2979]  __kmalloc+0x305/0x320
[ 1627.370129][ T2979]  sk_prot_alloc+0x114/0x2a0
[ 1627.374870][ T2979]  sk_alloc+0x36/0xbe0
[ 1627.378936][ T2979]  l2cap_sock_alloc.constprop.0+0x35/0x230
[ 1627.384747][ T2979]  l2cap_sock_create+0x127/0x1f0
[ 1627.389682][ T2979]  bt_sock_create+0x180/0x350
[ 1627.394351][ T2979]  __sock_create+0x35f/0x7a0
[ 1627.399039][ T2979]  __sys_socket+0xef/0x200
[ 1627.403617][ T2979]  __x64_sys_socket+0x6f/0xb0
[ 1627.408413][ T2979]  do_syscall_64+0x39/0xb0
[ 1627.412819][ T2979] page last free stack trace:
[ 1627.417608][ T2979]  free_pcp_prepare+0x377/0x860
[ 1627.422631][ T2979]  free_unref_page+0x19/0x690
[ 1627.428021][ T2979]  __unfreeze_partials+0x184/0x1a0
[ 1627.433319][ T2979]  qlist_free_all+0x5a/0xd0
[ 1627.437825][ T2979]  kasan_quarantine_reduce+0x185/0x210
[ 1627.443281][ T2979]  __kasan_slab_alloc+0xa1/0xc0
[ 1627.448174][ T2979]  kmem_cache_alloc_trace+0x265/0x3c0
[ 1627.453561][ T2979]  kernfs_fop_open+0x2ca/0xd50
[ 1627.458424][ T2979]  do_dentry_open+0x4c8/0x11d0
[ 1627.463226][ T2979]  path_openat+0x1cbe/0x28b0
[ 1627.468008][ T2979]  do_filp_open+0x1aa/0x400
[ 1627.472505][ T2979]  do_sys_openat2+0x16d/0x4e0
[ 1627.477185][ T2979]  __x64_sys_open+0x119/0x1c0
[ 1627.481848][ T2979]  do_syscall_64+0x39/0xb0
[ 1627.486255][ T2979]  entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 1627.492139][ T2979]
[ 1627.494455][ T2979] Memory state around the buggy address:
[ 1627.500063][ T2979]  ffff88801e1a7f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 1627.508215][ T2979]  ffff88801e1a8000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1627.516334][ T2979] >ffff88801e1a8080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1627.524565][ T2979]                       ^
[ 1627.528876][ T2979]  ffff88801e1a8100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1627.537914][ T2979]  ffff88801e1a8180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1627.546357][ T2979] ==================================================================
[ 1627.554473][ T2979] Kernel panic - not syncing: panic_on_warn set ...
[ 1627.561055][ T2979] CPU: 1 PID: 2979 Comm: kworker/1:4 Tainted: G B 5.14.0-rc6-next-20210820-syzkaller #0
[ 1627.572068][ T2979] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 1627.582115][ T2979] Workqueue: events l2cap_chan_timeout
[ 1627.587578][ T2979] Call Trace:
[ 1627.590845][ T2979]  dump_stack_lvl+0xcd/0x134
[ 1627.595430][ T2979]  panic+0x2af/0x6d5
[ 1627.599367][ T2979]  ? __warn_printk+0xf0/0xf0
[ 1627.603947][ T2979]  ? do_raw_spin_lock+0x262/0x2b0
[ 1627.608967][ T2979]  ? trace_hardirqs_on+0x38/0x1c0
[ 1627.614000][ T2979]  ? trace_hardirqs_on+0x51/0x1c0
[ 1627.619018][ T2979]  ? do_raw_spin_lock+0x262/0x2b0
[ 1627.624035][ T2979]  ? do_raw_spin_lock+0x262/0x2b0
[ 1627.629057][ T2979]  end_report.cold+0x63/0x6f
[ 1627.633638][ T2979]  kasan_report.cold+0x71/0xdf
[ 1627.638403][ T2979]  ? do_raw_spin_lock+0x262/0x2b0
[ 1627.643422][ T2979]  do_raw_spin_lock+0x262/0x2b0
[ 1627.648813][ T2979]  ? try_to_grab_pending.part.0+0x47/0x780
[ 1627.654675][ T2979]  ? rwlock_bug.part.0+0x90/0x90
[ 1627.659723][ T2979]  lock_sock_nested+0x40/0x120
[ 1627.664494][ T2979]  l2cap_sock_teardown_cb+0xa1/0x660
[ 1627.669811][ T2979]  l2cap_chan_del+0xbc/0xa80
[ 1627.674394][ T2979]  ? l2cap_chan_timeout+0xb9/0x2f0
[ 1627.679513][ T2979]  l2cap_chan_close+0x1ba/0xaf0
[ 1627.684358][ T2979]  ? mutex_lock_io_nested+0x1160/0x1160
[ 1627.689983][ T2979]  ? l2cap_rx+0x1fb0/0x1fb0
[ 1627.694484][ T2979]  ? lock_acquire+0x442/0x510
[ 1627.699155][ T2979]  ? lock_release+0x720/0x720
[ 1627.703850][ T2979]  ? process_one_work+0x8b5/0x16b0
[ 1627.708957][ T2979]  ? lock_downgrade+0x6e0/0x6e0
[ 1627.713817][ T2979]  l2cap_chan_timeout+0x182/0x2f0
[ 1627.718878][ T2979]  process_one_work+0x9c9/0x16b0
[ 1627.723857][ T2979]  ? pwq_dec_nr_in_flight+0x2b0/0x2b0
[ 1627.729226][ T2979]  ? rwlock_bug.part.0+0x90/0x90
[ 1627.734168][ T2979]  worker_thread+0x65b/0x1200
[ 1627.738847][ T2979]  ? process_one_work+0x16b0/0x16b0
[ 1627.744042][ T2979]  kthread+0x3e5/0x4d0
[ 1627.748104][ T2979]  ? set_kthread_struct+0x130/0x130
[ 1627.753318][ T2979]  ret_from_fork+0x1f/0x30
[ 1627.759186][ T2979] Kernel Offset: disabled
[ 1627.763495][ T2979] Rebooting in 86400 seconds..
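Triage note and added example (this is not part of the syzkaller log above). The BUG line blames do_raw_spin_lock, but the three stacks tell the real story: the L2CAP socket was allocated via l2cap_sock_alloc by task 6922, freed through l2cap_sock_release -> l2cap_sock_kill -> sk_free by task 6921, and then read again 140 bytes into the dead object by the l2cap_chan_timeout work item, which still reached the socket through l2cap_sock_teardown_cb -> lock_sock_nested. The shadow byte under the caret is fb (KASAN_KMALLOC_FREE), so this is a freed slab object, not a redzone overrun. The Python below parses a report in this format, extracts those facts, decodes the shadow byte and applies a naming heuristic to point at the subsystem frame worth fixing rather than the lock primitive. SAMPLE_REPORT is a trimmed copy of the report's own lines; the shadow table is a subset of the kernel's KASAN poison values; the "family" heuristic is this example's own and is not part of KASAN or syzkaller. Requires Python 3.8 or newer.

```python
# Added triage helper for the KASAN report above; example code, not part of the
# syzkaller log. SAMPLE_REPORT is a trimmed copy of the report's own lines; the
# shadow-byte table and the blame heuristic are this example's own additions.
import re

SAMPLE_REPORT = """\
[ 1626.856652][ T2979] BUG: KASAN: use-after-free in do_raw_spin_lock+0x262/0x2b0
[ 1626.864291][ T2979] Read of size 4 at addr ffff88801e1a808c by task kworker/1:4/2979
[ 1626.894555][ T2979] Workqueue: events l2cap_chan_timeout
[ 1626.900264][ T2979] Call Trace:
[ 1626.903533][ T2979]  dump_stack_lvl+0xcd/0x134
[ 1626.908128][ T2979]  print_address_description.constprop.0.cold+0x6c/0x309
[ 1626.925836][ T2979]  kasan_report.cold+0x83/0xdf
[ 1626.935702][ T2979]  do_raw_spin_lock+0x262/0x2b0
[ 1626.940539][ T2979]  ? try_to_grab_pending.part.0+0x47/0x780
[ 1626.951309][ T2979]  lock_sock_nested+0x40/0x120
[ 1626.956251][ T2979]  l2cap_sock_teardown_cb+0xa1/0x660
[ 1626.961532][ T2979]  l2cap_chan_del+0xbc/0xa80
[ 1626.971255][ T2979]  l2cap_chan_close+0x1ba/0xaf0
[ 1627.006194][ T2979]  l2cap_chan_timeout+0x182/0x2f0
[ 1627.050306][ T2979]
[ 1627.052618][ T2979] Allocated by task 6922:
[ 1627.070991][ T2979]  sk_alloc+0x36/0xbe0
[ 1627.075051][ T2979]  l2cap_sock_alloc.constprop.0+0x35/0x230
[ 1627.080875][ T2979]  l2cap_sock_create+0x127/0x1f0
[ 1627.114907][ T2979]
[ 1627.117220][ T2979] Freed by task 6921:
[ 1627.145782][ T2979]  kfree+0xea/0x540
[ 1627.149586][ T2979]  __sk_destruct+0x6b0/0x910
[ 1627.166618][ T2979]  l2cap_sock_kill+0x20b/0x250
[ 1627.171368][ T2979]  l2cap_sock_release+0x184/0x200
[ 1627.226472][ T2979]
[ 1627.228787][ T2979]  which belongs to the cache kmalloc-2k of size 2048
[ 1627.243444][ T2979]  2048-byte region [ffff88801e1a8000, ffff88801e1a8800)
[ 1627.508215][ T2979]  ffff88801e1a8000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1627.516334][ T2979] >ffff88801e1a8080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1627.524565][ T2979]                       ^
"""

DMESG_PREFIX = re.compile(r"^\[\s*\d+\.\d+\]\[\s*T\d+\]")
# KASAN shadow poison values (subset of mm/kasan/kasan.h); 0x00..0x07 means that
# many leading bytes of the 8-byte granule are still addressable.
SHADOW = {0xfa: "freed slab object (free-track granule)", 0xfb: "freed slab object",
          0xfc: "slab redzone", 0xfe: "page redzone", 0xff: "freed page"}

def frame_name(frame):
    """'l2cap_sock_alloc.constprop.0+0x35/0x230' -> 'l2cap_sock_alloc'."""
    return frame.split("+", 1)[0].split(".", 1)[0]

def collect_frames(lines, start):
    """Frames under a section header up to the next blank line; '? ' entries are
    unwinder guesses from stale stack slots and are dropped."""
    out = []
    for line in lines[start + 1:]:
        if not line:
            break
        if not line.startswith("? "):
            out.append(frame_name(line))
    return out

def parse_kasan(text):
    lines = [DMESG_PREFIX.sub("", l).strip() for l in text.splitlines()]
    r = {"trace": [], "alloc": [], "free": [], "shadow": {}}
    for i, s in enumerate(lines):
        if m := re.match(r"BUG: KASAN: (\S+) in (\S+)", s):
            r["bug"], r["in"] = m.group(1), frame_name(m.group(2))
        elif m := re.match(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (\S+)", s):
            r["access"], r["size"] = m.group(1).lower(), int(m.group(2))
            r["addr"], r["task"] = int(m.group(3), 16), m.group(4)
        elif m := re.match(r"Workqueue: (\S+) (\S+)", s):
            r["workqueue"] = m.group(1) + "/" + m.group(2)
        elif s == "Call Trace:":
            r["trace"] = collect_frames(lines, i)
        elif s.startswith("Allocated by task"):
            r["alloc"] = collect_frames(lines, i)
        elif s.startswith("Freed by task"):
            r["free"] = collect_frames(lines, i)
        elif m := re.match(r"which belongs to the cache (\S+) of size (\d+)", s):
            r["cache"], r["obj_size"] = m.group(1), int(m.group(2))
        elif m := re.match(r"(\d+)-byte region \[([0-9a-f]+), ([0-9a-f]+)\)", s):
            r["region"] = (int(m.group(2), 16), int(m.group(3), 16))
        elif m := re.match(r">?([0-9a-f]{16}): ((?:[0-9a-f]{2} ?){16})$", s):
            r["shadow"][int(m.group(1), 16)] = [int(b, 16) for b in m.group(2).split()]
    r["offset"] = r["addr"] - r["region"][0]
    # Each printed shadow row covers 16 granules of 8 bytes, i.e. 128 bytes of memory.
    row = next(a for a in r["shadow"] if a <= r["addr"] < a + 128)
    byte = r["shadow"][row][(r["addr"] - row) // 8]
    r["shadow_byte"] = byte
    r["shadow_meaning"] = "addressable" if byte <= 7 else SHADOW.get(byte, "unknown poison")
    return r

def family(name):
    """Two leading identifier tokens: 'l2cap_sock_teardown_cb' -> 'l2cap_sock'."""
    return "_".join(name.lstrip("_").split("_")[:2])

def blame_frame(r):
    """Heuristic (this example's own): first faulting-stack frame whose name family
    also appears in the free stack, i.e. the subsystem that re-touched an object it
    had freed. The BUG line's function (a generic lock primitive here) is rarely the fix site."""
    freed = {family(f) for f in r["free"]}
    return next((f for f in r["trace"] if family(f) in freed), None)

def summarize(r):
    return "%s %s of %d byte(s) at +%d into a freed %s object (shadow 0x%02x, %s); re-touched in %s from %s" % (
        r["bug"], r["access"], r["size"], r["offset"], r["cache"], r["shadow_byte"],
        r["shadow_meaning"], blame_frame(r), r.get("workqueue", r["task"]))

if __name__ == "__main__":
    print(summarize(parse_kasan(SAMPLE_REPORT)))
```

Run it as-is against the embedded sample, or feed it a whole console log: the parser ignores every line that is not part of the KASAN block, and the dmesg prefix stripping handles the `[ seconds][ Tpid]` form used above. The shadow decode is the check worth keeping in any triage script: an access landing on fb/fa is a lifetime bug (use-after-free), while fc/fe would point at an out-of-bounds access into a redzone and call for a different fix.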