[ 47.943915] Bluetooth: hci2: command 0x0419 tx timeout
[ 47.963182] Bluetooth: hci1: command 0x0419 tx timeout
[ 47.997282] Bluetooth: hci4: command 0x0419 tx timeout
[ 48.014703] Bluetooth: hci5: command 0x0419 tx timeout
[ 165.117984] Bluetooth: hci3: command 0x0406 tx timeout
[ 165.130301] Bluetooth: hci1: command 0x0406 tx timeout
[ 165.156898] Bluetooth: hci2: command 0x0406 tx timeout
[ 165.180304] Bluetooth: hci4: command 0x0406 tx timeout
[ 165.215425] Bluetooth: hci0: command 0x0406 tx timeout
[ 165.231082] Bluetooth: hci5: command 0x0406 tx timeout
[ 458.908224] batman_adv: batadv0: Interface deactivated: batadv_slave_0
[ 458.915292] batman_adv: batadv0: Removing interface: batadv_slave_0
[ 458.923301] batman_adv: batadv0: Interface deactivated: batadv_slave_1
[ 458.929975] batman_adv: batadv0: Removing interface: batadv_slave_1
[ 458.938819] device bridge_slave_1 left promiscuous mode
[ 458.945724] bridge0: port 2(bridge_slave_1) entered disabled state
[ 458.956431] device bridge_slave_0 left promiscuous mode
[ 458.961978] bridge0: port 1(bridge_slave_0) entered disabled state
[ 458.974055] batman_adv: batadv0: Interface deactivated: batadv_slave_0
[ 458.980806] batman_adv: batadv0: Removing interface: batadv_slave_0
[ 458.988387] batman_adv: batadv0: Interface deactivated: batadv_slave_1
[ 458.995701] batman_adv: batadv0: Removing interface: batadv_slave_1
[ 459.003234] device bridge_slave_1 left promiscuous mode
[ 459.008634] bridge0: port 2(bridge_slave_1) entered disabled state
[ 459.015822] device bridge_slave_0 left promiscuous mode
[ 459.021239] bridge0: port 1(bridge_slave_0) entered disabled state
[ 459.031329] device veth1_macvtap left promiscuous mode
[ 459.037091] device veth0_macvtap left promiscuous mode
[ 459.042937] device veth1_vlan left promiscuous mode
[ 459.048312] device veth0_vlan left promiscuous mode
[ 459.054661] device veth1_macvtap left promiscuous mode
[ 459.059948] device veth0_macvtap left promiscuous mode
[ 459.065316] device veth1_vlan left promiscuous mode
[ 459.070346] device veth0_vlan left promiscuous mode
[ 459.181262] device hsr_slave_1 left promiscuous mode
[ 459.188785] device hsr_slave_0 left promiscuous mode
[ 459.204760] team0 (unregistering): Port device team_slave_1 removed
[ 459.215465] team0 (unregistering): Port device team_slave_0 removed
[ 459.226442] bond0 (unregistering): Releasing backup interface bond_slave_1
[ 459.237387] bond0 (unregistering): Releasing backup interface bond_slave_0
[ 459.264080] bond0 (unregistering): Released all slaves
[ 459.357850] device hsr_slave_1 left promiscuous mode
[ 459.365049] device hsr_slave_0 left promiscuous mode
[ 459.377754] team0 (unregistering): Port device team_slave_1 removed
[ 459.389757] team0 (unregistering): Port device team_slave_0 removed
[ 459.399278] bond0 (unregistering): Releasing backup interface bond_slave_1
[ 459.408855] bond0 (unregistering): Releasing backup interface bond_slave_0
[ 459.435076] bond0 (unregistering): Released all slaves
[ 461.117493] batman_adv: batadv0: Interface deactivated: batadv_slave_0
[ 461.124325] batman_adv: batadv0: Removing interface: batadv_slave_0
[ 461.131570] batman_adv: batadv0: Interface deactivated: batadv_slave_1
[ 461.139236] batman_adv: batadv0: Removing interface: batadv_slave_1
[ 461.146873] device bridge_slave_1 left promiscuous mode
[ 461.152679] bridge0: port 2(bridge_slave_1) entered disabled state
[ 461.159611] device bridge_slave_0 left promiscuous mode
[ 461.166080] bridge0: port 1(bridge_slave_0) entered disabled state
[ 461.175715] batman_adv: batadv0: Interface deactivated: batadv_slave_0
[ 461.182536] batman_adv: batadv0: Removing interface: batadv_slave_0
[ 461.189738] batman_adv: batadv0: Interface deactivated: batadv_slave_1
[ 461.196455] batman_adv: batadv0: Removing interface: batadv_slave_1
[ 461.204252] device bridge_slave_1 left promiscuous mode
[ 461.209644] bridge0: port 2(bridge_slave_1) entered disabled state
[ 461.216860] device bridge_slave_0 left promiscuous mode
[ 461.222385] bridge0: port 1(bridge_slave_0) entered disabled state
[ 461.230863] batman_adv: batadv0: Interface deactivated: batadv_slave_0
[ 461.237746] batman_adv: batadv0: Removing interface: batadv_slave_0
[ 461.246117] batman_adv: batadv0: Interface deactivated: batadv_slave_1
[ 461.253281] batman_adv: batadv0: Removing interface: batadv_slave_1
[ 461.260450] device bridge_slave_1 left promiscuous mode
[ 461.266433] bridge0: port 2(bridge_slave_1) entered disabled state
[ 461.273962] device bridge_slave_0 left promiscuous mode
[ 461.279377] bridge0: port 1(bridge_slave_0) entered disabled state
[ 461.288668] batman_adv: batadv0: Interface deactivated: batadv_slave_0
[ 461.295464] batman_adv: batadv0: Removing interface: batadv_slave_0
[ 461.303024] batman_adv: batadv0: Interface deactivated: batadv_slave_1
[ 461.309687] batman_adv: batadv0: Removing interface: batadv_slave_1
[ 461.317610] device bridge_slave_1 left promiscuous mode
[ 461.323099] bridge0: port 2(bridge_slave_1) entered disabled state
[ 461.329966] device bridge_slave_0 left promiscuous mode
[ 461.335594] bridge0: port 1(bridge_slave_0) entered disabled state
[ 461.346119] device veth1_macvtap left promiscuous mode
[ 461.351451] device veth0_macvtap left promiscuous mode
[ 461.358402] device veth1_vlan left promiscuous mode
[ 461.363491] device veth0_vlan left promiscuous mode
[ 461.368748] device veth1_macvtap left promiscuous mode
[ 461.375714] device veth0_macvtap left promiscuous mode
[ 461.381029] device veth1_vlan left promiscuous mode
[ 461.386245] device veth0_vlan left promiscuous mode
[ 461.391500] device veth1_macvtap left promiscuous mode
[ 461.397477] device veth0_macvtap left promiscuous mode
[ 461.402883] device veth1_vlan left promiscuous mode
[ 461.407910] device veth0_vlan left promiscuous mode
[ 461.413932] device veth1_macvtap left promiscuous mode
[ 461.419235] device veth0_macvtap left promiscuous mode
[ 461.424613] device veth1_vlan left promiscuous mode
[ 461.429636] device veth0_vlan left promiscuous mode
[ 461.600892] device hsr_slave_1 left promiscuous mode
[ 461.609974] device hsr_slave_0 left promiscuous mode
[ 461.625194] team0 (unregistering): Port device team_slave_1 removed
[ 461.633799] team0 (unregistering): Port device team_slave_0 removed
[ 461.642376] bond0 (unregistering): Releasing backup interface bond_slave_1
[ 461.651509] bond0 (unregistering): Releasing backup interface bond_slave_0
[ 461.676700] bond0 (unregistering): Released all slaves
[ 461.725912] device hsr_slave_1 left promiscuous mode
[ 461.734259] device hsr_slave_0 left promiscuous mode
[ 461.746890] team0 (unregistering): Port device team_slave_1 removed
[ 461.756512] team0 (unregistering): Port device team_slave_0 removed
[ 461.766475] bond0 (unregistering): Releasing backup interface bond_slave_1
[ 461.776986] bond0 (unregistering): Releasing backup interface bond_slave_0
[ 461.801389] bond0 (unregistering): Released all slaves
[ 461.876675] device hsr_slave_1 left promiscuous mode
[ 461.883773] device hsr_slave_0 left promiscuous mode
[ 461.897165] team0 (unregistering): Port device team_slave_1 removed
[ 461.905984] team0 (unregistering): Port device team_slave_0 removed
[ 461.915880] bond0 (unregistering): Releasing backup interface bond_slave_1
[ 461.925744] bond0 (unregistering): Releasing backup interface bond_slave_0
[ 461.950874] bond0 (unregistering): Released all slaves
[ 461.996691] device hsr_slave_1 left promiscuous mode
[ 462.005025] device hsr_slave_0 left promiscuous mode
[ 462.018173] team0 (unregistering): Port device team_slave_1 removed
[ 462.028060] team0 (unregistering): Port device team_slave_0 removed
[ 462.037057] bond0 (unregistering): Releasing backup interface bond_slave_1
[ 462.048340] bond0 (unregistering): Releasing backup interface bond_slave_0
[ 462.071257] bond0 (unregistering): Released all slaves
Warning: Permanently added '10.128.10.33' (ECDSA) to the list of known hosts.
[ 464.719787] FS-Cache: Duplicate cookie detected
[ 464.724744] FS-Cache: O-cookie c=00000000a8ef1dec [p=00000000bfe85683 fl=212 nc=0 na=0]
[ 464.732926] FS-Cache: O-cookie d= (null) n= (null)
[ 464.739407] FS-Cache: O-key=[10] '5e5d375b2b255d28247b'
[ 464.744825] FS-Cache: N-cookie c=0000000012d4d2a6 [p=00000000bfe85683 fl=2 nc=0 na=1]
[ 464.752816] FS-Cache: N-cookie d=0000000008a5e808 n=0000000097ea05d3
[ 464.759283] FS-Cache: N-key=[10] '5e5d375b2b255d28247b'
[ 464.772343] ==================================================================
[ 464.779992] BUG: KASAN: use-after-free in __d_alloc+0x164/0x8a0
[ 464.786043] Read of size 10 at addr ffff8880a84051b1 by task kworker/1:3/7432
[ 464.793299]
[ 464.794914] CPU: 1 PID: 7432 Comm: kworker/1:3 Not tainted 5.0.0-rc2-syzkaller #0
[ 464.802517] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 464.809697] ------------[ cut here ]------------
[ 464.811972] Workqueue: afs afs_manage_cell
[ 464.816795] proc_dir_entry 'afs/^]7[+%](${' already registered
[ 464.821027] Call Trace:
[ 464.827137] WARNING: CPU: 0 PID: 12 at fs/proc/generic.c:360 proc_register+0x2c3/0x490
[ 464.829598] dump_stack+0x165/0x21a
[ 464.837533] Kernel panic - not syncing: panic_on_warn set ...
[ 464.841198] print_address_description.cold.3+0x9/0x211
[ 464.852328] ? __d_alloc+0x164/0x8a0
[ 464.856021] kasan_report.cold.4+0x1b/0x37
[ 464.860228] ? __d_alloc+0x164/0x8a0
[ 464.863976] ? rcu_lockdep_current_cpu_online+0x20/0x130
[ 464.869400] ? __d_alloc+0x164/0x8a0
[ 464.873088] check_memory_region+0x13c/0x1b0
[ 464.877472] memcpy+0x23/0x50
[ 464.880555] __d_alloc+0x164/0x8a0
[ 464.884074] d_alloc+0x43/0x250
[ 464.887333] d_alloc_parallel+0xf3/0x1570
[ 464.891478] ? mark_held_locks+0x130/0x130
[ 464.895694] ? __d_lookup_rcu+0x920/0x920
[ 464.899821] ? mark_held_locks+0x130/0x130
[ 464.904031] ? lockdep_init_map+0x105/0x590
[ 464.908343] ? lockdep_init_map+0x105/0x590
[ 464.912708] __lookup_slow+0x18d/0x3f0
[ 464.916591] ? terminate_walk+0x4e0/0x4e0
[ 464.920723] ? __d_lookup+0x2e7/0x590
[ 464.924502] ? lockdep_hardirqs_on+0x3bb/0x5b0
[ 464.929090] ? d_lookup+0x138/0x1b0
[ 464.932717] ? d_lookup+0x113/0x1b0
[ 464.936330] lookup_one_len+0x132/0x160
[ 464.940297] ? try_lookup_one_len+0x150/0x150
[ 464.944776] afs_dynroot_mkdir+0x12b/0x1f0
[ 464.948989] afs_manage_cell+0x534/0xe50
[ 464.953032] ? afs_set_cell_timer.part.0+0x80/0x80
[ 464.958036] ? trace_hardirqs_off+0x41/0x180
[ 464.962435] ? rcu_lockdep_current_cpu_online+0xe5/0x130
[ 464.967921] process_one_work+0x7b9/0x15a0
[ 464.972150] ? pwq_dec_nr_in_flight+0x2c0/0x2c0
[ 464.976792] ? lock_acquire+0x180/0x3a0
[ 464.980772] ? _raw_spin_lock_irq+0x3c/0x90
[ 464.985077] worker_thread+0x85/0xb60
[ 464.988852] ? __kthread_parkme+0x47/0x190
[ 464.993067] kthread+0x324/0x3e0
[ 464.996408] ? process_one_work+0x15a0/0x15a0
[ 465.000885] ? kthread_park+0x120/0x120
[ 465.004836] ret_from_fork+0x24/0x30
[ 465.008531]
[ 465.008538] CPU: 0 PID: 12 Comm: kworker/0:1 Not tainted 5.0.0-rc2-syzkaller #0
[ 465.010151] Allocated by task 23116:
[ 465.017581] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 465.021269] __kasan_kmalloc.part.0+0x66/0x100
[ 465.030595] Workqueue: afs afs_manage_cell
[ 465.035145] __kasan_kmalloc.constprop.1+0xb5/0xc0
[ 465.039347] Call Trace:
[ 465.044249] kasan_kmalloc+0x9/0x10
[ 465.046810] dump_stack+0x165/0x21a
[ 465.050414] kmem_cache_alloc_trace+0x15b/0x3d0
[ 465.054016] ? proc_register+0x2c3/0x490
[ 465.058653] afs_lookup_cell+0x14a/0xb70
[ 465.062745] panic+0x212/0x40b
[ 465.066753] afs_parse_param+0x322/0x9f0
[ 465.069887] ? __warn_printk+0xd6/0xd6
[ 465.073950] vfs_parse_fs_param+0x228/0x470
[ 465.077783] __warn.cold.7+0x1b/0x38
[ 465.082082] vfs_parse_fs_string+0xb8/0x110
[ 465.082088] generic_parse_monolithic+0x117/0x190
[ 465.085791] ? proc_register+0x2c3/0x490
[ 465.090077] parse_monolithic_mount_data+0x5c/0x83
[ 465.094894] report_bug+0x1a4/0x200
[ 465.098990] do_mount+0x10e4/0x2ae0
[ 465.103872] do_error_trap+0x11b/0x200
[ 465.107431] ksys_mount+0xba/0xe0
[ 465.111032] do_invalid_op+0x36/0x40
[ 465.114891] __x64_sys_mount+0xb9/0x150
[ 465.118316] ? proc_register+0x2c3/0x490
[ 465.122114] do_syscall_64+0xd0/0x4d0
[ 465.122120] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 465.126064] invalid_op+0x14/0x20
[ 465.130094]
[ 465.133866] RIP: 0010:proc_register+0x2c3/0x490
[ 465.139025] Freed by task 16:
[ 465.142456] Code: 00 00 fc ff df 48 89 f9 48 c1 e9 03 80 3c 01 00 0f 85 c1 01 00 00 49 8b b4 24 c8 00 00 00 48 c7 c7 60 84 55 87 e8 d0 06 82 ff <0f> 0b 48 c7 c7 c0 95 86 88 e8 9f ec 45 05 4c 89 ea 48 b8 00 00 00
[ 465.144056] __kasan_slab_free+0x13c/0x220
[ 465.148691] RSP: 0018:ffff8880a984fa88 EFLAGS: 00010282
[ 465.151773] kasan_slab_free+0xe/0x10
[ 465.170650] RAX: 0000000000000000 RBX: ffffed1013fcbaf2 RCX: 0000000000000000
[ 465.170654] RDX: 0000000000000004 RSI: ffffffff878b6d60 RDI: ffffffff8a3add60
[ 465.174860] kfree+0xcf/0x220
[ 465.180192] RBP: ffff8880a984fad8 R08: ffffed1015d05029 R09: ffffed1015d05028
[ 465.180196] R10: ffffed1015d05028 R11: ffff8880ae828147 R12: ffff8882163e8300
[ 465.183988] afs_cell_destroy+0xd3/0x110
[ 465.191241] R13: ffff88809fe5d744 R14: ffff88809fe5d788 R15: ffff88809fe5d6c0
[ 465.198487] rcu_process_callbacks+0x8a7/0x12e0
[ 465.201572] ? proc_register+0x2c3/0x490
[ 465.208807] __do_softirq+0x25e/0x958
[ 465.208809]
[ 465.216061] proc_mkdir_data+0x13a/0x220
[ 465.220087] The buggy address belongs to the object at ffff8880a8405080
[ 465.220087] which belongs to the cache kmalloc-512 of size 512
[ 465.227332] ? proc_symlink+0x1a0/0x1a0
[ 465.231983] The buggy address is located 305 bytes inside of
[ 465.231983] 512-byte region [ffff8880a8405080, ffff8880a8405280)
[ 465.236071] ? fscache_free_cookie+0xc0/0x150
[ 465.239783] The buggy address belongs to the page:
[ 465.241386] ? __fscache_acquire_cookie+0x15d/0x620
[ 465.245416] page:ffffea0002a10140 count:1 mapcount:0 mapping:ffff88812c3f6940 index:0xffff8880a8405d00
[ 465.258045] afs_proc_cell_setup+0x92/0x170
[ 465.261986] flags: 0xfffe0000000200(slab)
[ 465.273837] afs_manage_cell+0x42f/0xe50
[ 465.278303] raw: 00fffe0000000200 ffffea0002585688 ffffea000258b9c8 ffff88812c3f6940
[ 465.283206] ? afs_set_cell_timer.part.0+0x80/0x80
[ 465.288188] raw: ffff8880a8405d00 ffff8880a8405080 0000000100000005 0000000000000000
[ 465.297600] ? trace_hardirqs_off+0x41/0x180
[ 465.301888] page dumped because: kasan: bad access detected
[ 465.306019] ? rcu_lockdep_current_cpu_online+0xe5/0x130
[ 465.310521]
[ 465.318378] process_one_work+0x7b9/0x15a0
[ 465.323273] Memory state around the buggy address:
[ 465.331132] ? pwq_dec_nr_in_flight+0x2c0/0x2c0
[ 465.335506] ffff8880a8405080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 465.341193] ? lock_acquire+0x180/0x3a0
[ 465.346624] ffff8880a8405100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 465.348239] ? _raw_spin_lock_irq+0x3c/0x90
[ 465.352440] >ffff8880a8405180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 465.357347] worker_thread+0x85/0xb60
[ 465.361979] ^
[ 465.369312] ? __kthread_parkme+0x47/0x190
[ 465.373255] ffff8880a8405200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 465.380592] kthread+0x324/0x3e0
[ 465.384877] ffff8880a8405280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 465.392210] ? process_one_work+0x15a0/0x15a0
[ 465.395989] ==================================================================
[ 465.400891] ? kthread_park+0x120/0x120
[ 465.405092] Disabling lock debugging due to kernel taint
[ 465.412425] ret_from_fork+0x24/0x30
[ 465.449411] Kernel Offset: disabled
[ 465.453073] Rebooting in 86400 seconds..