bisecting fixing commit since c076c79e03c6094e578df5d210fde808b3ad32e6
building syzkaller on 4ca1c0ea446d2c09b1fb49a85ae645e3754f1058
testing commit c076c79e03c6094e578df5d210fde808b3ad32e6 compiler: gcc version 8.4.1 20210217 (GCC)
kernel signature: e5c170a046c5156ac6d989bdf73350ca1e9af32ba45ca8738a4623e2f3ad7050
run #0: crashed: KASAN: use-after-free Write in hci_conn_del
run #1: crashed: KASAN: use-after-free Write in hci_conn_del
run #2: crashed: KASAN: use-after-free Write in hci_conn_del
run #3: crashed: KASAN: use-after-free Write in hci_conn_del
run #4: crashed: KASAN: use-after-free Write in hci_conn_del
run #5: crashed: KASAN: use-after-free Write in hci_conn_del
run #6: crashed: KASAN: slab-out-of-bounds Write in hci_conn_del
run #7: crashed: KASAN: use-after-free Write in hci_conn_del
run #8: crashed: KASAN: use-after-free Write in hci_conn_del
run #9: crashed: KASAN: use-after-free Write in hci_conn_del
run #10: crashed: WARNING: ODEBUG bug in bt_link_release
run #11: crashed: KASAN: use-after-free Write in hci_conn_del
run #12: crashed: KASAN: use-after-free Write in hci_conn_del
run #13: crashed: KASAN: use-after-free Write in hci_conn_del
run #14: crashed: KASAN: use-after-free Write in hci_conn_del
run #15: crashed: KASAN: slab-out-of-bounds Write in hci_conn_del
run #16: crashed: KASAN: slab-out-of-bounds Write in hci_conn_del
run #17: crashed: KASAN: use-after-free Write in hci_conn_del
run #18: crashed: KASAN: use-after-free Read in __queue_work
run #19: OK
testing current HEAD 2950c9c5e0df6bd34af45a5168bbee345e95eae2
testing commit 2950c9c5e0df6bd34af45a5168bbee345e95eae2 compiler: gcc version 8.4.1 20210217 (GCC)
kernel signature: b91223eb9baf32e6e4532ba0181f1f184a5fdad69eeee7446568b17b658aedce
run #0: crashed: KASAN: use-after-free Write in hci_conn_del
run #1: crashed: KASAN: use-after-free Write in hci_conn_del
run #2: crashed: KASAN: slab-out-of-bounds Write in hci_conn_del
run #3: crashed: KASAN: use-after-free Write in hci_conn_del
run #4: crashed: KASAN: use-after-free Write in hci_conn_del
run #5: crashed: KASAN: use-after-free Write in hci_conn_del
run #6: crashed: KASAN: slab-out-of-bounds Write in hci_conn_del
run #7: crashed: KASAN: use-after-free Read in sco_chan_del
run #8: crashed: KASAN: slab-out-of-bounds Write in hci_conn_del
run #9: crashed: KASAN: use-after-free Write in hci_conn_del
revisions tested: 2, total time: 33m24.357526265s (build: 17m29.342759982s, test: 15m26.60887332s)
the crash still happens on HEAD
commit msg: Linux 4.19.207
crash: KASAN: use-after-free Write in hci_conn_del

bond0 (unregistering): Releasing backup interface bond_slave_1
bond0 (unregistering): Releasing backup interface bond_slave_0
bond0 (unregistering): Released all slaves
==================================================================
BUG: KASAN: use-after-free in hci_conn_del+0x5a4/0x5f0 net/bluetooth/hci_conn.c:596
Write of size 8 at addr ffff8881e1e2a9a8 by task syz-executor.2/25410

CPU: 0 PID: 25410 Comm: syz-executor.2 Not tainted 4.19.207-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x17c/0x226 lib/dump_stack.c:118
 print_address_description.cold.6+0x9/0x211 mm/kasan/report.c:256
 kasan_report_error mm/kasan/report.c:354 [inline]
 kasan_report mm/kasan/report.c:412 [inline]
 kasan_report.cold.7+0x242/0x2fe mm/kasan/report.c:396
 __asan_report_store8_noabort+0x17/0x20 mm/kasan/report.c:438
 hci_conn_del+0x5a4/0x5f0 net/bluetooth/hci_conn.c:596
 hci_conn_hash_flush+0x168/0x200 net/bluetooth/hci_conn.c:1513
 hci_dev_do_close+0x52f/0xdd0 net/bluetooth/hci_core.c:1687
 hci_unregister_dev+0x12a/0x330 net/bluetooth/hci_core.c:3288
 vhci_release+0x6b/0xe0 drivers/bluetooth/hci_vhci.c:354
 __fput+0x249/0x7f0 fs/file_table.c:278
 ____fput+0x9/0x10 fs/file_table.c:309
 task_work_run+0x108/0x180 kernel/task_work.c:113
 exit_task_work include/linux/task_work.h:22 [inline]
 do_exit+0xa6a/0x2d90 kernel/exit.c:870
 do_group_exit+0xf8/0x2c0 kernel/exit.c:967
 __do_sys_exit_group kernel/exit.c:978 [inline]
 __se_sys_exit_group kernel/exit.c:976 [inline]
 __x64_sys_exit_group+0x39/0x40 kernel/exit.c:976
 do_syscall_64+0xd0/0x4e0 arch/x86/entry/common.c:293
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x464759
Code: Bad RIP value.
RSP: 002b:00007ffcd16bf378 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
RAX: ffffffffffffffda RBX: 0000000000000054 RCX: 0000000000464759
RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000043
RBP: 00000000004ae1d2 R08: 000000000000000b R09: 000000000003fa34
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000003fa58 R14: 000000000003fa34 R15: 0000000000000019

Allocated by task 25915:
 save_stack mm/kasan/kasan.c:448 [inline]
 set_track mm/kasan/kasan.c:460 [inline]
 kasan_kmalloc.part.1+0x62/0xf0 mm/kasan/kasan.c:553
 kasan_kmalloc+0xaf/0xc0 mm/kasan/kasan.c:538
 kmem_cache_alloc_trace+0x152/0x3a0 mm/slab.c:3625
 kmalloc include/linux/slab.h:515 [inline]
 kzalloc include/linux/slab.h:709 [inline]
 hci_conn_add+0x55/0x1130 net/bluetooth/hci_conn.c:501
 hci_connect_acl net/bluetooth/hci_conn.c:1209 [inline]
 hci_connect_acl+0x210/0x3f0 net/bluetooth/hci_conn.c:1195
 hci_connect_sco+0x37/0x680 net/bluetooth/hci_conn.c:1232
 sco_connect net/bluetooth/sco.c:254 [inline]
 sco_sock_connect+0x24a/0x800 net/bluetooth/sco.c:586
 __sys_connect+0x20d/0x2d0 net/socket.c:1775
 __do_sys_connect net/socket.c:1786 [inline]
 __se_sys_connect net/socket.c:1783 [inline]
 __x64_sys_connect+0x6e/0xb0 net/socket.c:1783
 do_syscall_64+0xd0/0x4e0 arch/x86/entry/common.c:293
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 7277:
 save_stack mm/kasan/kasan.c:448 [inline]
 set_track mm/kasan/kasan.c:460 [inline]
 __kasan_slab_free+0x13c/0x220 mm/kasan/kasan.c:521
 kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:528
 __cache_free mm/slab.c:3503 [inline]
 kfree+0xcf/0x220 mm/slab.c:3822
 bt_link_release+0x10/0x20 net/bluetooth/hci_sysfs.c:14
 device_release+0x71/0x1d0 drivers/base/core.c:1076
 kobject_cleanup lib/kobject.c:662 [inline]
 kobject_release lib/kobject.c:691 [inline]
 kref_put include/linux/kref.h:70 [inline]
 kobject_put+0x115/0x1f0 lib/kobject.c:708
 put_device+0x12/0x20 drivers/base/core.c:2267
 hci_conn_put include/net/bluetooth/hci_core.h:958 [inline]
 hci_conn_cleanup+0x2cc/0x520 net/bluetooth/hci_conn.c:134
 hci_conn_del+0x220/0x5f0 net/bluetooth/hci_conn.c:611
 hci_conn_complete_evt.isra.52+0xce3/0x1260 net/bluetooth/hci_event.c:2483
 hci_event_packet+0xd3b/0x72c0 net/bluetooth/hci_event.c:5825
 hci_rx_work+0x363/0x8f0 net/bluetooth/hci_core.c:4380
 process_one_work+0x7b9/0x15a0 kernel/workqueue.c:2153
 worker_thread+0x85/0xb60 kernel/workqueue.c:2296
 kthread+0x347/0x410 kernel/kthread.c:259
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415

The buggy address belongs to the object at ffff8881e1e2a140
 which belongs to the cache kmalloc-4096 of size 4096
The buggy address is located 2152 bytes inside of
 4096-byte region [ffff8881e1e2a140, ffff8881e1e2b140)
The buggy address belongs to the page:
page:ffffea0007878a80 count:1 mapcount:0 mapping:ffff8881f6400dc0 index:0x0 compound_mapcount: 0
flags: 0x17ffe0000008100(slab|head)
raw: 017ffe0000008100 ffffea00079d0408 ffffea0007badc88 ffff8881f6400dc0
raw: 0000000000000000 ffff8881e1e2a140 0000000100000001 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8881e1e2a880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8881e1e2a900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8881e1e2a980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                  ^
 ffff8881e1e2aa00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8881e1e2aa80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
------------[ cut here ]------------
ODEBUG: assert_init not available (active state 0) object type: timer_list hint: delayed_work_timer_fn+0x0/0x90 kernel/workqueue.c:4954
WARNING: CPU: 0 PID: 25410 at lib/debugobjects.c:328 debug_print_object+0x168/0x210 lib/debugobjects.c:325
Modules linked in:
CPU: 0 PID: 25410 Comm: syz-executor.2 Tainted: G    B             4.19.207-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:debug_print_object+0x168/0x210 lib/debugobjects.c:325
Code: 67 87 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 92 00 00 00 48 8b 14 dd 00 b4 67 87 4c 89 fe 48 c7 c7 80 a9 67 87 e8 44 19 98 03 <0f> 0b 83 05 4b 45 f9 05 01 48 83 c4 18 5b 41 5c 41 5d 41 5e 41 5f
RSP: 0018:ffff8881e7c7f820 EFLAGS: 00010086
RAX: 0000000000000000 RBX: 0000000000000005 RCX: 0000000000000000
RDX: 0000000000000004 RSI: 0000000000000008 RDI: ffffffff8a19faa0
RBP: ffff8881e7c7f860 R08: ffffed103ed03ef7 R09: ffffed103ed03ef6
R10: ffffed103ed03ef6 R11: ffff8881f681f7b7 R12: 0000000000000001
R13: ffffffff885992c0 R14: ffffffff8151b080 R15: ffffffff8767afe0
FS:  0000000001aee400(0000) GS:ffff8881f6800000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000000046472f CR3: 000000000846d002 CR4: 00000000001606f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 debug_object_assert_init lib/debugobjects.c:694 [inline]
 debug_object_assert_init+0x261/0x370 lib/debugobjects.c:665
 debug_timer_assert_init kernel/time/timer.c:733 [inline]
 debug_assert_init kernel/time/timer.c:785 [inline]
 del_timer+0x74/0x100 kernel/time/timer.c:1210
 try_to_grab_pending+0x215/0x5f0 kernel/workqueue.c:1224
 __cancel_work kernel/workqueue.c:3101 [inline]
 cancel_delayed_work+0x70/0x190 kernel/workqueue.c:3130
 hci_conn_drop include/net/bluetooth/hci_core.h:979 [inline]
 hci_conn_del+0x479/0x5f0 net/bluetooth/hci_conn.c:597
 hci_conn_hash_flush+0x168/0x200 net/bluetooth/hci_conn.c:1513
 hci_dev_do_close+0x52f/0xdd0 net/bluetooth/hci_core.c:1687
 hci_unregister_dev+0x12a/0x330 net/bluetooth/hci_core.c:3288
 vhci_release+0x6b/0xe0 drivers/bluetooth/hci_vhci.c:354
 __fput+0x249/0x7f0 fs/file_table.c:278
 ____fput+0x9/0x10 fs/file_table.c:309
 task_work_run+0x108/0x180 kernel/task_work.c:113
 exit_task_work include/linux/task_work.h:22 [inline]
 do_exit+0xa6a/0x2d90 kernel/exit.c:870
 do_group_exit+0xf8/0x2c0 kernel/exit.c:967
 __do_sys_exit_group kernel/exit.c:978 [inline]
 __se_sys_exit_group kernel/exit.c:976 [inline]
 __x64_sys_exit_group+0x39/0x40 kernel/exit.c:976
 do_syscall_64+0xd0/0x4e0 arch/x86/entry/common.c:293
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x464759
Code: Bad RIP value.
RSP: 002b:00007ffcd16bf378 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
RAX: ffffffffffffffda RBX: 0000000000000054 RCX: 0000000000464759
RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000043
RBP: 00000000004ae1d2 R08: 000000000000000b R09: 000000000003fa34
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000003fa58 R14: 000000000003fa34 R15: 0000000000000019
irq event stamp: 304658
hardirqs last  enabled at (304657): [] start_flush_work kernel/workqueue.c:2867 [inline]
hardirqs last  enabled at (304657): [] __flush_work+0x59d/0x820 kernel/workqueue.c:2925
hardirqs last disabled at (304658): [] __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:108 [inline]
hardirqs last disabled at (304658): [] _raw_spin_lock_irqsave+0x74/0xd0 kernel/locking/spinlock.c:152
softirqs last  enabled at (301320): [] spin_unlock_bh include/linux/spinlock.h:374 [inline]
softirqs last  enabled at (301320): [] release_sock+0x11f/0x180 net/core/sock.c:2892
softirqs last disabled at (301318): [] spin_lock_bh include/linux/spinlock.h:334 [inline]
softirqs last disabled at (301318): [] release_sock+0x1b/0x180 net/core/sock.c:2879
---[ end trace 93d28ae693321ba4 ]---
------------[ cut here ]------------
ODEBUG: assert_init not available (active state 0) object type: timer_list hint: delayed_work_timer_fn+0x0/0x90 kernel/workqueue.c:4954
WARNING: CPU: 0 PID: 25410 at lib/debugobjects.c:328 debug_print_object+0x168/0x210 lib/debugobjects.c:325
Modules linked in:
CPU: 0 PID: 25410 Comm: syz-executor.2 Tainted: G    B W         4.19.207-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:debug_print_object+0x168/0x210 lib/debugobjects.c:325
Code: 67 87 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 92 00 00 00 48 8b 14 dd 00 b4 67 87 4c 89 fe 48 c7 c7 80 a9 67 87 e8 44 19 98 03 <0f> 0b 83 05 4b 45 f9 05 01 48 83 c4 18 5b 41 5c 41 5d 41 5e 41 5f
RSP: 0018:ffff8881e7c7f820 EFLAGS: 00010086
RAX: 0000000000000000 RBX: 0000000000000005 RCX: 0000000000000000
RDX: 0000000000000004 RSI: 0000000000000008 RDI: ffffffff8a19faa0
RBP: ffff8881e7c7f860 R08: ffffed103ed03ef7 R09: ffffed103ed03ef6
R10: ffffed103ed03ef6 R11: ffff8881f681f7b7 R12: 0000000000000002
R13: ffffffff885992c0 R14: ffffffff8151b080 R15: ffffffff8767afe0
FS:  0000000001aee400(0000) GS:ffff8881f6800000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000000046472f CR3: 000000000846d002 CR4: 00000000001606f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 debug_object_assert_init lib/debugobjects.c:694 [inline]
 debug_object_assert_init+0x261/0x370 lib/debugobjects.c:665
 debug_timer_assert_init kernel/time/timer.c:733 [inline]
 debug_assert_init kernel/time/timer.c:785 [inline]
 del_timer+0x74/0x100 kernel/time/timer.c:1210
 try_to_grab_pending+0x215/0x5f0 kernel/workqueue.c:1224
 __cancel_work kernel/workqueue.c:3101 [inline]
 cancel_delayed_work+0x70/0x190 kernel/workqueue.c:3130
 hci_conn_drop include/net/bluetooth/hci_core.h:998 [inline]
 hci_conn_del+0x173/0x5f0 net/bluetooth/hci_conn.c:597
 hci_conn_hash_flush+0x168/0x200 net/bluetooth/hci_conn.c:1513
 hci_dev_do_close+0x52f/0xdd0 net/bluetooth/hci_core.c:1687
 hci_unregister_dev+0x12a/0x330 net/bluetooth/hci_core.c:3288
 vhci_release+0x6b/0xe0 drivers/bluetooth/hci_vhci.c:354
 __fput+0x249/0x7f0 fs/file_table.c:278
 ____fput+0x9/0x10 fs/file_table.c:309
 task_work_run+0x108/0x180 kernel/task_work.c:113
 exit_task_work include/linux/task_work.h:22 [inline]
 do_exit+0xa6a/0x2d90 kernel/exit.c:870
 do_group_exit+0xf8/0x2c0 kernel/exit.c:967
 __do_sys_exit_group kernel/exit.c:978 [inline]
 __se_sys_exit_group kernel/exit.c:976 [inline]
 __x64_sys_exit_group+0x39/0x40 kernel/exit.c:976
 do_syscall_64+0xd0/0x4e0 arch/x86/entry/common.c:293
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x464759
Code: Bad RIP value.
RSP: 002b:00007ffcd16bf378 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
RAX: ffffffffffffffda RBX: 0000000000000054 RCX: 0000000000464759
RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000043
RBP: 00000000004ae1d2 R08: 000000000000000b R09: 000000000003fa34
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000003fa58 R14: 000000000003fa34 R15: 0000000000000019
irq event stamp: 304658
hardirqs last  enabled at (304657): [] start_flush_work kernel/workqueue.c:2867 [inline]
hardirqs last  enabled at (304657): [] __flush_work+0x59d/0x820 kernel/workqueue.c:2925
hardirqs last disabled at (304658): [] __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:108 [inline]
hardirqs last disabled at (304658): [] _raw_spin_lock_irqsave+0x74/0xd0 kernel/locking/spinlock.c:152
softirqs last  enabled at (301320): [] spin_unlock_bh include/linux/spinlock.h:374 [inline]
softirqs last  enabled at (301320): [] release_sock+0x11f/0x180 net/core/sock.c:2892
softirqs last disabled at (301318): [] spin_lock_bh include/linux/spinlock.h:334 [inline]
softirqs last disabled at (301318): [] release_sock+0x1b/0x180 net/core/sock.c:2879
---[ end trace 93d28ae693321ba5 ]---
WARNING: CPU: 0 PID: 25410 at kernel/workqueue.c:1514 __queue_delayed_work+0x186/0x290 kernel/workqueue.c:1513
Modules linked in:
CPU: 0 PID: 25410 Comm: syz-executor.2 Tainted: G    B W         4.19.207-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:__queue_delayed_work+0x186/0x290 kernel/workqueue.c:1514
Code: e8 4f ce 14 00 48 83 c4 18 5b 41 5c 41 5d 5d c3 44 89 e7 e8 2c ec ff ff 48 83 c4 18 5b 41 5c 41 5d 5d c3 0f 0b e9 97 fe ff ff <0f> 0b e9 be fe ff ff 0f 0b e9 e2 fe ff ff 0f 0b e9 07 ff ff ff 44
RSP: 0018:ffff8881e7c7fa38 EFLAGS: 00010006
RAX: 0000000000000000 RBX: 0000000000000286 RCX: 0000000000000000
RDX: ffff8881e1e2a260 RSI: ffff8881da093780 RDI: ffff8881e1e2a2b8
RBP: ffff8881e7c7fa68 R08: 1ffff1103c3c5457 R09: ffffed103c3c544c
R10: ffffed103c3c544c R11: 0000000000000007 R12: 0000000000000040
R13: ffff8881e1e2a2a0 R14: ffff8881da093780 R15: 0000000000000000
FS:  0000000001aee400(0000) GS:ffff8881f6800000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000000046472f CR3: 000000000846d002 CR4: 00000000001606f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 queue_delayed_work_on+0x148/0x180 kernel/workqueue.c:1561
 queue_delayed_work include/linux/workqueue.h:527 [inline]
 hci_conn_drop include/net/bluetooth/hci_core.h:999 [inline]
 hci_conn_del+0x1d9/0x5f0 net/bluetooth/hci_conn.c:597
 hci_conn_hash_flush+0x168/0x200 net/bluetooth/hci_conn.c:1513
 hci_dev_do_close+0x52f/0xdd0 net/bluetooth/hci_core.c:1687
 hci_unregister_dev+0x12a/0x330 net/bluetooth/hci_core.c:3288
 vhci_release+0x6b/0xe0 drivers/bluetooth/hci_vhci.c:354
 __fput+0x249/0x7f0 fs/file_table.c:278
 ____fput+0x9/0x10 fs/file_table.c:309
 task_work_run+0x108/0x180 kernel/task_work.c:113
 exit_task_work include/linux/task_work.h:22 [inline]
 do_exit+0xa6a/0x2d90 kernel/exit.c:870
 do_group_exit+0xf8/0x2c0 kernel/exit.c:967
 __do_sys_exit_group kernel/exit.c:978 [inline]
 __se_sys_exit_group kernel/exit.c:976 [inline]
 __x64_sys_exit_group+0x39/0x40 kernel/exit.c:976
 do_syscall_64+0xd0/0x4e0 arch/x86/entry/common.c:293
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x464759
Code: Bad RIP value.
RSP: 002b:00007ffcd16bf378 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
RAX: ffffffffffffffda RBX: 0000000000000054 RCX: 0000000000464759
RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000043
RBP: 00000000004ae1d2 R08: 000000000000000b R09: 000000000003fa34
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000003fa58 R14: 000000000003fa34 R15: 0000000000000019
irq event stamp: 304658
hardirqs last  enabled at (304657): [] start_flush_work kernel/workqueue.c:2867 [inline]
hardirqs last  enabled at (304657): [] __flush_work+0x59d/0x820 kernel/workqueue.c:2925
hardirqs last disabled at (304658): [] __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:108 [inline]
hardirqs last disabled at (304658): [] _raw_spin_lock_irqsave+0x74/0xd0 kernel/locking/spinlock.c:152
softirqs last  enabled at (301320): [] spin_unlock_bh include/linux/spinlock.h:374 [inline]
softirqs last  enabled at (301320): [] release_sock+0x11f/0x180 net/core/sock.c:2892
softirqs last disabled at (301318): [] spin_lock_bh include/linux/spinlock.h:334 [inline]
softirqs last disabled at (301318): [] release_sock+0x1b/0x180 net/core/sock.c:2879
---[ end trace 93d28ae693321ba6 ]---
------------[ cut here ]------------
ODEBUG: activate not available (active state 0) object type: work_struct hint: hci_conn_timeout+0x0/0x200 include/linux/list.h:63
WARNING: CPU: 0 PID: 25410 at lib/debugobjects.c:328 debug_print_object+0x168/0x210 lib/debugobjects.c:325
Modules linked in:
CPU: 0 PID: 25410 Comm: syz-executor.2 Tainted: G    B W         4.19.207-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:debug_print_object+0x168/0x210 lib/debugobjects.c:325
Code: 67 87 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 92 00 00 00 48 8b 14 dd 00 b4 67 87 4c 89 fe 48 c7 c7 80 a9 67 87 e8 44 19 98 03 <0f> 0b 83 05 4b 45 f9 05 01 48 83 c4 18 5b 41 5c 41 5d 41 5e 41 5f
RSP: 0018:ffff8881e7c7f8a0 EFLAGS: 00010082
RAX: 0000000000000000 RBX: 0000000000000005 RCX: 0000000000000000
RDX: 0000000000000004 RSI: 0000000000000008 RDI: ffffffff8a19faa0
RBP: ffff8881e7c7f8e0 R08: ffffed103ed03ef7 R09: ffffed103ed03ef6
R10: ffffed103ed03ef6 R11: ffff8881f681f7b7 R12: 0000000000000003
R13: ffffffff8855ab20 R14: ffffffff813cc930 R15: ffffffff8767b020
FS:  0000000001aee400(0000) GS:ffff8881f6800000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000000046472f CR3: 000000000846d002 CR4: 00000000001606f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 debug_object_activate+0x27a/0x4e0 lib/debugobjects.c:515
 debug_work_activate kernel/workqueue.c:492 [inline]
 __queue_work+0x354/0xdd0 kernel/workqueue.c:1463
 __queue_delayed_work+0x174/0x290 kernel/workqueue.c:1525
 queue_delayed_work_on+0x148/0x180 kernel/workqueue.c:1561
 queue_delayed_work include/linux/workqueue.h:527 [inline]
 hci_conn_drop include/net/bluetooth/hci_core.h:999 [inline]
 hci_conn_del+0x1d9/0x5f0 net/bluetooth/hci_conn.c:597
 hci_conn_hash_flush+0x168/0x200 net/bluetooth/hci_conn.c:1513
 hci_dev_do_close+0x52f/0xdd0 net/bluetooth/hci_core.c:1687
 hci_unregister_dev+0x12a/0x330 net/bluetooth/hci_core.c:3288
 vhci_release+0x6b/0xe0 drivers/bluetooth/hci_vhci.c:354
 __fput+0x249/0x7f0 fs/file_table.c:278
 ____fput+0x9/0x10 fs/file_table.c:309
 task_work_run+0x108/0x180 kernel/task_work.c:113
 exit_task_work include/linux/task_work.h:22 [inline]
 do_exit+0xa6a/0x2d90 kernel/exit.c:870
 do_group_exit+0xf8/0x2c0 kernel/exit.c:967
 __do_sys_exit_group kernel/exit.c:978 [inline]
 __se_sys_exit_group kernel/exit.c:976 [inline]
 __x64_sys_exit_group+0x39/0x40 kernel/exit.c:976
 do_syscall_64+0xd0/0x4e0 arch/x86/entry/common.c:293
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x464759
Code: Bad RIP value.
RSP: 002b:00007ffcd16bf378 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
RAX: ffffffffffffffda RBX: 0000000000000054 RCX: 0000000000464759
RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000043
RBP: 00000000004ae1d2 R08: 000000000000000b R09: 000000000003fa34
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000003fa58 R14: 000000000003fa34 R15: 0000000000000019
irq event stamp: 304658
hardirqs last  enabled at (304657): [] start_flush_work kernel/workqueue.c:2867 [inline]
hardirqs last  enabled at (304657): [] __flush_work+0x59d/0x820 kernel/workqueue.c:2925
hardirqs last disabled at (304658): [] __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:108 [inline]
hardirqs last disabled at (304658): [] _raw_spin_lock_irqsave+0x74/0xd0 kernel/locking/spinlock.c:152
softirqs last  enabled at (301320): [] spin_unlock_bh include/linux/spinlock.h:374 [inline]
softirqs last  enabled at (301320): [] release_sock+0x11f/0x180 net/core/sock.c:2892
softirqs last disabled at (301318): [] spin_lock_bh include/linux/spinlock.h:334 [inline]
softirqs last disabled at (301318): [] release_sock+0x1b/0x180 net/core/sock.c:2879
---[ end trace 93d28ae693321ba7 ]---
------------[ cut here ]------------
ODEBUG: deactivate not available (active state 0) object type: work_struct hint: hci_conn_timeout+0x0/0x200 include/linux/list.h:63
WARNING: CPU: 1 PID: 7277 at lib/debugobjects.c:328 debug_print_object+0x168/0x210 lib/debugobjects.c:325
Modules linked in:
CPU: 1 PID: 7277 Comm: kworker/u5:5 Tainted: G    B W         4.19.207-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: (null) (hci2)
RIP: 0010:debug_print_object+0x168/0x210 lib/debugobjects.c:325
Code: 67 87 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 92 00 00 00 48 8b 14 dd 00 b4 67 87 4c 89 fe 48 c7 c7 80 a9 67 87 e8 44 19 98 03 <0f> 0b 83 05 4b 45 f9 05 01 48 83 c4 18 5b 41 5c 41 5d 41 5e 41 5f
RSP: 0018:ffff8881d71bfc50 EFLAGS: 00010086
RAX: 0000000000000000 RBX: 0000000000000005 RCX: 0000000000000000
RDX: 0000000000000004 RSI: 0000000000000008 RDI: ffffffff8a19faa0
RBP: ffff8881d71bfc90 R08: ffffed103ed23ef7 R09: ffffed103ed23ef6
R10: ffffed103ed23ef6 R11: ffff8881f691f7b7 R12: 0000000000000004
R13: ffffffff8855ab20 R14: ffffffff813cc930 R15: ffffffff8767ad60
FS:  0000000000000000(0000) GS:ffff8881f6900000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000130 CR3: 000000000846d003 CR4: 00000000001606e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 debug_object_deactivate lib/debugobjects.c:565 [inline]
 debug_object_deactivate+0x208/0x340 lib/debugobjects.c:529
 debug_work_deactivate kernel/workqueue.c:497 [inline]
 process_one_work+0x314/0x15a0 kernel/workqueue.c:2084
 worker_thread+0x85/0xb60 kernel/workqueue.c:2296
 kthread+0x347/0x410 kernel/kthread.c:259
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415
irq event stamp: 124168
hardirqs last  enabled at (124167): [] __raw_spin_unlock_irq include/linux/spinlock_api_smp.h:168 [inline]
hardirqs last  enabled at (124167): [] _raw_spin_unlock_irq+0x27/0x90 kernel/locking/spinlock.c:192
hardirqs last disabled at (124168): [] __schedule+0x1dd/0x1f70 kernel/sched/core.c:3444
softirqs last  enabled at (121188): [] __do_softirq+0x62d/0x919 kernel/softirq.c:318
softirqs last disabled at (120987): [] invoke_softirq kernel/softirq.c:372 [inline]
softirqs last disabled at (120987): [] irq_exit+0x17f/0x1c0 kernel/softirq.c:412
---[ end trace 93d28ae693321ba8 ]---
Bluetooth: hci4: command 0x0405 tx timeout
IPVS: ftp: loaded support on port[0] = 21
chnl_net:caif_netlink_parms(): no params data found
bridge0: port 1(bridge_slave_0) entered blocking state
bridge0: port 1(bridge_slave_0) entered disabled state
device bridge_slave_0 entered promiscuous mode
bridge0: port 2(bridge_slave_1) entered blocking state
bridge0: port 2(bridge_slave_1) entered disabled state
device bridge_slave_1 entered promiscuous mode
bond0: Enslaving bond_slave_0 as an active interface with an up link
bond0: Enslaving bond_slave_1 as an active interface with an up link
IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
team0: Port device team_slave_0 added
IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
team0: Port device team_slave_1 added
batman_adv: batadv0: Adding interface: batadv_slave_0
batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
batman_adv: batadv0: Adding interface: batadv_slave_1
batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
device hsr_slave_0 entered promiscuous mode
device hsr_slave_1 entered promiscuous mode
IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready
IPv6: ADDRCONF(NETDEV_UP): hsr_slave_1: link is not ready
bridge0: port 2(bridge_slave_1) entered blocking state
bridge0: port 2(bridge_slave_1) entered forwarding state
bridge0: port 1(bridge_slave_0) entered blocking state
bridge0: port 1(bridge_slave_0) entered forwarding state
8021q: adding VLAN 0 to HW filter on device bond0
IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
bridge0: port 1(bridge_slave_0) entered disabled state
bridge0: port 2(bridge_slave_1) entered disabled state
IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready
8021q: adding VLAN 0 to HW filter on device team0
IPv6: ADDRCONF(NETDEV_UP): veth0_to_bridge: link is not ready
IPv6: ADDRCONF(NETDEV_UP): veth1_to_bridge: link is not ready
IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bridge: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
bridge0: port 1(bridge_slave_0) entered blocking state
bridge0: port 1(bridge_slave_0) entered forwarding state
IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bridge: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
bridge0: port 2(bridge_slave_1) entered blocking state
bridge0: port 2(bridge_slave_1) entered forwarding state
batman_adv: batadv0: Interface deactivated: batadv_slave_0
batman_adv: batadv0: Removing interface: batadv_slave_0
batman_adv: batadv0: Interface deactivated: batadv_slave_1
batman_adv: batadv0: Removing interface: batadv_slave_1
device bridge_slave_1 left promiscuous mode
bridge0: port 2(bridge_slave_1) entered disabled state
device bridge_slave_0 left promiscuous mode
bridge0: port 1(bridge_slave_0) entered disabled state
device veth1_macvtap left promiscuous mode
device veth0_macvtap left promiscuous mode
device veth1_vlan left promiscuous mode
device veth0_vlan left promiscuous mode
Bluetooth: hci4: command 0x0405 tx timeout
Bluetooth: hci0: command 0x0405 tx timeout
device hsr_slave_1 left promiscuous mode
device hsr_slave_0 left promiscuous mode
team0 (unregistering): Port device team_slave_1 removed
team0 (unregistering): Port device team_slave_0 removed
bond0 (unregistering): Releasing backup interface bond_slave_1
bond0 (unregistering): Releasing backup interface bond_slave_0
bond0 (unregistering): Released all slaves
IPv6: ADDRCONF(NETDEV_UP): veth0_to_bond: link is not ready
IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_bond: link becomes ready
IPv6: ADDRCONF(NETDEV_UP): veth1_to_bond: link is not ready
IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bond: link becomes ready
IPv6: ADDRCONF(NETDEV_UP): veth0_to_team: link is not ready
IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_team: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
IPv6: ADDRCONF(NETDEV_UP): veth1_to_team: link is not ready
IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_team: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
IPv6: ADDRCONF(NETDEV_UP): veth0_to_hsr: link is not ready
IPv6: ADDRCONF(NETDEV_UP): veth1_to_hsr: link is not ready
IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_hsr: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_hsr: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready
IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
IPv6: ADDRCONF(NETDEV_UP): vxcan0: link is not ready
IPv6: ADDRCONF(NETDEV_UP): vxcan1: link is not ready
IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
8021q: adding VLAN 0 to HW filter on device batadv0
IPv6: ADDRCONF(NETDEV_UP): veth0_virt_wifi: link is not ready
IPv6: ADDRCONF(NETDEV_UP): veth1_virt_wifi: link is not ready
IPv6: ADDRCONF(NETDEV_CHANGE): veth1_virt_wifi: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
IPv6: ADDRCONF(NETDEV_UP): veth0_vlan: link is not ready
IPv6: ADDRCONF(NETDEV_UP): vlan0: link is not ready
IPv6: ADDRCONF(NETDEV_UP): vlan1: link is not ready
IPv6: ADDRCONF(NETDEV_UP): veth1_vlan: link is not ready
IPv6: ADDRCONF(NETDEV_CHANGE): veth1_vlan: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
device veth0_vlan entered promiscuous mode
IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
device veth1_vlan entered promiscuous mode
IPv6: ADDRCONF(NETDEV_UP): macvlan0: link is not ready
IPv6: ADDRCONF(NETDEV_UP): macvlan1: link is not ready
IPv6: ADDRCONF(NETDEV_UP): veth0_macvtap: link is not ready
IPv6: ADDRCONF(NETDEV_UP): veth1_macvtap: link is not ready
IPv6: ADDRCONF(NETDEV_CHANGE): macvlan0: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): macvlan1: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): veth1_macvtap: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
device veth0_macvtap entered promiscuous mode
IPv6: ADDRCONF(NETDEV_UP): macvtap0: link is not ready
device veth1_macvtap entered promiscuous mode
IPv6: ADDRCONF(NETDEV_UP): macsec0: link is not ready
IPv6: ADDRCONF(NETDEV_UP): veth0_to_batadv: link is not ready
IPv6: ADDRCONF(NETDEV_UP): veth1_to_batadv: link is not ready
batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3d) already exists on: batadv_slave_0
batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems!
batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3d) already exists on: batadv_slave_0
batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems!
batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3d) already exists on: batadv_slave_0
batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems!
batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3d) already exists on: batadv_slave_0
batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems!
batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3d) already exists on: batadv_slave_0
batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems!
IPv6: ADDRCONF(NETDEV_UP): batadv_slave_0: link is not ready
batman_adv: batadv0: Interface activated: batadv_slave_0
IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): macsec0: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3e) already exists on: batadv_slave_1
batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems!
batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3e) already exists on: batadv_slave_1
batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems!
batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3e) already exists on: batadv_slave_1
batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems!
batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3e) already exists on: batadv_slave_1
batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems!
batman_adv: The newly added mac address (aa:aa:aa:aa:aa:3e) already exists on: batadv_slave_1
batman_adv: It is strongly recommended to keep mac addresses unique to avoid problems!
IPv6: ADDRCONF(NETDEV_UP): batadv_slave_1: link is not ready
batman_adv: batadv0: Interface activated: batadv_slave_1
IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready