[ 682.682913] syz-executor.4 (10349) used greatest stack depth: 23784 bytes left
[ 683.031352] batman_adv: batadv0: Interface deactivated: batadv_slave_0
[ 683.040335] batman_adv: batadv0: Removing interface: batadv_slave_0
[ 683.052436] batman_adv: batadv0: Interface deactivated: batadv_slave_1
[ 683.061061] batman_adv: batadv0: Removing interface: batadv_slave_1
[ 683.070965] device bridge_slave_1 left promiscuous mode
[ 683.077388] bridge0: port 2(bridge_slave_1) entered disabled state
[ 683.130500] device bridge_slave_0 left promiscuous mode
[ 683.136577] bridge0: port 1(bridge_slave_0) entered disabled state
[ 683.182422] device veth1_macvtap left promiscuous mode
[ 683.188380] device veth0_macvtap left promiscuous mode
[ 683.195643] device veth1_vlan left promiscuous mode
[ 683.201599] device veth0_vlan left promiscuous mode
[ 683.286745] device hsr_slave_1 left promiscuous mode
[ 683.323545] device hsr_slave_0 left promiscuous mode
[ 683.376807] team0 (unregistering): Port device team_slave_1 removed
[ 683.387231] team0 (unregistering): Port device team_slave_0 removed
[ 683.397448] bond0 (unregistering): Releasing backup interface bond_slave_1
[ 683.422885] bond0 (unregistering): Releasing backup interface bond_slave_0
[ 683.496821] bond0 (unregistering): Released all slaves
Warning: Permanently added '10.128.15.209' (ECDSA) to the list of known hosts.
[ 687.880933] batman_adv: batadv0: Interface deactivated: batadv_slave_0
[ 687.889217] batman_adv: batadv0: Removing interface: batadv_slave_0
[ 687.898634] batman_adv: batadv0: Interface deactivated: batadv_slave_1
[ 687.906769] batman_adv: batadv0: Removing interface: batadv_slave_1
[ 687.915697] device bridge_slave_1 left promiscuous mode
[ 687.921750] bridge0: port 2(bridge_slave_1) entered disabled state
[ 687.980385] device bridge_slave_0 left promiscuous mode
[ 687.987285] bridge0: port 1(bridge_slave_0) entered disabled state
[ 688.021861] batman_adv: batadv0: Interface deactivated: batadv_slave_0
[ 688.029898] batman_adv: batadv0: Removing interface: batadv_slave_0
[ 688.040025] batman_adv: batadv0: Interface deactivated: batadv_slave_1
[ 688.050732] batman_adv: batadv0: Removing interface: batadv_slave_1
[ 688.059008] device bridge_slave_1 left promiscuous mode
[ 688.065632] bridge0: port 2(bridge_slave_1) entered disabled state
[ 688.130162] device bridge_slave_0 left promiscuous mode
[ 688.137009] bridge0: port 1(bridge_slave_0) entered disabled state
[ 688.202049] batman_adv: batadv0: Interface deactivated: batadv_slave_0
[ 688.209325] batman_adv: batadv0: Removing interface: batadv_slave_0
[ 688.218707] batman_adv: batadv0: Interface deactivated: batadv_slave_1
[ 688.226422] batman_adv: batadv0: Removing interface: batadv_slave_1
[ 688.234563] device bridge_slave_1 left promiscuous mode
[ 688.241579] bridge0: port 2(bridge_slave_1) entered disabled state
[ 688.280365] device bridge_slave_0 left promiscuous mode
[ 688.286321] bridge0: port 1(bridge_slave_0) entered disabled state
[ 688.322068] batman_adv: batadv0: Interface deactivated: batadv_slave_0
[ 688.330565] batman_adv: batadv0: Removing interface: batadv_slave_0
[ 688.340272] batman_adv: batadv0: Interface deactivated: batadv_slave_1
[ 688.347610] batman_adv: batadv0: Removing interface: batadv_slave_1
[ 688.356131] device bridge_slave_1 left promiscuous mode
[ 688.363536] bridge0: port 2(bridge_slave_1) entered disabled state
[ 688.430099] device bridge_slave_0 left promiscuous mode
[ 688.436298] bridge0: port 1(bridge_slave_0) entered disabled state
[ 688.492147] batman_adv: batadv0: Interface deactivated: batadv_slave_0
[ 688.499866] batman_adv: batadv0: Removing interface: batadv_slave_0
[ 688.509482] batman_adv: batadv0: Interface deactivated: batadv_slave_1
[ 688.517766] batman_adv: batadv0: Removing interface: batadv_slave_1
[ 688.525509] device bridge_slave_1 left promiscuous mode
[ 688.532603] bridge0: port 2(bridge_slave_1) entered disabled state
[ 688.590236] device bridge_slave_0 left promiscuous mode
[ 688.596519] bridge0: port 1(bridge_slave_0) entered disabled state
[ 688.635203] device veth1_macvtap left promiscuous mode
[ 688.640735] device veth0_macvtap left promiscuous mode
[ 688.646790] device veth1_vlan left promiscuous mode
[ 688.652508] device veth0_vlan left promiscuous mode
[ 688.658241] device veth1_macvtap left promiscuous mode
[ 688.664520] device veth0_macvtap left promiscuous mode
[ 688.670328] device veth1_vlan left promiscuous mode
[ 688.676865] device veth0_vlan left promiscuous mode
[ 688.682831] device veth1_macvtap left promiscuous mode
[ 688.688838] device veth0_macvtap left promiscuous mode
[ 688.695549] device veth1_vlan left promiscuous mode
[ 688.702525] device veth0_vlan left promiscuous mode
[ 688.708625] device veth1_macvtap left promiscuous mode
[ 688.714878] device veth0_macvtap left promiscuous mode
[ 688.720548] device veth1_vlan left promiscuous mode
[ 688.726245] device veth0_vlan left promiscuous mode
[ 688.731688] device veth1_macvtap left promiscuous mode
[ 688.737145] device veth0_macvtap left promiscuous mode
[ 688.742929] device veth1_vlan left promiscuous mode
[ 688.748357] device veth0_vlan left promiscuous mode
[ 688.972342] device hsr_slave_1 left promiscuous mode
[ 689.021610] device hsr_slave_0 left promiscuous mode
[ 689.065317] team0 (unregistering): Port device team_slave_1 removed
[ 689.076654] team0 (unregistering): Port device team_slave_0 removed
[ 689.085976] bond0 (unregistering): Releasing backup interface bond_slave_1
[ 689.133104] bond0 (unregistering): Releasing backup interface bond_slave_0
[ 689.183704] bond0 (unregistering): Released all slaves
[ 689.293275] device hsr_slave_1 left promiscuous mode
[ 689.351540] device hsr_slave_0 left promiscuous mode
[ 689.396244] team0 (unregistering): Port device team_slave_1 removed
[ 689.407017] team0 (unregistering): Port device team_slave_0 removed
[ 689.417786] bond0 (unregistering): Releasing backup interface bond_slave_1
[ 689.481718] bond0 (unregistering): Releasing backup interface bond_slave_0
[ 689.554934] bond0 (unregistering): Released all slaves
[ 689.655170] device hsr_slave_1 left promiscuous mode
[ 689.701378] device hsr_slave_0 left promiscuous mode
[ 689.744872] team0 (unregistering): Port device team_slave_1 removed
[ 689.755907] team0 (unregistering): Port device team_slave_0 removed
[ 689.766243] bond0 (unregistering): Releasing backup interface bond_slave_1
[ 689.811708] bond0 (unregistering): Releasing backup interface bond_slave_0
[ 689.874722] bond0 (unregistering): Released all slaves
[ 689.982614] device hsr_slave_1 left promiscuous mode
[ 690.021456] device hsr_slave_0 left promiscuous mode
[ 690.064909] team0 (unregistering): Port device team_slave_1 removed
[ 690.074613] team0 (unregistering): Port device team_slave_0 removed
[ 690.084704] bond0 (unregistering): Releasing backup interface bond_slave_1
[ 690.151642] bond0 (unregistering): Releasing backup interface bond_slave_0
[ 690.223417] bond0 (unregistering): Released all slaves
[ 690.343497] device hsr_slave_1 left promiscuous mode
[ 690.391417] device hsr_slave_0 left promiscuous mode
[ 690.454982] team0 (unregistering): Port device team_slave_1 removed
[ 690.466332] team0 (unregistering): Port device team_slave_0 removed
[ 690.476639] bond0 (unregistering): Releasing backup interface bond_slave_1
[ 690.511785] bond0 (unregistering): Releasing backup interface bond_slave_0
[ 690.564958] bond0 (unregistering): Released all slaves
[ 694.590889] IPVS: ftp: loaded support on port[0] = 21
[ 695.357842] IPVS: ftp: loaded support on port[0] = 21
[ 696.135888] IPVS: ftp: loaded support on port[0] = 21
[ 696.819459] IPVS: ftp: loaded support on port[0] = 21
[ 697.435958] IPVS: ftp: loaded support on port[0] = 21
[ 698.024022] IPVS: ftp: loaded support on port[0] = 21
[ 698.470110] Bluetooth: hci0 command 0x0409 tx timeout
[ 699.268964] Bluetooth: hci1 command 0x0409 tx timeout
[ 699.908920] Bluetooth: hci2 command 0x0409 tx timeout
[ 700.549071] Bluetooth: hci3 command 0x0409 tx timeout
[ 700.556566] Bluetooth: hci0 command 0x041b tx timeout
[ 701.108933] Bluetooth: hci4 command 0x0409 tx timeout
[ 701.348710] Bluetooth: hci1 command 0x041b tx timeout
[ 701.570705] ==================================================================
[ 701.578547] BUG: KASAN: use-after-free in l2cap_sock_shutdown+0x954/0xbb0
[ 701.585678] Read of size 1 at addr ffff8881f47f53fe by task syz-executor911/5842
[ 701.593654]
[ 701.595378] CPU: 1 PID: 5842 Comm: syz-executor911 Not tainted 4.14.232-syzkaller #0
[ 701.603769] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 701.613477] Call Trace:
[ 701.616159]  dump_stack+0x14b/0x1e7
[ 701.619803]  ? l2cap_sock_shutdown+0x954/0xbb0
[ 701.624404]  print_address_description.cold.6+0x9/0x1ca
[ 701.630161]  ? l2cap_sock_shutdown+0x954/0xbb0
[ 701.634967]  kasan_report.cold.7+0x11a/0x2d3
[ 701.639769]  __asan_report_load1_noabort+0x14/0x20
[ 701.645176]  l2cap_sock_shutdown+0x954/0xbb0
[ 701.649918]  ? trace_hardirqs_on+0x10/0x10
[ 701.654171]  ? l2cap_sock_teardown_cb+0x3e0/0x3e0
[ 701.659395]  ? __lock_acquire+0x701/0x42d0
[ 701.663858]  ? bt_sock_unlink+0x10b/0x150
[ 701.668190]  ? lock_downgrade+0x7f0/0x7f0
[ 701.672623]  ? _raw_write_unlock+0x2c/0x50
[ 701.676967]  l2cap_sock_release+0x60/0x230
[ 701.681563]  __sock_release+0xc2/0x2a0
[ 701.685994]  sock_close+0x10/0x20
[ 701.689563]  __fput+0x232/0x740
[ 701.692954]  ? _raw_spin_unlock_irq+0x27/0x90
[ 701.697569]  ____fput+0x9/0x10
[ 701.700859]  task_work_run+0xe5/0x170
[ 701.705010]  exit_to_usermode_loop+0x14a/0x190
[ 701.709612]  do_syscall_64+0x416/0x5b0
[ 701.713953]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 701.718805]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 701.724199] RIP: 0033:0x406fcb
[ 701.727398] RSP: 002b:00007ffdaf29fe90 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
[ 701.735197] RAX: 0000000000000000 RBX: 0000000000000005 RCX: 0000000000406fcb
[ 701.743080] RDX: ffffffffffffffb8 RSI: 00000000400443c8 RDI: 0000000000000004
[ 701.751598] RBP: 0000000000000000 R08: 0000000000000000 R09: 0404040400000015
[ 701.758962] R10: 0000000000000000 R11: 0000000000000293 R12: 00000000000ab4bc
[ 701.766511] R13: 00007ffdaf29ff10 R14: 00007ffdaf29ff00 R15: 00007ffdaf29fec0
[ 701.774400]
[ 701.776242] Allocated by task 5842:
[ 701.780080]  save_stack_trace+0x16/0x20
[ 701.784502]  kasan_kmalloc.part.1+0x62/0xf0
[ 701.789025]  kasan_kmalloc+0xaf/0xc0
[ 701.792746]  kmem_cache_alloc_trace+0x152/0x3f0
[ 701.797427]  l2cap_chan_create+0x41/0x380
[ 701.801679]  l2cap_sock_alloc.constprop.4+0x150/0x1e0
[ 701.806878]  l2cap_sock_create+0xb5/0x180
[ 701.811307]  bt_sock_create+0x121/0x260
[ 701.815373]  __sock_create+0x262/0x540
[ 701.819264]  SyS_socket+0xd5/0x1e0
[ 701.822898]  do_syscall_64+0x1c7/0x5b0
[ 701.827421]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 701.833581]
[ 701.835294] Freed by task 7242:
[ 701.838679]  save_stack_trace+0x16/0x20
[ 701.842747]  kasan_slab_free+0xab/0x190
[ 701.846852]  kfree+0xcc/0x270
[ 701.850982]  l2cap_chan_put+0x141/0x1a0
[ 701.855445]  l2cap_recv_frame+0xeca/0x9e10
[ 701.859774]  l2cap_recv_acldata+0x756/0x8a0
[ 701.864105]  hci_rx_work+0x5c9/0x8e0
[ 701.867831]  process_one_work+0x74f/0x1620
[ 701.872253]  worker_thread+0xcc/0xee0
[ 701.877444]  kthread+0x338/0x400
[ 701.882901]  ret_from_fork+0x24/0x30
[ 701.886789]
[ 701.888418] The buggy address belongs to the object at ffff8881f47f53c0
[ 701.888418]  which belongs to the cache kmalloc-2048 of size 2048
[ 701.901609] The buggy address is located 62 bytes inside of
[ 701.901609]  2048-byte region [ffff8881f47f53c0, ffff8881f47f5bc0)
[ 701.914250] The buggy address belongs to the page:
[ 701.919460] page:ffffea0007d1fd00 count:1 mapcount:0 mapping:ffff8881f47f42c0 index:0x0 compound_mapcount: 0
[ 701.930145] flags: 0x17ffe0000008100(slab|head)
[ 701.935093] raw: 017ffe0000008100 ffff8881f47f42c0 0000000000000000 0000000100000003
[ 701.943802] raw: ffffea000779d220 ffffea00074f45a0 ffff8881f6000c40 0000000000000000
[ 701.952895] page dumped because: kasan: bad access detected
[ 701.958883]
[ 701.960518] Memory state around the buggy address:
[ 701.965983]  ffff8881f47f5280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 701.973574]  ffff8881f47f5300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 701.981284] >ffff8881f47f5380: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 701.989237]                                                                 ^
[ 701.996601]  ffff8881f47f5400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 702.004405]  ffff8881f47f5480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 702.012326] ==================================================================
[ 702.019882] Disabling lock debugging due to kernel taint
[ 702.026241] Bluetooth: hci2 command 0x041b tx timeout
[ 702.030834] Bluetooth: hci5 command 0x0409 tx timeout
[ 702.050649] list_del corruption, ffff8881f47f5828->next is LIST_POISON1 (dead000000000100)
[ 702.059930] ------------[ cut here ]------------
[ 702.064690] kernel BUG at lib/list_debug.c:47!
[ 702.069570] invalid opcode: 0000 [#1] PREEMPT SMP KASAN
[ 702.075018] Modules linked in:
[ 702.078224] CPU: 1 PID: 5842 Comm: syz-executor911 Tainted: G    B            4.14.232-syzkaller #0
[ 702.088099] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 702.097796] task: ffff8881ec8b4480 task.stack: ffff8881e24c8000
[ 702.104029] RIP: 0010:__list_del_entry_valid.cold.1+0x26/0x4a
[ 702.110434] RSP: 0018:ffff8881e24cfcf8 EFLAGS: 00010282
[ 702.115950] RAX: 000000000000004e RBX: ffff8881f47f5828 RCX: 0000000000000000
[ 702.123567] RDX: 000000000000004e RSI: ffffffff86cbeca0 RDI: ffffed103c499f96
[ 702.131378] RBP: ffff8881e24cfd10 R08: 0000000000000000 R09: 0000000000000000
[ 702.138906] R10: fffffbfff1344ec7 R11: dffffc0000000000 R12: dead000000000200
[ 702.146661] R13: dead000000000100 R14: ffff8881f47f5848 R15: ffff8881d52fc560
[ 702.154449] FS:  0000000000936300(0000) GS:ffff8881f6700000(0000) knlGS:0000000000000000
[ 702.163377] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 702.169521] CR2: 00000000004d14a0 CR3: 00000001d9fca002 CR4: 00000000001606e0
[ 702.176951] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 702.184707] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 702.192309] Call Trace:
[ 702.195036]  l2cap_chan_put+0x49/0x1a0
[ 702.198924]  l2cap_sock_release+0x1b4/0x230
[ 702.203317]  __sock_release+0xc2/0x2a0
[ 702.207877]  sock_close+0x10/0x20
[ 702.211310]  __fput+0x232/0x740
[ 702.214569]  ? _raw_spin_unlock_irq+0x27/0x90
[ 702.219132]  ____fput+0x9/0x10
[ 702.222333]  task_work_run+0xe5/0x170
[ 702.226207]  exit_to_usermode_loop+0x14a/0x190
[ 702.231231]  do_syscall_64+0x416/0x5b0
[ 702.235189]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 702.240210]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 702.245435] RIP: 0033:0x406fcb
[ 702.248761] RSP: 002b:00007ffdaf29fe90 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
[ 702.256449] RAX: 0000000000000000 RBX: 0000000000000005 RCX: 0000000000406fcb
[ 702.264085] RDX: ffffffffffffffb8 RSI: 00000000400443c8 RDI: 0000000000000004
[ 702.271950] RBP: 0000000000000000 R08: 0000000000000000 R09: 0404040400000015
[ 702.279786] R10: 0000000000000000 R11: 0000000000000293 R12: 00000000000ab4bc
[ 702.287426] R13: 00007ffdaf29ff10 R14: 00007ffdaf29ff00 R15: 00007ffdaf29fec0
[ 702.295117] Code: 83 f9 ff 0f 0b 4c 89 e2 48 89 de 48 c7 c7 20 22 04 87 e8 f7 82 f9 ff 0f 0b 4c 89 ea 48 89 de 48 c7 c7 c0 21 04 87 e8 e3 82 f9 ff <0f> 0b 48 89 de 48 c7 c7 e0 22 04 87 e8 d2 82 f9 ff 0f 0b 48 89
[ 702.315053] RIP: __list_del_entry_valid.cold.1+0x26/0x4a RSP: ffff8881e24cfcf8
[ 702.324291] ---[ end trace 890ee3b5353da3ff ]---
[ 702.329626] Kernel panic - not syncing: Fatal exception
[ 702.338280] Kernel Offset: disabled
[ 702.342967] Rebooting in 86400 seconds..
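The report above is read in three passes by a triager: the BUG line (bug class and faulting function), the "Allocated by"/"Freed by" stacks (who owned the object and who freed it), and the object block (where inside the slab object the access landed). The following is an added example, not part of the syzkaller console output and not a syzkaller or kernel tool: a small Python parser for KASAN slab reports that extracts exactly those fields and derives the first triage facts, run over an excerpt of the report above. The "plumbing" frame prefixes it skips when naming the owning function are this example's own heuristic, and the excerpt is trimmed to the lines the parser consumes.

```python
"""KASAN slab-report triage helper (added example, not from the kernel or syzkaller).

Parses dmesg-style '[ ts] ' lines and pulls out the bug class, access
kind/size, faulting function, faulting task, the alloc/free call chains and
the offset of the bad access inside the slab object."""
import re
from dataclasses import dataclass, field

TS = re.compile(r"^\[\s*\d+\.\d+\]\s?")  # dmesg timestamp prefix

# Frames that belong to the allocator / KASAN plumbing rather than to the
# subsystem that owns the object (heuristic assumed by this example).
PLUMBING = ("save_stack_trace", "kasan_", "kmem_cache_alloc", "kfree", "kmalloc")


@dataclass
class KasanReport:
    bug: str = ""            # e.g. "use-after-free"
    site: str = ""           # "func+0xoff/0xlen" of the bad access
    access: str = ""         # "Read" or "Write"
    size: int = 0
    addr: int = 0
    task: str = ""           # "comm/pid" of the faulting task
    alloc_task: str = ""
    free_task: str = ""
    alloc_stack: list = field(default_factory=list)
    free_stack: list = field(default_factory=list)
    obj_start: int = 0
    obj_size: int = 0


def strip_ts(line):
    return TS.sub("", line.rstrip("\n"))


def parse_kasan(text):
    r, section = KasanReport(), None
    for raw in text.splitlines():
        line = strip_ts(raw)
        if m := re.match(r"BUG: KASAN: (\S+) in (\S+)", line):
            r.bug, r.site = m.group(1), m.group(2)
        elif m := re.match(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (\S+)", line):
            r.access, r.size = m.group(1), int(m.group(2))
            r.addr, r.task = int(m.group(3), 16), m.group(4)
        elif m := re.match(r"Allocated by task (\d+):", line):
            r.alloc_task, section = m.group(1), "alloc"
        elif m := re.match(r"Freed by task (\d+):", line):
            r.free_task, section = m.group(1), "free"
        elif m := re.match(r"The buggy address belongs to the object at ([0-9a-f]+)", line):
            r.obj_start = int(m.group(1), 16)
        elif m := re.match(r"\s*which belongs to the cache \S+ of size (\d+)", line):
            r.obj_size = int(m.group(1))
        elif not line.strip():
            section = None  # blank line ends an alloc/free stack
        elif section and re.match(r"\s*\S+\+0x[0-9a-f]+/0x[0-9a-f]+$", line):
            (r.alloc_stack if section == "alloc" else r.free_stack).append(line.strip())
    return r


def first_owner(stack):
    """First frame outside the allocator/KASAN plumbing, without the +offset."""
    for f in stack:
        if not f.startswith(PLUMBING):
            return f.split("+")[0]
    return ""


def triage(r):
    """The facts a patch author wants first, derived from the parsed report."""
    offset = r.addr - r.obj_start
    return {
        "bug": r.bug,
        "use_site": r.site.split("+")[0],
        "object_offset": offset,
        "offset_in_object": 0 <= offset < r.obj_size,
        "alloc_owner": first_owner(r.alloc_stack),
        "free_owner": first_owner(r.free_stack),
        # A free from a different task than the user is the signature of a
        # lifetime race rather than a plain double-release on one path.
        "freed_by_other_task": r.free_task != r.task.rsplit("/", 1)[-1],
        "freed_from_kthread": any(f.startswith("kthread+") for f in r.free_stack),
    }


# Excerpt of the report above, trimmed to the lines the parser consumes.
SAMPLE = """\
[ 701.578547] BUG: KASAN: use-after-free in l2cap_sock_shutdown+0x954/0xbb0
[ 701.585678] Read of size 1 at addr ffff8881f47f53fe by task syz-executor911/5842
[ 701.776242] Allocated by task 5842:
[ 701.780080]  save_stack_trace+0x16/0x20
[ 701.784502]  kasan_kmalloc.part.1+0x62/0xf0
[ 701.792746]  kmem_cache_alloc_trace+0x152/0x3f0
[ 701.797427]  l2cap_chan_create+0x41/0x380
[ 701.801679]  l2cap_sock_alloc.constprop.4+0x150/0x1e0
[ 701.833581]
[ 701.835294] Freed by task 7242:
[ 701.838679]  save_stack_trace+0x16/0x20
[ 701.842747]  kasan_slab_free+0xab/0x190
[ 701.846852]  kfree+0xcc/0x270
[ 701.850982]  l2cap_chan_put+0x141/0x1a0
[ 701.855445]  l2cap_recv_frame+0xeca/0x9e10
[ 701.864105]  hci_rx_work+0x5c9/0x8e0
[ 701.877444]  kthread+0x338/0x400
[ 701.886789]
[ 701.888418] The buggy address belongs to the object at ffff8881f47f53c0
[ 701.888418]  which belongs to the cache kmalloc-2048 of size 2048
"""

if __name__ == "__main__":
    for k, v in triage(parse_kasan(SAMPLE)).items():
        print(f"{k:22} {v}")
```

On this report the helper names `l2cap_chan_create` as the allocating owner, `l2cap_chan_put` (reached from `hci_rx_work` on a kernel worker thread) as the freeing owner, and `l2cap_sock_shutdown` in the closing task as the user, with the access 62 bytes into the 2048-byte object; the free coming from a different task in workqueue context is the cue that the socket-release path and the HCI RX path disagree about the channel's lifetime, which is also consistent with the later `list_del` on a `LIST_POISON1` pointer in `l2cap_chan_put`.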