Warning: Permanently added '10.128.10.14' (ECDSA) to the list of known hosts.
[ 71.206115][ T3532] cfg80211: failed to load regulatory.db
[ 71.360381][ T5878] IPVS: ftp: loaded support on port[0] = 21
[ 71.360386][ T5885] IPVS: ftp: loaded support on port[0] = 21
[ 71.374674][ T5886] IPVS: ftp: loaded support on port[0] = 21
[ 71.390816][ T5883] IPVS: ftp: loaded support on port[0] = 21
[ 71.391474][ T5887] IPVS: ftp: loaded support on port[0] = 21
[ 71.404195][ T5884] IPVS: ftp: loaded support on port[0] = 21
[ 73.362764][ T5444] Bluetooth: hci1: command 0x0409 tx timeout
[ 73.370166][ T5444] Bluetooth: hci4: command 0x0409 tx timeout
[ 73.371546][ T3532] Bluetooth: hci3: command 0x0409 tx timeout
[ 73.377014][ T5444] Bluetooth: hci2: command 0x0409 tx timeout
[ 73.401571][ T3532] Bluetooth: hci5: command 0x0409 tx timeout
[ 73.441717][ T5444] Bluetooth: hci0: command 0x0409 tx timeout
[ 75.441522][ T5444] Bluetooth: hci3: command 0x041b tx timeout
[ 75.441722][ T3532] Bluetooth: hci5: command 0x041b tx timeout
[ 75.451272][ T5444] Bluetooth: hci2: command 0x041b tx timeout
[ 75.466760][ T5444] Bluetooth: hci4: command 0x041b tx timeout
[ 75.477787][ T5444] Bluetooth: hci1: command 0x041b tx timeout
[ 75.531825][ T3532] Bluetooth: hci0: command 0x041b tx timeout
[ 77.521655][ T5444] Bluetooth: hci1: command 0x040f tx timeout
[ 77.535835][ T5444] Bluetooth: hci4: command 0x040f tx timeout
[ 77.548173][ T5444] Bluetooth: hci5: command 0x040f tx timeout
[ 77.554625][ T5444] Bluetooth: hci2: command 0x040f tx timeout
[ 77.561032][ T5444] Bluetooth: hci3: command 0x040f tx timeout
[ 77.601711][ T5444] Bluetooth: hci0: command 0x040f tx timeout
[ 79.601605][ T5444] Bluetooth: hci3: command 0x0419 tx timeout
[ 79.615772][ T5444] Bluetooth: hci2: command 0x0419 tx timeout
[ 79.630913][ T5444] Bluetooth: hci5: command 0x0419 tx timeout
[ 79.637366][ T5444] Bluetooth: hci4: command 0x0419 tx timeout
[ 79.651233][ T5444] Bluetooth: hci1: command 0x0419 tx timeout
[ 79.681684][ T5444] Bluetooth: hci0: command 0x0419 tx timeout
[ 79.730514][ T3532] ==================================================================
[ 79.738709][ T3532] BUG: KASAN: use-after-free in __lock_acquire+0x3f13/0x57d0
[ 79.746073][ T3532] Read of size 8 at addr ffff88802f43c0a0 by task kworker/1:2/3532
[ 79.753938][ T3532]
[ 79.756306][ T3532] CPU: 1 PID: 3532 Comm: kworker/1:2 Not tainted 5.11.0-syzkaller #0
[ 79.764919][ T3532] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 79.775047][ T3532] Workqueue: events l2cap_chan_timeout
[ 79.780488][ T3532] Call Trace:
[ 79.783750][ T3532]  dump_stack+0x9a/0xcc
[ 79.787886][ T3532]  ? __lock_acquire+0x3f13/0x57d0
[ 79.793106][ T3532]  print_address_description.constprop.0.cold+0x5b/0x2f8
[ 79.800376][ T3532]  ? __lock_acquire+0x3f13/0x57d0
[ 79.805392][ T3532]  ? __lock_acquire+0x3f13/0x57d0
[ 79.810499][ T3532]  kasan_report.cold+0x79/0xd5
[ 79.815250][ T3532]  ? __lock_acquire+0x3f13/0x57d0
[ 79.820253][ T3532]  __lock_acquire+0x3f13/0x57d0
[ 79.825093][ T3532]  ? lockdep_hardirqs_on_prepare+0x400/0x400
[ 79.831051][ T3532]  ? _raw_spin_unlock_irq+0x2a/0x40
[ 79.836452][ T3532]  lock_acquire+0x1a8/0x720
[ 79.840958][ T3532]  ? lock_sock_nested+0x34/0xf0
[ 79.845893][ T3532]  ? lock_release+0x710/0x710
[ 79.850649][ T3532]  ? lock_downgrade+0x6d0/0x6d0
[ 79.855576][ T3532]  _raw_spin_lock_bh+0x2f/0x40
[ 79.860326][ T3532]  ? lock_sock_nested+0x34/0xf0
[ 79.865158][ T3532]  lock_sock_nested+0x34/0xf0
[ 79.869901][ T3532]  l2cap_sock_teardown_cb+0x90/0x590
[ 79.875165][ T3532]  l2cap_chan_close+0x304/0x990
[ 79.879993][ T3532]  ? lock_acquire+0x1a8/0x720
[ 79.884830][ T3532]  ? l2cap_rx+0x1fc0/0x1fc0
[ 79.889321][ T3532]  ? lock_downgrade+0x6d0/0x6d0
[ 79.894268][ T3532]  l2cap_chan_timeout+0x125/0x280
[ 79.899683][ T3532]  process_one_work+0x828/0x1390
[ 79.904617][ T3532]  ? lock_release+0x710/0x710
[ 79.909273][ T3532]  ? pwq_dec_nr_in_flight+0x2b0/0x2b0
[ 79.914637][ T3532]  ? rwlock_bug.part.0+0x90/0x90
[ 79.919675][ T3532]  ? _raw_spin_lock_irq+0x41/0x50
[ 79.924809][ T3532]  worker_thread+0x598/0xf80
[ 79.929401][ T3532]  ? __kthread_parkme+0xa2/0x1c0
[ 79.934317][ T3532]  ? process_one_work+0x1390/0x1390
[ 79.939494][ T3532]  kthread+0x36f/0x450
[ 79.943538][ T3532]  ? _raw_spin_unlock_irq+0x1f/0x40
[ 79.948713][ T3532]  ? __kthread_bind_mask+0x90/0x90
[ 79.953972][ T3532]  ret_from_fork+0x1f/0x30
[ 79.958376][ T3532]
[ 79.960883][ T3532] Allocated by task 7671:
[ 79.965184][ T3532]  kasan_save_stack+0x1b/0x40
[ 79.969888][ T3532]  ____kasan_kmalloc.constprop.0+0x82/0xa0
[ 79.975991][ T3532]  sk_prot_alloc+0x133/0x260
[ 79.980567][ T3532]  sk_alloc+0x27/0x8d0
[ 79.984636][ T3532]  l2cap_sock_alloc.constprop.0+0x22/0x200
[ 79.990601][ T3532]  l2cap_sock_create+0xc8/0x160
[ 79.995529][ T3532]  bt_sock_create+0x142/0x2e0
[ 80.000385][ T3532]  __sock_create+0x26b/0x580
[ 80.005046][ T3532]  __sys_socket+0xd6/0x1a0
[ 80.009458][ T3532]  __x64_sys_socket+0x6a/0xb0
[ 80.014109][ T3532]  do_syscall_64+0x2d/0x70
[ 80.018653][ T3532]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 80.024621][ T3532]
[ 80.026928][ T3532] Freed by task 7671:
[ 80.030987][ T3532]  kasan_save_stack+0x1b/0x40
[ 80.035645][ T3532]  kasan_set_track+0x1c/0x30
[ 80.040216][ T3532]  kasan_set_free_info+0x20/0x30
[ 80.045210][ T3532]  ____kasan_slab_free+0xe1/0x110
[ 80.050220][ T3532]  slab_free_freelist_hook+0x5d/0x150
[ 80.055562][ T3532]  kfree+0xdb/0x3b0
[ 80.059341][ T3532]  __sk_destruct+0x53f/0x730
[ 80.063916][ T3532]  l2cap_sock_release+0x16b/0x1e0
[ 80.068923][ T3532]  __sock_release+0xbb/0x270
[ 80.073492][ T3532]  sock_close+0xf/0x20
[ 80.077533][ T3532]  __fput+0x204/0x870
[ 80.082018][ T3532]  task_work_run+0xc0/0x160
[ 80.086508][ T3532]  exit_to_user_mode_prepare+0x249/0x250
[ 80.092110][ T3532]  syscall_exit_to_user_mode+0x19/0x60
[ 80.097740][ T3532]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 80.103624][ T3532]
[ 80.105928][ T3532] The buggy address belongs to the object at ffff88802f43c000
[ 80.105928][ T3532]  which belongs to the cache kmalloc-2k of size 2048
[ 80.120220][ T3532] The buggy address is located 160 bytes inside of
[ 80.120220][ T3532]  2048-byte region [ffff88802f43c000, ffff88802f43c800)
[ 80.134089][ T3532] The buggy address belongs to the page:
[ 80.139694][ T3532] page:0000000053367472 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x2f438
[ 80.149825][ T3532] head:0000000053367472 order:3 compound_mapcount:0 compound_pincount:0
[ 80.158128][ T3532] flags: 0xfff00000010200(slab|head)
[ 80.163546][ T3532] raw: 00fff00000010200 dead000000000100 dead000000000122 ffff88800f442000
[ 80.172115][ T3532] raw: 0000000000000000 0000000000080008 00000001ffffffff 0000000000000000
[ 80.180675][ T3532] page dumped because: kasan: bad access detected
[ 80.187149][ T3532] page_owner tracks the page as allocated
[ 80.192847][ T3532] page last allocated via order 3, migratetype Unmovable, gfp_mask 0x152a20(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_HARDWALL), pid 7669, ts 79692578921
[ 80.209856][ T3532]  post_alloc_hook+0x144/0x1c0
[ 80.214636][ T3532]  get_page_from_freelist+0x1c6e/0x3f80
[ 80.220161][ T3532]  __alloc_pages_nodemask+0x2d6/0x730
[ 80.225513][ T3532]  allocate_slab+0x2b6/0x4a0
[ 80.230194][ T3532]  ___slab_alloc+0x476/0x790
[ 80.234781][ T3532]  __slab_alloc.constprop.0+0x95/0xe0
[ 80.240213][ T3532]  __kmalloc+0x34a/0x3e0
[ 80.244444][ T3532]  sk_prot_alloc+0x133/0x260
[ 80.249007][ T3532]  sk_alloc+0x27/0x8d0
[ 80.253077][ T3532]  l2cap_sock_alloc.constprop.0+0x22/0x200
[ 80.258867][ T3532]  l2cap_sock_create+0xc8/0x160
[ 80.263695][ T3532]  bt_sock_create+0x142/0x2e0
[ 80.268353][ T3532]  __sock_create+0x26b/0x580
[ 80.273019][ T3532]  __sys_socket+0xd6/0x1a0
[ 80.277570][ T3532]  __x64_sys_socket+0x6a/0xb0
[ 80.282240][ T3532]  do_syscall_64+0x2d/0x70
[ 80.286725][ T3532] page last free stack trace:
[ 80.291379][ T3532]  __free_pages_ok+0x4da/0xed0
[ 80.296131][ T3532]  unfreeze_partials+0x16c/0x1b0
[ 80.301087][ T3532]  put_cpu_partial+0x129/0x200
[ 80.305826][ T3532]  qlist_free_all+0x5a/0xc0
[ 80.310440][ T3532]  quarantine_reduce+0x180/0x200
[ 80.315851][ T3532]  ____kasan_kmalloc.constprop.0+0x98/0xa0
[ 80.321799][ T3532]  kmem_cache_alloc+0x1c6/0x440
[ 80.326643][ T3532]  create_new_namespaces+0x2b/0x920
[ 80.331840][ T3532]  __do_sys_setns+0x1e7/0x1190
[ 80.336783][ T3532]  do_syscall_64+0x2d/0x70
[ 80.341305][ T3532]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 80.347328][ T3532]
[ 80.349914][ T3532] Memory state around the buggy address:
[ 80.355726][ T3532]  ffff88802f43bf80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 80.363774][ T3532]  ffff88802f43c000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 80.371833][ T3532] >ffff88802f43c080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 80.380122][ T3532]                                ^
[ 80.385320][ T3532]  ffff88802f43c100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 80.393459][ T3532]  ffff88802f43c180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 80.401504][ T3532] ==================================================================
[ 80.409644][ T3532] Disabling lock debugging due to kernel taint
[ 80.416015][ T3532] Kernel panic - not syncing: panic_on_warn set ...
[ 80.422941][ T3532] CPU: 1 PID: 3532 Comm: kworker/1:2 Tainted: G    B             5.11.0-syzkaller #0
[ 80.432391][ T3532] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 80.442700][ T3532] Workqueue: events l2cap_chan_timeout
[ 80.448141][ T3532] Call Trace:
[ 80.451402][ T3532]  dump_stack+0x9a/0xcc
[ 80.455639][ T3532]  panic+0x256/0x4eb
[ 80.459513][ T3532]  ? __warn_printk+0xee/0xee
[ 80.464098][ T3532]  ? __lock_acquire+0x3f13/0x57d0
[ 80.469619][ T3532]  ? __lock_acquire+0x3f13/0x57d0
[ 80.474618][ T3532]  end_report+0x58/0x5e
[ 80.478941][ T3532]  kasan_report.cold+0x67/0xd5
[ 80.483681][ T3532]  ? __lock_acquire+0x3f13/0x57d0
[ 80.488690][ T3532]  __lock_acquire+0x3f13/0x57d0
[ 80.493534][ T3532]  ? lockdep_hardirqs_on_prepare+0x400/0x400
[ 80.499578][ T3532]  ? _raw_spin_unlock_irq+0x2a/0x40
[ 80.504770][ T3532]  lock_acquire+0x1a8/0x720
[ 80.509274][ T3532]  ? lock_sock_nested+0x34/0xf0
[ 80.514110][ T3532]  ? lock_release+0x710/0x710
[ 80.518759][ T3532]  ? lock_downgrade+0x6d0/0x6d0
[ 80.523591][ T3532]  _raw_spin_lock_bh+0x2f/0x40
[ 80.528474][ T3532]  ? lock_sock_nested+0x34/0xf0
[ 80.533305][ T3532]  lock_sock_nested+0x34/0xf0
[ 80.537955][ T3532]  l2cap_sock_teardown_cb+0x90/0x590
[ 80.543340][ T3532]  l2cap_chan_close+0x304/0x990
[ 80.548169][ T3532]  ? lock_acquire+0x1a8/0x720
[ 80.552904][ T3532]  ? l2cap_rx+0x1fc0/0x1fc0
[ 80.557484][ T3532]  ? lock_downgrade+0x6d0/0x6d0
[ 80.562311][ T3532]  l2cap_chan_timeout+0x125/0x280
[ 80.567309][ T3532]  process_one_work+0x828/0x1390
[ 80.572303][ T3532]  ? lock_release+0x710/0x710
[ 80.576980][ T3532]  ? pwq_dec_nr_in_flight+0x2b0/0x2b0
[ 80.582598][ T3532]  ? rwlock_bug.part.0+0x90/0x90
[ 80.587520][ T3532]  ? _raw_spin_lock_irq+0x41/0x50
[ 80.592521][ T3532]  worker_thread+0x598/0xf80
[ 80.597087][ T3532]  ? __kthread_parkme+0xa2/0x1c0
[ 80.602103][ T3532]  ? process_one_work+0x1390/0x1390
[ 80.607279][ T3532]  kthread+0x36f/0x450
[ 80.611502][ T3532]  ? _raw_spin_unlock_irq+0x1f/0x40
[ 80.616674][ T3532]  ? __kthread_bind_mask+0x90/0x90
[ 80.621765][ T3532]  ret_from_fork+0x1f/0x30
[ 80.626373][ T3532] Kernel Offset: disabled
[ 80.630701][ T3532] Rebooting in 86400 seconds..
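The three stacks above tell the lifetime story: the `struct sock` was allocated by `socket()` (`l2cap_sock_alloc` via `__sys_socket`), freed by `close()` (`l2cap_sock_release` to `__sk_destruct` to `kfree`), and then read 160 bytes in by the deferred `l2cap_chan_timeout` work, which reaches the sock through the channel and calls `lock_sock_nested()` on it. The following userspace C model is an added illustration, not kernel code and not a reproducer: it mimics a KASAN-style shadow (freed objects are poisoned, not reused) so that the deferred callback's access can be observed as a use-after-free, and shows the two conventional ways to close such a window, cancelling the pending work synchronously before the final put, or having the queued work hold its own reference. The structure names, `sk_alloc_model`, `sock_put_model`, `teardown_cb` and the scenario functions are constructed for this example and do not correspond to the kernel's functions.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed model (not kernel code).  A freed "sock" stays in a
 * quarantine with allocated=false, the way KASAN keeps freed slab
 * objects poisoned, so a later access through sk_access() is reported
 * instead of silently reading reused memory. */
enum access { ACCESS_OK = 0, ACCESS_UAF = 1 };

struct sock {
    bool allocated;   /* shadow byte: false after the final put */
    int  refcnt;      /* models sock_hold()/sock_put() */
    int  state;       /* field the teardown callback writes */
};

/* A queued work item holding a raw pointer to the sock, the role the
 * channel plays for l2cap_chan_timeout in the report. */
struct chan_work {
    struct sock *sk;
    bool pending;
};

static struct sock *sk_alloc_model(void)
{
    struct sock *sk = calloc(1, sizeof *sk);
    sk->allocated = true;
    sk->refcnt = 1;
    return sk;
}

/* Final put "frees" the object: the shadow flips, memory stays quarantined. */
static void sock_put_model(struct sock *sk)
{
    if (--sk->refcnt == 0)
        sk->allocated = false;
}

static enum access sk_access(struct sock *sk)
{
    return sk->allocated ? ACCESS_OK : ACCESS_UAF;
}

/* The deferred callback: takes the sock lock and marks the channel closed. */
static enum access teardown_cb(struct chan_work *w)
{
    enum access a = sk_access(w->sk);     /* lock_sock() touches the sock */
    if (a == ACCESS_OK)
        w->sk->state = -1;
    return a;
}

/* The workqueue drains a pending item some time after close() returned. */
static enum access run_queued_work(struct chan_work *w)
{
    if (!w->pending)
        return ACCESS_OK;
    w->pending = false;
    return teardown_cb(w);
}

/* Scenario 1: close() drops the last reference while the work is still queued. */
enum access scenario_unsafe(void)
{
    struct sock *sk = sk_alloc_model();
    struct chan_work w = { .sk = sk, .pending = true };
    sock_put_model(sk);                    /* close(): refcnt 1 -> 0, object freed */
    enum access r = run_queued_work(&w);   /* callback runs against freed object */
    free(sk);
    return r;                              /* ACCESS_UAF */
}

/* Fix A: cancel the pending work synchronously before the final put. */
enum access scenario_cancel(void)
{
    struct sock *sk = sk_alloc_model();
    struct chan_work w = { .sk = sk, .pending = true };
    w.pending = false;                     /* cancel_delayed_work_sync() equivalent */
    sock_put_model(sk);
    enum access r = run_queued_work(&w);   /* nothing left to run */
    free(sk);
    return r;                              /* ACCESS_OK */
}

/* Fix B: queueing the work takes a reference; the work puts it when done,
 * so the object cannot be freed underneath the callback. */
enum access scenario_hold_ref(void)
{
    struct sock *sk = sk_alloc_model();
    struct chan_work w = { .sk = sk, .pending = true };
    sk->refcnt++;                          /* sock_hold() at queue time */
    sock_put_model(sk);                    /* close(): refcnt 2 -> 1, still live */
    enum access r = run_queued_work(&w);   /* callback sees a live object */
    sock_put_model(sk);                    /* work's own put: refcnt 1 -> 0 */
    bool freed_after_work = !sk->allocated;
    free(sk);
    return (r == ACCESS_OK && freed_after_work) ? ACCESS_OK : ACCESS_UAF;
}

int main(void)
{
    printf("unsafe:   %s\n", scenario_unsafe()   == ACCESS_UAF ? "UAF" : "ok");
    printf("cancel:   %s\n", scenario_cancel()   == ACCESS_OK  ? "ok"  : "UAF");
    printf("hold_ref: %s\n", scenario_hold_ref() == ACCESS_OK  ? "ok"  : "UAF");
    return 0;
}
```

The model is single-threaded on purpose: the bug in the report is not a tight race on a lock but a lifetime ordering problem, the work item outliving the object it points to, and that ordering can be reasoned about without threads. Which fix is appropriate in a real driver depends on whether the release path can safely sleep to cancel the work and whether the callback may legitimately run after release.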