[ 400.877567] syz-executor.4 (5813) used greatest stack depth: 24344 bytes left
[ 401.109022] syz-executor.5 (5814) used greatest stack depth: 24256 bytes left
[ 401.537646] batman_adv: batadv0: Interface deactivated: batadv_slave_0
[ 401.547000] batman_adv: batadv0: Removing interface: batadv_slave_0
[ 401.557825] batman_adv: batadv0: Interface deactivated: batadv_slave_1
[ 401.566013] batman_adv: batadv0: Removing interface: batadv_slave_1
[ 401.577705] device bridge_slave_1 left promiscuous mode
[ 401.585787] bridge0: port 2(bridge_slave_1) entered disabled state
[ 401.638354] device bridge_slave_0 left promiscuous mode
[ 401.646043] bridge0: port 1(bridge_slave_0) entered disabled state
[ 401.700338] device veth1_macvtap left promiscuous mode
[ 401.708181] device veth0_macvtap left promiscuous mode
[ 401.713974] device veth1_vlan left promiscuous mode
[ 401.720290] device veth0_vlan left promiscuous mode
[ 401.827817] device hsr_slave_1 left promiscuous mode
[ 401.889963] device hsr_slave_0 left promiscuous mode
[ 401.932152] team0 (unregistering): Port device team_slave_1 removed
[ 401.945056] team0 (unregistering): Port device team_slave_0 removed
[ 401.957715] bond0 (unregistering): Releasing backup interface bond_slave_1
[ 401.999729] bond0 (unregistering): Releasing backup interface bond_slave_0
[ 402.062245] bond0 (unregistering): Released all slaves
Warning: Permanently added '10.128.1.12' (ECDSA) to the list of known hosts.
[ 406.546724] batman_adv: batadv0: Interface deactivated: batadv_slave_0
[ 406.555185] batman_adv: batadv0: Removing interface: batadv_slave_0
[ 406.567335] batman_adv: batadv0: Interface deactivated: batadv_slave_1
[ 406.576279] batman_adv: batadv0: Removing interface: batadv_slave_1
[ 406.596522] device bridge_slave_1 left promiscuous mode
[ 406.608552] bridge0: port 2(bridge_slave_1) entered disabled state
[ 406.656222] device bridge_slave_0 left promiscuous mode
[ 406.662924] bridge0: port 1(bridge_slave_0) entered disabled state
[ 406.697468] batman_adv: batadv0: Interface deactivated: batadv_slave_0
[ 406.706752] batman_adv: batadv0: Removing interface: batadv_slave_0
[ 406.718480] batman_adv: batadv0: Interface deactivated: batadv_slave_1
[ 406.726645] batman_adv: batadv0: Removing interface: batadv_slave_1
[ 406.735164] device bridge_slave_1 left promiscuous mode
[ 406.742210] bridge0: port 2(bridge_slave_1) entered disabled state
[ 406.796331] device bridge_slave_0 left promiscuous mode
[ 406.803621] bridge0: port 1(bridge_slave_0) entered disabled state
[ 406.867833] batman_adv: batadv0: Interface deactivated: batadv_slave_0
[ 406.878638] batman_adv: batadv0: Removing interface: batadv_slave_0
[ 406.890759] batman_adv: batadv0: Interface deactivated: batadv_slave_1
[ 406.902805] batman_adv: batadv0: Removing interface: batadv_slave_1
[ 406.919058] device bridge_slave_1 left promiscuous mode
[ 406.926137] bridge0: port 2(bridge_slave_1) entered disabled state
[ 406.965917] device bridge_slave_0 left promiscuous mode
[ 406.972485] bridge0: port 1(bridge_slave_0) entered disabled state
[ 407.027637] batman_adv: batadv0: Interface deactivated: batadv_slave_0
[ 407.036874] batman_adv: batadv0: Removing interface: batadv_slave_0
[ 407.046866] batman_adv: batadv0: Interface deactivated: batadv_slave_1
[ 407.057402] batman_adv: batadv0: Removing interface: batadv_slave_1
[ 407.067112] device bridge_slave_1 left promiscuous mode
[ 407.074274] bridge0: port 2(bridge_slave_1) entered disabled state
[ 407.117232] device bridge_slave_0 left promiscuous mode
[ 407.125530] bridge0: port 1(bridge_slave_0) entered disabled state
[ 407.177965] batman_adv: batadv0: Interface deactivated: batadv_slave_0
[ 407.189944] batman_adv: batadv0: Removing interface: batadv_slave_0
[ 407.199866] batman_adv: batadv0: Interface deactivated: batadv_slave_1
[ 407.209047] batman_adv: batadv0: Removing interface: batadv_slave_1
[ 407.222791] device bridge_slave_1 left promiscuous mode
[ 407.231813] bridge0: port 2(bridge_slave_1) entered disabled state
[ 407.275931] device bridge_slave_0 left promiscuous mode
[ 407.286845] bridge0: port 1(bridge_slave_0) entered disabled state
[ 407.379723] device veth1_macvtap left promiscuous mode
[ 407.391707] device veth0_macvtap left promiscuous mode
[ 407.405145] device veth1_vlan left promiscuous mode
[ 407.415600] device veth0_vlan left promiscuous mode
[ 407.428784] device veth1_macvtap left promiscuous mode
[ 407.440381] device veth0_macvtap left promiscuous mode
[ 407.450355] device veth1_vlan left promiscuous mode
[ 407.464230] device veth0_vlan left promiscuous mode
[ 407.473993] device veth1_macvtap left promiscuous mode
[ 407.486625] device veth0_macvtap left promiscuous mode
[ 407.497725] device veth1_vlan left promiscuous mode
[ 407.507081] device veth0_vlan left promiscuous mode
[ 407.515661] device veth1_macvtap left promiscuous mode
[ 407.522357] device veth0_macvtap left promiscuous mode
[ 407.531044] device veth1_vlan left promiscuous mode
[ 407.539640] device veth0_vlan left promiscuous mode
[ 407.548059] device veth1_macvtap left promiscuous mode
[ 407.556858] device veth0_macvtap left promiscuous mode
[ 407.565672] device veth1_vlan left promiscuous mode
[ 407.574151] device veth0_vlan left promiscuous mode
[ 407.799635] device hsr_slave_1 left promiscuous mode
[ 407.858663] device hsr_slave_0 left promiscuous mode
[ 407.903001] team0 (unregistering): Port device team_slave_1 removed
[ 407.913922] team0 (unregistering): Port device team_slave_0 removed
[ 407.924230] bond0 (unregistering): Releasing backup interface bond_slave_1
[ 407.958157] bond0 (unregistering): Releasing backup interface bond_slave_0
[ 408.010772] bond0 (unregistering): Released all slaves
[ 408.117751] device hsr_slave_1 left promiscuous mode
[ 408.187194] device hsr_slave_0 left promiscuous mode
[ 408.242645] team0 (unregistering): Port device team_slave_1 removed
[ 408.254121] team0 (unregistering): Port device team_slave_0 removed
[ 408.264823] bond0 (unregistering): Releasing backup interface bond_slave_1
[ 408.299017] bond0 (unregistering): Releasing backup interface bond_slave_0
[ 408.360903] bond0 (unregistering): Released all slaves
[ 408.467846] device hsr_slave_1 left promiscuous mode
[ 408.507560] device hsr_slave_0 left promiscuous mode
[ 408.561548] team0 (unregistering): Port device team_slave_1 removed
[ 408.575713] team0 (unregistering): Port device team_slave_0 removed
[ 408.592220] bond0 (unregistering): Releasing backup interface bond_slave_1
[ 408.637495] bond0 (unregistering): Releasing backup interface bond_slave_0
[ 408.712315] bond0 (unregistering): Released all slaves
[ 408.829449] device hsr_slave_1 left promiscuous mode
[ 408.888839] device hsr_slave_0 left promiscuous mode
[ 408.932695] team0 (unregistering): Port device team_slave_1 removed
[ 408.943657] team0 (unregistering): Port device team_slave_0 removed
[ 408.954616] bond0 (unregistering): Releasing backup interface bond_slave_1
[ 408.989423] bond0 (unregistering): Releasing backup interface bond_slave_0
[ 409.060148] bond0 (unregistering): Released all slaves
[ 409.170062] device hsr_slave_1 left promiscuous mode
[ 409.208429] device hsr_slave_0 left promiscuous mode
[ 409.262644] team0 (unregistering): Port device team_slave_1 removed
[ 409.274555] team0 (unregistering): Port device team_slave_0 removed
[ 409.288095] bond0 (unregistering): Releasing backup interface bond_slave_1
[ 409.358095] bond0 (unregistering): Releasing backup interface bond_slave_0
[ 409.420622] bond0 (unregistering): Released all slaves
[ 413.492661] IPVS: ftp: loaded support on port[0] = 21
[ 416.143075] ==================================================================
[ 416.154129] BUG: KASAN: use-after-free in __list_del_entry_valid+0xd0/0x100
[ 416.163192] Read of size 8 at addr ffff8881dbae7130 by task syz-executor312/927
[ 416.172728]
[ 416.174740] CPU: 1 PID: 927 Comm: syz-executor312 Not tainted 4.14.226-syzkaller #0
[ 416.185155] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 416.198226] Call Trace:
[ 416.201927]  dump_stack+0x14b/0x1e7
[ 416.206012]  ? __list_del_entry_valid+0xd0/0x100
[ 416.212563]  print_address_description.cold.6+0x9/0x1ca
[ 416.218825]  ? __list_del_entry_valid+0xd0/0x100
[ 416.224218]  kasan_report.cold.7+0x11a/0x2d3
[ 416.230399]  __asan_report_load8_noabort+0x14/0x20
[ 416.238555]  __list_del_entry_valid+0xd0/0x100
[ 416.246523]  l2cap_chan_put+0x49/0x1a0
[ 416.252428]  l2cap_sock_release+0x1b4/0x230
[ 416.257619]  __sock_release+0xc2/0x2a0
[ 416.262744]  sock_close+0x10/0x20
[ 416.268022]  __fput+0x232/0x740
[ 416.271858]  ? _raw_spin_unlock_irq+0x27/0x90
[ 416.278424]  ____fput+0x9/0x10
[ 416.284944]  task_work_run+0xe5/0x170
[ 416.291251]  exit_to_usermode_loop+0x14a/0x190
[ 416.301172]  do_syscall_64+0x416/0x5b0
[ 416.308842]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 416.315859]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 416.324613] RIP: 0033:0x406dcb
[ 416.329834] RSP: 002b:00007ffe28ecaef0 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
[ 416.348474] RAX: 0000000000000000 RBX: 0000000000000005 RCX: 0000000000406dcb
[ 416.363419] RDX: ffffffffffffffb8 RSI: 0000000020000180 RDI: 0000000000000004
[ 416.374730] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[ 416.384876] R10: 0000000000000000 R11: 0000000000000293 R12: 00007ffe28ecaf50
[ 416.395564] R13: 00007ffe28ecaf40 R14: 00000000000659cc R15: 00007ffe28ecaf18
[ 416.405698]
[ 416.408735] Allocated by task 927:
[ 416.414380]  save_stack_trace+0x16/0x20
[ 416.420801]  kasan_kmalloc.part.1+0x62/0xf0
[ 416.426289]  kasan_kmalloc+0xaf/0xc0
[ 416.432702]  kmem_cache_alloc_trace+0x152/0x3f0
[ 416.441077]  l2cap_chan_create+0x41/0x380
[ 416.446697]  l2cap_sock_alloc.constprop.4+0x150/0x1e0
[ 416.454746]  l2cap_sock_create+0xb5/0x180
[ 416.461396]  bt_sock_create+0x121/0x260
[ 416.468047]  __sock_create+0x262/0x540
[ 416.474451]  SyS_socket+0xd5/0x1e0
[ 416.482390]  do_syscall_64+0x1c7/0x5b0
[ 416.488522]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 416.496601]
[ 416.499423] Freed by task 650:
[ 416.503712]  save_stack_trace+0x16/0x20
[ 416.509349]  kasan_slab_free+0xab/0x190
[ 416.514969]  kfree+0xcc/0x270
[ 416.519715]  l2cap_chan_put+0x141/0x1a0
[ 416.525827]  l2cap_recv_frame+0xeca/0x9e10
[ 416.532354]  l2cap_recv_acldata+0x756/0x8a0
[ 416.540099]  hci_rx_work+0x5c9/0x8e0
[ 416.545414]  process_one_work+0x74f/0x1620
[ 416.551398]  worker_thread+0xcc/0xee0
[ 416.556857]  kthread+0x338/0x400
[ 416.562439]  ret_from_fork+0x24/0x30
[ 416.567980]
[ 416.570075] The buggy address belongs to the object at ffff8881dbae6cc0
[ 416.570075]  which belongs to the cache kmalloc-2048 of size 2048
[ 416.589796] The buggy address is located 1136 bytes inside of
[ 416.589796]  2048-byte region [ffff8881dbae6cc0, ffff8881dbae74c0)
[ 416.606569] The buggy address belongs to the page:
[ 416.613511] page:ffffea00076eb980 count:1 mapcount:0 mapping:ffff8881dbae6440 index:0x0 compound_mapcount: 0
[ 416.627858] flags: 0x17ffe0000008100(slab|head)
[ 416.633948] raw: 017ffe0000008100 ffff8881dbae6440 0000000000000000 0000000100000003
[ 416.644565] raw: ffffea00075fa820 ffff8881f6001948 ffff8881f6000c40 0000000000000000
[ 416.655180] page dumped because: kasan: bad access detected
[ 416.662292]
[ 416.664263] Memory state around the buggy address:
[ 416.669961]  ffff8881dbae7000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 416.679483]  ffff8881dbae7080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 416.688338] >ffff8881dbae7100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 416.699121]                                      ^
[ 416.706458]  ffff8881dbae7180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 416.716578]  ffff8881dbae7200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 416.726261] ==================================================================
[ 416.735729] Disabling lock debugging due to kernel taint
[ 416.742892] list_del corruption, ffff8881dbae7128->next is LIST_POISON1 (dead000000000100)
[ 416.754541] ------------[ cut here ]------------
[ 416.760187] kernel BUG at lib/list_debug.c:47!
[ 416.765680] invalid opcode: 0000 [#1] PREEMPT SMP KASAN
[ 416.774514] Modules linked in:
[ 416.779291] CPU: 1 PID: 927 Comm: syz-executor312 Tainted: G B 4.14.226-syzkaller #0
[ 416.791870] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 416.802857] task: ffff8881c65184c0 task.stack: ffff8881e02a8000
[ 416.810173] RIP: 0010:__list_del_entry_valid.cold.1+0x26/0x4a
[ 416.816536] RSP: 0018:ffff8881e02afcf8 EFLAGS: 00010282
[ 416.823087] RAX: 000000000000004e RBX: ffff8881dbae7128 RCX: 0000000000000000
[ 416.831851] RDX: 000000000000004e RSI: ffffffff86cbec60 RDI: ffffed103c055f96
[ 416.840366] RBP: ffff8881e02afd10 R08: 0000000000000000 R09: 0000000000000000
[ 416.848979] R10: fffffbfff13446c7 R11: dffffc0000000000 R12: dead000000000200
[ 416.857532] R13: dead000000000100 R14: ffff8881dbae7148 R15: ffff8881dbae78a0
[ 416.866578] FS: 0000000000708300(0000) GS:ffff8881f6700000(0000) knlGS:0000000000000000
[ 416.877007] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 416.883962] CR2: 0000000020000180 CR3: 00000001f2bc0002 CR4: 00000000001606e0
[ 416.892723] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 416.902625] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 416.910837] Call Trace:
[ 416.913525]  l2cap_chan_put+0x49/0x1a0
[ 416.918186]  l2cap_sock_release+0x1b4/0x230
[ 416.924027]  __sock_release+0xc2/0x2a0
[ 416.928305]  sock_close+0x10/0x20
[ 416.932342]  __fput+0x232/0x740
[ 416.936336]  ? _raw_spin_unlock_irq+0x27/0x90
[ 416.941569]  ____fput+0x9/0x10
[ 416.945993]  task_work_run+0xe5/0x170
[ 416.950536]  exit_to_usermode_loop+0x14a/0x190
[ 416.955963]  do_syscall_64+0x416/0x5b0
[ 416.960856]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 416.966224]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 416.972318] RIP: 0033:0x406dcb
[ 416.976173] RSP: 002b:00007ffe28ecaef0 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
[ 416.987722] RAX: 0000000000000000 RBX: 0000000000000005 RCX: 0000000000406dcb
[ 416.997949] RDX: ffffffffffffffb8 RSI: 0000000020000180 RDI: 0000000000000004
[ 417.007005] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[ 417.017380] R10: 0000000000000000 R11: 0000000000000293 R12: 00007ffe28ecaf50
[ 417.027368] R13: 00007ffe28ecaf40 R14: 00000000000659cc R15: 00007ffe28ecaf18
[ 417.036195] Code: 86 f9 ff 0f 0b 4c 89 e2 48 89 de 48 c7 c7 a0 0e 04 87 e8 d4 86 f9 ff 0f 0b 4c 89 ea 48 89 de 48 c7 c7 40 0e 04 87 e8 c0 86 f9 ff <0f> 0b 48 89 de 48 c7 c7 60 0f 04 87 e8 af 86 f9 ff 0f 0b 48 89
[ 417.061530] RIP: __list_del_entry_valid.cold.1+0x26/0x4a RSP: ffff8881e02afcf8
[ 417.071204] ---[ end trace 1e8f58a10d21de5e ]---
[ 417.076401] Kernel panic - not syncing: Fatal exception
[ 417.085766] Kernel Offset: disabled
[ 417.090024] Rebooting in 86400 seconds..