[ 400.647871] syz-executor.2 (5811) used greatest stack depth: 23872 bytes left
[ 401.342021] batman_adv: batadv0: Interface deactivated: batadv_slave_0
[ 401.349918] batman_adv: batadv0: Removing interface: batadv_slave_0
[ 401.361435] batman_adv: batadv0: Interface deactivated: batadv_slave_1
[ 401.370002] batman_adv: batadv0: Removing interface: batadv_slave_1
[ 401.382352] device bridge_slave_1 left promiscuous mode
[ 401.390651] bridge0: port 2(bridge_slave_1) entered disabled state
[ 401.442839] device bridge_slave_0 left promiscuous mode
[ 401.452098] bridge0: port 1(bridge_slave_0) entered disabled state
[ 401.502315] device veth1_macvtap left promiscuous mode
[ 401.510238] device veth0_macvtap left promiscuous mode
[ 401.521037] device veth1_vlan left promiscuous mode
[ 401.530226] device veth0_vlan left promiscuous mode
[ 401.624287] device hsr_slave_1 left promiscuous mode
[ 401.683912] device hsr_slave_0 left promiscuous mode
[ 401.746755] team0 (unregistering): Port device team_slave_1 removed
[ 401.767266] team0 (unregistering): Port device team_slave_0 removed
[ 401.782233] bond0 (unregistering): Releasing backup interface bond_slave_1
[ 401.813407] bond0 (unregistering): Releasing backup interface bond_slave_0
[ 401.886207] bond0 (unregistering): Released all slaves
Warning: Permanently added '10.128.0.149' (ECDSA) to the list of known hosts.
[ 406.071693] batman_adv: batadv0: Interface deactivated: batadv_slave_0
[ 406.084210] batman_adv: batadv0: Removing interface: batadv_slave_0
[ 406.094964] batman_adv: batadv0: Interface deactivated: batadv_slave_1
[ 406.106217] batman_adv: batadv0: Removing interface: batadv_slave_1
[ 406.116054] device bridge_slave_1 left promiscuous mode
[ 406.122335] bridge0: port 2(bridge_slave_1) entered disabled state
[ 406.170900] device bridge_slave_0 left promiscuous mode
[ 406.177902] bridge0: port 1(bridge_slave_0) entered disabled state
[ 406.232617] batman_adv: batadv0: Interface deactivated: batadv_slave_0
[ 406.240607] batman_adv: batadv0: Removing interface: batadv_slave_0
[ 406.249798] batman_adv: batadv0: Interface deactivated: batadv_slave_1
[ 406.258580] batman_adv: batadv0: Removing interface: batadv_slave_1
[ 406.269279] device bridge_slave_1 left promiscuous mode
[ 406.276100] bridge0: port 2(bridge_slave_1) entered disabled state
[ 406.340718] device bridge_slave_0 left promiscuous mode
[ 406.346878] bridge0: port 1(bridge_slave_0) entered disabled state
[ 406.392496] batman_adv: batadv0: Interface deactivated: batadv_slave_0
[ 406.400759] batman_adv: batadv0: Removing interface: batadv_slave_0
[ 406.409695] batman_adv: batadv0: Interface deactivated: batadv_slave_1
[ 406.418440] batman_adv: batadv0: Removing interface: batadv_slave_1
[ 406.427827] device bridge_slave_1 left promiscuous mode
[ 406.434507] bridge0: port 2(bridge_slave_1) entered disabled state
[ 406.493876] device bridge_slave_0 left promiscuous mode
[ 406.503281] bridge0: port 1(bridge_slave_0) entered disabled state
[ 406.542871] batman_adv: batadv0: Interface deactivated: batadv_slave_0
[ 406.551148] batman_adv: batadv0: Removing interface: batadv_slave_0
[ 406.559112] batman_adv: batadv0: Interface deactivated: batadv_slave_1
[ 406.567656] batman_adv: batadv0: Removing interface: batadv_slave_1
[ 406.576375] device bridge_slave_1 left promiscuous mode
[ 406.583434] bridge0: port 2(bridge_slave_1) entered disabled state
[ 406.621007] device bridge_slave_0 left promiscuous mode
[ 406.628200] bridge0: port 1(bridge_slave_0) entered disabled state
[ 406.682240] batman_adv: batadv0: Interface deactivated: batadv_slave_0
[ 406.690848] batman_adv: batadv0: Removing interface: batadv_slave_0
[ 406.702763] batman_adv: batadv0: Interface deactivated: batadv_slave_1
[ 406.712410] batman_adv: batadv0: Removing interface: batadv_slave_1
[ 406.724985] device bridge_slave_1 left promiscuous mode
[ 406.737303] bridge0: port 2(bridge_slave_1) entered disabled state
[ 406.780754] device bridge_slave_0 left promiscuous mode
[ 406.788294] bridge0: port 1(bridge_slave_0) entered disabled state
[ 406.844910] device veth1_macvtap left promiscuous mode
[ 406.855523] device veth0_macvtap left promiscuous mode
[ 406.863624] device veth1_vlan left promiscuous mode
[ 406.870950] device veth0_vlan left promiscuous mode
[ 406.877597] device veth1_macvtap left promiscuous mode
[ 406.886675] device veth0_macvtap left promiscuous mode
[ 406.894652] device veth1_vlan left promiscuous mode
[ 406.900734] device veth0_vlan left promiscuous mode
[ 406.909713] device veth1_macvtap left promiscuous mode
[ 406.917726] device veth0_macvtap left promiscuous mode
[ 406.926283] device veth1_vlan left promiscuous mode
[ 406.936533] device veth0_vlan left promiscuous mode
[ 406.951845] device veth1_macvtap left promiscuous mode
[ 406.962651] device veth0_macvtap left promiscuous mode
[ 406.972721] device veth1_vlan left promiscuous mode
[ 406.985472] device veth0_vlan left promiscuous mode
[ 406.993344] device veth1_macvtap left promiscuous mode
[ 407.003303] device veth0_macvtap left promiscuous mode
[ 407.012225] device veth1_vlan left promiscuous mode
[ 407.021833] device veth0_vlan left promiscuous mode
[ 407.272590] device hsr_slave_1 left promiscuous mode
[ 407.313348] device hsr_slave_0 left promiscuous mode
[ 407.376074] team0 (unregistering): Port device team_slave_1 removed
[ 407.388527] team0 (unregistering): Port device team_slave_0 removed
[ 407.402382] bond0 (unregistering): Releasing backup interface bond_slave_1
[ 407.452514] bond0 (unregistering): Releasing backup interface bond_slave_0
[ 407.506391] bond0 (unregistering): Released all slaves
[ 407.613208] device hsr_slave_1 left promiscuous mode
[ 407.662292] device hsr_slave_0 left promiscuous mode
[ 407.718247] team0 (unregistering): Port device team_slave_1 removed
[ 407.734640] team0 (unregistering): Port device team_slave_0 removed
[ 407.749792] bond0 (unregistering): Releasing backup interface bond_slave_1
[ 407.793320] bond0 (unregistering): Releasing backup interface bond_slave_0
[ 407.846462] bond0 (unregistering): Released all slaves
[ 407.953041] device hsr_slave_1 left promiscuous mode
[ 408.023918] device hsr_slave_0 left promiscuous mode
[ 408.086956] team0 (unregistering): Port device team_slave_1 removed
[ 408.106659] team0 (unregistering): Port device team_slave_0 removed
[ 408.124876] bond0 (unregistering): Releasing backup interface bond_slave_1
[ 408.163693] bond0 (unregistering): Releasing backup interface bond_slave_0
[ 408.216147] bond0 (unregistering): Released all slaves
[ 408.313833] device hsr_slave_1 left promiscuous mode
[ 408.361745] device hsr_slave_0 left promiscuous mode
[ 408.406784] team0 (unregistering): Port device team_slave_1 removed
[ 408.417802] team0 (unregistering): Port device team_slave_0 removed
[ 408.430180] bond0 (unregistering): Releasing backup interface bond_slave_1
[ 408.473390] bond0 (unregistering): Releasing backup interface bond_slave_0
[ 408.544590] bond0 (unregistering): Released all slaves
[ 408.653044] device hsr_slave_1 left promiscuous mode
[ 408.713253] device hsr_slave_0 left promiscuous mode
[ 408.757798] team0 (unregistering): Port device team_slave_1 removed
[ 408.771712] team0 (unregistering): Port device team_slave_0 removed
[ 408.786992] bond0 (unregistering): Releasing backup interface bond_slave_1
[ 408.833709] bond0 (unregistering): Releasing backup interface bond_slave_0
[ 408.904009] bond0 (unregistering): Released all slaves
[ 413.064642] IPVS: ftp: loaded support on port[0] = 21
[ 413.817909] IPVS: ftp: loaded support on port[0] = 21
[ 414.626915] IPVS: ftp: loaded support on port[0] = 21
[ 415.317832] IPVS: ftp: loaded support on port[0] = 21
[ 415.965093] IPVS: ftp: loaded support on port[0] = 21
[ 416.547140] IPVS: ftp: loaded support on port[0] = 21
[ 416.959288] Bluetooth: hci0 command 0x0409 tx timeout
[ 417.759236] Bluetooth: hci1 command 0x0409 tx timeout
[ 418.399077] Bluetooth: hci2 command 0x0409 tx timeout
[ 419.042469] Bluetooth: hci0 command 0x041b tx timeout
[ 419.119141] Bluetooth: hci3 command 0x0409 tx timeout
[ 419.679497] Bluetooth: hci4 command 0x0409 tx timeout
[ 419.839187] Bluetooth: hci1 command 0x041b tx timeout
[ 420.158945] Bluetooth: hci5 command 0x0409 tx timeout
[ 420.479651] Bluetooth: hci2 command 0x041b tx timeout
[ 421.118925] Bluetooth: hci0 command 0x040f tx timeout
[ 421.199471] Bluetooth: hci3 command 0x041b tx timeout
[ 421.758984] Bluetooth: hci4 command 0x041b tx timeout
[ 421.928775] Bluetooth: hci1 command 0x040f tx timeout
[ 422.239491] Bluetooth: hci5 command 0x041b tx timeout
[ 422.558834] Bluetooth: hci2 command 0x040f tx timeout
[ 423.208680] Bluetooth: hci0 command 0x0419 tx timeout
[ 423.278938] Bluetooth: hci3 command 0x040f tx timeout
[ 423.838783] Bluetooth: hci4 command 0x040f tx timeout
[ 423.998781] Bluetooth: hci1 command 0x0419 tx timeout
[ 424.318695] Bluetooth: hci5 command 0x040f tx timeout
[ 424.638535] Bluetooth: hci2 command 0x0419 tx timeout
[ 425.358981] Bluetooth: hci3 command 0x0419 tx timeout
[ 425.918587] Bluetooth: hci4 command 0x0419 tx timeout
[ 426.398506] Bluetooth: hci5 command 0x0419 tx timeout
[ 431.508035] ==================================================================
[ 431.522592] BUG: KASAN: use-after-free in l2cap_sock_shutdown+0x954/0xbb0
[ 431.533667] Read of size 1 at addr ffff8881c961a3be by task syz-executor303/460
[ 431.547328]
[ 431.551619] CPU: 1 PID: 460 Comm: syz-executor303 Not tainted 4.14.226-syzkaller #0
[ 431.572491] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 431.591585] Call Trace:
[ 431.595312]  dump_stack+0x14b/0x1e7
[ 431.601499]  ? l2cap_sock_shutdown+0x954/0xbb0
[ 431.608237]  print_address_description.cold.6+0x9/0x1ca
[ 431.620861]  ? l2cap_sock_shutdown+0x954/0xbb0
[ 431.631832]  kasan_report.cold.7+0x11a/0x2d3
[ 431.640420]  __asan_report_load1_noabort+0x14/0x20
[ 431.648928]  l2cap_sock_shutdown+0x954/0xbb0
[ 431.654924]  ? trace_hardirqs_on+0x10/0x10
[ 431.661516]  ? l2cap_sock_teardown_cb+0x3e0/0x3e0
[ 431.668193]  ? __lock_acquire+0x701/0x42d0
[ 431.673024]  ? bt_sock_unlink+0x10b/0x150
[ 431.678770]  ? lock_downgrade+0x7f0/0x7f0
[ 431.686308]  ? _raw_write_unlock+0x2c/0x50
[ 431.692201]  l2cap_sock_release+0x60/0x230
[ 431.696953]  __sock_release+0xc2/0x2a0
[ 431.702204]  sock_close+0x10/0x20
[ 431.708687]  __fput+0x232/0x740
[ 431.714121]  ? _raw_spin_unlock_irq+0x27/0x90
[ 431.720514]  ____fput+0x9/0x10
[ 431.725685]  task_work_run+0xe5/0x170
[ 431.733285]  exit_to_usermode_loop+0x14a/0x190
[ 431.742128]  do_syscall_64+0x416/0x5b0
[ 431.750069]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 431.757541]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 431.766928] RIP: 0033:0x406fcb
[ 431.774419] RSP: 002b:00007ffc7f4e3ee0 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
[ 431.789325] RAX: 0000000000000000 RBX: 0000000000000005 RCX: 0000000000406fcb
[ 431.801586] RDX: ffffffffffffffb8 RSI: 00000000400443c8 RDI: 0000000000000004
[ 431.814250] RBP: 0000000000000000 R08: 0000000000000000 R09: 0404040400000015
[ 431.825018] R10: 0000000000000000 R11: 0000000000000293 R12: 00000000000696b9
[ 431.834090] R13: 00007ffc7f4e3f60 R14: 00007ffc7f4e3f50 R15: 00007ffc7f4e3f10
[ 431.842377]
[ 431.844317] Allocated by task 460:
[ 431.848734]  save_stack_trace+0x16/0x20
[ 431.854080]  kasan_kmalloc.part.1+0x62/0xf0
[ 431.858846]  kasan_kmalloc+0xaf/0xc0
[ 431.863523]  kmem_cache_alloc_trace+0x152/0x3f0
[ 431.868827]  l2cap_chan_create+0x41/0x380
[ 431.873969]  l2cap_sock_alloc.constprop.4+0x150/0x1e0
[ 431.881582]  l2cap_sock_create+0xb5/0x180
[ 431.887415]  bt_sock_create+0x121/0x260
[ 431.892305]  __sock_create+0x262/0x540
[ 431.897246]  SyS_socket+0xd5/0x1e0
[ 431.902134]  do_syscall_64+0x1c7/0x5b0
[ 431.906640]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 431.913370]
[ 431.915715] Freed by task 1202:
[ 431.920138]  save_stack_trace+0x16/0x20
[ 431.926335]  kasan_slab_free+0xab/0x190
[ 431.930669]  kfree+0xcc/0x270
[ 431.934106]  l2cap_chan_put+0x141/0x1a0
[ 431.938440]  l2cap_recv_frame+0xeca/0x9e10
[ 431.943765]  l2cap_recv_acldata+0x756/0x8a0
[ 431.950171]  hci_rx_work+0x5c9/0x8e0
[ 431.955459]  process_one_work+0x74f/0x1620
[ 431.961315]  worker_thread+0xcc/0xee0
[ 431.966645]  kthread+0x338/0x400
[ 431.971430]  ret_from_fork+0x24/0x30
[ 431.976147]
[ 431.979019] The buggy address belongs to the object at ffff8881c961a380
[ 431.979019]  which belongs to the cache kmalloc-2048 of size 2048
[ 431.999244] The buggy address is located 62 bytes inside of
[ 431.999244]  2048-byte region [ffff8881c961a380, ffff8881c961ab80)
[ 432.016179] The buggy address belongs to the page:
[ 432.022475] page:ffffea0007258680 count:1 mapcount:0 mapping:ffff8881c961a380 index:0x0 compound_mapcount: 0
[ 432.038135] flags: 0x17ffe0000008100(slab|head)
[ 432.043800] raw: 017ffe0000008100 ffff8881c961a380 0000000000000000 0000000100000003
[ 432.053394] raw: ffffea00077663a0 ffffea0007960aa0 ffff8881f6000c40 0000000000000000
[ 432.062870] page dumped because: kasan: bad access detected
[ 432.069462]
[ 432.071861] Memory state around the buggy address:
[ 432.080627]  ffff8881c961a280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 432.089977]  ffff8881c961a300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 432.099285] >ffff8881c961a380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 432.111236]                                         ^
[ 432.118475]  ffff8881c961a400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 432.128837]  ffff8881c961a480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 432.140562] ==================================================================
[ 432.150825] Disabling lock debugging due to kernel taint
[ 432.169452] list_del corruption, ffff8881c961a7e8->next is LIST_POISON1 (dead000000000100)
[ 432.181211] ------------[ cut here ]------------
[ 432.186957] kernel BUG at lib/list_debug.c:47!
[ 432.192327] invalid opcode: 0000 [#1] PREEMPT SMP KASAN
[ 432.198550] Modules linked in:
[ 432.201909] CPU: 1 PID: 460 Comm: syz-executor303 Tainted: G B 4.14.226-syzkaller #0
[ 432.212687] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 432.223116] task: ffff8881f483a100 task.stack: ffff8881dd3a8000
[ 432.230023] RIP: 0010:__list_del_entry_valid.cold.1+0x26/0x4a
[ 432.237011] RSP: 0000:ffff8881dd3afcf8 EFLAGS: 00010282
[ 432.242713] RAX: 000000000000004e RBX: ffff8881c961a7e8 RCX: 0000000000000000
[ 432.251170] RDX: 000000000000004e RSI: ffffffff86cbec60 RDI: ffffed103ba75f96
[ 432.259837] RBP: ffff8881dd3afd10 R08: 0000000000000000 R09: 0000000000000000
[ 432.270734] R10: fffffbfff13446c7 R11: dffffc0000000000 R12: dead000000000200
[ 432.281241] R13: dead000000000100 R14: ffff8881c961a808 R15: ffff8881c961af60
[ 432.292447] FS: 00000000015c9300(0000) GS:ffff8881f6700000(0000) knlGS:0000000000000000
[ 432.303209] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 432.311193] CR2: 0000000000444b1b CR3: 00000001dd89a004 CR4: 00000000001606e0
[ 432.319865] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 432.328156] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 432.336669] Call Trace:
[ 432.339972]  l2cap_chan_put+0x49/0x1a0
[ 432.344013]  l2cap_sock_release+0x1b4/0x230
[ 432.349471]  __sock_release+0xc2/0x2a0
[ 432.354321]  sock_close+0x10/0x20
[ 432.358634]  __fput+0x232/0x740
[ 432.362077]  ? _raw_spin_unlock_irq+0x27/0x90
[ 432.367184]  ____fput+0x9/0x10
[ 432.370973]  task_work_run+0xe5/0x170
[ 432.375097]  exit_to_usermode_loop+0x14a/0x190
[ 432.382521]  do_syscall_64+0x416/0x5b0
[ 432.387809]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 432.394008]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 432.402204] RIP: 0033:0x406fcb
[ 432.406718] RSP: 002b:00007ffc7f4e3ee0 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
[ 432.416611] RAX: 0000000000000000 RBX: 0000000000000005 RCX: 0000000000406fcb
[ 432.425729] RDX: ffffffffffffffb8 RSI: 00000000400443c8 RDI: 0000000000000004
[ 432.433847] RBP: 0000000000000000 R08: 0000000000000000 R09: 0404040400000015
[ 432.443293] R10: 0000000000000000 R11: 0000000000000293 R12: 00000000000696b9
[ 432.452419] R13: 00007ffc7f4e3f60 R14: 00007ffc7f4e3f50 R15: 00007ffc7f4e3f10
[ 432.460284] Code: 86 f9 ff 0f 0b 4c 89 e2 48 89 de 48 c7 c7 a0 0e 04 87 e8 d4 86 f9 ff 0f 0b 4c 89 ea 48 89 de 48 c7 c7 40 0e 04 87 e8 c0 86 f9 ff <0f> 0b 48 89 de 48 c7 c7 60 0f 04 87 e8 af 86 f9 ff 0f 0b 48 89
[ 432.480367] RIP: __list_del_entry_valid.cold.1+0x26/0x4a RSP: ffff8881dd3afcf8
[ 432.488360] ---[ end trace adf6a0224896cac4 ]---
[ 432.493183] Kernel panic - not syncing: Fatal exception
[ 432.501459] Kernel Offset: disabled
[ 432.505870] Rebooting in 86400 seconds..