[ 406.152591] batman_adv: batadv0: Interface deactivated: batadv_slave_0
[ 406.159599] batman_adv: batadv0: Removing interface: batadv_slave_0
[ 406.168269] batman_adv: batadv0: Interface deactivated: batadv_slave_1
[ 406.175284] batman_adv: batadv0: Removing interface: batadv_slave_1
[ 406.183818] device bridge_slave_1 left promiscuous mode
[ 406.189581] bridge0: port 2(bridge_slave_1) entered disabled state
[ 406.221785] device bridge_slave_0 left promiscuous mode
[ 406.228062] bridge0: port 1(bridge_slave_0) entered disabled state
[ 406.272997] device veth1_macvtap left promiscuous mode
[ 406.278444] device veth0_macvtap left promiscuous mode
[ 406.284098] device veth1_vlan left promiscuous mode
[ 406.290175] device veth0_vlan left promiscuous mode
[ 406.373789] device hsr_slave_1 left promiscuous mode
[ 406.413441] device hsr_slave_0 left promiscuous mode
[ 406.457437] team0 (unregistering): Port device team_slave_1 removed
[ 406.466779] team0 (unregistering): Port device team_slave_0 removed
[ 406.475839] bond0 (unregistering): Releasing backup interface bond_slave_1
[ 406.535828] bond0 (unregistering): Releasing backup interface bond_slave_0
[ 406.586254] bond0 (unregistering): Released all slaves
Warning: Permanently added '10.128.15.229' (ECDSA) to the list of known hosts.
[ 410.822674] batman_adv: batadv0: Interface deactivated: batadv_slave_0
[ 410.830433] batman_adv: batadv0: Removing interface: batadv_slave_0
[ 410.838861] batman_adv: batadv0: Interface deactivated: batadv_slave_1
[ 410.846299] batman_adv: batadv0: Removing interface: batadv_slave_1
[ 410.854649] device bridge_slave_1 left promiscuous mode
[ 410.860553] bridge0: port 2(bridge_slave_1) entered disabled state
[ 410.901342] device bridge_slave_0 left promiscuous mode
[ 410.907001] bridge0: port 1(bridge_slave_0) entered disabled state
[ 410.963557] batman_adv: batadv0: Interface deactivated: batadv_slave_0
[ 410.970410] batman_adv: batadv0: Removing interface: batadv_slave_0
[ 410.979771] batman_adv: batadv0: Interface deactivated: batadv_slave_1
[ 410.987011] batman_adv: batadv0: Removing interface: batadv_slave_1
[ 410.995029] device bridge_slave_1 left promiscuous mode
[ 411.000586] bridge0: port 2(bridge_slave_1) entered disabled state
[ 411.042156] device bridge_slave_0 left promiscuous mode
[ 411.047986] bridge0: port 1(bridge_slave_0) entered disabled state
[ 411.093115] batman_adv: batadv0: Interface deactivated: batadv_slave_0
[ 411.100218] batman_adv: batadv0: Removing interface: batadv_slave_0
[ 411.108564] batman_adv: batadv0: Interface deactivated: batadv_slave_1
[ 411.116118] batman_adv: batadv0: Removing interface: batadv_slave_1
[ 411.124771] device bridge_slave_1 left promiscuous mode
[ 411.131647] bridge0: port 2(bridge_slave_1) entered disabled state
[ 411.161387] device bridge_slave_0 left promiscuous mode
[ 411.167246] bridge0: port 1(bridge_slave_0) entered disabled state
[ 411.214213] batman_adv: batadv0: Interface deactivated: batadv_slave_0
[ 411.221255] batman_adv: batadv0: Removing interface: batadv_slave_0
[ 411.230045] batman_adv: batadv0: Interface deactivated: batadv_slave_1
[ 411.238045] batman_adv: batadv0: Removing interface: batadv_slave_1
[ 411.246215] device bridge_slave_1 left promiscuous mode
[ 411.252484] bridge0: port 2(bridge_slave_1) entered disabled state
[ 411.291637] device bridge_slave_0 left promiscuous mode
[ 411.297246] bridge0: port 1(bridge_slave_0) entered disabled state
[ 411.353391] batman_adv: batadv0: Interface deactivated: batadv_slave_0
[ 411.360714] batman_adv: batadv0: Removing interface: batadv_slave_0
[ 411.369016] batman_adv: batadv0: Interface deactivated: batadv_slave_1
[ 411.376594] batman_adv: batadv0: Removing interface: batadv_slave_1
[ 411.384584] device bridge_slave_1 left promiscuous mode
[ 411.393574] bridge0: port 2(bridge_slave_1) entered disabled state
[ 411.431540] device bridge_slave_0 left promiscuous mode
[ 411.437764] bridge0: port 1(bridge_slave_0) entered disabled state
[ 411.484958] device veth1_macvtap left promiscuous mode
[ 411.490486] device veth0_macvtap left promiscuous mode
[ 411.496603] device veth1_vlan left promiscuous mode
[ 411.501735] device veth0_vlan left promiscuous mode
[ 411.507081] device veth1_macvtap left promiscuous mode
[ 411.512590] device veth0_macvtap left promiscuous mode
[ 411.517912] device veth1_vlan left promiscuous mode
[ 411.524051] device veth0_vlan left promiscuous mode
[ 411.529589] device veth1_macvtap left promiscuous mode
[ 411.535270] device veth0_macvtap left promiscuous mode
[ 411.540965] device veth1_vlan left promiscuous mode
[ 411.546122] device veth0_vlan left promiscuous mode
[ 411.552514] device veth1_macvtap left promiscuous mode
[ 411.557904] device veth0_macvtap left promiscuous mode
[ 411.563985] device veth1_vlan left promiscuous mode
[ 411.569512] device veth0_vlan left promiscuous mode
[ 411.575242] device veth1_macvtap left promiscuous mode
[ 411.581051] device veth0_macvtap left promiscuous mode
[ 411.586634] device veth1_vlan left promiscuous mode
[ 411.591763] device veth0_vlan left promiscuous mode
[ 411.803918] device hsr_slave_1 left promiscuous mode
[ 411.854138] device hsr_slave_0 left promiscuous mode
[ 411.897205] team0 (unregistering): Port device team_slave_1 removed
[ 411.905966] team0 (unregistering): Port device team_slave_0 removed
[ 411.915086] bond0 (unregistering): Releasing backup interface bond_slave_1
[ 411.944527] bond0 (unregistering): Releasing backup interface bond_slave_0
[ 411.995594] bond0 (unregistering): Released all slaves
[ 412.104457] device hsr_slave_1 left promiscuous mode
[ 412.143138] device hsr_slave_0 left promiscuous mode
[ 412.186240] team0 (unregistering): Port device team_slave_1 removed
[ 412.194984] team0 (unregistering): Port device team_slave_0 removed
[ 412.205034] bond0 (unregistering): Releasing backup interface bond_slave_1
[ 412.253254] bond0 (unregistering): Releasing backup interface bond_slave_0
[ 412.315393] bond0 (unregistering): Released all slaves
[ 412.414134] device hsr_slave_1 left promiscuous mode
[ 412.453932] device hsr_slave_0 left promiscuous mode
[ 412.506813] team0 (unregistering): Port device team_slave_1 removed
[ 412.516872] team0 (unregistering): Port device team_slave_0 removed
[ 412.526033] bond0 (unregistering): Releasing backup interface bond_slave_1
[ 412.564252] bond0 (unregistering): Releasing backup interface bond_slave_0
[ 412.616068] bond0 (unregistering): Released all slaves
[ 412.725623] device hsr_slave_1 left promiscuous mode
[ 412.783690] device hsr_slave_0 left promiscuous mode
[ 412.836782] team0 (unregistering): Port device team_slave_1 removed
[ 412.846385] team0 (unregistering): Port device team_slave_0 removed
[ 412.855550] bond0 (unregistering): Releasing backup interface bond_slave_1
[ 412.904178] bond0 (unregistering): Releasing backup interface bond_slave_0
[ 412.974616] bond0 (unregistering): Released all slaves
[ 413.084233] device hsr_slave_1 left promiscuous mode
[ 413.122949] device hsr_slave_0 left promiscuous mode
[ 413.167399] team0 (unregistering): Port device team_slave_1 removed
[ 413.177124] team0 (unregistering): Port device team_slave_0 removed
[ 413.186586] bond0 (unregistering): Releasing backup interface bond_slave_1
[ 413.225550] bond0 (unregistering): Releasing backup interface bond_slave_0
[ 413.295028] bond0 (unregistering): Released all slaves
[ 417.214257] IPVS: ftp: loaded support on port[0] = 21
[ 417.966887] IPVS: ftp: loaded support on port[0] = 21
[ 418.706618] IPVS: ftp: loaded support on port[0] = 21
[ 419.389424] IPVS: ftp: loaded support on port[0] = 21
[ 419.952925] IPVS: ftp: loaded support on port[0] = 21
[ 420.511101] IPVS: ftp: loaded support on port[0] = 21
[ 421.050476] Bluetooth: hci0 command 0x0409 tx timeout
[ 421.850510] Bluetooth: hci1 command 0x0409 tx timeout
[ 422.490312] Bluetooth: hci2 command 0x0409 tx timeout
[ 423.050773] Bluetooth: hci3 command 0x0409 tx timeout
[ 423.130299] Bluetooth: hci0 command 0x041b tx timeout
[ 423.610363] Bluetooth: hci4 command 0x0409 tx timeout
[ 423.940949] Bluetooth: hci1 command 0x041b tx timeout
[ 424.170348] Bluetooth: hci5 command 0x0409 tx timeout
[ 424.570174] Bluetooth: hci2 command 0x041b tx timeout
[ 425.130252] Bluetooth: hci3 command 0x041b tx timeout
[ 425.210257] Bluetooth: hci0 command 0x040f tx timeout
[ 425.690252] Bluetooth: hci4 command 0x041b tx timeout
[ 426.010273] Bluetooth: hci1 command 0x040f tx timeout
[ 426.250186] Bluetooth: hci5 command 0x041b tx timeout
[ 426.650143] Bluetooth: hci2 command 0x040f tx timeout
[ 427.210134] Bluetooth: hci3 command 0x040f tx timeout
[ 427.290134] Bluetooth: hci0 command 0x0419 tx timeout
[ 427.770138] Bluetooth: hci4 command 0x040f tx timeout
[ 428.090214] Bluetooth: hci1 command 0x0419 tx timeout
[ 428.330135] Bluetooth: hci5 command 0x040f tx timeout
[ 428.730396] Bluetooth: hci2 command 0x0419 tx timeout
[ 429.290034] Bluetooth: hci3 command 0x0419 tx timeout
[ 429.861193] Bluetooth: hci4 command 0x0419 tx timeout
[ 430.410085] Bluetooth: hci5 command 0x0419 tx timeout
[ 434.136855] ==================================================================
[ 434.144845] BUG: KASAN: use-after-free in l2cap_sock_shutdown+0x954/0xbb0
[ 434.152371] Read of size 1 at addr ffff8881e208b13e by task syz-executor293/12934
[ 434.160075]
[ 434.161794] CPU: 1 PID: 12934 Comm: syz-executor293 Not tainted 4.14.221-syzkaller #0
[ 434.170442] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 434.179991] Call Trace:
[ 434.182584] dump_stack+0x14b/0x1e7
[ 434.186313] ? l2cap_sock_shutdown+0x954/0xbb0
[ 434.190983] print_address_description.cold.6+0x9/0x1ca
[ 434.196442] ? l2cap_sock_shutdown+0x954/0xbb0
[ 434.201216] kasan_report.cold.7+0x11a/0x2d3
[ 434.205916] __asan_report_load1_noabort+0x14/0x20
[ 434.211158] l2cap_sock_shutdown+0x954/0xbb0
[ 434.215918] ? trace_hardirqs_on+0x10/0x10
[ 434.220243] ? l2cap_sock_teardown_cb+0x3e0/0x3e0
[ 434.225269] ? __lock_acquire+0x701/0x42d0
[ 434.229730] ? bt_sock_unlink+0x10b/0x150
[ 434.233979] ? lock_downgrade+0x7f0/0x7f0
[ 434.238433] ? _raw_write_unlock+0x2c/0x50
[ 434.242948] l2cap_sock_release+0x60/0x230
[ 434.247712] __sock_release+0xc2/0x2a0
[ 434.251893] sock_close+0x10/0x20
[ 434.255443] __fput+0x232/0x740
[ 434.258723] ? _raw_spin_unlock_irq+0x27/0x90
[ 434.263221] ____fput+0x9/0x10
[ 434.266418] task_work_run+0xe5/0x170
[ 434.270343] exit_to_usermode_loop+0x14a/0x190
[ 434.275071] do_syscall_64+0x416/0x5b0
[ 434.279312] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 434.284171] entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 434.289536] RIP: 0033:0x406fcb
[ 434.292726] RSP: 002b:00007fffd8a8ef90 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
[ 434.300608] RAX: 0000000000000000 RBX: 0000000000000005 RCX: 0000000000406fcb
[ 434.307971] RDX: ffffffffffffffb8 RSI: 00000000400443c8 RDI: 0000000000000004
[ 434.315339] RBP: 0000000000000000 R08: 0000000000000000 R09: 0404040400000015
[ 434.322962] R10: 0000000000000000 R11: 0000000000000293 R12: 000000000006a002
[ 434.330404] R13: 00007fffd8a8f010 R14: 00007fffd8a8f000 R15: 00007fffd8a8efc0
[ 434.337858]
[ 434.339676] Allocated by task 12934:
[ 434.343500] save_stack_trace+0x16/0x20
[ 434.347590] kasan_kmalloc.part.1+0x62/0xf0
[ 434.351999] kasan_kmalloc+0xaf/0xc0
[ 434.355715] kmem_cache_alloc_trace+0x152/0x3f0
[ 434.360501] l2cap_chan_create+0x41/0x380
[ 434.364871] l2cap_sock_alloc.constprop.4+0x150/0x1e0
[ 434.370333] l2cap_sock_create+0xb5/0x180
[ 434.374570] bt_sock_create+0x121/0x260
[ 434.378546] __sock_create+0x262/0x540
[ 434.382435] SyS_socket+0xd5/0x1e0
[ 434.386088] do_syscall_64+0x1c7/0x5b0
[ 434.389975] entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 434.395243]
[ 434.397109] Freed by task 4632:
[ 434.400603] save_stack_trace+0x16/0x20
[ 434.404697] kasan_slab_free+0xab/0x190
[ 434.408861] kfree+0xcc/0x270
[ 434.411974] l2cap_chan_put+0x141/0x1a0
[ 434.416040] l2cap_recv_frame+0xeca/0x9e10
[ 434.420378] l2cap_recv_acldata+0x756/0x8a0
[ 434.424971] hci_rx_work+0x5c9/0x8e0
[ 434.428784] process_one_work+0x74f/0x1620
[ 434.433192] worker_thread+0xcc/0xee0
[ 434.437090] kthread+0x338/0x400
[ 434.440545] ret_from_fork+0x24/0x30
[ 434.444434]
[ 434.446066] The buggy address belongs to the object at ffff8881e208b100
[ 434.446066] which belongs to the cache kmalloc-2048 of size 2048
[ 434.459428] The buggy address is located 62 bytes inside of
[ 434.459428] 2048-byte region [ffff8881e208b100, ffff8881e208b900)
[ 434.471979] The buggy address belongs to the page:
[ 434.477289] page:ffffea0007882280 count:1 mapcount:0 mapping:ffff8881e208a000 index:0x0 compound_mapcount: 0
[ 434.487626] flags: 0x17ffe0000008100(slab|head)
[ 434.492300] raw: 017ffe0000008100 ffff8881e208a000 0000000000000000 0000000100000003
[ 434.500536] raw: ffffea00079ef220 ffffea000765cd20 ffff8881f6000c40 0000000000000000
[ 434.508928] page dumped because: kasan: bad access detected
[ 434.514764]
[ 434.516391] Memory state around the buggy address:
[ 434.521405]  ffff8881e208b000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 434.528938]  ffff8881e208b080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 434.536657] >ffff8881e208b100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 434.544415]                                         ^
[ 434.549908]  ffff8881e208b180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 434.559512]  ffff8881e208b200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 434.567745] ==================================================================
[ 434.575288] Disabling lock debugging due to kernel taint
[ 434.591712] Kernel panic - not syncing: panic_on_warn set ...
[ 434.591712]
[ 434.599768] CPU: 1 PID: 12934 Comm: syz-executor293 Tainted: G B 4.14.221-syzkaller #0
[ 434.609394] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 434.618944] Call Trace:
[ 434.621545] dump_stack+0x14b/0x1e7
[ 434.625274] ? l2cap_sock_shutdown+0x954/0xbb0
[ 434.630096] panic+0x1b0/0x358
[ 434.633294] ? add_taint.cold.4+0x11/0x11
[ 434.637444] ? ___preempt_schedule+0x16/0x18
[ 434.642400] ? l2cap_sock_shutdown+0x954/0xbb0
[ 434.646984] kasan_end_report+0x47/0x4f
[ 434.651133] kasan_report.cold.7+0x76/0x2d3
[ 434.655743] __asan_report_load1_noabort+0x14/0x20
[ 434.661297] l2cap_sock_shutdown+0x954/0xbb0
[ 434.665909] ? trace_hardirqs_on+0x10/0x10
[ 434.670539] ? l2cap_sock_teardown_cb+0x3e0/0x3e0
[ 434.675574] ? __lock_acquire+0x701/0x42d0
[ 434.680106] ? bt_sock_unlink+0x10b/0x150
[ 434.684431] ? lock_downgrade+0x7f0/0x7f0
[ 434.688582] ? _raw_write_unlock+0x2c/0x50
[ 434.693017] l2cap_sock_release+0x60/0x230
[ 434.697280] __sock_release+0xc2/0x2a0
[ 434.701224] sock_close+0x10/0x20
[ 434.704851] __fput+0x232/0x740
[ 434.708306] ? _raw_spin_unlock_irq+0x27/0x90
[ 434.713324] ____fput+0x9/0x10
[ 434.716836] task_work_run+0xe5/0x170
[ 434.720943] exit_to_usermode_loop+0x14a/0x190
[ 434.725982] do_syscall_64+0x416/0x5b0
[ 434.730040] ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 434.735058] entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 434.740516] RIP: 0033:0x406fcb
[ 434.743876] RSP: 002b:00007fffd8a8ef90 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
[ 434.752053] RAX: 0000000000000000 RBX: 0000000000000005 RCX: 0000000000406fcb
[ 434.759523] RDX: ffffffffffffffb8 RSI: 00000000400443c8 RDI: 0000000000000004
[ 434.766792] RBP: 0000000000000000 R08: 0000000000000000 R09: 0404040400000015
[ 434.774532] R10: 0000000000000000 R11: 0000000000000293 R12: 000000000006a002
[ 434.782080] R13: 00007fffd8a8f010 R14: 00007fffd8a8f000 R15: 00007fffd8a8efc0
[ 434.791760] Kernel Offset: disabled
[ 434.795575] Rebooting in 86400 seconds..
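Triage note and worked example, added here; it is not part of the syzkaller log above and not kernel or syzkaller code. The report contains everything a first-pass triage needs, spread over several sections: the faulting 1-byte read is at ffff8881e208b13e, 62 bytes into a 2048-byte kmalloc object that l2cap_chan_create() allocated from socket(2) in task 12934, that l2cap_chan_put() freed on the hci_rx_work receive path in task 4632, and that l2cap_sock_shutdown() touches again while task 12934 is in close(2) on fd 4 (ORIG_RAX 3, RDI 4); the shadow byte fb at that address marks freed kmalloc memory. That the free happened in a different task on the receive path, not in the closing task, is the signal that this is a race between the HCI RX worker and socket teardown rather than a plain double use. The Python below takes a constructed, abridged copy of these lines as input, pulls those fields out, skips the unreliable "? " frames, decodes the shadow byte, and cross-checks offset, region, shadow and headline symbol against each other before the summary is trusted. The helper names (parse_kasan_report, cross_check, summarize) and the small x86-64 syscall table are ours.

```python
"""Triage helper for a syzkaller KASAN report (added example, not code from the log): parse it, then cross-check it."""
import re

# Constructed sample: lines copied (abridged) from the report on this page.
SAMPLE = """\
[ 434.144845] BUG: KASAN: use-after-free in l2cap_sock_shutdown+0x954/0xbb0
[ 434.152371] Read of size 1 at addr ffff8881e208b13e by task syz-executor293/12934
[ 434.179991] Call Trace:
[ 434.182584] dump_stack+0x14b/0x1e7
[ 434.186313] ? l2cap_sock_shutdown+0x954/0xbb0
[ 434.211158] l2cap_sock_shutdown+0x954/0xbb0
[ 434.292726] RSP: 002b:00007fffd8a8ef90 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
[ 434.307971] RDX: ffffffffffffffb8 RSI: 00000000400443c8 RDI: 0000000000000004
[ 434.339676] Allocated by task 12934:
[ 434.347590] kasan_kmalloc.part.1+0x62/0xf0
[ 434.360501] l2cap_chan_create+0x41/0x380
[ 434.382435] SyS_socket+0xd5/0x1e0
[ 434.397109] Freed by task 4632:
[ 434.400603] save_stack_trace+0x16/0x20
[ 434.408861] kfree+0xcc/0x270
[ 434.411974] l2cap_chan_put+0x141/0x1a0
[ 434.424971] hci_rx_work+0x5c9/0x8e0
[ 434.446066] The buggy address belongs to the object at ffff8881e208b100
[ 434.446066] which belongs to the cache kmalloc-2048 of size 2048
[ 434.459428] The buggy address is located 62 bytes inside of
[ 434.459428] 2048-byte region [ffff8881e208b100, ffff8881e208b900)
[ 434.528938] ffff8881e208b080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 434.536657] >ffff8881e208b100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
"""
TS = re.compile(r"^\[\s*\d+\.\d+\]\s?")  # dmesg timestamp prefix
FRAME = re.compile(r"^\s*(\? )?([A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+\s*$")  # one stack frame
SHADOW = re.compile(r"^\s*>?([0-9a-f]{16}):((?:\s[0-9a-f]{2}){16})\s*$")  # one shadow-memory row
def hx(s): return int(s, 16)
SYSCALLS_X86_64 = {0: "read", 1: "write", 2: "open", 3: "close", 41: "socket", 48: "shutdown"}  # subset
SHADOW_MEANING = {0x00: "accessible", 0xFB: "freed kmalloc object", 0xFC: "kmalloc redzone"}  # mm/kasan/kasan.h
NOISE = ("save_stack_trace", "kasan_", "__asan_", "kmem_cache_", "kfree", "kmalloc", "dump_stack", "print_address")
FIELDS = [  # (regex, field names, converters); first hit per field wins, the panic path re-dumps some
    (r"BUG: KASAN: (\S+) in ([\w.]+)", ("bug_type", "symbol"), (str, str)),
    (r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (\S+)/(\d+)",
     ("access", "size", "addr", "comm", "pid"), (str, int, hx, str, int)),
    (r"ORIG_RAX: ([0-9a-f]+)", ("syscall_nr",), (hx,)),  # syscall number the task was in
    (r"\bRDI: ([0-9a-f]+)", ("arg0",), (hx,)),           # its first argument (the fd for close)
    (r"belongs to the object at ([0-9a-f]+)", ("object_base",), (hx,)),
    (r"belongs to the cache (\S+) of size (\d+)", ("cache", "object_size"), (str, int)),
    (r"located (\d+) bytes inside of", ("offset",), (int,)),
    (r"region \[([0-9a-f]+), ([0-9a-f]+)\)", ("region_start", "region_end"), (hx, hx)),
]

def parse_kasan_report(text: str) -> dict:
    r: dict = {"call_trace": [], "alloc_stack": [], "free_stack": [], "shadow": {}}
    stack = None  # list currently collecting frames, or None outside a stack section
    for line in (TS.sub("", ln) for ln in text.splitlines()):
        if (m := FRAME.match(line)) and stack is not None:
            if not m.group(1):  # "? " frames are stale stack slots, not confirmed callers
                stack.append(m.group(2))
            continue
        stack = None
        if line.startswith("Call Trace:"):
            stack = r["call_trace"]
        elif m := re.match(r"(Allocated|Freed) by task (\d+):", line):
            key = "alloc" if m.group(1) == "Allocated" else "free"
            r[key + "_task"], stack = int(m.group(2)), r[key + "_stack"]
        elif m := SHADOW.match(line):
            r["shadow"][hx(m.group(1))] = [hx(b) for b in m.group(2).split()]
        else:
            for pattern, names, convs in FIELDS:
                if (m := re.search(pattern, line)) and names[0] not in r:
                    r.update(zip(names, (c(v) for c, v in zip(convs, m.groups()))))
                    break
    return r

def shadow_byte(r: dict, addr=None):
    """Shadow byte covering addr: one byte per 8 bytes of memory, 16 bytes (128 B) per dumped row."""
    addr = r["addr"] if addr is None else addr
    row = r["shadow"].get(addr & ~0x7F)
    return None if row is None else row[(addr & 0x7F) >> 3]

def first_subsystem_frame(stack) -> str:  # first frame that is not allocator/instrumentation noise
    return next((f for f in stack if not f.startswith(NOISE)), "")

def cross_check(r: dict) -> list:  # consistency checks before trusting the headline; returns failures
    checks = [
        (r["addr"] - r["object_base"] == r["offset"], "offset != addr - object_base"),
        (r["region_start"] <= r["addr"] < r["region_end"], "addr outside the reported region"),
        (r["region_end"] - r["region_start"] == r["object_size"], "region length != cache object size"),
        (r["bug_type"] != "use-after-free" or shadow_byte(r) == 0xFB, "shadow byte is not 'freed kmalloc' (fb)"),
        (first_subsystem_frame(r["call_trace"]) == r["symbol"], "headline symbol is not the first real frame"),
    ]
    return [msg for ok, msg in checks if not ok]

def summarize(r: dict) -> dict:
    return {
        "bug": f'{r["bug_type"]} in {r["symbol"]} ({r["size"]}-byte {r["access"].lower()} at +{r["offset"]} into {r["cache"]})',
        "trigger": f'{r["comm"]}/{r["pid"]} in {SYSCALLS_X86_64.get(r["syscall_nr"], r["syscall_nr"])}({r["arg0"]})',
        "allocated": f'task {r["alloc_task"]} via {first_subsystem_frame(r["alloc_stack"])}',
        "freed": f'task {r["free_task"]} via {first_subsystem_frame(r["free_stack"])}',
        "freed_by_other_task": r["free_task"] != r["pid"],  # two contexts raced on one object
        "shadow": SHADOW_MEANING.get(shadow_byte(r), "unknown"),
        "problems": cross_check(r),
    }
```

Running summarize(parse_kasan_report(SAMPLE)) yields the one-screen record: use-after-free in l2cap_sock_shutdown, 1-byte read at +62 into kmalloc-2048, triggered by syz-executor293/12934 in close(4), allocated by task 12934 via l2cap_chan_create, freed by task 4632 via l2cap_chan_put, freed_by_other_task True, shadow "freed kmalloc object", and no consistency problems. Feeding the full log works the same way because the timestamp prefix is stripped per line and only the first occurrence of each field is kept, so the panic path's second dump of the call trace and registers does not overwrite the first.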