[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
Starting Load/Save RF Kill Switch Status...
[ OK ] Started Update UTMP about System Runlevel Changes.
[ OK ] Started Load/Save RF Kill Switch Status.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.1.44' (ECDSA) to the list of known hosts.

syzkaller login: [ 33.949567] audit: type=1400 audit(1596379316.558:8): avc: denied { execmem } for pid=6362 comm="syz-executor275" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=1
[ 34.218717] IPVS: ftp: loaded support on port[0] = 21
[ 35.122112] chnl_net:caif_netlink_parms(): no params data found
[ 35.214471] bridge0: port 1(bridge_slave_0) entered blocking state
[ 35.221066] bridge0: port 1(bridge_slave_0) entered disabled state
[ 35.228748] device bridge_slave_0 entered promiscuous mode
[ 35.235481] bridge0: port 2(bridge_slave_1) entered blocking state
[ 35.242015] bridge0: port 2(bridge_slave_1) entered disabled state
[ 35.249820] device bridge_slave_1 entered promiscuous mode
[ 35.265504] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 35.274171] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 35.291383] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 35.298578] team0: Port device team_slave_0 added
[ 35.304433] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 35.311832] team0: Port device team_slave_1 added
[ 35.325946] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 35.332227] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 35.357561] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[ 35.369059] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 35.375277] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 35.401088] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[ 35.411703] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[ 35.419272] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[ 35.479739] device hsr_slave_0 entered promiscuous mode
[ 35.527643] device hsr_slave_1 entered promiscuous mode
[ 35.567863] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready
[ 35.574891] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_1: link is not ready
[ 35.636115] bridge0: port 2(bridge_slave_1) entered blocking state
[ 35.642561] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 35.649383] bridge0: port 1(bridge_slave_0) entered blocking state
[ 35.655733] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 35.685259] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[ 35.692198] 8021q: adding VLAN 0 to HW filter on device bond0
[ 35.700815] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 35.710203] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 35.718856] bridge0: port 1(bridge_slave_0) entered disabled state
[ 35.725756] bridge0: port 2(bridge_slave_1) entered disabled state
[ 35.736347] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready
[ 35.742742] 8021q: adding VLAN 0 to HW filter on device team0
[ 35.751231] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 35.759118] bridge0: port 1(bridge_slave_0) entered blocking state
[ 35.765440] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 35.774556] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 35.782952] bridge0: port 2(bridge_slave_1) entered blocking state
[ 35.789344] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 35.808234] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 35.815795] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 35.823650] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 35.831358] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 35.840414] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
[ 35.851334] IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready
[ 35.857810] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 35.864950] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 35.877969] IPv6: ADDRCONF(NETDEV_UP): vxcan0: link is not ready
[ 35.885073] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 35.892548] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 35.903066] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 35.953578] IPv6: ADDRCONF(NETDEV_UP): veth0_virt_wifi: link is not ready
[ 35.963347] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 35.995150] IPv6: ADDRCONF(NETDEV_UP): veth0_vlan: link is not ready
[ 36.002328] IPv6: ADDRCONF(NETDEV_UP): vlan0: link is not ready
[ 36.009554] IPv6: ADDRCONF(NETDEV_UP): vlan1: link is not ready
[ 36.018380] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 36.025759] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 36.033099] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 36.041807] device veth0_vlan entered promiscuous mode
[ 36.051016] device veth1_vlan entered promiscuous mode
[ 36.056799] IPv6: ADDRCONF(NETDEV_UP): macvlan0: link is not ready
[ 36.065918] IPv6: ADDRCONF(NETDEV_UP): macvlan1: link is not ready
[ 36.077814] IPv6: ADDRCONF(NETDEV_UP): veth0_macvtap: link is not ready
[ 36.086704] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan0: link becomes ready
[ 36.095101] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan1: link becomes ready
[ 36.102740] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 36.111507] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 36.120367] device veth0_macvtap entered promiscuous mode
[ 36.128713] device veth1_macvtap entered promiscuous mode
[ 36.136418] IPv6: ADDRCONF(NETDEV_UP): veth0_to_batadv: link is not ready
[ 36.146629] IPv6: ADDRCONF(NETDEV_UP): veth1_to_batadv: link is not ready
[ 36.156007] IPv6: ADDRCONF(NETDEV_UP): batadv_slave_0: link is not ready
[ 36.164297] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 36.171900] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready
[ 36.180103] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 36.190021] IPv6: ADDRCONF(NETDEV_UP): batadv_slave_1: link is not ready
[ 36.196894] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 36.203726] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready
[ 36.211595] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
executing program
[ 37.417256] ==================================================================
[ 37.424751] BUG: KASAN: use-after-free in hci_send_acl+0xac8/0xc60
[ 37.431074] Read of size 8 at addr ffff8880a459dd98 by task kworker/u5:1/6595
[ 37.438322]
[ 37.439942] CPU: 0 PID: 6595 Comm: kworker/u5:1 Not tainted 4.14.191-syzkaller #0
[ 37.447533] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 37.456894] Workqueue: hci0 hci_rx_work
[ 37.460841] Call Trace:
[ 37.463405] dump_stack+0x1b2/0x283
[ 37.467022] print_address_description.cold+0x54/0x1d3
[ 37.472284] kasan_report_error.cold+0x8a/0x194
[ 37.476954] ? hci_send_acl+0xac8/0xc60
[ 37.480914] __asan_report_load8_noabort+0x68/0x70
[ 37.485815] ? hci_send_acl+0xac8/0xc60
[ 37.489780] hci_send_acl+0xac8/0xc60
[ 37.493552] ? memcpy+0x35/0x50
[ 37.496812] ? l2cap_build_cmd+0x4fc/0x690
[ 37.501034] l2cap_send_cmd+0x19d/0x1f0
[ 37.504982] l2cap_recv_frame+0x5d9a/0x95c0
[ 37.509285] ? sock_dequeue_err_skb+0x391/0x3d0
[ 37.513943] ? __lock_acquire+0x5fc/0x3f20
[ 37.518169] ? l2cap_ertm_init+0xb70/0xb70
[ 37.522381] ? lock_acquire+0x170/0x3f0
[ 37.526327] ? hci_rx_work+0x278/0x970
[ 37.530190] ? trace_hardirqs_on+0x10/0x10
[ 37.534398] ? hci_rx_work+0x278/0x970
[ 37.538273] ? hci_rx_work+0x3a2/0x970
[ 37.542134] ? lock_downgrade+0x740/0x740
[ 37.546254] ? __ww_mutex_wakeup_for_backoff+0x210/0x210
[ 37.551693] ? __mutex_unlock_slowpath+0x75/0x770
[ 37.556511] l2cap_recv_acldata+0x7a6/0x8b0
[ 37.560812] hci_rx_work+0x3d1/0x970
[ 37.564502] process_one_work+0x793/0x14a0
[ 37.568718] ? work_busy+0x320/0x320
[ 37.572405] ? worker_thread+0x158/0xff0
[ 37.576442] ? _raw_spin_unlock_irq+0x24/0x80
[ 37.580916] worker_thread+0x5cc/0xff0
[ 37.584868] ? rescuer_thread+0xc80/0xc80
[ 37.589008] kthread+0x30d/0x420
[ 37.592348] ? kthread_create_on_node+0xd0/0xd0
[ 37.596997] ret_from_fork+0x24/0x30
[ 37.600708]
[ 37.602310] Allocated by task 1203:
[ 37.605910] kasan_kmalloc+0xeb/0x160
[ 37.609683] kmem_cache_alloc_trace+0x131/0x3d0
[ 37.614325] hci_chan_create+0x7c/0x300
[ 37.618275] l2cap_conn_add.part.0+0x18/0xc20
[ 37.622756] l2cap_connect_cfm+0x1d2/0xce0
[ 37.626983] hci_event_packet+0x1eb3/0x7c7a
[ 37.631299] hci_rx_work+0x3e6/0x970
[ 37.634998] process_one_work+0x793/0x14a0
[ 37.639205] worker_thread+0x5cc/0xff0
[ 37.643065] kthread+0x30d/0x420
[ 37.646408] ret_from_fork+0x24/0x30
[ 37.650096]
[ 37.651694] Freed by task 6595:
[ 37.654946] kasan_slab_free+0xc3/0x1a0
[ 37.658908] kfree+0xc9/0x250
[ 37.662009] hci_event_packet+0xeae/0x7c7a
[ 37.666213] hci_rx_work+0x3e6/0x970
[ 37.669900] process_one_work+0x793/0x14a0
[ 37.674113] worker_thread+0x5cc/0xff0
[ 37.677972] kthread+0x30d/0x420
[ 37.681310] ret_from_fork+0x24/0x30
[ 37.684990]
[ 37.686616] The buggy address belongs to the object at ffff8880a459dd80
[ 37.686616]  which belongs to the cache kmalloc-128 of size 128
[ 37.699271] The buggy address is located 24 bytes inside of
[ 37.699271]  128-byte region [ffff8880a459dd80, ffff8880a459de00)
[ 37.711036] The buggy address belongs to the page:
[ 37.715946] page:ffffea0002916740 count:1 mapcount:0 mapping:ffff8880a459d000 index:0x0
[ 37.724109] flags: 0xfffe0000000100(slab)
[ 37.728235] raw: 00fffe0000000100 ffff8880a459d000 0000000000000000 0000000100000015
[ 37.736114] raw: ffffea000290dba0 ffffea0002a2fde0 ffff88812fe52640 0000000000000000
[ 37.743972] page dumped because: kasan: bad access detected
[ 37.749655]
[ 37.751255] Memory state around the buggy address:
[ 37.756172]  ffff8880a459dc80: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 37.763506]  ffff8880a459dd00: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 37.770858] >ffff8880a459dd80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 37.778190]                             ^
[ 37.782311]  ffff8880a459de00: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 37.789662]  ffff8880a459de80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 37.797009] ==================================================================
[ 37.804340] Disabling lock debugging due to kernel taint
[ 37.816010] Kernel panic - not syncing: panic_on_warn set ...
[ 37.816010]
[ 37.823379] CPU: 0 PID: 6595 Comm: kworker/u5:1 Tainted: G B 4.14.191-syzkaller #0
[ 37.832202] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 37.841547] Workqueue: hci0 hci_rx_work
[ 37.845491] Call Trace:
[ 37.848073] dump_stack+0x1b2/0x283
[ 37.851686] panic+0x1f9/0x42d
[ 37.854850] ? add_taint.cold+0x16/0x16
[ 37.858796] ? ___preempt_schedule+0x16/0x18
[ 37.863195] kasan_end_report+0x43/0x49
[ 37.867158] kasan_report_error.cold+0xa7/0x194
[ 37.871819] ? hci_send_acl+0xac8/0xc60
[ 37.875764] __asan_report_load8_noabort+0x68/0x70
[ 37.880667] ? hci_send_acl+0xac8/0xc60
[ 37.884611] hci_send_acl+0xac8/0xc60
[ 37.888385] ? memcpy+0x35/0x50
[ 37.891638] ? l2cap_build_cmd+0x4fc/0x690
[ 37.895843] l2cap_send_cmd+0x19d/0x1f0
[ 37.899789] l2cap_recv_frame+0x5d9a/0x95c0
[ 37.904082] ? sock_dequeue_err_skb+0x391/0x3d0
[ 37.908731] ? __lock_acquire+0x5fc/0x3f20
[ 37.912950] ? l2cap_ertm_init+0xb70/0xb70
[ 37.917159] ? lock_acquire+0x170/0x3f0
[ 37.921106] ? hci_rx_work+0x278/0x970
[ 37.924963] ? trace_hardirqs_on+0x10/0x10
[ 37.929183] ? hci_rx_work+0x278/0x970
[ 37.933040] ? hci_rx_work+0x3a2/0x970
[ 37.936903] ? lock_downgrade+0x740/0x740
[ 37.941037] ? __ww_mutex_wakeup_for_backoff+0x210/0x210
[ 37.946466] ? __mutex_unlock_slowpath+0x75/0x770
[ 37.951292] l2cap_recv_acldata+0x7a6/0x8b0
[ 37.955597] hci_rx_work+0x3d1/0x970
[ 37.959287] process_one_work+0x793/0x14a0
[ 37.963494] ? work_busy+0x320/0x320
[ 37.967179] ? worker_thread+0x158/0xff0
[ 37.971212] ? _raw_spin_unlock_irq+0x24/0x80
[ 37.975679] worker_thread+0x5cc/0xff0
[ 37.979544] ? rescuer_thread+0xc80/0xc80
[ 37.983679] kthread+0x30d/0x420
[ 37.987043] ? kthread_create_on_node+0xd0/0xd0
[ 37.991686] ret_from_fork+0x24/0x30
[ 37.996423] Kernel Offset: disabled
[ 38.000043] Rebooting in 86400 seconds..