Warning: Permanently added '10.128.0.78' (ECDSA) to the list of known hosts.
2019/09/15 20:42:06 parsed 1 programs
2019/09/15 20:42:07 executed programs: 0
syzkaller login: [ 469.452820][ T9764] IPVS: ftp: loaded support on port[0] = 21
[ 469.498990][ T9764] chnl_net:caif_netlink_parms(): no params data found
[ 469.520975][ T9764] bridge0: port 1(bridge_slave_0) entered blocking state
[ 469.528091][ T9764] bridge0: port 1(bridge_slave_0) entered disabled state
[ 469.535720][ T9764] device bridge_slave_0 entered promiscuous mode
[ 469.542971][ T9764] bridge0: port 2(bridge_slave_1) entered blocking state
[ 469.550015][ T9764] bridge0: port 2(bridge_slave_1) entered disabled state
[ 469.557799][ T9764] device bridge_slave_1 entered promiscuous mode
[ 469.572038][ T9764] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 469.584652][ T9764] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 469.601732][ T9764] team0: Port device team_slave_0 added
[ 469.608403][ T9764] team0: Port device team_slave_1 added
[ 469.672372][ T9764] device hsr_slave_0 entered promiscuous mode
[ 469.750899][ T9764] device hsr_slave_1 entered promiscuous mode
[ 469.816212][ T9764] bridge0: port 2(bridge_slave_1) entered blocking state
[ 469.823504][ T9764] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 469.831062][ T9764] bridge0: port 1(bridge_slave_0) entered blocking state
[ 469.838137][ T9764] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 469.863326][ T9764] 8021q: adding VLAN 0 to HW filter on device bond0
[ 469.875890][ T9766] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 469.894804][ T9766] bridge0: port 1(bridge_slave_0) entered disabled state
[ 469.902546][ T9766] bridge0: port 2(bridge_slave_1) entered disabled state
[ 469.911314][ T9766] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 469.921925][ T9764] 8021q: adding VLAN 0 to HW filter on device team0
[ 469.932001][ T3520] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 469.940357][ T3520] bridge0: port 1(bridge_slave_0) entered blocking state
[ 469.947468][ T3520] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 469.957035][ T9766] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 469.965756][ T9766] bridge0: port 2(bridge_slave_1) entered blocking state
[ 469.972964][ T9766] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 469.987903][ T3520] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 469.996693][ T3520] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 470.006775][ T9766] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 470.018145][ T3520] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 470.029127][ T9770] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 470.039515][ T9764] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 470.054905][ T9764] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 470.430943][ T9767] Bluetooth: Error in BCSP hdr checksum
[ 470.690780][ T30] Bluetooth: Error in BCSP hdr checksum
[ 472.230805][ T9770] Bluetooth: hci0: command 0x1003 tx timeout
[ 472.238139][ T9779] Bluetooth: hci0: sending frame failed (-49)
[ 474.310681][ T9770] Bluetooth: hci0: command 0x1001 tx timeout
[ 474.316969][ T9779] Bluetooth: hci0: sending frame failed (-49)
[ 476.390660][ T9766] Bluetooth: hci0: command 0x1009 tx timeout
[ 480.711465][ T9775] ==================================================================
[ 480.719638][ T9775] BUG: KASAN: use-after-free in kfree_skb+0x38/0x3c0
[ 480.726293][ T9775] Read of size 4 at addr ffff8880a273a394 by task syz-executor.0/9775
[ 480.734423][ T9775]
[ 480.736734][ T9775] CPU: 0 PID: 9775 Comm: syz-executor.0 Not tainted 5.3.0-rc8+ #0
[ 480.744704][ T9775] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 480.754746][ T9775] Call Trace:
[ 480.758077][ T9775]  dump_stack+0x172/0x1f0
[ 480.762397][ T9775]  ? kfree_skb+0x38/0x3c0
[ 480.766750][ T9775]  print_address_description.cold+0xd4/0x306
[ 480.772711][ T9775]  ? kfree_skb+0x38/0x3c0
[ 480.777018][ T9775]  ? kfree_skb+0x38/0x3c0
[ 480.781329][ T9775]  __kasan_report.cold+0x1b/0x36
[ 480.786241][ T9775]  ? kfree_skb+0x38/0x3c0
[ 480.790553][ T9775]  kasan_report+0x12/0x17
[ 480.794869][ T9775]  check_memory_region+0x134/0x1a0
[ 480.799957][ T9775]  __kasan_check_read+0x11/0x20
[ 480.804799][ T9775]  kfree_skb+0x38/0x3c0
[ 480.808982][ T9775]  bcsp_close+0xc7/0x130
[ 480.813202][ T9775]  hci_uart_tty_close+0x21e/0x280
[ 480.818199][ T9775]  ? hci_uart_close+0x50/0x50
[ 480.822852][ T9775]  tty_ldisc_close.isra.0+0x119/0x190
[ 480.828197][ T9775]  tty_ldisc_kill+0x9c/0x160
[ 480.832766][ T9775]  tty_ldisc_release+0xe9/0x2b0
[ 480.837592][ T9775]  tty_release_struct+0x1b/0x50
[ 480.842415][ T9775]  tty_release+0xbcb/0xe90
[ 480.846810][ T9775]  __fput+0x2ff/0x890
[ 480.850772][ T9775]  ? put_tty_driver+0x20/0x20
[ 480.855435][ T9775]  ____fput+0x16/0x20
[ 480.859391][ T9775]  task_work_run+0x145/0x1c0
[ 480.863959][ T9775]  exit_to_usermode_loop+0x316/0x380
[ 480.869218][ T9775]  do_syscall_64+0x5a9/0x6a0
[ 480.873834][ T9775]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 480.879700][ T9775] RIP: 0033:0x4135d1
[ 480.883572][ T9775] Code: 75 14 b8 03 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 04 1b 00 00 c3 48 83 ec 08 e8 0a fc ff ff 48 89 04 24 b8 03 00 00 00 0f 05 <48> 8b 3c 24 48 89 c2 e8 53 fc ff ff 48 89 d0 48 83 c4 08 48 3d 01
[ 480.903150][ T9775] RSP: 002b:00007ffce5e60b60 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
[ 480.911535][ T9775] RAX: 0000000000000000 RBX: 0000000000000005 RCX: 00000000004135d1
[ 480.919482][ T9775] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004
[ 480.927528][ T9775] RBP: 0000000000000001 R08: ffffffffffffffff R09: ffffffffffffffff
[ 480.935475][ T9775] R10: 00007ffce5e60c40 R11: 0000000000000293 R12: 000000000075c9a0
[ 480.943422][ T9775] R13: 000000000075c9a0 R14: 00000000007603c0 R15: ffffffffffffffff
[ 480.951384][ T9775]
[ 480.953692][ T9775] Allocated by task 30:
[ 480.957824][ T9775]  save_stack+0x23/0x90
[ 480.961956][ T9775]  __kasan_kmalloc.constprop.0+0xcf/0xe0
[ 480.967559][ T9775]  kasan_slab_alloc+0xf/0x20
[ 480.972125][ T9775]  kmem_cache_alloc_node+0x138/0x740
[ 480.977382][ T9775]  __alloc_skb+0xd5/0x5e0
[ 480.981687][ T9775]  bcsp_recv+0x8c1/0x13a0
[ 480.985990][ T9775]  hci_uart_tty_receive+0x279/0x790
[ 480.991207][ T9775]  tty_ldisc_receive_buf+0x15f/0x1c0
[ 480.996525][ T9775]  tty_port_default_receive_buf+0x7d/0xb0
[ 481.002225][ T9775]  flush_to_ldisc+0x222/0x390
[ 481.006886][ T9775]  process_one_work+0x9af/0x1740
[ 481.011802][ T9775]  worker_thread+0x98/0xe40
[ 481.016280][ T9775]  kthread+0x361/0x430
[ 481.020348][ T9775]  ret_from_fork+0x24/0x30
[ 481.024820][ T9775]
[ 481.027133][ T9775] Freed by task 30:
[ 481.030924][ T9775]  save_stack+0x23/0x90
[ 481.035061][ T9775]  __kasan_slab_free+0x102/0x150
[ 481.039970][ T9775]  kasan_slab_free+0xe/0x10
[ 481.044457][ T9775]  kmem_cache_free+0x86/0x320
[ 481.049127][ T9775]  kfree_skbmem+0xc5/0x150
[ 481.053536][ T9775]  kfree_skb+0x109/0x3c0
[ 481.057763][ T9775]  bcsp_recv+0x2d8/0x13a0
[ 481.062069][ T9775]  hci_uart_tty_receive+0x279/0x790
[ 481.067253][ T9775]  tty_ldisc_receive_buf+0x15f/0x1c0
[ 481.072512][ T9775]  tty_port_default_receive_buf+0x7d/0xb0
[ 481.078206][ T9775]  flush_to_ldisc+0x222/0x390
[ 481.082859][ T9775]  process_one_work+0x9af/0x1740
[ 481.087787][ T9775]  worker_thread+0x98/0xe40
[ 481.092438][ T9775]  kthread+0x361/0x430
[ 481.096492][ T9775]  ret_from_fork+0x24/0x30
[ 481.100887][ T9775]
[ 481.103205][ T9775] The buggy address belongs to the object at ffff8880a273a2c0
[ 481.103205][ T9775]  which belongs to the cache skbuff_head_cache of size 224
[ 481.117764][ T9775] The buggy address is located 212 bytes inside of
[ 481.117764][ T9775]  224-byte region [ffff8880a273a2c0, ffff8880a273a3a0)
[ 481.131010][ T9775] The buggy address belongs to the page:
[ 481.136678][ T9775] page:ffffea000289ce80 refcount:1 mapcount:0 mapping:ffff88821b69e540 index:0x0
[ 481.146039][ T9775] flags: 0x1fffc0000000200(slab)
[ 481.150973][ T9775] raw: 01fffc0000000200 ffffea0002935648 ffffea0002419508 ffff88821b69e540
[ 481.159807][ T9775] raw: 0000000000000000 ffff8880a273a040 000000010000000c 0000000000000000
[ 481.168623][ T9775] page dumped because: kasan: bad access detected
[ 481.175007][ T9775]
[ 481.177314][ T9775] Memory state around the buggy address:
[ 481.183104][ T9775]  ffff8880a273a280: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 481.191149][ T9775]  ffff8880a273a300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 481.199189][ T9775] >ffff8880a273a380: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
[ 481.207233][ T9775]                          ^
[ 481.211809][ T9775]  ffff8880a273a400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 481.219842][ T9775]  ffff8880a273a480: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[ 481.227886][ T9775] ==================================================================
[ 481.236246][ T9775] Kernel panic - not syncing: panic_on_warn set ...
[ 481.242841][ T9775] CPU: 0 PID: 9775 Comm: syz-executor.0 Tainted: G B 5.3.0-rc8+ #0
[ 481.252011][ T9775] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 481.262050][ T9775] Call Trace:
[ 481.265484][ T9775]  dump_stack+0x172/0x1f0
[ 481.269796][ T9775]  panic+0x2dc/0x755
[ 481.273674][ T9775]  ? add_taint.cold+0x16/0x16
[ 481.278332][ T9775]  ? kfree_skb+0x38/0x3c0
[ 481.282638][ T9775]  ? preempt_schedule+0x4b/0x60
[ 481.287466][ T9775]  ? ___preempt_schedule+0x16/0x20
[ 481.292556][ T9775]  ? trace_hardirqs_on+0x5e/0x240
[ 481.297731][ T9775]  ? kfree_skb+0x38/0x3c0
[ 481.302038][ T9775]  end_report+0x47/0x4f
[ 481.306168][ T9775]  ? kfree_skb+0x38/0x3c0
[ 481.310469][ T9775]  __kasan_report.cold+0xe/0x36
[ 481.315388][ T9775]  ? kfree_skb+0x38/0x3c0
[ 481.319690][ T9775]  kasan_report+0x12/0x17
[ 481.323997][ T9775]  check_memory_region+0x134/0x1a0
[ 481.329084][ T9775]  __kasan_check_read+0x11/0x20
[ 481.334780][ T9775]  kfree_skb+0x38/0x3c0
[ 481.338966][ T9775]  bcsp_close+0xc7/0x130
[ 481.343211][ T9775]  hci_uart_tty_close+0x21e/0x280
[ 481.348255][ T9775]  ? hci_uart_close+0x50/0x50
[ 481.352918][ T9775]  tty_ldisc_close.isra.0+0x119/0x190
[ 481.358272][ T9775]  tty_ldisc_kill+0x9c/0x160
[ 481.362852][ T9775]  tty_ldisc_release+0xe9/0x2b0
[ 481.367678][ T9775]  tty_release_struct+0x1b/0x50
[ 481.372507][ T9775]  tty_release+0xbcb/0xe90
[ 481.376918][ T9775]  __fput+0x2ff/0x890
[ 481.380880][ T9775]  ? put_tty_driver+0x20/0x20
[ 481.385531][ T9775]  ____fput+0x16/0x20
[ 481.389495][ T9775]  task_work_run+0x145/0x1c0
[ 481.394328][ T9775]  exit_to_usermode_loop+0x316/0x380
[ 481.399587][ T9775]  do_syscall_64+0x5a9/0x6a0
[ 481.404156][ T9775]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 481.410021][ T9775] RIP: 0033:0x4135d1
[ 481.413893][ T9775] Code: 75 14 b8 03 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 04 1b 00 00 c3 48 83 ec 08 e8 0a fc ff ff 48 89 04 24 b8 03 00 00 00 0f 05 <48> 8b 3c 24 48 89 c2 e8 53 fc ff ff 48 89 d0 48 83 c4 08 48 3d 01
[ 481.433480][ T9775] RSP: 002b:00007ffce5e60b60 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
[ 481.441878][ T9775] RAX: 0000000000000000 RBX: 0000000000000005 RCX: 00000000004135d1
[ 481.449832][ T9775] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004
[ 481.457785][ T9775] RBP: 0000000000000001 R08: ffffffffffffffff R09: ffffffffffffffff
[ 481.466091][ T9775] R10: 00007ffce5e60c40 R11: 0000000000000293 R12: 000000000075c9a0
[ 481.474046][ T9775] R13: 000000000075c9a0 R14: 00000000007603c0 R15: ffffffffffffffff
[ 481.483407][ T9775] Kernel Offset: disabled
[ 481.487786][ T9775] Rebooting in 86400 seconds..
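The three stacks in the report (the skb allocated by bcsp_recv, freed by bcsp_recv via kfree_skb, then touched again by kfree_skb called from bcsp_close, with two "Error in BCSP hdr checksum" lines shortly before) describe one pattern: a receive path drops a partially assembled skb on a bad header but leaves the pointer to it in per-connection state, and the close path later frees that same pointer. The C program below is an added illustration of that pattern and of the usual remedy, clearing the pointer on the error path so the close-time kfree_skb sees NULL. It is not the hci_bcsp driver's code and does not reproduce the BCSP frame format: `struct skb`, `struct bcsp_like`, the XOR header checksum, the quarantine allocator and the byte sequences fed in are all constructed for this example. The quarantine stands in for KASAN, counting a second free of the same object instead of executing it.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

#define HDR_LEN 4

/* Hypothetical stand-in for struct sk_buff: a small fixed buffer. */
struct skb {
    size_t len;
    unsigned char data[HDR_LEN];
};

/* Hypothetical per-line-discipline state, modelled on what the report's
 * stacks imply: a partially received frame kept across receive calls. */
struct bcsp_like {
    struct skb *rx_skb;
};

/* Quarantine allocator (constructed for this example, not a kernel
 * mechanism): freed skbs are remembered instead of returned to libc, so a
 * second free of the same pointer is counted rather than executed. */
#define QUARANTINE_SLOTS 16
static struct skb *quarantine[QUARANTINE_SLOTS];
static size_t quarantined;
static unsigned double_frees;

static struct skb *skb_alloc(void)
{
    return calloc(1, sizeof(struct skb));
}

static void skb_free(struct skb *s)
{
    if (!s)
        return;                 /* kfree_skb(NULL) is a no-op; mirror that */
    for (size_t i = 0; i < quarantined; i++) {
        if (quarantine[i] == s) {
            double_frees++;     /* in the kernel: the UAF KASAN reported */
            return;
        }
    }
    if (quarantined < QUARANTINE_SLOTS)
        quarantine[quarantined++] = s;
    /* when full the block is leaked rather than reused, so detection
     * stays sound for the length of this example */
}

/* Receive path. Bytes accumulate in rx_skb; once HDR_LEN bytes are present
 * the header checksum (XOR of the first three bytes, constructed here) is
 * checked. A good header "delivers" the frame; a bad one drops it.
 * `fixed` selects whether the error path also clears the pointer. */
static void bcsp_like_recv(struct bcsp_like *b, const unsigned char *buf,
                           size_t n, bool fixed)
{
    for (size_t i = 0; i < n; i++) {
        if (!b->rx_skb)
            b->rx_skb = skb_alloc();
        b->rx_skb->data[b->rx_skb->len++] = buf[i];
        if (b->rx_skb->len < HDR_LEN)
            continue;

        unsigned char sum = b->rx_skb->data[0] ^ b->rx_skb->data[1]
                          ^ b->rx_skb->data[2];
        if (sum == b->rx_skb->data[3]) {
            skb_free(b->rx_skb);    /* delivered: release and clear */
            b->rx_skb = NULL;
            continue;
        }

        fprintf(stderr, "Error in hdr checksum\n");
        skb_free(b->rx_skb);        /* drop the partial frame */
        if (fixed)
            b->rx_skb = NULL;       /* hardened: no stale pointer survives */
        /* vulnerable variant: rx_skb still points at freed memory */
    }
}

/* Close path: release whatever partial frame is still held. With a stale
 * rx_skb this is the second free the report shows under bcsp_close(). */
static void bcsp_like_close(struct bcsp_like *b)
{
    skb_free(b->rx_skb);
    b->rx_skb = NULL;
}

/* Replays the report's sequence (bad header checksum, then close) against
 * one variant and returns how many double frees the quarantine caught. */
unsigned replay(bool fixed)
{
    /* constructed input: 0x01 ^ 0x02 ^ 0x00 = 0x03, checksum byte says 0xff */
    static const unsigned char bad_hdr[HDR_LEN] = { 0x01, 0x02, 0x00, 0xff };
    struct bcsp_like b = { NULL };
    unsigned before = double_frees;

    bcsp_like_recv(&b, bad_hdr, sizeof bad_hdr, fixed);
    bcsp_like_close(&b);
    return double_frees - before;
}

/* A well-formed header must pass cleanly in both variants. */
unsigned replay_good(bool fixed)
{
    static const unsigned char good_hdr[HDR_LEN] = { 0x01, 0x02, 0x00, 0x03 };
    struct bcsp_like b = { NULL };
    unsigned before = double_frees;

    bcsp_like_recv(&b, good_hdr, sizeof good_hdr, fixed);
    bcsp_like_close(&b);
    return double_frees - before;
}

int main(void)
{
    printf("vulnerable: %u double free(s)\n", replay(false));
    printf("fixed:      %u double free(s)\n", replay(true));
    return 0;
}
```

The point of the hardened branch is that the close path is allowed to stay simple: because kfree_skb already tolerates NULL, the receive path only has to guarantee that a pointer it has freed never remains reachable, and every later teardown becomes safe without extra bookkeeping.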