Warning: Permanently added '10.128.0.238' (ECDSA) to the list of known hosts.
syzkaller login: [ 36.017400] audit: type=1400 audit(1596648661.760:8): avc: denied { execmem } for pid=6339 comm="syz-executor709" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=1
[ 36.286521] IPVS: ftp: loaded support on port[0] = 21
[ 37.098699] chnl_net:caif_netlink_parms(): no params data found
[ 37.238193] bridge0: port 1(bridge_slave_0) entered blocking state
[ 37.244924] bridge0: port 1(bridge_slave_0) entered disabled state
[ 37.253046] device bridge_slave_0 entered promiscuous mode
[ 37.261085] bridge0: port 2(bridge_slave_1) entered blocking state
[ 37.267726] bridge0: port 2(bridge_slave_1) entered disabled state
[ 37.274590] device bridge_slave_1 entered promiscuous mode
[ 37.291122] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 37.300178] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 37.318019] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 37.325356] team0: Port device team_slave_0 added
[ 37.330862] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 37.339061] team0: Port device team_slave_1 added
[ 37.353998] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 37.360406] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 37.385762] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[ 37.397187] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 37.403607] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 37.429213] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[ 37.440424] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[ 37.447990] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[ 37.507405] device hsr_slave_0 entered promiscuous mode
[ 37.545187] device hsr_slave_1 entered promiscuous mode
[ 37.595620] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready
[ 37.602675] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_1: link is not ready
[ 37.663774] bridge0: port 2(bridge_slave_1) entered blocking state
[ 37.670194] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 37.677067] bridge0: port 1(bridge_slave_0) entered blocking state
[ 37.683410] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 37.711180] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[ 37.717907] 8021q: adding VLAN 0 to HW filter on device bond0
[ 37.725751] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 37.733584] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 37.752054] bridge0: port 1(bridge_slave_0) entered disabled state
[ 37.759421] bridge0: port 2(bridge_slave_1) entered disabled state
[ 37.770163] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready
[ 37.776373] 8021q: adding VLAN 0 to HW filter on device team0
[ 37.784554] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 37.792654] bridge0: port 1(bridge_slave_0) entered blocking state
[ 37.799041] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 37.808410] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 37.816034] bridge0: port 2(bridge_slave_1) entered blocking state
[ 37.822609] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 37.836362] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 37.843948] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 37.852767] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 37.865258] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 37.872676] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 37.881360] IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready
[ 37.887393] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 37.899576] IPv6: ADDRCONF(NETDEV_UP): vxcan0: link is not ready
[ 37.906733] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 37.913336] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 37.923884] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 37.972201] IPv6: ADDRCONF(NETDEV_UP): veth0_virt_wifi: link is not ready
[ 37.981882] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 38.013065] IPv6: ADDRCONF(NETDEV_UP): veth0_vlan: link is not ready
[ 38.020661] IPv6: ADDRCONF(NETDEV_UP): vlan0: link is not ready
[ 38.028091] IPv6: ADDRCONF(NETDEV_UP): vlan1: link is not ready
[ 38.037472] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 38.045906] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 38.052685] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 38.061897] device veth0_vlan entered promiscuous mode
[ 38.070543] device veth1_vlan entered promiscuous mode
[ 38.076624] IPv6: ADDRCONF(NETDEV_UP): macvlan0: link is not ready
[ 38.085170] IPv6: ADDRCONF(NETDEV_UP): macvlan1: link is not ready
[ 38.091634] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 38.099008] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan0: link becomes ready
[ 38.106899] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan1: link becomes ready
[ 38.118687] IPv6: ADDRCONF(NETDEV_UP): veth0_macvtap: link is not ready
[ 38.127170] IPv6: ADDRCONF(NETDEV_UP): veth1_macvtap: link is not ready
[ 38.133943] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_macvtap: link becomes ready
[ 38.141757] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 38.151243] device veth0_macvtap entered promiscuous mode
[ 38.157375] IPv6: ADDRCONF(NETDEV_UP): macvtap0: link is not ready
[ 38.166577] device veth1_macvtap entered promiscuous mode
[ 38.172555] IPv6: ADDRCONF(NETDEV_UP): macsec0: link is not ready
[ 38.181198] IPv6: ADDRCONF(NETDEV_UP): veth0_to_batadv: link is not ready
[ 38.190626] IPv6: ADDRCONF(NETDEV_UP): veth1_to_batadv: link is not ready
[ 38.200145] IPv6: ADDRCONF(NETDEV_UP): batadv_slave_0: link is not ready
[ 38.207820] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 38.215300] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready
[ 38.222448] IPv6: ADDRCONF(NETDEV_CHANGE): macsec0: link becomes ready
[ 38.229915] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready
[ 38.237696] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 38.248254] IPv6: ADDRCONF(NETDEV_UP): batadv_slave_1: link is not ready
[ 38.255580] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 38.262126] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready
[ 38.273245] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
executing program
executing program
executing program
executing program
[ 41.493836] Bluetooth: hci0 command 0x0409 tx timeout
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
[ 43.572694] Bluetooth: hci0 command 0x041b tx timeout
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
[ 45.651805] Bluetooth: hci0 command 0x040f tx timeout
executing program
executing program
executing program
executing program
executing program
[ 47.173181] NOHZ: local_softirq_pending 08
executing program
executing program
[ 47.740990] Bluetooth: hci0 command 0x0419 tx timeout
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
[ 49.810513] Bluetooth: hci0 command 0x0405 tx timeout
executing program
[ 50.243857] ==================================================================
[ 50.251430] BUG: KASAN: use-after-free in sco_chan_del+0x3b2/0x3d0
[ 50.257774] Read of size 1 at addr ffff88809485cdb5 by task syz-executor709/6725
[ 50.265277]
[ 50.266882] CPU: 0 PID: 6725 Comm: syz-executor709 Not tainted 4.14.192-syzkaller #0
[ 50.274735] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 50.284071] Call Trace:
[ 50.290634] dump_stack+0x1b2/0x283
[ 50.294248] print_address_description.cold+0x54/0x1d3
[ 50.299508] kasan_report_error.cold+0x8a/0x194
[ 50.304155] ? sco_chan_del+0x3b2/0x3d0
[ 50.308105] __asan_report_load1_noabort+0x68/0x70
[ 50.313012] ? sco_chan_del+0x3b2/0x3d0
[ 50.317002] sco_chan_del+0x3b2/0x3d0
[ 50.320876] __sco_sock_close+0xb0/0x670
[ 50.324920] sco_sock_release+0x6a/0x370
[ 50.328956] __sock_release+0xcd/0x2b0
[ 50.332820] ? __sock_release+0x2b0/0x2b0
[ 50.336941] sock_close+0x15/0x20
[ 50.340374] __fput+0x25f/0x7a0
[ 50.343643] task_work_run+0x11f/0x190
[ 50.347508] get_signal+0x18a3/0x1ca0
[ 50.351283] ? reacquire_held_locks+0xb5/0x3f0
[ 50.355840] ? sco_sock_connect+0x42b/0x860
[ 50.360140] do_signal+0x7c/0x1550
[ 50.363656] ? lock_downgrade+0x740/0x740
[ 50.367778] ? check_preemption_disabled+0x35/0x240
[ 50.372775] ? setup_sigcontext+0x820/0x820
[ 50.377073] ? kick_process+0xe4/0x170
[ 50.380937] ? task_work_add+0x87/0xe0
[ 50.385241] ? sco_sock_create+0xf0/0xf0
[ 50.389274] ? fput+0xaa/0x140
[ 50.392443] ? SyS_connect+0xf6/0x240
[ 50.396219] ? SyS_accept+0x30/0x30
[ 50.399840] ? SyS_futex+0x1da/0x290
[ 50.403544] ? SyS_futex+0x1e3/0x290
[ 50.407262] ? exit_to_usermode_loop+0x41/0x200
[ 50.411961] exit_to_usermode_loop+0x160/0x200
[ 50.416546] do_syscall_64+0x4a3/0x640
[ 50.420437] entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 50.426743] RIP: 0033:0x44aa69
[ 50.429924] RSP: 002b:00007fb01d361db8 EFLAGS: 00000246 ORIG_RAX: 000000000000002a
[ 50.437606] RAX: fffffffffffffffc RBX: 00000000006e6a08 RCX: 000000000044aa69
[ 50.444851] RDX: 0000000000000008 RSI: 0000000020000000 RDI: 0000000000000004
[ 50.452122] RBP: 00000000006e6a00 R08: 0000000000000000 R09: 0000000000000000
[ 50.459367] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006e6a0c
[ 50.466612] R13: 00007ffc9f1286ff R14: 00007fb01d3629c0 R15: 00000000006e6a0c
[ 50.473876]
[ 50.475482] Allocated by task 6722:
[ 50.479089] kasan_kmalloc+0xeb/0x160
[ 50.482877] kmem_cache_alloc_trace+0x131/0x3d0
[ 50.487521] hci_conn_add+0x53/0x12f0
[ 50.491294] hci_connect_sco+0x265/0x7d0
[ 50.495329] sco_sock_connect+0x26c/0x860
[ 50.499454] SyS_connect+0x1f4/0x240
[ 50.503144] do_syscall_64+0x1d5/0x640
[ 50.507014] entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 50.512173]
[ 50.513775] Freed by task 6570:
[ 50.517028] kasan_slab_free+0xc3/0x1a0
[ 50.520979] kfree+0xc9/0x250
[ 50.524058] device_release+0xf0/0x1a0
[ 50.527915] kobject_put+0x1f3/0x2d0
[ 50.531601] put_device+0x1c/0x30
[ 50.535029] hci_conn_del+0x235/0x620
[ 50.538802] hci_phy_link_complete_evt.isra.0+0x4d0/0x6c0
[ 50.544329] hci_event_packet+0x2592/0x7c7a
[ 50.548638] hci_rx_work+0x3e6/0x970
[ 50.552341] process_one_work+0x793/0x14a0
[ 50.556573] worker_thread+0x5cc/0xff0
[ 50.560443] kthread+0x30d/0x420
[ 50.563793] ret_from_fork+0x24/0x30
[ 50.567480]
[ 50.569082] The buggy address belongs to the object at ffff88809485cd80
[ 50.569082] which belongs to the cache kmalloc-4096 of size 4096
[ 50.581883] The buggy address is located 53 bytes inside of
[ 50.581883] 4096-byte region [ffff88809485cd80, ffff88809485dd80)
[ 50.593782] The buggy address belongs to the page:
[ 50.598683] page:ffffea0002521700 count:1 mapcount:0 mapping:ffff88809485cd80 index:0x0 compound_mapcount: 0
[ 50.608624] flags: 0xfffe0000008100(slab|head)
[ 50.613180] raw: 00fffe0000008100 ffff88809485cd80 0000000000000000 0000000100000001
[ 50.621036] raw: ffffea0002519b20 ffffea00025173a0 ffff88812fe52dc0 0000000000000000
[ 50.628885] page dumped because: kasan: bad access detected
[ 50.634565]
[ 50.636164] Memory state around the buggy address:
[ 50.641065] ffff88809485cc80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 50.648394] ffff88809485cd00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 50.655733] >ffff88809485cd80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 50.663105] ^
[ 50.668045] ffff88809485ce00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 50.675423] ffff88809485ce80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 50.682755] ==================================================================
[ 50.690084] Disabling lock debugging due to kernel taint
[ 50.698518] Kernel panic - not syncing: panic_on_warn set ...
[ 50.698518]
[ 50.705904] CPU: 0 PID: 6725 Comm: syz-executor709 Tainted: G B 4.14.192-syzkaller #0
[ 50.714991] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 50.724334] Call Trace:
[ 50.726900] dump_stack+0x1b2/0x283
[ 50.730506] panic+0x1f9/0x42d
[ 50.733674] ? add_taint.cold+0x16/0x16
[ 50.737681] ? ___preempt_schedule+0x16/0x18
[ 50.742240] kasan_end_report+0x43/0x49
[ 50.746192] kasan_report_error.cold+0xa7/0x194
[ 50.750837] ? sco_chan_del+0x3b2/0x3d0
[ 50.754824] __asan_report_load1_noabort+0x68/0x70
[ 50.759727] ? sco_chan_del+0x3b2/0x3d0
[ 50.763685] sco_chan_del+0x3b2/0x3d0
[ 50.767459] __sco_sock_close+0xb0/0x670
[ 50.771611] sco_sock_release+0x6a/0x370
[ 50.775650] __sock_release+0xcd/0x2b0
[ 50.779510] ? __sock_release+0x2b0/0x2b0
[ 50.783632] sock_close+0x15/0x20
[ 50.787147] __fput+0x25f/0x7a0
[ 50.790408] task_work_run+0x11f/0x190
[ 50.794273] get_signal+0x18a3/0x1ca0
[ 50.798048] ? reacquire_held_locks+0xb5/0x3f0
[ 50.802610] ? sco_sock_connect+0x42b/0x860
[ 50.806912] do_signal+0x7c/0x1550
[ 50.810429] ? lock_downgrade+0x740/0x740
[ 50.814607] ? check_preemption_disabled+0x35/0x240
[ 50.819649] ? setup_sigcontext+0x820/0x820
[ 50.823986] ? kick_process+0xe4/0x170
[ 50.827847] ? task_work_add+0x87/0xe0
[ 50.831708] ? sco_sock_create+0xf0/0xf0
[ 50.835855] ? fput+0xaa/0x140
[ 50.839020] ? SyS_connect+0xf6/0x240
[ 50.842796] ? SyS_accept+0x30/0x30
[ 50.846427] ? SyS_futex+0x1da/0x290
[ 50.850135] ? SyS_futex+0x1e3/0x290
[ 50.853841] ? exit_to_usermode_loop+0x41/0x200
[ 50.858490] exit_to_usermode_loop+0x160/0x200
[ 50.863054] do_syscall_64+0x4a3/0x640
[ 50.866927] entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 50.872098] RIP: 0033:0x44aa69
[ 50.875263] RSP: 002b:00007fb01d361db8 EFLAGS: 00000246 ORIG_RAX: 000000000000002a
[ 50.882945] RAX: fffffffffffffffc RBX: 00000000006e6a08 RCX: 000000000044aa69
[ 50.890189] RDX: 0000000000000008 RSI: 0000000020000000 RDI: 0000000000000004
[ 50.897431] RBP: 00000000006e6a00 R08: 0000000000000000 R09: 0000000000000000
[ 50.904675] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006e6a0c
[ 50.911916] R13: 00007ffc9f1286ff R14: 00007fb01d3629c0 R15: 00000000006e6a0c
[ 50.920409] Kernel Offset: disabled
[ 50.924020] Rebooting in 86400 seconds..