Warning: Permanently added '10.128.15.212' (ECDSA) to the list of known hosts.
2020/08/06 14:35:58 parsed 1 programs
2020/08/06 14:35:58 executed programs: 0
syzkaller login: [ 33.161393] audit: type=1400 audit(1596724558.691:8): avc: denied { execmem } for pid=6371 comm="syz-executor.0" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=1
[ 33.408160] IPVS: ftp: loaded support on port[0] = 21
[ 34.277803] chnl_net:caif_netlink_parms(): no params data found
[ 34.358521] bridge0: port 1(bridge_slave_0) entered blocking state
[ 34.365037] bridge0: port 1(bridge_slave_0) entered disabled state
[ 34.372554] device bridge_slave_0 entered promiscuous mode
[ 34.380207] bridge0: port 2(bridge_slave_1) entered blocking state
[ 34.386553] bridge0: port 2(bridge_slave_1) entered disabled state
[ 34.393703] device bridge_slave_1 entered promiscuous mode
[ 34.409544] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 34.418312] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 34.435002] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 34.442213] team0: Port device team_slave_0 added
[ 34.447854] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 34.454851] team0: Port device team_slave_1 added
[ 34.469176] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 34.475394] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 34.500698] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[ 34.512223] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 34.518706] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 34.543944] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[ 34.554625] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[ 34.562233] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[ 34.619929] device hsr_slave_0 entered promiscuous mode
[ 34.657015] device hsr_slave_1 entered promiscuous mode
[ 34.697385] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready
[ 34.704328] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_1: link is not ready
[ 34.763890] bridge0: port 2(bridge_slave_1) entered blocking state
[ 34.770304] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 34.777142] bridge0: port 1(bridge_slave_0) entered blocking state
[ 34.783486] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 34.811013] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[ 34.817924] 8021q: adding VLAN 0 to HW filter on device bond0
[ 34.825378] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 34.834270] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 34.853098] bridge0: port 1(bridge_slave_0) entered disabled state
[ 34.860236] bridge0: port 2(bridge_slave_1) entered disabled state
[ 34.870031] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready
[ 34.876092] 8021q: adding VLAN 0 to HW filter on device team0
[ 34.884712] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 34.892565] bridge0: port 1(bridge_slave_0) entered blocking state
[ 34.898927] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 34.917618] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 34.925133] bridge0: port 2(bridge_slave_1) entered blocking state
[ 34.931513] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 34.939532] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 34.947245] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 34.954653] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 34.965752] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
[ 34.976395] IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready
[ 34.982430] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 34.989893] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 34.997291] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 35.009812] IPv6: ADDRCONF(NETDEV_UP): vxcan0: link is not ready
[ 35.017553] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 35.024186] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 35.034784] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 35.082726] IPv6: ADDRCONF(NETDEV_UP): veth0_virt_wifi: link is not ready
[ 35.092384] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 35.119620] IPv6: ADDRCONF(NETDEV_UP): veth0_vlan: link is not ready
[ 35.126441] IPv6: ADDRCONF(NETDEV_UP): vlan0: link is not ready
[ 35.134253] IPv6: ADDRCONF(NETDEV_UP): vlan1: link is not ready
[ 35.143272] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 35.151200] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 35.158317] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 35.166387] device veth0_vlan entered promiscuous mode
[ 35.175005] device veth1_vlan entered promiscuous mode
[ 35.181301] IPv6: ADDRCONF(NETDEV_UP): macvlan0: link is not ready
[ 35.193935] IPv6: ADDRCONF(NETDEV_UP): macvlan1: link is not ready
[ 35.204430] IPv6: ADDRCONF(NETDEV_UP): veth0_macvtap: link is not ready
[ 35.213679] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan0: link becomes ready
[ 35.220991] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan1: link becomes ready
[ 35.228604] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 35.238032] device veth0_macvtap entered promiscuous mode
[ 35.243986] IPv6: ADDRCONF(NETDEV_UP): macvtap0: link is not ready
[ 35.252395] device veth1_macvtap entered promiscuous mode
[ 35.260673] IPv6: ADDRCONF(NETDEV_UP): veth0_to_batadv: link is not ready
[ 35.268426] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 35.275449] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready
[ 35.284207] IPv6: ADDRCONF(NETDEV_UP): veth1_to_batadv: link is not ready
[ 35.293040] IPv6: ADDRCONF(NETDEV_UP): batadv_slave_0: link is not ready
[ 35.300479] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 35.307371] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready
[ 35.314923] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 35.325472] IPv6: ADDRCONF(NETDEV_UP): batadv_slave_1: link is not ready
[ 35.332470] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 35.339320] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready
[ 35.347480] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
2020/08/06 14:36:03 executed programs: 47
[ 38.536463] Bluetooth: hci0 command 0x0409 tx timeout
[ 40.615013] Bluetooth: hci0 command 0x041b tx timeout
[ 42.694205] Bluetooth: hci0 command 0x040f tx timeout
2020/08/06 14:36:08 executed programs: 446
[ 43.444953] ==================================================================
[ 43.452381] BUG: KASAN: use-after-free in hci_chan_del+0x131/0x180
[ 43.458674] Read of size 8 at addr ffff8880a4848cd8 by task syz-executor.0/6372
[ 43.466090]
[ 43.467728] CPU: 0 PID: 6372 Comm: syz-executor.0 Not tainted 4.14.192-syzkaller #0
[ 43.475528] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 43.484854] Call Trace:
[ 43.487418]  dump_stack+0x1b2/0x283
[ 43.491017]  ? l2cap_conn_del+0x670/0x670
[ 43.495140]  print_address_description.cold+0x54/0x1d3
[ 43.500391]  kasan_report_error.cold+0x8a/0x194
[ 43.505032]  ? hci_chan_del+0x131/0x180
[ 43.508979]  __asan_report_load8_noabort+0x68/0x70
[ 43.513887]  ? hci_chan_del+0x131/0x180
[ 43.517833]  hci_chan_del+0x131/0x180
[ 43.521604]  l2cap_conn_del+0x417/0x670
[ 43.525551]  ? __mutex_unlock_slowpath+0x75/0x770
[ 43.530370]  ? l2cap_conn_del+0x670/0x670
[ 43.534488]  l2cap_disconn_cfm+0x6b/0x80
[ 43.538567]  hci_conn_hash_flush+0x114/0x220
[ 43.542949]  hci_dev_do_close+0x542/0xc50
[ 43.547072]  ? lock_downgrade+0x740/0x740
[ 43.551196]  hci_unregister_dev+0x170/0x7a0
[ 43.555494]  ? fcntl_setlk+0xdb0/0xdb0
[ 43.559357]  ? vhci_close_dev+0x50/0x50
[ 43.563306]  vhci_release+0x70/0xe0
[ 43.566908]  __fput+0x25f/0x7a0
[ 43.570164]  task_work_run+0x11f/0x190
[ 43.574026]  do_exit+0xa08/0x27f0
[ 43.577453]  ? mm_update_next_owner+0x5b0/0x5b0
[ 43.582094]  ? vfs_write+0x319/0x4d0
[ 43.585781]  ? SyS_write+0x14d/0x210
[ 43.589467]  do_group_exit+0x100/0x2e0
[ 43.593328]  SyS_exit_group+0x19/0x20
[ 43.597101]  ? do_group_exit+0x2e0/0x2e0
[ 43.601134]  do_syscall_64+0x1d5/0x640
[ 43.604997]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 43.610193] RIP: 0033:0x45ccd9
[ 43.613361] RSP: 002b:00007ffc221cddd8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 43.621042] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000045ccd9
[ 43.628283] RDX: 0000000000416731 RSI: 0000000000ca85f0 RDI: 0000000000000043
[ 43.635525] RBP: 00000000004c2963 R08: 000000000000000b R09: 0000000000000000
[ 43.642768] R10: 0000000001ff7940 R11: 0000000000000246 R12: 0000000000000007
[ 43.650009] R13: 00007ffc221cdf20 R14: 000000000000a963 R15: 00007ffc221cdf30
[ 43.657259]
[ 43.658858] Allocated by task 6372:
[ 43.662458]  kasan_kmalloc+0xeb/0x160
[ 43.666233]  kmem_cache_alloc_trace+0x131/0x3d0
[ 43.670875]  sock_alloc_inode+0x5f/0x250
[ 43.674907]  alloc_inode+0x5d/0x170
[ 43.678515]  new_inode_pseudo+0x14/0xe0
[ 43.682498]  sock_alloc+0x3c/0x270
[ 43.686010]  __sock_create+0x8a/0x620
[ 43.689784]  SyS_socket+0xd1/0x1b0
[ 43.693294]  do_syscall_64+0x1d5/0x640
[ 43.697154]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 43.702310]
[ 43.703909] Freed by task 7:
[ 43.706900]  kasan_slab_free+0xc3/0x1a0
[ 43.710842]  kfree+0xc9/0x250
[ 43.713918]  rcu_process_callbacks+0x88b/0x1180
[ 43.718595]  __do_softirq+0x254/0xa1d
[ 43.722364]
[ 43.723965] The buggy address belongs to the object at ffff8880a4848cc0
[ 43.723965]  which belongs to the cache kmalloc-128 of size 128
[ 43.736603] The buggy address is located 24 bytes inside of
[ 43.736603]  128-byte region [ffff8880a4848cc0, ffff8880a4848d40)
[ 43.748360] The buggy address belongs to the page:
[ 43.753260] page:ffffea0002921200 count:1 mapcount:0 mapping:ffff8880a4848000 index:0x0
[ 43.761403] flags: 0xfffe0000000100(slab)
[ 43.765524] raw: 00fffe0000000100 ffff8880a4848000 0000000000000000 0000000100000015
[ 43.773376] raw: ffffea00029e2260 ffffea0002a21fe0 ffff88812fe52640 0000000000000000
[ 43.781226] page dumped because: kasan: bad access detected
[ 43.786904]
[ 43.788504] Memory state around the buggy address:
[ 43.793404]  ffff8880a4848b80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 43.800734]  ffff8880a4848c00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 43.808065] >ffff8880a4848c80: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 43.815394]                                                     ^
[ 43.821605]  ffff8880a4848d00: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 43.828935]  ffff8880a4848d80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 43.836270] ==================================================================
[ 43.843608] Disabling lock debugging due to kernel taint
[ 43.849118] Kernel panic - not syncing: panic_on_warn set ...
[ 43.849118]
[ 43.856469] CPU: 0 PID: 6372 Comm: syz-executor.0 Tainted: G B 4.14.192-syzkaller #0
[ 43.865463] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 43.874806] Call Trace:
[ 43.877381]  dump_stack+0x1b2/0x283
[ 43.880991]  ? l2cap_conn_del+0x670/0x670
[ 43.885112]  panic+0x1f9/0x42d
[ 43.888277]  ? add_taint.cold+0x16/0x16
[ 43.892226]  kasan_end_report+0x43/0x49
[ 43.896173]  kasan_report_error.cold+0xa7/0x194
[ 43.900811]  ? hci_chan_del+0x131/0x180
[ 43.904759]  __asan_report_load8_noabort+0x68/0x70
[ 43.909662]  ? hci_chan_del+0x131/0x180
[ 43.913608]  hci_chan_del+0x131/0x180
[ 43.917382]  l2cap_conn_del+0x417/0x670
[ 43.921339]  ? __mutex_unlock_slowpath+0x75/0x770
[ 43.926151]  ? l2cap_conn_del+0x670/0x670
[ 43.930269]  l2cap_disconn_cfm+0x6b/0x80
[ 43.934311]  hci_conn_hash_flush+0x114/0x220
[ 43.938708]  hci_dev_do_close+0x542/0xc50
[ 43.942827]  ? lock_downgrade+0x740/0x740
[ 43.946947]  hci_unregister_dev+0x170/0x7a0
[ 43.951253]  ? fcntl_setlk+0xdb0/0xdb0
[ 43.955112]  ? vhci_close_dev+0x50/0x50
[ 43.959054]  vhci_release+0x70/0xe0
[ 43.962652]  __fput+0x25f/0x7a0
[ 43.965905]  task_work_run+0x11f/0x190
[ 43.969763]  do_exit+0xa08/0x27f0
[ 43.973191]  ? mm_update_next_owner+0x5b0/0x5b0
[ 43.977837]  ? vfs_write+0x319/0x4d0
[ 43.981522]  ? SyS_write+0x14d/0x210
[ 43.985207]  do_group_exit+0x100/0x2e0
[ 43.989064]  SyS_exit_group+0x19/0x20
[ 43.992836]  ? do_group_exit+0x2e0/0x2e0
[ 43.996870]  do_syscall_64+0x1d5/0x640
[ 44.000732]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 44.005893] RIP: 0033:0x45ccd9
[ 44.009107] RSP: 002b:00007ffc221cddd8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 44.016786] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000045ccd9
[ 44.024026] RDX: 0000000000416731 RSI: 0000000000ca85f0 RDI: 0000000000000043
[ 44.031266] RBP: 00000000004c2963 R08: 000000000000000b R09: 0000000000000000
[ 44.038512] R10: 0000000001ff7940 R11: 0000000000000246 R12: 0000000000000007
[ 44.045754] R13: 00007ffc221cdf20 R14: 000000000000a963 R15: 00007ffc221cdf30
[ 44.054237] Kernel Offset: disabled
[ 44.057845] Rebooting in 86400 seconds..