[ OK ] Reached target Graphical Interface.
       Starting Update UTMP about System Runlevel Changes...
       Starting Load/Save RF Kill Switch Status...
[ OK ] Started Update UTMP about System Runlevel Changes.
[ OK ] Started Load/Save RF Kill Switch Status.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.0.100' (ECDSA) to the list of known hosts.
2020/08/10 04:49:55 parsed 1 programs
2020/08/10 04:49:56 executed programs: 0
syzkaller login: [ 1048.184354] audit: type=1400 audit(1597034996.135:8): avc: denied { execmem } for pid=6381 comm="syz-executor.0" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=1
[ 1048.216103] IPVS: ftp: loaded support on port[0] = 21
[ 1048.296470] chnl_net:caif_netlink_parms(): no params data found
[ 1048.397080] bridge0: port 1(bridge_slave_0) entered blocking state
[ 1048.403890] bridge0: port 1(bridge_slave_0) entered disabled state
[ 1048.410822] device bridge_slave_0 entered promiscuous mode
[ 1048.418744] bridge0: port 2(bridge_slave_1) entered blocking state
[ 1048.425757] bridge0: port 2(bridge_slave_1) entered disabled state
[ 1048.432935] device bridge_slave_1 entered promiscuous mode
[ 1048.449290] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 1048.458104] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 1048.475615] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 1048.482790] team0: Port device team_slave_0 added
[ 1048.488130] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 1048.496188] team0: Port device team_slave_1 added
[ 1048.510912] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 1048.517179] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 1048.542483] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[ 1048.553721] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 1048.559937] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 1048.585181] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[ 1048.595659] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[ 1048.603194] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[ 1048.621434] device hsr_slave_0 entered promiscuous mode
[ 1048.627020] device hsr_slave_1 entered promiscuous mode
[ 1048.633660] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready
[ 1048.640560] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_1: link is not ready
[ 1048.701468] bridge0: port 2(bridge_slave_1) entered blocking state
[ 1048.707958] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 1048.715097] bridge0: port 1(bridge_slave_0) entered blocking state
[ 1048.721543] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 1048.752080] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[ 1048.758158] 8021q: adding VLAN 0 to HW filter on device bond0
[ 1048.768755] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 1048.777740] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 1048.796335] bridge0: port 1(bridge_slave_0) entered disabled state
[ 1048.803879] bridge0: port 2(bridge_slave_1) entered disabled state
[ 1048.813707] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready
[ 1048.819778] 8021q: adding VLAN 0 to HW filter on device team0
[ 1048.828860] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 1048.836619] bridge0: port 1(bridge_slave_0) entered blocking state
[ 1048.843010] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 1048.852692] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 1048.860256] bridge0: port 2(bridge_slave_1) entered blocking state
[ 1048.866691] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 1048.880508] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 1048.889672] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 1048.899240] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 1048.909398] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 1048.919942] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 1048.928788] IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready
[ 1048.935082] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 1048.947059] IPv6: ADDRCONF(NETDEV_UP): vxcan0: link is not ready
[ 1048.954713] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 1048.961752] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 1048.972379] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 1049.022914] IPv6: ADDRCONF(NETDEV_UP): veth0_virt_wifi: link is not ready
[ 1049.033113] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 1049.063571] IPv6: ADDRCONF(NETDEV_UP): veth0_vlan: link is not ready
[ 1049.070443] IPv6: ADDRCONF(NETDEV_UP): vlan0: link is not ready
[ 1049.077781] IPv6: ADDRCONF(NETDEV_UP): vlan1: link is not ready
[ 1049.087890] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 1049.095699] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 1049.102780] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 1049.111383] device veth0_vlan entered promiscuous mode
[ 1049.120671] device veth1_vlan entered promiscuous mode
[ 1049.126816] IPv6: ADDRCONF(NETDEV_UP): macvlan0: link is not ready
[ 1049.137078] IPv6: ADDRCONF(NETDEV_UP): macvlan1: link is not ready
[ 1049.147774] IPv6: ADDRCONF(NETDEV_UP): veth0_macvtap: link is not ready
[ 1049.156967] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan0: link becomes ready
[ 1049.164339] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan1: link becomes ready
[ 1049.172737] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 1049.181623] device veth0_macvtap entered promiscuous mode
[ 1049.187601] IPv6: ADDRCONF(NETDEV_UP): macvtap0: link is not ready
[ 1049.196445] device veth1_macvtap entered promiscuous mode
[ 1049.204610] IPv6: ADDRCONF(NETDEV_UP): veth0_to_batadv: link is not ready
[ 1049.213903] IPv6: ADDRCONF(NETDEV_UP): veth1_to_batadv: link is not ready
[ 1049.224000] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 1049.230581] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 1049.239371] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready
[ 1049.248828] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 1049.256089] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 1049.282510] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 1052.452056] Bluetooth: hci0 command 0x0409 tx timeout
2020/08/10 04:50:01 executed programs: 181
[ 1054.536184] Bluetooth: hci0 command 0x041b tx timeout
[ 1056.611400] Bluetooth: hci0 command 0x040f tx timeout
2020/08/10 04:50:06 executed programs: 516
[ 1058.691541] Bluetooth: hci0 command 0x0419 tx timeout
2020/08/10 04:50:11 executed programs: 874
2020/08/10 04:50:16 executed programs: 1224
2020/08/10 04:50:21 executed programs: 1570
2020/08/10 04:50:26 executed programs: 1900
2020/08/10 04:50:31 executed programs: 2256
2020/08/10 04:50:36 executed programs: 2599
2020/08/10 04:50:41 executed programs: 2943
2020/08/10 04:50:46 executed programs: 3503
2020/08/10 04:50:51 executed programs: 4177
2020/08/10 04:50:56 executed programs: 4864
2020/08/10 04:51:01 executed programs: 5550
2020/08/10 04:51:06 executed programs: 6224
2020/08/10 04:51:11 executed programs: 6886
2020/08/10 04:51:16 executed programs: 7543
2020/08/10 04:51:21 executed programs: 8212
2020/08/10 04:51:26 executed programs: 8875
2020/08/10 04:51:31 executed programs: 9517
[ 1144.825305] ==================================================================
[ 1144.832848] BUG: KASAN: use-after-free in hci_chan_del+0x131/0x180
[ 1144.839192] Read of size 8 at addr ffff8880a8c933d8 by task syz-executor.0/6382
[ 1144.846622]
[ 1144.848234] CPU: 0 PID: 6382 Comm: syz-executor.0 Not tainted 4.14.193-syzkaller #0
[ 1144.856015] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 1144.865358] Call Trace:
[ 1144.867979]  dump_stack+0x1b2/0x283
[ 1144.871616]  ? l2cap_conn_del+0x670/0x670
[ 1144.875780]  print_address_description.cold+0x54/0x1d3
[ 1144.881035]  kasan_report_error.cold+0x8a/0x194
[ 1144.885683]  ? hci_chan_del+0x131/0x180
[ 1144.889631]  __asan_report_load8_noabort+0x68/0x70
[ 1144.894552]  ? hci_chan_del+0x131/0x180
[ 1144.898519]  hci_chan_del+0x131/0x180
[ 1144.902297]  l2cap_conn_del+0x417/0x670
[ 1144.906302]  ? __mutex_unlock_slowpath+0x75/0x770
[ 1144.911124]  ? l2cap_conn_del+0x670/0x670
[ 1144.915274]  l2cap_disconn_cfm+0x6b/0x80
[ 1144.919414]  hci_conn_hash_flush+0x114/0x220
[ 1144.923812]  hci_dev_do_close+0x542/0xc50
[ 1144.927991]  ? lock_downgrade+0x740/0x740
[ 1144.932212]  hci_unregister_dev+0x170/0x7a0
[ 1144.936532]  ? fcntl_setlk+0xdb0/0xdb0
[ 1144.940480]  ? vhci_close_dev+0x50/0x50
[ 1144.944463]  vhci_release+0x70/0xe0
[ 1144.948090]  __fput+0x25f/0x7a0
[ 1144.951378]  task_work_run+0x11f/0x190
[ 1144.955299]  do_exit+0xa08/0x27f0
[ 1144.958762]  ? mm_update_next_owner+0x5b0/0x5b0
[ 1144.963433]  ? vfs_write+0x319/0x4d0
[ 1144.967146]  ? SyS_write+0x14d/0x210
[ 1144.970836]  do_group_exit+0x100/0x2e0
[ 1144.974699]  SyS_exit_group+0x19/0x20
[ 1144.978484]  ? do_group_exit+0x2e0/0x2e0
[ 1144.982534]  do_syscall_64+0x1d5/0x640
[ 1144.986412]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 1144.991578] RIP: 0033:0x45ce69
[ 1144.994742] RSP: 002b:00007ffddde28d38 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 1145.002423] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000045ce69
[ 1145.009681] RDX: 00000000004168c1 RSI: 00000000016a85f0 RDI: 0000000000000043
[ 1145.016925] RBP: 00000000004c2b1b R08: 000000000000000b R09: 0000000000000000
[ 1145.024169] R10: 00000000031a5940 R11: 0000000000000246 R12: 0000000000000004
[ 1145.031419] R13: 00007ffddde28e80 R14: 0000000000117804 R15: 00007ffddde28e90
[ 1145.038675]
[ 1145.040285] Allocated by task 6382:
[ 1145.043892]  kasan_kmalloc+0xeb/0x160
[ 1145.047668]  kmem_cache_alloc_trace+0x131/0x3d0
[ 1145.052365]  sock_alloc_inode+0x5f/0x250
[ 1145.056426]  alloc_inode+0x5d/0x170
[ 1145.060068]  new_inode_pseudo+0x14/0xe0
[ 1145.064020]  sock_alloc+0x3c/0x270
[ 1145.067530]  __sock_create+0x8a/0x620
[ 1145.071301]  SyS_socket+0xd1/0x1b0
[ 1145.074826]  do_syscall_64+0x1d5/0x640
[ 1145.078690]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 1145.083861]
[ 1145.085462] Freed by task 4253:
[ 1145.088714]  kasan_slab_free+0xc3/0x1a0
[ 1145.092661]  kfree+0xc9/0x250
[ 1145.095784]  rcu_process_callbacks+0x88b/0x1180
[ 1145.100455]  __do_softirq+0x254/0xa1d
[ 1145.104228]
[ 1145.105830] The buggy address belongs to the object at ffff8880a8c933c0
[ 1145.105830]  which belongs to the cache kmalloc-128 of size 128
[ 1145.118459] The buggy address is located 24 bytes inside of
[ 1145.118459]  128-byte region [ffff8880a8c933c0, ffff8880a8c93440)
[ 1145.130218] The buggy address belongs to the page:
[ 1145.135134] page:ffffea0002a324c0 count:1 mapcount:0 mapping:ffff8880a8c93000 index:0x0
[ 1145.143251] flags: 0xfffe0000000100(slab)
[ 1145.147383] raw: 00fffe0000000100 ffff8880a8c93000 0000000000000000 0000000100000015
[ 1145.155236] raw: ffffea000285e920 ffffea00029cf3a0 ffff88812fe52640 0000000000000000
[ 1145.163095] page dumped because: kasan: bad access detected
[ 1145.168774]
[ 1145.170372] Memory state around the buggy address:
[ 1145.175275]  ffff8880a8c93280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 1145.182608]  ffff8880a8c93300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1145.189942] >ffff8880a8c93380: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 1145.197278]                                                      ^
[ 1145.203482]  ffff8880a8c93400: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 1145.210824]  ffff8880a8c93480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1145.218153] ==================================================================
[ 1145.225485] Disabling lock debugging due to kernel taint
[ 1145.235988] Kernel panic - not syncing: panic_on_warn set ...
[ 1145.235988]
[ 1145.243353] CPU: 1 PID: 6382 Comm: syz-executor.0 Tainted: G B 4.14.193-syzkaller #0
[ 1145.252357] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 1145.261694] Call Trace:
[ 1145.264260]  dump_stack+0x1b2/0x283
[ 1145.268034]  ? l2cap_conn_del+0x670/0x670
[ 1145.272189]  panic+0x1f9/0x42d
[ 1145.275423]  ? add_taint.cold+0x16/0x16
[ 1145.279379]  ? ___preempt_schedule+0x16/0x18
[ 1145.283770]  kasan_end_report+0x43/0x49
[ 1145.287738]  kasan_report_error.cold+0xa7/0x194
[ 1145.292382]  ? hci_chan_del+0x131/0x180
[ 1145.296329]  __asan_report_load8_noabort+0x68/0x70
[ 1145.301237]  ? hci_chan_del+0x131/0x180
[ 1145.305201]  hci_chan_del+0x131/0x180
[ 1145.308980]  l2cap_conn_del+0x417/0x670
[ 1145.312964]  ? __mutex_unlock_slowpath+0x75/0x770
[ 1145.317781]  ? l2cap_conn_del+0x670/0x670
[ 1145.321902]  l2cap_disconn_cfm+0x6b/0x80
[ 1145.325942]  hci_conn_hash_flush+0x114/0x220
[ 1145.330322]  hci_dev_do_close+0x542/0xc50
[ 1145.334443]  ? lock_downgrade+0x740/0x740
[ 1145.338593]  hci_unregister_dev+0x170/0x7a0
[ 1145.342888]  ? fcntl_setlk+0xdb0/0xdb0
[ 1145.346754]  ? vhci_close_dev+0x50/0x50
[ 1145.350706]  vhci_release+0x70/0xe0
[ 1145.354321]  __fput+0x25f/0x7a0
[ 1145.357584]  task_work_run+0x11f/0x190
[ 1145.361455]  do_exit+0xa08/0x27f0
[ 1145.364892]  ? mm_update_next_owner+0x5b0/0x5b0
[ 1145.369532]  ? vfs_write+0x319/0x4d0
[ 1145.373219]  ? SyS_write+0x14d/0x210
[ 1145.376903]  do_group_exit+0x100/0x2e0
[ 1145.380762]  SyS_exit_group+0x19/0x20
[ 1145.384535]  ? do_group_exit+0x2e0/0x2e0
[ 1145.388582]  do_syscall_64+0x1d5/0x640
[ 1145.392455]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 1145.397618] RIP: 0033:0x45ce69
[ 1145.400790] RSP: 002b:00007ffddde28d38 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 1145.408471] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000045ce69
[ 1145.415717] RDX: 00000000004168c1 RSI: 00000000016a85f0 RDI: 0000000000000043
[ 1145.422969] RBP: 00000000004c2b1b R08: 000000000000000b R09: 0000000000000000
[ 1145.430220] R10: 00000000031a5940 R11: 0000000000000246 R12: 0000000000000004
[ 1145.437462] R13: 00007ffddde28e80 R14: 0000000000117804 R15: 00007ffddde28e90
[ 1145.445837] Kernel Offset: disabled
[ 1145.449459] Rebooting in 86400 seconds..
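The KASAN report above carries everything needed to decide what kind of bug this is before anyone opens a debugger: the faulting frame, the object the address falls in, the allocation and free stacks, and the shadow bytes around the address. The script below is an added triage example written for this page; it is not syzkaller's own report parser (pkg/report, which is in Go) and not kernel code. It parses an excerpt of the report (the sample lines are copied from the log above, with some frames dropped), decodes the shadow byte at the faulting address using the generic-KASAN encoding from the kernel's mm/kasan/kasan.h, and cross-checks the report's own "24 bytes inside" claim against the addresses it prints. The NOISE prefix list that skips sanitizer and allocator frames is this example's own heuristic, a simplified form of the guilty-frame rule syzkaller applies.

```python
import re

# Excerpt of the KASAN report on this page (some frames dropped for brevity;
# the full trace is in the log above), used here as the sample input.
REPORT = """\
[ 1144.832848] BUG: KASAN: use-after-free in hci_chan_del+0x131/0x180
[ 1144.839192] Read of size 8 at addr ffff8880a8c933d8 by task syz-executor.0/6382
[ 1144.865358] Call Trace:
[ 1144.867979]  dump_stack+0x1b2/0x283
[ 1144.871616]  ? l2cap_conn_del+0x670/0x670
[ 1144.889631]  __asan_report_load8_noabort+0x68/0x70
[ 1144.898519]  hci_chan_del+0x131/0x180
[ 1145.038675]
[ 1145.040285] Allocated by task 6382:
[ 1145.047668]  kmem_cache_alloc_trace+0x131/0x3d0
[ 1145.052365]  sock_alloc_inode+0x5f/0x250
[ 1145.083861]
[ 1145.085462] Freed by task 4253:
[ 1145.092661]  kfree+0xc9/0x250
[ 1145.095784]  rcu_process_callbacks+0x88b/0x1180
[ 1145.104228]
[ 1145.105830] The buggy address belongs to the object at ffff8880a8c933c0
[ 1145.105830]  which belongs to the cache kmalloc-128 of size 128
[ 1145.118459] The buggy address is located 24 bytes inside of
[ 1145.189942] >ffff8880a8c93380: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
"""

# Heap-related shadow values of generic (software) KASAN, from the kernel's
# mm/kasan/kasan.h; one shadow byte covers 8 bytes and a printed row holds 16.
# Tag-based KASAN (arm64) encodes shadow differently and is not handled here.
SHADOW_SCALE = 8
SHADOW_MEANING = {0x00: "addressable", 0xfa: "global redzone",
                  0xfb: "freed slab object (KASAN_KMALLOC_FREE)",
                  0xfc: "slab object redzone (KASAN_KMALLOC_REDZONE)",
                  0xfe: "kmalloc_large page redzone", 0xff: "freed page"}
TS = re.compile(r"^\[\s*\d+\.\d+\]\s?")
FRAME = re.compile(r"^\s*(\?\s+)?([\w.]+\+0x[0-9a-f]+/0x[0-9a-f]+)$")
SHADOW_ROW = re.compile(r"^>?\s?([0-9a-f]{16}):((?:\s[0-9a-f]{2}){16})$")
# Sanitizer and allocator frames never own a bug; they are skipped when picking
# the frame to blame (this example's heuristic, not syzkaller's exact rule).
NOISE = ("dump_stack", "print_address_description", "kasan_", "__asan_",
         "kmem_cache_", "kfree", "__kmalloc", "kmalloc")

def parse_kasan_report(text):
    """Pull the structured fields out of a generic-KASAN report."""
    r = {"call_trace": [], "alloc": [], "free": [], "shadow": {}}
    section = None
    for line in (TS.sub("", l).rstrip() for l in text.splitlines()):
        if m := re.match(r"BUG: KASAN: (\S+) in (\S+)", line):
            r["bug"], r["in"] = m.groups()
        elif m := re.match(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (\S+)", line):
            r["access"], r["size"], r["addr"], r["task"] = m[1], int(m[2]), int(m[3], 16), m[4]
        elif m := re.match(r"(Allocated|Freed) by task (\d+):", line):
            section = "alloc" if m[1] == "Allocated" else "free"
            r[section + "_task"] = int(m[2])
        elif line == "Call Trace:":
            section = "call_trace"
        elif m := re.match(r"The buggy address belongs to the object at ([0-9a-f]+)", line):
            r["obj"] = int(m[1], 16)
        elif m := re.match(r"\s*which belongs to the cache (\S+) of size (\d+)", line):
            r["cache"], r["obj_size"] = m[1], int(m[2])
        elif m := re.match(r"The buggy address is located (\d+) bytes inside of", line):
            r["reported_offset"] = int(m[1])
        elif m := SHADOW_ROW.match(line):
            r["shadow"][int(m[1], 16)] = [int(b, 16) for b in m[2].split()]
        elif section and (m := FRAME.match(line)):
            if not m[1]:            # "? " marks a stale stack slot; drop it
                r[section].append(m[2])
        elif not line:              # a blank line ends the current stack
            section = None
    return r

def shadow_byte(report, addr):
    """Shadow byte covering addr, or None if no printed row contains it."""
    for base, row in report["shadow"].items():
        if base <= addr < base + len(row) * SHADOW_SCALE:
            return row[(addr - base) // SHADOW_SCALE]
    return None

def blame(frames):
    return next((f for f in frames if not f.startswith(NOISE)), None)

def triage(text):
    """Cross-check the report against itself and summarise what it shows."""
    r = parse_kasan_report(text)
    offset, sb = r["addr"] - r["obj"], shadow_byte(r, r["addr"])
    return {"bug": r["bug"], "guilty": blame(r["call_trace"]), "offset": offset,
            "offset_matches_report": offset == r["reported_offset"],
            "inside_object": 0 <= offset < r["obj_size"],
            "shadow": sb, "shadow_meaning": SHADOW_MEANING.get(sb, "unknown"),
            "shadow_confirms_uaf": sb == 0xfb,
            "alloc_origin": blame(r["alloc"]), "free_origin": blame(r["free"]),
            "freed_by_other_task": r["alloc_task"] != r["free_task"]}

if __name__ == "__main__":
    for key, value in triage(REPORT).items():
        print(f"{key:24} {value}")
```

Run against this report the checks all agree: the 8-byte read lands 24 bytes into a 128-byte kmalloc-128 object, the shadow byte covering that address is 0xfb (freed slab object), the object was allocated under sock_alloc_inode by the crashing task and released from an RCU callback (rcu_process_callbacks -> kfree) by a different task, and the first frame outside the sanitizer plumbing is hci_chan_del+0x131/0x180. That is a clean use-after-free on an RCU-managed object rather than a shadow-bookkeeping artefact, which is the distinction worth making before filing or deduplicating. Note that KASAN reports only the first bad access and this kernel runs with panic_on_warn, so the log ends in a panic and reboot; a second access in the same path would not be visible here.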