[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
Starting Load/Save RF Kill Switch Status...
[ OK ] Started Update UTMP about System Runlevel Changes.
[ OK ] Started Load/Save RF Kill Switch Status.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.15.198' (ECDSA) to the list of known hosts.
2020/08/06 17:35:22 parsed 1 programs
2020/08/06 17:35:23 executed programs: 0
syzkaller login: [ 34.359211] audit: type=1400 audit(1596735323.128:8): avc: denied { execmem } for pid=6416 comm="syz-executor.0" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=1
[ 34.618929] IPVS: ftp: loaded support on port[0] = 21
[ 35.271123] chnl_net:caif_netlink_parms(): no params data found
[ 35.440410] bridge0: port 1(bridge_slave_0) entered blocking state
[ 35.446964] bridge0: port 1(bridge_slave_0) entered disabled state
[ 35.454749] device bridge_slave_0 entered promiscuous mode
[ 35.462435] bridge0: port 2(bridge_slave_1) entered blocking state
[ 35.469017] bridge0: port 2(bridge_slave_1) entered disabled state
[ 35.475839] device bridge_slave_1 entered promiscuous mode
[ 35.492048] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 35.500666] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 35.517926] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 35.525155] team0: Port device team_slave_0 added
[ 35.531078] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 35.538354] team0: Port device team_slave_1 added
[ 35.553069] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 35.559352] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 35.584616] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[ 35.595865] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 35.602200] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 35.631363] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[ 35.641928] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[ 35.649541] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[ 35.710237] device hsr_slave_0 entered promiscuous mode
[ 35.757970] device hsr_slave_1 entered promiscuous mode
[ 35.827852] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready
[ 35.834817] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_1: link is not ready
[ 35.895887] bridge0: port 2(bridge_slave_1) entered blocking state
[ 35.902374] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 35.909229] bridge0: port 1(bridge_slave_0) entered blocking state
[ 35.915558] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 35.943706] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[ 35.950868] 8021q: adding VLAN 0 to HW filter on device bond0
[ 35.959151] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 35.969639] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 35.977951] bridge0: port 1(bridge_slave_0) entered disabled state
[ 35.984872] bridge0: port 2(bridge_slave_1) entered disabled state
[ 35.994586] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready
[ 36.000853] 8021q: adding VLAN 0 to HW filter on device team0
[ 36.009768] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 36.017381] bridge0: port 1(bridge_slave_0) entered blocking state
[ 36.023714] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 36.034565] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 36.042770] bridge0: port 2(bridge_slave_1) entered blocking state
[ 36.049276] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 36.068132] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 36.075761] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 36.083620] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 36.091840] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 36.100691] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 36.110772] IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready
[ 36.116748] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 36.129851] IPv6: ADDRCONF(NETDEV_UP): vxcan0: link is not ready
[ 36.138120] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 36.144736] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 36.156317] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 36.206012] IPv6: ADDRCONF(NETDEV_UP): veth0_virt_wifi: link is not ready
[ 36.215881] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 36.247877] IPv6: ADDRCONF(NETDEV_UP): veth0_vlan: link is not ready
[ 36.254780] IPv6: ADDRCONF(NETDEV_UP): vlan0: link is not ready
[ 36.261479] IPv6: ADDRCONF(NETDEV_UP): vlan1: link is not ready
[ 36.268358] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 36.278965] IPv6: ADDRCONF(NETDEV_UP): veth1_vlan: link is not ready
[ 36.285491] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_vlan: link becomes ready
[ 36.294399] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 36.304252] device veth0_vlan entered promiscuous mode
[ 36.311039] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 36.319236] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 36.329188] device veth1_vlan entered promiscuous mode
[ 36.334955] IPv6: ADDRCONF(NETDEV_UP): macvlan0: link is not ready
[ 36.343453] IPv6: ADDRCONF(NETDEV_UP): macvlan1: link is not ready
[ 36.354132] IPv6: ADDRCONF(NETDEV_UP): veth0_macvtap: link is not ready
[ 36.363313] IPv6: ADDRCONF(NETDEV_UP): veth1_macvtap: link is not ready
[ 36.370785] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan0: link becomes ready
[ 36.378121] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan1: link becomes ready
[ 36.385198] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_macvtap: link becomes ready
[ 36.393405] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 36.402572] device veth0_macvtap entered promiscuous mode
[ 36.409831] IPv6: ADDRCONF(NETDEV_UP): macvtap0: link is not ready
[ 36.418865] device veth1_macvtap entered promiscuous mode
[ 36.424835] IPv6: ADDRCONF(NETDEV_UP): macsec0: link is not ready
[ 36.433397] IPv6: ADDRCONF(NETDEV_UP): veth0_to_batadv: link is not ready
[ 36.442402] IPv6: ADDRCONF(NETDEV_UP): veth1_to_batadv: link is not ready
[ 36.451569] IPv6: ADDRCONF(NETDEV_UP): batadv_slave_0: link is not ready
[ 36.459295] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 36.465981] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready
[ 36.473841] IPv6: ADDRCONF(NETDEV_CHANGE): macsec0: link becomes ready
[ 36.481178] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready
[ 36.489109] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 36.499040] IPv6: ADDRCONF(NETDEV_UP): batadv_slave_1: link is not ready
[ 36.505879] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 36.512708] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready
[ 36.520573] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 39.226117] ==================================================================
[ 39.233565] BUG: KASAN: use-after-free in hci_chan_del+0x131/0x180
[ 39.239863] Read of size 8 at addr ffff8880a7e980d8 by task syz-executor.0/6417
[ 39.247283]
[ 39.248890] CPU: 0 PID: 6417 Comm: syz-executor.0 Not tainted 4.14.192-syzkaller #0
[ 39.256655] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 39.265997] Call Trace:
[ 39.268576]  dump_stack+0x1b2/0x283
[ 39.272193]  ? l2cap_conn_del+0x670/0x670
[ 39.276320]  print_address_description.cold+0x54/0x1d3
[ 39.281580]  kasan_report_error.cold+0x8a/0x194
[ 39.286234]  ? hci_chan_del+0x131/0x180
[ 39.290200]  __asan_report_load8_noabort+0x68/0x70
[ 39.295120]  ? hci_chan_del+0x131/0x180
[ 39.299087]  hci_chan_del+0x131/0x180
[ 39.302877]  l2cap_conn_del+0x417/0x670
[ 39.306834]  ? __mutex_unlock_slowpath+0x75/0x770
[ 39.311660]  ? l2cap_conn_del+0x670/0x670
[ 39.315781]  l2cap_disconn_cfm+0x6b/0x80
[ 39.319830]  hci_conn_hash_flush+0x114/0x220
[ 39.324224]  hci_dev_do_close+0x542/0xc50
[ 39.328348]  ? lock_downgrade+0x740/0x740
[ 39.332491]  hci_unregister_dev+0x170/0x7a0
[ 39.336803]  ? fcntl_setlk+0xdb0/0xdb0
[ 39.340666]  ? vhci_close_dev+0x50/0x50
[ 39.344624]  vhci_release+0x70/0xe0
[ 39.348227]  __fput+0x25f/0x7a0
[ 39.351482]  task_work_run+0x11f/0x190
[ 39.355607]  do_exit+0xa08/0x27f0
[ 39.359036]  ? mm_update_next_owner+0x5b0/0x5b0
[ 39.363680]  ? vfs_write+0x319/0x4d0
[ 39.367370]  ? SyS_write+0x14d/0x210
[ 39.371080]  do_group_exit+0x100/0x2e0
[ 39.375032]  SyS_exit_group+0x19/0x20
[ 39.378804]  ? do_group_exit+0x2e0/0x2e0
[ 39.382860]  do_syscall_64+0x1d5/0x640
[ 39.386743]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 39.391908] RIP: 0033:0x45ccd9
[ 39.395086] RSP: 002b:00007ffff6fe7b48 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 39.402781] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000045ccd9
[ 39.410026] RDX: 0000000000416731 RSI: 0000000000ca85f0 RDI: 0000000000000043
[ 39.417282] RBP: 00000000004c2963 R08: 000000000000000b R09: 0000000000000000
[ 39.424524] R10: 0000000001511940 R11: 0000000000000246 R12: 0000000000000014
[ 39.431766] R13: 00007ffff6fe7c90 R14: 00000000000098f5 R15: 00007ffff6fe7ca0
[ 39.439018]
[ 39.440622] Allocated by task 1202:
[ 39.444229]  kasan_kmalloc+0xeb/0x160
[ 39.448005]  kmem_cache_alloc_trace+0x131/0x3d0
[ 39.452651]  hci_chan_create+0x7c/0x300
[ 39.456602]  l2cap_conn_add.part.0+0x18/0xc20
[ 39.461071]  l2cap_connect_cfm+0x1d2/0xce0
[ 39.465295]  hci_le_meta_evt+0x3288/0x3fc0
[ 39.469509]  hci_event_packet+0x25a7/0x7c7a
[ 39.473802]  hci_rx_work+0x3e6/0x970
[ 39.477494]  process_one_work+0x793/0x14a0
[ 39.481716]  worker_thread+0x5cc/0xff0
[ 39.485575]  kthread+0x30d/0x420
[ 39.488914]  ret_from_fork+0x24/0x30
[ 39.492611]
[ 39.494222] Freed by task 6649:
[ 39.497496]  kasan_slab_free+0xc3/0x1a0
[ 39.501461]  kfree+0xc9/0x250
[ 39.504540]  hci_event_packet+0xeae/0x7c7a
[ 39.508838]  hci_rx_work+0x3e6/0x970
[ 39.512546]  process_one_work+0x793/0x14a0
[ 39.516754]  worker_thread+0x5cc/0xff0
[ 39.520633]  kthread+0x30d/0x420
[ 39.523989]  ret_from_fork+0x24/0x30
[ 39.527672]
[ 39.529293] The buggy address belongs to the object at ffff8880a7e980c0
[ 39.529293]  which belongs to the cache kmalloc-128 of size 128
[ 39.541940] The buggy address is located 24 bytes inside of
[ 39.541940]  128-byte region [ffff8880a7e980c0, ffff8880a7e98140)
[ 39.553968] The buggy address belongs to the page:
[ 39.558885] page:ffffea00029fa600 count:1 mapcount:0 mapping:ffff8880a7e98000 index:0x0
[ 39.567025] flags: 0xfffe0000000100(slab)
[ 39.571185] raw: 00fffe0000000100 ffff8880a7e98000 0000000000000000 0000000100000015
[ 39.579055] raw: ffffea000299d3e0 ffffea0002a07b20 ffff88812fe52640 0000000000000000
[ 39.586908] page dumped because: kasan: bad access detected
[ 39.592604]
[ 39.594212] Memory state around the buggy address:
[ 39.599113]  ffff8880a7e97f80: 00 02 fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 39.606445]  ffff8880a7e98000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 39.613782] >ffff8880a7e98080: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 39.621117]                                                     ^
[ 39.627324]  ffff8880a7e98100: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 39.634662]  ffff8880a7e98180: 00 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc
[ 39.642008] ==================================================================
[ 39.649338] Disabling lock debugging due to kernel taint
[ 39.655283] Kernel panic - not syncing: panic_on_warn set ...
[ 39.655283]
[ 39.662653] CPU: 0 PID: 6417 Comm: syz-executor.0 Tainted: G B 4.14.192-syzkaller #0
[ 39.671651] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 39.681341] Call Trace:
[ 39.683925]  dump_stack+0x1b2/0x283
[ 39.687540]  ? l2cap_conn_del+0x670/0x670
[ 39.691677]  panic+0x1f9/0x42d
[ 39.694939]  ? add_taint.cold+0x16/0x16
[ 39.698898]  ? ___preempt_schedule+0x16/0x18
[ 39.703281]  kasan_end_report+0x43/0x49
[ 39.707227]  kasan_report_error.cold+0xa7/0x194
[ 39.711880]  ? hci_chan_del+0x131/0x180
[ 39.715824]  __asan_report_load8_noabort+0x68/0x70
[ 39.720726]  ? hci_chan_del+0x131/0x180
[ 39.724690]  hci_chan_del+0x131/0x180
[ 39.728482]  l2cap_conn_del+0x417/0x670
[ 39.732438]  ? __mutex_unlock_slowpath+0x75/0x770
[ 39.737259]  ? l2cap_conn_del+0x670/0x670
[ 39.741381]  l2cap_disconn_cfm+0x6b/0x80
[ 39.745431]  hci_conn_hash_flush+0x114/0x220
[ 39.749813]  hci_dev_do_close+0x542/0xc50
[ 39.753934]  ? lock_downgrade+0x740/0x740
[ 39.758068]  hci_unregister_dev+0x170/0x7a0
[ 39.762362]  ? fcntl_setlk+0xdb0/0xdb0
[ 39.766224]  ? vhci_close_dev+0x50/0x50
[ 39.770169]  vhci_release+0x70/0xe0
[ 39.773768]  __fput+0x25f/0x7a0
[ 39.777034]  task_work_run+0x11f/0x190
[ 39.780896]  do_exit+0xa08/0x27f0
[ 39.784323]  ? mm_update_next_owner+0x5b0/0x5b0
[ 39.788964]  ? vfs_write+0x319/0x4d0
[ 39.792661]  ? SyS_write+0x14d/0x210
[ 39.796349]  do_group_exit+0x100/0x2e0
[ 39.800223]  SyS_exit_group+0x19/0x20
[ 39.804007]  ? do_group_exit+0x2e0/0x2e0
[ 39.808040]  do_syscall_64+0x1d5/0x640
[ 39.811915]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 39.817088] RIP: 0033:0x45ccd9
[ 39.820250] RSP: 002b:00007ffff6fe7b48 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 39.827940] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000045ccd9
[ 39.835195] RDX: 0000000000416731 RSI: 0000000000ca85f0 RDI: 0000000000000043
[ 39.842435] RBP: 00000000004c2963 R08: 000000000000000b R09: 0000000000000000
[ 39.849676] R10: 0000000001511940 R11: 0000000000000246 R12: 0000000000000014
[ 39.856916] R13: 00007ffff6fe7c90 R14: 00000000000098f5 R15: 00007ffff6fe7ca0
[ 39.865174] Kernel Offset: disabled
[ 39.868797] Rebooting in 86400 seconds..
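The log above is a syzbot console capture that ends in a KASAN use-after-free: hci_chan_del() reads 8 bytes at offset 24 of a freed kmalloc-128 object. The allocation stack shows hci_chan_create() on the HCI RX worker (task 1202), the free stack shows hci_event_packet() on the same worker (task 6649), and the stale read happens in a different task, the exiting syz-executor.0, on its vhci_release() -> hci_unregister_dev() -> hci_dev_do_close() -> l2cap_conn_del() teardown path. The Python script below is an added example, not part of syzbot, syzkaller or the kernel tree: it parses a KASAN report into exactly those triage facts (bug class, faulting function, first subsystem frame of the use, allocation and free stacks and their tasks, whether the free ran on a different task than the use, and the offset into the slab object). It runs against an abridged, constructed copy of the report above embedded as SAMPLE; the NOISE prefix list that skips instrumentation frames is my own heuristic, not kernel policy.

```python
import re

# Constructed sample: an abridged copy of the KASAN block from the console log on
# this page (frames trimmed), so the script runs offline against realistic input.
SAMPLE = """\
[ 39.226117] ==================================================================
[ 39.233565] BUG: KASAN: use-after-free in hci_chan_del+0x131/0x180
[ 39.239863] Read of size 8 at addr ffff8880a7e980d8 by task syz-executor.0/6417
[ 39.248890] CPU: 0 PID: 6417 Comm: syz-executor.0 Not tainted 4.14.192-syzkaller #0
[ 39.265997] Call Trace:
[ 39.268576]  dump_stack+0x1b2/0x283
[ 39.272193]  ? l2cap_conn_del+0x670/0x670
[ 39.290200]  __asan_report_load8_noabort+0x68/0x70
[ 39.299087]  hci_chan_del+0x131/0x180
[ 39.302877]  l2cap_conn_del+0x417/0x670
[ 39.315781]  l2cap_disconn_cfm+0x6b/0x80
[ 39.324224]  hci_dev_do_close+0x542/0xc50
[ 39.332491]  hci_unregister_dev+0x170/0x7a0
[ 39.344624]  vhci_release+0x70/0xe0
[ 39.391908] RIP: 0033:0x45ccd9
[ 39.440622] Allocated by task 1202:
[ 39.444229]  kasan_kmalloc+0xeb/0x160
[ 39.448005]  kmem_cache_alloc_trace+0x131/0x3d0
[ 39.452651]  hci_chan_create+0x7c/0x300
[ 39.473802]  hci_rx_work+0x3e6/0x970
[ 39.492611]
[ 39.494222] Freed by task 6649:
[ 39.497496]  kasan_slab_free+0xc3/0x1a0
[ 39.501461]  kfree+0xc9/0x250
[ 39.504540]  hci_event_packet+0xeae/0x7c7a
[ 39.508838]  hci_rx_work+0x3e6/0x970
[ 39.527672]
[ 39.529293] The buggy address belongs to the object at ffff8880a7e980c0
[ 39.529293]  which belongs to the cache kmalloc-128 of size 128
[ 39.642008] ==================================================================
"""

PREFIX = re.compile(r"^\[\s*\d+\.\d+\]\s?")  # printk timestamp, if present
FRAME = re.compile(r"^\s*(\?\s+)?(\S+)\+0x[0-9a-f]+/0x[0-9a-f]+$")
# Instrumentation/allocator frames skipped when naming a site (own heuristic).
NOISE = ("dump_stack", "print_address_description", "kasan_", "__asan_", "kmem_cache_", "kfree")

def frames(lines, start):
    """Stack frames following lines[start]; '? ' frames are unreliable and dropped."""
    out = []
    for line in lines[start + 1:]:
        m = FRAME.match(line)
        if not m:
            break
        if m.group(1) is None:
            out.append(m.group(2))
    return out

def first_real_frame(stack):
    return next((f for f in stack if not f.startswith(NOISE)), None)

def parse_kasan_report(text):
    """Pull the triage facts out of one KASAN report."""
    lines = [PREFIX.sub("", ln).rstrip() for ln in text.splitlines()]
    r = {"alloc_stack": [], "free_stack": [], "call_trace": []}
    for i, line in enumerate(lines):
        if m := re.match(r"BUG: KASAN: (.+?) in (\S+?)\+0x", line):
            r["bug_type"], r["func"] = m.groups()
        elif m := re.match(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (\S+)/(\d+)", line):
            r["access"], r["size"], r["addr"] = m[1], int(m[2]), int(m[3], 16)
            r["comm"], r["pid"] = m[4], int(m[5])
        elif m := re.match(r"CPU: \d+ PID: \d+ Comm: .* (?:Not tainted|Tainted: .*?) (\S+) #\d+", line):
            r["kernel"] = m[1]
        elif line == "Call Trace:":
            r["call_trace"] = frames(lines, i)
        elif m := re.match(r"Allocated by task (\d+):", line):
            r["alloc_task"], r["alloc_stack"] = int(m[1]), frames(lines, i)
        elif m := re.match(r"Freed by task (\d+):", line):
            r["free_task"], r["free_stack"] = int(m[1]), frames(lines, i)
        elif m := re.match(r"The buggy address belongs to the object at ([0-9a-f]+)", line):
            r["object"] = int(m[1], 16)
        elif m := re.match(r"\s*which belongs to the cache (\S+) of size (\d+)", line):
            r["cache"], r["object_size"] = m[1], int(m[2])
    if "object" in r:
        r["offset"] = r["addr"] - r["object"]  # equals the report's "N bytes inside of"
    return r

def triage(r):
    """The facts a triager wants first from the parsed report."""
    return {
        "bug": f"{r['bug_type']} ({r['access']} of {r['size']} bytes) in {r['func']}",
        "use_site": first_real_frame(r["call_trace"]),
        "alloc_site": first_real_frame(r["alloc_stack"]),
        "free_site": first_real_frame(r["free_stack"]),
        "cross_task": r.get("free_task") != r.get("pid"),  # freed by a task other than the user
        "offset_in_object": r.get("offset"),
        "cache": r.get("cache"),
    }

if __name__ == "__main__":
    for key, value in triage(parse_kasan_report(SAMPLE)).items():
        print(f"{key:17} {value}")
```

Run it as a script, or import it and feed parse_kasan_report() the whole console log; the prefix regex tolerates the printk timestamps, and '? ' frames are dropped because the unwinder marks them as unreliable guesses. For this report cross_task comes back true: the object's lifetime is driven by the HCI event worker while the stale use comes from device teardown in the exiting process, so the question to take to the source is how those two paths are serialized against each other.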