[ OK ] Started Regular background program processing daemon.
Starting Permit User Sessions...
Starting OpenBSD Secure Shell server...
[ OK ] Started Daily Cleanup of Temporary Directories.
[ OK ] Reached target Timers.
[ OK ] Started System Logging Service.
[ OK ] Started Permit User Sessions.
[ 67.143423][ T8103] sshd (8103) used greatest stack depth: 22576 bytes left
[ OK ] Started OpenBSD Secure Shell server.
[ OK ] Started getty on tty2-tty6 if dbus and logind are not available.
[ OK ] Listening on Load/Save RF Kill Switch Status /dev/rfkill Watch.
[ OK ] Started Getty on tty6.
[ OK ] Started Getty on tty5.
[ OK ] Started Getty on tty4.
[ OK ] Started Getty on tty3.
[ OK ] Started Getty on tty2.
[ OK ] Started Getty on tty1.
[ OK ] Started Serial Getty on ttyS0.
[ OK ] Reached target Login Prompts.
[ OK ] Reached target Multi-User System.
[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
Starting Load/Save RF Kill Switch Status...
[ OK ] Started Update UTMP about System Runlevel Changes.
[ OK ] Started Load/Save RF Kill Switch Status.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.0.234' (ECDSA) to the list of known hosts.
2021/03/04 02:59:02 parsed 1 programs
2021/03/04 02:59:02 executed programs: 0
syzkaller login: [ 84.126619][ T37] audit: type=1400 audit(1614826742.799:8): avc: denied { execmem } for pid=8417 comm="syz-executor.0" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=1
[ 85.243970][ T8418] IPVS: ftp: loaded support on port[0] = 21
[ 85.414568][ T8418] chnl_net:caif_netlink_parms(): no params data found
[ 85.477531][ T8418] bridge0: port 1(bridge_slave_0) entered blocking state
[ 85.485906][ T8418] bridge0: port 1(bridge_slave_0) entered disabled state
[ 85.496691][ T8418] device bridge_slave_0 entered promiscuous mode
[ 85.507745][ T8418] bridge0: port 2(bridge_slave_1) entered blocking state
[ 85.515132][ T8418] bridge0: port 2(bridge_slave_1) entered disabled state
[ 85.523052][ T8418] device bridge_slave_1 entered promiscuous mode
[ 85.546224][ T8418] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 85.557875][ T8418] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 85.584540][ T8418] team0: Port device team_slave_0 added
[ 85.592166][ T8418] team0: Port device team_slave_1 added
[ 85.610978][ T8418] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 85.618041][ T8418] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 85.644379][ T8418] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[ 85.657592][ T8418] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 85.664618][ T8418] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 85.690661][ T8418] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[ 85.721361][ T8418] device hsr_slave_0 entered promiscuous mode
[ 85.728809][ T8418] device hsr_slave_1 entered promiscuous mode
[ 85.845663][ T8418] netdevsim netdevsim0 netdevsim0: renamed from eth0
[ 85.857231][ T8418] netdevsim netdevsim0 netdevsim1: renamed from eth1
[ 85.868492][ T8418] netdevsim netdevsim0 netdevsim2: renamed from eth2
[ 85.880360][ T8418] netdevsim netdevsim0 netdevsim3: renamed from eth3
[ 85.911363][ T8418] bridge0: port 2(bridge_slave_1) entered blocking state
[ 85.918705][ T8418] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 85.927089][ T8418] bridge0: port 1(bridge_slave_0) entered blocking state
[ 85.934317][ T8418] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 85.987330][ T8418] 8021q: adding VLAN 0 to HW filter on device bond0
[ 86.002488][ T3802] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 86.015861][ T3802] bridge0: port 1(bridge_slave_0) entered disabled state
[ 86.026369][ T3802] bridge0: port 2(bridge_slave_1) entered disabled state
[ 86.035434][ T3802] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 86.052515][ T8418] 8021q: adding VLAN 0 to HW filter on device team0
[ 86.064720][ T3802] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 86.074387][ T3802] bridge0: port 1(bridge_slave_0) entered blocking state
[ 86.082321][ T3802] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 86.096428][ T3160] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 86.107346][ T3160] bridge0: port 2(bridge_slave_1) entered blocking state
[ 86.114512][ T3160] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 86.144997][ T3160] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 86.155889][ T3160] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 86.164708][ T3160] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 86.173715][ T3160] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 86.187304][ T2956] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 86.200588][ T8418] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 86.223107][ T2956] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 86.232833][ T2956] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 86.248140][ T8418] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 86.270409][ T3802] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 86.293760][ T2956] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 86.303118][ T2956] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 86.313171][ T2956] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 86.325590][ T8418] device veth0_vlan entered promiscuous mode
[ 86.338179][ T8418] device veth1_vlan entered promiscuous mode
[ 86.362217][ T8636] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan0: link becomes ready
[ 86.371187][ T8636] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan1: link becomes ready
[ 86.382305][ T8636] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 86.396002][ T8418] device veth0_macvtap entered promiscuous mode
[ 86.407692][ T8418] device veth1_macvtap entered promiscuous mode
[ 86.430339][ T8418] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 86.437837][ T3802] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready
[ 86.447710][ T3802] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 86.462192][ T8418] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 86.469914][ T3802] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready
[ 86.478593][ T3802] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 86.495476][ T8418] netdevsim netdevsim0 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0
[ 86.504658][ T8418] netdevsim netdevsim0 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0
[ 86.514127][ T8418] netdevsim netdevsim0 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0
[ 86.523346][ T8418] netdevsim netdevsim0 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0
[ 86.637057][ T1398] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[ 86.655384][ T1398] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50
[ 86.681825][ T8636] IPv6: ADDRCONF(NETDEV_CHANGE): wlan0: link becomes ready
[ 86.714756][ T8] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[ 86.722964][ T8] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50
[ 86.733928][ T2956] IPv6: ADDRCONF(NETDEV_CHANGE): wlan1: link becomes ready
[ 86.842511][ T8663] ==================================================================
[ 86.850903][ T8663] BUG: KASAN: use-after-free in __cpuhp_state_remove_instance+0x58b/0x5b0
[ 86.859464][ T8663] Read of size 8 at addr ffff888018ee3498 by task syz-executor.0/8663
[ 86.867632][ T8663]
[ 86.869969][ T8663] CPU: 0 PID: 8663 Comm: syz-executor.0 Not tainted 5.12.0-rc1-syzkaller #0
[ 86.879357][ T8663] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 86.889427][ T8663] Call Trace:
[ 86.892728][ T8663] dump_stack+0xfa/0x151
[ 86.897029][ T8663] ? __cpuhp_state_remove_instance+0x58b/0x5b0
[ 86.903223][ T8663] print_address_description.constprop.0.cold+0x5b/0x2c6
[ 86.910288][ T8663] ? __cpuhp_state_remove_instance+0x58b/0x5b0
[ 86.916473][ T8663] ? __cpuhp_state_remove_instance+0x58b/0x5b0
[ 86.922663][ T8663] kasan_report.cold+0x7c/0xd8
[ 86.927461][ T8663] ? __cpuhp_state_remove_instance+0x58b/0x5b0
[ 86.933647][ T8663] __cpuhp_state_remove_instance+0x58b/0x5b0
[ 86.939670][ T8663] io_wq_create+0x6ca/0xbf0
[ 86.944395][ T8663] io_uring_alloc_task_context+0x1bf/0x6a0
[ 86.950239][ T8663] ? io_timeout_extract+0x2a0/0x2a0
[ 86.955556][ T8663] ? io_issue_sqe+0x4f00/0x4f00
[ 86.960427][ T8663] ? io_async_find_and_cancel+0x2f0/0x2f0
[ 86.966196][ T8663] io_uring_setup+0x1dcb/0x2be0
[ 86.971118][ T8663] ? io_async_buf_func+0x720/0x720
[ 86.976351][ T8663] ? syscall_enter_from_user_mode+0x1d/0x50
[ 86.982294][ T8663] do_syscall_64+0x2d/0x70
[ 86.986745][ T8663] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 86.992676][ T8663] RIP: 0033:0x465ef9
[ 86.996590][ T8663] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
[ 87.016224][ T8663] RSP: 002b:00007f1d53efc188 EFLAGS: 00000246 ORIG_RAX: 00000000000001a9
[ 87.024667][ T8663] RAX: ffffffffffffffda RBX: 000000000056bf60 RCX: 0000000000465ef9
[ 87.032656][ T8663] RDX: 0000000000000000 RSI: 0000000020000080 RDI: 00000000000002df
[ 87.040637][ T8663] RBP: 00000000004bfa34 R08: 0000000000000000 R09: 0000000000000000
[ 87.048598][ T8663] R10: 0000000000000000 R11: 0000000000000246 R12: 000000000056bf60
[ 87.056572][ T8663] R13: 00007ffc0cd7692f R14: 00007f1d53efc300 R15: 0000000000022000
[ 87.064563][ T8663]
[ 87.066885][ T8663] Allocated by task 8663:
[ 87.071196][ T8663] kasan_save_stack+0x1b/0x40
[ 87.075886][ T8663] __kasan_kmalloc+0x96/0xc0
[ 87.080477][ T8663] kmem_cache_alloc_trace+0x1ef/0x430
[ 87.085852][ T8663] io_wq_create+0xc0/0xbf0
[ 87.090260][ T8663] io_uring_alloc_task_context+0x1bf/0x6a0
[ 87.096057][ T8663] io_uring_setup+0x1dcb/0x2be0
[ 87.100899][ T8663] do_syscall_64+0x2d/0x70
[ 87.105311][ T8663] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 87.111193][ T8663]
[ 87.113515][ T8663] Freed by task 8663:
[ 87.117483][ T8663] kasan_save_stack+0x1b/0x40
[ 87.122157][ T8663] kasan_set_track+0x1c/0x30
[ 87.126744][ T8663] kasan_set_free_info+0x20/0x30
[ 87.131671][ T8663] __kasan_slab_free+0xc7/0x100
[ 87.136515][ T8663] kfree+0x104/0x2a0
[ 87.140420][ T8663] io_wq_put+0x4d0/0x6d0
[ 87.144672][ T8663] io_wq_create+0x92d/0xbf0
[ 87.149176][ T8663] io_uring_alloc_task_context+0x1bf/0x6a0
[ 87.154992][ T8663] io_uring_setup+0x1dcb/0x2be0
[ 87.159851][ T8663] do_syscall_64+0x2d/0x70
[ 87.164291][ T8663] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 87.170195][ T8663]
[ 87.172506][ T8663] Last potentially related work creation:
[ 87.178202][ T8663] kasan_save_stack+0x1b/0x40
[ 87.182870][ T8663] kasan_record_aux_stack+0xa4/0xd0
[ 87.188075][ T8663] insert_work+0x48/0x370
[ 87.192414][ T8663] __queue_work+0x5c1/0xf00
[ 87.196913][ T8663] queue_work_on+0xae/0xc0
[ 87.201402][ T8663] call_usermodehelper_exec+0x1f0/0x4c0
[ 87.206975][ T8663] kobject_uevent_env+0xf9f/0x1680
[ 87.212089][ T8663] kobject_synth_uevent+0x701/0x850
[ 87.217292][ T8663] store_uevent+0x12/0x20
[ 87.221726][ T8663] module_attr_store+0x50/0x80
[ 87.226511][ T8663] sysfs_kf_write+0x110/0x160
[ 87.231188][ T8663] kernfs_fop_write_iter+0x342/0x500
[ 87.236482][ T8663] new_sync_write+0x426/0x650
[ 87.241153][ T8663] vfs_write+0x796/0xa30
[ 87.245391][ T8663] ksys_write+0x12d/0x250
[ 87.249716][ T8663] do_syscall_64+0x2d/0x70
[ 87.251138][ T8636] Bluetooth: hci0: command 0x0409 tx timeout
[ 87.254139][ T8663] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 87.254217][ T8663]
[ 87.254223][ T8663] Second to last potentially related work creation:
[ 87.275080][ T8663] kasan_save_stack+0x1b/0x40
[ 87.279800][ T8663] kasan_record_aux_stack+0xa4/0xd0
[ 87.285026][ T8663] insert_work+0x48/0x370
[ 87.289379][ T8663] __queue_work+0x5c1/0xf00
[ 87.293901][ T8663] queue_work_on+0xae/0xc0
[ 87.298329][ T8663] call_usermodehelper_exec+0x1f0/0x4c0
[ 87.303911][ T8663] kobject_uevent_env+0xf9f/0x1680
[ 87.309056][ T8663] driver_register+0x2db/0x3a0
[ 87.313852][ T8663] pcie_port_service_register+0x146/0x1b0
[ 87.319604][ T8663] pcie_hp_init+0x13/0x85
[ 87.324040][ T8663] pcie_portdrv_init+0x35/0x65
[ 87.328820][ T8663] do_one_initcall+0x103/0x650
[ 87.333628][ T8663] kernel_init_freeable+0x5ff/0x683
[ 87.339028][ T8663] kernel_init+0xd/0x1b8
[ 87.343263][ T8663] ret_from_fork+0x1f/0x30
[ 87.347673][ T8663]
[ 87.350003][ T8663] The buggy address belongs to the object at ffff888018ee3400
[ 87.350003][ T8663] which belongs to the cache kmalloc-192 of size 192
[ 87.364064][ T8663] The buggy address is located 152 bytes inside of
[ 87.364064][ T8663] 192-byte region [ffff888018ee3400, ffff888018ee34c0)
[ 87.377357][ T8663] The buggy address belongs to the page:
[ 87.383024][ T8663] page:00000000c0fb973a refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x18ee3
[ 87.393173][ T8663] flags: 0xfff00000000200(slab)
[ 87.398045][ T8663] raw: 00fff00000000200 ffffea0000630fc8 ffffea000062f888 ffff888010840000
[ 87.406628][ T8663] raw: 0000000000000000 ffff888018ee3000 0000000100000010 0000000000000000
[ 87.415217][ T8663] page dumped because: kasan: bad access detected
[ 87.421621][ T8663]
[ 87.423950][ T8663] Memory state around the buggy address:
[ 87.429565][ T8663] ffff888018ee3380: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 87.437625][ T8663] ffff888018ee3400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 87.445790][ T8663] >ffff888018ee3480: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 87.453867][ T8663]                            ^
[ 87.458714][ T8663] ffff888018ee3500: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 87.466775][ T8663] ffff888018ee3580: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 87.474912][ T8663] ==================================================================
[ 87.483146][ T8663] Disabling lock debugging due to kernel taint
[ 87.498584][ T8663] Kernel panic - not syncing: panic_on_warn set ...
[ 87.505214][ T8663] CPU: 0 PID: 8663 Comm: syz-executor.0 Tainted: G B 5.12.0-rc1-syzkaller #0
[ 87.515274][ T8663] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 87.528808][ T8663] Call Trace:
[ 87.532087][ T8663] dump_stack+0xfa/0x151
[ 87.536360][ T8663] panic+0x306/0x73d
[ 87.540247][ T8663] ? __warn_printk+0xf3/0xf3
[ 87.544831][ T8663] ? preempt_schedule_common+0x59/0xc0
[ 87.550278][ T8663] ? __cpuhp_state_remove_instance+0x58b/0x5b0
[ 87.556446][ T8663] ? preempt_schedule_thunk+0x16/0x18
[ 87.561820][ T8663] ? trace_hardirqs_on+0x38/0x1c0
[ 87.569011][ T8663] ? trace_hardirqs_on+0x51/0x1c0
[ 87.574181][ T8663] ? __cpuhp_state_remove_instance+0x58b/0x5b0
[ 87.581137][ T8663] ? __cpuhp_state_remove_instance+0x58b/0x5b0
[ 87.587423][ T8663] end_report.cold+0x5a/0x5a
[ 87.592047][ T8663] kasan_report.cold+0x6a/0xd8
[ 87.596811][ T8663] ? __cpuhp_state_remove_instance+0x58b/0x5b0
[ 87.602975][ T8663] __cpuhp_state_remove_instance+0x58b/0x5b0
[ 87.608951][ T8663] io_wq_create+0x6ca/0xbf0
[ 87.613450][ T8663] io_uring_alloc_task_context+0x1bf/0x6a0
[ 87.619249][ T8663] ? io_timeout_extract+0x2a0/0x2a0
[ 87.624440][ T8663] ? io_issue_sqe+0x4f00/0x4f00
[ 87.629287][ T8663] ? io_async_find_and_cancel+0x2f0/0x2f0
[ 87.635181][ T8663] io_uring_setup+0x1dcb/0x2be0
[ 87.640082][ T8663] ? io_async_buf_func+0x720/0x720
[ 87.645201][ T8663] ? syscall_enter_from_user_mode+0x1d/0x50
[ 87.651117][ T8663] do_syscall_64+0x2d/0x70
[ 87.655561][ T8663] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 87.661709][ T8663] RIP: 0033:0x465ef9
[ 87.665589][ T8663] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
[ 87.685311][ T8663] RSP: 002b:00007f1d53efc188 EFLAGS: 00000246 ORIG_RAX: 00000000000001a9
[ 87.693789][ T8663] RAX: ffffffffffffffda RBX: 000000000056bf60 RCX: 0000000000465ef9
[ 87.701773][ T8663] RDX: 0000000000000000 RSI: 0000000020000080 RDI: 00000000000002df
[ 87.709754][ T8663] RBP: 00000000004bfa34 R08: 0000000000000000 R09: 0000000000000000
[ 87.717801][ T8663] R10: 0000000000000000 R11: 0000000000000246 R12: 000000000056bf60
[ 87.725762][ T8663] R13: 00007ffc0cd7692f R14: 00007f1d53efc300 R15: 0000000000022000
[ 87.734442][ T8663] Kernel Offset: disabled
[ 87.738766][ T8663] Rebooting in 86400 seconds..