[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
[ OK ] Started Update UTMP about System Runlevel Changes.
Starting Load/Save RF Kill Switch Status...
[ OK ] Started Load/Save RF Kill Switch Status.
Debian GNU/Linux 9 syzkaller ttyS0
Warning: Permanently added '10.128.0.202' (ECDSA) to the list of known hosts.
2020/08/29 09:14:57 parsed 1 programs
2020/08/29 09:14:58 executed programs: 0
syzkaller login: [ 38.515927] audit: type=1400 audit(1598692498.090:8): avc: denied { execmem } for pid=6478 comm="syz-executor.0" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=1
[ 39.613696] IPVS: ftp: loaded support on port[0] = 21
[ 39.729098] chnl_net:caif_netlink_parms(): no params data found
[ 39.803801] bridge0: port 1(bridge_slave_0) entered blocking state
[ 39.810611] bridge0: port 1(bridge_slave_0) entered disabled state
[ 39.818415] device bridge_slave_0 entered promiscuous mode
[ 39.826250] bridge0: port 2(bridge_slave_1) entered blocking state
[ 39.832970] bridge0: port 2(bridge_slave_1) entered disabled state
[ 39.840872] device bridge_slave_1 entered promiscuous mode
[ 39.859149] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 39.868275] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 39.887088] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 39.894780] team0: Port device team_slave_0 added
[ 39.900279] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 39.907811] team0: Port device team_slave_1 added
[ 39.923174] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 39.929476] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 39.954873] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[ 39.966724] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 39.972956] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 39.998282] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[ 40.009090] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[ 40.016887] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[ 40.036613] device hsr_slave_0 entered promiscuous mode
[ 40.042449] device hsr_slave_1 entered promiscuous mode
[ 40.048887] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready
[ 40.056371] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_1: link is not ready
[ 40.123672] bridge0: port 2(bridge_slave_1) entered blocking state
[ 40.130135] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 40.137049] bridge0: port 1(bridge_slave_0) entered blocking state
[ 40.143404] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 40.177016] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[ 40.183250] 8021q: adding VLAN 0 to HW filter on device bond0
[ 40.192152] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 40.201854] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 40.210746] bridge0: port 1(bridge_slave_0) entered disabled state
[ 40.218032] bridge0: port 2(bridge_slave_1) entered disabled state
[ 40.225709] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 40.236330] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready
[ 40.242497] 8021q: adding VLAN 0 to HW filter on device team0
[ 40.251837] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 40.260282] bridge0: port 1(bridge_slave_0) entered blocking state
[ 40.266826] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 40.285059] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 40.292711] bridge0: port 2(bridge_slave_1) entered blocking state
[ 40.299100] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 40.307326] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 40.315265] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 40.323329] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 40.335597] hsr0: Slave A (hsr_slave_0) is not up; please bring it up to get a fully working HSR network
[ 40.345619] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
[ 40.356662] IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready
[ 40.364523] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 40.372247] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 40.380779] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 40.392616] IPv6: ADDRCONF(NETDEV_UP): vxcan0: link is not ready
[ 40.405151] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 40.411453] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 40.419108] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 40.432424] IPv6: ADDRCONF(NETDEV_UP): veth0_virt_wifi: link is not ready
[ 40.442940] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 40.478862] IPv6: ADDRCONF(NETDEV_UP): veth0_vlan: link is not ready
[ 40.486893] IPv6: ADDRCONF(NETDEV_UP): vlan0: link is not ready
[ 40.493507] IPv6: ADDRCONF(NETDEV_UP): vlan1: link is not ready
[ 40.503336] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 40.511456] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 40.519034] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 40.528879] device veth0_vlan entered promiscuous mode
[ 40.537423] device veth1_vlan entered promiscuous mode
[ 40.543238] IPv6: ADDRCONF(NETDEV_UP): macvlan0: link is not ready
[ 40.552139] IPv6: ADDRCONF(NETDEV_UP): macvlan1: link is not ready
[ 40.564211] IPv6: ADDRCONF(NETDEV_UP): veth0_macvtap: link is not ready
[ 40.573522] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan0: link becomes ready
[ 40.582282] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan1: link becomes ready
[ 40.589889] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 40.599673] device veth0_macvtap entered promiscuous mode
[ 40.606212] IPv6: ADDRCONF(NETDEV_UP): macvtap0: link is not ready
[ 40.614373] device veth1_macvtap entered promiscuous mode
[ 40.622914] IPv6: ADDRCONF(NETDEV_UP): veth0_to_batadv: link is not ready
[ 40.632418] IPv6: ADDRCONF(NETDEV_UP): veth1_to_batadv: link is not ready
[ 40.642452] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 40.650549] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 40.659238] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready
[ 40.669628] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 40.676990] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 41.644001] Bluetooth: hci0: command 0x0409 tx timeout
2020/08/29 09:15:03 executed programs: 140
[ 43.722252] Bluetooth: hci0: command 0x041b tx timeout
[ 45.800957] Bluetooth: hci0: command 0x040f tx timeout
[ 47.880798] Bluetooth: hci0: command 0x0419 tx timeout
2020/08/29 09:15:08 executed programs: 525
[ 49.295546] ==================================================================
[ 49.303144] BUG: KASAN: use-after-free in __wake_up_common+0x607/0x650
[ 49.309931] Read of size 8 at addr ffff88808e47b3c0 by task syz-executor.0/8907
[ 49.317363]
[ 49.318977] CPU: 1 PID: 8907 Comm: syz-executor.0 Not tainted 4.19.142-syzkaller #0
[ 49.326858] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 49.336225] Call Trace:
[ 49.338803] dump_stack+0x1fc/0x2fe
[ 49.342414] print_address_description.cold+0x54/0x219
[ 49.347761] kasan_report_error.cold+0x8a/0x1c7
[ 49.352427] ? __wake_up_common+0x607/0x650
[ 49.356744] __asan_report_load8_noabort+0x88/0x90
[ 49.361667] ? __wake_up_common+0x607/0x650
[ 49.365998] __wake_up_common+0x607/0x650
[ 49.370140] __wake_up_common_lock+0xcd/0x170
[ 49.374620] ? __wake_up_common+0x650/0x650
[ 49.379053] ? fcntl_setlk+0xee0/0xee0
[ 49.382940] ? eventfd_show_fdinfo+0x90/0x90
[ 49.387344] eventfd_release+0x47/0x60
[ 49.391233] __fput+0x2ce/0x890
[ 49.394496] task_work_run+0x148/0x1c0
[ 49.398366] exit_to_usermode_loop+0x251/0x2a0
[ 49.402932] do_syscall_64+0x538/0x620
[ 49.406802] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 49.411971] RIP: 0033:0x416f01
[ 49.415152] Code: 75 14 b8 03 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 04 1b 00 00 c3 48 83 ec 08 e8 0a fc ff ff 48 89 04 24 b8 03 00 00 00 0f 05 <48> 8b 3c 24 48 89 c2 e8 53 fc ff ff 48 89 d0 48 83 c4 08 48 3d 01
[ 49.434035] RSP: 002b:00007ffd336ebb70 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
[ 49.441723] RAX: 0000000000000000 RBX: 0000000000000004 RCX: 0000000000416f01
[ 49.449008] RDX: 00000000000f4240 RSI: 0000000000000081 RDI: 0000000000000003
[ 49.456259] RBP: 0000000000000000 R08: 0000000001190538 R09: 0000000000000000
[ 49.463511] R10: 00007ffd336ebc50 R11: 0000000000000293 R12: 0000000001190540
[ 49.470760] R13: 0000000000000000 R14: ffffffffffffffff R15: 000000000118cf4c
[ 49.478100]
[ 49.479723] Allocated by task 8908:
[ 49.483332] kmem_cache_alloc_trace+0x12f/0x380
[ 49.487984] do_eventfd+0x61/0x1a0
[ 49.491508] __x64_sys_eventfd2+0x50/0x70
[ 49.495636] do_syscall_64+0xf9/0x620
[ 49.499692] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 49.504855]
[ 49.506456] Freed by task 8908:
[ 49.509730] kfree+0xcc/0x210
[ 49.512837] eventfd_ctx_put+0x31/0x40
[ 49.516717] eventfd_release+0x4f/0x60
[ 49.520597] __fput+0x2ce/0x890
[ 49.523872] task_work_run+0x148/0x1c0
[ 49.527739] exit_to_usermode_loop+0x251/0x2a0
[ 49.533210] do_syscall_64+0x538/0x620
[ 49.537077] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 49.542326]
[ 49.543949] The buggy address belongs to the object at ffff88808e47b380
[ 49.543949] which belongs to the cache kmalloc-96 of size 96
[ 49.556410] The buggy address is located 64 bytes inside of
[ 49.556410] 96-byte region [ffff88808e47b380, ffff88808e47b3e0)
[ 49.568523] The buggy address belongs to the page:
[ 49.573433] page:ffffea0002391ec0 count:1 mapcount:0 mapping:ffff88812c39c4c0 index:0x0
[ 49.581554] flags: 0xfffe0000000100(slab)
[ 49.586044] raw: 00fffe0000000100 ffffea00024425c8 ffffea0002414908 ffff88812c39c4c0
[ 49.593923] raw: 0000000000000000 ffff88808e47b000 0000000100000020 0000000000000000
[ 49.601793] page dumped because: kasan: bad access detected
[ 49.607478]
[ 49.609105] Memory state around the buggy address:
[ 49.614013] ffff88808e47b280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 49.621351] ffff88808e47b300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 49.628688] >ffff88808e47b380: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[ 49.636022] ^
[ 49.641449] ffff88808e47b400: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[ 49.652189] ffff88808e47b480: 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc
[ 49.659610] ==================================================================
[ 49.667001] Disabling lock debugging due to kernel taint
[ 49.672469] Kernel panic - not syncing: panic_on_warn set ...
[ 49.672469]
[ 49.679908] CPU: 1 PID: 8907 Comm: syz-executor.0 Tainted: G B 4.19.142-syzkaller #0
[ 49.689081] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 49.698422] Call Trace:
[ 49.701016] dump_stack+0x1fc/0x2fe
[ 49.704640] panic+0x26a/0x50e
[ 49.707811] ? __warn_printk+0xf3/0xf3
[ 49.711680] ? lock_downgrade+0x720/0x720
[ 49.715807] ? print_shadow_for_address+0xb8/0x114
[ 49.720716] ? trace_hardirqs_off+0x64/0x200
[ 49.725106] kasan_end_report+0x43/0x49
[ 49.729062] kasan_report_error.cold+0xa7/0x1c7
[ 49.733713] ? __wake_up_common+0x607/0x650
[ 49.738028] __asan_report_load8_noabort+0x88/0x90
[ 49.742936] ? __wake_up_common+0x607/0x650
[ 49.747325] __wake_up_common+0x607/0x650
[ 49.751454] __wake_up_common_lock+0xcd/0x170
[ 49.755929] ? __wake_up_common+0x650/0x650
[ 49.760255] ? fcntl_setlk+0xee0/0xee0
[ 49.764134] ? eventfd_show_fdinfo+0x90/0x90
[ 49.768531] eventfd_release+0x47/0x60
[ 49.772404] __fput+0x2ce/0x890
[ 49.775670] task_work_run+0x148/0x1c0
[ 49.779542] exit_to_usermode_loop+0x251/0x2a0
[ 49.784119] do_syscall_64+0x538/0x620
[ 49.787988] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 49.793277] RIP: 0033:0x416f01
[ 49.796448] Code: 75 14 b8 03 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 04 1b 00 00 c3 48 83 ec 08 e8 0a fc ff ff 48 89 04 24 b8 03 00 00 00 0f 05 <48> 8b 3c 24 48 89 c2 e8 53 fc ff ff 48 89 d0 48 83 c4 08 48 3d 01
[ 49.815389] RSP: 002b:00007ffd336ebb70 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
[ 49.823206] RAX: 0000000000000000 RBX: 0000000000000004 RCX: 0000000000416f01
[ 49.830460] RDX: 00000000000f4240 RSI: 0000000000000081 RDI: 0000000000000003
[ 49.837725] RBP: 0000000000000000 R08: 0000000001190538 R09: 0000000000000000
[ 49.845006] R10: 00007ffd336ebc50 R11: 0000000000000293 R12: 0000000001190540
[ 49.852259] R13: 0000000000000000 R14: ffffffffffffffff R15: 000000000118cf4c
[ 49.861479] Kernel Offset: disabled
[ 49.865116] Rebooting in 86400 seconds..