[[0;32m  OK  [0m] Reached target Graphical Interface.
         Starting Update UTMP about System Runlevel Changes...
[[0;32m  OK  [0m] Started Update UTMP about System Runlevel Changes.
         Starting Load/Save RF Kill Switch Status...
[[0;32m  OK  [0m] Started Load/Save RF Kill Switch Status.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.0.17' (ECDSA) to the list of known hosts.
2020/08/05 11:42:14 parsed 1 programs
2020/08/05 11:42:14 executed programs: 0
syzkaller login: [ 1050.045251] audit: type=1400 audit(1596627734.610:8): avc:  denied  { execmem } for  pid=6486 comm="syz-executor.0" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=1
[ 1050.083988] IPVS: ftp: loaded support on port[0] = 21
[ 1050.168957] chnl_net:caif_netlink_parms(): no params data found
[ 1050.273083] bridge0: port 1(bridge_slave_0) entered blocking state
[ 1050.279667] bridge0: port 1(bridge_slave_0) entered disabled state
[ 1050.287569] device bridge_slave_0 entered promiscuous mode
[ 1050.295500] bridge0: port 2(bridge_slave_1) entered blocking state
[ 1050.302190] bridge0: port 2(bridge_slave_1) entered disabled state
[ 1050.309088] device bridge_slave_1 entered promiscuous mode
[ 1050.327016] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 1050.335838] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 1050.355102] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 1050.362534] team0: Port device team_slave_0 added
[ 1050.367988] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 1050.375903] team0: Port device team_slave_1 added
[ 1050.391062] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 1050.397289] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 1050.422823] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[ 1050.434334] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 1050.440628] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 1050.465866] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[ 1050.476822] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[ 1050.484512] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[ 1050.552737] device hsr_slave_0 entered promiscuous mode
[ 1050.590153] device hsr_slave_1 entered promiscuous mode
[ 1050.630812] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready
[ 1050.637899] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_1: link is not ready
[ 1050.705090] bridge0: port 2(bridge_slave_1) entered blocking state
[ 1050.711509] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 1050.718191] bridge0: port 1(bridge_slave_0) entered blocking state
[ 1050.724609] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 1050.757508] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[ 1050.764976] 8021q: adding VLAN 0 to HW filter on device bond0
[ 1050.773640] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 1050.783838] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 1050.801981] bridge0: port 1(bridge_slave_0) entered disabled state
[ 1050.809187] bridge0: port 2(bridge_slave_1) entered disabled state
[ 1050.816871] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 1050.827871] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready
[ 1050.834143] 8021q: adding VLAN 0 to HW filter on device team0
[ 1050.843809] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 1050.851731] bridge0: port 1(bridge_slave_0) entered blocking state
[ 1050.858075] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 1050.881214] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 1050.888842] bridge0: port 2(bridge_slave_1) entered blocking state
[ 1050.895253] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 1050.903318] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 1050.911330] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 1050.918806] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 1050.926421] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 1050.935208] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 1050.942983] IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready
[ 1050.948978] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 1050.963432] IPv6: ADDRCONF(NETDEV_UP): vxcan0: link is not ready
[ 1050.971293] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 1050.977924] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 1050.988682] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 1051.003917] IPv6: ADDRCONF(NETDEV_UP): veth0_virt_wifi: link is not ready
[ 1051.013493] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 1051.049734] IPv6: ADDRCONF(NETDEV_UP): veth0_vlan: link is not ready
[ 1051.057455] IPv6: ADDRCONF(NETDEV_UP): vlan0: link is not ready
[ 1051.065036] IPv6: ADDRCONF(NETDEV_UP): vlan1: link is not ready
[ 1051.074700] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 1051.082420] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 1051.089282] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 1051.098472] device veth0_vlan entered promiscuous mode
[ 1051.107205] device veth1_vlan entered promiscuous mode
[ 1051.113703] IPv6: ADDRCONF(NETDEV_UP): macvlan0: link is not ready
[ 1051.122560] IPv6: ADDRCONF(NETDEV_UP): macvlan1: link is not ready
[ 1051.135626] IPv6: ADDRCONF(NETDEV_UP): veth0_macvtap: link is not ready
[ 1051.145377] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan0: link becomes ready
[ 1051.153048] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan1: link becomes ready
[ 1051.161041] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 1051.171203] device veth0_macvtap entered promiscuous mode
[ 1051.181285] device veth1_macvtap entered promiscuous mode
[ 1051.189835] IPv6: ADDRCONF(NETDEV_UP): veth0_to_batadv: link is not ready
[ 1051.198734] IPv6: ADDRCONF(NETDEV_UP): veth1_to_batadv: link is not ready
[ 1051.208869] IPv6: ADDRCONF(NETDEV_UP): batadv_slave_0: link is not ready
[ 1051.216917] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 1051.223656] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready
[ 1051.231754] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 1051.242536] IPv6: ADDRCONF(NETDEV_UP): batadv_slave_1: link is not ready
[ 1051.249390] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 1051.256850] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready
[ 1051.265203] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 1054.491096] Bluetooth: hci0: command 0x0409 tx timeout
2020/08/05 11:42:19 executed programs: 125
[ 1056.570062] Bluetooth: hci0: command 0x041b tx timeout
[ 1058.649893] Bluetooth: hci0: command 0x040f tx timeout
2020/08/05 11:42:24 executed programs: 371
[ 1060.729895] Bluetooth: hci0: command 0x0419 tx timeout
2020/08/05 11:42:29 executed programs: 703
[ 1069.640974] ==================================================================
[ 1069.648484] BUG: KASAN: use-after-free in hci_chan_del+0x13e/0x180
[ 1069.654790] Read of size 8 at addr ffff8880a4975198 by task syz-executor.0/6487
[ 1069.662215] 
[ 1069.663839] CPU: 0 PID: 6487 Comm: syz-executor.0 Not tainted 4.19.137-syzkaller #0
[ 1069.671609] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 1069.680942] Call Trace:
[ 1069.683583]  dump_stack+0x1fc/0x2fe
[ 1069.687240]  ? l2cap_conn_del+0x6b0/0x6b0
[ 1069.691373]  print_address_description.cold+0x54/0x219
[ 1069.696631]  kasan_report_error.cold+0x8a/0x1c7
[ 1069.701368]  ? hci_chan_del+0x13e/0x180
[ 1069.705320]  __asan_report_load8_noabort+0x88/0x90
[ 1069.710230]  ? hci_chan_del+0x13e/0x180
[ 1069.714195]  hci_chan_del+0x13e/0x180
[ 1069.717985]  l2cap_conn_del+0x44f/0x6b0
[ 1069.721954]  ? l2cap_conn_del+0x6b0/0x6b0
[ 1069.726090]  l2cap_disconn_cfm+0x85/0xa0
[ 1069.730140]  hci_conn_hash_flush+0x114/0x220
[ 1069.734541]  hci_dev_do_close+0x624/0xe70
[ 1069.738680]  ? hci_dev_open+0x2a0/0x2a0
[ 1069.742636]  ? hci_unregister_dev+0x62/0x7f0
[ 1069.747029]  hci_unregister_dev+0x17c/0x7f0
[ 1069.751406]  ? vhci_close_dev+0x50/0x50
[ 1069.755375]  vhci_release+0x70/0xe0
[ 1069.758984]  __fput+0x2ce/0x890
[ 1069.762250]  task_work_run+0x148/0x1c0
[ 1069.766129]  do_exit+0xbb2/0x2b70
[ 1069.769577]  ? mm_update_next_owner+0x650/0x650
[ 1069.774229]  ? vfs_write+0x393/0x540
[ 1069.777940]  ? ksys_write+0x1c8/0x2a0
[ 1069.781725]  do_group_exit+0x125/0x310
[ 1069.785608]  __x64_sys_exit_group+0x3a/0x50
[ 1069.789935]  do_syscall_64+0xf9/0x620
[ 1069.793791]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 1069.798962] RIP: 0033:0x45ccd9
[ 1069.802137] Code: ff 64 48 8b 0c 25 f8 ff ff ff 48 3b 61 10 76 21 48 83 ec 18 48 89 6c 24 10 48 8d 6c 24 10 c6 04 24 01 e8 3a a4 fd ff 48 8b 6c <24> 10 48 83 c4 18 c3 e8 eb 31 00 00 eb c9 cc cc cc cc cc cc cc cc
[ 1069.821020] RSP: 002b:00007ffe431951c8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 1069.828707] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000045ccd9
[ 1069.835956] RDX: 0000000000416731 RSI: 0000000000ca85f0 RDI: 0000000000000043
[ 1069.843220] RBP: 00000000004c2963 R08: 000000000000000b R09: 0000000000000000
[ 1069.850469] R10: 0000000002416940 R11: 0000000000000246 R12: 0000000000000005
[ 1069.857716] R13: 00007ffe43195310 R14: 00000000001051f6 R15: 00007ffe43195320
[ 1069.864981] 
[ 1069.866598] Allocated by task 6487:
[ 1069.870209]  kmem_cache_alloc_trace+0x12f/0x380
[ 1069.874919]  sock_alloc_inode+0x5f/0x250
[ 1069.878961]  alloc_inode+0x5d/0x180
[ 1069.882580]  new_inode_pseudo+0x14/0xe0
[ 1069.886531]  sock_alloc+0x3c/0x260
[ 1069.890051]  __sock_create+0xba/0x740
[ 1069.893838]  __sys_socket+0xef/0x200
[ 1069.897527]  __x64_sys_socket+0x6f/0xb0
[ 1069.901499]  do_syscall_64+0xf9/0x620
[ 1069.905283]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 1069.910456] 
[ 1069.912074] Freed by task 10250:
[ 1069.915420]  kfree+0xcc/0x210
[ 1069.918503]  rcu_process_callbacks+0xa0d/0x18b0
[ 1069.923164]  __do_softirq+0x26c/0x9a0
[ 1069.926936] 
[ 1069.928552] The buggy address belongs to the object at ffff8880a4975180
[ 1069.928552]  which belongs to the cache kmalloc-128 of size 128
[ 1069.941208] The buggy address is located 24 bytes inside of
[ 1069.941208]  128-byte region [ffff8880a4975180, ffff8880a4975200)
[ 1069.953591] The buggy address belongs to the page:
[ 1069.958502] page:ffffea0002925d40 count:1 mapcount:0 mapping:ffff88812c39c640 index:0x0
[ 1069.966632] flags: 0xfffe0000000100(slab)
[ 1069.970761] raw: 00fffe0000000100 ffffea00025670c8 ffffea00023cc388 ffff88812c39c640
[ 1069.978630] raw: 0000000000000000 ffff8880a4975000 0000000100000015 0000000000000000
[ 1069.986484] page dumped because: kasan: bad access detected
[ 1069.992167] 
[ 1069.993771] Memory state around the buggy address:
[ 1069.998677]  ffff8880a4975080: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 1070.006026]  ffff8880a4975100: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 1070.013374] >ffff8880a4975180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1070.020716]                             ^
[ 1070.024844]  ffff8880a4975200: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 1070.032287]  ffff8880a4975280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 1070.039632] ==================================================================
[ 1070.047014] Disabling lock debugging due to kernel taint
[ 1070.053064] Kernel panic - not syncing: panic_on_warn set ...
[ 1070.053064] 
[ 1070.060440] CPU: 0 PID: 6487 Comm: syz-executor.0 Tainted: G    B             4.19.137-syzkaller #0
[ 1070.069616] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 1070.078964] Call Trace:
[ 1070.081556]  dump_stack+0x1fc/0x2fe
[ 1070.085186]  ? l2cap_conn_del+0x6b0/0x6b0
[ 1070.089332]  panic+0x26a/0x50e
[ 1070.092516]  ? __warn_printk+0xf3/0xf3
[ 1070.096382]  ? l2cap_conn_del+0x6b0/0x6b0
[ 1070.100510]  ? preempt_schedule_common+0x45/0xc0
[ 1070.105256]  ? ___preempt_schedule+0x16/0x18
[ 1070.109656]  ? trace_hardirqs_on+0x55/0x210
[ 1070.113967]  ? l2cap_conn_del+0x6b0/0x6b0
[ 1070.118103]  kasan_end_report+0x43/0x49
[ 1070.122062]  kasan_report_error.cold+0xa7/0x1c7
[ 1070.126718]  ? hci_chan_del+0x13e/0x180
[ 1070.130683]  __asan_report_load8_noabort+0x88/0x90
[ 1070.135598]  ? hci_chan_del+0x13e/0x180
[ 1070.139561]  hci_chan_del+0x13e/0x180
[ 1070.143360]  l2cap_conn_del+0x44f/0x6b0
[ 1070.147325]  ? l2cap_conn_del+0x6b0/0x6b0
[ 1070.151450]  l2cap_disconn_cfm+0x85/0xa0
[ 1070.155497]  hci_conn_hash_flush+0x114/0x220
[ 1070.159896]  hci_dev_do_close+0x624/0xe70
[ 1070.164035]  ? hci_dev_open+0x2a0/0x2a0
[ 1070.168083]  ? hci_unregister_dev+0x62/0x7f0
[ 1070.172482]  hci_unregister_dev+0x17c/0x7f0
[ 1070.176783]  ? vhci_close_dev+0x50/0x50
[ 1070.180749]  vhci_release+0x70/0xe0
[ 1070.184398]  __fput+0x2ce/0x890
[ 1070.187661]  task_work_run+0x148/0x1c0
[ 1070.191560]  do_exit+0xbb2/0x2b70
[ 1070.195012]  ? mm_update_next_owner+0x650/0x650
[ 1070.199660]  ? vfs_write+0x393/0x540
[ 1070.203353]  ? ksys_write+0x1c8/0x2a0
[ 1070.207135]  do_group_exit+0x125/0x310
[ 1070.211020]  __x64_sys_exit_group+0x3a/0x50
[ 1070.215331]  do_syscall_64+0xf9/0x620
[ 1070.219118]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 1070.224423] RIP: 0033:0x45ccd9
[ 1070.227595] Code: ff 64 48 8b 0c 25 f8 ff ff ff 48 3b 61 10 76 21 48 83 ec 18 48 89 6c 24 10 48 8d 6c 24 10 c6 04 24 01 e8 3a a4 fd ff 48 8b 6c <24> 10 48 83 c4 18 c3 e8 eb 31 00 00 eb c9 cc cc cc cc cc cc cc cc
[ 1070.246562] RSP: 002b:00007ffe431951c8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 1070.254247] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000045ccd9
[ 1070.261504] RDX: 0000000000416731 RSI: 0000000000ca85f0 RDI: 0000000000000043
[ 1070.268781] RBP: 00000000004c2963 R08: 000000000000000b R09: 0000000000000000
[ 1070.276031] R10: 0000000002416940 R11: 0000000000000246 R12: 0000000000000005
[ 1070.283282] R13: 00007ffe43195310 R14: 00000000001051f6 R15: 00007ffe43195320
[ 1070.291258] Kernel Offset: disabled
[ 1070.294893] Rebooting in 86400 seconds..