[  OK  ] Reached target Graphical Interface.
         Starting Update UTMP about System Runlevel Changes...
[  OK  ] Started Update UTMP about System Runlevel Changes.
         Starting Load/Save RF Kill Switch Status...
[  OK  ] Started Load/Save RF Kill Switch Status.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.0.17' (ECDSA) to the list of known hosts.
2020/08/05 11:42:14 parsed 1 programs
2020/08/05 11:42:14 executed programs: 0

syzkaller login: [ 1050.045251] audit: type=1400 audit(1596627734.610:8): avc:  denied  { execmem } for  pid=6486 comm="syz-executor.0" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=1
[ 1050.083988] IPVS: ftp: loaded support on port[0] = 21
[ 1050.168957] chnl_net:caif_netlink_parms(): no params data found
[ 1050.273083] bridge0: port 1(bridge_slave_0) entered blocking state
[ 1050.279667] bridge0: port 1(bridge_slave_0) entered disabled state
[ 1050.287569] device bridge_slave_0 entered promiscuous mode
[ 1050.295500] bridge0: port 2(bridge_slave_1) entered blocking state
[ 1050.302190] bridge0: port 2(bridge_slave_1) entered disabled state
[ 1050.309088] device bridge_slave_1 entered promiscuous mode
[ 1050.327016] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 1050.335838] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 1050.355102] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 1050.362534] team0: Port device team_slave_0 added
[ 1050.367988] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 1050.375903] team0: Port device team_slave_1 added
[ 1050.391062] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 1050.397289] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 1050.422823] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[ 1050.434334] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 1050.440628] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 1050.465866] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[ 1050.476822] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[ 1050.484512] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[ 1050.552737] device hsr_slave_0 entered promiscuous mode
[ 1050.590153] device hsr_slave_1 entered promiscuous mode
[ 1050.630812] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready
[ 1050.637899] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_1: link is not ready
[ 1050.705090] bridge0: port 2(bridge_slave_1) entered blocking state
[ 1050.711509] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 1050.718191] bridge0: port 1(bridge_slave_0) entered blocking state
[ 1050.724609] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 1050.757508] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[ 1050.764976] 8021q: adding VLAN 0 to HW filter on device bond0
[ 1050.773640] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 1050.783838] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 1050.801981] bridge0: port 1(bridge_slave_0) entered disabled state
[ 1050.809187] bridge0: port 2(bridge_slave_1) entered disabled state
[ 1050.816871] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 1050.827871] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready
[ 1050.834143] 8021q: adding VLAN 0 to HW filter on device team0
[ 1050.843809] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 1050.851731] bridge0: port 1(bridge_slave_0) entered blocking state
[ 1050.858075] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 1050.881214] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 1050.888842] bridge0: port 2(bridge_slave_1) entered blocking state
[ 1050.895253] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 1050.903318] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 1050.911330] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 1050.918806] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 1050.926421] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 1050.935208] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 1050.942983] IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready
[ 1050.948978] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 1050.963432] IPv6: ADDRCONF(NETDEV_UP): vxcan0: link is not ready
[ 1050.971293] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 1050.977924] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 1050.988682] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 1051.003917] IPv6: ADDRCONF(NETDEV_UP): veth0_virt_wifi: link is not ready
[ 1051.013493] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 1051.049734] IPv6: ADDRCONF(NETDEV_UP): veth0_vlan: link is not ready
[ 1051.057455] IPv6: ADDRCONF(NETDEV_UP): vlan0: link is not ready
[ 1051.065036] IPv6: ADDRCONF(NETDEV_UP): vlan1: link is not ready
[ 1051.074700] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 1051.082420] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 1051.089282] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 1051.098472] device veth0_vlan entered promiscuous mode
[ 1051.107205] device veth1_vlan entered promiscuous mode
[ 1051.113703] IPv6: ADDRCONF(NETDEV_UP): macvlan0: link is not ready
[ 1051.122560] IPv6: ADDRCONF(NETDEV_UP): macvlan1: link is not ready
[ 1051.135626] IPv6: ADDRCONF(NETDEV_UP): veth0_macvtap: link is not ready
[ 1051.145377] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan0: link becomes ready
[ 1051.153048] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan1: link becomes ready
[ 1051.161041] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 1051.171203] device veth0_macvtap entered promiscuous mode
[ 1051.181285] device veth1_macvtap entered promiscuous mode
[ 1051.189835] IPv6: ADDRCONF(NETDEV_UP): veth0_to_batadv: link is not ready
[ 1051.198734] IPv6: ADDRCONF(NETDEV_UP): veth1_to_batadv: link is not ready
[ 1051.208869] IPv6: ADDRCONF(NETDEV_UP): batadv_slave_0: link is not ready
[ 1051.216917] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 1051.223656] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready
[ 1051.231754] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 1051.242536] IPv6: ADDRCONF(NETDEV_UP): batadv_slave_1: link is not ready
[ 1051.249390] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 1051.256850] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready
[ 1051.265203] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 1054.491096] Bluetooth: hci0: command 0x0409 tx timeout
2020/08/05 11:42:19 executed programs: 125
[ 1056.570062] Bluetooth: hci0: command 0x041b tx timeout
[ 1058.649893] Bluetooth: hci0: command 0x040f tx timeout
2020/08/05 11:42:24 executed programs: 371
[ 1060.729895] Bluetooth: hci0: command 0x0419 tx timeout
2020/08/05 11:42:29 executed programs: 703
[ 1069.640974] ==================================================================
[ 1069.648484] BUG: KASAN: use-after-free in hci_chan_del+0x13e/0x180
[ 1069.654790] Read of size 8 at addr ffff8880a4975198 by task syz-executor.0/6487
[ 1069.662215]
[ 1069.663839] CPU: 0 PID: 6487 Comm: syz-executor.0 Not tainted 4.19.137-syzkaller #0
[ 1069.671609] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 1069.680942] Call Trace:
[ 1069.683583]  dump_stack+0x1fc/0x2fe
[ 1069.687240]  ? l2cap_conn_del+0x6b0/0x6b0
[ 1069.691373]  print_address_description.cold+0x54/0x219
[ 1069.696631]  kasan_report_error.cold+0x8a/0x1c7
[ 1069.701368]  ? hci_chan_del+0x13e/0x180
[ 1069.705320]  __asan_report_load8_noabort+0x88/0x90
[ 1069.710230]  ? hci_chan_del+0x13e/0x180
[ 1069.714195]  hci_chan_del+0x13e/0x180
[ 1069.717985]  l2cap_conn_del+0x44f/0x6b0
[ 1069.721954]  ? l2cap_conn_del+0x6b0/0x6b0
[ 1069.726090]  l2cap_disconn_cfm+0x85/0xa0
[ 1069.730140]  hci_conn_hash_flush+0x114/0x220
[ 1069.734541]  hci_dev_do_close+0x624/0xe70
[ 1069.738680]  ? hci_dev_open+0x2a0/0x2a0
[ 1069.742636]  ? hci_unregister_dev+0x62/0x7f0
[ 1069.747029]  hci_unregister_dev+0x17c/0x7f0
[ 1069.751406]  ? vhci_close_dev+0x50/0x50
[ 1069.755375]  vhci_release+0x70/0xe0
[ 1069.758984]  __fput+0x2ce/0x890
[ 1069.762250]  task_work_run+0x148/0x1c0
[ 1069.766129]  do_exit+0xbb2/0x2b70
[ 1069.769577]  ? mm_update_next_owner+0x650/0x650
[ 1069.774229]  ? vfs_write+0x393/0x540
[ 1069.777940]  ? ksys_write+0x1c8/0x2a0
[ 1069.781725]  do_group_exit+0x125/0x310
[ 1069.785608]  __x64_sys_exit_group+0x3a/0x50
[ 1069.789935]  do_syscall_64+0xf9/0x620
[ 1069.793791]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 1069.798962] RIP: 0033:0x45ccd9
[ 1069.802137] Code: ff 64 48 8b 0c 25 f8 ff ff ff 48 3b 61 10 76 21 48 83 ec 18 48 89 6c 24 10 48 8d 6c 24 10 c6 04 24 01 e8 3a a4 fd ff 48 8b 6c <24> 10 48 83 c4 18 c3 e8 eb 31 00 00 eb c9 cc cc cc cc cc cc cc cc
[ 1069.821020] RSP: 002b:00007ffe431951c8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 1069.828707] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000045ccd9
[ 1069.835956] RDX: 0000000000416731 RSI: 0000000000ca85f0 RDI: 0000000000000043
[ 1069.843220] RBP: 00000000004c2963 R08: 000000000000000b R09: 0000000000000000
[ 1069.850469] R10: 0000000002416940 R11: 0000000000000246 R12: 0000000000000005
[ 1069.857716] R13: 00007ffe43195310 R14: 00000000001051f6 R15: 00007ffe43195320
[ 1069.864981]
[ 1069.866598] Allocated by task 6487:
[ 1069.870209]  kmem_cache_alloc_trace+0x12f/0x380
[ 1069.874919]  sock_alloc_inode+0x5f/0x250
[ 1069.878961]  alloc_inode+0x5d/0x180
[ 1069.882580]  new_inode_pseudo+0x14/0xe0
[ 1069.886531]  sock_alloc+0x3c/0x260
[ 1069.890051]  __sock_create+0xba/0x740
[ 1069.893838]  __sys_socket+0xef/0x200
[ 1069.897527]  __x64_sys_socket+0x6f/0xb0
[ 1069.901499]  do_syscall_64+0xf9/0x620
[ 1069.905283]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 1069.910456]
[ 1069.912074] Freed by task 10250:
[ 1069.915420]  kfree+0xcc/0x210
[ 1069.918503]  rcu_process_callbacks+0xa0d/0x18b0
[ 1069.923164]  __do_softirq+0x26c/0x9a0
[ 1069.926936]
[ 1069.928552] The buggy address belongs to the object at ffff8880a4975180
[ 1069.928552]  which belongs to the cache kmalloc-128 of size 128
[ 1069.941208] The buggy address is located 24 bytes inside of
[ 1069.941208]  128-byte region [ffff8880a4975180, ffff8880a4975200)
[ 1069.953591] The buggy address belongs to the page:
[ 1069.958502] page:ffffea0002925d40 count:1 mapcount:0 mapping:ffff88812c39c640 index:0x0
[ 1069.966632] flags: 0xfffe0000000100(slab)
[ 1069.970761] raw: 00fffe0000000100 ffffea00025670c8 ffffea00023cc388 ffff88812c39c640
[ 1069.978630] raw: 0000000000000000 ffff8880a4975000 0000000100000015 0000000000000000
[ 1069.986484] page dumped because: kasan: bad access detected
[ 1069.992167]
[ 1069.993771] Memory state around the buggy address:
[ 1069.998677]  ffff8880a4975080: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 1070.006026]  ffff8880a4975100: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 1070.013374] >ffff8880a4975180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1070.020716]                             ^
[ 1070.024844]  ffff8880a4975200: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 1070.032287]  ffff8880a4975280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 1070.039632] ==================================================================
[ 1070.047014] Disabling lock debugging due to kernel taint
[ 1070.053064] Kernel panic - not syncing: panic_on_warn set ...
[ 1070.053064]
[ 1070.060440] CPU: 0 PID: 6487 Comm: syz-executor.0 Tainted: G    B             4.19.137-syzkaller #0
[ 1070.069616] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 1070.078964] Call Trace:
[ 1070.081556]  dump_stack+0x1fc/0x2fe
[ 1070.085186]  ? l2cap_conn_del+0x6b0/0x6b0
[ 1070.089332]  panic+0x26a/0x50e
[ 1070.092516]  ? __warn_printk+0xf3/0xf3
[ 1070.096382]  ? l2cap_conn_del+0x6b0/0x6b0
[ 1070.100510]  ? preempt_schedule_common+0x45/0xc0
[ 1070.105256]  ? ___preempt_schedule+0x16/0x18
[ 1070.109656]  ? trace_hardirqs_on+0x55/0x210
[ 1070.113967]  ? l2cap_conn_del+0x6b0/0x6b0
[ 1070.118103]  kasan_end_report+0x43/0x49
[ 1070.122062]  kasan_report_error.cold+0xa7/0x1c7
[ 1070.126718]  ? hci_chan_del+0x13e/0x180
[ 1070.130683]  __asan_report_load8_noabort+0x88/0x90
[ 1070.135598]  ? hci_chan_del+0x13e/0x180
[ 1070.139561]  hci_chan_del+0x13e/0x180
[ 1070.143360]  l2cap_conn_del+0x44f/0x6b0
[ 1070.147325]  ? l2cap_conn_del+0x6b0/0x6b0
[ 1070.151450]  l2cap_disconn_cfm+0x85/0xa0
[ 1070.155497]  hci_conn_hash_flush+0x114/0x220
[ 1070.159896]  hci_dev_do_close+0x624/0xe70
[ 1070.164035]  ? hci_dev_open+0x2a0/0x2a0
[ 1070.168083]  ? hci_unregister_dev+0x62/0x7f0
[ 1070.172482]  hci_unregister_dev+0x17c/0x7f0
[ 1070.176783]  ? vhci_close_dev+0x50/0x50
[ 1070.180749]  vhci_release+0x70/0xe0
[ 1070.184398]  __fput+0x2ce/0x890
[ 1070.187661]  task_work_run+0x148/0x1c0
[ 1070.191560]  do_exit+0xbb2/0x2b70
[ 1070.195012]  ? mm_update_next_owner+0x650/0x650
[ 1070.199660]  ? vfs_write+0x393/0x540
[ 1070.203353]  ? ksys_write+0x1c8/0x2a0
[ 1070.207135]  do_group_exit+0x125/0x310
[ 1070.211020]  __x64_sys_exit_group+0x3a/0x50
[ 1070.215331]  do_syscall_64+0xf9/0x620
[ 1070.219118]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 1070.224423] RIP: 0033:0x45ccd9
[ 1070.227595] Code: ff 64 48 8b 0c 25 f8 ff ff ff 48 3b 61 10 76 21 48 83 ec 18 48 89 6c 24 10 48 8d 6c 24 10 c6 04 24 01 e8 3a a4 fd ff 48 8b 6c <24> 10 48 83 c4 18 c3 e8 eb 31 00 00 eb c9 cc cc cc cc cc cc cc cc
[ 1070.246562] RSP: 002b:00007ffe431951c8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 1070.254247] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000045ccd9
[ 1070.261504] RDX: 0000000000416731 RSI: 0000000000ca85f0 RDI: 0000000000000043
[ 1070.268781] RBP: 00000000004c2963 R08: 000000000000000b R09: 0000000000000000
[ 1070.276031] R10: 0000000002416940 R11: 0000000000000246 R12: 0000000000000005
[ 1070.283282] R13: 00007ffe43195310 R14: 00000000001051f6 R15: 00007ffe43195320
[ 1070.291258] Kernel Offset: disabled
[ 1070.294893] Rebooting in 86400 seconds..
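Added example, not part of the syzkaller console log above: a small Python triage parser that pulls the fields a responder actually reads out of a KASAN report of this shape (bug class and faulting function, access size and address, the crash/alloc/free stacks, the slab cache, and the offset inside the object). The sample input is constructed by copying lines from the report above and dropping the boot and network-setup noise and the register dump; the set of KASAN reporting frames to skip (NOISE) and all function names are my own. A frame printed as "? sym" is the x86 unwinder marking a stale address it found on the stack but could not verify as a return address, so those are dropped; the first surviving frame is then the faulting function (hci_chan_del), with the teardown path l2cap_conn_del, l2cap_disconn_cfm, hci_conn_hash_flush, hci_dev_do_close, hci_unregister_dev, vhci_release under it. The offset cross-check (access address minus object address must equal the stated 24 bytes) is a cheap way to catch a truncated or mis-pasted report before anyone starts bisecting on it.

```python
"""Extract the triage-relevant fields from a syzkaller KASAN console report."""
import re

# Constructed sample input: lines copied from the report above, with the boot
# and network-setup noise and the register dump left out.
SAMPLE_LOG = """\
[ 1069.648484] BUG: KASAN: use-after-free in hci_chan_del+0x13e/0x180
[ 1069.654790] Read of size 8 at addr ffff8880a4975198 by task syz-executor.0/6487
[ 1069.662215]
[ 1069.680942] Call Trace:
[ 1069.683583]  dump_stack+0x1fc/0x2fe
[ 1069.691373]  print_address_description.cold+0x54/0x219
[ 1069.696631]  kasan_report_error.cold+0x8a/0x1c7
[ 1069.705320]  __asan_report_load8_noabort+0x88/0x90
[ 1069.710230]  ? hci_chan_del+0x13e/0x180
[ 1069.714195]  hci_chan_del+0x13e/0x180
[ 1069.717985]  l2cap_conn_del+0x44f/0x6b0
[ 1069.726090]  l2cap_disconn_cfm+0x85/0xa0
[ 1069.730140]  hci_conn_hash_flush+0x114/0x220
[ 1069.734541]  hci_dev_do_close+0x624/0xe70
[ 1069.747029]  hci_unregister_dev+0x17c/0x7f0
[ 1069.755375]  vhci_release+0x70/0xe0
[ 1069.798962] RIP: 0033:0x45ccd9
[ 1069.864981]
[ 1069.866598] Allocated by task 6487:
[ 1069.870209]  kmem_cache_alloc_trace+0x12f/0x380
[ 1069.874919]  sock_alloc_inode+0x5f/0x250
[ 1069.910456]
[ 1069.912074] Freed by task 10250:
[ 1069.915420]  kfree+0xcc/0x210
[ 1069.918503]  rcu_process_callbacks+0xa0d/0x18b0
[ 1069.926936]
[ 1069.928552] The buggy address belongs to the object at ffff8880a4975180
[ 1069.928552]  which belongs to the cache kmalloc-128 of size 128
[ 1069.941208] The buggy address is located 24 bytes inside of
[ 1069.941208]  128-byte region [ffff8880a4975180, ffff8880a4975200)
"""

TS = re.compile(r"^\[\s*\d+\.\d+\]\s?(.*)$")                     # "[ secs.usecs] rest"
HEADER = re.compile(r"BUG: KASAN: (?P<kind>[\w-]+) in (?P<func>[\w.]+)\+0x")
ACCESS = re.compile(r"(?P<rw>Read|Write) of size (?P<size>\d+) at addr (?P<addr>[0-9a-f]+)"
                    r" by task (?P<comm>\S+)/(?P<pid>\d+)")
STACK = re.compile(r"^(?:Call Trace:|Allocated by task (?P<alloc>\d+):|Freed by task (?P<free>\d+):)")
FRAME = re.compile(r"^\s+(?P<unreliable>\? )?(?P<sym>[\w.]+)\+0x[0-9a-f]+/0x")
OBJECT = re.compile(r"object at (?P<obj>[0-9a-f]+)|cache (?P<cache>\S+) of size \d+|"
                    r"located (?P<off>\d+) bytes inside")
# Frames from KASAN's own reporting path (my choice); they sit above the faulting function.
NOISE = ("dump_stack", "print_address_description", "kasan_report", "__asan_report")

def parse_kasan(log: str) -> dict:
    r = {"kind": "", "func": "", "rw": "", "size": 0, "addr": 0, "comm": "", "pid": 0,
         "crash_stack": [], "alloc_pid": 0, "alloc_stack": [], "free_pid": 0,
         "free_stack": [], "obj_addr": 0, "cache": "", "offset": -1}
    section = None                              # stack list currently being filled
    for raw in log.splitlines():
        m = TS.match(raw)
        line = m.group(1) if m else raw          # drop the "[ secs ]" prefix
        if (h := HEADER.search(line)):
            r["kind"], r["func"] = h["kind"], h["func"]
        elif (a := ACCESS.search(line)):
            r["rw"], r["size"], r["addr"] = a["rw"], int(a["size"]), int(a["addr"], 16)
            r["comm"], r["pid"] = a["comm"], int(a["pid"])
        elif (s := STACK.match(line)):
            if s["alloc"]:
                r["alloc_pid"], section = int(s["alloc"]), r["alloc_stack"]
            elif s["free"]:
                r["free_pid"], section = int(s["free"]), r["free_stack"]
            else:
                section = r["crash_stack"]
        elif (f := FRAME.match(line)) and section is not None:
            if not f["unreliable"]:   # "? sym" is a stale address the unwinder could not verify
                section.append(f["sym"])
        elif not line.strip():
            section = None            # a blank line closes the current stack
        else:
            for o in OBJECT.finditer(line):
                if o["obj"]:
                    r["obj_addr"] = int(o["obj"], 16)
                elif o["cache"]:
                    r["cache"] = o["cache"]
                elif o["off"]:
                    r["offset"] = int(o["off"])
    return r

def culprit_frames(r: dict) -> list:
    """Crash stack minus KASAN's reporting frames, so [0] is the faulting function."""
    return [s for s in r["crash_stack"] if not s.startswith(NOISE)]

def offset_consistent(r: dict) -> bool:
    """Cross-check the stated offset against the access and object addresses."""
    return r["obj_addr"] != 0 and r["addr"] - r["obj_addr"] == r["offset"]

def summarize(r: dict) -> str:
    path = " <- ".join(culprit_frames(r)[:5])
    return (f"KASAN {r['kind']}: {r['rw'].lower()} of {r['size']} bytes in {r['func']} "
            f"by {r['comm']}/{r['pid']}; {r['cache']} object freed by task {r['free_pid']}, "
            f"offset {r['offset']}; {path}")

if __name__ == "__main__":
    print(summarize(parse_kasan(SAMPLE_LOG)))
```

Run it on a full console log and the same functions work unchanged: everything before the "BUG: KASAN:" header falls through the parser without matching, and the second (panic) call trace is ignored because its "Call Trace:" line only resets the section after the first stack has already been captured into the same list; if you need the panic trace separately, start a new list when the "Kernel panic" line is seen.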