Warning: Permanently added '10.128.0.241' (ECDSA) to the list of known hosts.
2020/08/05 13:21:53 parsed 1 programs
2020/08/05 13:21:54 executed programs: 0
syzkaller login: [ 39.624508] audit: type=1400 audit(1596633714.146:8): avc: denied { execmem } for pid=6500 comm="syz-executor.0" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=1
[ 39.654390] IPVS: ftp: loaded support on port[0] = 21
[ 39.736873] chnl_net:caif_netlink_parms(): no params data found
[ 39.826095] bridge0: port 1(bridge_slave_0) entered blocking state
[ 39.832787] bridge0: port 1(bridge_slave_0) entered disabled state
[ 39.840336] device bridge_slave_0 entered promiscuous mode
[ 39.847893] bridge0: port 2(bridge_slave_1) entered blocking state
[ 39.855096] bridge0: port 2(bridge_slave_1) entered disabled state
[ 39.862035] device bridge_slave_1 entered promiscuous mode
[ 39.879493] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 39.888497] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 39.907144] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 39.914806] team0: Port device team_slave_0 added
[ 39.920319] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 39.928912] team0: Port device team_slave_1 added
[ 39.945658] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 39.951907] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 39.977276] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[ 39.988903] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 39.995217] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 40.020466] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[ 40.031409] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[ 40.039109] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[ 40.106986] device hsr_slave_0 entered promiscuous mode
[ 40.144507] device hsr_slave_1 entered promiscuous mode
[ 40.205123] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready
[ 40.212220] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_1: link is not ready
[ 40.277431] bridge0: port 2(bridge_slave_1) entered blocking state
[ 40.283896] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 40.290897] bridge0: port 1(bridge_slave_0) entered blocking state
[ 40.297347] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 40.330428] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[ 40.337596] 8021q: adding VLAN 0 to HW filter on device bond0
[ 40.347057] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 40.356976] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 40.376160] bridge0: port 1(bridge_slave_0) entered disabled state
[ 40.383261] bridge0: port 2(bridge_slave_1) entered disabled state
[ 40.390986] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 40.402245] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready
[ 40.408999] 8021q: adding VLAN 0 to HW filter on device team0
[ 40.418167] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 40.426204] bridge0: port 1(bridge_slave_0) entered blocking state
[ 40.432528] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 40.456020] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 40.463623] bridge0: port 2(bridge_slave_1) entered blocking state
[ 40.470032] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 40.477301] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 40.485547] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 40.493086] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 40.500724] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 40.509563] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 40.519074] IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready
[ 40.525178] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 40.538823] IPv6: ADDRCONF(NETDEV_UP): vxcan0: link is not ready
[ 40.546861] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 40.553507] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 40.566570] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 40.579988] IPv6: ADDRCONF(NETDEV_UP): veth0_virt_wifi: link is not ready
[ 40.589852] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 40.623876] IPv6: ADDRCONF(NETDEV_UP): veth0_vlan: link is not ready
[ 40.631058] IPv6: ADDRCONF(NETDEV_UP): vlan0: link is not ready
[ 40.639002] IPv6: ADDRCONF(NETDEV_UP): vlan1: link is not ready
[ 40.648982] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 40.657238] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 40.664719] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 40.673205] device veth0_vlan entered promiscuous mode
[ 40.682364] device veth1_vlan entered promiscuous mode
[ 40.688729] IPv6: ADDRCONF(NETDEV_UP): macvlan0: link is not ready
[ 40.699763] IPv6: ADDRCONF(NETDEV_UP): macvlan1: link is not ready
[ 40.711719] IPv6: ADDRCONF(NETDEV_UP): veth0_macvtap: link is not ready
[ 40.719784] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan0: link becomes ready
[ 40.727818] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan1: link becomes ready
[ 40.737024] IPv6: ADDRCONF(NETDEV_UP): veth1_macvtap: link is not ready
[ 40.744529] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_macvtap: link becomes ready
[ 40.752175] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 40.762109] device veth0_macvtap entered promiscuous mode
[ 40.769074] IPv6: ADDRCONF(NETDEV_UP): macvtap0: link is not ready
[ 40.777454] device veth1_macvtap entered promiscuous mode
[ 40.783494] IPv6: ADDRCONF(NETDEV_UP): macsec0: link is not ready
[ 40.792124] IPv6: ADDRCONF(NETDEV_UP): veth0_to_batadv: link is not ready
[ 40.801206] IPv6: ADDRCONF(NETDEV_UP): veth1_to_batadv: link is not ready
[ 40.810411] IPv6: ADDRCONF(NETDEV_UP): batadv_slave_0: link is not ready
[ 40.817696] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 40.825755] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready
[ 40.832973] IPv6: ADDRCONF(NETDEV_CHANGE): macsec0: link becomes ready
[ 40.840487] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready
[ 40.848265] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 40.858972] IPv6: ADDRCONF(NETDEV_UP): batadv_slave_1: link is not ready
[ 40.866849] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 40.874399] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready
[ 40.882140] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 42.493998] ==================================================================
[ 42.501457] BUG: KASAN: use-after-free in hci_chan_del+0x13e/0x180
[ 42.507764] Read of size 8 at addr ffff8880a006a198 by task syz-executor.0/6501
[ 42.515185]
[ 42.516795] CPU: 0 PID: 6501 Comm: syz-executor.0 Not tainted 4.19.137-syzkaller #0
[ 42.524565] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 42.533894] Call Trace:
[ 42.536469]  dump_stack+0x1fc/0x2fe
[ 42.540078]  ? l2cap_conn_del+0x6b0/0x6b0
[ 42.544209]  print_address_description.cold+0x54/0x219
[ 42.549464]  kasan_report_error.cold+0x8a/0x1c7
[ 42.554116]  ? hci_chan_del+0x13e/0x180
[ 42.558073]  __asan_report_load8_noabort+0x88/0x90
[ 42.562991]  ? hci_chan_del+0x13e/0x180
[ 42.566955]  hci_chan_del+0x13e/0x180
[ 42.570737]  l2cap_conn_del+0x44f/0x6b0
[ 42.574693]  ? l2cap_conn_del+0x6b0/0x6b0
[ 42.578819]  l2cap_disconn_cfm+0x85/0xa0
[ 42.582860]  hci_conn_hash_flush+0x114/0x220
[ 42.587251]  hci_dev_do_close+0x624/0xe70
[ 42.591379]  ? hci_dev_open+0x2a0/0x2a0
[ 42.595334]  ? hci_unregister_dev+0x62/0x7f0
[ 42.599897]  hci_unregister_dev+0x17c/0x7f0
[ 42.604199]  ? vhci_close_dev+0x50/0x50
[ 42.608149]  vhci_release+0x70/0xe0
[ 42.611842]  __fput+0x2ce/0x890
[ 42.615107]  task_work_run+0x148/0x1c0
[ 42.618976]  do_exit+0xbb2/0x2b70
[ 42.622412]  ? mm_update_next_owner+0x650/0x650
[ 42.627061]  ? vfs_write+0x393/0x540
[ 42.630753]  ? ksys_write+0x1c8/0x2a0
[ 42.634887]  do_group_exit+0x125/0x310
[ 42.638841]  __x64_sys_exit_group+0x3a/0x50
[ 42.643152]  do_syscall_64+0xf9/0x620
[ 42.646945]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 42.652139] RIP: 0033:0x45ccd9
[ 42.655314] Code: ff 64 48 8b 0c 25 f8 ff ff ff 48 3b 61 10 76 21 48 83 ec 18 48 89 6c 24 10 48 8d 6c 24 10 c6 04 24 01 e8 3a a4 fd ff 48 8b 6c <24> 10 48 83 c4 18 c3 e8 eb 31 00 00 eb c9 cc cc cc cc cc cc cc cc
[ 42.675155] RSP: 002b:00007ffdddd10e28 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 42.682842] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000045ccd9
[ 42.690090] RDX: 0000000000416731 RSI: 0000000000ca85f0 RDI: 0000000000000043
[ 42.697342] RBP: 00000000004c2963 R08: 000000000000000b R09: 0000000000000000
[ 42.704591] R10: 0000000001516940 R11: 0000000000000246 R12: 0000000000000010
[ 42.711839] R13: 00007ffdddd10f70 R14: 000000000000a5a8 R15: 00007ffdddd10f80
[ 42.719119]
[ 42.720733] Allocated by task 6728:
[ 42.724347]  kmem_cache_alloc_trace+0x12f/0x380
[ 42.729089]  hci_chan_create+0x8e/0x310
[ 42.733041]  l2cap_conn_add.part.0+0x18/0xc40
[ 42.737516]  l2cap_connect_cfm+0x236/0xe70
[ 42.741730]  le_conn_complete_evt+0x111b/0x1730
[ 42.746386]  hci_le_meta_evt+0x32c/0x3a50
[ 42.750515]  hci_event_packet+0x1a29/0x858f
[ 42.754816]  hci_rx_work+0x46b/0xa90
[ 42.758518]  process_one_work+0x864/0x1570
[ 42.762745]  worker_thread+0x64c/0x1130
[ 42.766710]  kthread+0x30b/0x410
[ 42.770055]  ret_from_fork+0x24/0x30
[ 42.773742]
[ 42.775348] Freed by task 6728:
[ 42.778606]  kfree+0xcc/0x210
[ 42.781689]  hci_event_packet+0xf52/0x858f
[ 42.785903]  hci_rx_work+0x46b/0xa90
[ 42.789612]  process_one_work+0x864/0x1570
[ 42.793825]  worker_thread+0x64c/0x1130
[ 42.797776]  kthread+0x30b/0x410
[ 42.801122]  ret_from_fork+0x24/0x30
[ 42.804811]
[ 42.806416] The buggy address belongs to the object at ffff8880a006a180
[ 42.806416]  which belongs to the cache kmalloc-128 of size 128
[ 42.819064] The buggy address is located 24 bytes inside of
[ 42.819064]  128-byte region [ffff8880a006a180, ffff8880a006a200)
[ 42.830859] The buggy address belongs to the page:
[ 42.835772] page:ffffea0002801a80 count:1 mapcount:0 mapping:ffff88812c39c640 index:0x0
[ 42.843915] flags: 0xfffe0000000100(slab)
[ 42.848044] raw: 00fffe0000000100 ffffea0002201508 ffffea00027fac88 ffff88812c39c640
[ 42.855904] raw: 0000000000000000 ffff8880a006a000 0000000100000015 0000000000000000
[ 42.863759] page dumped because: kasan: bad access detected
[ 42.869443]
[ 42.871045] Memory state around the buggy address:
[ 42.875950]  ffff8880a006a080: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
[ 42.883295]  ffff8880a006a100: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
[ 42.890642] >ffff8880a006a180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 42.897976]                             ^
[ 42.902450]  ffff8880a006a200: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 42.910582]  ffff8880a006a280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 42.917932] ==================================================================
[ 42.925292] Disabling lock debugging due to kernel taint
[ 42.933854] Kernel panic - not syncing: panic_on_warn set ...
[ 42.933854]
[ 42.941241] CPU: 1 PID: 6501 Comm: syz-executor.0 Tainted: G B 4.19.137-syzkaller #0
[ 42.951556] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 42.960906] Call Trace:
[ 42.963482]  dump_stack+0x1fc/0x2fe
[ 42.968045]  ? l2cap_conn_del+0x6b0/0x6b0
[ 42.972169]  panic+0x26a/0x50e
[ 42.975339]  ? __warn_printk+0xf3/0xf3
[ 42.979204]  ? l2cap_conn_del+0x6b0/0x6b0
[ 42.983379]  ? preempt_schedule_common+0x45/0xc0
[ 42.988113]  ? ___preempt_schedule+0x16/0x18
[ 42.992500]  ? trace_hardirqs_on+0x55/0x210
[ 42.996801]  ? l2cap_conn_del+0x6b0/0x6b0
[ 43.000928]  kasan_end_report+0x43/0x49
[ 43.004880]  kasan_report_error.cold+0xa7/0x1c7
[ 43.009528]  ? hci_chan_del+0x13e/0x180
[ 43.013478]  __asan_report_load8_noabort+0x88/0x90
[ 43.018821]  ? hci_chan_del+0x13e/0x180
[ 43.022777]  hci_chan_del+0x13e/0x180
[ 43.026558]  l2cap_conn_del+0x44f/0x6b0
[ 43.030510]  ? l2cap_conn_del+0x6b0/0x6b0
[ 43.034649]  l2cap_disconn_cfm+0x85/0xa0
[ 43.038688]  hci_conn_hash_flush+0x114/0x220
[ 43.043078]  hci_dev_do_close+0x624/0xe70
[ 43.047206]  ? hci_dev_open+0x2a0/0x2a0
[ 43.051156]  ? hci_unregister_dev+0x62/0x7f0
[ 43.055545]  hci_unregister_dev+0x17c/0x7f0
[ 43.059847]  ? vhci_close_dev+0x50/0x50
[ 43.063796]  vhci_release+0x70/0xe0
[ 43.067403]  __fput+0x2ce/0x890
[ 43.070663]  task_work_run+0x148/0x1c0
[ 43.074529]  do_exit+0xbb2/0x2b70
[ 43.077979]  ? mm_update_next_owner+0x650/0x650
[ 43.082624]  ? vfs_write+0x393/0x540
[ 43.086315]  ? ksys_write+0x1c8/0x2a0
[ 43.090094]  do_group_exit+0x125/0x310
[ 43.093960]  __x64_sys_exit_group+0x3a/0x50
[ 43.098262]  do_syscall_64+0xf9/0x620
[ 43.102057]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 43.107224] RIP: 0033:0x45ccd9
[ 43.110418] Code: Bad RIP value.
[ 43.113760] RSP: 002b:00007ffdddd10e28 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 43.121458] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000045ccd9
[ 43.128723] RDX: 0000000000416731 RSI: 0000000000ca85f0 RDI: 0000000000000043
[ 43.136089] RBP: 00000000004c2963 R08: 000000000000000b R09: 0000000000000000
[ 43.143682] R10: 0000000001516940 R11: 0000000000000246 R12: 0000000000000010
[ 43.150938] R13: 00007ffdddd10f70 R14: 000000000000a5a8 R15: 00007ffdddd10f80
[ 43.159423] Kernel Offset: disabled
[ 43.163049] Rebooting in 86400 seconds..