[ OK ] Reached target Graphical Interface.
       Starting Update UTMP about System Runlevel Changes...
       Starting Load/Save RF Kill Switch Status...
[ OK ] Started Update UTMP about System Runlevel Changes.
[ OK ] Started Load/Save RF Kill Switch Status.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.0.59' (ECDSA) to the list of known hosts.
2020/08/09 05:23:32 parsed 1 programs
2020/08/09 05:23:32 executed programs: 0

syzkaller login: [ 32.743675] audit: type=1400 audit(1596950612.589:8): avc: denied { execmem } for pid=6368 comm="syz-executor.0" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=1
[ 32.783266] IPVS: ftp: loaded support on port[0] = 21
[ 32.864094] chnl_net:caif_netlink_parms(): no params data found
[ 32.935085] bridge0: port 1(bridge_slave_0) entered blocking state
[ 32.942258] bridge0: port 1(bridge_slave_0) entered disabled state
[ 32.949121] device bridge_slave_0 entered promiscuous mode
[ 32.956470] bridge0: port 2(bridge_slave_1) entered blocking state
[ 32.962899] bridge0: port 2(bridge_slave_1) entered disabled state
[ 32.969705] device bridge_slave_1 entered promiscuous mode
[ 32.985899] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 32.994638] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 33.012499] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 33.019574] team0: Port device team_slave_0 added
[ 33.025222] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 33.032403] team0: Port device team_slave_1 added
[ 33.046629] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 33.052916] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 33.078199] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[ 33.089370] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 33.095973] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 33.121611] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[ 33.132328] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[ 33.139595] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[ 33.158092] device hsr_slave_0 entered promiscuous mode
[ 33.163766] device hsr_slave_1 entered promiscuous mode
[ 33.169580] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready
[ 33.176710] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_1: link is not ready
[ 33.236939] bridge0: port 2(bridge_slave_1) entered blocking state
[ 33.243371] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 33.250159] bridge0: port 1(bridge_slave_0) entered blocking state
[ 33.256558] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 33.285738] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[ 33.292401] 8021q: adding VLAN 0 to HW filter on device bond0
[ 33.299902] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 33.308716] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 33.327165] bridge0: port 1(bridge_slave_0) entered disabled state
[ 33.334171] bridge0: port 2(bridge_slave_1) entered disabled state
[ 33.344476] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready
[ 33.350711] 8021q: adding VLAN 0 to HW filter on device team0
[ 33.358711] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 33.366960] bridge0: port 1(bridge_slave_0) entered blocking state
[ 33.373335] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 33.382872] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 33.390666] bridge0: port 2(bridge_slave_1) entered blocking state
[ 33.397083] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 33.410453] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 33.418327] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 33.429151] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 33.437080] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 33.448077] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 33.456533] IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready
[ 33.462784] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 33.474961] IPv6: ADDRCONF(NETDEV_UP): vxcan0: link is not ready
[ 33.482043] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 33.488644] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 33.498789] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 33.545294] IPv6: ADDRCONF(NETDEV_UP): veth0_virt_wifi: link is not ready
[ 33.555340] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 33.581831] IPv6: ADDRCONF(NETDEV_UP): veth0_vlan: link is not ready
[ 33.588629] IPv6: ADDRCONF(NETDEV_UP): vlan0: link is not ready
[ 33.595279] IPv6: ADDRCONF(NETDEV_UP): vlan1: link is not ready
[ 33.603826] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 33.612189] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 33.618909] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 33.627466] device veth0_vlan entered promiscuous mode
[ 33.635933] device veth1_vlan entered promiscuous mode
[ 33.642025] IPv6: ADDRCONF(NETDEV_UP): macvlan0: link is not ready
[ 33.649892] IPv6: ADDRCONF(NETDEV_UP): macvlan1: link is not ready
[ 33.660404] IPv6: ADDRCONF(NETDEV_UP): veth0_macvtap: link is not ready
[ 33.668936] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan0: link becomes ready
[ 33.676503] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan1: link becomes ready
[ 33.683767] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 33.692711] device veth0_macvtap entered promiscuous mode
[ 33.698635] IPv6: ADDRCONF(NETDEV_UP): macvtap0: link is not ready
[ 33.707269] device veth1_macvtap entered promiscuous mode
[ 33.715672] IPv6: ADDRCONF(NETDEV_UP): veth0_to_batadv: link is not ready
[ 33.724659] IPv6: ADDRCONF(NETDEV_UP): veth1_to_batadv: link is not ready
[ 33.734887] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 33.742087] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 33.750539] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready
[ 33.759504] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 33.766715] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 33.850064] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 36.866624] ==================================================================
[ 36.874099] BUG: KASAN: use-after-free in hci_chan_del+0x131/0x180
[ 36.880414] Read of size 8 at addr ffff8880a9524b58 by task syz-executor.0/6369
[ 36.887828]
[ 36.889432] CPU: 0 PID: 6369 Comm: syz-executor.0 Not tainted 4.14.193-syzkaller #0
[ 36.897198] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 36.906522] Call Trace:
[ 36.909084]  dump_stack+0x1b2/0x283
[ 36.912684]  ? l2cap_conn_del+0x670/0x670
[ 36.916850]  print_address_description.cold+0x54/0x1d3
[ 36.922102]  kasan_report_error.cold+0x8a/0x194
[ 36.926743]  ? hci_chan_del+0x131/0x180
[ 36.930695]  __asan_report_load8_noabort+0x68/0x70
[ 36.935598]  ? hci_chan_del+0x131/0x180
[ 36.939545]  hci_chan_del+0x131/0x180
[ 36.943317]  l2cap_conn_del+0x417/0x670
[ 36.949176]  ? __mutex_unlock_slowpath+0x75/0x770
[ 36.954031]  ? l2cap_conn_del+0x670/0x670
[ 36.958151]  l2cap_disconn_cfm+0x6b/0x80
[ 36.962185]  hci_conn_hash_flush+0x114/0x220
[ 36.966599]  hci_dev_do_close+0x542/0xc50
[ 36.970722]  ? lock_downgrade+0x740/0x740
[ 36.974844]  hci_unregister_dev+0x170/0x7a0
[ 36.979142]  ? fcntl_setlk+0xdb0/0xdb0
[ 36.983003]  ? vhci_close_dev+0x50/0x50
[ 36.986947]  vhci_release+0x70/0xe0
[ 36.990554]  __fput+0x25f/0x7a0
[ 36.993809]  task_work_run+0x11f/0x190
[ 36.997672]  do_exit+0xa08/0x27f0
[ 37.001103]  ? mm_update_next_owner+0x5b0/0x5b0
[ 37.005742]  ? vfs_write+0x319/0x4d0
[ 37.009445]  ? SyS_write+0x14d/0x210
[ 37.013137]  do_group_exit+0x100/0x2e0
[ 37.016996]  SyS_exit_group+0x19/0x20
[ 37.020769]  ? do_group_exit+0x2e0/0x2e0
[ 37.024804]  do_syscall_64+0x1d5/0x640
[ 37.028667]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 37.033827] RIP: 0033:0x45ce69
[ 37.037020] RSP: 002b:00007ffda79059a8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 37.044699] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000045ce69
[ 37.051942] RDX: 00000000004168c1 RSI: 00000000016a85f0 RDI: 0000000000000043
[ 37.059185] RBP: 00000000004c2b1b R08: 000000000000000b R09: 0000000000000000
[ 37.066426] R10: 0000000001732940 R11: 0000000000000246 R12: 0000000000000014
[ 37.073668] R13: 00007ffda7905af0 R14: 0000000000009007 R15: 00007ffda7905b00
[ 37.080915]
[ 37.082517] Allocated by task 1202:
[ 37.086121]  kasan_kmalloc+0xeb/0x160
[ 37.089897]  kmem_cache_alloc_trace+0x131/0x3d0
[ 37.094539]  hci_chan_create+0x7c/0x300
[ 37.098489]  l2cap_conn_add.part.0+0x18/0xc20
[ 37.102952]  l2cap_connect_cfm+0x1d2/0xce0
[ 37.107164]  hci_le_meta_evt+0x3288/0x3fc0
[ 37.111409]  hci_event_packet+0x25a7/0x7c7a
[ 37.115742]  hci_rx_work+0x3e6/0x970
[ 37.119439]  process_one_work+0x793/0x14a0
[ 37.123644]  worker_thread+0x5cc/0xff0
[ 37.127500]  kthread+0x30d/0x420
[ 37.130840]  ret_from_fork+0x24/0x30
[ 37.134521]
[ 37.136130] Freed by task 6605:
[ 37.139382]  kasan_slab_free+0xc3/0x1a0
[ 37.143327]  kfree+0xc9/0x250
[ 37.146405]  hci_event_packet+0xeae/0x7c7a
[ 37.150612]  hci_rx_work+0x3e6/0x970
[ 37.154296]  process_one_work+0x793/0x14a0
[ 37.158501]  worker_thread+0x5cc/0xff0
[ 37.162359]  kthread+0x30d/0x420
[ 37.165734]  ret_from_fork+0x24/0x30
[ 37.169417]
[ 37.171018] The buggy address belongs to the object at ffff8880a9524b40
[ 37.171018]  which belongs to the cache kmalloc-128 of size 128
[ 37.183644] The buggy address is located 24 bytes inside of
[ 37.183644]  128-byte region [ffff8880a9524b40, ffff8880a9524bc0)
[ 37.195402] The buggy address belongs to the page:
[ 37.200302] page:ffffea0002a54900 count:1 mapcount:0 mapping:ffff8880a9524000 index:0x0
[ 37.208416] flags: 0xfffe0000000100(slab)
[ 37.212534] raw: 00fffe0000000100 ffff8880a9524000 0000000000000000 0000000100000015
[ 37.220385] raw: ffffea00026cf960 ffffea00029c4160 ffff88812fe52640 0000000000000000
[ 37.228238] page dumped because: kasan: bad access detected
[ 37.233925]
[ 37.235540] Memory state around the buggy address:
[ 37.240442]  ffff8880a9524a00: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 37.247787]  ffff8880a9524a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 37.255124] >ffff8880a9524b00: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 37.262453]                                                     ^
[ 37.268654]  ffff8880a9524b80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 37.276006]  ffff8880a9524c00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 37.283387] ==================================================================
[ 37.290758] Disabling lock debugging due to kernel taint
[ 37.296346] Bluetooth: hci0 command 0x0409 tx timeout
[ 37.304016] Kernel panic - not syncing: panic_on_warn set ...
[ 37.304016]
[ 37.311388] CPU: 0 PID: 6369 Comm: syz-executor.0 Tainted: G    B   4.14.193-syzkaller #0
[ 37.320379] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 37.329704] Call Trace:
[ 37.332265]  dump_stack+0x1b2/0x283
[ 37.335865]  ? l2cap_conn_del+0x670/0x670
[ 37.339991]  panic+0x1f9/0x42d
[ 37.343196]  ? add_taint.cold+0x16/0x16
[ 37.347142]  ? ___preempt_schedule+0x16/0x18
[ 37.351524]  kasan_end_report+0x43/0x49
[ 37.355469]  kasan_report_error.cold+0xa7/0x194
[ 37.360110]  ? hci_chan_del+0x131/0x180
[ 37.364056]  __asan_report_load8_noabort+0x68/0x70
[ 37.368959]  ? hci_chan_del+0x131/0x180
[ 37.372945]  hci_chan_del+0x131/0x180
[ 37.376716]  l2cap_conn_del+0x417/0x670
[ 37.380669]  ? __mutex_unlock_slowpath+0x75/0x770
[ 37.385485]  ? l2cap_conn_del+0x670/0x670
[ 37.389604]  l2cap_disconn_cfm+0x6b/0x80
[ 37.393639]  hci_conn_hash_flush+0x114/0x220
[ 37.398021]  hci_dev_do_close+0x542/0xc50
[ 37.402183]  ? lock_downgrade+0x740/0x740
[ 37.406304]  hci_unregister_dev+0x170/0x7a0
[ 37.410598]  ? fcntl_setlk+0xdb0/0xdb0
[ 37.414459]  ? vhci_close_dev+0x50/0x50
[ 37.418403]  vhci_release+0x70/0xe0
[ 37.422000]  __fput+0x25f/0x7a0
[ 37.425251]  task_work_run+0x11f/0x190
[ 37.429114]  do_exit+0xa08/0x27f0
[ 37.432543]  ? mm_update_next_owner+0x5b0/0x5b0
[ 37.437179]  ? vfs_write+0x319/0x4d0
[ 37.440867]  ? SyS_write+0x14d/0x210
[ 37.444552]  do_group_exit+0x100/0x2e0
[ 37.448410]  SyS_exit_group+0x19/0x20
[ 37.452179]  ? do_group_exit+0x2e0/0x2e0
[ 37.456210]  do_syscall_64+0x1d5/0x640
[ 37.460071]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 37.465261] RIP: 0033:0x45ce69
[ 37.468423] RSP: 002b:00007ffda79059a8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 37.476108] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000045ce69
[ 37.483470] RDX: 00000000004168c1 RSI: 00000000016a85f0 RDI: 0000000000000043
[ 37.490728] RBP: 00000000004c2b1b R08: 000000000000000b R09: 0000000000000000
[ 37.497972] R10: 0000000001732940 R11: 0000000000000246 R12: 0000000000000014
[ 37.505213] R13: 00007ffda7905af0 R14: 0000000000009007 R15: 00007ffda7905b00
[ 37.513666] Kernel Offset: disabled
[ 37.517279] Rebooting in 86400 seconds..
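A triage helper for the KASAN report above, added here as an example; it is neither part of the syzkaller console output nor syzkaller's own report parser. It pulls the faulting function, the access, the allocating and freeing tasks and their stacks out of the report text and computes what a triager checks first: the access offset inside the slab object, the first non-allocator frame that created and that freed the object, whether three different tasks touched it, and which file release path triggered the read. The REPORT string is an excerpt of the report printed above (boot noise and some frames dropped); the function and constant names are this example's own.

```python
"""Turn a KASAN use-after-free report into a triage summary.

Added example. REPORT is an excerpt of the syzkaller report on this page
(frames trimmed); parse_kasan/summarize/site_of are this example's own names.
"""
import re
from dataclasses import dataclass, field

REPORT = """\
[ 36.874099] BUG: KASAN: use-after-free in hci_chan_del+0x131/0x180
[ 36.880414] Read of size 8 at addr ffff8880a9524b58 by task syz-executor.0/6369
[ 36.887828]
[ 36.889432] CPU: 0 PID: 6369 Comm: syz-executor.0 Not tainted 4.14.193-syzkaller #0
[ 36.906522] Call Trace:
[ 36.909084]  dump_stack+0x1b2/0x283
[ 36.912684]  ? l2cap_conn_del+0x670/0x670
[ 36.916850]  print_address_description.cold+0x54/0x1d3
[ 36.922102]  kasan_report_error.cold+0x8a/0x194
[ 36.930695]  __asan_report_load8_noabort+0x68/0x70
[ 36.939545]  hci_chan_del+0x131/0x180
[ 36.943317]  l2cap_conn_del+0x417/0x670
[ 36.958151]  l2cap_disconn_cfm+0x6b/0x80
[ 36.962185]  hci_conn_hash_flush+0x114/0x220
[ 36.966599]  hci_dev_do_close+0x542/0xc50
[ 36.974844]  hci_unregister_dev+0x170/0x7a0
[ 36.986947]  vhci_release+0x70/0xe0
[ 36.990554]  __fput+0x25f/0x7a0
[ 36.993809]  task_work_run+0x11f/0x190
[ 36.997672]  do_exit+0xa08/0x27f0
[ 37.080915]
[ 37.082517] Allocated by task 1202:
[ 37.086121]  kasan_kmalloc+0xeb/0x160
[ 37.089897]  kmem_cache_alloc_trace+0x131/0x3d0
[ 37.094539]  hci_chan_create+0x7c/0x300
[ 37.098489]  l2cap_conn_add.part.0+0x18/0xc20
[ 37.102952]  l2cap_connect_cfm+0x1d2/0xce0
[ 37.107164]  hci_le_meta_evt+0x3288/0x3fc0
[ 37.111409]  hci_event_packet+0x25a7/0x7c7a
[ 37.115742]  hci_rx_work+0x3e6/0x970
[ 37.134521]
[ 37.136130] Freed by task 6605:
[ 37.139382]  kasan_slab_free+0xc3/0x1a0
[ 37.143327]  kfree+0xc9/0x250
[ 37.146405]  hci_event_packet+0xeae/0x7c7a
[ 37.150612]  hci_rx_work+0x3e6/0x970
[ 37.169417]
[ 37.171018] The buggy address belongs to the object at ffff8880a9524b40
[ 37.171018]  which belongs to the cache kmalloc-128 of size 128
"""

TS = re.compile(r"^\[\s*\d+\.\d+\]")                      # dmesg timestamp prefix
BUG = re.compile(r"BUG: KASAN: (?P<kind>[\w-]+) in (?P<func>[\w.]+)\+0x")
ACCESS = re.compile(r"(?P<rw>Read|Write) of size (?P<size>\d+) at addr "
                    r"(?P<addr>[0-9a-f]+) by task (?P<comm>[^/\s]+)/(?P<pid>\d+)")
ALLOC = re.compile(r"Allocated by task (?P<pid>\d+):")
FREE = re.compile(r"Freed by task (?P<pid>\d+):")
OBJ = re.compile(r"belongs to the object at (?P<obj>[0-9a-f]+)")
CACHE = re.compile(r"belongs to the cache (?P<cache>\S+) of size (?P<size>\d+)")
FRAME = re.compile(r"^(?P<stale>\? )?(?P<sym>[\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+$")

# Frames that belong to the allocator or KASAN itself rather than the subsystem.
ALLOCATOR_PREFIXES = ("kasan_", "kmem_cache_", "kmalloc", "__kmalloc", "kfree", "slab_")


@dataclass
class KasanReport:
    kind: str = ""
    func: str = ""          # function containing the bad access
    rw: str = ""
    size: int = 0
    addr: int = 0
    comm: str = ""
    pid: int = 0            # task that performed the bad access
    alloc_pid: int = 0
    free_pid: int = 0
    obj: int = 0            # start address of the slab object
    cache: str = ""
    obj_size: int = 0
    access_stack: list = field(default_factory=list)
    alloc_stack: list = field(default_factory=list)
    free_stack: list = field(default_factory=list)


def parse_kasan(text: str) -> KasanReport:
    r = KasanReport()
    stack = None                       # stack list currently being filled
    for raw in text.splitlines():
        line = TS.sub("", raw).strip()
        if not line:
            stack = None               # a blank line closes a stack section
            continue
        m = FRAME.match(line)
        if m and stack is not None:
            if not m.group("stale"):   # "? sym" frames are stale guesses; drop them
                stack.append(m.group("sym"))
            continue
        if (m := BUG.search(line)):
            r.kind, r.func = m["kind"], m["func"]
        elif (m := ACCESS.search(line)):
            r.rw, r.size, r.addr = m["rw"], int(m["size"]), int(m["addr"], 16)
            r.comm, r.pid = m["comm"], int(m["pid"])
        elif line == "Call Trace:":
            stack = r.access_stack
        elif (m := ALLOC.search(line)):
            r.alloc_pid, stack = int(m["pid"]), r.alloc_stack
        elif (m := FREE.search(line)):
            r.free_pid, stack = int(m["pid"]), r.free_stack
        elif (m := OBJ.search(line)):
            r.obj = int(m["obj"], 16)
        elif (m := CACHE.search(line)):
            r.cache, r.obj_size = m["cache"], int(m["size"])
    return r


def site_of(stack):
    """First frame that is not allocator/KASAN plumbing: the subsystem call site."""
    return next((s for s in stack if not s.startswith(ALLOCATOR_PREFIXES)), None)


def summarize(r: KasanReport) -> dict:
    offset = r.addr - r.obj
    return {
        "bug": f"{r.kind} {r.rw.lower()} of {r.size} bytes in {r.func}",
        "offset": offset,
        "inside_object": 0 <= offset < r.obj_size,
        "alloc_site": site_of(r.alloc_stack),
        "free_site": site_of(r.free_stack),
        # Three distinct tasks touched the object: an object-lifetime race
        # between contexts, not a double free on one code path.
        "cross_task": len({r.pid, r.alloc_pid, r.free_pid}) == 3,
        # The file-release handler in the access stack is the user-triggerable path.
        "trigger": next((s for s in r.access_stack if s.endswith("_release")), None),
    }


if __name__ == "__main__":
    for key, value in summarize(parse_kasan(REPORT)).items():
        print(f"{key:>14}: {value}")
```

Run against this report the summary says what the raw text makes you hunt for: the 128-byte object was created by hci_chan_create from the LE meta event handler on the hci_rx_work worker (task 1202), freed from hci_event_packet on another worker invocation (task 6605), and then read at offset 24 by hci_chan_del while a third task (6369) tore the device down from vhci_release at process exit. "?"-prefixed frames are dropped on purpose: the unwinder prints them for stack slots that merely look like return addresses, so they must not be used to reason about the call path.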