Warning: Permanently added '10.128.0.174' (ECDSA) to the list of known hosts.
2020/08/03 19:12:15 parsed 1 programs
2020/08/03 19:12:16 executed programs: 0
syzkaller login: [ 1045.035976] audit: type=1400 audit(1596481936.190:8): avc: denied { execmem } for pid=6378 comm="syz-executor.0" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=1
[ 1045.281976] IPVS: ftp: loaded support on port[0] = 21
[ 1046.162486] chnl_net:caif_netlink_parms(): no params data found
[ 1046.240127] bridge0: port 1(bridge_slave_0) entered blocking state
[ 1046.247311] bridge0: port 1(bridge_slave_0) entered disabled state
[ 1046.254893] device bridge_slave_0 entered promiscuous mode
[ 1046.262869] bridge0: port 2(bridge_slave_1) entered blocking state
[ 1046.269215] bridge0: port 2(bridge_slave_1) entered disabled state
[ 1046.276554] device bridge_slave_1 entered promiscuous mode
[ 1046.293058] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 1046.302024] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 1046.318981] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 1046.326820] team0: Port device team_slave_0 added
[ 1046.332650] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 1046.339677] team0: Port device team_slave_1 added
[ 1046.354633] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 1046.361630] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 1046.386925] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[ 1046.398231] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 1046.404545] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 1046.429744] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[ 1046.440455] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[ 1046.447971] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[ 1046.513552] device hsr_slave_0 entered promiscuous mode
[ 1046.561046] device hsr_slave_1 entered promiscuous mode
[ 1046.621592] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready
[ 1046.628568] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_1: link is not ready
[ 1046.687894] bridge0: port 2(bridge_slave_1) entered blocking state
[ 1046.694359] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 1046.701221] bridge0: port 1(bridge_slave_0) entered blocking state
[ 1046.707581] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 1046.736207] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[ 1046.742954] 8021q: adding VLAN 0 to HW filter on device bond0
[ 1046.750436] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 1046.760003] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 1046.778670] bridge0: port 1(bridge_slave_0) entered disabled state
[ 1046.785775] bridge0: port 2(bridge_slave_1) entered disabled state
[ 1046.796264] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready
[ 1046.802425] 8021q: adding VLAN 0 to HW filter on device team0
[ 1046.810482] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 1046.818876] bridge0: port 1(bridge_slave_0) entered blocking state
[ 1046.825257] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 1046.834759] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 1046.842362] bridge0: port 2(bridge_slave_1) entered blocking state
[ 1046.848681] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 1046.867192] hsr0: Slave A (hsr_slave_0) is not up; please bring it up to get a fully working HSR network
[ 1046.877029] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
[ 1046.888351] IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready
[ 1046.895534] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 1046.903390] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 1046.911646] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 1046.919281] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 1046.927492] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 1046.934606] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 1046.947584] IPv6: ADDRCONF(NETDEV_UP): vxcan0: link is not ready
[ 1046.954829] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 1046.962148] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 1046.973239] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 1047.023684] IPv6: ADDRCONF(NETDEV_UP): veth0_virt_wifi: link is not ready
[ 1047.033819] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 1047.063254] IPv6: ADDRCONF(NETDEV_UP): veth0_vlan: link is not ready
[ 1047.070192] IPv6: ADDRCONF(NETDEV_UP): vlan0: link is not ready
[ 1047.078024] IPv6: ADDRCONF(NETDEV_UP): vlan1: link is not ready
[ 1047.087851] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 1047.095595] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 1047.103077] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 1047.112425] device veth0_vlan entered promiscuous mode
[ 1047.120776] device veth1_vlan entered promiscuous mode
[ 1047.126641] IPv6: ADDRCONF(NETDEV_UP): macvlan0: link is not ready
[ 1047.135522] IPv6: ADDRCONF(NETDEV_UP): macvlan1: link is not ready
[ 1047.146762] IPv6: ADDRCONF(NETDEV_UP): veth0_macvtap: link is not ready
[ 1047.154248] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 1047.161379] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan0: link becomes ready
[ 1047.168421] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan1: link becomes ready
[ 1047.188296] IPv6: ADDRCONF(NETDEV_UP): veth1_macvtap: link is not ready
[ 1047.195530] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_macvtap: link becomes ready
[ 1047.204452] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 1047.213827] device veth0_macvtap entered promiscuous mode
[ 1047.219782] IPv6: ADDRCONF(NETDEV_UP): macvtap0: link is not ready
[ 1047.227642] device veth1_macvtap entered promiscuous mode
[ 1047.234002] IPv6: ADDRCONF(NETDEV_UP): macsec0: link is not ready
[ 1047.242773] IPv6: ADDRCONF(NETDEV_UP): veth0_to_batadv: link is not ready
[ 1047.252120] IPv6: ADDRCONF(NETDEV_UP): veth1_to_batadv: link is not ready
[ 1047.260842] IPv6: ADDRCONF(NETDEV_UP): batadv_slave_0: link is not ready
[ 1047.268071] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 1047.275191] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready
[ 1047.282476] IPv6: ADDRCONF(NETDEV_CHANGE): macsec0: link becomes ready
[ 1047.289408] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready
[ 1047.297446] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 1047.307079] IPv6: ADDRCONF(NETDEV_UP): batadv_slave_1: link is not ready
[ 1047.314063] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 1047.321504] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready
[ 1047.329120] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
2020/08/03 19:12:21 executed programs: 35
[ 1050.501064] Bluetooth: hci0 command 0x0409 tx timeout
[ 1052.580602] Bluetooth: hci0 command 0x041b tx timeout
[ 1054.659885] Bluetooth: hci0 command 0x040f tx timeout
2020/08/03 19:12:26 executed programs: 419
[ 1056.739773] Bluetooth: hci0 command 0x0419 tx timeout
2020/08/03 19:12:31 executed programs: 789
2020/08/03 19:12:36 executed programs: 1184
2020/08/03 19:12:41 executed programs: 1570
2020/08/03 19:12:46 executed programs: 2224
2020/08/03 19:12:51 executed programs: 2990
2020/08/03 19:12:56 executed programs: 3762
2020/08/03 19:13:01 executed programs: 4532
2020/08/03 19:13:06 executed programs: 5306
2020/08/03 19:13:11 executed programs: 6083
2020/08/03 19:13:16 executed programs: 6852
2020/08/03 19:13:21 executed programs: 7623
2020/08/03 19:13:26 executed programs: 8388
2020/08/03 19:13:31 executed programs: 9154
2020/08/03 19:13:36 executed programs: 9916
2020/08/03 19:13:41 executed programs: 10671
2020/08/03 19:13:46 executed programs: 11437
[ 1138.262673] NOHZ: local_softirq_pending 08
2020/08/03 19:13:51 executed programs: 12195
2020/08/03 19:13:56 executed programs: 12941
2020/08/03 19:14:01 executed programs: 13688
2020/08/03 19:14:06 executed programs: 14442
2020/08/03 19:14:11 executed programs: 15187
2020/08/03 19:14:16 executed programs: 15920
2020/08/03 19:14:21 executed programs: 16666
[ 1172.327971] Bluetooth: hci0 command 0x0406 tx timeout
2020/08/03 19:14:26 executed programs: 17381
2020/08/03 19:14:31 executed programs: 18139
2020/08/03 19:14:36 executed programs: 18897
2020/08/03 19:14:41 executed programs: 19647
2020/08/03 19:14:46 executed programs: 20387
[ 1199.686799] NOHZ: local_softirq_pending 08
[ 1199.692751] NOHZ: local_softirq_pending 08
2020/08/03 19:14:51 executed programs: 21121
2020/08/03 19:14:56 executed programs: 21844
2020/08/03 19:15:01 executed programs: 22556
2020/08/03 19:15:06 executed programs: 23279
2020/08/03 19:15:11 executed programs: 23988
[ 1220.164286] NOHZ: local_softirq_pending 08
[ 1220.170541] NOHZ: local_softirq_pending 08
2020/08/03 19:15:16 executed programs: 24722
2020/08/03 19:15:21 executed programs: 25446
2020/08/03 19:15:26 executed programs: 26145
2020/08/03 19:15:31 executed programs: 26885
[ 1240.643187] NOHZ: local_softirq_pending 08
[ 1240.649187] NOHZ: local_softirq_pending 08
2020/08/03 19:15:36 executed programs: 27611
[ 1246.805452] random: crng init done
[ 1246.809376] random: 7 urandom warning(s) missed due to ratelimiting
2020/08/03 19:15:41 executed programs: 28322
2020/08/03 19:15:46 executed programs: 29019
[ 1257.341256] ==================================================================
[ 1257.348735] BUG: KASAN: use-after-free in hci_chan_del+0x131/0x180
[ 1257.355030] Read of size 8 at addr ffff8880a96dae58 by task syz-executor.0/6379
[ 1257.362446]
[ 1257.364048] CPU: 0 PID: 6379 Comm: syz-executor.0 Not tainted 4.14.191-syzkaller #0
[ 1257.371813] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 1257.381142] Call Trace:
[ 1257.383752] dump_stack+0x1b2/0x283
[ 1257.387381] ? l2cap_conn_del+0x670/0x670
[ 1257.391558] print_address_description.cold+0x54/0x1d3
[ 1257.396810] kasan_report_error.cold+0x8a/0x194
[ 1257.401543] ? hci_chan_del+0x131/0x180
[ 1257.405489] __asan_report_load8_noabort+0x68/0x70
[ 1257.410406] ? hci_chan_del+0x131/0x180
[ 1257.414361] hci_chan_del+0x131/0x180
[ 1257.418149] l2cap_conn_del+0x417/0x670
[ 1257.422155] ? __mutex_unlock_slowpath+0x75/0x770
[ 1257.426972] ? l2cap_conn_del+0x670/0x670
[ 1257.431094] l2cap_disconn_cfm+0x6b/0x80
[ 1257.435136] hci_conn_hash_flush+0x114/0x220
[ 1257.439520] hci_dev_do_close+0x542/0xc50
[ 1257.443758] ? lock_downgrade+0x740/0x740
[ 1257.447883] hci_unregister_dev+0x170/0x7a0
[ 1257.452289] ? fcntl_setlk+0xdb0/0xdb0
[ 1257.457661] ? vhci_close_dev+0x50/0x50
[ 1257.461618] vhci_release+0x70/0xe0
[ 1257.465261] __fput+0x25f/0x7a0
[ 1257.468567] task_work_run+0x11f/0x190
[ 1257.472470] do_exit+0xa08/0x27f0
[ 1257.475900] ? mm_update_next_owner+0x5b0/0x5b0
[ 1257.480542] ? vfs_write+0x319/0x4d0
[ 1257.484229] ? SyS_write+0x14d/0x210
[ 1257.487913] do_group_exit+0x100/0x2e0
[ 1257.491826] SyS_exit_group+0x19/0x20
[ 1257.495636] ? do_group_exit+0x2e0/0x2e0
[ 1257.499670] do_syscall_64+0x1d5/0x640
[ 1257.503535] entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 1257.508697] RIP: 0033:0x45cc79
[ 1257.511860] RSP: 002b:00007ffc099f4ce8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 1257.519552] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000045cc79
[ 1257.526839] RDX: 00000000004166d1 RSI: 0000000000ca85f0 RDI: 0000000000000043
[ 1257.534085] RBP: 00000000004c2903 R08: 000000000000000b R09: 0000000000000000
[ 1257.541332] R10: 00000000016f6940 R11: 0000000000000246 R12: 0000000000000002
[ 1257.548576] R13: 00007ffc099f4e30 R14: 0000000000132fbf R15: 00007ffc099f4e40
[ 1257.555828]
[ 1257.557516] Allocated by task 6379:
[ 1257.561119] kasan_kmalloc+0xeb/0x160
[ 1257.564930] kmem_cache_alloc_trace+0x131/0x3d0
[ 1257.569654] sock_alloc_inode+0x5f/0x250
[ 1257.573826] alloc_inode+0x5d/0x170
[ 1257.577457] new_inode_pseudo+0x14/0xe0
[ 1257.581412] sock_alloc+0x3c/0x270
[ 1257.584924] __sock_create+0x8a/0x620
[ 1257.588733] SyS_socket+0xd1/0x1b0
[ 1257.592245] do_syscall_64+0x1d5/0x640
[ 1257.596157] entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 1257.601314]
[ 1257.602912] Freed by task 0:
[ 1257.605903] kasan_slab_free+0xc3/0x1a0
[ 1257.609861] kfree+0xc9/0x250
[ 1257.612981] rcu_process_callbacks+0x88b/0x1180
[ 1257.617645] __do_softirq+0x254/0xa1d
[ 1257.621413]
[ 1257.623014] The buggy address belongs to the object at ffff8880a96dae40
[ 1257.623014] which belongs to the cache kmalloc-128 of size 128
[ 1257.635640] The buggy address is located 24 bytes inside of
[ 1257.635640] 128-byte region [ffff8880a96dae40, ffff8880a96daec0)
[ 1257.647398] The buggy address belongs to the page:
[ 1257.652300] page:ffffea0002a5b680 count:1 mapcount:0 mapping:ffff8880a96da000 index:0x0
[ 1257.660414] flags: 0xfffe0000000100(slab)
[ 1257.664533] raw: 00fffe0000000100 ffff8880a96da000 0000000000000000 0000000100000015
[ 1257.672385] raw: ffffea000277dee0 ffffea000275c4a0 ffff88812fe52640 0000000000000000
[ 1257.680255] page dumped because: kasan: bad access detected
[ 1257.685932]
[ 1257.687530] Memory state around the buggy address:
[ 1257.692433] ffff8880a96dad00: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 1257.699776] ffff8880a96dad80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1257.707105] >ffff8880a96dae00: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 1257.714448]                                                                 ^
[ 1257.720662] ffff8880a96dae80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 1257.727990] ffff8880a96daf00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1257.735336] ==================================================================
[ 1257.742751] Disabling lock debugging due to kernel taint
[ 1257.752153] Kernel panic - not syncing: panic_on_warn set ...
[ 1257.752153]
[ 1257.759525] CPU: 1 PID: 6379 Comm: syz-executor.0 Tainted: G B 4.14.191-syzkaller #0
[ 1257.768521] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 1257.777856] Call Trace:
[ 1257.780428] dump_stack+0x1b2/0x283
[ 1257.784086] ? l2cap_conn_del+0x670/0x670
[ 1257.788204] panic+0x1f9/0x42d
[ 1257.791377] ? add_taint.cold+0x16/0x16
[ 1257.795337] ? ___preempt_schedule+0x16/0x18
[ 1257.799721] kasan_end_report+0x43/0x49
[ 1257.803693] kasan_report_error.cold+0xa7/0x194
[ 1257.808333] ? hci_chan_del+0x131/0x180
[ 1257.812284] __asan_report_load8_noabort+0x68/0x70
[ 1257.817199] ? hci_chan_del+0x131/0x180
[ 1257.821840] hci_chan_del+0x131/0x180
[ 1257.825612] l2cap_conn_del+0x417/0x670
[ 1257.829556] ? __mutex_unlock_slowpath+0x75/0x770
[ 1257.834368] ? l2cap_conn_del+0x670/0x670
[ 1257.838484] l2cap_disconn_cfm+0x6b/0x80
[ 1257.842516] hci_conn_hash_flush+0x114/0x220
[ 1257.846903] hci_dev_do_close+0x542/0xc50
[ 1257.851022] ? lock_downgrade+0x740/0x740
[ 1257.855140] hci_unregister_dev+0x170/0x7a0
[ 1257.859431] ? fcntl_setlk+0xdb0/0xdb0
[ 1257.863292] ? vhci_close_dev+0x50/0x50
[ 1257.867253] vhci_release+0x70/0xe0
[ 1257.870865] __fput+0x25f/0x7a0
[ 1257.874129] task_work_run+0x11f/0x190
[ 1257.877987] do_exit+0xa08/0x27f0
[ 1257.881418] ? mm_update_next_owner+0x5b0/0x5b0
[ 1257.886057] ? vfs_write+0x319/0x4d0
[ 1257.889742] ? SyS_write+0x14d/0x210
[ 1257.893426] do_group_exit+0x100/0x2e0
[ 1257.897282] SyS_exit_group+0x19/0x20
[ 1257.901053] ? do_group_exit+0x2e0/0x2e0
[ 1257.905083] do_syscall_64+0x1d5/0x640
[ 1257.908949] entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 1257.914118] RIP: 0033:0x45cc79
[ 1257.917278] RSP: 002b:00007ffc099f4ce8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 1257.924957] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000045cc79
[ 1257.932289] RDX: 00000000004166d1 RSI: 0000000000ca85f0 RDI: 0000000000000043
[ 1257.939540] RBP: 00000000004c2903 R08: 000000000000000b R09: 0000000000000000
[ 1257.946782] R10: 00000000016f6940 R11: 0000000000000246 R12: 0000000000000002
[ 1257.954041] R13: 00007ffc099f4e30 R14: 0000000000132fbf R15: 00007ffc099f4e40
[ 1257.964955] Kernel Offset: disabled
[ 1257.968570] Rebooting in 86400 seconds..