         Starting Update UTMP about System Runlevel Changes...
[  OK  ] Listening on Load/Save RF Kill Switch Status /dev/rfkill Watch.
         Starting Load/Save RF Kill Switch Status...
[  OK  ] Started Update UTMP about System Runlevel Changes.
[  OK  ] Started Load/Save RF Kill Switch Status.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.1.32' (ECDSA) to the list of known hosts.
2020/08/04 08:31:11 parsed 1 programs
2020/08/04 08:31:11 executed programs: 0
syzkaller login: [ 1050.170479] audit: type=1400 audit(1596529871.313:8): avc:  denied  { execmem } for  pid=6366 comm="syz-executor.0" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=1
[ 1050.420976] IPVS: ftp: loaded support on port[0] = 21
[ 1051.252096] chnl_net:caif_netlink_parms(): no params data found
[ 1051.327594] bridge0: port 1(bridge_slave_0) entered blocking state
[ 1051.334547] bridge0: port 1(bridge_slave_0) entered disabled state
[ 1051.341962] device bridge_slave_0 entered promiscuous mode
[ 1051.348593] bridge0: port 2(bridge_slave_1) entered blocking state
[ 1051.355565] bridge0: port 2(bridge_slave_1) entered disabled state
[ 1051.362536] device bridge_slave_1 entered promiscuous mode
[ 1051.378407] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 1051.386843] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 1051.403544] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 1051.410655] team0: Port device team_slave_0 added
[ 1051.415913] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 1051.423238] team0: Port device team_slave_1 added
[ 1051.437540] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 1051.443807] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 1051.469712] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[ 1051.480780] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 1051.486990] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 1051.512335] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[ 1051.522813] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[ 1051.530319] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[ 1051.582097] device hsr_slave_0 entered promiscuous mode
[ 1051.629747] device hsr_slave_1 entered promiscuous mode
[ 1051.670012] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready
[ 1051.676856] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_1: link is not ready
[ 1051.735759] bridge0: port 2(bridge_slave_1) entered blocking state
[ 1051.742206] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 1051.748858] bridge0: port 1(bridge_slave_0) entered blocking state
[ 1051.755257] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 1051.782270] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[ 1051.788418] 8021q: adding VLAN 0 to HW filter on device bond0
[ 1051.797721] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 1051.806251] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 1051.825137] bridge0: port 1(bridge_slave_0) entered disabled state
[ 1051.832072] bridge0: port 2(bridge_slave_1) entered disabled state
[ 1051.841873] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready
[ 1051.847926] 8021q: adding VLAN 0 to HW filter on device team0
[ 1051.856237] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 1051.864183] bridge0: port 1(bridge_slave_0) entered blocking state
[ 1051.870552] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 1051.878948] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 1051.886827] bridge0: port 2(bridge_slave_1) entered blocking state
[ 1051.893190] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 1051.906313] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 1051.914377] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 1051.923658] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 1051.936064] hsr0: Slave A (hsr_slave_0) is not up; please bring it up to get a fully working HSR network
[ 1051.946299] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
[ 1051.957032] IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready
[ 1051.963918] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 1051.971357] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 1051.978848] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 1051.989683] IPv6: ADDRCONF(NETDEV_UP): vxcan0: link is not ready
[ 1051.998988] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 1052.005704] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 1052.013546] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 1052.055011] IPv6: ADDRCONF(NETDEV_UP): veth0_virt_wifi: link is not ready
[ 1052.065791] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 1052.091088] IPv6: ADDRCONF(NETDEV_UP): veth0_vlan: link is not ready
[ 1052.098037] IPv6: ADDRCONF(NETDEV_UP): vlan0: link is not ready
[ 1052.105587] IPv6: ADDRCONF(NETDEV_UP): vlan1: link is not ready
[ 1052.114347] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 1052.121824] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 1052.128592] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 1052.137364] device veth0_vlan entered promiscuous mode
[ 1052.146250] device veth1_vlan entered promiscuous mode
[ 1052.152962] IPv6: ADDRCONF(NETDEV_UP): macvlan0: link is not ready
[ 1052.162659] IPv6: ADDRCONF(NETDEV_UP): macvlan1: link is not ready
[ 1052.173234] IPv6: ADDRCONF(NETDEV_UP): veth0_macvtap: link is not ready
[ 1052.182146] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan0: link becomes ready
[ 1052.189216] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan1: link becomes ready
[ 1052.197098] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 1052.205941] device veth0_macvtap entered promiscuous mode
[ 1052.212329] IPv6: ADDRCONF(NETDEV_UP): macvtap0: link is not ready
[ 1052.220527] device veth1_macvtap entered promiscuous mode
[ 1052.228276] IPv6: ADDRCONF(NETDEV_UP): veth0_to_batadv: link is not ready
[ 1052.237736] IPv6: ADDRCONF(NETDEV_UP): veth1_to_batadv: link is not ready
[ 1052.245693] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 1052.253022] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready
[ 1052.262198] IPv6: ADDRCONF(NETDEV_UP): batadv_slave_0: link is not ready
[ 1052.269212] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 1052.275891] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready
[ 1052.283583] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 1052.293788] IPv6: ADDRCONF(NETDEV_UP): batadv_slave_1: link is not ready
[ 1052.301071] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 1052.307574] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready
[ 1052.315465] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
2020/08/04 08:31:16 executed programs: 74
[ 1055.490435] Bluetooth: hci0 command 0x0409 tx timeout
[ 1057.569223] Bluetooth: hci0 command 0x041b tx timeout
[ 1059.648684] Bluetooth: hci0 command 0x040f tx timeout
2020/08/04 08:31:21 executed programs: 475
[ 1061.738466] Bluetooth: hci0 command 0x0419 tx timeout
2020/08/04 08:31:26 executed programs: 977
2020/08/04 08:31:31 executed programs: 1772
2020/08/04 08:31:36 executed programs: 2564
2020/08/04 08:31:41 executed programs: 3360
2020/08/04 08:31:46 executed programs: 4148
2020/08/04 08:31:51 executed programs: 4933
2020/08/04 08:31:56 executed programs: 5703
2020/08/04 08:32:01 executed programs: 6475
2020/08/04 08:32:06 executed programs: 7258
2020/08/04 08:32:11 executed programs: 8048
2020/08/04 08:32:16 executed programs: 8834
2020/08/04 08:32:21 executed programs: 9630
2020/08/04 08:32:26 executed programs: 10418
2020/08/04 08:32:31 executed programs: 11214
2020/08/04 08:32:36 executed programs: 12001
2020/08/04 08:32:41 executed programs: 12787
2020/08/04 08:32:46 executed programs: 13581
2020/08/04 08:32:51 executed programs: 14345
2020/08/04 08:32:56 executed programs: 15142
2020/08/04 08:33:01 executed programs: 15940
2020/08/04 08:33:06 executed programs: 16734
2020/08/04 08:33:11 executed programs: 17500
2020/08/04 08:33:16 executed programs: 18263
[ 1177.477312] Bluetooth: hci0 command 0x0406 tx timeout
2020/08/04 08:33:21 executed programs: 19026
2020/08/04 08:33:26 executed programs: 19805
2020/08/04 08:33:31 executed programs: 20582
2020/08/04 08:33:36 executed programs: 21347
2020/08/04 08:33:41 executed programs: 22129
2020/08/04 08:33:46 executed programs: 22907
2020/08/04 08:33:51 executed programs: 23669
2020/08/04 08:33:56 executed programs: 24462
2020/08/04 08:34:01 executed programs: 25232
2020/08/04 08:34:06 executed programs: 26008
[ 1225.314357] NOHZ: local_softirq_pending 08
2020/08/04 08:34:11 executed programs: 26771
2020/08/04 08:34:16 executed programs: 27543
2020/08/04 08:34:21 executed programs: 28306
2020/08/04 08:34:26 executed programs: 29090
2020/08/04 08:34:31 executed programs: 29862
2020/08/04 08:34:36 executed programs: 30622
2020/08/04 08:34:41 executed programs: 31377
2020/08/04 08:34:46 executed programs: 32137
2020/08/04 08:34:51 executed programs: 32879
[ 1270.364431] random: crng init done
[ 1270.367991] random: 7 urandom warning(s) missed due to ratelimiting
2020/08/04 08:34:56 executed programs: 33656
2020/08/04 08:35:01 executed programs: 34402
[ 1280.899764] ==================================================================
[ 1280.907257] BUG: KASAN: use-after-free in hci_chan_del+0x131/0x180
[ 1280.913563] Read of size 8 at addr ffff8880a8fd50d8 by task syz-executor.0/6367
[ 1280.920977]
[ 1280.922577] CPU: 0 PID: 6367 Comm: syz-executor.0 Not tainted 4.14.191-syzkaller #0
[ 1280.930335] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 1280.939660] Call Trace:
[ 1280.942287]  dump_stack+0x1b2/0x283
[ 1280.945910]  ? l2cap_conn_del+0x670/0x670
[ 1280.950083]  print_address_description.cold+0x54/0x1d3
[ 1280.955333]  kasan_report_error.cold+0x8a/0x194
[ 1280.959977]  ? hci_chan_del+0x131/0x180
[ 1280.963922]  __asan_report_load8_noabort+0x68/0x70
[ 1280.968857]  ? hci_chan_del+0x131/0x180
[ 1280.972802]  hci_chan_del+0x131/0x180
[ 1280.976573]  l2cap_conn_del+0x417/0x670
[ 1280.980548]  ? __mutex_unlock_slowpath+0x75/0x770
[ 1280.985362]  ? l2cap_conn_del+0x670/0x670
[ 1280.989481]  l2cap_disconn_cfm+0x6b/0x80
[ 1280.993520]  hci_conn_hash_flush+0x114/0x220
[ 1280.997901]  hci_dev_do_close+0x542/0xc50
[ 1281.002097]  ? lock_downgrade+0x740/0x740
[ 1281.006219]  hci_unregister_dev+0x170/0x7a0
[ 1281.010622]  ? fcntl_setlk+0xdb0/0xdb0
[ 1281.014531]  ? vhci_close_dev+0x50/0x50
[ 1281.018476]  vhci_release+0x70/0xe0
[ 1281.022092]  __fput+0x25f/0x7a0
[ 1281.025390]  task_work_run+0x11f/0x190
[ 1281.029281]  do_exit+0xa08/0x27f0
[ 1281.032709]  ? mm_update_next_owner+0x5b0/0x5b0
[ 1281.037463]  ? vfs_write+0x319/0x4d0
[ 1281.041149]  ? SyS_write+0x14d/0x210
[ 1281.044834]  do_group_exit+0x100/0x2e0
[ 1281.048695]  SyS_exit_group+0x19/0x20
[ 1281.052468]  ? do_group_exit+0x2e0/0x2e0
[ 1281.056553]  do_syscall_64+0x1d5/0x640
[ 1281.060419]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 1281.065582] RIP: 0033:0x45cc79
[ 1281.068742] RSP: 002b:00007ffc893c9a88 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 1281.076418] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000045cc79
[ 1281.083656] RDX: 00000000004166d1 RSI: 0000000000ca85f0 RDI: 0000000000000043
[ 1281.090915] RBP: 00000000004c2903 R08: 000000000000000b R09: 0000000000000000
[ 1281.098156] R10: 0000000001acd940 R11: 0000000000000246 R12: 0000000000000002
[ 1281.105398] R13: 00007ffc893c9bd0 R14: 0000000000138bbd R15: 00007ffc893c9be0
[ 1281.112647]
[ 1281.114245] Allocated by task 10670:
[ 1281.117928]  kasan_kmalloc+0xeb/0x160
[ 1281.121717]  kmem_cache_alloc_trace+0x131/0x3d0
[ 1281.126407]  sock_alloc_inode+0x5f/0x250
[ 1281.130446]  alloc_inode+0x5d/0x170
[ 1281.134077]  new_inode_pseudo+0x14/0xe0
[ 1281.138022]  sock_alloc+0x3c/0x270
[ 1281.141533]  __sock_create+0x8a/0x620
[ 1281.145320]  SyS_socket+0xd1/0x1b0
[ 1281.148942]  do_syscall_64+0x1d5/0x640
[ 1281.152803]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 1281.157958]
[ 1281.159559] Freed by task 6367:
[ 1281.162813]  kasan_slab_free+0xc3/0x1a0
[ 1281.166754]  kfree+0xc9/0x250
[ 1281.169868]  rcu_process_callbacks+0x88b/0x1180
[ 1281.174526]  __do_softirq+0x254/0xa1d
[ 1281.178293]
[ 1281.179894] The buggy address belongs to the object at ffff8880a8fd50c0
[ 1281.179894]  which belongs to the cache kmalloc-128 of size 128
[ 1281.192641] The buggy address is located 24 bytes inside of
[ 1281.192641]  128-byte region [ffff8880a8fd50c0, ffff8880a8fd5140)
[ 1281.204396] The buggy address belongs to the page:
[ 1281.209301] page:ffffea0002a3f540 count:1 mapcount:0 mapping:ffff8880a8fd5000 index:0x0
[ 1281.217802] flags: 0xfffe0000000100(slab)
[ 1281.221926] raw: 00fffe0000000100 ffff8880a8fd5000 0000000000000000 0000000100000015
[ 1281.229779] raw: ffffea0002a66e20 ffffea0002719160 ffff88812fe52640 0000000000000000
[ 1281.237627] page dumped because: kasan: bad access detected
[ 1281.243306]
[ 1281.244902] Memory state around the buggy address:
[ 1281.249802]  ffff8880a8fd4f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 1281.257130]  ffff8880a8fd5000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1281.264457] >ffff8880a8fd5080: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 1281.271802]                                                     ^
[ 1281.278001]  ffff8880a8fd5100: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 1281.285327]  ffff8880a8fd5180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1281.292672] ==================================================================
[ 1281.300006] Disabling lock debugging due to kernel taint
[ 1281.305948] Kernel panic - not syncing: panic_on_warn set ...
[ 1281.305948]
[ 1281.313306] CPU: 0 PID: 6367 Comm: syz-executor.0 Tainted: G    B 4.14.191-syzkaller #0
[ 1281.322295] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 1281.331626] Call Trace:
[ 1281.334190]  dump_stack+0x1b2/0x283
[ 1281.337787]  ? l2cap_conn_del+0x670/0x670
[ 1281.341909]  panic+0x1f9/0x42d
[ 1281.345071]  ? add_taint.cold+0x16/0x16
[ 1281.349016]  ? ___preempt_schedule+0x16/0x18
[ 1281.353398]  kasan_end_report+0x43/0x49
[ 1281.357347]  kasan_report_error.cold+0xa7/0x194
[ 1281.361988]  ? hci_chan_del+0x131/0x180
[ 1281.365945]  __asan_report_load8_noabort+0x68/0x70
[ 1281.370845]  ? hci_chan_del+0x131/0x180
[ 1281.374790]  hci_chan_del+0x131/0x180
[ 1281.378566]  l2cap_conn_del+0x417/0x670
[ 1281.382512]  ? __mutex_unlock_slowpath+0x75/0x770
[ 1281.387320]  ? l2cap_conn_del+0x670/0x670
[ 1281.391440]  l2cap_disconn_cfm+0x6b/0x80
[ 1281.395472]  hci_conn_hash_flush+0x114/0x220
[ 1281.399852]  hci_dev_do_close+0x542/0xc50
[ 1281.403967]  ? lock_downgrade+0x740/0x740
[ 1281.408084]  hci_unregister_dev+0x170/0x7a0
[ 1281.412388]  ? fcntl_setlk+0xdb0/0xdb0
[ 1281.416253]  ? vhci_close_dev+0x50/0x50
[ 1281.420195]  vhci_release+0x70/0xe0
[ 1281.423790]  __fput+0x25f/0x7a0
[ 1281.427042]  task_work_run+0x11f/0x190
[ 1281.430906]  do_exit+0xa08/0x27f0
[ 1281.434333]  ? mm_update_next_owner+0x5b0/0x5b0
[ 1281.438970]  ? vfs_write+0x319/0x4d0
[ 1281.442652]  ? SyS_write+0x14d/0x210
[ 1281.446333]  do_group_exit+0x100/0x2e0
[ 1281.450188]  SyS_exit_group+0x19/0x20
[ 1281.453956]  ? do_group_exit+0x2e0/0x2e0
[ 1281.457984]  do_syscall_64+0x1d5/0x640
[ 1281.461842]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 1281.466999] RIP: 0033:0x45cc79
[ 1281.470159] RSP: 002b:00007ffc893c9a88 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 1281.477836] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000045cc79
[ 1281.485074] RDX: 00000000004166d1 RSI: 0000000000ca85f0 RDI: 0000000000000043
[ 1281.492311] RBP: 00000000004c2903 R08: 000000000000000b R09: 0000000000000000
[ 1281.499551] R10: 0000000001acd940 R11: 0000000000000246 R12: 0000000000000002
[ 1281.506790] R13: 00007ffc893c9bd0 R14: 0000000000138bbd R15: 00007ffc893c9be0
[ 1281.515792] Kernel Offset: disabled
[ 1281.519412] Rebooting in 86400 seconds..
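The report above carries everything a triager needs in a fixed layout: the title line (bug class and faulting function), the access line (read or write, size, address, task), the faulting call trace, the allocation and free stacks for the slab object, and the object's base address and cache. Read together they say that hci_chan_del, running from vhci_release on process exit, loaded 8 bytes at offset 24 into a 128-byte kmalloc-128 object whose last allocation came from sock_alloc_inode and whose free ran as kfree inside an RCU callback (rcu_process_callbacks), so the pointer hci_chan_del followed referred to memory that had already been released. The Python below is an added example, not part of the syzkaller log or of syzbot's tooling, that pulls those facts out of raw console output and skips the KASAN and allocator frames to find the first frame worth looking at. It assumes the "[ seconds.usec] " console prefix and the KASAN line formats seen on this page; the sample input is a constructed, abridged excerpt of the report above.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed, abridged excerpt of the KASAN report above (console prefixes kept).
SAMPLE_LOG = """\
[ 1280.907257] BUG: KASAN: use-after-free in hci_chan_del+0x131/0x180
[ 1280.913563] Read of size 8 at addr ffff8880a8fd50d8 by task syz-executor.0/6367
[ 1280.939660] Call Trace:
[ 1280.942287]  dump_stack+0x1b2/0x283
[ 1280.945910]  ? l2cap_conn_del+0x670/0x670
[ 1280.950083]  print_address_description.cold+0x54/0x1d3
[ 1280.963922]  __asan_report_load8_noabort+0x68/0x70
[ 1280.972802]  hci_chan_del+0x131/0x180
[ 1280.976573]  l2cap_conn_del+0x417/0x670
[ 1281.114245] Allocated by task 10670:
[ 1281.117928]  kasan_kmalloc+0xeb/0x160
[ 1281.121717]  kmem_cache_alloc_trace+0x131/0x3d0
[ 1281.126407]  sock_alloc_inode+0x5f/0x250
[ 1281.159559] Freed by task 6367:
[ 1281.162813]  kasan_slab_free+0xc3/0x1a0
[ 1281.166754]  kfree+0xc9/0x250
[ 1281.169868]  rcu_process_callbacks+0x88b/0x1180
[ 1281.179894] The buggy address belongs to the object at ffff8880a8fd50c0
[ 1281.179894]  which belongs to the cache kmalloc-128 of size 128
[ 1281.292672] ==================================================================
"""

TS_RE = re.compile(r"^\[\s*\d+\.\d+\]\s?")  # "[ 1280.907257] " console prefix
BUG_RE = re.compile(r"BUG: KASAN: ([\w-]+) in ([\w.]+)\+0x")
ACCESS_RE = re.compile(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task \S+/\d+")
FRAME_RE = re.compile(r"^\s*(\? )?([\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+")
OBJ_RE = re.compile(r"belongs to the object at ([0-9a-f]+)")
CACHE_RE = re.compile(r"belongs to the cache (\S+) of size (\d+)")
# Frames that are KASAN or allocator plumbing rather than the code under test.
NOISE = ("dump_stack", "print_address_description", "kasan_", "__asan_",
         "kmem_cache_alloc", "kmalloc", "__kmalloc", "kfree")


@dataclass
class KasanReport:
    bug_type: str
    func: str
    op: str = ""
    size: int = 0
    addr: int = 0
    alloc_pid: Optional[int] = None
    free_pid: Optional[int] = None
    obj_base: Optional[int] = None
    obj_size: Optional[int] = None
    cache: Optional[str] = None
    call_trace: List[str] = field(default_factory=list)
    alloc_trace: List[str] = field(default_factory=list)
    free_trace: List[str] = field(default_factory=list)


def parse_kasan_report(console: str) -> Optional[KasanReport]:
    """Extract the first KASAN report from raw console output; None if there is none."""
    rep, stack = None, None
    for raw in console.splitlines():
        ln = TS_RE.sub("", raw).rstrip()
        if rep is None:
            if (m := BUG_RE.search(ln)):
                rep = KasanReport(bug_type=m[1], func=m[2])
            continue
        if ln.startswith("===="):  # closing rule: the report is complete
            break
        if (m := ACCESS_RE.search(ln)):
            rep.op, rep.size, rep.addr = m[1], int(m[2]), int(m[3], 16)
        elif ln.startswith("Call Trace:"):
            stack = rep.call_trace
        elif ln.startswith("Allocated by task"):
            rep.alloc_pid, stack = int(ln.split()[3].rstrip(":")), rep.alloc_trace
        elif ln.startswith("Freed by task"):
            rep.free_pid, stack = int(ln.split()[3].rstrip(":")), rep.free_trace
        elif (m := OBJ_RE.search(ln)):
            rep.obj_base = int(m[1], 16)
        elif (m := CACHE_RE.search(ln)):
            rep.cache, rep.obj_size = m[1], int(m[2])
        elif (m := FRAME_RE.match(ln)) and stack is not None:
            if not m[1]:  # "? sym" entries are stale stack slots, not real callers
                stack.append(m[2])
    return rep


def first_real_frame(frames: List[str]) -> Optional[str]:
    """First frame that is not KASAN/allocator plumbing: the function to look at."""
    return next((f for f in frames if not f.startswith(NOISE)), None)


def triage(rep: KasanReport) -> dict:
    """Fields a triager wants first: syzbot-style title, culprit, and object lifetime."""
    offset = None if rep.obj_base is None else rep.addr - rep.obj_base
    inside = offset is not None and rep.obj_size is not None and 0 <= offset < rep.obj_size
    return {
        "title": f"KASAN: {rep.bug_type} {rep.op} in {rep.func}",
        "culprit": first_real_frame(rep.call_trace),
        "alloc_origin": first_real_frame(rep.alloc_trace),
        "free_origin": first_real_frame(rep.free_trace),
        "cache": rep.cache,
        "offset_in_object": offset,
        "access_inside_object": inside,  # True: stale pointer into a freed slot, not an overflow
        "freed_from_rcu_callback": "rcu_process_callbacks" in rep.free_trace,
    }
```

Run `triage(parse_kasan_report(SAMPLE_LOG))` to get the title "KASAN: use-after-free Read in hci_chan_del", culprit hci_chan_del, allocation origin sock_alloc_inode, free origin rcu_process_callbacks and an in-object offset of 24. The "? " frames are dropped on purpose: the unwinder prints them for stack slots that look like return addresses but are not confirmed callers, and treating them as real frames misattributes bugs. The access-inside-object check distinguishes a stale pointer (this report) from an out-of-bounds access, which would show an offset at or past the object size.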