Warning: Permanently added '10.128.0.157' (ECDSA) to the list of known hosts.
[ 38.126792] audit: type=1400 audit(1596601920.137:8): avc: denied { execmem } for pid=6462 comm="syz-executor585" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=1
[ 38.142633] IPVS: ftp: loaded support on port[0] = 21
[ 38.218747] chnl_net:caif_netlink_parms(): no params data found
[ 38.307305] bridge0: port 1(bridge_slave_0) entered blocking state
[ 38.314115] bridge0: port 1(bridge_slave_0) entered disabled state
[ 38.321163] device bridge_slave_0 entered promiscuous mode
[ 38.329433] bridge0: port 2(bridge_slave_1) entered blocking state
[ 38.336117] bridge0: port 2(bridge_slave_1) entered disabled state
[ 38.344133] device bridge_slave_1 entered promiscuous mode
[ 38.361071] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 38.370811] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 38.389696] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 38.397842] team0: Port device team_slave_0 added
[ 38.403945] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 38.411304] team0: Port device team_slave_1 added
[ 38.426874] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 38.433163] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 38.458440] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[ 38.469896] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 38.476251] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 38.501930] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[ 38.512927] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[ 38.520294] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[ 38.585663] device hsr_slave_0 entered promiscuous mode
[ 38.623897] device hsr_slave_1 entered promiscuous mode
[ 38.663651] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready
[ 38.670716] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_1: link is not ready
[ 38.737914] bridge0: port 2(bridge_slave_1) entered blocking state
[ 38.744488] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 38.751202] bridge0: port 1(bridge_slave_0) entered blocking state
[ 38.763013] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 38.793655] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[ 38.799725] 8021q: adding VLAN 0 to HW filter on device bond0
[ 38.809372] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 38.818190] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 38.837577] bridge0: port 1(bridge_slave_0) entered disabled state
[ 38.845110] bridge0: port 2(bridge_slave_1) entered disabled state
[ 38.852093] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 38.863439] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready
[ 38.869504] 8021q: adding VLAN 0 to HW filter on device team0
[ 38.879481] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 38.887190] bridge0: port 1(bridge_slave_0) entered blocking state
[ 38.893583] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 38.903220] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 38.910777] bridge0: port 2(bridge_slave_1) entered blocking state
[ 38.917216] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 38.930921] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 38.940218] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 38.950044] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 38.960908] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 38.971082] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 38.980500] IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready
[ 38.987260] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 39.000482] IPv6: ADDRCONF(NETDEV_UP): vxcan0: link is not ready
[ 39.008091] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 39.015230] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 39.026630] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 39.038550] IPv6: ADDRCONF(NETDEV_UP): veth0_virt_wifi: link is not ready
[ 39.048703] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 39.080010] IPv6: ADDRCONF(NETDEV_UP): veth0_vlan: link is not ready
[ 39.087752] IPv6: ADDRCONF(NETDEV_UP): vlan0: link is not ready
[ 39.094960] IPv6: ADDRCONF(NETDEV_UP): vlan1: link is not ready
[ 39.104376] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 39.111858] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 39.119695] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 39.128542] device veth0_vlan entered promiscuous mode
[ 39.137624] device veth1_vlan entered promiscuous mode
[ 39.144040] IPv6: ADDRCONF(NETDEV_UP): macvlan0: link is not ready
[ 39.153040] IPv6: ADDRCONF(NETDEV_UP): macvlan1: link is not ready
[ 39.164507] IPv6: ADDRCONF(NETDEV_UP): veth0_macvtap: link is not ready
[ 39.173854] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan0: link becomes ready
[ 39.181048] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan1: link becomes ready
[ 39.188928] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 39.200242] device veth0_macvtap entered promiscuous mode
[ 39.209010] device veth1_macvtap entered promiscuous mode
[ 39.217694] IPv6: ADDRCONF(NETDEV_UP): veth0_to_batadv: link is not ready
[ 39.227655] IPv6: ADDRCONF(NETDEV_UP): veth1_to_batadv: link is not ready
[ 39.239314] IPv6: ADDRCONF(NETDEV_UP): batadv_slave_0: link is not ready
[ 39.247181] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 39.254404] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready
[ 39.262290] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 39.272015] IPv6: ADDRCONF(NETDEV_UP): batadv_slave_1: link is not ready
[ 39.279272] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 39.286559] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready
[ 39.294503] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
executing program
[ 40.531975] Bluetooth: hci0: hardware error 0x43
[ 40.537077] ==================================================================
[ 40.544468] BUG: KASAN: use-after-free in hci_chan_del+0x13e/0x180
[ 40.550765] Read of size 8 at addr ffff8880a4b0e918 by task kworker/u5:1/6690
[ 40.558010]
[ 40.559621] CPU: 0 PID: 6690 Comm: kworker/u5:1 Not tainted 4.19.136-syzkaller #0
[ 40.567216] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 40.576555] Workqueue: hci0 hci_error_reset
[ 40.580851] Call Trace:
[ 40.583421] dump_stack+0x1fc/0x2fe
[ 40.587030] ? l2cap_conn_del+0x6b0/0x6b0
[ 40.591159] print_address_description.cold+0x54/0x219
[ 40.596417] kasan_report_error.cold+0x8a/0x1c7
[ 40.601084] ? hci_chan_del+0x13e/0x180
[ 40.605051] __asan_report_load8_noabort+0x88/0x90
[ 40.609972] ? hci_chan_del+0x13e/0x180
[ 40.613933] hci_chan_del+0x13e/0x180
[ 40.617735] l2cap_conn_del+0x44f/0x6b0
[ 40.621700] ? l2cap_conn_del+0x6b0/0x6b0
[ 40.625881] l2cap_disconn_cfm+0x85/0xa0
[ 40.629925] hci_conn_hash_flush+0x114/0x220
[ 40.634320] hci_dev_do_close+0x624/0xe70
[ 40.638456] ? hci_dev_open+0x2a0/0x2a0
[ 40.642413] ? check_preemption_disabled+0x41/0x280
[ 40.647414] hci_error_reset+0x90/0xf0
[ 40.651283] process_one_work+0x864/0x1570
[ 40.655502] ? pwq_dec_nr_in_flight+0x2d0/0x2d0
[ 40.660157] worker_thread+0x64c/0x1130
[ 40.664120] ? process_one_work+0x1570/0x1570
[ 40.668594] kthread+0x30b/0x410
[ 40.671940] ? kthread_park+0x180/0x180
[ 40.675903] ret_from_fork+0x24/0x30
[ 40.679595]
[ 40.681203] Allocated by task 6690:
[ 40.684809] kmem_cache_alloc_trace+0x12f/0x380
[ 40.689457] hci_chan_create+0x8e/0x310
[ 40.693410] l2cap_conn_add.part.0+0x18/0xc40
[ 40.698664] l2cap_connect_cfm+0x236/0xe70
[ 40.702879] le_conn_complete_evt+0x111b/0x1730
[ 40.707527] hci_le_meta_evt+0x738/0x39c0
[ 40.711654] hci_event_packet+0x1a29/0x858f
[ 40.715963] hci_rx_work+0x46b/0xa90
[ 40.719671] process_one_work+0x864/0x1570
[ 40.723882] worker_thread+0x64c/0x1130
[ 40.727834] kthread+0x30b/0x410
[ 40.731180] ret_from_fork+0x24/0x30
[ 40.734867]
[ 40.736472] Freed by task 6690:
[ 40.739750] kfree+0xcc/0x210
[ 40.742835] hci_event_packet+0xf52/0x858f
[ 40.747049] hci_rx_work+0x46b/0xa90
[ 40.750743] process_one_work+0x864/0x1570
[ 40.754955] worker_thread+0x64c/0x1130
[ 40.758908] kthread+0x30b/0x410
[ 40.762253] ret_from_fork+0x24/0x30
[ 40.765940]
[ 40.767548] The buggy address belongs to the object at ffff8880a4b0e900
[ 40.767548] which belongs to the cache kmalloc-128 of size 128
[ 40.780200] The buggy address is located 24 bytes inside of
[ 40.780200] 128-byte region [ffff8880a4b0e900, ffff8880a4b0e980)
[ 40.791968] The buggy address belongs to the page:
[ 40.796917] page:ffffea000292c380 count:1 mapcount:0 mapping:ffff88812c39c640 index:0x0
[ 40.805078] flags: 0xfffe0000000100(slab)
[ 40.809290] raw: 00fffe0000000100 ffffea0002316288 ffffea0002690288 ffff88812c39c640
[ 40.817192] raw: 0000000000000000 ffff8880a4b0e000 0000000100000015 0000000000000000
[ 40.825054] page dumped because: kasan: bad access detected
[ 40.830740]
[ 40.832342] Memory state around the buggy address:
[ 40.837252] ffff8880a4b0e800: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 40.844853] ffff8880a4b0e880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 40.852190] >ffff8880a4b0e900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 40.859612] ^
[ 40.863752] ffff8880a4b0e980: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
[ 40.871089] ffff8880a4b0ea00: 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc
[ 40.878422] ==================================================================
[ 40.885754] Disabling lock debugging due to kernel taint
[ 40.897769] Kernel panic - not syncing: panic_on_warn set ...
[ 40.897769]
[ 40.905161] CPU: 1 PID: 6690 Comm: kworker/u5:1 Tainted: G B 4.19.136-syzkaller #0
[ 40.914172] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 40.923529] Workqueue: hci0 hci_error_reset
[ 40.927827] Call Trace:
[ 40.930394] dump_stack+0x1fc/0x2fe
[ 40.934004] ? l2cap_conn_del+0x6b0/0x6b0
[ 40.938176] panic+0x26a/0x50e
[ 40.941353] ? __warn_printk+0xf3/0xf3
[ 40.945230] ? l2cap_conn_del+0x6b0/0x6b0
[ 40.949360] ? preempt_schedule_common+0x45/0xc0
[ 40.954100] ? ___preempt_schedule+0x16/0x18
[ 40.958533] ? trace_hardirqs_on+0x55/0x210
[ 40.962837] ? l2cap_conn_del+0x6b0/0x6b0
[ 40.966964] kasan_end_report+0x43/0x49
[ 40.970967] kasan_report_error.cold+0xa7/0x1c7
[ 40.975622] ? hci_chan_del+0x13e/0x180
[ 40.979576] __asan_report_load8_noabort+0x88/0x90
[ 40.984487] ? hci_chan_del+0x13e/0x180
[ 40.988490] hci_chan_del+0x13e/0x180
[ 40.993064] l2cap_conn_del+0x44f/0x6b0
[ 40.997016] ? l2cap_conn_del+0x6b0/0x6b0
[ 41.001140] l2cap_disconn_cfm+0x85/0xa0
[ 41.005186] hci_conn_hash_flush+0x114/0x220
[ 41.010364] hci_dev_do_close+0x624/0xe70
[ 41.014493] ? hci_dev_open+0x2a0/0x2a0
[ 41.018446] ? check_preemption_disabled+0x41/0x280
[ 41.023714] hci_error_reset+0x90/0xf0
[ 41.027580] process_one_work+0x864/0x1570
[ 41.031795] ? pwq_dec_nr_in_flight+0x2d0/0x2d0
[ 41.036444] worker_thread+0x64c/0x1130
[ 41.040396] ? process_one_work+0x1570/0x1570
[ 41.044871] kthread+0x30b/0x410
[ 41.048229] ? kthread_park+0x180/0x180
[ 41.052181] ret_from_fork+0x24/0x30
[ 41.057018] Kernel Offset: disabled
[ 41.060636] Rebooting in 86400 seconds..