Warning: Permanently added '10.128.0.153' (ECDSA) to the list of known hosts.
2020/08/03 07:46:51 parsed 1 programs
2020/08/03 07:46:51 executed programs: 0
syzkaller login: [ 1049.073342] audit: type=1400 audit(1596440811.656:8): avc: denied { execmem } for pid=6494 comm="syz-executor.0" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=1
[ 1049.112024] IPVS: ftp: loaded support on port[0] = 21
[ 1049.194242] chnl_net:caif_netlink_parms(): no params data found
[ 1049.285358] bridge0: port 1(bridge_slave_0) entered blocking state
[ 1049.292712] bridge0: port 1(bridge_slave_0) entered disabled state
[ 1049.301326] device bridge_slave_0 entered promiscuous mode
[ 1049.308859] bridge0: port 2(bridge_slave_1) entered blocking state
[ 1049.316365] bridge0: port 2(bridge_slave_1) entered disabled state
[ 1049.323613] device bridge_slave_1 entered promiscuous mode
[ 1049.343270] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 1049.352726] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 1049.372896] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 1049.380625] team0: Port device team_slave_0 added
[ 1049.386292] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 1049.395094] team0: Port device team_slave_1 added
[ 1049.411466] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 1049.418139] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 1049.446711] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[ 1049.460573] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 1049.466930] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 1049.494342] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[ 1049.507349] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[ 1049.515668] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[ 1049.571880] device hsr_slave_0 entered promiscuous mode
[ 1049.619755] device hsr_slave_1 entered promiscuous mode
[ 1049.660173] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready
[ 1049.668038] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_1: link is not ready
[ 1049.744091] bridge0: port 2(bridge_slave_1) entered blocking state
[ 1049.751519] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 1049.759934] bridge0: port 1(bridge_slave_0) entered blocking state
[ 1049.766698] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 1049.803136] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[ 1049.810098] 8021q: adding VLAN 0 to HW filter on device bond0
[ 1049.818398] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 1049.828423] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 1049.848815] bridge0: port 1(bridge_slave_0) entered disabled state
[ 1049.856965] bridge0: port 2(bridge_slave_1) entered disabled state
[ 1049.866894] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 1049.878379] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready
[ 1049.884620] 8021q: adding VLAN 0 to HW filter on device team0
[ 1049.894351] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 1049.902193] bridge0: port 1(bridge_slave_0) entered blocking state
[ 1049.909359] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 1049.919075] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 1049.927715] bridge0: port 2(bridge_slave_1) entered blocking state
[ 1049.935110] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 1049.953027] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 1049.961344] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 1049.972311] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 1049.985986] hsr0: Slave A (hsr_slave_0) is not up; please bring it up to get a fully working HSR network
[ 1049.997569] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
[ 1050.008861] IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready
[ 1050.015583] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 1050.023671] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 1050.032032] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 1050.044711] IPv6: ADDRCONF(NETDEV_UP): vxcan0: link is not ready
[ 1050.056511] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 1050.064507] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 1050.071746] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 1050.087112] IPv6: ADDRCONF(NETDEV_UP): veth0_virt_wifi: link is not ready
[ 1050.097442] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 1050.138307] IPv6: ADDRCONF(NETDEV_UP): veth0_vlan: link is not ready
[ 1050.146279] IPv6: ADDRCONF(NETDEV_UP): vlan0: link is not ready
[ 1050.154066] IPv6: ADDRCONF(NETDEV_UP): vlan1: link is not ready
[ 1050.164672] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 1050.173260] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 1050.180943] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 1050.190940] device veth0_vlan entered promiscuous mode
[ 1050.201315] device veth1_vlan entered promiscuous mode
[ 1050.215828] IPv6: ADDRCONF(NETDEV_UP): veth0_macvtap: link is not ready
[ 1050.225505] IPv6: ADDRCONF(NETDEV_UP): veth1_macvtap: link is not ready
[ 1050.234417] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_macvtap: link becomes ready
[ 1050.243543] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 1050.253318] device veth0_macvtap entered promiscuous mode
[ 1050.260827] IPv6: ADDRCONF(NETDEV_UP): macvtap0: link is not ready
[ 1050.270077] device veth1_macvtap entered promiscuous mode
[ 1050.276570] IPv6: ADDRCONF(NETDEV_UP): macsec0: link is not ready
[ 1050.285935] IPv6: ADDRCONF(NETDEV_UP): veth0_to_batadv: link is not ready
[ 1050.296490] IPv6: ADDRCONF(NETDEV_UP): veth1_to_batadv: link is not ready
[ 1050.306002] IPv6: ADDRCONF(NETDEV_UP): batadv_slave_0: link is not ready
[ 1050.314006] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 1050.321647] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready
[ 1050.330341] IPv6: ADDRCONF(NETDEV_CHANGE): macsec0: link becomes ready
[ 1050.338196] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready
[ 1050.347146] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 1050.358366] IPv6: ADDRCONF(NETDEV_UP): batadv_slave_1: link is not ready
[ 1050.366447] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 1050.374077] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready
[ 1050.382467] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 1053.621323] Bluetooth: hci0: command 0x0409 tx timeout
2020/08/03 07:46:56 executed programs: 163
[ 1055.698877] Bluetooth: hci0: command 0x041b tx timeout
[ 1057.239501] ==================================================================
[ 1057.247466] BUG: KASAN: use-after-free in hci_chan_del+0x13e/0x180
[ 1057.254731] Read of size 8 at addr ffff8880a9419258 by task syz-executor.0/6495
[ 1057.262481]
[ 1057.264346] CPU: 1 PID: 6495 Comm: syz-executor.0 Not tainted 4.19.136-syzkaller #0
[ 1057.272341] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 1057.283203] Call Trace:
[ 1057.286152]  dump_stack+0x1fc/0x2fe
[ 1057.289974]  ? l2cap_conn_del+0x6b0/0x6b0
[ 1057.294225]  print_address_description.cold+0x54/0x219
[ 1057.299563]  kasan_report_error.cold+0x8a/0x1c7
[ 1057.304666]  ? hci_chan_del+0x13e/0x180
[ 1057.308700]  __asan_report_load8_noabort+0x88/0x90
[ 1057.313630]  ? hci_chan_del+0x13e/0x180
[ 1057.318304]  hci_chan_del+0x13e/0x180
[ 1057.322471]  l2cap_conn_del+0x44f/0x6b0
[ 1057.326994]  ? l2cap_conn_del+0x6b0/0x6b0
[ 1057.331148]  l2cap_disconn_cfm+0x85/0xa0
[ 1057.335533]  hci_conn_hash_flush+0x114/0x220
[ 1057.340290]  hci_dev_do_close+0x624/0xe70
[ 1057.344641]  ? hci_dev_open+0x2a0/0x2a0
[ 1057.348702]  ? hci_unregister_dev+0x62/0x7f0
[ 1057.353486]  hci_unregister_dev+0x17c/0x7f0
[ 1057.357863]  ? vhci_close_dev+0x50/0x50
[ 1057.361926]  vhci_release+0x70/0xe0
[ 1057.365832]  __fput+0x2ce/0x890
[ 1057.369172]  task_work_run+0x148/0x1c0
[ 1057.373375]  do_exit+0xbb2/0x2b70
[ 1057.377252]  ? mm_update_next_owner+0x650/0x650
[ 1057.382109]  ? vfs_write+0x393/0x540
[ 1057.386410]  ? ksys_write+0x1c8/0x2a0
[ 1057.390736]  do_group_exit+0x125/0x310
[ 1057.394624]  __x64_sys_exit_group+0x3a/0x50
[ 1057.399124]  do_syscall_64+0xf9/0x620
[ 1057.403159]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 1057.408790] RIP: 0033:0x45cc79
[ 1057.412254] Code: Bad RIP value.
[ 1057.415868] RSP: 002b:00007ffd3c78e498 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 1057.424325] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000045cc79
[ 1057.432148] RDX: 00000000004166d1 RSI: 0000000000ca85f0 RDI: 0000000000000043
[ 1057.440154] RBP: 00000000004c2903 R08: 000000000000000b R09: 0000000000000000
[ 1057.448747] R10: 0000000002661940 R11: 0000000000000246 R12: 0000000000000002
[ 1057.456710] R13: 00007ffd3c78e5e0 R14: 00000000001021df R15: 00007ffd3c78e5f0
[ 1057.464654]
[ 1057.466402] Allocated by task 7482:
[ 1057.470116]  kmem_cache_alloc_trace+0x12f/0x380
[ 1057.475168]  sock_alloc_inode+0x5f/0x250
[ 1057.479637]  alloc_inode+0x5d/0x180
[ 1057.483412]  new_inode_pseudo+0x14/0xe0
[ 1057.487961]  sock_alloc+0x3c/0x260
[ 1057.491493]  __sock_create+0xba/0x740
[ 1057.495570]  __sys_socket+0xef/0x200
[ 1057.499471]  __x64_sys_socket+0x6f/0xb0
[ 1057.504547]  do_syscall_64+0xf9/0x620
[ 1057.508654]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 1057.514135]
[ 1057.515832] Freed by task 18:
[ 1057.518937]  kfree+0xcc/0x210
[ 1057.522274]  rcu_process_callbacks+0xa0d/0x18b0
[ 1057.527197]  __do_softirq+0x26c/0x9a0
[ 1057.531202]
[ 1057.532824] The buggy address belongs to the object at ffff8880a9419240
[ 1057.532824]  which belongs to the cache kmalloc-128 of size 128
[ 1057.546894] The buggy address is located 24 bytes inside of
[ 1057.546894]  128-byte region [ffff8880a9419240, ffff8880a94192c0)
[ 1057.559199] The buggy address belongs to the page:
[ 1057.564297] page:ffffea0002a50640 count:1 mapcount:0 mapping:ffff88812c39c640 index:0x0
[ 1057.572833] flags: 0xfffe0000000100(slab)
[ 1057.577492] raw: 00fffe0000000100 ffffea00023d9248 ffffea00023f0208 ffff88812c39c640
[ 1057.586132] raw: 0000000000000000 ffff8880a9419000 0000000100000015 0000000000000000
[ 1057.594161] page dumped because: kasan: bad access detected
[ 1057.600192]
[ 1057.602194] Memory state around the buggy address:
[ 1057.607121]  ffff8880a9419100: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 1057.614657]  ffff8880a9419180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1057.622400] >ffff8880a9419200: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 1057.630201]                                                     ^
[ 1057.636739]  ffff8880a9419280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 1057.645613]  ffff8880a9419300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1057.653317] ==================================================================
[ 1057.661174] Disabling lock debugging due to kernel taint
[ 1057.670736] Kernel panic - not syncing: panic_on_warn set ...
[ 1057.670736]
[ 1057.678746] CPU: 0 PID: 6495 Comm: syz-executor.0 Tainted: G B 4.19.136-syzkaller #0
[ 1057.688091] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 1057.698063] Call Trace:
[ 1057.700665]  dump_stack+0x1fc/0x2fe
[ 1057.704438]  ? l2cap_conn_del+0x6b0/0x6b0
[ 1057.708587]  panic+0x26a/0x50e
[ 1057.712408]  ? __warn_printk+0xf3/0xf3
[ 1057.716611]  ? l2cap_conn_del+0x6b0/0x6b0
[ 1057.720762]  ? preempt_schedule_common+0x45/0xc0
[ 1057.725793]  ? ___preempt_schedule+0x16/0x18
[ 1057.730304]  ? trace_hardirqs_on+0x55/0x210
[ 1057.734816]  ? l2cap_conn_del+0x6b0/0x6b0
[ 1057.739046]  kasan_end_report+0x43/0x49
[ 1057.743055]  kasan_report_error.cold+0xa7/0x1c7
[ 1057.747767]  ? hci_chan_del+0x13e/0x180
[ 1057.751852]  __asan_report_load8_noabort+0x88/0x90
[ 1057.756864]  ? hci_chan_del+0x13e/0x180
[ 1057.760867]  hci_chan_del+0x13e/0x180
[ 1057.764796]  l2cap_conn_del+0x44f/0x6b0
[ 1057.769119]  ? l2cap_conn_del+0x6b0/0x6b0
[ 1057.773342]  l2cap_disconn_cfm+0x85/0xa0
[ 1057.777499]  hci_conn_hash_flush+0x114/0x220
[ 1057.782000]  hci_dev_do_close+0x624/0xe70
[ 1057.786489]  ? hci_dev_open+0x2a0/0x2a0
[ 1057.791364]  ? hci_unregister_dev+0x62/0x7f0
[ 1057.795940]  hci_unregister_dev+0x17c/0x7f0
[ 1057.800373]  ? vhci_close_dev+0x50/0x50
[ 1057.804431]  vhci_release+0x70/0xe0
[ 1057.808225]  __fput+0x2ce/0x890
[ 1057.811501]  task_work_run+0x148/0x1c0
[ 1057.815385]  do_exit+0xbb2/0x2b70
[ 1057.819100]  ? mm_update_next_owner+0x650/0x650
[ 1057.823851]  ? vfs_write+0x393/0x540
[ 1057.827668]  ? ksys_write+0x1c8/0x2a0
[ 1057.831586]  do_group_exit+0x125/0x310
[ 1057.835558]  __x64_sys_exit_group+0x3a/0x50
[ 1057.839973]  do_syscall_64+0xf9/0x620
[ 1057.843926]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 1057.849540] RIP: 0033:0x45cc79
[ 1057.853408] Code: Bad RIP value.
[ 1057.857087] RSP: 002b:00007ffd3c78e498 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 1057.865338] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000045cc79
[ 1057.872929] RDX: 00000000004166d1 RSI: 0000000000ca85f0 RDI: 0000000000000043
[ 1057.880702] RBP: 00000000004c2903 R08: 000000000000000b R09: 0000000000000000
[ 1057.888318] R10: 0000000002661940 R11: 0000000000000246 R12: 0000000000000002
[ 1057.895876] R13: 00007ffd3c78e5e0 R14: 00000000001021df R15: 00007ffd3c78e5f0
[ 1057.905585] Kernel Offset: disabled
[ 1057.909227] Rebooting in 86400 seconds..