[ OK ] Reached target Login Prompts.
[ OK ] Reached target Multi-User System.
[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
[ OK ] Started Update UTMP about System Runlevel Changes.
Debian GNU/Linux 9 syzkaller ttyS0
Warning: Permanently added '10.128.0.249' (ECDSA) to the list of known hosts.
2020/09/01 08:45:16 parsed 1 programs
2020/09/01 08:45:16 executed programs: 0
syzkaller login: [ 39.786246] audit: type=1400 audit(1598949916.855:8): avc: denied { execmem } for pid=6369 comm="syz-executor.0" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=1
[ 40.886334] IPVS: ftp: loaded support on port[0] = 21
[ 40.991579] chnl_net:caif_netlink_parms(): no params data found
[ 41.072431] bridge0: port 1(bridge_slave_0) entered blocking state
[ 41.079992] bridge0: port 1(bridge_slave_0) entered disabled state
[ 41.087791] device bridge_slave_0 entered promiscuous mode
[ 41.095641] bridge0: port 2(bridge_slave_1) entered blocking state
[ 41.102030] bridge0: port 2(bridge_slave_1) entered disabled state
[ 41.109609] device bridge_slave_1 entered promiscuous mode
[ 41.126230] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 41.135481] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 41.154431] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 41.161555] team0: Port device team_slave_0 added
[ 41.167945] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 41.175324] team0: Port device team_slave_1 added
[ 41.189969] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 41.196265] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 41.221879] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[ 41.233377] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 41.239672] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 41.264902] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[ 41.275802] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[ 41.283040] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[ 41.301495] device hsr_slave_0 entered promiscuous mode
[ 41.307145] device hsr_slave_1 entered promiscuous mode
[ 41.312988] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready
[ 41.320130] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_1: link is not ready
[ 41.381298] bridge0: port 2(bridge_slave_1) entered blocking state
[ 41.387732] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 41.394597] bridge0: port 1(bridge_slave_0) entered blocking state
[ 41.400935] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 41.430965] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[ 41.437156] 8021q: adding VLAN 0 to HW filter on device bond0
[ 41.445585] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 41.454541] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 41.462353] bridge0: port 1(bridge_slave_0) entered disabled state
[ 41.479556] bridge0: port 2(bridge_slave_1) entered disabled state
[ 41.489704] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready
[ 41.496141] 8021q: adding VLAN 0 to HW filter on device team0
[ 41.505324] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 41.512885] bridge0: port 1(bridge_slave_0) entered blocking state
[ 41.519291] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 41.528237] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 41.537161] bridge0: port 2(bridge_slave_1) entered blocking state
[ 41.543538] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 41.564162] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 41.571769] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 41.579398] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 41.586895] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 41.595259] IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready
[ 41.601261] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 41.608923] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 41.621421] IPv6: ADDRCONF(NETDEV_UP): vxcan0: link is not ready
[ 41.629057] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 41.636549] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 41.648367] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 41.699440] IPv6: ADDRCONF(NETDEV_UP): veth0_virt_wifi: link is not ready
[ 41.708936] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 41.741096] IPv6: ADDRCONF(NETDEV_UP): veth0_vlan: link is not ready
[ 41.748156] IPv6: ADDRCONF(NETDEV_UP): vlan0: link is not ready
[ 41.756297] IPv6: ADDRCONF(NETDEV_UP): vlan1: link is not ready
[ 41.765502] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 41.772754] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 41.780736] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 41.789507] device veth0_vlan entered promiscuous mode
[ 41.798563] device veth1_vlan entered promiscuous mode
[ 41.804911] IPv6: ADDRCONF(NETDEV_UP): macvlan0: link is not ready
[ 41.813071] IPv6: ADDRCONF(NETDEV_UP): macvlan1: link is not ready
[ 41.825261] IPv6: ADDRCONF(NETDEV_UP): veth0_macvtap: link is not ready
[ 41.835472] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan0: link becomes ready
[ 41.842497] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan1: link becomes ready
[ 41.850301] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 41.860479] device veth0_macvtap entered promiscuous mode
[ 41.866556] IPv6: ADDRCONF(NETDEV_UP): macvtap0: link is not ready
[ 41.874752] device veth1_macvtap entered promiscuous mode
[ 41.882640] IPv6: ADDRCONF(NETDEV_UP): veth0_to_batadv: link is not ready
[ 41.891817] IPv6: ADDRCONF(NETDEV_UP): veth1_to_batadv: link is not ready
[ 41.901232] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 41.908190] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 41.916388] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready
[ 41.926641] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 41.933228] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 41.993696] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 42.923849] Bluetooth: hci0 command 0x0409 tx timeout
[ 42.998424] ==================================================================
[ 43.005923] BUG: KASAN: double-free or invalid-free in (null)
[ 43.012693]
[ 43.014307] CPU: 0 PID: 6845 Comm: syz-executor.0 Not tainted 4.14.195-syzkaller #0
[ 43.022073] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 43.031402] Call Trace:
[ 43.034007] dump_stack+0x1b2/0x283
[ 43.037614] ? vt_move_to_console+0x100/0x100
[ 43.042101] print_address_description.cold+0x54/0x1d3
[ 43.047355] ? vt_move_to_console+0x100/0x100
[ 43.051827] kasan_report_double_free+0x51/0x80
[ 43.056487] kasan_slab_free+0x16f/0x1a0
[ 43.060536] ? lock_acquire+0x170/0x3f0
[ 43.064487] ? lock_downgrade+0x740/0x740
[ 43.068614] ? check_preemption_disabled+0x35/0x240
[ 43.073608] ? debug_check_no_obj_freed+0x2c0/0x674
[ 43.078603] ? lock_acquire+0x170/0x3f0
[ 43.082567] ? lock_downgrade+0x740/0x740
[ 43.086697] ? _raw_spin_unlock_irqrestore+0x66/0xe0
[ 43.091781] ? debug_check_no_obj_freed+0x2c0/0x674
[ 43.096785] ? lock_downgrade+0x740/0x740
[ 43.100915] ? debug_object_activate+0x490/0x490
[ 43.105659] ? rcu_lockdep_current_cpu_online+0xed/0x140
[ 43.111091] ? vcs_release+0x49/0x60
[ 43.114785] kfree+0xc9/0x250
[ 43.117883] vcs_release+0x49/0x60
[ 43.121400] __fput+0x25f/0x7a0
[ 43.124658] task_work_run+0x11f/0x190
[ 43.128528] exit_to_usermode_loop+0x1ad/0x200
[ 43.133093] do_syscall_64+0x4a3/0x640
[ 43.136968] entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 43.142152] RIP: 0033:0x45d5b9
[ 43.145316] RSP: 002b:00007f2ac0861c78 EFLAGS: 00000246 ORIG_RAX: 00000000000000e9
[ 43.152999] RAX: 0000000000000000 RBX: 0000000000002ac0 RCX: 000000000045d5b9
[ 43.160244] RDX: 0000000000000005 RSI: 0000000000000001 RDI: 0000000000000006
[ 43.167491] RBP: 000000000118cf88 R08: 0000000000000000 R09: 0000000000000000
[ 43.174752] R10: 0000000020000040 R11: 0000000000000246 R12: 000000000118cf4c
[ 43.181998] R13: 00007fff7c5aad2f R14: 00007f2ac08629c0 R15: 000000000118cf4c
[ 43.189263]
[ 43.190868] Allocated by task 6846:
[ 43.194487] kasan_kmalloc+0xeb/0x160
[ 43.198260] kmem_cache_alloc_trace+0x131/0x3d0
[ 43.202909] vcs_poll_data_get.part.0+0x43/0x220
[ 43.207644] vcs_poll+0xed/0x120
[ 43.210990] SyS_epoll_ctl+0xa91/0x2950
[ 43.214966] do_syscall_64+0x1d5/0x640
[ 43.218831] entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 43.223998]
[ 43.225608] Freed by task 6844:
[ 43.228874] kasan_slab_free+0xc3/0x1a0
[ 43.232844] kfree+0xc9/0x250
[ 43.235923] vcs_release+0x49/0x60
[ 43.239438] __fput+0x25f/0x7a0
[ 43.242696] task_work_run+0x11f/0x190
[ 43.246573] exit_to_usermode_loop+0x1ad/0x200
[ 43.251129] do_syscall_64+0x4a3/0x640
[ 43.255010] entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 43.260184]
[ 43.261794] The buggy address belongs to the object at ffff888094a23240
[ 43.261794] which belongs to the cache kmalloc-128 of size 128
[ 43.274430] The buggy address is located 0 bytes inside of
[ 43.274430] 128-byte region [ffff888094a23240, ffff888094a232c0)
[ 43.286105] The buggy address belongs to the page:
[ 43.291007] page:ffffea00025288c0 count:1 mapcount:0 mapping:ffff888094a23000 index:0x0
[ 43.299388] flags: 0xfffe0000000100(slab)
[ 43.303523] raw: 00fffe0000000100 ffff888094a23000 0000000000000000 0000000100000015
[ 43.311401] raw: ffffea00024a5960 ffffea0002843f60 ffff88812fe52640 0000000000000000
[ 43.319269] page dumped because: kasan: bad access detected
[ 43.324957]
[ 43.326568] Memory state around the buggy address:
[ 43.331483] ffff888094a23100: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
[ 43.338824] ffff888094a23180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 43.346175] >ffff888094a23200: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 43.353521] ^
[ 43.358944] ffff888094a23280: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 43.366277] ffff888094a23300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 43.373623] ==================================================================
[ 43.380953] Disabling lock debugging due to kernel taint
[ 43.386386] Kernel panic - not syncing: panic_on_warn set ...
[ 43.386386]
[ 43.393729] CPU: 0 PID: 6845 Comm: syz-executor.0 Tainted: G B 4.14.195-syzkaller #0
[ 43.402723] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 43.412056] Call Trace:
[ 43.414636] dump_stack+0x1b2/0x283
[ 43.418244] panic+0x1f9/0x42d
[ 43.421410] ? add_taint.cold+0x16/0x16
[ 43.425360] ? lock_downgrade+0x740/0x740
[ 43.429484] ? vt_move_to_console+0x100/0x100
[ 43.433956] kasan_end_report+0x43/0x49
[ 43.437906] kasan_report_double_free+0x6d/0x80
[ 43.442550] kasan_slab_free+0x16f/0x1a0
[ 43.446597] ? lock_acquire+0x170/0x3f0
[ 43.450545] ? lock_downgrade+0x740/0x740
[ 43.454670] ? check_preemption_disabled+0x35/0x240
[ 43.459671] ? debug_check_no_obj_freed+0x2c0/0x674
[ 43.464673] ? lock_acquire+0x170/0x3f0
[ 43.468636] ? lock_downgrade+0x740/0x740
[ 43.472763] ? _raw_spin_unlock_irqrestore+0x66/0xe0
[ 43.477840] ? debug_check_no_obj_freed+0x2c0/0x674
[ 43.482843] ? lock_downgrade+0x740/0x740
[ 43.486973] ? debug_object_activate+0x490/0x490
[ 43.491702] ? rcu_lockdep_current_cpu_online+0xed/0x140
[ 43.497147] ? vcs_release+0x49/0x60
[ 43.500836] kfree+0xc9/0x250
[ 43.503915] vcs_release+0x49/0x60
[ 43.507428] __fput+0x25f/0x7a0
[ 43.510692] task_work_run+0x11f/0x190
[ 43.514571] exit_to_usermode_loop+0x1ad/0x200
[ 43.519128] do_syscall_64+0x4a3/0x640
[ 43.522995] entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 43.528173] RIP: 0033:0x45d5b9
[ 43.531335] RSP: 002b:00007f2ac0861c78 EFLAGS: 00000246 ORIG_RAX: 00000000000000e9
[ 43.539034] RAX: 0000000000000000 RBX: 0000000000002ac0 RCX: 000000000045d5b9
[ 43.546293] RDX: 0000000000000005 RSI: 0000000000000001 RDI: 0000000000000006
[ 43.553544] RBP: 000000000118cf88 R08: 0000000000000000 R09: 0000000000000000
[ 43.560791] R10: 0000000020000040 R11: 0000000000000246 R12: 000000000118cf4c
[ 43.568047] R13: 00007fff7c5aad2f R14: 00007f2ac08629c0 R15: 000000000118cf4c
[ 43.576421] Kernel Offset: disabled
[ 43.580048] Rebooting in 86400 seconds..
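The console log above stops at the raw KASAN output. The facts a triager pulls out of such a report by hand are the bug class, the first frame below the KASAN and allocator plumbing in each of the three stacks, the tasks involved (6846 allocated the kmalloc-128 object from vcs_poll via epoll_ctl, 6844 freed it in vcs_release, and 6845 freed it again from the same function), and what the shadow byte under the object address says about its state. The script below is an added example, not syzkaller or kernel code, that parses the report and returns those facts. It assumes the generic-KASAN shadow encoding from mm/kasan/kasan.h (one shadow byte per 8-byte granule, fb for a freed heap object, fc for a kmalloc redzone); the NOISE frame list and the task-count reading are the example's own heuristics, and SAMPLE is a trimmed copy of the report's own lines, not new data.

```python
"""Triage helper for a generic-KASAN slab report such as the one above.
Added example, not syzkaller or kernel code: NOISE and the task heuristic are
this example's own, and SAMPLE is a trimmed copy of the report's lines."""
import re

TS = re.compile(r"^\[\s*\d+\.\d+\]\s?")
FRAME = re.compile(r"^(\? )?([A-Za-z_][\w.]*\+0x[0-9a-f]+/0x[0-9a-f]+)$")
# Shadow-byte meanings from mm/kasan/kasan.h; one shadow byte covers 8 bytes.
SHADOW = {0x00: "addressable", 0xFA: "global redzone", 0xFB: "freed heap object",
          0xFC: "kmalloc redzone", 0xFE: "page redzone", 0xFF: "freed page"}
# Reporting and allocator frames that sit above the real culprit in a stack.
NOISE = ("dump_stack", "print_address_description", "kasan_", "__kasan",
         "kfree", "kmem_cache_", "__kmalloc", "panic")

def decode_shadow(b):
    if b is None:
        return "unknown"
    return f"partially addressable ({b} of 8 bytes)" if 1 <= b <= 7 else SHADOW.get(b, "other")

def parse_report(text):
    rep, sect = {"stacks": {}, "shadow": {}}, None
    for line in text.splitlines():
        l = TS.sub("", line).strip()
        if m := re.match(r"BUG: KASAN: (.+?) in (\S+)", l):
            rep["bug"], rep["where"] = m.groups()
        elif (m := re.match(r"CPU: \d+ PID: (\d+) Comm: (\S+)", l)) and "pid" not in rep:
            rep["pid"], rep["comm"] = int(m[1]), m[2]
        elif l == "Call Trace:":  # only the first trace belongs to the bug, not the panic
            sect = None if "trace" in rep["stacks"] else "trace"
            rep["stacks"].setdefault("trace", [])
        elif m := re.match(r"(Allocated|Freed) by task (\d+):", l):
            sect = m[1].lower()
            rep[sect + "_task"], rep["stacks"][sect] = int(m[2]), []
        elif m := re.match(r"The buggy address belongs to the object at ([0-9a-f]+)", l):
            rep["object"] = int(m[1], 16)
        elif m := re.match(r"which belongs to the cache (\S+) of size (\d+)", l):
            rep["cache"], rep["size"] = m[1], int(m[2])
        elif m := re.match(r">?([0-9a-f]{16}): ((?:[0-9a-f]{2} ?){16})$", l):
            rep["shadow"][int(m[1], 16)] = [int(b, 16) for b in m[2].split()]
        elif sect and (m := FRAME.match(l)):
            rep["stacks"][sect].append((m[1] is not None, m[2]))  # (is a '?' guess, frame)
    return rep

def first_real(frames):
    """First reliable frame (no '?' prefix) that is not KASAN/allocator plumbing."""
    return next((fn for guess, fn in frames if not guess and not fn.startswith(NOISE)), None)

def shadow_at(rep, addr):
    """Shadow byte covering addr, recovered from the 'Memory state' rows."""
    for base, row in rep["shadow"].items():
        if base <= addr < base + 8 * len(row):
            return row[(addr - base) // 8]
    return None

def triage(text):
    rep = parse_report(text)
    byte = shadow_at(rep, rep["object"])
    return {
        "bug": rep["bug"], "cache": rep["cache"],
        "culprit": first_real(rep["stacks"]["trace"]),
        "allocated_in": first_real(rep["stacks"]["allocated"]),
        "freed_in": first_real(rep["stacks"]["freed"]),
        # three distinct tasks touching one object points at a cross-task lifetime race
        "tasks": sorted({rep["pid"], rep["allocated_task"], rep["freed_task"]}),
        "shadow": (byte, decode_shadow(byte)),
        "object_already_free": byte == 0xFB,  # the reported kfree hit a granule marked freed
    }

# Constructed input: lines copied from the report above, most '?' and syscall-entry frames dropped.
SAMPLE = """\
[ 43.005923] BUG: KASAN: double-free or invalid-free in (null)
[ 43.014307] CPU: 0 PID: 6845 Comm: syz-executor.0 Not tainted 4.14.195-syzkaller #0
[ 43.031402] Call Trace:
[ 43.034007] dump_stack+0x1b2/0x283
[ 43.051827] kasan_report_double_free+0x51/0x80
[ 43.056487] kasan_slab_free+0x16f/0x1a0
[ 43.111091] ? vcs_release+0x49/0x60
[ 43.114785] kfree+0xc9/0x250
[ 43.117883] vcs_release+0x49/0x60
[ 43.121400] __fput+0x25f/0x7a0
[ 43.190868] Allocated by task 6846:
[ 43.194487] kasan_kmalloc+0xeb/0x160
[ 43.198260] kmem_cache_alloc_trace+0x131/0x3d0
[ 43.202909] vcs_poll_data_get.part.0+0x43/0x220
[ 43.207644] vcs_poll+0xed/0x120
[ 43.210990] SyS_epoll_ctl+0xa91/0x2950
[ 43.225608] Freed by task 6844:
[ 43.228874] kasan_slab_free+0xc3/0x1a0
[ 43.232844] kfree+0xc9/0x250
[ 43.235923] vcs_release+0x49/0x60
[ 43.261794] The buggy address belongs to the object at ffff888094a23240
[ 43.261794] which belongs to the cache kmalloc-128 of size 128
[ 43.338824] ffff888094a23180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 43.346175] >ffff888094a23200: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
"""

if __name__ == "__main__":
    print(triage(SAMPLE))
```

On the sample this yields culprit vcs_release+0x49/0x60, allocation in vcs_poll_data_get.part.0 reached through SyS_epoll_ctl, tasks [6844, 6845, 6846], and a shadow byte of fb at ffff888094a23240: the granule was already marked freed when the reported kfree arrived, which is what KASAN's quarantine check is flagging. Frames prefixed with '?' are stack-scan guesses and are excluded, so the "? vcs_release" line above kfree is not counted as a second hit. The caret line in the report cannot be relied on after extraction has collapsed its whitespace; computing the byte index from the object address and the row base is the robust way to read it.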