[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
Starting Load/Save RF Kill Switch Status...
[ OK ] Started Update UTMP about System Runlevel Changes.
[ OK ] Started Load/Save RF Kill Switch Status.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.10.48' (ECDSA) to the list of known hosts.
syzkaller login: [ 50.695630] audit: type=1400 audit(1596732246.844:8): avc: denied { execmem } for pid=6462 comm="syz-executor227" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=1
[ 50.721583] IPVS: ftp: loaded support on port[0] = 21
[ 50.795312] chnl_net:caif_netlink_parms(): no params data found
[ 50.857520] bridge0: port 1(bridge_slave_0) entered blocking state
[ 50.864594] bridge0: port 1(bridge_slave_0) entered disabled state
[ 50.872325] device bridge_slave_0 entered promiscuous mode
[ 50.879468] bridge0: port 2(bridge_slave_1) entered blocking state
[ 50.886178] bridge0: port 2(bridge_slave_1) entered disabled state
[ 50.893557] device bridge_slave_1 entered promiscuous mode
[ 50.910480] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 50.919364] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 50.936817] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 50.944217] team0: Port device team_slave_0 added
[ 50.949648] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 50.957295] team0: Port device team_slave_1 added
[ 50.972947] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 50.979205] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 51.004478] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[ 51.016092] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 51.022454] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 51.047931] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[ 51.058844] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[ 51.066544] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[ 51.123656] device hsr_slave_0 entered promiscuous mode
[ 51.171252] device hsr_slave_1 entered promiscuous mode
[ 51.211651] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready
[ 51.218675] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_1: link is not ready
[ 51.282876] bridge0: port 2(bridge_slave_1) entered blocking state
[ 51.289321] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 51.296213] bridge0: port 1(bridge_slave_0) entered blocking state
[ 51.302687] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 51.335034] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[ 51.342089] 8021q: adding VLAN 0 to HW filter on device bond0
[ 51.350198] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 51.359740] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 51.368677] bridge0: port 1(bridge_slave_0) entered disabled state
[ 51.386175] bridge0: port 2(bridge_slave_1) entered disabled state
[ 51.393911] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 51.405367] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready
[ 51.411651] 8021q: adding VLAN 0 to HW filter on device team0
[ 51.420457] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 51.428516] bridge0: port 1(bridge_slave_0) entered blocking state
[ 51.434910] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 51.451600] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 51.459239] bridge0: port 2(bridge_slave_1) entered blocking state
[ 51.465642] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 51.474235] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 51.482607] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 51.492730] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 51.505720] hsr0: Slave A (hsr_slave_0) is not up; please bring it up to get a fully working HSR network
[ 51.515725] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
[ 51.527135] IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready
[ 51.534224] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 51.542317] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 51.549709] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 51.563027] IPv6: ADDRCONF(NETDEV_UP): vxcan0: link is not ready
[ 51.570194] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 51.578205] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 51.588611] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 51.602058] IPv6: ADDRCONF(NETDEV_UP): veth0_virt_wifi: link is not ready
[ 51.611924] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 51.647039] IPv6: ADDRCONF(NETDEV_UP): veth0_vlan: link is not ready
[ 51.654854] IPv6: ADDRCONF(NETDEV_UP): vlan0: link is not ready
[ 51.662336] IPv6: ADDRCONF(NETDEV_UP): vlan1: link is not ready
[ 51.671090] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 51.678576] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 51.686089] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 51.694955] device veth0_vlan entered promiscuous mode
[ 51.704981] device veth1_vlan entered promiscuous mode
[ 51.711535] IPv6: ADDRCONF(NETDEV_UP): macvlan0: link is not ready
[ 51.719829] IPv6: ADDRCONF(NETDEV_UP): macvlan1: link is not ready
[ 51.732686] IPv6: ADDRCONF(NETDEV_UP): veth0_macvtap: link is not ready
[ 51.744617] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan0: link becomes ready
[ 51.752277] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan1: link becomes ready
[ 51.759463] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 51.769621] device veth0_macvtap entered promiscuous mode
[ 51.775926] IPv6: ADDRCONF(NETDEV_UP): macvtap0: link is not ready
[ 51.784993] device veth1_macvtap entered promiscuous mode
[ 51.792439] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready
[ 51.802517] IPv6: ADDRCONF(NETDEV_UP): veth0_to_batadv: link is not ready
[ 51.811781] IPv6: ADDRCONF(NETDEV_UP): veth1_to_batadv: link is not ready
[ 51.822205] IPv6: ADDRCONF(NETDEV_UP): batadv_slave_0: link is not ready
[ 51.829291] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 51.836391] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready
[ 51.844264] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 51.854775] IPv6: ADDRCONF(NETDEV_UP): batadv_slave_1: link is not ready
[ 51.862232] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 51.868772] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready
[ 51.877309] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
executing program
[ 55.100310] Bluetooth: hci0: command 0x0409 tx timeout
[ 57.178931] Bluetooth: hci0: command 0x041b tx timeout
executing program
[ 59.258241] Bluetooth: hci0: command 0x040f tx timeout
[ 61.337791] Bluetooth: hci0: command 0x0419 tx timeout
executing program
[ 63.427373] Bluetooth: hci0: command 0x0405 tx timeout
[ 68.130728] ==================================================================
[ 68.138219] BUG: KASAN: use-after-free in sco_chan_del+0xe6/0x420
[ 68.144433] Write of size 4 at addr ffff8880a0656850 by task syz-executor227/6696
[ 68.152029]
[ 68.153643] CPU: 1 PID: 6696 Comm: syz-executor227 Not tainted 4.19.137-syzkaller #0
[ 68.161501] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 68.170834] Call Trace:
[ 68.173470]  dump_stack+0x1fc/0x2fe
[ 68.177096]  print_address_description.cold+0x54/0x219
[ 68.182364]  kasan_report_error.cold+0x8a/0x1c7
[ 68.187016]  ? sco_chan_del+0xe6/0x420
[ 68.190883]  kasan_report+0x8f/0x96
[ 68.194581]  ? sco_chan_del+0xe6/0x420
[ 68.198453]  sco_chan_del+0xe6/0x420
[ 68.202163]  __sco_sock_close+0xc3/0x720
[ 68.206261]  sco_sock_release+0x6b/0x3d0
[ 68.210354]  __sock_release+0xcd/0x2a0
[ 68.214268]  ? __sock_release+0x2a0/0x2a0
[ 68.218394]  sock_close+0x15/0x20
[ 68.221874]  __fput+0x2ce/0x890
[ 68.225179]  task_work_run+0x148/0x1c0
[ 68.229097]  do_exit+0xbb2/0x2b70
[ 68.232534]  ? bt_sock_wait_state+0x418/0x540
[ 68.237026]  ? mm_update_next_owner+0x650/0x650
[ 68.241711]  ? get_signal+0x388/0x1f70
[ 68.245596]  ? lock_downgrade+0x720/0x720
[ 68.249722]  ? lock_acquire+0x170/0x3c0
[ 68.253693]  do_group_exit+0x125/0x310
[ 68.257564]  get_signal+0x3f2/0x1f70
[ 68.261266]  do_signal+0x8f/0x1670
[ 68.264810]  ? lockdep_hardirqs_on+0x3a8/0x5c0
[ 68.269473]  ? sco_sock_connect+0x540/0x970
[ 68.273774]  ? __local_bh_enable_ip+0x159/0x270
[ 68.278531]  ? setup_sigcontext+0x820/0x820
[ 68.282836]  ? sco_sock_create+0x100/0x100
[ 68.287054]  ? __ia32_sys_accept+0xb0/0xb0
[ 68.291272]  ? vfs_write+0x393/0x540
[ 68.295098]  ? ksys_write+0x1c8/0x2a0
[ 68.298882]  ? exit_to_usermode_loop+0x36/0x2a0
[ 68.303534]  exit_to_usermode_loop+0x204/0x2a0
[ 68.308131]  do_syscall_64+0x538/0x620
[ 68.312001]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 68.317345] RIP: 0033:0x44aa59
[ 68.320527] Code: Bad RIP value.
[ 68.323870] RSP: 002b:00007fffe2513ff8 EFLAGS: 00000246 ORIG_RAX: 000000000000002a
[ 68.331572] RAX: fffffffffffffffc RBX: 0000000000000003 RCX: 000000000044aa59
[ 68.338833] RDX: 0000000000000008 RSI: 0000000020000080 RDI: 0000000000000004
[ 68.346105] RBP: 0000000000000000 R08: 0000000000000002 R09: 0000006e0000005b
[ 68.353370] R10: 0000000000000004 R11: 0000000000000246 R12: 0000000000000002
[ 68.360638] R13: 0000000000000003 R14: 0000000000000000 R15: 0000000000000000
[ 68.367985]
[ 68.369593] Allocated by task 6695:
[ 68.373219]  kmem_cache_alloc_trace+0x12f/0x380
[ 68.377867]  hci_conn_add+0x53/0x11e0
[ 68.381664]  hci_connect_sco+0x2fc/0x950
[ 68.385725]  sco_sock_connect+0x2ff/0x970
[ 68.389852]  __sys_connect+0x265/0x2c0
[ 68.393718]  __x64_sys_connect+0x6f/0xb0
[ 68.397760]  do_syscall_64+0xf9/0x620
[ 68.401542]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 68.406703]
[ 68.408320] Freed by task 6686:
[ 68.411578]  kfree+0xcc/0x210
[ 68.414663]  device_release+0x76/0x210
[ 68.418534]  kobject_put+0x22d/0x350
[ 68.422245]  put_device+0x1c/0x30
[ 68.425675]  hci_conn_del+0x27e/0x6a0
[ 68.429476]  hci_phy_link_complete_evt.isra.0+0x5a4/0x7a0
[ 68.434990]  hci_event_packet+0x1973/0x858f
[ 68.439291]  hci_rx_work+0x46b/0xa90
[ 68.442985]  process_one_work+0x864/0x1570
[ 68.447197]  worker_thread+0x64c/0x1130
[ 68.451149]  kthread+0x30b/0x410
[ 68.454493]  ret_from_fork+0x24/0x30
[ 68.458179]
[ 68.459785] The buggy address belongs to the object at ffff8880a0656840
[ 68.459785]  which belongs to the cache kmalloc-4096 of size 4096
[ 68.472613] The buggy address is located 16 bytes inside of
[ 68.472613]  4096-byte region [ffff8880a0656840, ffff8880a0657840)
[ 68.484461] The buggy address belongs to the page:
[ 68.489369] page:ffffea0002819580 count:1 mapcount:0 mapping:ffff88812c39cdc0 index:0x0 compound_mapcount: 0
[ 68.499334] flags: 0xfffe0000008100(slab|head)
[ 68.503911] raw: 00fffe0000008100 ffffea0002801a08 ffffea000221a908 ffff88812c39cdc0
[ 68.511773] raw: 0000000000000000 ffff8880a0656840 0000000100000001 0000000000000000
[ 68.519630] page dumped because: kasan: bad access detected
[ 68.525313]
[ 68.526919] Memory state around the buggy address:
[ 68.531842]  ffff8880a0656700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 68.539180]  ffff8880a0656780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 68.546528] >ffff8880a0656800: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 68.553870]                                                  ^
[ 68.559819]  ffff8880a0656880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 68.567155]  ffff8880a0656900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 68.574504] ==================================================================
[ 68.581847] Disabling lock debugging due to kernel taint
[ 68.596897] Kernel panic - not syncing: panic_on_warn set ...
[ 68.596897]
[ 68.604304] CPU: 0 PID: 6696 Comm: syz-executor227 Tainted: G    B             4.19.137-syzkaller #0
[ 68.613564] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 68.622894] Call Trace:
[ 68.625523]  dump_stack+0x1fc/0x2fe
[ 68.629129]  panic+0x26a/0x50e
[ 68.632298]  ? __warn_printk+0xf3/0xf3
[ 68.636164]  ? preempt_schedule_common+0x45/0xc0
[ 68.640899]  ? ___preempt_schedule+0x16/0x18
[ 68.645285]  ? trace_hardirqs_on+0x55/0x210
[ 68.649637]  kasan_end_report+0x43/0x49
[ 68.653630]  kasan_report_error.cold+0xa7/0x1c7
[ 68.658305]  ? sco_chan_del+0xe6/0x420
[ 68.662208]  kasan_report+0x8f/0x96
[ 68.665830]  ? sco_chan_del+0xe6/0x420
[ 68.669722]  sco_chan_del+0xe6/0x420
[ 68.673419]  __sco_sock_close+0xc3/0x720
[ 68.677482]  sco_sock_release+0x6b/0x3d0
[ 68.681521]  __sock_release+0xcd/0x2a0
[ 68.685385]  ? __sock_release+0x2a0/0x2a0
[ 68.689511]  sock_close+0x15/0x20
[ 68.692939]  __fput+0x2ce/0x890
[ 68.696220]  task_work_run+0x148/0x1c0
[ 68.700087]  do_exit+0xbb2/0x2b70
[ 68.703518]  ? bt_sock_wait_state+0x418/0x540
[ 68.707993]  ? mm_update_next_owner+0x650/0x650
[ 68.712658]  ? get_signal+0x388/0x1f70
[ 68.716545]  ? lock_downgrade+0x720/0x720
[ 68.720668]  ? lock_acquire+0x170/0x3c0
[ 68.724735]  do_group_exit+0x125/0x310
[ 68.728618]  get_signal+0x3f2/0x1f70
[ 68.732314]  do_signal+0x8f/0x1670
[ 68.735831]  ? lockdep_hardirqs_on+0x3a8/0x5c0
[ 68.740389]  ? sco_sock_connect+0x540/0x970
[ 68.744684]  ? __local_bh_enable_ip+0x159/0x270
[ 68.749331]  ? setup_sigcontext+0x820/0x820
[ 68.753647]  ? sco_sock_create+0x100/0x100
[ 68.757862]  ? __ia32_sys_accept+0xb0/0xb0
[ 68.762078]  ? vfs_write+0x393/0x540
[ 68.765769]  ? ksys_write+0x1c8/0x2a0
[ 68.769548]  ? exit_to_usermode_loop+0x36/0x2a0
[ 68.774201]  exit_to_usermode_loop+0x204/0x2a0
[ 68.778781]  do_syscall_64+0x538/0x620
[ 68.782669]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 68.787837] RIP: 0033:0x44aa59
[ 68.791033] Code: Bad RIP value.
[ 68.794374] RSP: 002b:00007fffe2513ff8 EFLAGS: 00000246 ORIG_RAX: 000000000000002a
[ 68.802061] RAX: fffffffffffffffc RBX: 0000000000000003 RCX: 000000000044aa59
[ 68.809307] RDX: 0000000000000008 RSI: 0000000020000080 RDI: 0000000000000004
[ 68.816555] RBP: 0000000000000000 R08: 0000000000000002 R09: 0000006e0000005b
[ 68.823808] R10: 0000000000000004 R11: 0000000000000246 R12: 0000000000000002
[ 68.831064] R13: 0000000000000003 R14: 0000000000000000 R15: 0000000000000000
[ 68.839619] Kernel Offset: disabled
[ 68.843235] Rebooting in 86400 seconds..