[ OK ] Reached target Login Prompts.
[ OK ] Reached target Multi-User System.
[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
[ OK ] Started Update UTMP about System Runlevel Changes.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.10.26' (ECDSA) to the list of known hosts.
2020/08/06 20:46:13 parsed 1 programs
2020/08/06 20:46:13 executed programs: 0
syzkaller login: [ 1041.669295][ T6869] IPVS: ftp: loaded support on port[0] = 21
[ 1041.771659][ T6869] chnl_net:caif_netlink_parms(): no params data found
[ 1041.824660][ T6869] bridge0: port 1(bridge_slave_0) entered blocking state
[ 1041.833344][ T6869] bridge0: port 1(bridge_slave_0) entered disabled state
[ 1041.842503][ T6869] device bridge_slave_0 entered promiscuous mode
[ 1041.851546][ T6869] bridge0: port 2(bridge_slave_1) entered blocking state
[ 1041.859764][ T6869] bridge0: port 2(bridge_slave_1) entered disabled state
[ 1041.867981][ T6869] device bridge_slave_1 entered promiscuous mode
[ 1041.888425][ T6869] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 1041.899380][ T6869] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 1041.921730][ T6869] team0: Port device team_slave_0 added
[ 1041.929325][ T6869] team0: Port device team_slave_1 added
[ 1041.946962][ T6869] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 1041.954022][ T6869] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 1041.981614][ T6869] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[ 1041.994350][ T6869] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 1042.002077][ T6869] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 1042.029017][ T6869] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[ 1042.089323][ T6869] device hsr_slave_0 entered promiscuous mode
[ 1042.145916][ T6869] device hsr_slave_1 entered promiscuous mode
[ 1042.284210][ T6869] netdevsim netdevsim0 netdevsim0: renamed from eth0
[ 1042.368428][ T6869] netdevsim netdevsim0 netdevsim1: renamed from eth1
[ 1042.437899][ T6869] netdevsim netdevsim0 netdevsim2: renamed from eth2
[ 1042.488413][ T6869] netdevsim netdevsim0 netdevsim3: renamed from eth3
[ 1042.561594][ T6869] bridge0: port 2(bridge_slave_1) entered blocking state
[ 1042.568931][ T6869] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 1042.576872][ T6869] bridge0: port 1(bridge_slave_0) entered blocking state
[ 1042.584016][ T6869] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 1042.628834][ T6869] 8021q: adding VLAN 0 to HW filter on device bond0
[ 1042.641547][ T7000] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 1042.653358][ T7000] bridge0: port 1(bridge_slave_0) entered disabled state
[ 1042.661850][ T7000] bridge0: port 2(bridge_slave_1) entered disabled state
[ 1042.670601][ T7000] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 1042.683796][ T6869] 8021q: adding VLAN 0 to HW filter on device team0
[ 1042.694789][ T6839] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 1042.704241][ T6839] bridge0: port 1(bridge_slave_0) entered blocking state
[ 1042.711351][ T6839] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 1042.726608][ T7000] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 1042.734902][ T7000] bridge0: port 2(bridge_slave_1) entered blocking state
[ 1042.742005][ T7000] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 1042.765537][ T6839] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_bond: link becomes ready
[ 1042.774072][ T6839] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_team: link becomes ready
[ 1042.783844][ T6839] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 1042.792472][ T6839] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_team: link becomes ready
[ 1042.801330][ T6839] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 1042.810530][ T6839] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_hsr: link becomes ready
[ 1042.819020][ T6839] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 1042.827305][ T6839] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_hsr: link becomes ready
[ 1042.835731][ T6839] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 1042.844682][ T6839] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 1042.854091][ T6869] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 1042.872227][ T7000] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 1042.880869][ T7000] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 1042.893290][ T6869] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 1042.911822][ T7000] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_virt_wifi: link becomes ready
[ 1042.920716][ T7000] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 1042.940741][ T6839] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_vlan: link becomes ready
[ 1042.950005][ T6839] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 1042.958674][ T6839] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 1042.966577][ T6839] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 1042.977415][ T6869] device veth0_vlan entered promiscuous mode
[ 1042.989486][ T6869] device veth1_vlan entered promiscuous mode
[ 1043.009998][ T6839] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan0: link becomes ready
[ 1043.018523][ T6839] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan1: link becomes ready
[ 1043.027364][ T6839] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_macvtap: link becomes ready
[ 1043.037652][ T6839] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 1043.049760][ T6869] device veth0_macvtap entered promiscuous mode
[ 1043.060186][ T6869] device veth1_macvtap entered promiscuous mode
[ 1043.078449][ T6869] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 1043.086288][ T7000] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready
[ 1043.094307][ T7000] IPv6: ADDRCONF(NETDEV_CHANGE): macsec0: link becomes ready
[ 1043.103124][ T7000] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready
[ 1043.112664][ T7000] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 1043.124699][ T6869] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 1043.133051][ T6839] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready
[ 1043.141818][ T6839] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 1043.152611][ T6869] netdevsim netdevsim0 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0
[ 1043.162042][ T6869] netdevsim netdevsim0 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0
[ 1043.171269][ T6869] netdevsim netdevsim0 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0
[ 1043.180340][ T6869] netdevsim netdevsim0 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0
[ 1046.485850][ T17] Bluetooth: hci0: command 0x0409 tx timeout
2020/08/06 20:46:18 executed programs: 62
[ 1048.564687][ T7000] Bluetooth: hci0: command 0x041b tx timeout
[ 1050.644395][ T7000] Bluetooth: hci0: command 0x040f tx timeout
2020/08/06 20:46:23 executed programs: 222
[ 1052.724301][ T17] Bluetooth: hci0: command 0x0419 tx timeout
2020/08/06 20:46:28 executed programs: 390
2020/08/06 20:46:33 executed programs: 538
2020/08/06 20:46:38 executed programs: 703
[ 1067.924553][ T6869] ==================================================================
[ 1067.932995][ T6869] BUG: KASAN: use-after-free in hci_chan_del+0x14f/0x190
[ 1067.939996][ T6869] Read of size 8 at addr ffff8880a5ff6c18 by task syz-executor.0/6869
[ 1067.948115][ T6869]
[ 1067.950424][ T6869] CPU: 0 PID: 6869 Comm: syz-executor.0 Not tainted 5.8.0-rc7-next-20200731-syzkaller #0
[ 1067.960198][ T6869] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 1067.970313][ T6869] Call Trace:
[ 1067.973659][ T6869]  dump_stack+0x18f/0x20d
[ 1067.977971][ T6869]  ? hci_chan_del+0x14f/0x190
[ 1067.982637][ T6869]  ? hci_chan_del+0x14f/0x190
[ 1067.987391][ T6869]  print_address_description.constprop.0.cold+0xae/0x497
[ 1067.994442][ T6869]  ? mutex_lock_io_nested+0xf60/0xf60
[ 1067.999819][ T6869]  ? lockdep_hardirqs_off+0x7e/0xb0
[ 1068.005017][ T6869]  ? vprintk_func+0x97/0x1a6
[ 1068.009586][ T6869]  ? hci_chan_del+0x14f/0x190
[ 1068.014447][ T6869]  ? hci_chan_del+0x14f/0x190
[ 1068.019111][ T6869]  kasan_report.cold+0x1f/0x37
[ 1068.023858][ T6869]  ? hci_chan_del+0x14f/0x190
[ 1068.028521][ T6869]  hci_chan_del+0x14f/0x190
[ 1068.033089][ T6869]  l2cap_conn_del+0x61b/0x9e0
[ 1068.037756][ T6869]  ? l2cap_conn_del+0x9e0/0x9e0
[ 1068.042607][ T6869]  l2cap_disconn_cfm+0x85/0xa0
[ 1068.047687][ T6869]  hci_conn_hash_flush+0x114/0x220
[ 1068.052822][ T6869]  hci_dev_do_close+0x5c6/0x1080
[ 1068.057739][ T6869]  ? hci_dev_open+0x350/0x350
[ 1068.062457][ T6869]  ? do_raw_read_unlock+0x70/0x70
[ 1068.067546][ T6869]  ? try_to_grab_pending.part.0+0x7d0/0x7d0
[ 1068.073427][ T6869]  hci_unregister_dev+0x1bd/0xe30
[ 1068.078473][ T6869]  ? fcntl_setlk+0xf60/0xf60
[ 1068.083055][ T6869]  ? lock_is_held_type+0xbb/0xf0
[ 1068.088061][ T6869]  vhci_release+0x70/0xe0
[ 1068.092401][ T6869]  __fput+0x285/0x920
[ 1068.096371][ T6869]  ? vhci_close_dev+0x50/0x50
[ 1068.101027][ T6869]  task_work_run+0xdd/0x190
[ 1068.105544][ T6869]  do_exit+0xb7d/0x29f0
[ 1068.109679][ T6869]  ? mm_update_next_owner+0x7a0/0x7a0
[ 1068.115060][ T6869]  ? vfs_write+0x62b/0x730
[ 1068.119452][ T6869]  ? vfs_write+0x1b0/0x730
[ 1068.123849][ T6869]  ? lock_is_held_type+0xbb/0xf0
[ 1068.128764][ T6869]  do_group_exit+0x125/0x310
[ 1068.133332][ T6869]  __x64_sys_exit_group+0x3a/0x50
[ 1068.138333][ T6869]  do_syscall_64+0x2d/0x70
[ 1068.142738][ T6869]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 1068.148617][ T6869] RIP: 0033:0x45ccd9
[ 1068.152483][ T6869] Code: Bad RIP value.
[ 1068.156524][ T6869] RSP: 002b:00007fff1883ac88 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 1068.164966][ T6869] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000045ccd9
[ 1068.172925][ T6869] RDX: 0000000000416731 RSI: 0000000000ca85f0 RDI: 0000000000000043
[ 1068.180887][ T6869] RBP: 00000000004c2963 R08: 000000000000000b R09: 0000000000000000
[ 1068.188838][ T6869] R10: 0000000001d3e940 R11: 0000000000000246 R12: 0000000000000003
[ 1068.196786][ T6869] R13: 00007fff1883add0 R14: 0000000000104bd1 R15: 00007fff1883ade0
[ 1068.204741][ T6869]
[ 1068.207094][ T6869] Allocated by task 3907:
[ 1068.211405][ T6869]  kasan_save_stack+0x1b/0x40
[ 1068.216114][ T6869]  __kasan_kmalloc.constprop.0+0xbf/0xd0
[ 1068.221721][ T6869]  kmem_cache_alloc_trace+0x16e/0x2c0
[ 1068.227107][ T6869]  kernfs_fop_open+0x957/0xd40
[ 1068.231845][ T6869]  do_dentry_open+0x4b9/0x11b0
[ 1068.236621][ T6869]  path_openat+0x1b9a/0x2730
[ 1068.241186][ T6869]  do_filp_open+0x17e/0x3c0
[ 1068.245665][ T6869]  do_sys_openat2+0x16d/0x420
[ 1068.250364][ T6869]  __x64_sys_open+0x119/0x1c0
[ 1068.255019][ T6869]  do_syscall_64+0x2d/0x70
[ 1068.259446][ T6869]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 1068.265309][ T6869]
[ 1068.267614][ T6869] Freed by task 3907:
[ 1068.271572][ T6869]  kasan_save_stack+0x1b/0x40
[ 1068.276223][ T6869]  kasan_set_track+0x1c/0x30
[ 1068.280789][ T6869]  kasan_set_free_info+0x1b/0x30
[ 1068.285703][ T6869]  __kasan_slab_free+0xd8/0x120
[ 1068.290530][ T6869]  kfree+0x103/0x2c0
[ 1068.294418][ T6869]  kernfs_fop_release+0xe3/0x190
[ 1068.299329][ T6869]  __fput+0x285/0x920
[ 1068.303300][ T6869]  task_work_run+0xdd/0x190
[ 1068.307828][ T6869]  exit_to_user_mode_prepare+0x195/0x1c0
[ 1068.313439][ T6869]  syscall_exit_to_user_mode+0x59/0x2b0
[ 1068.318975][ T6869]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 1068.324837][ T6869]
[ 1068.327143][ T6869] The buggy address belongs to the object at ffff8880a5ff6c00
[ 1068.327143][ T6869]  which belongs to the cache kmalloc-128 of size 128
[ 1068.341173][ T6869] The buggy address is located 24 bytes inside of
[ 1068.341173][ T6869]  128-byte region [ffff8880a5ff6c00, ffff8880a5ff6c80)
[ 1068.354328][ T6869] The buggy address belongs to the page:
[ 1068.359955][ T6869] page:00000000bd0fe72b refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff8880a5ff6e00 pfn:0xa5ff6
[ 1068.371378][ T6869] flags: 0xfffe0000000200(slab)
[ 1068.376209][ T6869] raw: 00fffe0000000200 ffffea0002798e88 ffffea0002520fc8 ffff8880aa000400
[ 1068.384773][ T6869] raw: ffff8880a5ff6e00 ffff8880a5ff6000 000000010000000d 0000000000000000
[ 1068.393337][ T6869] page dumped because: kasan: bad access detected
[ 1068.399719][ T6869]
[ 1068.402021][ T6869] Memory state around the buggy address:
[ 1068.407627][ T6869]  ffff8880a5ff6b00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1068.415665][ T6869]  ffff8880a5ff6b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 1068.423701][ T6869] >ffff8880a5ff6c00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1068.431732][ T6869]                             ^
[ 1068.436557][ T6869]  ffff8880a5ff6c80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 1068.444594][ T6869]  ffff8880a5ff6d00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1068.452640][ T6869] ==================================================================
[ 1068.460682][ T6869] Disabling lock debugging due to kernel taint
[ 1068.469343][ T6869] Kernel panic - not syncing: panic_on_warn set ...
[ 1068.475952][ T6869] CPU: 1 PID: 6869 Comm: syz-executor.0 Tainted: G B 5.8.0-rc7-next-20200731-syzkaller #0
[ 1068.487134][ T6869] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 1068.497178][ T6869] Call Trace:
[ 1068.500450][ T6869]  dump_stack+0x18f/0x20d
[ 1068.504765][ T6869]  ? hci_chan_del+0x140/0x190
[ 1068.509476][ T6869]  panic+0x2e3/0x75c
[ 1068.513346][ T6869]  ? __warn_printk+0xf3/0xf3
[ 1068.517911][ T6869]  ? preempt_schedule_common+0x59/0xc0
[ 1068.523344][ T6869]  ? hci_chan_del+0x14f/0x190
[ 1068.528061][ T6869]  ? preempt_schedule_thunk+0x16/0x18
[ 1068.533500][ T6869]  ? trace_hardirqs_on+0x55/0x220
[ 1068.538513][ T6869]  ? hci_chan_del+0x14f/0x190
[ 1068.543195][ T6869]  ? hci_chan_del+0x14f/0x190
[ 1068.547880][ T6869]  end_report+0x4d/0x53
[ 1068.552009][ T6869]  kasan_report.cold+0xd/0x37
[ 1068.556659][ T6869]  ? hci_chan_del+0x14f/0x190
[ 1068.561307][ T6869]  hci_chan_del+0x14f/0x190
[ 1068.565788][ T6869]  l2cap_conn_del+0x61b/0x9e0
[ 1068.570440][ T6869]  ? l2cap_conn_del+0x9e0/0x9e0
[ 1068.575262][ T6869]  l2cap_disconn_cfm+0x85/0xa0
[ 1068.579997][ T6869]  hci_conn_hash_flush+0x114/0x220
[ 1068.585083][ T6869]  hci_dev_do_close+0x5c6/0x1080
[ 1068.589991][ T6869]  ? hci_dev_open+0x350/0x350
[ 1068.594638][ T6869]  ? do_raw_read_unlock+0x70/0x70
[ 1068.599634][ T6869]  ? try_to_grab_pending.part.0+0x7d0/0x7d0
[ 1068.605537][ T6869]  hci_unregister_dev+0x1bd/0xe30
[ 1068.610536][ T6869]  ? fcntl_setlk+0xf60/0xf60
[ 1068.615140][ T6869]  ? lock_is_held_type+0xbb/0xf0
[ 1068.620056][ T6869]  vhci_release+0x70/0xe0
[ 1068.624359][ T6869]  __fput+0x285/0x920
[ 1068.628315][ T6869]  ? vhci_close_dev+0x50/0x50
[ 1068.632968][ T6869]  task_work_run+0xdd/0x190
[ 1068.637446][ T6869]  do_exit+0xb7d/0x29f0
[ 1068.641574][ T6869]  ? mm_update_next_owner+0x7a0/0x7a0
[ 1068.646919][ T6869]  ? vfs_write+0x62b/0x730
[ 1068.651308][ T6869]  ? vfs_write+0x1b0/0x730
[ 1068.655700][ T6869]  ? lock_is_held_type+0xbb/0xf0
[ 1068.660611][ T6869]  do_group_exit+0x125/0x310
[ 1068.665175][ T6869]  __x64_sys_exit_group+0x3a/0x50
[ 1068.670171][ T6869]  do_syscall_64+0x2d/0x70
[ 1068.674561][ T6869]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 1068.680421][ T6869] RIP: 0033:0x45ccd9
[ 1068.684283][ T6869] Code: Bad RIP value.
[ 1068.688336][ T6869] RSP: 002b:00007fff1883ac88 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 1068.696722][ T6869] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000045ccd9
[ 1068.704680][ T6869] RDX: 0000000000416731 RSI: 0000000000ca85f0 RDI: 0000000000000043
[ 1068.712627][ T6869] RBP: 00000000004c2963 R08: 000000000000000b R09: 0000000000000000
[ 1068.720571][ T6869] R10: 0000000001d3e940 R11: 0000000000000246 R12: 0000000000000003
[ 1068.728516][ T6869] R13: 00007fff1883add0 R14: 0000000000104bd1 R15: 00007fff1883ade0
[ 1068.737835][ T6869] Kernel Offset: disabled
[ 1068.742150][ T6869] Rebooting in 86400 seconds..