Warning: Permanently added '10.128.1.56' (ECDSA) to the list of known hosts.
[ 38.512792] audit: type=1400 audit(1596655899.513:8): avc: denied { execmem } for pid=6352 comm="syz-executor187" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=1
[ 38.746627] IPVS: ftp: loaded support on port[0] = 21
[ 39.600457] chnl_net:caif_netlink_parms(): no params data found
[ 39.651803] bridge0: port 1(bridge_slave_0) entered blocking state
[ 39.659391] bridge0: port 1(bridge_slave_0) entered disabled state
[ 39.668077] device bridge_slave_0 entered promiscuous mode
[ 39.676664] bridge0: port 2(bridge_slave_1) entered blocking state
[ 39.683481] bridge0: port 2(bridge_slave_1) entered disabled state
[ 39.691450] device bridge_slave_1 entered promiscuous mode
[ 39.708172] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 39.717619] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 39.736379] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 39.744647] team0: Port device team_slave_0 added
[ 39.750965] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 39.760691] team0: Port device team_slave_1 added
[ 39.775353] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 39.783301] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 39.811218] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[ 39.823888] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 39.830928] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 39.857580] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[ 39.868823] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[ 39.876628] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[ 39.937081] device hsr_slave_0 entered promiscuous mode
[ 39.974908] device hsr_slave_1 entered promiscuous mode
[ 40.035160] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready
[ 40.042394] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_1: link is not ready
[ 40.102499] bridge0: port 2(bridge_slave_1) entered blocking state
[ 40.110002] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 40.117449] bridge0: port 1(bridge_slave_0) entered blocking state
[ 40.124527] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 40.153801] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[ 40.160861] 8021q: adding VLAN 0 to HW filter on device bond0
[ 40.169853] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 40.178939] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 40.197903] bridge0: port 1(bridge_slave_0) entered disabled state
[ 40.205771] bridge0: port 2(bridge_slave_1) entered disabled state
[ 40.215465] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready
[ 40.223152] 8021q: adding VLAN 0 to HW filter on device team0
[ 40.232131] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 40.240268] bridge0: port 1(bridge_slave_0) entered blocking state
[ 40.246972] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 40.257059] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 40.265756] bridge0: port 2(bridge_slave_1) entered blocking state
[ 40.272703] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 40.287511] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 40.296172] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 40.307529] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 40.319962] hsr0: Slave A (hsr_slave_0) is not up; please bring it up to get a fully working HSR network
[ 40.330479] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
[ 40.341080] IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready
[ 40.347481] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 40.355719] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 40.363129] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 40.375894] IPv6: ADDRCONF(NETDEV_UP): vxcan0: link is not ready
[ 40.382961] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 40.389970] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 40.400063] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 40.448095] IPv6: ADDRCONF(NETDEV_UP): veth0_virt_wifi: link is not ready
[ 40.458432] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 40.487218] IPv6: ADDRCONF(NETDEV_UP): veth0_vlan: link is not ready
[ 40.494834] IPv6: ADDRCONF(NETDEV_UP): vlan0: link is not ready
[ 40.501259] IPv6: ADDRCONF(NETDEV_UP): vlan1: link is not ready
[ 40.510296] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 40.518461] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 40.525500] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 40.535269] device veth0_vlan entered promiscuous mode
[ 40.543477] device veth1_vlan entered promiscuous mode
[ 40.550199] IPv6: ADDRCONF(NETDEV_UP): macvlan0: link is not ready
[ 40.559581] IPv6: ADDRCONF(NETDEV_UP): macvlan1: link is not ready
[ 40.570577] IPv6: ADDRCONF(NETDEV_UP): veth0_macvtap: link is not ready
[ 40.579738] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 40.586970] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan0: link becomes ready
[ 40.594004] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan1: link becomes ready
[ 40.601321] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 40.610693] device veth0_macvtap entered promiscuous mode
[ 40.619039] device veth1_macvtap entered promiscuous mode
[ 40.627422] IPv6: ADDRCONF(NETDEV_UP): veth0_to_batadv: link is not ready
[ 40.636356] IPv6: ADDRCONF(NETDEV_UP): veth1_to_batadv: link is not ready
[ 40.646389] IPv6: ADDRCONF(NETDEV_UP): batadv_slave_0: link is not ready
[ 40.653559] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 40.660740] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready
[ 40.668738] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 40.678451] IPv6: ADDRCONF(NETDEV_UP): batadv_slave_1: link is not ready
[ 40.686406] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 40.692939] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready
[ 40.700810] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
executing program
executing program
executing program
[ 43.882423] Bluetooth: hci0 command 0x0409 tx timeout
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
[ 45.971721] Bluetooth: hci0 command 0x041b tx timeout
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
[ 48.039498] Bluetooth: hci0 command 0x040f tx timeout
executing program
executing program
executing program
executing program
executing program
executing program
[ 49.720171] NOHZ: local_softirq_pending 08
executing program
[ 50.118504] Bluetooth: hci0 command 0x0419 tx timeout
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
[ 52.207676] Bluetooth: hci0 command 0x0405 tx timeout
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
[ 55.695492] ==================================================================
[ 55.703161] BUG: KASAN: use-after-free in sco_chan_del+0x3b2/0x3d0
[ 55.709472] Read of size 1 at addr ffff8880983360b5 by task syz-executor187/6775
[ 55.716999]
[ 55.718605] CPU: 1 PID: 6775 Comm: syz-executor187 Not tainted 4.14.192-syzkaller #0
[ 55.726462] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 55.735828] Call Trace:
[ 55.738407]  dump_stack+0x1b2/0x283
[ 55.742014]  print_address_description.cold+0x54/0x1d3
[ 55.747269]  kasan_report_error.cold+0x8a/0x194
[ 55.751914]  ? sco_chan_del+0x3b2/0x3d0
[ 55.755880]  __asan_report_load1_noabort+0x68/0x70
[ 55.760788]  ? sco_chan_del+0x3b2/0x3d0
[ 55.764756]  sco_chan_del+0x3b2/0x3d0
[ 55.768536]  __sco_sock_close+0xb0/0x670
[ 55.772575]  sco_sock_release+0x6a/0x370
[ 55.776614]  __sock_release+0xcd/0x2b0
[ 55.780477]  ? __sock_release+0x2b0/0x2b0
[ 55.784599]  sock_close+0x15/0x20
[ 55.788033]  __fput+0x25f/0x7a0
[ 55.791377]  task_work_run+0x11f/0x190
[ 55.795436]  get_signal+0x18a3/0x1ca0
[ 55.799245]  ? reacquire_held_locks+0xb5/0x3f0
[ 55.803824]  ? sco_sock_connect+0x42b/0x860
[ 55.808125]  do_signal+0x7c/0x1550
[ 55.811640]  ? lock_downgrade+0x740/0x740
[ 55.815766]  ? check_preemption_disabled+0x35/0x240
[ 55.820758]  ? setup_sigcontext+0x820/0x820
[ 55.825052]  ? kick_process+0xe4/0x170
[ 55.828917]  ? task_work_add+0x87/0xe0
[ 55.832779]  ? sco_sock_create+0xf0/0xf0
[ 55.836813]  ? fput+0xaa/0x140
[ 55.839984]  ? SyS_connect+0xf6/0x240
[ 55.843773]  ? SyS_accept+0x30/0x30
[ 55.847377]  ? SyS_futex+0x1da/0x290
[ 55.851066]  ? SyS_futex+0x1e3/0x290
[ 55.854755]  ? exit_to_usermode_loop+0x41/0x200
[ 55.859401]  exit_to_usermode_loop+0x160/0x200
[ 55.863957]  do_syscall_64+0x4a3/0x640
[ 55.867845]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 55.873018] RIP: 0033:0x44a499
[ 55.876183] RSP: 002b:00007f6d6158edb8 EFLAGS: 00000246 ORIG_RAX: 000000000000002a
[ 55.883951] RAX: fffffffffffffffc RBX: 00000000006e5a08 RCX: 000000000044a499
[ 55.891196] RDX: 0000000000000008 RSI: 0000000020000000 RDI: 0000000000000004
[ 55.898439] RBP: 00000000006e5a00 R08: 0000000000000000 R09: 0000000000000000
[ 55.905682] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006e5a0c
[ 55.914229] R13: 00007ffe6e8c39ef R14: 00007f6d6158f9c0 R15: 00000000006e5a0c
[ 55.921481]
[ 55.923083] Allocated by task 6775:
[ 55.926696]  kasan_kmalloc+0xeb/0x160
[ 55.930475]  kmem_cache_alloc_trace+0x131/0x3d0
[ 55.935117]  hci_conn_add+0x53/0x12f0
[ 55.938897]  hci_connect_sco+0x265/0x7d0
[ 55.942931]  sco_sock_connect+0x26c/0x860
[ 55.947144]  SyS_connect+0x1f4/0x240
[ 55.950830]  do_syscall_64+0x1d5/0x640
[ 55.955211]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 55.960370]
[ 55.961973] Freed by task 6586:
[ 55.965240]  kasan_slab_free+0xc3/0x1a0
[ 55.969202]  kfree+0xc9/0x250
[ 55.972282]  device_release+0xf0/0x1a0
[ 55.976142]  kobject_put+0x1f3/0x2d0
[ 55.979830]  put_device+0x1c/0x30
[ 55.983256]  hci_conn_del+0x235/0x620
[ 55.987032]  hci_phy_link_complete_evt.isra.0+0x4d0/0x6c0
[ 55.992563]  hci_event_packet+0x2592/0x7c7a
[ 55.996872]  hci_rx_work+0x3e6/0x970
[ 56.000559]  process_one_work+0x793/0x14a0
[ 56.004766]  worker_thread+0x5cc/0xff0
[ 56.008627]  kthread+0x30d/0x420
[ 56.011967]  ret_from_fork+0x24/0x30
[ 56.015649]
[ 56.017253] The buggy address belongs to the object at ffff888098336080
[ 56.017253]  which belongs to the cache kmalloc-4096 of size 4096
[ 56.030077] The buggy address is located 53 bytes inside of
[ 56.030077]  4096-byte region [ffff888098336080, ffff888098337080)
[ 56.041926] The buggy address belongs to the page:
[ 56.046922] page:ffffea000260cd80 count:1 mapcount:0 mapping:ffff888098336080 index:0x0 compound_mapcount: 0
[ 56.057906] flags: 0xfffe0000008100(slab|head)
[ 56.062465] raw: 00fffe0000008100 ffff888098336080 0000000000000000 0000000100000001
[ 56.070319] raw: ffffea00024db920 ffffea00024de620 ffff88812fe52dc0 0000000000000000
[ 56.078171] page dumped because: kasan: bad access detected
[ 56.083853]
[ 56.085453] Memory state around the buggy address:
[ 56.090625]  ffff888098335f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 56.098052]  ffff888098336000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 56.105389] >ffff888098336080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 56.112739]                                      ^
[ 56.117678]  ffff888098336100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 56.125012]  ffff888098336180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 56.132358] ==================================================================
[ 56.139689] Disabling lock debugging due to kernel taint
[ 56.146247] Kernel panic - not syncing: panic_on_warn set ...
[ 56.146247]
[ 56.153642] CPU: 1 PID: 6775 Comm: syz-executor187 Tainted: G    B   4.14.192-syzkaller #0
[ 56.162730] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 56.172082] Call Trace:
[ 56.174659]  dump_stack+0x1b2/0x283
[ 56.178265]  panic+0x1f9/0x42d
[ 56.181439]  ? add_taint.cold+0x16/0x16
[ 56.185397]  ? ___preempt_schedule+0x16/0x18
[ 56.189787]  kasan_end_report+0x43/0x49
[ 56.193970]  kasan_report_error.cold+0xa7/0x194
[ 56.198625]  ? sco_chan_del+0x3b2/0x3d0
[ 56.202576]  __asan_report_load1_noabort+0x68/0x70
[ 56.208623]  ? sco_chan_del+0x3b2/0x3d0
[ 56.212576]  sco_chan_del+0x3b2/0x3d0
[ 56.216361]  __sco_sock_close+0xb0/0x670
[ 56.220498]  sco_sock_release+0x6a/0x370
[ 56.224535]  __sock_release+0xcd/0x2b0
[ 56.228405]  ? __sock_release+0x2b0/0x2b0
[ 56.232526]  sock_close+0x15/0x20
[ 56.235952]  __fput+0x25f/0x7a0
[ 56.239207]  task_work_run+0x11f/0x190
[ 56.243164]  get_signal+0x18a3/0x1ca0
[ 56.246941]  ? reacquire_held_locks+0xb5/0x3f0
[ 56.251515]  ? sco_sock_connect+0x42b/0x860
[ 56.255837]  do_signal+0x7c/0x1550
[ 56.259350]  ? lock_downgrade+0x740/0x740
[ 56.263472]  ? check_preemption_disabled+0x35/0x240
[ 56.268810]  ? setup_sigcontext+0x820/0x820
[ 56.273128]  ? kick_process+0xe4/0x170
[ 56.277009]  ? task_work_add+0x87/0xe0
[ 56.280872]  ? sco_sock_create+0xf0/0xf0
[ 56.284910]  ? fput+0xaa/0x140
[ 56.288086]  ? SyS_connect+0xf6/0x240
[ 56.291858]  ? SyS_accept+0x30/0x30
[ 56.295464]  ? SyS_futex+0x1da/0x290
[ 56.299167]  ? SyS_futex+0x1e3/0x290
[ 56.302871]  ? exit_to_usermode_loop+0x41/0x200
[ 56.307526]  exit_to_usermode_loop+0x160/0x200
[ 56.312093]  do_syscall_64+0x4a3/0x640
[ 56.315973]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 56.321140] RIP: 0033:0x44a499
[ 56.324312] RSP: 002b:00007f6d6158edb8 EFLAGS: 00000246 ORIG_RAX: 000000000000002a
[ 56.332121] RAX: fffffffffffffffc RBX: 00000000006e5a08 RCX: 000000000044a499
[ 56.339374] RDX: 0000000000000008 RSI: 0000000020000000 RDI: 0000000000000004
[ 56.346622] RBP: 00000000006e5a00 R08: 0000000000000000 R09: 0000000000000000
[ 56.353867] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006e5a0c
[ 56.361113] R13: 00007ffe6e8c39ef R14: 00007f6d6158f9c0 R15: 00000000006e5a0c
[ 56.370246] Kernel Offset: disabled
[ 56.373861] Rebooting in 86400 seconds..