Warning: Permanently added '10.128.0.240' (ECDSA) to the list of known hosts.
syzkaller login: [ 40.358338] audit: type=1400 audit(1596416578.615:8): avc: denied { execmem } for pid=6441 comm="syz-executor369" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=1
[ 40.381172] IPVS: ftp: loaded support on port[0] = 21
[ 40.456180] chnl_net:caif_netlink_parms(): no params data found
[ 40.569207] bridge0: port 1(bridge_slave_0) entered blocking state
[ 40.576988] bridge0: port 1(bridge_slave_0) entered disabled state
[ 40.584316] device bridge_slave_0 entered promiscuous mode
[ 40.592009] bridge0: port 2(bridge_slave_1) entered blocking state
[ 40.598842] bridge0: port 2(bridge_slave_1) entered disabled state
[ 40.605823] device bridge_slave_1 entered promiscuous mode
[ 40.623937] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 40.633134] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 40.654648] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 40.663638] team0: Port device team_slave_0 added
[ 40.669856] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 40.677799] team0: Port device team_slave_1 added
[ 40.695388] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 40.701762] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 40.727162] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[ 40.739579] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 40.745837] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1560 would solve the problem.
[ 40.771079] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[ 40.787276] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[ 40.794831] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[ 40.859755] device hsr_slave_0 entered promiscuous mode
[ 40.907160] device hsr_slave_1 entered promiscuous mode
[ 40.947449] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready
[ 40.954804] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_1: link is not ready
[ 41.025379] bridge0: port 2(bridge_slave_1) entered blocking state
[ 41.032128] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 41.039412] bridge0: port 1(bridge_slave_0) entered blocking state
[ 41.045789] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 41.081382] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[ 41.088281] 8021q: adding VLAN 0 to HW filter on device bond0
[ 41.096389] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 41.105789] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 41.126051] bridge0: port 1(bridge_slave_0) entered disabled state
[ 41.133457] bridge0: port 2(bridge_slave_1) entered disabled state
[ 41.142650] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 41.153606] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready
[ 41.159924] 8021q: adding VLAN 0 to HW filter on device team0
[ 41.169173] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 41.177523] bridge0: port 1(bridge_slave_0) entered blocking state
[ 41.183944] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 41.208537] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 41.216301] bridge0: port 2(bridge_slave_1) entered blocking state
[ 41.222725] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 41.231375] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 41.239676] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 41.247508] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 41.254977] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 41.264023] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 41.272987] IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready
[ 41.279430] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 41.293055] IPv6: ADDRCONF(NETDEV_UP): vxcan0: link is not ready
[ 41.300587] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan0: link becomes ready
[ 41.307554] IPv6: ADDRCONF(NETDEV_CHANGE): vxcan1: link becomes ready
[ 41.319473] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 41.332637] IPv6: ADDRCONF(NETDEV_UP): veth0_virt_wifi: link is not ready
[ 41.343123] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 41.376905] IPv6: ADDRCONF(NETDEV_UP): veth0_vlan: link is not ready
[ 41.384075] IPv6: ADDRCONF(NETDEV_UP): vlan0: link is not ready
[ 41.391786] IPv6: ADDRCONF(NETDEV_UP): vlan1: link is not ready
[ 41.401800] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
[ 41.409951] IPv6: ADDRCONF(NETDEV_CHANGE): vlan0: link becomes ready
[ 41.417228] IPv6: ADDRCONF(NETDEV_CHANGE): vlan1: link becomes ready
[ 41.425858] device veth0_vlan entered promiscuous mode
[ 41.435951] device veth1_vlan entered promiscuous mode
[ 41.442541] IPv6: ADDRCONF(NETDEV_UP): macvlan0: link is not ready
[ 41.449939] IPv6: ADDRCONF(NETDEV_CHANGE): macvlan0: link becomes ready
[ 41.464158] IPv6: ADDRCONF(NETDEV_UP): veth0_macvtap: link is not ready
[ 41.474208] IPv6: ADDRCONF(NETDEV_UP): veth1_macvtap: link is not ready
[ 41.481863] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_macvtap: link becomes ready
[ 41.490510] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 41.501691] device veth0_macvtap entered promiscuous mode
[ 41.508813] IPv6: ADDRCONF(NETDEV_UP): macvtap0: link is not ready
[ 41.517964] device veth1_macvtap entered promiscuous mode
[ 41.524106] IPv6: ADDRCONF(NETDEV_UP): macsec0: link is not ready
[ 41.534138] IPv6: ADDRCONF(NETDEV_UP): veth0_to_batadv: link is not ready
[ 41.544299] IPv6: ADDRCONF(NETDEV_UP): veth1_to_batadv: link is not ready
[ 41.554110] IPv6: ADDRCONF(NETDEV_UP): batadv_slave_0: link is not ready
[ 41.561524] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 41.568699] IPv6: ADDRCONF(NETDEV_CHANGE): macvtap0: link becomes ready
[ 41.576006] IPv6: ADDRCONF(NETDEV_CHANGE): macsec0: link becomes ready
[ 41.583889] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_0: link becomes ready
[ 41.592130] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 41.603804] IPv6: ADDRCONF(NETDEV_UP): batadv_slave_1: link is not ready
[ 41.610939] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 41.617882] IPv6: ADDRCONF(NETDEV_CHANGE): batadv_slave_1: link becomes ready
[ 41.625679] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
executing program
[ 42.842301] Bluetooth: hci0: Dropping invalid advertising data
[ 42.849246] ==================================================================
[ 42.856777] BUG: KASAN: slab-out-of-bounds in hci_le_meta_evt+0x33b1/0x39c0
[ 42.863872] Read of size 1 at addr ffff8880a8093c84 by task kworker/u5:2/6671
[ 42.871125]
[ 42.872745] CPU: 1 PID: 6671 Comm: kworker/u5:2 Not tainted 4.19.136-syzkaller #0
[ 42.880350] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 42.889701] Workqueue: hci0 hci_rx_work
[ 42.893657] Call Trace:
[ 42.896237] dump_stack+0x1fc/0x2fe
[ 42.900033] print_address_description.cold+0x54/0x219
[ 42.905401] kasan_report_error.cold+0x8a/0x1c7
[ 42.910060] ? hci_le_meta_evt+0x33b1/0x39c0
[ 42.914459] __asan_report_load1_noabort+0x88/0x90
[ 42.919447] ? hci_le_meta_evt+0x33b1/0x39c0
[ 42.924148] hci_le_meta_evt+0x33b1/0x39c0
[ 42.928467] ? _raw_spin_unlock_irqrestore+0x66/0xe0
[ 42.933557] ? debug_check_no_obj_freed+0x201/0x482
[ 42.938563] ? check_preemption_disabled+0x41/0x280
[ 42.943654] ? read_enc_key_size_complete+0xb90/0xb90
[ 42.948832] ? kfree_skbmem+0xc1/0x140
[ 42.952728] ? hci_event_packet+0x561/0x858f
[ 42.957144] ? __lock_acquire+0x6de/0x3ff0
[ 42.961376] hci_event_packet+0x1a29/0x858f
[ 42.965707] ? mark_held_locks+0xf0/0xf0
[ 42.969760] ? hci_cmd_complete_evt+0xb5e0/0xb5e0
[ 42.974591] ? switch_mm_irqs_off+0x750/0x1340
[ 42.979165] ? debug_object_deactivate+0x1f9/0x2e0
[ 42.984120] ? mark_held_locks+0xa6/0xf0
[ 42.988171] ? _raw_spin_unlock_irqrestore+0x79/0xe0
[ 42.993264] ? lockdep_hardirqs_on+0x3a8/0x5c0
[ 42.997837] hci_rx_work+0x46b/0xa90
[ 43.001545] process_one_work+0x864/0x1570
[ 43.005772] ? pwq_dec_nr_in_flight+0x2d0/0x2d0
[ 43.010440] worker_thread+0x64c/0x1130
[ 43.014410] ? __kthread_parkme+0xfd/0x1b0
[ 43.018632] ? process_one_work+0x1570/0x1570
[ 43.023119] kthread+0x30b/0x410
[ 43.026493] ? kthread_park+0x180/0x180
[ 43.030634] ret_from_fork+0x24/0x30
[ 43.034349]
[ 43.035976] Allocated by task 6442:
[ 43.039604] __kmalloc_node_track_caller+0x4c/0x70
[ 43.044522] __alloc_skb+0xae/0x560
[ 43.048154] vhci_write+0xbd/0x450
[ 43.051715] __vfs_write+0x51b/0x770
[ 43.055420] vfs_write+0x1f3/0x540
[ 43.058951] ksys_write+0x12b/0x2a0
[ 43.062564] do_syscall_64+0xf9/0x620
[ 43.066357] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 43.071544]
[ 43.073162] Freed by task 4632:
[ 43.076437] kfree+0xcc/0x210
[ 43.079530] pipe_release+0x2e3/0x340
[ 43.083430] __fput+0x2ce/0x890
[ 43.086807] task_work_run+0x148/0x1c0
[ 43.090697] exit_to_usermode_loop+0x251/0x2a0
[ 43.095273] do_syscall_64+0x538/0x620
[ 43.099158] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 43.105465]
[ 43.107080] The buggy address belongs to the object at ffff8880a8093a80
[ 43.107080] which belongs to the cache kmalloc-512 of size 512
[ 43.119725] The buggy address is located 4 bytes to the right of
[ 43.119725] 512-byte region [ffff8880a8093a80, ffff8880a8093c80)
[ 43.131931] The buggy address belongs to the page:
[ 43.136854] page:ffffea0002a024c0 count:1 mapcount:0 mapping:ffff88812c39c940 index:0x0
[ 43.144983] flags: 0xfffe0000000100(slab)
[ 43.149123] raw: 00fffe0000000100 ffffea0002954f88 ffff88812c394748 ffff88812c39c940
[ 43.156995] raw: 0000000000000000 ffff8880a8093080 0000000100000006 0000000000000000
[ 43.164880] page dumped because: kasan: bad access detected
[ 43.170597]
[ 43.172205] Memory state around the buggy address:
[ 43.177135] ffff8880a8093b80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 43.184480] ffff8880a8093c00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 43.191827] >ffff8880a8093c80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 43.199167] ^
[ 43.202595] ffff8880a8093d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 43.209962] ffff8880a8093d80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 43.217322] ==================================================================
[ 43.224665] Disabling lock debugging due to kernel taint
[ 43.234233] Kernel panic - not syncing: panic_on_warn set ...
[ 43.234233]
[ 43.241647] CPU: 1 PID: 6671 Comm: kworker/u5:2 Tainted: G B 4.19.136-syzkaller #0
[ 43.250659] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 43.260029] Workqueue: hci0 hci_rx_work
[ 43.264037] Call Trace:
[ 43.266641] dump_stack+0x1fc/0x2fe
[ 43.270284] panic+0x26a/0x50e
[ 43.273472] ? __warn_printk+0xf3/0xf3
[ 43.277368] ? preempt_schedule_common+0x45/0xc0
[ 43.282285] ? ___preempt_schedule+0x16/0x18
[ 43.286845] ? trace_hardirqs_on+0x55/0x210
[ 43.291240] kasan_end_report+0x43/0x49
[ 43.295700] kasan_report_error.cold+0xa7/0x1c7
[ 43.300577] ? hci_le_meta_evt+0x33b1/0x39c0
[ 43.304975] __asan_report_load1_noabort+0x88/0x90
[ 43.310014] ? hci_le_meta_evt+0x33b1/0x39c0
[ 43.314418] hci_le_meta_evt+0x33b1/0x39c0
[ 43.318640] ? _raw_spin_unlock_irqrestore+0x66/0xe0
[ 43.323730] ? debug_check_no_obj_freed+0x201/0x482
[ 43.328742] ? check_preemption_disabled+0x41/0x280
[ 43.333745] ? read_enc_key_size_complete+0xb90/0xb90
[ 43.339160] ? kfree_skbmem+0xc1/0x140
[ 43.343371] ? hci_event_packet+0x561/0x858f
[ 43.347770] ? __lock_acquire+0x6de/0x3ff0
[ 43.351989] hci_event_packet+0x1a29/0x858f
[ 43.356319] ? mark_held_locks+0xf0/0xf0
[ 43.360389] ? hci_cmd_complete_evt+0xb5e0/0xb5e0
[ 43.365401] ? switch_mm_irqs_off+0x750/0x1340
[ 43.370221] ? debug_object_deactivate+0x1f9/0x2e0
[ 43.375138] ? mark_held_locks+0xa6/0xf0
[ 43.379204] ? _raw_spin_unlock_irqrestore+0x79/0xe0
[ 43.384293] ? lockdep_hardirqs_on+0x3a8/0x5c0
[ 43.388885] hci_rx_work+0x46b/0xa90
[ 43.392778] process_one_work+0x864/0x1570
[ 43.397107] ? pwq_dec_nr_in_flight+0x2d0/0x2d0
[ 43.401870] worker_thread+0x64c/0x1130
[ 43.405829] ? __kthread_parkme+0xfd/0x1b0
[ 43.410045] ? process_one_work+0x1570/0x1570
[ 43.414520] kthread+0x30b/0x410
[ 43.417886] ? kthread_park+0x180/0x180
[ 43.422128] ret_from_fork+0x24/0x30
[ 43.427121] Kernel Offset: disabled
[ 43.430745] Rebooting in 86400 seconds..