[ 404.131355] batman_adv: batadv0: Interface deactivated: batadv_slave_0
[ 404.139040] batman_adv: batadv0: Removing interface: batadv_slave_0
[ 404.148907] batman_adv: batadv0: Interface deactivated: batadv_slave_1
[ 404.156287] batman_adv: batadv0: Removing interface: batadv_slave_1
[ 404.166004] device bridge_slave_1 left promiscuous mode
[ 404.174195] bridge0: port 2(bridge_slave_1) entered disabled state
[ 404.221484] device bridge_slave_0 left promiscuous mode
[ 404.227774] bridge0: port 1(bridge_slave_0) entered disabled state
[ 404.283391] device veth1_macvtap left promiscuous mode
[ 404.290483] device veth0_macvtap left promiscuous mode
[ 404.297555] device veth1_vlan left promiscuous mode
[ 404.303491] device veth0_vlan left promiscuous mode
[ 404.429278] device hsr_slave_1 left promiscuous mode
[ 404.479142] device hsr_slave_0 left promiscuous mode
[ 404.535055] team0 (unregistering): Port device team_slave_1 removed
[ 404.546638] team0 (unregistering): Port device team_slave_0 removed
[ 404.557930] bond0 (unregistering): Releasing backup interface bond_slave_1
[ 404.582259] bond0 (unregistering): Releasing backup interface bond_slave_0
[ 404.655576] bond0 (unregistering): Released all slaves
Warning: Permanently added '10.128.0.88' (ECDSA) to the list of known hosts.
[ 420.223578] bond0 (unregistering): Releasing backup interface bond_slave_0
[ 420.664251] bond0 (unregistering): Released all slaves
[ 435.287494] systemd[1]: bluetooth.target: Unit not needed anymore. Stopping.
[ 511.547763] systemd[1]: bluetooth.target: Unit not needed anymore. Stopping.
[ 518.327408] systemd[1]: bluetooth.target: Unit not needed anymore. Stopping.
[ 519.768519] systemd[1]: bluetooth.target: Unit not needed anymore. Stopping.
[ 521.296787] systemd[1]: bluetooth.target: Unit not needed anymore. Stopping.
[ 521.428025] systemd[1]: bluetooth.target: Unit not needed anymore. Stopping.
[ 521.777913] systemd[1]: bluetooth.target: Unit not needed anymore. Stopping.
[ 522.359092] systemd[1]: bluetooth.target: Unit not needed anymore. Stopping.
[ 526.396988] systemd[1]: bluetooth.target: Unit not needed anymore. Stopping.
[ 528.560760] ==================================================================
[ 528.569042] BUG: KASAN: use-after-free in hci_sock_bind+0x66b/0xf30
[ 528.576244] Write of size 4 at addr ffff8881ddc86a20 by task syz-executor855/3690
[ 528.584392]
[ 528.586045] CPU: 1 PID: 3690 Comm: syz-executor855 Not tainted 4.19.183-syzkaller #0
[ 528.594187] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 528.604193] Call Trace:
[ 528.607243]  dump_stack+0x123/0x171
[ 528.611571]  print_address_description.cold.8+0x9/0x1ff
[ 528.617564]  kasan_report.cold.9+0x242/0x2fe
[ 528.622241]  ? hci_sock_bind+0x66b/0xf30
[ 528.627547]  check_memory_region+0x13e/0x1b0
[ 528.632055]  kasan_check_write+0x14/0x20
[ 528.636490]  hci_sock_bind+0x66b/0xf30
[ 528.640646]  ? hci_sock_ioctl+0x600/0x600
[ 528.645016]  ? apparmor_socket_bind+0x81/0x110
[ 528.649867]  __sys_bind+0x1e1/0x230
[ 528.653678]  ? __ia32_sys_socketpair+0xf0/0xf0
[ 528.658449]  ? kasan_check_read+0x11/0x20
[ 528.662733]  ? __x64_sys_futex+0x1cb/0x3a0
[ 528.667267]  ? fd_install+0x47/0x60
[ 528.671719]  ? trace_hardirqs_on_thunk+0x1a/0x1c
[ 528.676831]  ? do_syscall_64+0x21/0x4e0
[ 528.680942]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 528.686313]  __x64_sys_bind+0x6e/0xb0
[ 528.690556]  do_syscall_64+0xd0/0x4e0
[ 528.694706]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 528.700153] RIP: 0033:0x445809
[ 528.703802] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 11 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
[ 528.724197] RSP: 002b:00007f145beb5318 EFLAGS: 00000246 ORIG_RAX: 0000000000000031
[ 528.732105] RAX: ffffffffffffffda RBX: 00000000004ca428 RCX: 0000000000445809
[ 528.740334] RDX: 0000000000000006 RSI: 0000000020000080 RDI: 0000000000000004
[ 528.748679] RBP: 00000000004ca420 R08: 0000000000000000 R09: 0000000000000000
[ 528.756748] R10: 0000000000000000 R11: 0000000000000246 R12: 6368762f7665642f
[ 528.765043] R13: 00007ffe2625c73f R14: 00007f145beb5400 R15: 0000000000022000
[ 528.773190]
[ 528.775260] Allocated by task 3687:
[ 528.780117]  save_stack+0x43/0xd0
[ 528.784430]  kasan_kmalloc+0xc7/0xe0
[ 528.789225]  kmem_cache_alloc_trace+0x152/0x740
[ 528.794367]  hci_alloc_dev+0x3f/0x1bd0
[ 528.798624]  __vhci_create_device+0xe1/0x500
[ 528.803583]  vhci_write+0x28a/0x3f0
[ 528.808083]  __vfs_write+0x443/0x890
[ 528.812624]  vfs_write+0x150/0x4d0
[ 528.816435]  ksys_write+0x103/0x260
[ 528.820593]  __x64_sys_write+0x6e/0xb0
[ 528.825344]  do_syscall_64+0xd0/0x4e0
[ 528.829811]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 528.835566]
[ 528.837550] Freed by task 3687:
[ 528.841068]  save_stack+0x43/0xd0
[ 528.844611]  __kasan_slab_free+0x102/0x150
[ 528.849426]  kasan_slab_free+0xe/0x10
[ 528.854560]  kfree+0xcf/0x220
[ 528.857964]  bt_host_release+0x10/0x20
[ 528.862151]  device_release+0x71/0x1d0
[ 528.866219]  kobject_put+0x115/0x1f0
[ 528.870267]  put_device+0x12/0x20
[ 528.873726]  hci_free_dev+0x10/0x20
[ 528.877713]  vhci_release+0x73/0xe0
[ 528.882074]  __fput+0x249/0x7f0
[ 528.885746]  ____fput+0x9/0x10
[ 528.889368]  task_work_run+0x108/0x180
[ 528.894233]  do_exit+0xa6b/0x2da0
[ 528.898755]  do_group_exit+0xf4/0x2f0
[ 528.902769]  get_signal+0x316/0x19e0
[ 528.907386]  do_signal+0x87/0x1960
[ 528.912475]  exit_to_usermode_loop+0x114/0x200
[ 528.918079]  do_syscall_64+0x413/0x4e0
[ 528.922335]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 528.928290]
[ 528.930039] The buggy address belongs to the object at ffff8881ddc859c0
[ 528.930039]  which belongs to the cache kmalloc-8192 of size 8192
[ 528.945154] The buggy address is located 4192 bytes inside of
[ 528.945154]  8192-byte region [ffff8881ddc859c0, ffff8881ddc879c0)
[ 528.958956] The buggy address belongs to the page:
[ 528.965138] page:ffffea0007772100 count:1 mapcount:0 mapping:ffff8881f6402080 index:0x0 compound_mapcount: 0
[ 528.980520] flags: 0x17ffe0000008100(slab|head)
[ 528.986005] raw: 017ffe0000008100 ffffea0007591108 ffffea000762da08 ffff8881f6402080
[ 528.997354] raw: 0000000000000000 ffff8881ddc859c0 0000000100000001 0000000000000000
[ 529.008536] page dumped because: kasan: bad access detected
[ 529.014688]
[ 529.017324] Memory state around the buggy address:
[ 529.022826]  ffff8881ddc86900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 529.031495]  ffff8881ddc86980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 529.039386] >ffff8881ddc86a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 529.047229]                    ^
[ 529.051857]  ffff8881ddc86a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 529.061762]  ffff8881ddc86b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 529.071377] ==================================================================
[ 529.079863] Disabling lock debugging due to kernel taint
[ 529.998086] systemd[1]: bluetooth.target: Unit not needed anymore. Stopping.
[ 531.145381] systemd[1]: bluetooth.target: Unit not needed anymore. Stopping.
[ 531.925290] systemd[1]: bluetooth.target: Unit not needed anymore. Stopping.
[ 533.656764] systemd[1]: bluetooth.target: Unit not needed anymore. Stopping.
[ 533.745811] systemd[1]: bluetooth.target: Unit not needed anymore. Stopping.
[ 534.219276] systemd[1]: bluetooth.target: Unit not needed anymore, but not stopping since we tried this too often recently.
[ 535.745894] systemd[1]: bluetooth.target: Unit not needed anymore, but not stopping since we tried this too often recently.
[ 537.235177] systemd[1]: bluetooth.target: Unit not needed anymore. Stopping.
[ 537.684718] systemd[1]: bluetooth.target: Unit not needed anymore. Stopping.
[ 538.265183] systemd[1]: bluetooth.target: Unit not needed anymore. Stopping.