[  OK  ] Reached target Login Prompts.
[  OK  ] Reached target Multi-User System.
[  OK  ] Reached target Graphical Interface.
         Starting Update UTMP about System Runlevel Changes...
[  OK  ] Started Update UTMP about System Runlevel Changes.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.1.51' (ECDSA) to the list of known hosts.

syzkaller login: [   33.958009] audit: type=1400 audit(1596738471.378:8): avc:  denied  { execmem } for  pid=6354 comm="syz-executor877" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=1
[   34.196060] IPVS: ftp: loaded support on port[0] = 21
executing program
[   36.064036] Bluetooth: Wrong link type (-22)
[   36.094763] ==================================================================
[   36.102820] BUG: KASAN: use-after-free in hci_chan_del+0x131/0x180
[   36.109186] Read of size 8 at addr ffff8880a8fe3018 by task syz-executor877/6355
[   36.116877] 
[   36.118498] CPU: 1 PID: 6355 Comm: syz-executor877 Not tainted 4.14.192-syzkaller #0
[   36.126771] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   36.136234] Call Trace:
[   36.138870]  dump_stack+0x1b2/0x283
[   36.142576]  ? l2cap_conn_del+0x670/0x670
[   36.146789]  print_address_description.cold+0x54/0x1d3
[   36.152196]  kasan_report_error.cold+0x8a/0x194
[   36.156856]  ? hci_chan_del+0x131/0x180
[   36.160948]  __asan_report_load8_noabort+0x68/0x70
[   36.165869]  ? hci_chan_del+0x131/0x180
[   36.169901]  hci_chan_del+0x131/0x180
[   36.173693]  l2cap_conn_del+0x417/0x670
[   36.177658]  ? __mutex_unlock_slowpath+0x75/0x770
[   36.182620]  ? l2cap_conn_del+0x670/0x670
[   36.186893]  l2cap_disconn_cfm+0x6b/0x80
[   36.190944]  hci_conn_hash_flush+0x114/0x220
[   36.195344]  hci_dev_do_close+0x542/0xc50
[   36.199531]  ? lock_downgrade+0x740/0x740
[   36.203671]  hci_unregister_dev+0x170/0x7a0
[   36.207982]  ? fcntl_setlk+0xdb0/0xdb0
[   36.211861]  ? vhci_close_dev+0x50/0x50
[   36.215821]  vhci_release+0x70/0xe0
[   36.219448]  __fput+0x25f/0x7a0
[   36.222725]  task_work_run+0x11f/0x190
[   36.226610]  do_exit+0xa08/0x27f0
[   36.230137]  ? mm_update_next_owner+0x5b0/0x5b0
[   36.234799]  ? vfs_write+0x319/0x4d0
[   36.238550]  ? SyS_write+0x14d/0x210
[   36.242385]  do_group_exit+0x100/0x2e0
[   36.246395]  SyS_exit_group+0x19/0x20
[   36.250187]  ? do_group_exit+0x2e0/0x2e0
[   36.254477]  do_syscall_64+0x1d5/0x640
[   36.258360]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[   36.263540] RIP: 0033:0x445138
[   36.266762] RSP: 002b:00007ffc34bbfb08 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[   36.274500] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 0000000000445138
[   36.281802] RDX: 0000000000000001 RSI: 000000000000003c RDI: 0000000000000001
[   36.290399] RBP: 00000000004ccef0 R08: 00000000000000e7 R09: ffffffffffffffd0
[   36.297704] R10: 00007feea156e9d0 R11: 0000000000000246 R12: 0000000000000001
[   36.304961] R13: 00000000006e0200 R14: 0000000000e70850 R15: 0000000000000001
[   36.312229] 
[   36.314010] Allocated by task 1202:
[   36.317632]  kasan_kmalloc+0xeb/0x160
[   36.321421]  kmem_cache_alloc_trace+0x131/0x3d0
[   36.326249]  hci_chan_create+0x7c/0x300
[   36.330284]  l2cap_conn_add.part.0+0x18/0xc20
[   36.334766]  l2cap_connect_cfm+0x1d2/0xce0
[   36.338988]  hci_le_meta_evt+0x3288/0x3fc0
[   36.343214]  hci_event_packet+0x25a7/0x7c7a
[   36.347525]  hci_rx_work+0x3e6/0x970
[   36.351270]  process_one_work+0x793/0x14a0
[   36.355492]  worker_thread+0x5cc/0xff0
[   36.359367]  kthread+0x30d/0x420
[   36.362720]  ret_from_fork+0x24/0x30
[   36.366461] 
[   36.368079] Freed by task 6381:
[   36.371359]  kasan_slab_free+0xc3/0x1a0
[   36.375504]  kfree+0xc9/0x250
[   36.378600]  hci_event_packet+0xeae/0x7c7a
[   36.382823]  hci_rx_work+0x3e6/0x970
[   36.386535]  process_one_work+0x793/0x14a0
[   36.390948]  worker_thread+0x5cc/0xff0
[   36.394825]  kthread+0x30d/0x420
[   36.398317]  ret_from_fork+0x24/0x30
[   36.402014] 
[   36.403629] The buggy address belongs to the object at ffff8880a8fe3000
[   36.403629]  which belongs to the cache kmalloc-128 of size 128
[   36.416273] The buggy address is located 24 bytes inside of
[   36.416273]  128-byte region [ffff8880a8fe3000, ffff8880a8fe3080)
[   36.428188] The buggy address belongs to the page:
[   36.433151] page:ffffea0002a3f8c0 count:1 mapcount:0 mapping:ffff8880a8fe3000 index:0xffff8880a8fe3c00
[   36.442589] flags: 0xfffe0000000100(slab)
[   36.446817] raw: 00fffe0000000100 ffff8880a8fe3000 ffff8880a8fe3c00 000000010000000a
[   36.454743] raw: ffffea00027cbe60 ffffea0002a3f7a0 ffff88812fe52640 0000000000000000
[   36.462614] page dumped because: kasan: bad access detected
[   36.468317] 
[   36.469951] Memory state around the buggy address:
[   36.475039]  ffff8880a8fe2f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   36.482387]  ffff8880a8fe2f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   36.490007] >ffff8880a8fe3000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   36.497362]                             ^
[   36.501636]  ffff8880a8fe3080: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[   36.509194]  ffff8880a8fe3100: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   36.516957] ==================================================================
[   36.524303] Disabling lock debugging due to kernel taint
[   36.529965] Kernel panic - not syncing: panic_on_warn set ...
[   36.529965] 
[   36.537337] CPU: 1 PID: 6355 Comm: syz-executor877 Tainted: G B 4.14.192-syzkaller #0
[   36.546528] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   36.555885] Call Trace:
[   36.558519]  dump_stack+0x1b2/0x283
[   36.562144]  ? l2cap_conn_del+0x670/0x670
[   36.566284]  panic+0x1f9/0x42d
[   36.569529]  ? add_taint.cold+0x16/0x16
[   36.573493]  ? ___preempt_schedule+0x16/0x18
[   36.577889]  kasan_end_report+0x43/0x49
[   36.581850]  kasan_report_error.cold+0xa7/0x194
[   36.586509]  ? hci_chan_del+0x131/0x180
[   36.590471]  __asan_report_load8_noabort+0x68/0x70
[   36.595432]  ? hci_chan_del+0x131/0x180
[   36.599439]  hci_chan_del+0x131/0x180
[   36.603233]  l2cap_conn_del+0x417/0x670
[   36.607197]  ? __mutex_unlock_slowpath+0x75/0x770
[   36.612028]  ? l2cap_conn_del+0x670/0x670
[   36.616220]  l2cap_disconn_cfm+0x6b/0x80
[   36.620356]  hci_conn_hash_flush+0x114/0x220
[   36.624755]  hci_dev_do_close+0x542/0xc50
[   36.628892]  ? lock_downgrade+0x740/0x740
[   36.633077]  hci_unregister_dev+0x170/0x7a0
[   36.637397]  ? fcntl_setlk+0xdb0/0xdb0
[   36.641269]  ? vhci_close_dev+0x50/0x50
[   36.645229]  vhci_release+0x70/0xe0
[   36.648850]  __fput+0x25f/0x7a0
[   36.652117]  task_work_run+0x11f/0x190
[   36.655996]  do_exit+0xa08/0x27f0
[   36.659482]  ? mm_update_next_owner+0x5b0/0x5b0
[   36.664133]  ? vfs_write+0x319/0x4d0
[   36.667827]  ? SyS_write+0x14d/0x210
[   36.671578]  do_group_exit+0x100/0x2e0
[   36.675455]  SyS_exit_group+0x19/0x20
[   36.679240]  ? do_group_exit+0x2e0/0x2e0
[   36.683289]  do_syscall_64+0x1d5/0x640
[   36.687171]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[   36.692356] RIP: 0033:0x445138
[   36.695533] RSP: 002b:00007ffc34bbfb08 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[   36.703394] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 0000000000445138
[   36.710649] RDX: 0000000000000001 RSI: 000000000000003c RDI: 0000000000000001
[   36.717909] RBP: 00000000004ccef0 R08: 00000000000000e7 R09: ffffffffffffffd0
[   36.725226] R10: 00007feea156e9d0 R11: 0000000000000246 R12: 0000000000000001
[   36.732524] R13: 00000000006e0200 R14: 0000000000e70850 R15: 0000000000000001
[   36.741123] Kernel Offset: disabled
[   36.744791] Rebooting in 86400 seconds..
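The report above carries everything needed for a first triage: the faulting access (an 8-byte read in hci_chan_del, 24 bytes into a kmalloc-128 object), the allocation site (hci_chan_create, reached from the HCI RX workqueue via hci_le_meta_evt), the free site (kfree in hci_event_packet, again on hci_rx_work but in a different task), the use site (the vhci_release -> hci_unregister_dev -> hci_dev_do_close -> hci_conn_hash_flush -> l2cap_conn_del -> hci_chan_del close path), and the shadow bytes around the address. The following Python script is an added example for extracting and cross-checking those facts mechanically; it is not part of the syzkaller log or of the kernel tree. It parses a constructed excerpt copied from the report (console timestamps kept), recovers the stacks and the slab object, decodes the shadow byte at the faulting address, and checks that the stated offset, the object bounds, the shadow state and the bug class agree. The shadow values (0x00 accessible, 0xfb freed slab object, 0xfc slab redzone) and the 8-bytes-per-shadow-byte granularity follow the generic KASAN definitions in mm/kasan/kasan.h; the names `KasanReport`, `parse` and `triage` are chosen here.

```python
import re
from dataclasses import dataclass, field

# Constructed excerpt: lines copied from the KASAN report above, timestamps kept.
SAMPLE_REPORT = """\
[   36.102820] BUG: KASAN: use-after-free in hci_chan_del+0x131/0x180
[   36.109186] Read of size 8 at addr ffff8880a8fe3018 by task syz-executor877/6355
[   36.136234] Call Trace:
[   36.142576]  ? l2cap_conn_del+0x670/0x670
[   36.169901]  hci_chan_del+0x131/0x180
[   36.173693]  l2cap_conn_del+0x417/0x670
[   36.215821]  vhci_release+0x70/0xe0
[   36.314010] Allocated by task 1202:
[   36.317632]  kasan_kmalloc+0xeb/0x160
[   36.326249]  hci_chan_create+0x7c/0x300
[   36.368079] Freed by task 6381:
[   36.375504]  kfree+0xc9/0x250
[   36.378600]  hci_event_packet+0xeae/0x7c7a
[   36.403629] The buggy address belongs to the object at ffff8880a8fe3000
[   36.403629]  which belongs to the cache kmalloc-128 of size 128
[   36.416273] The buggy address is located 24 bytes inside of
[   36.490007] >ffff8880a8fe3000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
"""

TS = re.compile(r"^\[\s*\d+\.\d+\]\s?")
FRAME = re.compile(r"^(\?\s+)?([\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+$")
SHADOW = re.compile(r"^>?\s*([0-9a-f]{16}):((?:\s[0-9a-f]{2})+)$")
# Shadow values from mm/kasan/kasan.h; one shadow byte describes 8 bytes of memory.
SHADOW_MEANING = {0x00: "accessible", 0xfb: "freed slab object", 0xfc: "slab redzone"}

@dataclass
class KasanReport:
    bug: str = ""
    func: str = ""
    access: str = ""
    size: int = 0
    addr: int = 0
    task: str = ""
    obj_base: int = 0
    cache: str = ""
    obj_size: int = 0
    stated_offset: int = -1
    free_task: int = -1
    stacks: dict = field(default_factory=dict)   # "access"/"alloc"/"free" -> symbols
    shadow: dict = field(default_factory=dict)   # shadow line base -> 16 byte values

    def offset(self) -> int:
        return self.addr - self.obj_base

    def shadow_byte(self) -> int:
        for base, vals in self.shadow.items():
            if base <= self.addr < base + 8 * len(vals):
                return vals[(self.addr - base) // 8]
        raise ValueError("faulting address not covered by the printed shadow")

def parse(text: str) -> KasanReport:
    r, section = KasanReport(), None
    for raw in text.splitlines():
        line = TS.sub("", raw).strip()
        if m := re.match(r"BUG: KASAN: (\S+) in (\S+)\+0x", line):
            r.bug, r.func = m[1], m[2]
        elif m := re.match(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (\S+)", line):
            r.access, r.size, r.addr, r.task = m[1], int(m[2]), int(m[3], 16), m[4]
        elif line == "Call Trace:":
            section = "access"
        elif line.startswith("Allocated by task"):
            section = "alloc"
        elif m := re.match(r"Freed by task (\d+):", line):
            r.free_task, section = int(m[1]), "free"
        elif m := re.match(r"The buggy address belongs to the object at ([0-9a-f]+)", line):
            r.obj_base = int(m[1], 16)
        elif m := re.match(r"which belongs to the cache (\S+) of size (\d+)", line):
            r.cache, r.obj_size = m[1], int(m[2])
        elif m := re.match(r"The buggy address is located (\d+) bytes inside of", line):
            r.stated_offset = int(m[1])
        elif m := SHADOW.match(line):
            r.shadow[int(m[1], 16)] = [int(b, 16) for b in m[2].split()]
        elif section and (m := FRAME.match(line)):
            if not m[1]:   # "? sym" entries are stale stack slots, not real callers
                r.stacks.setdefault(section, []).append(m[2])
        else:
            section = None   # any other line ends the current stack section
    return r

def triage(r: KasanReport) -> dict:
    skip = ("kasan_", "kmem_cache_", "kmalloc", "__kmalloc", "kfree")
    site = lambda key: next((f for f in r.stacks.get(key, []) if not f.startswith(skip)), None)
    sb = r.shadow_byte()
    return {
        "where": f"{r.access.lower()} of {r.size} bytes in {r.func} at {r.cache}+{r.offset()}",
        "alloc_site": site("alloc"),     # first frame below the allocator
        "free_site": site("free"),
        "shadow": SHADOW_MEANING.get(sb, f"0x{sb:02x}"),
        # stated offset, object bounds and shadow state must agree with the bug class
        "consistent": r.stated_offset == r.offset() and 0 <= r.offset() < r.obj_size
        and (sb == 0xfb) == (r.bug == "use-after-free"),
        # use and free from different tasks is the usual signature of a lifetime race
        "cross_task": r.free_task >= 0 and str(r.free_task) != r.task.rsplit("/", 1)[-1],
    }
```

Run against the full log rather than the excerpt, the same parser yields the complete close-path stack and both shadow lines; the second call trace (from panic) is ignored because it never carries a "Read of size" header. The "? " frames are dropped on purpose: they are leftover return addresses the unwinder could not confirm, and counting them as callers produces wrong blame. For this report the `cross_task` flag and the two hci_rx_work stacks together say that the channel was freed by event processing while the device close path still held a pointer to it.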