[ OK ] Started Getty on tty2.
[ OK ] Started Serial Getty on ttyS0.
[ OK ] Started Getty on tty1.
[ OK ] Started OpenBSD Secure Shell server.
[ OK ] Started getty on tty2-tty6 if dbus and logind are not available.
Debian GNU/Linux 9 syzkaller ttyS0
Warning: Permanently added '10.128.0.162' (ECDSA) to the list of known hosts.
syzkaller login: [   65.489469][   T28] audit: type=1400 audit(1596734043.607:8): avc:  denied  { execmem } for  pid=6863 comm="syz-executor213" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=1
[   65.508036][ T6871] IPVS: ftp: loaded support on port[0] = 21
[   65.526405][ T6870] IPVS: ftp: loaded support on port[0] = 21
[   65.534271][ T6872] IPVS: ftp: loaded support on port[0] = 21
[   65.544965][ T6874] IPVS: ftp: loaded support on port[0] = 21
[   65.553103][ T6873] IPVS: ftp: loaded support on port[0] = 21
[   65.562601][ T6875] IPVS: ftp: loaded support on port[0] = 21
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
[   68.890954][ T3914] Bluetooth: hci1: command 0x0409 tx timeout
[   68.897538][ T3914] Bluetooth: hci2: command 0x0409 tx timeout
[   68.904864][ T3914] Bluetooth: hci0: command 0x0409 tx timeout
[   68.911505][ T3914] Bluetooth: hci3: command 0x0409 tx timeout
[   68.959999][    T5] Bluetooth: hci4: command 0x0409 tx timeout
[   68.960090][ T3914] Bluetooth: hci5: command 0x0409 tx timeout
[   70.959679][    T5] Bluetooth: hci1: command 0x041b tx timeout
[   70.959685][ T3914] Bluetooth: hci3: command 0x041b tx timeout
[   70.959724][ T3914] Bluetooth: hci0: command 0x041b tx timeout
[   70.977785][ T3914] Bluetooth: hci2: command 0x041b tx timeout
[   71.039661][    T5] Bluetooth: hci5: command 0x041b tx timeout
[   71.045862][    T5] Bluetooth: hci4: command 0x041b tx timeout
[   71.833939][ T7028] ==================================================================
[   71.842164][ T7028] BUG: KASAN: use-after-free in sco_chan_del+0xe6/0x430
[   71.849235][ T7028] Write of size 4 at addr ffff88808a9f8010 by task syz-executor213/7028
[   71.857525][ T7028] 
[   71.859846][ T7028] CPU: 0 PID: 7028 Comm: syz-executor213 Not tainted 5.8.0-syzkaller #0
[   71.868154][ T7028] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   71.878184][ T7028] Call Trace:
[   71.881458][ T7028]  dump_stack+0x18f/0x20d
[   71.885767][ T7028]  ? sco_chan_del+0xe6/0x430
[   71.890333][ T7028]  ? sco_chan_del+0xe6/0x430
[   71.894899][ T7028]  ? __sock_release+0x280/0x280
[   71.899727][ T7028]  print_address_description.constprop.0.cold+0xae/0x436
[   71.906746][ T7028]  ? sco_chan_del+0xab/0x430
[   71.911315][ T7028]  ? vprintk_func+0x97/0x1a6
[   71.915891][ T7028]  ? sco_chan_del+0xe6/0x430
[   71.920456][ T7028]  kasan_report.cold+0x1f/0x37
[   71.925198][ T7028]  ? sco_chan_del+0xe6/0x430
executing program
executing program
executing program
executing program
executing program
[   71.929763][ T7028]  check_memory_region+0x13d/0x180
[   71.934851][ T7028]  sco_chan_del+0xe6/0x430
[   71.939249][ T7028]  __sco_sock_close+0x16e/0x5b0
[   71.944098][ T7028]  sco_sock_release+0x69/0x290
[   71.948869][ T7028]  __sock_release+0xcd/0x280
[   71.953451][ T7028]  sock_close+0x18/0x20
[   71.957596][ T7028]  __fput+0x33c/0x880
[   71.961743][ T7028]  task_work_run+0xdd/0x190
[   71.966266][ T7028]  do_exit+0xb7d/0x29f0
[   71.970424][ T7028]  ? lock_acquire+0x1f1/0xad0
[   71.975094][ T7028]  ? find_held_lock+0x2d/0x110
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
[   71.979851][ T7028]  ? mm_update_next_owner+0x7a0/0x7a0
[   71.985224][ T7028]  ? get_signal+0x332/0x1ee0
[   71.989817][ T7028]  ? lock_downgrade+0x830/0x830
[   71.994671][ T7028]  ? lock_is_held_type+0xbb/0xf0
[   71.999618][ T7028]  do_group_exit+0x125/0x310
[   72.004212][ T7028]  get_signal+0x40b/0x1ee0
[   72.008635][ T7028]  ? lockdep_hardirqs_on_prepare+0x354/0x530
[   72.014618][ T7028]  ? sco_sock_connect+0x4e4/0x980
[   72.019646][ T7028]  ? lockdep_hardirqs_on+0x76/0xf0
[   72.024763][ T7028]  ? sco_sock_connect+0x4e4/0x980
[   72.029795][ T7028]  arch_do_signal+0x82/0x2520
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
[   72.034477][ T7028]  ? sco_sock_release+0x290/0x290
[   72.039500][ T7028]  ? __sys_connect_file+0x4e/0x1a0
[   72.044615][ T7028]  ? copy_siginfo_to_user32+0xa0/0xa0
[   72.049984][ T7028]  ? __sys_connect+0x109/0x190
[   72.054750][ T7028]  ? __sys_connect_file+0x1a0/0x1a0
[   72.059961][ T7028]  ? exit_to_user_mode_prepare+0xce/0x1d0
[   72.065681][ T7028]  ? lockdep_hardirqs_on_prepare+0x354/0x530
[   72.071672][ T7028]  exit_to_user_mode_prepare+0x172/0x1d0
[   72.077309][ T7028]  syscall_exit_to_user_mode+0x59/0x2b0
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
[   72.082867][ T7028]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[   72.088756][ T7028] RIP: 0033:0x447769
[   72.092641][ T7028] Code: Bad RIP value.
[   72.096699][ T7028] RSP: 002b:00007ffe52881ce8 EFLAGS: 00000246 ORIG_RAX: 000000000000002a
[   72.105105][ T7028] RAX: fffffffffffffffc RBX: 00007ffe52881d20 RCX: 0000000000447769
[   72.113068][ T7028] RDX: 0000000000000008 RSI: 00000000200001c0 RDI: 0000000000000004
[   72.121029][ T7028] RBP: 0000000000000000 R08: 0000000000000002 R09: 00000000000000ff
executing program
executing program
executing program
executing program
executing program
[   72.129014][ T7028] R10: 0000000000000004 R11: 0000000000000246 R12: 0000000000000004
[   72.136984][ T7028] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[   72.144963][ T7028] 
[   72.147298][ T7028] Allocated by task 7028:
[   72.151635][ T7028]  save_stack+0x1b/0x40
[   72.155794][ T7028]  __kasan_kmalloc.constprop.0+0xc2/0xd0
[   72.161429][ T7028]  kmem_cache_alloc_trace+0x14f/0x2d0
[   72.166798][ T7028]  hci_conn_add+0x53/0x1330
[   72.171299][ T7028]  hci_connect_sco+0x356/0x860
[   72.176072][ T7028]  sco_sock_connect+0x308/0x980
executing program
executing program
executing program
[   72.180923][ T7028]  __sys_connect_file+0x155/0x1a0
[   72.185938][ T7028]  __sys_connect+0x160/0x190
[   72.190525][ T7028]  __x64_sys_connect+0x6f/0xb0
[   72.195289][ T7028]  do_syscall_64+0x2d/0x70
[   72.199706][ T7028]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[   72.205592][ T7028] 
[   72.207920][ T7028] Freed by task 7017:
[   72.211897][ T7028]  save_stack+0x1b/0x40
[   72.216050][ T7028]  __kasan_slab_free+0xf5/0x140
[   72.220888][ T7028]  kfree+0x103/0x2c0
[   72.224782][ T7028]  device_release+0x71/0x200
[   72.229365][ T7028]  kobject_put+0x171/0x270
executing program
executing program
executing program
[   72.233777][ T7028]  put_device+0x1b/0x30
[   72.237932][ T7028]  hci_conn_del+0x27e/0x6a0
[   72.242432][ T7028]  hci_phy_link_complete_evt.isra.0+0x508/0x790
[   72.248675][ T7028]  hci_event_packet+0x4696/0x87a8
[   72.253732][ T7028]  hci_rx_work+0x22e/0xb50
[   72.258159][ T7028]  process_one_work+0x94c/0x1670
[   72.263094][ T7028]  worker_thread+0x64c/0x1120
[   72.267767][ T7028]  kthread+0x3b5/0x4a0
[   72.271831][ T7028]  ret_from_fork+0x1f/0x30
[   72.276277][ T7028] 
[   72.278614][ T7028] The buggy address belongs to the object at ffff88808a9f8000
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
[   72.278614][ T7028]  which belongs to the cache kmalloc-4k of size 4096
[   72.292698][ T7028] The buggy address is located 16 bytes inside of
[   72.292698][ T7028]  4096-byte region [ffff88808a9f8000, ffff88808a9f9000)
[   72.305967][ T7028] The buggy address belongs to the page:
[   72.311635][ T7028] page:ffffea00022a7e00 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 head:ffffea00022a7e00 order:1 compound_mapcount:0
[   72.325080][ T7028] flags: 0xfffe0000010200(slab|head)
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
[   72.330360][ T7028] raw: 00fffe0000010200 ffffea00027a0188 ffffea0002791208 ffff8880aa002000
[   72.338937][ T7028] raw: 0000000000000000 ffff88808a9f8000 0000000100000001 0000000000000000
[   72.347514][ T7028] page dumped because: kasan: bad access detected
[   72.353917][ T7028] 
[   72.356241][ T7028] Memory state around the buggy address:
[   72.361868][ T7028]  ffff88808a9f7f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   72.369932][ T7028]  ffff88808a9f7f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   72.377992][ T7028] >ffff88808a9f8000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
[   72.386044][ T7028]                                                 ^
[   72.390634][ T7028]  ffff88808a9f8080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   72.398692][ T7028]  ffff88808a9f8100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   72.406741][ T7028] ==================================================================
[   72.414794][ T7028] Disabling lock debugging due to kernel taint
[   72.425916][ T7028] Kernel panic - not syncing: panic_on_warn set ...
executing program
executing program
executing program
executing program
executing program
executing program
[   72.432510][ T7028] CPU: 0 PID: 7028 Comm: syz-executor213 Tainted: G    B             5.8.0-syzkaller #0
[   72.442209][ T7028] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   72.452252][ T7028] Call Trace:
[   72.455544][ T7028]  dump_stack+0x18f/0x20d
[   72.459876][ T7028]  ? sco_sock_sendmsg+0x5d0/0x5d0
[   72.464899][ T7028]  ? __sock_release+0x280/0x280
[   72.469744][ T7028]  panic+0x2e3/0x75c
[   72.473635][ T7028]  ? __warn_printk+0xf3/0xf3
[   72.478229][ T7028]  ? preempt_schedule_common+0x59/0xc0
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
[   72.483683][ T7028]  ? sco_chan_del+0xe6/0x430
[   72.488282][ T7028]  ? preempt_schedule_thunk+0x16/0x18
[   72.493651][ T7028]  ? trace_hardirqs_on+0x55/0x220
[   72.498673][ T7028]  ? sco_chan_del+0xe6/0x430
[   72.503253][ T7028]  ? sco_chan_del+0xe6/0x430
[   72.507841][ T7028]  ? __sock_release+0x280/0x280
[   72.512687][ T7028]  end_report+0x4d/0x53
[   72.516836][ T7028]  kasan_report.cold+0xd/0x37
[   72.521511][ T7028]  ? sco_chan_del+0xe6/0x430
[   72.526091][ T7028]  check_memory_region+0x13d/0x180
[   72.531187][ T7028]  sco_chan_del+0xe6/0x430
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
[   72.535598][ T7028]  __sco_sock_close+0x16e/0x5b0
[   72.540444][ T7028]  sco_sock_release+0x69/0x290
[   72.545220][ T7028]  __sock_release+0xcd/0x280
[   72.549803][ T7028]  sock_close+0x18/0x20
[   72.553958][ T7028]  __fput+0x33c/0x880
[   72.557939][ T7028]  task_work_run+0xdd/0x190
[   72.562437][ T7028]  do_exit+0xb7d/0x29f0
[   72.566587][ T7028]  ? lock_acquire+0x1f1/0xad0
[   72.571258][ T7028]  ? find_held_lock+0x2d/0x110
[   72.576017][ T7028]  ? mm_update_next_owner+0x7a0/0x7a0
[   72.581374][ T7028]  ? get_signal+0x332/0x1ee0
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
[   72.585955][ T7028]  ? lock_downgrade+0x830/0x830
[   72.590802][ T7028]  ? lock_is_held_type+0xbb/0xf0
[   72.595734][ T7028]  do_group_exit+0x125/0x310
[   72.600308][ T7028]  get_signal+0x40b/0x1ee0
[   72.604713][ T7028]  ? lockdep_hardirqs_on_prepare+0x354/0x530
[   72.610694][ T7028]  ? sco_sock_connect+0x4e4/0x980
[   72.615707][ T7028]  ? lockdep_hardirqs_on+0x76/0xf0
[   72.620806][ T7028]  ? sco_sock_connect+0x4e4/0x980
[   72.625827][ T7028]  arch_do_signal+0x82/0x2520
[   72.630500][ T7028]  ? sco_sock_release+0x290/0x290
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
[   72.635521][ T7028]  ? __sys_connect_file+0x4e/0x1a0
[   72.640626][ T7028]  ? copy_siginfo_to_user32+0xa0/0xa0
[   72.645989][ T7028]  ? __sys_connect+0x109/0x190
[   72.650742][ T7028]  ? __sys_connect_file+0x1a0/0x1a0
[   72.655930][ T7028]  ? exit_to_user_mode_prepare+0xce/0x1d0
[   72.661647][ T7028]  ? lockdep_hardirqs_on_prepare+0x354/0x530
[   72.667625][ T7028]  exit_to_user_mode_prepare+0x172/0x1d0
[   72.673269][ T7028]  syscall_exit_to_user_mode+0x59/0x2b0
[   72.678801][ T7028]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
[   72.684682][ T7028] RIP: 0033:0x447769
[   72.688576][ T7028] Code: Bad RIP value.
[   72.692699][ T7028] RSP: 002b:00007ffe52881ce8 EFLAGS: 00000246 ORIG_RAX: 000000000000002a
[   72.701122][ T7028] RAX: fffffffffffffffc RBX: 00007ffe52881d20 RCX: 0000000000447769
[   72.709069][ T7028] RDX: 0000000000000008 RSI: 00000000200001c0 RDI: 0000000000000004
[   72.717018][ T7028] RBP: 0000000000000000 R08: 0000000000000002 R09: 00000000000000ff
[   72.724972][ T7028] R10: 0000000000000004 R11: 0000000000000246 R12: 0000000000000004
[   72.732936][ T7028] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[   72.741996][ T7028] Kernel Offset: disabled
[   72.746310][ T7028] Rebooting in 86400 seconds..