Warning: Permanently added '10.128.10.59' (ECDSA) to the list of known hosts.
syzkaller login: [   37.976876] audit: type=1400 audit(1596637521.264:8): avc:  denied  { execmem } for  pid=6456 comm="syz-executor364" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=1
[   37.992525] IPVS: ftp: loaded support on port[0] = 21
executing program
[   39.192816] Bluetooth: Wrong link type (-22)
[   39.213798] ==================================================================
[   39.221284] BUG: KASAN: use-after-free in hci_chan_del+0x13e/0x180
[   39.227594] Read of size 8 at addr ffff8880948cab58 by task syz-executor364/6457
[   39.235100] 
[   39.236709] CPU: 1 PID: 6457 Comm: syz-executor364 Not tainted 4.19.137-syzkaller #0
[   39.244562] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   39.253891] Call Trace:
[   39.256460]  dump_stack+0x1fc/0x2fe
[   39.260065]  ? l2cap_conn_del+0x6b0/0x6b0
[   39.264193]  print_address_description.cold+0x54/0x219
[   39.269448]  kasan_report_error.cold+0x8a/0x1c7
[   39.274094]  ? hci_chan_del+0x13e/0x180
[   39.278044]  __asan_report_load8_noabort+0x88/0x90
[   39.282951]  ? hci_chan_del+0x13e/0x180
[   39.286901]  hci_chan_del+0x13e/0x180
[   39.290684]  l2cap_conn_del+0x44f/0x6b0
[   39.294643]  ? l2cap_conn_del+0x6b0/0x6b0
[   39.298764]  l2cap_disconn_cfm+0x85/0xa0
[   39.302803]  hci_conn_hash_flush+0x114/0x220
[   39.307187]  hci_dev_do_close+0x624/0xe70
[   39.311312]  ? hci_dev_open+0x2a0/0x2a0
[   39.315262]  ? hci_unregister_dev+0x62/0x7f0
[   39.319649]  hci_unregister_dev+0x17c/0x7f0
[   39.323953]  ? vhci_close_dev+0x50/0x50
[   39.327900]  vhci_release+0x70/0xe0
[   39.331502]  __fput+0x2ce/0x890
[   39.334761]  task_work_run+0x148/0x1c0
[   39.338634]  do_exit+0xbb2/0x2b70
[   39.342065]  ? __schedule+0x88f/0x2040
[   39.346054]  ? mm_update_next_owner+0x650/0x650
[   39.350698]  ? io_schedule_timeout+0x140/0x140
[   39.355275]  ? ksys_write+0x1c8/0x2a0
[   39.359055]  do_group_exit+0x125/0x310
[   39.362920]  __x64_sys_exit_group+0x3a/0x50
[   39.367218]  do_syscall_64+0xf9/0x620
[   39.370997]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   39.376162] RIP: 0033:0x445138
[   39.379338] Code: Bad RIP value.
[   39.382678] RSP: 002b:00007ffd7ae8ba48 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[   39.390367] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 0000000000445138
[   39.397611] RDX: 0000000000000001 RSI: 000000000000003c RDI: 0000000000000001
[   39.404859] RBP: 00000000004ccef0 R08: 00000000000000e7 R09: ffffffffffffffd0
[   39.412105] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001
[   39.419362] R13: 00000000006e0200 R14: 00000000009e2850 R15: 0000000000000001
[   39.426612] 
[   39.428219] Allocated by task 6481:
[   39.431827]  kmem_cache_alloc_trace+0x12f/0x380
[   39.436469]  hci_chan_create+0x8e/0x310
[   39.440416]  l2cap_conn_add.part.0+0x18/0xc40
[   39.444885]  l2cap_connect_cfm+0x236/0xe70
[   39.449092]  le_conn_complete_evt+0x111b/0x1730
[   39.453737]  hci_le_meta_evt+0x32c/0x3a50
[   39.457859]  hci_event_packet+0x1a29/0x858f
[   39.462155]  hci_rx_work+0x46b/0xa90
[   39.465843]  process_one_work+0x864/0x1570
[   39.470051]  worker_thread+0x64c/0x1130
[   39.474003]  kthread+0x30b/0x410
[   39.477344]  ret_from_fork+0x24/0x30
[   39.481029] 
[   39.482633] Freed by task 1226:
[   39.485888]  kfree+0xcc/0x210
[   39.489008]  hci_event_packet+0xf52/0x858f
[   39.493231]  hci_rx_work+0x46b/0xa90
[   39.496952]  process_one_work+0x864/0x1570
[   39.501189]  worker_thread+0x64c/0x1130
[   39.505155]  kthread+0x30b/0x410
[   39.508497]  ret_from_fork+0x24/0x30
[   39.512181] 
[   39.513784] The buggy address belongs to the object at ffff8880948cab40
[   39.513784]  which belongs to the cache kmalloc-128 of size 128
[   39.526461] The buggy address is located 24 bytes inside of
[   39.526461]  128-byte region [ffff8880948cab40, ffff8880948cabc0)
[   39.538221] The buggy address belongs to the page:
[   39.543127] page:ffffea0002523280 count:1 mapcount:0 mapping:ffff88812c39c640 index:0x0
[   39.551256] flags: 0xfffe0000000100(slab)
[   39.555383] raw: 00fffe0000000100 ffffea0002a2a148 ffffea0002a4a308 ffff88812c39c640
[   39.563241] raw: 0000000000000000 ffff8880948ca000 0000000100000015 0000000000000000
[   39.571093] page dumped because: kasan: bad access detected
[   39.576788] 
[   39.578405] Memory state around the buggy address:
[   39.583308]  ffff8880948caa00: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   39.590641]  ffff8880948caa80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   39.597974] >ffff8880948cab00: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[   39.605306]                                                     ^
[   39.611511]  ffff8880948cab80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   39.618845]  ffff8880948cac00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   39.626177] ==================================================================
[   39.633510] Disabling lock debugging due to kernel taint
[   39.641987] Kernel panic - not syncing: panic_on_warn set ...
[   39.641987] 
[   39.649372] CPU: 0 PID: 6457 Comm: syz-executor364 Tainted: G    B             4.19.137-syzkaller #0
[   39.658631] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   39.667970] Call Trace:
[   39.670536]  dump_stack+0x1fc/0x2fe
[   39.674140]  ? l2cap_conn_del+0x6b0/0x6b0
[   39.678259]  panic+0x26a/0x50e
[   39.681426]  ? __warn_printk+0xf3/0xf3
[   39.685288]  ? l2cap_conn_del+0x6b0/0x6b0
[   39.689411]  ? preempt_schedule_common+0x45/0xc0
[   39.694144]  ? ___preempt_schedule+0x16/0x18
[   39.698528]  ? trace_hardirqs_on+0x55/0x210
[   39.702826]  ? l2cap_conn_del+0x6b0/0x6b0
[   39.706948]  kasan_end_report+0x43/0x49
[   39.710898]  kasan_report_error.cold+0xa7/0x1c7
[   39.715579]  ? hci_chan_del+0x13e/0x180
[   39.719527]  __asan_report_load8_noabort+0x88/0x90
[   39.724433]  ? hci_chan_del+0x13e/0x180
[   39.728379]  hci_chan_del+0x13e/0x180
[   39.732168]  l2cap_conn_del+0x44f/0x6b0
[   39.736122]  ? l2cap_conn_del+0x6b0/0x6b0
[   39.740244]  l2cap_disconn_cfm+0x85/0xa0
[   39.744316]  hci_conn_hash_flush+0x114/0x220
[   39.748703]  hci_dev_do_close+0x624/0xe70
[   39.752827]  ? hci_dev_open+0x2a0/0x2a0
[   39.756774]  ? hci_unregister_dev+0x62/0x7f0
[   39.761159]  hci_unregister_dev+0x17c/0x7f0
[   39.765494]  ? vhci_close_dev+0x50/0x50
[   39.769441]  vhci_release+0x70/0xe0
[   39.773044]  __fput+0x2ce/0x890
[   39.776315]  task_work_run+0x148/0x1c0
[   39.780192]  do_exit+0xbb2/0x2b70
[   39.783630]  ? __schedule+0x88f/0x2040
[   39.787492]  ? mm_update_next_owner+0x650/0x650
[   39.792134]  ? io_schedule_timeout+0x140/0x140
[   39.796691]  ? ksys_write+0x1c8/0x2a0
[   39.800470]  do_group_exit+0x125/0x310
[   39.804335]  __x64_sys_exit_group+0x3a/0x50
[   39.808634]  do_syscall_64+0xf9/0x620
[   39.812412]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   39.817683] RIP: 0033:0x445138
[   39.820863] Code: Bad RIP value.
[   39.824201] RSP: 002b:00007ffd7ae8ba48 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[   39.831884] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 0000000000445138
[   39.839130] RDX: 0000000000000001 RSI: 000000000000003c RDI: 0000000000000001
[   39.846373] RBP: 00000000004ccef0 R08: 00000000000000e7 R09: ffffffffffffffd0
[   39.853627] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001
[   39.860881] R13: 00000000006e0200 R14: 00000000009e2850 R15: 0000000000000001
[   39.869283] Kernel Offset: disabled
[   39.872899] Rebooting in 86400 seconds..