[ OK ] Started Getty on tty4. [ OK ] Started Getty on tty3. [ OK ] Started Getty on tty2. [ OK ] Started Serial Getty on ttyS0. [ OK ] Started Getty on tty1. [ OK ] Reached target Login Prompts. [ OK ] Reached target Multi-User System. [ OK ] Reached target Graphical Interface. Starting Update UTMP about System Runlevel Changes... [ OK ] Started Update UTMP about System Runlevel Changes. Starting Load/Save RF Kill Switch Status... [ OK ] Started Load/Save RF Kill Switch Status. Debian GNU/Linux 9 syzkaller ttyS0 Warning: Permanently added '10.128.0.129' (ECDSA) to the list of known hosts. syzkaller login: [ 61.759150][ T6873] IPVS: ftp: loaded support on port[0] = 21 [ 61.770686][ T6876] IPVS: ftp: loaded support on port[0] = 21 [ 61.770706][ T6875] IPVS: ftp: loaded support on port[0] = 21 [ 61.779337][ T6877] IPVS: ftp: loaded support on port[0] = 21 [ 61.787273][ T6878] IPVS: ftp: loaded support on port[0] = 21 [ 61.788527][ T6874] IPVS: ftp: loaded support on port[0] = 21 executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program [ 63.243511][ T7034] ================================================================== [ 63.251805][ T7034] BUG: KASAN: use-after-free in sco_chan_del+0xe6/0x430 [ 63.258756][ T7034] Write of size 4 at addr ffff888093190010 by task syz-executor416/7034 [ 63.267091][ T7034] [ 63.269438][ T7034] CPU: 0 PID: 7034 Comm: syz-executor416 Not tainted 5.8.0-rc7-next-20200731-syzkaller #0 [ 63.279329][ T7034] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 63.289394][ T7034] Call Trace: [ 63.292704][ T7034] dump_stack+0x18f/0x20d [ 63.297056][ T7034] ? sco_chan_del+0xe6/0x430 [ 63.301658][ T7034] ? sco_chan_del+0xe6/0x430 [ 63.306266][ T7034] print_address_description.constprop.0.cold+0xae/0x497 [ 63.313313][ T7034] ? sco_chan_del+0xab/0x430 [ 63.317918][ T7034] ? lockdep_hardirqs_off+0x7e/0xb0 [ 63.323129][ T7034] ? vprintk_func+0x97/0x1a6 [ 63.327735][ T7034] ? sco_chan_del+0xe6/0x430 [ 63.332380][ T7034] ? sco_chan_del+0xe6/0x430 [ 63.336982][ T7034] kasan_report.cold+0x1f/0x37 executing program executing program executing program executing program executing program executing program executing program executing program executing program [ 63.341849][ T7034] ? sco_chan_del+0xe6/0x430 [ 63.346461][ T7034] check_memory_region+0x13d/0x180 [ 63.351589][ T7034] sco_chan_del+0xe6/0x430 [ 63.356023][ T7034] __sco_sock_close+0x16e/0x5b0 [ 63.360893][ T7034] sco_sock_release+0x69/0x290 [ 63.365675][ T7034] __sock_release+0xcd/0x280 [ 63.370280][ T7034] sock_close+0x18/0x20 [ 63.374451][ T7034] __fput+0x285/0x920 [ 63.378449][ T7034] ? __sock_release+0x280/0x280 [ 63.384199][ T7034] task_work_run+0xdd/0x190 [ 63.388718][ T7034] get_signal+0xd6c/0x1ee0 [ 63.393153][ T7034] ? kick_process+0xce/0x150 [ 63.397751][ T7034] ? task_work_add+0xe3/0x250 [ 63.402418][ T7034] arch_do_signal+0x82/0x2520 [ 63.407118][ T7034] ? fput_many+0xf6/0x1a0 [ 63.411470][ T7034] ? copy_siginfo_to_user32+0xa0/0xa0 [ 63.416838][ T7034] ? __sys_connect+0x109/0x190 [ 63.421585][ T7034] ? __sys_connect_file+0x1a0/0x1a0 [ 63.426773][ T7034] ? lock_is_held_type+0xbb/0xf0 [ 63.431721][ T7034] ? exit_to_user_mode_prepare+0xb9/0x1c0 [ 63.437433][ T7034] ? lockdep_hardirqs_on_prepare+0x354/0x530 [ 63.443402][ T7034] exit_to_user_mode_prepare+0x15d/0x1c0 [ 63.449036][ T7034] syscall_exit_to_user_mode+0x59/0x2b0 [ 63.454575][ T7034] entry_SYSCALL_64_after_hwframe+0x44/0xa9 [ 63.460519][ T7034] RIP: 0033:0x4471b9 [ 63.464401][ T7034] Code: e8 4c e7 ff ff 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 3b 07 fc ff c3 66 2e 0f 1f 84 00 00 00 00 [ 63.483995][ T7034] RSP: 002b:00007f55edfb6db8 EFLAGS: 00000246 ORIG_RAX: 000000000000002a [ 63.492414][ T7034] RAX: fffffffffffffffc RBX: 00000000006dcc28 RCX: 00000000004471b9 [ 63.500395][ T7034] RDX: 0000000000000008 RSI: 0000000020000000 RDI: 0000000000000004 [ 63.508388][ T7034] RBP: 00000000006dcc20 R08: 0000000000000000 R09: 0000000000000000 [ 63.516345][ T7034] R10: 0000000000000002 R11: 0000000000000246 R12: 00000000006dcc2c [ 63.524325][ T7034] R13: 00007ffedfc463df R14: 00007f55edfb79c0 R15: 0000000000000064 [ 63.532285][ T7034] [ 63.534604][ T7034] Allocated by task 7034: [ 63.538946][ T7034] kasan_save_stack+0x1b/0x40 [ 63.543607][ T7034] __kasan_kmalloc.constprop.0+0xbf/0xd0 [ 63.549217][ T7034] kmem_cache_alloc_trace+0x16e/0x2c0 [ 63.554576][ T7034] hci_conn_add+0x53/0x1330 [ 63.559065][ T7034] hci_connect_sco+0x356/0x860 [ 63.563809][ T7034] sco_sock_connect+0x308/0x980 [ 63.568655][ T7034] __sys_connect_file+0x155/0x1a0 [ 63.573660][ T7034] __sys_connect+0x160/0x190 [ 63.578229][ T7034] __x64_sys_connect+0x6f/0xb0 [ 63.582973][ T7034] do_syscall_64+0x2d/0x70 [ 63.587368][ T7034] entry_SYSCALL_64_after_hwframe+0x44/0xa9 [ 63.593257][ T7034] [ 63.595568][ T7034] Freed by task 7014: [ 63.599648][ T7034] kasan_save_stack+0x1b/0x40 [ 63.604302][ T7034] kasan_set_track+0x1c/0x30 [ 63.608883][ T7034] kasan_set_free_info+0x1b/0x30 [ 63.613820][ T7034] __kasan_slab_free+0xd8/0x120 [ 63.618650][ T7034] kfree+0x103/0x2c0 [ 63.622627][ T7034] device_release+0x71/0x200 [ 63.627198][ T7034] kobject_put+0x171/0x270 [ 63.631612][ T7034] put_device+0x1b/0x30 [ 63.635752][ T7034] hci_conn_del+0x27e/0x6a0 [ 63.640240][ T7034] hci_phy_link_complete_evt.isra.0+0x508/0x790 [ 63.646471][ T7034] hci_event_packet+0x4696/0x87a8 [ 63.651476][ T7034] hci_rx_work+0x22e/0xb50 [ 63.655871][ T7034] process_one_work+0x94c/0x1670 [ 63.660816][ T7034] worker_thread+0x64c/0x1120 [ 63.665472][ T7034] kthread+0x3b5/0x4a0 [ 63.669523][ T7034] ret_from_fork+0x1f/0x30 [ 63.673915][ T7034] [ 63.676230][ T7034] The buggy address belongs to the object at ffff888093190000 [ 63.676230][ T7034] which belongs to the cache kmalloc-4k of size 4096 [ 63.690287][ T7034] The buggy address is located 16 bytes inside of [ 63.690287][ T7034] 4096-byte region [ffff888093190000, ffff888093191000) [ 63.703536][ T7034] The buggy address belongs to the page: [ 63.709191][ T7034] page:00000000c69fbb81 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x93190 [ 63.719328][ T7034] head:00000000c69fbb81 order:1 compound_mapcount:0 [ 63.725951][ T7034] flags: 0xfffe0000010200(slab|head) [ 63.731291][ T7034] raw: 00fffe0000010200 ffffea0002782c08 ffffea0002365088 ffff8880aa000900 [ 63.739913][ T7034] raw: 0000000000000000 ffff888093190000 0000000100000001 0000000000000000 [ 63.748488][ T7034] page dumped because: kasan: bad access detected [ 63.754891][ T7034] [ 63.757199][ T7034] Memory state around the buggy address: [ 63.762996][ T7034] ffff88809318ff00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 63.771051][ T7034] ffff88809318ff80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 63.779123][ T7034] >ffff888093190000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 63.787253][ T7034] ^ [ 63.791845][ T7034] ffff888093190080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 63.799912][ T7034] ffff888093190100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 63.807955][ T7034] ================================================================== [ 63.815997][ T7034] Disabling lock debugging due to kernel taint [ 63.826834][ T7034] Kernel panic - not syncing: panic_on_warn set ... [ 63.833462][ T7034] CPU: 0 PID: 7034 Comm: syz-executor416 Tainted: G B 5.8.0-rc7-next-20200731-syzkaller #0 [ 63.844722][ T7034] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 63.854864][ T7034] Call Trace: [ 63.858174][ T7034] dump_stack+0x18f/0x20d [ 63.862492][ T7034] ? sco_chan_del+0x20/0x430 [ 63.867082][ T7034] panic+0x2e3/0x75c [ 63.870963][ T7034] ? __warn_printk+0xf3/0xf3 [ 63.875536][ T7034] ? preempt_schedule_common+0x59/0xc0 [ 63.880976][ T7034] ? sco_chan_del+0xe6/0x430 [ 63.885551][ T7034] ? preempt_schedule_thunk+0x16/0x18 [ 63.890904][ T7034] ? trace_hardirqs_on+0x55/0x220 [ 63.895913][ T7034] ? sco_chan_del+0xe6/0x430 [ 63.900483][ T7034] ? sco_chan_del+0xe6/0x430 [ 63.905076][ T7034] end_report+0x4d/0x53 [ 63.909222][ T7034] kasan_report.cold+0xd/0x37 [ 63.913898][ T7034] ? sco_chan_del+0xe6/0x430 [ 63.918491][ T7034] check_memory_region+0x13d/0x180 [ 63.923609][ T7034] sco_chan_del+0xe6/0x430 [ 63.928029][ T7034] __sco_sock_close+0x16e/0x5b0 [ 63.932861][ T7034] sco_sock_release+0x69/0x290 [ 63.937611][ T7034] __sock_release+0xcd/0x280 [ 63.942182][ T7034] sock_close+0x18/0x20 [ 63.946315][ T7034] __fput+0x285/0x920 [ 63.950277][ T7034] ? __sock_release+0x280/0x280 [ 63.955117][ T7034] task_work_run+0xdd/0x190 [ 63.959602][ T7034] get_signal+0xd6c/0x1ee0 [ 63.963999][ T7034] ? kick_process+0xce/0x150 [ 63.968569][ T7034] ? task_work_add+0xe3/0x250 [ 63.973251][ T7034] arch_do_signal+0x82/0x2520 [ 63.977908][ T7034] ? fput_many+0xf6/0x1a0 [ 63.982479][ T7034] ? copy_siginfo_to_user32+0xa0/0xa0 [ 63.987828][ T7034] ? __sys_connect+0x109/0x190 [ 63.992571][ T7034] ? __sys_connect_file+0x1a0/0x1a0 [ 63.997754][ T7034] ? lock_is_held_type+0xbb/0xf0 [ 64.002677][ T7034] ? exit_to_user_mode_prepare+0xb9/0x1c0 [ 64.008378][ T7034] ? lockdep_hardirqs_on_prepare+0x354/0x530 [ 64.014346][ T7034] exit_to_user_mode_prepare+0x15d/0x1c0 [ 64.019960][ T7034] syscall_exit_to_user_mode+0x59/0x2b0 [ 64.025487][ T7034] entry_SYSCALL_64_after_hwframe+0x44/0xa9 [ 64.031359][ T7034] RIP: 0033:0x4471b9 [ 64.035237][ T7034] Code: e8 4c e7 ff ff 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 3b 07 fc ff c3 66 2e 0f 1f 84 00 00 00 00 [ 64.054817][ T7034] RSP: 002b:00007f55edfb6db8 EFLAGS: 00000246 ORIG_RAX: 000000000000002a [ 64.064685][ T7034] RAX: fffffffffffffffc RBX: 00000000006dcc28 RCX: 00000000004471b9 [ 64.072896][ T7034] RDX: 0000000000000008 RSI: 0000000020000000 RDI: 0000000000000004 [ 64.080847][ T7034] RBP: 00000000006dcc20 R08: 0000000000000000 R09: 0000000000000000 [ 64.088801][ T7034] R10: 0000000000000002 R11: 0000000000000246 R12: 00000000006dcc2c [ 64.096771][ T7034] R13: 00007ffedfc463df R14: 00007f55edfb79c0 R15: 0000000000000064 [ 64.106058][ T7034] Kernel Offset: disabled [ 64.110380][ T7034] Rebooting in 86400 seconds..