Debian GNU/Linux 9 syzkaller ttyS0
Warning: Permanently added '10.128.1.8' (ECDSA) to the list of known hosts.
syzkaller login: [ 33.457181] audit: type=1400 audit(1596874368.025:8): avc: denied { execmem } for pid=6338 comm="syz-executor284" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=1
[ 33.478988] IPVS: ftp: loaded support on port[0] = 21
executing program
[ 34.601050] ==================================================================
[ 34.608699] BUG: KASAN: use-after-free in hci_chan_del+0x131/0x180
[ 34.615021] Read of size 8 at addr ffff8880a85800d8 by task syz-executor284/6339
[ 34.622535]
[ 34.624150] CPU: 0 PID: 6339 Comm: syz-executor284 Not tainted 4.14.193-syzkaller #0
[ 34.632136] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 34.641476] Call Trace:
[ 34.644063]  dump_stack+0x1b2/0x283
[ 34.647683]  ? l2cap_conn_del+0x670/0x670
[ 34.651820]  print_address_description.cold+0x54/0x1d3
[ 34.657109]  kasan_report_error.cold+0x8a/0x194
[ 34.661766]  ? hci_chan_del+0x131/0x180
[ 34.665750]  __asan_report_load8_noabort+0x68/0x70
[ 34.670670]  ? hci_chan_del+0x131/0x180
[ 34.674655]  hci_chan_del+0x131/0x180
[ 34.678458]  l2cap_conn_del+0x417/0x670
[ 34.682454]  ? __mutex_unlock_slowpath+0x75/0x770
[ 34.687282]  ? l2cap_conn_del+0x670/0x670
[ 34.691417]  l2cap_disconn_cfm+0x6b/0x80
[ 34.695465]  hci_conn_hash_flush+0x114/0x220
[ 34.700817]  hci_dev_do_close+0x542/0xc50
[ 34.704971]  ? lock_downgrade+0x740/0x740
[ 34.709122]  hci_unregister_dev+0x170/0x7a0
[ 34.713476]  ? fcntl_setlk+0xdb0/0xdb0
[ 34.727258]  ? vhci_close_dev+0x50/0x50
[ 34.731216]  vhci_release+0x70/0xe0
[ 34.734848]  __fput+0x25f/0x7a0
[ 34.738118]  task_work_run+0x11f/0x190
[ 34.741998]  do_exit+0xa08/0x27f0
[ 34.745462]  ? mm_update_next_owner+0x5b0/0x5b0
[ 34.750129]  ? vfs_write+0x319/0x4d0
[ 34.753830]  ? SyS_write+0x14d/0x210
[ 34.757543]  do_group_exit+0x100/0x2e0
[ 34.761421]  SyS_exit_group+0x19/0x20
[ 34.765208]  ? do_group_exit+0x2e0/0x2e0
[ 34.769277]  do_syscall_64+0x1d5/0x640
[ 34.773221]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 34.778418] RIP: 0033:0x445028
[ 34.781598] RSP: 002b:00007fff38277918 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 34.789311] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 0000000000445028
[ 34.796565] RDX: 0000000000000001 RSI: 000000000000003c RDI: 0000000000000001
[ 34.803835] RBP: 00000000004cce10 R08: 00000000000000e7 R09: ffffffffffffffd0
[ 34.812044] R10: 00007f2d508df9d0 R11: 0000000000000246 R12: 0000000000000001
[ 34.819315] R13: 00000000006e0200 R14: 0000000001cf6850 R15: 0000000000000001
[ 34.826580]
[ 34.828207] Allocated by task 6366:
[ 34.831825]  kasan_kmalloc+0xeb/0x160
[ 34.835611]  kmem_cache_alloc_trace+0x131/0x3d0
[ 34.840268]  hci_chan_create+0x7c/0x300
[ 34.845015]  l2cap_conn_add.part.0+0x18/0xc20
[ 34.849795]  l2cap_connect_cfm+0x1d2/0xce0
[ 34.854019]  hci_le_meta_evt+0x3288/0x3fc0
[ 34.858934]  hci_event_packet+0x25a7/0x7c7a
[ 34.863240]  hci_rx_work+0x3e6/0x970
[ 34.866942]  process_one_work+0x793/0x14a0
[ 34.871160]  worker_thread+0x5cc/0xff0
[ 34.875037]  kthread+0x30d/0x420
[ 34.878408]  ret_from_fork+0x24/0x30
[ 34.882100]
[ 34.883709] Freed by task 6366:
[ 34.886972]  kasan_slab_free+0xc3/0x1a0
[ 34.890947]  kfree+0xc9/0x250
[ 34.894038]  hci_event_packet+0xeae/0x7c7a
[ 34.898259]  hci_rx_work+0x3e6/0x970
[ 34.901960]  process_one_work+0x793/0x14a0
[ 34.906179]  worker_thread+0x5cc/0xff0
[ 34.910053]  kthread+0x30d/0x420
[ 34.913405]  ret_from_fork+0x24/0x30
[ 34.917108]
[ 34.918723] The buggy address belongs to the object at ffff8880a85800c0
[ 34.918723]  which belongs to the cache kmalloc-128 of size 128
[ 34.931385] The buggy address is located 24 bytes inside of
[ 34.931385]  128-byte region [ffff8880a85800c0, ffff8880a8580140)
[ 34.943164] The buggy address belongs to the page:
[ 34.948084] page:ffffea0002a16000 count:1 mapcount:0 mapping:ffff8880a8580000 index:0xffff8880a8580e40
[ 34.957521] flags: 0xfffe0000000100(slab)
[ 34.961656] raw: 00fffe0000000100 ffff8880a8580000 ffff8880a8580e40 000000010000000b
[ 34.969528] raw: ffffea00029e83a0 ffffea00029e5520 ffff88812fe52640 0000000000000000
[ 34.977394] page dumped because: kasan: bad access detected
[ 34.983084]
[ 34.984698] Memory state around the buggy address:
[ 34.989610]  ffff8880a857ff80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 34.996951]  ffff8880a8580000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 35.004292] >ffff8880a8580080: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 35.011653]                                                     ^
[ 35.017865]  ffff8880a8580100: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 35.025207]  ffff8880a8580180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 35.032544] ==================================================================
[ 35.039898] Disabling lock debugging due to kernel taint
[ 35.078743] Kernel panic - not syncing: panic_on_warn set ...
[ 35.078743]
[ 35.086130] CPU: 1 PID: 6339 Comm: syz-executor284 Tainted: G B 4.14.193-syzkaller #0
[ 35.095219] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 35.104549] Call Trace:
[ 35.107113]  dump_stack+0x1b2/0x283
[ 35.110728]  ? l2cap_conn_del+0x670/0x670
[ 35.114865]  panic+0x1f9/0x42d
[ 35.118030]  ? add_taint.cold+0x16/0x16
[ 35.121979]  ? ___preempt_schedule+0x16/0x18
[ 35.126379]  kasan_end_report+0x43/0x49
[ 35.130340]  kasan_report_error.cold+0xa7/0x194
[ 35.134983]  ? hci_chan_del+0x131/0x180
[ 35.138943]  __asan_report_load8_noabort+0x68/0x70
[ 35.143869]  ? hci_chan_del+0x131/0x180
[ 35.147815]  hci_chan_del+0x131/0x180
[ 35.151591]  l2cap_conn_del+0x417/0x670
[ 35.155540]  ? __mutex_unlock_slowpath+0x75/0x770
[ 35.160354]  ? l2cap_conn_del+0x670/0x670
[ 35.164476]  l2cap_disconn_cfm+0x6b/0x80
[ 35.168510]  hci_conn_hash_flush+0x114/0x220
[ 35.172906]  hci_dev_do_close+0x542/0xc50
[ 35.177044]  ? lock_downgrade+0x740/0x740
[ 35.181167]  hci_unregister_dev+0x170/0x7a0
[ 35.185470]  ? fcntl_setlk+0xdb0/0xdb0
[ 35.189345]  ? vhci_close_dev+0x50/0x50
[ 35.193300]  vhci_release+0x70/0xe0
[ 35.196926]  __fput+0x25f/0x7a0
[ 35.200190]  task_work_run+0x11f/0x190
[ 35.204063]  do_exit+0xa08/0x27f0
[ 35.207500]  ? mm_update_next_owner+0x5b0/0x5b0
[ 35.212164]  ? vfs_write+0x319/0x4d0
[ 35.215860]  ? SyS_write+0x14d/0x210
[ 35.219557]  do_group_exit+0x100/0x2e0
[ 35.223428]  SyS_exit_group+0x19/0x20
[ 35.227210]  ? do_group_exit+0x2e0/0x2e0
[ 35.231251]  do_syscall_64+0x1d5/0x640
[ 35.235127]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 35.240298] RIP: 0033:0x445028
[ 35.243467] RSP: 002b:00007fff38277918 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 35.251170] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 0000000000445028
[ 35.258423] RDX: 0000000000000001 RSI: 000000000000003c RDI: 0000000000000001
[ 35.265673] RBP: 00000000004cce10 R08: 00000000000000e7 R09: ffffffffffffffd0
[ 35.272926] R10: 00007f2d508df9d0 R11: 0000000000000246 R12: 0000000000000001
[ 35.280182] R13: 00000000006e0200 R14: 0000000001cf6850 R15: 0000000000000001
[ 35.288474] Kernel Offset: disabled
[ 35.292098] Rebooting in 86400 seconds..