[  OK  ] Reached target Login Prompts.
[  OK  ] Reached target Multi-User System.
[  OK  ] Reached target Graphical Interface.
         Starting Update UTMP about System Runlevel Changes...
[  OK  ] Started Update UTMP about System Runlevel Changes.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.1.42' (ECDSA) to the list of known hosts.

syzkaller login: [   41.773441][ T6805] IPVS: ftp: loaded support on port[0] = 21
executing program
[   43.334102][ T6838] ==================================================================
[   43.342313][ T6838] BUG: KASAN: use-after-free in __sco_sock_close+0x47c/0xed0
[   43.349685][ T6838] Write of size 4 at addr ffff888092d80010 by task syz-executor876/6838
[   43.357998][ T6838] 
[   43.360307][ T6838] CPU: 1 PID: 6838 Comm: syz-executor876 Not tainted 5.8.0-syzkaller #0
[   43.368623][ T6838] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   43.378649][ T6838] Call Trace:
[   43.381917][ T6838]  dump_stack+0x1f0/0x31e
[   43.386222][ T6838]  print_address_description+0x66/0x5a0
[   43.391736][ T6838]  ? vprintk_emit+0x342/0x3c0
[   43.396388][ T6838]  ? printk+0x62/0x83
[   43.400339][ T6838]  ? vprintk_emit+0x339/0x3c0
[   43.405030][ T6838]  kasan_report+0x132/0x1d0
[   43.409505][ T6838]  ? __sco_sock_close+0x47c/0xed0
[   43.414501][ T6838]  check_memory_region+0x2b5/0x2f0
[   43.419584][ T6838]  __sco_sock_close+0x47c/0xed0
[   43.424406][ T6838]  ? lockdep_hardirqs_on+0x49/0xf0
[   43.429487][ T6838]  sco_sock_release+0x63/0x4f0
[   43.434221][ T6838]  ? down_write+0xcd/0x130
[   43.438610][ T6838]  sock_close+0xd8/0x260
[   43.442823][ T6838]  ? sock_mmap+0x90/0x90
[   43.447034][ T6838]  __fput+0x2f0/0x750
[   43.450987][ T6838]  task_work_run+0x137/0x1c0
[   43.455548][ T6838]  do_exit+0x601/0x1f80
[   43.459678][ T6838]  do_group_exit+0x161/0x2d0
[   43.464283][ T6838]  get_signal+0x139b/0x1d30
[   43.468770][ T6838]  do_signal+0x33/0x610
[   43.472896][ T6838]  ? __se_sys_futex+0x2a7/0x390
[   43.477719][ T6838]  ? __prepare_exit_to_usermode+0x6d/0x1b0
[   43.483542][ T6838]  __prepare_exit_to_usermode+0xc3/0x1b0
[   43.489145][ T6838]  ? entry_SYSCALL_64_after_hwframe+0x44/0xa9
[   43.495198][ T6838]  do_syscall_64+0x7f/0xe0
[   43.499612][ T6838]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[   43.505475][ T6838] RIP: 0033:0x446909
[   43.509352][ T6838] Code: Bad RIP value.
[   43.513386][ T6838] RSP: 002b:00007f9d9920ddb8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
[   43.521764][ T6838] RAX: fffffffffffffe00 RBX: 00000000006dbc38 RCX: 0000000000446909
[   43.529729][ T6838] RDX: 0000000000000000 RSI: 0000000000000080 RDI: 00000000006dbc38
[   43.537669][ T6838] RBP: 00000000006dbc30 R08: 0000000000000000 R09: 0000000000000000
[   43.545609][ T6838] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dbc3c
[   43.553551][ T6838] R13: 00007ffda8c421ff R14: 00007f9d9920e9c0 R15: 00000000006dbc3c
[   43.561496][ T6838] 
[   43.563795][ T6838] Allocated by task 6833:
[   43.568096][ T6838]  __kasan_kmalloc+0x103/0x140
[   43.572842][ T6838]  kmem_cache_alloc_trace+0x234/0x300
[   43.578181][ T6838]  hci_conn_add+0x5d/0x1040
[   43.582650][ T6838]  hci_connect_sco+0x29a/0xa10
[   43.587380][ T6838]  sco_sock_connect+0x2de/0xaa0
[   43.592202][ T6838]  __sys_connect+0x2da/0x360
[   43.596776][ T6838]  __x64_sys_connect+0x76/0x80
[   43.601525][ T6838]  do_syscall_64+0x73/0xe0
[   43.605909][ T6838]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[   43.611763][ T6838] 
[   43.614060][ T6838] Freed by task 6832:
[   43.618012][ T6838]  __kasan_slab_free+0x114/0x170
[   43.622915][ T6838]  kfree+0x10a/0x220
[   43.626778][ T6838]  device_release+0x70/0x1a0
[   43.631336][ T6838]  kobject_put+0x15b/0x220
[   43.635734][ T6838]  hci_conn_del+0x2c2/0x550
[   43.640204][ T6838]  hci_event_packet+0x8335/0x18260
[   43.645286][ T6838]  hci_rx_work+0x236/0x9c0
[   43.649670][ T6838]  process_one_work+0x789/0xfc0
[   43.654488][ T6838]  worker_thread+0xaa4/0x1460
[   43.659134][ T6838]  kthread+0x37e/0x3a0
[   43.663172][ T6838]  ret_from_fork+0x1f/0x30
[   43.667558][ T6838] 
[   43.669858][ T6838] The buggy address belongs to the object at ffff888092d80000
[   43.669858][ T6838]  which belongs to the cache kmalloc-4k of size 4096
[   43.683892][ T6838] The buggy address is located 16 bytes inside of
[   43.683892][ T6838]  4096-byte region [ffff888092d80000, ffff888092d81000)
[   43.697126][ T6838] The buggy address belongs to the page:
[   43.702745][ T6838] page:ffffea00024b6000 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 head:ffffea00024b6000 order:1 compound_mapcount:0
[   43.716159][ T6838] flags: 0xfffe0000010200(slab|head)
[   43.721413][ T6838] raw: 00fffe0000010200 ffffea00024d7a08 ffffea00023d6f08 ffff8880aa402000
[   43.729980][ T6838] raw: 0000000000000000 ffff888092d80000 0000000100000001 0000000000000000
[   43.738531][ T6838] page dumped because: kasan: bad access detected
[   43.744910][ T6838] 
[   43.747233][ T6838] Memory state around the buggy address:
[   43.752831][ T6838]  ffff888092d7ff00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   43.760874][ T6838]  ffff888092d7ff80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   43.768904][ T6838] >ffff888092d80000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   43.776935][ T6838]                          ^
[   43.781489][ T6838]  ffff888092d80080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   43.789534][ T6838]  ffff888092d80100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   43.797562][ T6838] ==================================================================
[   43.805588][ T6838] Disabling lock debugging due to kernel taint
[   43.811812][ T6838] Kernel panic - not syncing: panic_on_warn set ...
[   43.818398][ T6838] CPU: 1 PID: 6838 Comm: syz-executor876 Tainted: G    B             5.8.0-syzkaller #0
[   43.828097][ T6838] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   43.838142][ T6838] Call Trace:
[   43.841404][ T6838]  dump_stack+0x1f0/0x31e
[   43.845701][ T6838]  panic+0x264/0x7a0
[   43.849563][ T6838]  ? trace_hardirqs_on+0x30/0x80
[   43.854468][ T6838]  ? _raw_spin_unlock_irqrestore+0xa5/0xd0
[   43.860244][ T6838]  kasan_report+0x1c9/0x1d0
[   43.864714][ T6838]  ? __sco_sock_close+0x47c/0xed0
[   43.869704][ T6838]  check_memory_region+0x2b5/0x2f0
[   43.874780][ T6838]  __sco_sock_close+0x47c/0xed0
[   43.879599][ T6838]  ? lockdep_hardirqs_on+0x49/0xf0
[   43.884674][ T6838]  sco_sock_release+0x63/0x4f0
[   43.889404][ T6838]  ? down_write+0xcd/0x130
[   43.893787][ T6838]  sock_close+0xd8/0x260
[   43.897996][ T6838]  ? sock_mmap+0x90/0x90
[   43.902202][ T6838]  __fput+0x2f0/0x750
[   43.906152][ T6838]  task_work_run+0x137/0x1c0
[   43.910707][ T6838]  do_exit+0x601/0x1f80
[   43.914838][ T6838]  do_group_exit+0x161/0x2d0
[   43.919396][ T6838]  get_signal+0x139b/0x1d30
[   43.923870][ T6838]  do_signal+0x33/0x610
[   43.927995][ T6838]  ? __se_sys_futex+0x2a7/0x390
[   43.932986][ T6838]  ? __prepare_exit_to_usermode+0x6d/0x1b0
[   43.938772][ T6838]  __prepare_exit_to_usermode+0xc3/0x1b0
[   43.944372][ T6838]  ? entry_SYSCALL_64_after_hwframe+0x44/0xa9
[   43.950506][ T6838]  do_syscall_64+0x7f/0xe0
[   43.954891][ T6838]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[   43.960762][ T6838] RIP: 0033:0x446909
[   43.964619][ T6838] Code: Bad RIP value.
[   43.968649][ T6838] RSP: 002b:00007f9d9920ddb8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
[   43.977025][ T6838] RAX: fffffffffffffe00 RBX: 00000000006dbc38 RCX: 0000000000446909
[   43.984982][ T6838] RDX: 0000000000000000 RSI: 0000000000000080 RDI: 00000000006dbc38
[   43.992919][ T6838] RBP: 00000000006dbc30 R08: 0000000000000000 R09: 0000000000000000
[   44.000859][ T6838] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dbc3c
[   44.008797][ T6838] R13: 00007ffda8c421ff R14: 00007f9d9920e9c0 R15: 00000000006dbc3c
[   44.017985][ T6838] Kernel Offset: disabled
[   44.022297][ T6838] Rebooting in 86400 seconds..
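The report above carries the three facts a triager pulls out first: the faulting access (a 4-byte write 16 bytes into a kmalloc-4k object, from __sco_sock_close on the socket close path of task 6838), the allocating stack (hci_conn_add reached from sco_sock_connect, task 6833) and the freeing stack (hci_conn_del reached from hci_event_packet on the hci_rx_work work queue, task 6832). Three different tasks touching one object, with the free coming from the HCI event side rather than from the socket that still holds the pointer, is the signature of a racing free rather than a single broken code path. The Python script below is an added example, not part of the syzbot report or of the kernel tree: it parses a KASAN report of this shape, drops the unreliable "? fn" frames, cross-checks KASAN's "N bytes inside of" statement against the raw addresses it printed, and flags the alloc/free/use-on-different-tasks pattern. The sample input is a constructed excerpt of the report above with the stacks shortened; the list of "generic" frame prefixes to skip is the author's own heuristic.

```python
import re

# Constructed excerpt of the report above (real lines, stacks shortened) so the
# script runs offline; in practice feed it the whole console log.
SAMPLE_REPORT = """\
[   43.334102][ T6838] ==================================================================
[   43.342313][ T6838] BUG: KASAN: use-after-free in __sco_sock_close+0x47c/0xed0
[   43.349685][ T6838] Write of size 4 at addr ffff888092d80010 by task syz-executor876/6838
[   43.378649][ T6838] Call Trace:
[   43.381917][ T6838]  dump_stack+0x1f0/0x31e
[   43.391736][ T6838]  ? vprintk_emit+0x342/0x3c0
[   43.405030][ T6838]  kasan_report+0x132/0x1d0
[   43.419584][ T6838]  __sco_sock_close+0x47c/0xed0
[   43.429487][ T6838]  sco_sock_release+0x63/0x4f0
[   43.561496][ T6838] 
[   43.563795][ T6838] Allocated by task 6833:
[   43.568096][ T6838]  __kasan_kmalloc+0x103/0x140
[   43.572842][ T6838]  kmem_cache_alloc_trace+0x234/0x300
[   43.578181][ T6838]  hci_conn_add+0x5d/0x1040
[   43.587380][ T6838]  sco_sock_connect+0x2de/0xaa0
[   43.611763][ T6838] 
[   43.614060][ T6838] Freed by task 6832:
[   43.618012][ T6838]  __kasan_slab_free+0x114/0x170
[   43.622915][ T6838]  kfree+0x10a/0x220
[   43.626778][ T6838]  device_release+0x70/0x1a0
[   43.631336][ T6838]  kobject_put+0x15b/0x220
[   43.635734][ T6838]  hci_conn_del+0x2c2/0x550
[   43.645286][ T6838]  hci_rx_work+0x236/0x9c0
[   43.667558][ T6838] 
[   43.669858][ T6838] The buggy address belongs to the object at ffff888092d80000
[   43.669858][ T6838]  which belongs to the cache kmalloc-4k of size 4096
[   43.683892][ T6838] The buggy address is located 16 bytes inside of
[   43.683892][ T6838]  4096-byte region [ffff888092d80000, ffff888092d81000)
[   43.797562][ T6838] ==================================================================
"""

PREFIX = re.compile(r"^\[\s*\d+\.\d+\]\[\s*T\d+\]\s?")          # "[ secs][ Tpid] "
BUG = re.compile(r"^BUG: KASAN: (\S+) in (\S+)")
ACCESS = re.compile(r"^(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task \S+/(\d+)")
SECTION = re.compile(r"^(Allocated|Freed) by task (\d+):")
FRAME = re.compile(r"^\s*(\? )?([A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+$")
OBJECT = re.compile(r"^The buggy address belongs to the object at ([0-9a-f]+)")
CACHE = re.compile(r"^\s*which belongs to the cache (\S+) of size (\d+)")
INSIDE = re.compile(r"^The buggy address is located (\d+) bytes inside of")

# Heuristic (author's own): allocator, KASAN and kobject plumbing never names the buggy subsystem.
GENERIC = ("__kasan_", "kasan_", "kmem_cache_", "kmalloc", "kfree", "dump_stack",
           "print_address_description", "check_memory_region", "device_release", "kobject_put")

def parse_kasan_report(text: str) -> dict:
    r = {"stacks": {}, "pids": {}, "stated_offset": None}
    section, in_report = None, False
    for raw in text.splitlines():
        line = PREFIX.sub("", raw)
        if line.startswith("====="):
            if in_report:
                break                 # closing banner: skip the panic trace after it
            in_report = True
            continue
        if not in_report:
            continue
        if (m := FRAME.match(line)) and section:
            if not m.group(1):        # "? fn" entries are stale stack slots, not callers
                r["stacks"].setdefault(section, []).append(m.group(2))
            continue
        section = None                # any non-frame line closes the current stack
        if m := BUG.match(line):
            r["bug_type"] = m.group(1)
        elif m := ACCESS.match(line):
            r["access"], r["size"], r["addr"] = m.group(1), int(m.group(2)), int(m.group(3), 16)
            r["pids"]["access"] = int(m.group(4))
        elif line.startswith("Call Trace:"):
            section = "access"
        elif m := SECTION.match(line):
            section = "alloc" if m.group(1) == "Allocated" else "free"
            r["pids"][section] = int(m.group(2))
        elif m := OBJECT.match(line):
            r["object_base"] = int(m.group(1), 16)
        elif m := CACHE.match(line):
            r["cache"], r["object_size"] = m.group(1), int(m.group(2))
        elif m := INSIDE.match(line):
            r["stated_offset"] = int(m.group(1))
    return r

def first_subsystem_frame(stack):
    # Innermost frame that is not allocator/KASAN/kobject plumbing.
    return next((fn for fn in stack if not fn.startswith(GENERIC)), None)

def computed_offset(r: dict) -> int:
    return r["addr"] - r["object_base"]

def offset_consistent(r: dict) -> bool:
    # Cross-check KASAN's prose ("16 bytes inside of") against the raw addresses it printed.
    return r["stated_offset"] is not None and computed_offset(r) == r["stated_offset"]

def is_cross_task_race(r: dict) -> bool:
    # Use, alloc and free on three different tasks: a racing free, not one broken path.
    return len(set(r["pids"].values())) == 3
```

Run against the excerpt, `first_subsystem_frame` yields `__sco_sock_close` / `hci_conn_add` / `hci_conn_del` for the use, alloc and free stacks, `offset_consistent` confirms that `ffff888092d80010 - ffff888092d80000` matches the stated 16 bytes, and `is_cross_task_race` is true for PIDs 6838/6833/6832. The parser stops at the second `====` banner on purpose: the panic that follows repeats the same stack and would otherwise be appended to the access trace.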