[ OK ] Started Getty on tty4.
[ OK ] Started Getty on tty3.
[ OK ] Started Getty on tty2.
[ OK ] Started Serial Getty on ttyS0.
[ OK ] Started Getty on tty1.
[ OK ] Reached target Login Prompts.
[ OK ] Reached target Multi-User System.
[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
[ OK ] Started Update UTMP about System Runlevel Changes.
Starting Load/Save RF Kill Switch Status...
[ OK ] Started Load/Save RF Kill Switch Status.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.0.23' (ECDSA) to the list of known hosts.

syzkaller login: [ 62.631345][ T6858] IPVS: ftp: loaded support on port[0] = 21
executing program
[ 65.761926][ T2626] Bluetooth: hci0: command 0x0409 tx timeout
[ 67.841385][ T2626] Bluetooth: hci0: command 0x041b tx timeout
executing program
[ 69.920687][ T2626] Bluetooth: hci0: command 0x040f tx timeout
[ 72.000400][ T2543] Bluetooth: hci0: command 0x0419 tx timeout
[ 73.730922][ T6891] ==================================================================
[ 73.739256][ T6891] BUG: KASAN: use-after-free in sco_chan_del+0xe6/0x430
[ 73.746207][ T6891] Write of size 4 at addr ffff888092ba2010 by task syz-executor373/6891
[ 73.754523][ T6891]
[ 73.756928][ T6891] CPU: 1 PID: 6891 Comm: syz-executor373 Not tainted 5.8.0-next-20200810-syzkaller #0
[ 73.766494][ T6891] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 73.776637][ T6891] Call Trace:
[ 73.779934][ T6891] dump_stack+0x18f/0x20d
[ 73.784265][ T6891] ? sco_chan_del+0xe6/0x430
[ 73.788834][ T6891] ? sco_chan_del+0xe6/0x430
[ 73.793415][ T6891] print_address_description.constprop.0.cold+0xae/0x497
[ 73.800455][ T6891] ? sco_chan_del+0xab/0x430
[ 73.805037][ T6891] ? vprintk_func+0x97/0x1a6
[ 73.809629][ T6891] ? sco_chan_del+0xe6/0x430
[ 73.814203][ T6891] ? sco_chan_del+0xe6/0x430
[ 73.818963][ T6891] kasan_report.cold+0x1f/0x37
[ 73.823732][ T6891] ? sco_chan_del+0xe6/0x430
[ 73.828495][ T6891] check_memory_region+0x13d/0x180
[ 73.833607][ T6891] sco_chan_del+0xe6/0x430
[ 73.838023][ T6891] __sco_sock_close+0x16e/0x5b0
[ 73.842871][ T6891] sco_sock_release+0x69/0x290
[ 73.847637][ T6891] __sock_release+0xcd/0x280
[ 73.852421][ T6891] sock_close+0x18/0x20
[ 73.856563][ T6891] __fput+0x285/0x920
[ 73.860530][ T6891] ? __sock_release+0x280/0x280
[ 73.865382][ T6891] task_work_run+0xdd/0x190
[ 73.869885][ T6891] do_exit+0xb7d/0x29f0
[ 73.874109][ T6891] ? lock_acquire+0x1f1/0xad0
[ 73.878765][ T6891] ? find_held_lock+0x2d/0x110
[ 73.883510][ T6891] ? mm_update_next_owner+0x7a0/0x7a0
[ 73.888857][ T6891] ? get_signal+0x332/0x1ee0
[ 73.893430][ T6891] ? lock_downgrade+0x830/0x830
[ 73.898270][ T6891] ? lock_is_held_type+0xbb/0xf0
[ 73.903190][ T6891] do_group_exit+0x125/0x310
[ 73.907772][ T6891] get_signal+0x40b/0x1ee0
[ 73.912170][ T6891] ? lockdep_hardirqs_on_prepare+0x354/0x530
[ 73.918125][ T6891] ? sco_sock_connect+0x4e4/0x980
[ 73.923127][ T6891] ? lockdep_hardirqs_on+0x76/0xf0
[ 73.928230][ T6891] ? sco_sock_connect+0x4e4/0x980
[ 73.933253][ T6891] arch_do_signal+0x82/0x2520
[ 73.937907][ T6891] ? sco_sock_release+0x290/0x290
[ 73.942936][ T6891] ? __sys_connect_file+0x4e/0x1a0
[ 73.948035][ T6891] ? copy_siginfo_to_user32+0xa0/0xa0
[ 73.953496][ T6891] ? __sys_connect+0x10a/0x190
[ 73.958236][ T6891] ? __sys_connect_file+0x1a0/0x1a0
[ 73.963418][ T6891] ? exit_to_user_mode_prepare+0xb9/0x1c0
[ 73.969114][ T6891] ? lockdep_hardirqs_on_prepare+0x354/0x530
[ 73.975164][ T6891] exit_to_user_mode_prepare+0x15d/0x1c0
[ 73.980778][ T6891] syscall_exit_to_user_mode+0x59/0x2b0
[ 73.986313][ T6891] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 73.992182][ T6891] RIP: 0033:0x446dc9
[ 73.996049][ T6891] Code: Bad RIP value.
[ 74.000094][ T6891] RSP: 002b:00007ffdb64a82d8 EFLAGS: 00000246 ORIG_RAX: 000000000000002a
[ 74.008495][ T6891] RAX: fffffffffffffffc RBX: 0000000000000003 RCX: 0000000000446dc9
[ 74.016481][ T6891] RDX: 0000000000000008 RSI: 0000000020000080 RDI: 0000000000000004
[ 74.024430][ T6891] RBP: 00007ffdb64a8310 R08: 0000000000000002 R09: 00000000000000ff
[ 74.032383][ T6891] R10: 0000000000000004 R11: 0000000000000246 R12: 000000000000f8fb
[ 74.040346][ T6891] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 74.048322][ T6891]
[ 74.050629][ T6891] Allocated by task 6886:
[ 74.055059][ T6891] kasan_save_stack+0x1b/0x40
[ 74.059726][ T6891] __kasan_kmalloc.constprop.0+0xbf/0xd0
[ 74.065369][ T6891] kmem_cache_alloc_trace+0x16e/0x2c0
[ 74.070740][ T6891] hci_conn_add+0x53/0x1330
[ 74.075239][ T6891] hci_connect_sco+0x356/0x860
[ 74.080015][ T6891] sco_sock_connect+0x308/0x980
[ 74.080161][ T2543] Bluetooth: hci0: command 0x0405 tx timeout
[ 74.085157][ T6891] __sys_connect_file+0x155/0x1a0
[ 74.085180][ T6891] __sys_connect+0x161/0x190
[ 74.100729][ T6891] __x64_sys_connect+0x6f/0xb0
[ 74.105552][ T6891] do_syscall_64+0x2d/0x70
[ 74.110251][ T6891] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 74.116139][ T6891]
[ 74.118474][ T6891] Freed by task 6884:
[ 74.122468][ T6891] kasan_save_stack+0x1b/0x40
[ 74.127156][ T6891] kasan_set_track+0x1c/0x30
[ 74.131768][ T6891] kasan_set_free_info+0x1b/0x30
[ 74.136705][ T6891] __kasan_slab_free+0xd8/0x120
[ 74.141579][ T6891] kfree+0x103/0x2c0
[ 74.145465][ T6891] device_release+0x71/0x200
[ 74.150040][ T6891] kobject_put+0x171/0x270
[ 74.154450][ T6891] put_device+0x1b/0x30
[ 74.158586][ T6891] hci_conn_del+0x27e/0x6a0
[ 74.163126][ T6891] hci_phy_link_complete_evt.isra.0+0x508/0x790
[ 74.169454][ T6891] hci_event_packet+0x4696/0x87a8
[ 74.174757][ T6891] hci_rx_work+0x22e/0xb50
[ 74.179158][ T6891] process_one_work+0x94c/0x1670
[ 74.184078][ T6891] worker_thread+0x64c/0x1120
[ 74.188743][ T6891] kthread+0x3b5/0x4a0
[ 74.192793][ T6891] ret_from_fork+0x1f/0x30
[ 74.197180][ T6891]
[ 74.199500][ T6891] The buggy address belongs to the object at ffff888092ba2000
[ 74.199500][ T6891]  which belongs to the cache kmalloc-4k of size 4096
[ 74.213620][ T6891] The buggy address is located 16 bytes inside of
[ 74.213620][ T6891]  4096-byte region [ffff888092ba2000, ffff888092ba3000)
[ 74.226889][ T6891] The buggy address belongs to the page:
[ 74.232602][ T6891] page:00000000450b3bde refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x92ba2
[ 74.242727][ T6891] head:00000000450b3bde order:1 compound_mapcount:0
[ 74.249291][ T6891] flags: 0xfffe0000010200(slab|head)
[ 74.254567][ T6891] raw: 00fffe0000010200 ffffea00024d5988 ffffea0002491b88 ffff8880aa040900
[ 74.263129][ T6891] raw: 0000000000000000 ffff888092ba2000 0000000100000001 0000000000000000
[ 74.272902][ T6891] page dumped because: kasan: bad access detected
[ 74.279295][ T6891]
[ 74.281613][ T6891] Memory state around the buggy address:
[ 74.287243][ T6891]  ffff888092ba1f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 74.295287][ T6891]  ffff888092ba1f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 74.303459][ T6891] >ffff888092ba2000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 74.311504][ T6891]                          ^
[ 74.316078][ T6891]  ffff888092ba2080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 74.324130][ T6891]  ffff888092ba2100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 74.332209][ T6891] ==================================================================
[ 74.340245][ T6891] Disabling lock debugging due to kernel taint
[ 74.346967][ T6891] Kernel panic - not syncing: panic_on_warn set ...
[ 74.353577][ T6891] CPU: 1 PID: 6891 Comm: syz-executor373 Tainted: G B 5.8.0-next-20200810-syzkaller #0
[ 74.364695][ T6891] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 74.374818][ T6891] Call Trace:
[ 74.378095][ T6891] dump_stack+0x18f/0x20d
[ 74.382401][ T6891] ? sco_chan_del+0x30/0x430
[ 74.386968][ T6891] panic+0x2e3/0x75c
[ 74.390840][ T6891] ? __warn_printk+0xf3/0xf3
[ 74.395440][ T6891] ? preempt_schedule_common+0x59/0xc0
[ 74.400879][ T6891] ? sco_chan_del+0xe6/0x430
[ 74.405442][ T6891] ? preempt_schedule_thunk+0x16/0x18
[ 74.410789][ T6891] ? trace_hardirqs_on+0x55/0x220
[ 74.415806][ T6891] ? sco_chan_del+0xe6/0x430
[ 74.420465][ T6891] ? sco_chan_del+0xe6/0x430
[ 74.425046][ T6891] end_report+0x4d/0x53
[ 74.429190][ T6891] kasan_report.cold+0xd/0x37
[ 74.433844][ T6891] ? sco_chan_del+0xe6/0x430
[ 74.438422][ T6891] check_memory_region+0x13d/0x180
[ 74.443528][ T6891] sco_chan_del+0xe6/0x430
[ 74.447916][ T6891] __sco_sock_close+0x16e/0x5b0
[ 74.452988][ T6891] sco_sock_release+0x69/0x290
[ 74.457736][ T6891] __sock_release+0xcd/0x280
[ 74.462746][ T6891] sock_close+0x18/0x20
[ 74.466926][ T6891] __fput+0x285/0x920
[ 74.470884][ T6891] ? __sock_release+0x280/0x280
[ 74.475710][ T6891] task_work_run+0xdd/0x190
[ 74.480190][ T6891] do_exit+0xb7d/0x29f0
[ 74.484334][ T6891] ? lock_acquire+0x1f1/0xad0
[ 74.488984][ T6891] ? find_held_lock+0x2d/0x110
[ 74.493728][ T6891] ? mm_update_next_owner+0x7a0/0x7a0
[ 74.499074][ T6891] ? get_signal+0x332/0x1ee0
[ 74.503639][ T6891] ? lock_downgrade+0x830/0x830
[ 74.508465][ T6891] ? lock_is_held_type+0xbb/0xf0
[ 74.513376][ T6891] do_group_exit+0x125/0x310
[ 74.517949][ T6891] get_signal+0x40b/0x1ee0
[ 74.522354][ T6891] ? lockdep_hardirqs_on_prepare+0x354/0x530
[ 74.528501][ T6891] ? sco_sock_connect+0x4e4/0x980
[ 74.533599][ T6891] ? lockdep_hardirqs_on+0x76/0xf0
[ 74.538683][ T6891] ? sco_sock_connect+0x4e4/0x980
[ 74.543681][ T6891] arch_do_signal+0x82/0x2520
[ 74.548333][ T6891] ? sco_sock_release+0x290/0x290
[ 74.553363][ T6891] ? __sys_connect_file+0x4e/0x1a0
[ 74.558448][ T6891] ? copy_siginfo_to_user32+0xa0/0xa0
[ 74.563791][ T6891] ? __sys_connect+0x10a/0x190
[ 74.568528][ T6891] ? __sys_connect_file+0x1a0/0x1a0
[ 74.573707][ T6891] ? exit_to_user_mode_prepare+0xb9/0x1c0
[ 74.579552][ T6891] ? lockdep_hardirqs_on_prepare+0x354/0x530
[ 74.585510][ T6891] exit_to_user_mode_prepare+0x15d/0x1c0
[ 74.591129][ T6891] syscall_exit_to_user_mode+0x59/0x2b0
[ 74.596661][ T6891] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 74.602620][ T6891] RIP: 0033:0x446dc9
[ 74.606494][ T6891] Code: Bad RIP value.
[ 74.610530][ T6891] RSP: 002b:00007ffdb64a82d8 EFLAGS: 00000246 ORIG_RAX: 000000000000002a
[ 74.618929][ T6891] RAX: fffffffffffffffc RBX: 0000000000000003 RCX: 0000000000446dc9
[ 74.627076][ T6891] RDX: 0000000000000008 RSI: 0000000020000080 RDI: 0000000000000004
[ 74.635143][ T6891] RBP: 00007ffdb64a8310 R08: 0000000000000002 R09: 00000000000000ff
[ 74.643128][ T6891] R10: 0000000000000004 R11: 0000000000000246 R12: 000000000000f8fb
[ 74.651614][ T6891] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 74.661547][ T6891] Kernel Offset: disabled
[ 74.666131][ T6891] Rebooting in 86400 seconds..