[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
Starting Load/Save RF Kill Switch Status...
[ OK ] Started Update UTMP about System Runlevel Changes.
[ OK ] Started Load/Save RF Kill Switch Status.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.0.108' (ECDSA) to the list of known hosts.

syzkaller login: [ 35.461711] audit: type=1400 audit(1596773604.721:8): avc: denied { execmem } for pid=6349 comm="syz-executor240" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=1
[ 35.718467] IPVS: ftp: loaded support on port[0] = 21
executing program
[ 37.577318] ==================================================================
[ 37.584905] BUG: KASAN: use-after-free in hci_chan_del+0x131/0x180
[ 37.591343] Read of size 8 at addr ffff8880a4b19d98 by task syz-executor240/6350
[ 37.598968]
[ 37.600582] CPU: 0 PID: 6350 Comm: syz-executor240 Not tainted 4.14.192-syzkaller #0
[ 37.608434] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 37.617882] Call Trace:
[ 37.620470]  dump_stack+0x1b2/0x283
[ 37.624165]  ? l2cap_conn_del+0x670/0x670
[ 37.628298]  print_address_description.cold+0x54/0x1d3
[ 37.633660]  kasan_report_error.cold+0x8a/0x194
[ 37.638315]  ? hci_chan_del+0x131/0x180
[ 37.642350]  __asan_report_load8_noabort+0x68/0x70
[ 37.647258]  ? hci_chan_del+0x131/0x180
[ 37.651379]  hci_chan_del+0x131/0x180
[ 37.655158]  l2cap_conn_del+0x417/0x670
[ 37.659107]  ? __mutex_unlock_slowpath+0x75/0x770
[ 37.663928]  ? l2cap_conn_del+0x670/0x670
[ 37.668071]  l2cap_disconn_cfm+0x6b/0x80
[ 37.672273]  hci_conn_hash_flush+0x114/0x220
[ 37.676669]  hci_dev_do_close+0x542/0xc50
[ 37.680792]  ? lock_downgrade+0x740/0x740
[ 37.684951]  hci_unregister_dev+0x170/0x7a0
[ 37.689536]  ? fcntl_setlk+0xdb0/0xdb0
[ 37.693420]  ? vhci_close_dev+0x50/0x50
[ 37.697462]  vhci_release+0x70/0xe0
[ 37.701072]  __fput+0x25f/0x7a0
[ 37.704332]  task_work_run+0x11f/0x190
[ 37.709494]  do_exit+0xa08/0x27f0
[ 37.712926]  ? mm_update_next_owner+0x5b0/0x5b0
[ 37.717571]  ? vfs_write+0x319/0x4d0
[ 37.721260]  ? SyS_write+0x14d/0x210
[ 37.724951]  do_group_exit+0x100/0x2e0
[ 37.728816]  SyS_exit_group+0x19/0x20
[ 37.732606]  ? do_group_exit+0x2e0/0x2e0
[ 37.736661]  do_syscall_64+0x1d5/0x640
[ 37.740527]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 37.745787] RIP: 0033:0x4450e8
[ 37.749093] RSP: 002b:00007ffdda17dac8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 37.756774] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00000000004450e8
[ 37.764017] RDX: 0000000000000001 RSI: 000000000000003c RDI: 0000000000000001
[ 37.771286] RBP: 00000000004cced0 R08: 00000000000000e7 R09: ffffffffffffffd0
[ 37.778555] R10: 00007f1dc3c2f9d0 R11: 0000000000000246 R12: 0000000000000001
[ 37.785818] R13: 00000000006e0200 R14: 00000000010ef850 R15: 0000000000000001
[ 37.793127]
[ 37.794737] Allocated by task 6372:
[ 37.798351]  kasan_kmalloc+0xeb/0x160
[ 37.802128]  kmem_cache_alloc_trace+0x131/0x3d0
[ 37.806784]  hci_chan_create+0x7c/0x300
[ 37.810745]  l2cap_conn_add.part.0+0x18/0xc20
[ 37.815211]  l2cap_connect_cfm+0x1d2/0xce0
[ 37.819418]  hci_le_meta_evt+0x3288/0x3fc0
[ 37.823807]  hci_event_packet+0x25a7/0x7c7a
[ 37.828101]  hci_rx_work+0x3e6/0x970
[ 37.831788]  process_one_work+0x793/0x14a0
[ 37.836084]  worker_thread+0x5cc/0xff0
[ 37.839944]  kthread+0x30d/0x420
[ 37.843282]  ret_from_fork+0x24/0x30
[ 37.846965]
[ 37.848567] Freed by task 6372:
[ 37.851821]  kasan_slab_free+0xc3/0x1a0
[ 37.855767]  kfree+0xc9/0x250
[ 37.858846]  hci_event_packet+0xeae/0x7c7a
[ 37.863052]  hci_rx_work+0x3e6/0x970
[ 37.866738]  process_one_work+0x793/0x14a0
[ 37.870956]  worker_thread+0x5cc/0xff0
[ 37.874816]  kthread+0x30d/0x420
[ 37.878856]  ret_from_fork+0x24/0x30
[ 37.882539]
[ 37.884166] The buggy address belongs to the object at ffff8880a4b19d80
[ 37.884166]  which belongs to the cache kmalloc-128 of size 128
[ 37.896799] The buggy address is located 24 bytes inside of
[ 37.896799]  128-byte region [ffff8880a4b19d80, ffff8880a4b19e00)
[ 37.908646] The buggy address belongs to the page:
[ 37.913561] page:ffffea000292c640 count:1 mapcount:0 mapping:ffff8880a4b19000 index:0xffff8880a4b19000
[ 37.922992] flags: 0xfffe0000000100(slab)
[ 37.927201] raw: 00fffe0000000100 ffff8880a4b19000 ffff8880a4b19000 000000010000000a
[ 37.935229] raw: ffffea0002a5f9e0 ffffea0002906ae0 ffff88812fe52640 0000000000000000
[ 37.943096] page dumped because: kasan: bad access detected
[ 37.948782]
[ 37.950384] Memory state around the buggy address:
[ 37.955298]  ffff8880a4b19c80: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 37.962894]  ffff8880a4b19d00: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 37.970234] >ffff8880a4b19d80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 37.977565]                             ^
[ 37.982177]  ffff8880a4b19e00: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 37.989522]  ffff8880a4b19e80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 37.996858] ==================================================================
[ 38.004197] Disabling lock debugging due to kernel taint
[ 38.011002] Kernel panic - not syncing: panic_on_warn set ...
[ 38.011002]
[ 38.018441] CPU: 0 PID: 6350 Comm: syz-executor240 Tainted: G B 4.14.192-syzkaller #0
[ 38.028064] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 38.037489] Call Trace:
[ 38.040056]  dump_stack+0x1b2/0x283
[ 38.043659]  ? l2cap_conn_del+0x670/0x670
[ 38.047780]  panic+0x1f9/0x42d
[ 38.050968]  ? add_taint.cold+0x16/0x16
[ 38.054931]  ? ___preempt_schedule+0x16/0x18
[ 38.059315]  kasan_end_report+0x43/0x49
[ 38.063350]  kasan_report_error.cold+0xa7/0x194
[ 38.068006]  ? hci_chan_del+0x131/0x180
[ 38.072025]  __asan_report_load8_noabort+0x68/0x70
[ 38.076943]  ? hci_chan_del+0x131/0x180
[ 38.080900]  hci_chan_del+0x131/0x180
[ 38.084672]  l2cap_conn_del+0x417/0x670
[ 38.088620]  ? __mutex_unlock_slowpath+0x75/0x770
[ 38.093433]  ? l2cap_conn_del+0x670/0x670
[ 38.097552]  l2cap_disconn_cfm+0x6b/0x80
[ 38.101583]  hci_conn_hash_flush+0x114/0x220
[ 38.105975]  hci_dev_do_close+0x542/0xc50
[ 38.110098]  ? lock_downgrade+0x740/0x740
[ 38.114219]  hci_unregister_dev+0x170/0x7a0
[ 38.118513]  ? fcntl_setlk+0xdb0/0xdb0
[ 38.122374]  ? vhci_close_dev+0x50/0x50
[ 38.126330]  vhci_release+0x70/0xe0
[ 38.130008]  __fput+0x25f/0x7a0
[ 38.133286]  task_work_run+0x11f/0x190
[ 38.137156]  do_exit+0xa08/0x27f0
[ 38.140585]  ? mm_update_next_owner+0x5b0/0x5b0
[ 38.145226]  ? vfs_write+0x319/0x4d0
[ 38.148917]  ? SyS_write+0x14d/0x210
[ 38.152792]  do_group_exit+0x100/0x2e0
[ 38.156663]  SyS_exit_group+0x19/0x20
[ 38.160435]  ? do_group_exit+0x2e0/0x2e0
[ 38.164467]  do_syscall_64+0x1d5/0x640
[ 38.168329]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 38.173509] RIP: 0033:0x4450e8
[ 38.176670] RSP: 002b:00007ffdda17dac8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 38.184361] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00000000004450e8
[ 38.191607] RDX: 0000000000000001 RSI: 000000000000003c RDI: 0000000000000001
[ 38.198934] RBP: 00000000004cced0 R08: 00000000000000e7 R09: ffffffffffffffd0
[ 38.206186] R10: 00007f1dc3c2f9d0 R11: 0000000000000246 R12: 0000000000000001
[ 38.213477] R13: 00000000006e0200 R14: 00000000010ef850 R15: 0000000000000001
[ 38.222867] Kernel Offset: disabled
[ 38.226574] Rebooting in 86400 seconds..