[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
[ OK ] Started Update UTMP about System Runlevel Changes.
Starting Load/Save RF Kill Switch Status...
[ OK ] Started Load/Save RF Kill Switch Status.
Debian GNU/Linux 9 syzkaller ttyS0
Warning: Permanently added '10.128.0.117' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 605.255795] IPVS: ftp: loaded support on port[0] = 21
[ 607.300006] Bluetooth: hci0 command 0x0409 tx timeout
[ 609.379501] Bluetooth: hci0 command 0x041b tx timeout
executing program
[ 611.459486] Bluetooth: hci0 command 0x040f tx timeout
[ 613.539492] Bluetooth: hci0 command 0x0419 tx timeout
executing program
[ 615.619494] Bluetooth: hci0 command 0x0405 tx timeout
executing program
executing program
executing program
executing program
executing program
executing program
[ 645.540027] ==================================================================
[ 645.547528] BUG: KASAN: use-after-free in __lock_acquire+0x2c57/0x3f20
[ 645.554181] Read of size 8 at addr ffff8880b40312a0 by task kworker/0:1/24
[ 645.561534]
[ 645.563143] CPU: 0 PID: 24 Comm: kworker/0:1 Not tainted 4.14.218-syzkaller #0
[ 645.570583] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 645.580015] Workqueue: events l2cap_chan_timeout
[ 645.584749] Call Trace:
[ 645.587338]  dump_stack+0x1b2/0x281
[ 645.590948]  print_address_description.cold+0x54/0x1d3
[ 645.596213]  kasan_report_error.cold+0x8a/0x191
[ 645.600915]  ? __lock_acquire+0x2c57/0x3f20
[ 645.605216]  __asan_report_load8_noabort+0x68/0x70
[ 645.610201]  ? __lock_acquire+0x2c57/0x3f20
[ 645.614503]  __lock_acquire+0x2c57/0x3f20
[ 645.618632]  ? lock_acquire+0x170/0x3f0
[ 645.622599]  ? lock_downgrade+0x740/0x740
[ 645.626726]  ? trace_hardirqs_on+0x10/0x10
[ 645.631586]  ? debug_object_assert_init+0x22d/0x2d0
[ 645.636586]  ? debug_object_active_state+0x330/0x330
[ 645.641674]  ? ret_from_fork+0x24/0x30
[ 645.645570]  ? add_lock_to_list.constprop.0+0x17d/0x330
[ 645.650927]  ? save_trace+0xd6/0x290
[ 645.654621]  lock_acquire+0x170/0x3f0
[ 645.658402]  ? lock_sock_nested+0x39/0x100
[ 645.662615]  _raw_spin_lock_bh+0x2f/0x40
[ 645.666659]  ? lock_sock_nested+0x39/0x100
[ 645.670899]  lock_sock_nested+0x39/0x100
[ 645.674938]  l2cap_sock_teardown_cb+0x93/0x650
[ 645.679501]  l2cap_chan_del+0xaf/0x950
[ 645.683367]  l2cap_chan_close+0x103/0x870
[ 645.687495]  ? __set_monitor_timer+0x1d0/0x1d0
[ 645.692059]  ? lock_acquire+0x170/0x3f0
[ 645.696041]  l2cap_chan_timeout+0x143/0x2a0
[ 645.700357]  process_one_work+0x793/0x14a0
[ 645.704573]  ? work_busy+0x320/0x320
[ 645.708279]  ? worker_thread+0x158/0xff0
[ 645.712317]  ? _raw_spin_unlock_irq+0x24/0x80
[ 645.716811]  worker_thread+0x5cc/0xff0
[ 645.720682]  ? rescuer_thread+0xc80/0xc80
[ 645.724814]  kthread+0x30d/0x420
[ 645.728254]  ? kthread_create_on_node+0xd0/0xd0
[ 645.732919]  ret_from_fork+0x24/0x30
[ 645.736610]
[ 645.738231] Allocated by task 8018:
[ 645.741847]  kasan_kmalloc+0xeb/0x160
[ 645.745649]  __kmalloc+0x15a/0x400
[ 645.749261]  sk_prot_alloc+0x1ba/0x290
[ 645.753151]  sk_alloc+0x36/0xcd0
[ 645.756494]  l2cap_sock_alloc.constprop.0+0x31/0x210
[ 645.761594]  l2cap_sock_create+0xf0/0x1a0
[ 645.765759]  bt_sock_create+0x13b/0x280
[ 645.769820]  __sock_create+0x303/0x620
[ 645.773681]  SyS_socket+0xd1/0x1b0
[ 645.777215]  do_syscall_64+0x1d5/0x640
[ 645.781095]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 645.786273]
[ 645.787892] Freed by task 8018:
[ 645.791184]  kasan_slab_free+0xc3/0x1a0
[ 645.795178]  kfree+0xc9/0x250
[ 645.798285]  __sk_destruct+0x5e3/0x760
[ 645.802254]  __sk_free+0xd9/0x2d0
[ 645.806219]  sk_free+0x2b/0x40
[ 645.809516]  l2cap_sock_kill.part.0+0x106/0x130
[ 645.814171]  l2cap_sock_release+0x1cd/0x280
[ 645.818478]  __sock_release+0xcd/0x2b0
[ 645.822524]  sock_close+0x15/0x20
[ 645.826001]  __fput+0x25f/0x7a0
[ 645.829285]  task_work_run+0x11f/0x190
[ 645.833158]  do_exit+0xa44/0x2850
[ 645.836599]  do_group_exit+0x100/0x2e0
[ 645.840472]  get_signal+0x38d/0x1ca0
[ 645.844178]  do_signal+0x7c/0x1550
[ 645.847720]  exit_to_usermode_loop+0x160/0x200
[ 645.852287]  do_syscall_64+0x4a3/0x640
[ 645.856164]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 645.861436]
[ 645.863060] The buggy address belongs to the object at ffff8880b4031200
[ 645.863060]  which belongs to the cache kmalloc-2048 of size 2048
[ 645.875869] The buggy address is located 160 bytes inside of
[ 645.875869]  2048-byte region [ffff8880b4031200, ffff8880b4031a00)
[ 645.887810] The buggy address belongs to the page:
[ 645.892720] page:ffffea0002d00c00 count:1 mapcount:0 mapping:ffff8880b4030100 index:0x0 compound_mapcount: 0
[ 645.902692] flags: 0xfff00000008100(slab|head)
[ 645.907373] raw: 00fff00000008100 ffff8880b4030100 0000000000000000 0000000100000003
[ 645.915249] raw: ffffea0002d024a0 ffffea0002cf2420 ffff88813fe80c40 0000000000000000
[ 645.923218] page dumped because: kasan: bad access detected
[ 645.928924]
[ 645.930555] Memory state around the buggy address:
[ 645.935474]  ffff8880b4031180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 645.942815]  ffff8880b4031200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 645.950164] >ffff8880b4031280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 645.957516]                                ^
[ 645.961921]  ffff8880b4031300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 645.969894]  ffff8880b4031380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 645.977244] ==================================================================
[ 645.984579] Disabling lock debugging due to kernel taint
[ 645.990036] Kernel panic - not syncing: panic_on_warn set ...
[ 645.990036]
[ 645.997379] CPU: 0 PID: 24 Comm: kworker/0:1 Tainted: G B 4.14.218-syzkaller #0
[ 646.005944] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 646.015650] Workqueue: events l2cap_chan_timeout
[ 646.020387] Call Trace:
[ 646.022961]  dump_stack+0x1b2/0x281
[ 646.026570]  panic+0x1f9/0x42d
[ 646.029742]  ? add_taint.cold+0x16/0x16
[ 646.033797]  ? lock_downgrade+0x740/0x740
[ 646.037930]  kasan_end_report+0x43/0x49
[ 646.041884]  kasan_report_error.cold+0xa7/0x191
[ 646.046559]  ? __lock_acquire+0x2c57/0x3f20
[ 646.050860]  __asan_report_load8_noabort+0x68/0x70
[ 646.055788]  ? __lock_acquire+0x2c57/0x3f20
[ 646.060122]  __lock_acquire+0x2c57/0x3f20
[ 646.064270]  ? lock_acquire+0x170/0x3f0
[ 646.068312]  ? lock_downgrade+0x740/0x740
[ 646.072442]  ? trace_hardirqs_on+0x10/0x10
[ 646.076685]  ? debug_object_assert_init+0x22d/0x2d0
[ 646.081687]  ? debug_object_active_state+0x330/0x330
[ 646.086791]  ? ret_from_fork+0x24/0x30
[ 646.090661]  ? add_lock_to_list.constprop.0+0x17d/0x330
[ 646.096002]  ? save_trace+0xd6/0x290
[ 646.099756]  lock_acquire+0x170/0x3f0
[ 646.103537]  ? lock_sock_nested+0x39/0x100
[ 646.108335]  _raw_spin_lock_bh+0x2f/0x40
[ 646.112378]  ? lock_sock_nested+0x39/0x100
[ 646.116596]  lock_sock_nested+0x39/0x100
[ 646.120748]  l2cap_sock_teardown_cb+0x93/0x650
[ 646.125315]  l2cap_chan_del+0xaf/0x950
[ 646.129183]  l2cap_chan_close+0x103/0x870
[ 646.133313]  ? __set_monitor_timer+0x1d0/0x1d0
[ 646.137878]  ? lock_acquire+0x170/0x3f0
[ 646.141868]  l2cap_chan_timeout+0x143/0x2a0
[ 646.146536]  process_one_work+0x793/0x14a0
[ 646.150756]  ? work_busy+0x320/0x320
[ 646.154563]  ? worker_thread+0x158/0xff0
[ 646.158626]  ? _raw_spin_unlock_irq+0x24/0x80
[ 646.163133]  worker_thread+0x5cc/0xff0
[ 646.167018]  ? rescuer_thread+0xc80/0xc80
[ 646.171159]  kthread+0x30d/0x420
[ 646.174504]  ? kthread_create_on_node+0xd0/0xd0
[ 646.179166]  ret_from_fork+0x24/0x30
[ 646.183412] Kernel Offset: disabled
[ 646.187043] Rebooting in 86400 seconds..