[ OK ] Started Regular background program processing daemon. [ OK ] Started Daily apt download activities. [ OK ] Started Daily apt upgrade and clean activities. [ OK ] Reached target Timers. Starting OpenBSD Secure Shell server... Starting System Logging Service... [ OK ] Started Permit User Sessions. [ OK ] Started System Logging Service. [ OK ] Started OpenBSD Secure Shell server. [ OK ] Started getty on tty2-tty6 if dbus and logind are not available. [ OK ] Listening on Load/Save RF Kill Switch Status /dev/rfkill Watch. [ OK ] Started Getty on tty6. [ OK ] Started Getty on tty5. [ OK ] Started Getty on tty4. [ OK ] Started Getty on tty3. [ OK ] Started Getty on tty2. [ OK ] Started Serial Getty on ttyS0. [ OK ] Started Getty on tty1. [ OK ] Reached target Login Prompts. [ OK ] Reached target Multi-User System. [ OK ] Reached target Graphical Interface. Starting Update UTMP about System Runlevel Changes... Starting Load/Save RF Kill Switch Status... [ OK ] Started Update UTMP about System Runlevel Changes. [ OK ] Started Load/Save RF Kill Switch Status. Debian GNU/Linux 9 syzkaller ttyS0 Warning: Permanently added '10.128.0.153' (ECDSA) to the list of known hosts. syzkaller login: [ 74.153254][ T35] audit: type=1400 audit(1605190844.223:8): avc: denied { execmem } for pid=8471 comm="syz-executor481" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=1 [ 75.218968][ T8472] IPVS: ftp: loaded support on port[0] = 21 executing program [ 75.295101][ T8472] ================================================================== [ 75.303379][ T8472] BUG: KASAN: use-after-free in hci_chan_del+0x1c5/0x200 [ 75.310416][ T8472] Read of size 8 at addr ffff88801d0dd518 by task syz-executor481/8472 [ 75.318657][ T8472] [ 75.320997][ T8472] CPU: 1 PID: 8472 Comm: syz-executor481 Not tainted 5.10.0-rc3-syzkaller #0 [ 75.329761][ T8472] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 75.339832][ T8472] Call Trace: [ 75.343141][ T8472] dump_stack+0x107/0x163 [ 75.347499][ T8472] ? hci_chan_del+0x1c5/0x200 [ 75.352195][ T8472] ? hci_chan_del+0x1c5/0x200 [ 75.356882][ T8472] print_address_description.constprop.0.cold+0xae/0x497 [ 75.363921][ T8472] ? _raw_spin_lock_irqsave+0x4e/0x50 [ 75.369312][ T8472] ? vprintk_func+0x95/0x1e0 [ 75.373923][ T8472] ? hci_chan_del+0x1c5/0x200 [ 75.378598][ T8472] ? hci_chan_del+0x1c5/0x200 [ 75.383261][ T8472] kasan_report.cold+0x1f/0x37 [ 75.388057][ T8472] ? hci_chan_del+0x1c5/0x200 [ 75.392745][ T8472] hci_chan_del+0x1c5/0x200 [ 75.397235][ T8472] l2cap_conn_del+0x478/0x7b0 [ 75.401900][ T8472] ? l2cap_conn_del+0x7b0/0x7b0 [ 75.406727][ T8472] l2cap_disconn_cfm+0x98/0xd0 [ 75.411491][ T8472] hci_conn_hash_flush+0x127/0x260 [ 75.416590][ T8472] hci_dev_do_close+0x569/0x1110 [ 75.421514][ T8472] ? hci_dev_open+0x300/0x300 [ 75.426173][ T8472] ? do_raw_read_unlock+0x70/0x70 [ 75.431179][ T8472] ? try_to_grab_pending+0xd0/0xd0 [ 75.436279][ T8472] hci_unregister_dev+0x223/0xfe0 [ 75.441302][ T8472] ? fcntl_setlk+0xf10/0xf10 [ 75.445879][ T8472] vhci_release+0x70/0xe0 [ 75.450216][ T8472] __fput+0x285/0x920 [ 75.454194][ T8472] ? vhci_close_dev+0x50/0x50 [ 75.458855][ T8472] task_work_run+0xdd/0x190 [ 75.463340][ T8472] do_exit+0xb64/0x29b0 [ 75.467502][ T8472] ? __schedule+0x89b/0x2130 [ 75.472078][ T8472] ? mm_update_next_owner+0x7a0/0x7a0 [ 75.477444][ T8472] ? io_schedule_timeout+0x140/0x140 [ 75.482720][ T8472] do_group_exit+0x125/0x310 [ 75.487310][ T8472] __x64_sys_exit_group+0x3a/0x50 [ 75.492333][ T8472] do_syscall_64+0x2d/0x70 [ 75.496734][ T8472] entry_SYSCALL_64_after_hwframe+0x44/0xa9 [ 75.502622][ T8472] RIP: 0033:0x445038 [ 75.507013][ T8472] Code: Unable to access opcode bytes at RIP 0x44500e. [ 75.513839][ T8472] RSP: 002b:00007ffe89f8e028 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7 [ 75.522249][ T8472] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 0000000000445038 [ 75.530206][ T8472] RDX: 0000000000000001 RSI: 000000000000003c RDI: 0000000000000001 [ 75.538173][ T8472] RBP: 00000000004ccd90 R08: 00000000000000e7 R09: ffffffffffffffd0 [ 75.546143][ T8472] R10: 0000000000000015 R11: 0000000000000246 R12: 0000000000000001 [ 75.554109][ T8472] R13: 00000000006e0200 R14: 0000000000000000 R15: 0000000000000000 [ 75.562096][ T8472] [ 75.564418][ T8472] Allocated by task 8478: [ 75.568730][ T8472] kasan_save_stack+0x1b/0x40 [ 75.573401][ T8472] __kasan_kmalloc.constprop.0+0xbf/0xd0 [ 75.579013][ T8472] kmem_cache_alloc_trace+0x162/0x440 [ 75.584366][ T8472] hci_chan_create+0xaa/0x3c0 [ 75.589023][ T8472] l2cap_conn_add.part.0+0x1e/0xdf0 [ 75.594212][ T8472] l2cap_connect_cfm+0x5be/0xf50 [ 75.599135][ T8472] le_conn_complete_evt+0x123d/0x18a0 [ 75.604484][ T8472] hci_le_meta_evt+0x433/0x4400 [ 75.609358][ T8472] hci_event_packet+0x5d9/0x7d60 [ 75.614274][ T8472] hci_rx_work+0x511/0xd30 [ 75.618677][ T8472] process_one_work+0x933/0x15a0 [ 75.623600][ T8472] worker_thread+0x64c/0x1120 [ 75.628254][ T8472] kthread+0x3af/0x4a0 [ 75.632301][ T8472] ret_from_fork+0x1f/0x30 [ 75.636688][ T8472] [ 75.638993][ T8472] Freed by task 8478: [ 75.642960][ T8472] kasan_save_stack+0x1b/0x40 [ 75.647616][ T8472] kasan_set_track+0x1c/0x30 [ 75.652186][ T8472] kasan_set_free_info+0x1b/0x30 [ 75.657100][ T8472] __kasan_slab_free+0xd8/0x120 [ 75.661941][ T8472] kfree+0xe8/0x240 [ 75.665745][ T8472] hci_disconn_loglink_complete_evt.isra.0+0x1cf/0x240 [ 75.672571][ T8472] hci_event_packet+0x2ded/0x7d60 [ 75.677573][ T8472] hci_rx_work+0x511/0xd30 [ 75.681968][ T8472] process_one_work+0x933/0x15a0 [ 75.686882][ T8472] worker_thread+0x64c/0x1120 [ 75.691544][ T8472] kthread+0x3af/0x4a0 [ 75.695594][ T8472] ret_from_fork+0x1f/0x30 [ 75.699982][ T8472] [ 75.702291][ T8472] The buggy address belongs to the object at ffff88801d0dd500 [ 75.702291][ T8472] which belongs to the cache kmalloc-128 of size 128 [ 75.716334][ T8472] The buggy address is located 24 bytes inside of [ 75.716334][ T8472] 128-byte region [ffff88801d0dd500, ffff88801d0dd580) [ 75.729509][ T8472] The buggy address belongs to the page: [ 75.735133][ T8472] page:0000000050d4219c refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88801d0dde00 pfn:0x1d0dd [ 75.746584][ T8472] flags: 0xfff00000000200(slab) [ 75.751434][ T8472] raw: 00fff00000000200 ffffea000088d548 ffffea00008d74c8 ffff888010040400 [ 75.760013][ T8472] raw: ffff88801d0dde00 ffff88801d0dd000 000000010000000b 0000000000000000 [ 75.768582][ T8472] page dumped because: kasan: bad access detected [ 75.774982][ T8472] [ 75.777291][ T8472] Memory state around the buggy address: [ 75.782907][ T8472] ffff88801d0dd400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 75.790960][ T8472] ffff88801d0dd480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 75.799013][ T8472] >ffff88801d0dd500: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 75.807063][ T8472] ^ [ 75.811916][ T8472] ffff88801d0dd580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 75.819966][ T8472] ffff88801d0dd600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 75.828020][ T8472] ================================================================== [ 75.836111][ T8472] Disabling lock debugging due to kernel taint [ 75.842834][ T8472] Kernel panic - not syncing: panic_on_warn set ... [ 75.849445][ T8472] CPU: 1 PID: 8472 Comm: syz-executor481 Tainted: G B 5.10.0-rc3-syzkaller #0 [ 75.859590][ T8472] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 75.869651][ T8472] Call Trace: [ 75.872961][ T8472] dump_stack+0x107/0x163 [ 75.877300][ T8472] ? hci_chan_del+0xf0/0x200 [ 75.881885][ T8472] panic+0x306/0x73d [ 75.885760][ T8472] ? __warn_printk+0xf3/0xf3 [ 75.890330][ T8472] ? preempt_schedule_common+0x59/0xc0 [ 75.895785][ T8472] ? hci_chan_del+0x1c5/0x200 [ 75.900446][ T8472] ? preempt_schedule_thunk+0x16/0x18 [ 75.905797][ T8472] ? trace_hardirqs_on+0x51/0x1c0 [ 75.910804][ T8472] ? hci_chan_del+0x1c5/0x200 [ 75.915462][ T8472] ? hci_chan_del+0x1c5/0x200 [ 75.920118][ T8472] end_report+0x58/0x5e [ 75.924266][ T8472] kasan_report.cold+0xd/0x37 [ 75.928921][ T8472] ? hci_chan_del+0x1c5/0x200 [ 75.933576][ T8472] hci_chan_del+0x1c5/0x200 [ 75.938087][ T8472] l2cap_conn_del+0x478/0x7b0 [ 75.942759][ T8472] ? l2cap_conn_del+0x7b0/0x7b0 [ 75.947587][ T8472] l2cap_disconn_cfm+0x98/0xd0 [ 75.952334][ T8472] hci_conn_hash_flush+0x127/0x260 [ 75.957426][ T8472] hci_dev_do_close+0x569/0x1110 [ 75.962359][ T8472] ? hci_dev_open+0x300/0x300 [ 75.967015][ T8472] ? do_raw_read_unlock+0x70/0x70 [ 75.972035][ T8472] ? try_to_grab_pending+0xd0/0xd0 [ 75.977129][ T8472] hci_unregister_dev+0x223/0xfe0 [ 75.982150][ T8472] ? fcntl_setlk+0xf10/0xf10 [ 75.986721][ T8472] vhci_release+0x70/0xe0 [ 75.991047][ T8472] __fput+0x285/0x920 [ 75.995007][ T8472] ? vhci_close_dev+0x50/0x50 [ 75.999662][ T8472] task_work_run+0xdd/0x190 [ 76.004145][ T8472] do_exit+0xb64/0x29b0 [ 76.008279][ T8472] ? __schedule+0x89b/0x2130 [ 76.012861][ T8472] ? mm_update_next_owner+0x7a0/0x7a0 [ 76.018211][ T8472] ? io_schedule_timeout+0x140/0x140 [ 76.023487][ T8472] do_group_exit+0x125/0x310 [ 76.028072][ T8472] __x64_sys_exit_group+0x3a/0x50 [ 76.033089][ T8472] do_syscall_64+0x2d/0x70 [ 76.037499][ T8472] entry_SYSCALL_64_after_hwframe+0x44/0xa9 [ 76.043367][ T8472] RIP: 0033:0x445038 [ 76.047231][ T8472] Code: Unable to access opcode bytes at RIP 0x44500e. [ 76.054054][ T8472] RSP: 002b:00007ffe89f8e028 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7 [ 76.062441][ T8472] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 0000000000445038 [ 76.070387][ T8472] RDX: 0000000000000001 RSI: 000000000000003c RDI: 0000000000000001 [ 76.078358][ T8472] RBP: 00000000004ccd90 R08: 00000000000000e7 R09: ffffffffffffffd0 [ 76.086311][ T8472] R10: 0000000000000015 R11: 0000000000000246 R12: 0000000000000001 [ 76.094261][ T8472] R13: 00000000006e0200 R14: 0000000000000000 R15: 0000000000000000 [ 76.102591][ T8472] Kernel Offset: disabled [ 76.106901][ T8472] Rebooting in 86400 seconds..