[ OK ] Started Regular background program processing daemon.
Starting System Logging Service...
[ OK ] Started Daily apt download activities.
[ OK ] Started Daily apt upgrade and clean activities.
[ OK ] Reached target Timers.
[ OK ] Started Permit User Sessions.
[ OK ] Started System Logging Service.
[ OK ] Found device /dev/ttyS0.
[ OK ] Started OpenBSD Secure Shell server.
[ OK ] Started getty on tty2-tty6 if dbus and logind are not available.
[ OK ] Listening on Load/Save RF Kill Switch Status /dev/rfkill Watch.
[ OK ] Started Getty on tty6.
[ OK ] Started Getty on tty5.
[ OK ] Started Getty on tty4.
[ OK ] Started Getty on tty3.
[ OK ] Started Getty on tty2.
[ OK ] Started Serial Getty on ttyS0.
[ OK ] Started Getty on tty1.
[ OK ] Reached target Login Prompts.
[ OK ] Reached target Multi-User System.
[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
Starting Load/Save RF Kill Switch Status...
[ OK ] Started Update UTMP about System Runlevel Changes.
[ OK ] Started Load/Save RF Kill Switch Status.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.0.243' (ECDSA) to the list of known hosts.

syzkaller login: [ 66.430928][ T27] audit: type=1400 audit(1596494332.950:8): avc: denied { execmem } for pid=6819 comm="syz-executor430" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=1
[ 66.445753][ T6820] IPVS: ftp: loaded support on port[0] = 21
executing program
[ 67.619788][ T6843] ==================================================================
[ 67.628210][ T6843] BUG: KASAN: use-after-free in hci_chan_del+0x14f/0x190
[ 67.635241][ T6843] Read of size 8 at addr ffff88809ea4b118 by task syz-executor430/6843
[ 67.643476][ T6843]
[ 67.645823][ T6843] CPU: 0 PID: 6843 Comm: syz-executor430 Not tainted 5.8.0-syzkaller #0
[ 67.654145][ T6843] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 67.664215][ T6843] Call Trace:
[ 67.667518][ T6843] dump_stack+0x18f/0x20d
[ 67.671862][ T6843] ? hci_chan_del+0x14f/0x190
[ 67.676549][ T6843] ? hci_chan_del+0x14f/0x190
[ 67.681238][ T6843] print_address_description.constprop.0.cold+0xae/0x436
[ 67.688291][ T6843] ? mutex_lock_io_nested+0xf60/0xf60
[ 67.693706][ T6843] ? lockdep_hardirqs_off+0x66/0xa0
[ 67.698940][ T6843] ? vprintk_func+0x97/0x1a6
[ 67.703569][ T6843] ? hci_chan_del+0x14f/0x190
[ 67.708863][ T6843] kasan_report.cold+0x1f/0x37
[ 67.713758][ T6843] ? hci_chan_del+0x14f/0x190
[ 67.718445][ T6843] hci_chan_del+0x14f/0x190
[ 67.722946][ T6843] l2cap_conn_del+0x61b/0x9e0
[ 67.727620][ T6843] ? l2cap_conn_del+0x9e0/0x9e0
[ 67.732463][ T6843] l2cap_disconn_cfm+0x85/0xa0
[ 67.737231][ T6843] hci_conn_hash_flush+0x114/0x220
[ 67.742362][ T6843] ? vhci_close_dev+0x50/0x50
[ 67.747052][ T6843] hci_dev_do_close+0x5c6/0x1080
[ 67.751993][ T6843] ? do_raw_write_lock+0x11a/0x280
[ 67.757109][ T6843] ? hci_dev_open+0x350/0x350
[ 67.761785][ T6843] ? do_raw_read_unlock+0x70/0x70
[ 67.766819][ T6843] ? try_to_grab_pending.part.0+0x7d0/0x7d0
[ 67.772725][ T6843] ? fsnotify_parent+0xb7/0x2b0
[ 67.777581][ T6843] ? vhci_close_dev+0x50/0x50
[ 67.782259][ T6843] hci_unregister_dev+0x1a3/0xe20
[ 67.787289][ T6843] ? fcntl_setlk+0xf60/0xf60
[ 67.791896][ T6843] ? lock_is_held_type+0xb0/0xe0
[ 67.796838][ T6843] ? vhci_close_dev+0x50/0x50
[ 67.801520][ T6843] vhci_release+0x70/0xe0
[ 67.805850][ T6843] __fput+0x33c/0x880
[ 67.809839][ T6843] task_work_run+0xdd/0x190
[ 67.814350][ T6843] do_exit+0xb72/0x2a40
[ 67.818514][ T6843] ? mm_update_next_owner+0x7a0/0x7a0
[ 67.823889][ T6843] ? asm_sysvec_apic_timer_interrupt+0xa/0x20
[ 67.829978][ T6843] ? kvm_sched_clock_read+0x14/0x40
[ 67.835203][ T6843] ? sched_clock+0x2a/0x40
[ 67.839642][ T6843] ? sched_clock_cpu+0x18/0x1b0
[ 67.844515][ T6843] ? lock_is_held_type+0xb0/0xe0
[ 67.849459][ T6843] ? do_syscall_64+0x1c/0xe0
[ 67.854055][ T6843] __x64_sys_exit+0x3e/0x50
[ 67.858571][ T6843] do_syscall_64+0x60/0xe0
[ 67.862992][ T6843] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 67.868886][ T6843] RIP: 0033:0x402b6e
[ 67.872768][ T6843] Code: Bad RIP value.
[ 67.876845][ T6843] RSP: 002b:00007f9ffe4b6de0 EFLAGS: 00000246 ORIG_RAX: 000000000000003c
[ 67.885255][ T6843] RAX: ffffffffffffffda RBX: 00007f9ffe4b7700 RCX: 0000000000402b6e
[ 67.893228][ T6843] RDX: 000000000000003c RSI: 00000000007fb000 RDI: 0000000000000000
[ 67.901200][ T6843] RBP: 0000000000000000 R08: 00000000000000f1 R09: 00007f9ffe4b7700
[ 67.909193][ T6843] R10: 00007f9ffe4b79d0 R11: 0000000000000246 R12: 0000000000000000
[ 67.917165][ T6843] R13: 00007ffd8b201e0f R14: 00007f9ffe4b79c0 R15: 0000000000000000
[ 67.925144][ T6843]
[ 67.927464][ T6843] Allocated by task 6844:
[ 67.934756][ T6843] save_stack+0x1b/0x40
[ 67.938914][ T6843] __kasan_kmalloc.constprop.0+0xc2/0xd0
[ 67.944624][ T6843] kmem_cache_alloc_trace+0x14f/0x2d0
[ 67.949989][ T6843] hci_chan_create+0x9b/0x330
[ 67.954656][ T6843] l2cap_conn_add.part.0+0x1e/0xe10
[ 67.959843][ T6843] l2cap_connect_cfm+0x23b/0x1090
[ 67.964857][ T6843] le_conn_complete_evt+0x1153/0x1740
[ 67.970220][ T6843] hci_le_meta_evt+0x745/0x3eb0
[ 67.975063][ T6843] hci_event_packet+0x245a/0x86f5
[ 67.980099][ T6843] hci_rx_work+0x22e/0xb10
[ 67.984514][ T6843] process_one_work+0x94c/0x1670
[ 67.989466][ T6843] worker_thread+0x64c/0x1120
[ 67.994144][ T6843] kthread+0x3b5/0x4a0
[ 67.998213][ T6843] ret_from_fork+0x1f/0x30
[ 68.002628][ T6843]
[ 68.004946][ T6843] Freed by task 6844:
[ 68.008924][ T6843] save_stack+0x1b/0x40
[ 68.013072][ T6843] __kasan_slab_free+0xf5/0x140
[ 68.017916][ T6843] kfree+0x103/0x2c0
[ 68.021824][ T6843] hci_event_packet+0x319a/0x86f5
[ 68.026841][ T6843] hci_rx_work+0x22e/0xb10
[ 68.031290][ T6843] process_one_work+0x94c/0x1670
[ 68.036232][ T6843] worker_thread+0x64c/0x1120
[ 68.040908][ T6843] kthread+0x3b5/0x4a0
[ 68.044997][ T6843] ret_from_fork+0x1f/0x30
[ 68.049402][ T6843]
[ 68.051744][ T6843] The buggy address belongs to the object at ffff88809ea4b100
[ 68.051744][ T6843] which belongs to the cache kmalloc-128 of size 128
[ 68.066067][ T6843] The buggy address is located 24 bytes inside of
[ 68.066067][ T6843] 128-byte region [ffff88809ea4b100, ffff88809ea4b180)
[ 68.079245][ T6843] The buggy address belongs to the page:
[ 68.084904][ T6843] page:ffffea00027a92c0 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88809ea4b300
[ 68.095320][ T6843] flags: 0xfffe0000000200(slab)
[ 68.100171][ T6843] raw: 00fffe0000000200 ffffea0002980d88 ffffea00028b9b48 ffff8880aa000700
[ 68.108751][ T6843] raw: ffff88809ea4b300 ffff88809ea4b000 000000010000000a 0000000000000000
[ 68.117320][ T6843] page dumped because: kasan: bad access detected
[ 68.123735][ T6843]
[ 68.126052][ T6843] Memory state around the buggy address:
[ 68.131679][ T6843] ffff88809ea4b000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 68.139741][ T6843] ffff88809ea4b080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 68.147824][ T6843] >ffff88809ea4b100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 68.155895][ T6843] ^
[ 68.160747][ T6843] ffff88809ea4b180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 68.168827][ T6843] ffff88809ea4b200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 68.176898][ T6843] ==================================================================
[ 68.184953][ T6843] Disabling lock debugging due to kernel taint
[ 68.229970][ T6843] Kernel panic - not syncing: panic_on_warn set ...
[ 68.236598][ T6843] CPU: 1 PID: 6843 Comm: syz-executor430 Tainted: G B 5.8.0-syzkaller #0
[ 68.246295][ T6843] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 68.256332][ T6843] Call Trace:
[ 68.259613][ T6843] dump_stack+0x18f/0x20d
[ 68.263921][ T6843] ? hci_chan_del+0x110/0x190
[ 68.268574][ T6843] panic+0x2e3/0x75c
[ 68.272446][ T6843] ? __warn_printk+0xf3/0xf3
[ 68.277016][ T6843] ? preempt_schedule_common+0x59/0xc0
[ 68.282467][ T6843] ? hci_chan_del+0x14f/0x190
[ 68.288024][ T6843] ? preempt_schedule_thunk+0x16/0x18
[ 68.293381][ T6843] ? trace_hardirqs_on+0x55/0x220
[ 68.298393][ T6843] ? hci_chan_del+0x14f/0x190
[ 68.303053][ T6843] ? hci_chan_del+0x14f/0x190
[ 68.307705][ T6843] end_report+0x4d/0x53
[ 68.311837][ T6843] kasan_report.cold+0xd/0x37
[ 68.316489][ T6843] ? hci_chan_del+0x14f/0x190
[ 68.321139][ T6843] hci_chan_del+0x14f/0x190
[ 68.325627][ T6843] l2cap_conn_del+0x61b/0x9e0
[ 68.330295][ T6843] ? l2cap_conn_del+0x9e0/0x9e0
[ 68.335116][ T6843] l2cap_disconn_cfm+0x85/0xa0
[ 68.339866][ T6843] hci_conn_hash_flush+0x114/0x220
[ 68.344964][ T6843] ? vhci_close_dev+0x50/0x50
[ 68.349615][ T6843] hci_dev_do_close+0x5c6/0x1080
[ 68.354525][ T6843] ? do_raw_write_lock+0x11a/0x280
[ 68.359613][ T6843] ? hci_dev_open+0x350/0x350
[ 68.364262][ T6843] ? do_raw_read_unlock+0x70/0x70
[ 68.369273][ T6843] ? try_to_grab_pending.part.0+0x7d0/0x7d0
[ 68.375146][ T6843] ? fsnotify_parent+0xb7/0x2b0
[ 68.379983][ T6843] ? vhci_close_dev+0x50/0x50
[ 68.384644][ T6843] hci_unregister_dev+0x1a3/0xe20
[ 68.389643][ T6843] ? fcntl_setlk+0xf60/0xf60
[ 68.394209][ T6843] ? lock_is_held_type+0xb0/0xe0
[ 68.399122][ T6843] ? vhci_close_dev+0x50/0x50
[ 68.403782][ T6843] vhci_release+0x70/0xe0
[ 68.408093][ T6843] __fput+0x33c/0x880
[ 68.412061][ T6843] task_work_run+0xdd/0x190
[ 68.416547][ T6843] do_exit+0xb72/0x2a40
[ 68.420678][ T6843] ? mm_update_next_owner+0x7a0/0x7a0
[ 68.426040][ T6843] ? asm_sysvec_apic_timer_interrupt+0xa/0x20
[ 68.432080][ T6843] ? kvm_sched_clock_read+0x14/0x40
[ 68.437264][ T6843] ? sched_clock+0x2a/0x40
[ 68.441660][ T6843] ? sched_clock_cpu+0x18/0x1b0
[ 68.446486][ T6843] ? lock_is_held_type+0xb0/0xe0
[ 68.451396][ T6843] ? do_syscall_64+0x1c/0xe0
[ 68.455973][ T6843] __x64_sys_exit+0x3e/0x50
[ 68.460464][ T6843] do_syscall_64+0x60/0xe0
[ 68.464853][ T6843] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 68.470716][ T6843] RIP: 0033:0x402b6e
[ 68.474584][ T6843] Code: Bad RIP value.
[ 68.478622][ T6843] RSP: 002b:00007f9ffe4b6de0 EFLAGS: 00000246 ORIG_RAX: 000000000000003c
[ 68.487040][ T6843] RAX: ffffffffffffffda RBX: 00007f9ffe4b7700 RCX: 0000000000402b6e
[ 68.495104][ T6843] RDX: 000000000000003c RSI: 00000000007fb000 RDI: 0000000000000000
[ 68.503145][ T6843] RBP: 0000000000000000 R08: 00000000000000f1 R09: 00007f9ffe4b7700
[ 68.511126][ T6843] R10: 00007f9ffe4b79d0 R11: 0000000000000246 R12: 0000000000000000
[ 68.519092][ T6843] R13: 00007ffd8b201e0f R14: 00007f9ffe4b79c0 R15: 0000000000000000
[ 68.528161][ T6843] Kernel Offset: disabled
[ 68.532578][ T6843] Rebooting in 86400 seconds..