[ OK ] Started OpenBSD Secure Shell server.
[ OK ] Started Getty on tty2.
[ OK ] Started Serial Getty on ttyS0.
[ OK ] Started Getty on tty1.
[ OK ] Started getty on tty2-tty6 if dbus and logind are not available.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.10.61' (ECDSA) to the list of known hosts.

syzkaller login: [ 64.317626][ T28] audit: type=1400 audit(1596774997.575:8): avc: denied { execmem } for pid=6839 comm="syz-executor404" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=1
[ 64.329441][ T6840] IPVS: ftp: loaded support on port[0] = 21
executing program
[ 65.437110][ T6862] ==================================================================
[ 65.447039][ T6862] BUG: KASAN: use-after-free in hci_chan_del+0x14f/0x190
[ 65.454046][ T6862] Read of size 8 at addr ffff888092d57f18 by task syz-executor404/6862
[ 65.462265][ T6862]
[ 65.464588][ T6862] CPU: 0 PID: 6862 Comm: syz-executor404 Not tainted 5.8.0-syzkaller #0
[ 65.472890][ T6862] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 65.482928][ T6862] Call Trace:
[ 65.486211][ T6862] dump_stack+0x18f/0x20d
[ 65.490537][ T6862] ? hci_chan_del+0x14f/0x190
[ 65.495199][ T6862] ? hci_chan_del+0x14f/0x190
[ 65.499867][ T6862] print_address_description.constprop.0.cold+0xae/0x436
[ 65.507001][ T6862] ? mutex_lock_io_nested+0xf60/0xf60
[ 65.512361][ T6862] ? vprintk_func+0x97/0x1a6
[ 65.516941][ T6862] ? hci_chan_del+0x14f/0x190
[ 65.521608][ T6862] kasan_report.cold+0x1f/0x37
[ 65.526361][ T6862] ? hci_chan_del+0x14f/0x190
[ 65.531038][ T6862] hci_chan_del+0x14f/0x190
[ 65.535572][ T6862] l2cap_conn_del+0x61b/0x9e0
[ 65.540245][ T6862] ? l2cap_conn_del+0x9e0/0x9e0
[ 65.545077][ T6862] l2cap_disconn_cfm+0x85/0xa0
[ 65.549828][ T6862] hci_conn_hash_flush+0x114/0x220
[ 65.554937][ T6862] ? vhci_close_dev+0x50/0x50
[ 65.559602][ T6862] hci_dev_do_close+0x5c6/0x1080
[ 65.564533][ T6862] ? hci_dev_open+0x350/0x350
[ 65.569191][ T6862] ? do_raw_read_unlock+0x70/0x70
[ 65.574183][ T6862] ? try_to_grab_pending.part.0+0x7d0/0x7d0
[ 65.580045][ T6862] ? vhci_close_dev+0x50/0x50
[ 65.584685][ T6862] hci_unregister_dev+0x1bd/0xe30
[ 65.589674][ T6862] ? fcntl_setlk+0xf60/0xf60
[ 65.594237][ T6862] ? lock_is_held_type+0xbb/0xf0
[ 65.599139][ T6862] ? vhci_close_dev+0x50/0x50
[ 65.603779][ T6862] vhci_release+0x70/0xe0
[ 65.608072][ T6862] __fput+0x33c/0x880
[ 65.612021][ T6862] task_work_run+0xdd/0x190
[ 65.616502][ T6862] do_exit+0xb7d/0x29f0
[ 65.620657][ T6862] ? swapin_walk_pmd_entry+0x7b0/0x7b0
[ 65.626087][ T6862] ? mm_update_next_owner+0x7a0/0x7a0
[ 65.631428][ T6862] ? lock_is_held_type+0xbb/0xf0
[ 65.636337][ T6862] ? syscall_enter_from_user_mode+0x20/0x290
[ 65.642283][ T6862] ? lockdep_hardirqs_on_prepare+0x354/0x530
[ 65.648229][ T6862] ? trace_hardirqs_on+0x5f/0x220
[ 65.653222][ T6862] __x64_sys_exit+0x3e/0x50
[ 65.657691][ T6862] do_syscall_64+0x2d/0x70
[ 65.662078][ T6862] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 65.667935][ T6862] RIP: 0033:0x402aee
[ 65.671790][ T6862] Code: Bad RIP value.
[ 65.675823][ T6862] RSP: 002b:00007f7a2ed83de0 EFLAGS: 00000246 ORIG_RAX: 000000000000003c
[ 65.684201][ T6862] RAX: ffffffffffffffda RBX: 00007f7a2ed84700 RCX: 0000000000402aee
[ 65.692161][ T6862] RDX: 000000000000003c RSI: 00000000007fb000 RDI: 0000000000000000
[ 65.700110][ T6862] RBP: 0000000000000000 R08: 00000000000000f1 R09: 00007f7a2ed84700
[ 65.708047][ T6862] R10: 00007f7a2ed849d0 R11: 0000000000000246 R12: 0000000000000000
[ 65.715987][ T6862] R13: 00007ffeda85bb9f R14: 00007f7a2ed849c0 R15: 0000000000000001
[ 65.723936][ T6862]
[ 65.726233][ T6862] Allocated by task 6863:
[ 65.730527][ T6862] save_stack+0x1b/0x40
[ 65.734656][ T6862] __kasan_kmalloc.constprop.0+0xc2/0xd0
[ 65.740250][ T6862] kmem_cache_alloc_trace+0x14f/0x2d0
[ 65.745595][ T6862] hci_chan_create+0x9b/0x330
[ 65.750237][ T6862] l2cap_conn_add.part.0+0x1e/0xe10
[ 65.755398][ T6862] l2cap_connect_cfm+0x23b/0x1090
[ 65.760387][ T6862] le_conn_complete_evt+0x1153/0x1740
[ 65.765726][ T6862] hci_le_meta_evt+0x745/0x3ff0
[ 65.770562][ T6862] hci_event_packet+0x2e25/0x87a8
[ 65.775581][ T6862] hci_rx_work+0x22e/0xb50
[ 65.779965][ T6862] process_one_work+0x94c/0x1670
[ 65.784864][ T6862] worker_thread+0x64c/0x1120
[ 65.789508][ T6862] kthread+0x3b5/0x4a0
[ 65.793544][ T6862] ret_from_fork+0x1f/0x30
[ 65.797927][ T6862]
[ 65.800233][ T6862] Freed by task 6863:
[ 65.804181][ T6862] save_stack+0x1b/0x40
[ 65.808299][ T6862] __kasan_slab_free+0xf5/0x140
[ 65.813114][ T6862] kfree+0x103/0x2c0
[ 65.816981][ T6862] hci_event_packet+0x3e33/0x87a8
[ 65.821968][ T6862] hci_rx_work+0x22e/0xb50
[ 65.826351][ T6862] process_one_work+0x94c/0x1670
[ 65.831253][ T6862] worker_thread+0x64c/0x1120
[ 65.835896][ T6862] kthread+0x3b5/0x4a0
[ 65.839934][ T6862] ret_from_fork+0x1f/0x30
[ 65.844311][ T6862]
[ 65.846608][ T6862] The buggy address belongs to the object at ffff888092d57f00
[ 65.846608][ T6862] which belongs to the cache kmalloc-128 of size 128
[ 65.860624][ T6862] The buggy address is located 24 bytes inside of
[ 65.860624][ T6862] 128-byte region [ffff888092d57f00, ffff888092d57f80)
[ 65.873767][ T6862] The buggy address belongs to the page:
[ 65.879364][ T6862] page:ffffea00024b55c0 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff888092d57700
[ 65.889732][ T6862] flags: 0xfffe0000000200(slab)
[ 65.894550][ T6862] raw: 00fffe0000000200 ffffea0002692748 ffffea00024b54c8 ffff8880aa000700
[ 65.903104][ T6862] raw: ffff888092d57700 ffff888092d57000 0000000100000008 0000000000000000
[ 65.911663][ T6862] page dumped because: kasan: bad access detected
[ 65.918041][ T6862]
[ 65.920334][ T6862] Memory state around the buggy address:
[ 65.925949][ T6862] ffff888092d57e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 65.933977][ T6862] ffff888092d57e80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 65.942000][ T6862] >ffff888092d57f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 65.950021][ T6862] ^
[ 65.954836][ T6862] ffff888092d57f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 65.962859][ T6862] ffff888092d58000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 65.970880][ T6862] ==================================================================
[ 65.978903][ T6862] Disabling lock debugging due to kernel taint
[ 65.985233][ T6862] Kernel panic - not syncing: panic_on_warn set ...
[ 65.991807][ T6862] CPU: 0 PID: 6862 Comm: syz-executor404 Tainted: G B 5.8.0-syzkaller #0
[ 66.001492][ T6862] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 66.011518][ T6862] Call Trace:
[ 66.014776][ T6862] dump_stack+0x18f/0x20d
[ 66.019070][ T6862] ? hci_chan_del+0x140/0x190
[ 66.023709][ T6862] panic+0x2e3/0x75c
[ 66.027569][ T6862] ? __warn_printk+0xf3/0xf3
[ 66.032130][ T6862] ? preempt_schedule_common+0x59/0xc0
[ 66.037554][ T6862] ? hci_chan_del+0x14f/0x190
[ 66.042198][ T6862] ? preempt_schedule_thunk+0x16/0x18
[ 66.047534][ T6862] ? trace_hardirqs_on+0x55/0x220
[ 66.052523][ T6862] ? hci_chan_del+0x14f/0x190
[ 66.057164][ T6862] ? hci_chan_del+0x14f/0x190
[ 66.061805][ T6862] end_report+0x4d/0x53
[ 66.065928][ T6862] kasan_report.cold+0xd/0x37
[ 66.070571][ T6862] ? hci_chan_del+0x14f/0x190
[ 66.075210][ T6862] hci_chan_del+0x14f/0x190
[ 66.079678][ T6862] l2cap_conn_del+0x61b/0x9e0
[ 66.084321][ T6862] ? l2cap_conn_del+0x9e0/0x9e0
[ 66.089133][ T6862] l2cap_disconn_cfm+0x85/0xa0
[ 66.093861][ T6862] hci_conn_hash_flush+0x114/0x220
[ 66.098941][ T6862] ? vhci_close_dev+0x50/0x50
[ 66.103585][ T6862] hci_dev_do_close+0x5c6/0x1080
[ 66.108491][ T6862] ? hci_dev_open+0x350/0x350
[ 66.113138][ T6862] ? do_raw_read_unlock+0x70/0x70
[ 66.118139][ T6862] ? try_to_grab_pending.part.0+0x7d0/0x7d0
[ 66.124005][ T6862] ? vhci_close_dev+0x50/0x50
[ 66.128651][ T6862] hci_unregister_dev+0x1bd/0xe30
[ 66.133645][ T6862] ? fcntl_setlk+0xf60/0xf60
[ 66.138209][ T6862] ? lock_is_held_type+0xbb/0xf0
[ 66.143114][ T6862] ? vhci_close_dev+0x50/0x50
[ 66.147756][ T6862] vhci_release+0x70/0xe0
[ 66.152070][ T6862] __fput+0x33c/0x880
[ 66.156022][ T6862] task_work_run+0xdd/0x190
[ 66.160492][ T6862] do_exit+0xb7d/0x29f0
[ 66.164616][ T6862] ? swapin_walk_pmd_entry+0x7b0/0x7b0
[ 66.170044][ T6862] ? mm_update_next_owner+0x7a0/0x7a0
[ 66.175389][ T6862] ? lock_is_held_type+0xbb/0xf0
[ 66.180299][ T6862] ? syscall_enter_from_user_mode+0x20/0x290
[ 66.186248][ T6862] ? lockdep_hardirqs_on_prepare+0x354/0x530
[ 66.192194][ T6862] ? trace_hardirqs_on+0x5f/0x220
[ 66.197189][ T6862] __x64_sys_exit+0x3e/0x50
[ 66.201660][ T6862] do_syscall_64+0x2d/0x70
[ 66.206045][ T6862] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 66.211901][ T6862] RIP: 0033:0x402aee
[ 66.215754][ T6862] Code: Bad RIP value.
[ 66.219788][ T6862] RSP: 002b:00007f7a2ed83de0 EFLAGS: 00000246 ORIG_RAX: 000000000000003c
[ 66.228159][ T6862] RAX: ffffffffffffffda RBX: 00007f7a2ed84700 RCX: 0000000000402aee
[ 66.236096][ T6862] RDX: 000000000000003c RSI: 00000000007fb000 RDI: 0000000000000000
[ 66.244034][ T6862] RBP: 0000000000000000 R08: 00000000000000f1 R09: 00007f7a2ed84700
[ 66.251968][ T6862] R10: 00007f7a2ed849d0 R11: 0000000000000246 R12: 0000000000000000
[ 66.259903][ T6862] R13: 00007ffeda85bb9f R14: 00007f7a2ed849c0 R15: 0000000000000001
[ 66.269145][ T6862] Kernel Offset: disabled
[ 66.273451][ T6862] Rebooting in 86400 seconds..