Warning: Permanently added '10.128.0.120' (ECDSA) to the list of known hosts.
syzkaller login: [ 541.739613] audit: type=1400 audit(1596732977.857:8): avc: denied { execmem } for pid=6372 comm="syz-executor024" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=1
[ 541.995903] IPVS: ftp: loaded support on port[0] = 21
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
[ 545.965419] Bluetooth: hci0 command 0x0409 tx timeout
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
[ 547.600518] ==================================================================
[ 547.608160] BUG: KASAN: use-after-free in sco_chan_del+0x3b2/0x3d0
[ 547.614471] Read of size 1 at addr ffff888096c4a9b5 by task syz-executor024/6474
[ 547.622119]
[ 547.623749] CPU: 1 PID: 6474 Comm: syz-executor024 Not tainted 4.14.192-syzkaller #0
[ 547.631630] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 547.641009] Call Trace:
[ 547.643637]  dump_stack+0x1b2/0x283
[ 547.647343]  print_address_description.cold+0x54/0x1d3
[ 547.652616]  kasan_report_error.cold+0x8a/0x194
[ 547.657272]  ? sco_chan_del+0x3b2/0x3d0
[ 547.661237]  __asan_report_load1_noabort+0x68/0x70
[ 547.666167]  ? sco_chan_del+0x3b2/0x3d0
[ 547.670142]  sco_chan_del+0x3b2/0x3d0
[ 547.673936]  __sco_sock_close+0xb0/0x670
[ 547.678001]  sco_sock_release+0x6a/0x370
[ 547.682122]  __sock_release+0xcd/0x2b0
[ 547.686008]  ? __sock_release+0x2b0/0x2b0
[ 547.690142]  sock_close+0x15/0x20
[ 547.693649]  __fput+0x25f/0x7a0
[ 547.696977]  task_work_run+0x11f/0x190
[ 547.700890]  get_signal+0x18a3/0x1ca0
[ 547.704766]  ? reacquire_held_locks+0xb5/0x3f0
[ 547.709363]  ? sco_sock_connect+0x42b/0x860
[ 547.713684]  do_signal+0x7c/0x1550
[ 547.717212]  ? lock_downgrade+0x740/0x740
[ 547.721415]  ? check_preemption_disabled+0x35/0x240
[ 547.726442]  ? setup_sigcontext+0x820/0x820
[ 547.730808]  ? kick_process+0xe4/0x170
[ 547.734714]  ? task_work_add+0x87/0xe0
[ 547.738612]  ? sco_sock_create+0xf0/0xf0
[ 547.742704]  ? fput+0xaa/0x140
[ 547.745918]  ? SyS_connect+0xf6/0x240
[ 547.750514]  ? SyS_accept+0x30/0x30
[ 547.754182]  ? lock_downgrade+0x740/0x740
[ 547.758359]  ? exit_to_usermode_loop+0x41/0x200
[ 547.763052]  exit_to_usermode_loop+0x160/0x200
[ 547.767667]  do_syscall_64+0x4a3/0x640
[ 547.771629]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 547.776841] RIP: 0033:0x4470b9
[ 547.780021] RSP: 002b:00007f565da21db8 EFLAGS: 00000246 ORIG_RAX: 000000000000002a
[ 547.787723] RAX: fffffffffffffffc RBX: 00000000006dbc28 RCX: 00000000004470b9
[ 547.794983] RDX: 0000000000000008 RSI: 0000000020000080 RDI: 0000000000000004
[ 547.802241] RBP: 00000000006dbc20 R08: 0000000000000000 R09: 0000000000000000
[ 547.809524] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dbc2c
[ 547.816807] R13: 00007ffc5bd4bdef R14: 00007f565da229c0 R15: 00000000006dbc2c
[ 547.824087]
[ 547.825695] Allocated by task 6404:
[ 547.829326]  kasan_kmalloc+0xeb/0x160
[ 547.833108]  kmem_cache_alloc_trace+0x131/0x3d0
[ 547.837824]  hci_conn_add+0x53/0x12f0
[ 547.841631]  hci_connect_sco+0x265/0x7d0
[ 547.845694]  sco_sock_connect+0x26c/0x860
[ 547.849844]  SyS_connect+0x1f4/0x240
[ 547.853545]  do_syscall_64+0x1d5/0x640
[ 547.857419]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 547.862599]
[ 547.864204] Freed by task 6399:
[ 547.867471]  kasan_slab_free+0xc3/0x1a0
[ 547.871452]  kfree+0xc9/0x250
[ 547.874631]  device_release+0xf0/0x1a0
[ 547.878589]  kobject_put+0x1f3/0x2d0
[ 547.882306]  put_device+0x1c/0x30
[ 547.885763]  hci_conn_del+0x235/0x620
[ 547.889550]  hci_phy_link_complete_evt.isra.0+0x4d0/0x6c0
[ 547.895085]  hci_event_packet+0x2592/0x7c7a
[ 547.899396]  hci_rx_work+0x3e6/0x970
[ 547.903096]  process_one_work+0x793/0x14a0
[ 547.907331]  worker_thread+0x5cc/0xff0
[ 547.911213]  kthread+0x30d/0x420
[ 547.914560]  ret_from_fork+0x24/0x30
[ 547.918252]
[ 547.919864] The buggy address belongs to the object at ffff888096c4a980
[ 547.919864]  which belongs to the cache kmalloc-4096 of size 4096
[ 547.932692] The buggy address is located 53 bytes inside of
[ 547.932692]  4096-byte region [ffff888096c4a980, ffff888096c4b980)
[ 547.944563] The buggy address belongs to the page:
[ 547.949491] page:ffffea00025b1280 count:1 mapcount:0 mapping:ffff888096c4a980 index:0x0 compound_mapcount: 0
[ 547.959466] flags: 0xfffe0000008100(slab|head)
[ 547.964039] raw: 00fffe0000008100 ffff888096c4a980 0000000000000000 0000000100000001
[ 547.971913] raw: ffffea000234e2a0 ffffea00025f8ba0 ffff88812fe52dc0 0000000000000000
[ 547.979811] page dumped because: kasan: bad access detected
[ 547.985519]
[ 547.987124] Memory state around the buggy address:
[ 547.992047]  ffff888096c4a880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 547.999407]  ffff888096c4a900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 548.006845] >ffff888096c4a980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 548.014198]                                      ^
[ 548.019121]  ffff888096c4aa00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 548.026479]  ffff888096c4aa80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 548.033933] ==================================================================
[ 548.041288] Disabling lock debugging due to kernel taint
[ 548.044794] Bluetooth: hci0 command 0x041b tx timeout
[ 548.055041] Kernel panic - not syncing: panic_on_warn set ...
[ 548.055041]
[ 548.062468] CPU: 1 PID: 6474 Comm: syz-executor024 Tainted: G B 4.14.192-syzkaller #0
[ 548.071563] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 548.080927] Call Trace:
[ 548.083500]  dump_stack+0x1b2/0x283
[ 548.087196]  panic+0x1f9/0x42d
[ 548.090393]  ? add_taint.cold+0x16/0x16
[ 548.094374]  ? ___preempt_schedule+0x16/0x18
[ 548.098783]  kasan_end_report+0x43/0x49
[ 548.102757]  kasan_report_error.cold+0xa7/0x194
[ 548.107467]  ? sco_chan_del+0x3b2/0x3d0
[ 548.111473]  __asan_report_load1_noabort+0x68/0x70
[ 548.116402]  ? sco_chan_del+0x3b2/0x3d0
[ 548.120375]  sco_chan_del+0x3b2/0x3d0
[ 548.124175]  __sco_sock_close+0xb0/0x670
[ 548.128243]  sco_sock_release+0x6a/0x370
[ 548.132293]  __sock_release+0xcd/0x2b0
[ 548.136179]  ? __sock_release+0x2b0/0x2b0
[ 548.140315]  sock_close+0x15/0x20
[ 548.143783]  __fput+0x25f/0x7a0
[ 548.147075]  task_work_run+0x11f/0x190
[ 548.150953]  get_signal+0x18a3/0x1ca0
[ 548.154750]  ? reacquire_held_locks+0xb5/0x3f0
[ 548.159340]  ? sco_sock_connect+0x42b/0x860
[ 548.163644]  do_signal+0x7c/0x1550
[ 548.167188]  ? lock_downgrade+0x740/0x740
[ 548.171323]  ? check_preemption_disabled+0x35/0x240
[ 548.176348]  ? setup_sigcontext+0x820/0x820
[ 548.180673]  ? kick_process+0xe4/0x170
[ 548.184558]  ? task_work_add+0x87/0xe0
[ 548.188451]  ? sco_sock_create+0xf0/0xf0
[ 548.193214]  ? fput+0xaa/0x140
[ 548.196403]  ? SyS_connect+0xf6/0x240
[ 548.200184]  ? SyS_accept+0x30/0x30
[ 548.203793]  ? lock_downgrade+0x740/0x740
[ 548.207923]  ? exit_to_usermode_loop+0x41/0x200
[ 548.212596]  exit_to_usermode_loop+0x160/0x200
[ 548.217183]  do_syscall_64+0x4a3/0x640
[ 548.221054]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 548.226237] RIP: 0033:0x4470b9
[ 548.229402] RSP: 002b:00007f565da21db8 EFLAGS: 00000246 ORIG_RAX: 000000000000002a
[ 548.237103] RAX: fffffffffffffffc RBX: 00000000006dbc28 RCX: 00000000004470b9
[ 548.244354] RDX: 0000000000000008 RSI: 0000000020000080 RDI: 0000000000000004
[ 548.251603] RBP: 00000000006dbc20 R08: 0000000000000000 R09: 0000000000000000
[ 548.258853] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dbc2c
[ 548.266120] R13: 00007ffc5bd4bdef R14: 00007f565da229c0 R15: 00000000006dbc2c
[ 548.274532] Kernel Offset: disabled
[ 548.278147] Rebooting in 86400 seconds..