Warning: Permanently added '10.128.0.14' (ECDSA) to the list of known hosts.
syzkaller login: [   77.016493][   T27] audit: type=1400 audit(1596932326.792:8): avc:  denied  { execmem } for  pid=6849 comm="syz-executor852" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=1
[   77.035289][ T6850] IPVS: ftp: loaded support on port[0] = 21
executing program
[   78.216289][ T6850] ==================================================================
[   78.224534][ T6850] BUG: KASAN: use-after-free in hci_chan_del+0x14f/0x190
[   78.231584][ T6850] Read of size 8 at addr ffff888092864518 by task syz-executor852/6850
[   78.239847][ T6850]
[   78.242224][ T6850] CPU: 1 PID: 6850 Comm: syz-executor852 Not tainted 5.8.0-syzkaller #0
[   78.250540][ T6850] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   78.260612][ T6850] Call Trace:
[   78.263902][ T6850]  dump_stack+0x18f/0x20d
[   78.268236][ T6850]  ? hci_chan_del+0x14f/0x190
[   78.272906][ T6850]  ? hci_chan_del+0x14f/0x190
[   78.277594][ T6850]  print_address_description.constprop.0.cold+0xae/0x497
[   78.284642][ T6850]  ? mutex_lock_io_nested+0xf60/0xf60
[   78.290011][ T6850]  ? vprintk_func+0x97/0x1a6
[   78.294597][ T6850]  ? hci_chan_del+0x14f/0x190
[   78.299266][ T6850]  ? hci_chan_del+0x14f/0x190
[   78.303946][ T6850]  kasan_report.cold+0x1f/0x37
[   78.308734][ T6850]  ? hci_chan_del+0x14f/0x190
[   78.313426][ T6850]  hci_chan_del+0x14f/0x190
[   78.317926][ T6850]  l2cap_conn_del+0x61b/0x9e0
[   78.322619][ T6850]  ? l2cap_conn_del+0x9e0/0x9e0
[   78.327460][ T6850]  l2cap_disconn_cfm+0x85/0xa0
[   78.332219][ T6850]  hci_conn_hash_flush+0x114/0x220
[   78.337331][ T6850]  hci_dev_do_close+0x5c6/0x1080
[   78.342260][ T6850]  ? hci_dev_open+0x350/0x350
[   78.346951][ T6850]  ? do_raw_read_unlock+0x70/0x70
[   78.352143][ T6850]  ? try_to_grab_pending.part.0+0x7d0/0x7d0
[   78.358068][ T6850]  hci_unregister_dev+0x1bd/0xe30
[   78.363097][ T6850]  ? fcntl_setlk+0xf60/0xf60
[   78.367680][ T6850]  ? lock_is_held_type+0xbb/0xf0
[   78.372766][ T6850]  vhci_release+0x70/0xe0
[   78.377090][ T6850]  __fput+0x285/0x920
[   78.381083][ T6850]  ? vhci_close_dev+0x50/0x50
[   78.385754][ T6850]  task_work_run+0xdd/0x190
[   78.390269][ T6850]  do_exit+0xb7d/0x29f0
[   78.394435][ T6850]  ? blkcg_maybe_throttle_current+0x617/0xf00
[   78.400506][ T6850]  ? mm_update_next_owner+0x7a0/0x7a0
[   78.405875][ T6850]  ? lock_is_held_type+0xbb/0xf0
[   78.410803][ T6850]  ? __blkcg_punt_bio_submit+0x1d0/0x1d0
[   78.416445][ T6850]  ? mem_cgroup_move_account+0xcb0/0xcb0
[   78.422083][ T6850]  ? lock_is_held_type+0xbb/0xf0
[   78.427020][ T6850]  do_group_exit+0x125/0x310
[   78.431644][ T6850]  __x64_sys_exit_group+0x3a/0x50
[   78.436692][ T6850]  do_syscall_64+0x2d/0x70
[   78.441117][ T6850]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[   78.447001][ T6850] RIP: 0033:0x4450c8
[   78.450876][ T6850] Code: Bad RIP value.
[   78.454931][ T6850] RSP: 002b:00007ffce217ffd8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[   78.463332][ T6850] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00000000004450c8
[   78.471293][ T6850] RDX: 0000000000000001 RSI: 000000000000003c RDI: 0000000000000001
[   78.479256][ T6850] RBP: 00000000004cceb0 R08: 00000000000000e7 R09: ffffffffffffffd0
[   78.487235][ T6850] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001
[   78.495219][ T6850] R13: 00000000006e0200 R14: 0000000000000000 R15: 0000000000000000
[   78.503249][ T6850]
[   78.505569][ T6850] Allocated by task 1540:
[   78.509898][ T6850]  kasan_save_stack+0x1b/0x40
[   78.514887][ T6850]  __kasan_kmalloc.constprop.0+0xbf/0xd0
[   78.520868][ T6850]  kmem_cache_alloc_trace+0x16e/0x2c0
[   78.526236][ T6850]  hci_chan_create+0x9b/0x330
[   78.530907][ T6850]  l2cap_conn_add.part.0+0x1e/0xe10
[   78.536096][ T6850]  l2cap_connect_cfm+0x23b/0x1090
[   78.541172][ T6850]  le_conn_complete_evt+0x1153/0x1740
[   78.546529][ T6850]  hci_le_meta_evt+0x745/0x3ff0
[   78.551369][ T6850]  hci_event_packet+0x2e25/0x87a8
[   78.556400][ T6850]  hci_rx_work+0x22e/0xb50
[   78.560805][ T6850]  process_one_work+0x94c/0x1670
[   78.565729][ T6850]  worker_thread+0x64c/0x1120
[   78.570393][ T6850]  kthread+0x3b5/0x4a0
[   78.574453][ T6850]  ret_from_fork+0x1f/0x30
[   78.578850][ T6850]
[   78.581167][ T6850] Freed by task 6876:
[   78.585139][ T6850]  kasan_save_stack+0x1b/0x40
[   78.589806][ T6850]  kasan_set_track+0x1c/0x30
[   78.594387][ T6850]  kasan_set_free_info+0x1b/0x30
[   78.599312][ T6850]  __kasan_slab_free+0xd8/0x120
[   78.604149][ T6850]  kfree+0x103/0x2c0
[   78.608033][ T6850]  hci_event_packet+0x3e33/0x87a8
[   78.613062][ T6850]  hci_rx_work+0x22e/0xb50
[   78.617472][ T6850]  process_one_work+0x94c/0x1670
[   78.622414][ T6850]  worker_thread+0x64c/0x1120
[   78.627098][ T6850]  kthread+0x3b5/0x4a0
[   78.631162][ T6850]  ret_from_fork+0x1f/0x30
[   78.635563][ T6850]
[   78.637886][ T6850] The buggy address belongs to the object at ffff888092864500
[   78.637886][ T6850]  which belongs to the cache kmalloc-128 of size 128
[   78.652012][ T6850] The buggy address is located 24 bytes inside of
[   78.652012][ T6850]  128-byte region [ffff888092864500, ffff888092864580)
[   78.665193][ T6850] The buggy address belongs to the page:
[   78.670837][ T6850] page:0000000042b8e40b refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x92864
[   78.680973][ T6850] flags: 0xfffe0000000200(slab)
[   78.685822][ T6850] raw: 00fffe0000000200 ffffea0002929a48 ffffea0002909a48 ffff8880aa040400
[   78.694400][ T6850] raw: 0000000000000000 ffff888092864000 0000000100000010 0000000000000000
[   78.702980][ T6850] page dumped because: kasan: bad access detected
[   78.709376][ T6850]
[   78.711707][ T6850] Memory state around the buggy address:
[   78.717330][ T6850]  ffff888092864400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   78.725378][ T6850]  ffff888092864480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   78.733427][ T6850] >ffff888092864500: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   78.741502][ T6850]                             ^
[   78.746360][ T6850]  ffff888092864580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   78.754428][ T6850]  ffff888092864600: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   78.762490][ T6850] ==================================================================
[   78.770534][ T6850] Disabling lock debugging due to kernel taint
[   78.778028][ T6781] tipc: TX() has been purged, node left!
[   78.783888][ T6850] Kernel panic - not syncing: panic_on_warn set ...
[   78.790523][ T6850] CPU: 1 PID: 6850 Comm: syz-executor852 Tainted: G    B             5.8.0-syzkaller #0
[   78.800229][ T6850] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   78.810276][ T6850] Call Trace:
[   78.813563][ T6850]  dump_stack+0x18f/0x20d
[   78.817906][ T6850]  ? hci_chan_del+0xf0/0x190
[   78.822493][ T6850]  panic+0x2e3/0x75c
[   78.826388][ T6850]  ? __warn_printk+0xf3/0xf3
[   78.830976][ T6850]  ? preempt_schedule_common+0x59/0xc0
[   78.836432][ T6850]  ? hci_chan_del+0x14f/0x190
[   78.841110][ T6850]  ? preempt_schedule_thunk+0x16/0x18
[   78.846501][ T6850]  ? trace_hardirqs_on+0x55/0x220
[   78.851524][ T6850]  ? hci_chan_del+0x14f/0x190
[   78.856198][ T6850]  ? hci_chan_del+0x14f/0x190
[   78.860872][ T6850]  end_report+0x4d/0x53
[   78.865023][ T6850]  kasan_report.cold+0xd/0x37
[   78.869705][ T6850]  ? hci_chan_del+0x14f/0x190
[   78.874450][ T6850]  hci_chan_del+0x14f/0x190
[   78.878948][ T6850]  l2cap_conn_del+0x61b/0x9e0
[   78.883624][ T6850]  ? l2cap_conn_del+0x9e0/0x9e0
[   78.888465][ T6850]  l2cap_disconn_cfm+0x85/0xa0
[   78.893230][ T6850]  hci_conn_hash_flush+0x114/0x220
[   78.898332][ T6850]  hci_dev_do_close+0x5c6/0x1080
[   78.903304][ T6850]  ? hci_dev_open+0x350/0x350
[   78.907988][ T6850]  ? do_raw_read_unlock+0x70/0x70
[   78.912988][ T6850]  ? try_to_grab_pending.part.0+0x7d0/0x7d0
[   78.918856][ T6850]  hci_unregister_dev+0x1bd/0xe30
[   78.923877][ T6850]  ? fcntl_setlk+0xf60/0xf60
[   78.928474][ T6850]  ? lock_is_held_type+0xbb/0xf0
[   78.933427][ T6850]  vhci_release+0x70/0xe0
[   78.937764][ T6850]  __fput+0x285/0x920
[   78.941728][ T6850]  ? vhci_close_dev+0x50/0x50
[   78.946499][ T6850]  task_work_run+0xdd/0x190
[   78.951010][ T6850]  do_exit+0xb7d/0x29f0
[   78.955176][ T6850]  ? blkcg_maybe_throttle_current+0x617/0xf00
[   78.961215][ T6850]  ? mm_update_next_owner+0x7a0/0x7a0
[   78.966562][ T6850]  ? lock_is_held_type+0xbb/0xf0
[   78.971473][ T6850]  ? __blkcg_punt_bio_submit+0x1d0/0x1d0
[   78.977092][ T6850]  ? mem_cgroup_move_account+0xcb0/0xcb0
[   78.982701][ T6850]  ? lock_is_held_type+0xbb/0xf0
[   78.987625][ T6850]  do_group_exit+0x125/0x310
[   78.992190][ T6850]  __x64_sys_exit_group+0x3a/0x50
[   78.997191][ T6850]  do_syscall_64+0x2d/0x70
[   79.001602][ T6850]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[   79.007480][ T6850] RIP: 0033:0x4450c8
[   79.011342][ T6850] Code: Bad RIP value.
[   79.015392][ T6850] RSP: 002b:00007ffce217ffd8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[   79.023773][ T6850] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00000000004450c8
[   79.031744][ T6850] RDX: 0000000000000001 RSI: 000000000000003c RDI: 0000000000000001
[   79.039712][ T6850] RBP: 00000000004cceb0 R08: 00000000000000e7 R09: ffffffffffffffd0
[   79.047672][ T6850] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001
[   79.055632][ T6850] R13: 00000000006e0200 R14: 0000000000000000 R15: 0000000000000000
[   79.064666][ T6850] Kernel Offset: disabled
[   79.069003][ T6850] Rebooting in 86400 seconds..