[  OK  ] Reached target Graphical Interface.
         Starting Update UTMP about System Runlevel Changes...
[  OK  ] Started Update UTMP about System Runlevel Changes.
         Starting Load/Save RF Kill Switch Status...
[  OK  ] Started Load/Save RF Kill Switch Status.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.1.37' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [  402.415690] IPVS: ftp: loaded support on port[0] = 21
[  404.458928] Bluetooth: hci0 command 0x0409 tx timeout
[  406.538553] Bluetooth: hci0 command 0x041b tx timeout
executing program
[  408.618457] Bluetooth: hci0 command 0x040f tx timeout
[  410.698446] Bluetooth: hci0 command 0x0419 tx timeout
executing program
[  412.778475] Bluetooth: hci0 command 0x0405 tx timeout
executing program
executing program
executing program
executing program
executing program
executing program
[  442.698909] ==================================================================
[  442.706291] BUG: KASAN: use-after-free in __lock_acquire+0x2c57/0x3f20
[  442.712979] Read of size 8 at addr ffff8880b3a68d60 by task kworker/1:0/18
[  442.720238]
[  442.721852] CPU: 1 PID: 18 Comm: kworker/1:0 Not tainted 4.14.218-syzkaller #0
[  442.729979] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[  442.739316] Workqueue: events l2cap_chan_timeout
[  442.744054] Call Trace:
[  442.747328]  dump_stack+0x1b2/0x281
[  442.750953]  print_address_description.cold+0x54/0x1d3
[  442.756212]  kasan_report_error.cold+0x8a/0x191
[  442.761053]  ? __lock_acquire+0x2c57/0x3f20
[  442.765368]  __asan_report_load8_noabort+0x68/0x70
[  442.770306]  ? __lock_acquire+0x2c57/0x3f20
[  442.774603]  __lock_acquire+0x2c57/0x3f20
[  442.778736]  ? lock_acquire+0x170/0x3f0
[  442.782711]  ? lock_downgrade+0x740/0x740
[  442.786848]  ? trace_hardirqs_on+0x10/0x10
[  442.791061]  ? debug_object_assert_init+0x22d/0x2d0
[  442.796059]  ? debug_object_active_state+0x330/0x330
[  442.801158]  ? ret_from_fork+0x24/0x30
[  442.805028]  ? add_lock_to_list.constprop.0+0x17d/0x330
[  442.810386]  ? save_trace+0xd6/0x290
[  442.814082]  lock_acquire+0x170/0x3f0
[  442.817885]  ? lock_sock_nested+0x39/0x100
[  442.822305]  _raw_spin_lock_bh+0x2f/0x40
[  442.826370]  ? lock_sock_nested+0x39/0x100
[  442.830586]  lock_sock_nested+0x39/0x100
[  442.834623]  l2cap_sock_teardown_cb+0x93/0x650
[  442.839202]  l2cap_chan_del+0xaf/0x950
[  442.843192]  l2cap_chan_close+0x103/0x870
[  442.847323]  ? __set_monitor_timer+0x1d0/0x1d0
[  442.851887]  ? lock_acquire+0x170/0x3f0
[  442.856109]  l2cap_chan_timeout+0x143/0x2a0
[  442.860437]  process_one_work+0x793/0x14a0
[  442.864665]  ? work_busy+0x320/0x320
[  442.868363]  ? worker_thread+0x158/0xff0
[  442.872399]  ? _raw_spin_unlock_irq+0x24/0x80
[  442.876911]  worker_thread+0x5cc/0xff0
[  442.881322]  ? rescuer_thread+0xc80/0xc80
[  442.885445]  kthread+0x30d/0x420
[  442.888804]  ? kthread_create_on_node+0xd0/0xd0
[  442.893454]  ret_from_fork+0x24/0x30
[  442.897157]
[  442.898763] Allocated by task 7998:
[  442.902375]  kasan_kmalloc+0xeb/0x160
[  442.906160]  __kmalloc+0x15a/0x400
[  442.909680]  sk_prot_alloc+0x1ba/0x290
[  442.913551]  sk_alloc+0x36/0xcd0
[  442.916919]  l2cap_sock_alloc.constprop.0+0x31/0x210
[  442.922019]  l2cap_sock_create+0xf0/0x1a0
[  442.926169]  bt_sock_create+0x13b/0x280
[  442.930128]  __sock_create+0x303/0x620
[  442.934013]  SyS_socket+0xd1/0x1b0
[  442.937531]  do_syscall_64+0x1d5/0x640
[  442.941415]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[  442.946607]
[  442.948384] Freed by task 7998:
[  442.951664]  kasan_slab_free+0xc3/0x1a0
[  442.955617]  kfree+0xc9/0x250
[  442.958700]  __sk_destruct+0x5e3/0x760
[  442.962560]  __sk_free+0xd9/0x2d0
[  442.965985]  sk_free+0x2b/0x40
[  442.969157]  l2cap_sock_kill.part.0+0x106/0x130
[  442.973888]  l2cap_sock_release+0x1cd/0x280
[  442.978190]  __sock_release+0xcd/0x2b0
[  442.982052]  sock_close+0x15/0x20
[  442.985490]  __fput+0x25f/0x7a0
[  442.988757]  task_work_run+0x11f/0x190
[  442.992631]  do_exit+0xa44/0x2850
[  442.996069]  do_group_exit+0x100/0x2e0
[  442.999953]  get_signal+0x38d/0x1ca0
[  443.003669]  do_signal+0x7c/0x1550
[  443.007210]  exit_to_usermode_loop+0x160/0x200
[  443.012652]  do_syscall_64+0x4a3/0x640
[  443.016545]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[  443.021823]
[  443.023448] The buggy address belongs to the object at ffff8880b3a68cc0
[  443.023448]  which belongs to the cache kmalloc-2048 of size 2048
[  443.037210] The buggy address is located 160 bytes inside of
[  443.037210]  2048-byte region [ffff8880b3a68cc0, ffff8880b3a694c0)
[  443.049240] The buggy address belongs to the page:
[  443.054150] page:ffffea0002ce9a00 count:1 mapcount:0 mapping:ffff8880b3a68440 index:0x0 compound_mapcount: 0
[  443.064125] flags: 0xfff00000008100(slab|head)
[  443.068694] raw: 00fff00000008100 ffff8880b3a68440 0000000000000000 0000000100000003
[  443.076558] raw: ffffea0002ccb220 ffffea0002cf37a0 ffff88813fe80c40 0000000000000000
[  443.084606] page dumped because: kasan: bad access detected
[  443.090300]
[  443.091926] Memory state around the buggy address:
[  443.096922]  ffff8880b3a68c00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[  443.104324]  ffff8880b3a68c80: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[  443.111699] >ffff8880b3a68d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  443.119037]                                                        ^
[  443.125506]  ffff8880b3a68d80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  443.132944]  ffff8880b3a68e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  443.140294] ==================================================================
[  443.147624] Disabling lock debugging due to kernel taint
[  443.153046] Kernel panic - not syncing: panic_on_warn set ...
[  443.153046]
[  443.160575] CPU: 1 PID: 18 Comm: kworker/1:0 Tainted: G    B   4.14.218-syzkaller #0
[  443.170696] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[  443.180409] Workqueue: events l2cap_chan_timeout
[  443.185293] Call Trace:
[  443.188344]  dump_stack+0x1b2/0x281
[  443.199736]  panic+0x1f9/0x42d
[  443.203016]  ? add_taint.cold+0x16/0x16
[  443.206987]  ? lock_downgrade+0x740/0x740
[  443.212957]  kasan_end_report+0x43/0x49
[  443.217013]  kasan_report_error.cold+0xa7/0x191
[  443.222329]  ? __lock_acquire+0x2c57/0x3f20
[  443.226917]  __asan_report_load8_noabort+0x68/0x70
[  443.232248]  ? __lock_acquire+0x2c57/0x3f20
[  443.236914]  __lock_acquire+0x2c57/0x3f20
[  443.241067]  ? lock_acquire+0x170/0x3f0
[  443.246015]  ? lock_downgrade+0x740/0x740
[  443.250157]  ? trace_hardirqs_on+0x10/0x10
[  443.254669]  ? debug_object_assert_init+0x22d/0x2d0
[  443.259663]  ? debug_object_active_state+0x330/0x330
[  443.264762]  ? ret_from_fork+0x24/0x30
[  443.269234]  ? add_lock_to_list.constprop.0+0x17d/0x330
[  443.274578]  ? save_trace+0xd6/0x290
[  443.278272]  lock_acquire+0x170/0x3f0
[  443.282171]  ? lock_sock_nested+0x39/0x100
[  443.286394]  _raw_spin_lock_bh+0x2f/0x40
[  443.290441]  ? lock_sock_nested+0x39/0x100
[  443.294684]  lock_sock_nested+0x39/0x100
[  443.298824]  l2cap_sock_teardown_cb+0x93/0x650
[  443.303393]  l2cap_chan_del+0xaf/0x950
[  443.307345]  l2cap_chan_close+0x103/0x870
[  443.311495]  ? __set_monitor_timer+0x1d0/0x1d0
[  443.316068]  ? lock_acquire+0x170/0x3f0
[  443.320030]  l2cap_chan_timeout+0x143/0x2a0
[  443.324344]  process_one_work+0x793/0x14a0
[  443.328646]  ? work_busy+0x320/0x320
[  443.332993]  ? worker_thread+0x158/0xff0
[  443.337061]  ? _raw_spin_unlock_irq+0x24/0x80
[  443.341637]  worker_thread+0x5cc/0xff0
[  443.345942]  ? rescuer_thread+0xc80/0xc80
[  443.350087]  kthread+0x30d/0x420
[  443.353449]  ? kthread_create_on_node+0xd0/0xd0
[  443.358286]  ret_from_fork+0x24/0x30
[  443.362571] Kernel Offset: disabled
[  443.366192] Rebooting in 86400 seconds..