Warning: Permanently added '10.128.0.76' (ECDSA) to the list of known hosts.
syzkaller login: [   33.970817] audit: type=1400 audit(1597037522.910:8): avc:  denied  { execmem } for  pid=6349 comm="syz-executor283" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=1
[   33.992553] IPVS: ftp: loaded support on port[0] = 21
executing program
[   35.159761] ==================================================================
[   35.167239] BUG: KASAN: use-after-free in hci_chan_del+0x131/0x180
[   35.173556] Read of size 8 at addr ffff8880a714ce58 by task syz-executor283/6350
[   35.181096]
[   35.182701] CPU: 1 PID: 6350 Comm: syz-executor283 Not tainted 4.14.193-syzkaller #0
[   35.190577] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   35.200006] Call Trace:
[   35.202573]  dump_stack+0x1b2/0x283
[   35.206176]  ? l2cap_conn_del+0x670/0x670
[   35.210317]  print_address_description.cold+0x54/0x1d3
[   35.215569]  kasan_report_error.cold+0x8a/0x194
[   35.220213]  ? hci_chan_del+0x131/0x180
[   35.224161]  __asan_report_load8_noabort+0x68/0x70
[   35.229074]  ? hci_chan_del+0x131/0x180
[   35.233022]  hci_chan_del+0x131/0x180
[   35.237345]  l2cap_conn_del+0x417/0x670
[   35.241311]  ? __mutex_unlock_slowpath+0x75/0x770
[   35.246127]  ? l2cap_conn_del+0x670/0x670
[   35.250248]  l2cap_disconn_cfm+0x6b/0x80
[   35.254283]  hci_conn_hash_flush+0x114/0x220
[   35.258667]  hci_dev_do_close+0x542/0xc50
[   35.262791]  ? lock_downgrade+0x740/0x740
[   35.266915]  hci_unregister_dev+0x170/0x7a0
[   35.271211]  ? fcntl_setlk+0xdb0/0xdb0
[   35.275091]  ? vhci_close_dev+0x50/0x50
[   35.279048]  vhci_release+0x70/0xe0
[   35.282676]  __fput+0x25f/0x7a0
[   35.285950]  task_work_run+0x11f/0x190
[   35.289816]  do_exit+0xa08/0x27f0
[   35.293243]  ? sk_wait_data+0x361/0x3d0
[   35.297193]  ? selinux_socket_setsockopt+0x60/0x80
[   35.302204]  ? mm_update_next_owner+0x5b0/0x5b0
[   35.306844]  ? security_socket_setsockopt+0x83/0xb0
[   35.311946]  ? SyS_setsockopt+0x130/0x1e0
[   35.316084]  ? SyS_recv+0x40/0x40
[   35.319514]  do_group_exit+0x100/0x2e0
[   35.323377]  SyS_exit_group+0x19/0x20
[   35.327149]  ? do_group_exit+0x2e0/0x2e0
[   35.331184]  do_syscall_64+0x1d5/0x640
[   35.335052]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[   35.340216] RIP: 0033:0x445138
[   35.343379] RSP: 002b:00007fff43c71c88 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[   35.351087] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 0000000000445138
[   35.358332] RDX: 0000000000000001 RSI: 000000000000003c RDI: 0000000000000001
[   35.365575] RBP: 00000000004ccef0 R08: 00000000000000e7 R09: ffffffffffffffd0
[   35.372836] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001
[   35.380096] R13: 00000000006e0220 R14: 0000000000000000 R15: 0000000000000000
[   35.387347]
[   35.388983] Allocated by task 1202:
[   35.392586]  kasan_kmalloc+0xeb/0x160
[   35.396374]  kmem_cache_alloc_trace+0x131/0x3d0
[   35.401104]  hci_chan_create+0x7c/0x300
[   35.405053]  l2cap_conn_add.part.0+0x18/0xc20
[   35.409521]  l2cap_connect_cfm+0x1d2/0xce0
[   35.413741]  hci_le_meta_evt+0x3288/0x3fc0
[   35.417961]  hci_event_packet+0x25a7/0x7c7a
[   35.422430]  hci_rx_work+0x3e6/0x970
[   35.426117]  process_one_work+0x793/0x14a0
[   35.430325]  worker_thread+0x5cc/0xff0
[   35.434184]  kthread+0x30d/0x420
[   35.437522]  ret_from_fork+0x24/0x30
[   35.441205]
[   35.442809] Freed by task 1202:
[   35.446061]  kasan_slab_free+0xc3/0x1a0
[   35.450024]  kfree+0xc9/0x250
[   35.453102]  hci_event_packet+0xeae/0x7c7a
[   35.457321]  hci_rx_work+0x3e6/0x970
[   35.461009]  process_one_work+0x793/0x14a0
[   35.465231]  worker_thread+0x5cc/0xff0
[   35.469112]  kthread+0x30d/0x420
[   35.472686]  ret_from_fork+0x24/0x30
[   35.476394]
[   35.477999] The buggy address belongs to the object at ffff8880a714ce40
[   35.477999]  which belongs to the cache kmalloc-128 of size 128
[   35.490683] The buggy address is located 24 bytes inside of
[   35.490683]  128-byte region [ffff8880a714ce40, ffff8880a714cec0)
[   35.502888] The buggy address belongs to the page:
[   35.507790] page:ffffea00029c5300 count:1 mapcount:0 mapping:ffff8880a714c000 index:0xffff8880a714cd80
[   35.517297] flags: 0xfffe0000000100(slab)
[   35.521435] raw: 00fffe0000000100 ffff8880a714c000 ffff8880a714cd80 0000000100000013
[   35.529653] raw: ffffea000242aa20 ffffea0002a1e160 ffff88812fe52640 0000000000000000
[   35.537681] page dumped because: kasan: bad access detected
[   35.543374]
[   35.544993] Memory state around the buggy address:
[   35.549893]  ffff8880a714cd00: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
[   35.557250]  ffff8880a714cd80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   35.565118] >ffff8880a714ce00: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[   35.572464]                                                     ^
[   35.578684]  ffff8880a714ce80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   35.586033]  ffff8880a714cf00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   35.593365] ==================================================================
[   35.600694] Disabling lock debugging due to kernel taint
[   35.607858] Kernel panic - not syncing: panic_on_warn set ...
[   35.607858]
[   35.615235] CPU: 1 PID: 6350 Comm: syz-executor283 Tainted: G    B           4.14.193-syzkaller #0
[   35.624342] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   35.633687] Call Trace:
[   35.636268]  dump_stack+0x1b2/0x283
[   35.640150]  ? l2cap_conn_del+0x670/0x670
[   35.644287]  panic+0x1f9/0x42d
[   35.647483]  ? add_taint.cold+0x16/0x16
[   35.651450]  ? ___preempt_schedule+0x16/0x18
[   35.655838]  kasan_end_report+0x43/0x49
[   35.659796]  kasan_report_error.cold+0xa7/0x194
[   35.664436]  ? hci_chan_del+0x131/0x180
[   35.668381]  __asan_report_load8_noabort+0x68/0x70
[   35.673298]  ? hci_chan_del+0x131/0x180
[   35.677245]  hci_chan_del+0x131/0x180
[   35.681118]  l2cap_conn_del+0x417/0x670
[   35.685086]  ? __mutex_unlock_slowpath+0x75/0x770
[   35.689900]  ? l2cap_conn_del+0x670/0x670
[   35.694038]  l2cap_disconn_cfm+0x6b/0x80
[   35.698085]  hci_conn_hash_flush+0x114/0x220
[   35.702483]  hci_dev_do_close+0x542/0xc50
[   35.706604]  ? lock_downgrade+0x740/0x740
[   35.710726]  hci_unregister_dev+0x170/0x7a0
[   35.715036]  ? fcntl_setlk+0xdb0/0xdb0
[   35.718915]  ? vhci_close_dev+0x50/0x50
[   35.722861]  vhci_release+0x70/0xe0
[   35.726475]  __fput+0x25f/0x7a0
[   35.729736]  task_work_run+0x11f/0x190
[   35.733610]  do_exit+0xa08/0x27f0
[   35.737040]  ? sk_wait_data+0x361/0x3d0
[   35.741165]  ? selinux_socket_setsockopt+0x60/0x80
[   35.746093]  ? mm_update_next_owner+0x5b0/0x5b0
[   35.750735]  ? security_socket_setsockopt+0x83/0xb0
[   35.755735]  ? SyS_setsockopt+0x130/0x1e0
[   35.759972]  ? SyS_recv+0x40/0x40
[   35.763411]  do_group_exit+0x100/0x2e0
[   35.767272]  SyS_exit_group+0x19/0x20
[   35.771047]  ? do_group_exit+0x2e0/0x2e0
[   35.775105]  do_syscall_64+0x1d5/0x640
[   35.778968]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[   35.784155] RIP: 0033:0x445138
[   35.787319] RSP: 002b:00007fff43c71c88 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[   35.795001] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 0000000000445138
[   35.802275] RDX: 0000000000000001 RSI: 000000000000003c RDI: 0000000000000001
[   35.809520] RBP: 00000000004ccef0 R08: 00000000000000e7 R09: ffffffffffffffd0
[   35.816761] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001
[   35.824017] R13: 00000000006e0220 R14: 0000000000000000 R15: 0000000000000000
[   35.832229] Kernel Offset: disabled
[   35.835853] Rebooting in 86400 seconds..
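The report above carries everything a first-pass triage needs, but scattered across a console log: the faulting function and access width, the slab object and the offset of the access inside it, the allocation and free stacks with their owning tasks, and the KASAN shadow byte under the address. The following Python helper is an added example, not part of the syzkaller report and not kernel or syzkaller code. It parses the KASAN section (the embedded REPORT string is an excerpt of the log above, timestamps included so the stripping is exercised) and reduces it to the facts a kernel triager writes down first: an 8-byte read at offset 24 of a kmalloc-128 object that hci_chan_create allocated, that hci_event_packet freed on the hci_rx_work kworker (task 1202), and that hci_chan_del then read from a different task (6350, the syz-executor's exit path) while the shadow byte for the address was 0xfb, i.e. freed slab memory. The shadow-byte table is the generic-mode encoding from the kernel's mm/kasan/kasan.h; the frame-filtering list (_PLUMBING) is this example's own heuristic for skipping allocator and workqueue frames.

```python
"""Pull triage facts out of a KASAN report (added example, not kernel or syzkaller code)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Excerpt of the report above; printk timestamps kept because the parser strips them.
REPORT = """\
[   35.167239] BUG: KASAN: use-after-free in hci_chan_del+0x131/0x180
[   35.173556] Read of size 8 at addr ffff8880a714ce58 by task syz-executor283/6350
[   35.388983] Allocated by task 1202:
[   35.392586]  kasan_kmalloc+0xeb/0x160
[   35.396374]  kmem_cache_alloc_trace+0x131/0x3d0
[   35.401104]  hci_chan_create+0x7c/0x300
[   35.405053]  l2cap_conn_add.part.0+0x18/0xc20
[   35.409521]  l2cap_connect_cfm+0x1d2/0xce0
[   35.413741]  hci_le_meta_evt+0x3288/0x3fc0
[   35.417961]  hci_event_packet+0x25a7/0x7c7a
[   35.422430]  hci_rx_work+0x3e6/0x970
[   35.426117]  process_one_work+0x793/0x14a0
[   35.430325]  worker_thread+0x5cc/0xff0
[   35.434184]  kthread+0x30d/0x420
[   35.437522]  ret_from_fork+0x24/0x30
[   35.442809] Freed by task 1202:
[   35.446061]  kasan_slab_free+0xc3/0x1a0
[   35.450024]  kfree+0xc9/0x250
[   35.453102]  hci_event_packet+0xeae/0x7c7a
[   35.457321]  hci_rx_work+0x3e6/0x970
[   35.461009]  process_one_work+0x793/0x14a0
[   35.465231]  worker_thread+0x5cc/0xff0
[   35.469112]  kthread+0x30d/0x420
[   35.472686]  ret_from_fork+0x24/0x30
[   35.477999] The buggy address belongs to the object at ffff8880a714ce40
[   35.477999]  which belongs to the cache kmalloc-128 of size 128
[   35.565118] >ffff8880a714ce00: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
"""

# Generic-mode KASAN shadow encodings (mm/kasan/kasan.h); 0x01..0x07 = partially addressable.
SHADOW = {0x00: "addressable", 0xfa: "global redzone", 0xfb: "freed kmalloc object",
          0xfc: "kmalloc redzone", 0xfe: "page redzone", 0xff: "freed page",
          0xf1: "stack left redzone", 0xf2: "stack mid redzone", 0xf3: "stack right redzone"}
# Heuristic: allocator and workqueue frames say nothing about who owns the object.
_PLUMBING = re.compile(r"^(kasan_|kmem_cache_|__kmalloc|kmalloc|kzalloc|kfree|"
                       r"process_one_work|worker_thread|kthread|ret_from_fork)")
_TS = re.compile(r"^\[\s*\d+\.\d+\]\s?")                      # printk timestamp prefix
_FRAME = re.compile(r"^\s*(?:\? )?(\S+)\+0x[0-9a-f]+/0x[0-9a-f]+$")
_ROW = re.compile(r"^[ >]([0-9a-f]{16}): ((?:[0-9a-f]{2} ?){16})$")


@dataclass
class Kasan:
    bug: str
    func: str
    access: str = ""
    size: int = 0
    addr: int = 0
    pid: int = 0
    obj: Optional[int] = None
    cache: Optional[str] = None
    alloc_pid: Optional[int] = None
    free_pid: Optional[int] = None
    alloc: List[str] = field(default_factory=list)
    free: List[str] = field(default_factory=list)
    shadow: Dict[int, List[int]] = field(default_factory=dict)

    def shadow_at(self) -> Optional[int]:
        # One shadow byte per 8-byte granule, 16 per printed row: row X covers [X, X+128).
        row = self.addr & ~0x7f
        return None if row not in self.shadow else self.shadow[row][(self.addr - row) // 8]

    def owner(self, stack: List[str]) -> Optional[str]:
        return next((f for f in stack if not _PLUMBING.match(f)), None)


def parse(text: str) -> Kasan:
    rep, sect = None, None                       # sect: which stack dump we are inside
    for ln in (_TS.sub("", raw).rstrip() for raw in text.splitlines()):
        if m := re.match(r"BUG: KASAN: (\S+) in (\S+?)\+0x", ln):
            rep = Kasan(m[1], m[2])
        elif rep is None:
            continue
        elif m := re.match(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task \S+/(\d+)", ln):
            rep.access, rep.size, rep.addr, rep.pid = m[1], int(m[2]), int(m[3], 16), int(m[4])
        elif m := re.match(r"(Allocated|Freed) by task (\d+):", ln):
            sect = "alloc" if m[1] == "Allocated" else "free"
            setattr(rep, sect + "_pid", int(m[2]))
        elif m := re.search(r"object at ([0-9a-f]+)", ln):
            rep.obj, sect = int(m[1], 16), None
        elif m := re.search(r"cache (\S+) of size", ln):
            rep.cache = m[1]
        elif m := _ROW.match(ln):
            rep.shadow[int(m[1], 16)] = [int(b, 16) for b in m[2].split()]
        elif sect and (m := _FRAME.match(ln)):
            getattr(rep, sect).append(m[1])
    if rep is None: raise ValueError("no KASAN report in input")
    return rep


def triage(rep: Kasan) -> Dict[str, object]:
    # The access, the owning code at both ends of the object's life, whether the access
    # really landed in freed memory, and whether free and use ran in different tasks.
    sb = rep.shadow_at()
    return {"bug": f"{rep.bug}: {rep.access.lower()} of {rep.size} bytes in {rep.func}",
            "object": f"{rep.cache} object {rep.obj:#x}, access at offset {rep.addr - rep.obj}",
            "allocated_by": rep.owner(rep.alloc), "freed_by": rep.owner(rep.free),
            "shadow": "unknown" if sb is None else SHADOW.get(sb, f"{sb:#04x}"),
            "cross_task": rep.free_pid != rep.pid}
```

Run `triage(parse(REPORT))` on the excerpt, or feed `parse` the whole console log: the timestamp stripping and the "no report yet" guard let it consume the raw syzkaller output as-is. The `cross_task` flag is the cheapest signal that this is a lifetime bug between two contexts (the HCI RX work item that freed the object and the process-exit path that still held a pointer to it) rather than a single code path freeing and reusing its own allocation.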