Debian GNU/Linux 9 syzkaller ttyS0
Warning: Permanently added '10.128.0.138' (ECDSA) to the list of known hosts.
syzkaller login: [ 33.580199] audit: type=1400 audit(1596460078.639:8): avc: denied { execmem } for pid=6351 comm="syz-executor148" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=1
[ 33.947914] IPVS: ftp: loaded support on port[0] = 21
executing program
executing program
executing program
executing program
[ 37.234985] ==================================================================
[ 37.242460] BUG: KASAN: use-after-free in sco_chan_del+0x3b2/0x3d0
[ 37.248814] Read of size 1 at addr ffff88808944aaf5 by task syz-executor148/6399
[ 37.256331]
[ 37.257966] CPU: 0 PID: 6399 Comm: syz-executor148 Not tainted 4.14.191-syzkaller #0
[ 37.265855] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 37.275271] Call Trace:
[ 37.277841]  dump_stack+0x1b2/0x283
[ 37.281451]  print_address_description.cold+0x54/0x1d3
[ 37.286708]  kasan_report_error.cold+0x8a/0x194
[ 37.291361]  ? sco_chan_del+0x3b2/0x3d0
[ 37.295336]  __asan_report_load1_noabort+0x68/0x70
[ 37.300253]  ? sco_chan_del+0x3b2/0x3d0
[ 37.304208]  sco_chan_del+0x3b2/0x3d0
[ 37.308001]  __sco_sock_close+0xb0/0x670
[ 37.312055]  sco_sock_release+0x6a/0x370
[ 37.316103]  __sock_release+0xcd/0x2b0
[ 37.319979]  ? __sock_release+0x2b0/0x2b0
[ 37.324171]  sock_close+0x15/0x20
[ 37.327615]  __fput+0x25f/0x7a0
[ 37.330886]  task_work_run+0x11f/0x190
[ 37.334755]  get_signal+0x18a3/0x1ca0
[ 37.338543]  ? reacquire_held_locks+0xb5/0x3f0
[ 37.343107]  ? sco_sock_connect+0x42b/0x860
[ 37.347408]  do_signal+0x7c/0x1550
[ 37.350974]  ? lock_downgrade+0x740/0x740
[ 37.355106]  ? check_preemption_disabled+0x35/0x240
[ 37.360117]  ? setup_sigcontext+0x820/0x820
[ 37.364422]  ? kick_process+0xe4/0x170
[ 37.368297]  ? task_work_add+0x87/0xe0
[ 37.372349]  ? sco_sock_create+0xf0/0xf0
[ 37.376392]  ? fput+0xaa/0x140
[ 37.379565]  ? SyS_connect+0xf6/0x240
[ 37.383343]  ? SyS_accept+0x30/0x30
[ 37.386951]  ? lock_downgrade+0x740/0x740
[ 37.391083]  ? _raw_spin_unlock_irq+0x24/0x80
[ 37.395558]  ? exit_to_usermode_loop+0x41/0x200
[ 37.400311]  exit_to_usermode_loop+0x160/0x200
[ 37.404891]  do_syscall_64+0x4a3/0x640
[ 37.408786]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 37.413996] RIP: 0033:0x447089
[ 37.417162] RSP: 002b:00007f539742ddb8 EFLAGS: 00000246 ORIG_RAX: 000000000000002a
[ 37.424848] RAX: fffffffffffffffc RBX: 00000000006dbc48 RCX: 0000000000447089
[ 37.432110] RDX: 0000000000000008 RSI: 0000000020000000 RDI: 0000000000000004
[ 37.439388] RBP: 00000000006dbc40 R08: 00007f539742e700 R09: 0000000000000000
[ 37.446648] R10: 00007f539742e700 R11: 0000000000000246 R12: 00000000006dbc4c
[ 37.453896] R13: 00007ffe19f6cc6f R14: 00007f539742e9c0 R15: 00000000006dbc4c
[ 37.461151]
[ 37.462755] Allocated by task 6399:
[ 37.466807]  kasan_kmalloc+0xeb/0x160
[ 37.470595]  kmem_cache_alloc_trace+0x131/0x3d0
[ 37.475240]  hci_conn_add+0x53/0x12f0
[ 37.479028]  hci_connect_sco+0x265/0x7d0
[ 37.483071]  sco_sock_connect+0x26c/0x860
[ 37.487210]  SyS_connect+0x1f4/0x240
[ 37.490899]  do_syscall_64+0x1d5/0x640
[ 37.494760]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 37.499921]
[ 37.501521] Freed by task 6381:
[ 37.504790]  kasan_slab_free+0xc3/0x1a0
[ 37.508739]  kfree+0xc9/0x250
[ 37.511820]  device_release+0xf0/0x1a0
[ 37.515687]  kobject_put+0x1f3/0x2d0
[ 37.519393]  put_device+0x1c/0x30
[ 37.522829]  hci_conn_del+0x235/0x620
[ 37.526605]  hci_phy_link_complete_evt.isra.0+0x4d0/0x6c0
[ 37.532127]  hci_event_packet+0x2592/0x7c7a
[ 37.536964]  hci_rx_work+0x3e6/0x970
[ 37.540665]  process_one_work+0x793/0x14a0
[ 37.544876]  worker_thread+0x5cc/0xff0
[ 37.548737]  kthread+0x30d/0x420
[ 37.552080]  ret_from_fork+0x24/0x30
[ 37.556807]
[ 37.558436] The buggy address belongs to the object at ffff88808944aac0
[ 37.558436]  which belongs to the cache kmalloc-4096 of size 4096
[ 37.571263] The buggy address is located 53 bytes inside of
[ 37.571263]  4096-byte region [ffff88808944aac0, ffff88808944bac0)
[ 37.583111] The buggy address belongs to the page:
[ 37.588016] page:ffffea0002251280 count:1 mapcount:0 mapping:ffff88808944aac0 index:0x0 compound_mapcount: 0
[ 37.597962] flags: 0xfffe0000008100(slab|head)
[ 37.602521] raw: 00fffe0000008100 ffff88808944aac0 0000000000000000 0000000100000001
[ 37.610593] raw: ffffea00025e4ca0 ffff88812fe50a48 ffff88812fe52dc0 0000000000000000
[ 37.618467] page dumped because: kasan: bad access detected
[ 37.624155]
[ 37.625761] Memory state around the buggy address:
[ 37.630675]  ffff88808944a980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 37.638016]  ffff88808944aa00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 37.645352] >ffff88808944aa80: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 37.652701]                                                                 ^
[ 37.659711]  ffff88808944ab00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 37.667046]  ffff88808944ab80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 37.674391] ==================================================================
[ 37.681808] Disabling lock debugging due to kernel taint
[ 37.694345] Kernel panic - not syncing: panic_on_warn set ...
[ 37.694345]
[ 37.701702] CPU: 1 PID: 6399 Comm: syz-executor148 Tainted: G B 4.14.191-syzkaller #0
[ 37.710789] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 37.720144] Call Trace:
[ 37.722710]  dump_stack+0x1b2/0x283
[ 37.726315]  panic+0x1f9/0x42d
[ 37.729482]  ? add_taint.cold+0x16/0x16
[ 37.733429]  ? ___preempt_schedule+0x16/0x18
[ 37.737822]  kasan_end_report+0x43/0x49
[ 37.741772]  kasan_report_error.cold+0xa7/0x194
[ 37.746417]  ? sco_chan_del+0x3b2/0x3d0
[ 37.750378]  __asan_report_load1_noabort+0x68/0x70
[ 37.755318]  ? sco_chan_del+0x3b2/0x3d0
[ 37.759266]  sco_chan_del+0x3b2/0x3d0
[ 37.763060]  __sco_sock_close+0xb0/0x670
[ 37.767118]  sco_sock_release+0x6a/0x370
[ 37.771168]  __sock_release+0xcd/0x2b0
[ 37.775044]  ? __sock_release+0x2b0/0x2b0
[ 37.779163]  sock_close+0x15/0x20
[ 37.782602]  __fput+0x25f/0x7a0
[ 37.785869]  task_work_run+0x11f/0x190
[ 37.789743]  get_signal+0x18a3/0x1ca0
[ 37.793530]  ? reacquire_held_locks+0xb5/0x3f0
[ 37.798089]  ? sco_sock_connect+0x42b/0x860
[ 37.802395]  do_signal+0x7c/0x1550
[ 37.805910]  ? lock_downgrade+0x740/0x740
[ 37.810030]  ? check_preemption_disabled+0x35/0x240
[ 37.815034]  ? setup_sigcontext+0x820/0x820
[ 37.819341]  ? kick_process+0xe4/0x170
[ 37.823199]  ? task_work_add+0x87/0xe0
[ 37.827060]  ? sco_sock_create+0xf0/0xf0
[ 37.831094]  ? fput+0xaa/0x140
[ 37.834277]  ? SyS_connect+0xf6/0x240
[ 37.838047]  ? SyS_accept+0x30/0x30
[ 37.841648]  ? lock_downgrade+0x740/0x740
[ 37.845784]  ? _raw_spin_unlock_irq+0x24/0x80
[ 37.850266]  ? exit_to_usermode_loop+0x41/0x200
[ 37.854923]  exit_to_usermode_loop+0x160/0x200
[ 37.859479]  do_syscall_64+0x4a3/0x640
[ 37.863340]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 37.868519] RIP: 0033:0x447089
[ 37.871694] RSP: 002b:00007f539742ddb8 EFLAGS: 00000246 ORIG_RAX: 000000000000002a
[ 37.879387] RAX: fffffffffffffffc RBX: 00000000006dbc48 RCX: 0000000000447089
[ 37.886635] RDX: 0000000000000008 RSI: 0000000020000000 RDI: 0000000000000004
[ 37.893879] RBP: 00000000006dbc40 R08: 00007f539742e700 R09: 0000000000000000
[ 37.901137] R10: 00007f539742e700 R11: 0000000000000246 R12: 00000000006dbc4c
[ 37.908380] R13: 00007ffe19f6cc6f R14: 00007f539742e9c0 R15: 00000000006dbc4c
[ 37.916647] Kernel Offset: disabled
[ 37.920276] Rebooting in 86400 seconds..