Warning: Permanently added '10.128.0.206' (ECDSA) to the list of known hosts.
[   33.320947] audit: type=1400 audit(1596685192.694:8): avc:  denied  { execmem } for  pid=6351 comm="syz-executor582" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=1
[   33.575222] IPVS: ftp: loaded support on port[0] = 21
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
[   37.411267] Bluetooth: hci0 command 0x0409 tx timeout
executing program
executing program
[   38.102559] ==================================================================
[   38.110106] BUG: KASAN: use-after-free in sco_chan_del+0x3b2/0x3d0
[   38.116454] Read of size 1 at addr ffff888096e247f5 by task syz-executor582/6423
[   38.123962] 
[   38.125569] CPU: 0 PID: 6423 Comm: syz-executor582 Not tainted 4.14.192-syzkaller #0
[   38.133425] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   38.142758] Call Trace:
[   38.145331]  dump_stack+0x1b2/0x283
[   38.148942]  print_address_description.cold+0x54/0x1d3
[   38.154204]  kasan_report_error.cold+0x8a/0x194
[   38.158861]  ? sco_chan_del+0x3b2/0x3d0
[   38.162827]  __asan_report_load1_noabort+0x68/0x70
[   38.167753]  ? sco_chan_del+0x3b2/0x3d0
[   38.171742]  sco_chan_del+0x3b2/0x3d0
[   38.175523]  __sco_sock_close+0xb0/0x670
[   38.179584]  sco_sock_release+0x6a/0x370
[   38.183734]  __sock_release+0xcd/0x2b0
[   38.187602]  ? __sock_release+0x2b0/0x2b0
[   38.191736]  sock_close+0x15/0x20
[   38.195177]  __fput+0x25f/0x7a0
[   38.198440]  task_work_run+0x11f/0x190
[   38.202329]  get_signal+0x18a3/0x1ca0
[   38.206110]  ? reacquire_held_locks+0xb5/0x3f0
[   38.210700]  ? sco_sock_connect+0x42b/0x860
[   38.215010]  do_signal+0x7c/0x1550
[   38.218530]  ? lock_downgrade+0x740/0x740
[   38.222657]  ? check_preemption_disabled+0x35/0x240
[   38.227675]  ? setup_sigcontext+0x820/0x820
[   38.231979]  ? kick_process+0xe4/0x170
[   38.235845]  ? task_work_add+0x87/0xe0
[   38.239717]  ? sco_sock_create+0xf0/0xf0
[   38.243757]  ? fput+0xaa/0x140
[   38.246954]  ? SyS_connect+0xf6/0x240
[   38.250759]  ? SyS_accept+0x30/0x30
[   38.254370]  ? SyS_futex+0x1da/0x290
[   38.258061]  ? SyS_futex+0x1e3/0x290
[   38.261756]  ? task_work_run+0xfd/0x190
[   38.265713]  ? exit_to_usermode_loop+0x41/0x200
[   38.270363]  exit_to_usermode_loop+0x160/0x200
[   38.274928]  do_syscall_64+0x4a3/0x640
[   38.278803]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[   38.283973] RIP: 0033:0x4470e9
[   38.287164] RSP: 002b:00007f12d8477db8 EFLAGS: 00000246 ORIG_RAX: 000000000000002a
[   38.294875] RAX: fffffffffffffffc RBX: 00000000006dcc28 RCX: 00000000004470e9
[   38.302128] RDX: 0000000000000008 RSI: 0000000020000080 RDI: 0000000000000004
[   38.309435] RBP: 00000000006dcc20 R08: 0000000000000000 R09: 0000000000000000
[   38.316690] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dcc2c
[   38.323949] R13: 00007ffd26a9aa2f R14: 00007f12d84789c0 R15: 00000000006dcc2c
[   38.331212] 
[   38.332820] Allocated by task 6421:
[   38.336435]  kasan_kmalloc+0xeb/0x160
[   38.340222]  kmem_cache_alloc_trace+0x131/0x3d0
[   38.344871]  hci_conn_add+0x53/0x12f0
[   38.348648]  hci_connect_sco+0x265/0x7d0
[   38.352686]  sco_sock_connect+0x26c/0x860
[   38.356838]  SyS_connect+0x1f4/0x240
[   38.360550]  do_syscall_64+0x1d5/0x640
[   38.364421]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[   38.369588] 
[   38.371216] Freed by task 1202:
[   38.374482]  kasan_slab_free+0xc3/0x1a0
[   38.378436]  kfree+0xc9/0x250
[   38.381523]  device_release+0xf0/0x1a0
[   38.385394]  kobject_put+0x1f3/0x2d0
[   38.389089]  put_device+0x1c/0x30
[   38.392522]  hci_conn_del+0x235/0x620
[   38.396300]  hci_phy_link_complete_evt.isra.0+0x4d0/0x6c0
[   38.401816]  hci_event_packet+0x2592/0x7c7a
[   38.406115]  hci_rx_work+0x3e6/0x970
[   38.409810]  process_one_work+0x793/0x14a0
[   38.414043]  worker_thread+0x5cc/0xff0
[   38.417907]  kthread+0x30d/0x420
[   38.421253]  ret_from_fork+0x24/0x30
[   38.424939] 
[   38.426544] The buggy address belongs to the object at ffff888096e247c0
[   38.426544]  which belongs to the cache kmalloc-4096 of size 4096
[   38.439359] The buggy address is located 53 bytes inside of
[   38.439359]  4096-byte region [ffff888096e247c0, ffff888096e257c0)
[   38.451248] The buggy address belongs to the page:
[   38.456173] page:ffffea00025b8900 count:1 mapcount:0 mapping:ffff888096e247c0 index:0x0 compound_mapcount: 0
[   38.466137] flags: 0xfffe0000008100(slab|head)
[   38.470724] raw: 00fffe0000008100 ffff888096e247c0 0000000000000000 0000000100000001
[   38.478619] raw: ffffea00025a72a0 ffffea00025b5020 ffff88812fe52dc0 0000000000000000
[   38.486668] page dumped because: kasan: bad access detected
[   38.492354] 
[   38.493955] Memory state around the buggy address:
[   38.498861]  ffff888096e24680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   38.506201]  ffff888096e24700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   38.513626] >ffff888096e24780: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[   38.520961]                                                              ^
[   38.527965]  ffff888096e24800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   38.535305]  ffff888096e24880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   38.542640] ==================================================================
[   38.549976] Disabling lock debugging due to kernel taint
[   38.556168] Kernel panic - not syncing: panic_on_warn set ...
[   38.556168] 
[   38.563563] CPU: 0 PID: 6423 Comm: syz-executor582 Tainted: G    B             4.14.192-syzkaller #0
[   38.572655] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   38.582000] Call Trace:
[   38.584574]  dump_stack+0x1b2/0x283
[   38.588205]  panic+0x1f9/0x42d
[   38.591382]  ? add_taint.cold+0x16/0x16
[   38.595336]  ? ___preempt_schedule+0x16/0x18
[   38.599730]  kasan_end_report+0x43/0x49
[   38.603682]  kasan_report_error.cold+0xa7/0x194
[   38.608331]  ? sco_chan_del+0x3b2/0x3d0
[   38.612312]  __asan_report_load1_noabort+0x68/0x70
[   38.617220]  ? sco_chan_del+0x3b2/0x3d0
[   38.621175]  sco_chan_del+0x3b2/0x3d0
[   38.624954]  __sco_sock_close+0xb0/0x670
[   38.629012]  sco_sock_release+0x6a/0x370
[   38.633054]  __sock_release+0xcd/0x2b0
[   38.636920]  ? __sock_release+0x2b0/0x2b0
[   38.641042]  sock_close+0x15/0x20
[   38.644476]  __fput+0x25f/0x7a0
[   38.647733]  task_work_run+0x11f/0x190
[   38.651621]  get_signal+0x18a3/0x1ca0
[   38.655402]  ? reacquire_held_locks+0xb5/0x3f0
[   38.659963]  ? sco_sock_connect+0x42b/0x860
[   38.664265]  do_signal+0x7c/0x1550
[   38.667811]  ? lock_downgrade+0x740/0x740
[   38.671937]  ? check_preemption_disabled+0x35/0x240
[   38.676931]  ? setup_sigcontext+0x820/0x820
[   38.681231]  ? kick_process+0xe4/0x170
[   38.685096]  ? task_work_add+0x87/0xe0
[   38.688964]  ? sco_sock_create+0xf0/0xf0
[   38.692999]  ? fput+0xaa/0x140
[   38.696172]  ? SyS_connect+0xf6/0x240
[   38.699970]  ? SyS_accept+0x30/0x30
[   38.703591]  ? SyS_futex+0x1da/0x290
[   38.707300]  ? SyS_futex+0x1e3/0x290
[   38.710990]  ? task_work_run+0xfd/0x190
[   38.714967]  ? exit_to_usermode_loop+0x41/0x200
[   38.719613]  exit_to_usermode_loop+0x160/0x200
[   38.724174]  do_syscall_64+0x4a3/0x640
[   38.728044]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[   38.733213] RIP: 0033:0x4470e9
[   38.736378] RSP: 002b:00007f12d8477db8 EFLAGS: 00000246 ORIG_RAX: 000000000000002a
[   38.744073] RAX: fffffffffffffffc RBX: 00000000006dcc28 RCX: 00000000004470e9
[   38.751326] RDX: 0000000000000008 RSI: 0000000020000080 RDI: 0000000000000004
[   38.758620] RBP: 00000000006dcc20 R08: 0000000000000000 R09: 0000000000000000
[   38.766048] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dcc2c
[   38.773304] R13: 00007ffd26a9aa2f R14: 00007f12d84789c0 R15: 00000000006dcc2c
[   38.781850] Kernel Offset: disabled
[   38.785467] Rebooting in 86400 seconds..
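Added triage helper for reports of this shape. It is not part of the syzkaller output above and is not kernel or syzkaller project code: it parses the KASAN block into the facts a triager wants first (bug class, access kind, use/alloc/free sites, the tasks involved, the slab cache and the offset into the object) and cross-checks the report's own arithmetic. SAMPLE_REPORT is a constructed excerpt whose frames, offsets and addresses are copied from the report above (boot noise, the register dump and the panic re-dump are left out). The NOISE frame list and the "freed from a workqueue" heuristic are this example's own assumptions, not anything KASAN defines.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed excerpt of the report above (frames, offsets and addresses copied from it).
SAMPLE_REPORT = """\
[   38.110106] BUG: KASAN: use-after-free in sco_chan_del+0x3b2/0x3d0
[   38.116454] Read of size 1 at addr ffff888096e247f5 by task syz-executor582/6423
[   38.142758] Call Trace:
[   38.148942]  print_address_description.cold+0x54/0x1d3
[   38.158861]  ? sco_chan_del+0x3b2/0x3d0
[   38.162827]  __asan_report_load1_noabort+0x68/0x70
[   38.171742]  sco_chan_del+0x3b2/0x3d0
[   38.175523]  __sco_sock_close+0xb0/0x670
[   38.331212]
[   38.332820] Allocated by task 6421:
[   38.336435]  kasan_kmalloc+0xeb/0x160
[   38.340222]  kmem_cache_alloc_trace+0x131/0x3d0
[   38.344871]  hci_conn_add+0x53/0x12f0
[   38.352686]  sco_sock_connect+0x26c/0x860
[   38.369588]
[   38.371216] Freed by task 1202:
[   38.374482]  kasan_slab_free+0xc3/0x1a0
[   38.378436]  kfree+0xc9/0x250
[   38.381523]  device_release+0xf0/0x1a0
[   38.392522]  hci_conn_del+0x235/0x620
[   38.396300]  hci_phy_link_complete_evt.isra.0+0x4d0/0x6c0
[   38.406115]  hci_rx_work+0x3e6/0x970
[   38.409810]  process_one_work+0x793/0x14a0
[   38.424939]
[   38.426544] The buggy address belongs to the object at ffff888096e247c0
[   38.426544]  which belongs to the cache kmalloc-4096 of size 4096
[   38.439359] The buggy address is located 53 bytes inside of
"""

TS_RE = re.compile(r"^\[\s*\d+\.\d+\]\s?")
BUG_RE = re.compile(r"^BUG: KASAN: (?P<type>[\w-]+) in (?P<loc>\S+)$")
ACCESS_RE = re.compile(r"^(?P<kind>Read|Write) of size (?P<size>\d+) at addr (?P<addr>[0-9a-f]+) by task [^/\s]+/(?P<pid>\d+)$")
FRAME_RE = re.compile(r"^(?P<guess>\? )?(?P<sym>[\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+$")
SECTION_RE = re.compile(r"^(?P<what>Allocated|Freed) by task (?P<task>\d+):$")
OBJ_RE = re.compile(r"^The buggy address belongs to the object at (?P<obj>[0-9a-f]+)$")
CACHE_RE = re.compile(r"^which belongs to the cache (?P<cache>\S+) of size \d+$")
OFF_RE = re.compile(r"^The buggy address is located (?P<off>\d+) bytes inside of$")
# Assumed prefixes of KASAN-reporting / allocator frames, i.e. not the subsystem at fault.
NOISE = ("dump_stack", "print_address_description", "kasan_", "__asan_", "kmem_cache_", "kfree")

@dataclass
class KasanReport:
    bug_type: str = ""
    location: str = ""
    access: str = ""                        # e.g. "Read of size 1"
    addr: int = 0
    pid: int = 0                            # task that performed the bad access
    cache: str = ""
    object_addr: int = 0
    stated_offset: Optional[int] = None     # offset as printed by KASAN
    tasks: Dict[str, int] = field(default_factory=dict)   # "Allocated"/"Freed" -> pid
    stacks: Dict[str, List[str]] = field(default_factory=lambda: {"trace": [], "Allocated": [], "Freed": []})

def parse_kasan_report(text: str) -> KasanReport:
    rep, section = KasanReport(), None
    for raw in text.splitlines():
        line = TS_RE.sub("", raw).strip()
        if not line:                                    # timestamp-only line closes a section
            section = None
        elif m := BUG_RE.match(line):
            rep.bug_type, rep.location = m["type"], m["loc"]
        elif m := ACCESS_RE.match(line):
            rep.access = f"{m['kind']} of size {m['size']}"
            rep.addr, rep.pid = int(m["addr"], 16), int(m["pid"])
        elif line == "Call Trace:" and not rep.stacks["trace"]:   # ignore the panic re-dump
            section = "trace"
        elif m := SECTION_RE.match(line):
            section = m["what"]
            rep.tasks[section] = int(m["task"])
        elif m := OBJ_RE.match(line):
            rep.object_addr = int(m["obj"], 16)
        elif m := CACHE_RE.match(line):
            rep.cache = m["cache"]
        elif m := OFF_RE.match(line):
            rep.stated_offset = int(m["off"])
        elif section and (m := FRAME_RE.match(line)) and not m["guess"]:
            rep.stacks[section].append(m["sym"])        # "? " frames are stale slots: dropped
    return rep

def first_subsystem_frame(stack: List[str]) -> Optional[str]:
    return next((s for s in stack if not s.startswith(NOISE)), None)

def triage(rep: KasanReport) -> Dict[str, object]:
    offset = rep.addr - rep.object_addr                 # recomputed from the two addresses
    return {
        "bug": f"{rep.bug_type} in {rep.location}",
        "use_site": first_subsystem_frame(rep.stacks["trace"]),
        "alloc_site": first_subsystem_frame(rep.stacks["Allocated"]),
        "free_site": first_subsystem_frame(rep.stacks["Freed"]),
        "offset_consistent": offset == rep.stated_offset,
        "freed_by_other_task": rep.tasks.get("Freed") not in (None, rep.pid),
        "freed_from_workqueue": "process_one_work" in rep.stacks["Freed"],
    }
```

Run against the excerpt, the summary says what the raw log buries: a 1-byte read in sco_chan_del on the socket-release path of task 6423, against an object that hci_conn_add allocated for sco_sock_connect and that task 1202 freed through hci_conn_del from the hci_rx_work workqueue. A free on a worker thread racing a socket teardown in another task is the shape of a lifetime race between the two paths; the "freed_by_other_task" and "freed_from_workqueue" flags exist to surface exactly that before anyone reads the full trace.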