[ OK ] Listening on Load/Save RF Kill Switch Status /dev/rfkill Watch.
[ OK ] Started Getty on tty6.
[ OK ] Started Getty on tty5.
[ OK ] Started Getty on tty4.
[ OK ] Started Getty on tty3.
[ OK ] Started Getty on tty2.
[ OK ] Started Serial Getty on ttyS0.
[ OK ] Started Getty on tty1.
[ OK ] Reached target Login Prompts.
[ OK ] Reached target Multi-User System.
[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
Starting Load/Save RF Kill Switch Status...
[ OK ] Started Update UTMP about System Runlevel Changes.
[ OK ] Started Load/Save RF Kill Switch Status.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.0.94' (ECDSA) to the list of known hosts.

syzkaller login: [ 65.787712][ T28] audit: type=1400 audit(1596770291.629:8): avc: denied { execmem } for pid=6831 comm="syz-executor881" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=1
[ 65.804384][ T6832] IPVS: ftp: loaded support on port[0] = 21
executing program
[ 68.942866][ T3918] Bluetooth: hci0: command 0x0409 tx timeout
[ 71.022487][ T2717] Bluetooth: hci0: command 0x041b tx timeout
executing program
[ 73.101996][ T2717] Bluetooth: hci0: command 0x040f tx timeout
[ 75.181805][ T2717] Bluetooth: hci0: command 0x0419 tx timeout
[ 76.896251][ T6864] ==================================================================
[ 76.904689][ T6864] BUG: KASAN: use-after-free in sco_chan_del+0xe6/0x430
[ 76.911598][ T6864] Write of size 4 at addr ffff88808efbe010 by task syz-executor881/6864
[ 76.919890][ T6864]
[ 76.922211][ T6864] CPU: 0 PID: 6864 Comm: syz-executor881 Not tainted 5.8.0-syzkaller #0
[ 76.930511][ T6864] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 76.940660][ T6864] Call Trace:
[ 76.943944][ T6864] dump_stack+0x18f/0x20d
[ 76.948257][ T6864] ? sco_chan_del+0xe6/0x430
[ 76.952824][ T6864] ? sco_chan_del+0xe6/0x430
[ 76.957460][ T6864] ? __sock_release+0x280/0x280
[ 76.962306][ T6864] print_address_description.constprop.0.cold+0xae/0x436
[ 76.969321][ T6864] ? sco_chan_del+0xab/0x430
[ 76.973890][ T6864] ? vprintk_func+0x97/0x1a6
[ 76.978457][ T6864] ? sco_chan_del+0xe6/0x430
[ 76.983044][ T6864] kasan_report.cold+0x1f/0x37
[ 76.987822][ T6864] ? sco_chan_del+0xe6/0x430
[ 76.992410][ T6864] check_memory_region+0x13d/0x180
[ 76.997499][ T6864] sco_chan_del+0xe6/0x430
[ 77.001918][ T6864] __sco_sock_close+0x16e/0x5b0
[ 77.006776][ T6864] sco_sock_release+0x69/0x290
[ 77.011542][ T6864] __sock_release+0xcd/0x280
[ 77.016161][ T6864] sock_close+0x18/0x20
[ 77.020288][ T6864] __fput+0x33c/0x880
[ 77.024247][ T6864] task_work_run+0xdd/0x190
[ 77.028748][ T6864] do_exit+0xb7d/0x29f0
[ 77.032881][ T6864] ? lock_acquire+0x1f1/0xad0
[ 77.037531][ T6864] ? find_held_lock+0x2d/0x110
[ 77.042269][ T6864] ? mm_update_next_owner+0x7a0/0x7a0
[ 77.047638][ T6864] ? get_signal+0x332/0x1ee0
[ 77.052214][ T6864] ? lock_downgrade+0x830/0x830
[ 77.057044][ T6864] ? lock_is_held_type+0xbb/0xf0
[ 77.061960][ T6864] do_group_exit+0x125/0x310
[ 77.066526][ T6864] get_signal+0x40b/0x1ee0
[ 77.070915][ T6864] ? lockdep_hardirqs_on_prepare+0x354/0x530
[ 77.076878][ T6864] ? sco_sock_connect+0x4e4/0x980
[ 77.081907][ T6864] ? lockdep_hardirqs_on+0x76/0xf0
[ 77.087004][ T6864] ? sco_sock_connect+0x4e4/0x980
[ 77.092006][ T6864] arch_do_signal+0x82/0x2520
[ 77.096672][ T6864] ? sco_sock_release+0x290/0x290
[ 77.101672][ T6864] ? __sys_connect_file+0x4e/0x1a0
[ 77.106804][ T6864] ? copy_siginfo_to_user32+0xa0/0xa0
[ 77.112174][ T6864] ? __sys_connect+0x109/0x190
[ 77.116927][ T6864] ? __sys_connect_file+0x1a0/0x1a0
[ 77.122103][ T6864] ? exit_to_user_mode_prepare+0xce/0x1d0
[ 77.127814][ T6864] ? lockdep_hardirqs_on_prepare+0x354/0x530
[ 77.133781][ T6864] exit_to_user_mode_prepare+0x172/0x1d0
[ 77.139401][ T6864] syscall_exit_to_user_mode+0x59/0x2b0
[ 77.144930][ T6864] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 77.150819][ T6864] RIP: 0033:0x446dc9
[ 77.154711][ T6864] Code: Bad RIP value.
[ 77.158763][ T6864] RSP: 002b:00007ffc8251d0f8 EFLAGS: 00000246 ORIG_RAX: 000000000000002a
[ 77.167157][ T6864] RAX: fffffffffffffffc RBX: 0000000000000003 RCX: 0000000000446dc9
[ 77.175119][ T6864] RDX: 0000000000000008 RSI: 0000000020000080 RDI: 0000000000000004
[ 77.183063][ T6864] RBP: 00007ffc8251d130 R08: 0000000000000002 R09: 00000000000000ff
[ 77.191021][ T6864] R10: 0000000000000004 R11: 0000000000000246 R12: 0000000000010556
[ 77.198993][ T6864] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 77.206959][ T6864]
[ 77.209261][ T6864] Allocated by task 6861:
[ 77.213566][ T6864] save_stack+0x1b/0x40
[ 77.217694][ T6864] __kasan_kmalloc.constprop.0+0xc2/0xd0
[ 77.223313][ T6864] kmem_cache_alloc_trace+0x14f/0x2d0
[ 77.228695][ T6864] hci_conn_add+0x53/0x1330
[ 77.233172][ T6864] hci_connect_sco+0x356/0x860
[ 77.237907][ T6864] sco_sock_connect+0x308/0x980
[ 77.242752][ T6864] __sys_connect_file+0x155/0x1a0
[ 77.247836][ T6864] __sys_connect+0x160/0x190
[ 77.252406][ T6864] __x64_sys_connect+0x6f/0xb0
[ 77.257143][ T6864] do_syscall_64+0x2d/0x70
[ 77.261536][ T6864] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 77.267406][ T6864]
[ 77.269722][ T6864] Freed by task 6858:
[ 77.273685][ T6864] save_stack+0x1b/0x40
[ 77.277815][ T6864] __kasan_slab_free+0xf5/0x140
[ 77.282649][ T6864] kfree+0x103/0x2c0
[ 77.286516][ T6864] device_release+0x71/0x200
[ 77.291083][ T6864] kobject_put+0x171/0x270
[ 77.295476][ T6864] put_device+0x1b/0x30
[ 77.299603][ T6864] hci_conn_del+0x27e/0x6a0
[ 77.304094][ T6864] hci_phy_link_complete_evt.isra.0+0x508/0x790
[ 77.310332][ T6864] hci_event_packet+0x4696/0x87a8
[ 77.315331][ T6864] hci_rx_work+0x22e/0xb50
[ 77.319721][ T6864] process_one_work+0x94c/0x1670
[ 77.324686][ T6864] worker_thread+0x64c/0x1120
[ 77.329333][ T6864] kthread+0x3b5/0x4a0
[ 77.333377][ T6864] ret_from_fork+0x1f/0x30
[ 77.337760][ T6864]
[ 77.340074][ T6864] The buggy address belongs to the object at ffff88808efbe000
[ 77.340074][ T6864] which belongs to the cache kmalloc-4k of size 4096
[ 77.354109][ T6864] The buggy address is located 16 bytes inside of
[ 77.354109][ T6864] 4096-byte region [ffff88808efbe000, ffff88808efbf000)
[ 77.367347][ T6864] The buggy address belongs to the page:
[ 77.372958][ T6864] page:ffffea00023bef80 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 head:ffffea00023bef80 order:1 compound_mapcount:0
[ 77.386375][ T6864] flags: 0xfffe0000010200(slab|head)
[ 77.391635][ T6864] raw: 00fffe0000010200 ffffea000291c588 ffffea00027c0008 ffff8880aa002000
[ 77.400190][ T6864] raw: 0000000000000000 ffff88808efbe000 0000000100000001 0000000000000000
[ 77.408745][ T6864] page dumped because: kasan: bad access detected
[ 77.415137][ T6864]
[ 77.417434][ T6864] Memory state around the buggy address:
[ 77.423036][ T6864] ffff88808efbdf00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 77.431071][ T6864] ffff88808efbdf80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[ 77.439122][ T6864] >ffff88808efbe000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 77.447150][ T6864] ^
[ 77.451725][ T6864] ffff88808efbe080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 77.459802][ T6864] ffff88808efbe100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 77.467844][ T6864] ==================================================================
[ 77.475872][ T6864] Disabling lock debugging due to kernel taint
[ 77.491588][ T2717] Bluetooth: hci0: command 0x0405 tx timeout
[ 77.497872][ T6864] Kernel panic - not syncing: panic_on_warn set ...
[ 77.504463][ T6864] CPU: 0 PID: 6864 Comm: syz-executor881 Tainted: G B 5.8.0-syzkaller #0
[ 77.514177][ T6864] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 77.524228][ T6864] Call Trace:
[ 77.527487][ T6864] dump_stack+0x18f/0x20d
[ 77.531793][ T6864] ? sco_sock_sendmsg+0x5d0/0x5d0
[ 77.536799][ T6864] ? __sock_release+0x280/0x280
[ 77.541623][ T6864] panic+0x2e3/0x75c
[ 77.545489][ T6864] ? __warn_printk+0xf3/0xf3
[ 77.550051][ T6864] ? preempt_schedule_common+0x59/0xc0
[ 77.555494][ T6864] ? sco_chan_del+0xe6/0x430
[ 77.560088][ T6864] ? preempt_schedule_thunk+0x16/0x18
[ 77.565431][ T6864] ? trace_hardirqs_on+0x55/0x220
[ 77.570440][ T6864] ? sco_chan_del+0xe6/0x430
[ 77.575017][ T6864] ? sco_chan_del+0xe6/0x430
[ 77.579591][ T6864] ? __sock_release+0x280/0x280
[ 77.584424][ T6864] end_report+0x4d/0x53
[ 77.588555][ T6864] kasan_report.cold+0xd/0x37
[ 77.593234][ T6864] ? sco_chan_del+0xe6/0x430
[ 77.597807][ T6864] check_memory_region+0x13d/0x180
[ 77.602893][ T6864] sco_chan_del+0xe6/0x430
[ 77.607280][ T6864] __sco_sock_close+0x16e/0x5b0
[ 77.612103][ T6864] sco_sock_release+0x69/0x290
[ 77.616853][ T6864] __sock_release+0xcd/0x280
[ 77.621420][ T6864] sock_close+0x18/0x20
[ 77.625567][ T6864] __fput+0x33c/0x880
[ 77.629566][ T6864] task_work_run+0xdd/0x190
[ 77.634076][ T6864] do_exit+0xb7d/0x29f0
[ 77.638202][ T6864] ? lock_acquire+0x1f1/0xad0
[ 77.642889][ T6864] ? find_held_lock+0x2d/0x110
[ 77.647633][ T6864] ? mm_update_next_owner+0x7a0/0x7a0
[ 77.652976][ T6864] ? get_signal+0x332/0x1ee0
[ 77.657553][ T6864] ? lock_downgrade+0x830/0x830
[ 77.662392][ T6864] ? lock_is_held_type+0xbb/0xf0
[ 77.667306][ T6864] do_group_exit+0x125/0x310
[ 77.671886][ T6864] get_signal+0x40b/0x1ee0
[ 77.676277][ T6864] ? lockdep_hardirqs_on_prepare+0x354/0x530
[ 77.682229][ T6864] ? sco_sock_connect+0x4e4/0x980
[ 77.687224][ T6864] ? lockdep_hardirqs_on+0x76/0xf0
[ 77.692307][ T6864] ? sco_sock_connect+0x4e4/0x980
[ 77.697321][ T6864] arch_do_signal+0x82/0x2520
[ 77.701970][ T6864] ? sco_sock_release+0x290/0x290
[ 77.706964][ T6864] ? __sys_connect_file+0x4e/0x1a0
[ 77.712052][ T6864] ? copy_siginfo_to_user32+0xa0/0xa0
[ 77.717394][ T6864] ? __sys_connect+0x109/0x190
[ 77.722149][ T6864] ? __sys_connect_file+0x1a0/0x1a0
[ 77.727376][ T6864] ? exit_to_user_mode_prepare+0xce/0x1d0
[ 77.733069][ T6864] ? lockdep_hardirqs_on_prepare+0x354/0x530
[ 77.739045][ T6864] exit_to_user_mode_prepare+0x172/0x1d0
[ 77.744652][ T6864] syscall_exit_to_user_mode+0x59/0x2b0
[ 77.750210][ T6864] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 77.756071][ T6864] RIP: 0033:0x446dc9
[ 77.759929][ T6864] Code: Bad RIP value.
[ 77.763977][ T6864] RSP: 002b:00007ffc8251d0f8 EFLAGS: 00000246 ORIG_RAX: 000000000000002a
[ 77.772359][ T6864] RAX: fffffffffffffffc RBX: 0000000000000003 RCX: 0000000000446dc9
[ 77.780318][ T6864] RDX: 0000000000000008 RSI: 0000000020000080 RDI: 0000000000000004
[ 77.788261][ T6864] RBP: 00007ffc8251d130 R08: 0000000000000002 R09: 00000000000000ff
[ 77.796220][ T6864] R10: 0000000000000004 R11: 0000000000000246 R12: 0000000000010556
[ 77.804161][ T6864] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 77.813158][ T6864] Kernel Offset: disabled
[ 77.817470][ T6864] Rebooting in 86400 seconds..