[  OK  ] Reached target Graphical Interface.
         Starting Update UTMP about System Runlevel Changes...
[  OK  ] Started Update UTMP about System Runlevel Changes.
         Starting Load/Save RF Kill Switch Status...
[  OK  ] Started Load/Save RF Kill Switch Status.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.0.125' (ECDSA) to the list of known hosts.

syzkaller login: [   40.505639] audit: type=1400 audit(1596890721.083:8): avc:  denied  { execmem } for  pid=6463 comm="syz-executor950" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=1
[   40.521003] IPVS: ftp: loaded support on port[0] = 21
executing program
[   41.692160] ==================================================================
[   41.699755] BUG: KASAN: use-after-free in hci_chan_del+0x13e/0x180
[   41.706080] Read of size 8 at addr ffff8880a9609a98 by task syz-executor950/6464
[   41.713626] 
[   41.715258] CPU: 0 PID: 6464 Comm: syz-executor950 Not tainted 4.19.138-syzkaller #0
[   41.723134] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   41.732472] Call Trace:
[   41.735051]  dump_stack+0x1fc/0x2fe
[   41.738682]  ? l2cap_conn_del+0x6b0/0x6b0
[   41.742821]  print_address_description.cold+0x54/0x219
[   41.748082]  kasan_report_error.cold+0x8a/0x1c7
[   41.752753]  ? hci_chan_del+0x13e/0x180
[   41.756717]  __asan_report_load8_noabort+0x88/0x90
[   41.761636]  ? hci_chan_del+0x13e/0x180
[   41.765599]  hci_chan_del+0x13e/0x180
[   41.769406]  l2cap_conn_del+0x44f/0x6b0
[   41.773372]  ? l2cap_conn_del+0x6b0/0x6b0
[   41.777510]  l2cap_disconn_cfm+0x85/0xa0
[   41.781554]  hci_conn_hash_flush+0x114/0x220
[   41.785956]  hci_dev_do_close+0x624/0xe70
[   41.790090]  ? hci_dev_open+0x2a0/0x2a0
[   41.794042]  ? hci_unregister_dev+0x62/0x7f0
[   41.798448]  hci_unregister_dev+0x17c/0x7f0
[   41.802765]  ? vhci_close_dev+0x50/0x50
[   41.806717]  vhci_release+0x70/0xe0
[   41.810342]  __fput+0x2ce/0x890
[   41.813605]  task_work_run+0x148/0x1c0
[   41.817490]  do_exit+0xbb2/0x2b70
[   41.820937]  ? selinux_socket_setsockopt+0x6a/0x80
[   41.825848]  ? mm_update_next_owner+0x650/0x650
[   41.830498]  ? __sys_setsockopt+0x179/0x240
[   41.834808]  ? kernel_accept+0x310/0x310
[   41.838850]  ? lockdep_hardirqs_on+0x3a8/0x5c0
[   41.843421]  ? task_work_run+0x126/0x1c0
[   41.847463]  do_group_exit+0x125/0x310
[   41.851349]  __x64_sys_exit_group+0x3a/0x50
[   41.855713]  do_syscall_64+0xf9/0x620
[   41.859510]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   41.864679] RIP: 0033:0x445138
[   41.867874] Code: Bad RIP value.
[   41.871235] RSP: 002b:00007ffee4fe1778 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[   41.878920] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 0000000000445138
[   41.886169] RDX: 0000000000000001 RSI: 000000000000003c RDI: 0000000000000001
[   41.893430] RBP: 00000000004ccef0 R08: 00000000000000e7 R09: ffffffffffffffd0
[   41.900692] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001
[   41.907942] R13: 00000000006e0220 R14: 0000000000000000 R15: 0000000000000000
[   41.915199] 
[   41.916817] Allocated by task 1229:
[   41.920430]  kmem_cache_alloc_trace+0x12f/0x380
[   41.925084]  hci_chan_create+0x8e/0x310
[   41.929041]  l2cap_conn_add.part.0+0x18/0xc40
[   41.933538]  l2cap_connect_cfm+0x236/0xe70
[   41.937758]  le_conn_complete_evt+0x111b/0x1730
[   41.942416]  hci_le_meta_evt+0x32c/0x3a50
[   41.946542]  hci_event_packet+0x1a29/0x858f
[   41.950867]  hci_rx_work+0x46b/0xa90
[   41.954560]  process_one_work+0x864/0x1570
[   41.958801]  worker_thread+0x64c/0x1130
[   41.962886]  kthread+0x30b/0x410
[   41.966234]  ret_from_fork+0x24/0x30
[   41.969921] 
[   41.971529] Freed by task 1229:
[   41.974794]  kfree+0xcc/0x210
[   41.977917]  hci_event_packet+0xf52/0x858f
[   41.983173]  hci_rx_work+0x46b/0xa90
[   41.986877]  process_one_work+0x864/0x1570
[   41.991090]  worker_thread+0x64c/0x1130
[   41.995051]  kthread+0x30b/0x410
[   41.998412]  ret_from_fork+0x24/0x30
[   42.002099] 
[   42.003719] The buggy address belongs to the object at ffff8880a9609a80
[   42.003719]  which belongs to the cache kmalloc-128 of size 128
[   42.016370] The buggy address is located 24 bytes inside of
[   42.016370]  128-byte region [ffff8880a9609a80, ffff8880a9609b00)
[   42.028152] The buggy address belongs to the page:
[   42.033087] page:ffffea0002a58240 count:1 mapcount:0 mapping:ffff88812c39c640 index:0x0
[   42.041224] flags: 0xfffe0000000100(slab)
[   42.045366] raw: 00fffe0000000100 ffffea0002a57d88 ffffea0002a3f588 ffff88812c39c640
[   42.053690] raw: 0000000000000000 ffff8880a9609000 0000000100000015 0000000000000000
[   42.061566] page dumped because: kasan: bad access detected
[   42.067273] 
[   42.068888] Memory state around the buggy address:
[   42.073806]  ffff8880a9609980: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
[   42.081147]  ffff8880a9609a00: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
[   42.088583] >ffff8880a9609a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   42.095950]                             ^
[   42.100109]  ffff8880a9609b00: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[   42.107458]  ffff8880a9609b80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   42.114802] ==================================================================
[   42.122158] Disabling lock debugging due to kernel taint
[   42.130527] Kernel panic - not syncing: panic_on_warn set ...
[   42.130527] 
[   42.138448] CPU: 0 PID: 6464 Comm: syz-executor950 Tainted: G    B             4.19.138-syzkaller #0
[   42.147719] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   42.157095] Call Trace:
[   42.159697]  dump_stack+0x1fc/0x2fe
[   42.163340]  ? l2cap_conn_del+0x6b0/0x6b0
[   42.167477]  panic+0x26a/0x50e
[   42.170698]  ? __warn_printk+0xf3/0xf3
[   42.174596]  ? l2cap_conn_del+0x6b0/0x6b0
[   42.178744]  ? preempt_schedule_common+0x45/0xc0
[   42.183505]  ? ___preempt_schedule+0x16/0x18
[   42.187928]  ? trace_hardirqs_on+0x55/0x210
[   42.192271]  ? l2cap_conn_del+0x6b0/0x6b0
[   42.196426]  kasan_end_report+0x43/0x49
[   42.200413]  kasan_report_error.cold+0xa7/0x1c7
[   42.205074]  ? hci_chan_del+0x13e/0x180
[   42.209056]  __asan_report_load8_noabort+0x88/0x90
[   42.214003]  ? hci_chan_del+0x13e/0x180
[   42.217973]  hci_chan_del+0x13e/0x180
[   42.221771]  l2cap_conn_del+0x44f/0x6b0
[   42.225765]  ? l2cap_conn_del+0x6b0/0x6b0
[   42.229906]  l2cap_disconn_cfm+0x85/0xa0
[   42.233961]  hci_conn_hash_flush+0x114/0x220
[   42.238371]  hci_dev_do_close+0x624/0xe70
[   42.242515]  ? hci_dev_open+0x2a0/0x2a0
[   42.246479]  ? hci_unregister_dev+0x62/0x7f0
[   42.250900]  hci_unregister_dev+0x17c/0x7f0
[   42.255217]  ? vhci_close_dev+0x50/0x50
[   42.259181]  vhci_release+0x70/0xe0
[   42.262799]  __fput+0x2ce/0x890
[   42.266076]  task_work_run+0x148/0x1c0
[   42.269961]  do_exit+0xbb2/0x2b70
[   42.273410]  ? selinux_socket_setsockopt+0x6a/0x80
[   42.278357]  ? mm_update_next_owner+0x650/0x650
[   42.283020]  ? __sys_setsockopt+0x179/0x240
[   42.287338]  ? kernel_accept+0x310/0x310
[   42.291394]  ? lockdep_hardirqs_on+0x3a8/0x5c0
[   42.295967]  ? task_work_run+0x126/0x1c0
[   42.300023]  do_group_exit+0x125/0x310
[   42.303903]  __x64_sys_exit_group+0x3a/0x50
[   42.308218]  do_syscall_64+0xf9/0x620
[   42.312016]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   42.317194] RIP: 0033:0x445138
[   42.320383] Code: Bad RIP value.
[   42.323733] RSP: 002b:00007ffee4fe1778 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[   42.331430] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 0000000000445138
[   42.338689] RDX: 0000000000000001 RSI: 000000000000003c RDI: 0000000000000001
[   42.345955] RBP: 00000000004ccef0 R08: 00000000000000e7 R09: ffffffffffffffd0
[   42.353214] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001
[   42.360473] R13: 00000000006e0220 R14: 0000000000000000 R15: 0000000000000000
[   42.368743] Kernel Offset: disabled
[   42.372357] Rebooting in 86400 seconds..
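The "Memory state around the buggy address" block is the part of a KASAN report that lets you confirm the headline verdict yourself: each shadow byte describes one 8-byte granule of memory, a dump row lists 16 shadow bytes (128 bytes), and the marker value says what state that granule is in (0x00 addressable, 1 to 7 partially addressable, 0xfb freed kmalloc object, 0xfc kmalloc redzone). The Python below is an added example, not part of the syzbot log or of syzkaller: it parses the "Read of size 8 at addr ..." line and the five shadow rows quoted from the report above, maps the faulting address to its shadow byte, decodes the marker, and recovers the freed object's extent by widening over neighbouring granules that carry the same marker. The marker table is the generic-KASAN one of the 4.19 era (mm/kasan/kasan.h); a report from a tag-based KASAN build does not decode this way.

```python
"""Decode the shadow-memory dump of a generic KASAN report.

Added example, not code from the syzbot log or from syzkaller.
"""
import re

SHADOW_GRANULE = 8                 # one shadow byte describes 8 bytes of memory
ROW_BYTES = 16 * SHADOW_GRANULE    # a dump row lists 16 shadow bytes = 128 bytes

# Shadow-byte markers of generic KASAN in the 4.19 era (mm/kasan/kasan.h).
MARKERS = {
    0x00: "fully addressable",
    0xFB: "kmalloc object freed (use-after-free)",
    0xFC: "kmalloc redzone (heap out-of-bounds)",
    0xFA: "global redzone",
    0xFE: "page redzone",
    0xFF: "freed page",
    0xF1: "stack left redzone",
    0xF2: "stack mid redzone",
    0xF3: "stack right redzone",
    0xF4: "stack partial redzone",
    0xF8: "use-after-scope",
}

TIMESTAMP_RE = re.compile(r"^\s*\[\s*\d+\.\d+\]\s?")
ACCESS_RE = re.compile(r"(Read|Write) of size (\d+) at addr ([0-9a-f]{16}) by task")
ROW_RE = re.compile(r"([0-9a-f]{16}): ((?:[0-9a-f]{2}\s*){16})$")

# Excerpt quoted from the KASAN report above (access line plus shadow rows).
REPORT = """\
[   41.706080] Read of size 8 at addr ffff8880a9609a98 by task syz-executor950/6464
[   42.068888] Memory state around the buggy address:
[   42.073806]  ffff8880a9609980: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
[   42.081147]  ffff8880a9609a00: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
[   42.088583] >ffff8880a9609a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   42.095950]                             ^
[   42.100109]  ffff8880a9609b00: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[   42.107458]  ffff8880a9609b80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
"""


def describe(shadow):
    """Human-readable meaning of one shadow byte."""
    if 1 <= shadow <= 7:
        return f"partially addressable (first {shadow} of 8 bytes valid)"
    return MARKERS.get(shadow, f"unknown marker 0x{shadow:02x}")


def parse_rows(text):
    """Map each dump row's base address to its 16 shadow bytes."""
    rows = {}
    for line in text.splitlines():
        m = ROW_RE.search(TIMESTAMP_RE.sub("", line))
        if m:
            rows[int(m.group(1), 16)] = [int(b, 16) for b in m.group(2).split()]
    return rows


def shadow_at(rows, addr):
    """Shadow byte covering addr, or None if the dump does not include it."""
    row = rows.get(addr & ~(ROW_BYTES - 1))
    if row is None:
        return None
    return row[(addr & (ROW_BYTES - 1)) // SHADOW_GRANULE]


def region_extent(rows, addr):
    """Widen from addr over contiguous granules with the same marker.

    For a freed kmalloc object this recovers the object's [start, end),
    which is what KASAN prints as "N bytes inside of M-byte region".
    """
    marker = shadow_at(rows, addr)
    if marker is None:
        return None
    start = addr & ~(SHADOW_GRANULE - 1)
    while shadow_at(rows, start - SHADOW_GRANULE) == marker:
        start -= SHADOW_GRANULE
    end = (addr & ~(SHADOW_GRANULE - 1)) + SHADOW_GRANULE
    while shadow_at(rows, end) == marker:
        end += SHADOW_GRANULE
    return start, end


def decode_report(text):
    """Classify the faulting access of a KASAN report from its shadow dump."""
    m = ACCESS_RE.search(text)
    if not m:
        raise ValueError("no 'Read/Write of size N at addr ...' line found")
    kind, size, addr = m.group(1), int(m.group(2)), int(m.group(3), 16)
    rows = parse_rows(text)
    shadow = shadow_at(rows, addr)
    if shadow is None:
        raise ValueError("faulting address is not covered by the shadow dump")
    start, end = region_extent(rows, addr)
    return {
        "kind": kind, "size": size, "addr": addr,
        "shadow": shadow, "meaning": describe(shadow),
        "region": (start, end), "offset": addr - start,
    }


if __name__ == "__main__":
    r = decode_report(REPORT)
    print(f"{r['kind']} of size {r['size']} at 0x{r['addr']:x}: "
          f"shadow 0x{r['shadow']:02x} -> {r['meaning']}")
    print(f"object region [0x{r['region'][0]:x}, 0x{r['region'][1]:x}), "
          f"access at offset {r['offset']}")
```

Run against the excerpt, the decoder lands on shadow byte 0xfb and recovers the region [ffff8880a9609a80, ffff8880a9609b00) with the access 24 bytes in, matching KASAN's own "24 bytes inside of 128-byte region" line. The same walk over a 0xfc granule flags a heap out-of-bounds instead of a use-after-free, which is the distinction to make before trusting any report's one-line summary. Note also that the two call traces above are one failure printed twice: first by KASAN, then again by the panic that panic_on_warn forces once KASAN has marked the kernel tainted.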