[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
Starting Load/Save RF Kill Switch Status...
[ OK ] Started Update UTMP about System Runlevel Changes.
[ OK ] Started Load/Save RF Kill Switch Status.
Debian GNU/Linux 9 syzkaller ttyS0
Warning: Permanently added '10.128.0.189' (ECDSA) to the list of known hosts.
syzkaller login: [ 39.947164] audit: type=1400 audit(1596678947.002:8): avc: denied { execmem } for pid=6446 comm="syz-executor927" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=1
[ 39.960438] IPVS: ftp: loaded support on port[0] = 21
executing program
[ 41.149738] ==================================================================
[ 41.157317] BUG: KASAN: use-after-free in hci_chan_del+0x13e/0x180
[ 41.163626] Read of size 8 at addr ffff8880a1275918 by task syz-executor927/6447
[ 41.171135]
[ 41.172748] CPU: 1 PID: 6447 Comm: syz-executor927 Not tainted 4.19.137-syzkaller #0
[ 41.180609] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 41.190029] Call Trace:
[ 41.192633]  dump_stack+0x1fc/0x2fe
[ 41.196242]  ? l2cap_conn_del+0x6b0/0x6b0
[ 41.200370]  print_address_description.cold+0x54/0x219
[ 41.205776]  kasan_report_error.cold+0x8a/0x1c7
[ 41.210438]  ? hci_chan_del+0x13e/0x180
[ 41.214395]  __asan_report_load8_noabort+0x88/0x90
[ 41.219397]  ? hci_chan_del+0x13e/0x180
[ 41.223355]  hci_chan_del+0x13e/0x180
[ 41.227144]  l2cap_conn_del+0x44f/0x6b0
[ 41.231112]  ? l2cap_conn_del+0x6b0/0x6b0
[ 41.235237]  l2cap_disconn_cfm+0x85/0xa0
[ 41.239280]  hci_conn_hash_flush+0x114/0x220
[ 41.243673]  hci_dev_do_close+0x624/0xe70
[ 41.247803]  ? hci_dev_open+0x2a0/0x2a0
[ 41.251847]  ? hci_unregister_dev+0x62/0x7f0
[ 41.256242]  hci_unregister_dev+0x17c/0x7f0
[ 41.260548]  ? vhci_close_dev+0x50/0x50
[ 41.264519]  vhci_release+0x70/0xe0
[ 41.268128]  __fput+0x2ce/0x890
[ 41.271392]  task_work_run+0x148/0x1c0
[ 41.275263]  do_exit+0xbb2/0x2b70
[ 41.278699]  ? __schedule+0x88f/0x2040
[ 41.282573]  ? mm_update_next_owner+0x650/0x650
[ 41.287227]  ? io_schedule_timeout+0x140/0x140
[ 41.291792]  ? ksys_write+0x1c8/0x2a0
[ 41.295837]  do_group_exit+0x125/0x310
[ 41.299708]  __x64_sys_exit_group+0x3a/0x50
[ 41.304356]  do_syscall_64+0xf9/0x620
[ 41.308139]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 41.313310] RIP: 0033:0x4450e8
[ 41.316493] Code: Bad RIP value.
[ 41.319842] RSP: 002b:00007ffcfdb62768 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 41.327528] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00000000004450e8
[ 41.334776] RDX: 0000000000000001 RSI: 000000000000003c RDI: 0000000000000001
[ 41.342026] RBP: 00000000004cced0 R08: 00000000000000e7 R09: ffffffffffffffd0
[ 41.349275] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001
[ 41.356531] R13: 00000000006e0200 R14: 0000000001030850 R15: 0000000000000001
[ 41.363786]
[ 41.365392] Allocated by task 6474:
[ 41.369000]  kmem_cache_alloc_trace+0x12f/0x380
[ 41.373646]  hci_chan_create+0x8e/0x310
[ 41.377611]  l2cap_conn_add.part.0+0x18/0xc40
[ 41.382083]  l2cap_connect_cfm+0x236/0xe70
[ 41.386295]  le_conn_complete_evt+0x111b/0x1730
[ 41.390961]  hci_le_meta_evt+0x32c/0x3a50
[ 41.395087]  hci_event_packet+0x1a29/0x858f
[ 41.399390]  hci_rx_work+0x46b/0xa90
[ 41.403081]  process_one_work+0x864/0x1570
[ 41.407293]  worker_thread+0x64c/0x1130
[ 41.411303]  kthread+0x30b/0x410
[ 41.414647]  ret_from_fork+0x24/0x30
[ 41.418338]
[ 41.419972] Freed by task 1226:
[ 41.423240]  kfree+0xcc/0x210
[ 41.426326]  hci_event_packet+0xf52/0x858f
[ 41.430539]  hci_rx_work+0x46b/0xa90
[ 41.434229]  process_one_work+0x864/0x1570
[ 41.438444]  worker_thread+0x64c/0x1130
[ 41.442397]  kthread+0x30b/0x410
[ 41.445747]  ret_from_fork+0x24/0x30
[ 41.449435]
[ 41.451044] The buggy address belongs to the object at ffff8880a1275900
[ 41.451044]  which belongs to the cache kmalloc-128 of size 128
[ 41.463682] The buggy address is located 24 bytes inside of
[ 41.463682]  128-byte region [ffff8880a1275900, ffff8880a1275980)
[ 41.475445] The buggy address belongs to the page:
[ 41.480356] page:ffffea0002849d40 count:1 mapcount:0 mapping:ffff88812c39c640 index:0x0
[ 41.488480] flags: 0xfffe0000000100(slab)
[ 41.492610] raw: 00fffe0000000100 ffffea00026efc48 ffffea0002793888 ffff88812c39c640
[ 41.500471] raw: 0000000000000000 ffff8880a1275000 0000000100000015 0000000000000000
[ 41.508327] page dumped because: kasan: bad access detected
[ 41.514015]
[ 41.515623] Memory state around the buggy address:
[ 41.520556]  ffff8880a1275800: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
[ 41.527979]  ffff8880a1275880: 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc
[ 41.535334] >ffff8880a1275900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 41.542685]                             ^
[ 41.546814]  ffff8880a1275980: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 41.554154]  ffff8880a1275a00: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 41.561491] ==================================================================
[ 41.568826] Disabling lock debugging due to kernel taint
[ 41.574335] Kernel panic - not syncing: panic_on_warn set ...
[ 41.574335]
[ 41.581709] CPU: 1 PID: 6447 Comm: syz-executor927 Tainted: G    B     4.19.137-syzkaller #0
[ 41.590985] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 41.600337] Call Trace:
[ 41.602932]  dump_stack+0x1fc/0x2fe
[ 41.606571]  ? l2cap_conn_del+0x6b0/0x6b0
[ 41.610717]  panic+0x26a/0x50e
[ 41.613890]  ? __warn_printk+0xf3/0xf3
[ 41.617759]  ? l2cap_conn_del+0x6b0/0x6b0
[ 41.621887]  ? preempt_schedule_common+0x45/0xc0
[ 41.626621]  ? ___preempt_schedule+0x16/0x18
[ 41.631008]  ? trace_hardirqs_on+0x55/0x210
[ 41.635311]  ? l2cap_conn_del+0x6b0/0x6b0
[ 41.639437]  kasan_end_report+0x43/0x49
[ 41.643388]  kasan_report_error.cold+0xa7/0x1c7
[ 41.648052]  ? hci_chan_del+0x13e/0x180
[ 41.652005]  __asan_report_load8_noabort+0x88/0x90
[ 41.656915]  ? hci_chan_del+0x13e/0x180
[ 41.660868]  hci_chan_del+0x13e/0x180
[ 41.664654]  l2cap_conn_del+0x44f/0x6b0
[ 41.668614]  ? l2cap_conn_del+0x6b0/0x6b0
[ 41.672741]  l2cap_disconn_cfm+0x85/0xa0
[ 41.676784]  hci_conn_hash_flush+0x114/0x220
[ 41.681173]  hci_dev_do_close+0x624/0xe70
[ 41.685310]  ? hci_dev_open+0x2a0/0x2a0
[ 41.689263]  ? hci_unregister_dev+0x62/0x7f0
[ 41.693683]  hci_unregister_dev+0x17c/0x7f0
[ 41.697987]  ? vhci_close_dev+0x50/0x50
[ 41.701939]  vhci_release+0x70/0xe0
[ 41.705547]  __fput+0x2ce/0x890
[ 41.708818]  task_work_run+0x148/0x1c0
[ 41.712720]  do_exit+0xbb2/0x2b70
[ 41.716167]  ? __schedule+0x88f/0x2040
[ 41.720039]  ? mm_update_next_owner+0x650/0x650
[ 41.724691]  ? io_schedule_timeout+0x140/0x140
[ 41.729258]  ? ksys_write+0x1c8/0x2a0
[ 41.733093]  do_group_exit+0x125/0x310
[ 41.736963]  __x64_sys_exit_group+0x3a/0x50
[ 41.741264]  do_syscall_64+0xf9/0x620
[ 41.745045]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 41.750219] RIP: 0033:0x4450e8
[ 41.753504] Code: Bad RIP value.
[ 41.756842] RSP: 002b:00007ffcfdb62768 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 41.764526] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00000000004450e8
[ 41.771773] RDX: 0000000000000001 RSI: 000000000000003c RDI: 0000000000000001
[ 41.779023] RBP: 00000000004cced0 R08: 00000000000000e7 R09: ffffffffffffffd0
[ 41.786270] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001
[ 41.793518] R13: 00000000006e0200 R14: 0000000001030850 R15: 0000000000000001
[ 41.801983] Kernel Offset: disabled
[ 41.805603] Rebooting in 86400 seconds..