[ OK ] Started Getty on tty2.
[ OK ] Started Getty on tty1.
[ OK ] Started Serial Getty on ttyS0.
[ OK ] Reached target Login Prompts.
[ OK ] Reached target Multi-User System.
[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
[ OK ] Started Update UTMP about System Runlevel Changes.
Starting Load/Save RF Kill Switch Status...
[ OK ] Started Load/Save RF Kill Switch Status.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.0.19' (ECDSA) to the list of known hosts.

syzkaller login: [ 40.225121] audit: type=1400 audit(1596738819.247:8): avc: denied { execmem } for pid=6487 comm="syz-executor739" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=1
[ 40.238663] IPVS: ftp: loaded support on port[0] = 21
executing program
[ 41.482988] ==================================================================
[ 41.490493] BUG: KASAN: use-after-free in hci_chan_del+0x13e/0x180
[ 41.496812] Read of size 8 at addr ffff8880944010d8 by task syz-executor739/6488
[ 41.504420]
[ 41.506054] CPU: 0 PID: 6488 Comm: syz-executor739 Not tainted 4.19.137-syzkaller #0
[ 41.513946] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 41.523310] Call Trace:
[ 41.525895]  dump_stack+0x1fc/0x2fe
[ 41.529528]  ? l2cap_conn_del+0x6b0/0x6b0
[ 41.533675]  print_address_description.cold+0x54/0x219
[ 41.538965]  kasan_report_error.cold+0x8a/0x1c7
[ 41.543627]  ? hci_chan_del+0x13e/0x180
[ 41.547591]  __asan_report_load8_noabort+0x88/0x90
[ 41.552525]  ? hci_chan_del+0x13e/0x180
[ 41.556509]  hci_chan_del+0x13e/0x180
[ 41.560317]  l2cap_conn_del+0x44f/0x6b0
[ 41.564315]  ? l2cap_conn_del+0x6b0/0x6b0
[ 41.568462]  l2cap_disconn_cfm+0x85/0xa0
[ 41.572524]  hci_conn_hash_flush+0x114/0x220
[ 41.576944]  hci_dev_do_close+0x624/0xe70
[ 41.581109]  ? hci_dev_open+0x2a0/0x2a0
[ 41.585078]  ? hci_unregister_dev+0x62/0x7f0
[ 41.589511]  hci_unregister_dev+0x17c/0x7f0
[ 41.593834]  ? vhci_close_dev+0x50/0x50
[ 41.597823]  vhci_release+0x70/0xe0
[ 41.601467]  __fput+0x2ce/0x890
[ 41.604772]  task_work_run+0x148/0x1c0
[ 41.608653]  do_exit+0xbb2/0x2b70
[ 41.612660]  ? mm_update_next_owner+0x650/0x650
[ 41.617326]  ? vfs_write+0x393/0x540
[ 41.621046]  ? ksys_write+0x1c8/0x2a0
[ 41.625062]  do_group_exit+0x125/0x310
[ 41.628944]  __x64_sys_exit_group+0x3a/0x50
[ 41.633262]  do_syscall_64+0xf9/0x620
[ 41.637067]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 41.642352] RIP: 0033:0x445028
[ 41.645538] Code: Bad RIP value.
[ 41.648895] RSP: 002b:00007ffec347c7e8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 41.656680] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 0000000000445028
[ 41.663940] RDX: 0000000000000001 RSI: 000000000000003c RDI: 0000000000000001
[ 41.671209] RBP: 00000000004cce10 R08: 00000000000000e7 R09: ffffffffffffffd0
[ 41.678558] R10: 00007f9e204f89d0 R11: 0000000000000246 R12: 0000000000000001
[ 41.685821] R13: 00000000006e0200 R14: 0000000001ad1850 R15: 0000000000000001
[ 41.693087]
[ 41.694817] Allocated by task 1226:
[ 41.698634]  kmem_cache_alloc_trace+0x12f/0x380
[ 41.703327]  hci_chan_create+0x8e/0x310
[ 41.707293]  l2cap_conn_add.part.0+0x18/0xc40
[ 41.711781]  l2cap_connect_cfm+0x236/0xe70
[ 41.716540]  le_conn_complete_evt+0x111b/0x1730
[ 41.721198]  hci_le_meta_evt+0x32c/0x3a50
[ 41.725352]  hci_event_packet+0x1a29/0x858f
[ 41.729673]  hci_rx_work+0x46b/0xa90
[ 41.733387]  process_one_work+0x864/0x1570
[ 41.737609]  worker_thread+0x64c/0x1130
[ 41.741595]  kthread+0x30b/0x410
[ 41.745315]  ret_from_fork+0x24/0x30
[ 41.749025]
[ 41.750633] Freed by task 1226:
[ 41.753901]  kfree+0xcc/0x210
[ 41.757015]  hci_event_packet+0xf52/0x858f
[ 41.761240]  hci_rx_work+0x46b/0xa90
[ 41.764953]  process_one_work+0x864/0x1570
[ 41.769188]  worker_thread+0x64c/0x1130
[ 41.773157]  kthread+0x30b/0x410
[ 41.776525]  ret_from_fork+0x24/0x30
[ 41.780229]
[ 41.781862] The buggy address belongs to the object at ffff8880944010c0
[ 41.781862]  which belongs to the cache kmalloc-128 of size 128
[ 41.794520] The buggy address is located 24 bytes inside of
[ 41.794520]  128-byte region [ffff8880944010c0, ffff888094401140)
[ 41.806394] The buggy address belongs to the page:
[ 41.811327] page:ffffea0002510040 count:1 mapcount:0 mapping:ffff88812c39c640 index:0x0
[ 41.819564] flags: 0xfffe0000000100(slab)
[ 41.823716] raw: 00fffe0000000100 ffffea000257f5c8 ffffea0002473a08 ffff88812c39c640
[ 41.831599] raw: 0000000000000000 ffff888094401000 0000000100000015 0000000000000000
[ 41.839475] page dumped because: kasan: bad access detected
[ 41.845179]
[ 41.846799] Memory state around the buggy address:
[ 41.851728]  ffff888094400f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 41.859095]  ffff888094401000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 41.866448] >ffff888094401080: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 41.873824]                                                     ^
[ 41.880470]  ffff888094401100: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 41.888185]  ffff888094401180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 41.895554] ==================================================================
[ 41.902920] Disabling lock debugging due to kernel taint
[ 41.909144] Kernel panic - not syncing: panic_on_warn set ...
[ 41.909144]
[ 41.916566] CPU: 0 PID: 6488 Comm: syz-executor739 Tainted: G B 4.19.137-syzkaller #0
[ 41.925860] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 41.935241] Call Trace:
[ 41.937859]  dump_stack+0x1fc/0x2fe
[ 41.941496]  ? l2cap_conn_del+0x6b0/0x6b0
[ 41.945647]  panic+0x26a/0x50e
[ 41.948858]  ? __warn_printk+0xf3/0xf3
[ 41.952743]  ? l2cap_conn_del+0x6b0/0x6b0
[ 41.956900]  ? preempt_schedule_common+0x45/0xc0
[ 41.961647]  ? ___preempt_schedule+0x16/0x18
[ 41.966053]  ? trace_hardirqs_on+0x55/0x210
[ 41.970365]  ? l2cap_conn_del+0x6b0/0x6b0
[ 41.974512]  kasan_end_report+0x43/0x49
[ 41.978494]  kasan_report_error.cold+0xa7/0x1c7
[ 41.983177]  ? hci_chan_del+0x13e/0x180
[ 41.987143]  __asan_report_load8_noabort+0x88/0x90
[ 41.992088]  ? hci_chan_del+0x13e/0x180
[ 41.996072]  hci_chan_del+0x13e/0x180
[ 41.999883]  l2cap_conn_del+0x44f/0x6b0
[ 42.003869]  ? l2cap_conn_del+0x6b0/0x6b0
[ 42.008019]  l2cap_disconn_cfm+0x85/0xa0
[ 42.012098]  hci_conn_hash_flush+0x114/0x220
[ 42.016520]  hci_dev_do_close+0x624/0xe70
[ 42.020669]  ? hci_dev_open+0x2a0/0x2a0
[ 42.024757]  ? hci_unregister_dev+0x62/0x7f0
[ 42.029193]  hci_unregister_dev+0x17c/0x7f0
[ 42.033786]  ? vhci_close_dev+0x50/0x50
[ 42.037889]  vhci_release+0x70/0xe0
[ 42.041527]  __fput+0x2ce/0x890
[ 42.044850]  task_work_run+0x148/0x1c0
[ 42.048941]  do_exit+0xbb2/0x2b70
[ 42.052432]  ? mm_update_next_owner+0x650/0x650
[ 42.057102]  ? vfs_write+0x393/0x540
[ 42.060828]  ? ksys_write+0x1c8/0x2a0
[ 42.064641]  do_group_exit+0x125/0x310
[ 42.068531]  __x64_sys_exit_group+0x3a/0x50
[ 42.072858]  do_syscall_64+0xf9/0x620
[ 42.076664]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 42.081842] RIP: 0033:0x445028
[ 42.085037] Code: Bad RIP value.
[ 42.088381] RSP: 002b:00007ffec347c7e8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 42.096087] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 0000000000445028
[ 42.103346] RDX: 0000000000000001 RSI: 000000000000003c RDI: 0000000000000001
[ 42.110613] RBP: 00000000004cce10 R08: 00000000000000e7 R09: ffffffffffffffd0
[ 42.117880] R10: 00007f9e204f89d0 R11: 0000000000000246 R12: 0000000000000001
[ 42.125169] R13: 00000000006e0200 R14: 0000000001ad1850 R15: 0000000000000001
[ 42.133450] Kernel Offset: disabled
[ 42.137105] Rebooting in 86400 seconds..
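A report of this shape is quick to read once, but a fuzzing queue produces many of them. As an added example, not part of the syzkaller report above and not kernel or syzkaller tooling, here is a small Python parser for the KASAN report format, run on an excerpt of the lines above (copied from the report; the register dump, the page dump and most of the "?" frames are left out to keep the sample short). The regexes, the field names and the offset cross-check are my own assumptions about the format, based only on the lines visible in this report.

```python
import re
from dataclasses import dataclass, field

# Excerpt of the KASAN report above (lines copied from it; register dump,
# page dump and most "?" frames omitted) so the parser runs offline.
SAMPLE_REPORT = """\
[   41.490493] BUG: KASAN: use-after-free in hci_chan_del+0x13e/0x180
[   41.496812] Read of size 8 at addr ffff8880944010d8 by task syz-executor739/6488
[   41.504420]
[   41.523310] Call Trace:
[   41.525895]  dump_stack+0x1fc/0x2fe
[   41.529528]  ? l2cap_conn_del+0x6b0/0x6b0
[   41.556509]  hci_chan_del+0x13e/0x180
[   41.560317]  l2cap_conn_del+0x44f/0x6b0
[   41.576944]  hci_dev_do_close+0x624/0xe70
[   41.589511]  hci_unregister_dev+0x17c/0x7f0
[   41.597823]  vhci_release+0x70/0xe0
[   41.693087]
[   41.694817] Allocated by task 1226:
[   41.698634]  kmem_cache_alloc_trace+0x12f/0x380
[   41.703327]  hci_chan_create+0x8e/0x310
[   41.707293]  l2cap_conn_add.part.0+0x18/0xc40
[   41.716540]  le_conn_complete_evt+0x111b/0x1730
[   41.749025]
[   41.750633] Freed by task 1226:
[   41.753901]  kfree+0xcc/0x210
[   41.757015]  hci_event_packet+0xf52/0x858f
[   41.761240]  hci_rx_work+0x46b/0xa90
[   41.780229]
[   41.781862] The buggy address belongs to the object at ffff8880944010c0
[   41.781862]  which belongs to the cache kmalloc-128 of size 128
[   41.794520] The buggy address is located 24 bytes inside of
[   41.794520]  128-byte region [ffff8880944010c0, ffff888094401140)
"""

TS = re.compile(r"^\[\s*\d+\.\d+\]\s?")  # dmesg timestamp prefix (assumed format)
FRAME = re.compile(r"^\s*(\?\s+)?([A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+$")


@dataclass
class KasanReport:
    bug_type: str = ""          # e.g. "use-after-free"
    fault_func: str = ""        # function in the "BUG: KASAN:" line
    access: str = ""            # "Read" or "Write"
    size: int = 0
    addr: int = 0
    task: str = ""
    pid: int = 0
    cache: str = ""             # slab cache, e.g. "kmalloc-128"
    obj_addr: int = 0           # start of the object the address lies in
    offset: int = 0             # offset of the access inside that object
    alloc_task: int = 0
    free_task: int = 0
    fault_stack: list = field(default_factory=list)
    alloc_stack: list = field(default_factory=list)
    free_stack: list = field(default_factory=list)


def parse_kasan(text):
    """Parse one KASAN report; raises ValueError if no 'BUG: KASAN:' line is present."""
    r, stack = KasanReport(), None
    for raw in text.splitlines():
        line = TS.sub("", raw, count=1).rstrip()
        if m := re.match(r"BUG: KASAN: ([\w-]+) in ([\w.]+)\+0x", line):
            r.bug_type, r.fault_func = m.group(1), m.group(2)
        elif m := re.match(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (\S+)/(\d+)", line):
            r.access, r.size, r.addr = m.group(1), int(m.group(2)), int(m.group(3), 16)
            r.task, r.pid = m.group(4), int(m.group(5))
        elif line.startswith("Call Trace:"):
            stack = r.fault_stack
        elif m := re.match(r"Allocated by task (\d+):", line):
            r.alloc_task, stack = int(m.group(1)), r.alloc_stack
        elif m := re.match(r"Freed by task (\d+):", line):
            r.free_task, stack = int(m.group(1)), r.free_stack
        elif m := re.match(r"The buggy address belongs to the object at ([0-9a-f]+)", line):
            r.obj_addr, stack = int(m.group(1), 16), None
        elif m := re.match(r"\s*which belongs to the cache (\S+) of size", line):
            r.cache = m.group(1)
        elif m := re.match(r"The buggy address is located (\d+) bytes inside of", line):
            r.offset = int(m.group(1))
        elif stack is not None:
            if m := FRAME.match(line):
                if not m.group(1):      # "? func" frames are unreliable unwinder guesses; drop them
                    stack.append(m.group(2))
            elif not line:              # a blank line ends a stack section
                stack = None
    if not r.bug_type:
        raise ValueError("no 'BUG: KASAN:' line found")
    return r


def offset_consistent(r):
    """Cross-check: faulting address minus object base must equal the reported offset."""
    return r.addr - r.obj_addr == r.offset


def summary(r):
    """One-line triage string for a parsed report."""
    return (f"{r.bug_type} in {r.fault_func}: {r.access} of {r.size} bytes "
            f"at offset {r.offset} into {r.cache} object")


if __name__ == "__main__":
    rep = parse_kasan(SAMPLE_REPORT)
    print(summary(rep), "| offset check:", offset_consistent(rep))
```

The "?" frames are dropped because the x86 unwinder prints that prefix for addresses it found on the stack but could not verify as real return addresses. The offset cross-check recomputes 0xffff8880944010d8 - 0xffff8880944010c0 = 24 from the parsed addresses and compares it with the "24 bytes inside of" line, which here points at a field 24 bytes into the 128-byte object that hci_chan_create allocated and hci_event_packet freed.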