
Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.0.53' (ECDSA) to the list of known hosts.
syzkaller login: [   38.586371] audit: type=1400 audit(1596825988.801:8): avc:  denied  { execmem } for  pid=6478 comm="syz-executor510" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=1
[   38.599401] IPVS: ftp: loaded support on port[0] = 21
executing program
[   39.755249] ==================================================================
[   39.763562] BUG: KASAN: use-after-free in hci_chan_del+0x13e/0x180
[   39.769896] Read of size 8 at addr ffff88809af25a98 by task syz-executor510/6479
[   39.777422] 
[   39.779056] CPU: 0 PID: 6479 Comm: syz-executor510 Not tainted 4.19.138-syzkaller #0
[   39.786927] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   39.796261] Call Trace:
[   39.798883]  dump_stack+0x1fc/0x2fe
[   39.802550]  ? l2cap_conn_del+0x6b0/0x6b0
[   39.806683]  print_address_description.cold+0x54/0x219
[   39.811944]  kasan_report_error.cold+0x8a/0x1c7
[   39.816609]  ? hci_chan_del+0x13e/0x180
[   39.820565]  __asan_report_load8_noabort+0x88/0x90
[   39.825483]  ? hci_chan_del+0x13e/0x180
[   39.829464]  hci_chan_del+0x13e/0x180
[   39.833270]  l2cap_conn_del+0x44f/0x6b0
[   39.837226]  ? l2cap_conn_del+0x6b0/0x6b0
[   39.841380]  l2cap_disconn_cfm+0x85/0xa0
[   39.845421]  hci_conn_hash_flush+0x114/0x220
[   39.849813]  hci_dev_do_close+0x624/0xe70
[   39.853945]  ? hci_dev_open+0x2a0/0x2a0
[   39.857918]  ? hci_unregister_dev+0x62/0x7f0
[   39.862317]  hci_unregister_dev+0x17c/0x7f0
[   39.866627]  ? vhci_close_dev+0x50/0x50
[   39.870597]  vhci_release+0x70/0xe0
[   39.874318]  __fput+0x2ce/0x890
[   39.877598]  task_work_run+0x148/0x1c0
[   39.881470]  do_exit+0xbb2/0x2b70
[   39.884908]  ? mm_update_next_owner+0x650/0x650
[   39.889555]  ? vfs_write+0x393/0x540
[   39.893248]  ? ksys_write+0x1c8/0x2a0
[   39.897031]  do_group_exit+0x125/0x310
[   39.900901]  __x64_sys_exit_group+0x3a/0x50
[   39.905202]  do_syscall_64+0xf9/0x620
[   39.908987]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   39.914157] RIP: 0033:0x445228
[   39.917351] Code: Bad RIP value.
[   39.920694] RSP: 002b:00007ffe24ee7488 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[   39.928380] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 0000000000445228
[   39.935643] RDX: 0000000000000001 RSI: 000000000000003c RDI: 0000000000000001
[   39.943154] RBP: 00000000004cd010 R08: 00000000000000e7 R09: ffffffffffffffd0
[   39.950404] R10: 00000000000000ff R11: 0000000000000246 R12: 0000000000000001
[   39.957677] R13: 00000000006e0240 R14: 0000000000000000 R15: 0000000000000000
[   39.964931] 
[   39.966536] Allocated by task 6504:
[   39.970147]  kmem_cache_alloc_trace+0x12f/0x380
[   39.974796]  hci_chan_create+0x8e/0x310
[   39.978764]  l2cap_conn_add.part.0+0x18/0xc40
[   39.983237]  l2cap_connect_cfm+0x236/0xe70
[   39.987451]  le_conn_complete_evt+0x111b/0x1730
[   39.992101]  hci_le_meta_evt+0x32c/0x3a50
[   39.996227]  hci_event_packet+0x1a29/0x858f
[   40.000544]  hci_rx_work+0x46b/0xa90
[   40.004236]  process_one_work+0x864/0x1570
[   40.008449]  worker_thread+0x64c/0x1130
[   40.012416]  kthread+0x30b/0x410
[   40.015763]  ret_from_fork+0x24/0x30
[   40.019450] 
[   40.021052] Freed by task 1226:
[   40.024314]  kfree+0xcc/0x210
[   40.027399]  hci_event_packet+0xf52/0x858f
[   40.031614]  hci_rx_work+0x46b/0xa90
[   40.035305]  process_one_work+0x864/0x1570
[   40.039518]  worker_thread+0x64c/0x1130
[   40.043488]  kthread+0x30b/0x410
[   40.046835]  ret_from_fork+0x24/0x30
[   40.050520] 
[   40.052123] The buggy address belongs to the object at ffff88809af25a80
[   40.052123]  which belongs to the cache kmalloc-128 of size 128
[   40.064763] The buggy address is located 24 bytes inside of
[   40.064763]  128-byte region [ffff88809af25a80, ffff88809af25b00)
[   40.076543] The buggy address belongs to the page:
[   40.081454] page:ffffea00026bc940 count:1 mapcount:0 mapping:ffff88812c39c640 index:0x0
[   40.089574] flags: 0xfffe0000000100(slab)
[   40.093705] raw: 00fffe0000000100 ffffea00026b3e48 ffffea000269e648 ffff88812c39c640
[   40.101566] raw: 0000000000000000 ffff88809af25000 0000000100000015 0000000000000000
[   40.109421] page dumped because: kasan: bad access detected
[   40.115104] 
[   40.116823] Memory state around the buggy address:
[   40.121731]  ffff88809af25980: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[   40.129075]  ffff88809af25a00: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   40.136413] >ffff88809af25a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   40.143773]                             ^
[   40.147899]  ffff88809af25b00: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
[   40.155235]  ffff88809af25b80: 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc
[   40.162584] ==================================================================
[   40.170190] Disabling lock debugging due to kernel taint
[   40.176436] Kernel panic - not syncing: panic_on_warn set ...
[   40.176436] 
[   40.183812] CPU: 0 PID: 6479 Comm: syz-executor510 Tainted: G    B             4.19.138-syzkaller #0
[   40.193084] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   40.202427] Call Trace:
[   40.205002]  dump_stack+0x1fc/0x2fe
[   40.208611]  ? l2cap_conn_del+0x6b0/0x6b0
[   40.212738]  panic+0x26a/0x50e
[   40.215927]  ? __warn_printk+0xf3/0xf3
[   40.219800]  ? l2cap_conn_del+0x6b0/0x6b0
[   40.223929]  ? preempt_schedule_common+0x45/0xc0
[   40.228666]  ? ___preempt_schedule+0x16/0x18
[   40.233059]  ? trace_hardirqs_on+0x55/0x210
[   40.237360]  ? l2cap_conn_del+0x6b0/0x6b0
[   40.241487]  kasan_end_report+0x43/0x49
[   40.245446]  kasan_report_error.cold+0xa7/0x1c7
[   40.250096]  ? hci_chan_del+0x13e/0x180
[   40.254056]  __asan_report_load8_noabort+0x88/0x90
[   40.258976]  ? hci_chan_del+0x13e/0x180
[   40.262929]  hci_chan_del+0x13e/0x180
[   40.266712]  l2cap_conn_del+0x44f/0x6b0
[   40.270669]  ? l2cap_conn_del+0x6b0/0x6b0
[   40.274796]  l2cap_disconn_cfm+0x85/0xa0
[   40.278838]  hci_conn_hash_flush+0x114/0x220
[   40.283231]  hci_dev_do_close+0x624/0xe70
[   40.287378]  ? hci_dev_open+0x2a0/0x2a0
[   40.291336]  ? hci_unregister_dev+0x62/0x7f0
[   40.295732]  hci_unregister_dev+0x17c/0x7f0
[   40.300038]  ? vhci_close_dev+0x50/0x50
[   40.303995]  vhci_release+0x70/0xe0
[   40.307603]  __fput+0x2ce/0x890
[   40.310867]  task_work_run+0x148/0x1c0
[   40.314739]  do_exit+0xbb2/0x2b70
[   40.318175]  ? mm_update_next_owner+0x650/0x650
[   40.322825]  ? vfs_write+0x393/0x540
[   40.326522]  ? ksys_write+0x1c8/0x2a0
[   40.330312]  do_group_exit+0x125/0x310
[   40.334181]  __x64_sys_exit_group+0x3a/0x50
[   40.338486]  do_syscall_64+0xf9/0x620
[   40.342285]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[   40.348413] RIP: 0033:0x445228
[   40.351597] Code: Bad RIP value.
[   40.354939] RSP: 002b:00007ffe24ee7488 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[   40.362628] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 0000000000445228
[   40.369888] RDX: 0000000000000001 RSI: 000000000000003c RDI: 0000000000000001
[   40.377136] RBP: 00000000004cd010 R08: 00000000000000e7 R09: ffffffffffffffd0
[   40.384384] R10: 00000000000000ff R11: 0000000000000246 R12: 0000000000000001
[   40.391634] R13: 00000000006e0240 R14: 0000000000000000 R15: 0000000000000000
[   40.400074] Kernel Offset: disabled
[   40.403691] Rebooting in 86400 seconds..