[ OK ] Reached target Login Prompts.
[ OK ] Reached target Multi-User System.
[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
[ OK ] Started Update UTMP about System Runlevel Changes.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.10.18' (ECDSA) to the list of known hosts.

syzkaller login: [ 59.186501][ T6823] IPVS: ftp: loaded support on port[0] = 21
executing program
[ 60.721454][ T2820] tipc: TX() has been purged, node left!
[ 60.737287][ T6856] ==================================================================
[ 60.745573][ T6856] BUG: KASAN: use-after-free in sco_chan_del+0xe6/0x430
[ 60.752507][ T6856] Write of size 4 at addr ffff8880a6e34010 by task syz-executor739/6856
[ 60.760822][ T6856]
[ 60.763156][ T6856] CPU: 0 PID: 6856 Comm: syz-executor739 Not tainted 5.8.0-syzkaller #0
[ 60.771674][ T6856] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 60.781716][ T6856] Call Trace:
[ 60.785062][ T6856]  dump_stack+0x18f/0x20d
[ 60.789381][ T6856]  ? sco_chan_del+0xe6/0x430
[ 60.793968][ T6856]  ? sco_chan_del+0xe6/0x430
[ 60.798540][ T6856]  ? __sock_release+0x280/0x280
[ 60.803376][ T6856]  print_address_description.constprop.0.cold+0xae/0x436
[ 60.810442][ T6856]  ? sco_chan_del+0xab/0x430
[ 60.815019][ T6856]  ? vprintk_func+0x97/0x1a6
[ 60.819592][ T6856]  ? sco_chan_del+0xe6/0x430
[ 60.824176][ T6856]  kasan_report.cold+0x1f/0x37
[ 60.828945][ T6856]  ? sco_chan_del+0xe6/0x430
[ 60.833746][ T6856]  check_memory_region+0x13d/0x180
[ 60.839085][ T6856]  sco_chan_del+0xe6/0x430
[ 60.843726][ T6856]  __sco_sock_close+0x16e/0x5b0
[ 60.848564][ T6856]  sco_sock_release+0x69/0x290
[ 60.853316][ T6856]  __sock_release+0xcd/0x280
[ 60.857889][ T6856]  sock_close+0x18/0x20
[ 60.862122][ T6856]  __fput+0x33c/0x880
[ 60.866401][ T6856]  task_work_run+0xdd/0x190
[ 60.870891][ T6856]  do_exit+0xb7d/0x29f0
[ 60.875032][ T6856]  ? lock_acquire+0x1f1/0xad0
[ 60.879692][ T6856]  ? find_held_lock+0x2d/0x110
[ 60.884541][ T6856]  ? mm_update_next_owner+0x7a0/0x7a0
[ 60.890026][ T6856]  ? get_signal+0x332/0x1ee0
[ 60.894602][ T6856]  ? lock_downgrade+0x830/0x830
[ 60.899441][ T6856]  ? lock_is_held_type+0xbb/0xf0
[ 60.904363][ T6856]  do_group_exit+0x125/0x310
[ 60.909022][ T6856]  get_signal+0x40b/0x1ee0
[ 60.913427][ T6856]  ? fsnotify+0x7ec/0xb30
[ 60.917738][ T6856]  ? lock_downgrade+0x830/0x830
[ 60.922748][ T6856]  arch_do_signal+0x82/0x2520
[ 60.927409][ T6856]  ? fsnotify_first_mark+0x1f0/0x1f0
[ 60.932683][ T6856]  ? copy_siginfo_to_user32+0xa0/0xa0
[ 60.938042][ T6856]  ? __x64_sys_futex+0x382/0x4e0
[ 60.942973][ T6856]  ? exit_to_user_mode_prepare+0xce/0x1d0
[ 60.948671][ T6856]  ? lockdep_hardirqs_on_prepare+0x354/0x530
[ 60.954634][ T6856]  exit_to_user_mode_prepare+0x172/0x1d0
[ 60.960267][ T6856]  syscall_exit_to_user_mode+0x59/0x2b0
[ 60.965971][ T6856]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 60.971846][ T6856] RIP: 0033:0x4468d9
[ 60.975805][ T6856] Code: Bad RIP value.
[ 60.979851][ T6856] RSP: 002b:00007fcbcb5d8db8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
[ 60.988243][ T6856] RAX: fffffffffffffe00 RBX: 00000000006dbc38 RCX: 00000000004468d9
[ 60.996198][ T6856] RDX: 0000000000000000 RSI: 0000000000000080 RDI: 00000000006dbc38
[ 61.004151][ T6856] RBP: 00000000006dbc30 R08: 0000000000000000 R09: 0000000000000000
[ 61.012114][ T6856] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dbc3c
[ 61.020076][ T6856] R13: 00007fff30cac95f R14: 00007fcbcb5d99c0 R15: 00000000006dbc3c
[ 61.028044][ T6856]
[ 61.030361][ T6856] Allocated by task 6853:
[ 61.034679][ T6856]  save_stack+0x1b/0x40
[ 61.038820][ T6856]  __kasan_kmalloc.constprop.0+0xc2/0xd0
[ 61.044437][ T6856]  kmem_cache_alloc_trace+0x14f/0x2d0
[ 61.049794][ T6856]  hci_conn_add+0x53/0x1330
[ 61.054285][ T6856]  hci_connect_sco+0x356/0x860
[ 61.059038][ T6856]  sco_sock_connect+0x308/0x980
[ 61.063872][ T6856]  __sys_connect_file+0x155/0x1a0
[ 61.068877][ T6856]  __sys_connect+0x160/0x190
[ 61.073451][ T6856]  __x64_sys_connect+0x6f/0xb0
[ 61.078202][ T6856]  do_syscall_64+0x2d/0x70
[ 61.082600][ T6856]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 61.088467][ T6856]
[ 61.090778][ T6856] Freed by task 1536:
[ 61.094741][ T6856]  save_stack+0x1b/0x40
[ 61.098879][ T6856]  __kasan_slab_free+0xf5/0x140
[ 61.103719][ T6856]  kfree+0x103/0x2c0
[ 61.107595][ T6856]  device_release+0x71/0x200
[ 61.112408][ T6856]  kobject_put+0x171/0x270
[ 61.116804][ T6856]  put_device+0x1b/0x30
[ 61.120947][ T6856]  hci_conn_del+0x27e/0x6a0
[ 61.125435][ T6856]  hci_phy_link_complete_evt.isra.0+0x508/0x790
[ 61.131705][ T6856]  hci_event_packet+0x4696/0x87a8
[ 61.136801][ T6856]  hci_rx_work+0x22e/0xb50
[ 61.141199][ T6856]  process_one_work+0x94c/0x1670
[ 61.146128][ T6856]  worker_thread+0x64c/0x1120
[ 61.150788][ T6856]  kthread+0x3b5/0x4a0
[ 61.154955][ T6856]  ret_from_fork+0x1f/0x30
[ 61.159346][ T6856]
[ 61.161656][ T6856] The buggy address belongs to the object at ffff8880a6e34000
[ 61.161656][ T6856]  which belongs to the cache kmalloc-4k of size 4096
[ 61.175694][ T6856] The buggy address is located 16 bytes inside of
[ 61.175694][ T6856]  4096-byte region [ffff8880a6e34000, ffff8880a6e35000)
[ 61.188941][ T6856] The buggy address belongs to the page:
[ 61.194561][ T6856] page:ffffea00029b8d00 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 head:ffffea00029b8d00 order:1 compound_mapcount:0
[ 61.208213][ T6856] flags: 0xfffe0000010200(slab|head)
[ 61.213615][ T6856] raw: 00fffe0000010200 ffffea0002528b88 ffffea0002514288 ffff8880aa002000
[ 61.222180][ T6856] raw: 0000000000000000 ffff8880a6e34000 0000000100000001 0000000000000000
[ 61.230742][ T6856] page dumped because: kasan: bad access detected
[ 61.237147][ T6856]
[ 61.239456][ T6856] Memory state around the buggy address:
[ 61.245067][ T6856]  ffff8880a6e33f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 61.253107][ T6856]  ffff8880a6e33f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 61.261193][ T6856] >ffff8880a6e34000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 61.269495][ T6856]                        ^
[ 61.274070][ T6856]  ffff8880a6e34080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 61.282209][ T6856]  ffff8880a6e34100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 61.290314][ T6856] ==================================================================
[ 61.298353][ T6856] Disabling lock debugging due to kernel taint
[ 61.304956][ T6856] Kernel panic - not syncing: panic_on_warn set ...
[ 61.311657][ T6856] CPU: 0 PID: 6856 Comm: syz-executor739 Tainted: G B 5.8.0-syzkaller #0
[ 61.321375][ T6856] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 61.331423][ T6856] Call Trace:
[ 61.334704][ T6856]  dump_stack+0x18f/0x20d
[ 61.339022][ T6856]  ? sco_sock_sendmsg+0x5d0/0x5d0
[ 61.344113][ T6856]  ? __sock_release+0x280/0x280
[ 61.349003][ T6856]  panic+0x2e3/0x75c
[ 61.352881][ T6856]  ? __warn_printk+0xf3/0xf3
[ 61.357452][ T6856]  ? preempt_schedule_common+0x59/0xc0
[ 61.362977][ T6856]  ? sco_chan_del+0xe6/0x430
[ 61.367592][ T6856]  ? preempt_schedule_thunk+0x16/0x18
[ 61.372943][ T6856]  ? trace_hardirqs_on+0x55/0x220
[ 61.377945][ T6856]  ? sco_chan_del+0xe6/0x430
[ 61.382514][ T6856]  ? sco_chan_del+0xe6/0x430
[ 61.387082][ T6856]  ? __sock_release+0x280/0x280
[ 61.391930][ T6856]  end_report+0x4d/0x53
[ 61.396067][ T6856]  kasan_report.cold+0xd/0x37
[ 61.400723][ T6856]  ? sco_chan_del+0xe6/0x430
[ 61.405294][ T6856]  check_memory_region+0x13d/0x180
[ 61.410471][ T6856]  sco_chan_del+0xe6/0x430
[ 61.414956][ T6856]  __sco_sock_close+0x16e/0x5b0
[ 61.419787][ T6856]  sco_sock_release+0x69/0x290
[ 61.424533][ T6856]  __sock_release+0xcd/0x280
[ 61.429104][ T6856]  sock_close+0x18/0x20
[ 61.433275][ T6856]  __fput+0x33c/0x880
[ 61.437327][ T6856]  task_work_run+0xdd/0x190
[ 61.441808][ T6856]  do_exit+0xb7d/0x29f0
[ 61.445940][ T6856]  ? lock_acquire+0x1f1/0xad0
[ 61.450597][ T6856]  ? find_held_lock+0x2d/0x110
[ 61.455336][ T6856]  ? mm_update_next_owner+0x7a0/0x7a0
[ 61.460686][ T6856]  ? get_signal+0x332/0x1ee0
[ 61.465299][ T6856]  ? lock_downgrade+0x830/0x830
[ 61.470128][ T6856]  ? lock_is_held_type+0xbb/0xf0
[ 61.475044][ T6856]  do_group_exit+0x125/0x310
[ 61.479614][ T6856]  get_signal+0x40b/0x1ee0
[ 61.484006][ T6856]  ? fsnotify+0x7ec/0xb30
[ 61.488317][ T6856]  ? lock_downgrade+0x830/0x830
[ 61.493145][ T6856]  arch_do_signal+0x82/0x2520
[ 61.497802][ T6856]  ? fsnotify_first_mark+0x1f0/0x1f0
[ 61.503066][ T6856]  ? copy_siginfo_to_user32+0xa0/0xa0
[ 61.508420][ T6856]  ? __x64_sys_futex+0x382/0x4e0
[ 61.513426][ T6856]  ? exit_to_user_mode_prepare+0xce/0x1d0
[ 61.519123][ T6856]  ? lockdep_hardirqs_on_prepare+0x354/0x530
[ 61.525082][ T6856]  exit_to_user_mode_prepare+0x172/0x1d0
[ 61.530695][ T6856]  syscall_exit_to_user_mode+0x59/0x2b0
[ 61.536216][ T6856]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 61.542089][ T6856] RIP: 0033:0x4468d9
[ 61.545963][ T6856] Code: Bad RIP value.
[ 61.550033][ T6856] RSP: 002b:00007fcbcb5d8db8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
[ 61.558543][ T6856] RAX: fffffffffffffe00 RBX: 00000000006dbc38 RCX: 00000000004468d9
[ 61.566496][ T6856] RDX: 0000000000000000 RSI: 0000000000000080 RDI: 00000000006dbc38
[ 61.574448][ T6856] RBP: 00000000006dbc30 R08: 0000000000000000 R09: 0000000000000000
[ 61.582400][ T6856] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dbc3c
[ 61.590380][ T6856] R13: 00007fff30cac95f R14: 00007fcbcb5d99c0 R15: 00000000006dbc3c
[ 61.599726][ T6856] Kernel Offset: disabled
[ 61.604048][ T6856] Rebooting in 86400 seconds..
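The report above already contains everything a first-pass triage needs: a 4-byte write by syz-executor739 during socket release (sco_chan_del, reached from sco_sock_release at process exit) into an object that was allocated in hci_conn_add from sco_sock_connect and freed in hci_conn_del from the HCI RX workqueue (process_one_work / hci_rx_work in the free stack, a different task, 1536). The address sits 16 bytes into a kmalloc-4k object, and the shadow bytes under the caret are fb, which generic KASAN uses for memory freed by kfree (fc is the kmalloc redzone). The following parser is an added example, not part of this syzbot report and not syzkaller's tooling; it extracts those facts from the console text so they can be compared across reports. SAMPLE_REPORT is a constructed excerpt of the report above with most frames omitted; the NOISE prefix list used to skip reporter and allocator frames is a heuristic of this example.

```python
# Added example: a triage parser for KASAN reports in the form syzkaller prints
# them; not syzbot's or syzkaller's own tooling. SAMPLE_REPORT is a constructed
# excerpt of the report above (most frames omitted, console prefixes kept).
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

SAMPLE_REPORT = """\
[ 60.745573][ T6856] BUG: KASAN: use-after-free in sco_chan_del+0xe6/0x430
[ 60.752507][ T6856] Write of size 4 at addr ffff8880a6e34010 by task syz-executor739/6856
[ 60.781716][ T6856] Call Trace:
[ 60.785062][ T6856]  dump_stack+0x18f/0x20d
[ 60.789381][ T6856]  ? sco_chan_del+0xe6/0x430
[ 60.824176][ T6856]  kasan_report.cold+0x1f/0x37
[ 60.839085][ T6856]  sco_chan_del+0xe6/0x430
[ 61.028044][ T6856]
[ 61.030361][ T6856] Allocated by task 6853:
[ 61.034679][ T6856]  save_stack+0x1b/0x40
[ 61.044437][ T6856]  kmem_cache_alloc_trace+0x14f/0x2d0
[ 61.049794][ T6856]  hci_conn_add+0x53/0x1330
[ 61.088467][ T6856]
[ 61.090778][ T6856] Freed by task 1536:
[ 61.094741][ T6856]  save_stack+0x1b/0x40
[ 61.103719][ T6856]  kfree+0x103/0x2c0
[ 61.120947][ T6856]  hci_conn_del+0x27e/0x6a0
[ 61.125435][ T6856]  hci_phy_link_complete_evt.isra.0+0x508/0x790
[ 61.141199][ T6856]  process_one_work+0x94c/0x1670
[ 61.159346][ T6856]
[ 61.161656][ T6856] The buggy address belongs to the object at ffff8880a6e34000
[ 61.161656][ T6856]  which belongs to the cache kmalloc-4k of size 4096
[ 61.253107][ T6856]  ffff8880a6e33f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 61.261193][ T6856] >ffff8880a6e34000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
"""

PREFIX = re.compile(r"^\[\s*[\d.]+\]\[\s*T\d+\]\s?")          # "[ 61.03][ T6856] "
FRAME = re.compile(r"^(\? )?([\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+$")
SHADOW_ROW = re.compile(r"^>?([0-9a-f]{16}):((?: [0-9a-f]{2}){16})$")
# Generic KASAN: one shadow byte per 8-byte granule; 1..7 means that many bytes are addressable.
SHADOW = {0x00: "addressable", 0xfa: "freed", 0xfb: "freed by kfree",
          0xfc: "kmalloc redzone", 0xfe: "page redzone", 0xff: "freed page"}
# Reporter and allocator frames head every stack but never own the bug (heuristic of this example).
NOISE = ("save_stack", "__kasan", "kasan_", "kmem_cache", "kfree", "kmalloc",
         "dump_stack", "print_address", "check_memory_region")


@dataclass
class KasanReport:
    bug: str = ""
    func: str = ""
    access: str = ""
    size: int = 0
    addr: int = 0
    task: str = ""
    obj_base: Optional[int] = None
    obj_size: Optional[int] = None
    stacks: Dict[str, List[str]] = field(default_factory=dict)  # confirmed frames, innermost first
    shadow: Dict[int, int] = field(default_factory=dict)        # granule address -> shadow byte

    def offset(self) -> Optional[int]:
        return None if self.obj_base is None else self.addr - self.obj_base

    def shadow_state(self) -> str:
        b = self.shadow.get(self.addr & ~7)
        return "unknown" if b is None else SHADOW.get(b, f"{b} bytes addressable" if b < 8 else f"0x{b:02x}")

    def freed_in_workqueue(self) -> bool:
        """True when the free ran on a kworker: the access raced an asynchronous teardown."""
        return "process_one_work" in self.stacks.get("freed", [])


def origin(stack: List[str]) -> Optional[str]:
    """Innermost frame that belongs to the subsystem rather than to KASAN or the allocator."""
    return next((f for f in stack if not f.startswith(NOISE)), None)


def parse_kasan(text: str) -> KasanReport:
    r, section = KasanReport(), None
    for raw in text.splitlines():
        line = PREFIX.sub("", raw).strip()
        if m := re.match(r"BUG: KASAN: (\S+) in ([\w.]+)\+0x", line):
            r.bug, r.func = m[1], m[2]
        elif m := re.match(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (\S+)", line):
            r.access, r.size, r.addr, r.task = m[1].lower(), int(m[2]), int(m[3], 16), m[4]
        elif line == "Call Trace:":  # the panic repeats the trace later; keep only the first
            section = None if "access" in r.stacks else "access"
        elif m := re.match(r"(Allocated|Freed) by task \d+:", line):
            section = m[1].lower()
        elif m := re.match(r"The buggy address belongs to the object at ([0-9a-f]+)", line):
            r.obj_base = int(m[1], 16)
        elif m := re.match(r"which belongs to the cache \S+ of size (\d+)", line):
            r.obj_size = int(m[1])
        elif m := SHADOW_ROW.match(line):
            for i, byte in enumerate(m[2].split()):
                r.shadow[int(m[1], 16) + 8 * i] = int(byte, 16)
        elif section and (m := FRAME.match(line)):
            if not m[1]:  # "? " marks an unwinder guess, not a confirmed caller
                r.stacks.setdefault(section, []).append(m[2])
        elif not line:
            section = None
    return r
```

Running parse_kasan(SAMPLE_REPORT) and then origin() on the three stacks yields sco_chan_del, hci_conn_add and hci_conn_del as the access, allocation and free sites, offset() gives 16, shadow_state() gives "freed by kfree", and freed_in_workqueue() is true because the free stack runs under process_one_work. Feeding the full console log from this page gives the same result; the second Call Trace printed by the panic path is deliberately ignored. The "? " frames are dropped because the x86 unwinder prints them for stale return addresses it finds on the stack, so they must not be read as callers.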