[  OK  ] Started Getty on tty2.
[  OK  ] Started Getty on tty1.
[  OK  ] Started Serial Getty on ttyS0.
[  OK  ] Started getty on tty2-tty6 if dbus and logind are not available.
[  OK  ] Started OpenBSD Secure Shell server.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.0.221' (ECDSA) to the list of known hosts.

syzkaller login: [   40.959058][ T6827] IPVS: ftp: loaded support on port[0] = 21
executing program
[   44.124508][   T17] Bluetooth: hci0: command 0x0409 tx timeout
[   46.203006][ T2592] Bluetooth: hci0: command 0x041b tx timeout
executing program
[   48.282140][   T17] Bluetooth: hci0: command 0x040f tx timeout
[   50.361370][   T17] Bluetooth: hci0: command 0x0419 tx timeout
[   52.066370][ T6863] ==================================================================
[   52.074551][ T6863] BUG: KASAN: use-after-free in __sco_sock_close+0x47c/0xed0
[   52.081892][ T6863] Write of size 4 at addr ffff888088836010 by task syz-executor333/6863
[   52.090234][ T6863]
[   52.092542][ T6863] CPU: 1 PID: 6863 Comm: syz-executor333 Not tainted 5.8.0-syzkaller #0
[   52.100861][ T6863] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   52.110892][ T6863] Call Trace:
[   52.114174][ T6863]  dump_stack+0x1f0/0x31e
[   52.118497][ T6863]  print_address_description+0x66/0x5a0
[   52.124014][ T6863]  ? vprintk_emit+0x342/0x3c0
[   52.128679][ T6863]  ? printk+0x62/0x83
[   52.132633][ T6863]  ? vprintk_emit+0x339/0x3c0
[   52.137284][ T6863]  kasan_report+0x132/0x1d0
[   52.141760][ T6863]  ? __sco_sock_close+0x47c/0xed0
[   52.146755][ T6863]  check_memory_region+0x2b5/0x2f0
[   52.151837][ T6863]  __sco_sock_close+0x47c/0xed0
[   52.156663][ T6863]  ? lockdep_hardirqs_on+0x49/0xf0
[   52.161755][ T6863]  sco_sock_release+0x63/0x4f0
[   52.166492][ T6863]  ? down_write+0xcd/0x130
[   52.170881][ T6863]  sock_close+0xd8/0x260
[   52.175098][ T6863]  ? sock_mmap+0x90/0x90
[   52.179317][ T6863]  __fput+0x2f0/0x750
[   52.183278][ T6863]  task_work_run+0x137/0x1c0
[   52.187838][ T6863]  do_exit+0x5f3/0x1f20
[   52.191968][ T6863]  ? trace_lock_release+0x137/0x1a0
[   52.197151][ T6863]  do_group_exit+0x161/0x2d0
[   52.201728][ T6863]  get_signal+0x139b/0x1d30
[   52.206207][ T6863]  ? sco_sock_connect+0x5ae/0xaa0
[   52.211209][ T6863]  arch_do_signal+0x33/0x610
[   52.215767][ T6863]  ? lock_is_held_type+0xb3/0xe0
[   52.220696][ T6863]  ? exit_to_user_mode_prepare+0x3d/0x1c0
[   52.226395][ T6863]  exit_to_user_mode_prepare+0x8d/0x1c0
[   52.231909][ T6863]  syscall_exit_to_user_mode+0x5e/0x1a0
[   52.237423][ T6863]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[   52.243285][ T6863] RIP: 0033:0x446dc9
[   52.247146][ T6863] Code: Bad RIP value.
[   52.251195][ T6863] RSP: 002b:00007ffc5b0293a8 EFLAGS: 00000246 ORIG_RAX: 000000000000002a
[   52.259573][ T6863] RAX: fffffffffffffffc RBX: 0000000000000003 RCX: 0000000000446dc9
[   52.267514][ T6863] RDX: 0000000000000008 RSI: 0000000020000080 RDI: 0000000000000004
[   52.275457][ T6863] RBP: 00007ffc5b0293e0 R08: 0000000000000002 R09: 00000000000000ff
[   52.283400][ T6863] R10: 0000000000000004 R11: 0000000000000246 R12: 000000000000a457
[   52.291342][ T6863] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[   52.299296][ T6863]
[   52.301598][ T6863] Allocated by task 6858:
[   52.305896][ T6863]  __kasan_kmalloc+0x103/0x140
[   52.310625][ T6863]  kmem_cache_alloc_trace+0x234/0x300
[   52.315966][ T6863]  hci_conn_add+0x5d/0x1040
[   52.320436][ T6863]  hci_connect_sco+0x2aa/0xa20
[   52.325167][ T6863]  sco_sock_connect+0x2de/0xaa0
[   52.329985][ T6863]  __sys_connect+0x2da/0x360
[   52.334542][ T6863]  __x64_sys_connect+0x76/0x80
[   52.339271][ T6863]  do_syscall_64+0x31/0x70
[   52.343657][ T6863]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[   52.349510][ T6863]
[   52.351809][ T6863] Freed by task 1540:
[   52.355759][ T6863]  __kasan_slab_free+0x114/0x170
[   52.360668][ T6863]  kfree+0x10a/0x220
[   52.364543][ T6863]  device_release+0x70/0x1a0
[   52.369110][ T6863]  kobject_put+0x1a0/0x2c0
[   52.373493][ T6863]  hci_conn_del+0x2c2/0x550
[   52.377983][ T6863]  hci_event_packet+0x82c8/0x17e10
[   52.383061][ T6863]  hci_rx_work+0x246/0xa20
[   52.387447][ T6863]  process_one_work+0x789/0xfc0
[   52.392266][ T6863]  worker_thread+0xaa4/0x1460
[   52.396909][ T6863]  kthread+0x37e/0x3a0
[   52.400946][ T6863]  ret_from_fork+0x1f/0x30
[   52.405338][ T6863]
[   52.407643][ T6863] The buggy address belongs to the object at ffff888088836000
[   52.407643][ T6863]  which belongs to the cache kmalloc-4k of size 4096
[   52.421717][ T6863] The buggy address is located 16 bytes inside of
[   52.421717][ T6863]  4096-byte region [ffff888088836000, ffff888088837000)
[   52.434973][ T6863] The buggy address belongs to the page:
[   52.440578][ T6863] page:ffffea0002220d80 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 head:ffffea0002220d80 order:1 compound_mapcount:0
[   52.440717][ T2592] Bluetooth: hci0: command 0x0405 tx timeout
[   52.453999][ T6863] flags: 0xfffe0000010200(slab|head)
[   52.454015][ T6863] raw: 00fffe0000010200 ffffea0002220f08 ffffea0002220b08 ffff8880aa402000
[   52.454025][ T6863] raw: 0000000000000000 ffff888088836000 0000000100000001 0000000000000000
[   52.454029][ T6863] page dumped because: kasan: bad access detected
[   52.454036][ T6863]
[   52.491097][ T6863] Memory state around the buggy address:
[   52.496698][ T6863]  ffff888088835f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   52.504727][ T6863]  ffff888088835f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   52.512756][ T6863] >ffff888088836000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   52.520784][ T6863]                    ^
[   52.525343][ T6863]  ffff888088836080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   52.533372][ T6863]  ffff888088836100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   52.541398][ T6863] ==================================================================
[   52.549439][ T6863] Disabling lock debugging due to kernel taint
[   52.556421][ T6863] Kernel panic - not syncing: panic_on_warn set ...
[   52.563012][ T6863] CPU: 1 PID: 6863 Comm: syz-executor333 Tainted: G    B             5.8.0-syzkaller #0
[   52.572690][ T6863] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   52.582715][ T6863] Call Trace:
[   52.585976][ T6863]  dump_stack+0x1f0/0x31e
[   52.590275][ T6863]  panic+0x264/0x7a0
[   52.594140][ T6863]  ? trace_hardirqs_on+0x30/0x80
[   52.599088][ T6863]  kasan_report+0x1c9/0x1d0
[   52.603560][ T6863]  ? __sco_sock_close+0x47c/0xed0
[   52.608552][ T6863]  check_memory_region+0x2b5/0x2f0
[   52.613630][ T6863]  __sco_sock_close+0x47c/0xed0
[   52.618447][ T6863]  ? lockdep_hardirqs_on+0x49/0xf0
[   52.623524][ T6863]  sco_sock_release+0x63/0x4f0
[   52.628255][ T6863]  ? down_write+0xcd/0x130
[   52.632640][ T6863]  sock_close+0xd8/0x260
[   52.636864][ T6863]  ? sock_mmap+0x90/0x90
[   52.641506][ T6863]  __fput+0x2f0/0x750
[   52.645542][ T6863]  task_work_run+0x137/0x1c0
[   52.650111][ T6863]  do_exit+0x5f3/0x1f20
[   52.654236][ T6863]  ? trace_lock_release+0x137/0x1a0
[   52.659401][ T6863]  do_group_exit+0x161/0x2d0
[   52.663974][ T6863]  get_signal+0x139b/0x1d30
[   52.668445][ T6863]  ? sco_sock_connect+0x5ae/0xaa0
[   52.673441][ T6863]  arch_do_signal+0x33/0x610
[   52.677998][ T6863]  ? lock_is_held_type+0xb3/0xe0
[   52.683004][ T6863]  ? exit_to_user_mode_prepare+0x3d/0x1c0
[   52.688689][ T6863]  exit_to_user_mode_prepare+0x8d/0x1c0
[   52.694201][ T6863]  syscall_exit_to_user_mode+0x5e/0x1a0
[   52.699716][ T6863]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[   52.705575][ T6863] RIP: 0033:0x446dc9
[   52.709432][ T6863] Code: Bad RIP value.
[   52.713466][ T6863] RSP: 002b:00007ffc5b0293a8 EFLAGS: 00000246 ORIG_RAX: 000000000000002a
[   52.721842][ T6863] RAX: fffffffffffffffc RBX: 0000000000000003 RCX: 0000000000446dc9
[   52.729779][ T6863] RDX: 0000000000000008 RSI: 0000000020000080 RDI: 0000000000000004
[   52.737732][ T6863] RBP: 00007ffc5b0293e0 R08: 0000000000000002 R09: 00000000000000ff
[   52.745670][ T6863] R10: 0000000000000004 R11: 0000000000000246 R12: 000000000000a457
[   52.753610][ T6863] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[   52.762839][ T6863] Kernel Offset: disabled
[   52.767156][ T6863] Rebooting in 86400 seconds..