         Starting Permit User Sessions...
[ OK ] Started Daily Cleanup of Temporary Directories.
         Starting System Logging Service...
[ OK ] Started Daily apt download activities.
[ OK ] Started Daily apt upgrade and clean activities.
[ OK ] Reached target Timers.
[ OK ] Started Permit User Sessions.
[ OK ] Started System Logging Service.
[ OK ] Started OpenBSD Secure Shell server.
[ OK ] Started getty on tty2-tty6 if dbus and logind are not available.
[ OK ] Listening on Load/Save RF Kill Switch Status /dev/rfkill Watch.
[ OK ] Started Getty on tty6.
[ OK ] Started Getty on tty5.
[ OK ] Started Getty on tty4.
[ OK ] Started Getty on tty3.
[ OK ] Started Getty on tty2.
[ OK ] Started Serial Getty on ttyS0.
[ OK ] Started Getty on tty1.
[ OK ] Reached target Login Prompts.
[ OK ] Reached target Multi-User System.
[ OK ] Reached target Graphical Interface.
         Starting Update UTMP about System Runlevel Changes...
         Starting Load/Save RF Kill Switch Status...
[ OK ] Started Update UTMP about System Runlevel Changes.
[ OK ] Started Load/Save RF Kill Switch Status.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.1.3' (ECDSA) to the list of known hosts.

syzkaller login:
[ 66.807941][ T27] audit: type=1400 audit(1596417687.491:8): avc: denied { execmem } for pid=6821 comm="syz-executor003" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=1
[ 66.821467][ T6822] IPVS: ftp: loaded support on port[0] = 21
executing program
[ 67.966086][ T6822] ==================================================================
[ 67.974355][ T6822] BUG: KASAN: use-after-free in hci_chan_del+0x14f/0x190
[ 67.981366][ T6822] Read of size 8 at addr ffff88809e507a18 by task syz-executor003/6822
[ 67.989573][ T6822]
[ 67.991885][ T6822] CPU: 1 PID: 6822 Comm: syz-executor003 Not tainted 5.8.0-rc7-syzkaller #0
[ 68.000567][ T6822] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 68.010596][ T6822] Call Trace:
[ 68.013866][ T6822]  dump_stack+0x18f/0x20d
[ 68.018175][ T6822]  ? hci_chan_del+0x14f/0x190
[ 68.022825][ T6822]  ? hci_chan_del+0x14f/0x190
[ 68.027476][ T6822]  print_address_description.constprop.0.cold+0xae/0x436
[ 68.034473][ T6822]  ? mutex_lock_io_nested+0xf60/0xf60
[ 68.039820][ T6822]  ? lockdep_hardirqs_off+0x66/0xa0
[ 68.044993][ T6822]  ? vprintk_func+0x97/0x1a6
[ 68.049696][ T6822]  ? hci_chan_del+0x14f/0x190
[ 68.054346][ T6822]  kasan_report.cold+0x1f/0x37
[ 68.059090][ T6822]  ? hci_chan_del+0x14f/0x190
[ 68.063745][ T6822]  hci_chan_del+0x14f/0x190
[ 68.068225][ T6822]  l2cap_conn_del+0x61b/0x9e0
[ 68.072880][ T6822]  ? l2cap_conn_del+0x9e0/0x9e0
[ 68.077703][ T6822]  l2cap_disconn_cfm+0x85/0xa0
[ 68.082442][ T6822]  hci_conn_hash_flush+0x114/0x220
[ 68.087618][ T6822]  ? vhci_close_dev+0x50/0x50
[ 68.092268][ T6822]  hci_dev_do_close+0x5c6/0x1080
[ 68.097185][ T6822]  ? do_raw_write_lock+0x11a/0x280
[ 68.102270][ T6822]  ? hci_dev_open+0x350/0x350
[ 68.106921][ T6822]  ? do_raw_read_unlock+0x70/0x70
[ 68.111922][ T6822]  ? try_to_grab_pending.part.0+0x7d0/0x7d0
[ 68.117789][ T6822]  ? fsnotify_parent+0xb7/0x2b0
[ 68.122617][ T6822]  ? vhci_close_dev+0x50/0x50
[ 68.127270][ T6822]  hci_unregister_dev+0x1a3/0xe20
[ 68.132279][ T6822]  ? fcntl_setlk+0xf60/0xf60
[ 68.136853][ T6822]  ? lock_is_held_type+0xb0/0xe0
[ 68.141764][ T6822]  ? vhci_close_dev+0x50/0x50
[ 68.146412][ T6822]  vhci_release+0x70/0xe0
[ 68.150768][ T6822]  __fput+0x33c/0x880
[ 68.154729][ T6822]  task_work_run+0xdd/0x190
[ 68.159223][ T6822]  do_exit+0xb72/0x2a40
[ 68.163357][ T6822]  ? mm_update_next_owner+0x7a0/0x7a0
[ 68.168705][ T6822]  ? lock_is_held_type+0xb0/0xe0
[ 68.173620][ T6822]  ? __blkcg_punt_bio_submit+0x1d0/0x1d0
[ 68.179230][ T6822]  ? mem_cgroup_move_charge_pte_range+0xa70/0xa70
[ 68.185621][ T6822]  do_group_exit+0x125/0x310
[ 68.190188][ T6822]  __x64_sys_exit_group+0x3a/0x50
[ 68.195191][ T6822]  do_syscall_64+0x60/0xe0
[ 68.199586][ T6822]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 68.205454][ T6822] RIP: 0033:0x444fe8
[ 68.209319][ T6822] Code: Bad RIP value.
[ 68.213358][ T6822] RSP: 002b:00007ffe7ecfe498 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 68.221745][ T6822] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 0000000000444fe8
[ 68.229693][ T6822] RDX: 0000000000000001 RSI: 000000000000003c RDI: 0000000000000001
[ 68.238421][ T6822] RBP: 00000000004ccdd0 R08: 00000000000000e7 R09: ffffffffffffffd0
[ 68.246366][ T6822] R10: 00007ff8654309d0 R11: 0000000000000246 R12: 0000000000000001
[ 68.254311][ T6822] R13: 00000000006e0200 R14: 0000000000000000 R15: 0000000000000000
[ 68.262262][ T6822]
[ 68.264565][ T6822] Allocated by task 6843:
[ 68.268872][ T6822]  save_stack+0x1b/0x40
[ 68.273020][ T6822]  __kasan_kmalloc.constprop.0+0xc2/0xd0
[ 68.278646][ T6822]  kmem_cache_alloc_trace+0x14f/0x2d0
[ 68.283997][ T6822]  hci_chan_create+0x9b/0x330
[ 68.288654][ T6822]  l2cap_conn_add.part.0+0x1e/0xe10
[ 68.293829][ T6822]  l2cap_connect_cfm+0x23b/0x1090
[ 68.298836][ T6822]  hci_event_packet+0x3e01/0x86f5
[ 68.303838][ T6822]  hci_rx_work+0x22e/0xb10
[ 68.308231][ T6822]  process_one_work+0x94c/0x1670
[ 68.313140][ T6822]  worker_thread+0x64c/0x1120
[ 68.317790][ T6822]  kthread+0x3b5/0x4a0
[ 68.321898][ T6822]  ret_from_fork+0x1f/0x30
[ 68.326282][ T6822]
[ 68.328587][ T6822] Freed by task 6843:
[ 68.332542][ T6822]  save_stack+0x1b/0x40
[ 68.336670][ T6822]  __kasan_slab_free+0xf5/0x140
[ 68.341493][ T6822]  kfree+0x103/0x2c0
[ 68.345366][ T6822]  hci_event_packet+0x319a/0x86f5
[ 68.350364][ T6822]  hci_rx_work+0x22e/0xb10
[ 68.354799][ T6822]  process_one_work+0x94c/0x1670
[ 68.359710][ T6822]  worker_thread+0x64c/0x1120
[ 68.364490][ T6822]  kthread+0x3b5/0x4a0
[ 68.368533][ T6822]  ret_from_fork+0x1f/0x30
[ 68.372914][ T6822]
[ 68.375221][ T6822] The buggy address belongs to the object at ffff88809e507a00
[ 68.375221][ T6822]  which belongs to the cache kmalloc-128 of size 128
[ 68.389248][ T6822] The buggy address is located 24 bytes inside of
[ 68.389248][ T6822]  128-byte region [ffff88809e507a00, ffff88809e507a80)
[ 68.402399][ T6822] The buggy address belongs to the page:
[ 68.408042][ T6822] page:ffffea00027941c0 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88809e507700
[ 68.418593][ T6822] flags: 0xfffe0000000200(slab)
[ 68.423436][ T6822] raw: 00fffe0000000200 ffffea0002845008 ffffea000248f0c8 ffff8880aa000700
[ 68.432011][ T6822] raw: ffff88809e507700 ffff88809e507000 0000000100000008 0000000000000000
[ 68.440579][ T6822] page dumped because: kasan: bad access detected
[ 68.446980][ T6822]
[ 68.449289][ T6822] Memory state around the buggy address:
[ 68.454898][ T6822]  ffff88809e507900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 68.462948][ T6822]  ffff88809e507980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 68.471003][ T6822] >ffff88809e507a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 68.479100][ T6822]                             ^
[ 68.483923][ T6822]  ffff88809e507a80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 68.491959][ T6822]  ffff88809e507b00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 68.499993][ T6822] ==================================================================
[ 68.508023][ T6822] Disabling lock debugging due to kernel taint
[ 68.514836][ T6822] Kernel panic - not syncing: panic_on_warn set ...
[ 68.521447][ T6822] CPU: 1 PID: 6822 Comm: syz-executor003 Tainted: G B 5.8.0-rc7-syzkaller #0
[ 68.531500][ T6822] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 68.541548][ T6822] Call Trace:
[ 68.544843][ T6822]  dump_stack+0x18f/0x20d
[ 68.549171][ T6822]  ? hci_chan_del+0x110/0x190
[ 68.553841][ T6822]  panic+0x2e3/0x75c
[ 68.557736][ T6822]  ? __warn_printk+0xf3/0xf3
[ 68.562324][ T6822]  ? preempt_schedule_common+0x59/0xc0
[ 68.567782][ T6822]  ? hci_chan_del+0x14f/0x190
[ 68.572456][ T6822]  ? preempt_schedule_thunk+0x16/0x18
[ 68.577835][ T6822]  ? trace_hardirqs_on+0x55/0x220
[ 68.582860][ T6822]  ? hci_chan_del+0x14f/0x190
[ 68.587533][ T6822]  ? hci_chan_del+0x14f/0x190
[ 68.592203][ T6822]  end_report+0x4d/0x53
[ 68.596356][ T6822]  kasan_report.cold+0xd/0x37
[ 68.601010][ T6822]  ? hci_chan_del+0x14f/0x190
[ 68.605660][ T6822]  hci_chan_del+0x14f/0x190
[ 68.610138][ T6822]  l2cap_conn_del+0x61b/0x9e0
[ 68.614792][ T6822]  ? l2cap_conn_del+0x9e0/0x9e0
[ 68.619617][ T6822]  l2cap_disconn_cfm+0x85/0xa0
[ 68.624355][ T6822]  hci_conn_hash_flush+0x114/0x220
[ 68.629439][ T6822]  ? vhci_close_dev+0x50/0x50
[ 68.634085][ T6822]  hci_dev_do_close+0x5c6/0x1080
[ 68.639002][ T6822]  ? do_raw_write_lock+0x11a/0x280
[ 68.644087][ T6822]  ? hci_dev_open+0x350/0x350
[ 68.648743][ T6822]  ? do_raw_read_unlock+0x70/0x70
[ 68.653739][ T6822]  ? try_to_grab_pending.part.0+0x7d0/0x7d0
[ 68.659603][ T6822]  ? fsnotify_parent+0xb7/0x2b0
[ 68.664427][ T6822]  ? vhci_close_dev+0x50/0x50
[ 68.669077][ T6822]  hci_unregister_dev+0x1a3/0xe20
[ 68.674155][ T6822]  ? fcntl_setlk+0xf60/0xf60
[ 68.678721][ T6822]  ? lock_is_held_type+0xb0/0xe0
[ 68.683673][ T6822]  ? vhci_close_dev+0x50/0x50
[ 68.688322][ T6822]  vhci_release+0x70/0xe0
[ 68.692626][ T6822]  __fput+0x33c/0x880
[ 68.696583][ T6822]  task_work_run+0xdd/0x190
[ 68.701061][ T6822]  do_exit+0xb72/0x2a40
[ 68.705190][ T6822]  ? mm_update_next_owner+0x7a0/0x7a0
[ 68.710535][ T6822]  ? lock_is_held_type+0xb0/0xe0
[ 68.715449][ T6822]  ? __blkcg_punt_bio_submit+0x1d0/0x1d0
[ 68.721055][ T6822]  ? mem_cgroup_move_charge_pte_range+0xa70/0xa70
[ 68.727440][ T6822]  do_group_exit+0x125/0x310
[ 68.732005][ T6822]  __x64_sys_exit_group+0x3a/0x50
[ 68.736999][ T6822]  do_syscall_64+0x60/0xe0
[ 68.741387][ T6822]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 68.747248][ T6822] RIP: 0033:0x444fe8
[ 68.751109][ T6822] Code: Bad RIP value.
[ 68.755146][ T6822] RSP: 002b:00007ffe7ecfe498 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 68.763526][ T6822] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 0000000000444fe8
[ 68.771471][ T6822] RDX: 0000000000000001 RSI: 000000000000003c RDI: 0000000000000001
[ 68.779417][ T6822] RBP: 00000000004ccdd0 R08: 00000000000000e7 R09: ffffffffffffffd0
[ 68.787624][ T6822] R10: 00007ff8654309d0 R11: 0000000000000246 R12: 0000000000000001
[ 68.795568][ T6822] R13: 00000000006e0200 R14: 0000000000000000 R15: 0000000000000000
[ 68.804758][ T6822] Kernel Offset: disabled
[ 68.809072][ T6822] Rebooting in 86400 seconds..