[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
Starting Load/Save RF Kill Switch Status...
[ OK ] Started Update UTMP about System Runlevel Changes.
[ OK ] Started Load/Save RF Kill Switch Status.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.0.160' (ECDSA) to the list of known hosts.

syzkaller login:
[ 65.313084][ T7263] IPVS: ftp: loaded support on port[0] = 21
[ 65.325415][ T7265] IPVS: ftp: loaded support on port[0] = 21
[ 65.327520][ T7264] IPVS: ftp: loaded support on port[0] = 21
[ 65.345029][ T7257] IPVS: ftp: loaded support on port[0] = 21
[ 65.352032][ T7260] IPVS: ftp: loaded support on port[0] = 21
[ 65.358886][ T7262] IPVS: ftp: loaded support on port[0] = 21
executing program
executing program
executing program
executing program
executing program
[ 65.654400][ T3242] ==================================================================
[ 65.662675][ T3242] BUG: KASAN: use-after-free in l2cap_chan_close+0x763/0xb10
[ 65.670067][ T3242] Read of size 1 at addr ffff88808ad32020 by task kworker/1:158/3242
[ 65.678134][ T3242]
[ 65.680483][ T3242] CPU: 1 PID: 3242 Comm: kworker/1:158 Not tainted 5.7.0-rc1-next-20200415-syzkaller #0
[ 65.690197][ T3242] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
executing program
[ 65.701223][ T3242] Workqueue: events do_enable_set
[ 65.706263][ T3242] Call Trace:
[ 65.709566][ T3242]  dump_stack+0x188/0x20d
[ 65.713919][ T3242]  print_address_description.constprop.0.cold+0xd3/0x315
[ 65.721049][ T3242]  ? l2cap_chan_close+0x763/0xb10
[ 65.726092][ T3242]  __kasan_report.cold+0x35/0x4d
[ 65.731058][ T3242]  ? l2cap_chan_close+0x763/0xb10
[ 65.736112][ T3242]  ? l2cap_chan_close+0x763/0xb10
[ 65.741154][ T3242]  kasan_report+0x33/0x50
[ 65.745509][ T3242]  l2cap_chan_close+0x763/0xb10
executing program
[ 65.750381][ T3242]  ? l2cap_send_i_or_rr_or_rnr+0x320/0x320
[ 65.756224][ T3242]  do_enable_set+0x4cf/0x8e0
[ 65.760836][ T3242]  ? lowpan_control_write+0x480/0x480
[ 65.766233][ T3242]  ? rcu_read_lock_sched_held+0x9c/0xd0
[ 65.771793][ T3242]  ? rcu_read_lock_any_held.part.0+0x50/0x50
[ 65.777792][ T3242]  ? _raw_spin_unlock_irq+0x1f/0x80
[ 65.783031][ T3242]  process_one_work+0x965/0x16a0
[ 65.788012][ T3242]  ? lock_release+0x800/0x800
[ 65.792698][ T3242]  ? pwq_dec_nr_in_flight+0x310/0x310
[ 65.798094][ T3242]  ? rwlock_bug.part.0+0x90/0x90
executing program
[ 65.803062][ T3242]  worker_thread+0x96/0xe20
[ 65.807591][ T3242]  ? process_one_work+0x16a0/0x16a0
[ 65.812823][ T3242]  kthread+0x388/0x470
[ 65.816905][ T3242]  ? kthread_mod_delayed_work+0x1a0/0x1a0
[ 65.822637][ T3242]  ret_from_fork+0x24/0x30
[ 65.827065][ T3242]
[ 65.829398][ T3242] Allocated by task 2718:
[ 65.833735][ T3242]  save_stack+0x1b/0x40
[ 65.837899][ T3242]  __kasan_kmalloc.constprop.0+0xbf/0xd0
[ 65.843540][ T3242]  kmem_cache_alloc_trace+0x153/0x7d0
[ 65.848935][ T3242]  l2cap_chan_create+0x40/0x3a0
[ 65.853795][ T3242]  chan_create+0xc/0xd0
[ 65.857964][ T3242]  do_enable_set+0x511/0x8e0
[ 65.862562][ T3242]  process_one_work+0x965/0x16a0
[ 65.867506][ T3242]  worker_thread+0x96/0xe20
[ 65.872017][ T3242]  kthread+0x388/0x470
[ 65.876122][ T3242]  ret_from_fork+0x24/0x30
[ 65.880540][ T3242]
[ 65.882877][ T3242] Freed by task 2728:
[ 65.886869][ T3242]  save_stack+0x1b/0x40
[ 65.891034][ T3242]  __kasan_slab_free+0xf7/0x140
[ 65.895903][ T3242]  kfree+0x109/0x2b0
[ 65.899814][ T3242]  l2cap_chan_put+0x1b2/0x230
[ 65.904502][ T3242]  do_enable_set+0x4db/0x8e0
[ 65.909105][ T3242]  process_one_work+0x965/0x16a0
[ 65.914059][ T3242]  worker_thread+0x96/0xe20
[ 65.918573][ T3242]  kthread+0x388/0x470
[ 65.922657][ T3242]  ret_from_fork+0x24/0x30
[ 65.927072][ T3242]
[ 65.929412][ T3242] The buggy address belongs to the object at ffff88808ad32000
[ 65.929412][ T3242]  which belongs to the cache kmalloc-2k of size 2048
[ 65.943480][ T3242] The buggy address is located 32 bytes inside of
[ 65.943480][ T3242]  2048-byte region [ffff88808ad32000, ffff88808ad32800)
[ 65.956763][ T3242] The buggy address belongs to the page:
[ 65.962418][ T3242] page:ffffea00022b4c80 refcount:1 mapcount:0 mapping:00000000628e4504 index:0x0
[ 65.971542][ T3242] flags: 0xfffe0000000200(slab)
[ 65.976411][ T3242] raw: 00fffe0000000200 ffffea00024e7688 ffffea00022b4cc8 ffff8880aa000e00
[ 65.985011][ T3242] raw: 0000000000000000 ffff88808ad32000 0000000100000001 0000000000000000
[ 65.993595][ T3242] page dumped because: kasan: bad access detected
[ 66.000005][ T3242]
[ 66.002355][ T3242] Memory state around the buggy address:
[ 66.007990][ T3242]  ffff88808ad31f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 66.016059][ T3242]  ffff88808ad31f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 66.024130][ T3242] >ffff88808ad32000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 66.032197][ T3242]                                ^
[ 66.037315][ T3242]  ffff88808ad32080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 66.045381][ T3242]  ffff88808ad32100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
[ 66.053497][ T3242] ==================================================================
[ 66.061554][ T3242] Disabling lock debugging due to kernel taint
executing program
[ 66.156388][ T3242] Kernel panic - not syncing: panic_on_warn set ...
[ 66.163031][ T3242] CPU: 1 PID: 3242 Comm: kworker/1:158 Tainted: G B 5.7.0-rc1-next-20200415-syzkaller #0
[ 66.174138][ T3242] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 66.184215][ T3242] Workqueue: events do_enable_set
[ 66.189247][ T3242] Call Trace:
[ 66.192547][ T3242]  dump_stack+0x188/0x20d
[ 66.196896][ T3242]  panic+0x2e3/0x75c
[ 66.200799][ T3242]  ? add_taint.cold+0x16/0x16
executing program
[ 66.205489][ T3242]  ? preempt_schedule_common+0x5e/0xc0
[ 66.211060][ T3242]  ? l2cap_chan_close+0x763/0xb10
[ 66.216097][ T3242]  ? preempt_schedule_thunk+0x16/0x18
[ 66.221498][ T3242]  ? trace_hardirqs_on+0x55/0x220
[ 66.226537][ T3242]  ? l2cap_chan_close+0x763/0xb10
[ 66.231567][ T3242]  end_report+0x4d/0x53
[ 66.235726][ T3242]  __kasan_report.cold+0xd/0x4d
[ 66.240696][ T3242]  ? l2cap_chan_close+0x763/0xb10
[ 66.245727][ T3242]  ? l2cap_chan_close+0x763/0xb10
[ 66.250751][ T3242]  kasan_report+0x33/0x50
[ 66.255085][ T3242]  l2cap_chan_close+0x763/0xb10
[ 66.259952][ T3242]  ? l2cap_send_i_or_rr_or_rnr+0x320/0x320
[ 66.265771][ T3242]  do_enable_set+0x4cf/0x8e0
[ 66.270370][ T3242]  ? lowpan_control_write+0x480/0x480
[ 66.275938][ T3242]  ? rcu_read_lock_sched_held+0x9c/0xd0
[ 66.281512][ T3242]  ? rcu_read_lock_any_held.part.0+0x50/0x50
[ 66.287500][ T3242]  ? _raw_spin_unlock_irq+0x1f/0x80
[ 66.292701][ T3242]  process_one_work+0x965/0x16a0
[ 66.297648][ T3242]  ? lock_release+0x800/0x800
executing program
executing program
[ 66.302326][ T3242]  ? pwq_dec_nr_in_flight+0x310/0x310
[ 66.307708][ T3242]  ? rwlock_bug.part.0+0x90/0x90
[ 66.312654][ T3242]  worker_thread+0x96/0xe20
[ 66.317166][ T3242]  ? process_one_work+0x16a0/0x16a0
[ 66.322380][ T3242]  kthread+0x388/0x470
[ 66.326449][ T3242]  ? kthread_mod_delayed_work+0x1a0/0x1a0
[ 66.332224][ T3242]  ret_from_fork+0x24/0x30
[ 66.337815][ T3242] Kernel Offset: disabled
[ 66.342141][ T3242] Rebooting in 86400 seconds..