Warning: Permanently added '10.128.0.115' (ECDSA) to the list of known hosts.
syzkaller login: [   63.054025][ T6839] IPVS: ftp: loaded support on port[0] = 21
executing program
[   64.542451][  T910] tipc: TX() has been purged, node left!
[   64.554852][ T6871] ==================================================================
[   64.563098][ T6871] BUG: KASAN: use-after-free in sco_chan_del+0xe6/0x430
[   64.570052][ T6871] Write of size 4 at addr ffff888094c32010 by task syz-executor757/6871
[   64.578383][ T6871] 
[   64.580760][ T6871] CPU: 0 PID: 6871 Comm: syz-executor757 Not tainted 5.8.0-rc7-next-20200731-syzkaller #0
[   64.591305][ T6871] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   64.602586][ T6871] Call Trace:
[   64.605868][ T6871]  dump_stack+0x18f/0x20d
[   64.610195][ T6871]  ? sco_chan_del+0xe6/0x430
[   64.615122][ T6871]  ? sco_chan_del+0xe6/0x430
[   64.619821][ T6871]  print_address_description.constprop.0.cold+0xae/0x497
[   64.626872][ T6871]  ? sco_chan_del+0xab/0x430
[   64.631679][ T6871]  ? lockdep_hardirqs_off+0x7e/0xb0
[   64.636894][ T6871]  ? vprintk_func+0x97/0x1a6
[   64.641494][ T6871]  ? sco_chan_del+0xe6/0x430
[   64.646073][ T6871]  ? sco_chan_del+0xe6/0x430
[   64.650650][ T6871]  kasan_report.cold+0x1f/0x37
[   64.655409][ T6871]  ? sco_chan_del+0xe6/0x430
[   64.659999][ T6871]  check_memory_region+0x13d/0x180
[   64.665214][ T6871]  sco_chan_del+0xe6/0x430
[   64.669832][ T6871]  __sco_sock_close+0x16e/0x5b0
[   64.674691][ T6871]  sco_sock_release+0x69/0x290
[   64.679627][ T6871]  __sock_release+0xcd/0x280
[   64.685092][ T6871]  sock_close+0x18/0x20
[   64.689242][ T6871]  __fput+0x285/0x920
[   64.693233][ T6871]  ? __sock_release+0x280/0x280
[   64.698818][ T6871]  task_work_run+0xdd/0x190
[   64.703325][ T6871]  do_exit+0xb7d/0x29f0
[   64.707603][ T6871]  ? lock_acquire+0x1f1/0xad0
[   64.712537][ T6871]  ? find_held_lock+0x2d/0x110
[   64.717336][ T6871]  ? mm_update_next_owner+0x7a0/0x7a0
[   64.722689][ T6871]  ? get_signal+0x332/0x1ee0
[   64.727274][ T6871]  ? lock_downgrade+0x830/0x830
[   64.732124][ T6871]  ? lock_is_held_type+0xbb/0xf0
[   64.737053][ T6871]  do_group_exit+0x125/0x310
[   64.741722][ T6871]  get_signal+0x40b/0x1ee0
[   64.746139][ T6871]  ? find_held_lock+0x2d/0x110
[   64.750926][ T6871]  ? __schedule+0x88e/0x21e0
[   64.755603][ T6871]  ? lockdep_hardirqs_on_prepare+0x354/0x530
[   64.761589][ T6871]  arch_do_signal+0x82/0x2520
[   64.766254][ T6871]  ? finish_task_switch+0x1dc/0x750
[   64.771430][ T6871]  ? __switch_to+0x425/0xfe0
[   64.777228][ T6871]  ? lock_is_held_type+0xbb/0xf0
[   64.782166][ T6871]  ? copy_siginfo_to_user32+0xa0/0xa0
[   64.787537][ T6871]  ? __x64_sys_futex+0x382/0x4e0
[   64.792467][ T6871]  ? fput_many+0x2f/0x1a0
[   64.796783][ T6871]  ? exit_to_user_mode_prepare+0xb9/0x1c0
[   64.802963][ T6871]  ? lockdep_hardirqs_on_prepare+0x354/0x530
[   64.808951][ T6871]  exit_to_user_mode_prepare+0x15d/0x1c0
[   64.814754][ T6871]  syscall_exit_to_user_mode+0x59/0x2b0
[   64.820286][ T6871]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[   64.826214][ T6871] RIP: 0033:0x4468d9
[   64.830102][ T6871] Code: Bad RIP value.
[   64.834149][ T6871] RSP: 002b:00007f34c957edb8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
[   64.842890][ T6871] RAX: fffffffffffffe00 RBX: 00000000006dbc38 RCX: 00000000004468d9
[   64.850841][ T6871] RDX: 0000000000000000 RSI: 0000000000000080 RDI: 00000000006dbc38
[   64.858811][ T6871] RBP: 00000000006dbc30 R08: 0000000000000000 R09: 0000000000000000
[   64.866851][ T6871] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dbc3c
[   64.874824][ T6871] R13: 00007ffc7406a40f R14: 00007f34c957f9c0 R15: 00000000006dbc3c
[   64.882799][ T6871] 
[   64.885106][ T6871] Allocated by task 6868:
[   64.889436][ T6871]  kasan_save_stack+0x1b/0x40
[   64.894103][ T6871]  __kasan_kmalloc.constprop.0+0xbf/0xd0
[   64.899721][ T6871]  kmem_cache_alloc_trace+0x16e/0x2c0
[   64.905185][ T6871]  hci_conn_add+0x53/0x1330
[   64.909821][ T6871]  hci_connect_sco+0x356/0x860
[   64.914730][ T6871]  sco_sock_connect+0x308/0x980
[   64.920536][ T6871]  __sys_connect_file+0x155/0x1a0
[   64.925545][ T6871]  __sys_connect+0x160/0x190
[   64.930115][ T6871]  __x64_sys_connect+0x6f/0xb0
[   64.935245][ T6871]  do_syscall_64+0x2d/0x70
[   64.940259][ T6871]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[   64.946219][ T6871] 
[   64.948535][ T6871] Freed by task 1541:
[   64.952703][ T6871]  kasan_save_stack+0x1b/0x40
[   64.957362][ T6871]  kasan_set_track+0x1c/0x30
[   64.961944][ T6871]  kasan_set_free_info+0x1b/0x30
[   64.969264][ T6871]  __kasan_slab_free+0xd8/0x120
[   64.974212][ T6871]  kfree+0x103/0x2c0
[   64.978188][ T6871]  device_release+0x71/0x200
[   64.982778][ T6871]  kobject_put+0x171/0x270
[   64.987297][ T6871]  put_device+0x1b/0x30
[   64.991454][ T6871]  hci_conn_del+0x27e/0x6a0
[   64.995973][ T6871]  hci_phy_link_complete_evt.isra.0+0x508/0x790
[   65.002214][ T6871]  hci_event_packet+0x4696/0x87a8
[   65.007492][ T6871]  hci_rx_work+0x22e/0xb50
[   65.011898][ T6871]  process_one_work+0x94c/0x1670
[   65.016842][ T6871]  worker_thread+0x64c/0x1120
[   65.021774][ T6871]  kthread+0x3b5/0x4a0
[   65.025829][ T6871]  ret_from_fork+0x1f/0x30
[   65.030344][ T6871] 
[   65.032673][ T6871] The buggy address belongs to the object at ffff888094c32000
[   65.032673][ T6871]  which belongs to the cache kmalloc-4k of size 4096
[   65.046732][ T6871] The buggy address is located 16 bytes inside of
[   65.046732][ T6871]  4096-byte region [ffff888094c32000, ffff888094c33000)
[   65.060887][ T6871] The buggy address belongs to the page:
[   65.066526][ T6871] page:000000004bdf02e6 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x94c32
[   65.077141][ T6871] head:000000004bdf02e6 order:1 compound_mapcount:0
[   65.083716][ T6871] flags: 0xfffe0000010200(slab|head)
[   65.089001][ T6871] raw: 00fffe0000010200 ffffea00025a6988 ffffea0002593088 ffff8880aa000900
[   65.097577][ T6871] raw: 0000000000000000 ffff888094c32000 0000000100000001 0000000000000000
[   65.106225][ T6871] page dumped because: kasan: bad access detected
[   65.112731][ T6871] 
[   65.115073][ T6871] Memory state around the buggy address:
[   65.120720][ T6871]  ffff888094c31f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   65.128778][ T6871]  ffff888094c31f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   65.136832][ T6871] >ffff888094c32000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   65.144869][ T6871]                          ^
[   65.149479][ T6871]  ffff888094c32080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   65.157528][ T6871]  ffff888094c32100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   65.165566][ T6871] ==================================================================
[   65.173611][ T6871] Disabling lock debugging due to kernel taint
[   65.180252][ T6871] Kernel panic - not syncing: panic_on_warn set ...
[   65.187126][ T6871] CPU: 0 PID: 6871 Comm: syz-executor757 Tainted: G    B             5.8.0-rc7-next-20200731-syzkaller #0
[   65.198405][ T6871] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   65.208477][ T6871] Call Trace:
[   65.211803][ T6871]  dump_stack+0x18f/0x20d
[   65.216239][ T6871]  ? sco_chan_del+0x20/0x430
[   65.221888][ T6871]  panic+0x2e3/0x75c
[   65.226695][ T6871]  ? __warn_printk+0xf3/0xf3
[   65.231384][ T6871]  ? preempt_schedule_common+0x59/0xc0
[   65.236977][ T6871]  ? sco_chan_del+0xe6/0x430
[   65.242078][ T6871]  ? preempt_schedule_thunk+0x16/0x18
[   65.247559][ T6871]  ? trace_hardirqs_on+0x55/0x220
[   65.252659][ T6871]  ? sco_chan_del+0xe6/0x430
[   65.257246][ T6871]  ? sco_chan_del+0xe6/0x430
[   65.261829][ T6871]  end_report+0x4d/0x53
[   65.265980][ T6871]  kasan_report.cold+0xd/0x37
[   65.270709][ T6871]  ? sco_chan_del+0xe6/0x430
[   65.275297][ T6871]  check_memory_region+0x13d/0x180
[   65.280423][ T6871]  sco_chan_del+0xe6/0x430
[   65.284826][ T6871]  __sco_sock_close+0x16e/0x5b0
[   65.289666][ T6871]  sco_sock_release+0x69/0x290
[   65.294408][ T6871]  __sock_release+0xcd/0x280
[   65.298984][ T6871]  sock_close+0x18/0x20
[   65.303135][ T6871]  __fput+0x285/0x920
[   65.307156][ T6871]  ? __sock_release+0x280/0x280
[   65.312003][ T6871]  task_work_run+0xdd/0x190
[   65.316506][ T6871]  do_exit+0xb7d/0x29f0
[   65.320651][ T6871]  ? lock_acquire+0x1f1/0xad0
[   65.325410][ T6871]  ? find_held_lock+0x2d/0x110
[   65.330237][ T6871]  ? mm_update_next_owner+0x7a0/0x7a0
[   65.335971][ T6871]  ? get_signal+0x332/0x1ee0
[   65.340542][ T6871]  ? lock_downgrade+0x830/0x830
[   65.345380][ T6871]  ? lock_is_held_type+0xbb/0xf0
[   65.350304][ T6871]  do_group_exit+0x125/0x310
[   65.354877][ T6871]  get_signal+0x40b/0x1ee0
[   65.359272][ T6871]  ? find_held_lock+0x2d/0x110
[   65.364012][ T6871]  ? __schedule+0x88e/0x21e0
[   65.368708][ T6871]  ? lockdep_hardirqs_on_prepare+0x354/0x530
[   65.374668][ T6871]  arch_do_signal+0x82/0x2520
[   65.379323][ T6871]  ? finish_task_switch+0x1dc/0x750
[   65.384504][ T6871]  ? __switch_to+0x425/0xfe0
[   65.389248][ T6871]  ? lock_is_held_type+0xbb/0xf0
[   65.394167][ T6871]  ? copy_siginfo_to_user32+0xa0/0xa0
[   65.399519][ T6871]  ? __x64_sys_futex+0x382/0x4e0
[   65.404456][ T6871]  ? fput_many+0x2f/0x1a0
[   65.408776][ T6871]  ? exit_to_user_mode_prepare+0xb9/0x1c0
[   65.414488][ T6871]  ? lockdep_hardirqs_on_prepare+0x354/0x530
[   65.420466][ T6871]  exit_to_user_mode_prepare+0x15d/0x1c0
[   65.426102][ T6871]  syscall_exit_to_user_mode+0x59/0x2b0
[   65.431641][ T6871]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[   65.437508][ T6871] RIP: 0033:0x4468d9
[   65.441371][ T6871] Code: Bad RIP value.
[   65.445416][ T6871] RSP: 002b:00007f34c957edb8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
[   65.453986][ T6871] RAX: fffffffffffffe00 RBX: 00000000006dbc38 RCX: 00000000004468d9
[   65.461959][ T6871] RDX: 0000000000000000 RSI: 0000000000000080 RDI: 00000000006dbc38
[   65.470019][ T6871] RBP: 00000000006dbc30 R08: 0000000000000000 R09: 0000000000000000
[   65.478295][ T6871] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dbc3c
[   65.486259][ T6871] R13: 00007ffc7406a40f R14: 00007f34c957f9c0 R15: 00000000006dbc3c
[   65.495638][ T6871] Kernel Offset: disabled
[   65.500323][ T6871] Rebooting in 86400 seconds..