[ OK ] Reached target Multi-User System. [ OK ] Reached target Graphical Interface. Starting Update UTMP about System Runlevel Changes... [ OK ] Started Load/Save RF Kill Switch Status. [ OK ] Started Update UTMP about System Runlevel Changes. Debian GNU/Linux 9 syzkaller ttyS0 Warning: Permanently added '10.128.10.13' (ECDSA) to the list of known hosts. syzkaller login: [ 64.937220][ T6828] IPVS: ftp: loaded support on port[0] = 21 executing program [ 66.102278][ T6828] ================================================================== [ 66.110548][ T6828] BUG: KASAN: use-after-free in hci_chan_del+0x14f/0x190 [ 66.117582][ T6828] Read of size 8 at addr ffff8880a7f29918 by task syz-executor816/6828 [ 66.125822][ T6828] [ 66.128158][ T6828] CPU: 1 PID: 6828 Comm: syz-executor816 Not tainted 5.8.0-rc7-next-20200731-syzkaller #0 [ 66.138045][ T6828] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 66.148149][ T6828] Call Trace: [ 66.151454][ T6828] dump_stack+0x18f/0x20d [ 66.155817][ T6828] ? hci_chan_del+0x14f/0x190 [ 66.160504][ T6828] ? hci_chan_del+0x14f/0x190 [ 66.165187][ T6828] print_address_description.constprop.0.cold+0xae/0x497 [ 66.172191][ T6828] ? mutex_lock_io_nested+0xf60/0xf60 [ 66.177598][ T6828] ? lockdep_hardirqs_off+0x7e/0xb0 [ 66.182776][ T6828] ? vprintk_func+0x97/0x1a6 [ 66.187430][ T6828] ? hci_chan_del+0x14f/0x190 [ 66.192171][ T6828] ? hci_chan_del+0x14f/0x190 [ 66.196870][ T6828] kasan_report.cold+0x1f/0x37 [ 66.201617][ T6828] ? hci_chan_del+0x14f/0x190 [ 66.206271][ T6828] hci_chan_del+0x14f/0x190 [ 66.210762][ T6828] l2cap_conn_del+0x61b/0x9e0 [ 66.215422][ T6828] ? l2cap_conn_del+0x9e0/0x9e0 [ 66.220250][ T6828] l2cap_disconn_cfm+0x85/0xa0 [ 66.224991][ T6828] hci_conn_hash_flush+0x114/0x220 [ 66.230090][ T6828] hci_dev_do_close+0x5c6/0x1080 [ 66.235009][ T6828] ? hci_dev_open+0x350/0x350 [ 66.239661][ T6828] ? do_raw_read_unlock+0x70/0x70 [ 66.244662][ T6828] ? try_to_grab_pending.part.0+0x7d0/0x7d0 [ 66.250535][ T6828] hci_unregister_dev+0x1bd/0xe30 [ 66.255539][ T6828] ? fcntl_setlk+0xf60/0xf60 [ 66.260109][ T6828] ? lock_is_held_type+0xbb/0xf0 [ 66.265029][ T6828] vhci_release+0x70/0xe0 [ 66.269375][ T6828] __fput+0x285/0x920 [ 66.273337][ T6828] ? vhci_close_dev+0x50/0x50 [ 66.277991][ T6828] task_work_run+0xdd/0x190 [ 66.282474][ T6828] do_exit+0xb7d/0x29f0 [ 66.286609][ T6828] ? blkcg_maybe_throttle_current+0x617/0xf00 [ 66.292690][ T6828] ? mm_update_next_owner+0x7a0/0x7a0 [ 66.298037][ T6828] ? lock_is_held_type+0xbb/0xf0 [ 66.302954][ T6828] ? __blkcg_punt_bio_submit+0x1d0/0x1d0 [ 66.308564][ T6828] ? mem_cgroup_move_account+0xda0/0xda0 [ 66.314172][ T6828] ? lock_is_held_type+0xbb/0xf0 [ 66.319089][ T6828] do_group_exit+0x125/0x310 [ 66.323658][ T6828] __x64_sys_exit_group+0x3a/0x50 [ 66.328663][ T6828] do_syscall_64+0x2d/0x70 [ 66.333056][ T6828] entry_SYSCALL_64_after_hwframe+0x44/0xa9 [ 66.338922][ T6828] RIP: 0033:0x445058 [ 66.342792][ T6828] Code: Bad RIP value. [ 66.346830][ T6828] RSP: 002b:00007fff7c028748 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7 [ 66.355222][ T6828] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 0000000000445058 [ 66.363170][ T6828] RDX: 0000000000000001 RSI: 000000000000003c RDI: 0000000000000001 [ 66.371134][ T6828] RBP: 00000000004cce30 R08: 00000000000000e7 R09: ffffffffffffffd0 [ 66.379081][ T6828] R10: 00007f290ba65700 R11: 0000000000000246 R12: 0000000000000001 [ 66.387068][ T6828] R13: 00000000006e0200 R14: 0000000000000000 R15: 0000000000000000 [ 66.395023][ T6828] [ 66.397327][ T6828] Allocated by task 1545: [ 66.401635][ T6828] kasan_save_stack+0x1b/0x40 [ 66.406286][ T6828] __kasan_kmalloc.constprop.0+0xbf/0xd0 [ 66.411893][ T6828] kmem_cache_alloc_trace+0x16e/0x2c0 [ 66.417260][ T6828] hci_chan_create+0x9b/0x330 [ 66.421924][ T6828] l2cap_conn_add.part.0+0x1e/0xe10 [ 66.427102][ T6828] l2cap_connect_cfm+0x23b/0x1090 [ 66.432157][ T6828] le_conn_complete_evt+0x1153/0x1740 [ 66.437506][ T6828] hci_le_meta_evt+0xe55/0x3fd0 [ 66.442334][ T6828] hci_event_packet+0x2e25/0x87a8 [ 66.447331][ T6828] hci_rx_work+0x22e/0xb50 [ 66.451742][ T6828] process_one_work+0x94c/0x1670 [ 66.456672][ T6828] worker_thread+0x64c/0x1120 [ 66.461340][ T6828] kthread+0x3b5/0x4a0 [ 66.465416][ T6828] ret_from_fork+0x1f/0x30 [ 66.469916][ T6828] [ 66.472249][ T6828] Freed by task 6853: [ 66.476243][ T6828] kasan_save_stack+0x1b/0x40 [ 66.480930][ T6828] kasan_set_track+0x1c/0x30 [ 66.485513][ T6828] kasan_set_free_info+0x1b/0x30 [ 66.490433][ T6828] __kasan_slab_free+0xd8/0x120 [ 66.495262][ T6828] kfree+0x103/0x2c0 [ 66.499141][ T6828] hci_event_packet+0x3e33/0x87a8 [ 66.504156][ T6828] hci_rx_work+0x22e/0xb50 [ 66.508556][ T6828] process_one_work+0x94c/0x1670 [ 66.513475][ T6828] worker_thread+0x64c/0x1120 [ 66.518131][ T6828] kthread+0x3b5/0x4a0 [ 66.522966][ T6828] ret_from_fork+0x1f/0x30 [ 66.527357][ T6828] [ 66.529672][ T6828] The buggy address belongs to the object at ffff8880a7f29900 [ 66.529672][ T6828] which belongs to the cache kmalloc-128 of size 128 [ 66.543707][ T6828] The buggy address is located 24 bytes inside of [ 66.543707][ T6828] 128-byte region [ffff8880a7f29900, ffff8880a7f29980) [ 66.556866][ T6828] The buggy address belongs to the page: [ 66.562482][ T6828] page:000000008d4feb74 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff8880a7f29f00 pfn:0xa7f29 [ 66.573912][ T6828] flags: 0xfffe0000000200(slab) [ 66.578748][ T6828] raw: 00fffe0000000200 ffffea00024e54c8 ffffea0002922588 ffff8880aa000400 [ 66.588966][ T6828] raw: ffff8880a7f29f00 ffff8880a7f29000 0000000100000008 0000000000000000 [ 66.597528][ T6828] page dumped because: kasan: bad access detected [ 66.603918][ T6828] [ 66.606227][ T6828] Memory state around the buggy address: [ 66.612363][ T6828] ffff8880a7f29800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 66.620408][ T6828] ffff8880a7f29880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 66.628456][ T6828] >ffff8880a7f29900: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 66.636847][ T6828] ^ [ 66.641680][ T6828] ffff8880a7f29980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 66.649725][ T6828] ffff8880a7f29a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 66.657767][ T6828] ================================================================== [ 66.665898][ T6828] Disabling lock debugging due to kernel taint [ 66.677378][ T6828] Kernel panic - not syncing: panic_on_warn set ... [ 66.684011][ T6828] CPU: 1 PID: 6828 Comm: syz-executor816 Tainted: G B 5.8.0-rc7-next-20200731-syzkaller #0 [ 66.695282][ T6828] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 66.705329][ T6828] Call Trace: [ 66.708700][ T6828] dump_stack+0x18f/0x20d [ 66.713055][ T6828] ? hci_chan_del+0x140/0x190 [ 66.717743][ T6828] panic+0x2e3/0x75c [ 66.721643][ T6828] ? __warn_printk+0xf3/0xf3 [ 66.726295][ T6828] ? preempt_schedule_common+0x59/0xc0 [ 66.731746][ T6828] ? hci_chan_del+0x14f/0x190 [ 66.736939][ T6828] ? preempt_schedule_thunk+0x16/0x18 [ 66.742286][ T6828] ? trace_hardirqs_on+0x55/0x220 [ 66.747283][ T6828] ? hci_chan_del+0x14f/0x190 [ 66.751933][ T6828] ? hci_chan_del+0x14f/0x190 [ 66.756591][ T6828] end_report+0x4d/0x53 [ 66.760815][ T6828] kasan_report.cold+0xd/0x37 [ 66.765481][ T6828] ? hci_chan_del+0x14f/0x190 [ 66.770133][ T6828] hci_chan_del+0x14f/0x190 [ 66.774612][ T6828] l2cap_conn_del+0x61b/0x9e0 [ 66.779267][ T6828] ? l2cap_conn_del+0x9e0/0x9e0 [ 66.785840][ T6828] l2cap_disconn_cfm+0x85/0xa0 [ 66.790578][ T6828] hci_conn_hash_flush+0x114/0x220 [ 66.795662][ T6828] hci_dev_do_close+0x5c6/0x1080 [ 66.801010][ T6828] ? hci_dev_open+0x350/0x350 [ 66.807986][ T6828] ? do_raw_read_unlock+0x70/0x70 [ 66.813016][ T6828] ? try_to_grab_pending.part.0+0x7d0/0x7d0 [ 66.818919][ T6828] hci_unregister_dev+0x1bd/0xe30 [ 66.823923][ T6828] ? fcntl_setlk+0xf60/0xf60 [ 66.828509][ T6828] ? lock_is_held_type+0xbb/0xf0 [ 66.833425][ T6828] vhci_release+0x70/0xe0 [ 66.837730][ T6828] __fput+0x285/0x920 [ 66.841688][ T6828] ? vhci_close_dev+0x50/0x50 [ 66.846340][ T6828] task_work_run+0xdd/0x190 [ 66.850834][ T6828] do_exit+0xb7d/0x29f0 [ 66.855228][ T6828] ? blkcg_maybe_throttle_current+0x617/0xf00 [ 66.861269][ T6828] ? mm_update_next_owner+0x7a0/0x7a0 [ 66.867258][ T6828] ? lock_is_held_type+0xbb/0xf0 [ 66.872182][ T6828] ? __blkcg_punt_bio_submit+0x1d0/0x1d0 [ 66.877792][ T6828] ? mem_cgroup_move_account+0xda0/0xda0 [ 66.883410][ T6828] ? lock_is_held_type+0xbb/0xf0 [ 66.888324][ T6828] do_group_exit+0x125/0x310 [ 66.892888][ T6828] __x64_sys_exit_group+0x3a/0x50 [ 66.897882][ T6828] do_syscall_64+0x2d/0x70 [ 66.902273][ T6828] entry_SYSCALL_64_after_hwframe+0x44/0xa9 [ 66.908215][ T6828] RIP: 0033:0x445058 [ 66.912080][ T6828] Code: Bad RIP value. [ 66.916117][ T6828] RSP: 002b:00007fff7c028748 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7 [ 66.924591][ T6828] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 0000000000445058 [ 66.932653][ T6828] RDX: 0000000000000001 RSI: 000000000000003c RDI: 0000000000000001 [ 66.940604][ T6828] RBP: 00000000004cce30 R08: 00000000000000e7 R09: ffffffffffffffd0 [ 66.948554][ T6828] R10: 00007f290ba65700 R11: 0000000000000246 R12: 0000000000000001 [ 66.956500][ T6828] R13: 00000000006e0200 R14: 0000000000000000 R15: 0000000000000000 [ 66.965873][ T6828] Kernel Offset: disabled [ 66.970203][ T6828] Rebooting in 86400 seconds..