[  OK  ] Listening on Load/Save RF Kill Switch Status /dev/rfkill Watch.
[  OK  ] Started Serial Getty on ttyS0.
[  OK  ] Reached target Login Prompts.
[  OK  ] Reached target Multi-User System.
[  OK  ] Reached target Graphical Interface.
         Starting Update UTMP about System Runlevel Changes...

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.0.219' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [   47.695741][ T6855] IPVS: ftp: loaded support on port[0] = 21
[   47.769825][ T6855] ==================================================================
[   47.779133][ T6855] BUG: KASAN: use-after-free in hci_chan_del+0x33/0x130
[   47.786347][ T6855] Read of size 8 at addr ffff88809fb7b618 by task syz-executor906/6855
[   47.795024][ T6855]
[   47.797376][ T6855] CPU: 1 PID: 6855 Comm: syz-executor906 Not tainted 5.9.0-rc8-syzkaller #0
[   47.806628][ T6855] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   47.817395][ T6855] Call Trace:
[   47.821001][ T6855]  dump_stack+0x1d6/0x29e
[   47.825760][ T6855]  print_address_description+0x66/0x620
[   47.831309][ T6855]  ? printk+0x62/0x83
[   47.835556][ T6855]  ? vprintk_emit+0x2f0/0x370
[   47.840893][ T6855]  kasan_report+0x132/0x1d0
[   47.845622][ T6855]  ? hci_chan_del+0x33/0x130
[   47.850589][ T6855]  hci_chan_del+0x33/0x130
[   47.855033][ T6855]  l2cap_conn_del+0x4c2/0x650
[   47.859758][ T6855]  ? l2cap_connect_cfm+0x12b0/0x12b0
[   47.865264][ T6855]  hci_conn_hash_flush+0x127/0x200
[   47.870381][ T6855]  hci_dev_do_close+0xb7b/0x1040
[   47.875546][ T6855]  hci_unregister_dev+0x185/0x1590
[   47.881024][ T6855]  vhci_release+0x73/0xc0
[   47.885659][ T6855]  ? vhci_open+0x290/0x290
[   47.890514][ T6855]  __fput+0x34f/0x7b0
[   47.894676][ T6855]  task_work_run+0x137/0x1c0
[   47.899661][ T6855]  do_exit+0x5f3/0x1f20
[   47.904680][ T6855]  ? vfs_write+0x78e/0xd10
[   47.909105][ T6855]  do_group_exit+0x161/0x2d0
[   47.915919][ T6855]  __do_sys_exit_group+0x13/0x20
[   47.921084][ T6855]  __se_sys_exit_group+0x10/0x10
[   47.926676][ T6855]  __x64_sys_exit_group+0x37/0x40
[   47.931861][ T6855]  do_syscall_64+0x31/0x70
[   47.936458][ T6855]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[   47.943638][ T6855] RIP: 0033:0x4450c8
[   47.947650][ T6855] Code: Bad RIP value.
[   47.952157][ T6855] RSP: 002b:00007ffd25fb7f78 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[   47.961198][ T6855] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00000000004450c8
[   47.969392][ T6855] RDX: 0000000000000001 RSI: 000000000000003c RDI: 0000000000000001
[   47.978739][ T6855] RBP: 00000000004cce50 R08: 00000000000000e7 R09: ffffffffffffffd0
[   47.986851][ T6855] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001
[   47.995446][ T6855] R13: 00000000006e0200 R14: 0000000000000000 R15: 0000000000000000
[   48.004118][ T6855]
[   48.006876][ T6855] Allocated by task 6862:
[   48.011269][ T6855]  __kasan_kmalloc+0x100/0x130
[   48.016308][ T6855]  kmem_cache_alloc_trace+0x1e4/0x2e0
[   48.022047][ T6855]  hci_chan_create+0x9a/0x270
[   48.027951][ T6855]  l2cap_conn_add+0x66/0xb00
[   48.033322][ T6855]  l2cap_connect_cfm+0xdb/0x12b0
[   48.038584][ T6855]  le_conn_complete_evt+0x88d/0x1380
[   48.044703][ T6855]  hci_event_packet+0x16e3/0x17e10
[   48.050233][ T6855]  hci_rx_work+0x246/0xa20
[   48.055097][ T6855]  process_one_work+0x789/0xfc0
[   48.060470][ T6855]  worker_thread+0xaa4/0x1460
[   48.065428][ T6855]  kthread+0x37e/0x3a0
[   48.069767][ T6855]  ret_from_fork+0x1f/0x30
[   48.074987][ T6855]
[   48.077469][ T6855] Freed by task 1549:
[   48.081684][ T6855]  kasan_set_track+0x3d/0x70
[   48.086823][ T6855]  kasan_set_free_info+0x17/0x30
[   48.092547][ T6855]  __kasan_slab_free+0xdd/0x110
[   48.098113][ T6855]  kfree+0x113/0x200
[   48.102248][ T6855]  hci_event_packet+0x2018/0x17e10
[   48.107561][ T6855]  hci_rx_work+0x246/0xa20
[   48.113807][ T6855]  process_one_work+0x789/0xfc0
[   48.119250][ T6855]  worker_thread+0xaa4/0x1460
[   48.124253][ T6855]  kthread+0x37e/0x3a0
[   48.129794][ T6855]  ret_from_fork+0x1f/0x30
[   48.134200][ T6855]
[   48.136640][ T6855] The buggy address belongs to the object at ffff88809fb7b600
[   48.136640][ T6855]  which belongs to the cache kmalloc-128 of size 128
[   48.152966][ T6855] The buggy address is located 24 bytes inside of
[   48.152966][ T6855]  128-byte region [ffff88809fb7b600, ffff88809fb7b680)
[   48.168107][ T6855] The buggy address belongs to the page:
[   48.174638][ T6855] page:0000000067ff7160 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88809fb7bb00 pfn:0x9fb7b
[   48.187784][ T6855] flags: 0xfffe0000000200(slab)
[   48.192782][ T6855] raw: 00fffe0000000200 ffffea00027d9bc8 ffffea00024d5a08 ffff8880aa440400
[   48.202387][ T6855] raw: ffff88809fb7bb00 ffff88809fb7b000 000000010000000d 0000000000000000
[   48.212451][ T6855] page dumped because: kasan: bad access detected
[   48.219708][ T6855]
[   48.222190][ T6855] Memory state around the buggy address:
[   48.228286][ T6855]  ffff88809fb7b500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   48.237889][ T6855]  ffff88809fb7b580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   48.248020][ T6855] >ffff88809fb7b600: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   48.256936][ T6855]                             ^
[   48.262716][ T6855]  ffff88809fb7b680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   48.273017][ T6855]  ffff88809fb7b700: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   48.281651][ T6855] ==================================================================
[   48.290657][ T6855] Disabling lock debugging due to kernel taint
[   48.298427][ T6855] Kernel panic - not syncing: panic_on_warn set ...
[   48.305547][ T6855] CPU: 1 PID: 6855 Comm: syz-executor906 Tainted: G    B             5.9.0-rc8-syzkaller #0
[   48.315899][ T6855] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   48.326391][ T6855] Call Trace:
[   48.330128][ T6855]  dump_stack+0x1d6/0x29e
[   48.334801][ T6855]  panic+0x2c0/0x800
[   48.338852][ T6855]  ? trace_hardirqs_on+0x30/0x80
[   48.343777][ T6855]  kasan_report+0x1c9/0x1d0
[   48.348501][ T6855]  ? hci_chan_del+0x33/0x130
[   48.353413][ T6855]  hci_chan_del+0x33/0x130
[   48.357962][ T6855]  l2cap_conn_del+0x4c2/0x650
[   48.362991][ T6855]  ? l2cap_connect_cfm+0x12b0/0x12b0
[   48.368424][ T6855]  hci_conn_hash_flush+0x127/0x200
[   48.373802][ T6855]  hci_dev_do_close+0xb7b/0x1040
[   48.379164][ T6855]  hci_unregister_dev+0x185/0x1590
[   48.384807][ T6855]  vhci_release+0x73/0xc0
[   48.389545][ T6855]  ? vhci_open+0x290/0x290
[   48.394169][ T6855]  __fput+0x34f/0x7b0
[   48.398319][ T6855]  task_work_run+0x137/0x1c0
[   48.402900][ T6855]  do_exit+0x5f3/0x1f20
[   48.407138][ T6855]  ? vfs_write+0x78e/0xd10
[   48.411594][ T6855]  do_group_exit+0x161/0x2d0
[   48.416268][ T6855]  __do_sys_exit_group+0x13/0x20
[   48.421957][ T6855]  __se_sys_exit_group+0x10/0x10
[   48.427173][ T6855]  __x64_sys_exit_group+0x37/0x40
[   48.432489][ T6855]  do_syscall_64+0x31/0x70
[   48.437037][ T6855]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[   48.443141][ T6855] RIP: 0033:0x4450c8
[   48.447106][ T6855] Code: Bad RIP value.
[   48.451470][ T6855] RSP: 002b:00007ffd25fb7f78 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[   48.460394][ T6855] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00000000004450c8
[   48.468744][ T6855] RDX: 0000000000000001 RSI: 000000000000003c RDI: 0000000000000001
[   48.477434][ T6855] RBP: 00000000004cce50 R08: 00000000000000e7 R09: ffffffffffffffd0
[   48.486238][ T6855] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001
[   48.494563][ T6855] R13: 00000000006e0200 R14: 0000000000000000 R15: 0000000000000000
[   48.504396][ T6855] Kernel Offset: disabled
[   48.508814][ T6855] Rebooting in 86400 seconds..
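A fuzzing pipeline produces reports like the one above by the hundreds, and the first triage pass is mechanical: pull out the bug class, the faulting function, the access kind, size and address, the owning task, the slab cache, and then confirm that the shadow byte covering the access actually says what the headline claims. The C program below is an added example, not part of the syzkaller log and not kernel code; the struct, function names and the constructed excerpt of the report it parses are all mine. The poison values it knows are the ones from mm/kasan/kasan.h in Linux v5.9 (0xfb KASAN_KMALLOC_FREE, 0xfa KASAN_KMALLOC_FREETRACK, 0xfc KASAN_KMALLOC_REDZONE), with one shadow byte per 8-byte granule and 16 shadow bytes per "Memory state" row, which is the layout the dump above uses. For this report the access at ffff88809fb7b618 is 24 bytes into the 128-byte object, so it falls in the fourth granule of the marked row, whose shadow byte is fb: freed memory, consistent with the use-after-free verdict.

```c
/* Added example (not from the syzkaller log above, not kernel code):
 * extract triage fields from a KASAN report and cross-check the access
 * against the shadow ("Memory state") dump. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Shadow poison values from mm/kasan/kasan.h (Linux v5.9). */
#define KASAN_KMALLOC_REDZONE   0xFC   /* redzone inside a slab object */
#define KASAN_KMALLOC_FREE      0xFB   /* object was kfree()d */
#define KASAN_KMALLOC_FREETRACK 0xFA   /* freed; first granule also carries the free track */
#define KASAN_GRANULE_SIZE      8      /* one shadow byte per 8 bytes of memory */
#define SHADOW_BYTES_PER_ROW    16     /* each "Memory state" row covers 128 bytes */

struct kasan_report {
    char bug[32], func[64], access[8], task[64], cache[32];
    unsigned size, pid, obj_size;
    uint64_t addr, obj;
    int shadow;   /* shadow byte covering addr, or -1 if no dumped row covers it */
};

/* Constructed excerpt of the report above: only the lines the parser uses. */
static const char *sample[] = {
    "BUG: KASAN: use-after-free in hci_chan_del+0x33/0x130",
    "Read of size 8 at addr ffff88809fb7b618 by task syz-executor906/6855",
    "The buggy address belongs to the object at ffff88809fb7b600",
    " which belongs to the cache kmalloc-128 of size 128",
    "Memory state around the buggy address:",
    " ffff88809fb7b580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc",
    ">ffff88809fb7b600: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb",
    "                            ^",
    " ffff88809fb7b680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc",
    NULL,
};

/* One "Memory state" row (" <base>: b0 .. b15", or ">" prefix for the guilty row).
 * Records the shadow byte for r->addr if this row covers it; ignores other lines. */
static void parse_shadow_row(const char *line, struct kasan_report *r)
{
    const char *p = (*line == '>') ? line + 1 : line;
    char *end;
    uint64_t base = strtoull(p, &end, 16);
    if (end == p || *end != ':')
        return;                                   /* caret line or unrelated text */
    if (r->addr < base || r->addr >= base + SHADOW_BYTES_PER_ROW * KASAN_GRANULE_SIZE)
        return;
    unsigned idx = (unsigned)((r->addr - base) / KASAN_GRANULE_SIZE);
    p = end + 1;
    for (unsigned i = 0; i < idx; i++) {          /* skip the granules before the access */
        strtol(p, &end, 16);
        if (end == p) return;
        p = end;
    }
    long b = strtol(p, &end, 16);
    if (end != p) r->shadow = (int)b;
}

/* Returns 1 when both the BUG line and the access line were found. */
int parse_kasan_report(const char **lines, struct kasan_report *r)
{
    char acc[8], task[64];
    unsigned long long v;
    unsigned n, pid;
    int in_state = 0, have_bug = 0, have_access = 0;

    memset(r, 0, sizeof *r);
    r->shadow = -1;
    for (; *lines; lines++) {
        const char *l = *lines + strspn(*lines, " ");   /* drop indentation */
        if (sscanf(l, "BUG: KASAN: %31s in %63s", r->bug, r->func) == 2)
            have_bug = 1;
        else if (sscanf(l, "%7s of size %u at addr %llx by task %63[^/]/%u",
                        acc, &n, &v, task, &pid) == 5) {
            strcpy(r->access, acc); r->size = n; r->addr = v;
            strcpy(r->task, task); r->pid = pid; have_access = 1;
        } else if (sscanf(l, "The buggy address belongs to the object at %llx", &v) == 1)
            r->obj = v;
        else if (sscanf(l, "which belongs to the cache %31s of size %u", r->cache, &n) == 2)
            r->obj_size = n;
        else if (strncmp(l, "Memory state around", 19) == 0)
            in_state = 1;
        else if (in_state && have_access)
            parse_shadow_row(*lines, r);          /* unstripped: the '>' prefix matters */
    }
    return have_bug && have_access;
}

/* Offset of the access inside the reported object, or -1 if it lies outside it. */
long access_offset_in_object(const struct kasan_report *r)
{
    if (r->obj == 0 || r->addr < r->obj || r->addr >= r->obj + r->obj_size)
        return -1;
    return (long)(r->addr - r->obj);
}

/* Does the shadow byte at the access agree with a use-after-free verdict? */
int shadow_says_freed(const struct kasan_report *r)
{
    return r->shadow == KASAN_KMALLOC_FREE || r->shadow == KASAN_KMALLOC_FREETRACK;
}

int main(void)
{
    struct kasan_report r;
    if (!parse_kasan_report(sample, &r)) {
        fputs("could not parse report\n", stderr);
        return 1;
    }
    printf("%s in %s: %s of %u bytes at %#llx by %s/%u\n", r.bug, r.func, r.access,
           r.size, (unsigned long long)r.addr, r.task, r.pid);
    printf("offset %ld inside %u-byte %s object; shadow byte 0x%02x: %s\n",
           access_offset_in_object(&r), r.obj_size, r.cache, r.shadow,
           shadow_says_freed(&r) ? "freed memory, UAF verdict consistent"
                                 : "not freed-object poison, re-check the classification");
    return 0;
}
```

Build with `cc -Wall -o kasan_triage kasan_triage.c` and run it with no arguments; to use it on a real log, replace `sample` with the lines read from the console output (the parser tolerates the `[ ts][ Tpid]` prefix only if it is stripped first, as syzkaller's report extraction already does). The shadow cross-check is the part worth keeping: a headline of "use-after-free" over a shadow byte of fc or 00 would mean the report was mis-classified or the dump came from a different address, and that is exactly the kind of inconsistency that wastes an afternoon if it is only noticed after a patch has been written.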