Warning: Permanently added '10.128.0.243' (ECDSA) to the list of known hosts.
syzkaller login: [ 44.157113][ T6828] IPVS: ftp: loaded support on port[0] = 21
executing program
[ 45.308028][ T6828] ==================================================================
[ 45.316216][ T6828] BUG: KASAN: use-after-free in hci_chan_del+0x33/0x130
[ 45.323147][ T6828] Read of size 8 at addr ffff88809e4c9718 by task syz-executor294/6828
[ 45.331374][ T6828]
[ 45.333700][ T6828] CPU: 0 PID: 6828 Comm: syz-executor294 Not tainted 5.8.0-syzkaller #0
[ 45.342012][ T6828] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 45.352057][ T6828] Call Trace:
[ 45.355336][ T6828]  dump_stack+0x1f0/0x31e
[ 45.359648][ T6828]  print_address_description+0x66/0x620
[ 45.365180][ T6828]  ? printk+0x62/0x83
[ 45.369137][ T6828]  ? vprintk_emit+0x339/0x3c0
[ 45.373789][ T6828]  kasan_report+0x132/0x1d0
[ 45.378269][ T6828]  ? hci_chan_del+0x33/0x130
[ 45.382833][ T6828]  hci_chan_del+0x33/0x130
[ 45.387224][ T6828]  l2cap_conn_del+0x4c2/0x650
[ 45.391880][ T6828]  ? l2cap_connect_cfm+0x12b0/0x12b0
[ 45.397134][ T6828]  hci_conn_hash_flush+0x127/0x200
[ 45.402235][ T6828]  hci_dev_do_close+0xb7b/0x1040
[ 45.407159][ T6828]  hci_unregister_dev+0x185/0x1590
[ 45.412260][ T6828]  vhci_release+0x73/0xc0
[ 45.416564][ T6828]  ? vhci_open+0x290/0x290
[ 45.420953][ T6828]  __fput+0x34f/0x7b0
[ 45.424914][ T6828]  task_work_run+0x137/0x1c0
[ 45.429494][ T6828]  do_exit+0x5f3/0x1f20
[ 45.433628][ T6828]  ? lock_is_held_type+0xb3/0xe0
[ 45.438542][ T6828]  do_group_exit+0x161/0x2d0
[ 45.443104][ T6828]  ? syscall_enter_from_user_mode+0x24/0x190
[ 45.449060][ T6828]  __do_sys_exit_group+0x13/0x20
[ 45.453971][ T6828]  __se_sys_exit_group+0x10/0x10
[ 45.458894][ T6828]  __x64_sys_exit_group+0x37/0x40
[ 45.463894][ T6828]  do_syscall_64+0x31/0x70
[ 45.468283][ T6828]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 45.474164][ T6828] RIP: 0033:0x4450a8
[ 45.478028][ T6828] Code: Bad RIP value.
[ 45.482078][ T6828] RSP: 002b:00007ffc90294e38 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 45.490465][ T6828] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00000000004450a8
[ 45.498429][ T6828] RDX: 0000000000000001 RSI: 000000000000003c RDI: 0000000000000001
[ 45.506377][ T6828] RBP: 00000000004cce90 R08: 00000000000000e7 R09: ffffffffffffffd0
[ 45.514320][ T6828] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001
[ 45.522265][ T6828] R13: 00000000006e0200 R14: 0000000000000000 R15: 0000000000000000
[ 45.530220][ T6828]
[ 45.532521][ T6828] Allocated by task 6855:
[ 45.536825][ T6828]  __kasan_kmalloc+0x100/0x130
[ 45.541561][ T6828]  kmem_cache_alloc_trace+0x1f6/0x2f0
[ 45.546905][ T6828]  hci_chan_create+0x9a/0x270
[ 45.551553][ T6828]  l2cap_conn_add+0x66/0xb00
[ 45.556134][ T6828]  l2cap_connect_cfm+0xdb/0x12b0
[ 45.561069][ T6828]  le_conn_complete_evt+0x88d/0x1380
[ 45.566322][ T6828]  hci_event_packet+0x16e3/0x17e10
[ 45.571401][ T6828]  hci_rx_work+0x246/0xa20
[ 45.575800][ T6828]  process_one_work+0x789/0xfc0
[ 45.580636][ T6828]  worker_thread+0xaa4/0x1460
[ 45.585282][ T6828]  kthread+0x37e/0x3a0
[ 45.589342][ T6828]  ret_from_fork+0x1f/0x30
[ 45.593725][ T6828]
[ 45.596035][ T6828] Freed by task 6855:
[ 45.599988][ T6828]  kasan_set_track+0x3d/0x70
[ 45.604547][ T6828]  kasan_set_free_info+0x17/0x30
[ 45.609456][ T6828]  __kasan_slab_free+0xdd/0x110
[ 45.614285][ T6828]  kfree+0x10a/0x220
[ 45.618159][ T6828]  hci_event_packet+0x2018/0x17e10
[ 45.623286][ T6828]  hci_rx_work+0x246/0xa20
[ 45.627681][ T6828]  process_one_work+0x789/0xfc0
[ 45.632536][ T6828]  worker_thread+0xaa4/0x1460
[ 45.637194][ T6828]  kthread+0x37e/0x3a0
[ 45.641239][ T6828]  ret_from_fork+0x1f/0x30
[ 45.645625][ T6828]
[ 45.647925][ T6828] The buggy address belongs to the object at ffff88809e4c9700
[ 45.647925][ T6828]  which belongs to the cache kmalloc-128 of size 128
[ 45.661954][ T6828] The buggy address is located 24 bytes inside of
[ 45.661954][ T6828]  128-byte region [ffff88809e4c9700, ffff88809e4c9780)
[ 45.675119][ T6828] The buggy address belongs to the page:
[ 45.680743][ T6828] page:00000000d4d9700d refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88809e4c9800 pfn:0x9e4c9
[ 45.692188][ T6828] flags: 0xfffe0000000200(slab)
[ 45.697017][ T6828] raw: 00fffe0000000200 ffffea0002935c88 ffffea00027c8588 ffff8880aa440400
[ 45.705637][ T6828] raw: ffff88809e4c9800 ffff88809e4c9000 0000000100000004 0000000000000000
[ 45.715170][ T6828] page dumped because: kasan: bad access detected
[ 45.721555][ T6828]
[ 45.723857][ T6828] Memory state around the buggy address:
[ 45.729472][ T6828]  ffff88809e4c9600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 45.737505][ T6828]  ffff88809e4c9680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 45.745539][ T6828] >ffff88809e4c9700: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 45.753576][ T6828]                             ^
[ 45.758427][ T6828]  ffff88809e4c9780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 45.766486][ T6828]  ffff88809e4c9800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 45.774534][ T6828] ==================================================================
[ 45.782567][ T6828] Disabling lock debugging due to kernel taint
[ 45.790648][ T498] tipc: TX() has been purged, node left!
[ 45.796444][ T6828] Kernel panic - not syncing: panic_on_warn set ...
[ 45.803039][ T6828] CPU: 0 PID: 6828 Comm: syz-executor294 Tainted: G B 5.8.0-syzkaller #0
[ 45.812733][ T6828] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 45.822799][ T6828] Call Trace:
[ 45.826087][ T6828]  dump_stack+0x1f0/0x31e
[ 45.830410][ T6828]  panic+0x264/0x7a0
[ 45.834298][ T6828]  ? trace_hardirqs_on+0x30/0x80
[ 45.839241][ T6828]  kasan_report+0x1c9/0x1d0
[ 45.843765][ T6828]  ? hci_chan_del+0x33/0x130
[ 45.848377][ T6828]  hci_chan_del+0x33/0x130
[ 45.852817][ T6828]  l2cap_conn_del+0x4c2/0x650
[ 45.857494][ T6828]  ? l2cap_connect_cfm+0x12b0/0x12b0
[ 45.862752][ T6828]  hci_conn_hash_flush+0x127/0x200
[ 45.867832][ T6828]  hci_dev_do_close+0xb7b/0x1040
[ 45.872741][ T6828]  hci_unregister_dev+0x185/0x1590
[ 45.877839][ T6828]  vhci_release+0x73/0xc0
[ 45.882137][ T6828]  ? vhci_open+0x290/0x290
[ 45.886534][ T6828]  __fput+0x34f/0x7b0
[ 45.890492][ T6828]  task_work_run+0x137/0x1c0
[ 45.895054][ T6828]  do_exit+0x5f3/0x1f20
[ 45.899183][ T6828]  ? lock_is_held_type+0xb3/0xe0
[ 45.904110][ T6828]  do_group_exit+0x161/0x2d0
[ 45.908670][ T6828]  ? syscall_enter_from_user_mode+0x24/0x190
[ 45.914620][ T6828]  __do_sys_exit_group+0x13/0x20
[ 45.919530][ T6828]  __se_sys_exit_group+0x10/0x10
[ 45.924437][ T6828]  __x64_sys_exit_group+0x37/0x40
[ 45.929442][ T6828]  do_syscall_64+0x31/0x70
[ 45.933830][ T6828]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 45.939690][ T6828] RIP: 0033:0x4450a8
[ 45.943550][ T6828] Code: Bad RIP value.
[ 45.947583][ T6828] RSP: 002b:00007ffc90294e38 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 45.955964][ T6828] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00000000004450a8
[ 45.963918][ T6828] RDX: 0000000000000001 RSI: 000000000000003c RDI: 0000000000000001
[ 45.971874][ T6828] RBP: 00000000004cce90 R08: 00000000000000e7 R09: ffffffffffffffd0
[ 45.979834][ T6828] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001
[ 45.987777][ T6828] R13: 00000000006e0200 R14: 0000000000000000 R15: 0000000000000000
[ 45.996632][ T6828] Kernel Offset: disabled
[ 46.000955][ T6828] Rebooting in 86400 seconds..
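Triage note added by the editor (this is not part of the syzbot report above, nor of syzkaller or the kernel). When reading a KASAN report like this one, the facts worth extracting mechanically are the bug class and access type from the "BUG: KASAN:" header, the faulting frame, the allocation and free stacks, the slab cache, the offset of the access inside the object, and the shadow byte that covers the accessed address. The parser below does exactly that over an excerpt of the report printed above (timestamps and thread prefixes kept, most frames dropped for brevity) and builds the "KASAN: <bug> <Read|Write> in <function>" title that syzbot uses for its dashboard. The shadow byte legend is the generic-KASAN one from mm/kasan/kasan.h as of v5.8 (0xfa = freed object with free-track metadata in its first granule, 0xfb = freed, 0xfc = kmalloc redzone); the 128-byte row alignment and 8-byte granule are assumptions that match the layout shown in the report.

```python
"""Minimal parser for a generic-KASAN report taken from a syzbot console log."""
import re
from dataclasses import dataclass, field

# Excerpt of the report above (constructed by trimming frames, content unchanged).
REPORT = """\
[ 45.316216][ T6828] BUG: KASAN: use-after-free in hci_chan_del+0x33/0x130
[ 45.323147][ T6828] Read of size 8 at addr ffff88809e4c9718 by task syz-executor294/6828
[ 45.331374][ T6828]
[ 45.352057][ T6828] Call Trace:
[ 45.373789][ T6828]  kasan_report+0x132/0x1d0
[ 45.378269][ T6828]  ? hci_chan_del+0x33/0x130
[ 45.382833][ T6828]  hci_chan_del+0x33/0x130
[ 45.387224][ T6828]  l2cap_conn_del+0x4c2/0x650
[ 45.402235][ T6828]  hci_dev_do_close+0xb7b/0x1040
[ 45.412260][ T6828]  vhci_release+0x73/0xc0
[ 45.474164][ T6828] RIP: 0033:0x4450a8
[ 45.532521][ T6828] Allocated by task 6855:
[ 45.536825][ T6828]  __kasan_kmalloc+0x100/0x130
[ 45.541561][ T6828]  kmem_cache_alloc_trace+0x1f6/0x2f0
[ 45.546905][ T6828]  hci_chan_create+0x9a/0x270
[ 45.551553][ T6828]  l2cap_conn_add+0x66/0xb00
[ 45.593725][ T6828]
[ 45.596035][ T6828] Freed by task 6855:
[ 45.599988][ T6828]  kasan_set_track+0x3d/0x70
[ 45.609456][ T6828]  __kasan_slab_free+0xdd/0x110
[ 45.614285][ T6828]  kfree+0x10a/0x220
[ 45.618159][ T6828]  hci_event_packet+0x2018/0x17e10
[ 45.645625][ T6828]
[ 45.647925][ T6828] The buggy address belongs to the object at ffff88809e4c9700
[ 45.647925][ T6828]  which belongs to the cache kmalloc-128 of size 128
[ 45.723857][ T6828] Memory state around the buggy address:
[ 45.737505][ T6828]  ffff88809e4c9680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 45.745539][ T6828] >ffff88809e4c9700: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 45.753576][ T6828]                             ^
[ 45.758427][ T6828]  ffff88809e4c9780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
"""

PREFIX = re.compile(r"^(?:syzkaller login: )?\[\s*\d+\.\d+\]\[\s*T\d+\] ?")
FRAME = re.compile(r"^\s*(\? )?([A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+$")
SHADOW_ROW = re.compile(r"^([ >]?)([0-9a-f]{16}): ((?:[0-9a-f]{2} ?){16})\s*$")

# Generic KASAN shadow values (mm/kasan/kasan.h, v5.8); others reported as unknown.
SHADOW_LEGEND = {0x00: "addressable", 0xFA: "freed (free-track granule)",
                 0xFB: "freed", 0xFC: "kmalloc redzone",
                 0xFE: "page redzone", 0xFF: "freed page"}
GRANULE = 8        # bytes of memory covered by one shadow byte
ROW_BYTES = 16 * GRANULE  # memory covered by one printed shadow row


@dataclass
class KasanReport:
    bug: str = ""
    func: str = ""
    access: str = ""
    size: int = 0
    addr: int = 0
    task: str = ""
    object_addr: int = 0
    cache: str = ""
    trace: list = field(default_factory=list)        # '?' frames dropped
    alloc_trace: list = field(default_factory=list)
    free_trace: list = field(default_factory=list)
    shadow: dict = field(default_factory=dict)       # row address -> 16 ints

    def title(self):
        return f"KASAN: {self.bug} {self.access} in {self.func}"

    def offset_in_object(self):
        return self.addr - self.object_addr

    def shadow_at_access(self):
        """Return (value, meaning) of the shadow byte covering the faulting address."""
        row = self.addr & ~(ROW_BYTES - 1)
        value = self.shadow[row][(self.addr - row) // GRANULE]
        return value, SHADOW_LEGEND.get(value, "unknown")


def parse_kasan(text):
    r, section = KasanReport(), None
    for raw in text.splitlines():
        line = PREFIX.sub("", raw, count=1)
        if m := re.match(r"BUG: KASAN: (\S+) in ([\w.]+)\+0x", line):
            r.bug, r.func = m.group(1), m.group(2)
        elif m := re.match(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (\S+)", line):
            r.access, r.size = m.group(1), int(m.group(2))
            r.addr, r.task = int(m.group(3), 16), m.group(4)
        elif m := re.match(r"The buggy address belongs to the object at ([0-9a-f]+)", line):
            r.object_addr = int(m.group(1), 16)
        elif m := re.match(r"\s*which belongs to the cache (\S+) of size", line):
            r.cache = m.group(1)
        elif line.startswith("Call Trace:"):
            section = r.trace
        elif line.startswith("Allocated by task"):
            section = r.alloc_trace
        elif line.startswith("Freed by task"):
            section = r.free_trace
        elif (m := FRAME.match(line)) and section is not None:
            if not m.group(1):              # keep only reliable frames
                section.append(m.group(2))
        elif m := SHADOW_ROW.match(line):
            r.shadow[int(m.group(2), 16)] = [int(b, 16) for b in m.group(3).split()]
        else:
            section = None                  # any other line ends the current stack
    return r


if __name__ == "__main__":
    rep = parse_kasan(REPORT)
    print(rep.title(), "| cache", rep.cache, "| offset", rep.offset_in_object())
    print("shadow at access: 0x%02x (%s)" % rep.shadow_at_access())
    print("use:", rep.trace[1:], "\nfreed by:", rep.free_trace[2:])
```

For this report the parser yields the title "KASAN: use-after-free Read in hci_chan_del", an access 24 bytes into a kmalloc-128 object whose shadow byte is 0xfb (freed), a free stack that goes through hci_event_packet into kfree on a workqueue thread, and a use stack that runs from vhci_release through hci_dev_do_close and l2cap_conn_del into hci_chan_del on the exiting task. Those two stacks, on different tasks, are the starting point for triage; the report itself does not say which lock or lifetime rule is missing, and the parser does not guess.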