[ OK ] Started Getty on tty4.
[ OK ] Started Getty on tty3.
[ OK ] Started Getty on tty2.
[ OK ] Started Getty on tty1.
[ OK ] Started Serial Getty on ttyS0.
[ OK ] Reached target Login Prompts.
[ OK ] Reached target Multi-User System.
[ OK ] Reached target Graphical Interface.
       Starting Update UTMP about System Runlevel Changes...
[ OK ] Started Update UTMP about System Runlevel Changes.
       Starting Load/Save RF Kill Switch Status...
[ OK ] Started Load/Save RF Kill Switch Status.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.0.166' (ECDSA) to the list of known hosts.

syzkaller login: [ 57.151688][ T6838] IPVS: ftp: loaded support on port[0] = 21
executing program
[ 57.247722][ T6838] ==================================================================
[ 57.256230][ T6838] BUG: KASAN: use-after-free in hci_chan_del+0x14f/0x190
[ 57.263280][ T6838] Read of size 8 at addr ffff8880a8689f18 by task syz-executor804/6838
[ 57.271497][ T6838]
[ 57.273808][ T6838] CPU: 0 PID: 6838 Comm: syz-executor804 Not tainted 5.8.0-syzkaller #0
[ 57.282101][ T6838] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 57.292132][ T6838] Call Trace:
[ 57.295401][ T6838]  dump_stack+0x18f/0x20d
[ 57.299726][ T6838]  ? hci_chan_del+0x14f/0x190
[ 57.304393][ T6838]  ? hci_chan_del+0x14f/0x190
[ 57.309047][ T6838]  print_address_description.constprop.0.cold+0xae/0x497
[ 57.316046][ T6838]  ? mutex_lock_io_nested+0xf60/0xf60
[ 57.321394][ T6838]  ? vprintk_func+0x97/0x1a6
[ 57.325965][ T6838]  ? hci_chan_del+0x14f/0x190
[ 57.330615][ T6838]  ? hci_chan_del+0x14f/0x190
[ 57.335268][ T6838]  kasan_report.cold+0x1f/0x37
[ 57.340008][ T6838]  ? hci_chan_del+0x14f/0x190
[ 57.344661][ T6838]  hci_chan_del+0x14f/0x190
[ 57.349141][ T6838]  l2cap_conn_del+0x61b/0x9e0
[ 57.353803][ T6838]  ? l2cap_conn_del+0x9e0/0x9e0
[ 57.358626][ T6838]  l2cap_disconn_cfm+0x85/0xa0
[ 57.363368][ T6838]  hci_conn_hash_flush+0x114/0x220
[ 57.368460][ T6838]  hci_dev_do_close+0x5c6/0x1080
[ 57.373378][ T6838]  ? hci_dev_open+0x350/0x350
[ 57.378031][ T6838]  ? do_raw_read_unlock+0x70/0x70
[ 57.383046][ T6838]  ? try_to_grab_pending.part.0+0x7d0/0x7d0
[ 57.388934][ T6838]  hci_unregister_dev+0x1bd/0xe30
[ 57.393955][ T6838]  ? fcntl_setlk+0xf60/0xf60
[ 57.398521][ T6838]  ? lock_is_held_type+0xbb/0xf0
[ 57.403454][ T6838]  vhci_release+0x70/0xe0
[ 57.407759][ T6838]  __fput+0x285/0x920
[ 57.411714][ T6838]  ? vhci_close_dev+0x50/0x50
[ 57.416388][ T6838]  task_work_run+0xdd/0x190
[ 57.420870][ T6838]  do_exit+0xb7d/0x29f0
[ 57.425008][ T6838]  ? mm_update_next_owner+0x7a0/0x7a0
[ 57.430357][ T6838]  ? vfs_write+0x1b0/0x730
[ 57.434754][ T6838]  ? lock_is_held_type+0xbb/0xf0
[ 57.439687][ T6838]  do_group_exit+0x125/0x310
[ 57.444254][ T6838]  __x64_sys_exit_group+0x3a/0x50
[ 57.449252][ T6838]  do_syscall_64+0x2d/0x70
[ 57.455384][ T6838]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 57.461252][ T6838] RIP: 0033:0x445048
[ 57.465120][ T6838] Code: Bad RIP value.
[ 57.469159][ T6838] RSP: 002b:00007ffce837a708 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 57.477553][ T6838] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 0000000000445048
[ 57.485519][ T6838] RDX: 0000000000000001 RSI: 000000000000003c RDI: 0000000000000001
[ 57.493821][ T6838] RBP: 00000000004ccdb0 R08: 00000000000000e7 R09: ffffffffffffffd0
[ 57.501768][ T6838] R10: 0000000000000015 R11: 0000000000000246 R12: 0000000000000001
[ 57.509714][ T6838] R13: 00000000006e0200 R14: 0000000000000000 R15: 0000000000000000
[ 57.517669][ T6838]
[ 57.519993][ T6838] Allocated by task 1543:
[ 57.524299][ T6838]  kasan_save_stack+0x1b/0x40
[ 57.528947][ T6838]  __kasan_kmalloc.constprop.0+0xbf/0xd0
[ 57.534553][ T6838]  kmem_cache_alloc_trace+0x16e/0x2c0
[ 57.539924][ T6838]  hci_chan_create+0x9b/0x330
[ 57.544577][ T6838]  l2cap_conn_add.part.0+0x1e/0xe10
[ 57.549747][ T6838]  l2cap_connect_cfm+0x23b/0x1090
[ 57.554763][ T6838]  le_conn_complete_evt+0x1153/0x1740
[ 57.560108][ T6838]  hci_le_meta_evt+0x745/0x3ff0
[ 57.564931][ T6838]  hci_event_packet+0x2e25/0x87a8
[ 57.569930][ T6838]  hci_rx_work+0x22e/0xb50
[ 57.574326][ T6838]  process_one_work+0x94c/0x1670
[ 57.579252][ T6838]  worker_thread+0x64c/0x1120
[ 57.583922][ T6838]  kthread+0x3b5/0x4a0
[ 57.587968][ T6838]  ret_from_fork+0x1f/0x30
[ 57.592371][ T6838]
[ 57.594674][ T6838] Freed by task 6844:
[ 57.598643][ T6838]  kasan_save_stack+0x1b/0x40
[ 57.603918][ T6838]  kasan_set_track+0x1c/0x30
[ 57.608498][ T6838]  kasan_set_free_info+0x1b/0x30
[ 57.613410][ T6838]  __kasan_slab_free+0xd8/0x120
[ 57.618233][ T6838]  kfree+0x103/0x2c0
[ 57.622204][ T6838]  hci_event_packet+0x3e33/0x87a8
[ 57.627223][ T6838]  hci_rx_work+0x22e/0xb50
[ 57.631613][ T6838]  process_one_work+0x94c/0x1670
[ 57.636547][ T6838]  worker_thread+0x64c/0x1120
[ 57.641199][ T6838]  kthread+0x3b5/0x4a0
[ 57.645256][ T6838]  ret_from_fork+0x1f/0x30
[ 57.649637][ T6838]
[ 57.651978][ T6838] The buggy address belongs to the object at ffff8880a8689f00
[ 57.651978][ T6838]  which belongs to the cache kmalloc-128 of size 128
[ 57.666007][ T6838] The buggy address is located 24 bytes inside of
[ 57.666007][ T6838]  128-byte region [ffff8880a8689f00, ffff8880a8689f80)
[ 57.679223][ T6838] The buggy address belongs to the page:
[ 57.684834][ T6838] page:0000000099d4690c refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff8880a8689500 pfn:0xa8689
[ 57.696258][ T6838] flags: 0xfffe0000000200(slab)
[ 57.701085][ T6838] raw: 00fffe0000000200 ffffea00025d4f88 ffffea0002926048 ffff8880aa040400
[ 57.709656][ T6838] raw: ffff8880a8689500 ffff8880a8689000 0000000100000009 0000000000000000
[ 57.718221][ T6838] page dumped because: kasan: bad access detected
[ 57.724603][ T6838]
[ 57.726903][ T6838] Memory state around the buggy address:
[ 57.732507][ T6838]  ffff8880a8689e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 57.740550][ T6838]  ffff8880a8689e80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 57.748586][ T6838] >ffff8880a8689f00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 57.756616][ T6838]                             ^
[ 57.761546][ T6838]  ffff8880a8689f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 57.769581][ T6838]  ffff8880a868a000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 57.777622][ T6838] ==================================================================
[ 57.785830][ T6838] Disabling lock debugging due to kernel taint
[ 57.795203][ T7] tipc: TX() has been purged, node left!
[ 57.801898][ T6838] Kernel panic - not syncing: panic_on_warn set ...
[ 57.808495][ T6838] CPU: 0 PID: 6838 Comm: syz-executor804 Tainted: G B 5.8.0-syzkaller #0
[ 57.818194][ T6838] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 57.828238][ T6838] Call Trace:
[ 57.831506][ T6838]  dump_stack+0x18f/0x20d
[ 57.835808][ T6838]  ? hci_chan_del+0xa0/0x190
[ 57.840368][ T6838]  panic+0x2e3/0x75c
[ 57.844235][ T6838]  ? __warn_printk+0xf3/0xf3
[ 57.849231][ T6838]  ? preempt_schedule_common+0x59/0xc0
[ 57.854672][ T6838]  ? hci_chan_del+0x14f/0x190
[ 57.859319][ T6838]  ? preempt_schedule_thunk+0x16/0x18
[ 57.864661][ T6838]  ? trace_hardirqs_on+0x55/0x220
[ 57.869654][ T6838]  ? hci_chan_del+0x14f/0x190
[ 57.874297][ T6838]  ? hci_chan_del+0x14f/0x190
[ 57.878956][ T6838]  end_report+0x4d/0x53
[ 57.883171][ T6838]  kasan_report.cold+0xd/0x37
[ 57.887820][ T6838]  ? hci_chan_del+0x14f/0x190
[ 57.892469][ T6838]  hci_chan_del+0x14f/0x190
[ 57.896962][ T6838]  l2cap_conn_del+0x61b/0x9e0
[ 57.901619][ T6838]  ? l2cap_conn_del+0x9e0/0x9e0
[ 57.906440][ T6838]  l2cap_disconn_cfm+0x85/0xa0
[ 57.911176][ T6838]  hci_conn_hash_flush+0x114/0x220
[ 57.918875][ T6838]  hci_dev_do_close+0x5c6/0x1080
[ 57.923798][ T6838]  ? hci_dev_open+0x350/0x350
[ 57.928448][ T6838]  ? do_raw_read_unlock+0x70/0x70
[ 57.933459][ T6838]  ? try_to_grab_pending.part.0+0x7d0/0x7d0
[ 57.939325][ T6838]  hci_unregister_dev+0x1bd/0xe30
[ 57.944339][ T6838]  ? fcntl_setlk+0xf60/0xf60
[ 57.948900][ T6838]  ? lock_is_held_type+0xbb/0xf0
[ 57.953810][ T6838]  vhci_release+0x70/0xe0
[ 57.958122][ T6838]  __fput+0x285/0x920
[ 57.962088][ T6838]  ? vhci_close_dev+0x50/0x50
[ 57.966784][ T6838]  task_work_run+0xdd/0x190
[ 57.971258][ T6838]  do_exit+0xb7d/0x29f0
[ 57.975405][ T6838]  ? mm_update_next_owner+0x7a0/0x7a0
[ 57.980746][ T6838]  ? vfs_write+0x1b0/0x730
[ 57.985140][ T6838]  ? lock_is_held_type+0xbb/0xf0
[ 57.990049][ T6838]  do_group_exit+0x125/0x310
[ 57.994699][ T6838]  __x64_sys_exit_group+0x3a/0x50
[ 57.999693][ T6838]  do_syscall_64+0x2d/0x70
[ 58.004082][ T6838]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 58.009954][ T6838] RIP: 0033:0x445048
[ 58.014421][ T6838] Code: Bad RIP value.
[ 58.019325][ T6838] RSP: 002b:00007ffce837a708 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 58.027879][ T6838] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 0000000000445048
[ 58.035824][ T6838] RDX: 0000000000000001 RSI: 000000000000003c RDI: 0000000000000001
[ 58.044557][ T6838] RBP: 00000000004ccdb0 R08: 00000000000000e7 R09: ffffffffffffffd0
[ 58.052535][ T6838] R10: 0000000000000015 R11: 0000000000000246 R12: 0000000000000001
[ 58.060478][ T6838] R13: 00000000006e0200 R14: 0000000000000000 R15: 0000000000000000
[ 58.069979][ T6838] Kernel Offset: disabled
[ 58.074305][ T6838] Rebooting in 86400 seconds..