Debian GNU/Linux 9 syzkaller ttyS0
Warning: Permanently added '10.128.0.177' (ECDSA) to the list of known hosts.
syzkaller login: [   64.735154][ T7142] IPVS: ftp: loaded support on port[0] = 21
[   64.737379][ T7136] IPVS: ftp: loaded support on port[0] = 21
[   64.757865][ T7144] IPVS: ftp: loaded support on port[0] = 21
[   64.760825][ T7141] IPVS: ftp: loaded support on port[0] = 21
[   64.777248][ T7139] IPVS: ftp: loaded support on port[0] = 21
[   64.796678][ T7143] IPVS: ftp: loaded support on port[0] = 21
executing program
executing program
executing program
executing program
[   65.021053][ T2880] ==================================================================
[   65.029394][ T2880] BUG: KASAN: use-after-free in l2cap_chan_close+0x763/0xb10
[   65.036787][ T2880] Read of size 1 at addr ffff8880941d6020 by task kworker/0:5/2880
[   65.044671][ T2880]
[   65.047007][ T2880] CPU: 0 PID: 2880 Comm: kworker/0:5 Not tainted 5.7.0-rc1-next-20200415-syzkaller #0
[   65.056630][ T2880] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   65.066695][ T2880] Workqueue: events do_enable_set
[   65.071881][ T2880] Call Trace:
[   65.075171][ T2880]  dump_stack+0x188/0x20d
[   65.079519][ T2880]  print_address_description.constprop.0.cold+0xd3/0x315
[   65.086633][ T2880]  ? l2cap_chan_close+0x763/0xb10
[   65.091784][ T2880]  __kasan_report.cold+0x35/0x4d
[   65.097056][ T2880]  ? l2cap_chan_close+0x763/0xb10
[   65.102438][ T2880]  ? l2cap_chan_close+0x763/0xb10
[   65.107746][ T2880]  kasan_report+0x33/0x50
[   65.112336][ T2880]  l2cap_chan_close+0x763/0xb10
[   65.117566][ T2880]  ? l2cap_send_i_or_rr_or_rnr+0x320/0x320
[   65.124067][ T2880]  do_enable_set+0x4cf/0x8e0
[   65.128803][ T2880]  ? lowpan_control_write+0x480/0x480
[   65.134427][ T2880]  ? rcu_read_lock_sched_held+0x9c/0xd0
[   65.139959][ T2880]  ? rcu_read_lock_any_held.part.0+0x50/0x50
[   65.146446][ T2880]  ? _raw_spin_unlock_irq+0x1f/0x80
[   65.151664][ T2880]  process_one_work+0x965/0x16a0
[   65.156977][ T2880]  ? lock_release+0x800/0x800
[   65.161785][ T2880]  ? pwq_dec_nr_in_flight+0x310/0x310
[   65.167328][ T2880]  ? rwlock_bug.part.0+0x90/0x90
[   65.172783][ T2880]  ? kthread_data+0x46/0xc0
[   65.177382][ T2880]  worker_thread+0x96/0xe20
[   65.182072][ T2880]  ? process_one_work+0x16a0/0x16a0
[   65.187366][ T2880]  kthread+0x388/0x470
[   65.192234][ T2880]  ? kthread_mod_delayed_work+0x1a0/0x1a0
[   65.198203][ T2880]  ret_from_fork+0x24/0x30
[   65.203503][ T2880]
[   65.205829][ T2880] Allocated by task 2828:
[   65.210229][ T2880]  save_stack+0x1b/0x40
[   65.214372][ T2880]  __kasan_kmalloc.constprop.0+0xbf/0xd0
[   65.220181][ T2880]  kmem_cache_alloc_trace+0x153/0x7d0
[   65.225801][ T2880]  l2cap_chan_create+0x40/0x3a0
[   65.230964][ T2880]  chan_create+0xc/0xd0
[   65.235294][ T2880]  do_enable_set+0x511/0x8e0
[   65.239939][ T2880]  process_one_work+0x965/0x16a0
[   65.244947][ T2880]  worker_thread+0x96/0xe20
[   65.249434][ T2880]  kthread+0x388/0x470
[   65.253754][ T2880]  ret_from_fork+0x24/0x30
[   65.258377][ T2880]
[   65.260706][ T2880] Freed by task 2828:
[   65.264770][ T2880]  save_stack+0x1b/0x40
[   65.269082][ T2880]  __kasan_slab_free+0xf7/0x140
[   65.274254][ T2880]  kfree+0x109/0x2b0
[   65.278305][ T2880]  l2cap_chan_put+0x1b2/0x230
[   65.282961][ T2880]  do_enable_set+0x4db/0x8e0
[   65.287563][ T2880]  process_one_work+0x965/0x16a0
[   65.292476][ T2880]  worker_thread+0x96/0xe20
[   65.297138][ T2880]  kthread+0x388/0x470
[   65.301187][ T2880]  ret_from_fork+0x24/0x30
[   65.305617][ T2880]
[   65.307928][ T2880] The buggy address belongs to the object at ffff8880941d6000
[   65.307928][ T2880]  which belongs to the cache kmalloc-2k of size 2048
[   65.322162][ T2880] The buggy address is located 32 bytes inside of
[   65.322162][ T2880]  2048-byte region [ffff8880941d6000, ffff8880941d6800)
[   65.335412][ T2880] The buggy address belongs to the page:
[   65.341030][ T2880] page:ffffea0002507580 refcount:1 mapcount:0 mapping:00000000464ff4e4 index:0x0
[   65.350116][ T2880] flags: 0xfffe0000000200(slab)
[   65.354972][ T2880] raw: 00fffe0000000200 ffffea0002244b48 ffffea00025a6188 ffff8880aa000e00
[   65.364325][ T2880] raw: 0000000000000000 ffff8880941d6000 0000000100000001 0000000000000000
[   65.373233][ T2880] page dumped because: kasan: bad access detected
[   65.379623][ T2880]
[   65.381945][ T2880] Memory state around the buggy address:
[   65.387568][ T2880]  ffff8880941d5f00: 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc
[   65.395611][ T2880]  ffff8880941d5f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   65.403682][ T2880] >ffff8880941d6000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   65.411807][ T2880]                                ^
executing program
executing program
executing program
executing program
executing program
[   65.417686][ T2880]  ffff8880941d6080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   65.425916][ T2880]  ffff8880941d6100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   65.434051][ T2880] ==================================================================
[   65.443247][ T2880] Disabling lock debugging due to kernel taint
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
[   65.649036][ T2880] Kernel panic - not syncing: panic_on_warn set ...
[   65.658034][ T2880] CPU: 0 PID: 2880 Comm: kworker/0:5 Tainted: G    B             5.7.0-rc1-next-20200415-syzkaller #0
[   65.670008][ T2880] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   65.680068][ T2880] Workqueue: events do_enable_set
[   65.685214][ T2880] Call Trace:
[   65.688505][ T2880]  dump_stack+0x188/0x20d
[   65.692838][ T2880]  panic+0x2e3/0x75c
[   65.696747][ T2880]  ? add_taint.cold+0x16/0x16
[   65.701432][ T2880]  ? preempt_schedule_common+0x5e/0xc0
[   65.706998][ T2880]  ? l2cap_chan_close+0x763/0xb10
[   65.712022][ T2880]  ? preempt_schedule_thunk+0x16/0x18
[   65.717392][ T2880]  ? trace_hardirqs_on+0x55/0x220
[   65.722415][ T2880]  ? l2cap_chan_close+0x763/0xb10
[   65.727440][ T2880]  end_report+0x4d/0x53
[   65.731597][ T2880]  __kasan_report.cold+0xd/0x4d
[   65.736509][ T2880]  ? l2cap_chan_close+0x763/0xb10
[   65.741541][ T2880]  ? l2cap_chan_close+0x763/0xb10
[   65.746593][ T2880]  kasan_report+0x33/0x50
[   65.750929][ T2880]  l2cap_chan_close+0x763/0xb10
[   65.755873][ T2880]  ? l2cap_send_i_or_rr_or_rnr+0x320/0x320
[   65.761687][ T2880]  do_enable_set+0x4cf/0x8e0
[   65.766741][ T2880]  ? lowpan_control_write+0x480/0x480
[   65.776317][ T2880]  ? rcu_read_lock_sched_held+0x9c/0xd0
[   65.781866][ T2880]  ? rcu_read_lock_any_held.part.0+0x50/0x50
[   65.791512][ T2880]  ? _raw_spin_unlock_irq+0x1f/0x80
[   65.796801][ T2880]  process_one_work+0x965/0x16a0
[   65.801748][ T2880]  ? lock_release+0x800/0x800
[   65.806429][ T2880]  ? pwq_dec_nr_in_flight+0x310/0x310
[   65.811804][ T2880]  ? rwlock_bug.part.0+0x90/0x90
[   65.816740][ T2880]  ? kthread_data+0x46/0xc0
[   65.822118][ T2880]  worker_thread+0x96/0xe20
[   65.826628][ T2880]  ? process_one_work+0x16a0/0x16a0
[   65.831924][ T2880]  kthread+0x388/0x470
[   65.835997][ T2880]  ? kthread_mod_delayed_work+0x1a0/0x1a0
[   65.842327][ T2880]  ret_from_fork+0x24/0x30
[   65.847971][ T2880] Kernel Offset: disabled
[   65.852313][ T2880] Rebooting in 86400 seconds..
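What the report pins down, reading the three stacks: a one-byte read at offset 0x20 into a freed kmalloc-2k object, done by l2cap_chan_close; the object was allocated by l2cap_chan_create (via chan_create) and freed by kfree inside l2cap_chan_put, and all three paths run in the same workqueue function, do_enable_set, under the same task. The script below is added here by the editor and is not part of the syzkaller log or of any kernel or syzkaller tooling. It extracts exactly those facts from a KASAN report mechanically: REPORT is an excerpt of the log above with most outer frames dropped, and parse_kasan, KasanReport, PLUMBING and the regexes are the example's own names.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Excerpt of the report above (console prefixes kept, most outer frames dropped),
# embedded so the script runs offline.
REPORT = """\
[   65.029394][ T2880] BUG: KASAN: use-after-free in l2cap_chan_close+0x763/0xb10
[   65.036787][ T2880] Read of size 1 at addr ffff8880941d6020 by task kworker/0:5/2880
[   65.071881][ T2880] Call Trace:
[   65.075171][ T2880]  dump_stack+0x188/0x20d
[   65.107746][ T2880]  kasan_report+0x33/0x50
[   65.112336][ T2880]  l2cap_chan_close+0x763/0xb10
[   65.117566][ T2880]  ? l2cap_send_i_or_rr_or_rnr+0x320/0x320
[   65.124067][ T2880]  do_enable_set+0x4cf/0x8e0
[   65.203503][ T2880]
[   65.205829][ T2880] Allocated by task 2828:
[   65.210229][ T2880]  save_stack+0x1b/0x40
[   65.220181][ T2880]  kmem_cache_alloc_trace+0x153/0x7d0
[   65.225801][ T2880]  l2cap_chan_create+0x40/0x3a0
[   65.235294][ T2880]  do_enable_set+0x511/0x8e0
[   65.258377][ T2880]
[   65.260706][ T2880] Freed by task 2828:
[   65.264770][ T2880]  save_stack+0x1b/0x40
[   65.269082][ T2880]  __kasan_slab_free+0xf7/0x140
[   65.274254][ T2880]  kfree+0x109/0x2b0
[   65.278305][ T2880]  l2cap_chan_put+0x1b2/0x230
[   65.282961][ T2880]  do_enable_set+0x4db/0x8e0
[   65.305617][ T2880]
[   65.307928][ T2880] The buggy address belongs to the object at ffff8880941d6000
[   65.307928][ T2880]  which belongs to the cache kmalloc-2k of size 2048
"""

PREFIX = re.compile(r"^\[\s*\d+\.\d+\]\[\s*T\d+\]\s?")          # "[   65.0][ T2880] "
HEADER = re.compile(r"BUG: KASAN: (?P<kind>[\w-]+) in (?P<sym>[\w.]+)\+")
ACCESS = re.compile(r"(?P<op>Read|Write) of size (?P<size>\d+) at addr (?P<addr>[0-9a-f]+) by task (?P<task>\S+)")
STACK = re.compile(r"(?P<label>Allocated|Freed) by task (?P<pid>\d+):")
OBJECT = re.compile(r"belongs to the object at (?P<base>[0-9a-f]+)")
CACHE = re.compile(r"belongs to the cache (?P<cache>\S+) of size (?P<size>\d+)")
FRAME = re.compile(r"^(?P<unreliable>\? )?(?P<sym>[\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+$")
# Frames that are KASAN/allocator plumbing rather than the code that did the access, alloc or free.
PLUMBING = ("save_stack", "__kasan_", "kasan_", "kfree", "kmem_cache_", "dump_stack")

@dataclass
class KasanReport:
    kind: str = ""
    faulting_sym: str = ""
    op: str = ""
    size: int = 0
    addr: int = 0
    object_base: int = 0
    cache: str = ""
    object_size: int = 0
    stacks: Dict[str, List[str]] = field(default_factory=dict)   # keys: "access", "Allocated", "Freed"
    stack_pids: Dict[str, int] = field(default_factory=dict)

    @property
    def offset(self) -> int:
        return self.addr - self.object_base        # byte offset of the bad access inside the slab object

    def culprit(self, which: str) -> Optional[str]:
        # First non-plumbing frame of a stack: the kernel function that actually did it.
        return next((s for s in self.stacks.get(which, []) if not s.startswith(PLUMBING)), None)

    def common_frames(self) -> List[str]:
        # Frames shared by the access, allocation and free stacks, innermost first.
        others = [set(self.stacks.get(k, [])) for k in ("Allocated", "Freed")]
        return [s for s in self.stacks.get("access", []) if all(s in o for o in others)]

def parse_kasan(text: str) -> KasanReport:
    rep, current = KasanReport(), None
    for raw in text.splitlines():
        line = PREFIX.sub("", raw).strip()
        if m := HEADER.search(line):
            rep.kind, rep.faulting_sym = m["kind"], m["sym"]
        elif m := ACCESS.search(line):
            rep.op, rep.size, rep.addr = m["op"], int(m["size"]), int(m["addr"], 16)
        elif line == "Call Trace:":
            current, rep.stacks["access"] = "access", []
        elif m := STACK.search(line):
            current = m["label"]
            rep.stacks[current], rep.stack_pids[current] = [], int(m["pid"])
        elif m := OBJECT.search(line):
            rep.object_base = int(m["base"], 16)
        elif m := CACHE.search(line):
            rep.cache, rep.object_size = m["cache"], int(m["size"])
        elif current and (m := FRAME.match(line)):
            if not m["unreliable"]:          # "? sym" entries are stale stack slots, not real callers
                rep.stacks[current].append(m["sym"])
        elif not line:                       # prefix-only blank line ends the current stack block
            current = None
    return rep

if __name__ == "__main__":
    r = parse_kasan(REPORT)
    print(f"{r.kind}: {r.op} of {r.size} byte(s) at {r.offset:#x} into a {r.cache} object by {r.culprit('access')}")
    print(f"allocated by {r.culprit('Allocated')}, freed by {r.culprit('Freed')}, shared caller {r.common_frames()[0]}")
```

The unreliable "?" frames are dropped on purpose: they are leftover values on the stack, so a "? l2cap_chan_close" below the real l2cap_chan_close frame says nothing about the call path. The same-pid check (stack_pids) and common_frames are the two things worth reading first in any use-after-free report, since a free and a use from one function on one task usually means a reference dropped too early rather than a race.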