[ OK ] Reached target Login Prompts.
[ OK ] Reached target Multi-User System.
[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
[ OK ] Started Update UTMP about System Runlevel Changes.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.0.111' (ECDSA) to the list of known hosts.
syzkaller login: [ 49.122005][ T8232] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[ 49.135259][ T8232] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50
[ 49.143759][ T4624] IPv6: ADDRCONF(NETDEV_CHANGE): wlan0: link becomes ready
executing program
[ 49.175035][ T8232] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[ 49.182928][ T8232] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50
[ 49.191936][ T4624] IPv6: ADDRCONF(NETDEV_CHANGE): wlan1: link becomes ready
[ 49.232031][ T2026] Bluetooth: hci1: Received unexpected HCI Event 00000000
[ 51.015119][ T4624] Bluetooth: hci0: command 0x0409 tx timeout
[ 51.254431][ T4624] Bluetooth: hci1: command 0x1003 tx timeout
[ 51.260916][ T2026] Bluetooth: hci1: sending frame failed (-49)
[ 53.094252][ T4624] Bluetooth: hci0: command 0x041b tx timeout
[ 53.334213][ T4624] Bluetooth: hci1: command 0x1001 tx timeout
[ 53.340261][ T2026] Bluetooth: hci1: sending frame failed (-49)
[ 55.184295][ T4624] Bluetooth: hci0: command 0x040f tx timeout
[ 55.414001][ T4624] Bluetooth: hci1: command 0x1009 tx timeout
[ 57.253919][ T4624] Bluetooth: hci0: command 0x0419 tx timeout
executing program
[ 59.553017][ T2026] Bluetooth: hci1: sending frame failed (-49)
[ 59.559966][ T2026] Bluetooth: hci1: Received unexpected HCI Event 00000000
[ 61.583614][ T20] Bluetooth: hci1: command 0x1003 tx timeout
[ 61.589808][ T2026] Bluetooth: hci1: sending frame failed (-49)
[ 63.653452][ T20] Bluetooth: hci1: command 0x1001 tx timeout
[ 63.659565][ T2026] Bluetooth: hci1: sending frame failed (-49)
[ 65.733390][ T20] Bluetooth: hci1: command 0x1009 tx timeout
executing program
[ 69.762184][ T2026] Bluetooth: hci1: Received unexpected HCI Event 00000000
[ 69.762514][ T8232] Bluetooth: hci1: Frame reassembly failed (-84)
[ 69.769586][ T2026] ==================================================================
[ 69.784058][ T2026] BUG: KASAN: use-after-free in skb_dequeue+0x90/0x140
[ 69.790880][ T8232] Bluetooth: hci1: Frame reassembly failed (-84)
[ 69.790916][ T2026] Read of size 8 at addr ffff888025f8c3c0 by task kworker/u5:0/2026
[ 69.805183][ T2026]
[ 69.807507][ T2026] CPU: 1 PID: 2026 Comm: kworker/u5:0 Not tainted 5.14.0-rc6-syzkaller #0
[ 69.816005][ T2026] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 69.826058][ T2026] Workqueue: hci1 hci_rx_work
[ 69.830748][ T2026] Call Trace:
[ 69.834031][ T2026] dump_stack_lvl+0x1ae/0x29f
[ 69.838719][ T2026] ? show_regs_print_info+0x12/0x12
[ 69.843923][ T2026] ? printk+0xc0/0x108
[ 69.848000][ T2026] ? wake_up_klogd+0xb2/0xf0
[ 69.852598][ T2026] ? log_buf_vmcoreinfo_setup+0x498/0x498
[ 69.858322][ T2026] ? _raw_spin_lock_irqsave+0xbf/0x100
[ 69.863808][ T2026] print_address_description+0x66/0x3b0
[ 69.869367][ T2026] kasan_report+0x163/0x210
[ 69.873879][ T2026] ? skb_dequeue+0x90/0x140
[ 69.878395][ T2026] skb_dequeue+0x90/0x140
[ 69.882737][ T2026] hci_rx_work+0x2e0/0x410
[ 69.887177][ T2026] process_one_work+0x833/0x10c0
[ 69.892138][ T2026] ? worker_detach_from_pool+0x260/0x260
[ 69.897789][ T2026] ? _raw_spin_lock_irqsave+0x100/0x100
[ 69.903378][ T2026] ? kthread_data+0x4d/0xc0
[ 69.907867][ T2026] ? wq_worker_running+0x8b/0x140
[ 69.912876][ T2026] worker_thread+0xac1/0x1320
[ 69.917569][ T2026] kthread+0x453/0x480
[ 69.921622][ T2026] ? rcu_lock_release+0x20/0x20
[ 69.926452][ T2026] ? kthread_blkcg+0xd0/0xd0
[ 69.931035][ T2026] ret_from_fork+0x1f/0x30
[ 69.935449][ T2026]
[ 69.937756][ T2026] Allocated by task 8513:
[ 69.942071][ T2026] __kasan_slab_alloc+0x96/0xd0
[ 69.946911][ T2026] kmem_cache_alloc_node+0x200/0x370
[ 69.952208][ T2026] __alloc_skb+0xd8/0x580
[ 69.956523][ T2026] h4_recv_buf+0x274/0xd50
[ 69.960924][ T2026] h4_recv+0xf4/0x1b0
[ 69.964897][ T2026] hci_uart_tty_receive+0x1d2/0x4a0
[ 69.970077][ T2026] tty_ioctl+0xde5/0x1720
[ 69.974388][ T2026] __se_sys_ioctl+0xfb/0x170
[ 69.978954][ T2026] do_syscall_64+0x3d/0xb0
[ 69.983347][ T2026] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 69.989233][ T2026]
[ 69.991539][ T2026] Freed by task 2026:
[ 69.995506][ T2026] kasan_set_track+0x3d/0x70
[ 70.000077][ T2026] kasan_set_free_info+0x1f/0x40
[ 70.004995][ T2026] ____kasan_slab_free+0x109/0x150
[ 70.010097][ T2026] slab_free_freelist_hook+0x1d8/0x290
[ 70.015537][ T2026] kmem_cache_free+0x85/0x170
[ 70.020189][ T2026] hci_event_packet+0x1238/0x1bd0
[ 70.025194][ T2026] hci_rx_work+0x229/0x410
[ 70.029602][ T2026] process_one_work+0x833/0x10c0
[ 70.034529][ T2026] worker_thread+0xac1/0x1320
[ 70.039183][ T2026] kthread+0x453/0x480
[ 70.043228][ T2026] ret_from_fork+0x1f/0x30
[ 70.047621][ T2026]
[ 70.049923][ T2026] The buggy address belongs to the object at ffff888025f8c3c0
[ 70.049923][ T2026] which belongs to the cache skbuff_head_cache of size 232
[ 70.064472][ T2026] The buggy address is located 0 bytes inside of
[ 70.064472][ T2026] 232-byte region [ffff888025f8c3c0, ffff888025f8c4a8)
[ 70.077551][ T2026] The buggy address belongs to the page:
[ 70.083161][ T2026] page:ffffea000097e300 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff888025f8cc80 pfn:0x25f8c
[ 70.094596][ T2026] flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff)
[ 70.102124][ T2026] raw: 00fff00000000200 ffffea0000aa2380 0000000400000004 ffff8880122e9b40
[ 70.110682][ T2026] raw: ffff888025f8cc80 00000000800c0008 00000001ffffffff 0000000000000000
[ 70.119235][ T2026] page dumped because: kasan: bad access detected
[ 70.125623][ T2026] page_owner tracks the page as allocated
[ 70.131311][ T2026] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY), pid 1, ts 16939168005, free_ts 16936927313
[ 70.147088][ T2026] get_page_from_freelist+0x779/0xa30
[ 70.152456][ T2026] __alloc_pages+0x26c/0x5f0
[ 70.157030][ T2026] allocate_slab+0xf1/0x540
[ 70.161527][ T2026] ___slab