[ OK ] Reached target Multi-User System.
[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
[ OK ] Started Update UTMP about System Runlevel Changes.
Starting Load/Save RF Kill Switch Status...

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.0.38' (ECDSA) to the list of known hosts.

syzkaller login: [ 63.377218][ T6827] IPVS: ftp: loaded support on port[0] = 21
executing program
[ 64.598036][ T7] tipc: TX() has been purged, node left!
[ 64.604359][ T6827] ==================================================================
[ 64.612586][ T6827] BUG: KASAN: use-after-free in hci_chan_del+0x14f/0x190
[ 64.619625][ T6827] Read of size 8 at addr ffff8880a7bfae18 by task syz-executor499/6827
[ 64.627875][ T6827]
[ 64.630228][ T6827] CPU: 0 PID: 6827 Comm: syz-executor499 Not tainted 5.8.0-next-20200810-syzkaller #0
[ 64.639781][ T6827] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 64.649852][ T6827] Call Trace:
[ 64.653346][ T6827]  dump_stack+0x18f/0x20d
[ 64.657680][ T6827]  ? hci_chan_del+0x14f/0x190
[ 64.662359][ T6827]  ? hci_chan_del+0x14f/0x190
[ 64.667055][ T6827]  print_address_description.constprop.0.cold+0xae/0x497
[ 64.674106][ T6827]  ? mutex_lock_io_nested+0xf60/0xf60
[ 64.679505][ T6827]  ? vprintk_func+0x97/0x1a6
[ 64.684121][ T6827]  ? hci_chan_del+0x14f/0x190
[ 64.688809][ T6827]  ? hci_chan_del+0x14f/0x190
[ 64.693497][ T6827]  kasan_report.cold+0x1f/0x37
[ 64.698456][ T6827]  ? hci_chan_del+0x14f/0x190
[ 64.703145][ T6827]  hci_chan_del+0x14f/0x190
[ 64.707664][ T6827]  l2cap_conn_del+0x61b/0x9e0
[ 64.712377][ T6827]  ? l2cap_conn_del+0x9e0/0x9e0
[ 64.717244][ T6827]  l2cap_disconn_cfm+0x85/0xa0
[ 64.722016][ T6827]  hci_conn_hash_flush+0x114/0x220
[ 64.727130][ T6827]  hci_dev_do_close+0x5c6/0x1080
[ 64.732077][ T6827]  ? hci_dev_open+0x350/0x350
[ 64.736746][ T6827]  ? do_raw_read_unlock+0x70/0x70
[ 64.741767][ T6827]  ? try_to_grab_pending.part.0+0x7d0/0x7d0
[ 64.747677][ T6827]  hci_unregister_dev+0x1bd/0xe30
[ 64.752703][ T6827]  ? fcntl_setlk+0xf60/0xf60
[ 64.757286][ T6827]  ? lock_is_held_type+0xbb/0xf0
[ 64.762246][ T6827]  vhci_release+0x70/0xe0
[ 64.766588][ T6827]  __fput+0x285/0x920
[ 64.770567][ T6827]  ? vhci_close_dev+0x50/0x50
[ 64.775257][ T6827]  task_work_run+0xdd/0x190
[ 64.779776][ T6827]  do_exit+0xb7d/0x29f0
[ 64.783944][ T6827]  ? __schedule+0x8ed/0x21e0
[ 64.788535][ T6827]  ? mm_update_next_owner+0x7a0/0x7a0
[ 64.793906][ T6827]  ? io_schedule_timeout+0x140/0x140
[ 64.799212][ T6827]  ? lock_is_held_type+0xbb/0xf0
[ 64.804175][ T6827]  do_group_exit+0x125/0x310
[ 64.808783][ T6827]  __x64_sys_exit_group+0x3a/0x50
[ 64.813806][ T6827]  do_syscall_64+0x2d/0x70
[ 64.818222][ T6827]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 64.824110][ T6827] RIP: 0033:0x445028
[ 64.827991][ T6827] Code: Bad RIP value.
[ 64.832066][ T6827] RSP: 002b:00007ffef77fc8c8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 64.840478][ T6827] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 0000000000445028
[ 64.848445][ T6827] RDX: 0000000000000001 RSI: 000000000000003c RDI: 0000000000000001
[ 64.856510][ T6827] RBP: 00000000004cce10 R08: 00000000000000e7 R09: ffffffffffffffd0
[ 64.864479][ T6827] R10: 00007f768f3699d0 R11: 0000000000000246 R12: 0000000000000001
[ 64.872445][ T6827] R13: 00000000006e0200 R14: 0000000000e24850 R15: 0000000000000001
[ 64.880430][ T6827]
[ 64.882774][ T6827] Allocated by task 6853:
[ 64.887107][ T6827]  kasan_save_stack+0x1b/0x40
[ 64.891780][ T6827]  __kasan_kmalloc.constprop.0+0xbf/0xd0
[ 64.897413][ T6827]  kmem_cache_alloc_trace+0x16e/0x2c0
[ 64.902785][ T6827]  hci_chan_create+0x9b/0x330
[ 64.908170][ T6827]  l2cap_conn_add.part.0+0x1e/0xe10
[ 64.913369][ T6827]  l2cap_connect_cfm+0x23b/0x1090
[ 64.918415][ T6827]  le_conn_complete_evt+0x1153/0x1740
[ 64.923795][ T6827]  hci_le_meta_evt+0x745/0x3ff0
[ 64.928657][ T6827]  hci_event_packet+0x2e25/0x87a8
[ 64.933700][ T6827]  hci_rx_work+0x22e/0xb50
[ 64.938144][ T6827]  process_one_work+0x94c/0x1670
[ 64.943102][ T6827]  worker_thread+0x64c/0x1120
[ 64.947784][ T6827]  kthread+0x3b5/0x4a0
[ 64.951879][ T6827]  ret_from_fork+0x1f/0x30
[ 64.956298][ T6827]
[ 64.958634][ T6827] Freed by task 1546:
[ 64.962628][ T6827]  kasan_save_stack+0x1b/0x40
[ 64.967304][ T6827]  kasan_set_track+0x1c/0x30
[ 64.971913][ T6827]  kasan_set_free_info+0x1b/0x30
[ 64.976864][ T6827]  __kasan_slab_free+0xd8/0x120
[ 64.981728][ T6827]  kfree+0x103/0x2c0
[ 64.985638][ T6827]  hci_event_packet+0x3e33/0x87a8
[ 64.990682][ T6827]  hci_rx_work+0x22e/0xb50
[ 64.995112][ T6827]  process_one_work+0x94c/0x1670
[ 65.000060][ T6827]  worker_thread+0x64c/0x1120
[ 65.004750][ T6827]  kthread+0x3b5/0x4a0
[ 65.008842][ T6827]  ret_from_fork+0x1f/0x30
[ 65.013261][ T6827]
[ 65.015602][ T6827] The buggy address belongs to the object at ffff8880a7bfae00
[ 65.015602][ T6827]  which belongs to the cache kmalloc-128 of size 128
[ 65.029683][ T6827] The buggy address is located 24 bytes inside of
[ 65.029683][ T6827]  128-byte region [ffff8880a7bfae00, ffff8880a7bfae80)
[ 65.042868][ T6827] The buggy address belongs to the page:
[ 65.048508][ T6827] page:000000005de98312 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff8880a7bfaf00 pfn:0xa7bfa
[ 65.059973][ T6827] flags: 0xfffe0000000200(slab)
[ 65.064856][ T6827] raw: 00fffe0000000200 ffffea0002507248 ffffea0002697588 ffff8880aa040400
[ 65.073455][ T6827] raw: ffff8880a7bfaf00 ffff8880a7bfa000 0000000100000005 0000000000000000
[ 65.082034][ T6827] page dumped because: kasan: bad access detected
[ 65.088461][ T6827]
[ 65.090840][ T6827] Memory state around the buggy address:
[ 65.096480][ T6827]  ffff8880a7bfad00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 65.104550][ T6827]  ffff8880a7bfad80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 65.112613][ T6827] >ffff8880a7bfae00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 65.120679][ T6827]                             ^
[ 65.125532][ T6827]  ffff8880a7bfae80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 65.133593][ T6827]  ffff8880a7bfaf00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 65.141646][ T6827] ==================================================================
[ 65.149702][ T6827] Disabling lock debugging due to kernel taint
[ 65.192581][ T6827] Kernel panic - not syncing: panic_on_warn set ...
[ 65.199183][ T6827] CPU: 0 PID: 6827 Comm: syz-executor499 Tainted: G    B             5.8.0-next-20200810-syzkaller #0
[ 65.210101][ T6827] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 65.220157][ T6827] Call Trace:
[ 65.223440][ T6827]  dump_stack+0x18f/0x20d
[ 65.227760][ T6827]  ? hci_chan_del+0x70/0x190
[ 65.232358][ T6827]  panic+0x2e3/0x75c
[ 65.236234][ T6827]  ? __warn_printk+0xf3/0xf3
[ 65.240801][ T6827]  ? preempt_schedule_common+0x59/0xc0
[ 65.246238][ T6827]  ? hci_chan_del+0x14f/0x190
[ 65.250891][ T6827]  ? preempt_schedule_thunk+0x16/0x18
[ 65.256241][ T6827]  ? trace_hardirqs_on+0x55/0x220
[ 65.261338][ T6827]  ? hci_chan_del+0x14f/0x190
[ 65.266004][ T6827]  ? hci_chan_del+0x14f/0x190
[ 65.270675][ T6827]  end_report+0x4d/0x53
[ 65.274820][ T6827]  kasan_report.cold+0xd/0x37
[ 65.279500][ T6827]  ? hci_chan_del+0x14f/0x190
[ 65.284177][ T6827]  hci_chan_del+0x14f/0x190
[ 65.288661][ T6827]  l2cap_conn_del+0x61b/0x9e0
[ 65.293318][ T6827]  ? l2cap_conn_del+0x9e0/0x9e0
[ 65.298263][ T6827]  l2cap_disconn_cfm+0x85/0xa0
[ 65.303028][ T6827]  hci_conn_hash_flush+0x114/0x220
[ 65.308147][ T6827]  hci_dev_do_close+0x5c6/0x1080
[ 65.313067][ T6827]  ? hci_dev_open+0x350/0x350
[ 65.317736][ T6827]  ? do_raw_read_unlock+0x70/0x70
[ 65.322756][ T6827]  ? try_to_grab_pending.part.0+0x7d0/0x7d0
[ 65.328626][ T6827]  hci_unregister_dev+0x1bd/0xe30
[ 65.333630][ T6827]  ? fcntl_setlk+0xf60/0xf60
[ 65.340782][ T6827]  ? lock_is_held_type+0xbb/0xf0
[ 65.345707][ T6827]  vhci_release+0x70/0xe0
[ 65.350022][ T6827]  __fput+0x285/0x920
[ 65.354016][ T6827]  ? vhci_close_dev+0x50/0x50
[ 65.358668][ T6827]  task_work_run+0xdd/0x190
[ 65.363182][ T6827]  do_exit+0xb7d/0x29f0
[ 65.367320][ T6827]  ? __schedule+0x8ed/0x21e0
[ 65.371889][ T6827]  ? mm_update_next_owner+0x7a0/0x7a0
[ 65.377251][ T6827]  ? io_schedule_timeout+0x140/0x140
[ 65.382513][ T6827]  ? lock_is_held_type+0xbb/0xf0
[ 65.387436][ T6827]  do_group_exit+0x125/0x310
[ 65.392020][ T6827]  __x64_sys_exit_group+0x3a/0x50
[ 65.397021][ T6827]  do_syscall_64+0x2d/0x70
[ 65.401428][ T6827]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 65.407301][ T6827] RIP: 0033:0x445028
[ 65.411180][ T6827] Code: Bad RIP value.
[ 65.415219][ T6827] RSP: 002b:00007ffef77fc8c8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 65.423607][ T6827] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 0000000000445028
[ 65.431553][ T6827] RDX: 0000000000000001 RSI: 000000000000003c RDI: 0000000000000001
[ 65.439514][ T6827] RBP: 00000000004cce10 R08: 00000000000000e7 R09: ffffffffffffffd0
[ 65.447477][ T6827] R10: 00007f768f3699d0 R11: 0000000000000246 R12: 0000000000000001
[ 65.455429][ T6827] R13: 00000000006e0200 R14: 0000000000e24850 R15: 0000000000000001
[ 65.464441][ T6827] Kernel Offset: disabled
[ 65.468767][ T6827] Rebooting in 86400 seconds..