[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
Starting Load/Save RF Kill Switch Status...
[ OK ] Started Update UTMP about System Runlevel Changes.
[ OK ] Started Load/Save RF Kill Switch Status.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.1.0' (ECDSA) to the list of known hosts.

syzkaller login: [ 41.376622][ T6816] IPVS: ftp: loaded support on port[0] = 21
executing program
[ 42.548054][ T1529] ==================================================================
[ 42.556248][ T1529] BUG: KASAN: use-after-free in hci_send_acl+0x41/0x980
[ 42.563158][ T1529] Read of size 8 at addr ffff888093265318 by task kworker/u5:0/1529
[ 42.571110][ T1529]
[ 42.573420][ T1529] CPU: 0 PID: 1529 Comm: kworker/u5:0 Not tainted 5.8.0-rc7-syzkaller #0
[ 42.581803][ T1529] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 42.591841][ T1529] Workqueue: hci0 hci_rx_work
[ 42.596485][ T1529] Call Trace:
[ 42.599747][ T1529] dump_stack+0x1f0/0x31e
[ 42.604083][ T1529] print_address_description+0x66/0x5a0
[ 42.609597][ T1529] ? vprintk_emit+0x342/0x3c0
[ 42.614263][ T1529] ? printk+0x62/0x83
[ 42.618215][ T1529] ? vprintk_emit+0x339/0x3c0
[ 42.622862][ T1529] kasan_report+0x132/0x1d0
[ 42.627346][ T1529] ? hci_send_acl+0x41/0x980
[ 42.631904][ T1529] ? l2cap_send_cmd+0x298/0x810
[ 42.636726][ T1529] hci_send_acl+0x41/0x980
[ 42.641114][ T1529] ? l2cap_send_cmd+0x57c/0x810
[ 42.645940][ T1529] l2cap_bredr_sig_cmd+0x2558/0xa5a0
[ 42.651212][ T1529] ? lock_acquire+0x160/0x720
[ 42.655893][ T1529] ? l2cap_recv_frame+0x2e0/0x8f10
[ 42.660981][ T1529] ? trace_lock_release+0x137/0x1a0
[ 42.666153][ T1529] ? l2cap_recv_frame+0x6e7/0x8f10
[ 42.671234][ T1529] ? l2cap_recv_frame+0x6e7/0x8f10
[ 42.676316][ T1529] ? __mutex_unlock_slowpath+0x12d/0x590
[ 42.681919][ T1529] ? skb_pull+0x8b/0x130
[ 42.686129][ T1529] l2cap_recv_frame+0x858/0x8f10
[ 42.691078][ T1529] ? hci_rx_work+0x7ae/0x9c0
[ 42.695686][ T1529] ? hci_rx_work+0x7ae/0x9c0
[ 42.700249][ T1529] ? l2cap_recv_acldata+0x743/0xf00
[ 42.705419][ T1529] hci_rx_work+0x7d7/0x9c0
[ 42.709815][ T1529] process_one_work+0x789/0xfc0
[ 42.714645][ T1529] worker_thread+0xaa4/0x1460
[ 42.719303][ T1529] kthread+0x37e/0x3a0
[ 42.723342][ T1529] ? rcu_lock_release+0x20/0x20
[ 42.728216][ T1529] ? kthread_blkcg+0xd0/0xd0
[ 42.732786][ T1529] ret_from_fork+0x1f/0x30
[ 42.737178][ T1529]
[ 42.739482][ T1529] Allocated by task 1529:
[ 42.743783][ T1529] __kasan_kmalloc+0x103/0x140
[ 42.748515][ T1529] kmem_cache_alloc_trace+0x234/0x300
[ 42.753856][ T1529] hci_chan_create+0x9a/0x270
[ 42.758504][ T1529] l2cap_conn_add+0x66/0xb00
[ 42.763060][ T1529] l2cap_connect_cfm+0xdb/0x12b0
[ 42.767966][ T1529] hci_event_packet+0x1164c/0x18260
[ 42.773135][ T1529] hci_rx_work+0x236/0x9c0
[ 42.777521][ T1529] process_one_work+0x789/0xfc0
[ 42.782338][ T1529] worker_thread+0xaa4/0x1460
[ 42.786983][ T1529] kthread+0x37e/0x3a0
[ 42.791023][ T1529] ret_from_fork+0x1f/0x30
[ 42.795404][ T1529]
[ 42.797701][ T1529] Freed by task 1529:
[ 42.801652][ T1529] __kasan_slab_free+0x114/0x170
[ 42.806553][ T1529] kfree+0x10a/0x220
[ 42.810453][ T1529] hci_event_packet+0x304e/0x18260
[ 42.815793][ T1529] hci_rx_work+0x236/0x9c0
[ 42.820178][ T1529] process_one_work+0x789/0xfc0
[ 42.824996][ T1529] worker_thread+0xaa4/0x1460
[ 42.829640][ T1529] kthread+0x37e/0x3a0
[ 42.833676][ T1529] ret_from_fork+0x1f/0x30
[ 42.838056][ T1529]
[ 42.840398][ T1529] The buggy address belongs to the object at ffff888093265300
[ 42.840398][ T1529] which belongs to the cache kmalloc-128 of size 128
[ 42.854418][ T1529] The buggy address is located 24 bytes inside of
[ 42.854418][ T1529] 128-byte region [ffff888093265300, ffff888093265380)
[ 42.867582][ T1529] The buggy address belongs to the page:
[ 42.873188][ T1529] page:ffffea00024c9940 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff888093265d00
[ 42.883586][ T1529] flags: 0xfffe0000000200(slab)
[ 42.888419][ T1529] raw: 00fffe0000000200 ffffea00028b4a08 ffffea00024c9408 ffff8880aa400700
[ 42.896971][ T1529] raw: ffff888093265d00 ffff888093265000 0000000100000009 0000000000000000
[ 42.905521][ T1529] page dumped because: kasan: bad access detected
[ 42.911899][ T1529]
[ 42.914197][ T1529] Memory state around the buggy address:
[ 42.919795][ T1529] ffff888093265200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 42.927825][ T1529] ffff888093265280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 42.935855][ T1529] >ffff888093265300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 42.943897][ T1529]                            ^
[ 42.948717][ T1529] ffff888093265380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 42.956748][ T1529] ffff888093265400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 42.964778][ T1529] ==================================================================
[ 42.972807][ T1529] Disabling lock debugging due to kernel taint
[ 42.980104][ T1529] Kernel panic - not syncing: panic_on_warn set ...
[ 42.986698][ T1529] CPU: 0 PID: 1529 Comm: kworker/u5:0 Tainted: G B 5.8.0-rc7-syzkaller #0
[ 42.996489][ T1529] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 43.006540][ T1529] Workqueue: hci0 hci_rx_work
[ 43.011186][ T1529] Call Trace:
[ 43.014451][ T1529] dump_stack+0x1f0/0x31e
[ 43.018751][ T1529] panic+0x264/0x7a0
[ 43.022614][ T1529] ? trace_hardirqs_on+0x30/0x80
[ 43.027528][ T1529] kasan_report+0x1c9/0x1d0
[ 43.032018][ T1529] ? hci_send_acl+0x41/0x980
[ 43.036623][ T1529] ? l2cap_send_cmd+0x298/0x810
[ 43.041449][ T1529] hci_send_acl+0x41/0x980
[ 43.045839][ T1529] ? l2cap_send_cmd+0x57c/0x810
[ 43.050659][ T1529] l2cap_bredr_sig_cmd+0x2558/0xa5a0
[ 43.055911][ T1529] ? lock_acquire+0x160/0x720
[ 43.060556][ T1529] ? l2cap_recv_frame+0x2e0/0x8f10
[ 43.065635][ T1529] ? trace_lock_release+0x137/0x1a0
[ 43.070804][ T1529] ? l2cap_recv_frame+0x6e7/0x8f10
[ 43.075883][ T1529] ? l2cap_recv_frame+0x6e7/0x8f10
[ 43.080960][ T1529] ? __mutex_unlock_slowpath+0x12d/0x590
[ 43.086562][ T1529] ? skb_pull+0x8b/0x130
[ 43.090772][ T1529] l2cap_recv_frame+0x858/0x8f10
[ 43.095718][ T1529] ? hci_rx_work+0x7ae/0x9c0
[ 43.100277][ T1529] ? hci_rx_work+0x7ae/0x9c0
[ 43.104836][ T1529] ? l2cap_recv_acldata+0x743/0xf00
[ 43.110004][ T1529] hci_rx_work+0x7d7/0x9c0
[ 43.114395][ T1529] process_one_work+0x789/0xfc0
[ 43.119219][ T1529] worker_thread+0xaa4/0x1460
[ 43.123866][ T1529] kthread+0x37e/0x3a0
[ 43.127908][ T1529] ? rcu_lock_release+0x20/0x20
[ 43.132731][ T1529] ? kthread_blkcg+0xd0/0xd0
[ 43.137288][ T1529] ret_from_fork+0x1f/0x30
[ 43.142849][ T1529] Kernel Offset: disabled
[ 43.147162][ T1529] Rebooting in 86400 seconds..