Debian GNU/Linux 9 syzkaller ttyS0
Warning: Permanently added '10.128.0.147' (ECDSA) to the list of known hosts.
syzkaller login: [   59.916861][ T6870] IPVS: ftp: loaded support on port[0] = 21
executing program
[   60.007154][ T6876] Bluetooth: hci0: hardware error 0x43
[   60.013423][ T6876] ==================================================================
[   60.021590][ T6876] BUG: KASAN: use-after-free in hci_chan_del+0x14f/0x190
[   60.028595][ T6876] Read of size 8 at addr ffff8880a5e98818 by task kworker/u5:2/6876
[   60.036540][ T6876]
[   60.038849][ T6876] CPU: 0 PID: 6876 Comm: kworker/u5:2 Not tainted 5.8.0-syzkaller #0
[   60.046913][ T6876] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   60.056968][ T6876] Workqueue: hci0 hci_error_reset
[   60.061976][ T6876] Call Trace:
[   60.065247][ T6876]  dump_stack+0x18f/0x20d
[   60.069588][ T6876]  ? hci_chan_del+0x14f/0x190
[   60.074238][ T6876]  ? hci_chan_del+0x14f/0x190
[   60.078918][ T6876]  print_address_description.constprop.0.cold+0xae/0x497
[   60.085917][ T6876]  ? mutex_lock_io_nested+0xf60/0xf60
[   60.091265][ T6876]  ? vprintk_func+0x97/0x1a6
[   60.095847][ T6876]  ? hci_chan_del+0x14f/0x190
[   60.100520][ T6876]  ? hci_chan_del+0x14f/0x190
[   60.105190][ T6876]  kasan_report.cold+0x1f/0x37
[   60.109928][ T6876]  ? hci_chan_del+0x14f/0x190
[   60.114581][ T6876]  hci_chan_del+0x14f/0x190
[   60.119062][ T6876]  l2cap_conn_del+0x61b/0x9e0
[   60.123719][ T6876]  ? l2cap_conn_del+0x9e0/0x9e0
[   60.128545][ T6876]  l2cap_disconn_cfm+0x85/0xa0
[   60.133291][ T6876]  hci_conn_hash_flush+0x114/0x220
[   60.138429][ T6876]  hci_dev_do_close+0x5c6/0x1080
[   60.143347][ T6876]  ? hci_dev_open+0x350/0x350
[   60.148000][ T6876]  ? do_raw_spin_lock+0x120/0x2b0
[   60.153005][ T6876]  hci_error_reset+0x90/0xf0
[   60.157575][ T6876]  process_one_work+0x94c/0x1670
[   60.162500][ T6876]  ? lock_release+0x8e0/0x8e0
[   60.167168][ T6876]  ? pwq_dec_nr_in_flight+0x2d0/0x2d0
[   60.172516][ T6876]  ? rwlock_bug.part.0+0x90/0x90
[   60.177442][ T6876]  worker_thread+0x64c/0x1120
[   60.182100][ T6876]  ? __kthread_parkme+0x13f/0x1e0
[   60.187102][ T6876]  ? process_one_work+0x1670/0x1670
[   60.192288][ T6876]  kthread+0x3b5/0x4a0
[   60.196345][ T6876]  ? __kthread_bind_mask+0xc0/0xc0
[   60.201514][ T6876]  ? __kthread_bind_mask+0xc0/0xc0
[   60.206609][ T6876]  ret_from_fork+0x1f/0x30
[   60.211004][ T6876]
[   60.213307][ T6876] Allocated by task 6876:
[   60.217622][ T6876]  kasan_save_stack+0x1b/0x40
[   60.222294][ T6876]  __kasan_kmalloc.constprop.0+0xbf/0xd0
[   60.227902][ T6876]  kmem_cache_alloc_trace+0x16e/0x2c0
[   60.233247][ T6876]  hci_chan_create+0x9b/0x330
[   60.237908][ T6876]  l2cap_conn_add.part.0+0x1e/0xe10
[   60.243178][ T6876]  l2cap_connect_cfm+0x23b/0x1090
[   60.248178][ T6876]  le_conn_complete_evt+0x1153/0x1740
[   60.253525][ T6876]  hci_le_meta_evt+0x745/0x3ff0
[   60.258362][ T6876]  hci_event_packet+0x2e25/0x87a8
[   60.263372][ T6876]  hci_rx_work+0x22e/0xb50
[   60.267779][ T6876]  process_one_work+0x94c/0x1670
[   60.272703][ T6876]  worker_thread+0x64c/0x1120
[   60.277354][ T6876]  kthread+0x3b5/0x4a0
[   60.281415][ T6876]  ret_from_fork+0x1f/0x30
[   60.285803][ T6876]
[   60.288123][ T6876] Freed by task 6876:
[   60.292082][ T6876]  kasan_save_stack+0x1b/0x40
[   60.296734][ T6876]  kasan_set_track+0x1c/0x30
[   60.301295][ T6876]  kasan_set_free_info+0x1b/0x30
[   60.306207][ T6876]  __kasan_slab_free+0xd8/0x120
[   60.311044][ T6876]  kfree+0x103/0x2c0
[   60.314915][ T6876]  hci_event_packet+0x3e33/0x87a8
[   60.319926][ T6876]  hci_rx_work+0x22e/0xb50
[   60.324323][ T6876]  process_one_work+0x94c/0x1670
[   60.329245][ T6876]  worker_thread+0x64c/0x1120
[   60.333899][ T6876]  kthread+0x3b5/0x4a0
[   60.337949][ T6876]  ret_from_fork+0x1f/0x30
[   60.342333][ T6876]
[   60.344642][ T6876] The buggy address belongs to the object at ffff8880a5e98800
[   60.344642][ T6876]  which belongs to the cache kmalloc-128 of size 128
[   60.358689][ T6876] The buggy address is located 24 bytes inside of
[   60.358689][ T6876]  128-byte region [ffff8880a5e98800, ffff8880a5e98880)
[   60.371932][ T6876] The buggy address belongs to the page:
[   60.377550][ T6876] page:0000000091b860f4 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff8880a5e98300 pfn:0xa5e98
[   60.389106][ T6876] flags: 0xfffe0000000200(slab)
[   60.393934][ T6876] raw: 00fffe0000000200 ffffea00029f7208 ffffea00028690c8 ffff8880aa040400
[   60.402493][ T6876] raw: ffff8880a5e98300 ffff8880a5e98000 0000000100000004 0000000000000000
[   60.411060][ T6876] page dumped because: kasan: bad access detected
[   60.417441][ T6876]
[   60.419741][ T6876] Memory state around the buggy address:
[   60.425347][ T6876]  ffff8880a5e98700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   60.433404][ T6876]  ffff8880a5e98780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   60.441459][ T6876] >ffff8880a5e98800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   60.449506][ T6876]                             ^
[   60.454348][ T6876]  ffff8880a5e98880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   60.462407][ T6876]  ffff8880a5e98900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   60.470443][ T6876] ==================================================================
[   60.478492][ T6876] Disabling lock debugging due to kernel taint
[   60.486152][ T6876] Kernel panic - not syncing: panic_on_warn set ...
[   60.492744][ T6876] CPU: 0 PID: 6876 Comm: kworker/u5:2 Tainted: G    B             5.8.0-syzkaller #0
[   60.503252][ T6876] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   60.513320][ T6876] Workqueue: hci0 hci_error_reset
[   60.518339][ T6876] Call Trace:
[   60.521624][ T6876]  dump_stack+0x18f/0x20d
[   60.525942][ T6876]  ? hci_chan_del+0xa0/0x190
[   60.530530][ T6876]  panic+0x2e3/0x75c
[   60.534417][ T6876]  ? __warn_printk+0xf3/0xf3
[   60.538983][ T6876]  ? preempt_schedule_common+0x59/0xc0
[   60.544420][ T6876]  ? hci_chan_del+0x14f/0x190
[   60.550128][ T6876]  ? preempt_schedule_thunk+0x16/0x18
[   60.555489][ T6876]  ? trace_hardirqs_on+0x55/0x220
[   60.560488][ T6876]  ? hci_chan_del+0x14f/0x190
[   60.565139][ T6876]  ? hci_chan_del+0x14f/0x190
[   60.569790][ T6876]  end_report+0x4d/0x53
[   60.573924][ T6876]  kasan_report.cold+0xd/0x37
[   60.578592][ T6876]  ? hci_chan_del+0x14f/0x190
[   60.583239][ T6876]  hci_chan_del+0x14f/0x190
[   60.587725][ T6876]  l2cap_conn_del+0x61b/0x9e0
[   60.592392][ T6876]  ? l2cap_conn_del+0x9e0/0x9e0
[   60.597224][ T6876]  l2cap_disconn_cfm+0x85/0xa0
[   60.601975][ T6876]  hci_conn_hash_flush+0x114/0x220
[   60.607078][ T6876]  hci_dev_do_close+0x5c6/0x1080
[   60.611990][ T6876]  ? hci_dev_open+0x350/0x350
[   60.616663][ T6876]  ? do_raw_spin_lock+0x120/0x2b0
[   60.621663][ T6876]  hci_error_reset+0x90/0xf0
[   60.626234][ T6876]  process_one_work+0x94c/0x1670
[   60.631162][ T6876]  ? lock_release+0x8e0/0x8e0
[   60.635812][ T6876]  ? pwq_dec_nr_in_flight+0x2d0/0x2d0
[   60.641183][ T6876]  ? rwlock_bug.part.0+0x90/0x90
[   60.646094][ T6876]  worker_thread+0x64c/0x1120
[   60.650758][ T6876]  ? __kthread_parkme+0x13f/0x1e0
[   60.655754][ T6876]  ? process_one_work+0x1670/0x1670
[   60.660941][ T6876]  kthread+0x3b5/0x4a0
[   60.664986][ T6876]  ? __kthread_bind_mask+0xc0/0xc0
[   60.670070][ T6876]  ? __kthread_bind_mask+0xc0/0xc0
[   60.675154][ T6876]  ret_from_fork+0x1f/0x30
[   60.680596][ T6876] Kernel Offset: disabled
[   60.684909][ T6876] Rebooting in 86400 seconds..