[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
Starting Load/Save RF Kill Switch Status...
[ OK ] Started Update UTMP about System Runlevel Changes.
[ OK ] Started Load/Save RF Kill Switch Status.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.0.110' (ECDSA) to the list of known hosts.

syzkaller login: [ 115.469875] IPVS: ftp: loaded support on port[0] = 21
executing program
[ 117.488503] Bluetooth: hci0: command 0x0409 tx timeout
[ 119.568010] Bluetooth: hci0: command 0x041b tx timeout
executing program
[ 121.648024] Bluetooth: hci0: command 0x040f tx timeout
[ 123.728016] Bluetooth: hci0: command 0x0419 tx timeout
executing program
[ 125.808046] Bluetooth: hci0: command 0x0405 tx timeout
executing program
executing program
executing program
executing program
executing program
executing program
[ 155.728601] ==================================================================
[ 155.736009] BUG: KASAN: use-after-free in __lock_acquire+0x2cb4/0x3ff0
[ 155.742657] Read of size 8 at addr ffff8880ab538ca0 by task kworker/1:2/3675
[ 155.750008]
[ 155.751632] CPU: 1 PID: 3675 Comm: kworker/1:2 Not tainted 4.19.190-syzkaller #0
[ 155.759271] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 155.768644] Workqueue: events l2cap_chan_timeout
[ 155.773385] Call Trace:
[ 155.775964]  dump_stack+0x1fc/0x2ef
[ 155.779603]  print_address_description.cold+0x54/0x219
[ 155.784880]  kasan_report_error.cold+0x8a/0x1b9
[ 155.789545]  ? __lock_acquire+0x2cb4/0x3ff0
[ 155.793856]  __asan_report_load8_noabort+0x88/0x90
[ 155.798779]  ? __lock_acquire+0x2cb4/0x3ff0
[ 155.803100]  __lock_acquire+0x2cb4/0x3ff0
[ 155.807248]  ? trace_hardirqs_off+0x64/0x200
[ 155.811645]  ? _raw_spin_unlock_irqrestore+0x66/0xe0
[ 155.816750]  ? debug_object_assert_init+0x242/0x2e0
[ 155.821767]  ? mark_held_locks+0xf0/0xf0
[ 155.825825]  ? debug_object_free+0x380/0x380
[ 155.830219]  ? mark_held_locks+0xf0/0xf0
[ 155.834277]  ? __save_stack_trace+0x9f/0x190
[ 155.838670]  ? del_timer+0xc3/0x100
[ 155.842280]  lock_acquire+0x170/0x3c0
[ 155.846070]  ? lock_sock_nested+0x3b/0x110
[ 155.850289]  _raw_spin_lock_bh+0x2f/0x40
[ 155.854331]  ? lock_sock_nested+0x3b/0x110
[ 155.858555]  lock_sock_nested+0x3b/0x110
[ 155.862605]  l2cap_sock_teardown_cb+0xa0/0x6d0
[ 155.867182]  ? lock_downgrade+0x720/0x720
[ 155.871360]  l2cap_chan_del+0xbc/0xa50
[ 155.875251]  ? trace_hardirqs_off+0x64/0x200
[ 155.879647]  l2cap_chan_close+0x1b5/0x950
[ 155.884147]  ? __set_monitor_timer+0x200/0x200
[ 155.888716]  ? check_preemption_disabled+0x41/0x280
[ 155.893733]  l2cap_chan_timeout+0x17e/0x2f0
[ 155.898042]  process_one_work+0x864/0x1570
[ 155.902281]  ? pwq_dec_nr_in_flight+0x2d0/0x2d0
[ 155.906985]  worker_thread+0x64c/0x1130
[ 155.910956]  ? __kthread_parkme+0x133/0x1e0
[ 155.915263]  ? process_one_work+0x1570/0x1570
[ 155.919761]  kthread+0x33f/0x460
[ 155.923111]  ? kthread_park+0x180/0x180
[ 155.927067]  ret_from_fork+0x24/0x30
[ 155.930759]
[ 155.932367] Allocated by task 8127:
[ 155.935978]  __kmalloc+0x15a/0x3c0
[ 155.939559]  sk_prot_alloc+0x1e2/0x2d0
[ 155.943471]  sk_alloc+0x36/0xec0
[ 155.946822]  l2cap_sock_alloc.constprop.0+0x31/0x210
[ 155.951904]  l2cap_sock_create+0x123/0x1f0
[ 155.956122]  bt_sock_create+0x154/0x2a0
[ 155.960095]  __sock_create+0x3d8/0x740
[ 155.963967]  __sys_socket+0xef/0x200
[ 155.967664]  __x64_sys_socket+0x6f/0xb0
[ 155.971635]  do_syscall_64+0xf9/0x620
[ 155.975427]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 155.980603]
[ 155.982211] Freed by task 8127:
[ 155.985476]  kfree+0xcc/0x210
[ 155.988593]  __sk_destruct+0x684/0x8a0
[ 155.992484]  __sk_free+0x165/0x3b0
[ 155.996052]  sk_free+0x3b/0x50
[ 155.999228]  l2cap_sock_kill.part.0+0x124/0x150
[ 156.003890]  l2cap_sock_release+0x1e6/0x290
[ 156.008236]  __sock_release+0xcd/0x2a0
[ 156.012104]  sock_close+0x15/0x20
[ 156.015540]  __fput+0x2ce/0x890
[ 156.018821]  task_work_run+0x148/0x1c0
[ 156.022758]  do_exit+0xbf3/0x2be0
[ 156.026195]  do_group_exit+0x125/0x310
[ 156.030065]  get_signal+0x3f2/0x1f70
[ 156.033786]  do_signal+0x8f/0x1670
[ 156.037323]  exit_to_usermode_loop+0x204/0x2a0
[ 156.041911]  do_syscall_64+0x538/0x620
[ 156.045800]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 156.050965]
[ 156.052590] The buggy address belongs to the object at ffff8880ab538c00
[ 156.052590]  which belongs to the cache kmalloc-2048 of size 2048
[ 156.065423] The buggy address is located 160 bytes inside of
[ 156.065423]  2048-byte region [ffff8880ab538c00, ffff8880ab539400)
[ 156.077370] The buggy address belongs to the page:
[ 156.082288] page:ffffea0002ad4e00 count:1 mapcount:0 mapping:ffff88813bff0c40 index:0x0 compound_mapcount: 0
[ 156.092241] flags: 0xfff00000008100(slab|head)
[ 156.096813] raw: 00fff00000008100 ffffea0002aef508 ffffea0002ad8b08 ffff88813bff0c40
[ 156.104717] raw: 0000000000000000 ffff8880ab538380 0000000100000003 0000000000000000
[ 156.112582] page dumped because: kasan: bad access detected
[ 156.118305]
[ 156.119910] Memory state around the buggy address:
[ 156.124841]  ffff8880ab538b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 156.132208]  ffff8880ab538c00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 156.139554] >ffff8880ab538c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 156.146891]                                ^
[ 156.151280]  ffff8880ab538d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 156.158641]  ffff8880ab538d80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 156.166090] ==================================================================
[ 156.173478] Disabling lock debugging due to kernel taint
[ 156.178938] Kernel panic - not syncing: panic_on_warn set ...
[ 156.178938]
[ 156.186315] CPU: 1 PID: 3675 Comm: kworker/1:2 Tainted: G B 4.19.190-syzkaller #0
[ 156.195218] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 156.204578] Workqueue: events l2cap_chan_timeout
[ 156.209323] Call Trace:
[ 156.211899]  dump_stack+0x1fc/0x2ef
[ 156.215510]  panic+0x26a/0x50e
[ 156.218686]  ? __warn_printk+0xf3/0xf3
[ 156.222563]  ? lock_downgrade+0x720/0x720
[ 156.226705]  ? print_shadow_for_address+0xb8/0x114
[ 156.231614]  ? trace_hardirqs_off+0x64/0x200
[ 156.236005]  kasan_end_report+0x43/0x49
[ 156.239960]  kasan_report_error.cold+0xa7/0x1b9
[ 156.244642]  ? __lock_acquire+0x2cb4/0x3ff0
[ 156.248956]  __asan_report_load8_noabort+0x88/0x90
[ 156.253869]  ? __lock_acquire+0x2cb4/0x3ff0
[ 156.258173]  __lock_acquire+0x2cb4/0x3ff0
[ 156.262320]  ? trace_hardirqs_off+0x64/0x200
[ 156.266730]  ? _raw_spin_unlock_irqrestore+0x66/0xe0
[ 156.271835]  ? debug_object_assert_init+0x242/0x2e0
[ 156.276861]  ? mark_held_locks+0xf0/0xf0
[ 156.281033]  ? debug_object_free+0x380/0x380
[ 156.285477]  ? mark_held_locks+0xf0/0xf0
[ 156.289521]  ? __save_stack_trace+0x9f/0x190
[ 156.294029]  ? del_timer+0xc3/0x100
[ 156.297664]  lock_acquire+0x170/0x3c0
[ 156.301453]  ? lock_sock_nested+0x3b/0x110
[ 156.305676]  _raw_spin_lock_bh+0x2f/0x40
[ 156.309736]  ? lock_sock_nested+0x3b/0x110
[ 156.313965]  lock_sock_nested+0x3b/0x110
[ 156.318033]  l2cap_sock_teardown_cb+0xa0/0x6d0
[ 156.322654]  ? lock_downgrade+0x720/0x720
[ 156.326834]  l2cap_chan_del+0xbc/0xa50
[ 156.330728]  ? trace_hardirqs_off+0x64/0x200
[ 156.335121]  l2cap_chan_close+0x1b5/0x950
[ 156.339253]  ? __set_monitor_timer+0x200/0x200
[ 156.343822]  ? check_preemption_disabled+0x41/0x280
[ 156.348840]  l2cap_chan_timeout+0x17e/0x2f0
[ 156.353147]  process_one_work+0x864/0x1570
[ 156.357367]  ? pwq_dec_nr_in_flight+0x2d0/0x2d0
[ 156.362021]  worker_thread+0x64c/0x1130
[ 156.365995]  ? __kthread_parkme+0x133/0x1e0
[ 156.370303]  ? process_one_work+0x1570/0x1570
[ 156.374800]  kthread+0x33f/0x460
[ 156.378171]  ? kthread_park+0x180/0x180
[ 156.382175]  ret_from_fork+0x24/0x30
[ 156.386458] Kernel Offset: disabled
[ 156.390078] Rebooting in 86400 seconds..