[ OK ] Started Getty on tty3.
[ OK ] Started Getty on tty2.
[ OK ] Started Serial Getty on ttyS0.
[ OK ] Started Getty on tty1.
[ OK ] Reached target Login Prompts.
[ OK ] Reached target Multi-User System.
[ OK ] Reached target Graphical Interface.
         Starting Update UTMP about System Runlevel Changes...
[ OK ] Started Update UTMP about System Runlevel Changes.
         Starting Load/Save RF Kill Switch Status...
[ OK ] Started Load/Save RF Kill Switch Status.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.0.203' (ECDSA) to the list of known hosts.

syzkaller login: [ 61.282971][ T6845] IPVS: ftp: loaded support on port[0] = 21
executing program
[ 62.396797][ T6845] ==================================================================
[ 62.405041][ T6845] BUG: KASAN: use-after-free in hci_chan_del+0x14f/0x190
[ 62.412070][ T6845] Read of size 8 at addr ffff88809ecdb418 by task syz-executor909/6845
[ 62.420298][ T6845]
[ 62.422636][ T6845] CPU: 1 PID: 6845 Comm: syz-executor909 Not tainted 5.8.0-syzkaller #0
[ 62.430954][ T6845] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 62.442082][ T6845] Call Trace:
[ 62.445386][ T6845]  dump_stack+0x18f/0x20d
[ 62.449726][ T6845]  ? hci_chan_del+0x14f/0x190
[ 62.454410][ T6845]  ? hci_chan_del+0x14f/0x190
[ 62.459101][ T6845]  print_address_description.constprop.0.cold+0xae/0x497
[ 62.466144][ T6845]  ? mutex_lock_io_nested+0xf60/0xf60
[ 62.471526][ T6845]  ? vprintk_func+0x97/0x1a6
[ 62.476129][ T6845]  ? hci_chan_del+0x14f/0x190
[ 62.480786][ T6845]  ? hci_chan_del+0x14f/0x190
[ 62.485439][ T6845]  kasan_report.cold+0x1f/0x37
[ 62.490182][ T6845]  ? hci_chan_del+0x14f/0x190
[ 62.494838][ T6845]  hci_chan_del+0x14f/0x190
[ 62.499368][ T6845]  l2cap_conn_del+0x61b/0x9e0
[ 62.504028][ T6845]  ? l2cap_conn_del+0x9e0/0x9e0
[ 62.508851][ T6845]  l2cap_disconn_cfm+0x85/0xa0
[ 62.513649][ T6845]  hci_conn_hash_flush+0x114/0x220
[ 62.518739][ T6845]  hci_dev_do_close+0x5c6/0x1080
[ 62.523699][ T6845]  ? hci_dev_open+0x350/0x350
[ 62.528401][ T6845]  ? do_raw_read_unlock+0x70/0x70
[ 62.533403][ T6845]  ? try_to_grab_pending.part.0+0x7d0/0x7d0
[ 62.539278][ T6845]  hci_unregister_dev+0x1bd/0xe30
[ 62.544285][ T6845]  ? fcntl_setlk+0xf60/0xf60
[ 62.548852][ T6845]  ? lock_is_held_type+0xbb/0xf0
[ 62.553768][ T6845]  vhci_release+0x70/0xe0
[ 62.558091][ T6845]  __fput+0x285/0x920
[ 62.562060][ T6845]  ? vhci_close_dev+0x50/0x50
[ 62.566732][ T6845]  task_work_run+0xdd/0x190
[ 62.571229][ T6845]  do_exit+0xb7d/0x29f0
[ 62.575372][ T6845]  ? __schedule+0x8ed/0x21e0
[ 62.579944][ T6845]  ? mm_update_next_owner+0x7a0/0x7a0
[ 62.585295][ T6845]  ? lock_is_held_type+0xbb/0xf0
[ 62.590211][ T6845]  ? lock_is_held_type+0xbb/0xf0
[ 62.595135][ T6845]  do_group_exit+0x125/0x310
[ 62.599717][ T6845]  __x64_sys_exit_group+0x3a/0x50
[ 62.604820][ T6845]  do_syscall_64+0x2d/0x70
[ 62.609734][ T6845]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 62.615615][ T6845] RIP: 0033:0x445128
[ 62.619491][ T6845] Code: Bad RIP value.
[ 62.623532][ T6845] RSP: 002b:00007ffc7f04d798 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 62.631927][ T6845] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 0000000000445128
[ 62.639887][ T6845] RDX: 0000000000000001 RSI: 000000000000003c RDI: 0000000000000001
[ 62.647849][ T6845] RBP: 00000000004ccf10 R08: 00000000000000e7 R09: ffffffffffffffd0
[ 62.655800][ T6845] R10: 00000000000000ff R11: 0000000000000246 R12: 0000000000000001
[ 62.663747][ T6845] R13: 00000000006e0220 R14: 0000000000000000 R15: 0000000000000000
[ 62.671701][ T6845]
[ 62.674004][ T6845] Allocated by task 6869:
[ 62.678325][ T6845]  kasan_save_stack+0x1b/0x40
[ 62.682976][ T6845]  __kasan_kmalloc.constprop.0+0xbf/0xd0
[ 62.688606][ T6845]  kmem_cache_alloc_trace+0x16e/0x2c0
[ 62.693961][ T6845]  hci_chan_create+0x9b/0x330
[ 62.698614][ T6845]  l2cap_conn_add.part.0+0x1e/0xe10
[ 62.703786][ T6845]  l2cap_connect_cfm+0x23b/0x1090
[ 62.708786][ T6845]  le_conn_complete_evt+0x1153/0x1740
[ 62.714129][ T6845]  hci_le_meta_evt+0x745/0x3ff0
[ 62.718952][ T6845]  hci_event_packet+0x2e25/0x87a8
[ 62.723951][ T6845]  hci_rx_work+0x22e/0xb50
[ 62.728342][ T6845]  process_one_work+0x94c/0x1670
[ 62.733264][ T6845]  worker_thread+0x64c/0x1120
[ 62.737925][ T6845]  kthread+0x3b5/0x4a0
[ 62.741974][ T6845]  ret_from_fork+0x1f/0x30
[ 62.746371][ T6845]
[ 62.748693][ T6845] Freed by task 1539:
[ 62.752652][ T6845]  kasan_save_stack+0x1b/0x40
[ 62.757354][ T6845]  kasan_set_track+0x1c/0x30
[ 62.761920][ T6845]  kasan_set_free_info+0x1b/0x30
[ 62.766833][ T6845]  __kasan_slab_free+0xd8/0x120
[ 62.771656][ T6845]  kfree+0x103/0x2c0
[ 62.775537][ T6845]  hci_event_packet+0x3e33/0x87a8
[ 62.780535][ T6845]  hci_rx_work+0x22e/0xb50
[ 62.784926][ T6845]  process_one_work+0x94c/0x1670
[ 62.789850][ T6845]  worker_thread+0x64c/0x1120
[ 62.794512][ T6845]  kthread+0x3b5/0x4a0
[ 62.798556][ T6845]  ret_from_fork+0x1f/0x30
[ 62.802939][ T6845]
[ 62.805244][ T6845] The buggy address belongs to the object at ffff88809ecdb400
[ 62.805244][ T6845]  which belongs to the cache kmalloc-128 of size 128
[ 62.819269][ T6845] The buggy address is located 24 bytes inside of
[ 62.819269][ T6845]  128-byte region [ffff88809ecdb400, ffff88809ecdb480)
[ 62.832428][ T6845] The buggy address belongs to the page:
[ 62.838042][ T6845] page:00000000d62e32bf refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88809ecdb200 pfn:0x9ecdb
[ 62.849481][ T6845] flags: 0xfffe0000000200(slab)
[ 62.854312][ T6845] raw: 00fffe0000000200 ffffea000267d488 ffffea00024e8ec8 ffff8880aa040400
[ 62.862879][ T6845] raw: ffff88809ecdb200 ffff88809ecdb000 000000010000000e 0000000000000000
[ 62.871436][ T6845] page dumped because: kasan: bad access detected
[ 62.877908][ T6845]
[ 62.880210][ T6845] Memory state around the buggy address:
[ 62.885814][ T6845]  ffff88809ecdb300: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 62.893863][ T6845]  ffff88809ecdb380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 62.901913][ T6845] >ffff88809ecdb400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 62.909945][ T6845]                             ^
[ 62.914779][ T6845]  ffff88809ecdb480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 62.922827][ T6845]  ffff88809ecdb500: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 62.930857][ T6845] ==================================================================
[ 62.938889][ T6845] Disabling lock debugging due to kernel taint
[ 62.952046][ T245] tipc: TX() has been purged, node left!
[ 62.957852][ T6845] Kernel panic - not syncing: panic_on_warn set ...
[ 62.964443][ T6845] CPU: 1 PID: 6845 Comm: syz-executor909 Tainted: G B 5.8.0-syzkaller #0
[ 62.974148][ T6845] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 62.984194][ T6845] Call Trace:
[ 62.987481][ T6845]  dump_stack+0x18f/0x20d
[ 62.991812][ T6845]  ? hci_chan_del+0xf0/0x190
[ 62.996407][ T6845]  panic+0x2e3/0x75c
[ 63.000303][ T6845]  ? __warn_printk+0xf3/0xf3
[ 63.004889][ T6845]  ? preempt_schedule_common+0x59/0xc0
[ 63.010469][ T6845]  ? hci_chan_del+0x14f/0x190
[ 63.015231][ T6845]  ? preempt_schedule_thunk+0x16/0x18
[ 63.020580][ T6845]  ? trace_hardirqs_on+0x55/0x220
[ 63.025648][ T6845]  ? hci_chan_del+0x14f/0x190
[ 63.030436][ T6845]  ? hci_chan_del+0x14f/0x190
[ 63.035091][ T6845]  end_report+0x4d/0x53
[ 63.039319][ T6845]  kasan_report.cold+0xd/0x37
[ 63.043986][ T6845]  ? hci_chan_del+0x14f/0x190
[ 63.048643][ T6845]  hci_chan_del+0x14f/0x190
[ 63.053208][ T6845]  l2cap_conn_del+0x61b/0x9e0
[ 63.057862][ T6845]  ? l2cap_conn_del+0x9e0/0x9e0
[ 63.062687][ T6845]  l2cap_disconn_cfm+0x85/0xa0
[ 63.067442][ T6845]  hci_conn_hash_flush+0x114/0x220
[ 63.072570][ T6845]  hci_dev_do_close+0x5c6/0x1080
[ 63.077485][ T6845]  ? hci_dev_open+0x350/0x350
[ 63.082135][ T6845]  ? do_raw_read_unlock+0x70/0x70
[ 63.087134][ T6845]  ? try_to_grab_pending.part.0+0x7d0/0x7d0
[ 63.093007][ T6845]  hci_unregister_dev+0x1bd/0xe30
[ 63.098017][ T6845]  ? fcntl_setlk+0xf60/0xf60
[ 63.102666][ T6845]  ? lock_is_held_type+0xbb/0xf0
[ 63.107589][ T6845]  vhci_release+0x70/0xe0
[ 63.111893][ T6845]  __fput+0x285/0x920
[ 63.115849][ T6845]  ? vhci_close_dev+0x50/0x50
[ 63.120501][ T6845]  task_work_run+0xdd/0x190
[ 63.124977][ T6845]  do_exit+0xb7d/0x29f0
[ 63.129107][ T6845]  ? __schedule+0x8ed/0x21e0
[ 63.133670][ T6845]  ? mm_update_next_owner+0x7a0/0x7a0
[ 63.139026][ T6845]  ? lock_is_held_type+0xbb/0xf0
[ 63.143950][ T6845]  ? lock_is_held_type+0xbb/0xf0
[ 63.148864][ T6845]  do_group_exit+0x125/0x310
[ 63.153427][ T6845]  __x64_sys_exit_group+0x3a/0x50
[ 63.158421][ T6845]  do_syscall_64+0x2d/0x70
[ 63.162813][ T6845]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 63.168675][ T6845] RIP: 0033:0x445128
[ 63.172539][ T6845] Code: Bad RIP value.
[ 63.176576][ T6845] RSP: 002b:00007ffc7f04d798 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 63.184984][ T6845] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 0000000000445128
[ 63.192926][ T6845] RDX: 0000000000000001 RSI: 000000000000003c RDI: 0000000000000001
[ 63.200881][ T6845] RBP: 00000000004ccf10 R08: 00000000000000e7 R09: ffffffffffffffd0
[ 63.208841][ T6845] R10: 00000000000000ff R11: 0000000000000246 R12: 0000000000000001
[ 63.216787][ T6845] R13: 00000000006e0220 R14: 0000000000000000 R15: 0000000000000000
[ 63.226930][ T6845] Kernel Offset: disabled
[ 63.231247][ T6845] Rebooting in 86400 seconds..
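The report above carries everything a triager needs, but scattered across three stacks and a slab dump. Below is an added triage helper, written for this page and not part of syzkaller, the kernel or the original log, that parses a KASAN report out of raw console text and reduces it to the facts that drive the first look: bug class, access size and offset inside the slab object, the first non-instrumentation frame of the access, allocation and free stacks, which task did each, and the call path by which the faulting function was reached. The SAMPLE_LOG embedded below is a constructed excerpt of the report on this page with most unreliable ("?") and repeated frames dropped; the NOISE prefix list used to skip KASAN and allocator frames is this example's own heuristic, not anything KASAN defines.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed excerpt of the KASAN report on this page (some frames elided).
SAMPLE_LOG = """\
[ 62.396797][ T6845] ==================================================================
[ 62.405041][ T6845] BUG: KASAN: use-after-free in hci_chan_del+0x14f/0x190
[ 62.412070][ T6845] Read of size 8 at addr ffff88809ecdb418 by task syz-executor909/6845
[ 62.422636][ T6845] CPU: 1 PID: 6845 Comm: syz-executor909 Not tainted 5.8.0-syzkaller #0
[ 62.442082][ T6845] Call Trace:
[ 62.445386][ T6845]  dump_stack+0x18f/0x20d
[ 62.449726][ T6845]  ? hci_chan_del+0x14f/0x190
[ 62.459101][ T6845]  print_address_description.constprop.0.cold+0xae/0x497
[ 62.485439][ T6845]  kasan_report.cold+0x1f/0x37
[ 62.494838][ T6845]  hci_chan_del+0x14f/0x190
[ 62.499368][ T6845]  l2cap_conn_del+0x61b/0x9e0
[ 62.504028][ T6845]  ? l2cap_conn_del+0x9e0/0x9e0
[ 62.508851][ T6845]  l2cap_disconn_cfm+0x85/0xa0
[ 62.513649][ T6845]  hci_conn_hash_flush+0x114/0x220
[ 62.518739][ T6845]  hci_dev_do_close+0x5c6/0x1080
[ 62.539278][ T6845]  hci_unregister_dev+0x1bd/0xe30
[ 62.553768][ T6845]  vhci_release+0x70/0xe0
[ 62.558091][ T6845]  __fput+0x285/0x920
[ 62.566732][ T6845]  task_work_run+0xdd/0x190
[ 62.571229][ T6845]  do_exit+0xb7d/0x29f0
[ 62.595135][ T6845]  do_group_exit+0x125/0x310
[ 62.599717][ T6845]  __x64_sys_exit_group+0x3a/0x50
[ 62.604820][ T6845]  do_syscall_64+0x2d/0x70
[ 62.609734][ T6845]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 62.615615][ T6845] RIP: 0033:0x445128
[ 62.671701][ T6845]
[ 62.674004][ T6845] Allocated by task 6869:
[ 62.678325][ T6845]  kasan_save_stack+0x1b/0x40
[ 62.682976][ T6845]  __kasan_kmalloc.constprop.0+0xbf/0xd0
[ 62.688606][ T6845]  kmem_cache_alloc_trace+0x16e/0x2c0
[ 62.693961][ T6845]  hci_chan_create+0x9b/0x330
[ 62.698614][ T6845]  l2cap_conn_add.part.0+0x1e/0xe10
[ 62.703786][ T6845]  l2cap_connect_cfm+0x23b/0x1090
[ 62.708786][ T6845]  le_conn_complete_evt+0x1153/0x1740
[ 62.718952][ T6845]  hci_event_packet+0x2e25/0x87a8
[ 62.723951][ T6845]  hci_rx_work+0x22e/0xb50
[ 62.746371][ T6845]
[ 62.748693][ T6845] Freed by task 1539:
[ 62.752652][ T6845]  kasan_save_stack+0x1b/0x40
[ 62.757354][ T6845]  kasan_set_track+0x1c/0x30
[ 62.761920][ T6845]  kasan_set_free_info+0x1b/0x30
[ 62.766833][ T6845]  __kasan_slab_free+0xd8/0x120
[ 62.771656][ T6845]  kfree+0x103/0x2c0
[ 62.775537][ T6845]  hci_event_packet+0x3e33/0x87a8
[ 62.780535][ T6845]  hci_rx_work+0x22e/0xb50
[ 62.784926][ T6845]  process_one_work+0x94c/0x1670
[ 62.802939][ T6845]
[ 62.805244][ T6845] The buggy address belongs to the object at ffff88809ecdb400
[ 62.805244][ T6845]  which belongs to the cache kmalloc-128 of size 128
[ 62.819269][ T6845] The buggy address is located 24 bytes inside of
[ 62.819269][ T6845]  128-byte region [ffff88809ecdb400, ffff88809ecdb480)
[ 62.930857][ T6845] ==================================================================
"""

# "[ 62.396797][ T6845] " style printk prefix; the caller part is optional.
PREFIX = re.compile(r"^\[\s*\d+\.\d+\](?:\[\s*[TC]\s*\d+\])?\s?")
# One stack frame: optional "? " (stale slot, not a real caller), then sym+off/len.
FRAME = re.compile(r"^(\?\s+)?([A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+$")
BUG = re.compile(r"BUG: KASAN: (\S+) in ([A-Za-z_][\w.]*)\+0x")
ACCESS = re.compile(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (\S+)/(\d+)")
ALLOC = re.compile(r"Allocated by task (\d+):")
FREED = re.compile(r"Freed by task (\d+):")
OBJECT = re.compile(r"belongs to the object at ([0-9a-f]+)")
CACHE = re.compile(r"belongs to the cache (\S+) of size (\d+)")

# Heuristic (this example's own): frames belonging to KASAN, the allocator or the
# report printer rather than to the subsystem under test.
NOISE = ("kasan_", "__kasan_", "dump_stack", "print_address_description",
         "end_report", "kmem_cache_", "kmalloc", "__kmalloc", "kfree")


@dataclass
class KasanReport:
    bug_type: str = ""
    function: str = ""       # function named on the BUG: line
    access: str = ""         # "Read" or "Write"
    size: int = 0
    addr: int = 0
    task: str = ""
    pid: int = 0
    cache: str = ""
    object_base: int = 0
    alloc_task: int = 0
    free_task: int = 0
    access_stack: List[str] = field(default_factory=list)  # reliable frames only
    alloc_stack: List[str] = field(default_factory=list)
    free_stack: List[str] = field(default_factory=list)

    @property
    def offset(self) -> Optional[int]:
        """Byte offset of the bad access inside the slab object, if both are known."""
        return self.addr - self.object_base if self.addr and self.object_base else None


def parse_kasan_report(text: str) -> KasanReport:
    r = KasanReport()
    section = None  # name of the stack list that frame lines currently belong to
    for raw in text.splitlines():
        line = PREFIX.sub("", raw).strip()
        m = FRAME.match(line)
        if m and section is not None:
            if not m.group(1):               # drop "? foo" frames: they are guesses
                getattr(r, section).append(m.group(2))
            continue
        section = None                       # any non-frame line closes the stack
        if line.startswith("Call Trace:"):
            if not r.access_stack:           # the later panic trace repeats the first
                section = "access_stack"
            continue
        m = ALLOC.search(line)
        if m:
            r.alloc_task, section = int(m.group(1)), "alloc_stack"
            continue
        m = FREED.search(line)
        if m:
            r.free_task, section = int(m.group(1)), "free_stack"
            continue
        m = BUG.search(line)
        if m:
            r.bug_type, r.function = m.group(1), m.group(2)
            continue
        m = ACCESS.search(line)
        if m:
            r.access, r.size = m.group(1), int(m.group(2))
            r.addr, r.task, r.pid = int(m.group(3), 16), m.group(4), int(m.group(5))
            continue
        m = OBJECT.search(line)
        if m:
            r.object_base = int(m.group(1), 16)
            continue
        m = CACHE.search(line)
        if m:
            r.cache = m.group(1)
    return r


def first_code_frame(stack: List[str]) -> str:
    """First frame outside KASAN/allocator plumbing: the source line to open first."""
    for fn in stack:
        if not fn.startswith(NOISE):
            return fn
    return ""


def frames_below(stack: List[str], fn: str) -> List[str]:
    """Callers of fn, innermost first: how the faulting code was reached."""
    return stack[stack.index(fn) + 1:] if fn in stack else []


def cross_context(r: KasanReport) -> bool:
    """Free and use in different tasks points at a race rather than one bad code path."""
    return bool(r.free_task) and r.free_task != r.pid


def summarize(r: KasanReport) -> str:
    off = "?" if r.offset is None else r.offset
    return (f"{r.bug_type}: {r.access} of {r.size} bytes at offset {off} of a "
            f"{r.cache} object in {first_code_frame(r.access_stack)}; allocated in "
            f"{first_code_frame(r.alloc_stack)} (task {r.alloc_task}), freed in "
            f"{first_code_frame(r.free_stack)} (task {r.free_task}), used by "
            f"{r.task}/{r.pid}" + (" [free and use in different tasks]" if cross_context(r) else ""))


if __name__ == "__main__":
    rep = parse_kasan_report(SAMPLE_LOG)
    print(summarize(rep))
    print("reached via:", " <- ".join(frames_below(rep.access_stack, rep.function)))
```

Run against the excerpt, the summary states what the log already shows once the three stacks are lined up: the kmalloc-128 object was created in hci_chan_create from an LE connection-complete event on a workqueue thread, freed from hci_event_packet on a different kworker (task 1539), and read 24 bytes in by hci_chan_del while task 6845 tore the virtual HCI device down in vhci_release during exit_group. The free and the use happen in different contexts, so the thing to look for in the source is the ordering between HCI event processing and hci_dev_do_close, not a local double-free in one function.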