[ OK ] Started Getty on tty4.
[ OK ] Started Getty on tty3.
[ OK ] Started Getty on tty2.
[ OK ] Started Getty on tty1.
[ OK ] Started Serial Getty on ttyS0.
[ OK ] Reached target Login Prompts.
[ OK ] Reached target Multi-User System.
[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
[ OK ] Started Update UTMP about System Runlevel Changes.
Starting Load/Save RF Kill Switch Status...
[ OK ] Started Load/Save RF Kill Switch Status.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.0.48' (ECDSA) to the list of known hosts.

syzkaller login: [ 60.585447][ T6845] IPVS: ftp: loaded support on port[0] = 21
executing program
[ 60.690057][ T1542] Bluetooth: hci0: hardware error 0x43
[ 60.696599][ T1542] ==================================================================
[ 60.704744][ T1542] BUG: KASAN: use-after-free in hci_chan_del+0x14f/0x190
[ 60.711754][ T1542] Read of size 8 at addr ffff88809fb0fc18 by task kworker/u5:0/1542
[ 60.719701][ T1542]
[ 60.722017][ T1542] CPU: 1 PID: 1542 Comm: kworker/u5:0 Not tainted 5.8.0-syzkaller #0
[ 60.730062][ T1542] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 60.740109][ T1542] Workqueue: hci0 hci_error_reset
[ 60.745138][ T1542] Call Trace:
[ 60.748412][ T1542]  dump_stack+0x18f/0x20d
[ 60.752725][ T1542]  ? hci_chan_del+0x14f/0x190
[ 60.757379][ T1542]  ? hci_chan_del+0x14f/0x190
[ 60.762039][ T1542]  print_address_description.constprop.0.cold+0xae/0x497
[ 60.769042][ T1542]  ? mutex_lock_io_nested+0xf60/0xf60
[ 60.774397][ T1542]  ? vprintk_func+0x97/0x1a6
[ 60.778966][ T1542]  ? hci_chan_del+0x14f/0x190
[ 60.783622][ T1542]  ? hci_chan_del+0x14f/0x190
[ 60.788278][ T1542]  kasan_report.cold+0x1f/0x37
[ 60.793023][ T1542]  ? hci_chan_del+0x14f/0x190
[ 60.797680][ T1542]  hci_chan_del+0x14f/0x190
[ 60.802169][ T1542]  l2cap_conn_del+0x61b/0x9e0
[ 60.806832][ T1542]  ? l2cap_conn_del+0x9e0/0x9e0
[ 60.811662][ T1542]  l2cap_disconn_cfm+0x85/0xa0
[ 60.816406][ T1542]  hci_conn_hash_flush+0x114/0x220
[ 60.821501][ T1542]  hci_dev_do_close+0x5c6/0x1080
[ 60.826426][ T1542]  ? hci_dev_open+0x350/0x350
[ 60.831099][ T1542]  ? do_raw_spin_lock+0x120/0x2b0
[ 60.836132][ T1542]  hci_error_reset+0x90/0xf0
[ 60.840719][ T1542]  process_one_work+0x94c/0x1670
[ 60.845662][ T1542]  ? lock_release+0x8e0/0x8e0
[ 60.850328][ T1542]  ? pwq_dec_nr_in_flight+0x2d0/0x2d0
[ 60.855787][ T1542]  ? rwlock_bug.part.0+0x90/0x90
[ 60.860713][ T1542]  worker_thread+0x64c/0x1120
[ 60.865382][ T1542]  ? process_one_work+0x1670/0x1670
[ 60.870579][ T1542]  kthread+0x3b5/0x4a0
[ 60.874651][ T1542]  ? __kthread_bind_mask+0xc0/0xc0
[ 60.879746][ T1542]  ? __kthread_bind_mask+0xc0/0xc0
[ 60.884841][ T1542]  ret_from_fork+0x1f/0x30
[ 60.889242][ T1542]
[ 60.891551][ T1542] Allocated by task 6849:
[ 60.895862][ T1542]  kasan_save_stack+0x1b/0x40
[ 60.900521][ T1542]  __kasan_kmalloc.constprop.0+0xbf/0xd0
[ 60.906137][ T1542]  kmem_cache_alloc_trace+0x16e/0x2c0
[ 60.911497][ T1542]  hci_chan_create+0x9b/0x330
[ 60.916153][ T1542]  l2cap_conn_add.part.0+0x1e/0xe10
[ 60.921333][ T1542]  l2cap_connect_cfm+0x23b/0x1090
[ 60.926335][ T1542]  le_conn_complete_evt+0x1153/0x1740
[ 60.931682][ T1542]  hci_le_meta_evt+0x745/0x3ff0
[ 60.936512][ T1542]  hci_event_packet+0x2e25/0x87a8
[ 60.941527][ T1542]  hci_rx_work+0x22e/0xb50
[ 60.945923][ T1542]  process_one_work+0x94c/0x1670
[ 60.950839][ T1542]  worker_thread+0x64c/0x1120
[ 60.955494][ T1542]  kthread+0x3b5/0x4a0
[ 60.959545][ T1542]  ret_from_fork+0x1f/0x30
[ 60.963931][ T1542]
[ 60.966236][ T1542] Freed by task 1542:
[ 60.970206][ T1542]  kasan_save_stack+0x1b/0x40
[ 60.974860][ T1542]  kasan_set_track+0x1c/0x30
[ 60.979428][ T1542]  kasan_set_free_info+0x1b/0x30
[ 60.984341][ T1542]  __kasan_slab_free+0xd8/0x120
[ 60.989166][ T1542]  kfree+0x103/0x2c0
[ 60.993038][ T1542]  hci_event_packet+0x3e33/0x87a8
[ 60.998219][ T1542]  hci_rx_work+0x22e/0xb50
[ 61.002614][ T1542]  process_one_work+0x94c/0x1670
[ 61.007539][ T1542]  worker_thread+0x64c/0x1120
[ 61.012201][ T1542]  kthread+0x3b5/0x4a0
[ 61.016249][ T1542]  ret_from_fork+0x1f/0x30
[ 61.020639][ T1542]
[ 61.022948][ T1542] The buggy address belongs to the object at ffff88809fb0fc00
[ 61.022948][ T1542]  which belongs to the cache kmalloc-128 of size 128
[ 61.036979][ T1542] The buggy address is located 24 bytes inside of
[ 61.036979][ T1542]  128-byte region [ffff88809fb0fc00, ffff88809fb0fc80)
[ 61.050133][ T1542] The buggy address belongs to the page:
[ 61.055748][ T1542] page:00000000bf304342 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88809fb0f200 pfn:0x9fb0f
[ 61.067172][ T1542] flags: 0xfffe0000000200(slab)
[ 61.072016][ T1542] raw: 00fffe0000000200 ffffea00028a9208 ffffea00029bd308 ffff8880aa040400
[ 61.080580][ T1542] raw: ffff88809fb0f200 ffff88809fb0f000 000000010000000a 0000000000000000
[ 61.089135][ T1542] page dumped because: kasan: bad access detected
[ 61.095519][ T1542]
[ 61.097825][ T1542] Memory state around the buggy address:
[ 61.103434][ T1542]  ffff88809fb0fb00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 61.111484][ T1542]  ffff88809fb0fb80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 61.119524][ T1542] >ffff88809fb0fc00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 61.127558][ T1542]                             ^
[ 61.132398][ T1542]  ffff88809fb0fc80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 61.140448][ T1542]  ffff88809fb0fd00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 61.148483][ T1542] ==================================================================
[ 61.156518][ T1542] Disabling lock debugging due to kernel taint
[ 61.164019][ T1542] Kernel panic - not syncing: panic_on_warn set ...
[ 61.170615][ T1542] CPU: 1 PID: 1542 Comm: kworker/u5:0 Tainted: G B 5.8.0-syzkaller #0
[ 61.180054][ T1542] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 61.190103][ T1542] Workqueue: hci0 hci_error_reset
[ 61.195097][ T1542] Call Trace:
[ 61.198359][ T1542]  dump_stack+0x18f/0x20d
[ 61.202721][ T1542]  ? hci_chan_del+0x120/0x190
[ 61.207369][ T1542]  panic+0x2e3/0x75c
[ 61.211235][ T1542]  ? __warn_printk+0xf3/0xf3
[ 61.215837][ T1542]  ? preempt_schedule_common+0x59/0xc0
[ 61.221268][ T1542]  ? hci_chan_del+0x14f/0x190
[ 61.225917][ T1542]  ? preempt_schedule_thunk+0x16/0x18
[ 61.231262][ T1542]  ? trace_hardirqs_on+0x55/0x220
[ 61.236259][ T1542]  ? hci_chan_del+0x14f/0x190
[ 61.240905][ T1542]  ? hci_chan_del+0x14f/0x190
[ 61.245555][ T1542]  end_report+0x4d/0x53
[ 61.249794][ T1542]  kasan_report.cold+0xd/0x37
[ 61.254459][ T1542]  ? hci_chan_del+0x14f/0x190
[ 61.259104][ T1542]  hci_chan_del+0x14f/0x190
[ 61.263580][ T1542]  l2cap_conn_del+0x61b/0x9e0
[ 61.268232][ T1542]  ? l2cap_conn_del+0x9e0/0x9e0
[ 61.273054][ T1542]  l2cap_disconn_cfm+0x85/0xa0
[ 61.277789][ T1542]  hci_conn_hash_flush+0x114/0x220
[ 61.282872][ T1542]  hci_dev_do_close+0x5c6/0x1080
[ 61.287782][ T1542]  ? hci_dev_open+0x350/0x350
[ 61.292434][ T1542]  ? do_raw_spin_lock+0x120/0x2b0
[ 61.297430][ T1542]  hci_error_reset+0x90/0xf0
[ 61.301993][ T1542]  process_one_work+0x94c/0x1670
[ 61.306903][ T1542]  ? lock_release+0x8e0/0x8e0
[ 61.311549][ T1542]  ? pwq_dec_nr_in_flight+0x2d0/0x2d0
[ 61.316898][ T1542]  ? rwlock_bug.part.0+0x90/0x90
[ 61.321817][ T1542]  worker_thread+0x64c/0x1120
[ 61.326480][ T1542]  ? process_one_work+0x1670/0x1670
[ 61.331662][ T1542]  kthread+0x3b5/0x4a0
[ 61.335701][ T1542]  ? __kthread_bind_mask+0xc0/0xc0
[ 61.340782][ T1542]  ? __kthread_bind_mask+0xc0/0xc0
[ 61.345866][ T1542]  ret_from_fork+0x1f/0x30
[ 61.351587][ T1542] Kernel Offset: disabled
[ 61.355901][ T1542] Rebooting in 86400 seconds..