[ OK ] Started Getty on tty3.
[ OK ] Started Getty on tty2.
[ OK ] Started Serial Getty on ttyS0.
[ OK ] Started Getty on tty1.
[ OK ] Reached target Login Prompts.
[ OK ] Reached target Multi-User System.
[ OK ] Reached target Graphical Interface.
         Starting Update UTMP about System Runlevel Changes...
[ OK ] Started Update UTMP about System Runlevel Changes.
         Starting Load/Save RF Kill Switch Status...

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.1.35' (ECDSA) to the list of known hosts.

syzkaller login: [   67.792450][ T8484] IPVS: ftp: loaded support on port[0] = 21
executing program
[   67.892080][ T8484] ==================================================================
[   67.901575][ T8484] BUG: KASAN: use-after-free in hci_chan_del+0x1c5/0x200
[   67.909790][ T8484] Read of size 8 at addr ffff888012eac918 by task syz-executor505/8484
[   67.919022][ T8484]
[   67.922201][ T8484] CPU: 1 PID: 8484 Comm: syz-executor505 Not tainted 5.10.0-rc3-next-20201110-syzkaller #0
[   67.934224][ T8484] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   67.945129][ T8484] Call Trace:
[   67.948586][ T8484]  dump_stack+0x107/0x163
[   67.953354][ T8484]  ? hci_chan_del+0x1c5/0x200
[   67.958075][ T8484]  ? hci_chan_del+0x1c5/0x200
[   67.962994][ T8484]  print_address_description.constprop.0.cold+0xae/0x4c8
[   67.970043][ T8484]  ? _raw_spin_lock_irqsave+0x4e/0x50
[   67.976124][ T8484]  ? vprintk_func+0x95/0x1e0
[   67.981442][ T8484]  ? hci_chan_del+0x1c5/0x200
[   67.986257][ T8484]  ? hci_chan_del+0x1c5/0x200
[   67.992310][ T8484]  kasan_report.cold+0x1f/0x37
[   67.997582][ T8484]  ? hci_chan_del+0x1c5/0x200
[   68.002303][ T8484]  hci_chan_del+0x1c5/0x200
[   68.006921][ T8484]  l2cap_conn_del+0x478/0x7b0
[   68.011694][ T8484]  ? l2cap_conn_del+0x7b0/0x7b0
[   68.016646][ T8484]  l2cap_disconn_cfm+0x98/0xd0
[   68.021438][ T8484]  hci_conn_hash_flush+0x127/0x260
[   68.027094][ T8484]  hci_dev_do_close+0x569/0x1110
[   68.032351][ T8484]  ? hci_dev_open+0x300/0x300
[   68.037969][ T8484]  ? do_raw_read_unlock+0x70/0x70
[   68.043412][ T8484]  ? try_to_grab_pending+0xd0/0xd0
[   68.048797][ T8484]  hci_unregister_dev+0x223/0xfe0
[   68.054218][ T8484]  ? fcntl_setlk+0xf10/0xf10
[   68.059594][ T8484]  vhci_release+0x70/0xe0
[   68.063943][ T8484]  __fput+0x283/0x920
[   68.068257][ T8484]  ? vhci_close_dev+0x50/0x50
[   68.074099][ T8484]  task_work_run+0xdd/0x190
[   68.078656][ T8484]  do_exit+0xb9b/0x29f0
[   68.083583][ T8484]  ? __schedule+0x89b/0x2170
[   68.088542][ T8484]  ? mm_update_next_owner+0x7a0/0x7a0
[   68.094691][ T8484]  ? io_schedule_timeout+0x140/0x140
[   68.101041][ T8484]  do_group_exit+0x125/0x310
[   68.106530][ T8484]  __x64_sys_exit_group+0x3a/0x50
[   68.111814][ T8484]  do_syscall_64+0x2d/0x70
[   68.116525][ T8484]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[   68.122711][ T8484] RIP: 0033:0x445088
[   68.126703][ T8484] Code: Unable to access opcode bytes at RIP 0x44505e.
[   68.135425][ T8484] RSP: 002b:00007ffcd164cfe8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[   68.144108][ T8484] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 0000000000445088
[   68.152836][ T8484] RDX: 0000000000000001 RSI: 000000000000003c RDI: 0000000000000001
[   68.160999][ T8484] RBP: 00000000004ccdd0 R08: 00000000000000e7 R09: ffffffffffffffd0
[   68.169602][ T8484] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001
[   68.178699][ T8484] R13: 00000000006e0200 R14: 0000000000000000 R15: 0000000000000000
[   68.188185][ T8484]
[   68.190505][ T8484] Allocated by task 8490:
[   68.195636][ T8484]  kasan_save_stack+0x1b/0x40
[   68.200465][ T8484]  __kasan_kmalloc.constprop.0+0xc2/0xd0
[   68.207761][ T8484]  hci_chan_create+0xaa/0x3c0
[   68.212952][ T8484]  l2cap_conn_add.part.0+0x1e/0xdf0
[   68.218388][ T8484]  l2cap_connect_cfm+0x5be/0xf50
[   68.224293][ T8484]  le_conn_complete_evt+0x123d/0x18a0
[   68.229692][ T8484]  hci_le_meta_evt+0x715/0x4450
[   68.237583][ T8484]  hci_event_packet+0x5d9/0x7d60
[   68.243565][ T8484]  hci_rx_work+0x511/0xd30
[   68.248097][ T8484]  process_one_work+0x933/0x15a0
[   68.253051][ T8484]  worker_thread+0x64c/0x1120
[   68.258134][ T8484]  kthread+0x3af/0x4a0
[   68.262224][ T8484]  ret_from_fork+0x1f/0x30
[   68.266782][ T8484]
[   68.269541][ T8484] Freed by task 8490:
[   68.273976][ T8484]  kasan_save_stack+0x1b/0x40
[   68.278830][ T8484]  kasan_set_track+0x1c/0x30
[   68.284661][ T8484]  kasan_set_free_info+0x1b/0x30
[   68.289644][ T8484]  __kasan_slab_free+0x102/0x140
[   68.295156][ T8484]  slab_free_freelist_hook+0x5d/0x150
[   68.300628][ T8484]  kfree+0xdb/0x360
[   68.304830][ T8484]  hci_disconn_loglink_complete_evt.isra.0+0x1cf/0x240
[   68.313078][ T8484]  hci_event_packet+0x2ded/0x7d60
[   68.319041][ T8484]  hci_rx_work+0x511/0xd30
[   68.324864][ T8484]  process_one_work+0x933/0x15a0
[   68.329895][ T8484]  worker_thread+0x64c/0x1120
[   68.334650][ T8484]  kthread+0x3af/0x4a0
[   68.338729][ T8484]  ret_from_fork+0x1f/0x30
[   68.343219][ T8484]
[   68.346905][ T8484] The buggy address belongs to the object at ffff888012eac900
[   68.346905][ T8484]  which belongs to the cache kmalloc-128 of size 128
[   68.361668][ T8484] The buggy address is located 24 bytes inside of
[   68.361668][ T8484]  128-byte region [ffff888012eac900, ffff888012eac980)
[   68.375060][ T8484] The buggy address belongs to the page:
[   68.381095][ T8484] page:0000000063935590 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x12eac
[   68.392851][ T8484] flags: 0xfff00000000200(slab)
[   68.398754][ T8484] raw: 00fff00000000200 ffffea00004d02c0 0000000400000004 ffff888010041640
[   68.407600][ T8484] raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000
[   68.416464][ T8484] page dumped because: kasan: bad access detected
[   68.422998][ T8484]
[   68.425313][ T8484] Memory state around the buggy address:
[   68.431113][ T8484]  ffff888012eac800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   68.439784][ T8484]  ffff888012eac880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   68.447848][ T8484] >ffff888012eac900: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   68.455904][ T8484]                             ^
[   68.460758][ T8484]  ffff888012eac980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   68.468829][ T8484]  ffff888012eaca00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   68.476959][ T8484] ==================================================================
[   68.485002][ T8484] Disabling lock debugging due to kernel taint
[   68.492106][ T8484] Kernel panic - not syncing: panic_on_warn set ...
[   68.499166][ T8484] CPU: 1 PID: 8484 Comm: syz-executor505 Tainted: G    B             5.10.0-rc3-next-20201110-syzkaller #0
[   68.510642][ T8484] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   68.520895][ T8484] Call Trace:
[   68.524301][ T8484]  dump_stack+0x107/0x163
[   68.528849][ T8484]  ? hci_chan_del+0x100/0x200
[   68.533608][ T8484]  panic+0x306/0x73d
[   68.538201][ T8484]  ? __warn_printk+0xf3/0xf3
[   68.542792][ T8484]  ? preempt_schedule_common+0x59/0xc0
[   68.548313][ T8484]  ? hci_chan_del+0x1c5/0x200
[   68.553813][ T8484]  ? preempt_schedule_thunk+0x16/0x18
[   68.559611][ T8484]  ? trace_hardirqs_on+0x51/0x1c0
[   68.564843][ T8484]  ? hci_chan_del+0x1c5/0x200
[   68.569524][ T8484]  ? hci_chan_del+0x1c5/0x200
[   68.574339][ T8484]  end_report+0x58/0x5e
[   68.578530][ T8484]  kasan_report.cold+0xd/0x37
[   68.583439][ T8484]  ? hci_chan_del+0x1c5/0x200
[   68.588577][ T8484]  hci_chan_del+0x1c5/0x200
[   68.593566][ T8484]  l2cap_conn_del+0x478/0x7b0
[   68.598315][ T8484]  ? l2cap_conn_del+0x7b0/0x7b0
[   68.603449][ T8484]  l2cap_disconn_cfm+0x98/0xd0
[   68.608199][ T8484]  hci_conn_hash_flush+0x127/0x260
[   68.613679][ T8484]  hci_dev_do_close+0x569/0x1110
[   68.620030][ T8484]  ? hci_dev_open+0x300/0x300
[   68.624831][ T8484]  ? do_raw_read_unlock+0x70/0x70
[   68.630005][ T8484]  ? try_to_grab_pending+0xd0/0xd0
[   68.635401][ T8484]  hci_unregister_dev+0x223/0xfe0
[   68.640410][ T8484]  ? fcntl_setlk+0xf10/0xf10
[   68.645071][ T8484]  vhci_release+0x70/0xe0
[   68.649562][ T8484]  __fput+0x283/0x920
[   68.653714][ T8484]  ? vhci_close_dev+0x50/0x50
[   68.658386][ T8484]  task_work_run+0xdd/0x190
[   68.663034][ T8484]  do_exit+0xb9b/0x29f0
[   68.667208][ T8484]  ? __schedule+0x89b/0x2170
[   68.672061][ T8484]  ? mm_update_next_owner+0x7a0/0x7a0
[   68.677701][ T8484]  ? io_schedule_timeout+0x140/0x140
[   68.683755][ T8484]  do_group_exit+0x125/0x310
[   68.688531][ T8484]  __x64_sys_exit_group+0x3a/0x50
[   68.693890][ T8484]  do_syscall_64+0x2d/0x70
[   68.698466][ T8484]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[   68.704482][ T8484] RIP: 0033:0x445088
[   68.708409][ T8484] Code: Unable to access opcode bytes at RIP 0x44505e.
[   68.715517][ T8484] RSP: 002b:00007ffcd164cfe8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[   68.724265][ T8484] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 0000000000445088
[   68.732344][ T8484] RDX: 0000000000000001 RSI: 000000000000003c RDI: 0000000000000001
[   68.740491][ T8484] RBP: 00000000004ccdd0 R08: 00000000000000e7 R09: ffffffffffffffd0
[   68.748611][ T8484] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001
[   68.756604][ T8484] R13: 00000000006e0200 R14: 0000000000000000 R15: 0000000000000000
[   68.765301][ T8484] Kernel Offset: disabled
[   68.769625][ T8484] Rebooting in 86400 seconds..