[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
[ OK ] Started Update UTMP about System Runlevel Changes.
Starting Load/Save RF Kill Switch Status...
[ OK ] Started Load/Save RF Kill Switch Status.
Debian GNU/Linux 9 syzkaller ttyS0
Warning: Permanently added '10.128.1.33' (ECDSA) to the list of known hosts.
executing program
syzkaller login:
[ 61.166001][ T6846] IPVS: ftp: loaded support on port[0] = 21
[ 61.267278][ T6846] ==================================================================
[ 61.275493][ T6846] BUG: KASAN: use-after-free in hci_chan_del+0x14f/0x190
[ 61.282515][ T6846] Read of size 8 at addr ffff8880a3e2a918 by task syz-executor787/6846
[ 61.290731][ T6846]
[ 61.293061][ T6846] CPU: 1 PID: 6846 Comm: syz-executor787 Not tainted 5.8.0-syzkaller #0
[ 61.301375][ T6846] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 61.311427][ T6846] Call Trace:
[ 61.314890][ T6846] dump_stack+0x18f/0x20d
[ 61.319315][ T6846] ? hci_chan_del+0x14f/0x190
[ 61.323985][ T6846] ? hci_chan_del+0x14f/0x190
[ 61.328653][ T6846] print_address_description.constprop.0.cold+0xae/0x497
[ 61.335667][ T6846] ? mutex_lock_io_nested+0xf60/0xf60
[ 61.341026][ T6846] ? vprintk_func+0x97/0x1a6
[ 61.345606][ T6846] ? hci_chan_del+0x14f/0x190
[ 61.350268][ T6846] ? hci_chan_del+0x14f/0x190
[ 61.355063][ T6846] kasan_report.cold+0x1f/0x37
[ 61.359818][ T6846] ? hci_chan_del+0x14f/0x190
[ 61.364483][ T6846] hci_chan_del+0x14f/0x190
[ 61.368979][ T6846] l2cap_conn_del+0x61b/0x9e0
[ 61.373686][ T6846] ? l2cap_conn_del+0x9e0/0x9e0
[ 61.378519][ T6846] l2cap_disconn_cfm+0x85/0xa0
[ 61.383268][ T6846] hci_conn_hash_flush+0x114/0x220
[ 61.388368][ T6846] hci_dev_do_close+0x5c6/0x1080
[ 61.393559][ T6846] ? hci_dev_open+0x350/0x350
[ 61.398221][ T6846] ? do_raw_read_unlock+0x70/0x70
[ 61.403232][ T6846] ? try_to_grab_pending.part.0+0x7d0/0x7d0
[ 61.409407][ T6846] hci_unregister_dev+0x1bd/0xe30
[ 61.414487][ T6846] ? fcntl_setlk+0xf60/0xf60
[ 61.419068][ T6846] ? lock_is_held_type+0xbb/0xf0
[ 61.423996][ T6846] vhci_release+0x70/0xe0
[ 61.428311][ T6846] __fput+0x285/0x920
[ 61.432283][ T6846] ? vhci_close_dev+0x50/0x50
[ 61.437102][ T6846] task_work_run+0xdd/0x190
[ 61.441616][ T6846] do_exit+0xb7d/0x29f0
[ 61.445760][ T6846] ? __schedule+0x8ed/0x21e0
[ 61.450339][ T6846] ? mm_update_next_owner+0x7a0/0x7a0
[ 61.455707][ T6846] ? io_schedule_timeout+0x140/0x140
[ 61.460983][ T6846] ? lock_is_held_type+0xbb/0xf0
[ 61.466057][ T6846] do_group_exit+0x125/0x310
[ 61.470653][ T6846] __x64_sys_exit_group+0x3a/0x50
[ 61.475675][ T6846] do_syscall_64+0x2d/0x70
[ 61.480081][ T6846] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 61.485987][ T6846] RIP: 0033:0x445058
[ 61.489863][ T6846] Code: Bad RIP value.
[ 61.493919][ T6846] RSP: 002b:00007fffd3a26718 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 61.502340][ T6846] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 0000000000445058
[ 61.510435][ T6846] RDX: 0000000000000001 RSI: 000000000000003c RDI: 0000000000000001
[ 61.518400][ T6846] RBP: 00000000004ccdd0 R08: 00000000000000e7 R09: ffffffffffffffd0
[ 61.526455][ T6846] R10: 0000000000000015 R11: 0000000000000246 R12: 0000000000000001
[ 61.534436][ T6846] R13: 00000000006e0200 R14: 0000000000000000 R15: 0000000000000000
[ 61.542570][ T6846]
[ 61.544888][ T6846] Allocated by task 1543:
[ 61.549204][ T6846] kasan_save_stack+0x1b/0x40
[ 61.553953][ T6846] __kasan_kmalloc.constprop.0+0xbf/0xd0
[ 61.559569][ T6846] kmem_cache_alloc_trace+0x16e/0x2c0
[ 61.564956][ T6846] hci_chan_create+0x9b/0x330
[ 61.570838][ T6846] l2cap_conn_add.part.0+0x1e/0xe10
[ 61.576042][ T6846] l2cap_connect_cfm+0x23b/0x1090
[ 61.581136][ T6846] le_conn_complete_evt+0x1153/0x1740
[ 61.586510][ T6846] hci_le_meta_evt+0x745/0x3ff0
[ 61.591351][ T6846] hci_event_packet+0x2e25/0x87a8
[ 61.596371][ T6846] hci_rx_work+0x22e/0xb50
[ 61.600776][ T6846] process_one_work+0x94c/0x1670
[ 61.605701][ T6846] worker_thread+0x64c/0x1120
[ 61.610359][ T6846] kthread+0x3b5/0x4a0
[ 61.614416][ T6846] ret_from_fork+0x1f/0x30
[ 61.618812][ T6846]
[ 61.621132][ T6846] Freed by task 6850:
[ 61.625108][ T6846] kasan_save_stack+0x1b/0x40
[ 61.629764][ T6846] kasan_set_track+0x1c/0x30
[ 61.634340][ T6846] kasan_set_free_info+0x1b/0x30
[ 61.639314][ T6846] __kasan_slab_free+0xd8/0x120
[ 61.644153][ T6846] kfree+0x103/0x2c0
[ 61.648030][ T6846] hci_event_packet+0x3e33/0x87a8
[ 61.653041][ T6846] hci_rx_work+0x22e/0xb50
[ 61.657443][ T6846] process_one_work+0x94c/0x1670
[ 61.662368][ T6846] worker_thread+0x64c/0x1120
[ 61.667029][ T6846] kthread+0x3b5/0x4a0
[ 61.671092][ T6846] ret_from_fork+0x1f/0x30
[ 61.675496][ T6846]
[ 61.677813][ T6846] The buggy address belongs to the object at ffff8880a3e2a900
[ 61.677813][ T6846]  which belongs to the cache kmalloc-128 of size 128
[ 61.691853][ T6846] The buggy address is located 24 bytes inside of
[ 61.691853][ T6846]  128-byte region [ffff8880a3e2a900, ffff8880a3e2a980)
[ 61.705019][ T6846] The buggy address belongs to the page:
[ 61.710642][ T6846] page:0000000009b5be52 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff8880a3e2ab00 pfn:0xa3e2a
[ 61.722144][ T6846] flags: 0xfffe0000000200(slab)
[ 61.726984][ T6846] raw: 00fffe0000000200 ffffea0002a25d48 ffffea0002a20648 ffff8880aa040400
[ 61.735559][ T6846] raw: ffff8880a3e2ab00 ffff8880a3e2a000 0000000100000008 0000000000000000
[ 61.744125][ T6846] page dumped because: kasan: bad access detected
[ 61.750582][ T6846]
[ 61.752899][ T6846] Memory state around the buggy address:
[ 61.758531][ T6846]  ffff8880a3e2a800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fc fc
[ 61.766829][ T6846]  ffff8880a3e2a880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 61.775002][ T6846] >ffff8880a3e2a900: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 61.783252][ T6846]                             ^
[ 61.788092][ T6846]  ffff8880a3e2a980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 61.796144][ T6846]  ffff8880a3e2aa00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 61.804187][ T6846] ==================================================================
[ 61.812232][ T6846] Disabling lock debugging due to kernel taint
[ 61.819375][ T7] tipc: TX() has been purged, node left!
[ 61.839140][ T6846] Kernel panic - not syncing: panic_on_warn set ...
[ 61.845747][ T6846] CPU: 0 PID: 6846 Comm: syz-executor787 Tainted: G B 5.8.0-syzkaller #0
[ 61.855441][ T6846] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 61.865595][ T6846] Call Trace:
[ 61.868981][ T6846] dump_stack+0x18f/0x20d
[ 61.873297][ T6846] ? hci_chan_del+0xa0/0x190
[ 61.877870][ T6846] panic+0x2e3/0x75c
[ 61.881871][ T6846] ? __warn_printk+0xf3/0xf3
[ 61.886445][ T6846] ? preempt_schedule_common+0x59/0xc0
[ 61.891885][ T6846] ? hci_chan_del+0x14f/0x190
[ 61.896545][ T6846] ? preempt_schedule_thunk+0x16/0x18
[ 61.901902][ T6846] ? trace_hardirqs_on+0x55/0x220
[ 61.907014][ T6846] ? hci_chan_del+0x14f/0x190
[ 61.911671][ T6846] ? hci_chan_del+0x14f/0x190
[ 61.916332][ T6846] end_report+0x4d/0x53
[ 61.920469][ T6846] kasan_report.cold+0xd/0x37
[ 61.925131][ T6846] ? hci_chan_del+0x14f/0x190
[ 61.929789][ T6846] hci_chan_del+0x14f/0x190
[ 61.934278][ T6846] l2cap_conn_del+0x61b/0x9e0
[ 61.938936][ T6846] ? l2cap_conn_del+0x9e0/0x9e0
[ 61.943772][ T6846] l2cap_disconn_cfm+0x85/0xa0
[ 61.948521][ T6846] hci_conn_hash_flush+0x114/0x220
[ 61.953619][ T6846] hci_dev_do_close+0x5c6/0x1080
[ 61.958537][ T6846] ? hci_dev_open+0x350/0x350
[ 61.963308][ T6846] ? do_raw_read_unlock+0x70/0x70
[ 61.968316][ T6846] ? try_to_grab_pending.part.0+0x7d0/0x7d0
[ 61.974313][ T6846] hci_unregister_dev+0x1bd/0xe30
[ 61.979321][ T6846] ? fcntl_setlk+0xf60/0xf60
[ 61.983894][ T6846] ? lock_is_held_type+0xbb/0xf0
[ 61.988813][ T6846] vhci_release+0x70/0xe0
[ 61.993260][ T6846] __fput+0x285/0x920
[ 61.997224][ T6846] ? vhci_close_dev+0x50/0x50
[ 62.002190][ T6846] task_work_run+0xdd/0x190
[ 62.006676][ T6846] do_exit+0xb7d/0x29f0
[ 62.010829][ T6846] ? __schedule+0x8ed/0x21e0
[ 62.015417][ T6846] ? mm_update_next_owner+0x7a0/0x7a0
[ 62.020781][ T6846] ? io_schedule_timeout+0x140/0x140
[ 62.026194][ T6846] ? lock_is_held_type+0xbb/0xf0
[ 62.031122][ T6846] do_group_exit+0x125/0x310
[ 62.035851][ T6846] __x64_sys_exit_group+0x3a/0x50
[ 62.040857][ T6846] do_syscall_64+0x2d/0x70
[ 62.045259][ T6846] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 62.051259][ T6846] RIP: 0033:0x445058
[ 62.055135][ T6846] Code: Bad RIP value.
[ 62.059183][ T6846] RSP: 002b:00007fffd3a26718 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 62.067978][ T6846] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 0000000000445058
[ 62.075939][ T6846] RDX: 0000000000000001 RSI: 000000000000003c RDI: 0000000000000001
[ 62.084022][ T6846] RBP: 00000000004ccdd0 R08: 00000000000000e7 R09: ffffffffffffffd0
[ 62.091981][ T6846] R10: 0000000000000015 R11: 0000000000000246 R12: 0000000000000001
[ 62.099937][ T6846] R13: 00000000006e0200 R14: 0000000000000000 R15: 0000000000000000
[ 62.109428][ T6846] Kernel Offset: disabled
[ 62.113756][ T6846] Rebooting in 86400 seconds..