[ OK ] Started Getty on tty2.
[ OK ] Started Getty on tty1.
[ OK ] Started Serial Getty on ttyS0.
[ OK ] Reached target Login Prompts.
[ OK ] Reached target Multi-User System.
[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
[ OK ] Started Update UTMP about System Runlevel Changes.
Starting Load/Save RF Kill Switch Status...
[ OK ] Started Load/Save RF Kill Switch Status.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.0.122' (ECDSA) to the list of known hosts.

syzkaller login: [   58.114409][ T6847] IPVS: ftp: loaded support on port[0] = 21
executing program
[   59.205778][ T6847] ==================================================================
[   59.214048][ T6847] BUG: KASAN: use-after-free in hci_chan_del+0x14f/0x190
[   59.221086][ T6847] Read of size 8 at addr ffff88809d295a18 by task syz-executor814/6847
[   59.229462][ T6847]
[   59.231796][ T6847] CPU: 0 PID: 6847 Comm: syz-executor814 Not tainted 5.8.0-syzkaller #0
[   59.240115][ T6847] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   59.250167][ T6847] Call Trace:
[   59.253460][ T6847]  dump_stack+0x18f/0x20d
[   59.257801][ T6847]  ? hci_chan_del+0x14f/0x190
[   59.262478][ T6847]  ? hci_chan_del+0x14f/0x190
[   59.267181][ T6847]  print_address_description.constprop.0.cold+0xae/0x436
[   59.274206][ T6847]  ? mutex_lock_io_nested+0xf60/0xf60
[   59.279583][ T6847]  ? vprintk_func+0x97/0x1a6
[   59.284193][ T6847]  ? hci_chan_del+0x14f/0x190
[   59.288915][ T6847]  kasan_report.cold+0x1f/0x37
[   59.293714][ T6847]  ? hci_chan_del+0x14f/0x190
[   59.298393][ T6847]  hci_chan_del+0x14f/0x190
[   59.302900][ T6847]  l2cap_conn_del+0x61b/0x9e0
[   59.307587][ T6847]  ? l2cap_conn_del+0x9e0/0x9e0
[   59.312468][ T6847]  l2cap_disconn_cfm+0x85/0xa0
[   59.317261][ T6847]  hci_conn_hash_flush+0x114/0x220
[   59.322349][ T6847]  ? vhci_close_dev+0x50/0x50
[   59.327010][ T6847]  hci_dev_do_close+0x5c6/0x1080
[   59.331956][ T6847]  ? hci_dev_open+0x350/0x350
[   59.336631][ T6847]  ? do_raw_read_unlock+0x70/0x70
[   59.341658][ T6847]  ? try_to_grab_pending.part.0+0x7d0/0x7d0
[   59.347546][ T6847]  ? vhci_close_dev+0x50/0x50
[   59.352201][ T6847]  hci_unregister_dev+0x1bd/0xe30
[   59.357202][ T6847]  ? fcntl_setlk+0xf60/0xf60
[   59.361767][ T6847]  ? lock_is_held_type+0xbb/0xf0
[   59.366680][ T6847]  ? vhci_close_dev+0x50/0x50
[   59.371327][ T6847]  vhci_release+0x70/0xe0
[   59.375631][ T6847]  __fput+0x33c/0x880
[   59.379593][ T6847]  task_work_run+0xdd/0x190
[   59.384074][ T6847]  do_exit+0xb7d/0x29f0
[   59.388208][ T6847]  ? mm_update_next_owner+0x7a0/0x7a0
[   59.393582][ T6847]  ? vfs_write+0x1b0/0x6b0
[   59.397989][ T6847]  ? lock_is_held_type+0xbb/0xf0
[   59.402916][ T6847]  do_group_exit+0x125/0x310
[   59.407478][ T6847]  __x64_sys_exit_group+0x3a/0x50
[   59.412484][ T6847]  do_syscall_64+0x2d/0x70
[   59.416880][ T6847]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[   59.422745][ T6847] RIP: 0033:0x4450e8
[   59.426607][ T6847] Code: Bad RIP value.
[   59.430660][ T6847] RSP: 002b:00007ffdff5fc3e8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[   59.439043][ T6847] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00000000004450e8
[   59.446988][ T6847] RDX: 0000000000000001 RSI: 000000000000003c RDI: 0000000000000001
[   59.454949][ T6847] RBP: 00000000004cced0 R08: 00000000000000e7 R09: ffffffffffffffd0
[   59.462895][ T6847] R10: 00007faa67f899d0 R11: 0000000000000246 R12: 0000000000000001
[   59.470841][ T6847] R13: 00000000006e0200 R14: 00000000015cb850 R15: 0000000000000001
[   59.478811][ T6847]
[   59.481122][ T6847] Allocated by task 1538:
[   59.485440][ T6847]  save_stack+0x1b/0x40
[   59.489581][ T6847]  __kasan_kmalloc.constprop.0+0xc2/0xd0
[   59.495186][ T6847]  kmem_cache_alloc_trace+0x14f/0x2d0
[   59.500541][ T6847]  hci_chan_create+0x9b/0x330
[   59.505199][ T6847]  l2cap_conn_add.part.0+0x1e/0xe10
[   59.510385][ T6847]  l2cap_connect_cfm+0x23b/0x1090
[   59.515382][ T6847]  le_conn_complete_evt+0x1153/0x1740
[   59.520725][ T6847]  hci_le_meta_evt+0x745/0x3ff0
[   59.525548][ T6847]  hci_event_packet+0x2e25/0x87a8
[   59.530546][ T6847]  hci_rx_work+0x22e/0xb50
[   59.534982][ T6847]  process_one_work+0x94c/0x1670
[   59.539906][ T6847]  worker_thread+0x64c/0x1120
[   59.544556][ T6847]  kthread+0x3b5/0x4a0
[   59.548598][ T6847]  ret_from_fork+0x1f/0x30
[   59.552981][ T6847]
[   59.555282][ T6847] Freed by task 6870:
[   59.559262][ T6847]  save_stack+0x1b/0x40
[   59.563393][ T6847]  __kasan_slab_free+0xf5/0x140
[   59.568262][ T6847]  kfree+0x103/0x2c0
[   59.572161][ T6847]  hci_event_packet+0x3e33/0x87a8
[   59.577158][ T6847]  hci_rx_work+0x22e/0xb50
[   59.581546][ T6847]  process_one_work+0x94c/0x1670
[   59.586457][ T6847]  worker_thread+0x64c/0x1120
[   59.591105][ T6847]  kthread+0x3b5/0x4a0
[   59.595150][ T6847]  ret_from_fork+0x1f/0x30
[   59.599547][ T6847]
[   59.601851][ T6847] The buggy address belongs to the object at ffff88809d295a00
[   59.601851][ T6847]  which belongs to the cache kmalloc-128 of size 128
[   59.615878][ T6847] The buggy address is located 24 bytes inside of
[   59.615878][ T6847]  128-byte region [ffff88809d295a00, ffff88809d295a80)
[   59.629032][ T6847] The buggy address belongs to the page:
[   59.634651][ T6847] page:ffffea000274a540 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88809d295f00
[   59.645042][ T6847] flags: 0xfffe0000000200(slab)
[   59.649875][ T6847] raw: 00fffe0000000200 ffffea00027fbcc8 ffffea0002846388 ffff8880aa000700
[   59.658458][ T6847] raw: ffff88809d295f00 ffff88809d295000 000000010000000a 0000000000000000
[   59.667063][ T6847] page dumped because: kasan: bad access detected
[   59.673447][ T6847]
[   59.675751][ T6847] Memory state around the buggy address:
[   59.681368][ T6847]  ffff88809d295900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   59.689419][ T6847]  ffff88809d295980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   59.697453][ T6847] >ffff88809d295a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   59.705483][ T6847]                             ^
[   59.710344][ T6847]  ffff88809d295a80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   59.718377][ T6847]  ffff88809d295b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   59.726419][ T6847] ==================================================================
[   59.734448][ T6847] Disabling lock debugging due to kernel taint
[   59.742140][ T6847] Kernel panic - not syncing: panic_on_warn set ...
[   59.748735][ T6847] CPU: 0 PID: 6847 Comm: syz-executor814 Tainted: G B 5.8.0-syzkaller #0
[   59.758436][ T6847] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   59.768477][ T6847] Call Trace:
[   59.771765][ T6847]  dump_stack+0x18f/0x20d
[   59.776092][ T6847]  ? hci_chan_del+0x110/0x190
[   59.780757][ T6847]  panic+0x2e3/0x75c
[   59.784626][ T6847]  ? __warn_printk+0xf3/0xf3
[   59.789204][ T6847]  ? preempt_schedule_common+0x59/0xc0
[   59.794636][ T6847]  ? hci_chan_del+0x14f/0x190
[   59.799290][ T6847]  ? preempt_schedule_thunk+0x16/0x18
[   59.804631][ T6847]  ? trace_hardirqs_on+0x55/0x220
[   59.809642][ T6847]  ? hci_chan_del+0x14f/0x190
[   59.814301][ T6847]  ? hci_chan_del+0x14f/0x190
[   59.818949][ T6847]  end_report+0x4d/0x53
[   59.823092][ T6847]  kasan_report.cold+0xd/0x37
[   59.827782][ T6847]  ? hci_chan_del+0x14f/0x190
[   59.832445][ T6847]  hci_chan_del+0x14f/0x190
[   59.836920][ T6847]  l2cap_conn_del+0x61b/0x9e0
[   59.841569][ T6847]  ? l2cap_conn_del+0x9e0/0x9e0
[   59.846392][ T6847]  l2cap_disconn_cfm+0x85/0xa0
[   59.851127][ T6847]  hci_conn_hash_flush+0x114/0x220
[   59.856212][ T6847]  ? vhci_close_dev+0x50/0x50
[   59.860876][ T6847]  hci_dev_do_close+0x5c6/0x1080
[   59.865797][ T6847]  ? hci_dev_open+0x350/0x350
[   59.870446][ T6847]  ? do_raw_read_unlock+0x70/0x70
[   59.875442][ T6847]  ? try_to_grab_pending.part.0+0x7d0/0x7d0
[   59.881307][ T6847]  ? vhci_close_dev+0x50/0x50
[   59.885954][ T6847]  hci_unregister_dev+0x1bd/0xe30
[   59.890964][ T6847]  ? fcntl_setlk+0xf60/0xf60
[   59.895527][ T6847]  ? lock_is_held_type+0xbb/0xf0
[   59.900436][ T6847]  ? vhci_close_dev+0x50/0x50
[   59.905095][ T6847]  vhci_release+0x70/0xe0
[   59.909399][ T6847]  __fput+0x33c/0x880
[   59.913359][ T6847]  task_work_run+0xdd/0x190
[   59.917836][ T6847]  do_exit+0xb7d/0x29f0
[   59.921982][ T6847]  ? mm_update_next_owner+0x7a0/0x7a0
[   59.927353][ T6847]  ? vfs_write+0x1b0/0x6b0
[   59.931764][ T6847]  ? lock_is_held_type+0xbb/0xf0
[   59.936689][ T6847]  do_group_exit+0x125/0x310
[   59.941255][ T6847]  __x64_sys_exit_group+0x3a/0x50
[   59.946254][ T6847]  do_syscall_64+0x2d/0x70
[   59.950640][ T6847]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[   59.956506][ T6847] RIP: 0033:0x4450e8
[   59.960365][ T6847] Code: Bad RIP value.
[   59.964400][ T6847] RSP: 002b:00007ffdff5fc3e8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[   59.972781][ T6847] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00000000004450e8
[   59.980722][ T6847] RDX: 0000000000000001 RSI: 000000000000003c RDI: 0000000000000001
[   59.988665][ T6847] RBP: 00000000004cced0 R08: 00000000000000e7 R09: ffffffffffffffd0
[   59.996621][ T6847] R10: 00007faa67f899d0 R11: 0000000000000246 R12: 0000000000000001
[   60.004564][ T6847] R13: 00000000006e0200 R14: 00000000015cb850 R15: 0000000000000001
[   60.013500][ T6847] Kernel Offset: disabled
[   60.017826][ T6847] Rebooting in 86400 seconds..