[ OK ] Started Getty on tty2.
[ OK ] Started Getty on tty1.
[ OK ] Started Serial Getty on ttyS0.
[ OK ] Reached target Login Prompts.
[ OK ] Reached target Multi-User System.
[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
[ OK ] Started Update UTMP about System Runlevel Changes.
Starting Load/Save RF Kill Switch Status...
[ OK ] Started Load/Save RF Kill Switch Status.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.0.221' (ECDSA) to the list of known hosts.

syzkaller login: [ 61.395268][ T6841] IPVS: ftp: loaded support on port[0] = 21
executing program
[ 62.570292][ T6841] ==================================================================
[ 62.578543][ T6841] BUG: KASAN: use-after-free in hci_chan_del+0x14f/0x190
[ 62.585573][ T6841] Read of size 8 at addr ffff8880a8b44f18 by task syz-executor294/6841
[ 62.593806][ T6841]
[ 62.596174][ T6841] CPU: 0 PID: 6841 Comm: syz-executor294 Not tainted 5.8.0-next-20200811-syzkaller #0
[ 62.606921][ T6841] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 62.617636][ T6841] Call Trace:
[ 62.620942][ T6841] dump_stack+0x18f/0x20d
[ 62.625293][ T6841] ? hci_chan_del+0x14f/0x190
[ 62.629979][ T6841] ? hci_chan_del+0x14f/0x190
[ 62.634670][ T6841] print_address_description.constprop.0.cold+0xae/0x497
[ 62.641713][ T6841] ? mutex_lock_io_nested+0xf60/0xf60
[ 62.647097][ T6841] ? vprintk_func+0x97/0x1a6
[ 62.651706][ T6841] ? hci_chan_del+0x14f/0x190
[ 62.656391][ T6841] ? hci_chan_del+0x14f/0x190
[ 62.661089][ T6841] kasan_report.cold+0x1f/0x37
[ 62.665867][ T6841] ? hci_chan_del+0x14f/0x190
[ 62.670560][ T6841] hci_chan_del+0x14f/0x190
[ 62.675086][ T6841] l2cap_conn_del+0x61b/0x9e0
[ 62.679785][ T6841] ? l2cap_conn_del+0x9e0/0x9e0
[ 62.684636][ T6841] l2cap_disconn_cfm+0x85/0xa0
[ 62.689388][ T6841] hci_conn_hash_flush+0x114/0x220
[ 62.694484][ T6841] hci_dev_do_close+0x5c6/0x1080
[ 62.699417][ T6841] ? hci_dev_open+0x350/0x350
[ 62.704076][ T6841] ? do_raw_read_unlock+0x70/0x70
[ 62.709101][ T6841] ? try_to_grab_pending.part.0+0x7d0/0x7d0
[ 62.714983][ T6841] hci_unregister_dev+0x1bd/0xe30
[ 62.720003][ T6841] ? fcntl_setlk+0xf60/0xf60
[ 62.724577][ T6841] ? lock_is_held_type+0xbb/0xf0
[ 62.729512][ T6841] vhci_release+0x70/0xe0
[ 62.733839][ T6841] __fput+0x285/0x920
[ 62.737804][ T6841] ? vhci_close_dev+0x50/0x50
[ 62.742466][ T6841] task_work_run+0xdd/0x190
[ 62.746972][ T6841] do_exit+0xb7d/0x29f0
[ 62.751112][ T6841] ? __schedule+0x8ed/0x21e0
[ 62.755699][ T6841] ? mm_update_next_owner+0x7a0/0x7a0
[ 62.761054][ T6841] ? io_schedule_timeout+0x140/0x140
[ 62.766332][ T6841] ? lock_is_held_type+0xbb/0xf0
[ 62.771256][ T6841] do_group_exit+0x125/0x310
[ 62.775834][ T6841] __x64_sys_exit_group+0x3a/0x50
[ 62.780874][ T6841] do_syscall_64+0x2d/0x70
[ 62.785279][ T6841] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 62.791172][ T6841] RIP: 0033:0x445408
[ 62.795041][ T6841] Code: Bad RIP value.
[ 62.799083][ T6841] RSP: 002b:00007ffed28336f8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 62.807475][ T6841] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 0000000000445408
[ 62.815431][ T6841] RDX: 0000000000000001 RSI: 000000000000003c RDI: 0000000000000001
[ 62.823388][ T6841] RBP: 00000000004cd1f0 R08: 00000000000000e7 R09: ffffffffffffffd0
[ 62.831350][ T6841] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001
[ 62.839304][ T6841] R13: 00000000006e0260 R14: 0000000000000000 R15: 0000000000000000
[ 62.847265][ T6841]
[ 62.849574][ T6841] Allocated by task 6867:
[ 62.853896][ T6841] kasan_save_stack+0x1b/0x40
[ 62.858557][ T6841] __kasan_kmalloc.constprop.0+0xbf/0xd0
[ 62.864197][ T6841] kmem_cache_alloc_trace+0x16e/0x2c0
[ 62.869566][ T6841] hci_chan_create+0x9b/0x330
[ 62.874249][ T6841] l2cap_conn_add.part.0+0x1e/0xe10
[ 62.879438][ T6841] l2cap_connect_cfm+0x23b/0x1090
[ 62.884455][ T6841] le_conn_complete_evt+0x1153/0x1740
[ 62.889804][ T6841] hci_le_meta_evt+0x745/0x3ff0
[ 62.894637][ T6841] hci_event_packet+0x2e25/0x87a8
[ 62.899642][ T6841] hci_rx_work+0x22e/0xb50
[ 62.904052][ T6841] process_one_work+0x94c/0x1670
[ 62.909071][ T6841] worker_thread+0x64c/0x1120
[ 62.913727][ T6841] kthread+0x3b5/0x4a0
[ 62.917778][ T6841] ret_from_fork+0x1f/0x30
[ 62.922176][ T6841]
[ 62.924497][ T6841] Freed by task 6867:
[ 62.928470][ T6841] kasan_save_stack+0x1b/0x40
[ 62.933129][ T6841] kasan_set_track+0x1c/0x30
[ 62.937707][ T6841] kasan_set_free_info+0x1b/0x30
[ 62.942639][ T6841] __kasan_slab_free+0xd8/0x120
[ 62.947471][ T6841] kfree+0x103/0x2c0
[ 62.951418][ T6841] hci_event_packet+0x3e33/0x87a8
[ 62.956431][ T6841] hci_rx_work+0x22e/0xb50
[ 62.960830][ T6841] process_one_work+0x94c/0x1670
[ 62.965750][ T6841] worker_thread+0x64c/0x1120
[ 62.970418][ T6841] kthread+0x3b5/0x4a0
[ 62.974472][ T6841] ret_from_fork+0x1f/0x30
[ 62.978871][ T6841]
[ 62.981181][ T6841] The buggy address belongs to the object at ffff8880a8b44f00
[ 62.981181][ T6841] which belongs to the cache kmalloc-128 of size 128
[ 62.995213][ T6841] The buggy address is located 24 bytes inside of
[ 62.995213][ T6841] 128-byte region [ffff8880a8b44f00, ffff8880a8b44f80)
[ 63.008385][ T6841] The buggy address belongs to the page:
[ 63.014001][ T6841] page:00000000ac75b0b9 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff8880a8b44a00 pfn:0xa8b44
[ 63.025436][ T6841] flags: 0xfffe0000000200(slab)
[ 63.030270][ T6841] raw: 00fffe0000000200 ffffea00029b2ec8 ffffea000284a588 ffff8880aa040400
[ 63.038848][ T6841] raw: ffff8880a8b44a00 ffff8880a8b44000 0000000100000009 0000000000000000
[ 63.047420][ T6841] page dumped because: kasan: bad access detected
[ 63.053819][ T6841]
[ 63.056136][ T6841] Memory state around the buggy address:
[ 63.061771][ T6841] ffff8880a8b44e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 63.069818][ T6841] ffff8880a8b44e80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 63.077861][ T6841] >ffff8880a8b44f00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 63.085906][ T6841] ^
[ 63.090738][ T6841] ffff8880a8b44f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 63.098785][ T6841] ffff8880a8b45000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 63.106825][ T6841] ==================================================================
[ 63.114874][ T6841] Disabling lock debugging due to kernel taint
[ 63.121846][ T224] tipc: TX() has been purged, node left!
[ 63.123180][ T6841] Kernel panic - not syncing: panic_on_warn set ...
[ 63.134094][ T6841] CPU: 1 PID: 6841 Comm: syz-executor294 Tainted: G B 5.8.0-next-20200811-syzkaller #0
[ 63.145025][ T6841] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 63.155070][ T6841] Call Trace:
[ 63.158370][ T6841] dump_stack+0x18f/0x20d
[ 63.162696][ T6841] ? hci_chan_del+0xa0/0x190
[ 63.167279][ T6841] panic+0x2e3/0x75c
[ 63.171167][ T6841] ? __warn_printk+0xf3/0xf3
[ 63.175755][ T6841] ? preempt_schedule_common+0x59/0xc0
[ 63.181207][ T6841] ? hci_chan_del+0x14f/0x190
[ 63.185882][ T6841] ? preempt_schedule_thunk+0x16/0x18
[ 63.191246][ T6841] ? trace_hardirqs_on+0x55/0x220
[ 63.196272][ T6841] ? hci_chan_del+0x14f/0x190
[ 63.200951][ T6841] ? hci_chan_del+0x14f/0x190
[ 63.205624][ T6841] end_report+0x4d/0x53
[ 63.209773][ T6841] kasan_report.cold+0xd/0x37
[ 63.214443][ T6841] ? hci_chan_del+0x14f/0x190
[ 63.219127][ T6841] hci_chan_del+0x14f/0x190
[ 63.223628][ T6841] l2cap_conn_del+0x61b/0x9e0
[ 63.228314][ T6841] ? l2cap_conn_del+0x9e0/0x9e0
[ 63.233241][ T6841] l2cap_disconn_cfm+0x85/0xa0
[ 63.238033][ T6841] hci_conn_hash_flush+0x114/0x220
[ 63.243157][ T6841] hci_dev_do_close+0x5c6/0x1080
[ 63.248107][ T6841] ? hci_dev_open+0x350/0x350
[ 63.252781][ T6841] ? do_raw_read_unlock+0x70/0x70
[ 63.257806][ T6841] ? try_to_grab_pending.part.0+0x7d0/0x7d0
[ 63.263698][ T6841] hci_unregister_dev+0x1bd/0xe30
[ 63.268735][ T6841] ? fcntl_setlk+0xf60/0xf60
[ 63.277657][ T6841] ? lock_is_held_type+0xbb/0xf0
[ 63.282599][ T6841] vhci_release+0x70/0xe0
[ 63.286923][ T6841] __fput+0x285/0x920
[ 63.290910][ T6841] ? vhci_close_dev+0x50/0x50
[ 63.295596][ T6841] task_work_run+0xdd/0x190
[ 63.300095][ T6841] do_exit+0xb7d/0x29f0
[ 63.304267][ T6841] ? __schedule+0x8ed/0x21e0
[ 63.308862][ T6841] ? mm_update_next_owner+0x7a0/0x7a0
[ 63.314232][ T6841] ? io_schedule_timeout+0x140/0x140
[ 63.319508][ T6841] ? lock_is_held_type+0xbb/0xf0
[ 63.324455][ T6841] do_group_exit+0x125/0x310
[ 63.329040][ T6841] __x64_sys_exit_group+0x3a/0x50
[ 63.334075][ T6841] do_syscall_64+0x2d/0x70
[ 63.338502][ T6841] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 63.344398][ T6841] RIP: 0033:0x445408
[ 63.348288][ T6841] Code: Bad RIP value.
[ 63.352356][ T6841] RSP: 002b:00007ffed28336f8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 63.360759][ T6841] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 0000000000445408
[ 63.368724][ T6841] RDX: 0000000000000001 RSI: 000000000000003c RDI: 0000000000000001
[ 63.376688][ T6841] RBP: 00000000004cd1f0 R08: 00000000000000e7 R09: ffffffffffffffd0
[ 63.384666][ T6841] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001
[ 63.392634][ T6841] R13: 00000000006e0260 R14: 0000000000000000 R15: 0000000000000000
[ 63.401732][ T6841] Kernel Offset: disabled
[ 63.406064][ T6841] Rebooting in 86400 seconds..