[ OK ] Started Getty on tty3.
[ OK ] Started Getty on tty2.
[ OK ] Started Serial Getty on ttyS0.
[ OK ] Started Getty on tty1.
[ OK ] Reached target Login Prompts.
[ OK ] Reached target Multi-User System.
[ OK ] Reached target Graphical Interface.
       Starting Update UTMP about System Runlevel Changes...
[ OK ] Started Update UTMP about System Runlevel Changes.
       Starting Load/Save RF Kill Switch Status...

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.0.53' (ECDSA) to the list of known hosts.

syzkaller login: [ 62.538119][ T6863] IPVS: ftp: loaded support on port[0] = 21
executing program
[ 62.621610][ T6863] ==================================================================
[ 62.629941][ T6863] BUG: KASAN: use-after-free in hci_chan_del+0x14f/0x190
[ 62.636984][ T6863] Read of size 8 at addr ffff8880a2c3de18 by task syz-executor367/6863
[ 62.645409][ T6863]
[ 62.647931][ T6863] CPU: 0 PID: 6863 Comm: syz-executor367 Not tainted 5.8.0-syzkaller #0
[ 62.656463][ T6863] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 62.666726][ T6863] Call Trace:
[ 62.670123][ T6863]  dump_stack+0x18f/0x20d
[ 62.674766][ T6863]  ? hci_chan_del+0x14f/0x190
[ 62.679584][ T6863]  ? hci_chan_del+0x14f/0x190
[ 62.684328][ T6863]  print_address_description.constprop.0.cold+0xae/0x497
[ 62.691491][ T6863]  ? mutex_lock_io_nested+0xf60/0xf60
[ 62.697171][ T6863]  ? vprintk_func+0x97/0x1a6
[ 62.702115][ T6863]  ? hci_chan_del+0x14f/0x190
[ 62.706846][ T6863]  ? hci_chan_del+0x14f/0x190
[ 62.712313][ T6863]  kasan_report.cold+0x1f/0x37
[ 62.718657][ T6863]  ? hci_chan_del+0x14f/0x190
[ 62.723984][ T6863]  hci_chan_del+0x14f/0x190
[ 62.728617][ T6863]  l2cap_conn_del+0x61b/0x9e0
[ 62.733723][ T6863]  ? l2cap_conn_del+0x9e0/0x9e0
[ 62.738618][ T6863]  l2cap_disconn_cfm+0x85/0xa0
[ 62.743473][ T6863]  hci_conn_hash_flush+0x114/0x220
[ 62.748587][ T6863]  hci_dev_do_close+0x5c6/0x1080
[ 62.754576][ T6863]  ? hci_dev_open+0x350/0x350
[ 62.759447][ T6863]  ? do_raw_read_unlock+0x70/0x70
[ 62.765008][ T6863]  ? try_to_grab_pending.part.0+0x7d0/0x7d0
[ 62.771148][ T6863]  hci_unregister_dev+0x1bd/0xe30
[ 62.776340][ T6863]  ? fcntl_setlk+0xf60/0xf60
[ 62.781374][ T6863]  ? lock_is_held_type+0xbb/0xf0
[ 62.786307][ T6863]  vhci_release+0x70/0xe0
[ 62.790885][ T6863]  __fput+0x285/0x920
[ 62.794865][ T6863]  ? vhci_close_dev+0x50/0x50
[ 62.799538][ T6863]  task_work_run+0xdd/0x190
[ 62.804130][ T6863]  do_exit+0xb7d/0x29f0
[ 62.808412][ T6863]  ? mm_update_next_owner+0x7a0/0x7a0
[ 62.817466][ T6863]  ? vmacache_update+0xce/0x140
[ 62.822666][ T6863]  ? lock_is_held_type+0xbb/0xf0
[ 62.827910][ T6863]  do_group_exit+0x125/0x310
[ 62.833382][ T6863]  __ia32_sys_exit_group+0x3a/0x50
[ 62.839581][ T6863]  __do_fast_syscall_32+0x57/0x80
[ 62.844911][ T6863]  do_fast_syscall_32+0x2f/0x70
[ 62.849765][ T6863]  entry_SYSENTER_compat_after_hwframe+0x4d/0x5c
[ 62.856535][ T6863] RIP: 0023:0xf7fbe549
[ 62.860853][ T6863] Code: Bad RIP value.
[ 62.865237][ T6863] RSP: 002b:00000000fff6064c EFLAGS: 00000292 ORIG_RAX: 00000000000000fc
[ 62.873848][ T6863] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00000000080fd318
[ 62.881816][ T6863] RDX: 0000000000000000 RSI: 00000000080e32c0 RDI: 00000000080fd320
[ 62.889869][ T6863] RBP: 0000000000000001 R08: 0000000000000000 R09: 0000000000000000
[ 62.898104][ T6863] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[ 62.906584][ T6863] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 62.914560][ T6863]
[ 62.917002][ T6863] Allocated by task 6866:
[ 62.921376][ T6863]  kasan_save_stack+0x1b/0x40
[ 62.926228][ T6863]  __kasan_kmalloc.constprop.0+0xbf/0xd0
[ 62.931904][ T6863]  kmem_cache_alloc_trace+0x16e/0x2c0
[ 62.937617][ T6863]  hci_chan_create+0x9b/0x330
[ 62.942387][ T6863]  l2cap_conn_add.part.0+0x1e/0xe10
[ 62.947622][ T6863]  l2cap_connect_cfm+0x23b/0x1090
[ 62.952726][ T6863]  le_conn_complete_evt+0x1153/0x1740
[ 62.958565][ T6863]  hci_le_meta_evt+0x745/0x3ff0
[ 62.963495][ T6863]  hci_event_packet+0x2e25/0x87a8
[ 62.968565][ T6863]  hci_rx_work+0x22e/0xb50
[ 62.973105][ T6863]  process_one_work+0x94c/0x1670
[ 62.978205][ T6863]  worker_thread+0x64c/0x1120
[ 62.982881][ T6863]  kthread+0x3b5/0x4a0
[ 62.986936][ T6863]  ret_from_fork+0x1f/0x30
[ 62.991335][ T6863]
[ 62.993672][ T6863] Freed by task 1543:
[ 62.997776][ T6863]  kasan_save_stack+0x1b/0x40
[ 63.002485][ T6863]  kasan_set_track+0x1c/0x30
[ 63.007107][ T6863]  kasan_set_free_info+0x1b/0x30
[ 63.012424][ T6863]  __kasan_slab_free+0xd8/0x120
[ 63.017599][ T6863]  kfree+0x103/0x2c0
[ 63.021592][ T6863]  hci_event_packet+0x3e33/0x87a8
[ 63.026631][ T6863]  hci_rx_work+0x22e/0xb50
[ 63.031040][ T6863]  process_one_work+0x94c/0x1670
[ 63.036022][ T6863]  worker_thread+0x64c/0x1120
[ 63.040828][ T6863]  kthread+0x3b5/0x4a0
[ 63.045063][ T6863]  ret_from_fork+0x1f/0x30
[ 63.049931][ T6863]
[ 63.052299][ T6863] The buggy address belongs to the object at ffff8880a2c3de00
[ 63.052299][ T6863]  which belongs to the cache kmalloc-128 of size 128
[ 63.067550][ T6863] The buggy address is located 24 bytes inside of
[ 63.067550][ T6863]  128-byte region [ffff8880a2c3de00, ffff8880a2c3de80)
[ 63.080723][ T6863] The buggy address belongs to the page:
[ 63.086396][ T6863] page:000000007df80c98 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff8880a2c3dc00 pfn:0xa2c3d
[ 63.098064][ T6863] flags: 0xfffe0000000200(slab)
[ 63.103049][ T6863] raw: 00fffe0000000200 ffffea0002999488 ffffea0002a470c8 ffff8880aa040400
[ 63.112460][ T6863] raw: ffff8880a2c3dc00 ffff8880a2c3d000 000000010000000d 0000000000000000
[ 63.121337][ T6863] page dumped because: kasan: bad access detected
[ 63.127764][ T6863]
[ 63.130132][ T6863] Memory state around the buggy address:
[ 63.135892][ T6863]  ffff8880a2c3dd00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 63.144428][ T6863]  ffff8880a2c3dd80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 63.152700][ T6863] >ffff8880a2c3de00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 63.160751][ T6863]                             ^
[ 63.165721][ T6863]  ffff8880a2c3de80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 63.174565][ T6863]  ffff8880a2c3df00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 63.182839][ T6863] ==================================================================
[ 63.191073][ T6863] Disabling lock debugging due to kernel taint
[ 63.199492][ T217] tipc: TX() has been purged, node left!
[ 63.221896][ T6863] Kernel panic - not syncing: panic_on_warn set ...
[ 63.229409][ T6863] CPU: 1 PID: 6863 Comm: syz-executor367 Tainted: G B 5.8.0-syzkaller #0
[ 63.239423][ T6863] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 63.249551][ T6863] Call Trace:
[ 63.253007][ T6863]  dump_stack+0x18f/0x20d
[ 63.257324][ T6863]  ? hci_chan_del+0x120/0x190
[ 63.262037][ T6863]  panic+0x2e3/0x75c
[ 63.265967][ T6863]  ? __warn_printk+0xf3/0xf3
[ 63.270597][ T6863]  ? preempt_schedule_common+0x59/0xc0
[ 63.276043][ T6863]  ? hci_chan_del+0x14f/0x190
[ 63.285881][ T6863]  ? preempt_schedule_thunk+0x16/0x18
[ 63.291501][ T6863]  ? trace_hardirqs_on+0x55/0x220
[ 63.296516][ T6863]  ? hci_chan_del+0x14f/0x190
[ 63.301616][ T6863]  ? hci_chan_del+0x14f/0x190
[ 63.306279][ T6863]  end_report+0x4d/0x53
[ 63.310427][ T6863]  kasan_report.cold+0xd/0x37
[ 63.315226][ T6863]  ? hci_chan_del+0x14f/0x190
[ 63.320022][ T6863]  hci_chan_del+0x14f/0x190
[ 63.324649][ T6863]  l2cap_conn_del+0x61b/0x9e0
[ 63.329316][ T6863]  ? l2cap_conn_del+0x9e0/0x9e0
[ 63.334155][ T6863]  l2cap_disconn_cfm+0x85/0xa0
[ 63.338906][ T6863]  hci_conn_hash_flush+0x114/0x220
[ 63.344117][ T6863]  hci_dev_do_close+0x5c6/0x1080
[ 63.349048][ T6863]  ? hci_dev_open+0x350/0x350
[ 63.353715][ T6863]  ? do_raw_read_unlock+0x70/0x70
[ 63.358895][ T6863]  ? try_to_grab_pending.part.0+0x7d0/0x7d0
[ 63.364955][ T6863]  hci_unregister_dev+0x1bd/0xe30
[ 63.370147][ T6863]  ? fcntl_setlk+0xf60/0xf60
[ 63.375173][ T6863]  ? lock_is_held_type+0xbb/0xf0
[ 63.380195][ T6863]  vhci_release+0x70/0xe0
[ 63.385063][ T6863]  __fput+0x285/0x920
[ 63.389125][ T6863]  ? vhci_close_dev+0x50/0x50
[ 63.393795][ T6863]  task_work_run+0xdd/0x190
[ 63.398292][ T6863]  do_exit+0xb7d/0x29f0
[ 63.402479][ T6863]  ? mm_update_next_owner+0x7a0/0x7a0
[ 63.408196][ T6863]  ? vmacache_update+0xce/0x140
[ 63.413251][ T6863]  ? lock_is_held_type+0xbb/0xf0
[ 63.418225][ T6863]  do_group_exit+0x125/0x310
[ 63.422978][ T6863]  __ia32_sys_exit_group+0x3a/0x50
[ 63.428163][ T6863]  __do_fast_syscall_32+0x57/0x80
[ 63.433348][ T6863]  do_fast_syscall_32+0x2f/0x70
[ 63.438321][ T6863]  entry_SYSENTER_compat_after_hwframe+0x4d/0x5c
[ 63.444732][ T6863] RIP: 0023:0xf7fbe549
[ 63.449196][ T6863] Code: Bad RIP value.
[ 63.453315][ T6863] RSP: 002b:00000000fff6064c EFLAGS: 00000292 ORIG_RAX: 00000000000000fc
[ 63.461972][ T6863] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00000000080fd318
[ 63.469930][ T6863] RDX: 0000000000000000 RSI: 00000000080e32c0 RDI: 00000000080fd320
[ 63.478034][ T6863] RBP: 0000000000000001 R08: 0000000000000000 R09: 0000000000000000
[ 63.485998][ T6863] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[ 63.493954][ T6863] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 63.503624][ T6863] Kernel Offset: disabled
[ 63.508049][ T6863] Rebooting in 86400 seconds..