[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
[ OK ] Started Update UTMP about System Runlevel Changes.
Starting Load/Save RF Kill Switch Status...
[ OK ] Started Load/Save RF Kill Switch Status.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.0.25' (ECDSA) to the list of known hosts.

syzkaller login: [ 69.265903][ T8492] IPVS: ftp: loaded support on port[0] = 21
executing program
[ 69.364738][ T8525] ==================================================================
[ 69.374329][ T8525] BUG: KASAN: use-after-free in hci_chan_del+0x1c5/0x200
[ 69.381370][ T8525] Read of size 8 at addr ffff888015337918 by task syz-executor033/8525
[ 69.389630][ T8525]
[ 69.392092][ T8525] CPU: 1 PID: 8525 Comm: syz-executor033 Not tainted 5.10.0-rc3-syzkaller #0
[ 69.400972][ T8525] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 69.411021][ T8525] Call Trace:
[ 69.414316][ T8525]  dump_stack+0x107/0x163
[ 69.418630][ T8525]  ? hci_chan_del+0x1c5/0x200
[ 69.423375][ T8525]  ? hci_chan_del+0x1c5/0x200
[ 69.428033][ T8525]  print_address_description.constprop.0.cold+0xae/0x4c8
[ 69.435041][ T8525]  ? _raw_spin_lock_irqsave+0x4e/0x50
[ 69.440399][ T8525]  ? vprintk_func+0x95/0x1e0
[ 69.444986][ T8525]  ? hci_chan_del+0x1c5/0x200
[ 69.449646][ T8525]  ? hci_chan_del+0x1c5/0x200
[ 69.454326][ T8525]  kasan_report.cold+0x1f/0x37
[ 69.459086][ T8525]  ? hci_chan_del+0x1c5/0x200
[ 69.463758][ T8525]  hci_chan_del+0x1c5/0x200
[ 69.468250][ T8525]  l2cap_conn_del+0x478/0x7b0
[ 69.472950][ T8525]  ? l2cap_conn_del+0x7b0/0x7b0
[ 69.477783][ T8525]  l2cap_disconn_cfm+0x98/0xd0
[ 69.482543][ T8525]  hci_conn_hash_flush+0x127/0x260
[ 69.487642][ T8525]  hci_dev_do_close+0x569/0x1110
[ 69.492603][ T8525]  ? hci_dev_open+0x300/0x300
[ 69.497275][ T8525]  ? do_raw_read_unlock+0x70/0x70
[ 69.502280][ T8525]  ? try_to_grab_pending+0xd0/0xd0
[ 69.507384][ T8525]  hci_unregister_dev+0x223/0xfe0
[ 69.512410][ T8525]  ? fcntl_setlk+0xf10/0xf10
[ 69.516988][ T8525]  vhci_release+0x70/0xe0
[ 69.521328][ T8525]  __fput+0x285/0x920
[ 69.525305][ T8525]  ? vhci_close_dev+0x50/0x50
[ 69.530414][ T8525]  task_work_run+0xdd/0x190
[ 69.534910][ T8525]  do_exit+0xb64/0x29b0
[ 69.539067][ T8525]  ? find_held_lock+0x2d/0x110
[ 69.543901][ T8525]  ? mm_update_next_owner+0x7a0/0x7a0
[ 69.549261][ T8525]  ? get_signal+0x34f/0x1f00
[ 69.553835][ T8525]  ? lock_downgrade+0x6d0/0x6d0
[ 69.558694][ T8525]  do_group_exit+0x125/0x310
[ 69.563271][ T8525]  get_signal+0x428/0x1f00
[ 69.567682][ T8525]  ? _raw_spin_unlock_irqrestore+0x42/0x50
[ 69.573480][ T8525]  arch_do_signal+0x82/0x2390
[ 69.578142][ T8525]  ? kfree+0xdb/0x360
[ 69.582200][ T8525]  ? copy_siginfo_to_user32+0xa0/0xa0
[ 69.587576][ T8525]  ? __do_sys_futex+0x2a2/0x470
[ 69.592436][ T8525]  ? do_futex+0x1a60/0x1a60
[ 69.596955][ T8525]  exit_to_user_mode_prepare+0x100/0x1a0
[ 69.602582][ T8525]  syscall_exit_to_user_mode+0x38/0x260
[ 69.608136][ T8525]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 69.614016][ T8525] RIP: 0033:0x4468b9
[ 69.617959][ T8525] Code: Unable to access opcode bytes at RIP 0x44688f.
[ 69.624802][ T8525] RSP: 002b:00007ff435fccdb8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
[ 69.633348][ T8525] RAX: fffffffffffffe00 RBX: 00000000006dbc38 RCX: 00000000004468b9
[ 69.641366][ T8525] RDX: 0000000000000000 RSI: 0000000000000080 RDI: 00000000006dbc38
[ 69.649343][ T8525] RBP: 00000000006dbc30 R08: 0000000000000000 R09: 0000000000000000
[ 69.657317][ T8525] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dbc3c
[ 69.665275][ T8525] R13: 00007ffcbf363e5f R14: 00007ff435fcd9c0 R15: 00000000006dbc3c
[ 69.673243][ T8525]
[ 69.675554][ T8525] Allocated by task 2042:
[ 69.679890][ T8525]  kasan_save_stack+0x1b/0x40
[ 69.684563][ T8525]  __kasan_kmalloc.constprop.0+0xc2/0xd0
[ 69.690200][ T8525]  hci_chan_create+0xaa/0x3c0
[ 69.694894][ T8525]  l2cap_conn_add.part.0+0x1e/0xdf0
[ 69.700074][ T8525]  l2cap_connect_cfm+0x5be/0xf50
[ 69.704999][ T8525]  le_conn_complete_evt+0x123d/0x18a0
[ 69.710353][ T8525]  hci_le_meta_evt+0x433/0x4400
[ 69.715190][ T8525]  hci_event_packet+0x5d9/0x7d60
[ 69.720124][ T8525]  hci_rx_work+0x511/0xd30
[ 69.724541][ T8525]  process_one_work+0x933/0x15a0
[ 69.729469][ T8525]  worker_thread+0x64c/0x1120
[ 69.734142][ T8525]  kthread+0x3af/0x4a0
[ 69.738728][ T8525]  ret_from_fork+0x1f/0x30
[ 69.743123][ T8525]
[ 69.745434][ T8525] Freed by task 8496:
[ 69.749399][ T8525]  kasan_save_stack+0x1b/0x40
[ 69.754059][ T8525]  kasan_set_track+0x1c/0x30
[ 69.758670][ T8525]  kasan_set_free_info+0x1b/0x30
[ 69.763588][ T8525]  __kasan_slab_free+0x102/0x140
[ 69.768505][ T8525]  slab_free_freelist_hook+0x5d/0x150
[ 69.773858][ T8525]  kfree+0xdb/0x360
[ 69.777657][ T8525]  hci_disconn_loglink_complete_evt.isra.0+0x1cf/0x240
[ 69.784487][ T8525]  hci_event_packet+0x2ded/0x7d60
[ 69.789502][ T8525]  hci_rx_work+0x511/0xd30
[ 69.793901][ T8525]  process_one_work+0x933/0x15a0
[ 69.798820][ T8525]  worker_thread+0x64c/0x1120
[ 69.803480][ T8525]  kthread+0x3af/0x4a0
[ 69.807532][ T8525]  ret_from_fork+0x1f/0x30
[ 69.811963][ T8525]
[ 69.814275][ T8525] The buggy address belongs to the object at ffff888015337900
[ 69.814275][ T8525]  which belongs to the cache kmalloc-128 of size 128
[ 69.828318][ T8525] The buggy address is located 24 bytes inside of
[ 69.828318][ T8525]  128-byte region [ffff888015337900, ffff888015337980)
[ 69.841486][ T8525] The buggy address belongs to the page:
[ 69.847119][ T8525] page:00000000a4b08fa7 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x15337
[ 69.857443][ T8525] flags: 0xfff00000000200(slab)
[ 69.862283][ T8525] raw: 00fff00000000200 ffffea00007ff480 0000000c0000000c ffff888010041640
[ 69.870861][ T8525] raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000
[ 69.879422][ T8525] page dumped because: kasan: bad access detected
[ 69.885810][ T8525]
[ 69.888114][ T8525] Memory state around the buggy address:
[ 69.893725][ T8525]  ffff888015337800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 69.901783][ T8525]  ffff888015337880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 69.909832][ T8525] >ffff888015337900: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 69.917877][ T8525]                             ^
[ 69.922725][ T8525]  ffff888015337980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 69.930767][ T8525]  ffff888015337a00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 69.938837][ T8525] ==================================================================
[ 69.947052][ T8525] Disabling lock debugging due to kernel taint
[ 69.953932][ T8525] Kernel panic - not syncing: panic_on_warn set ...
[ 69.960528][ T8525] CPU: 1 PID: 8525 Comm: syz-executor033 Tainted: G B 5.10.0-rc3-syzkaller #0
[ 69.970667][ T8525] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 69.980716][ T8525] Call Trace:
[ 69.984054][ T8525]  dump_stack+0x107/0x163
[ 69.988363][ T8525]  ? hci_chan_del+0xd0/0x200
[ 69.992928][ T8525]  panic+0x306/0x73d
[ 69.996809][ T8525]  ? __warn_printk+0xf3/0xf3
[ 70.001376][ T8525]  ? preempt_schedule_common+0x59/0xc0
[ 70.006813][ T8525]  ? hci_chan_del+0x1c5/0x200
[ 70.011479][ T8525]  ? preempt_schedule_thunk+0x16/0x18
[ 70.016828][ T8525]  ? trace_hardirqs_on+0x51/0x1c0
[ 70.021830][ T8525]  ? hci_chan_del+0x1c5/0x200
[ 70.026482][ T8525]  ? hci_chan_del+0x1c5/0x200
[ 70.031138][ T8525]  end_report+0x58/0x5e
[ 70.035273][ T8525]  kasan_report.cold+0xd/0x37
[ 70.039927][ T8525]  ? hci_chan_del+0x1c5/0x200
[ 70.044595][ T8525]  hci_chan_del+0x1c5/0x200
[ 70.049079][ T8525]  l2cap_conn_del+0x478/0x7b0
[ 70.053735][ T8525]  ? l2cap_conn_del+0x7b0/0x7b0
[ 70.058560][ T8525]  l2cap_disconn_cfm+0x98/0xd0
[ 70.063317][ T8525]  hci_conn_hash_flush+0x127/0x260
[ 70.068419][ T8525]  hci_dev_do_close+0x569/0x1110
[ 70.073397][ T8525]  ? hci_dev_open+0x300/0x300
[ 70.078052][ T8525]  ? do_raw_read_unlock+0x70/0x70
[ 70.083052][ T8525]  ? try_to_grab_pending+0xd0/0xd0
[ 70.088141][ T8525]  hci_unregister_dev+0x223/0xfe0
[ 70.093146][ T8525]  ? fcntl_setlk+0xf10/0xf10
[ 70.097729][ T8525]  vhci_release+0x70/0xe0
[ 70.102040][ T8525]  __fput+0x285/0x920
[ 70.106006][ T8525]  ? vhci_close_dev+0x50/0x50
[ 70.110758][ T8525]  task_work_run+0xdd/0x190
[ 70.115330][ T8525]  do_exit+0xb64/0x29b0
[ 70.119478][ T8525]  ? find_held_lock+0x2d/0x110
[ 70.124222][ T8525]  ? mm_update_next_owner+0x7a0/0x7a0
[ 70.130187][ T8525]  ? get_signal+0x34f/0x1f00
[ 70.134759][ T8525]  ? lock_downgrade+0x6d0/0x6d0
[ 70.139687][ T8525]  do_group_exit+0x125/0x310
[ 70.144264][ T8525]  get_signal+0x428/0x1f00
[ 70.148671][ T8525]  ? _raw_spin_unlock_irqrestore+0x42/0x50
[ 70.154456][ T8525]  arch_do_signal+0x82/0x2390
[ 70.159124][ T8525]  ? kfree+0xdb/0x360
[ 70.163085][ T8525]  ? copy_siginfo_to_user32+0xa0/0xa0
[ 70.168434][ T8525]  ? __do_sys_futex+0x2a2/0x470
[ 70.173263][ T8525]  ? do_futex+0x1a60/0x1a60
[ 70.177752][ T8525]  exit_to_user_mode_prepare+0x100/0x1a0
[ 70.183370][ T8525]  syscall_exit_to_user_mode+0x38/0x260
[ 70.188894][ T8525]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 70.194778][ T8525] RIP: 0033:0x4468b9
[ 70.198643][ T8525] Code: Unable to access opcode bytes at RIP 0x44688f.
[ 70.205478][ T8525] RSP: 002b:00007ff435fccdb8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
[ 70.213930][ T8525] RAX: fffffffffffffe00 RBX: 00000000006dbc38 RCX: 00000000004468b9
[ 70.221895][ T8525] RDX: 0000000000000000 RSI: 0000000000000080 RDI: 00000000006dbc38
[ 70.229846][ T8525] RBP: 00000000006dbc30 R08: 0000000000000000 R09: 0000000000000000
[ 70.237847][ T8525] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dbc3c
[ 70.245799][ T8525] R13: 00007ffcbf363e5f R14: 00007ff435fcd9c0 R15: 00000000006dbc3c
[ 70.254717][ T8525] Kernel Offset: disabled
[ 70.259035][ T8525] Rebooting in 86400 seconds..