[  OK  ] Reached target Timers.
         Starting Permit User Sessions...
         Starting getty on tty2-tty6 if dbus and logind are not available...
[  OK  ] Started Permit User Sessions.
[  OK  ] Started Getty on tty1.
[  OK  ] Started System Logging Service.
[  OK  ] Started Getty on tty2.
[  OK  ] Found device /dev/ttyS0.
[  OK  ] Started getty on tty2-tty6 if dbus and logind are not available.
[  OK  ] Started OpenBSD Secure Shell server.
[  OK  ] Listening on Load/Save RF Kill Switch Status /dev/rfkill Watch.
[  OK  ] Started Getty on tty6.
[  OK  ] Started Getty on tty5.
[  OK  ] Started Getty on tty4.
[  OK  ] Started Getty on tty3.
[  OK  ] Started Serial Getty on ttyS0.
[  OK  ] Reached target Login Prompts.
[  OK  ] Reached target Multi-User System.
[  OK  ] Reached target Graphical Interface.
         Starting Update UTMP about System Runlevel Changes...

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.0.249' (ECDSA) to the list of known hosts.

syzkaller login: [   42.769827][ T6824] IPVS: ftp: loaded support on port[0] = 21
executing program
[   43.878037][ T6824] ==================================================================
[   43.886948][ T6824] BUG: KASAN: use-after-free in hci_chan_del+0x33/0x130
[   43.893906][ T6824] Read of size 8 at addr ffff8880a2976918 by task syz-executor405/6824
[   43.902260][ T6824] 
[   43.904934][ T6824] CPU: 0 PID: 6824 Comm: syz-executor405 Not tainted 5.8.0-syzkaller #0
[   43.913764][ T6824] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   43.923924][ T6824] Call Trace:
[   43.927277][ T6824]  dump_stack+0x1f0/0x31e
[   43.931631][ T6824]  print_address_description+0x66/0x620
[   43.937289][ T6824]  ? printk+0x62/0x83
[   43.941383][ T6824]  ? vprintk_emit+0x339/0x3c0
[   43.946460][ T6824]  kasan_report+0x132/0x1d0
[   43.951254][ T6824]  ? hci_chan_del+0x33/0x130
[   43.955863][ T6824]  hci_chan_del+0x33/0x130
[   43.960635][ T6824]  l2cap_conn_del+0x4c2/0x650
[   43.965518][ T6824]  ? l2cap_connect_cfm+0x12b0/0x12b0
[   43.970832][ T6824]  hci_conn_hash_flush+0x127/0x200
[   43.976168][ T6824]  hci_dev_do_close+0xb7b/0x1040
[   43.981143][ T6824]  hci_unregister_dev+0x185/0x1590
[   43.986410][ T6824]  vhci_release+0x73/0xc0
[   43.990755][ T6824]  ? vhci_open+0x290/0x290
[   43.995263][ T6824]  __fput+0x34f/0x7b0
[   43.999740][ T6824]  task_work_run+0x137/0x1c0
[   44.004334][ T6824]  do_exit+0x5f3/0x1f20
[   44.008489][ T6824]  ? lock_is_held_type+0xb3/0xe0
[   44.013704][ T6824]  do_group_exit+0x161/0x2d0
[   44.018302][ T6824]  ? syscall_enter_from_user_mode+0x24/0x190
[   44.024277][ T6824]  __do_sys_exit_group+0x13/0x20
[   44.029494][ T6824]  __se_sys_exit_group+0x10/0x10
[   44.034434][ T6824]  __x64_sys_exit_group+0x37/0x40
[   44.040408][ T6824]  do_syscall_64+0x31/0x70
[   44.045229][ T6824]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[   44.051419][ T6824] RIP: 0033:0x445108
[   44.055302][ T6824] Code: Bad RIP value.
[   44.059356][ T6824] RSP: 002b:00007ffe956c7848 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[   44.067843][ T6824] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 0000000000445108
[   44.076137][ T6824] RDX: 0000000000000001 RSI: 000000000000003c RDI: 0000000000000001
[   44.084115][ T6824] RBP: 00000000004cced0 R08: 00000000000000e7 R09: ffffffffffffffd0
[   44.092263][ T6824] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001
[   44.100233][ T6824] R13: 00000000006e0220 R14: 0000000000000000 R15: 0000000000000000
[   44.108204][ T6824] 
[   44.110523][ T6824] Allocated by task 6853:
[   44.114952][ T6824]  __kasan_kmalloc+0x100/0x130
[   44.119789][ T6824]  kmem_cache_alloc_trace+0x1f6/0x2f0
[   44.125389][ T6824]  hci_chan_create+0x9a/0x270
[   44.130258][ T6824]  l2cap_conn_add+0x66/0xb00
[   44.134841][ T6824]  l2cap_connect_cfm+0xdb/0x12b0
[   44.139766][ T6824]  le_conn_complete_evt+0x88d/0x1380
[   44.145781][ T6824]  hci_event_packet+0x16e3/0x17e10
[   44.150875][ T6824]  hci_rx_work+0x246/0xa20
[   44.155356][ T6824]  process_one_work+0x789/0xfc0
[   44.160278][ T6824]  worker_thread+0xaa4/0x1460
[   44.165200][ T6824]  kthread+0x37e/0x3a0
[   44.169349][ T6824]  ret_from_fork+0x1f/0x30
[   44.173871][ T6824] 
[   44.176187][ T6824] Freed by task 6853:
[   44.180371][ T6824]  kasan_set_track+0x3d/0x70
[   44.184963][ T6824]  kasan_set_free_info+0x17/0x30
[   44.190025][ T6824]  __kasan_slab_free+0xdd/0x110
[   44.195208][ T6824]  kfree+0x10a/0x220
[   44.199182][ T6824]  hci_event_packet+0x2018/0x17e10
[   44.204294][ T6824]  hci_rx_work+0x246/0xa20
[   44.208826][ T6824]  process_one_work+0x789/0xfc0
[   44.213662][ T6824]  worker_thread+0xaa4/0x1460
[   44.218413][ T6824]  kthread+0x37e/0x3a0
[   44.222470][ T6824]  ret_from_fork+0x1f/0x30
[   44.226870][ T6824] 
[   44.229308][ T6824] The buggy address belongs to the object at ffff8880a2976900
[   44.229308][ T6824]  which belongs to the cache kmalloc-128 of size 128
[   44.243344][ T6824] The buggy address is located 24 bytes inside of
[   44.243344][ T6824]  128-byte region [ffff8880a2976900, ffff8880a2976980)
[   44.256595][ T6824] The buggy address belongs to the page:
[   44.262505][ T6824] page:00000000110d63a1 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff8880a2976e00 pfn:0xa2976
[   44.273950][ T6824] flags: 0xfffe0000000200(slab)
[   44.278785][ T6824] raw: 00fffe0000000200 ffffea00027b8448 ffffea00028d3088 ffff8880aa440400
[   44.287453][ T6824] raw: ffff8880a2976e00 ffff8880a2976000 000000010000000a 0000000000000000
[   44.296013][ T6824] page dumped because: kasan: bad access detected
[   44.302478][ T6824] 
[   44.304787][ T6824] Memory state around the buggy address:
[   44.310473][ T6824]  ffff8880a2976800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   44.318521][ T6824]  ffff8880a2976880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   44.326565][ T6824] >ffff8880a2976900: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   44.334867][ T6824]                             ^
[   44.339702][ T6824]  ffff8880a2976980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   44.347904][ T6824]  ffff8880a2976a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   44.355956][ T6824] ==================================================================
[   44.364034][ T6824] Disabling lock debugging due to kernel taint
[   44.371393][ T6824] Kernel panic - not syncing: panic_on_warn set ...
[   44.378007][ T6824] CPU: 0 PID: 6824 Comm: syz-executor405 Tainted: G    B             5.8.0-syzkaller #0
[   44.387719][ T6824] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   44.397776][ T6824] Call Trace:
[   44.401061][ T6824]  dump_stack+0x1f0/0x31e
[   44.405373][ T6824]  panic+0x264/0x7a0
[   44.409264][ T6824]  ? trace_hardirqs_on+0x30/0x80
[   44.414269][ T6824]  kasan_report+0x1c9/0x1d0
[   44.418767][ T6824]  ? hci_chan_del+0x33/0x130
[   44.423343][ T6824]  hci_chan_del+0x33/0x130
[   44.427748][ T6824]  l2cap_conn_del+0x4c2/0x650
[   44.432405][ T6824]  ? l2cap_connect_cfm+0x12b0/0x12b0
[   44.437666][ T6824]  hci_conn_hash_flush+0x127/0x200
[   44.442755][ T6824]  hci_dev_do_close+0xb7b/0x1040
[   44.447676][ T6824]  hci_unregister_dev+0x185/0x1590
[   44.452824][ T6824]  vhci_release+0x73/0xc0
[   44.457308][ T6824]  ? vhci_open+0x290/0x290
[   44.461703][ T6824]  __fput+0x34f/0x7b0
[   44.465666][ T6824]  task_work_run+0x137/0x1c0
[   44.470239][ T6824]  do_exit+0x5f3/0x1f20
[   44.474390][ T6824]  ? lock_is_held_type+0xb3/0xe0
[   44.480141][ T6824]  do_group_exit+0x161/0x2d0
[   44.485838][ T6824]  ? syscall_enter_from_user_mode+0x24/0x190
[   44.491792][ T6824]  __do_sys_exit_group+0x13/0x20
[   44.496704][ T6824]  __se_sys_exit_group+0x10/0x10
[   44.501704][ T6824]  __x64_sys_exit_group+0x37/0x40
[   44.506723][ T6824]  do_syscall_64+0x31/0x70
[   44.511138][ T6824]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[   44.518114][ T6824] RIP: 0033:0x445108
[   44.521982][ T6824] Code: Bad RIP value.
[   44.526034][ T6824] RSP: 002b:00007ffe956c7848 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[   44.534632][ T6824] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 0000000000445108
[   44.542581][ T6824] RDX: 0000000000000001 RSI: 000000000000003c RDI: 0000000000000001
[   44.550624][ T6824] RBP: 00000000004cced0 R08: 00000000000000e7 R09: ffffffffffffffd0
[   44.558614][ T6824] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001
[   44.566605][ T6824] R13: 00000000006e0220 R14: 0000000000000000 R15: 0000000000000000
[   44.576047][ T6824] Kernel Offset: disabled
[   44.580406][ T6824] Rebooting in 86400 seconds..
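The "Memory state around the buggy address" block is the part of a KASAN report that confirms the use-after-free independently of the stack traces: one shadow byte describes each 8-byte granule, the 128-byte kmalloc-128 object at ffff8880a2976900 is entirely poisoned as freed, and the 8-byte read at offset 24 lands in a freed granule. The script below is an added example, not part of the syzkaller report or of the kernel; it decodes that block and cross-checks it against the "Read of size 8 at addr ..." header and the "located 24 bytes inside of 128-byte region" lines. The poison-value meanings are taken from mm/kasan/kasan.h for generic KASAN of the 5.8/5.9 era and are stated as an assumption to verify against the exact tree; the sample input is the relevant lines copied from the report above.

```python
import re

GRANULE = 8   # bytes of kernel memory described by one KASAN shadow byte

# Poison values as defined in mm/kasan/kasan.h (generic KASAN, 5.8/5.9 era).
# Assumption: the report was produced by such a kernel; re-check for others.
POISON = {
    0xfa: "freed, first granule carrying free-track metadata (KASAN_KMALLOC_FREETRACK)",
    0xfb: "freed (KASAN_KMALLOC_FREE)",
    0xfc: "kmalloc redzone between slab objects (KASAN_KMALLOC_REDZONE)",
    0xfe: "redzone of a page-sized allocation (KASAN_PAGE_REDZONE)",
    0xff: "freed page (KASAN_FREE_PAGE)",
}
FREED = {0xfa, 0xfb}

PREFIX_RE = re.compile(r"^\[\s*[\d.]+\]\[\s*T\d+\]\s?")          # "[   44.31][ T6824] "
STATE_RE = re.compile(r"^>?\s*([0-9a-f]{16}):((?:\s+[0-9a-f]{2}){16})\s*$")
ACCESS_RE = re.compile(r"(Read|Write) of size (\d+) at addr ([0-9a-f]{16})")
REGION_RE = re.compile(r"located (\d+) bytes inside of\s+(\d+)-byte region "
                       r"\[([0-9a-f]{16}), ([0-9a-f]{16})\)")

# Lines copied from the report above (kernel log prefixes kept on purpose).
REPORT = """\
[   43.893906][ T6824] Read of size 8 at addr ffff8880a2976918 by task syz-executor405/6824
[   44.243344][ T6824] The buggy address is located 24 bytes inside of
[   44.243344][ T6824]  128-byte region [ffff8880a2976900, ffff8880a2976980)
[   44.304787][ T6824] Memory state around the buggy address:
[   44.310473][ T6824]  ffff8880a2976800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   44.318521][ T6824]  ffff8880a2976880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   44.326565][ T6824] >ffff8880a2976900: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   44.334867][ T6824]                             ^
[   44.339702][ T6824]  ffff8880a2976980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   44.347904][ T6824]  ffff8880a2976a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
"""


def strip_prefix(line):
    return PREFIX_RE.sub("", line)


def parse_shadow(report):
    """Map each 8-byte granule address in the memory-state dump to its shadow byte."""
    shadow = {}
    for raw in report.splitlines():
        m = STATE_RE.match(strip_prefix(raw))
        if m:
            base = int(m.group(1), 16)
            for i, tok in enumerate(m.group(2).split()):
                shadow[base + i * GRANULE] = int(tok, 16)
    return shadow


def meaning(val):
    if val == 0:
        return "addressable"
    if 1 <= val < GRANULE:
        return f"partially addressable, first {val} bytes valid"
    return POISON.get(val, f"other poison 0x{val:02x}")


def check_access(shadow, addr, size):
    """Walk every granule the access touches; return (valid, [(granule, byte, meaning)])."""
    valid, details = True, []
    g, end = addr & ~(GRANULE - 1), addr + size
    while g < end:
        val = shadow.get(g)
        if val is None:
            details.append((g, None, "granule not in dump"))
            valid = False
        else:
            details.append((g, val, meaning(val)))
            # 0x00 allows all 8 bytes, 0x01..0x07 allows that many, poison allows none
            limit = GRANULE if val == 0 else (val if val < GRANULE else 0)
            if min(end, g + GRANULE) - g > limit:
                valid = False
        g += GRANULE
    return valid, details


def analyze(report):
    """Cross-check the access header, the slab-region lines and the shadow dump."""
    text = "\n".join(strip_prefix(l) for l in report.splitlines())
    kind, size, addr = ACCESS_RE.search(text).groups()
    size, addr = int(size), int(addr, 16)
    m = REGION_RE.search(text)
    offset, objsize = int(m.group(1)), int(m.group(2))
    start, end = int(m.group(3), 16), int(m.group(4), 16)
    shadow = parse_shadow(report)
    valid, details = check_access(shadow, addr, size)
    object_freed = all(shadow.get(g) in FREED for g in range(start, end, GRANULE))
    return {
        "access": (kind, size, addr),
        "valid": valid,
        "touched": details,
        "object": (start, end),
        "offset_consistent": addr - start == offset and end - start == objsize,
        "object_freed": object_freed,
        "verdict": ("use-after-free" if object_freed and not valid
                    else "ok" if valid else "invalid access"),
    }


if __name__ == "__main__":
    result = analyze(REPORT)
    for key, value in result.items():
        print(f"{key}: {value}")
```

Running it on the report yields verdict "use-after-free": the read at ffff8880a2976918 hits a granule whose shadow byte is 0xfb, every granule of the [ffff8880a2976900, ffff8880a2976980) object is 0xfa/0xfb, and the 0xfc bytes on either side are the slab redzones, so the object was genuinely freed and not merely out of bounds. The same decoder applies to any generic-KASAN report; only the poison table needs checking when the kernel version changes.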