[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
Starting Load/Save RF Kill Switch Status...
[ OK ] Started Load/Save RF Kill Switch Status.
[ OK ] Started Update UTMP about System Runlevel Changes.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.1.35' (ECDSA) to the list of known hosts.

syzkaller login: [ 32.394154] IPVS: ftp: loaded support on port[0] = 21
executing program
[ 32.507692] Bluetooth: hci0 hardware error 0xff
[ 32.516279]
[ 32.517932] =========================
[ 32.521709] WARNING: held lock freed!
[ 32.525483] 4.14.294-syzkaller #0 Not tainted
[ 32.529967] -------------------------
[ 32.533747] kworker/u5:2/7972 is freeing memory ffff888095be1500-ffff888095be1cff, with a lock still held there!
[ 32.544032] (&chan->lock/1){+.+.}, at: [] l2cap_conn_del+0x363/0x690
[ 32.552165] 7 locks held by kworker/u5:2/7972:
[ 32.556719]  #0: ("%s"hdev->name){+.+.}, at: [] process_one_work+0x6b0/0x14a0
[ 32.565626]  #1: ((&hdev->error_reset)){+.+.}, at: [] process_one_work+0x6e6/0x14a0
[ 32.575053]  #2: (&hdev->req_lock){+.+.}, at: [] hci_dev_do_close+0xa8/0xd80
[ 32.583877]  #3: (&hdev->lock){+.+.}, at: [] hci_dev_do_close+0x264/0xd80
[ 32.592434]  #4: (hci_cb_list_lock){+.+.}, at: [] hci_conn_hash_flush+0xda/0x260
[ 32.601601]  #5: (&conn->chan_lock){+.+.}, at: [] l2cap_conn_del+0x2aa/0x690
[ 32.610419]  #6: (&chan->lock/1){+.+.}, at: [] l2cap_conn_del+0x363/0x690
[ 32.618995]
[ 32.618995] stack backtrace:
[ 32.623469] CPU: 0 PID: 7972 Comm: kworker/u5:2 Not tainted 4.14.294-syzkaller #0
[ 32.631063] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/26/2022
[ 32.640401] Workqueue: hci0 hci_error_reset
[ 32.644698] Call Trace:
[ 32.647266]  dump_stack+0x1b2/0x281
[ 32.650873]  debug_check_no_locks_freed.cold+0x9c/0xa8
[ 32.656126]  ? rcu_lockdep_current_cpu_online+0xed/0x140
[ 32.661552]  kfree+0xac/0x250
[ 32.664641]  l2cap_chan_put+0x1c2/0x250
[ 32.668619]  l2cap_conn_del+0x3aa/0x690
[ 32.672574]  ? l2cap_conn_del+0x690/0x690
[ 32.676698]  l2cap_disconn_cfm+0x7c/0xb0
[ 32.680752]  hci_conn_hash_flush+0x127/0x260
[ 32.685139]  hci_dev_do_close+0x57d/0xd80
[ 32.689366]  ? lock_acquire+0x170/0x3f0
[ 32.693321]  hci_error_reset+0xa3/0x120
[ 32.697273]  process_one_work+0x793/0x14a0
[ 32.701485]  ? work_busy+0x320/0x320
[ 32.705175]  ? worker_thread+0x158/0xff0
[ 32.709212]  ? _raw_spin_unlock_irq+0x24/0x80
[ 32.713683]  worker_thread+0x5cc/0xff0
[ 32.717550]  ? rescuer_thread+0xc80/0xc80
[ 32.721680]  kthread+0x30d/0x420
[ 32.725024]  ? kthread_create_on_node+0xd0/0xd0
[ 32.729682]  ret_from_fork+0x24/0x30
[ 32.733780] ==================================================================
[ 32.741142] BUG: KASAN: use-after-free in __mutex_unlock_slowpath+0x5bd/0x770
[ 32.748404] Read of size 8 at addr ffff888095be1988 by task kworker/u5:2/7972
[ 32.755658]
[ 32.757274] CPU: 0 PID: 7972 Comm: kworker/u5:2 Not tainted 4.14.294-syzkaller #0
[ 32.764876] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/26/2022
[ 32.774224] Workqueue: hci0 hci_error_reset
[ 32.778522] Call Trace:
[ 32.781089]  dump_stack+0x1b2/0x281
[ 32.784697]  print_address_description.cold+0x54/0x1d3
[ 32.790047]  kasan_report_error.cold+0x8a/0x191
[ 32.794694]  ? __mutex_unlock_slowpath+0x5bd/0x770
[ 32.800339]  __asan_report_load8_noabort+0x68/0x70
[ 32.805248]  ? __mutex_unlock_slowpath+0x5bd/0x770
[ 32.810167]  __mutex_unlock_slowpath+0x5bd/0x770
[ 32.814904]  ? kfree+0x15d/0x250
[ 32.818248]  ? wait_for_completion_io+0x10/0x10
[ 32.822905]  l2cap_conn_del+0x3b2/0x690
[ 32.826863]  ? l2cap_conn_del+0x690/0x690
[ 32.830988]  l2cap_disconn_cfm+0x7c/0xb0
[ 32.835029]  hci_conn_hash_flush+0x127/0x260
[ 32.839415]  hci_dev_do_close+0x57d/0xd80
[ 32.843547]  ? lock_acquire+0x170/0x3f0
[ 32.847506]  hci_error_reset+0xa3/0x120
[ 32.851482]  process_one_work+0x793/0x14a0
[ 32.855694]  ? work_busy+0x320/0x320
[ 32.859388]  ? worker_thread+0x158/0xff0
[ 32.863426]  ? _raw_spin_unlock_irq+0x24/0x80
[ 32.867897]  worker_thread+0x5cc/0xff0
[ 32.871767]  ? rescuer_thread+0xc80/0xc80
[ 32.875908]  kthread+0x30d/0x420
[ 32.879250]  ? kthread_create_on_node+0xd0/0xd0
[ 32.883914]  ret_from_fork+0x24/0x30
[ 32.887604]
[ 32.889207] Allocated by task 7972:
[ 32.892815]  kasan_kmalloc+0xeb/0x160
[ 32.896591]  kmem_cache_alloc_trace+0x131/0x3d0
[ 32.901234]  l2cap_chan_create+0x3e/0x580
[ 32.905355]  amp_mgr_create+0x94/0x930
[ 32.909217]  a2mp_channel_create+0x6e/0x140
[ 32.913515]  l2cap_recv_frame+0x43e2/0x93d0
[ 32.917834]  l2cap_recv_acldata+0x8f9/0xa30
[ 32.922130]  hci_rx_work+0x403/0xb40
[ 32.925831]  process_one_work+0x793/0x14a0
[ 32.930048]  worker_thread+0x5cc/0xff0
[ 32.933913]  kthread+0x30d/0x420
[ 32.937257]  ret_from_fork+0x24/0x30
[ 32.940943]
[ 32.942548] Freed by task 7972:
[ 32.945804]  kasan_slab_free+0xc3/0x1a0
[ 32.949755]  kfree+0xc9/0x250
[ 32.952844]  l2cap_chan_put+0x1c2/0x250
[ 32.956797]  l2cap_conn_del+0x3aa/0x690
[ 32.960749]  l2cap_disconn_cfm+0x7c/0xb0
[ 32.964789]  hci_conn_hash_flush+0x127/0x260
[ 32.969176]  hci_dev_do_close+0x57d/0xd80
[ 32.973299]  hci_error_reset+0xa3/0x120
[ 32.977251]  process_one_work+0x793/0x14a0
[ 32.981460]  worker_thread+0x5cc/0xff0
[ 32.985338]  kthread+0x30d/0x420
[ 32.988683]  ret_from_fork+0x24/0x30
[ 32.992384]
[ 32.993993] The buggy address belongs to the object at ffff888095be1500
[ 32.993993]  which belongs to the cache kmalloc-2048 of size 2048
[ 33.006818] The buggy address is located 1160 bytes inside of
[ 33.006818]  2048-byte region [ffff888095be1500, ffff888095be1d00)
[ 33.018838] The buggy address belongs to the page:
[ 33.023741] page:ffffea000256f800 count:1 mapcount:0 mapping:ffff888095be0400 index:0x0 compound_mapcount: 0
[ 33.033696] flags: 0xfff00000008100(slab|head)
[ 33.038256] raw: 00fff00000008100 ffff888095be0400 0000000000000000 0000000100000003
[ 33.046129] raw: ffffea0002d144a0 ffff88813fe64948 ffff88813fe74c40 0000000000000000
[ 33.053980] page dumped because: kasan: bad access detected
[ 33.059662]
[ 33.061265] Memory state around the buggy address:
[ 33.066171]  ffff888095be1880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 33.073505]  ffff888095be1900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 33.080853] >ffff888095be1980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 33.088184]                       ^
[ 33.091788]  ffff888095be1a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 33.099125]  ffff888095be1a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 33.106472] ==================================================================
[ 33.114661] Kernel panic - not syncing: panic_on_warn set ...
[ 33.114661]
[ 33.122030] CPU: 0 PID: 7972 Comm: kworker/u5:2 Tainted: G B 4.14.294-syzkaller #0
[ 33.130850] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/26/2022
[ 33.140195] Workqueue: hci0 hci_error_reset
[ 33.144493] Call Trace:
[ 33.147056]  dump_stack+0x1b2/0x281
[ 33.150659]  panic+0x1f9/0x42d
[ 33.153841]  ? add_taint.cold+0x16/0x16
[ 33.157807]  ? ___preempt_schedule+0x16/0x18
[ 33.162189]  kasan_end_report+0x43/0x49
[ 33.166135]  kasan_report_error.cold+0xa7/0x191
[ 33.170777]  ? __mutex_unlock_slowpath+0x5bd/0x770
[ 33.175680]  __asan_report_load8_noabort+0x68/0x70
[ 33.180581]  ? __mutex_unlock_slowpath+0x5bd/0x770
[ 33.185487]  __mutex_unlock_slowpath+0x5bd/0x770
[ 33.190217]  ? kfree+0x15d/0x250
[ 33.193556]  ? wait_for_completion_io+0x10/0x10
[ 33.198198]  l2cap_conn_del+0x3b2/0x690
[ 33.202148]  ? l2cap_conn_del+0x690/0x690
[ 33.206277]  l2cap_disconn_cfm+0x7c/0xb0
[ 33.210317]  hci_conn_hash_flush+0x127/0x260
[ 33.214700]  hci_dev_do_close+0x57d/0xd80
[ 33.218825]  ? lock_acquire+0x170/0x3f0
[ 33.222780]  hci_error_reset+0xa3/0x120
[ 33.226745]  process_one_work+0x793/0x14a0
[ 33.230954]  ? work_busy+0x320/0x320
[ 33.234642]  ? worker_thread+0x158/0xff0
[ 33.238684]  ? _raw_spin_unlock_irq+0x24/0x80
[ 33.243152]  worker_thread+0x5cc/0xff0
[ 33.247013]  ? rescuer_thread+0xc80/0xc80
[ 33.251135]  kthread+0x30d/0x420
[ 33.254478]  ? kthread_create_on_node+0xd0/0xd0
[ 33.259123]  ret_from_fork+0x24/0x30
[ 33.262986] Kernel Offset: disabled
[ 33.266592] Rebooting in 86400 seconds..