Warning: Permanently added '10.128.0.238' (ECDSA) to the list of known hosts.
syzkaller login: [ 43.179871][ T6822] IPVS: ftp: loaded support on port[0] = 21
[ 43.187809][ T6818] IPVS: ftp: loaded support on port[0] = 21
[ 43.199962][ T6824] IPVS: ftp: loaded support on port[0] = 21
[ 43.202304][ T6825] IPVS: ftp: loaded support on port[0] = 21
[ 43.213998][ T6826] IPVS: ftp: loaded support on port[0] = 21
[ 43.215890][ T6823] IPVS: ftp: loaded support on port[0] = 21
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
[ 46.454715][ T3855] Bluetooth: hci1: command 0x0409 tx timeout
[ 46.461176][ T3855] Bluetooth: hci0: command 0x0409 tx timeout
[ 46.534639][ T3855] Bluetooth: hci4: command 0x0409 tx timeout
[ 46.544405][ T2706] Bluetooth: hci3: command 0x0409 tx timeout
[ 46.550689][ T2706] Bluetooth: hci5: command 0x0409 tx timeout
[ 46.557233][ T2706] Bluetooth: hci2: command 0x0409 tx timeout
[ 48.533582][ T2706] Bluetooth: hci0: command 0x041b tx timeout
[ 48.539749][ T2706] Bluetooth: hci1: command 0x041b tx timeout
[ 48.613460][ T3855] Bluetooth: hci2: command 0x041b tx timeout
[ 48.619751][ T3855] Bluetooth: hci5: command 0x041b tx timeout
[ 48.623376][ T2706] Bluetooth: hci4: command 0x041b tx timeout
[ 48.626177][ T3855] Bluetooth: hci3: command 0x041b tx timeout
[ 49.439672][ T6961] ==================================================================
[ 49.447805][ T6961] BUG: KASAN: use-after-free in __sco_sock_close+0x47c/0xed0
[ 49.455155][ T6961] Write of size 4 at addr ffff88809191e010 by task syz-executor393/6961
[ 49.463494][ T6961]
[ 49.465832][ T6961] CPU: 0 PID: 6961 Comm: syz-executor393 Not tainted 5.8.0-rc7-syzkaller #0
[ 49.474471][ T6961] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 49.484499][ T6961] Call Trace:
executing program
executing program
[ 49.487803][ T6961]  dump_stack+0x1f0/0x31e
[ 49.492120][ T6961]  print_address_description+0x66/0x5a0
[ 49.497666][ T6961]  ? vprintk_emit+0x342/0x3c0
[ 49.502334][ T6961]  ? printk+0x62/0x83
[ 49.506305][ T6961]  ? vprintk_emit+0x339/0x3c0
[ 49.510956][ T6961]  kasan_report+0x132/0x1d0
[ 49.515443][ T6961]  ? __sco_sock_close+0x47c/0xed0
[ 49.520448][ T6961]  check_memory_region+0x2b5/0x2f0
[ 49.525546][ T6961]  __sco_sock_close+0x47c/0xed0
[ 49.530443][ T6961]  ? local_bh_enable+0x5/0x20
[ 49.535118][ T6961]  sco_sock_release+0x63/0x4f0
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
[ 49.539879][ T6961]  ? down_write+0xcd/0x130
[ 49.544295][ T6961]  sock_close+0xd8/0x260
[ 49.548539][ T6961]  ? sock_mmap+0x90/0x90
[ 49.552774][ T6961]  __fput+0x2f0/0x750
[ 49.556769][ T6961]  task_work_run+0x137/0x1c0
[ 49.561361][ T6961]  do_exit+0x601/0x1f80
[ 49.565531][ T6961]  do_group_exit+0x161/0x2d0
[ 49.570124][ T6961]  get_signal+0x139b/0x1d30
[ 49.574641][ T6961]  do_signal+0x33/0x610
[ 49.578796][ T6961]  ? __prepare_exit_to_usermode+0x81/0x1e0
[ 49.584604][ T6961]  __prepare_exit_to_usermode+0xd7/0x1e0
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
[ 49.590237][ T6961]  ? entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 49.596323][ T6961]  do_syscall_64+0x7f/0xe0
[ 49.600741][ T6961]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 49.606632][ T6961] RIP: 0033:0x446e69
[ 49.610516][ T6961] Code: Bad RIP value.
[ 49.614577][ T6961] RSP: 002b:00007ffde45fd7f8 EFLAGS: 00000246 ORIG_RAX: 000000000000002a
[ 49.623072][ T6961] RAX: fffffffffffffffc RBX: 0000000000000000 RCX: 0000000000446e69
[ 49.631040][ T6961] RDX: 0000000000000008 RSI: 0000000020000000 RDI: 0000000000000004
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
[ 49.638999][ T6961] RBP: 0000000000000004 R08: 0000000000000002 R09: 00000003000000ff
[ 49.646976][ T6961] R10: 0000000000000004 R11: 0000000000000246 R12: 0000000000000000
[ 49.654944][ T6961] R13: 0000000000407ac0 R14: 0000000000000000 R15: 0000000000000000
[ 49.662921][ T6961]
[ 49.665242][ T6961] Allocated by task 6961:
[ 49.669566][ T6961]  __kasan_kmalloc+0x103/0x140
[ 49.674323][ T6961]  kmem_cache_alloc_trace+0x234/0x300
[ 49.679692][ T6961]  hci_conn_add+0x5d/0x1040
[ 49.684193][ T6961]  hci_connect_sco+0x29a/0xa10
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
[ 49.688985][ T6961]  sco_sock_connect+0x2de/0xaa0
[ 49.693834][ T6961]  __sys_connect+0x2da/0x360
[ 49.698417][ T6961]  __x64_sys_connect+0x76/0x80
[ 49.703184][ T6961]  do_syscall_64+0x73/0xe0
[ 49.707598][ T6961]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 49.713476][ T6961]
[ 49.715796][ T6961] Freed by task 6957:
[ 49.719771][ T6961]  __kasan_slab_free+0x114/0x170
[ 49.724704][ T6961]  kfree+0x10a/0x220
[ 49.728595][ T6961]  device_release+0x70/0x1a0
[ 49.733180][ T6961]  kobject_put+0x15b/0x220
[ 49.737592][ T6961]  hci_conn_del+0x2c2/0x550
[ 49.742098][ T6961]  hci_event_packet+0x8335/0x18260
[ 49.747205][ T6961]  hci_rx_work+0x236/0x9c0
[ 49.751617][ T6961]  process_one_work+0x789/0xfc0
[ 49.756460][ T6961]  worker_thread+0xaa4/0x1460
[ 49.761124][ T6961]  kthread+0x37e/0x3a0
[ 49.765171][ T6961]  ret_from_fork+0x1f/0x30
[ 49.769560][ T6961]
[ 49.771925][ T6961] The buggy address belongs to the object at ffff88809191e000
[ 49.771925][ T6961]  which belongs to the cache kmalloc-4k of size 4096
[ 49.785986][ T6961] The buggy address is located 16 bytes inside of
[ 49.785986][ T6961]  4096-byte region [ffff88809191e000, ffff88809191f000)
[ 49.799231][ T6961] The buggy address belongs to the page:
[ 49.804874][ T6961] page:ffffea0002464780 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 head:ffffea0002464780 order:1 compound_mapcount:0
[ 49.818319][ T6961] flags: 0xfffe0000010200(slab|head)
[ 49.823601][ T6961] raw: 00fffe0000010200 ffffea0002489f88 ffffea000249dd08 ffff8880aa402000
[ 49.832185][ T6961] raw: 0000000000000000 ffff88809191e000 0000000100000001 0000000000000000
[ 49.840792][ T6961] page dumped because: kasan: bad access detected
[ 49.847177][ T6961]
[ 49.849478][ T6961] Memory state around the buggy address:
[ 49.855089][ T6961]  ffff88809191df00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 49.863124][ T6961]  ffff88809191df80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 49.871257][ T6961] >ffff88809191e000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 49.879287][ T6961]                    ^
[ 49.883853][ T6961]  ffff88809191e080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 49.891903][ T6961]  ffff88809191e100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 49.899940][ T6961] ==================================================================
[ 49.907988][ T6961] Disabling lock debugging due to kernel taint
[ 49.923044][ T6961] Kernel panic - not syncing: panic_on_warn set ...
[ 49.929638][ T6961] CPU: 0 PID: 6961 Comm: syz-executor393 Tainted: G B 5.8.0-rc7-syzkaller #0
[ 49.939671][ T6961] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 49.949715][ T6961] Call Trace:
[ 49.953001][ T6961]  dump_stack+0x1f0/0x31e
[ 49.957317][ T6961]  panic+0x264/0x7a0
[ 49.961197][ T6961]  ? trace_hardirqs_on+0x30/0x80
[ 49.966107][ T6961]  kasan_report+0x1c9/0x1d0
[ 49.970584][ T6961]  ? __sco_sock_close+0x47c/0xed0
[ 49.975581][ T6961]  check_memory_region+0x2b5/0x2f0
[ 49.980661][ T6961]  __sco_sock_close+0x47c/0xed0
[ 49.985489][ T6961]  ? local_bh_enable+0x5/0x20
[ 49.990138][ T6961]  sco_sock_release+0x63/0x4f0
[ 49.994888][ T6961]  ? down_write+0xcd/0x130
[ 49.999273][ T6961]  sock_close+0xd8/0x260
[ 50.003501][ T6961]  ? sock_mmap+0x90/0x90
[ 50.007719][ T6961]  __fput+0x2f0/0x750
[ 50.011687][ T6961]  task_work_run+0x137/0x1c0
[ 50.016262][ T6961]  do_exit+0x601/0x1f80
[ 50.020392][ T6961]  do_group_exit+0x161/0x2d0
[ 50.024971][ T6961]  get_signal+0x139b/0x1d30
[ 50.029467][ T6961]  do_signal+0x33/0x610
[ 50.033598][ T6961]  ? __prepare_exit_to_usermode+0x81/0x1e0
[ 50.039388][ T6961]  __prepare_exit_to_usermode+0xd7/0x1e0
[ 50.044991][ T6961]  ? entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 50.051042][ T6961]  do_syscall_64+0x7f/0xe0
[ 50.055428][ T6961]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 50.061302][ T6961] RIP: 0033:0x446e69
[ 50.065162][ T6961] Code: Bad RIP value.
[ 50.069202][ T6961] RSP: 002b:00007ffde45fd7f8 EFLAGS: 00000246 ORIG_RAX: 000000000000002a
[ 50.077592][ T6961] RAX: fffffffffffffffc RBX: 0000000000000000 RCX: 0000000000446e69
[ 50.085533][ T6961] RDX: 0000000000000008 RSI: 0000000020000000 RDI: 0000000000000004
[ 50.093474][ T6961] RBP: 0000000000000004 R08: 0000000000000002 R09: 00000003000000ff
[ 50.101429][ T6961] R10: 0000000000000004 R11: 0000000000000246 R12: 0000000000000000
[ 50.109379][ T6961] R13: 0000000000407ac0 R14: 0000000000000000 R15: 0000000000000000
[ 50.118396][ T6961] Kernel Offset: disabled
[ 50.122710][ T6961] Rebooting in 86400 seconds..
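What the report above records, read from its own lines: task 6961 allocated a kmalloc-4k object from connect(2) through sco_sock_connect -> hci_connect_sco -> hci_conn_add; a different task, 6957 (a kernel worker, per the kthread/worker_thread/hci_rx_work frames), freed it through hci_event_packet -> hci_conn_del; the connect then returned -4 (RAX fffffffffffffffc, EINTR; ORIG_RAX 0x2a is connect on x86_64) because a signal was pending, the exiting task closed the socket, and __sco_sock_close wrote 4 bytes at offset 16 of the freed object. Pulling those facts out by hand from a log this noisy is error-prone, so the parser below does it mechanically. It is an added example written for this page, not part of the syzkaller report or of syzbot's own tooling; it assumes the console format shown here (a "[ ts][ Tpid]" prefix, "? " marking stale frames, "Allocated by"/"Freed by" sections ended by a blank line) and runs on a constructed excerpt of the log above. The NOISE list of KASAN/allocator frames to skip is this example's own choice.

```python
import re
# Constructed excerpt of the console log above (prefixes, one "? " frame and an
# interleaved "executing program" line kept on purpose; unneeded lines dropped).
SAMPLE = """\
[ 49.439672][ T6961] ==================================================================
[ 49.447805][ T6961] BUG: KASAN: use-after-free in __sco_sock_close+0x47c/0xed0
[ 49.455155][ T6961] Write of size 4 at addr ffff88809191e010 by task syz-executor393/6961
[ 49.463494][ T6961]
[ 49.484499][ T6961] Call Trace:
executing program
[ 49.487803][ T6961]  dump_stack+0x1f0/0x31e
[ 49.497666][ T6961]  ? vprintk_emit+0x342/0x3c0
[ 49.510956][ T6961]  kasan_report+0x132/0x1d0
[ 49.520448][ T6961]  check_memory_region+0x2b5/0x2f0
[ 49.525546][ T6961]  __sco_sock_close+0x47c/0xed0
[ 49.606632][ T6961] RIP: 0033:0x446e69
[ 49.662921][ T6961]
[ 49.665242][ T6961] Allocated by task 6961:
[ 49.669566][ T6961]  __kasan_kmalloc+0x103/0x140
[ 49.679692][ T6961]  hci_conn_add+0x5d/0x1040
[ 49.684193][ T6961]  hci_connect_sco+0x29a/0xa10
[ 49.688985][ T6961]  sco_sock_connect+0x2de/0xaa0
[ 49.713476][ T6961]
[ 49.715796][ T6961] Freed by task 6957:
[ 49.719771][ T6961]  __kasan_slab_free+0x114/0x170
[ 49.724704][ T6961]  kfree+0x10a/0x220
[ 49.737592][ T6961]  hci_conn_del+0x2c2/0x550
[ 49.742098][ T6961]  hci_event_packet+0x8335/0x18260
[ 49.747205][ T6961]  hci_rx_work+0x236/0x9c0
[ 49.769560][ T6961]
[ 49.771925][ T6961] The buggy address belongs to the object at ffff88809191e000
[ 49.771925][ T6961]  which belongs to the cache kmalloc-4k of size 4096
[ 49.785986][ T6961] The buggy address is located 16 bytes inside of
[ 49.899940][ T6961] ==================================================================
"""

PREFIX = re.compile(r"^\[\s*\d+\.\d+\]\[\s*T\d+\] ?")   # dmesg "[ 49.44][ T6961] " prefix
SCALARS = [re.compile(p) for p in (                      # one-line header fields
    r"BUG: KASAN: (?P<bug_type>[\w-]+) in (?P<func>[\w.]+)\+0x",
    r"(?P<access>Read|Write) of size (?P<size>\d+) at addr (?P<addr>[0-9a-f]+)"
    r" by task (?P<task>\S+)/(?P<pid>\d+)",
    r"belongs to the object at (?P<object_addr>[0-9a-f]+)",
    r"belongs to the cache (?P<cache>\S+) of size (?P<object_size>\d+)",
    r"located (?P<offset>\d+) bytes inside of",
)]
HEX, INT = {"addr", "object_addr"}, {"size", "pid", "object_size", "offset"}
STACK_HDR = re.compile(r"(?P<which>Allocated|Freed) by task (?P<pid>\d+):")
# A frame line; group 1 marks the "? " frames (stale stack slots), which are dropped.
FRAME = re.compile(r"(\? )?([\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+(?: \[\w+\])?")
# KASAN and allocator plumbing (this example's own list), skipped when naming the bug site.
NOISE = ("kasan_", "__kasan_", "kmem_cache_", "kfree", "kmalloc", "__kmalloc",
         "check_memory_region", "dump_stack", "print_address_description")

def scalar_fields(line):
    """Typed fields from a header line (BUG:, access, object/cache/offset), else None."""
    for pat in SCALARS:
        if m := pat.search(line):
            return {k: int(v, 16) if k in HEX else int(v) if k in INT else v
                    for k, v in m.groupdict().items()}
    return None

def parse_kasan(text):
    """Parse the first KASAN report in a console log into a dict."""
    r = {"call_trace": [], "alloc_stack": [], "free_stack": []}
    in_report, section = False, None           # section: list currently collecting frames
    for raw in text.splitlines():
        line = PREFIX.sub("", raw).strip()
        if line.startswith("====="):           # the delimiter opens, then closes, the report
            if in_report:
                break
            in_report = True
        elif not in_report:
            continue                           # boot, IPVS and executor chatter before it
        elif line == "Call Trace:":
            section = r["call_trace"]
        elif m := STACK_HDR.fullmatch(line):
            key = "alloc" if m["which"] == "Allocated" else "free"
            r[key + "_pid"], section = int(m["pid"]), r[key + "_stack"]
        elif fields := scalar_fields(line):
            r.update(fields)
        elif section is not None:
            if line == "":                     # a blank line ends a stack section
                section = None
            elif (m := FRAME.fullmatch(line)) and not m[1]:
                section.append(m[2])           # RIP:/register/noise lines are ignored
    return r

def real_frames(stack, n):   # first n frames that are not KASAN/allocator plumbing
    return [f for f in stack if not f.startswith(NOISE)][:n]

def consistent(r):   # cross-check: the access must land at the reported offset inside the object
    return r["addr"] - r["object_addr"] == r["offset"] and 0 <= r["offset"] < r["object_size"]

def summarize(r):
    """One-line triage title (same spirit as syzbot's) built from the parsed fields."""
    return (f"KASAN: {r['bug_type']} {r['access'].lower()}({r['size']}) in "
            f"{(real_frames(r['call_trace'], 1) or [r['func']])[0]} at {r['cache']}+{r['offset']}"
            f" by {r['task']}/{r['pid']}; alloc pid {r['alloc_pid']}: "
            f"{' <- '.join(real_frames(r['alloc_stack'], 3))}; free pid {r['free_pid']}: "
            f"{' <- '.join(real_frames(r['free_stack'], 3))}")
```

For a saved log, parse_kasan(open("crash.log").read()) followed by summarize() yields the one-line title; consistent() is the sanity check that the access address, the object base and the "located N bytes inside" line agree, which catches reports that were truncated or re-wrapped in transit (as the one on this page was before it was put back on one line per message).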