[  OK  ] Started Getty on tty2.
[  OK  ] Started Serial Getty on ttyS0.
[  OK  ] Started Getty on tty1.
[  OK  ] Reached target Login Prompts.
[  OK  ] Reached target Multi-User System.
[  OK  ] Reached target Graphical Interface.
         Starting Update UTMP about System Runlevel Changes...
[  OK  ] Started Update UTMP about System Runlevel Changes.
         Starting Load/Save RF Kill Switch Status...
[  OK  ] Started Load/Save RF Kill Switch Status.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.0.191' (ECDSA) to the list of known hosts.

syzkaller login: [   61.706578][ T6887] IPVS: ftp: loaded support on port[0] = 21
executing program
[   62.901659][ T6913] Bluetooth: Wrong link type (-22)
[   62.909848][ T6887] ==================================================================
[   62.918086][ T6887] BUG: KASAN: use-after-free in hci_chan_del+0x14f/0x190
[   62.925118][ T6887] Read of size 8 at addr ffff88809fa25318 by task syz-executor149/6887
[   62.933343][ T6887]
[   62.935662][ T6887] CPU: 0 PID: 6887 Comm: syz-executor149 Not tainted 5.8.0-rc7-next-20200731-syzkaller #0
[   62.945696][ T6887] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   62.955949][ T6887] Call Trace:
[   62.959225][ T6887]  dump_stack+0x18f/0x20d
[   62.963592][ T6887]  ? hci_chan_del+0x14f/0x190
[   62.968244][ T6887]  ? hci_chan_del+0x14f/0x190
[   62.972907][ T6887]  print_address_description.constprop.0.cold+0xae/0x497
[   62.979995][ T6887]  ? mutex_lock_io_nested+0xf60/0xf60
[   62.985369][ T6887]  ? lockdep_hardirqs_off+0x7e/0xb0
[   62.990547][ T6887]  ? vprintk_func+0x97/0x1a6
[   62.995116][ T6887]  ? hci_chan_del+0x14f/0x190
[   62.999766][ T6887]  ? hci_chan_del+0x14f/0x190
[   63.004425][ T6887]  kasan_report.cold+0x1f/0x37
[   63.009165][ T6887]  ? hci_chan_del+0x14f/0x190
[   63.013819][ T6887]  hci_chan_del+0x14f/0x190
[   63.018302][ T6887]  l2cap_conn_del+0x61b/0x9e0
[   63.022964][ T6887]  ? l2cap_conn_del+0x9e0/0x9e0
[   63.027791][ T6887]  l2cap_disconn_cfm+0x85/0xa0
[   63.032536][ T6887]  hci_conn_hash_flush+0x114/0x220
[   63.037630][ T6887]  hci_dev_do_close+0x5c6/0x1080
[   63.042560][ T6887]  ? hci_dev_open+0x350/0x350
[   63.047239][ T6887]  ? do_raw_read_unlock+0x70/0x70
[   63.052240][ T6887]  ? try_to_grab_pending.part.0+0x7d0/0x7d0
[   63.058113][ T6887]  hci_unregister_dev+0x1bd/0xe30
[   63.063202][ T6887]  ? fcntl_setlk+0xf60/0xf60
[   63.067768][ T6887]  ? lock_is_held_type+0xbb/0xf0
[   63.072695][ T6887]  vhci_release+0x70/0xe0
[   63.077001][ T6887]  __fput+0x285/0x920
[   63.080959][ T6887]  ? vhci_close_dev+0x50/0x50
[   63.085620][ T6887]  task_work_run+0xdd/0x190
[   63.090102][ T6887]  do_exit+0xb7d/0x29f0
[   63.094259][ T6887]  ? mm_update_next_owner+0x7a0/0x7a0
[   63.099620][ T6887]  ? vfs_write+0x1b0/0x730
[   63.104018][ T6887]  ? lock_is_held_type+0xbb/0xf0
[   63.108933][ T6887]  do_group_exit+0x125/0x310
[   63.113509][ T6887]  __x64_sys_exit_group+0x3a/0x50
[   63.118512][ T6887]  do_syscall_64+0x2d/0x70
[   63.122904][ T6887]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[   63.128775][ T6887] RIP: 0033:0x445138
[   63.132901][ T6887] Code: Bad RIP value.
[   63.136975][ T6887] RSP: 002b:00007fffb6921ec8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[   63.145377][ T6887] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 0000000000445138
[   63.153325][ T6887] RDX: 0000000000000001 RSI: 000000000000003c RDI: 0000000000000001
[   63.161278][ T6887] RBP: 00000000004ccef0 R08: 00000000000000e7 R09: ffffffffffffffd0
[   63.169226][ T6887] R10: 00007fa5489fd9d0 R11: 0000000000000246 R12: 0000000000000001
[   63.177185][ T6887] R13: 00000000006e0200 R14: 000000000236f850 R15: 0000000000000001
[   63.185140][ T6887]
[   63.187444][ T6887] Allocated by task 6913:
[   63.192200][ T6887]  kasan_save_stack+0x1b/0x40
[   63.196876][ T6887]  __kasan_kmalloc.constprop.0+0xbf/0xd0
[   63.202484][ T6887]  kmem_cache_alloc_trace+0x16e/0x2c0
[   63.208523][ T6887]  hci_chan_create+0x9b/0x330
[   63.213191][ T6887]  l2cap_conn_add.part.0+0x1e/0xe10
[   63.218367][ T6887]  l2cap_connect_cfm+0x23b/0x1090
[   63.223385][ T6887]  le_conn_complete_evt+0x1153/0x1740
[   63.228743][ T6887]  hci_le_meta_evt+0xe55/0x3fd0
[   63.233736][ T6887]  hci_event_packet+0x2e25/0x87a8
[   63.238752][ T6887]  hci_rx_work+0x22e/0xb50
[   63.243158][ T6887]  process_one_work+0x94c/0x1670
[   63.248088][ T6887]  worker_thread+0x64c/0x1120
[   63.252758][ T6887]  kthread+0x3b5/0x4a0
[   63.257031][ T6887]  ret_from_fork+0x1f/0x30
[   63.261435][ T6887]
[   63.263750][ T6887] Freed by task 6913:
[   63.267726][ T6887]  kasan_save_stack+0x1b/0x40
[   63.272993][ T6887]  kasan_set_track+0x1c/0x30
[   63.277566][ T6887]  kasan_set_free_info+0x1b/0x30
[   63.282499][ T6887]  __kasan_slab_free+0xd8/0x120
[   63.287519][ T6887]  kfree+0x103/0x2c0
[   63.291543][ T6887]  hci_event_packet+0x3e33/0x87a8
[   63.296571][ T6887]  hci_rx_work+0x22e/0xb50
[   63.300978][ T6887]  process_one_work+0x94c/0x1670
[   63.305921][ T6887]  worker_thread+0x64c/0x1120
[   63.310590][ T6887]  kthread+0x3b5/0x4a0
[   63.314651][ T6887]  ret_from_fork+0x1f/0x30
[   63.319041][ T6887]
[   63.321350][ T6887] The buggy address belongs to the object at ffff88809fa25300
[   63.321350][ T6887]  which belongs to the cache kmalloc-128 of size 128
[   63.335398][ T6887] The buggy address is located 24 bytes inside of
[   63.335398][ T6887]  128-byte region [ffff88809fa25300, ffff88809fa25380)
[   63.348670][ T6887] The buggy address belongs to the page:
[   63.354309][ T6887] page:0000000072875d6f refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88809fa25500 pfn:0x9fa25
[   63.365753][ T6887] flags: 0xfffe0000000200(slab)
[   63.370738][ T6887] raw: 00fffe0000000200 ffffea00028b23c8 ffffea00029e0d88 ffff8880aa000400
[   63.379425][ T6887] raw: ffff88809fa25500 ffff88809fa25000 0000000100000006 0000000000000000
[   63.388007][ T6887] page dumped because: kasan: bad access detected
[   63.394404][ T6887]
[   63.396715][ T6887] Memory state around the buggy address:
[   63.402339][ T6887]  ffff88809fa25200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   63.410382][ T6887]  ffff88809fa25280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   63.418420][ T6887] >ffff88809fa25300: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   63.426457][ T6887]                             ^
[   63.431285][ T6887]  ffff88809fa25380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   63.439322][ T6887]  ffff88809fa25400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   63.447356][ T6887] ==================================================================
[   63.455404][ T6887] Disabling lock debugging due to kernel taint
[   63.462472][ T6887] Kernel panic - not syncing: panic_on_warn set ...
[   63.469069][ T6887] CPU: 0 PID: 6887 Comm: syz-executor149 Tainted: G    B             5.8.0-rc7-next-20200731-syzkaller #0
[   63.480338][ T6887] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   63.490386][ T6887] Call Trace:
[   63.493670][ T6887]  dump_stack+0x18f/0x20d
[   63.497981][ T6887]  ? hci_chan_del+0x140/0x190
[   63.502668][ T6887]  panic+0x2e3/0x75c
[   63.506542][ T6887]  ? __warn_printk+0xf3/0xf3
[   63.511107][ T6887]  ? preempt_schedule_common+0x59/0xc0
[   63.516542][ T6887]  ? hci_chan_del+0x14f/0x190
[   63.521202][ T6887]  ? preempt_schedule_thunk+0x16/0x18
[   63.526551][ T6887]  ? trace_hardirqs_on+0x55/0x220
[   63.531549][ T6887]  ? hci_chan_del+0x14f/0x190
[   63.536196][ T6887]  ? hci_chan_del+0x14f/0x190
[   63.540845][ T6887]  end_report+0x4d/0x53
[   63.544992][ T6887]  kasan_report.cold+0xd/0x37
[   63.549706][ T6887]  ? hci_chan_del+0x14f/0x190
[   63.554370][ T6887]  hci_chan_del+0x14f/0x190
[   63.558858][ T6887]  l2cap_conn_del+0x61b/0x9e0
[   63.563516][ T6887]  ? l2cap_conn_del+0x9e0/0x9e0
[   63.568345][ T6887]  l2cap_disconn_cfm+0x85/0xa0
[   63.573084][ T6887]  hci_conn_hash_flush+0x114/0x220
[   63.578169][ T6887]  hci_dev_do_close+0x5c6/0x1080
[   63.583082][ T6887]  ? hci_dev_open+0x350/0x350
[   63.587734][ T6887]  ? do_raw_read_unlock+0x70/0x70
[   63.592781][ T6887]  ? try_to_grab_pending.part.0+0x7d0/0x7d0
[   63.598647][ T6887]  hci_unregister_dev+0x1bd/0xe30
[   63.603645][ T6887]  ? fcntl_setlk+0xf60/0xf60
[   63.608210][ T6887]  ? lock_is_held_type+0xbb/0xf0
[   63.613128][ T6887]  vhci_release+0x70/0xe0
[   63.617432][ T6887]  __fput+0x285/0x920
[   63.621390][ T6887]  ? vhci_close_dev+0x50/0x50
[   63.626046][ T6887]  task_work_run+0xdd/0x190
[   63.630521][ T6887]  do_exit+0xb7d/0x29f0
[   63.634653][ T6887]  ? mm_update_next_owner+0x7a0/0x7a0
[   63.640000][ T6887]  ? vfs_write+0x1b0/0x730
[   63.644396][ T6887]  ? lock_is_held_type+0xbb/0xf0
[   63.649304][ T6887]  do_group_exit+0x125/0x310
[   63.653871][ T6887]  __x64_sys_exit_group+0x3a/0x50
[   63.658887][ T6887]  do_syscall_64+0x2d/0x70
[   63.663278][ T6887]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[   63.669141][ T6887] RIP: 0033:0x445138
[   63.673037][ T6887] Code: Bad RIP value.
[   63.677088][ T6887] RSP: 002b:00007fffb6921ec8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[   63.685471][ T6887] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 0000000000445138
[   63.693418][ T6887] RDX: 0000000000000001 RSI: 000000000000003c RDI: 0000000000000001
[   63.701379][ T6887] RBP: 00000000004ccef0 R08: 00000000000000e7 R09: ffffffffffffffd0
[   63.709332][ T6887] R10: 00007fa5489fd9d0 R11: 0000000000000246 R12: 0000000000000001
[   63.717291][ T6887] R13: 00000000006e0200 R14: 000000000236f850 R15: 0000000000000001
[   63.726648][ T6887] Kernel Offset: disabled
[   63.730972][ T6887] Rebooting in 86400 seconds..
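The report above is raw triage material: the interesting facts are spread over the crash trace, the "Allocated by"/"Freed by" stacks, the object/cache lines and the shadow dump. The script below is an added example, not part of the syzkaller log or of the kernel's own tooling. It parses those sections out of the console log (the excerpt it embeds is taken from the report above with the stack traces shortened), finds the first non-allocator frame in each stack, computes the offset of the faulting read inside the slab object, and cross-checks the "use-after-free" verdict against the shadow byte that covers the faulting address. The shadow-byte names are assumed from mm/kasan/kasan.h of the 5.8-era kernel this log came from; every shadow byte describes one 8-byte granule and each printed row covers 128 bytes.

```python
import re

# Constructed excerpt of the crash report above (kernel timestamp/thread
# prefixes kept, call traces cut to the frames that matter).
REPORT = """\
[   62.918086][ T6887] BUG: KASAN: use-after-free in hci_chan_del+0x14f/0x190
[   62.925118][ T6887] Read of size 8 at addr ffff88809fa25318 by task syz-executor149/6887
[   62.933343][ T6887]
[   62.955949][ T6887] Call Trace:
[   62.959225][ T6887]  dump_stack+0x18f/0x20d
[   62.963592][ T6887]  ? hci_chan_del+0x14f/0x190
[   63.004425][ T6887]  kasan_report.cold+0x1f/0x37
[   63.013819][ T6887]  hci_chan_del+0x14f/0x190
[   63.018302][ T6887]  l2cap_conn_del+0x61b/0x9e0
[   63.037630][ T6887]  hci_dev_do_close+0x5c6/0x1080
[   63.072695][ T6887]  vhci_release+0x70/0xe0
[   63.128775][ T6887] RIP: 0033:0x445138
[   63.185140][ T6887]
[   63.187444][ T6887] Allocated by task 6913:
[   63.192200][ T6887]  kasan_save_stack+0x1b/0x40
[   63.202484][ T6887]  kmem_cache_alloc_trace+0x16e/0x2c0
[   63.208523][ T6887]  hci_chan_create+0x9b/0x330
[   63.238752][ T6887]  hci_rx_work+0x22e/0xb50
[   63.261435][ T6887]
[   63.263750][ T6887] Freed by task 6913:
[   63.282499][ T6887]  __kasan_slab_free+0xd8/0x120
[   63.287519][ T6887]  kfree+0x103/0x2c0
[   63.291543][ T6887]  hci_event_packet+0x3e33/0x87a8
[   63.296571][ T6887]  hci_rx_work+0x22e/0xb50
[   63.319041][ T6887]
[   63.321350][ T6887] The buggy address belongs to the object at ffff88809fa25300
[   63.321350][ T6887]  which belongs to the cache kmalloc-128 of size 128
[   63.396715][ T6887] Memory state around the buggy address:
[   63.410382][ T6887]  ffff88809fa25280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   63.418420][ T6887] >ffff88809fa25300: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   63.431285][ T6887]  ffff88809fa25380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
"""

PREFIX = re.compile(r"^\[\s*\d+\.\d+\]\[\s*T\d+\] ?")
FRAME = re.compile(r"^\s*(\? )?(\S+\+0x[0-9a-f]+/0x[0-9a-f]+)$")
SHADOW_ROW = re.compile(r"^[> ]?([0-9a-f]{16}): ((?:[0-9a-f]{2} ?)+)$")
# Shadow encodings as in mm/kasan/kasan.h of the 5.8 era (assumed; later
# kernels renamed some of them). One shadow byte per 8-byte granule.
SHADOW_NAMES = {0xfa: "KASAN_KMALLOC_FREETRACK", 0xfb: "KASAN_KMALLOC_FREE",
                0xfc: "KASAN_KMALLOC_REDZONE", 0xff: "KASAN_FREE_PAGE"}
# Allocator/KASAN plumbing; the first frame after these is the one to read.
PLUMBING = ("dump_stack", "print_address_description", "kasan_", "__kasan_",
            "kmem_cache_", "kfree", "kmalloc", "__kmalloc")

def parse_kasan_report(text):
    rep, section = {"frames": {}, "shadow": {}}, None
    for raw in text.splitlines():
        line = PREFIX.sub("", raw).rstrip()
        if not line:                       # a blank line ends a stack section
            section = None
            continue
        if m := re.match(r"BUG: KASAN: (.+) in (\S+)$", line):
            rep["bug"], rep["site"] = m.groups()
        elif m := re.match(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (\S+)/(\d+)$", line):
            rep["access"], rep["size"] = m.group(1), int(m.group(2))
            rep["addr"], rep["pid"] = int(m.group(3), 16), int(m.group(5))
        elif m := re.match(r"(Allocated|Freed) by task (\d+):", line):
            section = m.group(1).lower()   # "allocated" / "freed"
            rep[section + "_pid"], rep["frames"][section] = int(m.group(2)), []
        elif line == "Call Trace:" and "crash" not in rep["frames"]:
            section, rep["frames"]["crash"] = "crash", []   # first trace only
        elif m := re.match(r"The buggy address belongs to the object at ([0-9a-f]+)", line):
            rep["obj"] = int(m.group(1), 16)
        elif m := re.match(r"\s*which belongs to the cache (\S+) of size (\d+)", line):
            rep["cache"], rep["obj_size"] = m.group(1), int(m.group(2))
        elif m := SHADOW_ROW.match(line):
            rep["shadow"][int(m.group(1), 16)] = [int(b, 16) for b in m.group(2).split()]
        elif (m := FRAME.match(line)) and section and not m.group(1):
            rep["frames"][section].append(m.group(2))   # "? " frames are dropped
    return rep

def first_real_frame(frames):
    return next((f for f in frames if not f.startswith(PLUMBING)), None)

def shadow_byte_at(rep, addr):
    row = rep["shadow"].get(addr & ~0x7f)   # each row: 128 bytes = 16 granules
    return None if row is None else row[(addr & 0x7f) >> 3]

def summarize(rep):
    sb = shadow_byte_at(rep, rep["addr"])
    s = {"bug": rep["bug"], "cache": rep["cache"],
         "offset": rep["addr"] - rep["obj"],
         "crash_site": first_real_frame(rep["frames"]["crash"]),
         "alloc_site": first_real_frame(rep["frames"]["allocated"]),
         "free_site": first_real_frame(rep["frames"]["freed"]),
         "shadow_byte": sb, "shadow_meaning": SHADOW_NAMES.get(sb, "other"),
         # freed by a task other than the one that faulted: a lifetime race
         # between two contexts (here the hci_rx_work worker vs. device close)
         "freed_by_other_task": rep["freed_pid"] != rep["pid"]}
    # a use-after-free verdict must land on a granule marked as freed
    s["consistent"] = (s["bug"] == "use-after-free") == (sb in (0xfa, 0xfb))
    return s

if __name__ == "__main__":
    for k, v in summarize(parse_kasan_report(REPORT)).items():
        print("%-20s %s" % (k, v))
```

On this log the summary reads: the object is a 128-byte slab allocation made in hci_chan_create by task 6913 (the hci_rx_work worker handling an LE connection-complete event), freed by the same worker from hci_event_packet, and then read 24 bytes in from a different task (6887) in hci_chan_del, reached from l2cap_conn_del while hci_dev_do_close tears the vhci device down. The shadow byte under the faulting address is 0xfb, so the verdict is consistent with the dump rather than a redzone hit. That combination, allocation and free on the event worker, use on the close path, is what to carry into the source: the close path walks channels the worker has already released.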