[[0;32m  OK  [0m] Reached target Graphical Interface.
         Starting Update UTMP about System Runlevel Changes...
         Starting Load/Save RF Kill Switch Status...
[[0;32m  OK  [0m] Started Update UTMP about System Runlevel Changes.
[[0;32m  OK  [0m] Started Load/Save RF Kill Switch Status.


Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.0.160' (ECDSA) to the list of known hosts.
syzkaller login: [   65.313084][ T7263] IPVS: ftp: loaded support on port[0] = 21
[   65.325415][ T7265] IPVS: ftp: loaded support on port[0] = 21
[   65.327520][ T7264] IPVS: ftp: loaded support on port[0] = 21
[   65.345029][ T7257] IPVS: ftp: loaded support on port[0] = 21
[   65.352032][ T7260] IPVS: ftp: loaded support on port[0] = 21
[   65.358886][ T7262] IPVS: ftp: loaded support on port[0] = 21
executing program
executing program
executing program
executing program
executing program
[   65.654400][ T3242] ==================================================================
[   65.662675][ T3242] BUG: KASAN: use-after-free in l2cap_chan_close+0x763/0xb10
[   65.670067][ T3242] Read of size 1 at addr ffff88808ad32020 by task kworker/1:158/3242
[   65.678134][ T3242] 
[   65.680483][ T3242] CPU: 1 PID: 3242 Comm: kworker/1:158 Not tainted 5.7.0-rc1-next-20200415-syzkaller #0
[   65.690197][ T3242] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
executing program
[   65.701223][ T3242] Workqueue: events do_enable_set
[   65.706263][ T3242] Call Trace:
[   65.709566][ T3242]  dump_stack+0x188/0x20d
[   65.713919][ T3242]  print_address_description.constprop.0.cold+0xd3/0x315
[   65.721049][ T3242]  ? l2cap_chan_close+0x763/0xb10
[   65.726092][ T3242]  __kasan_report.cold+0x35/0x4d
[   65.731058][ T3242]  ? l2cap_chan_close+0x763/0xb10
[   65.736112][ T3242]  ? l2cap_chan_close+0x763/0xb10
[   65.741154][ T3242]  kasan_report+0x33/0x50
[   65.745509][ T3242]  l2cap_chan_close+0x763/0xb10
executing program
[   65.750381][ T3242]  ? l2cap_send_i_or_rr_or_rnr+0x320/0x320
[   65.756224][ T3242]  do_enable_set+0x4cf/0x8e0
[   65.760836][ T3242]  ? lowpan_control_write+0x480/0x480
[   65.766233][ T3242]  ? rcu_read_lock_sched_held+0x9c/0xd0
[   65.771793][ T3242]  ? rcu_read_lock_any_held.part.0+0x50/0x50
[   65.777792][ T3242]  ? _raw_spin_unlock_irq+0x1f/0x80
[   65.783031][ T3242]  process_one_work+0x965/0x16a0
[   65.788012][ T3242]  ? lock_release+0x800/0x800
[   65.792698][ T3242]  ? pwq_dec_nr_in_flight+0x310/0x310
[   65.798094][ T3242]  ? rwlock_bug.part.0+0x90/0x90
executing program
[   65.803062][ T3242]  worker_thread+0x96/0xe20
[   65.807591][ T3242]  ? process_one_work+0x16a0/0x16a0
[   65.812823][ T3242]  kthread+0x388/0x470
[   65.816905][ T3242]  ? kthread_mod_delayed_work+0x1a0/0x1a0
[   65.822637][ T3242]  ret_from_fork+0x24/0x30
[   65.827065][ T3242] 
[   65.829398][ T3242] Allocated by task 2718:
[   65.833735][ T3242]  save_stack+0x1b/0x40
[   65.837899][ T3242]  __kasan_kmalloc.constprop.0+0xbf/0xd0
[   65.843540][ T3242]  kmem_cache_alloc_trace+0x153/0x7d0
[   65.848935][ T3242]  l2cap_chan_create+0x40/0x3a0
[   65.853795][ T3242]  chan_create+0xc/0xd0
[   65.857964][ T3242]  do_enable_set+0x511/0x8e0
[   65.862562][ T3242]  process_one_work+0x965/0x16a0
[   65.867506][ T3242]  worker_thread+0x96/0xe20
[   65.872017][ T3242]  kthread+0x388/0x470
[   65.876122][ T3242]  ret_from_fork+0x24/0x30
[   65.880540][ T3242] 
[   65.882877][ T3242] Freed by task 2728:
[   65.886869][ T3242]  save_stack+0x1b/0x40
[   65.891034][ T3242]  __kasan_slab_free+0xf7/0x140
[   65.895903][ T3242]  kfree+0x109/0x2b0
[   65.899814][ T3242]  l2cap_chan_put+0x1b2/0x230
[   65.904502][ T3242]  do_enable_set+0x4db/0x8e0
[   65.909105][ T3242]  process_one_work+0x965/0x16a0
[   65.914059][ T3242]  worker_thread+0x96/0xe20
[   65.918573][ T3242]  kthread+0x388/0x470
[   65.922657][ T3242]  ret_from_fork+0x24/0x30
[   65.927072][ T3242] 
[   65.929412][ T3242] The buggy address belongs to the object at ffff88808ad32000
[   65.929412][ T3242]  which belongs to the cache kmalloc-2k of size 2048
[   65.943480][ T3242] The buggy address is located 32 bytes inside of
[   65.943480][ T3242]  2048-byte region [ffff88808ad32000, ffff88808ad32800)
[   65.956763][ T3242] The buggy address belongs to the page:
[   65.962418][ T3242] page:ffffea00022b4c80 refcount:1 mapcount:0 mapping:00000000628e4504 index:0x0
[   65.971542][ T3242] flags: 0xfffe0000000200(slab)
[   65.976411][ T3242] raw: 00fffe0000000200 ffffea00024e7688 ffffea00022b4cc8 ffff8880aa000e00
[   65.985011][ T3242] raw: 0000000000000000 ffff88808ad32000 0000000100000001 0000000000000000
[   65.993595][ T3242] page dumped because: kasan: bad access detected
[   66.000005][ T3242] 
[   66.002355][ T3242] Memory state around the buggy address:
[   66.007990][ T3242]  ffff88808ad31f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   66.016059][ T3242]  ffff88808ad31f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   66.024130][ T3242] >ffff88808ad32000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   66.032197][ T3242]                                ^
[   66.037315][ T3242]  ffff88808ad32080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   66.045381][ T3242]  ffff88808ad32100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
[   66.053497][ T3242] ==================================================================
[   66.061554][ T3242] Disabling lock debugging due to kernel taint
executing program
[   66.156388][ T3242] Kernel panic - not syncing: panic_on_warn set ...
[   66.163031][ T3242] CPU: 1 PID: 3242 Comm: kworker/1:158 Tainted: G    B             5.7.0-rc1-next-20200415-syzkaller #0
[   66.174138][ T3242] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   66.184215][ T3242] Workqueue: events do_enable_set
[   66.189247][ T3242] Call Trace:
[   66.192547][ T3242]  dump_stack+0x188/0x20d
[   66.196896][ T3242]  panic+0x2e3/0x75c
[   66.200799][ T3242]  ? add_taint.cold+0x16/0x16
executing program
[   66.205489][ T3242]  ? preempt_schedule_common+0x5e/0xc0
[   66.211060][ T3242]  ? l2cap_chan_close+0x763/0xb10
[   66.216097][ T3242]  ? preempt_schedule_thunk+0x16/0x18
[   66.221498][ T3242]  ? trace_hardirqs_on+0x55/0x220
[   66.226537][ T3242]  ? l2cap_chan_close+0x763/0xb10
[   66.231567][ T3242]  end_report+0x4d/0x53
[   66.235726][ T3242]  __kasan_report.cold+0xd/0x4d
[   66.240696][ T3242]  ? l2cap_chan_close+0x763/0xb10
[   66.245727][ T3242]  ? l2cap_chan_close+0x763/0xb10
[   66.250751][ T3242]  kasan_report+0x33/0x50
[   66.255085][ T3242]  l2cap_chan_close+0x763/0xb10
[   66.259952][ T3242]  ? l2cap_send_i_or_rr_or_rnr+0x320/0x320
[   66.265771][ T3242]  do_enable_set+0x4cf/0x8e0
[   66.270370][ T3242]  ? lowpan_control_write+0x480/0x480
[   66.275938][ T3242]  ? rcu_read_lock_sched_held+0x9c/0xd0
[   66.281512][ T3242]  ? rcu_read_lock_any_held.part.0+0x50/0x50
[   66.287500][ T3242]  ? _raw_spin_unlock_irq+0x1f/0x80
[   66.292701][ T3242]  process_one_work+0x965/0x16a0
[   66.297648][ T3242]  ? lock_release+0x800/0x800
executing program
executing program
[   66.302326][ T3242]  ? pwq_dec_nr_in_flight+0x310/0x310
[   66.307708][ T3242]  ? rwlock_bug.part.0+0x90/0x90
[   66.312654][ T3242]  worker_thread+0x96/0xe20
[   66.317166][ T3242]  ? process_one_work+0x16a0/0x16a0
[   66.322380][ T3242]  kthread+0x388/0x470
[   66.326449][ T3242]  ? kthread_mod_delayed_work+0x1a0/0x1a0
[   66.332224][ T3242]  ret_from_fork+0x24/0x30
[   66.337815][ T3242] Kernel Offset: disabled
[   66.342141][ T3242] Rebooting in 86400 seconds..