[   64.100201][ T6833] IPVS: ftp: loaded support on port[0] = 21
executing program
[   65.290816][ T6833] ==================================================================
[   65.299044][ T6833] BUG: KASAN: use-after-free in hci_chan_del+0x14f/0x190
[   65.306073][ T6833] Read of size 8 at addr ffff88809f538618 by task syz-executor882/6833
[   65.314302][ T6833]
[   65.316644][ T6833] CPU: 1 PID: 6833 Comm: syz-executor882 Not tainted 5.8.0-rc7-next-20200731-syzkaller #0
[   65.326540][ T6833] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   65.336620][ T6833] Call Trace:
[   65.339918][ T6833]  dump_stack+0x18f/0x20d
[   65.344271][ T6833]  ? hci_chan_del+0x14f/0x190
[   65.348954][ T6833]  ? hci_chan_del+0x14f/0x190
[   65.353649][ T6833]  print_address_description.constprop.0.cold+0xae/0x497
[   65.360665][ T6833]  ? mutex_lock_io_nested+0xf60/0xf60
[   65.366016][ T6833]  ? lockdep_hardirqs_off+0x7e/0xb0
[   65.371193][ T6833]  ? vprintk_func+0x97/0x1a6
[   65.375804][ T6833]  ? hci_chan_del+0x14f/0x190
[   65.380457][ T6833]  ? hci_chan_del+0x14f/0x190
[   65.385149][ T6833]  kasan_report.cold+0x1f/0x37
[   65.389922][ T6833]  ? hci_chan_del+0x14f/0x190
[   65.394607][ T6833]  hci_chan_del+0x14f/0x190
[   65.399086][ T6833]  l2cap_conn_del+0x61b/0x9e0
[   65.403746][ T6833]  ? l2cap_conn_del+0x9e0/0x9e0
[   65.408574][ T6833]  l2cap_disconn_cfm+0x85/0xa0
[   65.413314][ T6833]  hci_conn_hash_flush+0x114/0x220
[   65.418404][ T6833]  hci_dev_do_close+0x5c6/0x1080
[   65.423352][ T6833]  ? hci_dev_open+0x350/0x350
[   65.428004][ T6833]  ? do_raw_read_unlock+0x70/0x70
[   65.433019][ T6833]  ? try_to_grab_pending.part.0+0x7d0/0x7d0
[   65.438921][ T6833]  hci_unregister_dev+0x1bd/0xe30
[   65.443923][ T6833]  ? fcntl_setlk+0xf60/0xf60
[   65.448491][ T6833]  ? lock_is_held_type+0xbb/0xf0
[   65.453411][ T6833]  vhci_release+0x70/0xe0
[   65.457716][ T6833]  __fput+0x285/0x920
[   65.461680][ T6833]  ? vhci_close_dev+0x50/0x50
[   65.466347][ T6833]  task_work_run+0xdd/0x190
[   65.470830][ T6833]  do_exit+0xb7d/0x29f0
[   65.474966][ T6833]  ? mm_update_next_owner+0x7a0/0x7a0
[   65.480316][ T6833]  ? vfs_write+0x1b0/0x730
[   65.484732][ T6833]  ? lock_is_held_type+0xbb/0xf0
[   65.489656][ T6833]  do_group_exit+0x125/0x310
[   65.494226][ T6833]  __x64_sys_exit_group+0x3a/0x50
[   65.499267][ T6833]  do_syscall_64+0x2d/0x70
[   65.503688][ T6833]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[   65.509581][ T6833] RIP: 0033:0x445088
[   65.513446][ T6833] Code: Bad RIP value.
[   65.517487][ T6833] RSP: 002b:00007ffdfda8d6a8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[   65.525906][ T6833] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 0000000000445088
[   65.533855][ T6833] RDX: 0000000000000001 RSI: 000000000000003c RDI: 0000000000000001
[   65.541806][ T6833] RBP: 00000000004cce70 R08: 00000000000000e7 R09: ffffffffffffffd0
[   65.549755][ T6833] R10: 00000000000000ff R11: 0000000000000246 R12: 0000000000000001
[   65.557710][ T6833] R13: 00000000006e0200 R14: 0000000000000000 R15: 0000000000000000
[   65.565665][ T6833]
[   65.567970][ T6833] Allocated by task 6857:
[   65.572276][ T6833]  kasan_save_stack+0x1b/0x40
[   65.576929][ T6833]  __kasan_kmalloc.constprop.0+0xbf/0xd0
[   65.582536][ T6833]  kmem_cache_alloc_trace+0x16e/0x2c0
[   65.587883][ T6833]  hci_chan_create+0x9b/0x330
[   65.592536][ T6833]  l2cap_conn_add.part.0+0x1e/0xe10
[   65.597712][ T6833]  l2cap_connect_cfm+0x23b/0x1090
[   65.602715][ T6833]  le_conn_complete_evt+0x1153/0x1740
[   65.608068][ T6833]  hci_le_meta_evt+0xe55/0x3fd0
[   65.612895][ T6833]  hci_event_packet+0x2e25/0x87a8
[   65.617894][ T6833]  hci_rx_work+0x22e/0xb50
[   65.622303][ T6833]  process_one_work+0x94c/0x1670
[   65.627218][ T6833]  worker_thread+0x64c/0x1120
[   65.631872][ T6833]  kthread+0x3b5/0x4a0
[   65.635936][ T6833]  ret_from_fork+0x1f/0x30
[   65.640322][ T6833]
[   65.642628][ T6833] Freed by task 6857:
[   65.646586][ T6833]  kasan_save_stack+0x1b/0x40
[   65.651239][ T6833]  kasan_set_track+0x1c/0x30
[   65.655819][ T6833]  kasan_set_free_info+0x1b/0x30
[   65.660751][ T6833]  __kasan_slab_free+0xd8/0x120
[   65.665592][ T6833]  kfree+0x103/0x2c0
[   65.669465][ T6833]  hci_event_packet+0x3e33/0x87a8
[   65.674473][ T6833]  hci_rx_work+0x22e/0xb50
[   65.678868][ T6833]  process_one_work+0x94c/0x1670
[   65.683784][ T6833]  worker_thread+0x64c/0x1120
[   65.688437][ T6833]  kthread+0x3b5/0x4a0
[   65.692485][ T6833]  ret_from_fork+0x1f/0x30
[   65.696882][ T6833]
[   65.699202][ T6833] The buggy address belongs to the object at ffff88809f538600
[   65.699202][ T6833]  which belongs to the cache kmalloc-128 of size 128
[   65.713231][ T6833] The buggy address is located 24 bytes inside of
[   65.713231][ T6833]  128-byte region [ffff88809f538600, ffff88809f538680)
[   65.726385][ T6833] The buggy address belongs to the page:
[   65.731998][ T6833] page:00000000837983c6 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88809f538e00 pfn:0x9f538
[   65.743422][ T6833] flags: 0xfffe0000000200(slab)
[   65.748252][ T6833] raw: 00fffe0000000200 ffffea000285f208 ffffea00029b7ec8 ffff8880aa000400
[   65.756823][ T6833] raw: ffff88809f538e00 ffff88809f538000 0000000100000008 0000000000000000
[   65.765389][ T6833] page dumped because: kasan: bad access detected
[   65.771780][ T6833]
[   65.774099][ T6833] Memory state around the buggy address:
[   65.779705][ T6833]  ffff88809f538500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   65.787744][ T6833]  ffff88809f538580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   65.795784][ T6833] >ffff88809f538600: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   65.803816][ T6833]                             ^
[   65.808649][ T6833]  ffff88809f538680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   65.816688][ T6833]  ffff88809f538700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   65.824745][ T6833] ==================================================================
[   65.832779][ T6833] Disabling lock debugging due to kernel taint
[   65.874923][ T6833] Kernel panic - not syncing: panic_on_warn set ...
[   65.881516][ T6833] CPU: 1 PID: 6833 Comm: syz-executor882 Tainted: G    B             5.8.0-rc7-next-20200731-syzkaller #0
[   65.892760][ T6833] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   65.902793][ T6833] Call Trace:
[   65.906080][ T6833]  dump_stack+0x18f/0x20d
[   65.910387][ T6833]  ? hci_chan_del+0x140/0x190
[   65.915038][ T6833]  panic+0x2e3/0x75c
[   65.918918][ T6833]  ? __warn_printk+0xf3/0xf3
[   65.923484][ T6833]  ? preempt_schedule_common+0x59/0xc0
[   65.928926][ T6833]  ? hci_chan_del+0x14f/0x190
[   65.933591][ T6833]  ? preempt_schedule_thunk+0x16/0x18
[   65.938952][ T6833]  ? trace_hardirqs_on+0x55/0x220
[   65.943952][ T6833]  ? hci_chan_del+0x14f/0x190
[   65.948605][ T6833]  ? hci_chan_del+0x14f/0x190
[   65.953257][ T6833]  end_report+0x4d/0x53
[   65.957416][ T6833]  kasan_report.cold+0xd/0x37
[   65.962078][ T6833]  ? hci_chan_del+0x14f/0x190
[   65.966743][ T6833]  hci_chan_del+0x14f/0x190
[   65.971223][ T6833]  l2cap_conn_del+0x61b/0x9e0
[   65.975874][ T6833]  ? l2cap_conn_del+0x9e0/0x9e0
[   65.980700][ T6833]  l2cap_disconn_cfm+0x85/0xa0
[   65.985438][ T6833]  hci_conn_hash_flush+0x114/0x220
[   65.990524][ T6833]  hci_dev_do_close+0x5c6/0x1080
[   65.995448][ T6833]  ? hci_dev_open+0x350/0x350
[   66.000099][ T6833]  ? do_raw_read_unlock+0x70/0x70
[   66.005100][ T6833]  ? try_to_grab_pending.part.0+0x7d0/0x7d0
[   66.010967][ T6833]  hci_unregister_dev+0x1bd/0xe30
[   66.015980][ T6833]  ? fcntl_setlk+0xf60/0xf60
[   66.020599][ T6833]  ? lock_is_held_type+0xbb/0xf0
[   66.025515][ T6833]  vhci_release+0x70/0xe0
[   66.029826][ T6833]  __fput+0x285/0x920
[   66.033781][ T6833]  ? vhci_close_dev+0x50/0x50
[   66.038432][ T6833]  task_work_run+0xdd/0x190
[   66.042913][ T6833]  do_exit+0xb7d/0x29f0
[   66.047044][ T6833]  ? mm_update_next_owner+0x7a0/0x7a0
[   66.052393][ T6833]  ? vfs_write+0x1b0/0x730
[   66.056797][ T6833]  ? lock_is_held_type+0xbb/0xf0
[   66.061709][ T6833]  do_group_exit+0x125/0x310
[   66.066301][ T6833]  __x64_sys_exit_group+0x3a/0x50
[   66.071298][ T6833]  do_syscall_64+0x2d/0x70
[   66.075700][ T6833]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[   66.081615][ T6833] RIP: 0033:0x445088
[   66.085503][ T6833] Code: Bad RIP value.
[   66.089571][ T6833] RSP: 002b:00007ffdfda8d6a8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[   66.097985][ T6833] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 0000000000445088
[   66.105961][ T6833] RDX: 0000000000000001 RSI: 000000000000003c RDI: 0000000000000001
[   66.113945][ T6833] RBP: 00000000004cce70 R08: 00000000000000e7 R09: ffffffffffffffd0
[   66.121892][ T6833] R10: 00000000000000ff R11: 0000000000000246 R12: 0000000000000001
[   66.129838][ T6833] R13: 00000000006e0200 R14: 0000000000000000 R15: 0000000000000000
[   66.138720][ T6833] Kernel Offset: disabled
[   66.143039][ T6833] Rebooting in 86400 seconds..