[ OK ] Reached target Login Prompts.
[ OK ] Reached target Multi-User System.
[ OK ] Reached target Graphical Interface.
         Starting Update UTMP about System Runlevel Changes...
[ OK ] Started Update UTMP about System Runlevel Changes.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.0.82' (ECDSA) to the list of known hosts.

syzkaller login: [ 62.066712][ T6821] IPVS: ftp: loaded support on port[0] = 21
executing program
[ 63.253012][ T6843] ==================================================================
[ 63.262737][ T6843] BUG: KASAN: use-after-free in hci_chan_del+0x14f/0x190
[ 63.270419][ T6843] Read of size 8 at addr ffff8880a65b5818 by task syz-executor450/6843
[ 63.279992][ T6843]
[ 63.282343][ T6843] CPU: 1 PID: 6843 Comm: syz-executor450 Not tainted 5.8.0-syzkaller #0
[ 63.291784][ T6843] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 63.303347][ T6843] Call Trace:
[ 63.306768][ T6843]  dump_stack+0x18f/0x20d
[ 63.311661][ T6843]  ? hci_chan_del+0x14f/0x190
[ 63.316396][ T6843]  ? hci_chan_del+0x14f/0x190
[ 63.321091][ T6843]  print_address_description.constprop.0.cold+0xae/0x436
[ 63.328165][ T6843]  ? mutex_lock_io_nested+0xf60/0xf60
[ 63.333558][ T6843]  ? lockdep_hardirqs_off+0x66/0xa0
[ 63.339213][ T6843]  ? vprintk_func+0x97/0x1a6
[ 63.343849][ T6843]  ? hci_chan_del+0x14f/0x190
[ 63.348549][ T6843]  kasan_report.cold+0x1f/0x37
[ 63.353532][ T6843]  ? hci_chan_del+0x14f/0x190
[ 63.358706][ T6843]  hci_chan_del+0x14f/0x190
[ 63.363521][ T6843]  l2cap_conn_del+0x61b/0x9e0
[ 63.369124][ T6843]  ? l2cap_conn_del+0x9e0/0x9e0
[ 63.374240][ T6843]  l2cap_disconn_cfm+0x85/0xa0
[ 63.379010][ T6843]  hci_conn_hash_flush+0x114/0x220
[ 63.385438][ T6843]  ? vhci_close_dev+0x50/0x50
[ 63.390816][ T6843]  hci_dev_do_close+0x5c6/0x1080
[ 63.396116][ T6843]  ? do_raw_write_lock+0x11a/0x280
[ 63.401966][ T6843]  ? hci_dev_open+0x350/0x350
[ 63.406761][ T6843]  ? do_raw_read_unlock+0x70/0x70
[ 63.413394][ T6843]  ? try_to_grab_pending.part.0+0x7d0/0x7d0
[ 63.420271][ T6843]  ? fsnotify_parent+0xb7/0x2b0
[ 63.425253][ T6843]  ? vhci_close_dev+0x50/0x50
[ 63.429962][ T6843]  hci_unregister_dev+0x1a3/0xe20
[ 63.435022][ T6843]  ? fcntl_setlk+0xf60/0xf60
[ 63.439726][ T6843]  ? lock_is_held_type+0xb0/0xe0
[ 63.445123][ T6843]  ? vhci_close_dev+0x50/0x50
[ 63.450004][ T6843]  vhci_release+0x70/0xe0
[ 63.454359][ T6843]  __fput+0x33c/0x880
[ 63.458364][ T6843]  task_work_run+0xdd/0x190
[ 63.463410][ T6843]  do_exit+0xb72/0x2a40
[ 63.468128][ T6843]  ? swapin_walk_pmd_entry+0x7b0/0x7b0
[ 63.474046][ T6843]  ? __fget_light+0xea/0x280
[ 63.478931][ T6843]  ? mm_update_next_owner+0x7a0/0x7a0
[ 63.484809][ T6843]  ? lock_is_held_type+0xb0/0xe0
[ 63.490111][ T6843]  ? do_syscall_64+0x1c/0xe0
[ 63.495349][ T6843]  __x64_sys_exit+0x3e/0x50
[ 63.500336][ T6843]  do_syscall_64+0x60/0xe0
[ 63.504762][ T6843]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 63.510668][ T6843] RIP: 0033:0x402b9e
[ 63.514586][ T6843] Code: Bad RIP value.
[ 63.518657][ T6843] RSP: 002b:00007f34d5d27de0 EFLAGS: 00000246 ORIG_RAX: 000000000000003c
[ 63.527099][ T6843] RAX: ffffffffffffffda RBX: 00007f34d5d28700 RCX: 0000000000402b9e
[ 63.535087][ T6843] RDX: 000000000000003c RSI: 00000000007fb000 RDI: 0000000000000000
[ 63.543080][ T6843] RBP: 0000000000000000 R08: 00000000000000f1 R09: 00007f34d5d28700
[ 63.551614][ T6843] R10: 00007f34d5d289d0 R11: 0000000000000246 R12: 0000000000000000
[ 63.559857][ T6843] R13: 00007ffdd97efeff R14: 00007f34d5d289c0 R15: 0000000000000001
[ 63.568205][ T6843]
[ 63.570822][ T6843] Allocated by task 6845:
[ 63.575206][ T6843]  save_stack+0x1b/0x40
[ 63.580694][ T6843]  __kasan_kmalloc.constprop.0+0xc2/0xd0
[ 63.586870][ T6843]  kmem_cache_alloc_trace+0x14f/0x2d0
[ 63.592553][ T6843]  hci_chan_create+0x9b/0x330
[ 63.597688][ T6843]  l2cap_conn_add.part.0+0x1e/0xe10
[ 63.603870][ T6843]  l2cap_connect_cfm+0x23b/0x1090
[ 63.608923][ T6843]  le_conn_complete_evt+0x1153/0x1740
[ 63.615643][ T6843]  hci_le_meta_evt+0x745/0x3eb0
[ 63.622028][ T6843]  hci_event_packet+0x245a/0x86f5
[ 63.627069][ T6843]  hci_rx_work+0x22e/0xb10
[ 63.631536][ T6843]  process_one_work+0x94c/0x1670
[ 63.637873][ T6843]  worker_thread+0x64c/0x1120
[ 63.642658][ T6843]  kthread+0x3b5/0x4a0
[ 63.647237][ T6843]  ret_from_fork+0x1f/0x30
[ 63.652272][ T6843]
[ 63.654923][ T6843] Freed by task 6845:
[ 63.659377][ T6843]  save_stack+0x1b/0x40
[ 63.663543][ T6843]  __kasan_slab_free+0xf5/0x140
[ 63.668400][ T6843]  kfree+0x103/0x2c0
[ 63.672396][ T6843]  hci_event_packet+0x319a/0x86f5
[ 63.678069][ T6843]  hci_rx_work+0x22e/0xb10
[ 63.682603][ T6843]  process_one_work+0x94c/0x1670
[ 63.688904][ T6843]  worker_thread+0x64c/0x1120
[ 63.695507][ T6843]  kthread+0x3b5/0x4a0
[ 63.699614][ T6843]  ret_from_fork+0x1f/0x30
[ 63.704114][ T6843]
[ 63.706711][ T6843] The buggy address belongs to the object at ffff8880a65b5800
[ 63.706711][ T6843]  which belongs to the cache kmalloc-128 of size 128
[ 63.723573][ T6843] The buggy address is located 24 bytes inside of
[ 63.723573][ T6843]  128-byte region [ffff8880a65b5800, ffff8880a65b5880)
[ 63.738941][ T6843] The buggy address belongs to the page:
[ 63.744954][ T6843] page:ffffea0002996d40 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff8880a65b5500
[ 63.757286][ T6843] flags: 0xfffe0000000200(slab)
[ 63.762781][ T6843] raw: 00fffe0000000200 ffffea000280eb48 ffffea0002767c88 ffff8880aa000700
[ 63.771558][ T6843] raw: ffff8880a65b5500 ffff8880a65b5000 000000010000000d 0000000000000000
[ 63.781212][ T6843] page dumped because: kasan: bad access detected
[ 63.790581][ T6843]
[ 63.792921][ T6843] Memory state around the buggy address:
[ 63.799101][ T6843]  ffff8880a65b5700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 63.808046][ T6843]  ffff8880a65b5780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 63.816140][ T6843] >ffff8880a65b5800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 63.824207][ T6843]                             ^
[ 63.829063][ T6843]  ffff8880a65b5880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 63.838798][ T6843]  ffff8880a65b5900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 63.847138][ T6843] ==================================================================
[ 63.855828][ T6843] Disabling lock debugging due to kernel taint
[ 63.866258][ T6843] Kernel panic - not syncing: panic_on_warn set ...
[ 63.873055][ T6843] CPU: 1 PID: 6843 Comm: syz-executor450 Tainted: G    B             5.8.0-syzkaller #0
[ 63.883336][ T6843] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 63.893744][ T6843] Call Trace:
[ 63.897043][ T6843]  dump_stack+0x18f/0x20d
[ 63.902146][ T6843]  ? hci_chan_del+0xa0/0x190
[ 63.907797][ T6843]  panic+0x2e3/0x75c
[ 63.911807][ T6843]  ? __warn_printk+0xf3/0xf3
[ 63.917137][ T6843]  ? preempt_schedule_common+0x59/0xc0
[ 63.922614][ T6843]  ? hci_chan_del+0x14f/0x190
[ 63.927658][ T6843]  ? preempt_schedule_thunk+0x16/0x18
[ 63.934099][ T6843]  ? trace_hardirqs_on+0x55/0x220
[ 63.939143][ T6843]  ? hci_chan_del+0x14f/0x190
[ 63.944144][ T6843]  ? hci_chan_del+0x14f/0x190
[ 63.948806][ T6843]  end_report+0x4d/0x53
[ 63.953489][ T6843]  kasan_report.cold+0xd/0x37
[ 63.958634][ T6843]  ? hci_chan_del+0x14f/0x190
[ 63.963817][ T6843]  hci_chan_del+0x14f/0x190
[ 63.968816][ T6843]  l2cap_conn_del+0x61b/0x9e0
[ 63.973491][ T6843]  ? l2cap_conn_del+0x9e0/0x9e0
[ 63.978340][ T6843]  l2cap_disconn_cfm+0x85/0xa0
[ 63.983270][ T6843]  hci_conn_hash_flush+0x114/0x220
[ 63.988819][ T6843]  ? vhci_close_dev+0x50/0x50
[ 63.994461][ T6843]  hci_dev_do_close+0x5c6/0x1080
[ 63.999400][ T6843]  ? do_raw_write_lock+0x11a/0x280
[ 64.004959][ T6843]  ? hci_dev_open+0x350/0x350
[ 64.009640][ T6843]  ? do_raw_read_unlock+0x70/0x70
[ 64.016068][ T6843]  ? try_to_grab_pending.part.0+0x7d0/0x7d0
[ 64.022083][ T6843]  ? fsnotify_parent+0xb7/0x2b0
[ 64.026953][ T6843]  ? vhci_close_dev+0x50/0x50
[ 64.033359][ T6843]  hci_unregister_dev+0x1a3/0xe20
[ 64.038398][ T6843]  ? fcntl_setlk+0xf60/0xf60
[ 64.043302][ T6843]  ? lock_is_held_type+0xb0/0xe0
[ 64.048241][ T6843]  ? vhci_close_dev+0x50/0x50
[ 64.052989][ T6843]  vhci_release+0x70/0xe0
[ 64.057310][ T6843]  __fput+0x33c/0x880
[ 64.061277][ T6843]  task_work_run+0xdd/0x190
[ 64.065912][ T6843]  do_exit+0xb72/0x2a40
[ 64.070071][ T6843]  ? swapin_walk_pmd_entry+0x7b0/0x7b0
[ 64.076311][ T6843]  ? __fget_light+0xea/0x280
[ 64.082293][ T6843]  ? mm_update_next_owner+0x7a0/0x7a0
[ 64.088206][ T6843]  ? lock_is_held_type+0xb0/0xe0
[ 64.093160][ T6843]  ? do_syscall_64+0x1c/0xe0
[ 64.097753][ T6843]  __x64_sys_exit+0x3e/0x50
[ 64.103046][ T6843]  do_syscall_64+0x60/0xe0
[ 64.108627][ T6843]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 64.114537][ T6843] RIP: 0033:0x402b9e
[ 64.118429][ T6843] Code: Bad RIP value.
[ 64.124393][ T6843] RSP: 002b:00007f34d5d27de0 EFLAGS: 00000246 ORIG_RAX: 000000000000003c
[ 64.133472][ T6843] RAX: ffffffffffffffda RBX: 00007f34d5d28700 RCX: 0000000000402b9e
[ 64.142841][ T6843] RDX: 000000000000003c RSI: 00000000007fb000 RDI: 0000000000000000
[ 64.151279][ T6843] RBP: 0000000000000000 R08: 00000000000000f1 R09: 00007f34d5d28700
[ 64.164932][ T6843] R10: 00007f34d5d289d0 R11: 0000000000000246 R12: 0000000000000000
[ 64.172999][ T6843] R13: 00007ffdd97efeff R14: 00007f34d5d289c0 R15: 0000000000000001
[ 64.181972][ T6843] Kernel Offset: disabled
[ 64.186345][ T6843] Rebooting in 86400 seconds..