Warning: Permanently added '10.128.0.33' (ECDSA) to the list of known hosts.
syzkaller login: [ 151.099156][ T6858] IPVS: ftp: loaded support on port[0] = 21
executing program
executing program
executing program
executing program
[ 152.350680][ T1546] ------------[ cut here ]------------
[ 152.358113][ T1546] refcount_t: addition on 0; use-after-free.
[ 152.365473][ T1546] WARNING: CPU: 0 PID: 1546 at lib/refcount.c:25 refcount_warn_saturate+0x169/0x1e0
[ 152.375857][ T1546] Kernel panic - not syncing: panic_on_warn set ...
[ 152.383262][ T1546] CPU: 0 PID: 1546 Comm: kworker/u5:0 Not tainted 5.8.0-rc7-next-20200731-syzkaller #0
[ 152.393785][ T1546] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 152.405553][ T1546] Workqueue: hci0 hci_rx_work
[ 152.410959][ T1546] Call Trace:
[ 152.414452][ T1546] dump_stack+0x18f/0x20d
[ 152.419322][ T1546] panic+0x2e3/0x75c
[ 152.423871][ T1546] ? __warn_printk+0xf3/0xf3
[ 152.430715][ T1546] ? __warn.cold+0x5/0x4a
[ 152.435466][ T1546] ? __warn+0xd6/0x1f2
[ 152.440103][ T1546] ? refcount_warn_saturate+0x169/0x1e0
[ 152.446707][ T1546] __warn.cold+0x20/0x4a
[ 152.451261][ T1546] ? refcount_warn_saturate+0x169/0x1e0
[ 152.458107][ T1546] report_bug+0x1bd/0x210
[ 152.463327][ T1546] handle_bug+0x38/0x90
[ 152.467822][ T1546] exc_invalid_op+0x14/0x40
[ 152.473339][ T1546] asm_exc_invalid_op+0x12/0x20
[ 152.478776][ T1546] RIP: 0010:refcount_warn_saturate+0x169/0x1e0
[ 152.486093][ T1546] Code: 07 31 ff 89 de e8 67 f4 d8 fd 84 db 0f 85 36 ff ff ff e8 1a f8 d8 fd 48 c7 c7 20 ca 93 88 c6 05 e3 6e 19 07 01 e8 a9 e7 a9 fd <0f> 0b e9 17 ff ff ff e8 fb f7 d8 fd 0f b6 1d c8 6e 19 07 31 ff 89
[ 152.542446][ T1546] RSP: 0018:ffffc90005677908 EFLAGS: 00010286
[ 152.548792][ T1546] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
[ 152.557102][ T1546] RDX: ffff8880a4ad22c0 RSI: ffffffff815d86e7 RDI: fffff52000acef13
[ 152.565452][ T1546] RBP: 0000000000000002 R08: 0000000000000001 R09: ffff8880ae6318a7
[ 152.574455][ T1546] R10: 0000000000000000 R11: 746e756f63666572 R12: dffffc0000000000
[ 152.583160][ T1546] R13: 0000000000000001 R14: ffff8880a660c000 R15: 0000000000000003
[ 152.592252][ T1546] ? vprintk_func+0x97/0x1a6
[ 152.597893][ T1546] ? refcount_warn_saturate+0x169/0x1e0
[ 152.603709][ T1546] l2cap_global_chan_by_psm+0x53f/0x5b0
[ 152.609586][ T1546] ? l2cap_chan_timeout+0x450/0x450
[ 152.614944][ T1546] ? lockdep_hardirqs_on_prepare+0x530/0x530
[ 152.621621][ T1546] ? mark_lock+0xbc/0x1710
[ 152.626122][ T1546] ? __lock_acquire+0x16cb/0x5640
[ 152.631390][ T1546] l2cap_recv_frame+0xc3b/0xae10
[ 152.636530][ T1546] ? hci_rx_work+0x35b/0xb50
[ 152.641150][ T1546] ? __lock_acquire+0xbb5/0x5640
[ 152.647743][ T1546] ? l2cap_config_rsp.isra.0+0x1130/0x1130
[ 152.653696][ T1546] ? find_held_lock+0x2d/0x110
[ 152.659216][ T1546] ? hci_rx_work+0x498/0xb50
[ 152.664585][ T1546] ? lock_downgrade+0x830/0x830
[ 152.671113][ T1546] ? lock_acquire+0x1f1/0xad0
[ 152.677266][ T1546] ? hci_rx_work+0x33d/0xb50
[ 152.681970][ T1546] ? find_held_lock+0x2d/0x110
[ 152.687351][ T1546] ? __mutex_unlock_slowpath+0xe2/0x610
[ 152.693506][ T1546] ? hci_conn_enter_active_mode+0x11a/0x2e0
[ 152.699796][ T1546] l2cap_recv_acldata+0x7f6/0x8e0
[ 152.705008][ T1546] hci_rx_work+0x4c7/0xb50
[ 152.709738][ T1546] process_one_work+0x94c/0x1670
[ 152.714709][ T1546] ? lock_release+0x8e0/0x8e0
[ 152.719417][ T1546] ? pwq_dec_nr_in_flight+0x2d0/0x2d0
[ 152.724891][ T1546] ? rwlock_bug.part.0+0x90/0x90
[ 152.729849][ T1546] ? lockdep_hardirqs_off+0x7e/0xb0
[ 152.735158][ T1546] worker_thread+0x64c/0x1120
[ 152.740354][ T1546] ? process_one_work+0x1670/0x1670
[ 152.746309][ T1546] kthread+0x3b5/0x4a0
[ 152.750616][ T1546] ? __kthread_bind_mask+0xc0/0xc0
[ 152.755900][ T1546] ? __kthread_bind_mask+0xc0/0xc0
[ 152.761037][ T1546] ret_from_fork+0x1f/0x30
[ 152.767451][ T1546] Kernel Offset: disabled
[ 152.772110][ T1546] Rebooting in 86400 seconds..