[  OK  ] Reached target Graphical Interface.
         Starting Update UTMP about System Runlevel Changes...
         Starting Load/Save RF Kill Switch Status...
[  OK  ] Started Update UTMP about System Runlevel Changes.
[  OK  ] Started Load/Save RF Kill Switch Status.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.0.14' (ECDSA) to the list of known hosts.

syzkaller login: [   65.870837][ T6849] IPVS: ftp: loaded support on port[0] = 21
executing program
[   67.077499][ T6849] ==================================================================
[   67.085855][ T6849] BUG: KASAN: use-after-free in hci_chan_del+0x14f/0x190
[   67.092889][ T6849] Read of size 8 at addr ffff8880a6bc4218 by task syz-executor009/6849
[   67.101130][ T6849] 
[   67.103488][ T6849] CPU: 1 PID: 6849 Comm: syz-executor009 Not tainted 5.8.0-rc7-next-20200731-syzkaller #0
[   67.113390][ T6849] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   67.124132][ T6849] Call Trace:
[   67.127414][ T6849]  dump_stack+0x18f/0x20d
[   67.131732][ T6849]  ? hci_chan_del+0x14f/0x190
[   67.136406][ T6849]  ? hci_chan_del+0x14f/0x190
[   67.141086][ T6849]  print_address_description.constprop.0.cold+0xae/0x497
[   67.148154][ T6849]  ? mutex_lock_io_nested+0xf60/0xf60
[   67.153517][ T6849]  ? lockdep_hardirqs_off+0x7e/0xb0
[   67.158708][ T6849]  ? vprintk_func+0x97/0x1a6
[   67.163313][ T6849]  ? hci_chan_del+0x14f/0x190
[   67.167979][ T6849]  ? hci_chan_del+0x14f/0x190
[   67.172637][ T6849]  kasan_report.cold+0x1f/0x37
[   67.177401][ T6849]  ? hci_chan_del+0x14f/0x190
[   67.182067][ T6849]  hci_chan_del+0x14f/0x190
[   67.186646][ T6849]  l2cap_conn_del+0x61b/0x9e0
[   67.191313][ T6849]  ? l2cap_conn_del+0x9e0/0x9e0
[   67.196155][ T6849]  l2cap_disconn_cfm+0x85/0xa0
[   67.200922][ T6849]  hci_conn_hash_flush+0x114/0x220
[   67.206030][ T6849]  hci_dev_do_close+0x5c6/0x1080
[   67.210962][ T6849]  ? hci_dev_open+0x350/0x350
[   67.215725][ T6849]  ? do_raw_read_unlock+0x70/0x70
[   67.220743][ T6849]  ? try_to_grab_pending.part.0+0x7d0/0x7d0
[   67.226629][ T6849]  hci_unregister_dev+0x1bd/0xe30
[   67.231638][ T6849]  ? fcntl_setlk+0xf60/0xf60
[   67.236228][ T6849]  ? lock_is_held_type+0xbb/0xf0
[   67.241165][ T6849]  vhci_release+0x70/0xe0
[   67.245475][ T6849]  __fput+0x285/0x920
[   67.249450][ T6849]  ? vhci_close_dev+0x50/0x50
[   67.254127][ T6849]  task_work_run+0xdd/0x190
[   67.258622][ T6849]  do_exit+0xb7d/0x29f0
[   67.262776][ T6849]  ? blkcg_maybe_throttle_current+0x617/0xf00
[   67.269373][ T6849]  ? mm_update_next_owner+0x7a0/0x7a0
[   67.274741][ T6849]  ? lock_is_held_type+0xbb/0xf0
[   67.279686][ T6849]  ? __blkcg_punt_bio_submit+0x1d0/0x1d0
[   67.285325][ T6849]  ? mem_cgroup_move_account+0xda0/0xda0
[   67.290951][ T6849]  ? lock_is_held_type+0xbb/0xf0
[   67.295893][ T6849]  do_group_exit+0x125/0x310
[   67.300503][ T6849]  __x64_sys_exit_group+0x3a/0x50
[   67.305536][ T6849]  do_syscall_64+0x2d/0x70
[   67.309944][ T6849]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[   67.315821][ T6849] RIP: 0033:0x445158
[   67.319702][ T6849] Code: Bad RIP value.
[   67.323757][ T6849] RSP: 002b:00007fff09c71b58 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[   67.332179][ T6849] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 0000000000445158
[   67.340156][ T6849] RDX: 0000000000000001 RSI: 000000000000003c RDI: 0000000000000001
[   67.348117][ T6849] RBP: 00000000004ccf30 R08: 00000000000000e7 R09: ffffffffffffffd0
[   67.356083][ T6849] R10: 00000000000000ff R11: 0000000000000246 R12: 0000000000000001
[   67.364825][ T6849] R13: 00000000006e0220 R14: 0000000000000000 R15: 0000000000000000
[   67.372785][ T6849] 
[   67.375121][ T6849] Allocated by task 6873:
[   67.380042][ T6849]  kasan_save_stack+0x1b/0x40
[   67.384712][ T6849]  __kasan_kmalloc.constprop.0+0xbf/0xd0
[   67.390344][ T6849]  kmem_cache_alloc_trace+0x16e/0x2c0
[   67.395704][ T6849]  hci_chan_create+0x9b/0x330
[   67.400373][ T6849]  l2cap_conn_add.part.0+0x1e/0xe10
[   67.405554][ T6849]  l2cap_connect_cfm+0x23b/0x1090
[   67.410560][ T6849]  le_conn_complete_evt+0x1153/0x1740
[   67.415911][ T6849]  hci_le_meta_evt+0xe55/0x3fd0
[   67.420743][ T6849]  hci_event_packet+0x2e25/0x87a8
[   67.425744][ T6849]  hci_rx_work+0x22e/0xb50
[   67.430161][ T6849]  process_one_work+0x94c/0x1670
[   67.435112][ T6849]  worker_thread+0x64c/0x1120
[   67.439786][ T6849]  kthread+0x3b5/0x4a0
[   67.443869][ T6849]  ret_from_fork+0x1f/0x30
[   67.448283][ T6849] 
[   67.450626][ T6849] Freed by task 1542:
[   67.454616][ T6849]  kasan_save_stack+0x1b/0x40
[   67.459299][ T6849]  kasan_set_track+0x1c/0x30
[   67.463894][ T6849]  kasan_set_free_info+0x1b/0x30
[   67.469443][ T6849]  __kasan_slab_free+0xd8/0x120
[   67.474324][ T6849]  kfree+0x103/0x2c0
[   67.478232][ T6849]  hci_event_packet+0x3e33/0x87a8
[   67.483285][ T6849]  hci_rx_work+0x22e/0xb50
[   67.487686][ T6849]  process_one_work+0x94c/0x1670
[   67.492640][ T6849]  worker_thread+0x64c/0x1120
[   67.497302][ T6849]  kthread+0x3b5/0x4a0
[   67.501366][ T6849]  ret_from_fork+0x1f/0x30
[   67.505773][ T6849] 
[   67.508084][ T6849] The buggy address belongs to the object at ffff8880a6bc4200
[   67.508084][ T6849]  which belongs to the cache kmalloc-128 of size 128
[   67.522122][ T6849] The buggy address is located 24 bytes inside of
[   67.522122][ T6849]  128-byte region [ffff8880a6bc4200, ffff8880a6bc4280)
[   67.535310][ T6849] The buggy address belongs to the page:
[   67.540946][ T6849] page:00000000b829125e refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff8880a6bc4c00 pfn:0xa6bc4
[   67.552393][ T6849] flags: 0xfffe0000000200(slab)
[   67.557268][ T6849] raw: 00fffe0000000200 ffffea00028b9508 ffffea00028eea08 ffff8880aa000400
[   67.566889][ T6849] raw: ffff8880a6bc4c00 ffff8880a6bc4000 0000000100000006 0000000000000000
[   67.575456][ T6849] page dumped because: kasan: bad access detected
[   67.582389][ T6849] 
[   67.584701][ T6849] Memory state around the buggy address:
[   67.591021][ T6849]  ffff8880a6bc4100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   67.599096][ T6849]  ffff8880a6bc4180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   67.607166][ T6849] >ffff8880a6bc4200: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   67.615213][ T6849]                             ^
[   67.620074][ T6849]  ffff8880a6bc4280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   67.628144][ T6849]  ffff8880a6bc4300: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   67.636188][ T6849] ==================================================================
[   67.644247][ T6849] Disabling lock debugging due to kernel taint
[   67.651497][ T6849] Kernel panic - not syncing: panic_on_warn set ...
[   67.659415][ T6849] CPU: 1 PID: 6849 Comm: syz-executor009 Tainted: G    B             5.8.0-rc7-next-20200731-syzkaller #0
[   67.679545][ T6849] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   67.689659][ T6849] Call Trace:
[   67.692959][ T6849]  dump_stack+0x18f/0x20d
[   67.697320][ T6849]  ? hci_chan_del+0x140/0x190
[   67.702005][ T6849]  panic+0x2e3/0x75c
[   67.705900][ T6849]  ? __warn_printk+0xf3/0xf3
[   67.710498][ T6849]  ? preempt_schedule_common+0x59/0xc0
[   67.715947][ T6849]  ? hci_chan_del+0x14f/0x190
[   67.721429][ T6849]  ? preempt_schedule_thunk+0x16/0x18
[   67.727235][ T6849]  ? trace_hardirqs_on+0x55/0x220
[   67.732253][ T6849]  ? hci_chan_del+0x14f/0x190
[   67.737619][ T6849]  ? hci_chan_del+0x14f/0x190
[   67.742297][ T6849]  end_report+0x4d/0x53
[   67.746566][ T6849]  kasan_report.cold+0xd/0x37
[   67.751371][ T6849]  ? hci_chan_del+0x14f/0x190
[   67.757785][ T6849]  hci_chan_del+0x14f/0x190
[   67.762273][ T6849]  l2cap_conn_del+0x61b/0x9e0
[   67.770766][ T6849]  ? l2cap_conn_del+0x9e0/0x9e0
[   67.775610][ T6849]  l2cap_disconn_cfm+0x85/0xa0
[   67.781270][ T6849]  hci_conn_hash_flush+0x114/0x220
[   67.786391][ T6849]  hci_dev_do_close+0x5c6/0x1080
[   67.791329][ T6849]  ? hci_dev_open+0x350/0x350
[   67.795990][ T6849]  ? do_raw_read_unlock+0x70/0x70
[   67.801004][ T6849]  ? try_to_grab_pending.part.0+0x7d0/0x7d0
[   67.806908][ T6849]  hci_unregister_dev+0x1bd/0xe30
[   67.812019][ T6849]  ? fcntl_setlk+0xf60/0xf60
[   67.816628][ T6849]  ? lock_is_held_type+0xbb/0xf0
[   67.821561][ T6849]  vhci_release+0x70/0xe0
[   67.825974][ T6849]  __fput+0x285/0x920
[   67.829959][ T6849]  ? vhci_close_dev+0x50/0x50
[   67.834649][ T6849]  task_work_run+0xdd/0x190
[   67.839151][ T6849]  do_exit+0xb7d/0x29f0
[   67.843290][ T6849]  ? blkcg_maybe_throttle_current+0x617/0xf00
[   67.849444][ T6849]  ? mm_update_next_owner+0x7a0/0x7a0
[   67.854803][ T6849]  ? lock_is_held_type+0xbb/0xf0
[   67.859725][ T6849]  ? __blkcg_punt_bio_submit+0x1d0/0x1d0
[   67.868207][ T6849]  ? mem_cgroup_move_account+0xda0/0xda0
[   67.873825][ T6849]  ? lock_is_held_type+0xbb/0xf0
[   67.880034][ T6849]  do_group_exit+0x125/0x310
[   67.885240][ T6849]  __x64_sys_exit_group+0x3a/0x50
[   67.890269][ T6849]  do_syscall_64+0x2d/0x70
[   67.894668][ T6849]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[   67.900572][ T6849] RIP: 0033:0x445158
[   67.904455][ T6849] Code: Bad RIP value.
[   67.908529][ T6849] RSP: 002b:00007fff09c71b58 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[   67.917734][ T6849] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 0000000000445158
[   67.925708][ T6849] RDX: 0000000000000001 RSI: 000000000000003c RDI: 0000000000000001
[   67.933664][ T6849] RBP: 00000000004ccf30 R08: 00000000000000e7 R09: ffffffffffffffd0
[   67.941642][ T6849] R10: 00000000000000ff R11: 0000000000000246 R12: 0000000000000001
[   67.949608][ T6849] R13: 00000000006e0220 R14: 0000000000000000 R15: 0000000000000000
[   67.958646][ T6849] Kernel Offset: disabled
[   67.962979][ T6849] Rebooting in 86400 seconds..
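The report above carries everything needed for a first triage pass (bug class, faulting function, access size, allocation and free stacks, slab cache, offset into the object, the shadow byte at the faulting address), but spread over console lines with timestamps in front. The following Python is an added example, not part of the syzbot report or of the kernel tree, that parses those lines into a structured summary. The sample input is excerpted verbatim from the log above; the `NOISE_FRAMES` filter used to skip KASAN and slab bookkeeping frames is this example's own heuristic, and the shadow-byte legend (0xfa free-track granule, 0xfb freed, 0xfc kmalloc redzone) is assumed to match the generic KASAN mode of the kernel generation shown here.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Sample input: real lines excerpted (trimmed) from the syzbot console log above.
# The "[ secs][ Tpid]" console prefix is the first thing the parser strips.
SAMPLE_REPORT = """\
[   67.085855][ T6849] BUG: KASAN: use-after-free in hci_chan_del+0x14f/0x190
[   67.092889][ T6849] Read of size 8 at addr ffff8880a6bc4218 by task syz-executor009/6849
[   67.375121][ T6849] Allocated by task 6873:
[   67.380042][ T6849]  kasan_save_stack+0x1b/0x40
[   67.384712][ T6849]  __kasan_kmalloc.constprop.0+0xbf/0xd0
[   67.390344][ T6849]  kmem_cache_alloc_trace+0x16e/0x2c0
[   67.395704][ T6849]  hci_chan_create+0x9b/0x330
[   67.400373][ T6849]  l2cap_conn_add.part.0+0x1e/0xe10
[   67.448283][ T6849]
[   67.450626][ T6849] Freed by task 1542:
[   67.454616][ T6849]  kasan_save_stack+0x1b/0x40
[   67.463894][ T6849]  kasan_set_free_info+0x1b/0x30
[   67.469443][ T6849]  __kasan_slab_free+0xd8/0x120
[   67.474324][ T6849]  kfree+0x103/0x2c0
[   67.478232][ T6849]  hci_event_packet+0x3e33/0x87a8
[   67.505773][ T6849]
[   67.508084][ T6849] The buggy address belongs to the object at ffff8880a6bc4200
[   67.508084][ T6849]  which belongs to the cache kmalloc-128 of size 128
[   67.599096][ T6849]  ffff8880a6bc4180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   67.607166][ T6849] >ffff8880a6bc4200: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
"""

PREFIX = re.compile(r"^\[\s*[\d.]+\]\[\s*T\d+\] ?")
HEADER = re.compile(r"BUG: KASAN: (?P<kind>[\w-]+) in (?P<func>[\w.]+)\+0x")
ACCESS = re.compile(r"(?P<rw>Read|Write) of size (?P<size>\d+) at addr (?P<addr>[0-9a-f]+)")
TRACK = re.compile(r"(?P<what>Allocated|Freed) by task (?P<pid>\d+):")
OBJECT = re.compile(r"belongs to the object at (?P<base>[0-9a-f]+)")
CACHE = re.compile(r"belongs to the cache (?P<cache>\S+) of size (?P<size>\d+)")
SHADOW = re.compile(r"^>?(?P<base>[0-9a-f]{16}): (?P<bytes>(?:[0-9a-f]{2} ?){16})$")
# Bookkeeping frames on top of every alloc/free stack; skipped to find the real caller (heuristic).
NOISE_FRAMES = ("kasan_", "__kasan_", "kfree", "kmem_cache_", "kmalloc", "__kmalloc")
# Generic-mode shadow values (assumed for this kernel generation): one byte per 8-byte granule.
SHADOW_LEGEND = {0x00: "accessible", 0xfa: "freed slab object (free-track granule)",
                 0xfb: "freed slab object", 0xfc: "kmalloc redzone", 0xff: "free page"}


@dataclass
class KasanReport:
    kind: str = ""
    func: str = ""
    access: str = ""
    size: int = 0
    addr: int = 0
    alloc_pid: int = 0
    free_pid: int = 0
    alloc_stack: List[str] = field(default_factory=list)
    free_stack: List[str] = field(default_factory=list)
    object_base: int = 0
    cache: str = ""
    object_size: int = 0
    shadow: Dict[int, int] = field(default_factory=dict)  # granule address -> shadow byte

    @property
    def offset(self) -> int:  # byte offset of the bad access inside the slab object
        return self.addr - self.object_base

    def shadow_byte(self) -> Optional[int]:  # shadow byte covering the faulting granule
        return self.shadow.get(self.addr & ~7)


def parse_kasan_report(text: str) -> KasanReport:
    r, section = KasanReport(), None  # section is "alloc" or "free" while inside a stack
    for raw in text.splitlines():
        line = PREFIX.sub("", raw).strip()
        if not line:
            section = None  # a blank line ends the current stack
        elif (m := HEADER.search(line)):
            r.kind, r.func = m["kind"], m["func"]
        elif (m := ACCESS.search(line)):
            r.access, r.size, r.addr = m["rw"], int(m["size"]), int(m["addr"], 16)
        elif (m := TRACK.search(line)):
            section = "alloc" if m["what"] == "Allocated" else "free"
            setattr(r, section + "_pid", int(m["pid"]))
        elif (m := OBJECT.search(line)):
            r.object_base = int(m["base"], 16)
        elif (m := CACHE.search(line)):
            r.cache, r.object_size = m["cache"], int(m["size"])
        elif (m := SHADOW.match(line)):
            base = int(m["base"], 16)
            for i, b in enumerate(m["bytes"].split()):
                r.shadow[base + 8 * i] = int(b, 16)
        elif section and "+0x" in line:  # a stack frame: keep the symbol, drop offset/size
            getattr(r, section + "_stack").append(line.split("+0x", 1)[0])
    return r


def first_caller(stack: List[str]) -> str:
    """First frame that is not KASAN/slab bookkeeping, i.e. the code that really allocated/freed."""
    return next((f for f in stack if not f.startswith(NOISE_FRAMES)), stack[0] if stack else "")


def summarize(r: KasanReport) -> str:
    sb = r.shadow_byte()
    state = "unknown" if sb is None else SHADOW_LEGEND.get(sb, f"0x{sb:02x}")
    return (f"{r.kind}: {r.access} of {r.size} bytes in {r.func}, offset {r.offset} of a "
            f"{r.object_size}-byte {r.cache} object; allocated in {first_caller(r.alloc_stack)} "
            f"(task {r.alloc_pid}), freed in {first_caller(r.free_stack)} (task {r.free_pid}); "
            f"shadow byte at fault = {state}")
```

Running `summarize(parse_kasan_report(SAMPLE_REPORT))` on the excerpt yields the one-line triage note: a use-after-free read of 8 bytes in hci_chan_del, 24 bytes into a 128-byte kmalloc-128 object that hci_chan_create allocated under task 6873 and hci_event_packet freed under task 1542. The shadow byte at the faulting granule is 0xfb (freed slab object) rather than 0xfc (redzone), which is what distinguishes a genuine dangling-pointer dereference from an out-of-bounds read that happens to land in a neighbouring freed object.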