[ OK ] Reached target Login Prompts.
[ OK ] Reached target Multi-User System.
[ OK ] Reached target Graphical Interface.
         Starting Update UTMP about System Runlevel Changes...
[ OK ] Started Update UTMP about System Runlevel Changes.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.0.146' (ECDSA) to the list of known hosts.

syzkaller login: [ 65.328197][ T6851] IPVS: ftp: loaded support on port[0] = 21
executing program
[ 66.513138][ T6851] ==================================================================
[ 66.521372][ T6851] BUG: KASAN: use-after-free in hci_chan_del+0x14f/0x190
[ 66.528400][ T6851] Read of size 8 at addr ffff8880a6770018 by task syz-executor450/6851
[ 66.536658][ T6851]
[ 66.539003][ T6851] CPU: 1 PID: 6851 Comm: syz-executor450 Not tainted 5.8.0-rc7-next-20200731-syzkaller #0
[ 66.548887][ T6851] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 66.558946][ T6851] Call Trace:
[ 66.562276][ T6851]  dump_stack+0x18f/0x20d
[ 66.566616][ T6851]  ? hci_chan_del+0x14f/0x190
[ 66.571278][ T6851]  ? hci_chan_del+0x14f/0x190
[ 66.575946][ T6851]  print_address_description.constprop.0.cold+0xae/0x497
[ 66.582975][ T6851]  ? mutex_lock_io_nested+0xf60/0xf60
[ 66.588333][ T6851]  ? lockdep_hardirqs_off+0x7e/0xb0
[ 66.593518][ T6851]  ? vprintk_func+0x97/0x1a6
[ 66.598145][ T6851]  ? hci_chan_del+0x14f/0x190
[ 66.602830][ T6851]  ? hci_chan_del+0x14f/0x190
[ 66.607510][ T6851]  kasan_report.cold+0x1f/0x37
[ 66.612277][ T6851]  ? hci_chan_del+0x14f/0x190
[ 66.616940][ T6851]  hci_chan_del+0x14f/0x190
[ 66.621432][ T6851]  l2cap_conn_del+0x61b/0x9e0
[ 66.626109][ T6851]  ? l2cap_conn_del+0x9e0/0x9e0
[ 66.630946][ T6851]  l2cap_disconn_cfm+0x85/0xa0
[ 66.635714][ T6851]  hci_conn_hash_flush+0x114/0x220
[ 66.640928][ T6851]  hci_dev_do_close+0x5c6/0x1080
[ 66.645885][ T6851]  ? hci_dev_open+0x350/0x350
[ 66.650599][ T6851]  ? do_raw_read_unlock+0x70/0x70
[ 66.655641][ T6851]  ? try_to_grab_pending.part.0+0x7d0/0x7d0
[ 66.661550][ T6851]  hci_unregister_dev+0x1bd/0xe30
[ 66.666716][ T6851]  ? fcntl_setlk+0xf60/0xf60
[ 66.671313][ T6851]  ? lock_is_held_type+0xbb/0xf0
[ 66.676333][ T6851]  vhci_release+0x70/0xe0
[ 66.680681][ T6851]  __fput+0x285/0x920
[ 66.684653][ T6851]  ? vhci_close_dev+0x50/0x50
[ 66.689312][ T6851]  task_work_run+0xdd/0x190
[ 66.693798][ T6851]  do_exit+0xb7d/0x29f0
[ 66.697937][ T6851]  ? blkcg_maybe_throttle_current+0x617/0xf00
[ 66.703998][ T6851]  ? mm_update_next_owner+0x7a0/0x7a0
[ 66.709362][ T6851]  ? lock_is_held_type+0xbb/0xf0
[ 66.714298][ T6851]  ? __blkcg_punt_bio_submit+0x1d0/0x1d0
[ 66.719976][ T6851]  ? mem_cgroup_move_account+0xda0/0xda0
[ 66.725601][ T6851]  ? lock_is_held_type+0xbb/0xf0
[ 66.730524][ T6851]  do_group_exit+0x125/0x310
[ 66.735102][ T6851]  __x64_sys_exit_group+0x3a/0x50
[ 66.740116][ T6851]  do_syscall_64+0x2d/0x70
[ 66.744545][ T6851]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 66.750419][ T6851] RIP: 0033:0x445098
[ 66.754292][ T6851] Code: Bad RIP value.
[ 66.758341][ T6851] RSP: 002b:00007ffcf449b7a8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 66.766765][ T6851] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 0000000000445098
[ 66.775244][ T6851] RDX: 0000000000000001 RSI: 000000000000003c RDI: 0000000000000001
[ 66.783203][ T6851] RBP: 00000000004cceb0 R08: 00000000000000e7 R09: ffffffffffffffd0
[ 66.791168][ T6851] R10: 00000000000000ff R11: 0000000000000246 R12: 0000000000000001
[ 66.799121][ T6851] R13: 00000000006e0200 R14: 0000000000000000 R15: 0000000000000000
[ 66.807081][ T6851]
[ 66.809390][ T6851] Allocated by task 6877:
[ 66.813721][ T6851]  kasan_save_stack+0x1b/0x40
[ 66.818386][ T6851]  __kasan_kmalloc.constprop.0+0xbf/0xd0
[ 66.823998][ T6851]  kmem_cache_alloc_trace+0x16e/0x2c0
[ 66.829350][ T6851]  hci_chan_create+0x9b/0x330
[ 66.834011][ T6851]  l2cap_conn_add.part.0+0x1e/0xe10
[ 66.839199][ T6851]  l2cap_connect_cfm+0x23b/0x1090
[ 66.844207][ T6851]  le_conn_complete_evt+0x1153/0x1740
[ 66.849587][ T6851]  hci_le_meta_evt+0xe55/0x3fd0
[ 66.854425][ T6851]  hci_event_packet+0x2e25/0x87a8
[ 66.859443][ T6851]  hci_rx_work+0x22e/0xb50
[ 66.863849][ T6851]  process_one_work+0x94c/0x1670
[ 66.868767][ T6851]  worker_thread+0x64c/0x1120
[ 66.873427][ T6851]  kthread+0x3b5/0x4a0
[ 66.877478][ T6851]  ret_from_fork+0x1f/0x30
[ 66.881865][ T6851]
[ 66.884171][ T6851] Freed by task 1541:
[ 66.888132][ T6851]  kasan_save_stack+0x1b/0x40
[ 66.892787][ T6851]  kasan_set_track+0x1c/0x30
[ 66.897354][ T6851]  kasan_set_free_info+0x1b/0x30
[ 66.902270][ T6851]  __kasan_slab_free+0xd8/0x120
[ 66.907101][ T6851]  kfree+0x103/0x2c0
[ 66.910974][ T6851]  hci_event_packet+0x3e33/0x87a8
[ 66.915978][ T6851]  hci_rx_work+0x22e/0xb50
[ 66.920387][ T6851]  process_one_work+0x94c/0x1670
[ 66.925307][ T6851]  worker_thread+0x64c/0x1120
[ 66.929979][ T6851]  kthread+0x3b5/0x4a0
[ 66.934092][ T6851]  ret_from_fork+0x1f/0x30
[ 66.938485][ T6851]
[ 66.940807][ T6851] The buggy address belongs to the object at ffff8880a6770000
[ 66.940807][ T6851]  which belongs to the cache kmalloc-128 of size 128
[ 66.954845][ T6851] The buggy address is located 24 bytes inside of
[ 66.954845][ T6851]  128-byte region [ffff8880a6770000, ffff8880a6770080)
[ 66.968021][ T6851] The buggy address belongs to the page:
[ 66.973645][ T6851] page:0000000017985b81 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff8880a6770d00 pfn:0xa6770
[ 66.985089][ T6851] flags: 0xfffe0000000200(slab)
[ 66.989933][ T6851] raw: 00fffe0000000200 ffffea0002997308 ffffea00028a70c8 ffff8880aa000400
[ 66.998498][ T6851] raw: ffff8880a6770d00 ffff8880a6770000 0000000100000004 0000000000000000
[ 67.007075][ T6851] page dumped because: kasan: bad access detected
[ 67.013477][ T6851]
[ 67.015795][ T6851] Memory state around the buggy address:
[ 67.021421][ T6851]  ffff8880a676ff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc
[ 67.029461][ T6851]  ffff8880a676ff80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 67.037511][ T6851] >ffff8880a6770000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 67.045546][ T6851]                             ^
[ 67.050374][ T6851]  ffff8880a6770080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 67.058430][ T6851]  ffff8880a6770100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 67.066472][ T6851] ==================================================================
[ 67.074511][ T6851] Disabling lock debugging due to kernel taint
[ 67.082802][ T6851] Kernel panic - not syncing: panic_on_warn set ...
[ 67.089481][ T6851] CPU: 0 PID: 6851 Comm: syz-executor450 Tainted: G B 5.8.0-rc7-next-20200731-syzkaller #0
[ 67.100766][ T6851] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 67.110825][ T6851] Call Trace:
[ 67.114119][ T6851]  dump_stack+0x18f/0x20d
[ 67.118494][ T6851]  ? hci_chan_del+0x140/0x190
[ 67.123186][ T6851]  panic+0x2e3/0x75c
[ 67.127057][ T6851]  ? __warn_printk+0xf3/0xf3
[ 67.131631][ T6851]  ? preempt_schedule_common+0x59/0xc0
[ 67.137077][ T6851]  ? hci_chan_del+0x14f/0x190
[ 67.141750][ T6851]  ? preempt_schedule_thunk+0x16/0x18
[ 67.147112][ T6851]  ? trace_hardirqs_on+0x55/0x220
[ 67.152129][ T6851]  ? hci_chan_del+0x14f/0x190
[ 67.156778][ T6851]  ? hci_chan_del+0x14f/0x190
[ 67.161432][ T6851]  end_report+0x4d/0x53
[ 67.165564][ T6851]  kasan_report.cold+0xd/0x37
[ 67.170234][ T6851]  ? hci_chan_del+0x14f/0x190
[ 67.174890][ T6851]  hci_chan_del+0x14f/0x190
[ 67.179393][ T6851]  l2cap_conn_del+0x61b/0x9e0
[ 67.184047][ T6851]  ? l2cap_conn_del+0x9e0/0x9e0
[ 67.188871][ T6851]  l2cap_disconn_cfm+0x85/0xa0
[ 67.193615][ T6851]  hci_conn_hash_flush+0x114/0x220
[ 67.198724][ T6851]  hci_dev_do_close+0x5c6/0x1080
[ 67.203644][ T6851]  ? hci_dev_open+0x350/0x350
[ 67.208296][ T6851]  ? do_raw_read_unlock+0x70/0x70
[ 67.213298][ T6851]  ? try_to_grab_pending.part.0+0x7d0/0x7d0
[ 67.219167][ T6851]  hci_unregister_dev+0x1bd/0xe30
[ 67.224179][ T6851]  ? fcntl_setlk+0xf60/0xf60
[ 67.228755][ T6851]  ? lock_is_held_type+0xbb/0xf0
[ 67.233682][ T6851]  vhci_release+0x70/0xe0
[ 67.237997][ T6851]  __fput+0x285/0x920
[ 67.241958][ T6851]  ? vhci_close_dev+0x50/0x50
[ 67.246612][ T6851]  task_work_run+0xdd/0x190
[ 67.251091][ T6851]  do_exit+0xb7d/0x29f0
[ 67.255225][ T6851]  ? blkcg_maybe_throttle_current+0x617/0xf00
[ 67.261264][ T6851]  ? mm_update_next_owner+0x7a0/0x7a0
[ 67.266612][ T6851]  ? lock_is_held_type+0xbb/0xf0
[ 67.271524][ T6851]  ? __blkcg_punt_bio_submit+0x1d0/0x1d0
[ 67.277144][ T6851]  ? mem_cgroup_move_account+0xda0/0xda0
[ 67.282754][ T6851]  ? lock_is_held_type+0xbb/0xf0
[ 67.287673][ T6851]  do_group_exit+0x125/0x310
[ 67.292260][ T6851]  __x64_sys_exit_group+0x3a/0x50
[ 67.297260][ T6851]  do_syscall_64+0x2d/0x70
[ 67.301655][ T6851]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 67.307520][ T6851] RIP: 0033:0x445098
[ 67.311381][ T6851] Code: Bad RIP value.
[ 67.315420][ T6851] RSP: 002b:00007ffcf449b7a8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 67.323807][ T6851] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 0000000000445098
[ 67.331757][ T6851] RDX: 0000000000000001 RSI: 000000000000003c RDI: 0000000000000001
[ 67.339709][ T6851] RBP: 00000000004cceb0 R08: 00000000000000e7 R09: ffffffffffffffd0
[ 67.347660][ T6851] R10: 00000000000000ff R11: 0000000000000246 R12: 0000000000000001
[ 67.355606][ T6851] R13: 00000000006e0200 R14: 0000000000000000 R15: 0000000000000000
[ 67.364635][ T6851] Kernel Offset: disabled
[ 67.369055][ T6851] Rebooting in 86400 seconds..