[[0;32m  OK  [0m] Started Getty on tty4.
[[0;32m  OK  [0m] Started Getty on tty3.
[[0;32m  OK  [0m] Started Getty on tty2.
[[0;32m  OK  [0m] Started Getty on tty1.
[[0;32m  OK  [0m] Started Serial Getty on ttyS0.
[[0;32m  OK  [0m] Reached target Login Prompts.
[[0;32m  OK  [0m] Reached target Multi-User System.
[[0;32m  OK  [0m] Reached target Graphical Interface.
         Starting Update UTMP about System Runlevel Changes...
[[0;32m  OK  [0m] Started Update UTMP about System Runlevel Changes.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.1.24' (ECDSA) to the list of known hosts.
syzkaller login: [   65.268833][ T6864] IPVS: ftp: loaded support on port[0] = 21
executing program
[   66.394466][ T6864] ==================================================================
[   66.402791][ T6864] BUG: KASAN: use-after-free in hci_chan_del+0x14f/0x190
[   66.409829][ T6864] Read of size 8 at addr ffff88809a22eb18 by task syz-executor678/6864
[   66.418166][ T6864] 
[   66.420512][ T6864] CPU: 0 PID: 6864 Comm: syz-executor678 Not tainted 5.8.0-rc7-next-20200731-syzkaller #0
[   66.430401][ T6864] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   66.440461][ T6864] Call Trace:
[   66.443769][ T6864]  dump_stack+0x18f/0x20d
[   66.448208][ T6864]  ? hci_chan_del+0x14f/0x190
[   66.452892][ T6864]  ? hci_chan_del+0x14f/0x190
[   66.457587][ T6864]  print_address_description.constprop.0.cold+0xae/0x497
[   66.464629][ T6864]  ? mutex_lock_io_nested+0xf60/0xf60
[   66.470016][ T6864]  ? lockdep_hardirqs_off+0x7e/0xb0
[   66.475335][ T6864]  ? vprintk_func+0x97/0x1a6
[   66.479941][ T6864]  ? hci_chan_del+0x14f/0x190
[   66.484626][ T6864]  ? hci_chan_del+0x14f/0x190
[   66.489464][ T6864]  kasan_report.cold+0x1f/0x37
[   66.494382][ T6864]  ? hci_chan_del+0x14f/0x190
[   66.499306][ T6864]  hci_chan_del+0x14f/0x190
[   66.503817][ T6864]  l2cap_conn_del+0x61b/0x9e0
[   66.508489][ T6864]  ? l2cap_conn_del+0x9e0/0x9e0
[   66.514015][ T6864]  l2cap_disconn_cfm+0x85/0xa0
[   66.518761][ T6864]  hci_conn_hash_flush+0x114/0x220
[   66.523870][ T6864]  hci_dev_do_close+0x5c6/0x1080
[   66.528789][ T6864]  ? hci_dev_open+0x350/0x350
[   66.533447][ T6864]  ? do_raw_read_unlock+0x70/0x70
[   66.538451][ T6864]  ? try_to_grab_pending.part.0+0x7d0/0x7d0
[   66.544445][ T6864]  hci_unregister_dev+0x1bd/0xe30
[   66.549450][ T6864]  ? fcntl_setlk+0xf60/0xf60
[   66.554021][ T6864]  ? lock_is_held_type+0xbb/0xf0
[   66.558941][ T6864]  vhci_release+0x70/0xe0
[   66.563270][ T6864]  __fput+0x285/0x920
[   66.567239][ T6864]  ? vhci_close_dev+0x50/0x50
[   66.571897][ T6864]  task_work_run+0xdd/0x190
[   66.576411][ T6864]  do_exit+0xb7d/0x29f0
[   66.580550][ T6864]  ? mm_update_next_owner+0x7a0/0x7a0
[   66.585923][ T6864]  ? lock_is_held_type+0xbb/0xf0
[   66.590841][ T6864]  ? lock_is_held_type+0xbb/0xf0
[   66.595760][ T6864]  do_group_exit+0x125/0x310
[   66.600332][ T6864]  __x64_sys_exit_group+0x3a/0x50
[   66.605352][ T6864]  do_syscall_64+0x2d/0x70
[   66.609747][ T6864]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[   66.615646][ T6864] RIP: 0033:0x4450d8
[   66.619533][ T6864] Code: Bad RIP value.
[   66.623578][ T6864] RSP: 002b:00007ffe807b7b78 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[   66.631971][ T6864] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00000000004450d8
[   66.640279][ T6864] RDX: 0000000000000001 RSI: 000000000000003c RDI: 0000000000000001
[   66.648254][ T6864] RBP: 00000000004cce90 R08: 00000000000000e7 R09: ffffffffffffffd0
[   66.656471][ T6864] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001
[   66.664450][ T6864] R13: 00000000006e0220 R14: 0000000000000000 R15: 0000000000000000
[   66.672406][ T6864] 
[   66.674730][ T6864] Allocated by task 6889:
[   66.679041][ T6864]  kasan_save_stack+0x1b/0x40
[   66.683724][ T6864]  __kasan_kmalloc.constprop.0+0xbf/0xd0
[   66.689334][ T6864]  kmem_cache_alloc_trace+0x16e/0x2c0
[   66.694684][ T6864]  hci_chan_create+0x9b/0x330
[   66.699370][ T6864]  l2cap_conn_add.part.0+0x1e/0xe10
[   66.704565][ T6864]  l2cap_connect_cfm+0x23b/0x1090
[   66.709566][ T6864]  le_conn_complete_evt+0x1153/0x1740
[   66.714944][ T6864]  hci_le_meta_evt+0xe55/0x3fd0
[   66.720727][ T6864]  hci_event_packet+0x2e25/0x87a8
[   66.725743][ T6864]  hci_rx_work+0x22e/0xb50
[   66.730140][ T6864]  process_one_work+0x94c/0x1670
[   66.735056][ T6864]  worker_thread+0x64c/0x1120
[   66.739881][ T6864]  kthread+0x3b5/0x4a0
[   66.743947][ T6864]  ret_from_fork+0x1f/0x30
[   66.748352][ T6864] 
[   66.750675][ T6864] Freed by task 6889:
[   66.754639][ T6864]  kasan_save_stack+0x1b/0x40
[   66.759293][ T6864]  kasan_set_track+0x1c/0x30
[   66.763860][ T6864]  kasan_set_free_info+0x1b/0x30
[   66.768791][ T6864]  __kasan_slab_free+0xd8/0x120
[   66.774408][ T6864]  kfree+0x103/0x2c0
[   66.778304][ T6864]  hci_event_packet+0x3e33/0x87a8
[   66.783306][ T6864]  hci_rx_work+0x22e/0xb50
[   66.787700][ T6864]  process_one_work+0x94c/0x1670
[   66.792716][ T6864]  worker_thread+0x64c/0x1120
[   66.797401][ T6864]  kthread+0x3b5/0x4a0
[   66.801460][ T6864]  ret_from_fork+0x1f/0x30
[   66.805855][ T6864] 
[   66.808164][ T6864] The buggy address belongs to the object at ffff88809a22eb00
[   66.808164][ T6864]  which belongs to the cache kmalloc-128 of size 128
[   66.822211][ T6864] The buggy address is located 24 bytes inside of
[   66.822211][ T6864]  128-byte region [ffff88809a22eb00, ffff88809a22eb80)
[   66.835456][ T6864] The buggy address belongs to the page:
[   66.841074][ T6864] page:0000000041193b81 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88809a22ee00 pfn:0x9a22e
[   66.852587][ T6864] flags: 0xfffe0000000200(slab)
[   66.857445][ T6864] raw: 00fffe0000000200 ffffea00025c8748 ffffea0002868e88 ffff8880aa000400
[   66.866010][ T6864] raw: ffff88809a22ee00 ffff88809a22e000 000000010000000d 0000000000000000
[   66.874580][ T6864] page dumped because: kasan: bad access detected
[   66.880964][ T6864] 
[   66.883284][ T6864] Memory state around the buggy address:
[   66.888895][ T6864]  ffff88809a22ea00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   66.896933][ T6864]  ffff88809a22ea80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   66.905929][ T6864] >ffff88809a22eb00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   66.913982][ T6864]                             ^
[   66.918825][ T6864]  ffff88809a22eb80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   66.926866][ T6864]  ffff88809a22ec00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   66.934905][ T6864] ==================================================================
[   66.942939][ T6864] Disabling lock debugging due to kernel taint
[   66.950888][ T6864] Kernel panic - not syncing: panic_on_warn set ...
[   66.957512][ T6864] CPU: 1 PID: 6864 Comm: syz-executor678 Tainted: G    B             5.8.0-rc7-next-20200731-syzkaller #0
[   66.968781][ T6864] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   66.979975][ T6864] Call Trace:
[   66.983249][ T6864]  dump_stack+0x18f/0x20d
[   66.987557][ T6864]  ? hci_chan_del+0x140/0x190
[   66.992211][ T6864]  panic+0x2e3/0x75c
[   66.996084][ T6864]  ? __warn_printk+0xf3/0xf3
[   67.000692][ T6864]  ? preempt_schedule_common+0x59/0xc0
[   67.006144][ T6864]  ? hci_chan_del+0x14f/0x190
[   67.010797][ T6864]  ? preempt_schedule_thunk+0x16/0x18
[   67.016145][ T6864]  ? trace_hardirqs_on+0x55/0x220
[   67.021144][ T6864]  ? hci_chan_del+0x14f/0x190
[   67.025810][ T6864]  ? hci_chan_del+0x14f/0x190
[   67.030479][ T6864]  end_report+0x4d/0x53
[   67.034613][ T6864]  kasan_report.cold+0xd/0x37
[   67.039284][ T6864]  ? hci_chan_del+0x14f/0x190
[   67.044285][ T6864]  hci_chan_del+0x14f/0x190
[   67.049303][ T6864]  l2cap_conn_del+0x61b/0x9e0
[   67.054584][ T6864]  ? l2cap_conn_del+0x9e0/0x9e0
[   67.059434][ T6864]  l2cap_disconn_cfm+0x85/0xa0
[   67.064203][ T6864]  hci_conn_hash_flush+0x114/0x220
[   67.069329][ T6864]  hci_dev_do_close+0x5c6/0x1080
[   67.074523][ T6864]  ? hci_dev_open+0x350/0x350
[   67.079176][ T6864]  ? do_raw_read_unlock+0x70/0x70
[   67.084366][ T6864]  ? try_to_grab_pending.part.0+0x7d0/0x7d0
[   67.090342][ T6864]  hci_unregister_dev+0x1bd/0xe30
[   67.095353][ T6864]  ? fcntl_setlk+0xf60/0xf60
[   67.099921][ T6864]  ? lock_is_held_type+0xbb/0xf0
[   67.104839][ T6864]  vhci_release+0x70/0xe0
[   67.109666][ T6864]  __fput+0x285/0x920
[   67.113641][ T6864]  ? vhci_close_dev+0x50/0x50
[   67.118382][ T6864]  task_work_run+0xdd/0x190
[   67.122861][ T6864]  do_exit+0xb7d/0x29f0
[   67.126993][ T6864]  ? mm_update_next_owner+0x7a0/0x7a0
[   67.132344][ T6864]  ? lock_is_held_type+0xbb/0xf0
[   67.137260][ T6864]  ? lock_is_held_type+0xbb/0xf0
[   67.142184][ T6864]  do_group_exit+0x125/0x310
[   67.146751][ T6864]  __x64_sys_exit_group+0x3a/0x50
[   67.151779][ T6864]  do_syscall_64+0x2d/0x70
[   67.156182][ T6864]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[   67.165435][ T6864] RIP: 0033:0x4450d8
[   67.169314][ T6864] Code: Bad RIP value.
[   67.173370][ T6864] RSP: 002b:00007ffe807b7b78 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[   67.181867][ T6864] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00000000004450d8
[   67.189814][ T6864] RDX: 0000000000000001 RSI: 000000000000003c RDI: 0000000000000001
[   67.197772][ T6864] RBP: 00000000004cce90 R08: 00000000000000e7 R09: ffffffffffffffd0
[   67.205725][ T6864] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001
[   67.213702][ T6864] R13: 00000000006e0220 R14: 0000000000000000 R15: 0000000000000000
[   67.223070][ T6864] Kernel Offset: disabled
[   67.227393][ T6864] Rebooting in 86400 seconds..