Warning: Permanently added '10.128.1.57' (ECDSA) to the list of known hosts.
syzkaller login: [   72.384791][ T6826] IPVS: ftp: loaded support on port[0] = 21
executing program
[   72.489652][ T6826] ==================================================================
[   72.497936][ T6826] BUG: KASAN: use-after-free in hci_chan_del+0x14f/0x190
[   72.504950][ T6826] Read of size 8 at addr ffff8880a3090518 by task syz-executor948/6826
[   72.513162][ T6826] 
[   72.515490][ T6826] CPU: 1 PID: 6826 Comm: syz-executor948 Not tainted 5.8.0-syzkaller #0
[   72.523787][ T6826] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   72.533843][ T6826] Call Trace:
[   72.537118][ T6826]  dump_stack+0x18f/0x20d
[   72.541427][ T6826]  ? hci_chan_del+0x14f/0x190
[   72.546102][ T6826]  ? hci_chan_del+0x14f/0x190
[   72.550770][ T6826]  print_address_description.constprop.0.cold+0xae/0x497
[   72.557791][ T6826]  ? mutex_lock_io_nested+0xf60/0xf60
[   72.563156][ T6826]  ? vprintk_func+0x97/0x1a6
[   72.567725][ T6826]  ? hci_chan_del+0x14f/0x190
[   72.572377][ T6826]  ? hci_chan_del+0x14f/0x190
[   72.577030][ T6826]  kasan_report.cold+0x1f/0x37
[   72.581771][ T6826]  ? hci_chan_del+0x14f/0x190
[   72.586424][ T6826]  hci_chan_del+0x14f/0x190
[   72.590912][ T6826]  l2cap_conn_del+0x61b/0x9e0
[   72.595575][ T6826]  ? l2cap_conn_del+0x9e0/0x9e0
[   72.600426][ T6826]  l2cap_disconn_cfm+0x85/0xa0
[   72.605176][ T6826]  hci_conn_hash_flush+0x114/0x220
[   72.610269][ T6826]  hci_dev_do_close+0x5c6/0x1080
[   72.615186][ T6826]  ? hci_dev_open+0x350/0x350
[   72.619836][ T6826]  ? do_raw_read_unlock+0x70/0x70
[   72.624852][ T6826]  ? try_to_grab_pending.part.0+0x7d0/0x7d0
[   72.630739][ T6826]  hci_unregister_dev+0x1bd/0xe30
[   72.635749][ T6826]  ? fcntl_setlk+0xf60/0xf60
[   72.640318][ T6826]  ? lock_is_held_type+0xbb/0xf0
[   72.645248][ T6826]  vhci_release+0x70/0xe0
[   72.649566][ T6826]  __fput+0x285/0x920
[   72.653525][ T6826]  ? vhci_close_dev+0x50/0x50
[   72.658178][ T6826]  task_work_run+0xdd/0x190
[   72.662673][ T6826]  do_exit+0xb7d/0x29f0
[   72.666809][ T6826]  ? __schedule+0x8ed/0x21e0
[   72.671388][ T6826]  ? mm_update_next_owner+0x7a0/0x7a0
[   72.676742][ T6826]  ? io_schedule_timeout+0x140/0x140
[   72.682003][ T6826]  ? lock_is_held_type+0xbb/0xf0
[   72.686932][ T6826]  do_group_exit+0x125/0x310
[   72.691514][ T6826]  __x64_sys_exit_group+0x3a/0x50
[   72.696568][ T6826]  do_syscall_64+0x2d/0x70
[   72.700980][ T6826]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[   72.706848][ T6826] RIP: 0033:0x444f98
[   72.710711][ T6826] Code: Bad RIP value.
[   72.714751][ T6826] RSP: 002b:00007ffe67c0cb28 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[   72.723151][ T6826] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 0000000000444f98
[   72.731102][ T6826] RDX: 0000000000000001 RSI: 000000000000003c RDI: 0000000000000001
[   72.739054][ T6826] RBP: 00000000004ccd10 R08: 00000000000000e7 R09: ffffffffffffffd0
[   72.747015][ T6826] R10: 0000000000000015 R11: 0000000000000246 R12: 0000000000000001
[   72.755402][ T6826] R13: 00000000006e0200 R14: 0000000000000000 R15: 0000000000000000
[   72.763362][ T6826] 
[   72.765671][ T6826] Allocated by task 6830:
[   72.769978][ T6826]  kasan_save_stack+0x1b/0x40
[   72.774653][ T6826]  __kasan_kmalloc.constprop.0+0xbf/0xd0
[   72.780273][ T6826]  kmem_cache_alloc_trace+0x16e/0x2c0
[   72.785640][ T6826]  hci_chan_create+0x9b/0x330
[   72.790292][ T6826]  l2cap_conn_add.part.0+0x1e/0xe10
[   72.795476][ T6826]  l2cap_connect_cfm+0x23b/0x1090
[   72.800479][ T6826]  le_conn_complete_evt+0x1153/0x1740
[   72.805827][ T6826]  hci_le_meta_evt+0x745/0x3ff0
[   72.810647][ T6826]  hci_event_packet+0x2e25/0x87a8
[   72.815656][ T6826]  hci_rx_work+0x22e/0xb50
[   72.820047][ T6826]  process_one_work+0x94c/0x1670
[   72.824967][ T6826]  worker_thread+0x64c/0x1120
[   72.829615][ T6826]  kthread+0x3b5/0x4a0
[   72.833658][ T6826]  ret_from_fork+0x1f/0x30
[   72.838040][ T6826] 
[   72.840356][ T6826] Freed by task 1543:
[   72.844331][ T6826]  kasan_save_stack+0x1b/0x40
[   72.848999][ T6826]  kasan_set_track+0x1c/0x30
[   72.853579][ T6826]  kasan_set_free_info+0x1b/0x30
[   72.858508][ T6826]  __kasan_slab_free+0xd8/0x120
[   72.863334][ T6826]  kfree+0x103/0x2c0
[   72.867232][ T6826]  hci_event_packet+0x3e33/0x87a8
[   72.872245][ T6826]  hci_rx_work+0x22e/0xb50
[   72.876654][ T6826]  process_one_work+0x94c/0x1670
[   72.881584][ T6826]  worker_thread+0x64c/0x1120
[   72.886259][ T6826]  kthread+0x3b5/0x4a0
[   72.890317][ T6826]  ret_from_fork+0x1f/0x30
[   72.894711][ T6826] 
[   72.897026][ T6826] The buggy address belongs to the object at ffff8880a3090500
[   72.897026][ T6826]  which belongs to the cache kmalloc-128 of size 128
[   72.911072][ T6826] The buggy address is located 24 bytes inside of
[   72.911072][ T6826]  128-byte region [ffff8880a3090500, ffff8880a3090580)
[   72.924331][ T6826] The buggy address belongs to the page:
[   72.929955][ T6826] page:0000000000f8c042 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff8880a3090200 pfn:0xa3090
[   72.941399][ T6826] flags: 0xfffe0000000200(slab)
[   72.946234][ T6826] raw: 00fffe0000000200 ffffea000265e048 ffffea0002990848 ffff8880aa040400
[   72.954810][ T6826] raw: ffff8880a3090200 ffff8880a3090000 0000000100000007 0000000000000000
[   72.963377][ T6826] page dumped because: kasan: bad access detected
[   72.969763][ T6826] 
[   72.972078][ T6826] Memory state around the buggy address:
[   72.977701][ T6826]  ffff8880a3090400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   72.985766][ T6826]  ffff8880a3090480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   72.993812][ T6826] >ffff8880a3090500: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   73.001854][ T6826]                             ^
[   73.006686][ T6826]  ffff8880a3090580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   73.014726][ T6826]  ffff8880a3090600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   73.022759][ T6826] ==================================================================
[   73.030803][ T6826] Disabling lock debugging due to kernel taint
[   73.038470][ T6826] Kernel panic - not syncing: panic_on_warn set ...
[   73.045080][ T6826] CPU: 1 PID: 6826 Comm: syz-executor948 Tainted: G    B             5.8.0-syzkaller #0
[   73.054782][ T6826] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   73.064827][ T6826] Call Trace:
[   73.068116][ T6826]  dump_stack+0x18f/0x20d
[   73.072444][ T6826]  ? hci_chan_del+0xa0/0x190
[   73.077025][ T6826]  panic+0x2e3/0x75c
[   73.080895][ T6826]  ? __warn_printk+0xf3/0xf3
[   73.085474][ T6826]  ? preempt_schedule_common+0x59/0xc0
[   73.094428][ T6826]  ? hci_chan_del+0x14f/0x190
[   73.099106][ T6826]  ? preempt_schedule_thunk+0x16/0x18
[   73.104459][ T6826]  ? trace_hardirqs_on+0x55/0x220
[   73.109470][ T6826]  ? hci_chan_del+0x14f/0x190
[   73.114120][ T6826]  ? hci_chan_del+0x14f/0x190
[   73.118776][ T6826]  end_report+0x4d/0x53
[   73.122912][ T6826]  kasan_report.cold+0xd/0x37
[   73.127565][ T6826]  ? hci_chan_del+0x14f/0x190
[   73.132234][ T6826]  hci_chan_del+0x14f/0x190
[   73.136718][ T6826]  l2cap_conn_del+0x61b/0x9e0
[   73.141390][ T6826]  ? l2cap_conn_del+0x9e0/0x9e0
[   73.146217][ T6826]  l2cap_disconn_cfm+0x85/0xa0
[   73.150966][ T6826]  hci_conn_hash_flush+0x114/0x220
[   73.156075][ T6826]  hci_dev_do_close+0x5c6/0x1080
[   73.160998][ T6826]  ? hci_dev_open+0x350/0x350
[   73.165657][ T6826]  ? do_raw_read_unlock+0x70/0x70
[   73.170668][ T6826]  ? try_to_grab_pending.part.0+0x7d0/0x7d0
[   73.176544][ T6826]  hci_unregister_dev+0x1bd/0xe30
[   73.181545][ T6826]  ? fcntl_setlk+0xf60/0xf60
[   73.186123][ T6826]  ? lock_is_held_type+0xbb/0xf0
[   73.191033][ T6826]  vhci_release+0x70/0xe0
[   73.195343][ T6826]  __fput+0x285/0x920
[   73.199314][ T6826]  ? vhci_close_dev+0x50/0x50
[   73.203981][ T6826]  task_work_run+0xdd/0x190
[   73.208465][ T6826]  do_exit+0xb7d/0x29f0
[   73.212614][ T6826]  ? __schedule+0x8ed/0x21e0
[   73.217179][ T6826]  ? mm_update_next_owner+0x7a0/0x7a0
[   73.222973][ T6826]  ? io_schedule_timeout+0x140/0x140
[   73.228233][ T6826]  ? lock_is_held_type+0xbb/0xf0
[   73.233156][ T6826]  do_group_exit+0x125/0x310
[   73.237728][ T6826]  __x64_sys_exit_group+0x3a/0x50
[   73.242726][ T6826]  do_syscall_64+0x2d/0x70
[   73.247134][ T6826]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[   73.253011][ T6826] RIP: 0033:0x444f98
[   73.256885][ T6826] Code: Bad RIP value.
[   73.260929][ T6826] RSP: 002b:00007ffe67c0cb28 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[   73.269324][ T6826] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 0000000000444f98
[   73.277270][ T6826] RDX: 0000000000000001 RSI: 000000000000003c RDI: 0000000000000001
[   73.285215][ T6826] RBP: 00000000004ccd10 R08: 00000000000000e7 R09: ffffffffffffffd0
[   73.293179][ T6826] R10: 0000000000000015 R11: 0000000000000246 R12: 0000000000000001
[   73.301123][ T6826] R13: 00000000006e0200 R14: 0000000000000000 R15: 0000000000000000
[   73.310071][ T6826] Kernel Offset: disabled
[   73.314386][ T6826] Rebooting in 86400 seconds..