[ OK ] Reached target Login Prompts.
[ OK ] Reached target Multi-User System.
[ OK ] Reached target Graphical Interface.
         Starting Update UTMP about System Runlevel Changes...
[ OK ] Started Update UTMP about System Runlevel Changes.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.0.119' (ECDSA) to the list of known hosts.
syzkaller login: [ 59.893221][ T6824] IPVS: ftp: loaded support on port[0] = 21
executing program
[ 61.045327][ T6824] ==================================================================
[ 61.053597][ T6824] BUG: KASAN: use-after-free in hci_chan_del+0x14f/0x190
[ 61.060637][ T6824] Read of size 8 at addr ffff8880a28f2018 by task syz-executor262/6824
[ 61.068875][ T6824]
[ 61.071222][ T6824] CPU: 0 PID: 6824 Comm: syz-executor262 Not tainted 5.8.0-syzkaller #0
[ 61.079548][ T6824] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 61.089610][ T6824] Call Trace:
[ 61.092931][ T6824]  dump_stack+0x18f/0x20d
[ 61.097284][ T6824]  ? hci_chan_del+0x14f/0x190
[ 61.101976][ T6824]  ? hci_chan_del+0x14f/0x190
[ 61.106687][ T6824]  print_address_description.constprop.0.cold+0xae/0x436
[ 61.113720][ T6824]  ? mutex_lock_io_nested+0xf60/0xf60
[ 61.119113][ T6824]  ? vprintk_func+0x97/0x1a6
[ 61.123721][ T6824]  ? hci_chan_del+0x14f/0x190
[ 61.128409][ T6824]  kasan_report.cold+0x1f/0x37
[ 61.133190][ T6824]  ? hci_chan_del+0x14f/0x190
[ 61.137899][ T6824]  hci_chan_del+0x14f/0x190
[ 61.142418][ T6824]  l2cap_conn_del+0x61b/0x9e0
[ 61.147118][ T6824]  ? l2cap_conn_del+0x9e0/0x9e0
[ 61.151982][ T6824]  l2cap_disconn_cfm+0x85/0xa0
[ 61.156760][ T6824]  hci_conn_hash_flush+0x114/0x220
[ 61.161886][ T6824]  ? vhci_close_dev+0x50/0x50
[ 61.166579][ T6824]  hci_dev_do_close+0x5c6/0x1080
[ 61.171562][ T6824]  ? do_raw_write_lock+0x11a/0x280
[ 61.176694][ T6824]  ? hci_dev_open+0x350/0x350
[ 61.181382][ T6824]  ? do_raw_read_unlock+0x70/0x70
[ 61.186428][ T6824]  ? try_to_grab_pending.part.0+0x7d0/0x7d0
[ 61.192431][ T6824]  ? fsnotify_parent+0xb7/0x2b0
[ 61.197744][ T6824]  ? vhci_close_dev+0x50/0x50
[ 61.202438][ T6824]  hci_unregister_dev+0x1a3/0xe20
[ 61.207513][ T6824]  ? fcntl_setlk+0xf60/0xf60
[ 61.212117][ T6824]  ? lock_is_held_type+0xbb/0xf0
[ 61.217078][ T6824]  ? vhci_close_dev+0x50/0x50
[ 61.221785][ T6824]  vhci_release+0x70/0xe0
[ 61.226170][ T6824]  __fput+0x33c/0x880
[ 61.230175][ T6824]  task_work_run+0xdd/0x190
[ 61.234696][ T6824]  do_exit+0xb72/0x2a40
[ 61.238876][ T6824]  ? mm_update_next_owner+0x7a0/0x7a0
[ 61.244260][ T6824]  ? __sys_getsockopt+0x18d/0x2e0
[ 61.249305][ T6824]  ? kernel_accept+0x350/0x350
[ 61.254088][ T6824]  ? __blkcg_punt_bio_submit+0x1d0/0x1d0
[ 61.259751][ T6824]  ? mem_cgroup_move_charge_pte_range+0xa70/0xa70
[ 61.266194][ T6824]  do_group_exit+0x125/0x310
[ 61.270806][ T6824]  __x64_sys_exit_group+0x3a/0x50
[ 61.275947][ T6824]  do_syscall_64+0x60/0xe0
[ 61.280395][ T6824]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 61.286300][ T6824] RIP: 0033:0x445068
[ 61.290194][ T6824] Code: Bad RIP value.
[ 61.294266][ T6824] RSP: 002b:00007ffeb5639f38 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 61.302701][ T6824] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 0000000000445068
[ 61.310710][ T6824] RDX: 0000000000000001 RSI: 000000000000003c RDI: 0000000000000001
[ 61.318989][ T6824] RBP: 00000000004cce50 R08: 00000000000000e7 R09: ffffffffffffffd0
[ 61.326974][ T6824] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001
[ 61.334956][ T6824] R13: 00000000006e0200 R14: 0000000000000000 R15: 0000000000000000
[ 61.342946][ T6824]
[ 61.345273][ T6824] Allocated by task 6850:
[ 61.349615][ T6824]  save_stack+0x1b/0x40
[ 61.353782][ T6824]  __kasan_kmalloc.constprop.0+0xc2/0xd0
[ 61.359536][ T6824]  kmem_cache_alloc_trace+0x14f/0x2d0
[ 61.364921][ T6824]  hci_chan_create+0x9b/0x330
[ 61.369615][ T6824]  l2cap_conn_add.part.0+0x1e/0xe10
[ 61.374830][ T6824]  l2cap_connect_cfm+0x23b/0x1090
[ 61.379883][ T6824]  le_conn_complete_evt+0x1153/0x1740
[ 61.385270][ T6824]  hci_le_meta_evt+0x745/0x3eb0
[ 61.390150][ T6824]  hci_event_packet+0x245a/0x86f5
[ 61.395188][ T6824]  hci_rx_work+0x22e/0xb10
[ 61.399616][ T6824]  process_one_work+0x94c/0x1670
[ 61.404709][ T6824]  worker_thread+0x64c/0x1120
[ 61.409434][ T6824]  kthread+0x3b5/0x4a0
[ 61.413517][ T6824]  ret_from_fork+0x1f/0x30
[ 61.417930][ T6824]
[ 61.420258][ T6824] Freed by task 6850:
[ 61.424242][ T6824]  save_stack+0x1b/0x40
[ 61.428409][ T6824]  __kasan_slab_free+0xf5/0x140
[ 61.433273][ T6824]  kfree+0x103/0x2c0
[ 61.437220][ T6824]  hci_event_packet+0x319a/0x86f5
[ 61.442256][ T6824]  hci_rx_work+0x22e/0xb10
[ 61.446686][ T6824]  process_one_work+0x94c/0x1670
[ 61.451636][ T6824]  worker_thread+0x64c/0x1120
[ 61.456319][ T6824]  kthread+0x3b5/0x4a0
[ 61.460399][ T6824]  ret_from_fork+0x1f/0x30
[ 61.464821][ T6824]
[ 61.467158][ T6824] The buggy address belongs to the object at ffff8880a28f2000
[ 61.467158][ T6824]  which belongs to the cache kmalloc-128 of size 128
[ 61.481229][ T6824] The buggy address is located 24 bytes inside of
[ 61.481229][ T6824]  128-byte region [ffff8880a28f2000, ffff8880a28f2080)
[ 61.494518][ T6824] The buggy address belongs to the page:
[ 61.500178][ T6824] page:ffffea00028a3c80 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff8880a28f2b00
[ 61.510600][ T6824] flags: 0xfffe0000000200(slab)
[ 61.515487][ T6824] raw: 00fffe0000000200 ffffea00027f9308 ffffea00028ac148 ffff8880aa000700
[ 61.524099][ T6824] raw: ffff8880a28f2b00 ffff8880a28f2000 000000010000000c 0000000000000000
[ 61.532943][ T6824] page dumped because: kasan: bad access detected
[ 61.539360][ T6824]
[ 61.541686][ T6824] Memory state around the buggy address:
[ 61.547323][ T6824]  ffff8880a28f1f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 61.555390][ T6824]  ffff8880a28f1f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 61.563463][ T6824] >ffff8880a28f2000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 61.571546][ T6824]                            ^
[ 61.576428][ T6824]  ffff8880a28f2080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 61.584574][ T6824]  ffff8880a28f2100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 61.592633][ T6824] ==================================================================
[ 61.600783][ T6824] Disabling lock debugging due to kernel taint
[ 61.642116][ T6824] Kernel panic - not syncing: panic_on_warn set ...
[ 61.648798][ T6824] CPU: 1 PID: 6824 Comm: syz-executor262 Tainted: G B 5.8.0-syzkaller #0
[ 61.658601][ T6824] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 61.669172][ T6824] Call Trace:
[ 61.672457][ T6824]  dump_stack+0x18f/0x20d
[ 61.676791][ T6824]  ? hci_chan_del+0x100/0x190
[ 61.681474][ T6824]  panic+0x2e3/0x75c
[ 61.685376][ T6824]  ? __warn_printk+0xf3/0xf3
[ 61.689963][ T6824]  ? preempt_schedule_common+0x59/0xc0
[ 61.695424][ T6824]  ? hci_chan_del+0x14f/0x190
[ 61.701425][ T6824]  ? preempt_schedule_thunk+0x16/0x18
[ 61.706877][ T6824]  ? trace_hardirqs_on+0x55/0x220
[ 61.711907][ T6824]  ? hci_chan_del+0x14f/0x190
[ 61.716575][ T6824]  ? hci_chan_del+0x14f/0x190
[ 61.721256][ T6824]  end_report+0x4d/0x53
[ 61.725434][ T6824]  kasan_report.cold+0xd/0x37
[ 61.730105][ T6824]  ? hci_chan_del+0x14f/0x190
[ 61.734777][ T6824]  hci_chan_del+0x14f/0x190
[ 61.739293][ T6824]  l2cap_conn_del+0x61b/0x9e0
[ 61.743959][ T6824]  ? l2cap_conn_del+0x9e0/0x9e0
[ 61.748795][ T6824]  l2cap_disconn_cfm+0x85/0xa0
[ 61.753545][ T6824]  hci_conn_hash_flush+0x114/0x220
[ 61.758669][ T6824]  ? vhci_close_dev+0x50/0x50
[ 61.763354][ T6824]  hci_dev_do_close+0x5c6/0x1080
[ 61.768293][ T6824]  ? do_raw_write_lock+0x11a/0x280
[ 61.773389][ T6824]  ? hci_dev_open+0x350/0x350
[ 61.778052][ T6824]  ? do_raw_read_unlock+0x70/0x70
[ 61.783115][ T6824]  ? try_to_grab_pending.part.0+0x7d0/0x7d0
[ 61.789706][ T6824]  ? fsnotify_parent+0xb7/0x2b0
[ 61.794548][ T6824]  ? vhci_close_dev+0x50/0x50
[ 61.799212][ T6824]  hci_unregister_dev+0x1a3/0xe20
[ 61.804235][ T6824]  ? fcntl_setlk+0xf60/0xf60
[ 61.808815][ T6824]  ? lock_is_held_type+0xbb/0xf0
[ 61.814528][ T6824]  ? vhci_close_dev+0x50/0x50
[ 61.820147][ T6824]  vhci_release+0x70/0xe0
[ 61.824481][ T6824]  __fput+0x33c/0x880
[ 61.828452][ T6824]  task_work_run+0xdd/0x190
[ 61.832954][ T6824]  do_exit+0xb72/0x2a40
[ 61.837108][ T6824]  ? mm_update_next_owner+0x7a0/0x7a0
[ 61.842465][ T6824]  ? __sys_getsockopt+0x18d/0x2e0
[ 61.847489][ T6824]  ? kernel_accept+0x350/0x350
[ 61.852267][ T6824]  ? __blkcg_punt_bio_submit+0x1d0/0x1d0
[ 61.857987][ T6824]  ? mem_cgroup_move_charge_pte_range+0xa70/0xa70
[ 61.864907][ T6824]  do_group_exit+0x125/0x310
[ 61.869497][ T6824]  __x64_sys_exit_group+0x3a/0x50
[ 61.874566][ T6824]  do_syscall_64+0x60/0xe0
[ 61.878978][ T6824]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 61.884883][ T6824] RIP: 0033:0x445068
[ 61.888760][ T6824] Code: Bad RIP value.
[ 61.892811][ T6824] RSP: 002b:00007ffeb5639f38 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 61.901307][ T6824] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 0000000000445068
[ 61.909282][ T6824] RDX: 0000000000000001 RSI: 000000000000003c RDI: 0000000000000001
[ 61.917256][ T6824] RBP: 00000000004cce50 R08: 00000000000000e7 R09: ffffffffffffffd0
[ 61.925226][ T6824] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001
[ 61.933180][ T6824] R13: 00000000006e0200 R14: 0000000000000000 R15: 0000000000000000
[ 61.942229][ T6824] Kernel Offset: disabled
[ 61.946564][ T6824] Rebooting in 86400 seconds..
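As a worked example of how a triager reads a report like the one above, here is a small Python parser. It is an added example, not part of the original console log and not syzkaller's own tooling; the SAMPLE string is an abridged excerpt of the report above, and the helper names parse_kasan_report, triage and first_real_frame are my own. It extracts the bug class, the faulting frame (skipping the "?" frames, which the unwinder marks as unreliable, and the KASAN reporting frames), the allocation and free sites, and then confirms two things worth checking before reading further: that the printed offset (24 bytes) agrees with addr minus object base, and that the object was freed by a different task (6850, the kworker running hci_rx_work) than the one that dereferenced it (6824, in the vhci_release path on process exit), which is the usual signature of a lifetime race between two contexts.

```python
"""Triage helper for KASAN reports found in syzkaller console logs.
Added example; not part of the report above or of syzkaller. The names
parse_kasan_report(), triage() and first_real_frame() are assumptions."""
import itertools
import re

# Abridged excerpt of the report on this page, used as constructed sample input.
SAMPLE = """\
[ 61.053597][ T6824] BUG: KASAN: use-after-free in hci_chan_del+0x14f/0x190
[ 61.060637][ T6824] Read of size 8 at addr ffff8880a28f2018 by task syz-executor262/6824
[ 61.089610][ T6824] Call Trace:
[ 61.092931][ T6824]  dump_stack+0x18f/0x20d
[ 61.097284][ T6824]  ? hci_chan_del+0x14f/0x190
[ 61.106687][ T6824]  print_address_description.constprop.0.cold+0xae/0x436
[ 61.128409][ T6824]  kasan_report.cold+0x1f/0x37
[ 61.137899][ T6824]  hci_chan_del+0x14f/0x190
[ 61.142418][ T6824]  l2cap_conn_del+0x61b/0x9e0
[ 61.221785][ T6824]  vhci_release+0x70/0xe0
[ 61.342946][ T6824]
[ 61.345273][ T6824] Allocated by task 6850:
[ 61.349615][ T6824]  save_stack+0x1b/0x40
[ 61.353782][ T6824]  __kasan_kmalloc.constprop.0+0xc2/0xd0
[ 61.359536][ T6824]  kmem_cache_alloc_trace+0x14f/0x2d0
[ 61.364921][ T6824]  hci_chan_create+0x9b/0x330
[ 61.399616][ T6824]  hci_rx_work+0x22e/0xb10
[ 61.417930][ T6824]
[ 61.420258][ T6824] Freed by task 6850:
[ 61.424242][ T6824]  save_stack+0x1b/0x40
[ 61.433273][ T6824]  kfree+0x103/0x2c0
[ 61.437220][ T6824]  hci_event_packet+0x319a/0x86f5
[ 61.442256][ T6824]  hci_rx_work+0x22e/0xb10
[ 61.464821][ T6824]
[ 61.467158][ T6824] The buggy address belongs to the object at ffff8880a28f2000
[ 61.467158][ T6824]  which belongs to the cache kmalloc-128 of size 128
[ 61.481229][ T6824] The buggy address is located 24 bytes inside of
[ 61.481229][ T6824]  128-byte region [ffff8880a28f2000, ffff8880a28f2080)
"""

# "[ 61.053597][ T6824] " timestamp/thread prefix printed in front of every line.
PREFIX = re.compile(r"^\[\s*[\d.]+\]\[\s*T\d+\]\s?")
# Frames contributed by the reporting and allocator machinery, not by the bug itself.
MACHINERY = ("dump_stack", "print_address_description", "kasan_report", "end_report",
             "save_stack", "__kasan_", "kmem_cache_alloc", "kfree")


def _strip(line):
    return PREFIX.sub("", line).strip()


def _frames(lines, start):
    """Stack frames that follow lines[start], up to the next blank line."""
    return list(itertools.takewhile(bool, map(_strip, lines[start + 1:])))


def first_real_frame(frames):
    """First frame that is neither an unreliable '?' guess nor machinery."""
    return next((f for f in frames if not f.startswith(("?",) + MACHINERY)), None)


def parse_kasan_report(text):
    lines = text.splitlines()
    r = {"trace": [], "alloc_stack": [], "free_stack": []}
    for i, raw in enumerate(lines):
        s = _strip(raw)
        if m := re.match(r"BUG: KASAN: (\S+) in (\S+)", s):
            r["bug_type"], r["access_func"] = m.groups()
        elif m := re.match(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (\S+)/(\d+)", s):
            r["access"], r["size"] = m[1], int(m[2])
            r["addr"], r["task"], r["pid"] = int(m[3], 16), m[4], int(m[5])
        elif s == "Call Trace:":
            r["trace"] = _frames(lines, i)
        elif m := re.match(r"Allocated by task (\d+):", s):
            r["alloc_pid"], r["alloc_stack"] = int(m[1]), _frames(lines, i)
        elif m := re.match(r"Freed by task (\d+):", s):
            r["free_pid"], r["free_stack"] = int(m[1]), _frames(lines, i)
        elif m := re.match(r"The buggy address belongs to the object at ([0-9a-f]+)", s):
            r["object_base"] = int(m[1], 16)
        elif m := re.match(r"which belongs to the cache (\S+) of size (\d+)", s):
            r["cache"], r["object_size"] = m[1], int(m[2])
        elif m := re.match(r"The buggy address is located (\d+) bytes inside of", s):
            r["offset"] = int(m[1])
    return r


def triage(r):
    """The facts a triager wants to have confirmed before reading the full dump."""
    return {
        "bug": f"{r['bug_type']} {r['access'].lower()} of {r['size']} bytes",
        "faulting_frame": first_real_frame(r["trace"]),
        "alloc_site": first_real_frame(r["alloc_stack"]),
        "free_site": first_real_frame(r["free_stack"]),
        # KASAN's printed offset must agree with addr - object base.
        "offset_consistent": r["addr"] - r["object_base"] == r["offset"],
        # Freed by one task, dereferenced by another: a lifetime race between
        # two contexts (here the hci_rx_work kworker vs. the exiting process).
        "cross_task": r["free_pid"] != r["pid"],
    }


if __name__ == "__main__":
    for key, value in triage(parse_kasan_report(SAMPLE)).items():
        print(f"{key:18} {value}")
```

Run it on the full report rather than the excerpt and the result is the same: the frame list is longer, but the first non-machinery frame of each stack and the offset/task checks do not change. The cross_task flag is the one to look at first; when the free and the use happen on different tasks, the next question is which lock or reference count was supposed to keep the hci_chan alive across the two paths.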