[�[0;32m OK �[0m] Started Getty on tty2.
Starting Load/Save RF Kill Switch Status...
[�[0;32m OK �[0m] Started Serial Getty on ttyS0.
[�[0;32m OK �[0m] Started Getty on tty1.
[�[0;32m OK �[0m] Reached target Login Prompts.
[�[0;32m OK �[0m] Reached target Multi-User System.
[�[0;32m OK �[0m] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
[�[0;32m OK �[0m] Started Load/Save RF Kill Switch Status.
[�[0;32m OK �[0m] Started Update UTMP about System Runlevel Changes.
Debian GNU/Linux 9 syzkaller ttyS0
Warning: Permanently added '10.128.0.85' (ECDSA) to the list of known hosts.
syzkaller login: [ 57.837873][ T6859] IPVS: ftp: loaded support on port[0] = 21
executing program
[ 58.991919][ T6884] ==================================================================
[ 59.000349][ T6884] BUG: KASAN: use-after-free in hci_chan_del+0x14f/0x190
[ 59.007375][ T6884] Read of size 8 at addr ffff88809fbd0618 by task syz-executor294/6884
[ 59.015818][ T6884]
[ 59.018160][ T6884] CPU: 1 PID: 6884 Comm: syz-executor294 Not tainted 5.8.0-next-20200812-syzkaller #0
[ 59.027695][ T6884] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 59.037748][ T6884] Call Trace:
[ 59.041043][ T6884] dump_stack+0x18f/0x20d
[ 59.045375][ T6884] ? hci_chan_del+0x14f/0x190
[ 59.050047][ T6884] ? hci_chan_del+0x14f/0x190
[ 59.054745][ T6884] print_address_description.constprop.0.cold+0xae/0x497
[ 59.061793][ T6884] ? mutex_lock_io_nested+0xf60/0xf60
[ 59.067166][ T6884] ? vprintk_func+0x97/0x1a6
[ 59.071765][ T6884] ? hci_chan_del+0x14f/0x190
[ 59.076437][ T6884] ? hci_chan_del+0x14f/0x190
[ 59.081108][ T6884] kasan_report.cold+0x1f/0x37
[ 59.085876][ T6884] ? hci_chan_del+0x14f/0x190
[ 59.090550][ T6884] hci_chan_del+0x14f/0x190
[ 59.095052][ T6884] l2cap_conn_del+0x61b/0x9e0
[ 59.099737][ T6884] ? l2cap_conn_del+0x9e0/0x9e0
[ 59.104579][ T6884] l2cap_disconn_cfm+0x85/0xa0
[ 59.109342][ T6884] hci_conn_hash_flush+0x114/0x220
[ 59.114456][ T6884] hci_dev_do_close+0x5c6/0x1080
[ 59.119396][ T6884] ? hci_dev_open+0x350/0x350
[ 59.124067][ T6884] ? do_raw_read_unlock+0x70/0x70
[ 59.129084][ T6884] ? try_to_grab_pending.part.0+0x7d0/0x7d0
[ 59.134983][ T6884] hci_unregister_dev+0x1bd/0xe30
[ 59.140025][ T6884] ? fcntl_setlk+0xf60/0xf60
[ 59.144610][ T6884] ? lock_is_held_type+0xbb/0xf0
[ 59.149548][ T6884] vhci_release+0x70/0xe0
[ 59.153892][ T6884] __fput+0x285/0x920
[ 59.157870][ T6884] ? vhci_close_dev+0x50/0x50
[ 59.162550][ T6884] task_work_run+0xdd/0x190
[ 59.167051][ T6884] do_exit+0xb7d/0x29f0
[ 59.171208][ T6884] ? __fget_light+0xea/0x280
[ 59.175813][ T6884] ? mm_update_next_owner+0x7a0/0x7a0
[ 59.181185][ T6884] ? lock_is_held_type+0xbb/0xf0
[ 59.186116][ T6884] ? syscall_enter_from_user_mode+0x20/0x290
[ 59.192102][ T6884] ? lockdep_hardirqs_on_prepare+0x354/0x530
[ 59.198083][ T6884] ? trace_hardirqs_on+0x5f/0x220
[ 59.203128][ T6884] __x64_sys_exit+0x3e/0x50
[ 59.207637][ T6884] do_syscall_64+0x2d/0x70
[ 59.212091][ T6884] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 59.217984][ T6884] RIP: 0033:0x402bce
[ 59.221901][ T6884] Code: Bad RIP value.
[ 59.225959][ T6884] RSP: 002b:00007fd0e8018de0 EFLAGS: 00000246 ORIG_RAX: 000000000000003c
[ 59.234368][ T6884] RAX: ffffffffffffffda RBX: 00007fd0e8019700 RCX: 0000000000402bce
[ 59.242351][ T6884] RDX: 000000000000003c RSI: 00000000007fb000 RDI: 0000000000000000
[ 59.250316][ T6884] RBP: 0000000000000000 R08: 00000000000000f1 R09: 00007fd0e8019700
[ 59.258289][ T6884] R10: 00007fd0e80199d0 R11: 0000000000000246 R12: 0000000000000000
[ 59.266364][ T6884] R13: 00007ffc3c9c582f R14: 00007fd0e80199c0 R15: 0000000000000000
[ 59.274346][ T6884]
[ 59.276670][ T6884] Allocated by task 1543:
[ 59.280999][ T6884] kasan_save_stack+0x1b/0x40
[ 59.285685][ T6884] __kasan_kmalloc.constprop.0+0xbf/0xd0
[ 59.291325][ T6884] kmem_cache_alloc_trace+0x16e/0x2c0
[ 59.296688][ T6884] hci_chan_create+0x9b/0x330
[ 59.301360][ T6884] l2cap_conn_add.part.0+0x1e/0xe10
[ 59.306555][ T6884] l2cap_connect_cfm+0x23b/0x1090
[ 59.311591][ T6884] le_conn_complete_evt+0x1153/0x1740
[ 59.316961][ T6884] hci_le_meta_evt+0x745/0x3ff0
[ 59.321808][ T6884] hci_event_packet+0x2e25/0x87a8
[ 59.326823][ T6884] hci_rx_work+0x22e/0xb50
[ 59.331234][ T6884] process_one_work+0x94c/0x1670
[ 59.336162][ T6884] worker_thread+0x64c/0x1120
[ 59.340831][ T6884] kthread+0x3b5/0x4a0
[ 59.344895][ T6884] ret_from_fork+0x1f/0x30
[ 59.349295][ T6884]
[ 59.351638][ T6884] Freed by task 1543:
[ 59.355615][ T6884] kasan_save_stack+0x1b/0x40
[ 59.360283][ T6884] kasan_set_track+0x1c/0x30
[ 59.364865][ T6884] kasan_set_free_info+0x1b/0x30
[ 59.369813][ T6884] __kasan_slab_free+0xd8/0x120
[ 59.374658][ T6884] kfree+0x103/0x2c0
[ 59.378563][ T6884] hci_event_packet+0x3e33/0x87a8
[ 59.383581][ T6884] hci_rx_work+0x22e/0xb50
[ 59.387990][ T6884] process_one_work+0x94c/0x1670
[ 59.392922][ T6884] worker_thread+0x64c/0x1120
[ 59.397589][ T6884] kthread+0x3b5/0x4a0
[ 59.401652][ T6884] ret_from_fork+0x1f/0x30
[ 59.406052][ T6884]
[ 59.408391][ T6884] The buggy address belongs to the object at ffff88809fbd0600
[ 59.408391][ T6884] which belongs to the cache kmalloc-128 of size 128
[ 59.422453][ T6884] The buggy address is located 24 bytes inside of
[ 59.422453][ T6884] 128-byte region [ffff88809fbd0600, ffff88809fbd0680)
[ 59.435724][ T6884] The buggy address belongs to the page:
[ 59.441357][ T6884] page:000000001c42e918 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88809fbd0f00 pfn:0x9fbd0
[ 59.452798][ T6884] flags: 0xfffe0000000200(slab)
[ 59.460076][ T6884] raw: 00fffe0000000200 ffffea0002783348 ffffea0002a42f48 ffff8880aa040400
[ 59.468673][ T6884] raw: ffff88809fbd0f00 ffff88809fbd0000 0000000100000008 0000000000000000
[ 59.477243][ T6884] page dumped because: kasan: bad access detected
[ 59.483645][ T6884]
[ 59.485977][ T6884] Memory state around the buggy address:
[ 59.491617][ T6884] ffff88809fbd0500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 59.499670][ T6884] ffff88809fbd0580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 59.507724][ T6884] >ffff88809fbd0600: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 59.515773][ T6884] ^
[ 59.520639][ T6884] ffff88809fbd0680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 59.528711][ T6884] ffff88809fbd0700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 59.536773][ T6884] ==================================================================
[ 59.544821][ T6884] Disabling lock debugging due to kernel taint
[ 59.552396][ T6822] tipc: TX() has been purged, node left!
[ 59.595724][ T6884] Kernel panic - not syncing: panic_on_warn set ...
[ 59.602337][ T6884] CPU: 0 PID: 6884 Comm: syz-executor294 Tainted: G B 5.8.0-next-20200812-syzkaller #0
[ 59.613256][ T6884] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 59.623305][ T6884] Call Trace:
[ 59.626602][ T6884] dump_stack+0x18f/0x20d
[ 59.630943][ T6884] ? hci_chan_del+0xa0/0x190
[ 59.635529][ T6884] panic+0x2e3/0x75c
[ 59.639402][ T6884] ? __warn_printk+0xf3/0xf3
[ 59.644180][ T6884] ? preempt_schedule_common+0x59/0xc0
[ 59.649646][ T6884] ? hci_chan_del+0x14f/0x190
[ 59.654320][ T6884] ? preempt_schedule_thunk+0x16/0x18
[ 59.659666][ T6884] ? trace_hardirqs_on+0x55/0x220
[ 59.664680][ T6884] ? hci_chan_del+0x14f/0x190
[ 59.669331][ T6884] ? hci_chan_del+0x14f/0x190
[ 59.673991][ T6884] end_report+0x4d/0x53
[ 59.678130][ T6884] kasan_report.cold+0xd/0x37
[ 59.682782][ T6884] ? hci_chan_del+0x14f/0x190
[ 59.687433][ T6884] hci_chan_del+0x14f/0x190
[ 59.701290][ T6884] l2cap_conn_del+0x61b/0x9e0
[ 59.705944][ T6884] ? l2cap_conn_del+0x9e0/0x9e0
[ 59.710768][ T6884] l2cap_disconn_cfm+0x85/0xa0
[ 59.715522][ T6884] hci_conn_hash_flush+0x114/0x220
[ 59.720624][ T6884] hci_dev_do_close+0x5c6/0x1080
[ 59.725551][ T6884] ? hci_dev_open+0x350/0x350
[ 59.730226][ T6884] ? do_raw_read_unlock+0x70/0x70
[ 59.735225][ T6884] ? try_to_grab_pending.part.0+0x7d0/0x7d0
[ 59.741092][ T6884] hci_unregister_dev+0x1bd/0xe30
[ 59.746091][ T6884] ? fcntl_setlk+0xf60/0xf60
[ 59.750761][ T6884] ? lock_is_held_type+0xbb/0xf0
[ 59.755691][ T6884] vhci_release+0x70/0xe0
[ 59.760000][ T6884] __fput+0x285/0x920
[ 59.763956][ T6884] ? vhci_close_dev+0x50/0x50
[ 59.768652][ T6884] task_work_run+0xdd/0x190
[ 59.773145][ T6884] do_exit+0xb7d/0x29f0
[ 59.777319][ T6884] ? __fget_light+0xea/0x280
[ 59.781891][ T6884] ? mm_update_next_owner+0x7a0/0x7a0
[ 59.787236][ T6884] ? lock_is_held_type+0xbb/0xf0
[ 59.792150][ T6884] ? syscall_enter_from_user_mode+0x20/0x290
[ 59.798114][ T6884] ? lockdep_hardirqs_on_prepare+0x354/0x530
[ 59.804077][ T6884] ? trace_hardirqs_on+0x5f/0x220
[ 59.809072][ T6884] __x64_sys_exit+0x3e/0x50
[ 59.813551][ T6884] do_syscall_64+0x2d/0x70
[ 59.817942][ T6884] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 59.823816][ T6884] RIP: 0033:0x402bce
[ 59.827678][ T6884] Code: Bad RIP value.
[ 59.831715][ T6884] RSP: 002b:00007fd0e8018de0 EFLAGS: 00000246 ORIG_RAX: 000000000000003c
[ 59.840111][ T6884] RAX: ffffffffffffffda RBX: 00007fd0e8019700 RCX: 0000000000402bce
[ 59.848055][ T6884] RDX: 000000000000003c RSI: 00000000007fb000 RDI: 0000000000000000
[ 59.855998][ T6884] RBP: 0000000000000000 R08: 00000000000000f1 R09: 00007fd0e8019700
[ 59.863943][ T6884] R10: 00007fd0e80199d0 R11: 0000000000000246 R12: 0000000000000000
[ 59.871934][ T6884] R13: 00007ffc3c9c582f R14: 00007fd0e80199c0 R15: 0000000000000000
[ 59.880846][ T6884] Kernel Offset: disabled
[ 59.885203][ T6884] Rebooting in 86400 seconds..