[ OK ] Reached target Multi-User System.
[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
[ OK ] Started Update UTMP about System Runlevel Changes.
[ OK ] Listening on Load/Save RF Kill Switch Status /dev/rfkill Watch.
Debian GNU/Linux 9 syzkaller ttyS0
Warning: Permanently added '10.128.1.62' (ECDSA) to the list of known hosts.
syzkaller login: [   62.479005][ T6859] IPVS: ftp: loaded support on port[0] = 21
executing program
[   63.669414][ T6884] ==================================================================
[   63.677688][ T6884] BUG: KASAN: use-after-free in hci_chan_del+0x14f/0x190
[   63.684735][ T6884] Read of size 8 at addr ffff8880972d9f18 by task syz-executor342/6884
[   63.692978][ T6884]
[   63.695327][ T6884] CPU: 1 PID: 6884 Comm: syz-executor342 Not tainted 5.8.0-rc7-next-20200731-syzkaller #0
[   63.705224][ T6884] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   63.715290][ T6884] Call Trace:
[   63.718604][ T6884]  dump_stack+0x18f/0x20d
[   63.722953][ T6884]  ? hci_chan_del+0x14f/0x190
[   63.727648][ T6884]  ? hci_chan_del+0x14f/0x190
[   63.732350][ T6884]  print_address_description.constprop.0.cold+0xae/0x497
[   63.739481][ T6884]  ? mutex_lock_io_nested+0xf60/0xf60
[   63.744881][ T6884]  ? lockdep_hardirqs_off+0x7e/0xb0
[   63.750103][ T6884]  ? vprintk_func+0x97/0x1a6
[   63.754698][ T6884]  ? hci_chan_del+0x14f/0x190
[   63.759362][ T6884]  ? hci_chan_del+0x14f/0x190
[   63.764035][ T6884]  kasan_report.cold+0x1f/0x37
[   63.768792][ T6884]  ? hci_chan_del+0x14f/0x190
[   63.773717][ T6884]  hci_chan_del+0x14f/0x190
[   63.778212][ T6884]  l2cap_conn_del+0x61b/0x9e0
[   63.782883][ T6884]  ? l2cap_conn_del+0x9e0/0x9e0
[   63.787724][ T6884]  l2cap_disconn_cfm+0x85/0xa0
[   63.792478][ T6884]  hci_conn_hash_flush+0x114/0x220
[   63.797580][ T6884]  hci_dev_do_close+0x5c6/0x1080
[   63.802514][ T6884]  ? hci_dev_open+0x350/0x350
[   63.807176][ T6884]  ? do_raw_read_unlock+0x70/0x70
[   63.812189][ T6884]  ? try_to_grab_pending.part.0+0x7d0/0x7d0
[   63.818077][ T6884]  hci_unregister_dev+0x1bd/0xe30
[   63.823089][ T6884]  ? fcntl_setlk+0xf60/0xf60
[   63.827684][ T6884]  ? lock_is_held_type+0xbb/0xf0
[   63.832615][ T6884]  vhci_release+0x70/0xe0
[   63.836932][ T6884]  __fput+0x285/0x920
[   63.840903][ T6884]  ? vhci_close_dev+0x50/0x50
[   63.845593][ T6884]  task_work_run+0xdd/0x190
[   63.850104][ T6884]  do_exit+0xb7d/0x29f0
[   63.854254][ T6884]  ? __fget_light+0xea/0x280
[   63.858832][ T6884]  ? mm_update_next_owner+0x7a0/0x7a0
[   63.864194][ T6884]  ? lock_is_held_type+0xbb/0xf0
[   63.869121][ T6884]  ? syscall_enter_from_user_mode+0x20/0x290
[   63.875089][ T6884]  ? lockdep_hardirqs_on_prepare+0x354/0x530
[   63.881056][ T6884]  ? trace_hardirqs_on+0x5f/0x220
[   63.886069][ T6884]  __x64_sys_exit+0x3e/0x50
[   63.890559][ T6884]  do_syscall_64+0x2d/0x70
[   63.894963][ T6884]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[   63.900841][ T6884] RIP: 0033:0x402bae
[   63.904714][ T6884] Code: Bad RIP value.
[   63.908767][ T6884] RSP: 002b:00007fa13d64ede0 EFLAGS: 00000246 ORIG_RAX: 000000000000003c
[   63.917168][ T6884] RAX: ffffffffffffffda RBX: 00007fa13d64f700 RCX: 0000000000402bae
[   63.925154][ T6884] RDX: 000000000000003c RSI: 00000000007fb000 RDI: 0000000000000000
[   63.933114][ T6884] RBP: 0000000000000000 R08: 00000000000000f1 R09: 00007fa13d64f700
[   63.941086][ T6884] R10: 00007fa13d64f9d0 R11: 0000000000000246 R12: 0000000000000000
[   63.949064][ T6884] R13: 00007ffc9851569f R14: 00007fa13d64f9c0 R15: 0000000000000001
[   63.957063][ T6884]
[   63.959380][ T6884] Allocated by task 1546:
[   63.963703][ T6884]  kasan_save_stack+0x1b/0x40
[   63.968384][ T6884]  __kasan_kmalloc.constprop.0+0xbf/0xd0
[   63.974005][ T6884]  kmem_cache_alloc_trace+0x16e/0x2c0
[   63.979363][ T6884]  hci_chan_create+0x9b/0x330
[   63.984056][ T6884]  l2cap_conn_add.part.0+0x1e/0xe10
[   63.989242][ T6884]  l2cap_connect_cfm+0x23b/0x1090
[   63.994253][ T6884]  le_conn_complete_evt+0x1153/0x1740
[   63.999611][ T6884]  hci_le_meta_evt+0xe55/0x3fd0
[   64.004448][ T6884]  hci_event_packet+0x2e25/0x87a8
[   64.009457][ T6884]  hci_rx_work+0x22e/0xb50
[   64.013861][ T6884]  process_one_work+0x94c/0x1670
[   64.018784][ T6884]  worker_thread+0x64c/0x1120
[   64.023447][ T6884]  kthread+0x3b5/0x4a0
[   64.027503][ T6884]  ret_from_fork+0x1f/0x30
[   64.031923][ T6884]
[   64.034236][ T6884] Freed by task 1546:
[   64.038222][ T6884]  kasan_save_stack+0x1b/0x40
[   64.042881][ T6884]  kasan_set_track+0x1c/0x30
[   64.047456][ T6884]  kasan_set_free_info+0x1b/0x30
[   64.052377][ T6884]  __kasan_slab_free+0xd8/0x120
[   64.057212][ T6884]  kfree+0x103/0x2c0
[   64.061108][ T6884]  hci_event_packet+0x3e33/0x87a8
[   64.066115][ T6884]  hci_rx_work+0x22e/0xb50
[   64.070533][ T6884]  process_one_work+0x94c/0x1670
[   64.075805][ T6884]  worker_thread+0x64c/0x1120
[   64.080469][ T6884]  kthread+0x3b5/0x4a0
[   64.084536][ T6884]  ret_from_fork+0x1f/0x30
[   64.088933][ T6884]
[   64.091258][ T6884] The buggy address belongs to the object at ffff8880972d9f00
[   64.091258][ T6884]  which belongs to the cache kmalloc-128 of size 128
[   64.105314][ T6884] The buggy address is located 24 bytes inside of
[   64.105314][ T6884]  128-byte region [ffff8880972d9f00, ffff8880972d9f80)
[   64.118498][ T6884] The buggy address belongs to the page:
[   64.125968][ T6884] page:000000009445075c refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff8880972d9100 pfn:0x972d9
[   64.137415][ T6884] flags: 0xfffe0000000200(slab)
[   64.142261][ T6884] raw: 00fffe0000000200 ffffea00028ad488 ffffea0002555108 ffff8880aa000400
[   64.150848][ T6884] raw: ffff8880972d9100 ffff8880972d9000 0000000100000008 0000000000000000
[   64.159413][ T6884] page dumped because: kasan: bad access detected
[   64.165803][ T6884]
[   64.168116][ T6884] Memory state around the buggy address:
[   64.173732][ T6884]  ffff8880972d9e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   64.181794][ T6884]  ffff8880972d9e80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   64.189842][ T6884] >ffff8880972d9f00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   64.197898][ T6884]                             ^
[   64.202732][ T6884]  ffff8880972d9f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   64.210775][ T6884]  ffff8880972da000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   64.218816][ T6884] ==================================================================
[   64.226876][ T6884] Disabling lock debugging due to kernel taint
[   64.234656][ T6884] Kernel panic - not syncing: panic_on_warn set ...
[   64.241386][ T6884] CPU: 1 PID: 6884 Comm: syz-executor342 Tainted: G B 5.8.0-rc7-next-20200731-syzkaller #0
[   64.252664][ T6884] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   64.262721][ T6884] Call Trace:
[   64.266008][ T6884]  dump_stack+0x18f/0x20d
[   64.270324][ T6884]  ? hci_chan_del+0x140/0x190
[   64.274983][ T6884]  panic+0x2e3/0x75c
[   64.278890][ T6884]  ? __warn_printk+0xf3/0xf3
[   64.283460][ T6884]  ? preempt_schedule_common+0x59/0xc0
[   64.288905][ T6884]  ? hci_chan_del+0x14f/0x190
[   64.293565][ T6884]  ? preempt_schedule_thunk+0x16/0x18
[   64.298916][ T6884]  ? trace_hardirqs_on+0x55/0x220
[   64.303922][ T6884]  ? hci_chan_del+0x14f/0x190
[   64.308575][ T6884]  ? hci_chan_del+0x14f/0x190
[   64.313228][ T6884]  end_report+0x4d/0x53
[   64.317361][ T6884]  kasan_report.cold+0xd/0x37
[   64.322014][ T6884]  ? hci_chan_del+0x14f/0x190
[   64.326665][ T6884]  hci_chan_del+0x14f/0x190
[   64.331147][ T6884]  l2cap_conn_del+0x61b/0x9e0
[   64.335867][ T6884]  ? l2cap_conn_del+0x9e0/0x9e0
[   64.340699][ T6884]  l2cap_disconn_cfm+0x85/0xa0
[   64.345441][ T6884]  hci_conn_hash_flush+0x114/0x220
[   64.350531][ T6884]  hci_dev_do_close+0x5c6/0x1080
[   64.355448][ T6884]  ? hci_dev_open+0x350/0x350
[   64.360189][ T6884]  ? do_raw_read_unlock+0x70/0x70
[   64.365215][ T6884]  ? try_to_grab_pending.part.0+0x7d0/0x7d0
[   64.371090][ T6884]  hci_unregister_dev+0x1bd/0xe30
[   64.376102][ T6884]  ? fcntl_setlk+0xf60/0xf60
[   64.380949][ T6884]  ? lock_is_held_type+0xbb/0xf0
[   64.385866][ T6884]  vhci_release+0x70/0xe0
[   64.390176][ T6884]  __fput+0x285/0x920
[   64.394135][ T6884]  ? vhci_close_dev+0x50/0x50
[   64.398792][ T6884]  task_work_run+0xdd/0x190
[   64.403288][ T6884]  do_exit+0xb7d/0x29f0
[   64.407438][ T6884]  ? __fget_light+0xea/0x280
[   64.412002][ T6884]  ? mm_update_next_owner+0x7a0/0x7a0
[   64.417352][ T6884]  ? lock_is_held_type+0xbb/0xf0
[   64.422267][ T6884]  ? syscall_enter_from_user_mode+0x20/0x290
[   64.428226][ T6884]  ? lockdep_hardirqs_on_prepare+0x354/0x530
[   64.434184][ T6884]  ? trace_hardirqs_on+0x5f/0x220
[   64.439184][ T6884]  __x64_sys_exit+0x3e/0x50
[   64.443665][ T6884]  do_syscall_64+0x2d/0x70
[   64.448061][ T6884]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[   64.453932][ T6884] RIP: 0033:0x402bae
[   64.457823][ T6884] Code: Bad RIP value.
[   64.461865][ T6884] RSP: 002b:00007fa13d64ede0 EFLAGS: 00000246 ORIG_RAX: 000000000000003c
[   64.470269][ T6884] RAX: ffffffffffffffda RBX: 00007fa13d64f700 RCX: 0000000000402bae
[   64.478219][ T6884] RDX: 000000000000003c RSI: 00000000007fb000 RDI: 0000000000000000
[   64.486170][ T6884] RBP: 0000000000000000 R08: 00000000000000f1 R09: 00007fa13d64f700
[   64.494124][ T6884] R10: 00007fa13d64f9d0 R11: 0000000000000246 R12: 0000000000000000
[   64.502097][ T6884] R13: 00007ffc9851569f R14: 00007fa13d64f9c0 R15: 0000000000000001
[   64.511359][ T6884] Kernel Offset: disabled
[   64.515681][ T6884] Rebooting in 86400 seconds..
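Read top to bottom, the report says: the object was allocated by hci_chan_create from l2cap_conn_add, reached from the LE connection-complete event handler on the hci_rx_work worker (task 1546); the same worker later freed it with kfree from hci_event_packet; and task 6884 then read 8 bytes at offset 24 of the freed 128-byte kmalloc-128 object in hci_chan_del, reached from l2cap_conn_del while hci_dev_do_close flushed the connection hash during vhci_release at process exit. The shadow row agrees: the byte under the caret is 0xfb, a freed granule. The script below is an added example for this page, not part of the syzkaller report and not a kernel or syzkaller tool. It parses this report layout into the fields a triage needs (bug type, access, object, region, allocate/free/use stacks, shadow rows) and cross-checks the report's own claims, using a subset of the lines above as offline input. The meanings of shadow bytes 0xfa and 0xfb are taken from mm/kasan/kasan.h of kernels of this vintage and are an assumption to verify against your own tree.

```python
# Added example for this page: not part of the syzkaller report above, not a kernel or syzkaller tool.
# REPORT is a subset of the lines of the report above, copied here so the script runs offline.
import re

REPORT = """\
[   63.677688][ T6884] BUG: KASAN: use-after-free in hci_chan_del+0x14f/0x190
[   63.684735][ T6884] Read of size 8 at addr ffff8880972d9f18 by task syz-executor342/6884
[   63.715290][ T6884] Call Trace:
[   63.718604][ T6884]  dump_stack+0x18f/0x20d
[   63.722953][ T6884]  ? hci_chan_del+0x14f/0x190
[   63.764035][ T6884]  kasan_report.cold+0x1f/0x37
[   63.773717][ T6884]  hci_chan_del+0x14f/0x190
[   63.778212][ T6884]  l2cap_conn_del+0x61b/0x9e0
[   63.957063][ T6884]
[   63.959380][ T6884] Allocated by task 1546:
[   63.963703][ T6884]  kasan_save_stack+0x1b/0x40
[   63.974005][ T6884]  kmem_cache_alloc_trace+0x16e/0x2c0
[   63.979363][ T6884]  hci_chan_create+0x9b/0x330
[   64.031923][ T6884]
[   64.034236][ T6884] Freed by task 1546:
[   64.057212][ T6884]  __kasan_slab_free+0xd8/0x120
[   64.061108][ T6884]  kfree+0x103/0x2c0
[   64.066115][ T6884]  hci_event_packet+0x3e33/0x87a8
[   64.088933][ T6884]
[   64.091258][ T6884] The buggy address belongs to the object at ffff8880972d9f00
[   64.091258][ T6884]  which belongs to the cache kmalloc-128 of size 128
[   64.105314][ T6884] The buggy address is located 24 bytes inside of
[   64.105314][ T6884]  128-byte region [ffff8880972d9f00, ffff8880972d9f80)
[   64.168116][ T6884] Memory state around the buggy address:
[   64.189842][ T6884] >ffff8880972d9f00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   64.197898][ T6884]                             ^
"""

PREFIX = re.compile(r"^\[\s*\d+\.\d+\]\[\s*T\d+\] ?")                  # "[   63.6][ T6884] " console prefix
FRAME = re.compile(r"^\s*(\?\s+)?([\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+$")  # group 1 set => unreliable "? " frame
ROW = re.compile(r"^[ >]([0-9a-f]{16}): ((?:[0-9a-f]{2} ?)+)$")        # one row of shadow memory
HEADERS = {  # one-line fields; each named group becomes a key of the parsed report
    "bug": r"^BUG: (?P<sanitizer>\w+): (?P<bug>[\w-]+) in (?P<func>[\w.]+)\+0x",
    "access": r"^(?P<op>Read|Write) of size (?P<size>\d+) at addr (?P<addr>[0-9a-f]{16}) by task (?P<task>\S+)/(?P<pid>\d+)$",
    "object": r"^The buggy address belongs to the object at (?P<object>[0-9a-f]{16})$",
    "cache": r"^\s*which belongs to the cache (?P<cache>\S+) of size (?P<cache_size>\d+)$",
    "offset": r"^The buggy address is located (?P<claimed_offset>\d+) bytes (?:inside|to the (?:right|left)) of$",
    "region": r"^\s*\d+-byte region \[(?P<start>[0-9a-f]{16}), (?P<end>[0-9a-f]{16})\)$",
    "alloc_stack": r"^Allocated by task (?P<alloc_task>\d+):$",
    "free_stack": r"^Freed by task (?P<free_task>\d+):$",
}
SECTIONS = {"Call Trace:": "access_stack", "Memory state around the buggy address:": "rows"}
HEX_FIELDS = ("addr", "object", "start", "end")
INTERNAL = ("dump_stack", "print_address_description", "kasan_", "__kasan_", "kmem_cache_", "kfree", "end_report")
FREED = {0xfa, 0xfb}  # KASAN_KMALLOC_FREETRACK / KASAN_KMALLOC_FREE in kernels of this vintage (assumption)

def parse_report(text):
    r, section = {"access_stack": [], "alloc_stack": [], "free_stack": [], "rows": []}, None
    for raw in text.splitlines():
        line = PREFIX.sub("", raw)
        if not line.strip():
            section = None                        # a blank body line closes a stack section
            continue
        for name, pat in HEADERS.items():
            if m := re.match(pat, line):
                for k, v in m.groupdict().items():
                    r[k] = int(v, 16) if k in HEX_FIELDS else int(v) if v.isdigit() else v
                if name.endswith("_stack"):
                    section = name                # the frames that follow belong to this stack
                break
        else:
            if line in SECTIONS:
                section = SECTIONS[line]
            elif section == "rows" and (m := ROW.match(line)):
                r["rows"].append((int(m.group(1), 16), bytes.fromhex(m.group(2).replace(" ", ""))))
            elif section and (m := FRAME.match(line)) and not m.group(1):
                r[section].append(m.group(2))     # "? " frames are stale return addresses; dropped
    r["region"] = (r.pop("start", None), r.pop("end", None))
    return r

def first_real_frame(stack):  # first frame that is not KASAN/slab machinery: the code that touched the object
    return next((f for f in stack if not f.startswith(INTERNAL)), None)

def shadow_byte(r):  # shadow byte covering the faulting address; one shadow byte describes an 8-byte granule
    for base, shadow in r["rows"]:
        if base <= r["addr"] < base + 8 * len(shadow):
            return shadow[(r["addr"] - base) // 8]

def consistency_checks(r):
    """Cross-check the report's own claims; a mismatch usually means a garbled or edited log."""
    start, end = r["region"]
    return {
        "offset_matches": r["addr"] - r["object"] == r["claimed_offset"],
        "access_inside_region": start <= r["addr"] and r["addr"] + r["size"] <= end,
        "region_matches_cache": end - start == r["cache_size"],
        "shadow_marks_freed": shadow_byte(r) in FREED,
        "bug_func_is_first_frame": first_real_frame(r["access_stack"]) == r["func"],
    }

if __name__ == "__main__":
    rep = parse_report(REPORT)
    print(rep["bug"], "in", rep["func"], "| alloc:", first_real_frame(rep["alloc_stack"]),
          "| free:", first_real_frame(rep["free_stack"]), "|", consistency_checks(rep))
```

Feed a full console log in place of REPORT to get the same summary. Frames printed with a question mark are dropped on purpose: they are stale return addresses the unwinder found on the stack, which is why hci_chan_del appears once in the parsed access stack although the trace above prints it several times.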