[ OK ] Listening on Load/Save RF Kill Switch Status /dev/rfkill Watch.
[ OK ] Reached target Multi-User System.
[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
Starting Load/Save RF Kill Switch Status...
Debian GNU/Linux 9 syzkaller ttyS0
Warning: Permanently added '10.128.15.193' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 58.374951][ T6828] IPVS: ftp: loaded support on port[0] = 21
[ 58.437169][ T6828] ==================================================================
[ 58.445568][ T6828] BUG: KASAN: use-after-free in hci_chan_del+0x14f/0x190
[ 58.452622][ T6828] Read of size 8 at addr ffff8880a1d3df18 by task syz-executor865/6828
[ 58.460827][ T6828]
[ 58.463137][ T6828] CPU: 0 PID: 6828 Comm: syz-executor865 Not tainted 5.8.0-syzkaller #0
[ 58.471429][ T6828] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 58.481460][ T6828] Call Trace:
[ 58.484732][ T6828]  dump_stack+0x18f/0x20d
[ 58.489040][ T6828]  ? hci_chan_del+0x14f/0x190
[ 58.493713][ T6828]  ? hci_chan_del+0x14f/0x190
[ 58.498367][ T6828]  print_address_description.constprop.0.cold+0xae/0x497
[ 58.505387][ T6828]  ? mutex_lock_io_nested+0xf60/0xf60
[ 58.510738][ T6828]  ? vprintk_func+0x97/0x1a6
[ 58.515304][ T6828]  ? hci_chan_del+0x14f/0x190
[ 58.519954][ T6828]  ? hci_chan_del+0x14f/0x190
[ 58.524638][ T6828]  kasan_report.cold+0x1f/0x37
[ 58.529395][ T6828]  ? hci_chan_del+0x14f/0x190
[ 58.534052][ T6828]  hci_chan_del+0x14f/0x190
[ 58.538533][ T6828]  l2cap_conn_del+0x61b/0x9e0
[ 58.543190][ T6828]  ? l2cap_conn_del+0x9e0/0x9e0
[ 58.548015][ T6828]  l2cap_disconn_cfm+0x85/0xa0
[ 58.552754][ T6828]  hci_conn_hash_flush+0x114/0x220
[ 58.557938][ T6828]  hci_dev_do_close+0x5c6/0x1080
[ 58.562855][ T6828]  ? hci_dev_open+0x350/0x350
[ 58.567506][ T6828]  ? do_raw_read_unlock+0x70/0x70
[ 58.572505][ T6828]  ? try_to_grab_pending.part.0+0x7d0/0x7d0
[ 58.578377][ T6828]  hci_unregister_dev+0x1bd/0xe30
[ 58.583378][ T6828]  ? fcntl_setlk+0xf60/0xf60
[ 58.587943][ T6828]  ? lock_is_held_type+0xbb/0xf0
[ 58.592958][ T6828]  vhci_release+0x70/0xe0
[ 58.597306][ T6828]  __fput+0x285/0x920
[ 58.601264][ T6828]  ? vhci_close_dev+0x50/0x50
[ 58.605918][ T6828]  task_work_run+0xdd/0x190
[ 58.610397][ T6828]  do_exit+0xb7d/0x29f0
[ 58.614534][ T6828]  ? mm_update_next_owner+0x7a0/0x7a0
[ 58.619913][ T6828]  ? vmacache_update+0xce/0x140
[ 58.624744][ T6828]  ? lock_is_held_type+0xbb/0xf0
[ 58.629747][ T6828]  do_group_exit+0x125/0x310
[ 58.634317][ T6828]  __ia32_sys_exit_group+0x3a/0x50
[ 58.639403][ T6828]  __do_fast_syscall_32+0x57/0x80
[ 58.644489][ T6828]  do_fast_syscall_32+0x2f/0x70
[ 58.649330][ T6828]  entry_SYSENTER_compat_after_hwframe+0x4d/0x5c
[ 58.655644][ T6828] RIP: 0023:0xf7f73569
[ 58.659697][ T6828] Code: Bad RIP value.
[ 58.663735][ T6828] RSP: 002b:00000000ffd51a1c EFLAGS: 00000292 ORIG_RAX: 00000000000000fc
[ 58.672132][ T6828] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00000000080fd318
[ 58.680079][ T6828] RDX: 0000000000000000 RSI: 00000000080e32a0 RDI: 00000000080fd320
[ 58.688041][ T6828] RBP: 0000000000000001 R08: 0000000000000000 R09: 0000000000000000
[ 58.695993][ T6828] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[ 58.703938][ T6828] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 58.711892][ T6828]
[ 58.714196][ T6828] Allocated by task 1546:
[ 58.718503][ T6828]  kasan_save_stack+0x1b/0x40
[ 58.723153][ T6828]  __kasan_kmalloc.constprop.0+0xbf/0xd0
[ 58.728763][ T6828]  kmem_cache_alloc_trace+0x16e/0x2c0
[ 58.734110][ T6828]  hci_chan_create+0x9b/0x330
[ 58.738761][ T6828]  l2cap_conn_add.part.0+0x1e/0xe10
[ 58.743946][ T6828]  l2cap_connect_cfm+0x23b/0x1090
[ 58.748942][ T6828]  le_conn_complete_evt+0x1153/0x1740
[ 58.754297][ T6828]  hci_le_meta_evt+0x745/0x3ff0
[ 58.759135][ T6828]  hci_event_packet+0x2e25/0x87a8
[ 58.764132][ T6828]  hci_rx_work+0x22e/0xb50
[ 58.768525][ T6828]  process_one_work+0x94c/0x1670
[ 58.773434][ T6828]  worker_thread+0x64c/0x1120
[ 58.778082][ T6828]  kthread+0x3b5/0x4a0
[ 58.782120][ T6828]  ret_from_fork+0x1f/0x30
[ 58.786510][ T6828]
[ 58.788832][ T6828] Freed by task 6834:
[ 58.792788][ T6828]  kasan_save_stack+0x1b/0x40
[ 58.797435][ T6828]  kasan_set_track+0x1c/0x30
[ 58.801996][ T6828]  kasan_set_free_info+0x1b/0x30
[ 58.806906][ T6828]  __kasan_slab_free+0xd8/0x120
[ 58.811726][ T6828]  kfree+0x103/0x2c0
[ 58.815615][ T6828]  hci_event_packet+0x3e33/0x87a8
[ 58.820611][ T6828]  hci_rx_work+0x22e/0xb50
[ 58.825001][ T6828]  process_one_work+0x94c/0x1670
[ 58.829910][ T6828]  worker_thread+0x64c/0x1120
[ 58.834565][ T6828]  kthread+0x3b5/0x4a0
[ 58.838608][ T6828]  ret_from_fork+0x1f/0x30
[ 58.842991][ T6828]
[ 58.845296][ T6828] The buggy address belongs to the object at ffff8880a1d3df00
[ 58.845296][ T6828]  which belongs to the cache kmalloc-128 of size 128
[ 58.859841][ T6828] The buggy address is located 24 bytes inside of
[ 58.859841][ T6828]  128-byte region [ffff8880a1d3df00, ffff8880a1d3df80)
[ 58.872994][ T6828] The buggy address belongs to the page:
[ 58.878606][ T6828] page:00000000c9da0632 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff8880a1d3d200 pfn:0xa1d3d
[ 58.890025][ T6828] flags: 0xfffe0000000200(slab)
[ 58.894853][ T6828] raw: 00fffe0000000200 ffffea0002a29688 ffffea0002698cc8 ffff8880aa040400
[ 58.903429][ T6828] raw: ffff8880a1d3d200 ffff8880a1d3d000 0000000100000006 0000000000000000
[ 58.911983][ T6828] page dumped because: kasan: bad access detected
[ 58.918361][ T6828]
[ 58.920661][ T6828] Memory state around the buggy address:
[ 58.926265][ T6828]  ffff8880a1d3de00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 58.934300][ T6828]  ffff8880a1d3de80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 58.942334][ T6828] >ffff8880a1d3df00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 58.950363][ T6828]                             ^
[ 58.955183][ T6828]  ffff8880a1d3df80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 58.963217][ T6828]  ffff8880a1d3e000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 58.971246][ T6828] ==================================================================
[ 58.979277][ T6828] Disabling lock debugging due to kernel taint
[ 58.985935][ T6828] Kernel panic - not syncing: panic_on_warn set ...
[ 58.992526][ T6828] CPU: 0 PID: 6828 Comm: syz-executor865 Tainted: G B 5.8.0-syzkaller #0
[ 59.002227][ T6828] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 59.012274][ T6828] Call Trace:
[ 59.015560][ T6828]  dump_stack+0x18f/0x20d
[ 59.019873][ T6828]  ? hci_chan_del+0x80/0x190
[ 59.024435][ T6828]  panic+0x2e3/0x75c
[ 59.028302][ T6828]  ? __warn_printk+0xf3/0xf3
[ 59.032865][ T6828]  ? preempt_schedule_common+0x59/0xc0
[ 59.038291][ T6828]  ? hci_chan_del+0x14f/0x190
[ 59.042940][ T6828]  ? preempt_schedule_thunk+0x16/0x18
[ 59.048299][ T6828]  ? trace_hardirqs_on+0x55/0x220
[ 59.053294][ T6828]  ? hci_chan_del+0x14f/0x190
[ 59.057945][ T6828]  ? hci_chan_del+0x14f/0x190
[ 59.062594][ T6828]  end_report+0x4d/0x53
[ 59.066721][ T6828]  kasan_report.cold+0xd/0x37
[ 59.071373][ T6828]  ? hci_chan_del+0x14f/0x190
[ 59.076130][ T6828]  hci_chan_del+0x14f/0x190
[ 59.080608][ T6828]  l2cap_conn_del+0x61b/0x9e0
[ 59.085275][ T6828]  ? l2cap_conn_del+0x9e0/0x9e0
[ 59.090096][ T6828]  l2cap_disconn_cfm+0x85/0xa0
[ 59.094832][ T6828]  hci_conn_hash_flush+0x114/0x220
[ 59.099914][ T6828]  hci_dev_do_close+0x5c6/0x1080
[ 59.104841][ T6828]  ? hci_dev_open+0x350/0x350
[ 59.109557][ T6828]  ? do_raw_read_unlock+0x70/0x70
[ 59.114587][ T6828]  ? try_to_grab_pending.part.0+0x7d0/0x7d0
[ 59.120462][ T6828]  hci_unregister_dev+0x1bd/0xe30
[ 59.125466][ T6828]  ? fcntl_setlk+0xf60/0xf60
[ 59.130031][ T6828]  ? lock_is_held_type+0xbb/0xf0
[ 59.134942][ T6828]  vhci_release+0x70/0xe0
[ 59.139246][ T6828]  __fput+0x285/0x920
[ 59.143203][ T6828]  ? vhci_close_dev+0x50/0x50
[ 59.147867][ T6828]  task_work_run+0xdd/0x190
[ 59.152344][ T6828]  do_exit+0xb7d/0x29f0
[ 59.156471][ T6828]  ? mm_update_next_owner+0x7a0/0x7a0
[ 59.161825][ T6828]  ? vmacache_update+0xce/0x140
[ 59.166651][ T6828]  ? lock_is_held_type+0xbb/0xf0
[ 59.171558][ T6828]  do_group_exit+0x125/0x310
[ 59.176119][ T6828]  __ia32_sys_exit_group+0x3a/0x50
[ 59.181237][ T6828]  __do_fast_syscall_32+0x57/0x80
[ 59.186232][ T6828]  do_fast_syscall_32+0x2f/0x70
[ 59.191054][ T6828]  entry_SYSENTER_compat_after_hwframe+0x4d/0x5c
[ 59.197351][ T6828] RIP: 0023:0xf7f73569
[ 59.201386][ T6828] Code: Bad RIP value.
[ 59.205433][ T6828] RSP: 002b:00000000ffd51a1c EFLAGS: 00000292 ORIG_RAX: 00000000000000fc
[ 59.213824][ T6828] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00000000080fd318
[ 59.221858][ T6828] RDX: 0000000000000000 RSI: 00000000080e32a0 RDI: 00000000080fd320
[ 59.229845][ T6828] RBP: 0000000000000001 R08: 0000000000000000 R09: 0000000000000000
[ 59.237793][ T6828] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[ 59.245740][ T6828] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 59.254980][ T6828] Kernel Offset: disabled
[ 59.259344][ T6828] Rebooting in 86400 seconds..