Debian GNU/Linux 9 syzkaller ttyS0

syzkaller login: [   58.251644][ T6858] IPVS: ftp: loaded support on port[0] = 21
executing program
[   59.398419][ T6858] ==================================================================
[   59.406653][ T6858] BUG: KASAN: use-after-free in hci_chan_del+0x14f/0x190
[   59.413695][ T6858] Read of size 8 at addr ffff8880a19f3218 by task syz-executor237/6858
[   59.421954][ T6858] 
[   59.424307][ T6858] CPU: 1 PID: 6858 Comm: syz-executor237 Not tainted 5.8.0-syzkaller #0
[   59.432637][ T6858] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   59.442681][ T6858] Call Trace:
[   59.445971][ T6858]  dump_stack+0x18f/0x20d
[   59.450290][ T6858]  ? hci_chan_del+0x14f/0x190
[   59.454955][ T6858]  ? hci_chan_del+0x14f/0x190
[   59.459632][ T6858]  print_address_description.constprop.0.cold+0xae/0x436
[   59.466654][ T6858]  ? mutex_lock_io_nested+0xf60/0xf60
[   59.472021][ T6858]  ? vprintk_func+0x97/0x1a6
[   59.476598][ T6858]  ? hci_chan_del+0x14f/0x190
[   59.481256][ T6858]  kasan_report.cold+0x1f/0x37
[   59.486024][ T6858]  ? hci_chan_del+0x14f/0x190
[   59.490685][ T6858]  hci_chan_del+0x14f/0x190
[   59.495250][ T6858]  l2cap_conn_del+0x61b/0x9e0
[   59.499914][ T6858]  ? l2cap_conn_del+0x9e0/0x9e0
[   59.504763][ T6858]  l2cap_disconn_cfm+0x85/0xa0
[   59.509514][ T6858]  hci_conn_hash_flush+0x114/0x220
[   59.514619][ T6858]  ? vhci_close_dev+0x50/0x50
[   59.519281][ T6858]  hci_dev_do_close+0x5c6/0x1080
[   59.524201][ T6858]  ? hci_dev_open+0x350/0x350
[   59.528856][ T6858]  ? do_raw_read_unlock+0x70/0x70
[   59.533871][ T6858]  ? try_to_grab_pending.part.0+0x7d0/0x7d0
[   59.539776][ T6858]  ? vhci_close_dev+0x50/0x50
[   59.544461][ T6858]  hci_unregister_dev+0x1bd/0xe30
[   59.549473][ T6858]  ? fcntl_setlk+0xf60/0xf60
[   59.554113][ T6858]  ? lock_is_held_type+0xbb/0xf0
[   59.559046][ T6858]  ? vhci_close_dev+0x50/0x50
[   59.563718][ T6858]  vhci_release+0x70/0xe0
[   59.568035][ T6858]  __fput+0x33c/0x880
[   59.572010][ T6858]  task_work_run+0xdd/0x190
[   59.576502][ T6858]  do_exit+0xb7d/0x29f0
[   59.580655][ T6858]  ? __schedule+0x8ed/0x21e0
[   59.585239][ T6858]  ? mm_update_next_owner+0x7a0/0x7a0
[   59.590593][ T6858]  ? lock_is_held_type+0xbb/0xf0
[   59.595512][ T6858]  ? lock_is_held_type+0xbb/0xf0
[   59.600430][ T6858]  do_group_exit+0x125/0x310
[   59.605007][ T6858]  __x64_sys_exit_group+0x3a/0x50
[   59.610027][ T6858]  do_syscall_64+0x2d/0x70
[   59.614422][ T6858]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[   59.620372][ T6858] RIP: 0033:0x4450b8
[   59.624237][ T6858] Code: Bad RIP value.
[   59.628280][ T6858] RSP: 002b:00007fffe7122d88 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[   59.636684][ T6858] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00000000004450b8
[   59.644640][ T6858] RDX: 0000000000000001 RSI: 000000000000003c RDI: 0000000000000001
[   59.652594][ T6858] RBP: 00000000004cce90 R08: 00000000000000e7 R09: ffffffffffffffd0
[   59.661167][ T6858] R10: 00000000000000ff R11: 0000000000000246 R12: 0000000000000001
[   59.669134][ T6858] R13: 00000000006e0200 R14: 0000000000000000 R15: 0000000000000000
[   59.677105][ T6858] 
[   59.679412][ T6858] Allocated by task 6883:
[   59.683835][ T6858]  save_stack+0x1b/0x40
[   59.687963][ T6858]  __kasan_kmalloc.constprop.0+0xc2/0xd0
[   59.693575][ T6858]  kmem_cache_alloc_trace+0x14f/0x2d0
[   59.698934][ T6858]  hci_chan_create+0x9b/0x330
[   59.703602][ T6858]  l2cap_conn_add.part.0+0x1e/0xe10
[   59.708819][ T6858]  l2cap_connect_cfm+0x23b/0x1090
[   59.713884][ T6858]  le_conn_complete_evt+0x1153/0x1740
[   59.719245][ T6858]  hci_le_meta_evt+0x745/0x3ff0
[   59.724084][ T6858]  hci_event_packet+0x2e25/0x87a8
[   59.729093][ T6858]  hci_rx_work+0x22e/0xb50
[   59.733497][ T6858]  process_one_work+0x94c/0x1670
[   59.738417][ T6858]  worker_thread+0x64c/0x1120
[   59.743069][ T6858]  kthread+0x3b5/0x4a0
[   59.747123][ T6858]  ret_from_fork+0x1f/0x30
[   59.751545][ T6858] 
[   59.753853][ T6858] Freed by task 1538:
[   59.757815][ T6858]  save_stack+0x1b/0x40
[   59.761947][ T6858]  __kasan_slab_free+0xf5/0x140
[   59.766791][ T6858]  kfree+0x103/0x2c0
[   59.770679][ T6858]  hci_event_packet+0x3e33/0x87a8
[   59.775683][ T6858]  hci_rx_work+0x22e/0xb50
[   59.780263][ T6858]  process_one_work+0x94c/0x1670
[   59.785175][ T6858]  worker_thread+0x64c/0x1120
[   59.789828][ T6858]  kthread+0x3b5/0x4a0
[   59.793893][ T6858]  ret_from_fork+0x1f/0x30
[   59.798280][ T6858] 
[   59.800584][ T6858] The buggy address belongs to the object at ffff8880a19f3200
[   59.800584][ T6858]  which belongs to the cache kmalloc-128 of size 128
[   59.814613][ T6858] The buggy address is located 24 bytes inside of
[   59.814613][ T6858]  128-byte region [ffff8880a19f3200, ffff8880a19f3280)
[   59.827783][ T6858] The buggy address belongs to the page:
[   59.833411][ T6858] page:ffffea0002867cc0 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff8880a19f3000
[   59.843798][ T6858] flags: 0xfffe0000000200(slab)
[   59.848632][ T6858] raw: 00fffe0000000200 ffffea0002a3ee88 ffffea00024a0288 ffff8880aa000700
[   59.857199][ T6858] raw: ffff8880a19f3000 ffff8880a19f3000 0000000100000007 0000000000000000
[   59.865753][ T6858] page dumped because: kasan: bad access detected
[   59.872136][ T6858] 
[   59.874438][ T6858] Memory state around the buggy address:
[   59.880049][ T6858]  ffff8880a19f3100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   59.888090][ T6858]  ffff8880a19f3180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   59.896144][ T6858] >ffff8880a19f3200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   59.904193][ T6858]                             ^
[   59.909018][ T6858]  ffff8880a19f3280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   59.917053][ T6858]  ffff8880a19f3300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   59.925098][ T6858] ==================================================================
[   59.933138][ T6858] Disabling lock debugging due to kernel taint
[   59.945142][ T6858] Kernel panic - not syncing: panic_on_warn set ...
[   59.951743][ T6858] CPU: 1 PID: 6858 Comm: syz-executor237 Tainted: G    B             5.8.0-syzkaller #0
[   59.961475][ T6858] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   59.971547][ T6858] Call Trace:
[   59.974843][ T6858]  dump_stack+0x18f/0x20d
[   59.979175][ T6858]  ? hci_chan_del+0x140/0x190
[   59.983843][ T6858]  panic+0x2e3/0x75c
[   59.987711][ T6858]  ? __warn_printk+0xf3/0xf3
[   59.992293][ T6858]  ? preempt_schedule_common+0x59/0xc0
[   59.997736][ T6858]  ? hci_chan_del+0x14f/0x190
[   60.002392][ T6858]  ? preempt_schedule_thunk+0x16/0x18
[   60.007741][ T6858]  ? trace_hardirqs_on+0x55/0x220
[   60.012751][ T6858]  ? hci_chan_del+0x14f/0x190
[   60.017399][ T6858]  ? hci_chan_del+0x14f/0x190
[   60.022054][ T6858]  end_report+0x4d/0x53
[   60.026197][ T6858]  kasan_report.cold+0xd/0x37
[   60.030868][ T6858]  ? hci_chan_del+0x14f/0x190
[   60.035606][ T6858]  hci_chan_del+0x14f/0x190
[   60.040099][ T6858]  l2cap_conn_del+0x61b/0x9e0
[   60.044772][ T6858]  ? l2cap_conn_del+0x9e0/0x9e0
[   60.049608][ T6858]  l2cap_disconn_cfm+0x85/0xa0
[   60.054370][ T6858]  hci_conn_hash_flush+0x114/0x220
[   60.059455][ T6858]  ? vhci_close_dev+0x50/0x50
[   60.064105][ T6858]  hci_dev_do_close+0x5c6/0x1080
[   60.069030][ T6858]  ? hci_dev_open+0x350/0x350
[   60.073772][ T6858]  ? do_raw_read_unlock+0x70/0x70
[   60.078784][ T6858]  ? try_to_grab_pending.part.0+0x7d0/0x7d0
[   60.084659][ T6858]  ? vhci_close_dev+0x50/0x50
[   60.089323][ T6858]  hci_unregister_dev+0x1bd/0xe30
[   60.094359][ T6858]  ? fcntl_setlk+0xf60/0xf60
[   60.098932][ T6858]  ? lock_is_held_type+0xbb/0xf0
[   60.103863][ T6858]  ? vhci_close_dev+0x50/0x50
[   60.108514][ T6858]  vhci_release+0x70/0xe0
[   60.112855][ T6858]  __fput+0x33c/0x880
[   60.116860][ T6858]  task_work_run+0xdd/0x190
[   60.121353][ T6858]  do_exit+0xb7d/0x29f0
[   60.125511][ T6858]  ? __schedule+0x8ed/0x21e0
[   60.130127][ T6858]  ? mm_update_next_owner+0x7a0/0x7a0
[   60.135478][ T6858]  ? lock_is_held_type+0xbb/0xf0
[   60.141532][ T6858]  ? lock_is_held_type+0xbb/0xf0
[   60.146461][ T6858]  do_group_exit+0x125/0x310
[   60.151044][ T6858]  __x64_sys_exit_group+0x3a/0x50
[   60.156057][ T6858]  do_syscall_64+0x2d/0x70
[   60.160447][ T6858]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[   60.166326][ T6858] RIP: 0033:0x4450b8
[   60.170201][ T6858] Code: Bad RIP value.
[   60.174238][ T6858] RSP: 002b:00007fffe7122d88 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[   60.182624][ T6858] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00000000004450b8
[   60.190578][ T6858] RDX: 0000000000000001 RSI: 000000000000003c RDI: 0000000000000001
[   60.198585][ T6858] RBP: 00000000004cce90 R08: 00000000000000e7 R09: ffffffffffffffd0
[   60.206556][ T6858] R10: 00000000000000ff R11: 0000000000000246 R12: 0000000000000001
[   60.214508][ T6858] R13: 00000000006e0200 R14: 0000000000000000 R15: 0000000000000000
[   60.223125][ T6858] Kernel Offset: disabled
[   60.227440][ T6858] Rebooting in 86400 seconds..
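What the report above says, read as a triager would: KASAN caught a use-after-free, an 8-byte read 24 bytes into a 128-byte kmalloc-128 object. The allocation stack shows the object is the hci_chan created by hci_chan_create when an LE connection completed (le_conn_complete_evt -> l2cap_connect_cfm -> l2cap_conn_add, task 6883); the free stack shows kfree from hci_event_packet on the hci_rx_work worker (task 1538); the access is in hci_chan_del while the virtual HCI device is torn down on process exit (exit_group -> __fput -> vhci_release -> hci_unregister_dev -> hci_dev_do_close -> hci_conn_hash_flush -> l2cap_disconn_cfm -> l2cap_conn_del, task 6858). Three different tasks touch the object, which points at a lifetime race between the HCI event worker and device close rather than a single-path double use. The shadow row marks the whole object fb (freed kmalloc memory) with fc redzones on either side, and the "? " frames in the trace are unconfirmed stack slots, not callers. The panic that follows is only panic_on_warn firing on the tainted kernel. The script below, added here as an example and not part of the syzkaller output or of any kernel code, pulls those facts out of a report in this format; SAMPLE is a constructed, abridged copy of the report's own lines, and the function names are this example's own.

```python
"""Triage helper for a KASAN report such as the one above (added example, not
syzkaller's or the kernel's own code). Strips the "[ ts ][ Tnnn ]" console
prefix, extracts bug kind, faulting function, access and the use/alloc/free
stacks, and derives what a triager checks first: offset inside the object, the
shadow byte KASAN flagged, and whether use, alloc and free ran on different tasks."""
import re
from typing import Any, Dict, List, Optional

PREFIX = re.compile(r"^\[\s*\d+\.\d+\]\[\s*T\d+\]")
BUG = re.compile(r"BUG: KASAN: (?P<kind>[\w-]+) in (?P<func>[\w.]+)\+0x")
ACCESS = re.compile(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task ([^/\s]+)/(\d+)")
SECTION = re.compile(r"(Allocated|Freed) by task (\d+):")
OBJECT = re.compile(r"belongs to the object at ([0-9a-f]+)")
CACHE = re.compile(r"belongs to the cache (\S+) of size (\d+)")
FRAME = re.compile(r"^\s*(\?\s+)?([\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+\s*$")
SHADOW_ROW = re.compile(r"^\s*>?([0-9a-f]{16}): ((?:[0-9a-f]{2} ?){16})\s*$")
# Generic KASAN shadow values (mm/kasan/kasan.h); 00 = all 8 bytes of the granule addressable.
SHADOW_MEANING = {0x00: "addressable", 0xfb: "freed kmalloc object", 0xfc: "kmalloc redzone",
                  0xfe: "page redzone", 0xff: "freed page"}
PLUMBING = ("save_stack", "__kasan_", "kasan_", "kmem_cache_", "kfree", "__kmalloc", "kmalloc")

def parse(text: str) -> Dict[str, Any]:
    rep: Dict[str, Any] = {"trace": [], "alloc_trace": [], "free_trace": [], "shadow": {}}
    section = None  # stack currently being read: "trace" | "alloc_trace" | "free_trace"
    for raw in text.splitlines():
        line = PREFIX.sub("", raw, count=1).rstrip()
        if not line.strip():
            section = None  # a blank line ends a stack
            continue
        if line.lstrip().startswith("====") and "kind" in rep:
            break  # closing rule: stop before the panic trace that follows the report
        if m := BUG.search(line):
            rep["kind"], rep["func"] = m["kind"], m["func"]
        elif m := ACCESS.search(line):
            rep["op"], rep["size"], rep["addr"] = m[1], int(m[2]), int(m[3], 16)
            rep["task"], rep["pid"] = m[4], int(m[5])
        elif line.strip() == "Call Trace:":
            section = "trace"
        elif m := SECTION.search(line):
            section = "alloc_trace" if m[1] == "Allocated" else "free_trace"
            rep[section.replace("_trace", "_pid")] = int(m[2])
        elif m := OBJECT.search(line):
            rep["obj_base"] = int(m[1], 16)
        elif m := CACHE.search(line):
            rep["cache"], rep["obj_size"] = m[1], int(m[2])
        elif m := SHADOW_ROW.match(line):
            rep["shadow"][int(m[1], 16)] = [int(b, 16) for b in m[2].split()]
        elif section and (m := FRAME.match(line)):
            rep[section].append(("?" if m[1] else "") + m[2])  # keep the "?" marker on unsure frames
    return rep

def confirmed(frames: List[str]) -> List[str]:
    return [f for f in frames if not f.startswith("?")]  # drop stale "? " slots the unwinder could not confirm

def use_site(rep: Dict[str, Any]) -> Optional[str]:
    """First confirmed frame above the kasan_report machinery: where the bad access happened."""
    names = confirmed(rep["trace"])
    hits = [names[i + 1] for i, fn in enumerate(names[:-1]) if fn.startswith("kasan_report")]
    return hits[0] if hits else None

def origin(frames: List[str]) -> Optional[str]:
    """First alloc/free frame that is not allocator or KASAN plumbing."""
    return next((f for f in confirmed(frames) if not f.startswith(PLUMBING)), None)

def offset_in_object(rep: Dict[str, Any]) -> int:
    return rep["addr"] - rep["obj_base"]

def shadow_at(rep: Dict[str, Any], addr: int) -> Optional[int]:
    """Shadow byte covering addr: one byte per 8-byte granule, 16 granules per dumped row."""
    for base, row in rep["shadow"].items():
        if base <= addr < base + 8 * len(row):
            return row[(addr - base) // 8]
    return None

def describe_shadow(b: int) -> str:
    return SHADOW_MEANING.get(b, f"partially addressable ({b} bytes)" if 0 < b < 8 else f"poison {b:#04x}")

def tasks_involved(rep: Dict[str, Any]) -> set:
    return {rep[k] for k in ("pid", "alloc_pid", "free_pid") if k in rep}  # >1: cross-context, suspect a race

# Constructed sample: an abridged copy of the report's own lines, prefixes included.
SAMPLE = """\
[   59.398419][ T6858] ==================================================================
[   59.406653][ T6858] BUG: KASAN: use-after-free in hci_chan_del+0x14f/0x190
[   59.413695][ T6858] Read of size 8 at addr ffff8880a19f3218 by task syz-executor237/6858
[   59.442681][ T6858] Call Trace:
[   59.445971][ T6858]  dump_stack+0x18f/0x20d
[   59.450290][ T6858]  ? hci_chan_del+0x14f/0x190
[   59.481256][ T6858]  kasan_report.cold+0x1f/0x37
[   59.490685][ T6858]  hci_chan_del+0x14f/0x190
[   59.495250][ T6858]  l2cap_conn_del+0x61b/0x9e0
[   59.563718][ T6858]  vhci_release+0x70/0xe0
[   59.679412][ T6858] Allocated by task 6883:
[   59.693575][ T6858]  kmem_cache_alloc_trace+0x14f/0x2d0
[   59.698934][ T6858]  hci_chan_create+0x9b/0x330
[   59.753853][ T6858] Freed by task 1538:
[   59.766791][ T6858]  kfree+0x103/0x2c0
[   59.770679][ T6858]  hci_event_packet+0x3e33/0x87a8
[   59.800584][ T6858] The buggy address belongs to the object at ffff8880a19f3200
[   59.800584][ T6858]  which belongs to the cache kmalloc-128 of size 128
[   59.896144][ T6858] >ffff8880a19f3200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   59.925098][ T6858] ==================================================================
"""

if __name__ == "__main__":
    r = parse(SAMPLE)
    print(f'{r["kind"]} in {use_site(r)}: {r["op"]} of {r["size"]} bytes at +{offset_in_object(r)} in a '
          f'{r["obj_size"]}-byte {r["cache"]} object; shadow = {describe_shadow(shadow_at(r, r["addr"]))}')
    print(f'allocated in {origin(r["alloc_trace"])} (pid {r["alloc_pid"]}), freed in {origin(r["free_trace"])} '
          f'(pid {r["free_pid"]}), used by pid {r["pid"]}; tasks involved: {sorted(tasks_involved(r))}')
```

Feed it the whole console log and it stops at the closing rule of the first KASAN block, so the duplicated trace under "Kernel panic" is not mistaken for a second use site. The "tasks involved" count is the cheapest signal to check first: when the use, allocation and free PIDs all differ, as here, the next question is which lock or reference count was supposed to keep the object alive across the worker and the teardown path, not which single function touched it twice.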