[�[0;32m OK �[0m] Reached target Login Prompts.
[�[0;32m OK �[0m] Reached target Multi-User System.
[�[0;32m OK �[0m] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
[�[0;32m OK �[0m] Started Update UTMP about System Runlevel Changes.
Debian GNU/Linux 9 syzkaller ttyS0
Warning: Permanently added '10.128.0.214' (ECDSA) to the list of known hosts.
syzkaller login: [ 60.685243][ T6831] IPVS: ftp: loaded support on port[0] = 21
executing program
[ 60.782239][ T6838] Bluetooth: Wrong link type (-22)
[ 60.795862][ T6831] ==================================================================
[ 60.804042][ T6831] BUG: KASAN: use-after-free in hci_chan_del+0x14f/0x190
[ 60.811051][ T6831] Read of size 8 at addr ffff8880a8ae8318 by task syz-executor465/6831
[ 60.819268][ T6831]
[ 60.821589][ T6831] CPU: 1 PID: 6831 Comm: syz-executor465 Not tainted 5.8.0-syzkaller #0
[ 60.829894][ T6831] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 60.839949][ T6831] Call Trace:
[ 60.843231][ T6831] dump_stack+0x18f/0x20d
[ 60.847558][ T6831] ? hci_chan_del+0x14f/0x190
[ 60.852227][ T6831] ? hci_chan_del+0x14f/0x190
[ 60.856897][ T6831] print_address_description.constprop.0.cold+0xae/0x497
[ 60.863913][ T6831] ? mutex_lock_io_nested+0xf60/0xf60
[ 60.869406][ T6831] ? vprintk_func+0x97/0x1a6
[ 60.874017][ T6831] ? hci_chan_del+0x14f/0x190
[ 60.878701][ T6831] ? hci_chan_del+0x14f/0x190
[ 60.883393][ T6831] kasan_report.cold+0x1f/0x37
[ 60.888154][ T6831] ? hci_chan_del+0x14f/0x190
[ 60.892846][ T6831] hci_chan_del+0x14f/0x190
[ 60.897356][ T6831] l2cap_conn_del+0x61b/0x9e0
[ 60.902039][ T6831] ? l2cap_conn_del+0x9e0/0x9e0
[ 60.906889][ T6831] l2cap_disconn_cfm+0x85/0xa0
[ 60.911664][ T6831] hci_conn_hash_flush+0x114/0x220
[ 60.916770][ T6831] hci_dev_do_close+0x5c6/0x1080
[ 60.921707][ T6831] ? hci_dev_open+0x350/0x350
[ 60.926375][ T6831] ? do_raw_read_unlock+0x70/0x70
[ 60.931416][ T6831] ? try_to_grab_pending.part.0+0x7d0/0x7d0
[ 60.937305][ T6831] hci_unregister_dev+0x1bd/0xe30
[ 60.942335][ T6831] ? fcntl_setlk+0xf60/0xf60
[ 60.946918][ T6831] ? lock_is_held_type+0xbb/0xf0
[ 60.951862][ T6831] vhci_release+0x70/0xe0
[ 60.956281][ T6831] __fput+0x285/0x920
[ 60.960374][ T6831] ? vhci_close_dev+0x50/0x50
[ 60.965066][ T6831] task_work_run+0xdd/0x190
[ 60.970039][ T6831] do_exit+0xb7d/0x29f0
[ 60.974197][ T6831] ? mm_update_next_owner+0x7a0/0x7a0
[ 60.979573][ T6831] ? vfs_write+0x1b0/0x730
[ 60.983985][ T6831] ? lock_is_held_type+0xbb/0xf0
[ 60.988926][ T6831] do_group_exit+0x125/0x310
[ 60.993520][ T6831] __x64_sys_exit_group+0x3a/0x50
[ 60.998591][ T6831] do_syscall_64+0x2d/0x70
[ 61.003005][ T6831] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 61.009077][ T6831] RIP: 0033:0x4451c8
[ 61.012953][ T6831] Code: Bad RIP value.
[ 61.017023][ T6831] RSP: 002b:00007ffd9e1f32b8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 61.025435][ T6831] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00000000004451c8
[ 61.033403][ T6831] RDX: 0000000000000001 RSI: 000000000000003c RDI: 0000000000000001
[ 61.041792][ T6831] RBP: 00000000004ccf30 R08: 00000000000000e7 R09: ffffffffffffffd0
[ 61.049768][ T6831] R10: 0000000000000015 R11: 0000000000000246 R12: 0000000000000001
[ 61.057914][ T6831] R13: 00000000006e0200 R14: 0000000000000000 R15: 0000000000000000
[ 61.066154][ T6831]
[ 61.068481][ T6831] Allocated by task 6838:
[ 61.072807][ T6831] kasan_save_stack+0x1b/0x40
[ 61.077486][ T6831] __kasan_kmalloc.constprop.0+0xbf/0xd0
[ 61.083111][ T6831] kmem_cache_alloc_trace+0x16e/0x2c0
[ 61.088472][ T6831] hci_chan_create+0x9b/0x330
[ 61.093145][ T6831] l2cap_conn_add.part.0+0x1e/0xe10
[ 61.098363][ T6831] l2cap_connect_cfm+0x23b/0x1090
[ 61.103403][ T6831] le_conn_complete_evt+0x1153/0x1740
[ 61.108930][ T6831] hci_le_meta_evt+0x745/0x3ff0
[ 61.114050][ T6831] hci_event_packet+0x2e25/0x87a8
[ 61.119170][ T6831] hci_rx_work+0x22e/0xb50
[ 61.123594][ T6831] process_one_work+0x94c/0x1670
[ 61.128934][ T6831] worker_thread+0x64c/0x1120
[ 61.133748][ T6831] kthread+0x3b5/0x4a0
[ 61.137844][ T6831] ret_from_fork+0x1f/0x30
[ 61.142259][ T6831]
[ 61.144574][ T6831] Freed by task 6838:
[ 61.148555][ T6831] kasan_save_stack+0x1b/0x40
[ 61.153236][ T6831] kasan_set_track+0x1c/0x30
[ 61.157814][ T6831] kasan_set_free_info+0x1b/0x30
[ 61.162746][ T6831] __kasan_slab_free+0xd8/0x120
[ 61.168563][ T6831] kfree+0x103/0x2c0
[ 61.172448][ T6831] hci_event_packet+0x3e33/0x87a8
[ 61.177462][ T6831] hci_rx_work+0x22e/0xb50
[ 61.181886][ T6831] process_one_work+0x94c/0x1670
[ 61.186818][ T6831] worker_thread+0x64c/0x1120
[ 61.191495][ T6831] kthread+0x3b5/0x4a0
[ 61.195568][ T6831] ret_from_fork+0x1f/0x30
[ 61.199961][ T6831]
[ 61.202358][ T6831] The buggy address belongs to the object at ffff8880a8ae8300
[ 61.202358][ T6831] which belongs to the cache kmalloc-128 of size 128
[ 61.216596][ T6831] The buggy address is located 24 bytes inside of
[ 61.216596][ T6831] 128-byte region [ffff8880a8ae8300, ffff8880a8ae8380)
[ 61.229784][ T6831] The buggy address belongs to the page:
[ 61.235422][ T6831] page:00000000dd184e7b refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff8880a8ae8500 pfn:0xa8ae8
[ 61.246867][ T6831] flags: 0xfffe0000000200(slab)
[ 61.251735][ T6831] raw: 00fffe0000000200 ffffea00029b0408 ffffea00025a02c8 ffff8880aa040400
[ 61.260406][ T6831] raw: ffff8880a8ae8500 ffff8880a8ae8000 0000000100000009 0000000000000000
[ 61.268990][ T6831] page dumped because: kasan: bad access detected
[ 61.275391][ T6831]
[ 61.277698][ T6831] Memory state around the buggy address:
[ 61.283314][ T6831] ffff8880a8ae8200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 61.291556][ T6831] ffff8880a8ae8280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 61.299830][ T6831] >ffff8880a8ae8300: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 61.307882][ T6831] ^
[ 61.312734][ T6831] ffff8880a8ae8380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 61.320794][ T6831] ffff8880a8ae8400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 61.328845][ T6831] ==================================================================
[ 61.336929][ T6831] Disabling lock debugging due to kernel taint
[ 61.344202][ T6831] Kernel panic - not syncing: panic_on_warn set ...
[ 61.350818][ T6831] CPU: 1 PID: 6831 Comm: syz-executor465 Tainted: G B 5.8.0-syzkaller #0
[ 61.359490][ T6784] tipc: TX() has been purged, node left!
[ 61.360535][ T6831] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 61.376431][ T6831] Call Trace:
[ 61.379739][ T6831] dump_stack+0x18f/0x20d
[ 61.384082][ T6831] ? hci_chan_del+0xa0/0x190
[ 61.388691][ T6831] panic+0x2e3/0x75c
[ 61.392604][ T6831] ? __warn_printk+0xf3/0xf3
[ 61.397704][ T6831] ? preempt_schedule_common+0x59/0xc0
[ 61.403205][ T6831] ? hci_chan_del+0x14f/0x190
[ 61.407884][ T6831] ? preempt_schedule_thunk+0x16/0x18
[ 61.413517][ T6831] ? trace_hardirqs_on+0x55/0x220
[ 61.418547][ T6831] ? hci_chan_del+0x14f/0x190
[ 61.423224][ T6831] ? hci_chan_del+0x14f/0x190
[ 61.428079][ T6831] end_report+0x4d/0x53
[ 61.432268][ T6831] kasan_report.cold+0xd/0x37
[ 61.436945][ T6831] ? hci_chan_del+0x14f/0x190
[ 61.441644][ T6831] hci_chan_del+0x14f/0x190
[ 61.446151][ T6831] l2cap_conn_del+0x61b/0x9e0
[ 61.450829][ T6831] ? l2cap_conn_del+0x9e0/0x9e0
[ 61.455680][ T6831] l2cap_disconn_cfm+0x85/0xa0
[ 61.460445][ T6831] hci_conn_hash_flush+0x114/0x220
[ 61.465576][ T6831] hci_dev_do_close+0x5c6/0x1080
[ 61.470513][ T6831] ? hci_dev_open+0x350/0x350
[ 61.475213][ T6831] ? do_raw_read_unlock+0x70/0x70
[ 61.480246][ T6831] ? try_to_grab_pending.part.0+0x7d0/0x7d0
[ 61.486148][ T6831] hci_unregister_dev+0x1bd/0xe30
[ 61.491187][ T6831] ? fcntl_setlk+0xf60/0xf60
[ 61.495782][ T6831] ? lock_is_held_type+0xbb/0xf0
[ 61.500732][ T6831] vhci_release+0x70/0xe0
[ 61.505053][ T6831] __fput+0x285/0x920
[ 61.509026][ T6831] ? vhci_close_dev+0x50/0x50
[ 61.513697][ T6831] task_work_run+0xdd/0x190
[ 61.518190][ T6831] do_exit+0xb7d/0x29f0
[ 61.522340][ T6831] ? mm_update_next_owner+0x7a0/0x7a0
[ 61.527718][ T6831] ? vfs_write+0x1b0/0x730
[ 61.532154][ T6831] ? lock_is_held_type+0xbb/0xf0
[ 61.537090][ T6831] do_group_exit+0x125/0x310
[ 61.541677][ T6831] __x64_sys_exit_group+0x3a/0x50
[ 61.546719][ T6831] do_syscall_64+0x2d/0x70
[ 61.551129][ T6831] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 61.557017][ T6831] RIP: 0033:0x4451c8
[ 61.560894][ T6831] Code: Bad RIP value.
[ 61.564959][ T6831] RSP: 002b:00007ffd9e1f32b8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 61.573655][ T6831] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00000000004451c8
[ 61.581717][ T6831] RDX: 0000000000000001 RSI: 000000000000003c RDI: 0000000000000001
[ 61.589806][ T6831] RBP: 00000000004ccf30 R08: 00000000000000e7 R09: ffffffffffffffd0
[ 61.597780][ T6831] R10: 0000000000000015 R11: 0000000000000246 R12: 0000000000000001
[ 61.605858][ T6831] R13: 00000000006e0200 R14: 0000000000000000 R15: 0000000000000000
[ 61.615083][ T6831] Kernel Offset: disabled
[ 61.619435][ T6831] Rebooting in 86400 seconds..